The document discusses vulnerabilities found in Swisslog's Translogic Pneumatic Tube System (PTS) used in many hospitals. The researchers discovered 9 vulnerabilities in the Nexus station, including hardcoded passwords, privilege escalation issues, and memory corruption bugs that could allow remote code execution. They were able to fully compromise the PTS through a heap overflow vulnerability by overwriting function pointers to execute shellcode on the device. PTS systems are critical hospital infrastructure but require more security research as they connect analog tube networks to internet-connected management systems.
The Internet is the most toxic computing environment ever created. ARM Cortex-M devices that are exposed to it can be hacked and compromised, using techniques evolved from the famous x86 ret2libc buffer overflow attack.
This excellent session by Alexander Bolshev (@dark_k3y) was a very pleasant surprise, and it's a bit frustrating that it is one of the three lost S4x14 videos.
We were concerned that it would be a bit S4x13 / insecure by design / low hanging fruit, but HART has received so little attention that we thought it was worth including in S4x14. HART is widely used in DCS to connect controllers and instruments. The HART Foundation says over 30 million HART devices are deployed.
Alexander covers the protocol in the early slides, but make sure you look at slides 16-21 where he shows how he can change the RTU's Polling Unit ID (who the RTU expects to poll it) to create a man-in-the-middle attack.
There are a number of other HART protocol attacks described, but I was most interested in his HRT Shield board - a high-power low-noise HART modem Arduino shield for sniffing, injecting, and jamming the current loop. He brought over some boards that we are building up to have in our Rack when we go out on an assessment.
I should note, mainly to avoid an email from Jeff, that WirelessHART has integrated security such as source/data authentication and encryption. As we walk through plants and factories we are seeing a number of these WirelessHART devices. They are easy to spot because they can be deployed in the most physically convenient place without worrying about wiring.
Black Hat USA 2022 - Arsenal Labs - Vehicle Control Systems - Red vs Blue - Chris Sistrunk
Real Time Operating Systems (RTOS) form the backbone for embedded systems and control units used in vehicle control technology (such as automobiles, trucks, buses, locomotives, UAVs, etc).
In this session, we will get hands-on red teaming a popular RTOS that's at the heart of vehicle control systems worldwide. To counter this activity, we will then provide a demo of memory extraction and data analysis following Mandiant's Digital Forensics and Incident Response Framework for Embedded OT Systems.
https://www.mandiant.com/resources/blog/mandiant-dfir-framework-ot
rpdebug tool
https://github.com/mandiant/rpdebug_qnx
Java on ARM: theory, applications, and workloads [dev5048] - Aleksei Voitylov
Although ARM processors are almost always viewed as having been designed for the embedded market, several vendors are making a bet and building server CPUs that contend with Intel in cloud deployments. With the presence of the Java ARM port and a wide variety of applications in the Java ecosystem able to run on ARM CPUs, the real question becomes which workloads are best suited to the ARM servers niche and which metrics can be optimized for using ARM servers. This presentation explores the status of Java and the Java ecosystem on ARM, together with the Java ARM port features and performance of specific workloads. Some focus is on the recent changes in the Java ARM port, which the speaker’s company contributes to.
Breaking Smart Speakers: We are Listening to You - Priyanka Aash
"In the past two years, smart speakers have become the most popular IoT device; Amazon, Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to give smart speakers human-like capabilities in chat conversation. However, with smart speakers coming into more and more homes, and their functions becoming more powerful, their security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.
In this talk, we will present how to use multiple vulnerabilities to achieve remote attacks on some of the most popular smart speakers. Our final attack effects include silent listening, controlling the speaker's spoken content and other demonstrations. We are also going to talk about how to extract firmware from BGA-package flash chips such as eMMC, eMCP, NAND flash, etc. In addition, we cover how to turn on debug interfaces and get root privileges by modifying firmware content and re-soldering flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely obtain root permissions on some smart speakers and use them for eavesdropping and playing voice."
Discusses my 25-year journey for finding the perfect operating-system interface, covering our work on the Mungi single-address-space operating system (SASOS), early work on L4 microkernels, and now the seL4 microkernel, its evolution and verification.
Talk originally given at a seminar series hosted by VMware Research on the occasion of the company's 20th anniversary.
Financial markets have latency and jitter requirements that Kernel-RT (PREEMPT_RT) makes it possible to meet.
From time synchronisation with NFP, PTP and White Rabbit to the business requirement of minimal jitter and latency.
Shared on 5th Dec at SGInnovate with Swirlds' Mance Harmon, Jordan Fried and Edgar Seah.
Hashgraph consensus, demo apps in the Swirlds Java SDK, babble (an unofficial Go implementation of Hashgraph) and their implications for distributed ledger technology.
About the author: Priya Autee is a software engineer at Intel working on various leading-edge IA features and an Intel(R) RDT expert. She is focused on prototyping and researching open source APIs like DPDK, Intel(R) RDT etc. to support NFV/compute-sensitive requirements on Intel Architecture. She holds a Master's in Computer Science from Arizona State University, Arizona.
ironSource's security application expert, Tomer Zait, shares his insights on engineering in the stack. Tomer, an Ort Singalovsky alumnus himself, gave this presentation to the Ort Singalovsky students on their tour of ironSource's headquarters in Tel Aviv.
Snapdragon is a family of mobile systems on a chip (SoC) by Qualcomm. Qualcomm considers Snapdragon a "platform" for use in smartphones, tablets, and smartbook devices.
ARM is a family of RISC-based microprocessors and microcontrollers designed by ARM Inc., Cambridge, England.
ARM chips are high-speed processors that are known for their small die size and low power requirements.
[CB21] Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM - CODE BLUE
In 2017, Microsoft announced the ARM version of Windows.
The number of devices with ARM version of Windows is increasing, such as Surface Pro X series and HP ENVY x2, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue that existing x86/x64 applications cannot be used.
However, this problem has been addressed by providing x86/x64 emulation capabilities.
In recent years, ARM64EC has been announced, allowing for the gradual migration of x64 applications to ARM.
The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, doesn't the introduction of new compatibility technologies provide a new avenue of attack for attackers?
As far as we know, this point has not even been discussed much at this point.
Therefore, we reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries.
All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track.
In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis.
Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations.
We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
1. A Hole In The Tube
Uncovering Vulnerabilities in Critical Infrastructure of Healthcare Facilities
#BHUSA @BlackHatEvents
Ben Seri – VP Research
Barak Hadad – Security Researcher
13. ARMIS @ #BHUSA @BlackHatEvents
pwnedPiper – Overview
▪ 9 vulnerabilities discovered in Swisslog's Translogic Pneumatic Tube System
▪ Critical vulnerabilities were found in the Nexus Station – a prominent PTS station by Swisslog:
▪ Hardcoded passwords, privilege escalation, heap & stack overflows (can lead to RCE), DoS, and a non-secure firmware upgrade mechanism
▪ All vulnerabilities can be triggered via unauthenticated network packets, without any user interaction
▪ Disclosed to Swisslog on May 1, 2021; working together to patch & test
14. Swisslog TransLogic - The Leading PTS System
▪ TransLogic is installed in more than 2,300 hospitals in North America and over 3,000 worldwide.
▪ The majority of hospitals in North America use Swisslog TransLogic as their PTS solution
▪ TransLogic is one of the most advanced PTS systems in the market; it supports high load, advanced features, reliability and even physical-security features
15. PTS systems are complex analog networks
• PTS systems transfer physical carriers throughout hospitals using a complex network of:
• Tubes
• Blowers
• Transfer Units (Routers)
• Stations
• The entire system is managed over Ethernet by a central server
16. Pneumatic Tube System – IP-connected
The Central Server is a Windows device, connected to the Internet
[Diagram: Internet – Central Server – Transfer Unit #1 / #2 / #3 – Stations; Blowers]
17. Potential Effect of cyber attacks on PTS systems
• Takeover of PTS stations can result in various attacks
• DoS of the PTS network
• Information leak of PII (staff records, RFID credentials, etc.)
• Sophisticated Ransomware / Sabotage attacks:
- Re-routing carriers can derail hospital operations significantly
18. Design and structure of the PTS system
22. Central Management Server (SCC)
23. Design and structure of the PTS system
24. Swisslog Translogic PTS – A "Next-gen" PTS with advanced features
• Secure transfers, with RFID and/or password-protected carriers
• Slow-speed transfers, for sensitive cargo
• Internet-connected Alert system, for user notifications via email/text/etc.
• Remote system monitoring, for offloading the maintenance of the system to the Swisslog Cloud
25. TransLogic Legacy Stations
• CTS 30 Station
• IQ Station
• Supports serial connection (RS-422) or Ethernet (in newer models)
26. IQ Station
• Has Ethernet connection
• Uses 8086 16-bit MCU (DSTni-Ex)
• Firmware is non-encrypted and unsigned…
27. IQ Station
• Firmware upgrade requires a physical switch change:
28. Nexus Station
• High-end station with touchscreen and RFID
• IP-connected, runs Linux v2.6
• 32-bit ARM CPU
• Two main processes:
• HMI3 – ELF containing the low-level operation of the station
• HMI3.jar – Responsible for the GUI and high-level operations
29. HMI3
• Not PIC, so no ASLR for the main ELF
• No stack canaries, and no DEP for the bss (?)
• Compiled with debug symbols
31. Physical Attack Surface
An SD card containing the non-encrypted, unsigned firmware
32. Network Attack Surface
From the manual:
Security by obscurity is no security at all!
33. Internet Attack Surface
• The central management server connects outbound to the Internet.
• This connection allows various features such as alert notifications via the Alert System and remote monitoring and maintenance.
• Any vulnerability found in its proprietary code can lead an attack from the Internet to control the entire PTS system
35. #1 & #2 Hard-coded passwords (yeah, that old trick)
[Screenshot: CENSORED – John the Ripper]
36. #3 Privilege escalation
/home/user/hmi/run
• user writeable
• Executed by root (!)
37. #3 Privilege escalation
• Connect to the telnet server using the user "user" with the hardcoded password
• Edit "/home/user/hmi/run" to do whatever
• Reboot using the memory corruption vulnerability on the next slide
• …
• Profit!
38. #4 Underflow in udpRXThread (RCE)
39. Bad memcpy (CVE-2020-6096)
40. Bad memcpy (CVE-2020-6096)
41. #4 Underflow in udpRXThread (RCE)
42. #5 Overflow in sccProcessMsg (RCE)
43. #6 GUI socket DoS in tcpServerThread
44. #6 GUI socket DoS in tcpServerThread
45. #7 Overflow in hmiProcessMsg (RCE)
57. Exploitation – the easy way
1. Upload a new malicious FW
2. Connect using the default user and use the PE
58. Heap Overflow Exploitation Plan
Off-By-Three Stack Overflow
• Corrupt buffer_to_send via the stack overflow
• Move buffer_to_send to the .got section where all the fun(c) pointers can be overwritten
• Send another UDP packet that will trigger the use of the overwritten buffer
• Overwrite the memcpy function pointer in the .got section with a call to a shellcode in the heap
59. Heap examination
• 59 pre-allocated "heap" blocks in the bss section
• "heap" blocks are moved between queues
• Each block is of size 0x180 bytes
[Diagram: block layout – Next, Prev, Data]
60. Heap examination
[Diagram: blocks (Next, Prev, Data) linked on FreeQ and WorkerQ]
64. .GOT BLOCK - Controlling a function pointer
The first two dwords are unused, perfect for the new .got block start!
[Diagram: FreeQ link pointing into the GOT]
65. From GOT Block to RCE
When the removed block is the one in the GOT, seq_num will overwrite the memcpy address with a call to our shellcode (in the heap)
[Diagram: memcpy overwrite]
66. From GOT Block to RCE
Memcpy(shellcode) is used right after it is set
[Diagram: memcpy overwrite, followed by Memcpy(shellcode) usage]
67. Heap Overflow Exploitation - Summary
1. Spray the heap with shellcode buffers
2. Trigger the off-by-three vulnerability to move one heap block to the .got section
3. Spray the heap (again) with the shellcode and the shellcode address as the sequence number.
4. Once the .got block is used, the memcpy pointer will point to the shellcode, and then the shellcode will be triggered
5. Demo time!
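As an added defensive illustration (not code from the talk, from Armis or from Swisslog), the following C models the static block pool described on slides 59 and 60 and adds the check that would have stopped the queue manipulation on slides 64 to 67: every block pointer must lie inside the .bss pool on a block boundary before it is linked or used, so a link bent toward the .got is refused instead of followed, and the receive path bounds its copy. Field names, queue names and the receive function are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pool geometry from the slides: 59 pre-allocated "heap" blocks of 0x180 bytes
 * in .bss, each with Next/Prev links and a data area, moved between a free
 * queue and a worker queue. Field names and the queue API are assumptions. */
#define BLOCK_COUNT 59
#define BLOCK_SIZE  0x180

typedef struct block {
    struct block *next;
    struct block *prev;
    uint8_t data[BLOCK_SIZE - 2 * sizeof(void *)];
} block_t;

typedef struct { block_t *head, *tail; size_t len; } queue_t;

static block_t pool[BLOCK_COUNT];          /* the static pool in .bss */
static queue_t free_q, worker_q;
static void (*fake_got[8])(void);          /* stand-in for .got, outside the pool */

/* The check the original queues lacked: a block pointer must lie inside the
 * static pool and sit exactly on a block boundary. A pointer that has been
 * corrupted to land in .got (or anywhere else) fails and is refused. */
bool block_is_valid(const block_t *b)
{
    uintptr_t p = (uintptr_t)b, base = (uintptr_t)pool;
    if (p < base || p >= base + sizeof(pool))
        return false;
    return (p - base) % sizeof(block_t) == 0;
}

/* Append to the tail; refuses anything that is not a genuine pool block. */
bool queue_push(queue_t *q, block_t *b)
{
    if (!block_is_valid(b))
        return false;
    b->next = NULL;
    b->prev = q->tail;
    if (q->tail) q->tail->next = b; else q->head = b;
    q->tail = b;
    q->len++;
    return true;
}

/* Remove from the head; a corrupted link empties the queue instead of being
 * followed, so a bad pointer is never dereferenced or handed to memcpy. */
block_t *queue_pop(queue_t *q)
{
    block_t *b = q->head;
    if (!b)
        return NULL;
    if (!block_is_valid(b) || (b->next && !block_is_valid(b->next))) {
        q->head = q->tail = NULL;
        q->len = 0;
        return NULL;
    }
    q->head = b->next;
    if (q->head) q->head->prev = NULL; else q->tail = NULL;
    b->next = b->prev = NULL;
    q->len--;
    return b;
}

/* Reset both queues and put every block on the free queue. */
void pool_init(void)
{
    memset(&free_q, 0, sizeof free_q);
    memset(&worker_q, 0, sizeof worker_q);
    memset(pool, 0, sizeof pool);
    for (size_t i = 0; i < BLOCK_COUNT; i++)
        queue_push(&free_q, &pool[i]);
}

/* Simulated receive path: take a free block, copy the datagram into it with an
 * explicit bound (the copy in the slides is the one that gets overflowed), and
 * queue it for the worker. Returns false for an oversized message or an
 * exhausted pool. */
bool receive_message(const uint8_t *msg, size_t len)
{
    if (len > sizeof(((block_t *)0)->data))
        return false;
    block_t *b = queue_pop(&free_q);
    if (!b)
        return false;
    memcpy(b->data, msg, len);
    return queue_push(&worker_q, b);
}

int main(void)
{
    pool_init();
    uint8_t msg[] = {0x01, 0x02, 0x03, 0x04};          /* constructed sample */
    printf("message accepted: %d\n", receive_message(msg, sizeof msg));
    printf("got pointer refused: %d\n", !queue_push(&worker_q, (block_t *)fake_got));
    return 0;
}
```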
71. Final Thoughts
• Pneumatic Tube Systems require more research
• They are critical infrastructure – like electricity or elevators
• The Swisslog case is a classic case of embedded devices gone wrong
• Developing robust security mitigations to safeguard these systems is essential
• Adding DOOM to pneumatic systems would make any hospital visit much more entertaining ;)
72. Questions?
• More info at: https://www.armis.com/pwnedPiper