Portcullis Labs » 44CON
https://labs.portcullis.co.uk
Research and Development

Secrets of the motherboard
https://labs.portcullis.co.uk/presentations/secrets-of-the-motherboard/
Fri, 16 Feb 2018 10:13:07 +0000

Presentation on “interesting” features of the Intel x86[_64] platform (as given at 44CON 2017).

A lot of recent work has gone into the discovery, analysis, and (on occasion) marketing of hardware weaknesses in the Intel x86[_64] platform particularly with respect to how it is often implemented as part of specific motherboard designs. Some, such as the recent speculative execution borne attacks, are issues in the architecture itself. Other issues, however, affect individual implementations. This talk will take a wide-coverage “state of play” look at x86[_64] platform security covering:

  • Architectural failings in hardware design
  • Identifying security issues with modern computer hardware (treat it just like IoT devices!)
  • Attempts at restoring privacy, ownership, and security
  • Code and data persistence
  • How secure hardware can be re-used
Download: 44CSOTM.pptx (February 16, 2018, 5.7 MiB, MD5 hash: 912badf9570eef6597578674e52bbb9d)

The post Secrets of the motherboard appeared first on Portcullis Labs.

GET IN THE RING0
https://labs.portcullis.co.uk/presentations/get-in-the-ring0/
Thu, 24 Sep 2015 13:50:39 +0000

Presentation on how Windows kernel drivers work and where to look for vulnerabilities (as given at 44CON 2015).

Download: GITR044C.pdf (September 24, 2015, 1.2 MiB, MD5 hash: 580f0d3354e95e5447f497677cd1a1bc)

The post GET IN THE RING0 appeared first on Portcullis Labs.

Graham “@gsuberland” Sutherland’s 44CON presentation
https://labs.portcullis.co.uk/blog/graham-gsuberland-sutherlands-44con-presentation/
Fri, 11 Sep 2015 13:16:32 +0000

Graham recently gave a presentation at 44CON’s community night entitled “GET IN THE RING0″ on the subject of Windows kernel drivers.

His talk covered:

  • Same basic concepts as writing usermode apps
  • Some additional bits
    • Talking between usermode / kernelmode
    • Major functions, IRPs, IOCTLs
    • Special concepts like IRQLs
  • (mostly) officially documented on MSDN!
  • (most of) the rest is reverse engineered

You can find the slides here.

The post Graham “@gsuberland” Sutherland’s 44CON presentation appeared first on Portcullis Labs.

44CON uncovered
https://labs.portcullis.co.uk/presentations/44con-uncovered/
Sat, 21 Jun 2014 12:01:45 +0000

Presentation on system level vulnerabilities (as given at BT’s SnoopCon 2014).

This talk references previous presentations including:

  • “I miss LSD”
  • “Big Game Hunting: Simple techniques for bug hunting on big iron UNIX”
  • “Breaking the Links: Exploiting the Linker”

Download: 44CU.pdf (June 20, 2014, 247.5 KiB, MD5 hash: 22527f212e79dffdb8a91c56b878130f)

The post 44CON uncovered appeared first on Portcullis Labs.

Memory Squatting: Attacks On System V Shared Memory
https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
Wed, 13 Nov 2013 03:26:00 +0000

Rather than representing a definitive guide, this document represents a review of the specific security issues identified during Portcullis Computer Security Ltd’s recent research into System V shared memory segments and their usage.

What follows should, however, provide a high-level summary of issues, impacts and methods of remediation in cases where System V shared memory segments are used in an insecure fashion. This paper was released as part of my presentation at 44CON 2013 entitled “I miss LSD“.

Download: MSAOSVSM.pdf (November 13, 2013, 569.3 KiB, MD5 hash: 2511c7c09b51f39b74f37ed5e79fe1b5)

The post Memory Squatting: Attacks On System V Shared Memory appeared first on Portcullis Labs.

smaSHeM
https://labs.portcullis.co.uk/tools/smashem/
Tue, 12 Nov 2013 22:24:29 +0000

smaSHeM is a System V shared memory segment manipulator.

Key features

  • Allows dumping of segments in a variety of formats including JPEGs
  • Allows patching of segments

Overview

System V shared memory segments created with shmget() are assigned an owner, a group and a set of permissions intended to limit access to the segment to designated processes only. The owner of a shared memory segment can change the ownership and permissions on a segment after its creation using shmctl(). Any subsequent processes that wish to attach to the segment can only do so if they have the appropriate permissions. Once attached, the process can read or write to the segment, as per the permissions that were set when the segment was created.

smaSHeM takes advantage of applications that set weak permissions on such segments, allowing an attacker to dump or patch their contents. As discussed in my presentation at 44CON 2013 entitled “I miss LSD“, in the case of many X11 applications it is possible to extract pixmaps of previously rendered GUI artifacts. When compiled with QtCore linking enabled, smaSHeM aids in that process by brute forcing potentially valid dimensions for the raw pixmap dump.
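The weak-permission condition described above, seen from the defender's side: an added C example (not part of smaSHeM or the whitepaper) that reads a segment's shm_perm.mode with shmctl(IPC_STAT) and reports whether group or other users can attach to it, demonstrated on throwaway IPC_PRIVATE segments it creates itself. The WEAK_* flags and the function names are my own.

```c
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>

/* Flags for what a segment's mode grants beyond its owner. */
#define WEAK_GROUP_READ  0x1
#define WEAK_GROUP_WRITE 0x2
#define WEAK_OTHER_READ  0x4
#define WEAK_OTHER_WRITE 0x8

/* Classify the permission bits of shm_perm.mode; a non-zero result means
 * processes other than the owner can attach (read and/or write). */
unsigned weak_bits(unsigned mode)
{
    unsigned w = 0;
    if (mode & S_IRGRP) w |= WEAK_GROUP_READ;
    if (mode & S_IWGRP) w |= WEAK_GROUP_WRITE;
    if (mode & S_IROTH) w |= WEAK_OTHER_READ;
    if (mode & S_IWOTH) w |= WEAK_OTHER_WRITE;
    return w;
}

/* Query an existing segment with IPC_STAT (the same permissions shmat()
 * enforces) and return its weak bits, or -1 if it cannot be queried. */
int audit_segment(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return (int)weak_bits(ds.shm_perm.mode & 0777);
}

/* Create a private test segment with the given mode, audit it and remove
 * it. Returns the weak bits, or -1 if System V IPC is unavailable. */
int audit_fresh_segment(unsigned mode)
{
    int shmid = shmget(IPC_PRIVATE, 4096, IPC_CREAT | (int)mode);
    if (shmid == -1)
        return -1;
    int w = audit_segment(shmid);
    shmctl(shmid, IPC_RMID, NULL);
    return w;
}

int main(void)
{
    /* 0666 is the world-attachable case smaSHeM relies on; 0600 is not. */
    printf("mode 0666 -> weak bits 0x%x\n", audit_fresh_segment(0666));
    printf("mode 0600 -> weak bits 0x%x\n", audit_fresh_segment(0600));
    return 0;
}
```

To audit a live system, feed the ids listed by `ipcs -m` to audit_segment() instead of creating fresh segments.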

Installation

$ ./configure [--with-qtcore] && make && make install

Usage

$ smaSHeM -v | -i <shmemid> -l <shmemlength> <-@ <patchoffset> -s <patchstring> | -d [-p | -c | -P | -j -x <xstart> -X <endx> -y <starty> -Y <yend>]>

Examples

Dumping the contents of a System V shared memory segment prettily:

$ smaSHeM -i 94273546 -l 459200 -d -P
0xf32fa000      00 00 00 00 1a 1a 1a 1a ........
0xf32fa008      7d 7d 7d 7d a7 a7 a7 a7 ........
0xf32fa010      af af af af af af af af ........
0xf32fa018      af af af af af af af af ........
0xf32fa020      af af af af af af af af ........
0xf32fa028      af af af af af af af af ........
0xf32fa030      af af af af af af af af ........
0xf32fa038      af af af af af af af af ........
0xf32fa040      af af af af af af af af ........
0xf32fa048      af af af af af af af af ........
0xf32fa050      af af af af af af af af ........
0xf32fa058      af af af af af af af af ........
0xf32fa060      af af af af af af af af ........
0xf32fa068      af af af af af af af af ........
0xf32fa070      af af af af af af af af ........
0xf32fa078      af af af af af af af af ........
...

Patching a segment:

$ smaSHeM -i 41779331 -l 2640 -@ 0 -s `perl -e 'print "A"x1024'`

Dumping the contents of a segment as a set of JPEGs with dimensions 0-300×30 (requires QtCore):

$ smaSHeM -i 41779331 -l 2640 -d -J -x 0 -X 300 -y 30 -Y 30
Download: smaSHeM-0.4.tar.gz (November 12, 2013, 210.0 KiB, MD5 hash: 2e30e4edd2faf5946b6c0e1a244fd0ba)

The post smaSHeM appeared first on Portcullis Labs.

I miss LSD
https://labs.portcullis.co.uk/presentations/i-miss-lsd/
Sun, 15 Sep 2013 00:48:00 +0000

Presentation on system level vulnerabilities (as given at 44CON 2013).

A wise man once said (paraphrased) “if you want to find UNIX bugs, compare and contrast the Linux and Solaris man pages”. Following on from my previous work on linker bugs and more recently AIX (at 44CON 2012), we’ll look at some of the more interesting areas of the POSIX specification, focusing on the various IPC mechanisms that can be found in modern POSIX-like operating systems as well as kernel land more generally. The talk included some new tools I’ve written (to be published in due course) to aid in this analysis, along with some discussion around how I uncovered potentially exploitable bugs in ~400 Debian GNU/Linux packages in a single day.

This talk was based around the recently released whitepaper “Memory Squatting: Attacks On System V Shared Memory“.

Tools referenced in this talk include:

Download: IML44C.pdf (September 29, 2013, 244.4 KiB, MD5 hash: 3dbaf8ee9413111d8284f4b1f2dc5aa1)

The post I miss LSD appeared first on Portcullis Labs.

UNIXSocketScanner
https://labs.portcullis.co.uk/tools/unix-socket-scanner/
Fri, 26 Apr 2013 18:16:40 +0000

UNIXSocketScanner is a UNIX domain socket scanner.

Key features

  • Multi threaded
  • Supports both internal probes format and nmap probes format

Overview

UNIX domain sockets are “files” that follow the semantics of the UNIX socket interface and can be utilised by applications to offer services to other processes that are present on the same host. Whilst it can often be clear what protocols such services support from the name of the socket and/or the process that created it, this is not always the case, especially if the process isn’t part of a well known F/OSS application.

UNIXSocketScanner allows the UNIX domain sockets offered by a given application to be enumerated using both nmap and internal probes to determine the likely protocol. As discussed in my presentation at 44CON 2013 entitled “I Miss LSD“, the results are sometimes surprising – who knew that CUPS offered HTTP over a UNIX domain socket?

Installation

UNIXSocketScanner does not require installation but simply requires that the necessary dependencies have been installed.

Usage

$ find / -type s | UNIXSocketScanner.pl [-v] -x <maximumprocess> <-p <probesfilename> | -n <nmapprobesfilename>>

Examples

Scanning the CUPS UNIX domain socket:

$ echo /var/run/cups/cups.sock | UNIXSocketScanner.pl -x 2 -n /usr/share/nmap/nmap-service-probes
I: /var/run/cups/cups.sock
I: /var/run/cups/cups.sock finished
/var/run/cups/cups.sock
+ matches nmap-response-ssl
+ matches nmap-probe-SSLSessionReq
+ matches nmap-probe-GetRequest
+ matches nmap-response-ipp
+ matches nmap-probe-SSLv23SessionReq
+ matches nmap-probe-HTTPOptions

Connecting to the CUPS UNIX domain socket manually with socat:

$ socat UNIX:/var/run/cups/cups.sock STDIO
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Tue, 12 Nov 2013 22:50:04 GMT
Server: CUPS/1.5
Content-Language: en_US
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 18 Mar 2013 14:36:53 GMT
Content-Length: 3796

Scanning the Avahi UNIX domain socket:

$ echo /var/run/avahi-daemon/socket | UNIXSocketScanner.pl -x 2 -p src/probes
I: /var/run/avahi-daemon/socket
I: /var/run/avahi-daemon/socket finished
/var/run/avahi-daemon/socket
+ matches avahi-fuck

Connecting to the Avahi UNIX domain socket manually with socat:

$ socat UNIX:/var/run/avahi-daemon/socket STDIO
FUCK
+ FUCK: Go fuck yourself!
Download: UNIXSocketScanner-0.4 tarball (5.3 KiB, MD5 hash: ccf7b78735ca12eb2d7195c1193979ba)

The post UNIXSocketScanner appeared first on Portcullis Labs.

Big Game Hunting: Simple techniques for bug hunting on big iron UNIX
https://labs.portcullis.co.uk/presentations/big-game-hunting-simple-techniques-for-bug-hunting-on-big-iron-unix/
Fri, 26 Apr 2013 18:07:33 +0000

Presentation on auditing and bug hunting on AIX (as given at 44CON 2012).

Simple techniques for bug hunting on big iron UNIX. The talk will build on the work previously done in my “Breaking The Links” paper but will focus on AIX and associated IBM products. The talk will include some new bugs as well as going through a simple methodology for finding them.

Download: BGH44C.pdf (April 26, 2013, 378.1 KiB, MD5 hash: e54c2439529af6f99f149ef34b840556)

The post Big Game Hunting: Simple techniques for bug hunting on big iron UNIX appeared first on Portcullis Labs.
