Black Hat USA 2021 Review

First of all, thanks to Orange Tsai for giving me the chance to take part in Black Hat USA 2021 in Las Vegas. This article would not exist without this ticket.

I'd like to share my thoughts and some technical details on the two days of Black Hat USA 2021 here.

The hotel and the conference venue are connected. It takes 10 minutes to walk from my room to the conference venue. It's very convenient to move between my room and the conference venue for switching between physical briefings and online briefings, considering the 20-minute gap between briefings.

Pic 1: View outside my room

Pic 2: Casino downstairs, on the way to the conference venue

Pic 4: Pools outside, a huge contrast to the conference inside

Pic 10: The hallway

Here are the briefings I attended, in chronological order.

9:00 ~ 10:00

Speaker: Matt Tait

Track: Keynote

Format: Briefings

First, Jeff Moss, the founder of Black Hat and DEF CON, did the opening, and then Matt Tait gave the keynote. Broadly, he talked at length about supply chain security awareness and issues.

Pic 3: Opening by the founder, Jeff Moss

A New Class of DNS Vulnerabilities Affecting Many DNS-as-Service Platforms

10:20 ~ 11:00

Speaker: Shir Tamari, Ami Luttwak

Tracks: CorpSec, Cloud & Platform Security

Format: Briefings

This briefing is by Wiz. It covers a hijacking problem that can arise when using DNS as a Service, using AWS Route53 as the example.

They found that in Route53, the hostname of one of its own name servers, e.g., ns-852.awsdns-42.net, can itself be registered as a hosted zone. After registering it, if that hosted zone happens to be assigned the same name server, and the A record of the zone points to our own server, we intercept a lot of Dynamic DNS traffic on that server.

In Dynamic DNS, the internal primary master server is responsible for storing the IP of every computer in the intranet, and accepts update requests from every computer to update the corresponding IP. Computers find out where the internal primary master server is by looking up the SOA record from the internal recursive DNS server.

When Route53 is in use and the internal recursive DNS server is not configured properly, computers may take the IP in the A record of the Route53 name server as the IP of the master server and send update requests to it. From these packets you can obtain the IP, the physical location of the company, and even the computer names on the intranet, and so on.

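To make concrete what an intercepted dynamic-DNS update exposes, here is an added example (my own code, not the Wiz tooling or anything shown in the talk) that builds and decodes an RFC 2136 UPDATE message using only the standard library. The zone name, hostname and IP address are constructed sample data; a real capture additionally gives you the sender's public source IP, which is where the physical-location inference in the talk comes from.

```python
"""Decode an RFC 2136 dynamic DNS UPDATE and show what it leaks.
Added example with constructed sample data, not code from the Wiz talk."""
import struct
from ipaddress import IPv4Address

OPCODE_UPDATE = 5            # RFC 2136 opcode in the DNS header flags
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN = 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Read a name at buf[off]; follows RFC 1035 compression pointers."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0 == 0xC0:                      # pointer to an earlier name
            ptr = ((n & 0x3F) << 8) | buf[off]
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            return ".".join(labels), off + 1
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def read_rr(buf, off):
    """Parse one resource record: (name, type, class, ttl, rdata, next_off)."""
    name, off = decode_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    return name, rtype, rclass, ttl, buf[off:off + rdlen], off + rdlen


def build_update(zone, host, ip, txid=0x1337):
    """Build the UPDATE a DDNS client sends to register its own A record."""
    header = struct.pack("!HHHHHH", txid, OPCODE_UPDATE << 11,
                         1, 0, 1, 0)              # ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = IPv4Address(ip).packed
    update = (encode_name(host)
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, 1200, len(rdata))
              + rdata)
    return header + zone_section + update


def parse_update(pkt):
    """Return the zone and every A record an UPDATE adds, or None if not an UPDATE."""
    txid, flags, zocount, prcount, upcount, _adcount = struct.unpack_from("!HHHHHH", pkt, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        return None
    off = 12
    zone, off = decode_name(pkt, off)
    off += 4                                      # ZTYPE + ZCLASS
    for _ in range(prcount):                      # prerequisite section: skip
        off = read_rr(pkt, off)[-1]
    records = []
    for _ in range(upcount):
        name, rtype, rclass, _ttl, rdata, off = read_rr(pkt, off)
        if rtype == TYPE_A and rclass == CLASS_IN and len(rdata) == 4:
            records.append((name, str(IPv4Address(rdata))))
    return {"txid": txid, "zone": zone, "records": records}


if __name__ == "__main__":
    # Constructed traffic: what a misdirected workstation would send to the
    # attacker-controlled "name server". Zone name = the company's AD domain,
    # record name = the workstation, rdata = its intranet IP.
    pkt = build_update("corp.example", "ws-finance-01.corp.example", "10.20.30.40")
    print(parse_update(pkt))
```

On the defensive side the check is simple: an externally hosted name server should never receive UPDATE traffic at all, so any opcode-5 packet leaving the network towards a Route53 address means the internal resolver is handing out the wrong SOA.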
There are no complicated techniques in this briefing; it's an "oh, there is such a thing" kind of talk.

Breaking the Isolation: Cross-Account AWS Vulnerabilities

11:20 ~ 12:00

Speaker: Shir Tamari, Ami Luttwak

Tracks: Cloud & Platform Security, AppSec

Format: Briefings

This briefing is by Wiz as well. It's about vulnerabilities in three AWS services.

  • AWS CloudTrail
  • AWS Config (same technique as for CloudTrail)
  • AWS Serverless Application Repository

The first one is AWS CloudTrail, which records events, exports logs, and puts them in S3 buckets. We can add a prefix to the destination path when exporting, and that is where the objects are placed. Suppose the user with Account ID 123456789012 has a bucket victims-cloudtrail-bucket; the destination path will be victims-cloudtrail-bucket/AWSLogs/123456789012. If we add the prefix abc, the path will be victims-cloudtrail-bucket/abc/AWSLogs/123456789012.

Now suppose there is an attacker with ID 133713371337. He cannot write directly to victims-cloudtrail-bucket/AWSLogs/133713371337 if he wants to write into victims-cloudtrail-bucket; there is a path check. However, if he adds the prefix AWSLogs/123456789012, making the path victims-cloudtrail-bucket/AWSLogs/123456789012/AWSLogs/133713371337, he passes the check and writes into the bucket.

AWS Config has the same vulnerability because it uses the same mechanism as CloudTrail for interacting with S3 buckets.

Then comes the AWS Serverless Application Repository, which can fetch application images and resources from S3 buckets. Surprisingly, the service did not check who owns the bucket. Anyone who knows the path of a repository bucket that grants the GetObject action can have data fetched from that bucket.

These techniques are not sophisticated. I think the hard part is that there are more than 200 services in AWS. With all the combinations of services, these vulnerabilities are not that easy to find.

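An added example (my code, not Wiz's or AWS's) modelling the CloudTrail/Config path confusion described above. It reduces S3 bucket-policy evaluation to a resource glob match plus StringEquals conditions, which is a simplification of IAM but enough to show why a policy that only scopes the resource to AWSLogs/<victim-id>/* accepts the attacker's nested key, and why adding the aws:SourceAccount condition that AWS documents for CloudTrail bucket policies closes it. Account IDs, bucket name and key layout follow the text; the helper names and the log-file path are mine.

```python
"""Model of the CloudTrail/Config S3 path confusion and the bucket-policy fix.
Added example; the evaluator is a toy, not IAM, and this is not Wiz's tooling."""
import fnmatch

BUCKET = "victims-cloudtrail-bucket"
VICTIM, ATTACKER = "123456789012", "133713371337"


def cloudtrail_bucket_policy(bucket, account, with_source_account=True):
    """Bucket policy granting cloudtrail.amazonaws.com write access.

    with_source_account=False reproduces a policy that scopes only the object
    path. aws:SourceAccount ties the grant to the account that owns the trail,
    so a trail in another account cannot use the service principal as a proxy."""
    cond = {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    if with_source_account:
        cond["StringEquals"]["aws:SourceAccount"] = account
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AWSCloudTrailWrite",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account}/*",
            "Condition": cond,
        }],
    }


def trail_object_key(prefix, account):
    """Key CloudTrail writes for a trail: [<prefix>/]AWSLogs/<account>/... (path assumed)."""
    base = prefix.strip("/") + "/" if prefix else ""
    return f"{base}AWSLogs/{account}/CloudTrail/us-east-1/2021/08/05/log.json.gz"


def put_allowed(policy, bucket, key, source_account):
    """Toy evaluator: resource glob plus StringEquals conditions, Allow only.
    IAM wildcards match '/' too, which fnmatch reproduces."""
    ctx = {"s3:x-amz-acl": "bucket-owner-full-control",
           "aws:SourceAccount": source_account}
    resource = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "s3:PutObject":
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(ctx.get(k) == v for k, v in conds.items()):
            return True
    return False


def scenario(with_source_account):
    """Return (victim_write_ok, attacker_write_ok) under the chosen policy."""
    policy = cloudtrail_bucket_policy(BUCKET, VICTIM, with_source_account)
    victim_key = trail_object_key("", VICTIM)
    # The attacker sets the prefix to "AWSLogs/<victim id>" on a trail in his
    # own account, so his key nests under the path the policy allows.
    attacker_key = trail_object_key(f"AWSLogs/{VICTIM}", ATTACKER)
    return (put_allowed(policy, BUCKET, victim_key, VICTIM),
            put_allowed(policy, BUCKET, attacker_key, ATTACKER))


if __name__ == "__main__":
    print("path-only policy      (victim, attacker):", scenario(False))
    print("with aws:SourceAccount (victim, attacker):", scenario(True))
```

The same idea applies to the Serverless Application Repository case: whenever a service acts on a bucket on your behalf, the bucket policy needs a condition on who asked (aws:SourceAccount or aws:SourceArn), not just a path match.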
All-Purpose Remote Access Trojan

12:00 ~ 13:00

Speaker: David Hunt, Alex Manners

Tracks: Malware Offense

Format: Arsenal

In Black Hat Arsenal, each speaker introduces their open-source tools. As long as there is no Briefing at the time, I try to attend an Arsenal.

This one introduces Pneuma, an agent that can be used with a C2.

The C2 demonstrated by the speaker is Prelude Operator. Pneuma supports several protocols (gRPC, TCP, UDP, and HTTP) and two operating systems. Since it is open source, users can easily customize Pneuma, for example by adding commands.

Another Road Leads to the Host: From a Message to VM Escape on Nvidia vGPU

13:30 ~ 14:10

Speaker: Wenxiang Qian

Tracks: Exploit Development, Network Security

Format: Briefings

This is one of the briefings I was looking forward to. It's about using Nvidia's vGPU to escape from the virtual environment. I'm always very excited by every escape-related talk.

nvidia-vgpu-mgr runs on the host machine, handling vRPC messages from the guest machine.

There are various kinds of vRPC commands; one of them, 0x35 – rpc_update_pde_2, can be used to leak the stack pointer, for bypassing ASLR.

When handling 0x1A – rpc_dma_control, it copies data from the message into memory. Since there is no bounds check, a heap overflow occurs. The overflowed region is then used as an argument to the function set_item_value, which performs an unlink on a linked list and calls mmap.

With the help of the unlink we can overwrite the GOT entry of mmap with the address of a ROP gadget; after that, the call to mmap gives us RCE.

That covers the big picture. What follows is the problem the presenter ran into. There is no useful gadget on the stack, so he uses 0x3C – rpc_get_engine_utilization to place items on the stack.

When copying the data, it skips between bytes, leaving many 4-byte zeros on the heap. We can treat them as 0, as the upper 4 bytes of an address, or use a pop operation to get past them.

In conclusion, I think it's very interesting to build an exploit chain out of vRPC messages. I only mention some of the details above. If you read the presenter's slides, you will see that it is a time-consuming job.

Diving Into Spooler: Discovering LPE and RCE Vulnerabilities in Windows Printer

14:30 ~ 15:00

Speaker: Zhiniang Peng, XueFeng Li, Lewis Lee

Tracks: Applied Security, Exploit Development

Format: Briefings

This is a briefing from Sangfor. I wanted to attend this briefing mainly because the recent PrintNightmare is a vulnerability in the Print Spooler, and I want to know more about this program.

The speakers started with CVE-2020-1048 and presented various Print Spooler vulnerabilities from the past two years: from arbitrary file write leading to privilege escalation, bypasses with symbolic links, UNC paths and NTFS alternate data streams, to an arbitrary delete that was introduced by one of the patches. They kept fixing the Print Spooler.

And this year, memory corruption, several RCEs, finally making PrintNightmare the winner of "Most Epic Fail" and a nominee for "Best Server-Side Bug". CVE-2020-1048 and CVE-2020-1337 are nominees for "Best Privilege Escalation Bug". CVE-2021-1675 is a nominee for "Best Server-Side Bug". All from the Pwnie Awards. Microsoft is everywhere, along with other vulnerabilities like ProxyLogon. Are they doing product placement? I don't know. But I'm sure they are important in the security field now, not sure whether it's good or bad for them though.

So many vulnerabilities are coming out of the Print Spooler. The conclusion from the speakers makes perfect sense:

"Disable your spooler if you don't need it."

Put in One Bug and Pop Out More: An Effective Way of Bug Hunting in Chrome

15:20 ~ 16:00

Speaker: Leecraso, Rong Jian, Guang Gong

Tracks: AppSec, Exploit Development

Format: Briefings

This briefing is about how to find new bugs from old bugs in Chrome. They write patterns for CodeQL to find more bugs of the same kind.

There are three parts:

  1. From old vulnerabilities, they found that UAFs easily happen with RenderFrameHost pointers. Adding some restrictions, such as requiring that the class holding the RenderFrameHost pointer not derive from FrameServiceBase (which cleans up the RenderFrameHost pointer), reduces the false positives.
  2. The next step is to apply some mutations. They tried to find UAFs from pointers that are accessed after being erased in some unexpected conditional branch.
  3. The last one is WeakPtr optimization. If no null check is performed, the access easily becomes a null pointer dereference, which crashes the program. However, if optimization is enabled when compiling the program, it may not crash and instead turns into a UAF.

In conclusion, I think writing patterns after analysis and then using CodeQL to find vulnerabilities is a really effective approach.

Locknote: Conclusions and Key Takeaways from Day 1

16:20 ~ 17:00

Speaker: Jeff Moss, Stephanie Domas, Alex Ionescu, Kymberlee Price, Chris Rohlf

Track: Keynote

Format: Briefings

This briefing is for guests to chat with the host on stage, like a live talk show. This is not unique to the US; I have seen the same kind of briefing at a security conference in Taiwan.

What impressed me most is that almost everyone on stage had a bottle of beer. I personally like that kind of feeling. Some exchanges, some discussions, telling others your ideas, with beer, relax ~

Pic 5: Jeff Moss holds the rundown in one hand and the beer in the other, coooool

Pwnie Awards

17:30 ~ 18:30

Pic 6: The Pwnie Awards

Actually, not many people came to the venue for the Pwnie Awards. I think there are mainly two reasons. One is that this event is not promoted on the Black Hat webpage. The other is that there are a lot of happy-hour social events at the same time.

The presenters had prepared jokes between the awards, and the presenters rotate. It really feels like a large-scale awards ceremony.

I personally think the most interesting part of the Pwnie Awards is that there are awards like "Lamest Vendor Response" and "Most Epic Fail", letting everyone know what ridiculous things happened in the security industry in the past year. It's also a reminder to vendors of the many things they should be aware of. After all, vulnerabilities are not only about hackers; vendors should cooperate and do their best to minimize the damage.

Moreover, I think these awards not only honor the nominees and winners, but also have the benefit of being semi-motivating for people who want to take part and learn more. It's like the "Song of the Year" at the Golden Melody Awards. If you are interested in this award, you should listen to every song at least once after the nominees are announced. Otherwise, on the day of the award, a song wins, and you have no way to come up with further thoughts such as "Ah, I actually like another song more. It's a pity that it didn't get the award" or "I didn't expect this song to win the award, but the idea behind this song is indeed very interesting." In the same way, when the research is in front of you and you want to take part in this awards ceremony, then understanding the general idea behind every piece of research is something you should do. Otherwise, you will only see a bunch of awards and the corresponding winners, but have no idea about the meaning and reason behind each of the awards and the research.

Here is the website of the Pwnie Awards; there are external resources for almost every nominee.

Pic 7: And congratulations to Orange Tsai for winning Best Server-Side Bug

Business Hall

The Business Hall is where the vendors are; it is on the first floor of the Mandalay Bay Convention Center (P.S. Briefings are on the second and third floors). It lasts for two days, and it is a really nice place. Luckily, I went to CyberSec this year, so I can make a comparison. The difference between the two is that Black Hat has food, alcohol, and live performances, making it a more casual place for vendors. I guess it's because of the cultural difference.

Pic 11: Business Hall

Pic 12: There are several mini bars

Pic 13: CrowdStrike shows three giant figures

Pic 14: Live Band

Pic 15: Food Stand

Turing in a Box: Applying Artificial Intelligence as a Service to Targeted Phishing and Defending Against AI Generated Attacks

10:20 ~ 11:00

Speaker: Eugene Lim, Glenice Tan, Tan Kee Hock, Timothy Lee

Tracks: Human Factors

Format: Briefings

Pic 8: Research from the Government Technology Agency, Singapore

This briefing is from Singapore, about using AI as a Service (AIaaS) for phishing and how to stop it. I chose this one because I'd like to get an update on what AI can do in the security field.

They mention that the GPT-3 API from OpenAI is not only very powerful, but also offers a "text in, text out" environment that is convenient for users. When the basic information about the target is supplied to the AI, it can generate a phishing email for that target. Although the email still needs manual inspection and minor modification, I think this will get better in the near future, towards fully automated generation without any human modification.

In the second half of the briefing, they mention that although AI-generated phishing emails are effective and automatic detection is very difficult, it is not completely impossible to handle. You can build a model from the word sequence, the entropy of the predicted distribution, and the absolute rank of each word, to check whether the email was automatically generated by an AI, but the result is not guaranteed. It depends on the phishing email model.

Finally, they talk about the regulation of the GPT-3 API. OpenAI has a strict process governing the use of the GPT-3 API, which means malicious usage is not allowed. But with more providers of AIaaS, it will be much harder to control, and that is where malicious usage of GPT-3-style APIs comes in.

I think this is what cybersecurity is. As the offense gets better, the defense gets better, and then the offense gets better again, but the defense can still catch up since the technology and techniques available to all sides are the same. The same goes for vulnerabilities. Your latest attack method will be blocked by a patch soon, and even after it is patched, there are still vulnerabilities in other places or in new features.

Keep learning, keep making progress, for you and me XD

I'm a Hacker Get Me Out of Here! Breaking Network Segregation Using Esoteric Command & Control Channels

11:20 ~ 12:00

Speaker: James Coote, Alfie Champion

Tracks: Network Security, Defense

Format: Briefings

This briefing is from F-Secure. It's about ways to connect the C2 and the client even though there is no direct internet connection between them.

The tool used is C3, the open-source tool from F-Secure.

The presenters provide two references:

  1. Using and detecting C2 printer pivoting
  2. Attack Detection Fundamentals: Discovery and Lateral Movement – Lab #3

They introduce four methods:

  1. C2 into VMs via vCenter and Guest Additions
  2. C2 using arbitrary network printers and print jobs
  3. C2 over Remote Desktop mapped drives and file shares
  4. C2 using LDAP attributes

The presenters explained in detail the circumstances, limitations, and ideas behind each of the four methods, and how to implement them.

Logs, loaded modules, and even particular kinds of connection patterns may indicate that such a method is being used.

In the end, the presenters conclude that when we need to isolate an environment, we should make sure that it is completely isolated; if there is a connection to a printer, for example, that may be an implicit connection route.

We have to think about how to detect such a situation, and whether we can go further towards complete isolation.

C2 is not necessarily used to do bad things. Someday I may just need to control a machine without a direct connection. Then C3 and the content presented in this briefing can serve as a reference for my future deployment.

reNgine: An Automated Reconnaissance Framework

12:00 ~ 13:00

Speaker: Yogesh Ojha

Tracks: Web AppSec

Format: Arsenal

This is an Arsenal session introducing the open-source tool reNgine. As the title says, it is an automated reconnaissance framework.

There are various features; the most interesting part for me is filtering and correlation. For example, it can quickly list the subdomains with port 22 open, or the subdomains running Apache. It has great visualization modules, which show the big picture of the target.

Moreover, it has an "Interesting" tag feature. Users can set it up, and the matching results get this tag. They can also set up notifications for these matches. For now, it supports Slack, Discord, and Telegram.

It has a history comparison feature. For a single target, it can compare the previous scan to the latest one, so users can see the differences between the two scans immediately. It also supports proxies, and sends requests from a random one, preventing a potential ban.

I think it is a really great tool. For recon, if the target is big, we may get a lot of data. With this tool, all the data is organized, we can apply various filters, and it gives us a clear visualization graph. I should try it someday.

HTTP/2: The Sequel is Always Worse

13:30 ~ 14:10

Speaker: James Kettle

Tracks: AppSec, Cloud & Platform Security

Format: Briefings

This is one of the briefings I was most looking forward to: HTTP/2 vulnerabilities by James Kettle from PortSwigger.

In summary, HTTP/2 downgrades create a lot of tricky issues in the backend. Once a request is downgraded to HTTP/1.1, the guarantees HTTP/2 provides (binary framing of headers and a body length that does not depend on a header) are generally discarded with it, and the old request-smuggling problems come back.

According to the presenter, if no downgrade happens, most of the vulnerabilities would not exist (except for URL prefix injection).

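An added illustration of the downgrade problem (my code, not PortSwigger's, and not modelled on any particular front end). It puts an HTTP/2 to HTTP/1.1 rewriter that forwards header fields verbatim next to one that applies the checks a front end should make before downgrading: reject CR/LF and invalid characters in names and values, drop connection-specific fields such as transfer-encoding that HTTP/2 forbids, and derive content-length from the actual body instead of trusting the client's value. The header lists and bodies are constructed test data.

```python
"""HTTP/2 -> HTTP/1.1 downgrade: a verbatim rewriter beside a validating one.
Added example; the header sets below are constructed test data."""
CRLF = "\r\n"
# Connection-specific fields that HTTP/2 forbids (RFC 7540 section 8.1.2.2);
# a front end must not resurrect them when it writes the HTTP/1.1 request.
FORBIDDEN = {"transfer-encoding", "connection", "keep-alive", "upgrade", "proxy-connection"}
# HTTP/2 field names are lowercase tokens; anything else is a framing risk.
TOKEN = set("!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyz")


class BadRequest(ValueError):
    pass


def _split(headers):
    pseudo = {k: v for k, v in headers if k.startswith(":")}
    regular = [(k, v) for k, v in headers if not k.startswith(":")]
    return pseudo, regular


def naive_downgrade(headers, body=b""):
    """Forward every HTTP/2 field verbatim: the behaviour that enables smuggling."""
    pseudo, regular = _split(headers)
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"host: {pseudo[':authority']}"]
    lines += [f"{k}: {v}" for k, v in regular]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1") + body


def strict_downgrade(headers, body=b""):
    """Validate before serialising; raise BadRequest instead of guessing."""
    pseudo, regular = _split(headers)
    for key in (":method", ":path", ":authority"):
        value = pseudo.get(key, "")
        if not value or any(c in value for c in " \r\n\0"):
            raise BadRequest(f"bad pseudo-header {key}")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1",
             f"host: {pseudo[':authority']}"]
    for k, v in regular:
        if not k or set(k) - TOKEN:
            raise BadRequest(f"bad field name {k!r}")
        if any(c in v for c in "\r\n\0"):
            raise BadRequest(f"CR/LF in value of {k}")
        if k in FORBIDDEN:
            raise BadRequest(f"connection-specific field {k}")
        if k == "content-length":
            continue                       # never trusted; recomputed from the body
        lines.append(f"{k}: {v}")
    if body or pseudo[":method"] in ("POST", "PUT", "PATCH"):
        lines.append(f"content-length: {len(body)}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1") + body


def rejected(headers, body=b""):
    """True if the strict rewriter refuses the request."""
    try:
        strict_downgrade(headers, body)
    except BadRequest:
        return True
    return False


# Constructed: header-value CRLF injection. HTTP/2 carries values as binary,
# so "\r\n" inside a value is legal on the wire but becomes a new header line
# after a verbatim downgrade, here resurrecting transfer-encoding.
INJECTED = [(":method", "POST"), (":path", "/"), (":authority", "example.com"),
            ("x-trace", "1\r\ntransfer-encoding: chunked")]
# Constructed: H2.CL. HTTP/2 frames the body itself, so the client's
# content-length is redundant; forwarding "0" leaves the back end to read the
# real body as the start of the next request on the connection.
H2_CL = [(":method", "POST"), (":path", "/"), (":authority", "example.com"),
         ("content-length", "0")]
SMUGGLED_BODY = b"GET /admin HTTP/1.1\r\nhost: example.com\r\n\r\n"

if __name__ == "__main__":
    print(naive_downgrade(INJECTED).decode("latin-1"))
    print("strict rejects injection:", rejected(INJECTED))
    print(naive_downgrade(H2_CL, SMUGGLED_BODY).decode("latin-1"))
    print(strict_downgrade(H2_CL, SMUGGLED_BODY).decode("latin-1"))
```

The pattern to look for in your own front end is the same: any place that turns an HTTP/2 field into text without rejecting CR, LF and a client-supplied content-length is a downgrade that discards HTTP/2's protections.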
Here is the blog post from PortSwigger, with videos included.

Also, PortSwigger has released Burp Suite 2021.8, which adds many features for HTTP/2. Go get it and play with it if you are interested.

P.S. At the time of reviewing this post, it has reached Burp Suite 2021.8.1.

Can You Hear Me Now? Remote Eavesdropping Vulnerabilities in Mobile Messaging Applications

14:30 ~ 15:00

Speaker: Natalie Silvanovich

Tracks: Mobile, AppSec

Format: Briefings

This briefing is from Google, presenting vulnerabilities related to calling state machines.

The presenter analyzed many mobile messaging applications and found many vulnerabilities related to their calling state machines, including in Signal, Facebook Messenger, JioChat, Mocha, and Google Duo. They allow calls to be connected without user interaction.

The reason behind this is that before the caller and callee establish the connection, a lot of messages are exchanged, either through servers in the middle or directly. If we mess up the order of the messages, or change the direction in which a message is sent, it may confuse the state machine, which results in audio and video transmission without consent.

Nobody would want their phone to turn on the camera or the microphone and transmit to the other end, right?

In conclusion, developers should be careful when designing calling state machines. They should be aware of unusual conditions. Also, this research focuses on one-to-one connections; group calls may have other related issues for further research.

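An added example (my code, not from the talk or any of the apps named above) of the design point: a callee that enables media whenever a "connect" message arrives, regardless of its state, beside one driven by an explicit transition table that only reaches CONNECTED after the local user has accepted, and records anything out of order instead of acting on it. The event names and sequences are constructed.

```python
"""Call-signalling state machine: permissive handler vs transition table.
Added example with constructed events; not code from any messaging app."""
from enum import Enum, auto


class CallState(Enum):
    IDLE = auto()
    RINGING = auto()      # offer received, user not yet asked
    ACCEPTED = auto()     # local user pressed answer
    CONNECTED = auto()    # media may flow


class NaiveCallee:
    """Turns media on whenever 'connect' arrives; state is only bookkeeping."""

    def __init__(self):
        self.state = CallState.IDLE
        self.media_on = False

    def handle(self, event):
        if event == "offer":
            self.state = CallState.RINGING
        elif event == "user_accept":
            self.state = CallState.ACCEPTED
        elif event == "connect":
            self.media_on = True               # no check that the user accepted
            self.state = CallState.CONNECTED
        elif event == "hangup":
            self.media_on = False
            self.state = CallState.IDLE


class StrictCallee:
    """Only the listed (state, event) pairs are legal; anything else is dropped."""
    TRANSITIONS = {
        (CallState.IDLE, "offer"): CallState.RINGING,
        (CallState.RINGING, "user_accept"): CallState.ACCEPTED,
        (CallState.ACCEPTED, "connect"): CallState.CONNECTED,
        (CallState.RINGING, "hangup"): CallState.IDLE,
        (CallState.ACCEPTED, "hangup"): CallState.IDLE,
        (CallState.CONNECTED, "hangup"): CallState.IDLE,
    }

    def __init__(self):
        self.state = CallState.IDLE
        self.media_on = False
        self.rejected = []                    # out-of-order events, for logging

    def handle(self, event):
        nxt = self.TRANSITIONS.get((self.state, event))
        if nxt is None:
            self.rejected.append((self.state.name, event))
            return
        self.state = nxt
        self.media_on = nxt is CallState.CONNECTED   # media tied to one state only


def run(callee, events):
    """Feed events in order; return whether media ended up enabled."""
    for e in events:
        callee.handle(e)
    return callee.media_on


# Constructed sequences. In the attack the caller sends 'connect' straight
# after the offer, before the callee's user has answered.
NORMAL = ["offer", "user_accept", "connect"]
ATTACK = ["offer", "connect"]

if __name__ == "__main__":
    print("naive, attack :", run(NaiveCallee(), ATTACK))
    strict = StrictCallee()
    print("strict, attack:", run(strict, ATTACK), strict.rejected)
```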
ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!

15:20 ~ 16:00

Speaker: Orange Tsai

Tracks: AppSec, Exploit Development

Format: Briefings

This is also one of the briefings I was most looking forward to. It's the Microsoft Exchange Server vulnerabilities by Orange Tsai from DEVCORE. Starting from a Facebook post that just said 惹 and lasting for several months, basically everyone who follows security news has heard of this Exchange Server issue. Just not the technical details.

This briefing covers ProxyLogon, ProxyOracle, and ProxyShell, all in one, highly recommended.

Here is the blog post from DEVCORE, with videos and slides included. Please read it yourself.

Timeless Timing Assaults

Speaker: Tom Van Goethem, Mathy Vanhoef

Tracks: Network Security, AppSec

Format: Briefings

I caught up on this online briefing after Black Hat USA 2021. Traditional timing attacks are affected by the transmission across networks, which makes them difficult to carry out in the real world. A small delay between routers can make a huge difference to the .

In this briefing, the presenters introduce the timeless timing attack, which has three requirements:

  1. Requests need to arrive at the server at the same time
  2. The server needs to process the requests concurrently
  3. The response order needs to reflect the difference in execution time

And three attack scenarios:

  1. direct timing attack
  2. cross-site timing attack
  3. Wi-Fi authentication

The big idea is to put two requests in one packet, one as the test and the other as the baseline. They arrive at the same time and are processed concurrently. The attacker observes the order of the responses and leaks secret information from it.

With such a technique, we are not affected by network jitter at all, unlike the traditional timing attack.

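An added simulation (mine, not the authors') of why the two approaches differ. Network delay is drawn once per packet: the classic attack sends the test and baseline requests separately, so each sees its own delay, while the timeless attack puts both in one packet and only observes which response comes back first, so the shared delay cancels out. The timing constants are constructed, and the model assumes both responses travel back over the same path, which is what makes the response order meaningful.

```python
"""Classic vs timeless timing measurement under network jitter.
Added simulation with constructed timing constants; not the authors' code."""
import random

BASE_US = 1000.0          # server processing time of the baseline request (microseconds)
DIFF_US = 50.0            # extra time the secret-dependent branch costs: the signal
SERVER_NOISE_US = 5.0     # server-side noise, independent per request
JITTER_MEAN_US = 5000.0   # one-way network delay, exponential, 100x the signal


def service_time(is_test, rng):
    """Server-side execution time; only this carries the secret-dependent signal."""
    return BASE_US + (DIFF_US if is_test else 0.0) + rng.gauss(0.0, SERVER_NOISE_US)


def network_delay(rng):
    return rng.expovariate(1.0 / JITTER_MEAN_US)


def classic_hit_rate(rng, trials):
    """Two separate requests, two independent network delays, compare the RTTs.
    Returns the fraction of trials in which the test request looked slower."""
    hits = 0
    for _ in range(trials):
        rtt_base = network_delay(rng) + service_time(False, rng)
        rtt_test = network_delay(rng) + service_time(True, rng)
        hits += rtt_test > rtt_base
    return hits / trials


def timeless_hit_rate(rng, trials):
    """Both requests in one packet: same delay in, processed concurrently, and
    the attacker only observes which response is first."""
    hits = 0
    for _ in range(trials):
        arrival = network_delay(rng)              # shared by both requests
        done_base = arrival + service_time(False, rng)
        done_test = arrival + service_time(True, rng)
        hits += done_test > done_base             # response order is the signal
    return hits / trials


def compare(seed=1, trials=500):
    """Run both methods with the same seed and trial count."""
    return {"classic": classic_hit_rate(random.Random(seed), trials),
            "timeless": timeless_hit_rate(random.Random(seed), trials)}


if __name__ == "__main__":
    print(compare(seed=1, trials=2000))
```

With jitter two orders of magnitude above the signal, the classic per-trial comparison is a coin flip and only averages out after a number of samples that grows with the square of the jitter-to-signal ratio, while the ordering observation is right essentially every time.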
There are slides for most of the briefings. You can get them from the Black Hat USA 2021 site.

Some people may wonder why I did not go to DEF CON as well. That is because DEF CON requires attendees to be fully vaccinated, and I don't meet the requirement. I hope I can go to DEF CON someday in the future.

I'm very lucky to have received one of the student scholarships from Orange Tsai.

I really learned a lot from it, and I encourage everyone to attend Black Hat if you are interested.

Thanks to all the researchers and staff of Black Hat USA 2021.

If you have any questions, feel free to contact me.
