My keynote from CypherCon 7 is now online: 25 Years of Years of Vulnerability. Thanks again to Michael Goetzman and the whole @CypherCon crew for a warm welcome and an amazing event!
home > posts
I am super excited to speak at Black Hat USA this year with Rob King (@lorddimwit) Our work, "Secure Shells in Shambles", dives deep into the Secure Shell protocol, its popular implementations, what's changed, what hasn't, and how this leads to unexpected vulnerabilities and novel attacks. An open source tool, dubbed "sshamble", will be demonstrated, which reproduces these attacks and opens the door for further research.
#BHUSA #vulnerability #infosec
- https://www.blackhat.com/us-24/briefings/schedule/#secure-shells-in-shambles-40393
Some of the announced talks that I am looking forward to include:
* Super Hat Trick: Exploit Chrome and Firefox Four Times: Nan Wang, Zhenghang Xiao, & Xuehao Guo
* Securing Network Appliances: New Technologies and Old Challenges: Vladyslav Babkin
* Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! Orange Tsai
* Listen to the Whispers: Web Timing Attacks that Actually Work: James Kettle
* Project Zero: Ten Years of 'Make 0-Day Hard': Natalie Silvanovich
* Nope, S7ill Not Secure: Stealing Private Keys From S7 PLCs: Nadav Adir, Alon Dankner, Eli Biham, Sara Bitan, Ron Freudenthal, Or Keret
* Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap: Alex Plaskett, Robert Hererra
* Bugs of Yore: A Bug Hunting Journey on VMware's Hypervisor: Zisis Sialveras
* Crashing the Party: Vulnerabilities in RPKI Validation: Niklas Vogel, Donika Mirdita, Haya Schulmann, Michael Waidner
* OVPNX: 4 Zero-Days Leading to RCE, LPE and KCE (via BYOVD) Affecting Millions of OpenVPN Endpoints Across the Globe: Vladimir Tokarev
* Surveilling the Masses with Wi-Fi Positioning Systems: Erik Rye
* Terrapin Attack: Breaking SSH Channel Integrity by Sequence Number Manipulation: Fabian Bäumer
I fell into a rabbit hole today on memcmp() timing analysis for a remote service that verifies a MD5 digest... hours later, it's clear that due to compiler optimizations this is _really_ hard to exploit on most 64-bit machines (it can turn into 2^64 brute force in many cases).
Any tips on modern (remote) timing analysis of memcmp() implementations?
Also, Erlang should probably stop using memcmp() for cookie digest verification.
runZero 3.7 is live with support for custom integrations, a new python SDK, a Service Now Graph Connector, and a bucket of new fingerprints and protocols. The hosted scan engines now support scanning up to a /8 at a time on all ports (!). Free trials (and a free tier) even if you don't want to share a corporate email address:
https://www.runzero.com/blog/runzero-3.7/Today’s fun turtle-chasing[0] moment was trying to understand how a python application validated TLS certificates. The application relies on the certifi package[1], which is built from the python-certifi github repository[2]. Both of these describe the source of this data as Mozilla, but they actually call an endpoint on the https://mkcert.org service hosted on Digital Ocean[3], which is built from the Lukasa/mkcert github repository[4]. The mkcert repository uses a Mercurial repository URL hosted by Mozilla[5]. This is fed by Mozilla’s CA inclusion process[6].
Even ignoring the Mozilla CA process, the number of people and companies involved in bringing a static PEM file into your python application is mind-boggling.
0. https://en.wikipedia.org/wiki/Turtles_all_the_way_down
1. https://pypi.org/project/certifi/
2. https://github.com/certifi/python-certifi/blob/master/Makefile
4. https://github.com/Lukasa/mkcert
5. https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
6. https://wiki.mozilla.org/CA/Included_Certificates
The unintentional irony of the mkcert.org landing page is 😘