ZeroNights 2016 + HackQuest Announcement

By a good tradition, we share with you the news of the ZeroNights conference program, our expectations from the event, look forward to new topics and discussions, rejoice at new speakers and participants. Below we will present the news of the program and tell a little about each report that you will be able to hear on ZN.
Main program
Key Conference Speaker - Michael Ossmann
Welcome to the Physical Level
Each ZeroNights conference is a new world with its own characteristics, opportunities for discoveries and achievements. The research universe has no boundaries.
It is no coincidence that as the keynote speaker at ZN 2016, we chose Michael Ossmann, a well-known researcher in the field of security of wireless systems, a developer of hardware for highly qualified IT experts. Michael is a wireless security researcher and hardware developer for hackers. Known for his open source projects, HackRF, Ubertooth, and Daisho, Michael founded the Great Scott Gadgets project so that researchers can use promising new tools.
Michael will open the door to the new world of ZN with a report entitled “Welcome to the Physical Level”, inviting us to witness a new discovery. Together we will go through the thorns of abstractions and encapsulations, along paths overgrown with obscurity and ignorance, and eventually reach a point at which all our theories and hypotheses will be confirmed. You will witness miracles previously seen only by the brave discoverers of methods such as Packet-In-Packet and Rowhammer. In the wilds of the physical level, we will find long-beaten paths and again go through them, going deeper into the dense jungle of vulnerabilities that grew next to absolutely explored areas. The physical level, which is the simplest but often underestimated, and from which, in fact, it all begins, opens up new possibilities.
Michael Ossmann gained fame thanks to the open source projects HackRF, Ubertooth, and Daisho, founded the Great Scott Gadgets project so that innovative researchers can use new promising tools.
⬝ Link →
Speakers - Rodrigo Rubira Branco and Rohit Mothe
DPTrace tool: dual-purpose tracing for analyzing potential vulnerabilities
Speakers will present the results of their research, in which they examined the possibilities of practical exploitation of software vulnerabilities using failure analysis. The task was to create a holistic approach with feedback, which helps the researcher to determine the possibility of exploiting a software failure (or error), as well as the degree of its impact. As a result, a system of semi-automatic failure analysis was obtained, which allows to accelerate the work of creating exploits.
⬝ Link →
Speakers - Thomas DEBIZE , Mahdi BRAIK Mahdi BRAIK
Hadoop Safari - Vulnerability Hunting The
so-called “Big Data” is one of the most popular areas in IT at the moment due to the need for volume analysis of constantly growing traffic. Many companies are now working in this direction, deploying clusters on Hadoop - the most "modern" framework for working with Big Data today.
The speakers will talk about Hadoop security problems or even “concepts”, as well as show many different attack vectors for the cluster. Students will learn how to access the coveted Data Lake repository after connecting their laptop to the target network.
⬝ Link →
Speaker - Matthias Deeg
About mice and keyboards: guard the security of modern wireless input
devices Wireless input devices have become very popular over the past couple of years. From an attacker's point of view, these wireless devices are an attractive target that allows you to take control of your computer system and get such important data as passwords.
The speaker will present the results of his own research, demonstrate methods of attacks on wireless input devices using various vulnerabilities as an example.
⬝ Link →
Speaker - Angel Villegas
“FIRST”: a new look at reverse engineering A
reverse engineer takes a decent amount of time to determine if a file is malicious or not. When using disassemblers, for example, IDA Pro, it can analyze the same processes on several files during their life cycle. It doesn’t matter if static libraries are used, code re-execution slows down the reverse process. This presentation will present the new FIRST reverse engineering tool - Function Identification and Recovery Signature Tool - a solution for obtaining information about similar functions, which allows to reduce analysis time and provide information exchange.
⬝ Link →
Speaker - Enrique Nissim
I know the address of your page: derandomizing the address space of the kernel of the latest version of Windows 10
The latest version of Windows 10 (Anniversary Update) again raised the bar for successful exploitation of the vulnerability in the kernel. Microsoft took a step forward when it stopped the leak of GDI objects in the kernel, which was widely used after the infamous exploit of a group of hackers. Also, with the advent of page memory randomization, the system uses ASLR in kernel mode (KASLR), which requires a memory leak to gain control of the RIP using the ROP or DKOM method.
This presentation will feature an attack called DrK, “De-randomizing Kernel Address Space”, which was presented at the Blackhat 2016 conference and is applicable to the randomization of the PML4 structure. By combining TSX instructions and a few tricks, it is possible to determine the exact placement of the “PML4 SelfRef Entry”. After that, all known attacks on the page organization of memory can be carried out as if KASLR did not exist at all.
Speaker - Ayoub Elaassal CICS
Fall: Into the Transaction World Through Hacking
CICS - The Customer Information Control System is the most widely used transaction processing system in the world through which more than 20 billion transactions pass daily. It is mainly deployed on IBM z / OS systems.
In fact, with a high probability it can be assumed that when a person withdraws money from the account, CICS applications are used at some stage of the operation. This also applies to various banking operations, including creating an account, managing returns, paying taxes, etc.
The report will dispel myths around this important system, the speaker will also explain how it works, and will pay close attention to how to abuse some of its functions in order to read and edit business files with impunity, gain access to other applications, remotely execute code without authentication ...
The report will present the Cicspwn tool, designed to help penetration testers to verify the security of the CICS system and exploit its key vulnerabilities.
⬝ Link →
Speaker - Patrick Wardle
Deceive death - we hide in recovery mode to survive after reinstalling OS X
Traveling with your Mac to exotic countries and catch a virus? Experience dictates: clean and reinstall OS! On a Mac, you can switch to the “recovery mode” of the OS, clean up the infected volume, and then install clean OS X. Unfortunately, this will not work anymore.
The report will reveal malicious code that can infect OS in recovery mode (directly from OS X), which allows it to survive a complete reinstallation of OS X. But do not panic! We will discuss OS recovery ideas for recovery.
⬝ Link →
Speakers - Ilya Safonov , Alexander Matrosov
Excite Project: The Truth About Symbols for BIOS Protection
Researchers are working on an Excite project that uses the S2E (Selection Symbolic Execution) platform and Intel's Simics virtual platform to look for vulnerabilities in the BIOS, including such a well-known class vulnerabilities like SMM call-out. All tools and approaches in this report are considered within the framework of real vulnerabilities that were discovered with their help. It will also discuss the limitations and problems that occur when using the character execution approach to ensure BIOS security.
⬝ Link →
Speaker - Alexander Ermolov
Guarding rootkits: Intel BootGuard
Intel BootGuard is a new technology for hardware BIOS protection against modifications that the computer system vendor can permanently turn on at the production stage. The report will tell in detail about the technology itself, about related and non-related undocumented subsystems (Intel ME, boot code inside the CPU and not only). Listeners will also learn about how, over the years, a cloned mistake in the production of several vendors allows a potential attacker to use this technology to create a hidden rootkit in an undeletable (even programmer) system.
⬝ Link →
Speakers - Roman Bazhin and Maxim Malyutin
JE TPLOW is dead, long live JETPLOW!
The NSA software documents published by Edward Snowden made a lot of noise. However, until recently it was impossible to see how all this works. The publication of the leak from The Shadow Brokers provided such an opportunity. Roman Bazhin and Maxim Malyutin did not sit idly by, but conducted an independent study, the results of which they will tell at the conference. An in-depth analysis of the leaked JETPLOW and comparison with their data will be presented. Also, the conference guests will be invited to look at possible options for the development of the bookmark situation, a conversation will be held on how things are with other Cisco equipment. In conclusion, we show methods for detecting such bookmarks.
⬝Link →
Speaker - Ali Abassi and Majid Hashemi.
We hit the pin control in programmable logic controllers.
Embedded systems interact with the outside world and control it through input / output (I / O) mechanisms. The input / output of embedded systems must be particularly reliable and secure in the case of systems designed to perform mission-critical tasks. The input / output of the embedded system is controlled by pins. This report will explore the security issues of pin management in embedded systems. In particular, the speakers will demonstrate how an attacker can compromise the integrity and accessibility of the I / O of the embedded system by using certain operations to control the pin and the absence of associated hardware interruptions.
⬝Link →
Speaker - Alexander Matrosov and Evgeny Rodionov
Rootkits in UEFI firmware: myths and reality
Recently, the topic of security of UEFI firmware is extremely relevant. In recent years, there have been many publications discussing vulnerabilities discovered in UEFI. They allow an attacker to compromise the system at one of the most privileged levels and gain complete control over the victim’s system. In this report, the authors will consider the most relevant types of attacks on UEFI firmware from a practical point of view and analyze the applicability of the described attacks to real scenarios: can such vulnerabilities be easily used in real rootkits (OS-> SMM-> SPI Flash)?
⬝ Link →
Speaker - Mariano Graziano
A critical analysis of complex code reuse
attacks using ROPMEMU Code reuse attacks based on the concept of return oriented programming (ROP) are gaining more and more popularity every year. Initially used as a way to bypass the protection of operating systems from embedded code, now such attacks are used as a method of hiding malicious code from detection and analysis systems. The author proposed ROPMEMU, which is a complex system of many different techniques for analyzing ROP chains and restoring their equivalent code in a form that can be analyzed using traditional reverse engineering tools.
⬝ Link →
Speaker - Ivan Novikov
Hacking ElasticSearch
The report will discuss the popular data indexing and search system ElasticSearch. Security issues of the entire technological stack necessary for implementing this technology in modern web applications will be considered:
• Wrapper classes (so-called “drivers”) for popular platforms (php, nodejs, Java, python);
• Protocol of program interaction (API) ElasticSearch;
• Built-in interpreter;
• Interaction of the service with the file system.
A retrospective of all detected vulnerabilities will be given and assumptions about future possible problems made. The report presents new vulnerabilities and practical methods for their exploitation. The examples of the most common mistakes made during the implementation of this technology are also given based on the security audits of web applications.
⬝ Link →
Speaker - Sen Nie and Lin Liu
Tesla Motors Gateway Components
The car gateway is a microcontroller that controls the exchange of data between different CAN channels. In a Tesla car, it is also a link between Ethernet and CANBus for transmitting / filtering messages sent from the Infotainment system to the internal CANBus network. Currently, gateways play an important role in the operation of internal vehicle networks, especially if the car is connected to the Internet (the so-called cars with network capabilities). In the report, experts will describe the process of designing and implementing automobile locks, as well as reveal the secrets of the functioning of the lock in a Tesla car. In particular, they will talk about how to restore the source code of the gateway firmware, how the gateway manages the services: shell, file system, network, registration, etc.
⬝ Link →
Speaker - Mikhail Stepankin
Advanced Web Application Fuzzing.
The talk will focus on methods of fuzzing web applications for searching complex injections (not only SQL). Automated web application scanners often carry out only basic vulnerability checks, and it is quite easy to block using WAF. However, manual analysis does not cover all possible cases. The author has developed his own tool for fuzzing web applications, which combines automatic and manual analysis in order to search for complex injections. The report will also talk about vulnerabilities in PayPal and Yahoo servers that were found by the author using the presented tools.
Link →
Speaker - Alexander Bolshev
How to trick an ADC, part 3 or tools for attacks on devices converting analog data to digital
We are used to working with digital systems, but the world around us is analog. In order to somehow influence it, or vice versa, to obtain information about it, digital devices use data conversion mechanisms (in the simplest case, an ADC (analog-to-digital converter)). Analog signals with specific characteristics can be interpreted differently by different ADCs, even if they are connected to the same line. This can lead to a “false perception” of the state of the control system of any process or to incorrect data at the output of the sensor, which, in turn, will also affect the process. In this report, we will consider various tools and ways to influence the conversion from analog to digital data, which will allow us to carry out attacks on industrial control systems, embedded and other systems.
Link →
Speaker - Alexei Rossovsky.
Life stories about hacking low-cost
phones There are a lot of reports about breaking top models of phones. But phones from a lower price category are undeservedly deprived of attention. Although they are also sold and used in the market. In the framework of this report, the speaker will talk about a number of cases when a phone from a budget price category was unlocked or patched. Topics such as: mobile Intel XMM chipset, important AT teams, OTA using MITM, flashing Qualcomm-based devices, exploitation on ARM devices, getting root with SELinux enabled, and much more will be touched on.
⬝ Link →
Speakers - Alexander Evstigneev and Dmitry Kuznetsov
Cisco Smart Install. Pentester Features
The report will discuss previously unreported bugs in Cisco Smart Install, which together allow control over Cisco switches that support Smart Install features.
⬝ Link →
Speakers - Yuri Drozdov and Lyudmila Drozdova
Approach to the development of LPE exploits on Windows 10, taking into account the latest security updates.
The report describes the difficulties of writing LPE exploits on Windows 10 and how to overcome them. Emphasis will be placed on a new way to manage gdi object handles (in the latest Windows 10 update), as well as how this affected the operation process. Other features of Windows 10 that affect the operation process will be briefly considered.
⬝ Link →
Reports on Defensive Track
We have already formed a pool of hurricane reports for the Defensive Track section, and today we are announcing the first part of our speeches. We remind you that the main “feature” of this slot is the presentation of real experience and a description of practical work from the original source. It’s not about “introducing the product”, it’s about “how to make everything work in the best way without extra expenses”. Content “from and for hackers.” And most importantly - this is for those who need results and experience, and not advertising.
Speakers - Ekaterina Pukhareva and Alexander Leonov
Enterprise Vulnerability Management
Speakers will talk about how to choose a solution, talk about the intricacies of Vulnerability management and vulnerability intelligence, and will advise how to efficiently organize the patch- and vulnerability-management process. There will also be talk about customization of Nessus and about Vulnerability Scanner as a valuable asset.
⬝ Link →
Speakers - Natalya Kukanova and Igor Gots
20% of investments and 80% of the result. How to implement IS requirements and not lose internal freedom
In the framework of this presentation, the speakers will talk about how in a dynamic network it is possible to build a control scheme for the implementation of basic IS requirements for employees' workplaces. They will talk in detail about what technologies were used to implement the principles of NAC (Network Access Control) in the Yandex network, what difficulties specialists faced both from an organizational and from a technical point of view.
⬝ Link →
Speakers - Pavel Grachev and Aleksey Karyabkin
Monitoring and analysis of mail messages, Or a tool for detecting cyber attacks on the knee
In this presentation, we will consider one of the most popular attack vectors on organizations - mass mailings of malware, phishing, and spy phishing (targeted attacks). The speakers will tell how they built the defense, what they encountered and how they overcame difficulties. Actual issues of applying modern technologies and commercial solutions for detecting and combating cyber attacks will be touched. In the practical part, the
speakers will demonstrate their own “bicycle” (a solution for detecting cyber attacks). Development of the idea of ZeroNigths 0x04: ( link ).
⬝ Link →
Speakers - Evgeny Sidorov and Eldar Zaitov
Managing the digital signature of applications in a large company
All mobile applications and almost all desktop applications must be digitally signed by the developer. When you try to deploy a key management system for signing applications, you may encounter a number of difficulties. To solve them, the speakers created their own solution, which can sign applications for Android, Windows (usermode, kernel mode), Java applications and applets, and which they will talk about during the lecture.
⬝ Link →
Speaker - Igor Bulatenko
Report
Fear and Loathing of Two-Factor Authentication
More and more companies are starting to think about the need to implement two-factor authentication systems. In this matter, it is very important not to make a mistake with the choice of solution and implementation methods, since it is always necessary to strike a balance between usability and security. The report will tell you what you should pay attention to when choosing solutions, and what difficulties you may encounter during implementation.
⬝ Link →
Speakers - Teymur Kheirkhabarov and Sergey Soldatov
. Threat Hunter
. Due to the fact that fully customized compromise tools are becoming more popular and attacks without malware are also widely spread, corporate information security services have become urgently required to identify software and network attacks. not detectable by classic remedies. Now “Threat hunting is fashionable, but the speakers will tell the truth about how this can be done by ourselves.
⬝ Link →
Speaker - Mikhail Sosonkin.
Automation of iOS scanning using the blackbox method.
Today, application security for the iOS system has become a hot topic. During this presentation, the “insides” of CHAOTICMARCH (automation tool), as well as methods for controlling and monitoring the actions of applications will be demonstrated. If you plan to create your own iOS security assessment project, or if you need help automating the analysis of limit values, then this report is what you were looking for.
⬝ Link →
Without further ado - FastTrack section reports
Many people know and love this section - here in the Security StandUp format, participants quickly, cheerfully, with a twinkle present their little research, talk about a new hacker tool or find. So, please love and favor - FastTrack on ZN!
Speaker - Ksenia Gnitko
Neurotechnology in security
⬝ Link →
Speaker - Igor Kirillov
HexRaysPyTools
⬝ Link →
Speaker - Andrey Kovalev
You are somehow not like that ...
⬝ Link →
Speaker - Anton Lopanitsyn
Blow below the belt. Bypass modern WAF / IPS / DLP
⬝ Link →
Speaker - Georgy Zaitsev
Reversing golang
⬝ Link →
Speaker - Denis Kolegov
F5 BIG-IP configuration vulnerabilities: detection and elimination
устран Link →
HackQuest 2016 Announcement

Every year before ZeroNights, we launch a traditional HackQuest. Its essence is to solve tasks related to different areas of practical security (reverse / binary pwn / web hacking / etc) and receive a reward. Winners receive an invite and an eternal place in Hall Of Fame, as well as pleasant bonuses (already at the conference). The dates for this year's hackquest are from October 31 to November 7. The rules are the same:
- The duration of the quest is 7 days, from 8 p.m. October 31 to 8 p.m. November 7;
- Every day - one task. On the decision - 24 hours;
- Whoever solves the task first will receive an invitation to the conference;
- Solving the task second or third, you can get points. The second fastest participant will receive 0.5 points, the third - 0.25. Having earned 1 full point, the participant will receive an invitation (note that 2 or more points give the right to only one invite).
- Upon request, the organizers can request a description of the solution to the task (we are for justice and honesty);
- It is forbidden to give hints or give answers to other participants;
- It is forbidden to submit a response more than once (under a different account).
The quest will be available at (the site is in preparation for launching a new quest). I can say that this year there will be a very large bias towards reverse / hardware / binary pwn. And some tasks will be extremely, extremely difficult (however, as well as years earlier).
This is not all the news of the program. Soon we will delight you with a story about the activities at the conference and present our coolest workshops. We are often asked recently: “Are there any more tickets for ZN?” We answer: “Of course, they remained, but only three weeks are left until the sales close;)” If you have not registered yet, you can do this and pay for your participation here :
→ Registration .
See you at the conference!