From iOS kernel debugging to “Rickrolling” voting machines, DEF CON 25 this year was, as usual, highly entertaining.
DEF CON 25 was held in late July at Caesar’s Palace in Las Vegas. Well over 10,000 hackers, penetration testers, red teamers, vulnerability researchers, technical writers, bug bounty hunters, incident responders, students, and the likely “Feds” attended.
As expected with a conference of this scale, and with anonymous attendees (DEF CON is strictly cash only), Las Vegas resorts went into IT lockdown. All unfortunate non-conference resort guests wishing to use in-resort IT facilities and Wi-Fi were denied because the resort couldn’t guarantee their security and privacy; after all, the place was crammed with hackers!
ATMs were monitored by resort staff like hawks, and the bars and casino floor were filled with ladies and gentlemen in black hoodies and jeans catching up, having a good time, and talking hacks.
“Rickrolling” voters and hacking votes
A popular event saw 30 of five different types of voting machines laid out for hackers to have a crack at. The organisers had laid out the voting machines to see how easy they were to hack, and what could be done with them once hacked. The people who purchased these machines didn’t know of any prior vulnerabilities, they were just keen to see if it was possible to hack votes.
Yes. It is.
The first voting machine was exploited within 90 minutes of the event starting, and one machine was set to “Rickroll” electors upon entering their vote. In other words, it played Never Gonna Give You Up by Rick Astley, a 1987 hit that achieved a second bite at fame thanks to YouTube!
The biggest callouts from the vote-machine hacking suite were that machines commonly used in various US elections are apparently less secure than a standard personal computer. In some machines, default passwords are in use that could be easily Googled!
In other cases, physical ports were not properly secured, letting computers and peripherals be plugged in to alter the machine’s functionality. For example, this could let a hacker reroute a vote for one thing to a vote for the other, effectively hacking votes!
From my point of view as a recovering low-level developer, I was very keen to hear a talk by Min (Spark) Zheng on kernel (XNU – macOS and iOS) debugging. As this was a ‘101-stream’ talk, it covered the basics of kernel debugging followed by some cool things that could be done once the debugging session starts: much like most debugging, you can read/write data at memory addresses and set breakpoints, but, being the kernel, a lot more can be done (and broken).
Mr Zheng’s talk got more complicated when he started talking about iOS kernel debugging because Apple doesn’t open-source the iOS version of XNU. He referenced others, who have found tips and tricks before him, to find the root address of the kernel to set up a debugging environment to debug a type of overflow known as a heap overflow (or a heap smash) (CVE-2017- 2370).
CVE-2017- 2370 was discovered, exploited and published by Ian Beer from Google’s Project Zero, but, being in the 101-stream, Mr Zheng walked the audience through it.
It turns out the vulnerability exists because of human error when programming. The developer uses a user-editable “size” value to determine the size of a kernel-level string: a user-mode value can be arbitrarily set.
Mr Zheng provided code and gave a demonstration, always a risky move in a hacker conference but it paid off, to demonstrate this.
The most controversial talk of the conference was titled MEATPISTOL – A modular malware implant framework. The talk is for members of red teams, or teams of long-term penetration testing engagements.
More specifically, it was about the tool that they created to help this red team achieve their goals of penetrating a network, gaining a foothold, identifying trophy data, and exfiltrating it. It’s essentially malware, but used in an authorised setting. The reason this group made its own malware was because most for-sale red teaming tools are exclusively Windows only, as Windows is more prevalent than other operating systems in business environments.
The two presenters went through their history of using in-house built malware, including how they had to evade detection, and how the incident response teams in their clients were doing a good job of detecting early versions of their command-and- control malware. This meant they had to reinvent everything every time new features were introduced, or whenever they were eventually discovered, as each iteration was simply an improvement on the previous with detection evasion enhancements. It really illustrated the cat-and-mouse game of IT security.
Finally, the presenters introduced MEATPISTOL as a type of modular malware that would use different command-and- control settings for each client, different modules based on requirements, the ability to add or remove modules, and the ability to be cross-platform (specifically for Windows, macOS, earlier OS X versions, and the various Linuxes). This malware was scalable across clients with separate keys, separate tunnels to get to C2, and separate modules for each client.
After explaining the internals (multiple channels, modules that determine what role they play, unidirectional client-to- client, persistent installation), the two presenters gave a demonstration. It was a work of art.
The ease of use, the elegance of the architecture; it is simply an amazing bit of software that is a glorified Trojan horse. It is worth noting that while MEATPISTOL might be compared to the well-known metasploit framework, it’s not an exploit database. If an exploit is required before infection with MEATPISTOL, one needs to be prepared (maybe using metasploit framework).
See you next year
DEF CON 26 is on next year from 9-12 August at Caesar’s Palace. As always, you can’t pre-register. Tickets are available by paying cash at the door. See you there!