Unveiling New Attack Vectors in Bluetooth Vulnerability Discovery through Protocol State Machine

State Manipulation: Unveiling New Attack Vectors in Bluetooth Vulnerability Discovery through Protocol State Machine Reconfiguration The Bluetooth protocol has become ubiquitous, supporting a wide range of devices from personal gadgets like headphones and smartphones to complex systems in automotive and IoT environments. While Bluetooth's flexibility and performance have been thoroughly validated, an overlooked attack surface exists within the protocol's underlying state machines. This study uncovers Bluetooth vulnerabilities by analyzing state machine mechanisms in various applications, including automotive and mobile devices. Unlike prior research, which primarily focuses on traditional Bluetooth security issues—such as buffer overflows or crashes triggered by malformed packets in the protocol's Type-Length-Value (TLV) structure—our work delves into the complexities of state machine interactions among supported profiles within the protocol stack. By carefully examining state machine sequences and their interdependencies, we attempt to break the standard execution order and reconfigure protocol interaction states, thereby opening a new path for Bluetooth protocol vulnerability discovery. Since state machine-based vulnerabilities often do not produce visible logs or crash data, they frequently evade detection. We will provide in-depth insights into techniques for manipulating Bluetooth state machine interactions, focusing on systematic methods for discovering these vulnerabilities and assessing their impact on the Bluetooth ecosystem. By: Lidong Li | Chief Security Officer, SouceGuard Oliver Dong | CEO, SouceGuard Xiao Wang | Senior Security Researcher, SouceGuard Lewei Qu | Security Architect, Bytedance Full Abstract and Presentation Materials: https://ift.tt/nQCyxZz

source https://www.youtube.com/watch?v=3M9UT77VFIA

Inbox Invasion: Exploiting MIME Ambiguities to Evade Email Attachment Detectors

Email attachments have become a favored delivery vector for malware campaigns. In response, email attachment detectors are widely deployed to safeguard email security. However, an emerging threat arises when adversaries exploit parsing discrepancies between email detectors and clients to evade detection. Currently, uncovering these vulnerabilities still depends on manual, ad hoc methods. In this session, we perform the first systematic evaluation of email attachment detection against parsing ambiguity vulnerabilities. We propose a novel testing methodology, MIMEminer, to systematically discover evasion vulnerabilities in email systems. We evaluated our methodology against 16 content detectors of popular email services like Gmail and iCloud, and 7 popular email clients like Outlook and Thunderbird. In total, we discovered 19 new evasion methods affecting all tested email services and clients. We further analyzed these vulnerabilities and identified three primary categories of malware evasions. We have responsibly reported those identified vulnerabilities to the affected providers to help with the remediation of such vulnerabilities and received acknowledgments from Google Gmail, Apple iCloud, Coremail, Tencent, Amavis and Perl MIME-tools. By: Jiahe Zhang | PhD Student, Tsinghua University Jianjun Chen | Associate Professor, Tsinghua University Qi Wang | Ph.D. Student, Network and Information Security Lab (NISL), Tsinghua University. Hangyu Zhang | Ph.D. Student, Network and Information Security Lab (NISL), Tsinghua University Shengqiang Li | Undergraduate Student, Tsinghua University Chuhan Wang | Ph.D., Network and Information Security Lab (NISL), Tsinghua University Jianwei Zhuge | Associate Researcher, Network and Information Security Lab (NISL), Tsinghua University Haixin Duan | Professor, Network and Information Security Lab (NISL), Tsinghua University Full Abstract and Presentation Materials: https://ift.tt/WGXNECx

source https://www.youtube.com/watch?v=eZjP91Ly1r4

The Problems of Embedded Python in Excel, or How to Excel in Pwning Pandas

In Windows build 2407, Microsoft released Python support inside Excel as embedded =PY() functions. According to the Microsoft website: "Python in Excel brings the power of Python analytics into Excel. Use it to process data in Excel with Python code. You type Python directly into a cell, the Python calculations run in the Microsoft cloud, and your results are returned to the worksheet. Python in Excel comes with a core set of Python libraries provided by Anaconda that you can use to simplify your data analysis, find patterns and hidden insights, and visualize your data with plots." The Python code from the PY() Excel function is executed as a Jupyter notebook on Microsoft-managed Jupyter servers. The PY() Excel function has a built-in connection to Excel data and cells as Python pandas objects, and can return discrete values, lists, or pandas datasets. The implementation creates several attack surfaces: -The Microsoft Azure host and cluster where the Python code runs -The Jupyter server where the Python code runs -3rd parties that share the runtime environment Despite heavy restrictions on the environment, using Excel data processing capabilities and Python it is possible to upload and execute binaries like nmap and netcat, install rpm packages, and upload and execute shell scripts. It is also possible to poison the Python environment and possibly exfiltrate 3rd party data. The presentation will show python code, Excel definitions and steps to automate all of the above, that anyone with an Excel spreadsheet can do at home. By: Shalom Carmel | Hacker Emeritus Ofir Carmel | Computer Science Student Full Abstract and Presentation Materials: https://ift.tt/2cpuQHF

source https://www.youtube.com/watch?v=zQ0Z8aAqVVc

CDN Cannon: Exploiting CDN Back-to-Origin Strategies for Amplification Attacks

Content Delivery Networks (CDNs) are widely adopted to enhance web performance and offer protection against DDoS attacks. However, our research unveils a critical vulnerability within CDN back-to-origin strategies, allowing attackers to exploit these mechanisms for massive amplification attacks, termed as Back-to-Origin Amplification (BtOAmp) attacks. These attacks leverage CDN configurations that prioritize performance over security, leading to the exhaustion of origin server resources. In this talk, we will introduce a new class of HTTP amplification attacks that leverage CDN edge servers as amplifiers to break CDN's DDoS protection mechanisms. By systematically exploring the CDN back-to-origin strategies, we identified five amplification attacks that can effectively compromise the CDN's DDoS protection by directly attacking the origin server. Our experiments show that an attacker can destroy a 1 Gbps bandwidth website using only a laptop with 200 Kbps bandwidth. We will also discuss mitigation strategies, along with our responsible disclosure process, where multiple CDN vendors acknowledged the vulnerabilities. This research underscores the need for CDN operators and users to recognize the latent risks within CDN infrastructures and adopt proactive security measures. By: Zhiwei Lin | Master Student, National University of Singapore Ziyu Lin | Student, Singapore Management University Full Abstract and Presentation Materials: https://ift.tt/4luy9Fs

source https://www.youtube.com/watch?v=ZEz9_vVspoo

Standing on the Shoulders of Giants: De-Obfuscating WebAssembly Using LLVM

WebAssembly (Wasm) is an increasingly popular compilation target, offering compact representation, efficient validation and compilation, and safe low to no-overhead execution. Wasm is popular not only on the browsers but finding adoption across various platforms. As its popularity grows for various applications, so does the need to obfuscate it, subsequently raising the necessity to de-obfuscate. In this talk we will discuss how to de-obfuscate Wasm code using LLVM compiler infrastructure. There is extensive literature available on the security of Wasm from an exploitation perspective, i.e. finding vulnerabilities, writing exploits and secure coding practices. In this work, we will discuss Wasm security from a reverse engineering perspective, specifically how to deal with obfuscate and de-obfuscate Wasm. Broadly we will be covering the following topics in this presentation: - Essential Wasm internals from reverse-engineering perspective. - Brief introduction to obfuscation techniques. - How to perform compiler-based obfuscation of Wasm code using various open-source tooling. - The core idea - how to de-obfuscate Wasm code using LLVM compiler infrastructure. LLVM implements extensive code optimisation techniques that can be harnessed to simplify diverse obfuscation techniques. We will use this very idea in our de-obfuscation journey, commencing with simple obfuscation scenarios and progressively ratcheting up the complexity level to demonstrate the effectiveness of our approach. We will also show application of our learnings to some real world scenarios. The final takeaway for the audience will be an understanding of how to obfuscate and de-obfuscate Wasm code. Moreover, they will gain confidence to tackle obfuscated code without writing pattern-based simplification rules. The ideas and techniques discussed are not limited to Wasm, in fact they are language and platform agnostic, and can be applied to any obfuscated code. By: Vikas Gupta | Senior Security Researcher, Thales DIS Pvt. Ltd. Peter Garba | Principal Software Engineer, Thales DIS Pvt. Ltd. Full Abstract and Presentation Materials: https://ift.tt/ZhsJSgI

source https://www.youtube.com/watch?v=Z-udrjM7Z78

(Mis)adventures with Copilot+: Attacking and Exploiting Windows NPU Drivers

In May 2024, Microsoft introduced a new category of PCs designed for AI, called Copilot+ PCs. According to Microsoft, those PCs are starting a new chapter of AI integration on Windows and, thus, personal computing. Each device will have an NPU enabling the device to run Large-Language Models (LLMs) locally. But how exactly were those NPUs integrated into Windows? In this talk, we will do a deep dive into the architecture of NPUs and discuss how relevant drivers on Windows are implemented. We will describe different vectors to attack NPUs and showcase how we, as an attacker, can interact with an NPU. Then, we will explain and showcase a bug from two different NPU vendors. For one NPU, we will demonstrate how we can use the discovered bug to escalate our privileges as a concrete exploitation example. Via this Briefing, the attendees will gain insights on NPU bugs and their security implications, and learn how to exploit them on Copilot+ PCs on the latest Windows 11 version 24H2. By: Nicola Stauffer | Student, Zürich University of Applied Sciences ZHAW Gürkan Gür | Senior Lecturer, Zürich University of Applied Sciences ZHAW Full Abstract and Presentation Materials: https://ift.tt/KzR8Lo4

source https://www.youtube.com/watch?v=K_C5-wZCAN0

Mini-App But Great Impact: New Ways to Compromise Mobile Apps

In the mobile app ecosystem, super-apps serve as platforms hosting mini-apps, facilitating cross-platform operation across Android and iOS. Traditionally, attacks on mobile apps have targeted native applications, web pages, and networks. Our research pioneers a novel exploitation vector targeting mobile apps via mini-apps. For security considerations, capabilities open to Mini-Apps need to be strictly restricted and implemented in the sandbox. After comprehensive research on 11 popular super-apps involving hundreds of APIs, we found the sandbox environment can not provide isolation as expected. Attackers can exploit different methods for sandbox escaping and privilege escalation such as attacks against storage and network capabilities, which lead to remote code execution (RCE) and account hijacking. Additionally, we have adapted JavaScript prototype pollution for the mini-apps framework. This adaptation allows attackers to tamper with the mini-app environment logic, enabling malicious apps to invoke privileged APIs, inject parameters, and access sensitive data. This is the first instance of deploying this attack in mobile apps, with implications more severe than those in web security. The significant risks we identified impacted 9 different super-apps with over 10 billion downloads. (All of the risks have already been reported and repaired.) Through our presentation, we want to expose a new remote attack surface for mobile apps, and improve the security of super-apps to better protect billions of user privacy. By: Wei Wen | Security Engineer, IES Red Team of ByteDance Xiangyu Cao | Security Researcher, IES Red Team of ByteDance Jiangchunxi Hou | Security Researcher, IES Red Team of ByteDance Zixi Liao | Security Researcher, IES Red Team of ByteDance Yingyan Song | Security Engineer, IES Red Team of ByteDance Zhongcheng Li | Security Researcher, IES Red Team of ByteDance Yijie Zhao | Security Researcher, IES Red Team of ByteDance Bin Ma | Security Researcher, IES Red Team of ByteDance Full Abstract and Presentation Materials: https://ift.tt/Gnb8tWs

source https://www.youtube.com/watch?v=J5Jn0-FsAc8

Watch Your Phone: Novel USB-Based File Access Attacks Against Mobile Devices

Modern mobile OSs employ lock screens and user confirmation prompts to shield sensitive data from attackers with access to the device's USB port. In this talk, we present novel attacks and attack techniques that bypass both of these critical security mechanisms to gain USB-based file access on state-of-the-art mobile devices. In the first part of this talk, we uncover the shortcomings of user confirmation prompts for USB file access in iOS and Android. We present novel attack techniques that allow a malicious USB charger to effectively establish a data connection and inject input events at the same time. We show a live demo of an end-to-end attack that uses this technique to bypass user confirmation prompts for USB file access virtually stealthily on a state-of-the-art Samsung phone. In the second part of this talk, we present novel attacks against locked Android devices. These attacks exploit vulnerabilities in AOSP and vendor-specific Android variants to gain file access through USB. We show two live demos, one of which is an end-to-end attack that allows full read-write access to files on a locked Google Pixel running Android 14 or 15. We conclude our presentation with a discussion of suitable mitigations for our novel attacks. By: Florian Draschbacher | PhD Student, Graz University of Technology Lukas Maar | PhD Student, Graz University of Technology Full Abstract and Presentation Materials: https://ift.tt/bWOafit

source https://www.youtube.com/watch?v=UYKet66vLsg

Invisible Ink: Privacy Risks of CSS in Browsers and Emails

Recently, Google Chrome and other browsers have started restricting traditional tracking methods, such as third-party cookies, to improve user privacy. Still, websites can leverage browser fingerprinting to track users across websites, even when they try to protect their privacy. Interestingly, the same principles can be leveraged to enhance the security of web applications, such as in risk-based authentication, where users are identified based on their browser fingerprint. Traditionally, the tracking industry and privacy community have concentrated on JavaScript-based fingerprinting, which is widely used by websites for tracking and security purposes. This focus has led to the development of spot mitigations that limit the execution of JavaScript. In this talk, we showcase that these mitigations can lead to a false sense of security. We explore the novel privacy implications of recent additions to Cascading Style Sheets (CSS), a style-sheet language for the web that defines the look and feel of HTML content. Unlike JavaScript, CSS is often considered harmless and, thus, for example, enabled by default in most email clients when rendering HTML emails. We show how CSS can be used to track users across websites, enabling third-party tracking and user profiling without the need for cookies or JavaScript, thereby bypassing state-of-the-art mitigations. Even more concerning, modern browser engines, which form the backbone of most email clients, allow these tracking techniques to be used in HTML emails due to their low requirements. Email fingerprinting opens up an arsenal of opportunities for tracking parties and malicious actors alike, including user profiling, targeted phishing, and spam campaigns. By: Leon Trampert | PhD Student, CISPA Helmholtz Center for Information Security Daniel Weber | PhD Student, CISPA Helmholtz Center for Information Security Full Abstract and Presentation Materials: https://ift.tt/nfqzkEa

source https://www.youtube.com/watch?v=em7Mja6CNwY

KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities

Linux kernel vulnerability reproduction is a critical task in system security. To reproduce a kernel vulnerability, the vulnerable environment and the Proof of Concept (PoC) program are needed. Most existing research focuses on the generation of PoC, while the construction of the environment is overlooked. However, establishing an effective vulnerable environment to trigger a vulnerability is challenging. Firstly, it is hard to guarantee that the selected kernel version for reproduction is vulnerable, as the vulnerability version claims in online databases can occasionally be incorrect. Secondly, many vulnerabilities cannot be reproduced in kernels built with default configurations. Intricate non-default kernel configurations must be set to include and trigger a kernel vulnerability, but less information is available on how to recognize these configurations. To solve these challenges, we propose a patch-based approach to identify real vulnerable kernel versions and a graph-based approach to identify necessary configs for activating a specific vulnerability. We implement these approaches in a tool, KernJC, automating the generation of vulnerable environments for kernel vulnerabilities. To evaluate the efficacy of KernJC, we build a dataset containing 66 representative real-world vulnerabilities with PoCs from kernel vulnerability research in the past five years. The evaluation shows that KernJC builds vulnerable environments for all these vulnerabilities, 32 (48.5%) of which require non-default configs, and 4 have incorrect version claims in the National Vulnerability Database (NVD). Furthermore, we conduct large-scale spurious version detection on kernel vulnerabilities and identify 128 vulnerabilities that have spurious version claims in NVD. To foster future research, we release KernJC with the dataset in the community. By: Bonan Ruan | Student, National University of Singapore Jiahao Liu | Student, National University of Singapore Chuqi Zhang | Student, National University of Singapore Zhenkai Liang | Associate Professor, National University of Singapore Full Abstract and Presentation Materials: https://ift.tt/XBRzV9S

source https://www.youtube.com/watch?v=Xmig8oWzlrk

Foreign Information Manipulation and Interference (Disinformation 2.0)

Foreign Information Manipulation and Interference (Disinformation 2.0) - How Patterns of Behavior in the Information Domain Threaten or Attack Organizations' Values, Procedures and Political Processes Over the past decade, foreign information manipulation and interference (FIMI) operations have grown in complexity and scope. More specifically, Russia and China have continuously invested resources into developing their hybrid warfare strategy. Hybrid warfare goes beyond physical confrontation. It can include the use of conventional forces but also other elements, such as FIMI operations, to shape the policy, geostrategic positions, public opinion, and capabilities of a target country. The speed, availability, and cohesion of tools and tactics employed by foreign malign actors have increased in recent years as the result of increasing global interconnectivity via social media and the internet at large, as well as technological advancements - such as rapid improvements in generative AI - that increasingly enable faster, better, and cheaper FIMI operations and tactics including deep fakes, and manipulated content including text, images, audio, and video. Additionally, these campaigns increasingly seek to destabilize the very foundations of target countries - undermining democratic principles through the targeting of elections, eroding public trust in institutions and local media, and exploiting social divisions to distract and subvert the target's efforts toward progress. The speaker will walk the audience through some Asia Pacific case studies that highlight patterns that targeted both NATO as an organization as well as individual NATO member countries and how there is often a link between different tactics, techniques, and procedures (TTPs) - such as usage of proxies, usage of sock puppet accounts, and increasing usage of generative AI to support their activities. FIMI campaigns also frequently target specific demographics to influence decision-making processes in politics, economy, or societal affairs. The lessons I will share will help any organization better prepare for these narrative attacks created by misinformation and disinformation. Although attribution is not always straightforward on social media, it often becomes obvious through narrative analysis and social network analysis that foreign actors and the ecosystems they cultivate online covertly try to influence international public opinion on a wide range of topics and issues by amplifying polarization and eroding democratic discourse. The World Economic Forum 2024 Global Risks Report recognizes misinformation and disinformation as the #1 global threat with technological, economic, environmental, social, and political impacts. This talk will go deep into sharing examples and stories of why I also believe this to be the biggest risk to all organizations. Full Abstract and Presentation Materials: https://ift.tt/PFNvshf

source https://www.youtube.com/watch?v=JjtF7gbguC4