Black Hat has always been a must-attend event for security professionals. When it opens in Las Vegas in July, it will be one of the first major security conferences to return in person since COVID. If you can't make it out, there are also live online events you can watch remotely. There’s a great lineup of sessions this year, with over 140 hours of hands-on labs, briefings, talks, workshops, and expert panels. To help you make the most of your time, we took an informal poll of security professionals attending this year’s event. Here are the top 10 sessions they’re most excited about.
FragAttacks: Breaking Wi-Fi through Fragmentation and Aggregation
Format: 40-Minute Briefings
Tracks: Cryptography, Network Security
This presentation introduces three novel security-related design flaws in Wi-Fi and various widespread implementation flaws. An adversary can abuse these to inject packets or exfiltrate selected frames. As an example, it will be demonstrated how packet injection can be used to punch a hole in the router's NAT so the adversary can connect to and exploit internal devices in the network (e.g. BlueKeep against Windows 7).
The first design flaw is present in Wi-Fi's frame aggregation feature, where a flag in the Wi-Fi header is not properly protected. The other two design flaws are present in Wi-Fi's frame fragmentation feature, where the receiver improperly verifies and manages fragments. Although these design flaws can be non-trivial to exploit, they affect all protected Wi-Fi networks. Some design flaws even affect the ancient WEP protocol, meaning these flaws have been part of Wi-Fi since 1997.
In practice, the implementation vulnerabilities are the most concerning. Several are widespread and trivial to exploit. For example, some devices accept plaintext frames in a protected Wi-Fi network and others accept plaintext aggregated frames that resemble handshake messages. The resulting attacks will be demonstrated, such as turning an IoT power socket on and off, and a tool will be released that can be used to test Wi-Fi products against all the discovered vulnerabilities.
Breaking the Isolation: Cross-Account AWS Vulnerabilities
Format: 40-Minute Briefings
Tracks: Cloud & Platform Security, AppSec
Multiple AWS services were found to be vulnerable to a new cross-account vulnerability class. An attacker could manipulate various services in AWS and cause them to perform actions on other clients' resources due to unsafe identity policies used by AWS services to access clients' resources. The vulnerabilities have been proven on three major AWS services (AWS Config, CloudTrail, and Serverless Repository) and have allowed a potential attacker to write and read certain objects from private S3 buckets.
In this presentation, we will review the discovered vulnerabilities and explain their root cause. We will show how an attacker can perform actions on any account in AWS using these services via the discovered cross-account vulnerability. We believe this is a new class of vulnerabilities that may affect many other services in AWS because the tenant scope is implicitly defined in AWS IAM policies, causing services that allow multi-tenant access to perform unintended actions.
While reporting and working with the AWS security team on resolving these issues, we concluded that the process of updating IAM-related vulnerabilities is sub-optimal. Although AWS acted very quickly to fix the issues, the cloud provider relies on customers to perform the IAM policy updates, which often does not happen. IAM vulnerabilities are not tracked by NIST, do not have a CVE, and do not have scanning tools that provide IAM vulnerability scanning results. The result is that most customers are running with vulnerable IAM policies and have no process to fix them. Furthermore, we discovered that AWS issues hundreds of security updates to its IAM policies, but security teams lack tools to scan for them and prioritize fixing them. It is vital to raise the community awareness of the issue of IAM CVEs because identity-related vulnerabilities are a key attack surface in cloud environments.
We will review the specific mitigations provided to the IAM vulnerabilities we found and discuss the current gaps in the way the vulnerability management process for IAM is handled today.
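The abstract's root cause is a resource policy that trusts a service principal without saying which account's use of that service is trusted. As an added example (not the speakers' code or AWS tooling), this audit helper flags S3 bucket policy statements that grant an AWS service principal access with neither of the condition keys AWS documents for confused-deputy prevention (aws:SourceAccount, aws:SourceArn); both policies below are constructed samples, and the account ID is a placeholder.

```python
import json

# Constructed sample: a bucket policy that lets a service principal write to the
# bucket, but never pins which account's use of that service is allowed.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowServiceWrite",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed sample: the same grant, scoped to one tenant account (placeholder ID).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowServiceWrite",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}},
    }],
}

SCOPING_KEYS = ("aws:sourceaccount", "aws:sourcearn")


def _as_list(value):
    """IAM allows scalar or list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def unscoped_service_grants(policy):
    """Return (Sid, [service principals]) for Allow statements that grant an
    AWS service principal access without a tenant-scoping condition key."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if not services:
            continue
        # Condition keys are case-insensitive, so compare on a lowercased dump.
        cond = json.dumps(stmt.get("Condition", {})).lower()
        if not any(key in cond for key in SCOPING_KEYS):
            findings.append((stmt.get("Sid", "<no Sid>"), services))
    return findings
```

Run it over every bucket policy in an account to find grants that still rely on the service alone to keep tenants apart.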
HTTP/2: The Sequel is Always Worse
Format: 40-Minute Briefings
Tracks: AppSec, Cloud & Platform Security
HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I'll take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC imperfections.
I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties. One of these attacks remarkably offers an array of exploit-paths surpassing all known techniques.
After that, I'll unveil novel techniques and tooling to crack open a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive.
Finally, I'll drop multiple exploit-primitives that resurrect a largely forgotten class of vulnerability, and use HTTP/2 to expose a fresh application-layer attack surface.
I'll leave you with an open-source scanner with accurate automated detection, a custom, open-source HTTP/2 stack so you can try out your own ideas, and free interactive labs so you can hone your new skills on live systems.
A New Class of DNS Vulnerabilities Affecting Many DNS-as-Service Platforms
Format: 40-Minute Briefings
Tracks: CorpSec, Cloud & Platform Security
We present a novel class of DNS vulnerabilities that affect multiple DNS-as-a-Service (DNSaaS) providers. The vulnerabilities have been proven and successfully exploited on three major cloud providers including AWS Route 53 and may affect many others. Successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers' corporate networks. The leaked information contains internal and external IP addresses, computer names, and sometimes NTLM / Kerberos tickets. The root cause of the problem is the non-standard implementation of DNS resolvers that, when coupled with specific unintended edge cases on the DNS service provider's side, causes major information leakage from internal corporate networks.
In this research, we detail a specific vulnerability that is common across many major DNS service providers that leads to information leakage in connected corporate networks. Specifically, we show how Microsoft Windows endpoints reveal sensitive customer information when performing DNS update queries. The security risk is high. If an organization's DNS Updates are leaked to a malicious 3rd party, they reveal sensitive network information that can be used to map the organization and make operational goals. Internal IP addresses reveal the network segments of the organization; computer names hint at the potential content they may hold; external IP addresses expose geographical locations and the organization's sites throughout the world; and internal IPv6 addresses are sometimes accessible from the outside and allow an entry point into the organization. The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration.
Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable. The number of organizations vulnerable to this weakness is shocking. Over a few hours of DNS sniffing, we received DNS Updates from 992,597 Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies. In some organizations, there were more than 20,000 endpoints that actively leaked their information out of the organization. Exploiting the weakness is very easy. A single attacker with a single cloud account can get information on thousands of organizations in one step. There are several possible mitigations to this problem. We will review the solutions for both DNSaaS providers and managed networks.
Can You Roll Your Own SIEM?
Format: 40-Minute Briefings
Tracks: CorpSec, Data Forensics & Incident Response
At Two Sigma, we had sunk over $1 million in licensing for a popular third-party SIEM product and were paying an additional $200,000 in annual maintenance. We were limited on what data sources we could leverage as our license was restricted to a low daily ingestion rate. As our company began to explore cloud transformation broadly, we in Security began investigating competitive options for our event collection and analysis platform. We wanted to know if we could roll our own cloud-native SIEM more efficiently while providing greater access to our data, and be as effective as the vendor's solution.
To figure that out, we asked:
Does the vendor SIEM product cover enough of our threat landscape to make it worth the cost?
If not, has our organization made strategic investments in alternate platforms which could be leveraged instead?
If yes, does our team have the skills required to implement and mold these platforms to our needs?
The answers led us to roll our own SIEM. In our presentation, we'll dig into these questions and decisions in-depth, as well as describe our architecture and several use cases. At the end of the day, we've been running our GCP SIEM for over a year and have moved off the vendor platform. To get started, we wrote less than 6,000 lines of code across a handful of simple tools. We ingest 5TB of data per day and have over 2PB of historical data stored and instantly searchable. In the end, we spent ~$500,000 to build our own SIEM that would have cost us $4 million if we used our third-party vendor. We're also saving an estimated $600,000 year over year in maintenance and subscription fees, plus reducing hardware capital expenditure.
IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation
Format: 40-Minute Briefings
Track: Network Security
While IP Geolocation -- tying an IP address to a physical location -- is in common use, available public and commercial techniques and tools provide only coarse city-level locations that are often wrong. With "IPvSeeYou," we develop a data fusion attack against residential home routers running IPv6 that provides *street-level* geolocation. We then demonstrate IPvSeeYou by discovering and precisely geolocating millions of home routers deployed in the wild across the world.
We assume a weak adversary who is remote to the target and has no privileged access. Our privacy attack lies in IPv6 addresses formed via EUI-64, which embed the interface's hardware MAC address in the IPv6 address. While EUI-64 IPv6 addresses are no longer used by most operating systems, they are commonly found in legacy and low-profit-margin customer premises equipment (CPE), e.g., commodity routers connecting residential and business subscribers. Because IPv6 CPE are routed hops (as opposed to IPv4 NATs), we can discover their MAC address via traceroute if they use EUI-64.
These CPE are frequently all-in-one devices that also provide Wi-Fi. Crucially, the MAC address of the Wi-Fi interface is often related to the MAC address of the wide area interface, e.g., a +/-1 offset. These Wi-Fi MACs are broadcast (the 802.11 BSSID) and captured by wardriving databases that also record their physical location. By correlating the MAC addresses embedded in IPv6 home router addresses with their Wi-Fi address counterpart, we can remotely geolocate them, fusing virtual data with meatspace.
Last, we demonstrate IPvSeeYou in practice. We develop an Internet-scale IPv6 router discovery technique that finds tens of millions of deployed CPE with EUI-64 addresses. On a per-OUI basis, we map these to a corresponding Wi-Fi BSSID. We search for these BSSID in geolocation databases to successfully map millions of routers, across the world, to a precise geolocation.
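The exposure this talk relies on can be checked from the operator's side: does the router's global IPv6 address carry an EUI-64 interface identifier, and is the Wi-Fi BSSID within the +/-1 offset of that embedded MAC? As an added example (not the researchers' tooling), the helper below decodes the MAC from an EUI-64 address per RFC 4291 and compares it with a BSSID the operator supplies; the sample addresses are constructed.

```python
import ipaddress


def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 IPv6 address, or None if the
    interface identifier is not EUI-64 shaped (e.g. a privacy address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits = interface ID
    # EUI-64 splices 0xFFFE into the middle of the 48-bit MAC; a random IID
    # matches this by chance only once in 65536, so treat a hit as exposure.
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                           # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def _mac_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def bssid_is_related(wan_mac, bssid, max_offset=1):
    """True when the Wi-Fi BSSID sits within max_offset of the WAN MAC, i.e.
    the two interfaces are numbered from one block and can be correlated."""
    return abs(_mac_int(wan_mac) - _mac_int(bssid)) <= max_offset


def audit_router(ipv6_addr, bssid):
    """Summarise whether a router leaks its MAC and whether that MAC ties to
    the given Wi-Fi BSSID. Returns (embedded_mac_or_None, correlated_bool)."""
    mac = eui64_mac(ipv6_addr)
    return mac, bool(mac) and bssid_is_related(mac, bssid)


if __name__ == "__main__":
    # Constructed sample: WAN address built from MAC 00:11:22:33:44:55,
    # Wi-Fi BSSID one higher, as the talk describes for all-in-one CPE.
    print(audit_router("2001:db8::211:22ff:fe33:4455", "00:11:22:33:44:56"))
```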
How I Used a JSON Deserialization 0day to Steal Your Money on the Blockchain
Format: 40-Minute Briefings
Tracks: Exploit Development, Applied Security
Fastjson is a widely used open-source JSON parser with 23,100 stars on GitHub. As a basic module of countless Java web services, it serves hundreds of millions of users. We managed to find a way to bypass many security checks and mitigations by using the inheritance process of some basic classes, and achieve remote code execution successfully. We will disclose these high-risk and universal gadgets for the first time in this talk.
Now, we can control many important websites and affect millions of users. Let's make things more interesting. We found that this fastjson vulnerability affects a multi-billion-dollar blockchain. We designed multiple complex gadgets based on the features of the blockchain, and exquisitely achieved information leakage and pointer hijacking. Putting all these gadgets together, we achieved remote code execution on the blockchain nodes.
However, generally after remote code execution, we seem to have no better exploit method other than the 51% attack, which will lead to serious accounting confusion. After a detailed analysis of the architecture design of the public blockchain, we found a way from RCE to steal the public blockchain users' assets almost without any notification.
To the best of our knowledge, this is the first published attack case on the realization of covertly stealing user assets after RCE on the public blockchain nodes. We will propose a more covert post-penetration exploit method for public blockchain nodes in this talk.
Blockchain is not bulletproof against security vulnerabilities, and we hope our work can notify blockchain developers and users to be more careful about security.
Timeless Timing Attacks
Format: 40-Minute Briefings
Tracks: Network Security, AppSec
25 years ago, the first timing attacks against well-known cryptosystems such as RSA and Diffie-Hellman were introduced. By carefully measuring the execution time of crypto operations, an attacker could infer the bits of the secret. Ever since, timing attacks have frequently resurfaced, leading to many vulnerabilities in various applications and cryptosystems that do not have constant-time execution. As networks became more stable and low-latency, it soon became possible to perform these timing attacks over an Internet connection, potentially putting millions of devices at risk. However, attackers still face the challenge of overcoming the jitter that is incurred on the network path, as it obfuscates the real timing values. Up until now, an adversary would have to collect thousands or millions of measurements to infer a single bit of information.
In this presentation, we introduce a conceptually novel way of performing timing attacks that is completely resilient to network jitter. This means that remote timing attacks can now be executed with a performance and accuracy similar to that of an attack performed on the local system. With this technique, which leverages coalescing of network packets and request multiplexing, it is possible to detect timing differences as small as 100ns over any Internet connection. We will elaborate on how this technique can be launched against HTTP/2 webservers, Tor onion services, and EAP-pwd, a popular Wi-Fi authentication method.
Siamese Neural Networks for Detecting Brand Impersonation
Format: 30-Minute Briefings
Tracks: AI, ML, & Data Science, Applied Security
Brand impersonation is a key attack strategy in which a malicious user crafts content to look like a known brand to deceive a user into entering sensitive information, such as account passwords or credit card details.
To address this issue, we developed and trained a Siamese Neural Network on labeled images to detect brand impersonation. Specifically, our dataset consists of over 50,000 screenshots of known malicious log-in pages encompassing over 1000 brand impersonations. Our Siamese network learns to embed images of the same brand relatively close together in a low dimensional space while images of different brands are embedded further apart. We then perform a nearest neighbor classification in the embedded space.
To present the results and fully characterize the performance of our Siamese network, we developed metrics that capture how well the Siamese network performs on known as well as previously unseen brands and show how the network outperforms a baseline image hashing algorithm on a held-out training set. We will then discuss further applications and planned enhancements to the baseline machine learning model.