Program

(invited talk) Pwn a SAP System... then what ?

what?

We are pleased to announce the program of GreHack'18.

SAP is no longer an unknown black box for security community. But despite this, we realize that risks behind SAP aren't well know. After a quick overview of SAP Netweaver fundamental, from pentesters point of view, I'll demonstrate three well know different ways to compromises a SAP system. Then I do not stop here and continue by showing post-exploitation examples who cover espionage, sabotage as well as fraud threats.

who?

Yvan has 16 years of experience in SAP, now working as a security researcher at Onapsis. He received official acknowledgements from SAP AG for vulnerabilities he's reported. Furthermore, he has conducted training or talks at HIP, Hack.lu, Troopers and SSTIC.

Affiliate : Onapsis (https://www.onapsis.com/)

(invited talk) Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers

what?

"Screaming Channels" are a new side channel that affect mixed-signal chips used in widespread wireless communication protocols, such as Bluetooth and WiFi. This increasingly common type of chip includes the radio transceiver along with digital logic on the same integrated circuit. In such systems, the radio transmitter may unintentionally broadcast sensitive information from hardware cryptographic components or software executing on the CPU.

The analog noise produced by the digital logic is inadvertently mixed with the radio carrier, which is amplified and then transmitted by the antenna. This allows electromagnetic side-channel attacks to succeed over a much longer range than before, as our team demonstrated in a proof of concept for remote AES key extraction over a distance of 10m.

This talk will cover the background to understand the side channel, give insight about how it was discovered, and discuss its impact and implications for the future.

who?

Marius is a PhD student at the Software and Systems Security group of EURECOM in Sophia-Antipolis. His main research interests are dynamic binary analysis techniques for firmware in order to discover and detect vulnerabilities in embedded devices. To ease this task, he created and maintains the avatar²-framework. Besides that, he is interested in any kind of low-level hardware detail and assisted in the screaming channels project. In his spare time, he largely appreciates capturing flags and playing the guitar.

The Evolution of GandCrab Ransomware

what?

The vast majority of ransomware infections in the past years have been results of ransomware being sold as an easy-to-use service, following the Ransomware-as-a-Service (RaaS) model. In 2018, the RaaS-space was dominated by a new malware family: Gandcrab.

We tracked and analyzed the family from the earliest stages to the latest version, observing differences between versions, like added features and rewritten functions. Besides the reverse-engineering of the payload, we analyzed the various distribution methods: drive-by downloads via exploit kits and different Javascript and Word doc droppers attached to spam e-mails.

In this talk we present technical details of the different methods used to distribute the malware, highlight some interesting facts about the packer, and show the evolution of the malware payload.

who?

Tamas Boczan

ROPGenerator: practical automated ROP-Chain generation

what?

When exploiting binary vulnerabilities on hardened systems, ROP-Chains are common alternatives to shellcodes and still considered to be the best way to execute arbitrary code under an ASLR + DEP environment. However, building ROP-Chains is onerous and time-consuming, and even though several attempts have already been made to automate the process, none of them produced a practical solution. To solve the problem, we developed a new approach for semantic code analysis that is specifically designed to scale to gadgets. We also created a gadget-chaining engine which, given a semantic query and a list of available gadgets, is able to build ROP-Chains matching the queries. We implemented this approach in a free tool named ROPGenerator.

who?

Freshly graduated from UGA, I am now a R&D security researcher at Quarkslab. I enjoy reverse-engineering stuff, exploiting other stuff, and developing tools that make my life easier.

Abusing privileged file manipulation

what?

This talk presents how some file operations by privileged processes can be abused to escalate privileges. It will walk through various techniques to exploit such vulnerabilities on Windows, and illustrate these techniques with actual bugs found in security products, with a focus on AV quarantine bugs.

who?

Clément Lavoillotte is a pentester at Provadys where he performs security assessments for a wide range of customers. He likes all kinds of bugs and "features", and understanding how things work across abstraction levels.

Trap your Keyboard 101

what?

Nowadays hardware devices are programmable, have large memory spaces and important computing power. What could be the security implications? What kind of attacks can we perform? Let us take the example of keyboards. Which risks are induced by the sophistication of the components used? This presentation is a journey to the land of firmware trapping. Several steps are presented from the firmware collection, to the effective addition of a keylogger through the reverse engineering analysis.

who?

Marion (Miniaturized Automatic Research & IntrusiON) is a miniaturized version of an IT security research engineer at CEA/DAM. She is very useful in penetration tests in tiny environments (where size does matter). She also specializes in tiny components firmware analysis.

Twitter: @marilafo19

Analyzing Ultrasound-based Physical Tracking Systems

what?

who?

Mathieu is an associate professor at INSA-Lyon, a member of the CITI Lab and a faculty member of the Inria PRIVATICS team. His research interests include privacy and security in the context of wireless networks and mobile environment, as well as online censorship and surveillance. He conducted several works on the leakage of private data from mobile devices especially through the use of Wi-Fi. He has been involved in standardization activities at IETF and at IEEE 802. Finding Internet connectivity anywhere in the world and reading raw pcap files are his two most famous skills. Above all, he loves it when a plan comes together.

Leonardo S. Cardoso received his electrical engineering and M.Sc. degrees from the Universidade Federal do Ceara (UFC), Brazil in 2003 and 2006, and his Ph.D. degree in 2011 at Supelec, France, on Cognitive Radio and Dynamic Spectrum Access. Since 2014 he is an associate professor at the INSA engineering school in Lyon where he designed and co-developed CorteXlab, a testbed for multi-node cognitive radio experimentation. His research interests include wireless communications, interference management, cognitive radio and signal processing.

Bridging the gap between Secure Hardware and Open Source

what?

Hardware security is an opaque world while it's currently the best option to ensure high level security. The talk presents the first native open platform based on a EAL5+ certified chip. Then it describes Ledger's security approach, from its Bounty program, its annual CTF to its Open Source Attack tools. A special focus is made on one of the challenge of 2018 CTF.

who?

Charles joined Ledger in 2017 as Chief Security Officer after working for 10 years of in the Cryptography and Hardware Security sector. He started his career at Tiempo, an innovative startup in the Secure industry based in Grenoble, where he was designing the security of EAL5+ secure integrated circuits. He then worked as Technical Manager in an Information Technology Security Evaluation Facility (ITSEF) at the CEA. Charles is graduated from ENSIMAG, with a Major Cryptography and Security, where he also was a Lecturer

Detecting all type of illegal Access Points on enterprise networks

what?

BYOD(Bring Your Own Device) is becoming popular now, If a company does not provide a Wi-Fi network, employees may use their Wi-Fi adapter(soft AP) or router to set up unauthorized wireless access point on office networks.

However, it's a challenge to detect a layer3 AP with WPA/WPA2 protected. The layer3 AP usually comes with NAT(network address translation), which allows multiple local clients to use a same public IP address to access the external network, and the local networks are not visible to external. Existing solutions, such as detecting base the wired and wireless MAC address with the difference of +1/-1, blocking all Wi-Fi access points except whitelist, have much false positive and false negative.

In this talk, I will introduce some new method to detect them. It will first inject special packets into a target. If it is an AP device, some of the packets would be successfully transmitted to the wireless medium. Then the packets can be detected by our wireless sniffers.

Advantages:

Works for any NAT and Bridge APs, including Soft APs, Router APs, WISP mode APs.

Works for different types of encryption, such as WPA2+AES, WPA2+TKIP, WPA+AES, WPA+TKIP, OPEN.

Can get detailed information about AP’s SSID, Wired and Wireless MAC address, Vendor, etc.

Can get information about the associated wireless clients.

Have none false positive and have few false negatives.

who?

Yunfei Yang (@qingxp9) is a wireless security researcher of 360 PegasusTeam. He is a guest lecturer at China Northeastern University. He focuses on Wi-Fi attacks and defends. He made several talks about wireless security onBlackHat, CodeBlue, KCON, FIT, CCF YOCSEF, DC010, Overdrive, Infosec-City, ISC etc.