
DEF CON China: experience and notes on the key points

Posted by fierce at 2020-04-06

Author: giantbranch (from the Xin'an Road author team)

Book giveaway: Android Application Security Protection and Reverse Analysis

Event page: Xin'an Road book giveaway, May

DEF CON, the hacker conference, came to China. I imagine a lot of people wanted to go, but of course many of those who wanted to couldn't, because of distance, tickets, time and so on.

I was of course one of the people who wanted to go, and then I got the chance: someone gave me a ticket. Haha, happy~

To be honest, I didn't think much of this conference, so I only attended the first and third days; on the second day I weighed it up and chose to go out for a walk instead.

1. First, the venue they chose was too far away: the Kuntai Hotel, in the northeast of Beijing, next to the North Fifth Ring Road and near Wangjing East subway station. I had thought the National Convention Center was already far enough.

2. The talks started late and there was no break in the middle. On the first day the first talk was at 12 o'clock (as if we don't need to eat), and the rest ran straight through to 18:00; on the other two days the earliest talk was at 10 (maybe because the hotel is so far away that nobody would turn up early, haha).

3. I felt the tickets were seriously oversold: the main hall was full soon after it started, and I'd estimate more than 200 people ended up watching the live stream in the room next door. What's the point of buying a ticket to watch a live stream? So the National Convention Center would still have been better. The hotel's venue fee can't be cheap either, judging by the fact that a night's accommodation there is 1000+.

4. Another complaint: the hacking villages and workshops. Those rooms were small, holding maybe 50 people, so whenever I wanted to go in, the popular ones were already full.

5. Overall, the quality of the talks at this conference was not as high as I expected.

Having listed so many shortcomings, I should of course say something good too. Criticise first, then praise, as they say?

1. You can see a lot of foreigners, haha~. They have a spirit of sharing; at the villages they come over to explain and guide, and they are very enthusiastic.

2. There doesn't seem to be anything else......

Let me write down the talks I heard.

First day

On the first day I didn't listen to "Spread Malware with Google" or "You're on my account".

When memory-safe languages are "virtual"

The point is that languages such as Rust and Go are memory safe, so they should not have UAF and similar vulnerabilities; but applications written in Rust still use the libc library (and other C libraries), so memory safety problems can still occur. For example, the SQLite vulnerability Yang Kun found earlier can also make a Rust program built on SQLite crash with a segmentation fault.

The key point: a safe language with unsafe libraries.

What was interesting: someone in the audience asked the speaker whether he had found any exploitable bugs in Rust itself. Answer: no~

Five years of experience building CTFs

The speaker organised DEF CON CTF from 2013 to 2017 and talked about the history of DEF CON CTF. He also showed the challenge he himself had submitted when he played the CTF eight years ago, and was clearly pleased with it. The talk was mainly about team building and putting together a diverse team in which everyone has their own strengths; the rest was just chit-chat~

Triton and symbolic execution on GDB

The speaker gave a brief introduction to symbolic execution and then introduced his own tool: a GDB plugin that calls Triton. It looks handy for CTF; have a look:

https://github.com/SQLab/symgdb

When I got back I found out he had already given this talk at HITCON... oh well

https://hitcon.org/2017/CMT/slide-files/d2_s1_r0.pdf

General ways to find and exploit path traversal vulnerabilities on Android

I didn't listen to this one very carefully; two things stuck with me:

1. For example, when an archive is decompressed to the SD card, an entry name may traverse out of the target directory.

2. Sometimes the file name cannot be set to ../../test.txt directly, but it can be modified by hooking: the speaker hooked QQ and sent a file whose name contained ../, so the receiving side was hit by directory traversal. They reported this to Tencent (TX).

The slides list more places where directory traversal turns up; I'm too lazy to post them here:

https://media.defcon.org/DEF%20CON%20China%201/DEF%20CON%20China%201%20presentations/DEFCON-China-B-Xiang-General-ways-to-find-and-exploit-path-traversal-vulnerabilities-on-Android.pdf
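As an added example (not from the talk or its slides, and not Android code), here is the "unzip to the SD card" case in Python, since the check is language-neutral: a hand-rolled extractor that joins each entry name onto the destination directory, beside a hardened version that resolves the path and requires it to stay inside the destination. The archive and its entry names are constructed here; ../../test.txt is the name from the talk above, and /sdcard/app is a made-up destination.

```python
"""Path traversal on archive extraction (the 'unzip to SD card' case).

Added example, not from the talk or its slides. The archive and its entry
names are constructed in memory; '../../test.txt' is the name from the post.
"""
import io
import os
import tempfile
import zipfile

# Constructed attacker archive: one benign entry and three traversal attempts.
ENTRIES = {
    "docs/readme.txt": b"benign file",
    "../../test.txt": b"escapes two levels above the destination",
    "/etc/passwd": b"absolute path: os.path.join discards the destination",
    "docs/../../../test.txt": b"looks nested, normalises to ../../test.txt",
}


def build_archive() -> bytes:
    """Construct, in memory, the kind of archive an attacker would send."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_target(dest: str, name: str) -> str:
    """Vulnerable: trust the entry name and join it onto the destination.
    This is the File(dest, name) pattern; the result can land anywhere the
    application is allowed to write."""
    return os.path.normpath(os.path.join(dest, name))


def safe_target(dest: str, name: str) -> str:
    """Hardened: reject absolute names, resolve the candidate path ('..' and
    symlinks included) and require it to remain inside the destination."""
    if not name or name.startswith(("/", "\\")) or os.path.isabs(name):
        raise ValueError(f"absolute entry name rejected: {name!r}")
    dest_real = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        raise ValueError(f"entry escapes destination: {name!r}")
    return candidate


def is_safe_name(dest: str, name: str) -> bool:
    """True if safe_target() would accept the entry name."""
    try:
        safe_target(dest, name)
        return True
    except ValueError:
        return False


def extract_safely(archive: bytes, dest: str):
    """Extract with the check applied per entry; returns (written, rejected)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            try:
                target = safe_target(dest, info.filename)
            except ValueError:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo():
    """Run the hardened extractor on the constructed archive in a scratch dir."""
    with tempfile.TemporaryDirectory() as dest:
        return extract_safely(build_archive(), dest)


if __name__ == "__main__":
    for name in ENTRIES:
        print(f"{name!r:28} naive -> {naive_target('/sdcard/app', name)}")
    print(demo())
```

Python's own ZipFile.extractall() already strips leading ".." components, which is why the vulnerable path here is computed by hand, as many custom extractors do. The check in safe_target is the one to port to whatever extractor you use: resolve the full path and compare it with the resolved destination, rather than searching the name for "..", which misses forms such as the nested docs/../../../ entry above and Windows-style separators.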

On the third day

It finished at 2 o'clock.

From Gray Visitors to Important Allies: the evolution of the hacker community in Asia and the world

The first part was chit-chat, and then he actually only covered a couple of global communities.

The most important thing (roughly): asking makes you a fool for a moment; not asking makes you a fool for life.

This shows the importance of asking questions and communicating; in the villages and workshops the foreign attendees are very geeky, and they share, exchange and help each other without reservation.

Slides here, haha

https://media.defcon.org/DEF%20CON%20China%201/DEF%20CON%20China%201%20presentations/DEFCON-China-B-Jayson-E-Street-sphereny.pdf

Intranet intrusion: security issues of Cross-Origin Resource Sharing (CORS)

This one had the most substance.

Because of the browser's same-origin policy, cross-origin network access works like this: the request can be sent, but the response cannot be read.

This is actually fairly loose, and it is the root cause of CSRF.

Later, to get across origins anyway, JSONP (JSON with Padding) appeared. It is a "usage pattern" of JSON that lets a web page obtain data from another domain (website), that is, read data cross-origin.

CORS appeared because JSONP is not secure. I think it can be understood as adding a whitelist to the same-origin policy.

The main point is that if the server side is misconfigured, cross-origin reads become possible, even against hosts on the intranet.

For the specific security problems, see the misconfiguration types listed on the GitHub page below. The "*" configuration is the worst, equivalent to switching off the browser's same-origin policy outright, haha (note, though, that browsers refuse to attach credentials to a response whose allowed origin is "*", so what it exposes is unauthenticated resources; reflecting the request's Origin together with Access-Control-Allow-Credentials: true is what leaks authenticated responses).

If you want to hunt for this bug, just use the tool, haha; he has already scanned a number of big sites with it:

https://github.com/chenjj/CORScanner
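As an added example (not from the talk and not CORScanner's code), here are the misconfiguration types as small Python policies, each mapping the Origin request header to the response headers a server would send, beside the browser-side check that decides whether a cross-origin page gets to read the body; probe() then runs the spoofed origins a scanner would try against each policy. The allowlist, the API's front-end origins and the attacker origin are hypothetical. It also shows the "*" caveat concretely: a credentialed request never gets to read a wildcard response, while reflected origins with credentials do leak, which is where the intranet angle of the talk comes in (an unauthenticated intranet host is readable from any page the victim visits).

```python
"""CORS misconfigurations as server policies, beside the browser check.

Added example, not from the talk or from CORScanner. Each cors_* function
models one server policy: Origin request header -> response headers.
browser_allows_read() applies the browser's rule to those headers. The
allowlist and the attacker origin below are hypothetical.
"""

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ATTACKER = "https://attacker.example.net"


def _reflect(origin: str) -> dict:
    """Echo the origin back and allow cookies to accompany the request."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_reflect_any(origin):
    """Misconfiguration: reflect any Origin, with credentials. Every site on
    the web can now read responses that carry the victim's session cookie."""
    return _reflect(origin) if origin else {}


def cors_wildcard(origin):
    """Misconfiguration: '*'. Browsers never pair '*' with credentials, so this
    exposes unauthenticated resources only; for an intranet host reachable
    only from the victim's browser, that is already the whole problem."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_suffix_match(origin):
    """Misconfiguration: 'ends with example.com' also accepts evilexample.com."""
    return _reflect(origin) if origin and origin.endswith("example.com") else {}


def cors_prefix_match(origin):
    """Misconfiguration: 'starts with our origin' also accepts
    app.example.com.evil.net."""
    ok = origin and origin.startswith("https://app.example.com")
    return _reflect(origin) if ok else {}


def cors_trust_null(origin):
    """Misconfiguration: accepting 'null', the Origin that sandboxed iframes
    and data: URLs send, so any page can obtain it."""
    ok = origin == "null" or origin in ALLOWED_ORIGINS
    return _reflect(origin) if ok else {}


def cors_allowlist(origin):
    """Correct: exact match of the serialized origin against a fixed set, plus
    Vary: Origin so a shared cache never serves one origin's answer to another."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    headers = _reflect(origin)
    headers["Vary"] = "Origin"
    return headers


def browser_allows_read(page_origin, headers, with_credentials=True):
    """The browser's CORS check (Fetch spec, simplified): the page may read the
    body only if the allow-origin header names it exactly (or is '*' for a
    request without credentials) and, with credentials, allow-credentials is
    'true'."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao != page_origin:
        return False
    return (not with_credentials
            or headers.get("Access-Control-Allow-Credentials") == "true")


# Spoofed origins a scanner would try, keyed by the finding they indicate.
PROBES = {
    "reflects arbitrary origin": ATTACKER,
    "suffix match spoofable": "https://evilexample.com",
    "prefix match spoofable": "https://app.example.com.evil.net",
    "trusts null origin": "null",
}


def probe(policy):
    """Scanner-style check: which spoofed origins get a readable, credentialed
    response from this policy, plus whether it answers with a wildcard."""
    findings = [name for name, origin in PROBES.items()
                if browser_allows_read(origin, policy(origin), with_credentials=True)]
    if policy(ATTACKER).get("Access-Control-Allow-Origin") == "*":
        findings.append("wildcard origin")
    return findings


if __name__ == "__main__":
    for policy in (cors_reflect_any, cors_wildcard, cors_suffix_match,
                   cors_prefix_match, cors_trust_null, cors_allowlist):
        print(f"{policy.__name__:20} {probe(policy)}")
```

A real scanner sends these Origin values to a live server and inspects the response headers; the decision logic is the same as browser_allows_read, and the fix is the same in every framework: compare the whole serialized origin against a fixed list, never a substring of it, and never reflect an origin you did not match.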

"Wi-Fi on the road: attacking the SmartCfg wireless provisioning scheme" and "I am Groot: examining the guardians of Windows 10 security"

I went out for lunch at noon; I listened to the latter one but don't remember much of it.

Androsia: securing 'data in use' in Android apps

It opened by saying that data in process is probably the least protected. The author implemented Androsia to protect data in use, using instrumentation: as far as I could tell, as soon as a variable is no longer used it is immediately reclaimed (released).

For details see the slides; I didn't fully understand it, and for now Android isn't my focus......

https://media.defcon.org/DEF%20CON%20China%201/DEF%20CON%20China%201%20presentations/DEFCON-China-Samit-Anwer-Androsia-Securing-Data-in-Process-for-Android.pdf

Finally

After all that, I feel the biggest gain was learning how lock picking works and trying to open a lock with just two marbles, haha~~