
Good morning, for me, because it's 11 a.m. here, so I have been asleep the whole night watching all the talks, super interesting talks here, and this is my first keynote, so I hope you enjoy it. Today I'm going to try to show you and explain to you my approach for hacking and learning behind the scenes. So, well, the introduction, Ellen just took care of it, but the important fact here, because I think everyone was asking about this, is that my cat is called Odin and he's also a bug hunter. So now you have the answer to that question, because you have been asking the whole morning.

So let me explain something about this talk before going further, and it is that you won't find answers here, because we are going to be talking about questions. Let me explain this with something that happened to me a few months ago. At the end of May I released an advisory with a bug affecting a well-known application for gamers, and this bug got a lot of attention; it got published on different news portals, so I started receiving different emails. But the interesting thing I noticed is that I got a lot of questions, and those questions were something like this. If you look at them you will see that they are basically questions asking about the mindset: how to start learning bugs like this, what you need to know in order to find this kind of bugs, the path to follow in the learning process.

So when I thought about them, I realized that I had thought about those questions before, probably when I was reversing, when I was testing an application or when I was reading a write-up from another researcher. So I wasn't alone, so maybe those questions are more important than we think. And that's when I realized that sometimes those questions we ask ourselves while we are hacking or we are learning could be more important than the technical knowledge that we already know. For that particular case I released the advisory with around seven pages, and people were not asking, or most of the people weren't asking, about the technical part but about the learning process and the mindset behind the hack.

So let me propose something to you. Let me show you how I like to use questions to open up different possibilities of learning things. I use those questions to point out what I know and what I don't know, and that's when I start following those hints, those breadcrumbs that the answers are providing to me, in order to discover different paths, and that's where basically the learning curve appears.

When we talk about learning there are a few things that I would like to discuss and that we need to be sincere about. First of all, learning is hard. It takes time, effort, and of course it's endless, because every time we start a new project, a new gig, or we start with a new write-up, we are constantly learning and we are constantly going through that learning curve, where we know nothing about the application or the technical knowledge that we are reading about, but we are trying to go through that curve and spend time and effort trying to master that knowledge.

So my personal approach in order to identify that learning path and walk through this learning curve is, first of all, to split the whole problem into pieces, right? Those pieces or components could be one technical knowledge I need to master, a technique; could be something smaller, like a feature from one application; could be one feature that belongs to a framework that application is using. So what I like to do is to focus on one of those components and then start asking myself questions, things like: how is it built, which language is being used, how does it communicate with the other components, how does it work internally, and so on and so on. By asking those questions, they will end up helping me to discover, for example, new components in the application, and continue with the cycle, so I can focus on different components and keep asking myself things about that particular piece. At some point those questions may help me to identify all the components, and with some luck, if we have been asking the right questions and we follow the path correctly, we could sometimes find an attack vector that will help us to create this attack that maybe we're looking for.

So what I'm trying to explain to you here is that by constantly asking myself things about the different things that are part of the problem, those answers will help me to identify a path and to follow those breadcrumbs into the learning process, and that way travel through this learning curve. So now what I'm going to show you is this thinking process, but with two examples, with some bugs I found previously, so I can help you to understand better what I mean.

The first bug is the one I mentioned before on the advisory. It is a one-click remote code execution in the Overwolf application, and Overwolf is an application that gamers use to integrate third-party plugins with their games. So let's jump to a quick proof of concept, where you can see that we have a browser, and then, if the user accepts this pop-up, the application is going to be launched, a cross-site scripting attack is going to be performed in the back end, and by bypassing some local restrictions it's possible to achieve the remote code execution. So that's like the whole perspective, the whole overview, and that's the only thing we need to know so far.

So here we have the whole graphic of the whole problem, right? The whole attack vector: we have the different components and how they communicate between them. But the interesting thing is that when we start analyzing the application we really don't know anything about this application. We don't know how those components communicate, and we don't even know that those components exist. So let's start from the obvious, the main Overwolf process, where we can see for example the UI, and let's start asking ourselves questions while we are analyzing this application. We can ask ourselves things like: which language is being used, how is it built, is it using any particular framework, how is this content being rendered to the user, is everything static or are there other things that are dynamic? And by answering those questions we will realize that this Overwolf binary is built using the Chromium Embedded Framework, or CEF; that this application is built using C# and C++, but the content is going to be rendered in an embedded browser inside of the application that will manage all the HTML and JavaScript code that the user is seeing.

So when we ask, is this content all static or do we have something dynamic, and how do we retrieve that dynamic content, a new component will appear. So this question has helped us to identify something else in this diagram, so we can ask ourselves things like: how does it communicate with the server, which protocol does it use, is this protocol secure enough, can we probably see the traffic, proxy it somehow in order to analyze it and see what is being sent back to the user? And while trying to answer those questions we will realize that this communication is made using HTTPS, which seems to be secure by now. But we could ask something different: can this application be invoked remotely? And we will realize that there is another component that will help us to interact with this application from another perspective, for example using a custom URL handler.

So we need to start again, identify, to learn about this topic, because we have identified something new: custom URL handlers in Windows. And we need to start learning and asking ourselves things like: how does this handler work, how does this communicate with the application, can we arbitrarily invoke this, for example from any browser? And the thing is that the more we learn about this component, we will discover that this custom URL handler can help us to invoke the Overwolf application, and that it can be accessed, for example, from browsers like Chromium and Firefox. So what happens when we execute this handler, for example when a website redirects us to this custom URL? Well, the Overwolf application is going to be launched, and if it's already running, the URL is going to be parsed and some different components are going to be involved, some different features.

So can we, for example, manipulate how the application behaves based on the URL? Can we somehow use it to produce something unexpected? And the thing is that while we ask our questions we will realize that we can trigger some unexpected events. For example, every time we invoke this handler a request is going to be sent to the server and some different content is going to be retrieved, something dynamic that comes from the server. So we can ask ourselves: how is this traffic being sent, can we see the responses, can we somehow use this URL handler in order to trigger an unexpected result? And if we keep asking ourselves and analyzing the application and what happens every time we invoke this, we will realize that we could achieve a cross-site scripting attack inside of the embedded browser of the CEF application.

So we suddenly need to learn about cross-site scripting web attacks. We need to understand and see how dangerous this attack is on a desktop application, for example, if there is any limitation, or if we can basically escalate this somehow to achieve a bug with higher impact. So by answering those questions a new interesting component is going to appear, and it's the CEF sandbox. So in this case we start reading and learning about the sandbox. We start asking ourselves how it works, can we escape from the sandbox somehow, are there bugs or vulnerabilities that we already know, that already exist, that could help us to escape from the sandbox? And by keeping asking ourselves and learning we will see that the sandbox is there to somehow prevent this kind of attacks, to avoid custom cross-site scripting attacks or custom JavaScript code from manipulating directly the operating system, and that it's somehow protecting the user. So we can ask ourselves: is there anything that this sandbox allows us to interact with, or can we interact with other different components? And the thing is that yes, there is something new that appears here, another component which is called the native API.

And when we ask ourselves how this native API is built, how it works, if it has custom features, and we keep asking different things, we will realize that this native API is built with C# and C++ code again, but it is also going to have some piece of code in JavaScript in the browser, so in that way it's going to provide additional capabilities to the browser in order to communicate somehow and perform some actions with the operating system. So can we somehow use those features to our advantage, or can we invoke them from the cross-site scripting attack? And the thing is that yes, there are some interesting features, and while we analyze this C# code we will realize that, for example, it allows us to create new files. So those files can be anything, could have any extension, or are we limited somehow with the content we can place in that file and the names and the extensions we can create? In this case, lucky for us, we have no limitations at all, so we can create any file in the system as long as the process has privilege to write, right? So can we trigger the execution of this file? Not yet, because we are just writing the file and we don't know how to execute it. But by further analyzing this component we can identify that there is another feature that helps us to execute any file on the system. Kind of funny, but for example this function, if we provide a URL, it's going to open a browser; if we provide a batch script, it's going to execute this batch script. So now maybe we can ask ourselves if we can combine those two things in order to write this file, write a batch file with custom commands, and then use this second feature to execute it. And the thing is that that works, and that will help us to successfully achieve the remote code execution on this application.

So let's summarize what happened here. By asking questions we were able to identify new components and also new pieces of knowledge that we need to learn and understand in order to go and finally identify this attack vector. We were following some hints, we were following the breadcrumbs that those answers were providing us, in order to travel across this learning curve and achieve this attack vector.

So let me try this again with a different bug. We have another example; this is another remote code execution on Overwolf again, but in this case it's going to be targeting the updater process. Here we have the proof of concept, where we are going to see that in this case what we are going to be performing is a man-in-the-middle attack, and we are going to be stepping between the client and the server, and by doing that we are going to make the client believe that we are actually the server, and we are going to be replacing the binaries with the installer for the new version. After that, by bypassing some local restrictions again, we are going to be able to execute commands as the user SYSTEM and create a new file on the C drive, and this user is the highest available user on Windows, so it provides a lot of power to the attacker, right?

Let's do this graph again, but if you see, this time it's not empty, because we have gone once through the learning curve before with the previous bug, and we already know things like there is a CEF application, there is a server, and we know a few things about this application. So let's start asking questions. For example, we can ask: is there any other process that Overwolf is using, or how does this application get updated when it needs to be updated? And we will realize that there is another process running on a higher privilege, with the user SYSTEM, that is taking care of this updating process. So again: which language is it built in, how is this process being triggered, how is it run and launched? And we will see that there are two different components that are able to invoke and start this updating binary, and one of them is something called the Windows Service Controller. So we start learning about some Windows internals, and we start learning how these services, or this high-privilege user process, can be invoked. But also we have the previous Overwolf application that we have seen before, that executes this process automatically every time that it gets launched. So maybe we should follow that path, because we don't need to do anything: if the application, the Overwolf client, is executed, the updater process with higher privilege is going to be executed as well.

So how does this logic work, how does this updater process work? We start learning about this logic, this process, and we will see that there is a bunch of C# code with the logic, and that this logic is retrieving the new versions and performing the installation. So how does it communicate with the server in order to retrieve those versions? Well, we again have this communication, and we start asking and questioning this component, and we say, okay: how does it communicate, with which protocol, is it secure, can we intercept this traffic somehow? For this case it's not as secure as the previous one, because we will see that they are using HTTP, without a secure channel. So somehow we could maybe intercept or manipulate it, right? Maybe if we are in the right position. So can we manipulate it, how can we perform a man-in-the-middle attack? Those questions will help us to start thinking about different attacks, about learning different man-in-the-middle techniques, and see how we could manipulate that traffic somehow and probably produce an unexpected result. And the thing is that once we have learned and mastered those kinds of attacks, we will see that if an attacker steps between the client and the server, for example in the LAN, in the local network, they will be able to confuse the client in order to make it believe that they are actually the Overwolf server.

So now we need to understand also what's being transmitted, right? What happens if we replace this content? And by analyzing this traffic, by proxying the application and by understanding what's happening, we will see that there are a few things coming back from the server: first, the numbers of the newer versions, but also the URL with the installer, to download the installer, and also the MD5 checksums that those installers must match. So what happens if we replace those files? Can we, for example, force the Overwolf client with higher privilege to execute those files? And by trying and failing and analyzing this we will see that there are two local controls that will prevent us from successfully executing this attack. First we have the checksum control, which will validate that the file that we are going to install matches the MD5 checksum that the server is returning, and second we have a certificate signature validation that is going to validate that that particular binary that we want to execute is signed by Overwolf.

So let's start asking about the first check: how does it work, how is it implemented, which functions are being used from C# in order to control it, is there anything we can use to create, for example, a collision, or to bypass this checksum? And the thing is that if you pay attention to the previous answers you may have noticed that the checksum was also coming in via an insecure channel, so in that way we could replace not only the URL with the installer, pointing to our malicious file, but also we could replace the MD5 value, and in that way force the application to believe that that binary hasn't been manipulated. So the first check has been bypassed. Now, is this enough to achieve remote code execution? Not yet, because we still haven't bypassed the second control, the certificate signature. So now we need to start learning again about this component and start thinking about how we could bypass this, how it's implemented, which is the certificate authority that is being validated, or maybe if we could use a self-signed certificate and see what happens, right? An interesting thing is that the longer we keep asking and learning about this component, we will see that due to some C# internals the developers weren't using the correct function in order to validate the certificate, so maybe we could use a self-signed certificate to bypass this control. And luckily for us the answer is yes: by signing the binary with a self-signed certificate it's also possible to bypass this second control and finally achieve the remote code execution.

So again, in a nutshell, we have the questions, we have the knowledge, and we can see how by learning and asking about the language, how it works, how they interact, how it's expected to behave and how we can manipulate that expected behavior, we're going to identify the different pieces of knowledge that we need to start learning and reading and mastering in order to, for example, look for similar bugs like this. So now that you see the mindset and I have shared this with you, let's jump into some conclusions.

First, what do those bugs have in common? And the interesting thing is that I wasn't looking for any of those facts while I was reversing that application. I just started, like the same we did here: I started analyzing one component, focusing on one component, and started asking things to see where I could go. I started following those breadcrumbs, those hints that the answers were providing me, in order to follow that path and identify that attack vector that I wasn't looking for. I could end up finding a privilege escalation bug, but that will depend on the questions and of course on the answers.

What do these questions tell us? Well, basically, that sometimes the things that we don't know could be more important than the things that we do know, because those questions help us to identify the things we need to learn, the things we need to discover, those voids that we have that we need to find out and understand in order to discover new things and probably attack vectors. And of course the right questions come with practice: the more we ask ourselves things about different components, the better the questions are going to be, right? With practice we will know how to question different components in order to find those paths. And during this talk I provided you the answers immediately, because I already traveled that path, but sometimes, when we are working on research, those answers can take minutes, days, maybe weeks, so don't get disappointed if you are trying to find out some answers but it's taking too much time to do it. Finally, if we ask questions that don't help us during the research or the learning process, that's fine, because that answer that didn't help us means that we learned something, or maybe that that path that we were trying to go through is not the correct one and that we need to find our way into the breadcrumbs in a different way.

And what I want to show you here is that this can be applied everywhere. I like to go through this mindset process, this mental process, for everything. For example, when I'm hacking a new application, a web application, desktop, whatever I'm doing; for example, when I'm learning a new technique; or simply when I'm reading a write-up, I like to start asking questions that the write-up is not mentioning. So I start focusing: if, for example, the write-up mentions a technology, a framework or something, I start asking things about that and start trying to find those answers by myself, because in that way I can take any write-up, start asking things to the different components, and probably start understanding a lot more information, or probably learning that new attack that I'm reading about and I didn't know about it. So that was all for the talk. I hope you have enjoyed it. So now, do you have questions for me?
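The first bug's chain is custom URL handler parameters reaching the embedded browser unescaped, and a native API that lets page JavaScript write any file and then "open" it. The following Go program is an added example from the editor, not the speaker's code and not Overwolf's; it shows the three controls a defender would want on such a chain. The `myapp://` scheme, the `renderDeepLink` and `Bridge` names, and the blocked-extension list are assumptions of the example, and the path confinement is written for Unix-style paths.

```go
package main

import (
	"errors"
	"fmt"
	"html"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// renderDeepLink takes the custom-scheme URL a browser hands the application (the hand-off
// the talk describes) and returns the HTML fragment the embedded browser will show. Every
// query value is HTML-escaped, so it can only ever become text, never markup.
func renderDeepLink(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "myapp" { // assumed scheme name for the example
		return "", fmt.Errorf("unexpected scheme %q", u.Scheme)
	}
	q := u.Query()
	return fmt.Sprintf(`<h1>%s</h1><p>%s</p>`,
		html.EscapeString(q.Get("title")), html.EscapeString(q.Get("msg"))), nil
}

// Bridge stands in for the native API the talk describes: privileged code reachable from page
// JavaScript. Writes are confined to one directory and refuse script-like extensions, and the
// open primitive accepts only web URLs, so a file the page wrote can never be handed to it.
type Bridge struct {
	Root string // the only directory the page is allowed to write into
}

var blockedExt = map[string]bool{".bat": true, ".cmd": true, ".exe": true, ".ps1": true, ".vbs": true, ".js": true}

// WriteFile returns the absolute path it wrote, or an error if the request left the sandbox.
func (b Bridge) WriteFile(name string, data []byte) (string, error) {
	if blockedExt[strings.ToLower(filepath.Ext(name))] {
		return "", errors.New("extension not allowed")
	}
	root, err := filepath.Abs(b.Root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, name) // Join cleans "..", so a traversal lands outside root
	if !strings.HasPrefix(full, root+string(os.PathSeparator)) {
		return "", errors.New("path escapes the sandbox directory")
	}
	if err := os.MkdirAll(filepath.Dir(full), 0o700); err != nil {
		return "", err
	}
	return full, os.WriteFile(full, data, 0o600)
}

// Open only ever launches a web URL in the system browser; local paths and other schemes are refused.
// Launching the browser itself is omitted: the point is the check that runs before it.
func (b Bridge) Open(target string) error {
	u, err := url.Parse(target)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return errors.New("only http(s) URLs may be opened")
	}
	return nil
}

func main() {
	frag, _ := renderDeepLink("myapp://open?title=%3Cb%3Ehi%3C/b%3E&msg=welcome")
	fmt.Println(frag)
	b := Bridge{Root: filepath.Join(os.TempDir(), "bridge-demo")}
	_, err := b.WriteFile("../outside.txt", nil)
	fmt.Println("traversal:", err)
	fmt.Println("open local file:", b.Open("file:///tmp/run.bat"))
}
```

The two halves matter together: escaping closes the injection in the renderer, while the bridge limits what a renderer compromise can reach if escaping is ever missed somewhere else, which is the layering the talk's sandbox discussion points at.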
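For the updater bug, the two lessons are that a checksum delivered over the same unauthenticated channel as the file it describes checks nothing, and that a signature is only as good as the trust anchor it is verified against. This Go program is an added example from the editor, not the speaker's code and not Overwolf's, and it generalizes the talk's case: Ed25519 signatures over a release manifest stand in for Authenticode over the installer, the `Manifest`, `Release`, `checksumOnly`, `signedByAnyone` and `verifyRelease` names are assumptions, installer bytes are constructed stand-ins, and MD5 is kept only in the in-band check to mirror the talk while the authenticated path uses SHA-256. The same flaws and the same fix apply to a real updater whether the channel is HTTP or HTTPS.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest is what the updater fetches; in the talk it came over plain HTTP, MD5 included.
type Manifest struct {
	MD5    string `json:"md5"`    // in-band checksum, as in the talk
	SHA256 string `json:"sha256"` // checksum that the manifest signature covers
}

// Release is a signed manifest; SignerPub travels with it, as a self-signed certificate would.
type Release struct {
	ManifestJSON []byte
	Signature    []byte
	SignerPub    ed25519.PublicKey
}

func md5Hex(b []byte) string    { s := md5.Sum(b); return hex.EncodeToString(s[:]) }
func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// publishRelease describes an installer and signs the manifest with whatever key it is given.
func publishRelease(priv ed25519.PrivateKey, installer []byte) (Release, error) {
	mj, err := json.Marshal(Manifest{MD5: md5Hex(installer), SHA256: sha256Hex(installer)})
	if err != nil {
		return Release{}, err
	}
	return Release{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), SignerPub: priv.Public().(ed25519.PublicKey)}, nil
}

// checksumOnly is the talk's first control; the MD5 came over the same channel as the file,
// so whoever rewrites the file can rewrite the checksum to match.
func checksumOnly(r Release, installer []byte) bool {
	var m Manifest
	return json.Unmarshal(r.ManifestJSON, &m) == nil && m.MD5 == md5Hex(installer)
}

// signedByAnyone is the second control as the talk says it was implemented: the signature is
// verified, but against the signer that came with the release rather than a trusted one.
func signedByAnyone(r Release) bool {
	return ed25519.Verify(r.SignerPub, r.ManifestJSON, r.Signature)
}

// verifyRelease is the corrected check: the key is pinned in the client, never taken from the
// download, and the installer hash is compared only after the manifest is authenticated.
func verifyRelease(pinned ed25519.PublicKey, r Release, installer []byte) error {
	if !ed25519.Verify(pinned, r.ManifestJSON, r.Signature) {
		return fmt.Errorf("manifest is not signed by the pinned release key")
	}
	var m Manifest
	if err := json.Unmarshal(r.ManifestJSON, &m); err != nil {
		return err
	}
	if m.SHA256 != sha256Hex(installer) {
		return fmt.Errorf("installer does not match the signed manifest")
	}
	return nil
}

// runScenario plays a genuine release and a man-in-the-middle release through the three checks.
func runScenario() (map[string]bool, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // the "self-signed" key
	if err != nil {
		return nil, err
	}
	good := []byte("constructed stand-in for the vendor's installer")
	evil := []byte("constructed stand-in for an attacker-supplied installer")
	genuine, err := publishRelease(vendorPriv, good)
	if err != nil {
		return nil, err
	}
	mitm, err := publishRelease(attackerPriv, evil) // swapped file, matching checksums, attacker's key
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"checksum_only_accepts_tampered":  checksumOnly(mitm, evil),
		"any_signer_accepts_tampered":     signedByAnyone(mitm),
		"pinned_key_accepts_genuine":      verifyRelease(vendorPub, genuine, good) == nil,
		"pinned_key_accepts_tampered":     verifyRelease(vendorPub, mitm, evil) == nil,
		"pinned_key_accepts_swapped_file": verifyRelease(vendorPub, genuine, evil) == nil,
	}, nil
}

func main() {
	res, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(res) // map values print sorted by key
}
```

Running it shows the first two checks accepting the tampered release and only the pinned-key check rejecting it, which is the same ordering of outcomes the talk reaches by hand. In an Authenticode setting the pinned key corresponds to verifying the chain to a trusted root and then comparing the signer against the vendor's expected identity, rather than accepting any certificate that happens to produce a valid signature.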