
All right, good morning. Can everyone hear me reasonably well? Perfect, thank you. My name is Ben McBride. Thanks for being here for Pwn2Own Stories. In this talk I hope to entertain you with some of my Pwn2Own experiences while encouraging you to participate. Regardless of where you are in your career, I think Pwn2Own is a great opportunity. A quick poll, hands up, I know it's early so we're going to try to make this interactive: who has heard of Pwn2Own before? Okay, a few people. Okay. Well, at this point in my career I have quite a few gray hairs, as I've been doing vulnerability research and reverse engineering for more than 17 years. As mentioned, I'm currently the Android team lead at L3Harris Trenchant, and my research is focused on the Android kernel in pro sand. Previously I spent about 13 years at Sandia National Labs doing lots of fun things that I can't talk about. In my spare time I like to participate in Pwn2Own, and I hope in this talk I will convince you to also participate and show you that it can be fun and profitable.

So this talk will highlight six short stories from Pwn2Own Miami in 2020 and 2022. There'll be three successes and three failures, covering a variety of targets, technologies and approaches. There'll be some .NET, some Java, some cryptography and some weird Windows stuff. All of the stories are related to ICS (industrial control system) and SCADA products. If you're not familiar with those types of products, they run power plants, hydroelectric dams, water treatment plants, factories; they're used in lots of important places.

So a little bit about Pwn2Own. It is a hacking contest that's run by the Zero Day Initiative, and from my perspective researchers get paid for bugs, which is nice, and all the vulnerabilities get reported to the vendors. So ZDI will run multiple contests annually targeting common software used by many people and software that is important to secure. This software includes really hard things like Chrome, Microsoft Windows, Apple products including the iPhone; there's even contests targeting Tesla, where you can win a Tesla if you hack it. But then there's other products that are less splashy, things like your home entertainment speakers and products like that. There's also home automation products, electric vehicle chargers, and again things that run power plants. So there's a wide spectrum of targets in these contests. At the last contest ZDI paid over $1.1 million in bounties, so it can also be quite lucrative.

The basic rules of Pwn2Own: targets are announced about three months before the contest, and this is real vulnerability research. There's no special access given, no product source. So this is as if you were a real attacker: you have to acquire the product, grab firmware if it's a product that has firmware, you have to identify the attack surface. Everything is real. All bugs in the exploit chain must be zero-days on the day of the contest; if the vendor or ZDI already knows about the bug, it doesn't count. Participants will get three attempts in a 15-minute span to demonstrate code execution. It's not enough to just come with a bug; you have to demonstrate a working exploit that gets code execution. So to get a full contest win, bugs must not be known by ZDI nor the vendor.

Okay, so why should you try Pwn2Own? One, it's fun. You can get paid quite a bit. It's a really good resume builder; a lot of vulnerability research firms look at Pwn2Own as a checkbox to say you know what you're doing. But I think this is the most important one: it's an opportunity to learn new things. You've got a wide spectrum of technologies and lots of things to learn. So I hope the following stories show you that Pwn2Own isn't always hard, it's not always like going after Chrome or going after a Tesla, and I hope it encourages you to try yourself.

Okay, for the first story we go to Pwn2Own Miami in 2020, where we target the Rockwell Automation FactoryTalk View SE HMI and EWS. Now don't worry if you don't understand what that particular piece of software is or does; I don't understand what it is or does either. It's just a piece of software, and it turns out the system ends up configured as three VMs, lots of different processes, lots of network ports open. So where do we start? I think this is a common problem for beginners: there's a big piece of software, what do I do? It's so big, it's intimidating. So I'm going to walk you through exactly what I did. Now this particular approach does not lean on any experience; it is the silliest thing you could do to start, and it works. So how about just browsing with a web browser to each open port? Maybe we can find an HTTP server. Now hopefully you all know better ways to do this, because this is not a good way to do it, but if you did do this you will find that you get a really interesting exception on one of those open ports. What makes it interesting? Well, there's keywords like "deserialize", "binary server formatter" and "remoting". Now there's probably people in this room that know what this means; I was not one of them when I saw this exception, but I did know enough to Google. So one Google search later we find an article by James Forshaw describing vulnerabilities in the .NET Remoting protocol. The .NET Remoting protocol allows for deserialization of untrusted objects by design. Now again, you don't really need to know a whole lot to be successful here; you just need to know that deserialization of untrusted objects is bad. So does anyone know that already? Good, good. Okay, you can win at Pwn2Own.

Now Forshaw adds that there are ways to mitigate this. One is to not use Remoting, so if you're using .NET Remoting in your systems, don't do it. He further adds that if the service is running with the TypeFilterLevel set to Full, then even with these fixes the service can still be exploited. Now I started reverse engineering the server and quickly saw that TypeFilterLevel was indeed set to Full. Okay, so this is really good news for me. 20 minutes later I've got a working exploit. I used a tool called ysoserial to generate a serialized object that would take advantage of the BinaryFormatter protocol in .NET Remoting. I didn't have to know a whole lot there; I had to type a command line, a little bit of Python to send my serialized object to the vulnerable endpoint, and the end result is a 100% reliable exploit, and it worked on both the HMI and the EWS software. Now unfortunately this particular bug ended up colliding with a bug reported in 2019, so at Pwn2Own this is a partial. It was released as a zero-day in February 2020, as the vendor had not fixed it after 120 days. I haven't looked recently; it might not be fixed today, so don't use their software. Okay, now this was a very shallow bug that was always likely to be found by researchers. It's however a very accessible bug for beginners. Again, if you knew very little, if all you knew was to browse to open ports and could do Google searches, you can win with this bug. It's a great opportunity to learn a little bit more about .NET and serialization issues, and really the hardest part of this entire process was reading the blog post on .NET.

Okay, the second story is also from Pwn2Own Miami in 2020. This time we are targeting the ICONICS GENESIS64 control server. Again it's not really too important what it is, other than it's a giant .NET application with some native code. Instead of using legacy .NET Remoting for client-server communications, it uses Windows Communication Foundation. I don't understand why it's "foundation" and not "framework", but it is. Chris Anastasio presented a really nice talk at BSides San Francisco in 2019 talking about how to abuse WCF endpoints. Again, if you can use Google and you learn WCF vulnerabilities, you can find this great talk and you can win Pwn2Own as well. So it turns out this WCF endpoint in ICONICS GENESIS64 allowed for unauthenticated access. The WCF endpoints would allow for talking to a wide variety of point managers on the server, and the main FWX server proxies these requests to other services depending on the point name as provided in the request. Now I had a winning bug, but it was patched the week before the contest, and so I scrambled to find another one in time. This was very stressful, but the good news is, after reverse engineering, I learned the gddx core handles several methods related to the database of the product. So there were functions like get database schemas, get table columns, get SQL servers, procedures, test query. Yep, it takes an SQL query from the remote client and runs it without authentication. Now I am not an SQL expert by any means, but this seems bad.

Okay, so what went wrong here? Well, in the last few hours before the contest registration closed, I wrote a custom WCF client to trigger the test query function. It leveraged ICONICS-supplied PowerShell cmdlets to get all the necessary configuration information that I needed to call test query. I hunted for RCE options besides using xp_cmdshell, since that's configuration dependent, and everything worked. Five minutes before the contest everything worked as I expected, and then on stage it didn't work. Cameras going, it was actually live on Twitter, and my exploit wasn't working and I had no idea what was going on. It turns out that the PowerShell cmdlets stopped working: my demo license had expired and the cmdlets wouldn't run without a valid license. This really sucked. I couldn't get back in the 15-minute time window to demo the exploit. So I don't know quite what the lesson there is other than don't write lazy exploits. I could have written a better exploit that would have grabbed all that configuration information without depending on the vendor-supplied PowerShell cmdlets, but that would take time. Okay, so this one really hurt.

Thankfully the ICONICS GENESIS64 control server was back in 2022, but there was a rule change. So in 2022 an attempt in this category must be launched against the target's exposed network from the contestant's laptop within the contest network, or by opening a file within the target on the contest laptop; the files that are eligible to be opened must be file types that are handled by default by the target application. So this is nice. So I started looking at all the file types that were handled by ICONICS GENESIS64 by default, and for each file type I did a quick visual scan of available files in the install directory for interesting data and keywords. This was a very simple way to start; there's nothing complex here. So I would open up the file, try to read for clues to the purpose of the file: is it compressed, does it look encrypted? It'd be really nice if there are serialized objects in the file, 'cause then I could probably send my own serialized objects and win again. But as I was browsing I found one file that had code in it. There's an XML file that had keywords like "script code" and "JScript.NET". This looks nice. So I found that the tdfx file, which really isn't important, the GraphWorX64 template file, could be opened without authentication, and if I just added two lines of code in a script code tag, again the particular code isn't important other than that it executes calc, and I really don't know what it's doing, but I can Google. You do that, throw in the file, open the file and you pop calc. Easy. Okay, not hard. This is a very weak bug, and I had a lot of angst over whether I should submit this bug or not, because it was trivial to find and likely others would find it as well, if it wasn't killed prior to the contest. But at this time I had two kids and I didn't have lots of time, so maybe I would just get lucky. Despite being the fifth entry to target ICONICS GENESIS64, it was a full winner; it didn't collide with any of the previous attempts. There are more details in the blog post, but there's really not a whole lot more than "code in file, Google, win". Now I later learned that at least two other researchers had the same bug and opted for deeper bugs, but again the point is that even at Pwn2Own there are easy bugs that are accessible to a wide variety of researchers.

Okay, our fourth story starts at Pwn2Own Miami in 2020, where we're targeting the Inductive Automation Ignition SCADA control server. It's just one big Java web app. The main web app listens on port 8088 and there's a Gateway Network port on 86. This is probably the most difficult example in my six stories, so really, how do you start? What code is reasonable? I'm not really a Java guy, so I was starting at the very beginning: web.xml. So I started by looking in the file, Googling what these things called servlets are; they're just classes that handle HTTP requests for different URL patterns. And I started by examining the control and data flow of each one. So here's an example servlet from the web.xml file; you can see it handles the /system/* URL pattern. There's probably a whole bunch of people in the room saying, yeah, this is 101 Java and 101 web apps. Kind of important: the servlet class, the map servlet, handles all the requests on the URL. Okay, so if you start examining the code for the map servlet, you'll find that it registers a number of sub-servlets that handle subpaths on /system. So I started by auditing each one in turn looking for suspect code, and the gateway servlet is first, and it also sounds kind of interesting. Posts to /system/gateway are handled by the gateway doPost method, and it expects some XML describing a message. Going through each message type, we find that message type 199 allows for a type of RPC function. The RPC functions are subclasses of the abstract gateway function, and most of them require authentication by being part of a valid session. So the default implementation defines this isSessionRequired method, and the default is to return true, so it has to be authenticated. Now there's a number of interestingly named functions that require a valid session, things like module invoke, call espro, run query. I love things like security functions; script invoke is my favorite, because you can execute supplied Python code, but you have to be authenticated, so that's not so great. However, not all of these gateway functions required authentication. This particular gateway function called "G diff" does not require any authentication, so isSessionRequired returns false, and the function takes in a string called effective project base64. I have no idea what this means, but it passes it to this method called base64 decode to object fragile. Now I really like seeing things like that: "fragile", thanks, developers, for giving me a hint. And if you follow that you'll find that eventually they create an ObjectInputStream and do a readObject. This is a deserialization of the data provided in the string, so again this is a classic Java deserialization vulnerability. I used ysoserial again to build a payload, because they used an old version of Apache Commons, and then I posted the payload base64 in proper XML format to /system/gateway, and it's a winner. Now this was a partial win at Pwn2Own, because another research team had this bug and they got to go first. They have a really nice write-up on this if you want more details, but this was not a particularly hard bug to find. Again, if all you knew about Java was that deserialization of untrusted data is bad, this was doable. Beginning to end, this bug took me about eight hours to find.

Okay, next. Inductive Automation Ignition was back at Pwn2Own Miami in 2022, and this time I decided to learn how session authentication works. Remember, if authenticated we can win with the script invoke gateway function and I can just execute Python code. Okay, so I started digging into the authentication, and what we find is, when we create an authenticated session it generates a session ID. The session ID gets put into a hash map of sessions. When I remove a session, all it is is a removal from the sessions hash map, and if I want to know if a particular ID is authenticated, it just does a lookup in the session hash. So how are these session IDs generated? Lots of gobbledygook on here; it doesn't really matter. The main thing is that it pulls bytes from a random number generator. There's a little bit of math on there, but it's all deterministic math, so it doesn't really matter. So we have to ask, how is this random number generator initialized? We find that at server startup the init random function gets called; there's a seed based on the current time in milliseconds of the system, and then the random number generator is seeded with the seed based on the current time in milliseconds. Now I am not a cryptographer, but what I do know is that seeding a random number generator with the system time is not usually a good idea. So my idea was: I can brute-force the session ID of a logged-in user, then get RCE with the authenticated script invoke function. And then I failed miserably. My brain started telling me that's no good, as it requires a user to log in, and that won't be allowed under the rules. A few months later there's an advisory that comes out, followed by a blog post, saying that the Ignition server is vulnerable to authentication bypass due to a poorly seeded random number generator. And it turns out a simple email to the Pwn2Own organizers would have confirmed this as a valid scenario under the contest rules. So if in doubt, send an email. I felt it was stupid.

For our final story we fast forward about a year later, when I noticed an interesting post on Twitter: CVE-2023, Inductive Automation Ignition Java serialization codec deserialization RCE. And then there's a ZDI advisory saying about the same thing, that this Java serialization codec deserialization of untrusted data is remote code execution. So I started flipping through my notes from the prior year, and I found this page in my notes. I've got highlighted at the top this WebSocket control service where data comes in, and I got the control and data flow path all the way down to Java serialization codec decode, with the infamous star saying "this is really good". I even talk about deserializing the server message header. So I've got the beginning of this to the very end, and so the question is, what went wrong? I honestly have no idea, and this is a really frustrating part about this failure. I took no more notes beyond this one page that highlights attacker-controlled data coming in all the way to a winning bug at the end. I have no PoC whatsoever, no attempt to prove or disprove that this was a good bug. Got nothing. So I guess the moral of the story is, write better notes. You should always document your work, always PoC if you have something, because you just never know; it could be a winning bug.

So why should you try Pwn2Own? I hope at this point you believe that Pwn2Own is a good learning opportunity and something you should consider doing. I think it is a lot of fun. There's a wide variety of targets, and a wide range of skills and approaches can be successful. I think even students can be successful at Pwn2Own. Not all these targets are hard; if you've done one or two CTFs, you are ready to try some of these targets. You get paid, that's always fun. You can also build your reputation and resume. I think that one of the most important aspects of Pwn2Own, though, is that opportunity for feedback from others. If you go honestly after one of these targets, whether you succeed or fail, you can learn from the successes of others, and it can improve your processes and the way you do your work. Okay, thank you. I hope you enjoyed this talk. Thanks to ZDI for hosting Pwn2Own, thanks to L3Harris Trenchant and Oak Ridge National Lab for supporting me and participating. Last, thanks to BSides ABQ for hosting this wonderful event, and I'll take questions. [Applause]
[Audience question] I know nothing about Pwn2Own, so is it individuals or groups?

[Answer] Great question. Nothing is required for entry: there's no barrier, no degrees, no certifications needed, nothing. You can participate in teams. There's a lot of individual participants, but plenty of people will team up with two or three. I think there's been teams as large as five or six in some cases.

All right, thank you. Thank you so much.
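The fifth story (session IDs drawn from a random number generator seeded with the server start time in milliseconds, kept in a map that is consulted on every request) as an added example, not code from the talk or from Inductive Automation: a toy store with that design, the review check that shows why the ID space collapses to the clock uncertainty window, and the CSPRNG alternative. Class and function names, and the startup timestamp, are constructed for the example.

```python
"""Clock-seeded session IDs: the weakness behind the fifth story, in a toy server.

Added example, not code from the talk or from the vendor. Mirrors the design the
talk describes: a PRNG seeded with the startup clock hands out session IDs, which
live in a plain map that is looked up on every request.
"""
import random
import secrets


class ClockSeededSessionStore:
    """Toy server with the weak design: a deterministic PRNG seeded once at startup."""

    def __init__(self, start_ms: int) -> None:
        # The only entropy is the startup clock; every ID after that is deterministic.
        self._rng = random.Random(start_ms)
        self.sessions = {}  # session_id -> user, as in the talk

    def login(self, user: str) -> str:
        sid = self._rng.getrandbits(64).to_bytes(8, "big").hex()
        self.sessions[sid] = user
        return sid

    def is_authenticated(self, sid: str) -> bool:
        return sid in self.sessions  # a plain map lookup, nothing else


class CsprngSessionStore(ClockSeededSessionStore):
    """The fix: IDs from the OS CSPRNG, so the start time plays no role at all."""

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)  # 128 bits, independent of startup time
        self.sessions[sid] = user
        return sid


def candidate_first_ids(approx_start_ms: int, uncertainty_ms: int) -> set:
    """Review check: every first session ID the weak store could issue if it started
    within +/- uncertainty_ms of approx_start_ms. The size of this set, not 2**64,
    is the real search space, which is the audit finding to report."""
    ids = set()
    for seed in range(approx_start_ms - uncertainty_ms, approx_start_ms + uncertainty_ms + 1):
        ids.add(random.Random(seed).getrandbits(64).to_bytes(8, "big").hex())
    return ids


def id_is_predictable(store, approx_start_ms: int, uncertainty_ms: int) -> bool:
    """True when the store's first issued ID falls inside the candidate set."""
    first = store.login("operator")
    return first in candidate_first_ids(approx_start_ms, uncertainty_ms)


if __name__ == "__main__":
    START = 1_700_000_000_000  # constructed startup timestamp in milliseconds
    print("clock-seeded predictable:", id_is_predictable(ClockSeededSessionStore(START), START + 250, 1000))
    print("CSPRNG predictable:      ", id_is_predictable(CsprngSessionStore(START), START + 250, 1000))
```

Even a one-second uncertainty about the start time leaves only 2001 candidate IDs for the weak store, while the CSPRNG variant never appears in the set.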