
Firstly, thank you everyone for attending. I highly appreciate your presence, and I'm confident that by the end of this presentation you'll gain some more insights on the main topic of this presentation, which will cover zero-days, their impact, and the implications for the vendor of that product. The outline of the presentation will be as follows: it will start with a short biography of the presenter, then we are going to talk about what zero-days are and how a zero-day can become an N-day, and then we are going to talk about how to choose your target when hunting for zero-days and how to build your methodology when hunting for them. Then we're going to discuss if a specific vulnerability can be exploited in the wild, which is the key point that will determine the impact of the vulnerability and the potential implications for that product. Then we're going to dive into the proper reporting for these kinds of vulnerabilities, and lastly I'm going to share some of the CVEs that the Sentry team has identified.

Starting with a short biography: I am Aranit G., a managing security consultant at Sentry, and on a daily basis I'm responsible for breaking stuff, and this kind of stuff includes web applications, APIs, mobile applications and infrastructures, external ones, internal ones and cloud ones. Apart from the technical part, I also lead a team of security consultants, where my main duty and responsibility is the professional growth of my team. I've been part of Sentry for more than three years now, and throughout this time I've had the opportunity to contribute as an instructor at Cyber Academy. Some of my certification achievements include the ones issued by Cyber Academy, and they are CACP, CAC and CACI. In my free time I enjoy offensive security research, swimming and some heavy metal music, especially if that's some Lamb of God. Prior to kicking into details: every piece of information shared throughout this presentation is meant to serve for educational purposes only, and the presenter will not take any kind of accountability or responsibility for any misuse of this information.

Starting off with zero-days: zero-days are security vulnerabilities, but these kinds of vulnerabilities are more unique than the ones that are not zero-days, due to the potential impact that they might have if such an attack were to happen. The term zero-day stands for the zero day of defense towards that vulnerability, meaning that the vendor or the developer had zero days of remediation towards that vulnerability. To be more familiar with zero-days we have to understand three terminologies, and they are the zero-day vulnerability, the zero-day exploit and the zero-day attack. With zero-day vulnerability we mean the actual flaw, or the piece of code, that makes the application vulnerable, whereas the zero-day exploit is another piece of code that takes advantage of the vulnerability, and with a zero-day attack we mean the actual cyber attack that utilizes the exploit in order to exploit the actual flaw. In order to conduct a zero-day attack, attackers must have a target, and you might wonder who can be a target of zero-days, and that includes literally everyone, including us, including individuals of high interest, military organizations, government agencies, organizations, NGOs and so on.

In most of the cases when we hear about zero-days we mean some critical vulnerability, which in most of the cases is an RCE. But what if this RCE gets exposed in the public? It means that that zero-day is not a zero-day anymore, and that vulnerability becomes an N-day. The key difference between zero-days and N-days is shared through this meme: the difference is that N-days have an available patch, and the N in N-days stands for the number of days since that vulnerability has been addressed. One of the potential risks that N-days can have is that if you don't update your device, everyone who has that specific N-day exploit can still take advantage of that vulnerability, and you can still get exploited.

In the next slide we're going to talk about how you can choose your target. Frankly speaking, prior to choosing the target you have to be very, very honest with yourself, and you have to be aware of your own skill set, and if you don't have the sufficient skill set, brace yourself to learn and then start hunting for zero-days. After you build this skill set, you first have to research the industry, whether that industry is the financial industry, or file sharing, or collaboration platforms and so on. After you identify the industry, which in our case is collaboration platforms, you have to research the providers: what kind of providers offer that solution. In the next step you have to be careful what you pick, and you don't want to be a vanilla ice cream, and by that I mean choosing the default product that every other researcher attempts to find vulnerabilities in. This is important because you have to identify a specific product that is adopted a lot in the wild, but yet not a lot of people have heard of it. One of the bonus points that I also take care to look at is if that application is complex, and the reason why I care if that application is complex is due to the functionalities that that application might offer; if an application offers more functionalities, it means that the attack surface can grow way, way larger. And of course, if that application has the source code available, it has a bonus point in my eyes.

One of the applications that had all of these checks back at the time when me and my team were conducting a research was Nextcloud. Nextcloud is an application that is open source, and it also serves as a file sharing platform and a collaboration platform. Back at the time, while me and my team were researching this application, we took a look at the security advisories that were published back then, the existing vulnerabilities, and back at the time Nextcloud didn't have critical or high issues such as RCE for more than two or three years. And what could be the potential impact if an RCE could occur in Nextcloud? I mean, who would care if an RCE exists in Nextcloud? Which is the key point that would determine the real impact of high and critical issues.

Then the next step, what you want to do is build your own methodology, and of course you have to trust the process. Don't attempt to find the default vulnerabilities or some low-hanging fruits, because they can be automated, and how I automate them is by using my personalized Nuclei templates: I run Nuclei with the default and my personalized templates and then start hunting for low-hanging fruits if they can occur, but I don't focus my research on hunting for low-hanging fruits. What I also try to do is to be persistent on one application and try to find the undocumented stuff in that application, and if none of this is working, you have to go back to the roots. But what if, let's say, you find a cool vulnerability whose impact is high, but not as high as the scale? I mean, what do you want to do then? In the next step maybe you want to consider introducing yourself to complex exploit chains, and with complex exploit chains we mean chaining two or three vulnerabilities together to perform one action, which is exactly what we did back at the time in Nextcloud. One of the cases where you can think of complex exploit chains is the browser exploit: I mean, what if you have a sort of code execution in the browser, but that code execution remains in the sandbox system of the browser? It means that you have to chain it with another vulnerability to escape its sandbox, to write an arbitrary file, and then to achieve code execution.

With complex exploit chains, me and my team were successful in identifying this CVE, and using this vulnerability we were able to induce our Nextcloud instance to send arbitrary HTTP requests to an arbitrary server. This was possible by manipulating this parameter here, which was the URL, and then what Nextcloud tried to do was try to load this file, which is the file name parameter, try to load this file within the instance. What me and my team tried to do back at the time was set up a web server and then try to identify whether that application is communicating with us, and it ended up that the application was vulnerable to server-side request forgery. But this SSRF was not your typical SSRF that allows you to extract AWS metadata or maybe access locally hosted interfaces on port 8080, because this vulnerability was an account takeover, and how we did account takeover is by setting up a fake WebDAV interface in our locally hosted web server and then inducing the application to send an arbitrary HTTP request to us. But to perform that we had to bypass the URL validation in Nextcloud, which was successful, and then we got an account takeover where the application sent the administrative credentials through the basic Authorization header.

Next, what me and my team did back at the time was investigate more on Nextcloud. I mean, yeah, we had an account takeover, and it's a cool vulnerability, but it's not critical yet; even though it didn't require any sort of user interaction, it was still a high severity vulnerability. So what we decided to do was conduct some more research, until we inspected this specific HTTP request, and what this HTTP request did was to call an arbitrary HTTP class which is used to perform an action. But to perform the action there has to be a check, or a condition, and the condition that was specified was: check, when a file gets created, if that file name is rc.txt, and if it is not rc.txt perform an action that uses this style command, then analyze the style written within this file and then append the output to another file. What me and my team did was create a legit condition, and then in the operation parameter we induced the Nextcloud instance to execute the curl command, and as the query parameter execute the id command and send the output back to our server, which was a code execution vulnerability. Although this vulnerability was an RCE, it was still not high enough, and the reason why it was not high enough is because the vulnerability required administrative permissions. Hence we had to do some more research and then chain this vulnerability with another attack vector, so that we can induce this sort of vulnerability to be exploitable by the least privileged user in Nextcloud instances. The beauty of it is that numerous Nextcloud instances have default registration, which means it's still sort of a zero-click RCE and a zero-click account takeover.

Two vulnerabilities, and cool vulnerabilities, but who cares? To determine it, me and the team had to do some more research to determine whether these vulnerabilities can be exploited in the wild. To determine it, firstly we used Shodan, which is a search engine, and in Shodan we identified around 6,000 Nextcloud instances, which means these Nextcloud instances were vulnerable to account takeover and were vulnerable to code execution. We also used the Google Hacking Database, also known as Google Dorking, and by using that we identified many, many more Nextcloud instances, and each one of them was vulnerable to code execution. The most precious client of Nextcloud was Deutsche Telekom, which was identified by researching the blog posts of Nextcloud, and then we came to this article where they were presenting their collaboration to offer a product. These vulnerabilities were so high and so critical that the German media was reporting on them, which directly indicated that these vulnerabilities are cool and these vulnerabilities could be exploited in the wild.

The next step, of course: we have to report these vulnerabilities. I've seen a lot of reports, write-ups, bug bounty reports, and I've seen the default mistakes that security researchers make, and the default mistake is that security researchers try to describe the whole vulnerability in one title, as in "the vulnerability can be one-click account takeover through XSS in query parameter". I mean, if the parent vulnerability is XSS, you have to name that vulnerability XSS, and in the next section you have to describe the issue and what induces the issue, as in a short summary, to help the client understand their issue. Then in the impact you have to demonstrate what you did and what could be achieved by carrying out this specific attack, and in this section it is highly important not to pretend and not to assume. What I mean with pretend or assume: you cannot go like, "hey, I have an XSS and I can perform account takeover". I mean, did you try to do the account takeover? If you didn't try, maybe you have to craft a JavaScript code that carries out this specific action, and if that didn't happen, I mean, why do you have to assume or make it such a big deal? "Hey, there's an XSS and attackers could do this and that." Did you do that? If not, try to do that. And of course you have to provide remediation assistance to the client, and be as helpful as you can, and use professional wording and avoid the hackish words.

Then these are some of the achievements of team Sentry, where these two vulnerabilities that I've just presented were identified by me, Aranit, and Den, and we also have two more CVEs being published; they are still in the process of remediation, so we cannot disclose them yet, and they are yet cooler vulnerabilities than these two that I've just presented. Then we have Adriatic Roi, who is a lead software engineer at Sentry, and Adriatic had a very cool vulnerability in Safari that allowed him to perform a denial of service on each iPhone, which means that it was a zero-day until Adriatic reported that. Adriatic also has another CVE which is still reserved, and Apple is still in the process of remediation, so we cannot disclose it yet. Then we have two more sort of zero-days identified by Den, and these two vulnerabilities are yet in Nextcloud. So I think that was it from me. Do you have any questions or any concerns? So that was it.
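The account-takeover SSRF described in the talk hinged on two things on the server side: a URL validation that could be bypassed, and the application then attaching its own stored credentials to a request toward whatever host the URL named. As an added example, which is not code from the talk or from the Nextcloud project, here is what a defensive check for a "fetch this URL for me" feature looks like when it judges the host by every address it actually resolves to rather than by how the hostname is spelled. The function names, the sample DNS table and the hostnames in it are constructed for this example.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Address ranges a server-side fetch should never reach: loopback, RFC 1918,
# link-local (where cloud metadata services such as 169.254.169.254 live),
# CGNAT, multicast, reserved, and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA answer the OS resolver returns for host (raises gaierror)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS answers so the example runs offline; none of these are real hosts.
# "2130706433" is listed because libc resolvers accept that decimal spelling of
# 127.0.0.1, which is exactly why the *resolved* address must be what gets checked.
SAMPLE_DNS: Dict[str, List[str]] = {
    "files.example.org": ["203.0.113.10"],
    "meta.example.org": ["169.254.169.254"],
    "dual.example.org": ["203.0.113.10", "10.0.0.5"],
    "2130706433": ["127.0.0.1"],
}


def sample_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver, backed by SAMPLE_DNS."""
    try:
        return SAMPLE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"{host}: not in sample table")


def _is_blocked(ip) -> bool:
    # ::ffff:127.0.0.1 is loopback dressed as IPv6; compare its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str, resolver: Resolver = system_resolver,
                       allowed_ports: Tuple[int, ...] = (80, 443)) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied URL the server would fetch.
    Only plain http(s) to a public address on an allowed port passes, and the
    host is judged by every address it resolves to, not by how it is written."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in allowed_ports:
        return False, f"port {port} not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 address
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:  # a single private answer rejects the whole name
        if _is_blocked(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://files.example.org/share/x", "http://meta.example.org/latest/",
              "http://2130706433/", "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        print(u, "->", check_outbound_url(u, sample_resolver))
```

The check resolves the name once, so the HTTP client must connect to the address that was checked (or re-run the check on every connection); otherwise a DNS answer that changes between check and connect can slip a private address through, and any redirect target has to pass the same check before it is followed. Independently of where the request goes, the instance's own stored credentials should never be attached to a request toward a user-supplied host, which is what turned the SSRF in the talk into an account takeover.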