Appsec DC - wXf -2010

With the 'rise of containers' comes also the rise of container platforms. And while Docker is the way to do things for now, Podman has also been gaining traction as the new kid on the block especially after being somewhat embraced by RedHat and Fedora. Being new also comes with lack of heavy scrutiny and audit on the security side of things. Once you start integrating other protocols and pieces that compliment each other, such as Varlink, boundaries become fuzzy. Rather than focus on container breakouts, which are also very important, we'll focus on how Podman and Varlink interoperate and the authentication and security implications as such. We'll look at the remote API capabilities, secure configurations and how certain setups and projects out there by default can be vulnerable to compromise. By the end of the talk, we will have discussed various bugs, issues and hardening techniques around deploying Podman and Varlink together and if you don't know a lot about containers, you'll learn a bit along the way.

Adventures with Podman and Varlink

Jeremy Brown

"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent. In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges. In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent. Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources. The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.

20+ ways to bypass your mac os privacy mechanisms

The Travelling Pentester: Diaries of the Shortest Path to Compromise

Slides of the talk I gave at BlackHat Europe and DeepSec 2015. Continuous Integration (CI) tools provide an excellent attack surface due to the no/poor security controls, distributed build management capability, and level of access/privileges in an enterprise. This talk looks at the CI tools from an attacker's perspective and to use them as portals for getting a foothold and lateral movement. We will see how to execute attacks like command and script execution, credentials stealing, privilege escalation to not only compromise the build process but the underlying operating system and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.

All Things Open 2017: How to Treat a Network as a Container

Rosemary Wang

Defcon - Veil-Pillage

VeilFramework

WMI for Penetration Testers - Arcticcon 2017

Alexander Polce Leary

Continuous intrusion: Why CI tools are an attacker’s best friends

Nikhil Mittal

Scaling and securing node.js apps

Maciej Lasyk

In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.

Exploiting XPC in AntiVirus

How to convince a malware to avoid us

Catch Me If You Can: PowerShell Red vs Blue

I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grants various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links. When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source. In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it. Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.

Power on, Powershell

Roo7break

Mitigating Exploits Using Apple's Endpoint Security

BH Arsenal '14 TurboTalk: The Veil-framework

VeilFramework

Getting root with benign app store apps vsecurityfest

I hunt sys admins 2.0

What's hot (20)

SANS DFIR Prague: PowerShell & WMI

Oded Coster - Stack Overflow behind the scenes - how it's made - Codemotion M...

Csp and http headers

Building an Empire with PowerShell

Adventures with Podman and Varlink

20+ ways to bypass your mac os privacy mechanisms

The Travelling Pentester: Diaries of the Shortest Path to Compromise

All Things Open 2017: How to Treat a Network as a Container

Defcon - Veil-Pillage

WMI for Penetration Testers - Arcticcon 2017

Continuous intrusion: Why CI tools are an attacker’s best friends

Scaling and securing node.js apps

Exploiting XPC in AntiVirus

How to convince a malware to avoid us

Catch Me If You Can: PowerShell Red vs Blue

Power on, Powershell

Mitigating Exploits Using Apple's Endpoint Security

BH Arsenal '14 TurboTalk: The Veil-framework

Getting root with benign app store apps vsecurityfest

I hunt sys admins 2.0

Viewers also liked

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Top Security Challenges Facing Credit Unions Today

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Lares from LOW to PWNED

MSF Auxiliary Modules

A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets; Red, Blue, and Purple and the talk will hopefully bring value to anyone working in their respective bucket or assist in their creation/continuing of purple teaming at their company.

Going Purple : From full time breaker to part time fixer: 1 year later

Brucon 2016 The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us.

Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...

Home Arcade setup (NoVA Hackers)

ColdFusion for Penetration Testers

Sector 2016 Chris Gates & Haydn Johnson Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...

In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure. Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.

LasCon 2014 DevOoops

Docker is an open-source project to easily create lightweight, portable, self-sufficient containers from any application. The same container that a developer builds and tests on a laptop can run at scale, in production, on VMs, bare metal, OpenStack clusters, public clouds and more. In this demo, I will show how to build a Apache image from a Dockerfile and deploy a PHP application which is present in an external folder using custom configuration files.

Viewers also liked (11)

hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2

Top Security Challenges Facing Credit Unions Today

Dirty Little Secrets They Didn't Teach You In Pentest Class v2

Lares from LOW to PWNED

MSF Auxiliary Modules

Going Purple : From full time breaker to part time fixer: 1 year later

Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...

Home Arcade setup (NoVA Hackers)

ColdFusion for Penetration Testers

Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...

LasCon 2014 DevOoops

Similar to Appsec DC - wXf -2010

Apache Flex and the imperfect Web

masuland

Shell vs. Java: Overcoming the Challenges of Shell Scripting for UNIX Install...

Flexera

Docker - Demo on PHP Application deployment

Arun prasath

Machine learning in cybersecutiry

Vishwas N

2012-03-15 What's New at Red Hat

Shawn Wells

Introduction to Java: History, Versioning, The Java Virtual Machine, Byte code, Writing simple java program, Language Components: Primitive Data Types, Comments, Keywords, literals, The break Statement, The continue Statement, Operators – Casts and Conversions, Arrays. Introduction to classes and methods, constructors, Passing Objects to Methods, Method Overloading, Static and final, The this Reference, finalize, inner and nested classes. Inheriting class, extends, member access and inheritance, super keyword, Object class. Dynamic method dispatch, method overriding, abstract class, interface, packages, import statement

Java 2 computer science.pptx

MUHAMMED MASHAHIL PUKKUNNUMMAL

There are certain use cases where JavaScript is not performant enough. But fortunately, JavaScript is no longer the only language that runs in the browser. WebAssembly (Wasm) is a technology that can revolutionize how we build apps for the web browser. Take the example of eBay. Just last year, the online marketplace revealed how it improved the performance of a demanding web app by 50x using WebAssembly. In certain use cases where performance demands are high, WebAssembly surpasses JavaScript in terms of loading time, execution speed, memory usage, debugging, portability and more. Using WebAssembly with Rust, especially for backend development, is even better as it is memory safe and ships with an extremely minimal runtime. This webinar introduces you to the concept of WebAssembly and the Rust programming language along with a hands-on example of using both these technologies in practice.

First Step towards WebAssembly with Rust

Knoldus Inc.

WebAssembly with Rust

Knoldus Inc.

Malware analysis

xabean

Front end frameworks

Madushan Sandaruwan

Making clouds: turning opennebula into a product

Carlo Daffara

Making Clouds: Turning OpenNebula into a Product

NETWAYS

What does it takes to bring innovations like private clouds to small and medium enterprises? In the course of this talk we will present our experience in creating a self-service toolkit for creating a complete virtualization and cloud platform based on OpenNebula, as well as our experience gathered in tens of installations of all sizes. From scalable storage (with benchmarks!) to autonomic optimization, we will present what in our view is needed to bring private clouds to everyone, what components and additions we created to better solve our customers’ problems (from replacing industrial control systems to medium scale virtual desktop infrastructures), and why OpenNebula has been chosen over other competing cloud toolkits. Bio: Carlo Daffara the Technical director of Cloudweavers, and formerly head of research and development at Conecta, a consulting firm specializing in open source systems and distributed computing; Italian member of the European Working Group on Libre Software and co-coordinator of the working group on SMEs of the EU ICT task force on competitiveness. Since 1999, works as evaluator for IST programme submissions in the field of component-based software engineering, GRIDs and international cooperation. Coordinator of the open source platforms technical area of the IEEE technical committee on scalable computing, co-chair of the SIENA EU cloud initiative roadmap editorial board and part of the editorial review board of the International Journal of Open Source Software & Processes (IJOSSP).

OpenNebulaConf 2013 - Making Clouds: Turning OpenNebula into a Product by Car...

OpenNebula Project

Shake Hooves With BeEF - OWASP AppSec APAC 2012

Christian Frichot

Nodejs

Bhushan Patil

Igalia Focus and Goals 2020 (2019 WebKit Contributors Meeting)

Igalia

Docker 101

Kevin Nord

WebAssembly with Rust

Knoldus Inc.

Maven is now established as the de facto standard build tool for Java web applications. But what if the application makes extensive use of modern client-side technologies like AngularJS or Ember framework, CSS processors like SASS/LESS, Bower package manager, what if we need to compress and minify JavaScript and CSS files? In that case it makes sense to have a dedicated build infrastructure for the client. Enter Grunt.js, a build tool specifically made for the client side. In this BOF, we will explore combining the use of Maven for the server side with Grunt.js for the client.

Extending Build to the Client: A Maven User's Guide to Grunt.js

Petr Jiricka

Using MySQL Containers

Matt Lord

Similar to Appsec DC - wXf -2010 (20)

Apache Flex and the imperfect Web

Shell vs. Java: Overcoming the Challenges of Shell Scripting for UNIX Install...

Docker - Demo on PHP Application deployment

Machine learning in cybersecutiry

2012-03-15 What's New at Red Hat

Java 2 computer science.pptx

First Step towards WebAssembly with Rust

WebAssembly with Rust

Malware analysis

Front end frameworks

Making clouds: turning opennebula into a product

Making Clouds: Turning OpenNebula into a Product

OpenNebulaConf 2013 - Making Clouds: Turning OpenNebula into a Product by Car...

Shake Hooves With BeEF - OWASP AppSec APAC 2012

Nodejs

Igalia Focus and Goals 2020 (2019 WebKit Contributors Meeting)

Docker 101

WebAssembly with Rust

Extending Build to the Client: A Maven User's Guide to Grunt.js

Using MySQL Containers

More from Chris Gates

Reiki 101 - Defcon29 MHHV

Contrary to most presentations and blog posts there is more to AWS than S3. In a quest to create more re-usable code we have created WeirdAAL (AWS Attack Library). Offensively, WeirdAAL helps you answer the “what can I do with this AWS key”? We aim to answer that question, in a blackbox way, via recon modules and modules specifically dedicated to attack each of the interesting AWS service offerings while avoiding detection. It also provides multiple functions sorted by AWS service that you can use for both offensive and defensive checks.

WeirdAAL (Awesome Attack Library) CactusCon 2018

WeirdAAL (AWS Attack Library)

PENETRATION TESTING FROM A HOT TUB TIME MACHINE

The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk, we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us. This is an update to our 2016 Brucon talk. We plan to discuss what have we accomplished regarding the above in the last year. We plan to show how we have progressed with the automation of attacker activities and event generation using MITRE’s Cyber Analytics Repository & CAR Exploration Tool (CARET) along with pumping these results to Unfetter (https://iadgov.github.io/unfetter/) for aggregation and display in a useful format.

Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017

Open Source Information Gathering Brucon Edition

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

This presentation focuses on pentesting high security environments, new ways of identifying/bypassing common security mechanisms, owning the domain, staying persistent, and ex-filtrating critical data from the network without being detected. The term Advanced Persistent Threat (APT) has caused quite a stir in the IT Security field, but few pentesters actually utilize APT techniques and tactics in their pentests.

Big Bang Theory: The Evolution of Pentesting High Security Environments

SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf

Hacking Oracle Web Applications With Metasploit

Attacking Oracle with the Metasploit Framework

Client-Side Penetration Testing Presentation