NULLCON Goa - Chapter 2022 | First Experience

If you are in the cybersecurity world by any means, you have probably heard of the NULLCON conference, which usually takes place in March. Due to COVID, it was held in person on September 9th and 10th, 2022, after a gap of two years. Since it was my first NULLCON, I was very excited to hear the words and stories of elite researchers from around the world. In this post, I will give just a brief overview of the talks that were held. Later on, I will write more posts on each talk I attended personally.

The event has different tracks and talks for people with different interests.

  • CXO Track
  • Technical Track
  • iOS & macOS Security Track
  • BountyCraft Track
  • Developer Track
  • WINJA Track
  • Workshop & Villages
  • AMMO Track

The event started with great excitement and a huge crowd of professionals and learners from different parts of the world. The conference opened at 9:15 with opening notes and a keynote by Dr.-Ing. Mario Heiderich. I started late due to a personal arrangement issue and missed some wonderful talks. One talk I missed, which I got to know about from my colleagues, was Hack The Bridge by Anto Joseph. His talk was about blockchain and smart contracts, and how bridges in blockchain are exploited in the real world. There were more amazing talks and a CTF being run at the same time.

I attended the first talk, by Mohan Sri Rama Krishna, on Pwning popular apps while uncovering new attack surface on Electron. He explained how popular apps like Discord and Element were vulnerable to attack (now patched) due to misconfiguration, or how the application's update cycle can lead to a critical bug. After that, it was lunch break.

After lunch, I tried to get into the talk Peeling back the onion: Taking Security Onion into battle, but as bad luck would have it, the hall was already full. Since I missed that talk, I started looking into the challenges being organized by different organizers and sponsors, who were giving away goodies if you participated in and solved their CTFs and challenges. They were offering many goodies. Since it was my first conference and my first day, I was trying to make sense of the things around me and participated only in simple and familiar challenges. In the evening, I attended two more talks:

  • Mind the Gap: The Linux Ecosystem Kernel Patch Gap - introduced a tool, kernel-patchalyzer, to identify common vulnerabilities in kernel source code and patch them.
  • Software Defined Snort with Barnyard and PulledPork for NIDPS.

After that, I got to meet some fantastic minds at the afterparty. I had some chit-chat with them, and the day ended with rain but a fantastic party by NULLCON.

On day two, since I now knew the place and the schedule, I quickly moved to the Grand Hyatt for the first talk of the day, by Tamir Zahavi-Brunner, on How the Android TrustZone can be elevated to achieve a powerful kernel exploit. As soon as this ended, I headed toward a workshop on Red Teaming, but that room was already packed, so I had to drop the workshop and wait for another talk.

So the next talk I attended was Hacking 5G is no rocket science, by Altaf Shaik & Matteo Strada, where they explained how the next generation of attacks will be simpler to execute and will expose more attack surface over 5G networks. Earlier attacks targeted individual users of the network, but the upcoming attacks will be more vendor-specific and will expose users in bulk. It will be simple to attack the upcoming network generation because, to link any IoT device, the distributor intentionally exposes APIs to manage SIM details (which include operations like changing the master key and deleting the SIM itself). Not only are they exposing these critical operations, but also the user's Personal Information (P.I.).

After lunch, I was very interested in attending another talk, by Rony Das, on Hacking Android Foreground Services: Escalation of Privileges, since I have some context on Android internals. Here he uncovered a zero-day on Android 10 and below: how the very short window between startForegroundService() and stopForegroundService() can be used to access hardware-specific functionality (like GPS location, sound recording, etc.) without the user even knowing it.

As this talk ended, I took a break from the talks and headed to the game room for some refreshment, and also because I was not familiar with the context of the next talks going on.

The last day was about to end in two and a half hours, so I didn't want to miss the remaining talks. The other two talks were:

  • Pushing Security Left by Mutating Byte Code, by Gaurav Goggia - where he introduced his research work, a new programming language called Mutant, whose main feature is that the statements stored in the source code are encrypted and decrypted on the fly in the processor, which can help hide secrets (like AWS tokens or any secret API key) stored in the application binary itself.

  • And the last one was Unearthing Malicious open-source packages using code provenance analysis, by Ashish Bijlani and Devdut Patnaik. They introduced a tool named packj that can identify a malicious package. Malicious actors abuse the trust placed in open source by modifying an existing package (account takeover) or creating a similar-looking package (typosquatting), which users install without verifying, leaving the applications that depend on them vulnerable. They also offer a SaaS platform that uncovers further stats and features the packj command-line tool does not provide: https://packj.dev/
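As an added example of the typosquatting problem the talk addressed (this is not code from the original post, nor from the packj project), here is a small lookalike-name check a defender can run over a dependency name before installing it. It flags names that are a few keystrokes away from a popular package, or that glue a generic affix such as "-python" onto one. The POPULAR_PACKAGES and AFFIXES sets are constructed for the demo; a real deployment would load the top packages from registry download statistics.

```python
"""Lookalike package-name check (added example, not the original post's or packj's code).

Flags dependency names that are a small edit away from a popular package, or
that combine a popular name with a generic affix, two common typosquat shapes.
"""

# Constructed sample of well-known package names (assumption for the demo; a real
# deployment would load the top-N names from the registry).
POPULAR_PACKAGES = {"requests", "urllib3", "numpy", "colors", "lodash",
                    "express", "pyyaml"}

# Generic words that lookalike packages commonly prepend or append to a real name.
AFFIXES = {"python", "py", "js", "node", "lib", "utils", "dev"}


def normalize(name: str) -> str:
    """Fold the case and separators that registries already treat as equivalent
    (PEP 503 normalisation on PyPI), so 'PyYAML' and 'pyyaml' compare equal."""
    return name.strip().lower().replace("_", "-").replace(".", "-")


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment (Damerau-Levenshtein) distance: insertions,
    deletions, substitutions and adjacent transpositions, the four edits that
    keyboard typos and typosquats are built from."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_reason(candidate: str, max_distance: int = 2):
    """Return (popular_name, reason) when `candidate` looks like a lookalike of a
    popular package, or None when it is that package itself or is not close to
    any of them. Both reason strings are fixed so callers can match on them."""
    c = normalize(candidate)
    if c in POPULAR_PACKAGES:
        return None
    # 1) A popular name glued to a generic affix, e.g. "requests-python".
    parts = c.split("-")
    for p in sorted(POPULAR_PACKAGES):
        extra = set(parts) - {p}
        if p in parts and extra and extra <= AFFIXES:
            return (p, "popular name plus affix")
    # 2) A few keystrokes away from a popular name, e.g. "reqeusts".
    best = None
    for p in sorted(POPULAR_PACKAGES):
        dist = edit_distance(c, p)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (p, dist)
    if best:
        return (best[0], "edit distance %d" % best[1])
    return None


if __name__ == "__main__":
    # Constructed sample of names a developer might type into an install command.
    for name in ("requests", "reqeusts", "requests-python", "colorjs", "flask"):
        print("%-16s -> %s" % (name, lookalike_reason(name)))
```

A None result only means the name is not a lookalike of something in the list; it says nothing about whether the package is safe, which is where provenance analysis of the kind packj performs comes in.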

The event ended with closing notes and prize distributions for the two CTFs organized at NULLCON: the Hardwear CTF and the WINJA CTF. The winners of the WINJA CTF can be tracked here: https://ctf.winja.site/scoreboard. The one piece of news that shocked me at the end of the day was that the WINJA CTF is no longer specific to women. To add diversity and make it more challenging, it is open to everyone, from anywhere in the world.

Takeaways

  • Plan ahead of time for any event you want to join, since there are many parallel talks, more than one can be interesting, and some already have a huge rush. Try to get the Program Guide available at the event reception.
  • An incorrect configuration of an Electron app can lead to an RCE-like vulnerability.
  • Kernel patching is quite a complex process, as different vendors maintain different versions and some kernels are hardware-specific, so tools like kernel-patchalyzer help by automating the analysis and patching of vulnerabilities.
  • Attacks on 5G networks will be easier to execute, as they are largely based on the OWASP Top 10 and map onto the telecommunication flavours of the OWASP Top 10.
  • Never install applications from untrusted sources, as they may carry 0-days. Even an application whose manifest only declares the foreground-service permission may lead to a critical breach and expose your P.I.
  • The WINJA CTF now offers diversity; it is no longer specific to women.
  • Malicious users may abuse the trust placed in open source packages (some of the scenarios were colorjs and requests-python) and create malicious alternative packages with similar-sounding names. Tools like packj can reduce this to a great extent.

In the end, this was a great event for meeting old friends, connecting with elite talent, and learning and sharing knowledge.

Credits

  • NullCon for the Cover Image