What are Volga CTF 2020 memorable for?
This year, 23 teams reached the Volga CTF final, 10 of which, due to the prevailing epidemiological situation, participated online. There were many foreign teams, including from Austria, Portugal, Canada, Taiwan, Tunisia, Italy and Germany. It is not the first time that some teams have taken part in these competitions and have been to Russia on a full-time tour.
AT first day the official opening of the competition took place, followed by reports of information security experts. Vladimir Kononovich shared how, through reverse engineering, he managed to get the source code of the once most popular data packer for Amiga home computers – PowerPacker Cruncher. His main task was to get the C code by converting it from assembler. The speaker talked about the most difficult cases that arose during the work, considered the nuances of loops and variable renaming in C in comparison with assembler, and also emphasized the complexity of reverse without using Ghidra with its decompilers.
Ilya Tsaturov told how the GraphQL query language works, why it is better than the Rest API, and how its misuse in a web application can create many bugs and vulnerabilities. The speaker listed options for specific attacks such as Information Disclosure, Broken Access Control, DoS and Batching Attack, and how to avoid them. And if the names of the first three options speak for themselves, then I personally heard about Batching Attack for the first time. As it turned out, this is a type of attacks related to the Batching Queries feature, thanks to which the system can combine into an array several requests that have come in a short period of time from one user, which, under certain circumstances, makes it possible to arrange a kind of brute force.
Nikolay Anisenya and Maxim Kostikov shared their experience in analyzing the security of banking applications, told how banks protect users’ money and personal data, and how attackers can bypass this protection. Participants of the event also learned about authentication bugs from the speakers’ report. For example, with two-factor authentication, you can iterate over SMS codes even if you limit the number of login attempts from one IP address, simply by changing it on the server side. Several logical vulnerabilities were also named, including the vulnerability to DoS attacks and the race condition (the ability to perform several identical transactions using multiple requests). The speakers also mentioned attacks on the client side of mobile applications (for example, bypassing PIN blocking using brute force or disabling part of the interface, which is especially important for Android devices) and talked about why banking data leaks are so important.
Further Nikita Stupin in his speech, he analyzed in detail how you can test IoT devices with minimal knowledge of binary applications and hardware, and apply your skills by participating in the Bug Bounty program. He also touched on the topic of radio hacking, telling what you can do with interfaces that work via Wi-Fi or Bluetooth. For example, every device marketed in America has an FCC ID that can be used to find out what frequencies it operates on. The speaker focused on the use of Bluetooth, since on the device he was considering as a daemon that launched Wi-Fi, there was an open source hostapd, the search for vulnerabilities in which was complicated by the existence of the OSS-Fuzz repository.
“I have already looked at everything – webcam, wireless networks … Only binary applications remained. And I wanted to fuzz “– said Nikita Stupin.
For the purpose of fuzzing, the speaker chose a proprietary UDP daemon that worked on a proprietary protocol, which was a bit unusual, since they usually fuzz something open source, where there is source code and what accepts a file as input.
“All this led me to the fact that instead of the DBI (Dynamic Binary Instrumentation) technique, I looked towards Radamsa and started fuzzing, as they did in the 90s or even earlier, that is, it was Black Box Fuzzing.”…
Fragment of the presentation
Fuzzing did not bring the desired results, but after analyzing the logs, a line was found, which eventually led to the discovery of a logical vulnerability at the authentication input.
Further, the listeners, together with Denis Makrushin online pondered what would happen if services and automated security controls were vulnerable and were used for an attack. The speaker talked about using GitHub to find workarounds for connecting to commercial cybersecurity solutions (for example, Checkmarx), but did not forget about open source projects. Denis showed how open source can change the attack surface, and gave examples of vulnerabilities found when analyzing such software. As one of the objects for research, he chose Flower – an open source dashboard for managing queues in Python scripts. The latter can store valuable data in RAM and buffer it. When analyzing this tool, the presenter found the only field where any data could be entered, and even this field contained a vulnerability.
After that, the speaker commented on the steps by which you can prevent the potential leakage of your intellectual property through partners or those who work with the target product.
Fragment of the presentation
The next day on the program was Anatol Prisacaru aka shark0der… In the online format, the speaker talked about the vulnerabilities in Ethereum smart contracts, arbitrage bots, proactive attacks, and touched on the topic of flash loans.
After the break Innokenty Sennovsky told how modern fuzzers implementations differ from vanilla AFL. The listeners got acquainted with the terms AFLFast, MOpt, Entropic and learned how they affect fuzzing, and what to use if they figured out how to improve fuzzing, but they don’t really want to rewrite AFL.
The final speech was the report Anton Kutepova and Ilyasa Ochkova… The speakers told (and showed a little) how open source projects can effectively detect attacks based on data from various log files. The stack used is ELK, Sigma rules, Atomic Threat Coverage, Sysmon, auditd. For me personally, as an operator of the first line of incident response, this report was closest to professional topics.
Throughout second day the lecture block continued. Speakers first Zen and Tuo considered the actual and not very controllers, briefly described the ways of interacting with them and considered the main ways of their reverse.
Thereafter Egor Valov told what is often forgotten when building protection in an organization, and how it turns out, and Sergey Belov described several cases from the life of forensics and pentesters, and also voiced the most common mistakes and pitfalls when designing web services:
- using JWT (JSON Web Tokens) for authorization sessions instead of good old cookies;
- refusal to use addresses purposefully allocated for authorization;
- using the imagemagick library without a sandbox;
- lack of domain isolation for user content;
- starting sessions with a one-time token (for example, coming by e-mail);
- excessive use of cryptography (for example, writing your own algorithms);
- using server-2-server connections with real users;
- use of passwords (according to the speaker, the future belongs to services that use one-time authentication codes, for example, a QR code in WhatsApp or one-time links, as in Medium).
Ramadan aka r0hack DeteAct talked about how to choose a program for Bug Hunting, where to start studying it, and also described effective ways to find bugs and a couple of interesting cases.
Further Lan told how to choose the right antenna or design it yourself. Together with the participants, he calculated and designed a simple antenna, tuned and tested it, and also compared its characteristics with a branded antenna purchased.
After a short break, an online lecture was delivered by a professor from Belgium Tom van goethem… He talked about a new type of transient attacks that use bundling of packets over network protocols and simultaneous processing of requests by applications.
Later he took over the online baton Dan Demeter… He showed you some interesting tricks you can use with Yara, and explained how malware samples can be classified, and how they can improve the threat search process.
Alexander Barabanov provided an overview and comparative analysis of architectural approaches used to implement authentication and authorization in applications with microservice architecture. In particular, he considered typical approaches to the implementation of interservice authentication, forwarding the context of an external subject, and authorization in the microserver code.
Third day was completely dedicated to the competition. There were some minor technical problems, but the participants bravely endured it and maintained their fighting spirit. The competition was held in the Attack-Defense format: throughout the day, teams used all their skills to attack other people’s services and protect their own.
The last one fourth, the day the official closing ceremony took place, as well as the awarding of the winners and prize-winners.
I would like to note that this format of events is a good opportunity for beginners, students and novice specialists to get closer to the information security industry. To take part in lectures on current topics, learn about cases from the practice of experienced information security specialists and ask them your questions – all this could be done for several days and in one place. Such events help children who are just at the beginning of their journey to see the prospects for development in the field of information security. As a beginner specialist, I would like such events to be held as often as possible.
Author: Maria Volgina, specialist of the information security incident handling group of the Center for monitoring and responding to information security incidents Jet CSIRT, Jet Infosystems
