    Martin Doyhenard - Internal Server Error: Exploiting Inter-Process Communication with new desynchronization primitives



    Martin Doyhenard, Security Researcher at Onapsis

    Presentation Title: Internal Server Error: Exploiting Inter-Process Communication with new desynchronization primitives
    Length of presentation: 45 minutes
    Demo, Tool, Exploit

    In this talk I will show how to reverse engineer a proprietary HTTP server in order to leverage memory corruption vulnerabilities using high-level HTTP protocol exploitation techniques. To do so, I will present two critical vulnerabilities, CVE-2022-22536 and CVE-2022-22532, which were found in SAP's proprietary HTTP server and could be used by a remote unauthenticated attacker to compromise any SAP installation in the world.

    First, I will explain how to escalate an error in the request handling process to desynchronize data buffers and hijack every user’s account with Advanced Response Smuggling. Furthermore, as the primitives of this vulnerability do not rely on header-parsing errors, I will show a new technique to persist the attack using the first Desync botnet in history. This attack will prove to be effective even in an “impossible to exploit” scenario: without a proxy!

    Next, I will examine a Use-After-Free in the shared memory used for Inter-Process Communication. By exploiting the incorrect deallocation, I will show how to tamper with messages belonging to other TCP connections and take control of all responses using Cache Poisoning and Response Splitting theory.

    Finally, as the affected buffers could also contain IPC control data, I will explain how to corrupt memory address pointers and end up obtaining RCE.


    SPEAKER BIO:

    Martin is a security researcher at the Onapsis Research Labs. His work includes performing security assessments on SAP and Oracle products and detecting vulnerabilities in ERP systems. His research is focused on web stack security, reverse engineering and binary analysis, and he is also an active CTF player.

    Martin has spoken at different conferences including DEFCON, RSA, HITB and EkoParty, and presented multiple critical vulnerabilities.
    Twitter: @tincho_508

    REFERENCES:

    RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
    https://tools.ietf.org/html/rfc2616

    RFC 7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
    https://tools.ietf.org/html/rfc7231

    Response Smuggling: Pwning HTTP/1.1 Connections (DEF CON)
    https://media.defcon.org/DEF%20CON%2...onnections.pdf

    James Kettle: HTTP Desync Attacks: Request Smuggling Reborn (PortSwigger Research)
    https://portswigger.net/research/htt...uggling-reborn

    Dennis Andriesse: Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly (No Starch Press)

    Daniel P. Bovet: Understanding the Linux Kernel (O'Reilly)

