RomHack Conference

RomHack Conference 2024 Agenda

Sat, 28 Sept 2024 in Rome, Italy

RomHack 2024 opening and closing

Carola Frediani, Gerardo Di Giacomo and Cyber Saiyan

Welcome & opening remarks

10:00 – 10:15

Carola Bio

Carola Frediani has written about hacking, surveillance and cybercrime for Italian and foreign publications. She then went on to work as a cybersecurity awareness manager in international organisations. She joined the global security team at Amnesty International and is now an Infosec technologist at Human Rights Watch. She writes the free weekly newsletter Guerre di Rete, which analyses news and stories on cyber and digital rights. The newsletter has since evolved into an independent information project, Guerredirete.it, created together with the association Cyber Saiyan.

Gerardo Bio
Lorenzo Cavallaro

Lorenzo Cavallaro

Trustworthy AI… for Systems Security

[ keynote | ML | malware ]

10:15 – 11:05

No day goes by without reading machine learning (ML) success stories across various application areas. Systems security is no exception, where ML’s tantalizing performance leave one to wonder whether there are any unsolved problems left. However, machine learning has no real clairvoyant abilities and once the magic wears off, we’re left in uncharted territory. Is machine learning truly capable of ensuring systems security? After sharing its foundation, in this talk, Lorenzo will illustrate some of the challenges in the context of adversarial ML evasion attacks against malware classifiers. He’ll first see that the classic formulation is ill-suited for reasoning about how to generate realizable evasive malware. Then, he’ll provide a deep dive into recent work that provides a reformulation of the problem and enables more principled attack designs and defenses. Implications are interesting, as the framework facilitates reasoning around end-to-end attacks that can generate real-world adversarial malware, at scale, that evades both vanilla and hardened classifiers, thus calling for novel defenses. Ultimately, Lorenzo’s aim is to foster a deeper understanding of machine learning’s role in systems security and its potential for future advancements.

Lorenzo Bio

Lorenzo Cavallaro is a Full Professor of Computer Science at University College London (UCL), where he leads the Systems Security Research Lab. He grew up on pizza, spaghetti, and Phrack, and soon developed a passion for underground and academic research. Lorenzo’s research vision is to enhance the effectiveness of machine learning for systems security in adversarial settings. He works with his team to investigate the interplay between program analysis abstractions, representations, and ML models, and their crucial role in creating Trustworthy AI for Systems Security. Lorenzo publishes at and sits on the Program Committee of top-tier conferences in computer security and ML and received the Distinguished Paper Award at USENIX Security 2022. He is Associate Editor of ACM TOPS, IEEE TDSC, and Computer & Security. Lorenzo holds a PhD in Computer Science from the University of Milan and held positions at King’s College London, Royal Holloway University of London, Vrije Universitat Amsterdam, UC Santa Barbara, and Stony Brook University. In addition to his love for food, Lorenzo finds his Flow in science, music, and family.

RomHack 2024 - Sina Kheirkhah

Sina Kheirkhah

Unveiling the Ivanti vulnerability: from discovery to exploitation

11:05 – 11:55

In this presentation Sina will discuss the various vulnerabilities he discovered when auditing an Ivanti enterprise solution and how they were exploited creatively.

Sina Bio

Meet Sina Kheirkhah, widely recognized as @SinSinology in the cybersecurity community. Sina is a dedicated full-time vulnerability researcher with a passion for breaking into various systems. From cracking server-side enterprise solutions to targeting hardware and delving into reverse engineering, Sina’s expertise covers a wide spectrum. He specializes in low-level exploitation, attacking .NET/Java stacks, bypassing security measures, and chaining bugs seamlessly. Notably, Sina has competed in Pwn2Own for three consecutive years, demonstrating his dedication to the field.

RomHack 2024 - Alex Plaskett and McCaulay Hudson

Alex Plaskett & McCaulay Hudson

Revving up: the journey to pwn2own automotive 2024

11:55 – 12:45

In 2024 NCC EDG compromised 3 automotive devices at Pwn2Own Automotive in Tokyo to win $90,000. This talk is about the journey all the way from building and setting up research environments, finding vulnerabilities to developing exploits eligible for the competition.

Throughout this presentation we will describe our process with a deep dive into in-vehicle entertainment systems and an electric vehicle (EV) charger controller (Phoenix Contact CHARX SEC-3100).
We will reveal multiple zero-day vulnerabilities which were used to compromise these devices. EV charging security is currently a hot topic where there is expected to be over 3 million charging stations in Europe at the end of 2024 and continuously expanding.
However, most importantly we will describe our methodology and approach, allowing aspiring bug hunters to understand the trials and tribulations of vulnerability research against automotive targets. This will also allow vendors to see the amount of effort vulnerability researchers take to compromise these devices.

Our talk will include attack surface research and how we priorities finding vulnerable areas. We will also demonstrate tooling we use to speed up and automate the process. We will discuss both hardware and software attacks and the need to first perform hardware attacks to gain an understanding of the target before software only exploits could be developed to obtain remote code execution. For fun we will also demonstrate both a light show on the CHARX device and porting and running DOOM on the Alpine IVI.

Briefly we will discuss our failures and lessons learned, to show that not everything was plain sailing with the research.
Finally, we will wrap up with conclusions and guidance to both automotive manufacturers and prospective hacking competition participants.

Alex Bio

Alex Plaskett (@alexjplaskett) is a security researcher within the Exploit Development Group (EDG) at NCC Group. Alex is a five times Pwn2Own winner (desktop, mobile, embedded, and automotive) and has over 15+ years of experience in vulnerability research and exploitation. Alex has exploited vulnerabilities in a large range of high-profile products across many different areas of security. Alex is a frequent speaker at security conferences (e.g. OffensiveCon, 44CON, Hexacon, HITB, BlueHat, POC, Troopers etc). Alex was previously leading security teams in Fintech, Mobile Security and Security Research) and just generally causing vendors to patch things on a regular basis!

McCaulay Bio

McCaulay Hudson is a Security Researcher in NCC Group’s Exploit Development Group (EDG). He has previously competed in multiple Pwn2Own competitions and has publicly published work on exploiting embedded devices such as consumer routers and the PlayStation 5 console. McCaulay has spoken at HITB AMS previously.

Lunch

12:45 – 14:45

We believe that a long lunch break will give you the opportunity to recharge your batteries in preparation for the afternoon sessions,  meet friends, know our sponsors and your prospects without rushing.

IMPORTANT: It is possible to have a lunch at the bar located inside the venue or at one of the many bar, fast food and restaurant located outside. If you go outside we recommend to reserve in advance.

RomHack 2024 - Adnan Khan

Adnan Khan

The dark side of github actions

14:45 – 15:35

GitHub is the most popular hosting platform for open-source projects. GitHub also offers a CI/CD platform called GitHub Actions, and many projects opt to use GitHub Actions for CI/CD because it is free for open-source projects.

However, there is a dark side to GitHub Actions. Simple misconfigurations can lead to devastating supply chain attacks, and even companies like Microsoft, Nvidia, Puppet Labs, and more cannot get a handle on these issues.
In this talk you’ll learn what these misconfigurations are and how to discover them at scale:

  • Pwn Request and Injection Vulnerabilities
  • Misconfigured Self-Hosted Runners
  • Broken Approval Checks via Time-of-Check-Time-of-Use Issues

You will also learn how an attacker can use an arsenal of pipeline post-exploitation and privilege escalation techniques to achieve their objectives:

  • Post-Compromise Enumeration
  • ‘GITHUB_TOKEN’ Permissions Abuse
  • GitHub Actions Cache Poisoning
  • Bypassing Branch Protections by approving and merging an external pull request.

Finally, Adnan will walk through how he detected such a misconfiguration by a major company, gained control of a GitHub Classic Personal Access Token, and proved out impactful post-exploitation scenarios. To conclude, Adnan will cover defensive controls that you can deploy today that will prevent an attacker from achieving their final objective even if they obtain a privileged access token.

Adnan Bio

Before finding a passion for offensive security, Adnan was a software engineer focused on back-end systems development, this allows him to put on his “developer hat” and find security misconfigurations and vulnerabilities within platforms used by developers. Adnan approaches problems from a first principles perspective, seeking to understand how a system works and then identifying assumptions that developers make that turn into security vulnerabilities. Adnan brings with him a deep understanding of how to exploit GitHub Actions, including Self-Hosted runners, Pwn Requests, Cache Poisoning, and Race conditions. He has spoken at Black Hat USA 24, DEF CON 32, and ShmooCon about GitHub Actions and has reported CI/CD vulnerabilities to some of the largest companies in the world.

RomHack 2024 - Ta-Lun Yen

Ta-Lun Yen

My name is impostor. You are SSL VPN. Prepare to let me surf freely.

15:35 – 16:25

We present a User Impersonation Attack in multiple SSL VPNs, including Cisco, Palo Alto, Fortinet, SonicWall. Our attack allows the attacker to bypass any intended firewall and routing rules and therefore able to explore freely within an SSL VPN-protected network without restrictions, while being connected from the Internet. We dubbed this attack “VPN Gremlin” as if a gremlin has tampered with the intended firewalling and routing rules. We will also present our research behind this vulnerability which includes our analysis and reverse engineering of network firewalling and routing mechanisms of popular SSL VPNs.

Our findings stemmed from our research focused on multiple major SSL VPN implementations, as vendors has saw rapid expansion during the rise of need of teleworking, yet it’s another example of “security through obscurity” as breach incidents around SSL VPN gateways are unusual. We, however, are also astonished by the fact that we can demonstrate our attack using the same method on four different vendors.
We intend to shed light again by diving into implementation of routing and firewall rules on different vendors, from firmware extraction to reverse engineering of its networking stack and will demonstrate our methodology of fuzzing its VPN tunneling implementations. We will also demonstrate our (to-be open-sourced) tools for testing multiple SSL VPN tunneling protocols.

Ta-Lun Bio

Sr. Vulnerability Researcher at TXOne Networks with interest in compromising everything that runs on 1 and 0’s. Focused in embedded system security, protocol analysis and reverse engineering. Long-time member of Taiwanese hacker group ‘UCCU Hacker’. Presented various high-impacting topics at numerous International conferences such as Black Hat, CODE BLUE, hardwear.io

RomHack 2024 - Eric Woodruff

Eric Woodruff

UnOAuthorized: The discovered path to privilege elevation to Global Administrator

16:25 – 17:15

For customers of Microsoft 365 and Azure, obtaining the role of Global Administrator (GA) is every attacker’s dream – it is the Domain Administrator of the cloud. This makes Global Administrator every organization’s nightmare of being owned by a threat group or hacker. Luckily, well-defined role-based access control and a strict application consent model can severely limit who gets their fingers on Global Administrator – or does it?

This talk explores a novel discovery that resulted in privilege elevation to Global Administrator in Entra ID (Azure AD), found in a place and through a way least expected. Part conversation about the research background, part discussion of the foundational components involved, this talk will walk step-by-step through the path to privilege elevation and obtaining Global Administrator. While Microsoft has resolved the underlying vulnerability, we will also cover the markers organizations can look for to determine if they were targeted by this abuse.

Eric Bio

Throughout his 24-year career in the IT field, Eric has sought out and held a diverse range of roles, including technical manager in the public sector, Sr. Premier Field Engineer at Microsoft, and Security and Identity Architect in the Microsoft Partner ecosystem. Currently he is a Senior Security Researcher working as part of the Security Research team at Semperis. Eric is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem. Outside of work, Eric supports the professional community, providing his insights and expertise at conferences, participating on the IDPro Body of Knowledge committee, and blogging about Entra and related cloud security topics.

RomHack 2024 - Andy Nguien

Andy Nguyen

PlayStation 4 Remote Kernel Exploitation

17:15 – 18:05

This talk is about successful exploitation of kernel vulnerabilities in a network protocol on the PlayStation 4 which is based on FreeBSD. Andy will show how internals of the IPv6 protocol can be abused to achieve an information leak and to redirect control flow to get RCE with kernel privileges on the console.

Andy Bio

Andy is a console security researcher

RomHack 2024 opening and closing

Carola Frediani, Gerardo Di Giacomo and Cyber Saiyan

Closing remarks

18:05 – 18:15

Beer

After-Party

Starting at 19:00

Circolo Tennis EUR (10 minutes by walk)