Talks

The State Of the Art in R2Land

pancake

radare2 is an almost 14-year-old open-source project focused on providing tools for several tasks related to reverse engineering. Initially designed for forensics, it quickly evolved into a disassembler and debugger to solve crackmes and to help with exploiting and bug finding as well.

The author of this tool is nowadays the project leader as well as the main developer and maintainer (which is me), and keeps introducing new features every day at a pace no other project can match, with the help of a very active and vibrant community that makes the whole ecosystem a perfect place for learning, improving your skills, or solving your daily needs at work or at home. (Yes, you can order pizzas with it.)

This talk will present the tool with a quick overview of the project history and show several powerful features and capabilities, describing the current state of the project with its strengths and weaknesses.

@trufae
Bio

Sergi Àlvarez i Capilla (also known as pancake) is the author of radare2 and many other open-source tools, like 0xFFFF, a flasher for the Nokia internet tablets. He is interested in UNIX systems, free software, programming languages and low-level stuff.

He is currently working at NowSecure as a Mobile Security Analyst in the R&D team, writing tools to automate the analysis of mobile apps. In the past he has worked as a sysadmin, package maintainer, forensic analyst and firmware developer, done Bluetooth hacking, written audio codec optimizations for ARM and MIPS, and ported software to SPARC, Solaris and GNU/Hurd.

Reverse RDP Attack - Pwning RDP Clients

Eyal Itkin

A pentester's main goal is to move inside the network, gaining privileges on the way until the ultimate goal is reached: full control of the corporate network. Would you believe me if I told you there is a shortcut? That one can simply wait in place, ambushing a privileged user, until he unknowingly lets us take over his account / computer? And the answer is simple: Remote Desktop Protocol (RDP).

In this talk, we demonstrate exactly how we did it. We show the numerous vulnerabilities we found in the popular open source RDP clients, and thereafter move on to the main target: Mstsc.exe. Together we take a deep dive into the main synchronized resource between the client and the server, the Clipboard. At the end of our journey we will see the inherent design problem in this synchronization. Chained together with an additional vulnerability, we will show a live demo of how we took over the computer of the unsuspecting Mstsc.exe user.

But wait, there is more. Given the initial vendor response of "doesn't meet the bar for servicing", we dug in a bit deeper and found a target that no one will be able to ignore this time: Hyper-V.

@EyalItkin
Bio

Eyal Itkin is a vulnerability researcher in the Malware and Vulnerability Research group at Check Point Software Technologies.
Eyal has an extensive background in security research, which includes years of experience in embedded network devices and protocols, bug bounties from all popular interpreted languages, and an award by Microsoft for his CFG enhancement white paper. When not breaking I2P or FAX, he loves bouldering, swimming, and thinking about the next target for his research.

Can You Escape This?

Nimrod Stoler

In this session we will attempt to mimic some of the escapes performed by the Great Houdini, an American magician noted for his sensational escape acts, this time from a real, live container website: Play-with-Docker, the Docker training website, using novel, never-before-attempted escape techniques.

@n1mr0d5
Bio

Nimrod Stoler is a security researcher at CyberArk Labs where he focuses on researching the latest attack techniques and applying lessons learned to improve cyber defenses. Nimrod's primary research areas are network defense, DevOps analysis and security and Linux containers. Prior to CyberArk, Nimrod served in several high-technology roles doing research and development of software and hardware.

Nimrod holds an LLB in law and BA in economics.