Our technology, work processes, and activities all are depend based on Operation Systems to be safe and secure. Join us virtually for our upcoming "The Hacking Games - Operation System Vulnerabilities" Meetup to learn how hacker can compromise Operation System, bypass AntiVirus protection layer and exploiting Linux eBPF.

1. Join Us:
https://www.linkedin.com
/company/application-
security-virtual-meetups
QR Link:

2. Enso.security
The Code OS
IDE Risks
The developer’s attack surface
Omer Yaron
Research

3. Enso.security
● Head of Research at Enso.security
● Securing scale cloud-computing and serverless environments.
● Former Incident response and digital forensics @ Israel National Cyber Directorate
● Former Mentor for Israel's national cyber education program
Omer Yaron

4. Enso.security
Agenda
What is an IDE ?
Developers and supply chain attacks
Research of IDE extensions/plugins
Findings
Takeaways

5. Enso.security
IDE
Integrated Development Environment
Why and how

6. Integrated Development Environment
Microsoft - VScode JetBrains - IntelliJ IDEA
An integrated development environment (IDE) is a software application that provides
comprehensive facilities to computer programmers for software development. An IDE
normally consists of at least a source code editor, build automation tools and a debugger.
From wikipedia

7. Enso.security
Developers and supply
chain attacks

8. Supply chain and malicious packages
Google Trends
Dependency Confusion
Feb 2021
ESLint-scope incident
Jul 2018
Log4shell
Dec 2021
Some Context:
Biden’s executive order
May 2021
And more…

9. Enso.security
Research of IDE
extensions/plugins

10. What we wanted to check?
● Can we use supply chain malicious packages attacks for IDE plugins?
○ Can anonymous users publish packages?
○ Are name-squatting attacks possible?
○ Star-Jacking?
○ Download counter manipulation?
○ Indication of validity?

11. Enso.security
Findings
Can you guess?

12. VScode - Create
https://code.visualstudio.com/api/get-started/your-first-extension

13. VScode - Publish
https://code.visualstudio.com/api/working-with-extensions/publishing-extension

14. VScode

15. VScode

16. VScode - add credibility

17. VScode - add credibility - Star-Jacking

18. VScode - Verified package?
https://code.visualstudio.com/api/working-with-extensions/publishing-extension

19. VScode - Verified package?

20. VScode - Last thing - counter?

21. VScode - Last thing - counter?

22. VScode - Last thing - Install counter?

23. IntelliJ
https://plugins.jetbrains.com/docs/intellij/plugin-github-template.html

24. IntelliJ - what more?
https://plugins.jetbrains.com/docs/marketplace/custom-pages.html

25. IntelliJ - what more?

26. Enso.security
Takeaways
What did we learn?

27. Code is a vast and constantly changing resource
● IDEs are a potential threat!
● Developers awareness to this threat, and tools to assess extension’s security are lacking
● Code repositories hold crucial security relevant data
● It is easy, free and anonymous to publish publicly available extensions/plugins
● Follow up - hunt for malicious extensions/plugins
Takeaways
Original Blog Post

28. Thank You
Questions?

29. Some extra time? (CVE-2022-30129)
reference: https://blog.sonarsource.com/securing-developer-tools-argument-injection-in-
vscode
Deep links allow for code execution:
vscode:// - vscode-insiders://

30. Malware Analysis - Red Team Edition
Uriel Kosayev - @MalFuzzer

31. Think like Fluid Water, not like a Rigid Rock
Think and operate like a criminal
Help security grow and become better

32. To learn Malware Analysis!

33. root@caliber/# Uriel Kosayev
Book Author
Founder of MalwareAnalysis.co
Red Team Tech Leader
Malware Researcher
YouTuber, Blogger & Lecturer
Twitter Handle: @MalFuzzer

34. But before the show begins!

35. What is Malware Analysis?

36. The art of analyzing and
research of malicious software
behavior and patterns.

37. Static Analysis
Automated Analysis
Dynamic Analysis
Reverse Engineering
Harder

38. What is Red Teaming?

39. Red Teaming is not about achieving DA!
Red Teaming is about simulating Real-World threats!

40. The purpose of Red Teams is to provide a real-world picture of business-related threats
Act like the adversary based on accurate TI of threat actors targeting your business
Simulate potential threat actors' TTPs as accurate as possible
To help the organization grow its security posture

41. A Red Teamer must have an adversarial mindset

42. But mom always told us to stay away from bad guys…
Oh so sweet! ☺

44. Now behold the real power of Red Teaming!

45. Cobalt Strike!

46. So why not doing things like this?!

47. Malware Analysis + Red Teaming == 0x4C6F7665
(Love)

48. Now don’t get me wrong!

49. Both Malware Analysis and Red Teaming are not about
the tools one is using, but the ability to research and
understand technical and abstract concepts

50. So why does Malware Analysis need to concern Red Teamers?

51. Because the bad guys do!

52. Threat actors evolve by learning and leveraging the craft
and TTPs by researching malware samples in the wild.
So why Red Teamers cannot do so?!

53. The Malware Development Life-Cycle (MDLC)

54. Malware
Development
Tests and
QA
Malware
Defense
Bypass
Techniques
Offline
AV/EDR
Testing
IoC
Collection
and
Removal
Operational
Use and TI
Feed

55. You do not have to develop your malware from zero
Learn from real world malware samples and incidents

56. DarkSide Ransomware Seek & Hide
Runtime Code Decryption & Dynamic API Resolve

57. No functions in the IAT!

59. Packed/Encrypted PE Sections

61. Runtime Unpacking/Decryption

63. Dynamic API Resolve

65. And Voila!
Runtime built IAT for you

67. Bypass Techniques Implementation
Rename Obfuscation & Memory Bombing

68. Let’s take a simple Reverse Shell

71. Look for IoCs in the compiled malware

73. Rename/Obfuscate variables and strings

76. Validate IoC Removal

78. BOMB the memory!

80. And now for the Detection Test Results!

81. Before Rename Obfuscation & Memory Bombing

83. After Rename Obfuscation & Memory Bombing

85. Some important tips for success

86. Always understand your tools and malware
Go as deep as possible, you will be surprised as what you will learn
Learn Malware Analysis to understand and think like a blue teamer
Research malware to gain deeper knowledge and inspirations
Follow the MDLC model, malware development is like any other SDLC process
Be curious, passionate, and innovative
And take some break in between!

87. Cooperation!

88. Threat
Intelligence
Red Team
Adversary
Simulation

89. Adversary
Simulation
Blue
Team
Better
Security &
Monitoring

90. Think like Fluid Water, not like a Rigid Rock
Think and operate like a criminal
Help security grow and become better

91. Malware Analysis Tools and More!
https://MalwareAnalysis.co

92. Thank you!

93. PAGE
Matan Liber, Research Team Lead @ Pentera
93
The Good, Bad and
Compromisable Aspects
of Linux eBPF

94. PAGE
About me:
• 25 years old
• Served in a classified unit in the IDF, specializing in malware analysis,
reverse engineering and incident response
• Worked at Pentera for 2 years (current Team Lead)
• Areas of research: Vulnerability hunting and exploitation, codeql,
linux lateral movement.
94

95. PAGE
AMA
Feel free to ask questions!
I’ll be sure to answer them at the end of the presentation.
95

96. PAGE
What is eBPF?
• Technology for operating systems that allows
programs to analyze network traffic
• Provides a raw interface to data link layers
(i.e. Layer 2 connectivity), allowing a user space
process to supply a filter program specifying
which packets it wants to receive
96
LINUX KERNEL
Process
write() read()
File Descriptor
VFS
Block Device
Storage
Syscall
sendmsg() recvmsg()
Sockets
TCP/IP
Network Device
Network
Syscall
Process
eBPF
eBPF
eBPF
eBPF eBPF
eBPF

97. PAGE
What is eBPF?
97
11
REGISTERS
BYTES STACK
x86
ASSEMBLY-LIKE
INSTRUCTIONS
512

98. PAGE
eBPF Attack Surface
98
A malicious payload with
kernel mode privileges
basically compromises
the entire system!
Allows a user mode
process to supply a
program which will run with
kernel mode privileges

99. PAGE
eBPF verifier
Prevents the user provided program from acting maliciously
• Pointer bounds checking
• Verifies that the stack’s reads are preceded by stack writes
• Disallowing writing of pointers to the stack
• And much more…
99

100. PAGE
CVE-2022-23222
• eBPF has several types of pointers, some of which have the phrase
`OR_NULL` in their names used for operations that may yield null
• Pointer arithmetic should not be allowed for this type of pointers
• Due to improper type checking, pointer arithmetic is allowed for some
of these types
• Can lead to Privilege Escalation
100

101. PAGE
BPF Maps
What are Maps used for?
101
Memory Layout:
• Program state
• Program coniguration
• Share data between programs
• Share state, metrics and statics with user space
Map Types
 Hash tables, Arrays
 LRU (Least Recently Used)
 Ring Buffer
 Stack Trace
 LPM (Longest Prefix match)
MAP Struct (Metadata) Map Value (Data)
Controller
Syscall
Admin
Syscall
BPF
Map
LINUX
KERNEL
sendmsg() recvmsg()
Sockets
TCP/IP
Network Device
Syscall
</> Process
eBPF
eBPF

102. PAGE
Exploitation
• Historically exploited using BPF maps underflow
• Map struct members overwrite can lead to local privilege escalation
102
Map Struct Map Value

103. PAGE
Exploitation - Step 1
• Bypass the verifier – make some sort of action that is supposed to be prohibited
• Using a series of carefully crafted instructions, we can achieve a state in which
the register holds the value X, but the verifier believes the value is 1
103

104. PAGE
How can we use it
to our advantage?
104

105. PAGE
Exploitation - Ideal Scheme
• R0 = Map value pointer
• R1 = Invalid register holding X (verifier thinks it’s 0)
• R0= R0-R1
• Store data at R0
105
Map Struct Map Value

106. PAGE
Exploitation - Verifier
• R0 = Map value pointer
• R1 = Invalid register holding X (verifier thinks it’s 0)
• R0= R0-R1
• Store data at R0
106
ALU sanitation renders the subtraction obsolete. (R0 = R0-0)

107. PAGE
Exploitation - Step 2
• We need to find a way to achieve some kind of overflow/underflow
that the verifier does not intervene with
• No pointer arithmetics!
107

108. PAGE
Exploitation - Step 2 – BPF Helpers
108
• Random numbers
• Get current time
• Map access
• Get process/cgroup context
• Manipulate network packets and forwarding
What helpers exist?
LINUX
KERNEL
sendmsg() recvmsg()
Sockets
TCP/IP
Network Device
Syscall
</> Process
eBPF
eBPF
• Access socket data
• Perform tail call
• Access process stack
• Access syscall arguments

109. PAGE
Exploitation - Step 2 – BPF Helpers
• bpf_skb_load_bytes(skb, len, to)
• Used to read data from packet into memory
• Using to as a pointer to a map and with out invalid register as len value we can
write to it
109

110. PAGE
Exploitation - Verifier
• The verifier would normally block us if we try to write out of bounds
110

111. PAGE
• Using our pointer from step 1, which holds the value X but the verifier thinks is
1, we can trick the verifier into thinking we are still In bounds.
• We have successfully achieved out-of-bound read and write!
Exploitation - Step 2
111
Map Struct Map Value
Memory
Beyond Map

112. PAGE
How can we use it
to our advantage?
112

113. PAGE
Exploitation
But what we wanted was:
113
Map Struct Map Value

114. PAGE
Exploitation
• What if we could get the following layout:
114
Map Struct Map Value Map Struct Map Value

115. PAGE
Exploitation
• We want to allocate two maps that would reside one after the other
• Allocation order is random – we are not guaranteed that the maps
will be allocated contiguously
115
Map Struct Map Value Map Struct Map Value
…
…

116. PAGE
Exploitation – step 3
• We can control map values
• Keep allocating maps and assign each map a unique value
116
Map Struct Map Struct
… … … …
Value A
Map
Value B
Map

117. PAGE
Exploitation – step 3
• Now read out of bounds from our maps
• Most likely at the start we won’t find anything interesting
117
Map Struct Map Struct
… … … …
Value A
Map
Value B
Map

118. PAGE
Exploitation – step 3
• But after allocating enough maps we can be certain we have two contiguous
maps by encountering one of our generated values at an expected offset
118
Map
Struct
… …
Value B
Map
Map
Struct
Value C
Map
Map
Struct
Value A
Map

119. PAGE
Exploitation – step 3
• Finally, we can use our out of bound write to use the tried-and-true map
structure overwrite technique for LPE
• Linux Kernel Privilege Escalation Via Improper EBPF Program Verification –
Manfred Paul
119
Map
Struct
… …
Value B
Map
Map
Struct
Value C
Map
Map
Struct
Value A
Map

120. About Me

121. PAGE
Conclusion
• Went from a relatively small bug to full blown LPE
• New technique to achieve map structure overwrite using map value overflows
121

123. • Thank You!
• Questions?
• To be continued…
Join Us:
https://www.linkedin.com/company/ap
plication-security-virtual-meetups