All right, looks like we're live. So, thank you all for joining us this morning. I have Peleg Hadar and Tomer Bar, who are going to be here talking about their research into the Stuxnet printing vulnerabilities that they found are still around, you know, ten years later. But to start things off, we have two first-time speakers, and as is our tradition at DEF CON, we shot the noobs, and so I'd like to invite you all to join me in a shot, folks. Here's to your talk.

Thank you. Cheers.

All right, great. So we actually have a first question on the line. It said: can you please explain more about the fuzzing process when finding corruption in the SHD files?

Yeah, sure. So actually it was pretty interesting, because we didn't want to use some, I don't know, already existing tool. We wanted to do something on our own. So after we understood the SHD processing, the SPL processing and all this stuff, we just wanted to do the most naive thing. We just wrote our own Python script, which takes an already existing SHD file which works, and we just mutated it one byte at a time, and we used zero to FF on each byte, and we didn't do anything that was, you know, dependent on each byte; we just did it each byte at a time. Afterwards we just dropped all the SHD files and we wanted to make sure it's working, and we understood that there's some kind of a limit in the service, that it won't process more than 256 files at a time. So we just modified the spooler service, we just patched it, and we replaced the check with NOPs, of course, and then we just kicked off a kind of a spooler which was modified, and it just worked. Then it took 20 minutes. It processed all of the SHD files and it crashed. So it was critical. We don't intend to release the Python script, but maybe we will; we need to discuss it.
Yeah, I was pretty impressed with the ability, or what you guys did, in sort of walking through the entire, for lack of a better term, kill chain of the Stuxnet. I mean, how much of studying that original code do you think influenced your discovery of these remaining vulnerabilities?

Yeah, I think it was pretty much. We started to look at it. We thought that, okay, it's ten years after Stuxnet, a lot of very strong researchers already researched it, what are the chances that we will find anything new? But we came with a lot of motivation, and after seeing that the first patch was not fully patched and can be re-exploited, and the second patch and the third patch, so we understood that we are onto something, and furthered the research. And after 20 minutes of fuzzing to get your first crash, and it's not usual, hope that we'll find.

Well, great. We have another question from the audience, who said: was the SHD crash exploitable?

So, a good question. From what we've seen, it wasn't exploitable; it was only one byte which was controllable, and it was pretty odd. I mean, we're pretty sure it wasn't exploitable. But we really invite everyone to try and maybe to understand whether it's exploitable or not, and if it is exploitable, so tweet about it, and you can mention me. It'll be very interesting, because, as we mentioned, Microsoft didn't fix it. So it might be more interesting, and maybe if you'll find something you can report it to Microsoft as well. So, good luck. Actually, we see a lot of people, other researchers, that haven't been in the spooler, and now we see a lot of research about the spooler. We hope we'll contribute.

Well, I see another question. Yeah, so the other vulns, were they found by fuzzing or code review?

So actually, good question.
So after we started fuzzing and we had our first crash, we were intrigued enough in order to move to manual source code auditing and manual binary auditing, so it was done completely manually, 100%. And we just looked at the code and we understood how the mechanism works and what kind of use cases we can, you know, challenge the mechanism with, and we just found it manually, which was pretty cool. Basically, we, I know, I think somewhere as well, we use less fuzzing. We generally do more manual code auditing. But I think, you know, you can find interesting bugs using fuzzing and using manual code auditing. If you use both, it will be probably the best.

Yeah, so you mentioned Microsoft's decision not to patch that SHD one. Did you, I mean, do you think that they were justified in their logic on that, or would you have liked to see it patched?

Well, I think that they have a very clear security boundary and servicing criteria on MSRC. I don't want to say whether I think it's right or not, but all I can say is that they mentioned that a local denial of service is not, you know, it's not past the servicing criteria. Therefore, it won't be fixed. Maybe they will decide to fix it if it will be used in order to abuse or something, but I respect their decision.

Yeah, totally agree, and maybe other endpoints.

Just so, you mentioned the, oh god, so when I was watching the video, I noticed that when it came to the last half vulnerability, you kind of gave a very pregnant pause there, you know, no vulnerability yet. And is that more because you guys are expecting one to come out, or have a theory that there's one out that just hasn't been released in the wild? Like, there was a big emphasis on that.

And we don't have anything up our sleeve, and we don't know about anything, and of course if we will know, we will report it to Microsoft. But all we said is, you know, you have two paths which were exploited, and you have this third one which might be exploitable.
We don't know about anything; we know as much as you know. But I don't know, maybe we will find that Microsoft has patched it in the future. But nothing concrete.

Right, so we actually have another question on the line. It said: after your experience on this, what would you say to researchers attempting to replicate the same vulnerabilities on Siemens microcontrollers matching those in Iran?

So, you want to take it? So, can you repeat the question?

Yeah, it said: after your experience, what would you say to researchers attempting to replicate the same vulnerabilities on Siemens microcontrollers matching those in Iran?

Actually, this is what the focus of our research... I think that our research is basically focused on the propagation part of the spooler service specifically, and the spooler service on Windows, Microsoft's, not on the hardware or anything else, just anything before the Windows OS. It's a huge, you know, it's a huge domain, Stuxnet, and we have so many aspects to look at; we focused on the Windows part. And we don't know if the fact that we found the vulnerability in the same domain in the Windows part will, you know, just say that if you do the same in the Siemens PLC it will be the same. But I think it is an interesting part, that if you want to go into it, just share it with the community. I think it will be interesting enough for people to come and see. So maybe we'll see you in that context answering this question.

Yeah, something tells me if anyone actually has a 0-day up their sleeve for Siemens microcontrollers, they're probably not presenting that at DEF CON, but...

Right, so you talked about the spooler, or you demonstrated how the spooler was exploited by a local user to get the escalation. It seemed like you were hinting that this might still be a remote capability as well. Did you find that or not?
No, actually we only focused on the local part, vector, and we haven't found a way to bypass the patch, the original patch.

Great. So it looks like we've got another question coming in, but, so yeah, we're all waiting for typing to be done. But, so, you know, earlier you talked about walking through the Stuxnet process and sort of finding which vulnerability still existed. So your original intent was to recreate that and look for residual, or was it actually to look at, you know, what vulnerabilities by themselves may be still available?

So we had a... the first version was if building Stuxnet 2.0 is possible. Of course, allegedly. When we started to look at the components, and we saw that, for our luck, the community lacked discovery of the equivalent abilities that were found in the last decade. Allegedly the Stuxnet 2.0, where this goes to Microsoft in a safe manner, and but if Evil Corp, that will manage to do it by themselves, single actor, and allegedly could build equivalent capabilities. So we asked ourselves, okay, what else is missing? And the only missing part was the Windows vulnerability. So we thought it would be a very interesting research, and it was, so we started to dig in and found out.

Next question we have in chat is: what do you think about the state of variant analysis in the Windows platform?

What do you mean by variant analysis?

So, have a follow-up there. And, all right, so the next one was: were there any unused methods found by you in Stuxnet's code revealing any possible planned future attack?

Yeah, we didn't, I mean, we didn't look at Stuxnet's code, or, you know, we just focused on the vulnerabilities that were used by Stuxnet in the propagation part.
We didn't dive into Stuxnet's code.

So, clarification on that last question. When it comes to variant analysis, they were speaking to, like, analysis of existing vulnerabilities to find variants.

Okay, I think, if I got it correctly, I think that the state is, I mean, it's very interesting, because I know that once someone finds a pretty common bug class, a lot of other researchers are diving into it and find a lot. I mean, if you can take a look at MSRC, each month obviously releasing a bulletin, a patch, and I think that the very common vulnerability classes, of course, are elevation of privilege, which is caused by logic bugs. I think that you can see a lot, and I think that the trend got started, I don't know if officially, but this is what I know, with James Forshaw, who just, you know, took a look at all the file system privilege issues and released a lot of tools that help other researchers to take a look at it, and then people just found a lot of variants. And so I think that it is definitely a pretty discussed topic. And I know that I will keep on and take a look if the bug still exists. If that answered your question.

Yeah, if I may add, that's why we started to develop our driver, a mitigation driver that is not focused on a specific variant, but looks at the root cause of the entire arbitrary-file-write bug class, right? So I believe that if there will be future exploits of this bug class, this driver, which is also only a PoC, not production ready, so may catch some and detect some new exploits. It will be interesting to see if any vendor adopts the idea and implements it in their own product.

Yeah, I'm glad you mentioned the driver.
I was pretty impressed with, you know, your publication of that and the analysis of those universal write, you know, locations. I mean, it seems like that's something that could be fixed in policy as well. Do you see, you know, what do you see as the advantage of using the driver approach you did over just an ACL or a policy or something?

I mean, it can be fixed by policy, right? I mean, we wanted to demonstrate this solution. It's not like we are saying that it's, you know, a hundred percent sealed and there are no vulnerabilities that can bypass it. But we do think it was a pretty good way to demonstrate it. I think that the use of a minifilter driver is good because obviously you catch the IRPs and the I/O requests pretty low and you can just block it and cancel it. And I don't know what kind of, you know, whitelisting or, you know, policy you will use; obviously the vendor can just implement it by using his own mini kernel driver, minifilter driver, but I think it's a pretty good demonstration.

So we talked about this a little before the call started. I think the most comical thing I saw in your presentation was that you all managed somehow to get the leet tag on your CVE. Was that something that you actually timed, or was it just a happy coincidence that Microsoft labeled you guys leet with their CVE-2020-1337?

It wasn't a happy coincidence. It was the happiest coincidence. I mean, we didn't organize anything. We didn't ask for it. We just got it. Thank you to [inaudible] from MSRC who assigned it.
It's an awesome CVE number, and I think everyone wanted to get it. So maybe next year one more time.

I think I have all the big questions, so I'm just going to throw this one out even after the other one. You know, in your talk you focused a bit about how the last patch, the previous patch, had kind of killed the concept of remote execution, and all these were focused on local. With these new releases that you've just done as PoC releases, what do you think, is there a chance that this is going to kind of pivot into remote execution now?

Not likely, but we'll see.

Yeah, yeah, I warned you guys against one-word answers, but we'll let you slide on that one. So I feel like I just put a very pregnant question out there. It's like, come on, guys. Now, we're pretty happy to have you guys. I think this is pretty interesting. I think there was a... I really appreciated the sort of complete walkthrough of what the malware did and, you know, what it exploited each way, each step, and I think, like you said, it just may have been, or there should have been something that was covered, you know, pretty extensively over the last ten years. But, you know, going back and revisiting those can have happy coincidences as well, right?

Yeah, that's all. I think that we'd be glad to see another, you know, a briefing, a walkthrough in a decade, so if you're someone, you'll remember, and it will be probably still, you know, interesting to see.

Yeah. Okay, so we're coming up on only 10 minutes left. You guys have any last words you'd like to share about the research? I shared your GitHub out there, and I understand that you kind of got one more release up your sleeves waiting for, you know, Patch Tuesday next week. Do you want to give us a preview of what we may see then?
Yeah, so actually we gave the preview during our talk. We had a video which demonstrated the demo of how we bypass the patch of CVE-2020-1048 and how we re-exploited it. Obviously we can't provide the details now, but we will have to wait till the last moment and when the patch will be released. We hope it will be on the following Patch Tuesday; that's what MSRC told us, but we can't guarantee it, of course, because we're not Microsoft. So we have to wait and see, and once we will be able to make sure that it was already patched, we will release the PoC in the GitHub repository that you published on the channel, and we will also provide a write-up, a technical blog post. So we wait and see. We will mention it on Twitter once it will be deployed. And, you know, the last thing I want to say, Tomer, if you want to add something, so go ahead. But I think that it was very interesting research, and we provided all of our technical materials in our GitHub repository, and if anyone would like to, you know, continue research in the same area or something, if you have any questions, go ahead. You can DM me on Twitter, you can, you know, you can mention me, and we'll be glad, Tomer and I, to help someone to keep that. I think there are a lot of other areas which are related, not even on the spooler itself, but even in the spooler itself, it's a huge mechanism, and there are a lot of things to keep on and investigate, and we didn't have much time. So if anyone would like to do it and would like some help, go ahead.

Okay, well, so I'd really like to thank you guys for the talk you did. I want to congratulate you again on your first time at DEF CON, and if dropping two 0-days for a DEF CON is what we can see in the future from you guys, I'm sure we'll be inviting you back next year. So thank you.