So this is Zachary Menaker. He is going to talk about how to get MUMPS 30 years later, with some more stuff added on that you can read.

All right, let me just set my timer here real quick and then we will get going. Okay. What's up? I think I already... do I recognize you from the office? Yeah, all right. Yeah, all right, cool. Yeah, thanks for coming, everybody. This is How to Get MUMPS 30 Years Later. My name's Zach Menaker.

Yeah, so to just start, I'm gonna just give you a little bit of an agenda, what we're gonna talk about here. First I'm just gonna talk about, like, the history of the thing that we're talking about here. I'm gonna talk about, like, how to break MUMPS, how to break an EMR that's called VistA. And then I'm gonna talk about, like, the future and the past of these things.

Before I start, I just want to say, just get some definitions going. First, I'm gonna say EMR throughout, by which I mean electronic medical records, which is just, like, software that is used to maintain patient records, stuff like that. I'm also gonna say VA throughout, by which I mean the Department of Veterans Affairs, which handles concerns for veterans in the United States, chiefly, for what we care about, their medical care after they're out of the military. And then I'm also gonna talk about FOIA, which is the Freedom of Information Act, which basically, you can submit a form to the government that says "I want information about this specific thing", and as long as they don't have a reason to say no, they give it to you, basically.

Yeah, cool. So who am I? Like I said, my name is Zachary Menaker. I work for a company called Security Innovation. I don't work for the government.
I, you know, I break stuff for a living. I also used to work in health care, kind of sort of, and now I just, like, work on breaking health care stuff for fun, and I care a lot about, like, the history of a lot of the software that we use. You know, like, I'm a real big fan of the PDP-11, for example. Yeah, also, I'm speaking on behalf of myself and not of my employer. And also, I made these slides in an ANSI text editor called Moebius, and they should be available on the media server under the name, like, the title of the talk dot info. They're not up there right now, but I will get those up there.

Yeah, so anyway. So what's this talk about? In health care, there's a language called MUMPS that effectively undergirds a ton of modern, like, health care infrastructure, right? You've probably seen this xkcd. You've got on the left there these towers that say "all of digital infrastructure", and then there's a little block that says, you know, random project maintained by somebody in Nebraska since 2003. This talk is sort of about hitting that block with a hammer. It's basically what we're trying to do here.

So, like I said, we're gonna talk a little bit about, like, the history of the things involved here. So where the hell did MUMPS come from?
In 1966 there was a group of engineers that were working for a Dr. Octo Barnett in Mass General Hospital in Boston, including Neil Pappalardo, that started working on this new language that they called the Massachusetts General Hospital Utility Multi-Programming System, which of course shortens to MUMPS. There is some movement now to call it the M language. I'm gonna refer to it as MUMPS throughout because I think that's a more fun name.

Yeah, so MUMPS was specifically imagined as a language for health care environments. It was originally written, allegedly, for PDP-9s, and then Digital Equipment Corporation grabbed it and they turned it into, like, a standalone OS for PDP-11s that they called MUMPS-11. Some records say that, like, originally it was deployed on PDP-7s. Yeah, there's also... it has a lot of influence from a language called BBN TELCOMP, which I say mostly just to say that, like, this is a pre-Unix language. This is a pre-C language. This is before the standard concept of how programming works as you and I know it, right? And so originally it wasn't, like, a language. It was an environment. It was everything you needed to make software for health care, like, uses.

So as just an example of, like, one of the little oddities here: there wasn't a Unix epoch, right? There was no, you know, number of minutes since, or number of seconds since 1970, right? So instead they have this variable.
That's called $HOROLOG, that has two numbers separated by a comma. And the first number is the number of days since January 1st, 1841. And the whole reason for that is because their assumption was that the oldest living veteran that they would have to give health care to fought in the Civil War, and that was their, like, measure that they went for. So yeah, also the maximum date it can support is, like, December 31st, 9999. So, like, Y2K compliant, which, you know, good job, really thinking ahead there.

Yeah, so originally, like, MUMPS wasn't super well standardized. It was this idea that they were playing around with. It showed up in PDPs. It showed up all over the place. But eventually the VA hired two engineers and said, hey, there's this new thing, like, let's look into doing something with us. And they eventually started working on this suite of utilities over at the VA that eventually sort of coalesced into this single total EMR that they called VistA, capital V, capital A, real cute name. And, like, the people who were working on this was this group that was called the Hardhats. And just as an example of, like, the people we're talking about, they're still around, and this is their website as of 2021. Absolutely incredible. Like, these folks are really going for it.

So, like, VistA, this EMR that they were working on, it sort of grew throughout the years. It got bigger and bigger and bigger, and it became, like, really well loved and well respected. On the one hand, this is like, you have people that have a need for software, and they're making it themselves, right? This is, like, for doctors, by doctors, effectively, right? On the other hand, it's effectively, like, shadow IT as a development strategy. So there's a lot of, you know, there was a lot of working that needed to be done to get stuff to, you know, fit together.

Basically, MUMPS the language was, and is, extremely fast.
It's NoSQL, partially because it beat SQL to market, also partially because, like, it fits every definition of NoSQL. And it's, like, perfect for any time you've got data that needs a lot of writes: banks, sciences, hospitals, right?

Like, nowadays, VistA is still, like, widely deployed at basically every VA hospital. Doctors really love it. Like, people who have interacted with it love it. Hospitals outside of the VA system, like, use VistA for certain things. Inside of the VA, there's this effort to, like, modernize their EMR, which means that they're trying to get rid of VistA. But it's still deployed all over the place. And yeah, like, MUMPS is still widely used even outside of health care. Some of the biggest EMRs in the world use it. Core banking systems use it. The European Space Agency has deployed it, like, within the decade, I believe, or within the last decade, which, like, people are still finding uses for it.

If you want to join me on this adventure, you can install MUMPS by running, in Ubuntu or Debian, sudo apt install -y fis-gtm, which will install FIS's GT.M. You need that -y because if you even think about installing MUMPS you must. So, like, you have to have apt install it for you. And VistA you can actually just get. At some point it got FOIA'd, is my understanding. This appears to have started somewhere in, like, September of 2004. But, like, somebody at the VA just uploads it to an FTP server every month, and, like, whatever the most modern version of VistA is, every year, come... you can, or every month, you can just grab a new version.

Um, so we're gonna talk about, like, a couple of different, you know, we're gonna talk about, like, MUMPS a little bit. I'm not gonna talk a whole lot about how VistA works, but I just kind of wanted to ask, like, has anyone in here, like, written any MUMPS? I know there's at least one person. Okay, so we've got two people, three people. All right.
That's, yeah. Oh wait. Okay. So we've got, like, you know, less than 10. Makes sense. All right.

Yeah, look, MUMPS is a cool language. I'm gonna demonstrate to you that it's a cool language. First off, in MUMPS, three plus six times two is 18. So if we think about, like, our order of operations here, six times two is 12, plus three is 15, right? So that doesn't make a whole lot of sense. The reason why this is happening is because all math is strictly evaluated from left to right. Yeah. It gets weirder from here. We're gonna keep going.

In general, like, I find it to be a pretty readable language, but it's from a time where, like, size for computers was at, like, a really high premium, right? So a lot of code isn't commented. It just isn't, because they didn't want to have to store it. On some implementations, there's a performance cost to actually having comments in the code. And then also a lot of the keywords in the language can be shortened down to single characters, which, you know, gets kind of wild.

So, like, here's just an example of some MUMPS. I don't believe this runs, but it, like, you know, it looks okay. And if you notice, I just want to point out, at the bottom, the third to last line there, you have period, space, the word ELSE, and then space, space, the word DO, and then there's a semicolon for the comment. Those two spaces after the ELSE are important because, like, white space is significant in the language. It's, you know, you can do some stuff with it, but it's significant. But like I said, you can shorten a lot of keywords down to single characters, so we can go from that to that, right? Extremely, like, honestly still kind of readable. As long as, like, everything stays just sort of short per line, like, everything's cool, right?

But we can go smaller, right? There is no reason to stop at only... like, if you think about how code is written, usually it flows from top to bottom, right?
This is an invention that does not need to exist. What if, instead of writing your code vertically, you wrote it horizontally, right? So that same code can be turned into that. Right, this is basically code golf. Like, this is enterprise code golf. And in fact, if you go on, like, some code golf forums, like, people are using this language to do code golf. Like, it's just, yeah, it's a great language for it.

And I'm not, like, I am not cherry picking here. Like, this is actual source from VistA. And, like, this is how readable it is, right? If you look at that first line, you have, like, N, space, and then a couple variable names, and then the line below it you have set d sub equals zero. That's just, like, setting a variable to a certain value. Space, for, space, space, set d sub equal to, and then, like, you know, a bunch of... like, that is how this code gets written, is, like, entire for loops on one line, you know.

Here's, like, another example, and for some reason in the VistA source code there doesn't seem to be, like, a strong coding style that was enforced. There's no linters for this language, right? So, like, in this case you have IF written literally as IF, you know. Like, they're literally using IF, but then, like, NEW and SET are just single characters, right? Yeah, it's like, this language gets rough to look at.

But, like, on modern implementations, now that we've talked about, like, writing the code, right, we need to, like, run the code. Generally MUMPS is described as both an interpreted and also a compiled language. So on the one hand, you can, you know, write your code and then tell MUMPS, like, hey, run this code. And what it does is compile it, store that as a shared object, or at least GT.M and YottaDB do, I should be clear. It compiles it, stores that as a shared object, and then it loads that shared object into its memory space and then jumps into that code that you just wrote, right?
And so what that means is, like, you can deploy VistA code as just the source code, which is kind of small, and then compile on site, which is a pretty, you know, useful feature to have. Yeah, it's just, like, this is how it works in the modern era.

So, like I said earlier, like, just to be real clear about what we're talking about: that's the language MUMPS, right? VistA is written entirely in MUMPS. The way that I got it for this research is just by downloading it from that FTP server I mentioned, and a lot of this is based on a certain flavor of the FOIA version of MUMPS. There's some modifications that get done to VistA sort of after the fact that get, you know, packaged into different distributions for different uses and stuff. If you are using a version of VistA that, like, is deployed using GT.M, for example, usually you're storing your routines in a folder that's traditionally just called r/. So if you follow me on this and you, like, you know, use VistA that is deployed with GT.M using, like, Docker or something, look for that routines folder, because it's gonna have all of your source code.

All right, so that's all of our history. So then I show up, right? So how did I actually get involved in this? So at Security Innovation, the company I work at,
we have, like, research time where we, you know, look at interesting stuff, learn how to break new things, whatever. And I have been using mine to kind of, like, systematically go through a bunch of different, you know, health care protocols, look at different EMRs, kind of, you know, do whatever. And, like, I had heard about VistA maybe, like, five or six years ago, and I didn't realize, like, I didn't realize it was MUMPS. I didn't realize how foundational MUMPS was to, like, a lot of health care stuff. Talk more about, like, where it's being used later. And, like, places I had worked at in hospitals had always used Java-based EMRs. So, like, I just never, you know, never got a whole lot of exposure to MUMPS. And on top of that, I desperately want to be cool. And, like, I think hacking weird code is cool. And I think I've demonstrated that VistA is weird and, like, MUMPS is weird. So, like, you know, thus we can play.

Yeah, so let me just talk about, like, what a deployment of VistA sort of looks like. It's basically this. So you have some hardware, some, like, x86, probably, machine that you're running it on, that you have an operating system that's running on, right? On top of that, you're running some sort of MUMPS implementation. For my use, this is either GT.M or YottaDB. There's also a Windows implementation that's called Caché that's pretty common. And then on top of that is VistA. So in VistA, when you, like, you know, make a new string or whatever, you're asking the MUMPS implementation to give you, like, memory to use as a string, and it goes to the operating system to get that memory. Yeah, yeah, yeah, yeah.

So the way that, in an actual hospital, VistA gets used is that you have clients that talk to it using this RPC method that's called XWB. A really common client is CPRS, which I'll talk about in a sec here.
But yeah, that's our general map of what this thing looks like, right?

So I go out and say, like, I want to attack this as an attacker. I want to attack this as a client. I want to just be able to show up at, like, a VA hospital, plug into a wall, and go, right? So, like, I want to start with their client and then, you know, start exploring what I can do here, right? So I go and grab the most common VistA client, which is called CPRS. CPRS is really widely available. I think it's up on GitHub now. It's written in Delphi, so it's more readable than MUMPS. And so yeah, so I install CPRS. I run a version of VistA that's deployed without TLS, which isn't hard. That'll come back later. And then I start capturing packets, right?

And so I get a lot of RPC traffic that looks like this. And, like, you know, ignoring the normal, like, you know, TCP stuff at the bottom, we've got all this, like, ASCII at the bottom that I just don't really understand. If you look on, like, the third line, you can kind of make out that there's 127.0.0.1 that's on there. That makes sense, I'm running the server on localhost. But, like, I have no idea what's going on, and I can't really turn to the source code, because at this point, this is, you know, like, a year into this research and I don't know MUMPS. So, like, I'm gonna do this in the dumbest way possible and just start looking for keywords in the source code.

And so when I'm, like, dragging through the source, at some point I start finding this code. And if you look here, you'll notice there's a line that says type equals XR equals, and then in quotes, square bracket XWB, close quotes, right? That's our code that is, like, consuming this RPC traffic.
So we've got, like, we've got a way in, right?

So, like I said, don't want to learn MUMPS. And so I turned to old reliable here, which is boofuzz. So boofuzz, if you haven't used it, is a Python library for basically making, like, network fuzzers where you don't really have to... you can just say, like, here's what the network traffic looks like, go fuzz this thing, here's, like, the address. But to do that, I need to capture a lot of traffic and then turn that traffic into this boofuzz script. And if you use VistA with CPRS for, like, you know, I don't know, 15 minutes or so, like, you'll generate hundreds of RPC calls. So I start, like, notating these by hand into a boofuzz script, and get through about 20 before I'm like, this is dumb, and I write a script that'll just create the boofuzz script for me. And then I end up with an 18,000 line boofuzz script that gets me nothing. I ran that for a couple of months. Absolutely nothing.

So I switched tack. I think to myself, like, the network is slow. Like, let's see if we can cut the network out. So I learned enough MUMPS to write a harness that will take input from standard in instead of from a socket, right? And it will still hit that RPC code. So after doing that, I can now use AFL++ in dumb mode, not have to worry about, like, instrumentation, just kind of, like, feed input into this thing and see if it dies, right? And that also doesn't seem to be working. So I think to myself, like, what if I just, like, instrument it, and then I can see if code is actually getting hit, right?

And so, like, we need to talk a little bit about, like, instrumenting some MUMPS implementations here. So there's two MUMPS implementations that I kind of care about for this research. The first one is GT.M. The other one is YottaDB. Both of them are open source. YottaDB is based on GT.M.
Because of some, like, historical reasons, the VistA deployment that I was working on was based on GT.M, so I, like, already have, like, a stood-up GT.M instance. YottaDB is very easy to get going if you want to get it going. And both YottaDB and GT.M are written by, like, C wizards who are, like, way cooler than me. And, like, they do everything they possibly can to, like, make C even faster. Big parts of it are written in assembly, of GT.M and YottaDB, which is fascinating. But all I have to do is make, like, three changes to the code to get, like, AFL to work, which is good for me.

Yeah, and so since I'm down here anyway, and, like, instrumenting this underlying MUMPS implementation, I figured, like, I might as well just fuzz, like, the MUMPS implementation anyway. You know, like, fuzz how it handles source code input. And so to do that, YottaDB has all of these test-driven development, like, source code examples that all explore weird states, right? And so, like, that's a really perfect corpus for this. And in general, like, that's my advice: if you're fuzzing something that you don't understand, but they have code tests, just steal their code tests. You know, just steal their test inputs and just use those. Like, it works a lot.

And then, yeah, at this point I've written enough MUMPS that I can finally, like, read MUMPS. So now I can actually go through and, like, you know, read the source code and, you know, make some sense of it. So I start looking through the authentication. I start looking at the input handling. I start looking at how it interacts with the underlying system, mostly just looking for, like, quick wins and stuff.

So we've got, like, three pathways of attack here. First, we're fuzzing the VistA RPC mechanisms using, like, a MUMPS harness and AFL++. Second, I'm just fuzzing how YottaDB and GT.M handle source code input using, like, YottaDB's tests. And then third,
I'm just looking through the code by hand, looking for anything weird that I can see, right?

So what did we find? So first off, the RPC fuzzing got us just nothing. There's a really boring technical reason for this that I'm not gonna get into, but yeah, just absolutely nothing. Fuzzing YottaDB and GT.M got us 30 CVEs. All of those are memory corruption bugs. It's everything from, like, buffer overflows to use-after-frees to null pointer dereferences to everything you can possibly imagine. And I want to be really clear about, like, what the attack surface for those looks like. I'm talking about modifying source code that gets fed to the interpreter, right? So you have to be in a really specific spot to exploit these. I think it's easier than you would expect to get there, but yeah.

So cool, these CVEs are CVE-2021-44481 to 44510. And, like, these bugs are weird. Like I said, this was written by, like, C graybeards using every possible trick you can imagine. And so there's all of these weird states that, like, ended up getting explored doing all this. So let's, like, take one of those bugs and, like, talk about it, right?

So we're gonna look at 44486. So what I'm gonna do is, I'm gonna show you the input. I'm gonna show you the crash. We're gonna talk about, like, why this crash is happening. And then I'm gonna show you the crash again from, like, a different angle and show you, like, what actually is causing the memory corruption here. One sec. All right. So here we go.

So first, I'm just gonna open that input and just kind of show this to you.
This is the input that is gonna cause the crash. This is just, like, a non-minified input that the fuzzer found. If you look at this line here, you can see this WRITE command, which is actually what causes the crash to happen. So if I bail out of vim real quick, I'm just gonna run YottaDB in GDB. It is configured to just read that input and, like, try to create a shared object from that. And we get this segfault, right?

If we take a look at the state of the registers, what we will see here is that RIP, the instruction pointer, is at, like, 555c6950. And so if we look at, like, the instructions around that location, there's just sort of a bunch of garbage there. There's that instruction at the bottom that, like, GDB can't really make sense of. And I'm gonna talk about this later, but that's somewhere in the heap. Just trust me that that's in the heap.

So if we look at, like, the line of source code that caused this crash, it's inside of op_write, and there's this call that uses io_curr_device.out, then an arrow, dispatch pointer. If I print that, you can see that there's, like, some memory addresses in here that don't make a lot of sense to me. But there's also that write function pointer, which is at 555c6950, right?

So what's actually happening here, right? There is a specific order of strings being created and, like, attempts to compile the code that is corrupting some data structure in memory that contains a function pointer. So then later in the source code file that's being parsed, there's this call to WRITE where the function pointer gets corrupted, and we just jump out into the middle of absolutely nowhere. So, like, in this case,
we're jumping to somewhere in the middle of the heap. But, like, that's just purely chance in this case.

So the thing that's actually being corrupted is this io_curr_device.out. io_curr_device.out is, like, the current input/output device. It handles, like, taking input from the user and also, like, printing and emitting source code and stuff like that. It has a dispatch table that's called dsp_ptr, and that dispatch table is just a bunch of function pointers that point to different functions that you can, like, rewrite on the fly if you need to change what the MUMPS implementation is doing. And then we are trying to perform the write function that's in that dispatch pointer using some input, right?

So once the corruption happens, we end up with this, where that io_curr_device.out just gets corrupted. So it's completely kind of destroyed. That dispatch pointer, excuse me, points to just somewhere randomly, which means that that write function call is completely random, you know, it's just some other, you know, it's just some area of memory, basically.

So, but, like, why does that happen, right? And, like, what actually does this corruption look like? Basically, what we end up having is, like, these two objects in memory that are at the same, like, memory locations, that we're overlapping two chunks, basically. I'll explain this more later. But, like, in other contexts, like, if you're just doing, like, normal heap exploitation things, you can kind of get into a similar state using, like, a use-after-free or a double free.

And, like, let me demonstrate that for you. I'm gonna look at that crash again, but we're gonna take a slightly different look and look at the way specifically that malloc is being called here. So let me restart the program, and then we're gonna run it again with that same input and just see what happens, right?
And if we take a look here, we are inside of op_write, and now we're breaking at this incr_link function call before a call to malloc, right? Dispatch pointer looks fine. Like, the symbols are, like, this is correct, right? And if we look at, like, some strings around that area where that dispatch pointer is, or where curr_device.out is, there's nothing really reasonable. After a call to malloc, there's this macro that gets called that uses the output that it gets from malloc. And if we check io_curr_device after that, now all of a sudden there's a string written there, right? So we're overwriting some data that's in that io_curr_device, right? And the dispatch pointer now is just completely clobbered. Like, it is just nonsense. And if you look at the rest of this, like, all of these have been just completely destroyed.

So let me rerun that again, and this time we're gonna step into that call to malloc to, like, figure out, like, what the malloc is actually doing. Right, so here's our completely normal call to malloc. We step in, and we are not in malloc. This is gtm_malloc. They wrote their own malloc and replaced the system malloc with it. So if I break at another macro later inside of this, like, custom malloc, there's this call to, like, get queued element that gets some piece of memory that starts around, like, e200. Ignore, like, you know, 5555, somewhere on the heap, e200, right? And if I look at where curr_device.out is, it is at e210. So there's 16 bytes between those two, right?

So before that crashing call, before, like, the crash that happens in op_write, io_curr_device is well formed, and it's at a memory address that ends with e210, right?
There's this call to malloc that goes to gtm_malloc instead of glibc malloc and, like, eventually returns this memory address that ends in e200, right? The devs have made their own memory allocator inside of the heap. There is the heap memory allocator, and then there is their memory allocator managing the same locations in memory, right? There's at least two memory allocators in use on this application, which is just super wild. And by, like, a little bit of some magic, you can get that second memory allocator to return overlapping chunks, basically.

So just to do this a little bit visually: on the far left here, we have the way that, like, you know, process memory is laid out. You've got, you know, the text at low addresses. You got the memory, you got the heap, and then there's, like, the heap, right? The heap is made up of chunks, like, memory that is either allocated, in which case it's labeled chunk, or it's freed, and the memory allocator can, you know, do whatever it wants to it, right? If we take a look at one of those chunks, we've just got some memory that we can use for whatever.

During initialization, GT.M and YottaDB allocate a chunk, a really big chunk, and then they just say, like, this is the memory that we are going to use for any MUMPS program that's written, right? So then when GT.M runs, it initializes this io_curr_device somewhere in that same memory space, and then that gtm_malloc returns a similar look at memory space, and they overwrite that io_curr_device. So you have, in one part of the code, like, the code thinking that we're looking at the input and output device, and in a different part of the code, they think it's a routine header, right?
Which lets us get that, like, overlapping chunks type confusion thing. So basically we have these two, like, mechanisms that are managing memory, malloc and gtm_malloc, and then we get, like, a type confusion bug in the way that gtm_malloc specifically is handling that memory. So, like, this is a heap bug inside of a memory manager that is managing memory managed by a different memory manager. So, like, yeah, the address there is not completely random, but it's not really in our control. And I just, I really wanted to talk about this bug in particular because it's just so fucking weird. It's so weird.

So yeah, that's what we got looking at the MUMPS implementations themselves, right? So what about that source review where we were just looking at VistA, right? This next slide I have to read really carefully.

The source code review was just looking for quick wins and only looked at, like, the auth mechanisms, input handling, like, how it interacts with the underlying system. So that RPC mechanism I was talking about that the clients use is gated by an encryption mechanism that uses roll-your-own encryption from the 90s. Right, so if you deploy VistA without TLS, creds are poorly encrypted and transmitted in a way that attackers can trivially decrypt them or simply replay the packets. There also appears to be hard-coded creds in the source, but because of some, like, particulars, I'm not super sure that they can be used.

Um, and I would absolutely love to explain to you how this works, uh, but we had some problems disclosing this. Uh, so let me show you my disclosure timeline real fast. So on January 3rd, we sent an email to the VA following their disclosure policy. We received an automated email that said somebody will email you back. Nobody emailed us back. So then, like, on the 10th, I emailed them.
I sent them another email that said, hey, there's some problems, I really want to talk to you about these. They sent another automated email. No follow-up. We never got another email from the VA after this. Uh, and then on the 10th, I sent another email and got nothing. Right, so, like, I assumed that they, you know, either something changed on their back end or they'd, like, just blocked my email address. So cool.

Um, so then I reached out to somebody I know works at the DHS. They did not respond. Um, I then reached out to CISA directly. They also did not respond. And then I called CISA on the phone. This is a thing that you can do. Their phone number is on the internet. You can find them and call them. Uh, and somehow, I think because of a phone tree thing, that call just got disconnected, like, before I could ever speak to somebody and, like, explain what the hell was going on. So then I called CISA again and was told that any information that I give them is just not going to be provided to the VA. Like, they're not going to, like, give it to the people to try to fix the bug, right? They said they were going to give it to their threat hunting teams.

So then I reached out to CMU CERT, and I received an email that was like, hey, give me more details. And then they didn't respond to responses to that email. This says they never responded; within the last week, they have started responding. But I don't believe they, yeah, I'm not super sure what's going on there. I still don't think the VA has been told about this problem. And I want to be clear, like, this is an EMR that is deployed in, like, it is at VA hospitals right now, right? It is also at civilian hospitals in the United States, right?

Um, so yeah, also we, like, disclosed a lot of bugs to a bunch of, uh, MUMPS distributions. For YottaDB, we sent them an email that was like, hey, like, we found some bugs. They sent us an email back that was like, cool, do you mind teaching us how to do this?
And I said, hell yeah. And then we explained to them, like, hey, here's how you fuzz, here's, like, the changes you need to make, like, you know. And then they started fuzzing and they found tons and tons and tons of bugs. And then by, like, you know, February, we disclosed to them in November, by February a new version was out that had all the fixes in it. Uh, GT.M: we sent them an email in December, by March they had, like, fixed all the bugs. Um, so yeah, that's our disclosure there.

So what does this all mean, right? Um, when I first, like, started looking at this, uh, this research, like, I've done a lot of fuzzing projects and never found anything. You know, I always kind of figured that, like, oh, you know, all the fun memory corruption bugs are dead, right? Nope, there's still big stuff out there that has real, kind of obvious memory corruption bugs.

Um, MUMPS isn't really going to go anywhere. I think at this point we're sort of, we're stuck with it. When MUMPS first got, like, off the ground and people started using it for stuff, it was faster than everything. It was cutting edge. It was innovative. It was everything you want. Um, and, like, a lot of companies jumped on this bandwagon and are still there. Core banking uses MUMPS. You know, a bunch of health care stuff uses MUMPS outside of just VistA. Uh, like I said, the ESA uses MUMPS. Based on some numbers that I've seen, more than 50 percent of health care records in the United States pass through, like, some application that's written in this language at some point. Um, and yeah, there's, like, there's still more weird machines out there to break, you know, there's still, like, more stuff to find, right?
So what should you do? Like, if you're working on VistA or a VistA-derived product or something like that, make sure you're deploying TLS everywhere. Deploying TLS is not, like, difficult on a lot of MUMPS implementations, but it's not trivial. Um, and, like, just make sure, even internally, do not trust that you're just inside of, like, your VLANs and everything's fine. Like, make sure you've got TLS everywhere.

If you deploy MUMPS or a MUMPS-based product, you need to update. If you're using GT.M from apt, like I said to do earlier, you're four versions behind and you're two versions behind the patch that has all of the fixes to the bugs that were disclosed. So, you know, update, basically. Probably build from source.

And if you're a hacker looking for research, like, I can't think of, like, look at health care stuff. Like, health care stuff is still not getting the eyes on it that it needs. Like, look at health care stuff. Also, if you work at the VA, send me an email. Like, I don't, yeah, this shouldn't be this hard, you know.

Um, yeah, I just want to, like, I've just trashed this language and this product for, like, you know, at this point, like, 40 minutes, and I just want to say that, like, everybody who worked on this is a hero to me. Like, I am not kidding about this. Like, looking at some of this code, you see these names that are, like, these people that are wizards, right? MUMPS was this incredible idea that, like, was just like, hey, we have computers now, like, what can we do for health care stuff? And they made this incredible thing that is still in use, that you can still play around with and still learn. It's not exactly an esoteric language, but if you're looking for a new esolang, look at MUMPS. It's neat. Um, VistA as, like, the EMR is super well respected. It's really flexible.
There's a story about, like, the VA has just been in constant scandal forever, forever and ever. Um, and there's a story about how, uh, like, during some bad times, uh, they, basically, like, there was this congressional testimony that was like, oh, you know, everything over there is broken except for that EMR. That EMR is the best EMR I have ever seen. And a bunch of doctors have said this about MUMPS.

And, like, just as, like, a fun little side thing: so VistA got named VistA in, like, 1994, which is, like, almost 30 years ago now. Um, and the reason why they called it VistA is because previously they were calling it DHCP, um, which then, you know, led to be a problem. I think it stands for, like, Distributed Healthcare Program or something like that. And they renamed it to VistA, capital V, capital A, and I'm sure at the time they were like, this is the greatest name. No one will ever scoop us on this name. Why the hell would you call something Vista? You know, uh, and then, you know, a decade later, here comes Bill Gates, says microsoft.com.

Um, so yeah, that's slide 63 of 64. Here's slide 63 and a half. This is my greet slide. Thank you for having me. Like, this really means a lot to me, this community, and, like, everybody who has stood on the stage and all of the research that everyone who has ever gone to DEF CON has ever done has been a great, like, inspiration to me. Um, yeah, thanks to everybody at SI. Thanks to, you know, just everybody who helped out on this. Um, yeah, thank you so much for your time. That's kind of, that's everything I got. Uh, you can yell at me at Twitter. Uh, that's it. Yeah.

Thank you. You're my hero.

All right. Oh, yeah. Also, my Twitter account is the word binaries backwards. Um, which, yeah, it just doesn't look like it, but it is. Cool. Yeah. Are we... Yeah, any questions? Anybody have any questions? All right. I have absolutely killed the crowd. Hell yeah. All right. Yeah, like I said, go look at MUMPS.
It's a fun language. It's real weird. There's a lot of multi-billion dollar companies that deploy stuff that's written in MUMPS. So, like, there's some fun stuff out there.

What's up? Uh, there is not. The question is, is there a Wireshark decode for the RPC? There is not. Um, there is a, uh, a long dead, I think there's a git commit, I can't remember what project it's on, for a JS file that I think is called rpc snoop. Which, that's going to be difficult to find, but, like, look for rpc snoop in relation to VistA and hopefully you'll find it. It's a Node.js file that was, uh, floating around. Um, yeah.

Cool. Any other questions? All right. Thank you very much.