7 sins of ATM - nullcon · 7 sins of ATM protection against logical attacks
Post on 24-Aug-2020
ptsecurity.com
7 sins of ATM protection against logical attacks
Timur Yunusov
Senior expert
whoami
• Positive Technologies (from 2009)
• Application security researcher (from 2009)
• Banking systems security senior expert (from 2012)
• Big fan of #nullcon
• Always in search/research ;)
• 10+ ATMs for the last year
ATM security assessment

7 sins
• Kiosk bypass techniques
• Privilege escalation techniques
• Application control software bypass
• Network physical layer
• Device management
• Booting process
• Logical vulnerabilities
Attack layers (diagram): OS (OS/software vulns, kiosk mode bypass); Network (network attacks); Hardware (hardware attacks)
Blackbox
Blackbox is (almost) dead (for researchers)
Decision (diagram): Is there strong crypto between the dispenser and the OS? Yes: BB is not possible. Otherwise: BB is possible.
Kiosk mode bypass
Windows XP/7

Kiosk mode bypass
• Safe mode
• Hotkeys
• Windows Plug&Play
• Race condition
Safe mode
• F8 + Safe mode with command line
• DS restore mode
• AC/DC fun
Hotkeys
• Win+R
• Alt+Tab
• Alt+F4
• Alt+Shift+ESC
• F1-F12
• Shift x5 (Windows 7 only)
• Win+(etc)
http://www.techrepublic.com/blog/windows-and-office/the-complete-list-of-windows-logo-keyboard-shortcuts/
AlwaysOnTop
• Disabling mouse icon
• AlwaysOnTop
Screen text: "This ATM is Out Of Service, Sorry for inconvenience"

P&P video/screenshot

End of the story
Privilege escalation techniques
• How exactly do we extract money?
• FS restrictions
• Local Security Policy restrictions
• Arbitrary command execution - XFS API
• Command execution - privilege escalation
• Write files/registry - modify security configs
• Read files - ***
App control software bypass
Story so far…
• https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html
• https://cansecwest.com/slides/2016/CSW2016_Freingruber_Bypassing_Application_Whitelisting.pdf

Security software bypass
• McAfee Solidcore - https://www.ptsecurity.com/ww-en/about/news/131496/
• MS AppLocker - http://www.blackhillsinfosec.com/?p=5257 - state of the art!
• etc. (6 different products in total) - stay tuned!
• 0days (5 in total, being fixed): network, local, logical
• Misconfiguration
• Whitelist memory execution: IE, rundll32, powershell, java, etc.
Network
Protections (diagram): Firewall + VPN + TLS + MAC
• OS services
• Software services (Solidcore, UPDD, etc.)
• Processing
• Track2
Network vulns
• VPN disabling
• TLS disabling
• MAC disabling
Logical vulns part:
• Files/registry manipulations
Network/Hardware layer
• 3G industrial modem: long story short, http://blog.ptsecurity.com/2015/12/critical-vulnerabilities-in-3g4g-modems.html
• Security measures: VPN channel, private APN
• Result: ATM network infection, processing access

Network/Hardware layer
• Access to *:80
• Auth bypass
• Physical access
• Proper VPN protocols(((
Device mgmt
How to make all the hacking stuff much easier?

Device mgmt
• Keyboard/mouse
• Teensy
• Network card: firewall bypass, plug&play
• USB drive: local access to exe file content, plug&play
• MS13-081
Booting process
The easiest way is…

Booting process
• BIOS pwd
• Network load
• Safe mode
• Physical access
• OS access: same passwords story
• Bootkit: software skimming
Logical vulns
How did it happen?

Logical vulns
• Security tools run from regedit/autorun: Shift x5, Win+U
• Security race condition: Hash(loooooooong file), exploit.exe at the same time
• Ctrl+C
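The hotkey and accessibility entry points the deck names (Win+R and the other Windows-logo shortcuts, Shift x5 Sticky Keys, Win+U) are all policy-controllable. This added PowerShell check, not from the talk, audits whether they are switched off for the kiosk user; the registry paths are standard Windows policy keys, and the expected values are assumptions for a locked-down kiosk, not a vendor baseline.

```powershell
# Added example (not from the talk): audit kiosk hotkey hardening for the current user.
# Run in the ATM kiosk user's session; any FINDING is an entry point the deck lists.
# Expected values are assumptions for a locked-down kiosk.
$checks = @(
    @{ Name     = 'Windows-logo hotkeys (Win+R, Win+U, ...) disabled'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoWinKeys'; Expected = 1 },
    @{ Name     = 'Run dialog (Win+R) removed'
       Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoRun'; Expected = 1 },
    @{ Name     = 'Sticky Keys hotkey (Shift x5) disabled'
       Path     = 'HKCU:\Control Panel\Accessibility\StickyKeys'
       Value    = 'Flags'; Expected = '506' }   # 510 is the Windows default with the hotkey on
)

foreach ($c in $checks) {
    $actual = $null
    if (Test-Path $c.Path) {
        # Dynamic property access returns $null when the value is absent
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    }
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    $status = if ("$actual" -eq "$($c.Expected)") { 'OK' } else { 'FINDING' }
    '{0,-8} {1} (found: {2})' -f $status, $c.Name, $shown
}
```

A clean result only covers the keys checked here; Alt+Tab, Alt+F4 and the F-keys are handled by the kiosk shell itself rather than by these policies.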
Logical vulns (screenshots)
• VPN disabling
• FS access is strictly prohibited
• FTP is strictly prohibited!
Summary
                      | Windows 7 SP1 ATM        | Windows XP SP3 ATM
Kiosk bypass          | Hotkeys/Safe mode        | KeyboardDisabler bypass
App control bypass    | 0day/Trusted soft        | Untrusted booting
Privilege escalation  | 0day/MS15-051            | Untrusted booting
VPN/TLS disabling     | Misconfiguration/FS      | Untrusted booting
Social Engineering    | Misconfiguration/FS      | -
Untrusted boot        | BIOS accessing from OS   | No password
Network attacks       | MAC/TLS/VPN/App service  | MAC/TLS/VPN/OS services
How does all that happen?
• Security through obscurity is not an option!
• You should know your landscape and your threat model
• Use compliance management tools instead of paper
• Where a vuln cannot be fixed, use mitigation measures like SIEM
Greetz
• Anon guy ;-)
• Positive Technologies researchers teams:
• ICS/SCADA
• Reverse Engineering
• Banking security
Contacts
http://uk.linkedin.com/in/tyunusov
tyunusov@ptsecurity.com
a66at
Thank You!
ptsecurity.com