TeamT5 於台灣駭客年會 HITCON 2024 分享多場技術演講

TeamT5 於台灣駭客年會 HITCON 2024 分享2場技術演講，本篇文章簡介各場演講。

Named Pipe 從 Windows 早期以來一直是作業系統的重要元件，它提供了 Inter-Process Communication (IPC) 機制讓 Process 之間進行溝通。Named Pipe 讓同一台機器或網域內的系統的 Process 以 Client-Server 模式互相傳遞資訊。其中一個關鍵功能是 Impersonation，Server 端可以暫時使用 Client 的 Security Context，從而使其能夠以 Client 的權限執行操作。

在這個研究中，我做了一個用於分析 Named Pipe 的工具。結合了 Minifilter 驅動程式和透過 DLL Injection 實作 Ring3 Hook 來監控和攔截 Named Pipe 的資訊。Minifilter 驅動程式用來監控檔案系統的操作，而 Ring3 Hook 攔截與 Named Pipe 相關的 API。利用這工具我在 Windscribe、CyberGhost 和 OpenVPN 中發現了許多 Named Pipe 相關的漏洞。具體來說，Windscribe 的漏洞可以讓攻擊者達到 Elevation of Privilege (EoP) (CVE-2024-6141) 和 Broken Access Control (BAC)；CyberGhost 的漏洞則可被利用達到 BAC；而在 OpenVPN 中，漏洞會導致 EoP (CVE-2024-4877)。其中 EoP 的漏洞會讓攻擊者獲得更高的權限，而 BAC 會導致低權限的使用者可以訪問敏感資源。

在參加這個議程後，聽眾將更深入地了解 Named Pipe 相關的資安議題。議程將包含分析工具的實作原理、漏洞的影響範圍。聽眾將得知該如何實作更安全的 Named Pipe，在意識到 IPC 機制重要性的同時，也了解開發者可能常犯的錯誤與怎麼避免類似情況發生。

Since the 2010s, Polaris (also known as Mustang Panda, Earth Preta, or Twill Typhoon) has maintained a persistent presence in various East Asian countries, including Vietnam, Myanmar, the Philippines, Thailand, Taiwan, and more. In late 2021, we discovered a new malware family that we had dubbed NoFive, characterized by its shellcode form and rudimentary features. Since then, we have observed an increasing number of backdoors utilizing NoFive as a base template. Although these malware variants initially seem disorganized, our telemetry and analysis indicate that Polaris strategically deploys them based on specific target countries and sectors. This presentation aims to provide deeper insights into Polaris' malware development strategies and deployment patterns through our comprehensive threat intelligence.

In this talk, we will provide a detailed technical analysis of the relationships among these various malware families, including NoFive, TOnePipeShell, QReverse, and others. We will examine how the developer(s) of these backdoors have been gradually modifying them by changing the traffic encoding/decoding mechanisms, continually shifting the features included within the backdoors, adding USB lateral movement abilities and more. Additionally, we will share our observations of Polaris’ recent activities and discuss our expectations for future developments.