TippingPoint Digital Vaccine Laboratories

Ekoparty Wrap Up

Ekoparty 2009 is all wrapped and everyone had a great time. The venue was spectacular. An open split level warehouse which comfortably held the 500 researchers who attended this boutique con in Buenos Aires, Argentina. The talks were held in the theater upstairs in both English and Spanish via real-time translation. The downstairs area housed the various sponsors and a slew of interesting competitions.

CORE Security created a really fun 3-level simulated hardware reverse engineering challenge via the Ruckingenur Editor. Immunity had their NOP certification test. TOOOL had a lock picking competition. There was a fun CTF where teams had to hack into faux bank websites and steal money from each others accounts. Finally, my team had the DRINC challenge (see the previous blog announcement) where we intentionally exposed 17 bugs across various components for contestants to discover in exchange for drink tickets and a grand prize.

We had over 40 entrants participate in our challenge and over the course of the 2-days we ran the contest a handful of them discovered almost all of the exposed issues. At the end of the competition we were pleased to announce Gera from CORE Security as the grand prize winner and recipient of a our TippingPoint "Kick-Ass" trophy, a Zero Day Initiative laptop messenger bag and a bottle of Dom Perignon champagne. Here he is accepting his reward with the TippingPoint team:


[full size]

The following is a list of the various DRINC components and the discoverers of each of the exposed bugs.

AwesomeX.ocx
  1. Peter Vreugdenhil, Fermin Serna
  2. Peter Vreugdenhil, Fermin Serna
DRINCryptionSuite.zip
  1. Gera CORE Security
  2. Gera CORE Security
EkoFriendlyServer.exe
  1. Esteban-Hernan, Costantino Leandro
  2. Costantino Leandro, Esteban-Hernan
LogAnalyzer.exe
  1. Charlie Miller, Victor from Hauttech Group
  2. Charlie Miller, Victor from Hauttech Group
NetworkScriptingEngine.py
  1. Esteban-Facundo, Agustin, Costantino Leandro, Gera CORE Security, Jean Sigwald
SecureLoggingServer.exe
  1. Gera CORE Security
  2. Gera CORE Security
  3. No entries
  4. No entries
TSRTVideoCodec.dll
  1. Sergio Alvarez Recurity Labs
  2. Sergio Alvarez Recurity Labs
Web30Server.exe
  1. Costantino Leandro, Jean Sigwald
  2. Gera CORE Security
  3. Gera CORE Security, Esteban (this bug was not part of the contest!)
The third bug discovered by both Gera and Esteban was not actually among the list of purposefully planted bugs but rather a directory traversal issue in the underlying mongoose webserver that we modified for the purposes of the contest. A bug report has been opened with the mongoose developers.

The TippingPoint DRINC contest is now available for download as both a Windows MSI installer, which will properly install the various components, and a standalone archive. We are going to hold off on posting the solutions for now. However, if you want to see them simply drop one of us an e-mail and we'll shoot it over to you. If you e-mail us a find before we post the solutions we will add your name to the above list of discoverers. Here are some hints we shared with contestants that should help you get started:
  • Don't bother fuzzing the AwesomeX ActiveX control, there is a mechanism to prevent it.
  • On the LogAnalyzer the values 0x3 and 0x10 should save you some time.
  • Be sure to look at the sample AVI provided when you are working on the video codec.
  • Here is an IDAPython script for Web30Server that will add symbols to your IDB.
Here are some not-so-great-quality cell phone camera pictures we took at the event (click for a larger version):

The DRINC contest grand prize:

[full size]

Zoom up on the "Kick-Ass" trophy

[full size]

The audience during my talk

[full size]

2nd place DRINC team (Facundo, Emiliano, Hernan, Esteban)

[full size]

Cody and Cameron working with Charlie Miller on the DRINC contest

[full size]

Gera and I catching up before my talk

[full size]

The WOPR (yes from War Games) from the speaker stage

[full size]

There was a professional photographer at the event as well, we look forward to seeing those pictures when they are released. All in all everyone from my team had a great time at Ekoparty and we look forward to attending again next year.

-pedram

Tags:
Published On: 2009-09-21 11:45:04

Comments post a comment

  1. Anonymous commented on 2009-09-21 @ 12:20

    Where can we get a copy of your talk?

  2. Pedram Amini commented on 2009-09-21 @ 16:26

    @Anonymous: Many people have asked this and I promise it'll be up within a week or so. I need to write a blog entry around its release to ensure that non of the eye charts get misinterpreted by media etc...

  3. Fernando commented on 2009-09-22 @ 12:34

    Great to meet you all and hope to see you again in Argentina!

  4. Costantino Leandro commented on 2009-09-23 @ 18:55

    Pedram, ty for your comment's. I am looking forward for the next challenge on argentina :)

    About the ideas, i will think about it and let you know, but , right i know i'am thinking in two of them:
    1) include an encrypted txt with the access point password and ip address of the internal zdi. The first challenge should be to find that password, or something like that ( an app, that will show a popup with it, etc) , to assure no so many ppl is bothering on the network. (just an idea )
    2) Maybe, some kind on internal chat with the members, would be great too, during the event, just to ask things :)

    Best Regards, nice to meet your team

  5. Pedram Amini commented on 2009-09-30 @ 12:07

    Peter Vreugdenhil and Fermin Serna have each submitted correct solutions to both of the exposed issues in the ActiveX component.

    Names added to the above list.

  6. Pedram Amini commented on 2009-10-09 @ 13:15

    Added Jean Sigwald to the list of discovers. Thanks for taking the time to look at our contest!


Trackback