DEF CON 29 Takeaways (and missing out on a CVE)

I started attending DEF CON in Las Vegas a few years ago in 2018, so I guess I could be considered a newb in the eyes of The Con, but because I work in the field of cybersecurity, my work would reimburse all expenses, so it was a sweet deal. I instantly fell in love with everything there, and I met some new friends, who I would later discover to be brothers. I was inducted into The Illuminati Party at DEF CON 26, and upon entering the IP Suite the next year at DEF CON 27, when I was met by the big booming voice of, “Welcome Home,” it truly did feel like home.

Last year, because of the pandemic, DEF CON was actually cancelled, and instead we had the first ever DEF CON Safe Mode, which took place entirely online. I missed being around all my hacker friends in person, but it was still a great year. This year, DEF CON 29 was a hybrid of both on-prem and online events, so it was a bit scattered. My workplace is still on a business travel lockdown, and I wasn’t going to make things difficult, so I opted to stay at home and enjoy the virtual side of things, and The Illuminati Party did the same — conducting all of their private talks and events on a private Discord server.

In this post, I will go over some of the high points (and bittersweet points) of DC29.

My private talks

I always enjoy private talks like Skytalks, and I enjoy the IP talks even more, because you never know what to expect — it could be something hacking and security-related, or it could be something completely esoteric and off-the-wall. That being said, I never envisioned being invited to give any talks or presentations myself. However, right before the Con, I was approached by Skullhacker, the founder of IP, who asked if I could give two private IP talks this year. I ended up giving three. One was security-related: a basic demonstration of Project Divinity, an open source tool written in Go that I personally developed for Hakdefnet International to give security researchers a way to find devices with default login credentials on a LAN or the Internet.

The second talk I gave was cryptography-themed and called The Secret Cipher of the UFOnauts, during which I discussed the book of the same title by Allen Greenfield, which takes cryptography into the realms of ufology and the occult. The third and final talk was titled HACKING THE MATRIX OF REALITY: Mental Illness, High Strangeness, Quantum Events, and The Real Mandela Effect. That one was basically a series of thought experiments, where we really went down the rabbit hole, and it’s for these reasons that I love DEF CON, and especially The Illuminati Party — I can gather with like-minded brothers and sisters who share the same basic interests (hacking and security) — but IP takes it down deeper to a whole new level, where we also share the same niche esoteric interests as well, which we have definitively termed “woo-woo”. For these reasons, I will always love DEF CON and truly consider IP as family.

Illuminati Party

The public talks

I caught a few live talks this year, many of which were on The Red Team Village’s Twitch stream. Below, I will post some links to a few of what I considered to be some standout talks this year — most of which are posted on The DEF CON Media Server, as well as their YouTube channel.

…and there’s obviously plenty more where that came from, and I still have talks marked in hackertracker that I need to catch up on, but those were just a few that I caught that I thought were impressive. But let’s talk about the talk that stood out most to me, which caused me to realize that I missed out on getting a CVE…

How I missed out on a bug bounty and my first CVE

So I watched this incredible talk (not listed above) by Cedric Owens called Gone Apple Pickin: Red Teaming MacOS Environments in 2021. The more I listened, the more it resonated with me on a personal level. I was thinking to myself, “I could be giving this same talk,” because I was deeply familiar with everything he was speaking on. I have always had a bone to pick with Apple about the way their installers work and how insecure most of them can be, but I have also seen some really good installers, such as the official Java installer, which does numerous sanity checks to make sure it’s doing the right thing and there are no shenanigans at play. That being said, I never thought that I could get Apple to listen to me if I brought this to their attention, and I just assumed they would fault the developers for their insecure installer implementation and would yada yada at me about how users should only trust applications downloaded directly from the MacOS AppStore, etc., etc.

So I have been backdooring MacOS installers since 2017. The first time I ever did it, I tried to convince a couple of my coworkers who used Macs to download a backdoored installer of Compuware’s DynaTrace APM which would function completely normally, but would send me a persistent reverse root shell to their computers and then clean itself up to where it was just a normal application again. Like I said, and I feel like I should stress this fact: this was 2017. I quickly dove into how various MacOS installers work, and I created a very nifty shell script called njx, which would take nearly any file type you threw at it — .app, .dmg, .pkg, etc. — and would backdoor any program or shell script of your choice to run on the victim’s computer during installation.

Two years ago, in 2019, I spoke with a fellow security researcher about my gripes with Apple’s installation methods and told him that I was planning to open source njx in hopes that Apple might take notice and implement some methods to further lock down the installation process. However, this researcher offered to buy the source code from me in exchange for not open sourcing it so that his cybersecurity defense framework could detect the behavior and protect Macs from this attack vector. Furthermore, MacOS Catalina had been released, and the Gatekeeper behavior prevented some types of exploits from running, so I figured what the hell, I might as well get paid for my work, and I knew it was going to a better cause than it would if I released it to the public. I actually wrote a blog post on November 5th, 2019, in the wake of recent ransomware attacks, where I outlined how and why MacOS was going to be a great target in the future. This post was titled Ransomware. Ransomewhere? Inside malicious installers on MacOS, that’s where.

I was approached by the same individual shortly after, this time wanting to know if I could create an implementation of the program that would work on current versions of MacOS and could bypass Gatekeeper. I was offered a very nice sum for the development work, and soon created an alternate program called inception, which basically did the same thing, but bypassed Gatekeeper by packing the original .app or .dmg into a .pkg installer and utilizing the preload scripts to deliver the payload. These are some of the exact same methods discussed by Cedric Owens in his talk. What pained me most was hearing that I missed out on getting a CVE, but I also missed a small bug bounty by Apple. From what was said, the bug bounty seemed to be pretty small, so I probably got more for selling my source code a few years ago, but it still stings a bit.
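The wrapper-package technique described above has a plain defensive counterpart: before running a third-party .pkg, expand it with Apple's `pkgutil --expand Some.pkg outdir` and look at which pre/post-install scripts it declares, because those scripts run with the installer's privileges (root for a system install) regardless of what the bundled .app looks like. The following is an added example, not the author's njx or inception code and not Apple tooling. It scans an already-expanded flat-package tree for `PackageInfo` files whose `<scripts>` element declares `preinstall` or `postinstall` hooks and reports each script's path and first line. The sample layout it builds (`Clean.pkg`, `Wrapper.pkg`) is constructed for the demo only; on a Mac you would point `find_installer_scripts` at the directory produced by `pkgutil --expand`.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Hook names the macOS installer executes when a component package declares
# them in its PackageInfo <scripts> element (paths are relative to Scripts/).
INSTALL_HOOKS = ("preinstall", "postinstall")


def find_installer_scripts(expanded_dir):
    """Walk an expanded flat package and return a sorted list of
    (component, hook, script_path_relative_to_expanded_dir, first_line)
    for every pre/post-install script a PackageInfo file declares."""
    findings = []
    for root, _dirs, files in os.walk(expanded_dir):
        if "PackageInfo" not in files:
            continue
        info = ET.parse(os.path.join(root, "PackageInfo")).getroot()
        scripts = info.find("scripts")
        if scripts is None:
            continue  # component declares no install-time scripts
        component = os.path.relpath(root, expanded_dir)
        for hook in INSTALL_HOOKS:
            node = scripts.find(hook)
            if node is None:
                continue
            script_rel = node.get("file", "./" + hook)
            script_path = os.path.normpath(os.path.join(root, "Scripts", script_rel))
            first_line = ""
            if os.path.isfile(script_path):
                with open(script_path, "r", errors="replace") as fh:
                    first_line = fh.readline().rstrip("\n")
            findings.append((component, hook,
                             os.path.relpath(script_path, expanded_dir), first_line))
    return sorted(findings)


def build_sample_expanded_pkg(base_dir):
    """Constructed sample (not a real package): a distribution package with one
    clean component and one component that declares a preinstall hook."""
    with open(os.path.join(base_dir, "Distribution"), "w") as fh:
        fh.write('<installer-gui-script minSpecVersion="1">'
                 '<title>Sample</title></installer-gui-script>\n')

    clean = os.path.join(base_dir, "Clean.pkg")
    os.makedirs(clean)
    with open(os.path.join(clean, "PackageInfo"), "w") as fh:
        fh.write('<pkg-info identifier="com.example.clean" version="1.0">'
                 '<payload installKBytes="10" numberOfFiles="3"/></pkg-info>\n')

    wrapper = os.path.join(base_dir, "Wrapper.pkg")
    os.makedirs(os.path.join(wrapper, "Scripts"))
    with open(os.path.join(wrapper, "PackageInfo"), "w") as fh:
        fh.write('<pkg-info identifier="com.example.wrapper" version="1.0">'
                 '<payload installKBytes="10" numberOfFiles="3"/>'
                 '<scripts><preinstall file="./preinstall"/></scripts></pkg-info>\n')
    with open(os.path.join(wrapper, "Scripts", "preinstall"), "w") as fh:
        # Benign placeholder body; the point is that the hook exists at all.
        fh.write("#!/bin/sh\necho 'preinstall hook would run here'\n")


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_expanded_pkg(tmp)
        return find_installer_scripts(tmp)


if __name__ == "__main__":
    for component, hook, path, first_line in demo():
        print(f"{component}: {hook} -> {path} ({first_line})")
```

The scan reports only `Wrapper.pkg`, because `Clean.pkg` has no `<scripts>` element. Any hit deserves a look at the script body before you type an admin password into the installer; an unexpected hook in a package that claims to be a simple application drop is exactly the pattern the post describes.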

That being said, Cedric is a much better public speaker than I am, and he did spice up his presentation with a few additional items that I had not delved too deeply into, so obviously the best man won in this scenario. He’s a smart guy, who’s all about some red teaming and offensive security targeting MacOS. Go follow this dude on Twitter. He seems like a really cool guy.

CVE-2021-30657
(MFW reaction captured directly in one of Cedric’s own slides at DEF CON 29)