Zero clients in the enterprise - Skating on THIN ice

BSides Canberra · 2018 · 45:36 · 3673 views · Published 2019-02
Style: Talk
About this talk
BSides Canberra 2018 Slide deck: https://drive.google.com/open?id=1f3IE4PDh5uamUbY790B2_r6vOuolLut7
Transcript [en]

next we have Zero clients in the enterprise and we have L done yes pink

[Applause]

[Music] all right why do you care what I have to sign for the scooter research or if the predecessors training in all the social media usually as required

already for people that not security I'm probably more for all right zero clients so remember mentioning you again thin clients are essentially very small low-powered devices they let you remote into the cloud or some bigger computing resource so that he uses thin clients Jenna conduct large organizations we're buying a low-power devices of open actually testability I can save significant money Eco utilization that's the amount of power tools but also deactivated poppers capacity they're often seen in deployments when have deployments typical silos where you see the by our government

but today it's also presented usually in that it secures this in point in its own environment it's secure then you play into network having used this way or that way new species and then certainly that notion of security kind of also right but one do you have one of these if you want to just about do some research there are some sources of information becomes a path research is always a great start unfortunately so does research is always a great starting point for the thin clients there are links there are people people have done in part and build on that will do scientific actually using the occupation access to public files or the posture on

the client itself applications usually a great spot

[Music]

just grab that which is kind of closer to desktop so use the operation mode and then you remotely connect where you want to work whether that be citrix remote desktop BMC takes a number of different ones being with you where is the syrup like that kiosk mode you have to define the secret connection and then mimic read you can shut down on the management software and use this you're going to cover the clock to cook things so you see you have a lot of configuration options the other thing is you can usually have multiple connections going in to say browser etc where the heels miss Montero mode at only sports for I think only one

active at the time if the mannequin is you'll be glad to know that there are patches and updates of elements now and then it's a virtual image tool of using is this when he released just under a year ago and since then they have zero package affects the happily a couple of service packs but as you see that's less than one a month and they're mostly over all right this is the latest version of HP thin client is running flash eleven point two with public exploits luckily there are other ways so so once you know that you have a base OS and the management that they add on to it like thin client three recline

and the management cell thread because one try to the deployment of ten thousand credit class machines you don't want someone walking around with USB stick out there not a great business model so romantic so forgive Ruby mt4 ssh in the case of the big pros either keep the windows and then of course there are management very less able to interact with it operates on two derivatives monsters a user and administrator privilege level so and it almost seems when you boot it up it just issue the

or you can't clear that all your social and anyone wants to give them anything that's a good starting point I would not be surprised if you just look like us go right ahead so on the actual box itself processes again run this I broke the privilege levels and because of the vibe that was on the software to be able to go from an unknown users with administrative functions and we can get in network etc a lot of stuff right at the root but then when you do certain operations to run sudo and then and on the command Nova the privilege and this is what well or black Sarang htpc I mean that's used to determine whether or not

a piece of software behaves a certain way because it's privileged operation or the other way to non privilege and of course with this Africa you know hundred percent test coverage of all privilege escalation or the equation for every norm operation in every sequence which they don't have this is sort of mostly that's operations occur and the old one beast generated by agnostic father this web session let's go up these the reclass read these keys each my hand if red teams right so we're going to do the privileges and we highlight some of the things we talked about this might get system exploit but there is no shortage of progress local access

running in it generates this Diagnostics that you don't actually have a printer so what we want to do is you want to save this and because this particular piece of software runs a Schrute we're ready to just save this as the admin flag now before I do that I just want to prove that if I try to add any marks which the last one positive currently I mean on average and the other thing that's interesting to see is in the available software that I have to run from here's I've got one connection and I got a couple rather than pointing out and looking back in change behavior and then what we're going to do is we're

going to go through a known problem the whole HP about this recipe and I get this is the latest version so they took that very seriously here we just have a command injection 4x2

[Applause]

so one of the next destroying principles or problems that we might have to overcome around the policy these things run with the flash and it runs with the flash right detective sigh thanks it has and we know that this from Enix it actually has a full this is working for some grants and the best scripts through there and then enable what access to the station or or not it also has it implicates Allah factor because nothing about to do this but temp is the desiccated right contraction with quick pop emissions also the process is quite static temple design and then you can break tradition for root for the other on Windows similar kind of thing a great little boy that we

notice like break around right and then you can't actually buy filters that allows him to pass through and then once you reboot the device all these and of course the admin user has to write on the rope but unlike unlike we know putting it on or off tries to read it now there are a couple of cases as you might see here in the red where a normal user can disable the right action such as make the right protection reach a warning level of memory usage but not even to the point where it took probe's he's just trying to think out memory look I'm running a bit lower memory been erased a warning letter and that disables the right

protection the next reader software requirement in addition to write protection and also amended from the command line which h DC snappers say if you did have access and you go and it's not like a disk image it's just literally a copy system the CP minus R prime group in this truck you'll see this there's a second record that temple the remarkable the registry values any part of the user now go live in in this section HDTV snapper up that the factory reset to the current which many other factor reason for my notice that things aren't actually the pole and the other thing is you can just put FSM thought and it was routed into the total

slash slash factories natural and I meant reenable right axis depending on which version of the file it is you might have

reverse filing any of those mostly smuggling ship ship to the hex key flash intersect you got that device you can always be see there as well

Corky's of all the HP dignified software is mandatory and man quarries that is a framework that deals with Linux it has an XML pub where repented tentative dollars in 15 2004 can be exported imported from the airport and it took the cool component of all the dimensions of point

I could use the point applause if you want to have some customization today simply cubic what it looks like stuff from the manticore a bunch of grief namespace and then stuck define in this guy's solution it has all the values feed requires

and in this case the that is well if the root password has been deployed it will give you the password hash all right as far as the encryption you don't have access to the endings are

Peralta's you're not supposed to reuse the key provides important activity I did a little bit of reverse engineering while rt4 have that problem they absolutely do not need using crypto attacks in this fishing at all when you need it strings you'll see that GM priority is between the name of the software plus the algorithm must with with some complexity weld up so thanks a man all right Victor we can just eat with these these spring values to be adequate across the actual pasta [Music]

which regiment how we do actually hectic wanting employment across a large part of the health of exactly the same minor variations I'm not quite sure we need these men solutions to solve the same problem from the same vendor I mean obviously some of our windows and some of needs yeah one of the reason for that is not cause in HP buttocks rather than present solve those problems I just went ahead and the Iroquois advances I even

it's just listen to the fourth 4010 aspect like in Clash the Pacific comes along tough get what haven't you around these four the repository identity that start of the fall from there so if you were have you'd help us see the sort of things you can do just grab a listener for that and then whenever the next crucial comes along do the plenum random IP addresses and we'll just keep in touch and that for that would give you the repository and any credentials that you access it pulls out the config one of my values deploy it again and then we went for the next value or whatever it's the next push back the only thing is it

has a tendency to giving up time things that your partner the point image we go

to companies you know do you see the easel sorry for and the other one set all those three buddies to the same value possible from admin admin but I think

to do this if 43:30

this robot action this house pondage the other thing which is very handy when you're Mak using a keyboard you can employ three phones we've gotta run the demo attempting we're going to do the deploy a coffee receipts are right near the aircraft we're just you probably fall but that's my friend provoking folks these are deployed settings in this case we're not the point because the point settings enable fall and in that setting we're using the previous command injection so we've defined here a gateway gateway is feel like SH echo that should run

we're gonna use the older edition that makes it easy to point and fire up the browser [Music]

that's not the circle girls and go FTP download for the central spot that settings well you sit on the boat and stuffing spit it's launching a deep yet to be again we go to pump it into this side we spend enough W get [Music]

[Applause]

so that's so comfy boys the treatment time self Dominic done through this 20 new software called HD device management PDF and that it is like super into frosting the thing it has a bazillion different Ward's of different things in different directions yeah cross-platform and I have started with reverse engineering again so typically you would see this sort of satellite deployment we have multiple segregated networks you put it that way but that's all in the operation it gets

again some of the things I've seen relax to signature again it's an xml-based Manticore as the basis of the but it does seem to have some sort of the power signatures and various new devices right other question actually the world apart of a managed the big problem having a moment it's using compression engineer no trading stocks for that I'm aware of I kind of man in the middle is wicked progress if anyone all right so Gaelic said so we get reports this like this whole secret identify whether money in that way will enroll information and it sends like things back and forth as these compressed XML blocks much the stick up cost that will execute about two commands or maybe

write a script locomotive run that straight both for extracting information at the point

you could technically even in a stage poisonous the other one that's DHCP packs but but if none of those things like an bigoted people broadcast and then it will connect to server' like a web server running an ad on that what might be around

[Music] what does it expect response

that's applications and the actual for loop of the application is right here and I'm going to can't read it so this bit here the disciples have defined equals and a MAC address and then refer to every URL + stream I wrote a python script to practice my hunt that sends a super URL back through that sure enough I was able to set the update server I begin takes a full view a relic document we don't have to run the Webster

but we want to do for them what the doctors welcome to you on the same network that's these people to be able to do this malicious remote attacker and then you're the attitude you want be able to write the existing server that sitting there broadcast so the way to do that is you have to get multiple people fighting broadcast and have spots in response so we need a perhaps the the IP address of the big part that iran messages that into a euro and then just run so in in the loop and a cat listen important responders over URL so you don't recognize the command-line options for that one it's the open deity the worst and again because it does have

monastery for productive reuse as possible in lose

as you can see we're back to our friend we have fun here we have I can see it automatically what about that to do and I probably didn't have and wishes things you see here try to broadcast however now that we have of course

right here para los seizure spikes in this platform there's also a mess serious bugs some have spoken up publicly pops is a really to put one on the other one where you can just read that the ribs are running high TTC security space minus minus root

this one was pretty neat every every snapshot script checks for this and 12:00 last a factory reset Noah beyond previously like right and if that Pollux is do not apply any any research social engineer the classrooms what's your monthly on there we get the users password HD actually runs on the law of their custom software as as shops printers and the little bus rectus muscle HPD's desire some people might remember is that this critical window interface that was pretty cool and they have their own version that has some of these but it is your husband is expired and this commitment it's on a fight I couldn't fight that screen and then so you know as a rabona

cwe person and if you are running these Network segregation

I'm sorry we only divide accent with different access to one of these pots nothing back another client of course the elephant in the room is is the fact that well these are separate have access to your emails directly they have secrets these projects and talk about they control the keylogger it is a factor because acting as having access

[Applause]