Hacking the Supply Chain - The Ripple20 Vulnerabilities Haunt Tens of Millions of Critical Devices

Offered By: Black Hat via YouTube

Tags

Black Hat, Memory Leaks, IoT security, Integer Overflow

Course Description

Overview

Explore a Black Hat conference talk detailing the discovery and exploitation of Ripple20, a series of critical vulnerabilities affecting millions of IoT devices across various sectors. Delve into the intricacies of supply chain security, DNS protocols, and exploitation techniques used to compromise devices from major vendors. Learn about the far-reaching impact of these vulnerabilities on industrial controllers, power grids, medical equipment, and more. Gain insights into the technical aspects of the research, including DNS parsing logic, integer overflow, memory leaks, and heap shaping. Understand the implications of these security flaws for the IoT ecosystem and the importance of addressing supply chain vulnerabilities in critical infrastructure.

Syllabus

Intro
Supply chain
Why Treck TCP/IP?
Ripple20 Research
About CVE-2020-11901
DNS Primer: The Basics
DNS Primer: Record Types
Domain Names Encoding
DNS Message Compression
DNS Parsing Logic Type MX
DNS Label Length Calculation
Vulnerability #1: Read Out-Of-Bounds
Integer Overflow
Fixing the Read Out-Of-Bounds
Bad RDLENGTH
Artifact: Memory Leak
CVE-2020-11901: Summary
Target Device
Vulnerability Recap
Exploitation Technique
Overflow Target
CNAME Processing
Controlled Pointer Write
Linear Overflow
Heap Shaping
Pointer Write Limitations
Overwriting a Far Call
Payload Trigger


Taught by

Black Hat
