CSA_Grid

Suhwan Myeong(@bigfrog)

Sunhong Hwang(@fkillrra)

Seungmin Yoon(@sunytony)

TaiSic Yun(@t4131c)

Taiho Kim(@kimtaiho5412)

@pwnchline @Best of the Best, South Korea



Suhwan Myeong | Client-Side Attack on Live-Streaming Services Using Grid Computing


What is Grid Computing?

[Diagram: applications (.NET, C++, Node.js and Java clients) connected to a set of Data Grid nodes]


• Computational Grid
  • Performing complex computations using resources such as CPUs or GPUs

• Data Grid
  • Sharing and managing large amounts of distributed data

• Access Grid
  • A collection of resources and technologies that enables large-format audio- and video-based
    collaboration between groups of people in different locations


• P2P Based Services
  • e.g.
    • File upload/download platform
    • Live-Streaming service platform


[Slide: logos of the three analyzed services, referred to as Company A, Company B and Company C]


01. Building Environment for Test
✓ Tested in a private channel to prevent harm to other clients
✓ Filtered by IP/port while hooking with Frida

02. Process Execution Flow Analysis
✓ Process execution flow analysis with monitoring tools
✓ Checking the privilege level of each process

03. Protocol Analysis
✓ Analysis of packet flows and the data protocol using Wireshark
✓ Hooking with Frida

04. Code Analysis
✓ Static analysis using a disassembler
✓ Dynamic analysis using a debugger and hooking

05. Mutation
✓ Mutating received data by hooking recv()
✓ Mutating data to be sent by hooking WSASend()/send()

06. Crash Dump Analysis
✓ Prevent crash dumps from being sent to the server
✓ Root cause analysis


Bypass Themida

[Diagram: not-readable binary → pe-sieve memory dump, anti-debugging bypass, Themida unpacking script → readable binary]

Code coverage analysis with frida + lighthouse


Process Flow

Manager.exe: process managing; detecting mutated files
Updater.exe: update to the newest version
Streamer.exe: socket connections; grid telecommunications; send video data to the browser


Process Structure

[Diagram]
- Main Server ↔ Manager.exe / Updater.exe / Streamer.exe (link labels: CPU speed, RAM availability, network traffic)
- Update Server ↔ Manager.exe / Updater.exe: managing updates, detecting mutated files, file download, checking mutated files
- Streamer.exe ↔ another client's Streamer.exe: socket connections, grid telecommunications, send/recv streaming data
- Streamer.exe → Browser/Application: send video data to the web browser/application


Grid Structure
Socket Connection

[Diagram, tree based grid: the main server at the root, clients in layers, each client relaying to the clients below it]

[Diagram, mesh based grid: the main server at the top, clients connected to several peers rather than a single parent]




Attack Surface

[Diagram: the process structure annotated with the five attack points]
- Attack with Main Server (Manager.exe / Updater.exe / Streamer.exe ↔ Main Server)
- Attack with Update Server (Manager.exe / Updater.exe ↔ Update Server)
- Init. Data (Streamer.exe ↔ peer Streamer.exe)
- Req. Data (Streamer.exe ↔ peer Streamer.exe)
- Video Data (Streamer.exe ↔ peer Streamer.exe)


Attack Surface

Comparison Table

Attack Surface        Company A       Company B       Company C
With Main Server      Undiscovered    Undiscovered    Discovered
With Update Server    Discovered      Undiscovered    Undiscovered
Initial Data          Discovered      Discovered      Discovered
Request Data          Not Applicable  Undiscovered    Discovered
Video Data            Discovered      Discovered      Discovered


Attack Surface: With Main Server

Company A: Undiscovered    Company B: Undiscovered    Company C: Discovered


Communications with Main Server

Company A
  Contents: ∘ Analyzing data exchanged with the server using Frida to hook the recv/send functions
            ∘ Packet analysis using Wireshark
  Vuln.:    Undiscovered
  At:       -

Company B
  Contents: ∘ Analyzing data exchanged with the server using Frida to hook the recv/send functions
            ∘ Packet analysis using Wireshark
  Vuln.:    Undiscovered
  At:       -

Company C
  Contents: ∘ Packet analysis using Wireshark and API Monitor
  Vuln.:    ∘ Private IP exposure of connected clients
  At:       ∘ Windows Web Browser

Unnecessary client information can be exposed during the P2P connection.


Company C
Private IP Exposure

Fig1. IP exposure in a packet    Fig2. Collecting private IPs using Python

✓ Information leak
✓ The main server sends the private IP, which is unnecessary for the connection.
✓ We could collect more than 70 private IPs using Python in 2 hours.
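The fix on the server side is to strip addresses that other clients have no use for before a peer record leaves the main server. The following C code is an added example, not Company C's code: the peer_record structure, its field names and the "ip:port" wire form are assumptions made for the illustration. It classifies an IPv4 address as private (RFC 1918), loopback or link-local, never serializes the private_ip field at all, and withholds a record entirely when even its public address is not routable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 string into a host-order value. Returns 0 on bad input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* 1 if the address must not be published to other clients: RFC 1918 private
 * ranges, loopback, link-local, or anything that does not parse. */
int is_private_ipv4(const char *s)
{
    uint32_t ip;
    if (!parse_ipv4(s, &ip))
        return 1;
    if ((ip >> 24) == 10)     return 1;   /* 10.0.0.0/8 */
    if ((ip >> 20) == 0xAC1)  return 1;   /* 172.16.0.0/12 */
    if ((ip >> 16) == 0xC0A8) return 1;   /* 192.168.0.0/16 */
    if ((ip >> 24) == 127)    return 1;   /* 127.0.0.0/8 loopback */
    if ((ip >> 16) == 0xA9FE) return 1;   /* 169.254.0.0/16 link-local */
    return 0;
}

/* Hypothetical server-side peer record (assumed for this example). The
 * private_ip field is the kind of data the talk found in the main server's
 * reply; the point is that the serializer below never reads it. */
struct peer_record {
    char public_ip[16];
    char private_ip[16];
    unsigned port;
};

/* Wire form handed to other clients: "ip:port", and only if the public address
 * is globally routable. Returns bytes written, or -1 if the record is withheld. */
int serialize_peer_for_clients(const struct peer_record *p, char *out, size_t outsz)
{
    if (is_private_ipv4(p->public_ip))
        return -1;
    int n = snprintf(out, outsz, "%s:%u", p->public_ip, p->port);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Constructed sample: three connected peers, only one with a routable address. */
int demo_publishable_peers(void)
{
    static const struct peer_record peers[] = {
        { "203.0.113.7",  "192.168.1.20", 5000 },
        { "10.8.0.3",     "10.8.0.3",     5000 },   /* only a VPN address: nothing to publish */
        { "192.168.0.10", "192.168.0.10", 5000 },
    };
    char line[64];
    int published = 0;
    for (size_t i = 0; i < sizeof peers / sizeof peers[0]; i++)
        if (serialize_peer_for_clients(&peers[i], line, sizeof line) > 0)
            published++;
    return published;
}
```

The same idea applies to the fixed port number listed under Security Measures: anything a peer does not need for the connection stays out of the serialized record, rather than being filtered on the client after it has already been sent.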


Attack Surface: With Update Server

Company A: Discovered    Company B: Undiscovered    Company C: Undiscovered


Communications with Update Server

Company A
  Contents: ∘ Analysis of update packets
            ∘ Manager.exe is running in the background
            ∘ When clients use the service, Manager.exe executes Updater.exe automatically
            ∘ The file executes as admin
            ∘ A mutated file runs as it is
  Vuln.:    ∘ Mutate the update file and execute it
  At:       ∘ Windows Web Browser

Company B
  Contents: ∘ The update server uses HTTP
            ∘ The update is triggered when the PC boots
            ∘ MacOS: the update server uses HTTPS
  Vuln.:    Undiscovered
  At:       -

Company C
  Contents: ∘ Trigger update: the SHA1 value of the local file is compared with the hash value from the server
            ∘ Checked by directory and file name
            ∘ Checks whether the file is mutated by verifying its digital signature
  Vuln.:    ∘ Invoke a downgrade to an older version
  At:       ∘ Windows Web Browser

✓ Executes as admin
✓ Updater.exe is triggered automatically (no user interaction)


Company A
Remote Code Execution as root via Update File Tampering

There is no sub-routine that checks whether the file has been mutated before it is executed.


Company C
Prevented by Digital Signature Check

[Figure: pseudocode in Manager.exe]

✓ Checks whether the file is mutated using its digital signature.
✓ But it can still be made to downgrade to an older version.
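A signature check alone accepts any binary the vendor ever signed, including an old one with known bugs, which is the downgrade the slide describes. The C code below is an added example, not Company C's Manager.exe: the verdict names, the "MAJOR.MINOR.PATCH" version format and the order of checks are assumptions. The platform signature check itself (for instance WinVerifyTrust on Windows) is taken as an input so that the surrounding logic can be run stand-alone; the important property is that the version comparison is a separate gate that a valid signature cannot satisfy on its own.

```c
#include <stdio.h>
#include <string.h>

enum update_verdict {
    UPDATE_OK = 0,
    UPDATE_BAD_SIGNATURE,
    UPDATE_HASH_MISMATCH,
    UPDATE_DOWNGRADE,
    UPDATE_MALFORMED
};

/* Parse "MAJOR.MINOR.PATCH". Returns 0 if the string is not exactly that shape. */
static int parse_version(const char *s, unsigned v[3])
{
    char tail;
    return sscanf(s, "%u.%u.%u%c", &v[0], &v[1], &v[2], &tail) == 3;
}

/* Compare two version strings numerically (so 1.10.0 > 1.9.9).
 * Returns -1, 0 or 1 like strcmp, or -2 if either string is malformed. */
int compare_versions(const char *a, const char *b)
{
    unsigned va[3], vb[3];
    if (!parse_version(a, va) || !parse_version(b, vb))
        return -2;
    for (int i = 0; i < 3; i++) {
        if (va[i] < vb[i]) return -1;
        if (va[i] > vb[i]) return 1;
    }
    return 0;
}

/* Checks an updater should pass before executing a downloaded file.
 *   signature_ok  : result of the platform signature check (e.g. WinVerifyTrust)
 *   expected_hash : hash published by the update server for this release
 *   actual_hash   : hash computed over the downloaded file
 *   installed_ver : version currently installed
 *   candidate_ver : version of the downloaded file, taken from signed metadata,
 *                   never from an attacker-controlled file name */
enum update_verdict verify_update(int signature_ok,
                                  const char *expected_hash, const char *actual_hash,
                                  const char *installed_ver, const char *candidate_ver)
{
    if (!signature_ok)
        return UPDATE_BAD_SIGNATURE;
    if (strcmp(expected_hash, actual_hash) != 0)
        return UPDATE_HASH_MISMATCH;
    int cmp = compare_versions(candidate_ver, installed_ver);
    if (cmp == -2)
        return UPDATE_MALFORMED;
    /* A validly signed but older release is still rejected: this is the gate
     * whose absence allows the downgrade the slide describes. */
    if (cmp < 0)
        return UPDATE_DOWNGRADE;
    return UPDATE_OK;
}
```

Re-installing the same version is allowed (cmp == 0) so that a repair of a damaged install still works; only a strictly lower version is refused.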


Attack Surface: Init. Data

Company A: Discovered    Company B: Discovered    Company C: Discovered


Mutating Init. Data

Company A
  Contents: ∘ Packet analysis
            ∘ Initial data analysis
            ∘ Hooking the recv/send functions using Frida
            ∘ The initial data is for the P2P connection
            ∘ Sending the initial data format to another client that is not connected
  Vuln.:    ∘ Stealing video
  At:       ∘ Windows Web Browser

Company B
  Contents: ∘ Packet analysis / P2P communication
            ∘ Initial data analysis
            ∘ The data protocol includes a First Sequence and a Last Sequence
            ∘ Mutating the packet-size field can invoke a heap based buffer overflow
  Vuln.:    ∘ Heap based buffer overflow
            ∘ Stealing video
  At:       ∘ Windows Web Browser
            ∘ MacOS

Company C
  Contents: ∘ User authentication with a ticket from the server
            ∘ The data sender first attempts to connect, so stealing is hard
            ∘ Fixed port number
  Vuln.:    ∘ Denial of Service
  At:       ∘ Windows Web Browser

Stealing video is possible depending on the subject that transmits the initial data.


Company A
Video Stealing with Initial Data

[Diagram: main server → clients; an attacker client sends the initial data to a client, which then sends video data to the attacker]

✓ An attacker could receive any video data.
✓ Even if it asks for some authentication or a password.


Company B
Video Stealing with Initial Data

[Diagram: main server → clients, with an attacker client attached to the tree]

An unauthorized person may steal video data from the channel of a service requiring authentication.


Company B
Heap Based Buffer Overflow due to Data Length Modulation of Initial Data

[Diagram: main server → clients, with the attacker sending to a client]

✓ Heap based buffer overflow

memmove(arg1, arg2, "Attacker's Input")


Company C
Denial of Service

[Diagram: attacker, main server, clients]

✓ Make the Ticket length value greater than the length defined in the Ticket.
✓ It won't be processed properly, and the process is terminated after the thrown exception.


Attack Surface: Req. Data

Company A: Not Applicable    Company B: Undiscovered    Company C: Discovered


Mutating Req. Data

Company A
  Contents: ∘ No request data
            ∘ Data is just sent to the client in the tree-based grid
  Vuln.:    Undiscovered
  At:       -

Company B
  Contents: ∘ In the initial connection process, the sequence number was transmitted to find the requested data
            ∘ However, this is part of the initial connection process, which leads to disconnection unless the sequence is within a certain interval
  Vuln.:    Undiscovered
  At:       -

Company C
  Contents: ∘ A receiver sends a 0x1b byte to the sender for video data
            ∘ The request data includes the Seq Num of the video data
            ∘ The sender parses the header of the request data and transmits the video data corresponding to the sequence number
  Vuln.:    ∘ Denial of Service
  At:       ∘ Windows Web Browser

Index access based on request
Peer-to-peer communication


Company C
Denial of Service

[Diagram: attacker, main server, clients]

✓ It reads the Seq Num field according to the number of request data entries.
✓ By altering the Seq Num field, it over-reads the packet.
✓ If the value is outside the actual packet range, the process is terminated rather than handled properly.
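Both Company C denials of service (the Ticket length in the initial data and the Seq Num in the request data) come from the receiver trusting a length or index taken from the peer's bytes without comparing it to what it actually holds. The C code below is an added example, not Company C's Streamer.exe: the two wire formats (a 16-bit length-prefixed ticket, and a request made of a count byte followed by 32-bit sequence numbers), the window described by first_seq and chunk_count, and the sample messages are all constructed for the illustration. Each function rejects the message instead of throwing or crashing when the declared length exceeds the received bytes or a sequence number falls outside the sender's window.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire formats (assumptions for this example, not the vendor's):
 *   init message    : [u16 ticket_len][ticket_len bytes of ticket]
 *   request message : [u8 count][u32 seq] x count          (all big-endian)
 * The sender holds chunk_count video chunks starting at sequence first_seq. */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns the ticket length if the declared length fits inside what was actually
 * received, otherwise -1. A ticket whose length field is inflated never reaches
 * the code that would otherwise trust that field. */
int parse_ticket_len(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2)
        return -1;
    uint16_t declared = rd16(buf);
    if (declared > buflen - 2)
        return -1;
    return declared;
}

/* Resolves every requested sequence number to an offset into the sender's chunk
 * table. Returns the number of entries resolved, or -1 if the count field claims
 * more entries than were received or any sequence lies outside the window.
 * out may be NULL to validate only. */
int resolve_requests(const uint8_t *buf, size_t buflen,
                     uint32_t first_seq, uint32_t chunk_count,
                     uint32_t *out, size_t out_max)
{
    if (buflen < 1)
        return -1;
    size_t count = buf[0];
    if (count * 4 > buflen - 1)             /* count field vs bytes actually present */
        return -1;
    if (out && count > out_max)
        return -1;
    for (size_t i = 0; i < count; i++) {
        uint32_t seq = rd32(buf + 1 + 4 * i);
        uint32_t offset = seq - first_seq;  /* unsigned wrap: seq < first_seq becomes huge */
        if (offset >= chunk_count)          /* index would leave the chunk table */
            return -1;
        if (out)
            out[i] = offset;
    }
    return (int)count;
}

/* Constructed samples. The window used with them is first_seq = 3, chunk_count = 4. */
const uint8_t SAMPLE_INIT_OK[]          = { 0x00, 0x04, 'T', 'K', 'T', '1' };
const uint8_t SAMPLE_INIT_INFLATED[]    = { 0x00, 0x40, 'T', 'K' };      /* claims 64 bytes, 2 present */
const uint8_t SAMPLE_REQ_OK[]           = { 0x02, 0,0,0,5, 0,0,0,6 };    /* seq 5 and 6 */
const uint8_t SAMPLE_REQ_OUT_OF_RANGE[] = { 0x01, 0,0,0,9 };             /* seq 9, window is 3..6 */
const uint8_t SAMPLE_REQ_BELOW_WINDOW[] = { 0x01, 0,0,0,1 };             /* seq 1, below first_seq */
const uint8_t SAMPLE_REQ_TRUNCATED[]    = { 0x03, 0,0,0,5 };             /* claims 3 entries, 1 present */
```

The subtraction in resolve_requests is done in unsigned arithmetic on purpose: a sequence number below the window wraps to a very large offset and fails the single range check, so no separate lower-bound comparison is needed.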


Attack Surface: Video Data

Company A: Discovered    Company B: Discovered    Company C: Discovered


Mutating Video Data

Company A
  Contents: ∘ Mutating the header part of the packet
            ∘ Mutating the video data area other than the header
            ∘ As a result, other clients' screens were broken or completely controlled by an attacker
  Vuln.:    ∘ Heap based buffer overflow
            ∘ Picture distortion
            ∘ Pirate broadcasting
  At:       ∘ Windows Web Browser
            ∘ Windows App
            ∘ iOS / MacOS

Company B
  Contents: ∘ Static analysis: the sequence of calls from the recv() function to the malloc() function
            ∘ Hooking the WSASend() function
            ∘ Mutating the length field of the packet
  Vuln.:    ∘ Denial of Service
            ∘ Picture distortion
  At:       ∘ Windows Web Browser
            ∘ Android
            ∘ MacOS

Company C
  Contents: ∘ Using Frida, hooking the WSASend() function to mutate video data
            ∘ Mutating the video data area other than the header
            ∘ As a result, other clients' screens were broken
  Vuln.:    ∘ Picture distortion
  At:       ∘ Windows Web Browser

✓ Weak data integrity verification


Company A
Heap Based Buffer Overflow

[Diagram: main server → clients, attacker client sending to a client]

✓ By modulating the size value passed to memcpy(), a heap based buffer overflow occurs.


Company A
Pirate Broadcasting by modulation of video data

[Diagram, usual case: Broadcast A and Broadcast B from the main server; the attacker client and the victim client each relay their own broadcast to the clients below them]

[Diagram, pirate broadcasting: the attacker client relays replaced video data, so the clients below receive the attacker's broadcast instead]

✓ No validation on tampered data, so existing video data can be replaced with new video data and transmitted to other clients for pirated broadcasting.


Company B
Denial of Service

Hook the WSASend() function in WS2_32.dll using Frida, arbitrarily modulating the data length value sent to another client.


Company B
Picture Distortion

[Diagram: main server → clients, attacker client sending to a client]


Company B
Memory corruption via Sequence Number field modulation

A crash occurs while referencing memory because the result of the % operation is negative due to a wrong type declaration.
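Two of the video-data defects above have the same shape: a value taken from the peer's packet (the copy length for the Company A memcpy(), the sequence number Company B reduces with %) is used to address memory before it is checked. The C code below is an added example, not either vendor's code: the slot table, the 6-byte chunk header and the sample packets are constructed for the illustration. It shows the signed % beside its unsigned replacement, and a chunk store that compares the declared length with both the bytes actually received and the destination capacity before the memcpy runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RING_SLOTS 8      /* number of reassembly slots (constructed) */
#define SLOT_BYTES 16     /* capacity of each slot (constructed) */

/* The pattern the Company B slide describes: with the sequence number declared
 * signed, a negative (or crafted, high-bit) value makes % return a negative
 * slot index, and the lookup walks off the front of the table. */
int slot_index_signed(int32_t seq)
{
    return seq % RING_SLOTS;            /* -7..7, not 0..7 */
}

/* Fixed: unsigned arithmetic keeps the result inside the table. */
unsigned slot_index_unsigned(uint32_t seq)
{
    return seq % RING_SLOTS;            /* always 0..7 */
}

struct ring {
    uint8_t slots[RING_SLOTS][SLOT_BYTES];
    size_t  used[RING_SLOTS];
};

/* Constructed chunk header: [u32 seq][u16 len][len bytes], big-endian. */
#define HDR_LEN 6

/* Copies one received chunk into its slot. The declared length is checked
 * against both the bytes actually received and the slot capacity before the
 * memcpy runs; that check is the one whose absence the heap overflow relied on.
 * Returns bytes stored, or -1 if the chunk is rejected. */
int store_chunk(struct ring *r, const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < HDR_LEN)
        return -1;
    uint32_t seq = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16)
                 | ((uint32_t)pkt[2] << 8)  |  pkt[3];
    size_t len = ((size_t)pkt[4] << 8) | pkt[5];
    if (len > pktlen - HDR_LEN)         /* claims more than was received */
        return -1;
    if (len > SLOT_BYTES)               /* would overflow the destination */
        return -1;
    unsigned slot = slot_index_unsigned(seq);
    memcpy(r->slots[slot], pkt + HDR_LEN, len);
    r->used[slot] = len;
    return (int)len;
}

struct ring g_ring;   /* zero-initialised sample ring */

/* Constructed samples. */
const uint8_t SAMPLE_CHUNK_OK[]       = { 0,0,0,9, 0x00,0x03, 'a','b','c' };   /* seq 9, len 3 */
const uint8_t SAMPLE_CHUNK_INFLATED[] = { 0,0,0,9, 0x01,0x00, 'a','b','c' };   /* claims 256 bytes */
const uint8_t SAMPLE_CHUNK_SHORT[]    = { 0,0,0,9, 0x00 };                     /* header cut off */
```

Note that the length check has two halves: a length larger than the received packet would read past the source buffer, and a length larger than the slot would write past the destination; both must hold before the copy.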


Company C
Picture Distortion

[Diagram: main server, attacker client, clients]

✓ Using Frida
✓ Hooking the WSASend() function and mutating video data


Vuln. Type

Vulnerability             Company A   Company B   Company C
Picture Distortion        O           O           O
Stealing Video            O           O           X
File Tampering            O           X
Information Leakage       X           X           O
DoS (Denial of Service)   O           O           O


Security Measures

With Main server
  ✓ Beware of unnecessary information disclosure
  ✓ Delete: fixed port number and private IP address

With Update server
  ✓ HTTPS
  ✓ Detect file tampering / digital signature

P2P - Initial data
  ✓ Enhance authentication for users to connect

P2P - Request data
  ✓ Ensure data integrity

P2P - Video data
  ✓ Distribute control of the flow of receiving data
  ✓ Ensure data integrity


Thank you for your attention