1. Moscone West 3004

Moabi just reported CVE-2016-10743 and CVE-2019-10064, which are not public. The first one relates to an accidental fix in Hostapd 2.5; the second one is current and affects all versions of Hostapd including the current ones (there is no patch). Both relate to the fact that Hostapd is relaying on PRNGs from the libc to generate various cryptographic keys, while never actually seeding those PRNGs.

Pre-Requisites: Technical experience in Reverse Engineering and a working knownedge of everything ranging from assembly to C auditing to compiler mitigations and exploits writing.

Download pdf
Participants: