TALKS & SPEAKERS

Two day of conferences | 16 talks | 27 speakers

Click on a talk to see the speaker's presentation

A journey of fuzzing Nvidia graphic driver leading to LPE exploitation

Thierry Doré

Attacking Safari in 2022

Quentin Meffre

Cinema time!

Nikita Tarakanov, Andrey Labunets

Emulate it until you make it! Pwning a DrayTek Router before getting it out of the box.

Philippe Laulheret

Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in MS-RPC service

Ophir Harpaz, Stiv Kupchik

Fuzzing RDPEGFX with wtf

Colas Le Guernic, Jérémy Rubert

Hacking the Cloud with SAML

Felix Wilhelm

Hara-Kirin: Dissecting the Privileged Components of Huawei Mobile Devices

Maxime Peterlin, Alexandre Adamski

Hunting for cloudy SSRFs

Nicolas Joly

Life and death of an iOS attacker

Luca Todesco

More Tales from the iOS/macOS Kernel Trenches

John Aakerblom

bd-jb: Blu-ray Disc Sandbox Escape

Andy Nguyen

I feel a draft. Opening the doors and windows: 0-click RCE on the Tesla Model3

David Berard, Vincent Dehors

Toner deaf - Printing your next persistence

Cedric Halbronn, Alex Plaskett

The unavoidable pain of backups: security deep-dive into the internals of NetBackup

Nicolas Devillers, Jean-Romain Garnier, Anaïs Gantet, Abouhali Mouad, Benoît Camredon

You've got mail! And I'm root on your Zimbra server

Thomas Chauchefoin

A journey of fuzzing Nvidia graphic driver leading to LPE exploitation

Abstract

Nvidia is one of the main GPU manufacturers and chances are that your own computer is equipped with one of their cards. With such devices come proprietary kernel drivers that are in charge of communicating with the hardware. These drivers are usually a fantastic playground for researchers as they handle complex messages and embed tons of shady parsers.

In this talk, we’ll present our journey in one of them and how we ended up going from what should have been a simple and noncommittal fuzzing campaign for honing our skills, to exploiting an up-to-date Windows 10 machine.

We’ll deep dive into the internals of the driver to explain the different message formats and how, by using IDA scripting and some dynamic symbolic execution, we managed to generate a comprehensive corpus to feed the fuzzer.

Fuzzing kernel components is also not so trivial so we’ll succinctly describe the inner working of the snapshot based fuzzer used and present a couple of bugs found during the campaign.

Finally, to go down the rabbit hole through the end, we’ll explain how we managed to leverage these bugs to obtain kernel code execution on the machine.

Speakers

Thierry Doré

Quarkslab

Bio

Thierry Doré is a security engineer at Quarkslab for 5 years now. He tackles various topics going from embedded to Windows internals, with the latter being his main topic of interest. He also contributes as a trainer for university and security events, where he shares his knowledge about reverse engineering and vulnerability exploitation.

Attacking Safari in 2022

Abstract

The Safari browser is a critical piece of an iPhone/Mac device. Attackers often used it as an entry point for a full-chain. Apple is aware of this method and implements many mitigations to make attackers’ life harder. This talk introduces each mitigation used to prevent attackers from executing arbitrary shellcodes in the WebContent context. All these mitigations will be presented as well as the different bypasses that existed, from the old SEPARATED_WX_HEAP mitigation and its weaknesses to APRR, PAC and JIT code signature. We will see how Apple changed the game for attackers with the recent changes made to these mitigations.

Speakers

Quentin Meffre

Synacktiv
@0xdagger

Bio

Quentin Meffre is a computer security researcher at Synacktiv. His main interests are vulnerability research, exploit development, and software programming. He especially likes browser security.

Cinema time!

Abstract

Media parsing is known as one of the weakest components of every consumer system. It often operates complex data structures in the most performant way possible, which is at odds with security requirements, such as attack surface minimization, compartmentalization, and privilege separation. Compared to other operating systems, video decoding on MacOS/iOS is an interesting case for two different reasons. First, instead of running in usermode, a considerable portion of format parsing is implemented in a kernel extension called AppleAVD, exposing the kernel to additional remote attack vectors. Second, recent anonymous reports suggest that AppleAVD may have been exploited in the wild. Our talk investigates AppleAVD kernel extension in-depth, covering video decoding subsystem internals, analysis of vulnerabilities, and ways to exploit them.

Speakers

Nikita Tarakanov

Bio

Nikita Tarakanov is an independent security researcher. He has worked as a security researcher in Positive Technologies, Vupen Security, Intel corporation and Huawei. He likes writing exploits, especially for OS kernels. He won the PHDays Hack2Own contest in 2011 and 2012. He has published a few papers about kernel mode drivers and their exploitation. He is currently engaged in reverse engineering research and vulnerability search automation.

Andrey Labunets

@isciurus

Bio

Andrey Labunets is a security researcher with more than a decade of experience in vulnerability research and reverse engineering.

Emulate it until you make it! Pwning a DrayTek Router before getting it out of the box.

Abstract

Hacking routers is a well covered topic, but what about finding an RCE without even having the device itself?  
Through a mix of static reversing, function emulation and full firmware emulation, I defeated many layers of compression, encryption and weird abstraction to eventually find a pre-auth RCE affecting hundreds of thousands of routers from DrayTek.  
Using the proprietary DrayOS operating system, these devices are commonly found in small to medium sized businesses. In the last couple of years, some other models have also been known to be the target of exploits in the wild.  
If you’re curious about how to approach these devices, come to this talk where I’ll share the process and techniques used to unpack the firmware, emulate the useful bits, and write an exploit that resulted in the remote & unauthenticated take over of a device purchased for the occasion.

Speakers

Philippe Laulheret

@phLaul

Bio

Philippe Laulheret is a Senior Security Researcher on the Trellix vulnerability research team. With a focus on Reverse Engineering and Vulnerability Research, Philippe uses his background in Embedded Security and Software Engineering to poke at complex systems and get them behave in interesting ways. Philippe presented multiple projects covering hardware hacking, reverse engineering and exploitation at DEF CON, Hardwear.io, Eko Party and more. In his spare time, Philippe enjoys playing CTFs, immersing himself in the beauty of the Pacific Northwest, and exploring the realm of Creative Coding. Philippe holds a MSc in Computer Science from Georgia Tech and a MSc in Electrical and Computer Engineering from Supélec (France).

Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in MS-RPC service

Abstract

MS-RPC is Microsoft’s implementation of the Remote Procedure Calls protocol. Even though the protocol is extremely widespread, and serves as the basis for nearly all Windows services on both managed and unmanaged networks, little has been published about MS-RPC, its attack surface and design flaws.
 
In this talk, we will walkthrough and demonstrate several vulnerabilities which we discovered through our research of MS-RPC. When exploited, these vulnerabilities allow attackers to trigger restricted functions on remote RPC servers. We believe these bugs belong to a somewhat novel category which is unique to RPC server implementations, and would like to share this idea as a possible research direction with the audience.
 
To aid future research into the topic of MS-RPC, we will share a technical overview of the RPC system in Windows, explain why we decided to target it, and point out several design flaws. We will also dive into the methodology we developed around RPC as a research target and share the tools we built to facilitate the bug-hunting process.

Speakers

Ophir Harpaz

Akamai
@OphirHarpaz

Bio

Ophir Harpaz is a security research team lead in Akamai, where she manages research projects around OS internals, exploitation and malware analysis. Ophir has spoken in various security conferences including Black Hat USA, Botconf, SEC-T, HackFest and more. As an active member in Baot - a community for women engineers - she has taught a reverse-engineering workshop (https://begin.re) to share her enthusiasm for reversing. Ophir has entered Forbes' list of 30-under-30 and won the Rising Star category of SC Magazine's Reboot awards for her achievements and contribution to the Cyber security industry.

Stiv Kupchik

Akamai
@kupsul

Bio

Stiv Kupchik is a security researcher at Akamai, whose research projects revolve around OS internals, vulnerability research and malware analysis. Before joining Akamai, Stiv was a DFIR team leader in the IDF, specializing in Windows and networks forensics. Besides cyber security, Stiv is also a physics student, and likes to read and game on his PC in his spare time.

Fuzzing RDPEGFX with wtf

Abstract

Microsoft’s Remote Desktop Protocol (RDP) client has been fuzzed by various teams in the past few years, it thus seemed like a good target to try a recent snapshot fuzzer: what the fuzz (wtf) (of which we are only users). In this talk we’ll show how we took advantage of wtf flexibility in order to efficiently fuzz the RDPEGFX channel of Microsoft RDP client and uncover CVE-2022-30221. After briefly presenting RDP and prior work, we’ll describe our campaign and the changes made to wtf. We first improved the memory management code to be able to add breakpoints to pages in transition. We then added context sensitive edge coverage to the bochscpu backend, and experimented with more exotic ones.

These modifications will be published as pull requests on wtf repository before the conference.

By combining a fast but coarse KVM backend with our precise but slow modified bochscpu backend we were able to find an OOB write in Windows’ software rasterizer. We will explain how we minimized the crash before analyzing it with tenet and built a PoC server triggering the OOB write remotely on vulnerable clients.

The main takeaways for attendees will be some insight into dump preparation, exotic coverage, and corpus manipulation. Several open source tools make it possible to get up and fuzzing relatively easily even on client/server targets, and some old bugs are still waiting to be found.

Speakers

Colas Le Guernic

Thalium

Bio

Colas Le Guernic is a security researcher at Thalium (part of THALES group). He started his career in academia working on safety analysis of cyber-physical systems.
His love for the Cyber lead him to an enlightening modeling career at DGA Information Superiority. He is now searching for vulnerabilities in userland applications and is perfectly happy staying on the third floor (he has never been to the basement).

Despite striving to lead the way towards a more sustainable world in a refreshing way, Colas is not related to any infrastructure or beverage company.

Jérémy Rubert

Thalium

Bio

Jérémy Rubert is a reverse engineer at Thalium (part of THALES group) for 4 years now and in info security domain for 10 years. He is specialist on reverse engineering, fuzzing and vulnerability exploitation. He also contributes as a trainer for university where he shares his knowledge about reverse engineering and malware.

Hacking the Cloud with SAML

Abstract

Security Assertion Markup Language (SAML) is a single-sign-on standard based on XML signatures. It’s widely used in cloud, enterprise and government environments to provide a seamless login flow into web applications.
 
This talk will present the results of my research on the security of modern SAML implementations. I’ll present a technical deep dive into the SAML attack surface and novel ways to attack SAML support in modern SaaS applications. After discussing the vulnerabilities I discovered in widely used SAML stacks, I’ll finish with a detailed walkthrough of an unusual remote code execution bug in a widely used library that’s exposed via SAML.

Speakers

Felix Wilhelm

@_fel1x

Bio

Felix Wilhelm is a security researcher at Google Project Zero focusing on cloud and virtualization security. Previously, he worked in product security for Google Cloud and as a security researcher at ERNW.

Hara-Kirin: Dissecting the Privileged Components of Huawei Mobile Devices

Abstract

Over the years, major mobile devices manufacturers have steadily improved their security to foil increasingly sophisticated attacks. This is achieved on most modern Android-based systems by implementing custom hardware and software components that rely on the latest ARM security features.
 
These components are an integral part of the execution lifecycle. Starting with the boot process, devices maintain integrity using a multi-stage secure bootchain where each stage cryptographically verifies the next one. Once the device is booted, kernel integrity is ensured by a security hypervisor that watches over it.
 
Security-sensitive hardware peripherals, such as the touchscreen or the crypto-processors, can be accessed in a secure and isolated manner using the ARM TrustZone technology. It can be used to create trusted UIs, implement DRMs, etc. as all the sensitive data and the critical interruptions are directly handled by a trusted environment.
 
However, the benefits of these security features are highly dependent on a robust implementation, as they could otherwise widen the attack surface and potentially introduce a single point of failure. On Huawei smartphones, these privileged components have seen little public scrutiny as they are hidden behind a layer of encryption.
 
In this presentation, we will shed light on the internals of Huawei’s implementation by detailing some unique design choices that were made. We will also explain our research methodology and reveal the now-fixed vulnerabilities that we found and exploited in the hypervisor, monitor, trusted OS and trusted applications.

Speakers

Maxime Peterlin

Impalabs
@lyte__

Bio

Maxime Peterlin is a security researcher and co-founder at Impalabs. His day-to-day work includes reverse engineering, studying low-level systems, vulnerability research, binary exploitation and tools development. He was also a speaker & trainer at various conferences such as BHUSA, Zer0con and hardware.io

Alexandre Adamski

Impalabs
@NeatMonster_

Bio

Alexandre Adamski is a security researcher and co-founder at Impalabs. His day-to-day work includes reverse engineering, vulnerability research and binary exploitation. What he likes more than anyting is breaking binaries at non-zero exception levels. In his free time, he also develops open-source tools and plugins

Hunting for cloudy SSRFs

Abstract

SSRF vulnerabilities are fairly common these days, almost as popular as stack overflows were 2 decades ago. Properly exploited they can have devastating effects on the attacker’s target. The MSRC even temporarily created a dedicated Azure SSRF bug bounty last year to try to learn more from these attacks. This talk will cover several freshly discovered issues found in critical Azure services such as Azure Kubernetes Services or Office Online. It will describe them from a black box perspective and give details on the methodology used behind their discoveries. Exploitation of those issues will only be quickly discussed, the talk will focus on how to find such bugs.

Speakers

Nicolas Joly

@n_joly

Bio

Nicolas Joly is a security engineer at the MSRC in the UK. He has more than 10 years of experience at reverse engineering and vulnerability discovery, and is now focused on finding and exploiting bugs at Microsoft. Prior to this, he used to hunt bugs for bounties and won several times pwn2own with Vupen Security.

Life and death of an iOS attacker

Abstract

TBD

Speakers

Luca Todesco

@qwertyoruiopz

Bio

Luca Todesco is a co-founder and managing partner at Dataflow Security, a company focusing on offensive mobile security. He has dedicated most of his research career to *OS and continues to focus on its new challenges

More Tales from the iOS/macOS Kernel Trenches

Abstract

Exploitation of Apple’s iOS operating system, including its kernel, has long been a topic receiving much attention in the information security community. Yet not much technical research in the area has been made public in recent years, with many patched or mitigated bugs and techniques never being publicly detailed. This talk will be a technical talk about exploitation of the iOS 15 kernel, using bugs and techniques that in research available to the public have seen little or no use before.

Speakers

John Aakerblom

@jaakerblom

Bio

John Aakerblom is an independent security researcher with several years of experience of security research focused on the iOS and macOS operating systems.

bd-jb: Blu-ray Disc Sandbox Escape

Abstract

WebKit has been exploited in the past in order to have a userland entry point, the initial foothold, on the PS4. Though, porting such an exploit to the PS5 is challenging as the PS5’s AMD CPU newly supports eXecute-Only-Memory (XOM) which prevents the attacker from reading the .text segment. That basically makes it impossible to find addresses of functions, syscalls, and ROP gadgets. In this talk, Andy Nguyen presents a new attack vector and a firmware-agnostic and ROP-less exploit to achieve native code execution on the PS4 and PS5.

Speakers

Andy Nguyen

Google
@theflow0

Bio

Andy Nguyen is an Information Security Engineer at Google focusing on Cloud Vulnerability Research. Andy has been hacking PlayStation consoles since 16 years old and has released multiple jailbreaks for the PS Vita and published multiple kernel vulnerabilities for the PS4 / FreeBSD.

I feel a draft. Opening the doors and windows: 0-click RCE on the Tesla Model3

Abstract

This presentation describes the exploit chain used at Pwn2own Vancouver 2022 against the Tesla Model3, which allowed the Synacktiv team to gain remote code execution, over Wi-Fi, on the car’s infotainment system without any user interaction.

 

Initial access to the firmware and its emulation will be presented as an introduction, followed by an overview of the remote attack surface.

Two remote vulnerabilities will then be detailed, as well as their exploitation method, involving complex heap manipulations. The targeted process being sandboxed, escape & bypass strategies and an analysis of the restricted environment will also be provided.

To end on a lighter note, the CAN messages format and how to use them to interact with the car will be explained.

 

The various adventures encountered during the participation in the competition will also be discussed.

Speakers

David Berard

Synacktiv
@_p0ly_

Bio

David Berard is a security expert in Synacktiv's engineering team. He is specialized in mobile and embedded systems reverse engineering, vulnerability research and exploit development.

Vincent Dehors

Synacktiv
@vdehors

Bio

Vincent Dehors has worked on the design and development of many products as a low-level software engineer. Now he is doing vulnerability research and exploit development at Synacktiv. He likes giraffes.

Toner deaf - Printing your next persistence

Abstract

In November 2021, NCC Group won at the Pwn2Own hacking contest against a Lexmark printer. This talk is about the journey from purchase of the printer, having zero knowledge of its internals, remotely compromising it using a vulnerability which affected 235 models, developing a persistence mechanism and more.
 

This talk is particularly relevant due to printers having access to a wide range of documents within an organisation, the printers often being connected to internal/sensitive parts of a network, their lack of detection/monitoring capability and often poor firmware update management processes.
 

The presentation is divided into the following key sections:

  1. Platform Security: We describe the technical details of hardware attacks on the Lexmark printer to enable unencrypted firmware dumping and visibility into the internals of the platform. We explain the security architecture of the device and strengths/weaknesses of certain components.
  2. Vulnerability Research and Exploitation: We describe a vulnerability identified within the Printer Job Language (PJL) handling code and how this could be exploited to achieve arbitrary file write. We show how this was exploited to obtain a shell on the device.
  3. Getting Persistence: We describe internal mechanisms in place to make it difficult for an attacker to persist, such as a secure boot chain and a locked down file system. We detail a vulnerability which we found that allowed us to gain access to the device both across reboots and firmware updates.

 

An attendee to this talk should have the following key takeaways:

  • Enhance their knowledge of embedded system security attack and defence
  • Enhance their reverse engineering, vulnerability research and exploitation knowledge
  • For a device vendor this should provide insights into attacker methodology and provide tangible technical feedback in areas which may often be overlooked within a device’s security posture

Speakers

Cedric Halbronn

@saidelike

Bio

Cedric (@saidelike) specialises in vulnerability research and exploit development, and while at NCC Group working in the Exploit Development Group (EDG) has published some public research related to Cisco ASA, Windows kernel, NAS devices, printers, etc.

Alex Plaskett

@alexjplaskett

Bio

Alex Plaskett is a Security Researcher at NCC Group. He specialises in vulnerability identification and exploitation. He has found and exploited vulnerabilities in a wide range of high profile products. Alex was previously leading teams in multiple areas of security (Fintech, Mobile Security), competing at multiple Pwn2Own’s and just generally causing vendors to patch things.

The unavoidable pain of backups: security deep-dive into the internals of NetBackup

Abstract

Essential for the performance and business continuity of companies, data must constantly be accessible. Losing data, either accidentally or intentionally, can become a significant disaster, as showcased by the proliferation of ransomware. As such, large companies usually turn to backup management and data recovery software to tackle this issue.
 
By design, these products often have extensive and sometimes privileged accesses to large parts of the infrastructure. They are thus a target of choice for attackers of all sorts, including red-teamers. It is indeed during the preparation of a red-team engagement that the authors decided to dig into the internals of the leader in backup management and data recovery: NetBackup by Veritas.
 
In this talk, AirbusSeclab will present their deep security analysis of NetBackup. They will cover several critical vulnerabilities which, combined, allow a remote unauthenticated attacker to fully compromise the whole backup infrastructure. They will also share insights about their methodology, as well as usage recommendations and some lessons learnt from the undertaken evaluation and coordinated disclosure.

Speakers

Nicolas Devillers

Airbus
@nikaiw

Bio

Nicolas Devillers is a security engineer at Airbus, member of the Digital Security Evaluation Team (@AirbusSeclab). Before that, he spent around 10 years in offensive security previously working at Lexfo with a special focus in pentest and red teaming. He is also an avid CTF player, member of the 0daysober team.

Jean-Romain Garnier

Airbus
@JRomainG

Bio

Jean-Romain Garnier is a security engineer at Airbus, part of the Digital Security Evaluation Team (@AirbusSeclab) since 2020. Before that, he studied physics and mathematics before specializing in computer science. Along cybersecurity, he worked on projects ranging from telecommunications to computer vision, managed networks, and developed commercial products for iOS devices. He is now mainly interested in reverse engineering and low level security.

Anaïs Gantet

Airbus

Bio

Anaïs Gantet is a security engineer at Airbus. As a member of the Digital Security Evaluation Team (@AirbusSeclab), she has five years experience in offensive security targeting IT solutions as well as avionics systems, and is interested in low level security. She gave talks about vulnerability research in hypervisors and embedded kernels, as well as about specific tooling development to help reverse engineering on Android emulators at SSTIC, THCon, ISSRE and Blackhoodie.re conferences. She also teaches network security, kernel security and virtualisation security to Master degree's students.

Abouhali Mouad

Airbus
@_m00dy_

Bio

Mouad Abouhali is currently a security evaluation expert at Airbus, member of the Digital Security Evaluation Team (@AirbusSeclab) for about 10 years. He is currently responsible for performing deep-dive evaluations to assess the security level of network infrastructure software, IT products and avionic products. Before joining Airbus, he worked as a security consultant and pentester for several years in various organizations. He's also a SANS community instructor and loves teaching reverse engineering and hacking.

Benoît Camredon

Airbus
@ben64_

Bio

Benoît Camredon is a security expert at Airbus, specialized in avionics audit. He has more than ten years experience in avionic cybersecurity. After several years spent in development and system administration, he began in 2008 writing high level security rules for aircraft embedded systems. Since 2011, he has specialized in security low level audits and penetration testing. In 2015, he developed a USB framework, presented in a French security conference, used to emulate USB peripherals and assess USB stacks and drivers robustness.

You've got mail! And I'm root on your Zimbra server

Abstract

Zimbra is an enterprise-level email solution, which is used by over 200 000 businesses and government institutions. It has recently been the target of a 0-day campaign likely conducted by a state actor. As demonstrated by the Microsoft Exchange vulnerabilities, enterprise mail servers are a gold mine for attackers: their compromise would give access to the target’s most sensitive data and provide an initial foothold to later pivot to internal services. This motivated us to search for what others had missed.
 
We will first break down how we approached a complex enterprise web target made of several services from the viewpoint of a sophisticated attacker. Then, we’ll take a deep dive and show how we abused a newline injection bug to steal clear-text credentials from users, applied a common vulnerability pattern to find a stored XSS vulnerability in the email body, and finally went beyond scope and program boundaries and discovered a 0-day in a third-party dependency to get pre-authenticated code execution.

Speakers

Thomas Chauchefoin

Sonar
@swapgs

Bio

Thomas Chauchefoin is a Vulnerability Researcher at Sonar. With a strong background in offensive security, he helps uncover and responsibly disclose 0-days in major open-source software to sharpen Sonar's static analysis technology. He also participated in competitions like Pwn2Own or Hack-a-Sat and was nominated twice for a Pwnie Award for his research on PHP supply chain security.

Prepare your venue at Hexacon

Brace yourselves, it is going to be amazing

Reserve your place

Trainings

Agenda