TALKS & SPEAKERS

Abstract

As an indispensable part of our modern life, Smart Speakers have become a crucial role of Home Automation Systems. With Sonos emerging as a leader in this space, they have prioritized security, resulting in its Sonos One Speaker becoming as a Pwn2Own target for 3 consecutive years. As the first team to successfully hack it, we will share our experiences, stories, and insights throughout our past 3-year research journey. Our talk will explore attacks on the hardware, firmware, and software levels, as well as discuss the evolution of defenses we have observed from Sonos. We will also recount the cat-and-mouse game we played with the Sonos security team: Why were they always able to kill our vulnerabilities so precisely right after we developed a working exploit? This forces us to exhaust 4 different types of 0day to conquer a single Pwn2Own target.
 
The saga begins with our amusing but failed attempt in the first year, followed by our strong comeback in the second year, where we successfully took over the target using an Integer Underflow. After the competition, we witnessed a significant leap in Sonos’s defense mechanisms, which made our struggle with the Sonos security team even more challenging in the third year. To provide a comprehensive overview of our research, we will cover hardware attacks such as leveraging DMA Attack to jailbreak and obtain a Local Shell; firmware analysis, from firmware decryption to vulnerability discovery in the firmware over-the-air (FOTA) mechanism; and of course, software-level attack surface analysis and vulnerability mining in different ways. We will detail the stories behind our successful exploitations, such as bypassing all protections to exploit the target, racing the Thread Stack to different primitives to exploit the Stack Clash, and leveraging different types of vulnerabilities to achieve RCEs. These stories are all essential parts of our journey to win the Pwn2Own Toronto 2022 championship trophy and at least $80K in rewards.

Abstract

XNU is getting harder and harder to exploit. There are now more talks about how hard it has become than how to actually break it (the author has actually shamelessly given two in 2019 and 2022).
 
The (somewhat irritating) answer to that is often “jUsT fiNd LogIc/cRYptOgrAphIC bUGs”. However it’s not that easy to find a kernel bug that gives arbitrary code exec as root… or is it?

Abstract

MikroTik, as a supplier of network infrastructures, its products and RouterOS are adopted widely. Currently, at least 3 million+ devices are running RouterOS online. Being the target research by attackers actively, the exploits leaked from the CIA in 2018 and the massive exploits that followed are samples of the havoc that can be caused when such devices are maliciously exploited again. Therefore, RouterOS also attracts many researchers to hunt bugs in it. However, there are rarely high-impact vulnerabilities reported over a long period. Can the OS become perfect overnight? Of course not. Some details have been missed.
 
Researches on RouterOS were mainly against jailbreak, Nova Message in IPC, and analysis of exploits in the wild. Especially researches against Nova Message have reported tons of post-auth vulnerabilities. However, the architecture design and the lower-layer objects, which are closely related to the functionality of Nova Binary, were being neglected due to their complexity, causing some details to be overlooked for a long time. Starting by introducing the mechanisms of the socket callback and the remote object, we will disclose more about the overlooked attack surface and implementations in RouterOS. Moreover, we will discuss how we, at the end of rarely visited trails, found the pre-auth RCE that existed for nine years and can exploit all active versions and the race condition in the remote object. We will also share our methodology and vulnerability patterns.
 
Delving into the design of the RouterOS, attendees will have a greater understanding of the overlooked attack surface and implementation of it and be able to review the system more reliably. Additionally, we will also share our open-source tools and methodology to facilitate researchers researching RouterOS, making it less obscure.

Abstract

Can you think about even one project that does not use several programming languages, protocols, or communication standards? Today’s variety of technologies introduces a significant challenge when it comes to interoperability. If two different software components interact with each other but disagree about certain specifics of their communication protocol, this may introduce vulnerabilities known as parser differentials.
 
This talk dives into two critical vulnerabilities in the remote desktop gateway Apache Guacamole, which allows users to access remote machines via a web browser. The Guacamole gateway is usually the only externally accessible instance, granting access to remote machines isolated in an organization’s internal network.
 
Guacamole’s fascinating architecture connects a Java component with a C backend server which introduces the aforementioned challenge of interoperability. We will determine how Java’s internal processing of Unicode strings can lead to unexpected results and how an attacker can leverage this.
 
Furthermore, we will see that the requirement of high parallelism to serve and share hundreds of connections at the same time makes an application like Guacamole also prone to concurrency issues. We will dive into the world of glibc heap exploitation and ultimately gain remote code execution.

Abstract

In the last decade the industry has seen a large amount of research released around Intel platform security. Since the release of CHIPSEC, the industry has had a tool to quickly analyze their Intel platform against a secure baseline for misconfigurations. As a result of this, it has become more difficult to find misconfigured Intel platforms from major OEMs.
 
As we dove into the platform security realm ourselves, we noticed a complete lack of focus and analysis of AMD platforms. This was a surprise to us due to the popularity and significantly growing market share of AMD.
 
In this presentation we will dive into interesting architectural differences across Intel and AMD that make up for the security of the platform. As part of it, we provide a first glance of various AMD security features, such as ROM Armor and Platform Secure Boot. Additionally, we’re going to present several vulnerabilities that, when combined, allowed us to inject a persistent firmware implant running in ring -2 on various systems.

All these details have been flushed into a tool that we developed which can be used by end users to quickly verify that their systems are free from common misconfigurations.

Abstract

Deserialization of untrusted data has become one of the most abused vulnerability classes across multiple programming languages. Over time, most developers have become adept with the secure handling of deserialization operations. Consequently, easy-to-exploit deserialization issues are mostly a thing of the past. Typically, protections are based on either selective allow lists, broader allow lists that may pull from hundreds of classes, or block lists based on known deserialization gadgets.
 
However, my research shows that both allow and block lists can still be frequently abused in .NET applications. This research was focused primarily on setter-based serializers and shows:

• New gadgets in the .NET Framework can be used to bypass protections.
• Deserialization gadgets exist in popular .NET third-party libraries.
• Deserialization gadgets can exist in products codebases.
• Deserialization gadgets may abuse product functionalities.
• Serialization problems exist and can be used to bypass protections applied to the deserialization routine when the deserialized object is then again serialized.
• Deserialization gadgets do not have to directly lead to code execution. A creative approach may allow attackers to chain it with other vulnerabilities to achieve it. For example, arbitrary file read gadgets can lead to remote code execution.
• All the above factors impact defensive strategies as detections and protections are mainly based on known gadgets.

 
This presentation provides examples of new deserialization gadgets in the .NET Framework, third-party libraries, and other codebases. It is based on over a dozen vulnerabilities I discovered in multiple products including Microsoft Exchange and SolarWinds Platform. It shows how to be creative during gadget searching and how to tune searching for a given serializer. The talk includes a release of gadgets for several different serializers. Finally, this presentation will present what is believed to be the first setter-based deserialization gadget for .NET version 5 and above.

Abstract

In this talk, the authors present their research where a comprehensive analysis of the Windows kernel was conducted, leading to the discovery of a new vulnerability. Through strategic utilization of the user fault handling process and the application of a reliable Data-Oriented approach with Windows kernel structures, the newfound vulnerability was successfully exploited.
 
The findings of this research highlight the importance of thoroughly exploring all potential attack vectors, regardless of their initial perceived significance. This research emphasizes the value of comprehensive analysis, showcases the potential impact of identifying attack vectors within the Windows kernel, and introduces a new vulnerability that can be used to execute arbitrary kernel code in windows.

Abstract

There are many kernel fuzzers such as SockFuzzer, Syzkaller, etc. They are developed for many purposes. SockFuzzer is developed to fuzz XNU sockets with a source code level, while Syzkaller is used to fuzz many types of OSes like Windows, Linux, FreeBSD, macOS which are very easy to set up and scale up to many instances. Despite their advantages they still have some limits to discover side-effect vulnerabilities in the kernel. The fuzzer that I’ve developed focuses on these limitations and tries to explore deeper in the XNU kernel to find any vulnerabilities. This Fuzzer is a template-based fuzzer which can generate a C test-case from a C template. Besides, its mutator is customizable and adaptable for each C template.
 
In my talk, I will share how I have built the Fuzzer from scratch based on Linux KVM which can be scalable and easy to write automation scripts. I also show you how to reuse XNU tests to create a C template for this Fuzzer and use it to discover new vulnerabilities.
 
After that, I will share the root cause of some vulnerabilities found by my Fuzzer last year, some of them are very interesting.The CVE-2022-32894 one is out-of-bound write in XNU Mach IPC exploited in the wild last year.
 
Finally, I will show you the development roadmap of my Fuzzer for the future.

Abstract

This presentation is about the Hyper-V Core Isolation (HVCI, Secure Kernel): what it’s for, how it protects, and how we broke it, and (perhaps) why and how our findings matter.
 
The Hyper-V Core Isolation was developed by Microsoft as an ultimate effort to only allow signed valid code into the kernel and keep ANY unauthorized ring 0 code out, including the scenario where an attacker has already gained administrative privileges. It’s main job is also to protect the memory of the kernel from ANY unauthorized changes using ring -1 hypervisor technology, so that an attacker cannot write on read-only physical pages anymore or change access protections on PTEs, such as change RW to RX, or U (usermode page) to K (kernel page).
 
However, there is a fundamental design flaw in the Core Isolation implementation that breaks the promised memory protection with relative ease (e.g.: no exploit chain required, no ROP required).

Abstract

Hyper-V has long been considered a prestige target for security researchers, with Microsoft offering high value bug bounties, and performing continuous in-house testing and attack-surface hardening. In this presentation I’ll show how I turned the discovery of a seemingly unreproducible bug into a critical-rated arbitrary code execution vulnerability, which was awarded MSRC’s maximum bounty.
 
The talk will begin with a very brief introduction to virtualization and Hyper-V, before launching into an in-depth examination of the low-level VMBus protocol which underpins guest-host communication. We will cover the mechanisms VMBus uses for signaling, shared memory, and callback messages, and the different types of devices it supports. Finally, I will trace the flow of a VMBus message from a guest VM all the way through to a host device driver in order to demonstrate the attack surface exposed by VMBus.
 
To finish this presentation I will dive into the details of a bug I discovered in early 2023 in a core VMBus host driver. In the journey to create a reliable proof-of-concept I will explain how to modify the Linux kernel’s Hyper-V guest drivers to craft our own custom VMBus packets, discuss a novel method of manipulating the Windows kernel’s LookasideList cache implementation from inside a guest VM, and finally, demonstrate how I won an incredibly precise race between host kernel threads to trigger the vulnerability.

Abstract

ClamAV is an open-source antivirus engine maintained by Cisco. As it is freely available, it is widely used across a large number of software products, like email servers, and appliances. This means that if an attacker can fully compromise the AV engine running in one of those products, they could access incoming and outgoing emails and for an appliance even control the network traffic of an organization. It is well known that AV engines expose a large, externally reachable attack surface as they parse a variety of file-formats, often coming from the Internet. On the other hand, modern mitigations make the exploitation of antivirus software significantly harder because remote attackers cannot interact with the target and thus can’t leak memory addresses.
 
This talk is a case-study of reliably exploiting CVE-2023-20032, a heap-buffer-overflow as a remote-attacker and lessons learned from it. The exploit results in remote-code-execution impact and utilizes a unique exploit-technique to bypass ASLR that can be applied to similar targets.

Abstract

There has been virtually no public discussion of vulnerabilities within Qualcomm’s bootrom. Despite being difficult to research, the PBL is not immune to flaws.
 
For this talk, we focus on an unbounded recursion bug introduced by a new command in the Sahara protocol.
 
We will walk through exploitation of the memory corruption caused by the recursion and transform it into PC control, culminating in shellcode execution in EL3. From there, we will cover persistence through all layers of the phone’s boot stack and demonstrate popping a root shell on a bootloader-locked Pixel phone.
Finally, we wrap up with the interesting way this was mitigated on newer chipsets.

Abstract

Keynote

Abstract

As hypervisors become increasingly popular in enterprise environments, they are also becoming a popular target for attackers. In this talk, the authors will present a chain of three bugs demonstrated at Pwn2Own Vancouver 2023 targeting VirtualBox and Windows 11 kernel. The bugs allowed the authors to escape a virtual machine and gain administrator privileges on the host machine.
 
In this talk, we will focus on the methodology used to find bugs reachable from inside a guest machine, how the codebase and the architecture of the hypervisor was approached from an attacker perspective and how we exploited and chained together multiple bugs. We will talk about how deeper bugs can be a source of very interesting primitives that sometimes require less effort than expected, especially in case of hypervisors. Lastly, the authors will discuss a logical vulnerability in the Windows kernel that allows for privilege escalation on the host.

Abstract

While performing a red team assessment, due to limited scope, we were forced to look for 0-day vulnerabilities on a Fortinet appliance. This talk describes how we found and exploited CVE-2023-27997, a pre-authentication remote code execution vulnerability affecting the VPN interface of Fortigate, affecting hundreds of thousands of servers on the internet, and used it to completely compromise the company’s intranet.
 
We’ll go through each step of the way, from how to get an initial shell on the appliance and fingerprinting targets to post-exploitation and persistence.
You will leave this talk with a good sense of how Fortigate products are built, and a head-start to find new vulnerabilities on the product.