Nvidia is one of the main GPU manufacturers and chances are that your own computer is equipped with one of their cards. With such devices come proprietary kernel drivers that are in charge of communicating with the hardware. These drivers are usually a fantastic playground for researchers as they handle complex messages and embed tons of shady parsers.
In this talk, we’ll present our journey in one of them and how we ended up going from what should have been a simple and noncommittal fuzzing campaign for honing our skills, to exploiting an up-to-date Windows 10 machine.
We’ll deep dive into the internals of the driver to explain the different message formats and how, by using IDA scripting and some dynamic symbolic execution, we managed to generate a comprehensive corpus to feed the fuzzer.
Fuzzing kernel components is not trivial either, so we’ll briefly describe the inner workings of the snapshot-based fuzzer we used and present a couple of bugs found during the campaign.
Finally, to follow the rabbit hole to the end, we’ll explain how we managed to leverage these bugs to obtain kernel code execution on the machine.
Thierry Doré has been a security engineer at Quarkslab for five years. He tackles topics ranging from embedded systems to Windows internals, the latter being his main area of interest. He also contributes as a trainer at university and security events, where he shares his knowledge of reverse engineering and vulnerability exploitation.
The Safari browser is a critical piece of an iPhone/Mac device. Attackers often use it as the entry point of a full chain. Apple is aware of this and implements many mitigations to make attackers’ lives harder. This talk introduces each mitigation used to prevent attackers from executing arbitrary shellcode in the WebContent context. All these mitigations will be presented along with the bypasses that existed for them, from the old SEPARATED_WX_HEAP mitigation and its weaknesses to APRR, PAC and JIT code signing. We will see how Apple changed the game for attackers with the recent changes made to these mitigations.
Quentin Meffre is a computer security researcher at Synacktiv. His main interests are vulnerability research, exploit development, and software programming. He especially likes browser security.
Media parsing is known as one of the weakest components of every consumer system. It often manipulates complex data structures in the most performant way possible, which is at odds with security requirements such as attack surface minimization, compartmentalization, and privilege separation. Compared to other operating systems, video decoding on macOS/iOS is an interesting case for two reasons. First, instead of running in user mode, a considerable portion of format parsing is implemented in a kernel extension called AppleAVD, exposing the kernel to additional remote attack vectors. Second, recent anonymous reports suggest that AppleAVD may have been exploited in the wild. Our talk investigates the AppleAVD kernel extension in depth, covering video decoding subsystem internals, analysis of vulnerabilities, and ways to exploit them.
Nikita Tarakanov is an independent security researcher. He has worked as a security researcher in Positive Technologies, Vupen Security, Intel corporation and Huawei. He likes writing exploits, especially for OS kernels. He won the PHDays Hack2Own contest in 2011 and 2012. He has published a few papers about kernel mode drivers and their exploitation. He is currently engaged in reverse engineering research and vulnerability search automation.
Andrey Labunets is a security researcher with more than a decade of experience in vulnerability research and reverse engineering.
Hacking routers is a well covered topic, but what about finding an RCE without even having the device itself?
Through a mix of static reversing, function emulation and full firmware emulation, I defeated many layers of compression, encryption and weird abstraction to eventually find a pre-auth RCE affecting hundreds of thousands of routers from DrayTek.
These devices run the proprietary DrayOS operating system and are commonly found in small and medium-sized businesses. In the last couple of years, other models have also been targeted by exploits in the wild.
If you’re curious about how to approach these devices, come to this talk where I’ll share the process and techniques used to unpack the firmware, emulate the useful bits, and write an exploit that resulted in the remote, unauthenticated takeover of a device purchased for the occasion.
Philippe Laulheret is a Senior Security Researcher on the Trellix vulnerability research team. With a focus on Reverse Engineering and Vulnerability Research, Philippe uses his background in Embedded Security and Software Engineering to poke at complex systems and get them to behave in interesting ways. Philippe has presented multiple projects covering hardware hacking, reverse engineering and exploitation at DEF CON, Hardwear.io, Eko Party and more. In his spare time, Philippe enjoys playing CTFs, immersing himself in the beauty of the Pacific Northwest, and exploring the realm of Creative Coding. Philippe holds an MSc in Computer Science from Georgia Tech and an MSc in Electrical and Computer Engineering from Supélec (France).
MS-RPC is Microsoft’s implementation of the Remote Procedure Call protocol. Even though the protocol is extremely widespread and serves as the basis for nearly all Windows services on both managed and unmanaged networks, little has been published about MS-RPC, its attack surface and its design flaws.
In this talk, we will walk through and demonstrate several vulnerabilities we discovered through our research on MS-RPC. When exploited, these vulnerabilities allow attackers to trigger restricted functions on remote RPC servers. We believe these bugs belong to a somewhat novel category that is unique to RPC server implementations, and we would like to share this idea with the audience as a possible research direction.
To aid future research into the topic of MS-RPC, we will share a technical overview of the RPC system in Windows, explain why we decided to target it, and point out several design flaws. We will also dive into the methodology we developed around RPC as a research target and share the tools we built to facilitate the bug-hunting process.
Ophir Harpaz is a security research team lead in Akamai, where she manages research projects around OS internals, exploitation and malware analysis. Ophir has spoken in various security conferences including Black Hat USA, Botconf, SEC-T, HackFest and more. As an active member in Baot - a community for women engineers - she has taught a reverse-engineering workshop (https://begin.re) to share her enthusiasm for reversing. Ophir has entered Forbes' list of 30-under-30 and won the Rising Star category of SC Magazine's Reboot awards for her achievements and contribution to the Cyber security industry.
Stiv Kupchik is a security researcher at Akamai, whose research projects revolve around OS internals, vulnerability research and malware analysis. Before joining Akamai, Stiv was a DFIR team leader in the IDF, specializing in Windows and network forensics. Besides cyber security, Stiv is also a physics student, and likes to read and game on his PC in his spare time.
Microsoft’s Remote Desktop Protocol (RDP) client has been fuzzed by various teams in the past few years, so it seemed like a good target for trying out a recent snapshot fuzzer: what the fuzz (wtf), of which we are only users. In this talk we’ll show how we took advantage of wtf’s flexibility to efficiently fuzz the RDPEGFX channel of the Microsoft RDP client and uncover CVE-2022-30221. After briefly presenting RDP and prior work, we’ll describe our campaign and the changes we made to wtf. We first improved the memory management code to be able to place breakpoints on pages in transition. We then added context-sensitive edge coverage to the bochscpu backend, and experimented with more exotic coverage metrics.
These modifications will be published as pull requests on the wtf repository before the conference.
By combining a fast but coarse KVM backend with our precise but slow modified bochscpu backend, we were able to find an OOB write in Windows’ software rasterizer. We will explain how we minimized the crash before analyzing it with tenet, and how we built a PoC server that triggers the OOB write remotely on vulnerable clients.
The main takeaways for attendees will be some insight into dump preparation, exotic coverage, and corpus manipulation. Several open source tools make it possible to get up and fuzzing relatively easily even on client/server targets, and some old bugs are still waiting to be found.
Colas Le Guernic is a security researcher at Thalium (part of THALES group). He started his career in academia working on safety analysis of cyber-physical systems.
His love for the Cyber led him to an enlightening modeling career at DGA Information Superiority. He is now searching for vulnerabilities in userland applications and is perfectly happy staying on the third floor (he has never been to the basement).
Despite striving to lead the way towards a more sustainable world in a refreshing way, Colas is not related to any infrastructure or beverage company.
Jérémy Rubert has been a reverse engineer at Thalium (part of THALES group) for four years and has worked in information security for ten. He specializes in reverse engineering, fuzzing and vulnerability exploitation. He also contributes as a trainer at university, where he shares his knowledge of reverse engineering and malware.
Security Assertion Markup Language (SAML) is a single sign-on standard built on XML signatures. It’s widely used in cloud, enterprise and government environments to provide a seamless login flow into web applications.
This talk will present the results of my research on the security of modern SAML implementations. I’ll present a technical deep dive into the SAML attack surface and novel ways to attack SAML support in modern SaaS applications. After discussing the vulnerabilities I discovered in widely used SAML stacks, I’ll finish with a detailed walkthrough of an unusual remote code execution bug in a widely used library that’s exposed via SAML.
Felix Wilhelm is a security researcher at Google Project Zero focusing on cloud and virtualization security. Previously, he worked in product security for Google Cloud and as a security researcher at ERNW.
Over the years, major mobile devices manufacturers have steadily improved their security to foil increasingly sophisticated attacks. This is achieved on most modern Android-based systems by implementing custom hardware and software components that rely on the latest ARM security features.
These components are an integral part of the execution lifecycle. Starting with the boot process, devices maintain integrity using a multi-stage secure bootchain where each stage cryptographically verifies the next one. Once the device is booted, kernel integrity is ensured by a security hypervisor that watches over it.
Security-sensitive hardware peripherals, such as the touchscreen or the crypto-processors, can be accessed in a secure and isolated manner using the ARM TrustZone technology. It can be used to create trusted UIs, implement DRM, etc., as all the sensitive data and critical interrupts are handled directly by a trusted environment.
However, the benefits of these security features are highly dependent on a robust implementation, as they could otherwise widen the attack surface and potentially introduce a single point of failure. On Huawei smartphones, these privileged components have seen little public scrutiny as they are hidden behind a layer of encryption.
In this presentation, we will shed light on the internals of Huawei’s implementation by detailing some unique design choices that were made. We will also explain our research methodology and reveal the now-fixed vulnerabilities that we found and exploited in the hypervisor, monitor, trusted OS and trusted applications.
Maxime Peterlin is a security researcher and co-founder at Impalabs. His day-to-day work includes reverse engineering, studying low-level systems, vulnerability research, binary exploitation and tool development. He has also been a speaker and trainer at various conferences such as BHUSA, Zer0con and Hardwear.io.
Alexandre Adamski is a security researcher and co-founder at Impalabs. His day-to-day work includes reverse engineering, vulnerability research and binary exploitation. What he likes more than anything is breaking binaries at non-zero exception levels. In his free time, he also develops open-source tools and plugins.
SSRF vulnerabilities are fairly common these days, almost as popular as stack overflows were two decades ago. Properly exploited, they can have devastating effects on the attacker’s target. The MSRC even temporarily created a dedicated Azure SSRF bug bounty last year to learn more about these attacks. This talk will cover several freshly discovered issues found in critical Azure services such as Azure Kubernetes Service or Office Online. It will describe them from a black-box perspective and give details on the methodology behind their discovery. Exploitation of those issues will only be discussed briefly; the talk will focus on how to find such bugs.
Nicolas Joly is a security engineer at the MSRC in the UK. He has more than 10 years of experience in reverse engineering and vulnerability discovery, and is now focused on finding and exploiting bugs at Microsoft. Prior to this, he hunted bugs for bounties and won Pwn2Own several times with Vupen Security.
Luca Todesco is a co-founder and managing partner at Dataflow Security, a company focusing on offensive mobile security. He has dedicated most of his research career to *OS and continues to focus on its new challenges.
Exploitation of Apple’s iOS operating system, including its kernel, has long been a topic receiving much attention in the information security community. Yet not much technical research in the area has been made public in recent years, with many patched or mitigated bugs and techniques never being publicly detailed. This talk will be a technical talk about exploitation of the iOS 15 kernel, using bugs and techniques that in research available to the public have seen little or no use before.
WebKit has been exploited in the past to obtain a userland entry point, the initial foothold, on the PS4. However, porting such an exploit to the PS5 is challenging, as the PS5’s AMD CPU supports eXecute-Only Memory (XOM), which prevents the attacker from reading the .text segment. That basically makes it impossible to find the addresses of functions, syscalls, and ROP gadgets. In this talk, Andy Nguyen presents a new attack vector and a firmware-agnostic, ROP-less exploit to achieve native code execution on the PS4 and PS5.
Andy Nguyen is an Information Security Engineer at Google focusing on Cloud Vulnerability Research. Andy has been hacking PlayStation consoles since he was 16, has released multiple jailbreaks for the PS Vita and has published multiple kernel vulnerabilities for the PS4 / FreeBSD.
This presentation describes the exploit chain used at Pwn2own Vancouver 2022 against the Tesla Model3, which allowed the Synacktiv team to gain remote code execution, over Wi-Fi, on the car’s infotainment system without any user interaction.
Initial access to the firmware and its emulation will be presented as an introduction, followed by an overview of the remote attack surface.
Two remote vulnerabilities will then be detailed, along with their exploitation method, which involves complex heap manipulations. Since the targeted process is sandboxed, escape and bypass strategies and an analysis of the restricted environment will also be covered.
To end on a lighter note, the CAN messages format and how to use them to interact with the car will be explained.
The various adventures encountered during the participation in the competition will also be discussed.
David Berard is a security expert in Synacktiv's engineering team. He is specialized in mobile and embedded systems reverse engineering, vulnerability research and exploit development.
Vincent Dehors has worked on the design and development of many products as a low-level software engineer. Now he is doing vulnerability research and exploit development at Synacktiv. He likes giraffes.
In November 2021, NCC Group won at the Pwn2Own hacking contest against a Lexmark printer. This talk is about the journey from purchase of the printer, having zero knowledge of its internals, remotely compromising it using a vulnerability which affected 235 models, developing a persistence mechanism and more.
This talk is particularly relevant due to printers having access to a wide range of documents within an organisation, the printers often being connected to internal/sensitive parts of a network, their lack of detection/monitoring capability and often poor firmware update management processes.
Cedric (@saidelike) specialises in vulnerability research and exploit development, and while at NCC Group working in the Exploit Development Group (EDG) has published some public research related to Cisco ASA, Windows kernel, NAS devices, printers, etc.
Alex Plaskett is a Security Researcher at NCC Group. He specialises in vulnerability identification and exploitation. He has found and exploited vulnerabilities in a wide range of high-profile products. Alex previously led teams in multiple areas of security (Fintech, Mobile Security), competed at multiple Pwn2Owns and generally caused vendors to patch things.
Zimbra is an enterprise-level email solution used by over 200 000 businesses and government institutions. It has recently been the target of a 0-day campaign likely conducted by a state actor. As demonstrated by the Microsoft Exchange vulnerabilities, enterprise mail servers are a gold mine for attackers: their compromise gives access to the target’s most sensitive data and provides an initial foothold from which to pivot to internal services. This motivated us to search for what others had missed.
We will first break down how we approached a complex enterprise web target made of several services from the viewpoint of a sophisticated attacker. Then, we’ll take a deep dive and show how we abused a newline injection bug to steal clear-text credentials from users, applied a common vulnerability pattern to find a stored XSS vulnerability in the email body, and finally went beyond scope and program boundaries and discovered a 0-day in a third-party dependency to get pre-authenticated code execution.
Thomas Chauchefoin is a Vulnerability Researcher at Sonar. With a strong background in offensive security, he helps uncover and responsibly disclose 0-days in major open-source software to sharpen Sonar's static analysis technology. He also participated in competitions like Pwn2Own or Hack-a-Sat and was nominated twice for a Pwnie Award for his research on PHP supply chain security.