2022 archived version

TALKS & SPEAKERS

Two days of conferences | 16 talks | 27 speakers


A journey of fuzzing Nvidia graphic driver leading to LPE exploitation

Thierry Doré

Attacking Safari in 2022

Quentin Meffre

Cinema time!

Nikita Tarakanov, Andrey Labunets

Emulate it until you make it! Pwning a DrayTek Router before getting it out of the box.

Philippe Laulheret

Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in MS-RPC service

Ophir Harpaz, Stiv Kupchik

Fuzzing RDPEGFX with wtf

Colas Le Guernic, Jérémy Rubert

Hacking the Cloud with SAML

Felix Wilhelm

Hara-Kirin: Dissecting the Privileged Components of Huawei Mobile Devices

Maxime Peterlin, Alexandre Adamski

Hunting for cloudy SSRFs

Nicolas Joly

Life and death of an iOS attacker

Luca Todesco

More Tales from the iOS/macOS Kernel Trenches

John Aakerblom

bd-jb: Blu-ray Disc Sandbox Escape

Andy Nguyen

I feel a draft. Opening the doors and windows: 0-click RCE on the Tesla Model3

David Berard, Vincent Dehors

Toner deaf - Printing your next persistence

Cedric Halbronn, Alex Plaskett

The unavoidable pain of backups: security deep-dive into the internals of NetBackup

Nicolas Devillers, Jean-Romain Garnier, Anaïs Gantet, Abouhali Mouad, Benoît Camredon

You've got mail! And I'm root on your Zimbra server

Thomas Chauchefoin

A journey of fuzzing Nvidia graphic driver leading to LPE exploitation

Abstract

Nvidia is one of the main GPU manufacturers and chances are that your own computer is equipped with one of their cards. With such devices come proprietary kernel drivers that are in charge of communicating with the hardware. These drivers are usually a fantastic playground for researchers as they handle complex messages and embed tons of shady parsers.

In this talk, we’ll present our journey in one of them and how we ended up going from what should have been a simple and noncommittal fuzzing campaign for honing our skills, to exploiting an up-to-date Windows 10 machine.

We’ll deep dive into the internals of the driver to explain the different message formats and how, by using IDA scripting and some dynamic symbolic execution, we managed to generate a comprehensive corpus to feed the fuzzer.

Fuzzing kernel components is also not so trivial, so we’ll succinctly describe the inner workings of the snapshot-based fuzzer we used and present a couple of bugs found during the campaign.

Finally, to follow the rabbit hole to the end, we’ll explain how we managed to leverage these bugs to obtain kernel code execution on the machine.

Speakers

Thierry Doré

Quarkslab

Bio

Thierry Doré has been a security engineer at Quarkslab for 5 years. He tackles various topics ranging from embedded systems to Windows internals, the latter being his main topic of interest. He also contributes as a trainer for university and security events, where he shares his knowledge about reverse engineering and vulnerability exploitation.

Attacking Safari in 2022

Abstract

The Safari browser is a critical piece of an iPhone/Mac device. Attackers often use it as the entry point of a full chain. Apple is aware of this and implements many mitigations to make attackers’ lives harder. This talk introduces each mitigation used to prevent attackers from executing arbitrary shellcode in the WebContent context. All these mitigations will be presented, along with the bypasses that have existed for them, from the old SEPARATED_WX_HEAP mitigation and its weaknesses to APRR, PAC and JIT code signing. We will see how Apple changed the game for attackers with the recent changes made to these mitigations.

Speakers

Quentin Meffre

Synacktiv
@0xdagger

Bio

Quentin Meffre is a computer security researcher at Synacktiv. His main interests are vulnerability research, exploit development, and software programming. He especially likes browser security.

Cinema time!

Abstract

Media parsing is known as one of the weakest components of every consumer system. It often operates on complex data structures in the most performant way possible, which is at odds with security requirements such as attack surface minimization, compartmentalization, and privilege separation. Compared to other operating systems, video decoding on macOS/iOS is an interesting case for two reasons. First, instead of running in usermode, a considerable portion of format parsing is implemented in a kernel extension called AppleAVD, exposing the kernel to additional remote attack vectors. Second, recent anonymous reports suggest that AppleAVD may have been exploited in the wild. Our talk investigates the AppleAVD kernel extension in depth, covering video decoding subsystem internals, analysis of vulnerabilities, and ways to exploit them.

Speakers

Nikita Tarakanov

Bio

Nikita Tarakanov is an independent security researcher. He has worked as a security researcher at Positive Technologies, Vupen Security, Intel Corporation and Huawei. He likes writing exploits, especially for OS kernels. He won the PHDays Hack2Own contest in 2011 and 2012. He has published a few papers about kernel mode drivers and their exploitation. He is currently engaged in reverse engineering research and vulnerability search automation.

Andrey Labunets

@isciurus

Bio

Andrey Labunets is a security researcher with more than a decade of experience in vulnerability research and reverse engineering.

Emulate it until you make it! Pwning a DrayTek Router before getting it out of the box.

Abstract

Hacking routers is a well covered topic, but what about finding an RCE without even having the device itself?
Through a mix of static reversing, function emulation and full firmware emulation, I defeated many layers of compression, encryption and weird abstraction to eventually find a pre-auth RCE affecting hundreds of thousands of routers from DrayTek.
Running the proprietary DrayOS operating system, these devices are commonly found in small to medium sized businesses. In the last couple of years, some other models have also been known to be the target of exploits in the wild.
If you’re curious about how to approach these devices, come to this talk where I’ll share the process and techniques used to unpack the firmware, emulate the useful bits, and write an exploit that resulted in the remote, unauthenticated takeover of a device purchased for the occasion.

Speakers

Philippe Laulheret

@phLaul

Bio

Philippe Laulheret is a Senior Security Researcher on the Trellix vulnerability research team. With a focus on Reverse Engineering and Vulnerability Research, Philippe uses his background in Embedded Security and Software Engineering to poke at complex systems and get them to behave in interesting ways. Philippe has presented multiple projects covering hardware hacking, reverse engineering and exploitation at DEF CON, Hardwear.io, Eko Party and more. In his spare time, Philippe enjoys playing CTFs, immersing himself in the beauty of the Pacific Northwest, and exploring the realm of Creative Coding. Philippe holds an MSc in Computer Science from Georgia Tech and an MSc in Electrical and Computer Engineering from Supélec (France).

Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in MS-RPC service

Abstract

MS-RPC is Microsoft’s implementation of the Remote Procedure Call protocol. Even though the protocol is extremely widespread, and serves as the basis for nearly all Windows services on both managed and unmanaged networks, little has been published about MS-RPC, its attack surface and its design flaws.

In this talk, we will walk through and demonstrate several vulnerabilities which we discovered through our research of MS-RPC. When exploited, these vulnerabilities allow attackers to trigger restricted functions on remote RPC servers. We believe these bugs belong to a somewhat novel category which is unique to RPC server implementations, and would like to share this idea as a possible research direction with the audience.

To aid future research into the topic of MS-RPC, we will share a technical overview of the RPC system in Windows, explain why we decided to target it, and point out several design flaws. We will also dive into the methodology we developed around RPC as a research target and share the tools we built to facilitate the bug-hunting process.

Speakers

Ophir Harpaz

Akamai
@OphirHarpaz

Bio

Ophir Harpaz is a security research team lead at Akamai, where she manages research projects around OS internals, exploitation and malware analysis. Ophir has spoken at various security conferences including Black Hat USA, Botconf, SEC-T, HackFest and more. As an active member of Baot - a community for women engineers - she has taught a reverse-engineering workshop (https://begin.re) to share her enthusiasm for reversing. Ophir has entered Forbes' 30-under-30 list and won the Rising Star category of SC Magazine's Reboot awards for her achievements and contribution to the cybersecurity industry.

Stiv Kupchik

Akamai
@kupsul

Bio

Stiv Kupchik is a security researcher at Akamai, whose research projects revolve around OS internals, vulnerability research and malware analysis. Before joining Akamai, Stiv was a DFIR team leader in the IDF, specializing in Windows and network forensics. Besides cybersecurity, Stiv is also a physics student, and likes to read and game on his PC in his spare time.

Fuzzing RDPEGFX with wtf

Abstract

Microsoft’s Remote Desktop Protocol (RDP) client has been fuzzed by various teams in the past few years, so it seemed like a good target for trying out a recent snapshot fuzzer: what the fuzz (wtf), of which we are only users. In this talk we’ll show how we took advantage of wtf’s flexibility to efficiently fuzz the RDPEGFX channel of the Microsoft RDP client and uncover CVE-2022-30221. After briefly presenting RDP and prior work, we’ll describe our campaign and the changes we made to wtf. We first improved the memory management code to be able to add breakpoints on pages in transition. We then added context-sensitive edge coverage to the bochscpu backend, and experimented with more exotic coverage metrics.

These modifications will be published as pull requests on the wtf repository before the conference.

By combining a fast but coarse KVM backend with our precise but slow modified bochscpu backend we were able to find an OOB write in Windows’ software rasterizer. We will explain how we minimized the crash before analyzing it with tenet and built a PoC server triggering the OOB write remotely on vulnerable clients.

The main takeaways for attendees will be some insight into dump preparation, exotic coverage, and corpus manipulation. Several open source tools make it possible to get up and fuzzing relatively easily even on client/server targets, and some old bugs are still waiting to be found.

Speakers

Colas Le Guernic

Thalium

Bio

Colas Le Guernic is a security researcher at Thalium (part of the THALES group). He started his career in academia working on safety analysis of cyber-physical systems.
His love for the Cyber led him to an enlightening modeling career at DGA Information Superiority. He is now searching for vulnerabilities in userland applications and is perfectly happy staying on the third floor (he has never been to the basement).

Despite striving to lead the way towards a more sustainable world in a refreshing way, Colas is not related to any infrastructure or beverage company.

Jérémy Rubert

Thalium

Bio

Jérémy Rubert has been a reverse engineer at Thalium (part of the THALES group) for 4 years and has worked in the information security domain for 10 years. He specialises in reverse engineering, fuzzing and vulnerability exploitation. He also contributes as a university trainer, where he shares his knowledge about reverse engineering and malware.

Hacking the Cloud with SAML

Abstract

Security Assertion Markup Language (SAML) is a single-sign-on standard based on XML signatures. It’s widely used in cloud, enterprise and government environments to provide a seamless login flow into web applications.
 
This talk will present the results of my research on the security of modern SAML implementations. I’ll present a technical deep dive into the SAML attack surface and novel ways to attack SAML support in modern SaaS applications. After discussing the vulnerabilities I discovered in widely used SAML stacks, I’ll finish with a detailed walkthrough of an unusual remote code execution bug in a widely used library that’s exposed via SAML.

Speakers

Felix Wilhelm

@_fel1x

Bio

Felix Wilhelm is a security researcher at Google Project Zero focusing on cloud and virtualization security. Previously, he worked in product security for Google Cloud and as a security researcher at ERNW.

Hara-Kirin: Dissecting the Privileged Components of Huawei Mobile Devices

Abstract

Over the years, major mobile device manufacturers have steadily improved their security to foil increasingly sophisticated attacks. On most modern Android-based systems this is achieved by implementing custom hardware and software components that rely on the latest ARM security features.

These components are an integral part of the execution lifecycle. Starting with the boot process, devices maintain integrity using a multi-stage secure boot chain where each stage cryptographically verifies the next one. Once the device is booted, kernel integrity is ensured by a security hypervisor that watches over it.

Security-sensitive hardware peripherals, such as the touchscreen or the crypto-processors, can be accessed in a secure and isolated manner using the ARM TrustZone technology. It can be used to create trusted UIs, implement DRM, etc., as all the sensitive data and the critical interrupts are directly handled by a trusted environment.

However, the benefits of these security features are highly dependent on a robust implementation, as they could otherwise widen the attack surface and potentially introduce a single point of failure. On Huawei smartphones, these privileged components have seen little public scrutiny as they are hidden behind a layer of encryption.

In this presentation, we will shed light on the internals of Huawei’s implementation by detailing some unique design choices that were made. We will also explain our research methodology and reveal the now-fixed vulnerabilities that we found and exploited in the hypervisor, monitor, trusted OS and trusted applications.

Speakers

Maxime Peterlin

Impalabs
@lyte__

Bio

Maxime Peterlin is a security researcher and co-founder at Impalabs. His day-to-day work includes reverse engineering, studying low-level systems, vulnerability research, binary exploitation and tool development. He has also been a speaker and trainer at various conferences such as BHUSA, Zer0con and Hardwear.io.

Alexandre Adamski

Impalabs
@NeatMonster_

Bio

Alexandre Adamski is a security researcher and co-founder at Impalabs. His day-to-day work includes reverse engineering, vulnerability research and binary exploitation. What he likes more than anything is breaking binaries at non-zero exception levels. In his free time, he also develops open-source tools and plugins.

Hunting for cloudy SSRFs

Abstract

SSRF vulnerabilities are fairly common these days, almost as popular as stack overflows were two decades ago. Properly exploited, they can have devastating effects on the attacker’s target. The MSRC even temporarily created a dedicated Azure SSRF bug bounty last year to try to learn more about these attacks. This talk will cover several freshly discovered issues found in critical Azure services such as Azure Kubernetes Service or Office Online. It will describe them from a black-box perspective and give details on the methodology behind their discovery. Exploitation of those issues will only be discussed briefly; the talk will focus on how to find such bugs.

Speakers

Nicolas Joly

@n_joly

Bio

Nicolas Joly is a security engineer at the MSRC in the UK. He has more than 10 years of experience in reverse engineering and vulnerability discovery, and is now focused on finding and exploiting bugs at Microsoft. Prior to this, he used to hunt bugs for bounties and won Pwn2Own several times with Vupen Security.

Life and death of an iOS attacker

Abstract

TBD

Speakers

Luca Todesco

@qwertyoruiopz

Bio

Luca Todesco is a co-founder and managing partner at Dataflow Security, a company focusing on offensive mobile security. He has dedicated most of his research career to *OS and continues to focus on its new challenges.

More Tales from the iOS/macOS Kernel Trenches

Abstract

Exploitation of Apple’s iOS operating system, including its kernel, has long been a topic receiving much attention in the information security community. Yet not much technical research in the area has been made public in recent years, with many patched or mitigated bugs and techniques never being publicly detailed. This will be a technical talk about exploitation of the iOS 15 kernel, using bugs and techniques that have seen little or no use in publicly available research.

Speakers

John Aakerblom

@jaakerblom

Bio

John Aakerblom is an independent security researcher with several years of experience in security research focused on the iOS and macOS operating systems.

bd-jb: Blu-ray Disc Sandbox Escape

Abstract

WebKit has been exploited in the past to obtain a userland entry point, the initial foothold, on the PS4. However, porting such an exploit to the PS5 is challenging, as the PS5’s AMD CPU supports eXecute-Only Memory (XOM), which prevents the attacker from reading the .text segment. That basically makes it impossible to find addresses of functions, syscalls, and ROP gadgets. In this talk, Andy Nguyen presents a new attack vector and a firmware-agnostic, ROP-less exploit to achieve native code execution on the PS4 and PS5.

Speakers

Andy Nguyen

Google
@theflow0

Bio

Andy Nguyen is an Information Security Engineer at Google focusing on Cloud Vulnerability Research. Andy has been hacking PlayStation consoles since the age of 16, has released multiple jailbreaks for the PS Vita and has published multiple kernel vulnerabilities for the PS4 / FreeBSD.

I feel a draft. Opening the doors and windows: 0-click RCE on the Tesla Model3

Abstract

This presentation describes the exploit chain used at Pwn2Own Vancouver 2022 against the Tesla Model 3, which allowed the Synacktiv team to gain remote code execution, over Wi-Fi, on the car’s infotainment system without any user interaction.

Initial access to the firmware and its emulation will be presented as an introduction, followed by an overview of the remote attack surface.

Two remote vulnerabilities will then be detailed, as well as their exploitation method, involving complex heap manipulations. The targeted process being sandboxed, escape and bypass strategies and an analysis of the restricted environment will also be provided.

To end on a lighter note, the CAN message format and how to use it to interact with the car will be explained.

The various adventures encountered during the participation in the competition will also be discussed.

Speakers

David Berard

Synacktiv
@_p0ly_

Bio

David Berard is a security expert in Synacktiv's engineering team. He specialises in mobile and embedded systems reverse engineering, vulnerability research and exploit development.

Vincent Dehors

Synacktiv
@vdehors

Bio

Vincent Dehors has worked on the design and development of many products as a low-level software engineer. Now he is doing vulnerability research and exploit development at Synacktiv. He likes giraffes.

Toner deaf - Printing your next persistence

Abstract

In November 2021, NCC Group won at the Pwn2Own hacking contest against a Lexmark printer. This talk is about the journey from purchase of the printer, having zero knowledge of its internals, remotely compromising it using a vulnerability which affected 235 models, developing a persistence mechanism and more.

This talk is particularly relevant due to printers having access to a wide range of documents within an organisation, the printers often being connected to internal/sensitive parts of a network, their lack of detection/monitoring capability and often poor firmware update management processes.
The presentation is divided into the following key sections:

  1. Platform Security: We describe the technical details of hardware attacks on the Lexmark printer to enable unencrypted firmware dumping and visibility into the internals of the platform. We explain the security architecture of the device and strengths/weaknesses of certain components.
  2. Vulnerability Research and Exploitation: We describe a vulnerability identified within the Printer Job Language (PJL) handling code and how this could be exploited to achieve arbitrary file write. We show how this was exploited to obtain a shell on the device.
  3. Getting Persistence: We describe internal mechanisms in place to make it difficult for an attacker to persist, such as a secure boot chain and a locked down file system. We detail a vulnerability which we found that allowed us to gain access to the device both across reboots and firmware updates.


An attendee to this talk should have the following key takeaways:

  • Enhance their knowledge of embedded system security attack and defence
  • Enhance their reverse engineering, vulnerability research and exploitation knowledge
  • For a device vendor this should provide insights into attacker methodology and provide tangible technical feedback in areas which may often be overlooked within a device’s security posture

Speakers

Cedric Halbronn

@saidelike

Bio

Cedric (@saidelike) specialises in vulnerability research and exploit development, and while at NCC Group working in the Exploit Development Group (EDG) has published some public research related to Cisco ASA, Windows kernel, NAS devices, printers, etc.

Alex Plaskett

@alexjplaskett

Bio

Alex Plaskett is a Security Researcher at NCC Group. He specialises in vulnerability identification and exploitation. He has found and exploited vulnerabilities in a wide range of high-profile products. Alex previously led teams in multiple areas of security (Fintech, Mobile Security), has competed at multiple Pwn2Owns and just generally causes vendors to patch things.

The unavoidable pain of backups: security deep-dive into the internals of NetBackup

Abstract

Essential for the performance and business continuity of companies, data must constantly be accessible. Losing data, either accidentally or intentionally, can become a significant disaster, as showcased by the proliferation of ransomware. As such, large companies usually turn to backup management and data recovery software to tackle this issue.

By design, these products often have extensive and sometimes privileged access to large parts of the infrastructure. They are thus a target of choice for attackers of all sorts, including red-teamers. It is indeed during the preparation of a red-team engagement that the authors decided to dig into the internals of the leader in backup management and data recovery: NetBackup by Veritas.

In this talk, AirbusSeclab will present their deep security analysis of NetBackup. They will cover several critical vulnerabilities which, combined, allow a remote unauthenticated attacker to fully compromise the whole backup infrastructure. They will also share insights about their methodology, as well as usage recommendations and some lessons learnt from the evaluation and the coordinated disclosure.

Speakers

Nicolas Devillers

Airbus
@nikaiw

Bio

Nicolas Devillers is a security engineer at Airbus and a member of the Digital Security Evaluation Team (@AirbusSeclab). Before that, he spent around 10 years in offensive security, previously working at Lexfo with a special focus on pentesting and red teaming. He is also an avid CTF player and a member of the 0daysober team.

Jean-Romain Garnier

Airbus
@JRomainG

Bio

Jean-Romain Garnier is a security engineer at Airbus, part of the Digital Security Evaluation Team (@AirbusSeclab) since 2020. Before that, he studied physics and mathematics before specializing in computer science. Alongside cybersecurity, he has worked on projects ranging from telecommunications to computer vision, managed networks, and developed commercial products for iOS devices. He is now mainly interested in reverse engineering and low-level security.

Anaïs Gantet

Airbus

Bio

Anaïs Gantet is a security engineer at Airbus. As a member of the Digital Security Evaluation Team (@AirbusSeclab), she has five years' experience in offensive security targeting IT solutions as well as avionics systems, and is interested in low-level security. She has given talks about vulnerability research in hypervisors and embedded kernels, as well as about specific tooling developed to help reverse engineering on Android emulators, at the SSTIC, THCon, ISSRE and Blackhoodie.re conferences. She also teaches network security, kernel security and virtualisation security to Master's degree students.

Abouhali Mouad

Airbus
@_m00dy_

Bio

Mouad Abouhali is currently a security evaluation expert at Airbus and has been a member of the Digital Security Evaluation Team (@AirbusSeclab) for about 10 years. He is currently responsible for performing deep-dive evaluations to assess the security level of network infrastructure software, IT products and avionics products. Before joining Airbus, he worked as a security consultant and pentester for several years in various organizations. He's also a SANS community instructor and loves teaching reverse engineering and hacking.

Benoît Camredon

Airbus
@ben64_

Bio

Benoît Camredon is a security expert at Airbus, specialized in avionics audit. He has more than ten years' experience in avionics cybersecurity. After several years spent in development and system administration, he began in 2008 writing high-level security rules for aircraft embedded systems. Since 2011, he has specialized in low-level security audits and penetration testing. In 2015, he developed a USB framework, presented at a French security conference, used to emulate USB peripherals and assess the robustness of USB stacks and drivers.

You've got mail! And I'm root on your Zimbra server

Abstract

Zimbra is an enterprise-level email solution, which is used by over 200 000 businesses and government institutions. It has recently been the target of a 0-day campaign likely conducted by a state actor. As demonstrated by the Microsoft Exchange vulnerabilities, enterprise mail servers are a gold mine for attackers: their compromise would give access to the target’s most sensitive data and provide an initial foothold to later pivot to internal services. This motivated us to search for what others had missed.

We will first break down how we approached a complex enterprise web target made of several services from the viewpoint of a sophisticated attacker. Then, we’ll take a deep dive and show how we abused a newline injection bug to steal clear-text credentials from users, applied a common vulnerability pattern to find a stored XSS vulnerability in the email body, and finally went beyond scope and program boundaries and discovered a 0-day in a third-party dependency to get pre-authenticated code execution.

Speakers

Thomas Chauchefoin

Sonar
@swapgs

Bio

Thomas Chauchefoin is a Vulnerability Researcher at Sonar. With a strong background in offensive security, he helps uncover and responsibly disclose 0-days in major open-source software to sharpen Sonar's static analysis technology. He also participated in competitions like Pwn2Own or Hack-a-Sat and was nominated twice for a Pwnie Award for his research on PHP supply chain security.

Prepare your venue at Hexacon
