Speakers 2020 @OffensiveCon

Aristeidis Thallas

Emulating Hypervisors; a Samsung RKP case study

In this work we will be investigating the emulation of proprietary hypervisors in the Android ecosystem under QEMU. We will be providing information about ARM virtualization extensions and demonstrating key concepts with a framework implemented to allow execution of the Samsung S8 hypervisor under QEMU. Finally, fuzzing implementations under this setup will be examined.

Eloi Sanfelix

A Bug Collision Tale

This talk will be about a Binder vulnerability that was first disclosed to Google by the Qihoo 360 C0RE Team, but also found by Jann Horn (who else?) and ourselves before it was fixed. The vulnerability was assigned CVE-2019-2025 and the Qihoo 360 guys named it "Waterdrop".

Ki Chan Ahn

Adventures on Hunting for Safari Sandbox Escapes

This talk will describe different bug hunting strategies for finding sandbox escapes in Safari. I describe strategies that actually worked, which helped find exploitable bugs in userland daemons. The talk begins by going over the attack surface, covering basic IPC internals, then explains details of the bug hunting process, and finally lays out some thoughts on bug hunting in general.

Marco Grassi and Kira

Exploring the MediaTek Baseband

Cellular communications and basebands have always been obscure and not publicly explored topics, until the last couple of years, when more public research has surfaced. Cellular modems are an interesting remote attack surface and they often lack modern mitigations, making them an attractive target for a "0-click" compromise over the air.

Stephen Röttger

Popping Calc with Hardware Vulnerabilities

Over the past few years many hardware vulnerabilities like rowhammer and Spectre were released. But even though they come with cool demos, we haven’t seen them exploited in the wild. Is that because they’re all mitigated or just too slow to exploit in practice?

FX and Hadez

Look what you could be up against soon

Lateral movement is essential for offensive operations during CNO. Exploiting the inherent trust relationships is what makes spreading within the chewy inside of a network so easy once the crunchy outside is broken.

Samuel Groß

No Clicks Required: Exploiting Memory Corruption Vulnerabilities in Messenger Apps

So-called “0-click” exploits, in which no user interaction is required to compromise a mobile device, have become a highly interesting topic for security researchers, and not just because Apple announced a one million dollar bug bounty for such exploits against the iPhone. This talk will go into the details of how a single memory corruption vulnerability in iMessage was remotely exploited to compromise an iPhone.

Natalie Silvanovich

No Clicks Required: Finding Fully Remote Vulnerabilities in Messaging Applications

There is increasing evidence that ‘0-click’ or ‘interaction-less’ vulnerabilities in messaging applications are being used by attackers. This talk will discuss how to evaluate a messaging application for fully remote vulnerabilities.

Jonathan Afek

Simplifying iOS Research: Booting the iOS Kernel to an Interactive Bash Shell on QEMU

This talk presents booting the iOS kernel on QEMU with an interactive bash shell and a live debugger attached to the kernel, a major step forward in the direction of having a full iOS open source system emulator on QEMU. The research details and a demo will be presented.

Maddie Stone

Bad Binder: Finding an Android In The Wild 0day

This talk will discuss my process for hunting, finding, exploiting, and reporting CVE-2019-2215, a local privilege escalation vulnerability in the Android kernel that was used in an in-the-wild exploit.

Alexander Popov

Exploiting a Linux Kernel Vulnerability in the V4L2 Subsystem

This talk is about exploiting CVE-2019-18683 in the Linux kernel for a local privilege escalation.

Martijn Bogaard

Grab those keyz and learn somebodies darkest secrets!

With almost everybody having a smartphone nowadays that is used to record and share pretty much every detail of our lives, who ever wonders how secure your data actually is? And how is it possible that you can unlock your phone by holding it in front of your face?

Netanel Ben-Simon and Yoav Alon

Bugs on the Windshield: Fuzzing the Windows Kernel

This talk will share our new approach for coverage-guided grammar fuzzing of the Windows Kernel, and enhancements to the known approaches for fuzzing Windows applications, triaging the bugs from the vulnerabilities, and being acknowledged in the MSRC Top 100.

Shahar Tal

Modern Phone Forensics 101

During this session, I will give a quick review of modern-day mobile phone forensic extraction technology, and discuss the forces shaping this domain, as well as cover the dramatic changes overturning the industry in recent years.

b1ack0wl

Don't forget to SUBSCRIBE.

This talk is about how an unauthenticated heap-based buffer overflow vulnerability was discovered and exploited within a router distributed by a market-leading ISP. Despite the targeted process utilizing mitigations such as DEP and ASLR, it still fell prey after weeks spent finding all of the required primitives. This talk will go over the thought processes, failures, and road-blocks that were encountered and how they were overcome. The techniques developed in this talk are not tied down to just one specific application or library.

Cedric Halbronn

How CVE-2018-8611 can be exploited to achieve privilege escalation on Windows 10 1809 (RS5) and earlier

This talk will discuss how CVE-2018-8611 can be exploited to achieve privilege escalation on Windows 10 1809 (RS5) and earlier. This research was done without getting a chance to analyze the in-the-wild 0day exploit that led to the bug being patched by Microsoft, but rather by patch diffing and following some minimal public information as a starting point. The following steps will be detailed: race condition -> use-after-free -> memory disclosure -> increment primitive -> arbitrary read -> arbitrary write -> privilege escalation.

oct0xor

Hacking Sony PlayStation Blu-ray Drives

The Xbox 360 video game console had a number of widely known hacks for the firmware of its optical disc drives. However, this was never the case with the Blu-ray disc drives of Sony PlayStation video game consoles. In fact, up until recently there was not much information available on this subject publicly. In this presentation, I would like to share my journey of delving deep into the internals and security of Sony PlayStation Blu-ray disc drives.

Alexander Ermolov

Untrusted Roots: exploiting vulnerabilities in Intel ACMs

This talk will be all about security analysis of all known types of ACMs and how to exploit vulnerabilities in them (keeping in mind that they are sometimes encrypted and running only from L3 cache).