Speakers 2026

Ollie Whitehouse

Chaotic Good and Chaotic Bad: ensuring collective success in defensive endeavours through offence

The offensively minded ecosystems are critical to cyber defence. Given this, we need the various communities to grow and thrive to support shared endeavours. The talk will open with a view when charged to defend a nation..

Xingyu Jin & Martijn Bogaard

Tile-Based Deferred Rooting: When Your GPU Starts Rendering To Kernel Code Space!

As GPUs assume increasingly intricate roles—from machine learning to advanced image processing and augmented reality—they are simultaneously becoming more appealing targets for attackers. Their exposed position to unprivileged applications and browser processes, allowing 0-click attacks, amplifies the need for rigorous security evaluation. In this presentation we will discuss an interesting vulnerability found on the Imagination DXT GPU. This adventurous exploit diverged from conventional kernel exploits as it leveraged undocumented behavior of the GPU hardware itself. Additionally, the Linux kernel mitigations turned out to be ineffective in preventing exploitation.

Cristofaro Mune

Exploiting QSEE Vulnerabilities In Google's Wifi Pro

Trusted Execution Environments (TEEs) serve as one of the last lines of defense for a device's most sensitive assets — from cryptographic keys to secure boot chains. Although designed to be resilient even when the rest of the system is compromised, in practice they often fall short of this promise.

Hrvoje Misetic

4-Byte Heap Overflow To RCE In Minecraft

Minecraft is one of the most popular games of all time, with millions of players relying on community-hosted servers. A 1-click server-to-client RCE vulnerability poses an extremely serious security threat.

Nan Wang (sakura) & Ziling Chen (R1nd0)

Enhanced Insecurity Mode: 23 RCEs in Edge's "Safe" WebAssembly Interpreter

Microsoft Edge's Enhanced Security Mode was designed as the ultimate defense when browsing unfamiliar websites. By disabling JIT compilation and forcing all WebAssembly code through an interpreter called DrumBrake, Microsoft promised protection against the most common classes of browser exploitation. The irony? This security feature became a massive attack surface itself.

Patrick Ventuzelo & Atlan Pinabel

Navigating the MTE Landscape: iOS Memory Protection Deep Dive

Apple's deployment of **Memory Tagging Extension** (MTE) across iOS represents a fundamental shift in mobile platform memory safety. This talk provides a comprehensive technical analysis of how MTE is integrated throughout the iOS memory management stack, from kernel zone allocators to userland heap implementations.

Natalie Silvanovich & Seth Jenkins

A 0-Click Exploit Chain For The Pixel 10

Attackers are often reported to target mobile devices with 0-click exploits, but limited information is available about how such exploits work on modern Android devices. This talk will explain how Project Zero exploited two vulnerabilities to compromise a Google Pixel 9 remotely, without user interaction. It will then explain how we chained a different privilege escalation vulnerability to exploit the Pixel 10.

Xiling Gong

From Zero To Root: Attacking Qualcomm DSP Driver

On the Android system, finding new attack surfaces to achieve root privilege remains a hot topic among security researchers. In the past, the most commonly used rooting attack surfaces were Binder and the GPU. Since OffensiveCon 2025, a novel rooting attack surface - the Qualcomm DSP Driver - has come to the attention of the security community. We will share our research on the Qualcomm DSP driver. The vulnerabilities we found and the exploit on the latest device show it’s still an important attack surface for rooting.

Benoît Sevens

The DNG Weird Machine: Deconstructing an In-The-Wild Android Image Exploit

While iOS image-based exploits have received significant public analysis, Android-specific one-shot exploits have historically seen less public documentation. This presentation offers a technical autopsy of an exploit targeting the Samsung-specific Quram image parsing library, used in the wild between late 2024 and early 2025. The attack utilized a crafted DNG file delivered via WhatsApp to achieve remote code execution.

Chris & Benedict Schlueter

Your TEE Is Only as Strong as Its Interconnect: Breaking SEV-SNP using AMD's Infinity Fabric

Modern CPUs comprise many different components and therefore require a high degree of interconnectivity between them. This task is handled by internal routing networks. These networks are hugely important for the CPU to function correctly and in a performant fashion. Unfortunately for researchers, they are also not documented in depth, which makes investigating their impact on the security of different CPU features difficult.

NiNi Chen & Wei Che Kao (Xiaobye)

Pedal to the Metal: Accelerating to the Host via VirtualBox VMSVGA

Graphics virtualization has long been one of the most fragile hypervisor attack surfaces. A representative example is VMware SVGA. It’s not only used in VMware but also supported by VirtualBox and QEMU. The combination of a complex, stateful interface and memory-unsafe code paths makes it prone to bugs, and the primitives exposed by the graphics stack often make it easy to develop practical VM-escape exploits.

Ivan Fratric

Beyond the Limits of Site Isolation

Between 2018 and 2019, Chrome introduced Site Isolation, a security feature that prevents attackers from using renderer or side-channel exploits to access sensitive cross-site data. The feature is not without limitations, some of which are well known and documented. This talk introduces another one.

Erik Egsgard

IRON GIANT: When The Vault Becomes The Victim

The Local Security Authority Subsystem Service (LSASS) sits at the core of Windows security, handling critical functions like authentication, credential management, and security policy enforcement.

Kaufi

From Samsung Account to RCE: A Journey to a Remote 0-Click Capability

Achieving a 0-click capability on Android is a non-trivial process that requires taking into account multiple factors such as exploitability, covertness, and a deep understanding of our target's communication surface.

Zhongquan Li

Design-Based Vulnerabilities on macOS: Oops, Not a One-Shot Fix

In this presentation, the speaker will disclose several macOS design-based vulnerabilities. Compared with code-level bugs, design-based vulnerabilities are often hard to fix in a single shot. A piece of vulnerable code might only be exploitable on macOS, but the same code can exist across Apple platforms (macOS, iOS, watchOS, etc.).

Philipp Mao & Rokhaya Fall

Exploiting Android Apps with Counterfeit Art

Arbitrary file overwrite vulnerabilities are common in Android apps, but since Android 5, whether this can be turned into code execution or not has become highly app-dependent. We present a new, app-agnostic, persistent technique that reliably converts arbitrary file overwrites into code execution by targeting the runtime-generated app image .art file, which remains writable within an app’s sandbox. By replacing this file with a crafted malicious image, attackers persistently gain code execution when the app restarts.

Paul Gerste & Moritz Sanft

SELECT shell FROM postgres: Digging up a 20-year-old bug for ZeroDay.Cloud

For the first edition of ZeroDay Cloud, the new kid around the hacking competitions, we had a look at multiple targets. PostgreSQL, one of the most-used database systems, was an interesting one.