Relaying NTLM authentication is still a serious problem on Windows domain networks almost 20 years after it was initially published. While Microsoft has introduced many changes to NTLM authentication, such as Extended Protection for Authentication, one common recommendation is to just disable NTLM entirely and revert to using Kerberos. The obvious question to ask is: is disabling NTLM sufficient to solve authentication relay attacks on Windows networks?
Exploits targeting JavaScript engines have risen to prominence in recent years and are today frequently used to compromise the renderer process in a typical browser exploit chain. This talk aims to give an overview of the current state of JavaScript engine security. It will cover various JavaScript engine internals, common bug types and how they are typically exploited, as well as the state of present and potential future exploit mitigations. It will then hopefully become clear why JavaScript engines are currently favoured by attackers.
A round-up of the state-of-the-art in modern Chromium-based browser IPC sandbox-escape exploitation, and a look towards the future. We'll start with a brief overview of the techniques that we've used in our own past exploits, and seen in public and in-the-wild exploit samples, and then move on to describing a more futuristic approach and its interaction with current and prospective exploit mitigations.
Exynos-based Samsung phones contain an encrypted blob of highly privileged firmware known as the loadable firmware, of which little is (publicly) known, but that implements many of the most security critical operations related to efuses, cryptographic keys, memory protection, etc. In this presentation we will demonstrate how we extracted the decrypted firmware of last year's Galaxy S21 and some of the bugs we found while reverse engineering the firmware, resulting in several ways to fully compromise the Trusted Execution Environment from a rooted Android environment.
Modern basebands are an attractive exploitation vector to target smartphones and cellular-connected devices. Baseband vulnerability research remains complex, as researchers often lack means of debugging these components. This submission presents how standard communication interfaces present on all baseband chips can be used to write a target-agnostic debugger, provided that partially overwriting baseband firmware is possible. The decisions taken during development are explained and the construction of such a debugger is explained step by step. Finally, to demonstrate the debugger, a breakpoint is created and a GSM message delivered from a rogue cellular base station is observed live in the baseband memory.
Kernel Fuzzer for Xen (KF/x), the Xen-based snapshot fuzzer, has been open-source for over a year now and it has resulted in finding bugs in a variety of Linux kernel modules. As the name of the tool implies, it was intended to target hard-to-reach parts of the OS and allow deterministic fuzzing by running the target code in lightweight VM forks.
For any device, the supply chain is extremely complex and it plays a significant role in platform security. The UEFI System Firmware relies heavily on its supply chain, with many parties involved, including OBV, IBV, OEM, etc., each following their own development lifecycle and mitigation policy, and impacting different security models and update delivery timelines for endpoint devices.
The landscape of offensive security for *OS has evolved over the years due to ever-increasing mitigations. This talk will shed some light on what it takes to successfully attack *OS in current times and how things have changed compared to a few years ago.
From Parser Differentials to Sandbox Escapes, Valve's Source Engine isn't just fun for players, but for Exploit Developers as well. In this talk, we map out client and server-side attack surface that affects dozens of millions of users, detail exploitation strategies and share our journey into developing a 100% reliable, wormable RCE chain. Learn how to find, validate, and profit from bugs affecting some of the most popular multiplayer games.
Hacking through the WAN (Wide Area Network) interface of a consumer or enterprise network router requires different approaches and techniques than hacking through the LAN (Local Area Network) interfaces. WAN interface services are usually much better protected and firewalled than on a LAN interface, and usually there are no network services accessible from the WAN. However, using the techniques we have developed we were able to demonstrate 6 unique successful WAN exploits during our Pwn2Own adventures. In this talk, we will present our exploits and methodology that we kept private for our own use until now.
In 2021, a record-breaking XX [51 as of Oct 21, 2021] 0-day exploits were detected in-the-wild, up from 25 in 2020. That means we have XX [51 so far] data points to learn what attackers are actually doing with 0-day exploits. This talk synthesizes what we can learn from the 0-days detected in-the-wild in 2021: the trends, the lessons learned, the novel bugs & methods. All of this will be backed up with detailed walk-throughs of some of the most notable aspects of the in-the-wild 0-day exploits seen in 2021.
Since the discovery of the Spectre and Meltdown vulnerabilities, transient execution attacks have increasingly gained momentum. However, while the security community has investigated several variants to trigger attacks during transient execution, much less attention has been devoted to the analysis of the root causes of transient execution itself. Most transient attack variants simply build on well-known causes, such as branch misprediction and aborts of Intel TSX, which is no longer supported on many recent processors.
During research this past spring, multiple privilege elevation vulnerabilities were discovered that affect all versions of Windows since Vista. Most of the vulnerabilities are memory corruption bugs and, despite modern mitigations, were easy to exploit. This talk will cover the discovery of the bugs and the techniques used to create reliable exploits.
All modern Intel CPUs have a RISC core inside the chip. The core implements an abstraction layer that translates the user-visible instruction set into invisible hardware-internal RISC instructions. The RISC core has maximum privileges when accessing data. The microcode program is built into the chip, but the OS and UEFI may apply patches to it (microcode updates). Unfortunately, they are encrypted and there is little public information on how they work. Due to this, there is no public research on the internal structure of Intel CPU microcode. Now we have found a way that you can use to get access to it on a publicly available platform.
This talk is about our journey and step-by-step process into fuzzing Ethereum 2.0 implementation software. We will start with a brief introduction to the Ethereum 2.0 specification and ecosystem. Then, we will explain the architecture of this type of software and the kind of bugs we were looking for (DoS, logic/consensus bugs). We will also detail the complexity behind fuzzing 5 different pieces of under-development software written in 5 different languages (Rust, Go, Java, Nim, JS) by 5 different teams. Finally, we will go chronologically through all the different fuzzing frameworks and techniques (dumb, coverage-guided, differential, structural) we used and why we chose them in the first place. In the end, this project led us to find more than 30 critical bugs across all implementations.