Mach ports are one of the most fundamental parts of the XNU kernel. This talk takes a deep dive into how the user and kernel Mach port APIs work, the implicit security guarantees they make, and how to leverage those guarantees to build logical exploit primitives. I will discuss the discovery and exploitation of multiple sandbox escape and kernel bugs on iOS.
We take a look at the general process of patch analysis, walking through each step from downloading the patch to a weaponized exploit. For the case study, we perform the analysis for the CVE-2016-0189 (vbscript.dll) and jscript9.dll bugs fixed in MS16-063 for IE11, the Edge/chakra.dll bugs (CVE-2016-7200, CVE-2016-7201), the win32k kernel bug fixed in MS16-106, as well as new bugs discovered in the latest March update.
We also talk about ways to bypass mitigations such as CFG and RFG.
Last year, while I was focusing on AV (antivirus software) kernel drivers, an idea came to me that helped me find many nice vulnerabilities in AV kernel drivers and saved me a lot of time. In this talk, I will share that idea in detail, and then talk about how to find AV kernel driver vulnerabilities efficiently.
Teaming up with Lokihardt, we successfully exploited fully patched Apple Safari on macOS Sierra and got root privilege at PWNFEST 2016. After gaining arbitrary code execution in a strictly sandboxed Safari Web Process, we first exploited an uninitialized kernel heap issue to bypass KASLR, and then exploited an uninitialized kernel stack issue to gain arbitrary code execution in the kernel. In this talk, we will uncover these kernel vulnerabilities and discuss the whole kernel exploitation chain in detail.
This talk introduces the various web browser vulnerabilities I have found and reported, and how I exploited them. I will discuss not only web browser vulnerabilities, but also various logical bugs and kernel bugs.
From physical (GPON FTTH) to logical networks, this talk is about finding vulnerabilities in protocols (CWMP, GPON), devices (FTTH Optical Network Units, routers, switches, cameras, NAS), services (APIs, TR-069 servers) and potentially exploiting them in order to take over large parts of ISP networks with 0day vulnerabilities.
The contents of this 0-day talk will be disclosed only in the conference room.
The last public Sony PS4 jailbreak targeted firmware version 1.76, which was released more than two years ago. As more mitigations are introduced, PS4 jailbreaking becomes much more challenging. At GeekPWN 2016, I demonstrated booting a Linux system on the latest PS4 console by exploiting multiple vulnerabilities, from WebKit to the kernel. In this talk, I'd like to share some technical details about PS4 hacking.
Intel SGX is a new security mechanism that recently shipped with Intel Skylake, with the unprecedented promise of making cloud computing secure. In this talk, we will introduce 1) how to blindly launch an exploit against SGX, and 2) how to reveal the execution traces of an SGX program with a new side channel we found recently.
This talk will describe a number of successful vulnerability exploitation attempts against Android. The root cause of each exploit and the corresponding mitigation technique that was built into the Android platform will be given. The talk will conclude with current vulnerability trends in Android and mitigation techniques that the Android Security team has been experimenting with.
This talk is mostly about the exploitation of design bugs. The speaker will show live 0-day vulnerability exploitations that will be disclosed at the conference.
The training courses of Zer0Con focus on bug hunting and exploitation.
Registration will be closed on March 31.
If you want to run your training course, send us an email with the following.
- Self introduction, abstract, curriculum, etc.
- poc.zer0con@ gmail.com (PGP public key)
- ADDRESS: 70, Baumoe-ro 12-gil, Seocho-gu, Seoul, Korea
- TEL: +82-2-571-8100
- WEB: http://thek-hotel.co.kr/e_seoul/main.asp
“There seem to be no empty rooms in the venue hotel now.
So we recommend that attendees book other hotels in the Gangnam area.
See this file for your hotel rooms.”
Organizer & Sponsor
Copyright(c) Zer0Con All rights reserved.