Please attach the contents below as an email body and send it to zer0con adm @ gmail.com.
########## Zer0Con Call For Paper ###########
Name (@handle):
Affiliation:
Topic title:
Topic keywords:
Abstract:
Speaker information:
Previously presented/published?:
Includes exploitation demo?:
#############################################
For more information about CFP, see below.
Zer0Con is dedicated to the identification, analysis, and exploitation of vulnerabilities in various environments. This includes the exploitation of web browsers, operating system kernels, mobile platforms, AI systems, security products, and Internet of Things (IoT) devices, as well as bug hunting within these domains.
If you have any questions, feel free to mail to [zer0conadm (at) gmail.com].
Please attach the contents below as an email body and send it to zer0con adm @ gmail.com.
########## Zer0Con Call For Training ###########
Name (@handle):
Affiliation:
Course title:
Course keywords:
Previously delivered at other events or organizations?:
Abstract & Trainer information (PDF attachment):
#############################################
For more information about CFT, see below.
Zer0Con Training aims to provide an educational experience focused on identifying, analyzing, and exploiting vulnerabilities in influential software such as operating system kernels, browsers, and more. We do not limit the scope of target software, so if you have a valuable training program to propose, we welcome your submission.
If you have any questions, feel free to mail to [zer0conadm (at) gmail.com].
SPEAKERS
Abstract
Some memory corruption bugs are much harder to exploit than others. They may involve race conditions, crash the system, and bring various limitations that make the researcher's life hard. Experimenting with such fragile vulnerabilities usually takes a lot of time and effort.
The kernel-hack-drill project helps to develop PoC exploits for such hard bugs in the Linux kernel. It provides a test environment for constructing specific exploit primitives that you need for your research: https://github.com/a13xp0p0v/kernel-hack-drill
In this talk, Alexander Popov will present kernel-hack-drill and show how this project helped in experiments with CVE-2024-50264, a complicated race condition in the Linux kernel.
Alexander Popov (@a13xp0p0v)
Positive Technologies
Alexander Popov (@a13xp0p0v) has been a Linux kernel developer since 2013. He is a principal security researcher and head of the Open Source Program Office at Positive Technologies. In his spare time, Alexander is a maintainer of open-source projects connected with Linux kernel security. He is interested in kernel vulnerabilities, exploitation techniques, and defensive technologies.
Abstract
Ethereum Virtual Machines (EVMs) are stack-based Turing-complete machines at the core of blockchain platforms like Ethereum, Aurora, and others. Ensuring their compliance and robustness is critical to blockchain security. This talk provides a deep dive into fuzzing techniques tailored for EVMs, focusing on harness-based fuzzing and differential fuzzing.
Key highlights of the talk:
- Introduction to EVMs
- Fuzzing Harnesses
- Differential Fuzzing
- Impact Analysis
This talk combines theoretical insights and practical demonstrations, making it a valuable resource for blockchain developers, researchers, and security professionals. Attendees will leave with a deeper understanding of EVM fuzzing, tools, and techniques for identifying and mitigating vulnerabilities.
Bryton Bernard (@lxt33r)
FuzzingLabs
Bryton Bernard is passionate about cybersecurity and currently works at FuzzingLabs as a Security Engineer. His focus is on researching vulnerabilities in blockchain systems. He employs techniques such as fuzzing to identify and address flaws, aiming to enhance the security and reliability of these technologies.
Mathieu Hoste (@mhoste1)
FuzzingLabs
Mathieu Hoste is a security engineer at FuzzingLabs and a cybersecurity enthusiast who began his journey in reverse engineering. Over time, his passion led him to specialize in blockchain vulnerability research. At FuzzingLabs, he focuses on uncovering critical flaws in Ethereum using advanced fuzzing techniques to improve the security of the blockchain ecosystem.
Abstract
As one of the most popular commercial virtualization solutions, VMware's security has always been a focal point in the industry. Over the past few years, we have been closely monitoring security issues related to its virtualization infrastructure, discovering and reporting numerous vulnerabilities in both ESXi and Workstation to VMware. We have also been invited to share our research findings at security conferences such as DEFCON and HITB.
At the end of 2023, we noticed that VMware had patched a critical memory corruption vulnerability (CVE-2023-34048) in vCenter Server. The official advisory indicated that this vulnerability might have been exploited in the wild, which sparked our interest in further investigation. Over the past year, we shifted our focus to vCenter Server. Ultimately, we identified three heap overflow vulnerabilities and one privilege escalation vulnerability within its DCE/RPC protocol component, which were assigned CVE numbers CVE-2024-37079, CVE-2024-37080, CVE-2024-38812, and CVE-2024-38813. In the Matrix Cup 2024 security competition, we successfully achieved remote code execution with root privileges by exploiting one of these heap overflow vulnerabilities along with the privilege escalation defect, completing the vCenter Server project challenge. We promptly reported all discovered vulnerabilities to VMware.
In this presentation, we will begin by providing a detailed overview of the DCE/RPC protocol and the four vulnerabilities we uncovered in its implementation within vCenter Server. It is well-known that achieving remote code execution through memory corruption vulnerabilities in network services is particularly challenging, especially when defenses like Address Space Layout Randomization (ASLR) and Position Independent Executables (PIE) are in place. We will then dive into the advanced heap feng shui techniques we used to exploit two of these vulnerabilities to execute remote code with root privileges. Finally, after gaining root access to the vCenter Server's operating system, we will introduce a method to escalate privileges further and gain control over ESXi itself—demonstrating how these vulnerabilities can be leveraged to fully control the virtualized infrastructure.
Hao Zheng (@zhz__6951)
QI-ANXIN TianGong Team
Hao Zheng is a security researcher at QI-ANXIN TianGong Team, specializing in binary security. At GeekPwn 2023, he and his teammates successfully carried out a Parallels Desktop escape. In 2024, they earned the Best Vulnerability Award at the Matrix Cup for completing the vCenter Project Challenge. Hao has also been a speaker at DEFCON 32 and HITBSecConf 2024.
Zibo Li (@zblee_)
QI-ANXIN TianGong Team
Zibo Li is a security researcher at QI-ANXIN TianGong Team, specializing in binary security and IoT security. He has reported multiple vulnerabilities to VMware, receiving acknowledgments for his contributions. In 2024, he and his teammates won the Best Vulnerability Award at the Matrix Cup for their exceptional work on the vCenter Project Challenge. He is also a speaker at HITBSecConf 2024.
Yue Liu (@Mr_LiuYue)
QI-ANXIN TianGong Team
Yue Liu is a Ph.D. student at Southeast University, under the guidance of Prof. Guang Cheng. He also serves as a Security Researcher at QI-ANXIN Group, where he leads the QI-ANXIN TianGong Team. He and his team have found lots of bugs in Windows/Android/ChromeOS/IoT Devices and cracked multiple targets in Tianfu Cup 2019/2020, GeekPwn 2020/2021/2022, and GeekCon 2023/2024. He has published his work in various conferences, including Usenix 2021, ACM CCS 2022, EuroS&P 2022, HITBSecConf2022, Black Hat Asia 2024 and DEFCON24.
Abstract
Open Authorization (OAuth) is an open-standard authorization framework that grants applications access to an end user's protected resources—such as photos, calendars, or social media posts—without requiring the login credentials of the user's account.
OAuth brings convenience to people but also poses significant security risks. In fact, if OAuth's design and implementation are improper, it can lead to serious account takeover issues. After attackers take over user accounts, they can not only obtain users' private information but also cause significant losses to users' property and other assets.
However, through testing, I found that many enterprises still have serious OAuth implementation problems. Some of these enterprises are even very well-known companies, which seems a bit incredible.
Here, I will present for the first time my test results for leading companies in different industries. I will vividly introduce the flaws in their designs and explain how I combined seemingly insignificant vulnerabilities into a perfect account takeover vulnerability.
Ji'an Zhou (@azraelxuemo)
Security Researcher
Ji'an Zhou (@azraelxuemo) focuses on Java security and cloud-native security. His work has helped many high-profile vendors improve their products' security, including Amazon, Cloudera, IBM, Microsoft, Oracle, and Google. He has previously spoken at Black Hat.
Abstract
What's old is new again. The rush to capitalize on the AI boom created a deluge of applications and libraries that are being written and deployed without sufficient regard for hard-won security lessons of the last 20 years. This talk will present AI-specific vulnerabilities, but also use real-world examples to show what traditional vulnerabilities are likely to be lurking in AI applications. After mapping the attack surface, we'll move into discovery techniques and mitigation strategies. Attendees will leave confident in their ability to discover vulnerabilities in AI systems.
Joe Lucas (@josephtlucas)
NVIDIA
Joe Lucas (@josephtlucas) is a senior offensive security researcher focused on AI at NVIDIA. He is the founder and chair of the NumFOCUS Security Committee and is a member of the Jupyter Security Council. He was one of the architects and hosts of the DEF CON 30 AI Village Capture the Flag competition and is passionate about machine learning security education.
Abstract
When doing browser research we can usually celebrate once we have an arbitrary read/write primitive. Not so with Safari running on modern Apple ARM chips: Pointer Authentication Codes (PACs) prevent all the usual techniques of hijacking control flow, from modifying JIT code pointers to ROP chains.
So imagine you are weeks away from Pwn2Own, and PAC is the last obstacle between yourself and pwning the last remaining entry of the browser category. With no way to modify control flow, there's also no way to jump to any potential PAC-breaking gadget. How to escape this dilemma? In this talk I'll show you a (to my knowledge) novel technique that I used to both create and call my own PAC-signing gadget using the JIT compiler itself. This powerful gadget then allowed me to PAC-sign arbitrary pointers, making it possible to run my shellcode - and win the Master of Pwn title!
The talk will consist of a full journey from the initial JIT bug to the finished exploit, with a short refresher on PAC and associated mitigations along the way.
Manfred Paul (@_manfp)
Security Researcher
Manfred Paul (@_manfp) is an independent security researcher from Germany. He has participated in Pwn2Own Vancouver multiple times since 2020 with vulnerabilities in the Linux kernel and all major browsers, winning the Master of Pwn title at the 2024 edition.
Abstract
Chrome's V8 engine remains a prime target for attackers, with type confusion vulnerabilities driving some of the most impactful exploits in recent years. In this talk, we'll explore the modern landscape of V8 exploitation, focusing on how recent CVEs bypass strengthened defenses such as the V8 heap sandbox. We'll examine the evolution of Chrome's JIT pipeline, the role of speculative optimizations in introducing type confusion, and how techniques like WASM JIT spraying have adapted to new mitigations. Through real-world case studies and live debugging demos, attendees will gain practical insights into breaking V8 in 2024, from exploitation chains requiring multiple bugs to advanced evasion tactics targeting Chrome's latest security model.
Matteo Malvica (@matteomalvica)
OffSec
Matteo Malvica (@matteomalvica) is a senior content developer and researcher at OffSec focusing on vulnerability research, exploit development, reverse engineering and operating system internals.
Abstract
Pishi Reloaded introduces a binary-only Address Sanitizer designed for macOS Kernel Extensions (KEXTs). It detects memory safety issues like use-after-free and buffer overflows as they occur. Using techniques such as shadow memory, ARM64 pointer tagging (TBI), and binary rewriting, it's fast and reliable, providing an effective fuzzing environment. This talk will cover how these features work together to make finding hidden vulnerabilities easier and more effective.
Meysam Firouzi (@R00tkitSMM)
Security Researcher
Meysam Firouzi (@R00tkitSMM) is a software security researcher with expertise in hypervisors, Windows, Unix-based systems, and XNU (macOS and iOS). You can read about him here: https://r00tkitsmm.github.io/about/
Abstract
15-year-old threat researcher Ruikai Peng (aka retr0reg) will share his journey of transforming a heap overflow in Llama.cpp RPC distributed inference servers into a ten-thousand-word exploitation writeup.
As exclusive content for Zer0Con, Ruikai will also provide insights into his experience in the AI/ML field and offer guidance to future threat researchers interested in transitioning into AI/ML.
Ruikai Peng (@retr0reg)
Security Researcher
Ruikai Peng (aka retr0reg) (@retr0reg) is a 15-year-old threat researcher with a focus on ML security and binary exploitation. He has reported 25 CVEs, including RCEs in state-of-the-art ML projects such as TensorFlow, Transformers, Llama.cpp, Llama-cpp-python... Ruikai loves diving deep into complex applications. Beyond ML, his work includes Electron RCEs in Evernote and Youdao Notes, ROPing MIPS Tenda routers, account takeovers in ManageBac, and IDORs in sensitive governmental education systems.
Ruikai is passionate about crafting intriguing, in-depth, detailed, step-by-step exploitation write-ups, with his research featured on The Hacker News, MalwareDotNews, InfosecWriteups, and Checkmarx. He is excited to make his conference debut at zer0con!
Abstract
The talk will focus on Chrome extension security. While there is a good body of knowledge on identifying malicious extensions that attack users, relatively little systematic research exists on the attack surface of legitimate (benign) Chrome extensions. At the same time, Chrome users rely heavily on extensions and use them to perform sensitive operations (crypto wallet extensions being one of the most common examples).
FYI detailed plan for presentation, also I can provide slides.
The presentation should be useful for both red-team and blue-team participants of the information security community, since browser extension security is a relatively poorly known topic that has only recently started gathering more attention. I will cover known and novel attacks and how they can be avoided and defended against.
Vsevolod Kokorin (@slonser_)
Security Researcher
Vsevolod Kokorin (Slonser) (@slonser_) is an experienced Web2 penetration tester and bug bounty hunter specializing in frontend and browser security, having registered over 10 CVEs in 2024 in products such as DOMPurify and Chromium.
TRAINING
The training courses of Zer0Con focus on bug hunting and exploitation.
| Trainer | Date | Subject | Status | USD | KRW |
|---|---|---|---|---|---|
| Nabih Benazzouz & Kylian Boulard De Pouqueville | 4.7 ~ 4.9 | Fuzzing Windows Userland Applications | | $3,500 | ₩5,103,700 |
| Dawid Czagan | 4.7 ~ 4.9 | Black Belt Pentesting / Bug Hunting Millionaire: Mastering Web Attacks with Full-Stack Exploitation (100% Hands-On, Extended Edition) | Virtual | $3,500 | ₩5,103,700 |
| Andrey Konovalov | 4.7 ~ 4.9 | Fuzzing the Linux Kernel | Cancelled | $3,100 | ₩4,520,420 |