Speakers of Zer0Con

Team Member
James Forshaw, Google Project Zero
A Bridge too Far

In Windows 10 Anniversary Edition Microsoft introduced Desktop Bridge, originally known as Project Centennial. This technology allows normal Win32 applications to be converted to run as self-contained Windows Store applications, redirecting file and registry access to allow the application to be easily uninstalled, leaving no remaining footprint. To support Desktop Bridge, Microsoft had to change a number of different parts of the OS, including the kernel and system services. This presentation will be an in-depth look at how Desktop Bridge works, as well as a look at some of the bugs I’ve discovered in the various components which make up the technology.

Jonathan Levin
Friends, Romans, Countrymen - Lend me your kernel_task port

This talk starts by reviewing all the countermeasures utilized by Apple to discourage exploitation. It then explains why all of them are essentially futile for a determined attacker with sufficient knowledge of system internals. It explores a freely available post-exploitation library provided by the author, which enables researchers or jailbreaking hobbyists to code a functional jailbreak in about 20 lines of code.

James Lee, Kryptos Logic
Unusual Windows Insider Preview

An unusual way to exploit Windows Insider Preview via an interesting binary in the Windows folder called HTML Help Executable (hh.exe).
- A Windows Media Player Information Disclosure vulnerability that I triggered via hh.exe, and the idea behind bypassing the prompt to avoid user interaction.
- The interesting trick that allows you to escape from Microsoft Edge's AppContainer sandbox.
- Multiple vulnerability cases that I found in hh.exe.
As well as a look at a Firefox browser Remote Code Execution + Windows Elevation of Privilege exploit to achieve SYSTEM-level code execution on the latest Windows 10 operating system.

Brian Pak (Cai), Theori
Patch Analysis on Google Chrome

Google Chrome is the most popular web browser, with over one billion users. With the proliferation of Android devices, Chrome has become a compelling target for APT attacks. New features in the JavaScript language and deeper analysis by security researchers have opened the door for finding weaknesses in modern browsers. While Chrome is well known for its performance, this often comes at a cost to its security. We will examine a recent vulnerability in Chrome (specifically in V8) to witness how these new shiny features end up opening up security holes. We will also discuss the methodology of exploiting vulnerabilities within Chrome by understanding its internals. Finally, we make it simple to achieve arbitrary code execution by extending pwn.js to support Google Chrome.

Singi, Theori
How to make a macOS exploit (from Browser to Kernel)

In this talk, I will explain macOS exploitation using browser/kernel 1-day vulnerabilities, defining the exploit process from 1-day vulnerability analysis to macOS/Safari exploitation, including bypassing mitigations.

The HIDeous parts of IOKit

This talk takes a deep dive into XNU's IOKit, discussing its architecture, security features and significance in Apple's operating systems. It shows how to interface with, probe, reverse, and finally exploit IOKit components, touching on common patterns and convenient exploit strategies. Lastly, it takes a look at previous IOKit vulnerabilities and does a detailed case study on the "IOHIDeous" exploit.

Zinuo Han (ele7enxxh) & Zhe Jin, Qihoo 360
Find Vulnerabilities in Android Daemons

There are lots of daemons in Android devices, and most of them provide support for privileged services, such as starting activities, playing back media and making phone calls. But what if the daemons are not secure enough? A malicious attacking process can send crafted and malformed data to daemons via IPC to trigger vulnerabilities in the daemons, so that it can achieve various aims such as denial of service, information disclosure and even privilege escalation.
In this presentation, I will first introduce some basic knowledge about Android daemons, including their mechanism and attack surface. Then I will present a coverage-guided fuzzing approach. This approach is efficient because it comprehensively integrates AFL (american fuzzy lop), ASAN (AddressSanitizer) and Valgrind. Finally, I will demonstrate the proof-of-concept code and discuss a potential way to exploit one of the vulnerabilities to elevate privileges.

Slipper &
Pangu Team
Carefully handle your message

The Mach message mechanism is widely used in iOS/macOS, and it is the very foundation of all other message mechanisms like XPC or MIG. In the past, some critical bugs concerning Mach messages were reported by security researchers; we will introduce some of them and show how Apple added new mitigations to try to prevent successful exploitation.
Through learning about those bugs, we will understand that the knowledge gap between developers is the actual root cause. For example, mishandling of Mach messages could lead to very powerful exploitation primitives like deallocating arbitrary memory or ports. Such bugs exist in both user space and kernel space. We will analyze two powerful user space sandbox escape bugs and a kernel privilege escalation bug. The user space bugs were collided with at the 2017 Mobile Pwn2Own contest, and the kernel one was collided with by a researcher from Google Project Zero.

Daniel Shapiro & Eylon Ben Yaakov
Old Bugs Don't Die

A vulnerability is found, fixed, the fix is bypassed, the bypass is patched.
Instead of being the exception to the rule, this has become standard. In addition to being a useful research methodology, this has serious implications for the exploitation economy, as almost no adjustments are needed for an existing exploit.
In this talk, we will cover the Linux memory manager and Chakra engine internals, and focus on incorrectly patched past vulnerabilities in browsers and operating systems (e.g. "Huge Dirty COW", found by us) and their exploits.

Wayne Low & Yongjian Yang
Breaking Security Software Protections by diving into AV self-protection attack vector

Over the course of the past few years, security software like Anti-Virus products has been gaining a lot of attention from both security researchers and black-hat hackers, who actively look for security issues or vulnerabilities in this software. One of the reasons is perhaps that security products consist of many attack vectors, which can usually be easily exploited. However, one of these attack vectors, the self-defense mechanism, has been neglected by security researchers and contains plenty of low-hanging security issues that are yet to be explored. Because the self-defense mechanism is a less explored area, we started to manually reverse engineer some popular security products and took a deeper look into the implementation of the self-protection mechanism in these products. Over the course of six months, we audited six leading AV products and managed to discover multiple trivial vulnerabilities, from security bypass to local privilege escalation. One of the techniques we used to defeat the self-defense mechanism has existed for years, is very well known to malware authors and was also actively exploited by the CIA to defeat AV, as came to light through the disclosure by WikiLeaks in early March 2017. One of the highlights of this presentation is to show how an old-school trick like Process Hollowing can be effective in bypassing AV self-protection. In this presentation, we will first give an overview of how the self-defense mechanism is implemented by security products. Then we will present some case studies to demonstrate how to defeat AV by bypassing the self-protection mechanisms of different security products. Finally, we will also introduce a generic technique, not widely known yet, that could effectively get around the self-defense mechanism of most security products.


Schedule of Zer0Con2018

March 29 ~ 30, 2018, Seoul, Korea

You can download a pdf version here.


Zer0Con Training Course

The training courses of Zer0Con focus on bug hunting and exploitation.


The-K Hotel, Seoul

Crystal Ballroom A, B Hall

- ADDRESS: 70, Baumoe-ro 12-gil, Seocho-gu, Seoul, Korea
- TEL: +82-2-571-8100
- WEB: http://thek-hotel.co.kr/e_seoul/main.asp

“There seems no empty room now in the venue hotel.
So, we recommend attendees to book other hotels in Gangnam area. Check this file for your hotel rooms.”
