SPEAKERS
In Windows 10 Anniversary Edition Microsoft introduced Desktop Bridge, originally known as Project Centennial. This technology allows normal Win32 applications to be converted to run as self-contained Windows Store applications, redirecting file and registry access so that the application can easily be uninstalled, leaving no remaining footprint. To support Desktop Bridge Microsoft had to change a number of different parts of the OS, including the kernel and system services. This presentation will be an in-depth look at how Desktop Bridge works, as well as a look at some of the bugs I've discovered in the various components which make up the technology.
This talk starts by reviewing all the countermeasures utilized by Apple to discourage exploitation. It then explains why all of them are essentially futile for a determined attacker with sufficient knowledge of system internals. It explores a freely available post-exploitation library provided by the author, which enables researchers or jailbreaking hobbyists to code a functional jailbreak in about 20 lines of code.
An unusual way to exploit Windows Insider Preview via an interesting binary in the Windows folder called the HTML Help Executable, hh.exe:
- A Windows Media Player information disclosure vulnerability that I triggered via hh.exe, and the idea behind bypassing the prompt to avoid user interaction.
- The interesting trick that allows you to escape from Microsoft Edge's AppContainer sandbox.
- Multiple vulnerability cases that I found in hh.exe.
As well as a look at a Firefox browser Remote Code Execution + Windows Elevation of Privilege exploit to achieve SYSTEM-level code execution on the latest Windows 10 operating system.
Google Chrome is the most popular web browser, with over one billion users. With the proliferation of Android devices, Chrome has become a compelling target for APT attacks. New features in the JavaScript language and deeper analysis by security researchers have opened the door to finding weaknesses in modern browsers. While Chrome is well known for its performance, that performance often comes at a cost to its security. We will examine a recent vulnerability in Chrome (specifically in V8) to witness how these shiny new features end up opening security holes. We will also discuss the methodology of exploiting vulnerabilities within Chrome by understanding its internals. Finally, we make it simple to achieve arbitrary code execution by extending pwn.js to support Google Chrome.
In this talk, I will explain macOS exploitation using browser/kernel 1-day vulnerabilities, defining the exploit process from 1-day vulnerability analysis to macOS/Safari exploitation, including mitigation bypasses.
This talk takes a deep dive into XNU's IOKit, discussing its architecture, security features and significance in Apple's operating systems. It shows how to interface with, probe, reverse, and finally exploit IOKit components, touching down on common patterns and convenient exploit strategies. Lastly it takes a look at previous IOKit vulnerabilities and does a detailed case study on the "IOHIDeous" exploit.
There are lots of daemons in Android devices, and most of them provide support for privileged services, such as starting activities, playing back media and making phone calls. But what if the daemons are not secure enough? A malicious attacking process can send crafted and malformed data to daemons via IPC to trigger vulnerabilities in them, achieving various aims such as denial of service, information disclosure and even privilege escalation.
In this presentation, I will first introduce some basic knowledge about Android daemons, including their mechanism and attack surface. Then I will present a coverage-guided fuzzing approach. The approach is made efficient by integrating AFL (American Fuzzy Lop), ASan (AddressSanitizer) and Valgrind together. Finally I will demonstrate the proof-of-concept code and discuss a potential way to exploit one of the vulnerabilities to elevate privileges.
The Mach message mechanism is widely used in iOS/macOS and is the very foundation of all other message mechanisms like XPC or MIG. In the past, some critical bugs involving Mach messages were reported by security researchers; we will introduce some of them and show how Apple added new mitigations to try to prevent successful exploitation.
Through studying those bugs we will understand that the knowledge gap between developers is the actual root cause. For example, mishandling of Mach messages could lead to very powerful exploitation primitives like deallocating arbitrary memory or ports. Such bugs exist in both user space and kernel space. We will analyze two powerful user space sandbox escape bugs and a kernel privilege escalation bug. The user space bugs were collided with at the 2017 Mobile Pwn2Own contest, and the kernel one was collided with by a researcher from Google Project Zero.
A vulnerability is found, fixed, the fix is bypassed, the bypass is patched.
Instead of being the exception to the rule, this has become standard.
In addition to being a useful research methodology, this has serious implications for the exploitation economy, as almost no adjustments are needed to an existing exploit.
In this talk, we will cover the Linux memory manager and Chakra engine internals, and focus on incorrectly patched past vulnerabilities in browsers and operating systems (e.g. "Huge Dirty COW", found by us) and their exploits.
Over the course of the past few years, security software like anti-virus products has been gaining a lot of attention, whether from security researchers or black-hat hackers, who actively look for security issues or vulnerabilities in this software. One of the reasons is perhaps that security products consist of many attack vectors, and usually they can be easily exploited. However, one of the attack vectors, the self-defense mechanism, has been neglected by security researchers, and it contains plenty of low-hanging security issues that are yet to be explored. Because the self-defense mechanism is a less explored area, we started to manually reverse engineer some popular security products and took a deeper look into the implementation of the self-protection mechanism in these products. Over the course of six months, we audited six leading AV products and managed to discover multiple trivial vulnerabilities, from security bypass to local privilege escalation. One of the techniques we used to defeat the self-defense mechanism has existed for years, is very well known to malware authors, and was actively used by the CIA to defeat AV, as came to light through the WikiLeaks disclosure in early March 2017. One of the highlights of this presentation is to show how an old-school trick like Process Hollowing can be effective in bypassing AV self-protection. In this presentation, we will first give an overview of how the self-defense mechanism is implemented by security products. Then we will present some case studies to demonstrate how to defeat AV by bypassing the self-protection mechanism of different security products. Finally, we will also introduce a generic technique, which is not widely known yet, that could effectively get around the self-defense mechanism of most security products.
Brief biography: James Forshaw from Google Project Zero.
Abstract: see "A Bridge too Far" above.
Brief biography: James Lee from Kryptos Logic.
Abstract: An unusual way to exploit Windows Insider Preview via an interesting binary in the Windows folder called the HTML Help Executable, hh.exe. First, we'll go through a Windows Media Player information disclosure vulnerability that I triggered via hh.exe, and the idea behind bypassing the prompt to avoid user interaction. Second, the interesting trick that allows you to escape from Microsoft Edge's AppContainer sandbox. hh.exe has an embedded feature inside, which is an EPM-disabled Medium IL Internet Explorer 11. Similarly, there are several interesting extensions which open Internet Explorer 11 at Medium IL without EPM while you are in the Internet Zone, and this file automatically runs without user interaction when you visit a specially crafted page via Microsoft Edge. We'll go through this behavior and my own way of exploiting this vulnerability. Finally, I'll finish off by going through multiple vulnerability cases that I found in hh.exe. They include multiple Remote Code Execution vulnerabilities in hh.exe which are UMCI/Device Guard bypasses that allow you to execute trusted signed code/binaries from unsigned code/binaries.
Brief biography: Brian Pak (Cai), Co-founder/Researcher at Theori. Reverse engineering / exploit development. Automotive security. R&D. Founder of the Plaid Parliament of Pwning (PPP) CTF team: 3 wins at the DEF CON CTF finals, and numerous wins at other international CTFs.
Abstract (translated from Korean): Chrome, built by Google, is the most popular web browser in the world, with more than one billion users. As Android devices have spread widely, Chrome has become an even more attractive target for APT attacks. New features added to the JavaScript language and in-depth analysis by security experts have made it possible to discover vulnerabilities in modern browsers. Chrome is well known for its fast performance, but that usually comes at the cost of security. In this talk we look at a vulnerability recently found in Chrome (specifically the V8 engine) and examine how these new features ended up creating security holes. We also look at exploitation techniques in Chrome by understanding its internal structure. Finally, we plan to extend pwn.js, the web browser exploitation framework disclosed at the last POC, to support Chrome, and release it.
Brief biography: Zinuo Han (ele7enxxh) is a security researcher at the Chengdu Security Response Center, Qihoo 360, mainly focusing on vulnerability discovery and vulnerability analysis on Android. He discovered 26 Android vulnerabilities in 2017, including 11 critical vulnerabilities. He has presented his security research at Ruxcon 2017. Zhe Jin is a security researcher at the Chengdu Security Response Center, Qihoo 360 Technology. He previously worked at Ahnlab and Tencent as a security researcher. He has been involved in security research for 10 years. As an experienced researcher, he performs investigations into malware analysis and has developed a general virtual machine engine for unpacking polymorphic viruses, a taint-based Android malware detection system, a machine learning-based Android ELF detection engine, etc. Recently, his research has mainly focused on vulnerability discovery and vulnerability analysis on Android. He has rich experience in binary fuzzing and grammar-based fuzzing and discovered some valuable vulnerabilities in the Android OS this year.
Abstract: see "Find Vulnerabilities in Android Daemons" above.
Brief biography: Slipper and Xu Hao from the Pangu team.
Abstract: see "Carefully handle your message" above.
Brief biography: Wayne Low (@x9090) [wlow@fortinet.com], Vulnerability Research Team Lead, Fortinet Inc. He was a Senior Malware Analyst at F-Secure and is now working as a Security Researcher at Fortinet. As a malware analyst, he mainly focuses on performing in-depth malware analysis and working closely with dynamic analysis or behavior-based technology. Currently his main interest is performing exploit analysis and vulnerability research on the Microsoft Windows kernel and Microsoft Office. In the past, he has discovered multiple vulnerabilities and shared his discoveries through blog posts and whitepapers, and has presented his findings at security conferences like ISOI12, HITB and HITCON. Yongjian Yang [yjyang@fortinet.com], Antivirus Manager, Fortinet Inc. He works as an Anti-virus Manager in the FortiGuard Lion Team at Fortinet Inc. He has more than 10 years of malware reverse-engineering experience, specializing in generic malicious characteristic extraction, custom packers and cryptography. He led the RAP team for Reactive & Proactive detection and is one of the pioneers who set up the FortiGuard APAC Anti-virus R&D lab based in Singapore.
Abstract: see "Breaking Security Software Protections by diving into AV self-protection attack vector" above.
SCHEDULE
March 29, 2018
TIME | SPEAKER | TITLE |
09:00 ~ 09:30 | Registration | |
09:30 ~ 10:00 | Welcome & Introduction | |
10:00 ~ 11:00 | Pangu Team | Carefully handle your message |
11:00 ~ 11:30 | Break Time | |
11:30 ~ 12:30 | Jonathan Levin | Friends, Romans, Countrymen - Lend me your kernel_task port |
12:30 ~ 14:00 | Lunch | |
14:00 ~ 15:00 | Singi | How to make macOS exploit(from Browser to Kernel) |
15:00 ~ 16:00 | Social Break | |
16:00 ~ 17:00 | Siguza | The HIDeous parts of IOKit |
17:00 ~ 17:30 | Break Time | |
17:30 ~ 18:30 | Zinuo Han, Zhe Jin | Find Vulnerabilities in Android Daemons |
TIME | SPEAKER | TITLE |
10:00 ~ 11:00 | Wayne Low, Yongjian Yang | Breaking Security Software Protections by diving into AV self-protection attack vector |
11:00 ~ 11:30 | Break Time | |
11:30 ~ 12:30 | James Forshaw | A Bridge too Far |
12:30 ~ 14:00 | Lunch | |
14:00 ~ 15:00 | James Lee | Unusual Windows Insider Preview Exploitation |
15:00 ~ 16:00 | Social Break | |
16:00 ~ 17:00 | Brian Pak | Patch Analysis on Google Chrome |
17:00 ~ 17:30 | Break Time | |
17:30 ~ 18:30 | Daniel Shapiro, Eylon Ben Yaakov | Old Bugs Don't Die |
19:00 ~ | Dinner Party for Speakers and All Attendees | |
TRAINING
The training courses of Zer0Con focus on bug hunting and exploitation.
Trainer | Date | Subject | Fee |
Pangu Team | March 26 ~ 28 | The practice and evolution of iOS kernel hacking | $4,000 |
Aseem Jakhar | March 26 ~ 28 | Practical IoT Hacking Training | $3,500 |
Ashfaq Ansari | March 26 ~ 28 | Windows Kernel Exploitation Advanced | $3,500 |
- The training course fee does not include a Zer0Con conference ticket.
- Training courses include hotel lunch.
- Zer0Con issues CISSP CPE certificates, etc.
- After your registration, you will see detailed information about payment.
- A training course may be canceled if the number of registrants is lower than the minimum the trainer specifies.
If you want to run your own training course, send us an email with the following:
- Self introduction, abstract, curriculum, etc.
- zer0con@pocsec.com (PGP public key)
VENUE
- ADDRESS: 70, Baumoe-ro 12-gil, Seocho-gu, Seoul, Korea
- TEL: +82-2-571-8100
- WEB: http://thek-hotel.co.kr/e_seoul/main.asp
- If you want more information, click the map below.
“There seem to be no empty rooms in the venue hotel now, so we recommend that attendees book other hotels in the Gangnam area. Check this file for your hotel rooms.”