About
SPEAKERS
Brief biography
Alexander Popov has been a Linux kernel developer since 2013. He is a security
researcher at Positive Technologies, where he has a lot of fun with Linux kernel
vulnerabilities, exploitation techniques, and defensive technologies.
Abstract
CVE-2021-26708 is assigned to five race condition bugs in the virtual socket
implementation of the Linux kernel. These vulnerabilities were discovered and
fixed by Alexander Popov. In this talk, he will describe how to exploit them for
local privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and
SMAP. Alexander will demonstrate an artful way of turning very limited kernel
memory corruption into a powerful weapon.
Brief biography
ChenNan is a Security Researcher at Chaitin Security Research Lab.
He has more than 5 years of information security experience.
In the past years, his work has involved bug hunting and exploit techniques, mainly in virtualization, IoT and OS kernels.
He was listed as a Microsoft Most Valuable Researcher in 2019.
He was an author of the RealWorldCTF competition.
He was also a speaker at several conferences such as 44Con, CSS2018 and Insomni'hack.
Abstract
VirtualBox is a well-known open source cross-platform virtualization software.
With the continuous updates of VirtualBox, its security has been greatly improved. For example, it introduced VirtualBox process hardening, which prevents malicious software from using VirtualBox as a vehicle to obtain kernel-level access.
It also removed the Chromium 3D libraries and the VHWA interface, which were prone to vulnerabilities, and by default it now places the I/O and MMIO handlers of PDM devices inside a critical section.
But it still has some interesting attack surfaces, such as USB backends, storage backends, and special self-use interfaces.
This talk presents how we found some vulnerabilities in VirtualBox. In particular, we designed a special fuzzer for VirtualBox, which effectively found 10+ vulnerabilities. We will introduce the design ideas and implementation tricks used in the fuzzer, and disclose the details of some vulnerabilities. Next we will introduce in detail how to exploit these vulnerabilities, including some new exploit primitives. Finally, we will demonstrate a VirtualBox escape exploit.
Attendee Takeaways
1. Some interesting attack surfaces of VirtualBox.
2. A good method to fuzz VirtualBox (it can be extended to other virtualization platforms).
3. Some real vulnerabilities in VirtualBox.
4. A nice exploit and new primitives that you may never have seen before.
Virtual machine escape is a very popular research direction now. This topic describes some valid attack surfaces in VirtualBox.
Our fuzzing framework is effective in practice: we discovered 10+ bugs in a few months. We also carefully studied how to exploit them and finally completed the entire escape process.
Brief biography
Yuhao Weng (cjm00n) is an intern at Sangfor. He has been studying web security for two years and has found a lot of bugs in SharePoint, Exchange, Outlook and so on. Now he is focused on .NET security.
Steven Seeley (mr_me) is a member of the 360 Vulcan team and enjoys finding and exploiting bugs. His current focus is on web and cloud technology, and he has over 10 years of experience in offensive security. Steven won the Pwn2Own Miami competition with his teammate Chris Anastasio in early 2020 and has taught several classes in web security, including his own, Full Stack Web Attack.
Dr. Zhiniang Peng (@edwardzpeng) is the Principal Security Researcher at Sangfor. His current research areas include applied cryptography, software security and threat hunting. He has more than 10 years of experience in both offensive and defensive security and has published extensively in both academia and industry. Dr. Peng is also a bug hunter in his free time, and he has ranked #1 on the MSRC most valuable security researcher list for three consecutive quarters.
Abstract
Many organizations are forced to change how their business model operates to open the door for remote working due to the current global issues. They urgently need a management system to manage and share their content and internal knowledge, to empower teamwork and to collaborate seamlessly across the organization. As part of the Office 365 product family, Microsoft SharePoint is one of the most popular and trusted Content Management Systems (CMS); it does not require much specialist knowledge or skill to deploy and is relied on by many organizations.
In this presentation, we will focus on the architecture, attack surfaces and mitigations of SharePoint Server, and on how to bypass those mitigations. Then we will present the details and exploitation of several high-impact vulnerabilities discovered in our research.
Brief biography
Xinru Chi is a Security Researcher at Pangu Lab and has extensive experience in security research. She is currently working on macOS and iOS vulnerability research.
Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security.
Abstract
When we were analyzing CVE-2020-27932, a kernel type confusion vulnerability found by Google Project Zero being exploited in the wild and fixed in iOS 14.2, we discovered a variant issue in the XNU kernel. The new variant exposes a giant attack vector against the XNU kernel, affecting both iOS and macOS. As an example, we will share how we developed a 100% reliable exploit to gain root privilege on macOS Big Sur on Apple Silicon, without needing to construct kernel read/write primitives, manipulate the kernel memory layout, or bypass PAC, etc. Although this variant was also fixed by Apple in iOS 14.4 and macOS 11.2, we believe that the exploitation technique in this talk may be useful for other memory corruption vulnerabilities.
Brief biography
Zhaofeng Chen is a security researcher from Baidu Security. He is experienced in both offensive and defensive security in confidential computing, system security, and mobile security. He has designed multiple data/mobile security products and is a PPMC member of the Apache Teaclave (Incubating) project. Over the years, he has also discovered various TEE and iOS framework vulnerabilities, with 20+ CVEs credited by Google, Microsoft, and Apple.
Kang Li is the director of Baidu Security Research. He is a frequent speaker at BlackHat and POC. Over the years, he has discovered vulnerabilities in various systems from CDN to DNS, and from Mobile Bootloader to Deep Learning Frameworks.
Abstract
Intel SGX provides hardware support to protect sensitive data. Cloud vendors, such as Microsoft Azure and Google Cloud, have developed SGX software frameworks, such as Asylo and OpenEnclave, and offered Intel SGX-enabled virtual machines for confidential computing.
We conducted an in-depth analysis of the Microsoft OpenEnclave SDK (powering Azure CC) and the Google Asylo SDK (powering GCP), discovering 20+ vulnerabilities (14 CVEs assigned) in them. We show that these vulnerabilities allow an attacker to read and write arbitrary enclave-protected memory, affecting all SGX enclaves built with the vendor-provided SDK. Our attack is more realistic to carry out than side-channel attacks and can reliably retrieve and manipulate protected enclave data.
In this talk, we will go through the SGX enclave security model and analyze its attack surfaces. In this model, developers have to partition the trusted components of an application into the SGX enclave as the TCB. After partitioning, any data flowing into these trusted components from outside the enclave is untrusted and requires additional checks and sanitization. To reduce the attack surface, developers declare enclave boundary interfaces with annotated parameters in an EDL file and generate boilerplate code for marshaling the parameters. However, this EDL approach is insufficient, since it lacks checks for nested pointers, context-aware data, shared memory, etc.
We also cover typical mistakes enclave developers make and share real-world vulnerability cases we discovered with our bug-finding tool, SGXRay. We discuss attack scenarios and the consequences once these bugs are successfully exploited by attackers outside the enclave. The talk also includes demonstrations of our enclave exploitation, achieving arbitrary read and write access to enclave memory by leveraging the bugs we found.
Brief biography
Zhenpeng Pan (@Peterpan0927) is a security researcher at Alibaba Security Pandora Lab, focusing on macOS/iOS bug hunting and exploitation. He was previously an intern at the Qihoo 360 Nirvan Team and the leader of the Newthread Geek group.
Abstract
As more and more mitigations have been introduced into macOS, it has become harder to gain kernel privilege on modern Macs. Thus it is important to choose the target and strategy properly. Apple drivers, as one of the oldest attack surfaces, have always been a focus of attackers, but things might be easier when viewed from a different level of abstraction.
This talk first approaches driver bug hunting by establishing a three-layer model with a clearer purpose and finer granularity. The model is built from the perspective of processing user-controlled data and is divided into three parts: the entry layer, the dispatch layer and the function layer. According to this model, several vulnerabilities have been found in each layer through fuzzing and auditing, and I will analyze them one by one. Besides, one of them (CVE-2021-1757) can be used to gain kernel privilege on macOS Big Sur (Intel/M1) or as part of an iOS exploit chain.
In this talk I will also cover in detail some mitigations, such as heap isolation and auto-zeroing, that were newly introduced in macOS Big Sur and iOS 14. Then, I will share how to use heap feng shui and multiple vulnerability type conversions to leak the kernel slide and get 100% reliable kernel code execution on Big Sur, regardless of these mitigations.
Brief biography
Gengming Liu is a security researcher at Singular Security Lab. He has mostly focused on browser security in recent years. He participated in Pwn2Own in 2016 and 2017 and won "Master of Pwn" with Tencent Security Team Sniper. He also won a Chrome Pwnium bounty in 2019. He is a fan of CTF games. He was the captain of the A*0*E and eee CTF teams and won first place at DEFCON 2020 Quals and Finals. Gengming has spoken at several security conferences including BlackHat USA, POC and CanSecWest.
Shan Huang is a security researcher at Singular Security Lab. His interest lies in browser security. He is the captain of CTF team AAA and a member of CTF team A*0*E, which participated in DEFCON CTF 26, 27 and 28 and won first place at DEFCON CTF 28.
Abstract
Most vendor-customized browsers use Chromium as their core component. However, some Chromium security patches are not applied to these browsers in time. Our recent work focuses on vulnerabilities that have gone unpatched for a long time in vendor-customized browsers. These vulnerabilities are often difficult to exploit or considered less harmful.
In our recent work, we chained two Chromium 1-days (CVE-2020-16040 and CVE-2020-16041) into a full-chain exploit before they were disclosed.
• CVE-2020-16040 is a bug in the Simplified Lowering phase.
• CVE-2020-16041 is a heap out-of-bounds read bug in the networking stack.
By digging into the details of the vulnerability, we finally implemented a stable exploit for V8 and found that the technique could be used to bypass all typer hardening. Besides, based on @_tsuro's research, we successfully exploited the single out-of-bounds read bug to upload arbitrary local files.
In our talk, we will share V8 exploitation details, Mojo's underlying communication model and exploitation techniques. A successful exploitation leads to sensitive data exfiltration from a user's device with just one click, which will be demonstrated at the end of the talk.
Brief biography
Cristofaro Mune (@pulsoid) has been in the security field for 15+ years. He has 10 years of experience with evaluating SW and HW security of secure products, as well as more than 5 years of experience in testing and assessing the security of TEEs.
He is a Co-Founder and security researcher at Raelize providing support for developing, analyzing and testing the security of embedded devices.
His research on Fault Injection, TEEs, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.
Niek Timmers (@tieknimmers) has been in the security field for 10+ years. He has been analyzing and evaluating the security of advanced security products and technologies for over a decade. His interest is usually sparked by technologies in which hardware plays a fundamental role.
He has shared his research on topics like Secure Boot and Fault Injection at various conferences like Black Hat, BlueHat, HITB, hardwear.io and NULLCON.
Abstract
The Qualcomm IPQ40xx family of chips are popular System-on-Chip (SoC) solutions for both consumer and enterprise networking products. Many manufacturers, like ASUS, Linksys, Netgear and Cisco, use these SoCs in their products. As we often analyze networked products, it's not surprising that one of these devices eventually found its way into our lab. We got extremely interested once we realized that these SoCs support a Trusted Execution Environment (TEE) made by Qualcomm, named QSEE.
During our research, we extracted the QSEE binary from the target devices and reverse engineered its attack surface. We identified multiple critical vulnerabilities in QSEE: CVE-2020-11256, CVE-2020-11257, CVE-2020-11258 and CVE-2020-11259. We exploited all of these vulnerabilities and were able to achieve arbitrary code execution. Qualcomm has disclosed the existence of these vulnerabilities publicly. They have indicated to us that fixes are available and that their customers have been notified. This gives us the opportunity to discuss the technical details of these vulnerabilities and our exploits.
In this talk, we introduce the target and our approach for analyzing it. Then, we dive right into the nitty-gritty technical details of how we identified the vulnerabilities. We dedicate a good chunk of the presentation to our exploitation approach and how we achieve arbitrary code execution. We finalize the talk by placing the attack into context and discussing the impact for a vulnerable device.
It's important to realize that these software vulnerabilities are tightly coupled to the SoC used by the vulnerable devices. The number of vulnerable devices in the field is likely significant, as many manufacturers produce devices designed around this SoC. Moreover, the vulnerabilities are present in a component that is typically not updated by the device manufacturers. Therefore, we believe that it may take a while before the population of vulnerable devices becomes insignificant.
Brief biography
Yarden Shafir is a Software Engineer at CrowdStrike, working on EDR features, and a consultant for Winsider Seminars & Solutions Inc., co-teaching security trainings. Previously, she worked at SentinelOne as a security researcher and QA engineer.
Outside of her primary work duties, Yarden writes articles and tools and gives talks about various topics such as CET internals, extension host hooking and kernel exploit mitigations.
Outside of infosec, Yarden is a circus artist, teaching and performing aerial arts.
Abstract
For decades, the Windows kernel pool remained the same, using simple structures that were easy to read, parse and search for.
But recently this all changed, with a new and complex design that breaks assumptions, exploits and debugger extensions.
This new design has security implications as well - both good and bad. Major code changes break existing code and could make future pool-related exploits more difficult to write.
But could this open up a new attack surface as well?
Brief biography
Philip Pettersson is a security researcher based in the San Francisco Bay Area since 2018, helping startups and large corporations alike secure their software. He previously worked for the Samsung Group in South Korea doing product security on everything from Smart TVs to refrigerators. In his spare time he enjoys surfing, auditing open source software and hanging out with animals.
Maxime Peterlin (@lyte__) is a security researcher working at Longterm Security. His day-to-day work includes reverse engineering, studying low-level systems, vulnerability research, binary exploitation and tools development. He was also a speaker & trainer at various conferences such as BHUSA, Zer0Con and hardwear.io.
Alexandre Adamski (@NeatMonster_) is a security researcher currently working at Longterm Security. His day-to-day work includes reverse engineering, vulnerability research and binary exploitation. What he likes more than anything is breaking binaries executing at non-zero exception levels. In his free time, he also develops open-source tools and plugins.
Abstract
Binder, the Android driver managing IPC, has been the target of multiple privilege escalation exploits in the past. Its omnipotent and essential role in Android allows the compromise of a device from even the most restricted user, making it a prime candidate for vulnerability research.
This talk will detail yet another critical bug found in Binder, namely CVE-2020-0423. It is a single-instruction race condition that causes a use-after-free when triggered. This bug was not reported by Longterm Security, but in this talk we will detail how it was independently discovered by our fuzzing architecture. This presentation also gives an in-depth explanation of the vulnerability, breaks down the exploitation process on a Pixel 4 and compares it to other devices.
SCHEDULE
Once the schedule is confirmed, you can download a PDF version here.
| TIME | SPEAKER | TITLE |
|---|---|---|
| 09:30 ~ 10:00 | Welcome & Introduction | |
| 10:00 ~ 11:10 | Xinru Chi, Tielei Wang | Rooting macOS Big Sur on Apple Silicon |
| 11:20 ~ 12:30 | Zhenpeng Pan | Three Layers in Apple Driver Bug Hunting: Pwn macOS Big Sur in One Shot |
| 12:30 ~ 14:00 | Lunch | |
| 14:00 ~ 15:30 | Yarden Shafir | Heap-backed Kernel Pool: The good, the bad and the encoded |
| 15:40 ~ 16:50 | Cristofaro Mune, Niek Timmers | An Unexpected Cup of QSEE |
| 17:00 ~ 18:10 | cjm00n, mr_me, Zhiniang Peng | Exploiting Microsoft Sharepoint |

| TIME | SPEAKER | TITLE |
|---|---|---|
| 10:00 ~ 11:10 | Zhaofeng Chen, Kang Li | A Journey on Discovering Vulnerabilities and Exploiting SGX Enclave Frameworks |
| 11:20 ~ 12:30 | ChenNan | Box Escape: Discovering 10+ Vulnerabilities in VirtualBox |
| 12:30 ~ 14:00 | Lunch | |
| 14:00 ~ 15:10 | Alexander Popov | Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux Kernel |
| 15:20 ~ 16:30 | Philip Pettersson, Maxime Peterlin, Alexandre Adamski | Getting Root on Android with CVE-2020-0423 |
| 16:40 ~ 17:50 | Gengming Liu, Shan Huang | Chrome Exploitation |
| 18:00 ~ 18:20 | Closing Ceremony | |
TRAINING
The training courses of Zer0Con focus on bug hunting and exploitation.
VENUE
Zer0Con2021 is held online for everyone's safety during the Covid-19 situation.
CONTACT
If you have any questions, contact us.
* We recommend that you use our PGP key (PGP KEY).
We are also looking for sponsors.
There are several benefits for sponsors, so please feel free to contact us.