SPEAKERS
The list will be continuously updated.
Brief biography
Andrea Zapparoli Manzoni manages Crowdfense Limited, a UAE-based vulnerability R&D hub, which he designed in 2017 with a multidisciplinary team of ethical hackers, lawyers and vulnerability researchers.
Abstract
TBA
Brief biography
VictorV (@474172261) is a security researcher at Cyber Kunlun. He has focused on virtualization security for 5 years and has broken VMware Workstation and ESXi more than 3 times. He also made a successful escape from Hyper-V last year. Besides, he has found several bugs in Windows DNS, Windows RDP server, QEMU/KVM and more.
Abstract
Hyper-V is one of the hardest targets to exploit. Because of its few components and its complex, special architecture, there have been few successful exploit cases.
However, in order to improve ease of use, the RDP component is used in enhanced mode in the default setting. This gives us the possibility of finding a new breakthrough.
In this talk, I will discuss how RDP is used in the Hyper-V architecture and introduce the potential attack surface, and then show several cases of escaping from Hyper-V through enhanced mode, including the bugs I found that were fixed in the December 2021 patch. They are all Path Traversal bugs: old, but also new.
Brief biography
Andrea (@_pox_) is a security researcher and a member of Singular Security Lab.
In the past years, his focus has been on Android, where he carries out fuzzing and vulnerability research activities on both user and kernel space.
Abstract
Nowadays, Android applications use native components (developed through the Java Native Interface) to perform tasks that, if not executed natively, could have a strong impact on performance.
For example, many Instant Messaging apps use these native libraries to perform resource-intensive tasks such as encoding and decoding audio and video resources. All these operations on potentially malicious content are an additional attack surface that is worth testing.
Although this component has only been analysed in recent years and several approaches have been published, we believe there is still a lack of a generic and fast method for testing the functions of native libraries used by apps.
In this talk, we will show in detail how Android applications use JNI, what vulnerabilities these components may hide, how they have been analysed over the years, and we will analyse the limitations of these approaches.
We will then present a new approach to test these components: we will show how to find different categories of bugs and how to write harnesses for components that have not yet been tested.
Brief biography
WANG, YONG (@ThomasKing2014) is a Security Engineer at Alibaba Security Pandora Lab, currently focusing on Android/Browser vulnerability hunting and exploitation. He was a speaker at several security conferences including BlackHat (Asia 2018, Europe 2019), HITB Amsterdam 2018, Zer0Con 2019, QPSS 2019, POC 2020, etc. In recent years he has reported several vulnerabilities, and one of them was nominated for a Pwnie Award 2019.
Abstract
This talk will be about a TTY vulnerability that was first disclosed to the Linux kernel by Jann Horn (Google Project Zero), but also found by me before it was fixed. The vulnerability was assigned CVE-2020-29661 and finally listed on the Android Security Bulletin in May 2021. I successfully rooted the Pixel 2 on Android 11 in mid-January 2021 and then the Pixel 4, and also tested on Pixel 5 and other Android 11 devices. Project Zero posted a blog on Oct 19, 2021, detailing how to exploit it against Debian Buster's 4.19.0-13-amd64 kernel [1]. However, since the build config of the Android kernel is different, the SUID binary does not exist on Android, etc., the exploit code cannot work directly.
In this talk, I will first analyze the Use-After-Free bug, especially the parts that have not been covered in Project Zero's post. I will also detail the critical code changes that affect the exploit steps in different Android kernel branches. Then, I will detail how to exploit the bug in different kernel branches. Since the associated kernel object is allocated in a dedicated slab cache, the technique of cross-cache attack has to be applied. However, due to the small size of the kernel object, the public cross-cache attack techniques cannot help improve the success rate. I will introduce a new and generic exploitation technique to solve those problems. Furthermore, to achieve arbitrary kernel memory R/W ability and gain root privilege, I will also detail how to bypass the general mitigations (KASLR, PAN, etc.) of Android 11.
During the presentation, I will give the exploit demos of rooting Android 11 flagship devices. In summary, the ideas of exploitation are fresh and have never been discussed before.
Brief biography
Gengming Liu (@dmxcsnsbh) is a security researcher at Singular Security Lab. He has mostly focused on browser security in recent years. He participated in Pwn2Own in 2016 & 2017 and won "Master of Pwn" with Tencent Security Team Sniper. He also won a Chrome Pwnium Bounty in 2019. He is a fan of CTF games. He was the captain of the A*0*E & eee CTF teams and won first place in DEFCON 2020 Quals & Finals. Gengming has spoken at several security conferences including BlackHat USA, POC, Zer0Con and CanSecWest.
Zhutian Feng (@FengPolaris) is a security researcher at Singular Security Lab, focusing on v8 security research. He was a member of the CTF teams 0ops and A0E, which won first place in DEFCON CTF 28.
Haojie He (@SGFvamll) is an intern security researcher of Singular Security Lab. His interest lies in JS security, especially fuzzing techniques. He is a member of CTF team AAA and is good at reverse engineering.
Abstract
JavaScript is one of the most popular targets in security research, and has always attracted the attention of many security researchers. We, Singular Security Lab (S.S.L), also have some new research on v8 from recent months, which we are glad to share in this talk.
The talk covers two major parts. We will first focus on the JS fuzzing. After a brief review of the modern JS fuzzers, we will introduce a new guide for JS fuzzing, which is a lift and a generalization of traditional coverage-based guide and can be extended to some other scenarios.
Next, we will share a typical issue found by our fuzzer, and introduce how to exploit it step by step. Finally, we will introduce how we discovered a new vulnerability by analyzing this vulnerability further.
Brief biography
Yuhao Weng, Zhiniang Peng
Abstract
The Proxy series of vulnerabilities, like ProxyLogon, came out last year and caused an uproar around the world. To protect their customers, MS published a lot of patches for Exchange Server to make it more difficult to exploit.
Over the past period of time, Microsoft silently fixed multiple high-risk vulnerabilities reported by the NSA or exploited in the wild. However, there has been no public discussion of these critical vulnerabilities. To uncover the power of those vulnerabilities and unknown attack surfaces, we dug into the code and found more critical bugs in it.
In this talk, we will share some critical vulnerabilities and show how to exploit them. Then we will give our detection & defense suggestions to protect Exchange Server.
Brief biography
Arav Garg is
✓ Employer (at the time of this research): Exodus Intelligence
✓ N-day Vulnerability Researcher
Abstract
Over the past 7 months, I have written reliable LPE exploits for 7 CVEs in the Windows kernel. These are:
-> 5 in clfs.sys: CVE-2022-22000, CVE-2021-40443, CVE-2021-36955, CVE-2021-40466, CVE-2021-31954
-> 2 in ntfs.sys: CVE-2021-43229, CVE-2021-31956
The bug classes I encountered include Paged Pool Overflow, Out-of-Bounds read/write, Integer overflow and use-after-free. In this talk, I will discuss:
1. Suitable objects for heap grooming and corruption
2. Relevant heap internals
3. How to use these objects in each of the 4 cases (controlled/uncontrolled size/data of overflow)
4. Improving exploit primitives even from the worst-case scenario (uncontrolled size/data of overflow) to controlled size/data of overflow
5. Techniques to figure out the memory layout dynamically to defeat randomization and improve reliability
6. Achieving LPE with arbitrary r/w
7. Achieving LPE without arbitrary r/w
Brief biography
Peter Nguyễn Vũ Hoàng is
✓ Focusing on macOS/iOS bug hunting and exploitation.
✓ Awarded bounties by Apple Security Platform.
✓ Found some vulnerabilities in Apple products, from userland to kernel-level vulnerabilities, such as:
- CVE-2022-22593: XNU kernel Heap overflow
- CVE-2021-30868: SMBFS Use-After-Free allows attackers to escalate privileges on macOS
- CVE-2021-30745: QuartzCore type confusion allows the attacker to escape the Safari sandbox
- QuartzCore uninitialized stack allows attackers to escape the Safari sandbox, affecting macOS 11.1, iOS 14.1
- libFontParser out-of-bounds write on OpenType Font blob: allows attackers to gain code execution in the renderer process of Safari
- CVE-2020-9816: libFontParser Out-of-Bounds Write allows attackers to gain code execution in the Safari renderer process
Abstract
It has become more and more challenging to exploit macOS these days. Apple has implemented many sophisticated mitigation measures to thwart kernel exploits. That's why thinking out of the box is an effective way to go. There are some exciting attack surfaces that we can still explore, such as SMBFS, which macOS supports out of the box. This feature allows the user to mount a Samba network share folder into the filesystem and helps users use it easily in Finder.
In this talk, I will share the SMBFS bugs that I found and some common real-world mistakes developers may make that can have unintended security consequences for macOS. I will also explain how I developed a fuzzer to discover a fascinating yet straightforward race condition that leads to a use-after-free security bug in SMBFS. Upon investigating further, I found that it is really hard to corrupt kernel memory with this vulnerability. I then discovered a new trick to increase the chance of winning race conditions so that we can use it to escalate privileges on the system. I will conclude my presentation with a short demonstration of how to use this vulnerability to gain control of the vtable pointer.
In summary, I will focus on five main parts:
● SMBFS fundamentals: I will briefly describe the SMBFS features and explain how to interact with this driver.
● Fuzzing methodology: I will share how I developed a test-case generator to discover this vulnerability. It is a good method to fuzz SMBFS. (Theoretically, it can be extended to other OSes.)
● Some real vulnerabilities: I will explain in depth how simple mistakes made by developers can lead to unintended security bugs and high impact on the system.
● Race condition trick: I will present the trick discovered when investigating my vulnerability, which allows me to always win the race condition stably in CVE-2021-30868. This trick also helped me win another race condition vulnerability in iOS.
● Demo: I will demonstrate using CVE-2021-30868 to gain control of the vtable pointer.
Here are three key takeaways that may aid the attendees in their work:
● Firstly, how to approach a target, audit the source code and then build a custom test-case generator based on the understanding of the target.
● Secondly, a better understanding of how their code could have side effects which lead to potential vulnerabilities.
● Finally, how the race condition trick increases the vulnerability's impact on the macOS kernel.
Brief biography
Csaba Fitzl graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing big networks. After that, he worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation, and defense bypasses. Currently, he is working as a content developer at Offensive Security. He has given talks/workshops at various international IT security conferences, including Hacktivity, hack.lu, Troopers, SecurityFest, DEFCON, Objective By The Sea, and Black Hat USA. Csaba spends his free time with his family, trail running and hiking.
Abstract
Sometimes when we publish details and writeups about vulnerabilities, we are so focused on the actual bug that we don't notice others, which might still be hidden inside the details. The same can happen when we read these issues, but if we keep our eyes open we might find hidden gems.
In this talk, I will cover two macOS vulnerabilities that I found while reading the writeups of other vulnerabilities. I also only spotted them after multiple reads, and once found, I realized that they were right there in front of us every single time.
In the Pwn2Own 2020 macOS exploit chain, there was a vulnerability concerning the preferences daemon. The patch was presented later by the authors, and after reading through the patch for the ~20th time, I spotted a new privilege escalation possibility.
In 2021, the macOS XCSSET malware used a TCC 0day bypass, which was later patched. Mickey Jin found a bypass for the patch and presented a new TCC bypass. While reading through his analysis for the n-th time, it hit me that not only was it possible to bypass the new patch, but there is an underlying fundamental issue with the TCC framework, which allowed us to generically bypass TCC.
Brief biography
John Aakerblom (@jaakerblom) is an independent security researcher with several years' experience of security research focused on the iOS and macOS operating systems.
Abstract
The finding and exploitation of vulnerabilities in Apple's macOS and especially iOS operating systems, not least in their kernels, has long been a very hot topic in the information security community. Yet the actual details of a lot of vulnerabilities and exploitation techniques discovered never get publicly published after they are patched, meaning they often remain nothing more than a CVE number or patch note - if even that - in the public's eye. This talk will be diving into the technical details of some of the recently patched vulnerabilities and exploitation techniques for the iOS and macOS kernels that haven't made it into the spotlight.
Brief biography
Ned Williamson is a security researcher at Google Project Zero. He has experience exploiting Chrome and iOS and focuses on novel and deep fuzzing techniques.
Abstract
SockFuzzer, the XNU kernel fuzzer that discovered SockPuppet, was released a year ago. After about a year of brainstorming and several months of development, an upcoming release will feature support for discovering concurrency bugs using fuzzing - deterministically. This talk will describe the approach and methodology that enables this feature.
Brief biography
JunDong Xie, security expert at Ant Security Light-Year Lab, graduated from Zhejiang University and was a member of the AAA CTF team. His main research areas are binary fuzzing and browser security. He participated in three Tianfu Cup International Cybersecurity Contests with the team from 2018 to 2020 and has broken the Safari browser, PDF readers and many mobile devices in the competition. He also presented his research about exploiting Safari at Black Hat Asia.
Follow him on Twitter: https://twitter.com/Jdddong
Abstract
At Black Hat Asia 2020, I described how to dig for vulnerabilities in macOS/iOS's WebAudio and how to break Safari. This year, I dug deeper into WebAudio based on that previous work.
Some audio file formats can be thought of as consisting of different types of chunks, each of which is generally composed of a size plus content. Some chunks may be constrained by other chunks, which suggests that these audio formats are well suited to structure-aware mutations.
Currently, many structure-aware fuzzing tools define a very detailed template and then generate seed files for fuzzing based on this template, but this has the disadvantage of taking a lot of time to construct the template. My idea is to define the structure at a coarser granularity and transform the large number of seeds collected on the web into a structured intermediate representation. The advantage of this is that only a small amount of time is needed to define the structure, and the large number of seeds ensures that even if the fine-grained structure is not defined, the relevant code can be covered, striking a balance between the time cost, the structural correctness of the mutated file, and the flexibility of mutation.
I developed my own fuzzing tools based on honggfuzz and libprotobuf-mutator to perform coverage-driven, structure-aware fuzzing for binary targets on macOS, and have found more than 20 vulnerabilities in audio formats such as caf and mp4. 12 CVEs have been obtained until now.
Brief biography
foobar.o & 0gr1nd are independent vulnerability researchers, currently focusing on ISP and WAN devices.
Abstract
ISP systems are core components responsible for providing internet access to clients all over the world. Such systems consist of a wide range of devices necessary for transmission, data communication and network access. Most of these tasks are achieved by so-called multi-service access devices (MA for short). In this talk we will disclose the hardware design of a representative of such devices, present the results of its firmware reverse-engineering and introduce the dynamic/static tools we developed for hacking it.
Outline:
- Hardware analysis & firmware extraction
- Analysis of a complex device with a huge code base
- VxWorks internals & RE tips
- VOS internals
- Dynamic/Static toolset overview and demo
SCHEDULE
Once the schedule is confirmed, you can download a PDF version here.
| TIME | SPEAKER | TITLE |
|---|---|---|
| 09:00 ~ 09:30 | Registration | |
| 09:30 ~ 10:00 | Welcome & Introduction | |
| 10:00 ~ 10:30 | Andrea Zapparoli Manzoni | (Keynote) The art of (cyber)war: surviving the new dark ages of 0day research |
| 10:30 ~ 11:30 | Gengming Liu, Zhutian Feng, Haojie He | New guided Javascript Fuzzing |
| 11:30 ~ 11:40 | Break Time | |
| 11:40 ~ 12:40 | VictorV | Old School, New Story—Escape from Hyper-V by Path Traversal |
| 12:40 ~ 14:00 | Lunch | |
| 14:00 ~ 15:00 | WANG YONG | A Bug Collision Tale: Building Universal Android 11 Rooting Solution with a UAF Vulnerability |
| 15:00 ~ 15:30 | Yuhao Weng, Zhiniang Peng | Exploit Exchange in New Ways |
| 15:30 ~ 16:00 | Break Time | |
| 16:00 ~ 17:00 | Arav Garg | Data-only Exploits for Windows Kernel Bug |
| 17:00 ~ 17:20 | Break Time | |
| 17:20 ~ 18:20 | Andrea Possemato | Android JNI Fuzzing |
| 19:00 ~ | Invited Only Party | |

| TIME | SPEAKER | TITLE |
|---|---|---|
| 10:00 ~ 11:00 | foobar.o, 0gr1nd | (Offline Only) Hacking ISP: backbone hardware under the hood |
| 11:00 ~ 11:20 | Break Time | |
| 11:20 ~ 12:50 | Peter Nguyễn Vũ Hoàng | A journey of hunting macOS kernel vulnerability |
| 12:50 ~ 14:20 | Lunch | |
| 14:20 ~ 15:20 | Ned Williamson | SockFuzzer 2.0 |
| 15:20 ~ 15:50 | JunDong Xie | Traditional Fuzz Techniques Never Go Out of Style: Using Structure-aware Fuzzing to Dig Deeper into WebAudio |
| 15:50 ~ 16:20 | Break Time | |
| 16:20 ~ 16:50 | Csaba Fitzl | macOS Vulnerabilities Hiding in Plain Sight |
| 16:50 ~ 17:50 | John Aakerblom | Tales from the iOS/macOS Kernel Trenches |
| 17:50 ~ 18:00 | Break Time | |
| 18:00 ~ 18:20 | Closing Ceremony | |
| 19:00 ~ | Dinner Party for Speaker, All Attendees | |
REGISTER
(2022.03.01 ~ 04.15 24:00 GMT+9)
Zer0Con registration is a four-step process:
∙ first, you register here,
∙ then we check if you are eligible or not,
∙ and finally you will receive a link to pay.
∙ It may take 2 or 3 days.
∙ If you pay, we will send you a confirmation email.
[Important Notice] - Updated: 2022.03.28
◉ Zer0Con2022 will be running as a hybrid event. The South Korean government announced on 11th March that foreigners (with a certificate of vaccination) who visit South Korea after 21st March are exempted from self-quarantine.
◉ This ain't going to happen, but if the pandemic situation goes crazy in South Korea and Zer0Con2022 happens to be held online, we will issue a "partial" refund to those who registered for offline Zer0Con.
◉ Please note that cancellation of registration is not accepted. [See here for more information.]
TRAINING
The training courses of Zer0Con focus on bug hunting and exploitation.
VENUE
A link to log in will be provided to each registered individual.
- ADDRESS: 70, Baumoe-ro 12-gil, Seocho-gu, Seoul, Korea
- TEL: +82-2-571-8100
- WEB: https://www.thek-hotel.co.kr/skmh/en/index.do
CONTACT
If you have any questions, contact us.
* We recommend that you use the PGP key (PGP KEY)
Also, we are looking for sponsors.
There are several benefits for sponsors, so please feel free to contact us.