As an indispensable part of our modern life, Smart Speakers have come to play a crucial role in Home Automation Systems. With Sonos emerging as a leader in this space, they have prioritized security, resulting in the Sonos One Speaker being a Pwn2Own target for 3 consecutive years. As the first team to successfully hack it, we will share our experiences, stories, and insights from our 3-year research journey. Our talk will explore attacks at the hardware, firmware, and software levels, as well as discuss the evolution of the defenses we have observed from Sonos. We will also recount the cat-and-mouse game we played with the Sonos security team: why were they always able to kill our vulnerabilities so precisely right after we developed a working exploit? This forced us to exhaust 4 different types of 0day to conquer a single Pwn2Own target.
The saga begins with our amusing but failed attempt in the first year, followed by our strong comeback in the second year, where we successfully took over the target using an Integer Underflow. After the competition, we witnessed a significant leap in Sonos’s defense mechanisms, which made our struggle with the Sonos security team even more challenging in the third year. To provide a comprehensive overview of our research, we will cover hardware attacks such as leveraging DMA Attack to jailbreak and obtain a Local Shell; firmware analysis, from firmware decryption to vulnerability discovery in the firmware over-the-air (FOTA) mechanism; and of course, software-level attack surface analysis and vulnerability mining in different ways. We will detail the stories behind our successful exploitations, such as bypassing all protections to exploit the target, racing the Thread Stack to different primitives to exploit the Stack Clash, and leveraging different types of vulnerabilities to achieve RCEs. These stories are all essential parts of our journey to win the Pwn2Own Toronto 2022 championship trophy and at least $80K in rewards.
Cheng-Da Tsai, aka Orange Tsai, is the principal security researcher of DEVCORE and a core member of the CHROOT security group in Taiwan. He is also the champion and the "Master of Pwn" title holder in Pwn2Own 2021/2022. In addition, Orange has spoken at several top conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB GSEC/AMS, CODE BLUE, POC, and WooYun!
Currently, Orange is a 0day researcher focusing on web/application security. His research not only won the Pwnie Award for "Best Server-Side Bug" in 2019/2021 but also took 1st place in the "Top 10 Web Hacking Techniques" of 2017/2018. Orange also enjoys bug bounties in his free time. He is enthusiastic about RCE bugs and has uncovered RCEs at numerous vendors such as Twitter, Facebook, Uber, Apple, GitHub, Amazon, etc. You can find him on Twitter @orange_8361 and blog https://blog.orange.tw/
XNU is getting harder and harder to exploit. There are now more talks about how hard it has become than how to actually break it (the author has actually shamelessly given two in 2019 and 2022).
The (somewhat irritating) answer to that is often “jUsT fiNd LogIc/cRYptOgrAphIC bUGs”. However it’s not that easy to find a kernel bug that gives arbitrary code exec as root… or is it?
MikroTik is a supplier of network infrastructure whose products and RouterOS are widely adopted. Currently, at least 3 million+ devices are running RouterOS online. RouterOS is actively targeted by attackers: the exploits leaked from the CIA in 2018 and the mass exploitation that followed are examples of the havoc that can be caused when such devices are maliciously exploited again. Therefore, RouterOS also attracts many researchers to hunt bugs in it. However, high-impact vulnerabilities have rarely been reported over a long period. Can the OS become perfect overnight? Of course not. Some details have been missed.
Research on RouterOS has mainly targeted jailbreaking, Nova Message in IPC, and analysis of exploits in the wild. Research against Nova Message in particular has reported tons of post-auth vulnerabilities. However, the architecture design and the lower-layer objects, which are closely related to the functionality of Nova Binary, were neglected due to their complexity, causing some details to be overlooked for a long time. Starting by introducing the mechanisms of the socket callback and the remote object, we will disclose more about the overlooked attack surface and implementations in RouterOS. Moreover, we will discuss how we, at the end of rarely visited trails, found a pre-auth RCE that has existed for nine years and can exploit all active versions, as well as a race condition in the remote object. We will also share our methodology and vulnerability patterns.
By delving into the design of RouterOS, attendees will gain a greater understanding of the overlooked attack surface and its implementation and be able to review the system more reliably. Additionally, we will share our open-source tools and methodology to help researchers studying RouterOS, making it less obscure.
Ting-Yu Chen, aka NiNi, is a security researcher at DEVCORE and a member of the Balsn CTF team. He won the title of the "Master of Pwn" at Pwn2Own Toronto 2022 with the DEVCORE team. NiNi has also made notable achievements in CTF competitions, including placing 2nd and 3rd in DEF CON CTF 27 and 28 as a member of HITCON⚔BFKinesiS and HITCON⚔Balsn teams, respectively. NiNi is currently immersed in vulnerability research and reverse engineering, continuing to hone his skills. You can keep up with his latest discoveries and musings on Twitter via his handle @terrynini38514 or blog at http://blog.terrynini.tw/.
Can you think about even one project that does not use several programming languages, protocols, or communication standards? Today’s variety of technologies introduces a significant challenge when it comes to interoperability. If two different software components interact with each other but disagree about certain specifics of their communication protocol, this may introduce vulnerabilities known as parser differentials.
This talk dives into two critical vulnerabilities in the remote desktop gateway Apache Guacamole, which allows users to access remote machines via a web browser. The Guacamole gateway is usually the only externally accessible instance, granting access to remote machines isolated in an organization’s internal network.
Guacamole’s fascinating architecture connects a Java component with a C backend server, which introduces the aforementioned challenge of interoperability. We will determine how Java’s internal processing of Unicode strings can lead to unexpected results and how an attacker can leverage this.
Furthermore, we will see that the requirement of high parallelism to serve and share hundreds of connections at the same time makes an application like Guacamole also prone to concurrency issues. We will dive into the world of glibc heap exploitation and ultimately gain remote code execution.
Stefan Schiller is a Vulnerability Researcher in the Sonar R&D team. He has been passionate about software and programming since his early childhood. With a background in red teaming, he has been working in the field of offensive IT security for quite a while now. At Sonar, he finds and responsibly discloses vulnerabilities in popular open-source software.
In the last decade the industry has seen a large amount of research released around Intel platform security. Since the release of CHIPSEC, the industry has had a tool to quickly analyze their Intel platform against a secure baseline for misconfigurations. As a result of this, it has become more difficult to find misconfigured Intel platforms from major OEMs.
As we dove into the platform security realm ourselves, we noticed a complete lack of focus and analysis of AMD platforms. This was a surprise to us due to the popularity and significantly growing market share of AMD.
In this presentation we will dive into interesting architectural differences between Intel and AMD that make up the security of the platform. As part of it, we provide a first glance at various AMD security features, such as ROM Armor and Platform Secure Boot. Additionally, we’re going to present several vulnerabilities that, when combined, allowed us to inject a persistent firmware implant running in ring -2 on various systems.
All these details have been flushed into a tool that we developed which can be used by end users to quickly verify that their systems are free from common misconfigurations.
Krzysztof Okupski is a Senior Security Consultant with IOActive where he specializes in embedded security. While he enjoys hacking various targets, he is particularly interested in the nitty-gritty details of platform security where small misconfigurations can lead to critical issues.
Deserialization of untrusted data has become one of the most abused vulnerability classes across multiple programming languages. Over time, most developers have become adept with the secure handling of deserialization operations. Consequently, easy-to-exploit deserialization issues are mostly a thing of the past. Typically, protections are based on either selective allow lists, broader allow lists that may pull from hundreds of classes, or block lists based on known deserialization gadgets.
However, my research shows that both allow and block lists can still be frequently abused in .NET applications. This research was focused primarily on setter-based serializers and shows:
This presentation provides examples of new deserialization gadgets in the .NET Framework, third-party libraries, and other codebases. It is based on over a dozen vulnerabilities I discovered in multiple products including Microsoft Exchange and SolarWinds Platform. It shows how to be creative during gadget searching and how to tune searching for a given serializer. The talk includes a release of gadgets for several different serializers. Finally, this presentation will present what is believed to be the first setter-based deserialization gadget for .NET version 5 and above.
Piotr Bazydło is a vulnerability researcher at Trend Micro’s Zero Day Initiative (ZDI) program. His research is focused on high-level languages, such as C# and Java. In his current role, Piotr investigates and performs root cause analysis on hundreds of vulnerabilities submitted to the ZDI program, which is the world's largest vendor-agnostic bug bounty program. His research emphasis primarily involves complex vulnerabilities where either the original attack vectors are manipulated or intricate vulnerability chains must be prepared. His vulnerability disclosures include critical-rated bugs in Microsoft Exchange Server, Microsoft SharePoint, SolarWinds, and Apache libraries.
Prior to joining ZDI, Piotr worked as a vulnerability researcher and penetration tester in the European financial sector. He participated in the Pwn2Own Miami competition where he won by successfully exploiting multiple ICS/SCADA targets.
In this talk, the authors present their research where a comprehensive analysis of the Windows kernel was conducted, leading to the discovery of a new vulnerability. Through strategic utilization of the user fault handling process and the application of a reliable Data-Oriented approach with Windows kernel structures, the newfound vulnerability was successfully exploited.
The findings of this research highlight the importance of thoroughly exploring all potential attack vectors, regardless of their initially perceived significance. This research emphasizes the value of comprehensive analysis, showcases the potential impact of identifying attack vectors within the Windows kernel, and introduces a new vulnerability that can be used to execute arbitrary kernel code in Windows.
Junoh Lee is a vulnerability researcher at Theori. He is interested in reverse engineering and finding new attack vectors, mostly in major OSes like Windows and macOS. He is also interested in exploit techniques, such as writing exploit code for the latest vulnerabilities by researching ways to bypass the latest mitigations. He is also a CTF player and has played in various world competitions such as WCTF and DEFCON.
JeongOh Kyea is a researcher at Theori Korea with interests in automatic vulnerability detection, binary analysis and exploit techniques. He received BS and MS degrees from KAIST. He was selected as a Microsoft Most Valuable Researcher (MVR) in 2020, 2021 and 2022.
There are many kernel fuzzers such as SockFuzzer, Syzkaller, etc. They are developed for different purposes. SockFuzzer is developed to fuzz XNU sockets at the source code level, while Syzkaller is used to fuzz many types of OSes like Windows, Linux, FreeBSD and macOS, and is very easy to set up and scale up to many instances. Despite their advantages, they still have limitations in discovering side-effect vulnerabilities in the kernel. The fuzzer that I’ve developed focuses on these limitations and tries to explore deeper into the XNU kernel to find vulnerabilities. This Fuzzer is a template-based fuzzer which can generate a C test case from a C template. Besides, its mutator is customizable and adaptable for each C template.
In my talk, I will share how I have built the Fuzzer from scratch based on Linux KVM which can be scalable and easy to write automation scripts. I also show you how to reuse XNU tests to create a C template for this Fuzzer and use it to discover new vulnerabilities.
After that, I will share the root cause of some vulnerabilities found by my Fuzzer last year, some of them very interesting. CVE-2022-32894 is an out-of-bounds write in XNU Mach IPC that was exploited in the wild last year.
Finally, I will show you the development roadmap of my Fuzzer for the future.
Focusing on macOS/iOS bug hunting and exploitation.
✓ Awarded bounties by Apple Security Platform.
✓ Found vulnerabilities in Apple products, from userland to kernel level:
- CVE-2022-22593: XNU kernel Heap overflow
- CVE-2021-30868: SMBFS Use-After-Free allows attackers to escalate privileges on macOS
- CVE-2021-30745: QuartzCore type confusion allows the attacker to escape the Safari sandbox
- QuartzCore uninitialized stack allows attackers to escape the Safari sandbox, affecting macOS 11.1, iOS 14.1
- libFontParser out of bound write on OpenType Font blog: allows attackers to gain code execution in the renderer process of Safari
- CVE-2020-9816: libFontParser Out-of-Bounds Write allows attackers to gain code execution in the Safari renderer process
This presentation is about Hyper-V Core Isolation (HVCI, Secure Kernel): what it’s for, how it protects, how we broke it, and (perhaps) why and how our findings matter.
Hyper-V Core Isolation was developed by Microsoft as an ultimate effort to only allow signed, valid code into the kernel and keep ANY unauthorized ring 0 code out, including in the scenario where an attacker has already gained administrative privileges. Its main job is also to protect the memory of the kernel from ANY unauthorized changes using ring -1 hypervisor technology, so that an attacker can no longer write to read-only physical pages or change access protections on PTEs, such as changing RW to RX, or U (usermode page) to K (kernel page).
However, there is a fundamental design flaw in the Core Isolation implementation that breaks the promised memory protection with relative ease (e.g.: no exploit chain required, no ROP required).
With a background in malware analysis, reverse engineering, and a solid 15 years experience in writing Windows kernel drivers, Viviane Zwanger is a veteran researcher at Fraunhofer FKIE. Besides doing her own research, she also works as a consultant, offers training sessions, and gives talks about Windows kernel, drivers, and kernel debugging topics to various clients.
Studies in computer science and cyber security.
Working at the FKIE since 2018.
Experienced programmer, reverser and security enthusiast, especially in the field of Windows.
Hyper-V has long been considered a prestige target for security researchers, with Microsoft offering high value bug bounties, and performing continuous in-house testing and attack-surface hardening. In this presentation I’ll show how I turned the discovery of a seemingly unreproducible bug into a critical-rated arbitrary code execution vulnerability, which was awarded MSRC’s maximum bounty.
The talk will begin with a very brief introduction to virtualization and Hyper-V, before launching into an in-depth examination of the low-level VMBus protocol which underpins guest-host communication. We will cover the mechanisms VMBus uses for signaling, shared memory, and callback messages, and the different types of devices it supports. Finally, I will trace the flow of a VMBus message from a guest VM all the way through to a host device driver in order to demonstrate the attack surface exposed by VMBus.
To finish this presentation I will dive into the details of a bug I discovered in early 2023 in a core VMBus host driver. In the journey to create a reliable proof-of-concept I will explain how to modify the Linux kernel’s Hyper-V guest drivers to craft our own custom VMBus packets, discuss a novel method of manipulating the Windows kernel’s LookasideList cache implementation from inside a guest VM, and finally, demonstrate how I won an incredibly precise race between host kernel threads to trigger the vulnerability.
Leo Adrien is an independent security researcher, postgraduate Computer Science student at Monash University, and recovering “security consultant”. He primarily focuses on finding bugs in Windows, but somehow still spends an inordinate amount of time reading Linux kernel code. He often thinks about creating static analysis tools, but always ends up writing another fuzzer.
ClamAV is an open-source antivirus engine maintained by Cisco. As it is freely available, it is widely used across a large number of software products, such as email servers and appliances. This means that if an attacker can fully compromise the AV engine running in one of those products, they could access incoming and outgoing emails and, for an appliance, even control the network traffic of an organization. It is well known that AV engines expose a large, externally reachable attack surface as they parse a variety of file formats, often coming from the Internet. On the other hand, modern mitigations make the exploitation of antivirus software significantly harder because remote attackers cannot interact with the target and thus can’t leak memory addresses.
This talk is a case study of reliably exploiting CVE-2023-20032, a heap buffer overflow, as a remote attacker, and the lessons learned from it. The exploit results in remote code execution and utilizes a unique exploit technique to bypass ASLR that can be applied to similar targets.
Simon Scannell is a self-taught Vulnerability Researcher at Google who is passionate about playing CTF, traveling, and sports. He has come up with ways to find 0days in some of the most popular web applications such as WordPress, Zimbra, and Magento2. He has also developed exploits for the Linux Kernel and Counter-Strike: Global Offensive.
There has been virtually no public discussion of vulnerabilities within Qualcomm’s bootrom. Despite being difficult to research, the PBL is not immune to flaws.
For this talk, we focus on an unbounded recursion bug introduced by a new command in the Sahara protocol.
We will walk through exploitation of the memory corruption caused by the recursion and transform it into PC control, culminating in shellcode execution in EL3. From there, we will cover persistence through all layers of the phone’s boot stack and demonstrate popping a root shell on a bootloader-locked Pixel phone.
Finally, we wrap up with the interesting way this was mitigated on newer chipsets.
Seamus Burke is a senior vulnerability researcher with more than 7 years of experience on mobile targets, with a focus on Android. He has spoken at multiple security conferences, including Def Con and Shmoocon, and has a particular affection for embedded targets like basebands and bootroms.
When not staring at IDA, he likes to spend his time wrenching on cars and racing.
Aaron Willey is a vulnerability researcher with nearly a decade of experience working on mobile and other targets. Currently, he spends most of his time looking at the non-Android parts of Android phones, including bootroms, bootloaders, basebands, and more. There's a special place in his heart for all the little coprocessors and their firmware living inside modern SoCs - the umpteen different ARM cores, including the venerable ARM926EJ-S that he really hopes actually supports the Jazelle extension; the tiny bespoke cores implementing one-off architectures that are only supported by a barely-functional port of GCC 4.9; and of course that one 8051 lurking in the depths of the on-chip interconnects that serves as the One Root of Trust to Rule Them All.
Xerub is an iOS Security Researcher at Cellebrite. Past experience includes both defensive security (malware analysis, emulation, unpacking, compilers) and offensive security, having been involved for many years in the iOS scene as a big fan and occasional producer of exotic bugs and exploits. He was also a speaker at various conferences such as Warcon and MOSEC, and has published code/write-ups for some of his work.
As hypervisors become increasingly popular in enterprise environments, they are also becoming a popular target for attackers. In this talk, the authors will present a chain of three bugs demonstrated at Pwn2Own Vancouver 2023 targeting VirtualBox and Windows 11 kernel. The bugs allowed the authors to escape a virtual machine and gain administrator privileges on the host machine.
In this talk, we will focus on the methodology used to find bugs reachable from inside a guest machine, how the codebase and the architecture of the hypervisor were approached from an attacker's perspective, and how we exploited and chained together multiple bugs. We will talk about how deeper bugs can be a source of very interesting primitives that sometimes require less effort than expected, especially in the case of hypervisors. Lastly, the authors will discuss a logical vulnerability in the Windows kernel that allows for privilege escalation on the host.
Thomas Bouzerar is a security researcher and member of Synacktiv's Reverse Engineering team, specializing in iOS and embedded devices, with prior experience in the PlayStation console hacking scene.
He and his team at Synacktiv achieved success at Pwn2Own 2023 in Vancouver, showcasing their skills in identifying and exploiting vulnerabilities within various targets.
Thomas Imbert is a security engineer at Synacktiv and previously worked at Microsoft. His area of expertise is in reverse engineering and vulnerability research, with a particular focus on the Windows operating system. He has spoken at several conferences including PacSec and Hack.lu. He has won Pwn2Own Austin 2021 and Vancouver 2023 competitions with his company Synacktiv.
While performing a red team assessment, due to limited scope, we were forced to look for 0-day vulnerabilities on a Fortinet appliance. This talk describes how we found and exploited CVE-2023-27997, a pre-authentication remote code execution vulnerability affecting the VPN interface of Fortigate, affecting hundreds of thousands of servers on the internet, and used it to completely compromise the company’s intranet.
We’ll go through each step of the way, from how to get an initial shell on the appliance and fingerprinting targets to post-exploitation and persistence.
You will leave this talk with a good sense of how Fortigate products are built, and a head-start to find new vulnerabilities on the product.
Charles Fol, also known as cfreal, is a security researcher at LEXFO / AMBIONICS. He has discovered remote code execution vulnerabilities targeting renowned CMSs and frameworks such as Drupal, Magento, Symfony or Laravel, but also enjoys binary exploitation, to escalate privileges (Apache, PHP-FPM) or compromise security solutions (DataDog’s Sqreen, Fortinet SSL VPN, Watchguard). He is the creator of PHPGGC, the go-to tool to exploit PHP deserialization.