Speakers

MATEUSZ "J00RU" JURCZYK

Windows Metafiles: An Analysis of the EMF Attack Surface & Recent Vulnerabilities

The 16-bit Windows Metafile (WMF) image file format has been present in the Microsoft software ecosystem since 1990. It remained a fundamental format until 1993, when 32-bit Enhanced Metafiles (EMF) were introduced in the Win32 GDI, eliminating many of the original format's limitations and significantly extending it. Since then, another derivative format called EMF+ was added in Windows XP, but all of them have been in decline for the last 15 years, in favor of other raster image representations such as BMP, JPEG, PNG or even TIFF.

However, it would be wrong to believe that Metafiles completely went away into oblivion and are no longer a valid attack vector or something to take interest in as a security engineer. They are still supported by Internet Explorer, are the native image storage format in Microsoft Office, and play an essential role in Print Spooling. For these reasons, the metafile formats (but especially EMF) should not be forgotten, and their most widespread implementations in GDI and GDI+ kept at a high quality level.

Internally, metafiles are collections of records instructing the parser which GDI (or GDI+, in case of EMF+) API functions to call, and what parameters to pass to them. In other words, images encoded as metafiles can be thought of as simple GDI-only programs. For any bughunter aware of the complexities of the interface, this sounds like a dream: so many corner cases and conditions to validate against that it's very unlikely for any implementation to get it completely right. One such commonly known bug was the WMF SetAbortProc vulnerability discovered on December 27, 2005, which took advantage of a documented feature to overwrite a GDI function pointer with the address of attacker-controlled data and have it called, effectively resulting in a reliable arbitrary code execution.

Have GDI and other relevant libraries been thoroughly audited since that incident? Are there any more such critical bugs lurking in the code bases? To what extent can EMF files interact with the operating system? The goal of this talk is to address these questions by discussing the results of my recent research in this area, including detailed analysis of the discovery and exploitation of multiple amusing security flaws, many of which are still not patched at the time of this writing.

MATEUSZ "J00RU" JURCZYK BIO

Mateusz is the vice-captain of the Dragon Sector CTF team and a big fan of memory corruption. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving into the darkest corners of low-level kernel internals with a very strong emphasis on Microsoft Windows. He currently works as a security engineer within the Project Zero team at Google.

MATT MOLINYAWE & JASIEL SPELMAN & ABDUL-AZIZ HARIRI

$hell on Earth: From Browser to System Compromise

The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state of the art in software exploitation. Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plugin. In most cases, these privileges were attained by exploiting the Microsoft Windows or Apple OS X kernel. Kernel exploitation using the browser as an initial vector was a rare sight in previous contests.

This presentation will detail the eight winning browser to super user exploitation chains (21 total vulnerabilities) demonstrated at this year’s Pwn2Own contest. We will cover topics such as modern browser exploitation, the complexity of kernel Use-After-Free exploitation, and the simplicity of exploiting logic errors and directory traversals in the kernel. We will analyze all attack vectors, root causes, exploitation techniques, and possible remediations for the vulnerabilities presented.

Reducing attack surfaces with application sandboxing is a step in the right direction, but the attack surface remains expansive and sandboxes are clearly still just a speed bump on the road to complete compromise. Kernel exploitation is clearly a problem which has not disappeared and is possibly on the rise. If you're like us, you can't get enough of it; it's shell on earth. 

MATT MOLINYAWE & JASIEL SPELMAN & ABDUL-AZIZ HARIRI BIO

Matt Molinyawe
Trend Micro - Zero Day Initiative

Matt Molinyawe is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. In this role, Molinyawe analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes vulnerability research along with analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including DEF CON, RuxCon, Power of Community, and PacSec. Prior to joining ZDI, Matt worked as a reverse engineer for General Dynamics Advanced Information Systems and a software engineer for both USAA and L3 Communications. In 2014, Matt was part of the ZDI team that exploited Internet Explorer 11 on Windows 8.1 x64 during the Pwn4Fun event at CanSecWest, which helped raise over $80K for charity. In his spare time, he was also a 2005 and 2007 US Finalist as a Scratch DJ. Matt has a B.S. in Computer Science from the University of Texas at Austin. Twitter: @djmanilaice

Jasiel Spelman
Trend Micro - Zero Day Initiative

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch

Abdul-Aziz Hariri
Trend Micro - Zero Day Initiative

Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and as a threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program, and the proceeds went to many STEM organizations. Twitter: @abdhariri

PETER HLAVATY & JIN LONG

Rainbow Over the Windows: More Colors Than You Could Expect

As time goes on, operating systems such as Microsoft Windows keep evolving, shipping new designs, features and code from time to time. Sometimes, however, they also ship more than a bit of code for complex subsystems residing in the kernel, and only at some later point start implementing new designs to prevent unnecessary access to it. Is that safe enough?

As security bulletins show, the win32k subsystem attracts a lot of attention. It might seem that, after the efforts of the many security researchers who have dug into this area, finding bugs here should by now be pretty tough and almost fruitless. Unfortunately this is not true, as win32k is by nature backed by very complex logic and a large amount of code.

We will present our point of view on the Windows graphics subsystem, as well as the schema of our fuzzing strategies. We will introduce some unusual areas of win32k and its extensions, and show how they can break even locked-down environments.

Part of our talk will be dedicated to CVE-2016-0176, the bug we used for this year's Pwn2Own Edge sandbox bypass, from its discovery to its exploitation techniques, which could serve as an example of a universal DirectX escape that is independent of the graphics vendor.

PETER HLAVATY & JIN LONG BIO

Peter (@zer0mem)

Peter is a Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team), with a primary focus on vulnerability discovery and the development of novel exploitation techniques. He has presented his research at various conferences such as Recon, Syscan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was an AV (ESET) guy with 4+ years of experience in that field, who then switched to offensive software security research focused on Windows and Linux kernel architectures. He is a Pwnie nominee and Pwn2Own 2015 & 2016 (MoP) winner, a member of the GeeKon committee and a GeekPwn judge, and an occasional CTF player. Outside the software security field, he does his best as a wushu player as well.

Daniel (Jin Long 金龙) @long123king

Daniel is a Tencent Keen Security Lab researcher with 6 years of programming experience and 4 years of security experience. A former Trend Micro employee, he now focuses on Windows security research at Keen Security Lab. Pwn2Own 2016 winner (Master of Pwn, by the final Edge to SYSTEM escape).

MERCY

It's Time We Talk About Off-By-One's Again

One of my favorite phrack articles ever published was "The Frame Pointer Overwrite" by klog (Issue #55 article 8). The premise of a single byte overwrite leading to code execution is both beautiful and incredibly scary. Well, technology has changed significantly since '99 and exploiting this awesome bug class has all but become an urban legend. This presentation will deep dive into the nuances of memory corruption bugs with a focus on compilers, stack alignment and optimizations, heap allocators, and application specific attacks. This will hopefully breathe life back into the question - is a single byte still enough to rule them all?

MERCY BIO

Hard yakka, VB, and footy.

BRIAN GORENC

Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities

Over the last year, synchronised and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware, like BlackEnergy, is being specially developed to target supervisory control and data acquisition (SCADA) systems. Specifically, adversaries are focusing their efforts on obtaining access to the human-machine interface (HMI) solutions that act as the main hub for managing the operation of the control system. Vulnerabilities in these SCADA HMI solutions are, and will continue to be, highly valuable as we usher in this new era of software exploitation.

This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA HMI vulnerabilities. It details the popular vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric, and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk will compare the time-to-patch performance of various SCADA vendors, along with a comparison of the SCADA industry to the rest of the software industry. Finally, using the data presented, additional guidance will be provided to SCADA researchers, along with a prediction of what we expect next in attacks that leverage SCADA HMI vulnerabilities.

BRIAN GORENC BIO

Brian Gorenc is the senior manager of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions. 

QIANG LI

Breaking out of QEMU

QEMU is a fundamental part of modern open source virtualization solutions, especially KVM and Xen. Its most important function is device emulation: QEMU can emulate many peripheral devices, such as mice, network cards, SCSI host controllers and USB host controllers. This software emulation can bring a lot of security issues, and since QEMU emulates such a wide range of devices, these issues can be leveraged to break out of QEMU easily.

This talk will present how to break out of QEMU with two vulnerabilities. It covers an overview of QEMU, mostly focused on the QEMU device model and its attack surface, the data flow from a virtual machine to the host machine, and the common types of vulnerabilities in QEMU, such as UAF and infinite loops, some of which are interesting. Finally, this talk will illustrate how to leverage CVE-2016-2857 and another heap overflow to implement a VM escape that fully bypasses ASLR/DEP.

QIANG LI BIO

Qiang Li is a security researcher at Qihoo 360, mainly focused on vulnerability discovery and vulnerability analysis. He has been a low-level system programmer for several years on both Windows and Linux. He is very interested in low-level system programming and wants to know the secrets under the surface of virtualization. He is currently working on cloud and virtualization security and has discovered a lot of QEMU vulnerabilities this year.

WEI WANG & ZHAOWEI WANG

Make iOS App more Robust and Security through Fuzzing

In this presentation, we will first introduce the status of the iOS app security development lifecycle. Then we will explain why AFL should be used to fuzz iOS apps and third-party iOS libraries. To do fuzzing on iOS, we will show the steps of porting AFL to iOS. After that, we will demonstrate how to fuzz on iOS or OS X. Finally, we will show the vulnerabilities fuzzed out.

WEI WANG & ZHAOWEI WANG BIO

Wei Wang

Wei Wang is a senior security researcher in Qihoo 360's Nirvan Team. He focuses on the security of Apple's products, including the OS, developer toolchain and fundamental frameworks, and has found many vulnerabilities. He also has 6+ years of experience in software development and software architecture, so he is also good at developing security tools. Twitter: @ProteasWang

Zhaowei Wang

Zhaowei Wang is a senior security researcher in Qihoo 360's Nirvan Team. He is interested in reverse engineering and exploit development, and is sometimes a CTF player. Recently he has been focusing on vulnerability research and exploitation techniques on Mac OS X and iOS.

VITALY NIKOLENKO

Exploiting COF Vulnerabilities In The Linux Kernel

Most memory corruption vulnerabilities affecting user-space processes are also prevalent in kernel space. Due to the missing kernel-space memory corruption mitigations, exploitation of these kernel-space vulnerabilities is often more trivial than exploiting the same class of vulnerabilities in user space.

There are several new kernel sanitisers such as KASAN, KTSAN and KUBSAN, including the original kmemcheck and SLAB poisoning, that aid in detection of common memory corruption vulnerabilities. Combined with a fuzzing tool, these techniques speed up the discovery process of common vulnerability classes.

Counter overflow (COF) vulnerabilities, on the other hand, are not easily detectable using these approaches and common fuzzing techniques. Furthermore, once identified, they are often not trivial to exploit. In this presentation, we will demonstrate recent real-life COF examples and walk through the exploitation techniques associated with some corner-cases in COF and use-after-free (UAF) vulnerabilities.

We will conclude this presentation with a discussion of our current research: a static-analysis framework designed to automatically identify counter overflows as well as some other UAF vulnerabilities in the Linux kernel.

VITALY NIKOLENKO BIO

Vitaly is a security researcher specialising in reverse engineering and exploit development. He has a solid academic background in programming languages, algorithms and cryptography. He is currently focused on OS security (kernel space exploitation techniques and countermeasures on POSIX systems) and software hypervisors.

EMMANUEL LAW

PHP Internals: Exploit Dev Edition

This talk will give a tour of PHP internals. It'll take the audience on a journey from the design behind a custom PHP fuzzer to how the PHP internal heap can be exploited. It will also cover some of the changes in PHP 7 internals and what they mean from an exploit dev perspective. A sample of interesting and unusual PHP bugs that I have discovered will also be presented.

EMMANUEL LAW BIO

Emmanuel Law is a Principal Security Consultant at Aura Information Security. He enjoys fuzzing and exploiting stuff. Recently he has found a new hobby in hacking away at PHP internals.

BRIAN CANDLISH & CHRISTIAN TEUTENBERG

Active Incident Response

During the Pacnet breach in 2015, we developed a method which differs from the usual IR process for targeted attacks, utilising what we have termed 'Full Spectrum Visibility' and 'Targeted Containment', which form like Voltron to create 'Active Incident Response'. This method, utilising threat intelligence, hunting and active defense, gives incident responders the information the business needs to assess risk, and another avenue for actions to mitigate that risk.

We will demonstrate, using examples from the Pacnet breach and follow-on waves, how 'Targeted Containment' can be used during incident response and the visibility it requires, and explore the actor TTPs, tools and activity associated with this campaign.

Expect to see pcap decodes, command-line activity and actor typos.

BRIAN CANDLISH & CHRISTIAN TEUTENBERG BIO

Brian is a Chief Security Researcher for Australia's largest telecommunications company, who spends his days and nights making the internet a safer place. His interests in information security include attack and detection techniques, intelligence and “active defence”. He enjoys hunting adversaries on large corporate networks.

Christian is a Senior Security Specialist for Australia’s largest telecommunications provider. He specialises in hunting for evidence of breach with endpoint, network and log data. He has over a decade of experience in information security, with a background focusing on intrusion detection, incident response and computer forensics for the enterprise.