  • 22 October
  • 23 October


Windows Metafiles: An Analysis of the EMF Attack Surface & Recent Vulnerabilities

The 16-bit Windows Metafile (WMF) image file format has been present in the Microsoft software ecosystem since 1990. It remained a fundamental format until 1993, when 32-bit Enhanced Metafiles (EMF) were introduced in the Win32 GDI, eliminating many of the original format's limitations and significantly extending it. Since then, another derivative format called EMF+ was added in Windows XP, but all of them have been in decline for the last 15 years, in favor of other raster image representations such as BMP, JPEG, PNG or even TIFF.

However, it would be wrong to believe that Metafiles completely went away into oblivion and are no longer a valid attack vector or something to take interest in as a security engineer. They are still supported by Internet Explorer, are the native image storage format in Microsoft Office, and play an essential role in Print Spooling. For these reasons, the metafile formats (but especially EMF) should not be forgotten, and their most widespread implementations in GDI and GDI+ kept at a high quality level.

Internally, metafiles are collections of records instructing the parser which GDI (or GDI+, in case of EMF+) API functions to call, and what parameters to pass to them. In other words, images encoded as metafiles can be thought of as simple GDI-only programs. For any bughunter aware of the complexities of the interface, this sounds like a dream: so many corner cases and conditions to validate against that it's very unlikely for any implementation to get it completely right. One such commonly known bug was the WMF SetAbortProc vulnerability discovered on December 27, 2005, which took advantage of a documented feature to overwrite a GDI function pointer with the address of attacker-controlled data and have it called, effectively resulting in a reliable arbitrary code execution.

Have GDI and other relevant libraries been thoroughly audited since that incident? Are there any more such critical bugs lurking in the code bases? To what extent can EMF files interact with the operating system? The goal of this talk is to address these questions by discussing the results of my recent research in this area, including detailed analysis of the discovery and exploitation of multiple amusing security flaws, many of which are still not patched at the time of this writing.


Mateusz is the vice-captain of the Dragon Sector CTF team and a big fan of memory corruption. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving into the darkest corners of low-level kernel internals with a very strong emphasis on Microsoft Windows. He currently works as a security engineer within the Project Zero team at Google.



Forcing A Targeted LTE Cellphone Into An Unsafe Network

LTE is a more advanced mobile network, but it is not absolutely secure. Recently, several papers have exposed vulnerabilities in LTE networks. In this presentation, we will introduce a method that jointly exploits vulnerabilities in the tracking area update procedure, the attach procedure, and the RRC redirection procedure, and can ultimately force a targeted LTE cellphone to downgrade into a malicious GSM network, after which its data traffic or even its voice calls can be eavesdropped on.

This attack is not a simple DoS attack. It can select the targeted cellphone by filtering on its IMSI number (an IMSI catcher function), so it does not affect other cellphones, which remain in the real network. Furthermore, it can force the cellphone into a malicious network that we set up (a fake network) or one we assign (an operator's network), so the cellphone has no chance to choose another, secure network. This is the dangerous aspect of this attack.


Wanqiao Zhang holds a master's degree from NUAA, from which she graduated last year. She is enthusiastic about the security of radio transmission and cellular networks. She is also a DEF CON speaker: this year she will give a presentation about LTE redirection at DEF CON.



$hell on Earth: From Browser to System Compromise

The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state of the art in software exploitation. Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plugin. In most cases, these privileges were attained by exploiting the Microsoft Windows or Apple OS X kernel. Kernel exploitation using the browser as an initial vector was a rare sight in previous contests.

This presentation will detail the eight winning browser-to-super-user exploitation chains (21 vulnerabilities in total) demonstrated at this year's Pwn2Own contest. We will cover topics such as modern browser exploitation, the complexity of kernel use-after-free exploitation, and the simplicity of exploiting logic errors and directory traversals in the kernel. We will analyze all attack vectors, root causes, exploitation techniques, and possible remediations for the vulnerabilities presented.

Reducing attack surfaces with application sandboxing is a step in the right direction, but the attack surface remains expansive and sandboxes are clearly still just a speed bump on the road to complete compromise. Kernel exploitation is clearly a problem which has not disappeared and is possibly on the rise. If you're like us, you can't get enough of it; it's shell on earth. 


Matt Molinyawe
Trend Micro - Zero Day Initiative

Matt Molinyawe is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. In this role, Molinyawe analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes vulnerability research along with analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including DEF CON, RuxCon, Power of Community, and PacSec. Prior to joining ZDI, Matt worked as a reverse engineer for General Dynamics Advanced Information Systems and a software engineer for both USAA and L3 Communications. In 2014, Matt was part of the ZDI team that exploited Internet Explorer 11 on Windows 8.1 x64 during the Pwn4Fun event at CanSecWest, which helped raise over $80K for charity. In his spare time, he was also a 2005 and 2007 US Finalist as a Scratch DJ. Matt has a B.S. in Computer Science from the University of Texas at Austin. Twitter: @djmanilaice

Jasiel Spelman
Trend Micro - Zero Day Initiative

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch

Abdul-Aziz Hariri
Trend Micro - Zero Day Initiative

Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and as a threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program, and the proceeds went to many STEM organizations. Twitter: @abdhariri



Demystifying the Secure Enclave Processor

The Secure Enclave Processor (SEP) was introduced by Apple as part of the A7 SoC with the release of the iPhone 5S, most notably to support its fingerprint technology, Touch ID. The SEP is designed as a security circuit configured to perform secure services for the rest of the SoC, with no direct access from the main processor. In fact, the secure enclave processor runs its own fully functional operating system, dubbed SEPOS, with its own kernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.

Although almost three years have passed since its introduction, little is known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has led to a number of misconceptions and false claims about the SEP.

In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors.


Tarjei Mandt (@kernelpool) is a senior security researcher at Azimuth Security. He holds a Master's degree in Information Security from GUC (Norway) and has spoken at security conferences such as Black Hat USA, CanSecWest, INFILTRATE, RECon, SyScan, and Hack in the Box. In his free time, he enjoys spending countless hours challenging security mechanisms and researching intricate issues in low-level system components. Previously, he has discovered several Windows kernel vulnerabilities, and spoken on topics such as kernel pool exploitation and user-mode callback attacks. More recently, he has focused on Apple technology and presented on various security flaws and weaknesses in Mac OS X and iOS.



Strolling into Ring-0 via I/O Kit Drivers

Due to recent macOS security enhancements such as system integrity protection and signed driver requirements, having root is not what it once was :( Now, in order to fully own a Mac, one generally needs ring-0 code execution. 

Not to worry though: there seem to be many kernel-level vulnerabilities in both Apple and 3rd-party drivers! This talk will provide a practical ‘how to’ on reverse engineering I/O Kit drivers in order to search for such bugs. Starting with I/O Kit basics, the talk will then illustratively walk thru the discovery of a (now-patched) 0day which was found during the audit of a common 3rd-party I/O Kit driver.

Specifically, we’ll first explore how to reverse-engineer the target I/O Kit driver and its interfaces in order to ‘connect’ to the driver. Then, how to identify and audit the methods where user input is processed in ring-0. Finally, details of the subtle bug and control of $RIP will be discussed. A few tangential topics will be explored along the way, such as macOS kernel debugging, macOS-specific anti-debugging mechanisms (employed by the 3rd-party product), and the discovery of a core macOS kernel implementation bug that initially prevented the exploitation of the I/O Kit driver bug.

Thru this talk, attendees will gain (or enhance) both knowledge and foundations of macOS kernel and I/O Kit reversing. Armed with this know-how, no I/O Kit driver will remain safe :) 


Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools. Both can be found on his website: www.Objective-See.com



Rainbow Over the Windows: More Colors Than You Could Expect

Operating systems such as Microsoft Windows keep evolving, shipping new designs, features and code from time to time. Sometimes, however, they also ship more than a bit of code for complex subsystems residing in the kernel, and at some later point start introducing new designs to prevent unnecessary access to those subsystems. But is that safe enough?

As we can see from security bulletins, the win32k subsystem attracts a lot of attention. It might seem that, thanks to the efforts of the many security researchers who have dug into this area, finding bugs here has become pretty tough and almost fruitless. Unfortunately, this is not true, as win32k is by nature backed by very complex logic and a large amount of code.

We will present our point of view on the Windows graphics subsystem, as well as the schema of our fuzzing strategies. We will introduce some unusual areas of win32k and its extensions, and show how they can break even locked-down environments.

Part of our talk will be dedicated to CVE-2016-0176, the bug we used for this year's Pwn2Own Edge sandbox bypass, from its discovery to its exploitation techniques, which could serve as an example of a universal DirectX escape that is independent of the graphics vendor.


Peter (@zer0mem)

Peter is a Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team), with a primary focus on vulnerability discovery and the development of novel exploitation techniques. He has presented his research at various conferences such as Recon, Syscan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was an AV (ESET) guy with 4+ years of experience in that field, who then switched to offensive software security research focused on Windows and Linux kernel architectures. He is a Pwnie nominee and a Pwn2Own 2015 & 2016 (MoP) winner, a member of the GeeKon committee and a GeekPwn judge, and an occasional CTF player. Besides the software security field, he does his best as a wushu player as well.

Daniel (Jin Long 金龙) @long123king

Daniel is a Tencent Keen Security Lab researcher with 6 years of programming experience and 4 years of security experience. A former Trend Micro employee, he is now focused on Windows security research at Keen Security Lab. He is a Pwn2Own 2016 winner (Master of Pwn, by the final Edge-to-SYSTEM escape).



Hacker-Machine Interface - State of the Union for SCADA HMI Vulnerabilities

Over the last year, synchronised and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware, like BlackEnergy, is being specially developed to target supervisory control and data acquisition (SCADA) systems. Specifically, adversaries are focusing their efforts on obtaining access to the human-machine interface (HMI) solutions that act as the main hub for managing the operation of the control system. Vulnerabilities in these SCADA HMI solutions are, and will continue to be, highly valuable as we usher in this new era of software exploitation.

This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA HMI vulnerabilities. It details the popular vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric, and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk will compare the time-to-patch performance of various SCADA vendors along with a comparison of the SCADA industry to the rest of the software industry. Finally, using the data presented, additional guidance will be provided to SCADA researchers along with a prediction of what we expect next in attacks that leverage SCADA HMI vulnerabilities.


Brian Gorenc is the senior manager of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions. 


Breaking out of QEMU

QEMU is a fundamental part of modern open source virtualization solutions, especially KVM and Xen. The most important function of QEMU is device emulation: QEMU can emulate a lot of peripheral devices of a computer, such as the mouse, network card, SCSI host controller and USB host controller. This software emulation can bring a lot of security issues, and as QEMU emulates a very wide range of devices, these security issues can be leveraged to break out of QEMU easily.

This talk will present how to break out of QEMU using two vulnerabilities. It covers an overview of QEMU, mostly focused on QEMU's device model and its attack surface, the data flow from a virtual machine to the host machine, and the common types of vulnerabilities in QEMU, such as use-after-free and infinite loops, some of which are interesting. Finally, this talk will illustrate how to leverage CVE-2016-2857 and another heap overflow to implement a VM escape that fully bypasses ASLR/DEP.



Qiang Li is a security researcher at Qihoo 360, mainly focused on vulnerability discovery and vulnerability analysis. He has been a low-level system programmer for several years on both Windows and Linux. He is very interested in low-level system programming and wants to know the secrets under the surface of virtualization. He is currently working on cloud and virtualization security and has discovered a lot of QEMU vulnerabilities this year.


Wei Wang
Zhaowei Wang


Make iOS Apps More Robust and Secure through Fuzzing

In this presentation, we will first introduce the state of the iOS app security development lifecycle. Then we will explain why AFL should be used to fuzz iOS apps and third-party iOS libraries. In order to fuzz on iOS, we will show the steps of porting AFL to iOS. After porting AFL to iOS, we will demonstrate how to fuzz on iOS or OS X. Finally, we will show the vulnerabilities found by fuzzing.


Wei Wang

Wei Wang is a senior security researcher on the Qihoo 360 Nirvan Team. He focuses on the security of Apple’s products, including the OS, developer toolchain, and fundamental frameworks, and has found many vulnerabilities. He also has 6+ years of experience in software development and software architecture, so he is also good at developing security tools. Twitter: @ProteasWang

Zhaowei Wang

Zhaowei Wang is a senior security researcher on the Qihoo 360 Nirvan Team. He is interested in reverse engineering and exploit development, and is sometimes a CTF player. Recently, he has been focusing on vulnerability research and exploitation techniques on Mac OS X and iOS.



Exploiting COF Vulnerabilities In The Linux Kernel

Most memory corruption vulnerabilities affecting user-space processes are also prevalent in kernel space. Due to the missing kernel-space memory corruption mitigations, exploitation of these kernel-space vulnerabilities is often more trivial than exploiting the same class of vulnerabilities in user space.

There are several new kernel sanitisers, such as KASAN, KTSAN and KUBSAN, which together with the original kmemcheck and SLAB poisoning aid in the detection of common memory corruption vulnerabilities. Combined with a fuzzing tool, these techniques speed up the discovery process for common vulnerability classes.

Counter overflow (COF) vulnerabilities, on the other hand, are not easily detectable using these approaches and common fuzzing techniques. Furthermore, once identified, they are often not trivial to exploit. In this presentation, we will demonstrate recent real-life COF examples and walk through the exploitation techniques associated with some corner-cases in COF and use-after-free (UAF) vulnerabilities.

We will conclude this presentation with a discussion of our current research: a static-analysis framework designed to automatically identify counter overflows as well as some other UAF vulnerabilities in the Linux kernel.


Vitaly is a security researcher specialising in reverse engineering and exploit development. He has a solid academic background in programming languages, algorithms and cryptography. He is currently focused on OS security (kernel space exploitation techniques and countermeasures on POSIX systems) and software hypervisors.



PHP Internals: Exploit Dev Edition

This talk will give a tour of PHP internals. It will take the audience on a journey from the design behind a custom PHP fuzzer to how the PHP internal heap can be exploited. It will also cover some of the changes in PHP 7 internals and what they mean from an exploit-dev perspective. A sample of interesting and unusual PHP bugs that I have discovered will also be presented. I hope to be able to share what has worked for me and some of the lessons I've learnt throughout this journey.


Emmanuel Law (@libnex) is a Principal Security Consultant at Aura Information Security. He works as a penetration tester during the day. By night he can be found fuzzing and exploiting binaries. Recently he has found a new hobby in hacking away at PHP internals.



Active Incident Response

During the Pacnet breach in 2015, we developed a method which differs from the usual IR process for targeted attacks, utilising what we have termed ‘Full Spectrum Visibility’ and ‘Targeted Containment’, which form like Voltron to create ‘Active Incident Response’. This method, utilising threat intelligence, hunting and active defence, gives incident responders the information the business needs to assess risk, and another avenue for actions to mitigate that risk.

We will demonstrate, using examples from the Pacnet breach and follow-on waves, how ‘Targeted Containment’ can be used during incident response and the visibility required, and explore actor TTPs, tools and activity associated with this campaign.

Expect to see pcap decodes, command-line activity and actor typos.


Brian is a Chief Security Researcher for Australia's largest telecommunications company, who spends his days and nights making the internet a safer place. His interests in information security include attack and detection techniques, intelligence and “active defence”. He enjoys hunting adversaries on large corporate networks.

Christian is a Senior Security Specialist for Australia’s largest telecommunications provider. He specialises in hunting for evidence of breach with endpoint, network and log data. He has over a decade of experience in information security, with a background focusing on intrusion detection, incident response and computer forensics for the enterprise.



Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets

Wireless desktop sets consisting of a wireless mouse, a wireless keyboard, and a USB dongle have become more popular and more widespread in the last couple of years. Seen as a potential target, these radio-based devices are of more interest to people with malicious intentions than their wired counterparts, because they can also be attacked remotely from a safe distance via radio signals.

As wireless desktop sets represent an attractive target, allowing both taking control of a computer system and gaining knowledge of sensitive data like passwords, they have been frequently analyzed for security vulnerabilities and were successfully attacked in the past. One well-known example of exploiting vulnerabilities in wireless keyboards is the open source wireless keyboard sniffer KeyKeriki by Dreamlab Technologies, the first version of which was presented back in 2009 for Microsoft keyboards using the 27 MHz ISM band; the second version, presented in 2010, also supported wireless keyboards using the 2.4 GHz ISM band. In 2015, Samy Kamkar published an Arduino-based wireless keyboard sniffer for Microsoft keyboards with known security weaknesses that extended the work of the KeyKeriki v2.0 project and of Travis Goodspeed's research concerning Nordic Semiconductor's nRF24 transceiver family. And in spring 2016, a collection of security vulnerabilities found in USB dongles of wireless desktop sets of different manufacturers was released by Bastille Networks Internet Security under the name MouseJack, which allowed keystroke injection attacks.

SySS GmbH started a research project about the security of modern wireless desktop sets using AES encryption in 2015, as there was no publicly available data concerning security issues in current wireless mice and keyboards. Up to now (May 2016), several security vulnerabilities in modern wireless desktop sets of different manufacturers like Microsoft, Cherry, Logitech, and Perixx have been found and reported in the course of our responsible disclosure program.

The security vulnerabilities found can be exploited within different attack scenarios from different attackers' perspectives. On the one hand, there are security issues which require one-time physical access to a keyboard or a USB dongle, for example to extract cryptographic keys which can be used in further attacks or to manipulate the firmware. On the other hand, there are security issues that can be exploited remotely via radio communication, for example replay or keystroke injection attacks due to insecure implementations of the AES-encrypted data communication.

The results of our research show that the security levels of modern wireless desktop sets of different manufacturers are not equal and that some devices are more secure than others. Still, there was no wireless desktop set without any security issues.

In our talk, we will present the results of this research and will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities.


Matthias has been interested in information technology – especially IT security – since his early days and has a great interest in seeing whether security assumptions in soft-, firm- or hardware hold true when taking a closer look. Matthias successfully studied computer science at the University of Ulm and holds the following IT security certifications: CISSP, CISA, OSCP, OSCE.

Since 2007 he has worked as an IT security consultant for the IT security company SySS GmbH, where he is also head of R&D.

Matthias was a speaker at the Chaos Communication Congress in 2009 and 2010 (lightning talks and a workshop), at the BSidesVienna security conference in 2014 and 2015 (talks) and at the DeepSec security conference in 2015 (talk). In recent years, he has also published several IT security papers and security advisories.

Gerhard is interested in all things concerning IT security – especially when it comes to hardware or radio protocols. He successfully studied IT security at Aalen University and has been working at SySS GmbH since 2014 as an IT security consultant and penetration tester.

Gerhard was a speaker at GPN 2013 – a conference organized by the Chaos Computer Club (CCC) in Karlsruhe – where he talked about hacking RFID-based student cards. He is also the author of the Mifare Classic Tool Android app.



Firmware Biopsy: Towards Taming The Lunacy

Firmware attacks initially came to public attention when Snowden’s leaks demonstrated the extent of nation-state capabilities. More recently, commercial groups such as Hacking Team were found to provide similar services, including reflashing the BIOS to install persistent remote access tools.

Although the cost of developing and deploying firmware implants remains high, they have become a viable target for attackers with sufficient resources. Not only can firmware compromises provide long-term persistent access, they also have a lower chance of detection by defenders, mainly because of limited knowledge and the scarcity of tools available in the security community.

This talk will present some of the work done at Google to advance the current state of firmware collection and verification for laptops, desktops and servers. We will discuss the approaches we are taking, some of the techniques we use for verification and the software we are publishing to help other organisations do this at scale.


tweek is a Security Engineer at Google, Sydney.



Leaking Windows Kernel Pointers

As part of reversing win32k.sys to understand the user-mode callback mechanism, I found several kernel information leaks. As it turns out, there were several situations where the kernel was readily returning kernel pointers to user land. This talk will be a brief introduction into how user-mode callbacks operate, a description of the information-leak vulnerabilities and how prevalent they are, and then a detailed description of how to take advantage of CVE-2015-0094 and CVE-2015-1680.



Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.