Timeslot | Activity | Speaker |
---|---|---|
8:00am – 9:00am | Registration, Coffee & Snacks | |
9.00am – 9.20am | Welcome Address | TBA |
9.25am – 10.10am | [Keynote] Breaking Into Vulnerability Research | Dr Silvio Cesare - InfoSect |
10.10am – 10.30am | Coffee Break | TBA |
10.30am – 11.15am | Beyond Borders - Unveiling Android’s Multi-User Vulnerabilities | Wang Tao & Zhang Chennan - OPPO ziwu security lab |
11.15am – 12.00pm | Unlocking Automotive Secrets - Strategies and Tool for accessing hidden services | Peng Fan - QAX STARV Lab |
12.00pm – 1.15pm | Lunch | TBA |
1.15pm – 2.00pm | Exploring WebKit’s Just-In-Time Compilation | Vignesh S Rao - Exodus Intelligence |
2.00pm – 2.45pm | Ghost in the BLF: A two-year journey of chasing in-the-wild LPE exploits in Windows CLFS | Quan Jin, Yingqi Shi & Guoxian Zhong - DBAPPSecurity WeBin Lab |
2.45pm – 3.30pm | Uncharted Depths: Navigating Overlooked Vulnerabilities in the Sea of Million WordPress Sites | Rafie Muhammad - Patchstack |
3.30pm – 4.00pm | Coffee Break | TBA |
4.00pm – 4.45pm | GPUAF - Using a general GPU exploit tech to attack Pixel8 | Pan ZhenPeng & Jheng Bing Jhong - STAR LABS SG Pte. Ltd. |
4.45pm – 5.30pm | Universal Code Execution by Chaining Messages in Browser Extensions | Eugene Lim |
Dr Silvio Cesare - InfoSect
Abstract
This talk discusses the challenges of starting and running a company that specialises in vulnerability research. The typical problems likely faced include:
- How do you build a new team?
- How do you encourage knowledge transfer and upskilling within your team?
- What targets do you focus on?
- How much engineering is required to support research?
This talk will give insights into and answer these questions, with the aim of maintaining reliable, consistent and high-quality research outputs.
Biography
Dr Silvio Cesare is a founder and Director at InfoSect, a vulnerability research company. He has worked in technical roles and been involved in computer security for over 29 years.
This period includes time in Silicon Valley in the USA, France, and Australia. He has worked commercially in both defensive and offensive roles within engineering.
He was previously the Director for Education and Training at UNSW Canberra Cyber, ensuring quality content and delivery. In his early career, he was the lead architect and developer for the startup Qualys, now the industry standard in vulnerability management. He has a Ph.D. from Deakin University and has published in academia, having been cited over 800 times on Google Scholar. He is a four-time speaker and also a trainer at the industry-leading international Black Hat conference.
He has taken his University research through commercialisation and authored a book (Software Similarity and Classification, published by Springer).
Wang Tao & Zhang Chennan - OPPO ziwu security lab
Abstract
The multi-user functionality of the Android platform plays a critical role in isolating each user's data and settings, safeguarding their security and privacy.
During a comprehensive investigation conducted in 2023, we discovered a number of high-severity vulnerabilities that pertained to cross-user interactions.
These vulnerabilities encompassed unauthorized access to sensitive media photos and manipulation of privacy settings.
During this presentation, we will explore the common underlying pattern behind these vulnerabilities and discuss the measures taken by Google to mitigate their impact.
Biography
Wang Tao (Natsuki) is a seasoned mobile security researcher at OPPO ziwu security lab. Prior to his foray into the security realm, he spent years honing his skills as a frontend and mobile application developer at Tencent and ByteDance.
Over the past year, he has been acknowledged with more than 20 CVEs from Google and Transsion. Presently, his main area of focus revolves around static program analysis and vulnerability exploration.
Follow Wang Tao on X @minamikazecafe.
Zhang Chennan is a security practitioner at OPPO ziwu security lab, specializing in vulnerability research, security tool development and reverse engineering.
He has found vulnerabilities in Google, ByteDance, Xiaomi, and other products. He has also presented his research at ACM WiSec 2022.
Follow Chennan on X @Sp1kee01.
Peng Fan - QAX STARV Lab
Abstract
During car hacking, the first consideration typically revolves around the manufacturer's or Tier 1 supplier's hidden services. These span from common engineer-mode applications to deeply concealed mechanisms. However, due to regulatory requirements and increased manufacturer security awareness, hidden services with high-level privileges have decreased dramatically. Through analyzing dozens of Intelligent Connected Vehicles, we have discovered new tactics for managing hidden services.
In this talk, we will demonstrate multiple methods to access hidden functions and thoroughly analyze the underlying theory, covering both traditional and new-era approaches. Once the underlying mechanisms are understood, we attempted to bypass the security protections, and we will share our journey, including some bypass techniques, such as using a Flipper Zero to crack the engineer-mode PIN code. Upon gaining access to hidden services, we will show how to leverage these functions to attain root privileges, move laterally to other Electronic Control Units (ECUs), and gain control of the vehicle.
Lastly, I will introduce a self-developed graphical hacking tool designed to reveal hidden services. This tool extracts information from firmware and automatically generates a graphical representation of the relationships between hidden services. Using this tool, we have successfully identified entry paths for many vehicles, including deeply hidden ones.
Biography
Peng Fan (@delikely) is a Security Researcher and Tech Lead working at QAX STARV Lab, focusing on automotive security. He has received CVEs from Tesla, Cybellum, Bender and others, and is in the GeekPwn Hall of Fame (2021-2022). He is a member of the Automobile Safety Research Organization Qing Ji, the earliest automotive cybersecurity community in China, which operates a WeChat Official Account and has released a panorama of automotive security. He is the maintainer of the Automotive Security Timeline.
Vignesh S Rao - Exodus Intelligence
Abstract
JIT compilers have been the subject of numerous vulnerability discoveries. This is due to the nuances of optimization phases and their potential to introduce subtle bugs. This talk aims to unravel some key optimization phases in JavaScriptCore, WebKit’s JavaScript engine that powers Apple Safari.
The focus will be mainly on DFG intermediate representation and how optimization phases on this can give rise to vulnerabilities.
Through specific examples and case studies, we will examine vulnerabilities resulting from logic errors in the compiler. These examples will showcase the real-world impact of optimization phase vulnerabilities, highlighting their severity and potential exploitation scenarios.
Biography
Vignesh Rao is a vulnerability researcher at Exodus Intelligence. He is currently focusing on bug hunting and exploitation of web browsers, with a specific focus on JavaScript engines. He loves anything related to system security and has previously researched multiple userland and kernel applications, especially in the macOS/iOS ecosystem.
Vignesh also used to be an avid CTF player and regularly participated in CTFs as part of the bi0s team.
Quan Jin, Yingqi Shi & Guoxian Zhong - DBAPPSecurity WeBin Lab
Abstract
Since October 2021, we have been continuously chasing the latest in-the-wild Windows CLFS (Common Log File System) LPE exploits. During this process, we captured two in-the-wild Windows CLFS 0days and at least seven in-the-wild Windows CLFS 1days.
Meanwhile, through variant analysis of the itw exploits, we identified two new CLFS vulnerabilities and reported them to Microsoft. Interestingly, two of the captured 1day exploits utilized the vulnerabilities that we discovered through variant analysis.
In this talk, we will share how we are using the combination of “threat hunting” and “variant analysis” to assist Microsoft in patching four CLFS 0day vulnerabilities (two in-the-wild 0days and two independently discovered 0days).
We believe that the approach combining “threat hunting” and “variant analysis” is more effective than traditional defense methods, and we want to share our practice and insights into this process: why we selected CLFS vulnerabilities, how we chased in-the-wild CLFS exploits, how we analyzed captured vulnerability exploits, and how we conduct variant analysis. At the end of this talk, we will incorporate the latest findings to give some insights on the trends in in-the-wild Windows LPE 0days.
Biography
Quan Jin is a security research expert from DBAPPSecurity WeBin Lab. His interests are vulnerability research and itw 0day hunting.
He has received more than 40 CVE acknowledgments from Microsoft, Adobe and Apple, and has been listed as an MSRC Most Valuable Security Researcher for three years (2020-2022).
He once spoke at Bluehat Shanghai 2019, HITB2021AMS/HITB2023AMS and BlackHat USA 2022/BlackHat Asia 2024.
Yingqi Shi is an undergraduate senior majoring in Computer Science, currently serving as a security research intern at DBAPPSecurity. His main research areas include binary analysis, vulnerability discovery & exploitation and reverse engineering.
He excels particularly in reverse engineering. He is a core member of the Nu1L Team, achieving excellent results in numerous top-tier CTF (Capture The Flag) events both domestically and internationally. He once spoke at BlackHat Asia 2024.
Guoxian Zhong is a senior security engineer at DBAPPSecurity WeBin Lab. His main research areas include binary analysis, reverse engineering and vulnerability discovery & exploitation. He once spoke at BlackHat Asia 2024.
Rafie Muhammad - Patchstack
Abstract
A Content Management System (CMS) platform is still one of the best options to build a website quickly. A CMS provides a user-friendly interface that allows non-technical users to easily create, edit, and publish content without requiring extensive knowledge of HTML, CSS, or JavaScript.
WordPress is still the most popular CMS platform, powering 43.2% of the websites online, with a CMS market share of 63.5%. With its popularity, it is prone to massive exploit attempts. The WordPress Core itself is not the actual target; the plugins and themes are the real target of an attacker, with the vast majority of security bugs being found in plugins and themes.
This talk will cover deep technical details of overlooked, impactful vulnerabilities discovered in WordPress Core and across the most popular WordPress plugins, with each component having more than a hundred thousand active installations.
We will also cover a vulnerability in one of the most popular libraries used in plugins and themes, which could affect more than 7 million websites.
We will use multiple cases of overlooked XSS and privilege escalation attack vectors which could be easily exploited in the wild. We will show how we found these vulnerability cases and how to secure the code against these potential vulnerabilities.
Join us for the journey of exploiting the WordPress ecosystem (an exploit demo is included too!)
Biography
Rafie Muhammad is a security researcher at Patchstack. He specializes in web application security, WordPress security and PHP code review.
Rafie is passionate about web application security with a white-box approach. He likes listening to podcasts while reading a bunch of PHP code on VSCode.
With almost 2 years of experience in WordPress security, Rafie has secured critical and highly popular WordPress components ranging from WordPress Core to plugins and themes.
Pan ZhenPeng & Jheng Bing Jhong - STAR LABS SG Pte. Ltd.
Abstract
Last year, we developed an advanced exploit technique capable of transforming a conventional out-of-bounds (OOB) bug into a more potent exploit primitive, specifically a page Use-After-Free (UAF). Utilizing this technique, we successfully exploited a vulnerability in the Pixel series, achieving Kernel Code Execution.
This presentation will commence with a thorough examination of the component where we identified eight vulnerabilities, all of which were patched this year. We will delve into the root causes of these vulnerabilities.
Subsequently, we will demonstrate how we applied our exploit technique to convert one of these bugs into a Page UAF (PUAF), and subsequently construct a physical memory read/write primitive on a Pixel 8 with Memory Tagging Extension (MTE) enabled.
Furthermore, this talk will address the challenges we encountered during the development of this exploit, highlighting the differences in exploitation techniques between the Pixel 6 and Pixel 8 models.
Biography
Pan Zhenpeng (@peterpan980927) is a mobile security researcher at STAR LABS SG, focusing on mobile (iOS/Android) and web security. He has spoken at Zer0Con, POC, OffensiveCon, 0x41Con and HITB Armory.
Jheng Bing Jhong (@st424204) is a security researcher at STAR LABS SG, focusing on Linux, VM and mobile security.
Eugene Lim
Abstract
By chaining various messaging APIs in browsers and browser extensions, I demonstrate how we can jump from web pages to “universal code execution”, breaking both Same Origin Policy and the browser sandbox.
I provide two new vulnerability disclosures affecting millions of users as examples. In addition, I demonstrate how such vulnerabilities can be discovered at scale with a combination of large dataset queries and static code analysis.
Biography
Eugene Lim is a security researcher and white hat hacker. From Amazon to Zoom, he has helped secure applications from a range of vulnerabilities. His work has been featured at top conferences such as Black Hat, DEF CON, and industry publications like WIRED and The Register.
In 2021, he was 1 of 5 selected from a pool of 1 million white hat hackers for the H1-Elite Hall of Fame.
Timeslot | Activity | Speaker |
---|---|---|
10.00am – 10.45am | [Keynote] Pwing to Action - How Offense Helps Us Improve Security | Eduardo Vela - Google |
10.45am – 11.30am | Love and hate - The cyber tale between fuzzer and exploits in Linux kernel | Xiaochen Zou |
11.30am – 11.50am | Coffee Break | TBA |
11.50am – 12.35pm | Attacking the Samsung Galaxy A* Boot Chain | Maxime Rossi Bellom, Gabrielle Viala, Raphael Nevue & Damiano Melotti - Quarkslab |
12.35pm – 1.50pm | Lunch | TBA |
1.50pm – 2.35pm | Win32k Vulnerability Dead? Taking win32k Exploitation To The Next Level | Zishuang Yan & YunLong Deng |
2.35pm – 3.20pm | AI-Powered Bug Hunting - Evolution and benchmarking | Alfredo Ortega |
3.20pm – 3.50pm | Coffee Break | TBA |
3.50pm – 4.35pm | The Forgotten Treasure In Classic Targets | Hua Hangyu & Wu JunTao - Shuffle Team |
4.35pm – 5.20pm | Make N-Day Great Again - The Story of N-Day Full Chain from browser in guest to SYSTEM in host | JeongOh Kyea, Gwangun Jung & Yeonghun Kim - Theori |
5.20pm – 5.35pm | Closing Remarks | TBA |
Eduardo Vela - Google
Abstract
It’s too easy to find problems in software today. Not enough people understand how attacks really work, and this is bad for defense. Both attackers and defenders need this knowledge, but we are always busy fixing today’s problems.
There’s not always enough time for making things stronger long-term. In this talk, I share how my teams have used offense to make defense better. We use weaknesses and exploits, study how they work, and then use this data to help organizations decide how to move forward.
We’ll discuss using exploits to prioritize patches, motivate process changes, and ultimately create systems that are more resilient. Sometimes we offer money to break things in new ways and show us where to focus; sometimes we turn up the heat on a broken system so it transforms into something better.
This is not always about fancy new insights, ideas or attacks. It’s just about working together to make systems safer for everyone.
Biography
Eduardo breaks things for a living, mostly the digital kind. Leads a team of Google’s finest bug squashers, manages disclosure drama and spends an unhealthy amount of time poking at software and hardware in the name of science teaching them new tricks (that they really shouldn’t be able to do)…
Aims to make the digital world a more or less terrifying place, one exploit at a time. Eduardo often wonders why anyone trusts him with this much responsibility.
He’s pretty sure this is due to a combination of luck, caffeine, and the fact that he’s surrounded by people far smarter than himself. But hey, he’s not going to question it too much.
Xiaochen Zou
Abstract
Continuous fuzzing has become an integral part of the Linux kernel ecosystem, discovering thousands of bugs over the past few years. Interestingly, only a tiny fraction of them were turned into real-world exploits that target downstream distributions, e.g., Ubuntu and Fedora. This contradicts the conclusions of existing exploitability assessment tools, which classify hundreds of those bugs as high-risk, implying a high likelihood of exploitability.
Our study aims to understand the gap and bridge it. Through our investigation, we realize that the current exploitability assessment tools exclusively test bug exploitability on the upstream Linux, which is for development only; in fact, we find many of them fail to reproduce directly in downstreams.
Through a large-scale measurement study of 230 bugs on 43 distros (8,032 bug/distro pairs), we find that each distro only reproduces 19.1% of bugs on average by running the upstream PoCs as root user, and 0.9% without root.
Remarkably, both numbers can be significantly improved, by 61% and 1300% respectively, through appropriate PoC adaptations necessitated by environment differences.
Biography
Zou Xiaochen is a Ph.D. candidate at the University of California, Riverside, advised by Professor Zhiyun Qian. Xiaochen earned his bachelor's degree from the University of Electronic Science and Technology of China.
Follow Xiaochen on X @ETenal7.
Maxime Rossi Bellom, Gabrielle Viala, Raphael Nevue & Damiano Melotti - Quarkslab
Abstract
During our past research analyzing the Android Data Encryption Scheme, we dived into the boot chain of Samsung low-end mobile devices, in particular the Galaxy A family, which is based on Mediatek Systems-on-Chip. These devices are often overlooked by the security research community, which usually targets high-end ones (e.g., the S family for Samsung). Nonetheless, these devices are extremely popular, and thus represent a big share of the phones in the wild.
On top of the Mediatek boot chain, Samsung added its own features including Knox Security Bit, support for their recovery tool Odin, a JPEG parser and so on.
In their latest systems-on-chip, Mediatek has improved security and fixed an infamous BootROM vulnerability that used to impact most of their chips.
Yet, even with the security improvements made by Mediatek and the apparent security added by Samsung, we were able to break the boot chain of most Samsung phones powered by Mediatek SoCs.
We will present several 0-day vulnerabilities that, chained together, can be used by an attacker with physical access to a wide range of Samsung devices (mainly from the A* family) to bypass secure boot, execute code on the chip, achieve persistence and ultimately leak the secret keys protected by the hardware-backed keystore.
This presentation brings together two important concepts of modern mobile architectures: the secure boot and the Trusted Execution Environment. It gives a comprehensive view of how these features work and how they can be targeted by security researchers, focusing on the offensive approach.
Biography
Maxime Rossi Bellom (@max_r_b) is a Security Researcher and Tech Lead working at Quarkslab, focusing on the hardware and low-level software security of mobile devices and embedded systems.
He likes playing with secure boot, and security chips embedded in smartphones.
Damiano Melotti (@DamianoMelotti) is a security researcher. He is mostly interested in systems security, especially in mobile platforms (Android) and automated vulnerability research.
Gabrielle Viala (@pwissenlit) is a security engineer specialized in vulnerability research and exploitation at Quarkslab. She is usually focused on desktop-based components, but as long as the project involves low-level technology, any target can be a good playground for her.
Zishuang Yan & YunLong Deng
Abstract
As a well-known attack surface in the Windows system, Win32k has caused many security problems over the years. But with the efforts of Microsoft and security researchers, people believe that Win32k has become secure enough that it is no longer harmful.
Especially with the continuous updates to the mitigations added by Microsoft, vulnerabilities in Win32k have become difficult to exploit, which has caused attackers to lose interest in Win32k.
In this talk, we will present the results of our work, which completely bypasses all security mitigation mechanisms and revitalizes the ancient attack surface of Win32k, so we named it “Next Level”.
More specifically, we will present 5 Win32k vulnerabilities we discovered, which can lead to privilege escalation not only in normal environments but also inside a sandbox, resulting in an escape from the security sandbox.
Also, we will introduce the various restrictions Microsoft has imposed on Win32k and how to bypass them.
Finally, we will also discuss whether there is universality in the exploitation techniques and vulnerability discovery methods, and what suggestions we have for future Win32k security.
Biography
YanZiShuang is a Windows security researcher at CyberKunlun. His main research areas are Web and OS, Red Team and Penetration Testing.
Follow Yan on X @YanZiShuang.
Deng YunLong is a researcher specialising in Windows security, Tor traffic and deep learning methods. He is currently attached to the information security laboratory at WTU.
Alfredo Ortega
Abstract
While AI holds promise for assisting bug hunting, its actual impact remains unclear. This presentation addresses this gap by introducing Crash-Benchmark, a standardized evaluation framework for AI-driven static analysis tools.
We’ll share results from a simple bug-hunting AI agent, AK1, and discuss the implications for optimizing AI-based bug hunting in C/C++ codebases.
AI-bughunting presents unique challenges: Early models lacked sophistication, struggling to comprehend long codebases. Moreover, privacy concerns often necessitate exclusive use of local models, which are inherently less capable than commercial AI models offered by industry leaders such as OpenAI and Google.
To illustrate this challenge, we’ll showcase AK1, a simple rule-based AI agent capable of autonomously identifying various bug classes within C/C++ codebases.
Notably, its model-agnostic design allows it to improve performance with each new model release. Nevertheless, evaluating the effectiveness of AI-based tools poses difficulties due to the subjectivity of the output.
Biography
Alfredo Ortega is a security researcher and bug hunter, delivering presentations at over two dozen prominent information security conferences globally, including Black Hat, Defcon, Syscan, and Hackers-to-Hacker (H2HC) events, dating back to 2007.
Ortega holds a Doctorate degree in Computer Science from the Instituto Tecnológico de Buenos Aires. He is also the founder and primary architect of Neuroengine.ai, a pioneering platform dedicated to the open-source distribution and collaborative development of open-source artificial intelligence models, promoting community-driven innovation.
Alfredo serves as a Web3 Auditor at Coinfabrik, where he leverages his extensive expertise to fortify the security posture of cryptocurrency infrastructures, ensuring the integrity and reliability of decentralized systems.
Follow Alfredo on X @ortegaalfredo
Hua Hangyu & Wu JunTao - Shuffle Team
Abstract
As is well known, there are numerous mature fuzz testing tools on the market, including iconic ones like AFLplusplus for general targets and syzkaller for the Linux kernel.
However, despite the continuous, round-the-clock efforts of these powerful fuzzers against these targets, several longstanding vulnerabilities have been exposed in recent years, posing significant risks of privilege escalation.
This suggests that many secrets still lie deep within the code, beyond the reach of fuzzing techniques.
Therefore, by investigating the pain points of fuzzers and conducting manual code audits targeted at high-value objectives such as the Linux kernel and mobile RCE-involved decoders, we have successfully uncovered dozens of high-value vulnerabilities.
These vulnerabilities, which are not easily detected by existing fuzzers, may enable privilege escalation to obtain root access. Through analysis of these vulnerabilities, we have devised methods to enhance fuzzers and discovered multiple new 0days.
Biography
Hangyu Hua (@HBh25Y) is a security researcher at Numen Cyber and the co-founder of Shuffle Team, mainly focusing on low-level security such as boot chains, kernels, etc.
Juntao Wu (@Dawuge3) is a security researcher and the founder of Shuffle Team, mainly focusing on mobile/web3 vulnerability discovery and exploitation. He was inducted into the Samsung Mobile Security Hall of Fame 2021/2022/2023.
JeongOh Kyea, Gwangun Jung & Yeonghun Kim - Theori
Abstract
During the last year, numerous vulnerabilities were patched, and some of them were proven to be exploitable, as they were exploited in the wild, Pwn2Own, and so on.
We have continuously tracked these issues and written the Proof-of-Concepts and exploits to keep them in our vulnerability database.
Although each vulnerability itself has a critical impact, we think it would become more powerful if they are chained into a full chain exploit.
Therefore, we wrote an exploit chaining several vulnerabilities chosen from our database and demonstrated the exploit on X; the exploit starts from a Chrome browser running in a VMware guest and then manages to achieve SYSTEM privileges in a Windows host.
This scenario mimics a situation where a security analyst clicks a malicious link in a virtual machine. The N-Day full chain includes six unique vulnerabilities; three of them were exploited in the wild, two of them were used in Pwn2Own 2023, and the last one, a variant of a Pwn2Own 2023 vulnerability, was found by one of our team members.
In this presentation, we will explain the root causes and the exploit techniques of each vulnerability and how we connected them into a full chain exploit.
We will also discuss the chaining details needed to glue our exploit pieces together successfully, including how to bypass V8 pointer compression, implant a browser sandbox escape vulnerability in JavaScript code, escape the browser sandbox with the pickup window, and drop the exploit binary on the VMware host.
This presentation will cover overall concepts from browser to virtualization and OS, and you will have a comprehensive understanding of them after this talk.
Biography
JeongOh Kyea is a researcher at Theori Korea with an interest in automatic vulnerability detection, binary analysis, and exploit techniques. He received his BS and MS degrees from KAIST. He was selected as a Microsoft Most Valuable Researcher (MVR) in 2020, 2021 and 2022.
Gwangun Jung is a security researcher at Theori. His main research areas are operating systems, virtualization and red teaming. He is the Pwn2Own Vancouver 2024 Virtualization category winner targeting VMware Workstation and has received CVEs from Linux, VMware and others.
Follow Gwangun on X @pr0ln.
Yeonghun Kim is a security researcher working at Theori. His main research areas are web browsers and JavaScript engines, especially Chrome and V8.