Day: ?? . Time: ?? SGT
TBA
Dr. Edward PengHuazhong University of Science and Technology (HUST)
0x00//PROGRAMME — TALK BOARD
The Line-Up
// one single track.
More talks to come. Reviewed by a peer-review board of practising researchers. Click any talk for details — share the link with a colleague.
Day: ?? . Time: ?? SGT
The Chaos Phase or How I Learned to Stop Worrying and Love Offensive AI
Nico WaismanXBOW
Day: ?? . Time: ?? SGT
I Let A.I. Loose on Google. It Found RCE. Twice.
Arvin ShivramBrutecat Security Pte Ltd
Day: ?? . Time: ?? SGT
From CloseHandle to Code Execution: Exploiting an arbitrary handle close vulnerability for EOP
Arjun VasudevaMicrosoft
Day: ?? . Time: ?? SGT
Chaining Logical Bugs for Reliable Windows LPE
Bocheng Xiang , HeeChan KimFudan University · Soongsil University
Day: ?? . Time: ?? SGT
Beyond XNU: Agentic Hunting for Vulnerabilities in TXM
Stefan EsserCalif
Day: ?? . Time: ?? SGT
No Time to Pwn2Own: Exploiting After the Draw
Evangelos Daravigkas , Ben KooTeam DDOS
From CloseHandle to Code Execution: Exploiting an arbitrary handle close vulnerability for EOP
// Abstract
Arbitrary handle close vulnerabilities are an underexplored bug class in Windows. While these issues have appeared in multiple security cases, there has been little public research showing whether an attacker-controlled CloseHandle in a privileged process can be turned into a practical exploitation primitive, or whether the impact is mostly theoretical. This talk presents what is believed to be one of the first demonstrated end-to-end exploit chains for this class of vulnerability, using Desktop Window Manager as a case study.
The talk shows how a seemingly narrow primitive, closing an attacker-chosen handle inside DWM, can lead to an unexpected uninitialised memory use condition, a constrained two-byte out-of-bounds write, object corruption, and ultimately code execution in a privileged process.
// Speakers
Arjun Vasudeva
Microsoft
Security researcher at Microsoft (MSRC Exploit Research Team)