Hao Xu - @windknown
Keynote – Changing and Unchanged Things in Vulnerability Research
OffensiveCon23 Keynote Read more...
KSMBD is a young component in the Linux kernel upstreamed since 5.15 and shipping with Ubuntu 22.04. It offers an in-kernel SMB server focused on performance, and attempts to keep the complex, non-performance-critical parts of the protocol separate in a userspace daemon. This talk focuses on several vulnerabilities discovered in the KSMBD kernel module itself, which we chained to achieve kernel remote code execution. Read more...
This presentation will explore fully-remote baseband vulnerabilities. Read more...
It all started with a “Print Spooler” 0-day privilege escalation, CVE-2022-41073. On investigation, the fix in the spooler was almost trivial. However, based on issues Project Zero has discovered in the past, it was clear the real vulnerability was inside the Windows DLL loader. Read more...
Every modern Windows mitigation can be bypassed. Mitigations can have unintentional bugs, design choices that create known gaps, or just good old backwards compatibility. And while these protections may succeed in killing older exploit primitives, they also sometimes introduce entirely new ones. This talk will provide a whirlwind tour through exploitation on a modern Windows system and introduce advanced techniques for the modern attacker. Read more...
In this talk, we will take a look at the Intel Infineon Baseband's ASN.1 parser, which is a key component of a number of mobile devices and embedded systems. Read more...
Over the last year the Exploit Development Group (EDG) at NCC Group found and exploited three different 0-day Linux kernel local privilege escalation vulnerabilities (CVE-2022-0185, CVE-2022-0995, CVE-2022-32250) against fully patched OSs with all mitigations enabled. The most recent vulnerability was patched against versions of the kernel going back 6 years affecting most stable Linux distributions. Read more...
An in-depth explanation of one of the neatest Chrome sandbox escape vulnerabilities in recent years, CVE-2022-3075. Read more...
This talk will cover some XNU virtual memory internals, discuss some fun vulns and show how you could use them to escape the sandbox in iOS 16. Read more...
With the increasing adoption of the embedded SIM (eSIM) or embedded Universal Integrated Circuit Card (eUICC), new connectivity opportunities and conveniences are emerging for users. However, with these advances emerge new potential vulnerabilities and security implications. This presentation will shed light on the yet unexplored attack surface of eSIM technology and highlight the potential risks and challenges of this now widely deployed technology. Read more...
Apple's Lightning has been around since 2012 - but it can be used for so much more than just charging or transferring pictures: It allows JTAG debugging, getting a serial console, and much more. In this talk we will start with a brief introduction to the protocol behind Lightning - SDQ/IDBUS - and then jump into the weeds: How we built an open-source iPhone JTAG adapter (The Tamarin Cable), and how we can use it to perform low-level fuzzing on the iPhone. Read more...
In this talk, we present the first framework for static and dynamic analysis of Intel Atom microcode. Building upon prior research, we reverse engineer Goldmont microcode semantics and reconstruct the patching primitives for microcode customization. Read more...
What’s new in JavaScript engine fuzzing, and what might still be to come? This talk will dive into the unique challenges and opportunities of JavaScript engine fuzzing. Read more...
In this work, we will present an exploit for a unique Binder kernel use-after-free (UAF) vulnerability (CVE-2022-20421) which was disclosed recently. Through this vulnerability, we examine the exploitability of a spinlock use-after-free, containing no other memory corruption primitive. Read more...
This is the first public disclosure in history of UEFI specification-related vulnerabilities in the ARM device ecosystem. It shows that some of the attacks and classes of bugs can be the same on both ARM and x86 devices, but the exploitation specifics will be different. These vulnerabilities were confirmed on Lenovo’s Thinkpad and Microsoft’s Surface devices during our research. Read more...
I'm excited to introduce KidFuzzerV2.0, which includes an innovative driver collection method that could expand driver attack surfaces by 95%. Then I will demonstrate how to do lateral migration with the "Backward Fuzzing" idea in Apple kernel space and discuss the bugs found in the XNU kernel, IOKit drivers, and various firmwares, including DCP/SEP/AOP, etc. Read more...
Join the story of finding and exploiting these vulnerabilities, a forgotten patch, the effect of mitigations such as Shadow Stacks and CFI in the secure world and reverse-engineering subsystems of a complex SoC without hardware documentation. Followed by the aftermath of a lengthy disclosure process ending with a mandatory upgrade to Android 13 to recover the security of the platform by leveraging the Tensor Security Core, an isolated security processor inside the SoC. Read more...