The following are speakers that will be presenting at our event. We will publish the agenda and schedule as soon as we finalize it.
Andrew Wesie / @zoaedk
Halvar Flake / @halvarflake
The good 0(ld) days
Adam Donenfeld / @doadam
Viewer discretion is advised: (De)coding an iOS vulnerability
In this talk we will take a real-world journey of finding a deeply buried vulnerability in the iOS kernel cache. The vulnerability, hidden within the video-decoder driver, can be triggered by processing maliciously crafted codec frames. The driver is normally not accessible to a standard application; this vulnerability, however, is still exploitable from within a sandboxed process or application. During this talk, concepts and methods of work will be presented: from the initial investigation to getting familiar with a completely closed-source environment, as well as a real-world example of finding “sandbox-restrictive” vulnerabilities and exploiting them from the most narrow context nevertheless.
Eric Sesterhenn / @X41Sec
In Sowjet Russia Smartcard Hacks You
Smartcards are secure and trustworthy. This is the idea smartcard driver developers have in mind when developing drivers and smartcard software. The work presented in this talk not only challenges, but crushes this assumption by attacking smartcard drivers using malicious smartcards.
A fuzzing framework for *nix and Windows is presented along with some interesting bugs found by auditing and fuzzing smartcard drivers and middleware. Among them are classic stack and heap buffer overflows and double frees, but also a replay attack against smartcard authentication.
Since smartcards are used in the authentication process, a lot of these vulnerabilities can be triggered by an unauthenticated user, in code running with high privileges. During the author's research, bugs were discovered in OpenSC (EPass, PIV, OpenPGP, CAC, Cryptoflex, ...), YubiKey drivers, pam_p11, pam_pkcs11, Apple SmartCardServices, ...
James Lee / @windowsrcer
A Journey of Logical Vulnerabilities in Microsoft Browsers
Max Bazaliy / @mbazaliy
Dual booting modern iOS devices
SungHyoun Song / @decashx
Bypass Android Security Mechanisms using Custom Android
Not all IoT Devices are Created Equal: Reverse Engineering of Xiaomi's IoT ecosystem
Vitaly Nikolenko / @vnik5287
Dissecting a 17-year-old Linux Kernel Bug
In this talk we will present the analysis and exploitation of a Linux kernel 0day affecting all major Linux distributions. This bug, resulting in local privilege escalation, has been around for almost 17 years, making it one of the oldest kernel vulnerabilities. It affects all kernels starting from 2.4 and can be triggered reliably on most distributions without any special privileges or system requirements.
We will demonstrate a detailed analysis of the vulnerability and walk through the exploitation steps required to escalate privileges on x86_64.
Yunding Jian @WhiteA10n3 / KaiJern Lau @xwings
Wireless Hacking with 'HackCUBE'
This is a small (9.2 cm cube), battery-powered box. It integrates a Raspberry Pi, an Arduino, 2.4/5.8 GHz Wi-Fi, HID, etc., and can be connected externally to SDR hardware such as HackRF, RTL-SDR and CC2541. The whole system (without external accessories) is equivalent to Unicorn HackID Plus (RFID read/write/emulator) + Wifi Pineapple + rfcat (Sub-GHz transceiver). It provides comprehensive and powerful wireless hacking capabilities.
In the session, we will talk about everyday wireless hacking with HackCUBE and HackCUBE mini.
We will bring some HackCUBEs (about 10) to the lab, and attendees can operate and program them to complete the two experiments, and can even try other ideas they have.
The highlights of the HackCUBE are its portability and multi-functionality. As hackers, we also wanted an unnoticeable, battery-powered tool for wireless hacking, so we created this cube. We hope to have the opportunity to introduce it to people.
For beVX, we will officially introduce our brand new HackCUBE with more powerful features and functionality and, for the first time, show the golf-ball-sized HackCUBE mini.
Yunding Jian is the co-founder of UnicornTeam. He is the leader of RocTeam (a subset of UnicornTeam) in the Radio Security Research Department of 360 Technology. He is the designer of all previous SyScan360 conference badges, the HITB2018AMS badges and badges for a few other conferences. He has presented his hardware security research and design experience at Black Hat USA, Black Hat Europe & Asia (Arsenal), HITB and DEFCON.
KaiJern Lau (xwings) is an IoT/blockchain researcher at JD Security (JD.COM), an advisor for UnicornTeam/HACKNOWN Team and also a Hack In The Box Security Conference core crew member. His research focuses mainly on the hardware and software of embedded devices, blockchain security, reverse engineering and various other security topics. He has presented his findings at international security conferences such as HITB, Codegate, QCon, KCon and the International Antivirus Conference. He conducted a hardware hacking course during KCon, Beijing. He is also a review board member for the Hack In The Box Security Conference.
Luat Nguyen / @l4wio
Tail of pdfium use-after-free series
pdfium is the PDF reader shipped with Google Chrome. In this talk, I will talk about how I chose the target and the strategy to beat pdfium, sharing tips and what I was thinking when doing code review on a target. After 4 months, I had discovered 12 high-severity bugs resulting in 6 CVEs and $42,000 in bounties in total.
Luat is currently an independent security researcher and a keen CTF player who loves hacking and music. Luat is also a member of the CLGT/Meepwn CTF team and a former member of eee/A*0*E (3rd place at DEFCON CTF Finals 2017).
Sheng-Hao Ma / @aaaddress1
Playing Malware Injection with Exploit thoughts
In the past, when hackers did malicious code injection, they used to adopt RunPE, AtomBombing, cross-process thread creation and other approaches. They could disguise their own program as any critical system service. However, with the advance of anti-virus techniques, these sensitive approaches have gradually been proactively blocked. Therefore, hackers began to aim at another place, namely memory-level weaknesses in the critical system services themselves.
This lecture will introduce a new memory injection technique that emerged after 2013, PowerLoadEx. Based on this concept, three new injection methods will be disclosed as well. These make use of memory weaknesses in Windows to inject malicious behavior into critical system services. The content will cover Windows reverse analysis, memory-weakness analysis, how to use and exploit them, and so on. The relevant PoC will be released at the end of the lecture.
Sheng-Hao Ma (aaaddress1) is a core member of the CHROOT Security Group and the TDOHacker security community in Taiwan. He has over 10 years' experience in reverse engineering, machine language and Intel 8086. His expertise is in Windows vulnerabilities and reverse engineering. Moreover, Sheng-Hao Ma has also been a speaker at Black Hat, DEFCON USA, VXCON and HITCON (Hackers In Taiwan Conference).
Julian Rauchberger / Tobias Dam
Breaking the Bluetooth stack: Where to look and what to expect
From an attacker’s point of view, the Bluetooth stack is a really interesting yet often overlooked target. While there have been a number of practical attacks against the cryptographic protocols used in Bluetooth in the past, this talk will focus on discovering memory corruptions that can be found in its various layers.
The Bluetooth specification is extremely complex and repeatedly features questionable design decisions that are hard to implement correctly, for instance the high number of length fields and the packet fragmentation mechanisms found in multiple places. These issues, combined with the fact that the overall code quality suggests that little research has been conducted on common Bluetooth implementations in the past, make it a prime target for exploitation.
This talk will give an overview of the lower-layer protocols of Bluetooth, how to enumerate the supported protocols and possible targets on a device, and where to look for exploitable bugs. We will show how to create a test environment to start vulnerability research, for anyone interested. An in-depth explanation of two real-world vulnerabilities, an info leak and a heap corruption, that were found by the speakers in the BlueZ stack will be presented as a practical example.
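The class of bug the abstract above describes, a length field or fragmentation mechanism that an implementation trusts, as an added illustration that is not code from this talk, from BlueZ or from the Bluetooth specification: a toy fragment reassembler with an assumed three-byte framing (not a real Bluetooth encoding), first in the form that trusts every length it reads from the wire and then with the checks a correct implementation needs. The packets at the bottom are constructed for the self-check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed toy framing, NOT the real Bluetooth (L2CAP/SDP/ATT) encoding:
 *   first fragment        = [total_len: u16 LE][frag_len: u8][payload]
 *   continuation fragment = [frag_len: u8][payload]                      */
#define SDU_MAX 64

struct reasm {
    uint8_t buf[SDU_MAX];
    size_t  expected;   /* SDU length declared by the first fragment */
    size_t  got;        /* bytes copied into buf so far */
};

enum { RS_OK = 0, RS_COMPLETE = 1, RS_ERR_SHORT = -1, RS_ERR_TOTAL = -2,
       RS_ERR_FRAG = -3, RS_ERR_OVERRUN = -4, RS_ERR_STATE = -5 };

static void reasm_init(struct reasm *r) { memset(r, 0, sizeof *r); }

/* Vulnerable variant: lengths are read from the wire and trusted. A peer-chosen
 * total_len lets got run past SDU_MAX (out-of-bounds write) and a peer-chosen
 * frag_len makes memcpy read past the packet (info leak). Benign input only. */
static int reasm_push_unchecked(struct reasm *r, const uint8_t *pkt, bool first)
{
    size_t off = 0;
    if (first) {
        r->expected = pkt[0] | ((size_t)pkt[1] << 8);
        r->got = 0;
        off = 2;
    }
    size_t frag_len = pkt[off++];
    memcpy(r->buf + r->got, pkt + off, frag_len);   /* unbounded on both sides */
    r->got += frag_len;
    return r->got >= r->expected ? RS_COMPLETE : RS_OK;
}

/* Hardened variant: every length is checked against the packet and the buffer. */
static int reasm_push(struct reasm *r, const uint8_t *pkt, size_t pkt_len, bool first)
{
    size_t off = 0;
    if (first) {
        if (pkt_len < 3) return RS_ERR_SHORT;
        size_t total = pkt[0] | ((size_t)pkt[1] << 8);
        if (total > SDU_MAX) return RS_ERR_TOTAL;    /* declared SDU larger than buf */
        r->expected = total;
        r->got = 0;
        off = 2;
    } else {
        if (pkt_len < 1) return RS_ERR_SHORT;
        if (r->expected == 0) return RS_ERR_STATE;   /* continuation before first */
    }
    size_t frag_len = pkt[off++];
    if (frag_len > pkt_len - off) return RS_ERR_FRAG;            /* read past packet */
    if (frag_len > r->expected - r->got) return RS_ERR_OVERRUN;  /* write past SDU */
    memcpy(r->buf + r->got, pkt + off, frag_len);
    r->got += frag_len;
    return r->got == r->expected ? RS_COMPLETE : RS_OK;
}

/* Constructed packets (not captured traffic) exercising each check. */
static int demo_benign(void)
{
    struct reasm safe, unsafe;
    const uint8_t f1[] = { 5, 0, 3, 'a', 'b', 'c' };   /* total 5, carries "abc" */
    const uint8_t f2[] = { 2, 'd', 'e' };               /* continuation "de" */
    reasm_init(&safe); reasm_init(&unsafe);
    if (reasm_push(&safe, f1, sizeof f1, true) != RS_OK) return -1;
    if (reasm_push(&safe, f2, sizeof f2, false) != RS_COMPLETE) return -2;
    reasm_push_unchecked(&unsafe, f1, true);     /* both agree on well-formed input */
    reasm_push_unchecked(&unsafe, f2, false);
    return memcmp(safe.buf, "abcde", 5) == 0 && memcmp(unsafe.buf, "abcde", 5) == 0 ? 0 : -3;
}
static int demo_oversized_total(void)
{
    struct reasm r;
    const uint8_t f[] = { 0xff, 0xff, 1, 'x' };         /* total_len 65535 > SDU_MAX */
    reasm_init(&r);
    return reasm_push(&r, f, sizeof f, true);
}
static int demo_frag_past_packet(void)
{
    struct reasm r;
    const uint8_t f[] = { 4, 0, 200, 'x' };             /* frag_len 200, 1 byte present */
    reasm_init(&r);
    return reasm_push(&r, f, sizeof f, true);
}
static int demo_continuation_overrun(void)
{
    struct reasm r;
    const uint8_t f1[] = { 4, 0, 3, 'a', 'b', 'c' };
    const uint8_t f2[] = { 3, 'd', 'e', 'f' };          /* 3 + 3 > declared 4 */
    reasm_init(&r);
    reasm_push(&r, f1, sizeof f1, true);
    return reasm_push(&r, f2, sizeof f2, false);
}
```

The three hostile packets each defeat exactly one of the checks: a declared total larger than the buffer, a fragment length larger than the bytes actually received, and a continuation that pushes the running total past the declared size. Real stacks carry several such length fields per layer, so the same three questions have to be asked at every one of them.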
Julian Rauchberger is a grad student at St. Pölten University of Applied Sciences as well as an independent security researcher in his spare time, interested in everything that contains assembly. He is currently mostly focused on exploiting Linux-based systems.
Tobias Dam is a security researcher, who specialises in privacy, network and web security. He is currently focusing on the security of modern network technologies.
Niklas Baumstark / @_niklasb
Thinking outside the (Virtual)Box
Desktop virtualization solutions like Oracle VirtualBox and VMware Workstation are extremely useful for software development, kernel debugging and security research. They are also often used to isolate the host system from potentially malicious or vulnerable code, and thus present interesting targets for exploitation. While VMware Workstation has been a target at the annual Pwn2Own contest since 2016, this year's edition added VirtualBox for the first time, and it ended up as the only hypervisor that was successfully attacked during the competition.
This talk briefly compares the architecture of VirtualBox to that of the VMware product, with a focus on the guest-to-host attack surface available in their respective default configurations. After laying out the internals of the VirtualBox-specific HGCM and HGSMI protocols, examples of VM escape exploits against VirtualBox on Windows 10 and Linux hosts will be discussed, including the one used at Pwn2Own 2018.
You will find in this presentation basic vulnerability discovery strategies as well as exploitation techniques for VirtualBox, including powerful heap grooming primitives. You will also learn how the weak boundary between the VirtualBox userland and kernel components can be abused to escalate privileges to SYSTEM/root in a reliable manner after achieving code execution on the host.
Niklas Baumstark is an independent security researcher with a special interest in reverse engineering and binary exploitation. He publicly demonstrated exploits against Safari and VirtualBox at Pwn2Own '17 and '18, respectively. Besides breaking real software, he loves playing and organizing Capture-The-Flag events.
Brandon Azad / @_bazad
Crashing to root: How to escape the iOS sandbox using abort()
Apple has greatly improved iOS security in recent years, but many attack surfaces remain largely ignored. For example: is it possible to elevate privileges by crashing maliciously? I decided to investigate how crash handling is implemented in iOS and whether it poses a viable attack vector. What began as a seemingly absurd question ended with control over every userspace process on the phone.
In this talk, I will share how I reverse engineered a system service to find a critical Mach port replacement vulnerability, how to bypass protections in order to trigger the bug, and how to exploit the bug to escape the application sandbox and execute code with full system privileges. I'll also explain a technique I discovered to obtain the coveted task_for_pid-allow entitlement, which grants control over any userspace process. This technique bypasses recent defenses designed to stop even unsandboxed root processes from taking control of other processes.
The talk will assume basic familiarity with iOS, but I'll briefly cover the concepts we'll need (code signing, sandboxing, Mach ports, MIG, launchd) before diving into the core of the vulnerability. The complete exploit code and documentation are available online.
Brandon Azad is an independent macOS/iOS security researcher who enjoys finding 0-days, developing elegant exploits, and writing articles about security. His first work in the field was to report on the kernel code execution vulnerability used by the Pegasus iOS spyware before Pegasus was even discovered. Brandon also develops open-source tools to facilitate research, including a macOS/iOS kernel inspection tool called memctl and a kernelcache analysis toolkit for IDA called ida_kernelcache.
Nikita Tarakanov / @NTarakanov
Exploiting Kernel Pool Overflows on Windows 10 RS4
With each new version of the Windows OS, Microsoft enhances security by adding mitigation mechanisms, and kernel-land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox is by using a kernel vulnerability. That's why Microsoft strives to enhance the security of the Windows kernel.
The kernel pool allocator plays a significant role in the security of the whole kernel. Starting with Windows 7, Microsoft began enhancing the security of the Windows kernel pool allocator, and in Windows 8 it eliminated almost all reliable (previously published) techniques for exploiting kernel pool corruptions.
Then Microsoft eliminated the "0xBAD0B0B0" technique in Windows 8.1, and there was no easy technique to exploit pool overflows on Windows 8.1.
Then the DKOM/DKOHM technique was presented, which gave really nice primitives (arbitrary read/write/execute) for kernel exploitation.
Following up, Microsoft obfuscated the TypeIndex in the object header, leaving the DKOM/DKOHM technique useless.
But Microsoft left the optional headers unprotected, which gave birth to the DKOOHM technique.
Sadly enough, techniques don't live long these days, and Microsoft eliminated DKOOHM as well, leaving all known techniques not working...
This talk presents a new technique of exploiting pool overflows for Windows 10 RS4.
Bonus: overview of enhancement in the upcoming Windows RS5.
Nikita Tarakanov is an independent information security researcher. He has worked as an IS researcher at Positive Technologies, Vupen Security, CISS and Intel Corporation. He likes writing exploits, especially for the Windows NT kernel. He won the PHDays Hack2Own contest in 2011 and 2012. He has published several papers about kernel-mode drivers and their exploitation. He is currently engaged in reverse engineering research and vulnerability discovery automation.
Seunghun Han / @kkamagui1
The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone
- Rootkits and kernel exploits can neutralize protection mechanisms running at the kernel level (Ring 0). This means that the protection mechanisms need a higher privilege (Ring -1). For this reason, I presented Shadow-box v1 and v2 at Black Hat Asia. Shadow-box is a security monitoring framework for operating systems using Intel virtualization technology and ARM TrustZone technology. Shadow-box has a novel architecture inspired by a shadow play. It supports multiple platforms, Intel and ARM, and I made Shadow-box from scratch. I have been developing it as an open-source project.
- Shadow-box v1 (for x86) is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine and projects static and dynamic kernel objects of the guest into the host machine so that the security monitor in the host can investigate the projected images. The security monitor, Shadow-watcher, places event monitors on static kernel elements and tests the security of dynamic kernel elements. I manipulate address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and hypervisor spaces. Shadow-box v2 (ARM version) also has a similar architecture, and it was tuned for IoT devices. Unlike a mobile phone, the processor of an IoT device has fewer resources and functions. For this reason, I used only the security extension, ARM TrustZone, with Open Platform Trusted Execution Environment (OP-TEE).
- In this talk, I propose Shadow-box as a practical and lightweight security framework and show how it protects the kernel from rootkits and kernel exploits with a demo. Unlike other academic research results, I have been operating and updating Shadow-box in the real world for 3 years. I will share my know-how about it.
Seunghun Han is a senior security researcher at the National Security Research Institute of South Korea. He is an expert in hypervisors and the Linux kernel, and has his own lightweight hypervisor, “Shadow-box”. He also has several CVEs on the Linux kernel and BIOS/UEFI firmware. He has been a speaker at Black Hat Asia and HITBSecConf several times, published a paper at USENIX Security, and authored the books “64-bit multi-core OS principles and structure volume 1 and volume 2”.