2017 SyScan360 | SyScan360 Information Security Conference China ‧ Beijing

2017 SyScan360 | SyScan360 Information Security Conference
Omri Herscovici Omri Herscovici Check Point Software Technologies
Omer Gull Omer Gull Check Point Software Technologies


Pwned in Translation - from Subtitles to RCE


What if I told you, that when you're watching a movie on your PC or streamer - someone might also be watching you? And he might be doing so - using subtitles.

Yes, subtitles, those innocent looking text lines at the bottom of your screen.

Millions of people use them without a second thought – never wondering where they come from, where they're parsed or how they are rendered.

You might be surprised to find that there are actually more than 25 subtitle formats out there, most of which support exotic features such as HTML tags, raw images or even freeform binary (What?). Moreover, there is usually no standard library designed to parse subtitles, which leaves this task to be independently implemented by the various media players.

What can go wrong?

Well, basically - everything.

We will pioneer the uncharted subtitles attack vector and demonstrate its disastrous potential, and unravel the numerous vulnerabilities we found involving subtitles. There will be unsanitized JavaScript running on native web applications; files being manipulated; heaps being corrupted; and full RCE on the most common streaming platforms including VLC, Kodi (XBMC) and PopcornTime.

It seems there is no limit to what can be achieved by using these supposedly minor text files.

But wait, the plot thickens. Our presentation will delve even further into the subtitle supply chain. Some media players download subtitles automatically from shared online repositories (such as OpenSubtitles) where they are indexed and ranked.

By manipulating the website's ranking algorithm, we were able to guarantee our crafted malicious subtitles would be the ones downloaded by the video player, allowing us to take complete control over the entire subtitle supply chain - Look ma, no MITM or user interaction.

Do you like scary movies?


Omri Herscovici is a security researcher at Check Point Software Technologies. Omri is a developer and network security expert with extensive technical experience in software development, exploit and vulnerability research, and security architecture. In his past, Omri served seven years as an officer and R&D leader in an elite Israeli intelligence unit.

Omer has been a security researcher at Check Point Software Technologies LTD for the past year. Omer has diverse security background which includes networking, web application pentesting and exploit research. Previously Omer served in an elite IDF intelligence unit as an IT specialist.

Adam Donenfeld Adam Donenfeld Trustwave


The Ro(o)tten Apple: Vulnerabilities heaven behind the iOS sandbox


In modern days, no exploitation chain can be considered complete without a reliable privilege escalation vulnerability. This is why many security researchers spend a lot of their research time in finding those vulnerabilities.

Apple has set a new standard in iOS security by implementing many innovative techniques to prevent exploitation of PE vulnerabilities, however despite their continuous efforts some areas of iOS still remain more exposed than others to this kind of vulnerabilities.

This presentation will shed a light on some critical areas in the iOS kernel, that have been proven to contain many privilege escalation vulnerabilities that can potentially affect hundred of millions of iOS devices.

In this talk, we will overview these yet unexplored areas and present a chain of vulnerabilities, leading to a complete kernel privilege escalation exploit while bypassing all the latest kernel mitigations Apple introduced.


Adam Donenfeld is a mobile security researcher at Zimperium with vast experience in the mobile research field. Researching vulnerabilities and exploiting them for both PC and mobile environments, Adam has presented his researches at several international security conferences including Black Hat, DEF CON and HITB.

Yuriy Gurkin Yuriy Gurkin The founder and CTO of Gleg ltd.


Penetration through ICS Development Software - potentially devastating attack vector or not? CODESYS 0days examples.


Among well known ICS development tools there is a CODESYS Programming Software which is widely used in energy, factory and other Automation Technology Sectors. Those tools are used by engineers to create Controller Applications, HMI devices etc... But could someone attack that (or another) Development Software, and gain control over engineer PC, over connected real or tested ICS, even leave a backdoor (potentially for whole Controller line ) ?

It seems like successful attacks against development software could be really devastating especially if they stays unidentified.

E.G. In 2015 Volkswagen had lost 30 % (2.5 billions) of its shares in two days as a result of its Diesel engine controller software scandal ... It was a strange and unclear story, but what is clear - controller software being "tuned" is pretty serious thing.

So, let's take a look to CODESYS. Utilizing open-source EAST pentest framework we will show vulnerabilities in CODESYS software of older versions, and two 0days in newer versions.


Working in the infosec field since 2004. Has cofounded the company Gleg ltd which nowadays develops exploit packages for Immunity Inc's "Canvas" framework, Core Security's "Core Impact" framework.The company is also heading and promoting open-source EAST penetration testing framework and associated exploit packages.

Zoltan Balazs Zoltan Balazs MRG Effitas


How to hide your brower 0-Days


When it comes to browser exploits, so far there was no known technique to make network forensics of the exploit impossible. In my research I have demonstrated that it is possible to deliver browser exploits in an encrypted way (using AES after ECDH key agreement), which makes passive network analysis of the exploit impossible.


Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing.Before MRG Effitas, he had worked as an IT Security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool that has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass) and the Sandbox tester tool to test Malware Analysis Sandbox es. He has been invited to give presentations worldwide at information security conferences including DEF CON, Hacker Halted USA, Botconf, AusCERT, Nullcon,Hackcon, Shakacon, OHM, Hacktivity and Ethical Hacking.Zoltan passed OSCE recently, and he is very proud of it

Brian Gorenc Brian Gorenc Trend Micro Zero Day Initiative
Abdul-Aziz Hariri Abdul-Aziz Hariri Trend Micro Zero Day Initiative
Jasiel Spelman Jasiel Spelman Trend Micro Zero Day Initiative


Transforming Open Source to Open Access in Closed Applications: Finding Vulnerabilities in Adobe Reader's XSLT Engine


The inclusion of open-source components into large, closed-sourced applications has become a common practice in modern software. Vendors obviously benefit from this approach as it allows them to quickly add functionality for their users without the need to invest costly engineering effort. However, leveraging open source for a quick functionality boost comes with security side effects that might not be understood by the vendor until it is too late. In those cases, misunderstood or poorly implemented open source allows attackers to bypass security mechanisms that may exist elsewhere in the proprietary system.

This talk provides insight into these side effects through an examination of Adobe Reader’s XSLT (Extensible Stylesheet Language Transformations) engine, which is based on the now abandoned open-source project called Sablotron – an XML processor fully implemented in C++. We focus on techniques for auditing the source code of Sablotron in order to find corresponding bugs in Adobe Reader. We also present a new source-to-binary matching technique to help you pinpoint the vulnerable conditions within Sablotron that also reside in the assembly of Reader. Real-world application of these techniques will be demonstrated through a series of code execution vulnerabilities discovered in Adobe Reader’s codebase. Finally, we'll highlight the trends in vulnerabilities discovered in Adobe Reader’s XSLT engine over the last year.


Brian Gorenc is the director of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.

Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and threat analyst for Morgan Stanley emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program where the proceeds went to many STEM organizations. Twitter: @abdhariri

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch

Maxwell Koh Maxwell Koh Trustwave


Bypass 2FA, Stealing Private Keys, and the Introduction to 2FAssassin


The "knowledge factor" (using passwords for authentication) will never be enough for security. We need the second layer of defense -- a "possession factor" or sometimes called the "Two-Factor Authentication", hence the term, "2FA". Nowadays many organization plans to adopt password-free login to authenticate their systems, thereby completely replacing the password-based authentication with key-based authentication, which they believed is more secure. However, the truth is far from reality. Although 2FA creates a formidable barrier against potential security breaches, however it doesn't guarantee much security at all, especially when it comes to the inefficacious and often futile private key protection. In that sense, we can say that the effectiveness of the 2FA depends on how well they can protect "something only user has". In fact, there are many ways to steal someone’s private keys without performing social engineering attacks. This talk is dedicated to discuss and demonstrate the newly discovered techniques to bypass the two-factor authentication by stealing and cracking OTP, private keys, and client certificates. By that means, an attacker must compromise the voice or text message accounts, software token, infecting memory agents, cracking passphrase, stealing hardware token, etc. With the help from the “2FAssassin” we could turn these looted keys for more fun and profits. The demonstration will include the scenario where the private keys are compromised and then show how an attacker could leverage the situation to gain more access into the corporate networks and for making profits. These are not limited to systems that used single sign-on (with 2FA enabled), public key authentication (e.g., password-less authentication, authorized_keys abuse), free software token (e.g., Google Authenticator), website owner (e.g., phishing sites created using stolen private key), and even software vendor (e.g., stolen private key can be used to sign the malicious malware). The tool will automate the exploitations against the common vulnerabilities that lead to the private key leakage. It can be used to compromise individual system, or the entire network using looted private keys. It also capable to analyze and identify potential private keys, key information extraction in order to profile the target servers, cracking and removing the passphrase, injecting arbitrary key-based backdoors, building multi-chained covert tunnels by leveraging on the loopholes found in vulnerable public key authentication. Nevertheless, the talk will end with recommendations to protect the private keys from theft, as well as what to do during the worst case scenario.


Maxwell is a penetration tester with Trustwave's SpiderLabs Asia-Pacific. Maxwell is based out of Singapore and his primary focus is on providing penetration testing service to clients in the Asia-Pacific region.

Amihai Neiderman Amihai Neiderman Azimuth security


Hacking Tizen


Tizen​ ​is​ ​samsung's​ ​newest​ ​OS​ ​for​ ​it's​ ​devices​ ​and​ ​considered​ ​by​ ​them​ ​as​ ​the​ ​operation system​ ​of​ ​everything,​ ​aiming​ ​to​ ​run​ ​on​ ​every​ ​device​ ​from​ ​simple​ ​IoT,​ ​mobile​ ​phones, televisions​ ​to​ ​even...Cars.

Over​ ​the​ ​last​ ​few​ ​months​ ​I​ ​observed​ ​that​ ​samsung​ ​is​ ​laying​ ​the​ ​groundwork​ ​for​ ​a​ ​larger expansion​ ​of​ ​tizen​ ​in​ ​the​ ​mobile​ ​world.​ ​It​ ​appeared​ ​that​ ​samsung​ ​is​ ​adding​ ​more​ ​servers​ ​and more​ ​infrastructure​ ​to​ ​support​ ​an​ ​upcoming​ ​growth​ ​in​ ​the​ ​amount​ ​of​ ​tizen​ ​users​ ​worldwide and​ ​is​ ​planning​ ​to​ ​expand​ ​to​ ​new​ ​markets.

I​ ​then​ ​decided​ ​to​ ​start​ ​and​ ​research​ ​tizen​ ​due​ ​to​ ​the​ ​fact​ ​that​ ​it​ ​seems​ ​that​ ​nobody​ ​was ​doing​ ​it! The​ ​tizen​ ​mobile​ ​firmware​ ​was​ ​obtained​ ​pretty​ ​quickly​ ​and​ ​from​ ​a​ ​thorough​ ​investigation​ ​it seems​ ​that​ ​samsung​ ​hasn't​ ​learned​ ​anything​ ​from​ ​the​ ​publications​ ​about​ ​0days​ ​in​ ​the​ ​past few​ ​years.​ ​The​ ​code​ ​is​ ​not​ ​designed​ ​with​ ​security​ ​in​ ​mind,​ ​is​ ​not​ ​up​ ​to​ ​any​ ​modern​ ​security standards​ ​(you​ ​can​ ​find​ ​strcpy,​ ​memcpy,​ ​sprintf​ ​almost​ ​anywhere.​ ​and​ ​always​ ​to​ ​a​ ​fixed​ ​size buffers).

during​ ​the​ ​course​ ​of​ ​a​ ​few​ ​days​ ​I​ ​found​ ​over​ ​40​ ​different​ ​vulnerabilities​ ​in​ ​tizen​ ​-​ ​some​ ​logical and​ ​some​ ​just​ ​classic​ ​(really​ ​classic!)​ ​memory​ ​corruptions​ ​bugs.​ ​Almost​ ​every​ ​system​ ​app​ ​is vulnerable.


Amihai Neiderman is a security researcher in the field of vulnerability research. Amihai has worked on everything from embedded devices, IoT, OS exploitation and web security. In past years he has worked as an independent researcher for various companies and now works as a security researcher for Azimuth security.

Bertin Bervis Bertin Bervis Cybertrust Spa , Santiago Chile


Exploiting and abusing web applications flaws in industrial and network communication devices


PLCS, data acquisition servers and industrial network communication gateways/routers often comes with a web server/web service enable, these web applications usually are being put in production with a lot of bugs and issues. Vulnerablities like stored XSS , path traversal,LFI, or RCE those are really easy to find in this devices but task needs to be done manually since automated tools/scanners usually crash the web application during the scan execution .In the worse scenario these web servers are being publish in the internet and remote attackers can take over these vulnerablilities in order to get access ,remote execution or persistance in browsers.

In this presentation, i,m going to demonstrate real cases about several vulnerablities found in web servers from PLCs, Weather stations and industrial gateways/routers from well known vendors in the industrial field , i will demostrate practical exploitation step by step about issues that i found and have been reported to every vendor affected, i will share tips and techniques to spot easy and quickly vulnerablities in these web appications in industrial devices.


Bertin Bervis is a security researcher from Costa Rica currently working for a cyber security firm in Santiago de Chile called CyberTrust Spa as security consultant, Bertin has been speaker in several security conferences around the world like DEFCON , Blackhat And Ekoparty