2017 SyScan360 | SyScan360 Information Security Conference USA ‧ SEATTLE

Omri Herscovici, Check Point Software Technologies
Omer Gull, Check Point Software Technologies

TOPIC

Pwned in Translation - from Subtitles to RCE

ABSTRACT

What if I told you, that when you're watching a movie on your PC or streamer - someone might also be watching you? And he might be doing so - using subtitles.

Yes, subtitles, those innocent looking text lines at the bottom of your screen.

Millions of people use them without a second thought – never wondering where they come from, where they're parsed or how they are rendered.

You might be surprised to find that there are actually more than 25 subtitle formats out there, most of which support exotic features such as HTML tags, raw images or even freeform binary (What?). Moreover, there is usually no standard library designed to parse subtitles, which leaves this task to be independently implemented by the various media players.

What can go wrong?

Well, basically - everything.

We will pioneer the uncharted subtitles attack vector and demonstrate its disastrous potential, and unravel the numerous vulnerabilities we found involving subtitles. There will be unsanitized JavaScript running on native web applications; files being manipulated; heaps being corrupted; and full RCE on the most common streaming platforms including VLC, Kodi (XBMC) and PopcornTime.

It seems there is no limit to what can be achieved by using these supposedly minor text files.

But wait, the plot thickens. Our presentation will delve even further into the subtitle supply chain. Some media players download subtitles automatically from shared online repositories (such as OpenSubtitles) where they are indexed and ranked.

By manipulating the website's ranking algorithm, we were able to guarantee our crafted malicious subtitles would be the ones downloaded by the video player, allowing us to take complete control over the entire subtitle supply chain - Look ma, no MITM or user interaction.

Do you like scary movies?

BIOGRAPHY

Omri Herscovici is a security researcher at Check Point Software Technologies. Omri is a developer and network security expert with extensive technical experience in software development, exploit and vulnerability research, and security architecture. In his past, Omri served seven years as an officer and R&D leader in an elite Israeli intelligence unit.


Omer has been a security researcher at Check Point Software Technologies LTD for the past year. Omer has a diverse security background which includes networking, web application pentesting and exploit research. Previously Omer served in an elite IDF intelligence unit as an IT specialist.


Gong Guang, Qihoo 360

TOPIC

Butterfly Effect and Program Mistake - Exploit an "Unexploitable" Chrome Bug

ABSTRACT

Does the flap of a butterfly’s wings in Brazil set off a tornado in Texas? I don’t know. But I do know a negligible tiny logical bug in the V8 engine can lead to remote code execution in Chrome. In PwnFest contest 2016, I exploited a logical mistake (CVE-2016-9651) in V8 to allow remote code execution. This logical mistake was very small and it appeared unexploitable at first glance. But by the combination of several unusual exploitation tricks, I got a stable exploit at last. The journey of exploiting this vulnerability tells me: Never give up easily on “unexploitable” bugs.

BIOGRAPHY

Guang Gong (@oldfresher) is a senior security researcher of the 360 Alpha Team. His research interests include Windows rootkits, virtualization and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android’s vulnerabilities. He has spoken at several security conferences such as Black Hat, CanSecWest, PHDays, SyScan360, MOSEC, PacSec. He is the winner of Pwn2Own 2015, Pwn0Rama 2016 (the category of mobile devices), and Pwn2Own 2016 (the target: Chrome).


Haifei Li, McAfee
Bing Sun, McAfee

TOPIC

Moniker Magic: Running Scripts Directly in Microsoft Office

ABSTRACT

In this presentation, we will be looking at a very interesting Office vulnerability that (should be) patched in April. It's a logical bug, it may be a feature, it does everything you want Office to do, and it all comes from one single magic string.

BIOGRAPHY

Haifei is a security researcher with McAfee who previously worked for Microsoft and Fortinet. His work includes real-world attack surface analysis, trying new ideas for "next-gen" vulnerability discovery and exploitation, as well as (zero-day) exploit detection. He mainly focuses on the Microsoft ecosystem; in recent years he did something on Office.


Bing Sun is a senior information security researcher, and leads the IPS security research team of McAfee. He has extensive experience in operating system kernel layer and information security R&D, with especially deep diving in advanced vulnerability exploitation and detection, rootkit detection, firmware security, and virtualization technology.


Li Kang, University of Georgia

TOPIC

Enhancing Symbolic Fuzzing with Learning

ABSTRACT

This talk presents our recent effort of using various learning efforts to improve symbolic execution’s navigation ability for vulnerability discovery. Our effort benefits from machine learning on multiple fronts, including seed input generation, and path scheduling during symbolic exploration. Our preliminary effort of identifying program phase behaviors on average helped our symbolic execution cover twice as much code as the popular symbolic engine does. This effort has discovered 21 previously unknown vulnerabilities (and resulted in 7 CVEs) in popular image parsing libraries in Linux, which have been well studied before.

BIOGRAPHY

Kang Li is a professor of Computer Science at the University of Georgia, and the director of Cyber Immunity Lab.


Matt Miller, Microsoft

TOPIC

Towards Mitigating Arbitrary Native Code Execution in Windows 10

ABSTRACT

Over the course of many years, Microsoft has made strategic investments into technologies like Data Execution Prevention (DEP), control flow integrity, and code integrity restrictions that help provide the foundation for protecting against arbitrary native code execution. In this presentation, we’ll frame the strategy we’ve been pursuing and dive into the technical details of multiple security features that are present in the 1703 update of Windows 10 and Microsoft Edge. Along the way, we’ll provide insights into the challenges we’ve faced with implementing disruptive mitigation technology for an operating system that is used by over a billion people. We will also highlight how Microsoft takes advantage of world-class offensive exploit developers to aid in the design, development, and validation of these technologies. Finally, we’ll provide some examples of how the mitigations present in Windows 10 are continuously evolving and improving.

BIOGRAPHY

Matt Miller is a security engineer working for the Microsoft Security Response Center (MSRC) where he focuses on studying trends and driving improvements into Microsoft's products that help eliminate vulnerabilities and make it more difficult to exploit them.


Joe FitzPatrick, SecuringHardware.com

TOPIC

Nation-State Capabilities, Lone Wolf Budget

ABSTRACT

We all know that every action we take with digital devices leaves a footprint. Sometimes this is in the form of logged network traffic with identifiable information or characteristics. Sometimes, it’s wireless transmissions. Sometimes it’s even just RF noise. Some respond to this with extreme paranoia, avoiding ‘smart’ devices and never doing anything online without 7 proxies. The rest of us judge the likelihood and impact of being surveilled by a nation-state against usability and convenience.

Low cost hardware, amazingly capable microcontrollers, and high capacity batteries dramatically reduce the cost and increase the ease of this kind of surveillance. I’ll present hardware and techniques that make it possible to log when vehicles visit a specific location via TPMS for under $50, collect bulk data on vehicles’ and pedestrians’ routes through a small city for under $1000, and propose methods to thumbprint even ‘radio-silent’ people within a certain range.

As a takeaway, you might be a little better equipped to consider whether you should don a tin foil hat, give up opsec as a lost cause, or something in between.

BIOGRAPHY

Joe (@securelyfitz) is an Instructor and Researcher at https://SecuringHardware.com. Joe spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training for security researchers, pen testers and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects.


Oleksandr Bazhaniuk, Intel
Yuriy Bulygin, Intel

TOPIC

Exploring Your System Deeper is Not Naughty

ABSTRACT

You wanted to explore deep corners of your system but didn’t know how? System boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors. You could discover if any of these have known vulnerabilities or are configured insecurely, or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify the security state of platform components of your system and how effective the platform security defenses are: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation... Or maybe you just want to explore the hardware and firmware components your system has.

The CHIPSEC framework can help you with all of that. Since releasing it three years ago at CanSecWest 2014, significant improvements have been made in the framework - from making it easy to install and use to adding lots of new security capabilities. We’ll go over certain representative examples of what you can do with it such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of the hypervisors, finding backdoors in UEFI images and more.

BIOGRAPHY

Oleksandr Bazhaniuk is a security researcher in the Advanced Threat Research team at Intel, Inc. His primary interests are low-level hardware security, BIOS/UEFI security, and automation of binary vulnerability analysis. His work has been presented at many conferences, including Black Hat USA, Hack In The Box, Hackito Ergo Sum, Positive Hack Days, Toorcon, CanSecWest, Troopers, USENIX. He is also a co-founder of DCUA, the first DefCon group in Ukraine.


Yuriy Bulygin (@c7zero) is the lead for Advanced Threat Research team at Intel Security (http://www.intelsecurity.com/atr). Previously, Yuriy led microprocessor vulnerability analysis team at Intel. Yuriy is the author of open source CHIPSEC framework for platform security assessment (https://github.com/chipsec/chipsec).


Team Pangu, Pangu

TOPIC

A Story of Exploiting macOS Sierra Kernel

ABSTRACT

Teaming up with Lokihardt, we successfully exploited fully patched Apple Safari on macOS Sierra and got root privilege at PWNFEST 2016. After gaining arbitrary code execution in a strictly sandboxed Safari Web Process, we first exploited an uninitialized kernel heap issue to bypass KASLR, and then exploited an uninitialized kernel stack issue to gain arbitrary code execution in the kernel. In this talk, we will uncover such kernel vulnerabilities, and discuss the whole kernel exploitation chain in detail.

BIOGRAPHY

Team Pangu consists of several senior security researchers and focuses on mobile security research. Team Pangu is known for the multiple releases of jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu actively shares knowledge with the community and presents the latest research at well known security conferences including BlackHat, CanSecWest, POC, and Ruxcon.


Alex Ionescu, Winsider Seminars & Solutions

TOPIC

Helium, Argon & Xenon: The Noble Gases of Windows Containers

ABSTRACT

Windows 10 comes with support for a very interesting technology that Microsoft has barely talked about: Containerization, through native support of Docker for Windows. Anniversary Update extended this capability even further, and Creators Update adds yet another layer for Game Mode and Desktop Bridge applications. In this talk, we'll describe the internals of the Windows "Silo" Object, and dive into Application Silos (Helium) and Server Silos (Argon), while also briefly describing the Hyper-V Container support (Xenon). We'll look at what real security boundaries Silos really offer, and showcase a few ways that the Container boundary can be broken. We'll also talk about interesting ways that Containers can mess with security software on the machine, due to the various virtualization and mirroring technologies applied on the file system, registry, network stack, and object manager. Finally, we'll end with a demo of a live Argon Container-to-Host bypass.

BIOGRAPHY

Alex Ionescu is the Vice President of EDR Strategy at CrowdStrike, Inc. Alex is a world-class security architect and consultant expert in low-level system software, and the founder of Winsider Seminars & Solutions Inc.


Fermin J. Serna, Google

TOPIC

Glibc vulnerability CVE-2015-7547 and Google

ABSTRACT

During this talk Fermin will explain technical details about the Glibc vulnerability (CVE-2015-7547) that affected half of the internet (the Linux one) in a remote unauthenticated way. High level concepts around DNS, different scenarios leading to exploit details bypassing stack cookies, ASLR, ...

BIOGRAPHY

Fermin J. Serna is a Computer Science Engineer graduated at the UCM, and currently works for Google leading the Information Security Engineering TPS team responsible for fuzzing, mitigations, API hardening, sandboxing and third party policy. Previously he has worked for Microsoft at the MSRC Engineering team. Fermin has lots of things that attract his attention, mainly security ones such as exploitation techniques, fuzzing, binary static analysis, reverse engineering, coding... but also Artificial Intelligence, chess... Fermin has found and published multiple security vulnerabilities on software developed by Microsoft, Google, Adobe, Oracle, ... Fermin is also a regular speaker at security conferences such as BlackHat, Syscan, Bluehat, H2HC, Rootecon, DeepSec, Source, Summercon, ... More information at: http://zhodiac.hispahack.com


Wei Wang, Qihoo 360

TOPIC

Exploit iOS 9.x Userland with LLDB JIT

ABSTRACT

In this presentation I will talk about an iOS 9.x userland security bug which I found in 2016. Using this bug, we can gain userland code execution and escape from the sandbox. I also use this bug to bypass iOS userland restrictions in my private jailbreak.

1. iOS Security Overview

2. How I found the bug

3. How to gain code execution

4. How to escape from sandbox - 1st Try

5. How to escape from sandbox - 2nd Try

6. Exploit with LLDB JIT

BIOGRAPHY

Wei Wang is a senior security researcher of Qihoo 360 Nirvan Team. He is focusing on the security of Apple’s products, including the OS, developer toolchain, and fundamental frameworks, and has found many vulnerabilities. He also has 6+ years of experience in software development and software architecture, so he is also good at developing security tools. Twitter: @ProteasWang


Hao Chen, Qihoo 360

TOPIC

The wounded Android WIFI driver - New attack surface in cfg80211

ABSTRACT

In the Android security bulletins of the past several months, many vendor related vulnerabilities were found. But most vulnerabilities are found in the ioctl interface of the character device registered in the vendor driver. In the Linux kernel based system, ioctl is a universal method to transfer data between kernel and userspace. So, the ioctl interface has been the focus of the root fans. But in fact, there are some other ways to connect the kernel and userspace. For example, the netlink socket. The netlink socket family is a Linux kernel interface used for inter-process communication (IPC) between both the kernel and userspace processes, and between different userspace processes, in a way similar to the Unix domain sockets.

BIOGRAPHY

Hao Chen is a security researcher of 360 Alpha Team. He had much experience in Linux kernel development. He is now mainly focused on vulnerability discovery and kernel exploitation in Android. He has found more than 30 CVEs in Android frameworks and kernel.


Qiang Li, Qihoo 360
Zhibin Hu, Qihoo 360

TOPIC

Perf Vs Security: The Virtio Security in Qemu

ABSTRACT

QEMU is a fundamental part of modern open source virtualization solutions, especially in KVM and Xen.

As a complete virtualization solution, QEMU should emulate the processor, memory and peripheral devices.

In order to improve the performance of the virtual machine, the virtio architecture has been proposed.

For now, nearly all cloud platforms use the virtio device by default.

But as history has always demonstrated, you can't get high performance and high security at the same time.

In this presentation, I will talk about the security of virtio. It will include the details of the virtio architecture and why it improves performance. I will also discuss the attack surface of virtio with the full data flow/resource management and then the weak links in the data flow chain, including the logical and implementation vulns. As we found a lot of virtio-related vulnerabilities, we will also show a lot of cases, with one or two in full detail on writing a PoC for virtio vulns.

BIOGRAPHY

Qiang Li is a security researcher of Gear Team at Qihoo 360, mainly focusing on vulnerability discovery and vulnerability analysis. He has been a low level system programmer for several years both on Windows and Linux. He is currently working on cloud and virtualization security and discovered 70+ vulnerabilities in the last year. His talk has been accepted by CanSecWest 2017 (but he did not attend because of a visa issue). He has given talks at Ruxcon 2016 (Melbourne, AUS) and ISC 2016 (Beijing, China).


ZhiBin Hu is a security researcher of Gear Team at Qihoo 360. In the last several years he mainly focused on vulnerability discovery and analysis on Windows, and received MSRC top 19 in 2015. In the recent two years he has been interested in cloud security. He has given talks at both CanSecWest 2017 and Ruxcon 2016 (Melbourne, AUS).


Lei Shi, Qihoo 360
Mei Wang, Qihoo 360

TOPIC

Let Math be The Beacon of Your Vulnerability Discovery

ABSTRACT

This talk will discuss a system that uses math to assist vulnerability mining of binary programs. There are many methods to help security researchers find vulnerabilities in software, but whether fuzzing or code audit, it is very difficult to find an effective test path. The presented system uses several defined engines to search different suspicious paths and then uses algebraic methods to decide whether the suspicious paths should be manually confirmed or rerouted to fuzzing next. Compared with similar existing technologies, our system introduces the algebraic calculation method and improves the performance of fuzzing. On the other hand, it is very easy to extend; artificial intelligence will be included as engines in future work.

BIOGRAPHY

Lei Shi is a security researcher of the Gear Team of Qihoo 360 Inc., mainly focusing on cryptography security and vulnerability discovery. He has discovered 100+ bugs and gained 9 CVEs on OpenSSL in the last year. He is obsessed with math and computer security, and currently is working on kernel security and development of vulnerability discovery tools.


Mei Wang is a security researcher of the Gear Team of Qihoo 360 Inc., mainly focusing on vulnerability discovery and fuzz technology. In the last year, she already gained 10+ CVEs from Firefox, Safari, Solr, Libtiff. She has given a talk at CanSecWest 2017. She is currently working on browser security and fuzz tools development using math and machine learning.


Mathias Payer, Purdue University

TOPIC

Protecting bare-metal smart devices with EPOXY

ABSTRACT

Embedded systems are ubiquitous in every aspect of modern life. As the Internet of Things expands, our dependence on these systems increases. Many of these interconnected systems are and will be low cost bare-metal systems, i.e., executing without an operating system due to mobility, power, and performance considerations. Bare-metal systems rarely employ any security protection mechanisms and their development assumptions (unrestricted access to all memory and instructions), and constraints (hardware features, runtime, energy, and memory) make applying protections challenging.

To address these challenges we present EPOXY, an LLVM-based embedded compiler and runtime system. We apply a novel technique, called privilege overlaying, wherein operations requiring privileged execution are identified and only these operations execute in privileged mode. This provides the foundation on which code-integrity, adapted control-flow hijacking defenses, and protections for sensitive IO are applied. We also design fine-grained randomization schemes that work within the constraints of bare-metal systems to provide further protection against control-flow and data corruption attacks.

These defenses prevent code injection attacks and ROP attacks from scaling across large sets of devices. We evaluate the performance of our combined defense mechanisms for a suite of 75 benchmarks and 3 real-world IoT applications. Our results for the application case studies show that EPOXY has, on average, a 1.8% increase in execution time and a 0.5% increase in energy usage.

BIOGRAPHY

Mathias Payer is a security researcher and an assistant professor in computer science at Purdue University, leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption. He is interested in system security, binary exploitation, user-space software-based fault isolation, binary translation/recompilation, and (application) virtualization. Before joining Purdue in 2014 he spent two years as PostDoc in Dawn Song's BitBlaze group at UC Berkeley. He graduated from ETH Zurich with a Dr. sc. ETH in 2012, focusing on low-level binary translation and security. He analyzed different exploit techniques and wondered how we can enforce integrity for a subset of data (e.g., code pointers). All prototype implementations are open-source. In 2014, he founded the b01lers Purdue CTF team.