Hunting Windows Desktop Window Manager bugs for Privilege Escalation
In the past few years, Windows win32k privilege escalation vulnerabilities have emerged in an endless stream. Researchers discovered new attack surfaces such as win32k Callback, DirectX, DirectComposition, etc. Even so, it's still difficult to discover new vulnerabilities inside win32k attack surface. Are there still other attack surfaces inside the windows graphics component?
[KEYNOTE]: The People vs. The Tools: Why Can't We All Just Get Along?
A plethora of shiny new tools and techniques for solving complex problems are making headlines today with mixed reactions from the crowd. Popular news regularly mentions AI, blockchain, metaverse, and other terms that were previously jargon – intended for use by professionals! Everyone has an opinion on the integration of these tools into our world. How do we determine who/what can be trusted to do what? This presentation will discuss some of the issues facing the roll-out of new tools and approaches in our rapidly evolving digital landscape with a focus on reverse engineering and data science.
Proactive Application Hardening with SCA Runtime Protection
In this talk, we explain how Runtime Protection works technically and then will show a live demo with an actual application being owned by Metasploit initially via an Apache Struts CVE, followed by the same attack thwarted by Runtime Protection after blocking the vulnerable method from being executed.
Synthetic Memory Protections - Beyond R, W, and X
The attack method described in "Smash the Stack For Fun and Profit" (1996) depended upon the stack being executable. Within a few years, most processors came with MMU capabilities allowing the stack to be marked non-executable. This capability was extended to apply to all memory and named the W^X policy. Attackers then switched to ROP methods instead, which utilize the stack to point at fragments of code ("gadgets") which must remain executable. In response, Address Space Randomization to hide the location of the gadgets became commonplace over the next decade. Sadly, other software bugs can produce info-leaks which reveal the gadget locations, so the principle of "Never Reuse An Address Space" was introduced (meaning, always fork+execve), but adoption is still slowgoing. A variety of Control-Flow-Integrity mechanisms (such as RETGUARD) were also invented to reduce primary "function-tail" gadgets, but X86-style polymorphic gadgets remain a problem. OpenBSD was first to market with each of these responses. This talk will summarize the situation briefly, and then describe new mechanisms being explored in OpenBSD to make ROP exploitation more difficult.
[KEYNOTE]: Commercial Warfare
This presentation covers the usage of commercial products and open source platforms in war, with a comparison between military grade equipment, commercial products and what can be made at home.
Sandboxing ClamAV
ClamAV is a popular open-source antivirus scanner with a daily updated signature set from Cisco's Talos team. It is very easy to integrate the ClamAV library into your application for customized scanning - but this adds a piece of code that parses malicious data from unknown sources, a huge increase in attack surface.
We set out to explore if we could do better - by moving the scanner into a separate, sandboxed process. Our goal was:
To make the sandboxing completely transparent, maintaining the current library interface
Sandbox on all major platforms, that is Windows, Linux, MacOS, and FreeBSD
Restrict the sandboxed process further regarding FS access, network access, ...
Develop in Rust, a much safer programming language than C
In this presentation we'll tell you how we achieved all of this - giving you the pain points in the migration, the performance impact and an attack-surface assessment pre- and post-sandboxing. We hope that our experience will serve as a blueprint for migrating your own library handling potentially malicious data to a sandbox with very little effort and minimal performance impact.
Evolution of Stealth Packet Filter Rootkits
Last year, we saw several headlines about newly discovered "nearly impossible to detect" nation state network backdoors. Meanwhile in the past year leaked network backdoors from CIA and NSA have been analyzed and documented for the first time and are using the same techniques employing packet filters for stealthy beaconing. This talk will analyze nation state beaconing tactics and discuss how network filters work, including a deep dive in to Linux networking and the many layers of the Linux kernel where packet monitoring and manipulation can occur. Finally we will look forward into the future of network filter backdoors and how they will work using Linux eBPF. We will discuss low level network hooks available to eBPF and demonstrate a modern implementation of nation state beaconing tactics using eBPF including a cross platform implementation that works on both Linux and Windows.
S3W: Snort 3.0 comes to Windows
In this research we want to show how our Endpoint Detection and Response (EDR) system can be augmented by connecting inbound and outbound network flow information with application behavior. To this end, we have ported a state-of-the-art HIPS, Snort 3, to the Windows platform.
While Snort 3 on Windows already meets Snort 2.X achievements on Windows platforms this research will show our efforts toward Snort 3.0 in Active mode / IPS, a complete novelty for Snort on Windows since also Snort 2.X does not support active mode in Windows.
xIoT Hacking Demonstrations & Strategies to Disappoint Bad Actors
We’ve unleashed our dark allies from the nightmare dimension on an unholy crusade to demonstrate cyberattacks for your enlightenment. If you love seeing devices compromised as much as we do, join us for some hacking demonstrations, detailed security research findings, and threat mitigation techniques that will disappoint bad actors. Share your new knowledge around the water cooler, apply these preventative security strategies within your own organization, and become the cool person at the office party everyone wants to hang out with regardless of that cat sweater you insist on wearing.
Two bugs with one PoC: Rooting Pixel 6 from Android 12 to Android 13
In this talk, I will first review an old and public vulnerability exploited in the wild, and detail how to create the PoC step by step. Even without Variable Analysis, you can find another similar issue and create a new PoC in less than 1 minute. And the same PoC implicitly triggers another Use-After-Free vulnerability without the kernel panic. Before diving into how to exploit those two bugs, I will briefly discuss the changes and challenges for rooting Android 12/13 devices. Then, I will respectively detail how to exploit those two vulnerabilities, bypass the general mitigations(KASLR, UAO, PAN, etc), and root Pixel 6 from Android 12 to Android 13 with a 100% success rate.
Kubernetes Bakery Attacks : Stealing Cloud Roles
You’ve seen Kubernetes cluster hacks, but the Kubernetes defenses are getting stronger. Breaking your way to full cluster admin isn’t nearly as easy as it used to be… But, it’s still possible on a ton of clusters, particularly when the defenses don’t work the way it seems they’re supposed to work.
In this demo-dominated talk, we’ll demonstrate how a single node compromise on a cloud provider could lead to entire cluster compromise, working through an escalating option of defenses. In the course of the talk, we’ll demonstrate a previously-unknown weakness in one cloud-related defense, as well as weaknesses that are known, but not widely-understood. In each case, we’ll show or discuss what you can do to make your cluster safer.
Hacking around with COSPAS-SARSAT 406MHz, Aerospace Hacks, and their Growing Importance.
In this talk, I will mainly introduce COSPAS-SARSAT 406MHz system that is used in quasi-global Search-And-Rescure (SAR) operations supported by Satellite-Aided-Tracking (SAT) - to the best of our knowledge this is the first-ever publicly-known work/demo on hacking and exploiting COSPAS-SARSAT 406MHz.
The Attack you Dreamed of with Simulation
This presentation focuses on reconstructing the attack footprint, network traffic and log data to verify security without interacting with any vendor's device. We are launching to the CanSecWest community as the public is highly technical and expectations are really high. We will go over the technical details: creating the BAS (Breach and Attack Simulation) programming language to accurately describe attacks, translating it into data and verifying it from the SIEM.
Purple Clouds: PowerZure
Presenting a purple teaming analysis of PowerZure, an open source offensive security tool that targets Microsoft Azure. Come learn how to use it for offensive research, or how to detect many of it's modules in Azure's telemetry (complete with Sigma detection rules where applicable). The talk is based on my independent research into how to detect the tool from a defensive perspective, but will also include a demo of offensive functionality.
An Insider's Perspective on Integer Overflow Vulnerabilities
Challenges and Solutions from Identification to Mitigation at Microsoft
This talk will delve deep into one of the most prevalent memory safety issues on Windows: Integer Overflows. Over the past few years, MSRC has seen hundreds of Integer Overflow vulnerabilities, ranging from size overflows, integer truncations, overflows in checks, and reference counting overflows. We will cover the differences between these categories and investigate common pitfalls about the vulnerability root causes and their fixes.
AMI : Take a picture of your app code using the new Android MRI Interpreter
Magnetic Resonance Imaging (MRI), a medical device, allows tomographic imaging of human organs and measurement of blood flow. Using these features, modern doctors can easily detect diseases without having to perform open surgery as in the past. If it were possible to perform tomography on the app's code through a simple procedure, such as taking a picture like an MRI without invasion the app's process, and trace the flow of data used within the code, it would be an effective way to find vulnerabilities. Therefore, this paper proposes a new OS (interpreter, runtime, kernel) that performs MRI functions based on Android 12. On this new Interpreter, the Android app takes a picture of the dalvik instruction and register value at runtime when the target (data or function) is used, generating a Control Flow Graph (CFG) that traces the target's forward and backward execution, providing an effective environment for analyzing the app and finding vulnerabilities. Furthermore, I will explain the vulnerabilities discovered in mobile apps using the developed OS.