Alex Ionescu

aionescu
Winsider Solutions & Seminars Inc.

TOPIC
Ring 0 to Ring -1 Exploitation with Hyper-V IPC (Inter-Partition Communications)

ABSTRACT
2015 will finally be the year of virtualization on the desktop. With Intel's Haswell processor now supporting nested/shadow VMCS, virtualized operating systems can run inside of other virtual stacks, and soon, you'll be able to run a Windows with Hyper-V inside a VirtualBox VM inside of a Linux container inside of AWS (VMWare already supported this – but using software emulation).

Fully aware of the impact of virtualization, Microsoft first introduced Client Hyper-V in Windows 8.1, opening up the hypervisor to all customers. And in Windows 10, a number of new technologies, such as DrawBridge/Pico/Docker and Virtual Secure Machine (VSM)/Secured Processes will be announced and exposed to developers.

With Hyper-V already powering Azure, and poised to take an increasing presence in the very core of the Windows kernel (perhaps running in fully-virtualized mode at all times in a future version), does anyone really understand how Hyper-V works and what its security boundaries are?

By piecing together various pieces of information from the Web, forums, lost header files, and research projects, plus heavy reverse engineering, this talk will introduce attendees to a quick overview of Hyper-V internals (especially from the security angle), and focus on how inter-partition security boundaries are implemented, and what holes exist to permit IPC between guest(s) and host.

We'll end the talk with a live demonstration of a Hyper-V exploit that leverages the IPC mechanisms to attack a Windows 7 partition from a Windows 8.1 partition.

BIO
Alex Ionescu is the founder of Winsider Seminars & Solutions Inc., specializing in low-level system software for administrators and developers as well as reverse engineering and security trainings for various organizations and is a coauthor of the Windows Internals series.

From 2003-2007, Alex was the lead kernel developer for ReactOS, an open source clone of Windows XP/Server 2003 written from scratch, for which he wrote most of the Windows NT–based kernel. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, firmware, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Returning to his Windows security roots, Alex is now Chief Architect at CrowdStrike, a security startup focused on nation-state adversaries and other highly sophisticated actors.

Alex continues to be very active in the security research community, discovering and reporting several vulnerabilities related to the Windows kernel and presenting talks at conferences such as Blackhat, Breakpoint, SyScan, and Recon. His work has led to the fixing of many critical kernel vulnerabilities, as well as to over a few dozen non-security bugs.


David Jorm


IIX

TOPIC
Finding and exploiting novel flaws in Java software

ABSTRACT
This presentation will introduce a range of poorly-known and novel attack vectors in Java applications.

* Authentication bypasses
* Path traversal
* SSL issues
* Parameter entity XXE
* CLI parameter injection, including OpenSSL parameter injection in an Apache project
* RCE: XML deserialization
* RCE: binary deserialization
* RCE: XSL extensions
* RCE: EL interpolation
* RCE: Unpublished binary<->XML mapping vector

For each vector the issue will be discussed in general, along with a concrete example found by the author, and an explanation of how it was found and how it can be exploited.

BIO
David has been involved in the security industry for the last 15 years. During this time he has found high-impact and novel flaws in dozens of major Java components. He has worked for Red Hat's security team, led a Chinese startup that failed miserably, wrote the core aviation meteorology system for the southern hemisphere, and has been quoted in a major newspaper as saying North Korea's nuclear program is "ready to rock".


Dmitry Kurbatov


ptsecurity.com

TOPIC
Attacks on telecom operators and mobile subscribers using SS7: from DoS to call interception.

ABSTRACT
Lately, phone communication records can be found on the Internet and even heard on TV. It is obvious that such records were obtained without the knowledge of the subscribers. We will consider the range of possibilities of an intruder who has accessed the holy of holies of telecom companies — SS7. The talk will address attacks aimed at: disclosure of a subscriber’s sensitive data including his or her location, changing enabled services, call forwarding, and unauthorized intrusion into a voice communication channel. Information about the signaling messages which can help to perform these attacks is open for public access. The research also covers types of proactive protection against such attacks and methods of investigating incidents related to vulnerabilities in a signaling network.

BIO
Dmitry Kurbatov graduated from Moscow State Institute of Radio Engineering, Electronics and Automation with a degree in Information Security of Telecommunication Systems. He has 7 years of experience in information security of corporate networks, business applications, and telecommunication equipment. An expert at the Positive Research Center, he participated in organizing all Positive Hack Days forums. Dmitry has published many articles on information security.


Fabien Duchene

@fabien_duchene

TOPIC
Fuzz in Black-Box like a Merlion!

ABSTRACT
Fuzzing is an active testing technique which consists of automatically generating and sending malicious inputs to an application in order to hopefully trigger a vulnerability. Fuzzing entails such questions as: Where to fuzz? Which parameter to fuzz? What kind of anomaly to introduce? Where to observe its effects?

Different test contexts exist depending on the degree of knowledge assumed about the target: recompiling the application (white-box), interacting only at the target interface (black-box), or dynamically instrumenting a binary (grey-box).

In this paper, we focus on the black-box test context, and specifically address the questions: How to obtain a notion of coverage on unstructured inputs? How to capture human testers' intuitions and use them for the fuzzing? How to keep driving the search in various directions?

We specifically address the problems of detecting memory corruption in PDF interpreters and Cross Site Scripting (XSS) in web applications. We detail our approaches, which use genetic algorithms, inference and anti-random testing. We empirically evaluate our implementations of the XSS fuzzer KameleonFuzz and the PDF fuzzer ShiftMonkey.

BIO
Dr.-Ing. Fabien Duchene is a fuzzing researcher.

His current research focuses on combining artificial intelligence and evolutionary fuzzing techniques to improve the state-of-the-art of vulnerability detection in black-box and grey-box test contexts on mobile devices.

He previously discovered vulnerabilities in widely used software: media players, Evernote, SFR Box, Elgg, Mega.co.nz, VPN and Seebox providers...

He worked at LIG Lab, Microsoft and Sogeti-ESEC. He holds a PhD from IMAG LIG Lab and an MSc from the "Grande Ecole" Grenoble INP Ensimag, France, where he created the GreHack hardcore security conference and the SecurIMAG CTF team, and has been lecturing basics in fuzzing, memory corruption exploit writing, pen-testing, web security, and network security. He is an alumnus of the University of Queensland, Australia and Universidad Politecnica de Madrid, Spain.


Greg Jones

Mr Jones
Digital Assurance

TOPIC
Fear & Loathing in the Dark Net

ABSTRACT
The talk will discuss:

- current Dark Net technologies
- intelligence gleaned from our research on the Dark Net over the last couple of years (which will include some of the big hacks that have occurred) - we run a fair bit of DN infrastructure and maintain many human sources which gives us good insight
- attacks and vulnerabilities in dark net systems
- hardening and deploying secure dark net systems
- deploying the dark net in your enterprise...
- the future of dark nets

BIO
I started penetration testing in 1997 following a career in development and system administration. Since '97 I have undertaken many hundreds of penetration tests and security assessments of all manner of organisations, systems, applications, devices and everything in between.

I developed some reasonably popular hacking tools back in '99 (Brutus - The password cracker, Mingsweeper - A network recon tool) but generally like to keep myself to myself.


Ian Beer


Google

TOPIC
got root? Compromising OS X

ABSTRACT
You’ve popped a renderer on OS X. Now what? I’ve spent a good chunk of the past six months finding out.

The sandbox escape and local privilege escalation attack surface on OS X has provided an interesting mix of old school bugs (kernel NULL pointer dereferences are dead you say?) and more novel bug classes like type-confusions in objective-c.

This talk aims to explain to the audience the fundamentals of the OS X security model, what makes it unique and then to dive into as many varied VR and exploitation examples of real bugs as I can fit into the timeslot.

BIO
I do vulnerability research and binary exploitation. Previously on the Chrome security team, I’m now part of Project Zero at Google and based in Zurich, Switzerland.

Speaker experience:

“How to Win Pwnium” at PacSec 2013
https://pacsec.jp/psj13/psj2013-day2_Beer_PacSec-Final-English.pdf


Jacob Torrey

@JacobTorrey
Assured Information Security, Inc.

TOPIC
HARES: Hardened Anti-Reverse Engineering System

ABSTRACT
I propose presenting my work: Hardened Anti-Reverse Engineering System (HARES), a prototype anti-reverse engineering technique providing a method to seamlessly execute AES-encrypted applications with neither the key nor any decrypted instructions residing in accessible memory (even to a compromised kernel) on an unmodified x86 computer. My work shows that the combination of a thin hypervisor implementing Intel's AES-NI instructions in a TRESOR-like configuration and TLB-splitting on Nehalem and newer CPUs can be used to transparently (without hardware modification) decrypt and execute a fully-encrypted (AES-128) application without leaking sensitive instruction information to readable memory (keys will never be in memory, and are thus additionally protected against cold-RAM attacks). Doing so will prevent any of the application's code from being accessible to software memory acquisition tools, cold-boot RAM attacks or debuggers (in-circuit emulators (ICE) and memory-bus snoopers excepted). The decrypted instructions are stored in "execute-only" memory, ensuring that any attempts to access them, even by a compromised kernel, are prevented by hardware. An advantage of the HARES system is that, due to the use of TLB-splitting, existing applications can be seamlessly encrypted without access to source code or requiring a re-compile. Our tests with a prototype system built in-house demonstrate successful execution of Windows 7 32-bit PE files (.exe) with an approximate performance hit of ~2% on our synthetic test-suite applications.

HARES provides a significant improvement in preventing the theft of algorithm IP by fully-encrypting the code sections of a binary. This proves a much harder technique to bypass than even the most sophisticated code-obfuscation and reordering techniques. An additional advantage of the HARES solution is that, since TLB-splitting creates a Harvard architecture on a per-process basis, code-injection attacks are thwarted, as is mining an encrypted binary for ROP gadgets. The current prototype only supports user-space Windows 7 applications; however, future versions are envisioned to support kernel-mode drivers as well.

BIO
Jacob Torrey is a Senior Research Engineer at Assured Information Security, Inc. where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS, hypervisor and SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of the architecture.


James Forshaw

tyranid
Google

TOPIC
A Link to the Past: Abusing Symbolic Links on Windows

ABSTRACT
The dangers of symbolic links are well known on Unix-like operating systems. Through their misuse a privileged process can be tricked into writing files to a location under the attacker's control, leading to privilege escalation or disclosing sensitive information. On Windows there is comparatively little research into these sorts of vulnerabilities, even though Windows NT has supported symbolic links in various forms since its inception with version 3.1. To make matters worse, the functionality is poorly documented, making mitigation very difficult for Windows developers in both user and kernel mode applications.

This presentation will describe the potential for abusing the various types of symbolic links on the Windows operating system to break out of application sandboxes, gain administrator privileges or disclose sensitive information. Examples of vulnerabilities will be presented to demonstrate some of the attacks, and to allow attendees to better identify other similar issues within Windows and third party applications. It will also describe a few novel techniques for winning TOCTOU races and implementing filename level symbolic links without requiring administrator privileges on current versions of Windows.

BIO
James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he has numerous disclosures in a wide range of products from web browsers to virtual machine breakouts as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.


Jean-Philippe Aumasson

veorq
Kudelski Security

TOPIC
Cryptographic backdooring

ABSTRACT
This talk is about cryptographic backdoors, which despite all the discussions that followed Snowden's publications remain misunderstood. In particular, I'll try to convey the message that, like in many cases, reality is complicated and things aren't necessarily either "good" or "bad". I expect some ideas to be a bit provocative.

BIO
Jean-Philippe (JP) Aumasson is Principal Cryptographer at Kudelski Security, in Switzerland. He is known for designing the cryptographic functions BLAKE, BLAKE2, SipHash, and NORX. He has spoken at conferences such as Black Hat and CCC, and initiated the Crypto Coding Standard and the Password Hashing Competition projects. He is a member of the technical advisory board of the Open Crypto Audit Project. JP tweets as @veorq.


Laura Bell

@lady_nerd
SafeStack

TOPIC
Caring Less - De-humanizing Human Vulnerability Assessment

ABSTRACT
We are, on the whole, wired to be nice people. I have a real problem with this and so should you.

When we attack computer systems we remain objective. It is after all just mechanical systems and failures requiring logical solutions. When people are attacked however, the psychological dance of fear, compassion and vulnerability that follows often makes the situation worse.

This emotion makes us weak. It makes us targets and it prevents us from building defenses.

In fact most organisations feel so uncomfortable with human security that they don’t test it at all - hiding behind horrific security awareness e-learning modules and blind hope.

What if we could continuously monitor and test our human security risk? What if we could bring human security closer to technical and systems security?

It’s time for you to meet AVA, a brand new prototype human network vulnerability assessment tool.

AVA is designed to be a new way of continuously visualising and vulnerability assessing networks of connected people. By exposing these networks to risk, AVA is able to identify the human vulnerability points in these environments and assess the likely human consequence of attack.

But what is the cost of this dehumanisation? Should we be assessing human risk in a mechanical way? Is this progress or the slippery slope to a dystopian nightmare? Are we ready to harden up and remove emotion from the equation?

I hope so. The offensive world has been playing this game for years and we have a lot of catching up to do.

BIO
Part penetration tester, part software developer, part security consultant, Laura (@lady_nerd) is the founder of SafeStack.io, a specialist agile information security firm.

She specialises in calling b/s on complicated archaic security processes, making vendors squirm during sales pitches and researching the murky world of human-centric security.

She lives in Auckland, New Zealand.


Luke Jennings


MWR InfoSecurity

TOPIC
How to own any windows network via group policy hijacking attacks

ABSTRACT
Group Policy is a key central management technology component of Microsoft Windows domain-based networks. Its power, flexibility, scalability and ease-of-use are probably among the key reasons that Microsoft Windows has maintained complete dominance in the business desktop market in spite of significant competition in the consumer market from Apple and Google. However, with great power comes great responsibility (Could. Not. Resist.)

This talk will demonstrate how an attacker with the ability to intercept network traffic can gain SYSTEM level code execution on any domain member within a Windows domain in default configuration up to and including Windows 8.1/2012R2. Additionally, two specific vulnerabilities will be described that allow this attack to work even when using more secure configuration options, such as those available via Microsoft Security Compliance Manager.

BIO
Luke is a security consultant at MWR InfoSecurity with a focus on penetration testing and network forensics. He has presented at various security conferences in the past on topics including Windows access token abuse (incognito), hacking enterprise deployment software and hacking supercomputers. His current areas of interest are anything affecting the security of Active Directory-based Windows networks and finding ways to apply traditional forensics techniques at an enterprise scale.


Marion Marschalek

pinkflawd
Cyphort Inc.

TOPIC
Shooting Elephants

ABSTRACT
As a malware reverse engineer one writes the fanciest software documentations. A former malware author once told me I write the papers his customers would have liked to see from him. At the same time, when seeing another report on the next big advanced super threat, my inner self kicks back and puts on half-moon specs. She sees the alleged malware authors laugh out loud about the missed details in the documentation they never wrote, their clients getting down to the books as their purchase loses massive value, and - the funniest part - the threat detection industry, frankly speaking, go wild.

Threat intelligence is a fresh business, and a rather hopeless one, if it were not for the marketing. Threats nowadays have logos, some even have animal names. Showing off strength it is, what a recently discovered APT (means Advanced Persistent Threat, they say) does on blogs and papers. But not only there, and not only for the marketing, these kinds of advanced threats are precious treasures. Knowing about a threat someone else cannot identify is worth money, and a lot of it one might think when looking at the booming industry.

Finding malware is hard enough though, thus holding back information makes life a little more risky than it should be. Free after Bruce Schneier, malware full disclosure is the new pink; so I'll be shooting elephants at threat intel industry, to see if subsequently a crouching monkey comes out of the woods.

BIO
Marion is a malware reverse engineer. Some say she also does marketing, but at the time of writing she could not be reached to further comment on that. At daytime she hunts malware for Cyphort Inc., at nighttime she hunts ghosts. Two years ago Marion won Halvar Flake's reverse engineering challenge for females; since then she has set out to rock and roll the industry. She practices martial arts and has a vivid passion to take things apart. Preferably, other people's things.


Mohamed Saher

halsten
NSS Labs

TOPIC
Releasing the Kraken "Like a Boss"

ABSTRACT
In this presentation I will talk about escaping from a completely isolated VMWare guest machine to the host (Fusion/Workstation) detailing some information to an extent for proper handling of the issue. The talk shall include a demo for different scenarios and explanation of the process of finding the bug, without giving away the bug details for the criticality of the bug.

BIO
A security researcher specializing in reverse engineering, Windows internals and mathematics. My work and research spans numerous areas, including native software protection, copy protection technologies, compilers, virtualization and malware. In my spare time I enjoy contributing to various reverse engineering forums, solving crackmes and math problems. You can find me in OpenRCE, Project Euler, woodman, RCE and so forth. Also known for breaking KONAMI's Gaming Protocol, which subsequently opened the door for others to use it as a foundation for other games as well.


Pedro Vilaça

fG!

TOPIC
BadXNU, a rotten apple!

ABSTRACT
Your latest OS X 0day exploit got you root and now what? Apple (finally) introduced mandatory code signing for kernel extensions in Yosemite, so there's a new obstacle to your beautiful kernel rootkit. Are you an OPSEC ninja or too cheap to pay $99 for a code signing certificate? You can't or don't want to steal (because it's morally wrong!) someone else's certificate?

This presentation is about solving these problems with techniques that allow you to bypass code signing requirements and regular kernel extension loading interfaces. The goal is to convince you that kernel extension code signing is a joke because its design is flawed. But this isn't enough for SyScan, challenging, or even fun. I'll show you how to abuse a publicly known vulnerability that is present in all available OS X versions and also a feature available in Mavericks and Yosemite, working around some "protections" in the XNU kernel.

And because it's SyScan the full source code for both rootkit loaders will be released.

Hopefully this will be more than enough to convince you that there are serious issues in the OS X platform and something must change at Apple.

The only requirement for this talk is uid=0(root). Well, the world isn't perfect but there is hope. Google Project Zero has shown how easy that is. Since SyScan is fantastic, we will have Ian Beer talking about how he does that.

BIO
A leading expert in the field of not being an expert, has played with computers for more than 30 years, holds a degree in Economics and an MBA, writes a somewhat famous OS X related blog, breaks copy protections for fun and profit, annoys HackingTeam, trolls Apple's product security policy, loves to solve weird problems, tries to spread some knowledge and write a different bio for each conference. Lately very interested in improving OS X security and malware research. Wrote a long OS X rootkits article for Phrack and is finally making that OS X rootkits book a reality.


Peter Fillmore


Payment Security Consulting

TOPIC
Crash & Pay: Owning and Cloning NFC Payment cards

ABSTRACT
With all this talk about NFC payments - why can't these cards be cloned?
This talk is about what you need to clone a card - and actually demonstrates live how this is possible. You will be guided through the tools needed, the protocols used and, most importantly, why it is possible to clone cards.

Additionally you'll learn how to fuzz test card readers using the same tools with an attack demonstrated through the NFC interface of a payment terminal.

If you have a credit card, iPhone, Apple Watch or Android phone this talk may be for you.

BIO
Peter Fillmore is an expert in the security of real world payment systems. He has worked to design and certify many different systems that we all rely on today. He provides consulting and training services to clients looking to implement and certify their systems to international standards.

Outside of these services he enjoys looking for WONTFIX bugs in big companies' systems and trolling music streaming services with computer generated MIDI music.


Peter Hlavaty

zer0mem
KEEN

TOPIC
Back to the Core

ABSTRACT
In order to make kernel exploitation as hard as possible, a variety of features was introduced, including KASLR, SMEP and sometimes also SMAP.
Even though these are powerful techniques, their effectiveness relies on their cooperation, environment and implementation.

We will present new and some not so new exploitation techniques, show the ideas behind breaking through the before-mentioned security features and why it is possible, and we will take a look at pool spraying on x64 as well.

BIO
Peter (@zer0mem) is a security researcher at KEEN Team (@K33nTeam) and his primary focus is kernel exploitation. Peter has 4+ years’ experience in IT security in different areas such as malware research, developing anti-APT solutions or Windows kernel development & research.


Raphaël Rigo


Airbus Group Innovations

TOPIC
A peek under the Blue Coat

ABSTRACT
Blue Coat ProxySG systems are widely deployed in big corporations to handle web traffic proxying and filtering. [1]

While they are very common, no work has ever been published regarding the internals of the system (except [2]).

With this talk, I intend to present the results of a detailed analysis of the entirely proprietary SG OS, which runs on commodity Intel hardware.

The talk will include a detailed description of:
- OS mechanisms
- file system internals
- security mechanisms (or lack thereof).

[1] report-gartner-magic-quadrant-for-security-web-gateway-2011-en.pdf
[2] http://ringzer0.wordpress.com/2011/05/24/bluecoat-cacheflow-bound-system/

BIO
I've worked in the past for Orange Labs and the French Network and Information Security Agency (ANSSI). I am now a security researcher at Airbus Group Innovations.

I've been reverse engineering for 15 years and I am mostly interested in system security.


Saumil Shah

krafty | @therealsaumil
Net-Square

TOPIC
STEGOSPLOIT – HACKING WITH PICTURES

ABSTRACT
"A good exploit is one that is delivered in style". My work over the past couple of years involves exploring new and innovative means of exploit delivery. My research involves using perfectly valid images (JPG, GIF, BMP, etc) to not only deliver exploits but also trigger them.

Stegosploit is the result of malicious exploit code hidden within the pixels of the image carrying it. The image, however, is a multi-format container, which also contains the code required to decode the steganographically encoded pixels to execute the exploit. A single file can be rendered as a perfectly valid HTML file, executed as a perfectly valid JavaScript file, and displayed as a perfectly valid image, all at the same time.

Exploit delivery therefore happens through transmission of pure images. No known means of malware detection have been able to successfully identify these images.

BIO
Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognized speaker and instructor, having regularly presented at awesome conferences like Deepsec, Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book".

Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.


Stefan Esser

i0n1c
SektionEins GmbH

TOPIC
iOS 678 Security - A Study in Fail

ABSTRACT
With the release of iOS 6, which came with a large number of new security mitigations, many information security professionals predicted the end of public jailbreaking, because developing exploits would be just too expensive to give away for free. But here we are: Apple just released iOS 8.1.2 and the current jailbreak was fixed in mere hours to adjust to this new release.

In this session we will discuss the exploit chains used to produce the iOS 6, 7 and 8 jailbreaks and show how Apple repeatedly made jailbreaking newer iOS versions easier by incorrectly fixing vulnerabilities, patching them only after a long time or not fixing them at all. We will furthermore discuss how this helps state sponsored attacks and why there is a change of guard in the jailbreaking community from Western hobbyists to well-funded Chinese hackers.

BIO
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH that he co-founded.

In 2010 and 2011 he got a lot of attention for presenting about iPhone security topics and supplying the jailbreaking scene with an exploit that survived multiple updates by Apple.


trimo

trimo

TOPIC
Abusing IE Elevation Policy: Practical Sandbox Escape of IE with Protected Mode

ABSTRACT
Recently, most operating systems and applications have sandbox mechanisms to protect the systems from attackers. In the case of Windows Internet Explorer (IE), a Tab process runs at a Low Integrity Level by default, which is one of the levels in the Windows sandbox mechanism. Thus a sandbox escape must be achieved at some point to compromise a Windows system via IE in Protected Mode. In this talk, I will deliver practical sandbox escapes of IE.

BIO
I am an independent security researcher. Once I built LTE and WCDMA base stations and did research on the complex system of IEEE 802.11s. I was a speaker at several academic conferences such as MILCOM, ICC, VTC, CCNC, and I published several journal papers in IEEE Comm. Letters/IET Communications. My recent research interests include offensive topics such as remote code execution via browser, sandbox escapes, and local privilege escalation on Windows and OSX/iOS.


Yuki Chen

Yuki Chen
Qihoo 360

TOPIC
The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations

ABSTRACT
In this presentation we will discuss how we developed a fully working exploit on IE11 + Windows 8.1. The exploit contains an unpublished UAF bug which can bypass the latest UAF exploit mitigation techniques (Isolated Heap and Deferred Free) as well as a sandbox escaping bug which can bypass the IE Enhanced Protected Mode Sandbox (EPM).

Since June 2014, Microsoft has introduced some new exploit mitigation techniques to Internet Explorer to defend against IE UAF exploits. Isolated Heap and Deferred Free are the two most effective methods within them.

With these two techniques, many UAF bugs cannot be used to achieve successful exploitation any more. However, under certain conditions, UAF bugs are still exploitable even if the freed element is in the Isolated Heap and Deferred Free List. We will introduce our UAF bug as well as the method we used to bypass Isolated Heap & Deferred Free and achieve code execution with the bug.

After achieving code execution in the IE child process, the next goal is to bypass the IE protected mode (and even enhanced protected mode) sandbox. In this presentation, we will also discuss the bug we used to bypass the IE protected mode sandbox.

Another new exploit mitigation technique is CFG (Control Flow Guard), which was first officially enabled on Windows 10 Preview, and later enabled on Windows 8.1 Update 3 by default. CFG is applied to the whole Windows OS and thus will also affect Internet Explorer. CFG is able to prevent unexpected control flow changes (which usually happen after a virtual function table overwrite when exploiting UAF bugs in IE). However, the current implementation of CFG is not 100% perfect. By attacking the weakness of CFG, we are still able to control the execution flow to our code. We will use a modified version of our exploit library (Explib2) to demonstrate our method to bypass CFG.

BIO
Yuki Chen is a security researcher at Qihoo 360. He holds a master's degree in software engineering and has 6+ years’ experience in the security industry. He is mostly interested in vulnerability hunting & analysis and exploit development. He is also a hardcore ACG otaku and cannot live without animation & manga.


The topics and speakers may be subject to change without prior notice.