Andrew Wesie / @zoaedk

CTF Evolved

Over the past decade, cyber security competitions have grown to match, and often exceed, the challenges of real-world hacking. As members of Plaid Parliament of Pwning, a capture the flag team, we have experienced this first-hand and contribute with our own competition, PlaidCTF. While it was once possible to compete with a basic knowledge of assembly and reverse engineering, it is now expected that everyone can invent new heap exploitation methodologies on-the-fly and reverse heavily obfuscated binaries. This keeps the competitions interesting for those of us who have competed for years, but it also risks demoralizing those who want to learn and still have fun. While CTFs have been evolving, new competition formats, such as Pwn2Own and HackerOne, provide a completely different vision. The thrill of exploiting real software, with the bonus of a monetary reward, can excite those who have deemed CTF a waste of time. Why analyze and exploit toy programs when vulnerable real-world programs are plentiful? We believe that having this variety of competitions is a good thing. During this talk, we will review the recent history of both CTF and Pwn2Own-style competitions, along with our experiences and how we think they can fit together. We hope everyone will walk away with an appreciation for these competitions, and a vision for how they will continue to evolve over the next decade.


Halvar Flake / @halvarflake

The good 0(ld) days

Software supply chains are complicated. Open-source has allowed for tremendous advances and democratization everywhere, but many organisations do not have good control over what open-source code they are using where – and who is responsible for making sure that code stays up-to-date. Vulnerabilities can often be found by back-porting bugs in open-source software into closed-source environments. This talk discusses some methods for the detection of FOSS code in binaries and examines some particular cases where bugs could be obtained by first identifying the open-source code in binaries and then going from there.


Adam Donenfeld / @doadam

Viewer discretion is advised: (De)coding an iOS vulnerability

Over the years, ring-0 vulnerabilities in mobile devices have become increasingly difficult to find and exploit. Attackers and defenders alike must find new attack vectors, as well as develop tools to expedite the research process and increase coverage. One significant challenge is a more confining sandbox. While vendors usually put less emphasis on the security of mechanisms which are not operable from within the sandbox, sandboxing applications appropriately is not always that easy.
In this talk, we will uncover a deeply buried vulnerability in the iOS kernel cache, told as the real-world journey of finding it. The vulnerability, hidden within the video-decoder driver, can be triggered by processing maliciously crafted codec frames. The driver is normally not accessible to a standard application. This vulnerability, however, is still exploitable from within a sandboxed process or application. During this talk, concepts and working methods will be presented: from the initial investigation until getting familiar with a completely closed-source environment, as well as a real-world example of finding “sandbox-restrictive” vulnerabilities and nevertheless exploiting them from the most narrowed context.


Eric Sesterhenn / @X41Sec

In Sowjet Russia Smartcard Hacks You

The classic spy movie hacking sequence: The spy inserts a magic smartcard provided by the agency technicians into the enemy’s computer, …the screen unlocks… What we all laughed about is possible!
Smartcards are secure and trustworthy. This is the idea smartcard driver developers have in mind when developing drivers and smartcard software. The work presented in this talk not only challenges, but crushes this assumption by attacking smartcard drivers using malicious smartcards.
A fuzzing framework for *nix and Windows is presented along with some interesting bugs found by auditing and fuzzing smartcard drivers and middleware. Among them are classic stack and heap buffer overflows and double frees, but also a replay attack against smartcard authentication.
Since smartcards are used in the authentication process, a lot of vulnerabilities can be triggered by an unauthenticated user, in code running with high privileges. During the author’s research, bugs were discovered in OpenSC (EPass, PIV, OpenPGP, CAC, Cryptoflex, …), YubiKey drivers, pam_p11, pam_pkcs11, Apple smartcardservices…


James Lee / @windowsrcer

A Journey of Logical Vulnerabilities in Microsoft Browsers

We will have a look at and go through some logical vulnerabilities in Microsoft browsers. These include a vulnerability that allows escaping from the sandbox using specific extensions. There are also Same-Origin Policy bypass vulnerabilities, some of which allow us to conduct UXSS attacks. We’ll go through how these vulnerabilities work and the methodology of their discovery and exploitation.


Max Bazaliy / @mbazaliy

Dual booting modern iOS devices

In this talk we will investigate and present on the ways in which to boot a custom firmware image on an iOS device. In order to show this we will detail how the secure iOS boot process functions, including many of the details of how the low level component verification works as well as the loading and running of processes at boot time. It’s known that iOS devices tightly integrate their software and hardware components in order to secure the system, but how is this done in practice? We will answer this question and others by focusing on one of these integrations, specifically the boot process for modern iOS devices. The iOS boot process is a critical part of a device’s system security as it helps to ensure that each component of the device can be trusted before it is used by the system. Each step of the iOS boot process contains components that are cryptographically signed by Apple to ensure their integrity and verify the chain of trust before allowing the device to continue booting. The chain of trust for iOS includes the system bootloader, XNU kernel, kernel extensions, SEP, Wi-Fi, and the baseband firmware. From our detailed understanding and explanation of how the boot process functions for iOS we will then discuss ways in which researchers can take these learnings to create and load a custom iOS firmware image on a device, including a custom XNU kernel and system disk image side by side with the device’s original iOS firmware image.


SungHyoun Song / @decashx

Bypass Android Security Mechanisms using Custom Android

Most Android hackers research application vulnerabilities using rooting tools (SuperSU, MagiskSU) and hooking frameworks (FRIDA, Xposed Framework, etc.). However, rooting tools and hooking frameworks are detected and blocked by the security mechanisms of the Android OS and the application. So hackers have to circumvent the security mechanisms applied to the Android OS and applications, which can require an attacker to spend a lot of time on analysis and bypassing. Security mechanisms are constantly being updated, so attackers and defenders continue to play cat and mouse. So in this lecture I will analyze the security mechanisms applied to the Android OS and applications in detail at the code level, and, by creating a new Android kernel, create an undetected privilege escalation backdoor, dynamically intercept and manipulate the execution environment, and bypass security mechanisms.


Dennis Giese

Not all IoT Devices are Created Equal: Reverse Engineering of Xiaomi’s IoT ecosystem

While most IoT accessory manufacturers have a narrow area of focus, Xiaomi, an Asian based vendor, controls a vast IoT ecosystem, including smart lightbulbs, sensors, cameras, vacuum cleaners, network speakers, electric scooters and even washing machines. Their products are sold not only in Asia, but also in Europe and North America. The company claims to have the biggest IoT platform worldwide. Their devices may have a deep integration in the daily life and are able to collect a lot of personal data. However, not all devices in Xiaomi’s ecosystem are created equal. Whereas some devices are designed by Xiaomi itself, many IoT devices were developed by other companies and then integrated into their ecosystem. This results in different quality levels for software and designs. In this presentation, I will provide an overview over the most common Wi-Fi enabled IoT devices in Xiaomi’s ecosystem. We will take a look at their platforms, designs, features and vulnerabilities. How can we modify the devices to disconnect them from the cloud or to do something useful? Which device protections are deployed by the developers? And more important: What are the most common mistakes? After having reverse engineered over 40 different models of their ecosystem, I would like to share some interesting things I discovered while reverse engineering Xiaomi’s devices and discuss what the developers may have done better.


Vitaly Nikolenko / @vnik5287

Dissecting a 17-year-old Linux Kernel Bug

In this talk we will present the analysis and exploitation of a Linux kernel 0day affecting all major Linux distributions. This bug, resulting in local privilege escalation, has been around for almost 17 years, making it one of the oldest kernel vulnerabilities. It affects all kernels starting from 2.4 and can be triggered reliably on most distributions without any special privileges or system requirements.

We will demonstrate a detailed analysis of the vulnerability and walk through the exploitation steps required to escalate privileges on x86_64.


Yunding Jian @WhiteA10n3 / KaiJern Lau @xwings

Wireless Hacking with ‘HackCUBE’

This is a small (9.2cm^3), battery-powered cube box. It integrates a Raspberry Pi, an Arduino, 2.4/5.8G Wifi, HID, etc., and can be externally connected to SDR hardware such as HackRF, RTL-SDR, CC2541, etc. The whole system (without external accessories) is equivalent to Unicorn HackID Plus (RFID read/write/emulator) + Wifi Pineapple + rfcat (Sub-GHz transceiver). It provides comprehensive and powerful wireless hacking capability.

In the session, we will talk about daily wireless hacking with HackCUBE and HackCUBE mini.

We will bring some HackCubes (~10) to the lab, and attendees can operate and program them to complete the two experiments, and even try other ideas they have.

The highlights of the HackCUBE are its portability and multi-functionality. As hackers, we also hope to have an unnoticeable, battery-powered tool to do wireless hacking, so we created this cube. We wish to have this opportunity to introduce it to people.

In this talk, we will officially introduce our brand new HackCUBE with more powerful features and functionality, and show the golf-ball-sized HackCUBE mini for the first time.


Luat Nguyen / @l4wio

Tail of pdfium use-after-free series

pdfium is a PDF reader shipped along with Google Chrome. In this talk, I will talk about how I chose the target and the strategy to beat pdfium, sharing tips and what I was thinking when doing code review on a target. After 4 months, I successfully discovered 12 high-severity bugs, resulting in 6 CVEs and $42,000 in bounties in total.


Sheng-Hao Ma / @aaaddress1

Playing Malware Injection with Exploit thoughts

In the past, when hackers did malicious code injection, they used to adopt RunPE, AtomBombing, cross-process thread creation, and other approaches. They could disguise their own executable as any critical system service. However, with advances in anti-virus techniques, these sensitive approaches have gradually been proactively killed. Therefore, hackers began to aim at another place, namely memory-level weaknesses, due to flaws in the critical system services themselves.

This lecture will introduce a new memory injection technique that emerged after 2013, PowerLoadEx. Based on this concept, three new injection methods will be disclosed as well. These make good use of memory vulnerabilities in Windows to inject malicious behavior into critical system services. The content will cover Windows reverse analysis, memory weakness analysis, how to use and exploit them, and so on. The relevant PoC will be released at the end of the lecture.


Julian Rauchberger / Tobias Dam

Breaking the Bluetooth stack: Where to look and what to expect

From an attacker’s point of view, the Bluetooth stack is a really interesting yet often overlooked target. While there have been a number of practical attacks against the cryptography protocols used in Bluetooth in the past, this talk will focus on discovering memory corruptions that can be found in various layers.

The Bluetooth specification is extremely complex and repeatedly features questionable design decisions that are hard to implement correctly. This includes, for instance, a high number of length fields and packet fragmentation mechanisms that can be found in multiple places. These issues, combined with the fact that the overall code quality suggests that little research has been conducted on common Bluetooth implementations in the past, make it a prime target for exploitation.

This talk will focus on giving an overview of the lower layer protocols of Bluetooth, how to enumerate supported protocols and possible targets on a device, and where to look for exploits. We will show how to create a test environment to start vulnerability research for anyone interested. An in-depth explanation of two real-world vulnerabilities – an info leak and a heap corruption – that were found by the speakers in the BlueZ stack will be presented as a practical example.


Niklas Baumstark / @_niklasb

Thinking outside the (Virtual)Box

Desktop virtualization solutions like Oracle VirtualBox and VMware Workstation are extremely useful for software development, kernel debugging and security research. They are also often used to isolate the host system from potentially malicious or vulnerable code, and thus present interesting targets for exploitation. While VMware Workstation has been a target at the annual Pwn2Own contest since 2016, this year’s edition added VirtualBox for the first time, and it ended up as the only hypervisor that was successfully attacked during the competition.

This talk briefly compares the architecture of VirtualBox to that of the VMware product, with a focus on the guest-to-host attack surface available in their respective default configurations. After laying out the internals of the VirtualBox-specific HGCM and HGSMI protocols, examples of VM escape exploits against VirtualBox on Windows 10 and Linux hosts will be discussed, including the one used at Pwn2Own 2018.

You will find in this presentation basic vulnerability discovery strategies as well as exploitation techniques for VirtualBox, including powerful heap grooming primitives. You will also learn how the weak boundary between the VirtualBox userland and kernel components can be abused to escalate privileges to SYSTEM/root in a reliable manner after achieving code execution on the host.


Brandon Azad / @_bazad

Crashing to root: How to escape the iOS sandbox using abort()

Apple has greatly improved iOS security in recent years, but many attack surfaces remain largely ignored. For example: is it possible to elevate privileges by crashing maliciously? I decided to investigate how crash handling is implemented in iOS and whether it poses a viable attack vector. What began as a seemingly absurd question ended with control over every userspace process on the phone.

In this talk, I will share how I reverse engineered a system service to find a critical Mach port replacement vulnerability, how to bypass protections in order to trigger the bug, and how to exploit the bug to escape the application sandbox and execute code with full system privileges. I’ll also explain a technique I discovered to obtain the coveted task_for_pid-allow entitlement, which grants control over any userspace process. This technique bypasses recent defenses designed to stop even unsandboxed root processes from taking control of other processes.

The talk will assume basic familiarity with iOS but I’ll briefly cover the concepts we’ll need (codesigning, sandboxing, Mach ports, MIG, launchd) before diving into the core of the vulnerability. The complete exploit code and documentation is available online.


Nikita Tarakanov / @NTarakanov

Exploiting Kernel Pool Overflows on Windows 10 RS4

With each new version of the Windows OS, Microsoft enhances security by adding security mitigation mechanisms – kernel-land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox is by using a kernel vulnerability. That’s why Microsoft strives to enhance the security of the Windows kernel.

The kernel pool allocator plays a significant role in the security of the whole kernel. Since Windows 7, Microsoft has been enhancing the security of the Windows kernel pool allocator. In Windows 8, Microsoft eliminated almost all reliable (previously published) techniques for exploiting kernel pool corruptions.

Then Microsoft eliminated the “0xBAD0B0B0” technique in Windows 8.1, and there was no easy technique to exploit pool overflows on Windows 8.1.

Then the DKOM/DKOHM technique was presented, which gave really nice primitives (arbitrary read/write/execute) for kernel exploitation.

Following up, Microsoft obfuscated the TypeIndex in the object header, rendering the DKOM/DKOHM technique useless.

But Microsoft left the optional headers unprotected, which gave birth to the DKOOHM technique.

Sadly enough, techniques don’t live a long life these days, and Microsoft eliminated DKOOHM as well, leaving all known techniques not working…

This talk presents a new technique for exploiting pool overflows on Windows 10 RS4.

Bonus: an overview of enhancements in the upcoming Windows RS5.


Seunghun Han / @kkamagui1

The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone

– Rootkits and kernel exploits can neutralize protection mechanisms running in the kernel level (Ring 0). This means that the protection mechanisms need a higher privilege (Ring -1). For this reason, I presented Shadow-box v1 and v2 at Black Hat Asia. Shadow-box is a security monitoring framework for operating systems using Intel virtualization technologies and ARM TrustZone technologies. Shadow-box has a novel architecture inspired by a shadow play. It supports multiple platforms, Intel and ARM, and I made Shadow-box from scratch. I have been developing it as an open-source project.

– Shadow-box v1 (for x86) is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine and projects static and dynamic kernel objects of the guest into the host machine so that the security monitor in the host can investigate the projected images. The security monitor, Shadow-watcher, places event monitors on static kernel elements and tests the security of dynamic kernel elements. I manipulate address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and the hypervisor spaces. Shadow-box v2 (ARM version) also has a similar architecture, and it was tuned for IoT devices. Unlike a mobile phone, the processor of an IoT device has fewer resources and functions. For this reason, I used only the security extension, ARM TrustZone, with Open Platform Trusted Execution Environment (OP-TEE).

– In this talk, I propose Shadow-box as a practical and lightweight security framework and show how it protects the kernel from rootkits and kernel exploits with a demo. Unlike other academic research results, I have been operating and updating Shadow-box in the real world for 3 years. I share my know-how about it.