Brandon Azad / @_bazad

Voucher Swap

Bio – Brandon Azad is a security researcher at Google Project Zero specializing in macOS and iOS.

Abstract – Among the vulnerabilities fixed in iOS 12.1.3 was CVE-2019-6225, a(nother) serious MIG reference counting issue in Apple’s kernel. Independently discovered by both me and Qixun Zhao (@S0rryMybad), this vulnerability was quite serious because it was reachable from within any sandbox and could be exploited very reliably. In this talk we’ll look at how this vulnerability was discovered and how to exploit it to achieve arbitrary kernel read/write on iOS 12.1.2.

Yongtao Wang / @by_sanr, Yang Zhang / @izykw

NTLM Relay Risk Is Coming: A New Exploit Technique Makes It Reborn

Bio – Yongtao Wang (sanr) works at Qihoo 360 as a senior security researcher in the PegasusTeam. He specializes in penetration testing and wireless security research and has extensive experience in both. He is a lecturer at the China Internet Security Conference (ISC) security training camp and has spoken at Black Hat, POC, CODE BLUE and other conferences.

Bio – Yang Zhang (izy) is an independent security researcher with rich experience in web security research and penetration testing, and a core member of XDSEC. He has received several acknowledgments from well-known companies for his security reports. He currently focuses on web application security, cloud security and blockchain security.

Abstract – NTLM relay attacks have been around for more than a decade. The oldest method is SMB relay, which can be traced back to a security tool released by Sir Dystic in 2001. It needs to be emphasized that the problem is independent of the application layer protocol (such as SMB): the security issue is in the NT LAN Manager (NTLM) authentication protocol itself. As we all know, there are two ways to implement an NTLM relay attack:
1. Relay the credential back to the victim machine itself (Credential Reflection); Microsoft released the MS08-068 patch for this vulnerability.
2. Relay the credential to another host (Credential Relay). This is currently the widely used attack method, because Credential Reflection has been fixed by Microsoft. Unfortunately, there are many restrictions on implementing Credential Relay in some attack scenarios.


We propose a new attack technique that can successfully implement the Credential Reflection attack and bypass all Microsoft defense strategies, which directly leads to RCE. In this talk, we will first review the history of NTLM relay attacks. After that, we will introduce a new attack technique for Credential Reflection that bypasses the Microsoft defense strategies (MS08-068) and implements the credential reflection attack by relaying the Net-NTLM hash to the machine itself, achieving RCE (Remote Command Execution). In addition, we will describe it in real-world attack scenarios and release an automated exploit tool for this vulnerability.
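The two relay shapes the abstract distinguishes (reflection back to the victim host versus relay to a different host) are easiest to see in a small model of the NTLMv2 challenge/response exchange. The following is an added example written for this page, not code from the speakers or their tool, and it does not reproduce their bypass. It makes several simplifications that are assumptions rather than the real protocol: the NT hash is SHA-256 of the UTF-16LE password instead of MD4 (MD4 is missing from many hashlib builds), messages are Python objects rather than the NEGOTIATE/CHALLENGE/AUTHENTICATE encodings, one object plays both the server and client roles of a host, and the MS08-068 class of mitigation is modelled simply as "a host refuses, as a client, to answer a challenge it handed out itself as a server".

```python
"""Toy NTLMv2 relay model: reflection vs. relay to another host (constructed example)."""
import hashlib
import hmac
import os


def nt_hash(password: str) -> bytes:
    # Stand-in for MD4(UTF-16LE(password)); MD4 is often unavailable in hashlib.
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    # NTLMv2 key: HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash(password), msg, "md5").digest()


def ntlmv2_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr = HMAC-MD5(key, ServerChallenge || client blob).
    return hmac.new(key, server_challenge + blob, "md5").digest()


class Machine:
    """A host with one account that acts as both NTLM server and NTLM client."""

    def __init__(self, name, user, domain, password, reflection_check):
        self.name = name
        self.user, self.domain = user, domain
        self.key = ntowf_v2(password, user, domain)   # what the verifier knows
        self.reflection_check = reflection_check
        self.issued = set()   # challenges this host handed out as a server

    # ---- server role ----
    def challenge(self) -> bytes:
        c = os.urandom(8)
        self.issued.add(c)
        return c

    def authenticate(self, user, domain, server_challenge, blob, proof) -> bool:
        if (user, domain) != (self.user, self.domain):
            return False
        expected = ntlmv2_proof(self.key, server_challenge, blob)
        return hmac.compare_digest(expected, proof)

    # ---- client role ----
    def respond(self, server_challenge):
        # A coerced client answers whatever challenge it is shown ...
        if self.reflection_check and server_challenge in self.issued:
            # ... unless it recognises the challenge as one it issued itself
            # (simplified model of the MS08-068 mitigation; assumption).
            return None
        blob = os.urandom(16)   # stands in for the NTLMv2 client blob
        return self.user, self.domain, blob, ntlmv2_proof(self.key, server_challenge, blob)


def relay(victim_client: Machine, target: Machine) -> bool:
    """The attacker in the middle: fetch a challenge from the target, show it to
    the coerced client, forward the client's answer. The password is never learned."""
    c = target.challenge()
    answer = victim_client.respond(c)
    if answer is None:
        return False
    user, domain, blob, proof = answer
    return target.authenticate(user, domain, c, blob, proof)


def reflection_succeeds(reflection_check: bool) -> bool:
    # Credential Reflection: the answer goes straight back to the host that gave it.
    host = Machine("HOST-A", "admin", "CORP", "Passw0rd!", reflection_check)
    return relay(host, host)


def cross_host_relay_succeeds(reflection_check: bool) -> bool:
    # Credential Relay: same account on two hosts, e.g. a shared local admin.
    a = Machine("HOST-A", "admin", "CORP", "Passw0rd!", reflection_check)
    b = Machine("HOST-B", "admin", "CORP", "Passw0rd!", reflection_check)
    return relay(a, b)


if __name__ == "__main__":
    print("reflection, no mitigation :", reflection_succeeds(False))   # True
    print("reflection, mitigated     :", reflection_succeeds(True))    # False
    print("relay to other host       :", cross_host_relay_succeeds(True))  # True
```

The third case is the point of the abstract's item 2: the challenge-origin check only stops a host from answering its own challenge, so relaying to a different host that accepts the same credential still works, which is why Credential Relay remained the practical technique after MS08-068.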

Liang Zhuo / @realBrightiup, Qixun Zhao / @S0rryMybad

Reverse engineering of CoreAnimation and steps to break it, Safari JIT and exploit techniques

Bio – Liang Zhuo (@realBrightiup) is a security researcher working at the Qihoo 360 Vulcan Team, focused on macOS/iOS. He was previously a security developer focused on IDS, worked at the Qihoo 360 Nirvan Team, has received many acknowledgments from Apple, and achieved a macOS remote EoP at TianFuCup 2018.

Bio – Qixun Zhao (@S0rryMybad) is a security researcher working at the Qihoo 360 Vulcan Team, focusing on major browsers and macOS/iOS. He pwned the Safari category at Pwn2Own 2017 and Mobile Pwn2Own 2017, achieved a remote jailbreak (from Safari to kernel) on the iPhone X, and finished Edge, Chrome and Safari (macOS) RCE at TianfuCup 2018, where he won “Best Solo Pwning”. He ranked 23rd in the MSRC 2018 Top 100.

Abstract – The WindowServer and backboardd processes have been used many times at Pwn2Own as targets for compromising macOS and iOS. Apple was aware of the weakness of those processes and sandboxed them as of iOS 12.0 and macOS 10.14 Mojave. CoreAnimation is an important module that powers both of these processes, and a strange corner that no one has talked about before. In our presentation, we will talk about the CARenderService that CoreAnimation provides, introduce the regular steps for auditing system service processes on iOS/macOS, and show how to understand the structure of the code thoroughly through reverse engineering. We will also disclose some issues we found in CoreAnimation recently, one of which was successfully used at TianFuCup 2018, and talk about how to exploit them. Finally, we will talk about Safari JIT and its exploitation techniques, including the case used at TianFuCup 2018.

Jeremy Fetiveau / @__x86

Attacking TurboFan

Bio – Jeremy Fetiveau (@__x86) is an independent security researcher interested in browser exploitation. He contributes to the blog doar-e (@doar_e).

Abstract – In the area of browser exploitation, the current trend is to attack JavaScript engines, and more specifically the optimizing compiler. TurboFan is the one used by the Chrome browser and is part of the V8 engine. It has been affected by many interesting bugs, many of which allow very reliable exploitation. The objective of this talk is to discuss the engine’s internals and some reductions made on the sea of nodes before shifting the focus to security. In particular, this presentation will examine what kinds of bugs have recently affected the optimizing compiler, how to reliably exploit those incorrect behaviors, and what changes have been made to prevent this.

Ki Chan Ahn / @externalist

The journey on exploiting the Magellan bug on Chrome

Bio – Ki Chan Ahn (@externalist) is a security researcher working at Exodus Intelligence. His general field of interest is bug hunting and exploitation in various operating systems, browsers, and hypervisors. In the past, he did penetration testing and web/mobile application auditing in the financial sector.

Abstract – This talk focuses on exploiting the Magellan bug found by the Tencent Blade team in Google Chrome Desktop. Nowadays, browser research is heavily focused on exploiting the JIT engine. This bug was a good example for testing how resistant Chrome is to classic memory corruption bugs that occur outside the JavaScript engine, and for demonstrating the feasibility of exploiting such bugs. The presentation will discuss how the exploit was designed from scratch by constructing primitives built around WebSQL, and present various ideas for overcoming exploitation hurdles to finally build a full exploit that runs arbitrary code in the Chrome renderer process.