Brandon Azad / @_bazad
Bio – Brandon Azad is a security researcher at Google Project Zero specializing in macOS and iOS.
Abstract – Among the vulnerabilities fixed in iOS 12.1.3 was CVE-2019-6225, a(nother) serious MIG reference counting issue in Apple’s kernel. Independently discovered by both me and Qixun Zhao (@S0rryMybad), this vulnerability was quite serious because it was reachable from within any sandbox and could be exploited very reliably. In this talk we’ll look at how this vulnerability was discovered and how to exploit it to achieve arbitrary kernel read/write on iOS 12.1.2.
NTLM Relay Risk Is Coming: A New Exploit Technique Makes It Reborn
Bio – Yongtao Wang (sanr) works at Qihoo 360 as a senior security researcher on the PegasusTeam team. He specializes in penetration testing and wireless security research and has extensive experience in both. He is a lecturer at the China Internet Security Conference (ISC) security training camp and has spoken at conferences including Blackhat, POC, and CodeBlue.
Bio – Yang Zhang (izy) is an independent security researcher with rich experience in web security research and penetration testing, and a core member of XDSEC. He has received several acknowledgments from well-known companies for his security reports. He currently focuses on web application security, cloud security, and blockchain security.
Abstract – NTLM relay attacks have been around for more than a decade. The oldest method is SMB Relay, which can be traced back to a security tool released by Sir Dystic in 2001; it needs to be emphasized that the issue is independent of the application-layer protocol (such as SMB). In fact, the security issue lies in the NT LAN Manager authentication protocol itself. As is well known, there are two ways to implement an NTLM relay attack:
1. Relaying the credential back to the victim machine (Credential Reflection); Microsoft released the MS08-068 patch for this vulnerability.
2. Relaying the credential to another host (Credential Relay), which is the currently widely used attack method because Credential Reflection has been fixed by Microsoft. Unfortunately, there are many restrictions on implementing Credential Relay in some attack scenarios.
We propose a new attack technique that can successfully implement the Credential Reflection attack and bypass all of Microsoft's defense strategies, which directly leads to RCE. In this talk, we will first review the history of NTLM relay attacks. After that, we will introduce a new attack technique for Credential Reflection that bypasses Microsoft's defense strategies (MS08-068) and implements the credential reflection attack by relaying the Net-NTLM hash back to the machine itself, achieving RCE (Remote Command Execution). In addition, we will describe it in real-world attack scenarios and release an automated exploit tool for this vulnerability.
Liang Zhuo / @realBrightiup, Qixun Zhao / @S0rryMybad
Reverse engineering of CoreAnimation and steps to break it, Safari JIT and exploit techniques
Bio – Liang Zhuo (@realBrightiup) is a security researcher at Qihoo 360 Vulcan Team, focusing on macOS/iOS. He was previously a security developer focused on IDS, worked at Qihoo 360 Nirvan Team, and has received many acknowledgments from Apple. He achieved macOS remote EoP at TianFuCup 2018.
Bio – Qixun Zhao (@S0rryMybad) is a security researcher at Qihoo 360 Vulcan Team, focusing on major browsers and macOS/iOS. He pwned the Safari category at Pwn2Own 2017 / Mobile Pwn2Own 2017, performed a remote jailbreak (from Safari to kernel) on iPhone X, and completed Edge, Chrome, and Safari (macOS) RCE at TianfuCup 2018, where he won the “Best Solo Pwning” award. He ranked 23rd in the MSRC 2018 Top 100.
Abstract – The WindowServer and backboardd processes have been used as targets for compromising macOS and iOS systems many times at Pwn2Own. Apple was aware of the weakness of those processes and put them into a sandbox after iOS 12.0 and macOS 10.14 Mojave. CoreAnimation is an important module that powers the two aforementioned processes, and a strange part of the system that no one has talked about before. In our presentation, we will talk about the CARenderService that CoreAnimation provides, introduce the regular steps of auditing system service processes on iOS/macOS, and show how to understand the structure of the code thoroughly through reverse engineering. We will also disclose some issues we recently found in CoreAnimation, one of which was successfully used at TianFuCup 2018, and talk about how to exploit those issues. Finally, we will talk about Safari JIT and its exploit techniques, including the case used at TianFuCup 2018.
Jeremy Fetiveau / @__x86
Bio – Jeremy Fetiveau (@__x86) is an independent security researcher interested in browser exploitation. He contributes to the blog doar-e (@doar_e).
Ki Chan Ahn / @externalist
The journey on exploiting the Magellan bug on Chrome
Bio – Ki Chan Ahn (@externalist) is a security researcher working at Exodus Intelligence. His general field of interest is bug hunting and exploitation in various operating systems, browsers, and hypervisors. In the past, he did pentesting and web/mobile application auditing in the financial sector.