[Speaker Info]
==========
Andrey Konovalov is a security researcher focusing on the Linux kernel.
Andrey found multiple zero-day bugs in the Linux kernel and published proof-of-concept exploits for these bugs to demonstrate the impact.
Andrey contributed to several security-related Linux kernel subsystems and tools: KASAN — a fast dynamic bug detector; syzkaller — a production-grade kernel fuzzer; and Arm Memory Tagging Extension (MTE) — an exploit mitigation.

See [xairy.io](https://xairy.io/) for all of Andrey's articles, talks, and projects.

[Abstract]
==========

Are you one of the people who cover the laptop webcam with a sticker to avoid being secretly recorded? Even though the LED indicator supposedly shows whether the camera is actually active. As it turns out, your fear of being recorded without an indication is well-grounded!

This talk shows how malicious software can turn off the LED indicator of the webcam module used in a few classic ThinkPad laptops while keeping the camera recording. Demonstrating this required finding a way to reprogram the camera's 8051-based controller's EEPROM firmware over USB, leaking and reverse engineering the controller's Boot ROM, and infecting the camera's firmware to add custom USB commands for controlling the LED indicator.

[Speaker Info]
==========
Chih-Yen Chang, aka Pumpkin (@u1f383), is a security researcher at DEVCORE and a member of the Balsn CTF team. He focuses on Linux kernel, hypervisor, and browser security, and has received multiple CVEs for vulnerabilities in the Linux kernel ksmbd and net/sched subsystem, QEMU, and Chrome. He recently competed in the Ubuntu LPE category at Pwn2Own Vancouver 2024.

[Abstract]
==========

The network scheduling (net/sched) subsystem in the Linux kernel manages the queuing and scheduling of network packets. To provide more flexibility, it supports a variety of scheduling algorithms and fine-tuning options, consequently increasing its complexity. In preparation for Pwn2Own Vancouver 2024, we decided to delve into this subsystem, anticipating that its complexity might conceal potential vulnerabilities.

After thoroughly reviewing all algorithms, we uncovered an out-of-bounds (OOB) write vulnerability in the TAPRIO algorithm caused by incorrect type usage. However, further analysis revealed significant limitations that makes exploitation daunting. For instance, the data and the location of the write are range-bounded, and the OOB write occurs in the vmalloc memory space, rendering existing attack methods ineffective. To overcome these limitations, we innovated a new exploit approach and successfully compromised the latest version of Ubuntu. We are also confident that this method is reusable for vulnerabilities with similar primitives.

In this talk, we will briefly introduce the net/sched subsystem architecture and the root cause of the vulnerability. Then, we will primarily focus on the exploitation. Initially, we will analyze the primitive provided by the vulnerability. Subsequently, we will detail how to leverage this restricted primitive to inject BPF bytecode, even when eBPF is disabled by default, to achieve arbitrary writing of kernel data. Additionally, we will explain how we performed "Heap Feng Shui" in the vmalloc space and utilize the Linux signal mechanism to increase the success rate of the exploit. Finally, we will share some intriguing anecdotes from our first participation in Pwn2Own, making the competition thrilling and challenging.

[Speaker Info]
==========
Csaba Fitzl graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing big networks. After that, he worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation, and defense bypasses. Then he moved on to the macOS world and developed a "macOS Exploitation and Penetration Testing" training at OffSec. Currently he works as a Principal macOS Security Researcher at Kandji. He gave talks and workshops at various international IT security conferences, including Hacktivity, BlackHat, Troopers, SecurityFest, DEFCON, and Objective By The Sea. Csaba spends his free time with his family, hikes and runs in the mountains.

[Abstract]
==========

In this talk I will share the details about four different vulnerabilities all related to disks. We will start by understanding how the diskarbitrationd system daemon works, what preventive measures it has. Then I will go through sandbox escape and full TCC bypass vulnerabilities impacted this daemon. Then we will move on to a new field and talk about diskutil, and storagekitd - what they are and what they can be used for. Once we are familiar with the tools I will detail several vulnerabilities, including full TCC bypasses and privilege escalations. Finally we will divert to diskutil's big brother, Disk Utility. There I will show how someone can use that to elevate privileges from admin to root if GUI access is available, for example in unattended workstations.

[Speaker Info]
==========
Haidar Kabibo is working as middle application security specialist in Kaspersky HQ in Moscow. He is part of industrial security service team. He is interested in windows internals, communication systems, network protocols and industrial infrastructure.

[Abstract]
==========

This presentation explores the details of MSRPC interfaces, focusing on the no authentication landscape thorough security research approach. The session starts by explaining the basics of Remote Procedure Call (RPC). Then, the research will discuss the link between famous null session and MS-RPC interfaces. As the result of this research will be new path for enumerating domain information including domain users.

In the research I will take you on a journey through my security research methodology against MS-RPC interfaces, which I developed after observing some interesting behavior from one of the Windows interfaces. As a result of this research, I will show how we can link this behavior to null sessions. Putting it all together, I will demonstrate how we can revive the legacy of null sessions by enumerating information from the domain controller and, most importantly, enumerating domain users without triggering any alerts and without being stopped by defenders.

A new Python tool will be introduced, implementing this innovative enumeration path alongside a corresponding Metasploit module.
The research will analyze why this type of enumeration cannot be effectively halted, providing examples related to some Windows services. The research will also show how the native Windows audit policy fails to effectively monitor such enumerations, and explore alternative methods that can be used.

This presentation is designed for security researchers, penetration testers and blue teamers eager to deepen their understanding of MSRPC interfaces and enhance their research techniques.

[Speaker Info]
==========
Heyi Wu graduated from Southeast University majoring in network security, has rich security work experience, has participated in the construction of multiple central ministries and commissions-level network security systems, as well as offensive and defensive drills and actual combat. End-to-end implementation of research and products in AI security, data security, cloud security, security development, intelligence hunting and other fields. Delivered speeches at well-known network security conferences at home and abroad, such as BH MEA, HITB, BSides, Kanxue SDC, XCon, Geekpwn, etc., participated in the compilation of multiple security standards at home and abroad (IEEE P2841, China self-developed operating system security, etc.), published many EI/SCI papers and patents , has a number of security certificates at home and abroad (CISP, CCSK, CDPSE, etc.), and has submitted several 0day vulnerabilities, general security issues of self-developed linux systems and advanced attack hunting traceability reports to the regulatory authorities.

[Abstract]
==========

Chinese government and enterprise organizations will replace domestic operating systems and application software on a large scale. However, most security vendors are currently unable to cover this area. Moreover, the domestic terminal security software has weak capability in detecting and killing malicious ELF samples. Some hackers and attack teams have targeted products that use domestic operating systems, and the existing detection capabilities are easily bypassed by attackers. Worse still, there is no established channel for exchanging malicious ELF samples among vendors. The situation is: There are very few domestically produced ELF malicious sample databases; There is zero work on the generation of adversarial malicious software targeting ELF; Currently, the existing work on countermeasures against PE malicious samples cannot generate executable binary files; there is no work on AI-based generation of malicious ELF samples. Thus, a system that generates adversarial malicious samples in the domestic environment using AI technology is needed to establish an advantage in the malicious sample library, and enhance the capability to detect and kill malicious software. We develop such a system and solve the above problems.

[Speaker Info]
==========
Meysam Firouzi is a software security researcher, with expertise in hypervisors, Windows, Unix-based systems, and XNU(macOS and iOS). You can read about him here https://r00tkitsmm.github.io/about/

[Abstract]
==========

This presentation will cover Pishi, an innovative method for structure-aware,feedback-driven fuzzing macOS kernel and its kernel extensions. Pishi is a static binary rewriting tool designed to instrument basic blocks in the XNUkernel and its macOS kernel extensions (kexts). It allows you to instrument the XNU kernelat a function, file, or folder level or address ranges. you can instrument everything in the XNU/bsd/net/ directory, all functions in content_filter.c, or just one specific function in theXNU source code, such as vnode_getfromfd. This enables targeted fuzzing. In the caseof KEXTs, you can also target one specific IOKit class or just one or more methods of a class.Similar to Linux and macOS’s KCOV, it collects the coverage and shares it with a fuzzer. You can hook Pishi into any off-the-shelf fuzzers.Pishi includes modified versions of LibFuzzer and libprotobuf-mutator, which have been adapted to be Pishi-aware, enabling them to fuzz the macOS kernel in a structure-aware, feedback-driven manner.

[Speaker Info]
==========
Mickey Jin (@patch1t) is an independent security researcher with a keen interest in malware analysis, threat campaign research, and vulnerability research.
Over the past few years, he has received over 200 CVEs from Apple, Inc.
He was also a speaker at various conferences such as HITB2021SIN/HITB2022SIN, PoC2022, and Objective By The Sea.

[Abstract]
==========

In the macOS system, most processes are running in a restricted sandbox environment, whether they are Apple's own services or third-party applications. Consequently, once an attacker gains Remote Code Execution (RCE) from these processes, their capabilities are constrained. The next step for the attacker is to circumvent the sandbox to gain enhanced execution capabilities and broader file access permissions.

But how to discover sandbox escape vulnerabilities? Upon reviewing the existing issues, I unearthed a significant overlooked attack surface and a novel attack technique. This led to the discovery of multiple new sandbox escape vulnerabilities: CVE-2023-27944, CVE-2023-23414, CVE-2023-32404, CVE-2023-41077, CVE-2023-42961, and CVE-2024-27864. Additionally, there are two other vulnerabilities affecting only beta versions that have been resolved and rewarded, but no specific CVE numbers have been assigned. There are three more sandbox escape issues currently awaiting processing by Apple’s security team.

In this presentation, I will delve into each of these new vulnerabilities - discussing their root causes while demonstrating how they can be exploited and explaining how Apple addressed them.

[Speaker Info]
==========
Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) is a security researcher at STARLabs, focusing on Browser/Virtualization/IoT bug hunting and exploitation.
In the past few years, I participated in several Pwn2Own events, and successfully demo exploitation on multiple targets (IoT, mobile and Virtual Machine).

[Abstract]
==========

VMware is a leading and widely used virtualization product. From a security perspective, it is one of the most challenging targets, alongside Hyper-V and KVM. This complexity inspired me to explore this targets further.

My research journey into VMware Workstation began in 2022. After extensively exploring its architecture, I discovered a new attack surface: the Virtual Bluetooth Device. By default, VMware Workstation guests can communicate with other Bluetooth devices through its Virtual Bluetooth Device. Although VMware has only implemented basic Bluetooth functions, the protocol's complexity increases potential for bugs. This attracts me and I decided to look deeper into this component.

In this talk, I will share my journey of working on the Virtual Bluetooth Device, providing fundamental knowledge about its architecture and focusing on several bugs I discovered. This includes two exploitations I successfully demonstrated at Pwn2Own Vancouver in 2023 and 2024. I will discuss the root causes, exploitation methods, and mitigation bypass techniques.

[Speaker Info]
==========
Pan Zhenpeng is a mobile security researcher at STAR LABS SG, focusing on Mobile(iOS/Android) and Web security, he was the speaker of Zer0Con, POC, OffensiveCon, 0x41Con and HITB Armory.

Jheng Bing Jhong is a security researcher at STAR LABS SG, focusing on Linux, VM and mobile security.

[Abstract]
==========

In July this year, Qualcomm patched a bug which was also discovered by us. By leveraging this specific vulnerability, we were able to root all affected Qualcomm-based Android phones.

In this presentation, we will first analyze the root cause of the bug and demonstrate how we turned it into a GPU Page Use-After-Free (GPUAF). We will then show how to exploit this bug through two distinct paths on different Samsung devices, bypassing all mitigations such as KNOX, physical address ASLR, and DEFEX. Next, we will share our experience on porting the exploit to other Qualcomm-based phones, detailing the challenges we faced during this process.

Finally, we will summarize the implications of this vulnerability for device security and provide recommendations for mitigating such risks in the future.

[Speaker Info]
==========
Seunghyun Lee, a.k.a. Xion (@0x10n), is a Ph.D. student in the Computer Science Department at Carnegie Mellon University. He received his bachelor's degree in CS/EE at KAIST, where he worked as a research intern in Hacking Lab. His research focuses on system security, binary analysis, automatic vulnerability discovery and exploit generation.

His recent works involve vulnerability research and exploitation of browsers and the Linux kernel, and have found and exploited multiple vulnerabilities in hacking competitions. His notable achievements include winning two browser entries in Pwn2Own Vancouver 2024, winning the top payout on TyphoonPWN 2024 with a Chrome entry, and winning multiple entries in Google kernelCTF and v8CTF. He has presented his research in domestic and international security conferences including POC2023. He is also an occasional CTF player and has received the DEF CON Black Badge for winning DEF CON CTF in '23/'24 as part of Maple Mallard Magistrates.

[Abstract]
==========

Browsers are a complex piece of software with multiple components integrated together. Every one of these components, as well as the integration layers between them, are potential sources of bugs. However, not all bugs are equal - exploitability of the initial bug is sometimes questionable, and mitigation bypasses are often required to obtain fully arbitrary code execution even within the renderer. In Chrome this mitigation is known as the V8 Sandbox, which attempts to prevent any memory corruption within the V8 Sandbox region from affecting any other memory region. This makes exploiting the initial bug to a fully arbitrary code execution much more challenging... or so was considered as such.

In this talk, I demonstrate how WebAssembly still serve as a great attack vector that provide troves of both the initial bug and V8 Sandbox bypass. I first share the story behind finding a WASM bug in V8 through variant analysis and exploiting it at TyphoonPWN 2024, and show how fixing this bug revealed another stunningly simple variant-of-a-variant bug exploited in v8CTF. I also introduce another bug in WASM TurboFan compiler caused by an innocent typo, and show how analyzing a seemingly unexploitable bug can reveal significant exploitability in some configurations and platforms. I continue on to a massive list of 10+ V8 Sandbox bypasses in WASM, opening up a whole new paradigm of bypass techniques that require significant efforts to fully patch. This research, while spanning over only a short period of approximately 2 months, enabled me to win multiple hacking competitions and VRPs for a total of $250K+.

Throughout the talk, I provide both the big picture and detailed technical walkthrough on finding bugs in Chrome's WASM implementation and exploiting them in the modern Chrome environment. I challenge the common misconception that "browser bugs are hard", whereas quite a few of them can be found and exploited without breaking a sweat. The talk will conclude with a sneak peek of future works on WASM implementation in other major browsers and a demonstration of the exploits.

[Speaker Info]
==========
Zhaofeng Chen is a security researcher at CertiK, specializing in Web3 infrastructure security, confidential computing, system security, and mobile security. With expertise in both offensive and defensive techniques, he has earned recognition for uncovering critical vulnerabilities in blockchain infrastructure, earning substantial bounties across multiple blockchain ecosystems. Beyond blockchain security, he has been acknowledged with over 30 CVEs by Samsung, Google, Microsoft, and Apple. These findings earned his team the MSRC Most Valuable Security Researcher award, and the Samsung Mobile Security Hall of Fame award.

[Abstract]
==========

Blockchain technology forms the backbone of Web3, prized for its decentralized, trustless nature and high availability. Innovations in VM layers, such as WebAssembly and Move Lang, aim to provide more secure programming paradigms and ease developer efforts. However, these security enhancements place an additional burden on on-chain validators. The assumption that distributed nodes inherently enhance reliability is increasingly questioned, especially when security flaws in critical paths, such as publishing and executing untrusted smart contract payloads, are exposed.

At POC 2023, we demonstrated methods to compromise on-chain security verifiers in Move-based blockchains. Our presentation revealed how to bypass type-safety enforcement to fabricate arbitrary crypto tokens and circumvent gas meters to introduce infinite loops into the blockchain network.

For POC 2024, we aim to expand our focus to a broader attack surface. We will explore the resource usage of various VM’s on-chain validators, specifically targeting how a single transaction can exhaust the resources of validator nodes, thereby disrupting the entire blockchain network's ability to produce new blocks. Over the past years, we have responsibly disclosed variants of such attack vectors in different blockchain ecosystems, earning more than $1.2 million in bounties.

We will discuss the fundamental reasons why this attack surface is common across modern blockchain VMs. Our presentation will detail three variants of resource exhaustion attacks in 2 popular blockchain ecosystems, demonstrated with real bug bounty vulnerabilities.

[Speaker Info]
==========


[Abstract]
==========