Conference Talks
Modern desktop applications have become increasingly secure due to various mitigations, but Chrome and Adobe PDF reader are still the popular targets for top attackers.
Of course, sandbox escape is the primary challenge here and in this talk, we will discuss our journey of research on sandbox escape including the sandbox internals on Microsoft Windows and our sandbox escape methodology. We will also do a review on the attack surface of different sandboxes on Windows and we will of course show our exploits for escaping the Chrome and Adobe sandbox on Windows.
【The slides will be released after the conference】
VMware ESXi, also called VMware ESXi Server, is a bare-metal hypervisor developed by VMware for vSphere. ESXi is one of the primary components in the VMware infrastructure software suite. It’s the industry leader for efficient architecture, setting the standard for reliability, performance, and support. SLPD is a system service of ESXi, available before authentication, run with root privilege after ESXi 5.5, enabled by default before ESXi 7.0 U2c. It was reported that attackers are targeting multiple vulnerabilities in ESXi SLPD, for example, the massive ESXiArgs ransomware attack. Succeed to exploit Vulnerability in SLP, an attacker can get the root shell in ESXi and rule all the VM on it. However, there is no discussion about how to exploit these vulnerabilities. In this representation, we will talk about multiple vulnerabilities of SLP including preauth RCE and sandbox escape, including analyzing the root cause, and how to exploit these vulnerabilities stably. In the end, we also cover some novel techniques on how to do post-exploitation on ESXI.
OLE is a mechanism that allows users to create and edit documents containing items or "objects" created by multiple applications,and Microsoft Office provides an interface to support the OLE mechanism, which allows users to easily use some OLE objects in documents, such as Sound clips, spreadsheets, and bitmaps. While this design is user-friendly, the interface can load any CLSID, even if these objects are not intended for Office. This significantly expands the attack surface because any Windows machine will have thousands of COM objects designed to work in various scenarios. The presence of this attack surface has been discovered as early as 2010, and there have been many zero-day vulnerabilities in the following years. With the iteration of the windows system, many new com objects appeared in win10 and win11, but are they safe? With such questions in mind, we analyzed these COM objects and discovered 10+ new vulnerabilities, including two critical ones, which attackers could easily exploit for remote code execution in Office.
Component Object Model (COM) is a binary-interface standard for software components introduced by Microsoft in 1993. Thirty years after its first release, COM is still the basis to support many other core technologies of Microsoft. COM developers used many unions rather than structs in the coding to conserve memory in legacy computers. However, the excessive use of union architecture will most likely introduce type confusion vulnerabilities that can be taken advantage of by 100%-reliable exploits. According to our studies, the problem of union type confusion has long been overlooked and no solutions have been developed for off-the-shelf systems that employ COM.
In this paper, we propose COMFUSION, the first tool that detects union type confusion in COM. The crux is to infer union variables and their discriminants in COM binaries. This is challenging since existing type recovery techniques do not support union type in binaries. To resolve this problem, COMFUSION identifies union variables through taint propagation with the help of Microsoft Interface Definition Language (MIDL) files and then searches for union type confusion via symbolic execution. We evaluate COMFUSION on three popular releases of Windows operating system, including Windows 10 1809, Windows 10 21H2, and Windows 11 21H2. COMFUSION successfully found 36 union type confusions. Out of these, 19 type confusions have been confirmed to be capable of corrupting memory, exposing 4 confirmed CVEs.
VMware vSphere is a comprehensive cloud computing infrastructure virtualization platform under the VMware umbrella, with over 250,000 global customers. It encompasses various components, including ESXi, vSphere client, and vCenter. While vSphere is highly favored by customers, it is also a critical battleground in the realm of cybersecurity, with notable attention on vSphere ransomware activities this year. However, discussions about vSphere attack and defense are relatively limited within the industry. This topic will introduce several attack and defense techniques within vSphere, focusing on the following:
Introduction to stable exploitation methods of critical vulnerabilities in ESXi.
Lateral movement techniques within vSphere clusters.
Techniques for creating covert backdoors within vSphere.
Django-Simple-Captcha — JumpServer Preauth RCE Mosec BaijiuCon 2023
Django-Simple-Captcha is a captcha lib for Django' framework. We discovered captcha prediction issue and random seed leakage in it. And use it to achieve pre-auth RCE on JumpServer.
In recent years, targeted cyber operations have increased significantly, the complexity of attacks continues to rise, and network security has become an important factor in national security. The offensive and defensive confrontations surrounding cyberspace have continued to escalate. This topic will review the development of cyberspace security in the past few decades, from the first PC virus in the 1980s to national-level Advanced Persistent Threat (APT) attacks in 2023. From signature-based virus defense technology to Security Copliot based on LLM. This topic will introduce the important development trends of in both offensive and defensive cybersecurity , and sharing my views on APT and GPT.
The Microsoft Component Object Model (COM) is the foundation for many key Microsoft technologies and we develop COMRace, the first data race vulnerability detection tool for commercial off-the-shelf COM objects. COMRace targets a severe but previously overlooked flaw in the COM threading model, which makes COM objects prone to data race attacks. In COMRace, we apply static binary analyses to identify thread-unsafe interface methods in off-the-shelf COM binaries, then further verify binary analyses results with automatically synthesized proof-of-concept exploits (PoC). We have applied COMRace to 10,420 registered COM objects on the windows platform and the tool reports 186 vulnerable interface methods. COMRace automatically synthesizes 234 PoCs for 256 selected method pairs (82 unsafe methods) with conflict accesses, and there are 194 PoCs triggering race conditions. Furthermore, 145 PoCs lead to critical memory corruptions, exposing 26 vulnerabilities confirmed by the Common Vulnerabilities and Exposures (CVE) database.
Sharing mutiple vulnerabilities and exploits against exchange after proxyLogon era.
Windows Error Reporting (WER) provides the functionality for users to collect application faults, kernel faults and other application specific errors. Developers can use this infrastructure to receive information that can be used to improve their applications on Windows. Several years ago, a in-the-wild exploit (CVE-2019-0863) of WER made the security community start to do research on the internal of WER, and then many Logical bugs of WER have been discovered by security researchers in the recents years. Almost all of these bugs are related with the Path Redirection Attack. Attackers can abuse the junction to read/write/delete privileged filesystems then get EOP in the victim's system. To mitigate the Path Redirection Attack, Microsoft provides a Junctions Mitigation Policy to block these kinds of attacks. Nowadays, many windows services have enabled this mitigation policy which means Such kinds of bugs have become less and less. However, this does not mean that there are no other types of bugs in WER. After digging into the internal implementation of WER, we found a more subtle logical bug that has existed for many years. In this talk, We will introduce the basic infrastructure of WER, The history of its bugs, the new bug we found and our exploitation.
Ten years ago, an escalation of privilege bug in Windows Printer Spooler was used in Stuxnet, which is a notorious worm that destroyed the nuclear enrichment centrifuges of Iran and infected more than 45000 networks. In the past ten years, spooler still has an endless stream of vulnerabilities disclosed, some of which are not known to the world, however, they are hidden bombs that could lead to disasters. Therefore, we have focused on spooler over the past months and reaped fruitfully.
The beginning of the research is PrintDemon from which we get inspiration. After digging into this bug deeper, we found a way to bypass the patch of MS. But just after MS released the new version, we immediately found a new way to exploit it again. After the story of PrintDemon, we realized that spooler is still a good attack surface, although security researchers have hunted for bugs in spooler for more than ten years. We started to explore the inner working of Printer Spooler and discovered some 0-day Bugs in it. Some of them are more powerful than PrintDemon and easier to exploit, and the others can be triggered from remote which could lead to remote code execution.
The Component Object Model (COM) and Windows Runtime (WinRT) are widely used in windows systems, they are often used for cross-process communication and UWP Application. Both of them provide large attack surfaces for hackers to hunt for LPE, RCE and Sandbox Escape vulnerabilities. In the past year, we have found more than 100 bugs in COM/WinRT service. We classify these vulnerabilities according to their different types (UAF, OOB READ/WRITE, Type Confusion, Arbitrary READ/WRITE). We'll share how we found these bugs and our exploit tricks for some of these bugs.
Due current global issues of 2020, organizations have been forced to make changes in how their business model operates and as such, have opened the doors to remote working. Microsoft SharePoint is one of the most popular and trusted Content Management System's (CMS) deployed today. The product is used to share and manage content, internal knowledge with embeded applications to empower teamwork and seamlessly collaborate across an organization for a truly remote experience. After the efforts of countless talented engineers in Microsoft, SharePoint has been deployed in the Microsoft cloud as part of their office 365 offering.
This presentation will analyze the security architecture of SharePoint server and how it differs from other popular CMS products. From an offensive point of view, we will also reveal several attack surfaces and mitigations implemented and how those mitigations can be bypassed. Finally we will disclose several high impact vulnerabilities detailing the discovery and exploitation.
Many organizations are forced to make changes in how their business model operates to open the door for remote working due to the current global issues. They urgently need a Management System to manage and share their content, internal knowledge to empower teamwork and seamlessly collaborate across an organization. As a part of Office 365 Products, Microsoft SharePoint is one of the most popular and trusted Content Mangement System's (CMS), which don't need too much professional knowledge and skills to deploy and are concerned by many organizations. In this presentation, we will focus on the architecture, attack surfaces and mitigations of Sharepoint Server, and how to bypass those mitigations. Then We will present several high impact vulnerabilities detail and exploitation discovered in our research.
Blockchains promise to provide a tamper-proof medium for transactions, and thus enable many applications including cryptocurrency. As a system built on consensus, the correctness of a blockchain heavily relies on the consistency of states between its nodes. But consensus protocols of blockchains only guarantee the consistency in the transaction sequence rather than nodes’ internal states. Instead, nodes must replay and exe-cute all transactions to maintain their local states independently. When executing transactions, any different execution result could cause a node out-of-sync and thus gets isolated from other nodes.After systematically modeling the transaction execution process in blockchains, we present a new attack INCITE, which can lead different nodes to different states. Specifically, attackers could invoke an ambiguous transaction of a vulnerable smart contract, utilize software bugs in smart contracts to lead nodes that execute this transaction into different states. Unlike attacks that bring short-term inconsistencies, such as fork attacks, INCITE can cause nodes in the blockchain to fall into a long-term inconsistent state, which further leads to great damages to the chain (e.g., double-spending attacks and expelling mining power). We have discovered 7 0day vulnerabilities in 5 popular blockchains which can enable this attack. We also proposed a defense solution to mitigate this threat. Experiments showed that it is effective and lightweight.
NEO is one of the top public chains worldwide. It adopts a new consensus algorithm called delegated Byzantine Fault Tolerance (dBFT). In this article, we formalize dBFT via the state machine replication model and point out its potential issues. Our theoretical analysis indicates that dBFT could guarantee neither liveness nor safety, even if the number of Byzantine nodes is no more than the threshold, which has contradicted the established security claim. Then, we identify two attacks and successfully simulate them. Finally, we provide recommendations. Notably, NEO official team has accepted our suggested fixes.
The Microsoft Component Object Model (COM) is the foundation for many key Microsoft technologies and we develop COMRace, the first data race vulnerability detection tool for commercial off-the-shelf COM objects. COMRace targets a severe but previously overlooked flaw in the COM threading model, which makes COM objects prone to data race attacks. In COMRace, we apply static binary analyses to identify thread-unsafe interface methods in off-the-shelf COM binaries, then further verify binary analyses results with automatically synthesized proof-of-concept exploits (PoC). We have applied COMRace to 10,420 registered COM objects on the windows platform and the tool reports 186 vulnerable interface methods. COMRace automatically synthesizes 234 PoCs for 256 selected method pairs (82 unsafe methods) with conflict accesses, and there are 194 PoCs triggering race conditions. Furthermore, 145 PoCs lead to critical memory corruptions, exposing 26 vulnerabilities confirmed by the Common Vulnerabilities and Exposures (CVE) database.
Zero-Knowledge Proof technology is currently widely applied in blockchain projects, including Ethereum, Monero, Zcash, and more. However, the security and privacy risks in its practical applications are not well-known to the general public. This topic primarily aims to introduce some security and privacy issues in the application of Zero-Knowledge Proof technology within blockchain, through the analysis of security incidents and vulnerabilities in projects like Monero and Zcash. Additionally, we will share the vulnerabilities and risks we have discovered in the specific implementations of Zero-Knowledge Proofs.
Recently, Microsoft open source the Microsoft Simple Encryption Math Library version 3.1 (Microsoft SEAL). SEAL aims to provide a library of high performance, easy to use homomorphic encryption library. It has been used in several projects including the Intel Neural Network Compiler nGraph. Many companies are currently using SEAL to construct data security applications based on fully homomorphic encryption. It seems that the full homomorphic encryption is very close to practical. In this presentation, we will analyze the security risks of using SEAL and present several practical attacks on applications based on SEAL, we will also present countermeasures for those problems. Our research shows that fully homomorphic encryption still takes a while to be widely used and it’s extremely dangerous to use it without a crypto expert.
Many way to double spend your cryptocurrency NEO Devcon 2019
Bitcoin has been developed for ten years, and since then countless digital currencies have been created. But the discussion of double-spend attacks seems to still concentrate on 51% Attacks. In fact, our research has found that there are many other ways to achieve double-spend attacks, we got more than USD 300K+ bounty from the vedor for reporting these new bugs resulting double-spend. In this presentation, by intruducing a number of double-spend attack vulnerabilities that we have foud in EOS, NEO, ONT and other large blockchain paltforms, we summarized various reasons for causing double-spend attacks.
用户隐私及数据安全受到的关注越来越大,但是很好的解决用户隐私和数据安全问题缺一直是一个困难问题。全同态密码的出现给其带来了新的希望,不少公司目前正在基于全同态加密构造数据安全解决方案。然而我们的研究发现,全同态加密的使用会带来非常多新的安全问题。本议题讲介绍这些问题,并给出相应解决方案。
任何事物出现都有两面性,比如网络安全技术的出现是为了解决隐私泄露、勒索病毒、漏洞攻击、数据窃听等威胁,但技术本身也在运用过程中带来种种安全风险。在区块链场景,零知识证明(ZKP)的运用也是如此。
Blockchain technology is a really hot topic this year. It can be used to build a peer to peer cash system without any trusted authority. More and more people begin to trade on cryptocurrency, it indeed changes the world in some way. However, the cryptocurrency market also become a paradise for hackers. You can easily get a pseudonym in the cryptocurrency world, attacker can easily wash their money out. It was reported that more than 2 billion US dollars have been hacked related to blockchain security. So, the blockchain security, is not only a hot topic, but also a emergence. We begin to do some security research in blockchain security this year. In this topic, I will introduce the most dangerous attacks surface we found in public blockchain project. The smart contract virtual machine, the consensus mechanism, the P2P protocol and the smart contract. And We will give some real-world example of them.
My talk for P.O.D New BlockTrend 2018 TED talk, a TED liked simple and short talk. A very short and simple introduction to blockchain security.
Some Mining Related Attacks Monero village, Defcon26
This talk will introduce the fundamental concepts of Bitcoin mining and discuss several mining-related attacks, including double-spending attacks, 51% attacks, selfish mining attacks, and pool mining attacks.
EOS Node Remote Code Execution Vulnerability EOS devcon 2018
We found and successfully exploit a buffer out-of-bounds write vulnerability in EOS when parsing a WASM file. To use this vulnerability, attacker could upload a malicious smart contract to the nodes server, after the contract get parsed by nodes server, the malicious payload could execute on the server and taken control of it. After taken control of the nodes server, attacker could then pack the malicious contract into new block and further control all nodes of the EOS network.
ALL YOUR NODES ARE BELONG TO US:The Story of an EOS Chain RCE Bug HITCON 2018
一次新奇的区块链漏洞之旅 360 Openday 2018
BCH重启Op-code背后的安全故事 BCH meetup 2018
