Archives of POC2018
Events of POC2018

Belluminar by POC
Belluminar, the hacking contest of POC, started at POC2015 in KOREA for the first time. Belluminar is from 'Bellum' (war in Latin) and 'seminar'. It is not just a hacking contest but a kind of festival consisting of a CTF and a seminar on the solutions to the challenges. Only invited teams can join Belluminar. Each team can show its ability to attack what other teams want to protect and to defend what others want to attack.
DATE: 2018.11.8 ~ 9
VENUE: TheK-Hotel
EMAIL: belluminar@gmail.com
OPERATING: POC

Power of XX by POC
Who can show the power of XX this year? 'Power of XX' is the only hacking contest for women.
DATE: 2018.10.13 (preliminary round, online), 2017.11.08 (the final)
VENUE: TheK-Hotel
EMAIL: Spowerofxx@gmail.com
OPERATING: SISS & Demon Team

VR Challenge by TeamSCP
Welcome to the video game challenge! TeamSCP has prepared casual VR games for you. Take on the VR game challenge, get a score and go for the top.
DATE: 2018.11.08~09
VENUE: TheK-Hotel
CONTACT: http://www.facebook.com/HackingTeamSCP
OPERATING: TeamSCP
MORE INFO: https://github.com/pinebudweiser/Memo/blob/master/Notice(EN).md

Speed Hack by Theori
How fast can you solve our challenges?
- You get 2 challenges (Web, x86-64 Pwnable).
- You have 15 minutes to solve both of the challenges.
- Python, C/C++ compilers, Pwntools, pwndbg are provided.
- Only one try per person.
- You can choose in which order you want to open the challenges.
- You cannot go back to the old challenge once you give up!
* There will be awards given to the top players after the event is over!
DATE: 2018.11.08
VENUE: TheK-Hotel
HOST/OPERATING: Theori
Denis Kolegov, Oleg Broslavsky, "WebGoat.SDWAN.Net in Depth"
Denis Kolegov is a security researcher and an associate professor in computer security at Tomsk State University. His research focuses on network security, web application security, access control, and covert communications. Prior to this, Denis was the Application Firewall team lead at Positive Technologies. He holds a PhD and an associate professor degree in computer security. Denis has presented at different international security conferences including Area41, ZeroNights, Positive Hack Days, and SibeCrypt.

Oleg Broslavsky is a security enthusiast, PhD student at Tomsk State University, and member of the SiBears CTF team. He has given talks about aspects of web security and post-exploitation techniques at practical security conferences (Positive Hack Days, ZeroNights), developer conferences (HighLoad++) and even academic ones (SibeCrypt).

[Abstract]
==========
Today, "SD-WAN" is a very hot and attractive topic. Software-defined WAN (SD-WAN) is a technology based on the software-defined network (SDN) approach applied to wide area networks (WAN) in enterprise networks. According to Gartner's predictions, more than 50% of routers will be replaced with SD-WAN solutions by 2020. In this presentation, we disclose a set of vulnerabilities in widespread and most popular SD-WAN products including Citrix NetScaler and Silver Peak EdgeConnect. We present the new results of our research, consider some technical details of the insecure design and the vulnerabilities found, and describe different attack scenarios that may allow an attacker to compromise SD-WAN control and data planes.
Gmliu, "Windows Kernel Fuzzing"
Gmliu is a researcher in Tencent Zhanlu Lab.

[Abstract]
==========
In recent years, Windows kernel security has been highly regarded and Microsoft has enhanced Windows kernel security. Owing to this, kernel issues are fewer and fewer and it is much harder for security researchers to find kernel bugs. So I developed a tool to help security researchers fuzz the Windows kernel. In this talk, I will first introduce a new method to fuzz the Windows kernel. Then I will show a fuzzing framework, how it works, and discuss some methods of Windows kernel fuzzing. The fuzzing focuses on Windows kernel objects and the relationships between different objects. This talk will cover the GDI object and some other Windows kernel objects. I will show some crash cases that I found with the fuzzing framework. In the end, I will share some Windows crash details and show an exploit demo.
Jaanus Kääp, "Document parsers "research" as passive income"
Jaanus Kääp works as a penetration tester, security researcher and developer at Clarified Security (Estonia). Over the last years he has mostly focused on Windows and Android but has also been trying to find vulnerabilities in Office products as lazily as possible. This talk is about how laziness can still take you as far as 11th place in the MSRC Top 100 list.

[Abstract]
==========
Starting from the end of 2015 I have used the same basic method and tools for vulnerability research in MS Office products and Adobe applications. After the initial development, these tools (with only minor improvements over the years) have brought me new CVEs at an almost stable rate, making it an average of 2+ CVEs per month from Adobe and Microsoft for almost no work ("passive income"). The method for finding these vulnerabilities originates from corpus distillation and basic fuzzing without using any advanced methods or special workarounds. This talk describes the methods used and small tricks that have been of help, and I will also make public my full toolset.
Jiafeng Li, Zuotong Feng, "How to Exploit Blockchain Public Chain and Smart Contract Vulnerability"
Jiafeng Li is a Senior Security Research Engineer on Qihoo 360 0keeTeam & RedTeam and a white hat tutor. Zuotong Feng is a student at Chongqing University of Posts and Telecommunications and works as a security researcher on Qihoo 360 RedTeam.

[Abstract]
==========
The blockchain is not perfect, there are many challenges, and security threats are one of the most important issues facing the blockchain. As its economic value continues to rise, it has prompted attackers to use various means of attack to gain benefits. This presentation will introduce the attack methods discovered by our team in blockchain research and public vulnerabilities, such as the Ethereum Geth node DoS, EOS node attack, smart contract call injection attack, integer overflow and other attacks. I will show in detail how I found them and introduce what methods are used, what functions are tracked, the tools used, etc. Each of these vulnerabilities is very interesting and I am looking forward to sharing them with everyone. To the best of our knowledge, this presentation will be the first to release the 2018 blockchain security white paper.

Outline
1. Introduction & Background
2. Blockchain public chain vulnerability research (about 3 vulnerabilities)
3. Blockchain public chain vulnerability demo
4. Blockchain smart contract vulnerability research (at least 3 vulnerabilities)
5. Blockchain smart contract vulnerability demo
6. Conclusion
Jin Liu & Chong Xu, "Pwning Microsoft Edge Browser: From Memory Safety Vulnerability to Remote Code Execution"
Jin Liu is a security researcher in the McAfee IPS Research Team. Jin is mainly focused on vulnerability research, and he is specialized in vulnerability analysis and exploitation, with an especially deep dive into browser vulnerability research on the Windows platform. Chong Xu received his PhD degree from Duke University with a networking and security focus. He is currently a director leading the McAfee Labs IPS team, which leads the McAfee Labs vulnerability research, malware and APT detection, botnet detection, and feeds security content and advanced detection features to McAfee's network IPS, host IPS, and firewall products, as well as global threat intelligence.

[Abstract]
==========
In the past few years, the attack and defense of vulnerability exploitation has rapidly evolved, especially for high-risk applications such as the Microsoft Edge browser. Many new mitigation features have been introduced to the Edge browser and the Windows operating system, such as CFG, ACG and Win32k Type Isolation. Although these mitigations do help raise the bar for the exploit writer, this cat-and-mouse game is far from over. In this talk, we will present several interesting examples of vulnerabilities and exploitation tricks, and discuss how to make a reliable Edge RCE exploit on Windows 10 x64.
Kang Li, "Practical evading attacks on commercial AI image recognition services"
[Speaker Info]
==========
Kang Li is a professor of computer science and the director of the Institute for Cybersecurity and Privacy at the University of Georgia. His research results have been published at academic venues, such as IEEE S&P, ACM CCS and NDSS, as well as industrial conferences, such as BlackHat, DEFCON, SyScan, and ShmooCon. Dr. Kang Li is the founder and mentor of multiple CTF security teams, including SecDawg and Blue-Lotus. He was also a founder and player of Team Disekt, a finalist team in the 2016 DARPA Cyber Grand Challenge.

[Abstract]
==========
In the past year, we have shown various attacks on AI applications by exploiting software vulnerabilities and algorithm flaws. This talk presents new evading attacks on publicly available image recognition APIs offered by major Internet companies. Attacks on AI-based image recognition are a hot topic in the field of AI, especially in the form of adversarial machine learning. Generating adversarial attacks is a very active research topic. However, adversarial samples generated by academic tools, although successful in research settings, do not create mis-classification effects in practice against commercial AI services and APIs. Most commercial AI-based image recognition systems adopt defensive methods to filter their inputs, and these filters make academic adversarial examples ineffective. The setup and parameters of these defensive filters are not known to the public, and thus we design methods and tools to blindly bypass and defeat such filters. We have successfully demonstrated targeted evading attacks on most of the commercially available AI-based image recognition services. In this talk we will show methods and threat examples that allow attackers to trick multiple well-known AI-based commercial services.
Liang Chen, "Era of iOS 12 with A12: End of iOS War?"
Liang Chen is a senior security researcher at KeenLab of Tencent (formerly known as Keen Team). Liang has strong research experience in software vulnerability exploitation and vulnerability discovery. During these years, Liang's major research area was browser exploitation including Safari, Chrome, Internet Explorer, etc. on both PC and mobile platforms. Liang also researches sandbox escape technology on various platforms. Liang led Tencent Security Team Sniper to win "Master of Pwn" in Pwn2Own 2016. Liang is also the winner of the iPhone Safari category in Mobile Pwn2Own 2013 and the Mavericks Safari category in Pwn2Own 2014. Liang has spoken at several security conferences including XCON 2013, BlackHat Europe 2014, CanSecWest 2015/2016, POC 2015, etc.

[Abstract]
==========
NA
Lidong LI & Naijie XU, "802.11 Smart Fuzzing"
Lidong LI is a security researcher at AD-LAB of CyberPeace. His research interests include wireless protocols such as Wi-Fi and BLE, and exploits for smart devices. He has discovered and reported vulnerabilities to vendors such as Qihoo and gee router. Naijie XU is an intern engineer at CyberPeace and a computer science student at Jiangnan University. His main research interests are pwn and reverse engineering.

[Abstract]
==========
In recent years, Wi-Fi has not only been used for home networks; more IoT devices and Internet-connected cars are using the Wi-Fi interface. This topic is mainly about fuzzing of the 802.11 Wi-Fi protocol. We will show some tips on 802.11 fuzzing and our research.
Ned Williamson, "Exploiting Chrome IPC"
Ned Williamson is an independent security researcher who started by playing CTFs, then transitioned to console hacking and vulnerability research.

[Abstract]
==========
Since the win32k lockdown on the Chrome renderer process, escaping the Chrome sandbox on Windows has become much harder. The most recent successful competition exploit occurred in 2015. While everyone was focusing on win32k, the security of the Chrome sandbox over IPC went overlooked. By applying new fuzzing strategies many vulnerabilities can be revealed, one of which I used to demonstrate a full chain exploit at Hack2Win this year with the help of saelo and niklasb. In this talk I hope to show how I found these bugs by using targeted fuzzing in a way that was easy to set up but reliably had great results, and briefly cover how we leveraged one use-after-free bug to fully escape the sandbox.
Nikita Tarakanov, "Automating Windows Kernel Pool Overflow/Corruption Exploits Development"
Nikita Tarakanov is an independent information security researcher. He has worked as an IS researcher at Positive Technologies, Vupen Security, CISS, and Intel Corporation. He likes writing exploits, especially for the Windows NT Kernel. He won the PHDays Hack2Own contest in 2011 and 2012. He has published several papers about kernel mode drivers and their exploitation. He is currently engaged in reverse engineering research and vulnerability discovery automation.

[Abstract]
==========
Writing a working exploit for a vulnerability is generally challenging, time-consuming, and labour-intensive. To address this issue, automated exploit generation techniques can be adopted. In practice, however, existing techniques exhibit an insufficient ability to craft exploits, particularly for kernel vulnerabilities. In this talk, we will introduce a new exploitation framework to automate the exploitation of Windows kernel pool overflow/corruption vulnerabilities. Technically speaking, our framework utilizes a kernel pool manipulation technique and various exploitation techniques (some of them are new and have never been published). We demonstrate that this new exploitation framework facilitates exploit crafting from many aspects. First, it works on all Windows versions from Windows 7 up to Windows 10 RedStone 4. Second, it bypasses all kernel security mitigations including Pool Metadata hardening, Object Header TypeIndex encoding, SMEP, and KMCI. Bonus: an overview of new challenges in automating kernel pool overflow/corruption exploit development in the upcoming Windows 10 RedStone 5.
Samuel Groß, "IPC MitM: Exploiting a Fun Logic Bug for Kernel-Mode Code Execution on MacOS"
Samuel Groß is an independent security researcher and, in his spare time, a Master's student at Karlsruhe Institute of Technology. He has been researching browser security for some years now and has published multiple articles on the subject, including a Phrack paper about JavaScript engine exploitation techniques using JavaScriptCore, the JavaScript engine inside WebKit/Safari, as the example. He successfully participated in the yearly Pwn2Own contest in 2017 and 2018, both times demonstrating a remote exploit against Safari which also gained root or kernel-mode code execution on the underlying macOS system. Recently he has started offering trainings on browser exploitation in which he dedicates a full day to JIT compiler internals.

[Abstract]
==========
With many operating system services implemented in userland, inter-process communication (IPC) is a fundamental feature in Apple's operating systems. From a security point of view, these userland services pose an interesting target as many of them run with higher privileges. Besides memory corruption vulnerabilities in services reachable through IPC, logic bugs are also not uncommon due to the high complexity of the system as a whole. This talk will first revisit the basic IPC primitives on macOS and iOS as well as their general OS design. Afterwards, an interesting logic vulnerability, allowing an attacker to intercept and manipulate IPC traffic between userland processes, will be explained. Finally, different ways of exploiting this vulnerability will be presented: first by targeting sudo to gain root privileges, then by tricking kextutil into loading an unsigned kext into the kernel, thus bypassing SIP and gaining kernel-mode code execution. This vulnerability was used in Pwn2Own 2018 as the final part of an exploit chain against Safari on macOS. A full exploit together with a library implementing the parts of the XPC protocol required for exploitation will be released.
Tielei Wang, Hao Xu, "IOService Becomes a Grandpa"
Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011. He has published many papers in top research conferences including IEEE Security and Privacy, USENIX Security, ACM CCS, and NDSS, and gave several presentations at BlackHat USA, CanSecWest, POC, and RUXCON. Hao Xu is a member of Team Pangu. He has been involved in information security for over 10 years. His research interests range from OSX/iOS/Windows kernel security, rootkit and malware analysis, and hardware virtualization technology to reverse engineering. He is a regular speaker at Syscan 360, POC, and Xcon.

[Abstract]
==========
This talk will start with an introduction to IOKit, the object-oriented device driver framework of the XNU kernel, with a dive into implementations of features such as class inheritance. We will then review the IOKit userclient creation process and analyze a neglected attack surface. Guided by this discovery, we will introduce and analyze a few new similar vulnerabilities on the latest iOS/macOS kernel.
WYP, "Vulnerability analysis of Z-wave products used in Korea"
WYP is a team of Best of Best 7th members (Ki-Yoon Cho, Ji-Hwan Lim, Min-Seok Sung, Yoong-Ho Jeong, Sung-Bum Kim).

[Abstract]
==========
This presentation focuses on vulnerabilities of products that use the Z-Wave wireless communication protocol, which has the advantages of good usability, scalability, and low power. The presentation will mainly be divided into two parts: the first part introduces the related research and trends of Z-Wave and presents the results of the directly analyzed Z-Wave products from the viewpoint of security. The second part demonstrates the process of controlling commercial products through arbitrarily created packets using the Z-Wave spoofing tool that we created. First, the necessary information is captured by sniffing, and then a malicious control packet created from the information the attacker captured is used to control the product. We will demonstrate attacks on several products, including some kinds of smart door lock which are equipped with major companies' communication modules. It also introduces and demonstrates various attack vectors, which include DoS attacks and replay attacks. Although this demonstration is based on specific products from some companies, the vulnerability and attack can generally be applied to all products that use the Z-Wave protocol.
Yannay Livneh, "Baby I can drive your car: remotely hacking Telematics CAN-connected devices"
Yannay is a security researcher interested in Linux, low-level vulnerabilities and exploits, embedded devices and everything nice. Yannay also enjoys playing CTF every now and then, injuring his tendons on V8 bouldering problems and writing about himself in the third person. In the last years Yannay found some nice vulnerabilities and developed some general exploitation techniques which he published at conferences, blogs and magazines such as PoC, CCC, Troopers, PoC||GTFO and others. Before having an adult civil life, Yannay served as a researcher and developer in the IDF after completing his bachelor's degree in C.S. at the age of 18.

[Abstract]
==========
In recent years the Telematics industry - the industry which provides additional services for vehicle management - is on the rise. Small boxes packed with capabilities are installed in vehicles and used to provide many services such as fleet management, usage-based insurance, real-time position tracking, in-vehicle connectivity and others. To improve the services provided by Telematics devices (such as real-time malfunction reports), many of them are connected to the vehicle's computer network and also to the external world - e.g. the Internet. As such, they serve as a lucrative target for an attacker that wants to remotely connect to the vehicle's electronic systems. If such a scenario is executed successfully it may yield grave results and impact the safety of the vehicle. In our research, we analyzed the security of a common Telematics device. We found (too) many ways an attacker can compromise the device (locally and remotely). Using a compromised device, an attacker can send messages to the in-vehicle CAN network over a cellular modem connection, allowing the attacker to control critical vehicle functions. The hypothetical scenario outlined above is possible today. Now. An attacker from the other side of the world can take over these devices, at scale, and cause the vehicles in which they are installed to misbehave. The possibilities are only limited by the imagination. In our talk we discuss our research and its results. We explain the multiple vulnerabilities and attack vectors by which an attacker can make the device execute commands. We then describe a viable attack plan by which the attacker can take full control over the device. Eventually, we conclude with a full POC showing what an attack scenario would look like: how an attacker can activate car functionalities over the Internet without ever being in the vicinity of the car.
Yongtao Wang, Sai Cheng, Jie Fu, "SSRF To RCE In Java"
Yongtao Wang (sanr) works at Qihoo 360 as a senior security researcher in PegasusTeam. He specializes in penetration testing and wireless security research. He has extensive experience in security research and penetration testing. He is a lecturer at the China Internet Security Conference (ISC) security training camp and a speaker at conferences such as Black Hat and CodeBlue. Sai Cheng (Exist) is a student at Chengdu University of Information Technology. He is a security researcher at Syclover Team and worked as an intern at Qihoo 360 PegasusTeam. He specializes in penetration testing, Web security, and Windows security research. He has reported security vulnerabilities to some famous vendors such as Microsoft and Oracle. Jie Fu is a senior researcher of PegasusTeam at the 360 Radio Security Research Department in 360 Technology, with rich experience in embedded software and hardware security development and reverse engineering. He researched and developed the first active NFC protective equipment, 360 saferfid, and obtained a number of NFC security invention patents. He is a speaker at internationally renowned security conferences Black Hat and HITB (HackInTheBox).

[Abstract]
==========
SSRF is not a new technology. Over the past decades, many security researchers have proposed various attacks. Our research found that there are high-risk security flaws in the JDK, and Windows credentials can be obtained by exploiting this security flaw. If an application has an SSRF vulnerability, the effect of RCE can be achieved; this vulnerability has already been acknowledged on Oracle's official website as an important patch update. In this speech, I will introduce the vulnerability principle, the discovery process, the attack scenario, and the attack process in detail. After that, we will release the exploit tool for this vulnerability.
Yunhai Zhang, "Diving into Windows Defender Application Guard"
Yunhai Zhang is a security researcher in the NSFOCUS security team. He has worked on information security for more than a decade. He has spoken at BlackHat, DefCon, BlueHat, POC, CSS, and XCon. He has won the Microsoft Mitigation Bypass Bounty 5 years in a row since 2014.

[Abstract]
==========
With the release of Windows 10 RS3, a unique hardware-based isolation technique, called Windows Defender Application Guard (WDAG), was introduced. With the use of the native Windows Hypervisor, WDAG aims to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system, keeping the desktop PC protected. In this presentation, we will delve deep into the internals of WDAG. The first part will focus on the inner workings of WDAG, where topics such as how the container is created, how an app is launched in the container, the security mechanism of the container, and more are discussed. The second part will show how to modify the container to build a debug environment inside the container. Finally, the last part will discuss the attack surface of WDAG.