1. POC
2. 2020
3. Event

Events of poc2020

Power of XX by POC
Power of XX is the one and only CTF for female hackers. It was established in 2011. And now it is not a simple CTF, it became one of the 'community' in Korea. To cultivate women cyber security researchers and retain women who already in the field. POC have established an active and sociable networking community.

DATE: 2020.11.11 ~ 12
VENUE: Online
EMAIL: powerofxx@gmail.com
OPERATING: POC & POXX team

 
BinggoCTF by HypwnLab
BingoCTF is an individual CTF with bingo concept. The time limit is three hours, and regardless of the number of problem-solving questions, the player who completes the most bingos wins. The more important the position is to complete a line of bingo, the more difficult the problems are placed. From easy to difficult questions, we have a variety of questions ready, so complete the bingo and become the winner of the CTF and get rewards!

DATE: 2020.11.12
VENUE: Online
EMAIL: hypwnlab@gmail.com
OPERATING: HypwnLab

          

1. POC
2. 2020
3. Speaker

Aleksei Stennikov & Timur Yunusov, "POSWorld. Should you be afraid of hands-on payment devices?"

Aleksei Stennikov is a security engineer, hardware expert, ICS/SCADA, and ATMs researcher, passionate in hardware and low-level security. He has conducted numerous ATM, ICS/SCADA systems and hardware audits and researches. He is a speaker and co-author of research presented at numerous conferences including Black Hat USA, Positive Hack Days, and OffZone.

Timur Yunusov is the head of offensive security research and security expert in the area of payment security and application security. He regularly speaks at conferences and has previously spoken at CanSecWest, PacSec. DEF CON, Black Hat USA, and Black Hat Europe.

[Abstract]
==========
The dark market is full of cloned Point of Sales terminals and offers for fake merchant accounts. But how do they get there if every terminal is built to have anti-tampering mechanisms, segregated memory for private crypto keys, and multiple other layers of protection? In this talk we follow the life cycle of the most popular PoS terminals of major vendors. From their release onto the retail market through to breaking the device and cloning the terminal.
We show you exactly what it takes for hackers to use PoS terminals to cash out.

Alexandru-Vlad Niculae, "Enabling coverage-guided binary fuzzing on macOS"

Alexandru-Vlad Niculae is a former Google Project Zero intern and currently a third-year Computer Science student at University College London. He was a competitive programmer during highschool and he lately became interested in software security.

[Abstract]
==========
Coverage-guided fuzzing is generally the most effective fuzzing technique, which can be used to find security bugs in software with little effort. While this technique is widely available on open-source software, there’s little support for closed-source applications. This is where TinyInst, a lightweight dynamic binary instrumentation library, comes into play. This talk goes through the process of porting TinyInst to macOS and how this successfully enabled coverage-guided binary fuzzing on Apple’s platform. The talk will include:

What porting such a library involves
The process of writing a custom debugger for macOS
Challenges encountered during development
Results and how this tool can be used to find bugs

Alisa Esage, "Hypervisor Vulnerability Research: State of the Art"

Alisa Esage is an independent vulnerability researcher and low-level hacker, founder of Zero Day Engineering Trainings [0days.engineer]. She was awarded Zero Day Initiative Silver bounty hunter 2018, Phrack magazine author 2015, won the "Critical infrastructure attack" competition 2014, and was recognized in the "Halls of Fame" of multiple major software vendors' security bounty programs for discovering zero-day vulnerabilities.

[Abstract]
==========
This talk is a journey from the top of the research hill, starting with a big picture of modern hypervisors offensive security landscape with nowadays' unique challenges and blank spaces, down to deep undocumented internals of an essential kernel-level component of one of the world's hardest hypervisors. As part of the talk, details of a curious vulnerability that I found in Microsoft Hyper-V will be exposed for the first time.

Andrea Zapparoli Manzoni, "Hacking the 0-day Market: next steps"

Andrea Zapparoli Manzoni manages Crowdfense Limited, a UAE based vulnerability R&D hub, which he designed in 2017 with a multidisciplinary team of ethical hackers, lawyers and vulnerability researchers.

[Abstract]
==========
The 0-day vulnerability market developed over the years in a way that is unsafe, chaotic and rather inefficient. Bad business practices, lack of professionalism and low levels of trust are still spread in this market even today and can seriously hamper the ability of Law Enforcement and Intelligence Agencies to acquire and maintain strategic cyber capabilities in order to fight organized crime, terrorism and hostile geopolitical actors.

Having a deep understanding of these issues and of their solutions, Crowdfense is “hacking the 0day market” to create a better working environment for all the parties involved (researchers, brokers, integrators and end users), by introducing new platforms (as the Vulnerability Research Hub and the upcoming Vulnerability Research Marketplace) and new quality standards / best practices related to products and services, in order to improve significantly the sustainability of the underlying business processes.

This session will share how Crowdfense is doing this, why, what are the results, some statistics about the 0-day market and what our next steps are going to be.

Bas Alberts & Agustin Gianni, "CodeQL as an Auditing Oracle"

Bas Alberts is a security researcher with the GitHub Security Lab. His background is in offense focused information security and vulnerability research. In his free time he enjoys pajama wrestling and opening and closing parentheses.

Agustin Gianni is a security researcher with the GitHub Security Lab. His background is in offense focused information security and vulnerability research. In his free time he enjoys lifting heavy things and trying to convince his puppy to not wake up at 3AM.

[Abstract]
==========
CodeQL is commonly used to detect known vulnerability patterns and their associated variants in code. CodeQL queries are usually written to find very specific vulnerabilities for variant analysis purposes and are often integrated into CI/CD pipelines to automatically detect bugs. However, CodeQL can also serve as an interactive SAST Swiss army knife to support more general code auditing workflows. Since CodeQL makes a program’s AST and dataflows queryable, it has the ability to effectively answer many of the general questions that commonly arise when auditing code, such as “which APIs are tainted by user controlled input?”, “which integer arithmetic may be influenced by network controlled data?” and “which parts of the code have a high bug density?”. In this talk Agustin Gianni and Bas Alberts of the GitHub Security Lab will demonstrate practical CodeQL auditing workflows that enhance your ability to efficiently explore new attack surfaces.

Beomjin Lee , "Practical Methods to Exploit JS Application using Prototype Pollution"

Beomjin Lee is a security researcher (known as POSIX) in Hayyim Security, contributes to nodejs ecosystem.
He is also a passionate CTF player who participates in many CTFs and also bug hunter, he found many vulnerabilities in nodejs libraries and published several papers on automation analysis for js library.

[Abstract]
==========
Over the years, interest in nodejs Server Side JavaScript has been growing.

prototype pollution is a unique vulnerability in prototype based language like javascript.
This has become a recent topic in modern web security and prototype vulnerabilities has been found in many popular libraries.
However, there has not been enough research on how this could have a ripple effect beyond DOS.

through personal research, I was able to increase the possibility of exploitation in the Real World from finding the vulnerabilities in the libraries frequently used in application configuration to nodejs internals and different types of parser, collected exploit methods from many edge cases.

In this presentation will be focused on how the context injection technique by prototype pollution vulnerability can actually be used practically in nodejs. I will introduce how to escalate the impact of the logical vulnerability that is overlooked, from DOS, to the RCE in many cases.

Denis Kolegov, "Breaking SD-WAN Crypto Protocols"

Denis Kolegov is a principal security researcher at BI.ZONE. His research focuses on network security, cryptography engineering, and covert communications. He holds a Ph.D. and an associate professor degree. Denis presented at various international security conferences including Power of Community, DeepSec, Area41, and InsomniHack.

Maria Nedyak is a developer at BI.ZONE company, a student at Tomsk State University, and a member of the SiBears CTF team. Maria presented at HITB Lockdown and ZeroNights conferences.


[Abstract]
==========
Software-defined networking in a wide area (SD-WAN) requires secure cryptographic protocols to protect control and data flows. In this talk, we will consider SD-WAN cryptographic protocols and their implementations. The main result presented in the talk will be devoted to IPsec UDP (IKE-less) protocol invented by SilverPeak company and employed within its Unity EdgeConnect SD-WAN product. We will introduce the IPsec UDP protocol in a way suitable for non-experts in cryptographic protocols and show that its design and implementation is totally compromised from a cryptographic perspective and fails to provide the claimed security properties. Additionally, we will discuss found vulnerabilities in other widely known SD-WAN products that can be exploited to reconstruct the cryptographic keys and decrypt all network traffic.

GilGil & Yubin Sim & Byoungjun Choi, "GUI based WiFi Attack tools over Android"

GilGil is a software engineer specializing in network vulnerability analysis and a professor at Joongbu and Korea University.

Yubin Sim is an undergraduate student at Department of Information Security in Seoul Women's University. She is interested in network security.

Byoungjun Choi is an undergraduate student at Department of Industrial Security in Chung-Ang University. He is interested in network security and privacy.


[Abstract]
==========
Currently known network attacks are very diverse. Most of these attacks are possible with computers such as laptops. However, in the real world, carrying a laptop and attacking will not be easy for an attacker. From this point of view, we made a network attack tool as an Android application. Based on the Android GUI, arp broadcast attack, deauth attack, and finally, search for nearby devices based on the signal strength of wireless packets were developed.

Grugq, "Cybercraft: Strategic Cyber in Great Power Competition"

The Grugq is a pioneering information security researcher with two decades of experience at almost every level of the field. He has worked extensively with threat intelligence, disinformation, digital forensic analysis, binary reverse engineering, rootkits, mobile phone security, Voice over IP, telecommunications and financial services security. The Grugq has been quoted and referenced routinely in The New York Times, Washington Post, Forbes, Wired, TechCrunch, BoingBoing, VICE and BBC News. Grugq’s quotes and insights are so frequently referenced at security conferences that he’s informally known as the “most quoted man in infosec".


[Abstract]
==========
This talk presents and examines cybercraft. Cybercraft is used to understand great power conflicts from a strategic level that includes the cyber domain, and operations within the cyber domain. Under this lens, the details of individual cyber operations are less interesting than how they are collectively advancing towards strategic objectives. This expands the understanding of cyber conflict beyond the constraints of CyberWar.

Existing discussions of CyberWar are severely hampered by focusing on cyber battles at the tactical or operational level, rather than the strategic level of war. Strategic cyber warfare is based on principles that have been around for a long time (e.g. Fabian strategy), but only recently formalised as doctrine in the West. None of this is new, but cyber operations can now achieve results typically reserved for kinetic warfare.

What makes this significant is the upheaval of the cyber dimension: it collapses information spheres, geolocation, and gatekeepered communities. The main impact of this is flattening the resource requirement differences between a state, a corporation and a person. Small groups of people can take actions that are as effective or more effective than states.

Jinbum Park, "Cache Attacks on Various CPU Architectures"

Jinbum Park is just one of the security researchers and passionate developers working for samsung research, security team. He mainly focuses on defensive security as a daily job but also has huge interest in offensive technique. He has experience on various low-level softwares such as OS Kernel, Hypervisor, TEE (Trusted Execution Environment), and so on.
These days, he is being mad about modern security technologies such as Rust, Web Assembly, HW-based TEE.


[Abstract]
==========
In recent years, side-channel or micro-architectural vulnerabilities have been getting more spotlighting as Meltdown and Spectre demonstrated their severity in practice.
In order for profit through the vulnerabilities, it is necessary for attackers to utilize a powerful exploitation technique such as cache attack, which has been well-studied by not only academia but also in-the-wild hackers.
Unfortunately, the studies tend to be focusing on a specific CPU architecture, Intel, even though other architectures such as ARM, AMD are as important as Intel in terms of security.
We therefore need to understand how different cache attacks are depending on each CPU. By doing so we can understand much better about the vulnerabilities and CPU itself, consequently it is able to exploit them regardless of CPU.
In this talk, I will explore how CPU design differentiates the way of cache attacks by walking through typical cache attack scenarios with relative academic papers including my research.
In particular, I will focus on explaining which features in ARM make attacks difficult— and in contrast— which features in Intel make attacks easier.
More technically speaking, we will look at the following topics and how those affect cache attacks— 1) flush or evict cache, 2) cache inclusiveness, 3) SMT (Simultaneous multithreading), 4) cache replacement policy, 5) miscellaneous things—.

Jun Yao, "Three Dark Clouds over the Android Kernel"

Jun Yao (@_2freeman) is a security researcher in Alpha lab of 360, focusing on Android security since 2016. These years he has found several critical vulnerabilities and completed some exploits. At the same time, the KSMA mitigation patch he implemented has been merged into the Linux mainline. He was a speaker at Black Hat Asia and HITCON.


[Abstract]
==========
This talk points out three attack methods that are still effective in the Android kernel: the ret2dir, the KSMA (Kernel Space Mirror Attack) and the SMA (SLAB Mirror Attack). The SMA can covert some UAF vulnerabilities into information disclosure or arbitrary writing. This meets the requirements of the KSMA. In order to demonstrate the power of this attack combination, I take the CVE-2020-3680 as an example to explain how to complete the exploitation. Finally, I analyze the corresponding mitigations. Unfortunately, some of them have not yet been enabled. I hope manufacturers can enable these mitigations as soon as possible to effectively protect user devices.

Liang Chen, "2020: a new year to research iOS security"

Liang Chen is director of Singular Security Lab. Liang has strong research background on browser exploitation, vulnerability discovery and exploitation techniques on Apple platform. He talked at several security conferences such as Black Hat, Infiltrate, RECon, PoC, Cansecwest, etc. Liang is also the winner of iPhone Safari category in Mobile Pwn2own 2013 and Mavericks Safari category in Pwn2Own 2014. He also led the team to win "Master of Pwn" in Pwn2Own 2016, Mobile Pwn2Own 2016 and Mobile Pwn2Own 2017 in his past job. He demonstrated jailbreaks on 'latest' iOS at several global conferences in the past few years.

[Abstract]
==========
iOS 14 is a big version in regarding to security enhancement. It kills the methedology of using fake kernel task port as arbitrary read/write primitive, thus make quite some bugs which is exploitable in iOS unexploitable. Furthermore, iOS 14 also enhanced its PAC (A12 or later): Data PAC, less zero-context PAC, etc. In this talk, I will explain how these mitigations and enhancements made exploitation harder. Also possible ways to bypass those mitigations and enhancements are also discussed.

Ned Williamson, "Fuzzing iOS Kernel Networking in Usermode"

Ned Williamson is a security researcher at Google Project Zero. He has worked on vulnerability research for a variety of targets, from Nintendo to Chrome to iOS. He has presented at POC in the past, where he got to share his love of Buldak noodles with attendees.

[Abstract]
==========
The networking stack in an important attack surface in the iOS kernel. This talk will describe the design and implementation of a usermode fuzzer that discovered SockPuppet, a single bug that led to an escape from the app sandbox to kernel.

Nikhil Mittal, "My Hacking Adventures With Safari Reader Mode"

Nikhil Mittal works as a security consultant at Payatu Software Labs. His primary area of research is client-side security. He loves finding security flaws in Microsoft Edge browser. Google, Microsoft, Mozilla, SANS, Sony, SourceForge, Intel, and several other companies have acknowledged Nikhil for reporting security issues in their applications. He was also a speaker at 36c3 and phdays9.

[Abstract]
==========
This talk is about a security analysis of safari reader mode available for macOS and IOS devices. Which reveals some major vulnerabilities in safari reader mode including the same-origin policy bypass along with other permissions like Video/Audio permission bypass.

Praveen Vadnala & Nils Wiersma, “Arbitrary code execution on RISC-V using fault injection"

Praveen Vadnala is a Senior Security Analyst at Riscure, Delft, the Netherlands. His work is mostly focused on analyzing and testing the security of embedded devices. He holds a Ph.D. in computer science from University of Luxembourg, Luxembourg. His research interests are related to side-channel and fault-injection attacks and their countermeasures. He co-authored and presented papers at several conferences including CHES, FSE and RSA conference.

Nils Wiersma, after receiving his BSc. degree in general Computing Science at the University of Groningen, moved on to pursue a MSc. degree in the field of Cyber Security offered in a joint-venture between the Radboud University of Nijmegen and Eindhoven University of Technology. During the thesis stage of this master's degree, he focused specifically on embedded security in the automotive context. Now, he works at Riscure as a Senor Security Analyst.

[Abstract]
==========
RISC-V is a new, free and open Instruction Set Architecture (ISA), that is becoming increasingly popular in the recent past. In RISC-V ISA, it is not possible to directly access Program Counter (PC), unlike other widely used architectures such as AArch32. Hence, corrupting a RISC-V instruction in order to to store the payload address into PC directly using fault injection is not possible. In this research, we propose alternative techniques to gain code execution using fault attacks by targeting the instructions that change the control flow of a program. They include corrupting return address register, stack pointer register, among others. Based on the experimental results, we identify new fault models that that cannot be explained using the programmer model of the ISA but requires understanding of the underlying hardware implementation. We demonstrate the practicality of these attacks on a commercially available RISC-V SoC. These results have wide-ranging implications on the security of embedded devices against attackers with physical access to the device, most notably the secure boot.

Ryan Sherstobitoff, "Hidden Cobra – A 2020 Outlook"

[Speaker Info]
==========
Ryan Sherstobitoff is a Senior Analyst for Major Campaigns – Advanced Threat Research in McAfee.
He specializes in threat intelligence in the Asia Pacific Region where he conducts cutting edge research into new adversarial techniques and adapts those to better monitor the threat landscape. He formerly was the Chief Corporate Evangelist at Panda Security, where he managed the US strategic response for new and emerging threats. Ryan is widely recognized as a security & cloud computing expert throughout the country.

[Abstract]
==========
In 2020 when the world went digital and more people began working from home, McAfee ATR observed an increase in cyber related operations attributed to the threat group Hidden Cobra. In previous years Hidden Cobra engaged in many cyber offensive operations around the world that included different kinds of implants, infrastructure, etc. Hidden Cobra has become a highly active threat actor involved in a diverse set of activity. This talk will review some of these operations in comparison to previous years and cover some never seen before activity.

In this talk McAfee Advanced Threat Research will detail how Hidden Cobra has changed and evolved in 2020. In this talk we will cover:
• How Hidden Cobra has evolved in 2020
• What are some of the possible motivating factors that drive changes in cyber offensive operations
• A quick operational review of some notable cyber events
	◦ Deep Dive into DTRACK research and Hidden Cobra’s interest in India’s Nuclear and Energy Sector
	◦ A review of Operation North Star – How Hidden Cobra is impersonating recruiters in the defense industry
• Deep dive into the technical side
	◦ Research methods to identify infrastructure belonging to Hidden Cobra
	◦ A look into new 2020 implants
• Wrap-up

Yong Wang, "Recovering the Attack: 1-click universal remote rooting from chrome sandbox"

Yong Wang(@ThomasKing2014) is a Security Engineer of Alibaba Security. Currently focusing on Android/Browser vulnerability hunting and exploitation. He was a speaker at several security conferences including BlackHat{Asia 2018, Europe 2019}, HITB Amsterdam 2018, Zer0Con 2019, QPSS 2019, etc. These years he has reported several vulnerabilities, and one of them was nominated at Pwine Award 2019. He has also shared some homemade exploitation techniques like KSMA.


[Abstract]
==========
Last year, Google Project Zero disclosed a UAF bug in Android binder, which exploited in the wild. Although the whitepaper and Proof-Of-Concept code are available, it's far from enough to build a universal full-chain exploit.
To recover the attack, there are two critical problems that must be solved. The first one is how to attack the 64-bit kernel in the 32-bit process. The apps published on Google Play have been enforced to support 64-bit architecture. However, Chrome app still ran in 32-bit mode at that time. And according to the design of Linux on ARM 64-bit Architecture, AArch32/AArch64 cannot interwork. The second one is how to build the kernel exploit for various kernel branches under the chrome sandbox circumstance, and satisfy the marketed capability - "The exploit requires little or no per-device customization".
In this talk, we will detail two totally different exploitation views to recover the attack. The first one is how to build the 64-bit exploit in the 32-bit sandboxed process. We will introduce a new exploitation technique, named Arch-flip. It derives from the classic features of Linux kernel, which we used to bypass one part of the Real-time Kernel Protection of Samsung's mobile kernel several years ago. With this technique, an attacker can execute 64-bit assembly instructions and make 64-bit syscalls in the 32-bit process and vice versa, breaking the abovementioned kernel restriction. We will detail how to use it in the sandboxed process and make the 64-bit exploit work in the 32-bit process smoothly. The second one is building the 32-bit exploit.
Under the sandbox circumstance, only a few syscalls are available, and some implementation of syscalls and kernel objects' structure can alter in different kernel branches, it's quite challenging to build the universal kernel exploit. Additionally, we still have to bypass the common(PXN/PAN/KASLR/CFI) and vendors' mitigations. We will discuss our tries and the final implementation of the full-chain exploit.
- During the presentation, we will give the full-chain exploit demos of different vendors' devices. And the videos were public last year. In summary, the ideas of exploitation are fresh and have never been discussed before.

Yonghwi Jin & Jungwon Lim, "Compromising the macOS kernel through Safari by chaining six vulnerabilities"

Yonghwi Jin is a PhD student at Georgia Institute of Technology. He is interested in binary analysis automation. He received a BS degree in Cyber Defense from Korea University in 2018.

Jungwon Lim is a PhD student at Georgia Institute of Technology. He is interested in information security in general, and binary exploitation and mitigations. He received many awards in hacking competitions. He was selected as Best 10 trainee in 2nd generation of South Korea's Ministry of Science and ICT's information security expert program (the program is also known as KITRI BoB).


[Abstract]
==========
Compromising a kernel through a browser is the ultimate goal for offensive security researchers. Because of continuous efforts to eliminate vulnerabilities and introduce various mitigations, a remote kernel exploit from a browser becomes extremely difficult, seemingly impossible.

In this talk, we will share our Safari exploit submitted to Pwn2Own 2020. Combining six different vulnerabilities, our exploit successfully compromises the macOS kernel starting from the Safari browser. It breaks every mitigation in macOS including ASLR, DEP, sandbox, and even System Integrity Protection (SIP). Inspecting every vulnerability used in this exploit, we will show not only state-of-the-art hacking techniques but also challenges in protecting complicated systems (i.e., browsers and operating systems) and in introducing their mitigations. Moreover, we will introduce a new technique that reliably exploits a TOCTOU vulnerability in macOS.

Yunhai Zhang, "Exploit Windows Kernel In 2020"

Yunhai Zhang is Director of NSFOCUS TIANJI LAB. He has worked on information security for more than a decade. He has spoken at many security conferences in the past, such as Blackhat, Bluehat, DEFCON, POC, TSec, XCon, etc.
He has won the Microsoft Mitigation Bypass Bounty 5 years in a row since 2014.


[Abstract]
==========
Exploit Windows kernel vulnerabilities used to be trivial, and then there were mitigations. Microsoft has introduced a lot of mitigations in kernel to break exploitation techniques. Nowadays, exploit a Windows kernel vulnerability need to bypass all enabled mitigations, such as KASLR, NX/DEP, SMEP, SMAP, TypeIsolation, KCFG, VBS and HVCI.
This presentation will go through these mitigations, discuss the trade-off between security and usability in its implementation and the potential attack surface. Based on that, this presentation will also demonstrate several tricks to achieve code execution in kernel with all the mitigations enabled.

1. POC
2. 2020
3. Training

Advanced Windows Logic Bug Hunting

There is no training course in POC2020

1. POC
2. 2020
3. Sponsor

Sponsors

Supporting Friends