SPEAKERS   


Listed speakers' names in alphabetical order.

 

  Antonio Cocomazzi & Andrea Pierini, "10 years of Windows Privilege Escalation with Potatoes"

[Speaker Info]
==========
Antonio Cocomazzi (aka splinter_code) is a Senior Offensive Security Researcher at SentinelOne. Specializing in low-level exploitation and EDR evasion, he has a keen interest in unraveling the intricacies of Windows OS internals.
Antonio's primary research focus lies in identifying novel attack vectors against Windows operating systems and devising innovative techniques for maintaining stealth in highly monitored environments.
Beyond his work at SentinelOne, Antonio is an active independent researcher, continually seeking out new vulnerabilities. His enthusiasm for reverse engineering extends from unpacking sophisticated malware to dissecting Windows internal components.
His expertise has been recognized on international stages, having previously presented at prominent security conferences such as BlueHat IL, Black Hat Asia, Insomni'hack and Hack In The Box.

Andrea Pierini is a senior incident response and security consultant and an independent security researcher with long-term experience and in-depth knowledge covering all aspects of IT: from software development to system administration, network administration and IT security.
He defines himself as an "IT security enthusiast", is interested in all emerging technologies in offensive and defensive security, and likes writing and speaking about IT security and bug hunting. He has given talks at various national and international conferences and has published several CVEs.
In 2020 and 2022 he was recognized by Microsoft in the top 100 of the MSRC Most Valuable Security Researchers program.

[Abstract]
==========

Back in early 2014, a new privilege escalation vulnerability was publicly disclosed, detailing a new way of performing a local NTLM reflection attack leveraging a DCOM trigger. Since then, a new Pandora's box has been opened, starting the "dynasty" of a series of exploits known as "Potatoes". Each exploit in this series relies on the DCOM trigger as its core exploitation method.
Most of these exploits allow an attacker to break the WSH (Windows Service Hardening) boundary, enabling privilege escalation from a limited service to SYSTEM: a common scenario when dealing with web services like IIS or MSSQL.

Interestingly, Microsoft does not consider WSH a security boundary but rather a safety boundary; for this reason, many Potato exploits work (and have been working) on fully updated Windows systems. Moreover, recent iterations of the Potato exploits enable privilege escalation even from an unprivileged user, eliminating the prerequisite of running as a service. Among these, our latest Potato exploit, LocalPotato (also known as CVE-2023-21746), stands out. This exploit employs a specific type of NTLM reflection attack targeting local authentication, and it allows for arbitrary file read/write and privilege escalation, all starting from an unprivileged user account.

In this talk, we will present our journey into the discovery of our Potato exploits, including RoguePotato, RemotePotato0, JuicyPotatoNG and LocalPotato. We'll delve into the vulnerabilities, the fixes, and the bypasses of those fixes, unfolding an intricate story of how a single unfixed bug has led to a long-running history of privilege escalation vulnerabilities on Windows systems.

As a bonus demo for the conference, we will release a new variant of LocalPotato that exploits the HTTP protocol and has been classified as "won't fix" by Microsoft, so it still works on updated systems.




  Ben Barnea, "Windows Paths Unveiled: Journey Into Parsing Errors"

[Speaker Info]
==========
Ben Barnea is a security researcher at Akamai with an interest in, and experience in, conducting low-level security research and vulnerability research across various architectures, including Windows, Linux, IoT, and mobile. He likes to learn how complex mechanisms work and, most importantly, how they fail.

[Abstract]
==========

The critical Microsoft Outlook vulnerability, known as CVE-2023-23397, gained significant attention upon its release in March. It has been actively exploited in the wild, targeting European organizations and government offices, with suspicions pointing towards APT28, associated with the Russian military intelligence agency GRU. Interestingly, the root cause of this vulnerability was the lack of verification of an input Windows file path.

Windows paths, though commonly taken for granted, can be far more intricate than we often realize. Even minor adjustments, such as adding a single character to a custom path, can lead to intriguing security flaws.

This session aims to illuminate the complexities involved in constructing and parsing Windows paths while unveiling some lesser-known pitfalls and peculiarities. Additionally, we will showcase two vulnerabilities that we discovered in the Windows API. Each of these vulnerabilities allowed us to bypass Microsoft's mitigation that was put in place to address the critical Outlook vulnerability mentioned earlier, rendering the attempted fixes useless.




  Ignat Korchagin, "Linux user namespaces: a blessing and a curse"

[Speaker Info]
==========
Ignat is a systems engineer at Cloudflare working mostly on Linux, platforms and hardware security. Ignat’s interests are cryptography, hacking, and low-level programming.
Before Cloudflare, Ignat worked as a senior security engineer for Samsung Electronics' Mobile Communications Division. His solutions may be found in many older Samsung smartphones and tablets. Ignat started his career as a security researcher in the Ukrainian government's communications services.

[Abstract]
==========

Unprivileged Linux user namespaces are a rather controversial topic in the security community, the Linux kernel community and software engineering in general. On one side, they allow building unprivileged and sandboxed services and applications which would otherwise require elevated privileges to run successfully and provide features to their users. Not granting privileges to such applications follows the least privilege principle and makes our systems more secure.

On the other side, this mechanism has repeatedly been used in various vulnerabilities and exploits as a starting attack vector, multiplying the damage and impact of these exploits. And since it became so popular within the offensive industry, many Linux distributions and security guidance documents started recommending disabling this feature altogether.

There is an ongoing debate about whether unprivileged user namespaces provide more security or make the system more vulnerable. In this presentation we will review how user namespaces might help build sandboxed, secure applications. But we will also show how a recently discovered Linux kernel bug turned into a security vulnerability just because user namespaces were available on the system. Finally, we will give recommendations on how to get the best of both worlds: allow well-behaved applications to utilize user namespaces for better security, while blocking the feature for potentially malicious users or code.




  James Forshaw, "Building More Windows RPC Tooling for Security Research"

[Speaker Info]
==========
James Forshaw is a security researcher in Google's Project Zero. He has been involved with computer hardware and software security for over 10 years, looking at a range of different platforms and applications. With a great interest in logical vulnerabilities, he has been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, BlueHat, HITB, and Infiltrate. He is also the author of the upcoming book "Windows Security Internals with PowerShell", available from No Starch Press.

[Abstract]
==========

One of the big targets for Windows security vulnerabilities in recent years has been insecure RPC services. It's also one of the harder areas to explore due to a lack of good security tooling. For this reason I wrote .NET-based tooling to extract and call arbitrary local RPC services on Windows, which could be used for analysis, testing and fuzzing.

However, local vulnerabilities are not the only important attack surface. RPC can be used remotely over various network protocols, resulting in some interesting security vulnerabilities such as Zerologon and PetitPotam. Therefore I spent time in the past year improving the tooling to provide a wider range of protocols and features.

This presentation will describe the changes I've been making to my tooling to support new RPC protocol sequences such as TCP, SMB and Hyper-V sockets. It has also gained cross-platform RPC support, including NTLM and Kerberos authentication on Linux or macOS with .NET Core. I'll also discuss some of the issues that I've discovered and interesting attack surfaces to look into. All the new tooling will be released prior to the conference so attendees can immediately start using it.




  Mark Brand, "MTE as Tested"

[Speaker Info]
==========
Mark Brand is a software engineer on Google's Project Zero team, which aims to reduce harm caused by targeted attacks on the Internet. His current focus is on web browser security.

[Abstract]
==========

This talk will walk through the process of testing pre-production MTE hardware from a researcher's perspective. The technical results of this work have already been published (https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html), so this talk will focus on the research process, the technical setbacks encountered during the testing, and the limits of how thoroughly we can test the behaviour of modern CPUs. We'll give a brief summary of the main results, and then finish with a deep-dive into some of the limitations of MTE when used for security purposes.




  Ned Williamson, "Fuzzing as Reinforcement Learning"

[Speaker Info]
==========
Ned Williamson is a security researcher at Google Project Zero. He has experience exploiting Chrome and iOS and focuses on novel and deep fuzzing techniques.

[Abstract]
==========

Traditional fuzzing techniques rely heavily on heuristic methods and code coverage, which can often lead to limitations in bug discovery. This presentation discusses the potential overlap between fuzzing and Reinforcement Learning (RL), especially in the context of recent transformer models. Using a framework that expands feedback mechanisms beyond code coverage, the talk aims to explore the possible pathways to build a more efficient bug-hunting methodology. Inspired by real-world case studies like Zenbleed, the discussion covers how an RL-guided system could better adapt to multiple feedback signals. The talk also opens a dialogue on modeling the broader landscape of bug hunting activities within an RL context, encouraging an exploration toward more adaptable and efficient security research methods.




  Nikita Pupyshev, "Evolution of Safari mitigations and bypasses in 2022"

[Speaker Info]
==========
Nikita is an independent security researcher with about 4 years of experience in security research. He mostly focuses on Apple platforms, but also explores Android/Linux and embedded devices occasionally. For 2 years he researched WebKit, and he is now trying his hand at hacking XNU.

[Abstract]
==========

iOS 14 and 15 have seen a large number of new mitigations in Safari that were gradually bypassed. In this talk I'll discuss various methods that could be used to bypass PAC, APRR, etc. and finally execute custom code in the JIT region, and how these evolved in the face of changes from Apple. Additionally, I'll talk about ways to find these bypasses and their generic structure.




  Seth Jenkins, "Exploiting null-derefs: Doing the impossible in the Linux kernel"

[Speaker Info]
==========
Seth Jenkins is a security researcher at Google Project Zero. He primarily focuses on Linux kernel zero-day research but has dabbled across a broad variety of architectures, operating systems, and software, finding vulnerabilities and writing exploits in many different contexts. Seth particularly enjoys innovating novel strategies for exploit development.

[Abstract]
==========

While null-dereferences were exploitable vulnerabilities in the Linux kernel for a fair amount of time, due to the introduction of modern exploit mitigations null-deref bugs are generally not considered a security issue in modern Linux kernel versions. This research describes an innovative exploit technique for null-deref vulnerabilities that circumvents these mitigations to gain privilege escalation.

This research involved using state-desynchronization primitives that occur when the kernel tries to recover to a safe execution state after a null-dereference has occurred. The kernel does this by killing the faulting task and throwing out the associated kernel task stack, which can result in local state-cleanup steps not being performed. In some cases, this can lead to exploitable conditions!

This presentation will step through each stage of this process, from the original bug discovery and nondescript public report, to the discovery (and consequent horror) of the exploit technique. We'll then build from this idea to a powerful primitive where an attacker-controlled process and a privileged process are made to share the same address space, allowing us to complete our privilege elevation. We will then discuss the subsequent mitigation introduced to the Linux kernel to prevent this technique, and demonstrate the exploit.




  wh1tc & Zhiniang Peng, "OLE objects are still dangerous today — Exploiting Microsoft Office"

[Speaker Info]
==========
@wh1tc is a security researcher at Sangfor. He has been engaged in Windows vulnerability hunting and fuzzing for 3 years. He was ranked #3 on the MSRC 2023 Q1 Security Researcher Leaderboard.

Dr. Zhiniang Peng (@edwardzpeng) is the chief architect at Sangfor. His current research areas include applied cryptography, software security and threat hunting. He has more than 10 years of experience in both offensive and defensive security and has published much research in both academia and industry.

[Abstract]
==========

OLE is a mechanism that allows users to create and edit documents containing items or "objects" created by multiple applications, and Microsoft Office provides an interface to support the OLE mechanism, which allows users to easily use some OLE objects in documents, such as sound clips, spreadsheets, and bitmaps.

While this design is user-friendly, the interface can load any CLSID, even if these objects are not intended for Office. This significantly expands the attack surface because any Windows machine will have thousands of COM objects designed to work in various scenarios.

The presence of this attack surface was discovered as early as 2010, and there have been many zero-day vulnerabilities in the years since. With each iteration of Windows, many new COM objects have appeared in Windows 10 and Windows 11, but are they safe?

With such questions in mind, we analyzed these COM objects and discovered 10+ new vulnerabilities, including two critical ones, which attackers could easily exploit for remote code execution in Office.

In this talk, we will share the details of these vulnerabilities and how to exploit them. Additionally, we will propose effective fixes and protective measures.




  Yong Wang, "Simple bug but not easy exploit: Rooting Android devices in one shot"

[Speaker Info]
==========
Yong Wang (@ThomasKing2014) is a Security Engineer at Alibaba Cloud Pandora Lab. Yong currently focuses on Android/browser vulnerability hunting and exploitation. He was a speaker at several security conferences including Black Hat (Asia, Europe, USA), HITB Amsterdam, Zer0Con, POC, CanSecWest and QPSS. Over the years, he has reported several vulnerabilities, and one of them was nominated for a Pwnie Award in 2019.

[Abstract]
==========

In the past few years, the kernel attack surfaces that can be accessed by untrusted applications have been significantly reduced, and nowadays it is becoming more and more difficult to hunt high-quality bugs. With more and more hardware and software mitigations, it's common to label low-quality bugs as unexploitable. From my own perspective, advanced exploitation techniques can significantly improve the exploitability of low-quality bugs.

In this talk, I will first analyze a low-quality bug fixed last year. Back in 2015, there would have been no doubt that it was exploitable. But now the mitigations can hinder exploitation directly. To exploit the bug, I will detail the idea of partially bypassing the KASLR mitigation and introduce a practical method to predict the addresses of attacker-controlled kernel objects. Then, I will detail how to gain arbitrary physical memory read/write in one shot. Last but not least, since the affected devices ship with custom mitigations, I will also detail how to bypass them and gain root privileges.

During the presentation, I will give exploit demos of rooting the affected Android devices. In summary, these exploitation ideas have not been thoroughly presented in any previous talks.




  Zhaofeng Chen, "Attack Move Verifiers: Our Experiences of Exploiting and Enhancing Move-based Blockchain"

[Speaker Info]
==========
Zhaofeng Chen is a security researcher at CertiK, specializing in confidential computing, system security, and mobile security. He has delivered talks at security conferences such as Zer0Con, POC, BlackHat, and CanSecWest. He is passionate about researching offense and defense techniques, with a recent focus on Web3 infrastructure security.

[Abstract]
==========

This talk will present our experiences exploiting Move-based blockchains, such as Aptos and Sui. Move is a secure programming language that powers a new blockchain paradigm. The Move-based ecosystem is considered more secure than its predecessors, thanks to the on-chain bytecode verifiers and memory-safe VM implementations that safeguard against malformed bytecode.

However, the implementation of such security protections is not flaw-free. Over the past months, we have been awarded over $500K in bounties for discovering multiple severe vulnerabilities in Move-based blockchains. By submitting small malformed payloads, attackers can bypass the type-safety checkers to fabricate arbitrary digital assets or make the entire network unable to process new transactions.

In this presentation, we will share three critical bugs and their root causes, and demonstrate their potential impact. Before delving into the vulnerabilities, we will first outline the benefits of Move's built-in security features, providing examples of how they can be used in crypto and DeFi applications. We will then focus on how Move implements these security protections, including using bytecode verifiers to ensure correct types and references at load time and runtime. Finally, we will demonstrate the impact of the vulnerabilities on a local blockchain TestNet, which could potentially cause catastrophic impact to these systems if not fixed.






Speakers & More information will be added soon.



POC will show you only technical, creative and very interesting topics. Marketing and commercial presentation is not allowed!


SPONSORS

Diamond Sponsor

Gold Sponsor

Copyright(c) 2006 ~ Powerofcommunity All rights reserved.