TALKS & SPEAKERS

Two days of conferences | 15 talks | 23 speakers


0-click RCE on Tesla Model 3 through TPMS Sensors

David Berard, Thomas Imbert

0-click RCE on the IVI component: Pwn2Own Automotive edition

Mikhail Evdokimov

AMD Sinkclose: Universal Ring -2 Privilege Escalation

Enrique E Nissim, Krzysztof Okupski

Defense through Offense: Building a 1-click Calling Exploit targeting Messenger for Android

Andrew Calvano, Octavian Guzu, Ryan Hall

DMAKiller: Unleashing the Power of DMA to Escape from QEMU/KVM

Yongkang Jia, Yiming Tao, Xiao Lei

Exploiting File Writes in Hardened Environments - From HTTP Request to ROP Chain in Node.js

Stefan Schiller

Guest Revolution: Our Story of Compromising the Host Kernel from the VMware Guest

Junoh Lee, Gwangun Jung

HSM Security and Exploitation of USB over SPI bug

Sergei Volokitin

Caught in the wild, past, present and future

Clem1

Proxying to Kernel: Streaming vulnerabilities from the Windows Kernel

An-Jie Yang

Pwning Blockchain for Fun and Profit: Exploiting an RCE Vulnerability in the Solana validator

Ginoah

Tales of a RCE in a video game

Thomas Dubier

Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel

Pedro Pinto

Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel

Mingi Cho, Wongi Lee

What the hell is Windows's CLIP Service - Reversing and exploiting the obfuscated code at its core

Philippe Laulheret

0-click RCE on Tesla Model 3 through TPMS Sensors

Abstract

This presentation describes the research we did for Pwn2Own Vancouver 2024, specifically targeting the Tesla Model 3.
Tesla has designed an Electronic Control Unit (ECU) for security access, named VCSEC. This critical component is responsible for interfacing with users’ smartphones to unlock and start the vehicle, as well as managing the Tire Pressure Monitoring System (TPMS) features.

TPMS sensors, integrated into the car tires, continuously monitor and report tire pressure to the central system. If the tire pressure deviates from the optimal range, the user receives a warning via the infotainment user interface.

VCSEC incorporates multiple communication interfaces. Both TPMS sensors and smartphones use Bluetooth Low Energy (BLE) to communicate with the ECU. Additionally, smartphones can employ the Ultra Wide Band (UWB) interface for enhanced communication.

The core of this presentation is based around a critical vulnerability identified in the TPMS message handling process. This flaw enables remote code execution within the VCSEC, a highly sensitive ECU, allowing attackers to inject and execute arbitrary code.

Consequently, the attacker can send Controller Area Network (CAN) messages across the vehicle’s bus, potentially manipulating other interconnected ECUs.

Furthermore, we will showcase a method to introduce a TPMS sensor without requiring any user interaction, thus demonstrating a true 0-click exploit scenario.

Speakers

David Berard

Synacktiv
@_p0ly_

Bio

David Berard is a security expert in Synacktiv's engineering team. He specializes in mobile and embedded systems reverse engineering, vulnerability research and exploit development.

Thomas Imbert

Synacktiv
@masthoon

Bio

Thomas Imbert is a security engineer at Synacktiv and previously worked at Microsoft. His area of expertise is in reverse engineering and vulnerability research, with a particular focus on the Windows operating system. He has spoken at several conferences including PacSec and Hack.lu. He has won Pwn2Own Austin 2021 and Vancouver 2023 competitions with his company Synacktiv.

0-click RCE on the IVI component: Pwn2Own Automotive edition

Abstract

As the interest in the automotive security domain dramatically increased throughout the past several years, In-Vehicle Infotainment (IVI) systems became desirable targets for security research activities. These systems, central to a car’s entertainment, navigation, and connectivity functions, have become prime targets for automotive security research due to their extensive integration with other vehicle systems and their potential exposure to external attacks. This led to their appearance as a separate category at the brand-new Pwn2Own Automotive 2024 competition in Tokyo.

The specific target Alpine Halo9 iLX-F509 IVI integrates a variety of external interfaces, including WLAN, Bluetooth, and USB. This rich combination of connectivity options has made the device an intriguing subject for security research. Each interface introduces its own set of potential vulnerabilities and attack vectors, prompting researchers to explore how these different communication channels could be exploited.

In this talk, we delve into the world of IVI systems, showcasing a 0-click RCE exploitation of a slick Use-After-Free (UAF) vulnerability in the Bluetooth stack. The vulnerability was revealed during the Pwn2Own competition, where the PCAutomotive team demonstrated full RCE as the root user without any user interaction involved. We will guide you through the entire process, from the initial discovery of the vulnerability to the meticulous steps involved in crafting a 96% reliable exploit. The session begins with an overview of Alpine Halo9 hardware enumeration and the Bluetooth stack architecture within Alpine IVI systems, highlighting the specific components and mechanisms that are related to the UAF flaw. The exploitation phase will be discussed in detail, showing how the UAF vulnerability was leveraged to gain Arbitrary Address Read (AAR) and Arbitrary Address Write (AAW) primitives leading to remote code execution. Finally, we will explore the broader implications of this vulnerability, discussing its impact on the security of IVI systems and the potential risks it poses to end users.

Speakers

Mikhail Evdokimov

PCAutomotive
@konatabrk

Bio

Mikhail Evdokimov aka konata is a Senior Security Researcher at PCAutomotive's Security Assessment Team. He specializes in vulnerability research, exploit development, and reverse engineering. His main focus of research is wireless technologies, embedded systems, and kernels.

AMD Sinkclose: Universal Ring -2 Privilege Escalation

Abstract

System Management Mode (SMM) is one of the most powerful execution modes in the x86 architecture and code at this level is invisible to the Hypervisor and OS-level protections, including anti-cheat engines and anti-virus systems. While the BIOS ecosystem’s complexity has led to a multitude of vulnerabilities in firmware over time, vendors are now making strides in delivering patches with greater speed and efficiency. Unfortunately, these efforts are not enough in the presence of a CPU vulnerability.

When studying the documentation of the AMD processor, our team noticed a flaw in one of the critical components required for securing SMM. This silicon-level issue appears to have remained undetected for nearly two decades.

This presentation starts by providing an introduction to SMM and the security mechanisms that the AMD processor provides to support it. Subsequently, it delves into the CPU design flaw and the complete methodology and engineering used to create a universal ring -2 privilege escalation exploit.

Speakers

Enrique E Nissim

IOActive

Bio

Enrique Nissim is a security engineer with over 12 years of professional experience working on vulnerability research. As a Principal Security Consultant at IOActive, he is mainly involved in projects requiring a deep understanding of operating systems, CPU architectures, embedded firmware and software development. Over his career, Enrique has contributed to the security industry with numerous open source tools and has also delivered multiple presentations at several leading events including Black Hat USA, DEF CON, CanSecWest, Ekoparty, ZeroNights and Hardwear.io.

Krzysztof Okupski

IOActive
@exminium

Bio

Krzysztof Okupski is a Senior Security Consultant with IOActive where he specializes in embedded security. While he enjoys hacking various targets, he is particularly interested in the nitty-gritty details of platform security where small misconfigurations can lead to critical issues.

Defense through Offense: Building a 1-click Calling Exploit targeting Messenger for Android

Abstract

Messenger is one of the most popular mobile messaging applications in the world with over 1 billion users. Messenger contains a significant amount of C and C++ code, much of which is remotely reachable by clients through messaging and calling attack vectors. Additionally, Messenger is transitioning to a default end-to-end encrypted experience for messaging and calls, providing significant privacy benefits but at the same time shifting more of the application’s attack surface from the server to the client. These factors together contribute to the application being an attractive exploitation target.

To better understand what exploitation looks like on Messenger, we conducted an exercise to build an end-to-end exploit assuming a remote attacker. The goals were to understand the state of the application’s exploit mitigations and identify areas for improvement. Exploit development is often nuanced based on the target, and we wanted to identify and create primitives that were unique to Messenger. The exercise was successful, resulting in the creation of a 1-click calling exploit targeting Messenger for Android.

In this presentation, we will first introduce the exploitation scenario and highlight the four internally discovered vulnerabilities we leveraged. These vulnerabilities span features such as calling, messaging, and AR effects. Then we will walk through how we built individual primitives out of these vulnerabilities and chained them together. Specifically, we will explain in detail how we constructed our chain to execute arbitrary code in the Messenger application and how we bypassed modern Android exploit mitigations such as NX pages, ASLR, and the hardened Scudo allocator. Finally, we will walk through the exploit mitigation improvements we identified while building the exploit and how they would have made exploitation much more difficult.

Speakers

Andrew Calvano

Meta

Bio

Andrew is a Security Engineer on Meta’s Product Security team in the United States of America. Andrew’s background is in vulnerability research, reverse engineering, and computer science. He is currently working on securing Messenger and cross platform code used across the Meta family of apps.

Octavian Guzu

Meta
@GuzuOctavian

Bio

Octav is a Security Engineer working for Meta's Product Security team in London, UK. Initially, his work was to detect bugs and raise the security bar of Reality Labs devices. He then moved to work on Meta's family of apps, where he's currently tackling the security challenges of Messenger.

Ryan Hall

Meta

Bio

Ryan Hall is an Offensive Security Engineer on Meta’s Red Team X where he helps assess the security of the 3rd party software and hardware that Meta relies on. He is an avid vulnerability researcher and reverse engineer who enjoys hacking anything and everything, but has a particular interest in platform and firmware security. Prior to focusing on security, Ryan worked as a kernel developer enabling network devices for high performance computing.

DMAKiller: Unleashing the Power of DMA to Escape from QEMU/KVM

Abstract

In this talk, we will analyze the vendor’s defense design for DMA reentrancy and explain its important flaws in detail. Then, we will detail a reentrancy case which can be used to construct a double free vulnerability in the virtio-gpu device while bypassing the reentrancy check. At the same time, we will show how to turn a double free vulnerability into an arbitrary address write (AAW) by leveraging DMA transfers of virtio devices, which makes the hard-to-exploit vulnerability exploitable; we call this the cross-virtio attack. Besides, we will show another reentrancy case bypassing the reentrancy check, which can be used to leak information and affects most DMA devices. Finally, combining AAW with the information leak, we will demonstrate how to achieve a full guest-to-host escape exploitation.

Speakers

Yongkang Jia

@J_kangel

Bio

Yongkang Jia (@J_kangel) is a security researcher. His research focuses on Hardware Security and System Security, especially Virtualization Security. He has reported several vulnerabilities in KVM and QEMU, which were confirmed and credited in multiple advisories. He spoke at HITB2023HKT.

Yiming Tao

Bio

Yiming Tao is a Master's student at Zhejiang University, China, under the supervision of Chunming Wu. His research focuses on System Security, especially Virtualization Security.

Xiao Lei

Bio

Xiao Lei is a security researcher. He is a member of the AAA CTF Team. He also plays DEFCON CTF as a member of Katzebin. His research focuses on System Security, especially Virtualization Security. He has reported several vulnerabilities in QEMU and VirtualBox. He spoke at HITBSecConf2023HKT and attended the DAF contest at GeekCon 2024 Singapore station.

Exploiting File Writes in Hardened Environments - From HTTP Request to ROP Chain in Node.js

Abstract

Have you ever discovered a file write vulnerability in a web application? If so, this was probably an easy win for RCE. In PHP, it’s enough to write and trigger a .php file. In Python, you can create a site-specific configuration hook, and in other languages, templating files make a good target. You could also employ more generic techniques like dropping an SSH pub key or creating a cronjob. Depending on the web application and the underlying operating system, there are plenty of ways to turn a file write into arbitrary code execution.

But what if your target’s file system is mounted read-only? This makes a file write vulnerability pretty useless. However, on Linux, everything is a file. By leveraging the procfs pseudo file system, unconventional attack surfaces can be reached that are usually not considered in common threat models.

In this talk, we will deep-dive into a Node.js case study and showcase how an HTTP request eventually triggers a ROP chain in Node.js itself to gain remote code execution. While the technique showcased reliably turns a file write vulnerability into RCE for a Node.js application, we see more potential in it and hope to inspire you to pop more shells in hardened environments.

Speakers

Stefan Schiller

Sonar
@scryh_

Bio

Stefan Schiller is a Vulnerability Researcher in the Sonar R&D team. He has been passionate about software and programming since his early childhood. With a background in red teaming, he has been working in the field of offensive IT security for quite a while now. At Sonar, he finds and responsibly discloses vulnerabilities in popular open-source software.

Guest Revolution: Our Story of Compromising the Host Kernel from the VMware Guest

Abstract

In this presentation, we talk about our VMware full chain exploitation showcased at Pwn2Own 2024. We discuss the architecture and attack surface of VMware, followed by a technical analysis of the vulnerabilities we exploited, including information leakage and arbitrary code execution. We also cover our approach to exploiting these vulnerabilities, focusing especially on the challenges we faced and the methodologies used to overcome them. Additionally, we will cover a Windows Kernel Elevation of Privilege vulnerability, introducing new exploitation primitive techniques. We then demonstrate how we chained these exploits to achieve a comprehensive attack, concluding with insights and future implications of our work.

Speakers

Junoh Lee

Theori
@bbbig12

Bio

Junoh Lee is a vulnerability researcher at Theori. He is interested in reverse engineering and finding new attack vectors, mostly in major operating systems such as Windows and macOS. He is also interested in exploit techniques, such as writing exploit code for the latest vulnerabilities by researching ways to bypass the latest mitigations. He is also a CTF player and has played in various world competitions such as DEFCON and WCTF.

Gwangun Jung

Theori
@pr0Ln

Bio

Gwangun Jung is a security researcher at Theori. His main research areas are operating systems, virtualization and red teaming. He is the Pwn2Own Vancouver 2024 Virtualization category winner targeting VMware Workstation and has received CVEs from Linux, VMware and others.

HSM Security and Exploitation of USB over SPI bug

Abstract

A Hardware Security Module (HSM) is one of the most secure classes of devices, designed to store cryptographic keys securely and prevent attacks ranging from remote to physical access. This talk will offer an in-depth exploration of HSM security and present a vulnerability discovered in PowHSM, an open-source HSM solution built on the Ledger Nano S device. The presentation will detail the process of identifying the vulnerability in the USB stack and demonstrate a proof-of-concept (PoC) for recovering private keys from the device.

Speakers

Sergei Volokitin

Bio

Sergei Volokitin is an independent security researcher focusing on embedded security and mobile devices. He has a number of publications on Java Card platform attacks and conference presentations on hardware security.

Caught in the wild, past, present and future

Abstract

Keynote

Speakers

Clem1

Google TAG
@_clem1

Bio

Clement Lecigne comes from a vuln-dev background and now researches government-backed hacking threats for the Google Threat Analysis Group. He especially looks at threat actors using exploits to achieve their goals. In 2023 the Threat Analysis Group caught 25 0-day exploits used in the wild, affecting a wide range of products.

Proxying to Kernel: Streaming vulnerabilities from the Windows Kernel

Abstract

Over the past few decades, the attack surface seen in in-the-wild vulnerabilities has gradually shifted from Win32k to CLFS. Microsoft has been consistently and actively patching these vulnerabilities. Who might become the next target? Last year, MSKSSRV became a hot target for hackers. However, it is just one part of the Kernel Streaming framework.

In this presentation, we are going to reveal a long-overlooked attack surface for privilege escalation in the Windows Kernel, which we exploited to identify over 10 vulnerabilities in just a few months. Our successful Windows LPE at Pwn2Own Vancouver 2024 was actually one of these vulnerabilities, and it was just the tip of the iceberg. The same attack surface also allowed us to compromise systems from Windows 7 to Windows 11. Additionally, we delve into a novel proxy-based logical bug class used at Pwn2Own that enables us to pivot into the kernel and bypass most validations. We will also demonstrate how this bug class can lead to severe consequences, making exploitation straightforward.

Through this talk, we’ll share our discovery of this attack surface and the bug class, providing case studies on the power and elegance of this type of vulnerability. We’ll also introduce techniques for identifying and exploring similar vulnerability patterns, empowering attendees to discover and mitigate future security issues in the Windows ecosystem.

Speakers

An-Jie Yang

DEVCORE
@scwuaptx

Bio

An-Jie Yang, aka Angelboy, is a senior security researcher at DEVCORE and a member of the CHROOT security group from Taiwan. He is a vulnerability researcher focusing on Windows-related security. He has participated in many CTFs, such as HITB, DEFCON and Boston Key Party, and won 2nd place in DEFCON CTF 25/27 with the HITCON CTF team. In the past two years, he has pwned several products in Pwn2Own Mobile. He also won the title of “Master of Pwn” at Pwn2Own Toronto 2022 with the DEVCORE team. He has spoken at several conferences such as HITCON, VXCON, AVTokyo and HITB GSEC.

Pwning Blockchain for Fun and Profit: Exploiting an RCE Vulnerability in the Solana validator

Abstract

Blockchain security is not all about smart contracts! While extensive research has been conducted on all kinds of smart contracts, analysis of the underlying infrastructure powering blockchains remains relatively rare. The lack of research in blockchain nodes leaves an enormous attack surface untapped, especially when considering that the complexity of blockchain is akin to browsers and virtual machines, often involving custom VMs, JIT, and not to mention other unique threat models such as consensus failure between validators.

Compared to smart contract bugs, vulnerabilities in the blockchain’s underlying node software can have a far greater impact. A compromised validator undermines the entire network’s integrity by enabling attackers to disrupt or control transactions, manipulate token balances, and eclipse the trustworthiness of the blockchain. With tens of billions of on-chain assets at stake, blockchains are definitely worthy targets to explore.

In this talk, we focus on Solana, a popular blockchain implemented in Rust, which is designed to maximize transaction throughput and address scalability limits seen in other blockchains. We will discuss an RCE bug in the Solana validator, which grants attackers the ability to virtually do anything to the blockchain, from minting new tokens out of thin air to taking over the servers running validators and stealing validator’s private keys. The bug was introduced during Solana’s transition from version 1.14 to 1.16, where a new runtime optimization was implemented. We will provide an overview of Solana’s architecture, examine its internal data storage model design, and explain how the Solana runtime VM interacts with the data storage. Finally, we will conduct a detailed analysis of the bug and its exploitation process, offering insights and guidance for future researchers.

Speakers

Ginoah

@g1n04h

Bio

Ginoah is a vulnerability researcher and former captain of the Balsn CTF team. With a background in red teaming, he pursues bug bounties in his spare time with a few friends under the handle Anatomist.

Tales of a RCE in a video game

Abstract

This talk dives into multiple vulnerabilities in Neverwinter Nights: Enhanced Edition, an RPG developed by BioWare in 2002 and re-released by Beamdog in 2018. The game has been receiving regular updates since its re-release, and there is a small community that plays online. In this presentation I will explain how a malicious server can achieve arbitrary code execution on players' machines.

Speakers

Thomas Dubier

Synacktiv
@tomtombinary

Bio

Thomas Dubier is a security researcher and member of Synacktiv's Reverse Engineering team. He has a background in malware analysis and embedded systems reverse engineering. In his free time, he is interested in video game security and has published on the topic.

Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel

Abstract

Some memory corruptions may seem unlikely to be exploitable but hide a secret power waiting to be awakened. In this presentation, I’ll discuss how achieving intermediate capabilities from constrained bugs can lead to generic and well-defined exploitation strategies.
To better understand this, we’ll visit a fairly restrictive Linux Kernel 0-day vulnerability I’ve discovered and exploited to capture the flag of the KernelCTF VRP and win a reward.

Speakers

Pedro Pinto

Ottersec
@_0xTen

Bio

Pedro Pinto is a security researcher specializing in Linux kernel exploitation. He has competed in major CTF events, including the DEF CON CTF Finals 2022 with ELT and Crusaders of Rust. At Ottersec, he focuses on the low-level aspects of blockchain infrastructure and Linux kernel vulnerability research.
From 2022 to 2023, Pedro researched kernel security and binary exploitation at Northwestern University under the guidance of Professor Xinyu Xing.
In early 2024, Pedro exploited the kernelCTF VRP twice: first by patch-gapping a 1-day vulnerability to develop a universal exploit, and second by exploiting a highly restrictive 0-day, for which he received a reward.

Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel

Abstract

The Linux kernel is widely used in cloud servers, mobile devices, automotive, and more, and its security is becoming increasingly important. To discover vulnerabilities in the Linux kernel, there are bug bounty programs such as Pwn2Own, KernelCTF, and Android VRP.

In this talk, we exploit two vulnerabilities, CVE-2023-31248 and CVE-2024-36978. To exploit these vulnerabilities, we introduce a novel exploitation technique, “Cross-CPU Allocation”. The first vulnerability, CVE-2023-31248, was found in nftables and was exploited at Pwn2Own 2023. The second vulnerability, CVE-2024-36978, was found in the traffic control subsystem by Hangyu Hua and was first exploited by Wongi Lee on the mitigation kernel of kernelCTF. We will discuss the challenges we encountered during the exploit and how we solved them.

Speakers

Mingi Cho

Theori

Bio

Mingi Cho is a senior vulnerability researcher at Theori. His research interests include Linux kernel security and fuzzing. He has recently received rewards from bounty programs such as the KernelCTF, Android VRP, and ChromeOS VRP, and successfully demonstrated an Ubuntu LPE at Pwn2Own 2023. He received his Ph.D. degree in Information Systems from Yonsei University and has published security research papers at conferences, including ACM CCS and USENIX Security. In addition, he has spoken at conferences such as Zer0Con and .HACK.

Wongi Lee

Theori

Bio

Wongi Lee is a junior researcher at Theori. His research interests include Linux kernel security. He is also a CTF player who has competed in various world competitions such as HITCON and DEFCON. He is currently pursuing his bachelor's program at POSTECH.

What the hell is Windows's CLIP Service - Reversing and exploiting the obfuscated code at its core

Abstract

If you’ve ever opened an official Windows driver in IDA, you’ve likely been greeted with some nice quality-of-life features: the Windows SDK is fairly well documented, Microsoft is amazing and provides symbols that make reversing so much easier, and so on. But not so fast, buckaroo! Open the mysterious CLIP Service driver to be greeted with the sad-face message “.pdb not found” and, even worse, half the code is complete gibberish (and by that we don’t mean AT&T syntax). Obfuscated code sections, obfuscated APIs, undocumented kernel structures: quite a mysterious conundrum that makes our reverser spidey senses tingle. Is there anything spicy hiding in there? Well, let’s find out!

The talk will go over how to deobfuscate this driver implementing Licensing and System Policy, how to communicate with its various APIs, and document some of the mysterious data structures the Windows kernel uses to communicate with it. We will also cover the vulnerabilities we found and some potential exploitation strategies. Come for the mystery, stay for the exploration of an exciting attack surface!

Speakers

Philippe Laulheret

Cisco Talos
@phLaul

Bio

Philippe Laulheret is a Senior Vulnerability Researcher at Cisco Talos. With a focus on Reverse Engineering and Vulnerability Research, Philippe uses his background in Embedded Security and Software Engineering to poke at complex systems and get them to behave in interesting ways. Philippe presented multiple projects covering hardware hacking, reverse engineering and exploitation at DEF CON, Hardwear.io, Eko Party and more. In his spare time, Philippe enjoys playing CTFs, immersing himself in the beauty of the Pacific Northwest, and exploring the realm of Creative Coding. Philippe holds a MSc in Computer Science from Georgia Tech and a MSc in Electrical and Computer Engineering from Supélec (France).
