OffensiveCon 2024 - Summary
Dates: 2024-05-10 - 2024-05-11
Location: Hilton Berlin
Practical Exploitation of Registry Vulnerabilities
"The registry is a very prominent but largely unexplored local attack surface in the Windows kernel. It has all the qualities of an attractive research target: it is over 30 years old, written in C, highly complex, and generally reachable from unprivileged user-mode contexts. Furthermore, due to its design and role in the system, it features some interesting properties such as a custom memory allocator or an x86 page table-like structure (so-called cell map) used to allow references between chunks of data in the hive. This opens up the potential for a new type of memory safety violation, a "hive-based memory corruption", which corrupts the internal representation of an actively loaded hive in the system."
The Mines of Kakadûm: Blindly Exploiting Load-Balanced Services
"Due to the constraint of knowledge requirements, a large attack surface is rarely reported to be successfully exploited: memory corruption exploits against server-side software with no access to the source code or binary. This includes open-source libraries with known CVEs being compiled into an unknown environment. An additional challenge is dealing with load-balanced environments. Even if an attacker can defeat ASLR in one request, they have no guarantee that they are targeting the same worker in a follow-up request."
"With some of the first phones with MTE hitting the market, we are once more facing the seemingly imminent doom of our beloved industry. Wait! What about our trusty old friends, the logic bugs? While some turn their attention to weaker SoC components, we're back at Mobile Pwn2Own to show you how a few silly bugs can be chained to effortlessly pwn the latest Samsung and Xiaomi flagships. In this talk, we will discuss the types of bugs we target, the attack surfaces that expose them, and describe some of the more interesting and bizarre issues that we have disclosed at Pwn2Own over the past 10 years. We will of course focus on last year's issues, outlining the multiple failures we faced, and also share a rather spicy story with a shameless vendor."