0days, exploits and bug bounties - pwn2own · Aug 2014 – Sept 2015, chasing the bounties...
Post on 20-May-2020
Nicholas, I’m French, no H please!
• Before at Vupen, at MSRC UK now, fixing stuff I used to break
• Been to CanSec’ before
@n_joly to find cool cat pics
Aug 2014 – Sept 2015, chasing the bounties
• Getting ready for big bounties
• Dealing with last minute mitigations
• Why you do absolutely need your lucky charm
• Collisions, when you feel bad for a day
pwn2own Mobile at PacSec
• Competing on my own for the first time
• Spent 1 month+ on that challenge
• Failed at pwning the sandbox but uncovered 3 escapes for IE desktop
• Great holidays!
Trophy!
Lucky charm, exploiter’s best friend
December, playing with Reader
• Playing first with known areas, uncovered some UAFs
• Opened some IDBs, was looking for 3D stuff
• Spent one month to get 2 working exploits
By early Feb, 3 exploits for 3 targets
• Built the escapes found earlier in November
• Built a certain number of Flash exploits, just in case
• Built a VBScript exploit for IE x64
• Built 2 PDF exploits sharing the same escape
But…
Had to rethink everything
• Reader “safe”, not compiled with the flag
• Sandbox escapes partially affected
• Flash and IE :S Flash.ocx 17.0.0.34
And then registering for the contest
• On Tuesday, 3 exploits
• On Wednesday, 2 ½ exploits
• But on Friday…
Junctions!
C:\dir1\dir2\dir3\Junction\..\dir4\dir5\file
With Junction pointing to an untrusted location, such as %temp%\low
FILE_ATTRIBUTE_REPARSE_POINT
k33nteam reported 3 bugs, but missed that one!
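As an added illustration of the junction slide (my code, not from the talk): a brokered path check that inspects each component for FILE_ATTRIBUTE_REPARSE_POINT and resolves the path before trusting it, instead of accepting the lexical form of `dir3\Junction\..\dir4`. The directory layout, names and the symlink standing in for an NTFS junction are constructed assumptions; on Windows the attribute check applies, elsewhere a symlink check is the fallback.

```python
import os
import stat
import tempfile
from pathlib import Path

# Windows exposes junctions/symlinks via this lstat attribute; elsewhere use S_ISLNK.
REPARSE = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)

def is_reparse_point(path):
    """True if the path itself (not its target) is a junction or symlink."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return bool(getattr(st, "st_file_attributes", 0) & REPARSE) or stat.S_ISLNK(st.st_mode)

def reparse_components(root, relative):
    """Inspect each component before '..' is collapsed lexically (as Win32 does),
    so a junction followed by '..' is still caught."""
    found, cur = [], root
    for part in Path(relative).parts:
        if part == "..":
            cur = os.path.dirname(cur)
            continue
        cur = os.path.join(cur, part)
        if is_reparse_point(cur):
            found.append(cur)
    return found

def escapes_root(root, relative):
    """Resolve reparse points and '..' as the filesystem would, then test containment."""
    real_root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(root, relative))
    return os.path.commonpath([real_root, real]) != real_root

def broker_allows(root, relative):
    """Refuse if any component is a reparse point or the resolved path leaves root."""
    return not reparse_components(root, relative) and not escapes_root(root, relative)

def build_demo():
    """Constructed layout: root/dir1/dir2/dir3/Junction -> untrusted/low (symlink
    stands in for the NTFS junction); returns (root, relative path from the slide)."""
    base = tempfile.mkdtemp()
    root, untrusted = os.path.join(base, "root"), os.path.join(base, "untrusted")
    for d in ("root/dir1/dir2/dir3", "untrusted/low", "untrusted/dir4/dir5"):
        os.makedirs(os.path.join(base, *d.split("/")))
    open(os.path.join(untrusted, "dir4", "dir5", "file"), "w").close()
    os.symlink(os.path.join(untrusted, "low"), os.path.join(root, "dir1", "dir2", "dir3", "Junction"))
    return root, os.path.join("dir1", "dir2", "dir3", "Junction", "..", "dir4", "dir5", "file")
```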
• Had to code everything on-site, but fortunately the ferry to Vancouver Island takes quite some time
• First time I coded an exploit on a ferry in my life, but that was worth it!
But my story was nothing compared to that guy
But what is it about?
• Heap overflow in GdiConvertBitmapV5
http://blog.talosintel.com/2015/10/dangerous-clipboard.html
The art of being suspect no. 1
• CVE-2014-0574 ba.clear
• CVE-2014-0588 ba.uncompressvialzma
• CVE-2015-0359 ba.writeObject
• CVE-2015-0312 ba.compress
…
That is NOT me
That is me
Time needed to pay/patch a bug
Spartan bounty: payment issued 46 days after report, patches out after 79 days
An amazing experience
• Finally decided to join Microsoft in the UK
• So many challenges to take on!
Chromium’s Xmas gifts
• Created a company
• Travelled everywhere
• Even gave a talk at MOSEC!
Want some bounties? https://aka.ms/BugBounty
Have some cool bugz? secure@microsoft.com
Wanna wear the blue Hat? http://careers.microsoft.com
Thanks :)
Got a question?
References
• Spartan Bounty https://technet.microsoft.com/en-us/dn972323.aspx
• Dangerous Clipboard http://blog.talosintel.com/2015/10/dangerous-clipboard.html
• Control Flow Guard https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
• Exploring CFG in Windows 10 http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/
• CFG effects to memory space http://www.alex-ionescu.com/?p=246
• JavaScript™ for Acrobat® 3D Annotations API Reference http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/AcrobatDC_js_3d_api_reference.pdf
• HackingTeam Flash Exploit http://blogs.360.cn/blog/hacking-team-part2/
• Camera.copyPixelsToByteArray https://code.google.com/p/chromium/issues/detail?id=424981
• DisplayObject.opaqueBackground https://code.google.com/p/chromium/issues/detail?id=508009
• AS2 Filters Confusion https://code.google.com/p/chromium/issues/detail?id=457261 and https://code.google.com/p/google-security-research/issues/detail?id=244
• CVE-2015-0313 http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/