Speakers
Exploitations of XNU Port Type Confusion
Tielei Wang
ABSTRACT

We shared a port type confusion vulnerability in the XNU kernel at Zer0Con'21 and demonstrated how to exploit it to gain root privileges on macOS Big Sur on an M1 chip. In this talk, we will continue to analyze this vulnerability and discuss the very large attack surface it opens up. Based on this type confusion primitive, we will explore different ways to trigger other kernel memory corruption issues, including UAF, overflow and out-of-bounds access, and also to bypass the sandbox to access any Mach service on iOS.

SPEAKER BIO

Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security.

The Achilles' Heel of Android
Hongli Han, Rong Jian, Xiaodong Wang, Peng Zhou
ABSTRACT

Binder is the most widely used inter-process communication mechanism in Android, and it is also one of the few drivers accessible from within the sandbox, so it has always been a focus of security research.

We have found several vulnerabilities in Binder, and some of them have been proven exploitable to elevate privileges to root or system.

In this talk, we will introduce how to achieve a sandbox escape through a Binder vulnerability, and how to achieve remote root with an RCE vulnerability in a browser.

SPEAKER BIO

Hongli Han (@hexb1n) is a security researcher at 360 Alpha Lab. He is interested in AOSP and kernel bug hunting and exploitation. He has published related topics at Black Hat USA, HITB, MOSEC and QPSS.

Rong Jian (@__R0ng) is a security researcher at 360 Alpha Lab. His research focuses on browser security. He was a winner of the Chrome category in the Tianfu Cup 2020 Cybersecurity Contest.

Xiaodong Wang (@d4gold4) is a security researcher at 360 Alpha Lab. He has found many vulnerabilities in the Linux kernel. He was a winner of the CentOS category in the Tianfu Cup 2020 Cybersecurity Contest.

Peng Zhou (@bluecake) is a security researcher at 360 Alpha Lab. He focuses on kernel vulnerability hunting and exploitation. He has published related topics at Black Hat USA.

Exploiting a Modern 5G Phone Modem
Marco Grassi, Xingyu Chen
ABSTRACT

Cellular communications and basebands have always been obscure and rarely explored in public, until the last couple of years, when more public research has surfaced. Recently we have seen widespread adoption of 5G, especially in China.

In our talk we will analyze and exploit a modern 5G smartphone modem. The exploit is a remote, over-the-air memory corruption affecting the 5G network part of the phone, with no user interaction. We will also show which mitigations are enabled and which are not, and what difficulties we had triggering the bug.

SPEAKER BIO

Marco Grassi (@marcograss) is currently a Senior Security Researcher at Tencent Keen Security Lab (previously known as Keen Team). He was part of the team that won the "Mobile Master of Pwn" title in Tokyo at Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target, with a sandbox escape to root. He is a member of the team that won the title of "Master of Pwn" at Pwn2Own 2016. He found a VMware escape at Desktop Pwn2Own 2017, and a baseband RCE and an iOS Wi-Fi exploit at Mobile Pwn2Own 2017, where the team was awarded "Master of Pwn" for the third time. He has spoken at several international security conferences, such as Black Hat USA, DEF CON, Infiltrate, CanSecWest, ZeroNights, Codegate, HITB and ShakaCon.

Xingyu Chen (@0xKira233) is a security researcher at Tencent Keen Security Lab. He is keenly interested in bug hunting and currently focuses on virtualization and mobile security. He has found many critical vulnerabilities in various cloud products and in low-level smartphone firmware. He is also a CTF player in the teams eee and A*0*E, which participated in DEF CON 25 and 26. He has spoken at conferences such as OffensiveCon, Zer0Con, and TenSec.

Hacking Android GPU For Fun
slipper
ABSTRACT

Both geeks and hackers are very interested in the GPUs of modern mobile devices. However, they are attracted by two mutually exclusive features: performance and security. In this talk, we are going to review a few logic bugs in the most popular Android GPU kernel drivers. In addition, we will discuss some advanced techniques in kernel exploitation.

SPEAKER BIO

slipper is a security researcher from Pangu Team. He used to compete in hacking contests such as Pwn2Own, DEF CON CTF, GeekPwn and Tianfu Cup. He has hacked many targets in public: iPhone 8, PlayStation 4, Cisco ASA, Safari, Firefox, macOS, Docker, CentOS, Ubuntu and Adobe Reader. Sometimes he livestreams his hacking.

Use JIT Compiler to bypass iOS PAC mitigation
S0rryMyBad
ABSTRACT

PAC is a hardware-level mitigation that Apple has shipped in the iPhone since the A12 chip. Its introduction greatly enhanced the security of the iPhone: after the iPhone XS series with PAC was introduced in 2018, the iPhone was no longer broken in public competitions.

At Tianfu Cup 2020, we pwned the iPhone 11 with PAC protection in open competition, the first time this had been done in the world.

In this talk, we will briefly cover the principle and mechanism of PAC. Then we will explain in detail the RCE bug we used in the competition, and how we bypassed the PAC mitigation after obtaining arbitrary read/write (AARB R/W) in the render process to finally get RCE.

SPEAKER BIO

@S0rryMybad: Senior Security Researcher at Beijing CyberKunlun Technology Co., Ltd. He mainly focuses on browser and iOS system security and the related mitigations.

At Pwn2Own and Tianfu Cup, he pwned the iPhone with a remote jailbreak and pwned the Edge (EdgeHTML), Chrome, Safari and Firefox browsers, the first Grand Slam of the browser categories in China.

He is the first security researcher in China to win a Pwnie Award, and he ranked 2nd in the world in the MSRC 2019 rankings.

At Tianfu Cup 2020, for the first time in the world, he pwned the iPhone 11 with PAC protection in open competition.

checkm30
Guanxing Wen, slipper
ABSTRACT

The bootrom is the first significant code that runs on a smartphone. It loads and verifies code from external storage and hands over execution, step by step, to what is generally called the OS. Finding exploits at the bootrom level is a big achievement, since they affect the entire secure boot chain from the very beginning.

checkm8, a spectacular vulnerability in the bootrom of iDevices, has been a game changer ever since its release. Many people have used it as a stepping stone into iOS security research.

This presentation, checkm30 (checkmate30), is based on a similar concept and is also about bootrom vulnerabilities. However, the target is Huawei HiSilicon smartphones.

We will start by introducing the secure boot chain of Huawei smartphones.

Then we will discuss, in turn, the running environment of the bootrom, the USB communication protocol, the vulnerability and the exploit.

Finally, we will show several demos that use the exploit to unlock the bootloader, enable JTAG debugging, and more.

SPEAKER BIO

Guanxing Wen is a member of Pangu Team. In recent years, his primary interest has been low-level security, such as the kernel, the bootloader and TrustZone. Previously, his work has been presented at Infiltrate, Black Hat EU, 44CON, etc.

slipper is a security researcher from Pangu Team. He used to compete in hacking contests such as Pwn2Own, DEF CON CTF, GeekPwn and Tianfu Cup. He has hacked many targets in public: iPhone 8, PlayStation 4, Cisco ASA, Safari, Firefox, macOS, Docker, CentOS, Ubuntu and Adobe Reader. Sometimes he livestreams his hacking.

Schedule

08:00 - 09:00  On-site Registration
09:00 - 09:50  Exploiting a Modern 5G Phone Modem
09:50 - 10:40  Exploitations of XNU Port Type Confusion
10:40 - 11:00  Break
11:00 - 11:50  The Achilles' Heel of Android
12:00 - 13:30  Lunch
13:30 - 14:20  Hacking Android GPU For Fun
14:20 - 15:10  Use JIT Compiler to bypass iOS PAC mitigation
15:10 - 16:00  checkm30
16:00 - 16:30  Break
16:30 - 18:00  BaiJiuCon (hosted by Thomas Lim)
18:00 - 18:10  Close

Hotel
Wanda Reign on the Bund
2021/07/30 (Friday)
No. 538 Zhong Shan Dong Er Road, Huangpu District