| 0900 - 1000 |
|
To be Announced
|
| 1000 - 1015 |
Cyber Coffee |
|
| 1015 - 1115 |
Many kernel exploits (and sometimes, user malware as well) often reach a point where it's time to inject/run a "second-stage" payload, especially during remote exploits, and thanks to the stability of user-mode, it's often the place to go. Running code in user-mode, or, if already in user-mode, running it in another context, has been talked about to death: APCs, user-mode callbacks, hand-written DLL loaders, remote thread injection, remote memory modification and thread context change, etc... But all of these techniques are either very complex, very unstable, or easily detected by any half-decent IDS or HIPS. This talk will show how to abuse undocumented Hotpatch APIs and data structures to silently inject a DLL into any process, from kernel or user, with only 5 lines of C and a little bit of PE magic. Then, we'll abuse the memory manager to fool the hotpatcher into injecting a "DLL" that is really raw memory, and not a file on disk. Through an understanding of both these two mechanisms, we'll be able to inject, load, link, relocate, and randomize a random blob of memory, just as if it was a real DLL, without writing a single line of code to do this -- and fooling any HIPS system into thinking this is just the kernel doing its job -- there's no remote thread to hunt down, nor file to scan.
|
Alex Ionescu (@aionescu)
|
| 1115 - 1130 |
Cyber Bar |
|
| 1130 - 1230 |
Operating systems' kernels written in non-managed programming languages, such as Microsoft Windows or Linux, are regular pieces of software and therefore are subject to typical classes of security vulnerabilities. Some of these classes are common to ring-3 and ring-0 code alike - think buffer overflows or use-after-frees - while others are specific to certain execution modes. Race conditions while fetching and processing user-mode input data within the kernel doubtlessly belong to the second group; although their existence is publicly known, we feel that they haven't received an adequate amount of attention from the security industry yet.

To prove the point we developed a project called Bochspwn several months ago. In essence, it is a set of tools designed to effectively monitor ring-0 references to user-mode memory at run-time and examine the resulting information, in search of patterns potentially indicating the presence of race condition vulnerabilities. As a direct outcome, we have found dozens of elevation-of-privilege issues in the Windows operating system, consequently leading to around 50 unique security patches being scheduled for March and April alone. In our talk we will discuss the architecture of Bochspwn, and provide detailed coverage of the exploitation process for several particularly interesting Windows bugs fixed by Microsoft by the time of the presentation, including novel techniques and methodologies, ways to convert an arbitrary kernel memory disclosure into an almost regular privilege escalation, and others.
|
Mateusz Jurczyk (@j00ru) & Gynvael Coldwind (@gynvael)
|
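The bug class the Bochspwn abstract describes is the kernel double fetch: a length or pointer is read from user-mode memory once to validate it and a second time to use it, and a racing user thread changes it in between. The following is an added illustration written for this page, not code from the Bochspwn project or from the speakers. It models the racing thread as a callback invoked between the two fetches so the outcome is deterministic; the `struct request`, the 32-byte limit and the canary check are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a user-mode request buffer. In a real kernel this
 * lives in user memory and another thread can rewrite it at any moment. */
struct request {
    uint32_t len;        /* attacker-controlled length */
    uint8_t  data[64];   /* attacker-controlled payload */
};

#define KBUF_LIMIT 32    /* bytes the handler is allowed to copy into kernel memory */

/* Stand-in for the racing user-mode thread: called between the two kernel
 * fetches so the race is won every time instead of depending on timing. */
typedef void (*racer_fn)(struct request *);

static void grow_len(struct request *r) { r->len = 48; }

/* Vulnerable handler: len is fetched from user memory once for the check and
 * again for the copy (a double fetch). 'volatile' forces the second read. */
static int handle_double_fetch(volatile struct request *ureq, uint8_t *kbuf, racer_fn racer)
{
    if (ureq->len > KBUF_LIMIT)                  /* fetch #1: validate */
        return -1;
    if (racer)
        racer((struct request *)ureq);           /* attacker flips len here */
    uint32_t n = ureq->len;                      /* fetch #2: use (now 48) */
    memcpy(kbuf, (const void *)ureq->data, n);   /* overruns KBUF_LIMIT */
    return (int)n;
}

/* Hardened handler: capture the whole request into kernel memory exactly
 * once, then validate and use only the local copy. */
static int handle_single_fetch(volatile struct request *ureq, uint8_t *kbuf, racer_fn racer)
{
    struct request local;
    memcpy(&local, (const void *)ureq, sizeof local);   /* the only fetch */
    if (local.len > KBUF_LIMIT)
        return -1;
    if (racer)
        racer((struct request *)ureq);   /* too late: ureq is never read again */
    memcpy(kbuf, local.data, local.len);
    return (int)local.len;
}

/* Runs one handler against a request the racer tampers with. A 0xCC canary
 * sits at kbuf[KBUF_LIMIT]; any copy past the limit overwrites it. */
static int exercise(int vulnerable, int *canary_intact)
{
    struct request req;
    uint8_t kbuf[sizeof req.data];          /* large enough that the overrun is contained */
    req.len = 16;                           /* passes the check */
    memset(req.data, 'A', sizeof req.data);
    memset(kbuf, 0xCC, sizeof kbuf);
    int copied = vulnerable
        ? handle_double_fetch(&req, kbuf, grow_len)
        : handle_single_fetch(&req, kbuf, grow_len);
    *canary_intact = (kbuf[KBUF_LIMIT] == 0xCC);
    return copied;
}

int bytes_copied(int vulnerable)  { int c; return exercise(vulnerable, &c); }
int canary_intact(int vulnerable) { int c; exercise(vulnerable, &c); return c; }

int main(void)
{
    printf("double fetch: copied %d bytes, canary %s\n",
           bytes_copied(1), canary_intact(1) ? "intact" : "SMASHED");
    printf("single fetch: copied %d bytes, canary %s\n",
           bytes_copied(0), canary_intact(0) ? "intact" : "SMASHED");
    return 0;
}
```

The vulnerable path copies 48 bytes and smashes the canary; the hardened path copies the 16 bytes it validated. The pattern Bochspwn hunts for is exactly the two reads of `ureq->len` in the first handler; the fix is the single `memcpy` into a kernel-owned copy in the second, which is what `copy_from_user`-style helpers enforce when used once per field.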
| 1230 - 1330 |
Cyber Lunch |
|
| 1330 - 1430 |
The number of known OS X rootkits is small and public knowledge is (very) scarce. At one end we have advanced EFI rootkits researched by Snare and at the other outdated rootkit source code (WeaponX, Dino's examples, Phrack 66 article), the newer but (very) incomplete Rubilyn, and (basic) binary rootkits (OS.X/Crisis). Apple followed whatever knowledge was published and implemented some barriers to "avoid" easy creation of OS X rootkits.

This talk aims to be a demonstration of how those barriers are easily bypassed and how rootkit quality can improve using a few tricks and abusing kernel features and functions. The target is Mountain Lion but the techniques can be applied to (all) previous versions. The importance and effectiveness of memory forensics is increasing, so there's also a discussion about anti-forensics ideas to improve stealthiness, and about how and what to look for when searching for rootkits.
|
Pedro Vilaca (@osxreverser)
|
| 1430 - 1445 |
Cyber Bar |
|
| 1445 - 1545 |
Building a fuzz farm out of cheap Chinese ARM SoCs (Allwinner A10, Rockchip RK3066 and the like) is tempting. Getting it to work requires automation, sysadmining, tool smithing, and AliExpress. Luckily those are all good fun. The presentation will cover how to set up and operate such a cluster, what to expect from it, what kind of targets run well on it and whether it's worth the effort.
|
Michele Aubizieri
|
| 1545 - 1600 |
Cyber Coffee |
|
| 1600 - 1700 |
The 10th installment of SyScan Singapore deserves a special party. And what provides a better party than dropping a number of 0-day vulnerabilities for the audience to play with? This talk will discuss a number of 0-day security problems in and around Apple, OSX Mountain Lion and iOS. We will look at the latest installments of these products and reveal security problems in kernel land and in user land. Areas covered will be the Apple website, iOS enterprise development, kernel vulnerabilities, vulnerabilities in exploit mitigations, vulnerabilities in Mountain Lion system tools, and vulnerabilities or backdoors in 3rd party iOS applications that went into the iOS App Store without Apple noticing.
|
Stefan Esser (@i0n1c)
|
| 1700 - 1715 |
Cyber Bar |
|
| 1715 - 1730 |
|
Collin Mulliner
|
| 1730 - 1745 |
|
Emmanuel Gadaix
|
| 1745 - 1800 |
|
Hubert Seiwert
|
| 1800 - 1830 |
|
Lightning talks, 5 minutes each
|
| 1830 - 1900 |
|
|