RVAsec 13

The game of bypassing defenses and detection continues to be a cat and mouse game. Attackers often find clever ways to use common tools and techniques to execute their code and the defenders continue to create detections and mitigations for these methods. As a red teamer, it is becoming increasingly difficult to get around these defenses and emulate those attackers. In this talk, I will cover some of the methods we use during engagements to thread the needle and bypass those defenses.

In this presentation, the development process of a remote code execution (RCE) exploit for CVE-2023-2033 is discussed. CVE-2023-2033 is an N-day type confusion vulnerability that affects Google Chrome for Windows, Mac, and Linux with which an attacker can exploit Chrome V8 engine to cause heap corruption via a crafted HTML page and gain RCE. Prior to this presentation, a public RCE exploit for this vulnerability did not exist. This exploit is based on publicly available proof of concept code that uses this vulnerability to implement v8 heap read/write/addrof primitives. This presentation focuses on weaponizing these primitives to achieve remote code execution consistently on an unsandboxed renderer process of an Electron version running a vulnerable version of Chrome. Methods to hijack the render process instruction pointer and to write and execute specially encoded chunks of shellcode using these primitives are discussed.

You know that little box in the corner of your house doing all the heavy lifting required to connect you (and, now that everyone is working from home, your company) with the rest of the world? Yeah, that one. It’s no secret that these things are oftentimes security nightmares for consumers, but have ISPs or the various networking vendors improved things over the years, or are they still just as terrible as we all think they are?

Over the last few years, we’ve done a deep dive into many of these devices to see what makes them tick and evaluate the risks posed to consumers. In this talk, we’ll provide a rapid fire assessment of a handful of these devices, showcase the commonalities between flaws discovered, shed some light on behind-the-scenes supply chain issues plaguing this industry, and discuss where we see things going from here.

Microsoft Exchange 2019 uses the Oracle Outside-In libraries to parse specific file types when attached to emails. This talk covers the process of discovering memory corruption vulnerabilities within the technology using AFL and Jackalope and the results of the fuzzing process.

Focusing on real stories from the trenches, Orion's Quest walks through a series of modern application and API attacks Kevin and his team have pulled off.  The talk describes how we found and exploited the flaws and provides information so you can test yourself.