Streaming: https://mssvideo.vcu.edu/RVAsec
Technical
Tuesday, June 4
 

11:00am EDT

That Shouldn't Have Worked - Payload Development
The game of bypassing defenses and detection continues to be a cat and mouse game. Attackers often find clever ways to use common tools and techniques to execute their code and the defenders continue to create detections and mitigations for these methods. As a red teamer, it is becoming increasingly difficult to get around these defenses and emulate those attackers. In this talk, I will cover some of the methods we use during engagements to thread the needle and bypass those defenses.

Speakers

Corey Overstreet

Senior Security Consultant, Red Siege
Corey has been engaged with Fortune 500 organizations across a variety of industries, including financial services, government services, and healthcare and is widely recognized for his in-depth OSINT talks and workshops. Additionally, he is a Black Hat trainer and has spoken at conferences...


Tuesday June 4, 2024 11:00am - 11:50am EDT
Ballroom C/D

1:00pm EDT

Some Assembly Required: Weaponizing Chrome CVE-2023-2033 for RCE in Electron
In this presentation, the development process of a remote code execution (RCE) exploit for CVE-2023-2033 is discussed. CVE-2023-2033 is an N-day type confusion vulnerability that affects Google Chrome for Windows, Mac, and Linux, with which an attacker can exploit the Chrome V8 engine to cause heap corruption via a crafted HTML page and gain RCE. Prior to this presentation, a public RCE exploit for this vulnerability did not exist. This exploit is based on publicly available proof of concept code that uses this vulnerability to implement V8 heap read/write/addrof primitives. This presentation focuses on weaponizing these primitives to achieve remote code execution consistently on an unsandboxed renderer process of an Electron version running a vulnerable version of Chrome. Methods to hijack the renderer process instruction pointer and to write and execute specially encoded chunks of shellcode using these primitives are discussed.

Speakers

Nick Copi

AppSec Engineer, CarMax
Nick Copi, an application security engineer at CarMax, seamlessly balances his professional role with a fervent pursuit of security research. From architecting full-stack web applications to spearheading innovative security initiatives at CarMax, Nick's diverse background enriches...


Tuesday June 4, 2024 1:00pm - 1:50pm EDT
Ballroom A/B

2:00pm EDT

Consumer Routers Still Suck
You know that little box in the corner of your house doing all the heavy lifting required to connect you (and, now that everyone is working from home, your company) with the rest of the world? Yeah, that one. It’s no secret that these things are oftentimes security nightmares for consumers, but have ISPs or the various networking vendors improved things over the years, or are they still just as terrible as we all think they are?

Over the last few years, we’ve done a deep dive into many of these devices to see what makes them tick and evaluate the risks posed to consumers. In this talk, we’ll provide a rapid fire assessment of a handful of these devices, showcase the commonalities between flaws discovered, shed some light on behind-the-scenes supply chain issues plaguing this industry, and discuss where we see things going from here.

Speakers

Jimi Sebree

Security Researcher, Tenable
Jimi and Evan are security researchers at Tenable. Jimi got his start as a software engineer before moving into the security space. Evan's introduction to infosec came from the Canadian Forces Reserves, and he's been hooked ever since.


Tuesday June 4, 2024 2:00pm - 2:50pm EDT
1st Floor, Magnolia Room

3:00pm EDT

Hacking Exchange From The Outside In
Microsoft Exchange 2019 uses the Oracle Outside-In libraries to parse specific file types when attached to emails. This talk covers the process of discovering memory corruption vulnerabilities within the technology using AFL and Jackalope and the results of the fuzzing process.

Speakers

Ali Ahmad

Senior Research Consultant, Atredis Partners
With over 5 years of experience in the information security industry, Ali has performed a wide variety of security assessments including network penetration testing, application security assessments, full-scope red team engagements, adversarial simulation, and physical penetration...


Tuesday June 4, 2024 3:00pm - 3:50pm EDT
Ballroom A/B

4:00pm EDT

Orion's Quest: Navigating the Cyber Wilderness - Tales of Modern Penetration Testing
Focusing on real stories from the trenches, Orion's Quest walks through a series of modern application and API attacks Kevin and his team have pulled off. The talk describes how we found and exploited the flaws and provides information so you can test yourself.

Speakers

Kevin Johnson

CEO, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions...


Tuesday June 4, 2024 4:00pm - 4:50pm EDT
Ballroom A/B
 
Wednesday, June 5
 

10:30am EDT

Patch Perfect: Harmonizing with LLMs to Find Security Vulns
Are LLMs a revolutionary leap forward for security research—or just spicy auto-complete?

The truth lies somewhere in between. This talk cuts through the hype and offers a practical perspective that’s grounded in real-world analysis of critical bugs in widely used products. We’ll walk through our process of harnessing large language models (LLMs) for patch-diffing in the context of N-day vulnerability research. Given a vague security advisory and some complicated code diffs, can an LLM get you closer to finding the right spot in the code to dig deeper? Which models work best for this task, and why? Let’s ditch the theory and get our hands dirty with iterative experimentation. Whether you’re a seasoned pentester, applied researcher, or budding practitioner, you'll take away tactical lessons for incorporating AI into your security toolkit.

Speakers

Caleb Gross

Director of Capability Development, Bishop Fox
Caleb Gross is the Director of Capability Development at Bishop Fox, where he leads a team of offensive security professionals specializing in attack surface research and vulnerability intelligence. Prior to coming to Bishop Fox, he served as an exploitation operator in the US Department...


Wednesday June 5, 2024 10:30am - 11:20am EDT
Ballroom D

11:30am EDT

Unlocking Generative AI: Balancing Innovation with Security
Join us for 'Unlocking Generative AI: Balancing Innovation with Security' as we navigate the complex landscape of generative AI in corporate environments. From understanding the fundamentals to exploring security threats like data poisoning and model theft, discover how large enterprises can safeguard sensitive data and AI models. Learn robust mitigation strategies to tackle these challenges head-on, ensuring a secure future for AI innovation. Don't miss this opportunity to delve into the promising yet challenging world of generative AI security.

Speakers

Jason Ross

Security Engineer, Salesforce
Jason Ross is a passionate cybersecurity expert with a diverse skill set, currently focused on building tools and processes to test the security of generative AI models & applications that use them. Jason's past work experiences include penetration testing, cloud security, and OSINT. Jason...


Wednesday June 5, 2024 11:30am - 12:20pm EDT
Ballroom A/B

1:00pm EDT

Reverse Engineering for Dummies: The “what if?” user
When developing a product, software engineers often discuss the “what if?” user. What if a user builds their own frontend client? What if a user finds that embedded API key? What if a user notices that endpoint doesn’t have authorization? This talk has three real-life examples from the speaker’s perspective as the “what if?” user. Each example will delve into the motivation, the security flaws reverse engineered, and how to improve the security of each product. This talk will cover reverse engineering assets from an Android game, a waitlist to buy exercise equipment, and a Publish Subscribe system for an auction house. This talk aims to generate interest in identifying software design flaws and reverse engineering them, as well as helping teach about common security issues and practical methods of fixing them.

Speakers

Micah Parks

Senior Software Engineer
Micah Parks started his professional career about six years ago in the National Security Agency. After moving to the private sector, Micah has continued to work as a security minded software engineer. He has created and maintains multiple open source projects, with the most popular...


Wednesday June 5, 2024 1:00pm - 1:50pm EDT
Ballroom A/B

2:00pm EDT

Building Illusions in the Cloud: Deception Engineering
Deception engineering is a defence-in-depth strategy which many organisations overlook. After achieving a certain level of maturity in their infrastructure security processes, organisations will find deception engineering a great security project to enhance monitoring via high fidelity alerts and targeted knowledge of an attack in terms of where the attack's epicentre exists, what actions the attackers are taking, etc.

This session aims to share an overview of what is entailed in building a deception engineering charter, how to plan for deploying honeypots and honeytokens, and finally how to handle a potential incident that was detected via a honeypot.

Speakers

Ayush Priya

Lead Data & Cloud Security Engineer, CRED
Ayush is a Cyber Security Engineer specialising in Cloud and Data Security, and DevSecOps practices. He loves to develop automation for security controls and processes. He has delivered talks at various conferences and security communities like GrayHat'20, and Cyber Security Global...

Saksham Tushar

Head of Security Operations, CRED
Saksham Tushar specializes in various aspects of Threats, including intelligence, detection, analytics, and hunting. He has experience leading teams and collaborating with organizations such as Informatica, Microsoft, and IBM to establish multiple global Security Operations Centers...


Wednesday June 5, 2024 2:00pm - 2:50pm EDT
Ballroom A/B

3:10pm EDT

My Way is Not Very Sportsman-Like: Shaping Adversary Behavior to Strengthen Defenses
We’re taking a fresh look at how to beat cyber attackers at their own games! It’s all about using our defender advantages wisely, controlling, constraining, and shaping the adversary’s moves before the attack even begins. We're ditching the old "Defender’s Dilemma" mindset and showing how smart defense strategies can make a huge difference. Let’s shift our thinking, use our advantages better, and boost our defense without breaking the bank.

Speakers

David J. Bianco

Student, N/A
David is a Staff Security Strategist on Splunk’s SURGe research team. He is also a SANS Certified Instructor, where he teaches network forensics. David has more than 20 years of experience in the information security field, primarily in incident detection and response, threat hunting...


Wednesday June 5, 2024 3:10pm - 4:00pm EDT
Ballroom
 