$hell on Earth: From Browser to System Compromise

Presented at Black Hat USA 2016, Aug. 3, 2016, 11:30 a.m. (50 minutes).

The winning submissions to Pwn2Own 2016 provided unprecedented insight into the state of the art in software exploitation. Every successful submission provided remote code execution as the super user (SYSTEM/root) via the browser or a default browser plugin. In most cases, these privileges were attained by exploiting the Microsoft Windows or Apple OS X kernel. Kernel exploitation using the browser as an initial vector was a rare sight in previous contests. This presentation will detail the eight winning browser to super user exploitation chains (21 total vulnerabilities) demonstrated at this year's Pwn2Own contest. We will cover topics such as modern browser exploitation, the complexity of kernel Use-After-Free exploitation, and the simplicity of exploiting logic errors and directory traversals in the kernel. We will analyze all attack vectors, root causes, exploitation techniques, and possible remediations for the vulnerabilities presented. Reducing attack surfaces with application sandboxing is a step in the right direction, but the attack surface remains expansive and sandboxes are clearly still just a speed bump on the road to complete compromise. Kernel exploitation is clearly a problem which has not disappeared and is possibly on the rise. If you're like us, you can't get enough of it; it's shell on earth.

Presenters:

  • Matt Molinyawe - Trend Micro - Zero Day Initiative
    Matt Molinyawe is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. In this role, Molinyawe analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes vulnerability research along with analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including DEF CON, RuxCon, Power of Community, and PacSec. Prior to joining ZDI, Matt worked as a reverse engineer for General Dynamics Advanced Information Systems and a software engineer for both USAA and L3 Communications. In 2014, Matt was part of the ZDI team that exploited Internet Explorer 11 on Windows 8.1 x64 during the Pwn4Fun event at CanSecWest, which helped raise over $80K for charity. In his spare time, he was also a 2005 and 2007 US Finalist as a Scratch DJ. Matt has a B.S. in Computer Science from the University of Texas at Austin. Twitter: @djmanilaice
  • Jasiel Spelman - Trend Micro - Zero Day Initiative
    Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch
  • Abdul-Aziz Hariri - Trend Micro - Zero Day Initiative
    Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and threat analyst for Morgan Stanley emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program where the proceeds went to many STEM organizations. Twitter: @abdhariri
  • Joshua Smith - Trend Micro - Zero Day Initiative
    Kernelsmith is a senior vulnerability researcher with Trend Micro's Zero Day Initiative. In this role, he analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. Josh also focuses on automation of vulnerability discovery and analysis as well as internal operations. He was a developer for the Metasploit Framework and has spoken at a few conferences and holds a few certifications. Prior to joining the Zero Day Initiative, Smith served in the U.S. Air Force in various roles but most relevantly as a penetration tester for the 92d Information Warfare Aggressor Squadron. Post-military, he became a security engineer at the Johns Hopkins University Applied Physics Lab. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests. He received a B.S. in Aeronautical Engineering from Rensselaer Polytechnic Institute and an M.A. in Management of Information Systems from the University of Great Falls. Twitter: @kernelsmith

Links:

Similar Presentations: