7 Vulns in 7 Days: Breaking Bloatware Faster Than It’s Built

Presented at DEF CON 33 (2025), Aug. 9, 2025, 4:30 p.m. (45 minutes).

Bloatware. We all hate it, and most of us are good at avoiding it. But some vendor tools – especially those managing critical drivers – can be useful when the Windows Update versions aren’t good enough for performance-critical computing. What started as a routine driver update took a sharp turn when I confirmed a reboot modal… from my browser. Wait, my browser shouldn’t be able to do that!? To my disappointment (and maybe some surprise), it turned out to be arbitrary code execution – right from the browser. This kicked off a week-long deep dive, uncovering seven CVEs in seven days across several prominent vendors, all exploiting a common pattern: privileged services managing software on Windows with little regard for security. In this talk, I’ll walk through the journey of discovering and exploiting several vulnerabilities that led to LPE/RCE, covering everything from the initial attack surface discovery, through reverse engineering, to the final exploitation. By the end, participants will probably be uninstalling similar software mid-session. While the exploitation journey is fun and impactful, this isn’t the kind of “access everywhere” anyone wants. It’s 2025 – we have everything we need to do better.

Presenters:

  • Leon "leonjza" Jacobs
    With over two decades in IT - 15 years focused on cybersecurity - Leon is the CTO of Orange Cyberdefense’s SensePost Team. His career has taken him from a Tier 1 ISP, a private investment bank and now into full-time consulting, giving him a broad, real-world view of security challenges across industries. Today, Leon spends his time researching and hacking everything from enterprise networks to web and mobile applications. Passionate about building and innovating, he’s a regular contributor to the InfoSec community, sharing tools, insights, and lessons learned to help push the field forward.
