0days, exploits and bug bounties - pwn2own, Aug 2014 – Sept 2015, chasing the bounties...
Post on 20-May-2020
0days, Exploits and Bug bounties
Nicholas, I’m French, no H please!
• Before at Vupen, at MSRC UK now, fixing stuff I used to break
• Been to CanSec’ before
@n_joly to find cool cat pics
Aug 2014 – Sept 2015, chasing the bounties
• Getting ready for big bounties
• Dealing with last minute mitigations
• Why you absolutely do need your lucky charm
• Collisions, when you feel bad for a day
Get ready for action!
pwn2own Mobile at PacSec
• Competing on my own for the first time
• Spent 1 month+ on that challenge
• Failed at pwning the sandbox but uncovered 3 escapes for IE desktop
• Great holidays!
Lucky charm, exploiter’s best friend
Meanwhile, between two sushis…
December, playing with Reader
• Playing first with known areas, uncovered some UAFs
• Opened some IDBs, was looking for 3D stuff
• Spent one month to get 2 working exploits
Where to look?
Spot the bugz, you have 2 secs
Has anybody heard of that before?
But what’s dumped?
That’s a return address to ScCore.dll
By early Feb, 3 exploits for 3 targets
• Built the escapes found earlier in November
• Built a certain number of Flash exploits, just in case
• Built a VBScript exploit for IE x64
• Built 2 PDF exploits sharing the same escape
Let’s add mitigations to the game!
What’s that CFG thing people keep talking about?
An optional feature…
How does that work?
So basically, before the optional update:
Net result:
Had to rethink everything
• Reader “safe”, not compiled with the flag
• Sandbox escapes partially affected
• Flash and IE :S Flash.ocx 22.214.171.124
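The CFG slides above survive only as their titles, so here is an added illustration of the mechanism they refer to. This is a user-mode toy model written for this page, not code from the talk and not Windows' implementation: the loader-side registration of legitimate indirect-call targets, a process-wide bitmap keyed on the target address, and the check that /guard:cf makes the compiler emit before every indirect call. The names (cfg_register_target, cfg_check_icall, dispatch, widget) are invented for the example, the 1 MiB window and the 2-bits-per-16-byte-chunk encoding are a simplified model of the real bitmap, and the `aligned`/`noinline` attributes assume GCC or Clang. It also models why Reader was "safe" in the sense of the slide: the check lives in the calling module, so a module built without the flag makes its indirect calls unchecked whatever the OS does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy CFG bitmap (assumption: 2 bits per 16-byte chunk, 1 MiB window).
 * 0b00 = no target in chunk, 0b01 = only the 16-byte-aligned address is a
 * valid target, 0b11 = any address in the chunk is accepted. */
#define CFG_WINDOW  ((uintptr_t)1 << 20)
#define CFG_CHUNK   ((uintptr_t)16)
#define CFG_ENTRIES (CFG_WINDOW / CFG_CHUNK)

typedef void (*handler_t)(void);

static uint8_t   cfg_bitmap[CFG_ENTRIES / 4];   /* 2 bits per chunk */
static uintptr_t cfg_base;                      /* start of the covered window */
static int       cfg_hits, cfg_blocked;         /* counters for the demo */

/* Two real functions: one is a legitimate indirect-call target, the other
 * exists in the image but is never registered (think internal helper). */
__attribute__((aligned(16), noinline)) static void on_click_ok(void)  { puts("legit handler ran"); }
__attribute__((aligned(16), noinline)) static void secret_admin(void) { puts("unregistered function ran"); }

static unsigned cfg_state(uintptr_t addr)
{
    if (cfg_base == 0 || addr < cfg_base || addr - cfg_base >= CFG_WINDOW)
        return 0;                                   /* outside any known image */
    size_t idx = (size_t)((addr - cfg_base) / CFG_CHUNK);
    return (cfg_bitmap[idx / 4] >> ((idx % 4) * 2)) & 3u;
}

/* What the loader does for each entry of the image's CFG function table. */
static void cfg_register_target(handler_t fn)
{
    uintptr_t addr = (uintptr_t)fn;
    if (cfg_base == 0)
        cfg_base = (addr & ~(CFG_CHUNK - 1)) - CFG_WINDOW / 2;
    if (addr < cfg_base || addr - cfg_base >= CFG_WINDOW)
        return;                                     /* toy limitation: one window */
    size_t idx = (size_t)((addr - cfg_base) / CFG_CHUNK);
    unsigned bits = (addr % CFG_CHUNK == 0) ? 1u : 3u;
    cfg_bitmap[idx / 4] |= (uint8_t)(bits << ((idx % 4) * 2));
}

/* Stand-in for __guard_check_icall: 1 = allowed, 0 = would fast-fail. */
static int cfg_check_icall(handler_t fn)
{
    uintptr_t addr = (uintptr_t)fn;
    switch (cfg_state(addr)) {
    case 1:  return addr % CFG_CHUNK == 0;          /* only the entry point */
    case 3:  return 1;                              /* whole chunk accepted */
    default: return 0;
    }
}

/* An object with a function-pointer slot, the classic corruption target.
 * caller_has_cfg models whether the calling module was built with /guard:cf. */
struct widget { handler_t on_click; };

static int dispatch(struct widget *w, int caller_has_cfg)
{
    if (caller_has_cfg && !cfg_check_icall(w->on_click)) {
        cfg_blocked++;
        return 0;                 /* real CFG: __fastfail, the process dies here */
    }
    cfg_hits++;
    w->on_click();
    return 1;
}

static void cfg_setup(void)
{
    static int ready;
    if (!ready) { cfg_register_target(on_click_ok); ready = 1; }
}

/* Scenario: the attacker has overwritten w->on_click with `forged`.
 * Returns 1 if the indirect call went through, 0 if the check stopped it. */
static int attack(handler_t forged, int caller_has_cfg)
{
    struct widget w = { forged };
    cfg_setup();
    return dispatch(&w, caller_has_cfg);
}

int main(void)
{
    handler_t gadget = (handler_t)((uintptr_t)on_click_ok + 1); /* mid-function, like a ROP gadget */
    printf("legit target, caller has CFG    : %d\n", attack(on_click_ok, 1));
    printf("gadget, caller has CFG          : %d\n", attack(gadget, 1));
    printf("unregistered fn, caller has CFG : %d\n", attack(secret_admin, 1));
    printf("unregistered fn, no CFG (Reader): %d\n", attack(secret_admin, 0));
    printf("%d calls allowed, %d blocked\n", cfg_hits, cfg_blocked);
    return 0;
}
```

Build with `cc -O1 cfg_toy.c` on GCC or Clang. The third and fourth lines of output are the whole story of the "Net result" slides: the same forged pointer is stopped when the caller was compiled with CFG and runs unchecked from a module that was not, which is why Reader stayed in play while the Flash and IE chains had to be rethought.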
And then the Wassenaar drama
Let’s find permit A-38
The March black Tuesday
When you need to be lucky!
Here goes the crazy week
“A” vulnerability. Not 27!!
But obviously mine!!!!
And then registering for the contest
• On Tuesday, 3 exploits
• On Wednesday, 2 ½ exploits
• But on Friday…
Time to go to Vancouver, with my 1 ½ exploits
With Junction pointing to an untrusted location, such as %temp%\low
k33nteam reported 3 bugs, but missed that one!
• Had to code everything on site but fortunately the ferry to Vancouver Island takes quite some time:
• First time I coded an exploit on a ferry in my life, but that was worth it!
But my story was nothing compared to that guy
What do I do with my escapes?
Spartan bug bounty comes at rescue!
But what is it about?
• Heap overflow in GdiConvertBitmapV5
Collisions, the true taste of peanuts
Or when you’re grumpy for a week…
And by the way…
This one was reported against AS2 only!
That’s k33nteam’s entry, which was also my 2nd!
The art of being suspect no1
• CVE-2014-0574 ba.clear
• CVE-2014-0588 ba.uncompressvialzma
• CVE-2015-0359 ba.writeObject
• CVE-2015-0312 ba.compress
• …
That is NOT me
That is me
After one year…
Time needed to pay/patch a bug
Spartan bounty: payment issued 46 days after report, patches out after 79 days
An amazing experience
• Finally decided to join Microsoft in the UK
• So many challenges to take on!
Chromium’s Xmas gifts
• Created a company
• Travelled everywhere
• Even gave a talk at MOSEC!
Want some bounties? https://aka.ms/BugBounty
Have some cool bugz? firstname.lastname@example.org
Wanna wear the blue Hat? http://careers.microsoft.com
Got a question
References
• Spartan Bounty: https://technet.microsoft.com/en-us/dn972323.aspx
• Dangerous Clipboard: http://blog.talosintel.com/2015/10/dangerous-clipboard.html
• Control Flow Guard: https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
• Exploring CFG in Windows 10: http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/
• CFG effects to memory space: http://www.alex-ionescu.com/?p=246
• Acrobat DC JavaScript 3D API reference: http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/AcrobatDC_js_3d_api_reference.pdf
• HackingTeam Flash Exploit: http://blogs.360.cn/blog/hacking-team-part2/
• Camera.copyPixelsToByteArray: https://code.google.com/p/chromium/issues/detail?id=424981
• DisplayObject.opaqueBackground: https://code.google.com/p/chromium/issues/detail?id=508009
• AS2 Filters Confusion: https://code.google.com/p/chromium/issues/detail?id=457261 and https://code.google.com/p/google-security-research/issues/detail?id=244
• CVE-2015-0313: http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/