0days, exploits and bug bounties - pwn2own aug 2014 –sept 2015, chasing the bounties...


Post on 20-May-2020






  • 0days, Exploits and Bug bounties

  • Nicholas, I’m French, no H please!

    • Before at Vupen, at MSRC UK now, fixing stuff I used to break

    • Been to CanSec’ before

    @n_joly to find cool cat pics

  • Aug 2014 – Sept 2015, chasing the bounties

    • Getting ready for big bounties

    • Dealing with last minute mitigations

    • Why you do absolutely need your lucky charm

    • Collisions, when you feel bad for a day

  • Get ready for action!

  • pwn2own Mobile at PacSec

    • Competing on my own for the first time

    • Spent 1 month+ on that challenge

    • Failed at pwning the sandbox but uncovered 3 escapes for IE desktop

    • Great holidays!


    Lucky charm, exploiter’s best friend

  • Meanwhile, between two sushis…

  • December, playing with Reader

    • Playing first with known areas, uncovered some UAFs

    • Opened some IDBs, was looking for 3D stuff

    • Spent one month getting 2 working exploits

  • Where to look?

  • JavaScript™ for Acrobat® 3D Annotations API Reference

  • Spot the bugz, you have 2 secs

  • Has anybody heard of that before?

  • But what’s dumped?

    That’s a return address into ScCore.dll

  • By early Feb, 3 exploits for 3 targets

    • Built the escapes found earlier in November

    • Built a certain number of Flash exploits, just in case

    • Built a VBScript exploit for IE x64

    • Built 2 PDF exploits sharing the same escape


  • Let’s add mitigations to the game!

  • What’s that CFG thing people keep talking about?

  • An optional feature…

  • How does that work?


  • So basically, before the optional update: [diagram]

    With CFG: [diagram]

    Net result: [diagram]

  • Had to rethink about everything

    • Reader “safe”, not compiled with the flag

    • Sandbox escapes partially affected

    • Flash and IE :S (Flash.ocx)
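What the "CFG thing" actually does at a call site, as an added illustration that is not part of the slides: in Microsoft's implementation the compiler flag /guard:cf emits a call to a guard routine before every indirect call, and the OS keeps a bitmap of valid call targets (function entry points whose address is taken) that the guard consults; a target outside that set terminates the process. The model below replaces the bitmap with a small table of addresses and the guard with an ordinary function that returns a sentinel instead of killing the process, so the outcome can be observed. The function names, the "vtable" and the corrupted-pointer scenario are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: a minimal model of a Control Flow Guard (CFG) style
 * indirect-call check. Real CFG (/guard:cf) has the compiler emit a call to a
 * guard routine before each indirect call and has the OS keep a bitmap of
 * valid call targets; here the "bitmap" is a small table of addresses and the
 * guard is an ordinary function. Function names and the corrupted-pointer
 * scenario are constructed for the example. */

typedef int (*handler_t)(int);

/* Two functions the program legitimately calls through a pointer. */
static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* A function present in the binary but never meant to be an indirect-call
 * target (stands in for the code an attacker would redirect execution to). */
static int spawn_shell(int x) { (void)x; return 0x1337; }

/* Value returned by guarded_call when the guard rejects the target. The real
 * guard never returns: it raises a fast-fail and the process is terminated. */
#define CFG_VIOLATION INT_MIN

/* Address-taken functions registered as valid targets at build/load time.
 * spawn_shell is deliberately absent, just as a function whose address is
 * never taken gets no bit in the real CFG bitmap. */
static const handler_t valid_targets[] = { double_it, negate };

/* The guard: 1 if target is a registered indirect-call target, else 0. */
static int guard_check_icall(handler_t target)
{
    size_t n = sizeof valid_targets / sizeof valid_targets[0];
    for (size_t i = 0; i < n; i++)
        if (valid_targets[i] == target)
            return 1;
    return 0;
}

/* An instrumented call site: check first, then call. */
static int guarded_call(handler_t target, int arg)
{
    if (!guard_check_icall(target))
        return CFG_VIOLATION;
    return target(arg);
}

/* A call site in a module built without the flag: no check at all. */
static int unguarded_call(handler_t target, int arg)
{
    return target(arg);
}

/* A "vtable" whose second slot an attacker overwrites (e.g. via a UAF). */
static handler_t vtable[] = { double_it, negate };

static void corrupt_vtable(void) { vtable[1] = spawn_shell; }
static void restore_vtable(void) { vtable[1] = negate; }

/* Demo helpers that return results rather than printing them. */
static int demo_unguarded_after_corruption(void)
{
    corrupt_vtable();
    int r = unguarded_call(vtable[1], 5);   /* attacker's target runs */
    restore_vtable();
    return r;
}

static int demo_guarded_after_corruption(void)
{
    corrupt_vtable();
    int r = guarded_call(vtable[1], 5);     /* guard fires */
    restore_vtable();
    return r;
}

int main(void)
{
    printf("legit guarded call:         %d\n", guarded_call(vtable[1], 5));
    printf("unguarded after corruption: %d\n", demo_unguarded_after_corruption());
    printf("guarded after corruption:   %d\n", demo_guarded_after_corruption());
    return 0;
}
```

Two caveats the model makes visible. First, the check lives in the caller, so a module not built with the flag (Reader at the time, per the slides) gets no protection even on a system with CFG enabled. Second, the guard only asks "is this the start of some valid function", not "is this the function that belongs here": redirecting a pointer to another address-taken function in the same process passes the check, which is why the escapes and exploits in the rest of the talk were only partially affected.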

  • And then the Wassenaar drama

  • Let’s find permit A-38

  • The March Black Tuesday

    When you need to be lucky!

  • Here goes the crazy week

    “A” vulnerability. Not 27!!

    But obviously mine!!!!

  • And then registering for the contest

    • On Tuesday, 3 exploits

    • On Wednesday, 2 ½ exploits

    • But on Friday…

  • Time to go to Vancouver, with my 1 ½ exploits

  • Junctions!


    With a junction pointing to an untrusted location, such as %temp%\low


    k33nteam reported 3 bugs, but missed that one!

  • Had to code everything on site, but fortunately the ferry to Vancouver Island takes quite some time:

    • First time I coded an exploit on a ferry in my life, but that was worth it!

    But my story was nothing compared to that guy

  • What do I do with my escapes?

  • Spartan bug bounty comes to the rescue!


  • But what is it about?

    • Heap overflow in GdiConvertBitmapV5


  • Collisions, the true taste of peanuts

    Or when you’re grumpy for a week…

  • Collisions 1/4

  • Collisions 2/4

    And by the way…

    This one was reported against AS2 only!

  • Collisions 3/4

  • Collisions 4/4

    That’s k33nteam’s entry, which was also my 2nd!

  • The art of being suspect no. 1

    • CVE-2014-0574 ba.clear

    • CVE-2014-0588 ba.uncompressvialzma

    • CVE-2015-0359 ba.writeObject

    • CVE-2015-0312 ba.compress

    • …

    That is NOT me

    That is me

  • After one year..

  • Time needed to pay/patch a bug

    Spartan bounty: payment issued 46 days after report, patches out after 79 days

  • An amazing experience

    • Finally decided to join Microsoft in the UK

    • So many challenges to take on!

    Chromium’s Xmas gifts

    • Created a company

    • Travelled everywhere

    • Even gave a talk at MOSEC!

  • Want some bounties? https://aka.ms/BugBounty

    Have some cool bugz? secure@microsoft.com

    Wanna wear the blue Hat? http://careers.microsoft.com

    Thanks :)

    Got a question?


  • References

    • Spartan Bounty https://technet.microsoft.com/en-us/dn972323.aspx

    • Dangerous Clipboard http://blog.talosintel.com/2015/10/dangerous-clipboard.html

    • Control Flow Guard https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx

    • Exploring CFG in Windows 10 http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/

    • CFG effects to memory space http://www.alex-ionescu.com/?p=246

    • JavaScript™ for Acrobat® 3D Annotations API Reference http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/AcrobatDC_js_3d_api_reference.pdf

    • HackingTeam Flash Exploit http://blogs.360.cn/blog/hacking-team-part2/

    • Camera.copyPixelsToByteArray https://code.google.com/p/chromium/issues/detail?id=424981

    • DisplayObject.opaqueBackground https://code.google.com/p/chromium/issues/detail?id=508009

    • AS2 Filters Confusion https://code.google.com/p/chromium/issues/detail?id=457261 and https://code.google.com/p/google-security-research/issues/detail?id=244

    • CVE-2015-0313 http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/
