csw2016 Nicolas Joly: 0days, Exploits and Bug bounties
TRANSCRIPT
0days, Exploits and Bug bounties
Nicholas, I’m French, no H please!
• Before at Vupen, at MSRC UK now, fixing stuff I used to break
• Been to CanSec’ before
@n_joly to find cool cat pics
Aug 2014 – Sept 2015, chasing the bounties
• Getting ready for big bounties
• Dealing with last minute mitigations
• Why you do absolutely need your lucky charm
• Collisions, when you feel bad for a day
Get ready for action!
pwn2own Mobile at PacSec
• Competing on my own for the first time
• Spent 1 month+ on that challenge
• Failed at pwning the sandbox but uncovered 3 escapes for IE desktop
• Great holidays!
Trophy!
Lucky charm, exploiter’s best friend
Meanwhile, between two sushis…
December, playing with Reader
• Playing first with known areas, uncovered some UAFs
• Opened some IDBs, was looking for 3D stuff
• Spent one month to get 2 working exploits
Where to look?
JavaScript™ for Acrobat® 3D Annotations API Reference
Spot the bugz, you have 2 secs
Has anybody heard of that before?
But what’s dumped?
That’s a return address to ScCore.dll
By early Feb, 3 exploits for 3 targets
• Built the escapes found earlier in November
• Built a certain number of Flash exploits, just in case
• Built a VBScript exploit for IE x64
• Built 2 PDF exploits sharing the same escape
But…
Let’s add mitigations to the game!
What’s that CFG thing people keep talking about?
An optional feature…
How does that work?
https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
So basically, before the optional update:
With CFG:
Net result:
Had to rethink everything
• Reader “safe”, not compiled with the flag
• Sandbox escapes partially affected
• Flash and IE :S (Flash.ocx 17.0.0.34)
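An added example (mine, not from the talk) of the check behind the "not compiled with the flag" remark: it reads the DllCharacteristics word of a PE optional header to report whether an image opts in to CFG, ASLR, NX and high-entropy VA. The stub PE it parses is constructed inline, and all function names are my own.

```python
import struct

# DllCharacteristics bits from the PE/COFF spec.
HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF = 0x0020, 0x0040, 0x0100, 0x4000


def dll_characteristics(pe: bytes) -> int:
    """Return the DllCharacteristics word from a PE image's optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:       # PE32 / PE32+, must reach offset 70
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    return struct.unpack_from("<H", pe, opt + 70)[0]


def mitigation_report(pe: bytes) -> dict:
    """Which opt-in mitigations the image header advertises (CFG, ASLR, NX, high-entropy VA)."""
    flags = dll_characteristics(pe)
    return {"cfg": bool(flags & GUARD_CF), "aslr": bool(flags & DYNAMIC_BASE),
            "nx": bool(flags & NX_COMPAT), "high_entropy_va": bool(flags & HIGH_ENTROPY_VA)}


def build_stub_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE (not loadable) used to exercise the parser offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                     # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(mitigation_report(f.read()))
```

The header bit is what the linker sets for /guard:cf images; whether CFG is actually enforced at run time also depends on the OS and on the load configuration directory, which this example does not parse.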
And then the Wassenaar drama
Let’s find permit A-38
The March black Tuesday
When you need to be lucky!
Here goes the crazy week
“A” vulnerability.
Not 27!! But obviously mine!!!!
And then registering for the contest
• On Tuesday, 3 exploits
• On Wednesday, 2 ½ exploits
• But on Friday…
Time to go to Vancouver, with my 1 ½ exploits
Junctions!
C:\dir1\dir2\dir3\Junction\..\dir4\dir5\file
With Junction pointing to an untrusted location, such as %temp%\low
FILE_ATTRIBUTE_REPARSE_POINT
k33nteam reported 3 bugs, but missed that one!
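An added example (not from the talk) of the check a sandbox broker needs against this junction trick: a lexical prefix check collapses `Junction\..` on the string and passes, while resolving the path through the filesystem, or inspecting each component for FILE_ATTRIBUTE_REPARSE_POINT, catches it. The tree is constructed in a temp dir with a symlink standing in for the junction; all function names are mine.

```python
import os
import stat
import tempfile

# FILE_ATTRIBUTE_REPARSE_POINT (0x400) marks junctions, mount points and symlinks on NTFS.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)

def link_components(root: str, rel: str) -> list:
    """Walk rel under root component by component, WITHOUT collapsing '..',
    and return every component that is a reparse point (Windows) or symlink (POSIX)."""
    found, cur = [], root
    for part in rel.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        cur = os.path.join(cur, part)  # '..' is kept, so 'Junction/..' still inspects Junction
        try:
            st = os.lstat(cur)
        except OSError:
            continue  # component does not exist; nothing to inspect
        if getattr(st, "st_file_attributes", 0) & REPARSE_POINT or stat.S_ISLNK(st.st_mode):
            found.append(cur)
    return found

def lexical_is_confined(root: str, rel: str) -> bool:
    """The weak check: collapse '..' on the string, then compare prefixes."""
    norm = os.path.normpath(os.path.join(root, rel))
    return norm.startswith(os.path.normpath(root) + os.sep)

def resolved_is_confined(root: str, rel: str) -> bool:
    """The robust check: let the filesystem resolve every link first, then compare."""
    real_root = os.path.realpath(root)
    real = os.path.realpath(os.path.join(root, rel))
    return real == real_root or real.startswith(real_root + os.sep)

def build_demo_tree() -> tuple:
    """Constructed layout (not from the talk): <tmp>/root/dir1/dir2/dir3/Junction -> <tmp>/low.
    A symlink stands in for the NTFS junction (mklink /J on Windows). Returns (root, rel)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "root")
    os.makedirs(os.path.join(root, "dir1", "dir2", "dir3"))
    os.makedirs(os.path.join(base, "low"))
    os.symlink(os.path.join(base, "low"), os.path.join(root, "dir1", "dir2", "dir3", "Junction"))
    return root, os.path.join("dir1", "dir2", "dir3", "Junction", "..", "dir4", "dir5", "file")

if __name__ == "__main__":
    root, rel = build_demo_tree()
    print("lexical:", lexical_is_confined(root, rel), "resolved:", resolved_is_confined(root, rel))
    print("reparse/link components:", link_components(root, rel))
```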
• Had to code everything on site but fortunately the ferry to Vancouver Island takes quite some time.
• First time I coded an exploit on a ferry in my life, but that was worth it!
But my story was nothing compared to that guy
What do I do with my escapes?
Spartan bug bounty comes to the rescue!
http://blog.talosintel.com/2015/10/dangerous-clipboard.html
But what is it about?
• Heap overflow in GdiConvertBitmapV5
http://blog.talosintel.com/2015/10/dangerous-clipboard.html
Collisions, the true taste of peanuts
Or when you’re grumpy for a week…
Collisions 1/4
Collisions 2/4
And by the way…
This one was reported against AS2 only!
Collisions 3/4
Collisions 4/4
That’s k33nteam’s entry, which was also my 2nd!
The art of being suspect no1
• CVE-2014-0574 ba.clear
• CVE-2014-0588 ba.uncompressvialzma
• CVE-2015-0359 ba.writeObject
• CVE-2015-0312 ba.compress
• …
That is NOT me
That is me
After one year…
Time needed to pay/patch a bug
Spartan bounty: payment issued 46 days after report, patches out after 79 days
An amazing experience
• Finally decided to join Microsoft in the UK
• So many challenges to take on!
Chromium’s Xmas gifts
• Created a company
• Travelled everywhere
• Even gave a talk at MOSEC!
Want some bounties? https://aka.ms/BugBounty
Have some cool bugz? [email protected]
Wanna wear the blue Hat? http://careers.microsoft.com
Thanks :)
Got a question?
References
• Spartan Bounty https://technet.microsoft.com/en-us/dn972323.aspx
• Dangerous Clipboard http://blog.talosintel.com/2015/10/dangerous-clipboard.html
• Control Flow Guard https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
• Exploring CFG in Windows 10 http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/
• CFG effects to memory space http://www.alex-ionescu.com/?p=246
• JavaScript™ for Acrobat® 3D Annotations API Reference http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/AcrobatDC_js_3d_api_reference.pdf
• HackingTeam Flash Exploit http://blogs.360.cn/blog/hacking-team-part2/
• Camera.copyPixelsToByteArray https://code.google.com/p/chromium/issues/detail?id=424981
• DisplayObject.opaqueBackground https://code.google.com/p/chromium/issues/detail?id=508009
• AS2 Filters Confusion https://code.google.com/p/chromium/issues/detail?id=457261 and https://code.google.com/p/google-security-research/issues/detail?id=244
• CVE-2015-0313 http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/