Abstract
My presentation will focus on analyzing vulnerabilities in macOS system components: PackageKit, softwareupdated, and CoreSimulator.framework. During my investigation, I identified critical vulnerabilities that enable local privilege escalation (LPE) from a regular user level to root.

Specifically, I discovered that the softwareupdated service improperly allows the installation of any Apple-signed packages, bypassing the intended restrictions for Rosetta 2 installation. This vulnerability (TOCTOU) opens a pathway for attackers to achieve LPE by exploiting these Apple-signed packages. In the CoreSimulator.framework, I found a vulnerability that permits the mounting of dmg images with arbitrary content through the XPC interface, without altering the original root:wheel permissions. This flaw facilitates unauthorized content copying into the CoreSimulator directory, achieving LPE from a regular user level. PackageKit was found to contain multiple vulnerabilities that allow bypassing the System Integrity Protection (SIP) mechanism. My analysis of Apple-signed pkg files, including their installation requirements and scripts, revealed methods to circumvent these requirements and manipulate environment variables during script execution. This research uncovered approximately 6 CVEs capable of SIP bypass.

Additionally, I intended to discuss a Sandbox Escape vulnerability, which remains unaddressed by Apple for over a year and a half, highlighting an ongoing security risk.

Brief biography

Arsenii Kostromin

Abstract
With some of the first phones with MTE hitting the market, we are once more facing the seemingly imminent doom of our beloved industry. Wait! What about our trusty old friends, the logic bugs? While some turn their attention to weaker SoC components, we're back at Mobile Pwn2Own to show you how a few silly bugs can be chained to effortlessly pwn the latest Samsung and Xiaomi flagships.

In this talk, we will cover some of the more interesting and bizarre bugs that we have disclosed at Pwn2Own over the past 10 years. We will of course focus on last year's issues and also share a rather spicy story with a shameless vendor.

Come for the bugs, stay for the cat memes. Pay close attention and you might even spot a 0day or two.

Georgi Geshev hacks stuff.

Joffrey Guilbon is a Security Researcher at Interrupt Labs working on mobile and embedded systems. His usual work includes low-level systems, reverse engineering (on several targets such as operating systems, trusted execution environment components, secure boot implementations, bootroms, etc.), vulnerability research, binary exploitation, and tools development to ease things out.

Mateusz Fruba is specialised in reviewing, reverse-engineering and exploitation of Android devices in both userland and kernel space. He used to work for mobile vendors including Samsung and Huawei as Security Researcher focusing on vulnerability discovery and exploitation. Currently ping mobile vendors in Interrupt Labs.

Max Van Amerongen is a Principle Vulnerability Researcher at Interrupt Labs who focuses on finding security holes in critical software. Before joining Interrupt, he had previously worked at SentinelOne and F-Secure Labs (Previously MWR Labs), where he successfully participated in the Pwn2Own hacking contest a number of times.

Abstract
Memory safety vulnerabilities pose a critical threat to modern computer systems, allowing adversaries to leak or modify security-critical data.

In response to this, ARM has introduced PAC and MTE, designed primarily for code pointer and UAF protection. Some mobile devices (e.g., pixel8) have started incorporating these features for security.

On adversary side, while there has been substantial amount attention on bypassing PAC, there has been yet little attention to MTE.
We examined the security of MTE, to bridge the gap, and discovered two side-channel vulnerabilties residing in Pixel8.

In this talk, we first provide a comparative analysis of PAC/MTE from an attacker's perspective, hightlighting why MTE is more challenging to bypass. Second, we explain two new side-channel vulnerabilities and how we confirmed them in Pixel8.
Third, we delve into exploit techniques to bypass MTE in a real world setting, speicifically the linux kernel.

Note that a huge credit goes to Juhee Kim et al (at SNU CompSec) for discovereing and reporting the two side-channel vulnerabilities for the first time, leading this research.

Brief biography

Jinbum Park is a security researcher, working for Security and Privacy Team, Samsung Research. He is mainly working as a blue team member but has a huge interest in offensive techniques.
His main research interests cover from system security to machine learning security. He currently spends most time on Islet project (github.com/islet-project), which aims to bring ARM CCA (a new confidential computing hardware primitive) into mobile devices.

Abstract
As the quality of Android code gradually improves and mitigation measures strengthen, we observe an increasing difficulty in discovering security vulnerabilities that could have significant impacts in recent years. However, we still witness the continual emergence of new vulnerabilities in certain well-known attack surfaces. Does this suggest that we may have overlooked something?

In this talk, I will draw from my own experiences to retrospectively review my research achievements in vulnerability discovery and exploration across various layers of the Android ecosystem over the past few years. I will specifically focus on two techniques — fuzzing and static analysis. The discussed vulnerability landscape encompasses privileged applications, service processes, system libraries, and ;)

Brief biography

Juntao Wu(@Dawuge3) is a security researcher at CertiK and the founder of Shuffle Team, mainly focusing on mobile/web3 vulnerability discovery and exploitation. He used to be a researcher at Pangu Team. He was inducted into the Samsung Mobile Security Hall of Fame 2021/2022/2023.

Abstract
This talk will showcase techniques to jailbreak iOS 16 using an n-day kernel exploit together with the recent hardware bug showcased in the Operation Triangulation presentation. The main focus of the talk is on post exploitation techniques. The information shared in this talk is based on the Dopamine 2.0 jailbreak released by the author, this is also the first PPL-bypass-based jailbreak that does not also include a PAC bypass, which poses additional challenges due to the lack of Kcall primitives.

The talk will demonstrate

- How to combine the kfd kernel exploit with the Operation Triangulation PPL bypass
- How to construct stable physical read/write primitives based on only a PPL bypass
- How to use these primitives to allow non Apple signed binaries to execute
- How to archive system wide code injection, including allowing modifications of executable pages

Brief biography

Lars Fröder Twitter: opa334dev
GitHub: opa334

iOS developer since 2017
iOS researcher since 2022
Employed at Cellebrite Labs

Active in the iOS jailbreaking scene, released public tools such as TrollStore and Dopamine

Abstract
The offensive cybersecurity industry is going through significant changes that are reshaping the industry as a whole. In this talk, I will explore the entities that make up the market, their interaction with each other, the trends and events that lead us where we are today, and the challenges the industry has to face moving forward.

I will start with a quick recap of the industry history and the phases it went through from the point of view of the Vendors, Supply chain, End-to-end companies, Brokers, Clearing houses, and Governments. This recap will lay the foundation to talk about the current trends, events, and challenges that shape the industry with a focus on the Government’s dilemma (regulation VS market), the future of End-to-end companies, and the role of the Supply chain.

After reviewing the current challenges, I will talk about the potential applications for the supply chain and what the near-mid future might look like.

Brief biography

Maor Shwartzhas been part of the offensive cyber industry for more than 7 years now (side note, the offensive cyber industry is ~20 years old). My roles have included helping researchers, companies, research groups, brokers, and governments to navigate the offensive cyber industry from a supply-chain (vulnerabilities/researchers) standpoint.

Abstract
In recent years, nftables has become one of the most targeted components in the Linux kernel by attackers. Vulnerabilities in nftables were successfully exploited in Pwn2Own 2022 and 2023, with nearly 40 flags captured from exploiting these vulnerabilities submitted to kernelCTF.

In this talk, we will present a vulnerability that we discovered in nftables, along with an exploit we developed for kernelCTF. Interestingly, while the vulnerability was patched in the upstream kernel, it was missed for more than 8 months in the stable kernels, despite nftables being intensively targeted by many attackers. In addition, we will introduce three Linux kernel mitigations — CONFIG_SLAB_VIRTUAL, CONFIG_KMALLOC_SPLIT_VARSIZE, and CONFIG_RANDOM_KMALLOC_CACHES — used by the mitigation kernel of kernelCTF, and we will present techniques to bypass these protections.

Brief biography

Mingi Cho is a senior vulnerability researcher at Theori. His research interests include Linux kernel security and fuzzing. He has recently received rewards from bounty programs such as the KernelCTF, Android VRP, and ChromeOS VRP, and successfully demonstrated an Ubuntu LPE at Pwn2Own 2023. He received his Ph.D. degree in Information Systems from Yonsei University and has published security research papers at conferences, including ACM CCS and USENIX Security.

Abstract
With the widespread use of JavaScript, Javascript engines are becoming more and more feature-rich. From runtime support to compilation optimization, V8 introduces a lot of code, but more security issues are hidden behind it. We found two high-risk vulnerabilities, one related to the classic callback issue in the new implementation of runtime support, and the other related to type confusion caused by missing type checking in compilation optimization.

In this talk, we will present exploitation techniques for these two discovered vulnerabilities. Our talk will delve into the root cause of these vulnerabilities and shed light on how we went from a simple heap memory corruption to a highly damaging exploit primitive. This talk will end with a demonstration of the RCE vulnerabilities.

Brief biography

Nan Wang(@eternalsakura13) is a senior security researcher at the 360 Vulnerability Research Institute. His main focus is on hunting for vulnerabilities in the Chrome browser and finding ways to exploit them. He consistently ranked as a Chrome Top10 VRP Researcher for 2021, 2022, and 2023, and was also recognized by Facebook as a Top3 whitehat hacker in 2023. He has also been a speaker at security conferences, including BlackHat Asia 2023 and BlackHat USA 2023.

Zhenghang Xiao(@Kipreyyy) is a 1st-year Master's candidate at the Institute of Network Science and Cyberspace, Tsinghua University, belonging to the Network and Information Security Lab (NISL). He has a keen interest in browser security and fuzzing, and he successfully discovered several vulnerabilities and assigned CVE IDs, being acknowledged by major companies such as Google, Facebook, and other notable vendors. Also, he ranked as a Google Chrome VRP Top4 researcher in 2023 and gets his presentations accepted by top industry security conferences like Black Hat USA 2023.

Abstract
"Not your keys, not your crypto." As agreed upon by many hardcore crypto hackers/holders, one should own their own crypto in their own wallet. However, does storing your coins on a small device really protect you from crypto heists? It's not always that simple. We have analyzed a hardware crypto wallet, discovered and exploited a remote code execution bug, and extracted the private keys. In this talk, we will explain the security concerns surrounding hardware wallets, including their origin, history, and current trends, and demonstrate one of our hacks on hardware wallets.

Brief biography

NWMonster & slipper are senior security researchers at Offside Labs, specializing in the exploration of the connections and vulnerabilities that emerge when web2 and web3 hacking intersect.

Our research brings diversity to the conference topics and offers captivating content through intuitive insights, live hacking demonstrations, and valuable takeaways. 😊

Abstract
While hardware security is a topic of interest for decades, devices are constantly getting smaller, more powerful and more complicated. Most would assume that this resulted in higher security standards, but from our 100+ penetration tests in the (heavily hardware based) automotive industry, we beg to differ.

With automotive suppliers trying to make everything work under heavily constrained environments, with limited resources both for energy and processing power, understandably many things are getting left out of the table, with one of the biggest victim being security. One of the most common ones, the random number generation, which in most of the cases we managed to prove insecure in a couple of minutes, as we will demonstrate.

In this talk, we will go through some of the biggest misconfigurations related to hardware in the automotive sector, as a result of a 5-year journey and more than 100 penetration tests with some of the biggest OEMs and Tier 1 suppliers. Going through different paths of exploitation, we will demonstrate practically (targeting a real ECU on stage) how easy is to exploit a current generation vehicles, due to lack of proper implementation of a true random generator, how we automated this process to efficiently prove this vulnerability in a couple of minutes even in full vehicles, how manufacturers many times chose to not accept this as a security issue due to the fact that it’s “unfixable” and how one of the smaller manufacturers managed to resolve all those issues from the ground up with 10$ hardware while everyone else struggled.

Brief biography

Thomas Sermpinis(a.k.a. Cr0wTom) is the Technical Director of Auxilium Cyber Security and independent security researcher with main topics of interest in the automotive, industrial control, embedded device and cryptography sectors. During his research, he published several academic papers, 0days and tools with the ultimate goal of making the world a safer place, but also helped almost 100 OEMs and Tier 1 automotive suppliers to achieve better security and develop more secure products.

Abstract
In this talk, we will make a comparison of the attack surfaces for different sandboxes on Windows.
We will also provide two exploitation cases for escaping the Chrome sandbox and the Adobe sandbox on Windows.

Brief biography
Dr. Zhiniang Peng(@edwardzpeng) is the Chief Architect and the Principal Security Researcher at Sangfor. His current research areas include applied cryptography, software security and artificial intelligence. He has more than 10 years of experience in both offensive and defensive security and published many research in both academia and industry.

R4nger is a security researcher, his research focus on reverse engeerning and artificial intelligence.

Q4n is a security researcher, his research focus on binary exploitation and artificial intelligence.