In-the-Wild 0-day Exploits
Maddie Stone (@maddiestone), Google Project Zero
Uploaded Aug 02, 2024, 42 slides
Slide Content
In-the-Wild 0-day Exploits
Maddie Stone (@maddiestone)
Google Project Zero

Who am I? Maddie Stone (she/her)
Security Researcher on Google Project Zero
Focusing on 0-days used in the wild
Previously, Google's Android Sec team
Reverse all the things
Speaker at REcon, OffensiveCon, BlackHat, & more!
BS in Computer Science, Russian, & Applied Math; MS in Computer Science
https://www.wired.com/story/maddie-stone-project-zero-reverse-engineering/
@maddiestone
Glossary
Vulnerability: a weakness (or bug) in code/hardware/product that has a security implication
Exploit: a method of using a vulnerability to break the security of a product
Attacker: a person using an exploit against a user or organization
Defender: a person working to secure code, organizations, devices
itw: "in-the-wild"
Reverse engineering: to disassemble and analyze in detail to discover how something works
0-day: a vulnerability defenders don't yet know about
N-day: a vulnerability defenders know about

Glossary (cont.)
Hacker: a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system, by non-standard means. https://en.wikipedia.org/wiki/Hacker

0-day exploit: an exploit targeting a vulnerability that defenders don't yet know about
https://googleprojectzero.blogspot.com/2021/03/in-wild-series-october-2020-0-day.html
Delivered a 0-day or an n-day based on the browser's Chromium version.
Only began responding to Android user agents after exploit server #2 went down.
Why 0-day exploits?
Learn from 0-days exploited in the wild to make 0-day hard.
Make 0-day hard.

Make 0-day hard
Increase cost per exploit 📈 (time, expertise, money)
Increase number of exploits required 📈
Costs more for a less useful 0-day.
2016 ZERODIUM Payout Ranges
LPE: Local Privilege Escalation
MTB: Mitigation Bypass
RCE: Remote Code Execution
RJB: Remote Jailbreak
SBX: Sandbox Escape
VME: Virtual Machine Escape
* All payment amounts are chosen at the discretion of ZERODIUM and are subject to change or cancellation without notice.
Apple iOS - $1.5M
Android - $200k
2019 ZERODIUM Payouts for Mobiles
FCP: Full Chain with Persistence
RCE: Remote Code Execution
LPE: Local Privilege Escalation
SBX: Sandbox Escape
* All payment amounts are chosen at the discretion of ZERODIUM and are subject to change or cancellation without notice.
Apple iOS - $2M
Android - $2.5M
The price of an Android exploit chain increased 1150%.
Regular security updates with advisories
Application sandbox
Exploit mitigations
More mature software development lifecycle

The price of an Android exploit increased 1150%.
CAVEAT: The price of an exploit is not always equal to the cost of an exploit.
37/56 bugs this year are memory corruption vulnerabilities.
Bug class: Heap buffer overflow
CVE-2021-1647: Windows Defender remote code execution
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1647.html
[ (0,0), (0,0), (0x2000,0), (0x2000,0x3000) ]
    if ( next_sect_addr > sect_addr ) {
        sect_addr = next_sect_addr;
        sect_sz = (next_sect_sz + 0xFFF) & 0xFFFFF000;
    }
    // if next_sect_addr <= sect_addr we continue on to next entry in the table
    [...]
    new_sect_alloc = operator new[](sect_sz + sect_addr);
    [...]
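The arithmetic behind that table, worked through as an added example (my code, not Project Zero's analysis or Microsoft's code; the struct and function names are illustrative, and the hardened version states the intent a reviewer would ask for, not the actual patch): flawed_alloc_size reproduces the slide's loop, so the fourth entry, which repeats address 0x2000 with the only real size, never updates sect_sz; safe_alloc_size instead takes the largest addr + rounded size over all entries with wraparound checks, and alloc_shortfall is how far a later per-section copy could reach past the flawed allocation. A constructed wrap_table shows the second failure mode, a 32-bit addr + size that wraps to a tiny allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One entry of the section table the unpacker walks: (address, raw size).
   Names are illustrative stand-ins, not Defender's own identifiers. */
typedef struct {
    uint32_t addr;
    uint32_t size;
} section_entry;

/* The table from the slide: two empty entries, then two entries that share
   address 0x2000, only the second of which carries a real size. */
static const section_entry slide_table[] = {
    {0, 0}, {0, 0}, {0x2000, 0}, {0x2000, 0x3000}
};
static const size_t slide_table_len = sizeof slide_table / sizeof slide_table[0];

/* Constructed adversarial entry whose addr + rounded size wraps 32 bits. */
static const section_entry wrap_table[] = { {0xFFFFF000u, 0x2000u} };

/* Page-round a size exactly as the slide's "(next_sect_sz + 0xFFF) & 0xFFFFF000". */
static uint32_t page_round(uint32_t sz) {
    return (sz + 0xFFFu) & 0xFFFFF000u;
}

/* Allocation size as the flawed loop on the slide computes it: only an entry
   with a strictly greater address updates (sect_addr, sect_sz), so an entry
   that repeats the highest address with a larger size is silently dropped. */
uint32_t flawed_alloc_size(const section_entry *tbl, size_t n) {
    uint32_t sect_addr = 0, sect_sz = 0;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].addr > sect_addr) {
            sect_addr = tbl[i].addr;
            sect_sz = page_round(tbl[i].size);
        }
        /* addr <= sect_addr: continue to the next entry, its size ignored */
    }
    return sect_sz + sect_addr;   /* unchecked 32-bit addition */
}

/* Hardened computation: the buffer must reach the largest end offset
   (addr + rounded size) over *all* entries, and every addition is checked
   for 32-bit wraparound. Returns 0 to signal "reject this input". */
uint32_t safe_alloc_size(const section_entry *tbl, size_t n) {
    uint32_t needed = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t rsz = page_round(tbl[i].size);
        if (rsz < tbl[i].size)                 /* rounding wrapped past 2^32 */
            return 0;
        if (tbl[i].addr > UINT32_MAX - rsz)    /* addr + rsz would wrap */
            return 0;
        uint32_t end = tbl[i].addr + rsz;
        if (end > needed)
            needed = end;
    }
    return needed;
}

/* Bytes a later per-section copy could write past the flawed allocation. */
uint32_t alloc_shortfall(const section_entry *tbl, size_t n) {
    uint32_t flawed = flawed_alloc_size(tbl, n);
    uint32_t needed = safe_alloc_size(tbl, n);
    return needed > flawed ? needed - flawed : 0;
}

int main(void) {
    printf("flawed allocation : 0x%x bytes\n", flawed_alloc_size(slide_table, slide_table_len));
    printf("required coverage : 0x%x bytes\n", safe_alloc_size(slide_table, slide_table_len));
    printf("shortfall         : 0x%x bytes\n", alloc_shortfall(slide_table, slide_table_len));
    printf("wrap_table flawed : 0x%x bytes (wrapped), safe: %u (rejected)\n",
           flawed_alloc_size(wrap_table, 1), safe_alloc_size(wrap_table, 1));
    return 0;
}
```

On the slide's table the flawed loop allocates 0x2000 bytes while the data extends to 0x5000, a 0x3000-byte shortfall; the review question for any such loop is whether the allocation is derived from the same per-entry values the copy phase will later use.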
CVE-2021-33742: Internet Explorer out-of-bounds write
The size of the innerHTML element is truncated (size & 0x1FFFFFF) in the CTreePos structure, while the non-truncated size is used in the TextData structure. The size in CTreePos is used for allocating the buffer, but the size in the TextData structure is used for the memcpy, leading to the out-of-bounds write.
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html

CVE-2021-33742: Internet Explorer out-of-bounds write example
    <script>
    var b = document.createElement("html");
    b.innerHTML = Array(40370176).toString();
    b.innerHTML = "";
    </script>
40370176 = 0x2680000
0x2680000 & 0x1FFFFFF = 0x680000
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html
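The width mismatch on those two slides, as an added example that is not from the deck or from Internet Explorer's code: ctreepos_like and textdata_like are illustrative stand-ins (only the 25-bit versus 32-bit size fields come from the page, not the real layouts), overrun_if_unchecked computes how far a copy sized from the full field would run past a buffer sized from the masked field, and store_text_checked is the guard a defender wants, rejecting any length the narrow field cannot represent and sizing the copy from the same stored value as the allocation. The input value is the slide's 40370176.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* 25-bit mask from the slide: the CTreePos size is kept as size & 0x1FFFFFF. */
#define CTREEPOS_SIZE_MASK 0x1FFFFFFu

/* Stand-ins for the two structures the slide names. Their real layouts are not
   on the page; only the width difference between the two size fields is modelled. */
typedef struct { unsigned int cch : 25; } ctreepos_like;  /* truncated size */
typedef struct { uint32_t cch; }          textdata_like;  /* full size */

/* Flawed flow: the buffer is sized from the truncated field but the copy length
   is taken from the full field. Returns how many bytes such a copy would run
   past the buffer (0 = sizes agree). Nothing is written; only sizes are computed. */
uint32_t overrun_if_unchecked(uint32_t text_len) {
    ctreepos_like pos = { .cch = text_len & CTREEPOS_SIZE_MASK };
    textdata_like td  = { .cch = text_len };
    uint32_t alloc_len = pos.cch;   /* what the allocation is based on */
    uint32_t copy_len  = td.cch;    /* what the memcpy is based on */
    return copy_len > alloc_len ? copy_len - alloc_len : 0;
}

/* Hardened flow: refuse any length the 25-bit field cannot hold, then size the
   allocation and the copy from the same stored value. On success *out owns a
   NUL-terminated copy the caller must free(). */
bool store_text_checked(const char *src, uint32_t text_len, char **out) {
    *out = NULL;
    if (text_len > CTREEPOS_SIZE_MASK)   /* would be silently truncated */
        return false;
    ctreepos_like pos = { .cch = text_len };
    char *buf = malloc((size_t)pos.cch + 1);
    if (buf == NULL)
        return false;
    memcpy(buf, src, pos.cch);           /* same value as the allocation */
    buf[pos.cch] = '\0';
    *out = buf;
    return true;
}

int main(void) {
    uint32_t n = 40370176u;              /* the slide's innerHTML length */
    printf("0x%x & 0x1FFFFFF = 0x%x, unchecked overrun = 0x%x bytes\n",
           n, n & CTREEPOS_SIZE_MASK, overrun_if_unchecked(n));
    char *p = NULL;
    printf("checked store of %u bytes accepted: %s\n", n,
           store_text_checked("", n, &p) ? "yes" : "no");
    if (store_text_checked("abc", 3, &p)) {
        printf("checked store of 3 bytes: \"%s\"\n", p);
        free(p);
    }
    return 0;
}
```

The general lesson is the one the slide states: when a length is stored in two places of different widths, every consumer must read the same one, and a value that does not fit the narrower field must be rejected at the point it is stored, not discovered at the memcpy.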
So you want to do…
Vulnerability research
Reverse engineering
Exploit development
Malware/exploit analysis

Coding, especially C/C++. Rust is becoming more and more important.
Classes: operating systems, compilers, computer architecture
Analyzing fixed vulnerabilities and understanding how they work. Try to exploit them.
Lots of folks in security publish their research on Twitter
Project Zero blog: https://googleprojectzero.blogspot.com/
Capture the Flag (CTF) competitions
Android Exploits 101 Workshop
Reverse Engineering 101 Workshop by Malware Unicorn
https://googleprojectzero.blogspot.com/p/working-at-project-zero.html
References
AusCERT 2021 Keynote [video]
2020 Year in Review blog post discussing how 25% of the 0-days detected in 2020 are closely related to previously publicly disclosed vulnerabilities [video]
2019 Year in Review blog post about struggles in 0-day detection
Project Zero 0-day in-the-wild tracking sheet
0-day in-the-wild root cause analyses
Presentation about performing root cause analyses
Presentation about performing variant analysis

Sources for Headlines on Slide #6
"More Attackers Have Begun Using Zero-Day Exploits": https://www.darkreading.com/attacks-breaches/more-attackers-have-begun-using-zero-day-exploits-/d/d-id/1337493
"An Elite Spy Group Used 5 Zero-Days to Hack North Koreans": https://www.wired.com/story/north-korea-hacking-zero-days-google/
"This Map Shows the Global Spread of Zero-Day Hacking Techniques": https://www.wired.com/story/zero-day-hacking-map-countries/
"Zero-click iMessage zero-day used to hack the iPhones of 36 journalists": https://arstechnica.com/information-technology/2020/12/zero-click-imessage-zeroday-used-to-hack-the-iphones-of-36-journalists/
"Microsoft patches 3 Windows 0-days under active exploit": https://arstechnica.com/information-technology/2020/04/4-windows-0days-under-active-exploit-get-fixes-in-this-months-update-tuesday/
"Google fixes two more Chrome zero-days that were under active exploit": https://arstechnica.com/information-technology/2020/11/google-fixes-two-more-chrome-zerodays-that-were-under-active-exploit/