For the third time in a row, RandoriSec sponsored Hexacon, an offensive security event in Paris. A team of a dozen people from RandoriSec attended trainings, workshops and the talks. As usual, you can find a quick review of what we liked the most.

Workshops and Trainings

iOS for security engineers (Quentin Meffre, Etienne Helluy-Lafont)

This training, given by Quentin Meffre and Etienne Helluy-Lafont, covered several topics on MacOS and iOS. It started with the basics : how to jailbreak a device, how to compile a native binary for IOS and how to write basic Objective-C programs. Then we discovered the different IPC mechanisms offered by MacOS/iOS : mach messages, XPC and NSXPC services.

We then took a tour of the kernel, discovering how the source code is organised, the two kernel parts (XNU/BSD), how to call undocumented syscalls and how the kernel manages its extensions. We also covered the protections implemented by MacOS/iOS: PAC, KTRR, the Mandatory Access Control Framework and the new SPTM.

We had several exercises during the training to put things into practice. The training was quite intense but very interesting and well done. Thank you to the trainers for this course.

Mobile Reversing and Security Analysis - iOS & Android (Jiska Classen)

This workshop was organized by BlackHoodie and conducted by Jiska Classen. It provided beginner-friendly training on the fundamentals of mobile reverse engineering for iOS and Android devices, structured over two days:

Day 1 – Android

The first day began with an introduction to Android applications and system permissions, covering both static and dynamic native code reverse engineering. Hands-on exercises were conducted using tools such as JADX, Frida (for hooking and tracing) and Ghidra. Below is the complete agenda:

• The internal structure of an Android app.
• Static analysis of applications written in Java/Kotlin using Ghidra and jadx.
• Android specifics: Java virtualization, native libraries, JNI, etc.
• Dynamic instrumentation of applications that mix Java and native code using Frida.
• Android security boundaries: Intents, content providers, Binder, SELinux, sandboxing.
• Inter-process communication: Understanding Binder internals and tracing its interactions.

Day 2 – iOS

On the second day, we delved into Apple frameworks and learned how to navigate Apple’s public documentation. The session covered topics such as jailbreaks, entitlements, and the structure of a Mach-O file. Additionally, we explored dumping an iOS app, reversing it using Ghidra, and dynamically modifying function behavior through Frida scripting. Below is the full agenda:

• Apple’s public documentation and source code.
• Attack surface and threat modeling: How to approach an App from a security point of view.
• The Apple App Store security model: Code signing, App Review, Entitlements, the iOS sandbox, and TCC.
• The internal structure of an iOS application: metadata and resources in Application Bundles, third-party frameworks, AppExtensions, and Mach-O internals, Fair- Play DRM & decrypting iOS Apps, introduction to the DYLD Shared Cache.
• Static analysis: Navigating through larger binaries, Objective-C and Swift calling conventions and name mangling.
• Dynamic analysis: Writing stand-alone Frida scripts to inject data and trigger bugs.
• Reading and interpreting crash logs.

Talks

0-click RCE on Tesla Model 3 through TPMS Sensors (David Berard, Vincent Dehors, Thomas Imbert)

A presentation of the research from David Berard, Vincent Dehors and Thomas Imbert from Synacktiv done for Pwn2Own Vancouver 2024, targeting the Tesla Model 3. They already targeted Tesla on previous Pwn2Own, so they are quite knowledgable on this topic. In this case, they attacked the Tire Pressure Monitoring System (TPMS) sensors that communicates with the VCSEC ECU. This ECU is designed by Tesla and notably manages security (locking/unlocking the car’s door, starting the vehicle, …) as well as the car’s safety, using Controller Area Network (CAN) messages across the vehicle’s bus.

TPMS sensors are embedded in each wheel and raise an alert if tire’s pressure is out of expected range. They communicate with VCSEC through Bluetooth Low Energy (BLE), and the communication is secured using certificates. Therefore an association phase is required to bind the VCSEC and known TPMS sensors. Certificates are too large to fit in a single BLE message, so multiple messages are necessary to provide this information to the VCSEC. Each part of a single certificate message includes an index to merge all the messages but this index is incorrectly validated and allows arbitrary write from a rogue TPMS sensor.

One fun fact is this vulnerability is only present for a specific version of the sensor that was not yet available for production.

The association phase has constraints:

• The engine must be started for a couple of minutes, with a minimum speed
• Fewer than 4 TPMS sensors must be reachable

The attack scenario used two BLE devices, one to connect to a TPMS sensor in order to block communication with the VCSEC, and another one to exploit the vulnerability when the VCSEC tries to associate with this fake sensor. Once exploited, they sent CAN messages to demonstrate their ability to compromise the vehicle.

Exploiting file writes in hardened environments - From HTTP request to ROP chain in Node.js (Stefan Schiller)

Exploiting an arbitrary file write in a web application is usually very straightforward. However, in the case of the presenter, the arbitrary file write vulnerability he found in a Nodejs application was not exploitable because the root filesystem was mounted as read-only. As a result, he could not gain remote code execution by writing files to the system, such as by pushing the attacker’s ssh key. Instead, he used the capabilities exposed in /proc to inject a ropchain into the Nodejs application using the bug he found.

Nodejs uses a library called libuv to provide an asynchronous and non-blocking event loop; this library uses unnamed pipes to send and receive events. These unnamed pipes are exposed in the /proc/self/fd directory just like normal file descriptors and are writable because pipes are handled by a filesystem called pipefs.

When an event is received, libuv will find a handler function using the information stored in the event structure. Using the arbitrary file write primitive, the speaker was able to send fake events to libuv by writing to these unnamed pipes. Thanks to the large codebase of Nodejs and the decision to disable PIE to improve performance, he had a lot of ROP gadgets and unaligned fake structures at his disposal without any information leakage to gain to build a ropchain.

His first payload crashed; by default, nodejs uses utf-8 encoding when writing to a file, which causes bytes within the payload to be replaced with utf-8 substitution characters. Finally, after carefully choosing the gadgets and fake structures within the binary, the speaker gained remote code execution on the web application.

Defense through Offense: Building a 1-click Calling Exploit targeting Messenger for Android (Andrew Calvano, Octavian Guzu, Ryan Hall)

The presentation outlines an exercise aimed at developing an advanced exploit for Messenger on Android. Messenger’s popularity, combined with its significant C and C++ codebase and the shift to end-to-end encryption, makes the app an attractive target for attackers. As encryption moves more of the app’s security responsibilities to the client, vulnerabilities in the client-side code become more valuable.

The team successfully engineered a “1-click” exploit, meaning a user could be compromised by a single action, such as accepting a call. They leveraged four vulnerabilities found in various features, including calling, messaging, and AR filters. These vulnerabilities were chained together to execute arbitrary code, overcoming Android’s built-in security defenses like non-executable memory (NX), address space layout randomization (ASLR), and the hardened memory allocator, Scudo.

Through this process, the team identified several areas where Messenger’s security could be improved, particularly in memory protection mechanisms, to better guard against future exploits.

Tales of a RCE in a video game (Thomas Dubier)

This talk was about presenting vulnerability research on Thomas’s collection of dusted video games from his library. He mainly focused his research on getting RCE, and thus selected games having an online mode. These types of targets are very interesting from a point of view of an attacker as they often embed custom format and protocols, and are thus prone to bugs. First RCE he presented was in Diablo I, where he found a buffer overflow when a player connects to a game session. He also found a second similar bug when a level is loaded. By chaining these two bugs, he was able to get a stack buffer overflow and gain PC control by overwriting the return value, and ropping to RCE. Second RCE was in Aliens versus Predator 2, where he found a bug in the parsing of chat messages. This bug leads directly to a stack overflow and thus he gains PC control easily. As stack isn’t executable, he searches for RWX section and ROP to write a shellcode there, leading to the awaited RCE! This talk was fun and a bit less serious than the others, which was refreshing.

0-click RCE on the IVI component: Pwn2Own Automotive edition (Mikhail Evdokimov)

Mikhail Evdokimov is a Senior Security Researcher at PCAutomotive’s Security Assessment Team. Its presentation was an overview of its entry at Pown2Own Automotive 2024. He presented a nice 0-click RCE vulnerability and its exploitation. The target was the Alpine Halo9 iLX-F509 In-Vehicle Infotainment. This IVI presents multiple interfaces (WLAN, USB, Bluetooth), and M.Evdokimov choose to focus on the Bluetooth interface. The vulnerability was an Use-After-Free located in the L2CAP layer, sitting above the Host Controller Interface HCI. This layer is implemented in an userland binary with few mitigations enabled (e.g.: no PIE). The function prh_l2_sar_data_ind manage the reception of data coming from the lower layer of the BT stack, it assembles the final L2CAP packet. M.Evdokimov turned the UAF into a heap buffer overflow and managed to find the primitives needed to shape the heap remotely. Even if the binary did not have any mitigation, as most vendor push updates a few days before the pown2own competition, he chooses to exploit the vulnerability as-if PIE was enabled, meaning he needed to bypass the ASLR. He detailed most of the exploit steps, and how he improved the exploit reliability to 96%, which is really impressive for a remote exploit. One of the most interesting talks for us, we hope that the slides will be released.

Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel (Pedro Pinto)

In this talk, Pedro Pinto takes us through a 0day vulnerability (CVE-2024-41010) they discovered and exploited in the Linux Kernel, which ultimately led to capturing the flag in the Google KernelCTF VRP and win a reward. The initial bug appeared relatively limited: the premature release of tcx_entry in the Linux’s traffic control (TC) subsystem leads to a Use-After-Free. However, by slowly using pivoting techniques and cross-cache manipulation, they were able to progressively escalate the impact of the vulnerability, unlocking more powerful and generic exploitation methods. The final exploit strategy was using the well-known pipe_buffer technique. The basic idea is to target the page pointer of the pipe_buffer structure that points to a page struct in the vmemmap_base array to achieve arbitrary read/write. They concluded the presentation with a demonstration of the exploit and an overview of the KernelCTF submission process.

Proxying to Kernel : Streaming vulnerabilities from the Windows Kernel (An-Jie Yang)

Angelboy presented his recent research on the Windows Kernel after having successfully exploited Windows 11 in Pwn2Own Vancouver 2024. The target of his research is the Microsoft Kernel Streaming Service (MSKSSRV), an already overlooked attack surface and he gives some details of two CVE’s (CVE-2023-29360, CVE-2023-36802). The research was mainly focused on the mskssrv.sys driver, but the Kernel Streaming is more complex and is made of many components like ks.sys, HdAudio.sys, ksthunk.sys and more.

Kernel Streaming is used for webcam and audio, and is made of three multimedia class driver models:

• Port class: Used for PCI and DMA-based audio device hardware drivers,
• AVStream: Multimedia driver provided by Microsoft that primarily supports video-only and integrated audio/video streaming,
• Stream class: Outdated.

He explains how some Kernel Streaming objects works, like KS Filters, KS Pins, KS Events and gives us some insights about the Kernel Streaming architecture.

The whole talk is about a bug pattern where a kernel driver would make some checks only when the RequestorMode is set to the User mode. Thus they found some bugs and managed to proxify their request to IOCTL handlers using ks!KsSynchronousIoControlDevice called during KS Property handling, which sets the RequestorMode to Kernel mode.

They managed to successfully exploit CVE-2024-35250 and CVE-2024-30084, using the previous technique, to compromise Windows 11 at Pwn2Own Vancouver 2024.

After Pwn2Own they dig into the KS Events internals in ksthunk.sys and found the same bug pattern during event handling. They got an arbitrary increment primitive and found a new way to get EoP by changing nt!SeDebugPrivilege from 0x14 to 0x17 to get SeDebugPrivilege the privilege.

This talk highlights a huge design flaw in Windows, developers must take into account information other than Irp->RequestorMode.

Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel (Mingi Cho, Wongi Lee)

In this presentation, the researchers have targeted the Linux kernel for the Google KernelCTF and Pwn2OWn. They presented two vulnerabilities (CVE-2023-31248 and CVE-2024-36978), where they needed to perform cross-CPU allocations. In the Linux kernel, the memory allocator (SLUB allocator) associates some memory regions to a specific core of the processor. Sometimes, in order to exploit a vulnerability, it is necessary to have different tasks running in parallel. The goal of “Cross-CPU Allocation” is to allocate an object belonging to a memory region associated with one core to another one. “Cross-CPU allocation” consists of allocating a large amount of memory regions to a specific core. When these regions are released, if there is too much free space associated with a core, these regions are stored in a global pool shared by all cores. The memory region can then be reallocated to another core. They also reproduced the technique on the page allocator which also has a mechanism to associate pages with a specific core. Finally, the researchers concluded the presentation with a demonstration of an exploit on the Google kernel CTF instances.