0days, Exploits and Bug bounties

Nicholas, I’m French, no H please!

• Before at Vupen, at MSRC UK now, fixing stuff I used to break

• Been to CanSec’ before

@n_joly to find cool cat pics

Aug 2014 – Sept 2015, chasing the bounties

• Getting ready for big bounties

• Dealing with last minute mitigations

• Why you do absolutely need your lucky charm

• Collisions, when you feel bad for a day

Get ready for action!

pwn2own Mobile at PacSec

• Competing on my own for the first time

• Spent 1 month+ on that challenge

• Failed at pwning the sandbox but uncovered 3 escapes for IE desktop

• Great holidays!

Trophy!

Lucky charm, exploiter’s best friend

Meanwhile, between two sushis…

December, playing with Reader

• Playing first with known areas, uncovered some UAFs

• Opened some IDBs, was looking for 3D stuff

• Spent one month to get 2 working exploits

Where to look at?

JavaScript™ for Acrobat® 3D Annotations API Reference

Spot the bugz, you have 2 secs

Has anybody heard of that before?

But what’s dumped?

That’s a return address to ScCore.dll

By early Feb, 3 exploits for 3 targets

• Built the escapes found earlier in November

• Built a certain number of Flash exploits, just in case

• Built a VBScript exploit for IE x64

• Built 2 PDF exploits sharing the same escape

But…

Let’s add mitigations to the game!

What’s that CFG thing people keep talking about?

An optional feature…

How does that work?

https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx

So basically, before the optional update:

With CFG:

Net result:

Had to rethink about everything

• Reader “safe”, not compiled with the flag

• Sandbox escapes partially affected

• Flash and IE :S

Flash.ocx 17.0.0.34

And then the Wassenaar drama

Let’s find permit A-38

The March black Tuesday

When you need to be lucky!

Here goes the crazy week

“A” vulnerability.

Not 27!! But obviously mine!!!!

And then registering for the contest

• On Tuesday, 3 exploits

• On Wednesday, 2 ½ exploits

• But on Friday…

Time to go to Vancouver, with my 1 ½ exploits

Junctions!

C:\dir1\dir2\dir3\Junction\..\dir4\dir5\file

With Junction pointing to an untrusted location, such as %temp%\low

FILE_ATTRIBUTE_REPARSE_POINT

k33nteam reported 3 bugs, but missed that one!
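A defender's illustration of the junction trick above, added here and not part of the talk: a string-only check sees `Junction\..` cancel out and believes the path stays under dir3, while the filesystem follows the reparse point first and the `..` then climbs out of %temp%\low. The fixture layout, the `resolve_inside` broker-style check and the use of a symlink to stand in for a junction are all my constructions.

```python
import ntpath
import os
import stat
import tempfile

TALK_PATH = r"C:\dir1\dir2\dir3\Junction\..\dir4\dir5\file"

def lexical_view(path):
    """What a string-only check sees: '..' simply cancels 'Junction'."""
    return ntpath.normpath(path)  # ntpath so this runs on any host

def is_reparse_point(path):
    """Junction/symlink test: st_file_attributes on Windows, S_ISLNK elsewhere."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT) or stat.S_ISLNK(st.st_mode)

def resolve_inside(root, relative):
    """Broker-style check: walk one component at a time below root, refusing
    '..' and any component that is a reparse point the check did not expect."""
    current = root
    for part in relative.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            raise PermissionError("parent traversal rejected in " + relative)
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            raise FileNotFoundError(current)
        if is_reparse_point(current):
            raise PermissionError("reparse point rejected: " + current)
    return current

def build_fixture():
    """Constructed layout (not from the talk): a symlink models the junction into temp/low."""
    base = tempfile.mkdtemp()
    trusted = os.path.join(base, "dir1", "dir2", "dir3")
    low = os.path.join(base, "temp", "low")
    os.makedirs(low)
    for d in (trusted, os.path.join(base, "temp")):
        os.makedirs(os.path.join(d, "dir4", "dir5"))
        open(os.path.join(d, "dir4", "dir5", "file"), "w").close()
    os.symlink(low, os.path.join(trusted, "Junction"))
    return base, trusted

def where_it_really_lands(trusted):
    """Filesystem view: through the link, then '..' climbs out of it.
    Returns (real path, whether that path is still under trusted)."""
    real = os.path.realpath(os.path.join(trusted, "Junction", "..", "dir4", "dir5", "file"))
    return real, real.startswith(os.path.realpath(trusted) + os.sep)
```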

• Had to code everything on site but fortunately the ferry to Vancouver Island takes quite some time:

• First time I coded an exploit on a ferry in my life, but that was worth it!

But my story was nothing compared to that guy

What do I do with my escapes?

Spartan bug bounty comes at rescue!

http://blog.talosintel.com/2015/10/dangerous-clipboard.html

But what is it about?

• Heap overflow in GdiConvertBitmapV5

http://blog.talosintel.com/2015/10/dangerous-clipboard.html

Collisions, the true taste of peanuts

Or when you’re grumpy for a week…

Collisions 1/4

Collisions 2/4

And by the way…

This one was reported against AS2 only!

Collisions 3/4

Collisions 4/4

That’s k33nteam’s entry, which was also my 2nd!

The art of being suspect no1

• CVE-2014-0574 ba.clear

• CVE-2014-0588 ba.uncompressvialzma

• CVE-2015-0359 ba.writeObject

• CVE-2015-0312 ba.compress

…

That is NOT me

That is me

After one year…

Time needed to pay/patch a bug

Spartan bounty: payment issued 46 days after report, patches out after 79 days

An amazing experience

• Finally decided to join Microsoft in the UK

• So many challenges to take on!

Chromium’s Xmasgifts

• Created a company

• Travelled everywhere

• Even gave a talk at MOSEC!

Want some bounties? https://aka.ms/BugBounty

Have some cool bugz? [email protected]

Wanna wear the blue Hat? http://careers.microsoft.com

Thanks :)

Got a question

References

• Spartan Bounty https://technet.microsoft.com/en-us/dn972323.aspx

• Dangerous Clipboard http://blog.talosintel.com/2015/10/dangerous-clipboard.html

• Control Flow Guard https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx

• Exploring CFG in Windows 10 http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/

• CFG effects to memory space http://www.alex-ionescu.com/?p=246

• JavaScript™ for Acrobat® 3D Annotations API Reference http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/AcrobatDC_js_3d_api_reference.pdf

• HackingTeam Flash Exploit http://blogs.360.cn/blog/hacking-team-part2/

• Camera.copyPixelsToByteArray https://code.google.com/p/chromium/issues/detail?id=424981

• DisplayObject.opaqueBackground https://code.google.com/p/chromium/issues/detail?id=508009

• AS2 Filters Confusion https://code.google.com/p/chromium/issues/detail?id=457261 and https://code.google.com/p/google-security-research/issues/detail?id=244

• CVE-2015-0313 http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/