BSidesCanberra2023 WhenExploitsArentBinary

The document is the slide text of a presentation about software exploits. It begins by listing several recent in-the-wild vulnerabilities in software such as Android, iOS, Chrome, and Windows. It then describes the three exploit types that typically make up a chain: remote code execution, sandbox escape, and privilege escalation. The presentation notes that attackers will only do what is necessary to accomplish their goals and urges defenders to raise the bar so that attackers are forced to use 0-days. It discusses the impact of 0-day exploits and the difference between 0-days and known vulnerabilities (n-days). The remainder of the document discusses challenges around 0-day disclosures, the meaning of the number of in-the-wild 0-days discovered, increasing the costs and difficulty of developing exploits, and examples of recent
When Exploits Aren’t Binary
Maddie Stone
@maddiestone
BSides Canberra 2023
Hi, I’m Maddie
and exploits are my favorite
CVE-2023-0266 - Android Kernel
CVE-2023-26083 - Android Mali GPU
CVE-2023-21492 - Samsung
CVE-2023-28205 - Safari
CVE-2023-28206 - iOS
CVE-2023-2033 - Chrome
CVE-2023-2136 - Chrome
CVE-2023-32409 - Safari
CVE-2023-3079 - Chrome
CVE-2023-37580 - Zimbra
CVE-2023-36874 - Windows
CVE-2023-36884 - Microsoft Office/IE
CVE-2023-41993 - Safari
CVE-2023-41991 - iOS
CVE-2023-41992 - iOS
CVE-2023-5217 - Chrome
🔥
Exploit #1: Remote Code Execution
Exploit #2: Sandbox Escape
Exploit #3: Privilege Escalation
Attackers will only do what is
necessary to accomplish their
goal.
Make them hack you with
0-days.
While 0-days may make up a
small minority of attacks, each
0-day has an outsized
impact on society.
0-day exploitation affects all of
us even when we’re not the one
being targeted.
Detect, analyze, and prevent 0-day* exploitation.
*targeted, government backed, limited, sophisticated
0-day or n-day?
0-day: a vulnerability defenders
don’t yet know about
n-day: a vulnerability defenders
do know about
or…
0-day: a vulnerability that doesn’t have a patch available
Where’s the confusion?
- Cute lil product I’ve purchased that I expect to receive security updates to keep me protected
- Cute lil licensed library
- Cute lil open sourced kernel that was forked
- Cute lil GPU driver
↑ Upstream releases a fix
↓ Downstream doesn’t release the fix
- A bug fixed upstream without a security
advisory or CVE
- A product that doesn’t or hasn’t ever
received security updates
- A bug that has been fully disclosed, but
not patched
- A mitigation bypass
What are you trying to
communicate?
Are you trying to communicate that…
- Users don’t have a clear recourse to protect themselves
- The attack required significant expertise
and resources
- There should be urgency
- It’s a bug defenders didn’t know exists
“N-days that function like
0-days”
https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY
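The two competing definitions on the "0-day or n-day?" slide and the cases on the "Where's the confusion?" slide can be made concrete by writing both definitions down as functions and running the confusing cases through them. The block below is an added example, not code from the talk or from Project Zero; the case names and every date in it are constructed placeholders, not real vulnerability timelines. The one design decision worth noting is that the patch-availability definition is keyed on the downstream ship date, because an upstream commit that never reached the product's users is not a patch the user can install.

```python
# Added example (not from the talk): the two competing "0-day" definitions from
# the slides, applied to the kinds of cases the "Where's the confusion?" slide
# lists. All case names and dates below are constructed placeholders.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnTimeline:
    name: str
    exploited_on: date                    # first observed in-the-wild use
    defenders_knew_on: Optional[date]     # public advisory / CVE / full disclosure
    upstream_fix_on: Optional[date]       # fix landed in the upstream project
    downstream_fix_on: Optional[date]     # fix shipped to users of the affected product


def _happened_by(d: Optional[date], when: date) -> bool:
    """True if the event dated d had already happened on `when`."""
    return d is not None and d <= when


def label_by_knowledge(v: VulnTimeline, when: Optional[date] = None) -> str:
    """Definition 1 from the slides: 0-day = defenders don't yet know about it."""
    when = when or v.exploited_on
    return "n-day" if _happened_by(v.defenders_knew_on, when) else "0-day"


def label_by_patch(v: VulnTimeline, when: Optional[date] = None) -> str:
    """Definition 2 from the slides: 0-day = no patch available to affected users.
    Keyed on the downstream date: an upstream commit that never reached the
    product's users is not a patch those users can install."""
    when = when or v.exploited_on
    return "n-day" if _happened_by(v.downstream_fix_on, when) else "0-day"


def functions_like_0day(v: VulnTimeline, when: Optional[date] = None) -> bool:
    """The talk's 'n-day that functions like a 0-day': defenders know about the
    bug, yet users still have nothing to install."""
    return label_by_knowledge(v, when) == "n-day" and label_by_patch(v, when) == "0-day"


def exposure_days(v: VulnTimeline, as_of: date) -> Optional[int]:
    """Days the downstream product lagged the upstream fix, measured up to
    `as_of` when no downstream fix has shipped yet. None if upstream has no fix."""
    if v.upstream_fix_on is None:
        return None
    end = v.downstream_fix_on if _happened_by(v.downstream_fix_on, as_of) else as_of
    return max(0, (end - v.upstream_fix_on).days)


# Constructed cases mirroring the slide's list; none of these are real timelines.
CASES = [
    # Fixed upstream as an ordinary bug, no advisory or CVE, downstream never picked it up.
    VulnTimeline("silent-upstream-fix", date(2023, 3, 1), None, date(2022, 11, 1), None),
    # Product that has never received security updates: nothing to install, ever.
    VulnTimeline("never-updated-product", date(2023, 3, 1), date(2022, 12, 1), None, None),
    # Fully disclosed (advisory public) but the vendor has not shipped a patch.
    VulnTimeline("disclosed-unpatched", date(2023, 3, 1), date(2023, 1, 15), None, None),
    # The boring case: advisory and patch both out before exploitation started.
    VulnTimeline("plain-n-day", date(2023, 3, 1), date(2023, 1, 15), date(2023, 1, 15), date(2023, 2, 1)),
]


def classify_all(cases=CASES, as_of: date = date(2023, 3, 1)):
    """Map each case to (definition-1 label, definition-2 label, functions-like-0day, lag days)."""
    return {
        v.name: (label_by_knowledge(v, as_of), label_by_patch(v, as_of),
                 functions_like_0day(v, as_of), exposure_days(v, as_of))
        for v in cases
    }


if __name__ == "__main__":
    for name, row in classify_all().items():
        print(f"{name:24} known={row[0]:6} patch={row[1]:6} fn-like-0day={row[2]!s:5} lag={row[3]}")
```

The two definitions disagree exactly on the cases the slide calls confusing: a publicly disclosed but unpatched bug, or a bug in a product that never ships updates, is an n-day by knowledge and a 0-day by patch availability, which is what the talk means by an n-day that functions like a 0-day. The silently fixed upstream bug is a 0-day under both definitions even though a fix exists somewhere, which is why "is there a patch?" needs to say for whom.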
What does the number of in-the-wild (detected & disclosed) 0-days mean? 🤔
The number of 0-days detected
and disclosed in-the-wild can’t
tell us much about the state of
security.
“Make 0day hard.”
- Google Project Zero’s Mission
1. Increase cost* per 0-day
✨ TANGENT ✨
https://twitter.com/opzero_en/status/1706762507631677760
https://twitter.com/opzero_en/status/1685621799311048705
Intellexa leak, August 2022: €8,000,000
1. Increase cost* per 0-day
Cost to develop a 0-day
!=
Cost to buy a 0-day
1. Increase cost* per 0-day
*time, money, expertise

2. Increase number of 0-days required

Costs more for a less useful 0-day.
What does the number of
in-the-wild 0-days mean? 🤔

Causes Number to Go Up
● Discovering & fixing 0-days more quickly 🎉
● More folks disclosing when a 0-day is known to be in-the-wild 🎉
● Adding security boundaries to platforms 🎉
● Variant analysis is not performed on reported vulnerabilities 😢
● Exploit techniques are not mitigated 😢
● More exploitable vulnerabilities are added to code than fixed 😢

Causes Number to Go Down
● Fewer exploitable 0-day vulnerabilities exist 🎉
● Each new 0-day requires the creation of a new exploitation technique 🎉
● New vulnerabilities require researching new attack surfaces 🎉
● Slower to detect in-the-wild 0-days so a bug has a longer lifetime 😢
● Longer until users are able to install a patch 😢
● Less sophisticated attack methods are sufficient 😢
From the 2022 Year in Review Report:
N-days function like 0-days on Android due to long patching times. Across the Android ecosystem
there were multiple cases where patches were not available to users for a significant time. Attackers didn’t
need 0-day exploits and instead were able to use n-days that functioned as 0-days.

0-click exploits and new browser mitigations drive down browser 0-days. Many attackers have been
moving towards 0-click rather than 1-click exploits. 0-clicks usually target components other than the
browser. In addition, all major browsers also implemented new defenses that make exploiting a vulnerability
more difficult and could have influenced attackers moving to other attack surfaces.

Over 40% of the 0-days discovered were variants of previously reported vulnerabilities. Seventeen
out of the 41 in-the-wild 0-days from 2022 are variants of previously reported vulnerabilities. This continues
the unpleasant trend that we’ve discussed previously in both the 2020 Year in Review report and the
mid-way through 2022 report. More than 20% are variants of previous in-the-wild 0-days from 2021 and
2020.

Bug collisions are high. 2022 brought more frequent reports of attackers using the same vulnerabilities as
each other, as well as security researchers reporting vulnerabilities that were later discovered to be used by
attackers. When an in-the-wild 0-day targeting a popular consumer platform is found and fixed, it's
increasingly likely to be breaking another attacker's exploit as well.
Bug Collisions
CVE-2023-36802
https://twitter.com/jgrusko/status/1571921203723440135
Dec 2022 Variston Campaign in UAE

n-day in Samsung Browser, unpatched:
CVE-2023-21492: Info leak in Samsung
CVE-2022-4262: Chrome RCE
CVE-2022-3038: Chrome SBX

n-day in Android, unpatched:
CVE-2023-0266: LPE to root in Kernel
CVE-2022-22706: LPE to system in Mali
CVE-2023-26083: Info leak in Mali
Sept 2023 Intellexa Campaign in Egypt

iOS:
CVE-2023-41993: Safari RCE
CVE-2023-41991: Signature Validation Issue
CVE-2023-41992: Kernel LPE

Android:
CVE-2023-4762: Chrome RCE
???
What can we do?
There has been significant
progress in security.
Don’t let perfection be the
enemy of good.
Vendor response to reported vulnerabilities
● Get fixes and mitigations to users quickly so that they can protect themselves.
● Perform detailed analyses to ensure the root cause of
the vulnerability is addressed.
● Share as many technical details as possible.
● Capitalize on reported vulnerabilities to learn and fix as
much as we can from them.
Thank you!
@maddiestone
0day-in-the-wild <at> google <dot> com
