SlideShare ist ein Scribd-Unternehmen logo

Real_World_0days.pdf

D
distortdistort

2021 0-days found in wild

Technologie
1 von 98
Downloaden Sie, um offline zu lesen
0-days Detected In-the-Wild in 2021 Real World 0-days Maddie Stone @maddiestone OffensiveCon 2022
Make 0day hard.
0-day exploits exploited in-the-wild.
0-day exploits detected & disclosed as in-the-wild.
57 0-days detected in-the-wild
https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0
https://googleprojectzero.github.io/0days-in-the-wild/rca.html
Caveat: These are my takes & thoughts. I’d love to hear yours.
The uptick in 0-days is due to progress in security.
The uptick in 0-days is due to progress in security. The data points show that all the 0-days actually look a lot like what we’ve seen before.
The uptick in 0-days is due to progress in security. The data points show that all the 0-days actually look a lot like what we’ve seen before. While we have more data than ever before, we’re still missing a lot.
The uptick in 0-days is due to progress in security.
https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html
https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html As a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can’t draw significant conclusions due to the lack of (and biases in) the data we have collected.
More detection More disclosure
More detection More disclosure
2019 Reporters 2020 Reporters 2021 Reporters Alibaba Cloud Intelligence Security Team Andy cPanel Security Team Coinbase Security Codesafe Team of Legendsec at Qi'anxin Group DBAppSecurity Co., Ltd ESET Francisco Alonso & Javier Marcos DEVCORE Research Team Google Project Zero Google Project Zero Dubex Google Threat Analysis Group Google Threat Analysis Group Enki Kaspersky Lab Kaspersky Lab EXPMON Microsoft Security Response Center National Security Agency Github Security Lab Resecurity, Inc. Qihoo 360 ATA Google Project Zero Trend Micro Trend Micro Research Google Threat Analysis Group Trend Micro’s Zero Day Initiative Kaspersky Lab Mandiant Mattias Buelens Microsoft Browser Vulnerability Research Microsoft Security Response Center Microsoft Threat Intelligence Center Qihoo 360 ATA Sangfor The Citizen Lab Tianfu Volexity
More detection More disclosure
Nothing is all that new.* * one exception
Memory Corruption is still the name of the game.
39 Memory Corruption Bugs
17 use-after-free 6 out of bounds r/w 4 buffer overflow 4 integer overflow
Browsers
14 Chromium 7 WebKit (Safari) 4 Internet Explorer 0-days detected in-the-wild
Chromium
6 Javascript Engine (v8) 2 DOM Engine (Blink) 1 WebGL 1 IndexedDB 1 webaudio 1 Portals 2 Other
WebKit
4 Javascript Engine (JSC) 1 IndexedDB 1 Storage 1 UXSS
Use-after-free in WebKit CVE-2021-30858
CVE-2021-30858 https://support.apple.com/en-us/HT212807
https://github.com/WebKit/WebKit/commit/fbf37d27e313d8d0a150a74cc8fab956eb7f3c59
https://github.com/googleprojectzero/0days-in-the-wild/commit/67fde24b17e0defe07208d7a7f63563168ed5e62
var fontFace1 = new FontFace("font1", "", {}); var fontFaceSet = new FontFaceSet([fontFace1]); fontFace1.family = "font2";
“Greetings from Apple Product Security”
https://trac.webkit.org/changeset/281384/webkit
- template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCounted<T>, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments) { return CrossThreadTask([callee = makeRefPtr(&callee), method, arguments = std::make_tuple(crossThreadCopy(arguments)...)]() mutable { callMemberFunctionForCrossThreadTask(callee.get(), method, WTFMove(arguments)); }); } - template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCounted<T>, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments)
class IDBOpenDBRequest final : public IDBRequest {
class IDBOpenDBRequest final : public IDBRequest { class IDBRequest : public EventTargetWithInlineData, public IDBActiveDOMObject, public ThreadSafeRefCounted<IDBRequest> {
class IDBOpenDBRequest final : public IDBRequest { class IDBRequest : public EventTargetWithInlineData, public IDBActiveDOMObject, public ThreadSafeRefCounted<IDBRequest> {
- template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCounted<T>, T> ::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments) { return CrossThreadTask([callee = makeRefPtr(&callee), method, arguments = std::make_tuple(crossThreadCopy(arguments)...)]() mutable { callMemberFunctionForCrossThreadTask(callee.get(), method, WTFMove(arguments)); }); } - template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCounted<T>, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments)
- template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCounted<T>, T> ::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments) { return CrossThreadTask([callee = makeRefPtr(&callee), method, arguments = std::make_tuple(crossThreadCopy(arguments)...)]() mutable { callMemberFunctionForCrossThreadTask(callee.get(), method, WTFMove(arguments)); }); } - template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCounted<T>, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments)
- template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCounted<T>, T> ::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments) { return CrossThreadTask([callee = makeRefPtr(&callee), method, arguments = std::make_tuple(crossThreadCopy(arguments)...)]() mutable { callMemberFunctionForCrossThreadTask(callee.get(), method, WTFMove(arguments)); }); } is_base_of<ThreadSafeRefCounted<IDBRequest>, IDBOpenDBRequest>
index.html: <script>w = new Worker('idbworker.js');</script> idbworker.js: function gc() { for (var i = 0; i < 1000; i++) { a = new Uint8Array(1024*1024); } } let ev = new Event('mine'); let req = http://indexedDB.open('db'); req.dispatchEvent(ev); req = 0; ev = 0; gc(); https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html
Internet Explorer
Known Internet Explorer itw 0-days MSHTML JScript VBScript JScript9 Info Leak Total 2021 3 1 4 2020 1 1 2 2019 2 1 3 2018 1 1 2017 1 2 3 2016 1 1 2 4 2015 1 2 3
Known Internet Explorer itw 0-days MSHTML JScript VBScript JScript9 Info Leak Total 2021 3 1 4 2020 1 1 2 2019 2 1 3 2018 1 1 2017 1 2 3 2016 1 1 2 4 2015 1 2 3
● Malicious Office docs that loaded web content in Internet Explorer ● Spawned an Internet Explorer process via VBA macros to navigate to a web page ● Web page fingerprinted than delivered exploit ● Out-of-bounds write in MSHTML ○ Size of the string of the inner html element is truncated (size&0x1FFFFFF) in the CTreePos structure while the non-truncated size is still in the text data object. Memory at is allocated based on the size in the CTreePos structure, the truncated size. The memcpy is based on the non-truncated size. CVE-2021-33742: Out of Bounds Write in MSHTML https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html
<script> var b = document.createElement("html"); b.innerHTML = Array(40370176).toString(); b.innerHTML = ""; </script> CVE-2021-33742 https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html
https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/
https://blogs.windows.com/windowsexperience/2021/05/19/the-future-of-internet-explorer-on-windows-10-is-in-microsoft-edge/ This retirement does not affect [...] It also does not affect the MSHTML (Trident) engine.
Windows
10 Windows 0-days detected in-the-wild
● 2 Enhanced crypto provider ● 2 NTOS kernel ● 2 win32k ● 1 Windows update medic ● 1 SuperFetch ● 1 dwmcore.dll ● 1 ntfs.sys
In 2019, 75% of Windows 0-days targeted win32k.
iOS & macOS
4 iOS & 1 macOS 0-days detected in-the-wild ● 2 IOMobileFrameBuffer ● 2 XNU (1 iOS & 1 macOS) ● 1 CoreGraphics
4 iOS & 1 macOS 0-days detected in-the-wild ● 2 IOMobileFrameBuffer ● 2 XNU (1 iOS & 1 macOS) ● 1 CoreGraphics
4 iOS & 1 macOS 0-days detected in-the-wild ● 2 IOMobileFrameBuffer ● 2 XNU (1 iOS & 1 macOS) ● 1 CoreGraphics
Drum roll please for the best bug of the year….
The Zero Click iMessage Bug CVE-2021-30860
Guint numSyms; // (1) numSyms = 0; for (i = 0; i < nRefSegs; ++i) { if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { numSyms += ((JBIG2SymbolDict *)seg)->getSize(); // (2) } else if (seg->getType() == jbig2SegCodeTable) { codeTables->append(seg); } } else { error(errSyntaxError, getPos(), "Invalid segment reference in JBIG2 text region"); delete codeTables; return; } } ... // get the symbol bitmaps syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *)); // (3) kk = 0; for (i = 0; i < nRefSegs; ++i) { if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { symbolDict = (JBIG2SymbolDict *)seg; for (k = 0; k < symbolDict->getSize(); ++k) { syms[kk++] = symbolDict->getBitmap(k); // (4) } } } https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
“My other compression format is turing-complete!” Ian Beer’s blog post
Android
7 Android 0-days detected in-the-wild ● 3 Qualcomm Adreno GPU ● 2 ARM Mali GPU ● 2 upstream kernel
7 Android 0-days detected in-the-wild ● 3 Qualcomm Adreno GPU ● 2 ARM Mali GPU ● 2 upstream kernel
7 Android 0-days detected in-the-wild ● 3 Qualcomm Adreno GPU ● 2 ARM Mali GPU ● 2 upstream kernel
CVE-2021-1048 2020-09-02 11:30:48 -0400 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=77f4689de17c0887775bb77896f4cc11a39bf848
https://source.android.com/security/bulletin/2021-11-01#2021-11-06-security-patch-level-vulnerability-details Not included in Android Security Bulletin until November 2021. 14 months after upstream patch.
Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list") https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=77f4689de17c0887775bb77896f4cc11a39bf848
“The more you know, the more you realize you don’t know.” - Aristotle
Where are the Messaging app Other phone components Linux Cloud Specific Android OEM 0-days?
Detection, Disclosure, or Both?
2019 Reporters 2020 Reporters 2021 Reporters Alibaba Cloud Intelligence Security Team Andy cPanel Security Team Coinbase Security Codesafe Team of Legendsec at Qi'anxin Group DBAppSecurity Co., Ltd ESET Francisco Alonso & Javier Marcos DEVCORE Research Team Google Project Zero Google Project Zero Dubex Google Threat Analysis Group Google Threat Analysis Group Enki Kaspersky Lab Kaspersky Lab EXPMON Microsoft Security Response Center National Security Agency Github Security Lab Resecurity, Inc. Qihoo 360 ATA Google Project Zero Trend Micro Trend Micro Research Google Threat Analysis Group Trend Micro’s Zero Day Initiative Kaspersky Lab Mandiant Mattias Buelens Microsoft Browser Vulnerability Research Microsoft Security Response Center Microsoft Threat Intelligence Center Qihoo 360 ATA Sangfor The Citizen Lab Tianfu Volexity
Do these bug patterns look like previous bugs because that’s what we know how to detect?
Where are the spl0itz?
5 out of 57 0-days have the exploit sample publicly available.
Big uptick in in-the-wild 0-days = 😁
Big uptick in in-the-wild 0-days = 😁 Bug patterns & types are similar to previous years = 😐
Big uptick in in-the-wild 0-days = 😁 Bug patterns & types are similar to previous years = 😐 Still room for improvement on detection & disclosure = 🧐󰚤
What do you think?
● Root cause analysis, patch analysis, and variant analysis performed on every in-the-wild 0-day. ● Exploit samples are shared widely. ● Vendors transparently annotate exploited status. ● More, more, more detection. Hopes & Dreams
THANK YOU! @maddiestone
RCE in Windows Defender CVE-2021-1647
● Heap buffer overflow when mpengine.dll is processing the section table to unpack an ASProtect packed executable. ● Each entry in the section table has two values: ○ Virtual address of section & section size CVE-2021-1647
Example section table: [ (0,0), (0,0), (0x2000,0), (0x2000,0x3000) ] if ( next_sect_addr > sect_addr ) { sect_addr = next_sect_addr; sect_sz = (next_sect_sz + 0xFFF) & 0xFFFFF000; } // if next_sect_addr <= sect_addr we continue on to next entry in the table [...] new_sect_alloc = operator new[](sect_sz + sect_addr); [...] CAsprotectDLLAndVersion::RetrieveVersionInfoAndCreateObjects
Example section table: [ (0,0), (0,0), (0x2000,0), (0x2000,0x3000) ] if ( next_sect_addr > sect_addr ) { sect_addr = next_sect_addr; sect_sz = (next_sect_sz + 0xFFF) & 0xFFFFF000; } // if next_sect_addr <= sect_addr we continue on to next entry in the table [...] new_sect_alloc = operator new[](sect_sz + sect_addr); [...] CAsprotectDLLAndVersion::RetrieveVersionInfoAndCreateObjects
Example section table: [ (0,0), (0,0), (0x2000,0), (0x2000,0x3000) ] if ( next_sect_addr > sect_addr ) { sect_addr = next_sect_addr; sect_sz = (next_sect_sz + 0xFFF) & 0xFFFFF000; } // if next_sect_addr <= sect_addr we continue on to next entry in the table [...] new_sect_alloc = operator new[](sect_sz + sect_addr); [...] CAsprotectDLLAndVersion::RetrieveVersionInfoAndCreateObjects
Example section table: [ (0,0), (0,0), (0x2000,0), (0x2000,0x3000) ] if ( next_sect_addr > sect_addr ) { sect_addr = next_sect_addr; sect_sz = (next_sect_sz + 0xFFF) & 0xFFFFF000; } // if next_sect_addr <= sect_addr we continue on to next entry in the table [...] new_sect_alloc = operator new[](sect_sz + sect_addr); [...] CAsprotectDLLAndVersion::RetrieveVersionInfoAndCreateObjects

Empfohlen

Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018patrickstox
 
He stopped using for/while loops, you won't believe what happened next!
He stopped using for/while loops, you won't believe what happened next!He stopped using for/while loops, you won't believe what happened next!
He stopped using for/while loops, you won't believe what happened next!François-Guillaume Ribreau
 
Spingy camp
Spingy campSpingy camp
Spingy campRob Nunez
 
Analyzing the Performance of Mobile Web
Analyzing the Performance of Mobile WebAnalyzing the Performance of Mobile Web
Analyzing the Performance of Mobile WebAriya Hidayat
 
Back To The Future.Key 2
Back To The Future.Key 2Back To The Future.Key 2
Back To The Future.Key 2gueste8cc560
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeWim Godden
 
The current status of html5 technology and standard
The current status of html5 technology and standardThe current status of html5 technology and standard
The current status of html5 technology and standardWonsuk Lee
 
Advanced Web Scraping or How To Make Internet Your Database #seoplus2018
Advanced Web Scraping or How To Make Internet Your Database #seoplus2018Advanced Web Scraping or How To Make Internet Your Database #seoplus2018
Advanced Web Scraping or How To Make Internet Your Database #seoplus2018Esteve Castells
 

Empfohlen

Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018
Troubleshooting SEO for JS Frameworks - Patrick Stox - DTD 2018patrickstox
 
He stopped using for/while loops, you won't believe what happened next!
He stopped using for/while loops, you won't believe what happened next!He stopped using for/while loops, you won't believe what happened next!
He stopped using for/while loops, you won't believe what happened next!François-Guillaume Ribreau
 
Spingy camp
Spingy campSpingy camp
Spingy campRob Nunez
 
Analyzing the Performance of Mobile Web
Analyzing the Performance of Mobile WebAnalyzing the Performance of Mobile Web
Analyzing the Performance of Mobile WebAriya Hidayat
 
Back To The Future.Key 2
Back To The Future.Key 2Back To The Future.Key 2
Back To The Future.Key 2gueste8cc560
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeWim Godden
 
The current status of html5 technology and standard
The current status of html5 technology and standardThe current status of html5 technology and standard
The current status of html5 technology and standardWonsuk Lee
 
Advanced Web Scraping or How To Make Internet Your Database #seoplus2018
Advanced Web Scraping or How To Make Internet Your Database #seoplus2018Advanced Web Scraping or How To Make Internet Your Database #seoplus2018
Advanced Web Scraping or How To Make Internet Your Database #seoplus2018Esteve Castells
 
JavaScript front end performance optimizations
JavaScript front end performance optimizationsJavaScript front end performance optimizations
JavaScript front end performance optimizationsChris Love
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Enginesadonatwork
 
HTML5 and Other Modern Browser Game Tech
HTML5 and Other Modern Browser Game TechHTML5 and Other Modern Browser Game Tech
HTML5 and Other Modern Browser Game Techvincent_scheib
 
Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Fwdays
 
How to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaHow to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaGilles Sgro
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考える
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考えるIt is not HTML5. but ... / HTML5ではないサイトからHTML5を考える
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考えるSadaaki HIRAI
 
Web_of_Things_2013
Web_of_Things_2013Web_of_Things_2013
Web_of_Things_2013Max Kleiner
 
Even faster web sites
Even faster web sitesEven faster web sites
Even faster web sitesFelipe Lavín
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon
 
A miało być tak... bez wycieków
A miało być tak... bez wyciekówA miało być tak... bez wycieków
A miało być tak... bez wyciekówKonrad Kokosa
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJSFestUA
 
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...Codemotion
 
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...Demi Ben-Ari
 
Three20 framework for iOS development
Three20 framework for iOS developmentThree20 framework for iOS development
Three20 framework for iOS developmentRichard Lee
 
Shifting Gears
Shifting GearsShifting Gears
Shifting GearsChristian Heilmann
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 
Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010Christian Heilmann
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 

Weitere ähnliche Inhalte

Ähnlich wie Real_World_0days.pdf

JavaScript front end performance optimizations
JavaScript front end performance optimizationsJavaScript front end performance optimizations
JavaScript front end performance optimizationsChris Love
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Enginesadonatwork
 
HTML5 and Other Modern Browser Game Tech
HTML5 and Other Modern Browser Game TechHTML5 and Other Modern Browser Game Tech
HTML5 and Other Modern Browser Game Techvincent_scheib
 
Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Fwdays
 
How to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaHow to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaGilles Sgro
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
 
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考える
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考えるIt is not HTML5. but ... / HTML5ではないサイトからHTML5を考える
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考えるSadaaki HIRAI
 
Web_of_Things_2013
Web_of_Things_2013Web_of_Things_2013
Web_of_Things_2013Max Kleiner
 
Even faster web sites
Even faster web sitesEven faster web sites
Even faster web sitesFelipe Lavín
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon
 
A miało być tak... bez wycieków
A miało być tak... bez wyciekówA miało być tak... bez wycieków
A miało być tak... bez wyciekówKonrad Kokosa
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJSFestUA
 
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...Codemotion
 
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...Demi Ben-Ari
 
Three20 framework for iOS development
Three20 framework for iOS developmentThree20 framework for iOS development
Three20 framework for iOS developmentRichard Lee
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesLeo Loobeek
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the BadXavier Mertens
 
Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010Christian Heilmann
 

Ähnlich wie Real_World_0days.pdf (20)

JavaScript front end performance optimizations
JavaScript front end performance optimizationsJavaScript front end performance optimizations
JavaScript front end performance optimizations
 
Efficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template EnginesEfficient Context-sensitive Output Escaping for Javascript Template Engines
Efficient Context-sensitive Output Escaping for Javascript Template Engines
 
HTML5 and Other Modern Browser Game Tech
HTML5 and Other Modern Browser Game TechHTML5 and Other Modern Browser Game Tech
HTML5 and Other Modern Browser Game Tech
 
Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"Stefan Judis "Did we(b development) lose the right direction?"
Stefan Judis "Did we(b development) lose the right direction?"
 
How to prevent cyber terrorism taragana
How to prevent cyber terrorism taraganaHow to prevent cyber terrorism taragana
How to prevent cyber terrorism taragana
 
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography APISecuring TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
 
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考える
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考えるIt is not HTML5. but ... / HTML5ではないサイトからHTML5を考える
It is not HTML5. but ... / HTML5ではないサイトからHTML5を考える
 
Web_of_Things_2013
Web_of_Things_2013Web_of_Things_2013
Web_of_Things_2013
 
Even faster web sites
Even faster web sitesEven faster web sites
Even faster web sites
 
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
DevSecCon Singapore 2018 - Remove developers’ shameful secrets or simply rem...
 
A miało być tak... bez wycieków
A miało być tak... bez wyciekówA miało być tak... bez wycieków
A miało być tak... bez wycieków
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложениеJS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение
 
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems Done "The Simple Way" - Demi Ben-Ari - Codemotion...
 
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
Monitoring Big Data Systems "Done the simple way" - Demi Ben-Ari - Codemotion...
 
Three20 framework for iOS development
Three20 framework for iOS developmentThree20 framework for iOS development
Three20 framework for iOS development
 
Shifting Gears
Shifting GearsShifting Gears
Shifting Gears
 
Protect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying TechniquesProtect Your Payloads: Modern Keying Techniques
Protect Your Payloads: Modern Keying Techniques
 
HTTP For the Good or the Bad
HTTP For the Good or the BadHTTP For the Good or the Bad
HTTP For the Good or the Bad
 
Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010Enjoying the full stack - Frontend 2010
Enjoying the full stack - Frontend 2010
 

Kürzlich hochgeladen

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Real_World_0days.pdf

  • 1. 0-days Detected In-the-Wild in 2021 Real World 0-days Maddie Stone @maddiestone OffensiveCon 2022
  • 8. Caveat: These are my takes & thoughts. I’d love to hear yours.
  • 9. The uptick in 0-days is due to progress in security.
  • 10. The uptick in 0-days is due to progress in security. The data points show that all the 0-days actually look a lot like what we’ve seen before.
  • 11. The uptick in 0-days is due to progress in security. The data points show that all the 0-days actually look a lot like what we’ve seen before. While we have more data than ever before, we’re still missing a lot.
  • 12. The uptick in 0-days is due to progress in security.
  • 13.
  • 15. https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html As a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can’t draw significant conclusions due to the lack of (and biases in) the data we have collected.
  • 18. 2019 Reporters 2020 Reporters 2021 Reporters Alibaba Cloud Intelligence Security Team Andy cPanel Security Team Coinbase Security Codesafe Team of Legendsec at Qi'anxin Group DBAppSecurity Co., Ltd ESET Francisco Alonso & Javier Marcos DEVCORE Research Team Google Project Zero Google Project Zero Dubex Google Threat Analysis Group Google Threat Analysis Group Enki Kaspersky Lab Kaspersky Lab EXPMON Microsoft Security Response Center National Security Agency Github Security Lab Resecurity, Inc. Qihoo 360 ATA Google Project Zero Trend Micro Trend Micro Research Google Threat Analysis Group Trend Micro’s Zero Day Initiative Kaspersky Lab Mandiant Mattias Buelens Microsoft Browser Vulnerability Research Microsoft Security Response Center Microsoft Threat Intelligence Center Qihoo 360 ATA Sangfor The Citizen Lab Tianfu Volexity
  • 20.
  • 21.
  • 22. Nothing is all that new.* * one exception
  • 23. Memory Corruption is still the name of the game.
  • 25.
  • 26. 17 use-after-free 6 out of bounds r/w 4 buffer overflow 4 integer overflow
  • 28. 14 Chromium 7 WebKit (Safari) 4 Internet Explorer 0-days detected in-the-wild
  • 29.
  • 31. 6 Javascript Engine (v8) 2 DOM Engine (Blink) 1 WebGL 1 IndexedDB 1 webaudio 1 Portals 2 Other
  • 33. 4 Javascript Engine (JSC) 1 IndexedDB 1 Storage 1 UXSS
  • 38. var fontFace1 = new FontFace("font1", "", {}); var fontFaceSet = new FontFaceSet([fontFace1]); fontFace1.family = "font2";
  • 39. “Greetings from Apple Product Security”
  • 41. - template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCounted<T>, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments) { return CrossThreadTask([callee = makeRefPtr(&callee), method, arguments = std::make_tuple(crossThreadCopy(arguments)...)]() mutable { callMemberFunctionForCrossThreadTask(callee.get(), method, WTFMove(arguments)); }); } - template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCounted<T>, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments)
  • 42. class IDBOpenDBRequest final : public IDBRequest {
  • 43. class IDBOpenDBRequest final : public IDBRequest { class IDBRequest : public EventTargetWithInlineData, public IDBActiveDOMObject, public ThreadSafeRefCounted<IDBRequest> {
  • 44. class IDBOpenDBRequest final : public IDBRequest { class IDBRequest : public EventTargetWithInlineData, public IDBActiveDOMObject, public ThreadSafeRefCounted<IDBRequest> {
  • 45. - template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCounted<T>, T> ::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments) { return CrossThreadTask([callee = makeRefPtr(&callee), method, arguments = std::make_tuple(crossThreadCopy(arguments)...)]() mutable { callMemberFunctionForCrossThreadTask(callee.get(), method, WTFMove(arguments)); }); } - template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCounted<T>, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments)
  • 46. - template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCounted<T>, T> ::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments) { return CrossThreadTask([callee = makeRefPtr(&callee), method, arguments = std::make_tuple(crossThreadCopy(arguments)...)]() mutable { callMemberFunctionForCrossThreadTask(callee.get(), method, WTFMove(arguments)); }); } - template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCounted<T>, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<!std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments)
  • 47. - template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCounted<T>, T> ::value, int>::type = 0, typename... Parameters, typename... Arguments> + template<typename T, typename std::enable_if<std::is_base_of<ThreadSafeRefCountedBase, T>::value, int>::type = 0, typename... Parameters, typename... Arguments> CrossThreadTask createCrossThreadTask(T& callee, void (T::*method)(Parameters...), const Arguments&... arguments) { return CrossThreadTask([callee = makeRefPtr(&callee), method, arguments = std::make_tuple(crossThreadCopy(arguments)...)]() mutable { callMemberFunctionForCrossThreadTask(callee.get(), method, WTFMove(arguments)); }); } is_base_of<ThreadSafeRefCounted<IDBRequest>, IDBOpenDBRequest>
  • 48. index.html: <script>w = new Worker('idbworker.js');</script> idbworker.js: function gc() { for (var i = 0; i < 1000; i++) { a = new Uint8Array(1024*1024); } } let ev = new Event('mine'); let req = http://indexedDB.open('db'); req.dispatchEvent(ev); req = 0; ev = 0; gc(); https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html
  • 50.
  • 51. Known Internet Explorer itw 0-days MSHTML JScript VBScript JScript9 Info Leak Total 2021 3 1 4 2020 1 1 2 2019 2 1 3 2018 1 1 2017 1 2 3 2016 1 1 2 4 2015 1 2 3
  • 52. Known Internet Explorer itw 0-days MSHTML JScript VBScript JScript9 Info Leak Total 2021 3 1 4 2020 1 1 2 2019 2 1 3 2018 1 1 2017 1 2 3 2016 1 1 2 4 2015 1 2 3
  • 53. ● Malicious Office docs that loaded web content in Internet Explorer ● Spawned an Internet Explorer process via VBA macros to navigate to a web page ● Web page fingerprinted than delivered exploit ● Out-of-bounds write in MSHTML ○ Size of the string of the inner html element is truncated (size&0x1FFFFFF) in the CTreePos structure while the non-truncated size is still in the text data object. Memory at is allocated based on the size in the CTreePos structure, the truncated size. The memcpy is based on the non-truncated size. CVE-2021-33742: Out of Bounds Write in MSHTML https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html
  • 54. <script> var b = document.createElement("html"); b.innerHTML = Array(40370176).toString(); b.innerHTML = ""; </script> CVE-2021-33742 https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html
  • 58.
  • 60. ● 2 Enhanced crypto provider ● 2 NTOS kernel ● 2 win32k ● 1 Windows update medic ● 1 SuperFetch ● 1 dwmcore.dll ● 1 ntfs.sys
  • 61. In 2019, 75% of Windows 0-days targeted win32k.
  • 63.
  • 64. 4 iOS & 1 macOS 0-days detected in-the-wild ● 2 IOMobileFrameBuffer ● 2 XNU (1 iOS & 1 macOS) ● 1 CoreGraphics
  • 65. 4 iOS & 1 macOS 0-days detected in-the-wild ● 2 IOMobileFrameBuffer ● 2 XNU (1 iOS & 1 macOS) ● 1 CoreGraphics
  • 66. 4 iOS & 1 macOS 0-days detected in-the-wild ● 2 IOMobileFrameBuffer ● 2 XNU (1 iOS & 1 macOS) ● 1 CoreGraphics
  • 67. Drum roll please for the best bug of the year….
  • 68.
  • 69. The Zero Click iMessage Bug CVE-2021-30860
  • 70. Guint numSyms; // (1) numSyms = 0; for (i = 0; i < nRefSegs; ++i) { if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { numSyms += ((JBIG2SymbolDict *)seg)->getSize(); // (2) } else if (seg->getType() == jbig2SegCodeTable) { codeTables->append(seg); } } else { error(errSyntaxError, getPos(), "Invalid segment reference in JBIG2 text region"); delete codeTables; return; } } ... // get the symbol bitmaps syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *)); // (3) kk = 0; for (i = 0; i < nRefSegs; ++i) { if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { symbolDict = (JBIG2SymbolDict *)seg; for (k = 0; k < symbolDict->getSize(); ++k) { syms[kk++] = symbolDict->getBitmap(k); // (4) } } } https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
  • 71. “My other compression format is turing-complete!” Ian Beer’s blog post
  • 73.
  • 74. 7 Android 0-days detected in-the-wild ● 3 Qualcomm Adreno GPU ● 2 ARM Mali GPU ● 2 upstream kernel
  • 75. 7 Android 0-days detected in-the-wild ● 3 Qualcomm Adreno GPU ● 2 ARM Mali GPU ● 2 upstream kernel
  • 76. 7 Android 0-days detected in-the-wild ● 3 Qualcomm Adreno GPU ● 2 ARM Mali GPU ● 2 upstream kernel
  • 79. Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list") https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=77f4689de17c0887775bb77896f4cc11a39bf848
  • 80. “The more you know, the more you realize you don’t know.” - Aristotle
  • 81. Where are the Messaging app Other phone components Linux Cloud Specific Android OEM 0-days?
  • 83. 2019 Reporters 2020 Reporters 2021 Reporters Alibaba Cloud Intelligence Security Team Andy cPanel Security Team Coinbase Security Codesafe Team of Legendsec at Qi'anxin Group DBAppSecurity Co., Ltd ESET Francisco Alonso & Javier Marcos DEVCORE Research Team Google Project Zero Google Project Zero Dubex Google Threat Analysis Group Google Threat Analysis Group Enki Kaspersky Lab Kaspersky Lab EXPMON Microsoft Security Response Center National Security Agency Github Security Lab Resecurity, Inc. Qihoo 360 ATA Google Project Zero Trend Micro Trend Micro Research Google Threat Analysis Group Trend Micro’s Zero Day Initiative Kaspersky Lab Mandiant Mattias Buelens Microsoft Browser Vulnerability Research Microsoft Security Response Center Microsoft Threat Intelligence Center Qihoo 360 ATA Sangfor The Citizen Lab Tianfu Volexity
  • 84. Do these bug patterns look like previous bugs because that’s what we know how to detect?
  • 85. Where are the spl0itz?
  • 86. 5 out of 57 0-days have the exploit sample publicly available.
  • 87. Big uptick in in-the-wild 0-days = 😁
  • 88. Big uptick in in-the-wild 0-days = 😁 Bug patterns & types are similar to previous years = 😐
  • 89. Big uptick in in-the-wild 0-days = 😁 Bug patterns & types are similar to previous years = 😐 Still room for improvement on detection & disclosure = 🧐󰚤
  • 90. What do you think?
  • 91. ● Root cause analysis, patch analysis, and variant analysis performed on every in-the-wild 0-day. ● Exploit samples are shared widely. ● Vendors transparently annotate exploited status. ● More, more, more detection. Hopes & Dreams
  • 93. RCE in Windows Defender CVE-2021-1647
  • 94. ● Heap buffer overflow when mpengine.dll is processing the section table to unpack an ASProtect packed executable. ● Each entry in the section table has two values: ○ Virtual address of section & section size CVE-2021-1647
  • 95. Example section table: [ (0,0), (0,0), (0x2000,0), (0x2000,0x3000) ] if ( next_sect_addr > sect_addr ) { sect_addr = next_sect_addr; sect_sz = (next_sect_sz + 0xFFF) & 0xFFFFF000; } // if next_sect_addr <= sect_addr we continue on to next entry in the table [...] new_sect_alloc = operator new[](sect_sz + sect_addr); [...] CAsprotectDLLAndVersion::RetrieveVersionInfoAndCreateObjects
  • 96. Example section table: [ (0,0), (0,0), (0x2000,0), (0x2000,0x3000) ] if ( next_sect_addr > sect_addr ) { sect_addr = next_sect_addr; sect_sz = (next_sect_sz + 0xFFF) & 0xFFFFF000; } // if next_sect_addr <= sect_addr we continue on to next entry in the table [...] new_sect_alloc = operator new[](sect_sz + sect_addr); [...] CAsprotectDLLAndVersion::RetrieveVersionInfoAndCreateObjects
  • 97. Example section table: [ (0,0), (0,0), (0x2000,0), (0x2000,0x3000) ] if ( next_sect_addr > sect_addr ) { sect_addr = next_sect_addr; sect_sz = (next_sect_sz + 0xFFF) & 0xFFFFF000; } // if next_sect_addr <= sect_addr we continue on to next entry in the table [...] new_sect_alloc = operator new[](sect_sz + sect_addr); [...] CAsprotectDLLAndVersion::RetrieveVersionInfoAndCreateObjects
  • 98. Example section table: [ (0,0), (0,0), (0x2000,0), (0x2000,0x3000) ] if ( next_sect_addr > sect_addr ) { sect_addr = next_sect_addr; sect_sz = (next_sect_sz + 0xFFF) & 0xFFFFF000; } // if next_sect_addr <= sect_addr we continue on to next entry in the table [...] new_sect_alloc = operator new[](sect_sz + sect_addr); [...] CAsprotectDLLAndVersion::RetrieveVersionInfoAndCreateObjects