The following security research was performed whilst at NCC Group between 2021-now.
Exploit Engineering – Attacking the Linux Kernel
On the 19th of May 2023, Alex Plaskett and Cedric Halbronn presentered this talk at Offensivecon 2023 in Berlin.
The abstract from the talk was as follows:
Over the last year the Exploit Development Group (EDG) at NCC Group found and exploited three different 0-day Linux kernel local privilege escalation vulnerabilities (CVE-2022-0185, CVE-2022-0995, CVE-2022-32250) against fully patched OSs with all mitigations enabled. The most recent vulnerability was patched against versions of the kernel going back 6 years affecting most stable Linux distributions.
Unlike developing proof of concepts, our exploits need to be ultra-reliable and support many different OS variations and kernel versions so they can be used by our security assessment consultants or Red Teams. This calls for a much more rigorous engineering process to be followed.
In this talk, we start with an overview of our bug hunting processes and approach to rapidly find high impact vulnerabilities within the Linux kernel. The talk will then describe key vulnerability details, discuss the challenges of reliable exploitation across multiple targets and describe the exploitation techniques used (and what is appropriate in 2023). We discuss rigorous exploit engineering approaches – including tooling which we have developed for heap analysis libslub and automation for mining, creation, deployment and scaling across many different environments (TargetMob). Finally, we will conclude with our thoughts on areas where more strategic hardening and attack surface reduction can be introduced to hinder against advanced attackers using 0-days in the Linux kernel. We will leave you with a release of our tooling for heap analysis libslub and the knowledge to go out there and find, analyse and exploit your own Linux kernel vulnerabilities!
This research was performed by Alex Plaskett, Cedric Halbronn, Aaron Adams and presented at Offensivecon 23.
Your Not so “Home” Office – Soho Hacking at Pwn2Own
On the 20th April 2023, Alex Plaskett and McCaulay Hudson presented this talk at HITB AMS. The talk showcased NCC EDG in Pwn2Own 2022 Toronto targeting all consumer routers (Netgear, TP-Link and Synology) from both a LAN and WAN perspective. The talk also described how we compromised a small business device (Ubiquiti) via the WAN and used that to pivot to attack a device on the LAN (a printer). In total we created 7 different exploit chains and found many more vulnerabilities within the process.
This research was performed by Alex Plaskett, Cedric Halbronn, Aaron Adams, McCaulay Hudson and presented at HITB AMS 2023.
Toner Deaf – Printing your next persistence
In November 2021, NCC Group won at the Pwn2Own hacking contest against a Lexmark printer. This talk is about the journey from purchase of the printer, having zero knowledge of its internals, remotely compromising it using a vulnerability which affected 235 models, developing a persistence mechanism and more.
This talk is particularly relevant due to printers having access to a wide range of documents within an organisation, the printers often being connected to internal/sensitive parts of a network, their lack of detection/monitoring capability and often poor firmware update management processes.
This research was performed by Alex Plaskett, Cedric Halbronn, Aaron Adams, Catalin Visinescu and presented at Hexacon 2022.
Pwn2Own 2021 - Remotely Exploiting 3 Embedded Devices
This research demonstrates the process taken and vulnerabilities used for Pwn2Own Austin 2021 which were used to compromise a Western Digital PR4100 NAS, a Lexmark MC3224i and outside of the competition a Netgear R6700v3.
Remotely Exploiting 3 Embedded Devices Slides
How to win $$$ at a hacking contest? Slides
This research was performed by Alex Plaskett, Cedric Halbronn, Aaron Adams, Catalin Visinescu and presented at NCC Con Europe 2021.
Pwning the Windows 10 Kernel with NTFS and WNF
A local privilege escalation vulnerability (CVE-2021-31956) 0-day was identified as being exploited in the wild by Kaspersky. At the time it affected a broad range of Windows versions (right up to the latest and greatest of Windows 10). With no access to the exploit or details of how it worked other than a vulnerability summary the following plan was enacted:
- Understand how exploitable the issue was in the presence of features such as the Windows 10 Kernel Heap-Backed Pool (Segment Heap).
- Determine how the Windows Notification Framework (WNF) could be used to enable novel exploit primitives.
- Understand the challenges an attacker faces with modern kernel pool exploitation and what factors are in play to reduce reliability and hinder exploitation.
- Gain insight from this exploit which could be used to enable detection and response by defenders.
The talk covered the above key areas and provides a detailed walk through, moving from introducing the subject, all the way up to the knowledge which is needed for both offense and defence on modern Windows versions.
The following security research was performed whilst at MWR InfoSecurity (now F-Secure Consulting) between 2011-2018.
Big Game Fuzzing - Pwn2Own Apple Safari
This research describes the vulnerabilities used for Pwn2Own Desktop 2018 to compromise Apple macOS Safari. It describes the tools developed and the process taken in order to identify these vulnerabilities. The slides and whitepaper also describe the exploit development process and techniques used for exploitation of the vulnerabilities. The vulnerabilities described within these documents are a Wasm vulnerability (CVE-2018-4121), an SVG vulnerability (CVE-2018-4199) and a sandbox escape within the Dock component (CVE-2018-4196).
This research was performed by Fabian Beterke, Georgi Geshev and Alex Plaskett and presented at T2 2018.
The Mate Escape - Huawei Pwn2Own
This research demonstrates the process taken and vulnerabilities used for Pwn2Own Mobile 2018 which were used to compromise a Android Huawei Mate 9 Pro device. The vulnerabilities used within this chain were logic type bugs and no memory corruption issues were used. Whilst memory corruption protections and mitigations are offering additional protection to the platform, logic bugs are often neglected and can be used to equally damaging effect.
This research was performed by Alex Plaskett and James Louerio and presented at Snoopcon 2018, Hacktivity 2018.
Apple Safari - Wasm Section Exploit
This whitepaper describes the process taken when investigating a potential vulnerability for Pwn2Own. Web Assembly was a relatively new feature added the browser and therefore was expected to not have undergone as much security assurance at other areas. Unfortunately whilst performing exploit development of the issue, the issue was fixed by Apple (and therefore would not qualify for Pwn2Own). The issue was addressed publicly with macOS 10.13.4 and was found independently by Natalie Silvanovich of Google Project Zero.
This research was performed by Fabian Beterke, Alex Plaskett and Georgi Geshev in 2018 and presented at T2.fi.
Biting the Apple That Feeds You - macOS Kernel Fuzzing
This research demonstrated techniques for macOS kernel fuzzing in order to find security issues with macOS. Previously, only a small amount of research had been published about automating finding vulnerabilities within the macOS kernel. The slides describe the tooling which was developed and the issues which were found (and addressed by Apple) as part of this research. The slides demonstrate that different fuzzer approaches can lead to different vulnerabilities being found. macOS IPC subsystem was also discussed and tooling produced to target these features.
This research was performed by Alex Plaskett and James Louerio and presented at Warcon 2017, 44CON 2017, Deepsec 2017.
QNX - 99 Problems But A Microkernel Ain’t One!
This research investigated the security of the QNX operating system and outlined methods for finding vulnerabilities in this area. There are a large number of devices which run QNX under the hood. These are often Cars, Turbines and Safety Critical Systems, therefore the security of these devices in paramount. This research focused on Blackberry 10’s version of QNX, however, this research is applicable to all QNX based devices. The slides and whitepaper provide an overview of the operating system, our methods for identifying vulnerabilities and any issues identified. The research also described how the subsystems on QNX communicate and methods an attacker may used to perform privilege escalation across the trust boundaries.
This research was performed by Alex Plaskett and Georgi Geshev and presented in 2016 at Confidence 2016, Troopers 16, BSides NYC 2016.
Windows Phone 8 - Navigating A Sea Of Pwn
This research investigated the security of Windows Phone 8 applications and described methods which could be used to test them. Whilst Windows Phone 8 is now a deprecated platform, at the time it was Microsoft’s latest mobile operating system. This research shows approaches which can be taken when assessing a Windows Phone 8 application and potential security issues which can arise.
The research was performed by Nick Walker and Alex Plaskett and presented at Syscan and Qualcomm Security Summit in 2014.
Windows Phone 7 - Owned Every Mobile
This talk presented the research performed into Windows Phone 7 and demonstrated one of the first browser (Internet Explorer) exploits against the platform. It demonstrated weaknesses the OEMs had also introduced into the platform and demonstrated methods to bypass sandbox restrictions.
The research was presented at 44CON, T2.fi, DeepSec and Microsoft BlueHat in 2011.
Windows Phone 7 - Microsoft BlueHat v11 Executive Briefings
This talk presented a higher level view of the security research performed against Windows Phone 7 to a number of Microsoft Execs during BlueHat v11.
This research was presented at Microsoft’s BlueHat Executive Briefings in 2011.