Archive

Callisto Group

By on 6 November 2019

The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign...

The Dukes

By on 6 November 2019

This whitepaper explores the tools (such as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, etc.) of the Dukes, a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since...

Slides

3D Accelerated Exploitation

By Jason Matthyser on 22 February 2019

VirtualBox is arguably one of the best examples of a target that accommodates novice vulnerability researchers. Owing to its open source codebase, and the vast amount of related vulnerability research published, it is fairly easy to...

Slides

Intro to Binary Analysis with Z3 and angr

By Sam Brown on 8 November 2018

Have you ever wanted to play with angr but found the barrier to entry too high? Or have you seen people do what may as well be straight-up magic using tools like Z3? This workshop...

Slides

Big Game Fuzzing Pwn2Own Safari T2

By Alex Plaskett, Fabian Beterke and Georgi Geshev on 29 October 2018

This talk discussed the trials and tribulations of our Pwn2Own preparation this year for targeting Apple macOS Safari, both in terms of the tools we have developed for browser vulnerability research and the experience gained whilst...

Whitepaper

Apple Safari Pwn2Own 2018 Whitepaper

By Alex Plaskett, Fabian Beterke and Georgi Geshev on 29 October 2018

This whitepaper describes the vulnerabilities used for Desktop PWN2OWN 2018 and details the exploits produced. These issues were tested against the latest Safari release at the time of writing (Version 11.0.3 13604.5.6) running on macOS 10.13.3.

Slides

The Mate Escape - Huawei Pwn2Owning

By Alex Plaskett and James Loureiro on 13 October 2018

James Loureiro and Alex Plaskett presented The Mate Escape - Huawei Pwn2Owning at Hacktivity 2018.

Blog

EQL Injection (not a typo) and Oracle Endeca

By William Jardine on 13 June 2018

Oracle Endeca is used by a number of online retailers for implementing search functionality. This post introduces the concept of EQL injection attacks and how to defend against them.

Slides

Chainspotting: Building Exploit Chains with Logic Bugs

By Georgi Geshev on 13 June 2018

Last year at CanSecWest, we celebrated the advantages of logic bugs over memory corruptions and showcased a nice and shiny bug in Chrome on Android from Mobile Pwn2Own 2016.

Whitepaper

Huawei Mate 9 Pro Mobile Pwn2Own 2017

By Alex Plaskett and James Loureiro on 26 April 2018

The attached document contains the vulnerabilities which were used for Mobile Pwn2Own 2017 (https://www.thezdi.com/blog/2017/11/2/the-results-mobile-pwn2own-2017-day-two) to compromise the Huawei Mate 9 Pro (LON-AL00 variant).

Whitepaper

Apple Safari - Wasm Section Exploit

By Alex Plaskett, Fabian Beterke and Georgi Geshev on 16 April 2018

As part of our preparation for Pwn2Own 2018 we started investigating WebAssembly (Wasm), as this feature is a relatively new component added to Safari which was likely to have undergone less assurance than some of...

Blog

Some Brief Notes on WebKit Heap Hardening

By Sam Brown on 13 April 2018

Apple recently pushed some substantial heap hardening changes to the allocator used within WebKit and JavaScriptCore (JSC), luckily just after Pwn2Own, but in order to target Safari again next year these new hardening changes will need...