Description
Articles
Chaining N-days to Compromise All: Part 1 — Chrome Renderer RCE
https://blog.theori.io/chaining-n-days-to-compromise-all-part-1-chrome-renderer-rce-1afccf56721b
Chaining N-days to Compromise All: Part 2 — Windows Kernel LPE (a.k.a Chrome Sandbox Escape)
https://blog.theori.io/chaining-n-d...-lpe-a-k-a-chrome-sandbox-escape-44cb49d7a4f8
Chaining N-days to Compromise All: Part 3 — Windows Driver LPE: Medium to System
https://blog.theori.io/chaining-n-d...dows-driver-lpe-medium-to-system-12f7821d97bb
Chaining N-days to Compromise All: Part 4 — VMware Workstation Information leakage
https://blog.theori.io/chaining-n-d...-workstation-information-leakage-44476b05d410
Chaining N-days to Compromise All: Part 5 — VMware Workstation Guest-to-Host Escape
https://blog.theori.io/chaining-n-d...workstation-host-to-guest-escape-5a1297e431b5
Chaining N-days to Compromise All: Part 6 — Windows Kernel LPE: Get SYSTEM
https://blog.theori.io/chaining-n-d...-6-windows-kernel-lpe-get-system-83cd756ce90a
slides
https://github.com/star-sg/OBO/blob...n from browser in guest to SYSTEM in host.pdf
https://offbyone.sg

During the last year, numerous vulnerabilities were patched, and some of them were proven to be exploitable, as they were exploited in the wild, at Pwn2Own, and so on.
We have continuously tracked these issues and written the Proof-of-Concepts and exploits to keep them in our vulnerability database.
Although each vulnerability itself has a critical impact, we think it would become more powerful if they were chained into a full chain exploit.
Therefore, we wrote an exploit chaining several vulnerabilities chosen from our database and demonstrated the exploit on X; the exploit starts from a Chrome browser running in a VMware guest and then manages to achieve SYSTEM privileges in a Windows host.
This scenario mimics a situation where a security analyst clicks a malicious link in a virtual machine. The N-Day full chain includes six unique vulnerabilities; three of them were exploited in the wild, two of them were used in Pwn2Own 2023, and the last one, a variant of a Pwn2Own 2023 vulnerability, was found by one of our team members.
In this presentation, we will explain the root causes and the exploit techniques of each vulnerability and how we connected them into a full chain exploit.
We will also discuss chaining details to glue our exploit pieces together successfully, including how to bypass V8 pointer compression, implant the browser sandbox escape vulnerability in JavaScript code, escape the browser sandbox with the pickup window, and drop the exploit binary on the host of VMware.
This presentation will cover overall concepts from browser to virtualization and OS, and you will have a comprehensive understanding of them after this talk.