Archive

Callisto Group

November 6, 2019 at 3:23 AM

The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus.

The Dukes

November 6, 2019 at 3:20 AM

This whitepaper explores the tools - such as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, etc. - of the Dukes, a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since…

Slides

3D Accelerated Exploitation

By Jason Matthyser on February 22, 2019 at 10:03 AM

VirtualBox is arguably one of the best examples of a target that accommodates novice vulnerability researchers.

Slides

Intro to Binary Analysis with Z3 and angr

By Sam Brown on November 8, 2018 at 1:18 PM

Have you ever wanted to play with angr but found the barrier to entry too high? Or have you seen people do what may as well be straight-up magic using tools like Z3? This workshop…

Slides

Big Game Fuzzing Pwn2Own Safari T2

By Fabian Beterke on October 29, 2018 at 11:22 AM

This talk discussed the trials and tribulations of our Pwn2Own preparation this year for targeting Apple macOS Safari.

Whitepaper

Apple Safari Pwn2Own 2018 Whitepaper

By Fabian Beterke on October 29, 2018 at 11:22 AM

This whitepaper describes the vulnerabilities used for Desktop Pwn2Own 2018 and the details of the exploits produced. These issues were tested against the latest release of Safari (Version 11.0.3 13604.5.

Slides

The Mate Escape - Huawei Pwn2Owning

By James Loureiro on October 13, 2018 at 1:56 PM

James Loureiro and Alex Plaskett presented The Mate Escape - Huawei Pwn2Owning at Hacktivity 2018.

Blog

EQL Injection (not a typo) and Oracle Endeca

By William Jardine on June 13, 2018 at 10:26 AM

Oracle Endeca is used by a number of online retailers for implementing search functionality. This post introduces the concept of EQL injection attacks and how to defend against them.

Slides

Chainspotting: Building Exploit Chains with Logic Bugs

June 13, 2018 at 10:21 AM

Last year at CanSecWest, we celebrated the advantages of logic bugs over memory corruptions and showcased a nice and shiny bug in Chrome on Android from Mobile Pwn2Own 2016.

Whitepaper

Huawei Mate 9 Pro Mobile Pwn2Own 2017

By James Loureiro on April 26, 2018 at 8:22 AM

The attached document contains the vulnerabilities which were used at Mobile Pwn2Own 2017 (https://www.thezdi.com/blog/2017/11/2/the-results-mobile-pwn2own-2017-day-two) to compromise the Huawei Mate 9 Pro (LON-AL00 variant). The Huawei Reader issues were fixed within the patch: http://www.

Whitepaper

Apple Safari - Wasm Section Exploit

By Fabian Beterke on April 16, 2018 at 9:18 AM

As part of our preparation for Pwn2Own 2018 we started investigating WebAssembly (Wasm), as this feature is a relatively new component added to Safari, which was likely to have undergone less assurance than some of the…

Blog

Some Brief Notes on WebKit Heap Hardening

By Sam Brown on April 13, 2018 at 1:41 PM

Apple recently pushed some substantial heap hardening changes to the allocator used within WebKit and JavaScriptCore (JSC), luckily just after Pwn2Own, but in order to target Safari again next year these new hardening changes will need…