Off-By-One 2024 Day 2 – Make N-Day Great Again
Make N-Day Great Again – The Story of N-Day Full Chain from browser in guest to SYSTEM in host
Abstract
During the last year, numerous vulnerabilities were patched, and some of them were proven to be exploitable, having been exploited in the wild, at Pwn2Own, and elsewhere.
We have continuously tracked these issues and written the Proof-of-Concepts and exploits to keep them in our vulnerability database.
Although each vulnerability itself has a critical impact, we think they become far more powerful when chained into a full chain exploit.
Therefore, we wrote an exploit chaining several vulnerabilities chosen from our database and demonstrated the exploit on X; the exploit starts from a Chrome browser running in a VMware guest and then achieves SYSTEM privileges on the Windows host.
This scenario mimics a situation where a security analyst clicks a malicious link in a virtual machine. The N-Day full chain includes six unique vulnerabilities; three of them were exploited in the wild, two of them were used in Pwn2Own 2023, and the last one, a variant of a Pwn2Own 2023 vulnerability, was found by one of our team members.
In this presentation, we will explain the root causes and the exploit techniques of each vulnerability and how we connected them into a full chain exploit.
We will also discuss the chaining details needed to glue our exploit pieces together successfully, including how to bypass V8 pointer compression, implant the browser sandbox escape vulnerability in JavaScript code, escape the browser sandbox with the pickup window, and drop the exploit binary on the VMware host.
This presentation will cover concepts spanning the browser, virtualization, and the OS, and you will have a comprehensive understanding of them after this talk.
Speakers
JeongOh Kyea is a researcher at Theori Korea and has an interest in automatic vulnerability detection, binary analysis, and exploit techniques. He received BS and MS degrees from KAIST. He was selected as a Most Valuable Researcher (MVR) by Microsoft in 2020, 2021, and 2022.
Gwangun Jung is a security researcher at Theori. His main research areas are operating systems, virtualization, and red teaming. He is the Pwn2Own Vancouver 2024 Virtualization category winner targeting VMware Workstation and has received CVEs from Linux, VMware, and others.
Follow Gwangun on X @pr0ln.
Yeonghun Kim is a security researcher working at Theori. His main research areas are web browsers and JavaScript engines, especially Chrome and V8.