The talk will first present the basics of this new vulnerability including the underlying technology, and will then explain in depth the different ways an attacker can exploit it using different vectors and services.
We will focus on exploiting RMI, LDAP and CORBA services, as these are present in almost every enterprise application.
Kernel exploitation using the browser as an initial vector was a rare sight in previous contests.
This presentation will detail the eight winning browser-to-super-user exploitation chains (21 total vulnerabilities) demonstrated at this year's Pwn2Own contest.
Most vendors positively confirmed the issues, and some have applied fixes.
Our work consists of two pillars: (1) an in-house study of the OAuth protocol documentation that aims to identify what might be ambiguous or unspecified for mobile developers; (2) a field study of over 600 popular mobile applications that highlights how well developers fulfill the authentication and authorization goals in practice.
This talk concentrates on examples of advanced techniques used in attacking IoT/embedded hardware devices.
TLS has experienced three major vulnerabilities stemming from "export-grade" cryptography in the last year: FREAK, Logjam, and DROWN.
Examples of hacking various aspects of the system are presented, including how to bypass encrypted bootloaders to read sensitive information.
Details on the firmware in multiple versions of the Philips Hue smart lamps and bridges are discussed.