2. Nicholas, I'm French, no H please!
• Before at Vupen, at MSRC UK now, fixing stuff I used to break
• Been to CanSec before
@n_joly to find cool cat pics
3. Aug 2014 – Sept 2015, chasing the bounties
• Getting ready for big bounties
• Dealing with last minute mitigations
• Why you do absolutely need your lucky charm
• Collisions, when you feel bad for a day
5. pwn2own Mobile at PacSec
• Competing on my own for the first time
• Spent 1 month+ on that challenge
• Failed at pwning the sandbox but uncovered 3 escapes for IE desktop
• Great holidays!
Trophy!
Lucky charm, exploiter's best friend
7. December, playing with Reader
• Playing first with known areas, uncovered some UAFs
• Opened some IDBs, was looking for 3D stuff
• Spent one month to get 2 working exploits
13. By early Feb, 3 exploits for 3 targets
• Built the escapes found earlier in November
• Built a certain number of Flash exploits, just in case
• Built a VBScript exploit for IE x64
• Built 2 PDF exploits sharing the same escape
But…
19. Had to rethink about everything
• Reader "safe", not compiled with the flag
• Sandbox escapes partially affected
• Flash and IE :S
Flash.ocx 17.0.0.34
28. • Had to code everything on site but fortunately the ferry to Vancouver Island takes quite some time:
• First time I coded an exploit on a ferry in my life, but that was worth it!
But my story was nothing compared to that guy
37. The art of being suspect no1
CVE-2014-0574 ba.clear
CVE-2014-0588 ba.uncompressvialzma
CVE-2015-0359 ba.writeObject
CVE-2015-0312 ba.compress
…
That is NOT me
That is me
39. Time needed to pay/patch a bug
Spartan bounty: payment issued 46 days after report, patches out after 79 days
40. An amazing experience
• Finally decided to join Microsoft in the UK
• So many challenges to take on!
Chromium's Xmas gifts
• Created a company
• Travelled everywhere
• Even gave a talk at MOSEC!
41. Want some bounties? https://aka.ms/BugBounty
Have some cool bugz? secure@microsoft.com
Wanna wear the blue Hat? http://careers.microsoft.com
Thanks :)
Got a question?
42. References
• Spartan Bounty https://technet.microsoft.com/en-us/dn972323.aspx
• Dangerous Clipboard http://blog.talosintel.com/2015/10/dangerous-clipboard.html
• Control Flow Guard https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
• Exploring CFG in Windows 10 http://blog.trendmicro.com/trendlabs-security-intelligence/exploring-control-flow-guard-in-windows-10/
• CFG effects to memory space http://www.alex-ionescu.com/?p=246
• JavaScript™ for Acrobat® 3D Annotations API Reference http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/AcrobatDC_js_3d_api_reference.pdf
• HackingTeam Flash Exploit http://blogs.360.cn/blog/hacking-team-part2/
• Camera.copyPixelsToByteArray https://code.google.com/p/chromium/issues/detail?id=424981
• DisplayObject.opaqueBackground https://code.google.com/p/chromium/issues/detail?id=508009
• AS2 Filters Confusion https://code.google.com/p/chromium/issues/detail?id=457261 and https://code.google.com/p/google-security-research/issues/detail?id=244
• CVE-2015-0313 http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0313-the-new-flash-player-zero-day/