DEFCON 2025 lived up to its reputation as the world’s largest hacker convention, bringing together researchers, practitioners, and an ever-broader community of attendees. Alongside the traditional villages and hands-on challenges, the programme delivered both highly technical deep dives and new insights across a very wide range of topics. Once again, Connor Morley takes a closer look at some of the sessions that stood out.
One of the interesting observations of this year’s DEFCON events compared to my last attendance in 2022 is that it is much bigger. Additionally, the most popular talks used to be technically focused, whereas this year, the talks on anecdotal stories of DFIR or red teaming with insights into ideological success and failure were also big winners.
This talk focused on the concept of Machine Check Exception (MCE) being used to hijack control flow to achieve privilege escalation. An MCE is triggered during what is generally seen as a catastrophic hardware failure, such as CPU thermal limits being reached. An MCE is an absolute interrupt which is intended to perform a system shutdown to prevent hardware damage, and, as such, MCEs are typically linked to the physical state of the machine to trigger, rather than software-based. This is true for the most part, but can also be caused by radiation failures (bit flipping, etc.). The other key element about MCE is that they cannot be blocked and operate even during interrupt suppression states, allowing the hijacking of sensitive operations.
When a CPU MCE is encountered, a system has only two choices: either process the MCE immediately or rest the CPU (power cycle), with the former being the default elegant solution. But as an attacker may not be able to abuse the physical state of the hardware, can an MCE be triggered via software manipulation? The researcher highlighted the various methods which can be used to do just that, which were discovered via system fuzzing and explains them in detail. In their example, the NorthBridge driver has a “master connect” call between PCIE devices, which, with a custom bit sequence, can trigger an MCE at will.
The researcher then highlighted how by manipulating the Interrupt Descriptor Table (IDT) we can force the MCE to do what we want it to do when triggered. As MCE is processed at the kernel level, this manipulation of the MCE control flow to malicious/custom code allows ring-0 escalation via redirection. This can be further expanded upon to even access ring -2 for the SMM system, which allows for even more advanced system access via manipulation and tailoring of the exception handling to coincide with a specific SMM command window.
Targeting the Synology default OS of DSN, this talk explained how, due to the system's use of the VUE.js-based framework architecture and the default exposed ports of the OS, there is the potential to inject a malicious file onto the system when delimiters are used in specific inputs. Exposed in Pwn2Own Ireland, the exploit works by first enumerating the inputs using the VUE tool for access to the custom modules of the system to understand the input parameters.
The input parameters for login can include custom modules previously verified, but these custom modules incur a wrap-around module definition with a static string fore and after limiter. However, once this is understood, the custom module injection can include the module delimiter, allowing breakout. Due to the way VUE works, each line is interpreted as a CLI, and so if the attacker can escape input outside the custom module definition to a single line, they can execute custom commands. By injecting RTL sequences and the custom delimiter this is achieved to inject a crontab task into the DSM OS. Spaces are escaped in the input; however, a documented alternative is “tab”, which the attacker uses to inject a fully functional crontab file using the custom delimiters paired with LD_DEBUG to write a file to the crontab dir. Once executed, this can achieve anything, including reverse shell.
The exploit requires no offensive tooling or networking intercepting and can be performed by inputting the correct string sequencing into the login terminal for the DSM device. This effectively makes it a copy-paste exploit with full RCE on an exposed device, which has a CVS of 9+; this has since been patched.
Patrick Wardle is the MVP of macOS and IOS analysis in the cybersecurity industry, and his talk focused on the ease with which many macOS malware variants can be analysed without the need for full RE. In some instances, he highlighted how the use of full RE is a red herring designed to confuse defensive operators into wasting resources when the actual deployment is just a wrapped script file/deployment.
Tools such as pyinstaller, electron framework and Tauri are all used for creating macOS executables, but are commonly used by malware creators to deploy malware. They wrap the associated script file (python, apple script, etc) in a binary wrapper, which is used to trigger the internal script. Although the binary component may have additional functionality, the primary malicious capabilities tend to be stored in the script block with the intention of it being multi-format or platform compatible. Essentially, the same script is wrapped in different binaries to make it compatible with specific targets, be it Windows, macOS, EXE, Python, AScript, etc., all in the same framework’s payload generator.
As such, in most cases of macOS malware, a full RE is not necessary as most malicious operators use a specific set of malicious tools and frameworks which use this functionality. As such, a simple unwrapping using tools such as uncompyle6, NPX or Brolli can be used to extract the embedded script blocks for full analysis in a short time.
This talk again focused on the UEFI and how it can be leveraged to avoid the standard kill chain used in most offensive operations. As with prior talks they highlight active APT use-cases such as BlackLotus and their limitations whilst swiftly moving onto explaining their new and innovative UEFI deployment. The talk focuses on the fact SecureBoot is limited by the defined “untrust” DBX list provided by Microsoft and that some drivers on systems may still be available with known vulnerabilities. Once these are located, it provides a window to perform unwanted action at the firmware level with rootkit level capabilities and persistence.
The primary issue here is located vulnerable bootloader drivers which have the necessary or leverageable EFI command list, like syscalls but at the EFI shell layer. By finding a driver with file write capabilities such as Horizon Datasys shdloader.efi, the researchers demonstrate how this can be accomplished. The talk then expanded onto other vulnerable EFI driver components that can be leveraged in different ways to install rootkits, elevate to ring-0 and other malicious objectives in detail. One of the more interesting deployments is the use of Bring Your Own Vulnerable Driver (BYOVD), where attackers can install a device or driver on a system which is not in the DBX exclusion list which allows for such primitive actions in the EFI to be performed. As the DBX is driver specific, anything outside its blacklist is inherently permitted.
What is highlighted from this, and the prior talks is that the UEFI and firmware-based exploitation/kill chain is moving from the realm of APT actors and targeted deployments to a more mainstream and accessible method for full system exploitation. Ring-0 typically means game over, if you omit SMM etc., so the fact that multiple tools/exploits have been demonstrated in one week shows that this is no longer an edge case but instead becoming a mainstream concern.
Targeting the ControlVault hardware component of Dell laptops, the researcher showed how this security-focused component (used to validate biometric peripheral devices) can be leveraged to run arbitrary code, install persistent malware and more. Although not UEFI-focused, this is another firmware exploit used to gain almost limitless access to the targeted system and allow full bypassing of biometric or smart card peripheral-based security systems.
As a summary, the researcher reverses the SBI of the ControlVault firmware, which, with the API access to the system via the bcmbipdll.dllfacilitates direct command access. The researcher identified the decryption function in the SBI and how it operates. With this, they then proceeded to alter the flash memory on the device to anything custom they desire, such as always permitting access regardless of peripheral input ( in their demo using a green onion on the fingerprint reader, for example).
As the deployment in the ControlVault hardware firmware allows both attached driver control and SYSTEM interaction with privileged access, it creates a situation where both the physical device and the OS of the host can be compromised. As the hardware’s flash memory is independent, it is also persistent regardless of OS alteration and is in a memory area typically isolated from OS access by design for security (ironically). Therefore, such a compromise like other firmware-based deployments, is persistent even after OS reinstall or system reimaging.
Focused on ZTPN providers, it identified that although they are touted as being the ultimate replacement to VPNs, they effectively have consolidated their risks into one platform. As the risks are now all in one place, one flaw creates a single point of failure which they then go on to demonstrate against two well-known solutions.
Providing a full red team analysis of the ZTPN architecture and its purported security operations, the researchers systematically pick apart the secure design, identifying multiple fundamental flaws which allowed them direct and unrestricted access to the ZTPN and all connected devices via multiple methods. These methods include authentication bypass, device token spoofing (changing username to admin, for example) and even cross-tenant bypass, where a legitimate user of one organisation can alter the orgkey and be authorised in a different environment entirely.
The core of this presentation was highlighting that pushing new technological paradigms sounds great, but if the implantation is flawed, then the whole thing is a vulnerability waiting to be exploited. As ZTPN is supposed to be the zero-trust enterprise deployment solution in one system, the fact that such fundamental flaws exist in the initial versions of the systems shines a light on the difference between expected/marketed security and what is delivered.
Connor is a highly experienced security expert and researcher with a strong background in threat hunting, detection and remediation. At Glasswall, he focuses on threat analysis, research and defense development (theoretical and POC).
Eliminate malware before it reaches your network and ensure your files are always safe and secure with Glasswall’s Zero Trust and intelligent file protection.
.avif)
