Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity. As long as HTTP/1.1 lives, desync attacks will thrive. In this session, I'll introduce multiple new classes of desync attack, enabling mass compromise of user credentials across hundreds of targets, including tech giants, SaaS providers, US government systems, and almost every company using a certain CDN. Every technique has been honed for maximum impact with minimum effort, with an unplanned collaboration yielding over $200,000 in bug bounties in two weeks. I'll also share the research methodology and open-source toolkit that made this possible, replacing outdated, canned-exploit probes with focused analysis that reveals each target's unique weak spots. This strategy creates an avalanche of desync research leads, yielding results ranging from entire new attack classes, down to exotic implementation flaws that bleed server memory into attackers' welcoming arms. You'll witness attacks meticulously crafted from theoretical foundations alongside accidental exploits with a root cause so incomprehensible, the developers ended up even more confused than me. You'll leave this talk equipped with everything you need to join me in the desync research endgame: the mission to kill HTTP/1.
By: James Kettle | Director of Research, PortSwigger Presentation Materials Available at: https://ift.tt/CxqeYvS
source https://www.youtube.com/watch?v=FJbuAyxTTWc
The Cyber Stream
Latest News for Cyber Security & Technology
Monday, 23 March 2026
Black Hat USA 2025 | "Dead Pixel Detected" - A Security Assessment of Apple's Graphics Subsystem
As one of the most significant attack surfaces in operating systems, the graphics subsystem has always been a focus of the security community. Given the lack of source code and technical documentation, conducting a comprehensive security assessment of such subsystems, particularly their kernel-mode components, remains an arduous task. Let's consider the Apple Silicon platform as a reference. Upon examining the security advisories from the past year, it is clear that the number of kernel vulnerabilities has diverged from the theoretical error rate per ten thousand lines of binary code. In the meantime, the AI revolution is accelerating, and large language models are placing more stringent demands on platform security. As security researchers, it is our obligation to step forward and safeguard these critical infrastructures. This presentation will delve into Apple's Intel-based GPU, Apple Graphics Accelerator (AGX GPU), IOMobileFrameBuffer (IOMFB) and Display Co-processor (DCP), from the perspectives of system architecture and implementation, reverse engineering and attack surface evaluation, fuzzing and vulnerability hunting. As part of the findings, this presentation will share with you more than a dozen kernel vulnerabilities, including CVE-2024-40854, CVE-2024-44197, CVE-2024-44199, CVE-2025-24111, CVE-2025-24257, CVE-2025-24273, etc. These brand new issues impact each of the components mentioned above. Through these case studies, you might gain a deeper understanding of the architecture design of Apple's graphics subsystem, as well as the security challenges emerging in the era of Apple Private Cloud Compute.
By: Yu Wang | Co-founder and CEO, CyberServal Weiteng Chen | Researcher, Microsoft Research, Redmond Presentation Materials Available at: https://ift.tt/RuOxmbG
source https://www.youtube.com/watch?v=JYmh7gCoIFo
Sunday, 22 March 2026
Black Hat USA 2025 | Peril at the Plug: Investigating EV Charger Security and Safety Failures
The past few years have seen a rapid increase in Level 2 EV charging equipment (EVSE) options for consumers. Along with choosing the right equipment, EV owners face installation decisions, such as hiring specialized installers or doing it themselves. However, many consumers are unaware of the cybersecurity risks inherent in all chargers. Vulnerability bounty programs have shown that even simple remote attacks can take full control of these devices. These challenges create an environment of safety risks that can endanger life and property. Our research examines the real-world consequences of compromised EVSE through the destructive testing of seven different products. We begin by reviewing common remote attacks found across various EV chargers and disclose several recently identified zero-day vulnerabilities. We then introduce a testing methodology simulating a worst-case scenario where a malicious actor bypasses safety mechanisms to cause maximum damage. The results include video footage of the tests, showcasing any destruction, collateral damage, and latent hazards. Lastly, we offer recommendations for enhancing safety through security best practices, hardware design, and implementation. Attendees will gain insight into the current state of EVSE security, how to assess EVSE safety mechanisms and the real-world dangers of using EVSE with safety features that can be bypassed via compromise.
By: Jonathan Andersson | Sr. Manager Security Research, Trend Micro Thanos Kaliyanakis | Vulnerability Researcher, Trend Micro Full Session Details Available at: https://ift.tt/8B4w6Hz
source https://www.youtube.com/watch?v=4l6hsv8IlWE
Black Hat USA 2025 | Racing for Privilege
Racing for Privilege: Leaking Privileged Memory From Any Intel System Using a Microarchitectural Race Condition
Enhanced Indirect Branch Restricted Speculation (eIBRS) is Intel's primary defense against Branch Target Injection-style (BTI) Spectre attacks. eIBRS prevents misuse of untrusted branch target predictions in higher privilege domains (i.e., kernel/hypervisor mode) by restricting predictions to the privilege domain they were created in. Since its inception in late 2018, eIBRS remains the best-suited BTI defense that all major operating systems and hypervisors rely on, and it has so far successfully prevented attackers from injecting arbitrary branch target predictions across privilege boundaries. However, our research finds that microarchitectural mitigations like eIBRS, much like software, are vulnerable to race conditions. Consequently, we will demonstrate an exploitation technique that allows attackers to inject branch target predictions not only into higher privilege domains, but also across prediction barriers (i.e., IBPB) meant to invalidate all such predictions. Tracing the bug back to its origin, we find that it has been present ever since eIBRS was first introduced, meaning systems have been vulnerable for over 7 years! We will demonstrate that this issue is easy to exploit by building an arbitrary privileged memory read primitive, evaluated (5.6 kB/s) on an up-to-date Ubuntu 24.04 system with all default mitigations enabled. This attack shows how easily hardware mitigations can fall apart when integrated into a complex CPU design, and it gives us a reminder of how much trust the computer industry faithfully puts into hardware vendors' security claims.
By: Sandro Rüegge | Security Researcher, ETH Zürich Johannes Wikner | CPU Therapist, PhD, ETH Zurich Presentation Materials Available at: https://ift.tt/0UQ7idh
source https://www.youtube.com/watch?v=ULXuhxj-WgA
Saturday, 21 March 2026
Black Hat USA 2025 | Hackers Dropping Mid-Heist Selfies
Hackers Dropping Mid-Heist Selfies: LLM Identifies Information Stealer Infection Vector and Extracts IoCs
Information stealer malware has become one of the most prolific and damaging threats in today's cybercrime landscape, siphoning off everything from browser-stored credentials to session tokens and other system secrets. In 2024 alone, we witnessed more than 30 million stealer logs traded on underground markets. Yet buried within these logs is an underexplored goldmine: screenshots captured at the precise moment of infection. Think of it as a thief taking a selfie mid-heist, unexpected but convenient for us, right? Surprisingly, these crime scene snapshots have been largely overlooked until now. Leveraging infostealer infection screenshots and Large Language Models (LLMs), we propose a new approach to identify infection vectors, extract indicators of compromise (IoCs) and track infostealer campaigns at scale. Our approach found several hundred potential IoCs in the form of URLs leading to the download of the malware-laden payload. By applying this method to "fresh" stealer logs, we can detect and mitigate infection vectors almost instantaneously, reducing further infections. Our analysis uncovered distribution strategies, lure themes and social engineering techniques used by threat actors in successful infection campaigns. We will break down three distinct campaigns to illustrate the tactics they use to deliver malware and deceive victims: cracked versions of popular software, ads pointing to popular software and free AI image generators. This presentation, with its live demonstration, shows how LLMs can be harnessed to extract IoCs at scale while addressing the challenges and costs of implementation. Attendees will walk away with a deeper understanding of the modern infostealer ecosystem and will want to apply LLMs to other illicit artifacts to extract actionable intelligence.
By: Estelle Ruellan | Threat Intelligence Researcher, Flare Olivier Bilodeau | Principal Security Researcher, Flare Presentation Materials Available at: https://ift.tt/1GYAekO
source https://www.youtube.com/watch?v=WQFIfORignI
Black Hat USA 2025 | Unix Underworld: Tales from the Dark Side of z/OS
You may have heard tales of mainframe pentesting and exploitation before - mostly from us! Those stories often focused on the MVS/ISPF side of IBM z/OS. But did you know that all those same tricks (and more!) can be pulled off in z/OS Unix System Services (OMVS) as well? I bet you didn't even know z/OS had a UNIX side! Over the years, we've discovered multiple unique attack paths when it comes to Unix on the mainframe. In this talk, we'll present live demos of real-world scenarios we've encountered during mainframe penetration tests. These examples will showcase what can happen with poor file hygiene leading to database compromises, inadequate file permissions enabling privilege escalation, a lack of ESM resource understanding allowing for privileged command execution, and how dataset protection won't save you from these attacks. We'll also be demonstrating what can happen when we overflow the buffer in an APF authorized dataset. Attendees will learn how to test these controls themselves using freely available open-source tools and how to (partially) detect these attacks. While privesc in UNIX isn't game over for your mainframe, it's pretty close. By the end, it will be clear that simply granting superuser access to Unix can be just as dangerous, if not more so, than giving access to TSO on the mainframe.
By: Philip Young | Director Mainframe Penetration Testing Services, NetSPI Chad Rikansrud | Software Security Researcher, Broadcom Presentation Materials Available at: https://ift.tt/DOXYWFE
source https://www.youtube.com/watch?v=3wQHhGxVTuo
Friday, 20 March 2026
Black Hat USA 2025 | Booting into Breaches: Hunting Windows SecureBoot's Remote Attack Surfaces
SecureBoot, designed to protect against firmware-level tampering, has long been dismissed as a "local-only" attack surface. This research shatters that assumption, exposing systemic flaws that enable remote exploitation of SecureBoot, culminating in Pre-Auth RCE on fully patched systems. With 31 CVEs discovered and fixed in Microsoft's SecureBoot implementation, we reveal how attackers can weaponize bootloader components (network stacks, BCD registries, filesystems) to bypass critical security guarantees. We dissect novel attack surfaces in Windows' UEFI environment, including an overlooked network protocol parser and a single 100-line BCD registry function harboring 6 vulnerabilities. Our custom debugging and fuzzing frameworks can assist vulnerability hunting in the UEFI environment efficiently. Beyond the bootloader, we demonstrate how kernel and userland components inherit these weaknesses, including an RCE demo on a SecureBoot-enforced Hyper-V host. By chaining logical flaws in SecureBoot's trust model, we illustrate how attackers can pivot from firmware to OS-level control without physical access. We conclude with actionable mitigations and a critical call to re-evaluate firmware security paradigms in an era where remote exploitation nullifies the "local access" defense.
By: Jietao Yang | Security Researcher, Cyber Kunlun Lab Presentation Materials Available at: https://ift.tt/z6oEmWw
source https://www.youtube.com/watch?v=p4EXzE0dvWE
Black Hat USA 2025 | I'm in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR
What if you could leverage Event Tracing for Windows (ETW) to manipulate telemetry data, challenging the trust placed in endpoint detection and response (EDR) tools? ETW is a critical component of the operating system for Event Log generation as well as EDR telemetry collection. By injecting custom events into the ETW stream, I've found a safe way for blue teams to replicate attack telemetry without executing these risky processes on production systems. Additionally, red teams can exploit this same technique to mislead incident analysts or, worse, trigger capping mechanisms in EDRs, effectively rendering them partially blind to malicious activities. Current Windows protection mechanisms mostly allow these techniques to be executed from any un-elevated process, in user mode. I will demonstrate the injection of telemetry events and the exploitation of event capping, illustrating how an overflow in event generation can cause Defender for Endpoint to disregard subsequent logs, including those from genuine threats. I will showcase how automated risk assessment can lead to the revocation of tenant access for that device.
By: Olaf Hartong | Security Researcher, FalconForce Presentation Materials Available at: https://ift.tt/uRoVyUj
source https://www.youtube.com/watch?v=G3Ft0gtmm4I
Thursday, 19 March 2026
Black Hat USA 2025 | Analyzing Smart Farming Automation Systems for Fun and Profit
Tracking the Tractors: Analyzing Smart Farming Automation Systems for Fun and Profit
The digital transformation of agriculture has changed the technology in use on farms. This includes modernized farming equipment with smart capabilities and the development and widespread adoption of retrofit automation systems for legacy farming equipment, which extend its lifespan and keep existing legacy resources in use, similar to security efforts for legacy systems in OT. This research presents a security analysis of the FJ Dynamics Steering Kit, a leading aftermarket solution for autonomous tractor capabilities, which is sold under different labels in Asia, Europe and the United States. Our investigation revealed critical vulnerabilities enabling unauthorized global tracking of tractors, system manipulation, and potential safety compromises, highlighting significant risks to agricultural operations and public safety.
Presentation Materials Available at: https://ift.tt/Km1QEL5
source https://www.youtube.com/watch?v=OxnY_25suS8
Black Hat USA 2025 | BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets
In Windows, the cornerstone of data protection is BitLocker, a Full Volume Encryption technology designed to secure sensitive data on disk. This ensures that even if an adversary gains physical access to the device, the data remains secure and inaccessible. One of the most critical aspects of any data protection feature is its ability to support recovery operations in case of failure. To enable BitLocker recovery, significant design changes were implemented in the Windows Recovery Environment (WinRE). This led us to a pivotal question: did these changes introduce any new attack surfaces impacting BitLocker? In this talk, we will share our journey of researching a fascinating and mysterious component: WinRE. Our exploration begins with an overview of the WinRE architecture, followed by a retrospective analysis of the attack surfaces exposed with the introduction of BitLocker. We will then discuss our methodology for effectively researching and exploiting these exposed attack surfaces. Our presentation will reveal how we identified multiple 0-day vulnerabilities and developed fully functional exploits, enabling us to bypass BitLocker and extract all protected data in several different ways. Notably, the findings described reside entirely in the software stack, not requiring intrusive hardware attacks to be exploited. After identifying these vulnerabilities as attackers, we then took on the role of defenders. We will share the insights Microsoft gained from this research and explain our approach to hardening and further securing WinRE, which in turn strengthens BitLocker.
By: Alon Leviev | Security Researcher, Microsoft Netanel Ben Simon | Senior Security Researcher, Microsoft Yair Netzer | Principal Security Research Manager, Microsoft Amit Dori | Senior Security Research Manager, MORSE Team, Microsoft Full Presentation Materials Available at: https://ift.tt/5qkCOdG
source https://www.youtube.com/watch?v=2CJl6mTtgws
Wednesday, 18 March 2026
Black Hat USA 2025 | ECS-cape – Hijacking IAM Privileges in Amazon ECS
Amazon Elastic Container Service (ECS) is a popular container orchestration service that relies on IAM roles for fine-grained access control. Our research uncovered a critical privilege escalation vulnerability that allows a low-privileged task running on an ECS instance to hijack the IAM privileges of higher-privileged containers on the same EC2 machine. This talk will unveil the details of this previously undisclosed vulnerability, dubbed ECS-cape, which exploits an undocumented ECS protocol to escalate privileges. By taking advantage of shared infrastructure in containerized environments, attackers can use this technique to gain unauthorized access to cloud resources. We will demonstrate ECS-cape live, showcasing how an attacker can leverage this flaw to escalate privileges. The session will also cover practical defense strategies, detailing why co-locating high-privilege and low-privilege workloads on the same ECS instance is risky and how organizations can architect their cloud environments to mitigate this attack vector. Attendees will leave with a clear understanding of how to detect, mitigate, and prevent similar privilege escalation risks in their cloud infrastructure.
By: Naor Haziz | Senior Software Developer, Sweet Security Presentation Materials Available at: https://ift.tt/KiPDspS
source https://www.youtube.com/watch?v=UV-hS-DTeik