#NullconBerlin2025 | RDP and The Power of Deterministic Snapshot Fuzzing by Pascal Beyer
Presentation: https://berlin2025.nullcon.net/berlin-2025/recordings
Speaker: Pascal Beyer
Talk Title: RDP and The Power of Deterministic Snapshot Fuzzing
As critical attack surface becomes more and more secure and mitigations become more and more effective, security researchers have increasingly turned to developing complex tooling specialized for attacking specific targets. For attacking an operating system kernel, this tooling usually needs to include a hypervisor or an emulator. Emulators in particular provide an excellent analysis platform for root-causing bugs and for implementing scalable and deterministic tools like coverage-driven fuzzers.
In 2022, Colas Le Guernic and Jérémy Rubert showed that snapshot fuzzing can be very useful for attacking targets like the Remote Desktop Client: using the bochscpu- and/or KVM-based system "What the Fuzz" to target the graphical component of the Microsoft RDP Client, they found CVE-2022-30221, a vulnerability inside the D3D11 software rasterizer implementation.
Expanding on that topic, this talk aims to showcase the advantages of using an emulator specifically designed for snapshot fuzzing. We will do this by looking at three recent CVEs discovered using our own system, SNAFUzz.
First, we will introduce the basics of snapshot fuzzing by discussing CVE-2025-[Undisclosed_0], a simple kernel vulnerability. Then we will target RDP and see how, inside an emulator, one can introduce allocation tracking and out-of-bounds detection to find heap memory leak vulnerabilities like CVE-2025-32715. Finally, we take a look at a remote code execution vulnerability found in a pre-release version of the RDP Client. It serves as an example of how the complete determinism of an emulator can be used to fully understand a somewhat complicated and convoluted vulnerability, by reproducing and debugging it over and over again.
-----------------
Follow Nullcon on Facebook: https://www.facebook.com/nullcon
X: https://twitter.com/nullcon
LinkedIn: https://www.linkedin.com/company/7593034/admin/feed/posts/
Website: https://nullcon.net/
Video: #NullconBerlin2025 | RDP and The Power of Deterministic Snapshot Fuzzing by Pascal Beyer, from the nullcon channel
Video information
Date: 17 November 2025, 20:00:51
Duration: 00:40:50