Tao Yan

41 posts

@ga1ois

Find order in chaos.

Joined August 2012
218 Following, 2K Followers
Tao Yan @ga1ois
@yongchuank Thank you for the nice words, yongchuan🩷
yongchuank @yongchuank
@ga1ois Ouch.. that sucks. A series of unfortunate events, but it doesn't take anything away from the research put into it. Not even 1 bit, nor that 1 bit ❤️‍🩹
Tao Yan @ga1ois
[4] and our competition was scheduled as the first one in the morning right after Ascension Day, so we couldn't buy an MBP to confirm right before the competition. All these occasional randoms had to be met at exactly the same time to make us fail. But it happened. Does God really throw dice?
Quoting Tao Yan @ga1ois:

[3] The real-life exploit consists of a bunch of really occasional randoms: hardware changed the fixed software offset; receiving the hardware specification from P2O at the airport meant we couldn't buy it at home; arriving in Berlin on Ascension Day with nowhere selling a MacBook;
Tao Yan @ga1ois
@0xcharlie That's so wild. I've heard some unbelievable stories from other legends too. Looks like everyone has a crazy story from Pwn2Own.
Tao Yan @ga1ois
@chompie1337 Thanks chompie, we actually did that right after they confirmed our registration. Anyway, congrats to your success at Pwn2Own this year : )
chompie @chompie1337
@ga1ois I’m sorry 😞. It’s still amazing work! Just a tip for the future, you can inquire about the hardware setup for the targets ahead of the contest
Tao Yan @ga1ois
[2] After our failed competition, we headed to the Apple Store, bought the MBP M5, spent less than half an hour setting it up, and found that a fixed offset was changed by 1 bit on it, so we just changed 1 bit in our exp and it worked with a 100% success rate. Yes, just a 1-bit change, 1 to 2.
Quoting TrendAI Zero Day Initiative @thezdi:

Unfortunately, Tao Yan & Edouard Bochin of Palo Alto Networks could not get their exploit of Apple Safari – Renderer Only working within the time allotted. #Pwn2Own #P2OBerlin
Tao Yan @ga1ois
[3] The real-life exploit consists of a bunch of really occasional randoms: hardware changed the fixed software offset; receiving the hardware specification from P2O at the airport meant we couldn't buy it at home; arriving in Berlin on Ascension Day with nowhere selling a MacBook;
Quoting Tao Yan @ga1ois:

[1] Our exp works on every system we have in hand, and it works with an almost 100% success rate; we didn't test it on the MBP M5 bare metal that Pwn2Own uses because of a chain of real-life exploits in which our exp was pwned.
Tao Yan reposted
Hexacon @hexacon_fr
Aaaand the first talk to be announced is... 🥁 Exploiting the Undefined: PWNing Firefox by Settling its Promises by @ga1ois & @le_douds
Tao Yan @ga1ois
Nice finding and writeup for another map transition bug in V8 : ) @mmolgtm showed another "field confusion" example to escape the V8 sandbox. As we mentioned in our BlackHat presentation, sandboxed object fields such as indices, offsets, and internal pointers are the design of the V8 sandbox; it would be challenging to patch all "field confusion" techniques. It is not a single bug, it is an idea. Play more and have fun if you are interested : )
Quoting Man Yue Mo @mmolgtm:

In this post I'll use CVE-2024-5830, a bug in object transitions in Chrome to gain RCE in the Chrome renderer sandbox: github.blog/security/vulne…
Tao Yan @ga1ois
Really thrilled and truly honored to receive this year's Pwnie Award for Most Innovative Research with @le_douds. It's a wonderful wrap-up for our work. Can't wait to start the next journey of our research. Great thanks to @PwnieAwards! #defcon32
flanker017 @flanker_hqd
Congrats to all the pwnie award winners this year, especially to my friend @CodeColorist and @ga1ois! Met many new friends in the @PwnieAwards afterparty, a great experience. Also made up for not being able to receive my award in person in 2022.
Tao Yan @ga1ois
We finished our presentation at #BHUSA and the slides were published here: i.blackhat.com/BH-US-24/Prese…, you can also find the latest slides and demo here: github.com/ga1ois/BlackHa…, enjoy, especially for our new "field confusion" V8 sbx escape technique : ) @le_douds @BlackHatEvents
Quoting Tao Yan @ga1ois:

#BHUSA We are glad our talk "Let the Cache Cache and Let the WebAssembly Assemble: Knockin’ on Chrome’s Shell" was accepted for Black Hat USA 2024; we'll disclose our #Chrome research demonstrated at #Pwn2Own 2024. Stay tuned : ) blackhat.com/us-24/briefing… @le_douds @BlackHatEvents
Tao Yan @ga1ois
#BHUSA We are glad our talk "Let the Cache Cache and Let the WebAssembly Assemble: Knockin’ on Chrome’s Shell" was accepted for Black Hat USA 2024; we'll disclose our #Chrome research demonstrated at #Pwn2Own 2024. Stay tuned : ) blackhat.com/us-24/briefing… @le_douds @BlackHatEvents
Tao Yan @ga1ois
We know "if you do not know the offense, how do you know the defense?", but in fact vice versa. When you have no idea for the offense, think about how to do the defense first : ) virusbulletin.com/conference/vb2…
Tao Yan reposted
TrendAI Zero Day Initiative
Confirmed! @le_douds and @Ga1ois from Palo Alto used an OOB Read plus a novel technique for defeating V8 hardening to get arbitrary code execution in the renderer. They were able to exploit #Chrome and #Edge with the same bugs, earning $42,500 and 9 Master of Pwn points. #Pwn2Own
Tao Yan @ga1ois
#BHEU Last month we presented our research "SELECT Bugs FROM Binary WHERE Pattern LIKE CVE-1337-DAYS" on BlackHat Europe. But some pretty interesting details were hidden due to the reason you know. Finally it is a good time to publish all. github.com/ga1ois/BlackHa… @BlackHatEvents