Marco Ortisi - Vulnerability Research and Exploitation on Edge Devices - DCTLV2025

Name of Training: Vulnerability Research and Exploitation on Edge Devices
Trainer(s): Marco Ortisi
Dates: August 11-12, 2025
Time: 8:00 am to 5:00 pm PT
Venue: Las Vegas Convention Center
Cost: $2,300

Course Description: 

Attacks on edge devices are on the rise. Because these devices are deliberately exposed to the internet, they give attackers an easily identifiable network entry point. Edge devices encompass a wide variety of solutions such as virtual private network (VPN) servers, firewalls, load balancers, routers, mail systems, etc., and therefore they represent one of the most attractive targets for criminals and nation-state entities seeking to establish initial access inside victim networks. Furthermore, bug bounty programs are increasingly looking for these types of vulnerabilities.

Whether you want to create a working proof of concept with only a few public technical details as a starting point, reproduce a 1-day exploit through patch diffing or discover new 0day vulnerabilities on your own, this class aims to teach and show students the approaches, techniques and tools to do so. No bullsh*t XSS or missing secure cookie attribute vulnerabilities here. Anything less than critical impact/RCE is banned from this course. What is really scary is that students don't need to be l33t hackers to discover and exploit vulnerabilities with potentially devastating impact in the edge device world.

If your answer to some of the following questions is yes, then this course is for you:

  • Stumbled upon a technical blog post that describes an edge device vulnerability but does not provide all the details necessary to create a weaponized poc? Students will be shown how to overcome all the untold obstacles and create a working poc.

  • Do you suspect a vendor did not tell all the truth when they released a security advisory and tended to minimize the real impact of a vulnerability? Students will see how often vendors' claims can be subverted, for example by turning a client-side issue into a server-side flaw or a post-auth bug into a pre-auth vulnerability.

  • Concerned that a vendor did not follow the rule of thumb that, once a vulnerability becomes public, all the issues following the same pattern should be fixed? Students will learn how common it is in the edge device world to discover bypasses of a previously fixed vulnerability, getting additional CVEs for fun and profit.

  • Interested in creating a weaponized poc for a vulnerability but have no access to a patched firmware image? This course explains how to create a working RCE exploit just by following the little crumbs left in security advisories, starting from a vulnerable firmware image and without performing patch diffing.

This course is one of a kind. You can find courses teaching how to hack a mobile device, a hardware device, an IoT device, but no specific course for edge devices is currently available. 

Other valuable points students will learn are:

  • Create weaponized 1-day exploits via patch diffing
  • Exploitation of edge device vulnerabilities without patch diffing
  • Learn how to weaponize patched edge device vulnerabilities even in the absence of technical details/poc
  • Fundamentals of edge device virtual images reverse engineering
  • Bypass vendor patches
  • Properly re-assessing criticality of edge device vulnerabilities
  • Understand how to approach the edge device vulnerability research process and what to prioritize during it

Course Outline: 

Day 1

  • Why do edge devices keep getting hacked? 
  • Strategies to get edge devices firmware/VM images 
  • Edge devices jailbreak: acquiring stable local root shell access  
    • Lab 1 - A practical jailbreak case
  • Attack surface mapping: plan of action 
    • Lab 2 - A Silently Fixed 0day Case - Undisclosed vendor (for now :) )

Day 2

  • The Sophos Firewall case (CVE of 2022)  
    • Lab 3: Analysis and Exploitation
  • The Citrix Netscaler case (CVE of 2024) 
    • Lab 4: Analysis and Exploitation
  • The PanOS case (CVE of 2024) 
    • Lab 5: Analysis and exploitation

Difficulty Level:

Intermediate. Students should have basic web application hacking knowledge, basic PHP programming skills and familiarity with Python.

Suggested Prerequisites:

Background research to help understand the root cause of the most common web application hacking attacks (command injection, SQL injection, etc.)

What Students Should Bring: 

Students should have access to a computer with 8 GB RAM (minimum) and at least 40 GB free disk space. 
Students should install the web proxy Burp Community Edition as well as virtualization software (VMware advised) and the python3 interpreter.

Trainer(s) Bio:

Marco has been professionally dealing with IT security since 1999. After several experiences in Italy and abroad as a penetration tester, vulnerability researcher, team leader and ultimately red team manager, he went through a midlife crisis that made him decide to switch back to vulnerability research/analysis (especially 0days) and rediscover the pleasure of being the only person in his own reporting line. Speaker & trainer at Blackhat, BruCON, hackinbo, e-privacy.

Registration Terms and Conditions: 

Trainings are refundable before July 8, 2025, minus a non-refundable processing fee of $250.

Trainings are non-refundable after July 8, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions.

$2,100.00
$2,300.00