my journey on smbghost
play

My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx - PowerPoint PPT Presentation

Dec 25, 2023 •268 likes •1.35k views

My journey on SMBGhost Angelboy angelboy@chroot.org @scwuaptx Whoami Angelboy Researcher at DEVCORE CTF Player HITCON / 217 Chroot Co-founder of pwnable.tw Speaker HITB GSEC 2018/AVTokyo 2018/VXCON Outline

  1. Exploitation of SMBGhost From crash to arbitrary memory writing Padding • SrvAllocStruct 0x8 Next • Flag 0x10 Flag 0x12 Lookaside index • Inused flag 表⽰該 bu ff er 是 freed 還是正在使 0x14 Allocate CPU ⽤ … 0x18 Buffer • Lookaside index 0x20 Size • 在 lookaside list 中的 index … • Allocate CPU 0x50 MDL … • 分配時的 cpu number

  2. Exploitation of SMBGhost From crash to arbitrary memory writing Padding • SrvAllocStruct 0x8 Next • Bu ff er 0x10 Flag 0x12 Lookaside index • 該結構所管理的記憶體區塊,也就是使⽤時 0x14 Allocate CPU … 會⽤的 bu ff er 0x18 Buffer • Size 0x20 Size • 該 Bu ff er 的⼤⼩ … 0x50 MDL …

  3. Exploitation of SMBGhost From crash to arbitrary memory writing Padding • SrvAllocStruct 0x8 Next • MDL 0x10 Flag 0x12 Lookaside index • 指向描述該 bu ff er 的 MDL ,在做記憶體讀 0x14 Allocate CPU … 寫、傳送封包時會使⽤該 MDL ,來做記憶 0x18 Buffer 體相關操作 0x20 Size • Next … • 指向下⼀塊 Freed SrvAllocStruct 0x50 MDL …

  4. Exploitation of SMBGhost From crash to arbitrary memory writing NetBu ff erLookasides structure ProcessorCount SrvAllocStruct Allocate Buffer (0x1100) … Padding Size srvnet!SrvNetBu ff erLookasides Next … _MDL Flag (0) SrvNetBufferLookasides[0] LookasisidesList * Next SrvNetBufferLookasides[1] Lookaside index (0) Size … Allocate CPU (1) LookasisidesList[cpu_cnt] MdlFlags … LookasisidesList[0] AllocationProdessorNumber Buffer LookasisidesList[1] Reserved 0x1100 LookasisidesList[2] Process … … MappedSystemVa MDL LookasisidesListEntry StartVa Depth ByteCount … ByteOffset SrvAllocStruct * Physical Address[x]

  5. Exploitation of SMBGhost From crash to arbitrary memory writing NetBu ff erLookasides structure ProcessorCount SrvAllocStruct Allocate Buffer (0x1100) … Padding Size srvnet!SrvNetBu ff erLookasides Next … _MDL Flag (0) SrvNetBufferLookasides[0] LookasisidesList * Next SrvNetBufferLookasides[1] Lookaside index (0) Size … Allocate CPU (1) LookasisidesList[cpu_cnt] MdlFlags … LookasisidesList[0] AllocationProdessorNumber Buffer LookasisidesList[1] Reserved 0x1100 LookasisidesList[2] Process … … MappedSystemVa MDL LookasisidesListEntry StartVa memory pool Depth ByteCount [0x1100,0x2100…] … ByteOffset SrvAllocStruct * Physical Address[x]

  6. Exploitation of SMBGhost From crash to arbitrary memory writing NetBu ff erLookasides structure ProcessorCount SrvAllocStruct Allocate Buffer (0x1100) … Padding Size srvnet!SrvNetBu ff erLookasides Next … _MDL Flag (0) SrvNetBufferLookasides[0] LookasisidesList * Next SrvNetBufferLookasides[1] Lookaside index (0) Different Cpu has different list Size … Allocate CPU (1) LookasisidesList[cpu_cnt] MdlFlags … LookasisidesList[0] AllocationProdessorNumber Buffer LookasisidesList[1] Reserved 0x1100 LookasisidesList[2] Process … … MappedSystemVa MDL LookasisidesListEntry StartVa Depth ByteCount … ByteOffset SrvAllocStruct * Physical Address[x]

  7. Exploitation of SMBGhost From crash to arbitrary memory writing NetBu ff erLookasides structure ProcessorCount SrvAllocStruct Allocate Buffer (0x1100) … Padding Size srvnet!SrvNetBu ff erLookasides Next … _MDL Flag (0) SrvNetBufferLookasides[0] LookasisidesList * Next SrvNetBufferLookasides[1] Lookaside index (0) Size … Allocate CPU (1) LookasisidesList[cpu_cnt] MdlFlags … LookasisidesList[0] AllocationProdessorNumber Buffer LookasisidesList[1] Reserved 0x1100 LookasisidesList[2] Process … … MappedSystemVa MDL LookasisidesListEntry StartVa Depth The return of Allocate ByteCount … ByteOffset SrvAllocStruct * Physical Address[x]

  8. Exploitation of SMBGhost From crash to arbitrary memory writing NetBu ff erLookasides structure ProcessorCount SrvAllocStruct Allocate Buffer (0x1100) … Padding Size srvnet!SrvNetBu ff erLookasides Next … _MDL Flag (0) SrvNetBufferLookasides[0] LookasisidesList * Next SrvNetBufferLookasides[1] Lookaside index (0) Size … Allocate CPU (1) LookasisidesList[cpu_cnt] MdlFlags … LookasisidesList[0] AllocationProdessorNumber Buffer LookasisidesList[1] Reserved 0x1100 LookasisidesList[2] Process … … MappedSystemVa MDL LookasisidesListEntry StartVa Depth ByteCount … ByteOffset SrvAllocStruct * Used in tcpip Physical Address[x]

  9. Exploitation of SMBGhost From crash to arbitrary memory writing • SrvNetAllocateBu ff er Allocate • 如果沒有在 SrvNetBu ff erLookasides 找到適合的 bu ff er ,則會使⽤系統的 動態記憶體分配 ExPoolAlloacate 分配 bu ff er + SrvAllocaStruct + MDL ⼤ ⼩的空間 • 並將 SrvAllocaStruct 及 MDL 初始化 • SrvAllocaStruct 及 MDL 會放在該 bu ff er 尾端

  10. Exploitation of SMBGhost From crash to arbitrary memory writing ExAllocatePoolWithTag

  11. Exploitation of SMBGhost From crash to arbitrary memory writing Padding Initialize MDL & SrvAllocaStruct … Flag Index CPU … Buffer … Size … … MDL addr MDL

  12. Exploitation of SMBGhost From crash to arbitrary memory writing Padding Decompress buffer … Flag Index CPU … Buffer … Size … … MDL addr MDL

  13. Exploitation of SMBGhost From crash to arbitrary memory writing Padding Ret of SrvNetAllocateBuffer … Flag Index CPU … Buffer … Size … … MDL addr MDL

  14. Exploitation of SMBGhost From crash to arbitrary memory writing Backdoor ? CTF Challenge ?

  15. Exploitation of SMBGhost From crash to arbitrary memory writing • We can craft a special size to use the vulnerability to overwrite Bu ff er pointer first • After decompressing, it will overwrite the bu ff er pointer with target address • If it decompresses successfully, it will copy the data which uncompress from the original data to the bu ff er. • That is, we can do arbitrary memory writing !

  16. Exploitation of SMBGhost From crash to arbitrary memory writing Padding AAAAAAAA AAAAAAAA … … Flag Index CPU … Target … Size … … MDL addr MDL

  17. Exploitation of SMBGhost

  18. Exploitation of SMBGhost Arbitrary memory writing memcpy(target,original data,offset)

  19. Outline • Introduction • Vulnerability - CVE-2020-0796 • Exploitation of SMBGhost • From crash to arbitrary memory writing • How can we get code execution from arbitrary memory writing in the past • Method 1 - System root hijack (need some condition) • Method 2 - Abusing MDL

  20. Exploitation of SMBGhost How can we get code execution from arbitrary memory writing in the past • Abusing the HalpInterruptController • IAT Overwrite • We need bypass KASLR and read only protection • …

  21. Exploitation of SMBGhost How can we get code execution from arbitrary memory writing in the past • Abusing the HalpInterruptController • HAL (hardware abstraction layer) • A loadable kernel-mode module (hal.dll) that provides the low level interface to the hardware platform • hide the low-level hardware details from drivers and the operating system • I/O interface, interrupt controller …

  22. Exploitation of SMBGhost How can we get code execution from arbitrary memory writing in the past • Abusing the HalpInterruptController • HalpInterruptController • We can overwrite HalpApicRequestInterrupt to control RIP • It will be called quite frequently by windows • 在 Windows 8 之前 HAL Heap 為固定且為可讀可寫可執⾏,因此可將 shell code 也寫上⾯跳過去就好 • EternalBlue

  23. Exploitation of SMBGhost How can we get code execution from arbitrary memory writing in the past • Abusing the HalpInterruptController • Win 8 之後, HAL 變成可讀可寫不可執⾏,控制 RIP 後,要到 shellcode 執 ⾏變得困難許多 • 因此後來須先想辦法繞掉 DEP 再去跑 shellcode • 因為在 windows 中,純 ROP 不像 linux 中可以直接有⽅便的 API 置換掉 token ,所以如果可以跑 shell code 會讓利⽤簡單很多

  24. Exploitation of SMBGhost How can we get code execution from arbitrary memory writing in the past • Abusing the HalpInterruptController • 在 Windows 10 1703 之前, HAL heap 位置固定在 0x ffffffffff d00000 • SMBGhost 在 1903 及 1909 , HAL 位置無法預測

  25. Outline • Introduction • Vulnerability - CVE-2020-0796 • Exploitation of SMBGhost • From crash to arbitrary memory writing • How can we get code execution from arbitrary memory writing in the past • Method 1 - System root hijack (need some condition) • Method 2 - Abusing MDL

  26. 任何的互動,我們也沒有當前⽬標的任何位置,變成有任意寫入卻不知道可寫 Exploitation of SMBGhost System Root hijack • 在有 SMBGhost 任意寫入後,因為是直接走 tcp ,無法在 target 機器上,有 哪 • Win 10 後絕⼤多數的記憶體位置都會有 KASLR ,因此無法參考 EternalBlue 直接寫 HAL 位置 (Win10 前都固定位置 )

  27. Exploitation of SMBGhost System Root hijack • 在搜尋 memory 後,發現 _KUSER_SHARED_DATA 永遠都會在 0x ffff f78000000000 ,從古⾄今 都沒變過,且都是可寫 • ⼤多數都是⽤來計算時間,取得系統資訊, User space 會 mapping 在 0x7 ff e0000 ,使得 user 取 ⼀些資訊時可以不⽤透過 system call • 上⾯不少系統資訊 • SystemTime • Syscall • 以前會把 syscall instruction 放這邊,類似 linux 中的 vdso • NtSystemRoot

  28. Exploitation of SMBGhost System Root hijack

  29. Exploitation of SMBGhost System Root hijack • NtSystemRoot • Used by ntdll!LdrpLoadDLL • 裡⾯會使⽤ ntdll!RtlGetNtSystemRoot 取得 dll 路徑,這個 api 就是直接 從 _KUSER_SHARED_DATA 取值 • 原本路徑為 (C:\Windows\) • 因此只要將該路徑改掉,就可以做 DLL Hijacking • 就算是 KnownDlls 也全都可以 Hijack

  30. Exploitation of SMBGhost System Root hijack

  31. Exploitation of SMBGhost System Root hijack • NtSystemRoot • C:\Windows\ -> \??\UNC\{IP}\Windows\ • Sechost.dll • Hijack svchost.exe (User : System) • Svchost 在 createthread 時會去 loaddll ,有時需等⼀下 • 如果有 kernel 任意寫入,亦可⽤於提權, Low integrity 也適⽤

  32. Exploitation of SMBGhost System Root hijack

  33. Exploitation of SMBGhost System Root hijack • NtSystemRoot • Problem • 走 UNC 的話需要 target access 過任何 unc ⼀次,讓 unc driver 做初始化 • 有機會造成 BSOD 原因是因為會讓 csrss.exe load dll 失敗,因為 csrss 只會 load 有微軟簽章過的 dll ,只要 load 失敗就會造成該 process 掛掉 ,就會造成 BSOD • 需要ㄧ hijack 到 svchost 就⾺上將 path 改回,但這之前不能先讓 csrss load dll • 在 SMBGhost 的例⼦中不夠通⽤ 😣 ,且易失敗

  34. Outline • Introduction • Vulnerability - CVE-2020-0796 • Exploitation of SMBGhost • From crash to arbitrary memory writing • How can we get code execution from arbitrary memory writing in the past • Method 1 - System root hijack (need some condition) • Method 2 - Abusing MDL

  35. Exploitation of SMBGhost Abusing MDL • Ricerca Security • @hugeh0ge @_N4NU_ • The first stable exploit • Only write a blog • Did not release exploit

  36. Exploitation of SMBGhost Abusing MDL • 在 _KUSER_SHARED_DATA 尾端空⽩處構造 MDL 結構 • SMB 在做 Response 時會⽤ SrvAllocStruct 結尾的 MDL ptr 所描述的記憶體 區塊來作為 Response bu ff er • tcpip.sys 回傳時,就會透過 DMA 讀取 MDL 中的 physical address 的內容來 回傳 • 如果可以構造 MDL 到就可以達成任意物理記憶體讀取 • 但正常情況下 Response bu ff er 會是新分配的 bu ff er

  37. Exploitation of SMBGhost Abusing MDL

  38. Exploitation of SMBGhost Abusing MDL • 如果在 SMB cmd 執⾏ error 時,會執⾏到 Smb2SetError • 其中會呼叫 Srv2SetResponseBu ff erToReceiveBu ff er • 也就是說在 decompress 後, Smb 執⾏ Error 的情況下,下⾯三個 bu ff er 會 相等 • Receive bu ff er • Response bu ff er • Decompress bu ff er

  39. Exploitation of SMBGhost Padding KUSER_SHARED_DATA … Flag Index CPU … Buffer Fake MDL … Size … … MDL addr MDL

  40. Exploitation of SMBGhost Physics addr Next Size \xfeSMB……. MdlFlags AllocationProdessorNumber Reserved Process MappedSystemVa SMB Data StartVa ByteCount ByteOffset 0x43a3 0x1337 _MDL

  41. Exploitation of SMBGhost Physics addr Next Size \xfeSMB……. MdlFlags AllocationProdessorNumber Secret Reserved Secret Process MappedSystemVa SMB Data StartVa ByteCount ByteOffset 0x2020 0x2021 Use DMA to leak secret data in physical memory _MDL

  42. Exploitation of SMBGhost Abusing MDL Server Client(Attacker) Negotiate request Negotiate Response Session setup (NTLM) Craft a special message Session setup resp Response message 
 by using DMA with our MDL SMB compressed srvnet!SrvNetSendData SMB decompress error response Get the content of 
 physical address

  43. Exploitation of SMBGhost Abusing MDL • 但在某些環境下 DMA 會失效 • SrvNetSendData • Smb 最後⽤來傳遞封包的 function ,會預先處理回傳的封包 bu ff er ,最後會 通過 tcpip 如果有使⽤ MDL 則會採⽤ MDL 所描述的記憶體來傳輸 • 我們可以構造特別的 MDL ,事先將 physical 事先⽤ double-mapping ⽅式 mapping 到 Virtual Address 中,之後 Response 時就會⽤該 system bu ff er 的 data

  44. Exploitation of SMBGhost Abusing MDL • SrvNetSendData

  45. Exploitation of SMBGhost Physics addr Next Size \xfeSMB……. MdlFlags User buffer AllocationProdessorNumber Reserved Secret buffer Process 0 SMB Data StartVa ByteCount Secret ByteOffset Secret 0x2020 0x2021 _MDL

  46. Exploitation of SMBGhost Physics addr Next Size \xfeSMB……. MdlFlags User buffer AllocationProdessorNumber Reserved Secret buffer Process MappedSystemVa SMB Data Secret buffer StartVa ByteCount Secret ByteOffset Secret 0x2020 0x2021 Double-mapped _MDL

  47. Exploitation of SMBGhost Abusing MDL • 我們可以從 physical address 0x1000 位置周圍讀取內容,在 windows 10 中 是固定 mapping 到 Hal heap • 可獲得 HAL Heap 的 Virtual Address • 也可獲得 hal.dll 位置 • From Alex lonescu’s talk Getting Physical with USB Type-C: Windows 10 RAM Forensics and UEFI Attacks

  48. Exploitation of SMBGhost Abusing MDL • 接下來可以再次構造 MDL • 我們只要可以構造 MDL->MappedSystemVA 就可以讓該 bu ff er 作為 response bu ff er • Arbitrary virtual memory reading • 可以從 hal.dll 獲得 nt 及 HalpInterruptController 位置

  49. Exploitation of SMBGhost Abusing MDL

  50. Exploitation of SMBGhost Abusing MDL • SrvNetSendData • 該 function 會初始化成 SMB 封包的格式,如填入 size of SMB header ,如 果 leak 的位置是無法寫入會造成 Access violation(BSOD)

  51. Exploitation of SMBGhost Abusing MDL • How to solve the access violation problem ? • 利⽤ compress 功能 (SrvNetCompressData) • 在 SrvNetSendData 中,如果啟⽤ compress ,則會分配新的 bu ff er 來放 mdl->MappedSystemVA ,因此會將要 leak 的 data 做 compress 後回 傳,寫入 SMB header 資訊也會使⽤新的 bu ff er

  52. Exploitation of SMBGhost Bypass DEP • Overwrite PTE to make some page to ERW • ExAllocatePool • Allocate a NonPagedPool memory

  53. Exploitation of SMBGhost Bypass DEP • PTE (Page Table Entry) • Each page of virtual address is associated with PTE, with contains the PA to which the virtual one is mapped. • Page 權限主要靠 PTE 來決定,如果我們可以修改到 PTE 也就可以任意修 改 memory 權限 bypass DEP

  54. Exploitation of SMBGhost 47 39 30 21 12 PML4 PDPT PD PT Byte Within Page CR3 RAM DirBase KPROCESS Byte PFN PFN PFN PFN Page Map Level 4 Page Directory Pointer Page Directory Page Table

  55. Exploitation of SMBGhost Bypass DEP 0x ffffff 8000000000 Page Table 0x ffff 800000000000 No Access (Not Canonical Address) 0x800000000000 No Access 0x7 ffffff f0000 User Space (exe, dll, process heap,process stack) 0x0

  56. Exploitation of SMBGhost Bypass DEP • How windows to manage page table ? • Self-ref entry • This technique consists of using one entry at the highest paging level by pointing to itself. • In 64 bits, this entry is located in the PML4 • That is, there is a PTE point to PML4 so that system can modify any PTE to manage page table.

  57. Exploitation of SMBGhost Bypass DEP RAM PFN Byte PFN PFN PFN Page Map Level 4 Page Directory Pointer Page Directory Page Table

  58. Exploitation of SMBGhost Bypass DEP RAM PFN PFN Self entry PFN PFN Page Map Level 4 Page Directory Pointer Page Directory Page Table

  59. Exploitation of SMBGhost Bypass DEP • How to locate PTE of 0 • Find the Self-ref entry • 0x ffff f00000000000 + 0x800000000*(self-ref entry) • It also the base of Page table

  60. Exploitation of SMBGhost Bypass DEP Assume self-ref entry is 0x1ed 0x ffff f00000000000 + 0x800000000*0x1ed = 0x ffffff 6800000000 0 0 0 RAM 0x1ed Page Map Level 4 Page Directory Pointer Page Directory Page Table

  61. 置 Exploitation of SMBGhost Bypass DEP • 在過去 windows 是以 0x1ed 作為 self-modify entry 因此 Page table 的位置 是固定的,導致 attack 可⽤這特性來輕易修改 page table • 在近期的版本中,這數值則是從 0x100-0x1 ff 隨機⼀個數值,每次開機都會 不同,如果有任意記憶體讀取,可從 nt!MmPteBase 獲得 Page table 位置 • 如果有任意 physical address 也可以從 0x1ad000 (PML4 of system process) 找出 self-entry 位置,從⽽推出 Page table 在 virtual address 的位

  62. Exploitation of SMBGhost Bypass DEP • 找到 Sef-ref entry 之後,我們可以算出想改權限 page 的位置的 PTE ,將最⾼ ⼀ bit (NX bit) 清除,該 page 就會有執⾏權限

  63. Exploitation of SMBGhost Bypass DEP • 我們可修改 _KUSER_SHARED_DATA page 權限,改為可讀可寫可執⾏ • 放 shellcode & recover shellcode ⾄ KUSER_SHARD_DATA 尾端 • 覆蓋 HalpApicRequestInterrupt • Control RIP ! • 因為 HalpApicRequestInterrupt 會不斷被呼叫到,需要⾺上先還原該 pointer 位置

  64. Exploitation of SMBGhost Padding KUSER_SHARED_DATA … Flag Index CPU … Buffer Fake MDL … Size … Flag … MDL addr Kernel APC Shellcode MDL

  65. Exploitation of SMBGhost Shellcode • APC Injection shellcode • 我們只有 kernel code execution 沒有 user mode 的 process 的互動 • 我們此時就可以利⽤ APC injection ⽅式,將 user mode APC inject 到⾼權 限的 Process 中 • 這邊需要特別注意 IRQL ,如果沒寫好,會踩到 paged memory

  66. Exploitation of SMBGhost Shellcode • KAPC shellcode • KAPC • Find the target thread (svchost.exe) • Allocate execute memory in user-space • Copy shellcode to the memory • Queue the use-mode APC • UAPC • Reverse shell

  67. Exploitation of SMBGhost Demo

Recommend

A MONUMENTAL JOURNEY A MONUMENTAL JOURNEY PURPOSE A MONUMENTAL JOURNEY, SCULPTURE TO PRESERVE

A MONUMENTAL JOURNEY A MONUMENTAL JOURNEY PURPOSE A MONUMENTAL JOURNEY, SCULPTURE TO PRESERVE

A MONUMENTAL JOURNEY A MONUMENTAL JOURNEY PURPOSE A MONUMENTAL JOURNEY, SCULPTURE TO PRESERVE THE LEGACY OF AFRICAN-AMERICAN LAWYERS WHO, IN 1925, FOUNDED THE NATIONAL BAR ASSOCIATION (NBA), FULLY DEDICATED TO CIVIL RIGHTS, JUSTICE, AND

677 views • 11 slides
The Heros Journey The Heros Journey the hero's journey, is the common template of stories

The Heros Journey The Heros Journey the hero's journey, is the common template of stories

The Heros Journey The Heros Journey the hero's journey, is the common template of stories that involves a hero who goes on an adventure to a new world, and in a decisive crisis wins a victory, and then comes home changed or transformed.

419 views • 9 slides
The journey so far Greater Manchester: a snapshot picture The journey so far Who we are

The journey so far Greater Manchester: a snapshot picture The journey so far Who we are

The journey so far T he 22 billion question how can data help Greater Manchester optimise the impact of public services on population health? Jon Rouse, Chief Officer The journey so far Greater Manchester: a snapshot picture The journey

528 views • 52 slides
Jo Journey of In Indonesia Accounting Standards Now committed towards our journey to 2018

Jo Journey of In Indonesia Accounting Standards Now committed towards our journey to 2018

Jo Journey of In Indonesia Accounting Standards Now committed towards our journey to 2018 introduce a fully IFRS convergence converged SAK (with journey continues, 2016 I FRS ), as part of maintain the 1-year Indonesia financial Issued a

167 views • 3 slides
Beyond Beyond Journey Journey Times Times Bluetooth journey time process Moving beyond basic

Beyond Beyond Journey Journey Times Times Bluetooth journey time process Moving beyond basic

Beyond Beyond Journey Journey Times Times Bluetooth journey time process Moving beyond basic journey times Modelling Route analysis Traveller segmentation Visualisation and interaction Raw observation vs modelling Moving from what

668 views • 28 slides
E F K ON IN D IA C O M P A N Y O V E R V I E W Smooth Journey, Safe Journey. CITIES | HIGHWAYS

E F K ON IN D IA C O M P A N Y O V E R V I E W Smooth Journey, Safe Journey. CITIES | HIGHWAYS

E F K ON IN D IA C O M P A N Y O V E R V I E W Smooth Journey, Safe Journey. CITIES | HIGHWAYS | TUNNELS | LOGISTICS | FINANCIAL INSTITUTIONS EFKON INDIA AT A GLANCE 700+ 30+ 100% subsidiary Top 25 innovative company award by CII

515 views • 17 slides
Our Journey Our Journey and the Future to 2030 DNA Arise into of Arise the Future Successes

Our Journey Our Journey and the Future to 2030 DNA Arise into of Arise the Future Successes

Our Journey Our Journey and the Future to 2030 DNA Arise into of Arise the Future Successes and Highlights The Story of Arise The start of our journey Arise Key Milestones September First close signing Supervisory Board in place 2015

556 views • 36 slides
THE JCB ACADEMY THE JCB ACADEMY THE CURRICULUM JOURNEY THE CURRICULUM JOURNEY

THE JCB ACADEMY THE JCB ACADEMY THE CURRICULUM JOURNEY THE CURRICULUM JOURNEY

THE JCB ACADEMY THE JCB ACADEMY THE CURRICULUM JOURNEY THE CURRICULUM JOURNEY The JCB Academ y Journey The catalyst! The catalyst! JCB needed many more young people of the right calibre and attitude who would be interested

675 views • 18 slides
Using Social Media for Health Studies Ingmar Weber Social Computing, Qatar Computing Research

Using Social Media for Health Studies Ingmar Weber Social Computing, Qatar Computing Research

Using Social Media for Health Studies Ingmar Weber Social Computing, Qatar Computing Research Institute @ingmarweber My Journey My Journey My Journey My Journey My Journey My Journey My Journey My Journey My Journey Treat all

1.38k views • 84 slides
Wine Journey - Wines for Singapore and Malaysia* Wine Journey Singapore: 18 Howard Road #06-08

Wine Journey - Wines for Singapore and Malaysia* Wine Journey Singapore: 18 Howard Road #06-08

Wine Journey - Wines for Singapore and Malaysia* Wine Journey Singapore: 18 Howard Road #06-08 Novelty Bizcenter, S369585 Tel: Jon - 81885650 Wine Journey started as a conversational topic between lifelong friends amongst good food and great

342 views • 21 slides
Sister Pat McDermott: Presentation on the Journey of Oneness Part One: Journey of Oneness Desire

Sister Pat McDermott: Presentation on the Journey of Oneness Part One: Journey of Oneness Desire

Sister Pat McDermott: Presentation on the Journey of Oneness Part One: Journey of Oneness Desire to explore three questions today: 1. Where did the Journey of Oneness come from and why are we doing it? 2. What grounds us for this journey? 3. What

390 views • 10 slides
1 IND SPO T HE BL ING T e ld IMINA T Charlie F HP Confidential EL 2 THE JOURNEY

1 IND SPO T HE BL ING T e ld IMINA T Charlie F HP Confidential EL 2 THE JOURNEY

1 IND SPO T HE BL ING T e ld IMINA T Charlie F HP Confidential EL 2 THE JOURNEY TECHNOLOGY EXPLOSION IT Everywhere Networked Computing - Internet Personal Mainframe 3 THE JOURNEY - BUSINESS 4 THE JOURNEY - BUSINESS Business

521 views • 30 slides
Journey Moment 1 The Journey to EHS Excellence DD.MM.YYYY 2 INTERNAL A case for change A

Journey Moment 1 The Journey to EHS Excellence DD.MM.YYYY 2 INTERNAL A case for change A

Journey Moment 1 The Journey to EHS Excellence DD.MM.YYYY 2 INTERNAL A case for change A disturbing trend in EHS performance Hurting 100 people per year! Spills & releases Process safety incidents Transportation

632 views • 30 slides
HIDDENNESS OF THE JOURNEY Series The Christian Journey #7 - Colossians 3:1-4 IBC Eindhoven,

HIDDENNESS OF THE JOURNEY Series The Christian Journey #7 - Colossians 3:1-4 IBC Eindhoven,

HIDDENNESS OF THE JOURNEY Series The Christian Journey #7 - Colossians 3:1-4 IBC Eindhoven, 1 November 2020 HIDDEN = NOT YET APPEARED Colossians 3:4 You will appear with Christ in glory Philippians 3:20-21 Jesus will transform our

301 views • 6 slides
Journey and key takeaways 1 Procurement - Making it Circular Journey and key takeaways of A

Journey and key takeaways 1 Procurement - Making it Circular Journey and key takeaways of A

CIPS Switzerland Event in Lausanne, April 26 th Patrick CARMINATI Head of Laser Supplies Manufacturing & Sourcing, Lexmark Procurement - Making it Circular Journey and key takeaways 1 Procurement - Making it Circular Journey and key

726 views • 23 slides
our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can make us way more efficient containers can save us money on hosting containers sound interesting company founded in 2013

848 views • 30 slides
The Maryland Journey to Population Health Howard Haft, MD, MMM, CPE, FACPE The Journey Reached a

The Maryland Journey to Population Health Howard Haft, MD, MMM, CPE, FACPE The Journey Reached a

The Maryland Journey to Population Health Howard Haft, MD, MMM, CPE, FACPE The Journey Reached a Crossroad VOLUME VALUE 2014 1970 2 Tragedy of the Com m ons- Volum e 3 4 Total Cost of Care Model Contract 9 July 20 18 Hospitals and

573 views • 7 slides
1. Collect your passport, then journey to the big top and meet the elf guides. Elves guide you

1. Collect your passport, then journey to the big top and meet the elf guides. Elves guide you

1. Collect your passport, then journey to the big top and meet the elf guides. Elves guide you on a journey to meet.. Biggle Wigglepop Mother Christmas The guided experience lasts 3 hours, with 3 shows, the journey to snow

404 views • 13 slides
Going Reactive An architectural journey Going Reactive An architectural journey Matthias

Going Reactive An architectural journey Going Reactive An architectural journey Matthias

Going Reactive An architectural journey Going Reactive An architectural journey Matthias Kppler October 2015 commit 24c61b35754ff5ca153ce37c5886279153f0d16f Author: Matthias Kaeppler <mk@soundcloud.com> Date: Wed Mar 13

700 views • 41 slides
The Journey to Pay by Finger Nick Dryden CEO AGREE? The Journey Through Identity Starting

The Journey to Pay by Finger Nick Dryden CEO AGREE? The Journey Through Identity Starting

The Journey to Pay by Finger Nick Dryden CEO AGREE? The Journey Through Identity Starting in 1999 we built the UKs Highest Circulating Music Magazine Distributed through 100 s of live Music venues across the UK Recruited teams of

754 views • 61 slides
journey! circulation: 667,000 1.2 million readers WHO ARE AAA journey READERS? 667,000 CIRCULATION

journey! circulation: 667,000 1.2 million readers WHO ARE AAA journey READERS? 667,000 CIRCULATION

did you know 250,000 AAA journey Readers visit Idaho each year. TRUSTED FOR 1 14 YEARS Reach with journey! circulation: 667,000 1.2 million readers WHO ARE AAA journey READERS? 667,000 CIRCULATION IN WASHINGTON & N. IDAHO (1.2 MILLION

181 views • 5 slides
What is a journey towards excellence? Why Baldrige? How did the journey benefit the City and

What is a journey towards excellence? Why Baldrige? How did the journey benefit the City and

What is a journey towards excellence? Why Baldrige? How did the journey benefit the City and the Community? Why Pursue the Malcolm Baldrige Award? Customer/Community Focus: Pursuing excellence starts with the needs, expectations and

453 views • 7 slides
Multimodal Dynamic Journey Planning Kalliopi Giannakopoulou, Andreas Paraskevopoulos &

Multimodal Dynamic Journey Planning Kalliopi Giannakopoulou, Andreas Paraskevopoulos &

Multimodal Dynamic Journey Planning Kalliopi Giannakopoulou, Andreas Paraskevopoulos & Christos Zaroliagis Journey Planning Journey Planners compute best journeys in public (scheduled-based) transport networks Optimization problems (also

169 views • 15 slides
Benefit & Risk Communication The Journey The Journey Speaking Today Michele Sharp,

Benefit & Risk Communication The Journey The Journey Speaking Today Michele Sharp,

Benefit & Risk Communication The Journey The Journey Speaking Today Michele Sharp, Director of Regulatory Affairs Melissa Barnes, Asst General Counsel Paula Garrett, Director of Consumer Marketing Lilly Vision Improved

877 views • 12 slides

More recommend