Nikita Tarakanov. MS11-087. МИФИ 18/02/2012
"Embedded FontApocalypse (MS11-87): everything you wanted to know about kernel vulnerability analysis but were afraid to ask"*
An analysis of the well-known font exploit for MS Windows, which allows system drivers to be loaded without authorization, including drivers that carry no digital signature on x64 systems. The author will also give an overview of kernel vulnerability analysis and where to start studying this subject.


Transcript

  • 1. Embedded FontApocalypse: MS11-087. Nikita Tarakanov
  • 2. First of all
    • I am not affiliated with any AV company
    • I did not have, and do not have, the original sample used by Duqu
    • The methods used to test the AV products may be flawed
  • 3. A short primer
    • TTF – TrueType – win32k.sys
    • OTF – OpenType – atmfd.dll
  • 4. Vulnerability timeline
    • MS10-037 – CFF memory corruption
    • MS10-078 – OTF parsing (2 vulns)
    • MS10-091 – OTF parsing (3 vulns)
    • MS11-003 – OTF encoded char vuln
    • MS11-032 – OTF parsing
  • 5. Vulnerability timeline
    • MS09-065 – EOT parsing
    • MS10-032 – TTF parsing
    • MS11-041 – OTF(?) validation
    • MS11-077 – TTF, FON vulns
    • MS11-084 – DoS in TTF interpreter
    • MS11-087 – TTF sbit integer vulns
  • 6. MS11-087 (Duqu vuln)
  • 7. TrueType bitmap glyphs
    • EBLC – info about indexes (positions) of bitmap data
    • EBDT – actual bitmap data
    • EBSC – info about scaling
  • 8. TrueType assembler!
    • Over 100 instructions
    • Implemented in kernel (!!!) land
    • Vulns were discovered (MS11-084)
    • itrp_XXX – example: itrp_PUSHB
    • Instructions in cvt table and fpgm
  • 9. TrueType assembler
  • 10. TrueType assembler
  • 11. TrueType assembler
  • 12. TrueType assembler
  • 13. TrueType assembler
  • 14. GetSbitComponent
    • One parameter is the TTF interpreter context
    • Integer overflow leads to kernel pool corruption
    • Corrupts the TTF interpreter context!
    • This leads to full pwn at r0 (!!!) remotely
  • 15. Lame lame cybercriminals
    • The guys behind Duqu have failed to exploit this vuln on x64 systems!
    • Actually, it's real hardcore: you have to implement a ROP program in TTF assembler
    • TODO: go pwn x64, crack your brain!
  • 16. MS11-087 attack vectors
    • TTF – good for Vista/2k8/7/8
    • DOC – Duqu attack vector
    • DOCX – same as DOC, but OOXML
    • IE – drive-by download scenario
    • LPE – no comments…
  • 17. AV/HIPS vs MS11-087
    • TTF vector detection: Avast, Avira, BitDefender, BullGuard, eScan, G Data, K7, KL, Lavasoft, Rising, TrustPort, Vipre, ZoneAlarm
    • LPE: FAIL, FAIL, FAIL!
    • Even with MPAA info some AV FAILED to detect my PoC
  • 18. MS11-087 Easter egg
  • 19. Kernel attack surface
    • Interrupts
    • Syscalls
  • 20. Interrupts
    • Exceptions
    • Interrupt transitions
    • NTVDM
  • 21. Syscalls
    • Ntoskrnl.exe
    • Win32k.sys
  • 22. Questions
    • @NTarakanov
    • Nikita.tarakanov.researcher@gmail.com
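Slides 7 and 14 describe the bug class behind MS11-087 only in one line each: size arithmetic on embedded bitmap (sbit) data overflows, and the too-small kernel pool allocation that follows gets overrun. The slides do not show the actual arithmetic in GetSbitComponent, so the example below is an added illustration, not the speaker's code and not win32k.sys code. It reads the standard sfnt table directory (tag, checksum, offset, length records after a 12-byte header) of a constructed font buffer and shows the two checks a font parser needs to make that kind of overflow harmless: an offset/length bounds test written so that it cannot wrap, and a bitmap size computation that refuses to return a wrapped value. The `sbit_image_size` helper and the constructed 'EBDT' record with a wrapping offset are assumptions made for the demonstration, not data from the talk.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* TrueType/sfnt is big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Standard sfnt layout: 12-byte offset table, then numTables records of tag(4) checksum(4) offset(4) length(4). */
#define TTF_HEADER_SIZE 12
#define TTF_RECORD_SIZE 16

/* True if [offset, offset+length) lies inside a file of file_size bytes.
   Written as offset <= file_size - length so it cannot wrap; the naive form
   offset + length <= file_size passes when offset + length exceeds UINT32_MAX. */
bool ttf_table_in_bounds(uint32_t offset, uint32_t length, uint32_t file_size) {
    if (length > file_size) return false;
    return offset <= file_size - length;
}

/* Hypothetical helper: byte size of an uncompressed w x h bitmap at bpp bits per pixel,
   the kind of value an EBDT reader feeds into a pool allocation. Returns 0 when the
   result would not fit the 32-bit allocation size assumed here, instead of a wrapped value. */
uint32_t sbit_image_size(uint32_t w, uint32_t h, uint32_t bpp) {
    if (bpp != 1 && bpp != 2 && bpp != 4 && bpp != 8) return 0;
    uint64_t row_bytes = ((uint64_t)w * bpp + 7) / 8;   /* 64-bit: w*bpp cannot wrap here */
    uint64_t total = row_bytes * h;                      /* max (2^32-1)^2 < 2^64, still exact */
    if (total == 0 || total > UINT32_MAX) return 0;
    return (uint32_t)total;
}

/* Walks the table directory and returns how many records pass the bounds check,
   or -1 if the header or the directory itself is truncated. */
int ttf_count_valid_tables(const uint8_t *buf, size_t len) {
    if (len < TTF_HEADER_SIZE || len > UINT32_MAX) return -1;
    uint16_t num_tables = be16(buf + 4);
    uint64_t dir_end = TTF_HEADER_SIZE + (uint64_t)num_tables * TTF_RECORD_SIZE;
    if (dir_end > len) return -1;
    int valid = 0;
    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *rec = buf + TTF_HEADER_SIZE + (size_t)i * TTF_RECORD_SIZE;
        uint32_t offset = be32(rec + 8), length = be32(rec + 12);
        if (ttf_table_in_bounds(offset, length, (uint32_t)len)) {
            valid++;
        } else {
            fprintf(stderr, "table %.4s rejected: offset 0x%08x length 0x%08x, file is %zu bytes\n",
                    (const char *)rec, offset, length, len);
        }
    }
    return valid;
}

/* Constructed 64-byte sample: header + two records + 20 bytes of payload.
   Record 0 ('EBLC') is exactly in bounds; record 1 ('EBDT') has offset 0xFFFFFFF0 and
   length 0x20, so offset + length wraps to 0x10 in 32-bit arithmetic. */
size_t build_sample_font(uint8_t *buf) {
    memset(buf, 0, 64);
    buf[1] = 0x01;              /* sfnt version 0x00010000 */
    buf[5] = 2;                 /* numTables = 2 */
    memcpy(buf + 12, "EBLC", 4);
    buf[12 + 11] = 44;          /* offset = 44 (big-endian low byte) */
    buf[12 + 15] = 20;          /* length = 20 */
    memcpy(buf + 28, "EBDT", 4);
    memset(buf + 28 + 8, 0xFF, 3);
    buf[28 + 11] = 0xF0;        /* offset = 0xFFFFFFF0 */
    buf[28 + 15] = 0x20;        /* length = 0x20 */
    return 64;
}

int main(void) {
    uint8_t buf[64];
    size_t n = build_sample_font(buf);
    printf("valid tables: %d of 2\n", ttf_count_valid_tables(buf, n));
    printf("13x7 @1bpp = %u bytes, 65536x65536 @8bpp = %u (0 means refused)\n",
           sbit_image_size(13, 7, 1), sbit_image_size(0x10000, 0x10000, 8));
    return 0;
}
```

The second `sbit_image_size` call is the shape of failure the slides name: 65536 x 65536 x 8 bpp is exactly 2^32 bytes, which a 32-bit multiply wraps to 0, so a parser that allocates that many bytes and then copies the glyph data corrupts the pool. Widening to 64 bits and rejecting anything above the allocation-size type keeps the allocation and the copy length consistent.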