
[2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study EN


2014 CodeEngn Conference 11

Real-world exploitation, starting from an IE 1-day!

Memory corruption vulnerabilities such as BOF, FSB and UAF are learned through wargames and CTFs, but many students seem to have only a vague idea of how they apply to real commercial software, even though the difficulty there is often comparatively lower. This talk explains UAF, the most common class of vulnerability found in web browsers, and walks through how to exploit two typical IE browser UAF vulnerabilities discovered relatively recently, CVE-2014-0322 and CVE-2014-1776. A separate step-by-step tutorial will be provided so that the two vulnerabilities presented as case studies can be studied hands-on.

http://codeengn.com/conference/11
http://codeengn.com/conference/archive


  1. IE 1Day Case Study www.CodeEngn.com 2014 CodeEngn Conference 11
  2. Agenda * Who am I * Background * CVE-2014-0322 * CVE-2014-1776 * Q&A
  3. Who am I * Darwin Park - Vulnerability discovery - Exploit techniques * Netguardian (feat. Jaeyoung Kim) * Wiseguyz & B10S
  4. Background * If you look at Microsoft's security bulletins, you'll notice that many of the patched vulnerabilities were use-after-frees * Use-after-free is still a common bug class * That's why I'll walk you through UAF in IE today
  5. DEMO!
  6. Background * What does an exploit look like? Magic? There's nothing special about exploits * By learning from examples we can understand how exploitation works
  7. Background * Use After Free (dangling pointers) - the result of the combined actions of different parts of an application, namely the parts of the code that can cause the freeing of an object and the parts of the code that still use the object
  8. CVE-2014-0322
  9. CVE-2014-0322 STEP 1: minimized PoC code
  10. CVE-2014-0322
  11. CVE-2014-0322
  12. CVE-2014-0322 STEP 2: filling the freed object's memory
  13. CVE-2014-0322
  14. CVE-2014-0322 JavaScript strings are UTF-16 with a two-byte terminator, so "A" is laid out as 0041 0000, "AA" as 0041 0041 0000 and "AAA" as 0041 0041 0041 0000; the string allocated in the freed object's place is what the stale object pointer now reads
  15. Result: eax = 0x41414141 (the register is now loaded from attacker-controlled bytes in the filled memory)
  16. CVE-2014-0322 STEP 3: memory leak
  17. Layout of the sprayed array: [size][unknown][data1][data2][data3][data4][data5][data6] ... [data1007][data1008][Null][Null] (0x3f0 = 1008 elements)
  18. CVE-2014-0322 STEP 4: modify object size
  19. Stale pointer 0x12120ff1 + 0x10 = 0x12121001, which lands inside the array's size field 0x000003f0, so the size grows. Element store: mov [edx+esi*4+8], eax with eax = value, esi = offset (index), edx = buffer; with the enlarged size the store reaches past the array's real end
  20. CVE-2014-0322 STEP 5: EIP control
  21. Flow: free & new main class object -> leak! -> allocation -> v-table overwrite
  22. Faked v-table reference
  23. CVE-2014-0322
  24. CVE-2014-0322
  25. CVE-2014-1776 * Similar to CVE-2014-0322, just a typical UAF case * We can use the same approach as for CVE-2014-0322
  26. Workshop
  27. Q&A Questions? https://withgit.com/hdarwin89/codeengn-2014-ie-1day-case-study
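The slides describe the dangling-pointer mechanics in words (STEP 2, filling the freed object's memory, and STEP 5, redirecting a virtual call through a faked v-table) but the deck's own code is not on this page. The following is an added example, not the author's code and not IE's internals: it models the two steps in C with a deterministic toy slab allocator (a LIFO free list, so the chunk just freed is handed to the next same-sized allocation). In the browser the fill is done with JavaScript strings; here it is a memset. The `Element`, `VTable`, `slab_*` names and the `0x0BADC0DE` marker returned by the attacker's function are all assumptions of the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size allocator with a LIFO free list, so a freed chunk is handed
 * straight back to the next same-sized allocation. This stands in for a heap
 * bucket; it is an assumption of the demo, not the real allocator. */
#define CHUNK_SIZE 32
#define NUM_CHUNKS 8
static _Alignas(16) unsigned char slab[NUM_CHUNKS][CHUNK_SIZE];
static unsigned char *free_list[NUM_CHUNKS];
static int free_top = -1;

static void slab_reset(void) {
    free_top = -1;
    for (int i = NUM_CHUNKS - 1; i >= 0; i--)
        free_list[++free_top] = slab[i];
}
static void *slab_alloc(void) { return free_top >= 0 ? free_list[free_top--] : NULL; }
static void slab_free(void *p) { free_list[++free_top] = (unsigned char *)p; }

/* A C++-style object: the first field is the v-table pointer. */
typedef struct Element Element;
typedef struct { int (*get_tag)(Element *); } VTable;
struct Element { const VTable *vt; int tag; };

static int real_get_tag(Element *e) { return e->tag; }
static const VTable real_vtable = { real_get_tag };

/* Stands in for the payload; a real exploit would land on shellcode or a
 * ROP chain here. The 0x0BADC0DE marker is a constructed value. */
static int attacker_get_tag(Element *e) { (void)e; return 0x0BADC0DE; }
static const VTable fake_vtable = { attacker_get_tag };

/* Value of a pointer-sized word whose every byte is b (0x4141... for 'A'). */
static uintptr_t pattern_word(unsigned char b) {
    uintptr_t w; memset(&w, b, sizeof w); return w;
}

/* STEP 2: the object is freed while a reference survives. A same-sized
 * "string" is allocated from the same bucket, lands in the freed chunk and
 * is filled with 'A'. Returns what the stale pointer now sees as its v-table. */
static uintptr_t fill_freed_object(void) {
    slab_reset();
    Element *e = slab_alloc();
    e->vt = &real_vtable; e->tag = 7;
    Element *dangling = e;                  /* stale reference */
    slab_free(e);
    unsigned char *str = slab_alloc();      /* reuses e's chunk */
    memset(str, 0x41, CHUNK_SIZE);          /* "AAAA..." */
    return (uintptr_t)dangling->vt;         /* 0x41414141... */
}

/* STEP 5: same, but the fill places a pointer to a fake v-table in the first
 * slot. The next virtual call through the stale reference runs
 * attacker_get_tag instead of real_get_tag: that is the EIP control. */
static int hijack_virtual_call(void) {
    slab_reset();
    Element *e = slab_alloc();
    e->vt = &real_vtable; e->tag = 7;
    Element *dangling = e;
    slab_free(e);
    unsigned char *str = slab_alloc();
    memset(str, 0x41, CHUNK_SIZE);
    const VTable *fv = &fake_vtable;
    memcpy(str, &fv, sizeof fv);            /* controlled bytes at the v-table slot */
    return dangling->vt->get_tag(dangling); /* dispatches to attacker_get_tag */
}

/* Reference: the same virtual call on a live object. */
static int legitimate_call(void) {
    slab_reset();
    Element *e = slab_alloc();
    e->vt = &real_vtable; e->tag = 7;
    int r = e->vt->get_tag(e);
    slab_free(e);
    return r;
}

int main(void) {
    printf("live object get_tag()      = %d\n", legitimate_call());
    printf("v-table ptr after fill     = 0x%lx\n", (unsigned long)fill_freed_object());
    printf("get_tag() via fake v-table = 0x%x\n", (unsigned)hijack_virtual_call());
    return 0;
}
```

The point of the toy allocator is that the reuse is deterministic; against a real heap the same effect needs grooming (many frees and same-sized allocations) so that the replacement string reliably lands where the freed object was, which is what the spray in the real exploit is for.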
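STEP 3 (memory leak) and STEP 4 (modify object size) rest on the layout the slides draw, [size][unknown][data1 .. data1008][Null][Null], and on the arithmetic 0x12120ff1 + 0x10 = 0x12121001 landing one byte into the size field 0x000003f0. The following is an added example, not the deck's code, that replays those two steps on a constructed heap image in C: two such arrays are placed back to back, a 32-bit increment is applied at +0x10 of a stale pointer that sits 0xf bytes below the first array (the same +1 offset into the size field as in the slide), and the element store `mov [edx+esi*4+8], eax` is modelled as a bounds-checked `vec_set`. That the vulnerable operation is an increment is taken from public write-ups of CVE-2014-0322, not from the slides; the `vec_*` helpers, the 0x11111111/0x22222222 header words and the padding sizes are assumptions of the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed heap image: two arrays with the slide's layout
 * [size][unknown][data1 .. data1008][Null][Null] back to back, with padding
 * in front (for the stale pointer) and behind (so the out-of-bounds stores
 * below stay inside this buffer). */
#define ELEMS     0x3f0u                    /* 1008 elements */
#define HDR       8u                        /* size + unknown */
#define VEC_BYTES (HDR + 4u * ELEMS + 8u)   /* + two trailing nulls */
#define PAD       0x100u
static unsigned char heap[PAD + 2u * VEC_BYTES + PAD];
static unsigned char *const vec_a = heap + PAD;
static unsigned char *const vec_b = heap + PAD + VEC_BYTES;

static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

static void vec_init(unsigned char *v, uint32_t unknown) {
    memset(v, 0, VEC_BYTES);
    wr32(v, ELEMS);            /* size field */
    wr32(v + 4, unknown);      /* the "unknown" header word */
}
static uint32_t vec_size(const unsigned char *v) { return rd32(v); }

/* Element store with a length check in front of
 * mov [edx+esi*4+8], eax  (edx = buffer, esi = index, eax = value).
 * Returns 0 when the index is rejected. */
static int vec_set(unsigned char *v, uint32_t idx, uint32_t val) {
    if (idx >= vec_size(v)) return 0;
    wr32(v + HDR + 4u * idx, val);
    return 1;
}
static int vec_get(const unsigned char *v, uint32_t idx, uint32_t *out) {
    if (idx >= vec_size(v)) return 0;
    *out = rd32(v + HDR + 4u * idx);
    return 1;
}

/* The primitive: a 32-bit increment at +0x10 of a pointer read from the freed
 * object. With that slot filled with 0x12120ff1, +0x10 = 0x12121001, one byte
 * into the size field of the array at 0x12121000. Here the stale pointer is
 * vec_a - 0xf, giving the same +1 offset. (Increment: public analyses, not the slides.) */
static void vulnerable_increment(unsigned char *stale_obj) {
    unsigned char *target = stale_obj + 0x10;
    wr32(target, rd32(target) + 1);        /* unaligned inc dword [ptr+0x10] */
}

/* Runs STEP 3/4. Returns 1 when a store that was out of bounds before the
 * bug is accepted afterwards; -1 if any step fails. Reports the corrupted
 * sizes and the header word leaked from the neighbouring array. */
static int run_chain(uint32_t *size_a, uint32_t *size_b, uint32_t *leaked) {
    vec_init(vec_a, 0x11111111u);
    vec_init(vec_b, 0x22222222u);

    /* Before the bug: index 0x3f2 (vec_b's size field) is rejected. */
    if (vec_set(vec_a, ELEMS + 2, 0x7fffffffu)) return -1;

    vulnerable_increment(vec_a - 0xf);     /* size 0x3f0 -> 0x4f0 */
    *size_a = vec_size(vec_a);

    /* STEP 3: read past the two nulls into the neighbour's header. */
    if (!vec_get(vec_a, ELEMS + 3, leaked)) return -1;   /* vec_b's "unknown" */

    /* STEP 4: overwrite the neighbour's size; vec_b now "spans" memory. */
    if (!vec_set(vec_a, ELEMS + 2, 0x7fffffffu)) return -1;
    *size_b = vec_size(vec_b);

    /* A store 0x10 elements past vec_b's real end is now accepted. */
    return vec_set(vec_b, ELEMS + 0x10, 0x41414141u);
}

int main(void) {
    uint32_t a = 0, b = 0, leaked = 0;
    int ok = run_chain(&a, &b, &leaked);
    printf("size of A after inc   : 0x%x\n", a);
    printf("leaked neighbour word : 0x%x\n", leaked);
    printf("size of B after OOB   : 0x%x\n", b);
    printf("store past B accepted : %d\n", ok);
    return 0;
}
```

Two things carry over to the real target: the byte-level increment only works because the stale pointer value was chosen to be misaligned against the array header, and the first array only grows by 0x100 elements, which is just enough to reach the next header and turn a small overflow into an array that indexes anywhere.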
