Igor Agievich, Pavel Markov. Dynamic Detection of Shellcode in Electronic Documents

630 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
630
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Igor Agievich, Pavel Markov. Dynamic Detection of Shellcode in Electronic Documents

  1. 1. First of allIm sorry for my English...
  2. 2. WHOAMImany people know me from this image
  3. 3. WHOAMI_2Markov Pavel:Found zero-day in Windows (execute arbitrarycode by manipulating with folder settings)Just a developerAgievich Igor:Found vulnerability in Outpost Security Suite(2012), VirtualBox (2011), vBulletin (2005-2006)Not even a developer :)
  4. 4. Actually, we are trying to create afuzzer...Yet another bicycle?
  5. 5. Our goalsWe want to fuzz filetypes of our companyBut actually any file types can be fuzzed with ourfuzzer, depending on how much you know aboutspecific file format (thats how weve found abug in Yandex browser)
  6. 6. Our own fuzzing: how does it work?Its a client-server based softwareBasicly consists of:Generator (one or more)Clients for testing generated samples (one or more). At themoment of development they could only detect exceptions.Using IdebugClient with Python wrapper (allows fasterdevelopment than using Debug API).In addition we found out:Also this approach helps to find shell code in electronicdocuments
  7. 7. Our own fuzzing: how does it work?
  8. 8. Lets use a new source for testingour fuzzingWe tried using a real file from some receivedemail and we found... Exceptions! It was CVE-2012-0158 (.rtf)Then uploaded this file to Virtest, which returned:
  9. 9. We need to go deeper and create somethingnew!
  10. 10. Lets try to play with exploitOriginal file from email (on the left) and modifiedfile, still working (on the right)
  11. 11. What can shell code doHas functions for download andor execution
  12. 12. We can find suspicious workflowSuspicious workflow depends on tested software.For example, creation of the new process issuspicious for:Word 2003, Internet Explorer 6, Adobe Reader 8Not suspicious for:Google Chrome, Adobe Reader 11, Internet Explorer8-9)
  13. 13. Our soft in actionFull video:http://www.youtube.com/watch?v=v3h_H5ZGIT8
  14. 14. And a good marksman may missDoes Yandex know about fuzzing?I think they do...But weve found a new bug anyway!
  15. 15. Our resultsWe tested our programm on:> 20 000 *.pdf files (was open in Adobe Reader 9-11, FoxitReader 3-6, Google Chrome, Yandex.Browser)> 10 000 *.doc, *.docx, *.rtf files (was open in MS Word 2003,2007, Libre Office 4.0)OS Win XP, Win 7Weve found:Some APT attacks with some known CVE (CVE-2012-0158and some else) for MS Word 2003, 2007Bug in Yandex.Browser (fixed in latest version)
  16. 16. Any questions?If you have got any questions in English pleasewait until I am drunk and my speaking skills ofEnglish are leveled up :)Anyway, you can contact me on Internettwitter: @shanker_sec

×