The Dynamite of Next Generation (Y) Attack

The Hacker Secret #2: The Dynamite of Next Generation (Y) Attack focuses on client-side exploitation with software bugs, the latest Windows vulnerabilities, etc.

Published in: Technology
  • www.citec.us/levelcwh3

    1. The Dynamite of Next Generation (Y) Attack
        • Prathan Phongthiproek (Lucifer@CITEC)
        • Senior Information Security Consultant
        • ACIS Professional Center
    2. Who am I?
        • CITEC Evolution
        • Code Name “Lucifer”, Moderator, Speaker
        • Instructor: Web Application (In) Security 101
        • Instructor: Mastering in Exploitation
        • ACIS Professional Center
        • RedTeam: Penetration Tester
        • Instructor / Speaker
        • Security Consultant / Researcher
        • Founder of CWH Underground Hacker
        • Exploits, Vulnerabilities, Papers Disclosure
        • Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc.
        • http://www.exploit-db.com/author/?a=1275
    3. Let’s Talk !?
        • Next Generation (Y) Attack from Software holes
        • Latest Microsoft Windows system vulnerabilities
        • Stuxnet Worm From USB
    4. Next Generation (Y) Attack from Software holes
    5. Malicious PDF
        • Still Hot !!!
    6. Malicious PDF
        • Adobe Collect Email Info
        • Adobe GetIcon
        • Adobe Jbig2Decode
        • Adobe UtilPrintf
        • Adobe U3D Mesh Declaration
        • Adobe PDF Embedded EXE (Affects Adobe Reader < 9.4 and Foxit)
        • Adobe Cooltype Sing (Affects Adobe Reader < 9.4)
        • Adobe to implement Reader Sandbox on version 9.4+
    7. Malicious PDF – Attack via MetaData
    8. Malicious PDF – Open PDF file
    9. Malicious PDF – Bypass Antivirus Malicious PDF File
    10. Malicious PDF – Disable JavaScript
    11. PDF Embedded EXE Exploit
    12. Web Browser Vulnerabilities
    13. Web Browser Vulnerabilities
        • Google Chrome still secure !!
        • IE / Firefox / Safari still PWNED !!
        • ActiveX Control and Java Applet still TOP Hit for Attack !!
        • Web Browser Toolbar coming with other software
        • Using Heap Spraying via JavaScript
        • Focus on Client-Side Exploitation
    14. Web Browser Vulnerabilities – IE
        • IE DHTML Behaviours Use After Free
        • IE Tabular Data Control ActiveX Memory Corruption
        • IE Winhlp32.exe MsgBox Code Execution
        • Zero-Day: IE 6/7/8 CSS SetUserClip Memory Corruption (mshtml.dll) – No DEP/ASLR
    15. Web Browser Vulnerabilities – Toolbars
    16. Web Browser Vulnerabilities – Drive By Download Attack
    17. Web Browser Vulnerabilities – Drive By Download Attack
    18. Web Browser Vulnerabilities – Drive By Download Attack
    19. Web Browser Vulnerabilities – Drive By Download Attack
    20. Web Browser Vulnerabilities – Drive By Download Attack
    21. Web Browser Vulnerabilities – Drive By Download Attack
    22. Drive By Download Attack via Java Applet
    23. Latest Microsoft Windows system vulnerabilities + Stuxnet Worm From USB
    24. MS Shortcut (LNK) Exploit
        • MS Windows Shell Could Allow Remote Code Execution
        • Uses DLL Hijacking Techniques for exploitation
        • Affects every release of the Windows NT kernel (2000, XP, Server 2003, Vista, Server 2008, 7)
        • Patch release MS10-046 on August 24 2010
        • Attack Layer 8 – Client-Side Exploitation
        • New Generation of Targeted Attacks – Stuxnet Worm
        • Stuxnet Worm – First Attack on SCADA System and Iran nuclear reactor via USB and Fileshares with Zero-day Windows vulnerabilities
        • Stuxnet abused Auto-Run feature to spread (Just open it)
    25. Stuxnet Worms
        • MS Server Service Code Execution MS08-067 (Conficker worms)
        • MS SMBv2 Remote Code Execution MS09-050
        • MS Shortcut (LNK) Vulnerability MS10-046
        • MS Print Spooler Service Code Execution MS10-061
        • MS Local Ring0 Kernel Exploit MS10-015
        • MS Keyboard Layout File MS10-073
        • Zero Day – MS Task Scheduler
    26. Latest Zero Day – MS Local Kernel Exploit (Win32k.sys)
        • MS Windows Local Kernel Exploit
        • Zero Day until Now !! – Still No Patch…
        • Affects every release of the Windows NT kernel (2000, XP, Server 2003, Vista, Server 2008, 7)
        • Elevate Privilege from USER to SYSTEM
        • The Exploit takes advantage of a bug in Win32k.sys
        • Bypass User Account Control (UAC) Get The Hell Outta Here !!
    27. Latest Attack Methodology
    28. MS Shortcut (LNK) Exploit
    29. Thank you
        • It’s not the END !!
        • See you tmr in “Rock'n Roll in Database Security”
