Slides from PHDays 2013 (http://www.phdays.com)
The past few years have shown frequent use of e-mail messages carrying electronic documents that contain exploits. Attackers use this technique to enlarge botnets or to spy on the industrial secrets of an organization. The report describes dynamic detection of shellcode in electronic documents without signature analysis, to improve the security of employees engaged in document flow. A zero-day vulnerability detected in Yandex.Browser is used to demonstrate how using the software can decrease the incident response time spent by a company's information security service.
WHOAMI
Markov Pavel: found a zero-day in Windows (execute arbitrary code by manipulating folder settings). Just a developer.
Agievich Igor: found vulnerabilities in Outpost Security Suite (2012), VirtualBox (2011), vBulletin (2005-2006). Not even a developer :)
Actually, we are trying to create a fuzzer...
Yet another bicycle?
Our goals
We want to fuzz the file types used in our company.
But actually any file type can be fuzzed with our fuzzer, depending on how much you know about the specific file format (that's how we've found a bug in Yandex.Browser).
Our own fuzzing: how does it work?
It's client-server based software.
Basically it consists of:
Generator (one or more)
Clients for testing generated samples (one or more). At the moment of development they could only detect exceptions.
Using IDebugClient with a Python wrapper (allows faster development than using the Debug API directly).
In addition we found out:
This approach also helps to find shellcode in electronic documents.
Let's use a new source for testing our fuzzing
We tried using a real file from a received email and we found... exceptions! It was CVE-2012-0158 (.rtf).
Then we uploaded this file to Virtest, which returned:
Let's try to play with the exploit
Original file from the email (on the left) and the modified file, still working (on the right).
What can shellcode do
Has functions for download and/or execution.
We can find suspicious workflow
Suspicious workflow depends on the tested software.
For example, creation of a new process is suspicious for: Word 2003, Internet Explorer 6, Adobe Reader 8.
Not suspicious for: Google Chrome, Adobe Reader 11, Internet Explorer 8-9.
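As an added example (not the authors' fuzzer), a small classifier that turns the two signals described in these slides, exceptions in the viewer and per-application "suspicious workflow" rules, into a verdict for one sandboxed run; the event log format, the network rule and the sample log lines are constructed assumptions.

```python
"""Added example, not the authors' fuzzer: a 'suspicious workflow' classifier
for a document-opening sandbox as the slides describe it. The event format,
the network rule and the constructed sample log are assumptions."""
from dataclasses import dataclass, field

# Policy from the slides: spawning a new process is suspicious for viewers
# that never do it legitimately, normal for multi-process/sandboxed viewers.
NEW_PROCESS_IS_SUSPICIOUS = {
    "Word 2003": True, "Internet Explorer 6": True, "Adobe Reader 8": True,
    "Google Chrome": False, "Adobe Reader 11": False,
    "Internet Explorer 8": False, "Internet Explorer 9": False,
}

@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)

def parse_event(line):
    """Constructed log format: '<kind>|<detail>', one event per line."""
    kind, _, detail = line.partition("|")
    return kind.strip(), detail.strip()

def classify(app, log_lines):
    """Return a Verdict for one run of `app` opening one sample."""
    reasons = []
    seen_exception = False
    for line in log_lines:
        kind, detail = parse_event(line)
        if kind == "exception":
            # The fuzzer clients flag any exception in the target application.
            seen_exception = True
            reasons.append(f"exception in {app}: {detail}")
        elif kind == "new_process":
            # No policy for an unknown application: treat process creation as suspicious.
            if NEW_PROCESS_IS_SUSPICIOUS.get(app, True):
                reasons.append(f"{app} spawned a process: {detail}")
        elif kind == "network" and seen_exception:
            # Assumption: a download after a crash matches the download-and-execute
            # behaviour the slides attribute to shellcode.
            reasons.append(f"network activity after exception: {detail}")
    return Verdict(bool(reasons), reasons)

# Constructed sample: what a client might log while Word 2003 opens an RTF.
SAMPLE_LOG = [
    "exception|0xC0000005 access violation in winword.exe",
    "network|connect 203.0.113.10:80",
    "new_process|C:\\Temp\\dropped.exe",
]

if __name__ == "__main__":
    v = classify("Word 2003", SAMPLE_LOG)
    print("suspicious" if v.suspicious else "clean", v.reasons)
```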
Our soft in action
Full video: http://www.youtube.com/watch?v=v3h_H5ZGIT8
And a good marksman may miss
Does Yandex know about fuzzing? I think they do...
But we've found a new bug anyway!
Our results
We tested our program on:
> 20 000 *.pdf files (opened in Adobe Reader 9-11, Foxit Reader 3-6, Google Chrome, Yandex.Browser)
> 10 000 *.doc, *.docx, *.rtf files (opened in MS Word 2003, 2007, LibreOffice 4.0)
OS: Win XP, Win 7
We've found:
Some APT attacks with known CVEs (CVE-2012-0158 and some others) for MS Word 2003, 2007
Bug in Yandex.Browser (fixed in the latest version)
Any questions?
If you have any questions in English, please wait until I am drunk and my English speaking skills are leveled up :)
Anyway, you can contact me on the Internet: @shanker_sec