You may think of Microsoft as a company that fixes vulnerabilities, but we frequently find security issues in other vendors’ products as well. Microsoft Vulnerability Research (MSVR) was created to help ensure that our company demonstrates the same behavior, in the role of a finder, that we’d like to see from other companies and researchers from all over the world. We make sure that our reports are complete and accurate and communicated securely and effectively to the right place. This presentation will cover how and why MSVR was created, an in-depth look at our operations and what we’ve learned so far with this program. We’ll also discuss how your company can have a centralized program to do the same. We’ll finish things off with a run through of an example vulnerability that one of our finders discovered, reported through MSVR, and what it was like working to get it fixed with an advisory we released thereafter.
CODE BLUE 2014 : Microsoft Vulnerability Research: How to be a Finder as a Ve... (CODE BLUE)
Here at Microsoft, our people often find security issues in other vendors' products, fueling the need for a coordinated approach to working with those vendors to get those bugs fixed. Microsoft Vulnerability Research (MSVR) was created to help ensure that our company demonstrates the same management, in the role of a finder, that we'd like to see from other companies and researchers when reporting vulnerabilities. MSVR has played an important role working with internal bug hunters to fix many vulnerabilities in top software during the lifetime of this proactive program. After you know how we work, you'll see how you can start a vulnerability coordination program at your company too.
Protecting Enterprise - An examination of bugs, major vulnerabilities and exp... (ESET Middle East)
This white paper focuses on the dramatic growth in the number and severity of software vulnerabilities, and discusses how multilayered endpoint security is needed to mitigate the threats they pose.
Software Security Engineering (Learnings from the past to fix the future) - B... (DebasisMohanty43)
This talk was presented at BSides Delaware 2021. It covered some crucial aspects of software security engineering and strategy that most organisations have overlooked or ignored. Primarily, the presentation provides some insights on why we still see two-decade-old bugs, and recommendations to consider going ahead.
Note: I gave this talk earlier in the year at the OWASP Global 21st event, but this presentation is a slightly extended version of the OWASP talk. Therefore, treat this slide as the most up to date version.
The video recording of this talk is available via the BSides DE YouTube channel.
Black Search Engine Optimisation (SEO), often referred to as negative SEO, is a term that covers sabotage techniques aiming to reduce a web site's ranking in search engine results. Black SEO techniques are typically used in business and socio-political contexts, such as information warfare.
The presentation will focus on the use of these techniques to discredit a web site by making it vanish from the major search engine result pages. The discussion will also cover how to exploit common web application vulnerabilities such as Cross Site Scripting, SQL injection and other popular exploitation methods to leverage black SEO attacks. Examples will be included to demonstrate each method of exploitation, and how the vulnerabilities can be used to impact revenues and the reputation of business and political targets.
Black SEO attacks represent a unique class of threats and, from a security perspective, any threat which can incur a potential loss should be considered a risk. So far, some of these techniques have only existed as a discussion topic in the SEO industry. Consequently, the intent of my presentation is to bring this complex topic to light for the security community.
Webinar | Cybersecurity vulnerabilities of your business - Berezha Security G... (Berezha Security Group)
After completing over 50 Penetration Testing and Application Security projects during 2020, and many more since 2014, the BSG team shares its expertise in finding security vulnerabilities across many business verticals and industries.
In the webinar, we will talk about:
1. The typical threat model of a modern business organization.
2. How the COVID-19 pandemic has changed that threat model.
3. What Threat Modeling is, and how it works for BSG clients.
4. What DARTS is, and how we secure sensitive customer data.
5. What the BSG Web Application Pentester Training is, and why it exists.
6. The top 10 critical cybersecurity vulnerabilities we found in 2020.
We help our customers address their future security challenges: prevent data breaches and achieve compliance.
*Slides - English language
*Webinar - Ukrainian language
Link to the webinar: https://youtu.be/fkdafStSgZE
BSG 2020 Business Outcomes and Security Vulnerabilities Report: https://bit.ly/bsg2020report
Contact details:
https://bsg.tech
hello@bsg.tech
The developers of our Java web application development company are well-versed in the programming language. With years of experience and knowledge, they are aware of all the Java security issues and the fixes that fortify security. If you want to create an application that is safe and robust, contact us at any time.
Open Source Security – A vendor's perspective (Matthew Wilkes)
This talk aims to let interested users in on the work of being a responsible vendor in the open source security world. It will have a particular focus on Plone, but will be applicable to anyone issuing public fixes for open source code.
With that in mind, here are 10 best DevSecOps tools for 2023 so you can get started on the right foot with the latest and greatest techniques. https://bit.ly/3Fd295g
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx (lior mazor)
Our technology, work processes, and activities all depend on whether we trust our software to be developed in a safe and secure manner. Join us virtually for our upcoming "Secure Your DevOps Pipeline: Best Practices" Meetup to learn how to integrate security into the development process, advanced DevSecOps methods, how to implement secure code analysis, and how to manage software security risks.
AppSec How-To: Achieving Security in DevOps (Checkmarx)
How do you integrate security within a Continuous Deployment (CD) environment, where every 5 minutes a feature, an enhancement, or a bug fix needs to be released? Find out in this Checkmarx How-To Paper.
Security engineering 101 when good design & security work together (Wendy Knox Everette)
Security concerns are often dealt with as an afterthought—the focus is on building a product, and then security features or compensating controls are thrown in after the product is nearly ready to launch. Why do so many development teams take this approach? For one, they may not have an application security team to advise them. Or the security team may be seen as a roadblock, insisting on things that make the product less user friendly, or in tension with performance goals or other business demands. But security doesn’t need to be a bolt-on in your software process; good design principles should go hand in hand with a strong security stance. What does your engineering team need to know to begin designing safer, more robust software from the get-go?
Drawing on experience working in application security with companies of various sizes and maturity levels, Wendy Knox Everette focuses on several core principles and provides some resources for you to do more of a deep dive into various topics. Wendy begins by walking you through the design phase, covering the concerns you should pay attention to when you’re beginning work on a new feature or system: encapsulation, access control, building for observability, and preventing LangSec-style parsing issues. This is also the best place to perform an initial threat model, which sounds like a big scary undertaking but is really just looking at the moving pieces of this application and thinking about who might use them in unexpected ways, and why.
She then turns to security during the development phase. At this point, the focus is on enforcing secure defaults, using standard encryption libraries, protecting from malicious injection, insecure deserialization, and other common security issues. You’ll learn what secure configurations to enable, what monitoring and alerting to put in place, how to test your code, and how to update your application, especially any third-party dependencies.
Now that the software is being used by customers, are you done? Not really. It’s important to incorporate information about how customers interact as well as any security incidents back into your design considerations for the next version. This is the time to dust off the initial threat model and update it, incorporating everything you learned along the way.
Data Security in Fintech App Development: How PHP Can Help (Narola Infotech)
Narola Infotech is a PHP development company with more than 17 years of experience. Our 350+ IT experts have worked with over 1500 clients around the world in every major industry. In fact, our clients have appreciated our efforts and results over the years.
Do you want to build a secure and functional fintech platform? Feel free to contact us at any time, and our experts will get back to you to discuss your dream project.
We've got some critical patches for Microsoft and Oracle for the month of April. Also, some insights on keeping your organization's Zoom users secure. Join Ivanti experts Chris Goettl, Todd Schell and Brian Secrist for their monthly Patch Tuesday webinar.
Introduction to the proposed EU cyber resilience act (CRA) (Olle E Johansson)
A short introduction to the proposed EU Cyber Resilience Act. It's a large document to parse, so please don't take my words as a truth, just indications of what will come. The CRA will impact everyone that distributes software and connected devices on the EU market, so it's important to stay up to date with this regulation.
DragonCon 2016
Attack surface on Windows is vast and full of opportunities. It has been explored upside down and inside out, although there's always room for other ways to look at it. In this talk, I'll be discussing how to discover attack surface by poking the OS in various ways to reveal interfaces and opportunities often otherwise found by either luck or winning a timing race. Starting a discussion on these components will shake out new bugs or design subtleties as they may have yet to be audited in depth. We'll walk through tooling for both the offensive and defensive angles. I'll be looking at the latest version of Windows 10 and also Server. If you're interested in finding vulnerabilities in the most prevalent platform on earth, or a developer with the urge to know more about application security, this talk is for you and will probably give you some new ideas.
Provoking Windows
For every action, there is a reaction
MSI installer creates many mutexes
Notably one called _MSIExecute
RW Everyone
Commonly checked to ensure only one installation at a time is occurring
Interesting #1
But, everyone can write to \BNO…
Turn on WLAN Autoconfig Service
New pipe with very generous ACEs…
\\.\pipe\WiFiNetworkManagerTask
O:LSG:LSD:(A;;FA;;;WD)(A;;FA;;;CO)(A;;FA;;;IU)(A;;FA;;;RC)(A;;FA;;;BA)
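The pipe's security descriptor above is in SDDL form. As an added example (not from the talk or from any Microsoft tool), here is a small Python audit that parses such a string and flags allow ACEs granting full control, DACL/owner takeover, or write access to trustees that any unprivileged local process can hold; the "hardened" comparison descriptors in it are constructed, not taken from a real system.

```python
import re

# Well-known trustee abbreviations from the SDDL specification (subset).
TRUSTEES = {
    "WD": "Everyone", "AU": "Authenticated Users", "IU": "Interactive Users",
    "BU": "Builtin Users", "RC": "Restricted Code", "AN": "Anonymous",
    "CO": "Creator Owner", "BA": "Builtin Administrators", "SY": "Local System",
    "LS": "Local Service", "NS": "Network Service",
}
# An unprivileged local process can act as any of these, so an allow ACE for
# them is reachable from a non-admin (or even a restricted) caller.
BROAD = {"WD", "AU", "IU", "BU", "RC", "AN", "CO"}

# Rights tokens grouped by what they let the holder do. Note the overloaded
# "WD": in the rights field it means WRITE_DAC, in the trustee field Everyone.
FULL_CONTROL = {"FA", "GA"}        # FILE_ALL_ACCESS / GENERIC_ALL
TAKEOVER = {"WD", "WO"}            # WRITE_DAC / WRITE_OWNER
WRITE = {"FW", "GW"}               # FILE_GENERIC_WRITE / GENERIC_WRITE

# Bits recognised when the rights field is a raw hex access mask.
HEX_BITS = [(0x10000000, "GA"), (0x40000000, "GW"), (0x00040000, "WD"),
            (0x00080000, "WO"), (0x00000002, "FW")]
FILE_ALL_ACCESS = 0x001F01FF

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def rights_tokens(field):
    """Turn the rights field into a set of two-letter SDDL tokens."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        toks = {name for bit, name in HEX_BITS if mask & bit}
        if mask & FILE_ALL_ACCESS == FILE_ALL_ACCESS:
            toks.add("FA")
        return toks
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE tuples."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = parts.get("D", "")
    flags = dacl.split("(", 1)[0]  # e.g. "P" (protected) or "AI" (auto-inherited)
    aces = [m.groups() for m in ACE_RE.finditer(dacl)]
    return {"owner": parts.get("O", ""), "group": parts.get("G", ""),
            "dacl_flags": flags, "aces": aces}


def audit_dacl(sddl):
    """Return (trustee, friendly name, level) for each allow ACE that gives a
    broad trustee full control, DACL/owner takeover, or write access."""
    findings = []
    for ace_type, _flags, rights, _obj, _inh, trustee in parse_sddl(sddl)["aces"]:
        if ace_type != "A" or trustee not in BROAD:
            continue  # deny ACEs and privileged trustees are not findings
        toks = rights_tokens(rights)
        if toks & FULL_CONTROL:
            level = "full-control"
        elif toks & TAKEOVER:
            level = "takeover"
        elif toks & WRITE:
            level = "write"
        else:
            continue
        findings.append((trustee, TRUSTEES.get(trustee, trustee), level))
    return findings


# The descriptor quoted on the slide for \\.\pipe\WiFiNetworkManagerTask.
PIPE_SDDL = "O:LSG:LSD:(A;;FA;;;WD)(A;;FA;;;CO)(A;;FA;;;IU)(A;;FA;;;RC)(A;;FA;;;BA)"

# Constructed comparison: only SYSTEM and admins get full control; interactive
# users get just the read/write a pipe client needs. The audit still reports
# that IU can write to the pipe, which is the nuance for a service that must
# survive hostile clients: reachability is reduced, not eliminated.
HARDENED_SDDL = "O:SYG:SYD:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFW;;;IU)"

if __name__ == "__main__":
    for label, sddl in (("slide", PIPE_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, parse_sddl(sddl)["dacl_flags"] or "(no flags)")
        for trustee, name, level in audit_dacl(sddl):
            print(f"  {level:12} {trustee} ({name})")
```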
Interesting #2
We can kill the pipe by looping large Write()s
But what happened?
svchost.exe @ wifinetworkmanager.dll
STATUS_STACK_BUFFER_OVERRUN
wifinetworkmanager.dll!__FatalError(char const *,unsigned long,char const *, …..)
AsyncPipe::ReadCompletedCallback(void)
AsyncPipe::Dispatch(int,void *,void *, …..)
Synchronizer::EnqueueEvent(…..)
\Driver\SoftwareDevice
BUILTIN_DRIVER (???)
SoftwareDevice class per c_swdevice.inf
Doesn’t have .sys loaded, nor many normal things
Exposes many devices during RDP sessions
Some of which are RW everyone
Windows Time
Creates an Event
W32TIME_NAMED_EVENT_SYSTIME_NOT_CORRECT
Squatting on this event produces an exception
svchost.exe @ ntdll.dll (w32time.dll in call stack)
STATUS_STACK_BUFFER_OVERRUN
Not likely a controllable crash, but notable nonetheless
wpa://C:\[trace file path here]/
Launches Windows Performance Analyzer on arbitrary file
Local bugs in WPA file parsing become remote
wpa://\\share\PhotosAppTracing.etl/
.etl, .wpa, .xml, .wpapk, .zip, .cab all fair game
The “crash immediately” club
com.microsoft.builder3d:///
hx-accounts:///
microsoft.windows.photos.crop:///
microsoft.windows.photos.picker:///
ms-wpdrmv:///
ms-apprep:/// (smartscreen)
read:/// (edge)
Tooling
Whale
“What happened at last exec?”
At the end of the day, the ones writing the code also wrote the bugs
No other people put bugs in your code (probably)
Thoughts on Disclosure
There’s no overall good way to disclose
Coordinated Disclosure
Great for vendor, not great for everyone else
Drop bug
Varies depending on your subscribed philosophy
Thinking of fuzzing applications on OS X can quickly lead to a passing conversation of "ooh exotic Mac stuff", "let's fuzz the kernel" or it can otherwise not be thought of as an exciting target, at least for looking for crashes in stuff other than Safari or the iPhone. While there are some intricacies and nuance involved, workarounds for security protections to enable debugging and finding tools that work and work well, this research will detail how it can be done in a reliable way and make the topic more tangible and easier to digest, kind of like how people think about using AFL on Linux: it "just works". We'll explore some of the overlooked attack surface of file parsers and some network services on Mac, how to fuzz userland binaries and introduce a new fuzzer that makes setup and crash triage straightforward while poking at some Apple core apps and clients. Have you ever thought "This thing has got to have some bugs" but think twice because it's only available on Mac and not worth the effort? If so, you may now find yourself both more motivated and better equipped to do some bug hunting on the sleek and eventually accommodating Mac OS.
Your SSH server configs are secure, right? If you search for hardening SSH, you can read all day about how this or that option is dangerous, or never use that flag, etc. But what really is the risk of compromise? This talk will explore various (mis)configurations and ways to use the client that perhaps have been deemed risky, but also walk through how exactly to attack them to bypass restrictions on the server or even get a shell. We'll also discuss some options that sound really bad, but more nuance is required to fully grasp what it takes to exploit the issue. You might even learn about some new features that let SSH do things you didn't think were really possible, or worst case you'll get a refresher on many attacks that have been mostly forgotten or ignored. Instead of just looking at a config or script and saying "that's bad, shouldn't do that", after this talk you should be able to demo various attacks yourself.
In this talk, we'll break down how one can exploit an ecosystem that enables management, querying, processing, and storage of, yes you guessed it, copious amounts of data. Hadoop and its many friends have been making their way into companies analyzing (sometimes, after massively collecting...) such data for years now, but they also make it easy to find organizations deploying things internally with security either off by default or otherwise exposed to various critical misconfigurations and access control issues.
If you're running engagements, this should also give you a head start on what to look for, how to attack networks where these products are running along with a few good ways to make them more defensible. Because if you want to defend well, you need to optimize towards mitigating actual risk vs theoretical, and there's no better way to determine if attacks are real than trying them out yourself. Let's say you just want to better understand how to shell out on servers running Apache Cassandra, Drill, Mesos... well, it may add a few pages to your playbook.
(FYI this is the version of the slides without a conference template; hopefully NoConName will share the templated version online as well)
With the 'rise of containers' comes also the rise of container platforms. And while Docker is the way to do things for now, Podman has also been gaining traction as the new kid on the block, especially after being somewhat embraced by Red Hat and Fedora. Being new also comes with a lack of heavy scrutiny and audit on the security side of things. Once you start integrating other protocols and pieces that complement each other, such as Varlink, boundaries become fuzzy. Rather than focus on container breakouts, which are also very important, we'll focus on how Podman and Varlink interoperate and the authentication and security implications as such. We'll look at the remote API capabilities, secure configurations and how certain setups and projects out there by default can be vulnerable to compromise. By the end of the talk, we will have discussed various bugs, issues and hardening techniques around deploying Podman and Varlink together, and if you don't know a lot about containers, you'll learn a bit along the way.
What happens when a company either doesn’t fully empower the Security team, or have one at all? Stuff like Goto fail, Equifax, unsandboxed AVs and infinite other buzz, or yet to be buzzed, words describe failures of not adequately protecting customers or services they rely on. Having a solid security team enables a company to set a bar, ensure security exists within the design, insert tooling at various stages of the process and continuously iterate on such results. Working with the folks building the products to give them solutions instead of just problems allows one to scale, earn trust and most importantly be effective and actually ship.
There’s a whole security industry out there with folks wearing every which hat you can think of. They have influence and the ability to find a bug one day and disclose it the next, so companies must adapt both engineering practices and perspectives in order to ‘navigate the waters of reality’ and not just hope nobody takes a look at their product. Having processes in place that reduce attack surface, automate testing and set a minimum bar can reduce bugs, and therefore the randomization for devs and the cost of patching, and create a culture where security makes more sense because it demonstrably solves problems.
Nvidia is evolving in this space. Focused on the role of product security, I’ll go through the various components of a security team and how they each interact and complement each other, commodity and niche tooling as well as how relationships across organizations can give one an edge in this area. This talk balances the perspective of security engineers working within a large company with the independent nature of how things work in the industry.
Attendees will walk away with a breadth of knowledge, an inside view of the technical workings, tooling and intricacies of finding and fixing bugs and finding balance within a product-first world.
Browser Fuzzing with a Twist (and a Shake) -- ZeroNights 2015Jeremy Brown
The web client is critical software to secure from any perspective. No matter if you're an organization or a casual client, you're typically just as vulnerable as anyone else. OSes are often supplemented with hardening toolsets or built-in mitigations as an extra measure to avoid compromise, but as with all things, they aren't completely solid either. Thus the need for systems that break systems, some of which deploy fuzzing and almost all of them work to find implementation bugs. Browser fuzzing has been explored and improved in many different ways over the past several years. In this presentation, we'll be primarily talking about a mutation engine that provides a somewhat novel technique for finding bugs in a still-ripe attack surface: the browser's rendering engine. This technique has the flexibility to be applied even more broadly than browsers, for example, there's initial support for fuzzing PDF readers. We'll also be discussing the tooling and infrastructure areas of the process, detailing what's needed to build a system that will scale and enable your fuzzing strategies to be successful. Finally, we can conclude the talk with some incubation results and how you can start making use of these fuzzing techniques today to find the bugs you need to exploit browsers or identify and fix the code responsible for each vulnerability.
POC Conference 2015
Virtual Appliances have become very prevalent these days as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones for many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that it catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which it runs. During this talk, I will provide real case studies for various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remote root on appliances.
Your data is much safer at home than it is letting some corporation "take care of it" for you, right? Security reviews for some of the top vendors' devices reveal many interesting findings. Like everything else, there are bugs. But knowing what kinds of bugs and how the vendors have responded will allow you to better understand the impact of plugging these devices into your network. Jeremy will show you just how low access control and least privilege are their list of priorities. He'll also explore the amount of test collateral and debug interfaces sloppily left shipping to consumers. From remote roots to stealing social network tokens to just plain weird stuff, he'll expand on how it's not just about what they do, but also what they don't do. And, he'll give you some useful guidelines on how to close the gaps yourself.
A Bug Hunter's Perspective on Unix DriversJeremy Brown
The Unix driver space with regards to security has been understudied compared to it’s vast attack surface. One juicy area that can be especially buggy and accessible in drivers, I/O control, has received much more attention on Windows than Unix OSes. In this presentation, I will give an introduction to this particular attack surface on Linux, why bugs here are a significant threat and show you how get started looking for vulnerabilities in drivers on the platform. I’ll also go into some of the tools and techniques available and talk about a new tool I’ve written that can help bug hunters dig into Unix device drivers.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
2. WHO ARE THESE FINE GENTLEMEN
David Seidman
Manager of MSVR Program
Likes authentication, hates passwords
Jeremy Brown
MSVR Contributor since 2011
Likes bugs, but also likes making things more secure
3. AGENDA
What is Microsoft Vulnerability Research?
The MSVR Process
How it works
And how things can go wrong
4. AGENDA
Case Studies
Libavcodec
Comodo GeekBuddy
VMware Player
Blackberry “Print To Go”
Lessons Learned
5. WHAT WE’RE NOT COVERING
How Microsoft handles vulnerabilities in 3rd party software distributed with our products
Any information about MSVR bugs in the queue for public release
The ethics of disclosure or debating which philosophy is the greatest
7. ORIGINS
MSVR started in 2008
Founded by Katie Moussouris
Announced at the BlackHat conference
8. ORIGINS
MSRC cases and internal finds were affecting many other vendors
We needed a way to coordinate with vendors across the industry in order to ensure fixes for these bugs materialize
9. MSVR ISN'T
MSRC
Microsoft Security Response Center
Handles security incidents and vulnerabilities affecting Microsoft products
Microsoft Bounty Programs
Cash for defensive ideas and IE11 Preview bugs
10. MSVR ISN'T
HackerOne
Hosts of the Internet Bug Bounty program
“Rewards friendly hackers who contribute to a more secure internet”
Sponsored by both Microsoft and Facebook
11. MSVR IS…
A program to help Microsoft employees report security vulnerabilities to third party software vendors
Provide assistance to finders
People to answer questions and ping the vendor
Security contact database
The resources to find contacts if no public ones exist
12. MSVR IS…
Objectives
Prevent miscommunication
Keep all parties informed
Provide transparency for both sides
13. MSVR ADVISORIES
Dedicated Microsoft webspace to display and archive vulnerability and fix information
http://technet.microsoft.com/en-us/security/msvr
Each advisory credits the researcher for the find
Unless you want to be anonymous, of course
14. WHY THE FOCUS ON THIRD PARTY
Windows runs lots of third-party code. That code becomes attack surface for Microsoft users.
Adobe Reader and Oracle Java account for the majority of exploits used to compromise PCs
Not just PC software
Routers in our datacenters
Firmware in our devices
Apps in our software stores
Reference: http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA92F33C/Microsoft_Security_Intelligence_Report_Volume_15_English.pdf
15. WHY THE FOCUS ON THIRD PARTY
Often the vulnerabilities affect Microsoft too
Protocol flaws
DNS
SSL
Common coding and design flaws
16. SECURINGTHE ECOSYSTEM
Here’s a short list of vendors we’ve worked with at MSVR
Adobe, AOL, Apple, Blackberry, CA, Cisco, Citibank, Comodo, Fidelity, Google,
Hex-Rays, HP, IBM, Intel, Intuit, Lenovo, Mozilla, Nullsoft, Nvidia, OpenOffice,
Opera, Oracle, PGP, RealNetworks, SAP, Symantec, VMware, Wireshark,
WordPress, Yahoo!
….as well as many, many more
17. GOALS
Ensure that Microsoft works with others the same way we’d like them to work with us
Coordinated vulnerability disclosure so that Microsoft employees do not drop 0-days
Reproducible and interesting bugs
Good repro and explanation
Reference: http://blogs.technet.com/b/msrc/archive/2011/04/19/coordinated-vulnerability-disclosure-from-philosophy-to-practice.aspx
18. GOALS
Help Microsoft finders out
Make sure bugs get fixed
Release advisories
Help secure the Microsoft ecosystem
Build relationships with other vendors
19. WHO ARE FINDERS?
Individual Microsoft employees who find security bugs for various reasons
Hobby
Securing software they use
Product groups working extensively with a third party product
E.g. Office finding Adobe Reader bugs when testing Word’s Save as PDF function
Often many bugs are discovered at once, or a stream of bugs is generated on an ongoing basis
Product groups hitting one-off bugs
It is not uncommon to hit a bug in a third-party component while just testing functionality
20. WHICH VULNERABILITIES ARE ELIGIBLE?
Found by a Microsoft employee
Whether found on own time or otherwise, using company resources or not
Critical and Important on SDL Bug Bar
Remote code execution, server DoS, XSS, SQLi, MITM, a few others
Affects a product on a Microsoft platform or used in a Microsoft datacenter
E.g. iPhone apps are not eligible
These aren’t hard rules – designed to ensure high ROI
21. MSVR REQUIREMENTS
I am not a lawyer, so this is a paraphrase of the actual policy
Microsoft employees must use CVD under all circumstances
CVD: Coordinated Vulnerability Disclosure (the new one, not “responsible disclosure”)
= no 0-days per Microsoft’s policy
Employees must notify MSVR of all vulnerabilities they report
Exception: existing working/support/partnership relationships can continue
Using MSVR to manage the process is optional for bugs found on personal time
22. MSVR REQUIREMENTS
Third-party bugs found outside company time and not using company assets may be reported through a vuln broker using CVD
The employee can keep the money
This includes bug bounties too
25. STEP 1 MISFIRE: CLASSIC 0-DAY
<insert any Windows 0-day full disclosure post from the last 20 years here>
26. STEP 2: ENSURE QUALITY
MSVR ensures that all required elements are present:
Qualifying bug details
Proof of concept file or solid repro steps
Description of issue, including affected products and versions, severity, etc.
Stack trace
Ideas for workarounds or code fixes
We’ll go back-and-forth with finders until it meets quality bar
Won’t ship if it doesn’t
27. STEP 2 MISFIRE: NOT A BUG
When logging into Windows
If you have the number 8 in your login password, and
You have NumLock off and
You use the number pad when typing the number 8
You will switch focus to the username field and might accidentally type the rest of your password into the username field
28. STEP 3: CHECK FOR MICROSOFT IMPACT
Does Microsoft have code that could be similarly affected?
Does an SSL bug affect our SSL stack?
Does a browser bug affect Internet Explorer?
Etc.
If so, coordinate with third parties to align their fix schedule with ours
29. STEP 3 MISFIRE: WE 0-DAY OURSELVES
Microsoft researchers: Online ad networks’ payment processing can be theoretically exploited for fraud!
Just like Bing’s
Researchers: “We thought it would be okay because we didn’t mention Bing”
30. STEP 4: REPORT VULNERABILITY
Find the vendor’s security contact point (email, web form, etc.) if we don’t already have it
If they don’t have one, we try harder
Tell them we have a vulnerability to report and request PGP or S/MIME key
Perhaps explain to them what PGP is…
Encrypt and send details
31. STEP 4 MISFIRE: SALES PURGATORY
Vendor: What’s your customer ID?
Microsoft: We don’t have a customer ID, we found a security problem with your website.
Vendor: Oh, well with no customer ID we can’t help you. Would you like to buy our product?
Microsoft: We don’t want help or to buy your product. We’re trying to help you.
Vendor: Thank you for contacting Vendor. Your email is very important to us.
32. STEP 5: MONITOR
Follow up with company and internal finder to track their fix through release
Resolve questions about repro and severity
Vendor may send a private, fixed version for the finder to confirm the bug is fixed
Keep all parties up to date with plans for updates, blog posts, conference presentations, etc.
33. STEP 5 MISFIRE: SURPRISE!
Oh, that bug? We patched that six months ago.
34. STEP 6: SHIP UPDATE
Vendor releases update
Implore them to credit our researcher
If they “forget”, we’ll ping them and recommend it again
35. STEP 6 MISFIRE: NO CREDIT
Vendor: Here’s the fix! <no credit to finder>
Finder: Hey!
36. STEP 7: MSVR ADVISORY
Released when we think a bug particularly merits Microsoft customers’ attention
Optional
Not all vulnerabilities get advisories
Released with or (typically) after the vendor releases a patch
In case of active attacks, we could release one proactively, but we have yet to do so
Purpose is to notify our customers of the patch and remind them to install it
Finder always has the option to release their own advisory in coordination with MSVR once the vendor has patched
38. STEP 7B: MSVR CREDITS
When we don’t do a full advisory, still provide internal finders credit
40. CASE STUDY: LIBAVCODEC
MSVR12-017
Vulnerabilities in FFmpeg Libavcodec Could Allow Arbitrary Code Execution
Fuzzing VLC with WMA files... Boom
But it’s obviously easier to find a crash than to figure out what caused it
Reference: http://technet.microsoft.com/en-us/security/msvr/msvr12-017
41. CASE STUDY: LIBAVCODEC
!exploitable says a WriteAV at libavcodec_plugin.dll
Looks like this isn’t a bug in VLC, but in the included A/V codec
Let’s diff to see what the fuzzer changed in the template to make our repro file!
43. CASE STUDY: LIBAVCODEC
We can see that the 0x0001 was changed to 0x0007
But what is that word value anyways?
And how do I already know it’s a word?
44. CASE STUDY: LIBAVCODEC
Meet OffVis
“The Microsoft Office Visualization Tool (OffVis) allows IT professionals, security researchers and malware protection vendors to better understand the Microsoft Office binary file format in order to deconstruct .doc-, .xls- and .ppt-based targeted attacks”
Free public version available on the Microsoft download website
But it’s not actually specifically for Office documents. OffVis uses GUT templates, which are the same concept as 010 Editor binary templates: describing file formats in order to parse and edit such files smarter.
Reference: http://www.microsoft.com/en-us/download/details.aspx?id=2096
46. CASE STUDY: LIBAVCODEC
So we know a few more things now!
ASF is the container format for WMA files
A quick search for “Number of Channels” in the ASF specification tells us
It’s a 16-bit value
It’s a member of the WAVEFORMATEX structure
It’s the “number of audio channels” for this content
Manual testing shows that changing the value to anything from 0x0003 to 0x0008 causes a crash
Also noteworthy, changing it to 0x0009 results in VLC displaying an error dialog about how VLC does not support the WMA2 file format
Reference: http://msdn.microsoft.com/en-us/library/bb643323.aspx
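A way to automate the triage steps walked through above (diffing the template against the fuzzer's repro file, attributing the changed bytes to a WAVEFORMATEX field and decoding the old and new values), together with the kind of decoder-side guard a fix for this class of bug adds. This is added example code, not the talk's or FFmpeg's; the 16-byte prefix standing in for the ASF header, the format tag and the supported channel set {1, 2} are constructed assumptions.

```python
import struct

# WAVEFORMATEX as documented by Microsoft: seven little-endian fields, 18 bytes in all.
WAVEFORMATEX = struct.Struct("<HHIIHHH")
WAVEFORMATEX_FIELDS = (          # (name, byte offset within the struct, size)
    ("wFormatTag", 0, 2),
    ("nChannels", 2, 2),
    ("nSamplesPerSec", 4, 4),
    ("nAvgBytesPerSec", 8, 4),
    ("nBlockAlign", 12, 2),
    ("wBitsPerSample", 14, 2),
    ("cbSize", 16, 2),
)

# Channel counts the decoder is assumed to handle (assumption for this example: the talk
# reports crashes for 0x0003-0x0008 and a "not supported" dialog for 0x0009).
SUPPORTED_CHANNELS = {1, 2}


def build_waveformatex(channels, format_tag=0x0161, sample_rate=44100,
                       bits_per_sample=16, block_align=2048):
    """Serialize a WAVEFORMATEX header; all parameter defaults are constructed sample values."""
    avg_bytes = sample_rate * channels * bits_per_sample // 8
    return WAVEFORMATEX.pack(format_tag, channels, sample_rate, avg_bytes,
                             block_align, bits_per_sample, 0)


def set_channels(data, struct_base, channels):
    """Overwrite only the nChannels word, reproducing the single-field mutation the fuzzer made."""
    buf = bytearray(data)
    struct.pack_into("<H", buf, struct_base + 2, channels)
    return bytes(buf)


def byte_diff(original, mutated):
    """Return [(offset, old_byte, new_byte)] for every byte that differs between the two files."""
    if len(original) != len(mutated):
        raise ValueError("only same-length mutations are handled here")
    return [(i, o, m) for i, (o, m) in enumerate(zip(original, mutated)) if o != m]


def locate_field(file_offset, struct_base):
    """Map a file offset to the WAVEFORMATEX field that contains it, or None if outside the struct."""
    rel = file_offset - struct_base
    for name, start, size in WAVEFORMATEX_FIELDS:
        if start <= rel < start + size:
            return name
    return None


def triage(original, mutated, struct_base):
    """Attribute each changed byte to a header field and decode the old and new field values."""
    names = [f[0] for f in WAVEFORMATEX_FIELDS]
    old = WAVEFORMATEX.unpack_from(original, struct_base)
    new = WAVEFORMATEX.unpack_from(mutated, struct_base)
    hits = {}
    for offset, _, _ in byte_diff(original, mutated):
        name = locate_field(offset, struct_base)
        if name is not None and name not in hits:
            idx = names.index(name)
            hits[name] = {"offset": offset, "old": old[idx], "new": new[idx]}
    return hits


def channels_supported(header):
    """Decoder-side guard: refuse a header whose channel count the codec cannot handle."""
    channels = WAVEFORMATEX.unpack_from(header, 0)[1]
    return channels in SUPPORTED_CHANNELS


# Constructed stand-in for the bytes that precede WAVEFORMATEX inside the ASF stream
# properties object; a real ASF header is far larger, only the offset matters here.
PREFIX = b"\x00" * 16
STRUCT_BASE = len(PREFIX)
ORIGINAL = PREFIX + build_waveformatex(1) + b"\xAA" * 8      # template: 1 channel
MUTATED = set_channels(ORIGINAL, STRUCT_BASE, 7)              # repro: 0x0001 -> 0x0007

if __name__ == "__main__":
    for name, info in triage(ORIGINAL, MUTATED, STRUCT_BASE).items():
        print(f"{name} at file offset {info['offset']}: "
              f"0x{info['old']:04x} -> 0x{info['new']:04x}")
    for label, data in (("template", ORIGINAL), ("repro", MUTATED)):
        hdr = data[STRUCT_BASE:STRUCT_BASE + WAVEFORMATEX.size]
        print(f"{label}: channel count accepted = {channels_supported(hdr)}")
```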
47. CASE STUDY: LIBAVCODEC
Now take a look at the couple of instructions before the crash
pop ebx
call dword ptr [ebx+30h]
Anyone else smiling?
For those not immediately enlightened, this is very promising for exploitation
As long as we have some kind of influence or control over the ebx register
And there’s a pop before the call.. well, the stack is our friend
48. CASE STUDY: LIBAVCODEC
We’ve got our original and repro files and a quick write-up, ready to share with msvr@microsoft.com
They packaged up the deliverables and sent them off to the vendor
Handled coordination
Status updates
Questions from the vendor
49. CASE STUDY: LIBAVCODEC
The vulnerability was patched in May 2012 and the advisory was released a few months later
51. CASE STUDY: COMODO GEEKBUDDY
CVE-2014-7872
Comodo GeekBuddy Privilege Escalation
What is GeekBuddy and how does it work?
52. CASE STUDY: COMODO GEEKBUDDY
Noticed GeekBuddyRSP.exe was listening on two familiar ports
5800, 5901 (VNC)
VNC server to tunnel technical support remoting makes sense
53. CASE STUDY: COMODO GEEKBUDDY
Let’s try to connect using a VNC client and see what happens
55. CASE STUDY: COMODO GEEKBUDDY
The attack goes as follows
Admin logs in
User (or guest) logs in and uses a VNC client to connect to localhost
User assumes the Administrator’s VNC session, since no server password is set
A couple of significant caveats
OS must support more than one simultaneous login, e.g. Windows Server
GeekBuddy is known to be bundled with the following products
Comodo Anti-Virus, Comodo Firewall, Comodo Internet Security
But they only install on Windows Client
Comodo might have bundled GeekBuddy in some enterprise packages
56. CASE STUDY: COMODO GEEKBUDDY
What other vectors of exploitation can you think of?
Client-side CSRF-like attack
Host a modified Java VNC client on a webserver
GeekBuddy target browses to webpage with embedded VNC client
VNC client connects to localhost and does interesting things with the target’s session
Comodo released a fixed version October, 2014
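The configuration the case study hinges on is a VNC server that lets a client in with no password, which in protocol terms means the server offers security type 1 ("None"). The following is added example code, not Comodo's or the talk's: it parses the RFB 3.x security handshake as specified in RFC 6143 so a defender can check what a loopback listener such as the one on 5901 actually offers; the handshake bytes used in the main block are constructed.

```python
import socket
import struct

# Security types from RFC 6143 section 7.1.2 plus the commonly registered extensions.
SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2",
                       6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}
RFB_VERSION_LEN = 12


def parse_version(banner):
    """Parse the 12-byte ProtocolVersion message ('RFB 003.008\\n') into (major, minor)."""
    if (len(banner) != RFB_VERSION_LEN or not banner.startswith(b"RFB ")
            or banner[-1:] != b"\n"):
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def parse_security_types(version, payload):
    """Return the security types the server offers right after the version exchange."""
    if version < (3, 7):
        # RFB 3.3: the server chooses a single type and sends it as a big-endian U32.
        (chosen,) = struct.unpack(">I", payload[:4])
        return [chosen]
    count = payload[0]
    if count == 0:
        # Zero types means the server is refusing the connection; a reason string follows.
        (reason_len,) = struct.unpack(">I", payload[1:5])
        reason = payload[5:5 + reason_len].decode("latin-1", "replace")
        raise ValueError("server refused the connection: " + reason)
    return list(payload[1:1 + count])


def offers_no_auth(version, payload):
    """True when the server would admit a client with security type 1 ('None')."""
    return 1 in parse_security_types(version, payload)


def describe(types):
    """Human-readable names for a list of security type numbers."""
    return [SECURITY_TYPE_NAMES.get(t, f"type {t}") for t in types]


def audit_loopback_listener(port, timeout=2.0):
    """Probe a listener on 127.0.0.1 and report the security types it offers (not run by the test)."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as sock:
        banner = sock.recv(RFB_VERSION_LEN)
        version = parse_version(banner)
        # Reply with the same version; 3.3, 3.7 and 3.8 servers all accept an echo of their banner.
        sock.sendall(banner)
        payload = sock.recv(256)
    types = parse_security_types(version, payload)
    return {"version": version, "types": describe(types), "no_auth": 1 in types}


if __name__ == "__main__":
    # Constructed handshake of a 3.8 server offering both 'None' and 'VNC Authentication'.
    sample_version = parse_version(b"RFB 003.008\n")
    sample_payload = b"\x02\x01\x02"
    print(describe(parse_security_types(sample_version, sample_payload)),
          "no_auth =", offers_no_auth(sample_version, sample_payload))
```

A server that only offers "VNC Authentication" (or a stronger type) would make the localhost session takeover described above fail at the handshake.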
58. CASE STUDY: VMWARE
Step 2: What is OVF?
Open Virtual Machine Format
“an open, secure, portable, efficient and extensible format for the packing and distribution of (collections of) virtual machines”
Reference: http://www.vmware.com/pdf/ovf_whitepaper_specification.pdf
59. CASE STUDY: VMWARE
TL;DR: it’s an XML-based file format for describing virtual machine data
And since XML implies describing and consuming untrusted data... probably a worthy target
60. CASE STUDY: VMWARE
Step 3: How does VMware load OVF files?
Upon loading an OVF file, it executes ovftool.exe
Nearly the same as having the OVF parsing code in VMware Player
65. CASE STUDY: BLACKBERRY PTG
Submitted as “Blackberry Print To Go Auth Bypass”
But what can we gain from this bug?
What is Blackberry PTG?
Allows you to “print” documents from your computer to your BlackBerry Playbook tablet
E.g. install the software on your PC and you can send anything you can print as a PDF to your Playbook
67. CASE STUDY: BLACKBERRY PTG
In order to send documents to the Playbook, the user must do the following
Log into the service using your BlackBerry ID (user/pass)
Encrypt the documents using a password generated from the PTG app on the Playbook
Find the device using its PIN
We can bypass this locally
Therefore we won’t need to log in to Blackberry to perhaps “print” documents to a device
69. CASE STUDY: BLACKBERRY PTG
There’s something listening on port 1234.. interesting
With the BB login dialog open, start a web browser and simply point it to this URL
http://localhost:1234/myserverlet/
The login dialog will immediately continue to the next page
Therefore bypassing authentication
70. CASE STUDY: BLACKBERRY PTG
Theory
The login procedure checks if it receives data on listening port 1234, not the data’s validity (at least not well enough)
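The theory above modelled in code, a loopback listener that treats any request as a completed login, beside the hardened form of the same callback: a single-use random state value issued when the dialog opens, compared in constant time, so that a bare browser visit or a replayed callback is refused. This is added example code, not Print To Go's; only the /myserverlet/ path comes from the talk, the state and token query parameters are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/myserverlet/"   # path from the talk; the query parameters below are assumptions


class PendingLogin:
    """One login attempt: a random single-use state value issued when the dialog opens."""

    def __init__(self):
        self.expected_state = secrets.token_urlsafe(32)
        self.completed = False


def _parse_request_line(request_line):
    """Split b'GET /path?query HTTP/1.1' into (method, path, query dict); None if malformed."""
    try:
        method, target, _version = request_line.decode("ascii").split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query)


def vulnerable_accept(request_line):
    """The theorized behaviour: any request that reaches the callback path counts as a login."""
    parsed = _parse_request_line(request_line)
    return parsed is not None and parsed[1] == CALLBACK_PATH


def hardened_accept(pending, request_line):
    """Hardened form: accept only a fresh callback carrying the expected state; return its token."""
    parsed = _parse_request_line(request_line)
    if parsed is None or pending.completed:
        return None
    method, path, query = parsed
    if method != "GET" or path != CALLBACK_PATH:
        return None
    state = query.get("state", [""])[0].encode("utf-8")
    token = query.get("token", [""])[0]
    # Constant-time comparison; a wrong or missing state is rejected before the token is used.
    if not hmac.compare_digest(state, pending.expected_state.encode("ascii")):
        return None
    if not token:
        return None
    pending.completed = True          # single use: a replayed callback is refused
    return token                      # the caller still validates this with the identity service


if __name__ == "__main__":
    bare_visit = b"GET /myserverlet/ HTTP/1.1"      # what a browser pointed at the URL sends
    pending = PendingLogin()
    print("vulnerable accepts bare browser visit:", vulnerable_accept(bare_visit))
    print("hardened accepts bare browser visit:", hardened_accept(pending, bare_visit))
    good = f"GET {CALLBACK_PATH}?state={pending.expected_state}&token=t-123 HTTP/1.1".encode()
    print("hardened accepts genuine callback:", hardened_accept(pending, good))
    print("hardened accepts replay:", hardened_accept(pending, good))
```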
74. CASE STUDY: BLACKBERRY PTG
So what could one gain from bypassing this login page?
There wasn’t a Playbook tablet to completely test the exploit scenarios
We handed the report to BlackBerry security with our ideas so they could test internally
BB concluded that while this was undesirable behavior, it wasn’t a security issue
“Printing does not succeed as the Connector does not have the BlackBerry ID account info and token needed for printing”
Without a Playbook on hand, it was tough to test this remaining step
We didn’t know if it would succeed or not with a real device connected
Better to submit anyways so they could confirm with us
75. LESSONS LEARNED
Vendors range greatly in their capacity
Which is not necessarily correlated with size
Some small development teams are very responsive, others are not
Some big companies have effective and established procedures, others mire you in bureaucracy
76. LESSONS LEARNED
Setting limits is important
Pen-testing the web and dumping hundreds of bugs on us, mostly for relatively unimportant sites, doesn’t scale well
Finders may report low-severity bugs that they think are very serious
Employees like this program!
77. WHY YOU SHOULD RUN YOUR OWN MSVR
Give employees a standard, end-to-end process for getting security bugs fixed
Inter-company bug reporting can be more coordinated and efficient
Relatively cheap to run, with high ROI
Boost employee morale
Secure the ecosystem, as your product likely depends on *something*
E.g. the HackerOne bug bounty program has a bounty for “The Internet”
78. WHAT WE'D LIKE TO SEE WHEN REPORTING VULNERABILITIES
Clearly identified point of contact
Public encryption key (PGP or S/MIME)
Direct line to a real person who understands security
Don't turn us away because we don't have a support contract!
79. WHAT WE'D LIKE TO SEE WHEN REPORTING VULNERABILITIES
Clear communication
Acknowledgment receipt of the initial email
Repro, including affected platforms
Update release dates, including any delays
How we will be credited (ask us for our preference!)
Closure
Variant investigation
Relatively prompt fixes