Microsoft patches little sister but forgets big brother
powerofcommunity.net/poc2009/moti.pdf
Slide 2
Who Am I?
Independent security researcher (previously worked at Websense Security Labs, Checkpoint)
Hunting for vulnerabilities
Reverse engineering Microsoft patches
Writing plug-ins for IDA and OllyDbg
Mobile developer (iPhone, BlackBerry)
Founder of the Gamepe project, www.gamepe.com
Multi-IM software for PC games
Slide 3
Agenda
Microsoft patches little sister but forgets big brother
In the next hour, we will cover:
Introduce past zero-day exploits
Discuss how software vulnerabilities are found
How a programmer's bug is a hacker's treasure
Why attackers hunt for zero-days
Microsoft silently fixed vulnerabilities
Hunting zero-days the easy way: DIFFING!
NOTE: this is a talk from a hacker's perspective.
Slide 4
A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit computer software vulnerabilities which are unknown to others, undisclosed to the software vendor, or without an available security fix.
Slide 5
by Stefan Frei
Slide 6
0day 2007
Windows URI Protocol Handling (Date Disclosed: 7/25/2007)
MSN Messenger Video Conversation Heap Overflow (Date Disclosed: 1/31/2007)
Microsoft DNS RPC Buffer Overflow (Date Disclosed: 4/7/2007)
Windows .ANI Processing (Date Disclosed: 3/28/2007)
Word Unspecified Exploit (3) (Date Disclosed: 1/25/2007)
Slide 7
0day 2008
Microsoft Internet Explorer XML Processing (Date Disclosed: 11/15/2008)
Microsoft Word XP/2002 SP3 Exploit (Date Disclosed: 7/8/2008)
Microsoft Access Snapshot Viewer ActiveX (Date Disclosed: 7/7/2008)
Microsoft Vulnerability in Server Service (Date Disclosed: 10/15/2008)
Slide 8
0day 2009
Excel Invalid Object
Microsoft Server Message Block (SMB)
Microsoft Internet Information Services (IIS)
Microsoft Windows ActiveX Controls ATL "OleLoadFromStream()" Vulnerability
Slide 9
Who hunts vulnerabilities?
Security companies (eEye, NGIS, ISS, NSFOCUS, Secunia)
Independent researchers/hackers (grey, black, white hat)
Vendors
Slide 10
Who uses 0days?
Intelligence departments
Hackers
Pen-testers
Worm exploits
Slide 11
Who is the target?
Military
Business
You? Me? Everybody.
Slide 12
Why hunt 0-day?
Slide 13
They will buy it?
Slide 14
But some will never sell !
Slide 15
How to hunt 0day
Source code audit
Binary Audit
Fuzzing
Surfing
Slide 16
Surfing the Web for a zero-day?
A forum member by the name of "Caveman" posted this
code on a gaming forum. He claimed that he succeeded
in "crashing" someone's computer with the posted script.
Slide 17
OWNED!
Slide 18
Just a DoS? 2006-09-19
Slide 19
The day after! 2006-09-20
Slide 20
Let's go hunting
Slide 21
Let's go hunting: Binary Audit
Slide 22
DIFFING FOR 0DAY! Microsoft patches little sister but forgets big brother
vs
Slide 23
BINARY DIFFING SUITE
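The slides name a binary diffing suite but the transcript carries no detail about it, so the following is an added illustration of what function-level diffing does, not the tool used in the talk. It compares two constructed listings (one line per function, "Name: mnemonic mnemonic ...", standing in for disassembly exported from two builds of the same module, for example the Vista and XP copies the talk compares), fingerprints each function body with FNV-1a, and reports which functions changed. The function names and instruction sequences are invented for this example; real diffing tools normalise operands, match renamed functions and score similarity, none of which is done here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample listings for the two builds being compared.
 * Every name and mnemonic sequence below is invented for this example. */
static const char *OLD_LISTING[] = {
    "CopyName: push mov lea push call strcpy add pop ret",
    "ParseHeader: push mov add mov call malloc pop ret",
    "Unchanged: push mov add pop ret",
};
static const char *NEW_LISTING[] = {
    "CopyName: push mov lea push push call StringCchCopyA test jnz pop ret",
    "ParseHeader: push mov push call ULongAdd test jnz mov call malloc pop ret",
    "Unchanged: push mov add pop ret",
};
#define N_OLD (sizeof OLD_LISTING / sizeof OLD_LISTING[0])
#define N_NEW (sizeof NEW_LISTING / sizeof NEW_LISTING[0])

/* 64-bit FNV-1a over the instruction text: a cheap fingerprint of a function body. */
static uint64_t fnv1a(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* Split "Name: body" into the name (copied to name_out) and a pointer to the body.
 * Returns NULL when the line has no colon. */
static const char *split_line(const char *line, char *name_out, size_t name_sz)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return NULL;
    size_t n = (size_t)(colon - line);
    if (n >= name_sz)
        n = name_sz - 1;
    memcpy(name_out, line, n);
    name_out[n] = '\0';
    const char *body = colon + 1;
    while (*body == ' ')
        body++;
    return body;
}

/* Find a function by name in a listing; returns its body or NULL. */
static const char *find_body(const char *name, const char **listing, size_t n)
{
    char other[64];
    for (size_t i = 0; i < n; i++) {
        const char *body = split_line(listing[i], other, sizeof other);
        if (body != NULL && strcmp(name, other) == 0)
            return body;
    }
    return NULL;
}

enum diff_state { DIFF_UNCHANGED, DIFF_CHANGED, DIFF_MISSING };

/* Classify every function of the old listing against the new one; writes one
 * state per old entry into states[] and returns how many bodies changed. */
size_t diff_listings(const char **old_l, size_t n_old,
                     const char **new_l, size_t n_new, enum diff_state *states)
{
    size_t changed = 0;
    for (size_t i = 0; i < n_old; i++) {
        char name[64];
        const char *old_body = split_line(old_l[i], name, sizeof name);
        const char *new_body = old_body ? find_body(name, new_l, n_new) : NULL;
        if (old_body == NULL || new_body == NULL) {
            states[i] = DIFF_MISSING;
        } else if (fnv1a(old_body) != fnv1a(new_body)) {
            states[i] = DIFF_CHANGED;
            changed++;
        } else {
            states[i] = DIFF_UNCHANGED;
        }
    }
    return changed;
}

/* Wrappers over the constructed samples. */
size_t sample_changed_count(void)
{
    enum diff_state states[N_OLD];
    return diff_listings(OLD_LISTING, N_OLD, NEW_LISTING, N_NEW, states);
}

enum diff_state sample_state(const char *name)
{
    enum diff_state states[N_OLD];
    diff_listings(OLD_LISTING, N_OLD, NEW_LISTING, N_NEW, states);
    for (size_t i = 0; i < N_OLD; i++) {
        char other[64];
        if (split_line(OLD_LISTING[i], other, sizeof other) && strcmp(name, other) == 0)
            return states[i];
    }
    return DIFF_MISSING;
}

int main(void)
{
    static const char *label[] = { "unchanged", "CHANGED", "missing" };
    enum diff_state states[N_OLD];
    size_t changed = diff_listings(OLD_LISTING, N_OLD, NEW_LISTING, N_NEW, states);
    for (size_t i = 0; i < N_OLD; i++) {
        char name[64];
        split_line(OLD_LISTING[i], name, sizeof name);
        printf("%-12s %s\n", name, label[states[i]]);
    }
    printf("%zu function(s) changed: these are the candidates to inspect first.\n", changed);
    return 0;
}
```

In the sample, CopyName and ParseHeader are flagged because the new build routes through StringCchCopyA and ULongAdd, which is exactly the "safe API" signal the next slides look for; Unchanged hashes identically and is skipped.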
Slide 24
Slide 25
Safe API
Slide 26
Example #1 Fully Patched Vista
Safe “strcpy”
Slide 27
Example #1 Fully Patched XP
Slide 28
Example #2 Fully Patched VISTA
Boundary Check for string length >16 bytes
Slide 29
Example #2 Fully Patched XP
No Boundary Check for string length >16 bytes
Slide 30
Example #3 Fully Patched VISTA
Boundary Check for length >0x4C4B40 bytes
Slide 31
Example #3 Fully Patched XP
No Boundary Check for length >0x4C4B40 bytes
Slide 32
Example #4 Fully Patched Vista
Boundary check for INT overflow via the ULongAdd API
Slide 33
Example #4 Fully Patched XP
No ULongAdd API call
Slide 34
Example #5 Fully Patched Vista
A safe check for the DIB size
Slide 35
Example #5 Fully Patched XP
Unsafe DIB size calculation
Slide 36
Example #6 Fully Patched Vista
Slide 37
Example #6 Fully Patched XP
INT OVERFLOW
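The Vista-side checks that Examples #1 through #6 contrast with their XP counterparts (a safe string copy, a length bound, an overflow-checked add via ULongAdd, a safe DIB size computation) appear on the slides only as disassembly screenshots that this transcript does not reproduce. The C below is an added example, not code from the talk or from Windows: it mirrors the semantics of the intsafe.h ULongAdd/ULongMult functions with a plain int return instead of an HRESULT (a simplification assumed here), uses the 0x4C4B40 bound from Example #3 as an illustrative cap, and places an unchecked XP-style DIB size calculation beside the checked one so the 32-bit wraparound is visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative upper bound on an input length, taken from the 0x4C4B40
 * (5,000,000) constant in the slide's Example #3. */
#define MAX_INPUT_LEN 0x4C4B40u

/* Overflow-checked 32-bit add in the spirit of intsafe.h ULongAdd (Example #4).
 * Returns 0 and stores the sum, or -1 if it would wrap. The real API returns
 * an HRESULT; the int result is a simplification for this example. */
int ulong_add(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return -1;
    *out = a + b;
    return 0;
}

/* Overflow-checked 32-bit multiply, same convention (cf. ULongMult). */
int ulong_mult(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t wide = (uint64_t)a * b;
    if (wide > UINT32_MAX)
        return -1;
    *out = (uint32_t)wide;
    return 0;
}

/* Examples #1/#2: copy into a fixed buffer only when the string and its NUL
 * terminator fit, so a 16-byte destination rejects 16 or more characters.
 * This is the length check a safe strcpy replacement performs.
 * Returns 0 on success, -1 when the input is rejected. */
int copy_name_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size || len > MAX_INPUT_LEN)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Examples #5/#6, XP side: the DIB byte count is computed in 32-bit arithmetic
 * with no overflow check. For large dimensions the product wraps and the
 * result is far smaller than the pixel data actually needs. */
uint32_t dib_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp / 8;
}

/* Example #5, Vista side: every step is overflow-checked, rows are padded to a
 * 4-byte boundary as the DIB format requires, and the total is capped.
 * Returns 0 and stores the size, or -1 if any step would overflow. */
int dib_size_checked(uint32_t width, uint32_t height, uint32_t bpp, uint32_t *out)
{
    uint32_t bits, padded, row, total;
    if (ulong_mult(width, bpp, &bits) != 0)
        return -1;
    if (ulong_add(bits, 31, &padded) != 0)
        return -1;
    row = (padded / 32) * 4;   /* bytes per row, rounded up to 4-byte alignment */
    if (ulong_mult(row, height, &total) != 0)
        return -1;
    if (total > MAX_INPUT_LEN)
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    char name[16];
    uint32_t size;
    printf("copy 'short'             -> %d\n", copy_name_checked(name, sizeof name, "short"));
    printf("copy 16 chars            -> %d\n", copy_name_checked(name, sizeof name, "0123456789abcdef"));
    printf("unchecked 65536x65536x32 -> %u bytes\n", dib_size_unchecked(0x10000u, 0x10000u, 32u));
    printf("checked   65536x65536x32 -> %d\n", dib_size_checked(0x10000u, 0x10000u, 32u, &size));
    if (dib_size_checked(100u, 100u, 24u, &size) == 0)
        printf("checked   100x100x24     -> %u bytes\n", size);
    return 0;
}
```

The unchecked variant returns 0 bytes for a 65536x65536 32-bit image because width*height wraps to zero in 32 bits, which is the integer overflow of Example #6; the checked variant rejects the same input at the row-times-height multiply, and for a plausible 100x100 24-bit image it yields the expected 30000 bytes.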
Slide 38
Example #7 Fully Patched Vista
A check for valid path
Slide 39
Example #7 Fully Patched XP
Slide 40
A day in the life of a hacker
Diffing for 0day [LIVE DEMO]
VS