First of all
I'm sorry for my English...
WHOAMI
many people know me from this image
WHOAMI_2
Markov Pavel:
Found a zero-day in Windows (arbitrary code
execution by manipulating folder settings)
Just a developer
Agievich Igor:
Found vulnerabilities in Outpost Security Suite
(2012), VirtualBox (2011), vBulletin (2005-2006)
Not even a developer :)
Actually, we are trying to create a
fuzzer...
Yet another bicycle?
Our goals
We want to fuzz the file types used by our company.
But actually any file type can be fuzzed with our
fuzzer, depending on how much you know about the
specific file format (that's how we found a
bug in Yandex Browser).
Our own fuzzing: how does it work?
It's client-server based software.
Basically it consists of:
- Generator (one or more)
- Clients for testing the generated samples (one or more). At the
  moment of development they could only detect exceptions.
  Using IDebugClient with a Python wrapper (allows faster
  development than using the Debug API directly).
In addition we found out:
- This approach also helps to find shellcode in electronic
  documents
Our own fuzzing: how does it work?
Let's use a new source for testing
our fuzzing
We tried using a real file from a received
email and we found... Exceptions! It was
CVE-2012-0158 (.rtf)
Then we uploaded this file to Virtest, which returned:
We need to go deeper and create something
new!
Let's try to play with the exploit
Original file from the email (on the left) and the modified
file, still working (on the right)
What can shellcode do
- Has functions for download and/or execution
We can find a suspicious workflow
What counts as a suspicious workflow depends on the tested software.
For example, creation of a new process is
suspicious for:
Word 2003, Internet Explorer 6, Adobe Reader 8
Not suspicious for:
Google Chrome, Adobe Reader 11, Internet Explorer
8-9
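The client-side logic the two slides above describe (exception detection plus a per-application notion of suspicious workflow), as an added example that is not the authors' code. It assumes the Python wrapper around IDebugClient hands back a plain list of event dicts; the target names, the policy table and the event streams are constructed for the example, and the child-image allow-list extends the slide's yes/no rule so that a sandboxed viewer spawning something other than its own helper process is still flagged.

```python
from dataclasses import dataclass, field

# Real Windows exception codes as the debugger reports them.
EXCEPTION_BREAKPOINT = 0x80000003          # initial breakpoint: benign noise
EXCEPTION_ACCESS_VIOLATION = 0xC0000005
BENIGN_EXCEPTIONS = {EXCEPTION_BREAKPOINT}

# Per-target workflow policy (assumption, modelled on the slide): the child
# image names a viewer legitimately spawns while opening a document.  An
# empty set means any process creation is suspicious for that target; a
# non-empty set still flags anything outside it (e.g. cmd.exe from Chrome).
EXPECTED_CHILDREN = {
    "winword2003": set(),
    "iexplore6": set(),
    "acrord8": set(),
    "chrome": {"chrome.exe"},          # sandboxed renderer processes
    "acrord11": {"acrord32.exe"},      # Protected Mode sandbox process
    "iexplore8": {"iexplore.exe"},     # per-tab processes
    "iexplore9": {"iexplore.exe"},
}


@dataclass
class Verdict:
    sample: str
    target: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def analyze(sample: str, target: str, events: list) -> Verdict:
    """Turn the debugger event stream for one sample into a verdict.

    `events` is what the (assumed) Python wrapper around IDebugClient hands
    back: dicts with kind == "exception" (code, address, first_chance) or
    kind == "create_process" (image).
    """
    if target not in EXPECTED_CHILDREN:
        # Refuse to guess: "suspicious" only has meaning relative to a target.
        raise ValueError(f"no workflow policy for target {target!r}")
    verdict = Verdict(sample, target)
    allowed = EXPECTED_CHILDREN[target]
    for ev in events:
        if ev["kind"] == "exception":
            if ev["code"] in BENIGN_EXCEPTIONS:
                continue
            # A first-chance exception may still be handled by the viewer,
            # so the stage is recorded instead of the event being dropped.
            stage = "first-chance" if ev.get("first_chance") else "unhandled"
            verdict.findings.append(
                f"{stage} exception 0x{ev['code']:08X} at 0x{ev['address']:08X}")
        elif ev["kind"] == "create_process":
            image = ev["image"].lower()
            if image not in allowed:
                verdict.findings.append(f"unexpected child process {image}")
    return verdict


# Constructed event streams for the demo (not captured from real samples).
WORD_RTF_EVENTS = [
    {"kind": "exception", "code": EXCEPTION_BREAKPOINT,
     "address": 0x7C901230, "first_chance": True},
    {"kind": "exception", "code": EXCEPTION_ACCESS_VIOLATION,
     "address": 0x41414141, "first_chance": True},
    {"kind": "create_process", "image": "dropped.exe"},
]
CHROME_PDF_EVENTS = [
    {"kind": "create_process", "image": "chrome.exe"},
    {"kind": "create_process", "image": "chrome.exe"},
]
CHROME_ESCAPE_EVENTS = CHROME_PDF_EVENTS + [
    {"kind": "create_process", "image": "cmd.exe"},
]

if __name__ == "__main__":
    for sample, target, events in [("mail.rtf", "winword2003", WORD_RTF_EVENTS),
                                   ("ok.pdf", "chrome", CHROME_PDF_EVENTS),
                                   ("bad.pdf", "chrome", CHROME_ESCAPE_EVENTS)]:
        v = analyze(sample, target, events)
        print(sample, target, "SUSPICIOUS" if v.suspicious else "clean", v.findings)
```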
Our software in action
Full video:
http://www.youtube.com/watch?v=v3h_H5ZGIT8
And a good marksman may miss
Does Yandex know about fuzzing?
I think they do...
But we've found a new bug anyway!
Our results
We tested our program on:
- more than 20 000 *.pdf files (opened in Adobe Reader 9-11, Foxit
  Reader 3-6, Google Chrome, Yandex.Browser)
- more than 10 000 *.doc, *.docx, *.rtf files (opened in MS Word 2003,
  2007, LibreOffice 4.0)
- OS: Win XP, Win 7
We've found:
- Some APT attacks using known CVEs (CVE-2012-0158
  and others) for MS Word 2003, 2007
- A bug in Yandex.Browser (fixed in the latest version)
Any questions?
If you have any questions in English, please
wait until I am drunk and my English speaking
skills have leveled up :)
Anyway, you can contact me on the Internet
twitter: @shanker_sec

Igor Agievich, Pavel Markov. Dynamic Detection of Shellcode in Electronic Documents