SlideShare ist ein Scribd-Unternehmen logo

CVE-2012-1889: Security Update Analysis

High-Tech Bridge SA (HTBridge)
High-Tech Bridge SA (HTBridge)

CVE-2012-1889: Security Update Analysis by Brian MARIANI & Frédéric BOURLA from High-Tech Bridge. Since the 30th of May 2012 hackers were abusing the Microsoft XML core services vulnerability. The 10th of July 2012 Microsoft finally published a security advisory which fixes this issue. The present document and video explains the details about this fix. As a lab test we used a Windows XP workstation with Service Pack 3. The Internet explorer version is 6.0. Presentation page (with video): https://www.htbridge.com/publications/cve_2012_1889_security_update_analysis.html

Technologie
1 von 27
Downloaden Sie, um offline zu lesen
Your texte here …. CVE 2012-1889 Security Update Analysis 19th July 2012 Brian MARIANI &ETHICAL HACKING ORIGINAL SWISS Frédéric BOURLA ©2012 High-Tech Bridge SA – www.htbridge.com
Timeline  Your texte here June 2012 Microsoft published a The 12th of …. security advisory with a temporary fix related to the msxml core services vulnerability which is heavily exploited in the wild.  On June 18th 2012 Metasploit released a working exploit.  On June 19th 2012 a 100% reliable exploit for Internet Explorer 6/7/8/9 on Windows XP/Vista, and Windows 7 SP1 was published by metasploit.  On July 9th 2012 Microsoft finally released a security update in order to patch this vulnerability. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Some important details  Your texte here …. is the continuation of the This document previous publication: “Microsoft XML core services uninitialized memory vulnerability”.  In this new presentation we will analyze the security update released on July 9th 2012 which fixes several DLL libraries, specially the msxml3.dll one.  The lab environment is an English Windows XP SP3 workstation.  For simplicity, ASLR and DEP security options are deactivated. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Security update Your texte here …. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Files' size comparison  Your identify all files implied in the security update We texte here …. process with monitoring tools, such as Process Monitor. Actually, the file which interests us is the msxml3.dll library.  To successfully compare unpatched and patched files, we first make a copy of the unpatched library to an analysis directory.  We apply the security update and we copy again the patched DLL file into the previous directory, with a new destination file name.  After downloading and applying the security update and comparing the size of this particular file, we can notice a tiny difference of 66 bytes. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Binary Diffing  Your texte here …. is a technique for performing Binary Diffing automated binary differential analysis.  This becomes very useful for reverse engineering patches as well as program updates.  Some of the available binary diffing tools are: – Bindiff – PatchDiff – Darumgrim – Turbodiff  Here, we used Turbodiff. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Turbodiff  Your texte here …. Turbodiff was programmed by Nicolás Economou.  It was presented at the Argentinian security conference Ekoparty in 2009.  It is a heuristic based IDA Plugin aimed for binary diffing.  This tools was developed in C++.  It provides an Architecture Independent Diffing. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Turbodiff results (1)  Your texte here …. two binary files, turbodiff creates an After analyzing the ana file from the IDA idb file.  The aforementioned ana file will be used later in order to detect the suspicious and changed functions.  Later turbodiff displays its results: ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Turbodiff results (2)  Your texte herethe differences between the two files: After examining …. – 25 functions are marked as suspicious. – 72 functions are marked as changed. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Turbodiff results (3)  Your texte here …. Let’s check the changes in the DOMNode::get_definition(IXMLDOMNode) function which is the most important procedure involved in this vulnerability. before after  As we can see the instruction mov [edi], ebx was added into the get_definition function.  In order to understand this minor change let’s analyzed the whole process. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (1) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (2) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (3) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (4) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode 749d6499 msxml3!DOMNode::get_definition ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (5) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode This is the local variable value that will be retrieved later by the 749d6499 msxml3!DOMNode::get_definition _dispatch::InvokeHelper function 749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (6) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode This is the local variable value that will be retrieved later by the 749d6499 msxml3!DOMNode::get_definition _dispatch::InvokeHelper function 749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (7) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode This is the local variable value that will be retrieved later by the 749d6499 msxml3!DOMNode::get_definition _dispatch::InvokeHelper function 749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138 749d6514 mov [edi],ebx ds:0023:0013e138=0c0c0c08 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (8) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode This is the local variable value that will be retrieved later by the 749d6499 msxml3!DOMNode::get_definition _dispatch::InvokeHelper function 749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138 This instruction corresponds to the security update. The content of the edi will be initialized to zero 749d6514 mov [edi],ebx ds:0023:0013e138=0c0c0c08 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (9) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (10) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 749bd7ec cmp eax,ebx ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (11) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 749bd7ec cmp eax,ebx ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (12) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 749bd7ec cmp eax,ebx The conditional jump will be executed 749bd7f0 jz msxml3!_dispatchImpl::InvokeHelper+0xc2 (749bd818) ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Flow analysis (13) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 749bd7ec cmp eax,ebx The conditional jump will be executed 749bd7f0 jz msxml3!_dispatchImpl::InvokeHelper+0xc2 (749bd818) The call responsible to execute the payload is no more reachable due to the conditional jump 749bd80a call dword ptr [ecx+0x18] ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Conclusions  Yourwe have seen the main change in the XML security As texte here …. update for Windows XP-SP3 is the mov [edi],ebx instruction. 749d6514 891F mov [edi],ebx  This instruction sanitizes the value that will be retrieved later by the _dispatchImpl::InvokeHelper function.  If one modifies the two bytes instruction (891F) with NOP's instructions (9090) the whole security updated could be deactivate.  Apply the security update (KB2719985) as soon as you can since this vulnerability is heavily exploited in the wild nowadays. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
References  Your texte here …. http://www.microsoft.com/fr- fr/download/details.aspx?id=30290  http://support.microsoft.com/kb/2719985  http://www.openrce.org/forums/posts/82  http://corelabs.coresecurity.com/index.php?modul e=Wiki&action=attachment&type=publication&pag e=Heuristicas_aplicadas_a_la_comparacion_%28_d iffeo_%29_de_binarios&file=Economou_2009- binary_diffing.pdf ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Acknowledgments  Your texte here …. Thanks to Nicolas Economou from coresecurity for allowing us to publish the document using its utility Turbodiff :]  http://corelabs.coresecurity.com/index.php?modul e=Wiki&action=view&type=tool&name=turbodiff ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
Thanks for reading Your texte here …. Your questions are always welcome! brian.mariani@htbridge.ch frederic.bourla@htbridge.ch ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com

Empfohlen

Inline Hooking in Windows
Inline Hooking in WindowsInline Hooking in Windows
Inline Hooking in WindowsHigh-Tech Bridge SA (HTBridge)
 
Userland Hooking in Windows
Userland Hooking in WindowsUserland Hooking in Windows
Userland Hooking in WindowsHigh-Tech Bridge SA (HTBridge)
 
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksHigh-Tech Bridge SA (HTBridge)
 
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0Spying Internet Explorer 8.0
Spying Internet Explorer 8.0High-Tech Bridge SA (HTBridge)
 
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitManipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitHigh-Tech Bridge SA (HTBridge)
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsHigh-Tech Bridge SA (HTBridge)
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkHigh-Tech Bridge SA (HTBridge)
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatHigh-Tech Bridge SA (HTBridge)
 

Empfohlen

Inline Hooking in Windows
Inline Hooking in WindowsInline Hooking in Windows
Inline Hooking in WindowsHigh-Tech Bridge SA (HTBridge)
 
Userland Hooking in Windows
Userland Hooking in WindowsUserland Hooking in Windows
Userland Hooking in WindowsHigh-Tech Bridge SA (HTBridge)
 
Client-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksClient-side threats - Anatomy of Reverse Trojan attacks
Client-side threats - Anatomy of Reverse Trojan attacksHigh-Tech Bridge SA (HTBridge)
 
Spying Internet Explorer 8.0
Spying Internet Explorer 8.0Spying Internet Explorer 8.0
Spying Internet Explorer 8.0High-Tech Bridge SA (HTBridge)
 
Manipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitManipulating Memory for Fun & Profit
Manipulating Memory for Fun & ProfitHigh-Tech Bridge SA (HTBridge)
 
Defeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsDefeating Data Execution Prevention and ASLR in Windows
Defeating Data Execution Prevention and ASLR in WindowsHigh-Tech Bridge SA (HTBridge)
 
Fuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkFuzzing: An introduction to Sulley Framework
Fuzzing: An introduction to Sulley FrameworkHigh-Tech Bridge SA (HTBridge)
 
Frontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatFrontal Attacks - From basic compromise to Advanced Persistent Threat
Frontal Attacks - From basic compromise to Advanced Persistent ThreatHigh-Tech Bridge SA (HTBridge)
 
Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackHigh-Tech Bridge SA (HTBridge)
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Pp resume
Pp resumePp resume
Pp resume101390
 
rTraction_Policy Tool Presentation
rTraction_Policy Tool PresentationrTraction_Policy Tool Presentation
rTraction_Policy Tool Presentationdannykappy
 
New york
New yorkNew york
New yorkpepitogrillo23
 
Presentation media
Presentation media Presentation media
Presentation media Hannah Odonkor
 
E! Network
E! Network E! Network
E! Network newmediadlmsu
 
Discover A New Arthritis Treatment
Discover A New Arthritis TreatmentDiscover A New Arthritis Treatment
Discover A New Arthritis TreatmentDamian Kulczynski
 
triptico
tripticotriptico
tripticomarcelo112
 
Bab 5 penyimpangan dan peradilan sosial
Bab 5 penyimpangan dan peradilan sosialBab 5 penyimpangan dan peradilan sosial
Bab 5 penyimpangan dan peradilan sosialSilvester Nyawai
 
Bloody Mary
Bloody MaryBloody Mary
Bloody MaryBloodyMary2011
 
Living life Changing lives: Child Sexual Abuse
Living life Changing lives: Child Sexual AbuseLiving life Changing lives: Child Sexual Abuse
Living life Changing lives: Child Sexual AbuseBehind Closed Doors Ministries
 
Panjaa branding proposal
Panjaa branding proposalPanjaa branding proposal
Panjaa branding proposalmanojkumarvadde
 
MIME 484-Final
MIME 484-FinalMIME 484-Final
MIME 484-FinalAntoine Fournier
 
How self-tracking influences your enPironment from a different perspective - ...
How self-tracking influences your enPironment from a different perspective - ...How self-tracking influences your enPironment from a different perspective - ...
How self-tracking influences your enPironment from a different perspective - ...Ernesto Ramirez
 
Ptk
PtkPtk
Ptksawitriretnowidyaningsih
 
COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...
COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...
COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...Fundecto
 
Anastasia
AnastasiaAnastasia
Anastasiabellisimo2389756434
 
Welcome in the World Wild Web
Welcome in the World Wild WebWelcome in the World Wild Web
Welcome in the World Wild WebHigh-Tech Bridge SA (HTBridge)
 
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences ExploitationNovell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences ExploitationHigh-Tech Bridge SA (HTBridge)
 

Weitere ähnliche Inhalte

Andere mochten auch

Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackHigh-Tech Bridge SA (HTBridge)
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksHigh-Tech Bridge SA (HTBridge)
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Pp resume
Pp resumePp resume
Pp resume101390
 
rTraction_Policy Tool Presentation
rTraction_Policy Tool PresentationrTraction_Policy Tool Presentation
rTraction_Policy Tool Presentationdannykappy
 
Discover A New Arthritis Treatment
Discover A New Arthritis TreatmentDiscover A New Arthritis Treatment
Discover A New Arthritis TreatmentDamian Kulczynski
 
Bab 5 penyimpangan dan peradilan sosial
Bab 5 penyimpangan dan peradilan sosialBab 5 penyimpangan dan peradilan sosial
Bab 5 penyimpangan dan peradilan sosialSilvester Nyawai
 
Panjaa branding proposal
Panjaa branding proposalPanjaa branding proposal
Panjaa branding proposalmanojkumarvadde
 
How self-tracking influences your enPironment from a different perspective - ...
How self-tracking influences your enPironment from a different perspective - ...How self-tracking influences your enPironment from a different perspective - ...
How self-tracking influences your enPironment from a different perspective - ...Ernesto Ramirez
 
COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...
COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...
COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...Fundecto
 

Andere mochten auch (20)

Cybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attackCybercrime in nowadays businesses - A real case study of targeted attack
Cybercrime in nowadays businesses - A real case study of targeted attack
 
Become fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacksBecome fully aware of the potential dangers of ActiveX attacks
Become fully aware of the potential dangers of ActiveX attacks
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Pp resume
Pp resumePp resume
Pp resume
 
rTraction_Policy Tool Presentation
rTraction_Policy Tool PresentationrTraction_Policy Tool Presentation
rTraction_Policy Tool Presentation
 
New york
New yorkNew york
New york
 
Presentation media
Presentation media Presentation media
Presentation media
 
E! Network
E! Network E! Network
E! Network
 
Discover A New Arthritis Treatment
Discover A New Arthritis TreatmentDiscover A New Arthritis Treatment
Discover A New Arthritis Treatment
 
triptico
tripticotriptico
triptico
 
Bab 5 penyimpangan dan peradilan sosial
Bab 5 penyimpangan dan peradilan sosialBab 5 penyimpangan dan peradilan sosial
Bab 5 penyimpangan dan peradilan sosial
 
Bloody Mary
Bloody MaryBloody Mary
Bloody Mary
 
Living life Changing lives: Child Sexual Abuse
Living life Changing lives: Child Sexual AbuseLiving life Changing lives: Child Sexual Abuse
Living life Changing lives: Child Sexual Abuse
 
Panjaa branding proposal
Panjaa branding proposalPanjaa branding proposal
Panjaa branding proposal
 
MIME 484-Final
MIME 484-FinalMIME 484-Final
MIME 484-Final
 
How self-tracking influences your enPironment from a different perspective - ...
How self-tracking influences your enPironment from a different perspective - ...How self-tracking influences your enPironment from a different perspective - ...
How self-tracking influences your enPironment from a different perspective - ...
 
Ptk
PtkPtk
Ptk
 
COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...
COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...
COMPLICAÇÕES DECORRENTES DA COLOCAÇÃO DE PIERCINGS EM CAVIDADE ORAL – RELATO ...
 
Anastasia
AnastasiaAnastasia
Anastasia
 

Mehr von High-Tech Bridge SA (HTBridge)

Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences ExploitationNovell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences ExploitationHigh-Tech Bridge SA (HTBridge)
 
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)High-Tech Bridge SA (HTBridge)
 
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityHigh-Tech Bridge SA (HTBridge)
 

Mehr von High-Tech Bridge SA (HTBridge) (6)

Welcome in the World Wild Web
Welcome in the World Wild WebWelcome in the World Wild Web
Welcome in the World Wild Web
 
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences ExploitationNovell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
Novell GroupWise Multiple Untrusted Pointer Dereferences Exploitation
 
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
In-Memory Fuzzing with Java (Publication from High-Tech Bridge)
 
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerabilityCVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
CVE 2012-1889 Microsoft XML core services uninitialized memory vulnerability
 
Structured Exception Handler Exploitation
Structured Exception Handler ExploitationStructured Exception Handler Exploitation
Structured Exception Handler Exploitation
 
Fake malware and virus scanners
Fake malware and virus scannersFake malware and virus scanners
Fake malware and virus scanners
 

Kürzlich hochgeladen

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 

Kürzlich hochgeladen (20)

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 

CVE-2012-1889: Security Update Analysis

  • 1. Your texte here …. CVE 2012-1889 Security Update Analysis 19th July 2012 Brian MARIANI &ETHICAL HACKING ORIGINAL SWISS Frédéric BOURLA ©2012 High-Tech Bridge SA – www.htbridge.com
  • 2. Timeline  Your texte here June 2012 Microsoft published a The 12th of …. security advisory with a temporary fix related to the msxml core services vulnerability which is heavily exploited in the wild.  On June 18th 2012 Metasploit released a working exploit.  On June 19th 2012 a 100% reliable exploit for Internet Explorer 6/7/8/9 on Windows XP/Vista, and Windows 7 SP1 was published by metasploit.  On July 9th 2012 Microsoft finally released a security update in order to patch this vulnerability. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 3. Some important details  Your texte here …. is the continuation of the This document previous publication: “Microsoft XML core services uninitialized memory vulnerability”.  In this new presentation we will analyze the security update released on July 9th 2012 which fixes several DLL libraries, specially the msxml3.dll one.  The lab environment is an English Windows XP SP3 workstation.  For simplicity, ASLR and DEP security options are deactivated. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 4. Security update Your texte here …. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 5. Files' size comparison  Your identify all files implied in the security update We texte here …. process with monitoring tools, such as Process Monitor. Actually, the file which interests us is the msxml3.dll library.  To successfully compare unpatched and patched files, we first make a copy of the unpatched library to an analysis directory.  We apply the security update and we copy again the patched DLL file into the previous directory, with a new destination file name.  After downloading and applying the security update and comparing the size of this particular file, we can notice a tiny difference of 66 bytes. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 6. Binary Diffing  Your texte here …. is a technique for performing Binary Diffing automated binary differential analysis.  This becomes very useful for reverse engineering patches as well as program updates.  Some of the available binary diffing tools are: – Bindiff – PatchDiff – Darumgrim – Turbodiff  Here, we used Turbodiff. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 7. Turbodiff  Your texte here …. Turbodiff was programmed by Nicolás Economou.  It was presented at the Argentinian security conference Ekoparty in 2009.  It is a heuristic based IDA Plugin aimed for binary diffing.  This tools was developed in C++.  It provides an Architecture Independent Diffing. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 8. Turbodiff results (1)  Your texte here …. two binary files, turbodiff creates an After analyzing the ana file from the IDA idb file.  The aforementioned ana file will be used later in order to detect the suspicious and changed functions.  Later turbodiff displays its results: ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 9. Turbodiff results (2)  Your texte herethe differences between the two files: After examining …. – 25 functions are marked as suspicious. – 72 functions are marked as changed. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 10. Turbodiff results (3)  Your texte here …. Let’s check the changes in the DOMNode::get_definition(IXMLDOMNode) function which is the most important procedure involved in this vulnerability. before after  As we can see the instruction mov [edi], ebx was added into the get_definition function.  In order to understand this minor change let’s analyzed the whole process. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 11. Flow analysis (1) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 12. Flow analysis (2) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 13. Flow analysis (3) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 14. Flow analysis (4) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode 749d6499 msxml3!DOMNode::get_definition ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 15. Flow analysis (5) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode This is the local variable value that will be retrieved later by the 749d6499 msxml3!DOMNode::get_definition _dispatch::InvokeHelper function 749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 16. Flow analysis (6) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode This is the local variable value that will be retrieved later by the 749d6499 msxml3!DOMNode::get_definition _dispatch::InvokeHelper function 749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 17. Flow analysis (7) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode This is the local variable value that will be retrieved later by the 749d6499 msxml3!DOMNode::get_definition _dispatch::InvokeHelper function 749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138 749d6514 mov [edi],ebx ds:0023:0013e138=0c0c0c08 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 18. Flow analysis (8) 749bd756 _dispatchImpl::InvokeHelper Your texte here …. 749bd7de call dword ptr [esi+0x20]{msxml3!DOMNode::_invokeDOMNode 749d42da msxml3!DOMNode::_invokeDOMNode This is the local variable value that will be retrieved later by the 749d6499 msxml3!DOMNode::get_definition _dispatch::InvokeHelper function 749d64d2 mov edi,[ebp+0xc] ss:0023:0013dff8=0013e138 This instruction corresponds to the security update. The content of the edi will be initialized to zero 749d6514 mov [edi],ebx ds:0023:0013e138=0c0c0c08 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 19. Flow analysis (9) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 20. Flow analysis (10) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 749bd7ec cmp eax,ebx ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 21. Flow analysis (11) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 749bd7ec cmp eax,ebx ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 22. Flow analysis (12) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 749bd7ec cmp eax,ebx The conditional jump will be executed 749bd7f0 jz msxml3!_dispatchImpl::InvokeHelper+0xc2 (749bd818) ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 23. Flow analysis (13) After returning to the Your texte here …. _dispatchImpl::InvokeHelper function the previous sanitized pointer is moved into the eax register _dispatchImpl::InvokeHelper 749bd7e9 mov eax,[ebp-0x14] ss:0023:0013e138=00000000 749bd7ec cmp eax,ebx The conditional jump will be executed 749bd7f0 jz msxml3!_dispatchImpl::InvokeHelper+0xc2 (749bd818) The call responsible to execute the payload is no more reachable due to the conditional jump 749bd80a call dword ptr [ecx+0x18] ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 24. Conclusions  Yourwe have seen the main change in the XML security As texte here …. update for Windows XP-SP3 is the mov [edi],ebx instruction. 749d6514 891F mov [edi],ebx  This instruction sanitizes the value that will be retrieved later by the _dispatchImpl::InvokeHelper function.  If one modifies the two bytes instruction (891F) with NOP's instructions (9090) the whole security updated could be deactivate.  Apply the security update (KB2719985) as soon as you can since this vulnerability is heavily exploited in the wild nowadays. ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 25. References  Your texte here …. http://www.microsoft.com/fr- fr/download/details.aspx?id=30290  http://support.microsoft.com/kb/2719985  http://www.openrce.org/forums/posts/82  http://corelabs.coresecurity.com/index.php?modul e=Wiki&action=attachment&type=publication&pag e=Heuristicas_aplicadas_a_la_comparacion_%28_d iffeo_%29_de_binarios&file=Economou_2009- binary_diffing.pdf ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 26. Acknowledgments  Your texte here …. Thanks to Nicolas Economou from coresecurity for allowing us to publish the document using its utility Turbodiff :]  http://corelabs.coresecurity.com/index.php?modul e=Wiki&action=view&type=tool&name=turbodiff ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com
  • 27. Thanks for reading Your texte here …. Your questions are always welcome! brian.mariani@htbridge.ch frederic.bourla@htbridge.ch ORIGINAL SWISS ETHICAL HACKING ©2012 High-Tech Bridge SA – www.htbridge.com