Slides from PHDays 2013 (http://www.phdays.com)
Over the past few years, e-mail messages carrying electronic documents with embedded exploits have become common. Attackers use this technique to grow botnets or to spy on an organization's trade secrets. The talk describes dynamic, signature-free detection of shellcode in electronic documents, aimed at protecting employees who handle document flow. A zero-day vulnerability found in Yandex.Browser is used to demonstrate how the software can reduce the time a company's information security service spends on incident response.
https://twitter.com/shanker_sec
3. WHOAMI_2
Markov Pavel:
Found a zero-day in Windows (arbitrary code
execution by manipulating folder settings)
Just a developer
Agievich Igor:
Found vulnerabilities in Outpost Security Suite
(2012), VirtualBox (2011), vBulletin (2005-2006)
Not even a developer :)
4. Actually, we are trying to create a
fuzzer...
Yet another reinvented wheel?
5. Our goals
We want to fuzz the file types used in our company.
In practice any file type can be fuzzed with our
fuzzer; how deep you get depends on how much you know
about the specific file format (that is how we found
the bug in Yandex.Browser).
6. Our own fuzzer: how does it work?
It is client-server based software.
Basically it consists of:
• One or more generators
• One or more clients that test the generated samples. At the
time of development they could only detect exceptions.
They use IDebugClient through a Python wrapper (faster
development than using the raw Debug API).
In addition we found out:
• The same approach also helps to find shellcode in electronic
documents
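As an added example (not the authors' fuzzer), here is what the generator side can look like in Python, the language they wrapped IDebugClient in: one format-aware strategy that rewrites the numeric parameters of RTF control words with boundary values, and one blind strategy that flips bytes after the header. The seed document, the boundary-value list and the even/odd strategy split are assumptions made for this example; the point is the slide's own one, that knowing the format lets a mutation get past the parser's first checks instead of being rejected at the header.

```python
import random
import re

# Constructed seed (not a sample from the talk): a minimal but valid RTF document.
SEED_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0\\fnil Times New Roman;}}"
            b"\\f0\\fs24 Hello, PHDays!\\par}")

# An RTF control word with a numeric parameter, e.g. \fs24 -> group 1 = b"fs", group 2 = b"24".
PARAM_RE = re.compile(rb"\\([a-z]+)(-?[0-9]+)")

# Integer boundary values that tend to trip length/size arithmetic in parsers (assumed list).
BOUNDARY_VALUES = [
    b"0", b"-1", b"127", b"128", b"255", b"256", b"32767", b"32768", b"65535", b"65536",
    b"2147483647", b"2147483648", b"-2147483648", b"4294967295", b"9" * 40,
]


def mutate_params(data, rng, count=2):
    """Format-aware mutation: replace the numeric parameter of `count` control words
    with a boundary value. Header and group structure stay intact, so the parser
    gets deep into the file before it meets the bad value."""
    matches = list(PARAM_RE.finditer(data))
    if not matches:
        return data
    out = bytearray(data)
    chosen = rng.sample(matches, min(count, len(matches)))
    # Patch from the end of the buffer so earlier match offsets remain valid.
    for m in sorted(chosen, key=lambda m: m.start(), reverse=True):
        original = m.group(2)
        value = rng.choice([v for v in BOUNDARY_VALUES if v != original])
        out[m.start(2):m.end(2)] = value
    return bytes(out)


def flip_bytes(data, rng, count=4):
    """Format-blind mutation: XOR `count` distinct bytes after the header with a
    non-zero mask, so every flip really changes the file."""
    out = bytearray(data)
    header_len = len(b"{\\rtf1")
    positions = rng.sample(range(header_len, len(out)), min(count, len(out) - header_len))
    for i in positions:
        out[i] ^= rng.randrange(1, 256)
    return bytes(out)


def generate(seed, n, rng_seed=0):
    """Generator side of the fuzzer: produce n samples from one seed.
    Even-numbered samples use the format-aware strategy, odd-numbered ones the blind one.
    A fixed rng_seed makes the corpus reproducible, so a crashing sample can be rebuilt
    from its index instead of being shipped back from the client."""
    rng = random.Random(rng_seed)
    samples = []
    for i in range(n):
        if i % 2 == 0:
            samples.append(mutate_params(seed, rng))
        else:
            samples.append(flip_bytes(seed, rng))
    return samples


if __name__ == "__main__":
    for i, sample in enumerate(generate(SEED_RTF, 4)):
        print(i, sample)
```

In a client-server setup the client only needs the seed name, the rng_seed and the sample index to reproduce a crashing file, which keeps the traffic between generator and clients down to a few integers.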
8. Let's use a new source for testing
our fuzzer
We tried a real file from a received
e-mail and we found... exceptions! It was CVE-
2012-0158 (.rtf).
Then we uploaded this file to Virtest, which returned:
9. Let's try to play with the exploit
Original file from the e-mail (on the left) and a modified
file that still works (on the right)
10. What can the shellcode do
• It has functions for download and/or execution
11. We can find a suspicious workflow
What counts as a suspicious workflow depends on the tested software.
For example, creation of a new process is
suspicious for:
Word 2003, Internet Explorer 6, Adobe Reader 8
Not suspicious for:
Google Chrome, Adobe Reader 11, Internet Explorer
8-9 (multi-process and sandboxed viewers spawn helper
processes by design)
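The per-application policy above, as an added example in Python (not the authors' code): a trace of debugger events reported by a client is scored against a table of the child processes each viewer is known to launch itself, so a process creation only counts for single-process viewers or when the child is foreign to the viewer. The viewer table, the event record format and the sample traces are assumptions made for this example; only access violations (0xC0000005) are treated as the exception signal, since the initial breakpoint the debugger raises on attach would otherwise flag every clean file.

```python
# Child images that each viewer is known to launch itself (assumed table for this
# example, not a list from the talk). Single-process viewers launch nothing, so for
# them any child process is a hit; sandboxed viewers get a short allow-list.
KNOWN_CHILDREN = {
    "word2003": set(),
    "ie6": set(),
    "reader8": set(),
    "chrome": {"chrome.exe"},
    "reader11": {"acrord32.exe"},
    "ie8": {"iexplore.exe"},
    "ie9": {"iexplore.exe"},
}

ACCESS_VIOLATION = 0xC0000005


def image_name(path):
    """Lower-case basename of a Windows image path (works on any host OS)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(viewer, events):
    """Apply the viewer-specific policy to a trace of debugger events.
    Each event is a dict with a "type" of "exception" (with "code") or
    "create_process" (with "image"). Returns a verdict with the reasons that fired."""
    known = KNOWN_CHILDREN[viewer]
    reasons = []
    for ev in events:
        kind = ev["type"]
        if kind == "exception":
            # The talk's primary signal: the document made the parser fault.
            if ev.get("code") == ACCESS_VIOLATION:
                reasons.append("access violation")
        elif kind == "create_process":
            image = image_name(ev["image"])
            if image not in known:
                reasons.append("unexpected child process " + image)
        # Other event kinds (file, registry, network) are ignored by this policy.
    return {"viewer": viewer, "suspicious": bool(reasons), "reasons": reasons}


# Constructed traces, not captured data: one hit per viewer class and one clean run.
TRACES = {
    "word2003-rtf": ("word2003", [
        {"type": "exception", "code": ACCESS_VIOLATION},
        {"type": "create_process", "image": "C:\\Windows\\System32\\cmd.exe"},
    ]),
    "chrome-pdf": ("chrome", [
        {"type": "exception", "code": 0x80000003},  # initial breakpoint on attach
        {"type": "create_process", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe"},
    ]),
    "reader11-pdf": ("reader11", [
        {"type": "create_process", "image": "C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.exe"},
        {"type": "create_process", "image": "C:\\Windows\\System32\\cmd.exe"},
    ]),
}


def run_demo():
    """Classify every constructed trace; returns {name: verdict}."""
    return {name: classify(viewer, events) for name, (viewer, events) in TRACES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "clean", verdict["reasons"])
```

The allow-list is what makes the rule portable across viewers: the same cmd.exe child that is normal noise in no viewer is caught under Chrome and Reader 11 too, while their own helper processes never fire.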
12. Our software in action
Full video:
http://www.youtube.com/watch?v=v3h_H5ZGIT8
13. And a good marksman may miss
Does Yandex know about fuzzing?
I think they do...
But we've found a new bug anyway!
14. Our results
We tested our program on:
• > 20 000 *.pdf files (opened in Adobe Reader 9-11, Foxit
Reader 3-6, Google Chrome, Yandex.Browser)
• > 10 000 *.doc, *.docx, *.rtf files (opened in MS Word 2003,
2007, LibreOffice 4.0)
• OS: Windows XP, Windows 7
We found:
• Some APT attacks using known CVEs (CVE-2012-0158
and others) against MS Word 2003, 2007
• A bug in Yandex.Browser (fixed in the latest version)
15. Any questions?
If you have any questions in English, please
wait until I am drunk and my English speaking
skills have levelled up :)
Anyway, you can contact me on the Internet:
@shanker_sec