3. WHOAMI_2
Markov Pavel:
Found a zero-day in Windows (arbitrary code
execution by manipulating folder settings)
Just a developer
Agievich Igor:
Found vulnerabilities in Outpost Security Suite
(2012), VirtualBox (2011), vBulletin (2005-2006)
Not even a developer :)
4. Actually, we are trying to create a
fuzzer...
Yet another bicycle (reinvented wheel)?
5. Our goals
We want to fuzz our company's file types
But actually any file type can be fuzzed with our
fuzzer, depending on how much you know about the
specific file format (that's how we found a
bug in Yandex.Browser)
6. Our own fuzzing: how does it work?
It is client-server based software
It basically consists of:
Generator (one or more)
Clients for testing generated samples (one or more). At the
time of development they could only detect exceptions.
Using IDebugClient with a Python wrapper (allows faster
development than using the Debug API directly).
In addition, we found out that this approach also helps to
find shellcode in electronic documents
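As an added example (not the authors' fuzzer), the two halves of the client-server design described on this slide, reduced to what can be run and tested offline: a generator that derives mutated samples from a seed file, and a client-side verdict that interprets what happened to the tested viewer. The real clients attach a debugger through IDebugClient; here the client is reduced to reading the process exit status, which on Windows carries the NTSTATUS code of an unhandled exception. The seed bytes, the mutation strategies, the NTSTATUS table and the `viewer_cmd` command line are assumptions constructed for this example.

```python
"""Added example: generator + exception-detecting client of a file fuzzer.
Not the authors' code; seed, mutations and status table are constructed."""
import random
import subprocess
from typing import List, Optional

# Exit codes a Windows process reports after an unhandled exception (NTSTATUS).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0x80000003: "STATUS_BREAKPOINT",
}


def mutate(seed: bytes, rounds: int, rng: random.Random) -> bytes:
    """Generator side: apply `rounds` random byte-level mutations to a seed.
    Three strategies: flip one bit, overwrite a byte with an "interesting"
    value, or duplicate a short chunk in place (stresses length fields)."""
    data = bytearray(seed)
    if not data:
        return bytes(data)  # nothing to mutate
    interesting = [0x00, 0x7F, 0x80, 0xFF]
    for _ in range(rounds):
        choice = rng.randrange(3)
        pos = rng.randrange(len(data))
        if choice == 0:
            data[pos] ^= 1 << rng.randrange(8)
        elif choice == 1:
            data[pos] = rng.choice(interesting)
        else:
            end = min(len(data), pos + rng.randrange(1, 16))
            data[pos:pos] = data[pos:end]  # insert a copy of data[pos:end]
    return bytes(data)


def generate_corpus(seed: bytes, count: int, rounds: int = 4, salt: int = 0) -> List[bytes]:
    """Deterministic corpus: the same seed and salt always give the same
    samples, so a crashing sample can be regenerated from its index alone."""
    return [mutate(seed, rounds, random.Random(salt + i)) for i in range(count)]


def classify_exit(returncode: Optional[int]) -> str:
    """Client side: map an exit status to a verdict. subprocess reports the
    code as an unsigned 32-bit value on Windows; signed values are normalised
    so that -1073741819 and 0xC0000005 classify the same way."""
    if returncode is None:
        return "timeout"
    code = returncode & 0xFFFFFFFF
    if code in NTSTATUS_NAMES:
        return "exception:" + NTSTATUS_NAMES[code]
    if code == 0:
        return "clean"
    return "exit:%d" % code


def run_sample(viewer_cmd: List[str], sample_path: str, timeout_s: float = 10.0) -> str:
    """Launch the tested viewer on one sample and classify the outcome.
    `viewer_cmd` is a hypothetical command line such as ["AcroRd32.exe"]."""
    try:
        proc = subprocess.run(viewer_cmd + [sample_path], timeout=timeout_s,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return classify_exit(None)  # hung viewer; subprocess kills the child
    except FileNotFoundError:
        return "error:viewer_not_found"
    return classify_exit(proc.returncode)


if __name__ == "__main__":
    # Constructed RTF-like seed; a real run would start from a valid document.
    seed = b"{\\rtf1\\ansi Hello, world}"
    for i, sample in enumerate(generate_corpus(seed, 3)):
        print(i, len(sample), sample[:24])
    print(classify_exit(0xC0000005))
```

A verdict other than "clean" is what the clients report back to the server together with the sample index, which is enough to regenerate the sample from the seed and salt.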
8. Let's use a new source for testing
our fuzzing
We tried using a real file from a received
email and we found... exceptions! It was CVE-
2012-0158 (.rtf)
Then we uploaded this file to Virtest, which returned:
10. Let's try to play with the exploit
Original file from the email (on the left) and a modified
file, still working (on the right)
11. What can shellcode do
Has functions for download and/or execution
12. We can find suspicious workflow
Suspicious workflow depends on the tested software.
For example, creation of a new process is
suspicious for:
Word 2003, Internet Explorer 6, Adobe Reader 8
Not suspicious for:
Google Chrome, Adobe Reader 11, Internet Explorer 8-9
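The per-application rule from this slide as a small policy evaluator, added here as an example and not part of the authors' tool. Any child process spawned by Word 2003, Internet Explorer 6 or Adobe Reader 8 is flagged, exactly as the slide states. For Chrome, Adobe Reader 11 and IE 8-9 the example goes one step beyond the slide: these are multi-process designs that normally spawn copies of their own image (renderer and sandbox processes), so a child with a different image name is still flagged. The event records, image names and the tab-separated report format are constructed; the fail-closed default for an unknown application is an assumption.

```python
"""Added example: "suspicious workflow" policy for process-creation events.
Not the authors' code; events, image names and log format are constructed."""
from dataclasses import dataclass
from typing import List

# Applications that never spawn a process while rendering a document.
SINGLE_PROCESS_APPS = {"Word 2003", "Internet Explorer 6", "Adobe Reader 8"}
# Multi-process viewers: spawning a copy of their own image is normal.
MULTI_PROCESS_APPS = {"Google Chrome", "Adobe Reader 11",
                      "Internet Explorer 8", "Internet Explorer 9"}


@dataclass(frozen=True)
class Event:
    app: str      # tested application, as configured in the harness
    parent: str   # image name of the process under test
    action: str   # "create_process" or any other action the client reports
    target: str   # for create_process: the child image name


def parse_line(line: str) -> Event:
    """Parse one tab-separated client report: app, parent, action, target
    (constructed format for this example)."""
    app, parent, action, target = line.rstrip("\n").split("\t", 3)
    return Event(app, parent, action, target)


def is_suspicious(event: Event) -> bool:
    """Apply the slide's rule to one event."""
    if event.action != "create_process":
        return False
    if event.app in SINGLE_PROCESS_APPS:
        return True  # slide rule: any child process is suspicious
    if event.app in MULTI_PROCESS_APPS:
        # Refinement beyond the slide: only a copy of the viewer's own image
        # (renderer / sandbox child) is expected; anything else is odd.
        return event.target.lower() != event.parent.lower()
    return True  # assumption: unknown application, fail closed


def flag_events(events: List[Event]) -> List[Event]:
    """Return only the events the policy considers suspicious, in order."""
    return [e for e in events if is_suspicious(e)]


# Constructed client reports, one per line, tab-separated.
SAMPLE_LOG = "\n".join([
    "Word 2003\tWINWORD.EXE\tcreate_process\tcmd.exe",
    "Google Chrome\tchrome.exe\tcreate_process\tchrome.exe",
    "Google Chrome\tchrome.exe\tcreate_process\tcalc.exe",
    "Adobe Reader 11\tAcroRd32.exe\tcreate_process\tAcroRd32.exe",
    "Adobe Reader 8\tAcroRd32.exe\twrite_file\tC:\\temp\\out.tmp",
    "Internet Explorer 9\tiexplore.exe\tcreate_process\tiexplore.exe",
])
SAMPLE_EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines()]


if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print("SUSPICIOUS:", e.app, e.parent, "->", e.target)
```

Run over the constructed log, only the `cmd.exe` child of Word 2003 and the `calc.exe` child of Chrome are flagged; the renderer and sandbox children of the multi-process viewers, and the non-process action, pass.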
13. Our software in action
Full video:
http://www.youtube.com/watch?v=v3h_H5ZGIT8
14. And a good marksman may miss
Does Yandex know about fuzzing?
I think they do...
But we've found a new bug anyway!
15. Our results
We tested our program on:
> 20 000 *.pdf files (opened in Adobe Reader 9-11, Foxit
Reader 3-6, Google Chrome, Yandex.Browser)
> 10 000 *.doc, *.docx, *.rtf files (opened in MS Word 2003,
2007, LibreOffice 4.0)
OS: Win XP, Win 7
We've found:
Some APT attacks with known CVEs (CVE-2012-0158
and some others) for MS Word 2003, 2007
Bug in Yandex.Browser (fixed in the latest version)
16. Any questions?
If you have any questions in English, please
wait until I am drunk and my English speaking
skills are levelled up :)
Anyway, you can contact me on the Internet
twitter: @shanker_sec