[2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study EN
•
2 j'aime•1,253 vues
2014 CodeEngn Conference 11 IE 원데이로 시작하는 실전 익스플로잇! BOF, FSB, UAF 등의 메모리 커럽션 취약점을 워게임, CTF 통해서 배우게 되지만 비교적 더 낮은 난이도에도 불구하고 실제 상용 프로그램에 대해서는 막연한 느낌뿐인 학생들이 많은 것 같다. 웹브라우저에서 발견되는 취약점 중 가장 흔한 UAF에 대해 설명하고 비교적 최신에 발견된 CVE-2014-0322, CVE-2014-1776 두가지 전형적인 IE 브라우저 UAF 취약점을 익스플로잇하는 방법을 설명하려고 한다. 추후 사례로 소개되는 두 가지 취약점에 대해 직접 학습이 가능하도록 단계별 튜토리얼을 별도 제공하고자한다. http://codeengn.com/conference/11 http://codeengn.com/conference/archive
Recommandé
Recommandé
Contenu connexe
En vedette
En vedette (10)
Similaire à [2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study EN
Similaire à [2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study EN (20)
Plus de GangSeok Lee
Plus de GangSeok Lee (20)
Dernier
Dernier (20)
[2014 CodeEngn Conference 11] 박세한 - IE 1DAY Case Study EN
- 1. IE 1Day Case Study www.CodeEngn.com 2014 CodeEngn Conference 11
- 2. Agenda * Who am I * Background * CVE-2014-0322 * CVE-2014-1776 * Q&A
- 3. Who am I * Darwin Park - Vulnerability discovery - Exploit Technique * Netguardian (Feat. Jaeyoung Kim) * Wiseguyz & B10S
- 4. Background * If you look at the M$'s security bulletins, you’ll notice many of the patched vulns were use-after-frees * Use-after-free is still a common bug class * That's why I'll walk you through UAF in IE today
- 5. DEMO!
- 6. Background * What does exploit look like? Magic? There's nothing special in exploits * By using learn-by-example methodology we can get understanding about exploitation
- 7. Background * Use After Free (Dangling Pointers) - result of the combined actions from different parts of an application - namely, the parts of the code that can cause the freeing of the object and the parts of the code that use the object
- 9. CVE-2014-0322 STEP1 minimized POC code
- 10. CVE-2014-0322
- 12. CVE-2014-0322
- 13. CVE-2014-0322 STEP2 filling a freed object's memory
- 14. CVE-2014-0322
- 15. CVE-2014-0322 00410000 = "A" 004100410000 = "AA" 0041004100410000 = "AAA"
- 19. eax=0x41414141
- 20. CVE-2014-0322 STEP3 memory leak
- 23. size unknown data1 data2 data3 data4 data5 data6 data.. data.. data.. data.. data.. data.. data.. data.. data1007 data1008 Null Null
- 24. CVE-2014-0322 STEP4 modify object size
- 26. 0x12120ff1 + 0x10 = 12121001 0x000003f0 [edx+esi*4+8],eax eax = value esi = offset edx = buffer
- 28. CVE-2014-0322 STEP5 EIP Control
- 30. Free & New Main Class Object Leak! Allocation V-Table Overwrite
- 33. CVE-2014-0322
- 34. CVE-2014-0322
- 35. CVE-2014-1776 * Similar to CVE-2014-0322, Just a typical UAF Case * We can use the same way as CVE- 2014-0322
- 38. Workshop
- 39. Q&A Questions? https://withgit.com/hdarwin89/codeengn-2014-ie-1day-case-study www.CodeEngn.com 2014 CodeEngn Conference 11