Show filters Hide filters

Refine your search

Publication Year
1-12 out of 12 results
Change view
  • Sort by:
1:02:44 REcon English 2015

Abusing Silent Mitigations

In the summer of 2014, Microsoft silently introduced two new exploit mitigations into Internet Explorer with the goal of disrupting the threat landscape. These mitigations increase the complexity of successfully exploiting a use-after-free vulnerability. June's patch (MS14-035) introduced a separate heap, called Isolated Heap, which handles most of the DOM and supporting objects. July's patch (MS14-037) introduced a new strategy called MemoryProtection for freeing memory on the heap. This talk covers the evolution of the Isolated Heap and MemoryProtection mitigations, examines how they operate, and studies their weaknesses. It outlines techniques and steps an attacker must take to attack these mitigations to gain code execution on use-after-free vulnerabilities where possible. It describes how an attacker can use MemoryProtection as an oracle to determine the address at which a module will be loaded to bypass ASLR. Finally, additional recommended defenses are laid out to further harden Internet Explorer from these new attack vectors.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:05:47 REcon English 2015

"One font vulnerability to rule them all" A story of cross-software ownage, shared codebases and advanced exploitation

"Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild. Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs. In this presentation, we will outline the current state of the art with regards to font security research, followed by an in-depth analysis of the root cause and reliable exploitation process of a number of recently discovered vulnerabilities, including several full exploit chains. In particular, we will demonstrate how a universal PDF file could be crafted to fully compromise the security of a Windows 8.1 x86/x64 operating system via just a single vulnerability found in both Adobe Reader and the Adobe Type Manager Font Driver used by the Windows kernel."
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:07:51 REcon English 2015

Breaking Bad BIOS: Attacking and Defending BIOS in 2015

In this presentation we will demonstrate multiple types of recently discovered BIOS vulnerabilities. We will detail how hardware configuration is restored upon resume from sleep and how BIOS can be attacked when waking up from sleep using "S3 resume boot script" vulnerabilities. Similarly, we will discuss the impact of insufficient protection of persistent configuration data in non-volatile storage and more. We'll also describe how to extract contents of SMRAM using above vulnerabilities and advanced methods such as Graphics aperture DMA to further perform analysis of the SMM code that would otherwise be protected. Additionally, we will detail "SMI input pointer" and other new types of vulnerabilities specific to SMI handlers. Finally, we will describe how each class of issues is mitigated as a whole and introduce new modules to CHIPSEC framework to test systems for these types of issues.
  • Published: 2015
  • Publisher: REcon
  • Language: English
52:10 REcon English 2015

Totally Spies!

For some months now, there were rumors of cartoon-named malware employed in espionage operations. It actually started in March 2014 with a set of slides leaked from the Communications Security Establishment Canada (CSEC) -- Canada equivalent of NSA. CSEC then described to its spook friends a malware dubbed Babar by its authors, which they attributed "with moderate certainty" to a French intelligence agency. The group behind Babar is now commonly referred as "AnimalFarm" in antimalware industry, because Babar was only a small piece of a much bigger puzzle. Since CSEC slides' publication, a group of valorous adventurers, animated by the thrill of understanding complex malware operations, has been relentlessly following AnimalFarm's trail. Along its path, this group found several pieces of AnimalFarm's arsenal, for example stealthy Casper, exotic Bunny and even big ears Babar itself. This presentation aims at presenting the results of this group's research. In particular, we will provide a global picture on AnimalFarm's operations, and also delve into technical quirks of their malware. We will also explain how we assessed the connection between their various piece of software from a code reverse-engineering perspective, and what are the technical hints we found regarding attribution.
  • Published: 2015
  • Publisher: REcon
  • Language: English
40:23 REcon English 2015

Finish Him!

For a decade from the early 90's to the early 2000's, Williams' Digital Compression System (DCS) audio hardware reigned supreme in arcades and casinos, providing amazing sounding music, voice-overs, and effects, blowing competing systems out of the water. This talk will reverse the DSP hardware, firmware, and algorithms powering the DCS audio compression system, used on Midway coin-ops and Williams/Bally pinballs, like Mortal Kombat II/3/4, Killer Instinct 1/2, Cruis'n USA, and Indiana Jones, among others. A tool called DeDCS will be presented, which can extract, decompress, and convert the proprietary compressed audio data from a DCS game's sound ROMs into regular WAV format, taking you back to '92, when you tossed that first quarter into MKII, and Shao Kahn laughed in your face...
  • Published: 2015
  • Publisher: REcon
  • Language: English
23:28 REcon English 2015

Exploiting Out-of-Order-Execution

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities inherent to systems which share hardware resources will become increasingly attractive targets to malicious software authors. This talk first presents a classification of the possible cloud-based side channels which use hardware virtualization. Additionally, a novel side channel exploiting out-of-order-execution in the CPU pipeline is described and implemented. Finally, this talk will show constructions of several adversarial applications and demo two. These applications are deployed across the novel side channel to prove the viability of each exploit. We then analyze successful detection and mitigation techniques of the side channel attacks.
  • Published: 2015
  • Publisher: REcon
  • Language: English
25:28 REcon English 2015

Radare2, building a new IDA

We will present radare2, a free, lgpl-licenced, modular reverse engineering framework. Focus will be on specific usage examples (embedded systems, ctf), and the future plans for the project.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:05:02 REcon English 2015

Polyglots and Chimeras in Digital Radio Modes

Ah Matryoshkas, who doesn't like these Russian nesting dolls? But why should the fun of chimeric nesting be limited to just application formats? It is possible to design PHY-layer digital modulation protocols that (1) are backward compatible with existing standards and (2) discretely contain additional information for reception by those who know the right tricks. When properly designed, these polyglot protocols look and sound much like the older protocols, causing an eavesdropping Eve to believe she has sniffed the contents of a transmission when in fact a second, hidden message is hitching a ride on the transmission. Mallory, on the other hand, may use these protocols-in-protocols to smuggle long Russian stories to all who will listen! This fine technical lecture by two neighborly gentlemen describes techniques for designing polyglot modulation protocols, as well as concrete examples of such protocols that are fit for use in international shortwave radio communication.
  • Published: 2015
  • Publisher: REcon
  • Language: English
52:15 REcon English 2015

0x3E9 Ways to DIE

Along the years many attempts have been made to combine static and dynamic analysis results. Some were good, other were bad, however the fact is that those two approaches still remain mostly separated as most analysis tools focus on one of them only. For many years, this lack of integration and mental passing of data between static and dynamic tools has caused lot of frustration among researchers. This was the main motivation in creating DIE. DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives the researcher access to runtime values from within his standard dissembler screen. As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values. With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more (and the list keeps on growing). All of this happens without the researcher ever leaving his comfortable dissembler screen. Even better, as DIE is tightly coupled with IDA, it will basically support any architecture, data type or signature supported by IDA. DIE currently has a small but well-respected community of contributors. Starting with the alpha version, DIE users have been able to cut their research time by 20%-40%. As complex reverse engineering tasks may take several weeks or even several months to complete, DIE has already proved to be a valuable resource and a prominent part of the researcher`s toolkit. My talk introduces DIE for the very first time to the research community. I explain the basic idea behind DIE, describe its architecture, and show live examples of how to use its extensive plugin framework to speed up the research process. The talk includes *live examples* which have been carefully selected from real research projects in various security fields and demonstrate how DIE can be used to speed up bypassing software protections, unpack malware, and super-quickly locate a malware de-obfuscation functions.
  • Published: 2015
  • Publisher: REcon
  • Language: English
46:31 REcon English 2015

From Silicon to Compiler

Programmable logic devices have historically been locked up behind proprietary vendor toolchains and undocumented firmware formats, preventing the creation of a third-party compiler or decompiler. While the vendor typically prohibits reverse engineering of their software in the license agreement, no such ban applies to the silicon. Given the choice between REing gigabytes of spaghetti code and looking at clean, regular die layout, the choice is clear. This talk describes my reverse engineering of the Xilinx XC2C32A, a 180nm 32-macrocell CPLD, at the silicon level and my progress toward a fully open-source toolchain (compiler, decompiler, and floorplanner) for the device. A live demonstration of firmware generated by my tools running on actual hardware is included.
  • Published: 2015
  • Publisher: REcon
  • Language: English
49:14 REcon English 2015

The M/o/Vfuscator

Based on a paper that proves that the "mov" instruction is Turing complete, the M/o/Vfuscator takes source code and compiles it into a program that uses *only* mov instructions - no comparisons, no jumps, no math (and definitely no SMC cheating) - turning the program into one of the most painfully difficult reverse engineering targets you will ever encounter.
  • Published: 2015
  • Publisher: REcon
  • Language: English
24:28 REcon English 2015

Pandora's Cash Box: The Ghost Under Your POS

We're all used to seeing the ubiquitous cash drawer - that steel box, usually under the point-of-sale terminal, which holds the money received from sales - without giving it a second thought. But in recent years, the cash drawer has imploded in complexity into a full-blown appliance: From USB and Bluetooth support to on-board accounting and verification firmware, this innocuous box has quietly turned itself into a central component of the POS. And unsurprisingly, the security of these devices has not improved in lockstep with their feature set. In this talk, we will take apart the design and features of a modern cash drawer, and show why these devices are the proverbial chink in the armour of a POS system. We will discuss how we reverse engineered the firmware and the proprietary protocols used by several cash drawer models, and provide the tools for other reversers interested in following up. Finally, we will demonstrate how, by exploiting several security and design vulnerabilities, we can cause cash to disappear without a trace from a targeted business.
  • Published: 2015
  • Publisher: REcon
  • Language: English
out of 1 pages
Loading...
Feedback

Timings

  119 ms - page object
   72 ms - search
    5 ms - highlighting
    2 ms - highlighting/32809
    2 ms - highlighting/32803
    3 ms - highlighting/32814
    1 ms - highlighting/32806
    2 ms - highlighting/32816
    2 ms - highlighting/32817
    2 ms - highlighting/32811
    3 ms - highlighting/32805
    1 ms - highlighting/32808
    4 ms - highlighting/32810
    5 ms - highlighting/32820
    3 ms - highlighting/32804

Version

AV-Portal 3.8.0 (dec2fe8b0ce2e718d55d6f23ab68f0b2424a1f3f)