1:02:44 REcon English 2015

Abusing Silent Mitigations

In the summer of 2014, Microsoft silently introduced two new exploit mitigations into Internet Explorer with the goal of disrupting the threat landscape. These mitigations increase the complexity of successfully exploiting a use-after-free vulnerability. June's patch (MS14-035) introduced a separate heap, called Isolated Heap, which handles most of the DOM and supporting objects. July's patch (MS14-037) introduced a new strategy called MemoryProtection for freeing memory on the heap. This talk covers the evolution of the Isolated Heap and MemoryProtection mitigations, examines how they operate, and studies their weaknesses. It outlines techniques and steps an attacker must take to attack these mitigations to gain code execution on use-after-free vulnerabilities where possible. It describes how an attacker can use MemoryProtection as an oracle to determine the address at which a module will be loaded to bypass ASLR. Finally, additional recommended defenses are laid out to further harden Internet Explorer from these new attack vectors.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:05:47 REcon English 2015

"One font vulnerability to rule them all" A story of cross-software ownage, shared codebases and advanced exploitation

Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild. Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs. In this presentation, we will outline the current state of the art with regards to font security research, followed by an in-depth analysis of the root cause and reliable exploitation process of a number of recently discovered vulnerabilities, including several full exploit chains.
In particular, we will demonstrate how a universal PDF file could be crafted to fully compromise the security of a Windows 8.1 x86/x64 operating system via just a single vulnerability found in both Adobe Reader and the Adobe Type Manager Font Driver used by the Windows kernel.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:07:51 REcon English 2015

Breaking Bad BIOS: Attacking and Defending BIOS in 2015

In this presentation we will demonstrate multiple types of recently discovered BIOS vulnerabilities. We will detail how hardware configuration is restored upon resume from sleep and how the BIOS can be attacked when waking up from sleep using "S3 resume boot script" vulnerabilities. Similarly, we will discuss the impact of insufficient protection of persistent configuration data in non-volatile storage, and more. We'll also describe how to extract the contents of SMRAM using the above vulnerabilities and advanced methods such as graphics aperture DMA, to further perform analysis of the SMM code that would otherwise be protected. Additionally, we will detail "SMI input pointer" and other new types of vulnerabilities specific to SMI handlers. Finally, we will describe how each class of issues is mitigated as a whole and introduce new modules for the CHIPSEC framework to test systems for these types of issues.
  • Published: 2015
  • Publisher: REcon
  • Language: English
38:12 REcon English 2015

Understanding the Microsoft Office Protected-View Sandbox

The first part of this talk will sketch the Protected-View sandbox internals by discussing its architecture, its initialization sequence and the system resource restrictions. The second part will discuss the Inter-Process Communication (IPC) mechanism, including the mode of communication, the undocumented objects involved, the format of IPC messages and the semantics of selected IPC messages.
  • Published: 2015
  • Publisher: REcon
  • Language: English
52:10 REcon English 2015

Totally Spies!

For some months now, there have been rumors of cartoon-named malware employed in espionage operations. It actually started in March 2014 with a set of slides leaked from the Communications Security Establishment Canada (CSEC), Canada's equivalent of the NSA. CSEC described to its spook friends a malware dubbed Babar by its authors, which they attributed "with moderate certainty" to a French intelligence agency. The group behind Babar is now commonly referred to as "AnimalFarm" in the antimalware industry, because Babar was only a small piece of a much bigger puzzle. Since the publication of the CSEC slides, a group of valorous adventurers, animated by the thrill of understanding complex malware operations, has been relentlessly following AnimalFarm's trail. Along its path, this group found several pieces of AnimalFarm's arsenal, for example stealthy Casper, exotic Bunny and even big-eared Babar itself. This presentation aims at presenting the results of this group's research. In particular, we will provide a global picture of AnimalFarm's operations, and also delve into the technical quirks of their malware. We will also explain how we assessed the connection between their various pieces of software from a code reverse-engineering perspective, and what technical hints we found regarding attribution.
  • Published: 2015
  • Publisher: REcon
  • Language: English
40:23 REcon English 2015

Finish Him!

For a decade from the early 90's to the early 2000's, Williams' Digital Compression System (DCS) audio hardware reigned supreme in arcades and casinos, providing amazing sounding music, voice-overs, and effects, blowing competing systems out of the water. This talk will reverse the DSP hardware, firmware, and algorithms powering the DCS audio compression system, used on Midway coin-ops and Williams/Bally pinballs, like Mortal Kombat II/3/4, Killer Instinct 1/2, Cruis'n USA, and Indiana Jones, among others. A tool called DeDCS will be presented, which can extract, decompress, and convert the proprietary compressed audio data from a DCS game's sound ROMs into regular WAV format, taking you back to '92, when you tossed that first quarter into MKII, and Shao Kahn laughed in your face...
  • Published: 2015
  • Publisher: REcon
  • Language: English
45:41 REcon English 2015

This Time Font hunt you down in 4 bytes

In our recent work we also targeted win32k, which seems to be a fruitful target. @promised lu made our own TTF fuzzer, which came back with a bunch of results in the form of gigabytes of crashes and various bugs. Fortunately Windows did great work and in February most of our bugs were dead, patched, but not all of them… What was left looked like seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check them out, and finally combined them with our user-mode bug and EMET bypass. Through IE and Flash we broke down the system and pointed out weak points in the defensive mechanisms. In this talk we will present our research dedicated to the Pwn2Own event this year. We will describe the kernel part of the exploit in detail, including the bug description and the resulting memory corruption conditions and caveats, up to the final pwn via one of our TTF bugs. Throughout the talk we will describe how to break various exploit mitigations in the Windows kernel and why it is possible. We will introduce novel kernel exploitation techniques that break everything that stands in the way and bring you SYSTEM exec (from kernel driver to system calc).
  • Published: 2015
  • Publisher: REcon
  • Language: English
24:29 REcon English 2015

Reverse Engineering Windows AFD.sys

What happens when you make a socket() call in Windows? This presentation will briefly walk through the rather well documented Winsock user-mode framework before diving into the turmoil of ring 0. There is no map to guide us here. Our adventure will begin where MSDN ends, and our first stop along the way is with an IOCTL to AFD.sys, the awkwardly named Ancillary Function Driver. This driver is of particular interest because it is so widely used and yet most people that use it do not even know it exists. Nearly every Windows program managing sockets depends on this driver. Even more interesting is that the device created by AFD.sys is accessible from every sandbox Google Project Zero looked at. In fact, there isn't even support to restrict access to this device until Windows 8.1. Staying true to Windows style, AFD.sys is a complex driver with over 70 reachable IOCTLs and support for everything from SAN to TCP. It is no wonder that this driver weighs in at 500KB. This complexity combined with accessibility breeds a robust ring 0 attack surface. Current fuzzing efforts will also be shared in this presentation, and by the time we are done you should have a good idea of what happens when making a socket() call without having to spend hours in IDA to figure it out.
  • Published: 2015
  • Publisher: REcon
  • Language: English
25:28 REcon English 2015

Radare2, building a new IDA

We will present radare2, a free, LGPL-licensed, modular reverse engineering framework. The focus will be on specific usage examples (embedded systems, CTF) and the future plans for the project.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:06:06 REcon English 2015

Hooking Nirvana

In this talk we will cover 5 novel instrumentation techniques that all rely on deep Windows Internals: AVRF Hooking, MinWin Hooking, Shim Hooking, Nirvana Hooking, and CFG Hooking. We will start by describing the intended use of these technologies in Windows and what their normal use cases and scenarios are, followed by explanations and demonstrations on how to abuse them to do your bidding. In turn, we will detail how to detect each of them from a defensive perspective, contrasting current hook detection methods and their inability to pick up on these techniques. These hooking techniques can be leveraged for code obfuscation, dynamic binary instrumentation, implementing stealthy hiding techniques and more.
  • Published: 2015
  • Publisher: REcon
  • Language: English
55:45 REcon English 2015

Reversing the Nintendo 64 CIC

This presentation covers our successful efforts to reverse engineer and clone the Nintendo 64's copy protection chip: the N64 CIC. We describe the processes and techniques we used to finally conquer this chip, nearly 20 years after its introduction. Nintendo's NES, Super NES, and Nintendo 64 used a series of copy protection chips known as CICs. As the consoles grew more sophisticated, so did the chips. While the NES and Super NES CICs have been cracked and cloned, up until recently the Nintendo 64's has remained an elusive target. Our team approached this chip by exposing the die (decapping) and optically imaging it, including its mask ROM. Through visual inspection we determined the CPU core and instruction set, and we were able to extract the program code from the mask ROM. We wrote an emulator on PC and ultimately cloned the chip on a PIC microcontroller.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:05:02 REcon English 2015

Polyglots and Chimeras in Digital Radio Modes

Ah, Matryoshkas, who doesn't like these Russian nesting dolls? But why should the fun of chimeric nesting be limited to just application formats? It is possible to design PHY-layer digital modulation protocols that (1) are backward compatible with existing standards and (2) discreetly contain additional information for reception by those who know the right tricks. When properly designed, these polyglot protocols look and sound much like the older protocols, causing an eavesdropping Eve to believe she has sniffed the contents of a transmission when in fact a second, hidden message is hitching a ride on the transmission. Mallory, on the other hand, may use these protocols-in-protocols to smuggle long Russian stories to all who will listen! This fine technical lecture by two neighborly gentlemen describes techniques for designing polyglot modulation protocols, as well as concrete examples of such protocols that are fit for use in international shortwave radio communication.
  • Published: 2015
  • Publisher: REcon
  • Language: English
46:31 REcon English 2015

From Silicon to Compiler

Programmable logic devices have historically been locked up behind proprietary vendor toolchains and undocumented firmware formats, preventing the creation of a third-party compiler or decompiler. While the vendor typically prohibits reverse engineering of their software in the license agreement, no such ban applies to the silicon. Given the choice between REing gigabytes of spaghetti code and looking at clean, regular die layout, the choice is clear. This talk describes my reverse engineering of the Xilinx XC2C32A, a 180nm 32-macrocell CPLD, at the silicon level and my progress toward a fully open-source toolchain (compiler, decompiler, and floorplanner) for the device. A live demonstration of firmware generated by my tools running on actual hardware is included.
  • Published: 2015
  • Publisher: REcon
  • Language: English
49:14 REcon English 2015

The M/o/Vfuscator

Based on a paper that proves that the "mov" instruction is Turing complete, the M/o/Vfuscator takes source code and compiles it into a program that uses *only* mov instructions - no comparisons, no jumps, no math (and definitely no SMC cheating) - turning the program into one of the most painfully difficult reverse engineering targets you will ever encounter.
  • Published: 2015
  • Publisher: REcon
  • Language: English
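The abstract above leaves open how a program with no compares, jumps or arithmetic can compute anything. The following C program is an added illustration, not the M/o/Vfuscator's own code, of the kind of data-movement tricks that make mov-only computation possible: equality is decided by two stores to a table and one load (they alias exactly when the operands are equal), "if" is replaced by choosing between a real destination and a scratch byte, and arithmetic becomes a table lookup. The lookup table is filled with ordinary C in the role of compiler-emitted constant data; the `for` loop is the one concession, standing in for the single unconditional jump back to the top that a real mov-only binary needs. Function names and the sample buffer are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constant data the "program" indexes instead of doing arithmetic.
 * Filled once with ordinary C (the role compiler-emitted tables play);
 * the mov-only parts below never use + - == or a conditional. */
static uint8_t inc_tab[256];            /* inc_tab[x] == (x + 1) mod 256 */

static void movonly_init(void)
{
    for (int i = 0; i < 256; i++)
        inc_tab[i] = (uint8_t)(i + 1);
}

/* Equality from two stores and one load: write 0 to slot[a], then 1 to
 * slot[b]. slot[a] reads back 1 exactly when the two stores aliased,
 * i.e. when a == b. No compare instruction is involved. */
static uint8_t mov_eq(uint8_t a, uint8_t b)
{
    static uint8_t slot[256];
    slot[a] = 0;
    slot[b] = 1;
    return slot[a];
}

/* Count how many bytes of buf equal needle using only loads and stores
 * through computed addresses. Conditional execution is simulated by
 * selecting the destination: when the predicate is 1 the new value lands
 * in `count`, when it is 0 the same value lands in a scratch byte and is
 * discarded. The result is 8-bit, so len must be at most 255 for an exact
 * count (hypothetical helper, constructed for this example). */
uint8_t movonly_count(const uint8_t *buf, size_t len, uint8_t needle)
{
    uint8_t count = 0, scratch = 0;
    uint8_t *dest[2] = { &scratch, &count };   /* dest[0]: discard, dest[1]: commit */

    movonly_init();
    /* The loop is the one jump; a mov-only binary runs every "instruction"
     * on every pass and lets the destination selection do the control flow. */
    for (size_t i = 0; i < len; i++) {
        uint8_t eq = mov_eq(buf[i], needle);    /* 0 or 1, decided by aliasing */
        *dest[eq] = inc_tab[count];             /* count + 1 from the table, stored conditionally */
    }
    return count;
}

/* Constructed sample input for the stand-alone run. */
static const uint8_t sample_buf[] = { 0x41, 0x00, 0x41, 0x42, 0x41, 0xff };

int main(void)
{
    printf("0x41 occurs %u times\n", (unsigned)movonly_count(sample_buf, sizeof sample_buf, 0x41));
    printf("0x00 occurs %u times\n", (unsigned)movonly_count(sample_buf, sizeof sample_buf, 0x00));
    return 0;
}
```

The point to take from the selection trick is why the resulting binaries are so hostile to analysis: every "branch" executes on every pass, so control flow recovered from the instruction stream is flat, and the real program logic lives entirely in which addresses get computed.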
24:28 REcon English 2015

Pandora's Cash Box: The Ghost Under Your POS

We're all used to seeing the ubiquitous cash drawer - that steel box, usually under the point-of-sale terminal, which holds the money received from sales - without giving it a second thought. But in recent years, the cash drawer has imploded in complexity into a full-blown appliance: From USB and Bluetooth support to on-board accounting and verification firmware, this innocuous box has quietly turned itself into a central component of the POS. And unsurprisingly, the security of these devices has not improved in lockstep with their feature set. In this talk, we will take apart the design and features of a modern cash drawer, and show why these devices are the proverbial chink in the armour of a POS system. We will discuss how we reverse engineered the firmware and the proprietary protocols used by several cash drawer models, and provide the tools for other reversers interested in following up. Finally, we will demonstrate how, by exploiting several security and design vulnerabilities, we can cause cash to disappear without a trace from a targeted business.
  • Published: 2015
  • Publisher: REcon
  • Language: English