Hinn blákaldi sannleikur maður er alltaf óöruggur

Rich Smith
February 08, 2013


A talk I gave with Syndis co-founder Ýmir Vigfússon at UTMessan 2013 in Reykjavík, Iceland, where we discuss the value of using offensive techniques to inform good defense.
The title roughly translates to 'The ice cold truth of the fact that one is always insecure' :)


Transcript

  1. Ýmir Vigfússon, Rich Smith

  21. Understanding a real-world attack

    A REAL-WORLD ATTACK
    - Bug seen exploited in the wild in December 2012
    - Hacked the Council of Foreign Affairs
    - Fully patched Windows 7
    - Internet Explorer 8.0
    - Java 1.6
    - DEP memory protection
    - We will demonstrate and explain our exploit: CVE-2012-4792
  22. DEMO

  23. Under the hood

    [Diagram: DOM tree with a div element, a form element and a button; labelled "Use after free", "appendChild", "used by the system", "0c0c0c0c"; an analogy for CVE-2012-4792]
  24. [Figure: computer memory used by the system; a freed reference still points into memory filled with 0x0c0c0c0c; "system trusts the reference, therefore system executes"]
  25. [Figure: computer memory with Data Execution Prevention, the 0x0c0c0c0c region marked non-executable; "Defeated by Return-Oriented Programming (ROP)"; "ROP exploit relies entirely on existing code!"]
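The slides above show the mechanism as a picture only: a reference that outlives the object it pointed at, the freed memory refilled with 0x0c0c0c0c, and the program trusting the stale reference anyway. The program below is an added example written for this page, not code from the talk or from the exploit it demonstrates. It models the same sequence deterministically in a small slot table instead of the real heap (a constructed model; `heap`, `take_handle`, `safe_use` and the rest are made up for this illustration), so the stale access is observable without undefined behaviour. The unsafe path reads whatever the reused slot now holds, which is the slide's "system trusts the reference"; the hardened path tags every handle with a generation counter, so a reference that outlives its object is rejected instead of honoured.

```c
/* Added example (not from the talk): a slot-table model of the
 * use-after-free pattern shown on the slides. No real memory is freed, so
 * the stale access is well-defined and can be asserted on. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define SLOTS 4
#define FILL_PATTERN 0x0c0c0c0cu   /* the fill value shown on the slide */

/* A DOM-like element. `payload` stands in for the function pointer the
 * program will eventually trust (a vtable entry in the real case). */
struct element {
    int alive;
    uint32_t generation;   /* bumped every time the slot is reused */
    uint32_t payload;
    char name[16];
};

/* A reference to an element. The unsafe code only looks at `slot`; the
 * hardened code also remembers the generation the reference was taken at. */
struct handle {
    int slot;
    uint32_t generation;
};

static struct element heap[SLOTS];   /* constructed stand-in for the heap */

static int alloc_element(const char *name, uint32_t payload) {
    for (int i = 0; i < SLOTS; i++) {
        if (!heap[i].alive) {
            heap[i].alive = 1;
            heap[i].generation++;
            heap[i].payload = payload;
            strncpy(heap[i].name, name, sizeof heap[i].name - 1);
            heap[i].name[sizeof heap[i].name - 1] = '\0';
            return i;
        }
    }
    return -1;
}

static void free_element(int slot) {
    heap[slot].alive = 0;   /* the slot is now free for reuse */
}

static struct handle take_handle(int slot) {
    struct handle h = { slot, heap[slot].generation };
    return h;
}

/* Unsafe: dereference like a raw pointer, with no liveness check. */
static uint32_t unsafe_use(struct handle h) {
    return heap[h.slot].payload;
}

/* Hardened: refuse the access if the object is gone or the slot has been
 * reused since the handle was taken. Returns 0 on success, -1 if stale. */
static int safe_use(struct handle h, uint32_t *out) {
    struct element *e = &heap[h.slot];
    if (!e->alive || e->generation != h.generation)
        return -1;
    *out = e->payload;
    return 0;
}

/* Replays the slide's sequence: allocate, keep a reference, free, reuse. */
static uint32_t scenario_unsafe(void) {
    memset(heap, 0, sizeof heap);
    int btn = alloc_element("button", 0x1000);     /* legitimate object */
    struct handle stale = take_handle(btn);        /* reference kept elsewhere */
    free_element(btn);                             /* object freed ... */
    alloc_element("fill", FILL_PATTERN);           /* ... slot refilled */
    return unsafe_use(stale);                      /* stale reference trusted */
}

static int scenario_safe(void) {
    memset(heap, 0, sizeof heap);
    int btn = alloc_element("button", 0x1000);
    struct handle stale = take_handle(btn);
    free_element(btn);
    alloc_element("fill", FILL_PATTERN);
    uint32_t v;
    return safe_use(stale, &v);                    /* -1: stale handle rejected */
}

int main(void) {
    printf("unsafe variant observed 0x%08x\n", scenario_unsafe());
    printf("safe variant returned %d\n", scenario_safe());
    return 0;
}
```

The generation check is the same idea behind the weak references and "dead object" checks browsers later added around DOM nodes: a reference alone proves nothing about whether the object it names still exists, so the referent has to carry enough state to answer that question before it is trusted.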
  26. Exploit that overcomes modern memory defenses

    WHAT ABOUT OTHER DEFENSES? FIREWALLS, ANTI-VIRUS, IDS/IPS, ...
  27. ATTACKS ARE INVOLVED

    - Found the original bug by fuzzing
    - Wrote a proof-of-concept exploit
    - Wrote a DEP-resistant exploit
    - Weaponized the exploit
    - Created post-exploitation framework
    - Sponsored the attacks
    - Administered deployment
  33. HOW MUCH DO I SPEND ON DEFENSE X?

    HOW MUCH DOES AN ATTACKER HAVE TO SPEND TO BYPASS X?
    HOW MUCH IS DEFENSE X ACTUALLY WORTH TO ME?
    WHAT IS BYPASSING DEFENSE X WORTH TO AN ATTACKER?