вторник, 14 мая 2013 г.

On PHDays 2013 I will speak about Dynamic detection of shell code in electronic documents

On PHDays 2013 FastTrack I will speak about Dynamic detection of shell code in electronic documents

The past few years show frequent use of e-mail messages with electronic documents containing exploits. Attackers use this technique to enlarge botnets or to spy on the industrial secrets of an organization. The report will describe dynamic detection of shellcode in electronic documents without signature analysis to enhance security of employees engaged in document flow. A zero-day vulnerability detected in Yandex.Browser will be used to demonstrate how the software use can decrease incident response time spent by the information security service of a company.

My speech will be on Russian, but I'll try to create slides on English.


My speech based on this article (in Russian)

We tested our programm on:
> 20 000 *.pdf files (was opened in Adobe Reader 9-11, Foxit Reader 3-6, Google Chrome, Yandex.Browser)
> 10 000 *.doc, *.docx, *.rtf files (was opened in MS Word 2003, 2007, Libre Office 4.0)
OS Win XP, Win 7

We'he found:

Some APT attacks with some known CVE (CVE-2012-0158 and some else) for MS Word 2003, 2007

Vulnerability on Yandex.Browser (must fixed in latest version, but I didn't check it at this time)

Many crashes on many programs, that we still researching.

Original message on Russian

четверг, 10 января 2013 г.

Russian researcher found 0day vulnerability on Firefox 18 and Opera 12.12

 Russian researcher found 0day vulnerability on Firefox 18 and Opera 12.12

Attacker can read  arbitrary file on victim host. Vulnerability is not sensitive for OS type. It must work on Windows, Linux etc.

The researcher announced about social engineering way to use this vulnerability. Attacker gives a link. A victim must save evil html-page into local computer. And then open saved evil html-page via victim browser (Firefox or Opera).

воскресенье, 23 декабря 2012 г.

Bypass proactive protection in Agnitum Outpost Security Suite. Full video demonstration.

 I have previously reported without technical details

Here is a video demonstration with technical details.


 Vulnerable: Agnitum Outpost Security Suite v 7.5.3 (3942.608.1810); other versions may also be affected.
Fixed in version 8.0 (4164.652.1856)

This video demonstration was first shown on zeroday show (ZeroNights conference 2012).


We can use Windows Lock to bypass proactive protection.


If you want to automate use bat-file below

start 1.exe
ping 127.0.0.1 -n 10 -w 10000 > NULL & rundll32.exe user32.dll,LockWorkStation


Original post in Russian

четверг, 20 декабря 2012 г.

Russian researcher found 0day vulnerability on Windows XP\Vista\7


Russian researcher found 0day vulnerability on Windows XP\Vista\7 (doesn't work on Windows 8). This vulnerability has much in common with
CVE-2010-2568 aka (StuxNet used it). At this time we do not know if is it possible to use this vulnerability as an autorun like Stuxnet use lnk-files on usb stick (some people believe it's possible).

The researcher announced only about social engineering way. Attacker must give evil DLL-file to victim and victim must point this DLL-file as source of icons for some folder (see image below):



Video demonstration

вторник, 2 октября 2012 г.

Bypass proactive protection in Agnitum Outpost Security Suite. Video demonstration.

Original post in Russian

Workflow:

1. Check that the driver is not present in the system directory (by trying to open it in notepad)
2. Run the exploit. You are prompted to install the driver of Outpost Security Suite. Inactivity (i.e., do not agree)
3. Try to open driver file via notepad again and voila: the driver is installed!

Vulnerable: Agnitum Outpost Security Suite v 7.5.3 (3942.608.1810); other versions may also be affected.

Technical details won't be disclosed until I contact with Agnitum staff.

Video:

суббота, 25 августа 2012 г.

Bypass proactive protection in Kaspersky Anti-Virus. Video demonstration.

Workflow:

1. Check that the driver is not present in the system directory (trying to open it in notepad)
2. Run the exploit. You are prompted to install the driver of Kaspersky. Inactivity (ie, do not agree)
3. Try to open driver file via notepad again and voila: the driver is installed!

Vulnerable: Kaspersky Crystal 12.0.1.228, KIS/KAV 2012, KIS/KAV 2011; other versions may also be affected.

Technical details won't be disclosed until I contact with Kaspersky Lab staff.


Original post in Russian