recon2015
Recon 2015
2015-06-19
2015-06-21
3
00:15
2015-06-19T08:00:00-04:00
08:00
01:30
Grand Salon
recon2015_-_61_-__-_grand_salon_-_201506190800_-_registration
false
Registration
other
2015-06-19T09:30:00-04:00
09:30
00:30
Grand Salon
recon2015_-_62_-_en_-_grand_salon_-_201506190930_-_opening_ceremony
false
Opening Ceremony
lecture
en
2015-06-19T10:00:00-04:00
10:00
01:00
Grand Salon
recon2015_-_35_-_en_-_grand_salon_-_201506191000_-_totally_spies_-_joan_calvet_-_marion_marshalek_-_paul_rascagneres
false
Totally Spies!
A Tour in Espionage Cartoons
lecture
en
For some months now, there have been rumors of cartoon-named malware employed in espionage operations. It actually started in March 2014 with a set of slides leaked from the Communications Security Establishment Canada (CSEC), Canada's equivalent of the NSA. CSEC then described to its spook friends a malware dubbed Babar by its authors, which they attributed "with moderate certainty" to a French intelligence agency.
The group behind Babar is now commonly referred to as "AnimalFarm" in the antimalware industry, because Babar was only a small piece of a much bigger puzzle.
Since the CSEC slides' publication, a group of valorous adventurers, animated by the thrill of understanding complex malware operations, has been relentlessly following AnimalFarm's trail. Along its path, this group found several pieces of AnimalFarm's arsenal, for example stealthy Casper, exotic Bunny and even big-eared Babar itself.
This presentation aims at presenting the results of this group's research. In particular, we will provide a global picture of AnimalFarm's operations, and also delve into the technical quirks of their malware. We will also explain how we assessed the connection between their various pieces of software from a code reverse-engineering perspective, and what technical hints we found regarding attribution.
Joan Calvet
Marion Marschalek
Paul Rascagnères
2015-06-19T11:00:00-04:00
11:00
01:00
Grand Salon
recon2015_-_32_-_en_-_grand_salon_-_201506191100_-_abusing_silent_mitigations_-_brian_gorenc_-_simon_zuckerbraun_-_abdul-aziz_hariri
false
Abusing Silent Mitigations
Understanding weaknesses within Internet Explorer's Isolated Heap and MemoryProtection
lecture
en
In the summer of 2014, Microsoft silently introduced two new exploit mitigations into Internet Explorer with the goal of disrupting the threat landscape. These mitigations increase the complexity of successfully exploiting a use-after-free vulnerability. June's patch (MS14-035) introduced a separate heap, called Isolated Heap, which handles most of the DOM and supporting objects. July's patch (MS14-037) introduced a new strategy called MemoryProtection for freeing memory on the heap.
This talk covers the evolution of the Isolated Heap and MemoryProtection mitigations, examines how they operate, and studies their weaknesses. It outlines techniques and steps an attacker must take to attack these mitigations to gain code execution on use-after-free vulnerabilities where possible. It describes how an attacker can use MemoryProtection as an oracle to determine the address at which a module will be loaded to bypass ASLR. Finally, additional recommended defenses are laid out to further harden Internet Explorer from these new attack vectors.
Brian Gorenc
Simon Zuckerbraun
Abdul-Aziz Hariri
2015-06-19T12:00:00-04:00
12:00
01:00
Grand Salon
recon2015_-_63_-__-_grand_salon_-_201506191200_-_lunch_-_location_soprano_rooms
false
Lunch - Location: Soprano Rooms
The Soprano rooms are located on the 4th floor of the hotel.
other
2015-06-19T13:00:00-04:00
13:00
00:30
Grand Salon
recon2015_-_53_-_en_-_grand_salon_-_201506191300_-_finish_him_-_exide
false
Finish Him!
Reversing Midway Arcade Audio With DeDCS
lecture
en
For a decade from the early 90's to the early 2000's, Williams' Digital Compression System (DCS) audio hardware reigned supreme in arcades and casinos, providing amazing sounding music, voice-overs, and effects, blowing competing systems out of the water.
This talk will reverse the DSP hardware, firmware, and algorithms powering the DCS audio compression system, used on Midway coin-ops and Williams/Bally pinballs, like Mortal Kombat II/3/4, Killer Instinct 1/2, Cruis'n USA, and Indiana Jones, among others.
A tool called DeDCS will be presented, which can extract, decompress, and convert the proprietary compressed audio data from a DCS game's sound ROMs into regular WAV format, taking you back to '92, when you tossed that first quarter into MKII, and Shao Kahn laughed in your face...
exide
2015-06-19T13:30:00-04:00
13:30
00:30
Grand Salon
recon2015_-_49_-_en_-_grand_salon_-_201506191330_-_radare2_building_a_new_ida_-_jeffrey_crowell_-_julien_voisin
false
Radare2, building a new IDA
Creating an open source reverse engineering ecosystem.
lecture
en
We will present radare2, a free, LGPL-licensed, modular reverse engineering framework. The focus will be on specific usage examples (embedded systems, CTF), and the future plans for the project.
Jeffrey Crowell
Julien Voisin
2015-06-19T14:00:00-04:00
14:00
01:00
Grand Salon
recon2015_-_22_-_en_-_grand_salon_-_201506191400_-_this_time_font_hunt_you_down_in_4_bytes_-_peter_hlavaty_-_jihui_lu
false
This Time Font hunt you down in 4 bytes
lecture
en
In our recent work we also targeted win32k, which seems to be a fruitful target. @promised_lu built our own TTF fuzzer, which produced a bunch of results in the form of gigabytes of crashes and various bugs. Fortunately Windows did great work and in February most of our bugs were dead (patched), but not all of them…
What was left looked like seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check them out, and finally combined them with our user mode bug & EMET bypass. Through IE & Flash we broke down the system and pointed out weak points in the defensive mechanisms.
In this talk we will present our research dedicated to the pwn2own event this year. We will describe the kernel part of the exploit in detail, including the bug description, the resulting memory corruption conditions & caveats, up to the final pwn via one of our TTF bugs.
Throughout the talk we will describe how to break various exploit mitigations in the Windows kernel and why it is possible. We will introduce novel kernel exploitation techniques breaking everything that stands in the way { KASLR, SMEP, even imaginary SMAP or CFG } and bring you SYSTEM exec (from kernel driver to system calc).
Peter Hlavaty
Jihui Lu
2015-06-19T15:00:00-04:00
15:00
00:30
Grand Salon
recon2015_-_29_-_en_-_grand_salon_-_201506191500_-_exploiting_out-of-order-execution_-_sophia_d_antoine
false
Exploiting Out-of-Order-Execution
Processor Side Channels to Enable Cross VM Code Execution
lecture
en
Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities inherent to systems which share hardware resources will become increasingly attractive targets to malicious software authors.
This talk first presents a classification of the possible cloud-based side channels which use hardware virtualization. Additionally, a novel side channel exploiting out-of-order-execution in the CPU pipeline is described and implemented.
Finally, this talk will show constructions of several adversarial applications and demo two. These applications are deployed across the novel side channel to prove the viability of each exploit. We then analyze successful detection and mitigation techniques of the side channel attacks.
Sophia D'Antoine
2015-06-19T15:30:00-04:00
15:30
00:30
Grand Salon
recon2015_-_67_-__-_grand_salon_-_201506191530_-_coffee_break
false
Coffee Break
other
2015-06-19T16:00:00-04:00
16:00
01:00
Grand Salon
recon2015_-_59_-_en_-_grand_salon_-_201506191600_-_polyglots_and_chimeras_in_digital_radio_modes_-_travis_goodspeed_-_sergey_bratus
false
Polyglots and Chimeras in Digital Radio Modes
Featuring Practical Matryoshka Protocols for a 21st Century Numbers Station
lecture
en
Ah Matryoshkas, who doesn't like these Russian nesting dolls? But why should the fun of chimeric nesting be limited to just application formats? It is possible to design PHY-layer digital modulation protocols that (1) are backward compatible with existing standards and (2) discreetly contain additional information for reception by those who know the right tricks. When properly designed, these polyglot protocols look and sound much like the older protocols, causing an eavesdropping Eve to believe she has sniffed the contents of a transmission when in fact a second, hidden message is hitching a ride on the transmission. Mallory, on the other hand, may use these protocols-in-protocols to smuggle long Russian stories to all who will listen!
This fine technical lecture by two neighborly gentlemen describes techniques for designing polyglot modulation protocols, as well as concrete examples of such protocols that are fit for use in international shortwave radio communication.
Travis Goodspeed
Sergey Bratus
2015-06-19T17:00:00-04:00
17:00
00:30
Grand Salon
recon2015_-_20_-_en_-_grand_salon_-_201506191700_-_towards_transparent_dynamic_binary_instrumentation_using_virtual_machine_introspection_-_julian_kirsch
false
Towards Transparent Dynamic Binary Instrumentation using Virtual Machine Introspection
lecture
en
The idea is simple enough: binary instrumentation as done by DynamoRIO and PIN can easily be detected and evaded by malicious binaries, as proven at last year's Black Hat USA by Li et al. [3]. To overcome this limitation I've built yet another prototype which uses virtual machine introspection techniques to do the instrumentation. Once the execution of a binary within a VM reaches the point where instrumented code should be executed, the following happens: first, the VM is stopped, and the instrumented code is injected into a new page within the guest. Afterwards the current execution context of the inspected binary is saved, and the instruction pointer is set to the code on the new page, executing the instrumentation callback. Once the callback finishes, the saved execution context of the guest is restored by the hypervisor and the instrumented binary continues along its normal execution path. This makes the instrumentation much harder to detect (the only way I can think of is timing attacks) at the cost of instrumentation granularity. The system is surprisingly easy to use in practice: the user programs a callback function normally in C while still being able to access the whole execution context of the instrumented binary via pointers; if the ABI of the host and the guest OS match, it is even possible to make calls to libc functions. A compiled (a matter of typing "make") callback function can then be triggered by the system when reading/writing a certain memory location, once execution reaches a certain point, or on each basic block. This is much less than PIN, DynamoRIO and others can do but suffices for most cases in which you have to deal with heavily obfuscated code.
I've also successfully used the system to generate function call traces of a binary and to perform a timing attack on several poorly implemented software protection schemes (yes, this reads as "automatically bruteforcing a license key/CTF flag/whatever program input character by character").
In the presentation I'd explain the inner workings of the prototype and show some nice applications to real world and CTF code.
Julian Kirsch
2015-06-20T10:00:00-04:00
10:00
01:00
Grand Salon
recon2015_-_60_-_en_-_grand_salon_-_201506211000_-_attacking_and_defending_bios_in_2015_-_yuriy_bulygin_-_mikhail_gorobets_-_andrew_furtak_-_oleksandr_bazhaniuk_-_alexander_matrosov_-_mickey_shkatov
false
Attacking and Defending BIOS in 2015
lecture
en
In this presentation we will demonstrate multiple types of recently discovered BIOS vulnerabilities. We will detail how hardware configuration is restored upon resume from sleep and how BIOS can be attacked when waking up from sleep using "S3 resume boot script" vulnerabilities. Similarly, we will discuss the impact of insufficient protection of persistent configuration data in non-volatile storage and more. We'll also describe how to extract contents of SMRAM using above vulnerabilities and advanced methods such as Graphics aperture DMA to further perform analysis of the SMM code that would otherwise be protected. Additionally, we will detail "SMI input pointer" and other new types of vulnerabilities specific to SMI handlers. Finally, we will describe how each class of issues is mitigated as a whole and introduce new modules to CHIPSEC framework to test systems for these types of issues.
Yuriy Bulygin
Mikhail Gorobets
Andrew Furtak
Oleksandr Bazhaniuk
Alexander Matrosov
Mickey Shkatov
2015-06-20T11:00:00-04:00
11:00
01:00
Grand Salon
recon2015_-_15_-_en_-_grand_salon_-_201506201100_-_0x3e9_ways_to_die_-_yaniv_balmas
false
'0x3E9 Ways to DIE'
Introducing Dynamic IDA Enrichment framework (a.k.a DIE)
lecture
en
Over the years many attempts have been made to combine static and dynamic analysis results. Some were good, others were bad, but the fact is that those two approaches still remain mostly separated, as most analysis tools focus on only one of them.
For many years, this lack of integration and mental passing of data between static and dynamic tools has caused lot of frustration among researchers.
This was the main motivation in creating DIE.
DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives the researcher access to runtime values from within his standard disassembler screen.
As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values.
With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more (and the list keeps on growing). All of this happens without the researcher ever leaving his comfortable disassembler screen.
Even better, as DIE is tightly coupled with IDA, it will basically support any architecture, data type or signature supported by IDA.
DIE currently has a small but well-respected community of contributors. Starting with the alpha version, DIE users have been able to cut their research time by 20%-40%. As complex reverse engineering tasks may take several weeks or even several months to complete, DIE has already proved to be a valuable resource and a prominent part of the researcher's toolkit.
My talk introduces DIE for the very first time to the research community. I explain the basic idea behind DIE, describe its architecture, and show live examples of how to use its extensive plugin framework to speed up the research process. The talk includes *live examples* which have been carefully selected from real research projects in various security fields and demonstrate how DIE can be used to speed up bypassing software protections, unpack malware, and super-quickly locate malware de-obfuscation functions.
Yaniv Balmas
2015-06-20T12:00:00-04:00
12:00
01:00
Grand Salon
recon2015_-_64_-__-_grand_salon_-_201506201200_-_lunch_-_location_soprano_rooms
false
Lunch - Location: Soprano Rooms
The Soprano rooms are located on the 4th floor of the hotel.
other
2015-06-20T13:00:00-04:00
13:00
01:00
Grand Salon
recon2015_-_25_-_en_-_grand_salon_-_201506201300_-_introducing_pcbre_-_david_carne
false
Introducing PCBRE
An open source PCB reverse-engineering suite
lecture
en
PCB reverse engineering is the process of taking a physical Printed Circuit Board, extracting the electrical connectivity between components, and analyzing the overall circuit to understand its function. This can be, and often is, done by a dedicated person equipped with a multimeter, or by abusing Photoshop, GIMP or Inkscape. These techniques are error-prone and tedious, and take far longer than one wants!
This talk introduces the creatively-named PCBRE toolsuite, an open-source integrated software package for automation of certain PCB Reverse Engineering tasks. This talk will cover the tool itself, the techniques in use within the tool, and what you as a reverser can use the software for.
In addition, this talk will cover a number of related areas:
- reverse-engineering for different goals (firmware extraction, security analysis, preservation, re-engineering)
- reversing complex systems in a time and cost effective manner
- assessing security properties of complex systems from a hardware perspective
- how to acquire high-quality images of printed circuit boards
To wrap up, I will demo PCBRE on a piece (or two, time allowing) of *mystery* hardware to illustrate how software like this can help you go after real systems.
David Carne
2015-06-20T14:00:00-04:00
14:00
01:00
Grand Salon
recon2015_-_48_-_en_-_grand_salon_-_201506201400_-_hooking_nirvana_-_alex_ionescu
false
Hooking Nirvana
Stealthy Instrumentation Techniques for Windows 10
lecture
en
In this talk we will cover 5 novel instrumentation techniques that all rely on deep Windows Internals: AVRF Hooking, MinWin Hooking, Shim Hooking, Nirvana Hooking, and CFG Hooking. We will start by describing the intended use of these technologies in Windows and what their normal use cases and scenarios are, followed by explanations and demonstrations on how to abuse them to do your bidding. In turn, we will detail how to detect each of them from a defensive perspective, contrasting current hook detection methods and their inability to pick up on these techniques. These hooking techniques can be leveraged for code obfuscation, dynamic binary instrumentation, implementing stealthy hiding techniques and more.
Alex Ionescu
2015-06-20T15:00:00-04:00
15:00
00:30
Grand Salon
recon2015_-_31_-_en_-_grand_salon_-_201506201500_-_glitching_and_side-channel_analysis_for_all_-_colin_o_flynn
false
Glitching and Side-Channel Analysis for All
lecture
en
The super-cool area of side-channel power analysis and glitching attacks covers devious methods of breaking embedded devices. Recent presentations (such as at RECON 2014) have shown that these attacks are possible even with lower-cost hardware, but they still require a fair amount of hardware setup and experimentation. But we can do better.
This presentation sums up the most recent advances in the open-source ChipWhisperer project, which aims to bring side channel power analysis and fault injections into a wider realm than ever before. It provides an open-source base for experimentation in this field. The ChipWhisperer project won 2nd place in the Hackaday Prize in 2014, and in 2015 an even lower-cost version of the hardware was released, costing approximately $200.
Attacks on real physical devices are demonstrated, including AES peripherals in microcontrollers, Raspberry Pi devices, and more. All of the attacks can be replicated with standard lab equipment; the demos here will use the open-source ChipWhisperer hardware, but it's not required for your experimentation.
Colin O’Flynn
2015-06-20T15:30:00-04:00
15:30
00:30
Grand Salon
recon2015_-_68_-__-_grand_salon_-_201506201530_-_coffee_break
false
Coffee Break
other
2015-06-20T16:00:00-04:00
16:00
01:00
Grand Salon
recon2015_-_55_-_en_-_grand_salon_-_201506201600_-_the_m_o_vfuscator_-_christopher_domas
false
The M/o/Vfuscator
Turning 'mov' into a soul-crushing RE nightmare
lecture
en
Based on a paper that proves that the "mov" instruction is Turing complete, the M/o/Vfuscator takes source code and compiles it into a program that uses *only* mov instructions - no comparisons, no jumps, no math (and definitely no SMC cheating) - turning the program into one of the most painfully difficult reverse engineering targets you will ever encounter.
Christopher Domas
2015-06-20T17:00:00-04:00
17:00
00:30
Grand Salon
recon2015_-_7_-_en_-_grand_salon_-_201506201700_-_building_a_better_bluetooth_attack_framework_-_chris_weedon
false
Building a Better Bluetooth Attack Framework
Ubertooth attack and injection tool suite
lecture
en
Bluetooth attacks have been around for some time. Previously we did everything from hack and flash our own dongles, to pay out the nose for professional solutions. But then came the Ubertooth! When the Ubertooth was released, a light in the Bluetooth pentesting tunnel was finally seen... or was it? The Ubertooth, in its current state, lacks several key features that are necessary to make it the ultimate Bluetooth pentest device. This talk focuses on those short-comings, why they matter, and will drop the code to overcome them.
Chris Weedon
2015-06-21T10:00:00-04:00
10:00
01:00
Grand Salon
recon2015_-_9_-_en_-_grand_salon_-_201506201000_-_understaning_the_microsoft_office_protected-view_sandbox_-_yong_chuan_koh
false
Understanding the Microsoft Office Protected-View Sandbox
lecture
en
The first part of this talk will sketch the Protected-View sandbox internals by discussing its architecture, its initialization sequence and the system resource restrictions. The second part will discuss the Inter-Process Communication (IPC) mechanism, including the mode of communication, the undocumented objects involved, the format of IPC messages and the semantics of selected IPC messages.
Yong Chuan, Koh
2015-06-21T11:00:00-04:00
11:00
01:00
Grand Salon
recon2015_-_43_-_en_-_grand_salon_-_201506211100_-_pandora_s_cash_box_the_ghost_under_your_pos_-_nitay_artenstein_-_shift_reduce
false
Pandora's Cash Box: The Ghost Under Your POS
lecture
en
We're all used to seeing the ubiquitous cash drawer - that steel box, usually under the point-of-sale terminal, which holds the money received from sales - without giving it a second thought. But in recent years, the cash drawer has imploded in complexity into a full-blown appliance: From USB and Bluetooth support to on-board accounting and verification firmware, this innocuous box has quietly turned itself into a central component of the POS.
And unsurprisingly, the security of these devices has not improved in lockstep with their feature set.
In this talk, we will take apart the design and features of a modern cash drawer, and show why these devices are the proverbial chink in the armour of a POS system. We will discuss how we reverse engineered the firmware and the proprietary protocols used by several cash drawer models, and provide the tools for other reversers interested in following up. Finally, we will demonstrate how, by exploiting several security and design vulnerabilities, we can cause cash to disappear without a trace from a targeted business.
Nitay Artenstein
Shift Reduce
2015-06-21T12:00:00-04:00
12:00
01:00
Grand Salon
recon2015_-_65_-__-_grand_salon_-_201506211200_-_lunch_-_location_soprano_rooms
false
Lunch - Location: Soprano Rooms
The Soprano rooms are located on the 4th floor of the hotel.
other
2015-06-21T13:00:00-04:00
13:00
01:00
Grand Salon
recon2015_-_1_-_en_-_grand_salon_-_201506211300_-_from_silicon_to_compiler_-_andrew_zonenberg
false
From Silicon to Compiler
Reverse-Engineering the CoolRunner-II Bitstream Format
lecture
en
Programmable logic devices have historically been locked up behind proprietary vendor toolchains and undocumented firmware formats, preventing the creation of a third-party compiler or decompiler. While the vendor typically prohibits reverse engineering of their software in the license agreement, no such ban applies to the silicon. Given the choice between REing gigabytes of spaghetti code and looking at clean, regular die layout, the choice is clear.
This talk describes my reverse engineering of the Xilinx XC2C32A, a 180nm 32-macrocell CPLD, at the silicon level and my progress toward a fully open-source toolchain (compiler, decompiler, and floorplanner) for the device. A live demonstration of firmware generated by my tools running on actual hardware is included.
Andrew Zonenberg
2015-06-21T14:00:00-04:00
14:00
01:00
Grand Salon
recon2015_-_42_-_en_-_grand_salon_-_201506211400_-_reversing_the_nintendo_64_cic_-_mike_ryan_-_john_mcmaster_-_marshall_hecht
false
Reversing the Nintendo 64 CIC
Reversing a 20 year old copy protection chip
lecture
en
This presentation covers our successful efforts to reverse engineer and clone the Nintendo 64's copy protection chip: the N64 CIC. We describe the processes and techniques we used to finally conquer this chip, nearly 20 years after its introduction.
Nintendo's NES, Super NES, and Nintendo 64 used a series of copy protection chips known as CICs. As the consoles grew more sophisticated, so did the chips. While the NES and Super NES CICs have been cracked and cloned, up until recently the Nintendo 64's has remained an elusive target.
Our team approached this chip by exposing the die (decapping) and optically imaging it, including its mask ROM. Through visual inspection we determined the CPU core and instruction set, and we were able to extract the program code from the mask ROM. We wrote an emulator on PC and ultimately cloned the chip on a PIC microcontroller.
Mike Ryan
John McMaster
marshallh
2015-06-21T15:00:00-04:00
15:00
00:30
Grand Salon
recon2015_-_17_-_en_-_grand_salon_-_201506211500_-_reverse_engineering_windows_afd_sys_-_steven_vittitoe
false
Reverse Engineering Windows AFD.sys
Uncovering the Intricacies of the Ancillary Function Driver
lecture
en
What happens when you make a socket() call in Windows? This presentation will briefly walk through the rather well documented winsock user mode framework before diving into the turmoil of ring 0. There is no map to guide us here. Our adventure will begin where MSDN ends and our first stop along the way is with an IOCTL to AFD.sys, or the awkwardly named ancillary function driver.
This driver is of particular interest because it is so widely used and yet most people that use it do not even know it exists. Nearly every Windows program managing sockets depends on this driver. Even more interesting is that the device created by AFD.sys is accessible from every sandbox Google Project Zero looked at. In fact, there isn't even support to restrict access to this device until Windows 8.1.
Staying true to Windows style, AFD.sys is a complex driver with over 70 reachable IOCTLs and support for everything from SAN to TCP. It is no wonder that this driver weighs in at 500KB. This complexity combined with accessibility breeds a robust ring 0 attack surface. Current fuzzing efforts will also be shared in this presentation, and by the time we are done you should have a good idea of what happens when making a socket() call without having to spend hours in IDA to figure it out.
Steven Vittitoe
2015-06-21T15:30:00-04:00
15:30
00:30
Grand Salon
recon2015_-_69_-__-_grand_salon_-_201506211530_-_coffee_break
false
Coffee Break
other
2015-06-21T16:00:00-04:00
16:00
01:00
Grand Salon
recon2015_-_50_-_en_-_grand_salon_-_201506211600_-_one_font_vulnerability_to_rule_them_all_-_mateusz_j00ru_jurczyk
false
One font vulnerability to rule them all
A story of cross-software ownage, shared codebases and advanced exploitation
lecture
en
Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild.
Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs.
In this presentation, we will outline the current state of the art with regards to font security research, followed by an in-depth analysis of the root cause and reliable exploitation process of a number of recently discovered vulnerabilities, including several full exploit chains. In particular, we will demonstrate how a universal PDF file could be crafted to fully compromise the security of a Windows 8.1 x86/x64 operating system via just a single vulnerability found in both Adobe Reader and the Adobe Type Manager Font Driver used by the Windows kernel.
Mateusz "j00ru" Jurczyk
2015-06-21T17:00:00-04:00
17:00
00:30
Grand Salon
recon2015_-_66_-_en_-_grand_salon_-_201506211700_-_closing_ceremony
false
Closing Ceremony
lecture
en