Hinn blákaldi sannleikur maður er alltaf óöruggur

Rich Smith
February 08, 2013

A talk I gave with Syndis co-founder Ýmir Vigfússon at UTMessan 2013 in Reykjavík, Iceland, where we discuss the value of using offensive techniques to inform good defense.
The title roughly translates to 'The ice cold truth of the fact that one is always insecure' :)

Transcript

  1. Understanding a real-world attack
     Bug seen exploited in the wild in December 2012
     - Hacked the Council of Foreign Affairs
     - Fully patched Windows 7
     - Internet Explorer 8.0
     - Java 1.6
     - DEP memory protection
     We will demonstrate and explain our exploit: CVE-2012-4792
     A REAL-WORLD ATTACK
  2. Under the hood
     div element, form element, button
     Use after free
     appendChild
     Used by the system: 0c0c0c0c
     CVE-2012-4792
     Analogy: 8256443
  3. [Slide graphic: hex dump of computer memory used by the system, with the value 0c0c0c0c (0x0c0c0c0c) repeated throughout]
     The system trusts the reference; therefore, the system executes
  4. [Slide graphic: the same memory dump, with a region labelled Data Execution Prevention]
     Defeated by Return-Oriented Programming (ROP)
     ROP exploit relies entirely on existing code!
     0x0c0c0c0c
  5. ATTACKS ARE INVOLVED
     - Found the original bug by fuzzing
     - Wrote a proof-of-concept exploit
     - Wrote a DEP-resistant exploit
     - Weaponized the exploit
     - Created post-exploitation framework
     - Sponsored the attacks
     - Administered deployment
  6. HOW MUCH DO I SPEND ON DEFENSE X?
     HOW MUCH DOES AN ATTACKER HAVE TO SPEND TO BYPASS X?
     HOW MUCH IS DEFENSE X ACTUALLY WORTH TO ME?
     WHAT IS BYPASSING DEFENSE X WORTH TO AN ATTACKER?