The Dynamite of Next Generation (Y) Attack

Description

The Hacker Secret #2: The Dynamite of Next Generation (Y) Attack focuses on client-side exploitation through software bugs, the latest Windows vulnerabilities, etc.

Transcript of The Dynamite of Next Generation (Y) Attack

Page 1: The Dynamite of Next Generation (Y) Attack

The Dynamite of Next Generation (Y) Attack

Prathan Phongthiproek (Lucifer@CITEC)
Senior Information Security Consultant

ACIS Professional Center

Page 2

Who am I?

CITEC Evolution
Code Name “Lucifer”, Moderator, Speaker
Instructor: Web Application (In)Security 101
Instructor: Mastering in Exploitation

ACIS Professional Center
Red Team: Penetration Tester
Instructor / Speaker
Security Consultant / Researcher

Founder of CWH Underground Hacker
Exploits, Vulnerabilities, Papers Disclosure

Milw0rm, Exploit-db, Security Focus, Secunia, Zeroday, etc.
http://www.exploit-db.com/author/?a=1275

Page 3

Let’s Talk!?

Next Generation (Y) Attack from Software holes

Latest Microsoft Windows system vulnerabilities

Stuxnet Worm From USB

Page 4

Next Generation (Y) Attack from Software holes

Page 5

Malicious PDF

Still Hot!!!

Page 6

Malicious PDF

Adobe Collect Email Info

Adobe GetIcon

Adobe Jbig2Decode

Adobe UtilPrintf

Adobe U3D Mesh Declaration

Adobe PDF Embedded EXE (Affects Adobe Reader < 9.4 and Foxit)

Adobe CoolType SING (Affects Adobe Reader < 9.4)

Adobe to implement Reader Sandbox on version 9.4+

Page 7

Malicious PDF – Attack via MetaData

Page 8

Malicious PDF – Open PDF file

Page 9

Malicious PDF – Bypass Antivirus

Malicious PDF File

Page 10

Malicious PDF – Disable JavaScript

Page 11

PDF Embedded EXE Exploit

Page 12

Web Browser Vulnerabilities

Page 13

Web Browser Vulnerabilities

Google Chrome still secure !!

IE / Firefox / Safari still PWNED !!

ActiveX Controls and Java Applets still the TOP hit for attacks!!

Web Browser Toolbar coming with other software

Using Heap Spraying via JavaScript

Focus on Client-Side Exploitation

Page 14

Web Browser Vulnerabilities - IE

IE DHTML Behaviors Use After Free

IE Tabular Data Control ActiveX Memory Corruption

IE Winhlp32.exe MsgBox Code Execution

Zero-Day: IE 6/7/8 CSS SetUserClip Memory Corruption (mshtml.dll) – No DEP/ASLR

Page 15

Web Browser Vulnerabilities - Toolbars

Page 17

Web Browser Vulnerabilities – Drive By Download Attack

Page 18

Web Browser Vulnerabilities – Drive By Download Attack

Page 19

Web Browser Vulnerabilities – Drive By Download Attack

Page 20

Web Browser Vulnerabilities – Drive By Download Attack

All IE versions: ActiveX and Add-ons

Page 21

Web Browser Vulnerabilities – Drive By Download Attack

Affects all browsers

W00T W00T!!

Page 22

Drive By Download Attack via JavaApplet

Page 23

Latest Microsoft Windows system vulnerabilities + Stuxnet Worm From USB

Page 24

MS Shortcut (LNK) Exploit

MS Windows Shell Could Allow Remote Code Execution

Uses DLL Hijacking techniques for exploitation

Affects every release of the Windows NT kernel (2000, XP, Server 2003, Vista, Server 2008, 7)

Patch released as MS10-046 on August 24 2010

Attack Layer 8 – Client-Side Exploitation

New Generation of Targeted Attacks – Stuxnet Worm

Stuxnet Worm – First attack on SCADA systems and Iran's nuclear reactor, via USB and file shares, using zero-day Windows vulnerabilities

Stuxnet abused the AutoRun feature to spread (just open it)

Page 25

Stuxnet Worms

MS Server Service Code Execution MS08-067 (Conficker worms)

MS SMBv2 Remote Code Execution MS09-050

MS Shortcut (LNK) Vulnerability MS10-046

MS Print Spooler Service Code Execution MS10-061

MS Local Ring0 Kernel Exploit MS10-015

MS Keyboard Layout File MS10-073

Zero Day – MS Task Scheduler

Page 26

Latest Zero Day – MS Local Kernel Exploit (Win32k.sys)

MS Windows Local Kernel Exploit

Zero Day until now!! – Still no patch…

Affects every release of the Windows NT kernel (2000, XP, Server 2003, Vista, Server 2008, 7)

Elevates privilege from USER to SYSTEM

The exploit takes advantage of a bug in Win32k.sys

Bypasses User Account Control (UAC)

Get The Hell Outta Here!!

Page 27

Latest Attack Methodology

Page 28

MS Shortcut (LNK) Exploit

Page 29

Thank you

It’s not the END!!

See you tomorrow in “Rock'n Roll in Database Security”