Abusing Adobe Reader’s JavaScript APIs
CODE BLUE 2015
Brian Gorenc, Manager, Vulnerability Research
AbdulAziz Hariri, Security Researcher
Agenda
• Introduction
• Understanding the Attack Surface
• Vulnerability Discovery
• Constructing the Exploit
Introduction
Introduction
HP Zero Day Initiative
AbdulAziz Hariri - @abdhariri
Security Researcher at the Zero Day Initiative
Root cause analysis, vulnerability discovery, and exploit development
Brian Gorenc - @maliciousinput
Head of Zero Day Initiative
Organizer of Pwn2Own Hacking Competitions
Internal research starting in December 2014
Bug Hunters
Patched Vulnerabilities
CVE-2015-5085, CVE-2015-5086, CVE-2015-5090, CVE-2015-5091, CVE-2015-4438, CVE-2015-4447, CVE-2015-4452, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115, CVE-2015-5100, CVE-2015-5111, CVE-2015-4435, CVE-2015-4441, CVE-2015-4445, CVE-2015-3053, CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3054, CVE-2015-3056, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064, CVE-2015-3069, CVE-2015-3060, CVE-2015-3062
Unpatched Vulnerabilities
ZDI-CAN-3058, ZDI-CAN-3059, ZDI-CAN-3060, ZDI-CAN-3061, ZDI-CAN-3062, ZDI-CAN-3063, ZDI-CAN-3065, ZDI-CAN-3066, ZDI-CAN-3067, ZDI-CAN-3079, ZDI-CAN-3081, ZDI-CAN-3083, ZDI-CAN-3085, ZDI-CAN-3086, ZDI-CAN-3087, ZDI-CAN-3088, ZDI-CAN-3089, ZDI-CAN-3090, ZDI-CAN-3091, ZDI-CAN-3068, ZDI-CAN-3069, ZDI-CAN-3070, ZDI-CAN-3073, ZDI-CAN-3074, ZDI-CAN-3080, ZDI-CAN-3082, ZDI-CAN-3084, ZDI-CAN-3103, ZDI-CAN-3111, ZDI-CAN-3051, ZDI-CAN-3050, ZDI-CAN-3049, ZDI-CAN-3048, ZDI-CAN-3047, ZDI-CAN-3046, ZDI-CAN-3043, ZDI-CAN-3036, ZDI-CAN-3022, ZDI-CAN-3021, ZDI-CAN-2019, ZDI-CAN-3018, ZDI-CAN-3017, ZDI-CAN-3016, ZDI-CAN-3015, ZDI-CAN-2998, ZDI-CAN-2997, ZDI-CAN-2958, ZDI-CAN-2816, ZDI-CAN-2892, ZDI-CAN-2893
…more to come.
Understanding the Attack Surface
Understanding Attack Surface
Prior research and resources
• The life of an Adobe Reader JavaScript bug (CVE-2014-0521) - Gábor Molnár
• First to highlight the JS API bypass issue
• The bug was patched in APSB14-15 and was assigned CVE-2014-0521
• According to Adobe, this could lead to information disclosure
• https://molnarg.github.io/cve-2014-0521/#/
• Why Bother Assessing Popular Software? – MWR Labs
• Highlights various attack vectors on Adobe reader
• https://labs.mwrinfosecurity.com/system/assets/979/original/Why_bother_assessing_popular_software.pdf
Understanding Attack Surface
ZDI Research Stats
• Primary Adobe research started internally in December 2014
• We were not getting many cases in Reader/Acrobat
• Main goal was to kill as many bugs as possible
• Internal discoveries varied in bug type
– JavaScript API Restriction Bypasses
– Memory Leaks
– Use-After-Frees
– Elevation of Privileges
– etc.
Understanding Attack Surface
Insights Into Reader’s JavaScript APIs
• Adobe Acrobat/Reader exposes a rich JS API
• JavaScript API documentation is available on the Adobe website
• A lot can be done through the JavaScript API (Forms, Annotations, Collaboration, etc.)
• Mitigations exist for the JavaScript APIs
• Some APIs defined in the documentation are only available in Acrobat Pro/Acrobat Standard
• Basically, JavaScript APIs are executed in two contexts:
– Privileged Context
– Non-Privileged Context
Understanding Attack Surface
Insights Into Reader’s JavaScript APIs
• Privileged vs. Non-Privileged contexts are defined in the JS API documentation:
• A lot of APIs are privileged and cannot be executed from non-privileged contexts:
Understanding Attack Surface
Insights Into Reader’s JavaScript APIs
• Privileged API warning example from a non-privileged context:
Trusted Functions
Executing privileged methods in a non-privileged context
Understanding Attack Surface
Folder-Level Scripts
• Scripts stored in the JavaScript folder inside the Acrobat/Reader folder
• Used to implement functions for automation purposes
• Contain trusted functions that execute privileged APIs
• By default Acrobat/Reader ships with JSByteCodeWin.bin
• JSByteCodeWin.bin is loaded when Acrobat/Reader starts up
• It is loaded inside Root and exposed to the Doc when a document is opened
Understanding Attack Surface
Decompiling
• JSByteCodeWin.bin is compiled into SpiderMonkey 1.8 XDR bytecode
• JSByteCodeWin.bin contains interesting trusted functions
• Molnarg was kind enough to publish a decompiler for SpiderMonkey
– https://github.com/molnarg/dead0007
– Usage: ./dead0007 JSByteCodeWin.bin > output.js
– Output needs to be prettified
– ~27,000 lines of JavaScript
Vulnerability Discovery
Vulnerability Discovery
JavaScript Implicit Method Calls
Vulnerability Discovery
JavaScript Method/Property Overloading
• __defineGetter__ and __defineSetter__
Vulnerability Discovery
JavaScript Method/Property Overloading
• __proto__
Vulnerability Discovery
Code Auditing for Overloading Opportunities
• Search for ‘eval’
Vulnerability Discovery
Code Auditing for Overloading Opportunities
• Search for ‘app.beginPriv(’
Vulnerability Discovery
Achieving System-Level eval()
• Overload property access with a custom function
Vulnerability Discovery
Executing Privileged APIs
• Replace a property with a privileged function
Vulnerability Discovery
Vulnerability Chaining
• Set up the system-level eval such that it executes the bulk of the payload
• Create the replacement attribute such that it now calls a privileged API
• Trigger the call
Vulnerability Discovery
Proof of Concept – CVE-2015-3073
Normal Behavior
Privilege Escalation Exploit
Vulnerability Discovery
Adobe Reader 11.0.10 – Before Patch
Vulnerability Discovery
Adobe Reader DC – After Patch
Vulnerability Discovery
Recap
• To achieve a JavaScript bypass we need to
• Achieve execution within the system context
• Escalate privileges by overriding an object method
– Must be in a privileged block within a trusted function
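The overloading trick the Vulnerability Discovery slides describe, modelled as an added example that is not part of the talk: a toy privileged/non-privileged split (toyApp, privilegedOp and the trustedSave* helpers are invented names) shows how a getter reached through __defineGetter__ or __proto__ ends up running inside a trusted function's privileged block, and how validating and copying arguments before the equivalent of app.beginPriv closes that hole.

```javascript
// Added example, not code from the talk or from Adobe. A toy model of the
// privileged / non-privileged split in Reader's JavaScript engine, used to
// show why a trusted function that touches caller-supplied objects inside
// its privileged block can be hijacked through getters and implicit method
// calls. toyApp, privilegedOp and the trustedSave* helpers are invented names.

const toyApp = {
  privileged: false,
  beginPriv() { this.privileged = true; },
  endPriv() { this.privileged = false; },
  // Stand-in for a privileged API: refuses calls from the non-privileged context.
  privilegedOp(label) {
    if (!this.privileged) throw new Error("NotAllowedError: Security settings prevent access");
    return "privileged:" + label;
  },
};

// Vulnerable shape (what the talk audits for around app.beginPriv): elevate
// first, then build a string from the caller's object. The "+" implicitly
// invokes the getter or toString of opts.name while the privileged flag is set.
function trustedSaveVulnerable(opts) {
  toyApp.beginPriv();
  try {
    return toyApp.privilegedOp("save " + opts.name);
  } finally {
    toyApp.endPriv();
  }
}

// Hardened shape: inspect the argument without running any caller code,
// snapshot it as a primitive string, and only then elevate. An accessor
// property or one inherited through the prototype chain is rejected.
function trustedSaveHardened(opts) {
  if (opts === null || typeof opts !== "object") throw new TypeError("opts must be an object");
  const desc = Object.getOwnPropertyDescriptor(opts, "name"); // never invokes a getter
  if (!desc || !("value" in desc) || typeof desc.value !== "string") {
    throw new TypeError("opts.name must be an own, plain string property");
  }
  const name = desc.value; // primitive copy: the "+" below calls no caller-controlled code
  toyApp.beginPriv();
  try {
    return toyApp.privilegedOp("save " + name);
  } finally {
    toyApp.endPriv();
  }
}

// Probe: pass each trusted function an object whose getter tries to use the
// privileged API, and record whether that attempt was accepted. shape "own"
// models __defineGetter__ on the object itself, "proto" a getter reached via
// __proto__.
function probe(trusted, shape) {
  const seen = [];
  const getter = function () {
    try { seen.push(toyApp.privilegedOp("from getter")); }
    catch (e) { seen.push("denied"); }
    return "benign.txt";
  };
  const hostile = shape === "proto"
    ? Object.create(Object.defineProperty({}, "name", { get: getter }))
    : Object.defineProperty({}, "name", { get: getter, enumerable: true });
  let result;
  try { result = trusted(hostile); } catch (e) { result = e.constructor.name; }
  return { result, seen };
}

// Outside any trusted function the privileged API stays blocked, which is
// the warning the talk shows for the non-privileged context.
function directCallBlocked() {
  try { toyApp.privilegedOp("direct"); return false; }
  catch (e) { return /NotAllowedError/.test(e.message); }
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [label, fn] of [["vulnerable", trustedSaveVulnerable], ["hardened", trustedSaveHardened]]) {
    for (const shape of ["own", "proto"]) {
      console.log(label, shape, JSON.stringify(probe(fn, shape)));
    }
  }
  console.log("honest caller:", trustedSaveHardened({ name: "report.pdf" }));
}
```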
Constructing the Exploit
Constructing the exploit
Overview
• Research triggered from https://helpx.adobe.com/security/products/reader/apsb14-15.html:
• Challenge: Gain Remote Code Execution through the bypass issue
• We might be able to do that through the JS APIs that we know about
Constructing the exploit
Because documentation sucks…
• We needed to find a way to dump a file on disk
• The file can be of any type (try to avoid restrictions)
• Let’s have a look at the Collab object… through the JS API from Adobe:
Constructing the exploit
“If you want to keep a secret, you must also hide it from yourself.” – G. Orwell
• Of all the 128 undocumented methods, the Collab.uri* family is especially interesting:
Constructing the exploit
“The more you leave out, the more you highlight what you leave in.” - H. Green
• Too good to be true, so I consulted uncle Google before digging more:
Constructing the exploit
Show me what you got...
• Quick overview of the interesting methods:
Constructing the exploit
• Overview of the Collab.uri* APIs:
– The APIs are used for “Collaboration”
– uriDeleteFolder/uriDeleteFile/uriPutData/uriCreateFolder are privileged APIs
– uriEnumerateFiles is NOT privileged
– The Collab.uri* methods take a URI path as an argument (at least)
– The path expected should be a UNC path
– The UNC path should start with smb:// or file://
• The APIs fail to:
– Sanitize the UNC path (smb://localhost/C$/XXX works)
– Check the file type of the filename to be written on disk (in the case of uriPutData)
– Check the content of the oData object to be dumped (in the case of uriPutData)
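The sanitisation this slide says Collab.uriPutData and its siblings lack, written out as an added example (not Adobe's code): the collaboration host allow-list, the extension allow-list and the sample URIs are constructed, and validateCollabTarget is a hypothetical name for the check a file-writing collaboration API should run before touching a path.

```javascript
// Added example, not Adobe's code. It sketches the validation the talk reports
// missing from Collab.uriPutData and its siblings: a write target must name an
// explicitly allowed collaboration server, never the local machine, never an
// administrative share, and only a harmless data file type. The host
// allow-list, the extension allow-list and the sample URIs are constructed.

const ALLOWED_SCHEMES = new Set(["smb"]); // file:// addresses the local disk, so it is never a share
const ALLOWED_EXTENSIONS = new Set(["pdf", "fdf", "xfdf", "xml", "json", "txt"]); // hypothetical
const LOOPBACK_HOST = /^(localhost|127(?:\.\d{1,3}){3}|0\.0\.0\.0|\[?::1\]?)$/i;

function reject(reason) { return { ok: false, reason }; }

// Returns { ok: true } or { ok: false, reason } for a candidate write target.
function validateCollabTarget(uri, allowedHosts) {
  let parsed;
  try { parsed = new URL(String(uri)); } catch (e) { return reject("not a parseable URI"); }
  if (parsed.search || parsed.hash) return reject("query or fragment not allowed");

  const scheme = parsed.protocol.replace(/:$/, "").toLowerCase();
  if (!ALLOWED_SCHEMES.has(scheme)) return reject("scheme not allowed: " + scheme);

  const host = parsed.hostname.toLowerCase();
  if (host === "" || LOOPBACK_HOST.test(host)) return reject("local or empty host: " + (host || "<none>"));
  if (!allowedHosts.has(host)) return reject("host not on collaboration allow-list: " + host);
  if (parsed.username || parsed.password) return reject("credentials embedded in URI");

  // Decode each segment separately so %00 and friends cannot hide inside a name.
  let segments;
  try { segments = parsed.pathname.split("/").slice(1).map(decodeURIComponent); }
  catch (e) { return reject("malformed percent-encoding"); }
  if (segments.length < 2) return reject("need at least a share and a file name");
  for (const seg of segments) {
    if (seg === "" || seg === "." || seg === "..") return reject("empty or dot segment in path");
    if (/[\u0000-\u001f\\:*?"<>|]/.test(seg)) return reject("control or reserved character in path");
  }
  if (segments[0].endsWith("$")) return reject("administrative or hidden share: " + segments[0]);

  const file = segments[segments.length - 1];
  const ext = file.includes(".") ? file.split(".").pop().toLowerCase() : "";
  if (!ALLOWED_EXTENSIONS.has(ext)) return reject("file type not allowed: ." + (ext || "<none>"));
  return { ok: true };
}

// Constructed allow-list and candidates; the first is the path the talk says is accepted today.
const COLLAB_HOSTS = new Set(["collab.example.net"]);
const SAMPLES = [
  "smb://localhost/C$/XXX",
  "file:///C:/anything.pdf",
  "smb://collab.example.net/ADMIN$/notes.pdf",
  "smb://collab.example.net/shared/notes.pdf%00.dll",
  "smb://collab.example.net/shared/loader.dll",
  "smb://other.example.org/shared/notes.pdf",
  "smb://collab.example.net/shared/review.fdf",
];

function checkSamples() {
  return SAMPLES.map((u) => ({ uri: u, ...validateCollabTarget(u, COLLAB_HOSTS) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of checkSamples()) console.log(r.ok ? "ALLOW " : "REJECT", r.uri, r.reason || "");
}
```

Only the last sample passes; every other one trips a different check, which is the point of layering them rather than relying on the scheme prefix alone.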
Constructing the exploit
• What we have so far:
– We can dump files on disk using the Collab.uriPutData() method
– The file contents that we want to dump should be passed as an oData object
– Stream objects do work!
Constructing the exploit
– We can attach files to PDF documents and extract their contents
– We should chain the uriPutData call with one of the bypasses that we discussed earlier
Then what? How can we get RCE? Actually there are two obvious ways...
Constructing the exploit
Gaining RCE
• First way… à la Chaouki: basically write a file to startup and wait for a logoff/logon
• Second way is writing a DLL that would be loaded by Adobe Acrobat
Vulnerable Versions
Product                Windows                          Mac OS X
Adobe Reader           Vulnerable – Limited (Sandbox)   Vulnerable
Adobe Reader DC        Vulnerable – Limited (Sandbox)   Vulnerable
Adobe Acrobat Pro      Vulnerable                       Vulnerable
Adobe Acrobat Pro DC   Vulnerable                       Vulnerable
Constructing the exploit
Putting it all together (Adobe Acrobat Pro)
1. Attach our payload to the PDF
2. Create a JS that would execute when the document is open
3. JS is composed of:
   1. Extraction of the attachment
   2. Bypass JS privileges
   3. Execute Collab.uriPutData to output our payload (startup/dll)
Flow: Extract attachment → Bypass JS privileges → Call uriPutData with the extracted attachment → RCE
Windows Exploit Demo
Reader for MacOSX DEMO
Conclusion
Recap
Abusing Adobe Reader’s JavaScript APIs
• Goal
– Leverage JavaScript APIs to gain remote code execution on Adobe Reader/Acrobat
– No memory corruption
• Plan of Attack
1. Obtain an arbitrary eval() by JavaScript property overloading and redefinition
2. Chain eval() with privilege escalation through app.trustedFunction
3. Leverage undocumented APIs to execute malicious code
4. Profit?
Thank you
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

How to Choose the Right Partner for Outsource Website Development
How to Choose the Right Partner for Outsource Website DevelopmentHow to Choose the Right Partner for Outsource Website Development
How to Choose the Right Partner for Outsource Website Development
Rollout IT
 
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Sri Damayanti
 
Literals - A Machine Independent Feature
Literals - A Machine Independent FeatureLiterals - A Machine Independent Feature
Literals - A Machine Independent Feature
21h16charis
 
Software Development Company in Florida.pdf
Software Development Company in Florida.pdfSoftware Development Company in Florida.pdf
Software Development Company in Florida.pdf
Getweys
 
Enhancing Safety Protocols with Permit to Work (PTW) Software
Enhancing Safety Protocols with Permit to Work (PTW) SoftwareEnhancing Safety Protocols with Permit to Work (PTW) Software
Enhancing Safety Protocols with Permit to Work (PTW) Software
CryotosCMMSSoftware
 
Automating Enterprise Workflows with Node.pdf
Automating Enterprise Workflows with Node.pdfAutomating Enterprise Workflows with Node.pdf
Automating Enterprise Workflows with Node.pdf
Jane Brewer
 
Navigating the Digital Supply Chain_ Odoo ERP’s Impact on Logistics.pdf
Navigating the Digital Supply Chain_ Odoo ERP’s Impact on Logistics.pdfNavigating the Digital Supply Chain_ Odoo ERP’s Impact on Logistics.pdf
Navigating the Digital Supply Chain_ Odoo ERP’s Impact on Logistics.pdf
Banibro IT Solutions
 
Guide to Improving QA Testing with Gen AI.pdf
Guide to Improving QA Testing with Gen AI.pdfGuide to Improving QA Testing with Gen AI.pdf
Guide to Improving QA Testing with Gen AI.pdf
kalichargn70th171
 
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
Andre Hora
 
Googling for Software Development: What Developers Search For and What They F...
Googling for Software Development: What Developers Search For and What They F...Googling for Software Development: What Developers Search For and What They F...
Googling for Software Development: What Developers Search For and What They F...
Andre Hora
 
How and Why Developers Migrate Python Tests (SANER 2022)
How and Why Developers Migrate Python Tests (SANER 2022)How and Why Developers Migrate Python Tests (SANER 2022)
How and Why Developers Migrate Python Tests (SANER 2022)
Andre Hora
 
SOCRadar-2024-Mid-Year-Cybersecurity-Report.pdf
SOCRadar-2024-Mid-Year-Cybersecurity-Report.pdfSOCRadar-2024-Mid-Year-Cybersecurity-Report.pdf
SOCRadar-2024-Mid-Year-Cybersecurity-Report.pdf
SOCRadar
 
Viswanath_Cover letter_Scrum Master_10+yrs
Viswanath_Cover letter_Scrum Master_10+yrsViswanath_Cover letter_Scrum Master_10+yrs
Viswanath_Cover letter_Scrum Master_10+yrs
cviswanathsai
 
Cloud Databases and Big Data - Mechlin.pptx
Cloud Databases and Big Data - Mechlin.pptxCloud Databases and Big Data - Mechlin.pptx
Cloud Databases and Big Data - Mechlin.pptx
Mitchell Marsh
 
Top 10 ERP Companies in UAE Banibro IT Solutions.pdf
Top 10 ERP Companies in UAE Banibro IT Solutions.pdfTop 10 ERP Companies in UAE Banibro IT Solutions.pdf
Top 10 ERP Companies in UAE Banibro IT Solutions.pdf
Banibro IT Solutions
 
Learning Rust with Advent of Code 2023 - Princeton
Learning Rust with Advent of Code 2023 - PrincetonLearning Rust with Advent of Code 2023 - Princeton
Learning Rust with Advent of Code 2023 - Princeton
Henry Schreiner
 
Augmented Reality (AR) in Ionic Apps Transforming User Experiences.pdf
Augmented Reality (AR) in Ionic Apps Transforming User Experiences.pdfAugmented Reality (AR) in Ionic Apps Transforming User Experiences.pdf
Augmented Reality (AR) in Ionic Apps Transforming User Experiences.pdf
Grey Space Computing
 
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio, Inc.
 
Top 5 ERP Companies in India Banibro IT Solutions.pdf
Top 5 ERP Companies in India Banibro IT Solutions.pdfTop 5 ERP Companies in India Banibro IT Solutions.pdf
Top 5 ERP Companies in India Banibro IT Solutions.pdf
Banibro IT Solutions
 
A House In The Rift 0.7.10 b1 (Gallery Unlock, MOD)
A House In The Rift 0.7.10 b1 (Gallery Unlock, MOD)A House In The Rift 0.7.10 b1 (Gallery Unlock, MOD)
A House In The Rift 0.7.10 b1 (Gallery Unlock, MOD)
Apk2me
 

Recently uploaded (20)

How to Choose the Right Partner for Outsource Website Development
How to Choose the Right Partner for Outsource Website DevelopmentHow to Choose the Right Partner for Outsource Website Development
How to Choose the Right Partner for Outsource Website Development
 
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
Limited Time Offer! Pay One Time to Access to Sociosight for Only $95
 
Literals - A Machine Independent Feature
Literals - A Machine Independent FeatureLiterals - A Machine Independent Feature
Literals - A Machine Independent Feature
 
Software Development Company in Florida.pdf
Software Development Company in Florida.pdfSoftware Development Company in Florida.pdf
Software Development Company in Florida.pdf
 
Enhancing Safety Protocols with Permit to Work (PTW) Software
Enhancing Safety Protocols with Permit to Work (PTW) SoftwareEnhancing Safety Protocols with Permit to Work (PTW) Software
Enhancing Safety Protocols with Permit to Work (PTW) Software
 
Automating Enterprise Workflows with Node.pdf
Automating Enterprise Workflows with Node.pdfAutomating Enterprise Workflows with Node.pdf
Automating Enterprise Workflows with Node.pdf
 
Navigating the Digital Supply Chain_ Odoo ERP’s Impact on Logistics.pdf
Navigating the Digital Supply Chain_ Odoo ERP’s Impact on Logistics.pdfNavigating the Digital Supply Chain_ Odoo ERP’s Impact on Logistics.pdf
Navigating the Digital Supply Chain_ Odoo ERP’s Impact on Logistics.pdf
 
Guide to Improving QA Testing with Gen AI.pdf
Guide to Improving QA Testing with Gen AI.pdfGuide to Improving QA Testing with Gen AI.pdf
Guide to Improving QA Testing with Gen AI.pdf
 
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
JavaScript API Deprecation in the Wild: A First Assessment (SANER 2020)
 
Googling for Software Development: What Developers Search For and What They F...
Googling for Software Development: What Developers Search For and What They F...Googling for Software Development: What Developers Search For and What They F...
Googling for Software Development: What Developers Search For and What They F...
 
How and Why Developers Migrate Python Tests (SANER 2022)
How and Why Developers Migrate Python Tests (SANER 2022)How and Why Developers Migrate Python Tests (SANER 2022)
How and Why Developers Migrate Python Tests (SANER 2022)
 
SOCRadar-2024-Mid-Year-Cybersecurity-Report.pdf
SOCRadar-2024-Mid-Year-Cybersecurity-Report.pdfSOCRadar-2024-Mid-Year-Cybersecurity-Report.pdf
SOCRadar-2024-Mid-Year-Cybersecurity-Report.pdf
 
Viswanath_Cover letter_Scrum Master_10+yrs
Viswanath_Cover letter_Scrum Master_10+yrsViswanath_Cover letter_Scrum Master_10+yrs
Viswanath_Cover letter_Scrum Master_10+yrs
 
Cloud Databases and Big Data - Mechlin.pptx
Cloud Databases and Big Data - Mechlin.pptxCloud Databases and Big Data - Mechlin.pptx
Cloud Databases and Big Data - Mechlin.pptx
 
Top 10 ERP Companies in UAE Banibro IT Solutions.pdf
Top 10 ERP Companies in UAE Banibro IT Solutions.pdfTop 10 ERP Companies in UAE Banibro IT Solutions.pdf
Top 10 ERP Companies in UAE Banibro IT Solutions.pdf
 
Learning Rust with Advent of Code 2023 - Princeton
Learning Rust with Advent of Code 2023 - PrincetonLearning Rust with Advent of Code 2023 - Princeton
Learning Rust with Advent of Code 2023 - Princeton
 
Augmented Reality (AR) in Ionic Apps Transforming User Experiences.pdf
Augmented Reality (AR) in Ionic Apps Transforming User Experiences.pdfAugmented Reality (AR) in Ionic Apps Transforming User Experiences.pdf
Augmented Reality (AR) in Ionic Apps Transforming User Experiences.pdf
 
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
Alluxio Webinar | What’s new in Alluxio Enterprise AI 3.2: Leverage GPU Anywh...
 
Top 5 ERP Companies in India Banibro IT Solutions.pdf
Top 5 ERP Companies in India Banibro IT Solutions.pdfTop 5 ERP Companies in India Banibro IT Solutions.pdf
Top 5 ERP Companies in India Banibro IT Solutions.pdf
 
A House In The Rift 0.7.10 b1 (Gallery Unlock, MOD)
A House In The Rift 0.7.10 b1 (Gallery Unlock, MOD)A House In The Rift 0.7.10 b1 (Gallery Unlock, MOD)
A House In The Rift 0.7.10 b1 (Gallery Unlock, MOD)
 

Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - CODE BLUE 2015

  • 1. Abusing Adobe Reader’s JavaScript APIs
    Brian Gorenc, Manager, Vulnerability Research
    AbdulAziz Hariri, Security Researcher
  • 2. Agenda
    • Introduction
    • Understanding the Attack Surface
    • Vulnerability Discovery
    • Constructing the Exploit
  • 4. Introduction: HP Zero Day Initiative
    • AbdulAziz Hariri - @abdhariri: Security Researcher at the Zero Day Initiative. Root cause analysis, vulnerability discovery, and exploit development.
    • Brian Gorenc - @maliciousinput: Head of Zero Day Initiative. Organizer of Pwn2Own Hacking Competitions.
  • 5. Bug Hunters
    • Internal research starting in December 2014
    • Patched Vulnerabilities: CVE-2015-5085, CVE-2015-5086, CVE-2015-5090, CVE-2015-5091, CVE-2015-4438, CVE-2015-4447, CVE-2015-4452, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115, CVE-2015-5100, CVE-2015-5111, CVE-2015-4435, CVE-2015-4441, CVE-2015-4445, CVE-2015-3053, CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3054, CVE-2015-3056, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064, CVE-2015-3069, CVE-2015-3060, CVE-2015-3062
    • Unpatched Vulnerabilities: ZDI-CAN-3058, ZDI-CAN-3059, ZDI-CAN-3060, ZDI-CAN-3061, ZDI-CAN-3062, ZDI-CAN-3063, ZDI-CAN-3065, ZDI-CAN-3066, ZDI-CAN-3067, ZDI-CAN-3079, ZDI-CAN-3081, ZDI-CAN-3083, ZDI-CAN-3085, ZDI-CAN-3086, ZDI-CAN-3087, ZDI-CAN-3088, ZDI-CAN-3089, ZDI-CAN-3090, ZDI-CAN-3091, ZDI-CAN-3068, ZDI-CAN-3069, ZDI-CAN-3070, ZDI-CAN-3073, ZDI-CAN-3074, ZDI-CAN-3080, ZDI-CAN-3082, ZDI-CAN-3084, ZDI-CAN-3103, ZDI-CAN-3111, ZDI-CAN-3051, ZDI-CAN-3050, ZDI-CAN-3049, ZDI-CAN-3048, ZDI-CAN-3047, ZDI-CAN-3046, ZDI-CAN-3043, ZDI-CAN-3036, ZDI-CAN-3022, ZDI-CAN-3021, ZDI-CAN-2019, ZDI-CAN-3018, ZDI-CAN-3017, ZDI-CAN-3016, ZDI-CAN-3015, ZDI-CAN-2998, ZDI-CAN-2997, ZDI-CAN-2958, ZDI-CAN-2816, ZDI-CAN-2892, ZDI-CAN-2893 …more to come.
  • 7. Understanding Attack Surface: Prior research and resources
    • The life of an Adobe Reader JavaScript bug (CVE-2014-0521) - Gábor Molnár
      – First to highlight the JS API bypass issue
      – The bug was patched in APSB14-15 and was assigned CVE-2014-0521
      – According to Adobe, this could lead to information disclosure
      – https://molnarg.github.io/cve-2014-0521/#/
    • Why Bother Assessing Popular Software? – MWR Labs
      – Highlights various attack vectors on Adobe Reader
      – https://labs.mwrinfosecurity.com/system/assets/979/original/Why_bother_assessing_popular_software.pdf
  • 8. Understanding Attack Surface: ZDI Research Stats
    • Primary Adobe research started internally in December 2014
    • We were not getting many cases in Reader/Acrobat
    • Main goal was to kill as many bugs as possible
    • Internal discoveries varied in bug type:
      – JavaScript API Restriction Bypasses
      – Memory Leaks
      – Use-After-Frees
      – Elevation of Privileges
      – etc.
  • 9. Understanding Attack Surface: Insights Into Reader’s JavaScript APIs
    • Adobe Acrobat/Reader exposes a rich JS API
    • JavaScript API documentation is available on the Adobe website
    • A lot can be done through the JavaScript API (Forms, Annotations, Collaboration, etc.)
    • Mitigations exist for the JavaScript APIs
    • Some APIs defined in the documentation are only available in Acrobat Pro/Acrobat Standard
    • Basically, JavaScript APIs are executed in two contexts:
      – Privileged Context
      – Non-Privileged Context
  • 10. Understanding Attack Surface: Insights Into Reader’s JavaScript APIs
    • Privileged vs. non-privileged contexts are defined in the JS API documentation
    • A lot of APIs are privileged and cannot be executed from non-privileged contexts
  • 11. Understanding Attack Surface: Insights Into Reader’s JavaScript APIs
    • Privileged API warning example from a non-privileged context
  • 12. Trusted Functions: Executing privileged methods in a non-privileged context
  • 13. Understanding Attack Surface: Folder-Level Scripts
    • Scripts stored in the JavaScript folder inside the Acrobat/Reader folder
    • Used to implement functions for automation purposes
    • Contain trusted functions that execute privileged APIs
    • By default Acrobat/Reader ships with JSByteCodeWin.bin
    • JSByteCodeWin.bin is loaded when Acrobat/Reader starts up
    • It is loaded inside Root, and exposed to the Doc when a document is opened
  • 14. Understanding Attack Surface: Decompiling
    • JSByteCodeWin.bin is compiled into SpiderMonkey 1.8 XDR bytecode
    • JSByteCodeWin.bin contains interesting trusted functions
    • Molnarg was kind enough to publish a decompiler for SpiderMonkey
      – https://github.com/molnarg/dead0007
      – Usage: ./dead0007 JSByteCodeWin.bin > output.js
      – Output needs to be prettified
      – ~27,000 lines of JavaScript
  • 17. Vulnerability Discovery: JavaScript Method/Property Overloading
    • __defineGetter__ and __defineSetter__
  • 19. Vulnerability Discovery: Code Auditing for Overloading Opportunities
    • Search for ‘eval’
  • 20. Vulnerability Discovery: Code Auditing for Overloading Opportunities
    • Search for ‘app.beginPriv(’
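An added audit helper for the two searches above: once JSByteCodeWin.bin has been decompiled with dead0007 and prettified, it lists every app.beginPriv()/app.endPriv() window and what runs inside it (eval calls, and reads of the enclosing function's own parameters, which is where a __defineGetter__ overload would fire). This is not part of the talk's tooling; SAMPLE_SCRIPT is constructed for this page and only imitates the shape of folder-level trusted functions.

```javascript
// Constructed sample of prettified folder-level JavaScript (not Adobe's code).
const SAMPLE_SCRIPT = `
var helperA = app.trustedFunction(function (oArgs) {
  app.beginPriv();
  var cName = oArgs.cFieldName;
  var r = eval("this." + cName);
  app.endPriv();
  return r;
});
var helperB = app.trustedFunction(function (oArgs) {
  var cPath = String(oArgs.cPath);
  var oData = oArgs.oData;
  app.beginPriv();
  var r = Collab.uriPutData(cPath, oData);
  app.endPriv();
  return r;
});
`;

const FN_RE = /function\s*([A-Za-z_$][\w$]*)?\s*\(([^)]*)\)/g;
const BEGIN = "app.beginPriv(";
const END = "app.endPriv(";

function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

// One record per privileged window: the line it opens on, the parameters of
// the nearest enclosing function, the number of eval()/new Function() calls
// inside the window, and every "<param>.<prop>" read made while privileged.
function auditPrivilegedWindows(script) {
  const fns = [];
  for (const m of script.matchAll(FN_RE)) {
    fns.push({ start: m.index, params: m[2].split(",").map((p) => p.trim()).filter(Boolean) });
  }
  const findings = [];
  let pos = script.indexOf(BEGIN);
  while (pos !== -1) {
    const end = script.indexOf(END, pos);
    const win = script.slice(pos, end === -1 ? script.length : end);
    // Heuristic: the last function header before the window owns it. Good
    // enough for prettified, non-nested output; nested closures need a parser.
    const owner = fns.filter((f) => f.start < pos).pop() || { params: [] };
    const paramReads = [];
    for (const p of owner.params) {
      const re = new RegExp("\\b" + p.replace(/\$/g, "\\$") + "\\.([\\w$]+)", "g");
      for (const r of win.matchAll(re)) paramReads.push(p + "." + r[1]);
    }
    findings.push({
      line: lineOf(script, pos),
      params: owner.params,
      evals: (win.match(/\beval\s*\(|\bnew\s+Function\s*\(/g) || []).length,
      paramReads,
    });
    pos = script.indexOf(BEGIN, pos + BEGIN.length);
  }
  return findings;
}

// Windows worth reading by hand: they eval, or they touch caller data while
// the privilege is on.
function suspiciousWindows(script) {
  return auditPrivilegedWindows(script).filter((f) => f.evals > 0 || f.paramReads.length > 0);
}

console.log(JSON.stringify(suspiciousWindows(SAMPLE_SCRIPT), null, 2));
```

On the sample, helperA is reported (eval plus an oArgs.cFieldName read inside the window) and helperB is not. Note the blind spot: helperB copies oArgs.oData by reference before app.beginPriv(), so a getter on a property of that object still fires when Collab.uriPutData reads it inside the window; the string match cannot see that, so treat a clean report as a starting point, not a verdict.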
  • 21. Vulnerability Discovery: Achieving System-Level eval()
    • Overload property access with a custom function
  • 22. Vulnerability Discovery: Executing Privileged APIs
    • Replace a property with a privileged function
  • 23. Vulnerability Discovery: Vulnerability Chaining
    • Set up the system-level eval such that it executes the bulk of the payload
    • Create the replacement attribute such that it now calls a privileged API
    • Trigger the call
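An added illustration of the chain on slides 17 to 23 (getter overloading, a system-level eval, then a privileged call), with the hardened form of the helper beside it. It is a simulation written for this page, not Adobe's code and not anything from JSByteCodeWin.bin: the `app` model and its privilege counter, privilegedWrite() as a stand-in for a privileged method such as Collab.uriPutData, the payload path and the shape of the trusted helper are all assumptions.

```javascript
// Host model: privilege is a window opened by app.beginPriv() and closed by
// app.endPriv(). A privileged API refuses calls made outside that window,
// as Reader does (NotAllowedError) for document-context calls.
const app = {
  privDepth: 0,
  beginPriv() { this.privDepth++; },
  endPriv() { this.privDepth--; },
  privilegedWrite(cPath, cData) {
    if (this.privDepth <= 0) throw new Error("NotAllowedError");
    return { path: cPath, bytes: cData.length };
  },
};

// Assumed folder-level trusted function carrying the two auditable sinks:
// a property read on caller-supplied data, and an eval of text built from it,
// both executed inside the privileged window.
function trustedHelper(oArgs) {
  app.beginPriv();
  try {
    const cName = oArgs.cFieldName;        // (1) a getter here runs privileged
    return eval("'field:' + " + cName);    // (2) caller text runs privileged
  } finally {
    app.endPriv();
  }
}

// Hardened variant: caller data is reduced to a primitive and validated before
// the window opens, and never reaches eval.
function trustedHelperFixed(oArgs) {
  const cName = String(oArgs.cFieldName);
  if (!/^[A-Za-z_]\w*$/.test(cName)) throw new Error("bad field name");
  app.beginPriv();
  try {
    return "field:" + cName;
  } finally {
    app.endPriv();
  }
}

// ---- Document-level (non-privileged) code, i.e. the attacker's PDF script ----

const PAYLOAD_PATH = "smb://localhost/C$/payload.bin";   // constructed example path

// Calling the privileged API straight from the document is refused.
function directCall() {
  try { app.privilegedWrite(PAYLOAD_PATH, "x"); return "ok"; }
  catch (e) { return e.message; }
}

// Bypass 1 (slides 21/22): overload the property the helper reads with a
// getter; the getter body executes inside the helper's privileged window.
function getterBypass(helper) {
  let result = null;
  const oArgs = {};
  oArgs.__defineGetter__("cFieldName", function () {
    result = app.privilegedWrite(PAYLOAD_PATH, "MZ payload bytes");
    return "1";                            // keep the helper's eval happy
  });
  try { helper(oArgs); } catch (e) { return e.message; }
  return result;
}

// Bypass 2 (slide 23): the eval sink is a system-level eval, so the bulk of the
// payload can be placed in cFieldName and call the privileged API itself.
function evalBypass(helper) {
  const oArgs = {
    cFieldName: "app.privilegedWrite(PAYLOAD_PATH, 'MZ payload bytes').path",
  };
  try { return helper(oArgs); } catch (e) { return e.message; }
}

console.log(directCall());                 // NotAllowedError
console.log(getterBypass(trustedHelper));  // { path: 'smb://localhost/C$/payload.bin', bytes: 16 }
console.log(evalBypass(trustedHelper));    // field:smb://localhost/C$/payload.bin
console.log(getterBypass(trustedHelperFixed), evalBypass(trustedHelperFixed)); // NotAllowedError bad field name
```

Against the fixed helper the getter is invoked by String() before app.beginPriv(), so its privileged call fails, and the eval payload never gets evaluated at all; both failures happen with privDepth still at zero. In Reader the privilege check is of course more involved than a counter, but the ordering lesson is the same: anything that can run attacker-defined code (getters, setters, valueOf/toString, eval) must be forced before the privileged block opens.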
  • 24. Vulnerability Discovery: Proof of Concept – CVE-2015-3073
  • 27. Vulnerability Discovery: Adobe Reader 11.0.10 – Before Patch
  • 29. Vulnerability Discovery: Recap
    • To achieve a JavaScript bypass we need to:
      – Achieve execution within the system context
      – Escalate privileges by overriding an object method
        • Must be in a privileged block within a trusted function
  • 31. Constructing the Exploit: Overview
    • Research triggered from https://helpx.adobe.com/security/products/reader/apsb14-15.html
    • Challenge: gain remote code execution through the bypass issue
    • We might be able to do that through the JS APIs that we know about
  • 32. Constructing the Exploit: Because documentation sucks..
    • We needed to find a way to dump a file on disk
    • The file can be of any type (try to avoid restrictions)
    • Let’s have a look at the Collab object, through the JS API from Adobe
  • 33. Constructing the Exploit: “If you want to keep a secret, you must also hide it from yourself.” – G. Orwell
    • From all the 128 undocumented methods, the Collab.uri* family is specifically interesting
  • 34. Constructing the Exploit: “The more you leave out, the more you highlight what you leave in.” – H. Green
    • Too good to be true, so I consulted uncle Google before digging more
  • 35. Constructing the Exploit: Show me what you got...
    • Quick overview of the interesting methods
  • 36. Constructing the Exploit
    • Overview of the Collab.uri* APIs:
      – The APIs are used for “Collaboration”
      – uriDeleteFolder/uriDeleteFile/uriPutData/uriCreateFolder are privileged APIs
      – uriEnumerateFiles is NOT privileged
      – The Collab.uri* methods take a URI path as an argument (at least)
      – The path expected should be a UNC path
      – The UNC path should start with smb:// or file://
    • The APIs fail to:
      – Sanitize the UNC path (smb://localhost/C$/XXX works)
      – Check the file type of the filename to be written on disk (in the case of uriPutData)
      – Check the content of the oData object to be dumped (in the case of uriPutData)
  • 37. Constructing the Exploit
    • What we have so far:
      – We can dump files on disk using the Collab.uriPutData() method
      – The file contents that we want to dump should be passed as an oData object
      – Stream objects do work!
  • 38. Constructing the Exploit
      – We can attach files in PDF documents and extract the contents
      – We should chain the uriPutData call with one of the bypasses that we discussed earlier
    • Then what? How can we get RCE? Actually there are two obvious ways...
  • 39. Constructing the Exploit: Gaining RCE
    • First way… à la Chaouki: basically write a file to the Startup folder and wait for a logoff/logon
    • Second way is writing a DLL that would be loaded by Adobe Acrobat
  • 40. Vulnerable Versions
    Product               Windows                          MacOSX
    Adobe Reader          Vulnerable – Limited (Sandbox)   Vulnerable
    Adobe Reader DC       Vulnerable – Limited (Sandbox)   Vulnerable
    Adobe Acrobat Pro     Vulnerable                       Vulnerable
    Adobe Acrobat Pro DC  Vulnerable                       Vulnerable
  • 41. Constructing the Exploit: Putting it all together (Adobe Acrobat Pro)
    1. Attach our payload to the PDF
    2. Create a JS that would execute when the document is opened
    3. The JS is composed of:
       1. Extraction of the attachment
       2. Bypass of JS privileges
       3. A Collab.uriPutData call to output our payload (Startup file or DLL)
    Flow: Extract Attachment → Bypass JS Privileges → Call uriPutData with the extracted attachment → RCE
  • 43. Reader for MacOSX DEMO
  • 45. Recap: Abusing Adobe Reader’s JavaScript APIs
    • Goal
      – Leverage JavaScript APIs to gain remote code execution on Adobe Reader/Acrobat
      – No memory corruption
    • Plan of Attack
      1. Obtain an arbitrary eval() by JavaScript property overloading and redefinition
      2. Chain eval() with privilege escalation through app.trustedFunction
      3. Leverage undocumented APIs to execute malicious code
      4. Profit?