OFFICE IS STILL YUMMY – HOW TO DEFEAT MEMORY PROTECTIONS IN OFFICE DOCUMENT EXPLOITATION

It has been a long time since researchers started looking for Office vulnerabilities. Not only keep patching vulnerabilities, Microsoft has also implemented many advanced and effective memory protection techniques to against malicious Office document attack.

Exploiting Office document has been getting harder and harder. Recently many researchers have changed to work on PDF, Flash, and other document formats. Has Office document become safer now? We don't think so. In this paper, you will see the Office document is still yummy!

This work introduces three major steps that how we effectively exploit an Office document:

1. how to defeat DEP protection;
2. how to defeat ASLR protection;
3. get a free exploit.

駭客的美味大餐- 攻擊辦公室文書軟體記憶保護

從研究者開始找尋辦公室文書軟體的弱點至今已經過了很長一段時間了。不止於修補弱點，微軟更執行了許多先進和有效的記憶保護技術來對抗針對辦公室檔案的惡意攻擊。

攻擊辦公室檔案已經變得越來越難。最近，很多研究者已經改為鑽研PDF、Flash和其它格式的檔案。辦公室檔案先在算是安全了嗎? 我們並不認為。在這一份報告中，你會發現辦公室檔案仍然很美味！

這裡會介紹三個我們如何有效的攻擊辦公室檔案的主要步驟：

1. 如何突破資料執行保護;
2. 如何突破空間編排隨機化保護;
3. 達到攻擊目的

COSEINC AUTOMATED MALWARE ANALYSIS LAB (CAMAL)

Thousands of malware are being detected each day and the sheer volume made it impossible to perform manual analysis on each of them.

This talk will introduce CAMAL (COSEINC Automated Malware Analysis Lab) an automated malware analysis framework that can produce both static and network analysis snapshots of a malware.

The main objective of such a framework is to speed up a malware analyst's job by automatically profiling the malware's binary characteristics, its interaction with the operating system, its access to the file system and its communication through the network.

During the talk, we will be first discuss the general framework, followed by technical details on how the whole process can be automated seamlessly. We will also touch on the potential usage of such a framework and how it can help to provide an accurate malware characterization within a shorter timeframe.

CAMAL自動化惡意軟體分析-如何天衣無縫的執行自動化

每天都有上千個惡意軟體被偵查到，單純就它的量來看，就知道要親手分析每一個是不可能的任務。

這次的討論會介紹CAMAL (COSEINC Automated Malware Analysis Lab)， 它是一個用於自動分析惡意軟體的架構，可以提供惡意軟體的靜態和網路分析方面的簡要了解。

這樣的一個架構的主要目的，是要透過自動依惡意軟體的特性、它和作業系統之間的互動、它 取得系統和檔案的方法以及它透過網路的訊息傳遞，將惡意軟體分類，好讓惡意軟體研究者的工作可以加速進行。

討論的過程中，我們會先討論基本架構，再來是技術上的細節，以及這整個過程是怎麼樣能無縫隙的自動作業。我 們也會稍微討論這個架構在運用上的可能性，以及它如何可以在較短的時間內做到正確的惡意軟體分類。

UFO: OPERATING SYSTEM FINGERPRINTING FOR VIRTUAL MACHINES

In computer security field, Operating System fingerprinting (OSF) is the process of identifying the OS variant and version. OSF is considered an important stage to decide security policy enforced on protected Virtual Machine (VM). OSF is also the first step of VM introspection process. Unfortunately, current OSF techniques suffer many problems, such as: they fail badly against modern Operating System (OS), they are slow, and only support limited OS-es and hypervisors.

This paper analyzes the drawbacks of current OSF approaches against VM, then introduces a novel method named \emph{UFO} to fingerprint OS running inside VM. Our solution fixes all the above problems: Firstly, it can recognize all the available OS variants and (in lots of cases) exact OS versions with excellent accuracy, regardless of OS tweaking. Secondly, UFO is extremely fast. Last but not least, it is hypervisor-independent: we proved that by implementing UFO on Xen and Hyper-V.

The presentation includes some demos, so the audience can see how UFO really works. The full source code of the tool will be released under GPL license.

虛擬化技術中的作業系統指紋建檔(首次公佈)

在電腦安全的領域中，作業系統指紋建檔是辨別作業系統變數和版本的過程。 作業系統指紋建檔被視為決定實施在受保護的虛擬機器的安全準則的一個重要階段。作業系統指紋建檔也是虛擬機器內視過程的第一步。 不幸的是，目前的作業系統指紋建檔還面臨許多問題，像是：它們使用在現代的作業系統時完全失敗、它們很慢，而且只有支援有限的作業系統和虛擬機器管理員。

這一份報告會分析目前作業系統指紋建檔在虛擬機器上作面臨的困難，然後再介紹一個叫做\emph{UFO}的新方法， 以達到在虛擬機器中的作業系統指紋建檔。我們的方案可以解決上述的所有問題：第一，它可以非常正確的辨認所有目前有的作業系統變數， 和(在很多案例中)作業系統版本，無論是否有調整過作業系統。第二，UFO 非常的快速。最後，但也同樣重要的，它 不需要依賴虛擬機器管理員：我們已經在Xen和Hyper-V上證實了這一點。

這次報告會包括一些現場的呈現，所以觀眾可以了解UFO 是怎麼運作的。這個工具完整的原始碼會在通用公共授權下發佈。

DO NOT TOUCH MY WINNY

The presentation introduces a private 0day on the popular encrypted Japanese P2P Program. Summary of the points we plan to cover:

1. The Story behind the popular Japanese P2P application
2. P2P information disclosure in Japan
3. Tools used by hackers to hunt for a 0day
4. Reverse engineering and debugging the encrypted P2P application from ground to a fully working 0day
5. Live Demo of hunting and crafting a fully working 0day that was never published yet!!

現場DEMO-示範 My Winny 0day漏洞(首次公佈)

這個報告會介紹受歡迎的加密日本P2P程式上的一個的私人0day。我們計劃涵蓋的主題摘要有：

1. 受歡迎的日本P2P 應用程式背後的故事
2. 日本的P2P諮詢揭露
3. 駭客用來狩獵0day 的工具
4. 從無到一個可以完全運作的0day，將加密的P2P 應用程式逆向操作和除錯
5. 現場呈現獵捕和製造一個尚未被發表的可正常運作的0day！！

BASE JUMPING: ATTACKING GSM BASE STATION SYSTEMS AND MOBILE PHONE BASE BANDS

Technological advances have finally placed GSM tools within the reach of security researchers and hackers. Finally it is possible to directly explore the lowest levels of the GSM stack.

This talk focuses on both sides of the GSM network where the users and network directly interact: the Um (air) interface.

The primary technological focus of this talk is on the exposed interfaces between the GSM networks and users. This covers the base station system -- the network components which communicate with mobile phones -- and the base band -- the component of the mobile phone which communicates with the network.

During the talk the two main components of the attack system will be demoed - malicious basestations and malicious basebands. The base station enables fuzzing mobile phone basebands, as well as other attacks. The baseband is used to test GSM network equipment for flaws, as well as exploit backend systems.

Trust us, you'll *want* to turn off your phone for the duration of this talk!

攻擊GSM基地收發台及手機基頻- 我們不是故意讓大家關手機

科技的進步發展終於使得GSM工具對於資安研究者和駭客來說唾手可得。如今已有可能直接探索最底層的GSM棧。

這次討論同時著重於GSM網路兩端，也就是使用者和網路進行直接交互的地方：無線介面。

這次討論的技術面重點在於GSM網路和使用者之間暴露出來的介面上。這涵蓋了基地收發台－與手機通信的網路元件－以及基頻—與網路通信的手機元件。

在討論過程中，攻擊系統的兩個主要元件會被呈現出來—惡意基地收發台和惡意基頻。這裡的基地收發臺能夠針對手機基頻啟動fuzzing，以及其它攻擊。這裡的基頻可用於測試GSM網路設備的缺陷並利用後台系統。

相信我們，在講習時，你會想要關掉你的手機的！

AN RIA SECURITY SOLUTION - FLASH AND PDF THREAT HANDLER

Rich Internet Application, known as RIA, is a new concept of modern web2.0. Moving logic from the server to an untrusted client may open up security holes that never present in the page-oriented "Web 1.0" architecture. (Adobe?) Flash and PDF are 2 of the most important RIA formats and are most widely used by internet users. During past 2 years hackers have pay more attention to RIA exploits especially to Adobe's vulnerabilities through internet, Adobe software was believed to be the 2nd Microsoft.

In this presentation, we will start with the threat trend of SWF and PDF applications, various kinds of attacks rely on vulnerabilities through web browsers spreading to in the internet. Followed by showing how AV handles and how hackers manage to bypass them. We'll then demonstrate technical details on the format change and advancement of the malicious SWF and PDF files aimed to bypass antivirus software. To fight against these Web2.0 based attacks, we will present a research project on an analysis tool for malicious content parser. In the end, we will present a frame of real-time RIA scanner between gateway and user browser.

This presentation has never been published to public before.

RIA系統安全

豐富的網際網路應用程式，也就是所謂的RIA，是一個現代web2.0的新概念。將邏輯從伺服器移到不能信任的客戶端時， 可能會出現安全漏洞，而這是在"Web 1.0" 的頁面為主的結構中不會出現的情況。(Adobe?) Flash 和PDF是RIA最重要的兩個格式， 也是最常被網路使用者所使用的。在過去的兩年，駭客已經更著重於攻擊RIA，特別是透過網路攻擊Adobe的弱點。Adobe更是被認為是第二個微軟。

在這個報告中，我們會從SWF和PDF應用程式的威脅趨勢開始討論，不同的攻擊利用網路瀏覽器的弱點散播到網路上。 之後我們會討論 AV 如何處理還有駭客如何辦到規避它們。再來，我們會呈現以規避防毒軟體為目的的惡意SWF和PDF檔案在格式改變和進化方面的技術細節。 為了對抗這些Web2.0的攻擊，我們會提出一個研究專案，專案內容是惡意程式語法分析的工具。最後，我們會呈現一個在網路閘道和使用者瀏覽起之間即時的RIA 掃描。

這次的報告在此之前尚未被公開發表過。

TESTING FOR VULNERABILITIES WITHOUT TRIGGERING IPS SIGNATURES

While it’s true that many exploits simply blindly send payload waiting for a shell, many exploits written today, contain pre-checks to determine whether a host is vulnerable or not, and if so, then the payload is sent. This scenario is often mirrored in malware, worms, and even vulnerability assessment checks. This paper and talk will focus on educating attendees, with detailed examples, on how to detect whether vulnerabilities are present, without triggering IPS signatures. It is important to note however, this is not a talk on fragmentation or other ways to exploit the vulnerability while evading an IPS. This is a talk on crafting the pre-checks in such a way that the vulnerability is never triggered or disclosed, thus automatically bypassing IPS systems. This is particularly useful for security vendors to ensure stability and cross-product compatibility, and this is useful from an attacker’s perspective, especially in the case of non-public vulnerabilities, where an attacker may want to build up a list of vulnerable targets while at the same time not disclosing what vulnerability is actually being tested for.

偵測漏洞-越過IPS特徵碼(首次公佈)

雖然說真的很多攻擊單純且盲目的傳遞payload病毒並等待一個shell，很多近日被撰寫的攻擊程式擁有事先辨別主機弱點的能力，如果主機被發現有弱點，payload病毒就會被傳送。這樣的情況通常可以在惡意軟體、蠕蟲病毒，甚至在弱點檢驗中看到。這份報告和討論的重點是透過詳細的案例，告訴與會者要如何在不啟動IPS 特徵偵測的情況下偵測到現有的弱點。但要注意的地方是，這次的討論不是關於分片或其它利用弱點侵入IPS 的方法。這次的討論是關於塑造一個弱點不會被啟動或暴露的事前偵測，進而自動規避IPS 系統。這對提供安全性產品的廠商特別有用，它可以確保穩定性和不同產品的相容性。從一個攻擊者的角度來看，特別是在面對非公開的弱點，當一位攻擊者可能需要建立一個弱點目標的清單卻又不想把偵測的弱點暴露出來的時候，這也是有用的。

INDUSTRIAL BUG MINING - EXTRACTING, GRADING AND ENRICHING THE ORE OF EXPLOITS

If bugs are the raw ore of exploits - Rootite, if you like - then we're mining in areas where the Rootite is rare and deeply buried. Industrial scale bug mining starts with very, very fast fuzzing. In contrast to the MS Fuzzing Botnet, we use a dedicated, single purpose cluster of virtual machines which is optimised for fuzzing. Last year we released some metrics, then MS released better ones. So, we rebuilt the whole system and made it faster and more scalable - can we outperform the Redmond Botnet in one small rack? After a fuzz run, we are left with massive piles of low-grade Rootite, full of impurities such as Nullpointium, which needs to be graded and enriched before it is valuable. After grading, We "enrich" our highest grade Rootite by using differential runtracing of crashes to assist root cause analysis. The runtraces are tens of millions of lines long, but we postprocess them using magic, funky graphs and compression before comparing them side by side with the clean run. Our diff files are plaintext, small enough for us to eyeball them, and allow us navigate to any point in the trace using any debugger we choose. Feel free to drop by for a guided tour of the mine. Bring a beer.

漏洞工業採礦-帶啤酒來跟我們一起挖挖挖

如果說程式漏洞是攻擊－或者你想稱之為Rootite－的原始礦石，那麼我們就是在Rootite非常稀有並且被埋在深處的礦區進行挖掘採礦。工業級的程式漏洞挖掘首先需要使用一個非常快速的fuzzing方法。相對於微軟的Fuzzing殭屍網路，我們使用了一種專用的、單一目的的虛擬機器群，並且為達到fuzzing做了最優化處理。去年我們公佈了一些資料，不過微軟很快公佈了更好的。因此我們重新設計了整個系統使它更快速並且更靈活，我們可能在某些方面比Redmond 殭屍網路更出色嗎? 執行一次fuzz之後，我們獲得了大量低層級的Rootite，例如空指標引用，這些程式漏洞需要分級並處理後才能有價值。在分級後，我們會使用不同的執行追蹤記錄分析來使那些最高級別的Rootite更富有價值。執行追蹤記錄有上百萬行那麼長，我們在與正常的執行流程比較前使用了魔術般奇異的圖表和壓縮等方法進行處理。我們的diff檔是明文的，並且小到足以用肉眼進行判斷，並且允許我們在指定的追蹤點使用除錯工具。過來體驗一次有導引的採礦之旅吧。記得要帶一瓶啤酒。

(TOO MUCH) ACCESS POINTS - EXPLOITATION ROUNDUP

Embedded devices are getting more and more pervasive, but not so much material is currently available regarding the exploitation of such devices, and in particular referring to the Linux/MIPS. Few vulnerabilities are published and even less regarding the possibility of executing arbitrary code, while exploits and shellcodes are nearly absent. Thorough security reviews are rarely performed and release of patches and fixes is usually lagging behind. Research has focused mostly on the security of the wireless communications and the related implementation, or techniques for attacking devices with private addressing, while not much has been published regarding the actual exploitation, that may, in some cases, be non-trivial due to specific challenges discussed in the presentation.

In this talk remote arbitrary code execution on Access Points, with specific reference to Linux/MIPS platform, will be demonstrated by leveraging vulnerabilities discovered by the author. Devices from major manufacturers, all loaded with their stock firmware will be targeted, multiple exploitation demos will be performed and a remote root shell will be gained on each target. Different kind of flaws bring different opportunities, depending on the attack range (eg: can be carried over the Internet or from internal LAN) or the need for authentication: the proposed vulnerabilities and demos have been chosen and designed for providing sample of different attacks, scenarios and attack opportunities. A "no-auth remote blind" attack will be also demonstrated, providing the first known example of an attacker gaining a remote root shell over an embedded device, by using a smartphone as a "reflector" and leveraging it for the actual exploitation.

Outline:

1. overview of embedded networking devices
2. Specific coverage of Access Points.
3. Security considerations on AP
4. Overview of typical attacks
5. Linux/MIPS specific works
6. AP exploitation: advantages
7. Exploitation goals set-up
8. Challenges
9. Attacks: Different flavours
10. Exploitation Roundup: 3 APs from different Manufacturers
11. For each target:
    1. Vulnerabilities discussion
    2. Exploitation strategy
    3. Demo(S)
    4. Improvements
12. Conclusions

無線基地台-典型的攻擊手法 (現場DEMO)(首次公佈)

嵌入式儀器越來越普遍，但目前並沒有那麼多關於攻擊這些儀器的資料，特別是針對Linux/MIPS的部份。只有少數的弱點被發表，而任意執行代碼的可能性則更少被發表，再來攻擊和shellcodes 更是幾乎沒有。徹底的安全性檢驗鮮少被執行，補救或修復的發佈更是經常落後。研究者的重點通常都放在無線通信的安全性和其相關的執行作業，或是攻擊擁有私人位置儀器的手法，很少發表關於實際的，且在一些案例中，可能因這次報告中所討論到的特殊挑戰而並非是不重要的攻擊。

討論的過程中，在無線基地台遠端任意執行代碼，特別針對Linux/MIPS 平台的部份，將會透過利用作者所發現的弱點來呈現。目標是主要製造廠已經灌入軟件的儀器設備，呈現出多種攻擊類型，遠端root shell會被置入每個目標。依照不同的攻擊範圍(例: 可透過網際網路傳遞或是從內部區域網路)，或是認證的需求，不同的缺陷會帶來不同的機會：這邊提出的弱點和呈現是為了提供不同攻擊、情境和攻擊機會而被設計和挑選出來的。也會展示一個”no-auth remote blind”的攻擊，提供一個第一件攻擊者在嵌入式儀器得到遠端root shell的發現案例，呈現的方法會使用智慧型手機，並利用它作實際的攻擊。

架構:

1. 嵌入式網路設備概論
2. 詳細探討無線基地台
3. 無線基地台的安全考量
4. 典型攻擊概論
5. 針對Linux/MIPS 的案例
6. 攻擊網路基地台：優勢
7. 準備攻擊目標
8. 挑戰
9. 攻擊：不同種類
10. 攻擊綜述：三種不同製造廠的無線基地台
11. 針對每個目標：
    1. 弱點討論
    2. 攻擊策略
    3. 呈現
    4. 進步
12. 結論

HACKING PRINTERS FOR FUN AND PROFIT

While more and more new devices (routers, smartphones, etc.) are getting connected to our SOHO/enterprise environments, all-colour hats are getting plenty of focus on their security: defend and harden on one side; exploit and develop malware on the other.

However, a special class of network devices (specifically network printers/scanners/MFPs), which are networked for more than 15 years, are constantly out of the modern security watchful eye. And even though we entrust them even the most confidential documents or the most sacred credentials (LDAP, RFID badges, etc.), we don’t realize closely how weak and unsecured they are, despite the few minor security bulletins started to pop-up here and there in the recent few months.

In this presentation, we will try to analyse the reasons why hacking network printers/MFPs is a reasonable and accomplishable idea. Also, we will take a look at current state of (weak) affairs in the vulnerability and security research available. Then we will try to envision types of possible exploitation scenarios, backed-up with a printer remote-exploit demo. We will conclude the presentation with possible solutions and what can be done to protect ourselves as well as our network environments.

您的網路印表機安全嗎? (現場DEMO)(首次公佈)

當越來越多的新電子產品　(分享器、智慧型手機和其它) 被連結到我們的SOHO/企業環境之中，各個顏色帽子的駭客在他們的安全性上得到了眾多關注：一方面防禦並加強；另一方面利用並開發惡意軟體。

但是，一個特殊層級的網路裝置(特別是網路印表機/掃描機/MFPs)，已經以網路連結達15年之久，卻一直被排除在現代資訊安全的關注之外。雖然我們在處理最機密的文件或最重要的憑證時(LDAP、RFID badges和其它)給予他們完全的信任，我們卻沒有發現他們有多麼的脆弱和不安全，即使最近幾個月有一些較小的安全注意事項不時被提及。

在這一個報告中，我們會嘗試分析為什麼駭入網路連結的印表機/MFPs是一個合乎常理並可以做到的事情。同時，我們也會探討一下現有的弱點和安全性研究中目前的(脆弱)狀態。之後我們將會試著設想可能的攻擊情境，並以呈現一個遠端印表機攻擊來支持此說。最後我們會以可能的解決方案和可以保護我們自己以及我們的網路環境的措施來作報告的總結。

UTILIZING CODE REUSE/RETURN ORIENTED PROGRAMMING IN PHP WEB APPLICATION EXPLOITS

In 2009 one of the hottest topics has been code reuse and return oriented programming as means to bypass exploitation mitigation features in modern operating systems. We have seen ROP being applied to x86, SPARC, ARM and even election machines. Time has come to take ROP into the world of web application security.

This presentation consists of two parts that will apply code reuse and ROP techniques to modern PHP exploits. The first part will show how ROP is applied entirely at the PHP level, reusing code parts of the already running PHP application to eventually achieve arbitrary code execution. It will be detailed how different PHP vulnerability classes can be used for these attacks, demonstrating some lesser known facts and tricks in PHP exploitation on the way.

The second part of the presentation will go below the PHP level and feature a memory corruption in PHP itself that is exposed to remote attackers through several widespread PHP applications. It will be demonstrated step by step how it is possible to develop a remote exploit for this vulnerability, defeating ASLR and NX/DEP on the way, by utilizing an information leak and returning into the PHP interpreter to execute arbitrary PHP code.

PHP網路應用開發中利用代碼重用/ Return Oriented程式設計

在2009年，最熱門的議題之一就是透過代碼重用和return oriented程式設計來越過現在運作系統的攻擊緩解功能。我們已經看過ROP被應用在x86、SPARC、ARM，甚至電子機械上。而今，時間已經帶領ROP進入網路應用程式安全的領域。

這個報告包含兩個部份，這兩個部份都是將代碼重用和ROP技術應用在現代PHP攻擊。第一部份將會呈現ROP是如何完全應用在PHP層級，重用已經在執行的PHP應用程式的部份代碼，最後達到任意執行代碼。深入探討不同的類別的PHP弱點如何被利用於這些攻擊，過程中也會呈現一些比較不為人知的真相和PHP攻擊的手法。

這個報告的第二部份將會探討PHP層級之下，也就是PHP本身的記憶毀損並藉由幾個常見的PHP應用程式暴露於遠端攻擊者。我們將會一步一步的呈現，一個遠端的攻擊如何被發展來利用這個弱點，並在過程中打敗ASLR和NX/DEP，而這都是透過運用一個資訊漏洞和返回PHP解譯程式以達到任意執行PHP碼。

PACKER GENETICS: THE SELFISH CODE

As the title suggests, we will be talking about genetics. Not human genetics but the gene concept applied to executable files. We will use that concept to see what completely different executables have in common and how we can use that knowledge to build a generic unpacker, and generic in a way that we will not use any special case to handle any packer. Running inside a x86 emulator like Bochs, makes the tool quite useful for automated malware unpacking.

如何破解封包軟體

就如標題所示，我們將會討論關於基因的議題。這裡指的不是人類基因學，而是被應用在執行檔案的基因概念。我們會用這個概念來解讀兩個完全不同執行檔有什麼相同之處，並利用這樣的原理來創造一個通用的解封包程式，而通用的意思就是我們不會使用任何特殊案例來處理任何封包軟體。在像是Bochs的X86模擬器上運作，使得這個工具在自動破解惡意軟體上相當有用。