IMG_7862

CanSecWest 2010 banners

IMG_7865

Tom Gallagher and David Conger from Microsoft talk about distributed file fuzzing and the Microsoft Office 2010 security model.

IMG_7866

IMG_7867

IMG_7868  

Some other notes from their talk:

  • Office supports 300 file formats, and each can have several sub-formats; the .wpd extension alone has three different parsers. The fuzzing surface is huge.
  • Microsoft built its own distributed fuzzing system to help find file parser bugs.
  • Office bugs fixed as a result of fuzzing (not all of them security issues): 2007 RTM: 1800; 2003 SP3: 600; 2007 SP1: 300; 2007 SP2: 350; 2010 RTM: 1600 (via joseph_gan).
  • File Block: push a policy that disallows opening unused file formats in Office.
  • Gatekeeper DLL: a file integrity library to protect against unknown vulnerabilities in Microsoft Office 2010.
  • One more layer of security in Microsoft Office 2010 is Protected View, which can open files in a sandboxed mode.
  • winword.exe (1.5 MB) is a small wrapper around wwlib.dll (25 MB).

IMG_7876

Charlie Miller attacking the Apple Safari browser. Sorry about the colors. Forgot I had a filter on. 

IMG_7878

Charlie completes a three-peat at the pwn2own contest.

IMG_7885

IMG_7880

Dragos on the Pwn2Own phone on the conference floor. “What got owned this time?”

Other pwn2own notes:

IMG_7889

IMG_7892

Screenshots from the live demo by Yves-Alexis Perez and Loïc Duflot. The target device was running Linux with a Broadcom network card, and the exploit resulted in a root shell bound to a port.

Presentation notes:

IMG_7900

Summary slide from Shuichiro Suzuki’s talk on bypassing Windows protection mechanisms like SEHOP, SafeSEH, /GS, DEP, etc. Some other notes from this talk:

  • Bypass SafeSEH and software DEP by using third-party libraries that aren't compiled with those options.
  • To bypass SafeSEH you need to recreate the SEH chain on the stack so that it references the third-party module that lacks SafeSEH.
  • The addition of ASLR makes this hard to exploit, as you can no longer recreate the SEH chain on the stack.
  • For ASLR/DEP exploitation, see Alex Sotirov and Mark Dowd's presentation at Black Hat USA 2008.
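The bullets above depend on finding a loaded module that was built without SafeSEH, DEP or ASLR. The checker below is an added example, not the speaker's tooling: it reads the PE headers directly (no pefile dependency) and reports which mitigations each image opted into. SafeSEH is an x86-only concept, so it is derived from the PE32 load config directory's handler table; DEP and ASLR come from the DllCharacteristics flags. The `build_pe32` helper constructs a minimal PE32 image as offline test input; it is not a real DLL.

```python
"""Report the build-time mitigations (SafeSEH, DEP, ASLR) of a PE module.
Added example; constants are the documented IMAGE_DLLCHARACTERISTICS_* values."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image registers no handlers at all
LOAD_CONFIG_DIR_INDEX = 10                       # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x not backed by any section" % rva)

def check_mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers plus the load config directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B          # 0x20B would be PE32+
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + (92 if pe32 else 108))[0]
    dirs = opt + (96 if pe32 else 112)
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    # SafeSEH: the load config lists every handler the OS will accept for this image.
    safeseh = False
    if pe32 and ndirs > LOAD_CONFIG_DIR_INDEX:
        lc_rva, lc_size = struct.unpack_from("<II", data, dirs + 8 * LOAD_CONFIG_DIR_INDEX)
        if lc_rva and lc_size >= 72:
            off = rva_to_offset(sections, lc_rva)
            table, count = struct.unpack_from("<II", data, off + 64)  # SEHandlerTable, SEHandlerCount
            safeseh = table != 0 and count != 0
    no_seh = bool(dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH)
    return {
        "pe32": pe32,
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "safeseh": safeseh,
        "no_seh": no_seh,
        # An overwritten handler pointing into this module survives the SafeSEH check
        # only if the module has no handler table and is not flagged NO_SEH.
        "seh_overwrite_candidate": pe32 and not safeseh and not no_seh,
    }

def build_pe32(dllchars: int, safeseh: bool) -> bytes:
    """Constructed minimal PE32 image (test input, not a real DLL): one .rdata section
    at RVA 0x1000 holding an IMAGE_LOAD_CONFIG_DIRECTORY32 named by the data directory."""
    sect_rva, sect_raw, sect_size = 0x1000, 0x200, 0x200
    lc = bytearray(72)
    struct.pack_into("<I", lc, 0, 72)                                   # Size
    if safeseh:
        struct.pack_into("<II", lc, 64, sect_rva + 0x100, 2)            # handler table RVA, count
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)                           # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR_INDEX, sect_rva, len(lc))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)  # i386, 1 section, DLL
    sect = b".rdata\0\0" + struct.pack("<IIII", sect_size, sect_rva, sect_size, sect_raw) + bytes(16)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                         # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    image = bytearray(sect_raw + sect_size)
    image[:len(headers)] = headers
    image[sect_raw:sect_raw + len(lc)] = lc
    return bytes(image)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_mitigations(f.read()))
```

Run it over the DLLs a target process loads; any image reported as `seh_overwrite_candidate` without `aslr` is the kind of module the talk describes. The check is static: a module can still be rebased at load time, and process-wide DEP policy can override the per-image `dep` flag, so confirm in the debugger before building on it.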

IMG_7903

Charlie Miller talking about his Python fuzzing setup.

IMG_7905

“If you want 0-days, run my 5 lines of Python”, “You’ll find some… I guarantee it!” – Charlie Miller.
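The loop behind that quote, and behind the Microsoft file-parser fuzzing described earlier in the post, is the same mutate-run-check cycle. The script below is an added example, not Charlie Miller's script or Microsoft's distributed fuzzer: it overwrites a few random bytes of a seed file, hands the result to the target parser on the command line, and keeps only the inputs that kill the process with a signal. The sample seed and the self-test victim command are constructed for the example; the target command and timeout are whatever you pass in.

```python
"""Dumb mutation file fuzzer: seed file -> random byte overwrites -> run target -> keep crashes.
Added example; assumes a POSIX target that takes the input file as its last argument."""
import os
import random
import signal
import subprocess
import sys

SAMPLE_SEED = bytes(range(256)) * 4   # constructed stand-in for a real seed document

def seeded_rng(seed: int) -> random.Random:
    """Reproducible RNG so any crashing case can be regenerated from (seed, iteration)."""
    return random.Random(seed)

def mutate(data: bytes, rng: random.Random, max_changes: int = 8) -> bytes:
    """Overwrite 1..max_changes randomly chosen bytes with random values.
    Length is preserved so the file keeps enough structure to reach deep parser code."""
    buf = bytearray(data)
    if not buf:
        return bytes(buf)
    for _ in range(rng.randint(1, max_changes)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def diff_count(a: bytes, b: bytes) -> int:
    """Number of byte positions where a and b differ (equal lengths assumed)."""
    return sum(x != y for x, y in zip(a, b))

def run_target(cmd: list, path: str, timeout: float) -> tuple:
    """Run `cmd path` and report (crashed, detail). A negative return code on POSIX
    means the process died from a signal (SIGSEGV, SIGBUS, SIGABRT, ...)."""
    try:
        proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, "timeout"           # a hang: worth a look, but not a crash
    if proc.returncode < 0:
        return True, signal.Signals(-proc.returncode).name
    return False, "exit %d" % proc.returncode

def fuzz(seed_path: str, cmd: list, iterations: int, out_dir: str,
         timeout: float = 10.0, rng_seed: int = 0) -> list:
    """Mutate-run-check loop. Crashing inputs stay in out_dir for triage (CrashWrangler,
    !exploitable, Valgrind); everything else is deleted. Returns [(path, signal), ...]."""
    rng = seeded_rng(rng_seed)
    with open(seed_path, "rb") as f:
        seed = f.read()
    os.makedirs(out_dir, exist_ok=True)
    crashes = []
    for i in range(iterations):
        case = mutate(seed, rng)
        path = os.path.join(out_dir, "case-%d-%d.bin" % (rng_seed, i))
        with open(path, "wb") as f:
            f.write(case)
        crashed, detail = run_target(cmd, path, timeout)
        if crashed:
            crashes.append((path, detail))
        else:
            os.remove(path)
    return crashes

def demo_crash_detection() -> tuple:
    """Self-check of the crash detector: a Python child (constructed victim) sends itself
    SIGSEGV. Returns (False, "skipped") where that cannot be exercised."""
    if os.name != "posix" or not sys.executable:
        return False, "skipped"
    victim = [sys.executable, "-c", "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
    try:
        return run_target(victim, os.devnull, 10.0)
    except OSError:
        return False, "skipped"

if __name__ == "__main__":
    # usage: fuzz.py <seed file> <iterations> <out dir> -- <target command...>
    seed_file, count, out = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    target = sys.argv[sys.argv.index("--") + 1:]
    for crash_path, sig in fuzz(seed_file, target, count, out):
        print(crash_path, sig)
```

Two things the five-line version leaves out and this one keeps: the RNG is seeded so a crash file can be reproduced from its seed and iteration number, and a timeout separates hangs from crashes. Signal-based detection only sees what the OS reports; pairing the target with libgmalloc or Valgrind's memcheck, as the talk recommends, turns silent heap corruption into a crash the loop can catch.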

IMG_7906

IMG_7908

Charlie’s main tools for fuzzing: libgmalloc, CrashWrangler, memcheck, !exploitable and Valgrind.

IMG_7909

Adobe Reader 9.2: 4 exploitable bugs. Despite Adobe's blog post "Fuzzer Lessons Learned", Reader 9.3 still had the same 4 bugs. Adobe apparently not learning lessons.

Presentation notes:

  • "I had to teach my kids not to report bugs to Apple while fuzzing" – Charlie Miller
  • “I really wish they would fix this common bug, so i can fuzz easier” – Charlie Miller
  • Apple Preview crashed 5.6% of the time, compared to 0.09% of the time for Adobe Reader.
  • CrashWrangler was accurate 95% of the time on exploitable crashes; !exploitable was only 26% accurate.
  • Full slide deck at http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt. It was converted from Keynote, so forgive the formatting.

IMG_7913

Halvar Flake and Sebastian Porst presenting the latest project from zynamics.

Presentation notes:

IMG_7915

Screenshot of IODIDE, the IOS Debugger and Integrated Disassembler Environment, which will be released later this year. Too bad the Exploit Edition that was shown will not be publicly released.

IMG_7927

Thorsten Schroeder going over Keykeriki, a wireless sniffer and injector.

IMG_7928

IMG_7930  

IMG_7935

The live demo, which targeted a Microsoft wireless keyboard, worked and injected some commands!

Presentation notes:

IMG_7936

Dr. Melanie Rieback talking about RFID hacking. Presentation notes:

IMG_7939

Charlie wanted a big check last year, so here it is this year. But Charlie left for home early! Doh! Well, here is the proof that it existed.

IMG_7938

Thanks to Dragos and his crew (Yuriko, Will, etc) for putting together another great CanSecWest conference. We’ve been attending for the last four years, and the environment he has created is just top notch. Hope to see you at the next one!

Update: A few more presentation notes: