From a bug to a vulnerability

         Alexei Sintsov
          Digital Security
       twitter.com/asintsov

Program
http://www.flickr.com/photos/lofink/4501610335/

Program
Bug

Exploitation
Vulnerability
Bug

Who looks for vulnerabilities?
http://www.flickr.com/photos/rufo_83/3154516530/
So different
- Buffer overflow
- Cross-site scripting
- SQL code injection
- Missing authorization
- Logic errors
- Authentication bypass
- And much more..
Example. Design errors - 1

   PepsiCo                Danon
   Coca-Cola              Mercedes-Benz
   Johnson & Johnson      Ford Motor
   Lockheed Martin        Mazda Motor Corporation
   McDonnell-Douglas      Heineken
   Sony
Authentication
Attack
Exploit
XOR EAX, EAX
Where is the bug?
Performing the authentication on the client side - NOT right!
Example. Design errors - 2
     Kaspersky Administration Kit



Conditions for the attack:
- A domain
- The account has local Administrator rights
Scanning and attack
What to do?
Should have foreseen the possibility of SMBRelay!

Should have documented it better.
Example. Bugs in code - 1
       A Russian-made Bank-Client system
ActiveX component for working with digital signatures (EDS):
Example. BoF
     A Russian-made Bank-Client system
#include <string.h>

// Builds an error message in bufferOut, substituting the "%1" placeholder with fileName.
// fileName comes from the ActiveX caller and bufferOut is a fixed-size buffer on the
// caller's stack, so the unbounded copy of fileName overflows it.
char* vuln(char *bufferOut, char *fileName){
  char *errorText="Ошибка при создании файла с именем %1.";

    while(*errorText)
    {
      if(*errorText=='%' && *(errorText+1)<'9') // substitution of %1
      {
         strcpy(bufferOut,fileName); // errorText rewrite! (no length check on fileName)
         bufferOut+=strlen(fileName); // advance the output pointer
         errorText+=2;                // skip the "%1" just substituted
         continue;
      }
      *bufferOut++=*errorText++; // Stack overflow (errorText<bufferOut)
    }
    *bufferOut='\0';

    return bufferOut;
}
Example. BoF
What to do?
Do code review.

Use a current Visual Studio (VS).

Use the protection flags: /GS /SafeSEH
Example. Bugs in code - 2
     Lotus Domino Controller
Example. Bugs in code - 2
                          Authentication

   User -> {Login, Password, cookiefilename} -> Lotus Domino Controller

cookiefilename: the name of a file on the Lotus server holding the account database with the password hashes

                                                                         © Patrik Karlsson and ZDI
Example. Bugs in code - 2
            Authentication
    File file = new File(cookieFilename);
    ...
    inputstreamreader = new InputStreamReader(new
                             FileInputStream(file), "UTF8");
    ...
    inputstreamreader.read(ac, 0, i);
    ...
    String s7 = new String(ac);
    ...
    do {
        if((j = s7.indexOf("<user ", j)) <= 0)
            break;

        int k = s7.indexOf(">", j);
        if(k == -1)
            break;

        String s2 = getStringToken(s7, "user=\"", "\"", j, k);
        ...
        String s3 = getStringToken(s7, "cookie=\"", "\"", j, k);
        ...
        String s4 = getStringToken(s7, "address=\"", "\"", j, k);
        ...
        if(usr.equalsIgnoreCase(s2) && pwd.equalsIgnoreCase(s3)
           && appletUserAddress.equalsIgnoreCase(s4))
        {
            flag = true;
            break;
        }
        ...
    } while(true);
Example. Bugs in code - 2
                         Authentication bypass
echo ^<user name="admin" cookie="dsecrg" address="10.10.0.1"^> > n:domino2zdi0day_.txt
What to do?
Do code review.
Example. The fix.
          Authentication
    File file = new File("./" + cookieFilename);
    ...
    inputstreamreader = new InputStreamReader(new
                             FileInputStream(file), "UTF8");
    ...
    inputstreamreader.read(ac, 0, i);
    ...
    String s7 = new String(ac);
    ...
    do {
        if((j = s7.indexOf("<user ", j)) <= 0)
            break;

        int k = s7.indexOf(">", j);              // s7.substring(..)
        if(k == -1)
            break;

        String s2 = getStringToken(s7, "user=\"", "\"", j, k);
        ...
        String s3 = getStringToken(s7, "cookie=\"", "\"", j, k);
        ...
        String s4 = getStringToken(s7, "address=\"", "\"", j, k);
        ...
        if(usr.equalsIgnoreCase(s2) && pwd.equalsIgnoreCase(s3)
           && appletUserAddress.equalsIgnoreCase(s4))
        {
            flag = true;
            break;
        }
        ...
    } while(true);
New attack
cookie.xml:
<?xml version="1.0" encoding="UTF-8"?>
<user name="admin" cookie="dsecrg" address="10.10.0.1">         Valid

cookie2.xml.trash:
There is a good <user xml file!
andname="admin"willbefound
as cookie="dsecrg" andaddress="10.10.0.1"hooray!                Valid
>and blah-blah-blah
0day demonstration
What to do?
Do code review.

Automated tools are not enough.
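The decompiled loop scans the whole file for the substrings "<user ", name=", cookie=", address=" and ">", so any file that contains them in that order "validates", and prefixing "./" to the file name does not change which files the user can point the check at. The Python below is an added example, not Lotus code: it emulates that substring check on constructed copies of the slide's two files, then shows the two checks that close the hole, a whitelist on the file name and a strict match of the file against the one record shape that is expected, with a constant-time comparison of the credentials. The token name="  for the user attribute and the exact record format are assumptions.

```python
import hmac
import re

# Constructed samples modelled on the slide's cookie.xml and cookie2.xml.trash.
VALID_FILE = ('<?xml version="1.0" encoding="UTF-8"?>\n'
              '<user name="admin" cookie="dsecrg" address="10.10.0.1">\n')
TRASH_FILE = ('There is a good <user xml file!\n'
              'andname="admin"willbefound\n'
              'as cookie="dsecrg" andaddress="10.10.0.1"hooray!\n'
              '>and blah-blah-blah\n')


def _token(text, start_tok, end_tok, j, k):
    """Emulates getStringToken(): the value between start_tok and end_tok inside text[j:k]."""
    s = text.find(start_tok, j, k)
    if s == -1:
        return None
    s += len(start_tok)
    e = text.find(end_tok, s, k)
    return None if e == -1 else text[s:e]


def naive_extract(text):
    """Emulates the decompiled loop: any text with the right substrings in order passes."""
    j = 0
    while True:
        j = text.find("<user ", j)
        if j <= 0:          # the original breaks on -1 and, oddly, on offset 0 as well
            return None
        k = text.find(">", j)
        if k == -1:
            return None
        fields = tuple(_token(text, t, '"', j, k)
                       for t in ('name="', 'cookie="', 'address="'))
        if None not in fields:
            return fields
        j = k               # keep scanning after this tag


# Hardened version: both the file name and the whole file content must match a strict shape.
SAFE_NAME = re.compile(r'\A[A-Za-z0-9_-]+\.xml\Z')      # no separators, no "..", no extra suffix
RECORD = re.compile(
    r'\A<\?xml version="1\.0" encoding="UTF-8"\?>\s*'
    r'<user name="([A-Za-z0-9_.-]+)" cookie="([A-Za-z0-9_.-]+)" '
    r'address="([0-9.]+)"\s*/?>\s*\Z')


def safe_cookie_filename(name):
    """Whitelist: a plain *.xml name, nothing that could leave the intended directory."""
    return SAFE_NAME.match(name) is not None


def strict_extract(text):
    """Accepts only a file that is exactly one <user> record and nothing else."""
    m = RECORD.match(text)
    return m.groups() if m else None


def authenticate(filename, content, usr, pwd, addr):
    """Hardened check: whitelist the name, parse strictly, compare in constant time."""
    if not safe_cookie_filename(filename):
        return False
    rec = strict_extract(content)
    if rec is None:
        return False
    ok = True
    for got, expected in zip(rec, (usr, pwd, addr)):
        ok &= hmac.compare_digest(got.encode(), expected.encode())
    return ok
```

naive_extract accepts the .trash file with the same credentials as the real cookie.xml, which is the "New attack" slide in miniature; strict_extract rejects it, and safe_cookie_filename rejects the name before the file is even opened.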
PS.
WEB

No XSS, no SQLi - we want something new!
Google docs
What does it look like? The user.
What does it look like? The creator.
How to attack?

But it's Excel!

Let's insert =A1+B1
How to attack?

Let's insert %08=A1+B1

Yaaahooo!!
Vulnerability?
Where is the bug?
Do fuzzing.

Analyze the business functions.
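The %08=A1+B1 slide shows a filter that looks only at the first byte of a cell being defeated by a control character placed in front of the "=". The Python below is an added example, not Google's code: it assumes that the original filter was a plain "starts with =" check and that %08 is the URL encoding of the backspace character (0x08), and contrasts that check with one that skips leading control and whitespace characters before looking for the formula trigger characters listed by OWASP for CSV/spreadsheet injection (=, +, -, @), then neutralizes a formula cell by prefixing an apostrophe.

```python
from urllib.parse import unquote

# Characters that make a spreadsheet treat a cell as a formula (OWASP CSV injection list).
FORMULA_TRIGGERS = frozenset("=+-@")


def naive_is_formula(value):
    """The assumed original filter: only the very first character is inspected."""
    return value.startswith("=")


def is_formula(value):
    """Skip what the spreadsheet swallows before the trigger: whitespace and control chars."""
    i = 0
    while i < len(value) and (value[i].isspace() or ord(value[i]) < 0x20 or value[i] == "\x7f"):
        i += 1
    return i < len(value) and value[i] in FORMULA_TRIGGERS


def neutralize(value):
    """Store a would-be formula as text by prefixing an apostrophe; leave plain text alone."""
    return "'" + value if is_formula(value) else value


def store_cell(raw_form_value):
    """Decode the submitted value (the slide sends it URL-encoded) and then neutralize it."""
    return neutralize(unquote(raw_form_value))
```

The fuzzing advice on the slide is exactly how the gap between the two checks is found: every byte value in front of "=" is a test case, and the naive filter passes all but one of them.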
How to do it right?
- Analyze the logic and the functionality from the point of view of threats
    UnitTests
- Analyze the code
    Automatically
    Manually, in addition: do code reviews
- Use risk-mitigation technologies:
    C/C++
        /GS
        /SafeSEH
        /DYNAMICBASE
    WEB
        HttpOnly
        Secure
        X-Frame-Options
- Analysis of threat types and best practices.
- Analysis of the role model
- Analysis of the DBMS schemas
How are they found?
Static analysis
     Source code review
         regexp
         formal methods
         by hand
     Reverse Engineering
         formal methods
         signatures
         by hand
Dynamic analysis
     Fuzzing (bin/web)
        + typical vulnerabilities for the given type
        + Reverse Engineering
     by hand
Architecture review (logic errors)
Bugs in 3rd-party components - in the CVE database
Automation
    Fuzzers:              Source code analyzers:
    SQLMap                RATS
    Peach                 Flawfinder
    COMRaider             Yasca
    Sulley
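The "regexp" line under source code review is the approach the listed analyzers (RATS, Flawfinder, Yasca) take as a first pass: pattern-match calls known to be dangerous and hand them to a reviewer. The Python below is an added example, not any of those tools: a minimal scanner of that kind, run over a constructed copy of the slide's vuln() function. It reports line, call and advice, ignores line comments, and the sample deliberately contains a commented-out call, because telling live code from dead code is the kind of thing such a scan can only partly do; the advice strings are the reviewer's, not tool output.

```python
import re

# Calls a first-pass source review flags (the advice is the reviewer's, not a tool's output).
RISKY_CALLS = {
    "strcpy":  "unbounded copy: pass the destination size (strncpy_s/snprintf) or check strlen first",
    "strcat":  "unbounded append: check the remaining space before appending",
    "sprintf": "unbounded format: use snprintf with the destination size",
    "gets":    "reads without a limit: use fgets",
}
CALL_RE = re.compile(r'\b(' + '|'.join(map(re.escape, RISKY_CALLS)) + r')\s*\(')

# Constructed C sample, modelled on the slide's vuln() with a commented-out call added.
SAMPLE_C = '''\
char* vuln(char *bufferOut, char *fileName){
  char *errorText="Error creating file named %1.";
    while(*errorText)
    {
      if(*errorText=='%' && *(errorText+1)<'9')
      {
         strcpy(bufferOut,fileName); // errorText rewrite!
         // sprintf(bufferOut, "%s", fileName);   old version, disabled
         bufferOut+=strlen(fileName);
         errorText+=2;
         continue;
      }
      *bufferOut++=*errorText++;
    }
    return bufferOut;
}
'''


def scan_source(text):
    """Return (line_number, call, advice) for every risky call outside a // comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]      # drop line comments (block comments are not handled)
        for m in CALL_RE.finditer(code):
            findings.append((lineno, m.group(1), RISKY_CALLS[m.group(1)]))
    return findings


def report(text):
    """Human-readable form of scan_source(), one line per finding."""
    return [f"line {n}: {call}() - {advice}" for n, call, advice in scan_source(text)]
```

On the sample the scan points at the strcpy on line 7 and nothing else, which is the right finding here but also shows the limit of the method: it says nothing about whether bufferOut is large enough, which is what the "by hand" entry under source code review is for.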
Development

             (c) OWASP
Thank you for your attention

    www.twitter.com/asintsov
      a.sintsov@dsec.ru
Please rate my talk.

Your opinion is very important.

        Thank you!

Alexei Sintsov - "Between error and vulnerability - one step"