Infiltrate and Syscan 360

Hi everyone,

I spent the last weeks traveling to Singapore and Miami to present my Xenpwn research about double fetch vulnerabilities in paravirtualized devices at Infiltrate and Syscan360. You can find my slides here. Both conferences had great organization, very technical talks and a cool audience. In the following I want to give a short recap of some of the talks I liked the most:

Sean Heelan – Automatic Root-Cause Identification for Crashing Executions (Infiltrate)

Sean Heelan talked about his work on automated root cause analysis. The goal of this research is to give a human researcher a detailed analysis of the potential root causes (in the form of violated predicates) that triggered a crash during a fuzzing run. Sean summarizes the core idea of his research in his blog post much better than I would be able to; the post also contains a link to his slides. I'm always a big fan of his talks because he is one of the few people working at the intersection of the academic program verification community and the IT security industry.

Sebastian Apelt – Pwning Adobe Reader (Syscan360 + Infiltrate)

Sebastian presented his research on the internals of Adobe's XML Forms Architecture (XFA), which is used by Adobe Reader for handling interactive forms. Thanks to its incredibly complicated spec (around 1550 pages) and the integrated JavaScript engine, XFA offers a perfect attack surface for exploiting Adobe Reader. Sebastian discussed how he reversed the layout of XFA objects in memory, as well as the internals of Adobe's custom heap allocator known as jfCacheManager. In comparison to modern OS allocators, jfCacheManager does not include any serious security features (no safe-unlinking style checks on its free lists), which allows the exploitation of even very limited memory corruptions: Sebastian discussed a powerful exploitation primitive based on (partial) corruption of a free-list entry's forward link (flink) pointer and demonstrated this approach on two example vulnerabilities.

The talk was a great mix of reverse engineering and exploitation techniques, and you should definitely check out the slides (maybe the PPTX ones 😉) published here.

Matthias Kaiser – Java deserialization vulnerabilities – The forgotten bug class (Infiltrate)

Matthias talked about Java deserialization vulnerabilities, their root causes, history and exploitation techniques. After discussing his approach for finding these bugs (search for or break on ObjectInputStream.readObject()) and useful properties of gadget chains, he walked through a recent vulnerability in Oracle WebLogic and dropped a 0day in the SAP NetWeaver P4 protocol.

While most pentesters and security researchers know that deserializing arbitrary user input is evil, many software developers still do not seem to know this. Due to the prevalence of "enterprise" Java-based software stacks in many corporate environments, this bug class will probably be a source of vulnerabilities for a really long time. This makes Matthias's slides a must read for every pentester ;).

– Best, Felix