Archives of POC2009

 

 Sionics & kaientt, "7.7 DDoS: Unknown Secrets & Botnet Counter Attack"

 

 Xu Hao, "Attacking Certificate-based Authentication System & Microsoft InfoCard"

 

 Stefan Esser, "Shocking News in PHP Exploitation"

 

 MJ0011, "Analyzing VMware Operating System & Detecting Rootkit from Outside"

 

 Tielei Wang, "Detecting Integer Overflow Vulnerabilities in Binaries"

 

 Tora, "Vulnerability Discovery with Happy Reverse Engineering"

 

 Moti Joseph, "Microsoft Patches Little Sister But Forgets Big Brother"

 

 Raditya Iryandi, "Hacking Satellite: New Universe to Discover"

 

 Alexander Sotirov, "Bypassing Memory Protection on Windows 7"

 

 Sandro Gauci, "When the Internet & Telephony Mix: Security Flaws in VoIP Systems"

   

 binoopang, "Analysis of Reverse Engineering Contest Files"

   

 unknown, "Topic That Can't Be Here, But Interesting..."

   

Events of POC2008

Reverse Engineering Contest - Hackers' Dream
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
   * The contest will start at 08, October, 2009 00:00:00 GMT
   * You can download the files which you must analyze here.
   * You must send me your report by 13, October, 2009 24:00:00 GMT
   * Your report must be written in English or Korean.
   * The more detailed your report is, the more points you can get.
   * The result will be announced on this page on 16, October, 2009.
     The prize will be given to the top three (teams).
     The winner(s) can be speaker(s) at POC2009.
     If the winner is a foreigner, POC will provide air tickets for him to come to Seoul,
     and he can enjoy all the privileges of a speaker.
   * If you have any questions, please mail me.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
 
- Result
 
516 unique IPs from around the world participated in the contest. AhnLab & POC picked out two teams that submitted complete reports and met the POC standard. The two highest-ranked teams are as follows:
 
    #1. linz, alonglog, binoopang (IS119 team of Chonnam National University)
    #2. JZ, Maple
 
Congratulations!
 
One of these teams will present its analysis at POC2009. The team will have all the privileges of a POC2009 speaker. The 5 members of these teams will be invited to POC2009 as guests regardless of rank.
 
The report of the champion team will be included in the POC2009 CD.
 
Thank you, all participants. May you be the next champion!
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* You can download the files here.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          

Alexander Sotirov, "Is Exploitation Over? Bypassing Memory Protections on Windows 7"

Alexander Sotirov is an independent security researcher with more than ten years of experience in vulnerability research, reverse engineering and advanced exploitation techniques. His most recent work includes exploiting MD5 collisions to create a rogue Certificate Authority, bypassing the exploitation mitigations on Windows Vista and developing the Heap Feng Shui browser exploitation technique. His professional experience includes positions as a security researcher at Determina and VMware. Currently he is working as an independent security consultant in New York.
 
He is a regular speaker at security conferences around the world, including CanSecWest, BlackHat and Recon. Alexander is a program chair of the USENIX Workshop on Offensive Technologies and is one of the founders of the Pwnie Awards.
 
The difficulty in exploitation of memory corruption vulnerabilities has increased significantly with the introduction of the exploitation mitigation features in modern operating systems. The combination of GS stack cookies, SEHOP, ASLR and DEP in Windows 7 in theory prevents almost all cases of control flow modification in a vulnerable application. Vulnerabilities on Linux and the iPhone are also much more difficult to exploit than they have been at any point in the past.
 
Is exploitation over? This presentation will discuss the challenges facing exploit developers on hardened systems today and will outline the most promising directions for future exploitation research. I will focus not on the failure of common software to opt in to the protections, but on the future of exploitation assuming that all current protections are universally applied.
          




MJ0011, "Analyzing VMWare Operating System and Detect Rootkit from Outside"

MJ0011 works at 360safe as a kernel security researcher and Windows driver engineer. His long experience in Windows kernel security, rootkits and anti-rootkits, reverse engineering, and kernel-mode vulnerability attack and defense enables him to provide more than 200 million 360safe users with a stable kernel-level safety protection product. He has uncovered many kernel security vulnerabilities and faults in Windows operating systems, including Windows XP and Windows 7. At Xcon2008 he introduced Tophet, a bootkit with multiple high-level attack methods.
 
This presentation will present a mechanism to analyse the operating system inside a VMware virtual machine from outside and detect rootkits in it. This method, which does not depend on any interface or backdoor provided by VMware, can stably and covertly detect and clear rootkits from outside the operating system. The presentation will also introduce a method to read and write the physical memory of a VMware virtual machine at run time, and show how to use it to achieve complete rootkit detection: detecting and dumping hidden kernel modules, detecting and terminating hidden processes, and detecting and clearing inline hooks and object hooks. A rootkit detection tool, WMXARK, based on the VMware virtual machine memory access library, will be published for the first time. WMXARK will implement the complete anti-rootkit function for the inner operating system of a VMware virtual machine.




Moti Joseph, "Microsoft Patches Little Sister But Forgets Big Brother"

Moti Joseph has been involved in computer security since 2000. For the past 9 years, he has been working on reverse engineering exploit code and developing security products. He was a speaker at the Black Hat USA 2007 and ShakaCon security conferences, and he is currently a Senior Security Researcher with Websense Security Labs.
 
In this presentation, some past 0-day exploits and the easy way to hunt 0-days will be introduced. The speaker will also discuss how software vulnerabilities are found and other aspects of 0-days.




Raditya Iryandi, "Hacking VSAT: Play around with Physical till Session Layer"

 Raditya Iryandi has been a technology junkie since he was a teenager. He loves dealing with telecommunication systems such as satellite, Wi-Fi and modern phreaking. Recently he joined Bellua Asia Pacific as an information security consultant. Prior to joining Bellua, he was Technical Director at C2PRO Consulting.
 
Since the mid-1950s, satellite communication systems have made enormous advances in capability and performance. Internet access over satellite, digital content distribution, wide area network (WAN) connectivity, video teleconferencing, distance learning, and telephony services sent over satellites have become integral to our society. Unfortunately, security has not kept pace and the current satellite systems are vulnerable to a variety of attacks.




Sandro Gauci, "When the Internet and Telephony Mix: Security Flaws in VoIP Systems"

Sandro Gauci is the owner and founder of EnableSecurity, where he performs R&D and security consultancy for mid-sized companies. Sandro has over 9 years of experience in the security industry and is focused on the analysis of security challenges and providing solutions to such threats. His passion is vulnerability research, and he has previously worked together with various vendors such as Microsoft and Sun to fix security holes. Sandro is the author of the free VoIP security scanning suite SIPVicious, VOIPPACK for CANVAS and VOIPSCANNER.com.
 
This presentation will describe security flaws in VoIP systems that are exposed on the Internet. Such issues can be remotely exploited by attackers operating from the safety of their home. He will explore security vulnerabilities that may seem to be valid features of the system. Apart from theoretical attacks, he will also look at how some of these security holes are being abused by attackers for profit.




Sionics & kaientt, "7.7 DDoS: Unknown Secrets & Botnet Counter Attack"

Sionics is a security researcher at the global anti-virus company Hauri. He is performing alternative military service as technical research personnel. His main interests are reverse engineering and vulnerability analysis. He is currently doing research in the field of recent security threat analysis and proactive response.
 
kaientt is a student in the Department of Information Security Engineering at SoonChunHyang University and a member of SSM (Samsung Software Membership). He was also a speaker at DISC2009 and ISEC2009.
 
This presentation will give a brief description of the 7.7 DDoS attack and a detailed analysis of the attack code that was used in it. The different communication protocol types of the three malicious codes and the features of the 7.7 DDoS attack will be explained in detail through the restoration of source code. The conditions, overall process and interrelationships of the malicious code's operation will also be explained. In addition, the background history of the 7.7 DDoS attack will be given.




Stefan Esser, "Shocking News in PHP Exploitation"

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002, he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded. He was a speaker at POC2008 and Black Hat USA 2009.
 
Remote code execution vulnerabilities in modern PHP applications have become more difficult to find and exploit due to better education of developers and the wide adoption of Suhosin, web application firewalls and other PHP environment hardening. For example, the class of remote file inclusion vulnerabilities is practically dead in modern PHP installations.
      
This talk will demonstrate how a well known class of PHP application vulnerabilities that is widely believed to be a DoS vulnerability only, can result in arbitrary PHP code being executed. Furthermore it will be demonstrated how attacks on PHP applications can be tunneled through web application firewalls like mod_security with ease, bypassing the whole rule engine. And last but not least we will take a look at the recently introduced protections against interruption vulnerabilities in PHP and how it is still possible to perform post exploitation tricks as presented at Syscan and Blackhat.
  
Stefan Esser will show a PHP application 0-day, a mod_security bypass 0-day, and 0-day tricks to still perform interruption vulnerabilities.




Tielei Wang, "Detecting Integer Overflow Vulnerabilities in Binaries"

Wang Tielei, PhD of the Peking University institute of computer, is interested in web and information security, especially in the discovery of binary vulnerabilities and the analysis of malicious code. He gave a talk at NDSS'09 on techniques for detecting integer overflow vulnerabilities in binary programs. He was also the first speaker from mainland China to present at NDSS with a first-author affiliation.
 
The presentation covers research on detecting integer overflow vulnerabilities in binaries. Using a system that the author developed himself, dozens of zero-day integer overflow vulnerabilities were detected in several popular software packages. Some of them have been released via VUPEN and Secunia and collected into CVE.




Tora, "Vulnerability Discovery with Happy Reverse Engineering"

Tora is a reverse engineer and computer forensic analyst currently working in Spain, but probably he's better known as the captain of the Sexy Pandas. He's been doing RCE since the late 90's and in the last few years he's been working on RCE-helper tools and analysis automation.
 
There are several methods to analyze binaries and look for security vulnerabilities. We can fuzz protocols or file formats, we can diff security patches or we can reverse engineer the binaries. In this talk we will focus on the third option, and how we can improve our bug finding speed and analysis even when working with big and complex binaries.




Xu Hao, "Attacking Certificate-based Authentication System & Microsoft InfoCard"

Xu Hao graduated from the Information Security Department of Shanghai Jiaotong University. He now works on developing information security products and researching advanced security technology. He began to focus on information security research five years ago; his main research areas are the Windows kernel, rootkits and malware, hardware virtualization technology, reverse engineering, and smart cards & PKI. He has spoken at XCon2008 and XCon2009.
 
Authentication systems are widely used to control user access rights. Individuals, companies and governments need authentication systems to protect sensitive information. Username and password authentication is easy to implement, but such systems have many disadvantages. By comparison, certificate-based authentication systems and Microsoft CardSpace are thought to be much safer.
 
This paper first introduces some basic knowledge about cryptography, certificates and PKI. It then analyzes local certificate management in Windows, proposes methods to steal certificates and discusses some real cases. After that, the paper covers the Microsoft CardSpace feature and gives a way to steal personal information cards stored in CardSpace. Finally, the paper describes the concepts of smart cards and the components of a smart card product. It also raises possible ways to attack smart cards and discusses an online bank case.




linz, alonglog, binoopang, "Analysis of Reverse Engineering Contest Files"






UK, "Topic That Can't Be Here, But Interesting..."

This topic will be presented on the last day of POC2009. POC thinks it is better not to disclose it now.




Copyright(c) 2006 ~ Powerofcommunity All rights reserved.