PDA

View Full Version : CONFidence 2010 is over


j00ru vx tech blog
May 30th, 2010, 04:17
One of the biggest (best http://j00ru.vexillium.org/wp-includes/images/smilies/icon_wink.gif ) IT security-oriented conferences in Poland finished three days ago, in the wednesday evening. In the very first place, I would like to congratulate all the organisers, for their decision on where the event should be held, as well as how it should look like - during these two days, I had plenty of real fun!

CONFidence 2010 took place in Poland, on 25th and 26th of May, in the Kijów Cinema. The lectures were presented on two, independent tracks (thus everyone was able to find something for himself in any given moment), and regarded numerous, important security fields. In my opinion (and because of my specific interests), the best speeches were given by Sebastian Fernandez - "General notes about exploiting Windows x64", Mario Heidreich - "The Presence and Future of Web Attacks Multi-Layer Attacks and XSSQLI" and Alexey Tikhonow - "De-blackboxing of digital camera". I am really looking forward to see the slides being published as soon as possible. Meanwhile, you can find the complete conference schedule at http://2010.confidence.org.pl/agenda.

The ESET company (NOD32 software producent) has recently decided to organise two competitions with fun prizes - some detailed information can be found here ("http://www.eset.pl/nowosci/nowosci/wez-udzial-w-konkursie-eset-i-wygraj-jeden-z-dwoch-komputerow.html"). In short: the purpose of the first one was to create or project a security-related application of any kind. The second one was directed towards the conference attendees, as the goal was to find a correct serial key associated to a chosen user name, in a specially prepared executable file. A team consisting of Gynvael Coldwind ("http://gynvael.coldwind.pl/") and me managed to meet the latter objective, and therefore win the competition http://j00ru.vexillium.org/wp-includes/images/smilies/icon_smile.gif Due to the above, a short blog entry/article should be released soon, covering the exact way of generating a correct serial, having as little knowledge about the input data verification mechanisms, as only possible (stay tuned http://j00ru.vexillium.org/wp-includes/images/smilies/icon_wink.gif ). The CrackMe can be still downloaded from the CONFidence website: http://2010.confidence.org.pl/ESET/banner.html, and I encourage every one and each of you to take a look at this one.

Moreover, I had the pleasure (once more, with Gynvael's collaboration) to carry out one of the last presentations, dedicated to the Windows kernel vulnerabilities (related to CSRSS and the system registry), which I have often mentioned lately. I think this is a perfect opportunity to publish some advisory documents, containg more relevant, detailed information about the vulns, of a more technical nature. Below you can find a complete list of these:


Windows CSRSS Local Privilege Elevation Vulnerability ("http://vexillium.org/dl.php?HISPASEC_CSRSS_Priv_Escal.pdf") (CVE-2010-0023 ("http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0023"))
Windows Kernel Null Pointer Vulnerability ("http://vexillium.org/dl.php?HISPASEC_Local_DoS1.pdf") (CVE-2010-0234 ("http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0234"))
Windows Kernel Symbolic Link Value Vulnerability ("http://vexillium.org/dl.php?HISPSAEC_Local_DoS2.pdf") (CVE-2010-0235 ("http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0235"))
Windows Kernel Memory Allocation Vulnerability ("http://vexillium.org/dl.php?HISPASEC_Buffer_Overflow.pdf") (CVE-2010-0236 ("http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0236"))
Windows Kernel Symbolic link Creation Vulnerability ("http://vexillium.org/dl.php?HISPASEC_Registry_Local_Priv_Escal.pdf") (CVE-2010-0237 ("http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0237"))
Windows Kernel Symbolic link Information Disclosure ("http://vexillium.org/dl.php?HISPASEC_Info_Disclosure.pdf") (CVE-2010-0237 ("http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0237"))
Windows Kernel Registry Key Vulnerability ("http://vexillium.org/dl.php?HISPASEC_Race_Condition.pdf") (CVE-2010-0238 ("http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0238"))
Furthermore, a package including all the above advisories is available to be downloaded here ("http://vexillium.org/dl.php?Hispasec_Advisories.zip") (864 kB).

The slides presented during our lecture can be found here ("http://vexillium.org/dl.php?confidence_slideshow.pdf") (1.6 MB).

I strongly encourage every conference attendee to share your opinion regarding the conference itself, as well as specifically the material talked over by us. http://j00ru.vexillium.org/wp-includes/images/smilies/icon_wink.gif



http://j00ru.vexillium.org/?p=363&lang=en

evaluator
June 1st, 2010, 10:04
that crackme is Bit-machine.
8 handlers are:
0: ExitLoop
1: ConditionalJumpOver
2: Invert_Bit_InControlDword
3: Set_Bit_InControlDword
4: And_Bits_InControlDword
5: Copy_Bit_InControlDword
6: Copy_Bit_FromMemoryToControlDword
7: Copy_Bit_FromControlDwordToMemory

bits in Word used as 3-5-5-3 ...

j00ru
June 2nd, 2010, 04:12
Hi evaluator, so you took the time to actually look at the executable Good job!
There's nothing really special about it, I agree; but the way we solved it then could be interesting anyways

evaluator
June 2nd, 2010, 13:05
VM operates on Bits using Logic Gates.
emulated Instructions found MOV, XOR, ADD, SHL
this is optimised (LOOP added) code.

Code:
XOR D0 D014
MOV D034 0

mov ecx 0
@R1:
cmp ecx 020 | je @R1E
BT D04 ecx | jnc @SH1 | ADD D034 D028
@SH1:
SHL D028 1 | inc ecx | jmp @R1


@R1E:

XOR D08 D01C
MOV D03C 0

mov ecx 0

@R2:
cmp ecx 020 | je @R2E
BT D0C ecx | jnc @SH2 | ADD D03C D020
@SH2:
SHL D020 1 | inc ecx | jmp @R2

@R2E:
MOV D030 0

mov ecx 0
@R3:
cmp ecx 020 | je @R3E
BT D0C ecx | jnc @SH3 | ADD D030 D02C
@SH3:
SHL D02C 1 | inc ecx | jmp @R3

@R3E:
XOR D034 D010
MOV D038 0

mov ecx 0
@R4:
cmp ecx 020 | je @R4E
BT D0 ecx | jnc @SH4 | ADD D038 D024
@SH4:
SHL D024 1 | inc ecx | jmp @R4

@R4E:
XOR D03C D018

j00ru
June 2nd, 2010, 13:59
Wow, good work @ analyzing the VM implementation+virtual code
Hopefully this doesn't show up to people that would like to solve it on their own ;>