Niels Provos - Security

Anatomy of a PDF Exploit

nospam@example.com (Niels Provos) — Thu, 19 Aug 2010 17:10:08 -0700

PDF has become the de-facto standard for formatting print documents. Over the years, it has evolved into a feature rich and very complex system. PDF supports embedded Javascript that can be used for form validation and contains support for different image formats and 3D models, etc. As a result, PDF implementations have numerous vulnerabilities that can be exploit by adversaries to gain control over a user’s computer. Here are a number of CVEs that are currently being exploited in the wild: CVE-2007-5659, CVE-2008-2992, CVE-2009-0927, CVE-2009-2994, CVE-2009-4324, CVE-2010-0188.

In this blog post, we are going to look at current exploitation of CVE-2010-0188: An integer overflow in the parsing of the dot range option in TIFF files. The vulnerability was publicly announced in February 2010. Examples of exploit code are readily available on the Internet and a very good explanation of how the exploit works has been provided by Fortinet.

The exploit described by Fortinet utilizes an AcroForm described in XML. The XML contains an image field with an embedded TIFF image that triggers the vulnerability.

Continue reading "Anatomy of a PDF Exploit"

LEET '10 Call for Papers

nospam@example.com (Niels Provos) — Sat, 29 Aug 2009 12:35:46 -0700

The call for papers for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '10) Botnets, Spyware, Worms, and More just went out. It will be held on April 27, 2010 in San Jose, CA.

LEET '10 will be co-located with the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI '10), which will take place April 28–30, 2010.

Important Dates

Submissions due: Thursday, February 25, 2010, 11:59 p.m. PST
Notification of acceptance: Wednesday, March 24, 2010
Final papers due: Monday, April 5, 2010

Workshop Organizers
Program Chair

Michael Bailey, University of Michigan

Program Committee

Dan Boneh, Stanford University
Nick Feamster, Georgia Institute of Technology
Jaeyeon Jung, Intel Labs, Seattle
Christian Kreibich, International Computer Science Institute
Patrick McDaniel, Pennsylvania State University
Fabian Monrose, University of North Carolina, Chapel Hill
Jose Nazario, Arbor Networks, Inc.
Stefan Savage, University of California, San Diego
Matt Williamson, AVG Technologies
Yinglian Xie, Microsoft Research
Vinod Yegneswaran, SRI International

Go submit your work!

DirectShow Vulnerability Exploited Everywhere

nospam@example.com (Niels Provos) — Sat, 11 Jul 2009 09:38:16 -0700

The DirectShow vulnerabilities are being exploited all over the place now. Unfortunately, the second vulnerability in DirectShow is still unpatched and exploit sites seem to be jumping on this. There is even some evidence that it's possible to successfully exploit the vulnerability without even using JavaScript. New exploit domains are popping after every day. DirectShow now seems to be what Flash and PDF were earlier in the year.

Cybercrime 2.0: When the Cloud Turns Dark

nospam@example.com (Niels Provos) — Wed, 01 Jul 2009 08:19:59 -0700

We recently published an article on web-based malware in ACM's Queue Magazine. It provides a short overview of some of the challenges with detecting malicious web sites such as social engineering and examples of techniques for compromising web sites, e.g. htaccess redirection on Apache, etc. This is the article on which my recent ISSNet talk was based.

Top 10 Malware Sites

nospam@example.com (Niels Provos) — Sat, 06 Jun 2009 10:03:02 -0700

A list of the top-10 malware sites found by Google's infrastructure over the last two months is available at the Google Online Security Blog. Gumblar and Martuz are among them as well as googleanalytlcs.net. There certainly have been lots of compromised web servers recently.

LEET'09: Large Scale Exploits and Emergent Threats

nospam@example.com (Niels Provos) — Tue, 14 Apr 2009 17:25:08 -0700

The 2nd USENIX LEET workshop is going to take place on April 21st in Boston next week. The workshop program looks really interesting. There are a number of really interesting talks; here are just a few:

Spamcraft: An Inside Look At Spam Campaign Orchestration
A Foray into Conficker's Logic and Rendezvous Points
A View on Current Malware Behaviors

Last year's workshop was a blast and I expect that next week is going to be lots of fun, too. It is still possible to register on-site for the workshop.

LEET '09 Call for Papers

nospam@example.com (Niels Provos) — Wed, 12 Nov 2008 18:48:12 -0800

The CfP for the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '09): Botnets, Spyware, Worms, and More is up at:

http://www.usenix.org/event/leet09/cfp/.

LEET '09 will be held on April 21, 2009 in Boston, MA immediately before the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI '09), which will take place April 22–24, 2009.

Important Dates

Submissions due: January 16, 2009, 11:59 p.m. EST
Notification of acceptance: March 2, 2009
Electronic files due: March 30, 2009

This will be the second edition of LEET, which had evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots). These two workshops have each dealt with aspects of this problem. However, while papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.

DNS And Responsible Disclosure

nospam@example.com (Niels Provos) — Tue, 22 Jul 2008 09:15:00 -0700

As everyone was upgrading their DNS infrastructure to be ready for August 7th, some security reseachers independently discovered the DNS flaw and disclosed it. For those of us, who were either informed or had figured out the problem ourselves, it is surprising to find irresponsible and grossly negligent disclosure from respected members of our community. There was a reason that Kaminsky did not disclose the flaw publicly when he found it. The DNS infrastructure needed to be upgraded and repaired.

Well, the time has run out. A current study by David Dagon and myself puts the number of open recursive resolvers using static source ports at about 78%. That is a lot of servers that need to be patched. Two more weeks till August 7th could have helped to fix many of them. Unfortunately, we will not find out now.

DNS Testing Image

nospam@example.com (Niels Provos) — Tue, 15 Jul 2008 19:11:50 -0700

As we are all trying to patch and upgrade our resolvers and NAT devices, I created a small image tag that automatically assesses the randomess of a visitor's resolver:

This is still in reference to the CERT Advisory on Multiple DNS implementations vulnerable to cache poisoning. You can place the image tag on your web page to test your visitors:

<center><a href="http://www.provos.org/index.php?/archives/42-DNS-and-Randomness.html"><img src="http://porttest.honeyd.org/-s-_dns.png" border=0></a></center>

The a href link can of course point to a more helpful web page and the image itself can also be changed according to need.

If you want to show this on your pages with different images, just let me know.