Content Type Attack: Dark Hole in the Secure Environment, by Raman Gupta
DESCRIPTION
With increased security awareness it is very difficult to compromise a network or workstation: most network administrators apply a very restrictive firewall policy for incoming traffic (for example, allowing only HTTP/HTTPS), and antivirus software can easily detect a virus- or worm-infected file. This talk is about the content-type attack, which cannot be blocked at the network perimeter/firewall and is undetectable by antivirus. The discussion also includes a demonstration of the attack vector used to compromise a system. Finally, it includes analysis of the malicious file used to compromise the system.
TRANSCRIPT
![Page 1: Content Type Attack Dark Hole in the Secure Environment by Raman Gupta](https://reader036.vdocuments.us/reader036/viewer/2022082511/546393aeb1af9fb5588b4596/html5/thumbnails/1.jpg)
Content Type Attack: Dark hole in a secure environment
Who I am
I am working with TCS as an Information Security Consultant. My work area includes vulnerability assessment, penetration testing and secure environment setup. I am interested in reverse engineering and exploit writing.
Title
Content-Type Attack: a content-type attack targets vulnerabilities in the client-side software used to read content, such as Adobe Reader, Microsoft Office or an image viewer. Attackers attempt to exploit programming flaws in that code to induce memory corruption, resulting in their own attack code being run on the victim computer that opened the PDF or DOC file.
Dark Hole in a secure environment: this is due to the following reasons.
1) Undetectable nature
2) Ignorance
3) False sense of security
Content
Content-Type Attack process
Malicious attack document structure
Attack demo
PDF File Structure
Intro to the PDF file format
PDF object type overview
Demo: PDF analysis using scripts
Content-Type Attack protection technique
Content-Type Attack process
The attack document is sent by an attacker to a victim, perhaps using a compromised machine to relay the e-mail to help conceal the attacker's identity.
If the victim double-clicks the file attached to the e-mail, the application registered for the file type launches and starts parsing the file.
In this malicious file, the attacker will have embedded malformed content that exploits a file-parsing vulnerability, causing the application to corrupt memory on the stack or heap.
Successful exploits transfer control to the attacker’s shell code that has been loaded from the file into memory.
The shell code often instructs the machine to write out an EXE file embedded at a fixed offset in the document and run that executable. After the EXE file is written and run, the attacker's code writes out a "clean file", also contained in the attack document, and opens the application with the content of that clean file.
In the meantime, the malicious EXE file that has been written to the file system is run, carrying out whatever mission the attacker intended.
Malicious attack document structure
Attack Demo
PDF File Structure
PDF file format overview
The language to describe a PDF file is based on the PostScript programming language.
(Slide shows a test PDF file alongside its source code.)
Stream objects may contain compressed, obfuscated binary data between the opening "stream" keyword and the closing "endstream" keyword. Here is an example:
5 0 obj
<</Subtype/Type1C/Length 5416/Filter/FlateDecode>>
stream
H%|T}T#W#Ÿ!d&"FI#Å%NFW#åC...
endstream
endobj
In this example, the stream data is compressed using the /FlateDecode filter. Compressed stream data is a popular trick used by malware authors to evade detection.
PDF objects type overview
/Page
/Encrypt
/ObjStm
/JS
/JavaScript
/AA
/OpenAction
/JBIG2Decode
/RichMedia
/Launch
Demo: PDF analysis using scripts
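As an added example, not code from the talk or from the tools it credits, here is a small Python triage script in the spirit of the analysis demo. It counts the object names listed above in the raw file and inside inflated FlateDecode streams, resolves #xx name escapes, and reports where an executable header sits, which is how the fixed-offset EXE of the attack process shows up in the document. The PDF it scans is constructed inline and is harmless; the names SUSPICIOUS, scan_pdf and build_sample_pdf are the example's own.

```python
import re
import zlib

# Object names the talk lists as worth flagging when triaging a PDF.
SUSPICIOUS = {b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript",
              b"/AA", b"/OpenAction", b"/JBIG2Decode", b"/RichMedia", b"/Launch"}
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
# (?<!end) keeps "endstream\n" from being mistaken for the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
PE_MAGIC = b"MZ\x90\x00"  # start of the usual DOS stub of a Windows executable

def normalize_name(raw):
    """Resolve #xx escapes so /J#61vaScript counts as /JavaScript (an obfuscation trick)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def count_names(data):
    """Count how often each suspicious name occurs in a byte buffer."""
    counts = {}
    for m in NAME_RE.finditer(data):
        name = b"/" + normalize_name(m.group(1))
        if name in SUSPICIOUS:
            counts[name.decode()] = counts.get(name.decode(), 0) + 1
    return counts

def scan_pdf(data):
    """Names in the raw file, names hidden in FlateDecode streams, and PE header offsets."""
    report = {"raw": count_names(data), "inflated": {},
              "pe_offsets": [m.start() for m in re.finditer(re.escape(PE_MAGIC), data)]}
    for m in STREAM_RE.finditer(data):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not zlib data (raw or deliberately corrupt stream): skip it
        for name, n in count_names(inflated).items():
            report["inflated"][name] = report["inflated"].get(name, 0) + n
        if PE_MAGIC in inflated:  # an EXE that is only visible after inflation
            report["pe_offsets"].append(m.start(1))
    return report

def build_sample_pdf():
    """Constructed, harmless sample: a Flate-hidden /JavaScript action plus a raw PE-header stream."""
    action = zlib.compress(b"<</Type/Action/S/J#61vaScript/JS(app.alert(1))>>")
    payload = PE_MAGIC + b"constructed-dummy-exe-bytes"  # stands in for the embedded EXE
    head = (b"%PDF-1.4\n"
            b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
            b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\n")
    obj4 = b"4 0 obj<</Length %d/Filter/FlateDecode>>stream\n" % len(action) + action
    obj5 = b"5 0 obj<</Length %d>>stream\n" % len(payload) + payload
    return head + obj4 + b"\nendstream endobj\n" + obj5 + b"\nendstream endobj\n%%EOF\n"
```

Running scan_pdf(build_sample_pdf()) shows /OpenAction and /Page in the raw counts, /JavaScript and /JS only in the inflated counts, and one PE header offset, which is the kind of discrepancy between raw and inflated views that a pdfid-style triage relies on.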
Content-Type Attack protection technique
All security updates must be applied.
Disable JavaScript in Adobe Reader.
Enable DEP for untrusted applications.
Don't open attached files in mail from unknown or untrusted sources.
Implement a white-list based proxy.
Implement a strong outbound firewall policy.
Credit
Didier Stevens
Nikhil Mittal
ClubHack
Thank you
Presented by: Raman Gupta
(Twitter: Raman_gupta1)