"Exploiting archive formats can lead to steganographic data hiding and to processing errors with serious forensic consequences. These formats are very interesting as they are commonly found on every PC, Apple or Linux machine, and it is popularly believed that they are well understood and trusted. Can exploits ever be present in file formats that have been in use for over ten or even twenty years?

Through deep format analysis, beyond fuzzing, we look at what goes wrong when the format specifications are interpreted differently. Can you trust programs that work with archives? Can you even trust your antivirus? We will answer these questions and disclose for the first time 15 newly discovered vulnerabilities in ZIP, 7ZIP, RAR, CAB and GZIP file formats revealing the impact they have on anti-malware scanners, digital forensic, security gateways and IPS appliances.

This talk will include demo of ArchiveInsider, a new forensics tool that detects and extracts hidden data and fully validates vulnerable file formats. We will demonstrate file format steganography, file malformation, and even data "self destruction," all with tools that you use and trust."

See you there...

Recently we have seen an increase of malware attacks targeting multimedia formats. One of the formats targeted recently was PDF, a popular document format. Latest and still un-patched exploit targeting this format CVE-2009-4324 is particularly dangerous because it allows download of malicious content and its execution on the affected system or if it is unsuccessful denial of service attack. Statical analysis of the exploit showed how it operates and it described to bug inside out but we couldn't helped but wonder... Could we have prevented such an attack on the live system? Can we prevent future attacks that work similarly?

Having those questions in mind and the phrase "Swiss army knife for reverse engineering" used to describe our TitanEngine we decided to create a small project that could help us prevent these attacks. That project is called TitanGuard and it is a simple sandbox built around TitanEngine that prevents download of malicious content and its execution. Once installed this program monitors the application actions and queries user for response on suspicious behavior. This way CVE-2009-4324 and all future attacks targeting PDF file format and its most popular viewer can be prevented. Furthermore this kind of tool enables safe run-time analysis regardless of the exploit used since we can always block the file execution and study downloaded files. Until next time...

BOOL APIENTRY DllMain(HMODULE hModule,
   DWORD  ul_reason_for_call, LPVOID lpReserved){
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		if(GetModuleHandleA("BadGuy.dll") == NULL){
			LoadLibraryA("BadGuy.dll");
			return false;
		}
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}

Returning false at DLL_PROCESS_ATTACH makes Windows unload our GetModuleHandleA.dll but not before BadGuy.dll gets loaded. Simple code above ensures that our BadGuy.dll gets loaded only once (Windows also prevents this so this isn't really needed) since MEW 10 packed file can import GetModuleHandleA multiple times. Our BadGuy.dll only creates a new thread which displays a message box about it being successfully loaded. This could have been done with a single DLL file but we wanted to keep it short and simple.

There are many examples of design flaws in PE shell modifiers which could seriously threaten system security. Such example are not only limited to arbitrary code execution but could also lead to privilege elevation. We will continue to write about such shell modifier flaws in the future.

Download MEW 10 LoadLibrary exploit POC