SlideShare a Scribd company logo

Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc

Felipe Prado
Felipe Prado

Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc

Technology
1 of 34
Download to read offline
AbusingAdobeReader’s JavaScriptAPIs Brian Gorenc, Manager, Vulnerability Research AbdulAziz Hariri, Security Researcher Jasiel Spelman, Security Researcher
Agenda •  Introduction •  Understanding the Attack Surface •  Vulnerability Discovery •  Constructing the Exploit
Introduction
Introduction 4 HP Zero Day Initiative AbdulAziz Hariri - @abdhariri Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Jasiel Spelman - @WanderingGlitch Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Brian Gorenc - @maliciousinput Head of Zero Day Initiative Organizer of Pwn2Own Hacking Competitions
Research starting in December 2014 Bug Hunters Patched Vulnerabilities CVE-2015-5085, CVE-2015-5086, CVE-2015-5090, CVE-2015-5091, CVE-2015-4438, CVE-2015-4447, CVE-2015-4452, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115, CVE-2015-5100, CVE-2015-5111, CVE-2015-4435, CVE-2015-4441, CVE-2015-4445, CVE-2015-3053, CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3054, CVE-2015-3056, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064, CVE-2015-3069, CVE-2015-3060, CVE-2015-3062 Unpatched Vulnerabilities ZDI-CAN-3051, ZDI-CAN-3050, ZDI-CAN-3049, ZDI-CAN-3048, ZDI-CAN-3047, ZDI-CAN-3046, ZDI-CAN-3043, ZDI-CAN-3036, ZDI-CAN-3022, ZDI-CAN-3021, ZDI-CAN-2019, ZDI-CAN-3018, ZDI-CAN-3017, ZDI-CAN-3016, ZDI-CAN-3015, ZDI-CAN-2998, ZDI-CAN-2997, ZDI-CAN-2958, ZDI-CAN-2816, ZDI-CAN-2892, ZDI-CAN-2893 …more to come. 5
UnderstandingtheAttackSurface
Understanding Attack Surface 7 Prior research and resources •  The life of an Adobe Reader JavaScript bug (CVE-2014-0521) - Gábor Molnár •  First to highlight the JS API bypass issue •  The bug was patched in APSB14-15 and was assigned CVE-2014-0521 •  According to Adobe, this could lead to information disclosure •  https://molnarg.github.io/cve-2014-0521/#/ •  Why Bother Assessing Popular Software? – MWR Labs •  Highlights various attack vectors on Adobe reader •  https://labs.mwrinfosecurity.com/system/assets/979/original/Why_bother_assessing_popular_software.pdf
Understanding Attack Surface 8 ZDI Research Stats •  Primary Adobe research started internally in December 2014 •  We were not getting many cases in Reader/Acrobat •  Main goal was to kill as much bugs as possible •  Internal discoveries varied in bug type –  JavaScript API Restriction Bypasses –  Memory Leaks –  Use-After-Frees –  Elevation of Privileges –  etc.
Understanding Attack Surface 9 Insights Into Reader’s JavaScript API’s •  Adobe Acrobat/Reader exposes a rich JS API •  JavaScript API documentation is available on the Adobe website •  A lot can be done through the JavaScript API (Forms, Annotations, Collaboration etc..) •  Mitigations exist for the JavaScript APIs •  Some API’s defined in the documentation are only available in Acrobat Pro/Acrobat standard •  Basically JavaScript API’s are executed in two contexts: –  Privileged Context – Only Trusted functions can call it (app.trustedFunction) –  Non-Privileged Context
Understanding Attack Surface 10 Insights Into Reader’s JavaScript API’s •  Privileged vs Non-Privileged contexts are defined in the JS API documentation: •  A lot of API’s are privileged and cannot be executed from non-privileged contexts:
Understanding Attack Surface 11 Insights Into Reader’s JavaScript API’s •  Privileged API’s warning example from a non-privileged context:
Understanding Attack Surface 12 Folder-Level Scripts •  Scripts stored in the JavaScript folder inside the Acrobat/Reader folder •  Used to implement functions for automation purposes •  Contains Trusted functions that execute privileged API’s •  By default Acrobat/Reader ships with JSByteCodeWin.bin •  JSByteCodeWin.bin is loaded when Acrobat/Reader starts up •  It’s loaded inside Root, and exposed to the Doc when a document is open
Understanding Attack Surface 13 Decompiling •  JSByteCodeWin.bin is compiled into SpiderMoney 1.8 XDR bytecode •  JSByteCodeWin.bin contains interesting Trusted functions •  Molnarg was kind enough to publish a decompiler for SpiderMonkey –  https://github.com/molnarg/dead0007 –  Usage: ./dead0007 JSByteCodeWin.bin > output.js –  Output needs to be prettified –  ~27,000 lines of Javascript
VulnerabilityDiscovery
Vulnerability Discovery 15 JavaScript Method/Property Overloading •  __defineGetter__ and __defineSetter__
Vulnerability Discovery 16 JavaScript Method/Property Overloading •  __proto__
Vulnerability Discovery 17 Code Auditing for Overloading Opportunities •  Search for ‘eval’
Vulnerability Discovery 18 Code Auditing for Overloading Opportunities •  Search for ‘app.beginPriv(“
Vulnerability Discovery 19 Achieving System-Level eval() •  Overload property access with a custom function
Vulnerability Discovery 20 Executing Privileged APIs •  Replace a property with a privileged function
Vulnerability Discovery 21 Vulnerability Chaining •  Set up the system-level eval such that it executes the bulk of the payload •  Create the replacement attribute such that it now calls a privileged API •  Trigger the call
Vulnerability Discovery 22 Proof of Concept – CVE-2015-3073
ConstructingtheExploit
Constructing the exploit 24 Overview •  Research triggered from https://helpx.adobe.com/security/products/reader/apsb14-15.html: •  Challenge: Gain Remote Code Execution through the bypass issue •  We might be able to do that through the JS API’s that we know about
Constructing the exploit 25 Because documentation sucks.. •  We needed to find a way to dump a file on disk •  The file can be of any type (try to avoid restrictions) •  Let’s have a look at the Collab object…through the JS API from Adobe: •  Through the console:
Constructing the exploit 26 “If you want to keep a secret, you must also hide it from yourself.” – G. Orwell •  From all the 128 undocumented methods, the Collab.uri* family is specifically interesting:
Constructing the exploit 27 “The more you leave out, the more you highlight what you leave in.” - H. Green •  Too good to be true, so I consulted uncle Google before digging more:
Constructing the exploit 28 Show me what you got... •  Quick overview of the interesting methods:
Constructing the exploit 29 •  Overview of the Collab.uri* API’s: –  The API’s are used for “Collaboration” –  uriDeleteFolder/uriDeleteFile/uriPutData/uriCreateFolder are privileged API’s –  uriEnumerateFiles is NOT privileged –  The Collab.uri* methods take a URI path as an argument (at least) –  The path expected should be a UNC path –  The UNC path should start with smb:// or file:// •  The API’s fail to: –  Sanitize the UNC path (smb://localhost/C$/XXX works) –  Check the filetype of the filename to be written on disk (in the case of uriPutData) –  Check the content of oData object to be dumped (in the case of uriPutData)
Constructing the exploit 30 •  What we have so far: –  We can dump files on disk using the Collab.uriPutData() method –  The file contents that we want to dump should be passed as the oData object –  We can attach files in PDF documents and extract the contents –  We should chain the uriPutData call with one of the bypasses that we discussed earlier Then what ? How can we get RCE? Actually there are two obvious ways..
Constructing the exploit 31 Gaining RCE •  First way…a la Vupen: Basically write a file to the startup and wait for a logoff/logon ! •  Second way is writing a DLL that would be loaded by Adobe Acrobat:
Constructing the exploit 32 Putting it all together (Adobe Acrobat Pro) 1.  Attach our payload to the PDF 2.  Create a JS that would execute when the document is open 3.  JS is composed of: 1.  Extraction of the attachment 2.  Bypass JS privileges 3.  Execute Collab.uriPutData to output our payload (startup/dll) Extract Attachment Bypass JS Privileges Call uriPutData with the extracted attachment RCE
Constructing the exploit 33 Putting it all together (Adobe Acrobat Pro) DEMO
Thankyou

Recommended

Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
 
API Design & Security in django
API Design & Security in djangoAPI Design & Security in django
API Design & Security in djangoTareque Hossain
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?Csaba Fitzl
 
Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014 Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014 OSSCube
 
Aci programmability
Aci programmabilityAci programmability
Aci programmabilityCisco DevNet
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 

Recommended

Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
 
API Design & Security in django
API Design & Security in djangoAPI Design & Security in django
API Design & Security in djangoTareque Hossain
 
Exploiting XPC in AntiVirus
Exploiting XPC in AntiVirusExploiting XPC in AntiVirus
Exploiting XPC in AntiVirusCsaba Fitzl
 
GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?GateKeeper - bypass or not bypass?
GateKeeper - bypass or not bypass?Csaba Fitzl
 
Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014 Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014 OSSCube
 
Aci programmability
Aci programmabilityAci programmability
Aci programmabilityCisco DevNet
 
Entomology 101
Entomology 101Entomology 101
Entomology 101snyff
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting JenkinsBrian Hysell
 
Picking gem ruby for penetration testers
Picking gem ruby for penetration testersPicking gem ruby for penetration testers
Picking gem ruby for penetration testersPaolo Perego
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Zend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginnersZend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginnersAdam Englander
 
Django rest framework tips and tricks
Django rest framework tips and tricksDjango rest framework tips and tricks
Django rest framework tips and tricksxordoquy
 
Introduction to Apache Ant
Introduction to Apache AntIntroduction to Apache Ant
Introduction to Apache AntMuhammad Hafiz Hasan
 
Building and deploying PHP applications with Phing
Building and deploying PHP applications with PhingBuilding and deploying PHP applications with Phing
Building and deploying PHP applications with PhingMichiel Rook
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryDaniel Bohannon
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec DefenseDaniel Bohannon
 
Best Practices in PHP Application Deployment
Best Practices in PHP Application DeploymentBest Practices in PHP Application Deployment
Best Practices in PHP Application DeploymentShahar Evron
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigilityChristian Varela
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerBrian Hysell
 
Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016Clark Everetts
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...Cisco DevNet
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAugust Detlefsen
 
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...CODE BLUE
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Holehackersuli
 

More Related Content

What's hot

Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting JenkinsBrian Hysell
 
Picking gem ruby for penetration testers
Picking gem ruby for penetration testersPicking gem ruby for penetration testers
Picking gem ruby for penetration testersPaolo Perego
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricksGarethHeyes
 
Zend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginnersZend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginnersAdam Englander
 
Django rest framework tips and tricks
Django rest framework tips and tricksDjango rest framework tips and tricks
Django rest framework tips and tricksxordoquy
 
Building and deploying PHP applications with Phing
Building and deploying PHP applications with PhingBuilding and deploying PHP applications with Phing
Building and deploying PHP applications with PhingMichiel Rook
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryDaniel Bohannon
 
Best Practices in PHP Application Deployment
Best Practices in PHP Application DeploymentBest Practices in PHP Application Deployment
Best Practices in PHP Application DeploymentShahar Evron
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigilityChristian Varela
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerBrian Hysell
 
Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016Clark Everetts
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...Cisco DevNet
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAugust Detlefsen
 

What's hot (20)

Mitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint SecurityMitigating Exploits Using Apple's Endpoint Security
Mitigating Exploits Using Apple's Endpoint Security
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
Intro to Pentesting Jenkins
Intro to Pentesting JenkinsIntro to Pentesting Jenkins
Intro to Pentesting Jenkins
 
Picking gem ruby for penetration testers
Picking gem ruby for penetration testersPicking gem ruby for penetration testers
Picking gem ruby for penetration testers
 
XSS Magic tricks
XSS Magic tricksXSS Magic tricks
XSS Magic tricks
 
Zend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginnersZend con 2016 bdd with behat for beginners
Zend con 2016 bdd with behat for beginners
 
Django rest framework tips and tricks
Django rest framework tips and tricksDjango rest framework tips and tricks
Django rest framework tips and tricks
 
Introduction to Apache Ant
Introduction to Apache AntIntroduction to Apache Ant
Introduction to Apache Ant
 
Building and deploying PHP applications with Phing
Building and deploying PHP applications with PhingBuilding and deploying PHP applications with Phing
Building and deploying PHP applications with Phing
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell Story
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec Defense
 
Best Practices in PHP Application Deployment
Best Practices in PHP Application DeploymentBest Practices in PHP Application Deployment
Best Practices in PHP Application Deployment
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Build your APIs with apigility
Build your APIs with apigilityBuild your APIs with apigility
Build your APIs with apigility
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A Primer
 
Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016Php Dependency Management with Composer ZendCon 2016
Php Dependency Management with Composer ZendCon 2016
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
 
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsCusomizing Burp Suite - Getting the Most out of Burp Extensions
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
 
AppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp SuiteAppSec USA 2015: Customizing Burp Suite
AppSec USA 2015: Customizing Burp Suite
 

Similar to Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc

Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...CODE BLUE
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Holehackersuli
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugLewis Ardern
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfNullHyderabad
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsAmazon Web Services
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Amazon Web Services
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER
Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWERContinuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER
Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWERIndrajit Poddar
 
The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)Greg Patton
 
Beyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lasconBeyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lasconNino Ho
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxlior mazor
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) Volkan Özçelik
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsAmazon Web Services
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationAndreas Kurtz
 

Similar to Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc (20)

Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
Abusing Adobe Reader’s JavaScript APIs by Abdul-Aziz Hariri & Brian Gorenc - ...
 
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
[Hackersuli][HUN]MacOS - Going Down the Rabbit Hole
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdfFinding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
Finding vulnerabilities with Burp Suite Custom Scan Profiles.pdf
 
iOS Application Exploitation
iOS Application ExploitationiOS Application Exploitation
iOS Application Exploitation
 
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer ToolsDevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
DevOps on AWS: Accelerating Software Delivery with the AWS Developer Tools
 
Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration Continuous Delivery, Continuous Integration
Continuous Delivery, Continuous Integration
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER
Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWERContinuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER
Continuous Integration with Cloud Foundry Concourse and Docker on OpenPOWER
 
The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)The API Primer (OWASP AppSec Europe, May 2015)
The API Primer (OWASP AppSec Europe, May 2015)
 
Beyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lasconBeyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lascon
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptxThe Hacking Game - Think Like a Hacker Meetup 12072023.pptx
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
 
External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1) External JavaScript Widget Development Best Practices (updated) (v.1.1)
External JavaScript Widget Development Best Practices (updated) (v.1.1)
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer ToolsDevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools
 
Pentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and ManipulationPentesting iOS Apps - Runtime Analysis and Manipulation
Pentesting iOS Apps - Runtime Analysis and Manipulation
 

More from Felipe Prado

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101Felipe Prado
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceFelipe Prado
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityFelipe Prado
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
 

More from Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Recently uploaded

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Recently uploaded (20)

Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 

Defcon 23 - hariri spelman gorenc - abusing adobe readers java sc

  • 1. AbusingAdobeReader’s JavaScriptAPIs Brian Gorenc, Manager, Vulnerability Research AbdulAziz Hariri, Security Researcher Jasiel Spelman, Security Researcher
  • 2. Agenda •  Introduction •  Understanding the Attack Surface •  Vulnerability Discovery •  Constructing the Exploit
  • 4. Introduction 4 HP Zero Day Initiative AbdulAziz Hariri - @abdhariri Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Jasiel Spelman - @WanderingGlitch Security Researcher at the Zero Day Initiative Root cause analysis, vulnerability discovery, and exploit development Brian Gorenc - @maliciousinput Head of Zero Day Initiative Organizer of Pwn2Own Hacking Competitions
  • 5. Research starting in December 2014 Bug Hunters Patched Vulnerabilities CVE-2015-5085, CVE-2015-5086, CVE-2015-5090, CVE-2015-5091, CVE-2015-4438, CVE-2015-4447, CVE-2015-4452, CVE-2015-5093, CVE-2015-5094, CVE-2015-5095, CVE-2015-5101, CVE-2015-5102, CVE-2015-5103, CVE-2015-5104, CVE-2015-5113, CVE-2015-5114, CVE-2015-5115, CVE-2015-5100, CVE-2015-5111, CVE-2015-4435, CVE-2015-4441, CVE-2015-4445, CVE-2015-3053, CVE-2015-3055, CVE-2015-3057, CVE-2015-3058, CVE-2015-3065, CVE-2015-3066, CVE-2015-3067, CVE-2015-3068, CVE-2015-3071, CVE-2015-3072, CVE-2015-3073, CVE-2015-3054, CVE-2015-3056, CVE-2015-3061, CVE-2015-3063, CVE-2015-3064, CVE-2015-3069, CVE-2015-3060, CVE-2015-3062 Unpatched Vulnerabilities ZDI-CAN-3051, ZDI-CAN-3050, ZDI-CAN-3049, ZDI-CAN-3048, ZDI-CAN-3047, ZDI-CAN-3046, ZDI-CAN-3043, ZDI-CAN-3036, ZDI-CAN-3022, ZDI-CAN-3021, ZDI-CAN-2019, ZDI-CAN-3018, ZDI-CAN-3017, ZDI-CAN-3016, ZDI-CAN-3015, ZDI-CAN-2998, ZDI-CAN-2997, ZDI-CAN-2958, ZDI-CAN-2816, ZDI-CAN-2892, ZDI-CAN-2893 …more to come. 5
  • 7. Understanding Attack Surface 7 Prior research and resources •  The life of an Adobe Reader JavaScript bug (CVE-2014-0521) - Gábor Molnár •  First to highlight the JS API bypass issue •  The bug was patched in APSB14-15 and was assigned CVE-2014-0521 •  According to Adobe, this could lead to information disclosure •  https://molnarg.github.io/cve-2014-0521/#/ •  Why Bother Assessing Popular Software? – MWR Labs •  Highlights various attack vectors on Adobe reader •  https://labs.mwrinfosecurity.com/system/assets/979/original/Why_bother_assessing_popular_software.pdf
  • 8. Understanding Attack Surface 8 ZDI Research Stats •  Primary Adobe research started internally in December 2014 •  We were not getting many cases in Reader/Acrobat •  Main goal was to kill as much bugs as possible •  Internal discoveries varied in bug type –  JavaScript API Restriction Bypasses –  Memory Leaks –  Use-After-Frees –  Elevation of Privileges –  etc.
  • 9. Understanding Attack Surface 9 Insights Into Reader’s JavaScript API’s •  Adobe Acrobat/Reader exposes a rich JS API •  JavaScript API documentation is available on the Adobe website •  A lot can be done through the JavaScript API (Forms, Annotations, Collaboration etc..) •  Mitigations exist for the JavaScript APIs •  Some API’s defined in the documentation are only available in Acrobat Pro/Acrobat standard •  Basically JavaScript API’s are executed in two contexts: –  Privileged Context – Only Trusted functions can call it (app.trustedFunction) –  Non-Privileged Context
  • 10. Understanding Attack Surface 10 Insights Into Reader’s JavaScript API’s •  Privileged vs Non-Privileged contexts are defined in the JS API documentation: •  A lot of API’s are privileged and cannot be executed from non-privileged contexts:
  • 11. Understanding Attack Surface 11 Insights Into Reader’s JavaScript API’s •  Privileged API’s warning example from a non-privileged context:
  • 12. Understanding Attack Surface 12 Folder-Level Scripts •  Scripts stored in the JavaScript folder inside the Acrobat/Reader folder •  Used to implement functions for automation purposes •  Contains Trusted functions that execute privileged API’s •  By default Acrobat/Reader ships with JSByteCodeWin.bin •  JSByteCodeWin.bin is loaded when Acrobat/Reader starts up •  It’s loaded inside Root, and exposed to the Doc when a document is open
  • 13. Understanding Attack Surface 13 Decompiling •  JSByteCodeWin.bin is compiled into SpiderMoney 1.8 XDR bytecode •  JSByteCodeWin.bin contains interesting Trusted functions •  Molnarg was kind enough to publish a decompiler for SpiderMonkey –  https://github.com/molnarg/dead0007 –  Usage: ./dead0007 JSByteCodeWin.bin > output.js –  Output needs to be prettified –  ~27,000 lines of Javascript
  • 15. Vulnerability Discovery 15 JavaScript Method/Property Overloading •  __defineGetter__ and __defineSetter__
  • 17. Vulnerability Discovery 17 Code Auditing for Overloading Opportunities •  Search for ‘eval’
  • 18. Vulnerability Discovery 18 Code Auditing for Overloading Opportunities •  Search for ‘app.beginPriv(“
  • 19. Vulnerability Discovery 19 Achieving System-Level eval() •  Overload property access with a custom function
  • 20. Vulnerability Discovery 20 Executing Privileged APIs •  Replace a property with a privileged function
  • 21. Vulnerability Discovery 21 Vulnerability Chaining •  Set up the system-level eval such that it executes the bulk of the payload •  Create the replacement attribute such that it now calls a privileged API •  Trigger the call
  • 22. Vulnerability Discovery 22 Proof of Concept – CVE-2015-3073
  • 24. Constructing the exploit 24 Overview •  Research triggered from https://helpx.adobe.com/security/products/reader/apsb14-15.html: •  Challenge: Gain Remote Code Execution through the bypass issue •  We might be able to do that through the JS API’s that we know about
  • 25. Constructing the exploit 25 Because documentation sucks.. •  We needed to find a way to dump a file on disk •  The file can be of any type (try to avoid restrictions) •  Let’s have a look at the Collab object…through the JS API from Adobe: •  Through the console:
  • 26. Constructing the exploit 26 “If you want to keep a secret, you must also hide it from yourself.” – G. Orwell •  From all the 128 undocumented methods, the Collab.uri* family is specifically interesting:
  • 27. Constructing the exploit 27 “The more you leave out, the more you highlight what you leave in.” - H. Green •  Too good to be true, so I consulted uncle Google before digging more:
  • 28. Constructing the exploit 28 Show me what you got... •  Quick overview of the interesting methods:
  • 29. Constructing the exploit 29 •  Overview of the Collab.uri* API’s: –  The API’s are used for “Collaboration” –  uriDeleteFolder/uriDeleteFile/uriPutData/uriCreateFolder are privileged API’s –  uriEnumerateFiles is NOT privileged –  The Collab.uri* methods take a URI path as an argument (at least) –  The path expected should be a UNC path –  The UNC path should start with smb:// or file:// •  The API’s fail to: –  Sanitize the UNC path (smb://localhost/C$/XXX works) –  Check the filetype of the filename to be written on disk (in the case of uriPutData) –  Check the content of oData object to be dumped (in the case of uriPutData)
  • 30. Constructing the exploit 30 •  What we have so far: –  We can dump files on disk using the Collab.uriPutData() method –  The file contents that we want to dump should be passed as the oData object –  We can attach files in PDF documents and extract the contents –  We should chain the uriPutData call with one of the bypasses that we discussed earlier Then what ? How can we get RCE? Actually there are two obvious ways..
  • 31. Constructing the exploit 31 Gaining RCE •  First way…a la Vupen: Basically write a file to the startup and wait for a logoff/logon ! •  Second way is writing a DLL that would be loaded by Adobe Acrobat:
  • 32. Constructing the exploit 32 Putting it all together (Adobe Acrobat Pro) 1.  Attach our payload to the PDF 2.  Create a JS that would execute when the document is open 3.  JS is composed of: 1.  Extraction of the attachment 2.  Bypass JS privileges 3.  Execute Collab.uriPutData to output our payload (startup/dll) Extract Attachment Bypass JS Privileges Call uriPutData with the extracted attachment RCE
  • 33. Constructing the exploit 33 Putting it all together (Adobe Acrobat Pro) DEMO