SECURE 2014 slide deck and Hex-Rays IDA Pro advisories published

Yesterday I gave a talk at a Polish security conference held in Warsaw, Poland, called “Ucieczka z Matrixa: (nie)bezpieczna analiza malware” (eng. “Escaping the Matrix: (in)secure malware analysis”). The presentation was lightly technical and concerned the various threats involved in using popular software to interact with and analyze malware samples. While the talk was prepared entirely in Polish, most of the slides should be easily understandable by English speakers, and Google Translate works pretty well, so I decided to share them here anyway:

Ucieczka z Matrixa: (nie)bezpieczna analiza malware (3.85 MB, PDF)

A part of the presentation was dedicated to multiple memory corruption Hex-Rays IDA Pro vulnerabilities I discovered earlier this year (see the product Changelog). Below you will find the original reports I sent to the vendor in September:

  • [COFF] [DBG] Heap Memory Corruption due to Integer Underflow.
  • [EPOC] 4-Byte Heap Buffer Overflow due to an Off-By-One in bounds checking.
  • [DEX] Heap Buffer Overflow due to Integer Overflow.
  • [PEF] Multiple (4) instances of Heap Buffer Overflows due to integer problems.
  • [PEF] Heap Memory Corruption due to logical bugs in memory management.
  • [UNIVERSAL] Heap Buffer Overflows due to logical bugs in memory management (BADMEMSIZE constant), exploitable via multiple file formats on Linux.

Download: ida6.6_bugs.zip (1.71 MB)

Kudos to Ilfak Guilfanov and Hex-Rays for a very quick turnaround (less than two weeks from sending the reports to releasing bugfixes) and running the Bug Bounty Program! Keep up the good work!

CONFidence 2014 slides from Dragon Sector are now available

(Collaborative post by Gynvael Coldwind and Mateusz “j00ru” Jurczyk)

Just yesterday another edition of the largest and most successful IT security conference held in Poland – CONFidence – ended. The Dragon Sector CTF team (which we founded and are running) actively participated in the organization of the event by hosting an onsite, individual CTF for the conference attendees and giving a talk about the most interesting challenges we have solved so far in our not-too-long CTF career.

The final standings of the CONFidence 2014 CTF can be found below. We will also publish a more detailed summary, together with some or all of the challenges, on our official Dragon Sector blog within a few days.

The slide deck from our presentation can be found below:

On the battlefield with the Dragons – the interesting and surprising CTF challenges (3.93 MB, PDF)

A case of a curious LibTIFF 4.0.3 + zlib 1.2.8 memory disclosure

As part of my daily routine, I tend to fuzz different popular open-source projects (such as FFmpeg, Libav or FreeType2) under numerous memory safety instrumentation tools developed at Google, such as AddressSanitizer, MemorySanitizer or ThreadSanitizer. Every now and then, I encounter an interesting report and spend the afternoon diving into the internals of a specific part of the project in question. One such interesting-looking report came up a few months ago, while fuzzing the latest LibTIFF (version 4.0.3) with zlib (version 1.2.8) and MSan enabled:

This post outlines the details of this low-severity, but nevertheless interesting, issue.


FFmpeg and a thousand fixes

(Collaborative post by Mateusz “j00ru” Jurczyk and Gynvael Coldwind; a short version is available at the Google Online Security blog).

Following more than two years of work, the day has finally come – the FFmpeg project has incorporated more than a thousand fixes to bugs (including some security issues) we have discovered in the project thus far:

$ git log | grep Jurczyk | grep -c Coldwind
1120

As this event clearly marks an important day in our ongoing fuzzing effort, we decided to provide you with some background on one of the activities we are currently working on.
