Ivan Teblin, Kaspersky Lab
download slides (PDF)
Everybody's heard about Duqu, haven't they? While the interesting topics about the different stages of its penetration into the system, and the various guesses about the people and organizations behind the malware, are being closely investigated, this research focuses on the very beginning of the intrusion's storyline: delivering an active CVE-2011-3402 exploit from an email directly into the Windows kernel.
One popular Internet assumption about the Duqu exploit was that it depended on a new vulnerability in Microsoft Word's parsing of the OLE2 document format, which allowed CVE-2011-3402 to be activated in the kernel. In turn, the newer OpenDocument format (.docx) was considered more secure, probably thanks to this misconception. This presentation will prove that many formats (including these two) can trigger the same kind of vulnerability as long as we have a) ordinary clicking users, b) a suitable clickable format and c) an exploitable kernel-based parser such as the TTF processor. The real mechanics of the exploit will be investigated, and several attack scenarios will be demonstrated on live samples containing safe demo shellcode.
We'll also investigate another interesting attack vector by applying the same technique to HTML5 web pages and email bodies. As the demonstration will show browsers reacting quite differently, we'll analyse the differences in their behaviour.
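The common thread of the abstract is that the container (an OLE2 .doc, a .docx, an HTML page or an HTML email body) only matters as a carrier: what reaches the kernel is embedded TrueType data. A defender's first triage question is therefore "does this clickable file carry font data at all?" The script below is an added example written for this page, not code from the talk or from Kaspersky Lab. It is a heuristic sfnt (TrueType/OpenType) header check wrapped in a small dispatcher for three carriers: raw or OLE2 blobs (byte scan for sfnt magics), ZIP-based Office documents (entries under word/fonts/, where OOXML stores embedded fonts as obfuscated .odttf files, are flagged by location because their first bytes are XORed and won't show a magic), and HTML (@font-face rules with data: URIs or font URLs). The sample inputs are constructed inline and are not real fonts; the script says nothing about whether a given font actually triggers CVE-2011-3402, only that font data is present and would be handed to a font parser.

```python
"""Triage helper: flag embedded TrueType/OpenType font data in clickable
containers (HTML, ZIP-based Office documents, raw/OLE2 blobs).
Added example for this page; heuristic, not a vulnerability detector."""
import base64
import io
import re
import zipfile

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")   # TrueType / Mac TrueType / CFF OpenType
MAX_TABLES = 64


def looks_like_sfnt(blob: bytes) -> bool:
    """Plausible sfnt header: known magic, sane table count, printable ASCII
    table tags in the directory, and at least one core table present."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return False
    num_tables = int.from_bytes(blob[4:6], "big")
    if not 1 <= num_tables <= MAX_TABLES:
        return False
    tags = set()
    for i in range(num_tables):
        rec = blob[12 + 16 * i: 28 + 16 * i]           # 16-byte table record
        if len(rec) < 16 or not all(0x20 <= c < 0x7F for c in rec[:4]):
            return False
        tags.add(rec[:4])
    return bool(tags & {b"head", b"cmap", b"glyf", b"CFF "})


def scan_bytes(data: bytes, where: str) -> list:
    """Opaque blob (OLE2 .doc stream, mail attachment): look for sfnt headers at any offset."""
    hits = []
    for magic in SFNT_MAGICS:
        idx = data.find(magic)
        while idx >= 0:
            if looks_like_sfnt(data[idx:]):
                hits.append({"where": where, "offset": idx, "kind": "sfnt"})
            idx = data.find(magic, idx + 1)
    return hits


FONT_FACE_RE = re.compile(r"@font-face\s*\{[^}]*\}", re.I | re.S)
DATA_URI_RE = re.compile(r"url\(\s*['\"]?data:([^;,]+);base64,([A-Za-z0-9+/=\s]+)['\"]?\s*\)", re.I)
FONT_URL_RE = re.compile(r"url\(\s*['\"]?(?!data:)([^'\")]+\.(?:ttf|otf|eot|woff2?))['\"]?\s*\)", re.I)


def scan_html(text: str, where: str) -> list:
    """HTML page or email body: report every @font-face source, decoding inline data: URIs."""
    hits = []
    for m in FONT_FACE_RE.finditer(text):
        block = m.group(0)
        for d in DATA_URI_RE.finditer(block):
            try:
                raw = base64.b64decode(re.sub(r"\s+", "", d.group(2)))
            except ValueError:
                raw = b""
            hits.append({"where": where, "kind": "font-face-data-uri",
                         "mime": d.group(1), "sfnt": looks_like_sfnt(raw)})
        for u in FONT_URL_RE.finditer(block):
            hits.append({"where": where, "kind": "font-face-url", "src": u.group(1)})
    return hits


def scan_zip(data: bytes, where: str) -> list:
    """OOXML (.docx etc.): embedded fonts live under word/fonts/ as obfuscated .odttf,
    so flag by location; also check every entry for a plain sfnt or for CSS font rules."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, content = info.filename, zf.read(info)
            if name.lower().startswith("word/fonts/"):
                hits.append({"where": f"{where}:{name}", "kind": "ooxml-embedded-font",
                             "sfnt": looks_like_sfnt(content)})
            elif looks_like_sfnt(content):
                hits.append({"where": f"{where}:{name}", "kind": "sfnt", "offset": 0})
            elif name.lower().endswith((".xml", ".htm", ".html")):
                hits.extend(scan_html(content.decode("utf-8", "replace"), f"{where}:{name}"))
    return hits


def scan(data: bytes, where: str = "input") -> list:
    """Dispatch on container type; anything unrecognised (including OLE2) gets the byte scan."""
    if data[:2] == b"PK":
        return scan_zip(data, where)
    if b"<html" in data[:4096].lower() or b"@font-face" in data.lower():
        return scan_html(data.decode("utf-8", "replace"), where)
    return scan_bytes(data, where)


# ---- constructed samples (not real fonts or documents) ----
def make_fake_sfnt() -> bytes:
    """12-byte sfnt header with one 'head' table record; enough to pass the heuristic."""
    header = b"\x00\x01\x00\x00" + (1).to_bytes(2, "big") + b"\x00\x10\x00\x00\x00\x00"
    record = b"head" + (0).to_bytes(4, "big") + (28).to_bytes(4, "big") + (4).to_bytes(4, "big")
    return header + record + b"\x00\x00\x00\x00"


SAMPLE_HTML = ("<html><head><style>@font-face{font-family:x;src:url(data:font/ttf;base64,"
               + base64.b64encode(make_fake_sfnt()).decode() + ")}</style></head><body>hi</body></html>")


def make_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/fonts/font1.odttf", b"\x00" * 64)   # stands in for an obfuscated font
    return buf.getvalue()


# OLE2 compound-file magic, padding, then a font header buried in the stream
OLE2_LIKE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 100 + make_fake_sfnt() + b"\x00" * 20

if __name__ == "__main__":
    for label, sample in (("html", SAMPLE_HTML.encode()), ("docx", make_sample_docx()), ("doc", OLE2_LIKE)):
        print(label, scan(sample, label))
```

A hit from this script is a reason to look closer (or to hand the file to a sandbox with font loading instrumented), not a verdict; legitimate documents and web pages embed fonts all the time, which is exactly why the carrier is such a convenient delivery vehicle.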