Black Hat Europe资料eu-15-Pi-New-Tool-For-Discovering-Flash-Player-0-day-Attacks-In-The-Wild-From-Various-Channels.pdfVIP

New Tool for Discovering Flash Player 0-day Attacks in the Wild from Various Channels @ heisecode Agenda • Who am I • Background • Sample Channels • Tool to identify 0-day About me • Core Member of Trend Micro Zero-Day Discovery Team • Trend Micro Anti-APT engine developer • Interested in discovering vulnerabilities and writing exploit. • Flash/Android/OS X Agenda • Who am I • Background • Sample Channels • Tool to identify 0-day Flash Year • JAVA Click-to-Play • Browsers’ UAF mitigations • So Flash Player boom in 2015 Flash Year • Zero-day attacks’ targets are mostly Flash Player in 2015 CVE-2015-0310 CVE-2015-0311 CVE-2015-0313 CVE-2015-3043 CVE-2015-3113 CVE-2015-5119 CVE-2015-5122 … … Flash Year • In late 2014, I decided to catch Flash Player zero-day attacks in 2015. • There were two questions need to solve to achieve the goal. Two questions • How to get effective samples in the wild? Try any possible source channel to get effective samples. • How to identify 0-day from these samples? Need a processing tool, fast, low false alert. Agenda • Who am I • Background • Sample Channels • Tool to identify 0-day Sourcing Channels • Channel 1 - Products’ feedback Large number of SWF samples from products or engines’ detection feedback Most effective channel Sourcing Channels • Channel 2 - URL Crawl Several exploits integrated in one URL Trigger which exploit depends on software version installed in victim’s system Crawl