{"id":1582,"date":"2019-09-18T16:59:10","date_gmt":"2019-09-18T14:59:10","guid":{"rendered":"http:\/\/hacktivity.com\/?p=1582"},"modified":"2019-09-19T09:57:34","modified_gmt":"2019-09-19T07:57:34","slug":"shelob-streams-endlessly-logic-bugs","status":"publish","type":"post","link":"https:\/\/2022.hacktivity.com\/index.php\/shelob-streams-endlessly-logic-bugs\/","title":{"rendered":"S(H)ELOB &#8211; Streams Endlessly Logic Bugs"},"content":{"rendered":"<div>\n<p data-usually-unique-id=\"285065137929704611046190\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">We have developed a system that discovers 0day vulnerabilities automatically.<\/span><\/p>\n<\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">The preparation for the upcoming Hactivity conference<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lbracket\">[25-26<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> October 2019] goes really well.\u00a0<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">This week we also launched the mass production of our new electronic hardware-hacking badge that is going to be handed over to our ticket buyers. These are the things you might already know, but here&#8217;s a new announcement which is for sure new and exciting for you.<\/span><\/div>\n<div><\/div>\n<p><!--more--><\/p>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">In the background, The Hacktivity Team have created a new department called <\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>Hacktivity Labs<\/b><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">. \\o\/<\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">What is this about? In general, Hacktivity Labs will focus on reverse engineering all kinds of techniques to discover software &amp; hardware vulnerabilities.<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lbracket\">[This<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> department is responsible for the production and development of the hardware-hacking badge as well.]<\/span><\/div>\n<div><\/div>\n<div>\n<h2 data-usually-unique-id=\"285065137929704611046190\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Finding bugs automatically<\/span><\/h2>\n<\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">If you have ever searched for software or any kind of bugs you may know that after being happy about it, the next thought is that: OK, how can I find a lot more of this? So the first project of Hacktivity Labs was to develop a tool that can automatically find software vulnerabilities efficiently on Windows operating system.\u00a0<\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><br \/>\nThe leader of this project is Attila Marosi-Bauer. In his free time, he likes to dive deep in the process of reverse engineering to get a better understanding of how these products are operating, and more importantly to find the vulnerabilities and weaknesses of these kinds of software.<\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><br \/>\nOk, we recognized that we have the obsession to find software bugs on Windows systems. One of the easiest test cases is to run the tested application while Sysinternals ProcMon or any kind of system monitoring service running to collect information about the discussion of the application and the Operation System. <\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>After harvesting enough behavior information, the one that can query well may find software vulnerabilities.<\/b><\/span><\/div>\n<div><\/div>\n<div><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>For example:<\/b><\/span><\/span><\/div>\n<ul class=\"listtype-bullet listindent1 list-bullet1\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">DLL search order hijacking<\/span>\n<ul class=\"listtype-bullet listindent2 list-bullet2\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">DLL injection<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">DLL hijack<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">loading DLL by COM objects<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\">(com<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> object hijacking)<\/span>\n<ul class=\"listtype-bullet listindent2 list-bullet2\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">here we have the same ability: hijack and\/or add dll to the application<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\">(depends<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> on the application)<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">If an application has one of this type of vulnerabilities and its running in highest integrity level, then a folder<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\">(or<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> registry hive) can be written, that leads to <\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>privilege escalation<\/b><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">.<\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">However this approach seems quite<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-ldquo\">\u201cnoob\u201d<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> and these bugs can be detected quite quickly, <\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>most of you may think that<\/b><\/span><b>\u00a0<\/b><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-quot\"><b>&#8220;big&#8221;<\/b><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b> names have already tested their applications in this way to stay away from these stupid bugs. But the reality shows something else.<\/b><\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">We did it many times and found many vulnerabilities but after a time we get bored with it. The path was clear: we need automation.\u00a0<\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Automation of the process:<\/span><\/div>\n<ul class=\"listtype-bullet listindent1 list-bullet1\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">start a VM<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">start monitoring tools<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">harvest collected data<\/span><\/li>\n<\/ul>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">and then, here we had the real challenge. Turn into a code what was in our mind. We had many best practices to find vulnerabilities. So we had to clean them to be able to write a code that can replace us. \ud83d\ude42<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">\u00a0Now we\u2019re done with it.<\/span><\/div>\n<div><\/div>\n<div>\n<p><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">It was pretty clear at the beginning of this process that simply grepping the logs to find<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-quot\">&#8220;NOT<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> FOUND&#8221; and such will result in more false-positive records then valuable hints. <\/span><b><\/b><\/p>\n<p>So we decided to create a system that can<b> <\/b><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-quot\"><b>&#8220;rebuild&#8221;<\/b><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b> processes by the logs and can understand the events by the time they occur. By this approach, the system can easily make differences between events that are good for nothing, and taking care of them is just a waste of time or events that may highlight vulnerabilities that can be exploited for sure.\u00a0<\/b><\/span><\/p>\n<\/div>\n<div><\/div>\n<div><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>This system now can recognize:<\/b><\/span><\/span><\/div>\n<ul class=\"listtype-bullet listindent1 list-bullet1\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>dll hijack<\/b><\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>com object hijack<\/b><\/span><\/li>\n<\/ul>\n<div><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>Also, it understands process integrity levels, thus it can also highlight the vulnerabilities that may be used for privilege escalation.<\/b><\/span><\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Our automated system has been designed to have the ability to be extended. Currently, the above-mentioned vulnerabilities can be detected by it, but in the future, some more will come. What makes this special is that it is able to audit Windows applications within minutes as well.<\/span><\/div>\n<div><\/div>\n<div>\n<h2 data-usually-unique-id=\"541124539508757357941962\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">How deep is the rabbit hole?<\/span><\/h2>\n<\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">In this section, we would like to provide some proof of our service. After working out the beta system, we tested it with many application of different vendors. The best target of this tool is the desktop agent applications, especially if they have\/need admin rights. Maybe because we are working in this industry for a long time, maybe not, but our first candidates were AntiVirus agents. As you can see, with this tool vulnerabilities can be found in other types of applications as well<\/span><\/div>\n<div><\/div>\n<h3><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>VMware Workstation 14.1.5 \/ VMware Player 15 &#8211; Host VMX Process COM Class Hijack Privilege Escalation<\/b><\/span><\/span><\/h3>\n<div><\/div>\n<div><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>This vulnerability was not found by our system but it could have been.<\/b><\/span><\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">The description which can be found on the exploit-db.com is very clean.<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\">(https:\/\/www.exploit-db.com\/exploits\/46601)<\/span><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">\u201c<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><i>The VMX process<\/i><\/span><i> <\/i><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\"><i>(vmware-vmx.exe)<\/i><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><i> process configures and hosts an instance of VM. As is common with desktop virtualization platforms the VM host usually has privileged access into the OS such as mapping physical memory which represents a security risk. To mitigate this the VMX process is created with an elevated integrity level by the authentication daemon<\/i><\/span><i> <\/i><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\"><i>(vmware-authd.exe)<\/i><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><i> which runs at SYSTEM. This prevents a non-administrator user opening the process and abusing its elevated access.<\/i><\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><i>Unfortunately the process is created as the desktop user which results in the elevated process sharing resources such as COM registrations with the normal user who can modify the registry to force an arbitrary DLL to be loaded into the VMX process.<\/i><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">\u201c<\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">If we check this application in our system we get this result:<\/span><\/div>\n<div><span class=\"gallery author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><span class=\"gallery-wrapper\" data-ace-gallery-urls=\"https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568806016725_image.png\" data-ace-gallery-clipboard-json=\"{&quot;items&quot;:[{&quot;type&quot;:&quot;image&quot;,&quot;url&quot;:&quot;https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568806016725_image.png&quot;,&quot;serializedZonesForClipboard&quot;:{&quot;captionZone&quot;:{&quot;atext&quot;:{&quot;text&quot;:&quot;\\n&quot;,&quot;attribs&quot;:&quot;|1+1&quot;},&quot;pool&quot;:{&quot;numToAttrib&quot;:{},&quot;attribToNum&quot;:{},&quot;nextNum&quot;:0,&quot;dirty&quot;:false,&quot;firstDirtyNum&quot;:null}}}}]}\"><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-src=\"https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568806016725_image.png\" \/><\/span><\/span><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">So, we have an alert! Check out the details of it!<\/span><\/div>\n<div><span class=\"gallery author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><span class=\"gallery-wrapper\" data-ace-gallery-urls=\"https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568811095622_image.png\" data-ace-gallery-clipboard-json=\"{&quot;items&quot;:[{&quot;type&quot;:&quot;image&quot;,&quot;url&quot;:&quot;https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568811095622_image.png&quot;,&quot;serializedZonesForClipboard&quot;:{&quot;captionZone&quot;:{&quot;atext&quot;:{&quot;text&quot;:&quot;\\n&quot;,&quot;attribs&quot;:&quot;|1+1&quot;},&quot;pool&quot;:{&quot;numToAttrib&quot;:{},&quot;attribToNum&quot;:{},&quot;nextNum&quot;:0,&quot;dirty&quot;:false,&quot;firstDirtyNum&quot;:null}}}}]}\"><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-src=\"https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568811095622_image.png\" \/><\/span><\/span><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">The owner of the process is <\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>DESKTOP-HVNOCSA\\dev<\/b><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> This user has admin rights but we did not grant added rights for it<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\">(by<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> UAC).\u00a0<\/span><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">The integrity level of the process is <\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>System<\/b><\/span><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">The system also flags the process as:<\/span><\/div>\n<ul class=\"listtype-bullet listindent1 list-bullet1\">\n<li style=\"list-style-type: none;\">\n<ul class=\"listtype-bullet listindent2 list-bullet2\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">can be hijacked by CLSID<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">can be hijacked by dll injection<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">or any of the vulnerabilities can be turned into a privilege escalation<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">If we scroll down in the log we get the most interesting part of it.<\/span><\/div>\n<div><span class=\"gallery author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><span class=\"gallery-wrapper\" data-ace-gallery-urls=\"https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568811672243_image.png\" data-ace-gallery-clipboard-json=\"{&quot;items&quot;:[{&quot;type&quot;:&quot;image&quot;,&quot;url&quot;:&quot;https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568811672243_image.png&quot;,&quot;serializedZonesForClipboard&quot;:{&quot;captionZone&quot;:{&quot;atext&quot;:{&quot;text&quot;:&quot;\\n&quot;,&quot;attribs&quot;:&quot;|1+1&quot;},&quot;pool&quot;:{&quot;numToAttrib&quot;:{},&quot;attribToNum&quot;:{},&quot;nextNum&quot;:0,&quot;dirty&quot;:false,&quot;firstDirtyNum&quot;:null}}}}]}\"><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-src=\"https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568811672243_image.png\" \/><\/span><\/span><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">By this summary we immediately know that:<\/span><\/div>\n<ul class=\"listtype-bullet listindent1 list-bullet1\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">5 COM object has to be used by the process<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">DLLLoaded: True = From the 5, only 3 loaded during the analysis. This is one of the best features of the tool. According to the logs, these were many many COM actions but only these can give you a chance to exploit them.<\/span>\n<ul class=\"listtype-bullet listindent2 list-bullet2\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">{CB8555CC-9128-11D1-AD9B-00C04FD8FDFF}<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">{7C857801-7381-11CF-884D-00AA004B2E24}<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">{D68AF00A-29CB-43FA-8504-CE99A996D9EA}<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">DLLLoaded: False = These are the COM objects that are queried by the process but during the analysis<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\">()<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> they not loaded. Maybe later, in other circumstances, there will be an event that leads to DLL load, but in our analysis, they did not load.<\/span>\n<ul class=\"listtype-bullet listindent2 list-bullet2\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">{E7D35CFA-348B-485E-B524-252725D697CA}<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div><\/div>\n<div><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>However, this bug was not found by our system, finding it would require some more minutes.<\/b><\/span><\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Since we don\u2019t want this post to become too much technical, we won\u2019t share any further details, only some statistics. If you are interested in the bugs we found in a deeper way, please contact us! At the end of this article, you can find some more information on getting a live demo about our project.<\/span><\/div>\n<div><\/div>\n<h3><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>AntiVirus systems<\/b><\/span><\/span><\/h3>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">We had a quick test about 7 different AV vendors\u2019 products and we immediately found vulnerabilities in 5 of them.<\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">However a few of the bugs we found have already been patched and released, here we won\u2019t share details about them. Also, we won\u2019t share the name of the vendors right now.<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\">(this<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> is not the right time for it)<\/span><\/div>\n<div><\/div>\n<h3><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>Vulnerabilities overall<\/b><\/span><\/span><\/h3>\n<div><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>According to our tests, 70% of the applications have some kind of vulnerability, meaning that we have much more bugs<\/b><\/span><b> <\/b><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\"><b>(0day)<\/b><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b> in the drawer then we can handle.<\/b><\/span><\/span><\/div>\n<div><\/div>\n<div>\n<h2 data-usually-unique-id=\"862473298853523017915634\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">S(H)ELOB &#8211; Streams Endlessly Logic Bugs<\/span><\/h2>\n<\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Ok, so we have the project, now we have to find a name for it.\u00a0<\/span><\/div>\n<div class=\" ace-float-left \"><span class=\"gallery\"><span class=\"gallery-wrapper\" data-ace-gallery-urls=\"https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568793904528_insect-2884460_1920.jpg\" data-ace-gallery-clipboard-json=\"{&quot;items&quot;:[{&quot;type&quot;:&quot;image&quot;,&quot;url&quot;:&quot;https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568793904528_insect-2884460_1920.jpg&quot;,&quot;serializedZonesForClipboard&quot;:{&quot;captionZone&quot;:{&quot;atext&quot;:{&quot;text&quot;:&quot;\\n&quot;,&quot;attribs&quot;:&quot;|1+1&quot;},&quot;pool&quot;:{&quot;numToAttrib&quot;:{},&quot;attribToNum&quot;:{},&quot;nextNum&quot;:0,&quot;dirty&quot;:false,&quot;firstDirtyNum&quot;:null}}}}]}\"><img class=\"lazyload\" decoding=\"async\" src=\"data:image\/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==\" data-src=\"https:\/\/paper-attachments.dropbox.com\/s_FB43844785D51947C5A4F45A385EF794E287CE971729342DD3CC949C3D906E39_1568793904528_insect-2884460_1920.jpg\" \/><\/span><\/span><\/div>\n<div><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">The name of the tool is very close to S(h)elob, that is a fictional demon in the form of a giant spider from J. R. R. Tolkien&#8217;s Middle-earth legendarium. However s(h)elob is not a positive character in the story, our tool definitely is. <\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>We would think about this tool and the service as something that can provide a safety net for products that may fall without it.<\/b><\/span><\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">(<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 url\"><a class=\"dynamiclink\" href=\"https:\/\/en.wikipedia.org\/wiki\/Shelob\" target=\"_blank\" rel=\"noreferrer nofollow noopener\">https:\/\/en.wikipedia.org\/wiki\/Shelob<\/a><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">)<\/span><\/div>\n<div>\n<h2 data-usually-unique-id=\"732948386096770391694406\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Pros &#8211; Cons\u00a0<\/span><\/h2>\n<\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">As usual in the project life, we have to summarize the positive and negative results, to find out where to go. In this current state, all the processed data are generated from running applications that have some pros and cons.<\/span><\/div>\n<div><\/div>\n<h3><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>Pros:<\/b><\/span><\/span><\/h3>\n<ul class=\"listtype-bullet listindent1 list-bullet1\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">No need to understand the code<\/span>\n<ul class=\"listtype-bullet listindent2 list-bullet2\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">no source code needed<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">no need to decompile<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Finds logical software bugs quickly and efficiently<\/span><\/li>\n<li>Generate vulnerability report in Markdown format (each type of vulnerability has its own template). Contains all information which needs to reproduce the bug<\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Capable of generating Proof of Concept<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\">(PoC)<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> codes automatically<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">This framework has a good base to extend to find more type of bugs<\/span><\/li>\n<\/ul>\n<div><\/div>\n<h3><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>Cons:<\/b><\/span><\/span><\/h3>\n<ul class=\"listtype-bullet listindent1 list-bullet1\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">We have to be able to run the application. Sometimes it not so trivial:<\/span>\n<ul class=\"listtype-bullet listindent2 list-bullet2\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">system compatibility issues<\/span><\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">licensing&#8230; etc.<\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">We can only test the code path that we can run<\/span>\n<ul class=\"listtype-bullet listindent2 list-bullet2\">\n<li><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">if there is a code path we did not reach<\/span> <span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 h-lparen\">(or<\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"> cannot reach) we won&#8217;t find any vulnerabilities<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div><\/div>\n<div>\n<h2 data-usually-unique-id=\"942226267462363146626840\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Way to go<\/span><\/h2>\n<\/div>\n<div><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\">Our main goal with this project is to use these techniques in an ethical way in order to help vendors discovering and fixing software vulnerabilities. We have hundreds of 0days in the drawer and we are looking for partners who would use these vulnerabilities ONLY for respectable &amp; ethical purposes!<\/span><\/div>\n<div><\/div>\n<div><span class=\"ace-all-bold-hthree\"><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>If you would like to get more information about this tool and the service, do not hesitate to contact us via info@hacktivity.com! \u00a0At <\/b><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6 url hashtag\"><a class=\"dynamiclink\" href=\"https:\/\/paper.dropbox.com\/?q=%23Hacktivity2019\" target=\"_blank\" rel=\"noreferrer nofollow noopener\"><b>#Hacktivity2019<\/b><\/a><\/span><span class=\" author-d-iz88z86z86za0dz67zz78zz78zz74zz68zjz80zz71z9iz90z9fnz72z80a6z85zz70z9oz69zhb6wz71zz90z1z90zz79zmz76z7z75zblz80zi6\"><b>, we would like to provide some live demos for those who are interested in this project and for wannabe partners as well. Please note, that pre-arranged appointment is needed for these live demo sessions.<\/b><\/span><\/span><\/div>\n","protected":false},"excerpt":{"rendered":"<p>We have developed a system that discovers 0day vulnerabilities automatically. The preparation for the upcoming Hactivity conference [25-26 October 2019] goes really well.\u00a0This week we&hellip;<\/p>\n<p><a href=\"https:\/\/2022.hacktivity.com\/index.php\/shelob-streams-endlessly-logic-bugs\/\" class=\"read-more-link\"><span class=\"read-more-icon\"><\/span>Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":1589,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[19,20],"tags":[],"_links":{"self":[{"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/posts\/1582"}],"collection":[{"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/comments?post=1582"}],"version-history":[{"count":19,"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/posts\/1582\/revisions"}],"predecessor-version":[{"id":1607,"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/posts\/1582\/revisions\/1607"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/media\/1589"}],"wp:attachment":[{"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/media?parent=1582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/categories?post=1582"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/2022.hacktivity.com\/index.php\/wp-json\/wp\/v2\/tags?post=1582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}