SlideShare a Scribd company logo

Discovering Vulnerabilities For Fun and Profit

Download as PPTX, PDF
A
Abhisek Datta

This document discusses discovering vulnerabilities for fun and profit. It introduces the author and their security tools and research involving Microsoft Office, IBM Tivoli Endpoint Manager, HP Siteprotect, and more. It describes techniques like fuzzing, mutation generation, and attack surface analysis that were used to find vulnerabilities. XML mutation and attribute fuzzing of Microsoft OOXML formats are highlighted. Architecture analysis, intercepting traffic, and developing custom tools are discussed for fuzzing IBM Tivoli EM and analyzing the Dameware Mini Remote Control binary protocol. The document concludes by discussing ongoing security research and a balance between finding vulnerabilities and developing secure systems.

Technology
1 of 24
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Discovering Vulnerabilities For Fun and Profit
Who Am I • Founder, 3S Labs – Information Security Services Startup • Security Tools • Wireplay – TCP Session Replay for Network Protocol Fuzzing • RbWinDBG – Ruby interface to Windows Debugger API • HiDump – Injected Code Extraction Tool (Windows only) • […] • Security Research (CVE) • Microsoft Office • IBM Tivoli Endpoint Manager • HP Siteprotect • […] @abh1sek abhisek
Linus Law “Given enough eyeballs, all bugs are shallow”
Fuzzing Mutation Generation
The “Practical” Shallow Bugs ActiveX1.bin – Rich Control Embedded in Word Document MSCOMCTL!DLLGetDocumentation+XXX: 6f5164d2 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
The Magic Technique
Now .. The Magic Tool http://lcamtuf.coredump.cx/afl/
An approach towards Finding Vulnerabilities Features Attack Surfaces Architecture & Components Protocol Analysis Targeted Fuzzing Static Analysis
Attack Surface Analysis – Microsoft OOXML • The Past • Multiple vulnerabilities while processing binary records • Multiple vulnerabilities in processing embedded objects (image / flash) • […] • What’s new? • Microsoft OOXML File Format • (Almost) all features of Office Binary File Format represented through XML • ZIP File Format based container (instead of OLE Structured Storage)
Attack Surface Analysis – Microsoft OOXML https://msdn.microsoft.com/en-us/library/aa338205(v=office.12).aspx
Fuzzing Microsoft Office - OOXML • What will probably not work? • Binary fuzzing (bit flip) on input file. • They are just ZIP files ! • XML tag mutation • It will just hit the XML parser which should be matured. • What will probably work ? • XML mutation • Hit the application states and NOT the XML parser • XML attributes • Not very different from blind binary fuzzing (bit flip) • These are used to prepare and render objects
OOXML – XML Mutation CVE 
OOXML – XML Attribute Fuzzing CVE 
OOXML – XML Attribute Fuzzing CVE 
Architecture Analysis – IBM Tivoli EM • Enterprise endpoint management • Single agent for endpoint self-assessment and policy enforcement • Near real-time visibility and control from single dashboard • Target specific actions to an exact type of endpoint configuration or user type • Primary Components • Root Server • Reports Server • Agent
Architecture Analysis – IBM Tivoli EM Root Server AgentAgentAgentAgentTCP: 5231 S/MIME Signed HTTP https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli+Endpoint+Manager/page/REST+API • All HTTP transactions are S/MIME signed. • Any HTTP request with signature mismatch will be ignored. • Now?
Fuzzing – IBM Tivoli EM Root Server TCP: 5231 S/MIME Signing Proxy HTTP Request Fuzzer ( Burp / SPIKE / !! ) • Intercept communication between Agent and Root Server • Replay and fuzz intercepted HTTP requests • S/MIME sign HTTP requests through proxy Burp plugin to sign HTTP request for Tivoli EM: https://gist.github.com/abhisek/f69f0ead1d9292cfc68260423819780d
Static Analysis – Dameware Mini Remote Control • Why? • Custom binary protocol • Encrypted packets • No documentation on protocol • Not too much prior work on DMRC reverse engineering • Objective • Identify “crypto container” • Fuzz DMRC by replaying interception communication • Decrypt > Mutate > Encrypt > Send to Server
Static Analysis – DMRC Protocol DMRC Client to Agent Communication – Whats This?
Static Analysis – DMRC Client
DMRC Case • 1 day to setup and analyze network infrastructure • 1 day to survey protocol documentation without luck • ~3 days to reverse engineer the handshake protocol encryption • 2 days of fuzzing effort • Results? • 2 crashes – None exploitable • No CVE !!  Was it worth the effort ?
Static Analysis – Other Approaches • Taint Analysis • IDA Plugin to manually mark sinks & compute path from any point in code to sinks. • Binary Analysis Platform • A useful framework to implement various algorithms to “infer” possible vulnerabilities. https://github.com/BinaryAnalysisPlatform/bap
There will ALWAYS be another vulnerability.. • Security Researcher • How to find maximum exploitable vulnerabilities in minimum or at least practically feasible time window. • Developer • Maximize cost of finding exploitable vulnerabilities through securing coding practices and platform hardening.
Thanks for listening  Questions? @abh1sek abhisek

More Related Content

PDF
CNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
Sam Bowne
 
PPTX
My internwork
V C
 
PDF
CNIT 126: Ch 2 & 3
Sam Bowne
 
PDF
Software cracking and patching
Mayank Gavri
 
PPTX
Code review and security audit in private cloud - Arief Karfianto
idsecconf
 
PPTX
Game On! Exploring Microservices with a Text-Based Adventure Game
Erin Schnabel
 
PDF
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat Security Conference
 
PDF
Robot Framework with actual robot
Eficode
 
CNIT 127 Ch 16: Fault Injection and 17: The Art of Fuzzing
Sam Bowne
 
My internwork
V C
 
CNIT 126: Ch 2 & 3
Sam Bowne
 
Software cracking and patching
Mayank Gavri
 
Code review and security audit in private cloud - Arief Karfianto
idsecconf
 
Game On! Exploring Microservices with a Text-Based Adventure Game
Erin Schnabel
 
BlueHat v18 || Linear time shellcode detection using state machines and opera...
BlueHat Security Conference
 
Robot Framework with actual robot
Eficode
 

What's hot (20)

PPT
SignalR
William Austin
 
PDF
CNIT 124 Ch 13: Post Exploitation (Part 1)
Sam Bowne
 
PPTX
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Sam Bowne
 
PDF
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
PPTX
Chain of Responsibility Pattern
Hélio Costa e Silva
 
ODP
CouchDB @ PoliMi
Giorgio Sironi
 
PDF
Hyperledger Cello Feb 20, 2018
Arnaud Le Hors
 
PDF
CNIT 126 Ch 9: OllyDbg
Sam Bowne
 
PPTX
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
Paul Mooney
 
PPTX
Net Scheme English Version
Tod Morita
 
PDF
Go, Swarm and DevOps vs The Mighty Monolith
Igor Karpovich
 
PPTX
ROS - an open-source Robot Operating System
abirpahlwan
 
PDF
We don't need consensus: All agreed?
Weaveworks
 
PDF
RubyConf Taiwan 2016 - Large scale Rails applications
Florian Dutey
 
PPTX
Build software like a bag of marbles, not a castle of LEGO®
Hannes Lowette
 
PDF
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
PDF
RubyConf China 2015 - Rails off assets pipeline
Florian Dutey
 
PPTX
Not my problem - Delegating responsibility to infrastructure
Yshay Yaacobi
 
PPTX
Transforming monolith systems to microservices
Alon Yair
 
PPTX
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
DevOpsDays Tel Aviv
 
SignalR
William Austin
 
CNIT 124 Ch 13: Post Exploitation (Part 1)
Sam Bowne
 
Practical Malware Analysis: Ch 2 Malware Analysis in Virtual Machines & 3: Ba...
Sam Bowne
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
Sam Bowne
 
Chain of Responsibility Pattern
Hélio Costa e Silva
 
CouchDB @ PoliMi
Giorgio Sironi
 
Hyperledger Cello Feb 20, 2018
Arnaud Le Hors
 
CNIT 126 Ch 9: OllyDbg
Sam Bowne
 
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
Paul Mooney
 
Net Scheme English Version
Tod Morita
 
Go, Swarm and DevOps vs The Mighty Monolith
Igor Karpovich
 
ROS - an open-source Robot Operating System
abirpahlwan
 
We don't need consensus: All agreed?
Weaveworks
 
RubyConf Taiwan 2016 - Large scale Rails applications
Florian Dutey
 
Build software like a bag of marbles, not a castle of LEGO®
Hannes Lowette
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Sam Bowne
 
RubyConf China 2015 - Rails off assets pipeline
Florian Dutey
 
Not my problem - Delegating responsibility to infrastructure
Yshay Yaacobi
 
Transforming monolith systems to microservices
Alon Yair
 
THE STATE OF OPENTELEMETRY, DOTAN HOROVITS, Logz.io
DevOpsDays Tel Aviv
 
Ad

Viewers also liked (20)

PDF
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days
 
PDF
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
PDF
Moony li pacsec-1.8
PacSecJP
 
PDF
Fuzzing: The New Unit Testing
Dmitry Vyukov
 
PDF
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CanSecWest
 
PDF
D1T3-Anto-Joseph-Droid-FF
Anthony Jose
 
PDF
The Python bites your apple
Qidan He
 
PPTX
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
PPTX
What the fuzz
Christopher Frenz
 
PDF
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon
 
PDF
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
CODE BLUE
 
PDF
Henrique Dantas - API fuzzing using Swagger
DevSecCon
 
PDF
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
PPTX
American Fuzzy Lop
Michael Overmeyer
 
PDF
Bug Hunting with Media Formats
Russell Sanford
 
ODP
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
Joxean Koret
 
PDF
Making a Scalable Automated Hacking System by Artem Dinaburg
Shakacon
 
PDF
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Positive Hack Days
 
PPTX
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
PDF
High Definition Fuzzing; Exploring HDMI vulnerabilities
E Hacking
 
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days
 
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Moony li pacsec-1.8
PacSecJP
 
Fuzzing: The New Unit Testing
Dmitry Vyukov
 
CSW2017 Qinghao tang+Xinlei ying vmware_escape_final
CanSecWest
 
D1T3-Anto-Joseph-Droid-FF
Anthony Jose
 
The Python bites your apple
Qidan He
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
What the fuzz
Christopher Frenz
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
CODE BLUE
 
Henrique Dantas - API fuzzing using Swagger
DevSecCon
 
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
American Fuzzy Lop
Michael Overmeyer
 
Bug Hunting with Media Formats
Russell Sanford
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
Joxean Koret
 
Making a Scalable Automated Hacking System by Artem Dinaburg
Shakacon
 
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...
Positive Hack Days
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
E Hacking
 
Ad

Similar to Discovering Vulnerabilities For Fun and Profit (20)

PPT
Web Services Security
amiable_indian
 
PDF
Lares from LOW to PWNED
Chris Gates
 
PDF
SOHOpelessly Broken
The Security of Things Forum
 
PDF
Reversing Engineer: Dissecting a "Client Side" Vulnerability in the APT era
Nelson Brito
 
PPTX
How to get along with HATEOAS without letting the bad guys steal your lunch?
Graham Charters
 
PPTX
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
EC-Council
 
PDF
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
Felipe Prado
 
PPTX
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
PPT
shostack-blackhat-991.ppt YUGUUYGYGUUYUHJ
Abodahab
 
PPTX
Vulnerability, exploit to metasploit
Tiago Henriques
 
PDF
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
PDF
Inception: A reverse-engineer horror History
Nelson Brito
 
PPTX
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
lior mazor
 
PPTX
binary analysis for botnet reverse engineering.pptx
AhmedHamouda68
 
PDF
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
PDF
Malware Analysis -an overview by PP Singh
n|u - The Open Security Community
 
PDF
'Malware Analysis' by PP Singh
Bipin Upadhyay
 
PDF
A client-side vulnerability under the microscope!
Nelson Brito
 
PDF
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
PDF
Awesome_fuzzing_for _pentester_red-pill_2017
Manich Koomsusi
 
Web Services Security
amiable_indian
 
Lares from LOW to PWNED
Chris Gates
 
SOHOpelessly Broken
The Security of Things Forum
 
Reversing Engineer: Dissecting a "Client Side" Vulnerability in the APT era
Nelson Brito
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
Graham Charters
 
Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...
EC-Council
 
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
Felipe Prado
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
shostack-blackhat-991.ppt YUGUUYGYGUUYUHJ
Abodahab
 
Vulnerability, exploit to metasploit
Tiago Henriques
 
Thick Application Penetration Testing: Crash Course
Scott Sutherland
 
Inception: A reverse-engineer horror History
Nelson Brito
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
lior mazor
 
binary analysis for botnet reverse engineering.pptx
AhmedHamouda68
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
Malware Analysis -an overview by PP Singh
n|u - The Open Security Community
 
'Malware Analysis' by PP Singh
Bipin Upadhyay
 
A client-side vulnerability under the microscope!
Nelson Brito
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays
 
Awesome_fuzzing_for _pentester_red-pill_2017
Manich Koomsusi
 

Recently uploaded (20)

PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
A Presentation on Touch Screen Technology
memembruh336
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 

Discovering Vulnerabilities For Fun and Profit

  • 2. Who Am I • Founder, 3S Labs – Information Security Services Startup • Security Tools • Wireplay – TCP Session Replay for Network Protocol Fuzzing • RbWinDBG – Ruby interface to Windows Debugger API • HiDump – Injected Code Extraction Tool (Windows only) • […] • Security Research (CVE) • Microsoft Office • IBM Tivoli Endpoint Manager • HP Siteprotect • […] @abh1sek abhisek
  • 3. Linus Law “Given enough eyeballs, all bugs are shallow”
  • 5. The “Practical” Shallow Bugs ActiveX1.bin – Rich Control Embedded in Word Document MSCOMCTL!DLLGetDocumentation+XXX: 6f5164d2 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
  • 7. Now .. The Magic Tool http://lcamtuf.coredump.cx/afl/
  • 8. An approach towards Finding Vulnerabilities Features Attack Surfaces Architecture & Components Protocol Analysis Targeted Fuzzing Static Analysis
  • 9. Attack Surface Analysis – Microsoft OOXML • The Past • Multiple vulnerabilities while processing binary records • Multiple vulnerabilities in processing embedded objects (image / flash) • […] • What’s new? • Microsoft OOXML File Format • (Almost) all features of Office Binary File Format represented through XML • ZIP File Format based container (instead of OLE Structured Storage)
  • 10. Attack Surface Analysis – Microsoft OOXML https://msdn.microsoft.com/en-us/library/aa338205(v=office.12).aspx
  • 11. Fuzzing Microsoft Office - OOXML • What will probably not work? • Binary fuzzing (bit flip) on input file. • They are just ZIP files ! • XML tag mutation • It will just hit the XML parser which should be matured. • What will probably work ? • XML mutation • Hit the application states and NOT the XML parser • XML attributes • Not very different from blind binary fuzzing (bit flip) • These are used to prepare and render objects
  • 12. OOXML – XML Mutation CVE 
  • 13. OOXML – XML Attribute Fuzzing CVE 
  • 14. OOXML – XML Attribute Fuzzing CVE 
  • 15. Architecture Analysis – IBM Tivoli EM • Enterprise endpoint management • Single agent for endpoint self-assessment and policy enforcement • Near real-time visibility and control from single dashboard • Target specific actions to an exact type of endpoint configuration or user type • Primary Components • Root Server • Reports Server • Agent
  • 16. Architecture Analysis – IBM Tivoli EM Root Server AgentAgentAgentAgentTCP: 5231 S/MIME Signed HTTP https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli+Endpoint+Manager/page/REST+API • All HTTP transactions are S/MIME signed. • Any HTTP request with signature mismatch will be ignored. • Now?
  • 17. Fuzzing – IBM Tivoli EM Root Server TCP: 5231 S/MIME Signing Proxy HTTP Request Fuzzer ( Burp / SPIKE / !! ) • Intercept communication between Agent and Root Server • Replay and fuzz intercepted HTTP requests • S/MIME sign HTTP requests through proxy Burp plugin to sign HTTP request for Tivoli EM: https://gist.github.com/abhisek/f69f0ead1d9292cfc68260423819780d
  • 18. Static Analysis – Dameware Mini Remote Control • Why? • Custom binary protocol • Encrypted packets • No documentation on protocol • Not too much prior work on DMRC reverse engineering • Objective • Identify “crypto container” • Fuzz DMRC by replaying interception communication • Decrypt > Mutate > Encrypt > Send to Server
  • 19. Static Analysis – DMRC Protocol DMRC Client to Agent Communication – Whats This?
  • 20. Static Analysis – DMRC Client
  • 21. DMRC Case • 1 day to setup and analyze network infrastructure • 1 day to survey protocol documentation without luck • ~3 days to reverse engineer the handshake protocol encryption • 2 days of fuzzing effort • Results? • 2 crashes – None exploitable • No CVE !!  Was it worth the effort ?
  • 22. Static Analysis – Other Approaches • Taint Analysis • IDA Plugin to manually mark sinks & compute path from any point in code to sinks. • Binary Analysis Platform • A useful framework to implement various algorithms to “infer” possible vulnerabilities. https://github.com/BinaryAnalysisPlatform/bap
  • 23. There will ALWAYS be another vulnerability.. • Security Researcher • How to find maximum exploitable vulnerabilities in minimum or at least practically feasible time window. • Developer • Maximize cost of finding exploitable vulnerabilities through securing coding practices and platform hardening.
  • 24. Thanks for listening  Questions? @abh1sek abhisek

Editor's Notes

  • #14: This resulted in a UaF
  • #15: OOB Memory Access