Presented at
REcon 2023,
June 11, 2023, 2 p.m.
(30 minutes).
ClamAV is an open-source antivirus engine maintained by Cisco. As it is freely available, it is widely used across a large number of software products, like email servers, and appliances. This means that if an attacker can fully compromise the AV engine running in one of those products, they could access incoming and outgoing emails and for an appliance even control the network traffic of an organization. It is well known that AV engines expose a large, externally reachable attack surface as they parse a variety of file-formats, often coming from the Internet. On the other hand, modern mitigations make the exploitation of antivirus software significantly harder because remote attackers cannot interact with the target and thus can’t leak memory addresses.
This talk is a case-study of reliably exploiting CVE-2023-20032, a heap-buffer-overflow as a remote-attacker and lessons learned from it. The exploit results in remote-code-execution impact and utilizes a unique exploit-technique to bypass ASLR that can be applied to similar targets.
ClamAV is an open-source antivirus engine maintained by Cisco. As it is freely available, it is widely used across a large number of software products, like email servers, and appliances. This means that if an attacker can fully compromise the AV engine running in one of those products, they could access incoming and outgoing emails and for an appliance even control the network traffic of an organization. It is well known that AV engines expose a large, externally reachable attack surface as they parse a variety of file-formats, often coming from the Internet. On the other hand, modern mitigations make the exploitation of antivirus software significantly harder because remote attackers cannot interact with the target and thus can’t leak memory addresses.
This talk is a case-study of reliably exploiting CVE-2023-20032, a heap-buffer-overflow as a remote-attacker and lessons learned from it. The exploit results in remote-code-execution impact and utilizes a unique exploit-technique to bypass ASLR that can be applied to similar targets.
Presenters:
-
Simon Scannell
Simon is a self-taught Vulnerability Researcher at Google who is passionate about playing CTF, traveling, and sports. He has come up with ways to find 0days in some of the most popular web applications such as WordPress, MyBB, and Magento2. He has also developed exploits for the Linux Kernel and Counter-Strike: Global Offensive.
Links:
Similar Presentations: