Confidence - (23-24.05 2012 Krakow)

Nicolas Grégoire

Bio: Nicolas Grégoire has worked in Information Security for more than ten years. After a first (defensive) job in a start-up, he spent 4 years doing full-time pen-testing as a consultant. Afterwards, he moved to the nice region of Luberon and became an internal security auditor for one of the largest French PKIs. In early 2011, he left this job to create Agarri, a small company dedicated to the offensive side of information security: pen-testing, white / gray / black-box audit, code review, vulnerability research, training, etc. Since then, he has published several vulnerabilities in well-known high-profile products such as WebKit, PHP, DotNetNuke, VMware ESX, Excel, HP SAN appliances, … His current research focus is XML technologies at large.

Topic of Presentation: Attacks on the XML data processing

Language: English

Abstract:
My previous research (published among others at PH-Neutral 0x7db and Hack In Paris 2011) about XML data was limited to file creation and code execution through XSLT “extensions” (which are considerably non-standard features specific to each XSLT engine). Since then, the scope was both widened and deepened, and numerous other XML-related formats, languages and technologies were examined.

The goal of this new talk is to document and publicize state-of-the-art attacks in the area of XML data processing, including:
- Data obfuscation in XML containers (Adobe, VLC, …)
- DTD manipulation used to read (possibly binary) files, steal hashes or generate XSS
- Dangerous extensions in newly studied XSLT and XQuery engines (Adobe, Oracle, XT, 4Suite, …)
- Grammar and mutation-based fuzzing of XPath and XSLT engines
- Bizarre combinations of grammar, data, code and markup in a single XML file
- How to trigger XSLT code in security protocols (SAML, WS-Security, …)
- Advanced in-memory exploitation of Java based XSLT engines

Since the beginning of this study, vulnerabilities were found in WebKit, PHP, Liferay, SharePoint, DotNetNuke, Firefox, MoinMoin, Adobe Reader, Oracle and several other products. A public Wiki has been installed to document my published PoC code: http://xhe.myxwiki.org/