HP TippingPoint DVLabs – Zero-Day Filter Protection for the Win!

We’re extremely excited to announce a clear confirmation of the strength of our zero-day filter protection feed. Although we can't name the actual filter at this point due to the sensitive nature of the Pwn2Own vulnerabilities, we can share that the Digital Vaccine team shipped a filter in early 2012 that fully covers a zero-day vulnerability successfully exploited at Pwn2Own 2014. To put it another way, if the Pwn2Own contestant had attempted to demonstrate this exploit over a network deploying an HP TippingPoint IPS, the attack would have been blocked and logged.


For this attempt, the bug was leveraged to demonstrate full remote code execution against the browser in question, ultimately spawning a calculator operating in medium integrity (escalated privileges).  This shellcode in the Pwn2Own entry is of course benign, but could trivially be replaced with a reverse shell or any number of malicious payloads.


The significance of this coverage should be clear: by deploying the HP TippingPoint IPS and its corresponding filter set, our customers are uniquely protected against vulnerabilities not publicly disclosed.  This is an enormous differentiator against our competitors, considering DVLabs has shipped 90 zero-day vulnerability filters in the last 3 months alone.  We fully expect that number to continue to grow due to increased partnership and collaboration with our ZDI team.  Once this specific vulnerability is patched and disclosed by the vendor, we'll post a follow-up blog with further details.  

Comments
anonymous3(anon) | 03-25-2014 05:21 PM

If it is a browser finding, a JavaScript exploit is trivial to encode. How do you catch it? A duplicate find is likely for getting past the sandbox. Or is it for Adobe Flash or Adobe Reader?

Was it always allowed to submit a finding to ZDI and use the same exploit in Pwn2Own?

spovolny | 03-26-2014 08:41 AM

Hi - thanks for the comment.  I'm unable to elaborate any further on the nature of what product this exploit was in until the vendor has patched.  However, I do want to clarify that the filter developed to cover the original vulnerability is NOT the same vulnerability as was demonstrated at Pwn2Own this year - because TippingPoint addresses the root cause of a vulnerability versus just an exploit of that vulnerability, the detection logic was able to trigger on what we know now is a different vulnerability despite the similarity to the 2012 CVE.  


On an unrelated note - yes you are correct, it is a challenging problem to account for the dynamic nature of scripting languages such as JavaScript.  That is why TippingPoint filters address the core issue, accounting for as many evasion/encodings as possible, and simultaneously, we have filters that detect generic obfuscation, encoding, and manipulation to standard scripting languages...


Finally, all submissions to ZDI are separate from Pwn2Own and may never be reused.  That is how the program has always worked, and will continue to operate.  Let me reiterate - this exploit was NOT from a submission to ZDI at any point.  Thanks for your interest!
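The distinction drawn in the reply above, a filter written against the root cause rather than against one exploit string, plus a generic obfuscation check, as an added Python illustration. This is not TippingPoint filter code or anything from the original post: the method name, the length condition and every sample script are constructed placeholders.

```python
import re

# Constructed stand-in for a root cause (placeholder names, not a real API):
# calling obj.vulnerableMethod with a string argument longer than MAX_SAFE_LEN.
VULN_API = "vulnerableMethod"
MAX_SAFE_LEN = 32

# Exploit-specific signature: the exact text of one known sample.
EXPLOIT_SIGNATURE = 'obj.vulnerableMethod("' + "A" * 64 + '")'

# Constructed samples: the original, three encodings of it, a variant that
# triggers the same condition with a different payload, and a benign call.
SAMPLES = {
    "original": 'obj.vulnerableMethod("' + "A" * 64 + '")',
    "hex": 'obj["\\x76\\x75\\x6c\\x6e\\x65\\x72\\x61\\x62\\x6c\\x65'
           '\\x4d\\x65\\x74\\x68\\x6f\\x64"]("' + "A" * 64 + '")',
    "charcode": 'obj[String.fromCharCode(118,117,108,110,101,114,97,98,'
                '108,101,77,101,116,104,111,100)]("' + "A" * 64 + '")',
    "concat": 'obj["vulnerable" + "Method"]("' + "A" * 64 + '")',
    "variant": 'obj.vulnerableMethod("' + "B" * 80 + '")',
    "benign": 'obj.vulnerableMethod("hello")',
}

def _decode_char_codes(m):
    return '"' + "".join(chr(int(c)) for c in re.findall(r"\d+", m.group(1))) + '"'

def normalize(script):
    """Undo common JavaScript string encodings so the core condition is visible."""
    s = re.sub(r"String\.fromCharCode\(([\d,\s]*)\)", _decode_char_codes, script)
    s = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r'"\s*\+\s*"', "", s)                       # "a" + "b" -> "ab"
    return re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r".\1", s)  # obj["m"] -> obj.m

def signature_match(script):
    """Exploit-signature approach: byte-exact match on one known sample."""
    return EXPLOIT_SIGNATURE in script

def root_cause_match(script):
    """Root-cause approach: normalize first, then test the triggering condition."""
    m = re.search(r"\." + VULN_API + r'\s*\(\s*"([^"]*)"', normalize(script))
    return m is not None and len(m.group(1)) > MAX_SAFE_LEN

def obfuscation_score(script):
    """Generic obfuscation heuristic, independent of any one vulnerability."""
    return sum(script.count(t) for t in ("String.fromCharCode", "\\x", "eval(", "unescape("))

def evaluate():
    return {name: (signature_match(s), root_cause_match(s)) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (sig, rc) in evaluate().items():
        print(f"{name:9s} signature={sig!s:5s} root_cause={rc}")
```

Only the original sample trips the exact signature; every encoded form and the different-payload variant still trip the root-cause check, while the benign call trips neither.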

About the Author
Steve Povolny manages the Digital Vaccine team at HP TippingPoint. The team is composed of security researchers and filter/signature develo...

