An introduction to format string vulnerabilities within the Windows Intel Architecture environment. During this presentation will introduce the audience to the concepts of format strings and associated vulnerabilities. I will take the audience from the basics of what is a format string and how it’s used, through discovering and leveraging of format string vulnerabilities. I will show how format strings vulnerabilities can be used to read data from process stack, arbitrary memory and also methods used to write data to arbitrary memory. Leveraging vulnerable format string functions we will also discuss the basics of triggering various exceptions to gain control of the flow of execution within a vulnerable application. This presentation will include a number of live demonstrations.

Deral Heiland

Deral Heiland CISSP, serves as a Senior Security Engineer for CDW where he is responsible for security assessments, and consulting for corporations and government agencies. In addition, Deral is the founder of Ohio Information Security Forum a not for profit organization that focuses on information security training and education. Deral Is also a member of the foofus.net security team.Deral has presented at numerous conferences including ShmooCon, Defcon, CarolinaCon, Securitybyte India, and has also been a guest lecturer at the Airforce Institute of Technology (AFIT). Deral has over 18 years of experience in the Information Technology field, and has held multiple positions including: Senior Network Analyst, Network Administrator, Database Manager, Financial Systems Manager and Senior Information Security Analyst where he was responsible for delivering security guidance and leadership in the area of risk and vulnerability management for a global Fortune 500 manufacturer.
 

Back to Derbycon 2012 video list