SANS Digital Forensics and Incident Response Blog: Tag - fuzz

Arbitrary Code Execution on Examiner Systems via File Format Vulnerabilities

I attended ThotCon 0x1 on Friday, April 23rd, and watched a talk where the presenters disclosed and demonstrated an exploit embedded in a disk image that triggered arbitrary code execution when the same malicious file was examined using either EnCase or FTK. I'd like to talk a bit about this and it's implications, as well as a few things that we, as a community, might want to do in response.

The specific vulnerability in question appeared to actually exist in the Outside-In component, and was not triggered until the malicious file was actually viewed inside EnCase or FTK. The presenters stated that the vulnerability had been initially reported to Guidance and Access Data more than 3 versions of EnCase ago. Thinking back now, I was assuming they meant they had notified before 6.14, but it's possible that they were counting point releases.

When triggered, the exploit seemed