Security Research
Showing results for 
Search instead for 
Do you mean 

HP TippingPoint DVLabs – Zero-Day Filter Protection for the Win!

spovolny on ‎03-18-2014 12:41 PM

We’re extremely excited to announce a clear confirmation of the strength of our zero-day filter protection feed.  Although we can't name the actual filter at this point due to the sensitive nature of the Pwn20wn vulnerabilities, we can share that the Digital Vaccine team shipped a filter in early 2012 that fully covers a zero-day vulnerability successfully exploited at Pwn2Own 2014. To put it another way, if the Pwn2Own contestant had attempted to demonstrate this exploit over a network deploying an HP TippingPoint IPS, the attack would have been blocked and logged. 


For this attempt, the bug was leveraged to demonstrate full remote code execution against the browser in question, ultimately spawning a calculator operating in medium integrity (escalated privileges).  This shellcode in the Pwn2Own entry is of course benign, but could trivially be replaced with a reverse shell or any number of malicious payloads.


The significance of this coverage should be clear: by deploying the HP TippingPoint IPS and its corresponding filter set, our customers are uniquely protected against vulnerabilities not publicly disclosed.  This is an enormous differentiator against our competitors, considering DVLabs has shipped 90 zero-day vulnerability filters in the last 3 months alone.  We fully expect that number to continue to grow due to increased partnership and collaboration with our ZDI team.  Once this specific vulnerability is patched and disclosed by the vendor, we'll post a follow-up blog with further details.  

0 Kudos
About the Author


Steve Povolny is a Senior Manager for DVLabs Security Research and Development teams at HP TippingPoint.

on ‎03-25-2014 05:21 PM

If is browser finding, but Javascript exploit is trivial to encode. How to catch? A duplicate find is likely for getting passed the sandbox. Or is it for Adobe Flash or Adobe Reader?

Was it always allowed to submit finding to ZDI and use same exploit in Pwn2Own?

on ‎03-26-2014 08:41 AM

Hi - thanks for the comment.  I'm unable to elaborate any further on the nature of what product this exploit was in until the vendor has patched.  However, I do want to clarify that the filter developed to cover the original vulnerability is NOT the same vulnerability as was demonstrated at Pwn2Own this year - because TippingPoint addresses the root cause of a vulnerability versus just an exploit of that vulnerability, the detection logic was able to trigger on what we know now is a different vulnerability despite the similarity to the 2012 CVE.  


On an unrelated note - yes you are correct, it is a challenging problem to account for the dynamic nature of scripting languages such as JavaScript.  That is why TippingPoint filters address the core issue, accounting for as many evasion/encodings as possible, and simultaneously, we have filters that detect generic obfuscation, encoding, and manipulation to standard scripting languages...


Finally, all submissions to ZDI are separate from Pwn2Own and may never be reused.  That is how the program has always worked, and will continue to operate.  Let me reiterate - this exploit was NOT from a submission to ZDI at any point.  Thanks for your interest!

Nov 29 - Dec 1
Discover 2016 London
Learn how to thrive in a world of digital transformation at our biggest event of the year, Discover 2016 London, November 29 - December 1.
Read more
Each Month in 2016
Software Expert Days - 2016
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all