(Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind) A few days ago we (j00ru and I) gave a talk during the SyScan'13 conference in the fine city of Singapore, and as promised (though with a slight delay), today we are publishing both the slide deck and a white paper discussing memory access pattern analysis - a technique we recently employed with success to discover around 50 double-fetch vulnerabilities in Windows kernel and related drivers (Elevation of Privileges and Denial of Service class; see Microsoft Security Bulletins MS13-016, MS13-017, MS13-031 and MS13-036 released in February this year. Also, stay tuned for more security patches in May and June).
Szybka notka: wygląda na to, że w polskiej części Internetu pojawił się nowy serwis o sec/hack - BAD[SECTOR].pl (prowadzony przez think tank o tej samej nazwie). Wyróżnia się on dwoma cechami: po pierwsze, ekipą (mi osobiście rzuciły się w oczy przede wszystkim dwa nazwiska - Janusz Niewiadomski (isec.pl), oraz Borys Łącki (bothunters.pl) - pewnie dlatego, że są rozpoznawalnymi osobami na polskiej scenie pentesterskiej, świetnymi specami od sec/hack, a i miałem okazję z nimi wypić przysłowiowe piwo); a po drugie target docelowy: pentesterzy, programiści, specjaliści ds bezpieczeństwa oraz admini (zgodnie z pierwszym newsem). A więc RSS++ i z ciekawością będę śledził dalszy rozwój serwisu.
Five newest or recently updated notes (these are unfinished posts, code snippets, links or commands I find useful but always forget, and other notes that just don't fit on the blog):
GDT and LDT in Windows kernel vulnerability exploitation is another paper I've written with j00ru, this time about using call-gates in kernel exploitation - quite a cool method since it works even if you have only a 1-byte write-what-where condition.
Adobe Reader 9.5.1 and 10.1.3 multiple vulnerabilities - 62 unique crashes, from that 31 trivially exploitable and 9 more potentially exploitable, 11 CVE's assigned (CVE-2012-4149 to CVE-2012-4160). Some of these bugs were fixed for Windows and OSX releases of Adobe Reader in APSB12-16.
Contributed to discovery of multiple low-to-high vulnerabilities in Google Chrome (CVE-2012-2851, CVE-2012-2855, CVE-2012-2856, CVE-2012-2862, CVE-2012-2863 and some other) - some of these were mentioned in this post.
A lot of bugs in ffmpeg and libav which resulted in 388 (sic!) patches in ffmpeg and 155 patches in libav (CVE-2011-3930 to CVE-2011-3952 and some other).
Mozilla Firefox 2.0.0.11 and Opera 9.50 information leak, also midly affected Safair, Konqueror and some other products (CVE-2007-6524, CVE-2008-0420, CVE-2008-0894, CVE-2008-1573). A demo video is also available.
A small but funny bug in Total Commander 7.01 - an FTP client gets attacked by the server, leading to a path traversal.
The full list of vulnerabilities discovered by me (including collaborative work) can be found here (please note that the list might be out of date).
Coding (selected posts)
Unicode fun: PHP preg_match and UTF-8 with analysis of what happens when you forget that UTF-8 is multibyte; and a String-to-Integer vs Unicode - yes, the standard 0-9 digits are not the only ones supported by programming languages or unicode (see also this post).
PiXieServ is a simplified PXE (network boot) server for Windows and Linux-based OS, created for testing of very small home-made OS. See also the post about it.
ExcpHook, a system-wide exception monitor for Windows XP 32-bit. Useful if you're fuzzing something that doesn't like having a debugger attached.
Ent is an entropy measuring tool for reverse engineering reconnaissance (see also a post explaining how to use it).
HiperDrop is a simple command line process memory dumper for Windows, with a few different work modes.
asmloader - this little app executes headerless machine code (compiled assembly code). It's meant to be an aid in learning/teaching and playing with assembly, as well as the right tool when you just need to execute some machine code.
NetSock is a simple socket/networking lib/wrapper for C++ I've wrote back in 2003 and update from time to time - I use it for most of my network-enabled projects.
Dodatkowo: ReverseCraft - starsza seria podcastów o reverse engineeringu i assembly.
Edukacyjnie (wybrane posty)
Dla programistów:
Poradnik Początkującego Programisty - czyli jaki język wybrać, z czego się uczyć, jak samodzielnie rozwiązywać problemy i co dalej jak już się zna podstawy.