2010-07-21:
confidence:lecture:terrible terrible english:windows:hacking:security
The videos from some CONFidence 2010 lectures have been published. Inter alia, the video from my and j00ru's lecture "Case study of recent Windows vulnerabilities" is available. The video is in a downloadable form (i.e. no online player is currently available).
Read more...
2010-07-20:
security:php:rant
Last night we published (on j00ru's blog) some old, low severity, PHP advisories (well, they are more research papers than actual advisories). Basically we've done the research to test a new (i.e. new for us) method of application review, which I find quite cool.
Read more...
2010-05-30:
confidence:conference:lecture:windows:security:medium:high
Just a short (almost copy-pasted from j00ru's blog) post with the original advisories of the vulnerabilities we've talked about at CONFidence (and earlier at Hack In The Box Dubai), with the slides used by us at the CONFidence conference. The advisories contain most of the technical details we've discussed during the lectures (and sometimes even more ;>).
Read more...
2010-05-03:
windows:security:winapi:csrss
Just a redirect-post for all you Windows researchers: Matthew has published a CSRSS opcode table on his blog - go and take a look - http://j00ru.vexillium.org/?p=349&lang=en :)
Read more...
2010-04-13:
windows:kernel:security:easy
I've already written, in February, about the first vulnerability found by our team (that would be j00ru and me). Today, Microsoft has published reports about 5 more (well, there were 6 actually, but Microsoft decided to merge two into one, because of the way both of them could be fixed by the same change in the code) :)
Read more...
2010-02-10:
windows:csrss:local priv escal:vulnerability:security:hacking
Today is Exploit Wednesday, so it means that yesterday was Patch Tuesday. So, as every month, Microsoft published Microsoft Security Bulletin Summary (for February 2010) and a couple of patches. One of the vulnerabilities included in the summary (there are 25 altogether) was researched by j00ru and me (in this exact order - j00ru has found it, and we cooperated in researching the possibility of a successful exploitation) - it's the csrss.exe one, which could allow, inter alia, local privilege elevation or information disclosure.
Read more...
2010-01-17:
medium:x86:assembler:windows:win32:exploit:security
A few weeks ago j00ru visited me, and, as one can figure out, some more or less interesting ideas came to be. One such idea was to use the Call-Gate mechanism in kernel/driver exploit development on Windows, or, to be more precise, to use a write-what-where condition to convert a custom LDT entry into a Call-Gate (this can be done by modifying just one byte), and using the Call-Gate to elevate the code privilege from user-land to ring0. The idea was turned into some PoC exploits, and finally, into the paper presented below.
Read more...
2009-11-23:
confidence:confidence 2.0:lecture:c++:python:security
Below I present the download links for the slideshow (PDF) from my "Practical security in computer games" lecture, and a 0.0.1 alpha version of SilkProxy. A few more words about that last item: it's a multi-tunnel written in C++, scriptable in Python, that can be used for a few different things like protocol analysis, network traffic fuzzing or as a proxy/tunnel for some application. The version I publish is the version I've used while doing research for my lecture, and it's an alpha version - it means that not everything works as I would like it to work, the Python API is undocumented, and some functionality (like replaying packets/network traffic and application-replay tunnel) is still missing - so, currently it might interest some curious programmers, but it's not yet usable for most researchers. However, I encourage you to take a look at it anyway (see the http.py script for a simple usage example; you run it by typing ./SilkProxy script.py, however the script is optional; to compile it you need to have Python installed with libs/headers, and the GCC compiler (MinGW is OK)) ;>
Read more...
2009-10-14:
php:security:easy
Seems I'm a little behind on the English side of the mirror, so it's time to fix that with another PHP internals topic! This time I'll tell you the story of the PNG format, of course in the context of its support in the getimagesize function.
Read more...
2009-08-29:
php:security:easy
Time has come to write the second part of the PHP getimagesize story (yes, that means that there was a first part *grin*). This time I'll focus more on what getimagesize is supposed to do - on acquiring the image sizes from different file formats. I'll also write about why you should NOT use getimagesize to validate if an uploaded file is really an image.
Read more...
2009-08-28:
php:security:easy
The getimagesize function is, in my humble opinion of course, one of the most interesting functions of the standard PHP library (yes, the standard library, even while its documentation is placed among the GD extension functions). Why is it so interesting? Firstly, its implementation is long, and as one knows, long code = many occasions to make minor or bigger mistakes. Secondly, the function is commonly misused by PHP coders, introducing interesting bugs into the PHP code.
Read more...
2009-08-08:
security:windows:medium:re:cpp
(Be sure to check out the demonstration video at the bottom of the page). Two months ago I wrote about banker trojans, some of which change DNS settings, while others add a list of domains (used by financial institutions) to the c:\windows\system32\drivers\etc\hosts file. Of course both mentioned behaviors result in redirecting the user to some evil phishing site (sometimes an unlucky user might lose some money in effect).
Read more...
2009-07-12:
php:c:c++:funny:security:malware:windows
For some random reasons my blog became quiet recently, but don't worry, it's only temporary. It's time to catch up, and write about this and that.
Read more...
2009-06-14:
re:security:easy:malware
It happened so that I got back to reversing banker trojans the other day, and celebrated it with a 24-hour marathon with many different foreign malware entities. Looks like that when I played with other stuff, the malware authors have also not slept! They thought of newer ways to make their malware more... weakly constructed ;p
Read more...
2009-06-01:
security:easy:blog:rant
Recently while reading some press news / blog posts, a few things came to my attention, which I would like to discuss (as in "rant about them") in this post.
Read more...
2009-04-04:
blog:security:windows:sysday:medium:lecture
I'm sorry, but the slides are, again, in Polish (well, the source codes and demo videos don't have Polish in them, mostly because they don't have any text at all). I've been informed that a video from the lecture will be available, so I'll take my time and attach English subtitles if anyone is interested in it (let me know if you are interested).
Read more...
2009-03-12:
security:macosx:easy
As my readers may know, for some time now I have access to a MacBook with OS X. Finally I found some time to test the standard exploiting techniques on OS X. I must admit that OS X surprised me positively once or even twice. However, this post is about another time, when the surprise was not positive in terms of security, additionally, it was kinda funny (in a hermetic way) ;>
Read more...
2009-02-10:
easy:security:funny
I've received another spam message generated with an 'almost' finished spam generator. Take a look:
Read more...
2009-02-05:
medium:windows:c++:asm:security:buffer overflow:return-oriented exploiting
Today's post will contain some technical security stuff - I'll write about a technique called "return-oriented programming" or "return-oriented exploiting" or "ret-to-libc without returning to functions" or "ret-to-anything" (or by some other names as well). As always, I'll write about this technique from my point of view - meaning that, like always, I used this technique before reading any papers about it (it's related to my habit of reinventing the wheel).
Read more...
2009-02-03:
excphook:re:windows:security:c++
Yesterday I finally got some time to finish the changes in the new version of ExcpHook. So, version 0.0.5-rc2 (rc2 of alpha ;p) is ready for download, and might be even usable ;D
Read more...
2008-12-17:
re:malware:windows:security:easy
I've got my hands on some malware that had a very interesting idea about using one of Windows's entry points for making sure it would be run after a reboot.
Read more...
A few days ago two identical e-mails arrived in my mailbox. Both with a job offer that smelled like dirty money laundering. The funny thing was the signature:
Read more...
2008-10-23:
vista:windows:winapi:c:c++:format bug:security:easy
Recently I've talked with my teammate oshogbo about the format bug (aka format string attack), and when we got to testing a sample code, a thing that should work - the %n tag, didn't work at all. What's more interesting, this behavior was Vista specific, since everything else worked well on XP. I've decided to take a look inside, and here's what I've found out...
Read more...
2008-10-21:
re:malware:windows:security:easy:winapi
Some time ago I've analyzed a piece of malware, which was protected using an interesting schema...
Read more...
2008-09-30:
security:easy
The new post is so late because I got sucked in by C++ the previous Friday night, and released on Monday morning (with a few short breaks for sleeping, and another break which I used to go to the cinema to see Babylon A.D., which imho is quite a good and action-packed movie, and it has a great dark climate, but the ending... well, it's easy to see that the studio has cut out 70 minutes of the movie, even when the director opposed... guess we'll just have to wait for the uncut director's version).
Read more...
2008-09-25:
security:easy
It's 3am, and I have some time to finally write about the next tasks at SD6. Well, but since it's 3am, and I'm a little tired, I'll just describe one task (that will be the task from the second day) for now (the rest will be described later). Btw, Polish speaking users can find the solutions on the official forum of SD6.
Read more...
I still have a stupid cold, so most of the time I lie in bed trying to get better, hence another short news (I hope that tomorrow I can manage to write something more interesting for you guys).
Read more...
2008-09-10:
security:easy
The second part of the first phase of SD6 started this evening, so I can finally write something about the first part.
Read more...
2008-09-09:
security:rant
As one may know, yesterday at 8pm, the first day of the Internet phase of the Security Days 6 tournament began. The deadline for sending solutions to the first practical task was initially set to today, 9pm, but because of an attack on the main webpage of the tournament (a DDoS I was told) the deadline was changed to tomorrow 9pm. I'm not amused, since I wanted to post today some info about the first practical task, which imho was just about right for the first day - pretty easy, but still interesting. Well, I guess I'll write about it tomorrow ;>
Read more...
2008-09-08:
security:easy:chrome
Below my post about Chrome's sandbox I engaged in a discussion with AlienRancher regarding the function hooking (or 'interception' as Google calls it) really being a security mechanism. I must confess that I really thought it was, and I even liked the idea. But in fact it came out that function hooking is for compatibility purposes only. If a plugin has trouble running in a restricted environment due to problems with limited access to some keys/files, the hooking mechanism can transfer the calls to the browser, and they will be done with browser privileges (of course if a certain rule allows it).
Read more...
2008-09-06:
security:easy:chrome:windows
Yesterday another method of making Google Chrome automatically download a file was posted on bugtraq. Of course an old discussion was restarted - is automatic file download a bug, feature, or a vulnerability?
Read more...
2008-09-05:
chrome:security:buffer overflow:windows
A short info. Someone (Le Duc Anh - SVRT - Bkis) posted on the FD list about a Remote Buffer Overflow in Chrome, needing a little interaction from the user - the user needs to click 'Save as...' (the buffer overflow is related to the handling of the <title> while saving files). The researcher has provided two PoC exploits, one is said to run a calculator (on XP SP2, but it didn't work for me), and the other is just a DoS. It must be noted that both the renderer and browser processes are crashed, so the vuln is located either in the browser, or is magically transferred from the renderer to the browser.
Read more...
2008-09-04:
chrome:easy:windows:security:re
Yesterday I had some free time to look into Google Chrome's sandbox, so I'll write a little 'bout it today.
Read more...
2008-08-28:
security:easy
2008-08-26:
security:easy
A short news...
Read more...