seeing is believing
Showing 1 - 25 of 123 RSS Feed

Files from Michal Zalewski

Email addresslcamtuf at coredump.cx
First Active1999-11-03
Last Active2015-04-14
SQLite 22 Bugs
Posted Apr 14, 2015
Authored by Michal Zalewski

SQLite has had 22 security bugs reported including stack buffer overflow and uninitialized memory vulnerabilities. Version 3.8.9 addresses these issues.

tags | advisory, overflow, vulnerability
MD5 | 9bd144ede2ac306ffaa50f7f67794743
CUPS Filter Bash Environment Variable Code Injection
Posted Oct 28, 2014
Authored by Michal Zalewski, Stephane Chazelas | Site metasploit.com

This Metasploit module exploits a post-auth code injection in specially crafted environment variables in Bash, specifically targeting CUPS filters through the PRINTER_INFO and PRINTER_LOCATION variables by default.

tags | exploit, bash
advisories | CVE-2014-6271, CVE-2014-6278
MD5 | 29f7d463eabc5a2bc1364b1db48a8215
libbfd Out Of Bounds
Posted Oct 27, 2014
Authored by Michal Zalewski

Zalewski has noted that binaries which have dependencies on libbfd may be leveraged for attacks due to libbfd having a large range of possibly exploitable out-of-bounds crashes.

tags | advisory
MD5 | 1442c1b49bd15d2621b6e41a1886d483
Firefox / MSIE Memory Disclosure Bugs
Posted Oct 15, 2014
Authored by Michal Zalewski

Firefox versions prior to 33 leak bits of uninitialized memory when rendering certain types of truncated images onto canvas tags. Secondly, MSRC case #19611cz is a seemingly similar issue with Internet Explorer apparently using bits of uninitialized stack data when handling JPEG files with an oddball DHT.

tags | exploit, info disclosure
systems | linux
advisories | CVE-2014-1580
MD5 | a6fd1b857406db9ee6fa15a5da2c9a8b
Bash Me Some More
Posted Oct 1, 2014
Authored by Michal Zalewski, Paul Vixie

This is information regarding more bash vulnerabilities and how the original bash patches are ineffective.

tags | exploit, vulnerability, bash
advisories | CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-6279
MD5 | ca1ab0ec96da633346beaff825bd23c6
Mozilla Firefox Secret Leak
Posted Sep 3, 2014
Authored by Michal Zalewski

The recent release of Firefox 32 fixes another interesting image parsing issue found by afl. Following a refactoring of memory management code, the past few versions of the browser ended up using uninitialized memory for certain types of truncated images, which is easily measurable with a simple <canvas> + toDataURL() harness that examines all the fuzzer-generated test cases. Depending on a variety of factors, problems like that may leak secrets across web origins, or more prosaically, may help attackers bypass security measures such as ASLR. This code is a proof of concept for versions prior to 32.

tags | exploit, web, proof of concept, fuzzer
advisories | CVE-2014-1564
MD5 | 2235bb65ae6abe2af194f34a079a0f08
p0f 3.07b Windows Port
Posted May 23, 2014
Authored by Michal Zalewski, David Coomber | Site lcamtuf.coredump.cx

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Changes: This is a Windows port of the latest release created by David Coomber.
tags | tool, web, scanner, tcp
systems | unix
MD5 | 63cf11bbdd003c67a41388faef8dfc49
IJG jpeg6b / libjpeg-turbo Uninitialized Memory
Posted Nov 12, 2013
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

jpeg6b and some of its optimized clones (e.g., libjpeg-turbo) will use uninitialized memory when decoding images with missing SOS data for the luminance component (Y) in presence of valid chroma data (Cr, Cb).

tags | advisory
advisories | CVE-2013-6629, CVE-2013-6630
MD5 | c74e7593702f247838a41cf95581a50f
Javascript Page Interaction History Leak
Posted May 6, 2013
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

Michal Zalewski put together a really amusing asteroids proof of concept to demonstrate how a modified version of the javascript ":visited" attack can be leveraged based on visibility. Proof of concept js included.

tags | exploit, javascript, proof of concept
systems | linux
MD5 | 7f707a1dc148724de8ff400cb97b6407
Skipfish Web Application Scanner 2.09b
Posted Sep 13, 2012
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

Changes: Fixed a crash that could be triggered during 404 fingerprint failures. Signature IDs for detected issues are now stored in the report JSON files. Added mod_status, mod_info, MySQL dump, phpMyAdmin SQL dump and robots.txt signatures. Improved the Flash and Silverlight crossdomain policy signatures to only warn about them when they use wildcards.
tags | tool, web, scanner
systems | linux, unix
MD5 | 9fb6e388a2fa462e84496d3a4c3c198e
Browser Navigation Download Trick
Posted May 31, 2012
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

It is an important and little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition: attachment, in which case, you get the original contents of the address bar, plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file. Proof of concept code included.

tags | exploit, web, arbitrary, proof of concept
systems | windows
MD5 | b7f9bc36728ff78b7ddc61970f1e20a5
p0f 3.03b Windows Port
Posted Jan 25, 2012
Authored by Michal Zalewski, David Coomber | Site lcamtuf.coredump.cx

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Changes: This is a Windows port of the latest release created by David Coomber.
tags | tool, web, scanner, tcp
systems | windows
MD5 | aea524324828790b24a90be3bb7a0d93
P0f 3.0.0b
Posted Jan 17, 2012
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Changes: This complete rewrite adds a range of new TCP fingerprinting mechanisms, sophisticated NAT detection, HTTP inspection and fingerprinting, and updated signatures.
tags | tool, web, scanner, tcp
systems | linux, unix
MD5 | 8a7ea1821b4599bdd1749b6112865c41
P0f 3.0.0 Release Candidate 1
Posted Jan 10, 2012
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Changes: Complete rewrite.
tags | tool, web, scanner, tcp
systems | linux, unix
MD5 | c2b4417fce9bb70bee49a1225dbc10f1
ClickIt Proof Of Concept
Posted Dec 13, 2011
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as window positioning, history.forward() and history.back(), open some scary possibilities that we are completely unprepared to deal with. This proof-of-concept aims to demonstrate this; while it is intentionally crude and makes no real effort to conceal its operation, the transitions can be made seamless and very difficult to perceive. Very accurate click prediction can be achieved by carefully measuring mouse velocity and distance to destination, too.

tags | exploit, javascript
MD5 | 753f7c9a5e2186e19dff5a73e9ae8583
JavaScript Switcharoo Proof Of Concept 2
Posted Dec 9, 2011
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

Firefox and Opera allow you to omit MIME type in data: URLs, possibly put random garbage into that section, and still get a valid HTML document. This is a natural extension of how the Content-Type header is handled in HTTP, but probably makes little or no sense here. With the use of Unicode homographs, you can create fairly believable URLs especially in Firefox.

tags | exploit, web
MD5 | 0b64bc5e8487abfa6e49c3b0e324b12a
JavaScript Switcharoo Proof Of Concept
Posted Dec 8, 2011
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

It seems that relatively few people realize that holding a JavaScript handle to another window allows the attacker to tamper with the location and history objects at will, largely bypassing the usual SOP controls. With some minimal effort and the help of data: / javascript: URLs or precached pages, this can be leveraged to replace content in a manner that will likely escape even fairly attentive users.

tags | exploit, javascript
MD5 | fbb16e97002e8540980b677c7dab802b
Firefox CSS :visited Proof Of Concept
Posted Dec 3, 2011
Authored by Michal Zalewski | Site lcamtuf.coredump.cx

This code is a proof of concept that demonstrates history extraction in Firefox through non-destructive cache timing.

tags | exploit, proof of concept
systems | linux
MD5 | 40789638dd11c307730257784d663de0
Firefox 3.6.13 pseudo-URL SOP Check Bug
Posted Dec 9, 2010
Authored by Michal Zalewski

Firefox version 3.6.13 fixes an interesting bug in their same-origin policy logic for pseudo-URLs that do not have any inherent origin associated with them.

tags | advisory
MD5 | 8921c58a1c1c81afbc30fa2287b1a1f7
Skipfish Web Application Scanner 1.78b
Posted Nov 23, 2010
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

Changes: Substantial bugs in coverage and security checks were fixed. Multiple feature and stability improvements were made. Differential scanning tools were added.
tags | tool, web, scanner
systems | linux, unix
MD5 | a9f9eef2f860cadcc86e12785dc3057f
Juniper SSL VPN Bypass / Cross Site Scripting
Posted Nov 9, 2010
Authored by Michal Zalewski

This is a list of older cross site scripting and bypass vulnerabilities associated with older Juniper IVE releases.

tags | exploit, vulnerability, xss, bypass
systems | juniper
MD5 | 7a4246773f02b62f12f3b55f5d6a30e8
Skipfish Web Application Scanner 1.52b
Posted Jul 23, 2010
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

Changes: Fixed HTTP read loop after 1.48b.
tags | tool, web, scanner
systems | unix
MD5 | 5ac0a84afa132a5fc302f292c897a954
Safari SOP Bypass / Firefox Address Bar Spoofing
Posted Jun 29, 2010
Authored by Michal Zalewski

Michal Zalewski has noted some interested security bugs with Safari, Firefox and WebKit-based browsers.

tags | advisory
advisories | CVE-2010-0544, CVE-2010-1422, CVE-2010-1206
MD5 | 8449b98eede4be3f1cc45b1df06d73f6
Skipfish Web Application Scanner 1.11b
Posted Mar 22, 2010
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

Changes: Multiple bug fixes and SIGWINCH support.
tags | tool, web, scanner
systems | unix
MD5 | 49b2e116808688c5e52378dfe568c885
Skipfish Web Application Scanner 1.03b
Posted Mar 20, 2010
Authored by Michal Zalewski | Site code.google.com

Skipfish is a fully automated, active web application security reconnaissance tool. It is high speed, has a low false positive rate, and is easy to use.

tags | tool, web, scanner
systems | unix
MD5 | b2a37c1049c03afc8b216e73e3112c39
Page 1 of 5
Back12345Next

File Archive:

September 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    5 Files
  • 2
    Sep 2nd
    5 Files
  • 3
    Sep 3rd
    3 Files
  • 4
    Sep 4th
    13 Files
  • 5
    Sep 5th
    16 Files
  • 6
    Sep 6th
    15 Files
  • 7
    Sep 7th
    20 Files
  • 8
    Sep 8th
    16 Files
  • 9
    Sep 9th
    4 Files
  • 10
    Sep 10th
    2 Files
  • 11
    Sep 11th
    15 Files
  • 12
    Sep 12th
    19 Files
  • 13
    Sep 13th
    20 Files
  • 14
    Sep 14th
    38 Files
  • 15
    Sep 15th
    31 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    7 Files
  • 18
    Sep 18th
    15 Files
  • 19
    Sep 19th
    40 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close