
Files from Amit Klein

Real Name: Amit Klein
Email address: private
First Active: 2004-03-04
Last Active: 2016-02-11
Node.js HTTP Response Splitting
Posted Feb 11, 2016
Authored by Amit Klein

Node.js releases prior to 5.6.0, 4.3.0, 0.12.10 and 0.10.42 suffer from an HTTP response splitting vulnerability; those four versions contain the fix.

tags | exploit, web
advisories | CVE-2016-2216
MD5 | b4347de1f70a4ee9859e0a6f8dcd08bd
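The mechanics of the response splitting described in the Node.js entry, as an added example that is neither Node.js project code nor taken from the advisory. It shows how a CR/LF that reaches a header value turns one HTTP response into two, and a header-value check in the spirit of the fixed releases. The `'latin1'` serialization of headers is this demo's assumption about how a naive server writes them out; the Unicode pair U+010D U+010A is used because it passes a filter that only looks for raw CR/LF and still collapses to 0x0D 0x0A when reduced to one byte per character.

```javascript
// Added example (not Node.js project code, not from the advisory).

// Raw bytes a naive HTTP/1.1 server emits for a redirect whose Location
// header is copied verbatim from request input. Buffer's 'latin1' encoding
// keeps only the low 8 bits of each code point, so U+010D U+010A is written
// as 0x0D 0x0A, i.e. CRLF.
function buildRedirectResponse(location) {
  const head =
    'HTTP/1.1 302 Found\r\n' +
    `Location: ${location}\r\n` +
    'Content-Length: 0\r\n\r\n';
  return Buffer.from(head, 'latin1');
}

// Count response heads in the byte stream; more than one means the client
// will parse a second, attacker-controlled response.
function countResponses(buf) {
  return buf
    .toString('latin1')
    .split('\r\n\r\n')
    .filter((part) => /^HTTP\/1\.[01] \d{3}/.test(part)).length;
}

// Header-value check: allow tab, printable ASCII and Latin-1 (0x80-0xFF);
// reject control characters and anything above 0xFF, which could only be
// serialized by truncation. Simplified; not Node's own validator.
function isSafeHeaderValue(value) {
  for (const ch of value) {
    const cp = ch.codePointAt(0);
    const printable = (cp >= 0x20 && cp <= 0x7e) || (cp >= 0x80 && cp <= 0xff);
    if (cp !== 0x09 && !printable) return false;
  }
  return true;
}

function setLocationSafely(location) {
  if (!isSafeHeaderValue(location)) {
    throw new TypeError('The header content contains invalid characters');
  }
  return buildRedirectResponse(location);
}

// Constructed attacker input: the redirect target, then U+010D U+010A twice
// (becomes CRLF CRLF, ending the first response) and a forged second response.
const MALICIOUS_LOCATION =
  '/home\u010d\u010a\u010d\u010a' +
  'HTTP/1.1 200 OK\u010d\u010a' +
  'Content-Length: 5\u010d\u010a\u010d\u010a' +
  'pwned';

console.log(countResponses(buildRedirectResponse('/home')));            // 1
console.log(countResponses(buildRedirectResponse(MALICIOUS_LOCATION))); // 2
console.log(isSafeHeaderValue(MALICIOUS_LOCATION));                     // false
```

The point of the check is that it validates the string before any encoding decision is made: once the header has been reduced to bytes, the injected CRLF is indistinguishable from a legitimate one.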
VM Detection Via Browsers
Posted Oct 7, 2015
Authored by Amit Klein

In the three browser families researched (Edge, Internet Explorer and Firefox, all on Windows 7 or above), it is possible to extract the frequency of the Windows performance counter using standard HTML and JavaScript. With the Windows performance counter frequency it is possible to remotely detect some virtual machines and to coarsely fingerprint physical machines.

tags | advisory, javascript
systems | windows, 7
MD5 | e1e2a25800808a4566b1f107d28f4ac4
Microsoft IE9 Math.random Vulnerability
Posted Dec 3, 2010
Authored by Amit Klein | Site trusteer.com

The IE9 (platform preview) JavaScript Math.random implementation is vulnerable to seed reconstruction. The seed reveals the computer's boot time (and on Windows 7, also the CPU clock speed). These can be used to fingerprint computers and track users within the same Windows session even if they close and open their IE9 (platform preview) browser multiple times. Interestingly, this technique also provides some information regarding the client hardware (namely the clock source and possibly the CPU clock speed), and may be used to detect virtualized machines "over the web". Additionally, the Math.random implementation is flawed in such a way that it returns non-uniform values (this holds for IE9 beta as well).

tags | advisory, web, javascript
systems | windows, 7
MD5 | dc3a27c47ed6ce29faabb5f4c266ab07
Cross-Domain Information Leakage / Temporary User Tracking In Safari
Posted Nov 23, 2010
Authored by Amit Klein | Site trusteer.com

Apple Safari versions 4.02 through 4.05, and Safari for Windows versions 5.0 through 5.0.2, suffer from cross-domain information leakage and temporary user tracking vulnerabilities.

tags | advisory, vulnerability
systems | windows, apple
MD5 | 28db4d386f23e077633ed5f86b4bd510
Cross-Domain Information Leakage In Firefox
Posted Sep 15, 2010
Authored by Amit Klein | Site trusteer.com

Firefox versions 3.6.4 through 3.6.8, 3.5.10 through 3.5.11 and 4.0 Beta1 suffer from a cross-domain information leakage vulnerability.

tags | advisory
advisories | CVE-2010-3171
MD5 | 73dcee853d65a620493c112d0cabfa02
Google Chrome 3.0 Beta Math.random Vulnerability
Posted Sep 2, 2009
Authored by Amit Klein | Site trusteer.com

The revised Google Chrome Math.random algorithm (included in version 3.0 of Google Chrome) is predictable. This paper describes how Google Chrome 3.0 Math.random's internal state can be reconstructed, how it can be rolled forward and backward, and how (on Windows) the exact seeding time can be extracted.

tags | paper
systems | windows
MD5 | fdb68ab2881cfc3327ad2611ba03816a
Temporary User Tracking
Posted Jun 8, 2009
Authored by Amit Klein | Site trusteer.com

Whitepaper called "Temporary user tracking in major browsers and Cross-domain information leakage and attacks".

tags | paper
MD5 | 9ff8a1a014c0102d1c507359f91e7d15
address-spoof.txt
Posted Oct 27, 2008
Authored by Amit Klein | Site trusteer.com

Address bar spoofing attacks against Microsoft Internet Explorer 6. Due to formatting issues when the paper was sent, additional notes regarding the attacks are appended.

tags | paper, spoof
MD5 | 5bf24bf420c7b4f9d6da416472832ec8
msswi-blog.txt
Posted Apr 28, 2008
Authored by Amit Klein | Site trusteer.com

It appears that Microsoft may have incorrectly stated a few things regarding MS08-020 on its blog and is reluctant to fix them.

tags | advisory
MD5 | 5e1a39dbeaa19feb74181d88d9a056be
Microsoft_Windows_resolver_DNS_cache_poisoning.pdf
Posted Apr 9, 2008
Authored by Amit Klein | Site trusteer.com

This paper shows that Windows DNS stub resolver queries are predictable, i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query, thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables much more effective DNS client poisoning than the currently known attacks against the Windows DNS stub resolver.

tags | paper, udp
systems | windows
MD5 | 9eb4409051bfcd2a72603538ea3fdeb1
PowerDNS_recursor_DNS_Cache_Poisoning.pdf
Posted Apr 1, 2008
Authored by Amit Klein | Site trusteer.com

PowerDNS Recursor versions 3.0 through 3.1.4 suffer from a DNS cache poisoning vulnerability.

tags | paper
MD5 | fa4b275780e8c3c8525b2a691501e68f
OpenBSD_DNS_Cache_Poisoning_and_Multiple_OS_Predictable_IP_ID_Vulnerability.pdf
Posted Feb 6, 2008
Authored by Amit Klein | Site trusteer.com

The paper describes a weakness in the pseudo random number generator (PRNG) in use by OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD to produce random DNS transaction IDs (OpenBSD) and random IP fragmentation IDs.

tags | paper
systems | netbsd, freebsd, openbsd, apple, osx
MD5 | 332befca44ef5d6c54abd8159a3e667c
Windows DNS Cache Poisoning Whitepaper
Posted Nov 14, 2007
Authored by Amit Klein | Site trusteer.com

The paper shows that Microsoft Windows DNS Server outgoing queries are predictable, allowing for cache poisoning attacks.

tags | paper
systems | windows
MD5 | c7dca7c83704ebd8758d6992e6a13942
BIND 8 DNS Cache Poisoning Whitepaper
Posted Aug 28, 2007
Authored by Amit Klein | Site trusteer.com

The paper shows that BIND 8 DNS queries are predictable, allowing for cache poisoning attacks.

tags | paper
MD5 | afa7cbe1cff10408511bad6d1f436a51
bind9forgery.txt
Posted Jul 25, 2007
Authored by Amit Klein

A new weakness has been discovered in the BIND 9 DNS server that allows for DNS forgery (pharming).

tags | paper
MD5 | 5fa6300ec5a825d63b978a0cee207a3b
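The Windows stub resolver, Windows DNS Server, BIND 8 and BIND 9 entries above all rest on the same observation: if the source UDP port and transaction ID of the next outgoing query can be predicted, the off-path attacker's guess space collapses. The following is an added example, not taken from any of those papers, that runs the check a practitioner would want against a capture of their own resolver's queries. It cannot reproduce the papers' per-resolver prediction algorithms (those depend on each implementation's PRNG); instead it applies a crude, stated heuristic: a port counts as known when it never varies, and IDs count as known when they advance by a constant step modulo 2^16. The captures below are constructed.

```javascript
// Added example; not from any of the DNS papers listed above.

// samples: [{ port, txid }, ...] for consecutive outgoing queries.
function analyzeQueries(samples) {
  const ports = new Set(samples.map((s) => s.port));
  const ids = samples.map((s) => s.txid);
  const fixedPort = ports.size === 1;

  // Constant difference between consecutive IDs (mod 2^16) means the next one
  // is known exactly; require at least three samples before concluding that.
  let sequential = ids.length >= 3;
  const step = ids.length >= 2 ? (ids[1] - ids[0]) & 0xffff : 0;
  for (let i = 2; i < ids.length && sequential; i++) {
    if (((ids[i] - ids[i - 1]) & 0xffff) !== step) sequential = false;
  }

  // Heuristic guess space: 1 for a field the attacker knows, 2^16 otherwise.
  const portSpace = fixedPort ? 1 : 65536;
  const idSpace = sequential ? 1 : 65536;
  return {
    fixedPort,
    sequentialIds: sequential,
    step: sequential ? step : null,
    nextTxid: sequential ? (ids[ids.length - 1] + step) & 0xffff : null,
    guessSpace: portSpace * idSpace,
  };
}

// Chance that at least one of k forged replies, each guessing a distinct
// (port, id) pair, matches the next query.
function forgeryProbability(guessSpace, k) {
  return Math.min(1, k / guessSpace);
}

// Constructed capture from a resolver with a fixed port and incrementing IDs.
const WEAK_RESOLVER = [
  { port: 1029, txid: 0x1f00 }, { port: 1029, txid: 0x1f01 }, { port: 1029, txid: 0x1f02 },
  { port: 1029, txid: 0x1f03 }, { port: 1029, txid: 0x1f04 },
];

// Constructed capture from a resolver that randomizes both fields.
const RANDOM_RESOLVER = [
  { port: 50211, txid: 0x9a3c }, { port: 61007, txid: 0x0417 }, { port: 33842, txid: 0xe3b1 },
  { port: 57390, txid: 0x5d02 }, { port: 40196, txid: 0xb7f9 },
];

console.log(analyzeQueries(WEAK_RESOLVER));   // guessSpace 1, nextTxid 0x1f05
console.log(analyzeQueries(RANDOM_RESOLVER)); // guessSpace 4294967296
console.log(forgeryProbability(4294967296, 65536)); // 1/65536
```

Five samples are enough to flag the obviously broken case; a resolver whose IDs pass this test can still be predictable in the ways the papers describe, so a clean result here is a necessary condition, not proof of randomness.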
HeaderFlash.txt
Posted Aug 27, 2006
Authored by Amit Klein

Formal write-up discussing how arbitrary HTTP requests can be crafted using Flash 7/8 with Internet Explorer.

tags | paper, web, arbitrary
MD5 | 211b836130d25cc1e62f50c3f63cdcdb
flashTheft.txt
Posted Aug 27, 2006
Authored by Amit Klein

By forging HTTP request headers with Flash, virtual hosted systems can be susceptible to cookie theft when using Internet Explorer.

tags | advisory, web
MD5 | 2777e8c2e5632edcfbb7a1ec727cf509
Forge-Amit.txt
Posted Jul 26, 2006
Authored by Amit Klein

Whitepaper titled "Forging HTTP Request Headers With Flash".

tags | paper, web
MD5 | 6b97464da5cf5a4ea42215c97ec35944
httpResponseSmuggle.txt
Posted Feb 25, 2006
Authored by Amit Klein

Whitepaper entitled "HTTP Response Smuggling". It discusses evasion techniques to bypass anti-HTTP response splitting strategies.

tags | paper, web
MD5 | 028a2ccfa04710b1e9b0329c14a9e4ee
xmlhttpRequestpaper.txt
Posted Sep 26, 2005
Authored by Amit Klein

Whitepaper entitled "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more."

tags | paper, spoof
MD5 | b35c1b9ca1f4d300051b8c530d0e19d0
httpsplit.txt
Posted Aug 17, 2005
Authored by Amit Klein

This technical note describes a detection/prevention technique that works in many cases both with HTTP Response Splitting and with HTTP Request Smuggling.

tags | paper, web
MD5 | 6dd02db0137701d3c42986ed49b1c661
NTLMhttp.txt
Posted Jul 19, 2005
Authored by Amit Klein

Interesting write-up regarding the faulty logic of using NTLM HTTP authentication and how it does not mix well with HTTP proxies.

tags | paper, web
MD5 | 0da67587751762cebd0c64d797eaf2ef
022805.txt
Posted Mar 1, 2005
Authored by Amit Klein | Site webappsec.org

This paper describes several techniques for exposing file contents using a site's search functionality. It is assumed that the site contains documents which are not visible or accessible to external users; such documents are typically future PR items or future security advisories, uploaded to the website beforehand. However, the site is also searchable via an internal search facility which does have access to those documents, and which indexed them not via web crawling but via direct access to the files. Therein lies the security breach.

tags | paper, web
MD5 | 87eb98b564a55d22d12c7b83e9641965
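The breach described in the entry above, as an added example that is not from the paper: a toy site search that indexes files straight from disk, unpublished ones included, becomes an oracle for their contents. A phrase search answers "does this phrase occur somewhere?", and an attacker who knows any phrase likely to appear in the hidden file extends it one character at a time until the text runs out. The documents are constructed, and the substring-match semantics are the toy's assumption about the search engine; the extraction loop is the generic oracle technique, not the paper's specific methods.

```javascript
// Added example, not from the paper. Documents are constructed.
const DOCUMENTS = [
  { path: '/press/widget-launch.html', published: true,
    text: 'acme launches its new widget line today.' },
  { path: '/press/draft-advisory.html', published: false,
    text: 'embargoed: acme widget server allows remote code execution via a crafted request.' },
];

// Search as deployed: every indexed file is matched, linked or not.
function naiveSearch(phrase, docs = DOCUMENTS) {
  return docs.filter((d) => d.text.includes(phrase)).map((d) => d.path);
}

// Hardened: the index only answers for documents that are actually published,
// i.e. the search is subject to the same access rule as the web server.
function hardenedSearch(phrase, docs = DOCUMENTS) {
  return docs.filter((d) => d.published && d.text.includes(phrase)).map((d) => d.path);
}

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz .,:';

// Grow a known seed phrase: try each character, keep the first extension the
// search still finds, stop when none does. Each step costs |ALPHABET| queries.
function extractAfter(seed, search, maxLen = 200) {
  let phrase = seed;
  while (phrase.length < maxLen) {
    const next = [...ALPHABET].find((c) => search(phrase + c).length > 0);
    if (next === undefined) break;
    phrase += next;
  }
  return phrase;
}

console.log(naiveSearch('embargoed'));               // [ '/press/draft-advisory.html' ]
console.log(extractAfter('allows', naiveSearch));    // the rest of the draft, verbatim
console.log(extractAfter('allows', hardenedSearch)); // 'allows' (nothing leaks)
```

Note that the leak does not require the search to display snippets; a hit/no-hit answer (or even a different response time) is enough for the loop above. The fix is an access decision inside the search, not a smaller result page.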
iis5x60.txt
Posted Oct 13, 2004
Authored by Amit Klein, Ory Segal aka Watchfire

Microsoft IIS 5.x and 6.0 suffer from a denial of service vulnerability regarding the WebDAV XML parser. An attacker can craft a malicious WebDAV PROPFIND request, which uses XML attributes in a way that inflicts a denial of service condition on the target machine (IIS web server). The result of this attack is that the XML parser consumes all the CPU resources for a long period of time (from seconds to minutes, depending on the size of the payload).

tags | advisory, web, denial of service
MD5 | d636fbfbfd62a943037a1b53f5ac87d5
xercesAmit.txt
Posted Oct 13, 2004
Authored by Amit Klein

Xerces-C++ versions below 2.6.0 allow an attacker to craft a malicious XML document using XML attributes in a way that inflicts a denial of service condition on the target machine.

tags | advisory, denial of service
MD5 | cc1cf7946f46578c9b750ee4474e0a29
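An added example for the IIS WebDAV and Xerces-C++ entries above; it is not from either advisory. It shows the cost model behind an attribute-heavy PROPFIND body when a parser checks attribute uniqueness by comparing each new attribute with every earlier one (that quadratic mechanism is this example's assumption, chosen because it makes the CPU cost visible), the linear alternative, and the guard a WebDAV front end can apply before any XML is parsed. The request body is constructed, and the size and attribute limits are this example's choices.

```javascript
// Added example, not from either advisory.

// Constructed PROPFIND body with attrCount distinct attributes on the root element.
function buildPropfindBody(attrCount) {
  let attrs = '';
  for (let i = 0; i < attrCount; i++) attrs += ` a${i}="x"`;
  return `<?xml version="1.0"?><D:propfind xmlns:D="DAV:"${attrs}><D:allprop/></D:propfind>`;
}

// Toy scanner: return the attribute names on the root element's start tag.
// (Not a real XML parser; it only handles double-quoted values.)
function rootAttributeNames(xml) {
  const body = xml.replace(/^\s*<\?xml[^>]*\?>/, '');
  const start = body.indexOf('<');
  const end = body.indexOf('>', start);
  if (start < 0 || end < 0) throw new Error('no root element');
  const tag = body.slice(start + 1, end);
  const names = [];
  const re = /\s+([A-Za-z_:][\w:.-]*)="[^"]*"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// Uniqueness check that compares each name against all earlier names:
// work grows with the square of the attribute count. Returns the comparison count.
function quadraticDuplicateCheck(names) {
  let comparisons = 0;
  for (let i = 0; i < names.length; i++) {
    for (let j = 0; j < i; j++) {
      comparisons++;
      if (names[j] === names[i]) throw new Error(`duplicate attribute ${names[i]}`);
    }
  }
  return comparisons;
}

// Same check with a hash set: one lookup per attribute. Returns the distinct count.
function linearDuplicateCheck(names) {
  const seen = new Set();
  for (const n of names) {
    if (seen.has(n)) throw new Error(`duplicate attribute ${n}`);
    seen.add(n);
  }
  return seen.size;
}

// Limits enforced before parsing; the values are this example's choices.
const MAX_BODY_BYTES = 64 * 1024;
const MAX_ATTRIBUTES = 256;

function parsePropfind(body) {
  if (Buffer.byteLength(body, 'utf8') > MAX_BODY_BYTES) throw new Error('body too large');
  const names = rootAttributeNames(body);
  if (names.length > MAX_ATTRIBUTES) throw new Error('too many attributes');
  return linearDuplicateCheck(names);
}

const names = rootAttributeNames(buildPropfindBody(2000));
console.log(quadraticDuplicateCheck(names), linearDuplicateCheck(names)); // 2001000 2001
console.log(parsePropfind(buildPropfindBody(10)));                        // 11
```

Doubling the attribute count quadruples the comparisons in the first checker and merely doubles the lookups in the second; the request limits keep even the quadratic parser off the critical path, which is the practical mitigation when the parser itself cannot be replaced.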

© 2016 Packet Storm. All rights reserved.