This paper describes a technique for tracing anonymous attacks in the Internet back to their source. This work is motivated by the increased frequency and sophistication of denial-of-service attacks and by the difficulty in tracing packets with incorrect, or "spoofed", source addresses. In this paper we describe a general purpose traceback mechanism based on probabilistic packet marking in the network. Our approach allows a victim to identify the network path(s) traversed by an attacker without requiring interactive operational support from Internet Service Providers (ISPs). Moreover, this traceback can be performed "post-mortem" -- after an attack has completed. We present one implementation of this technology that is incrementally deployable, (mostly) backwards compatible and can be efficiently implemented using conventional technology. In pdf and postscript format.
bb7e781a8fbc104cfd9119ecf7c8caf54c5aab786c654c2d11dd9b87b1c48922
This Metasploit module exploits a vulnerability in the FOLD command of the University of Washington ipop2d service. By specifying an arbitrary folder name it is possible to retrieve any file which is world or group readable by the user ID of the POP account. This vulnerability can only be exploited with a valid username and password. The From address is the file owner.
7540a17d98340b14edeee62ac93a3bf6146e98410f1e14f88e1b224d7393b12f
This paper describes a vulnerability in several implementations of the Secure Hash Algorithm 3 (SHA-3) that have been released by its designers. The vulnerability has been present since the final-round update of Keccak was submitted to the National Institute of Standards and Technology (NIST) SHA-3 hash function competition in January 2011, and is present in the eXtended Keccak Code Package (XKCP) of the Keccak team. It affects all software projects that have integrated this code, such as the scripting languages Python and PHP Hypertext Preprocessor (PHP). The vulnerability is a buffer overflow that allows attacker-controlled values to be eXclusive-ORed (XORed) into memory (without any restrictions on values to be XORed and even far beyond the location of the original buffer), thereby making many standard protection measures against buffer overflows (e.g., canary values) completely ineffective.
e5ce94c802fc96b96a37593074295283819a7abf859a04a1c1cbfcdb566dcdb1
uWSGI versions prior to 2.0.17 suffer from a directory traversal vulnerability.
e81a441330bd530dd0585c2f6ab174487c8c91e27174f850328ee26d1e4db873
This paper describes an attack which can lead to Windows credentials theft, affecting the default configuration of the most popular browser in the world today, Google Chrome, as well as all Windows versions supporting it.
88f2619b5a29a05dfc2991bd8091e6af81c3ee03407380cea432941cad18af7a
This paper describes the results of the research conducted by SEC Consult Vulnerability Lab on the security of McAfee Application Control. This product is an example of an application whitelisting solution which can be used to further harden critical systems such as server systems in SCADA environments or client systems with high security requirements like administrative workstations. Application whitelisting is a concept which works by whitelisting all installed software on a system and then preventing the execution of any software that is not whitelisted. This should prevent the execution of malware and therefore protect against advanced persistent threat (APT) attacks. McAfee Application Control is an example of such software. It can be installed on any system; however, its main field of application is the protection of highly critical infrastructures. While the core feature of the product is application whitelisting, it also supports additional security features including write and read protection as well as different memory corruption protections.
447953aeb8d3c594011048fcd1518b83478ae1bf8164d0159859893f8caa6b18
This paper describes some of the common problems faced in biometrics and possible solutions to these problems.
1e2342519676a56045378295699ec80a758236ce205376eff99f6166e1ce8163
This paper describes the PE (Portable Executable) file format used by Windows executables (.exe), dynamic link libraries (.dll) and other files: system drivers or ActiveX controls. It is written in Romanian.
a2646c777b4db6e736b6d280dbe7880941e981053a622f50cc9a96c813f0425e
This paper describes a pre-auth server-side NULL pointer dereference vulnerability in Call Of Duty: Modern Warfare 3, which is due to an issue related to the DemonWare6 query packets. This vulnerability can be exploited to perform Denial of Service (DoS) attacks against game servers.
1db66d6df1c094eebc40c0809e56c80069be073ae8a823feafea42632a3104da
The University of Wisconsin suffers from a cross site scripting vulnerability on commarts.wisc.edu.
3c9dbcba637bf78582ce1f17faef4824ab22c796a14ea0dec8e3fac15a409641
This paper describes an attack on the iterated use of hash functions as key stretching algorithms, where the state of one hash computation can be transferred to the next hash function.
52f96766730e53dd9b718a0a0d0d999d36d38002c0a17023db1db12a5d4196c7
Whitepaper called Indexed Blind SQL Injection. Time based blind SQL attacks suffer from low bit/request ratios. Each request produces only one valuable bit of information. This paper describes a tweak that produces higher yield at the expense of a longer runtime. Along the way, some issues and notes of applicability are also discussed.
84e74daa46ea6185f1c1f4ee9764bc2315f2a4cf39e46f8dfcea99039a5ecb21
This paper describes the results of a thorough examination of Sophos Antivirus internals. The author presents a technical analysis of claims made by the vendor, and publishes the tools and reference material required to reproduce their results. Furthermore, they examine the product from the perspective of a vulnerability researcher, exploring the rich attack surface exposed, and demonstrating weaknesses and vulnerabilities.
57ecb0848e5b99ef5678dc00d7aabb2718195a8bb23f387f2d5ff429df854455
This paper describes the basic process of using the proxmark3 to clone Proxcards and then introduces ProxBrute, a new tool for brute forcing valid proxcard values.
2d0fd9f79fb7dbb051b1d0d095dea1dd28993622fb07d852518c7f7100181d3b
uwss is a web security scanner and used for testing security holes in web applications. It can act as a fuzzer whose objective is to probe the application with various crafted attack strings. uwss is built upon a modular concept.
f5889f915e9116c5d6e219bc6ac51f19112545db98937dc7898dbe14386f4937
The revised Google Chrome Math.random algorithm (included in version 3.0 of Google Chrome) is predictable. This paper describes how the internal state of Google Chrome 3.0's Math.random can be reconstructed, how it can be rolled forward and backward, and how (on Windows) the exact seeding time can be extracted.
7b9c83dd2e7273c2190b761a57b11ae0110031308ec5b9aabd23733fed32ae97
Whitepaper called Cisco IOS Router Exploitation. This paper describes the challenges with the exploitation of memory corruption software vulnerabilities in Cisco IOS. The goal is to map out the problem space in order to anticipate future developments, since current research suggests that such vulnerabilities are not yet being exploited in the wild. By understanding the challenges that an attacker faces, defensive strategies can be better planned, an evolution that the current state of Cisco IOS router networks requires.
c8f425e5b59d8610a92403e4d24fbd0a74109b64e2b2600c739f8f66b44a6701
uwss is a web security scanner and used for testing security holes in web applications. It can act as a fuzzer whose objective is to probe the application with various crafted attack strings. uwss is built upon a modular concept.
13057a6d9a4ce6617d07316cf3ac864b76984cb10985c54168293dbc49851d8a
This paper describes a practical attack against the protocol used by SAP for client server communication. The purpose of this paper is to clarify the fact that the protocol does not sufficiently protect sensitive information like user names and passwords.
f6435814e3afad6ebb4262a9c614cacd418277717cf925da94343a17ae06aa57
University of Washington IMAP c-client remote format string exploit.
93eb11e4dbaeefc8680706f86bafaf2e85fd7a33490442a5902f564abe43e571
For My Next Trick: Client-Side Hacking - This paper describes numerous techniques for attacking client-side technologies. The content of the paper is based on the research that has been conducted over the past year by the GNUCITIZEN Ethical Hacker Outfit.
5114d549b8788fd32a3a932d6dc7a62491c96edcf00a8827b0992a195405db27
This paper describes how to detect Honeypots / Honeywalls by using hping to send an ICMP packet containing shellcode and analyzing the response.
9239f109f0a37a9b7bfba5c3af51feee113b633f86cd3cd17248aa31a91adb27
Detecting the Presence of Virtual Machines Using the Local Data Table - This paper describes a method for determining the presence of virtual machine emulation in a non-privileged operating environment. This attack is useful for triggering anti-virtualization attacks and evading analysis.
48ac374b43d646206bf8a59b9cc0aed6ac19a76791acaea176314b493393c68e
Story of a dumb patch - This paper describes a mistake made by Microsoft in patch MS05-018, where Microsoft failed to properly fix a vulnerability and had to release a new patch, MS05-049. Hopefully this paper will open the eyes of software vendors so that they do not repeat this kind of mistake.
a79eb3b5aa2f5d80efad97626f1bd81b439fa096671c52ff737b3558b91a75e0
This paper describes an attempt to write Win32 shellcode that is as small as possible, to perform a common task subject to reasonable constraints. The solution presented implements a bindshell in 191 bytes of null-free code, and outlines some general ideas for writing small shellcode.
a4631261a3729136f9d6a5d804e1c7cdf1a8baf9350860bdca03b63296b139a2
This paper describes several techniques for exposing file contents using the site search functionality. It is assumed that a site contains documents which are not visible/accessible to external users. Such documents are typically future PR items, or future security advisories, uploaded to the website beforehand. However, the site is also searchable via an internal search facility, which does have access to those documents, and as such, they are indexed by it not via web crawling, but rather, via direct access to the files. Therein lies the security breach.
95d07a72940beb4eb7d8ef7e8dce89e68ae8dd623e9569d62e531063c6e241f1