This paper describes in detail the exploitation of the libc locale format string vulnerability on Solaris/SPARC. The full source code for the exploit is presented and some details of the implementation are discussed.
7b17fe99c5995c3700f946e8abe827d958a46295cd8e9068e1a590b08b7ef993
This paper describes a vulnerability in several implementations of the Secure Hash Algorithm 3 (SHA-3) that have been released by its designers. The vulnerability has been present since the final-round update of Keccak was submitted to the National Institute of Standards and Technology (NIST) SHA-3 hash function competition in January 2011, and is present in the eXtended Keccak Code Package (XKCP) of the Keccak team. It affects all software projects that have integrated this code, such as the scripting languages Python and PHP Hypertext Preprocessor (PHP). The vulnerability is a buffer overflow that allows attacker-controlled values to be eXclusive-ORed (XORed) into memory (without any restrictions on values to be XORed and even far beyond the location of the original buffer), thereby making many standard protection measures against buffer overflows (e.g., canary values) completely ineffective.
e5ce94c802fc96b96a37593074295283819a7abf859a04a1c1cbfcdb566dcdb1
This paper describes an attack which can lead to Windows credentials theft, affecting the default configuration of the most popular browser in the world today, Google Chrome, as well as all Windows versions supporting it.
88f2619b5a29a05dfc2991bd8091e6af81c3ee03407380cea432941cad18af7a
This paper describes the results of the research conducted by SEC Consult Vulnerability Lab on the security of McAfee Application Control. This product is an example of an application whitelisting solution which can be used to further harden critical systems such as server systems in SCADA environments or client systems with high security requirements like administrative workstations. Application whitelisting is a concept which works by whitelisting all installed software on a system and after that prevent the execution of not whitelisted software. This should prevent the execution of malware and therefore protect against advanced persistent threat (APT) attacks. McAfee Application Control is an example of such a software. It can be installed on any system, however, the main field of application is the protection of highly critical infrastructures. While the core feature of the product is application whitelisting, it also supports additional security features including write and read protection as well as different memory corruption protections.
447953aeb8d3c594011048fcd1518b83478ae1bf8164d0159859893f8caa6b18
This paper describes some of the common problems faced in biometrics and possible solutions to these problems.
1e2342519676a56045378295699ec80a758236ce205376eff99f6166e1ce8163
This paper describes the PE (Portable Executable) file format used by Windows executables (.exe), dynamic link libraries (.dll) and other files: system drivers or ActiveX controls. It is written in Romanian.
a2646c777b4db6e736b6d280dbe7880941e981053a622f50cc9a96c813f0425e
This paper describes a pre-auth server-side NULL pointer dereference vulnerability in Call Of Duty: Modern Warfare 3, which is due to an issue related to the DemonWare6 query packets. This vulnerability can be exploited to perform Denial of Service (DoS) attacks against game servers.
1db66d6df1c094eebc40c0809e56c80069be073ae8a823feafea42632a3104da
This paper describes an attack of the iterated use of hashing functions used as key stretching algorithms where the state of a hash can be transferred to the next hash function.
52f96766730e53dd9b718a0a0d0d999d36d38002c0a17023db1db12a5d4196c7
Whitepaper called Indexed Blind SQL Injection. Time based blind SQL attacks suffer from low bit/request ratios. Each request produces only one valuable bit of information. This paper describes a tweak that produces higher yield at the expense of a longer runtime. Along the way, some issues and notes of applicability are also discussed.
84e74daa46ea6185f1c1f4ee9764bc2315f2a4cf39e46f8dfcea99039a5ecb21
This paper describes the results of a thorough examination of Sophos Antivirus internals. The author presents a technical analysis of claims made by the vendor, and publishes the tools and reference material required to reproduce their results. Furthermore, they examine the product from the perspective of a vulnerability researcher, exploring the rich attack surface exposed, and demonstrating weaknesses and vulnerabilities.
57ecb0848e5b99ef5678dc00d7aabb2718195a8bb23f387f2d5ff429df854455
This paper describes the basic process of using the proxmark3 to clone Proxcards and then introduces ProxBrute, a new tool for brute forcing valid proxcard values.
2d0fd9f79fb7dbb051b1d0d095dea1dd28993622fb07d852518c7f7100181d3b
The revised Google Chrome Math.random algorithm (included in version 3.0 of Google Chrome) is predictable. This paper describes how Google Chrome 3.0 Math.random's internal state can be reconstructed, and how it can be rolled forward and backward, and how (in Windows) the exact seeding time can be extracted.
7b9c83dd2e7273c2190b761a57b11ae0110031308ec5b9aabd23733fed32ae97
Whitepaper called Cisco IOS Router Exploitation. This paper describes the challenges with the exploitation of memory corruption software vulnerabilities in Cisco IOS. The goal is to map out the problem space in order to allow for the anticipation of developments in the future, as current research suggests that exploitation of such vulnerabilities in the wild is not currently the case. By understanding the challenges that an attacker faces, defensive strategies can be better planned, a required evolution with the current state of Cisco IOS router networks.
c8f425e5b59d8610a92403e4d24fbd0a74109b64e2b2600c739f8f66b44a6701
This paper describes a practical attack against the protocol used by SAP for client server communication. The purpose of this paper is to clarify the fact that the protocol does not sufficiently protect sensitive information like user names and passwords.
f6435814e3afad6ebb4262a9c614cacd418277717cf925da94343a17ae06aa57
For My Next Trick: Client-Side Hacking - This paper describes numerous techniques for attacking Clients-side technologies. The content of the paper is based the research that has been conducted over past year by the GNUCITIZEN Ethical Hacker Outfit.
5114d549b8788fd32a3a932d6dc7a62491c96edcf00a8827b0992a195405db27
This paper describes how to detect Honeypots / Honeywalls by using hping to send an ICMP packet containing shellcode and analyzing the response.
9239f109f0a37a9b7bfba5c3af51feee113b633f86cd3cd17248aa31a91adb27
Detecting the Presence of Virtual Machines Using the Local Data Table - This paper describes a method for determining the presence of virtual machine emulation in a non-privileged operating environment. This attack is useful for triggering anti-virtualization attacks and evading analysis.
48ac374b43d646206bf8a59b9cc0aed6ac19a76791acaea176314b493393c68e
Story of a dumb patch - This paper describes a mistake made by Microsoft in patch MS05-018 where Microsoft failed to properly fix a vulnerability having to release a new patch MS05-049. Hopefully this paper will open the eyes of software vendors to not repeat these kind of mistakes.
a79eb3b5aa2f5d80efad97626f1bd81b439fa096671c52ff737b3558b91a75e0
This paper describes an attempt to write Win32 shellcode that is as small as possible, to perform a common task subject to reasonable constraints. The solution presented implements a bindshell in 191 bytes of null-free code, and outlines some general ideas for writing small shellcode.
a4631261a3729136f9d6a5d804e1c7cdf1a8baf9350860bdca03b63296b139a2
This paper describes several techniques for exposing file contents using the site search functionality. It is assumed that a site contains documents which are not visible/accessible to external users. Such documents are typically future PR items, or future security advisories, uploaded to the website beforehand. However, the site is also searchable via an internal search facility, which does have access to those documents, and as such, they are indexed by it not via web crawling, but rather, via direct access to the files. Therein lies the security breach.
95d07a72940beb4eb7d8ef7e8dce89e68ae8dd623e9569d62e531063c6e241f1
Advanced Cross-Site-Scripting with Real-time Remote Attacker Control - Some people think XSS attacks are no big deal, but I plan to change that perception with the release of this paper and an accompanying tool called XSS-Proxy which allows XSS attacks to be fully controlled by a remote attacker. This paper describes current XSS attacks and introduces new methods/tool for making XSS attacks interactive, bi-directional, persistent and much more evil. This is not a detailed XSS HowTo, but an explanation of methods for taking XSS attacks much further. Attackers can access sites as the victim or forward specific blind requests to other servers.
8f3f833faade0f8c6add6576e39ff2be36df99d31657b8eb6613799fa7945aa6
This paper describes a Blind XPath Injection attack that enables an attacker to extract a complete XML document used for XPath querying, without prior knowledge of the XPath query.
007c04289ec7cfd707f78efcc1903cb5ebf8636ba697af09bdef3416f86c5cbb
Analysis of an Electronic Voting System - This paper describes several security flaws in Diebold electronic voting machines. Voters may be able to cast multiple ballots with little built in traceability, administrative functions can be performed by regular voters, and inside poll workers, software developers, and janitors can rig the vote. The smart card system is insecure and uses plaintext passwords. The code appears unaudited and there is no ability to do a paper recount.
4195f132bcaecb86b41e4710a96c5bfb1819b0c3bcee08b19876dba8e2cfdd2e
One Byte Frame Pointer Overwrite Hardcoded Exploits - This paper describes how to exploit overflows which are off by only one byte. Includes sample code.
003c664e2339c4874046201145c181f17ebdd3ea4be562a3990168bb8426da4e
This paper describes FILE stream overflow vulnerabilities and illustrates how they can be exploited. The author uses a FILE stream overflow in dvips as a case study.
1ba52e016c0392136d39eef96e00aa376e076ea025a6eab55d090bf725634635
Rights Amplification in Master-Keyed Mechanical Locks - This paper describes a relatively unknown procedure for obtaining a master key if given access to a tumbler based master keyed lock and any low level key in the system. No special skill or equipment beyond a small number of blank keys and a file is needed, and the attacker does not need to engage in any suspicious behavior at the locks location. Countermeasures are described with provide limited protection under certain circumstances.
562ab51f68cdb767a008ead12ba2e6dff9f5b95fde08373041067c0cc80dbfa9