‘
‘
‘Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device’s firmware.
‘Thomas Duebendorfer Google Switzerland GmbH and Stefan Frei Communication Systems Group, ETH Zurich, Switzerland looked into the performance of Web browser update mechanisms. The analysis of anonymized Google Web server logs allowed us to compare and rank the update strategies deployed by Google Chrome, Mozilla Firefox, Apple Safari, and Opera.
We recommend any software vendor to seriously consider deploying silent updates as this benefits both the vendor and the user, especially for widely used attack-exposed applications like Web browsers and browser plug-ins.’
‘
‘This paper assumes you have read the proper background information and/or technical details about the above subject. If not, please do so, because this read does not include key concepts but instead technical exploitation examples. That being said, enjoy. Knowledge is power.’
‘This paper assumes you have read the proper background information and/or technical details about the above subject. If not, please do so, because this read does not include key concepts but instead technical exploitation examples. That being said, enjoy. Knowledge is power.’
‘
* Linksys WRT160N
* D-Link DIR-615
* Belkin F5D8233-4v3
* ActionTec MI424-WR’
‘
‘
‘
‘The Windows DNS stub resolver is a Windows service used by Windows desktop software to resolve DNS names into IP addresses. The DNS stub resolver forwards DNS queries to the DNS server configured for the workstation (or server) and returns the DNS server s response to the requesting software.
This paper shows that Windows DNS stub resolver queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the ‘next’ query, thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS client poisoning than the currently known attacks against Windows DNS stub resolver.’
‘
‘
‘For those researchers who are interested in the driver security and also for driver writers, the paper ‘Exploiting WDM Audio Drivers’ has been released.
The paper also covers the interesting case of es1371mp.sys, a vulnerable WDM driver that can be automatically installed through Windows Update, on systems with Ensoniq PCI 1371 based SoundCards (Certain VMware products emulate a soundcard of this type).’
‘
‘
‘The pseudo-random number generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudo-randomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published.
We examined the binary code of a distribution of Windows 2000, which is still the second most popular operating system after Windows XP. (This investigation was done without any help from Microsoft.) We reconstructed, for the first time, the algorithm used by the pseudo-random number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a non-trivial attack: given the internal state of the generator, the previous state can be computed in $O(2^{23})$ work (this is an attack on the forward-security of the generator, an $O(1)$ attack on backward security is trivial). The attack on forward-security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks.
We also analyzed the way in which the generator is run by the operating system, and found that it amplifies the effect of the attacks: The generator is run in user mode rather than in kernel mode, and therefore it is easy to access its state even without administrator privileges. The initial values of part of the state of the generator are not set explicitly, but rather are defined by whatever values are present on the stack when the generator is called.Furthermore, each process runs a different copy of the generator, and the state of the generator is refreshed with system generated entropy only after generating 128 KBytes of output for the process running it. The result of combining this observation with our attack is that learning a single state may reveal 128 Kbytes of the past and future output of the generator.
‘