‘Biologger – A Biometric Keylogger’

In the paper linked at the end, IRM realized a proof-of-concept implementation of a biometric keylogger, or ‘Biologger’. ‘While conventional keyloggers are typically used to obtain passwords or encryption keys to circumvent specific security measures, IRM’s Biologger will aim to capture biometric-related data between a biometric device and other processing units, to be used and exploited in a number of potential attack vectors against the biometric system, such as manipulation of biometric data and control signals, as per traditional man-in-the-middle attacks.’

Read More »

‘Having Fun with Sensor Appliance Proventia GX5108 and GX5008 Insecurities (Part One)’

‘Several security vulnerabilities have been found in ISS’s Proventia appliance. These vulnerabilities allow remote attackers to exploit cross-site scripting vulnerabilities in its user interface, cause the PHP scripts running on the server to include remote files and, due to the use of an old OpenSSH (running in compatibility mode), brute force usernames and passwords with a timing attack.’

Read More »

‘Buffer Truncation Abuse in Microsoft SQL Server Based Applications’

‘This paper is designed to document an attack technique Sec-1 recently adopted during the course of their application assessments. The basic principle of this technique has existed for some time; however, we hope this paper will provide an insight into how a variation of the technique can be adopted to attack common forgotten-password functionality within web applications.

The document is split into two sections. The first section covers the principles of the technique and the second is an attack case study against a commercial application (Removed in this release).’

Read More »

‘Cisco IOS Exploitation Techniques Paper’

‘It has been more than a year since Michael Lynn first demonstrated a reliable code execution exploit on Cisco IOS at Black Hat 2005. Although his presentation received a lot of media coverage in the security community, very little is known about the attack and the technical details surrounding the IOS check_heaps() vulnerability. This paper is a result of research carried out by IRM to analyse and understand the check_heaps() attack and its impact on similar embedded devices. Furthermore, it also helps developers understand security-specific issues in embedded environments and develop mitigation strategies for similar vulnerabilities. The paper primarily focuses on the techniques developed for bypassing the check_heaps() process, which has traditionally prevented reliable exploitation of memory-based overflows on the IOS platform. Using inbuilt IOS commands, memory dumps and open source tools IRM was able to recreate the vulnerability in a lab environment. The paper is divided into three sections, which cover the ICMPv6 source-link attack vector, IOS Operating System internals, and finally the analysis of the attack itself.’

Read More »

‘Manipulating FTP Clients Using the PASV Command’

‘This paper discusses a common implementation flaw in the File Transfer Protocol (FTP). Several popular FTP clients are affected, including web browsers. Some proof-of-concept code is presented to demonstrate how the vulnerability can be used to extend existing JavaScript-based port scans. Finally, some consideration is given to other ways in which this flaw could present a security risk to other FTP clients.’

Read More »
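The flaw the paper describes rests on the client trusting the address in the server’s PASV reply. As an added example (not code from the paper or from any of the affected clients), the following parses a 227 reply and applies the check a client needs: the data connection must go back to the host that owns the control connection. The sample replies are constructed, and the refusal of ports below 1024 is an extra, optional policy of this example rather than something the paper prescribes.

```python
import re

# Matches "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the looser
# variants real servers send (different wording, missing parentheses).
PASV_RE = re.compile(r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv_reply(reply):
    """Return (ip, port) from a PASV reply, or raise ValueError if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if max(fields) > 255:
        raise ValueError("PASV field out of range: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def check_pasv_target(reply, control_peer_ip, min_port=1024):
    """Decide whether a client should open the data connection the server asked for.

    Returns (ok, ip, port, reason). The essential check is that the data
    connection goes back to the control-connection peer, so a hostile server
    cannot bounce the client onto arbitrary hosts and ports. Refusing ports
    below min_port is an additional policy assumed by this example.
    """
    ip, port = parse_pasv_reply(reply)
    if ip != control_peer_ip:
        return False, ip, port, "PASV address %s is not the control peer %s" % (ip, control_peer_ip)
    if port < min_port:
        return False, ip, port, "PASV port %d is below %d" % (port, min_port)
    return True, ip, port, "ok"


if __name__ == "__main__":
    # Constructed replies: one from a well-behaved server, one from a server
    # that tries to bounce the client onto an internal SSH port.
    peer = "203.0.113.10"
    for reply in ("227 Entering Passive Mode (203,0,113,10,195,80)",
                  "227 Entering Passive Mode (10,0,0,5,0,22)"):
        ok, ip, port, why = check_pasv_target(reply, peer)
        print("%-48s -> %s:%d %s (%s)" % (reply, ip, port, "ACCEPT" if ok else "REJECT", why))
```

A client that always connects to the control peer and only takes the port from the reply removes the bounce entirely; the check above keeps the reply’s address so that a mismatch can be logged as evidence of a hostile server.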

‘Phinding Phish: An Evaluation of Anti-Phishing Toolbars’

‘There are currently dozens of freely available tools to help combat phishing and other web-based scams. Many of these tools come in the form of web browser extensions that warn users when they are browsing a suspected phishing site. We used verified phishing URLs and legitimate URLs to test the effectiveness of 10 popular anti-phishing toolbars. Overall, we found that the anti-phishing toolbars that were examined in this study left a lot to be desired. SpoofGuard did a very good job at identifying fraudulent sites, but it also incorrectly identified a large fraction of legitimate sites as fraudulent. EarthLink, Google, Netcraft, Cloudmark, and Internet Explorer 7 identified most fraudulent sites correctly and had few, if any, false positives, but they still missed more than 15% of fraudulent sites. The TrustWatch, eBay, and Netscape 8 toolbars could correctly identify less than half the fraudulent sites, and McAfee SiteAdvisor did not correctly identify any fraudulent sites. Many of the toolbars we tested were vulnerable to some simple exploits as well. In this paper we describe the anti-phishing toolbar test bed we developed, summarize our findings, and offer observations about the usability and overall effectiveness of these toolbars. Finally, we suggest ways to improve anti-phishing toolbars.’

Read More »

‘New Report on Teredo Security’

‘Teredo is a platform-independent protocol developed by Microsoft, which is enabled by default in Windows Vista. Teredo provides a way for nodes located behind an IPv4 NAT to connect to IPv6 nodes on the Internet. However, by tunneling IPv6 traffic over IPv4 UDP through the NAT and directly to the end node, Teredo raises some security concerns. Primary concerns include bypassing security controls, reducing defense in depth, and allowing unsolicited traffic. Additional security concerns associated with the use of Teredo include the capability of remote nodes to open the NAT for themselves, benefits to worms, ways to deny Teredo service, and the difficulty in finding all Teredo traffic to inspect.’

Read More »
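One of the report’s concerns is the difficulty of finding Teredo traffic to inspect. An added example (not code from the report) of the part that is mechanical: a Teredo address in 2001:0000::/32 embeds the Teredo server’s IPv4 address, a flags word and the client’s public NAT mapping (UDP port and IPv4 address, each stored XORed with all-ones), so decapsulated IPv6 logs can be scanned for Teredo endpoints and the NAT behind each one recovered. The flow records are constructed; the first address is the commonly cited sample Teredo address.

```python
import ipaddress
import socket
import struct

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")  # 2001:0000::/32
TEREDO_SERVER_UDP_PORT = 3544  # client-to-server port; peer-to-peer traffic uses NAT-mapped ports


def decode_teredo(addr):
    """Return the endpoints embedded in a Teredo address, or None if addr is not Teredo.

    Layout (RFC 4380): prefix (32) | server IPv4 (32) | flags (16) |
    obfuscated client UDP port (16) | obfuscated client IPv4 (32).
    The high flag bit was defined as "cone NAT"; later implementations fill
    the remaining flag bits with random values, so only that bit is read here.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    server_ip = socket.inet_ntoa(raw[4:8])
    flags, obf_port = struct.unpack("!HH", raw[8:12])
    (obf_client,) = struct.unpack("!I", raw[12:16])
    return {
        "server_ip": server_ip,
        "cone_nat": bool(flags & 0x8000),
        "client_ip": str(ipaddress.IPv4Address(obf_client ^ 0xFFFFFFFF)),
        "client_port": obf_port ^ 0xFFFF,
    }


def find_teredo_endpoints(flows):
    """Given (src, dst) IPv6 address pairs, e.g. from decapsulated flow logs, list the Teredo ones."""
    hits = []
    for src, dst in flows:
        for side, a in (("src", src), ("dst", dst)):
            info = decode_teredo(a)
            if info:
                hits.append((side, a, info))
    return hits


if __name__ == "__main__":
    # Constructed flow records: one Teredo client talking to a native host, one native-only flow.
    sample = [
        ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::1"),
        ("2001:db8::2", "2001:db8::3"),
    ]
    for side, a, info in find_teredo_endpoints(sample):
        print("%s %s -> NAT %s:%d via server %s (cone=%s)" % (
            side, a, info["client_ip"], info["client_port"], info["server_ip"], info["cone_nat"]))
```

On the IPv4 wire this only helps once the UDP payload has been decapsulated: matching UDP port 3544 catches client-to-server traffic, but peer-to-peer Teredo traffic runs on whatever ports the NATs mapped, which is precisely why finding all of it is hard.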

‘Access over Ethernet: Insecurities in AoE’

‘ATA over Ethernet (AoE) is an open standards based protocol which allows direct network access to disk drives by client hosts. AoE has been incorporated into the mainstream Linux kernel, has recently been the subject of a Slashdot article, and appears to be a SAN technology that is here to stay. This paper investigates the insecurities present in the AoE protocol and suggests how you can deploy AoE infrastructure without worrying about a wide scale compromise.’

Read More »

‘Assessing Java clients with the BeanShell’

‘Assessing the security of Java applications, and particularly client-server applications, can be a tedious process of modifying the code, compiling, deploying, testing and repeat. This becomes even more difficult when the source code to the application is not available. What we require is an easy means of interacting with the internals of a Java application during execution without recompiling the code. The BeanShell provides an interpreted, scripting environment that can plug in to any Java application or applet and allows users to inspect and manipulate objects dynamically. This paper demonstrates a technique for using the BeanShell to assess the security of a typical Java client-server application.’

Read More »

‘IPv6 Address Cookies’

‘It has long been known to researchers that address spoofing on the Internet is a serious problem. While a great deal of effort has been put into finding theoretical and practical solutions, spoofed attacks are still globally endemic. They represent a simple nuisance to many, but a business-halting bane to others. Enter IPv6. IPv6 is the next generation of the Internet protocol designed to alleviate the existing global address shortage and improve the scalability and extensibility of the aging IPv4 protocol. This new protocol provides an enormous 128-bit address space, which should provide enough addresses for several decades, if not centuries, of Internet expansion. In this paper, we propose methods which utilize the large IPv6 address space to mitigate spoofed attacks.’

Read More »

‘Advanced Topics on SQL Injection Protection’

‘SQL injection is now one of the most common attacks on the Internet. Simply go to Yahoo! or Google and search for ‘SQL injection’ and you can find tons of related documents.
Although awareness of SQL injection is rising, many people still do not have very concrete ideas on how to prevent SQL injection attacks.
This article is not going to tell you what SQL injection is, nor the latest techniques in SQL injection attacks, but, more importantly, how to prevent SQL injection correctly and in a more integrated approach.’

Read More »

‘Browser Cache Poisoning using IE and Caching Servers’

‘This paper demonstrates the attack vector mentioned in “Exploiting The XmlHttpRequest Object In IE”.

While this is not a new vulnerability, and in some sense not even a new attack vector, according to the author the net effect demonstrated here is disturbing to say the least: IE with the latest service pack, when used with many popular forward proxy servers (which in our opinion is quite a common scenario – think corporate America, universities, some ISPs), is vulnerable to XSS (regardless of the target website) and “local defacement”.’

Read More »