‘Bypassing Internet Explorer’s XSS Filter’

Internet Explorer 9 has a security system with well known shortfalls, most notably that it does not attempt to address DOM based XSS or Stored XSS. This security system is built on an arbitrary philosophy which only accounts for the most straight forward of reflective XSS attacks. This paper covers three attack patterns that undermine Internet Explorer’s ability to prevent Reflective XSS.’

Read More »

‘LittleBlackBox Project: Default SSL Keys in Multiple Routers’

‘Many routers that provide an HTTPS administrative interface use default or hard-coded SSL keys that can be recovered by extracting the file system from the device’s firmware.

The LittleBlackBox project contains a database of over 2,000 (and growing) private SSL keys that are correlated with their respective public certificates, and hardware/firmware versions. While most of these certificates are from DD-WRT firmware, there are also private keys from other vendors including Cisco, Linksys, D-Link and Netgear.’

Read More »

‘Why Silent Updates Boost Security’

‘Thomas Duebendorfer Google Switzerland GmbH and Stefan Frei Communication Systems Group, ETH Zurich, Switzerland looked into the performance of Web browser update mechanisms. The analysis of anonymized Google Web server logs allowed us to compare and rank the update strategies deployed by Google Chrome, Mozilla Firefox, Apple Safari, and Opera.

Thomas Duebendorfer and Stefan Frei found considerable differences in the performance of the update techniques deployed by each browser by measuring the share of the latest minor version within the same major version during the first 21 days after its release.

We recommend any software vendor to seriously consider deploying silent updates as this benefits both the vendor and the user, especially for widely used attack-exposed applications like Web browsers and browser plug-ins.’

Read More »

‘Frame Pointer Overwrite Demonstration (Linux)’

‘This paper assumes you have read the proper background information and/or technical details about the above subject. If not, please do so, because this read does not include key concepts but instead technical exploitation examples. That being said, enjoy. Knowledge is power.’

Read More »

‘Format String Exploitation Demonstration (Linux)’

‘This paper assumes you have read the proper background information and/or technical details about the above subject. If not, please do so, because this read does not include key concepts but instead technical exploitation examples. That being said, enjoy. Knowledge is power.’

Read More »

‘Hacking SOHO Routers’

The purpose of this paper is to outline the security measures being taken by vendors to prevent such attacks in their home routing products, what those security measures accomplish, and where they fall short. We will use existing network tools to examine common vulnerabilities in a range of popular devices and demonstrate weaknesses in the security of those devices; additionally, we will examine common trends in security measures that have been duplicated across vendors, and examine how those trends help and hinder the security of their devices. In particular, we will examine the following home routers, which are some of the latest offerings from their respective vendors at the time of this writing:
 * Linksys WRT160N
 * D-Link DIR-615
 * Belkin F5D8233-4v3
 * ActionTec MI424-WR’

Read More »

‘Reflective Dll Injection’

Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) loader.’

Read More »

‘Microsoft Windows DNS Stub Resolver Cache Poisoning (MS08-020)’

‘The Windows DNS stub resolver is a Windows service used by Windows desktop software to resolve DNS names into IP addresses. The DNS stub resolver forwards DNS queries to the DNS server configured for the workstation (or server) and returns the DNS server s response to the requesting software.

This paper shows that Windows DNS stub resolver queries are predictable – i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the ‘next’ query, thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS client poisoning than the currently known attacks against Windows DNS stub resolver.’

Read More »

‘Cold Boot Attacks on Disk Encryption’

The below linked paper shows that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. The paper also demonstrates the methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux.’

Read More »

‘Exploiting WDM Audio Drivers’

‘For those researchers who are interested in the driver security and also for driver writers, the paper ‘Exploiting WDM Audio Drivers’ has been released.

This paper explains an attack vector inherent to certain WDM audio drivers running on Windows Vista, XP, 2000 and 2003. Successful exploitation could lead to local escalation of privileges.

The paper also covers the interesting case of es1371mp.sys, a vulnerable WDM driver that can be automatically installed through Windows Update, on systems with Ensoniq PCI 1371 based SoundCards (Certain VMware products emulate a soundcard of this type).’

Read More »

‘Cryptanalysis of the Random Number Generator of the Windows Operating System’

‘The pseudo-random number generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudo-randomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published.

We examined the binary code of a distribution of Windows 2000, which is still the second most popular operating system after Windows XP. (This investigation was done without any help from Microsoft.) We reconstructed, for the first time, the algorithm used by the pseudo-random number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a non-trivial attack: given the internal state of the generator, the previous state can be computed in $O(2^{23})$ work (this is an attack on the forward-security of the generator, an $O(1)$ attack on backward security is trivial). The attack on forward-security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks.

We also analyzed the way in which the generator is run by the operating system, and found that it amplifies the effect of the attacks: The generator is run in user mode rather than in kernel mode, and therefore it is easy to access its state even without administrator privileges. The initial values of part of the state of the generator are not set explicitly, but rather are defined by whatever values are present on the stack when the generator is called.Furthermore, each process runs a different copy of the generator, and the state of the generator is refreshed with system generated entropy only after generating 128 KBytes of output for the process running it. The result of combining this observation with our attack is that learning a single state may reveal 128 Kbytes of the past and future output of the generator.

The implication of these findings is that a buffer overflow attack or a similar attack can be used to learn a single state of the generator, which can then be used to predict all random values, such as SSL keys, used by a process in all its past and future operation. This attack is more severe and more efficient than known attacks, in which an attacker can only learn SSL keys if it is controlling the attacked machine at the time the keys are used.’

Read More »

‘Windows Personal Firewall Analysis’

During Matousek security analyses of personal firewalls and other security-related software that uses SSDT hooking, Matousek found out that many vendors simply do not implement the hooks in a proper way. This allows local Denial of Service by unprivileged users or even privilege escalations exploits to be created. 100% of tested personal firewalls that implement SSDT hooks do or did suffer from this vulnerability! This article reviews the results of our testing and describes how a proper SSDT hook handler should be implemented. Matousek also introduced BSODhook – a handy tool for every developer that deals with SSDT hooks and a possible cure for the plague in today’s Windows drivers world.’

Read More »
Brought to you by:
TyphoonCon 2019 // All offensive security conference
Stay up-to-date