Black Hat
- Nguyen Anh Quynh (Japan)
Memory forensic and incident response for live virtual machine (VM)
- Nguyen Anh Quynh (Japan)
Internet Marketing vs. Web Security: Guide to Extreme Black Hat Online
Profits!
- Anselmus Ricky (Indonesia)
New Algorithms for Attack Planning
- Carlos Sarraute (CORE Security) (Argentina)
only saw one instance of the .exe running. The first thing I thought was
"Voodoo!!" I then said to myself, "Self, even though you launched it in
a completely different user context, it hopped out of that user's space
and hijacked your concurrent logon's files! WTF?"
During last year's Microsoft Ninjitsu training at Black Hat Vegas, I
brought it up to my class and we all concurred that voodoo was afoot -
even some Microsoft guys (who shall remain nameless) thought so and told
me to STFU and to contact MSRC before talking about it anymore since it
looked like Outlook was actually crossing user context borders.
True to "responsible disclosure," I called upon the skillz of Jason
We will also release a whitepaper on a variant of the new DNS poisoning
attack tomorrow. We wrote this whitepaper along with an exploit a while
ago, and somehow managed NOT to leak it to the press before the Kaminsky
talk :)
The presentations and whitepapers, along with our past presentations
from Blackhat and Deepsec, can be found at:
http://www.sec-consult.com/publikationen_e.html
crash the PHP interpreter or to utilize existing classes for attacks.
In combination with the classes available in the Zend Framework this
results in file upload and PHP code execution vulnerabilities. Taking
into consideration the research on interruption vulnerability exploits
that was demonstrated by SektionEins at Syscan and Blackhat, this
vulnerability has to be considered an arbitrary code execution
vulnerability.
Details:
BugCON can offer work tables for continuing your talk); the conference
language can be Spanish (preferably) or English. Remember that BugCON
is totally uncensored, so the public can start a discussion about your
conference, and it's totally acceptable.
BugCON has two lines, a “white hat” topic and a “black hat” topic; the
technical reviewers are going to place your conference in the most
adequate classification. BugCON reserves the right to accept or reject
any paper.
All proposals should be sent to secretary@bugcon.org with a little
03/27/2009 Microsoft reports status
04/23/2009 Microsoft reports status, predicts September release
05/13/2009 Microsoft reports status, predicts October release
05/21/2009 Microsoft requests conference call
06/03/2009 Conference call takes place
07/29/2009 Material presented at BlackHat USA
08/11/2009 Public disclosure via MS09-037
IX. CREDIT
This vulnerability was discovered by Ryan Smith of iDefense Labs.
On 10/11/07, Andy Davis <andy.davis@irmplc.com> wrote:
Halvar,
The primary objective of the research was to understand how to create a
remote high privilege shell on IOS (as Michael Lynn demonstrated at
BlackHat 2005) - this was achieved and in the process, we discovered
three ways of doing it. Because we had worked out how to use gdb with
IOS, the easiest way for us to develop the shellcode was by using gdb to
upload the code to some spare IOS memory and hook into an IOS process
that was already running to execute it.
List, I've prepared a paper to accompany a presentation at
blackhat las vegas discussing Sophos Antivirus design. It might be of
interest to those evaluating or deploying Sophos Antivirus.
http://lock.cmpxchg8b.com/Sophail.pdf
I've also created some tools to help understand and dump Sophos
signature files, which I'll release soon.
My impression of Sophos technology is not positive, however Sophos have
Coincidentally, the discovery of these vulnerabilities was aligned with Twitter's announcement to increase the security of third-party apps: "Starting August 31, all applications will be required to use “OAuth” to access your Twitter account". This service switch didn't make any difference regarding this vulnerability, as HTC Peep still works through its OAuth capabilities. However, as this advisory demonstrates, technology must be implemented properly. Historically, Twitter developers have been able to choose one of two authentication methods: Basic Authentication or OAuth. Somehow, HTC Peep is using both methods simultaneously, exposing the user credentials.
Modern mobile devices implement multiple communication technologies, such as IrDa, Bluetooth, Wi-Fi, and mobile (2G/3G). The last two, Wi-Fi and 2G/3G, are the most commonly used methods to establish data communications from the mobile device to other entities. Therefore, this vulnerability can be exploited in targeted attacks when the mobile device is using either of these two technologies:
• Wi-Fi: When the mobile device connects to a Wi-Fi (802.11) network, an attacker can intercept all your web traffic if it is an open or WEP Wi-Fi network. If the network is based on WPA(2)-PSK, any user with access to that network can also collect all your traffic. You can protect your Wi-Fi data communications if you only connect to WPA2-Enterprise Wi-Fi networks (or, potentially, if you thoroughly make use of VPN technologies). Unfortunately, even when your device is not connected to any Wi-Fi network, this vulnerability can still be exploited in combination with other vulnerabilities, such as Karma-like attacks. See "TAD-2010-003: Full 802.11 Preferred Network List (PNL) disclosure in Windows Mobile 6.5".
• 2G/3G: When the mobile device connects to a mobile network (2G or 2.5G: GPRS or EDGE), an attacker can intercept all your web traffic. You can protect your mobile data communications if you only connect to +3G data networks. For more information see the "GPRS/EDGE Security" blog post and the recent "A practical attack against GPRS/EDGE/UMTS/HSPA mobile data communications" BlackHat DC 2011 Taddong presentation, by David and Jose.
Independently of the data network access used by the mobile device, at some point the web traffic will enter the public Internet in the clear (unencrypted), where it can be intercepted by anyone able to capture traffic on any of the intermediate network segments between the mobile device and Twitter.
The fact that Twitter credentials can be easily eavesdropped has a pretty significant impact, as most users assume other users' credentials have not been hijacked and therefore blindly trust tweets (or microblog/blog posts) coming from trusted parties (their friends, people they frequently follow, public personalities...). Twitter account hijacking can be used for web-based and client-based targeted attacks (especially through the use of short URLs), and can cause significant damage to the image and credibility of the victim user.
Debian-specific: no
CVE ID : CVE-2009-2666
It was discovered that fetchmail, a full-featured remote mail retrieval
and forwarding utility, is vulnerable to the "Null Prefix Attacks Against
SSL/TLS Certificates" recently published at the Blackhat conference.
This allows an attacker to perform undetected man-in-the-middle attacks
via a crafted ITU-T X.509 certificate with an injected null byte in the
subjectAltName or Common Name fields.
Note, as a fetchmail user you should always use strict certificate
Dear list,
We are glad to announce the first public release of pmcma (Post Memory
Corruption Memory Analyzer), a tool first presented at Blackhat US
earlier this year. More information at http://www.pmcma.org/ .
--[ Synopsis:
Pmcma aims at automating exploitation of invalid memory writes (being
In August 2005 at Black Hat Las Vegas, Michael Lynn delivered his
infamous presentation entitled "Cisco IOS Shellcode and Exploitation
Techniques". For the first time ever, remote exploitation of Cisco IOS
was publicly demonstrated using shellcode that spawned a connect-back or
"reverse" shell. His shellcode was never released outside Cisco.
Over the last few months IRM have been researching the security of Cisco
IOS which has resulted in the discovery of a series of serious security
vulnerabilities (including three new stack overflows). Advisories and
associated IOS patches will be released over the coming months, starting
Solution: Upgrade to version 2.2
Hi all,
If you plan to take my "Application Security: For Hackers and
Developers" at ShakaCon, BlackHat, ToorCon, and others;
I finally got off my can and finished the prerequisite white paper.
It can be found here:
http://www.crucialsecurity.com/index.php?option=com_content&task=view&id=94&Itemid=136
Blessings,
04/23/2009 Microsoft reports status, predicts September release
05/13/2009 Microsoft reports status, predicts October release
05/21/2009 Microsoft requests conference call
06/03/2009 Conference call takes place
07/28/2009 Public disclosure via MS09-035 out-of-band bulletin
07/29/2009 Material presented at BlackHat USA
IX. CREDIT
This vulnerability was discovered by Ryan Smith of iDefense Labs.
projector in time for the meet, but if anyone has one we can borrow for
the evening as a standby please get in touch with me or alien...
we will have some special guests this month:
Jeff "Dark Tangent" Moss - founder of DEFCON & BlackHat
Matt "Barkode" Lewis of Ninja Networks party fame :)
Dave "H1kari" Hulton - FPGA guru and Toorcon organiser
i'm hoping H1kari and Steve can be prevailed upon to give a potted
version of their GSM cracking talk, but at the least i'm sure they'll be
Not affected: fetchmail release 6.3.11 and newer
Corrected: 2009-08-04 fetchmail SVN (rev 5389)
References: "Null Prefix Attacks Against SSL/TLS Certificates",
Moxie Marlinspike, 2009-07-29, Defcon 17, Blackhat 09.
CVE-2009-2408, Mozilla Firefox <3.5 and NSS <3.12.3
improper handling of '\0' characters in domain names in
the Subject CN field of X.509 certificates.
05/13/2009 Microsoft reports status, predicts October release
05/21/2009 Microsoft requests conference call
06/03/2009 Conference call takes place
06/05/2009 Microsoft supplies corrected ATL headers and requests review
07/28/2009 Public disclosure via MS09-035 out-of-band bulletin
07/29/2009 Material presented at BlackHat USA
08/11/2009 Microsoft publishes MS09-037
IX. CREDIT
This vulnerability was discovered by Ryan Smith of iDefense Labs.
=============
* sqlmap user's manual: http://sqlmap.sourceforge.net/doc/README.pdf
* "Advanced SQL injection to operating system full control"
whitepaper[1] and slides[2] presented at Black Hat Europe 2009 in
Amsterdam (The Netherlands) on April 16, 2009
[1] http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
[2] http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides
It's time to get rid of those threats, and to show that there are other
non-standard solutions when you are under attack. Stay tuned...
We would like to thank the big and small companies who trusted our
services and who asked for assistance by also sharing some logs and some
blackhat tools that they caught when they were under attack. If you have
such web security issues, do not hesitate to contact us, so that we can
help and assist you with our innovative technologies or our trainings.
Laurent OUDOT, Founder and CEO of TEHTRI-Security
http://www.tehtri-security.com
At Black Hat 2007 and Defcon 15, Valsmith and I gave a talk
entitled "Tactical Exploitation". This talk introduced a tactical
approach to penetration testing that does not rely on exploiting known
vulnerabilities. During the talk, we used a combination of new tools and
lesser-known techniques to walk through the process of compromising a
target network. The materials for this talk are now online, including the
slides, white paper, and videos. These materials can be found online at:
- http://metasploit.com/confs/
For those who missed both the talks or couldn't stay for all of one, the
NOTE: We do not accept product or vendor related pitches. If you would
like to showcase your company's products or technology, please contact
us for further participation opportunities.
NOTE 2: Speakers who got rejected by BlackHat - we welcome your papers
and promise they'll be given a proper review! ;)
===
Event Website:
within the webserver's document root which usually exist in a
standard Piwik installation. In newer versions of Piwik it is
also possible to execute arbitrary PHP code directly.
Combined with the interruption vulnerability exploits demonstrated
by SektionEins at Syscan and Blackhat it is possible to disable
all internal PHP security protections and execute arbitrary code,
e.g. local kernel exploits, to become root.
Details:
for clients, and there have been and still are many vulnerabilities.
Vendors take steps to defend us from them. Software vendors patch vulnerabilities and OS vendors
introduce new mechanisms to prevent attacks altogether. But security researchers keep trying to find ways to bypass these mechanisms.
The new versions of browsers (Internet Explorer 8 and Firefox 3.5) use permanent DEP,
and the new versions of operating systems use the ASLR mechanism. All this makes the old attack methods impossible.
But at BlackHat DC 2010 an interesting way to bypass DEP and ASLR in browsers (and not only browsers)
and Just-In-Time compilers was presented. This method is called JIT-SPRAY. But there was no public PoC until now.
In this text we describe how to write shellcode for the new JIT-Spray attacks and build a universal STAGE 0 shellcode
that hands control to any common shellcode, for example from Metasploit.
...and there's a blog on the topic over at -
http://technicalinfodotnet.blogspot.com/2009/04/who-cloned-web-site-heres-how-to-tell.html
Hope the paper proves insightful for some of you having to advise your
customers directly. I'll offer a beer at BlackHat Las Vegas this year to the
first person to name 3 large international banks that already use this
tracing process, and the algorithm they went with :-)
Cheers,
2) refuse to enable DMA for a firewire device, also preventing many
devices from working properly, e.g. the linux approach
The only approach I am aware of that might be called a 'viable technical
solution' was just demonstrated at BlackHat for altering the content of
the DMA controller to redirect certain memory accesses. I do not
believe this has been turned into anything like a usable tested patch
for any major operating system to defend its privileged kernel memory,
and unless APIs were created to designate the need for 'secured' memory
storage for things like passwords to be stored in these areas that the
No extra points for unix beards, apple ][ era tattoos or other ostentatious
nerd-uppery[1].
Kiwicon is a single stream of talks, so timeslots will be allocated to the
length you need - if you've got 20 mins of material, submit 20 mins, not
padded out to an hour. This ain't no blackhat bizniss. There will be a
dedicated slot for a bunch of lightning talks, so if you've got 5 minutes of
justice, then wheel it on out.
-----[ ADMINISTRIVIA, FINE PRINT AND ACCURACY IN PRODUCT LABELLING
> Solaris, then I'm sure Sun would address it, but where is the benefit
> for them to do so at present?
It's not about OpenBSD on sparc - the OpenBSD people don't
really care - the fact that it's possible at all means anyone with
clue and a less than black hat can go take an OpenBSD kernel, figure
out what it's doing there, and likely make a solaris kernel module
to do the same thing - then they have a nice little tool. This indicates
that something is broken, and can likely be taken advantage of.
Frankly, the OpenBSD people aren't going to bother doing it.