* Tiago Assumpcao
* Alex Rice (Facebook) facebook.com/rice
* Pedram Amini (ZDI) @pedramamini
* Erik Cabetas
* Dino A. Dai Zovi (Trail Of Bits) @dinodaizovi
* Alexander Sotirov @alexsotirov
* Barnaby Jack (IOActive) @barnaby_jack
* Charlie Miller (SecurityEvaluators) @0xcharlie
* David Litchfield (V3rity Software) @dlitchfield
* Lurene Grenier (Harris) @pusscat
* Alex Ionescu @aionescu
selection and wanted to remind everyone that we'll be closing the CFP
at the end of the week. All CFP information can be found at
<http://sandiego.toorcon.org/content/section/3/9/>. Here's a list of
some of the talks we've already picked:
Alexander Sotirov - How To Impress Girls With Browser Memory Protection Bypass
Andre Gironda - A little TLC for your SDL
Ben Feinstein - Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln
Bruno G Oliveira - Knowing and Enjoying the Cold Boot Attack
Chema Alonso & Jose Parada - RFD (Remote File Downloading) using Blind
Techniques
For more last minute information, follow @PwnieAwards on Twitter,
http://twitter.com/PwnieAwards
For questions, please email info@pwnie-awards.org
Alexander Sotirov
Dino Dai Zovi
Pwnie Awards 2010
These projects include the METASM pure-ruby assembler developed by
Yoann Guillot and Julien Tinnes, the "Hacking the iPhone" effort
outlined in the Metasploit Blog, the Windows kernel-land payload
staging system developed by Matt Miller, the heapLib browser
exploitation library written by Alexander Sotirov, the Lorcon 802.11
raw transmit library created by Joshua Wright and Mike Kershaw, Scruby,
the Ruby port of Philippe Biondi's Scapy project, developed by Sylvain
Sarmejeanne, and a contextual encoding system for Metasploit payloads.
"Contextual encoding breaks most forms of shellcode analysis by
encoding a payload with a target-specific key" said I)ruid, author of
* Tiago Assumpcao (RIM)
* Alex Rice (Facebook) facebook.com/rice
* Pedram Amini @pedramamini
* Erik Cabetas (Include Security)
* Dino A. Dai Zovi (Trail Of Bits) @dinodaizovi
* Alexander Sotirov @alexsotirov
* Barnaby Jack (McAfee) @barnaby_jack
* Charlie Miller (Accuvant) @0xcharlie
* David Litchfield (Accuvant) @dlitchfield
* Lurene Grenier (Harris) @pusscat
* Alex Ionescu @aionescu
I Service Console package security updates
a. OpenPegasus PAM Authentication Buffer Overflow
Alexander Sotirov from VMware Security Research discovered a
buffer overflow vulnerability in the OpenPegasus Management server.
This flaw could be exploited by a malicious remote user on the
service console network to gain root access to the service console.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
3. Problem description:
I OpenPegasus PAM Authentication Buffer Overflow
Alexander Sotirov from VMware Security Research discovered a
buffer overflow vulnerability in the OpenPegasus Management server.
This flaw could be exploited by a malicious remote user on the
service console network to gain root access to the service console.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
the Host.Cim.CimInteraction permission are not vulnerable.
This vulnerability cannot be exploited by users without valid login
credentials.
Discovery: Alexander Sotirov, VMware Security Research
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2008-2097 to this issue.
VMware Product Running Replace with/
Tuesday, May 26, 2009.
We look forward to your submissions.
Dan Boneh, Stanford University
Alexander Sotirov, independent security researcher
WOOT'09 Program Chairs
woot09chairs@usenix.org
For more last minute information, follow @PwnieAwards on Twitter,
http://twitter.com/PwnieAwards
For questions, please email info@pwnie-awards.org
Alexander Sotirov
Dino Dai Zovi
Pwnie Awards 2009
San Diego, CA 92101
http://www.sdccc.org
SATURDAY - 50 minute talks
Dan Kaminsky - TBA
Alexander Sotirov - How To Impress Girls With Browser Memory Protection Bypass
Ben Feinstein - Loaded Dice: SSH Key Exchange & the OpenSSL PRNG Vuln
grutz - One XSS To Rule The Enterprise
Jason Ostrom - Targeted VoIP Eavesdropping: An Attack From Within
Jay Beale - Owning the Users with The Middler
Joseph McCray - Advanced SQL Injection
visit the Pwnie Awards site at http://pwnie-awards.org/
For questions, please email info@pwnie-awards.org
Alexander Sotirov
This release of the Metasploit Framework was driven by numerous key
contributors, including James Lee, Yoann Guillot, Steve Tornio, MC,
Chris Gates, Alexander Kornbrust, Ramon Carvalle, Stephen Fewer, Ryan
Linn, Lurene Grenier, Mike Kershaw, Patrick Webster, Max Moser, Efrain
Torres, Alexander Sotirov, Ty Bodell, Joshua Drake, JR, Carlos Perez,
Kris Katterjohn and many others.
The startup speed of the Metasploit Console and all utilities has been
greatly improved due to performance patches by Yoann Guillot and a
string processing overhaul by James Lee. Metasploit now fully supports