Gynvael Coldwind
multiple FTP-based vulnerabilities
Class : Remote directory traversal, Remote DoS
Threat level : HIGH
Discovered : 2007-09-06
Published : 2007-08-24
Credit : Gynvael Coldwind
Vulnerable : 0.92 (build 573), 0.92 (build 565), prior versions may also be affected
== Abstract ==
Client Directory Traversal
Class : Remote Directory Traversal
Threat level : HIGH
Discovered : 2007-08-14
Published : 2007-09-06
Credit : Gynvael Coldwind
Vulnerable : 3.32 build 2305 and prior, other versions may be affected
== Abstract ==
Name : Blizzard StarCraft Brood War Remote DoS
Class : Remote/Local DoS
Threat level : MED
Discovered : 2007-08-08
Published : 2007-08-29
Credit : Gynvael Coldwind
Vulnerable : StarCraft Brood War 1.15.1 and prior
StarCraft 1.15.1 and prior may also be affected
== Abstract ==
Directory Traversal
Class : Remote Directory Traversal
Threat level : HIGH
Discovered : 2007-08-25
Published : 2007-09-06
Credit : Gynvael Coldwind
Vulnerable : 7.01 and prior
== Abstract ==
Name : Fileinfo multiple vulnerabilities
Class : Local DoS, Information Spoofing
Threat level : Low
Discovered : 2007-08-05
Published : 2007-08-20
Credit : Gynvael Coldwind
Vulnerable : 2.0.9, prior versions may also be affected
== Abstract ==
Class : Local/Remote multiple directory traversal (Input Validation Error)
Threat level : HIGH
Discovered : 2007-08-09
Published : 2007-08-23
Credit : Gynvael Coldwind
Vulnerable : 0.92 (build 573), 0.92 (build 565), prior versions may also be affected
== Abstract ==
+ Speakers
- Pierre-Marc Bureau and Joan Calvet - Understanding Swizzor's Obfuscation Scheme
- Ero Carrera and Jose Duart - Packer Genetics: The Selfish Code
- Gynvael Coldwind and Unavowed - Syndicate Wars Port: How to port a DOS game to modern systems
- Dino Dai Zovi - Mac OS X Return-Oriented Exploitation
- Nicolas Falliere - Reversing Trojan.Mebroot's Obfuscation
- Yoann Guillot and Alexandre Gazet - Metasm Feelings (30 minutes)
- Travis Goodspeed - Building hardware for exploring deeply embedded systems
Credit:
====================
Michal Bucko, Eleytt, www.eleytt.com/michal.bucko
Gynvael Coldwind (for providing a good example)
Name : FastStone Image Viewer v3.6 (malformed bmp image) DoS Exploit
Credit : suN8Hclf (DaRk-CodeRs Group), crimson.loyd@gmail.com
Download : http://www.FastStone.org
Greetz : Luigi Auriemma, 0in, cOndemned, e.wiZz!, Gynvael Coldwind,
Katharsis, all from #dark-coders and others;]
PoC:
#!/usr/local/bin/perl
# Open file (File->Open) or simply click on the image miniature
1.) Daniel Mende (ERNW GmbH) with Oliver Roeschke (ERNW GmbH) -- Attacking CISCO WLAN Solutions
2.) Dino Covotsos (Managing Director, Telspace Systems) -- Hiding a Giant: Analysis of a Next Generation Botnet
3.) Fredric Raynal (Head of Research, Sogeti/Cap Gemini) with Arnauld Mascret (Sogeti / Cap Gemini) & Christophe Devaux (Sogeti / Cap Gemini) -- Deception 2.0: Gathering and Exploiting Information
4.) Gynvael Coldwind (Researcher, Hispasec) -- A Case Study of Recent Windows Vulnerabilities
5.) Laurent Oudot (Founder, TEHTRI-Security) -- Silent Steps: Improving the Stealthiness of Web Hacking
6.) Marc Schoenefeld (Independent Network Security Specialist) -- Open Sesame: Examining Android Code with undx2
7.) Shawn Merdinger (Security Researcher) -- We Don't Need No Stinkin' Badges: Hacking Electronic Door Access Controllers
8.) The Grugq (Anti Forensics Specialist) -- Base Jumping: Attacking GSM Base Stations and Mobile Phone Basebands
* Name : FireFox 2.0.0.11 and Opera 9.50 beta Remote Memory Information Leak
* : FireFox 2.0.0.11 Remote Denial of Service
* Type : Remote Information Disclosure
* Impact : Medium / High
* Credits: Gynvael Coldwind / Hispasec / Team Vexillium
* Special thanks to udevd and porneL
* Brief
Opera and FireFox contain vulnerable code for handling BMP files with
* Name : SDL_Image 1.2.6 and prior GIF handling buffer overflow
* Type : (Remote) DoS / Code Execution (?)
* Impact : Low / Medium (?)
* Credits : Gynvael Coldwind / Team Vexillium
* Discovered: 2007-12-17
* Published : 2008-01-23
* Brief
* Jacob Appelbaum – keynote
* Jesse Burns
* Frank Breedijk
* Łukasz Bromirski
* Raoul Chiesa
* Gynvael Coldwind
* Claudio Criscione
* Bernardo Damele
* Nick DePetrillo
* Leonardo NVE Egea
* Przemysław Frasunek
* hong and Gregory Fleischer each reported a variant on earlier
reported bugs regarding focus shifting in file input controls
(CVE-2008-0414).
* Gynvael Coldwind (Vexillium) discovered that BMP images could be
used to reveal uninitialized memory, and that this data could be
extracted using a "canvas" feature (CVE-2008-0420).
* Chris Thomas reported that background tabs could create a
borderless XUL pop-up in front of pages in other tabs
loading library for the Simple DirectMedia Layer 1.2. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-6697
Gynvael Coldwind discovered a buffer overflow in GIF image parsing,
which could result in denial of service and potentially the
execution of arbitrary code.
CVE-2008-0544
Name : AyeView v2.20 (malformed gif image) DoS Exploit
Credit : suN8Hclf (DaRk-CodeRs Group), crimson.loyd@gmail.com
Download : http://www.ayeview.com/downloads.htm
Greetz : Luigi Auriemma, 0in, cOndemned, e.wiZz!, Gynvael Coldwind,
Katharsis, all from #dark-coders and others;]
PoC:
* Name : Opera 9.50 beta / 9.24 Remote DoS
* Type : Remote DoS
* Credits: Gynvael Coldwind of Vexillium & Simey
* Impact : Low
* Short description
Opera is vulnerable to a remote DoS attack using specially crafted BMP
files, which cause the browser to freeze for a short amount of time
(around 4 minutes on a fast computer). An attacker could create a web
===========
David Bloom reported two vulnerabilities where plug-ins (CVE-2007-6520)
and Rich text editing (CVE-2007-6522) could be used to allow cross
domain scripting. Alexander Klink (Cynops GmbH) discovered an issue
with TLS certificates (CVE-2007-6521). Gynvael Coldwind reported that
bitmaps might reveal random data from memory (CVE-2007-6524).
Impact
======
- Debugger-based Target-to-Host Cross-System Attacks
- Alex Ionescu
- Syndicate Wars Port: How to port a DOS game to modern systems
- Unavowed / Gynvael Coldwind
- DMS, 5ESS and Datakit VCS II: interfaces and internals
- Jonathan Stuart
+ CFP reminder
# Jacob Appelbaum - "Anonymity, Privacy, and Circumvention with Tor in the Real World
# Ulascan Aytlolun, Celil ‘karak0rsan’ Ünüver - "Analysis of Software Vulnerabilities"
# Axelle Apvrille - "The Four Horsemen – Malware for mobile"
# Frank Breedijk - "PKI is dead, long live PKI"
# Jesse Burns - "Aurora attacks" and "Android Reverse Engineering"
# Gynvael Coldwind - "Case study of recent Windows vulnerabilities"
# Sebastian Fernandez - "General notes about exploiting Windows x64"
# Tam Hanna - "Mobile attacks and preventions – how security will change the mobile market"
# Mario Heiderich - "The Presence and Future of Web Attacks Multi-Layer Attacks and XSSQLI"
# David Hulton - "The Data Encryption Standard (DES) – How broken is it?"
# Vincenzo Iozzo - "0-Knowledge fuzzing"
print "====================================================================="
print " Destiny Media Player 1.61 (.lst File) Local Stack Overflow Exploit\n"
print " Discovered by : Encrypt3d.M!nd"
print " exploit code by : suN8Hclf"
print " Tested on : Windows 2000 SP4 Polish"
print " Greetings to : 0in, Gynvael Coldwind, doctor, Katharsis, SkD"
print "====================================================================="
buffer = "\x41" * 2052
NEW_EIP = "\x33\x08\x3a\x77" #call ESP from atl.dll
nops = "\x90" * 10
KEYNOTE 2 - Sourcefire - Near Real Time Detection
D2 - Mariano Di Croce - SAP Penetration Testing with Bizsploit
D2 - Fred Raynal + Sogeti - Gathering and Exploiting Information
D2 - Marc Schoenefeld - Examining Android Code with undx2
D2 - Saumil Shah - Web Security - Going Nowhere?
D2 - Gynvael Coldwind - A Case Study of Recent Windows Vulnerabilities
Notes:
** - Speaker changed due to the fscking ash cloud mess!