Exploit Sweatshop

When I was playing/introducing the partial disclosure practice an year and something ago, I did get contacted by numerous dodgy characters willing to buy yet undisclosed vulnerabilities for substantial amount of money. Of course, requests of that nature were kindly ignored. I couldn’t believe that someone was willing to give me so much money for something I virtually spent 2-3 hours maximum to produce. [...]

more | comments | comments rss | posted by

More Advanced Clickjacking – UI Redress Attacks

This will be a quick post just to share some POCs and more information regarding the recent Clickjacking technique, i.e. UI Redress Attack, a name suggested by Michael Zalewski.

Clickjacking is an oldie but, a goodie. You can track the origin of the attack back at the beginning of this decade. Clickjacking is essentially the anti-CSRF killer. It is also the killer of Flash, AJAX (because AJAX apps are sometimes easier to clickjack, look at Google) and some other technologies. [...]

more | comments | comments rss | posted by

New technique to perform universal website hijacking

I’m really excited that HITBSecConf2008 Malaysia is coming up soon: end of October to be precise. I highly recommend our readers to attend such event, as it’s organized by one of the finest security event crews I have ever dealt with. There are tons of talks I want to attend, which I will cover in another post. [...]

more | comments | comments rss | posted by

The QuickTime Vulnerability Overview

The details of the vulnerability were covered in my previous post. In this one I would like to briefly talk about the impact. Obviously, the vulnerability is very simple. Simple yet effective. However, this is not the type of vulnerability someone can exploit on a massive scale. Here is why.

Attack Vectors

The key element of the attack vector presented in my previous post is the attackers’ ability to point the victim to a file hosted on a NETBIOS share. [...]

more | comments | comments rss | posted by

Details of the QuickTime Vulnerability

In this post I intend to give a brief overview of the QuickTime vulnerability which I partially-disclosed over here. I should have made these details public long time ago but better late than never. The vulnerability has been fixed for several months now and I believe it is safe to talk about it in the public.

Let’s start with an example. The following is the source code of a malicious QuickTime SMIL file:

First of all, we start with the SMIL header (SMILtext). [...]

more | comments | comments rss | posted by

QuickTime 0day for Vista and XP

A remote vulnerability exists in the QuickTime player for Windows XP and Vista (latest service packs). Other versions are believed to be affected as well. For now, no details will be released regarding the method of exploitation.

The video above demonstrates the issue on Windows Vista and Windows XP. The Windows Vista demo is rather slow because it runs from a 512MB VMWare machine.

more | comments | comments rss | posted by

Holes in Embedded Devices: IP-based session management

Devices that implement IP address-based session management follow the algorithm described by the pseudocode shown below:

The implications are obvious: devices located in environments in which different users share the same proxy are vulnerable to administrative session hijacking attacks. Please note that this session hijacking attack has nothing to do with the classic TCP hijacking attack in which sequence numbers are predicted by the attacker. [...]

more | comments | comments rss | posted by

Name (mDNS) Poisoning Attacks inside the LAN

How easy is for attackers to compromise the LAN? Answer: Very easy! With a few simple tricks, attackers can easily poison the local name resolution system for the machines inside a given LAN. Network Devices and Apple products are most vulnerable among others of course.

It is all due to mDNS. From Wikipedia’s article:

The problem with mDNS is that it is spoof-able. Here is how it works. A mDNS enabled client will perform a mDNS query on a multicast address. [...]

more | comments | comments rss | posted by

Vulnerabilities in Skype

Aviv has already done most of the work but I would like to add a few more notes on the recently reported Skype Cross-site Scripting issue. In general, the issue is pretty much underestimated. The vulnerability is not of a type Cross-site Scripting bug, but mostly a Cross-site Scripting bug on DailyMotion, which results into a Cross-zone Scripting issue within Skype due to the unlocked IE controller Skype makes use of. [...]

more | comments | comments rss | posted by

Hacking The Interwebs

With great power comes great responsibility, but those with great power usually aren’t that responsible. Nevertheless, we try to be responsible as much as we can. In the following post, ap and I are going to expose some secrets, which may make you question our values at first, will definitely make you feel worried about Why is all this possible?, and may even make you hate us in your guts for what we have done. [...]

more | comments | comments rss | posted by