ColdFusion directory traversal FAQ (CVE-2010-2861)

A new Adobe hotfix for ColdFusion has been released recently. The vulnerability, which was discovered by Richard Brain, was rated as important by Adobe and could affect a large number of Internet-facing web servers. The FAQ below is meant to shed some light on this vulnerability so that ColdFusion administrators can understand what they’re up against. [...]

CVE-2009-1151: phpMyAdmin Remote Code Execution Proof of Concept

I couldn’t find any public PoC/exploit for this phpMyAdmin vulnerability, despite it being a serious bug affecting a popular open-source project. I think this vulnerability is a nice reminder that it’s still possible to perform remote command execution these days without relying on SQL injection (i.e.: xp_cmdshell) or a memory corruption bug (i.e.: heap overflow). [...]

Exploit Sweatshop

When I was playing/introducing the partial disclosure practice a year and something ago, I did get contacted by numerous dodgy characters willing to buy yet undisclosed vulnerabilities for a substantial amount of money. Of course, requests of that nature were kindly ignored. I couldn’t believe that someone was willing to give me so much money for something I virtually spent 2-3 hours maximum to produce. [...]

Hijacking Innocent Frames

Magic tricks are all about suggestion, psychology, misdirection and showmanship (see Tricks of the Mind), or as Cutter perhaps will say, every magic trick has three parts: the pledge (where the magician shows you something ordinary), the turn (where the ordinary becomes something extraordinary), and the prestige (where the extraordinary turns into something you have never seen before). [...]

Even More Advanced Clickjacking

Clickjacking is one of these types of attacks which are incredibly simplistic to perform, yet very powerful in today’s web-driven world. In this post I would like to draw your attention to one more technique that can be used to perform successful clickjacking.

Basically the browser slowly becomes a quite powerful graphical environment. This is due to two relatively new features such as the canvas and support for SVG (Simply Vector Graphic). Interestingly enough, SVG is not so simple. [...]

Gmail Security Flaw

I woke up today to realize that GNUCITIZEN’s web server is bombarded with requests. Good that we are running from a scalable infrastructure. The reason for the storm was a recent disclosure of an apparently new Gmail bug similar to the one which I partially and then fully disclosed here, of course after working with the vendor to resolve the problem, which is always the right thing to do. [...]

Details of the QuickTime Vulnerability

In this post I intend to give a brief overview of the QuickTime vulnerability which I partially-disclosed over here. I should have made these details public a long time ago but better late than never. The vulnerability has been fixed for several months now and I believe it is safe to talk about it in public.

Let’s start with an example. The following is the source code of a malicious QuickTime SMIL file:

First of all, we start with the SMIL header (SMILtext). [...]

More on GIFARS and Other Dangerous Attacks

This is a continuation from my previous post. The reason why GIFARs, although in my case it was JPGAR (from JPG + JAR), work was explained to me by FX (Recurity Labs) after my talk during the last Black Hat in Amsterdam.

Basically, when you combine GIF/JPG and JAR/ZIP you have a hybrid file which has two heads. The head of the GIF/JPG file is at the top. The head of the JAR/ZIP file is at the bottom. [...]

GIFARs and Other Issues

A lot of people have asked me (especially reporters) about the GIFAR attack since it resembles what I have already spoken about here and presented at the last Black Hat in Amsterdam. So, I decided to shed some light without being too revealing as the talk, which will demonstrate and explain the attack in more detail, will give away the awesome stuff.

So yes, the whole notion of combining JAR files with other types of files is not new. [...]

Ghost Busters

A special guest blogger for this month is Eduardo Vela, also known as sirdarckcat, a security researcher from Mexico. Eduardo has been in the field for a couple of years, mainly focusing on web-app based vulnerabilities, privilege escalation, and IDS/filter evasion. Today, he is a student of computer science, does some research in his free time, and works for an important website as a security engineer. [...]