Fuzzing Samsung Kies

Android fuzzing is always fun – seems that whenever we fuzz an android app it crashes within seconds.

Samsung Kies was no different. With the help of the talented Juan Yacubian (who built the Kies module in no time) we launched beSTORM against Kies… And saw it crash in record 23 seconds (just over 1,100 attack combinations).

Next on the agenda: install gdb for Android and build the proper payload.

Samsung Kies Crash

 

Share

S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large shinhan bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now in everyone’s advantage to blame the cyber attack on anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation) but this is making rounds in security forums and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted, at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, who send TPEG data to the GPS devices (almost every car in Korea has a GPS device, almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a distruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike) the broadcasting networks control many devices who rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I was a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kind of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oximoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

An detailed analysis of the attack here:

http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf

Share

Malformed input?

Came back to the computer after some time away, to find the sun shining full on the desk and part of the screen.  And, of course, the screen has blanked from lack of input during that time.

So, I pull the drapes forward to shade the screen–and the screen pops up, even though I haven’t touched the keyboard or the mouse.

Considering this, I realize that a) it’s an optical mouse, and b) it was on the part of the desk that was in the sun, and is now shaded when I pulled the drapes.

So, being a security geek, I start to wonder:

a) how the system interpretted that light?
b) how hard it would be to figure out how to get a laser to create specific “actions” on the computer?  (And if the optical sensor’s range is wide enough that you can do it with an IR laser, so the user doesn’t realize what you are doing?)

Share

Windows Device Driver Fuzzing

We recently received a request to adapt the beSTORM  fuzzing framework to fuzz a series of Windows Device Drivers. It appears that there is little documentation and practically no commercial tools to provide proper fuzzing for Windows Drivers.

Adding support for device driver fuzzing required us to add a few function to our already existing File Utils library. This library allows you to create and read files with the intent of using the information inside these files to either fuzz something else, or provide a file to a piece of software that you intend to test.

With a device driver you basically do the same, but instead of opening an ordinary file, you open a device driver – usually in the form of “\\.\AAA”. The AAA is replaced by a string that tells the Windows operating system what device he should open. To provide this function inside beSTORM we introduced the Win32CreateFile wrapper function which receives the device driver’s name. This function returns a HANDLE that is then fed to the Win32CloseHandle wrapper function to close the opened handle.

The next step in fuzzing a Windows Device Driver is to send it information and in some cases read from it information. This is done through our Win32DeviceIoControl wrapper function, which receives the HANDLE from Win32CreateFile, and is passed an InBuffer as well as a IoControlCode value. Most commonly this value will be generated through the CTL_CODE macro under Visual Studio, and since it is usually very difficult to calculate this value by “hand” we provide a wrapper function called Win32CtlCode to allow you to do this inside the module you create.

Here is a complete “block” that utilizes all these wrapper functions and exploits a vulnerability in DVWDDriver – which was built with vulnerabilities inside it as an educational tool.

<SC Name="Sequence">
<SP Name="Win32CreateFile" Procedure="Win32CreateFile" Library="File Utils.dll">
<S Name="Filename">
<EV Name="Filename value" ASCIIValue="\\.\DVWD" Description="CreateFile Filename" />
</S>
<S Name="DesiredAccess">
<C Name="DesiredAccess value" Value="C0 00 00 00" />
</S>
<S Name="ShareMode">
<C Name="ShareMode value" Value="00 00 00 07" />
</S>
<S Name="CreationDisposition">
<C Name="CreationDisposition value" Value="00 00 00 03" />
</S>
</SP>
<SP Name="Win32DeviceIoControl" Procedure="Win32DeviceIoControl" Library="File Utils.dll">
<S Name="HANDLE">
<PC Name="HANDLE" ConditionedName="Win32CreateFile" Parameter="HANDLE"/>
</S>
<S Name="InBuffer">
<B Name="InBuffer value" />
</S>
<SP Name="IoControlCode" Procedure="Win32CtlCode" Library="File Utils.dll">
<S Name="DeviceType">
<C Name="DeviceType value" Value="00000022" Comment="FILE_DEVICE_UNKNOWN" />
</S>
<S Name="Function">
<C Name="Function value" Value="00 00 08 01" />
</S>
<S Name="Method">
<C Name="Method value" Value="00 00 00 03" Comment="METHOD_NEITHER" />
</S>
<S Name="Access">
<C Name="Access value" Value="00 00 00 03" Comment="FILE_READ_DATA | FILE_WRITE_DATA" />
</S>
</SP>
</SP>
<SP Name="Win32CloseHandle" Procedure="Win32CloseHandle" Library="File Utils.dll">
<S Name="HANDLE">
<PC Name="HANDLE" ConditionedName="Win32CreateFile" Parameter="HANDLE"/>
</S>
</SP>
</SC>

Share

About the reported beSTORM “Vulnerability”

A few people asked me about the advisory posted on exploit db (Now also on SecurityFocus) that talks about a security vulnerability in beSTORM, which would be ironic since it’s a fairly simple vulnerability to find by fuzzing, and beSTORM is, after all, a fuzzer.

I always thought security holes in security products were especially funny. You expect security companies to know better, right? Well, as usual, it’s much less funny when it happens to you. Seeing reports about a vulnerability in beSTORM wasn’t amusing.

The thing is, the vulnerability is not in beSTORM, it is not remote, and on top of all – the exploit PoC does not work as advertised. Now comes the second irony: I’ve been on the management team of a security database for the past 14 years, and I’m sure more than one vendor cursed me to walk a mile in their shoes. Well, vendors: I am! Trying to explain to vulnerability databases that just because someone posted something doesn’t mean it’s true, is not easy. But you knew that already.

Now for the details:

The vulnerability described is a problem in WizGraphviz.dll, a graphic library that has been abandoned by its developer. It is not a part of beSTORM, and never was. You could, in early versions of beSTORM, install that DLL in order to view SVG files. beSTORM would have downloaded it on request. But it hasn’t been the case in a while now.

The vulnerability is also not remote. This ActiveX is marked not safe for scripting, which means you have to manually enable it to get the exploit code to run.

In other words, you need to download an ActiveX from the Internet, go into the settings to mark it safe for scripting (and ignore the huge warnings) and then you will be vulnerable to an ActiveX attack when visiting a rogue site. And all this is only true for an old version of beSTORM which is no longer available for download.

Life is full of ironies: This attack is simple enough that we could (should?) have found it by fuzzing this DLL ourselves. Hell, there’s a good chance the good guys that published this advisory did exactly that. For being lazy, we deserve the public flogging. But just to set the record straight, a security vulnerability it ain’t.

 

 

 

Share

Who’s behind Stuxnet?

Stuxnet is a worm that focuses on attacking SCADA devices. This is interesting on several levels.

First, we get to see all of those so-called isolated networks get infected, and wonder how that happened (here’s a clue: in 2010, isolated means in a concrete box buried underground with no person having access to it).

Then, we get to see how weak SCADA devices really are. No surprise to anyone who has ever fuzzed one.

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?

Share

Apple iPhone/iPod Touch/iPad Security Update

Yesterday Apple released a security update that patches the Jailbreakme vulnerabilities to stop people Jailbreaking their Apple devices.

Okay, so maybe I’m looking at this the wrong way around, but it seems that when a vulnerability gets a lot of media attention, Apple work the backsides off to get this one patched. I understand that we are talking serious vulnerabilities here, but still. I’ve personally been in contact with Apple for a couple of months now in regards to a DoS vulnerability that I discovered, and still have no time line on when a patch for this will be released, so maybe all that’s needed is to turn this into some media hype, hmmm.

So the vulnerabilities that this patches are the following:

  • FreeTypeCVE-ID: CVE-2010-1797

    Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

    Impact: Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution

    Description: A stack buffer overflow exists in FreeType’s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.

  • IOSurfaceCVE-ID: CVE-2010-2973

    Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

    Impact: Malicious code running as the user may gain system privileges

    Description: An integer overflow exists in the handling of IOSurface properties, which may allow malicious code running as the user to gain system privileges. This issue is addressed through improved bounds checking.

Share

Where To Sell Software Vulnerabilities/Exploits?

So the last post that I wrote, and Aviram’s follow on post really got me thinking, unless you know where to sell software vulnerabilities or exploits, finding places isn’t really that easy at all. I knew about ZDI and VPC, but that was it really, and it took me ages to remember VPC.

So I spent some time Googling, and well that didn’t help me much to me honest. So I’ve decided to compile a list on here, with a subject that’s easy enough to search for.

So what I’m asking all our readers is that if you know of anywhere that buys software vulnerabilities legitimately, please let me know by leaving a comment and I’ll update the list here accordingly.

So without any further ado, here’s the definitive list of where you can sell those exploits and vulnerabilities that you worked so hard on discovering and writing.

Beyond Security

Zero Day Initiative (Tippingpoint)

Vulnerability Contributor Program (iDefense)

Global Vulnerability Partnership

Share

Backtrack – The Future, The Funding, The Roadmap

Great news, Backtrack now has funding to move ahead with scheduled releases, and a roadmap moving forward up to Backtrack 5. You can view the roadmap here. It seems that the worlds leader in penetration testing training, namely Offensive Security is going to be funding the BackTrack Linux distribution’s development going forward. No need to worry though, BackTrack is still going to remain an Open Source distro.

Other news on this front is that the Exploit Database now has new EDB Research and Development teams that are actively working on vulnerability discovery and development, so watch this space for more news and good things to come. It’s also very worthwhile checking out the Exploit Database Blog.

Share

Hack In The Box Security Conference Comes to Europe

The first ever HITB Security conference will be help in Amsterdam on the 1st and 2nd July, so apologies for only posting this now, but there’s still time to register.

The full conference agenda can be found here.

Some of the talks listed are:

- Breaking Virtualization by Switching to Virtual 8086 Mode

- Attacking SAP Users Using sapsploit

- Fireshark – A tool to Link the Malicious Web

- Having Fun with Apple’s IOKit

So all in all, it looks like it’s going to be an interesting couple of days.

Leave a comment if you’re going, it’d be good to hook up.

Share

Interview with Charlie Miller

For those of you who don’t know who Charlie Miller is (really, you don’t? Maybe it’s time to get out from under the pile of paperwork for a change then.) He’s the guy who’s managed to pwn 3 Apple products at Pwn2Pwn over the last three consecutive years. I got to thinking recently, and the last person that I interviewed for the SecuriTeam Blogs was Fyodor, and that feels like a lifetime ago! So I dropped Charlie a line to see if he’d be up for it, and thankfully he was.

xyberpix: How and what got you get started in vulnerability discovery?

0xcharlie: It was back at the NSA so I can’t really talk about it.  But I really like the concept of vulnerability analysis.  Its slightly adversarial in nature.  Smart people write software and I have to try to find mistakes that they’ve made.

Also,it appeals to me in the same way that collecting baseball cards does to people.  I like having a bunch of bugs that only I know about.  There is something intellectually satisfying about that.

xyberpix: What made you pick OS X as what seems to be your primary target?

0xcharlie: I had never owned, or really even used, a Mac until I started at ISE 4 years ago. ISE got me a Mac as my primary computer since that is the standard company issue. We also had some clients that were interested in Macs and OS X so I was forced to learn a bit about how they worked.  So I was in a position to play with a Mac, which I actually learned to like once I got used to it.  I quickly found it was rather easy to find bugs in it and I like to go after the easy targets.  Another thing is I take joy in ruining the day of the fanboys.  One interesting point is that exploitation is very OS (and even application) dependent, but vulnerability analysis is basically OS independent.

xyberpix: What tools do you typically use to find bugs on OS X?

0xcharlie: Mostly home brewed fuzzers.  But I also do source code analysis when available and occasionally reverse engineering.

xyberpix: What does your testing setup consist of for vulnerability research?

0xcharlie: I have a Win XP box with IDA Pro on it.  I also use this box for Windows bug hunting, so it has a bunch of debuggers (Olly, WinDbg, ImmDbg), hex editors and stuff on it.  I have an old Linux box that I mostly use for Source Navigator.  I also have a bunch of Macs, obviously.  My main computer is a 4 year old MacBook. Its got everything I need on it as well as every bug or exploit I’ve written at ISE. It also has various fuzzers I’ve written (Python), bunches of fuzzed test cases, PyDbg, PaiMei, etc.

xyberpix: You’ve mentioned on Twitter recently that you have quite a few exploits for OS X, have you considered selling these, and if not, why not?

0xcharlie: No.  My employment contract forbids it.

xyberpix: As you have a stockpile of exploits for OS X, what made you choose to use the one that you did for Pwn2Pwn over the others?

0xcharlie: It was the easiest one to exploit.  As you’ve probably noticed, I’m basically lazy which is why I like fuzzing.

xyberpix: Will you be bringing out any more books in the near future?

0xcharlie: No plans at the moment.  Its a huge endeavor to take on.  At one point Dino Dai Zovi, Ralf-Phillip Weinmann (one of the iPhone Pwn2Own guys) and I were signed on to write an iPhone security book, which would have been pretty awesome, but it never materialized.

xyberpix: How’s it feel to have won Pwn2Pwn 3 years in a row now, and will you be going for 4?

0xcharlie: It felt a little anti-climatic actually.  It was way more fun the first year when it was a bit more of a surprise.  For the last month or two I’ve been saying I’m retiring after this Pwn2Own.  Its a lot of stress and the rules are always changing so its tough.  Also, Snow Leopard exploits are much harder to write than Leopard exploits, to the point it isn’t much fun.  But maybe I’ll reconsider next year. Call me the Brett Favre of hacking.

xyberpix: Have you thought of offering a training course to developers to teach them how to find bugs, if so would this be internationally available?

0xcharlie: Yes, I’ve thought about it.  Again, this would be a big time investment to develop the course which I’m too busy to undertake at the moment.  Of course, I work for a consulting company so if enough people throw money at them, they’ll make me do it!

xyberpix: How would you advise someone starting from scratch on how to identify vulnerabilities and write exploits for them?

0xcharlie: I get this question a lot and I don’t have a great answer for it.  I went to the NSA for 5 years but not many people have that option.  Make sure you understand C/C++, then assembly, then reverse engineering for starters.  For bug finding, find out about all the bugs that are being discussed and what they look like so you know what to look for.  Then start fuzzing and trying to triage all the crashes.  For writing exploits, find some good exploits and see how they work.  Then start trying to write some for known vulnerabilities or ones you’ve found.  If you’ve got the cash, take
Dino and Alex’s training course.  My main advice is to get your hands dirty and just jump in and do it.

xyberpix: On a scale of 1-10 how would you compare the skill level required to identify and exploit security vulnerabilities in the following Operating Systems Windows, OS X, Linux?

0xcharlie: This is one of the reasons its hard to get into this field these days.  10 years ago it took a skill level of 2, 5 years ago a skill level of 6 and now a skill level of 8 or 9.  As for the various OS’s I’d say something like a 9 for windows and an 8 for the others.

xyberpix: You started the No More Free Bugs Movement, what was/is your reasoning behind this, and have you had much success with selling vulnerabilities/exploits to the vendors? Would you say that the vendors are reacting positively or negatively to this?

0xcharlie: The idea was that finding bugs is hard work.  Big vendors have teams of researchers and QA people who are paid lots of money to find bugs.  So, on the rare event one slips by and puts their users at risk, vendors should be falling all over themselves to get this information and get fixes available for their customers.  Instead, they expect researchers to give them the bugs, deal with them, convince them the bugs are real, provide POC’s, take legal liability, etc and all for charity.  Well, as a professional consultant, I get paid to find bugs by our customers, so I started to wonder why my customers paid me and for the same work, vendors don’t.

As for what’s come out of it, hopefully researchers have begun to ask this question too.  I’d like to think I’ve helped ZDI to get more researchers participating, although I don’t know for sure.  Vendors pretty much ignore the whole NMFB’s
movement.  They only care about their bottom line and NMFB doesn’t affect it.  The only positive thing I’ve seen is someone from Mozilla recently said they were thinking of raising their bug bounty from $500 and wanted to know what I thought was a fair amount.  That made me happy.  Besides Mozilla, I’ve never heard of anyone who sold a bug to a vendor, although Chrome offers a program.

xyberpix: What do you feel the greatest risk to Web Browsers is at the moment, and why?

0xcharlie: Probably the biggest weakness is that web browsers are a big attack surface and the attacker has a lot of control.  The attack surface includes html, JavaScript, images, plugins (Java, Flash, Silverlight, etc).  Attackers can manipulate the heap using the languages at their disposal.  These make for a powerful combination for attackers.

xyberpix: What do you feel the greatest risk on the Internet is at this point in time, and why?

0xcharlie: The biggest risk is how companies store your personal information and then lose it. I can manage my own computer (most of the time) but when sites lose my info, I’m powerless to do anything about it (or prevent it).

xyberpix: If you were to give one bit of advice to developers that they’d all listen to, what would that be?

0xcharlie: Just to think defensively.  Every time you write a line of code or a function, think about ways bad guys might try to present data to it to cause an error.  Think about all the things that could go wrong and then you can think of ways to try to prevent them from happening.

xyberpix: You and Steve Jobs are sitting have a cup of coffee, tell me how how that conversation would go?

0xcharlie: Great question!  First I’d have to tell him who I was because he’d have no idea. I’d try to tell him that eventually this security thing is going to bite him in the ass when the malware authors notice enough Macs.  I’d then patiently listen to his explanation of why I’m wrong and how its going to all play out.  He’d probably convince me.  Finally, I’d bitch that iPad doesn’t have Flash.  Lame.

Thanks again to Charlie for taking the time out to answer these questions, it really is appreciated.

Share

Fuzzing anything that moves

<meta content="OpenOffice.org 3.0 (Linux)" name="GENERATOR" /><br /> <style type="text/css"> <!-- @page { margin: 0.79in } P { margin-bottom: 0.08in } A:link { so-language: zxx } --></style> <p style="margin-bottom: 0in">I’m in New Delhi, for the local <a href="(http://www.owasp.org/index.php/SecurityByte_and_OWASP_Asia_AppSec_Conference_2009">OWASP Conference</a>. There’s a <a href="http://www.owasp.org/index.php/SecurityByte_and_OWASP_Asia_AppSec_Conference_2009#tab=Conference">really nice lineup</a> and if you’re in the New Delhi area I highly recommend attending.</p> <p style="margin-bottom: 0in"> <p style="margin-bottom: 0in">I’ll be speaking twice. On Tuesday about blackbox testing. The abstract can be paraphrased from the immortal words of the great fuzzing master Ice-T:</p> <blockquote> <p style="margin-bottom: 0in">If you’re from Mars, and you have inputs, we will fuzz you.</p> </blockquote> <p style="margin-bottom: 0in">(Look up the <a href="http://www.rhapsody.com/body-count/body-count/kkk-bitch/lyrics.html">original text</a>, I guarantee it’s worth it)</p> <p style="margin-bottom: 0in"> <p style="margin-bottom: 0in">On Wednesday I’ll be talking a bit about breaking JSON applications, relying on the great research done by Amit Klein, Blueinfy, Jeremiah Grossman, Fortify, and many others.</p> <p style="margin-bottom: 0in"> <p style="margin-bottom: 0in">If you spot any errors in either of my presentations let me know and I will buy you a beer. This offer does not include anything stupid I say while on a discussion panel…</p> <p style="margin-bottom: 0in"> <p style="margin-bottom: 0in"> <script type='text/javascript'> <!-- //OBSTART:do_NOT_remove_this_comment var OutbrainPermaLink="http://blogs.securiteam.com/index.php/archives/1332"; if(typeof(OB_Script)!='undefined'){OutbrainStart();} else { var OB_PlugInVer="7.0.0.0_Regular";;var OB_raterMode="stars";var OB_recMode="rec";var OBITm="1330324210";var OB_Script=true;var OB_langJS="";document.write(unescape("%3Cscript src='http://widgets.outbrain.com/OutbrainRater.js' type='text/javascript'%3E%3C/script%3E"));} //OBEND:do_NOT_remove_this_comment //--> </script> <div class="addtoany_share_save_container"><div class="a2a_kit a2a_target addtoany_list" id="wpa2a_12"><a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save"><img src="http://blogs.securiteam.com/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></div></div> <!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"> <rdf:Description rdf:about="http://blogs.securiteam.com/index.php/archives/1332" dc:identifier="http://blogs.securiteam.com/index.php/archives/1332" dc:title="Fuzzing anything that moves" trackback:ping="http://blogs.securiteam.com/index.php/archives/1332/trackback" /> </rdf:RDF> --> </div> </div> <div class="post" id="post-1307"> <h2><a href="http://blogs.securiteam.com/index.php/archives/1307" rel="bookmark" title="When source code audit fails">When source code audit fails</a></h2> <p class="postinfo"> Posted on July 17th, 2009 by <a href="http://blogs.securiteam.com/index.php/archives/author/noam" title="Posts by noam" rel="author">noam</a><br /> Filed under: <a href="http://blogs.securiteam.com/index.php/archives/category/commentary" title="View all posts in Commentary" rel="category tag">Commentary</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/full-disclosure" title="View all posts in Full Disclosure" rel="category tag">Full Disclosure</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/fuzzing" title="View all posts in Fuzzing" rel="category tag">Fuzzing</a> | <a href="http://blogs.securiteam.com/index.php/archives/1307#comments" title="Comment on When source code audit fails"><span class="dsq-postid" rel="1307 http://blogs.securiteam.com/index.php/archives/1307">1 Comment »</span></a> </p> <div class="entry"> <p>A <a href="http://xorl.wordpress.com/2009/07/17/linux-kernel-devnettun-null-pointer-dereference/">NULL reference vulnerability</a> in the <em>tun</em> source code of the Linux kernel has been discovered to be “immune” if the code is audited, and vulnerable once GCC has put into place its code optimizations.</p> <p>The vulnerability allows executing arbitrary code and gaining root access.</p> <p>An exploit has been released proving that the vulnerability is not just “theoretically” there, but can be actually exploited.</p> <p>Need we say <a href="http://www.beyondsecurity.com/black-box-testing.html">Black Box Fuzzing</a>? a API fuzzer such as <a href="http://www.beyondsecurity.com/comparison.html">beSTORM</a> would have easily caught as beSTORM can be told to open the /dev/net/tun driver and write data directly to it, one of the first tests it will preform will be the “old” nothing (NULL) data transfer.</p> <p>BTW: If you want to test the vulnerability on your kernel here is a code snip:</p> <pre>int fd; struct pollfd pfd; fd = open("/dev/net/tun", O_RDWR); pfd.fd = fd; pfd.events = POLLIN | POLLOUT; poll(&pfd, 1, 0);</pre> <script type='text/javascript'> <!-- //OBSTART:do_NOT_remove_this_comment var OutbrainPermaLink="http://blogs.securiteam.com/index.php/archives/1307"; if(typeof(OB_Script)!='undefined'){OutbrainStart();} else { var OB_PlugInVer="7.0.0.0_Regular";;var OB_raterMode="stars";var OB_recMode="rec";var OBITm="1330324210";var OB_Script=true;var OB_langJS="";document.write(unescape("%3Cscript src='http://widgets.outbrain.com/OutbrainRater.js' type='text/javascript'%3E%3C/script%3E"));} //OBEND:do_NOT_remove_this_comment //--> </script> <div class="addtoany_share_save_container"><div class="a2a_kit a2a_target addtoany_list" id="wpa2a_13"><a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save"><img src="http://blogs.securiteam.com/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></div></div> <!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"> <rdf:Description rdf:about="http://blogs.securiteam.com/index.php/archives/1307" dc:identifier="http://blogs.securiteam.com/index.php/archives/1307" dc:title="When source code audit fails" trackback:ping="http://blogs.securiteam.com/index.php/archives/1307/trackback" /> </rdf:RDF> --> </div> </div> <div class="post" id="post-1300"> <h2><a href="http://blogs.securiteam.com/index.php/archives/1300" rel="bookmark" title="milw0rm will stay open, but needs your help">milw0rm will stay open, but needs your help</a></h2> <p class="postinfo"> Posted on July 11th, 2009 by <a href="http://blogs.securiteam.com/index.php/archives/author/aviram" title="Posts by Aviram" rel="author">Aviram</a><br /> Filed under: <a href="http://blogs.securiteam.com/index.php/archives/category/commentary" title="View all posts in Commentary" rel="category tag">Commentary</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/culture" title="View all posts in Culture" rel="category tag">Culture</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/fuzzing" title="View all posts in Fuzzing" rel="category tag">Fuzzing</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/web" title="View all posts in Web" rel="category tag">Web</a> | <a href="http://blogs.securiteam.com/index.php/archives/1300#comments" title="Comment on milw0rm will stay open, but needs your help"><span class="dsq-postid" rel="1300 http://blogs.securiteam.com/index.php/archives/1300">1 Comment »</span></a> </p> <div class="entry"> <p>Seems like milw0rm will stay up for the near future. In an email from Str0ke, he wrote:</p> <blockquote><p>Way to[o] many people unhappy with me over the<br /> idea of closing shop.  I just needed help which I have alot of people to choose from now</p></blockquote> <p>So the good news, is that we’ll still see milw0rm posting information. But for all of you who were disappointed by milw0rm almost closing: if you want to see it stay open, here’s your chance to help. Just write to str0ke and offer him help – managing a vulnerability database is one of the best ways to gain expertise and learn the field. Plus, you’ll be helping a valuable resource, and making friends along the way.</p> <p>From a personal experience, I can very much recommend it. We started our own <a href="http://www.securiteam.com/">vulnerabilities database</a> much like milw0rm a while back, and it gave us the expertise to build a <a href="http://www.beyondsecurity.com/vulnerability-assessment.html">vulnerability scanner</a>, a <a href="http://www.beyondsecurity.com/beSTORM">fuzzer</a>, and build a profitable business while having fun doing it. So much so, that the original SecuriTeam team is still actively working on editing and posting information.</p> <p>So whether you are looking to sharpen your skills for fun or want to give a boost to your professional career, I highly recommend joining milw0rm (do it now, while str0ke is still accepting applications!)</p> <script type='text/javascript'> <!-- //OBSTART:do_NOT_remove_this_comment var OutbrainPermaLink="http://blogs.securiteam.com/index.php/archives/1300"; if(typeof(OB_Script)!='undefined'){OutbrainStart();} else { var OB_PlugInVer="7.0.0.0_Regular";;var OB_raterMode="stars";var OB_recMode="rec";var OBITm="1330324210";var OB_Script=true;var OB_langJS="";document.write(unescape("%3Cscript src='http://widgets.outbrain.com/OutbrainRater.js' type='text/javascript'%3E%3C/script%3E"));} //OBEND:do_NOT_remove_this_comment //--> </script> <div class="addtoany_share_save_container"><div class="a2a_kit a2a_target addtoany_list" id="wpa2a_14"><a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save"><img src="http://blogs.securiteam.com/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></div></div> <!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"> <rdf:Description rdf:about="http://blogs.securiteam.com/index.php/archives/1300" dc:identifier="http://blogs.securiteam.com/index.php/archives/1300" dc:title="milw0rm will stay open, but needs your help" trackback:ping="http://blogs.securiteam.com/index.php/archives/1300/trackback" /> </rdf:RDF> --> </div> </div> <div class="post" id="post-1216"> <h2><a href="http://blogs.securiteam.com/index.php/archives/1216" rel="bookmark" title="SCTP fuzzing made easy">SCTP fuzzing made easy</a></h2> <p class="postinfo"> Posted on December 21st, 2008 by <a href="http://blogs.securiteam.com/index.php/archives/author/noam" title="Posts by noam" rel="author">noam</a><br /> Filed under: <a href="http://blogs.securiteam.com/index.php/archives/category/commentary" title="View all posts in Commentary" rel="category tag">Commentary</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/fuzzing" title="View all posts in Fuzzing" rel="category tag">Fuzzing</a> | <a href="http://blogs.securiteam.com/index.php/archives/1216#respond" title="Comment on SCTP fuzzing made easy"><span class="dsq-postid" rel="1216 http://blogs.securiteam.com/index.php/archives/1216">No Comments »</span></a> </p> <div class="entry"> <p>With the recent introduction of a native <a href="http://en.wikipedia.org/wiki/SCTP">SCTP</a> library into <a href="http://www.beyondsecurity.com/bestorm_overview.html">beSTORM</a> you can easily <a href="http://www.beyondsecurity.com/black-box-testing.html">fuzz</a> your SCTP based protocols with beSTORM.</p> <p>This includes all our existing protocols as well as SCTP dedicated protocols such as M3UA and MGCP.</p> <p>SCTP for those that aren’t familiar with it is a fairly common protocol in the VoIP and Telecommunication industry it sits upon IP and ‘replaces’ the TCP/UDP layers. It has several benefits over TCP and UDP but it is mainly used because it has been endorsed by the SIGTRAN group as the primary way of communication between two telecommunication providers.</p> <script type='text/javascript'> <!-- //OBSTART:do_NOT_remove_this_comment var OutbrainPermaLink="http://blogs.securiteam.com/index.php/archives/1216"; if(typeof(OB_Script)!='undefined'){OutbrainStart();} else { var OB_PlugInVer="7.0.0.0_Regular";;var OB_raterMode="stars";var OB_recMode="rec";var OBITm="1330324210";var OB_Script=true;var OB_langJS="";document.write(unescape("%3Cscript src='http://widgets.outbrain.com/OutbrainRater.js' type='text/javascript'%3E%3C/script%3E"));} //OBEND:do_NOT_remove_this_comment //--> </script> <div class="addtoany_share_save_container"><div class="a2a_kit a2a_target addtoany_list" id="wpa2a_15"><a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save"><img src="http://blogs.securiteam.com/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></div></div> <!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"> <rdf:Description rdf:about="http://blogs.securiteam.com/index.php/archives/1216" dc:identifier="http://blogs.securiteam.com/index.php/archives/1216" dc:title="SCTP fuzzing made easy" trackback:ping="http://blogs.securiteam.com/index.php/archives/1216/trackback" /> </rdf:RDF> --> </div> </div> <div class="post" id="post-1208"> <h2><a href="http://blogs.securiteam.com/index.php/archives/1208" rel="bookmark" title="Fuzzing’s Impact on Vulnerability Discovery">Fuzzing’s Impact on Vulnerability Discovery</a></h2> <p class="postinfo"> Posted on December 18th, 2008 by <a href="http://blogs.securiteam.com/index.php/archives/author/jbrown" title="Posts by jbrown" rel="author">jbrown</a><br /> Filed under: <a href="http://blogs.securiteam.com/index.php/archives/category/commentary" title="View all posts in Commentary" rel="category tag">Commentary</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/corporate-security" title="View all posts in Corporate Security" rel="category tag">Corporate Security</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/culture" title="View all posts in Culture" rel="category tag">Culture</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/full-disclosure" title="View all posts in Full Disclosure" rel="category tag">Full Disclosure</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/fuzzing" title="View all posts in Fuzzing" rel="category tag">Fuzzing</a>, <a href="http://blogs.securiteam.com/index.php/archives/category/sec-tools" title="View all posts in Sec Tools" rel="category tag">Sec Tools</a> | <a href="http://blogs.securiteam.com/index.php/archives/1208#comments" title="Comment on Fuzzing’s Impact on Vulnerability Discovery"><span class="dsq-postid" rel="1208 http://blogs.securiteam.com/index.php/archives/1208">1 Comment »</span></a> </p> <div class="entry"> <p><img alt="fuzzing" src="http://ecx.images-amazon.com/images/I/41RxE0SJEiL.jpg" /></p> <p>I just seen the <a title="new advisory" href="http://www.securityfocus.com/archive/1/499315/30/0/threaded">new advisory</a> for Opera, headlining a ‘memory corruption’ vulnerability that sounds like its triggered by specially crafted html construction, that is gathered from this almost incoherent ‘detailed’ description of the bug:</p> <p>“Certain HTML constructs affecting an internal heap structure. As a result of a pointer calculation, memory may be corrupted in such a way that an attacker could execute arbitrary code.”</p> <p>I often wonder when I see advisories like this if the vulnerabilities have been found by fuzzing.</p> <p>Another bug found in Adobe Flash Player that I also discuss <a title="new isec advisory for adobe" href="http://jbrownsec.blogspot.com/2008/11/new-isec-advisory-for-adobe.html">here</a>, found by <a title="iSEC Partners, Inc" href="http://www.isecpartners.com">iSEC</a>, looks also to be found by <a href="http://www.beyondsecurity.com/black-box-testing.html">fuzzing</a>, but more (nearly directly) implied in the advisory.</p> <p>“iSEC applied targeted fuzzing to the ActionScript 2 virtual machine used by the Adobe Flash player, and identified several issues which could lead to denial of service, information disclosure or code execution when parsing a malicious SWF file. The majority of testing occurred during 120 hours of automated SWF-specific fault injection testing in which several hundred unique control paths were identified that trigger bugs and/or potential vulnerabilities in the Adobe Flash Player. Paths leading to duplicate issues where condensed down to a number of unique problems in the Adobe Flash Player. The primary cause for these vulnerabilities appears to be simple failures in verifying the bounds of compartmentalized structures.”</p> <p>Now, both of these examples could have been found by other means than fuzzing, but I know every time I see scrupulous advisories like those it just makes me wonder. By the way, IMHO Fuzzing: Brute Force Vulnerability Discovery is a great book and a great read. Kudos to the swift, engineering authors as well.</p> <p>You can <a title="browse a list of fuzzers" href="http://packetstormsecurity.org/fuzzer/">browse a list of fuzzers</a> hosting by <a title="PacketStorm Security" href="http://www.packetstormsecurity.org">PacketStorm</a> to exercise your mind even more.</p> <p>So what do you think? Have <a href="http://www.beyondsecurity.com/black-box-testing.html">fuzzers</a>, being at the most ‘trivial’ to write in ideal conditions (well documented protocol, continued aggressive latency, etc), taken a strong hold in many security researcher’s work?</p> <script type='text/javascript'> <!-- //OBSTART:do_NOT_remove_this_comment var OutbrainPermaLink="http://blogs.securiteam.com/index.php/archives/1208"; if(typeof(OB_Script)!='undefined'){OutbrainStart();} else { var OB_PlugInVer="7.0.0.0_Regular";;var OB_raterMode="stars";var OB_recMode="rec";var OBITm="1330324210";var OB_Script=true;var OB_langJS="";document.write(unescape("%3Cscript src='http://widgets.outbrain.com/OutbrainRater.js' type='text/javascript'%3E%3C/script%3E"));} //OBEND:do_NOT_remove_this_comment //--> </script> <div class="addtoany_share_save_container"><div class="a2a_kit a2a_target addtoany_list" id="wpa2a_16"><a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save"><img src="http://blogs.securiteam.com/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></div></div> <!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"> <rdf:Description rdf:about="http://blogs.securiteam.com/index.php/archives/1208" dc:identifier="http://blogs.securiteam.com/index.php/archives/1208" dc:title="Fuzzing’s Impact on Vulnerability Discovery" trackback:ping="http://blogs.securiteam.com/index.php/archives/1208/trackback" /> </rdf:RDF> --> </div> </div> <script type="text/javascript"> // <![CDATA[ var disqus_shortname = 'securiteamblogs'; (function () { var nodes = document.getElementsByTagName('span'); for (var i = 0, url; i < nodes.length; i++) { if (nodes[i].className.indexOf('dsq-postid') != -1) { nodes[i].parentNode.setAttribute('data-disqus-identifier', nodes[i].getAttribute('rel')); url = nodes[i].parentNode.href.split('#', 1); if (url.length == 1) { url = url[0]; } else { url = url[1]; } nodes[i].parentNode.href = url + '#disqus_thread'; } } var s = document.createElement('script'); s.async = true; s.type = 'text/javascript'; s.src = '//' + 'disqus.com/forums/' + disqus_shortname + '/count.js'; (document.getElementsByTagName('HEAD')[0] || document.getElementsByTagName('BODY')[0]).appendChild(s); }()); //]]> </script> <div class="browse"><a href="http://blogs.securiteam.com/index.php/archives/category/fuzzing/page/2" >Next Page »</a></div> <div class="clear"></div> </div> <div class="sidebar sidebar2"> <ul> <li id="a2a_share_save_widget-3" class="widget widget_a2a_share_save_widget"><div class="a2a_kit a2a_target addtoany_list" id="wpa2a_17"><a class="a2a_dd addtoany_share_save" href="http://www.addtoany.com/share_save"><img src="http://blogs.securiteam.com/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></div></li> <li id="text-6" class="widget widget_text"> <div class="textwidget"><BR/><BR/><BR/><BR/><BR/><BR/><BR/></div> </li> <li id="categories-3" class="widget widget_categories"><h2 class="widgettitle">Categories</h2> <select name='cat' id='cat' class='postform' > <option value='-1'>Select Category</option> <option class="level-0" value="11">Apple  (57)</option> <option class="level-0" value="18">Ask the Expert  (46)</option> <option class="level-0" value="41">Book Reviews  (45)</option> <option class="level-0" value="27">Botnets  (72)</option> <option class="level-0" value="12">Cisco  (25)</option> <option class="level-0" value="5">Commentary  (1345)</option> <option class="level-0" value="21">Corporate Security  (397)</option> <option class="level-0" value="10">Culture  (404)</option> <option class="level-0" value="26">DDoS  (40)</option> <option class="level-0" value="17">Digest  (41)</option> <option class="level-0" value="33">Earl  (11)</option> <option class="level-0" value="23">Encryption  (44)</option> <option class="level-0" value="7">Full Disclosure  (216)</option> <option class="level-0" value="25">Funnies  (71)</option> <option class="level-0" value="20">Funny  (96)</option> <option class="level-0" value="30" selected="selected">Fuzzing  (35)</option> <option class="level-0" value="2">Gadgets  (88)</option> <option class="level-0" value="19">Google  (53)</option> <option class="level-0" value="34">Hacked  (13)</option> <option class="level-0" value="31">InSecurity  (17)</option> <option class="level-0" value="22">Insider Threat  (53)</option> <option class="level-0" value="24">Interviews  (10)</option> <option class="level-0" value="9">Law  (86)</option> <option class="level-0" value="4">Linux  (41)</option> <option class="level-0" value="40">malware  (69)</option> <option class="level-0" value="32">Memory Leak  (24)</option> <option class="level-0" value="3">Microsoft  (234)</option> <option class="level-0" value="28">Networking  (119)</option> <option class="level-0" value="38">OPSEC  (121)</option> <option class="level-0" value="14">OT  (213)</option> <option class="level-0" value="16">Phishing  (109)</option> <option class="level-0" value="15">Physical Security  (89)</option> <option class="level-0" value="6">Privacy  (145)</option> <option class="level-0" value="29">Rootkits  (32)</option> <option class="level-0" value="39">Sec Tools  (90)</option> <option class="level-0" value="42">Social Engineering  (69)</option> <option class="level-0" value="8">Spam  (163)</option> <option class="level-0" value="35">The NULL Terminated  (5)</option> <option class="level-0" value="44">Tips & Tricks  (49)</option> <option class="level-0" value="13">Virus  (249)</option> <option class="level-0" value="1">Web  (453)</option> <option class="level-0" value="36">Zoned Out  (4)</option> </select> <script type='text/javascript'> /* <![CDATA[ */ var dropdown = document.getElementById("cat"); function onCatChange() { if ( dropdown.options[dropdown.selectedIndex].value > 0 ) { location.href = "http://blogs.securiteam.com/?cat="+dropdown.options[dropdown.selectedIndex].value; } } dropdown.onchange = onCatChange; /* ]]> */ </script> </li> <li id="text-7" class="widget widget_text"> <div class="textwidget"><BR/> <!-- Place this tag where you want the +1 button to render --> <g:plusone></g:plusone> <!-- Place this render call where appropriate --> <script type="text/javascript"> (function() { var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = 'https://apis.google.com/js/plusone.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s); })(); </script></div> </li> </ul> </div> <div class="sidebar"> <a style="font-size: 150%;" href="/index.php/feed/"><img src="http://blogs.securiteam.com/wp-content/themes/securiteam.new/images/rss-icon-48x48.gif" width="24" ALT="Security RSS"> Subscribe</a> <br><br> <ul> <li id="text-4" class="widget widget_text"> <div class="textwidget"><div class="fb-like" data-href="http://blogs.securiteam.com" data-send="true" data-width="400" data-show-faces="true"></div></div> </li> <li id="text-3" class="widget widget_text"> <div class="textwidget"><div id="fb-root"></div> <script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/en_US/all.js#xfbml=1"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script></div> </li> <li id="rss-3" class="widget widget_rss"><h2 class="widgettitle"><a class='rsswidget' href='http://www.securiteam.com/securiteam.rss' title='Syndicate this content'><img style='border:0' width='14' height='14' src='http://blogs.securiteam.com/wp-includes/images/rss.png' alt='RSS' /></a> <a class='rsswidget' href='http://www.securiteam.com/' title='Welcome to the SecuriTeam RSS Feed - sponsored by Beyond Security. Know Your Vulnerabilities! Visit BeyondSecurity.com for your web site, network and code security audit and scanning needs.'>More Securiteam</a></h2> <ul><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5CP362AE0A.html' title='Heap-based buffer overflow in Autodesk SketchBook Pro before 6.2.6 allows remote attackers to execute arbitrary code via crafted layer bitmap data in a PXD file. […]'>Autodesk SketchBook Pro PSD And PXD File Processing Two Vulnerabilities</a></li><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5DP372AE0A.html' title='Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vector […]'>Adobe Flash Player 14.0.0.125 And AIR Cross Site Scripting Vulnerabilities</a></li><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5DP372AE0A.html' title='Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allows remote attackers to inject arbitrary web script or HTML via unspecified vector […]'>Adobe Flash Player 14.0.0.125 And AIR Cross Site Scripting Vulnerabilities</a></li><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5BP311FE0K.html' title='The File module in Drupal 7.x before 7.29 does not properly check permissions to view files, which allows remote authenticated users with certain permissions to bypass intended restrictions and read files by attaching the file to content with a file field. […]'>Drupal 7.29 Multiple Remote Security Vulnerabilities</a></li><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5DP331FE0M.html' title='The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. […]'>Linux Kernel PPP Over L2TP Implementation Privilege Escalation Vulnerabilities</a></li><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5EP341FE0A.html' title='jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors. […]'>Red Hat JBoss Products Remote Arbitrary Code Execution Vulnerabilities</a></li><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5AP301FE0W.html' title='Mozilla Firefox before 31.0 does not properly restrict use of drag-and-drop events to spoof customization events, which allows remote attackers to alter the placement of UI icons via crafted JavaScript code that is encountered during (1) page, (2) panel, or (3) toolbar customization. […]'>Mozilla Firefox Event Spoofing Vulnerabilities</a></li><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5NP2X1FE0U.html' title='Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to execute arbitrary code via crafted WebGL content constructed with the Cesium JavaScript library. […]'>Mozilla Firefox 31.0/Thunderbird 24.7 Remote Code Execution Vulnerabilities</a></li><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5CP321FE0Y.html' title='The WebContentsDelegateAndroid::OpenURLFromTab function in components/web_contents_delegate_android/web_contents_delegate_android.cc in Google Chrome before 36.0.1985.122 on Android does not properly restrict URL loading, which allows remote attackers to spoof the URL in the Omnibox via unspecified vectors. […]'>Google Chrome For Android Prior Multiple Security Vulnerabilities</a></li><li><a class='rsswidget' href='http://www.securiteam.com/securitynews/5OP2Y1FE0W.html' title='Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified Customer Voice Portal (CVP) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter […]'>Cisco Unified Customer Voice Portal Multiple Cross Site Scripting Vulnerabilities</a></li></ul></li> <li id="recent-posts-3" class="widget widget_recent_entries"> <h2 class="widgettitle">New</h2> <ul> <li> <a href="http://blogs.securiteam.com/index.php/archives/2418" title="Windows 2012 R2 Certification Authority installation guide">Windows 2012 R2 Certification Authority installation guide</a> </li> <li> <a href="http://blogs.securiteam.com/index.php/archives/2415" title="Best Email Retention Policy Practices">Best Email Retention Policy Practices</a> </li> <li> <a href="http://blogs.securiteam.com/index.php/archives/2407" title="AV is dead … again …">AV is dead … again …</a> </li> <li> <a href="http://blogs.securiteam.com/index.php/archives/2400" title="Settle for nothing now … Settle for nothing later!">Settle for nothing now … Settle for nothing later!</a> </li> <li> <a href="http://blogs.securiteam.com/index.php/archives/2393" title="Big Government vs Big Corp – which is worse?">Big Government vs Big Corp – which is worse?</a> </li> </ul> </li> <li id="recent-comments-3" class="widget widget_recent_comments"><h2 class="widgettitle">Comments</h2> <ul id="recentcomments"><li class="recentcomments">Hellen Pedro on <a href="http://blogs.securiteam.com/index.php/archives/1468#comment-894970">Non-Functional Email (or Blog) System Disclaimer</a></li><li class="recentcomments">Hellen Pedro on <a href="http://blogs.securiteam.com/index.php/archives/1468#comment-894965">Non-Functional Email (or Blog) System Disclaimer</a></li><li class="recentcomments">hsbc customer on <a href="http://blogs.securiteam.com/index.php/archives/1701#comment-894444">Howto: Phish HSBC credit card numbers</a></li><li class="recentcomments">Duqyaha Sultanovich on <a href="http://blogs.securiteam.com/index.php/archives/2365#comment-865918">CyberSec Tips – “Computer Maintenance Department”</a></li><li class="recentcomments">intrest on <a href="http://blogs.securiteam.com/index.php/archives/2352#comment-865660">BananaGlee</a></li></ul></li> <li id="text-5" class="widget widget_text"><h2 class="widgettitle">Admin</h2> <div class="textwidget"><a href="http://blogs.securiteam.com/wp-admin/">Login</a></div> </li> </ul> </div> <div class="clear"></div> <div id="footer"> <p><a href="http://blogs.securiteam.com" title="SecuriTeam Blogs home page">SecuriTeam Blogs</a> is powered by Word Press.</p> </div> </div><!-- end page --> </div> <script type="text/javascript"><!-- wpa2a.targets=[ {title:'Fuzzing Samsung Kies',url:'http://blogs.securiteam.com/index.php/archives/2162'}, {title:'S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?',url:'http://blogs.securiteam.com/index.php/archives/2089'}, {title:'Malformed input?',url:'http://blogs.securiteam.com/index.php/archives/1941'}, {title:'Windows Device Driver Fuzzing',url:'http://blogs.securiteam.com/index.php/archives/1914'}, {title:'About the reported beSTORM “Vulnerability”',url:'http://blogs.securiteam.com/index.php/archives/1785'}, {title:'Who’s behind Stuxnet?',url:'http://blogs.securiteam.com/index.php/archives/1445'}, {title:'Apple iPhone/iPod Touch/iPad Security Update',url:'http://blogs.securiteam.com/index.php/archives/1428'}, {title:'Where To Sell Software Vulnerabilities/Exploits?',url:'http://blogs.securiteam.com/index.php/archives/1396'}, {title:'Backtrack – The Future, The Funding, The Roadmap',url:'http://blogs.securiteam.com/index.php/archives/1393'}, {title:'Hack In The Box Security Conference Comes to Europe',url:'http://blogs.securiteam.com/index.php/archives/1392'}, {title:'Interview with Charlie Miller',url:'http://blogs.securiteam.com/index.php/archives/1352'}, {title:'Fuzzing anything that moves',url:'http://blogs.securiteam.com/index.php/archives/1332'}, {title:'When source code audit fails',url:'http://blogs.securiteam.com/index.php/archives/1307'}, {title:'milw0rm will stay open, but needs your help',url:'http://blogs.securiteam.com/index.php/archives/1300'}, {title:'SCTP fuzzing made easy',url:'http://blogs.securiteam.com/index.php/archives/1216'}, {title:'Fuzzing’s Impact on Vulnerability Discovery',url:'http://blogs.securiteam.com/index.php/archives/1208'}, {title:document.title,url:location.href}]; wpa2a.html_done=true;if(wpa2a.script_ready&&!wpa2a.done)wpa2a.init();wpa2a.script_load(); //--></script> <script type="text/javascript"> var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-29522810-1']); _gaq.push(['_setDomainName', 'securiteam.com']); _gaq.push(['_trackPageview']); (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); </script> </body> </html>