«
Expand/Collapse
208 items tagged "client"
Related tags:
remote [+],
local [+],
ftp client [+],
txt [+],
exploits [+],
vpn [+],
usa [+],
mandriva linux [+],
vpn client [+],
ubuntu [+],
tls [+],
servers [+],
secure [+],
proof of concept [+],
opc client [+],
opc [+],
memory corruption [+],
local privilege escalation [+],
game servers [+],
game [+],
cvs client [+],
cvs [+],
black hat [+],
based buffer overflow [+],
bacnet [+],
ultravnc [+],
program execution [+],
privilege [+],
nathan mcfeters [+],
escalation [+],
day [+],
arbitrary program [+],
zero day [+],
zdi [+],
windows [+],
terminal server client [+],
terminal [+],
stack overflow [+],
smbfs [+],
red [+],
privilege escalation vulnerability [+],
phpmyadmin [+],
multiple [+],
mountpoint [+],
memory [+],
linux security [+],
http [+],
hacks [+],
gain privileges [+],
dsa [+],
code [+],
activex control [+],
activex [+],
Skype [+],
zero [+],
xftp [+],
valve steam client [+],
valve [+],
unix systems [+],
transport layer security [+],
thin client [+],
tcp [+],
symantec [+],
steam [+],
ssl [+],
sql [+],
secure client [+],
rumba [+],
rob carter tags [+],
rob carter [+],
remote buffer overflow [+],
red hat security [+],
option [+],
opentext [+],
novell client [+],
nickname [+],
ncp [+],
matthew hall [+],
mandriva [+],
malicious server [+],
malicious attacker [+],
mail client [+],
magic packets [+],
magic packet [+],
mac os [+],
local buffer overflow [+],
joomla [+],
john heasman [+],
java [+],
host configuration protocol [+],
hijacking [+],
first class client [+],
exploit [+],
dynamic host configuration protocol [+],
download [+],
directory traversal vulnerability [+],
dhcp [+],
denial of service exploit [+],
cryptographic algorithms [+],
crash proof [+],
control [+],
concurrent version system [+],
client proxy [+],
client exec [+],
client component [+],
cisco vpn [+],
cisco security advisory [+],
cisco security [+],
character array [+],
bulletproof [+],
bugtraq [+],
buffer [+],
backend [+],
automation [+],
attacker [+],
array bounds [+],
arbitrary code execution [+],
application version [+],
alban crequy [+],
advisory [+],
x google [+],
win2k3 [+],
vulnerabilities [+],
video [+],
vendor [+],
uri [+],
thunderbird mail [+],
stephen de vries [+],
slides [+],
security vulnerabilities [+],
security tools [+],
rsa securid [+],
rsa [+],
proxy [+],
protecao [+],
penetration [+],
ocx [+],
mitm [+],
microsoft client [+],
microsoft [+],
mallory [+],
mail [+],
mac chat [+],
juniper edition [+],
jeremy allen raj [+],
jeremy allen [+],
java client server [+],
integrity protection [+],
input validation [+],
google [+],
filename [+],
felix [+],
enterprise [+],
encrypted traffic [+],
ejabberd [+],
eficacia [+],
debian linux [+],
d ftp [+],
cookie [+],
content disposition [+],
command execution [+],
client versions [+],
client server applications [+],
client server application [+],
client security [+],
client privilege [+],
client platforms [+],
cisco systems inc [+],
cisco [+],
chaos communication congress [+],
bssid [+],
authenticator [+],
authentication client [+],
authentication [+],
audio [+],
asia [+],
arbitrary code [+],
application protocol [+],
apple [+],
code execution [+],
novell [+],
denial of service [+],
novell iprint [+],
iprint [+],
zywall [+],
x mail [+],
windows client [+],
web interface [+],
vncviewer [+],
version [+],
utpal [+],
usb peripherals [+],
usb [+],
unknown origins [+],
u web [+],
trial [+],
traversal [+],
tpti [+],
thinner [+],
temporary file [+],
teamspeak 2 [+],
teamspeak [+],
system [+],
station [+],
something [+],
smb [+],
silc [+],
server side [+],
seh [+],
security problem [+],
security assessments [+],
script kiddies [+],
scada hmi [+],
rhinosoft [+],
remote management [+],
remote exploit [+],
remote desktop [+],
remote buffer overflow vulnerability [+],
read [+],
rdesktop [+],
peripherals [+],
penetration test [+],
package [+],
overflow vulnerability [+],
ntsc television [+],
ntsc [+],
novell zenworks [+],
novell groupwise [+],
novell client for windows [+],
nfspy [+],
net [+],
nav [+],
mount nfs [+],
microsoft windows client [+],
microsoft smb [+],
microcontrollers [+],
metadata [+],
max caceres [+],
manager c client [+],
manager [+],
management [+],
mac os x mail [+],
mac os x [+],
mac [+],
local security [+],
linux [+],
key manager [+],
kernel stack [+],
kernel [+],
juniper vpn [+],
java serialization [+],
java event [+],
ivs [+],
internet explorer [+],
internet [+],
infrared emitter [+],
id spoofing [+],
ica [+],
home server [+],
home [+],
heap [+],
header code [+],
hat [+],
hacking [+],
groupwise client [+],
groupwise [+],
green [+],
gnu [+],
games [+],
format string [+],
format [+],
file deletion [+],
file [+],
feature [+],
exec script [+],
enterprise infrastructure [+],
dll [+],
disclosure of information [+],
disassembling [+],
directory traversal [+],
directory [+],
desktop [+],
debian [+],
david cranor [+],
darknet [+],
daniel grzelak [+],
creation vulnerability [+],
command directory [+],
client tools [+],
client tool [+],
client server [+],
client kernel [+],
client directory [+],
client challenge [+],
client certificate [+],
click [+],
citrix ica client [+],
citrix [+],
cisco css [+],
chatbox [+],
charlie miller [+],
character lcd [+],
cap [+],
caceres [+],
c station [+],
c client [+],
bug hunters [+],
buffer overflow vulnerabilities [+],
arm architecture [+],
arduino [+],
arbitrary [+],
anyone [+],
antivirus client [+],
antivirus [+],
and [+],
alftp [+],
airodump [+],
aireplay [+],
administrative privileges [+],
activex control buffer overflow [+],
ace [+],
Wireless [+],
Tools [+],
Requests [+],
BackTrack [+],
service vulnerability [+],
vulnerability [+],
safer use [+],
samba [+],
data protector [+],
buffer overflow [+],
side [+],
buffer overflow vulnerability [+],
server [+],
protector [+],
ftp [+],
data [+],
samba client [+],
cisco anyconnect [+]
-
-
18:31
»
Packet Storm Security Advisories
Ubuntu Security Notice 1418-1 - Alban Crequy discovered that the GnuTLS library incorrectly checked array bounds when copying TLS session data. A remote attacker could crash a client application, leading to a denial of service, as the client application prepared for TLS session resumption. Matthew Hall discovered that the GnuTLS library incorrectly handled TLS records. A remote attacker could crash client and server applications, leading to a denial of service, by sending a crafted TLS record. Various other issues were also addressed.
-
18:31
»
Packet Storm Security Recent Files
Ubuntu Security Notice 1418-1 - Alban Crequy discovered that the GnuTLS library incorrectly checked array bounds when copying TLS session data. A remote attacker could crash a client application, leading to a denial of service, as the client application prepared for TLS session resumption. Matthew Hall discovered that the GnuTLS library incorrectly handled TLS records. A remote attacker could crash client and server applications, leading to a denial of service, by sending a crafted TLS record. Various other issues were also addressed.
-
18:31
»
Packet Storm Security Misc. Files
Ubuntu Security Notice 1418-1 - Alban Crequy discovered that the GnuTLS library incorrectly checked array bounds when copying TLS session data. A remote attacker could crash a client application, leading to a denial of service, as the client application prepared for TLS session resumption. Matthew Hall discovered that the GnuTLS library incorrectly handled TLS records. A remote attacker could crash client and server applications, leading to a denial of service, by sending a crafted TLS record. Various other issues were also addressed.
-
-
17:16
»
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2012-044 - A vulnerability has been found and corrected in cvs. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. The updated packages have been patched to correct this issue.
-
17:16
»
Packet Storm Security Recent Files
Mandriva Linux Security Advisory 2012-044 - A vulnerability has been found and corrected in cvs. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. The updated packages have been patched to correct this issue.
-
17:16
»
Packet Storm Security Misc. Files
Mandriva Linux Security Advisory 2012-044 - A vulnerability has been found and corrected in cvs. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. The updated packages have been patched to correct this issue.
-
-
19:06
»
Packet Storm Security Advisories
Red Hat Security Advisory 2012-0429-01 - The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security. A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer. A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server.
-
19:06
»
Packet Storm Security Recent Files
Red Hat Security Advisory 2012-0429-01 - The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security. A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer. A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server.
-
19:06
»
Packet Storm Security Misc. Files
Red Hat Security Advisory 2012-0429-01 - The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security. A flaw was found in the way GnuTLS decrypted malformed TLS records. This could cause a TLS/SSL client or server to crash when processing a specially-crafted TLS record from a remote TLS/SSL connection peer. A boundary error was found in the gnutls_session_get_data() function. A malicious TLS/SSL server could use this flaw to crash a TLS/SSL client or, possibly, execute arbitrary code as the client, if the client passed a fixed-sized buffer to gnutls_session_get_data() before checking the real size of the session data provided by the server.
-
13:38
»
Packet Storm Security Exploits
This Metasploit module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.
-
13:38
»
Packet Storm Security Recent Files
This Metasploit module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.
-
13:38
»
Packet Storm Security Misc. Files
This Metasploit module exploits a buffer overflow in UltraVNC Viewer 1.0.2 Release. If a malicious server responds to a client connection indicating a minor protocol version of 14 or 16, a 32-bit integer is subsequently read from the TCP stream by the client and directly provided as the trusted size for further reading from the TCP stream into a 1024-byte character array on the stack.
-
-
22:36
»
SecDocs
Authors:
Felix 'FX' Lindner Tags:
Mac OS X Google iPhone Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: We will discuss the two different approaches Apple and Google take for the client platforms iPad and Chromebook, how they are similar and how they are not. From the security architecture and integrity protection details to your account and identity that links you firmly back to the respective vendor, we will provide the big picture with occasional close-up shots. Here is what powers the vendor has over you, or what powers he gives to arbitrary unwashed attackers at conferences through fails in logic, binary or HTML.
-
22:36
»
SecDocs
Authors:
Felix 'FX' Lindner Tags:
Mac OS X Google iPhone Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: We will discuss the two different approaches Apple and Google take for the client platforms iPad and Chromebook, how they are similar and how they are not. From the security architecture and integrity protection details to your account and identity that links you firmly back to the respective vendor, we will provide the big picture with occasional close-up shots. Here is what powers the vendor has over you, or what powers he gives to arbitrary unwashed attackers at conferences through fails in logic, binary or HTML.
-
-
18:10
»
Packet Storm Security Advisories
Red Hat Security Advisory 2012-0321-01 - Concurrent Version System is a version control system that can record the history of your files. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. All users of cvs are advised to upgrade to these updated packages, which contain a patch to correct this issue.
-
18:10
»
Packet Storm Security Recent Files
Red Hat Security Advisory 2012-0321-01 - Concurrent Version System is a version control system that can record the history of your files. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. All users of cvs are advised to upgrade to these updated packages, which contain a patch to correct this issue.
-
18:10
»
Packet Storm Security Misc. Files
Red Hat Security Advisory 2012-0321-01 - Concurrent Version System is a version control system that can record the history of your files. A heap-based buffer overflow flaw was found in the way the CVS client handled responses from HTTP proxies. A malicious HTTP proxy could use this flaw to cause the CVS client to crash or, possibly, execute arbitrary code with the privileges of the user running the CVS client. All users of cvs are advised to upgrade to these updated packages, which contain a patch to correct this issue.
-
-
14:19
»
Packet Storm Security Recent Files
trixd00r is an advanced and invisible userland backdoor based on TCP/IP for UNIX systems. It consists of a server and a client. The server sits and waits for magic packets using a sniffer. If a magic packet arrives, it will bind a shell over TCP or UDP on the given port or connecting back to the client again over TCP or UDP. The client is used to send magic packets to trigger the server and get a shell.
-
14:19
»
Packet Storm Security Tools
trixd00r is an advanced and invisible userland backdoor based on TCP/IP for UNIX systems. It consists of a server and a client. The server sits and waits for magic packets using a sniffer. If a magic packet arrives, it will bind a shell over TCP or UDP on the given port or connecting back to the client again over TCP or UDP. The client is used to send magic packets to trigger the server and get a shell.
-
14:19
»
Packet Storm Security Misc. Files
trixd00r is an advanced and invisible userland backdoor based on TCP/IP for UNIX systems. It consists of a server and a client. The server sits and waits for magic packets using a sniffer. If a magic packet arrives, it will bind a shell over TCP or UDP on the given port or connecting back to the client again over TCP or UDP. The client is used to send magic packets to trigger the server and get a shell.
-
-
16:49
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Groupwise Client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
16:04
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
10:39
»
SecuriTeam
A design error vulnerability within Cisco Systems Inc's AnyConnect VPN Java client allows attackers to execute arbitrary code with the privileges of the targeted user.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
9:01
»
Hack a Day
While watching his thin client boot up [Nav] noticed that it’s using some type of Linux kernel. He wondered if it were possible to run a full-blow desktop distribution on the device. A little poking around he got a Debian desktop distribution running on a thin client. The hardware he’s working with is an HP [...]
-
-
6:00
»
Hack a Day
It’s not environmentally friendly, but most of us run a small home server 24 hours a day. A small server is a useful tool to have that unfortunately wastes a lot of energy. [kekszumquadrat]‘s thin client home server is actually a passable LAMP box that doesn’t draw a ton of power. [kekszumquadrat] started looking at [...]
-
-
12:53
»
SecDocs
Authors:
Stephen de Vries Tags:
Java Event:
Black Hat USA 2010 Abstract: The presentation will demonstrate a complete analysis and compromise of a Java client-server application using entirely open source tools. Performing penetration testing on Java clients, both applications and applets is often problematic because the data transport (typically RMI) is difficult to manipulate in a meaningful way and complex applications require more refined techniques than direct byte code manipulation. Java development approaches and tools have been steadily improving and many of these new paradigms and tools can be used to fully decompose and manipulate client side Java without resorting to decompiling the binary. Due to the high level nature of developer tools, it is very easy for developers to misplace trust in client-server applications and erroneously or deliberately include security controls on the client instead of on the server side. By using testing and profiling tools and aspect oriented programming, it is possible to build a clear picture of the application's logic flow and to identify private objects that should not ordinarily be editable by the user. Injecting an interactive console into the running application allows you to change these objects at will and to call any methods on the client side, thereby bypassing client side security controls.
-
12:53
»
SecDocs
Authors:
Stephen de Vries Tags:
Java Event:
Black Hat USA 2010 Abstract: The presentation will demonstrate a complete analysis and compromise of a Java client-server application using entirely open source tools. Performing penetration testing on Java clients, both applications and applets is often problematic because the data transport (typically RMI) is difficult to manipulate in a meaningful way and complex applications require more refined techniques than direct byte code manipulation. Java development approaches and tools have been steadily improving and many of these new paradigms and tools can be used to fully decompose and manipulate client side Java without resorting to decompiling the binary. Due to the high level nature of developer tools, it is very easy for developers to misplace trust in client-server applications and erroneously or deliberately include security controls on the client instead of on the server side. By using testing and profiling tools and aspect oriented programming, it is possible to build a clear picture of the application's logic flow and to identify private objects that should not ordinarily be editable by the user. Injecting an interactive console into the running application allows you to change these objects at will and to call any methods on the client side, thereby bypassing client side security controls.
-
-
14:22
»
SecDocs
Authors:
Jeremy Allen Raj Umadas Tags:
network debugger debugging MITM Event:
Black Hat USA 2010 Abstract: Using the same techniques that governments use to surreptitiously read private email and SSL encrypted traffic, you can easily find more bugs in all types of client and server apps! Sometimes the easiest way to quickly understand a client, a server, or just the protocol they use to communicate with, is to become the "man in the middle." Many client side proxies - such as Burp, Paros, and WebScarab - already exist to let you tamper with HTTP and proxy aware clients. But sometimes your client might not be proxy aware, nor your protocol as simple as HTTP or HTTPS. What to do? You can start with Wireshark, but be limited to viewing traffic on the wire and not tampering with it. You can debug the client or server, which can be effective, but also time consuming. Or you can try becoming the "man in the middle" with tools like Ettercap, or the Middler, which might work - but might also fail. Or you can use our new tool, named Mallory. Mallory is a MITM capable of intercepting any TCP or UDP base network stream. Why is Mallory different? Well first of all, you don't need to configure it. Just turn her on, and she starts intercepting traffic. Mallory is designed to be an undetectable, transparent proxy, capable of intercepting any known or unknown application protocol, just like those super-duper SSL MITM devices documented in the "Certified Lies" paper. The same techniques that allow over bearing governments to snoop on private email, we've been using to easily own up tons of mobile applications running on arbitrary platforms. And did we mention how much fun it is to MITM SSH?
-
14:20
»
SecDocs
Authors:
Jeremy Allen Raj Umadas Tags:
network debugger debugging MITM Event:
Black Hat USA 2010 Abstract: Using the same techniques that governments use to surreptitiously read private email and SSL encrypted traffic, you can easily find more bugs in all types of client and server apps! Sometimes the easiest way to quickly understand a client, a server, or just the protocol they use to communicate with, is to become the "man in the middle." Many client side proxies - such as Burp, Paros, and WebScarab - already exist to let you tamper with HTTP and proxy aware clients. But sometimes your client might not be proxy aware, nor your protocol as simple as HTTP or HTTPS. What to do? You can start with Wireshark, but be limited to viewing traffic on the wire and not tampering with it. You can debug the client or server, which can be effective, but also time consuming. Or you can try becoming the "man in the middle" with tools like Ettercap, or the Middler, which might work - but might also fail. Or you can use our new tool, named Mallory. Mallory is a MITM capable of intercepting any TCP or UDP base network stream. Why is Mallory different? Well first of all, you don't need to configure it. Just turn her on, and she starts intercepting traffic. Mallory is designed to be an undetectable, transparent proxy, capable of intercepting any known or unknown application protocol, just like those super-duper SSL MITM devices documented in the "Certified Lies" paper. The same techniques that allow over bearing governments to snoop on private email, we've been using to easily own up tons of mobile applications running on arbitrary platforms. And did we mention how much fun it is to MITM SSH?
-
-
14:07
»
Carnal0wnage
I remember many years ago writing my first buffer overflow, a standard stack bug privilege escalation in I think RedHat 7x which I thought was awesome. I remember writing my first SEH overwrite on windows and marveling at POP POP RET's and spending hours pouring through memory in Windbg wondering why my shellcode was getting trashed. I even remember the moment when I "got" return to libc. Somewhat in contrast to many "researcher" exploit developers and bug hunters, I also break into computers, lots of them. At last count I was well over the 100,000 mark of computers I have personally gotten into, control over and extracted data from. This is not to tell you how awesome I think I am (I'm not, there are IRC script kiddies with 10x the amount of compromises under their belt) but rather provide a statistical frame of reference for what I am going to say next.
Several years ago I decided to pull back from the memory corruption rat race, but I never really talked about why.
When breaking into computers, I almost never use memory corruption bugs. I occasionally, but rarely develop new memory corruption bugs into exploits. Memory corruption bugs IMO are a bad long term return on investment. Sure someone like Charlie Miller can crank out 100 Adobe product crashes in the blink of an eye, but how much skilled time investment is required to take a bug from a crash to a highly reliable, continuation of execution, ASLR / DEP bypassing exploit ready for serious use? Average numbers I have heard from friends who do this all day long are 1 - 3 months, with 6 months for particularly sticky bugs. How many people are there that can do this? Not many. So you have a valuable resource tied up for months at a time to produce a bug which may get discovered and published in the interm ( a process you have no real control over), patched and killed. When was the last time you heard about a really bitchin Windows 7 64bit remote? Its been a while. So you put in all that time and investment to produce a nice 0day only to watch it get killed. Then you start looking for the next one. What's the going price on the market for an 0day? 100k, 200k, etc. Expensive for something with a potentially limited life putting aside that fact that people don't patch anyway for a moment.
So what do I like instead then? I like design flaws that are integral to the way a system works and are extremely costly to fix, that don't barf a bunch of shellcode across a potentially IDS/IPS ridden wire, that simply take advantage of the way things are supposed to work anyway. Lest you think I spend all my time keylogging "password123" let me give some real world examples:
- Proprietary & custom hardware/OS and software system used for some interesting applications. System has a UDP listening service. After reversing the service binary we discovered that it takes a cleartext, unauthenticated protocol blob. The process then, based on whats in the blob, calls another process that execs a variety of system commands. One of these commands sends out a message to the various systems in the network to mount a given network file system and load specified software. So we craft our own protocol blobs build our own network file system with specially crafted malicious software and take over all the systems at once. We spoke with the designers of the system about what it would take to change it, and due to various rules and policies we were looking at 18-24 months to push out a redesign, and thats after whatever time was needed to develop the new system.
- Foreign Client/Server ERP system that handles supply chain and even has some tie ins with some SCADA components. Authentication works as follows: Client enters a username and password. Client app connects to the server and sends an authentication request with the provided Username. The server checks to see if the username exists and if so it sends a hash of the user's password back to the client app. The client app checks to see if the local password hash matches the one sent from the server and if it matches the client informs the server the the account is valid and the server then successfully authenticates the client. So yes, very broken client side authentication. But to figure that out we had to analyse the network traffic between the two as well as reverse engineer the client application and binary patch the client app to always respond with a positive match. And the data or effects gained from compromising this system are way more interesting than your windows 7 home gaming system.
- Large company virtualization cluster using hardware from a well known vendor. Servers provide remote console / kvm functionality for management. Because of a previously unknown authentication vulnerability in the remote console app we were able to boot the server to remote media under our control (i.e. a linux boot disk). We had reverse engineered the virtualization technology in question and developed a custom backdoor which we then implanted by mounting the hard drive from our remotly loaded linux boot environment, allowing us to take control of the cluster.
With the exception of the last server reboot none of these above examples generated any traffic or logs that were flagged by any security system. No IDS or AV to evade. No DEP or ASLR to get around. And low chance of these bugs getting killed due to the cost and time frame involved in fixing them.
I believe that researchers should consider putting some of their time and resources into the above types of design flaws as well as in sophisticated post-exploitation activities. The market value for memory corruption bugs will go up for a while but so will the difficulty and time required to find them, and we have often seen patch release times decrease as well. Eventually that bubble will burst.
V.
-
-
18:59
»
SecuriTeam
A design error within Cisco Systems Inc's AnyConnect VPN client allows attackers to execute arbitrary code with the privileges of a user running Internet Explorer.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
7:30
»
Packet Storm Security Recent Files
Whitepaper called Protecao Client-side: Testando a eficacia das ferramentas de protecao Microsoft para estacoes de trabalho e desktops. It describes how to protect against malicious threats by testing some Microsoft client security tools. Written in Portuguese.
-
7:30
»
Packet Storm Security Misc. Files
Whitepaper called Protecao Client-side: Testando a eficacia das ferramentas de protecao Microsoft para estacoes de trabalho e desktops. It describes how to protect against malicious threats by testing some Microsoft client security tools. Written in Portuguese.
-
-
14:29
»
SecuriTeam
A potential security problem has been identified with HP Client Automation Enterprise software running on Windows.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
7:19
»
Packet Storm Security Advisories
The 64 Bit Cisco VPN Client for Windows 7 is affected by a local privilege escalation vulnerability that allows non-privileged users to gain administrative privileges.
-
-
16:55
»
Packet Storm Security Exploits
Valve Steam Client Application version 1.0.968.628 is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice.
-
16:55
»
Packet Storm Security Recent Files
Valve Steam Client Application version 1.0.968.628 is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice.
-
16:55
»
Packet Storm Security Misc. Files
Valve Steam Client Application version 1.0.968.628 is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice.
-
-
11:01
»
Hack a Day
While some people know that you should be wary of USB drives with unknown origins, the same care is rarely, if ever exercised with USB peripherals. The security firm Netragard recently used this to their advantage when performing a penetration test at a client’s facility. When the client ruled out the use of many common [...]
-
-
8:38
»
Packet Storm Security Exploits
This Metasploit module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the 'url' property. One of these files it will be stored in a temporary directory and executed.
-
8:38
»
Packet Storm Security Recent Files
This Metasploit module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the 'url' property. One of these files it will be stored in a temporary directory and executed.
-
8:38
»
Packet Storm Security Misc. Files
This Metasploit module exploits a vulnerability in the Cisco AnyConnect VPN client vpnweb.ocx ActiveX control. This control is typically used to install the VPN client. An attacker can set the 'url' property which is where the control tries to locate the files needed to install the client. The control tries to download two files from the site specified within the 'url' property. One of these files it will be stored in a temporary directory and executed.
-
-
12:46
»
Packet Storm Security Advisories
Cisco Security Advisory - The Cisco AnyConnect Secure Mobility Client, previously known as the Cisco AnyConnect VPN Client, is affected by arbitrary program execution and local privilege escalation vulnerabilities. There are no workarounds for the vulnerabilities described in this advisory.
-
12:46
»
Packet Storm Security Recent Files
Cisco Security Advisory - The Cisco AnyConnect Secure Mobility Client, previously known as the Cisco AnyConnect VPN Client, is affected by arbitrary program execution and local privilege escalation vulnerabilities. There are no workarounds for the vulnerabilities described in this advisory.
-
12:46
»
Packet Storm Security Misc. Files
Cisco Security Advisory - The Cisco AnyConnect Secure Mobility Client, previously known as the Cisco AnyConnect VPN Client, is affected by arbitrary program execution and local privilege escalation vulnerabilities. There are no workarounds for the vulnerabilities described in this advisory.
-
-
23:03
»
Packet Storm Security Advisories
Red Hat Security Advisory 2011-0840-01 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. It was discovered that the DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Various other issues were also addressed.
-
23:03
»
Packet Storm Security Recent Files
Red Hat Security Advisory 2011-0840-01 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. It was discovered that the DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Various other issues were also addressed.
-
23:03
»
Packet Storm Security Misc. Files
Red Hat Security Advisory 2011-0840-01 - The Dynamic Host Configuration Protocol is a protocol that allows individual devices on an IP network to get their own network configuration information, including an IP address, a subnet mask, and a broadcast address. It was discovered that the DHCP client daemon, dhclient, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Various other issues were also addressed.
-
-
19:09
»
SecuriTeam
Cisco VPN Client contains a High risk vulnerability related to Privilege Escalation.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
18:44
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP Client Automation.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
10:06
»
Hack a Day
[Utpal Solanki] wanted to do some text chatting from the comfort of the couch. He built this wireless chat client that he calls Chatbox using a microcontroller, a character LCD screen, and a keypad that he built himself. The device communicates via an Infrared emitter and receiver. It pairs up with an Arduino using an [...]
-
-
14:10
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
13:10
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
13:05
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
13:05
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
13:05
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
20:20
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell iPrint Client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
10:34
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 11-056 - This vulnerability allows an attacker to execute remote code on vulnerable installations of the Hewlett-Packard Data Protector client. User interaction is not required to exploit this vulnerability. The specific flaw exists within the implementation of the EXEC_SETUP command. This command instructs a Data Protector client to download and execute a setup file. A malicious attacker can instruct the client to access a file off of a share thus executing arbitrary code under the context of the current user.
-
10:34
»
Packet Storm Security Recent Files
Zero Day Initiative Advisory 11-056 - This vulnerability allows an attacker to execute remote code on vulnerable installations of the Hewlett-Packard Data Protector client. User interaction is not required to exploit this vulnerability. The specific flaw exists within the implementation of the EXEC_SETUP command. This command instructs a Data Protector client to download and execute a setup file. A malicious attacker can instruct the client to access a file off of a share thus executing arbitrary code under the context of the current user.
-
10:34
»
Packet Storm Security Misc. Files
Zero Day Initiative Advisory 11-056 - This vulnerability allows an attacker to execute remote code on vulnerable installations of the Hewlett-Packard Data Protector client. User interaction is not required to exploit this vulnerability. The specific flaw exists within the implementation of the EXEC_SETUP command. This command instructs a Data Protector client to download and execute a setup file. A malicious attacker can instruct the client to access a file off of a share thus executing arbitrary code under the context of the current user.
-
-
21:25
»
SecDocs
Authors:
Daniel Grzelak Tags:
Java Event:
Ruxcon 2010 Abstract: We have recently been asked to perform a number of security assessments which use Java serialised objects to communicate information between client and server. This approach is quite common, particularly in applications which implement some form of thick(ish) client. However, whenever I see these things flying across my proxy I always get excited and think "there has to be something wrong here..." So is there something really wrong? What should we be concentrating on when trying to attack these applications?
-
-
4:43
»
Packet Storm Security Exploits
Juniper VPN client with remote desktop lets an attacking spawn Internet Explorer prior to authentication.
-
-
8:54
»
Packet Storm Security Exploits
This Metasploit module exploits a stack overflow in SCADA Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client parses a specially crafted csv file, arbitrary code may be executed.
-
8:54
»
Packet Storm Security Recent Files
This Metasploit module exploits a stack overflow in SCADA Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client parses a specially crafted csv file, arbitrary code may be executed.
-
8:54
»
Packet Storm Security Misc. Files
This Metasploit module exploits a stack overflow in SCADA Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client parses a specially crafted csv file, arbitrary code may be executed.
-
-
15:02
»
SecuriTeam
A memory corruption vulnerability was identified in Citrix ICA Client ActiveX control.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
15:01
»
Packet Storm Security Recent Files
RSA Authentication Client 2.0.x, 3.0, and 3.5.x contain a potential vulnerability that could allow the unintended extraction, by a properly authenticated user, of secret (or symmetric) key objects stored on an RSA SecurID 800 Authenticator. This potential vulnerability is corrected in RSA Authentication Client 3.5.3.
-
15:01
»
Packet Storm Security Advisories
RSA Authentication Client 2.0.x, 3.0, and 3.5.x contain a potential vulnerability that could allow the unintended extraction, by a properly authenticated user, of secret (or symmetric) key objects stored on an RSA SecurID 800 Authenticator. This potential vulnerability is corrected in RSA Authentication Client 3.5.3.
-
-
11:00
»
Hack a Day
[David Cranor], along with [Max Lobovsky's] help, managed to build a thin client that uses an NTSC television as a monitor for only $6. This is his first foray into the world of ARM architecture and he has vowed to never use an AVR again. The powerful little chip uses timers to manage sync and DMA to [...]
-
-
17:30
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Novell iPrint Client browser plugin.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
17:25
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Novell iPrint client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
17:25
»
SecuriTeam
This vulnerability allows remote attackers to delete all files on a system with a vulnerable installation of the Novell iPrint Client.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
12:56
»
SecuriTeam
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Novell iPrint Client Browser Plugin.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
14:00
»
Packet Storm Security Advisories
The parental controls built into the Mac OS X Mail client can be easily bypassed by anyone who knows the email address of the child and his/her parent.
-
-
0:00
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 10-145 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell ZENWorks Remote Management. Access to a single node with Remote Management client installed and configured is required. The specific flaw exists within the storage of Remote Management authentication information on the client. The client utilizes a password stored in the registry that is common among all nodes. This can be exploited by an attacker to execute remote code on any target with the client installed.
-
-
16:01
»
Packet Storm Security Recent Files
Debian Linux Security Advisory 2085-1 - It was discovered that in lftp, a command-line HTTP/FTP client, there is no proper validation of the filename provided by the server through the Content-Disposition header; attackers can use this flaw by suggesting a filename they wish to overwrite on the client machine, and then possibly execute arbitrary code (for instance if the attacker elects to write a dotfile in a home directory).
-
16:01
»
Packet Storm Security Advisories
Debian Linux Security Advisory 2085-1 - It was discovered that in lftp, a command-line HTTP/FTP client, there is no proper validation of the filename provided by the server through the Content-Disposition header; attackers can use this flaw by suggesting a filename they wish to overwrite on the client machine, and then possibly execute arbitrary code (for instance if the attacker elects to write a dotfile in a home directory).
-
-
11:40
»
remote-exploit & backtrack
That we connect in client
lock command aireplay-ng -1 0 -a bssid -c station wlan0 is good work
but how to connect to client to find handshark
aireplay-ng -0 10 -a bssid -c station wlan0 and nothing in airodump-ng
-
-
20:28
»
SecuriTeam
A vulnerability related to the disclosure of information was discovered in HP Client Automation Enterprise Infrastructure.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
18:37
»
SecuriTeam
Multiple vulnerabilities were discovered in Cisco CSS and Cisco ACE.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
17:00
»
Packet Storm Security Recent Files
Mandriva Linux Security Advisory 2010-090 - client/mount.cifs.c in mount.cifs in smbfs in Samba does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. client/mount.cifs.c in mount.cifs in smbfs in Samba allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file. The updated packages have been patched to correct these issues. It was discovered that the previous Samba update required libtalloc from Samba4 package. Therefore, this update provides the required packages in order to fix the issue.
-
17:00
»
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2010-090 - client/mount.cifs.c in mount.cifs in smbfs in Samba does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. client/mount.cifs.c in mount.cifs in smbfs in Samba allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file. The updated packages have been patched to correct these issues. It was discovered that the previous Samba update required libtalloc from Samba4 package. Therefore, this update provides the required packages in order to fix the issue.
-
-
18:28
»
Packet Storm Security Recent Files
Mandriva Linux Security Advisory 2010-090 - client/mount.cifs.c in mount.cifs in smbfs in Samba does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. client/mount.cifs.c in mount.cifs in smbfs in Samba allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file. The updated packages have been patched to correct these issues.
-
18:28
»
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2010-090 - client/mount.cifs.c in mount.cifs in smbfs in Samba does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. client/mount.cifs.c in mount.cifs in smbfs in Samba allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file. The updated packages have been patched to correct these issues.
-
-
21:00
»
Packet Storm Security Recent Files
Debian Linux Security Advisory 2025-1 - Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client.
-
21:00
»
Packet Storm Security Advisories
Debian Linux Security Advisory 2025-1 - Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client.
-
16:00
»
Packet Storm Security Exploits
Skype client versions prior to 4.2.0.1.55 suffer from a URI handling input validation vulnerability that allows for remote command execution.
-
-
16:57
»
remote-exploit & backtrack
How do I retrieve the client MAC from my cap file?
I'm using "airodump-ng -c 11 --bssid 00:11:22:33:44:55 -w output-home mon0" to filter by the AP I'm monitoring.
Apparently a client connected, because I see that I have collected 75 IVs, but I didn't see the client MAC (I'm assuming it refreshed out, or whatever) by the time I saw the data numbers. So, I'm hoping to get the client MAC from the cap file.
Feel free to point me to a related post, but I didn't find one via search.
Thanks!
1337day (was: Inj3ct0r, 1337db)
OSVDB Vulnerabilities
Exploit-DB
SecurityFocus Vulnerabilities
Bugtraq
XSSed
Sophos security news
Penetration Testing
BackTrack Linux Forums
Threatpost
carnal0wnage.attackresearch.com
Darknet
The Exploitant
Wirevolution