62 items tagged "format"
-
-
21:34
»
SecDocs
Authors: Mathias Payer
Tags: exploiting
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming, string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application containing a format string vulnerability as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.
-
-
14:45
»
Packet Storm Security Exploits
BroadWin WebAccess Client with bwocxrun.ocx versions 1.0.0.10 and below suffers from format string and memory corruption vulnerabilities. The OcxSpool function is affected by a format string vulnerability caused by passing the attacker-provided Msg string directly to vsprintf() as the format argument. WriteTextData and CloseFile allow arbitrary regions of memory to be corrupted through a fully controllable stream identifier passed to fclose() and fwrite().
-
-
15:22
»
Packet Storm Security Recent Files
Action Message Format (AMF) Shell is a testing tool that demonstrates weaknesses in PHPAMF, especially where the default service 'DiscoveryService' has been left behind.
-
-
11:11
»
Hack a Day
iClass is a popular format of RFID enabled access cards. These are issued to company employees to grant them access to parts of a building via a card reader at each security door. We’ve known for a long time that these access systems are rather weak when it comes to security. But now you can [...]
-
15:50
»
Packet Storm Security Recent Files
Zero Day Initiative Advisory 11-077 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the application's implementation of an image format supported by the Universal 3D compressed file format. When parsing a particular texture file specified by the format, the application explicitly trusts fields within the file in a multiplication used to compute the allocation size for the image data. Because the application does not account for the result being larger than the architecture can store, the multiplication overflows and the application under-allocates the buffer. When writing image data to this buffer, the application writes outside the boundary of the allocation. This can lead to code execution under the context of the application.
-
-
23:02
»
Packet Storm Security Recent Files
Ubuntu Security Notice 1008-2 - Libvirt in Ubuntu 10.04 LTS no longer probes qemu disks for the image format and defaults to 'raw' when the format is not specified in the XML. This change in behavior breaks virt-install --import because virtinst in Ubuntu 10.04 LTS did not allow a disk format to be specified and does not specify a format in the XML. This update adds the 'format=' option when specifying a disk. The original advisory notes that it was discovered that libvirt would probe disk backing stores without consulting the defined format for the disk. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue only affected Ubuntu 10.04 LTS. By default, guests are confined by an AppArmor profile which provided partial protection against this flaw. It was discovered that libvirt would create new VMs without setting a backing store format. A privileged attacker in the guest could exploit this to read arbitrary files on the host. This issue did not affect Ubuntu 8.04 LTS. In Ubuntu 9.10 and later, guests are confined by an AppArmor profile which provided partial protection against this flaw. Jeremy Nickurak discovered that libvirt created iptables rules with too lenient mappings of source ports. A privileged attacker in the guest could bypass intended restrictions to access privileged resources on the host.
-
-
19:00
»
Packet Storm Security Exploits
This Metasploit module exploits a format string vulnerability within versions 10.0.4.x and 10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX control (epi.dll). By calling the 'AuthCredential' method with a specially crafted Unicode format string, an attacker can cause memory corruption and execute arbitrary code. Unfortunately, it does not appear to be possible to indirectly re-use existing stack data for more reliable exploitation. This is due to several particulars of this vulnerability. First, the format string must be a Unicode string, which uses two bytes per character. Second, the buffer is allocated on the stack using the 'alloca' function, so each additional format specifier (%x) adds four more bytes to the allocated size. As a result, the read pointer cannot be moved outside of the buffer. Further testing showed that using specifiers that pop more than four bytes does not help: any number of format specifiers results in accessing the same value within the buffer. NOTE: It may be possible to leverage the vulnerability to leak memory contents. However, that has not been fully investigated at this time.
-
-
21:03
»
SecDocs
Authors: Mario Vuksan, Tomislav Pericin, Brian Karney
Tags: forensic vulnerability steganography
Event: Black Hat EU 2010
Abstract: Exploiting archive formats can lead to steganographic data hiding and to processing errors with serious forensic consequences. These formats are very interesting as they are commonly found on every PC, Apple or Linux machine, and it is popularly believed that they are well understood and trusted. Can exploits ever be present in file formats that have been in use for over ten or even twenty years? Through deep format analysis, beyond fuzzing, we look at what goes wrong when the format specifications are interpreted differently. Can you trust programs that work with archives? Can you even trust your antivirus? We will answer these questions and disclose for the first time 15 newly discovered vulnerabilities in ZIP, 7ZIP, RAR, CAB and GZIP file formats, revealing the impact they have on anti-malware scanners, digital forensics, security gateways and IPS appliances. This talk will include a demo of ArchiveInsider, a new forensics tool that detects and extracts hidden data and fully validates vulnerable file formats. We will demonstrate file format steganography, file malformation, and even data "self destruction," all with tools that you use and trust.
-
-
21:52
»
SecuriTeam
VMrc is vulnerable to format string attacks. Exploitation of this issue may lead to arbitrary code execution on the system where VMrc is installed.
-
-
19:00
»
Packet Storm Security Exploits
This Metasploit module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as 7.0-respin.