689 items tagged "memory"
-
-
15:44
»
Packet Storm Security Recent Files
tcgetkey is a set of tools that deal with acquiring physical memory dumps via FireWire and then scan the memory dump to locate TrueCrypt keys and finally decrypt the encrypted TrueCrypt container using the keys. It is a proof of concept and only works against TrueCrypt running on Linux hosts.
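The page only says that tcgetkey scans the dump "to locate TrueCrypt keys"; it does not say how. The technique most tools of this kind use, and the one shown below as an added example (this is not tcgetkey's code), is the key-schedule search from cold-boot research: an in-use AES key normally sits in RAM next to its expanded round keys, and since every byte of the 176-byte AES-128 schedule is determined by the first 16, a candidate offset can be confirmed by re-expanding and comparing. The "memory image" here is constructed noise with one schedule planted in it. The example covers AES-128 only; the same check applies to the 240-byte AES-256 schedule with the AES-256 expansion, and a TrueCrypt volume in XTS mode holds two such keys.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not tcgetkey's code): find an AES-128 key in a memory image
 * by locating its expanded key schedule. */
static unsigned char sbox[256];

/* Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1. */
static unsigned char gmul(unsigned char a, unsigned char b) {
    unsigned char p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (unsigned char)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

#define ROTL8(v, n) ((unsigned char)(((v) << (n)) | ((v) >> (8 - (n)))))

/* Build the S-box from its definition (GF(2^8) inverse, then the affine map)
 * rather than from a hard-coded table. */
static void init_sbox(void) {
    for (int x = 0; x < 256; x++) {
        unsigned char inv = 0;
        for (int y = 1; x && y < 256; y++)
            if (gmul((unsigned char)x, (unsigned char)y) == 1) { inv = (unsigned char)y; break; }
        sbox[x] = (unsigned char)(inv ^ ROTL8(inv, 1) ^ ROTL8(inv, 2) ^ ROTL8(inv, 3) ^ ROTL8(inv, 4) ^ 0x63);
    }
}

/* FIPS-197 key expansion for AES-128: 11 round keys, 176 bytes, key first. */
static void aes128_expand(const unsigned char key[16], unsigned char sched[176]) {
    unsigned char rcon = 1;
    memcpy(sched, key, 16);
    for (int i = 16; i < 176; i += 4) {
        unsigned char t[4];
        memcpy(t, sched + i - 4, 4);
        if (i % 16 == 0) {                         /* RotWord, SubWord, Rcon */
            unsigned char t0 = t[0];
            t[0] = sbox[t[1]] ^ rcon; t[1] = sbox[t[2]]; t[2] = sbox[t[3]]; t[3] = sbox[t0];
            rcon = gmul(rcon, 2);
        }
        for (int j = 0; j < 4; j++) sched[i + j] = sched[i - 16 + j] ^ t[j];
    }
}

/* Scan an image for an AES-128 key schedule. Returns the offset of the first
 * match (the 16-byte key is at that offset) or -1. */
long find_aes128_schedule(const unsigned char *img, size_t len) {
    unsigned char sched[176];
    init_sbox();
    for (size_t off = 0; off + 176 <= len; off++) {
        aes128_expand(img + off, sched);
        if (memcmp(sched + 16, img + off + 16, 160) == 0) return (long)off;
    }
    return -1;
}

/* Constructed "memory dump": 4 KiB of xorshift noise with a schedule planted at
 * offset 1234. With corrupt != 0 one byte of the schedule is flipped, as a
 * partially overwritten key would appear, and the scan must then fail. */
long demo_scan(int corrupt) {
    static unsigned char img[4096];
    unsigned char key[16];
    unsigned int s = 0x9e3779b9u;
    for (size_t i = 0; i < sizeof img; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        img[i] = (unsigned char)s;
    }
    memcpy(key, "constructed-key!", 16);           /* arbitrary 16-byte key */
    init_sbox();
    aes128_expand(key, img + 1234);
    if (corrupt) img[1234 + 100] ^= 0x01;
    return find_aes128_schedule(img, sizeof img);
}
```

On a real dump from FireWire DMA the scan is the same, over a file of a few gigabytes, and the partially overwritten case matters: a schedule damaged by the acquisition itself (memory changing while it is read) still yields the key if the first 16 bytes survived and the check is relaxed to a large majority of matching bytes rather than all 160.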
-
12:15
»
Packet Storm Security Recent Files
A wide range of techniques can be used to find vulnerabilities and bugs in binary applications. The aim of this paper is to introduce the main concepts of in-memory fuzzing, to summarize its advantages and drawbacks, and to present the debugging library currently being developed by High-Tech Bridge to help build in-memory fuzzers.
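The idea the paper introduces, in working code as an added example (this is not High-Tech Bridge's library): rather than restarting the target for every test case, an in-memory fuzzer snapshots the process state, mutates the input buffer in place, calls the function under test, and throws the damaged state away. Here fork() plays the role of snapshot and restore, an assumption made to keep the example self-contained; the paper's library does the same job from a debugger. The target parser, the mutation schedule and the seed record are all constructed for the example, and the parser's abort() on the malformed case stands in for the memory-safety crash a real bug would produce.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

typedef void (*target_fn)(const unsigned char *buf, size_t len);

/* Constructed target: byte 0 declares a payload length. If it exceeds the
 * 127-byte record body the parser hits its "corrupt state" branch and calls
 * abort(), standing in for a real memory-safety crash. Not a real bug. */
void toy_parse(const unsigned char *buf, size_t len) {
    if (len == 0) return;
    size_t declared = buf[0];
    if (declared > 0x7f) abort();
    (void)declared;            /* normal processing of the payload would follow */
}

/* Deterministic mutator: iteration i overwrites byte i % len with (i * 37) & 0xff. */
void mutate(unsigned char *buf, size_t len, unsigned iter) {
    if (len) buf[iter % len] = (unsigned char)(iter * 37u);
}

/* In-memory fuzzing loop. fork() is the snapshot: the child mutates its private
 * copy-on-write copy of the input, calls the target once, and exits; the parent
 * is the untouched snapshot and only counts deaths by signal.
 * Returns the number of iterations that died by signal, or -1 if fork failed. */
int fuzz_in_memory(target_fn target, const unsigned char *seed, size_t len, unsigned iters) {
    int crashes = 0;
    for (unsigned i = 0; i < iters; i++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {
            unsigned char *buf = malloc(len ? len : 1);
            if (!buf) _exit(1);
            memcpy(buf, seed, len);
            mutate(buf, len, i);
            target(buf, len);
            _exit(0);          /* _exit: skip atexit handlers inherited from the parent */
        }
        int status = 0;
        if (waitpid(pid, &status, 0) == pid && WIFSIGNALED(status)) crashes++;
    }
    return crashes;
}

/* Constructed seed: an 8-byte record declaring a 4-byte payload, well formed. */
static const unsigned char seed_record[8] = {4, 'a', 'b', 'c', 'd', 0, 0, 0};

int demo_crash_count(unsigned iters) {
    return fuzz_in_memory(toy_parse, seed_record, sizeof seed_record, iters);
}
```

The crash count is exact because the mutator is deterministic: byte 0 is touched on every eighth iteration, and the first value it receives that exceeds 0x7f is at iteration 32, so 32 iterations find nothing and 64 find three. The drawback the paper mentions shows up here too: the harness knows nothing about state the target set up before the snapshot, so a function that depends on earlier calls is fuzzed from whatever state the snapshot happened to capture.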
-
16:00
»
SecuriTeam
The Konqueror web browser is vulnerable to a number of memory corruption vulnerabilities.
-
13:32
»
Carnal0wnage
People tend to focus on various areas as being important for computer security such as memory corruption vulnerabilities, malware, anomaly detection, etc. However the lurking and most critical issue in my opinion is staffing. The truth is, there is no pool of candidates out there to draw from at a certain level in computer security. As an example, we do a lot of consulting, especially in the area of incident response, for oil & gas, avionics, finance, etc. When we go on site we find that we have to have the following skills:
1. Soft skills (often most important). The ability to talk to customers, dress appropriately, give presentations or speak publicly, assess the customer's staff, culture and politics, and determine the real goals. I can't stress enough how important this is. It's not the 90s anymore; showing up with a blue mohawk, a spike in the forehead and leather pants, not being a team player, cussing and surfing porn on the customer's system doesn't cut it no matter how good you are technically. If you are that guy then you get to stay in the lab and I guarantee you will make far less money, even if you can write ASLR bypass exploits and kernel rootkits.
2. Document. This ties with the above for number 1. If you didn't document it, you didn't do it. I don't care how awesome an 0day you discovered, or what race condition in the kernel you found. If you can't clearly document it, the customer doesn't care and sees no value in what you did. The documentation has to be clean, clear, laid out so that an executive can understand it and so that the other security firm the customer hires to validate your results doesn't make fun of you.
3. The ability to mine disparate sets of data. This means taking in Apache logs, Windows event logs, proxy logs, full packet captures. Handling, splitting and moving terabytes of data. Writing data mining code in sed/awk/bash/perl/python/ruby. Correlating events, cutting out desired fields, reassembling binary files from packets, etc. Using graphics visualization packages to map out an intruder's connections on a network based on netflow data.
4. Reverse engineering. This means disassembling binaries in IDA, running binaries in a debugger such as OllyDbg, WinDBG or IDA, memory forensics, and especially de-obfuscation. Can you unpack a binary? How about if the packer is multi-stage and does memory page checksumming? What if the packer carries its own virtual machine? Do you know what breakpoints to set, when to change the Z flag, or how to hot patch a binary in memory?
5. Understanding programming. To be good at this stuff you need to know C, C++, .NET, VB, HTML, ASP, PHP, x86 assembly and another dozen languages, at least well enough to look up APIs, understand standard libraries and discover which imports are important.
6. Operating systems. You should know the ins and outs, including file systems, memory management, kernel, library system and key command line tools, of at least half a dozen OSes, especially as they are used in enterprise environments: domains, NFS, NIS, Kerberos, LDAP. So not only Windows, Linux and OS X, but also Solaris, AIX and some embedded or mobile systems.
7. Exploit development. Often on engagements you run across an exploit or even an 0day that you must reverse engineer, replicate safely and test on the customer's particular environment. You have to be able to take it apart, analyse the shellcode, understand everything it's doing and re-write your own version of it.
8. Versatility with a wide variety of tools, many of which are not easy to access outside of the enterprise. At a minimum, enough technical base knowledge to use whatever tool is put in front of you. Examples include Wireshark, Splunk, FireEye, NetWitness, ArcSight, TippingPoint, Snort/Sourcefire, Blue Coat, Websense, TMI, EnCase.
All of the members of your team whether you are a consulting shop or an internal incident response team need to be able to do these things and overlap with each other. Some can be stronger in RE than network forensics but everyone has to be able to do all of it to some extent, especially 1 and 2.
The problem with this? These people don't exist; they are unicorns. Those who can do this are either already employed, well paid and tackling more interesting problems than you can offer, or they are running/partners in their own company that you could (and should) outsource to. </shameless self promotion>. But even small boutiques that can do the above are rare, heavily booked, and charging close to high-powered lawyer hourly rates. (When people question rates I point out that big name IR shops are around $400/hr and even the Best Buy Geek Squad charges $120/hr to reload your OS.)
A lot of big contractors are trying to approach security like they did IT in the 90s and 00's. Bid low, win a huge contract, then put out job ads for anyone who knows how to use a computer. The problem is, while you can come up to speed for a help desk or to admin a windows server relatively quickly, the above list of skills takes a decade + to master. So big contractors are failing, badly, and trying to buy up the small guys. But there is another problem there as well.
People who are able to do the above 1) value freedom highly and don't want to work 9 to 5 in a cube farm and 2) don't want to live or work for long periods of time onsite where you are. They don't want to live in Houston or in Cleveland or in Indianapolis or probably even in the DC area. They want to live in La Jolla and San Francisco and New York, and someone, somewhere is willing to pay them a lot to do it, and probably do it remotely most of the time, so you are going to lose there.
In response, many companies try to follow the old plan of recruiting at colleges. In a lot of cases these students come out knowing some Office and probably some Java and that's about it. You might luck out and get a good RIT, Georgia Tech, New Mexico Tech student who knows more but most likely these have already been recruited to the government or somewhere else. And the learning curve time is long enough that by the time they are really good, they have already moved on. This kind of work is PRIME for remote. Let people come in for a week every other month. If you require internal security people to be on site all the time in some crappy city you will fail.
On the security company side you have the same problem, no one to hire. So many security companies, in order to grow (because the way you make money in services is via higher staffing levels) hire whatever they can find and field them. This continues the trend in mediocre security, companies getting owned, PCI, etc. Boutiques cannot grow to the size necessary to win the bigger contracts because there is no one to hire.
The solution many companies have been trying out is to focus on buying appliances and contracting pro services to set them up and hope that automation can solve the problem. It cannot. Here is a perfect example. A customer has a box that detects malware in email attachments. It flagged a PDF as highly malicious. We decided to check it out, and at first glance it looked very bad. It had all the classic signs of an exploit, heap spray, etc. You couldn't tell the difference between it and another verified malicious PDF. However, upon further inspection we discovered that a popular AutoCAD-type program generated legitimate PDFs that looked this way. This is something that is not automatable. You must have an experienced and skilled analyst to do this. No amount of rack mount, fancy logo appliances will help you. And the bigger your enterprise the more you need. Every enterprise block of 30 - 50k IPs needs a team of 5 - 10 people.
Which leads me to the next issue: how you perceive your staffing resources. Example: one company I saw said they had a staff of 12 analysts to deal with security detection and response. I thought, wow, pretty good! Let's break the team down:
- A manager, full time in meetings, paperwork, etc.
- An assistant to the manager, secretarial work, etc.
- 3 senior advisers, i.e. guys about to retire, smart guys who give great advice and hold institutional knowledge, but not analysts
- 5 people involved in tool testing, stand up and maintenance (all those boxes I mentioned before). Great guys, not analysts or really involved in analysis
- 1 Developer mostly focused on designing queries and interfaces for the tools.
- 1 Actual analyst.
While management believes they have 12 people and doesn't understand why things take so long they actually have 1 person. This situation is very common in big companies. 1 good analyst for an enterprise is not NEARLY enough. And you can't be reliant on a specific person unless you want to set yourself up for a disaster (while at the same time you must cultivate and care for those star players).
That's my case for why staffing is the most important issue we face in computer security. What is the solution? Some would say training, but let's be honest, were you back home writing rootkits for work after taking Hoglund and Butler's class at Black Hat? Probably not. Have you found piles of valuable 0day after completing Halvar's most excellent course in Vegas? I doubt it. A 2 day - 1 week course isn't doing it. Going through the entire SANS curriculum isn't doing it and CISSP sure as hell isn't doing it.
You have to spend around 6hrs a day, after work, highly focused on coding, reversing, etc. for a minimum of 2 years to be decent. That is how the adversary does it. That's how the big name researchers and the best staff do it, and unfortunately you only need a couple of attackers for every 10 defenders out there.
V.
-
-
15:46
»
Packet Storm Security Advisories
The Perl 5 interpreter contains a memory corruption bug that results in memory disclosure and potentially arbitrary code execution when large values are supplied to the x (string repetition) operator.
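The advisory names the trigger (a large repetition count) but not the mechanism. The bug class behind "large count to a repetition operator" is shown below as an added example: the result length is computed in a fixed-width integer, wraps, a short buffer is allocated, and the copy then writes far past it. This is an illustration, not the Perl interpreter's own pp_repeat code; the 32-bit length type is an assumption chosen so the wraparound is visible on any host, and the hardened version beside it is the check a practitioner would add.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelling the repetition-length overflow; not Perl's code.
 * len_t is the (assumed) fixed-width type the result length is computed in. */
typedef uint32_t len_t;

/* What the unchecked computation would allocate for: silently wraps. */
len_t repeat_len_unchecked(len_t piece_len, len_t count) {
    return piece_len * count;            /* 4 * 0x40000001 wraps to 4 */
}

/* Hardened repeat: refuses any count whose product cannot be represented.
 * Returns a malloc'd NUL-terminated string, or NULL on overflow or OOM. */
char *repeat_checked(const char *piece, len_t count, len_t *out_len) {
    size_t raw = strlen(piece);
    if (raw > UINT32_MAX - 1) return NULL;
    len_t piece_len = (len_t)raw;
    if (piece_len != 0 && count > (UINT32_MAX - 1) / piece_len)
        return NULL;                     /* piece_len * count + 1 would not fit in len_t */
    len_t total = piece_len * count;
    char *buf = malloc((size_t)total + 1);
    if (!buf) return NULL;
    for (len_t off = 0; off < total; off += piece_len)
        memcpy(buf + off, piece, piece_len);
    buf[total] = '\0';
    if (out_len) *out_len = total;
    return buf;
}

/* Helper for checking results: 1 if repeat_checked(piece, count) yields
 * expected; expected == NULL means the call must be rejected. */
int repeat_checked_matches(const char *piece, len_t count, const char *expected) {
    len_t n = 0;
    char *s = repeat_checked(piece, count, &n);
    int ok;
    if (!s) {
        ok = (expected == NULL);
    } else {
        ok = expected && strcmp(s, expected) == 0 && n == strlen(expected);
        free(s);
    }
    return ok;
}
```

The check divides rather than multiplies so that the comparison itself cannot overflow; the extra 1 accounts for the terminator. With an empty piece the product is zero for any count, so the count is irrelevant and the loop never runs.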
-
-
17:00
»
SecuriTeam
This allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors; it is a different vulnerability than the other Flash Player memory corruption CVEs listed in APSB12-22.
-
-
17:00
»
SecuriTeam
This allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1.
-
-
21:28
»
SecDocs
Authors: Giovanni Gola, Vincenzo Iozzo
Tags: reverse engineering, vulnerability, static analysis
Event: Black Hat DC 2011
Abstract: Memory corruption bugs such as dangling pointers, double frees and uninitialized memory are among the open issues in application security. Finding dangling pointers and similar vulnerabilities in large code bases is arguably harder than finding overflows because of the complexity and heterogeneity of applications' memory management. Fuzzing has proven to be an effective method for finding such bugs in browsers and similar COTS applications; nonetheless, it is not uncommon to see bugs found by fuzzers burned after a short time because the same vulnerabilities are rediscovered by several parties. This talk discusses the challenges of finding such bugs with static analysis and the results obtained, specifically the algorithms and techniques borrowed from program analysis and graph theory that can be employed to achieve this goal. It also discusses what improvements can be made to increase precision and reduce the number of false positives.
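What "finding dangling pointers with static analysis" means at its smallest, as an added example that is not the authors' tool: track which allocation each variable points to, mark the allocation dead at free, and report any later use or free through any alias of it. The three-instruction IR, the straight-line (no branches) programs and the variable limits are assumptions made for the example; the talk's approach adds control flow (reachability over the CFG, hence the graph theory) and interprocedural points-to, which is exactly where the false positives it discusses come from.

```c
#include <stddef.h>

/* Added example: toy flow-sensitive dangling-pointer checker over a
 * straight-line three-address program. Not the authors' tool. */
enum op { ALLOC, FREE, USE, COPY };
struct insn { enum op op; int dst, src; };   /* dst/src are variable indices */

#define MAX_VARS 16
#define MAX_ALLOCS 64

/* Returns the index of the first instruction that uses or frees an already
 * freed allocation, -1 if there is none, or -2 if the program is malformed. */
int first_dangling_use(const struct insn *prog, size_t n) {
    int points_to[MAX_VARS] = {0};      /* 0 = points to nothing */
    int freed[MAX_ALLOCS] = {0};        /* freed[id] = 1 once allocation id is dead */
    int next_id = 1;
    for (size_t i = 0; i < n; i++) {
        const struct insn *in = &prog[i];
        if (in->dst < 0 || in->dst >= MAX_VARS || in->src < 0 || in->src >= MAX_VARS) return -2;
        switch (in->op) {
        case ALLOC:
            if (next_id >= MAX_ALLOCS) return -2;
            points_to[in->dst] = next_id++;          /* fresh allocation, live */
            break;
        case COPY:
            points_to[in->dst] = points_to[in->src]; /* dst becomes an alias of src */
            break;
        case FREE: {
            int id = points_to[in->dst];
            if (id && freed[id]) return (int)i;      /* double free */
            if (id) freed[id] = 1;
            break;
        }
        case USE: {
            int id = points_to[in->dst];
            if (id && freed[id]) return (int)i;      /* use after free through this alias */
            break;
        }
        }
    }
    return -1;
}

/* Constructed programs (variables 0 = p, 1 = q). */
/* p = alloc; q = p; free(p); use(q)   -> dangling use through the alias, at 3 */
static const struct insn uaf_via_alias[] = {
    {ALLOC, 0, 0}, {COPY, 1, 0}, {FREE, 0, 0}, {USE, 1, 0}
};
/* p = alloc; q = p; free(p); free(q)  -> double free, at 3 */
static const struct insn double_free[] = {
    {ALLOC, 0, 0}, {COPY, 1, 0}, {FREE, 0, 0}, {FREE, 1, 0}
};
/* p = alloc; free(p); p = alloc; use(p) -> p was reassigned, clean */
static const struct insn realloc_ok[] = {
    {ALLOC, 0, 0}, {FREE, 0, 0}, {ALLOC, 0, 0}, {USE, 0, 0}
};

int check_uaf_via_alias(void) { return first_dangling_use(uaf_via_alias, 4); }
int check_double_free(void)   { return first_dangling_use(double_free, 4); }
int check_realloc_ok(void)    { return first_dangling_use(realloc_ok, 4); }
```

The alias case is the one fuzzers reach only by luck: the freed object is never touched through the pointer that freed it, so there is no crash unless the allocator happens to hand the memory out again before the use through q. The checker flags it regardless of allocator behaviour, which is the precision-versus-false-positive trade the abstract refers to once aliasing through fields, arrays and function calls is added.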
-
17:01
»
Packet Storm Security Advisories
Core Security Technologies Advisory - A vulnerability exists in atas32.dll affecting Cisco WebEx Player version 3.26 that allows an attacker to corrupt memory, which may lead to code execution in the context of the currently logged on user.
-
-
6:00
»
Hack a Day
For the longest time, hardware tinkerers have only been able to play around with two types of memory. RAM, including static RAM and dynamic RAM, can be exceedingly fast but is volatile and loses its data when power is removed. Non-volatile memory such as EPROMs, EEPROMs, and Flash memory retains its state after power is removed, but [...]
-
-
21:47
»
SecDocs
Authors: Markus Schaber
Tags: software development
Event: Chaos Communication Congress 21st (21C3) 2004
Abstract: As last year, examples of strange programming (art)work will be shown. In addition to the funny and sporting disciplines known from last year, some examples of painful production code will be presented. The first part of the presentation will, like last year's, shed some light on the funny and sporting disciplines of the art of programming. Besides new examples in disciplines that were presented last year, like obfuscated programming and shortest code, Core Wars and demo coding are new on the agenda. In Core Wars, a number of programs run in parallel in the same memory. (This is a typical von Neumann machine with multitasking but without memory protection.) The goal is to write a program that survives as long as possible while quickly erasing the other programs from memory. Demo coders try to exploit given, limited (and often legacy) hardware through crafty software, creating unexpected effects and surprising results. At so-called demo parties these programs are presented, and sometimes high-value prizes are awarded; the winners are, e.g., 3D first-person shooters in 64k and video clips with sound in 4k. The second part of the lecture introduces some creatively designed programming languages, in particular the two projects "Argh!" and "repsub". Both evolved in the orbit of the CCC. Argh! and its derivative Aargh! are somewhat similar to Befunge in that they are two-dimensional virtual machines; both were adjusted to fit the special needs of ordinary Unix text-mode terminals. Repsub has the high ideal of being a democratic programming environment: all memory cells enjoy equal rights and can be processed in a highly parallel fashion. It has been mathematically proven that this pattern-matching-and-replacement based programming language is Turing complete. Finally, the third part introduces some extra painful examples of production code. A fertile source for those are commercially developed projects that were open-sourced afterwards; from time to time they create the impression that the developers lost control of their own code and now hope the community will help them find a way out of their maintenance nightmare. The CCC ErfA group Ulm is planning to hold a shortest-C coding contest at this Congress. We learned our lesson from last year's contest, so the rules will be much simplified.
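The Core Wars setting the abstract describes, several programs sharing one memory with no protection between them, each trying to overwrite the others, in working code as an added example that is not from the talk: a minimal Core War-style machine running the two classic warriors, Imp (copies itself one cell forward each turn) and Dwarf (stays put and bombs every fourth cell with a DAT). The four opcodes, three addressing modes, core size of 8000 and turn order are simplifications assumed for the example; a real MARS/Redcode machine has more of each.

```c
#include <string.h>

/* Added example: a minimal Core War-style machine. Constructed for illustration;
 * the opcode set, addressing modes and CORE = 8000 are assumptions. */
#define CORE 8000
enum op   { DAT, MOV, ADD, JMP };
enum mode { IMM, DIR, IND };   /* #n immediate, n direct (pc-relative), @n indirect via B-field */
struct cell { enum op op; enum mode am, bm; int a, b; };
struct proc { int pc; int alive; };

static struct cell core[CORE];     /* one shared memory, no protection between warriors */

static int wrap(int x) { x %= CORE; return x < 0 ? x + CORE : x; }

/* Resolve an operand to an absolute core address; an immediate "points at" its own instruction. */
static int resolve(int pc, enum mode m, int v) {
    int addr = wrap(pc + v);
    if (m == IMM) return pc;
    if (m == IND) return wrap(addr + core[addr].b);
    return addr;
}

/* Execute one instruction of process p. Executing a DAT kills the process. */
static void step(struct proc *p) {
    struct cell in = core[p->pc];
    int a = resolve(p->pc, in.am, in.a);
    int b = resolve(p->pc, in.bm, in.b);
    switch (in.op) {
    case DAT: p->alive = 0; return;
    case MOV: core[b] = core[a]; break;                         /* copy a whole cell */
    case ADD: core[b].b += (in.am == IMM) ? in.a : core[a].b; break;
    case JMP: p->pc = a; return;
    }
    p->pc = wrap(p->pc + 1);
}

static void load(int at, const struct cell *prog, int n) {
    for (int i = 0; i < n; i++) core[wrap(at + i)] = prog[i];
}

/* Imp: copies itself one cell forward every turn, crawling through the core. */
static const struct cell imp[] = { {MOV, DIR, DIR, 0, 1} };
/* Dwarf: bombs every fourth cell with DAT while sitting still. */
static const struct cell dwarf[] = {
    {ADD, IMM, DIR, 4, 3},      /* bump the bomb's B-field by 4 */
    {MOV, DIR, IND, 2, 2},      /* copy the DAT to the address its B-field now points at */
    {JMP, DIR, DIR, -2, 0},     /* loop */
    {DAT, IMM, IMM, 0, 0}       /* the bomb, doubling as the pointer */
};

/* Dwarf at address 0 versus Imp at imp_at, alternating turns, Dwarf first.
 * Returns the cycle on which a warrior died and sets *winner (0 = Dwarf, 1 = Imp),
 * or -1 with *winner = -1 if both survive max_cycles. */
int battle(int imp_at, int max_cycles, int *winner) {
    memset(core, 0, sizeof core);          /* empty core is all DAT 0,0: lethal to step on */
    load(0, dwarf, 4);
    load(imp_at, imp, 1);
    struct proc d = {0, 1}, i = {wrap(imp_at), 1};
    for (int c = 0; c < max_cycles; c++) {
        step(&d); if (!d.alive) { *winner = 1; return c; }
        step(&i); if (!i.alive) { *winner = 0; return c; }
    }
    *winner = -1;
    return -1;
}

/* Cycle on which Dwarf killed an Imp placed at imp_at, or -1 if it did not. */
int dwarf_kills_imp_at(int imp_at) {
    int w;
    int c = battle(imp_at, 100000, &w);
    return (w == 0) ? c : -1;
}
```

The outcome is fully determined by placement and timing: the Imp executing cell imp_at + c on cycle c dies only if the Dwarf's bomb lands on that exact cell on that exact cycle, since any earlier bomb ahead of it is overwritten by the Imp's own copy. With the Imp at 100 that coincidence happens on cycle 283; with the Imp at 8, on cycle 7. The same absence of memory protection is what makes self-modifying code and code injection possible on an ordinary von Neumann machine, which is why the game is a recurring teaching example.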
-
-
21:42
»
SecDocs
Authors:
Markus Schaber Tags:
software development Event:
Chaos Communication Congress 21th (21C3) 2004 Abstract: Like in the last year, examples of strange programming (art)work will be shown. In addition to the funny and sportive disciplines known from last year, some examples of painful production code will be presented. Wie letztes Jahr werden wieder beispielhaft grenzwertige Programmier- (kunst)werke beleuchtet. Neben den spassig-sportlichen "Disziplinen" werden diesmal auch schmerzhafte Beispiele von Produktivcode vorgestellt. The first part of the presentation will - similar to last years presentation - shed some light on the funny and sportive disciplines of the art of programming. Besides new examples in disciplines that were presented last year, like obfuscated programming and shortest code, core wars and demo coding are new in the agenda. In core wars, we have a bunch of programmes running in parallel in the same memory. (This is a typical Von-Neumann machine with multitasking, but without memory protection.) The goal is to create a program that survives as long as possible, but at the same time quickly erases the other programs from memory. Demo coders try to exploit a given, limited (and often legacy) hardware through the use of crafty software, and thus create unexpected effects and surprising results. On so-called demo partys, those programs are presented, and sometimes even some high valued prices are put up. The winners are e. G. 3D first person shooters in 64k and video clips with sound in 4k. In the second part of the lessons, some creatively designed programming languages will be introduced. Especially, the two projects "Argh!" and "repsub" will be presented. Both of them evolved in the orbit of the CCC. Argh! and its derivative Aargh! are somehow similar to BeFunge in that they are two dimensional virtual machines. Argh! and Aargh! were both adjusted to fit the special needs of customary unix text mode terminals. Repsub has the high ideal to be a democratic programming environment. 
All memory cells enjoy equal rights, and can be processed highly parallel. It is mathematically proved that this pattern-matching and replacement based programming language is touring complete. Finally, the third part will introduce some extra painful examples of production code. A fertile source for those are some commercially developed projects that were open-sourced afterwards. From time to time, those create the impression that the developers lost control of their own code. They now hope the community will help them to find the way out of their maintainance nightmare. The CCC ErfA Group Ulm is planning to hold a shortest C coding contest on this Congress. We learned our lession from the last years contest, so the rules will be much simplified. Der erste Teil des Vortrages beleuchtet - ähnlich wie der letztjährige Vortrag - die spassig-sportlichen Disziplinen der Programmierkunst. Neben den bereits im letzten Jahr beleuchteten Disziplinen wie obfuscated Programming und shortest Code stehen auch Core Wars und Demo Coding auf dem Programm.
-
-
23:55
»
Packet Storm Security Advisories
Apple Security Advisory 2012-09-24-1 - Apple TV 5.1 is now available and addresses issues relating to malicious media loading, memory corruption, and more.
-
-
21:52
»
SecDocs
Authors:
Yves Younan Tags:
C / C++ Event:
Chaos Communication Congress 22nd (22C3) 2005 Abstract: This talk will discuss a variety of memory allocators that are available for C and C++ and how they can be exploited. Afterwards I will describe our modification to one of these memory allocators that makes it more resilient to attacks. While stack-based buffer overflows have dominated the vulnerabilities which can cause code injection attacks, heap-based buffer overflows and dangling pointer references to heap memory are also important avenues of attack. In this talk we will describe how attackers can exploit many common memory allocators. We will discuss the memory allocator used in Linux (dlmalloc), the one from FreeBSD (phkmalloc), two academic allocators (CSRI, Quickfit) and Boehm's garbage collector. We will then discuss our more secure memory allocator (called dnmalloc) and will also describe several countermeasures that exist to protect against these attacks: Robertson's heap protector, glibc 2.3.5's integrity checks, ContraPolice and others. This talk will also mark the first public release of dnmalloc, the more secure memory allocator that I will be talking about.
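The abstract above is about allocator metadata as an attack surface and about what glibc 2.3.5's integrity checks defend against. As an added illustration that is not from the talk, from dnmalloc or from any real allocator, the C below models two adjacent chunks with dlmalloc-style inline boundary tags: an overflow from the in-use chunk forges the free chunk's fd/bk links, and the classic unlink step turns that into a write of an attacker-chosen pointer into an attacker-chosen location (here a slot standing in for a function pointer). The same forged chunk fails the back-pointer check that glibc 2.3.5 added. The chunk layout, the arena struct, the hook slot and the payload are all constructed for this demo.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy chunk with inline metadata, dlmalloc-style: the free-list links sit
 * just before the user data, so an overflow from the previous chunk's data
 * lands on them. The layout is an assumption for this demo, not dlmalloc's. */
struct chunk {
    size_t size;            /* chunk size (kept for shape, unused below) */
    struct chunk *fd;       /* next chunk on the free list (valid while free) */
    struct chunk *bk;       /* previous chunk on the free list */
    unsigned char data[32]; /* user data of an in-use chunk */
};

/* Constructed arena: list sentinel, in-use chunk A directly followed by free
 * chunk B, a writable scratch area, and a slot playing a function pointer. */
struct arena {
    struct chunk head;
    struct chunk a;
    struct chunk b;
    struct chunk scratch;
    struct chunk *hook;     /* the attacker's target */
};

/* Classic unlink as older allocators did it: trusts fd and bk blindly.
 * "fd->bk = bk" stores attacker-chosen bk at attacker-chosen fd + offset. */
static void unlink_unchecked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;
    bk->fd = fd;
}

/* glibc 2.3.5-style check: both neighbours must point back at p.
 * Returns 0 on success, -1 if the list is corrupted (nothing is written). */
static int unlink_checked(struct chunk *p) {
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p) return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

static void setup(struct arena *s) {
    memset(s, 0, sizeof *s);
    s->hook = NULL;
    s->a.size = s->b.size = sizeof(struct chunk);
    s->head.fd = s->head.bk = &s->b;   /* free list: head <-> b */
    s->b.fd = s->b.bk = &s->head;
}

/* The bug: A's 32-byte buffer receives more than 32 bytes, so B's header is
 * overwritten with a forged size, fd and bk (constructed payload). fd is chosen
 * so that &fd->bk == &s->hook; bk is the value that ends up there. bk must be a
 * writable address because the second store in unlink goes through it. */
static void overflow_from_a(struct arena *s) {
    struct chunk *fake_fd = (struct chunk *)((unsigned char *)&s->hook - offsetof(struct chunk, bk));
    struct chunk *fake_bk = &s->scratch;
    size_t fake_size = sizeof(struct chunk);
    unsigned char payload[32 + sizeof fake_size + sizeof fake_fd + sizeof fake_bk];
    size_t off = 0;
    memset(payload, 'A', 32);                             off += 32;
    memcpy(payload + off, &fake_size, sizeof fake_size);  off += sizeof fake_size;
    memcpy(payload + off, &fake_fd, sizeof fake_fd);      off += sizeof fake_fd;
    memcpy(payload + off, &fake_bk, sizeof fake_bk);
    /* the vulnerable copy: length comes from the input, not from sizeof a.data */
    assert(offsetof(struct arena, b) == offsetof(struct arena, a) + sizeof(struct chunk));
    memcpy((unsigned char *)s + offsetof(struct arena, a) + offsetof(struct chunk, data),
           payload, sizeof payload);
}

/* Returns 1 if the unchecked unlink let the overflow redirect the hook slot. */
int demo_unlink_hijack(void) {
    struct arena s;
    setup(&s);
    overflow_from_a(&s);
    unlink_unchecked(&s.b);   /* what freeing A would do when coalescing with B */
    return s.hook == &s.scratch;
}

/* Returns 1 if the integrity check rejected the forged chunk and hook is intact. */
int demo_unlink_detected(void) {
    struct arena s;
    setup(&s);
    overflow_from_a(&s);
    return unlink_checked(&s.b) == -1 && s.hook == NULL;
}

/* Returns 1 if an uncorrupted list passes the check and B is unlinked. */
int demo_unlink_benign(void) {
    struct arena s;
    setup(&s);
    return unlink_checked(&s.b) == 0 && s.head.fd == &s.head && s.head.bk == &s.head;
}

int main(void) {
    printf("unchecked unlink hijacked hook:  %d\n", demo_unlink_hijack());
    printf("checked unlink caught corruption: %d\n", demo_unlink_detected());
    printf("checked unlink on clean list ok:  %d\n", demo_unlink_benign());
    return 0;
}
```

The check only detects a forgery whose fake neighbours do not point back at the chunk; keeping the free-list links out of line, which is the direction dnmalloc takes, removes the overwrite target instead of detecting the write after the fact.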
-
-
4:00
»
Hack a Day
NAND flash, the same memory chips found in everything from USB thumb drives to very expensive solid state disk drives, are increasingly common. As they (partially) serve as the storage for cellphones, Wiis, routers and just about every piece of consumer electronic devices, you’re probably surrounded by dozens of NAND chips at any one time. [...]
-
-
21:31
»
SecDocs
Authors:
Alan Bradley Tags:
reverse engineering rootkit Event:
Chaos Communication Congress 23rd (23C3) 2006 Abstract: This talk will cover two rootkits used as reverse engineering tools, one rootkit support library, one IDA plugin, and talk setup material. The talk itself will be given over VoIP and VNC running over the Tor network to demonstrate a proof of concept for anonymous public speech. This talk will present Tron, an extension of the Shadow Walker memory cloaker technique. Tron is a kernel driver that can cloak userland memory, and provides an API that allows the user to cloak arbitrary process memory, set permissions, signal changes of trust, conceal DLLs, and read/write hidden memory. An accompanying IDA plugin that uses this API to conceal software breakpoints will be discussed, and Another Debugger Hiding Driver, or ADHD, will be presented as well. While these tools have many legitimate uses, from malware analysis to legal reverse engineering and program modding, it is possible that Tron in particular can be used as a component of a "copyright circumvention device", which renders it prohibited by the US DMCA. For this reason, but more so out of a desire to demonstrate a "proof of concept" for how to speak publicly while anonymous, the speaker will be giving the talk over VoIP and VNC relayed through the Tor network. In addition to taking questions over VoIP, the speaker will also be briefly available on IRC afterwards for questions and discussion about Tron, reverse engineering, and the speech setup.
-
-
17:00
»
SecuriTeam
OpenStack Nova is prone to a memory-corruption vulnerability.
-
-
21:48
»
SecDocs
Authors:
Torbjörn Pettersson Tags:
forensic cryptography Event:
Chaos Communication Camp 2007 Abstract: Cryptoloop and dm-crypt are the two disk encryption solutions provided by the stock Linux kernel. This lecture will describe in detail how to find and reuse cryptoloop and dm-crypt keys from kernel memory. When disk encryption is done right it is virtually impossible to break, but as with any security function it is never stronger than its weakest link. Out of necessity, keys need to be stored in cleartext in memory during use and can be collected by anyone with access to a memory dump of the system. This presentation will go into the details of how cryptographic keys used by dm-crypt and cryptoloop are stored and used in the Linux 2.6 kernel series and how they can be recovered and reused.
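The abstract above states that the dm-crypt key sits in cleartext in kernel memory and can be taken from a dump. The usual way to locate it without knowing the kernel's data structures is to look for the AES key schedule rather than the bare key: the expanded round keys are a deterministic function of the key, so a 16-byte window whose expansion matches the 160 bytes that follow it is a key with overwhelming likelihood (the approach of the cold-boot aeskeyfind tool). The C below is an added example, not from the talk: it generates the S-box, implements FIPS-197 AES-128 key expansion, scans a constructed memory image for a planted schedule and self-checks against the FIPS-197 test vector. It assumes the schedule lies contiguously in memory in FIPS byte order; whether a particular kernel's AES context stores it that way must be checked against that kernel, and the planted key "dm-crypt demokey" and the LCG filler are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* AES S-box, generated at first use (GF(2^8) inverse followed by the affine map). */
static uint8_t sbox[256];
static int sbox_ready;

#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))

static void init_sbox(void) {
    uint8_t p = 1, q = 1;
    do {                                              /* invariant: p * q == 1 in GF(2^8) */
        p = p ^ (p << 1) ^ (p & 0x80 ? 0x1B : 0);     /* p *= 3 */
        q ^= q << 1; q ^= q << 2; q ^= q << 4;
        q ^= q & 0x80 ? 0x09 : 0;                     /* q /= 3 */
        sbox[p] = q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4) ^ 0x63;
    } while (p != 1);
    sbox[0] = 0x63;                                   /* 0 has no inverse */
    sbox_ready = 1;
}

static const uint8_t rcon[10] = {0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1B,0x36};

/* FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys). */
void aes128_expand(const uint8_t key[16], uint8_t sched[176]) {
    if (!sbox_ready) init_sbox();
    memcpy(sched, key, 16);
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4];
        memcpy(t, sched + i - 4, 4);
        if (i % 16 == 0) {                 /* RotWord, SubWord and Rcon on every 4th word */
            uint8_t first = t[0];
            t[0] = sbox[t[1]] ^ rcon[i / 16 - 1];
            t[1] = sbox[t[2]];
            t[2] = sbox[t[3]];
            t[3] = sbox[first];
        }
        for (int j = 0; j < 4; j++) sched[i + j] = sched[i - 16 + j] ^ t[j];
    }
}

/* Scan a memory image byte by byte: treat each 16-byte window as a candidate key,
 * expand it, and report the offset where the next 160 bytes equal the rest of the
 * schedule. Returns -1 if nothing matches. Random data cannot satisfy a 160-byte
 * constraint by chance, so false positives are not a practical concern. */
long find_aes128_schedule(const uint8_t *img, size_t len) {
    uint8_t sched[176];
    for (size_t off = 0; off + 176 <= len; off++) {
        aes128_expand(img + off, sched);
        if (memcmp(sched + 16, img + off + 16, 160) == 0) return (long)off;
    }
    return -1;
}

/* Sanity check against FIPS-197 Appendix A.1: round-10 key of the test key is d0 14 f9 a8 ... */
int aes128_selftest(void) {
    static const uint8_t key[16]  = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                     0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
    static const uint8_t last[16] = {0xd0,0x14,0xf9,0xa8,0xc9,0xee,0x25,0x89,
                                     0xe1,0x3f,0x0c,0xc8,0xb6,0x63,0x0c,0xa6};
    uint8_t sched[176];
    aes128_expand(key, sched);
    return memcmp(sched + 160, last, 16) == 0;
}

/* Constructed "memory dump": LCG filler with one expanded key planted at a known
 * offset. Returns the offset the scanner reports (701 if it works). */
long demo_scan(void) {
    enum { LEN = 2048, PLANT = 701 };
    static uint8_t img[LEN];
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < LEN; i++) { x = x * 1664525u + 1013904223u; img[i] = (uint8_t)(x >> 24); }
    uint8_t key[16];
    memcpy(key, "dm-crypt demokey", 16);          /* constructed key, exactly 16 bytes */
    aes128_expand(key, img + PLANT);
    return find_aes128_schedule(img, LEN);
}

int main(void) {
    printf("FIPS-197 self-test: %s\n", aes128_selftest() ? "ok" : "FAIL");
    printf("planted schedule found at offset %ld (expected 701)\n", demo_scan());
    return 0;
}
```

On a real dump the same loop runs over the whole image; for AES-256 the window is 32 bytes and the schedule 240, and XTS or ESSIV setups hold more than one schedule, which is why recovered keys are usually found in pairs or alongside a second context.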
-
-
11:22
»
Packet Storm Security Exploits
This Metasploit module attempts to authenticate using a hard-coded backdoor password in the Simatic S7-300 PLC and dumps the device memory using system commands.
-
-
15:14
»
SecDocs
Tags:
memory Event:
Chaos Communication Congress 24th (24C3) 2007 Abstract: Since Java is widespread, automatic memory management is a commonly used technology. There are several approaches to memory management: real-time, parallel and probabilistic algorithms. The lecture will give an overview of different algorithms and current research topics. Doing memory management by hand is a hard task; most programmers fail to do it correctly, which leads to memory leaks. There are automated algorithms which collect memory that is no longer needed. This lecture will give a brief overview of the algorithms used in different programming language implementations and virtual machines, their deficiencies, and current research topics in this field. The history of garbage collection starts in 1960, when McCarthy used a mark-and-sweep garbage collector for Lisp at MIT. Reference counting (Collins, 1960, IBM) has been seen as an alternative to garbage collection. Nowadays, everything that reclaims memory automatically is considered garbage collection. A real-time garbage collector was developed by Baker in 1978 ("List Processing in Real Time on a Serial Computer"). It was a copying collector doing incremental, but not concurrent, collection. It had several deficiencies (it required special hardware, did not consider variable-sized requests for memory, and so on) but was extended by several researchers over the years. The Boehm GC is a conservative garbage collector for C and C++. It uses a mark-and-sweep algorithm. The Memory Pool System is a garbage collection framework which integrates different algorithms for different purposes. There is no need to sweep through strings in the hope of finding pointers to somewhere else. This garbage collector is highly optimized, well designed and tested (implemented at Capability Maturity Model level 3), with very few defects.
Different programming language implementations use a custom garbage collector; an overview of selected language implementations and their garbage collectors will be given.
-
-
12:01
»
Hack a Day
A picture’s worth a thousand words so what is a hat that can take 360 degree pictures worth? Just make sure you put it on whenever leaving the house and capturing that next memorable moment will be just one click of a button away. [Mikeasaurus] recently put together this… special… headgear. He used film-based disposable [...]
-
-
21:35
»
SecDocs
Authors:
Rose White Tags:
culture Event:
Chaos Communication Congress 25th (25C3) 2008 Abstract: Decades ago, Jorge Luis Borges wrote about infinite libraries and perfect memory with the slightly sad air of someone who'd seen those things and knew their faults. Today we work toward infinite libraries and perfect memory with little heed for the possible consequences. How could it be bad to have everything possible stored? To remember everything? I don't know that it will be bad, but I do know that it will be different from our current lives of loss and forgetting. Right now, storing pornography causes problems even for people who have nothing especially perverted to hide: A collection of pornography gets to the heart of what it means to be a private individual. As we move from mass media to individually produced media, from edited collections of porn (magazines, commercially produced films) to individual snapshots and youtube clips and stored bittorrents, the particularity of a collection of porn will be testimony to its owner's private set of tastes.
-
15:55
»
Packet Storm Security Advisories
Red Hat Security Advisory 2012-0731-01 - Expat is a C library written by James Clark for parsing XML documents. A denial of service flaw was found in the implementation of hash arrays in Expat. An attacker could use this flaw to make an application using Expat consume an excessive amount of CPU time by providing a specially-crafted XML file that triggers multiple hash function collisions. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions. A memory leak flaw was found in Expat. If an XML file processed by an application linked against Expat triggered a memory re-allocation failure, Expat failed to free the previously allocated memory. This could cause the application to exit unexpectedly or crash when all available memory is exhausted.
-
-
7:53
»
Packet Storm Security Exploits
Wireshark versions 1.6.0 through 1.6.7 and versions 1.4.0 through 1.4.12 suffer from a misaligned memory denial of service vulnerability.
-
-
7:43
»
Packet Storm Security Advisories
OpenOffice.org includes a customized libwpd version 0.8.8 library for parsing WordPerfect documents. The bundled version of the libwpd library suffers from a memory overwrite vulnerability when reading a specially crafted WPD file. Successful exploitation of this vulnerability could result in arbitrary code execution within the OpenOffice.org software suite.
-
-
17:16
»
Packet Storm Security Recent Files
A review of the code in filter/source/msfilter/msdffimp.cxx in OpenOffice.org versions 3.3 and 3.4 Beta revealed some unchecked memory allocations, which could be exploited via malformed PowerPoint graphics records ("escher") to cause bad_alloc exceptions. This vulnerability makes a denial of service attack possible.
-
-
12:22
»
Packet Storm Security Recent Files
Pro-face Pro-Server EX version 1.30.000 and PCRuntime version 3.1.00 suffer from memory-related and integer overflow vulnerabilities. Proof of concept included.
-
-
5:12
»
Packet Storm Security Advisories
The vulnerability described in this document could hypothetically be exploited by unprivileged code running in a VMware virtual machine (guest) in order to execute code in the host VMX process, thereby breaking out of the virtual machine; however, such exploitation has not been proven.
-
-
16:22
»
Packet Storm Security Recent Files
OpenSSL versions up to and including 1.0.1 are affected by a memory corruption vulnerability. asn1_d2i_read_bio in OpenSSL contains multiple integer errors that can cause memory corruption when parsing encoded ASN.1 data. This error can be exploited on systems that parse untrusted data, such as X.509 certificates or RSA public keys.
-
-
16:05
»
Packet Storm Security Exploits
LibreOffice version 3.5.2.2 suffers from a soffice.exe\soffice.bin memory corruption vulnerability when handling a malformed RTF file. This is a proof of concept exploit.
-
-
23:09
»
Packet Storm Security Exploits
Spotify version 0.8.2.610 suffers from a memory exhaustion vulnerability. The vulnerability is caused by the search box function not checking the bounds of user input.
-
-
20:59
»
Packet Storm Security Exploits
This Metasploit module exploits a vulnerability found in Internet Explorer's mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the context of the user. This particular vulnerability was also one of 2012's Pwn2Own challenges, and was later explained by Peter Vreugdenhil with exploitation details. Instead of Peter's method, this module uses heap spraying like the 99% to store a specially crafted memory layout before re-using the freed memory.
-
-
22:38
»
SecDocs
Authors:
Jonathan Brossard Tags:
memory Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: Pmcma is a tool aimed at automating the most time-consuming tasks of exploitation. It can, for instance, determine why an application is triggering a segmentation fault, evaluate whether the faulting instruction can be used to write to memory or execute arbitrary code, and list all the function pointers potentially called from a given point in time by an application. Pmcma is a totally new kind of debugger, which allows for easy experimentation with a process in memory by forcing it to fork. The exact replicas of the process created in memory can then be instrumented while keeping the properties (e.g. state of variables, ASLR, permissions...) of the original process. Pmcma is an easily extensible framework available under the Apache 2.0 license from http://www.pmcma.org/ .

In this presentation, we introduce a new exploitation methodology for invalid memory reads and writes, based on dataflow analysis after a memory corruption bug has occurred inside a running process. We will expose a methodology which shall help write a reliable exploit out of a PoC triggering an invalid memory write, in the presence of security defense mechanisms such as compiler enhancements (full RELRO, SSP...) or kernel anti-exploitation features (ASLR, NX...). We will demonstrate how to: find all the function pointers inside a running process, determine which ones would have been dereferenced after the crash, and which ones are truncatable (in particular with 0x00000000). In case all of the above fail, how to test overwrites of specific locations in order to indirectly trigger a second vulnerability allowing greater control and eventually control flow hijacking. All of the above without source code, indeed ;) In the case of invalid memory reads, we will show how to indirectly influence the control flow of execution by reading arbitrary values, how to trace all the unaligned memory accesses, and how to test whether an invalid read can be turned into an invalid write or used to infer the mapping of the binary. We will also introduce a new debugging technique which allows for very effective testing of all of the above by forcing the debugged process to fork(). Automatically. And with a rating of the best read/write locations based on the probabilities of mapping addresses (because of ASLR). Finally, since overwriting function pointers doesn't allow direct shellcode execution because of W^X mappings, we introduce a new exploitation technique which works even in the most hardcore kernels such as grsecurity. It is called "stack desynchronization" and allows frame faking inside the stack itself. Those techniques are implemented in the form of a proof of concept tool available under the Apache 2.0 license at http://www.pmcma.org/ .
17:36
Packet Storm Security Advisories
VUPEN Vulnerability Research Team discovered a critical vulnerability in Adobe Acrobat and Reader. The vulnerability is caused by a memory corruption error within the Matrix3D class when processing malformed 3D data within SWF files, which could be exploited by attackers to potentially compromise a vulnerable system or disclose memory information by tricking a user into visiting a specially crafted web page. Adobe Flash Player versions 11.1.102.62 and below are affected.
15:00
0day.today (was: 1337day, Inj3ct0r, 1337db)
[local exploits] - VLC v. 2.0.1.0 .voc Memory Corruption
15:00
0day.today (was: 1337day, Inj3ct0r, 1337db)
[local exploits] - VLC v. 2.0.1.0 .tta Memory Corruption
15:00
0day.today (was: 1337day, Inj3ct0r, 1337db)
[local exploits] - VLC v. 1.1.11 .mxf Memory Corruption
15:00
0day.today (was: 1337day, Inj3ct0r, 1337db)
[local exploits] - VLC v. 2.0.1.0 .pmp Memory Corruption
15:00
0day.today (was: 1337day, Inj3ct0r, 1337db)
[local exploits] - VLC v. 2.0.1.0 .it Memory Corruption
15:00
0day.today (was: 1337day, Inj3ct0r, 1337db)
[local exploits] - VLC v. 1.1.11 .3gp Memory Corruption
15:00
0day.today (was: 1337day, Inj3ct0r, 1337db)
[local exploits] - VLC v. 1.1.11 .m4v Memory Corruption
21:37
SecDocs
Authors: Joshua Drake
Tags: memory heap overflow exploiting Java
Event: Black Hat Abu Dhabi 2011
Abstract: The Oracle (previously Sun) Java Runtime Environment (JRE) is widely viewed by security researchers as one of the weakest links in the proverbial chain. That said, the exploitation of memory corruption vulnerabilities within the JRE is not always straightforward. This talk will focus on a collection of techniques to overcome potential issues that one may face while developing exploits against memory corruption vulnerabilities within the JRE. The talk concludes with a demonstration of the techniques as used on a selection of contrived and real-world vulnerabilities.
8:26
Packet Storm Security Exploits
This is the Mempodipper local root exploit for Linux. /proc/pid/mem is an interface for reading and writing, directly, process memory by seeking around with the same addresses as the process's virtual memory space. In 2.6.39, the protections against unauthorized access to /proc/pid/mem were deemed sufficient, and so the prior #ifdef that prevented write support for writing to arbitrary process memory was removed. Anyone with the correct permissions could write to process memory. It turns out, of course, that the permissions checking was done poorly. This means that all Linux kernels greater than and equal to 2.6.39 are vulnerable.
9:29
Packet Storm Security Exploits
HTCVideoPlayer is the default media player of HTC Windows Mobile devices. This media player is prone to a memory corruption vulnerability while parsing the stbl atom of the 3g2 video format.
9:01
Hack a Day
Reading from a large number of inputs, like this piano keyboard, can be tedious. Even when multiplexing there's a lot to keep track of. But if you choose the right microcontroller, you may have hardware assistance. Here's an ATmega640 using its external memory interface to read the key matrix. You may remember the Open [...]