2009

article thumbnail

Linux kernel minor "seccomp" vulnerability

Scary Beasts Security

I just released some technical details on why and how "seccomp" is vulnerable to the Linux kernel syscall filtering problems that I previously blogged about. The full details may be found here: [link] The actual bug is of little significance because pretty much no-one uses seccomp: This searches for the PR_SET_SECCOMP string on Google Code Search In addition, even if people did use this -- the bug is not a full break out, just some leakage of filesystem names via stat() or mischief via unrestric

article thumbnail

Concerned about security? Then pay attention.

CompTIA on Cybersecurity

Todd was featured on WGN Midday News today giving some tips on how to keep your mobile devices and information safe while travelling this holiday season. The CompTIA President and CEO urged travelers to keep their devices password-protected and to use secure connections.But “the overwhelming biggest security risk is just people not paying attention,” Thibodeaux told anchor Steve Sanders.

Mobile 52
Insiders

Sign Up for our Newsletter

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

article thumbnail

Generic cross-browser cross-domain theft

Scary Beasts Security

Well, here's a nice little gem for the festive season. I like it for a few distinct reasons: It's one of those cases where if you look at web standards from the correct angle, you can see a security vulnerability specified. Accordingly, it affected all 5 major browsers. And likely the rest. You can still be a theft victim even with plugins and JavaScript disabled!

51
article thumbnail

Cross-domain search timing

Scary Beasts Security

I've been meaning to fiddle around with timing attacks for a while. I've had various discussions in the past about the significance of login determination attacks (including ones I found myself) and my usual response would be "it's all moot -- the attacker could just use a timing attack". Finally, here's some ammo to support that position. And -- actual cross-domain data theft using just a timing attack, as a bonus.

50
article thumbnail

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

article thumbnail

Bypassing the intent of blocking "third-party" cookies

Scary Beasts Security

[Aside: I'm not sure anyone cares, particularly because the "block third party cookies" option tends to break legitimate web sites. But I'll document it just in case :)] Major browsers tend to have an option to block "third-party" cookies. The main intent of this is to disable tracking cookies used by iframe'd ads. It turns out that you can bypass this intent by abusing "HTML5 Local Storage".

50
article thumbnail

vsftpd-2.2.2 released

Scary Beasts Security

Just a quick note that I released vsftpd-2.2.2. Most significantly, a regression was fixed in the inbuilt listener. Heavily loaded sites could see a session get booted out just after the initial connect. If you saw "500 OOPS: child died", that was probably this.

50

More Trending

article thumbnail

Chromium and Linux sandboxing

Scary Beasts Security

It was great to talk to so many people about Chromium security at HITB Malaysia. I was quite amused to be at a security conference and have a lot of conversations like: Me : What browser do you use? Other : Google Chrome. Me : Why is that? Other : Oh, it's so much faster. Me : Oh, you saw that awesome JSNES, huh? ( [link] ) It's a sobering reminder that users -- and even security experts -- are often making decisions on things like speed and stability.

Risk 50
article thumbnail

vsftpd-2.2.1 released

Scary Beasts Security

Nothing too exciting, just two regressions fixed: "pasv_address" should work again, and SSL data connections should no longer fail after a long previous transfer or an extended idle period.

50
article thumbnail

HITB Malaysia 2009 and sandboxing

Scary Beasts Security

No time for details at the moment, but I'm just back from HITB Malaysia and a great time was had by all! The hospitality and warmth of the organizing crew surpassed anything I've ever encountered before. I presented with my colleague Julien Tinnes. See awesome blog: [link] We presented on various intriguing aspects of sandboxing on Linux, covering vsftpd and Chromium as test cases.

article thumbnail

Patching ffmpeg into shape

Scary Beasts Security

Preface: unless otherwise noted, the bugs discussed here were found via fuzzing by Will Dormann of CERT -- and my involvement was to fix them. In other news, I recently moved to work on the Chromium project / Google Chrome, which I'm very excited about. It is in this new role that this piece of work was conducted, as part of HTML5 features. I recently fixed a lot of security bugs in ffmpeg, across a subset of the supported containers and codecs.

Malware 50
article thumbnail

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

article thumbnail

vsftpd-2.2.0 released

Scary Beasts Security

Not much of interest to add beyond the interesting network isolation support previously discussed. Some minor bugs were fixed. A bunch of compile errors were addressed. There is now support for PAM modules which remap the underlying user account. There is also a new command-line option to pass config file options directly.

article thumbnail

Apple ColorSync heap overflow

Scary Beasts Security

Apple just released the Mac OS X 10.5.8 update, which includes security fixes: [link] One of the fixes is for a heap-based buffer overflow in the ColorSync component (which handles the parsing of ICC profiles). Limited details are here: [link] This vulnerability could likely be used to execute arbitrary code in contexts such as Safari browsing to a malicious page.

50
article thumbnail

iPhone and Safari advisories

Scary Beasts Security

Catching up on a few items. I seem to have gotten a mention in a couple of recent Apple advisories: iPhone 3.0 security fixes Safari 4.0.2 It's one of the Safari bugs that interests me today, CVE-2009-1725 or an off-by-one heap memory corruption in Webkit. The patch says it all, really: [link] Here's the faulty code: checkBuffer(10); // ignore the sequence, add it to the buffer as plaintext *dest++ = '&'; for (unsigned i = 0; i < cBufferPos; i++) dest[i] = m_cBuffer[i]; Turns out, that 10 sho

50
article thumbnail

Beware the little pieces you use in your web app

Scary Beasts Security

I've just released the technical details behind some recently fixed vulnerabilities in mimetex: [link] "mimetex" is a little binary (written in the C language) used to render mathematical equations based on the TeX language. It looks very nice and is a cool concept to embed it in web apps. You can use a Google search to locate places that use it: [link] Unfortunately, the binary suffered from various classic stack-based buffer overflows as well as some commands that might leak inappropriate info

50
article thumbnail

The Tumultuous IT Landscape Is Making Hiring More Difficult

After a year of sporadic hiring and uncertain investment areas, tech leaders are scrambling to figure out what’s next. This whitepaper reveals how tech leaders are hiring and investing for the future. Download today to learn more!

article thumbnail

vsftpd-2.2.0pre1 and network separation

Scary Beasts Security

Following on from vsftpd-2.1.2 , I've just released vsftpd-2.1.0pre1: ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.1.0pre1.tar.gz This further plays with the new Linux container flags: this time, CLONE_NEWNET. This flag creates a process with a separate (and empty) list of network devices and bindings. A process isolated in such a way can create network sockets but any attempt to e.g. do an IPv4 connect() to localhost (or any other destination) will get ENETUNREACH.

article thumbnail

Clusterfuzzing

Scary Beasts Security

I've just noticed that a Google search for "clusterfuzzing" (including the quotes) has no hits. Therefore, I'm reserving the term :) All I need now is a new fuzzing angle and then I've got all the makings of a great presentation! Actually, I do have a new twist on fuzzing. All I need is the bugs. Watch this space!

50
article thumbnail

Bonus Safari XXE (only affecting Safari 4 Beta)

Scary Beasts Security

Here's another XXE bug for you (resulting in file theft), just to make the point that this class of bugs is well worth watching out for in client-side applications (such as a browser :) [link] The good news here is that this WebKit regression was quickly fixed by Apple -- and in time for the Safari 4 final release -- so no production browser should ever have been affected.

50
article thumbnail

Apple's Safari 4 also fixes cross-domain XML theft

Scary Beasts Security

Safari 4 also fixes an interesting cross-domain XML theft. Full technical details live here: [link] XML theft can include highly sensitive data thanks to things like XHTML, AJAX-y RPCs using XML and authenticated RSS feeds. The example I have steals XML representing a logged-in Gmail user's inbox: Safari 3 demo for users logged in to Gmail I think there's a lot more room for browser-based cross-domain leaks (sometimes called UXSS or universal XSS).

article thumbnail

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

article thumbnail

Apple's Safari 4 fixes local file theft attack

Scary Beasts Security

Safari 4 was just released and among the various improvements is a range of security fixes. One of these fixes is for an XXE attack against the parsing of the XSL XML. Full technical details may be found here: [link] Or for the lazy, you can skip straight to the: Demo for Safari 3 / MacOS Demo for Safari 3 / Windows I found it interesting that Safari 3 seemed robust against XXE attacks in general -- there are a lot of places that browsers find themselves parsing XML (XmlHttpRequest, prettifying

50
article thumbnail

vsftpd-2.1.2 released and new security tricks

Scary Beasts Security

(Note: v2.1.2 is the same as v2.1.1 but with a compile fix) vsftpd-2.1.2 is released with full details as always on the vsftpd home page: [link] For users, a couple of nasty regressions are fixed: SSL transfers would drop due to an errant timeout firing; this is now fixed. Also, an absent per-user config file was fine with v2.0.7 but an error in v2.1.0. v2.1.2 restores v2.0.7 behaviour.

50
article thumbnail

A more plausible E4X attack

Scary Beasts Security

As a quick recap, "E4X" is the name of a Javascript standard relating to strong XML support in the language. Firefox has had an implementation for quite some time but no other major browser seems to have followed suit. My colleages Filipe Almeida and Michal Zalewski led the way in E4X security; check out: [link] However, the attack scenarios in that document are in my opinion not likely to occur in many web apps.

Banking 50
article thumbnail

HiTB Dubai: all over apart from the blogging

Scary Beasts Security

I recently had the pleasure to be invited by Dhillon to present at HackInTheBox (HiTB) Dubai with Billy Rios on our "Cross Domain Leakiness" work. Here is a link to our updated slides: [link] It was a very productive conference, all told. The sort of conference where new attacks materialise over breakfast conversations. In terms of new and pending material, I'll do separate posts regarding: My latest E4X cross-domain theft attack (building on the work of my colleagues Filipe and Michal) A new "d

Hacking 50
article thumbnail

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

article thumbnail

LittleCMS exploit

Scary Beasts Security

Now that new packages are out for lcms and OpenJDK, I'll publish my LittleCMS exploit. It's harmless in that if it actually works on your machine, all it does it put your CPU into a spin -- watch out for 100% CPU usage. It's also relatively harmless in that it doesn't work on many systems out of the box. I targeted my 32-bit Ubuntu 8.10 laptop which happens to have an executable heap, executable stack, no stack cookies but does have ASLR.

Hacking 50
article thumbnail

LittleCMS vulnerabilities

Scary Beasts Security

Today, vendor updates should be flowing for vulnerabilities in LittleCMS, sometimes known just as "lcms" or "liblcms". LittleCMS is a very useful open-source colour profile parsing and conversion tool. Some technical details of the various vulnerabilities (stack-based buffer overflows, integer overflows, etc). are given here: [link] The most interesting thing about LittleCMS is how quickly it has become a very critical building block for UNIX desktops.

article thumbnail

Linux kernel minor signal vulnerability

Scary Beasts Security

I recently came up with a little API abuse of the clone() system call. Not earth shattering, but definitely fun. Essentially, you can send any signal you want at any time to your parent process, even if it is running with real and effective user id of someone else (e.g. root ). Full technical details and an example may be found here: [link] Maybe someone more devious that me can come up with better abuse scenarios than I can.

50
article thumbnail

vsftpd-2.1.0 and ptrace() sandboxing

Scary Beasts Security

The new sandboxing support mentioned in the vsftpd-2.1.0 announcement post is actually a ptrace() based sandbox. It is experimental and therefore off by default. It only currently supports i386 Linux (but there's no reason you couldn't hack the Makefile to build 32-bit on 64-bit Linux). When enabled, it only engages when using one_process_model , i.e. simple anonymous-only configurations.

article thumbnail

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

article thumbnail

vsftpd-2.1.0 released

Scary Beasts Security

I just released vsftpd-2.1.0, with full details being available on the vsftpd web page: [link] It fixes a bunch of bugs and compile errors, introduces a few minor new features, has some code clean ups, etc. etc. vsftpd-2.1.0 is interesting from a security perspective because of its changes to SSL support. It actual contains a reasonable resolution to the connection theft attack I blogged about here: [link] In the linked advisory I said "I have a crazy idea to use the SSL session cache as a cheez

article thumbnail

Bypassing syscall filtering technologies on Linux x86_64

Scary Beasts Security

For those interested in syscall filtering technologies, check out my latest advisory on how policies can be bypassed under certain circumstances: [link] There's a neat trick on the x86_64 kernel; this kernel supports both 32-bit and 64-bit processes, and interestingly, the syscall tables are different in either case. However, with a bit of trickery, a 64-bit process can call a 32-bit syscall (and visa versa), and confuse the syscall filter.

article thumbnail

Sun Java JRE Pack200 bugs

Scary Beasts Security

A friend of mine, Rich Cannings, spotted my name in a Sun security advisory so I guess this means my Pack200 crashes are fixed: [link] This bug continues a trend of looking to native code parsers within the JRE, in order to break out of it. The most obvious application is to take over desktops via evil applets which abuse these bugs to cause memory corruptions.

50