I just released some technical details on why and how "seccomp" is vulnerable to the Linux kernel syscall filtering problems that I previously blogged about. The full details may be found here: [link] The actual bug is of little significance because pretty much no-one uses seccomp: This searches for the PR_SET_SECCOMP string on Google Code Search In addition, even if people did use this -- the bug is not a full break out, just some leakage of filesystem names via stat() or mischief via unrestric
Todd was featured on WGN Midday News today giving some tips on how to keep your mobile devices and information safe while travelling this holiday season. The CompTIA President and CEO urged travelers to keep their devices password-protected and to use secure connections. But “the overwhelming biggest security risk is just people not paying attention,” Thibodeaux told anchor Steve Sanders.
Well, here's a nice little gem for the festive season. I like it for a few distinct reasons: It's one of those cases where if you look at web standards from the correct angle, you can see a security vulnerability specified. Accordingly, it affected all 5 major browsers. And likely the rest. You can still be a theft victim even with plugins and JavaScript disabled!
I've been meaning to fiddle around with timing attacks for a while. I've had various discussions in the past about the significance of login determination attacks (including ones I found myself) and my usual response would be "it's all moot -- the attacker could just use a timing attack". Finally, here's some ammo to support that position. And -- actual cross-domain data theft using just a timing attack, as a bonus.
Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.
[Aside: I'm not sure anyone cares, particularly because the "block third party cookies" option tends to break legitimate web sites. But I'll document it just in case :)] Major browsers tend to have an option to block "third-party" cookies. The main intent of this is to disable tracking cookies used by iframe'd ads. It turns out that you can bypass this intent by abusing "HTML5 Local Storage".
Just a quick note that I released vsftpd-2.2.2. Most significantly, a regression was fixed in the inbuilt listener. Heavily loaded sites could see a session get booted out just after the initial connect. If you saw "500 OOPS: child died", that was probably this.
Recently, I've been getting pretty behind on executing my various research ideas. The only sane thing to do is blog the idea in case someone else wants to run with it and pwn up a bunch of stuff. The general concept I'd like to see explored is perhaps best explained with a couple of concrete bugs I have found and fixed recently: Dimensions error parsing XBM image.
It was great to talk to so many people about Chromium security at HITB Malaysia. I was quite amused to be at a security conference and have a lot of conversations like: Me : What browser do you use? Other : Google Chrome. Me : Why is that? Other : Oh, it's so much faster. Me : Oh, you saw that awesome JSNES, huh? ( [link] ) It's a sobering reminder that users -- and even security experts -- are often making decisions on things like speed and stability.
Nothing too exciting, just two regressions fixed: "pasv_address" should work again, and SSL data connections should no longer fail after a long previous transfer or an extended idle period.
No time for details at the moment, but I'm just back from HITB Malaysia and a great time was had by all! The hospitality and warmth of the organizing crew surpassed anything I've ever encountered before. I presented with my colleague Julien Tinnes. See awesome blog: [link] We presented on various intriguing aspects of sandboxing on Linux, covering vsftpd and Chromium as test cases.
Preface: unless otherwise noted, the bugs discussed here were found via fuzzing by Will Dormann of CERT -- and my involvement was to fix them. In other news, I recently moved to work on the Chromium project / Google Chrome, which I'm very excited about. It is in this new role that this piece of work was conducted, as part of HTML5 features. I recently fixed a lot of security bugs in ffmpeg, across a subset of the supported containers and codecs.
The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.
Not much of interest to add beyond the interesting network isolation support previously discussed. Some minor bugs were fixed. A bunch of compile errors were addressed. There is now support for PAM modules which remap the underlying user account. There is also a new command-line option to pass config file options directly.
Apple just released the Mac OS X 10.5.8 update, which includes security fixes: [link] One of the fixes is for a heap-based buffer overflow in the ColorSync component (which handles the parsing of ICC profiles). Limited details are here: [link] This vulnerability could likely be used to execute arbitrary code in contexts such as Safari browsing to a malicious page.
Catching up on a few items. I seem to have gotten a mention in a couple of recent Apple advisories: iPhone 3.0 security fixes Safari 4.0.2 It's one of the Safari bugs that interests me today, CVE-2009-1725 or an off-by-one heap memory corruption in Webkit. The patch says it all, really: [link] Here's the faulty code: checkBuffer(10); // ignore the sequence, add it to the buffer as plaintext *dest++ = '&'; for (unsigned i = 0; i < cBufferPos; i++) dest[i] = m_cBuffer[i]; Turns out, that 10 sho
I've just released the technical details behind some recently fixed vulnerabilities in mimetex: [link] "mimetex" is a little binary (written in the C language) used to render mathematical equations based on the TeX language. It looks very nice and is a cool concept to embed it in web apps. You can use a Google search to locate places that use it: [link] Unfortunately, the binary suffered from various classic stack-based buffer overflows as well as some commands that might leak inappropriate info
Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.
Following on from vsftpd-2.1.2, I've just released vsftpd-2.1.0pre1: ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.1.0pre1.tar.gz This further plays with the new Linux container flags: this time, CLONE_NEWNET. This flag creates a process with a separate (and empty) list of network devices and bindings. A process isolated in such a way can create network sockets but any attempt to e.g. do an IPv4 connect() to localhost (or any other destination) will get ENETUNREACH.
I've just noticed that a Google search for "clusterfuzzing" (including the quotes) has no hits. Therefore, I'm reserving the term :) All I need now is a new fuzzing angle and then I've got all the makings of a great presentation! Actually, I do have a new twist on fuzzing. All I need is the bugs. Watch this space!
Here's another XXE bug for you (resulting in file theft), just to make the point that this class of bugs is well worth watching out for in client-side applications (such as a browser :) [link] The good news here is that this WebKit regression was quickly fixed by Apple -- and in time for the Safari 4 final release -- so no production browser should ever have been affected.
Safari 4 also fixes an interesting cross-domain XML theft. Full technical details live here: [link] XML theft can include highly sensitive data thanks to things like XHTML, AJAX-y RPCs using XML and authenticated RSS feeds. The example I have steals XML representing a logged-in Gmail user's inbox: Safari 3 demo for users logged in to Gmail I think there's a lot more room for browser-based cross-domain leaks (sometimes called UXSS or universal XSS).
Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.
Safari 4 was just released and among the various improvements is a range of security fixes. One of these fixes is for an XXE attack against the parsing of the XSL XML. Full technical details may be found here: [link] Or for the lazy, you can skip straight to the: Demo for Safari 3 / MacOS Demo for Safari 3 / Windows I found it interesting that Safari 3 seemed robust against XXE attacks in general -- there are a lot of places that browsers find themselves parsing XML (XmlHttpRequest, prettifying
(Note: v2.1.2 is the same as v2.1.1 but with a compile fix) vsftpd-2.1.2 is released with full details as always on the vsftpd home page: [link] For users, a couple of nasty regressions are fixed: SSL transfers would drop due to an errant timeout firing; this is now fixed. Also, an absent per-user config file was fine with v2.0.7 but an error in v2.1.0. v2.1.2 restores v2.0.7 behaviour.
As a quick recap, "E4X" is the name of a Javascript standard relating to strong XML support in the language. Firefox has had an implementation for quite some time but no other major browser seems to have followed suit. My colleagues Filipe Almeida and Michal Zalewski led the way in E4X security; check out: [link] However, the attack scenarios in that document are in my opinion not likely to occur in many web apps.
I recently had the pleasure to be invited by Dhillon to present at HackInTheBox (HiTB) Dubai with Billy Rios on our "Cross Domain Leakiness" work. Here is a link to our updated slides: [link] It was a very productive conference, all told. The sort of conference where new attacks materialise over breakfast conversations. In terms of new and pending material, I'll do separate posts regarding: My latest E4X cross-domain theft attack (building on the work of my colleagues Filipe and Michal) A new "d
How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.
Now that new packages are out for lcms and OpenJDK, I'll publish my LittleCMS exploit. It's harmless in that if it actually works on your machine, all it does is put your CPU into a spin -- watch out for 100% CPU usage. It's also relatively harmless in that it doesn't work on many systems out of the box. I targeted my 32-bit Ubuntu 8.10 laptop which happens to have an executable heap, executable stack, no stack cookies but does have ASLR.
Today, vendor updates should be flowing for vulnerabilities in LittleCMS, sometimes known just as "lcms" or "liblcms". LittleCMS is a very useful open-source colour profile parsing and conversion tool. Some technical details of the various vulnerabilities (stack-based buffer overflows, integer overflows, etc.) are given here: [link] The most interesting thing about LittleCMS is how quickly it has become a very critical building block for UNIX desktops.
I recently came up with a little API abuse of the clone() system call. Not earth shattering, but definitely fun. Essentially, you can send any signal you want at any time to your parent process, even if it is running with real and effective user id of someone else (e.g. root). Full technical details and an example may be found here: [link] Maybe someone more devious than me can come up with better abuse scenarios than I can.
The new sandboxing support mentioned in the vsftpd-2.1.0 announcement post is actually a ptrace() based sandbox. It is experimental and therefore off by default. It only currently supports i386 Linux (but there's no reason you couldn't hack the Makefile to build 32-bit on 64-bit Linux). When enabled, it only engages when using one_process_model, i.e. simple anonymous-only configurations.
In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.
I just released vsftpd-2.1.0, with full details being available on the vsftpd web page: [link] It fixes a bunch of bugs and compile errors, introduces a few minor new features, has some code clean ups, etc. etc. vsftpd-2.1.0 is interesting from a security perspective because of its changes to SSL support. It actually contains a reasonable resolution to the connection theft attack I blogged about here: [link] In the linked advisory I said "I have a crazy idea to use the SSL session cache as a cheez
For those interested in syscall filtering technologies, check out my latest advisory on how policies can be bypassed under certain circumstances: [link] There's a neat trick on the x86_64 kernel; this kernel supports both 32-bit and 64-bit processes, and interestingly, the syscall tables are different in either case. However, with a bit of trickery, a 64-bit process can call a 32-bit syscall (and vice versa), and confuse the syscall filter.
A friend of mine, Rich Cannings, spotted my name in a Sun security advisory so I guess this means my Pack200 crashes are fixed: [link] This bug continues a trend of looking to native code parsers within the JRE, in order to break out of it. The most obvious application is to take over desktops via evil applets which abuse these bugs to cause memory corruptions.