Vtpin: Practical Vtable Hijacking Protection for Binaries
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Technical Intelligence ISSUE: 19.04.21
Technical Intelligence ISSUE: 19.04.21 The CyberScotland Technical Threat Intelligence Bulletin is designed to provide you with information about updates, exploits and countermeasures. We hope that you benefit from this resource and we ask that you circulate this information to your networks, adapting where you see fit. Jump To TECHNICAL THREAT AWARENESS AND HUNTING Microsoft Patch Tuesday (April 2021) Adobe Patches Slew of Critical Security Bugs Patch Chrome to Remediated In-The-Wild 0-Day Exploits F5 urges customers to patch critical BIG-IP pre-auth RCE bug Wordpress Privilege-Escalation and Authentication Bypass Apple rushes to patch zero‑day flaw in iOS, iPadOS Cisco Will Not Patch Critical RCE Flaw Affecting End-of-Life Business Routers Threat Intelligence Bulletin Technical Threat Awareness and Hunting Microsoft Patch Tuesday (April 2021) Microsoft released its monthly security update Tuesday 13th April 2021, disclosing 114 vulnerabilities across its suite of products1. Four new remote code execution vulnerabilities in Microsoft Exchange Server are included, beyond those that were release out-of-band last month. The detection of the vulnerabilities which led to these patches has been attributed to the US’s National Security Agency (NSA)2. Given the recent focus on Microsoft Exchange by varying threat actors, NCSC has produced an alert encouraging organisations to install the critical updates immediately3. More patches are likely to follow for Microsoft’s Exchange servers as, at a recent hacking contest called pwn2own a team called DEVCORE combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. As a result they won $200,000.4 In all, there are 20 critical vulnerabilities as part of this release and one considered of “moderate” severity. -
WEKA Manual for Version 3-7-8
WEKA Manual for Version 3-7-8 Remco R. Bouckaert Eibe Frank Mark Hall Richard Kirkby Peter Reutemann Alex Seewald David Scuse January 21, 2013 ⃝c 2002-2013 University of Waikato, Hamilton, New Zealand Alex Seewald (original Commnd-line primer) David Scuse (original Experimenter tutorial) This manual is licensed under the GNU General Public License version 3. More information about this license can be found at http://www.gnu.org/licenses/gpl-3.0-standalone.html Contents ITheCommand-line 11 1Acommand-lineprimer 13 1.1 Introduction . 13 1.2 Basic concepts . 14 1.2.1 Dataset . 14 1.2.2 Classifier . 16 1.2.3 weka.filters . 17 1.2.4 weka.classifiers . 19 1.3 Examples . 23 1.4 Additional packages and the package manager . .24 1.4.1 Package management . 25 1.4.2 Running installed learning algorithms . 26 II The Graphical User Interface 29 2LaunchingWEKA 31 3PackageManager 35 3.1 Mainwindow ............................. 35 3.2 Installing and removing packages . 36 3.2.1 Unofficalpackages ...................... 37 3.3 Usingahttpproxy.......................... 37 3.4 Using an alternative central package meta data repository . 37 3.5 Package manager property file . 38 4SimpleCLI 39 4.1 Commands . 39 4.2 Invocation . 40 4.3 Command redirection . 40 4.4 Command completion . 41 5Explorer 43 5.1 The user interface . 43 5.1.1 Section Tabs . 43 5.1.2 Status Box . 43 5.1.3 Log Button . 44 5.1.4 WEKA Status Icon . 44 3 4 CONTENTS 5.1.5 Graphical output . 44 5.2 Preprocessing . 45 5.2.1 Loading Data . -
HTTP Cookie - Wikipedia, the Free Encyclopedia 14/05/2014
HTTP cookie - Wikipedia, the free encyclopedia 14/05/2014 Create account Log in Article Talk Read Edit View history Search HTTP cookie From Wikipedia, the free encyclopedia Navigation A cookie, also known as an HTTP cookie, web cookie, or browser HTTP Main page cookie, is a small piece of data sent from a website and stored in a Persistence · Compression · HTTPS · Contents user's web browser while the user is browsing that website. Every time Request methods Featured content the user loads the website, the browser sends the cookie back to the OPTIONS · GET · HEAD · POST · PUT · Current events server to notify the website of the user's previous activity.[1] Cookies DELETE · TRACE · CONNECT · PATCH · Random article Donate to Wikipedia were designed to be a reliable mechanism for websites to remember Header fields Wikimedia Shop stateful information (such as items in a shopping cart) or to record the Cookie · ETag · Location · HTTP referer · DNT user's browsing activity (including clicking particular buttons, logging in, · X-Forwarded-For · Interaction or recording which pages were visited by the user as far back as months Status codes or years ago). 301 Moved Permanently · 302 Found · Help 303 See Other · 403 Forbidden · About Wikipedia Although cookies cannot carry viruses, and cannot install malware on 404 Not Found · [2] Community portal the host computer, tracking cookies and especially third-party v · t · e · Recent changes tracking cookies are commonly used as ways to compile long-term Contact page records of individuals' browsing histories—a potential privacy concern that prompted European[3] and U.S. -
Tinkertool System 7 Reference Manual Ii
Documentation 0642-1075/2 TinkerTool System 7 Reference Manual ii Version 7.5, August 24, 2021. US-English edition. MBS Documentation 0642-1075/2 © Copyright 2003 – 2021 by Marcel Bresink Software-Systeme Marcel Bresink Software-Systeme Ringstr. 21 56630 Kretz Germany All rights reserved. No part of this publication may be redistributed, translated in other languages, or transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the prior written permission of the publisher. This publication may contain examples of data used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. The publisher may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Make sure that you are using the correct edition of the publication for the level of the product. The version number can be found at the top of this page. Apple, macOS, iCloud, and FireWire are registered trademarks of Apple Inc. Intel is a registered trademark of Intel Corporation. UNIX is a registered trademark of The Open Group. Broadcom is a registered trademark of Broadcom, Inc. Amazon Web Services is a registered trademark of Amazon.com, Inc. -
$Hell on Earth: from Browser to System Compromise
$hell on Earth: From Browser to System Compromise Matt Molinyawe, Abdul-Aziz Hariri, and Jasiel Spelman A Zero Day Initiative Research Paper TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information Contents and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. 3 Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing Introduction herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are 4 intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to Mitigation Evolution the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. 6 Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro History and Anatomy makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree of Pwn2Own Remote that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro Browser to Super-User disclaims all warranties of any kind, express or implied. -
Apple Safari – PWN2OWN Desktop Exploit
Apple Safari – PWN2OWN Desktop Exploit 2018-10-29 (Fabian Beterke, Georgi Geshev, Alex Plaskett) Contents Contents ........................................................................................................ 1 1. Introduction ............................................................................................... 2 2. Browser Vulnerability Details ...................................................................... 3 3. Browser Exploitation ................................................................................ 11 3.1 Memory Layout and Trigger Objects ................................................................... 11 3.2 Heap RefPtr Information Leak ............................................................................. 12 3.3 Arbitrary Decrement Primitive ............................................................................. 13 3.4 Read Primitive ..................................................................................................... 13 3.5 JIT Page Location ................................................................................................ 17 3.6 Shell Code Execution .......................................................................................... 18 4. Dock Vulnerability Details ........................................................................ 20 5. Dock Exploitation ..................................................................................... 25 6. Appendix ................................................................................................ -
User Interface Specification for Interactive Software Systems
User Interface Specification for Interactive Software Systems Process-, Method- and Tool-Support for Interdisciplinary and Collaborative Requirements Modelling and Prototyping-Driven User Interface Specification Dissertation zur Erlangung des akademischen Grades des Doktor der Naturwissenschaften (Dr. rer. nat.) Universität Konstanz Mathematisch-Naturwissenschaftliche Sektion Fachbereich Informatik und Informationswissenschaft Vorgelegt von Thomas Memmel Betreuer der Dissertation: Prof. Dr. Harald Reiterer Tag der mündlichen Prüfung: 29. April 2009 1. Referent: Prof. Dr. Harald Reiterer 2. Referent: Prof. Dr. Rainer Kuhlen Prof. Dr. Rainer Kuhlen For Cathrin Acknowledgements I thank my advisor, Prof. Dr. Harald Reiterer, for more than 6 years of great Prof. Dr. Harald Reiterer teamwork. Since I joined his work group as a student researcher, his guidance and friendship have helped me to reach high goals and achieve scientific recognition. I thank Harald for his creative contributions and his unfailing support, which made him the best supervisor I could imagine. Every time I read the Dr. in front of my name, I will think about the person who made it possible. It was Harald! Moreover, I thank him for teaching me many skills, of which especially purposefulness and per- suasive power opened up a world of possibilities. Among the other researchers in the human-computer interaction work group, spe- My colleague and friend Fredrik cial thanks are due to my colleague Fredrik Gundelsweiler. Fredrik and I started working for Harald at the same time, and since then we have shared many experi- ences. I worked with Fredrik at Siemens AG in Munich, and we both gained interna- tional work experience during our stay at DaimlerChrysler AG in Singapore. -
Trend Micro's Zero Day Initiative
Trend Micro’s Zero Day Initiative Who we are, bug bounties and how to get the most bang for your bugs! Shannon Sabens ZDI Program Manager Trend Micro Agenda • Introduction • What’s the ZDI? • Submitting to the ZDI – I submitted, now what? • Pwn2Own • Questions? 2 Copyright 2017 Trend Micro Inc. Introduction 3 Copyright 2017 Trend Micro Inc. Introduction – Shannon Sabens • Program Manager, ZDI, since 2013 • Formerly Microsoft Malware Protection Center and Symantec • Purchased and disclosed 3000+ vulnerability reports on behalf of ZDI community 4 Copyright 2017 Trend Micro Inc. What’s the ZDI? 5 Copyright 2017 Trend Micro Inc. ZDI Objectives – Augment the TippingPoint Roughly 4000 vulnerabilities product filters and protection for our clients have been patched and disclosed – Build a community working to to date as a result of the efforts secure the greater enterprise of the ZDI community. ecosphere – Encourage growth in this space by investing in security research – Contribute to the maturation of vulnerability disclosure and response processes 6 Copyright 2017 Trend Micro Inc. Similar (?) programs - iDefense - HackerOne Some of the tips to follow can help - BugCrowd you submit to programs that may - Cobalt.io be the right fit in your case, or to … various vendor and/or product the vendor, with success! specific bounties… 7 Copyright 2017 Trend Micro Inc. Vulnerability/Exploit Intelligence Marketplace 8 Copyright 2017 Trend Micro Inc. Looking at what we know about bug bounties – What do they tell us about themselves? • An agnostic bug bounty like ZDI vs. Vendors and web businesses with bounties • ZDI see a higher quality bar – 57% of all submissions were accepted in 2016 – On par with previous years and is much higher than the rate of other programs 9 Copyright 2017 Trend Micro Inc. -
United States Patent (19) 11 Patent Number: 6,061,061 Conrad Et Al
US006061061A United States Patent (19) 11 Patent Number: 6,061,061 Conrad et al. (45) Date of Patent: *May 9, 2000 54) COMPUTER SYSTEM WITH GRAPHICAL 2693810 6/1991 France. USER INTERFACE INCLUDING SPRING LOADED ENCLOSURES OTHER PUBLICATIONS 75 Inventors: Thomas J. Conrad, San Jose; Yin Yin tiMy“M ft WindowSTM 7 User’sSer's Guide.Oude, MiMicroSOIL ft UorporaC Wong, Menlo Park, both of Calif. “Screen Dumps from Microsoft WindowsTM v3.1.” 73 ASSignee: Apple Computer, Inc., Cupertino, Microsoft Corporation, 1985-1992, pp. 1-10. Calif. Jeff Johnson, et al., “The Xerox Star: A Retrospective,” Computer, Sep. 1989, pp. 11-27. * Notice: This patent is subject to a terminal dis- Brad W. Myers, “Window Interfaces, A Taxonomy of Win claimer. dow Manager User Interfaces.” IEEE Computer Graphics and Applications, Sep. 1988, pp. 65-83. 21 Appl. No.: 08/889,719 “Automatic Window Management Mode.” IBM Technical 9 Disclosure Bulletin, vol. 35, No. 4B, Sep. 1992. 22 Filed: Jul. 8, 1997 (List continued on next page.) Related U.S. Application Data Primary Examiner-Crescelle N. dela Torre 63 Continuation of application No. 08/482,186, Jun. 7, 1995, Attorney, Agent, or Firm Blakely, Sokoloff Taylor & Pat. No. 5,680,562, which is a continuation of application Zafman No. 08/076.253, Jun. 11, 1993, Pat. No. 5,583,984. (51) Int. Cl. ................................................ G06F 15/00 57 ABSTRACT 52 U.S. Cl. ............................................. 345/340; 345/348 A new behavior in a graphical user interface allows the user 58 Field of Search ..................................... 345/340, 326, to open and close enclosures, while dragging an object. -
X41 D-SEC Gmbh Dennewartstr
Browser Security White PAPER Final PAPER 2017-09-19 Markus VERVIER, Michele Orrù, Berend-Jan WEVER, Eric Sesterhenn X41 D-SEC GmbH Dennewartstr. 25-27 D-52068 Aachen Amtsgericht Aachen: HRB19989 Browser Security White PAPER Revision History Revision Date Change Editor 1 2017-04-18 Initial Document E. Sesterhenn 2 2017-04-28 Phase 1 M. VERVIER, M. Orrù, E. Sesterhenn, B.-J. WEVER 3 2017-05-19 Phase 2 M. VERVIER, M. Orrù, E. Sesterhenn, B.-J. WEVER 4 2017-05-25 Phase 3 M. VERVIER, M. Orrù, E. Sesterhenn, B.-J. WEVER 5 2017-06-05 First DrAFT M. VERVIER, M. Orrù, E. Sesterhenn, B.-J. WEVER 6 2017-06-26 Second DrAFT M. VERVIER, M. Orrù, E. Sesterhenn, B.-J. WEVER 7 2017-07-24 Final DrAFT M. VERVIER, M. Orrù, E. Sesterhenn, B.-J. WEVER 8 2017-08-25 Final PAPER M. VERVIER, M. Orrù, E. Sesterhenn, B.-J. WEVER 9 2017-09-19 Public Release M. VERVIER, M. Orrù, E. Sesterhenn, B.-J. WEVER X41 D-SEC GmbH PAGE 1 OF 196 Contents 1 ExECUTIVE Summary 7 2 Methodology 10 3 Introduction 12 3.1 Google Chrome . 13 3.2 Microsoft Edge . 14 3.3 Microsoft Internet Explorer (IE) . 16 4 Attack Surface 18 4.1 Supported Standards . 18 4.1.1 WEB TECHNOLOGIES . 18 5 Organizational Security Aspects 21 5.1 Bug Bounties . 21 5.1.1 Google Chrome . 21 5.1.2 Microsoft Edge . 22 5.1.3 Internet Explorer . 22 5.2 Exploit Pricing . 22 5.2.1 ZERODIUM . 23 5.2.2 Pwn2Own . -
Over the Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones
Over The Air Baseband Exploit: Gaining Remote Code Execution on 5G Smartphones Marco Grassi (@marcograss)1, Xingyu Chen (@0xKira233)1 1Keen Security Lab of Tencent Abstract In recent years we saw the widespread adoption of 5G Cellular Networks, both for consumer devices, IoT, and critical infrastructure. The estimate of number of devices connected to a 5G network varies, but statistics show they are vastly present in the market [1]. Every one of these devices, in order to join the 5G network, must be equipped with a 5G modem, in charge of modulating the signal, and implementing the radio protocols. This component is also commonly referred as baseband. It is of enormous importance to secure these components, since they process untrusted data from a radio network, making them particularly attractive for a remote attacker. In our previous work [2] we examined the security modem for previous generation networks (such as 2G, 3G or 4G) and we achieved full remote code execution over the air. In this paper we will explore what changed on 5G networks, what improved in terms of security and what did not. We will demonstrate that it is still possible to fully compromise, over the air, a 5G modem, and gaining remote code execution on a new 5G Smartphone. Keywords 5G, baseband, modem, exploitation, memory corruption, RCE, SDR, Over The Air 1. Introduction In recent years we saw the widespread adoption of 5G Cellular Networks, both for consumer devices and for IoT and critical infrastructure. The estimate of number of devices connected to a 5G network varies, but they are all a huge number [1]. -
Android Pwn2owning
++ Android Pwn2Owning Hacktivity 2018 PUBLIC Introduction Agenda • Background • Bug Hunting Approach • Tooling / Automation • Mobile Pwn2Own 2017 Vulnerabilities • Demo 2 About us • James Loureiro (@NerdKernel) – Head of Security Research @ MWR primarily focused on VR and reverse engineering (as well as herding other researchers) • Alex Plaskett (@alexjplaskett) – Offensive security researcher @ MWR primarily doing VR (WP7 jailbreak, Pwn2Own Safari 2018, mobile security) 3 Background • How hard can it be?! 4 PWN2OWN 2017 5 Huawei Mate 9 Pro 6 PWN2OWN Execute arbitrary instructions… …retrieve sensitive information… …a full sandbox escape is required… …without any user interaction. 8 Pwn2Own Categories and Choice 9 PWN2OWN – Results 10 PUBLIC Bug Hunting Approach Browser attack surface 12 Exploit Mitigation Advancement • Memory Safety Mitigations – ASLR, PIE, RELTO, PartitionAlloc • Means you need mitigation bypass vulnerabilities too • Time consuming debugging memory corruption exploits on a real device 13 Attackers - Positives of Logic Bug Chains • Often design issues – Hard to fix (long bug lives) – Increased reliability • Architectural agnostic – No problems with shellcode • Android IPC specifically is complex as hell • Harder to detect? 14 Attackers - Negatives of Logic Bug Chains • They can get ridiculously long (11 Bugs in S8) – One bug gets fixed and the whole chain is screwed! – Usually not particularly stealthy . Samsung phone rebooted. Huawei phone switches apps twice. • Often requires a deeper understanding of the application • Automated detection is harder – how do you fuzz for logic bugs? 15 Bug Hunting Tips • Want to rapidly find high risk issues in a large amount of apps • How too prioritise? – External Attack Surface (Reachable from browser) – Permissions? . Less of an issue for initial foothold – Dangerous words 16 PUBLIC Tooling and Automation Toolset (Static vs Dynamic) • Android: What do we care about? – BROWSABLE intents (Need to be web accessible) and Intents – Content we can load into the applications (either via a WebView or Media).