Ethers is a cryptocurrency designed to power smart-contracts, autonomous programs that define how an amount of money will behave. A simple race condition in a very large smart-contract code allowed an attacker to steal $59 million of value from the DAO account: Bitcoin’s Largest Competitor Hacked: Over $59 Million “Ethers” Stolen In Ongoing Attack. Details here […]

Java and Flash have been and still are terrible 3rd party components when it comes to the security of our PCs. While from a functional point of view they were rocket science in the ’90 (anybody who remember ActiveX would agree) nowadays they are sluggish, weakly integrated, rectangles in our web pages. Finally both Oracle and Adobe […]

On February 2016 we sent an Early Warnings to our customers for a remote code execution (RCE) in Cisco ASA (CVE-2016-1287 or cisco-sa-20160210-asa-ike). Today a POC has been published: https://github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC You can fond more details on: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1287 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike https://blog.exodusintel.com/2016/02/10/firewall-hacking/

Time to hack restricted SSH accounts thanks to an injection in the “xauth” command! Not an exploit for everyone but CVE-2016-3115 and CVE-2016-3116 details have just been published on Full Disclosure, and they will be useful to a lot of people for sure :) If your remote provider gives you a restricted SSH access using a forced-command […]

Renaud Dubourguais and Nicolas Collignon released a nice paper on Java Server Faces security titled JSF ViewState upside-down (http://www.synacktiv.fr/ressources/JSF_ViewState_InYourFace.pdf). JSF implementations are often used in J2EE applications. JSF uses ViewStates which have already been discussed for cryptographic weaknesses like with the oracle padding attack [PADDING]. ViewStates have also been abused to create client side attacks […]

#!/bin/bash # This little hack-job will grab credentials from a running openvpn process in Linux # Keep in mind this won’t work if the user used the –auth-nocache flag grep rw-p /proc/$1/maps | sed -n ‘s/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p’ | while read start stop; do gdb –batch-silent –silent –pid $1 -ex “dump memory $1-$start-$stop.dump 0x$start 0x$stop”; […]

Fishing the AWS IP Pool for Dangling Domains: Amazon and other cloud providers have made it child’s play to spin up ephemeral server instances for quick deployment of various services. If you want a web server to host your new .io domain name, you can have it set up in no time at all. Starting a website […]

http://shadow-file.blogspot.it/2015/04/broken-abandoned-and-forgotten-code_22.html http://shadow-file.blogspot.it/2015/04/abandoned-part-01.html http://shadow-file.blogspot.it/2015/04/abandoned-part-02.html http://shadow-file.blogspot.it/2015/05/abandoned-part-03.html http://shadow-file.blogspot.it/2015/05/abandoned-part-04.html http://shadow-file.blogspot.it/2015/05/abandoned-part-05.html http://shadow-file.blogspot.it/2015/05/abandoned-part-06.html http://shadow-file.blogspot.it/2015/06/abandoned-part-07.html http://shadow-file.blogspot.it/2015/06/abandoned-part-08.html http://shadow-file.blogspot.it/2015/06/abandoned-part-09.html http://shadow-file.blogspot.it/2015/07/abandoned-part-10.html http://shadow-file.blogspot.it/2015/07/abandoned-part-11.html http://shadow-file.blogspot.it/2015/09/abandoned-part-12.html http://shadow-file.blogspot.it/2015/10/abandoned-part-13.html There is even a Github repository for the project!

Stack overflow in libtasn1: libtasn1 is a library to parse ASN.1 data structures. Its most prominent user is GnuTLS. Fuzzing libtasn1 led to the discovery of a stack write overflow in the function _asn1_ltostr (file parser_aux.c). It overflows a temporary buffer variable on certain inputs. This issue has been reported to the developers on 2015-03-26. A fix was released […]

JBoss JMXInvokerServlet Remote Command Execution: This code exploits a common misconfiguration in JBoss Application Server. Whenever the JMX Invoker is exposed with the default configuration, a malicious “MarshalledInvocation” serialized Java object allows to execute arbitrary code. This exploit works even if the “Web-Console” and the “JMX Console” are protected or disabled.