-
March 23, 2015
How Many Million BIOSes Would you Like to Infect?
How Many Million BIOSes Would you Like to Infect? http://legbacore.com/Research_files/HowManyMillionBIOSWouldYouLikeToInfect_Full2.pdf
-
March 18, 2015
gethostbyname() GHOST Buffer Overflow
During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it — and its impact — thoroughly, and named this vulnerability “GHOST”. https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt https://www.qualys.com/research/security-advisories/exim_ghost_bof.rb
-
March 17, 2015
Diaphora, a program diffing plugin for IDA Pro
Diaphora, a program diffing plugin for IDA Pro: Some weeks ago I started developing a binary diffing plugin for IDA Pro (in IDA Python) like Zynamics BinDiff, DarunGrim or Turbo Diff. The reasons to create one more (open source) plugin for such task are various, but the following are the main ones: We need an Open Source […]
-
March 16, 2015
wishstudio/flinux
wishstudio/flinux: Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows in contrast to Cygwin and other tools. There […]
-
March 16, 2015
Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution
Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution: It is possible to bypass Netscaler WAF using a method which may be called HTTP Header Pollution. The setup: An Apache web server with default configuration on Windows (XAMPP). A SOAP web service which is written in PHP and vulnerable to SQL injection. Netscaler WAF with […]
-
March 12, 2015
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last: In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn’t know it then, but the disc also delivered a malicious payload […]
-
March 11, 2015
Password cracking experts decipher elusive Equation Group crypto hash
Password cracking experts decipher elusive Equation Group crypto hash: Unraveling a mystery that eluded the researchers analyzing the highly advanced Equation Group the world learned about Monday, password crackers have deciphered a cryptographic hash buried in one of the hacking crew’s exploits. It’s Arabic for “unregistered.” Researchers for Moscow-based Kaspersky Lab spent more than two […]
-
March 11, 2015
USB Killer
USB Killer: It was a usual gloomy winter morning. My colleagues and I were drinking our morning coffee, sharing the news and there were no signs of trouble. But then a friend told us about… (a quote from a chat in Skype): I read an article about how a dude in the subway fished out a […]
-
March 11, 2015
Rowhammer: Linux Kernel Privilege Escalation PoC
Rowhammer: Linux Kernel Privilege Escalation PoC: http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html https://code.google.com/p/google-security-research/issues/detail?id=283 Full PoC: http://www.exploit-db.com/sploits/36310.tar.gz This is a proof-of-concept exploit that is able to gain kernel privileges on machines that are susceptible to the DRAM “rowhammer” problem. It runs as an unprivileged userland process on x86-64 Linux. It works by inducing bit flips in page table entries (PTEs). For development purposes, the exploit […]
-
March 11, 2015
Two “WontFix” vulnerabilities in Facebook Connect
Two “WontFix” vulnerabilities in Facebook Connect: TL;DR Every website with “Connect Facebook account and log in with it” is vulnerable to account hijacking. Every website relying on signed_request (for example official JS SDK) is vulnerable to account takeover, as soon as an attacker finds a 302 redirect to other domain. I don’t think these will […]