Channel: Silent Signal Techblog
Browsing all 115 articles

Trend Micro OfficeScan – A chain of bugs

Analyzing the security of security software is one of my favorite research areas: it is always ironic to see software originally meant to protect your systems open a gaping door for the attackers....

HP-UX 0day local privilege escalation

We worked for a big company in Hungary and there were some HP-UX targets. I got local user access easily to the servers but the operating system was HP-UX 11.31 without public privilege escalation...

How to get root access on FireEye OS

1. Background A couple of months ago we had the opportunity to take a closer look at a FireEye AX 5400 malware analysis appliance. The systems of FireEye are famous for catching targeted attacks that...

WebLogic undocumented hacking

During an external pentest – what a surprise – I found a WebLogic server with no interesting contents. I searched papers and tutorials about WebLogic hacking with little success. The public...

Code Review on the Cheap

At the 31st Chaos Communication Congress I had the pleasure to watch the presentation of Fabian Yamaguchi about the code analysis platform Joern. I’ve heard about this tool before at Hacktivity but this...

AIX for Penetration Testers

Renewal paper of my GIAC Penetration Tester certification: http://www.giac.org/paper/gpen/6684/aix-penetration-testers/125890 Enjoy!

The story of a pentester recruitment

Intro Last year we decided to expand our pentest team, and we figured that offering a hands-on challenge would be a good filter for possible candidates, since we’ve accumulated quite a bit of...

CVE-2014-3440 – Symantec Critical System Protection Remote Code Execution

Today we release the details of CVE-2014-3440, a remote code execution vulnerability in Symantec Critical System Protection. You can get the detailed advisory on the following link: CVE-2014-3440 –...

Testing Oracle Forms

SANS Institute accepted my GWAPT Gold Paper about testing Oracle Forms applications, the paper is now published in the Reading Room. Forms is a typical example of proprietary technology that back in...

Poisonous MD5 – Wolves Among the Sheep

MD5 is known to be broken for more than a decade now. Practical attacks have been shown since 2006, and public collision generator tools are also available since that time. The dangers of the developed...

Virtual Bank Robbery – In Real Life

Introduction This week a Polish bank was breached through its online banking interface. According to the reports the attacker stole 250,000 USD and now uses the personal information of 80,000 customers...

Finding the salt with SQL inception

Introduction Web application penetration testing is a well researched area with proven tools and methodologies. Still, new techniques and interesting scenarios come up all the time that create new...

Proxying nonstandard HTTPS traffic

Depending on the time spent in IT, most professionals have seen an instance or two where developers based their implementations on specific quirks and other non-standard behaviors, a well-known example...

Testing stateful web application workflows

SANS Institute accepted my GWAPT Gold Paper about testing stateful web application workflows, the paper is now published in the Reading Room. The paper introduces the problem we’ve been facing more and...

You’re not looking at the big picture

When serving image assets, many web developers find it useful to have a feature that scales the image to a size specified in a URL parameter. After all, bandwidth is expensive, latency is killing the...

iOS HTTP cache analysis for abusing APIs and forensics

We’ve tested a number of iOS apps in the last few years, and got to the conclusion that most developers follow the recommendation to use APIs already in the system – instead of reinventing the wheel or...

Detecting ImageTragick with Burp Suite Pro

After ImageTragick (CVE-2016-3714) was published, we immediately started thinking about detecting it with Burp, which we usually use for web application testing. Although Collaborator would be a...

Accessing local variables in ProGuarded Android apps

Debugging applications without access to the source code always has its problems, especially with debuggers that were built with developers in mind, who obviously don’t have this restriction. In one of...

Bake your own EXTRABACON

In the last couple of days we took a closer look at the supposed NSA exploit EXTRABACON, leaked by the Shadow Brokers. As an initial analysis by XORcat concluded, the code is capable of bypassing...

An update on MD5 poisoning

Last year we published a proof-of-concept tool to demonstrate bypasses against security products that still rely on the obsolete MD5 cryptographic hash function. Summary: The method allows bypassing...
