Security News #0x4F
- High on this week's list of coolness are the reports that the tool ZMap can scan the entire IPv4 Internet in about 45 minutes, assuming a good connection. It requires 64-bit Linux, so I am sad; my home Kali is 32-bit. Hmm. Perhaps an upgrade is in my future? The Washington Post describes some of what the researchers who wrote the tool found.
- The folks at Packetstorm have a new Java attack that affects Java 7 Update 25; exploit code is provided. The problem lies in the function BytePackedRaster.verify(), which is vulnerable to overflow. I do not think that a CVE number has yet been assigned.
- You probably recall the perf_event_open privilege escalation (CVE-2013-2094) for 64-bit Linux systems, for which a couple of exploits exist, the most talked about probably being semtex.c. Well, it looks like there is another exploit, this one targeting ARM systems. Interestingly, the code references CVE-2013-4254, though the MITRE database has not yet assigned that number.
- MWR Labs was able to bypass the sandbox on Google Chrome as part of the 2013 Pwn2Own event. PoC code now appears to be available.
- Has anyone tried this Firefox 3.6 exploit or this Firefox 3.5.4/3.0.4 exploit from x90c? The first exploits CVE-2010-1028, while the second exploits CVE-2009-3373.
- Did you know that there is an exploit circulating for Samsung DVRs?
- Did you know that it is possible to create very small files that when fully uncompressed become enormous? As an example, consider
    root@kali:~/test# dd if=/dev/zero bs=10M count=1 | gzip -9 | gzip -9 > test.gz.gz
    1+0 records in
    1+0 records out
    10485760 bytes (10 MB) copied, 0.0692819 s, 151 MB/s
Here we use dd to read 10 MB of zeros from the /dev/zero device. We then pass this through a round of gzip with maximum compression (the -9 argument) and then do it again; the result is redirected to test.gz.gz. How big do you think the result might be?
    root@kali:~/test# ls -l
    total 4
    -rw-r--r-- 1 root root 117 Aug 25 16:16 test.gz.gz
Yep, 117 bytes. This is the classic decompression bomb: anything that inflates untrusted input without a cap on the output size (an anti-virus scanner, a web server accepting gzip-encoded request bodies, a log ingester) can be made to exhaust memory or disk for the price of a few hundred bytes. If you can compress 10 MB (of zeros) to 117 bytes, clearly you can "go large" if you want, and have the time:
    root@kali:~/test# dd if=/dev/zero bs=100M count=1 | gzip -9 | gzip -9 > test100.gz.gz
    1+0 records in
    1+0 records out
    104857600 bytes (105 MB) copied, 0.675504 s, 155 MB/s
    root@kali:~/test# dd if=/dev/zero bs=1000M count=1 | gzip -9 | gzip -9 > test1000.gz.gz
    1+0 records in
    1+0 records out
    1048576000 bytes (1.0 GB) copied, 56.5876 s, 18.5 MB/s
    root@kali:~/test# ls -al
    total 20
    drwxr-xr-x  2 root root 4096 Aug 25 16:24 .
    drwxr-xr-x 20 root root 4096 Aug 25 16:03 ..
    -rw-r--r--  1 root root 2588 Aug 25 16:22 test1000.gz.gz
    -rw-r--r--  1 root root  369 Aug 25 16:24 test100.gz.gz
    -rw-r--r--  1 root root  116 Aug 25 16:23 test.gz.gz
So 1 GB of zeros fits in 2588 bytes, an expansion ratio of roughly 400,000 to 1. The lesson for anything that accepts compressed data from strangers: never trust the compressed size, and stop inflating once the output passes a limit you chose in advance.
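As an added example (my own code, not something from the original post or from any tool it links), here is the same dd | gzip -9 | gzip -9 trick reproduced in pure Python, next to the defensive side: a decompressor that peels nested gzip layers but refuses to produce more output than a budget the caller sets, so a few hundred bytes cannot become a gigabyte inside your process. The size of the bomb, the output budget and the layer limit are illustrative values I chose, not numbers from the post.

```python
import gzip
import io

# Added example (not from the original post): build a nested gzip bomb
# in memory, then decompress untrusted gzip data under a hard output cap.
# The sizes and limits used below are illustrative assumptions.

GZIP_MAGIC = b"\x1f\x8b"


class DecompressionBomb(Exception):
    """Raised when decompressed output would exceed the caller's limit."""


def make_nested_gzip_bomb(size, rounds=2):
    """Return `size` zero bytes compressed `rounds` times at level 9.

    This is the dd | gzip -9 | gzip -9 trick from the post done in
    Python; the result is a few hundred bytes regardless of `size`.
    """
    data = b"\x00" * size
    for _ in range(rounds):
        data = gzip.compress(data, compresslevel=9)
    return data


def bounded_gunzip(blob, max_out):
    """Decompress one gzip layer, never producing more than max_out bytes.

    GzipFile.read(n) yields at most n bytes of *output*, so the check runs
    before the next chunk is inflated; memory use is bounded by max_out
    plus one chunk, not by whatever the attacker's file expands to.
    """
    out = bytearray()
    with gzip.GzipFile(fileobj=io.BytesIO(blob), mode="rb") as f:
        while True:
            chunk = f.read(64 * 1024)
            if not chunk:
                break
            out += chunk
            if len(out) > max_out:
                raise DecompressionBomb(
                    "output exceeded %d bytes while inflating %d compressed bytes"
                    % (max_out, len(blob)))
    return bytes(out)


def unwrap_gzip(blob, max_out, max_layers=2):
    """Peel nested gzip layers (like test.gz.gz) under an output budget.

    Each layer is held to the same max_out and the number of layers is
    capped, so an attacker cannot hide the blow-up behind one more round
    of compression.
    """
    data = blob
    layers = 0
    while data[:2] == GZIP_MAGIC:
        if layers >= max_layers:
            raise DecompressionBomb("more than %d nested gzip layers" % max_layers)
        data = bounded_gunzip(data, max_out)
        layers += 1
    return data


def expansion_ratio(blob, max_out, max_layers=2):
    """Ratio of fully decompressed size to compressed size."""
    return len(unwrap_gzip(blob, max_out, max_layers)) / len(blob)


if __name__ == "__main__":
    bomb = make_nested_gzip_bomb(10 * 1024 * 1024)
    print("10 MB of zeros, gzipped twice: %d bytes" % len(bomb))
    print("expansion ratio with a 16 MB budget: %.0f:1"
          % expansion_ratio(bomb, 16 * 1024 * 1024))
    try:
        unwrap_gzip(bomb, max_out=1024 * 1024)
    except DecompressionBomb as e:
        print("refused with a 1 MB budget:", e)
```

The point of reading in fixed-size output chunks rather than calling gzip.decompress() is that the limit is enforced while inflating, not after the whole thing has already landed in memory; the layer cap matters because the outer layer of test.gz.gz looks harmless (it inflates to about 10 KB) and the damage is only visible one layer further in.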
- Are you learning to write your own Windows shellcode? Then the primer at Exploit Monday may help you.
- While I am thinking about shellcode, did you know that there is an online disassembler? It ain't IDA Pro (what is?), but it might be useful if your copy is elsewhere.
- If you think that it is simple to look through the PHP source code of a website looking for backdoors, let me suggest that you take a look at how Riley Kidd can hide them.
- I did not see this earlier in the year, but Skeleton Scribe has a nice piece on attacking web applications via the HTTP Host header.
- Those of you who use the Cerberus anti-theft tool for Android phones should read about the recent attacks on the tool.
- It appears that there was a significant attack against Harbor Freight, involving the (possible) theft of large numbers of credit card numbers.