Security News #0x7E

  • A vulnerability in glibc that affects the gethostbyname function was announced by Qualys. As seems to be all the rage, it was given a nickname, in this case “ghost”. I prefer the easier to remember CVE-2015-0235, though it should be noted that this is marked as reserved rather than assigned in the various databases. Ars Technica has a broad overview of the vulnerability. Because this affects a commonly used library, there are many applications that could potentially be vulnerable; for a list, check out the Sucuri blog. After some reading, though, my conclusion is that the best technical analysis is available at lcamtuf’s blog; it should be required reading.
  • I read a wonderful blog post in which the author builds and runs a functioning C program without a main() function. In fact, the entire program (which prints “Hello World!” to the screen) consists of a single variable declaration. Intrigued? Check it out.
  • It turns out that Firefox and Chrome can be persuaded via a bit of JavaScript to give up the local IP address of the system. This can be useful if, for example, an attacker wants to perform reconnaissance of a target’s internal network. Take a look at the GitHub page of the code; the lifars blog has a demo and defensive techniques.
  • Do you want root on a Nexus 5 with Android 4.4.4? Packetstorm has proof of concept code.
  1. February 1, 2015 at 8:13 am
