Security News #0x80

  • ET Pwn Phone? (Thanks to Ryan for the idea!) This is a Metasploit module that exploits the futex_requeue bug (CVE-2014-3153) in Android phones prior to June 2014.
  • It is possible to crash the Google email application with a single email. What makes this denial of service particularly problematic is that the target then needs to find a way to delete the malicious email without using the Google mail application.
  • Internet Explorer 10 and 11 are vulnerable to a universal cross-site scripting attack. As yet, this is unpatched; there isn’t even a CVE number. Of course, Metasploit has a module. A technical description is available.
  • An attacker who has gained a foothold on a network often needs to obtain network credentials before moving laterally. One interesting approach is to ask the user. This is a new Metasploit module to phish credentials by popping up a dialog box on a compromised system.
  • Linux is not immune to this type of attack. Here is a Metasploit module that steals passwords used to unlock the screensaver or use the Policy Kit.
  • Are you interested in learning more about how a Linux system boots?
  • Recent Samsung televisions allow for voice control. The catch is that the voice recognition is not done on the television, but rather at a remote site. Now imagine that every word you speak in your living room is sent to a third party. Maybe I don’t need a TV with voice recognition.
  • LD_PRELOAD is a way of modifying code execution in Linux without modifying the code; this is done by changing the library functions that the code relies on. One malicious use of LD_PRELOAD is as a way to hide malware and rootkits. haxelion has one of the best write-ups on the topic I have seen, especially on the question of detection.
  • Nat McHugh has provided a step-by-step method to generate MD5 collisions using Amazon AWS and HashClash at a cost of roughly 65 cents per collision.
  • Stephen Brennan has a nice tutorial on how to write your own shell. Well worth a read.
  1. February 15, 2015 at 11:34 am