I have started to have a look at my local installed helpers on macOS. These helpers are used as an interface for applications to perform privileged operations on the system. Thus, it is quite a nice attack surface to search for Local Privilege Escalations.
Forklift is an advanced dual-pane file manager for macOS. It is well known among macOS power users.
As part of my investigation I identified vulnerabilities in Forklift allowing local privilege escalation.
Recently, I had some time to play around with HEVD, an extremely vulnerable Windows driver available for 32-bit and 64-bit systems.
Since exploits for all vulnerabilities of the 32-bit variant are publicly available, I was wondering why this is not the case for the 64-bit version, especially for the pool corruption and UAF vulnerabilities.
Exactly one week ago I noticed an “urgent” tweet from Tavis Ormandy asking to get in contact with the Cloudflare team.
Normally, when a tweet like this appears from Tavis, something is horribly broken. Well, today we know the background of this tweet, as the bug tracker issue went public and exposed quite a bug at Cloudflare.
I've looked a bit at the Insomni’hack CTF, which took place on the 21st of January and lasted for 36 hours.
For the sake of warming up a bit for our Troopers workshop Windows and Linux Exploitation, I decided to create a write-up of the first pwn50 challenge.
To grab your own copy of the presented files you can also find it in our Github repository:
Just a few days ago I had the pleasure of visiting Day-Con X. I listened to some great talks in the closed and public sessions. Since the first day was the security summit (closed session) I will just name a few titles with some brief words.
They had the last slot on the last day of Black Hat, which resulted in a rather empty room, but in my opinion it was an awesome talk, and I even had the pleasure of meeting these two guys at our ERNW dinner.
The talk was about a very weirdly documented Intel instruction which does not check for privileges or throw exceptions:
The first keynote, directly after the opening by Enno Rey, was held by Ben Zevenbergen. At the beginning he pointed out that he is not a very technical guy; rather, he specializes in information law and is a policy advisor to the European Parliament. Before he started to dive into his keynote, he talked about some rant stories that had happened to him while trying to make his point clear at previous conferences, and that he came in peace to Troopers ;).
Felix Wilhelm presented in his talk various ways to attack his new target, the PA-500, which is produced by Palo Alto Networks.
He discovered vulnerabilities in 3 different exposed aspects of the device. The first vulnerability occurred inside an unauthenticated API of the management website, which could only be accessed from within the admin network. This vulnerability was a typical off-by-one command injection, which could be abused by reaching out to the API with a special client=wget request.
Last year, at the Hex-Rays plugin contest, the Dynamic IDA Enrichment (DIE) plugin won first place, so we decided to have a look and play around with it.
DIE extends IDA by adding dynamic data to the static analysis. So after the installation, we are able to perform the static analysis using a lot of supporting information from the actual execution of the binary under assessment.
Since DIE is purely written in Python, you will need at least Python 2.7, and IDA versions prior to 6.8 won't work. In the current version DIE only works on Windows, but it will hopefully soon be available cross-platform.
To set up the environment for DIE, just use pip install -r requirements.txt (requirements.txt is shipped with DIE).
Copy die_proxy.py to the IDA plugin directory and add an environment variable named DIEDIR containing the path to the DIE directory.