Birk Kauer – Insinuator.net

Misc

November 13, 2020 by Birk Kauer

Forklift <=3.3.9 and <=3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)

I have started to have a look at my local installed helpers on macOS. These helpers are used as an interface for applications to perform privileged operations on the system. Thus, it is quite a nice attack surface to search for Local Privilege Escalations.

Forklift is an advanced dual pane file manager for macOS. It is well known under macOS power users.

As part of my investigation I identified vulnerabilities in Forklift allowing local privilege escalation.

By now all vulnerabilities are fixed by the vendor I can release the details: https://binarynights.com/versionhistory

Continue reading “Forklift <=3.3.9 and <=3.4 Local Privilege Escalations on macOS (CVE-2020-15349/CVE-2020-27192)”

Misc

January 10, 2019 by Birk Kauer

macOS Mojave Hardening Guide

Due to the new release of macOS Mojave in September we updated the El Capitan hardening guide.

Continue reading “macOS Mojave Hardening Guide”

Breaking

October 3, 2018 by Birk Kauer

Spraying arbitrary objects into the non-paged pool

Recently, I had some time to play around with HEVD [1], an extremly vulnerable Windows driver available for 32-bit and 64-bit systems.

Since exploits for all vulnerabilities of the 32-bit variant are publically available, I was wondering why this is not the case for the 64-bit version, especially for the pool corruption and UAF vulnerabilities.

Continue reading “Spraying arbitrary objects into the non-paged pool”

Misc

February 24, 2017 by Birk Kauer

Cloudflare Incident #Cloudbleed

Exactly one week ago I noticed an “urgent” tweet from Tavis Ormandy to get in contact with the Cloudflare team.
Normally when a tweet like this appears from Tavis, something is horribly broken. Well, today we know the background of this tweet as the bug tracker issue went public and it exposed quite a bug from Cloudflare. Continue reading “Cloudflare Incident #Cloudbleed”

Breaking

January 24, 2017 by Birk Kauer

Insomni’hack pwn50 write-up

Hi all,

i´ve looked a bit at the Insomni’hack CTF which took place on the 21st January and lasted for 36 hours.
For the sake of warming up a bit for our Troopers workshop Windows and Linux Exploitation,
I decided to create a write-up of the first pwn50 challenge.

To grab your own copy of the presented files you can also find it in our Github repository:

Continue reading “Insomni’hack pwn50 write-up”

Events

October 27, 2016 by Birk Kauer

Day-Con X Recap

Just a few days ago I had the pleasure of visiting Day-Con X. I listened to some great talks in the closed and public sessions. Since the first day was the security summit (closed session) I will just name a few titles with some brief words.

Continue reading “Day-Con X Recap”

Events

August 9, 2016 by Birk Kauer

Black Hat 2016 Summary

Just a few days ago I had a blast again at this year’s Black Hat. Some of the talks were really worth listening to, so I wanted to point them out and give a short summary.

USING UNDOCUMENTED CPU BEHAVIOR TO SEE INTO KERNEL MODE AND BREAK KASLR IN THE PROCESS – Anders Fogh & Daniel Gruss

They had the last slot at the last day of Black Hat which resulted in a kind of empty room, but in my opinion it was an awesome talk and I even had the pleasure to meet these two guys at our ERNW dinner.

The talk was about a very weirdly documented Intel instruction which does not check for privileges or throw exceptions:

Continue reading “Black Hat 2016 Summary”

Events

March 31, 2016 by Birk Kauer

Keynote #1 Troopers 2016

The first Keynote directly after the Opening by Enno Rey was held by Ben Zevenbergen. At the beginning he pointed out that he is not a very technical guy rather he specialized in Information Law and a policy advisor to the European Parliament. Before he started to dive into his Keynote he talked about some rant story’s which happened to him while trying to make his point clear on previous conferences and that he came in peace to Troopers ;).

Continue reading “Keynote #1 Troopers 2016”

Events

March 28, 2016 by Birk Kauer

Attacking Next-Generation Firewalls

Felix Wilhelm presented in his talk various ways to attack his new target – The PA-500 which is produced by Palo Alto Networks.

He discovered vulnerabilities in 3 different exposed aspects of the device. The first vulnerability occurred inside of an unauthenticated API from the Management-Website which could only be accessed within the Admin Network. This vulnerability was a typical off-by-one Command Injection, which could be abused by reaching out to the API with a special client=wget Request.

Continue reading “Attacking Next-Generation Firewalls”

Breaking

January 28, 2016 by Birk Kauer

Dynamic IDA Enrichment (aka. DIE)

Last year on the Hex-rays plugin Contest the Dynamic IDA Enrichment (DIE) plugin won first place, so we decided to have a look and play around with it.

DIE extends IDA to add Dynamic Data to the static analysis. So after the installation, we are able to perform the static analysis using a lot of supporting information from the actual execution of the binary under assessment.

Since DIE is purely written in Python you will need at least Python 2.7 and IDA Versions prior to 6.8 won´t work. In the current version DIE will only work on Windows which will hopefully soon be available cross-platform.

To setup the environment for DIE just use pip install –r requirements.txt (requirements.txt are shipped with DIE).
Copy die_proxy.py to the IDA Plugin directory and add an environment Variable named DIEDIR including the path to the DIE directory. Continue reading “Dynamic IDA Enrichment (aka. DIE)”