SMM unchecked pointer vulnerability
This article explains the exploitation of an SMM unchecked pointer vulnerability present in several firmware images. As this vulnerability is a memory corruption, it only applies to firmware that includes the unpatched, vulnerable DXE driver.
It first explains SMM mode and some of its mechanisms, then the reversing of ...
Bypassing ASLR and DEP on Adobe Reader X
Due to their complexity and their wide deployment on users' machines, Adobe products (especially Flash and Reader) have often received a lot of attention from attackers. Being aware of this, Adobe has taken a step forward in security with the latest version of its PDF reader, Adobe Reader X ...
Analysis of the jailbreakme v3 font exploit
Two weeks ago, comex released the third version of jailbreakme. Two exploits are used to jailbreak Apple devices by opening a PDF file in the MobileSafari browser: initial code execution is obtained through a vulnerability in the FreeType Type 1 font parser, which then allows exploitation of a kernel vulnerability to ...
CVE-2010-3830 - iOS < 4.2.1 packet filter local kernel vulnerability
This post describes a recent iPhone kernel vulnerability discovered by comex and used in the limera1n and Greenpois0n jailbreaking tools. Both tools exploit a BootROM vulnerability found by geohot to get initial code execution on the device, and comex's kernel exploit is then used to make the jailbreak ...
Padding Oracle attack and its applications on ASP.NET
ASP.NET is a group of web development technologies created by Microsoft, which offers developers an easy way to create dynamic web sites, web applications, or XML web services. To use it, a compatible web server is needed (Microsoft IIS, for example). ASP.NET is part of Microsoft .NET ...
Thank you, Mario, but our printSeps() is in another castle!
This post details the way Adobe patched the printSeps() vulnerability in Adobe Reader (CVE-2010-4091). You'll see that the way Adobe fixed the vulnerability is quite surprising...
Protecting against the RDS Linux local root exploit with grsec
On October 19th, Dan Rosenberg, a security researcher at Virtual Security Research LLC, disclosed a flaw in the handling of iovec structures by the rds kernel module (original VSR advisory). Due to the lack of checks on the supplied addresses, a userland program could directly read or write at arbitrary locations, including inside kernel ...
Format string exploitation with Metasm
Automatic exploitation with Metasm
Ivan wrote a post about a script he wrote using Metasm to automatically find most of the parameters needed when exploiting a simple stack-based buffer overflow.
I want to shed some light on other ways to achieve the same result, and take this opportunity to bring his work to our English-speaking ...