SMM unchecked pointer vulnerability

Mon 30 May 2016 by Bruno

TL;DR

This article explains the exploitation of an SMM unchecked pointer vulnerability present in several firmwares. Because the bug is a memory corruption in a specific DXE driver, it only affects firmware that still ships the unpatched vulnerable driver.

It first explains SMM and some of its mechanisms, then the reversing of ...


Bypassing ASLR and DEP on Adobe Reader X

Fri 22 June 2012 by guillaume

Due to their complexity and their large deployment on users' machines, Adobe products (especially Flash and Reader) have often received a lot of attention from attackers. Being aware of this fact, Adobe has taken one step forward in security with the latest version of their PDF reader, Adobe Reader X ...


Analysis of the jailbreakme v3 font exploit

Sat 16 July 2011 by jean

Two weeks ago, comex released the third version of jailbreakme. Two exploits are used to jailbreak Apple devices by opening a PDF file in the MobileSafari browser: initial code execution is obtained through a vulnerability in the Freetype Type 1 font parser, allowing subsequent exploitation of a kernel vulnerability to ...


CVE-2010-3830 - iOS < 4.2.1 packet filter local kernel vulnerability

Thu 09 December 2010 by jean

This post will describe a recent iPhone kernel vulnerability discovered by comex and used in the limera1n and Greenpois0n jailbreaking tools. Both tools exploit a BootROM vulnerability found by geohot to get initial code execution on the device, and comex's kernel exploit is then used to make the jailbreak ...


Padding Oracle attack and its applications on ASP.NET

Fri 03 December 2010 by thomas

ASP.NET is a group of Web development technologies created by Microsoft, which offers developers an easy way to create dynamic web sites, web applications, or XML web services. To use it, a compatible web server is needed (like Microsoft IIS for example). ASP.NET is part of Microsoft.NET ...


Thank you, Mario, but our printSeps() is in another castle!

Fri 26 November 2010 by julien

This post details the way Adobe patched the printSeps() vulnerability in Adobe Reader (CVE-2010-4091). You'll see that the way Adobe fixed the vulnerability is quite surprising...

Very recently a vulnerability in the undocumented JavaScript method printSeps() of Adobe Reader was disclosed (CVE-2010-4091). A few days later Adobe released a ...


Protecting against the RDS Linux local root exploit with grsec

Tue 26 October 2010 by Christophe Devine

On October 19th, Dan Rosenberg, a security researcher at Virtual Security Research LLC, disclosed a flaw in the handling of iovec structures by the rds kernel module (original VSR advisory). Because of missing checks, a userland program could directly read from or write to arbitrary locations, including inside kernel ...
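As an added illustration (not code from this post, from VSR, or from the kernel), the following user-space C model shows the bug class behind that flaw, and behind the SMM unchecked pointer entry above: a privileged routine copies data through a caller-supplied iovec base without first checking that the pointer lies in the caller's own memory. The two static arrays standing in for kernel and user memory, the function names, and the MODEL_EFAULT value are constructed for the model; the hardened variant adds the access_ok()-style range check that the vulnerable one lacks.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * Constructed model of an "unchecked user pointer" bug.  Two static arrays
 * stand in for a kernel object and a userland page; a caller-controlled
 * iovec decides where a copy routine writes.  Nothing here is the real RDS
 * code path, only the shape of the missing check.
 */

struct iovec_model {
    void  *iov_base;   /* pointer supplied by the untrusted caller */
    size_t iov_len;
};

static unsigned char kernel_mem[64];   /* stands in for kernel memory */
static unsigned char user_mem[64];     /* stands in for a userland page */

#define MODEL_EFAULT 14                /* mirrors errno EFAULT */

/* Constructed payload the caller asks the "kernel" to copy out. */
static const unsigned char payload[8] = {
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

/* access_ok()-style check: [p, p+len) must fall entirely inside user_mem. */
static int user_range_ok(const void *p, size_t len)
{
    uintptr_t lo = (uintptr_t)user_mem;
    uintptr_t hi = lo + sizeof user_mem;
    uintptr_t a  = (uintptr_t)p;
    return len <= hi - lo && a >= lo && a <= hi - len;
}

/* Vulnerable variant: trusts iov_base and writes wherever it points. */
static long copy_to_iov_unchecked(const struct iovec_model *iov,
                                  const void *src, size_t n)
{
    if (n > iov->iov_len)
        n = iov->iov_len;
    memcpy(iov->iov_base, src, n);   /* arbitrary write if iov_base is bogus */
    return (long)n;
}

/* Hardened variant: refuse any base outside the user range before copying. */
static long copy_to_iov_checked(const struct iovec_model *iov,
                                const void *src, size_t n)
{
    if (!user_range_ok(iov->iov_base, iov->iov_len))
        return -MODEL_EFAULT;
    if (n > iov->iov_len)
        n = iov->iov_len;
    memcpy(iov->iov_base, src, n);
    return (long)n;
}

/* Attacker-controlled iovec whose base points into "kernel" memory. */
static struct iovec_model evil_iov(void)
{
    struct iovec_model iov = { kernel_mem + 16, sizeof payload };
    return iov;
}

/* Returns 1 if the unchecked copy overwrote kernel memory with the payload. */
int demo_unchecked_corrupts_kernel(void)
{
    struct iovec_model iov = evil_iov();
    memset(kernel_mem, 0, sizeof kernel_mem);
    long r = copy_to_iov_unchecked(&iov, payload, sizeof payload);
    return r == (long)sizeof payload &&
           memcmp(kernel_mem + 16, payload, sizeof payload) == 0;
}

/* Returns 1 if the checked copy rejected the same iovec and left kernel_mem untouched. */
int demo_checked_rejects(void)
{
    struct iovec_model iov = evil_iov();
    unsigned char zero[sizeof kernel_mem];
    memset(zero, 0, sizeof zero);
    memset(kernel_mem, 0, sizeof kernel_mem);
    long r = copy_to_iov_checked(&iov, payload, sizeof payload);
    return r == -MODEL_EFAULT &&
           memcmp(kernel_mem, zero, sizeof kernel_mem) == 0;
}

/* Returns 1 if a legitimate user pointer still works through the checked path. */
int demo_checked_allows_user(void)
{
    struct iovec_model iov = { user_mem + 8, sizeof payload };
    memset(user_mem, 0, sizeof user_mem);
    long r = copy_to_iov_checked(&iov, payload, sizeof payload);
    return r == (long)sizeof payload &&
           memcmp(user_mem + 8, payload, sizeof payload) == 0;
}
```

In a real kernel the copy goes through copy_to_user()/copy_from_user(), which perform this range check themselves; the bug class appears when a driver reaches for a raw or "unchecked" copy helper on a pointer it got from userland. The grsecurity protection the post goes on to discuss is a separate, system-wide mitigation and is not modelled here.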


Format string exploitation with Metasm

Fri 09 July 2010 by thomas

Metasm is all the rage in the lab at the moment; after Ivan's post and jj's, it is my turn to have a go.

Ever since I started exploiting Format String vulnerabilities, I have wanted to quickly write myself a ...


Automatic exploitation with Metasm

Sat 19 June 2010 by jj

Ivan wrote a post about a script he built with metasm to automatically find most of the parameters needed when exploiting a simple stack-based buffer overflow.

I want to shed some light on other ways to achieve the same result, and take this opportunity to bring his work to our English-speaking ...
