In a recent engagement, we had the opportunity to audit a leading Antivirus Endpoint Protection solution, where we found a multitude of vulnerabilities. Some of these made it to CERT, while others have been scheduled for review during our upcoming AWE course at Black Hat 2014, Las Vegas. Ironically, the same software that was meant to protect the organization under review was the reason for its compromise.
With the nature of our business, we at Offensive Security take our system security very seriously and we appreciate the benefits of having “the crowd” scrutinize our internet presence for bugs. For this reason, we recently started our own Bug Bounty Program, which provides incentives for researchers to inform us of possible vulnerabilities in our sites in exchange for cash rewards.
In the past few days there has been some online chatter about a new Windows XP/2k3 privilege escalation, well documented by FireEye. Googling around, we came across a Twitter message which contained a link to a Chinese vulnerability analysis and PoC.
After discussing the recent Yahoo DOM XSS with Shahin from Abysssec.com, it was discovered that Yahoo’s fix is not effective as one would hope. According to Yahoo, this issue was fixed at 6:20 PM EST, Jan 7th, 2013. With little modification to the original proof of concept code written by Abysssec, it is still possible to exploit the original Yahoo vulnerability, allowing an attacker to completely take over a victim’s account. The victim has to be lured to click a link which contains malicious XSS code for the attack to succeed. This can demonstrated by the video we have created just this morning (Jan 8th, 2013) after Shahin kindly shared proof of concept code with us.
On a recent penetration test, we encountered an installation of CA ARCserve Backup on one of the target systems that piqued our interest. Like most “good” enterprise applications, ARCserve has processes that are running as SYSTEM so naturally, we went straight to work looking for vulnerabilities.
An interesting submission to EDB today from the guys at http://www.nullbyte.org.il – a PHP 6.0 0day buffer overflow.
Today (as promised in part 1 of the QuickZip Stack BOF exploit write-up), I will explain how to build the exploit for the quickzip vulnerability using a pop pop ret pointer from an OS dll. At the end of part 1, I challenged you, the Offensive Security Blog reader, to…
A few days ago, one of my friends (mr_me) pointed me to an application that appeared to be acting somewhat “buggy” while processing “specifically” crafted zip files. After playing with the zip file structure for a while (thanks again, mr_me, for documenting the zip file structure), I found a way…