2009

Linux kernel minor "seccomp" vulnerability

Scary Beasts Security

I just released some technical details on why and how "seccomp" is vulnerable to the Linux kernel syscall filtering problems that I previously blogged about. The full details may be found here: [link] The actual bug is of little significance because pretty much no-one uses seccomp: This searches for the PR_SET_SECCOMP string on Google Code Search In addition, even if people did use this -- the bug is not a full break out, just some leakage of filesystem names via stat() or mischief via unrestric

Concerned about security? Then pay attention.

CompTIA on Cybersecurity

Todd was featured on WGN Midday News today giving some tips on how to keep your mobile devices and information safe while travelling this holiday season. The CompTIA President and CEO urged travelers to keep their devices password-protected and to use secure connections. But “the overwhelming biggest security risk is just people not paying attention,” Thibodeaux told anchor Steve Sanders.

Generic cross-browser cross-domain theft

Scary Beasts Security

Well, here's a nice little gem for the festive season. I like it for a few distinct reasons: It's one of those cases where if you look at web standards from the correct angle, you can see a security vulnerability specified. Accordingly, it affected all 5 major browsers. And likely the rest. You can still be a theft victim even with plugins and JavaScript disabled!

Cross-domain search timing

Scary Beasts Security

I've been meaning to fiddle around with timing attacks for a while. I've had various discussions in the past about the significance of login determination attacks (including ones I found myself) and my usual response would be "it's all moot -- the attacker could just use a timing attack". Finally, here's some ammo to support that position. And -- actual cross-domain data theft using just a timing attack, as a bonus.

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Bypassing the intent of blocking "third-party" cookies

Scary Beasts Security

[Aside: I'm not sure anyone cares, particularly because the "block third party cookies" option tends to break legitimate web sites. But I'll document it just in case :)] Major browsers tend to have an option to block "third-party" cookies. The main intent of this is to disable tracking cookies used by iframe'd ads. It turns out that you can bypass this intent by abusing "HTML5 Local Storage".

vsftpd-2.2.2 released

Scary Beasts Security

Just a quick note that I released vsftpd-2.2.2. Most significantly, a regression was fixed in the inbuilt listener. Heavily loaded sites could see a session get booted out just after the initial connect. If you saw "500 OOPS: child died", that was probably this.

Chromium and Linux sandboxing

Scary Beasts Security

It was great to talk to so many people about Chromium security at HITB Malaysia. I was quite amused to be at a security conference and have a lot of conversations like: Me: What browser do you use? Other: Google Chrome. Me: Why is that? Other: Oh, it's so much faster. Me: Oh, you saw that awesome JSNES, huh? ( [link] ) It's a sobering reminder that users -- and even security experts -- are often making decisions on things like speed and stability.

vsftpd-2.2.1 released

Scary Beasts Security

Nothing too exciting, just two regressions fixed: "pasv_address" should work again, and SSL data connections should no longer fail after a long previous transfer or an extended idle period.

HITB Malaysia 2009 and sandboxing

Scary Beasts Security

No time for details at the moment, but I'm just back from HITB Malaysia and a great time was had by all! The hospitality and warmth of the organizing crew surpassed anything I've ever encountered before. I presented with my colleague Julien Tinnes. See awesome blog: [link] We presented on various intriguing aspects of sandboxing on Linux, covering vsftpd and Chromium as test cases.

Patching ffmpeg into shape

Scary Beasts Security

Preface: unless otherwise noted, the bugs discussed here were found via fuzzing by Will Dormann of CERT -- and my involvement was to fix them. In other news, I recently moved to work on the Chromium project / Google Chrome, which I'm very excited about. It is in this new role that this piece of work was conducted, as part of HTML5 features. I recently fixed a lot of security bugs in ffmpeg, across a subset of the supported containers and codecs.

IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

vsftpd-2.2.0 released

Scary Beasts Security

Not much of interest to add beyond the interesting network isolation support previously discussed. Some minor bugs were fixed. A bunch of compile errors were addressed. There is now support for PAM modules which remap the underlying user account. There is also a new command-line option to pass config file options directly.

Apple ColorSync heap overflow

Scary Beasts Security

Apple just released the Mac OS X 10.5.8 update, which includes security fixes: [link] One of the fixes is for a heap-based buffer overflow in the ColorSync component (which handles the parsing of ICC profiles). Limited details are here: [link] This vulnerability could likely be used to execute arbitrary code in contexts such as Safari browsing to a malicious page.

iPhone and Safari advisories

Scary Beasts Security

Catching up on a few items. I seem to have gotten a mention in a couple of recent Apple advisories: iPhone 3.0 security fixes Safari 4.0.2 It's one of the Safari bugs that interests me today, CVE-2009-1725 or an off-by-one heap memory corruption in Webkit. The patch says it all, really: [link] Here's the faulty code: checkBuffer(10); // ignore the sequence, add it to the buffer as plaintext *dest++ = '&'; for (unsigned i = 0; i < cBufferPos; i++) dest[i] = m_cBuffer[i]; Turns out, that 10 sho

Beware the little pieces you use in your web app

Scary Beasts Security

I've just released the technical details behind some recently fixed vulnerabilities in mimetex: [link] "mimetex" is a little binary (written in the C language) used to render mathematical equations based on the TeX language. It looks very nice and is a cool concept to embed it in web apps. You can use a Google search to locate places that use it: [link] Unfortunately, the binary suffered from various classic stack-based buffer overflows as well as some commands that might leak inappropriate info

Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

vsftpd-2.2.0pre1 and network separation

Scary Beasts Security

Following on from vsftpd-2.1.2, I've just released vsftpd-2.1.0pre1: ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.1.0pre1.tar.gz This further plays with the new Linux container flags: this time, CLONE_NEWNET. This flag creates a process with a separate (and empty) list of network devices and bindings. A process isolated in such a way can create network sockets but any attempt to e.g. do an IPv4 connect() to localhost (or any other destination) will get ENETUNREACH.

Clusterfuzzing

Scary Beasts Security

I've just noticed that a Google search for "clusterfuzzing" (including the quotes) has no hits. Therefore, I'm reserving the term :) All I need now is a new fuzzing angle and then I've got all the makings of a great presentation! Actually, I do have a new twist on fuzzing. All I need is the bugs. Watch this space!

Bonus Safari XXE (only affecting Safari 4 Beta)

Scary Beasts Security

Here's another XXE bug for you (resulting in file theft), just to make the point that this class of bugs is well worth watching out for in client-side applications (such as a browser :) [link] The good news here is that this WebKit regression was quickly fixed by Apple -- and in time for the Safari 4 final release -- so no production browser should ever have been affected.

Apple's Safari 4 fixes local file theft attack

Scary Beasts Security

Safari 4 was just released and among the various improvements is a range of security fixes. One of these fixes is for an XXE attack against the parsing of the XSL XML. Full technical details may be found here: [link] Or for the lazy, you can skip straight to the: Demo for Safari 3 / MacOS Demo for Safari 3 / Windows I found it interesting that Safari 3 seemed robust against XXE attacks in general -- there are a lot of places that browsers find themselves parsing XML (XmlHttpRequest, prettifying

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Apple's Safari 4 also fixes cross-domain XML theft

Scary Beasts Security

Safari 4 also fixes an interesting cross-domain XML theft. Full technical details live here: [link] XML theft can include highly sensitive data thanks to things like XHTML, AJAX-y RPCs using XML and authenticated RSS feeds. The example I have steals XML representing a logged-in Gmail user's inbox: Safari 3 demo for users logged in to Gmail I think there's a lot more room for browser-based cross-domain leaks (sometimes called UXSS or universal XSS).

vsftpd-2.1.2 released and new security tricks

Scary Beasts Security

(Note: v2.1.2 is the same as v2.1.1 but with a compile fix) vsftpd-2.1.2 is released with full details as always on the vsftpd home page: [link] For users, a couple of nasty regressions are fixed: SSL transfers would drop due to an errant timeout firing; this is now fixed. Also, an absent per-user config file was fine with v2.0.7 but an error in v2.1.0. v2.1.2 restores v2.0.7 behaviour.

HiTB Dubai: all over apart from the blogging

Scary Beasts Security

I recently had the pleasure to be invited by Dhillon to present at HackInTheBox (HiTB) Dubai with Billy Rios on our "Cross Domain Leakiness" work. Here is a link to our updated slides: [link] It was a very productive conference, all told. The sort of conference where new attacks materialise over breakfast conversations. In terms of new and pending material, I'll do separate posts regarding: My latest E4X cross-domain theft attack (building on the work of my colleagues Filipe and Michal) A new "d

LittleCMS exploit

Scary Beasts Security

Now that new packages are out for lcms and OpenJDK, I'll publish my LittleCMS exploit. It's harmless in that if it actually works on your machine, all it does is put your CPU into a spin -- watch out for 100% CPU usage. It's also relatively harmless in that it doesn't work on many systems out of the box. I targeted my 32-bit Ubuntu 8.10 laptop which happens to have an executable heap, executable stack, no stack cookies but does have ASLR.

From Complexity to Clarity: Strategies for Effective Compliance and Security Measures

Speaker: Erika R. Bales, Esq.

When we talk about “compliance and security,” most companies want to ensure that steps are being taken to protect what they value most – people, data, real or personal property, intellectual property, digital assets, or any other number of other things - and it’s more important than ever that safeguards are in place. Let’s step back and focus on the idea that no matter how complicated the compliance and security regime, it should be able to be distilled down to a checklist.

LittleCMS vulnerabilities

Scary Beasts Security

Today, vendor updates should be flowing for vulnerabilities in LittleCMS, sometimes known just as "lcms" or "liblcms". LittleCMS is a very useful open-source colour profile parsing and conversion tool. Some technical details of the various vulnerabilities (stack-based buffer overflows, integer overflows, etc.) are given here: [link] The most interesting thing about LittleCMS is how quickly it has become a very critical building block for UNIX desktops.

Linux kernel minor signal vulnerability

Scary Beasts Security

I recently came up with a little API abuse of the clone() system call. Not earth shattering, but definitely fun. Essentially, you can send any signal you want at any time to your parent process, even if it is running with real and effective user id of someone else (e.g. root). Full technical details and an example may be found here: [link] Maybe someone more devious than me can come up with better abuse scenarios than I can.

vsftpd-2.1.0 and ptrace() sandboxing

Scary Beasts Security

The new sandboxing support mentioned in the vsftpd-2.1.0 announcement post is actually a ptrace() based sandbox. It is experimental and therefore off by default. It only currently supports i386 Linux (but there's no reason you couldn't hack the Makefile to build 32-bit on 64-bit Linux). When enabled, it only engages when using one_process_model, i.e. simple anonymous-only configurations.

vsftpd-2.1.0 released

Scary Beasts Security

I just released vsftpd-2.1.0, with full details being available on the vsftpd web page: [link] It fixes a bunch of bugs and compile errors, introduces a few minor new features, has some code clean ups, etc. etc. vsftpd-2.1.0 is interesting from a security perspective because of its changes to SSL support. It actually contains a reasonable resolution to the connection theft attack I blogged about here: [link] In the linked advisory I said "I have a crazy idea to use the SSL session cache as a cheez

Successful Change Management with Enterprise Risk Management

Speaker: William Hord, Vice President of ERM Services

A well-defined change management process is critical to minimizing the impact that change has on your organization. Leveraging the data that your ERM program already contains is an effective way to help create and manage the overall change management process within your organization. Your ERM program generally assesses and maintains detailed information related to strategy, operations, and the remediation plans needed to mitigate the impact on the organization.

Bypassing syscall filtering technologies on Linux x86_64

Scary Beasts Security

For those interested in syscall filtering technologies, check out my latest advisory on how policies can be bypassed under certain circumstances: [link] There's a neat trick on the x86_64 kernel; this kernel supports both 32-bit and 64-bit processes, and interestingly, the syscall tables are different in either case. However, with a bit of trickery, a 64-bit process can call a 32-bit syscall (and vice versa), and confuse the syscall filter.

A more plausible E4X attack

Scary Beasts Security

As a quick recap, "E4X" is the name of a Javascript standard relating to strong XML support in the language. Firefox has had an implementation for quite some time but no other major browser seems to have followed suit. My colleagues Filipe Almeida and Michal Zalewski led the way in E4X security; check out: [link] However, the attack scenarios in that document are in my opinion not likely to occur in many web apps.

Sun Java JRE Pack200 bugs

Scary Beasts Security

A friend of mine, Rich Cannings, spotted my name in a Sun security advisory so I guess this means my Pack200 crashes are fixed: [link] This bug continues a trend of looking to native code parsers within the JRE, in order to break out of it. The most obvious application is to take over desktops via evil applets which abuse these bugs to cause memory corruptions.
