Gera's Documents

Analysis of the Windows Vista Security Model

Matthew Conover — 2006-09-04T12:06:50-03:00

by Matthew Conover.

Although most (all?) of the specific bugs here used to escalate from low integrity to medium integrity, then to high integrity and finally to LocalSystem are already fixed in newer Vista beta builds, the article is interesting in the tricks used, and, at least for me, in the description of the new security features introduced in Vista. Notably the Registry and File Virtualizations, together with the more complex impersonation schemes (lots of processes, including services and COM objects, running on different Integrity Levels, all talking to each other on LPC or RPC), make me think that although Microsoft put a lot of effort in the design of this new security scheme, there's a lot of [new] space for [new] bugs.

All in all, an interesting read if only to see Matt pull out things that made me think "how the fuck he found this info!" (of course I thought it in spanish, so the translation may not be accurate). I guess he reversed a good deal of Vista already... I've seen him reversing stuff, and he's awesome :-)

Eavesdropping attacks on computer displays

Markus G. Kuhn — 2006-09-01T14:53:55-03:00

by Markus G. Kuhn.

This is the short version of Markus Kuhn's PhD thesis (167 pages). In this article the author briefly explains, with some examples, how Eavesdropping on cathode-ray tube displays, on Flat-Panel Displays are possible abusing their electromagnetic emanations, and how optical eavesdropping of CRTs is possible (and quite simple).

Although the subjects are old (probably from 1952?), I've never seen before a simple explanation of Flat-Display and optical eavesdropping.

cached copy of original article.

Alien vs. Quine, the Vanishing Circuit and Other Tales from the Industry’s Crypt

Vanessa Gratzer — 2006-07-25T00:00:00Z

by Vanessa Gratzer, David Naccache.

This article presents an interesting (and new?) way of adding functionality to a firmware so it's possible to detect, externally, whether it has been corrupted (by malware) or not.

My first impression was "hey, if malware is changing firmware then it can make the new firmware behave just like if it was not infected", but the authors present a way so the fake firmware either is the same as the original or it can be detected.

I'm not saying they solve the problem, but they show an interesting approach to the problem. I still want to see how this works in other processors and architectures.

cached copy of original article.

The Final Nail in WEP’s Coffin

riq — 2006-08-16T19:18:08-03:00

by Andrea Bittau, Mark Handley, Joshua Lackey.

This excelent paper puts an end to WEP. By ussing 802.11 fragmentation they can, first, send arbitrary packets on the WEP network immediately after sniffing a single packet. With this, which is enough for lots of things, they build a little more complicated attacks to be able to decript any sniffed packet in almost no time (specially compared to previous attacks). They improve their own attack several times, until they are satisfied, explaining every detail in the process.

The authors also talk about a few low level implementation details. For example, how they used the debug (AUX) port on Prism2 cards to be able to spoof any packets (method taken from someone else).

cached copy of original article.

Mailslot bug (MS06-035) vs non-Mailslot bug (CVE-2006-3942)

2006-08-14T00:00:00Z

Last month's patch Tuesday started with a nice challenge: A remotely exploitable code execution kernel bug for most Microsoft's OSes (most supported Windows). As my job is to write exploits, I jumped to that as soon as I could (which was latter than what I liked because we were closing a new version of our product). I got something working in a short time, sent it to QA to test and released before the end of the day... I was truly amazed... to only find out, a little bit later, that I had accidentally found a different (yet unpatched today) bug.

In this pseudo-advisory I will describe the Details of this new bug, the process of how I [also] "discovered" it, and why I think it's not exploitable (only to be proved later by someone else that I'm a moron)

SqueakNOS: Building, changing, booting and installing

2006-08-04T00:00:00Z

To roll your own version of SqueakNOS, either changing the native side or the .image side, you need to know how to rebuild and boot it. This process should be as easy and fast as possible.

This article will explain the building process and the boot process, describing how to rebuild everything from scratch, how to create a new .iso image, and how to use GRUB to boot SqueakNOS from a fat/vfat, NTFS, ext2/3 or other file system, from either a harddisk or USB disk.

cached copy of original article.

SqueakNOS: A simple guide to writing HardwareDevices

2006-06-10T00:00:00Z

SqueakNOS currently has support for PC Keyboards, PS/2 Mouse, Serial ports and the Real Time functionality of the CMOS chip on PCs. In this article I will use the latter as an example to explain how new HardwareDevice could be implemented.

I will also include a list of the most wanted devices, and some open questions I'd like to discuss with interested people. The current status of SqueakNOS calls for collaboration on many aspects, and supporting more hardware is one of the most important.

cached copy of original article.

New SMB and DCERPC features in Impacket v0.9.6.0

2006-05-23T00:00:00Z

Written with Alberto Soliño.

This is a description of how to generate SMB and DCE-RPC traffic from python using the Impacket library. It includes a decent description of some interesting features such as SMB and DCE-RPC fragmentation, batched requests and authentication among others.

cached copy of original article.

SqueakNOS is back!

2006-05-16T00:00:00Z

After almost 5 years of official inactivity, SqueakNOS, apparently, has come back from its ashes. This article will try to describe what we are releasing today as a bootable ISO image, talk a little bit about how we got here and a little bit about what's coming next. And quite probably, about some other related things too.

cached copy of original article.

Thirty years later : lessons from the Multics security evaluation

2003-01-01T00:00:00Z

This is an amazing article. The two authors originally worked in the evaluation of Multics security. Thirty years latter they talk about a trapdor they introduced in "the 645 processor" which was saddly never shipped, and then they talk about a software backdoor they planted in "the 6180 development system at MIT". This later backdoor was actually shipped by Honeywell to the 6180 processor that was installed at the Air Force Data Services Center. An amazing read, incredibly current today, 30 years after they atually did it. You can also read the original paper: Multics Security Evaluation: Vulnerability Analysis, which, being from 1974, is incredibly complete.

Vulnerability Report For Linksys Devices

2002-12-02T00:00:00Z

Many Linksys' network appliances have a remote administration and configuration interface via HTTP, either from the local network, or, if it's enabled, from any host across the internet. The implementation of the embedded HTTP server presents several different exploitable vulnerabilities, some of them allow an unauthorized user to gain control of the appliance, some let an attacker reboot it, and some are of an unknown severity.

This advisory includes some partial reverse engenineering of the ARM firmware, as well as a proof of concept exploit executing code in the device.

Advances in format string exploitation

riq — 2002-07-15T00:00:00Z

Written with riq.

Is there anything else to say about format strings after all this time? probably yes, or at least we are trying... To start with, go get scut's excellent paper on format strings [1] and read it.

This text deals with 2 different subjects. The first is about different tiny tricks that may help speeding up bruteforcing when exploiting format strings bugs, and the second is about exploting heap based format strings bugs.

So fasten your seatbelts, the trip has just begun.

cached copy of original article.

The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

2002-11-07T00:00:00Z

I don't really rememeber what this paper is about. I read it a while ago and now I quickly went over it to see if I remember anything, but I didn't. Sorry :-(

Four different tricks to bypass StackShield and StackGuard protection

2002-04-11T00:00:00Z

Stack shielding technologies have been developed to protect programs against exploitation of stack based buffer overflows. Among different types of protections, we can separate two mayor groups. Those that modify the environment where applications are executed, for example PaX now integrated into the OpenWall project, and those that alter the way programs are compiled. We will focus on the last groups, specially in StackGuard, StackShield, and Microsoft's new stack smashing protection.

Techniques that exploit stack based buffer overflows on protected programs and environment have been presented in the past. Here we'll describe how the studied protections work, and then we'll present four more tricks to bypass stack smashing protections, some of which are extentions of older techniques, and some we think are novel.

cached copy of original article.

Story of a Quake Packet

Luciano Notarfrancesco — 2001-08-08T00:00:00Z

Written with Luciano Notarfrancesco.

Description of a modest framework for playing with network, which Luciano finally turned in what we now know as NetSqueak

RICE: Regeneración Individualizada del Código Encriptador

1994-01-11T00:00:00Z

This is probably the second "serious" paper I write. It's about what we may call today a mutant (polimorphic or metamorpgic, I don't really know the modern terms) engine for viruses.

cached copy of original article.

Curso de assembler

1991-01-01T00:00:00Z

This is one of the first "serious" things I wrote a while back. It's an introductory assembly course in spanish.