Several security vendors respond to Matousec research

Researchers at Matousec said they have discovered a serious flaw in the traditional desktop-based anti-virus protections offered by thirty-five vendors. The flaw allows someone to completely bypass those protections and attack the targeted system. The Tech Herald spoke to some of the vendors affected. Their statements and thoughts are below.

When contacted, each vendor was asked for a general statement and then asked to answer three additional questions about the Matousec research. Unfortunately, not all of the vendors contacted responded. Those that did gave a statement, commented on the questions, or both.

The questions asked are below.

What is your overall thought on the research?

What are you doing to address the issues raised by the paper?

Are there mitigating issues that need to be addressed that were not included in the research?

Given the headlines, we thought it was fair to allow the vendors impacted by the Matousec research to speak on their own. This follow-up contains their thoughts and nothing more. If you want to read the original story, you will find it here. (more…)

Finding bugs with our fuzzy friend Perl

Tonight I was doing some fuzzing and decided to whip up a basic Perl script to fuzz an application I was testing. If you’re not familiar with fuzzing then I suggest you Google it or check Wikipedia, because this is not a fuzzing tutorial. Anyway, the idea is simple, really. Send unexpected data to certain areas of input (potential attack vectors) within expected blocks of user data in the hope that you will trigger an exploitable bug. In this short paper, I’ll quickly show you how easily a working fuzzer can be implemented. :-> (more…)

SQLninja 0.2.5 released

The popular SQL pentesting tool has just been updated.

About the tool:

Sqlninja’s goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv2.

Project homepage

(more…)

Hyplay 1.2.0326.1 (.asx) Local DoS crash PoC

Cheesy DoS I just found in Hyplay media player. Maybe someone else can do more with it.

Exploit code

Matousec report claims your antivirus is way too easy to exploit

Here’s a further look at the post I made a while back regarding the story about how a team of security researchers managed to find a method to bypass API hooks installed by antivirus products, rendering them pretty much useless.

In the report, Matousec outlines a bait-and-switch style attack which works via the kernel mode drivers used by almost all Windows antivirus programs. 34 are listed in the report, including favorites like Avast 5, AVG 9, Avira 10, Eset Smart Security, and just about every other big name you can think of. (more…)

Share mouse and keyboard input between 2 PCs using Input redirector

Tonight I decided to Google a tool that could share input between 2 PCs when I got sick of switching back and forth between desktop computers. So I came across a tool called Synergy, but I couldn’t get it to work, so I kept searching and finally found Input Director (v1.2.2). The only other option is to use remote desktop, but even that can be a hassle. Now I can move my mouse off the edge of the screen and have full control of the monitor it shows up on :D . It’s pretty easy to set up and get working. It runs on each computer you want to share input with, one being the ‘master’ and the other(s) being ‘slave(s)’. It’s pretty straightforward to configure and works very nicely as far as I can tell. I never previously had the need for this kind of tool, but I just set up a box to do some pen-testing and I’m certain this tool is going to come in very handy!

Author’s homepage

Free WMA MP3 Converter v1.1 (.wav) BoF

I wrote this quite some time ago (towards the end of 2009, after my trip to Defcon). This is my very first (and only thus far) PoC (in-the-wild) exploit. It’s pretty simple really, nothing special. Just a basic local SEH overwrite.

wmacon.pl.txt

Paper: Egg Hunter Shellcode

Safely Searching Process Virtual Address Space

Overview
The fact that people tend to ignore when thinking about searching for a needle
in a haystack is the potential harm that can be brought about by groping around
for a sharp, pointy object in a mass of uncertainty. It is in this spirit that the
author hopes to bring about a certain sense of safety for those who sometimes
find it necessary to grope around haystacks in search of needles.

(more…)

Buffer Overflows: The Complete Documentation of

Nice list of papers focusing on the subject, covering what buffer overflows are, what causes them to occur, and how they can be exploited.

Via l0t3k.org

New attack bypasses virtually all AV protection

Researchers say they’ve devised a way to bypass protections built in to dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender.

The method, developed by software security researchers at matousec.com, works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload.

The exploit has to be timed just right so the benign code isn’t switched too soon or too late. But for systems running on multicore processors, matousec’s “argument-switch” attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked.

All that’s required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel.
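The passage above describes a check-then-use race: the hook validates an argument that still lives in memory another thread can write, and the real service then re-reads that memory. As an added illustration (not code from the Matousec report or from any vendor's product), the following C model shows that double-fetch pattern next to the copy-first discipline that removes the window. The request struct, the hook names and the simulated racing thread are constructed for this example; the "swap" is performed by a callback rather than a real second thread so the outcome is deterministic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy model of an argument-switch race. All names hypothetical. */

#define FLAG_BENIGN    0
#define FLAG_DANGEROUS 1

/* The "argument" a hook inspects. In the real attack it lives in memory the
   calling process still controls, so it can change after the check. */
typedef struct {
    int  flag;
    char name[32];
} request_t;

/* Stands in for the other thread that rewrites the argument mid-call. */
typedef void (*swap_fn)(request_t *shared);

/* Policy: only benign requests may proceed. */
static int policy_allows(const request_t *r) { return r->flag == FLAG_BENIGN; }

/* The service the hook guards. Returns the flag it actually acted on. */
static int service(const request_t *r) { return r->flag; }

/* Unsafe hook: checks the shared buffer, then lets the service read it again.
   Anything written between the two reads is never validated. */
int hook_unsafe(request_t *shared, swap_fn racer) {
    if (!policy_allows(shared)) return -1;   /* fetch 1: the check */
    if (racer) racer(shared);                /* the race window */
    return service(shared);                  /* fetch 2: the use */
}

/* Safe hook: copy the argument into private memory once, validate the copy,
   and hand only the copy onward. A later write to the shared buffer is moot. */
int hook_safe(request_t *shared, swap_fn racer) {
    request_t local;
    memcpy(&local, shared, sizeof local);    /* single fetch */
    if (!policy_allows(&local)) return -1;
    if (racer) racer(shared);                /* same window, no effect */
    return service(&local);
}

/* Simulated racing thread: benign argument becomes dangerous after the check. */
static void swap_to_dangerous(request_t *shared) { shared->flag = FLAG_DANGEROUS; }

/* Run a benign-looking request through a hook while the racer is active. */
int run_race(int (*hook)(request_t *, swap_fn)) {
    request_t req = { FLAG_BENIGN, "open_file" };
    return hook(&req, swap_to_dangerous);
}

/* Run an openly dangerous request with no racer; both hooks should block it. */
int run_blocked(int (*hook)(request_t *, swap_fn)) {
    request_t req = { FLAG_DANGEROUS, "open_file" };
    return hook(&req, NULL);
}

int main(void) {
    printf("unsafe hook acted on flag %d (1 = dangerous slipped through)\n",
           run_race(hook_unsafe));
    printf("safe hook acted on flag %d (0 = validated copy used)\n",
           run_race(hook_safe));
    printf("dangerous request without race: unsafe=%d safe=%d (-1 = blocked)\n",
           run_blocked(hook_unsafe), run_blocked(hook_safe));
    return 0;
}
```

The same copy-before-validate discipline is what well-written kernel code applies when it captures user-mode arguments: probe and copy once, then never touch the caller's buffer again. A hook that cannot do this, because the service it wraps performs its own fetch from the original pointer, has no way to close the window from the outside, which is why the report treats the hooking approach itself as the problem rather than any one vendor's implementation.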

“We have performed tests with [most of] today’s Windows desktop security products,” the researchers wrote. “The results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable.”

The researchers listed 34 products that they said were susceptible to the attack, but the list was limited by the amount of time they had for testing. “Otherwise, the list would be endless,” they said.

The technique works even when Windows is running under an account with limited privileges.

(more…)