Every one or two quarters, there’s the one day we all wait for – and that’s when the latest issue of the Hack in the Box Magazine is released :-) Thanks to the hard and awesome work of Zarul Shahrin and the entire editorial crew, we are very excited to announce that the eighth edition is now available on the project website. One big change we decided to make due to popular demand is a printer-friendly version of the mag, with a single logical page per physical one, (hopefully) making it significantly easier to read even when you don’t have a spare 24″ screen to use. Also, you can now order an original printed version through HP MagCloud. For more information, see the bottom of http://magazine.hitb.org/. I can’t see the “spread” version available on the website now, but if you’re interested, feel free to ping me for it.
Other than that, there are some quite interesting articles you should definitely check out. Traditionally, I took care of the Windows Security section with an article called “The Story of CVE-2011-2018 Exploitation”. Although the specific Windows kernel vulnerability was very fresh at the time of writing the paper (it was fixed in December 2011) and it’s almost half a year old now, it still required (unabashedly speaking) one of the most sophisticated chains of Windows kernel exploitation techniques I have seen in a long time. The document covers several interesting methods such as kernel pool and stack spraying or the usage of ring-0 virtual address space information leaks used together to create a working Windows XP/Vista/7 privilege escalation proof of concept. If you are into Windows internals and low-level vulnerability exploitation, you will definitely find something for yourself. On a side note, should you know any easier or simpler means of performing any of the discussed exploitation steps, I will be more than happy to hear from you!
As always, the magazine is in need of authorship support. If you believe you have an interesting IT security-related subject and are willing to write an article for us, don’t wait and drop us a line at firstname.lastname@example.org.
The magazine can be downloaded from here (HITB-Ezine-Issue-008.pdf, 2.18 MB)
The Exploit Distribution Mechanism in Browser Exploit Packs (04)
by Aditya K Sood, Richard J Enbody and Rohit Bansal
The Story of CVE-2011-2018 exploitation (12)
by Mateusz “j00ru” Jurczyk
Reverse Shell Traffic Obfuscation (36)
by Ben Toews
Jobs and Certifications. Looking at the 2012 Landscape (50)
by Clement Dupuis
From the Bookshelf
Practical Malware Analysis (54)
book by Michael Sikorski and Andrew Honig
The Tangled Web (56)
book by Michał Zalewski
A Bug Hunter’s Diary (58)
book by Tobias Klein, reviewed by Mateusz “j00ru” Jurczyk
Internet Security (featured)
Online Security at the Crossroads (60)
by Jonathan Kent