Another week, another conference. Just a few days ago, Gynvael and I had the pleasure to attend and present at the CONFidence 2013 infosec conference traditionally held in Cracow, Poland. The event requires no further introduction – it has been simply the best Polish conference in the security area since it first started, and this [...]
The first edition of the NoSuchCon security conference held in Paris ended just a few days ago. Before anything else, I would like to thank all of the organizers (proudly listed at nosuchcon.org) for making the event such a blast! Both the location, venue and speaker line-up were amazing, with lots of free beer and [...]
Disclaimer: the things I am writing about are new to me. Although I do my best to have a solid (well, decent in this case) understanding of the covered topics, some inaccuracies might have slipped through. Feel free to point them out in the comments. Hey guys, or anyone who still happens to visit this [...]
A rather short blog post today, as I am currently on my vacations. After publishing two, quite extensive write-ups regarding vulnerabilities in the Windows “CSRSS” component at Microsoft July Patch Tuesday: CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability CVE-2011-1282: User-Mode NULL Pointer Dereference & co. I would like to shortly discuss the [...]
Today, I would like to present a detailed description of the CVE-2011-1281 vulnerability [1], which was reported by me several months ago and patched today, together with four other bugs marked as the Elevation of Privileges class, on the occasion of the monthly Microsoft Patch Tuesday cycle (see Microsoft Security Bulletin MS11-056, a summary of [...]
Once upon a time, an interesting software vulnerability vector called DLL Hijacking became very popular, thanks to a Slovenian security research outfit – ACROS Security, as well as HD Moore and his DLL Hijacking Audit Kit. In short, the vulnerability class allowed an attacker to execute arbitrary code in the context of an application, which [...]
The segmentation functionality has been present on the Intel processors since early stages of the CPU manufacturing. In real-mode, segments were the basis of 16-bit memory management, allowing the operating system or application to specify separate memory areas for different types of information, i.e. code, regular data, stack and so on. When a more complex [...]
(Collaborative post by Mateusz ‘j00ru’ Jurczyk & Gynvael Coldwind) Early Sunday morning discussion has resulted in j00ru coming up with an idea to mitigate some variants of kernel exploitation techniques by introducing a CPU feature that would disallow execution control transfers in kernel-mode to code residing in user memory area pages (e.g. addresses < 0×80000000 [...]
Around three weeks ago, Bartek announced a competition called “Pimp My CrackMe” on his http://secnews.pl/ website. The main prize was a free pass to the CONFidence 2011 conference, which is going to take place in on 24-25 May, in Cracow. The task was to create an interesting CrackMe program, which would then be judged based [...]
Hello, Today, I would like to present the results of the research, performed by me and Gynvael Coldwind, during the last three or four weeks – an almost forty-page long article, entitled “Exploiting the otherwise non-exploitable: Windows Kernel-mode GS cookies subverted” (yes, that’s an obvious reference to the “Exploiting the otherwise non-exploitable on Windows” by [...]