| |
I am a hacker and you are afraid and that makes you more dangerous than I ever could be. |
|
Topic: Technology |
1:49 pm EDT, May 27, 2007 |
A remote user can send specially crafted data to trigger a buffer overflow in the UPnP Internet Gateway Device Standardized Device Control Protocol code and execute arbitrary code on the target system. The code will run with the privileges of the target service.
"privileges of target service" == root. Apple credits Michael Lynn of Juniper Networks with reporting this vulnerability.
Mike's fuzzing DNS again which is oh so Dan Kaminsky-esque. Update: My name is Billy, and I am retarded. This is UPnP. Too much Book, not enough sleep. Remote root in Mac OS-X |
|
The day before the rapture |
|
|
Topic: Miscellaneous |
2:12 pm EDT, May 25, 2007 |
There are maybe 15 people in the Engineering today. We are thinking about playing kickball... |
|
Topic: Technology |
4:04 am EDT, May 22, 2007 |
Canonicalization, much like life, is a bitch. Yet another way higher character encodings get downgraded into lower character encodings, bypassing IDS/IPS signatures. Of course, this is just another example of the fundamental problem: IDS aren't looking at the same bytes the destination service is looking at. Arian Evans does a good job scoping this:

Somewhere along the path from HTTP protocol --> to app untrusted entry point --> to parser, there are several possible layers of decoding. These could include:
-Web Server itself
-Web Server plugin
-Canonicalization in framework (e.g.-some .NET modules)
-Canonicalization steps in web app code.
-Decoding and interpretation by shellscripts and the like.
-Decoding certain encoding types for normalization (see this a lot in PHP, or cookies base64 file-system encoded, etc.)
-etc.
This means that: It is possible for an app to have one or more layers of canonicalization/conversion, allowing for even crazy things like double and triple-encoding, which IDS/IPS do not handle at all over HTTP
My homies in X-Force are going to have a shitty day tomorrow... ... but not as shitty as Bob Auger is going to have. I remember him starting to do this about 6 months ago, but he wasn't the one who broke the news. Bummer. Web hackers 9999, IDS 0 |
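
The multi-layer decoding problem described above, seen from the inspection side, as an added example that is not part of the original post or of any IDS product: it percent-decodes a value until it stops changing, reports how many layers came off, and compares a signature match on the wire bytes with a match on the canonical form. The cap of 5 passes, the toy signature and the sample strings are assumptions constructed for illustration; only percent-encoding is handled, not the other decoders in the list.

```python
from urllib.parse import unquote

MAX_LAYERS = 5                 # assumed cap on decode passes
SIGNATURES = ("<script",)      # constructed toy signature, not a real IDS rule

def canonicalize(raw, max_layers=MAX_LAYERS):
    """Percent-decode until the value stops changing.

    Returns (canonical, layers, exhausted); exhausted is True when the cap
    was reached and the value would still change on another pass.
    """
    current = raw
    for layers in range(max_layers):
        decoded = unquote(current, errors="replace")
        if decoded == current:
            return current, layers, False
        current = decoded
    still_encoded = unquote(current, errors="replace") != current
    return current, max_layers, still_encoded

def inspect_value(raw):
    """Compare a match on the wire bytes with a match on the canonical form."""
    canonical, layers, exhausted = canonicalize(raw)
    return {
        "raw_hit": any(s in raw.lower() for s in SIGNATURES),
        "canonical_hit": any(s in canonical.lower() for s in SIGNATURES),
        "layers": layers,
        # More than one layer is rarely legitimate and worth an alert by itself.
        "suspicious": layers > 1 or exhausted,
    }

# Constructed sample query strings, one per encoding depth.
SAMPLES = [
    "q=hello",
    "q=%3Cscript%3E",
    "q=%253Cscript%253E",
    "q=%25253Cscript%25253E",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, inspect_value(s))
```

A sensor that matches only the wire bytes misses every encoded sample here; matching the canonical form and alerting on the layer count catches them regardless of how many decoders sit in front of the application.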
|
RE: Flickr Photo Download: pwn your city |
|
|
Topic: Miscellaneous |
11:05 am EDT, May 21, 2007 |
Decius wrote:
Stencil that has gone up all over Atlanta...
... wait... wasn't Rattle in town this weekend? Man, I know I should have skipped Korean karaoke on Saturday. To quote Repo Man: Fuck this, let's go do some crime! RE: Flickr Photo Download: pwn your city |
|
Topic: Technology |
1:47 pm EDT, May 17, 2007 |
Microsoft's blog on JScript development JScript Blog |
|
Efficient JavaScript - Opera Developer Community |
|
|
Topic: Technology |
1:45 pm EDT, May 17, 2007 |
Traditionally, a Web page would not contain much scripting, or at least, not much that would affect the performance of that Web page. However, as Web pages become more like applications, the performance of scripts is having a bigger effect. With more and more applications being developed using Web technologies, improving the performance of scripts is becoming increasingly important.
JavaScript optimization is cool. Automated optimization would be 1337. Efficient JavaScript - Opera Developer Community |
|
Some JavaScript Links To Chew On |
|
|
Topic: Technology |
2:37 am EDT, May 17, 2007 |
Yahoo! Video: Advanced JavaScript Part I, Part II, Part III. A lecture by Douglas Crockford. IEBlog: Jscript Inefficiencies Part I, Part II, Part III. Rick Strahl: "FireBug 1.0 Beta Rocks". FireBug is a JavaScript debugger with some remarkable features. Rick again: "HREF links and javascript : Navigation". Jason Diamond: "Not Delegates". Jim Ley: "JavaScript Closures". Sergio Pereira: Quick Guide To Somewhat Advanced JavaScript. Pathfinder: JsUnit – Agile AJAX Development. Mike West: Scope In JavaScript.
Some things to check for JavaScript analysis. Some JavaScript Links To Chew On |
|
Information Security Sell Out |
|
|
Topic: Technology |
2:32 pm EDT, May 16, 2007 |
Bask in the awesomeness that is the infosec sell out blog. Information Security Sell Out |
|
The Word of the Day: Polymorphic |
|
|
Topic: Miscellaneous |
10:50 am EDT, May 16, 2007 |
And now children, it's time for the Word of the Day! The Word of the Day is Polymorphic. Can you say Polymorphic? Pol-y-mor-phic |
|