Curiouser and Curiouser

Acidus
I am a hacker and you are afraid and that makes you more dangerous than I ever could be.

Remote root in Mac OS-X
Topic: Technology 1:49 pm EDT, May 27, 2007

A remote user can send specially crafted data to trigger a buffer overflow in the UPnP Internet Gateway Device Standardized Device Control Protocol code and execute arbitrary code on the target system. The code will run with the privileges of the target service.

"privileges of target service" == root

Apple credits Michael Lynn of Juniper Networks with reporting this vulnerability.

Mike's fuzzing DNS again which is oh so Dan Kaminsky-esque.

update: My name is Billy, and I am retarded. This is UPnP. Too much Book, not enough sleep.



The day before the rapture
Topic: Miscellaneous 2:12 pm EDT, May 25, 2007

There are maybe 15 people in the Engineering today. We are thinking about playing kickball...


flash_App_testing_Owasp07.pdf (application/pdf Object)
Topic: Technology 10:35 am EDT, May 22, 2007

Stefano Di Paola is a smart dude.



Web hackers 9999, IDS 0
Topic: Technology 4:04 am EDT, May 22, 2007

Canonicalization, much like life, is a bitch. Yet another way higher character encodings get downgraded into lower character encodings, bypassing IDS/IPS signatures.

Of course, this is just another example of the fundamental problem: IDS aren't looking at the same bytes the destination service is looking at. Arian Evans does a good job scoping this:

Somewhere along the path from HTTP protocol --> to app untrusted entry point --> to parser, there are several possible layers of decoding. These could include:

-Web Server itself
-Web Server plugin
-Canonicalization in framework (e.g.-some .NET modules)
-Canonicalization steps in web app code.
-Decoding and interpretation by shellscripts and the like.
-Decoding certain encoding types for normalization (see this a lot in PHP, or cookies base64 file-system encoded, etc.)
-etc.

This means that:

It is possible for an app to have one or more layers of canonicalization/conversion, allowing for even crazy things like double and triple-encoding, which IDS/IPS do not handle at all over HTTP

My homies in X-Force are going to have a shitty day tomorrow...

... but not as shitty as Bob Auger is going to have. I remember him starting to do this about 6 months ago, but he wasn't the one who broke the news. Bummer.
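The layered-decoding problem quoted above, as an added example that is not part of the original post or of any IDS product: a sensor that percent-decodes once is compared with one that decodes until the value stops changing, and input needing more than one pass is flagged. The `../` signature, the layer cap and the sample request paths are constructed assumptions.

```python
from urllib.parse import unquote

MAX_LAYERS = 8      # assumed cap so hostile input cannot force unbounded decoding
SIGNATURE = "../"   # stand-in signature; real IDS rules are far richer


def canonicalize(raw, max_layers=MAX_LAYERS):
    """Percent-decode until the value stops changing.

    Returns (canonical_value, layers), where layers is the number of
    decode passes that actually changed the value.
    """
    value, layers = raw, 0
    while layers < max_layers:
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def inspect(raw):
    """Compare a single-decode sensor view with the fully canonical view."""
    single_pass = unquote(raw, encoding="latin-1")
    canonical, layers = canonicalize(raw)
    return {
        "layers": layers,
        "single_pass_hit": SIGNATURE in single_pass,
        "canonical_hit": SIGNATURE in canonical,
        # More than one layer is worth alerting on by itself:
        # legitimate clients rarely encode a value twice.
        "multi_encoded": layers > 1,
    }


# Constructed sample request paths (not from the original post).
SAMPLES = [
    "/static/logo.png",
    "/download?f=%2e%2e%2fetc",
    "/download?f=%252e%252e%252fetc",
    "/download?f=%25252e%25252e%25252fetc",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, inspect(sample))
```

The double- and triple-encoded samples miss the single-pass check but match after canonicalization, which is the gap between what the sensor inspects and what the destination parser finally sees.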



RE: Flickr Photo Download: pwn your city
Topic: Miscellaneous 11:05 am EDT, May 21, 2007

Decius wrote:

Stencil that has gone up all over Atlanta...

... wait... wasn't Rattle in town this weekend? Man, I know I should have skipped Korean karaoke on Saturday. To quote Repo Man: Fuck this, let's go do some crime!



JScript Blog
Topic: Technology 1:47 pm EDT, May 17, 2007

Microsoft's blog on JScript development



Efficient JavaScript - Opera Developer Community
Topic: Technology 1:45 pm EDT, May 17, 2007

Traditionally, a Web page would not contain much scripting, or at least, not much that would affect the performance of that Web page. However, as Web pages become more like applications, the performance of scripts is having a bigger effect. With more and more applications being developed using Web technologies, improving the performance of scripts is becoming increasingly important.

JavaScript optimization is cool. Automated optimization would be 1337.



Some JavaScript Links To Chew On
Topic: Technology 2:37 am EDT, May 17, 2007

Yahoo! Video: Advanced JavaScript Part I, Part II, Part III. A lecture by Douglas Crockford.

IEBlog: Jscript Inefficiencies Part I, Part II, Part III.

Rick Strahl: "FireBug 1.0 Beta Rocks". FireBug is a JavaScript debugger with some remarkable features.

Rick again: "HREF links and javascript : Navigation".

Jason Diamond: "Not Delegates".

Jim Ley: "JavaScript Closures".

Sergio Pereira: Quick Guide To Somewhat Advanced JavaScript.

Pathfinder: JsUnit – Agile AJAX Development

Mike West: Scope In JavaScript

Some things to check for JavaScript analysis.



Information Security Sell Out
Topic: Technology 2:32 pm EDT, May 16, 2007

Bask in the awesomeness that is the infosec sell out blog.



The Word of the Day: Polymorphic
Topic: Miscellaneous 10:50 am EDT, May 16, 2007

And now children, it's time for the Word of the Day! The Word of the Day is Polymorphic. Can you say Polymorphic?

Pol-y-mor-phic

