We describe return-oriented programming, a generalization of return-into-libc that allows an attacker to undertake arbitrary, Turing-complete computation without injecting code.
New computations are constructed by linking together code snippets that end with a “ret” instruction. The ret instructions allow an attacker who controls the stack to chain instruction sequences together. Because the executed code is stored in memory marked executable, W^X and DEP will not prevent it from running.
W^X and DEP, along with many other security systems, make the assumption that preventing the introduction of malicious code is sufficient to prevent the introduction of malicious computation. With the return-oriented computing approach, this assumption is false: subverting control flow on the stack is sufficient to construct arbitrary computation from “known-good” code.
On the x86 one can obtain useful instruction sequences by jumping into the middle of intended instructions, but return-oriented programming is possible even on RISC platforms that are very different from the x86.
[Network World] WPA2 vulnerability found. A vulnerability has been found in WPA2 that allows users of the wireless network to carry out interception ("man-in-the-middle") attacks and decrypt the data of other connections.
Presentation (HTTP Parameter Pollution) dealing with the behaviour of the various layers usually present in web-accessible applications and how they behave in anomalous situations (for example, when they receive the same parameter several times).
A basic example. Most systems are able to detect a request of this kind as an attack:
/index.aspx?page=select 1,2,3 from table where id=1
but do not detect this other one:
/index.aspx?page=select 1&page=2,3 from table where id=1
The presentation analyses the behaviour of the various platforms and the possible techniques that allow attacks to be built.
Tabnapping is an impersonation technique that consists of replacing the identifying icon of a web page shown on the browser's tabs in order to induce the user to enter their details in a phishing attack.
The technique itself is quite simple:
A page is loaded
It detects when the page loses focus (for example, when the user switches tab)
The favicon is changed (for example, to Gmail's)
A classic impersonation attack is carried out (in the example above, a fake version of the GMail login form is loaded).
The idea is that, once you see on the tab that the icon is that of the trusted site, you are unlikely to check that the URL is really the one you thought it was…
You can see a proof of concept at http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/. After loading the page, switch tab and when you come back you will see the GMail login form appear and the tab icon is GMail's (do not enter your credentials!!!).
I tested it with Firefox 3.6.6 and it works. With Chrome and Internet Explorer the tab icon does not change.
Panda Labs' report for the second quarter of 2010 indicates that the technique is starting to be used.
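The split request above only works because of how the server reassembles a repeated parameter. The following Python script is an added example (not code from the presentation or the original post) that parses the two sample requests, shows three reassembly conventions (first occurrence, last occurrence, and comma-joining, the latter being how ASP.NET's Request.QueryString behaves, a fact not stated on the page), and adds the defensive check a filter needs: flag any request in which a parameter name appears more than once. The sample URLs, the function names and the toy `looks_like_injection` pattern are all constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests, not taken from the original post.
SAFE_REQUEST = "/index.aspx?page=2"
SPLIT_REQUEST = "/index.aspx?page=select 1&page=2,3 from table where id=1"


def query_values(url):
    """Return the query string as {name: [values...]}, keeping every
    occurrence of a repeated parameter in the order it appeared."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def take_first(url, name):
    """Convention of some platforms: the first occurrence wins."""
    return query_values(url)[name][0]


def take_last(url, name):
    """Convention of other platforms: the last occurrence wins."""
    return query_values(url)[name][-1]


def join_all(url, name, separator=","):
    """ASP.NET-style behaviour (assumed here, see lead-in): repeated
    occurrences are joined with a comma, which is exactly what glues the
    two harmless-looking halves back into one SQL statement."""
    return separator.join(query_values(url)[name])


def duplicated_parameters(url):
    """Defensive check: names that appear more than once in the query string.
    A filter that inspects each value on its own never sees the joined
    payload; rejecting or flagging duplicates closes that gap."""
    return sorted(name for name, values in query_values(url).items()
                  if len(values) > 1)


def looks_like_injection(value):
    """Toy single-value filter, for illustration only: it matches the
    unsplit payload but neither half of the split one."""
    lowered = value.strip().lower()
    return lowered.startswith("select") and " from " in lowered


if __name__ == "__main__":
    for url in (SAFE_REQUEST, SPLIT_REQUEST):
        values = query_values(url)["page"]
        print(url)
        print("  duplicated names:   ", duplicated_parameters(url))
        print("  value after joining:", join_all(url, "page"))
        print("  flagged per value:  ", [looks_like_injection(v) for v in values])
        print("  flagged after join: ", looks_like_injection(join_all(url, "page")))
```

The per-value filter stays quiet on both halves while the joined value is flagged, which is the whole point of the technique; the practical mitigation is to treat a duplicated parameter name as a policy violation before any value is interpreted, or to apply the filter to the value exactly as the backend platform will reassemble it.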
With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components. A subset of the application’s internal information flows are inevitably exposed on the network. We show that despite encryption, such a side-channel information leak is a realistic and serious threat to user privacy. Specifically, we found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line web applications in healthcare, taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and investment secrets, despite HTTPS protection; a stranger on the street can glean enterprise employees' web search queries, despite WPA/WPA2 Wi-Fi encryption. More importantly, the root causes of the problem are some fundamental characteristics of web applications: stateful communication, low entropy input for better interaction, and significant traffic distinctions. As a result, the scope of the problem seems industry-wide. We further present a concrete analysis to demonstrate the challenges of mitigating such a threat, which points to the necessity of a disciplined engineering practice for side-channel mitigations in future web application developments.
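The abstract's three root causes (stateful communication, low-entropy input, distinctive traffic) can be made concrete with a small simulation. The Python below is an added example, not code from the paper, modelling an autocomplete endpoint whose encrypted reply grows with the suggestions returned for each typed letter: the eavesdropper sees only ciphertext lengths, which here are assumed to be plaintext length plus a fixed overhead, and recovers the letter by matching lengths. It then applies the mitigation the paper's analysis points toward, padding responses to a bucket size, and measures how many inputs remain uniquely identifiable. The suggestion list, the overhead constant and the bucket sizes are all constructed values.

```python
# Constructed toy suggestion table standing in for an autocomplete backend.
# Each key is the letter typed so far; each value is the suggestion list sent back.
SUGGESTIONS = {
    "a": ["asthma", "arthritis", "anemia"],
    "b": ["bronchitis"],
    "c": ["cancer", "cholera", "cold", "cough"],
    "d": ["diabetes", "dementia"],
    "e": ["eczema", "epilepsy"],
}

# Simplifying assumption: the observable record length is plaintext length
# plus a constant (stream ciphers and short-block modes leak length directly).
OVERHEAD = 40


def response_body(prefix):
    """Plaintext the server would send for the given typed prefix."""
    return "\n".join(SUGGESTIONS[prefix])


def pad_to_bucket(body, bucket):
    """Mitigation: pad the body so its length is a multiple of `bucket`.
    bucket=None means no padding (the vulnerable baseline)."""
    if bucket is None:
        return body
    target = -(-len(body) // bucket) * bucket  # ceiling division
    return body + " " * (target - len(body))


def observed_length(prefix, bucket=None):
    """What a passive observer on the network sees for this prefix."""
    return len(pad_to_bucket(response_body(prefix), bucket)) + OVERHEAD


def infer_prefix(observed, bucket=None):
    """Eavesdropper's inference: every prefix whose observable length matches.
    With low-entropy input (one letter) the candidate set is tiny to begin with."""
    return sorted(p for p in SUGGESTIONS if observed_length(p, bucket) == observed)


def uniquely_identifiable(bucket=None):
    """Prefixes the observer can pin down exactly under a given padding policy."""
    return sorted(p for p in SUGGESTIONS
                  if len(infer_prefix(observed_length(p, bucket), bucket)) == 1)


if __name__ == "__main__":
    for bucket in (None, 16, 32):
        label = "no padding" if bucket is None else f"pad to {bucket}"
        print(f"{label:>11}: sizes",
              {p: observed_length(p, bucket) for p in SUGGESTIONS},
              "-> uniquely identified:", uniquely_identifiable(bucket))
```

With no padding every letter has a distinct size and is recovered exactly; padding to 16 collapses the five inputs into two indistinguishable groups, and padding to 32 leaves the observer with nothing. In a real application the next keystroke produces another distinguishable reply, so the stateful sequence of sizes must be padded consistently, not just one response, which is why the abstract describes mitigation as an engineering discipline rather than a single fix.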
A .ISO image of a Linux distribution configured to act as a DNS sinkhole. Available in 32-bit and 64-bit editions. These are the installation instructions.
Browser history detection through the Cascading Style Sheets visited pseudoclass has long been known to the academic security community and browser vendors, but has been largely dismissed as an issue of marginal impact.
In this paper we present several crucial real-world considerations of CSS-based history detection to assess the feasibility of conducting such attacks in the wild. We analyze Web browser behavior and detectability of content returned via various protocols and HTTP response codes. We develop an algorithm for efficient examination of large link sets and evaluate its performance in modern browsers. Compared to existing methods our approach is up to 6 times faster, and is able to detect as many as 30,000 links per second in recent browsers on modern consumer-grade hardware.
We present a web-based system capable of effectively detecting clients’ browsing histories and categorizing detected information. We analyze and discuss real-world results obtained from 271,576 Internet users. Our results indicate that at least 76% of Internet users are vulnerable to history detection; for a test of most popular Internet websites we were able to detect, on average, 62 visited locations.
Web framing attacks such as clickjacking use iframes to hijack a user's web session. The most common defense, called frame busting, prevents a site from functioning when loaded inside a frame. We study frame busting practices for the Alexa Top-500 sites and show that all can be circumvented in one way or another. Some circumventions are browser-specific while others work across browsers. We conclude with recommendations for proper frame busting.
I have already talked about ElcomSoft on other occasions: it is software for cracking the passwords used in WPA and WPA2 WiFi networks, using the processing power of video cards.
Now, using the dual ATI HD 5970 video card, a new record has been set, twenty times faster than Intel's most powerful processor:
WPA-PSK password cracking capacity with various processors
Unless expressly stated otherwise, the published material is subject to a Creative Commons licence. The contents and opinions on this blog are exclusively personal, with no relation to my professional activities.