[ACSA-2012-16] - Microsoft Office CGM Images Memory Corruption CVE-2012-2524 Remote Code Execution Vulnerability

08/15/12 | by zveriu | Categories: ACSA

More on the Microsoft security front.

As you might know, MS12-AUG came out on 14 Aug 2012.

Among the patches there is one that addresses a memory corruption vulnerability in CGM image handling which I reported to MS.

Details follow:

Related (older) reports, CVEs, patches:

Stay secure!

Securely yours,
Andrei

[XRX12-005] ... and how it relates to ACSA-2011-03, ACSA-2012-01, ACSA-2012-13

06/15/12 | by zveriu | Categories: ACSA

UPDATE: You can subscribe to postscript-sec@andreicostin.com for notifications and tools & PoC releases.

Small updates on the Xerox security front.

A few days back Xerox issued its Security Bulletin XRX12-005 and the P49 security patch.

[ACSA-2012-03] - Java Print Spooling Data Leak

06/15/12 | by zveriu | Categories: ACSA

Updates on the Oracle Java security front.

A few days back Oracle issued its June patch/CPU for Java, marked as highly critical and containing a vulnerability (CVSS 2.1) numbered:

phdays 2012 Day1, Track2, 11:00, Smartcard vulnerabilities in modern banking malware

06/05/12 | by zveriu | Categories: ACSA

phdays.com, phdays.ru
Moscow, 2012
Day1, Track2, 11:00
Aleksandr Matrosov, Eugene Rodionov,
Smartcard vulnerabilities in modern banking malware
 
Impact since 2010
 
Blackhole
 
Nuclear pack Apr 2012
  carders moved from blackhole to nuclear pack
 
New in nuclear pack
  added check for legitimate user
  Java is one of the main vectors in attacking users
 
Example: Google search for "евровидение 2012" (Eurovision 2012)
  the result page contains an injected iframe with yandeXXX.<trololo>.ru, a valid-looking domain
    this helps to avoid AV/IDS detection of randomly generated domains
  the iframe then redirects to an exploit
 
Russia
  provides detection of 70% of worldwide carders activity
  3x increase in detection rate from Nov 2011 till Jun 2012
 
Biggest botnets
  Origami, Gizmo, Dudorov
 
BK-LOADER (BootKit)
  Ringo bundle (ZeroKit or 0kit)
  First bootkit to modify volume boot record
  version 1.0, 11/02/2011
 
Carberp sample
  Around 3000 bots receiving volume boot record BK debug messages
  Looks like GSVSoft supplied some parts of the BK code
  After screenshot publication, their site (because of the high-traffic incentive) started redirecting users to Blackhole
 
Rovnix, Carberp with BK, Rovnix.B
  VBR
  Polymorphic VBR
  Malware driver storage
 
Anti-debugging
  Removes hooks of HIPS (host intrusion prevention) systems
  WinAPI functions are called by hash, not by name
 
Cards
  Attacks on APDU level
 
crackme.esetnod32.ru
  win ipad
  win amazon kindle
 
Feisty
  if there is any delay in protocol or program execution, the malware changes its behaviour
  malicious plugins are not saved on disk, they are loaded directly into kernel memory

[ACSA-2012-12] - HP WJA Multiple XSS vulnerabilities

05/28/12 | by zveriu | Categories: ACSA

First, I would like to thank the HP SSRT security team for great communication and cooperation on the report.

Other advisory numbers: HPSBPI02779 SSRT100855, CVE-2012-2011

HP WJA
- uses a non-secure transport protocol (read: MITM)
- does not implement, or at least does not verify, secure hashing, i.e. authenticated & authorized origins of the DOWNLOADED files
- has several XSS vulnerabilities (perhaps many more to be discovered)
