Cognitive and Scientific Brainology http://andreicostin.com/index.php/brain andrei costin andreicostin costinandrei zveriu en-US http://backend.userland.com/rss 60 ADS-B research was worth it - ICAO to create Cyber Security Task Force (CSTF)! http://andreicostin.com/index.php/brain/2012/10/21/ads_b_research_was_worth_it_icao_to_crea Sun, 21 Oct 2012 18:58:04 +0000 zveriu Hack Hack Conference 267@http://andreicostin.com/ ADS-B research was worth it! ICAO to create Cyber Security Task Force (CSTF) - Our research is mentioned as key points! Download/view here Thanks to Aimee Turner for notifying us. Errata: In the above PDF, it is wrongly mentioned “Dr. Andrei Costin” - wish I :). It’s still a long way, until than it should read “PhD candidate” ADS-B research was worth it!

ICAO to create Cyber Security Task Force (CSTF) - Our research is mentioned as key points!

Download/view here

Thanks to Aimee Turner for notifying us.

Errata: In the above PDF, it is wrongly mentioned “Dr. Andrei Costin” - wish I :). It’s still a long way, until than it should read “PhD candidate”

]]> http://andreicostin.com/index.php/brain?p=267&c=1&tb=1&pb=1#comments AthCon3 2012 Day2, Track1, 18:00-18:50 "Advances in BeEF: RESTful API, WebSockets, XssRays enhancements" http://andreicostin.com/index.php/brain/2012/09/19/athcon3_2012_day2_track1_18_00_18_50_adv Tue, 18 Sep 2012 20:12:31 +0000 zveriu Conference AthCon Write-up 265@http://andreicostin.com/ Download here. Code:athcon.org Athens, 3-4 May, 2012 Day2, Track1, 18:00-18:50 "Advances in BeEF: RESTful API, WebSockets, XssRays enhancements", Michele Orru   "Advances in BeEF: RESTful API, WebSockets, XssRays enhancements"   BeEF   Demo Using the BeEF restuful api 1. beef programatically accessing metasploit 2. injects beef into some victim browser 3. inject an applet, then use the javascript to java communication to ge tthe hava version based on the hdk 4. then in meterpreter sysinfo to get the system info 5. then inject the "execute calc.exe" in the victim's machien thru the injjected java applet   New additions     ajax calls posioning (xml request object is overriding)     the module can have the target+_blank not to lose the victim     getting the Persistence (history) from the civtim vrowsaer   New feature (in a testing branch - to be added soon)     websocket support     currently beef uses XHR, but for speed needs websocket   XHR in beef pro - works everywhere (ie, chrome) cons - (TODO)   if beef.browser.hasWebSocket(), don't use XHR pollin, open a websocket channel support: firefox, chrome, safari, also mozwebsocket https://github.com/radoen/beef-radoen - the experimental phase   Possibilities with WS     real time VNC like hooked browser control     faster tunneling proxy (fuzzin thru the hooked browser 4-5 times faster)     general faster communication     Demo - BeEF with WS     launch 1000 XHR-polling vs WS-based request   XssRays     originally as pure JS-based XSS scanner, then integarted in beef   xssrays operation     a page with links/forms which do get/post request intra or cross domain     it adds the hidden iframe for each of the requests     if the iframe is loading, then the resource was XSS-vulnerable     it also works CROSS-DOMAINS (respecting the SOP!) Download here.

Code:

athcon.org
Athens, 3-4 May, 2012
Day2, Track1, 18:00-18:50
"Advances in BeEF: RESTful API, WebSockets, XssRays enhancements",
Michele Orru
 
"Advances in BeEF: RESTful API, WebSockets, XssRays enhancements"
 
BeEF
 
Demo Using the BeEF restuful api
1. beef programatically accessing metasploit
2. injects beef into some victim browser
3. inject an applet, then use the javascript to java communication to ge tthe hava version based on the hdk
4. then in meterpreter sysinfo to get the system info
5. then inject the "execute calc.exe" in the victim's machien thru the injjected java applet
 
New additions
    ajax calls posioning (xml request object is overriding)
    the module can have the target+_blank not to lose the victim
    getting the Persistence (history) from the civtim vrowsaer
 
New feature (in a testing branch - to be added soon)
    websocket support
    currently beef uses XHR, but for speed needs websocket
 
XHR in beef
pro - works everywhere (ie, chrome)
cons - (TODO)
 
if beef.browser.hasWebSocket(), don't use XHR pollin, open a websocket channel
support: firefox, chrome, safari, also mozwebsocket
https://github.com/radoen/beef-radoen - the experimental phase
 
Possibilities with WS
    real time VNC like hooked browser control
    faster tunneling proxy (fuzzin thru the hooked browser 4-5 times faster)
    general faster communication
 
 
Demo - BeEF with WS
    launch 1000 XHR-polling vs WS-based request
 
XssRays
    originally as pure JS-based XSS scanner, then integarted in beef
 
xssrays operation
    a page with links/forms which do get/post request intra or cross domain
    it adds the hidden iframe for each of the requests
    if the iframe is loading, then the resource was XSS-vulnerable
    it also works CROSS-DOMAINS (respecting the SOP!)
]]> http://andreicostin.com/index.php/brain?p=265&c=1&tb=1&pb=1#comments Ghost is in the Air(Traffic) - BlackHat 2012 - ADS-B ATC hacking - real airplane replay, fake airplane spoofing/impersonation http://andreicostin.com/index.php/brain/2012/09/05/ghost_is_in_the_air_traffic_blackhat_201 Wed, 05 Sep 2012 00:13:12 +0000 zveriu Conference 263@http://andreicostin.com/ Ghost is in the Air(Traffic) - BlackHat 2012 - ADS-B ATC hacking - real airplane replay, fake airplane spoofing/impersonation Downloads “Ghost is in the Air(Traffic)” BlackHat 2012 Slides “Ghost is in the Air(Traffic)” BlackHat 2012 Whitepaper Timelines Jun-2011 - Jul-2011 - Initial interest and research started Jul-2011 - Feb-2012 - Some low-pace experiments, study of specifications, experiments, additional hardware acquisition Feb-2012 - Mar-2012 - Revived interest Mar-2012 - May-2012 - Development and preparation for BlackHat 2012 application May-2012 - Application for BlackHat 2012 application 07-Jul-2012 - Whitepaper and slides limited access available to BlackHat 2012 organizers only 23-Jul-2012 - Whitepaper and slides public access available to all Demo Ghost is in the Air(Traffic) - BlackHat 2012 - Airplane replay, fake airplane spoofing/impersonation [...] Read more! Ghost is in the Air(Traffic) - BlackHat 2012 - ADS-B ATC hacking - real airplane replay, fake airplane spoofing/impersonation

Downloads

Timelines

  • Jun-2011 - Jul-2011 - Initial interest and research started
  • Jul-2011 - Feb-2012 - Some low-pace experiments, study of specifications, experiments, additional hardware acquisition
  • Feb-2012 - Mar-2012 - Revived interest
  • Mar-2012 - May-2012 - Development and preparation for BlackHat 2012 application
  • May-2012 - Application for BlackHat 2012 application
  • 07-Jul-2012 - Whitepaper and slides limited access available to BlackHat 2012 organizers only
  • 23-Jul-2012 - Whitepaper and slides public access available to all

Demo Ghost is in the Air(Traffic) - BlackHat 2012 - Airplane replay, fake airplane spoofing/impersonation

Read more! »

]]> http://andreicostin.com/index.php/brain?p=263&c=1&tb=1&pb=1#comments [ACSA-2012-16] - Microsoft Office CGM Images Memory Corruption CVE-2012-2524 Remote Code Execution Vulnerability http://andreicostin.com/index.php/brain/2012/08/15/acsa_2012_16_microsoft_office_cgm_images Wed, 15 Aug 2012 11:08:48 +0000 zveriu ACSA 264@http://andreicostin.com/ [ACSA-2012-16] - Microsoft Office CGM Images Memory Corruption CVE-2012-2524 Remote Code Execution Vulnerability More on Microsoft security front. As you might know, MS12-AUG is out on 14 Aug 2012. Among the patches, there is one which addresses a vulnerability on CGM images corruption that I have reported to MS. Details follow: ACSA-2012-16 - MSOffice CGM buffer overflow crashes MS12-057 Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879) CVE-2012-2524 Microsoft Office Memory Corruption Remote Code Execution Vulnerability Related (older) reports, CVEs, patches: MS10-105 - Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution Microsoft Office CGM Image Converter (CVE-2010-3945) Buffer Overflow Vulnerability ACSA-2012-05 - MSOffice EPS Stack based overflow crash Stay secure! Securely yours, Andrei [ACSA-2012-16] - Microsoft Office CGM Images Memory Corruption CVE-2012-2524 Remote Code Execution Vulnerability

More on Microsoft security front.

As you might know, MS12-AUG is out on 14 Aug 2012.

Among the patches, there is one which addresses a vulnerability on CGM images corruption that I have reported to MS.

Details follow:

Related (older) reports, CVEs, patches:

Stay secure!

Securely yours,
Andrei

]]> http://andreicostin.com/index.php/brain?p=264&c=1&tb=1&pb=1#comments HIP2012 - Overview http://andreicostin.com/index.php/brain/2012/07/01/hip2012_overview Sat, 30 Jun 2012 22:27:22 +0000 zveriu Conference Hack In Paris Write-up 261@http://andreicostin.com/ Hack in Paris 2012 and Nuid du Hack 2012 are over - these were quite some nice days :)! I would like to first thank the organizers, Sysdream and all the crews, for these two great events. Hack In Paris is a all-in-all fun event, with great audience and smooth organization! Nuid de Hack, on the over hand is a crazy gathering of enormous number of people under one roof (literally) and where you have the opportunity to meet from fiercful hard core hackers to pretty creative and constructive robot/cnc-mill makers who will share their great ideas and experience as part of the multitude of workshops taking place during the entire night! [...] Read more! Hack in Paris 2012 and Nuid du Hack 2012 are over - these were quite some nice days :)!

I would like to first thank the organizers, Sysdream and all the crews, for these two great events.

Hack In Paris is a all-in-all fun event, with great audience and smooth organization!

Nuid de Hack, on the over hand is a crazy gathering of enormous number of people under one roof (literally) and where you have the opportunity to meet from fiercful hard core hackers to pretty creative and constructive robot/cnc-mill makers who will share their great ideas and experience as part of the multitude of workshops taking place during the entire night!

Read more! »

]]> http://andreicostin.com/index.php/brain?p=261&c=1&tb=1&pb=1#comments