Back in June, I was doing some analysis on a Windows driver and discovered that the INIT section had the read, write, and executable characteristics flags set. Windows executables (drivers included) use these flags to tell the kernel what memory protection flags should be applied to that section’s pages once the contents are mapped into… Read More W^X policy violation affecting all Windows drivers compiled in Visual Studio 2013 and previous
Another year has rolled by (damn, I really don’t update this blog much, do I?) and Securi-Tay IV is coming up. I’ll be speaking about security issues related to serialisation and deserialisation of data in modern programming languages, including PHP and C#. My colleague FreakyClown will be talking about robbing banks for a living, which… Read More Another year, another Securi-Tay, another talk… and this time we’re sponsoring the bar!
Just a quick tip for anyone doing a code review of a Java EE web application: LAPSE+ is a very useful tool to have in the arsenal, whether you’ve got the original source or just the JAR/WAR file. In my case, the client provided me with a single .WAR file which contained the application. As… Read More Pentesting Java EE web applications with LAPSE+
I’m doing a talk about cryptography at Securi-Tay 2014 on the 15th of January, up in Dundee, Scotland. The talk is aimed at people who are interested in cryptography from a practical perspective, but are put off by the slew of hieroglyphs and maths-speak that tends to plague the field. The talk is entitled “Breaking… Read More Talking about crypto at Securi-Tay 2014 (Dundee, Scotland)
In my previous post I talked about a vulnerability in Steam which allows you to bypass UAC. I’m going to be totally transparent here: I fucked up. I wrote the draft post a few days back, then did some more work on the vulnerability. I discovered something much more serious in the process. I posted… Read More Steam Code Execution – Privilege Escalation to SYSTEM (Part 2)
Like many other gamers, I love Steam. Not only is it ridiculously convenient, but it’s also become a pretty awesome platform for indie game developers to get their games out there. It provides a online store platform for 54 million users, and most of the time it does an excellent job. That’s partly the reason… Read More Steam UAC bypass via code execution
Dropbox has become a daily part of my life. I rely on it to synchronise data between my growing set of devices. But how much of an impact does it have on the security of my system? I decided to find out by digging around in exactly what it does to my machine, or more… Read More Installing Dropbox? Prepare to lose ASLR.
When I moved into my flat, I found that the previous tenant had left behind his Sky Broadband router. Awesome – a new toy to break! Sadly I got bogged down with silly things like moving house and going to work, so I didn’t get a chance to play with it. Until now, that is.… Read More The Router Review: From nmap to firmware
In light of the numerous recent attacks against SSL, I thought I’d offer up a quick and simple crypto lesson about why MAC-then-encrypt schemes are bad. This post will require only a minimum of knowledge about cryptography, so hopefully it’ll be useful to a wide range of people. This is not designed to be a… Read More A quick crypto lesson – why “MAC then encrypt” is a bad choice
I just came across a cool trick you can try which allows you to crack passwords on a remote system that is running the VMware Authentication Daemon. This service installs and runs by default on Windows host machines that have VMware Virtual Workstation installed, and listens on TCP port 912. It shows up on nmap… Read More Password cracking with VMware Authentication Daemon