Persistent BIOS Infection at SyScan 2009

•June 26, 2009 • Leave a Comment
SyScan

Alfred and I will be giving our talk “Persistent BIOS Infection” at SyScan ‘09, Singapore. This time with some added content and, of course, with our multiple cOOl demos, including the one with the dismembered real box (I hope not to have problems when traveling with the hardware).

If someone wants to meet and go out for a beer or something, I’ll be glad. Just drop me a line here or at als.alsx@gmail.com

c ya there!

Our paper ‘Persistent BIOS Infection’ has been released… on Phrack!

•June 11, 2009 • 2 Comments

We finally did it. Our paper is out, and Phrack #66 is the best place I can imagine to release it. We had to run a lot these last days to get the paper ready on time. I would like to thank the whole Phrack team for putting together the outstanding issue that you can read right here.

Continue reading ‘Our paper ‘Persistent BIOS Infection’ has been released… on Phrack!’

Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability

•June 3, 2009 • Leave a Comment

Poor little CUPS… I feel bad for him.
I swear, I wasn’t looking for bugs in it (not for *new* bugs at least ;) ). It just crashed in my face…

At the beginning I didn’t give it much importance, but CUPS is shipped as the default printing service for OS X and almost all Linux distributions. Besides, it’s a pre-auth vulnerability, so… I think it was worth releasing an advisory for it, with the appropriate PoC and technical info, as usual.

So, here you have it. Have phun. :p

Continue reading ‘Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability’

Python winappdbg 1.0 is Out!

•April 22, 2009 • Leave a Comment
HotFuzz

Mario Vilas, a very good friend of mine (and coworker), has released a very cool Python module that allows developers to quickly code instrumentation scripts in Python under a Windows environment.

I’ve been following this project very closely, testing some pre-releases, and I must say that I can’t wait to fuzz some stuff with this final version.

Continue reading ‘Python winappdbg 1.0 is Out!’

CanSecWest was great! Here, the presentation slides.

•March 23, 2009 • 7 Comments

Ok, so, CanSecWest has finished. And I must say, it was an excellent conference.

We talked on the second day and, although it was very early, there were a lot of (amazingly not drunk) people there.

Continue reading ‘CanSecWest was great! Here, the presentation slides.’

Persistent BIOS Infection – CanSecWest

•February 2, 2009 • 3 Comments

After some time without news (as is usual around here) I’m back again, ready to say that I was confirmed as a speaker at the CanSecWest conference that will be held March 16-20 in Vancouver, BC.

We will give a talk about a project I’ve been working on with Alfredo Ortega (you know, the OpenBSD guy :) ): a new generic binary method to get malicious code injected into the computer BIOS and executed from there. Yeah, that cute little chip…

I will post more details about the conference in a while. In the meantime, you can get more info at the CanSecWest website.

For those who are planning to attend the conference, we (Alfred & I) will be arriving on 16/3, and of course, we are up for some beers.

Continue reading ‘Persistent BIOS Infection – CanSecWest’

My article at (IN)SECURE Magazine

•October 5, 2008 • Leave a Comment

Hey all. I’ve written an article called “The METHOD_NEITHER Odyssey” for the latest issue of the (IN)SECURE Magazine and you can download it here.

(IN)SECURE Magazine Nr. 18

Continue reading ‘My article at (IN)SECURE Magazine’

Sun xVM VirtualBox Privilege Escalation Vulnerability

•August 5, 2008 • Leave a Comment

I’ve released a new advisory these past days addressing a new vulnerability I’ve found in the Windows driver of Sun xVM VirtualBox. This is another example of the problems that must be faced when the METHOD_NEITHER I/O control buffering method is used.

The vulnerability is explained in depth in the advisory. So, let’s see it:
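To make the METHOD_NEITHER point concrete, here is an added example (mine, not code from the advisory or from VirtualBox) in portable C. With METHOD_NEITHER the I/O manager does no buffering: the driver receives the caller’s raw pointer and length and must itself run ProbeForRead/ProbeForWrite inside __try/__except and then work on a kernel-owned copy. The block models the range check ProbeForRead performs (no wrap-around, entirely below MmUserProbeAddress, aligned) against a constructed user address space, and contrasts a handler that trusts the pointer with one that probes and captures. The boundary constant, the USER_BASE region, the vbox_req_t structure and its magic value are all assumed for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed: x64 MmUserProbeAddress. Anything at or above it is not user memory. */
#define MM_USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

/* Constructed model of the caller's address space: a region at an assumed
 * base, backed by an array in this process instead of real user pages. */
#define USER_BASE 0x0000000000400000ULL
#define USER_SIZE 4096
static uint8_t user_mem[USER_SIZE];

/* What a METHOD_NEITHER handler sees: Type3InputBuffer is a raw user pointer,
 * InputBufferLength is whatever the caller passed to DeviceIoControl. */
typedef struct {
    uint64_t type3_input_buffer;
    uint32_t input_buffer_length;
} ioctl_request_t;

/* Payload the IOCTL expects at Type3InputBuffer (assumed layout, not VirtualBox's). */
typedef struct {
    uint32_t magic;
    uint32_t count;
} vbox_req_t;

#define VBOX_REQ_MAGIC 0x56424F58u   /* 'VBOX', assumed */

/* Model of ProbeForRead: zero length is accepted; otherwise the address must be
 * aligned, the end must not wrap, and the whole range must lie below the probe
 * address. The real function raises STATUS_DATATYPE_MISALIGNMENT or
 * STATUS_ACCESS_VIOLATION instead of returning false. */
static bool probe_for_read(uint64_t addr, uint64_t len, uint64_t alignment)
{
    if (len == 0)
        return true;
    if (alignment && (addr & (alignment - 1)))
        return false;                       /* misaligned */
    if (addr + len < addr)
        return false;                       /* wrapped around into kernel range */
    if (addr + len > MM_USER_PROBE_ADDRESS)
        return false;                       /* touches kernel memory */
    return true;
}

/* Copy from the modelled user space into a kernel-owned buffer. Only reached
 * after a successful probe; fails if the range is outside the model. */
static bool capture_user_buffer(uint64_t addr, uint64_t len, void *dst)
{
    if (addr < USER_BASE || addr + len > USER_BASE + USER_SIZE)
        return false;
    memcpy(dst, user_mem + (addr - USER_BASE), len);
    return true;
}

/* Vulnerable pattern: length is checked, the pointer is not. Returns whether
 * the handler would go on to dereference it; a kernel address passes through. */
static bool handler_vulnerable(const ioctl_request_t *req)
{
    return req->input_buffer_length >= sizeof(vbox_req_t);
}

/* Hardened pattern: probe the full range, copy it once into a local, and
 * validate only the copy, so the caller cannot change it between check and use. */
static bool handler_hardened(const ioctl_request_t *req, vbox_req_t *out)
{
    vbox_req_t local;
    if (req->input_buffer_length < sizeof(vbox_req_t))
        return false;
    if (!probe_for_read(req->type3_input_buffer, req->input_buffer_length, 4))
        return false;
    if (!capture_user_buffer(req->type3_input_buffer, sizeof(local), &local))
        return false;
    if (local.magic != VBOX_REQ_MAGIC)
        return false;
    *out = local;
    return true;
}

/* Place a payload in the modelled user memory and return its user address. */
static uint64_t place_user_payload(uint32_t magic, uint32_t count)
{
    vbox_req_t p = { magic, count };
    memcpy(user_mem, &p, sizeof(p));
    return USER_BASE;
}

/* Kernel pointer supplied by the caller: vulnerable handler proceeds, hardened refuses. */
static bool demo_kernel_pointer_rejected(void)
{
    ioctl_request_t req = { 0xFFFFF80000000000ULL, sizeof(vbox_req_t) };
    vbox_req_t out;
    return handler_vulnerable(&req) && !handler_hardened(&req, &out);
}

/* Well-formed user request: returns the count read from the captured copy, or -1. */
static int demo_valid_request_count(void)
{
    ioctl_request_t req = { place_user_payload(VBOX_REQ_MAGIC, 3), sizeof(vbox_req_t) };
    vbox_req_t out;
    return handler_hardened(&req, &out) ? (int)out.count : -1;
}

int main(void)
{
    printf("kernel pointer rejected by hardened handler: %d\n", demo_kernel_pointer_rejected());
    printf("count from valid request: %d\n", demo_valid_request_count());
    return 0;
}
```

The wrap-around test matters as much as the upper bound: a caller can pass a pointer just below the top of the address space with a length that carries past it, so a check written as `addr + len > limit` alone passes.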

Continue reading ‘Sun xVM VirtualBox Privilege Escalation Vulnerability’

Exploiting in ‘OS X’ City.

•July 27, 2008 • Leave a Comment

Hey hey. How are you, ppl?
I’ve been working a lot with OS X lately. It looks very similar to any Unix-like OS. But, of course, it has its own particularities.

Basically I’m writing this post to have some kind of sticky note with the things I’ve discovered, read on some blog or seen in some presentation. So, I’ll keep this post ‘in progress’, adding the stuff that I think will be useful for developing reliable exploits.

Continue reading ‘Exploiting in ‘OS X’ City.’

Insufficient argument validation of hooked SSDT functions on multiple Antivirus & Personal Firewalls

•April 28, 2008 • Leave a Comment

This advisory addresses a few driver vulnerabilities we found at Core. One is a bug I’ve found in Rising Antivirus when testing Matousec’s tool (bsodhook) to fuzz common Windows API parameters, looking for badly implemented kernel-mode hooks that don’t validate the parameters correctly before passing them to the real function.

Damian Saura has also used it against other AVs and Personal Firewalls, discovering a few more.

I’ve researched the vulnerabilities one by one and released a fully detailed advisory analysing the bugs in depth.

It is a trivial bug: a DoS can be done by crashing the whole box.

This is the advisory I’ve released through Core.
Continue reading ‘Insufficient argument validation of hooked SSDT functions on multiple Antivirus & Personal Firewalls’