Black Hat USA 2014 – Computrace backdoor revisited

August 14, 2014

Hey there! Another quick post.
After our presentation at SAS2014, we kept working together with Vitaly and Sergey on this topic and decided to go to BH with all the results.
It was really cool. I think this time more people realized the risk of having that kind of technology preinstalled in their BIOS/UEFI…
Anyway, you can take a look at our slides and whitepaper here.

I will update this post later with more stuff.
See you!

Catching up – Security Analyst Summit 2014

August 14, 2014

Security Analyst Summit 2014 - Punta Cana

Yeah, well. A bit late… I know.

These last months have been complete madness. But a good madness, I have to say.
So I will try to catch up with a few quick posts.

I’ve been contacted by the Kaspersky guys and invited to give a joint talk at their private summit about Computrace. These guys, Vitaly Kamluk and Sergey Belov, are two amazing researchers who, after finding an activated instance of Computrace on their personal computers, did what needed to be done: research it and attack it.

In this joint talk I presented our (with Alfredo Ortega) original findings and introduced the topic so they could show theirs, together with some new -remote- attacks they’ve worked on.
This was an extremely cool conference. Really good researchers, good presentations, with several parallel tracks that allow you to choose the one that fits better with your interests.

Honestly, the Hard Rock Hotel is an excellent place to hold a security conference. Definitely Kaspersky knows how to do it 😉
Here you can take a look at the report published by Kaspersky about their findings and attacks: http://securelist.com/analysis/publications/58278/absolute-computrace-revisited/

Cubica Labs

March 18, 2014

The day finally came. This is Cubica Labs.

You will find more information on LinkedIn here. Or, eventually, at our webpage: www.cubicalabs.com

A new episode.

November 27, 2013

Eight years have passed since my first interview at Core Security.

I’ve got to say, it has been an amazing experience. I’ve had the luck to work with some of the greatest researchers of the infosec industry (and other industries too). But, as you can imagine, 8 years developing binary exploits and researching for (only) one company can be too much.

It has its pros and its cons, though. It’s ridiculous how much I’ve learned there, and I couldn’t be more thankful, but, at the same time, it can be a complex scenario when your main interest is to try to research (and break) every new technology out there. So, after thinking about this for a long time, I decided it was time for a fresh start.

This is, in part, the reason for the low activity on the blog. I have some projects that I’m working on and, hopefully, they will see the light soon.

In the meantime, I’m on my own. So I’ll be glad to hear from you 😉

HTML5 Heap Spray. EUSecWest 2012

October 3, 2012

Federico and I have just come back from our holidays after EUSecWest.

The conference was awesome, as usual. Very interesting talks, great people and, of course, great hosts.

In our talk, we presented a new technique to populate the heap in a multithreaded fashion, making use of HTML5.
It’s very simple and it offers several benefits:

  • Very fast
  • Browser independent
  • Aligned
  • Supported by computers, smartphones, smart TVs and video game consoles

Still using strings to heap spray & feng shui? Take a look at the slides.
You can download them here or view them online here. Alternatively, if you don’t like Prezi, you can obtain a PDF version here.

[Quickpost] [IDAPython] Locating libc in an unknown firmware without string references.

July 2, 2012

Very often, you find yourself reversing a completely unknown firmware from some memory dump, and you know very little about it. Probably only the processor architecture, the kind of work it does, etc.

Generally, you can search for patterns (like the opcodes of the function prologue) to try to define the first functions, look for strings that could add some extra info, look for headers giving us an idea of how the firmware is structured and, of course, try to identify the libc itself and its location.

These last two points are, in my opinion, the most important ones.

Often, we have to go without all this important information. Maybe we don’t have any strings. Or we have them, but there are no code references to them, so we can’t link them to the code. Maybe we can’t reproduce the in-memory layout of the firmware and its structure.

Well, this is the exact situation that made me think about developing this script.


Heappie! – Heap spray analysis tool.

March 9, 2012

Today, I’m releasing through Core a Python tool (with an amazing ultra l337 GUI) that helps exploit writers add reliability to their exploits by tracking their heap sprays graphically. These graphics can then be analyzed together in order to find heap spray intersections between several runs on different software versions and platforms.

Heappie! consists of 3 main scripts:

– heappie-analyzer.py: the script in charge of the process/dump analysis; it finds the patterns in memory and generates a log to be visualized with the viewer.
– heappie-viewer.py: the script that generates the graphics.
– Heappie.py: the front end. It’s just a cheap GUI I made to simplify the whole process of running the scripts.


Quickpost: IDAPython script to identify unrecognized functions.

December 6, 2011

Hey folks! This time I’m gonna share with you a small IDAPython tool made by Federico Muttis (aka @acid_; maybe you remember him from the -pretty awesome- Pidgin vulnerability or the WebEx one). This is one of those scripts that you have to use and reuse several times when working with obscure firmware, memory dumps or even unknown pieces of code. A lot of us made something like this in the past. It’s a must. But I felt that we really needed something with a slightly more general approach. Like Acid did.

Let’s see what he has to say about it 😉


Apple OS X Sandbox Predefined Profiles Bypass

November 14, 2011

Hey guys!
Today I wanna mention a little bug we found together with Matias Eissler. It’s not a big deal, that’s clear. But it’s potentially dangerous and it shows the complexity of a sandbox implementation.

This is the story: after a few hours fooling around with the sandbox, we found this method that allowed us to bypass the network access restriction. The funny thing here is that we did a quick search on Google about the topic to see if some of this had been reported before and, guess what? Charlie Miller publicly disclosed the same thing (that Apple Events were allowed in a sandbox profile) in the quicklookd profile like 3 years ago.


Ph-Neutral 0x7db

May 23, 2011

And the day finally came. The last (public, at least) edition of Ph-Neutral is very close and I gotta say: I’m very excited about being there. Luckily, I’ll be arriving two days before the conference, so I’m gonna have enough time to recover after the flight. I wanna be in good shape to deal with the -pretty insane- Ph-Neutral rhythm, which usually consists of a mix of highly technical talks and amazing parties at night.
