Research Revealed

Presentation “You can’t stop us: latest trends on exploit techniques” at CONFidence 2010

Here are the slides from CONFidence 2010, held in Krakow, where DSecRG spoke about the weaknesses of modern protections against arbitrary code execution: GS, SafeSEH, DEP and ASLR. How can they be bypassed? Modern techniques: Return-Oriented Programming (ROP) and attacks on clients with the JIT-spray method. How can such exploits be written? Practical tips and tricks with real examples based on the latest vulnerabilities are provided.

Author: Alexey Sintsov

Download the presentation

Whitepaper “Penetration: from Application down to OS. Getting OS Access Using Lotus Domino Application Server Vulnerabilities”


This whitepaper continues a series of publications describing various ways of obtaining access to the server operating system using vulnerabilities in popular business applications found in the corporate environment.

Author: Alexandr Polyakov

This time we will talk about Lotus Domino, a very popular application that provides enterprise-grade e-mail and collaboration capabilities. This system stores a huge amount of critical corporate data and represents a good target for a potential attacker. People must also be aware that this system is usually reachable from the Internet and can be compromised to gain access to the operating system of the server in the DMZ, and from there to the internal servers of the corporate environment; in this paper we will show how this is done.

Penetration from application down to OS (Lotus Domino)

Whitepaper “Writing JIT-Spray Shellcode for fun and profit”

In this text we describe how to write shellcode for the new JIT-spray attacks and how to build a universal stage 0 shellcode that passes control to any common shellcode, for example one from Metasploit.

Author: Alexey Sintsov

Attacks on clients’ browsers have always been a real threat for everyone, and the vulnerabilities have been not only in the browser itself but also in its plug-ins. Bank clients, business software, antivirus software: all of them use ActiveX (for IE) on the client side, and there have been, and still are, many vulnerabilities here. Vendors take steps to defend us: software vendors patch vulnerabilities and OS vendors introduce new mechanisms to prevent attacks altogether. But security researchers keep looking for ways to bypass these mechanisms. The new versions of browsers (Internet Explorer 8 and Firefox 3.5) use permanent DEP, and the new versions of the OS use ASLR. All this makes the old attack methods impossible. But at BlackHat DC 2010 an interesting way to bypass DEP and ASLR in browsers (and not only there) and Just-In-Time compilers was presented. This method is called JIT-spray. But there was no public PoC until now.

Writing JIT-Spray Shellcode for fun and profit

Whitepaper “Penetration: from application down to OS. Getting OS access using Apache Geronimo Application Server vulnerabilities”

This whitepaper continues a series of publications describing different ways of obtaining access to the server operating system using vulnerabilities and misconfigurations in popular business applications found in the corporate environment.

Author: Stanislav Svistunovich

This article describes ways of obtaining access to the server operating system through vulnerabilities in the Apache Geronimo application server.

Penetration: from application down to OS. Getting OS access using Apache Geronimo Application Server vulnerabilities

Penetration: from application down to OS. Getting OS access using Oracle Database unprivileged user


This whitepaper is part of a series of publications describing various ways of obtaining access to the server operating system using vulnerabilities in popular business applications found in the corporate environment.

Author: Alexandr Polyakov

Once upon a time, during a penetration test of a corporate network, I got an unprivileged account on an Oracle Database, and my plan was to get an administrative shell on the server where the database was installed. The server was running the Windows 2003 Server operating system, and the Oracle database was running under the Administrator account (not LOCAL_SYSTEM). It is a quite common situation, though. The default way is to escalate privileges on the database using one of the latest SQL injection vulnerabilities and then use the DBA privileges to gain access to the OS using one of the popular methods such as ExtProc, Java, extjob etc. So it seems to be quite simple, and I thought about other ways.
What if the database is patched with the latest CPU updates and additionally has some kind of Intrusion Detection System which can catch 0-day vulnerabilities or something like this, and it is impossible to escalate privileges using SQL injections? Of course, there are some methods of escalating privileges without exploits. For example: find clear-text passwords in the database, connect to the listener internally and rewrite the log file, or escalate privileges using some dangerous roles such as ‘SELECT ANY DICTIONARY’, ‘CREATE ANY TRIGGER’ or something like this. But these methods can’t give you 100% success. I guess there must be another way; maybe it’s not all-applicable, but better than the ones described.

In short, this paper describes an investigation into getting an administrative shell on the server while having only unprivileged rights on the Oracle Database.

Penetration from application down to OS (Oracle database).pdf (/wp-content/uploads/pub/Penetration%20from%20application%20down%20to%20OS%20(Oracle%20database).pdf)

Penetration: from application down to OS. Getting OS access using IBM Websphere Application Server vulnerabilities


This whitepaper opens a series of publications describing various ways of obtaining access to the server operating system using vulnerabilities in popular business applications found in the corporate environment.

Author: Stanislav Svistunovich

This article describes ways of obtaining access to the server operating system through vulnerabilities in the IBM Websphere application server.

Penetration from application down to OS (IBM Websphere).pdf (/wp-content/uploads/pub/Penetration%20from%20application%20down%20to%20OS%20(IBM%20Websphere).pdf)

Whitepaper “Different ways to guess Oracle database SID”


This whitepaper is the result of our research in Oracle security and in guessing the Oracle database SID. In this document I collected all well-known public information about SID guessing and added new techniques which had been successfully tested during our security audits.

Author: Alexandr Polyakov

Nowadays there is a lot of public information about Oracle security and the different vulnerabilities that a hacker can use to get access to the database. Many of these steps are well explained in public resources and in my paper «Oracle database security». Default user accounts are a big known problem, and there is a lot of information about it. As for vulnerabilities, only 10 percent of DBAs regularly install Critical Patch Updates. Access to OS files and a shell can be obtained using many different techniques such as Extproc, Java, DBMS_JOB, UTL_FILE, DBMS_LOB and others. As for rootkits and cleaning audit data, in this field hackers are one step behind DBAs. In this information about Oracle security there is one part that is not as well explained as the others. I’m talking about getting the Oracle SID. Without knowing the Oracle database SID, an attacker cannot get access to the database even if he knows the username and password. With Oracle 10g, getting the database SID is not as trivial as before. That’s why I’ve decided to research this area and write this document as a result of my research. In this whitepaper I’ve collected all the ways to get the database SID and added some new techniques.

Different ways to guess Oracle database SID.pdf (/wp-content/uploads/pub/Different%20ways%20to%20guess%20Oracle%20database%20SID.pdf)