Exploiting nginx chunked overflow bug, the undisclosed attack vector

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Exploiting nginx chunked overflow bug, the undisclosed attack vector"

Transcription

1 Exploiting nginx chunked overflow bug, the undisclosed attack vector Long Le

2 About VNSECURITY.NET CLGT CTF team 2 VNSECURITY.NET

3 In this talk Nginx brief introduction Nginx chunked overflow bug The analysis The exploit The undisclosed attack vector x86-64 ROP tricks Demo 3 VNSECURITY.NET

4 Nginx [engine x] HTTP and reverse proxy server Fast, light-weight Popular 4 VNSECURITY.NET

5 Nginx architecture Non-blocking IO Event driven Single threaded Single master, multiple workers Resources efficient Highly modular ref: 5 VNSECURITY.NET

6 Nginx architecture big picture ref: 6 VNSECURITY.NET

7 The vulnerability 7 VNSECURITY.NET

8 The analysis (1) HTTP header: Transfer-Encoding: chunked 8 VNSECURITY.NET

9 The analysis (2) 9 VNSECURITY.NET

10 The analysis (3) 10 VNSECURITY.NET

11 The analysis (4) stack based overflow 11 VNSECURITY.NET

12 The exploit Stack cookie bruteforcing May require hundred/thousand of connections Noisy error logs nginx < binaries from nginx.org has no stack cookie ASLR return to binary Default is non PIE NX ROP https://github.com/danghvu/nginx-1.4.0/blob/master/exp-nginx.rb 12 VNSECURITY.NET

13 The humble mitigation 13 VNSECURITY.NET

14 Quick summary Default nginx settings (static contents) Stack based overflow Straight to exploit Stack cookie slows down attack 14 VNSECURITY.NET

15 Practical Nginx deployment Nginx + FastCGI backend E.g: Wordpress Nginx + Apache/Lighttpd Reverse proxy 15 VNSECURITY.NET

16 The undisclosed attack vector Same vulnerability Different configuration More targets Heap based overflow! No worry about stack cookie Not straight to exploit 16 VNSECURITY.NET

17 The analysis (1) 17 VNSECURITY.NET

18 The analysis (2) 18 VNSECURITY.NET

19 The analysis (3) 19 VNSECURITY.NET

20 The analysis (4) 20 VNSECURITY.NET

21 The analysis (5) heap based overflow 21 VNSECURITY.NET

22 POC trigger 22 VNSECURITY.NET

23 Crash dump 23 VNSECURITY.NET

24 The exploit Send enough data Crafted payload to pass some checks ROP stuff Run n Pray! It s unreliable 24 VNSECURITY.NET

25 The unreliable issue Interfered by events Connections coming Connections have data Connections closing Heap metadata corruption Nginx internal pool libc Difficult to debug Event driven 25 VNSECURITY.NET

26 Crash madness VNSECURITY.NET

27 Nginx internals (1) ref: 27 VNSECURITY.NET

28 Nginx internals (2) 28 VNSECURITY.NET

29 Nginx internals (3) 29 VNSECURITY.NET

30 The solution Heap spraying Open many connections Force each connection to allocate large chunk Reserve contiguous memory Overflow the handler and trigger read_event_handler() Send more data to trigger read event 30 VNSECURITY.NET

31 The refined POC 31 VNSECURITY.NET

32 Heap spraying (1) 32 VNSECURITY.NET

33 Heap spraying (2) header N buffer N header N+1 buffer N+1 header N+2 33 VNSECURITY.NET

34 Overflow the handler (1) header N buffer N header N+1 buffer N+1 header N+2 34 VNSECURITY.NET

35 Overflow the handler (2) 35 VNSECURITY.NET

36 The refined exploit Open N connections (e.g N=32) All connections send the chunk trigger For connections from N/2 to N send same ROP payload Jump to controlled, contiguous memory before overflowing 36 VNSECURITY.NET

37 x86-64 ROP tricks (1) Use 32-bits gadgets Heap address is 32-bits xchg rsp, rax xchg esp, eax 37 VNSECURITY.NET

38 x86-64 ROP tricks (2) RET blocks RIP call [rax+0x30] RAX heap payload RAX RIP ret ret ret ret ret pop_ret xchg_ret real payload address growth 38 VNSECURITY.NET

39 x86-64 ROP tricks (3) Use less argument functions for ret2plt, ret2libc mprotect() vs mmap64() mmap64() rdi => address rsi => size rdx => proto rcx => flags r8 => fd r9 => offset mprotect() rdi => address rsi => size rdx => proto libc offset: mprotect mmap = 0x60 39 VNSECURITY.NET

40 Shellcode tricks Continue to serve normal HTTP requests fork() then parent exit() Advanced socket reuse stage-1: fd hunting loop read from fd check for tag jump to stage-2 with found fd stage-2: normal socket reuse shell 40 VNSECURITY.NET

41 Demo 41 VNSECURITY.NET

42 Conclusion We found another (now known) attack vector of the ngxin chunked overflow bug Not only stack based overflow Impact to almost practical deployments We built a reliable heap based overflow exploit No worry about stack cookie bruteforcing Fast to gain shell Exploit on x86 should be the same but easier 42 VNSECURITY.NET

43 Questions? 43 VNSECURITY.NET

Bypassing Memory Protections: The Future of Exploitation

Bypassing Memory Protections: The Future of Exploitation Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript

More information

Bypassing Browser Memory Protections in Windows Vista

Bypassing Browser Memory Protections in Windows Vista Bypassing Browser Memory Protections in Windows Vista Mark Dowd & Alexander Sotirov markdowd@au1.ibm.com alex@sotirov.net Setting back browser security by 10 years Part I: Introduction Thesis Introduction

More information

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application

More information

telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012

telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012 Content Part I Info Bug Telnet Exploit Part II Advanced Exploitation Meta Information Disclosed

More information

Tuning WebSphere Application Server ND 7.0. Royal Cyber Inc.

Tuning WebSphere Application Server ND 7.0. Royal Cyber Inc. Tuning WebSphere Application Server ND 7.0 Royal Cyber Inc. JVM related problems Application server stops responding Server crash Hung process Out of memory condition Performance degradation Check if the

More information

Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com

Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement. MJ0011 th_decoder@126.com Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement MJ0011 th_decoder@126.com Agenda Background A Patched Vulnerability: CVE-2010-4398 Bypass DSE on Windows7 x64 Windows8

More information

Practical taint analysis for protecting buggy binaries

Practical taint analysis for protecting buggy binaries Practical taint analysis for protecting buggy binaries So your exploit beats ASLR/DEP? I don't care Erik Bosman Traditional Stack Smashing buf[16] GET / HTTP/1.100baseretnarg1arg2 Traditional

More information

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT ASL IT SECURITY XTREME XPLOIT DEVELOPMENT V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: The most dangerous threat is the one which do not have a CVE. Until now developing reliable exploits

More information

Google Apps Engine. G-Jacking AppEngine-based applications. Presented 30/05/2014. For HITB 2014 By Nicolas Collignon and Samir Megueddem

Google Apps Engine. G-Jacking AppEngine-based applications. Presented 30/05/2014. For HITB 2014 By Nicolas Collignon and Samir Megueddem Google Apps Engine G-Jacking AppEngine-based applications Presented 30/05/2014 For HITB 2014 By Nicolas Collignon and Samir Megueddem Introduction to GAE G-Jacking The code The infrastructure The sandbox

More information

Custom Penetration Testing

Custom Penetration Testing Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools

More information

Modern Binary Exploitation Course Syllabus

Modern Binary Exploitation Course Syllabus Modern Binary Exploitation Course Syllabus Course Information Course Title: Modern Binary Exploitation Course Number: CSCI 4968 Credit Hours: 4 Semester / Year: Spring 2015 Meeting Days: Tuesday/Friday

More information

Google Apps Engine. G-Jacking AppEngine-based applications. Presented 20/11/2014. For NoSuchCon 2014 By Nicolas Collignon

Google Apps Engine. G-Jacking AppEngine-based applications. Presented 20/11/2014. For NoSuchCon 2014 By Nicolas Collignon Google Apps Engine G-Jacking AppEngine-based applications Presented 20/11/2014 For NoSuchCon 2014 By Nicolas Collignon Introduction to GAE G-Jacking The code The infrastructure The sandbox Conclusion Introduction

More information

Memory management in C: The heap and the stack

Memory management in C: The heap and the stack Memory management in C: The heap and the stack Leo Ferres Department of Computer Science Universidad de Concepción leo@inf.udec.cl October 7, 2010 1 Introduction When a program is loaded into memory, it

More information

ERNW Newsletter 51 / September 2015

ERNW Newsletter 51 / September 2015 ERNW Newsletter 51 / September 2015 Playing With Fire: Attacking the FireEye MPS Date: 9/10/2015 Classification: Author(s): Public Felix Wilhelm TABLE OF CONTENT 1 MALWARE PROTECTION SYSTEM... 4 2 GAINING

More information

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit Bug hunting Vulnerability finding methods in Windows 32 environments compared FX of Phenoelit The goal: 0day What we are looking for: Handles network side input Runs on a remote system Is complex enough

More information

64-Bit NASM Notes. Invoking 64-Bit NASM

64-Bit NASM Notes. Invoking 64-Bit NASM 64-Bit NASM Notes The transition from 32- to 64-bit architectures is no joke, as anyone who has wrestled with 32/64 bit incompatibilities will attest We note here some key differences between 32- and 64-bit

More information

Lecture 26: Obfuscation

Lecture 26: Obfuscation Lecture 26: Obfuscation 15411: Compiler Design Robbie Harwood and Maxime Serrano 21 November 2013 1 Introduction We have previously (lecture 20) considered the problem of doing compilation backwards (i.e.,

More information

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail Hacking Techniques & Intrusion Detection Ali Al-Shemery arabnix [at] gmail All materials is licensed under a Creative Commons Share Alike license http://creativecommonsorg/licenses/by-sa/30/ # whoami Ali

More information

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc WwW.Abysssec.Com Format string exploitation on windows Using Immunity Debugger / Python By Abysssec Inc WwW.Abysssec.Com For real beneficiary this post you should have few assembly knowledge and you should know about classic

More information

Compromise-as-a-Service

Compromise-as-a-Service ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg 3/31/14 Compromise-as-a-Service Our PleAZURE Felix Wilhelm & Matthias Luft {fwilhelm, mluft}@ernw.de ERNW GmbH Carl-Bosch-Str. 4 D-69115 Heidelberg Agenda

More information

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING Presented by: Dave Kennedy Eric Smith AGENDA Penetration Testing by the masses Review of current state by most service providers Deficiencies in

More information

EMET 4.0 PKI MITIGATION. Neil Sikka DefCon 21

EMET 4.0 PKI MITIGATION. Neil Sikka DefCon 21 EMET 4.0 PKI MITIGATION Neil Sikka DefCon 21 ABOUT ME Security Engineer on MSRC (Microsoft Security Response Center) I look at 0Days EMET Developer I enjoy doing security research on my free time too:

More information

Hacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K

Hacking your perimeter. Social-Engineering. Not everyone needs to use zero. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K Hacking your perimeter. Social-Engineering Not everyone needs to use zero days David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K About the speaker Wrote the Social-Engineer Toolkit (SET),

More information

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu> Unix Security Technologies Pete Markowsky What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make

More information

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov. asotirov@determina.com 風 水 Heap Feng Shui in JavaScript Alexander Sotirov asotirov@determina.com Black Hat Europe 2007 Introduction What is Heap Feng Shui? the ancient art of arranging heap blocks in order to redirect the program

More information

XNU:asecurityevaluation

XNU:asecurityevaluation XNU:asecurityevaluation XNU: a security evaluation D Keuper (s1019775) University of Twente and Certified Secure December 13, 2012 Abstract The XNU kernel is the kernel that powers Apple s OS X and ios

More information

Penetration Testing with Kali Linux

Penetration Testing with Kali Linux Penetration Testing with Kali Linux PWK Copyright 2014 Offensive Security Ltd. All rights reserved. Page 1 of 11 All rights reserved to Offensive Security, 2014 No part of this publication, in whole or

More information

============================================================= =============================================================

============================================================= ============================================================= Stephan Lantos Subject: FW: @RISK: The Consensus Security Vulnerability Alert: Vol. 13, Num. 23 In partnership with SANS and Sourcefire, Qualys is pleased to provide you with the @RISK Newsletter. This

More information

CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis

CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis Your texte here. CVE-2012-1535 Adobe Flash Player Integer Overflow Vulnerability Analysis October 11 th, 2012 Brian MARIANI & Frédéric BOURLA A FEW WORDS ABOUT FLASH PLAYER Your Adobe texte Flash here

More information

Security & Exploitation

Security & Exploitation Security & Exploitation Operating Systems Spring 2015 RPISEC - 05/11/2015 OS Security 1 whoami Markus Gaasedelen B.S. Computer Science 15 Security Enthusiast I like to hack things President of RPISEC http://rpis.ec

More information

Application Denial of Service Is it Really That Easy?

Application Denial of Service Is it Really That Easy? Application Denial of Service Is it Really That Easy? Shay Chen Agenda Introduction to Denial of Service Attacks Application Level DoS Techniques Case Study Denial of Service Testing Mitigation Summary

More information

CSC 2405: Computer Systems II

CSC 2405: Computer Systems II CSC 2405: Computer Systems II Spring 2013 (TR 8:30-9:45 in G86) Mirela Damian http://www.csc.villanova.edu/~mdamian/csc2405/ Introductions Mirela Damian Room 167A in the Mendel Science Building mirela.damian@villanova.edu

More information

Dynamic Behavior Analysis Using Binary Instrumentation

Dynamic Behavior Analysis Using Binary Instrumentation Dynamic Behavior Analysis Using Binary Instrumentation Jonathan Salwan jsalwan@quarkslab.com St'Hack Bordeaux France March 27 2015 Keywords: program analysis, DBI, DBA, Pin, concrete execution, symbolic

More information

Monitoring Nginx Server

Monitoring Nginx Server Monitoring Nginx Server eg Enterprise v6 Restricted Rights Legend The information contained in this document is confidential and subject to change without notice. No part of this document may be reproduced

More information

Bromium Labs Research Brief. Endpoint Exploitation Trends H1 2014

Bromium Labs Research Brief. Endpoint Exploitation Trends H1 2014 Bromium Labs Research Brief Endpoint Exploitation Trends H1 2014 1 Table of Contents Executive Brief... 3 and exploit trends H1, 2014... 3 Zero day trends... 3 Internet Explorer release to patch timeline...

More information

Linux exploit development part 2 (rev 2) - Real app demo (part 2)

Linux exploit development part 2 (rev 2) - Real app demo (part 2) Linux exploit development part 2 (rev 2) - Real app demo (part 2) This will be a short tutorial demonstrating a "buffer overflow" exploit on a real application which is freely available using the techniques

More information

PHP web serving study Performance report

PHP web serving study Performance report PHP web serving study Performance report by Stefan "SaltwaterC" Rusu Date: May - June 2010 Contact: http://saltwaterc.net/contact or admin [at] saltwaterc [dot] net Hardware Configurations Web Server:

More information

Intro to Load-Balancing Tomcat with httpd and mod_jk

Intro to Load-Balancing Tomcat with httpd and mod_jk Intro to Load-Balancing Tomcat with httpd and mod_jk Christopher Schultz Chief Technology Officer Total Child Health, Inc. * Slides available on the Linux Foundation / ApacheCon2015 web site and at http://people.apache.org/~schultz/apachecon

More information

TFE listener architecture. Matt Klein, Staff Software Engineer Twitter Front End

TFE listener architecture. Matt Klein, Staff Software Engineer Twitter Front End TFE listener architecture Matt Klein, Staff Software Engineer Twitter Front End Agenda TFE architecture overview TSA architecture overview TSA hot restart Future plans Q&A TFE architecture overview Listener:

More information

A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge

A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge Antonio Bianchi antoniob@cs.ucsb.edu University of California, Santa Barbara HITCON Enterprise August 27th, 2015 Agenda Shellphish The

More information

Sandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers

Sandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security

More information

Attacking Hypervisors via Firmware and Hardware

Attacking Hypervisors via Firmware and Hardware Attacking Hypervisors via Firmware and Hardware Mikhail Gorobets, Oleksandr Bazhaniuk, Alex Matrosov, Andrew Furtak, Yuriy Bulygin Advanced Threat Research Agenda Hypervisor based isolation Firmware rootkit

More information

Painless Web Proxying with Apache mod_proxy

Painless Web Proxying with Apache mod_proxy Painless Web Proxying with Apache mod_proxy Justin R. Erenkrantz University of California, Irvine and Google, Inc. http://www.erenkrantz.com/oscon/ justin@erenkrantz.com Why should I pay attention? Apache

More information

Software Vulnerabilities

Software Vulnerabilities Software Vulnerabilities -- stack overflow Code based security Code based security discusses typical vulnerabilities made by programmers that can be exploited by miscreants Implementing safe software in

More information

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code Introduction Application Security Tom Chothia Computer Security, Lecture 16 Compiled code is really just data which can be edit and inspected. By examining low level code protections can be removed and

More information

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU Review and Exploit Neglected Attack Surface in ios 8 Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU BlackHat 2015 Agenda ios Security Background Review of Attack Surfaces Fuzz More IOKit and MIG System

More information

Ripples in the Gene Pool. Creating Genetic Mutations to Survive the Vulnerability Window Chris Eagle Defcon 14

Ripples in the Gene Pool. Creating Genetic Mutations to Survive the Vulnerability Window Chris Eagle Defcon 14 Ripples in the Gene Pool Creating Genetic Mutations to Survive the Vulnerability Window Chris Eagle Defcon 14 Standard Disclaimer The views expressed in this presentation are my own and do not necessarily

More information

Tool-based Approaches to Software Security. Prof. Dr. Eric Bodden Andreas Follner

Tool-based Approaches to Software Security. Prof. Dr. Eric Bodden Andreas Follner Tool-based Approaches to Software Security Prof. Dr. Eric Bodden Andreas Follner Outline General Information Timeline Term Paper / Review / Talk Grading Next Steps Topics General Information Purpose of

More information

MSc Computer Science Dissertation

MSc Computer Science Dissertation University of Oxford Computing Laboratory MSc Computer Science Dissertation Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities Author: Sean Heelan Supervisor: Dr. Daniel

More information

Attacking Obfuscated Code with IDA Pro. Chris Eagle

Attacking Obfuscated Code with IDA Pro. Chris Eagle Attacking Obfuscated Code with IDA Pro Chris Eagle Outline Introduction Operation Demos Summary 2 First Order Of Business MOVE UP AND IN! There is plenty of room up front I can't increase the font size

More information

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com CSCI-UA.0201-003 Computer Systems Organization Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z) mzahran@cs.nyu.edu http://www.mzahran.com Some slides adapted (and slightly modified)

More information

From SQL Injection to MIPS Overflows

From SQL Injection to MIPS Overflows From SQL Injection to MIPS Overflows Rooting SOHO Routers Zachary Cutlip Black Hat USA 2012 Acknowledgements Tactical Network Solutions Craig Heffner What I m going to talk about Novel uses of SQL injection

More information

Recon 2011 - Montreal

Recon 2011 - Montreal How to develop a rootkit for Broadcom NetExtreme network cards Guillaume Delugré Sogeti / ESEC R&D guillaume(at)security-labs.org Recon 2011 - Montreal . Delugré How to develop a rootkit for Broadcom NetExtreme

More information

http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention

http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 skape mmiller@hick.org Skywing Skywing@valhallalegends.com One of the big changes that Microsoft introduced

More information

Classification of Security Issues

Classification of Security Issues Classification of Security Issues By Mark J Cox Abstract Red Hat has implemented a scheme from Red Hat Enterprise Linux 4 to publicly classify the impact of security issues found in our products and services..customers

More information

Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc()

Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc() CS61: Systems Programming and Machine Organization Harvard University, Fall 2009 Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc() Prof. Matt Welsh October 6, 2009 Topics for today Dynamic

More information

Testing for Security

Testing for Security Testing for Security Kenneth Ingham September 29, 2009 1 Course overview The threat that security breaches present to your products and ultimately your customer base can be significant. This course is

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

A Comparative Study on Vega-HTTP & Popular Open-source Web-servers

A Comparative Study on Vega-HTTP & Popular Open-source Web-servers A Comparative Study on Vega-HTTP & Popular Open-source Web-servers Happiest People. Happiest Customers Contents Abstract... 3 Introduction... 3 Performance Comparison... 4 Architecture... 5 Diagram...

More information

Serving Media with NGINX Plus

Serving Media with NGINX Plus Serving Media with NGINX Plus Published June 11, 2015 NGINX, Inc. Table of Contents 3 About NGINX Plus 3 Using this Guide 4 Prerequisites and System Requirements 5 Serving Media with NGINX Plus 9 NGINX

More information

WHITEPAPER. Nessus Exploit Integration

WHITEPAPER. Nessus Exploit Integration Nessus Exploit Integration v2 Tenable Network Security has committed to providing context around vulnerabilities, and correlating them to other sources, such as available exploits. We currently pull information

More information

Attacking Hypervisors via Firmware and Hardware

Attacking Hypervisors via Firmware and Hardware Attacking Hypervisors via Firmware and Hardware Alex Matrosov (@matrosov), Mikhail Gorobets, Oleksandr Bazhaniuk (@ABazhaniuk), Andrew Furtak, Yuriy Bulygin (@c7zero) Advanced Threat Research Agenda Hypervisor

More information

HOW I MET YOUR MODEM EXPLOIT & TROJAN DEV FOR CONSUMER DSL DEVICES HACK IN THE BOX 2013 AMSTERDAM - PETER GEISSLER & STEVEN KETELAAR

HOW I MET YOUR MODEM EXPLOIT & TROJAN DEV FOR CONSUMER DSL DEVICES HACK IN THE BOX 2013 AMSTERDAM - PETER GEISSLER & STEVEN KETELAAR HOW I MET YOUR MODEM EXPLOIT & TROJAN DEV FOR CONSUMER DSL DEVICES HACK IN THE BOX 2013 AMSTERDAM - PETER GEISSLER & STEVEN KETELAAR WHO ARE WE? STEVEN Software developer Security fanatic Produces dance

More information

Firefox, Opera, Safari for Windows BMP file handling information leak. September 2008. Discovered by: Mateusz j00ru Jurczyk, Hispasec Labs

Firefox, Opera, Safari for Windows BMP file handling information leak. September 2008. Discovered by: Mateusz j00ru Jurczyk, Hispasec Labs Firefox, Opera, Safari for Windows BMP file handling information leak September 2008 Discovered by: Mateusz j00ru Jurczyk, Hispasec Labs 1. Introduction The bitmap format implementations in Mozilla Firefox

More information

Leak Check Version 2.1 for Linux TM

Leak Check Version 2.1 for Linux TM Leak Check Version 2.1 for Linux TM User s Guide Including Leak Analyzer For x86 Servers Document Number DLC20-L-021-1 Copyright 2003-2009 Dynamic Memory Solutions LLC www.dynamic-memory.com Notices Information

More information

Extending Tizen Native Framework with Node.js

Extending Tizen Native Framework with Node.js Extending Tizen Native Framework with Node.js Nishant Deshpande Hyunju Shin Ph.D. Samsung Electronics Contents Native or Web? Why JavaScript, Node.js? Proposed Architecture Sample Applications Going Forward

More information

Common Server Setups For Your Web Application - Part II

Common Server Setups For Your Web Application - Part II Common Server Setups For Your Web Application - Part II Introduction When deciding which server architecture to use for your environment, there are many factors to consider, such as performance, scalability,

More information

One Server Per City: C Using TCP for Very Large SIP Servers. Kumiko Ono Henning Schulzrinne {kumiko, hgs}@cs.columbia.edu

One Server Per City: C Using TCP for Very Large SIP Servers. Kumiko Ono Henning Schulzrinne {kumiko, hgs}@cs.columbia.edu One Server Per City: C Using TCP for Very Large SIP Servers Kumiko Ono Henning Schulzrinne {kumiko, hgs}@cs.columbia.edu Goal Answer the following question: How does using TCP affect the scalability and

More information

Return-oriented programming without returns

Return-oriented programming without returns Faculty of Computer Science Institute for System Architecture, Operating Systems Group Return-oriented programming without urns S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, M. Winandy

More information

WebLogic Server Admin

WebLogic Server Admin Course Duration: 1 Month Working days excluding weekends Overview of Architectures Installation and Configuration Creation and working using Domain Weblogic Server Directory Structure Managing and Monitoring

More information

PHP on IBM i: What s New with Zend Server 5 for IBM i

PHP on IBM i: What s New with Zend Server 5 for IBM i PHP on IBM i: What s New with Zend Server 5 for IBM i Mike Pavlak Solutions Consultant mike.p@zend.com (815) 722 3454 Function Junction Audience Used PHP in Zend Core/Platform New to Zend PHP Looking to

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security

More information

Varnish the Drupal way

Varnish the Drupal way Varnish the Drupal way About me Boyan Borisov Team Leader @ Propeople boyanb@propeople.dk @boyan_borisov Skype: boian.borisov hap://linkedin.com/in/ boyanborisov What is Varnish? Reverse proxy cache server...

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Apache Tomcat. Load-balancing and Clustering. Mark Thomas, 20 November 2014. 2014 Pivotal Software, Inc. All rights reserved.

Apache Tomcat. Load-balancing and Clustering. Mark Thomas, 20 November 2014. 2014 Pivotal Software, Inc. All rights reserved. 2 Apache Tomcat Load-balancing and Clustering Mark Thomas, 20 November 2014 Introduction Apache Tomcat committer since December 2003 markt@apache.org Tomcat 8 release manager Member of the Servlet, WebSocket

More information

Where s the FEEB? The Effectiveness of Instruction Set Randomization

Where s the FEEB? The Effectiveness of Instruction Set Randomization Where s the FEEB? The Effectiveness of Instruction Set Randomization Ana Nora Sovarel David Evans Nathanael Paul University of Virginia, Department of Computer Science http://www.cs.virginia.edu/feeb Abstract

More information

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com Attacking Host Intrusion Prevention Systems Eugene Tsyrklevich eugene@securityarchitects.com Agenda Introduction to HIPS Buffer Overflow Protection Operating System Protection Conclusions Demonstration

More information

Advanced Endpoint Protection Overview

Advanced Endpoint Protection Overview Advanced Endpoint Protection Overview Advanced Endpoint Protection is a solution that prevents Advanced Persistent Threats (APTs) and Zero-Day attacks and enables protection of your endpoints by blocking

More information

I decided to write a quick document about the techniques I used to exploit Internet Explorer 8 on windows 7 with ASLR and DEP enabled.

I decided to write a quick document about the techniques I used to exploit Internet Explorer 8 on windows 7 with ASLR and DEP enabled. Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit I decided to write a quick document about the techniques I used to exploit Internet Explorer 8 on windows 7 with ASLR and DEP enabled. The exploit consists

More information

Tomcat Tuning. Mark Thomas April 2009

Tomcat Tuning. Mark Thomas April 2009 Tomcat Tuning Mark Thomas April 2009 Who am I? Apache Tomcat committer Resolved 1,500+ Tomcat bugs Apache Tomcat PMC member Member of the Apache Software Foundation Member of the ASF security committee

More information

Unix Security Technologies: Host Security Tools. Peter Markowsky <peterm[at]ccs.neu.edu>

Unix Security Technologies: Host Security Tools. Peter Markowsky <peterm[at]ccs.neu.edu> Unix Security Technologies: Host Security Tools Peter Markowsky Syllabus An Answer to last week s assignment Four tools SSP W^X PaX Systrace Last time You were assigned to get a

More information

Exploit Test Tool Manual

Exploit Test Tool Manual Exploit Test Tool Manual HitmanPro.Alert Exploit Test Tool Manual 1.6 Page 1 Table of contents 1 Introduction to the Exploit Test Tool... 4 Individual exploit techniques... 4 Dynamic searching for ROP

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2013 CS 161 Computer Security Homework 1 Due: Friday, February 15, at 10PM Instructions. You must submit this homework electronically. To submit, put a single solution file hw1.pdf in a directory

More information

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats

More information

An introduction to the Return Oriented Programming. Why and How

An introduction to the Return Oriented Programming. Why and How An introduction to the Return Oriented Programming Why and How Course lecture at the Bordeaux university for the CSI Master Jonathan Salwan Keywords: ROP Intel / ARM, Tools, ROP chain generation, gadgets'

More information

SoK: Eternal War in Memory

SoK: Eternal War in Memory SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Stony Brook University University of California, Berkeley Peking University Abstract Memory corruption bugs in software written

More information

Introducing the Microsoft IIS deployment guide

Introducing the Microsoft IIS deployment guide Deployment Guide Deploying Microsoft Internet Information Services with the BIG-IP System Introducing the Microsoft IIS deployment guide F5 s BIG-IP system can increase the existing benefits of deploying

More information

Cisco IOS Router Exploitation

Cisco IOS Router Exploitation Recurity Labs GmbH http://www.recurity-labs.com July 26, 2009 Cisco IOS Router Exploitation A map of the problem space Abstract This paper describes the challenges with the exploitation of memory corruption

More information

F-Secure Internet Security 2014 Data Transfer Declaration

F-Secure Internet Security 2014 Data Transfer Declaration F-Secure Internet Security 2014 Data Transfer Declaration The product s impact on privacy and bandwidth usage F-Secure Corporation April 15 th 2014 Table of Contents Version history... 3 Abstract... 3

More information

HTML5 Web Security. Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona

HTML5 Web Security. Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona HTML5 Web Security Thomas Röthlisberger thomas.roethlisberger@csnc.ch IT Security Analyst Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch

More information

Security Products Development. Leon Juranic leon@defensecode.com

Security Products Development. Leon Juranic leon@defensecode.com Security Products Development Leon Juranic leon@defensecode.com Security Products Development Q: Why I picked this boring topic at all? A: Avoidance of any hackingrelated topics for fsec (khm.) :) Security

More information

The best reverse proxy around. Kristian Lyngstøl PRODUCTS CONSULTING APPLICATION MANAGEMENT IT OPERATIONS SUPPORT TRAINING

The best reverse proxy around. Kristian Lyngstøl PRODUCTS CONSULTING APPLICATION MANAGEMENT IT OPERATIONS SUPPORT TRAINING The best reverse proxy around Kristian Lyngstøl Who we are Redpill Linpro is a Scandinavian free software company offering development services, operations, support, training and more. Varnish Software

More information

Hotpatching and the Rise of Third-Party Patches

Hotpatching and the Rise of Third-Party Patches Hotpatching and the Rise of Third-Party Patches Alexander Sotirov asotirov@determina.com BlackHat USA 2006 Overview In the next one hour, we will cover: Third-party security patches _ recent developments

More information

MAGENTO HOSTING Progressive Server Performance Improvements

MAGENTO HOSTING Progressive Server Performance Improvements MAGENTO HOSTING Progressive Server Performance Improvements Simple Helix, LLC 4092 Memorial Parkway Ste 202 Huntsville, AL 35802 sales@simplehelix.com 1.866.963.0424 www.simplehelix.com 2 Table of Contents

More information

Pwning Intranets with HTML5

Pwning Intranets with HTML5 Javier Marcos de Prado Juan Galiana Lara Pwning Intranets with HTML5 2009 IBM Corporation Agenda How our attack works? How we discover what is in your network? What does your infrastructure tell us for

More information

Java Troubleshooting and Performance

Java Troubleshooting and Performance Java Troubleshooting and Performance Margus Pala Java Fundamentals 08.12.2014 Agenda Debugger Thread dumps Memory dumps Crash dumps Tools/profilers Rules of (performance) optimization 1. Don't optimize

More information

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy OVERVIEW The global communication and the continuous growth of services provided through the Internet or local infrastructure require to

More information

Defense in Depth: Protecting Against Zero-Day Attacks

Defense in Depth: Protecting Against Zero-Day Attacks Defense in Depth: Protecting Against Zero-Day Attacks Chris McNab FIRST 16, Budapest 2004 Agenda Exploits through the ages Discussion of stack and heap overflows Common attack behavior Defense in depth

More information

HEALERS: A Toolkit for Enhancing the Robustness and Security of Existing Applications

HEALERS: A Toolkit for Enhancing the Robustness and Security of Existing Applications HEALERS: A Toolkit for Enhancing the Robustness and Security of Existing Applications Christof Fetzer, Zhen Xiao AT&T Labs Research 180 Park Avenue Florham Park, N.J. 07932 christof, xiao @research.att.com

More information