In anticipation of Dan Rosenberg’s talk on exploiting the Linux kernel’s SLOB memory allocator at the Infiltrate security conference and because I recently had a discussion with some friends about the different kernel memory allocators in Linux, I decided to write this quick introduction. I will present some of the allocators’ characteristics and also provide references to public work on exploitation techniques.
read more...
| census ID: | census-2011-0001 |
|---|---|
| CVE ID: | CVE-2011-3340 |
| Affected Products: | Netvolution v2.5.8 (ASP). Other versions may also be vulnerable. |
| Class: | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89) |
| Remote: | Yes |
| Discovered by: | Patroklos Argyroudis |
| Researched and Exploited by: | Dimitris Glynos |
Netvolution v2.5.8 is vulnerable to a blind SQL injection attack via the HTTP “Referer” header. A malicious user may use this vulnerability to modify content on the vulnerable website, inject malicious JavaScript code into a visitor’s browser, collect CMS usernames and plaintext passwords and, in some cases, execute commands on the system hosting the database server. This is a critical vulnerability since it does not require authentication and its exploitation may go undetected.
read more...
My presentation slides from this year’s FOSSCOMM security sessions are now (also) available here.
The talk, entitled “Performing Digital Forensics with Open Source tools”, described the phases of the digital forensics investigation process and showed how these could be carried out with the aid of open source tools. The Q&A with students, administrators and security engineers in the audience led to a very interesting discussion on best practices for incident response.
All in all the presentation was a great success and I would like to thank both the organizers and the audience for making this such a wonderful event!
Presentation Material
- Presentation Slides (pdf)
census has participated once again at AthCon, the leading technical IT security conference in Greece. Our work, entitled “Introducing the Parasite”, presented a small device that is capable of creating a physical backdoor in an otherwise protected network.
read more...
Black Hat Europe 2011 is now over and we are very happy to have participated once again in the best European IT security conference!
Continuing from last year’s presentation, our talk this year focused on operating system kernel protections. Specifically, our researchers Patroklos Argyroudis and Dimitris Glynos collected their experiences from kernel exploit development and presented the ways in which modern operating systems protect their kernels from memory corruption attacks.
read more...
AthCon 2010 is now over and I must say that I’m really looking forward to next year’s event! Kudos to Christian, Kyprianos, Fotis, Chariton, Bernardo, Sandro, Iftach, Corrado, Rodrigo, Alberto and everyone else for making this such a great event!
The main theme of my presentation was “Context-keyed payload encoding”, a shellcode encoding technique that allows attackers to evade detection from NIDS that employ dynamic payload analysis.
read more...
| census ID: | census-2010-0001 |
|---|---|
| CVE ID: | CVE-2010-2020 |
| Affected Products: | FreeBSD 8.0-RELEASE, 7.3-RELEASE, 7.2-RELEASE |
| Class: | Improper Input Validation (CWE-20) |
| Remote: | No |
| Discovered by: | Patroklos Argyroudis |
We have discovered two improper input validation vulnerabilities in the FreeBSD kernel’s NFS client-side implementation (FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to escalate their privileges, or to crash the system in a denial of service attack.
read more...
In my recent Black Hat Europe 2010 talk I gave an overview of the kernel exploitation prevention mechanisms that exist on FreeBSD. A few people at the conference have subsequently asked me to elaborate on the subject. In this post I will collect all the information from my talk and the various discussions I had in the Black Hat conference hallways.
read more...
Black Hat Europe 2010 is now over and, after a brief delay caused by the ash cloud, I am back in Greece. It has been a great conference, flawlessly organised and with many outstanding presentations. I would like to thank everyone who attended my presentation, but also all the kind people who spoke to me before and afterwards. I hope to meet all of you again at a future event.
read more...
This article is a follow-up to last year’s advisory on canary randomisation for applications of the Debian distribution.
I was recently asked what the currently employed method is for canary randomisation in SSP-armoured Linux applications. I’ve been meaning to write an article on this for some time now, but didn’t have the necessary time. So here it is (albeit a little late).
read more...