Privilege Escalation in IBM Notes Diagnostics #3-5

This is the fourth blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published, when the vendor has provided fixes, or our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy.

In these blog posts I tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code is listed at the bottom

Privilege Escalation in IBM Notes Smart Update Service

This is the third blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published, when the vendor has provided fixes, or our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy

In these blog posts I tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code is listed at the bottom.

Privilege Escalation in IBM Notes Diagnostics #2

This is the second blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published, when the vendor has provided fixes, or our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy

In this blog post I will tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code is listed at the bottom.

Privilege Escalation in IBM Notes Diagnostics #1

This is the first blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published, when the vendor has provided fixes, or our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy

In these blog posts I will be a bit verbose and give insights into the process. Concrete exploitation steps and code is listed at the bottom.

Sikkerhedsekspert maner til besindelse efter kæmpe-sikkerhedshul i computere, smartphones og tablets: “Ingen grund til panik”

Sårbarhederne Meltdown og Spectre rammer stort set alle computere og smartphones fra de seneste 20 år. Men ifølge en dansk sikkerhedsekspert har almindelige virksomheder og borgere ikke den store grund til bekymring.

Meltdown og Spectre. 

Det lyder som titlerne på henholdsvis en energisk popsang og en James Bond-film, men navnene dækker over to sårbarheder i processorer fra Intel, ARM og AMD, der berører langt de fleste enheder, der er produceret over de seneste 20 år.

Meltdown og Spectre har skabt overskrifter over hele verden, og verdens største it-virksomheder arbejder på højtryk for at sikre deres produkter.

Bombardement med store datamængder kan finde sårbarheder i kode

Fuzzing-teknikken kan bruges til at finde sikkerhedsmæssige sårbarheder i kode.

Denne artikel er skrevet til et særtema om softwareudvikling i avisen Ingeniøren.

Der er mange måder at teste software på. En automatiseret metode, som blandt andet er populær blandt folk, der søger efter it-sikkerhedshuller i software, kaldes fuzzing.

Teknikken går ud på at teste et hav af input-parametre på et stykke software. Input er i denne sammenhæng et vidt begreb. Det kan være alt fra en pdf-fil til forskellige input sendt til en tjeneste via et netværk - eksempelvis en webserver på internettet.

Tag sikkerheden alvorligt - også når ingen kigger - White Hat vs. Black Hat

Hver dag står it-kriminelle og andre ondsindede aktører verden over bag mere eller mindre alvorlige sikkerhedshændelser. Heldigvis arbejder mange gode sikkerhedsfolk på at identificere og udbedre sårbarheder i software – selvom det med stor sandsynlighed ville være en bedre forretning at sælge deres research til højestbydende. Man skal tage sikkerheden alvorligt, også når ingen kigger.

Improsec: Hacking, Cracking og Sikkerhed

Interview med: Claus Vesthammer, COO og Security Advisor hos Improsec ApS

Improsec er specialister i pragmatisk IT-sikkerhed og er netop flyttet ind i på Univate (en del af Symbion) for blandt andet at være tæt på de mange interessante tech-virksomheder, der til dagligt holder til i iværksættermiljøet. Improsec foretager vurderinger af virksomheders forsvarsmekanismer og rådgiver om prioritering og implementering af organisatoriske såvel som tekniske tiltag.

Læs mere her.

Data Only Attacks Are Still Alive

The past week I have been fortunate enough to present at both Black Hat USA and DEF CON. My topic was on leveraging Write-What-Where vulnerabilities for Windows 10 Creators Update. You can find the slides here. In my DEFCON talk I mentioned additional KASLR bypasses, one of those use the field Win32ThreadInfo from the TEB to leak a pointer to ntoskrnl.exe. This pointer can be used to achieve arbitrary kernel mode code execution as explained in my presentation.

A couple of months ago I did a blogpost on data only attacks in kernel exploitation, which you can find here. I used the tagWND object to locate the EPROCESS of the current thread, while that technique is still perfectly valid, I wanted to present another way of doing it which does not involve creating a tagWND object.

The enterprise-ready workaround I would have expected from IBM

When IBM promised to release a workaround for the vulnerability we found in their product, I truly expected such a widely respected company to release an enterprise-ready workaround, and not just a manual approach to setting registry permissions in the GUI.