Tuesday, April 19, 2011

Fuzzing and exploitation of vulnerability CVE-2010-3856

The vulnerability "The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads", discovered by Tavis Ormandy at the end of 2010, forced most users to patch their systems as soon as possible.

An unprivileged user can run arbitrary code with the highest privileges in the system by using LD_AUDIT mode, spoofing $ORIGIN via a hard link, and running a SUID program through a file descriptor.

The vulnerability description lists only a few potentially unsafe libraries: and . In fact, there can be many more of them in a system.
If your system does not include these libraries, it does not mean that your system is not vulnerable.

Wednesday, April 13, 2011

Positive Hack Days 2011

Positive Technologies is holding a unique event, the Positive Hack Days conference, which is devoted to practical security problems and serves as a place to exchange views, gain knowledge, and obtain contacts and practical skills.

The conference topics were chosen with a special emphasis on the practical side of pressing information security issues. The main themes of the conference are: web application security, protection of cloud computing and virtual infrastructure, countering 0-day attacks, incident investigation, protection from DDoS, fraud resistance, SCADA security, and protection of business applications and ERP.

The conference will include the following activities:

- A business program with talks from leading domestic and foreign experts.
- Round tables, both closed and open, which allow you to discuss complex and even delicate information security issues with colleagues.
- Master classes conducted by practitioners, which allow you to gain hands-on experience in solving complicated information security problems, such as vulnerability detection, analysis of break-in consequences, and analysis of the tools used to conduct attacks.
- Hacking contests, which allow anyone to try their hand at breaking into iPhones, cell phones, browsers, and protection mechanisms.
- The PHD CTF 2011 competition, an open information security team competition organized according to Capture the Flag rules; during this competition, teams will protect their own networks and attack the networks of the other contestants for 8 hours.

The conference program is addressed to a wide circle of information security specialists, and everyone will find something of interest in it.

- Directors, CISOs, and CIOs will be able to assess modern threats in practice, maintain their skills, and discuss information security problems with colleagues.
- Information security specialists will gain a lot of new and relevant information and will have an opportunity to improve their practical skills in solving a wide variety of information security issues.
- Vendors of security tools and systems will be able to assess the effectiveness of their solutions in practice by introducing them into the CTF competition tasks.
- Companies providing information security services can become sponsors and recruit professional employees.
- All participants will have a unique opportunity to find themselves on the other side of the barricade and to take part in practical master classes and information security contests.

We will be glad to see you at the Positive Hack Days conference!

Tuesday, April 5, 2011

Backdoor in Active Directory

Less than a year ago, there was a publication on with a similar title [1]. Its author proposed a way to hide domain administrator privileges using the "Program Data" system container as storage for a "hidden" account, with access restrictions applied to prevent access to the account. But, despite the author's claims, you can easily detect the "hidden" account and delete it with a couple of mouse clicks [2].

This means that the method does not work in practice. But is there a more suitable method (including one that does not require rootkits on domain controllers)?

Friday, April 1, 2011

Complete Guide to HackQuest 2010

This work describes a way to pass most stages of HackQuest 2010, which was held at the end of August as part of the Chaos Constructions 2010 festival and was made available online in a shorter form at the end of 2010 on the SecurityLab portal.

Dmitry Evteev (Positive Technologies);
Sergey Rublev (Positive Technologies);
Alexander Matrosov (ESET);
Vladimir d0znp Vorontsov (ONsec.RU);
Taras oxdef Ivashchenko (Yandex);


HackQuest 2010 is an open competition in the field of information security, the essence of which is to complete a number of varied information security tasks: web hacking, social engineering, reverse engineering, etc. The contestants are given full freedom in choosing the methods to cope with the tasks. To capture one key (flag), it is necessary to exploit several vulnerabilities that exist in a real production system. Thus, the contestants can feel like real hackers :)

The competition results showed that many tasks proved too intricate for most contestants. The materials given in this work represent a complete guide to solving most tasks of HackQuest 2010.