Reversemode
BYTES & WORDS
Silent bug is silent.
Written by Rubén   
Wednesday, 10 August 2011

Hi there,
Over the last few months, and completed in this Patch Tuesday, Microsoft has 'abruptly' changed a policy that had been in place for years: http://blogs.msdn.com/b/ieinternals/archive/2011/03/09/internet-explorer-9-xbap-disabled-in-the-internet-zone.aspx

I guess that XBAP apps were posing too high a risk level to remain acceptable. At the same time, they have silently fixed a blatant method to bypass IE Protected Mode that I discovered a long time ago...let me explain it briefly.

There are 3 main integrity levels: low, medium, high. IE8/9 launches two different processes:

-> Broker/Monitor (medium integrity) (parent)
-> Browser (low integrity) (child)

The low integrity instance is where those funny shellcodes are executed, so we should understand this flaw as the second stage within a client-side exploitation scenario. Therefore, remote code execution is mandatory before taking advantage of this flaw.

A common scenario would be the following:

1. Ban Ki-Moon visits a malicious U.N. website where an RCE vulnerability is triggered within the context of the low integrity IE.
2. Local exploit is executed to bypass IE Protected mode.
3. VLC playing Nyan Cat video is launched as a medium integrity process.
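Step 3 is what a Protected Mode escape looks like from the outside: a process whose parent is the low integrity tab, yet which runs at medium integrity. The following detection is an added example, not code from the original post; it walks a constructed process snapshot (the `Proc` records, the mandatory-label SIDs and `find_protected_mode_escapes` are assumptions of this example) and flags exactly that parent/child integrity mismatch, while leaving medium-integrity helpers launched by the medium-integrity broker alone.

```python
# Added example (not from the original post): flag processes spawned by a
# low-integrity IE tab process that nevertheless run at a higher integrity level.
# The process snapshot below is constructed; on a real host it would come from
# enumerating processes and reading each token's mandatory label.
from dataclasses import dataclass

# Well-known mandatory-label SIDs are S-1-16-<RID>; these RIDs are Windows constants.
IL_BY_RID = {0: "untrusted", 4096: "low", 8192: "medium", 12288: "high", 16384: "system"}
IL_RANK = {name: i for i, name in enumerate(["untrusted", "low", "medium", "high", "system"])}

def integrity_from_sid(sid: str) -> str:
    """Map a mandatory-label SID such as 'S-1-16-4096' to its level name."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory label SID: {sid}")
    rid = int(parts[3])
    # Integrity is compared numerically, so a custom RID is treated like the
    # nearest well-known level below it.
    return IL_BY_RID.get(rid) or IL_BY_RID[max(r for r in IL_BY_RID if r <= rid)]

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    label_sid: str

def find_protected_mode_escapes(procs, browser_image="iexplore.exe"):
    """Return (child, parent) pairs where a low-IL IE process has a higher-IL child."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() != browser_image:
            continue
        if integrity_from_sid(parent.label_sid) != "low":
            continue  # the medium-IL broker is expected to launch medium-IL helpers
        if IL_RANK[integrity_from_sid(p.label_sid)] > IL_RANK["low"]:
            hits.append((p, parent))
    return hits

# Constructed snapshot mirroring the post: broker (medium, parent) -> tab (low, child).
SNAPSHOT = [
    Proc(400, 1, "explorer.exe", "S-1-16-8192"),
    Proc(1200, 400, "iexplore.exe", "S-1-16-8192"),   # broker/monitor, medium
    Proc(1300, 1200, "iexplore.exe", "S-1-16-4096"),  # tab process, low
    Proc(1400, 1300, "vlc.exe", "S-1-16-8192"),       # medium child of the LOW tab: escape
    Proc(1500, 1200, "notepad.exe", "S-1-16-8192"),   # medium child of the broker: expected
]

if __name__ == "__main__":
    for child, parent in find_protected_mode_escapes(SNAPSHOT):
        print(f"escape? pid {child.pid} {child.image} runs above its low-IL parent pid {parent.pid}")
```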

Last Updated ( Monday, 15 August 2011 )
Analyzing CVE-2010-4284 - Samsung Data Management Server SQLi
Written by Rubén   
Monday, 09 May 2011
Hi

Several months ago the Spanish security researcher (that's the man!! ;) ) José Antonio Guasch discovered a SQLi in the login panel of a Samsung HVAC device. Thus, an attacker successfully exploiting this flaw can bypass authentication and access the web server as an administrative user.

Samsung, ICS-CERT and José Antonio coordinated this issue, and the advisory and the patch have finally been released.

The first curious thing I came across while reading http://www.dvmcare.com/SRM/dms/HowToUpgradeDMSSW.pdf was the fact that in the whole document there was not a single line or picture explaining how to authenticate before updating the firmware. The reason is simple: you don't need to be authenticated at all. Let's analyze the updater http://www.dvmcare.com/SRM/dms/DMSUpdaterPlus.zip

Using ILSpy

Last Updated ( Wednesday, 10 August 2011 )
Reverse engineering a SCADA hoax
Written by Rubén   
Monday, 18 April 2011

Well, before the snowball gets bigger (too late, I guess) I'll try to explain why I think the FPL hack is a hoax.

Context: FD ...

Let's analyze the email:

Here comes my revenge for illegitimate firing from Florida Power & Light Company (FPL)
   ... ain't nothing you can do with it, since your electricity is turned off !!! 
D'Oh, not very original, disgruntled former engineer...if real, too many clues...

Secure you SCADA better! Leaked files are attached ...
1)http://img838.imageshack.us/i/49986845.png/

Taking into account that he claims to have hacked a 200 MW / 136-turbine wind farm, those 3945 KW / 135 KWh readings make no sense for a large wind energy facility. Another weird thing is the "energie" button (German for energy). Wind speed metered in m/s without mentioning mph is still plausible, so that one is fine by me.

2) http://img838.imageshack.us/i/24380855.png/
3) http://img24.imageshack.us/i/58868342.png/

Whether you have WinCC or GIMP/Paint/Photoshop, you'll be able to create this creepy synoptic. If you manage to convince me that a 200 MW facility is controlled by this synoptic, I'll kiss your shiny metal ass.
Even the lines are malformed: the input voltage line for the SINAMICS S120 is used as the feeder for 'whatever' those fans are representing. Absurd.

Also note the custom messages in German...Everybody knows that at FPL German is the corporate language ¬¬

4) http://img228.imageshack.us/i/85258364.png/

ftp://goxftp01.fpl.com/pub/oasis/ ...no comment

5) http://img163.imageshack.us/i/90736853.png/
6) http://img217.imageshack.us/i/55439027.png/
7) http://img40.imageshack.us/i/87526089.png/
8) http://img864.imageshack.us/i/94061747.png/

Lifted from the following public document ftp://goxftp01.fpl.com/pub/oasis/switchyardreliability/switchyardreliability.pdf ...no comment


161.154.232.65 

HTTP/1.0 401 Unauthorized
Date: Sat, 05 Feb 2011 23:43:13 GMT
Server: VTS 9.0.05
Content-Type: text/html
Content-Length: 622
Cache-Control: no-cache
WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
Cache-control: no-cache="set-cookie"
Cache-control: private
Set-Cookie: VTS=9.0005;Version=1;Path=/
Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
Set-Cookie: SessionID=0;Version=1;Path=/Ft%2e%20Sumner%20SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c..

IP does not match the headers.

The headers correspond to a computer running water-treatment HMI software developed by Trihedral; "Server: VTS" is the key. Some time ago I reported to ICS-CERT that dozens of facilities running this software could be accessed using the default password. The people behind this hoax probably used this info to reinforce it, since the "WWW-Authenticate: Basic realm="Ft. Sumner SCADA"" header links it to Fort Sumner, where this wind farm is located.

Moreover, according to public docs the wind farm operates 136 GE turbines of 1.5 MW each, likely controlled by GE's own hardware/software...WindControl, WindSCADA...

The Cisco IOS config is nothing special...

Conclusion: FAKE.

Last Updated ( Monday, 18 April 2011 )