Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: PoC

scr.im revisited

About a year back (Oct 2009) I wrote a quick technical review of the scr.im email protection service. I’ll save you the pain of rehashing it all here, and the pain of rewriting it all. If you’ve not read it, head over here to take a quick look!

There were a number of flaws in the way scr.im used captchas, as well as in the way it handled requests (allowing multiple requests with the same token, etc.). At the time I wrote the following:

I don’t think it would take much for a good scripter (that rules me out most likely) to script up something that could quite simply go through and harvest addresses from the site

Well I’m still not a good scripter… but I’m learning. So in the theme of #HackToLearn, I spent a few hours playing with Python and BeautifulSoup last night. At the end of it, I had a workable Proof of Concept script that does just what it says on the tin… enter the scr.im ID you want extracted, and it’ll return you the email address sitting behind the captcha. I called this PoC scr.im-jim (a play on the slim-jim tool used to break into cars), because it sounded cool, and because I was really tired at the time!

You can find out more about the tool, watch the video demo and download the source from the scripts/tools section of the site.

Links:

0-Day in Microsoft Windows Help Centre

Tavis Ormandy (@Taviso) has just released the technical information about a bug he discovered in the Microsoft Windows Help Centre. Tavis has released a good technical breakdown of the vulnerability along with some hints for mitigation on his website –> (UPDATE: this link now forwards to the advisory on Full Disclosure).

Having looked at the PoC it’s amazing in its simplicity. I’m sure there’s an art to making such complex things look so effortless 😉

PoC removed… please check the advisory for the full PoC.

Currently there’s no patch available from Microsoft to fix this issue (although the Microsoft Security Team have been informed). Tavis gives a few points of mitigation within the advisory that might be useful to reduce exposure. Please see the advisory for full technical information.

I’m sure this one will end up in Metasploit within a very (very) short time as the PoC seems to be simple enough to change into a workable module. So best mitigate this while you can!

Links:

  • Microsoft Windows Help Centre Handles Malformed Escape Sequences Incorrectly –> Advisory (Full Disclosure)
  • Link directly to PoC –> Use Caution!
  • Tavis Ormandy –> Twitter, Homepage

26C3: Cryptographically Secure? (lightning talk)

Cryptographically Secure?
Cracking FIPS-Certified USB Flash Drives
Lightning talk – PoC – Matthias Deeg

The demo is performed using a SanDisk Cruzer Enterprise (FIPS Edition); however, it is possible on other devices.

  • Small mistakes often have a big impact, especially when it comes to complex devices.

USB FDU – (USB Flash Drive Unlocker)

The demo PoC tool was able to unlock the device (make it so that any arbitrary password works) within a few seconds. A number of vendors have already patched this issue and provided updates for their devices (see Links below).

Currently the PoC isn’t publicly available.

Links: