[New Paper] Reflective Dll Injection
31 October 2008

Just released a new paper about Reflective Dll Injection.

Abstract:

Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such, the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader.
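As an added illustration (example code written for this page, not the paper's PoC and not Metasploit's code): the part of a PE loader's work that is easiest to show in isolation is walking a module's export directory, the lookup a self-loading library has to perform on its own image and the same walk an analyst repeats over a memory dump to see what a mapped image exports. The Python below parses a constructed PE32 image (built inline, not a real DLL; the module name "demo.dll", the export names and their RVAs are made up), translates RVAs through the section table for an on-disk file or 1:1 for an already-mapped image, and separates forwarded exports, whose "address" points at a string inside the export directory rather than at code.

```python
"""Minimal PE export-table walker.  Added example; not the paper's PoC code.
The sample image built by build_sample_image() is constructed for this
example and is not a real DLL."""
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


class PEFormatError(ValueError):
    """Raised when the buffer is not a well-formed PE image."""


def read_cstring(image, offset):
    end = image.index(b"\0", offset)
    return image[offset:end].decode("ascii")


def parse_headers(image):
    """Return machine type, export data directory and section table of a PE image."""
    if image[:2] != DOS_MAGIC:
        raise PEFormatError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise PEFormatError("missing PE signature")
    file_hdr = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, file_hdr)
    opt_hdr = file_hdr + 20
    (opt_magic,) = struct.unpack_from("<H", image, opt_hdr)
    if opt_magic == PE32_MAGIC:
        data_dir = opt_hdr + 96       # DataDirectory offset inside IMAGE_OPTIONAL_HEADER32
    elif opt_magic == PE32PLUS_MAGIC:
        data_dir = opt_hdr + 112      # ... and inside IMAGE_OPTIONAL_HEADER64
    else:
        raise PEFormatError("unknown optional header magic 0x%x" % opt_magic)
    export_rva, export_size = struct.unpack_from("<II", image, data_dir)  # entry 0 = exports
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, opt_hdr + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "size": max(vsize, rawsize), "raw": rawptr})
    return {"machine": machine, "export_rva": export_rva,
            "export_size": export_size, "sections": sections}


def rva_to_offset(rva, sections, mapped=False):
    """Translate an RVA to a buffer offset.  In a mapped image (memory dump) RVA == offset;
    in an on-disk file the section table decides, and the header region maps 1:1."""
    if mapped:
        return rva
    for s in sections:
        if s["va"] <= rva < s["va"] + s["size"]:
            return rva - s["va"] + s["raw"]
    if sections and rva < sections[0]["va"]:
        return rva
    raise PEFormatError("RVA 0x%x is outside every section" % rva)


def parse_exports(image, mapped=False):
    """Map export names to function RVAs; forwarded exports are reported separately."""
    hdr = parse_headers(image)
    if hdr["export_rva"] == 0:
        return {"module": None, "exports": {}, "forwarders": {}}
    secs = hdr["sections"]
    ed = rva_to_offset(hdr["export_rva"], secs, mapped)
    # IMAGE_EXPORT_DIRECTORY fields from offset 12: Name, Base, NumberOfFunctions,
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    name_rva, _base, nfuncs, nnames, funcs, names, ords = struct.unpack_from("<7I", image, ed + 12)
    funcs, names, ords = [rva_to_offset(r, secs, mapped) for r in (funcs, names, ords)]
    exports, forwarders = {}, {}
    lo, hi = hdr["export_rva"], hdr["export_rva"] + hdr["export_size"]
    for i in range(nnames):
        (name_ptr,) = struct.unpack_from("<I", image, names + 4 * i)
        (ordinal,) = struct.unpack_from("<H", image, ords + 2 * i)
        if ordinal >= nfuncs:
            raise PEFormatError("name ordinal %d out of range" % ordinal)
        (func_rva,) = struct.unpack_from("<I", image, funcs + 4 * ordinal)
        name = read_cstring(image, rva_to_offset(name_ptr, secs, mapped))
        if lo <= func_rva < hi:   # an RVA inside the export directory is a forwarder string
            forwarders[name] = read_cstring(image, rva_to_offset(func_rva, secs, mapped))
        else:
            exports[name] = func_rva
    return {"module": read_cstring(image, rva_to_offset(name_rva, secs, mapped)),
            "exports": exports, "forwarders": forwarders}


def build_sample_image():
    """Constructed PE32 image with one section whose RVA equals its file offset."""
    img = bytearray(0x280)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, 0xE0-byte optional header, DLL flags
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    struct.pack_into("<H", img, 0x58, 0x10B)                 # PE32 optional header magic
    struct.pack_into("<II", img, 0x58 + 96, 0x200, 0x4D)     # DataDirectory[0] = exports
    struct.pack_into("<8sIIII", img, 0x138, b".edata", 0x80, 0x200, 0x80, 0x200)
    # IMAGE_EXPORT_DIRECTORY at 0x200 (made-up module name, names and RVAs)
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0x23C, 1, 2, 2, 0x228, 0x230, 0x238)
    struct.pack_into("<II", img, 0x228, 0x1000, 0x1040)      # AddressOfFunctions
    struct.pack_into("<II", img, 0x230, 0x245, 0x249)        # AddressOfNames
    struct.pack_into("<HH", img, 0x238, 0, 1)                # AddressOfNameOrdinals
    img[0x23C:0x245] = b"demo.dll\0"
    img[0x245:0x249] = b"Add\0"
    img[0x249:0x24D] = b"Mul\0"
    return bytes(img)


if __name__ == "__main__":
    print(parse_exports(build_sample_image()))
```

The bounds and ordinal checks matter more than they look: the export directory of an image you did not build is attacker-controlled input, and a walker that trusts NumberOfNames or the name ordinals will read out of bounds on a crafted image.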

You can download the paper here:
http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

And the PoC code here:
http://www.harmonysecurity.com/files/ReflectiveDllInjection_v1.0.zip

Support for Reflective DLL Injection has also been added to Metasploit in the form of a payload stage and a modified VNC DLL.
http://www.metasploit.com/



Microsoft Host Integration Server 2006 Command Execution Vulnerability
14 October 2008

iDefense have published an advisory for a critical remote command execution vulnerability (CVE-2008-3466, MS08-059) in Microsoft's Host Integration Server, discovered by Stephen Fewer of Harmony Security. The specific versions affected are as follows:

  • Microsoft Host Integration Server 2006 Enterprise Edition (both x86 & x64 based systems)
  • Microsoft Host Integration Server 2006 (both x86 & x64 based systems)
  • Microsoft Host Integration Server 2004 Service Pack 1, when used with:
    • Microsoft Host Integration Server 2004 Enterprise Edition
    • Microsoft Host Integration Server 2004 Standard Edition
  • Microsoft Host Integration Server 2000 SP2, when used with:
    • Microsoft Host Integration Server 2000 Standard Edition

You can read the full iDefense advisory here:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=745

And the Microsoft advisory here:
http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx

Update: SecurityFocus has a news item mentioning this vulnerability, which you can read here:
http://www.securityfocus.com/brief/838

It contains a nice quote from Sheldon Malm of nCircle about the vulnerability and software in question. As quoted from the article:

"Host Integration Server is the de facto gateway linking Windows hosts to business critical mainframes and AS/400 systems, which in turn host databases and Customer Information Control System (CICS) applications that are believed to run in 90 percent of Fortune 500 corporations."

...let's hope they all patch!



[New Tool] OllySocketTrace
21 August 2008

OllySocketTrace is a plugin for OllyDbg to trace the socket operations being performed by a process. It will record all buffers being sent and received. All parameters as well as return values are recorded and the trace is highlighted with a unique color for each socket being traced.

The socket operations currently supported are: WSASocket, WSAAccept, WSAConnect, WSARecv, WSARecvFrom, WSASend, WSASendTo, WSAAsyncSelect, WSAEventSelect, WSACloseEvent, listen, ioctlsocket, connect, bind, accept, socket, closesocket, shutdown, recv, recvfrom, send and sendto.

[Screenshot 1: OllySocketTrace]

[Screenshot 2: OllySocketTrace]

You can download OllySocketTrace from here:

http://www.harmonysecurity.com/OllySocketTrace.html



New Services
20 August 2008

We are soon to be offering several new services, including:

Malware Analysis
This service offers detailed malware reports and customised solutions for malware outbreaks.

Vulnerability Discovery
This service offers discovery of critical vulnerabilities in your software products.

Exploit Development
This service offers the development of reliable proof of concept exploits for software vulnerabilities.

Please contact us for further information.



VMware Tools HGFS Local Privilege Escalation Vulnerability
05 June 2008

iDefense have published an advisory for a local privilege escalation vulnerability (CVE-2007-5671) in the VMware Tools HGFS driver, discovered by Stephen Fewer of Harmony Security.

You can read the full iDefense advisory here:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=712

And the VMware advisory here:
http://www.vmware.com/security/advisories/VMSA-2008-0009.html



EMC AlphaStor Multiple Vulnerabilities
28 May 2008

iDefense have published advisories for multiple vulnerabilities in EMC AlphaStor, discovered by Stephen Fewer of Harmony Security. You can read the full iDefense advisories here:

EMC AlphaStor Server Agent Multiple Stack Buffer Overflow Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702

EMC AlphaStor Library Manager Arbitrary Command Execution Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703



EMC DiskXtender Multiple Vulnerabilities
11 April 2008

iDefense have published advisories for multiple vulnerabilities in EMC DiskXtender, discovered by Stephen Fewer of Harmony Security. You can read the full iDefense advisories here:

EMC DiskXtender Authentication Bypass Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=683

EMC DiskXtender File System Manager Buffer Overflow Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=684

EMC DiskXtender MediaStor Format String Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=685
