<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-932717656972193247</atom:id><lastBuildDate>Thu, 04 Mar 2010 11:36:53 +0000</lastBuildDate><title>Harmony Security : Blog</title><description></description><link>http://www.harmonysecurity.com/blog/</link><managingEditor>noreply@blogger.com (Stephen Fewer)</managingEditor><generator>Blogger</generator><openSearch:totalResults>31</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-6805861379230099163</guid><pubDate>Wed, 24 Feb 2010 12:13:00 +0000</pubDate><atom:updated>2010-02-24T12:24:02.154Z</atom:updated><title>EMC HomeBase Arbitrary File Upload Remote Code Execution Vulnerability</title><atom:summary type='text'>TippingPoint's Zero Day Initiative (ZDI) has published an advisory for a remote pre authentication arbitrary file upload vulnerability in EMC HomeBase which leads to arbitrary code execution. 
This vulnerability was discovered by Stephen Fewer of Harmony Security.You can read the full ZDI advisory here:http://www.zerodayinitiative.com/advisories/ZDI-10-020/</atom:summary><link>http://www.harmonysecurity.com/blog/2010/02/emc-homebase-arbitrary-file-upload.html</link><author>noreply@blogger.com (Harmony Security)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-8842790243902450455</guid><pubDate>Wed, 09 Dec 2009 11:54:00 +0000</pubDate><atom:updated>2009-12-09T12:15:06.546Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>HP Application Recovery Manager Stack Buffer Overflow Vulnerability</title><atom:summary type='text'>TippingPoint's Zero Day Initiative (ZDI) has published an advisory for a remote pre authentication stack buffer overflow vulnerability in the Hewlett-Packard Application Recovery Manager which leads to arbitrary code execution. 
This vulnerability was discovered by Stephen Fewer of Harmony Security. You can read the full ZDI advisory here: http://www.zerodayinitiative.com/advisories/ZDI-09-091/ And </atom:summary><link>http://www.harmonysecurity.com/blog/2009/12/hp-application-recovery-manager-stack.html</link><author>noreply@blogger.com (Harmony Security)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-2830428847105305315</guid><pubDate>Mon, 23 Nov 2009 15:36:00 +0000</pubDate><atom:updated>2009-11-23T15:48:34.753Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>HP Operations Manager Backdoor Account Code Execution Vulnerability</title><atom:summary type='text'>TippingPoint's Zero Day Initiative (ZDI) has published an advisory for a remote SYSTEM code execution vulnerability in the Hewlett-Packard Operations Manager Server for Windows, due principally to the presence of a hidden user account in the server's Apache Tomcat installation. Code execution is achieved via an arbitrary file upload using the credentials of the hidden user account. 
This </atom:summary><link>http://www.harmonysecurity.com/blog/2009/11/hp-operations-manager-backdoor-account.html</link><author>noreply@blogger.com (Harmony Security)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-5017348480182842566</guid><pubDate>Thu, 05 Nov 2009 17:08:00 +0000</pubDate><atom:updated>2009-11-05T20:39:32.137Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Exploitation</category><category domain='http://www.blogger.com/atom/ns#'>Shellcode</category><title>Implementing a Win32 Kernel Shellcode</title><atom:summary type='text'>IntroductionThis blog post will discuss the implementation of a win32 kernel mode shellcode which will deliver an independent user mode payload. Most of the techniques used in this shellcode are discussed in the excellent 2005 paper 'Kernel-mode Payloads on Windows' by bugcheck and skape. The shellcode works against all current Windows kernels and we will see how several assumptions regarding </atom:summary><link>http://www.harmonysecurity.com/blog/2009/11/implementing-win32-kernel-shellcode.html</link><author>noreply@blogger.com (Stephen Fewer)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-5077712021934838745</guid><pubDate>Thu, 29 Oct 2009 11:18:00 +0000</pubDate><atom:updated>2009-10-29T11:27:49.555Z</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>EMC &amp; OpenText Hummingbird STR Service Stack Overflow Vulnerability</title><atom:summary type='text'>TippingPoint's Zero Day Initiative (ZDI) has published an advisory for a remote pre authentication stack buffer overflow vulnerability that leads to SYSTEM code execution in the Hummingbird STR Service. 
The vulnerable service is deployed by multiple vendor products, specifically EMC Documentum eRoom, OpenText Hummingbird and OpenText Search Server. This vulnerability was discovered by Stephen </atom:summary><link>http://www.harmonysecurity.com/blog/2009/10/emc-opentext-hummingbird-str-service.html</link><author>noreply@blogger.com (Harmony Security)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-7105922136505693774</guid><pubDate>Wed, 23 Sep 2009 20:22:00 +0000</pubDate><atom:updated>2009-09-23T21:31:18.960+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>Adobe RoboHelp Server Arbitrary File Upload and Execute Vulnerability</title><atom:summary type='text'>TippingPoint's Zero Day Initiative (ZDI) has published an advisory for an arbitrary file upload vulnerability that leads to SYSTEM code execution in the Adobe RoboHelp Server which was discovered by Stephen Fewer of Harmony Security.You can read the full ZDI advisory here:http://www.zerodayinitiative.com/advisories/ZDI-09-066/And the Adobe advisory here:http://www.adobe.com/support/security/</atom:summary><link>http://www.harmonysecurity.com/blog/2009/09/adobe-robohelp-server-arbitrary-file.html</link><author>noreply@blogger.com (Harmony Security)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-6022455457549381591</guid><pubDate>Wed, 05 Aug 2009 18:59:00 +0000</pubDate><atom:updated>2009-08-07T16:48:44.593+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Reverse Engineering</category><category domain='http://www.blogger.com/atom/ns#'>Exploitation</category><category domain='http://www.blogger.com/atom/ns#'>Shellcode</category><title>Calling API Functions</title><atom:summary 
type='text'>Introduction: An alternative approach for position independent code, such as shellcode, to call Windows API functions is shown below. There are already many existing methods available, typically relying on parsing either the Import Address Table (IAT) or Export Address Table (EAT) of a specific module in order to locate the address of a required function. Some methods use a variation of the above</atom:summary><link>http://www.harmonysecurity.com/blog/2009/08/calling-api-functions.html</link><author>noreply@blogger.com (Stephen Fewer)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-7767058783329220100</guid><pubDate>Wed, 22 Jul 2009 22:06:00 +0000</pubDate><atom:updated>2009-07-23T00:10:43.100+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>Akamai Download Manager Stack Buffer Overflow Vulnerability</title><atom:summary type='text'>iDefense have published an advisory for a stack buffer overflow vulnerability in the Akamai Download Manager which was discovered by Stephen Fewer of Harmony Security. 
The vulnerability affects the ActiveX version of the download manager (Versions &lt;= 2.2.3.7) and results in arbitrary code execution through the victim's browser after the victim visits a malicious web page. You can read the full </atom:summary><link>http://www.harmonysecurity.com/blog/2009/07/akamai-download-manager-stack-buffer.html</link><author>noreply@blogger.com (Harmony Security)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-8232219741337447399</guid><pubDate>Wed, 22 Jul 2009 09:50:00 +0000</pubDate><atom:updated>2009-07-22T11:01:33.546+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>Novell Privileged User Manager Remote DLL Injection Vulnerability</title><atom:summary type='text'>TippingPoint's Zero Day Initiative (ZDI) has published an advisory for a critical remote pre-authentication arbitrary DLL injection vulnerability in the Novell Privileged User Manager which was discovered by Stephen Fewer of Harmony Security. You can read the full ZDI advisory here: http://www.zerodayinitiative.com/advisories/ZDI-09-046/ And the Novell advisory here: http://www.novell.com/support/</atom:summary><link>http://www.harmonysecurity.com/blog/2009/07/novell-privileged-user-manager-remote.html</link><author>noreply@blogger.com (Harmony Security)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-903232467843483237</guid><pubDate>Fri, 19 Jun 2009 16:28:00 +0000</pubDate><atom:updated>2009-06-22T23:58:04.206+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Reverse Engineering</category><category domain='http://www.blogger.com/atom/ns#'>Exploitation</category><title>Retrieving Kernel32's Base Address</title><atom:summary type='text'>For shellcode, a common method to 
resolve the addresses of library functions needed is to get the base address of the kernel32.dll image in memory and retrieve the addresses of GetProcAddress and LoadLibraryA by parsing the kernel32 image's Export Address Table (EAT). These two functions can then be used to resolve the remaining functions needed by the shellcode. To retrieve the kernel32.dll base</atom:summary><link>http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html</link><author>noreply@blogger.com (Stephen Fewer)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>7</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-797043065094416489</guid><pubDate>Tue, 28 Apr 2009 22:24:00 +0000</pubDate><atom:updated>2009-05-01T16:53:46.398+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>TIBCO SmartSockets Stack Buffer Overflow Vulnerability</title><atom:summary type='text'>iDefense have published an advisory for a critical remote pre-authentication code execution vulnerability (CVE-2009-1291) in the TIBCO SmartSockets framework which was discovered by Stephen Fewer of Harmony Security. 
The affected components are as follows: TIBCO SmartSockets®; TIBCO SmartSockets® Product Family Modules (formerly RTworks); TIBCO Enterprise Message Service™. You can read the full iDefense</atom:summary><link>http://www.harmonysecurity.com/blog/2009/04/tibco-smartsockets-stack-buffer.html</link><author>noreply@blogger.com (Harmony Security)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-2556446548459841094</guid><pubDate>Sat, 07 Mar 2009 16:57:00 +0000</pubDate><atom:updated>2009-05-01T17:11:42.303+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Reverse Engineering</category><category domain='http://www.blogger.com/atom/ns#'>Exploitation</category><title>Windows 2000 UEF Overwrite Oddity</title><atom:summary type='text'>After firing up an old Windows 2000 SP4 VM during the week to code up a heap overflow PoC, I came across a small oddity when attempting to gain code execution by overwriting kernel32's top level Unhandled Exception Filter (Halvar Flake - Third Generation Exploitation) after I had run Windows Update. Previously, overwriting kernel32's top level UEF would give you control after an unhandled </atom:summary><link>http://www.harmonysecurity.com/blog/2009/03/windows-2000-uef-overwrite-oddity.html</link><author>noreply@blogger.com (Stephen Fewer)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-5047380747273002946</guid><pubDate>Fri, 31 Oct 2008 11:58:00 +0000</pubDate><atom:updated>2009-05-01T17:12:07.974+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Tools</category><category domain='http://www.blogger.com/atom/ns#'>News</category><category domain='http://www.blogger.com/atom/ns#'>Papers</category><category 
domain='http://www.blogger.com/atom/ns#'>Exploitation</category><title>[New Paper] Reflective Dll Injection</title><atom:summary type='text'>Just released a new paper about Reflective Dll Injection.Abstract:Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader.You can download the paper </atom:summary><link>http://www.harmonysecurity.com/blog/2008/10/new-paper-reflective-dll-injection.html</link><author>noreply@blogger.com (Stephen Fewer)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-3839392205108270004</guid><pubDate>Tue, 14 Oct 2008 21:09:00 +0000</pubDate><atom:updated>2009-05-01T17:12:31.947+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>Microsoft Host Integration Server 2006 Command Execution Vulnerability</title><atom:summary type='text'>iDefense have published an advisory for a critical remote command execution vulnerability (CVE-2008-3466 and MS08-059) in Microsoft's Host Integration Server which was discovered by Stephen Fewer of Harmony Security. 
The specific versions affected are as follows:Microsoft Host Integration Server 2006 Enterprise Edition (both x86 &amp; x64 based systems)Microsoft Host Integration Server 2006 (both x86</atom:summary><link>http://www.harmonysecurity.com/blog/2008/10/microsoft-host-integration-server-2006.html</link><author>noreply@blogger.com (Harmony Security)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-5505554679725298460</guid><pubDate>Thu, 21 Aug 2008 12:46:00 +0000</pubDate><atom:updated>2008-08-21T13:50:18.502+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Tools</category><category domain='http://www.blogger.com/atom/ns#'>Reverse Engineering</category><category domain='http://www.blogger.com/atom/ns#'>OllyDbg</category><title>[New Tool] OllySocketTrace</title><atom:summary type='text'>OllySocketTrace is a plugin for OllyDbg to trace the socket operations being performed by a process. It will record all buffers being sent and received. 
All parameters as well as return values are recorded and the trace is highlighted with a unique color for each socket being traced.The socket operations currently supported are: WSASocket, WSAAccept, WSAConnect, WSARecv, WSARecvFrom, WSASend, </atom:summary><link>http://www.harmonysecurity.com/blog/2008/08/new-tool-ollysockettrace.html</link><author>noreply@blogger.com (Harmony Security)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-3416477586687474531</guid><pubDate>Wed, 20 Aug 2008 16:36:00 +0000</pubDate><atom:updated>2008-08-20T17:53:56.198+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>services</category><title>New Services</title><atom:summary type='text'>We are soon to be offering several new services, including:Malware AnalysisThis service offers detailed malware reports and customised solutions for malware outbreaks.Vulnerability DiscoveryThis service offers to discover critical vulnerabilities in your software products.Exploit DevelopmentThis service offers the development of reliable proof of concept exploits for software </atom:summary><link>http://www.harmonysecurity.com/blog/2008/08/new-services.html</link><author>noreply@blogger.com (Harmony Security)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-6539119454885828695</guid><pubDate>Thu, 05 Jun 2008 14:28:00 +0000</pubDate><atom:updated>2008-06-25T15:09:20.234+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>VMware Tools HGFS Local Privilege Escalation Vulnerability</title><atom:summary type='text'>iDefense have published an advisory for a local privilege escalation vulnerability (CVE-2007-5671) in the VMware Tools HGFS driver which was discovered by Stephen Fewer of Harmony Security.You can read the full iDefense advisory here:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=712And the VMware advisory 
here:http://www.vmware.com/security/advisories/VMSA-2008-0009.html</atom:summary><link>http://www.harmonysecurity.com/blog/2008/06/vmware-tools-hgfs-local-privilege.html</link><author>noreply@blogger.com (Harmony Security)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-51170147509989981</guid><pubDate>Wed, 28 May 2008 09:52:00 +0000</pubDate><atom:updated>2008-06-25T15:09:20.235+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>EMC AlphaStor Multiple Vulnerabilities</title><atom:summary type='text'>iDefense have published advisories for multiple vulnerabilities in EMC AlphaStor which were discovered by Stephen Fewer of Harmony Security. You can read the full iDefense advisories here:EMC AlphaStor Server Agent Multiple Stack Buffer Overflow Vulnerabilitieshttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=702EMC AlphaStor Library Manager Arbitrary Command Execution </atom:summary><link>http://www.harmonysecurity.com/blog/2008/05/emc-alphastor-multiple-vulnerabilities.html</link><author>noreply@blogger.com (Harmony Security)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-8538444105009757734</guid><pubDate>Fri, 11 Apr 2008 09:29:00 +0000</pubDate><atom:updated>2008-06-25T15:09:20.235+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>EMC DiskXtender Multiple Vulnerabilities</title><atom:summary type='text'>iDefense have published advisories for multiple vulnerabilities in EMC DiskXtender which were discovered by Stephen Fewer of Harmony Security. 
You can read the full iDefense advisories here:EMC DiskXtender Authentication Bypass Vulnerabilityhttp://labs.idefense.com/intelligence/vulnerabilities/display.php?id=683EMC DiskXtender File System Manager Buffer Overflow Vulnerabilityhttp://</atom:summary><link>http://www.harmonysecurity.com/blog/2008/04/emc-diskxtender-multiple.html</link><author>noreply@blogger.com (Stephen Fewer)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-5135919079045739901</guid><pubDate>Thu, 21 Feb 2008 13:57:00 +0000</pubDate><atom:updated>2008-06-25T15:09:20.236+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>EMC RepliStor Multiple Heap Overflow Vulnerabilities</title><atom:summary type='text'>iDefense has published an advisory for multiple remote pre-authentication code execution vulnerabilities in the EMC RepliStor software suite which were discovered by Stephen Fewer of Harmony Security.You can read the full iDefense advisory here: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=664</atom:summary><link>http://www.harmonysecurity.com/blog/2008/02/emc-replistor-multiple-heap-overflow.html</link><author>noreply@blogger.com (Stephen Fewer)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-5889353824297891228</guid><pubDate>Thu, 10 Jan 2008 00:51:00 +0000</pubDate><atom:updated>2008-06-25T15:09:20.237+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>Novell NetWare Client nicm.sys Local Privilege Escalation Vulnerability</title><atom:summary type='text'>iDefense has published an advisory for a vulnerability in the Novell NetWare Client which was discovered by Stephen Fewer of Harmony Security. 
It is a local privilege escalation vulnerability whereby an unprivileged user can execute malicious code in kernel mode by exploiting an insecure IOCTL in the NCIM device driver.You can read the full iDefense advisory here:http://labs.idefense.com/</atom:summary><link>http://www.harmonysecurity.com/blog/2008/01/novell-netware-client-nicmsys-local.html</link><author>noreply@blogger.com (Stephen Fewer)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-4603960331728900546</guid><pubDate>Thu, 10 Jan 2008 00:44:00 +0000</pubDate><atom:updated>2008-06-25T15:09:20.237+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>Motorola netOctopus Agent MSR Write Privilege Escalation Vulnerability</title><atom:summary type='text'>iDefense has published an advisory for a vulnerability in the Motorola netOctopus Agent which was discovered by Stephen Fewer of Harmony Security. It is a local privilege escalation vulnerability whereby an unprivileged user can reliably execute malicious code in ring 0 by hijacking the SYSENTER_EIP_MSR via an improperly exposed interface in the NantSys device driver.You can read the full </atom:summary><link>http://www.harmonysecurity.com/blog/2008/01/motorola-netoctopus-agent-msr-write.html</link><author>noreply@blogger.com (Stephen Fewer)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-7582043074456525990</guid><pubDate>Thu, 10 Jan 2008 00:40:00 +0000</pubDate><atom:updated>2008-06-25T15:09:20.238+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>Novell ZENworks Endpoint Security Management Local Privilege Escalation Vulnerability</title><atom:summary type='text'>iDefense has published an advisory for a vulnerability in the  Novell ZENworks Endpoint Security Management (ESM) Security Client which was discovered by Stephen Fewer of Harmony Security. 
It is a local privilege escalation vulnerability whereby an unprivileged user can trivially run executables with SYSTEM privileges.You can read the full iDefense advisory here:http://labs.idefense.com/</atom:summary><link>http://www.harmonysecurity.com/blog/2008/01/novell-zenworks-endpoint-security.html</link><author>noreply@blogger.com (Stephen Fewer)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-4653228930642584283</guid><pubDate>Thu, 13 Dec 2007 22:19:00 +0000</pubDate><atom:updated>2008-06-25T15:09:33.852+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Tools</category><title>[New Tool] OllyHeapTrace</title><atom:summary type='text'>OllyHeapTrace is a plugin for OllyDbg (version 1.10) to trace the heap operations being performed by a process. It will monitor heap allocations and frees for multiple heaps, as well as operations such as creating or destroying heaps and reallocations. All parameters as well as return values are recorded and the trace is highlighted with a unique colour for each heap being traced.The primary </atom:summary><link>http://www.harmonysecurity.com/blog/2007/12/new-tool-ollyheaptrace.html</link><author>noreply@blogger.com (Stephen Fewer)</author></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-932717656972193247.post-8683011937397147052</guid><pubDate>Tue, 13 Nov 2007 22:06:00 +0000</pubDate><atom:updated>2008-06-25T15:09:20.238+01:00</atom:updated><category domain='http://www.blogger.com/atom/ns#'>Advisories</category><title>Novell NetWare Client Privilege Escalation Vulnerability</title><atom:summary type='text'>iDefense has published an advisory for a vulnerability in the Novell NetWare Client which was discovered by Stephen Fewer of Harmony Security. It is a local privilege escalation vulnerability whereby an unprivileged user can exploit the vulnerable driver nwfilter.sys and gain kernel mode code execution. 
Novell is issuing a patch that will remove the vulnerable driver.You can read the full </atom:summary><link>http://www.harmonysecurity.com/blog/2007/11/novell-netware-client-privilege.html</link><author>noreply@blogger.com (Stephen Fewer)</author></item></channel></rss>