Channel: Jakob Lell's Blog
Browsing all 17 articles

CVE-2012-4366: Insecure default WPA2 passphrase in multiple Belkin wireless...

I. Background Belkin ships many wireless routers with an encrypted wireless network configured by default. The network name (ESSID) and the (seemingly random) password are printed on a label at the...

Information leak on many websites and online job application portals (German version)

English version of this post 1. Summary Using many websites such as forums, dating sites, job application portals, newsletters or social networks requires registering as a user...

Information leakage in many websites and job application portals

German version of this post 1. Summary Many websites such as forums, dating sites, job application portals, newsletters or social networks require a user registration. This registration generally...

Quick Blind TCP Connection Spoofing with SYN Cookies

Abstract TCP uses 32 bit Seq/Ack numbers in order to make sure that both sides of a connection can actually receive packets from each other. Additionally, these numbers make it relatively hard to spoof...

Advanced grepping through directory trees with binary data

When reverse engineering stuff you often get a directory tree with a whole bunch of files (both binaries and text files) and you want to quickly find all occurrences of keywords you are interested in....
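One way to do that search, as an added example written for this listing and not the post's own script: grep with `-a` treats every file as text, `-o` with a bounded `.{0,N}` window keeps the output short even when a "line" of a binary is megabytes long, and `tr` replaces the unprintable bytes so the hit can be read on a terminal. The sample directory built by `bingrep_demo` is constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the blog post: recursive keyword search that
# treats every file as text (grep -a) and prints a short, printable context
# window around each hit, so matches inside binaries are readable.
# Usage: bingrep DIR PATTERN [CONTEXT]   (PATTERN is an extended regex)

bingrep() {
    dir="$1"
    pattern="$2"
    ctx="${3:-24}"
    # LC_ALL=C makes '.' match any byte, so the window also spans bytes that
    # are not valid UTF-8. -o prints only the window instead of the whole
    # "line". -I (skip binaries) is deliberately NOT used.
    LC_ALL=C grep -r -a -o -E ".{0,$ctx}($pattern).{0,$ctx}" "$dir" \
        | LC_ALL=C tr -c '[:print:]\n' '.'
}

bingrep_demo() {
    d=$(mktemp -d)
    # Constructed sample data: one binary blob and one text file.
    printf 'ELF\001\002\003secret_key=hunter2\377\376\000trailer' > "$d/firmware.bin"
    printf 'plain text with secret_key in it\n' > "$d/notes.txt"
    bingrep "$d" 'secret_key' 8
    rm -rf "$d"
}
```

Each output line is `path:window`, for example `.../firmware.bin:ELF...secret_key=hunter2`; the dots are bytes that `tr` replaced. Because the window is cut with `.`, a hit that spans a newline in a text file is reported only up to that newline.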

Real-World CSRF attack hijacks DNS Server configuration of TP-Link routers

Contents: Introduction; Analysis of the exploit; Analysis of the CSRF payload; Consequences of a malicious DNS server; Prevalence of the exploit; Recommendations to mitigate the problem; Affected Devices; References...

Multiple vulnerabilities in SMF forum software

Contents: I. Introduction; II. Username faking via Unicode homoglyphs or duplicate spaces allows user impersonation; III. Clickjacking in SMF forum allows user-assisted remote arbitrary code execution; IV. Affected...
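A registration-time check against the username faking described in section II, added here as an example and not taken from the post or from SMF: names are reduced to a "skeleton" (NFKC normalization, a small lookalike table, removal of zero-width and combining characters, collapsing of whitespace runs, case folding), and a new name is rejected if its skeleton collides with an existing one. The homoglyph table is a hand-built assumption for the example, not the post's list.

```python
import unicodedata

# Hand-built lookalike table (an assumption for this example, not the
# article's list): characters outside Latin that render like Latin letters.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d",              # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",  # Greek
    "\u0131": "i", "\u0261": "g",              # dotless i, Latin script g
}

# Categories whose members take no visible width: format characters such as
# zero-width space/joiner (Cf), combining marks (Mn), control characters (Cc).
INVISIBLE = ("Cf", "Mn", "Cc")


def skeleton(name: str) -> str:
    """Reduce a display name to a canonical form so that names which look
    alike on screen compare equal."""
    s = unicodedata.normalize("NFKC", name)  # fullwidth, ligatures, NBSP -> space
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)
    s = "".join(ch for ch in s if unicodedata.category(ch) not in INVISIBLE)
    s = " ".join(s.split())                  # collapse runs of any whitespace
    return s.casefold()


def find_lookalikes(candidate: str, existing) -> list:
    """Existing names that would be indistinguishable from `candidate`."""
    sk = skeleton(candidate)
    return [n for n in existing if n != candidate and skeleton(n) == sk]


def registration_allowed(candidate: str, existing) -> bool:
    """Reject a new name whose skeleton collides with an existing member."""
    return not find_lookalikes(candidate, existing)


if __name__ == "__main__":
    members = ["admin", "bob"]
    for attempt in ["\u0430dmin", "admin  user", "ad\u200bmin", "alice"]:
        print(repr(attempt), "->", registration_allowed(attempt, members))
```

Casefolding makes the check stricter than a case-sensitive forum needs; drop the last line of `skeleton` if distinct-case names are intended to coexist.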

Practical malleability attack against CBC-Encrypted LUKS partitions

Contents: I. Abstract; II. Attack scenario; III. Description of CBC malleability attack; IV. Technical considerations and practical attack against Ubuntu 12.04; V. Solution; VI. References. I. Abstract The most popular...
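The malleability itself, as an added example that is not the post's code: in CBC the i-th plaintext block is P_i = D_K(C_i) XOR C_{i-1}, so XORing a mask into ciphertext block i-1 XORs the same mask into plaintext block i, without the key, at the price of turning plaintext block i-1 into garbage. The block cipher below is a toy Feistel permutation standing in for AES (the attack never touches it and works unchanged with real AES), the per-sector IV follows the ESSIV rule IV = E_{H(K)}(sector) used by the aes-cbc-essiv:sha256 mode that older cryptsetup releases used by default, and the 512-byte sector content with its `root_login` line is constructed for the demo.

```python
import hashlib

BLOCK = 16  # byte length of one cipher block (AES-sized)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the toy cipher: keyed hash truncated to 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 8-round Feistel permutation standing in for AES (assumption of this
    # example). Any block cipher gives the same CBC behaviour.
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(8)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def essiv(key: bytes, sector: int) -> bytes:
    # ESSIV: IV = E_{H(key)}(sector number); the attacker never learns it.
    return block_encrypt(hashlib.sha256(key).digest()[:16],
                         sector.to_bytes(BLOCK, "little"))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))  # P_i = D(C_i) ^ C_{i-1}
        prev = c
    return b"".join(out)


def flip_plaintext_bits(ct: bytes, offset: int, delta: bytes) -> bytes:
    """XOR `delta` into the plaintext at `offset` without the key by XORing it
    into the previous ciphertext block. Side effect: the plaintext block
    covering offset-BLOCK decrypts to garbage."""
    if offset < BLOCK:
        raise ValueError("block 0: its IV is derived from the key, not stored")
    if offset % BLOCK + len(delta) > BLOCK:
        raise ValueError("delta must stay inside one block")
    ct = bytearray(ct)
    for i, d in enumerate(delta):
        ct[offset - BLOCK + i] ^= d
    return bytes(ct)


def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()[:16]
    sector_no = 2048
    # Constructed 512-byte sector: a config fragment followed by NUL padding.
    original = b"# /etc/demo.conf\nroot_login=no\n".ljust(512, b"\0")
    iv = essiv(key, sector_no)
    ct = cbc_encrypt(key, iv, original)
    # Attacker knows the layout but not the key: turn "no\n" into "yes".
    off = original.index(b"root_login=no") + len(b"root_login=")
    tampered_ct = flip_plaintext_bits(ct, off, _xor(b"no\n", b"yes"))
    return {"original": original, "offset": off,
            "tampered": cbc_decrypt(key, iv, tampered_ct)}


if __name__ == "__main__":
    r = demo()
    print(r["tampered"][:48])  # block 0 garbled, "root_login=yes" intact
```

The garbled block is the price of the attack and, in a file system, often lands in a comment, padding or an unrelated file: nothing in CBC-without-integrity detects it.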

[Hacking-Contest] Introduction

The hacking contest is a yearly competition taking place at the LinuxTag in Berlin. The setup consists of two notebooks with a projector attached to each of them. In phase 1 both teams get a root shell...

[Hacking-Contest] Process hiding with mount

On Linux systems, process management tools like ps or top use the contents of the /proc directory to get a listing of all running processes and the contents of the /proc/[pid] directory for getting...

[Hacking-Contest] Disabling password protection with a small binary patch

This blog post shows how to create a backdoor by changing a few binary instructions in the pam_unix.so shared library file, which is responsible for checking the user password. Unlike most other binary...

[Hacking-Contest] Hiding stuff from the terminal

The file /proc/sys/kernel/core_pattern typically contains the name of the coredump file which is created if a process crashes. Instead of a simple filename, /proc/sys/kernel/core_pattern can also...

[Hacking-Contest] Backdooring rsyslogd

The following few lines add a backdoor to rsyslogd, which can be remotely exploited given that the backdoored host runs an SSH server: man -a rsyslogd syslog|perl -pe'print "auth.* ^/bin/atg...
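Defender-side checks for the three tricks above (a directory mounted over /proc/[pid], a pipe handler in /proc/sys/kernel/core_pattern, and an rsyslog rule that hands messages to a program), added here as an example and not part of the contest posts. Each function takes its input as an argument so it can also be run against files copied off a suspect host; the defaults are the live paths. The sample mountinfo, /proc tree and rsyslog.conf used in the test are constructed.

```sh
#!/bin/sh
# Added example, not code from the blog: quick checks for the three contest
# tricks. Each check takes its input as an argument (default: live path).

# Mounts whose mount point lies below /proc/<digits>. Field 5 of
# /proc/self/mountinfo is the mount point; the fields before the "-"
# separator are fixed, so $5 is safe to use.
find_proc_overmounts() {
    mountinfo="${1:-/proc/self/mountinfo}"
    [ -r "$mountinfo" ] || return 0
    awk '$5 ~ /^\/proc\/[0-9]+(\/|$)/ { print $5 }' "$mountinfo"
}

# /proc/<pid> directories without a "stat" file: what ps/top see when an
# empty directory has been mounted over the real entry. (A process exiting
# while the loop runs can produce a false hit; re-run to confirm.)
find_hollow_proc_dirs() {
    proc="${1:-/proc}"
    for d in "$proc"/[0-9]*; do
        [ -d "$d" ] || continue
        [ -e "$d/stat" ] || echo "$d"
    done
}

# core_pattern: a leading "|" means the kernel runs the named program as root
# on every crash and feeds it the core dump on stdin.
classify_core_pattern() {
    case "$1" in
        "|"*) printf 'pipe:%s\n' "${1#"|"}" ;;
        *)    printf 'file:%s\n' "$1" ;;
    esac
}
check_core_pattern() {
    f="${1:-/proc/sys/kernel/core_pattern}"
    [ -r "$f" ] || return 0
    classify_core_pattern "$(cat "$f")"
}

# rsyslog rules that execute a program: the legacy "^/path/prog" action or
# the omprog module. Comment lines are skipped.
find_rsyslog_exec_actions() {
    [ $# -gt 0 ] || set -- /etc/rsyslog.conf /etc/rsyslog.d/*.conf
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nE '^[^#]*([[:space:]]\^[^[:space:]]|omprog)' "$f" | sed "s|^|$f:|"
    done
}

# Run every check against the live system: sh audit.sh live
if [ "${1:-}" = "live" ]; then
    find_proc_overmounts
    find_hollow_proc_dirs
    check_core_pattern
    find_rsyslog_exec_actions
fi
```

A legitimate pipe handler (a distribution crash reporter, for instance) also shows up as `pipe:...`; the point is to read what the program is, not that a pipe is present. The rsyslog check matches the syntax of the rule the post adds with `^`; a backdoor written in RainerScript syntax would need the `omprog` branch.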

[Hacking-Contest] Rootkit

Contents: Basic operation of rootkit; Shell script version of rootkit; C version of rootkit; Using the rootkit to hide stuff; File hiding below the proc filesystem; Netcat remote shell; Using tcpdump as a covert...

[Hacking-Contest] Binary planting

Most Linux distributions have some kind of checksum support in the package manager which can be used to detect manipulations of existing programs in the filesystem. However, these checksums only verify...

[Hacking-Contest] SSH Server wrapper

This blog post shows how the SSH server can be replaced with a small wrapper script to allow full unauthenticated remote root access without disturbing the normal operation of the service. In order to...

[Hacking-Contest] Invisible configuration file backdooring with Unicode...

Imagine that you want to check a small configuration file for malicious manipulations. Let’s further assume that the file is very small (only 5 non-comment lines) and that you know the expected...
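A check a reviewer could run on such a file, added here as an example and not the post's code: the excerpt does not say which Unicode feature the post uses, so the scanner below flags every character a terminal or editor may not show or may render misleadingly (format characters such as zero-width space and the bidi overrides, control characters other than newline and tab, and non-ASCII whitespace), and produces a view in which those characters are spelled out. The sshd_config-style sample is constructed; the line with U+202E RIGHT-TO-LEFT OVERRIDE is written reversed because a bidi-aware display draws it the right way round.

```python
import unicodedata

# Controls that belong in a plain-text config file. "\r" is deliberately
# excluded: on a terminal it moves the cursor back and lets later text
# overwrite what was printed before it.
ALLOWED_CONTROLS = {"\n", "\t"}


def is_suspicious(ch: str) -> bool:
    cat = unicodedata.category(ch)
    if cat == "Cf":                                   # zero-width, bidi overrides, ...
        return True
    if cat == "Cc":                                   # control characters
        return ch not in ALLOWED_CONTROLS
    if cat in ("Zs", "Zl", "Zp"):                     # spaces and separators
        return ch != " "
    return False


def suspicious_chars(text: str) -> list:
    """(line, column, 'U+XXXX', name) for every character that may be
    invisible or change how the surrounding text is drawn."""
    findings = []
    for line_no, line in enumerate(text.splitlines(keepends=True), 1):
        for col, ch in enumerate(line, 1):
            if is_suspicious(ch):
                findings.append((line_no, col, "U+%04X" % ord(ch),
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def visible_form(text: str) -> str:
    """The text with every suspicious character replaced by <U+XXXX>, so a
    diff against the expected contents shows the hidden characters."""
    return "".join("<U+%04X>" % ord(ch) if is_suspicious(ch) else ch
                   for ch in text)


# Constructed sample, not the post's file. Line 3 looks like
# "PermitRootLogin no" in a bidi-aware display; line 4 hides a zero-width
# space inside the keyword.
SAMPLE = ("# constructed example\n"
          "Port 22\n"
          "\u202eon nigoLtooRtimreP\n"
          "Allow\u200bUsers admin\n")


if __name__ == "__main__":
    for finding in suspicious_chars(SAMPLE):
        print("line %d col %d %s %s" % finding)
    print(visible_form(SAMPLE))
```

Because the check is purely lexical it does not need to know the file format; on a config file that is expected to be plain ASCII, any finding at all is worth a look.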
