A new resource for security researchers, maintainers and people who discover flaws in general
has recently been set up by the Openwall project. I have just added it to my link section.
You can already find useful information there such as contact addresses for various security
teams, such as ours. Hopefully, since its wiki style, there soon appear code review reports,
tools and PoC's :-) They also drive a mailing list to discuss technical issues.
Wednesday, February 20, 2008
Monday, February 18, 2008
Mono trickery
I always spot the best bugs during coding. While coding tjmd5 (see last posting) I ran across
an interesting mono feature. For each 'foo' C# file that it compiles it lookups 'foo.so'
in /usr, /usr/lib etc directories and 'foo.so.la' in the cwd. This can be abused to execute
arbitrary code while someone is just compiling an C#-file. I am not sure about the impact since
you can say that the dude is executing the .exe after he was compiling it. Well.
Depending on the comments you all make I will decide whether this is something to tell Miguel :-)
Trapper John MD5
During hackweek in Nuremberg I lifted my C#-skills and wrote a MD5 based filesystem
and web integrity checker from scratch. In .NET, from scratch means you plug a few classes
and API calls together and get a complex application in 100 lines :-)
C# is fun coding nevertheless. Never heared again from tripwire, one of my faves
back in the 90's. You can download trapper john md5 here.
and web integrity checker from scratch. In .NET, from scratch means you plug a few classes
and API calls together and get a complex application in 100 lines :-)
C# is fun coding nevertheless. Never heared again from tripwire, one of my faves
back in the 90's. You can download trapper john md5 here.
Subscribe to:
Posts (Atom)
Posts
