<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatoire de la securite Internet</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Banker trojans - a return to the past</title><description>2009-06-14 20:57:40 - gynvael.coldwind  vx.log  en  : It happened so that I got back to reversing banker trojans the other day, and celebrated it with a 24-hour marathon with many different foreign malware entities. Looks like that when I played with oth</description><link>http://www.secuobs.com/revue/news/109540.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/109540.shtml</guid></item>
<item><title>Random security thoughts</title><description>Secuobs.com : 2009-06-01 12:21:37 - gynvael.coldwind  vx.log  en  - Recently while reading some press news / blog posts, a few things came to my attention, which I would like to discuss (as in "rant about them") in this post. The first thing will be about news/post</description><link>http://www.secuobs.com/revue/news/104357.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/104357.shtml</guid></item>
<item><title>OS X, Objective C and RE</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - Finally has arrived the day when I take a look at creating OS X GUI applications. Applications on Mac are usually created using Objective C language which I didn't have the pleasure to meet yet and </description><link>http://www.secuobs.com/revue/news/103777.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103777.shtml</guid></item>
<item><title>After the march 3h GDPL compo</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - Sunday, from 5pm till 8pm, another gamedev.pl compo took place. This time, it was a 3 hour compo during which one had to create a 'game that has both a cow and a pig' (a strange topic I must say). I d</description><link>http://www.secuobs.com/revue/news/103776.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103776.shtml</guid></item>
<item><title>March GDPL 3h compo - results</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - The results of the GDPL compo have been posted (available also here). Seems my predictions were right and Krzysiek K has won (he earned it); second was maskl ex aequo with me, and third came Reg </description><link>http://www.secuobs.com/revue/news/103775.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103775.shtml</guid></item>
<item><title>SysDay 2009 post conference materials and the unicorn</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - I'm sorry, but the slides are, again, in Polish. Well, the source codes and demo videos don't have Polish in them, mostly because they don't have any text at all. I've been informed that a video from</description><link>http://www.secuobs.com/revue/news/103774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103774.shtml</guid></item>
<item><title>How to make your life simpler - GDB scripts embedded in assembly source code</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - Recently I've been working on a function written in assembly (NASM dialect) that was to be compiled and then loaded and executed at runtime by an Objective C application. The function was to search in</description><link>http://www.secuobs.com/revue/news/103773.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103773.shtml</guid></item>
<item><title>ANSI Escape Codes for Windows 7 RC</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - Two days ago j00ru informed me that my cmd.exe add-on (the one that adds the ultra important feature - colors) does not work on Windows 7 RC - so I decided to have a look, and so version 0004d came </description><link>http://www.secuobs.com/revue/news/103772.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103772.shtml</guid></item>
<item><title>RE-Enter teh blog</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - Welcome back after a short break. It looks like that after posting on the Polish side of the mirror about a binary I've received from a friend, the post was posted on wykop.pl - a Polish site like dig</description><link>http://www.secuobs.com/revue/news/103771.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103771.shtml</guid></item>
<item><title>CONFidence 2009 - gg plz re :</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - Time to update the English side of my mirror. As I've written before, I had the opportunity to be present at this year's edition of the CONFidence conference, and, starting with a spoiler, I think it w</description><link>http://www.secuobs.com/revue/news/103770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103770.shtml</guid></item>
<item><title>CONFidence 2009 ESET crackme - solution</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - At last! A technical post in which I'll describe the ESET crackme from this year's edition of the CONFidence conference. The CONFidence crackme made especially for the conference - it was NOT thei</description><link>http://www.secuobs.com/revue/news/103769.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103769.shtml</guid></item>
<item><title>Art of file - graphical interpretation of a file</title><description>Secuobs.com : 2009-05-31 16:43:19 - gynvael.coldwind  vx.log  en  - The previous Sunday I decided to play a little with graphical interpretation of files again. Graphical interpretation, or visualizations as one may call it, is a large topic, there are even some inter</description><link>http://www.secuobs.com/revue/news/103768.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/103768.shtml</guid></item>
</channel>
</rss>
<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatoire de la securite Internet</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Sources of ReRe, a Python RE500 challenge</title><description>2016-04-15 19:57:39 - gynvael.coldwind vx.log  en  : ReRe. The CONFidence Teaser CTF 2016 by Dragon Sector is now over and the results are in (congratz 9447!). Therefore I decided to share the sources of my task called ReRe, which was a Python rainbow-heavy, obfuscation-heavy, bytecode-all-around challenge. I won't spoil too much in case you would like to try to solve it (crackme: rere.py in the archive), but if you would like to read more on it, just see the SOLUTION.md file in the zip file. I'll add that the obfuscation used self-modifying bytecode, some bytecode-level obfuscation and minor string obfuscation as well, so if you would like to learn more about Python 2.7 internal code representation, try your luck with ReRe. (It was solved 5 times btw.) Download: confidence-teaser-2016-ds-gynvael-rere.zip. Video: rere_anim.gif (a 3 MB gif, you have been warned). Have fun, good luck!</description><link>http://www.secuobs.com/revue/news/603897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/603897.shtml</guid></item>
<item><title>Video: Python in a hacker's toolbox (PyConPl'15)</title><description>Secuobs.com : 2015-10-23 12:28:31 - gynvael.coldwind vx.log  en  - Just a short note that the video from my talk "Python in a hacker's toolbox" (PyConPl'15) is already available on youtube. The slides can be found here. Abstract: A classical language set used by a security specialist included assembly and C, sometimes joined by C++ and usually quite a lot of Bash as well. A few years ago it seemed that Perl, and later Ruby, will become the scripting language of choice in the security field, however another contender - Python - was gaining user base too. Today it's rather obvious that Python won its place in the hacker's toolbox, especially given that a great deal of important tools of trade allow to be instrumented/scripted using it - examples include even the most basic utensils - IDA, GDB and Burp. Furthermore, Python with its set of standard libraries makes it extremely easy to create ad-hoc tools whenever they're needed. At the same time, due to rich introspection mechanisms, the language itself is an object of fascination from the security scene. The talk will focus on a few selected cases of Python intertwining with the security world. The talk is basically a mix of Python related topics I've touched during other talks I gave (commonly with j00ru) - this includes: "Data, data, data" (English; blog post, video); "On the battlefield with the dragons" (English; blog post, video); "Ataki na systemy i sieci komputerowe" (Polish; slides); "Pwning (sometimes) with style - Dragons' notes on CTFs" (English; slides). Video. Cheers, </description><link>http://www.secuobs.com/revue/news/587738.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/587738.shtml</guid></item>
<item><title>When in Wroclaw - Piwnica Quest</title><description>Secuobs.com : 2015-03-27 23:39:37 - gynvael.coldwind vx.log  en  - A couple of hours ago I found myself, together with a couple of friends, locked in a small vault in a basement of an old tenement house in Wrocław (Poland). Objective: escape the room in 60 minutes (+ complete a side quest). To do this we had to look for clues, solve riddles, break codes (not unlike some crypto challenges I've seen on CTFs, though much simpler) and do quite a lot of creative thinking. In the end we failed (we were so close it's painful!). But we had A LOT of fun on the way anyway. This kind of game is called "Live Escape Room" and the one we went to, which I strongly recommend, was the room "Vault" by Piwnica Quest. While I shouldn't write anything about the room (it would just spoil the fun for others and that's definitely an anti-objective of this post), I'll mention that our group was 5 people (which is the max for Piwnica Quest as far as I know) and that I was really amazed by some of the riddles they created there. And yes, the riddles are in English as well, so you don't have to know Polish. So again, a link to their site: http://www.piwnica-quest.com. And I wish you the usual HF GL. PS. Full-disclosure: No, this is NOT a sponsored post - there are no sponsored posts on this blog. I really had fun and that's why I'm recommending it. PS2. I've been told there are more Live Escape Rooms in Wrocław as well - seems to be a good city for fans of this kind of activity.</description><link>http://www.secuobs.com/revue/news/565149.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/565149.shtml</guid></item>
<item><title>Insomni'hack 2015, presentation slide deck and CTF results</title><description>Secuobs.com : 2015-03-24 19:55:12 - gynvael.coldwind vx.log  en  - Collaborative post by Gynvael Coldwind and Mateusz "j00ru" Jurczyk. Just three days ago another edition of the great Insomni'hack conference held in Geneva came to an end. While the event was quite short, lasting for just one day, it featured three tracks of security talks, including some very interesting ones such as "Automotive security" by Chris Valasek, or "Copy &amp; Pest - A case-study on the clipboard, blind trust and invisible cross-application XSS" by Mario Heiderich. This year we were also invited to the conference to talk about CTF techniques, experiences and entertaining tasks encountered by the Dragon Sector team we lead and actively play in. We thus gave a presentation called "Pwning (sometimes) with style - Dragons' notes on CTFs", and are now making the slide deck publicly available for your enjoyment: "Pwning (sometimes) with style - Dragons' notes on CTFs" (3.86MB, PDF). While the conference was very well organized and had many interesting talks, the main event of the evening was only about to start at 18:00: the CTF competition organized by the Insomni'hack crew, which attracted hundreds of players from all around the world, including many top teams from the CTF scene (eg StratumAuhuur, int3pids, dcua, penthackon, 0x8F). Since we really liked the finals from last year, Dragon Sector also came back in a large squad of 9 players (one of whom played in a different team due to a strict 8-person limit). We did our best to defend last year's title (top 1) and eventually succeeded, but it was not an easy task for sure. The most intense moment was when the StratumAuhuur team submitted a flag 4 minutes before the end of the CTF (at 3:56:23 AM), closing our point advantage to only 20 points, which was so close that it could have easily changed in favor of Stratum regardless of our actions (due to this year's variable nature of tasks scoring, which accounted for the total number of teams solving each challenge). Fortunately, Gynvael and I were on a verge of solving another networking task at the time and barely managed to get it a little more than a minute before the end of the competition, consequently securing a win. The situation is well illustrated in the photo of the final ranking below. The organizers, SCRT, have also published their own summary of the CTF with a full ranking and some interesting stats: "Insomni'hack finals - CTF results".</description><link>http://www.secuobs.com/revue/news/564663.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/564663.shtml</guid></item>
<item><title>How to automatically extract all raw bitmaps from a memory dump?</title><description>Secuobs.com : 2015-02-27 08:26:46 - gynvael.coldwind vx.log  en  - That's actually a real question with no solution (though some links) posted in this blog post. And the keyword here is "automatically". Let's start by me making sure that the problem is stated clearly: we assume that we have a large memory blob (anything between 500 MB to 1 TB) and we want to find all raw bitmaps and their width in it. Furthermore, since this is kinda ambiguous, by "raw bitmaps" I mean neither camera RAW formats used in digital photography (NEF, ORF, CR2 and the like) nor "image files" (like PNG, BMP, JPG, GIF, TIFF and the like) - how to find most of these things is of course common knowledge that can be summarized by "find magic or pattern that's commonly at the beginning". This approach has been used by many old school ripper programs like Multi Ripper (seen around in late '90s, though I remember such apps from at least a few years earlier) or other similar though older apps, as well as newer stuff like binwalk or PhotoRec. What we're looking for is just plain bitmap data (8/24/32 bpp for starters) without any magic values, headers, compression or other strange encodings. Where would this be useful? In analyzing various memory dumps or disk dumps where you can't make any smart calls about kernel/FS/heap/app memory structures or if parts of said are missing/have been wiped (so volatility/Sleuth Kit are useless). Usually the way I did this (and still do) was to open the file in IrfanView as raw, set width to something around 1024, height to a large value, offset to whatever part I was analyzing and then I scrolled through the huge bitmap counting on my brain to spot any patterns. I'm not going to describe the exact details of this method, since Bernardo beat me to it and I have really nothing to add (though his GIMP method seems more friendly as you have a scroll bar to set the width which looks waaay better than putting the number manually in IrfanView). The thing I found surprising about his post is that the CTF task he gives as an example - coor coor from 9447 - is the exact task I had in mind when spawning the discussion with Ange (which later moved to twitter and made Bernardo write his post). Here are three of my findings from that task (images omitted). The discussion at twitter included several interesting links/ideas: - doegox pointed to his tool https://doegox.github.io/ElectronicColoringBook; - jchillerup pointed to the cantor dust talk/tool which doesn't solve the problem, but is (ie looks like) probably the best non-automatic tool for this purpose (some patterns remind me of one of my previous blog posts, which spawns an idea I guess on how to find candidate bitmaps in the binary blob); - scanlime pointed to the autocorrelation problem, which names the problem I was thinking about and points to the solution; - hanno pointed to JPEG compression tested on various widths/offsets, which would be another idea to find candidate bitmaps; - sqaxomonophonen pointed to FFT and looking for spikes, which would be a way to determine the width; - CrazyLogLad suggested something similar; - aeliasen said this: "I'd calculate the autocorrelation of the bytes; period with strongest autocorr should give width http://futureboy.us/fsp/colorize.fsp?f=correlation.frink You might have to throw out small periods (like 1-3) and divide by pixel depth". Seems I need to do some reading on autocorrelation/FFT to move this forward. If someone would like to try his luck, the coor coor dump is here (link shamelessly taken from Bernardo's blog): coorcoor.tar.bz2. If you have any other ideas, comments or links, feel free to add them in the comment section. Cheers, </description><link>http://www.secuobs.com/revue/news/561425.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/561425.shtml</guid></item>
<item><title>CONFidence 2014 video from our talk on CTFs</title><description>Secuobs.com : 2014-07-19 11:19:49 - gynvael.coldwind vx.log  en  - Just a quick note: the video from j00ru's and my talk from this year's CONFidence edition is now online. As mentioned in the previous post on the topic, the talk was called "On the battlefield with the Dragons" and consisted of a selection of interesting CTF task solutions with some useful tips and tricks near the end. Links: video, slides. Let us know what you think!</description><link>http://www.secuobs.com/revue/news/526003.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/526003.shtml</guid></item>
<item><title>Slides from Ange's and my talk about Schizophrenic files, Area41</title><description>Secuobs.com : 2014-06-03 11:23:48 - gynvael.coldwind vx.log  en  - Yesterday I had the pleasure to co-present with Ange Albertini (@angealbertini) - if you are into binary stuff, you probably know his website - corkami, which has all sorts of cool stuff, from posters detailing binary formats (eg PE 101) to binary polyglots, etc. We talked about "schizophrenic files", ie various file formats which get interpreted differently depending on what program you use (eg a BMP image which, when viewed in one viewer, shows a cat but when using a different one shows a flying shark). Basically the story goes that we both did (separately) some more or less random digging on (or more accurately in my case: randomly stumbling on) behaviors which allow one to create a file which is open to creative interpretation by the software, or (more commonly) parser authors just decide to not follow the specs or understand them in a different way; we decided to gather all this in one place and hence the talk. We presented it at Area41 in Zurich (which btw turned out to be a really well organized and awesome conference). Slides and PoCs are available below. Slides: "Schizophrenic files" (Ange Albertini, Gynvael Coldwind). PoCs: Schizophrens (PoC); All PoCs.zip (contains all the files from the directories). As usual, feedback is most welcome. Cheers, </description><link>http://www.secuobs.com/revue/news/516825.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/516825.shtml</guid></item>
<item><title>The perfect int == float comparison</title><description>Secuobs.com : 2014-04-27 19:28:36 - gynvael.coldwind vx.log  en  - Just to be clear, this post is not going to be about the float vs float comparison. Instead, it will be about trying to compare a floating point value with an integer value in an accurate, precise way. It will also be about why just doing int_value == float_value in some languages (C, C++, PHP, and some other) doesn't give you the result you would expect - a problem which I recently stumbled on when trying to fix a certain library I was using.

The problem explained
---------------------
Let's start by demonstrating the problem by running the following code that compares subsequent integers with a floating point value:

float a = 100000000.0f;
printf("99 -- %u\n", a == 99999999);
printf("00 -- %u\n", a == 100000000);
printf("01 -- %u\n", a == 100000001);
printf("02 -- %u\n", a == 100000002);
printf("03 -- %u\n", a == 100000003);
printf("04 -- %u\n", a == 100000004);
printf("05 -- %u\n", a == 100000005);

The result:
99 -- 1
00 -- 1
01 -- 1
02 -- 1
03 -- 1
04 -- 1
05 -- 0

Sadly this was to be expected in the floating point realm. However, while in this world both 99999999 and 100000004 might be equal to 100000000, this is sooo not true for common sense nor standard arithmetic. Let's look at another example - an attempt to sort a collection of numbers by value in PHP:

php test.php 20000000000000002 20000000000000000 20000000000000003

(Side note: The code above must be executed using 64-bit PHP. The 32-bit PHP has integers limited to 32-bit, so the numbers I used in the example would exceed their limit and would get silently converted to doubles.) This results in the following output:

20000000000000000
20000000000000000
20000000000000004

So, what's going on? It all boils down to floats having too little precision for larger integers (this is a good time to look at this and this). For example, the 32-bit float has only 23 bits dedicated to the significand - this means that if an integer value that is getting converted to float needs more than 24 bits (sic; keep in mind that in floats there is a hardcoded "1" at the top position, which is not present in the bit-level representation) to be represented, it will get truncated - ie the least significant bits will be treated as zeroes. In the C-code case above the decimal value 100000001 actually requires 27 bits to be properly represented: 0b101111101011110000100000001. However, since only the leading "1" and the following 23 bits will fit inside a float, the "1" at the very end gets truncated. Therefore, this number actually becomes another number: 0b101111101011110000100000000, which in decimal is 100000000 and therefore is equal to the float constant of 100000000.0f. The same problem exists between 64-bit integers and 64-bit doubles - the latter have only 52 bits dedicated for storing the value.

A somewhat amusing side note
----------------------------
Actually, it gets even better. Let's re-write the first code shown above (the C one) to use a loop:

float a = 100000000.0f;
int i;
for (i = 100000000 - 5; i ... %u\n", a, i, a == i);

As you can see, there are no big changes. Now let's compile it and run it:

gcc test.c; ./a.out
100000000.0 == 99999995 -- 0
100000000.0 == 99999996 -- 0
100000000.0 == 99999997 -- 0
100000000.0 == 99999998 -- 0
100000000.0 == 99999999 -- 0
100000000.0 == 100000000 -- 1
100000000.0 == 100000001 -- 0
100000000.0 == 100000002 -- 0
100000000.0 == 100000003 -- 0
100000000.0 == 100000004 -- 0
100000000.0 == 100000005 -- 0

The result is magically correct! How about we compile it with optimization then?

gcc test.c -O3; ./a.out
100000000.0 == 99999995 -- 0
100000000.0 == 99999996 -- 1
100000000.0 == 99999997 -- 1
100000000.0 == 99999998 -- 1
100000000.0 == 99999999 -- 1
100000000.0 == 100000000 -- 1
100000000.0 == 100000001 -- 1
100000000.0 == 100000002 -- 1
100000000.0 == 100000003 -- 1
100000000.0 == 100000004 -- 1
100000000.0 == 100000005 -- 0

Why is that? Well, in both cases the compiler needs to convert the integer to a float and then compare it with the second float value. This however can be done in two different ways. Option 1: The integer is converted to a floating point value, then is stored in memory as a 32-bit float and then loaded into the FPU for the comparison; OR (in case of constants) the integer constant can be converted to a 32-bit float constant at compilation time and then it will be loaded into the FPU for comparison at runtime. Option 2: The integer is directly loaded into the FPU for comparison (using the fild FPU instruction or similar). The difference here is related to the FPU internally operating on larger floating point values with more precision (by default it's 80 bits, though you can change this) - so the 32-bit integer isn't truncated on load, as it would happen if it gets converted explicitly to a 32-bit float (which, again, has only 24 bits for the actual value). Which option is selected depends strictly on the compiler - its mood, version, options used at compilation, etc.

The perfect comparison
----------------------
Of course, it's possible to do a perfect comparison. The simplest and most straightforward way is to cast both the int value and the float value to a double before comparing them - double has a large enough significand to store all possible 32-bit int values. And for the 64-bit integers you can use the 80-bit long double which has exactly 64 bits dedicated for storing the value (plus the ever-present "1"). But that's too easy. Let's try to do the actual comparison without converting to larger types. This can be done in two ways: the "mathematical" way (or "value-specific" way) and the encoding-specific way. Both are presented below.

The mathematical way
--------------------
We basically do it the other way around - ie we try to convert the float to an integer. There are a couple of problems here which we need to deal with: 1. The float value might be bigger than INT_MAX or smaller than INT_MIN. In such case this might happen and we wouldn't be able to catch it after the conversion, so we need to deal with it sooner. 2. The float value might have a non-zero fractional part. This would get truncated when converted to an int (eg (int)1.1f is equal to 1) - we don't want this to happen either. The implementation of this method (with some comments) is presented below:

bool IntFloatCompare(int i, float f) {
  // Simple case
  if ((float)i != f) return false;
  // Note: The constant used here CAN be represented as a float. Normally
  // you would want to use INT_MAX here instead, but that value
  // cannot be represented as a float.
  const float TooBigForInt = (float)0x80000000u;
  if (f &gt;= TooBigForInt) return false;
  if f 31
  uint32_t exp = (fu32 &gt;&gt; 23) &amp; 0xff;
  uint32_t frac = fu32 &amp; 0x7fffff;
  // NaN / Inf
  if (exp == 0xff) return false;
  // Subnormal representation
  if (exp == 0) {
    // Check if fraction is 0. If so, it's true if i is 0 as well.
    // Otherwise it's false in all cases.
    return frac == 0 &amp;&amp; i == 0;
  }
  int exp_decoded = (int)exp - 127;
  // If exponent is negative, the number has a fraction part, which means it's not equal
  if exp_decoded 31 return false
  // There is one case where exp_decoded equal to 31 makes sense - when float is
  // equal to INT_MIN, ie sign is - and fraction part is 0
  if exp_decoded 31 sign 1 frac 0 return false
  // What is left is in range of integer, but still can have a fraction part.
  // Check if any fraction part will be left
  uint32_t value_frac frac -shift_diff else value

PS. Did you know that there are exactly 75'497'471 positive integer values that can be precisely represented as a float? Not a lot for the total of 2'147'483'647 positive integers.</description><link>http://www.secuobs.com/revue/news/510544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/510544.shtml</guid></item>
<item><title>Integer overflow into XSS and other fun stuff - a case study of a bug bounty</title><description>Secuobs.com : 2014-03-27 13:47:32 - gynvael.coldwind vx.log  en  - Some time ago I decided to spend a few evenings playing with bug bounties. I've looked around and finally decided to focus on Prezi, since, being a user of their product, I was already somewhat familiar with it. As I seem to be naturally drawn to low-level areas, this quickly turned into an ActionScript reverse-engineering exercise with digging into the internals of the SWF file format. I found a couple of interesting and fun bugs (eg an integer overflow that led to ActionScript code execution - you don't commonly see these this far from the C/C++ kingdom), and a few of them are worth sharing in my opinion. At the bottom of the post I've put some information about the tools I've used, just in case you're curious. Random announcement not really having anything to do with the post: Dragon Sector is looking for sponsors that would help us play at DEF CON CTF. Thank you. Now back to our show.

What is Prezi?
--------------
Before I get to the juicy part, let's do a really quick intro to get everyone into context. Prezi (prezi.com) is basically a huge Flash application that allows you to make cool-looking animated presentations in a really easy way. They provide both online service and storage, and a desktop version (which basically is just a standalone Flash application). I focused only on the online application and the surrounding web service. As far as the Prezi Bug Bounty Program goes, you can read all about it at http://prezi.com/bugbounty/. I'll just add that everything (communication, fixing bugs, etc) went smoothly and that Prezi has a really friendly security team.

Bug 1: SWF sanitization incomplete blacklist into AS code execution (XSS)
-------------------------------------------------------------------
One of Prezi's features is embedding user-provided Flash applets into the presentation. Of course, before the SWF is embedded, it's scrubbed for any parts that contain ActionScript or import other SWF files - this is done to prevent executing user's (attacker's) code. As soon as the SWF is clean, it gets loaded into Prezi's context. The SWF (under the optional DEFLATE compression layer) is basically a chunk based format. Each chunk starts with a header (and the data follows) that looks like this:

Short chunk: data size (6 bits) | tag ID (10 bits)
Long chunk: 0x3f | tag ID (10 bits) | data size (32 bits)

Both the formats of the chunks and the tag IDs are defined in the "SWF File Format Specification" released by Adobe. As of today the current version is 19 (updated April 23, 2013), and as to be expected, it has "only" 243 pages. There are currently 94 tag IDs defined (from 0 to 93, with a couple missing, eg ID 92 or ID 79-81), with some of them being just iterations of a given chunk type (eg ID 2 - DefineShape, ID 22 - DefineShape2, ID 32 - DefineShape3 and ID 83 - DefineShape4). As mentioned, the scrubbing basically went after the chunks which might lead to code execution - if such a chunk was found, it was removed from the SWF. There are basically three groups of chunks that may result in code execution: 1. Chunks which just execute code, eg ID 59 - DoInitAction or ID 12 - DoAction. 2. Chunks which import resources (chunks) from other SWF files, eg ID 57 - ImportAssets or the second version of this chunk with ID 71. 3. Chunks representing graphical objects which may have some actions defined - eg ID 7 DefineButton, which can perform actions (ie run ActionScript) when eg it's clicked. As one can imagine, Prezi did contain three functions responsible for recognizing these groups:

private static function isTagTypeCode(param1:uint) : Boolean {
  return param1 == 12 || param1 == 59 || param1 == 76 || param1 == 82;
} // end function
private static function isTagTypeImports(param1:uint) : Boolean {
  return param1 == 57 || param1 == 71;
} // end function
private static function isTagTypeContainsActions(param1:uint) : Boolean {
  return param1 == 7 || param1 == 26 || param1 == 34 || param1 == 39 || param1 == 70;
} // end function

Here's the catch: isTagTypeContainsActions was never called. So basically embedding a Flash file with eg a button that had actions defined (eg the "on mouse over" action) led to arbitrary ActionScript code execution in the context of Prezi, which is basically an XSS (and a stored, wormable one at that). The tricky part with the fix here is that ideally you don't want to remove graphical elements from the SWF, so removing whole chunks in this case is an overkill. What you want to do is to remove the actions alone and that requires more code and digging deeper into the format, making the simple solution more complex. On a more general note: using a blacklist is usually a bad idea; for example, a new SWF File Format Specification comes out with Tag ID 95 defined as DoInitAction2 and you have to update the application. You miss a beat and you have an XSS again. A cleaner solution here would be to have a whitelist of allowed tags and just remove everything else.

Bug 2: Integer overflow in AS into XSS
--------------------------------------
Digging deeper into the chunk removing code I noticed the following code:

private static function skipTag(param1:ByteArray) : void {
  var _loc_2 = getTagLengthAndSkipHeader(param1);
  param1.position = param1.position + _loc_2;
  return;
} // end function

The red line retrieves an attacker-controlled chunk length from the SWF file - as noted in the previous bug, for long chunks this can be a 32-bit value, and the returned type is uint. The yellow line does basically an addition assignment to basically skip past the chunk-that-is-OK in the data stream. The param1.position is also uint according to AS documentation. You know where this is going: in ActionScript uint is a 32-bit unsigned value with modulo arithmetic, so the result of the above addition is also truncated to 32-bit, regardless of its true value. So yes, it's an integer overflow. And it allowed one to bypass the SWF sanitizer. Exploiting this turned out to be quite interesting and included a small twist which made things even more entertaining. Starting with the basic idea, here is how the sanitizer worked from a high level perspective (in pseudocode; I'll omit code added after patching the previous bug, since it changes nothing):

SWF = decompress(SWF)
SWF.position = 0
SWF.headers.fileLength = SWF.length
skip SWF headers
while SWF.bytesAvailable > 0:
  if Tag at SWF.position is in blacklist:
    eraseTag()
    continue
  skipTag()

The skipTag was already shown above, so that leaves just the eraseTag method:

old_position = SWF.position
skipTag()
temp_buffer = new ByteArray()
temp_buffer.writeBytes(SWF.readFromPositionToEOF())
SWF.position = old_position
SWF.writeBytes(temp_buffer)
SWF.length = old_position + temp_buffer.length
SWF.position = old_position

So eraseTag basically copies whatever is past the tag-to-be-removed on top of that tag and fixes the total data size (SWF.length) afterwards. The above allows us to basically jump backwards into the middle of a chunk (that's the consequence of the integer overflow) and remove however many bytes we like. This of course leads to changing how the Adobe Flash SWF interpreter will see the file, which is different than how the sanitizer originally saw it. Let's look at an example (image omitted). So basically this is what's happening here (in chronological order): The sanitizer reaches the overflowing tag and jumps backward into the first shown tag's data. The data contains a valid chunk header, which describes a tag which is on the blacklist. This chunk gets removed. The next tag (which originally was just second chunk's data) has a huge length which sends the sanitizer to EOF and so the sanitizer exits. When the Adobe Flash SWF parser sees the output, it sees the "send to EOF" chunk, the overflowing chunk and the padding just as the first tag's data, and ignores it (ShowFrame has no meaningful data from the SWF parser's perspective). And it reaches the hidden "evil" tags which contain ActionScript to execute. The sanitizer never had a chance to see and sanitize these tags, since it was sent backwards and then to EOF. Now, here's the catch: Prezi's sanitizing code has a bug which triggers a quirky behavior in Adobe Flash, which prevents execution of any ActionScript. Remember these lines?

SWF = decompress(SWF)
SWF.headers.fileLength = SWF.length

This fixes the SWF length after decompression. However, the file length in the SWF headers should also be fixed if any chunk gets removed, and it's not. For some reason an incorrect size causes Flash to ignore any ActionScript (I never got to the bottom of why exactly this is happening, though it acted very peculiarly). So, to exploit this I needed to make the sanitizer fix the headers for me. This turned out to be both simple and a little more tricky. Simple, because the overflow allowed me to send the sanitizer back as far as I wanted - eg to the beginning of the SWF headers. And more tricky, because the DWORD representing the file size is just after the SWF magic and version, so that means I had to make the file size be at the same time a valid chunk header for a blacklisted chunk (but that turned out to not be a problem). The final setup looked like this (in the data of the hidden chunks the sanitizer was sent to EOF of course; image omitted). The NASM code (it's the way I prefer to generate simple binary files - don't worry, it's "Ange Approved") to generate a PoC according to the above schema looks like this:

bits 32
org 0
start:
; SWF file
; ----------------------- HEADERS
db "FWS"
db 6 ; version 6
size_of_data_header: dd end_of_file ; size of data
db 0x78, 0, 5, 0x5f, 0, 0, 0xf, 0xa0, 0 ; RECT (200x200)
db 0, 12 ; 12.0 FPS
dw 1 ; 1 Frame
; ----------------------- TAGS
%macro TAG_SHORT 2
  dw %2 | (%1 &lt;&lt; 6)
%endmacro
%macro TAG_LONG 2
  %2: dw 0x3f | (%1 &lt;&lt; 6)
  dd end -     4
%endmacro
%macro TAG_LONG_MANUAL 2
  dw 0x3f | 
pourcents1  6  dd pourcents2 pourcentsendmacro pourcentsdefine TAG_End 0 pourcentsdefine TAG_ShowFrame 1 pourcentsdefine TAG_DefineShape 2 pourcentsdefine TAG_SetBackgroundColor 9 pourcentsdefine TAG_PlaceObject2 26 pourcentsdefine TAG_DoAction 12   Start of tags   Trigger the integer overflow to go back to the size of data field TAG_LONG_MANUAL TAG_ShowFrame, -  - size_of_data_header    4  times 41 db 0xaa   Data continues here   Or actually it's the headers we need to rebuild dd 766   New file size It's equal to tag 11, size 62 db 0x78, 0, 5,0x5f,0,0,0xf,0xa0,0  RECT  200x200  db 0, 12   120 FPS dw 1   1 Frame   There are 47 bytes left here before that crazy thing returns   times 47 db 0xaa TAG_LONG TAG_DoAction, MyAction1   ACTIONSCRIPT v2 db 0x83 dw StringsEnd1 -     2    Size db  javascript prompt documentdomain,    Fun fact - in 4 bytes the crazy thing returns db '  '   It's here Well, send it back to the void or something db 0x3f   Long tag size  it's actually ' '  db ' '   Tag ID Whatever db ' '   0x20202020 - this should be enough to get rid of it for good db '    '   And were done here   Let's continue were we left, shall we  db  documentcookie , 0 db  , 0   _blank StringsEnd1  ActionsEnd  db 0   EndOfAction Flag end TAG_SHORT TAG_ShowFrame, 0 TAG_LONG TAG_End, MyEnd   End   12  6   768     0x3e   830 times  12  6   0x3e  -  -start  db 0xcc end  end_of_file  Of course ideally you wouldn't redirect the sanitizer into the middle of your AS JS payload, but it's just a PoC, so no sense thinking too much about it I guess  especially that it worked   IMAGE  Again, I would classify this as a stored wormable XSS Bug 3  unexploitable  Abusing the AES-128-CBC IV ------------------------------------------------- Let's document some failures as well   This bug did exist  so it wasn't a false-positive , but it turned out to be non-exploitable due to how bloated the SWF headers are Still, it's a pretty fun example of what you can attempt to do with crypto in certain, 
very specific, scenarios Let's start by discussing how Prezi is  was  loaded  I'll simplify it a little to focus on the important part  1 The website actually embeds a loader  called preziloader- swf  2 The loader fetches a 128-bit AES key and a 128-bit AES IV key from  api embed  yes, it's a relative path  3 The loader loads into a ByteArray the main module  main- swf from  prezicom  the domain is verified  4 The first 2064 bytes of the main SWF file are decrypted using AES-128-CBC, using the retrieved keys The rest of the bytes are already plain-text 5 The main SWF is loaded into the same security context This means that    We don't control main- swf at all   But we do control both AES key and IV And, whoever controls the AES-128-CBC IV, fully controls the first 16 bytes of the decrypted main- swf This is because AES in CBC mode works like this  1 Take the next 16-byte block 2 Decrypt the block using AES KEY and AES algorithm 3 XOR the result with the 16-byte IV and that's the decrypted block 4 GOTO 1 until end of data So basically  1 The we know the result of the decryption of the first block  we can just grab main- swf and decrypt it using either their AES key or a different key that will give  wrong  data, that doesn't really matter  2 And we can choose what to XOR it with  IV  So, basically, we choose the result of the decryption of the first block   and get trashed data in all the other blocks    - actually, if we think of the data as 16-byte rows, then we control one byte in each column, in a row of our choice  all bytes don't have to be in the same row There are a couple of important things to note    The IV gives us only 16-bytes to control   Doing some AES key brute forcing it might be possible to control additionally 2-5 bytes - however the time to get the additional bytes grows exponentially - it's 256 N operations  AES decryptions  basically, where N is the number of additional bytes we would like to control This is also tricky for another reason  it 
will create additional constraints for byte values due to the IV changes we will have to make    Prezi actually uses AES-128-CBC with PKCS 5, so padding bytes have to have the value of padding length  eg 5-byte padding has to look like this  05 05 05 05 05  And remember  if we choose a different key IV, the original padding will be destroy This can be bypassed by choosing such an IV, that the last byte in the last block is 0x00 or 0x01  then the padding is not checked because it's assumed that there is no padding at all, or it's a one-byte padding only  So this is not a huge problem   If we choose the ZWS format for the SWF file, Prezi loader is nice enough to fix the magic and file size in the SWF header, so that's 7 bytes we wouldn't have to worry about But there is an additional LZMA header which we would have to start worrying about, so it gives us nothing   Probably some of the bytes in the SWF header can have a broken value and the SWF will still work So we don't have to worry about these bytes To sum up  we would control about 18-21 bytes, wouldn't have to worry about a few more and everything else would be  random bytes   the result of decrypting data with wrong key and IV  Sadly thankfully  depending on the perspective  in the end this is not exploitable with SWFs, because one would need to control about 50 bytes of SWF to make a valid file that has some meaningful code which gives you code execution So close, but no cigar   Tools used ---------- In no particular order    Sothink SWF Decompiler - Pretty fast and accurate tool Had minor problems with a function or two, but that's still really good You can re-compile the code it generates without any changes at all  very useful for testing    JPEXS Free Flash Decompiler  aka FFDec  - A free and opensource SWF decompiler Takes its time when decompiling, but sometimes does a better job than Sothink It can also extract SWF files from process'  think  browser's  memory - this proved useful I didn't try to 
re-compile the code it generates   Netwide Assembler  aka NASM  - An x86 assembler which I commonly misuse to assemble non-complex binary files   Adobe Flex - Your basic ActionScript compiler   Python - For additional scripts and mini-tools   Firefox   Fiddler - HTTP communication monitoring And that's about it Let me know if you have any questions or if I got something wrong </description><link>http://www.secuobs.com/revue/news/505136.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/505136.shtml</guid></item>
<item><title>Video recording of my "Data, data, data" reverse-engineering webinar</title><description>Secuobs.com : 2014-03-19 14:58:24 - gynvael.coldwind vx.log (en) - As you probably know, we've run into some serious technical problems during the webinar (who would suspect a Hangouts outage, huh?), which caused both a 40 minute delay, changing the platform and some minor problems on the line (like lack of recording). So, as promised, I did record the talk again and I've just posted it on YouTube, to be enjoyed by everyone who couldn't see the live one, or decided to wait for the video for other reasons (the technical problems being a good one). Context: please refer to this post: "Data, data, data: I can't make bricks without clay" - A few practical notes on reverse-engineering. Direct YouTube link: click. The talk was done as part of the Garage4Hackers Ranchoddas Series (http://www.garage4hackers.com). Slides: here. Scripts, etc.: here. Once again sorry for the technical issues during the live talk. Let me know what you think about the talk (questions are welcome as well). Cheers,</description><link>http://www.secuobs.com/revue/news/503755.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/503755.shtml</guid></item>
<item><title>A free webinar on Reverse Engineering</title><description>Secuobs.com : 2014-03-11 09:59:41 - gynvael.coldwind vx.log (en) - Next week I will be doing a free webinar on Reverse Engineering - "Data, data, data: I can't make bricks without clay". I will focus on practical RE tips and tricks I'm using day-to-day, which generally speed up the whole process or are simply cool (imo). The webinar will be hosted by Garage4Hackers as part of the Ranchoddas Series; see the details below.

Title: "Data, data, data: I can't make bricks without clay" - Few practical notes on reverse-engineering (Sir Arthur Conan Doyle, The Adventure of the Copper Beeches, one of the Sherlock Holmes short stories)
Date: 17 March 2014
Time (Switzerland/EU aka UTC+01:00 aka CET aka GMT+1:00): 18:00
Time (IST aka GMT+5:30): 22:30
Time (other places): http://www.timeanddate.com/worldclock/fixedtime.html?iso=20140317T1700
Registration link: click

We will be sending out the video link via e-mail, once we have it - probably just before the webinar (we'll also post that link on the G4H forum/facebook/twitter, probably around here). The presentation will be focused on various practical tips and tricks that can speed up the process of reverse-engineering. The presented information will not be strictly tied to any specific platform or tool - most of it can be applied on any architecture or operating system.

Examples of topics:
- how to start with an unknown architecture
- debugger scripting
- creating your own useful tools
- etc.

Prerequisites:
- some reverse-engineering experience or general interest in reverse-engineering
- basic programming skills
- basic knowledge of how the CPU and operating systems work

[image: garage4hackers ranchoddas series poster]

Big thanks to the Garage4Hackers Team for organizing this! Let me know if you are planning to attend and see you there!</description><link>http://www.secuobs.com/revue/news/502222.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/502222.shtml</guid></item>
<item><title>My first ever podcast in English - solving Binathlon 400 CTF crackme</title><description>Secuobs.com : 2014-02-17 09:42:44 - gynvael.coldwind vx.log (en) - As some of you may know, I've published a little over a hundred podcasts in my native language and it seems I finally got around to try and record something in English. The podcast is about one of the solutions (and a lazy one at that) to the "HackMe" Binathlon 400 task (it was basically a ZX Spectrum crackme) from the Olympic CTF Sochi 2014 run by the MSLC. I hope you'll enjoy the video. Feel free to ask any questions (ideally in the YouTube comments) with regards to the task that you have. If you like the idea of me recording podcasts on security, reverse-engineering and programming related topics, let me know - I might make a habit out of it.</description><link>http://www.secuobs.com/revue/news/498232.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/498232.shtml</guid></item>
<item><title>FFmpeg and a thousand fixes</title><description>Secuobs.com : 2014-01-10 19:23:03 - gynvael.coldwind vx.log (en) - (Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind; a short version is available at the Google Online Security blog.) Following more than two years of work, the day has finally come - the FFmpeg project has incorporated more than a thousand fixes to bugs (including some security issues) we have discovered in the project thus far:

git log | grep Jurczyk | grep -c Coldwind
1120

As this event clearly marks an important day in our ongoing fuzzing effort, we decided to provide you with some background on one of the activities we are currently working on.

[image: FFmpeg repository logs with lots of "Found-by: j00ru and Gynvael"]

At Google, security is a top priority -- not only for our own products, but across the entire Internet. That's why members of the Google Security Team and other Googlers frequently perform audits of software and report the resulting findings to the respective vendors or maintainers, as shown in the official "Vulnerabilities - Application Security" list. We also try to employ the extensive computing power of our data centers in order to solve some of the security challenges by performing large-scale automated testing, commonly known as fuzzing. Back in December 2011 we were really inspired by Tobias Klein, his "Bug Hunter's Diary" book and specifically the "NULL POINTER FTW" section discussing the discovery and exploitation process of a write-what-where condition vulnerability identified by the author in one of the FFmpeg demuxers responsible for parsing 4X Media (4xm in short), with its source code residing in the libavformat/4xm.c source file. The security flaw was not difficult to find through manual analysis, since the affected code was contained within several continuous lines of text; while it was just a single example of a trivial programming error, it got us thinking. After all, if there was a simple vulnerability in a C module of less than 400 lines of code performing a relatively simple task, chances were there could have been more similar or less obvious problems in the entire FFmpeg codebase, currently at about 832,000 lines of code (and definitely with more than 0.5 MLOC back at the time). While reading about the 4xm demuxer vulnerability, we thought that we could help FFmpeg eliminate many potential low-hanging problems from the code by making use of the Google fleet and fuzzing infrastructure we already had in place. There were also several other reasons why we decided that taking the project as a fuzzing target would be a good idea:

- FFmpeg had a history of reliability and security issues prior to Tobias' discovery, see the FFmpeg Security website.
- Feeding input to the software and triggering relevant code paths was as trivial as using the standalone ffmpeg executable with appropriate command line options.
- The project was strictly about parsing complex, often proprietary file format structures in native C code - essentially, a paradise for any bug hunter. There were lots of dynamic allocations, arithmetic operations, indexing buffers based on input data, moving memory around and other operations known to be frequently prone to various types of programming mistakes. As a bonus, different parsing modules were developed by different contributors, typically with varying security awareness.
- Input data was readily available - the internet was full of audio/video files in a variety of formats and encoded with different codecs. There were also dedicated corpuses of files designed to be used for media decoder testing. Two examples of such data sets are samples.mplayerhq.hu and the FFmpeg FATE project.
- Roughly at the same time the Google-developed AddressSanitizer run-time memory error detector was gaining recognition. The utility offered instant and accurate detection of common classes of memory-related problems such as out-of-bounds read and write access to (stack, heap, static) arrays, use-after-free, invalid free, double free and more, at the cost of a 2-3x average slow down and some insignificant memory overhead. The utility seemed to be a perfect candidate for improving the detection rate of fuzzing-incurred errors which would otherwise not be detected at all or would manifest themselves in areas of code completely unrelated to the root cause location.
- As a bonus, the ASan team decided to make it compatible with FFmpeg at early stages of the development and later ran the ASan-instrumented FFmpeg over a set of valid input files (not malformed or mutated in any way). Only by doing this, they were able to identify four bugs (see "Found Bugs"), providing us with more evidence that the codebase might require further investigation in search of programming errors in dealing with incorrectly formatted input bitstreams.

All of the above arguments discuss how the nature of FFmpeg made it suitable for automated testing, but there is also the matter of whether finding and having bugs fixed in the product is worthwhile, or precisely, who would benefit from the improved security posture of the project. FFmpeg and its derivatives (such as the spin-off Libav project) are the foundation of many other media-processing programs used both by desktop PC users and companies alike. For a fairly comprehensive list of products built upon, relying on or using parts of FFmpeg, see http://ffmpeg.org/projects.html; notable examples include Google Chrome, MPlayer, VLC and xine. As a result, it was expected that any discovered and fixed bug would make millions of users directly or indirectly more secure, being enough of a justification to proceed and take the effort from idea to realization.

Before any fuzzing actually takes place, it is usually crucial for the success of the operation to gather a set of files with extensive code coverage, so that more (potentially unexpected) program states can be triggered during the fuzzing itself, spun off the original coverage. We approached the problem by collecting around 7,000 sample media files from the aforementioned samples.mplayerhq.hu website and the FFmpeg FATE regression test suite, later adding more exotic files from the public web in order to further improve the subset of formats and codecs covered by the corpus. Once we were finally happy with the total number of basic blocks touched while processing the test cases (being a good measure of the total code coverage achieved), we made use of some 2,000 cores and relatively simple algorithms (such as bitflipping, swapping bytes, truncating the files and so forth) to mutate the input data, feed it to FFmpeg and save information about any resulting crashes. The first fuzzing iteration ran for approximately one week and was able to uncover around 130 unique problems in the code, ranging from simple assertion failures to stack-based buffer overflows and other severe conditions:

- NULL pointer dereferences,
- Invalid pointer arithmetic leading to SIGSEGV due to unmapped memory access,
- Out-of-bounds reads and writes to stack, heap and static-based arrays,
- Invalid free() calls,
- Double free() calls over the same pointer,
- Division errors,
- Assertion failures,
- Use of uninitialized memory.

Our personal feeling is that between 10% and 20% of the problems could be considered easily exploitable security issues; however, the estimation has not been formally confirmed in any way. We subsequently contacted the project maintainer - Michael Niedermayer - who submitted the first fix on the 24th of January, 2012 (see commit c77be3a35a0160d6af88056b0899f120f2eef38e). Since then, we have carried out several dozen fuzzing iterations (each typically resulting in fewer crashes than the previous ones) over the last two years using similar resources, occasionally improving our original corpus and tweaking the mutation configuration (e.g. fiddling with mutation ratios or getting them to match the internal structure of the tested files). Ever since we started the effort, we have been working closely with Michael, who has been extremely keen to work with us and fix all issues we would send his way. The numbers speak for themselves - out of over a thousand commits submitted to FFmpeg as fixes to our findings, at least 750 were authored by Michael, which gives an outstanding average of one commit each single day for the last 23 months. We would like to thank him for all the work he has done and continues to do to improve the stability and security of the product; finding the bugs is just the start of a success. The other ~350 commits in FFmpeg were mostly submitted by Libav project developers: Ronald S. Bultje, Luca Barbato, Alex Converse, Martin Storsjö and Anton Khirnov. We have been concurrently reporting issues in Libav during the last several months and similarly to FFmpeg, the maintainers are doing a great job writing and submitting patches, which FFmpeg is also cherry-picking to their own git repository (large chunks of the two projects are shared, as Libav started as a fork of FFmpeg). While the former project is doing their best to catch up with the latter, the figures speak for themselves again: there are "only" 413 commits tagged "Jurczyk" or "Coldwind" in Libav, so even though some of the FFmpeg bugs might not apply to Libav, there are still many unresolved issues there which are already fixed in FFmpeg. Consequently, we advise users to use the FFmpeg upstream code where possible, or the latest stable version (currently 2.1.1) otherwise. It is also a good idea to carefully consider which formats and codecs are necessary for your use case and disable all other parsers during compilation time, in order to reduce the attack surface to a minimum. We are presently still improving our corpus and fuzzing methods and will continue to work with both FFmpeg and Libav to ensure the highest quality of the software as used by millions of users behind multiple media players. If interested in the effort, please keep an eye on the master branches for commits marked as "Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind" and watch out for new stable versions of the software packages. Hopefully, one day we will be able to declare both projects "fuzz clean" against most publicly available samples and simple mutation algorithms. Until then, we recommend to refrain from using either of the two projects to process untrusted media files or alternatively to use privilege separation on your PC or production environment, where absolutely required. Complete lists of developers who have ever submitted patches for bugs we identified in FFmpeg and Libav are shown below (sorted by the number of commits). They clearly illustrate that as of today, FFmpeg includes virtually all fixes developed for Libav, while Libav only has 50 out of a total of 750 Michael's commits (as previously mentioned, not all FFmpeg bugs affect Libav in the first place, though).

FFmpeg:
750 Michael Niedermayer
108 Ronald S. Bultje
91 Luca Barbato
77 Martin Storsjö
48 Anton Khirnov
29 Alex Converse
5 Kostya Shishkov
4 Thilo Borgmann
1 Vitor Sessak
1 Reinhard Tartler
1 Paul B Mahol
1 Mashiat Sarker Shakkhar
1 Mans Rullgard
1 Justin Ruggles
1 Janne Grunau
1 Aurelien Jacobs

Libav:
107 Ronald S. Bultje
89 Luca Barbato
77 Martin Storsjö
50 Michael Niedermayer
48 Anton Khirnov
27 Alex Converse
5 Kostya Shishkov
2 Thilo Borgmann
1 Vitor Sessak
1 Reinhard Tartler
1 Paul B Mahol
1 Mashiat Sarker Shakkhar
1 Mans Rullgard
1 Justin Ruggles
1 Janne Grunau
1 Aurelien Jacobs

We would like to thank all of the above developers for their hard work on making both media libraries better with every single day.</description><link>http://www.secuobs.com/revue/news/490891.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/490891.shtml</guid></item>
<item><title>English version of my ZIP-format slides</title><description>Secuobs.com : 2013-12-04 13:27:32 - gynvael.coldwind vx.log (en) - Ange reminded me that I never published the English version of the slides from my "Ten Thousand Traps: ZIP, RAR, etc" talk. I gave the talk in May this year, in Krakow, on a small Polish conference called SEConference. Apart from the slides there are also several "weird" ZIP examples, including a "schizophrenic" (as Ange calls them - and it's an accurate and easy to remember name) abstract.zip, which seems to contain different files while viewing it under various ZIP parsers/libraries/unpackers (see slides 24 to 27 for results). Download links: the slides (28 Mb), the weird zips (14 Kb). I don't have this talk recorded in English, but you can see the demos in the recording of my Polish talk (in Polish) - see below:
- DEMO 1 at 2:00 - Unreal Commander exploit (ZIP unpack path traversal into DLL spoofing due to wrong directory privileges)
- DEMO 2 at 12:23 - abstract.zip viewed from Python, PHP and Java
- DEMO 3 at 18:18 - File names in ZIP, exploit from DEMO 1 explained
- DEMO 4 at 21:15 - Files with the same name in ZIP
- DEMO 5 at 26:10 - Memory content disclosure in Unreal Commander
And that's it. PS. If you're into ZIP files, you might want to check out the Android "Master Key" bug (and others) - just google for it.</description><link>http://www.secuobs.com/revue/news/484210.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/484210.shtml</guid></item>
<item><title>Windows msvcr*.dll 64-bit strtod endptr integer overflow</title><description>Secuobs.com : 2013-11-23 02:29:03 - gynvael.coldwind vx.log (en) - Some time ago I was reading a random Python JSON parsing library which was partly implemented in C. At one point I thought I spotted a bug in custom float number parsing - I've written a short PoC to trigger it and it worked (i.e. crashed Python), but behaved differently than I expected it to and seemed to work only on Windows. So I got back to looking at the code and in the end decided it was only my imagination - there was no bug. So... why did that PoC actually work? It turned out that in some cases the library fell back to using the good-old strtod for float parsing instead and yes, there was a bug - in the underlying msvcrt.dll strtod implementation.

TL;DR:
- The strtod et al. (string-to-double) has a char **endptr output parameter, in which it stores the address of the next character after the parsed/converted-to-double number in the input buffer. This parameter is used by parsers to determine where to continue parsing after a number has been read.
- Since internally strtod (or actually _fltin2 and _wfltin2 which are used deep inside) uses a 32-bit int type to store the number-of-parsed-characters, the final calculation of endptr (startptr + number-of-parsed-characters) may result in an address that is outside (in front) of the input text buffer on 64-bit systems.
- This results in introducing DoS class, information leak class, or other types of bugs in parsers that rely on strtod and the endptr parameter.

Note: Both the glibc and MinGW (statically linked) strtod implementations don't have this bug - it's msvcr*.dll specific.
Note 2: PoCs are at the bottom.

Root cause
The direct problem is in the _flt structure used by the _fltin2 and _wfltin2 functions, which are used to do the actual string-to-double conversion in strtod etc. (see "Affected versions and functions" below). This structure looks as follows (Visual C++ CRT source code, file crt/src/fltintrn.h):

typedef struct _flt {
    int flags;
    int nbytes;      /* number of characters read */
    long lval;
    double dval;     /* the returned floating point number */
} *FLT;

This causes problems with overly long numbers on 64-bit platforms, since nbytes might overflow (for numbers of length &gt; 2GB, nbytes &lt; 0). A reasonably common way to use strtod in parsers (think: a JSON/XML/CSV/etc. parser) is to do something like this:

if (looks_like_a_double(p)) {
  char *ep;
  val = strtod(p, &amp;ep);
  /* errno checking */
  /* usage of val here */
  p = ep;
  continue;
}

This in fact leads to p pointing outside of the buffer (up to 2GB in front of the buffer) and the parsing continues there.

Impact
Since this is a low-level library function the impact depends on what it is used for. Here are a couple of examples (assuming that strtod is part of a parser that is passed untrusted input, e.g. a JSON or CSV file):
- Infinite loop DoS - if the input string is 4 GB long, the resulting end pointer will be identical to the start pointer, so the parser will jump into an infinite loop (strtod doesn't report any errors of course, since the number is correctly parsed).
- Crash DoS - setting the end pointer so that it points to unallocated memory (e.g. for a number of length 2GB the end pointer will be the start pointer minus 2GB, which probably points to some unallocated memory or isn't even a canonical pointer).
- Information disclosure - since you could redirect the "read pointer" of the parser to any buffer in memory that is on lower addresses than the start pointer, you could make it read arbitrary data from memory (if the read data would be later reflected back, you could fetch it back).
- Other - there might be other, less probable (but still possible) examples; one would be a more complicated scenario where the parsed text (code) is verified beforehand, and then parsed and executed. In such a case this bug could be used to redirect the parser to jump into e.g. the middle of a string/comment containing unsafe code (similar to jumping in the middle of an instruction in ROP, but on the scripting language level). This would make an awesome CTF challenge, but I don't expect it to be found in real products.

Affected versions and functions
64-bit Windows only. This has been confirmed on:
- default, fully patched Windows 7 msvcrt.dll
- msvcr90.dll, msvcr110.dll
- newest Visual Studio 2013 redistributables msvcr120.dll
- Windows 8.1 (preview) default msvcrt.dll
I guess we can extrapolate this to "all 64-bit versions".
Affected functions (generally "everything that directly or indirectly uses _flt.nbytes for anything meaningful"):
- _fltin2/_wfltin2 - these incorrectly calculate _flt.nbytes
- _strtod_l/_wcstod_l - these directly use _flt.nbytes
- strtod/wcstod - these are just wrappers for the above functions
- _Stodx/_Stod/_Stofx/_Stof - these use strtod
Worth looking for variants (e.g. __strgtold12_l/__strgtold12).

Proof of concept
This proof of concept prints the correct and the strtod-returned end pointer:

#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;

int main(void) {
  // SZ = INT_MAX + some more bytes
#define SZ 0x80000016
  char *number = (char*)malloc(SZ);
  memset(number, '1', SZ);
  number[SZ-1] = 'm';  // Break syntax
  number[1] = '.';     // This is probably not needed
  char *end_good = number + (SZ - 1);
  char *end_strtod;
  // strtod(number, &amp;end_strtod) is OK too
  // unless you use MinGW which uses its own strtod,
  // then it's better to just use _strtod_l for the PoC
  _strtod_l(number, &amp;end_strtod, NULL);
  printf("number     = %p\n", number);
  printf("end_good   = %p\n", end_good);
  printf("end_strtod = %p\n", end_strtod);
  // Example (faulty) results:
  // number     = 000000007FFF0040
  // end_good   = 00000000FFFF0055
  // end_strtod = FFFFFFFFFFFF0055
  return 0;
}

Real world example
A random JSON parser for Python with native code - ujson 1.33:

FASTCALL_ATTR JSOBJ FASTCALL_MSVC decodePreciseFloat(struct DecoderState *ds)
{
  char *end;
  double value;
  errno = 0;

  value = strtod(ds-&gt;start, &amp;end);

  if (errno == ERANGE)
  {
    return SetError(ds, -1, "Range error when decoding numeric as double");
  }

  ds-&gt;start = end;
 return ds-dec-newDouble ds-prv, value    And a crash DoS PoC in Python  27 AMD64  import ujson n    4     3 0x7fffffff x   ujsonloads n, precise_float True  WinDBG says   20881fa4  Access violation - code c0000005  first chance  ujson JSON_DecodeObject 0x8c  00000001 800050dc 8a0a mov cl,byte ptr  rdx  ds 00000001 00010061   rdx 0x100010061  Report I've reported the bug to Microsoft and the decision was to fix it in the future releases of Microsoft Visual C    Microsoft Windows I think that's OK, especially taking into account that the possibility of severe vulnerabilities appearing as a result of this Microsoft C runtime library bug is minimal  that said, if you find one, let me know   Timeline Note  A lot of e-mails were flying back and forth, so I'm not going to list all dates 2013-Aug-21  Send the report to Microsoft 2013-Sep-17  Confirmation that the bugs works as described and are planned to be fixed 2013-Oct-26  More information - the bug will be fixed in the next versions of msvcr dll 2013-Nov-13  Microsoft receives the draft of this blog post from me for comments 2013-Nov-23  Blogpost is public And that's it </description><link>http://www.secuobs.com/revue/news/482682.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/482682.shtml</guid></item>
<item><title>BlackHat USA 2013, Bochspwn, slides and pointers</title><description>Secuobs.com : 2013-08-14 03:09:47 - gynvael.coldwind vx.log  en  -  Collaborative post by Mateusz  j00ru  Jurczyk and Gynvael Coldwind  Two weeks ago  we're running late, sorry  j00ru and I had the pleasure to attend one of the largest, most technical and renowned c </description><link>http://www.secuobs.com/revue/news/462767.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/462767.shtml</guid></item>
<item><title>Crashing the Visual C++ compiler</title><description>Secuobs.com : 2013-06-24 22:08:34 - gynvael.coldwind vx.log  en  - In September last year I received a programming question regarding multi-level multiple same-base inheritance in C++, under one of my video tutorials on YouTube. I started playing with some tests and  </description><link>http://www.secuobs.com/revue/news/453358.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/453358.shtml</guid></item>
<item><title>Kernel double-fetch race condition exploitation on x86 - further thoughts</title><description>Secuobs.com : 2013-06-18 13:55:06 - gynvael.coldwind vx.log  en  -  Collaborative post by Mateusz  j00ru  Jurczyk and Gynvael Coldwind It was six weeks ago when we first introduced our effort to locate and eliminate the so-called double fetch  eg time-of-check-to-t </description><link>http://www.secuobs.com/revue/news/452049.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/452049.shtml</guid></item>
<item><title>PHP equal operator ==</title><description>Secuobs.com : 2013-01-02 16:04:42 - gynvael.coldwind vx.log  en  - The PHP equality operator (==) is (based on my experience) probably the weirdest and most overused comparison operator in popular programming languages. Looking back I had my attempts at trying to work  </description><link>http://www.secuobs.com/revue/news/419501.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/419501.shtml</guid></item>
<item><title>NetSock version 20121118</title><description>Secuobs.com : 2012-11-19 22:35:53 - gynvael.coldwind vx.log  en  - I've published the newest version of NetSock, my simple C++ socket library (think TCP and UDP) for Windows and Linux, that's distributed under the terms of Apache License, Version 2.0. There aren't ma </description><link>http://www.secuobs.com/revue/news/412327.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/412327.shtml</guid></item>
<item><title>cr-gpg 0.8.2, a couple of bugs</title><description>Secuobs.com : 2012-09-28 01:26:46 - gynvael.coldwind vx.log  en  - Seems a new version - 0.8.2 - of cr-gpg (the GPG browser extension for Gmail for Chrome) was released today, so a brief note on a few bugs I reported in late August. The cr-gpg extension for Chrome </description><link>http://www.secuobs.com/revue/news/402280.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402280.shtml</guid></item>
<item><title>nullcon 2012 CTF</title><description>Secuobs.com : 2012-09-17 00:58:50 - gynvael.coldwind vx.log  en  - Collaborative post by Gynvael Coldwind, Mateusz (j00ru) Jurczyk and Adam Iwaniuk. Friday, the 7th of September 2012 we were supposed to play the securitytraps.no-ip.org CTF. Unfortunately, the competi </description><link>http://www.secuobs.com/revue/news/399961.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399961.shtml</guid></item>
<item><title>CTF: securitytraps.no-ip.pl in September</title><description>Secuobs.com : 2012-08-04 02:38:55 - gynvael.coldwind vx.log  en  - Mateusz Pstruś (the owner of http://securitytraps.no-ip.pl - a site with a lot of interesting hackmes/challenges) has informed me that there will be a team Capture the Flag on Security Traps in Septe </description><link>http://www.secuobs.com/revue/news/391617.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391617.shtml</guid></item>
<item><title>Hello World in C without libraries or similar dependencies</title><description>Secuobs.com : 2012-07-12 10:37:04 - gynvael.coldwind vx.log  en  - Sometimes it's fun to forget about why an Undefined Behavior in C is bad and just write some code that works here   now, but not necessarily will work tomorrow  with a different compiler version o </description><link>http://www.secuobs.com/revue/news/386809.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386809.shtml</guid></item>
<item><title>Revisiting DLL shared sections Cygwin vulnerability</title><description>Secuobs.com : 2012-05-19 20:55:47 - gynvael.coldwind vx.log  en  - DLL shared sections have long been infamous for introducing security problems A few months ago I decided to take a look if one can still find applications that use PE modules with shared sections in  </description><link>http://www.secuobs.com/revue/news/376539.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/376539.shtml</guid></item>
<item><title>A post IGK'09 conference post</title><description>Secuobs.com : 2012-04-26 23:32:45 - gynvael.coldwind vx.log  en  - IGK is an annual game development conference in Poland and quite a fun one at that  not that I've been at many gamedev conferences  This year it started 29 of March and ended 1 of April in the evenin </description><link>http://www.secuobs.com/revue/news/372318.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/372318.shtml</guid></item>
<item><title>HITB Magazine #8</title><description>Secuobs.com : 2012-04-12 08:17:57 - gynvael.coldwind vx.log  en  - Just in case you missed it, HITB Magazine #8 is out (http://magazine.hitb.org). The PDF download link is on the right (2MB), and in addition you can order a printed copy at the bottom of the page. I' </description><link>http://www.secuobs.com/revue/news/369536.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/369536.shtml</guid></item>
<item><title>CPC464 1-to-2 joystick port splitter</title><description>Secuobs.com : 2012-03-19 01:19:41 - gynvael.coldwind vx.log  en  - Some time ago I've learned that you could connect two joysticks to the one-joystick-port CPC464  you know, the old 8-bit computer I've already mentioned in few posts  So, I decided to practice my ele </description><link>http://www.secuobs.com/revue/news/364400.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/364400.shtml</guid></item>
<item><title>The Tangled Web - lcamtuf strikes back</title><description>Secuobs.com : 2011-11-16 02:24:23 - gynvael.coldwind vx.log  en  - Michal Zalewski's  who is better known as lcamtuf  new book went public a couple of hours ago Since I was one of the lucky ones to get to see the book before it was published, I decided to write a sh </description><link>http://www.secuobs.com/revue/news/340897.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/340897.shtml</guid></item>
<item><title>32 colors</title><description>Secuobs.com : 2011-11-01 11:12:43 - gynvael.coldwind vx.log  en  - Recently I've stumbled on a review of a 1993 Amiga RPG game called Perihelion I've never played this game  which I've heard is pretty good btw , but after looking at the screenshots I was amazed by w </description><link>http://www.secuobs.com/revue/news/337980.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/337980.shtml</guid></item>
<item><title>The overdue NetSock release</title><description>Secuobs.com : 2011-10-13 12:47:52 - gynvael.coldwind vx.log  en  - NetSock is a simple socket networking lib wrapper for C  I've wrote back in 2007  or 2006, actually not sure  and update from time to time Even though I've been using it in random projects I'm relea </description><link>http://www.secuobs.com/revue/news/334537.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/334537.shtml</guid></item>
<item><title>PiXiEServ - a simple PXE server for home OS dev and research</title><description>Secuobs.com : 2011-10-08 15:32:07 - gynvael.coldwind vx.log  en  - A few years back, we've been  ie j00ru and Gynvael  working on a bootkit-related project  some polish SecDay'09 presentation slides can be found here  Bootkit vs Windowspdf  One of its basic requi </description><link>http://www.secuobs.com/revue/news/333579.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/333579.shtml</guid></item>
<item><title>String-to-Integer vs Unicode additional digit groups table</title><description>Secuobs.com : 2011-09-17 23:29:51 - gynvael.coldwind vx.log  en  - The interesting difference between ASCII and Unicode is that the first had only one group of digits defined  30h to 39h , and the latter defines 42 decimal digit groups  I think it actually defines mo </description><link>http://www.secuobs.com/revue/news/329521.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/329521.shtml</guid></item>
<item><title>LFI with phpinfo  assistance - a paper by Brett Moore</title><description>Secuobs.com : 2011-09-09 09:26:33 - gynvael.coldwind vx.log  en  - In march I've published some research related to Just another PHP LFI exploitation method that used the fact that the PHP engine stores  on disk  uploaded files  rfc1867  for a short period of time, e </description><link>http://www.secuobs.com/revue/news/327934.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/327934.shtml</guid></item>
<item><title>Security in HTML 5 and HTTP</title><description>Secuobs.com : 2011-08-07 21:22:16 - gynvael.coldwind vx.log  en  - For various reasons I've decided to take a deeper look at the evolving HTML 5 standard and related new HTTP extensions  or proposals of extensions  To tell you the truth, I was extremely surprised ab </description><link>http://www.secuobs.com/revue/news/321607.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/321607.shtml</guid></item>
<item><title>Random thoughts  4</title><description>Secuobs.com : 2011-08-01 00:18:14 - gynvael.coldwind vx.log  en  - Since I don't have any material for a bigger post, I decided to make another 'random thoughts' one, with a couple of smaller things discussed Table of Content for today  1 Bugs in terminal emu </description><link>http://www.secuobs.com/revue/news/320244.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320244.shtml</guid></item>
<item><title>Initialization of static variables</title><description>Secuobs.com : 2011-07-14 02:11:07 - gynvael.coldwind vx.log  en  - I never given too much thought to the problem of initialization of a in-function static variable in C C   mostly C  though  I just blindly assumed that the static variable works identically to a gl </description><link>http://www.secuobs.com/revue/news/316857.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316857.shtml</guid></item>
<item><title>Random bit flips in hardware and security</title><description>Secuobs.com : 2011-06-19 15:14:55 - gynvael.coldwind vx.log  en  - Some time ago I had a crazy funny idea for a local privilege escalation  run a privilege granting operation in an infinite loop and wait for a random bit flip in CPU RAM that would make a 'can this us </description><link>http://www.secuobs.com/revue/news/312207.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/312207.shtml</guid></item>
<item><title>JTLYK, HITB Magazine #6 is out</title><description>Secuobs.com : 2011-06-13 11:53:42 - gynvael.coldwind vx.log  en  - The important stuff: download: http://magazine.hackinthebox.org/issues/HITB-Ezine-Issue-006.pdf, some more info about the issue at j00ru's blog: http://j00ru.vexillium.org/?p=817. Content:   </description><link>http://www.secuobs.com/revue/news/310778.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310778.shtml</guid></item>
<item><title>Why NULL points to 0 </title><description>Secuobs.com : 2011-06-12 22:05:10 - gynvael.coldwind vx.log  en  - A few years ago I would answer the above question with  because NULL is defined as a void pointer to 0 , which is only half correct  and close to being wrong  The answer to this question is much more </description><link>http://www.secuobs.com/revue/news/310715.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310715.shtml</guid></item>
<item><title>Survey for a master thesis, plz fill</title><description>Secuobs.com : 2011-06-06 15:04:35 - gynvael.coldwind vx.log  en  - A friend of mine has asked me to ask on his behalf for filling of a survey for his master thesis The survey is about optimization of project build time https spreadsheetsgooglecom spreadsheet vi </description><link>http://www.secuobs.com/revue/news/309352.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309352.shtml</guid></item>
<item><title>Recon 2010 - video</title><description>Secuobs.com : 2011-04-07 05:16:00 - gynvael.coldwind vx.log  en  - A video recording of Unavowed's and mine lecture from Recon 2010 was published yestarday  about porting Syndicate Wars to modern OSes  You might  or might not   find this interesting   Recon 20 </description><link>http://www.secuobs.com/revue/news/296762.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296762.shtml</guid></item>
<item><title>PHP security, some links</title><description>Secuobs.com : 2011-03-22 09:36:58 - gynvael.coldwind vx.log  en  - Several links I've received in the last few days, related to PHP security PHP filesystem attack vectors PHP filesystem attack vectors - Take Two Local File Inclusion  LFI  of session files to  </description><link>http://www.secuobs.com/revue/news/293236.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/293236.shtml</guid></item>
<item><title>Just another PHP LFI exploitation method</title><description>Secuobs.com : 2011-03-18 23:26:09 - gynvael.coldwind vx.log  en  - A few days ago I had an interesting discussion with a friend  hi Felix   about methods of exploiting Local File Inclusion bug in PHP During it, an interesting idea came to my mind, about using temp </description><link>http://www.secuobs.com/revue/news/292721.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/292721.shtml</guid></item>
<item><title>int a   5  a   a     a  a    </title><description>Secuobs.com : 2011-02-06 01:42:25 - gynvael.coldwind vx.log  en  - I've received the title riddle from furio and I found it interesting enough to pass it during the next few days to everyone that might be even remotely interested in C C  problems The interesting th </description><link>http://www.secuobs.com/revue/news/283233.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/283233.shtml</guid></item>
<item><title>Windows, drivers, GS cookies and 1 bit of entropy</title><description>Secuobs.com : 2011-01-11 21:16:48 - gynvael.coldwind vx.log  en  - After the CVE-2010-4398 (win32k.sys stack-based buffer overflow, aka the "UAC bypassing exploit" published on Code Project) was published, a discussion appeared on the net (at least on the Polish side of the </description><link>http://www.secuobs.com/revue/news/277476.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277476.shtml</guid></item>
<item><title>Request for samples (research)</title><description>Secuobs.com : 2010-12-16 04:06:13 - gynvael.coldwind vx.log  en  - Quick request to anyone who has Windows (even on a VM): http://j00ru.vexillium.org/ticks  </description><link>http://www.secuobs.com/revue/news/272142.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/272142.shtml</guid></item>
<item><title>Various behavior of scanf/atoi/strtol</title><description>Secuobs.com : 2010-11-24 12:45:19 - gynvael.coldwind vx.log  en  - While discussing a few days ago a piece of code with aps, we've encountered some interesting (imho) differences in the implementation of atoi and (s/f)scanf between different versions of msvcrt (Micros </description><link>http://www.secuobs.com/revue/news/267158.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/267158.shtml</guid></item>
<item><title>Random  4</title><description>Secuobs.com : 2010-10-28 11:14:24 - gynvael.coldwind vx.log  en  - When I came up with the idea of the 'Random' series, I've also created a separate  notepad   in electronic form ofc , where I would note down things that I found interesting  a very subjective criteri </description><link>http://www.secuobs.com/revue/news/260547.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/260547.shtml</guid></item>
<item><title>PHP preg_match and UTF-8</title><description>Secuobs.com : 2010-10-16 20:17:45 - gynvael.coldwind vx.log  en  - A few days ago I've received a piece of PHP 5 code, and got asked if it's OK Basically, the code was validating user input, and was checking if only letters are used  both latin letters  A-Z  and add </description><link>http://www.secuobs.com/revue/news/257584.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/257584.shtml</guid></item>
<item><title>HITB eZine 004 is out</title><description>Secuobs.com : 2010-10-14 16:06:08 - gynvael.coldwind vx.log  en  - Yep, the fourth issue of the Hack In The Box Magazine is out  There is some cool stuff there, including a few reader chosen papers from previous issues http magazinehitborg issues HITB-Ezine-I </description><link>http://www.secuobs.com/revue/news/256964.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/256964.shtml</guid></item>
<item><title>Resolving macros in C C </title><description>Secuobs.com : 2010-10-13 16:20:41 - gynvael.coldwind vx.log  en  - Recently I'm working on some C  code that  ab uses many language features in a deep way, and hence, I found it necessary to do some digging to check if a given behavior is a result of standard fulfil </description><link>http://www.secuobs.com/revue/news/256581.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/256581.shtml</guid></item>
<item><title>Random #3</title><description>Secuobs.com : 2010-10-10 13:55:22 - gynvael.coldwind vx.log  en  - Yet another post with random stuff I found interesting. Mainly links, but also some assembly code (just some though). Have fun! - Programming: http://js1k.com/home Magic in 1024 characters, </description><link>http://www.secuobs.com/revue/news/255650.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255650.shtml</guid></item>
<item><title>Random #2</title><description>Secuobs.com : 2010-10-10 05:21:51 - gynvael.coldwind vx.log  en  - Another portion of things that I found interesting. Mostly (but not only) low-level stuff. - Research / Windows internals: http://www.piotrbania.com/all/articles/allocate_deadlock.txt  Why you  </description><link>http://www.secuobs.com/revue/news/255618.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255618.shtml</guid></item>
<item><title>Another GCC extensions and what I still miss in C C </title><description>Secuobs.com : 2010-10-08 16:54:29 - gynvael.coldwind vx.log  en  - Well, this was supposed to be another  Random  post, but as the typing went on, it grew quite long, so I've decided to post this as a normal post So, today's post will be about some new  ie new for </description><link>http://www.secuobs.com/revue/news/255356.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255356.shtml</guid></item>
<item><title>What's up at my workshop  Presenting, HWFramework</title><description>Secuobs.com : 2010-10-03 02:14:38 - gynvael.coldwind vx.log  en  - After this years CONFidence I came to conclusion that it would be fun to play with the old-school hardware software solutions, like ANTIC, P M, HAM6, etc So, how to do that  The obvious way is to  </description><link>http://www.secuobs.com/revue/news/253814.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/253814.shtml</guid></item>
<item><title>How NOT to hide your face</title><description>Secuobs.com : 2010-10-03 02:14:38 - gynvael.coldwind vx.log  en  - Yesterday I've received a photo from a friend, in JPEG format The face of the person on the photo was concealed by a black rectangle And that would be the end of the story, if my friend didn't notic </description><link>http://www.secuobs.com/revue/news/253813.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/253813.shtml</guid></item>
<item><title>Random  1</title><description>Secuobs.com : 2010-10-03 02:14:38 - gynvael.coldwind vx.log  en  - Some time ago I've considered publishing brief posts with links to interesting  from my PoV  stuff, useful  again, from my PoV  tips tricks, and other short stuff that doesn't really fill a fully- </description><link>http://www.secuobs.com/revue/news/253812.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/253812.shtml</guid></item>
<item><title>CONFidence 2010 - video from our lecture about the Windows vulnerabilities</title><description>Secuobs.com : 2010-07-21 17:19:15 - gynvael.coldwind vx.log  en  - The videos from some CONFidence 2010 lectures has been published Inter alia, the video from my and j00ru's lecture  Case study of recent Windows vulnerabilities  is available The video is in a downl </description><link>http://www.secuobs.com/revue/news/242481.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/242481.shtml</guid></item>
<item><title>Just some old PHP research</title><description>Secuobs.com : 2010-07-20 15:54:12 - gynvael.coldwind vx.log  en  - Yesterday in the night we've published  on j00ru's blog  some old, low severity, PHP advisories  well, they are more research papers than actual advisories  Basically we've done the research to test  </description><link>http://www.secuobs.com/revue/news/242074.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/242074.shtml</guid></item>
<item><title>HiperDrop 0.0.1</title><description>Secuobs.com : 2010-07-20 01:18:12 - gynvael.coldwind vx.log  en  - Looking through my directories I've found some tools that I've kept hidden in my desk, unpublished for some strange reasons. I'm thinking about finalizing the basic functionality of these, and finally </description><link>http://www.secuobs.com/revue/news/241882.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/241882.shtml</guid></item>
<item><title>Hispasec, time to move on</title><description>Secuobs.com : 2010-07-18 22:09:08 - gynvael.coldwind vx.log  en  - The evening of 12 December 2006 I've written on my OpenRCE blog a post, in which I've explained that I'm looking for a job as a reverse engineer   programmer After a few hours I've got an e-mail from </description><link>http://www.secuobs.com/revue/news/241518.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/241518.shtml</guid></item>
<item><title>RECON - slideshow</title><description>Secuobs.com : 2010-07-10 00:56:04 - gynvael.coldwind vx.log  en  - A very short post - the slides from our presentation at RECON 2010 about the Syndicate Wars Port: recon_swars.pdf (1MB). I'll write more later.   </description><link>http://www.secuobs.com/revue/news/239294.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/239294.shtml</guid></item>
<item><title>CONFidence 2010 slides and original vulnerability advisories</title><description>Secuobs.com : 2010-05-30 12:28:08 - gynvael.coldwind vx.log  en  - Just a short  almost copy-pasted from j00ru's blog  post with the original advisories of the vulnerabilities we've talked about on CONFidence  and earlier on Hack In The Box Dubai , with slides used b </description><link>http://www.secuobs.com/revue/news/227001.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/227001.shtml</guid></item>
<item><title>RECON 2010 - paper accepted</title><description>Secuobs.com : 2010-05-05 19:53:19 - gynvael.coldwind vx.log  en  - A few months ago we've  with Unavowed  sent a submission for the CFP for RECON, a Canadian  Montreal  conference that takes place from 9th till 11th July Yesterday our topic was published on the offi </description><link>http://www.secuobs.com/revue/news/219144.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/219144.shtml</guid></item>
<item><title>HITB Dubai PDF and CONFidence 2010 in Krakow</title><description>Secuobs.com : 2010-04-22 18:39:58 - gynvael.coldwind vx.log  en  - A few moments ago I've finished my talk at Hack In The Box in Dubai, at which I couldn't of course be in the flesh, since mr. Eyjafjallajökull canceled my flights, hence I've presented by phone and liv </description><link>http://www.secuobs.com/revue/news/214979.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/214979.shtml</guid></item>
<item><title>Volcano in the backyard and HITB Dubai</title><description>Secuobs.com : 2010-04-19 10:56:04 - gynvael.coldwind vx.log  en  - Well it looks like that, due to the mess that the Island volcano Eyjafjoell made, they canceled my flights to Dubai As a reminder - I was going to give a speech on the Hack In The Box conference a </description><link>http://www.secuobs.com/revue/news/213573.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213573.shtml</guid></item>
<item><title> HISPASEC Research  Windows Kernel Vulnerabilities x5  </title><description>Secuobs.com : 2010-04-13 21:55:57 - gynvael.coldwind vx.log  en  - I've already written, in February, about the first vulnerability found by our team  that would be j00ru and me  Today, Microsoft has published reports about 5 more  well, there were 6 actually, but M </description><link>http://www.secuobs.com/revue/news/211679.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/211679.shtml</guid></item>
<item><title>Hack In The Box 2010 Dubai,  Case study of recent Windows vulnerabilities </title><description>Secuobs.com : 2010-02-22 16:58:06 - gynvael.coldwind vx.log  en  - About a month ago I've sent a CFP submission for the Hack In The Box 2010 Dubai conference, and yesterday I've officially got informed that my lecture was accepted  So, it looks like I'll be speaking  </description><link>http://www.secuobs.com/revue/news/194200.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/194200.shtml</guid></item>
<item><title>Microsoft Windows CSRSS Local Privilege Elevation Vulnerability</title><description>Secuobs.com : 2010-02-10 14:03:00 - gynvael.coldwind vx.log  en  - Today is Exploit Wednesday, so it means that yesterday was Patch Tuesday So, as every month, Microsoft published Microsoft Security Bulletin Summary  for February 2010  and a couple of patches One o </description><link>http://www.secuobs.com/revue/news/190439.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/190439.shtml</guid></item>
<item><title>Syndicate Wars Port - a reverse-engineering tale</title><description>Secuobs.com : 2010-01-26 01:50:35 - gynvael.coldwind vx.log  en  - Syndicate Wars is a game published in 1996, created by Bullfrog The game was written in C  Watcom  for the DOS4GW DOS extender And of course it has stopped working natively  ie without emulators l </description><link>http://www.secuobs.com/revue/news/185264.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/185264.shtml</guid></item>
<item><title>GDT and LDT in Windows kernel vulnerability exploitation</title><description>Secuobs.com : 2010-01-17 03:40:30 - gynvael.coldwind vx.log  en  - A few weeks ago j00ru has visited me, and, as one can figure out, some more or less interesting ideas came to be One of such ideas was to use the Call-Gate mechanism in kernel driver exploit developm </description><link>http://www.secuobs.com/revue/news/182488.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/182488.shtml</guid></item>
<item><title>HITB Magazine (ezine) #1</title><description>Secuobs.com : 2010-01-11 19:14:46 - gynvael.coldwind vx.log  en  - The Hack In The Box ezine, which was published in the years 2000-2005 (37 issues total), has been revived. The newest issue contains 6 articles (including mine), which gives 44 pages of text, in PDF  l </description><link>http://www.secuobs.com/revue/news/180294.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/180294.shtml</guid></item>
<item><title>DR6 may or may not be useful for bochs VirtualPC detection</title><description>Secuobs.com : 2010-01-05 21:29:16 - gynvael.coldwind vx.log  en  - This post will be similar to the previous one, and will be about small, but interesting, details of x86 architecture, that might be  and sometimes are  easily overlooked by creators of emulators and v </description><link>http://www.secuobs.com/revue/news/178489.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/178489.shtml</guid></item>
<item><title>Google Go, my thoughts and a simple raytracer</title><description>Secuobs.com : 2009-12-29 19:13:32 - gynvael.coldwind vx.log  en  - About two days ago the net started to fill with information about a new programming language, created by people at Google. The language is called Go, and is something between a low-level language lik </description><link>http://www.secuobs.com/revue/news/176472.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176472.shtml</guid></item>
<item><title>Windows Win32k syscall table</title><description>Secuobs.com : 2009-12-29 19:13:32 - gynvael.coldwind vx.log  en  - Just a quick info: j00ru has published on his blog a syscall number/name table for the Win32k syscall shadow table (user32.dll, gdi32.dll and DirectX use it) - http://j00ru.vexillium.org/win32k_syscal </description><link>http://www.secuobs.com/revue/news/176471.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176471.shtml</guid></item>
<item><title>CONFidence 2.0, slideshow, SilkProxy 001</title><description>Secuobs.com : 2009-12-29 19:13:32 - gynvael.coldwind vx.log  en  - Below I present the download links for the slideshow (PDF) from my "Practical security in computer games" lecture, and a 001 alpha version of SilkProxy. A few more words about that last position: it </description><link>http://www.secuobs.com/revue/news/176470.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176470.shtml</guid></item>
<item><title>BSWAP + 66h prefix</title><description>Secuobs.com : 2009-12-29 19:13:32 - gynvael.coldwind vx.log  en  - In the last few days I've been playing with osdev again (last time I've coded something more than a boot menu (sorry, PL) was in 2003), so expect a few posts about assembler, x86 emulators and simila </description><link>http://www.secuobs.com/revue/news/176469.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/176469.shtml</guid></item>
<item><title>PHP getimagesize internals (part 3): PNG</title><description>Secuobs.com : 2009-10-14 12:13:43 - gynvael.coldwind vx.log  en  - Seems I'm a little behind on the English side of the mirror, so it's time to fix that with another PHP internals topic. This time I'll tell you the story of the PNG format, of course in the context of </description><link>http://www.secuobs.com/revue/news/150328.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/150328.shtml</guid></item>
<item><title>My first laptop - Bondwell B200 (CPU 80C88)</title><description>Secuobs.com : 2009-09-03 10:39:21 - gynvael.coldwind vx.log  en  - And now for something completely different - my first laptop. It wasn't a Pentium as some might suspect. It wasn't even a 386. No, it was something even older. If you are interested in computer arche </description><link>http://www.secuobs.com/revue/news/137298.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/137298.shtml</guid></item>
<item><title>PHP getimagesize internals (part 2): GIF</title><description>Secuobs.com : 2009-08-29 12:06:48 - gynvael.coldwind vx.log  en  - Time has come to write the second part of the PHP getimagesize story (yes, that means that there was a first part *grin*). This time I'll focus more on what getimagesize is supposed to do - on acquiri </description><link>http://www.secuobs.com/revue/news/135875.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/135875.shtml</guid></item>
<item><title>PHP getimagesize internals (part 1)</title><description>Secuobs.com : 2009-08-28 13:11:26 - gynvael.coldwind vx.log  en  - The getimagesize function is, in my humble opinion of course, one of the most interesting functions of the standard PHP library (yes, the standard library, even while its documentation is placed amon </description><link>http://www.secuobs.com/revue/news/135540.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/135540.shtml</guid></item>
<item><title>D-Link DI-524 and 2v2 in StarCraft</title><description>Secuobs.com : 2009-08-26 11:08:15 - gynvael.coldwind vx.log  en  - Today's post will be about something totally different. Mainly, I have had a new SOHO router for half a year or so at my place - yep, the D-Link DI-524 (rev B), which replaced my old DI-604 (which I li </description><link>http://www.secuobs.com/revue/news/134639.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/134639.shtml</guid></item>
<item><title>A step beyond the drivers\etc\hosts file</title><description>Secuobs.com : 2009-08-08 05:07:54 - gynvael.coldwind vx.log  en  - (Be sure to check out the demonstration video at the bottom of the page.) Two months ago I wrote about banker trojans, that some change DNS settings, others add a list of domains (used by financial </description><link>http://www.secuobs.com/revue/news/129137.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/129137.shtml</guid></item>
<item><title>RAND_MAX-related misinterpretation, and Art of File 3D</title><description>Secuobs.com : 2009-07-15 02:10:28 - gynvael.coldwind vx.log  en  - Today I'll write about an interesting mistake (or misinterpretation in this case) I've spotted in my friend's code, and also I'll mention a certain link I found in the referrers. I'll start with the link </description><link>http://www.secuobs.com/revue/news/120636.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/120636.shtml</guid></item>
<item><title>Random thoughts, 2nd edition</title><description>Secuobs.com : 2009-07-12 19:40:32 - gynvael.coldwind vx.log  en  - For some random reasons my blog became quiet recently, but don't worry, it's only temporary. It's time to catch up, and write about this and that. PHP as a preprocessor not only for HTML. Recently </description><link>http://www.secuobs.com/revue/news/119767.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/119767.shtml</guid></item>
</channel>
</rss>