HackerOne – Telegram
HackerOne
@HackerOne
11K subscribers
644 photos
31 videos
79 files
2.74K links
Community : @Sec0x01
@Bug0x
Download Telegram
About
Blog
Apps
Platform
Join
HackerOne
11K subscribers
HackerOne
CVE-2017-17712 net/ipv4/raw.c: raw_sendmsg() race condition

#######   BUG DETAILS  ############
in net/ipv4/raw.c:
static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)

{
  ...

  struct raw_frag_vec rfv;         [1]
  ...
  ...

  if (!inet->hdrincl) {           [2]

    rfv.msg = msg;
    rfv.hlen = 0;
    err = raw_probe_proto_opt(&rfv, &fl4);
    if (err)
      goto done;
  }
  ...
  ...
  if (inet->hdrincl)  [3]
    err = raw_send_hdrinc(sk, &fl4, msg, len,
              &rt, msg->msg_flags, &ipc.sockc);
   else {
    sock_tx_timestamp(sk, ipc.sockc.tsflags, &ipc.tx_flags);
    if (!ipc.addr)
      ipc.addr = fl4.daddr;
    lock_sock(sk);
    err = ip_append_data(sk, &fl4, raw_getfrag,
             &rfv, len, 0,    [4]
             &ipc, &rt, msg->msg_flags);
  ...
}


[1] rfv is not initialized and contains a pointer to a msghdr header structure.
[2], [3] There are multiple checks against inet->hdrincl without a lock.

When we achieve (by racing inet->hdrincl via setsockopt()) inet->hdrincl=1 in [1], and inet->hdrincl=0 in [2], rfv variable remains uninitialized and used in [4].
By spraying the stack with controlled user data , we can take control of msg pointer which is used later in ip_append_data().

Fixed here : https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
775 viewsRamin Farajpour Cami
HackerOne
The 2017 SANS Holiday Hack Challenge
https://holidayhackchallenge.com/2017/
799 viewsAwdel יהונתן
HackerOne
https://youtu.be/RWw1UTeZee8
YouTube
Boxug/Trape (SQL Injection and taking over the hacker's SQLite Tracking database PoC) - Part 1
729 viewsRamin Farajpour Cami
HackerOne
https://twitter.com/taviso/status/941724872169766912
Twitter
Tavis Ormandy
Everyone wants there to be simple answers in security, but sometimes there are no simple answers.
680 viewsRamin Farajpour Cami
HackerOne
https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/
Kevin Chung
RFID Hacking with The Proxmark 3
Radio-frequency identification (RFID) is a widely used technology for the
tracking and identification of objects that have been "tagged" with small RFID
tags. These tags often come in the shape of little keychains, cards, and
stickers. They can be seen in…
655 viewsAmir OFFensive
HackerOne
Docker container for django development in Ubuntu 17.10 #Tutorial

https://github.com/raminfp/docker_django
GitHub
raminfp/docker_django
docker_django - Docker container for django development in Ubuntu 17.10
657 viewsRamin Farajpour Cami
HackerOne
http://www.mediafire.com/download/u3h9z522snygr5f/TOR_Browser_Handbook.pdf
MediaFire
TOR Browser Handbook
MediaFire is a simple to use free service that lets you put all your photos, documents, music, and video in a single place so you can access them anywhere and share them everywhere.
698 viewsعلیرضا هستم.
HackerOne
https://www.coresecurity.com/blog/making-something-out-zeros-alternative-primitive-windows-kernel-exploitation
Coresecurity
Making something out of Zeros: Alternative primitive for Windows Kernel Exploitation
While working on the NVIDIA DxgDdiEscape Handler exploit, it became obvious that The GDI primitives approach discussed the last couple of years would be of no help to reliably exploit this vulnerability. So we came up with another solution: We could map some…
796 viewsعلیرضا هستم.
HackerOne
Ransomware Decryption Tools Link List (in Persian)
https://cysec-co.com/ir/ransomware-decryption-tools
Cysec-Co
بانک ابزار رمزگشایی باج افزار - اطلاعات خود را رایگان بازگردانید
اگر کامپیوتر شما به باج افزار آلوده شود چه کاری انجام می دهید ؟ آیا پرداخت انجام می دهید و یا به دنبال ابزار رمزگشایی باج افزار می گردید؟ چنانچه شما قصد تسلیم شدن در مقابل باج
961 viewsعلیرضا هستم.
HackerOne
https://blogs.securiteam.com/index.php/archives/3569
816 viewsAmir OFFensive
HackerOne
https://github.com/ctfs/write-ups-2015/tree/master/32c3-ctf-2015/web/kummerkasten-300
GitHub
ctfs/write-ups-2015
Wiki-like CTF write-ups repository, maintained by the community. 2015 - ctfs/write-ups-2015
748 viewsAmir OFFensive
HackerOne
https://www.kaspersky.com/blog/loapi-trojan/20510/
Kaspersky
Loapi — this Trojan is hot!
The new Loapi Trojan will recruit your smartphone for DDoS attacks, bombard it with ads, or use it to mine cryptocurrency, making it red-hot.
650 viewsعلیرضا هستم.
HackerOne
http://securityscrapbook.com/2016/12/17/cuckoo-sandbox-installation-configuration-guide/
669 viewsAmir OFFensive
HackerOne
https://www.youtube.com/watch?v=mkv8aoJzGSo
YouTube
Exploiting Insecure Cross Origin Resource Sharing ( CORS ) | api.artsy.net
Insecure CORS Artsy [ api.artsy.net ]
Exploiting Insecure Cross Origin Resource Sharing ( CORS ) | api.artsy.net



Thanks,

Muhammad Khizer Javed
https://bugcrowd.com/MuhammadKhizerJaved
https://hackerone.com/babayaga_
654 viewsAmir OFFensive
HackerOne
Code Execution Flaws Patched in Several VMware Products
http://feedproxy.google.com/~r/Securityweek/~3/RZIW08BqLtg/code-execution-flaws-patched-several-vmware-products

VMware has released patches and updates for its ESXi, vCenter Server Appliance (vCSA), Workstation and Fusion products to address a total of four vulnerabilities, including ones that can be exploited for arbitrary code execution.
read more (http://www.securityweek.com/code-execution-flaws-patched-several-vmware-products)
Securityweek
Code Execution Flaws Patched in Several VMware Products | SecurityWeek.Com
VMware patches code execution and other vulnerabilities in ESXi, vCenter Server Appliance, Workstation and Fusion products
583 viewsיהונתן
HackerOne
Code Execution Flaws Patched in Several VMware Products
http://feedproxy.google.com/~r/Securityweek/~3/RZIW08BqLtg/code-execution-flaws-patched-several-vmware-products

VMware has released patches and updates for its ESXi, vCenter Server Appliance (vCSA), Workstation and Fusion products to address a total of four vulnerabilities, including ones that can be exploited for arbitrary code execution.
read more (http://www.securityweek.com/code-execution-flaws-patched-several-vmware-products)
Securityweek
Code Execution Flaws Patched in Several VMware Products | SecurityWeek.Com
VMware patches code execution and other vulnerabilities in ESXi, vCenter Server Appliance, Workstation and Fusion products
687 viewsיהונתן
HackerOne
Trend Micro Smart Protection Server Multiple Vulnerabilities
https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
Coresecurity
Trend Micro Smart Protection Server Multiple Vulnerabilities | CoreLabs Advisories
1. Advisory Information Title: Trend Micro Smart Protection Server Multiple VulnerabilitiesAdvisory ID: CORE-2017-0008Advisory URL: https://www.coresecurity.com/core-labs/advisories/trend-micro-smart-protection-server-multiple-vulnerabilitiesDate published:…
756 viewsיהונתן
HackerOne
Reversing EVM bytecode with radare2 – ICO Security
https://blog.positive.com/reversing-evm-bytecode-with-radare2-ab77247e5e53
Medium
Reversing EVM bytecode with radare2
Howdy ya’ll. Today we will look into the insides of Ethereum Virtual Machine (EVM), how Solidity language is translated into bytecode, how…
800 viewsיהונתן
HackerOne
https://hawkinsecurity.com/2017/12/13/rce-via-spring-engine-ssti/
756 viewsAmir OFFensive
HackerOne
https://github.com/blechschmidt/massdns
GitHub
GitHub - blechschmidt/massdns: A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) - blechschmidt/massdns
816 viewsAmir OFFensive
HackerOne
https://github.com/x-Ai/BurpUnlimitedre
GitHub
x-Ai/BurpUnlimitedre
This project !replace! BurpUnlimited of depend (BurpSutie version 1.7.27). It is NOT intended to replace them! - x-Ai/BurpUnlimitedre
927 viewsAmir OFFensive