2010

Season’s Greetings

To all our customers, staff (past and present), business partners, friends and associates I’d like to wish a joyous and peaceful festive season. What started out as a depression is slowly becoming a success and I thank you for all your support during this past year. I look forward to seeing you all again soon and sharing with you an exciting and prosperous 2011!

Internal spotlight

As the year winds down, it’s time to mention a few internal victories that are fun to share: Daniel Cuthbert and Rogan Dawes (both staunch OWASP proponents) have joined our assessment team, which is a big boost. Welcome guys! Glenn Wilkinson, a lead analyst, had his Master’s thesis listed on Amazon. Dominic White was interviewed in all his glory on .za teevee over WikiLeaks.

Playing with Python Pickle #3

[This is the third in a series of posts on Pickle. Links to parts one and two.] Thanks for stopping by. This is the third posting on the bowels of Python Pickle, and it’s going to get a little more complicated before it gets easier. In the previous two entries I introduced Pickle as an attack vector present in many memcached instances, and documented tricks for executing OS commands across Python versions as well as a mechanism for generically calling class instance methods from within the Pickle VM.

Playing with Python Pickle #2

[This is the second in a series of posts on Pickle. Link to part one.] In the previous post I introduced Python’s Pickle mechanism for serializing and deserializing data and provided a bit of background regarding where we came across serialized data, how the virtual machine works and noted that Python intentionally does not perform security checks when unpickling. In this post, we’ll work through a number of examples that depict exactly why unpickling untrusted data is a dangerous operation. Since we’re going to handcraft Pickle streams, it helps to have an opcode reference handy; here are the opcodes we’ll use:

Playing with Python Pickle #1

In our recent memcached investigations (a blog post is still in the wings) we came across numerous caches storing serialized data. The caches were not homogeneous and so the data was quite varied: Java objects, ActiveRecord objects from RoR, JSON, pre-rendered HTML, .Net serialized objects and serialized Python objects. Serialized objects can be useful to an attacker from a number of standpoints: such objects could expose data where naive developers use the objects to hold secrets and rely on the user to proxy the objects between parts of an application. In addition, altering serialized objects could affect the deserialization process, leading to compromise of the system on which the deserialization takes place.
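Only the openings of the three Pickle posts survive on this page, so here is an added, self-contained Python 3 illustration of the point they make (written for this archive, not SensePost’s own code): a GLOBAL/MARK/TUPLE/REDUCE stream hand-assembled from opcodes, fed first to an unrestricted pickle.loads and then to an Unpickler whose find_class allowlist refuses it. The crafted stream calls os.getcwd rather than os.system so it is harmless to run; the function names, the allowlist contents and the sample arguments are this example’s own assumptions.

```python
import io
import pickle


def build_call_pickle(module: str, name: str, *string_args: str) -> bytes:
    """Hand-assemble a protocol-0 Pickle stream that calls module.name(*string_args).

    Opcodes used (argument lines are newline-terminated):
      c<module>\\n<name>\\n  GLOBAL : push the object module.name (resolved via find_class)
      (                     MARK   : remember the current stack position
      S'<text>'\\n          STRING : push one str argument
      t                     TUPLE  : pop everything back to MARK into a tuple
      R                     REDUCE : pop (callable, args) and push callable(*args)
      .                     STOP   : return the top of the stack
    Nothing verifies this stream: whatever GLOBAL names gets called by REDUCE.
    """
    stream = b"c" + module.encode() + b"\n" + name.encode() + b"\n"
    stream += b"("
    for arg in string_args:
        # repr() yields a quoted, escaped literal, which is what STRING expects.
        stream += b"S" + repr(arg).encode() + b"\n"
    stream += b"tR."
    return stream


def unsafe_load(data: bytes):
    """What most cache-reading code does: pickle.loads with no restrictions."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves an explicit allowlist of (module, name) globals.

    Every GLOBAL opcode goes through find_class, so refusing unknown names here
    stops the crafted stream before REDUCE ever gets a callable to invoke.
    """

    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = frozenset(allowed)

    def find_class(self, module, name):
        if (module, name) in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_load(data: bytes, allowed):
    return RestrictedUnpickler(io.BytesIO(data), allowed).load()


def demo() -> dict:
    """Run one crafted stream through both loaders and report what happened."""
    # Harmless stand-in for os.system: identical opcode shape, no side effects.
    payload = build_call_pickle("os", "getcwd")
    results = {"payload": payload, "unsafe_result": unsafe_load(payload)}
    try:
        # Allowlist deliberately does not contain ("os", "getcwd").
        safe_load(payload, allowed={("builtins", "set")})
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    return results


if __name__ == "__main__":
    r = demo()
    print("stream :", r["payload"])
    print("unsafe :", r["unsafe_result"])
    print("blocked:", r["restricted_blocked"])
```

The allowlist is a mitigation, not a fix: an allowed class can still carry a dangerous __reduce__, and the standard-library documentation’s actual advice is to never unpickle bytes you do not trust. For a cache that other clients can write to, the robust options are a data-only format such as JSON, or authenticating each stored blob (for example with an HMAC keyed by the application) so that a tampered entry is rejected before it reaches the unpickler at all.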

Black Hat Abu Dhabi – Full … NOT!

The bad news is that our course at Black Hat Abu Dhabi is completely full. The good news is … they’ve given us a bigger room! So if you’ve been told the course is full, or if you haven’t registered yet, please do it quickly before it fills up again. Problems? Please contact us or mail training[at]sensepost[dot]com.

Analysis of a UDP worm

Introduction

From time to time I like to delve into malware analysis as a pastime and post interesting examples, and recently we received a malware sample that had a low detection rate. Anti-Virus coverage was 15/43 (35.7%) based on a virustotal.com report and Norman sandbox did not detect any suspicious activity, as shown in the report below: Norman sandbox report did not show any registry or network activity. This might be due to the use of virtual CPU or sandbox bypass techniques by the malware. Sunbelt sandbox was down at the time of the analysis.

SensePost Training in November

Our next scheduled training sessions have been planned for November. If you’re interested in attending, the dates and locations are:

1) HBN Bootcamp Edition, 7-9th November, Black Hat Abu Dhabi

‘Hacking By Numbers – Bootcamp Edition’ is our ‘introduction to hacking’ course. It is strongly method-based and emphasizes structure, approach and thinking over tools and tricks. The course is popular with beginners, who gain their first view into the world of hacking, and experts, who appreciate the sound, structured approach.

Gitex 2010 Dubai

At the invitation of the South African Department of Trade and Industry, SensePost will form part of a South African delegation at GITEX 2010 from 17-21 October 2010:

Dubai International Convention and Exhibition Centre (DICEC)
Dubai, United Arab Emirates
Hall 5, Stand C6-20B

If you are in Dubai or intend to visit the GITEX event, come over and visit me, Shane Kemp, at the SensePost stand. http://www.sensepost.com/gitex

Hacking By Numbers – South Africa – September ’10

From the team that won the world’s first Soccer Hack Cup, we bring you the latest and greatest in computer hacking training: SensePost Hacking By Numbers Extended Edition, a local course that combines two of the brand new courses we just finished presenting at Black Hat Las Vegas. The training will be offered in Brooklyn, Pretoria from 14 – 17 September 2010. Here’s how it will work:

14 – 15 September: Cadet Edition
16 – 17 September: Bootcamp Edition

Ok ok ok, so Pretoria is not exactly Vegas, but the courses are fresh and updated and packed full of exciting new content, tools and techniques.