Remote control manager FAIL

Hey guys, Today, I thought it'd be fun to take a good look at a serious flaw in some computer-management software. Basically, the software is designed for remotely controlling systems on networks (for installing updates or whatever). As far as I know, this vulnerability is currently unpatched; there are allegedly mitigations, but you have to […]

A deeper look at ms11-058

Hey everybody, Two weeks ago today, Microsoft released a bunch of bulletins for Patch Tuesday. One of them - ms11-058 - was rated critical and potentially exploitable. However, according to Microsoft, this is a simple integer overflow, leading to a huge memcpy leading to a DoS and nothing more. I disagree. Although I didn't find […]

Locks that can re-key themselves?

Hey everybody, As I'm sure you all know, I normally post about IT security here. But, once in awhile, I like to take a look at physical security, even if it's just in jest. Well, this time it isn't in jest. I was at Rona last week buying a lead/asbestos/mold-rated respirator (don't ask!), when I […]

Watch out for exim!

Hey everybody, Most of you have probably heard of the exim vulnerability this week. It has potential to be a nasty one, and my brain is stuffed with its inner workings right now so I want to post before I explode! First off, if you're concerned that you might have vulnerable hosts, I wrote a […]

Taking apart the Energizer trojan – Part 4: writing a probe

Now that we know what we need to send and receive, and how it's encoded, let's generate the actual packet. Then, once we're sure it's working, we'll convert it into an Nmap probe! In most of this section, I assume you're running Linux, Mac, or some other operating system with a built-in compiler and useful […]

Taking apart the Energizer trojan – Part 3: disassembling

In Part 2: runtime analysis, we discovered some important addresses in the Energizer Trojan -- specifically, the addresses that make the call to recv() data. Be sure to read that section before reading this one. Now that we have some starting addresses, we can move on to a disassembler and look at what the code's […]

Taking apart the Energizer trojan – Part 2: runtime analysis

In Part 1: setup, we infected the system with the Trojan. It should still be running on the victim machine. If you haven't read that section, I strongly recommend you go back and read it. Now that we've infected a test machine, the goal of this step is to experiment a little with the debugger […]

Taking apart the Energizer trojan – Part 1: setup

Hey all, As most of you know, a Trojan was recently discovered in the software for Energizer's USB battery charger. Following its release, I wrote an Nmap probe to detect the Trojan and HDMoore wrote a Metasploit module to exploit it. I mentioned in my last post that it was a nice sample to study […]