SECURITY RESEARCH

White Papers

JIT spraying and mitigations
This paper presents a short overview of JIT spraying techniques and novel mitigation methods against this class of attack. An anti-JIT-spraying library was created as part of our Zero Threat protection system.

JIT_Mitigations.pdf
Security Mitigations for Return-Oriented Programming Attacks
In this paper we present a short summary of novel and known mitigation techniques against return-oriented programming (ROP) attacks. The techniques described apply mostly to 32-bit x86 processors and Microsoft Windows operating systems.

ROP_Whitepaper.pdf

Cryptography

RSA Backdoor
What do smooth-integer finding, error correction and code-breaking have in common? See for yourself. Backdoors like the one this source code illustrates can be avoided by systematically auditing and reviewing code.

Sage_RSA.sage

Tools

NX Tracer
NX Tracer is an advanced binary tracing tool that assists in automated unpacking. It relies on the NX (execute-disable) bit that the IA-32 PAE addressing mode provides in its page table entries.

nxtracer9b.zip

Public Advisory

IBM Tivoli Storage Manager (TSM) Local Root
IBM TSM communicates with the setuid-root backup client dsmtca through pipes. The function GeneratePassword() performs no bounds checking on the data it receives, which leads to a classic stack-based buffer overflow and makes local code execution as root possible.

Original Advisory
kryptoslogic-ibm-tivoli-dsmtca-exploit.c
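
The pattern behind this advisory, as an added example that is not code from IBM, from dsmtca or from the advisory: a privileged helper reads a length-prefixed message from a pipe and copies the payload into a fixed-size stack buffer. The message layout (2-byte big-endian length followed by the payload), the buffer size PW_MAX and all function names are assumptions made here for illustration. The unchecked variant is shown only for contrast and is never fed untrusted input below; the checked variant validates the claimed length against both the bytes actually received and the destination buffer before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 64   /* hypothetical fixed-size stack buffer, chosen for illustration */

/* Unchecked variant: copies whatever length the peer claims. The process on
 * the other end of the pipe controls len, so len > PW_MAX overwrites the
 * stack beyond pw. Kept only for contrast; not called with untrusted data. */
int copy_password_unchecked(const uint8_t *msg, size_t len)
{
    char pw[PW_MAX];
    memcpy(pw, msg, len);      /* no comparison of len against sizeof pw */
    return (int)len;
}

/* Hardened variant: the length is validated against the destination before
 * any copy, and the result is NUL-terminated. Returns the number of bytes
 * accepted, or -1 if the payload does not fit. */
int copy_password_checked(const uint8_t *msg, size_t len, char *out, size_t cap)
{
    if (cap == 0 || len >= cap)   /* leave room for the terminator */
        return -1;
    memcpy(out, msg, len);
    out[len] = '\0';
    return (int)len;
}

/* Parse one constructed pipe message of the form
 *   [2-byte big-endian length][payload]
 * and hand the payload to the checked copier. Returns -1 on a short message,
 * on a claimed length larger than the bytes actually received, or on a
 * payload larger than the destination; otherwise the payload length. */
int handle_pipe_message(const uint8_t *buf, size_t buflen, char *out, size_t cap)
{
    if (buflen < 2)
        return -1;
    size_t len = ((size_t)buf[0] << 8) | buf[1];
    if (len > buflen - 2)         /* peer lies about how much it sent */
        return -1;
    return copy_password_checked(buf + 2, len, out, cap);
}

int main(void)
{
    /* Constructed pipe messages: a well-formed one and one whose claimed
     * length exceeds the destination buffer. */
    static const uint8_t good[] = {0x00, 0x06, 's', 'e', 'c', 'r', 'e', 't'};
    uint8_t oversized[2 + 200];
    char out[PW_MAX] = {0};

    memset(oversized, 'A', sizeof oversized);
    oversized[0] = 0x00;
    oversized[1] = 200;

    printf("good message: %d (%s)\n",
           handle_pipe_message(good, sizeof good, out, sizeof out), out);
    printf("oversized message: %d\n",
           handle_pipe_message(oversized, sizeof oversized, out, sizeof out));
    return 0;
}
```

The check that matters is the one GeneratePassword() lacks: the length the peer supplies is compared with the receiving buffer before a single byte is copied, and a message that claims more bytes than were actually read is rejected rather than trusted.
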
Winamp 5.6 Arbitrary Code Execution in MIDI Parser
When AOL Winamp plays MUS files and other MIDI variants, it begins by converting them to a canonical format. Timestamps in MIDI files are encoded by serializing 32-bit integers into 1, 2, 3, 4 or 5 bytes, storing 7 data bits in each byte; the remaining (high) bit of each byte indicates whether another byte follows. The serialization is done into an 8-byte buffer, which should be large enough (a 32-bit value needs at most 5 bytes), but a logic bug in the code allows an attacker to write one byte outside the buffer.

Original Advisory
kryptoslogic-winamp-midi-exploit.c
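
The encoding described above, as an added example that is not Winamp's code and not the advisory's exploit: a bounds-checked MIDI variable-length-quantity (VLQ) encoder and decoder in C. It shows why a 32-bit value never needs more than 5 bytes (7 payload bits per byte, so 5 bytes cover 35 bits), why an 8-byte buffer is therefore sufficient as long as every write is bounded, and how an encoder should refuse rather than spill when the destination is too small. The function names and the sample values are assumptions made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Maximum bytes a 32-bit value needs as a MIDI VLQ: ceil(32 / 7) = 5. */
#define VLQ_MAX_BYTES 5

/* Encode v as a big-endian MIDI VLQ into out (capacity cap).
 * Every byte except the last has its high bit set as a continuation flag.
 * Returns the number of bytes written, or -1 if cap is too small; nothing
 * is written in that case. */
int vlq_encode(uint32_t v, uint8_t *out, size_t cap)
{
    uint8_t groups[VLQ_MAX_BYTES];
    int n = 0;

    /* Peel off 7 bits at a time, least significant group first. */
    do {
        groups[n++] = (uint8_t)(v & 0x7F);
        v >>= 7;
    } while (v != 0);

    if ((size_t)n > cap)
        return -1;             /* refuse to write past the caller's buffer */

    /* Emit most significant group first; flag all but the final byte. */
    for (int i = 0; i < n; i++) {
        uint8_t b = groups[n - 1 - i];
        out[i] = (i < n - 1) ? (uint8_t)(b | 0x80) : b;
    }
    return n;
}

/* Decode a VLQ from in (len bytes available) into *v.
 * Returns the number of bytes consumed, or -1 on truncated input or on a
 * sequence longer than VLQ_MAX_BYTES, which is rejected instead of being
 * silently wrapped into the 32-bit accumulator. */
int vlq_decode(const uint8_t *in, size_t len, uint32_t *v)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < len && i < VLQ_MAX_BYTES; i++) {
        acc = (acc << 7) | (in[i] & 0x7F);
        if ((in[i] & 0x80) == 0) {   /* continuation bit clear: last byte */
            *v = acc;
            return (int)i + 1;
        }
    }
    return -1;
}

/* Round-trip check through an 8-byte buffer, the size the advisory
 * mentions: returns 1 if v encodes within it and decodes back unchanged. */
int vlq_roundtrip(uint32_t v)
{
    uint8_t buf[8];
    uint32_t back = 0;
    int n = vlq_encode(v, buf, sizeof buf);
    if (n < 0)
        return 0;
    return vlq_decode(buf, (size_t)n, &back) == n && back == v;
}

int main(void)
{
    /* Constructed sample: the largest possible 32-bit delta time. */
    uint8_t buf[8];
    int n = vlq_encode(0xFFFFFFFFu, buf, sizeof buf);
    printf("0xFFFFFFFF ->%d bytes:", n);
    for (int i = 0; i < n; i++)
        printf(" %02X", buf[i]);
    printf("\n");
    /* A 4-byte destination cannot hold a 5-byte quantity: -1, nothing written. */
    printf("into 4 bytes: %d\n", vlq_encode(0xFFFFFFFFu, buf, 4));
    return 0;
}
```

The decoder's cap of VLQ_MAX_BYTES is the mirror image of the encoder's cap check: a crafted file can present a continuation flag on every byte indefinitely, and a parser that keeps shifting into a 32-bit accumulator would both loop past the intended field and lose bits.
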
Microsoft DirectShow Remote Code Execution
A remote attacker can create a specially crafted MJPEG file that, when loaded by the target user, triggers a flaw in the MJPEG decompression code of the Microsoft DirectShow component and executes arbitrary code on the target system. The code runs with the privileges of the target user.

Microsoft Technet Bulletin