Bojan Zdrnja Diaries

Back to Handlers

• The amazingly scary xz sshd backdoor
• Scanning and abusing the QUIC protocol
• Survival time for web sites
• Some things never change ? such as SQL Authentication ?encryption?
• Importance of signing in Windows environments
• Critical vulnerability in Splunk Enterprise?s deployment server functionality
• Local privilege escalation vulnerability in polkit's pkexec (CVE-2021-4034)
• RCE in log4j, Log4Shell, or how things can get bad quickly
• Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability
• Summer of SAM - incorrect permissions on Windows 10/11 hives
• Abusing Google Chrome extension syncing for data exfiltration and C&C
• Dynamically analyzing a heavily obfuscated Excel 4 macro malicious file
• Scoping web application and web service penetration tests
• Scanning with nmap?s NSE scripts
• Summing up CVE-2020-0601, or the Let?s Decrypt vulnerability
• Getting the best value out of security assessments
• Testing TLSv1.3 and supported ciphers
• Verifying SSL/TLS configuration (part 2)
• Verifying SSL/TLS configuration (part 1)
• Time is (partially) on our side: the new Exim vulnerability
• Getting (proper) value out of security assessments
• UAC is not all that bad really
• Relaying Exchange?s NTLM authentication to domain admin (and more)
• Tunneling scanners (or really anything) over SSH
• The end of the lock icon
• Exfiltrating data from (very) isolated environments
• One hash to rule them all: drupalgeddon2
• Side-channel information leakage in mobile applications
• SQL injection and division by zero exceptions
• Those pesky registry keys required by critical security patches
• Meltdown and Spectre: clearing up the confusion
• Battling e-mail phishing
• Free Bitcoins? Why not?
• Attacking NoSQL applications (part 2)
• Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 4 ? Windows Thumbnail Cache, Registry, Prefetch Files, and Link Files artefacts)
• Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud Service (Part 3 ? Physical Memory artefacts)
• Uberscammers
• OAUTH phishing against Google Docs ? beware!
• Powershelling with exploits
• SSL/TLS on port 389. Say what?
• Attacking NoSQL applications
• Verifying SSL/TLS certificates manually
• Security through obscurity never works
• YAFP (Yet Another Flash Patch)
• Abusing Oracles
• Exploiting (pretty) blind SQL injections
• When encoding saves the day
• Outsourcing critical infrastructure (such as DNS)
• Web security subtleties and exploitation of combined vulnerabilities
• When automation does not help
• Blindly confirming XXE
• New OpenSSL release fixes 2 moderate and 6 low vulnerabilities
• Assessing the risk of POODLE
• Verifying preferred SSL/TLS ciphers with Nmap
• Windows Previous Versions against ransomware
• Watching the watchers
• Massive PHP RFI scans
• Is XXE the new SQLi?
• DRG online challenge(s)
• Arrays in requests, PHP and DedeCMS
• MS13-056 (false positive)? alerts
• XATattacks (attacks on xat.com)
• Sessions with(out) cookies
• The race for resources
• SSHD rootkit in the wild
• Auditd is your friend
• Memory acquisition traps
• Analyzing outgoing network traffic (part 2)
• Analyzing outgoing network traffic
• DShield for Splunk
• Windows Firewall Bypass Vulnerability and NetBIOS NS
• Monitoring VMWare logs
• Monitoring Remote Desktop Services logs ... or not?
• pcAnywhere users – patch now!
• Is it time to get rid of NetBIOS?
• The tale of obfuscated JavaScript continues
• Beauty and the BEAST
• Bitcoin – crypto currency of future or heaven for criminals?
• When the FakeAV coder(s) fail
• Harry Potter and the Rogue anti-virus: Part 1
• Android, HTTP and authentication tokens
• More on Google image poisoning
• SQL injection: why can’t we learn?
• Adobe Flash 0-day being used in targeted attacks
• Tsunami in Japan and self modifying RogueAV code
• iOS 4.3 released, numerous security vulnerabilities patched
• Oracle padding attacks (Codegate crypto 400 writeup)
• HBGary hack: lessons learned
• Google Chrome and (weird) DNS requests
• Android malware enters 2011
• Secunia's DNS/domain hijacked?
• Privilege escalation 0-day in almost all Windows versions
• SSH password authentication insight and analysis by DRG
• Interesting PHP injection
• DLL hijacking vulnerabilities
• Do you like Bing? So do the RogueAV guys!
• Stored XSS vulnerability on YouTube actively abused?
• Down the RogueAV and Blackhat SEO rabbit hole (part 2)
• Down the RogueAV and Blackhat SEO rabbit hole
• Clickjacking attacks on Facebook's Like plugin
• Malware modularization and AV detection evasion
• Who needs exploits when you have social engineering?
• JavaScript obfuscation in PDF: Sky is the limit
• Dangers of copy&paste
• 0-day vulnerability in Internet Explorer 6, 7 and 8
• DRG (Dragon Research Group) Distro available for general release
• Rogue AV exploiting Haiti earthquake
• PDF Babushka
• Sophisticated, targeted malicious PDF documents exploiting CVE-2009-4324
• Distributed Wordpress admin account cracking
• iPhone worm in the wild
• Opachki, from (and to) Russia with love
• Snort 2.8.5 is out
• Why is Rogue/Fake AV so successful?
• SMB2 remote exploit released
• Flash attack vectors (and worms)
• MS09-039 exploit in the wild?
• BIND 9 DoS attacks in the wild
• Increasing number of attacks on security sites
• YA0D (Yet Another 0-Day) in Adobe Flash player
• A new fascinating Linux kernel vulnerability
• Nmap 5.0 released
• OWC exploits used in SQL injection attacks
• Make sure you update that Java
• OpenSSH 0day FUD
• More on ColdFusion hacks
• Cold Fusion web sites getting compromised
• New VMWare Security Advisory
• Mobile phone trojans
• New Thunderbird out, patches couple of vulnerabilities
• Slowloris and Iranian DDoS attacks
• Apache HTTP DoS tool mitigation
• Apache HTTP DoS tool released
• Iranian hacktivism
• Advanced blind SQL injection (with Oracle examples)
• Health database breached
• Every dot matters
• Web application vulnerabilities
• Twitter worm copycats
• Advanced JavaScript obfuscation (or why signature scanning is a failure)
• JavaScript insertion and log deletion attack tools
• When web application security, Microsoft and the AV vendors all fail
• Massive ARP spoofing attacks on web sites
• MS09-002, XML/DOC and initial infection vector
• MS09-002 exploit in the wild
• More tricks from Conficker and VM detection
• Some tricks from Conficker's bag
• Conficker's autorun and social engineering
• An Israeli patriot program or a trojan
• 0-day exploit for Internet Explorer in the wild
• Rogue DHCP servers
• Finjan blocking access to isc.sans.org
• Adobe Reader vulnerability exploited in the wild
• Watch that .htaccess file on your web site
• VMWare ESX(i) 3.5 security patches
• Monitoring HTTP User-Agent fields
• When spammers use your own e-mails
• Mozilla releases Thunderbrid 2.0.0.16, fixes security vulnerabilities
• What's brewing in Danmec's pot?
• New Opera v9.51 fixes couple of security issues
• Detecting scripts in ASF files (part 2)
• Safari on Windows - not looking good
• INFOCon yellow: update your Debian generated keys/certs ASAP
• Debian and Ubuntu users: fix your keys/certificates NOW
• War of the worlds?
• (Minor) evolution in Mac DNS changer malware
• Windows Service Pack blocker tool
• Scripts in ASF files
• The 10.000 web sites infection mystery solved
• Opera fixes vulnerabilities and Microsoft announces April's fixes
• VB detection: is it so difficult?
• A bag of vulnerabilities (and fixes) in QuickTime
• Mixed (VBScript and JavaScript) obfuscation
• Linux, FreeBSD and Mac (!) bot
• Abusing Image File Execution Options
• More about mass web infections
• Deja Vu: Valentine's Storm
• Mass exploits with SQL Injection
• Treacherous malware: the story of Advatrix
• Gone in 3600 seconds: story about TCP Keep-Alives
• DNS changer Trojan for Mac (!) in the wild
• Anti Virus industry and VBScript/JavaScript detection
• Cyber Security Awareness Tip #1: Penetrating the This Does Not Apply To Me Attitude
• Spammers feeling lucky with Google
• Deobfuscating VBScript
• Arguments.callee.toString() demystified
• Raising the bar: dynamic JavaScript obfuscation
• Apple’s patch flood
• E-cards don’t like virtual environments
• Mass website hosting = mass defacements
• Fake Adobe Shockwave Player download page
• Yahoo! Messenger exploits seen in the wild
• 2 Yahoo! Messenger vulnerabilities (with PoCs)
• DDoS on anti-spam groups
• A Java exploit
• Analyzing (malicious) SWF file actions
• p0f, spam detection and OOF e-mails
• Better Business Bureau targeted malware spam
• Multiple vulnerabilities in Cisco IOS SSL implementation
• Opera fixes the torrent vulnerability
• Analyzing an obfuscated ANI exploit
• Dangerous document formats and social engineering
• Security update for QuickTime (7.1.5)
• phpMyFAQ being exploited
• JavaScript traps for analysts
• New Java update (1.5.0u11) and a Microsoft Word 2000 vulnerability
• Encrypted malware and code reusability
• Vulnerability in Acer’s LunchApp.APlunch ActiveX control
• Who needs sophisticated malware?
• Multiple vulnerabilities in Symantec Veritas NetBackup
• Sun JDK 5.0 Update 10
• Malware with new features
• Critical security vulnerability in WinZip 10
• MSXML 4.0 exploit in the wild
• Vulnerabilities in RFID-enabled credit cards
• Mozilla Firefox 2 officially released
• New Internet Explorer and an old vulnerability
• Heap overflow vulnerability in Opera 9.0, 9.01
• The Sleuth Kit (TSK) for Windows released
• More about the host based firewall on Windows XP SP2
• Tip of the day: using host based firewall on Windows XP SP2
• Wireshark (ex Ethereal) multiple vulnerabilities
• Problems with Intel wireless drivers
• MS06-040 exploit(s) publicly available
• Critical Ruby on Rails security vulnerability
• Browser *does* matter, not only for vulnerabilities - a story on JavaScript deobfuscation
• Security patches for Mozilla Firefox/Thunderbird/SeaMonkey
• “Order” e-mails and how to block them
• And *another* 0-day Linux kernel vulnerability
• 0-day exploit for Microsoft PowerPoint
• Perl bot exploiting vulnerabilities in Joomla and Mambo components
• Linux kernel PRCTL local privilege escalation
• MS06-039: vulnerabilities in Microsoft Office GIF and PNG parsers
• MS06-034 - unchecked IIS buffer vulnerability in ASP files processing
• Yahoo! user account phishing
• Two new Internet Explorer vulnerabilities disclosed including PoC
• Word macro trojan dropper and (another) downloader
• New Mambo, Joomla releases fix security vulnerabilities
• E-mails with malicious links targeting Australia
• More on Symantec vulnerabilities
• Multiple security vulnerabilities in Secure Elements Class 5 AVR (EVM)
• Link to 'a new Microsoft patch' being spammed
• Different strokes for different folks, spyware and browsers
• Critical vulnerability in Sophos Anti-Virus products
• Veritas pulls (some) patches for Backup Exec
• Vulnerabilities in L-Soft's LISTSERV and Microsoft's Visual Studio
• Sophos false positives on Mac OS X
• More spam for your inbox
• Corrupted Nyxems
• More on Nyxem
• New mass mailer spreading (Blackmal/Grew/Nyxem)
• What do the bad guys do with WMF?
• Ilfak Guilfanov's website, Hexblog.com back again
• Vulnerabilities in phpMyAdmin, Dell's TrueMobile 2300 Wireless Router and couple of PoC exploits.
• New AIM worm
• Apple Security Update 2005-009
• Strange phishing/spam e-mails
• Problems with Bloodhound.Exploit.45 pattern in Symantec AV
• ClamAV 0.87.1 released, fixes multiple security vulnerabilities
• New version of QuickTime (7.0.3)
• New Bagle variants