Dark Reading is part of the Informa Tech Division of Informa PLC
10/27/2015 11:00 AM
Black Hat Staff
Event Updates

Black Hat Europe 2015: Just the Attacks, Ma'am

Allow us to channel an early-2000s, sweating, hyperkinetic Steve Ballmer: exploits, exploits, exploits, exploits! Today's Black Hat Europe 2015 Briefing highlights are all about novel, and sometimes devastating, new attacks against systems of all kinds. Can they get you as pumped up as Steve? Let's find out.

This year's Pwn2Own competition switched the target to 64-bit Internet Explorer. The larger address space means higher-entropy ASLR, which takes simple heap-spraying techniques off the table. Yuki Chen and Linan Hao still found a way in via two 0days, which they'll detail in Hey Man Have You Forgotten to Initialize Your Memory?. Walking through their proof-of-concept exploit, they will show how a single uninitialized-memory bug gave them an ASLR and CFG bypass plus remote code execution, and how they then broke out of IE's Enhanced Protected Mode (EPM) sandbox to elevate privileges. Well played.

Despite the prevalence and high impact of command injection, researchers have paid scant attention to this class of code injection, and there has been no dedicated tool that automatically detects and exploits command injection flaws. Commix: Detecting and Exploiting Command Injection Flaws aims to fill that gap with an open-source tool that automates both the detection and the exploitation of command injection in web applications. The new Commix (COMMand Injection eXploitation) tool can detect these vulnerabilities and has already turned up several related 0days.
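To make the bug class and the detection approach concrete, here is an added example (written for this page, not Commix's own code) that puts a deliberately vulnerable handler next to its hardened replacement and runs a Commix-style results-based probe and extractor against both. The handler names, the hostname allow-list and the use of `echo` in place of a real network utility are assumptions so the example runs offline; it also assumes a POSIX /bin/sh, which is what `subprocess` uses with `shell=True` on Linux and macOS.

```python
"""Command injection end to end: a deliberately vulnerable handler, its hardened
replacement, and a results-based detector/extractor in the style of Commix.
Added example for this page; not Commix's own code. Assumes POSIX /bin/sh."""
import re
import secrets
import subprocess

# Separators a Commix-style tool tries; which one fires depends on the shell
# context the input lands in ('||' only fires if the preceding command fails).
SEPARATORS = [";", "|", "&&", "||", "\n"]

# Hypothetical hostname allow-list: hostname characters only, and no leading
# '-' (the real binary would otherwise parse the value as an option).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def vulnerable_lookup(host: str) -> str:
    """Deliberately vulnerable: untrusted input concatenated into a shell string.
    'echo' stands in for the real network utility so the example runs offline."""
    proc = subprocess.run(f"echo looking up {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def hardened_lookup(host: str) -> str:
    """Same functionality: allow-list the value, then pass it as a single argv
    element with no shell, so separators and expansions are just bytes."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    proc = subprocess.run(["echo", "looking up", host],
                          capture_output=True, text=True)
    return proc.stdout


def probe(handler, separator: str) -> bool:
    """Results-based detection: inject an echo whose output can only exist if a
    shell evaluated it. A payload that is merely reflected would contain the
    literal '$((a+b))', never the computed sum between the two random tags."""
    a, b = secrets.randbelow(900) + 100, secrets.randbelow(900) + 100
    tag = secrets.token_hex(4)
    payload = f"example.org{separator}echo {tag}$(({a}+{b})){tag}"
    try:
        out = handler(payload)
    except ValueError:  # input validation rejected it: not injectable this way
        return False
    return f"{tag}{a + b}{tag}" in out


def find_injection(handler) -> list:
    """Return every separator that yields command execution."""
    return [sep for sep in SEPARATORS if probe(handler, sep)]


def extract(handler, separator: str, command: str) -> str:
    """Exploitation step: run `command` and pull its output back out of the
    response between random delimiters (sequence separators only: with '|'
    the command's stdout would be piped into the trailing echo and lost)."""
    tag = secrets.token_hex(4)
    payload = (f"example.org{separator}echo {tag}{separator}"
               f"{command}{separator}echo {tag}")
    out = handler(payload)
    m = re.search(re.escape(tag) + r"\n(.*?)" + re.escape(tag), out, re.S)
    return m.group(1).strip() if m else ""


if __name__ == "__main__":
    print("vulnerable:", find_injection(vulnerable_lookup))   # e.g. [';', '|', '&&', '\n']
    print("hardened:  ", find_injection(hardened_lookup))     # []
    print("extracted: ", extract(vulnerable_lookup, ";", "printf '%s' injected"))
```

Two things worth noticing when you run it: the `||` separator never fires against the vulnerable handler because `echo` exits 0, which is exactly why automated tools try several separators rather than one; and the hardened version is not "escape the string better" but "never hand the string to a shell at all", with the allow-list as a second layer that also stops option injection via a leading `-`.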

Macs used to be seen as something of a security refuge, but with the growing popularity of Apple products that paradise is under attack. Kernel exploit mitigations such as KASLR and SMEP have already been overcome, and while "vm_map_copy" corruption has been mitigated in OS X 10.11 and iOS 9, Attacking the XNU Kernel in El Capitan will demonstrate new techniques for getting around XNU's latest changes. One highlight: a working kernel exploit for the most recent version of El Capitan that bypasses System Integrity Protection (rootless).

Finally, cloud providers use memory deduplication to pack virtual machines onto the same host more cost-effectively: identical pages belonging to different VMs are merged into a single physical copy. But the first write to a merged page triggers a copy-on-write page fault, and the extra latency of that fault gives an attacker a side channel for detecting whether a page was shared. Silently Breaking ASLR in the Cloud will detail an attack that leverages this memory side channel to leak the randomized base addresses of libraries and executables mapped in the processes of neighboring VMs, defeating ASLR.

Black Hat Europe 2015 takes place November 10-13 in Amsterdam. Did you register yet?
