PornoSecurity

A Linksys video and an IGSuite exploit

Posted on 2008-06-23 00:01:56 in PornoSecurity

Well, i got bored. I notified Cisco PSIRT and Linksys security on 04/21, they confimed some of the vulnerabilities and asked for more details. I sent them a pretty dumb-proof report a couple of days after their email, now it's time to disclose! Here is a sexy video demonstrating the flaws, there's really no need for even a single line of code :)

 

I also posted to milw0rm a fully automated reverse shell exploit(currently waiting for it to be published) that take advantage of a blind SQL injection vulnerability in IGSuite <=3.2.4, enjoy.

A Sneak Preview

Posted on 2008-05-23 15:36:15 in PornoSecurity

Hi there, some time has passed since the last post on this weblog, I'm now auditing a web application written by some italian guys and I am focusing on the steps from an SQL Injection to a real command shell. Too many times SQL Injection flaws are considered as a low/medium threat due to the fact that they are often [ab]used to conduct low-impact attacks(such as defacing).
This has to change, SQL Injection flaws are a *really* dangerous threat. Here is a sneak preview regarding some of the (for now) 0-day flaws i discovered in this webapp.

I have also discovered some vulnerabilities in some Cisco/Linksys products, and I'm in contact with the Cisco Product Security Incident Response Team (PSIRT) and the Linksys security team to coordinate pubblic disclosure.

More news soon.

xine-lib NSF Demuxer Buffer Overflow Vulnerability

Posted on 2008-04-17 12:40:27 in PornoSecurity

I found a stack-based buffer overflow in the NES Sound Format demuxer(demux_nsf.c) of xine-lib <= 1.1.12. The vulnerability is caused due to a boundary error within the "demux_nsf_send_chunk()" function in src/demuxers/demux_nsf.c and can be exploited to run arbitrary code while processing an NSF file with an overly large NSF title tag.

 

Secunia advisory