So I’ve been trying to get down to pcaps lately and watch more of what actually goes on. It’s in this spirit that L1pht.com is launching and sharing “What the PCAP”. Similar challenges were given in the past by The Honeynet Project in their “Scan of the Month”. The idea is that we will post a .pcap file that contains something semi-interesting for you to analyze, though ours will likely not be the result of an “in the wild” capture. More than likely it’ll be a very tight and short capture that won’t take you more than a few minutes to analyze. There are no prizes. Just free tasty .pcaps for you to munch on.
Challenge attacks, Challenge, pcap
Recently I’ve decided to pull my ‘pdf_plus_js.pl’ Perl script out of retirement and repurpose it for fuzzing JavaScript functions in PDFs. With some very minor tweaks we can loop through arrays of fuzz data and multipliers to quickly generate decent samples of PDFs to test with.
This started as a pretty nasty hack. I’m not above saying so. Hold on to your peanuts though, it gets nastier.
Code 0day, adobe, javascript

What: DC405 – May 2009 Meeting
Where: Oklahoma City Coworking Collaborative (OKCCoCo)
723 North Hudson Ave
Oklahoma City, OK 73102
When: Friday, 5/15/2009, 7-9pm
This is the first meeting at the OKCCoCo so be sure to get there early.
Agenda:
Network Architecture: You’re Doing it Wrong! by ri0t and Janus
Ham Radios & RF Hacking by baudfish
This should be an excellent set of talks so if you haven’t been out to a meeting in a while, come out, socialize and take a look at the CoCo. See you there!
Security News DC405
In the hope that more people will build on ideas of clickjacking and developers will become aware, I decided to post the proof-of-concept that I had worked up a little while ago.
The fun thing about this particular example is that we are taking a base URL of a WordPress blog and dynamically iframing in the clickjacked content. Of course this isn’t necessary for targeted attacks; it’s just an example of making something that would otherwise have to be targeted more generic.
It’s worth noting that if we choose to go the targeted attack route, we can place the link in a comment, which in many cases a moderator will review (logged in).
With this one we can set the title and address of a link by passing the parameters, CSRF style, to the link-add.php script. Once the user clicks, the link is automatically added to the default Blogroll. A malicious attacker might leverage this to coerce readers into click fraud or donation sites, or to drive them to a page with more direct attacks.
Devs, watch those admin pages. You’re going to need to bust frames if you want to avoid the LOLs.
Try it out for yourself.
Note: This has been fixed on the WordPress.com community.
Update 6/15/09: Not fixed in WordPress 2.8
Code 0day, clickjacking, wordpress