morph3us.org

Here is a screenshot of my first Royal Flush:

The topic of this blog post is already more than one and a half year old - have a look at the thread posted at BuHa forums (sry, German only). In fact it's pretty possible that this issue is much more longer known but regrettably I could not find any information regarding this topic.

If a user with unsufficient privileges (e.g. users in users or power users group) tries to terminate a privileged process using the Windows task manager `taskmgr.exe' (or another arbitrary task manager like Sysinternals's process explorer) the manager will display an access denied message and nothing will happen. Alright, but how the system reacts if we try to kill it's system process with a privileged user account? Please note that I'm talking about the real system process with PID 4 (at least if we use Windows XP). We would suppose that the task manager displays a message which informs the user that it's not possible to terminate this process like it does it for `winlogon.exe', `lsass.exe', `csrss.exe' and so on but it does not.

As I already mentioned in a previous blog posting titled XSS on heise.de there was a XSS vulnerability on heise.de. I informed heise's webmaster about this bug on December 23, 2005 and received the answer mail which stated that this issue was addressed on January 06, 2006. It's almost unbelievable that this bug is still present to this day.

Yesterday I could not fall asleep immediately so I decided to test some applications which are by default included in Windows. I had a look at the Windows games (Freecell, Hearts, Minesweeper, Pinball and so on) and during fooling around a feature namely saving game scores of Spider Solitaire sparked my interest in having a deeper look at it.
You can not choose the file where to save the highscore in and you overwrite the stored highscore everytime you save another game so I started Filemon and found the file `spider.sav' which is located at "%USERPROFILE%\Own Files".

Unfortunately, my last blog entry was almost three weeks ago so it's time for a new entry..

Presumably, I'm going to release several new advisories next week. Two advisories will cover multiple stack based overflows in W3C's browser Amaya, three advisories are about DoS vulnerabilities in the latest release of Internet Explorer 6 SP2 with all patches applied and another advisory will deal with multiple vulnerabilities in a rather unknown web application - but I'm not sure yet if I'll publish this advisory this time.

So stay tuned..

  Yogurt,
  Dark Balsamico,
  Olive oil
  Onion
  Garlic
  Curry
  Mustard
  Chive
  Salt
  Pepper
----------
+ Tomatoes
  Sweetcorn
  Salad
  Carrots
----------
= Yummy !1! (o:

First of all, I should explain what "dotless ip addresses" are because I think this term is not very common. Simply spoken this is an address which does not consist of octets seperated by points. You may ask the question how to convert an ip adress into a dotless one..

In fact there are several different methods to convert an ip address into a dotless one and there are much more possibilities to obfuscate an URL but not all of them work in every browser.

Here are some examples, in which I'll use the domain 'buha.info' for demonstration purposes:

The BuHa ExploitMe Contest is organized in multiple levels with increasing difficulty. In each of this levels you'll find a exploitable ANSI C program and a small advice about the kind of shellcode which should be used. The first and the second level do not require the usage of any shellcode because people which are not familar with security related bugs in C programs should be able to complete them too.

The contest started almost a week ago and until now there are 19 different participants. I was surprised about three brazilian guys which also take part in the contest and found the contest site with Google.

Check it out: https://www.buha.info/projects/exploitme-contest/