[FD] D-RamPage: POC for zero-risk row-hammer exploitation

2015-03-16 Thread halfdog
Hello List, Although I have no row-hammer affected hardware, I tried to build a POC that allows zero-risk exploitation of row-hammer affected DRAM setups, see [1]. The main idea of the POC is to * reserve complete rows of physical pages (verified v

Re: [FD] 'Rowhammer' - Software-triggered DRAM corruption

2015-03-16 Thread Dirk-Willem van Gulik
> On 13 Mar 2015, at 11:32, fulldisclosure wrote: > > On 12.03.2015 at 21:31, Aris Adamantiadis wrote: >> On 12/03/15 17:00, Nick Boyce wrote: >> >>> Also, this may only affect SODIMMs, not DIMMs, as Google was only able >>> to make the attack work on laptops - desktop machines so far re

[FD] A local application could cause a denial-of-service to the audio_policy app in Android

2015-03-16 Thread Guang Gong
QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/ CVE ID: CVE-2015-1525 Product: Android Vendor: Google Subject: A

Re: [FD] 'Rowhammer' - Software-triggered DRAM corruption

2015-03-16 Thread Nick Boyce
On 12 March 2015 at 20:31, Aris Adamantiadis wrote: > On 12/03/15 17:00, Nick Boyce wrote: > >> ... Google was only able to make the attack >> work on laptops - desktop machines so far >> remaining unaffected. >> >> [I *knew* it was a good idea to hang on to >> that old Athlon XP desktop :-)] >

[FD] Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution

2015-03-16 Thread Onur Alanbel
Document Title: Citrix Netscaler NS10.5 WAF Bypass via HTTP Header Pollution Release Date: 12 Mar 2015 Product & Service Introduction: Citrix NetScaler AppFirewall is a comprehensive application security solution that blocks known and unknown att

[FD] Metasploit Project initial User Creation CSRF

2015-03-16 Thread Mohamed A. Baset
# Exploit Title: Metasploit Project initial User Creation CSRF # Google Dork: N/A # Date: 14-2-2015 # Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh) # Vendor Homepage: http://www.metasploit.com/ # Software Link: http://www.rapid7.com/products/metasploit/editions-and-features.jsp # Versio

[FD] Jolla Phone tel URI Spoofing

2015-03-16 Thread NSO Research
NSOADV-2015-001 --- Jolla Phone tel URI Spoofing

[FD] Defense in depth -- the Microsoft way (part 31): UAC is for binary planting

2015-03-16 Thread Stefan Kanthak
Hi @ll, the exploit shown here should be well-known to every Windows administrator, developer or QA engineer. In Microsoft's own terms it doesn't qualify as security vulnerability since UAC is a security feature, not a security boundary. Preconditions: * a user running as "protected Administra

[FD] Defense in depth -- the Microsoft way (part 30): on exploitable Win32 functions

2015-03-16 Thread Stefan Kanthak
Hi @ll, since Microsoft won't -- despite (hopefully not only) my constant nagging and quite some bug reports about unquoted command lines for more than a dozen years now -- fix the BRAINDEAD behaviour of Windows' CreateProcess*() functions to play try&error instead of returning on error to their c

[FD] Defense in depth -- the Mozilla way: return and exit codes are dispensable

2015-03-16 Thread Stefan Kanthak
Hi @ll, since some time Mozilla Firefox and Thunderbird for Windows come with a "maintenance service" (running privileged under the SYSTEM account): The maintenanceservice_installer.exe (which is extracted into the resp. ins

[FD] Having fun with dmesg

2015-03-16 Thread halfdog
Hello list, I guess this must be common knowledge somehow already, but although hidden in plain sight, it did not make it to me yet. So [1] is just a very quick, dirty and incomplete writeup of thoughts on how to use dmesg to * Get knowledge about e.g

[FD] Multiple Buffer Overflows in Diagnostic Troubleshooting Wizard - msdt.exe - Win 8.0 Pro - x64

2015-03-16 Thread Nick Prowse
Multiple Buffer Overflows in Diagnostic Troubleshooting Wizard Researcher: Nicholas Prowse Filename: msdt.exe MD5: (coming soon) File size: 1024000 bytes Operating System: Windows 8.0 OS Version: Pro Architecture: x64 Description field in Procmon: Buffer Overflow Operations (

[FD] Multiple Buffer Overflows in .NetFramework v4.03 - Win 8.0 Pro - x64

2015-03-16 Thread Nick Prowse
Multiple Buffer Overflows in .NetFramework v4.03 Researcher: Nicholas Prowse Filename: ngen.exe MD5: ca72696a9861f14cf76f1637b8e6bc44 File size: 139264 bytes Operating System: Windows 8.0 OS Version: Pro Architecture: x64 Description: MS Common Language Runtime Native Compiler Image Path: C:\

[FD] 724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities* Exploit Title: 724CMS Multiple XSS (Cross-site Scripting) Security Vulnerabilities Vendor: 724CMS Product: 724CMS Vulnerable Versions: 3.01 4.01 4.59 5.01 Tested Version: 5.01 Advisory Publication: March 15, 2015 Lat

[FD] 724CMS 5.01 Multiple SQL Injection Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Multiple SQL Injection Security Vulnerabilities* Exploit Title: 724CMS Multiple SQL Injection Security Vulnerabilities Vendor: 724CMS Product: 724CMS Vulnerable Versions: 3.01 4.01 4.59 5.01 Tested Version: 5.01 Advisory Publication: March 14, 2015 Latest Update: March 14, 2015

[FD] 724CMS 5.01 Directory (Path) Traversal Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Directory (Path) Traversal Security Vulnerabilities* Exploit Title: 724CMS /section.php Module Parameter Directory Traversal Security Vulnerabilities Vendor: 724CMS Product: 724CMS Vulnerable Versions: 3.01 4.01 4.59 5.01 Tested Version: 5.01 Advisory Publication: March 14, 201

[FD] 724CMS 5.01 Multiple Information Leakage Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Multiple Information Leakage Security Vulnerabilities* Exploit Title: 724CMS Multiple Information Leakage Security Vulnerabilities Vendor: 724CMS Product: 724CMS Vulnerable Versions: 3.01 4.01 4.59 5.01 Tested Version: 5.01 Advisory Publication: March 14, 2015 Latest Upd

[FD] Innovative WebPAC Pro 2.0 Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities

2015-03-16 Thread Jing Wang
*Innovative WebPAC Pro 2.0 Unvalidated Redirects and Forwards (URL Redirection) Security Vulnerabilities* Exploit Title: Innovative WebPAC Pro 2.0 /showres url parameter URL Redirection Security Vulnerabilities Vendor: Innovative Interfaces Inc Product: WebPAC Pro Vulnerable Versions: 2.0 Tested

Re: [FD] WPML WordPress plug-in SQL injection etc.

2015-03-16 Thread Jouko Pynnonen
One more vulnerability reported on March 02 and fixed in version 3.1.9: *4. Unauthenticated administrative functions* An unauthenticated attacker may under certain conditions bypass WPML's nonce check and perform administrative functions. The administrative ajax functions are protected with non

Re: [FD] 'Rowhammer' - Software-triggered DRAM corruption

2015-03-16 Thread fulldisclosure
On 12.03.2015 at 21:31, Aris Adamantiadis wrote: > On 12/03/15 17:00, Nick Boyce wrote: > >> Also, this may only affect SODIMMs, not DIMMs, as Google was only able >> to make the attack work on laptops - desktop machines so far remaining >> unaffected. >> >> [I *knew* it was a good idea to hang

[FD] [SE-2014-02] Google App Engine Java security sandbox bypasses (details)

2015-03-16 Thread Security Explorations
Hello All, Details of our SE-2014-02 project have been released to the public. A technical writeup and accompanying Proof of Concept codes can be found at the following location: http://www.security-explorations.com/en/SE-2014-02-details.html In case of Google App Engine for Java, its first la