| Real Name | Amit Klein |
|---|---|
| Email address | private |
| First Active | 2004-03-04 |
| Last Active | 2010-12-03 |
The IE9 (platform preview) JavaScript Math.random implementation is vulnerable to seed reconstruction. The seed reveals the computer's boot time (and on Windows 7, also the CPU clock speed). These can be used to fingerprint computers and track users within the same Windows session even if they close and reopen their IE9 (platform preview) browser multiple times. Interestingly enough, this technique also provides some information regarding the client hardware (namely the clock source and possibly the CPU clock speed), and may be used to detect virtualized machines "over the web". Additionally, the Math.random implementation is flawed in such a way that it returns non-uniform values (this holds for IE9 beta as well).
Apple Safari versions 4.02 through 4.05, and Safari for Windows versions 5.0 through 5.0.2, suffer from cross-domain information leakage and temporary user tracking vulnerabilities.
Firefox versions 3.6.4 through 3.6.8, 3.5.10 through 3.5.11 and 4.0 Beta1 suffer from a cross-domain information leakage vulnerability.
The revised Google Chrome Math.random algorithm (included in version 3.0 of Google Chrome) is predictable. This paper describes how the internal state of Google Chrome 3.0's Math.random can be reconstructed, how it can be rolled forward and backward, and how (on Windows) the exact seeding time can be extracted.
Whitepaper called "Temporary user tracking in major browsers and Cross-domain information leakage and attacks".
Address Bar Spoofing Attacks Against Microsoft Internet Explorer 6. Due to formatting issues when sent, additional notes regarding the attacks are appended.
It appears that Microsoft may have incorrectly stated a few things regarding MS08-020 on their blog and are reluctant to fix it.
This paper shows that Windows DNS stub resolver queries are predictable, i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query, thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables much more effective DNS client poisoning than the currently known attacks against the Windows DNS stub resolver.
PowerDNS Recursor versions 3.0 through 3.1.4 suffer from a DNS cache poisoning vulnerability.
The paper describes a weakness in the pseudo random number generator (PRNG) used by OpenBSD, Mac OS X, Mac OS X Server, Darwin, NetBSD, FreeBSD and DragonFlyBSD to produce random DNS transaction IDs (OpenBSD) and random IP fragmentation IDs.
The paper shows that Microsoft Windows DNS Server outgoing queries are predictable, allowing for cache poisoning attacks.
The paper shows that BIND 8 DNS queries are predictable, allowing for cache poisoning attacks.
A new weakness has been discovered in the BIND 9 DNS server that allows for DNS forgery pharming.
Formal write-up discussing how arbitrary HTTP requests can be crafted using Flash 7/8 with Internet Explorer.
By forging HTTP request headers with Flash, virtual hosted systems can be susceptible to cookie theft using IE.
Whitepaper titled "Forging HTTP Request Headers With Flash".
Whitepaper entitled "HTTP Response Smuggling". It discusses evasion techniques to bypass anti-HTTP response splitting strategies.
Whitepaper entitled "Exploiting the XmlHttpRequest object in IE - Referrer spoofing, and a lot more."
This technical note describes a detection/prevention technique that works in many cases both with HTTP Response Splitting and with HTTP Request Smuggling.
Interesting write-up regarding the faulty logic of using NTLM HTTP authentication and how it does not mix well with HTTP proxies.
This paper describes several techniques for exposing file contents using the site search functionality. It is assumed that a site contains documents which are not visible/accessible to external users. Such documents are typically future PR items, or future security advisories, uploaded to the website beforehand. However, the site is also searchable via an internal search facility, which does have access to those documents, and as such they are indexed by it not via web crawling, but rather via direct access to the files. Therein lies the security breach.
Microsoft IIS 5.x and 6.0 suffer from a denial of service vulnerability in the WebDAV XML parser. An attacker can craft a malicious WebDAV PROPFIND request which uses XML attributes in a way that inflicts a denial of service condition on the target machine (IIS web server). The result of this attack is that the XML parser consumes all the CPU resources for a long period of time (from seconds to minutes, depending on the size of the payload).
Xerces-C++ versions below 2.6.0 allow an attacker to craft a malicious XML document using XML attributes in a way that inflicts a denial of service condition on the target machine.
Microsoft Outlook Web Access (OWA) for Exchange 5.5 is vulnerable to an HTTP Response Splitting attack.
This paper describes a Blind XPath Injection attack that enables an attacker to extract a complete XML document used for XPath querying, without prior knowledge of the XPath query.