-
John Fitzpatrick Luke Jennings - 20 Dec 2013
Hack the Gibson - Deepsec Edition
A presentation at Deepsec 2013 explored security vulnerabilities in supercomputer technologies. John Fitzpatrick and Luke Jennings from MWR discussed potential attacks against common supercomputer systems. The presentation slides are available for download, providing insights into supercomputer security challenges.
- 20 Dec 2013
HackFu 2013: The Movie
A teaser video for HackFu 2013 was released, presenting a puzzle for viewers to solve without hacking or brute force methods. The video hints at the upcoming HackFu 2014 event scheduled for June 26-28, 2014. Participants are challenged to solve the puzzle while allowing others the opportunity to do so independently.
- 20 Dec 2013
PontiFlex Ad Library - Remote JavaScript Command Execution
A critical vulnerability was discovered in the PontiFlex ad library for Android that enables remote JavaScript command execution. The flaw allows attackers to download and execute arbitrary code, perform directory traversal, and potentially steal files from mobile applications through manipulated WebView JavaScript interfaces. The vulnerability impacts Android apps using the PontiFlex ad library, potentially exposing millions of users to remote code execution risks.
- 29 Nov 2013
Advanced Persistent Timelords
A thought experiment explores cybersecurity challenges if attackers could manipulate time. The analysis examines potential vulnerabilities in physical access, document security, personnel management, and digital systems under a hypothetical temporal manipulation scenario. The exploration demonstrates how traditional security controls would break down if an attacker could jump to different points in time or pause time itself.
- 29 Nov 2013
Debug All the Android Things
This blog post describes a technique for enabling debugging on Android applications using Cydia Substrate. The method involves hooking the Android process startup method to force debugging flags, allowing developers to use jdb to interact with and manipulate running Android applications, even for apps not marked as debuggable in their manifest.
- 27 Nov 2013
Millenial Media Ad Library
A critical vulnerability was discovered in the Millenial Media SDK across mobile platforms. The SDK's WebView implementation allows attackers to perform dangerous actions like file manipulation, clipboard access, audio recording, and cross-application exploitation through malicious JavaScript injection. These security flaws could enable comprehensive mobile device compromise and unauthorized access to sensitive user information.
- 20 Nov 2013
AppLovin Ad Library SDK: Remote Command Execution via Update Mechanism
A critical vulnerability was discovered in the AppLovin Ad Library SDK for Android that enables remote command execution through an insecure update mechanism. The vulnerability allows attackers to inject malicious code into applications by exploiting the SDK's dynamic class loading process during updates. An attacker can craft a malicious SDK update that gets automatically downloaded and executed when an application starts.
- 12 Nov 2013
Run SAP, Run
Metasploit modules for SAP system security assessment were developed to comprehensively test SAP enterprise environments. The modules enable penetration testers to discover SAP services, enumerate clients, perform bruteforce attacks, and execute remote commands across different SAP connectors. Multiple attack techniques were demonstrated, including information gathering, credential extraction, and obtaining interactive shells on both Linux and Windows SAP systems.
- 25 Oct 2013
HackFu - The Final Wrap Up
HackFu 2013 was an immersive cybersecurity event hosted by MWR at the RAF Air Defence Radar Museum. The event featured a Crystal Maze-themed competition with four themed zones: Aztec, Industrial, Medieval, and Futuristic. Teams competed across multiple technical challenges testing skills in networking, forensics, hacking, and problem-solving.
- 24 Sep 2013
WebView addJavascriptInterface Remote Code Execution
A critical remote code execution vulnerability was discovered in Android WebViews using JavaScript interfaces. The vulnerability allows attackers to execute arbitrary system commands by injecting malicious JavaScript into applications using advertising network SDKs. Analysis revealed that a significant number of Android applications could potentially be compromised through this security flaw.
- John Fitzpatrick Luke Jennings
- 18 Sep 2013
Hack the Gibson - 44CON
A presentation at 44CON revealed significant security vulnerabilities in top supercomputers. The talk demonstrated novel attack techniques for compromising large-scale computing infrastructure. Penetration testing exposed lower security standards in high-performance computing systems compared to typical enterprise environments.
- Nils Jon Butler
- 6 Sep 2013
MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit
A kernel pool overflow vulnerability in Windows 7's Win32k system was demonstrated at Pwn2Own 2013. The exploit involved manipulating message buffer allocations to corrupt kernel memory structures. By carefully controlling message handling and window object properties, kernel-mode code execution was achieved, enabling a sandbox escape in Google Chrome.