- 13 Sep 2012
SAP Smashing (Internet Windows)
SAProuter is a SAP network proxy that can route TCP connections through firewalls. A proof-of-concept technique was developed to establish native connections through SAProuter. The method allows routing network connections and was demonstrated by integrating with Metasploit to access systems behind the proxy.
-
Martyn Ruks Nils - 11 Sep 2012
Security Testing 4G (LTE) Networks
This presentation explores security testing methodologies for 4G (LTE) networks. The shift to IP-based communications in LTE networks introduces potential new security risks. The talk aims to provide insights into network security assessment and potential vulnerabilities in LTE deployments.
- 7 Sep 2012
Mercury v1.1 is Released
Mercury v1.1 is an Android security testing framework with enhanced compatibility for newer Android versions. The release introduces a Reflection Interface for dynamic feature addition and includes new modules for comprehensive security scanning of Android devices and applications. Key improvements enable security professionals to more efficiently analyze potential vulnerabilities in Android systems.
- 3 Sep 2012
SAP Parameter Injection
A vulnerability in SAP's Host Control service enables remote unauthenticated command execution on Windows SAP systems using SAP MaxDB. The attack involves manipulating parameters of the dbmcli executable to write and execute attacker-controlled commands. Metasploit modules were developed to demonstrate command injection across different SAP system interfaces.
- 1 Sep 2012
A Look at the BlackBerry OS as a Secure Platform for Third Party Applications
This article examines critical security vulnerabilities in the BlackBerry OS for third-party applications running in the BlackBerry Internet Service environment. Key security issues include unprotected data storage, insecure data transmission, and weak application sandboxing that could allow malicious apps to compromise device security. The study reveals multiple attack vectors such as database manipulation, input simulation, and unauthorized screenshots.
- Nils
- 1 Sep 2012
PinPadPwn
A presentation at BlackHat 2012 exposed critical security vulnerabilities in payment terminals. Memory corruption attacks were demonstrated to be possible through complex input handling and network interfaces. The research highlighted potential code execution risks in payment terminal systems.
- 23 Aug 2012
Mercury Reflection
Mercury developed a dynamic reflection interface for Android security assessment that enables runtime code execution and plugin creation. The interface allows developers to load Java code dynamically on the server side without modifying the core application. This approach provides flexible functionality for examining and interacting with Android applications through a simple set of reflection methods.
- 20 Jul 2012
Hacking Embedded Devices: UART Consoles
Hardware hacking techniques can provide root-level access to embedded devices through UART console interfaces. By physically inspecting circuit boards and identifying specific pins, access to hidden device consoles can be obtained. The methodology involves using tools like oscilloscopes and logic analyzers to locate and interact with serial interfaces on devices such as routers and modems.
- 18 Jul 2012
Incognito v2.0 Released
Incognito v2.0 is a Windows security tool for token enumeration and manipulation. The new version introduces multi-host input, multi-threading, grepable output, quiet mode, and improved handling of administrative privileges. Key improvements include better API compatibility, enhanced token discovery across multiple systems, and more flexible output options for security professionals.
- 11 Jun 2012
HackFu 2012
HackFu 2012, a cybersecurity event, is scheduled for June 28th. Multiple Twitter accounts will provide live updates during the event. Participants can follow the action on designated Twitter handles like @umd9, @_cyberdyne_, @r3dl4nd, and @neweurope_.
- 6 Jun 2012
veripy is Released
MWR Labs released veripy, an open-source testing tool for IPv6 network transition. The tool aims to build confidence in hardware and software products supporting IPv6 networking. veripy is designed to help organizations navigate the complex shift from IPv4 to IPv6 infrastructure.
- 30 Apr 2012
Building Android Java/JavaScript Bridges
This article explores security vulnerabilities in Android WebView implementations, focusing on Java/JavaScript bridges. It examines methods like addJavascriptInterface and method overriding that allow native code exposure to web content. The research highlights potential attack vectors in cross-platform mobile application development frameworks, particularly in PhoneGap.