News


Cleaning and modifying our web site

Our web site remained almost the same for around 4 years, as we had no spare time to improve it. Of course, we are not experts in marketing. We just focus on our main goals: helping our customers to fight against the attackers and threats. It was time to clean our website and to change the design a little bit.

Sponsoring grsecurity to celebrate a decade of deployment

For more than 10 years, our consultant used the power of grsecurity and PaX projects, created by genius geeks. They provide real protection against zero-day threats thanks to containment, detection, RBAC, etc. Most of the time, they have technical solutions years before they get (poorly) copied by commercial vendors. We wanted to celebrate more than 10 years of re-compilation of Linux kernels with grsecurity, and decided to sponsor this tremendous open-source activity, sharing tools and experience to harden your systems. Long life to this project.

Security Advisory - 0day in Phraseanet Product: Remote Control

During a penetration test, TEHTRI-Security found remote vulnerabilities on Phraseanet. This product is a complete answer to all kinds of organizations that need to manage and distribute digital assets. It is built with standard open source components, and the dev team quickly created security patches that would help avoid cyber-attacks. You should upgrade to version 3.7.3 available on GitHub and Sourceforge if you want to get rid of these security issues. Public exploits will not be shared because Phraseanet is widely used by big worldwide and national entities such as administrations, industry, TV channels, etc. These 0days were remote pre-authenticated exploits with multiple sharp privilege escalations to finish with a remote control of the box. We noticed the high quality and speed of the developers to propose a security patch, compared to some non-open-source products...

Security Advisory - 0day in Vormetric Product: Local Priv Escalation

TEHTRI-Security found a UNIX security issue on Vormetric 4.4.1 during a pentest in May 2012. This vulnerability was silently fixed in version 5. The local user nobody could become root because of local flaws in the product (permissions issues on secfsd...). Vormetric Data Security allows enterprises to encrypt sensitive data, control access to that information, and report on who is accessing the protected data. If you are not sure about the local security of your Vormetric installation, have a full security check in your vormetric/DataSecurityExpert/agent/ directory. BTW, we do believe that all vendors should ask for penetration tests and security assessments on their products, with IT Security experts who regularly find dangerous security bugs.

About Mobile Device Management and Security

According to TEHTRI-Security, like most IT products, many Mobile Device Management products are not hardened properly, because big companies do not want to hire real external pentesters who would be skilled enough to lay down 0days and pown their tools. We are all vulnerable. Most IT products are not analyzed properly. The economic crisis perhaps changed some rules, and vendors sadly do not have enough resources to outsource this kind of analysis. This kind of behaviour will definitely help the gurus from the dark side. Hopefully, some vendors are able to create patches and remediation really quickly, which reduces the size of the attack surface. Live and let die.

Security Advisory - 0days in McAfee EMM product: OTP..

McAfee Security Bulletin SB10021: During a penetration test, TEHTRI-Security created 0days against McAfee EMMPortal products. When using McAfee EMM in OTP mode, a provisioning user must provide a one-time provisioning token. In order to simplify this process for a user, the EMM administrator can provide an EMM user with a clickable URL that launches the McAfee EMM Agent and limits the amount of data a user must type into the device. Due to the vulnerabilities of DNS SRV records upon which EMM depends for simplifying the user provisioning process, an attacker could retrieve a password of a user through a combination of social engineering and a fake EMM server attack. McAfee EMM users should be cognizant of social engineering attacks and should avoid going to unknown sites. The EMM Portal service through which these invalid authentication credentials are recorded should be protected via a web application firewall. The AuthorizationFailure table within the EMM database can be monitored and truncated if an excessive number of rows are encountered. McAfee EMM Agent 4.7 and earlier are affected. McAfee recommends that all customers verify that they have applied the latest updates.

Security Advisory - 0days in McAfee EMM product: EMM Portal

McAfee Security Bulletin SB10022: During a penetration test, TEHTRI-Security created 0days against McAfee EMMPortal products. Several legacy features of the EMMPortal can be used in order to execute Man In The Middle attacks against EMM users. McAfee EMM 9.7.1 and earlier are affected. McAfee recommends that all customers verify that they have applied the latest updates.

Gmail App Security Issues on iPhone/iPad/iPod

TEHTRIS published humble thoughts related to vulnerabilities of Gmail App for iPhone/iPad/iPod. Emails, contacts, etc., are cached in cleartext on the i-device. Moreover, authentication data, like some famous cookies, are not stored through secure Keychain capabilities, which can lead to Gmail hijacking issues. Read our blog for more information. By the way, many applications from the Apple Store are vulnerable.

CERT VU#584363: Zenprise Device Manager CSRF / Powning a GSM fleet

The US-CERT released a vulnerability note VU#584363 explaining that the Zenprise Device Manager software is susceptible to a cross-site request forgery (CSRF) vulnerability that may result in the compromise of the fleet of mobile devices managed by the product. Thanks to our exploits, a skilled attacker could get control of a complete fleet of iPad, BlackBerry, Android, iPhones, Windows Mobile, Symbian, etc. Some of our exploits could lead to a shred of the whole fleet of devices. Others could help spy on the end-users of these phones and tablets. According to TEHTRI-Security, many big companies using Mobile Device Management tools could be attacked through this kind of vector, because of a lack of technically skilled penetration tests.

CVE-2011-3434: Our vuln was patched by Apple - iOS 5 Software update

TEHTRI-Security found a vulnerability on iPod/iPhone/iPad [CVE-2011-3434]. Indeed, WiFi credentials were logged to a local file, including passphrases and encryption keys. This was readable by applications on the system. Apple resolved this problem by avoiding logging these credentials. You should definitely update your devices. This patch is available for iOS 3.0 through 4.3.5 for iPhone 3GS and iPhone 4, iOS 3.1 through 4.3.5 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.5 for iPad. We only shared complete issues with Apple support. Some details were shared with our attendees of SyScan Singapore 2011 and HITB Amsterdam 2011. If you want more 0days and exploits, you should definitely register for our next trainings (BlackHat AD, HITB India, etc).

SPIP recently fixed 2 vulnerabilities notified by Tehtri-Security (0day)

Our CTO, Laurent ESTIEUX, discovered two vulnerabilities in a well-known CMS product named SPIP: a local path disclosure (all SPIP versions) + an SQL injection (SPIP 1.9.2 branch). As Tehtri-Security is engaged in a responsible disclosure policy, technical information was notified to the SPIP-Team for fixes. SPIP is now patched and the latest version can be downloaded at http://www.spip.net/en_article5265.html

New Event HITBGSEC 2012 + New Training about Strategic Cyber Attacks

Join us at India's Premier Global IT Security Conference next year. This will definitely be the place to be with some of the most influential thinkers in the security industry and India's leading CxOs. There, we will give a tremendous new training, called "Strategic cyber attacks, Advanced Persistent Threats and beyond". This will be the time to show and explain why every sensitive place gets hacked in this cyber world, and how attackers work to steal data or destroy infrastructures. More information in the future. Stay tuned...

0days found in software used by banks, telcos, military, airports...

During a penetration test, TEHTRI-Security found local and remote security issues in a product that is currently used to ensure 24x7 availability and load balancing for military applications, as well as high availability in airports for air traffic control, plus banking or medical services, etc. As we created 0days that could be used to attack all those networks, we directly contacted the vendor to improve the security of their customers. With our exploits, the final effect could be a remote admin access on the infrastructure.

Mobile Device Management Vulnerabilities (0days)

To handle the awesome use of smartphones, large-scale companies and organizations came to MDM, Mobile Device Management. This allows them to manage, to monitor and to secure a mobile fleet (more or less easily). Troubles might happen when remote attackers get illegal access to the MDM, as this could lead to opportunities like locating employees, wiping phones/tablets, stealing data, etc. We recently discovered multiple vulnerabilities (0days) in some MDM clients and servers. To give an example, we found security flaws on iPhone/iPad clients, and on the control panel of some MDM products (stealing remote credentials, XSRF, LDAP injection, remote wipe of the entire fleet, network protocol issues, etc). We strongly recommend launching advanced technical penetration tests and creating an architecture that might apply containment and detection to follow potential future intruders.

Facebook Security Issues through HTML Iframes

Evil Facebook users could craft special web pages on facebook.com/* in order to abuse some end-users, thanks to the use of iframes loading external web resources. This could potentially lead to privacy issues, phishing attempts, XSS/CSRF and client-side attacks. We shared humble demonstrations as proofs of concept.

Facebook silently fixed our vulnerability shown at HITB Amsterdam 2011

We recently discovered that Facebook patched its iPhone App without sharing any credit and without any advisory. They just silently fixed a vulnerability found by TEHTRI-Security. This one was only shared with the attendees during our talk at HITB Amsterdam 2011. And the proof of concept was only shared with Facebook and Apple support. Apple recently told us that the vulnerability was fixed by Facebook around July. This does explain why we had no news from Facebook. Disclose or not disclose, that's not a question, anymore.

GooglePlus Reader Privacy Issue

Some Google Plus readers might reveal technical information and IP addresses while reading specially crafted G+ profiles with malicious behaviors. This could be used to commit targeted attacks against some G+ end users or to track them. More information on our blog.

TEHTRI-Security slides from HITB Amsterdam 2011

Our slides from HITB Amsterdam 2011 are now available on the HITB web site. We gave examples of new concepts of attacks in the iPhone world. For example we explained how phishing attacks could be done with telephone calls, and how to hijack a local application of the iPhone (with a demo where we stole the Facebook password, or Twitter or Paypal...). We also played with new fuzzing possibilities that helped crash some applications (Facebook, Twitter). Finally, we gave a proof of concept to do a remote detection of a jailbroken device... We got much positive feedback and many questions by email, etc...

Client-Side Attack: Upgrade your BlackBerry devices

TEHTRI-Security found a vulnerability on BlackBerry devices. This security issue was patched by RIM, with an official advisory displayed recently on their site. Basically, when a BlackBerry device user browses to a malformed web page, the BlackBerry browser application consumes sufficient resources to make the BlackBerry device appear unresponsive. Check CVE-2010-2599.

BlackHat DC 2011: 0days and exploiting web clients

TEHTRI-Security gave a talk yesterday during BlackHat Briefings in Washington DC. We explained how we found some 0days against some devices (Apple, RIM, Android, HTC...) with client-side attacks. We had an awesome surprise for the attendees, with experts from RIM who came and explained how they mitigated the vulnerability we found, thanks to a worldwide patch, etc.

Safari Patch released by Apple with Credits to TEHTRI-Security

CVE-ID: CVE-1010-1752, Available for: Safari 5.0.3 and Safari 4.1.3, on platforms Windows 7, Vista, XP SP2 or later -- Description: A stack overflow exists in CFNetwork's URL handling code. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory handling.

HITB - Advanced European Training : Hunting Web Attackers

TEHTRI-Security will propose this offensive training to help administrators and IT Security staff who want to hunt down web attackers. It will contain plenty of cutting-edge hands-on exercises and 0days. During HITB Malaysia 2010, we gave this training, and the room was almost full, with students from Fortune 500, Government Agencies, etc. So, register quickly and join us in Amsterdam, Netherlands, during Hack In The Box HITBSecConf 2011. There, we will release some of our self-defense cyber weapons with 0days...

MACOSX Patch released by Apple with Credits to TEHTRI-Security

CVE-ID: CVE-2010-1752, Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4 -- Description: A stack overflow exists in CFNetwork's URL handling code. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.

Security-Advisory: TEHTRI-SA-2010-031 - 0day on Safari for Windows

TEHTRI-Security found a stack overflow in Safari for Windows (latest version 5.0.2 - 7533.18.5) from Apple Inc. The IT Security crew from Apple was contacted with an example of exploit plus a description (vulnerable DLL, etc). This is a client-side attack against this web browser, without the interaction of the end-user (once the evil web page is loaded). No details were shared outside of the Apple team.

New talk: Black-Hat Abu Dhabi 2010

TEHTRI-Security will be part of Black-Hat Abu Dhabi 2010 for a new talk called "Extrusion and Web Hacking". We will focus on real threats and security issues related to extrusion, by explaining how attackers try to get stealth control of, or an evil interaction with, a remote web resource (real life covert channel, stealth bounces, etc).

Credits from Apple

TEHTRI-Security was recently added twice to an article that provides credit to people who have reported potential security issues in Apple.com web servers.

New Training : Hunting Web Attackers

TEHTRI-Security will give a new offensive training to help administrators and IT Security staff to hunt down web attackers, with plenty of cutting-edge hands-on exercises. So join us in Kuala Lumpur, Malaysia, during Hack In The Box HITBSecConf 2010. We will release some of our self-defense cyber weapons with 0days there...

New Talk : Analyzing Massive Web Attacks

The goal of this talk is to have a deep look at some recent web attacks that occurred over the Internet, especially those that were used to target a huge number of people. Thanks to special forensics operations, we will be able to bring code used by attackers to get an access, to keep control, and to commit cyber crimes. Place: Kuala Lumpur, Malaysia, HITBSecConf 2010.

CVE-2010-1752: TEHTRI-Security inside the iPhone iOS4

TEHTRI-Security found a stack overflow in CFNetwork, through the code used to handle URLs. By visiting a maliciously crafted website, we found that it might lead to an unexpected application termination or arbitrary code execution. This issue has been addressed by Apple through improved memory handling. Apple has given credit to TEHTRI-Security on their site for reporting this issue, as we provided the 0day directly to them, so that the security of their customers could be improved. This has been released to the public for the first time during Hack In The Box Europe.

Security-Advisory: TEHTRI-SA-2010-028 - 0day on BlackBerry

During the first Hack In The Box conference in Europe, we explained many security issues related to attacks against web clients in insecure environments. This particular advisory was about the BlackBerry. No technical detail was given to the public, so that the customers of this product might not be attacked because of our research. Everything is in the hands of BlackBerry who are already working to fix this vulnerability.

Security-Advisory: TEHTRI-SA-2010-027 - 0day on HTC

During the first Hack In The Box conference in Europe, we explained many security issues related to attacks against web clients in insecure environments. This particular advisory was about the HTC. No technical detail was given to the public, so that the customers of this product might not be attacked because of our research.

Security-Advisory: TEHTRI-SA-2010-026 - 0day on iPad

During the first Hack In The Box conference in Europe, we explained many security issues related to attacks against web clients in insecure environments. This particular advisory was about the iPad. No technical detail was given to the public, so that the customers of this product might not be attacked because of our research. A live demo was given. Everything is in the hands of Apple who are already working to fix this vulnerability.

Security-Advisory: TEHTRI-SA-2010-029 - ThalysNet Insecure

During the first Hack In The Box conference in Europe, we explained many security issues related to attacks against web clients in insecure environments. This particular advisory was about the ThalysNet Internet service offered to 500000 end users in Europe. This service has many vulnerabilities and people on the train might be attacked. Read our slides if you want more details. ThalysNet was contacted.

TEHTRI-Security gave 13 0days against most black hats tools

Today, during our humble new talk at SyScan 2010 Singapore, we have just released many 0days and new offensive concepts against most of the tools used by attackers currently, like web shells, exploit packs, etc. We have given new methods to counter-strike people with our new exploits giving you remote shells, remote SQL injection, permanent XSS and dangerous XSRF. We have shown how to identify, exploit or destroy attackers using this kind of tool. For example, we gave some of our 0days against known tools like Sniper Backdoor, Eleonore Exploit Pack, Liberty Exploit Pack, Lucky Exploit Pack, Neon Exploit Pack, Yes Exploit Pack... This was a way to explain that you can react when you are under attack. We hope that this will open new ways to think about IT Security worldwide, and that it might help people sometimes. Do not hesitate to contact TEHTRI-Security if you need technical assistance with experts who know how cyber conflicts work for real, which is totally different from people who just do research in labs.

Security-Advisory: TEHTRI-SA-2010-023 - Vuln in NEON

We just released this new 0day against the exploit pack called NEON. Remote and pre-authentication 0day. Permanent XSS and XSRF against the administrators in the admin panel. It can be used to steal authentication cookies of the evil admins, to destroy their databases used for attack management, to identify the attackers, etc.

Security-Advisory: TEHTRI-SA-2010-020 - Vuln in YES

We just released this new 0day against the exploit pack called YES. Remote and pre-authentication 0day. Permanent XSS and XSRF against the administrators in the admin panel, /admin/index.php. It can be used to steal authentication cookies of the evil admins, to destroy their databases used for attack management, to identify the attackers, etc.

Security-Advisory: TEHTRI-SA-2010-018 - Vuln in LuckySploit

We just released this new 0day against the exploit pack called LuckySploit. Remote and pre-authentication 0day. This gives you a remote control of the broken box, by allowing you to execute PHP code with a two-phase attack. It can be used to counter-strike evil intruders, to destroy their databases used for attack management, to identify them, etc. Remote shell obtained with only two HTTP requests.

Security-Advisory: TEHTRI-SA-2010-017 - Vuln in Liberty

We just released this new 0day against the exploit pack called Eleonore. Remote and pre-authentication 0day. Permanent XSS and XSRF against the administrators in the admin panel. It can be used to steal authentication cookies of the evil admins, to destroy their databases used for attack management, to identify the attackers…

Many 0days soon released at SyScan Singapore 2010

Mid-June 2010, TEHTRI-Security will be at SyScan Singapore for an outstanding conference. There, we will release more than 13 0days against many different products (yes, 13 zero days...). We will also propose multiple generic technical solutions that might help white hats when they want to counter-strike most exploit pack systems and web attackers. And before we conclude, we will also offer a complete web based botnet tracking and destruction. It's time to get rid of those threats, and to show that there are other non-standard solutions when you are under attack. Stay tuned...

HITB Dubai 2010: Our slides are available

If you want to enjoy what we presented during HITBSecConf Dubai 2010, follow this link and read our slides. Our goal was to give a 1 hour overview about how web attackers behave to remain stealthy on a network they were able to break into...

Silent Steps: Improving the Stealthiness of Web Hacking

We remind you that next 21st April, TEHTRI-Security will talk about web security, during this presentation: "Silent Steps: Improving the Stealthiness of Web Hacking". Our talk will include in particular: funny 0-days against widely deployed web applications, new technical methods and thoughts for web attackers to improve their stealthiness during an intrusion and how to detect them, a global analysis of fingerprints left by attackers during each step of a web attack (backdoors, bounces...) and how to mitigate those attacks... See you soon at HITBSecConf Dubai...

Cansecwest Security Training: Program Updated online

Our Security Master's Dojo course that will occur during next Cansecwest 2010 (22-23 March 2010) has been updated and is available here. This session aims at providing a hands-on focused PHP Hacking experience. After this course, you will really know how attackers work and move through PHP hax0ring so that they can jump deeper down to your networks. This training will end with a final amazing exercise through a step by step live hacking simulation. It will help students come back to offensive and defensive hands-on actions seen during the whole day, thanks to a complete information warfare operation.

More about our Dubai talk during HITBSecConf 2010

"Web and Stealth Hacking": TEHTRI-Security talk will aim at covering web hacking and stealth issues, showing how security staff and attackers play some kind of hide and seek war-games on the Internet from time to time. Before concluding, we will also introduce new offensive concepts that demonstrate how attackers like pentesters, blackhats, etc, can be helped to become stealthier on the wire, so that defenders understand some kind of limitations of the current situation and tools.

© 2010-2014 TEHTRI-Security - All rights reserved - All trademarks recognised