Untangling some mess around SHA-1 Deprecation Policy on Windows

Microsoft recently announced updates to the SHA-1 deprecation policy for Windows [0]. According to the update, Windows 7 and later platforms will no longer support SHA-1 certificate hashes (CH) after 1st January 2016. This means all binaries have to be signed with SHA-2 after 1st January 2016, or Windows will pop up an alert!

Initially, this policy got me worried. Why? Because, as per [1], Microsoft pushed SHA-2 support to Windows 7 and Windows Server 2008 R2 on 14/Oct/2014; that update was later revoked due to some issues and re-pushed in advisory KB3033929 [2], which was published on 10/Mar/2015 (just a few months ago!). So, will all the users who aren't on KB3033929 be unable to verify my valid SHA-2 certs? No, they can verify them! Read on...

CVE-2015-2098: Analysis and Exploitation of eDVR Manager ActiveX control Vulnerability

In this post, we analyze CVE-2015-2098, a stack buffer overflow vulnerability in the eDVR Manager ActiveX control, and build a robust exploit for Windows XP and Windows 7.

We exploit this vulnerability using the SEH overwrite technique and then use further methods to circumvent exploit mitigations such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

OSCP Certification: My Experience and some Concerning Trends

I did my OSCP certification back in 2013 and wanted to share my experience with that cert, along with some industry trends that I have been observing.

OSCP, or Offensive Security Certified Professional, is an awesome certification which pushes the challengers to think out of the box and apply their concepts to real-world applications. The most enjoyable part of my 29-day OSCP journey was the labs. They are designed in a way that trains your brain to think like a professional penetration tester. The lab machines come in various flavours, configurations, and architectures.

Chrome XSS filter bypass for a DOM clobbering attack

I found an interesting Chrome XSS filter bypass in @0x6D6172696F's @nullcon training for this DOM clobbering attack.

window.opener can sometimes be abused to launch XSS attacks. There is an interesting XSS filter bypass which I found during Mario Heiderich's training at NullCon, Goa 2015.

In the DOM clobbering attack below (the CKEditor DOM XSS issue), a page hosting the following malicious link will trigger DOM XSS on the target application once the link is clicked:

<a href="vuln.html#<svg onload=alert(1)>" id="_cke_htmlToLoad" target="_blank">XSS ME!</a>