http://secdocs.lonerunners.net Latest security documents RSS feed for author Cesar Cerrudo en-us <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/34-shellcode">shellcode</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/96-black-hat-eu-2006">Black Hat EU 2006</a> <br/> Fri, 13 Jan 2012 06:34:03 +0100 http://secdocs.lonerunners.net/documents/details/4730-wlsi---windows-local-shellcode-injection http://secdocs.lonerunners.net/documents/details/4730-wlsi---windows-local-shellcode-injection <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/45-windows">Windows</a> <a href="http://secdocs.lonerunners.net/tags/details/83-exploiting">exploiting</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/93-black-hat-eu-2005">Black Hat EU 2005</a> <br/> Tue, 27 Dec 2011 06:34:16 +0100 http://secdocs.lonerunners.net/documents/details/4628-hacking-windows-internals http://secdocs.lonerunners.net/documents/details/4628-hacking-windows-internals <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/7-sql-server">SQL Server</a> <a href="http://secdocs.lonerunners.net/tags/details/9-oracle">Oracle</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/92-black-hat-usa-2005">Black Hat USA 2005</a> <br/> Sat, 24 Dec 2011 06:28:30 +0100 http://secdocs.lonerunners.net/documents/details/4608-demystifying-ms-sql-server--oracle-database-server-security http://secdocs.lonerunners.net/documents/details/4608-demystifying-ms-sql-server--oracle-database-server-security <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/79-activex">ActiveX</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/90-black-hat-windows-security-2004">Black Hat Windows Security 2004</a> <br/> Tue, 13 Dec 2011 06:33:15 +0100 http://secdocs.lonerunners.net/documents/details/4539-auditing-activex-controls http://secdocs.lonerunners.net/documents/details/4539-auditing-activex-controls <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/5-aaron-newman">Aaron Newman</a> <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/7-sql-server">SQL Server</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/76-black-hat-windows-security-2003">Black Hat Windows Security 2003</a> <br/> Thu, 20 Oct 2011 08:54:07 +0200 http://secdocs.lonerunners.net/documents/details/4199-hunting-flaws-in-ms-sql-server http://secdocs.lonerunners.net/documents/details/4199-hunting-flaws-in-ms-sql-server <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/5-aaron-newman">Aaron Newman</a> <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/7-sql-server">SQL Server</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/76-black-hat-windows-security-2003">Black Hat Windows Security 2003</a> <br/> Thu, 20 Oct 2011 08:54:07 +0200 http://secdocs.lonerunners.net/documents/details/4200-hunting-flaws-in-ms-sql-server http://secdocs.lonerunners.net/documents/details/4200-hunting-flaws-in-ms-sql-server <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/45-windows">Windows</a> <a href="http://secdocs.lonerunners.net/tags/details/83-exploiting">exploiting</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/71-black-hat-usa-2010">Black Hat USA 2010</a> <br/><b>Abstract</b>: On April 14, 2009 Microsoft released a patch (documented here) to fix the issues detailed in my previous Token Kidnapping presentation (download PDF). The patch properly fixed the issues but... This new presentation will detail new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7. These new attacks allow to bypass new Windows services protections such as Per service SID, Write restricted token, etc. It will be demonstrated that almost any process with impersonation rights can elevate privileges to Local System account and completely compromise Windows OSs. While the issues are not critical in nature since impersonation rights are required, they allow to exploit services such as IIS 6, IIS 7, SQL Server, etc. in some specific scenarios. Exploits code for those services will be released. The presentation will be given in a very practical way showing how the new issues were found, with what tools, techniques, etc. allowing the participants to learn how to easily find these kind security issues in Windows operating systems. Wed, 07 Sep 2011 19:04:26 +0200 http://secdocs.lonerunners.net/documents/details/3974-token-kidnappings-revenge http://secdocs.lonerunners.net/documents/details/3974-token-kidnappings-revenge <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/45-windows">Windows</a> <a href="http://secdocs.lonerunners.net/tags/details/83-exploiting">exploiting</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/71-black-hat-usa-2010">Black Hat USA 2010</a> <br/><b>Abstract</b>: On April 14, 2009 Microsoft released a patch (documented here) to fix the issues detailed in my previous Token Kidnapping presentation (download PDF). The patch properly fixed the issues but... This new presentation will detail new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7. These new attacks allow to bypass new Windows services protections such as Per service SID, Write restricted token, etc. It will be demonstrated that almost any process with impersonation rights can elevate privileges to Local System account and completely compromise Windows OSs. While the issues are not critical in nature since impersonation rights are required, they allow to exploit services such as IIS 6, IIS 7, SQL Server, etc. in some specific scenarios. Exploits code for those services will be released. The presentation will be given in a very practical way showing how the new issues were found, with what tools, techniques, etc. allowing the participants to learn how to easily find these kind security issues in Windows operating systems. Wed, 07 Sep 2011 19:04:10 +0200 http://secdocs.lonerunners.net/documents/details/3973-token-kidnappings-revenge http://secdocs.lonerunners.net/documents/details/3973-token-kidnappings-revenge <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/9-oracle">Oracle</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/70-black-hat-dc-2007">Black Hat DC 2007</a> <br/> Thu, 28 Jul 2011 21:15:47 +0200 http://secdocs.lonerunners.net/documents/details/3896-practical-10-minute-security-audit-the-oracle-case http://secdocs.lonerunners.net/documents/details/3896-practical-10-minute-security-audit-the-oracle-case <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/9-oracle">Oracle</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/70-black-hat-dc-2007">Black Hat DC 2007</a> <br/> Thu, 28 Jul 2011 21:15:15 +0200 http://secdocs.lonerunners.net/documents/details/3895-practical-10-minute-security-audit-the-oracle-case http://secdocs.lonerunners.net/documents/details/3895-practical-10-minute-security-audit-the-oracle-case <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <a href="http://secdocs.lonerunners.net/authors/details/1118-esteban-mart%C3%ADnez-fay%C3%B3">Esteban Martínez Fayó</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/3-database">database</a> <a href="http://secdocs.lonerunners.net/tags/details/70-sql-injection">SQL injection</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/69-black-hat-eu-2007">Black Hat EU 2007</a> <br/> Fri, 08 Jul 2011 01:04:35 +0200 http://secdocs.lonerunners.net/documents/details/3858-hacking-databases-for-owning-your-data http://secdocs.lonerunners.net/documents/details/3858-hacking-databases-for-owning-your-data <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <a href="http://secdocs.lonerunners.net/authors/details/1118-esteban-mart%C3%ADnez-fay%C3%B3">Esteban Martínez Fayó</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/3-database">database</a> <a href="http://secdocs.lonerunners.net/tags/details/70-sql-injection">SQL injection</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/69-black-hat-eu-2007">Black Hat EU 2007</a> <br/> Fri, 08 Jul 2011 01:04:18 +0200 http://secdocs.lonerunners.net/documents/details/3857-hacking-databases-for-owning-your-data http://secdocs.lonerunners.net/documents/details/3857-hacking-databases-for-owning-your-data <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/45-windows">Windows</a> <a href="http://secdocs.lonerunners.net/tags/details/83-exploiting">exploiting</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/65-defcon-18">DEFCON 18</a> <br/> Sat, 29 Jan 2011 12:19:50 +0100 http://secdocs.lonerunners.net/documents/details/3351-token-kidnappings-revenge http://secdocs.lonerunners.net/documents/details/3351-token-kidnappings-revenge <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/45-windows">Windows</a> <a href="http://secdocs.lonerunners.net/tags/details/83-exploiting">exploiting</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/65-defcon-18">DEFCON 18</a> <br/> Sat, 29 Jan 2011 12:01:21 +0100 http://secdocs.lonerunners.net/documents/details/3350-token-kidnappings-revenge http://secdocs.lonerunners.net/documents/details/3350-token-kidnappings-revenge <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/45-windows">Windows</a> <a href="http://secdocs.lonerunners.net/tags/details/83-exploiting">exploiting</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/65-defcon-18">DEFCON 18</a> <br/> Sat, 29 Jan 2011 12:01:02 +0100 http://secdocs.lonerunners.net/documents/details/3349-token-kidnappings-revenge http://secdocs.lonerunners.net/documents/details/3349-token-kidnappings-revenge <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/45-windows">Windows</a> <a href="http://secdocs.lonerunners.net/tags/details/83-exploiting">exploiting</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/65-defcon-18">DEFCON 18</a> <br/> Sat, 29 Jan 2011 12:00:33 +0100 http://secdocs.lonerunners.net/documents/details/3348-token-kidnappings-revenge http://secdocs.lonerunners.net/documents/details/3348-token-kidnappings-revenge <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/7-sql-server">SQL Server</a> <a href="http://secdocs.lonerunners.net/tags/details/8-forensic">forensic</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/15-black-hat-dc-2009">Black Hat DC 2009</a> <br/> Tue, 31 Aug 2010 11:17:00 +0200 http://secdocs.lonerunners.net/documents/details/2838-sql-server-anti-forensics http://secdocs.lonerunners.net/documents/details/2838-sql-server-anti-forensics <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/7-sql-server">SQL Server</a> <a href="http://secdocs.lonerunners.net/tags/details/8-forensic">forensic</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/15-black-hat-dc-2009">Black Hat DC 2009</a> <br/> Tue, 31 Aug 2010 11:17:00 +0200 http://secdocs.lonerunners.net/documents/details/2839-sql-server-anti-forensics http://secdocs.lonerunners.net/documents/details/2839-sql-server-anti-forensics <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/7-sql-server">SQL Server</a> <a href="http://secdocs.lonerunners.net/tags/details/8-forensic">forensic</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/15-black-hat-dc-2009">Black Hat DC 2009</a> <br/> Tue, 31 Aug 2010 11:17:00 +0200 http://secdocs.lonerunners.net/documents/details/2840-sql-server-anti-forensics http://secdocs.lonerunners.net/documents/details/2840-sql-server-anti-forensics <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/7-sql-server">SQL Server</a> <a href="http://secdocs.lonerunners.net/tags/details/8-forensic">forensic</a> <br/><b>Event</b>: <a href="http://secdocs.lonerunners.net/events/details/15-black-hat-dc-2009">Black Hat DC 2009</a> <br/> Thu, 19 Feb 2009 13:30:00 +0100 http://secdocs.lonerunners.net/documents/details/389-sql-server-anti-forensics http://secdocs.lonerunners.net/documents/details/389-sql-server-anti-forensics <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/7-sql-server">SQL Server</a> <a href="http://secdocs.lonerunners.net/tags/details/70-sql-injection">SQL injection</a> <a href="http://secdocs.lonerunners.net/tags/details/83-exploiting">exploiting</a> <br/> Sun, 08 Jun 2008 16:23:00 +0200 http://secdocs.lonerunners.net/documents/details/210-manipulating-microsoft-sql-server-using-sql-injection http://secdocs.lonerunners.net/documents/details/210-manipulating-microsoft-sql-server-using-sql-injection <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/7-sql-server">SQL Server</a> <a href="http://secdocs.lonerunners.net/tags/details/70-sql-injection">SQL injection</a> <br/><b>Abstract</b>: This paper will not cover basic SQL syntax or SQL Injection. It is assumed that the reader has a strong understanding of these topics already. This paper will focus on advanced techniques that can be used in an attack on a (web) application utilizing Microsoft SQL Server as a backend. These techniques demonstrate how an attacker could use a SQL Injection vulnerability to retrieve the database content from behind a firewall and penetrate the internal network. This paper is meant to educate security professionals of the potential devastating effects SQL Injection could have on an organization. Web applications are becoming more secure because of the growing awareness of attacks such as SQL Injection. However, in large and complex applications, a single oversight can result in the compromise of the entire system. Specifically, many developers and administrators of (web) applications may have a false sense of security because they use stored procedures or mask an error messages returned to the browser. This may lead them to believe that they can not be compromised by this vulnerability. While we discuss Microsoft SQL Server in this paper, this is no way indicative that Microsoft SQL Server is any less secure than other database platforms such as Oracle or IBM DB2. SQL injection is not a defect of Microsoft SQL Server – it is also a problem for every other database vendor as well. Perhaps the biggest issue with Microsoft SQL Server is the flexibility of the system. This flexibility is what allows it to be subverted so far by SQL injection. This paper is meant to show that any time an administrator or developer allows arbitrary SQL to be executed, their system is open to being rooted. It is not meant to show that Microsoft SQL Server is inherently flawed. Sat, 26 Apr 2008 13:50:00 +0200 http://secdocs.lonerunners.net/documents/details/198-manipulating-microsoft-sql-server-using-sql-injection http://secdocs.lonerunners.net/documents/details/198-manipulating-microsoft-sql-server-using-sql-injection <b>Authors</b>: <a href="http://secdocs.lonerunners.net/authors/details/75-cesar-cerrudo">Cesar Cerrudo</a> <br/><b>Tags</b>: <a href="http://secdocs.lonerunners.net/tags/details/45-windows">Windows</a> <a href="http://secdocs.lonerunners.net/tags/details/83-exploiting">exploiting</a> <a href="http://secdocs.lonerunners.net/tags/details/122-internals">internals</a> <a href="http://secdocs.lonerunners.net/tags/details/123-windows-vista">Windows Vista</a> <br/> Sun, 20 Apr 2008 00:29:00 +0200 http://secdocs.lonerunners.net/documents/details/195-token-kidnapping http://secdocs.lonerunners.net/documents/details/195-token-kidnapping