Resources(74)

Census

CENSUS provides cybersecurity engineering and intelligence for state and private defense. Key engagements include unmanned platforms (UxV), Zero Trust architectures for autonomous systems, and sovereign secure communications under contested RF.

• Cybersecurity Engineering
• Defence
• UxV
• Zero-Trust Architectures
• autonomous
• sovereign secure communications
• unmanned platforms

CENSUS

IDC's November 2025 white paper [1], based on its July 2025 study of 600 global IT leaders, shows that confidential computing has moved beyond early adoption. 75% of organizations are already using it, with 18% in production and 57% piloting, and participants are directly involved in systems that process confidential...

• Confidential Computing

CENSUS

CENSUS is honored to participate as a Grand Sponsor of the 2nd Cyber Intelligence Summit 2026, held under the theme "Information as Defense: From Everyday Practice to Global Strategy" on February 5 at the Athens Concert Hall.

• Cyber Defense
• Cyber In Athens
• Cyber Intelligence Summit
• Cyber Threats

Ioannis Stais

It was an honour to participate and contribute to kariera.gr's Developers Day event. The gathering provided an excellent opportunity for participants to connect, exchange insights, and spark new collaborations.

• adversary
• developers day
• karieragr
• red team
• tiger team

Census

Quantum computers pose an existential threat to modern cryptography, as algorithms like Shor's will break RSA, ECC, and Diffie-Hellman, the foundations of TLS, PKI, VPNs, and SSH. While large-scale quantum machines don't yet exist, "Store Now, Decrypt Later" attacks mean adversaries are already harvesting encrypted...

CENSUS

CENSUS has conducted an in-depth technical evaluation of Confidential AI workloads on Google Cloud Platform (GCP), focusing on the integration of Intel Trust Domain Extensions (TDX) and NVIDIA H100 GPUs within Confidential Virtual Machines (CVMs). The assessment explored whether hardware-based attestation could be...

• Applied Research
• Blog
• Confidential AI
• Confidential Computing
• Cybersecurity Engineering
• Zero Trust

CENSUS

Zenoh is a communication protocol designed to efficiently facilitate data exchange, storage, and computation across diverse computing environments — from powerful servers in data centers to resource-constrained microcontrollers in IoT devices. Its primary objective is to enable seamless integration and operation of...

• Automotive
• Blog
• E2EE
• Zenoh

Charalampos Maraziaris

CENSUS has discovered a stored cross site scripting (XSS) vulnerability in the Squidex "headless" open source CMS framework. The vulnerability affects all versions of Squidex prior to 7.9.0 and enables privilege escalation affecting authenticated victim users. The Squidex development team has addressed the issue in...

• Advisories
• Code Injection
• SVG
• Squidex
• Stored XSS
• XSS

Brian McDermot

The Tang open source software is used to bind data to network presence. It is commonly used along with Clevis clients to provide for unattended LUKS decryption of server storage volumes within the realms of a network, where a trusted Tang server is situated. CENSUS identified that the Tang software in versions 11, 12...

• advisories
• private keys
• race condition

Ioannis Christodoulakos

Reflected XSS vulnerabilities were discovered in Squidex (versions before 7.4.0) in the "/squid.svg" endpoint. Attackers can craft malicious links containing injected JavaScript that executes in victims' browsers when opened, potentially leading to session hijacking and account takeover. The issue was fixed in version...

• SVG
• XSS
• advisories
• code injection
• reflected XSS
• squidex

Charalampos Maraziaris

Multiple security vulnerabilities were found in Snipe-IT (versions before 6.0.14), including a stored Cross-Site Scripting (XSS) flaw and a username enumeration issue. The XSS vulnerability allows attackers to inject malicious code that executes in other users' browsers, potentially leading to privilege escalation....

CENSUS

It is very often the case that critical data or critical devices are co-managed by stakeholders from different domains. Any access to such resources should ideally be transparent to all stakeholders involved, and the access itself should comply with any policies set by the resource owner(s). However, this is not what...

• ABE
• HMBAC
• access control
• attribute based encryption
• blockchain
• electron app
• hashicorp vault
• hyperledger fabric
• medical devices
• software

Angelos T. Kalaitzidis

CENSUS identified a number of NULL pointer dereference and Heap buffer overflow bugs in the radare2 project code.

• Advisories
• Bugs
• NULL pointer dereference
• buffer overflow
• memory corruption
• null
• radare2

George Poulios

CENSUS identified several integer overflow problems in the flash_read, flash_write and flash_append functions of the Microchip ASF4 framework.

• ATMEL
• Advisories
• Microchip
• embedded systems
• firmware
• flash memory
• integer overflow
• mcu

CENSUS, Sofia Tsagiopoulou

Embedded systems are special purpose systems that cover a wide range of applications, from home electronics and industrial control systems, to medical devices and avionics. The remote management & telemetry features of the so called "Internet of Things" family of embedded devices, have made them quite popular and...

• SBOM
• embedded systems
• firmware
• mcu
• security
• software component analysis

Chariton Karamitas

CENSUS identified that versions prior to 2.21.4.18 of WhatsApp for Android allowed third party apps to access WhatsApp TLS 1.2 cryptographic material, as this was stored in "app-specific external storage".

• Advisories
• SSL
• TLS
• android
• man in the disk
• man in the middle
• remote code execution
• scoped storage
• whatsapp

Chariton Karamitas

CENSUS has been investigating for some time now the exploitation potential of Man-in-the-Disk (MitD) vulnerabilities in Android. Recently, CENSUS identified two such vulnerabilities in the popular WhatsApp messenger app for Android. The first of these was possibly independently reported to Facebook and was found to be...

• CVE-2021-24027
• Noise protocol
• SSL
• Signal protocol
• TLS
• android
• boringssl
• man in the disk
• man in the middle
• openssl
• remote code execution
• scoped storage
• whatsapp

Rayd Debbas

CENSUS identified that the Canary Mail software in versions 3.20 and 3.21 (and possibly previous versions) is missing a certificate validation check when performing an IMAP connection configured with STARTTLS.

• Advisories
• Mailcore2
• SSL
• STARTTLS
• TLS
• canary mail
• certificate validation
• iOS
• imap
• macos
• man in the middle

George Poulios

CENSUS identified a buffer overflow vulnerability in the atcab_sign_base function of the cryptoauthlib library. This library is part of the standard SDK provided by Microchip and is used to drive the operation of cryptographic co-processors sold by the vendor, such as the ATECC608A.

• ATMEL
• Microchip
• advisories
• buffer overflow
• cryptographic co-processor
• embedded systems
• firmware
• mcu
• memory corruption

Aris Thallas

CENSUS identified a bug in RKP, the Samsung EL2 Hypervisor implementation. The bug allows to write the zero 64-bit value to an arbitrary memory address. For the bug to be triggered, code execution is required in the context of the EL1 kernel.

• Advisories
• RKP
• android
• hypervisor
• memory corruption
• samsung

Aris Thallas

Hello, I'm Aris Thallas, a computer security researcher working at CENSUS. Back in February 2020 I had the pleasure of presenting my work on proprietary hypervisor emulation and bug discovery at the OffensiveCon 2020 conference.

• RKP
• android
• fuzzing
• hardware emulation
• hypervisor
• offensivecon
• qemu
• samsung
• vulnerability research

Dimitrios Glynos

During the security assessment of a firmware binary a number of NULL pointer dereference bugs were found caused by newlib-nano code. newlib-nano is a C library for use on 32-bit processors that have only a few kB of memory.

• ARM
• ATMEL
• Advisories
• Microchip
• NULL pointer dereference
• embedded systems
• firmware
• libc
• newlib
• newlib-nano
• picolibc

Dimitrios Tatsis

Attending Recon 2019 was an amazing experience with many interesting talks. I would like to thank the organizers for the excellent event and I definitely hope to return next year.

• DSP
• aDSP
• android
• fuzzing
• hardware hacking
• hexagon
• trustzone

Ioannis Stais

On March 18th 2019 myself and Dimitrios Valsamaras delivered a presentation on cybersecurity vulnerabilities of "smart" fitness equipment, entitled "Hitting the Gym: The Anatomy of a Killer Workout" at the TROOPERS 2019 conference (NGI track).

• ENISA
• FDA
• IoT
• MDR
• conference
• device assessment
• gym equipment
• penetration testing
• smart fitness equipment
• talk
• troopers
• vulnerabilities

Patroklos Argyroudis

On March 20th 2019 I presented at the 2019 CanSecWest conference a talk on reverse engineering the Apple iOS sandbox kernel extension entitled Vs com.apple.security.sandbox. I really enjoyed the conference, traveling to Vancouver, and meeting a lot of people interested in my research.

Patroklos Argyroudis

The FreeBSD kernel can be debugged with the ddb(4) interactive kernel debugger. Although the latest production release of FreeBSD (7.1 at the time of this writing) adds some very useful features, ddb is still lacking the flexibility of gdb.

• debugging
• freebsd
• gdb
• kernel
• research
• vmware

Zisis Sialveras

This post provides a short summary of my conference presentations at Microsoft's BlueHat v18 (Redmond, USA) and at Black Hat Europe 2018 (London, UK) on VMware workstation exploitation.

• VMWare Workstation
• Windows 10
• exploitation
• guest-to-host escape
• microsoft windows
• virtualization
• vmware

Nikos Sampanis

Hello, I'm Nikos Sampanis, a security researcher working at CENSUS. On February 16th, 2018 I presented at OffensiveCon a talk with the title "Windows 10 RS2/RS3 GDI data-only exploitation tales". The presentation focused on a mitigation introduced in the Win32k component of Microsoft Windows to prevent the...

• GDI
• Windows 10
• Windows Kernel
• conference
• data-only attack
• heap overflow
• kernel
• offensive security
• offensivecon
• talk

George Chatzisofroniou

The recent key reinstallation attacks (KRACK) against the WPA2 protocol revealed how an adversary can easily eavesdrop, and in some cases tamper, a Wi-Fi connection secured by the WPA2 protocol. At the same time, Wi-Fi automatic association attacks achieve a similar result (man-in-the-middle position) not by attacking...

• 34c3
• android
• conference
• iOS
• known beacons
• linux
• macos
• man in the middle
• research
• wifi
• wifiphisher
• wireless penetration testing

Patroklos Argyroudis

On December 27th 2017 I presented at the 34th Chaos Communication Congress (34C3) a talk on the technical details and the process of reverse engineering and re-implementation of the evasi0n7 jailbreak's main kernel exploit, titled "iOS kernel exploitation archaeology". Actually, I gave the same talk at the WarCon...

• 34c3
• XNU
• conference
• exploitation
• heap
• iOS
• kernel
• talk
• warcon

Anestis Bechtsoudis

Google promotes the SafetyNet Attestation API as a tool to query and assess the integrity status of an Android device. The official documentation, leaves no doubt that the main purpose of the SafetyNet Attestation API is to provide device integrity information to the server counterpart of mobile applications. The...

• android
• application integrity
• attestation
• binary protections
• certificate
• certificate pinning
• device integrity
• google play
• malware
• man in the middle
• mobile apps
• safetynet
• vulnerabilities

Ioannis Stais

This blog post serves as a followup to my summer B-Sides Athens 2017 talk entitled "Lightbulb framework – shedding light on the dark side of WAFs and Filters".

• GOFA
• SFADiff
• automata learning
• bsides athens
• burp plugin
• evasion
• lightbulb framework
• machine learning
• penetration testing
• web application filter
• web application firewall

John Torakis

OpenWebif is a Web application that is used in IP TVs and media boxes to provide an easy-to-use Web Interface. It is written mostly in Python (Backend) and JavaScript (Frontend). It can be found in DreamBox devices. A vulnerability was identified in the saveConfig() function.

• Advisories
• IoT
• code injection
• dreambox
• e2openplugin
• enigma2
• eval
• iptv
• media box
• openwebif
• python
• remote code execution
• root

Patroklos Argyroudis

About four months ago (April 2017), Vasilis Tsaousoglou and myself presented our work on exploiting Android's libc allocator at the 2017 INFILTRATE conference (Miami, Florida). Since version 5.0, Android has adopted the jemalloc allocator as its default libc malloc(3) implementation. For our talk we extended our...

• android
• conference
• exploitation
• heap
• infiltrate
• jemalloc
• libc
• malloc
• release
• research
• shadow
• software
• talk

George Chatzisofroniou

Lure10 is a novel technique presented at the Hack-in-the-Box 2017 conference in Amsterdam that enables an attacker to automatically achieve a man-in-the-middle position against wireless devices running the Windows operating system. The attack requires no user interaction and exploits the "Wi-Fi Sense" feature found in...

• MITM
• commsec
• hack in the box
• hitb2017ams
• microsoft
• penetration testing
• presentation
• research
• talk
• wifi
• wifi-sense
• windows
• windows location service

Anestis Bechtsoudis

Android provides a media playback engine at the native level called Stagefright. CENSUS engineers have discovered that the MPEG-2 software decoder invoked by libstagefright has multiple stack buffer overflows at the impeg2d_vld_decode() procedure.

• Advisories
• android
• libmpeg2
• libstagefright
• stack overflow

Anestis Bechtsoudis

Android provides a media playback engine at the native level called Stagefright that comes built-in with software-based codecs for several popular media formats. Stagefright features for audio and video playback include integration with OpenMAX codecs, session management, time-synchronized rendering, transport...

• Advisories
• android
• integer overflow
• libmpeg2
• libstagefright

Zisis Sialveras

Hello readers of the CENSUS blog, my name is Zisis Sialveras and I am happy to announce today the public release of our evolutionary knowledge-based fuzzer, Choronzon.

• choronzon
• cross-platform
• evolutionary
• fuzzer
• knowledge-based

George Chatzisofroniou

My last year's talk at BSides London introduced to the public Wifiphisher, a security tool that mounts the Evil Twin attack against Wi-Fi networks. The tool has since seen some heavy use by the wireless hacking community which has inspired further research into ways of making the Evil Twin attack more effective. This...

Anestis Bechtsoudis

Android provides a media playback engine at the native level called Stagefright that comes built-in with software-based codecs for several popular media formats. Stagefright features for audio and video playback include integration with OpenMAX codecs, session management, time-synchronized rendering, transport...

• advisories
• android
• heap overflow
• libavc
• libstagefright

Ioannis Stais

Hello, my name is Ioannis Stais and I'm a security consultant at CENSUS S.A.. At this year's Infocom Mobile World Conference I did a short presentation on "Side Channel Leaks in Mobile Applications".

Stelios Tsampas

There is a (remotely exploitable) heap overflow vulnerability in Kamailio version 4.3.4 and possibly in previous versions. The vulnerability takes place in the SEAS module

• Advisories
• heap overflow
• seas
• kamailio
• voip
• sip

Anestis Bechtsoudis

Android provides a media playback engine at the native level called Stagefright that comes built-in with software-based codecs for several popular media formats. CENSUS engineers have discovered that the MPEG-2 software decoder invoked by libstagefright has an out-of-bounds read at the impeg2d_dec_user_data()...

• ,
• ,libavc,libstagefright
• advisories
• advisories,android,
• androidheap overflow
• heap overflow
• libmpeg2
• libstagefright

Anestis Bechtsoudis

Android provides a media playback engine at the native level called Stagefright that comes built-in with software-based codecs for several popular media formats.CENSUS engineers have discovered that the libavcodec H.264 software decoder invoked by libstagefright has an OOB write heap overflow at the...

• ,
• libavc
• advisories,android,
• Advisories
• libstagefright
• heap overflowlibavc
• heap overflow
• ,libstagefright
• androidheap overflow

Stelios Tsampas

A flaw in GDCM versions before 2.6.2 allows an integer overflow in the ImageRegionReader::ReadIntoBuffer function, causing a buffer overflow that attackers can trigger using specially crafted DICOM image dimensions. Because the overflow bypasses internal size checks, it can lead to memory corruption, denial of...

• ,libgdcm,
• buffer overflow
• dicom
• gdcm
• grassroots
• imaging
• integer
• medical
• overflow
• research
• vulnerability

Stelios Tsampas

GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone to an out-of-bounds read vulnerability due to missing checks.

• Advisories
• dicom
• gdcm
• grassroots dicom
• information leakage
• libgdcm
• medical imaging
• out of bounds read

Nikolaos Naziridis

CENSUS researchers Nikolaos Naziridis and Zisis Sialveras have recently presented their research on knowledge-based evolutionary fuzzing, at ZeroNights 2015 in Moscow, Russia. The talk introduced a cross-platform evolutionary fuzzing framework, that will be released as a free and open-source tool.

• choronzon
• conference
• cross-platform
• evolutionary
• fuzzing
• knowledge-based
• talk
• zeronights

Anestis Bechtsoudis

In the aftermath of the recent Android stagefright vulnerabilities, efficient fuzz testing techniques and tools for the Android ecosystem are again in the spotlight. In this post we would like to share some of the fuzz testing experience we have gained through our projects and show how it can be applied in the Android...

• android
• fuzzer
• fuzzing
• honggfuzz
• open source

George Chatzisofroniou

Hello. My name is George Chatzisofroniou (@_sophron) and I work as a security engineer at CENSUS. This summer I gave a talk at BSides London. The talk was called 'Introducing wifiphisher, a tool for automated WiFi phishing attacks' and revolved around the recently published tool.

• bsides london
• conference
• evil twin
• karma
• phishing
• talk
• wifi
• wifiphisher

Anestis Bechtsoudis

Hello, my name is Anestis Bechtsoudis and I'm a security engineer at CENSUS. I recently gave a talk on Android ART runtime fuzzing techniques at the Hack-in-the-Box 2015 Amsterdam security conference. The talk entitled "Fuzzing Objects d'ART — Digging Into the New Android L Runtime Internals", analyzed a series of DEX...

• android
• art runtime
• dex
• fuzzing
• hack in the box
• hitb2015ams

Patroklos Argyroudis

About two months ago (April 15th 2015) I visited Miami and presented at the INFILTRATE Security Conference a talk on Firefox heap exploitation, titled "OR'LYEH? The Shadow over Firefox". The organization of the conference was flawless and the people I met there were amazing. A special thank you to the Immunity team...

• conference
• exploitation
• firefox
• heap
• infiltrate
• jemalloc
• talk

Andrzej Dyjak

Hello, my name is Andrzej Dyjak and I'm part of the research team here at CENSUS. A few weeks ago (on May 26th) I gave a talk titled "DTrace + OS X = Fun" at CONFidence 2015 in which I have described how DTrace can be used in order to ease various tasks within the realm of dynamic analysis on the OS X platform.

Patroklos Argyroudis

I recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 (Moscow, Russia) and BalCCon 2014 (Novi Sad, Serbia). The talk titled "Project Heapbleed", collected the experience of exploiting allocators in various different target applications and platforms. The talk focused...

• balccon
• conference
• exploitation
• heap
• memory corruption
• talk
• zeronights

Nikolaos Naziridis

Hello, my name is Nikos Naziridis and I am a security researcher at CENSUS. In this post, I will present how SystemTap and kernel instrumentation in general, could be used to aid the process of determining the exploitability of unbound memory overflows and the detection of thread race condition bugs.

• exploitability
• linux
• race condition
• systemtap
• unbound overflows

CENSUS

An information exposure flaw in Oracle WebCenter (Fusion Middleware 11.1.1.7 and 11.1.1.8) allows an unauthenticated attacker to access user profile data — including usernames, emails, phone numbers, and files — by abusing a default WebCenter account. Tracked as CVE‑2014‑0450, the issue enables full enumeration of...

• ,oracle,
• ,vulnerability,webcenter
• advisories,
• exposure
• information
• privacy
• violation

Patroklos Argyroudis

The slides from my short presentation on "How to enhance penetration testing through vulnerability research" from the 3rd Infocom Security conference, are now available here (in Greek).

• conference
• infocom security
• penetration testing
• talk
• vulnerability research

Patroklos Argyroudis

This year's OWASP AppSec Research conference took place in Athens, Greece and we were planning to be there as participants. However, the day before the conference, Konstantinos Papapanagiotou (General Chair) asked if we could do a presentation to replace a cancelled talk. Myself and Chariton Karamitas agreed to help...

• abstraction
• conference
• exploitation
• heap
• owasp
• talk

Patroklos Argyroudis

This year we have presented our jemalloc exploitation research work at Black Hat USA 2012, the leading information security conference. Our researchers Patroklos Argyroudis and Chariton Karamitas visited Caesar's Palace at Las Vegas, Nevada and delivered the talk.

• black hat
• conference
• exploitation
• firefox
• heap
• jemalloc
• las vegas
• talk

Patroklos Argyroudis

In anticipation of Dan Rosenberg's talk on exploiting the Linux kernel's SLOB memory allocator at the Infiltrate security conference and because I recently had a discussion with some friends about the different kernel memory allocators in Linux, I decided to write this quick introduction. I will present some of the...

• exploitation
• heap
• kernel
• linux
• slab
• slob
• slub

CENSUS

A blind SQL injection flaw in Netvolution v2.5.8 (ASP) allows attackers to inject arbitrary SQL commands through the HTTP Referer header. Because the CMS fails to sanitize this header, an unauthenticated attacker can extract database contents, modify site data, inject malicious JavaScript, harvest CMS usernames and...

• ,vulnerability
• advisories
• injection
• netvolution
• referer
• sql

Nikolaos Tsagkarakis

CENSUS has participated once again at AthCon, the leading technical IT security conference in Greece. Our work entitled "Introducing the Parasite" presented a small device that is capable of creating a physical backdoor in an otherwise protected network.

• athcon
• conference
• parasite
• pentest
• security
• talk

Patroklos Argyroudis

Black Hat Europe 2011 is now over and we are very happy to have participated once again in the best European IT security conference!

• android
• black hat
• canary
• conference
• freebsd
• gs
• iphone os
• kernel
• kernel pool
• linux
• macos
• memory corruption
• null page
• protection
• red zone
• safe unlinking
• security
• talk
• windows

Patroklos Argyroudis

.3‑RELEASE, and 8.0Short description:** Two improper input‑validation flaws in the FreeBSD NFS client (versions 7.2‑RELEASE, 7.3‑RELEASE, and 8.0‑RELEASE) allow local unprivileged users to trigger kernel stack and kernel heap overflows through crafted arguments to the mount(2) and nmount(2) system calls when...

• ,freebsd,kernel,nfsclient,research,vulnerability
• advisories,
• buffer
• overflow

Patroklos Argyroudis

In my recent Black Hat Europe 2010 talk I gave an overview of the kernel exploitation prevention mechanisms that exist on FreeBSD. A few people at the conference have subsequently asked me to elaborate on the subject. In this post I will collect all the information from my talk and the various discussions I had in the...

• canary
• freebsd
• kernel
• research
• ssp

Patroklos Argyroudis

Black Hat Europe 2010 is now over and after a brief ash cloud caused delay I am back in Greece. It has been a great conference, flawlessly organised and with many outstanding presentations. I would like to thank everyone that attended my presentation but also all the kind people that spoke to me before and afterwards....

• black hat
• conference
• freebsd
• security
• talk

Patroklos Argyroudis

A flaw in Monkey HTTPd versions 0.9.2 and earlier allows remote attackers to crash worker threads by sending HTTP requests with malformed Connection headers. Due to improper input validation and incorrect buffer‑end calculations in Request_Find_Variable(), certain crafted request bodies trigger signedness and...

• ,research,vulnerability
• advisories
• httpd
• imporper
• input
• monkey
• validation

Patroklos Argyroudis

A flaw in the CoreHTTP web server (versions 0.5.3.1 and earlier) allows remote attackers to trigger an off‑by‑one stack buffer overflow during parsing of malformed HTTP method names or URIs. Because the server's sscanf() call writes a full 256 bytes into 256‑byte buffers without ensuring NULL‑termination, crafted...

• ,corehttp,research,vulnerability
• advisories
• buffer
• overflow

Patroklos Argyroudis

An off‑by‑two stack buffer overflow in the Linux SUNRPC subsystem (kernel versions 2.6.32 through 2.6.32‑rc7) allows out‑of‑bounds writes in the function rpc_uaddr2sockaddr() when processing universal address strings of maximum length. Because the function writes two bytes past the end of a fixed‑size stack buffer, a...

• ,kernel,linux,research,sunrpc,vulnerability
• advisories,
• buffer
• overflow

Patroklos Argyroudis

A stack‑based buffer overflow in gif2png (versions 2.5.1 and earlier) allows attackers to overwrite memory by supplying an overly long filename on the command line. Because the program uses an unsafe strcpy() into a fixed‑size buffer, crafted input can cause a crash or potentially enable remote code execution when...

• ,cgi,research,vulnerability
• advisories,
• buffer
• overflow

Patroklos Argyroudis

Yesterday I helped my friend kargig to analyse a rootkit he has recovered from a compromised Linux system. You can find the complete write-up at his blog.

• incident
• ld-linuxvso1
• linux
• rootkit

Patroklos Argyroudis

About four months ago I developed a reliable exploit for vulnerability CVE-2008-3531, which is also addressed in the advisory FreeBSD-SA-08:08.nmount. In this post I will use this vulnerability to provide an overview of the development process for FreeBSD kernel stack exploits.

• freebsd
• kernel
• research
• vulnerability

CENSUS

A path‑sanitization flaw in Rasterbar libtorrent (versions 0.14.3 and earlier) allows attackers to craft malicious multi‑file .torrent metadata that includes directory components containing embedded relative paths (e.g., "../../"). Because libtorrent only checks for exact ".." matches, these malformed elements bypass...

• ,
• ,research,vulnerability
• advisories,
• file
• libtorrent
• overwrite
• rasterbar

Patroklos Argyroudis

Last May (2008-05-30) I presented my research on FreeBSD kernel stack overflows at the University of Piraeus Software Libre Society, Event #16: Computer Security. The slides from the talk are now available in our research section.

• freebsd
• kernel
• research
• talk

CENSUS

A vulnerability in older Debian GNU libc (libc6 ≤ 2.7) caused stack protection (SSP / -fstack-protector) to use a fixed, predictable canary value (0xff0a0000) instead of a random one. Normally, stack canaries are randomized at runtime to prevent attackers from guessing them during buffer overflow attacks. However,...

• ,research,ssp
• advisories
• canary
• debian
• gcc
• gnu
• libc