Latest from CoreLabs

Read blog posts from CoreLabs, the research division of Core Security. CoreLabs prides itself on taking a holistic view of information security with a focus on developing solutions to complex, real-world security problems that affect our customers.

Introduction: In this blog post, we will cover the analysis and exploitation of a simple heap buffer overflow found in SAPCAR a few weeks ago. SAP published security note #2441560 classifying the issue as "Potential Denial of Service". This post is our attempt to show…

During the past few years, there has been an increasing amount of research around Kerberos security, leading to the discovery of very interesting attacks against environments supporting this authentication protocol. In this blog post, I will cover some findings (and still remaining open questions)…

On November 8, 2016, Microsoft released a security update for Windows Authentication Methods (MS16-137) which included three CVEs: Virtual Secure Mode Information Disclosure Vulnerability (CVE-2016-7220), Local Security Authority Subsystem Service Denial of Service Vulnerability (CVE-2016-7237), and Windows NTLM Elevation of Privilege Vulnerability (CVE-2016-7238). Talking specifically about CVE-2016-7237, this…

I started this research trying to simplify the techniques used during a Wi-Fi pen-test. The idea was to play with WIWO, a tool released by Core Security last year, in order to make a transparent channel between a network interface located in my…

Continuing with my Getting Physical blog posts series (CanSec2016’s presentation), in this third episode I’m going to talk about how Windows Paging is related to the HAL's heap and how it can be abused by kernel exploits. This is probably the simplest way of abusing Windows paging structures, because deep…

You may think that July is a little early to publish a “best of” blog but we thought, why wait? Our Core Labs team is busy working on new vulnerabilities, patches, and exploits but we wanted to take a minute and review all…

On April 12, 2016, Microsoft released 13 security bulletins. In this blog post I'm going to talk about how I triggered and exploited CVE-2016-0165, one of the MS16-039 fixes. Diffing Stage: For MS16-039, Microsoft released a fix for all Windows versions, both 32-bit and 64-bit. Four…

Continuing with the previous Getting Physical blog posts series (CanSec2016's presentation), this time I'm going to talk about what paging implementation has been chosen by Windows and how it works. At the same time and according to Alex Ionescu's blog post, it's interesting to see that Microsoft has started…

This is the second installment of a blog series titled "Exploiting Internet Explorer's MS15-106". If you haven't read part one, I recommend you do so before starting with this second part. As mentioned in the previous blog post, on October 13, 2015, Microsoft…

On October 13, 2015, Microsoft published security bulletin MS15-106, addressing multiple vulnerabilities in Internet Explorer. Zero Day Initiative published advisory ZDI-15-521 for one of those vulnerabilities affecting IE: Microsoft Windows VBScript Filter Function Remote Code Execution Vulnerability (CVE-2015-6055), so I decided to…
