Latest from CoreLabs

Read blog posts from CoreLabs, the research division of Core Security. CoreLabs prides itself on taking a holistic view of information security with a focus on developing solutions to complex, real-world security problems that affect our customers.

I started this research trying to simplify the techniques used during a WIFI pen-test. The idea was to play with WIWO, a tool released by Core Security last year, in order to make a transparent channel between a network interface located in my…


Continuing with my Getting Physical blog posts series (CanSec2016’s presentation), in this third episode I’m going to talk about how Windows Paging is related to the HAL's heap and how it can be abused by kernel exploits. This is probably the simplest way of abusing Windows paging structures, because…


You may think that July is a little early to publish a “best of” blog but we thought, why wait? Our Core Labs team is busy working on new vulnerabilities, patches, and exploits but we wanted to take a minute and review all…


Continuing with the previous Getting Physical blog posts series (CanSec2016's presentation), this time I'm going to talk about what paging implementation has been chosen by Windows and how it works. At the same time and according to Alex Ionescu's blog post, it's interesting to see that Microsoft has…


This is the second installment of a blog series titled "Exploiting Internet Explorer's MS15-106". If you haven't read part one, I recommend you do so before starting with this second part. As mentioned in the previous blog post, on October 13, 2015…


On October 13, 2015 Microsoft published security bulletin MS15-106, addressing multiple vulnerabilities in Internet Explorer. Zero Day Initiative published advisory ZDI-15-521 for one of those vulnerabilities affecting IE: Microsoft Windows VBScript Filter Function Remote Code Execution Vulnerability (CVE-2015-6055), so I decided to…


Vulnerability Overview: After Adobe released a patch for this vulnerability, it was made public that this bug was already being exploited in the wild by some exploit kits like Angler and Nuclear Pack. This vulnerability is about an integer overflow in Adobe Flash Player…


On September 8, 2015 Microsoft published security bulletin MS15-100, which fixed a remote code execution vulnerability in Windows Media Center when opening specially crafted Media Center link (.MCL) files. The MCL file format is based on XML; an MCL file can be as…


Every once in a while I get to work on something special, something that leaves me with the keys to open new doors. Introduction: Not long ago I came across a certain font-related vulnerability; it was a 0day being exploited in the wild. The…


On August 11, 2015 Microsoft released 14 security fixes, including an SMB Server fix. In this post I'll explain how I triggered the SMB Server bug. Microsoft Security Bulletin MS15-083: Of all the available patches, I focused on this one: Server Message Block Memory Corruption Vulnerability - CVE-2015-2474 "An authenticated remote…
