ECL Labs
security releases directly to your bloodstream

<h2>MetaBreaking MetaTrader (and FXCM Trading Station too!)</h2>
<p>Security in proprietary financial application stacks is something the security community rarely talks about. Whether because such setups are difficult to obtain access to, or because they are not in widespread use, basic security issues in these platforms have mostly flown under the radar.</p>
<p>Today, we would like to announce the slides from our PacSec 2013 talk on the state of affairs in proprietary FOREX trading platforms. In our research, we discovered several vulnerabilities and design issues in the way MetaQuotes MetaTrader 4 and FXCM’s Trading Station (and its SDK) communicate over the internet, transmit credentials and authenticate to their respective services.</p>
<p>The slides can be downloaded from <a href="/papers/metabreaking-mt4-v6.pdf">here</a>. Thanks to everyone who attended, gave us feedback and bought us beer!</p>

<h2>Roboo - HTTP Robot Mitigator released!</h2>
<p>We’re happy to announce the release of Roboo - the first and most advanced open-source HTTP robot mitigator of its kind!</p>
<p>Roboo uses advanced non-interactive HTTP challenge/response mechanisms to detect and subsequently mitigate HTTP robots by verifying that the client side actually implements HTTP, HTML, DOM, JavaScript and Flash stacks.</p>
<p>This depth of verification weeds out the large majority of HTTP robots, which do not use real browsers or implement full browser stacks, and so mitigates a range of web threats:</p>
<ul>
<li>HTTP denial-of-service tools - e.g. Low Orbit Ion Cannon</li>
<li>Vulnerability scanning - e.g. Acunetix Web Vulnerability Scanner, Metasploit Pro, Nessus</li>
<li>Web exploits</li>
<li>Automatic comment posters/comment spam, as a replacement for conventional CAPTCHA methods</li>
<li>Spiders, crawlers and other robotic evil</li>
</ul>
<p>You can find the first public version <a href="/code/Roboo-0.50-BH.tar.gz">here</a>. For more information, refer to the presentation “Building Floodgates: Cutting-Edge Denial of Service Mitigation” given at Black Hat Europe 2011 (<a href="/papers/yg-ab-building_floodgates.pptx">slides</a>) and the Roboo source code repository.</p>

<h2>A tool for creating IDS/IPS signatures for SMTP based worms</h2>
<p><strong>Worminator</strong> (<a href="/code/Worminator-src.tgz">source</a> &amp; <a href="/code/Worminator-bin.tgz">binary</a>) - a Win32 tool that eases and automates the process of creating IDS/IPS signatures for SMTP-based worms. It provides a comfortable GUI and supports raw base64 variants and Snort signatures. Written in Delphi.</p>

<h2>PoC exploit for the NetFilter SNMP ALG helper DoS vulnerability</h2>
<p>Proof-of-concept <a href="/code/ecl-nf-snmpwn.c">exploit code</a> for the double-free vulnerability in NetFilter’s <code class="language-plaintext highlighter-rouge">snmp_trap_decode()</code> function in Linux kernels and older, which causes a kernel panic (CVE-2006-2444).</p>

<h2>NIDS polymorphic evasion - The End?</h2>
<p>Today’s Network Intrusion Detection Systems, alarmed by the dangers of polymorphic shellcode, try to detect it using desperate methods that eat up CPU cycles. This is done so that the claim can be made that such NIDS foil even the most devious crackers. The truth of the matter is, they don’t.</p>
<p><a href="/papers/ecl-poly.txt">This paper</a> demonstrates the weaknesses in today’s polymorphism detection methods and explores techniques to exploit them. The accompanying ECL-Polynop tool can be obtained from <a href="/code/ecl-poly.tar.gz">here</a>.</p>

<h2>Exploit for a stack-based buffer overflow in MySQL MaxDB</h2>
<p>An <a href="/code/ecl-maxdb.c">exploit</a> for the vulnerability in MySQL MaxDB and earlier that is triggered by an HTTP GET request with a long file parameter following a percent (“%”) character (CVE-2005-0684).</p>

<h2>PoC remote DoS code for MS05-019</h2>
<p>Proof-of-concept <a href="/code/ecl-winipdos.c">exploit code</a> for the IP options parsing off-by-one vulnerability in Microsoft Windows, described in MS05-019, “Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service” (CVE-2005-0048).</p>

<h2>Exploit code for Exim's SPA vulnerability</h2>
<p>Release of <a href="/code/ecl-eximspa.c">exploit code</a> for a buffer bounds-checking vulnerability in Exim’s SPA authentication routines (CVE-2005-0022).</p>

<h2>Advisory for privilege escalation vulnerabilities in W-Channel embedded Linux</h2>
<p>TC-IDE’s W-Channel embedded Linux contains multiple local vulnerabilities in versions prior to v1.54. The advisory is <a href="/advisories/ecl-channel.adv">here</a>.</p>