--- a/slides/slides03.tex Sat Oct 03 20:31:57 2015 +0100
+++ b/slides/slides03.tex Mon Oct 05 05:20:07 2015 +0100
@@ -34,112 +34,6 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-
-\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (4.7,1) node {Internet};
- \draw (-2.7,1.7) node {\footnotesize Application};
- \draw (0.6,1.7) node {\footnotesize Interface};
- \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
-
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
- \end{tikzpicture}
-\end{center}
-
-\begin{itemize}
-\item the idea is make the attack surface smaller and
-mitigate the consequences of an attack
-\item you need an OS that supports different roles (root vs.~users)
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{Weaknesses of Unix AC}
-
-\begin{itemize}
-\item if you have too many roles (for example too finegrained AC), then
- hierarchy is too complex\medskip\\ \textcolor{gray}{you invite situations
- like\ldots let's be root}\bigskip
-
-\item you can still abuse the system\ldots
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-
-The idea is to trick a privileged person to do something on your
-behalf:
-
-\begin{itemize}
-\item root:\\\texttt{rm /tmp/*/*}\bigskip\bigskip\pause
-
-\small
-\begin{minipage}{1.1\textwidth}
-\textcolor{gray}{the shell behind the scenes:}\\
-\textcolor{gray}{\texttt{rm /tmp/dir$_1$/file$_1$ /tmp/dir$_1$/file$_2$ /tmp/dir$_2$/file$_1$ \ldots}}\bigskip\\
-
-\textcolor{gray}{this takes time}
-\end{minipage}
-\end{itemize}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[c]
-\frametitle{A ``Cron''-Attack}
-
-\begin{enumerate}
-\item attacker \textcolor{gray}{(creates a fake passwd file)}\\
-\texttt{mkdir /tmp/a; cat > /tmp/a/passwd}\medskip
-\item root \textcolor{gray}{(does the daily cleaning)}\\
-\texttt{rm /tmp/*/*}\medskip\\
-\hspace{2cm}\textcolor{gray}{records that \texttt{/tmp/a/passwd}}\\
-\hspace{2cm}\textcolor{gray}{should be deleted, but does not do it yet}\medskip\\
-
-\item attacker \textcolor{gray}{(meanwhile deletes the fake passwd file, and establishes a link to
-the real passwd file)}\\
-\texttt{rm /tmp/a/passwd; rmdir /tmp/a;}\\\texttt{ln -s /etc /tmp/a}\\
-\item root now deletes the real passwd file
-\end{enumerate}
-
-\only<2>{
-\begin{textblock}{11}(2,5)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\normalsize\color{darkgray}
-\begin{minipage}{9.5cm}\raggedright
-To prevent this kind of attack, you need additional
-policies (don't do such operations as root).
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
-
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{\Large Buffer Overflow Attacks}
@@ -148,10 +42,10 @@
\begin{columns}[b]
\begin{column}{.4\textwidth}
\centering
-\includegraphics[scale=1.2]{../pics/barrier.jpg}\\
+\includegraphics[scale=0.3]{../pics/barrier.jpg}\\
lectures so far
\end{column}
-\begin{column}<2>{.4\textwidth}
+\begin{column}{.4\textwidth}
\centering
\includegraphics[scale=0.32]{../pics/trainwreck.jpg}\\
today
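Review bot: The two `\includegraphics` calls in this `columns` block size their pictures with absolute `scale=` factors (`scale=0.3` and `scale=0.32`), which is why the first one had to be retuned from 1.2 to 0.3 in this commit; since each sits in a `.4\textwidth` column, `\includegraphics[width=\linewidth]{../pics/barrier.jpg}` gives a size that follows the column and does not depend on the source image's pixel dimensions. Dropping `<2>` from the second column also removes the step-wise reveal, so `\begin{column}{.4\textwidth}` now shows both pictures on the first slide; fine if intended, but worth confirming since the rest of the deck uses overlays. The `columns` environment continues past the hunk.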
@@ -162,13 +56,13 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Smash the Stack for Fun\ldots}
\begin{itemize}
-\item {\bf Buffer Overflow Attacks} or\\ {\bf Smashing the Stack Attacks}\medskip
+\item {\bf Buffer Overflow Attacks} or\\
+{\bf Smashing the Stack Attacks}\medskip
\item one of the most popular attacks, unfortunately\\
($>$ 50\% of security incidents reported at CERT are related
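Review bot: The re-wrapped first item still uses the plain-TeX font groups `{\bf Buffer Overflow Attacks}` and `{\bf Smashing the Stack Attacks}`; since these lines are being touched anyway, the LaTeX form is `\item \textbf{Buffer Overflow Attacks} or\\` followed by `\textbf{Smashing the Stack Attacks}\medskip`. The itemize and the frame continue past the end of the hunk.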
@@ -205,7 +99,7 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{Printing Out Zombies}
+\frametitle{Printing Out ``Zombies''}
\mbox{}\\[-10mm]
\footnotesize
@@ -254,8 +148,8 @@
\frametitle{Memory}
\begin{itemize}
-\item each process will get a chunk of memory that is organised as
-follows:
+\item each process will get a chunk of memory that is
+ organised as follows:
\end{itemize}
\begin{center}
@@ -458,6 +352,43 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[c]
+\frametitle{Optimising Success}
+
+\begin{center}
+\begin{tabular}{l@{\hspace{2cm}}l}
+ \begin{tikzpicture}[scale=0.6]
+ \draw[line width=1mm] (-2, -1) rectangle (2,3);
+ \draw[line width=1mm,fill=blue!30] (-2, 1.9) rectangle (2,3);
+ \draw (0,2.5) node {\small\tt shell code};
+ \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
+ \draw[->,line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
+ (-3,-1.7) -- (-3, 3.7) -- (-1.9, 3.7) -- (-1.9, 3.1);
+ \end{tikzpicture}
+&
+ \onslide<2>{
+ \begin{tikzpicture}[scale=0.6]
+ \draw[gray!50,fill=red!30] (-2,0.3) rectangle (2,3);
+ \draw[line width=1mm] (-2, -1) rectangle (2,3);
+ \draw[line width=1mm,fill=blue!30] (-2, 0.3) rectangle (2, -0.7);
+ \draw (0,-0.2) node {\small\tt shell code};
+ \draw[line width=1mm,fill=black] (0.3, -1) rectangle (2,-0.7);
+ \draw [line width=0.5,decoration={brace,amplitude=2mm},decorate]
+ (2.3,3) -- (2.3,0.3);
+ \draw[line width=0.3mm] (1.05, -1) -- (1.05,-1.7) --
+ (3,-1.7) -- (3,1.65) -- (2.6, 1.65);
+ \end{tikzpicture}}
+\end{tabular}
+\end{center}\bigskip
+
+\onslide<2>{
+fill up the red part of the string with \pcode{NOP} operations
+(Intel \texttt{$\backslash$x90})}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
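Review bot: The new frame labels both diagrams with `\small\tt shell code`; `\tt` is the plain-TeX font switch, so `\small\ttfamily shell code` (or `\texttt{shell code}`) is the LaTeX form, which the same frame already uses further down. `\texttt{$\backslash$x90}` sets the backslash in the math font rather than in typewriter, so the byte literal changes face mid-token; `\texttt{\textbackslash x90}` keeps it in one face. The caption's `\onslide<2>{...}` is unmatched by any `\pause`, so the second overlay exists only because of the `\onslide<2>` specs themselves; a short `% overlay 2: reveal padded variant` comment would make that intent visible to the next editor.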
@@ -476,8 +407,6 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Format String Vulnerability}
@@ -539,68 +468,100 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
-\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-
+\frametitle{NIST Statistics about BOA}
\begin{center}
- \begin{tikzpicture}[scale=1]
-
- \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
- \draw (4.7,1) node {Internet};
- \draw (-2.7,1.7) node {\footnotesize Application};
- \draw (0.6,1.7) node {\footnotesize Interface};
- \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
- \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+\begin{tikzpicture}
+\begin{axis}[
+ xlabel={year},
+ ylabel={\% of total attacks},
+ ylabel style={yshift=0em},
+ enlargelimits=false,
+ xtick={1997,1999,2001,...,2015},
+ xmin=1996.5,
+ xmax=2016,
+ ymax=21,
+ ytick={0,5,...,20},
+ scaled ticks=false,
+ axis lines=left,
+ width=11cm,
+ height=5cm,
+ ybar,
+ nodes near coords=
+ {\footnotesize
+ $\pgfmathprintnumber[fixed,fixed zerofill,precision=1,use comma]{\pgfkeysvalueof{/data point/y}}$},
+ x tick label style={font=\footnotesize,/pgf/number format/1000 sep={}}]
+\addplot
+ table [x=Year,y=Percentage] {../handouts/bufferoverflows.data};
+\end{axis}
+\end{tikzpicture}
+\end{center}
- \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
+from the US National Vulnerability Database\\
+\small\url{http://web.nvd.nist.gov/view/vuln/statistics}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
- \draw[white] (1.7,1) node (X) {};
- \draw[white] (3.7,1) node (Y) {};
- \draw[red, <->, line width = 2mm] (X) -- (Y);
-
- \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
- \end{tikzpicture}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+\frametitle{D-Link Wifi Router, BOA}
+\small
+
+As a proof-of-concept, the following URL allows
+attackers to control the return value saved on
+the stack (the vulnerability is triggered when
+executing \pcode{"/usr/sbin/widget"}):
+
+\begin{center}\footnotesize
+\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
\end{center}
-\begin{itemize}
-\item the idea is make the attack surface smaller and mitigate the
- consequences of an attack
-\end{itemize}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+The value of the "hash" HTTP GET parameter consists of
+292 occurrences of the \pcode{'A'} character, followed by four
+occurrences of character \pcode{'B'}. In our lab setup, characters
+\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\mode<presentation>{
-\begin{frame}[c]
-\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}}
+\begin{tabular}{@{}ll}
+Discovery date: & 06/03/2013\\
+Release date: & 02/08/2013
+\end{tabular}\bigskip
-\begin{itemize}
-\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
-\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
-\item \texttt{mkdir foo} is owned by root\medskip
-\begin{center}
-\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
-\end{center}\medskip
-it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
-\end{itemize}
+\footnotesize
+\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+\frametitle{GHOST in Glibc}
+
+\small The GHOST vulnerability is a buffer overflow condition
+that can be easily exploited locally and remotely. This
+vulnerability is named after the GetHOSTbyname function
+involved in the exploit.\medskip
-\only<5->{
-\begin{textblock}{1}(3,7)
-\begin{tikzpicture}
-\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
-{\begin{minipage}{8cm}
-Only failure makes us experts.
- -- Theo de Raadt (OpenBSD, OpenSSH)
-\end{minipage}};
-\end{tikzpicture}
-\end{textblock}}
+The attack allows the attacker to execute arbitrary code and
+take control of the victim’s vulnerable machine.
+Unfortunately, the vulnerability exists in the GNU C Library
+(glibc), a code library originally released in 2000, meaning
+it has been widely distributed. Although an update released by
+Linux in 2013 mitigated this vulnerability, most systems and
+products have not installed the patch.\medskip
+
-\end{frame}}
+\begin{tabular}{@{}ll}
+Release date: & 01/28/2015
+\end{tabular}\smallskip
+
+
+\footnotesize
+\hfill\url{https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability}
+\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
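Review bot: The y-axis label `ylabel={\% of total attacks}` does not describe the plotted source: the NVD statistics page cited under the chart counts published vulnerability entries per year, not observed attacks, so `ylabel={\% of reported vulnerabilities}` would be accurate (and the title's "BOA" then reads as buffer-overflow vulnerabilities). The `nodes near coords` number format passes `use comma`, which prints a decimal comma on otherwise English-language slides; dropping that key keeps the decimal point. On the D-Link frame, `"hash"` uses straight ASCII quotes where the deck uses LaTeX quotes (as in ``Zombies'' on the Printing Out frame). The GHOST frame's prose reads like text taken from the linked Qualys post but, unlike the D-Link Backdoors and chkrootkit frames that this commit moves into slides04, is not set in a `quote` environment; marking it as a quotation would also make clear that "an update released by Linux in 2013" is the source's wording, the fix it refers to being a glibc release as the previous sentence itself states.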
--- a/slides/slides04.tex Sat Oct 03 20:31:57 2015 +0100
+++ b/slides/slides04.tex Mon Oct 05 05:20:07 2015 +0100
@@ -69,93 +69,73 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-\frametitle{D-Link Wifi Router, BOA}
-\small
-
-As a proof-of-concept, the following URL allows
-attackers to control the return value saved on
-the stack (the vulnerability is triggered when
-executing \pcode{"/usr/sbin/widget"}):
-
-\begin{center}\footnotesize
-\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
-\end{center}
-
-The value of the "hash" HTTP GET parameter consists of
-292 occurrences of the \pcode{'A'} character, followed by four
-occurrences of character \pcode{'B'}. In our lab setup, characters
-\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip
-
-
-\begin{tabular}{@{}ll}
-Discovery date: & 06/03/2013\\
-Release date: & 02/08/2013
-\end{tabular}\bigskip
-
-
-\footnotesize
-\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt}
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-\frametitle{D-Link Backdoors}
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
-D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip
-\begin{quote}\rm\small
-If you tell your browser to identify itself as Joel's backdoor, instead of (say)
-as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
+\begin{center}
+ \begin{tikzpicture}[scale=1]
-"What is this string," I hear you ask?
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+ \draw (4.7,1) node {Internet};
+ \draw (-2.7,1.7) node {\footnotesize Application};
+ \draw (0.6,1.7) node {\footnotesize Interface};
+ \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+ \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+
+ \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
-You will laugh: it is\pause
-
-\begin{center}\large
-\pcode{xmlset_roodkcableoj28840ybtide}
+ \draw[white] (1.7,1) node (X) {};
+ \draw[white] (3.7,1) node (Y) {};
+ \draw[red, <->, line width = 2mm] (X) -- (Y);
+
+ \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+ \end{tikzpicture}
\end{center}
-\end{quote}\bigskip\bigskip
-\hfill\footnotesize October 15, 2013\\
-\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
+\begin{itemize}
+\item the idea is make the attack surface smaller and mitigate the
+ consequences of an attack
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-
-CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}}
-\begin{quote}\rm\small
-Hi,
-
-we just found a serious vulnerability in the chkrootkit package, which
-may allow local attackers to gain root access to a box in certain
-configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce:
\begin{itemize}
-\item Put an executable file named \pcode{update} with non-root owner in
-\pcode{/tmp} (not mounted noexec, obviously)
-\item Run chkrootkit (as uid \pcode{0})
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
\end{itemize}
-Result: The file \pcode{/tmp/update} will be executed as root, thus effectively
-rooting your box, if malicious content is placed inside the file.
+\only<5->{
+\begin{textblock}{1}(3,7)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+ -- Theo de Raadt (OpenBSD, OpenSSH)
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
-If an attacker knows you are periodically running chkrootkit (like in
-\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may
-easily take advantage of this.
-\end{quote}
-\mbox{}\\[-10mm]
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}
+
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]
\frametitle{Unix-Style Access Control}
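Review bot: The bullet `\item the idea is make the attack surface smaller and mitigate the` in the moved Privilege Separation frame is missing a word; it should read `\item the idea is to make the attack surface smaller and mitigate the`. The copy of this frame that the same commit deletes from slides03 (its first hunk) also carried a second bullet, `\item you need an OS that supports different roles (root vs.~users)`, which does not travel with the frame here; if the move was meant to keep it, it is lost. The Infamous Security Flaws title uses `@ {}c@ {}` with spaces inside the column spec, which works but is normally written `@{}c@{}` as in the tabulars elsewhere in the commit.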
@@ -302,6 +282,63 @@
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+\frametitle{D-Link Backdoors}
+
+D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip
+
+\begin{quote}\rm\small
+If you tell your browser to identify itself as Joel's backdoor, instead of (say)
+as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
+
+"What is this string," I hear you ask?
+
+You will laugh: it is\pause
+
+\begin{center}\large
+\pcode{xmlset_roodkcableoj28840ybtide}
+\end{center}
+\end{quote}\bigskip\bigskip
+
+\hfill\footnotesize October 15, 2013\\
+\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+
+CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip
+
+\begin{quote}\rm\small
+Hi,
+
+we just found a serious vulnerability in the chkrootkit package, which
+may allow local attackers to gain root access to a box in certain
+configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce:
+
+\begin{itemize}
+\item Put an executable file named \pcode{update} with non-root owner in
+\pcode{/tmp} (not mounted noexec, obviously)
+\item Run chkrootkit (as uid \pcode{0})
+\end{itemize}
+
+Result: The file \pcode{/tmp/update} will be executed as root, thus effectively
+rooting your box, if malicious content is placed inside the file.
+
+If an attacker knows you are periodically running chkrootkit (like in
+\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may
+easily take advantage of this.
+\end{quote}
+\mbox{}\\[-10mm]
+
+\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[c]