Security Techniques

Xen exploitation part 3: XSA

Xen exploitation part 3: XSA: This is the last part of our blog post series about Xen security [1] [2]. This time we write about a vulnerability we found, XSA-182 [0] (CVE-2016-6258), and its exploitation on the Qubes OS project [3].

We first explain the methodology used to find the vulnerability and then the exploitation specificity on Qubes OS.

We would like to emphasize that the vulnerability is not in the code of Qubes OS itself. But since Qubes OS relies on the Xen hypervisor, it is affected by it. More information is provided in Qubes Security Bulletin #24 [8].


Xen exploitation part 2: XSA

Xen exploitation part 2: XSA: This blog post describes the exploitation of Xen Security Advisory 148 (XSA-148) [1] (CVE-2015-7835). It was discovered by Shangcong Luan of Alibaba and publicly disclosed in October 2015. At the time, we were working on writing an exploit and no public proof of concept or exploit was available. Since then, the security researcher responsible for the disclosure has given a public talk [6] and will give further conferences explaining his approach [7]. We decided to publish this blog post anyway because our exploitation strategy is a little different.


Xen exploitation part 1: XSA

Xen exploitation part 1: XSA: This blog post describes the exploitation of Xen Security Advisory 105 (XSA-105) [1] (CVE-2014-7155).

We are not aware of any public exploit for this vulnerability, although Andrei Lutas wrote excellent articles [2] [3] [4] describing the root cause of the vulnerability and how to trigger it. This post explains the environment setup and shows the development of a fully working exploit on Linux 4.4.5 (it probably works with many other versions).


Advanced Exploitation: Xen Hypervisor VM Escape

Advanced Exploitation: Xen Hypervisor VM Escape: Xen is a widely used virtualization platform powering some of the largest clouds in production today.

For the purpose of cloud platform security reinforcement, our team has looked into the implementation of the Xen hypervisor and found a series of highly critical vulnerabilities that could be used to compromise the host machine. For example, XSA-148/CVE-2015-7835, a 7-year-old bug disclosed by our team two months ago, is one of the worst vulnerabilities ever to hit the Xen Project.

This presentation will center on the Xen hypervisor and exploitation techniques and covers the following topics:

1. The story of the XSA-148/CVE-2015-7835 Xen vulnerability.

2. Xen hypervisor internals – In this section, we will dive deep into the hypervisor and talk about a mass of runtime details that have not been previously disclosed.

3. Exploitation vectors in a Xen environment – After exploring the Xen implementation, we will look into the various Xen exploitation vectors and how to bypass Xen security mechanisms.

4. VM escape and Dom0/DomN r00t shell in reality – Finally, we will expand on the XSA-148 exploitation technique and show root shells on the host machine and on other guest virtual machines. The XSA-148 exploitation technique is a deliberately generic method and could be reused directly with other vulnerabilities of the same kind to perform a VM escape.

With the exception of  the XSA-148 vulnerability itself, all other contents have never been published before. These details could help researchers start their virtualization security research work and also help cloud services providers enhance their products’ security or detect VM escape attacks.


Decrypting Android M adopted storage

Android Explorations: Decrypting Android M adopted storage: One of the new features Android M introduces is adoptable storage. This feature allows external storage devices such as SD cards or USB drives to be ‘adopted’ and used in the same manner as internal storage. What this means in practice is that both apps and their private data can be moved to the adopted storage device. In other words, this is another take on everyone’s (except for widget authors…) favorite 2010 feature — AppsOnSD. There are, of course, a few differences, the major one being that while AppsOnSD (just like Android 4.1 app encryption) creates per-app encrypted containers, adoptable storage encrypts the whole device. This short post will look at how adoptable storage encryption is implemented, and show how to decrypt and use adopted drives on any Linux machine.


How to bypass Apple Passcode in 9.1 and later (Security Affairs)

How to bypass Apple Passcode in 9.1 and later: “An application update loop that results in a passcode bypass vulnerability has been discovered in the official Apple iOS (iPhone 5 & 6 | iPad 2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass the passcode lock protection of the Apple iPhone via an application update loop issue. The issue affects device security when processing a request for a local update by an installed mobile iOS web application.” states the technical description published by the



PowerForensics v1.0.1 released: a PowerShell digital forensics framework.

Cmdlet coverage:
  • Boot sector
  • New Technology File System (NTFS)
  • Extended File System 4 (ext4)
  • Windows artifacts



MagSpoof – “wireless” credit card/magstripe spoofer

Samy Kamkar: MagSpoof – “wireless” credit card/magstripe spoofer

  • Allows you to store all of your credit cards and magstripes in one device
  • Works on traditional magstripe readers wirelessly (no NFC/RFID required)
  • Can disable Chip-and-PIN (code not included)
  • Correctly predicts Amex credit card numbers + expirations from previous card number (code not included)
  • Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously
  • Easy to build using Arduino or other common parts

Hacker predicts AMEX card numbers, bypasses chip and PIN

Hacker predicts AMEX card numbers, bypasses chip and PIN: Brainiac hacker Samy Kamkar has developed a US$10 gadget that can predict and store hundreds of American Express credit cards and use them for wireless transactions, even at non-wireless payment terminals.

The mind-blowing feat is the result of Kamkar cracking how the card issuer picks replacement numbers, and in dissecting the functionality of magnetic stripe data.

It means criminals could use the tiny gadget to keep pillaging cash after cards have been cancelled, at businesses that do not require the three- or four-digit CVV numbers printed on cards.

American Express has been notified and says it is working on a fix.

“Magspoof is a device that can spoof any mag stripe or credit card entirely wirelessly, can disable chip and PIN (EMV) protection, switch between different credit cards, and accurately predict the card number and expiration on American Express credit cards,” Kamkar says.

“You can put it up to any traditional point of sales system and it will believe that a card is being swiped.

“I pulled up the numbers for several other AMEX cards I had and compared to more than 20 others and found a global pattern that allows me to accurately predict replacement numbers” and expiration dates.


The wireless function works by emitting a strong “electromagnetic field” that emulates that produced when physically swiping a card.

Interested researchers can download the code and follow the instructions to build the device, but it will be somewhat neutered: Kamkar has removed the ability to deactivate EMV and has not released the AMEX prediction algorithm.
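Both MagSpoof write-ups above (the feature list mentioning all three tracks, and the description of a field that emulates a physical swipe) rest on how magnetic stripe data is laid out for a reader. The C program below is an added example written for this page, not Kamkar's MagSpoof firmware: it encodes a track string the way an ISO/IEC 7811 reader expects (characters sent LSB-first with odd parity, a trailing LRC, clocking zeros on either side), turns that bit stream into the F2F (Aiken biphase) coil-polarity sequence an emulator would drive through an H-bridge, and decodes a stream back while checking parity and LRC so a stream can be verified before it is ever emitted. The 25 leading/trailing zeros and the sample track 2 string are constructed values and are assumptions, not taken from either article.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ISO/IEC 7811 track formats: bits per character (data bits + 1 odd-parity bit)
 * and the first character of the alphabet (character = base + code).
 * Track 1: 6 data bits, alphabet from ' ' (0x20). Tracks 2/3: 4 data bits, from '0'. */
typedef struct { int bits; char base; } track_fmt;
static const track_fmt TRACK1 = { 7, ' ' };
static const track_fmt TRACK2 = { 5, '0' };

/* Clocking zeros around the data. 25 each side is an assumed, typical value;
 * readers only need enough of them to lock their bit clock. */
#define LEAD_ZEROS  25
#define TRAIL_ZEROS 25

/* Odd parity over the low n bits of v: the parity bit makes the total count of ones odd. */
static uint8_t odd_parity(unsigned v, int n) {
    int ones = 0;
    for (int i = 0; i < n; i++) ones += (v >> i) & 1;
    return (ones & 1) ? 0 : 1;
}

/* Emit one character: n data bits LSB-first, then its parity bit. */
static size_t put_char(unsigned code, int n, uint8_t *out) {
    for (int i = 0; i < n; i++) out[i] = (code >> i) & 1;
    out[n] = odd_parity(code, n);
    return (size_t)n + 1;
}

/* Encode a track string, sentinels included (";...?" for track 2, "%...?" for
 * track 1), into a 0/1 bit stream: clocking zeros, characters, LRC, clocking
 * zeros. The LRC is the XOR of all character codes, sent with its own parity bit.
 * Returns the number of bits written, or -1 for a character outside the track's
 * alphabet or a buffer that is too small. */
int encode_track(const track_fmt *f, const char *s, uint8_t *out, size_t cap) {
    int n = f->bits - 1;
    size_t need = LEAD_ZEROS + (strlen(s) + 1) * (size_t)f->bits + TRAIL_ZEROS;
    if (need > cap) return -1;
    size_t pos = LEAD_ZEROS;
    unsigned lrc = 0;
    memset(out, 0, LEAD_ZEROS);
    for (; *s; s++) {
        int code = *s - f->base;
        if (code < 0 || code >= (1 << n)) return -1;
        lrc ^= (unsigned)code;
        pos += put_char((unsigned)code, n, out + pos);
    }
    pos += put_char(lrc, n, out + pos);
    memset(out + pos, 0, TRAIL_ZEROS);
    return (int)(pos + TRAIL_ZEROS);
}

/* Read one character at *pos and check its parity. Returns -1 on truncation or parity error. */
static int read_char(const track_fmt *f, const uint8_t *bits, size_t nbits,
                     size_t *pos, unsigned *code) {
    int n = f->bits - 1;
    if (*pos + (size_t)f->bits > nbits) return -1;
    *code = 0;
    for (int i = 0; i < n; i++) *code |= (unsigned)bits[*pos + i] << i;
    if (bits[*pos + n] != odd_parity(*code, n)) return -1;
    *pos += (size_t)f->bits;
    return 0;
}

/* Decode a bit stream back to text the way a reader does: skip clocking zeros
 * (the start sentinels ';' and '%' both have their LSB set, so the first 1 bit
 * is the first data bit), check every character's parity, stop at the end
 * sentinel '?', then verify the LRC. Returns the text length, or -1 on any failure. */
int decode_track(const track_fmt *f, const uint8_t *bits, size_t nbits,
                 char *out, size_t cap) {
    size_t pos = 0, len = 0;
    unsigned code, lrc = 0;
    while (pos < nbits && bits[pos] == 0) pos++;
    do {
        if (len + 1 >= cap || read_char(f, bits, nbits, &pos, &code) < 0) return -1;
        lrc ^= code;
        out[len++] = (char)(f->base + (int)code);
    } while (out[len - 1] != '?');
    out[len] = '\0';
    if (read_char(f, bits, nbits, &pos, &code) < 0 || code != lrc) return -1;
    return (int)len;
}

/* F2F (Aiken biphase) as a coil drives it: one flux reversal at the start of
 * every bit cell, and a second one mid-cell for a 1. Output is the coil polarity
 * for each half cell (two samples per bit). Returns samples written, or -1. */
int f2f_polarity(const uint8_t *bits, size_t nbits, uint8_t *pol, size_t cap) {
    if (nbits * 2 > cap) return -1;
    uint8_t dir = 0;
    for (size_t i = 0; i < nbits; i++) {
        dir ^= 1;                 /* reversal at the cell boundary */
        pol[2 * i] = dir;
        if (bits[i]) dir ^= 1;    /* mid-cell reversal encodes a 1 */
        pol[2 * i + 1] = dir;
    }
    return (int)(nbits * 2);
}

int main(void) {
    /* Constructed track 2 content (not a real card): PAN, '=', expiry YYMM, service code, filler. */
    const char *t2 = ";1234567890123456=2512101000000000?";
    uint8_t bits[512], pol[1024];
    char back[64];
    int nb = encode_track(&TRACK2, t2, bits, sizeof bits);
    int ns = f2f_polarity(bits, (size_t)nb, pol, sizeof pol);
    int nd = decode_track(&TRACK2, bits, (size_t)nb, back, sizeof back);
    printf("%d bits, %d half-cells, decoded %d chars: %s\n", nb, ns, nd, back);
    bits[LEAD_ZEROS + 2] ^= 1;   /* corrupt one data bit: the parity check must reject it */
    printf("after a bit flip decode returns %d\n",
           decode_track(&TRACK2, bits, (size_t)nb, back, sizeof back));
    return 0;
}
```

The decoder is the half a terminal implements: a parity or LRC failure is what it reports as a bad swipe, which is why the single flipped bit in main() is rejected. The same functions handle track 1 by passing TRACK1 (7-bit characters, alphabet starting at the space character), and the polarity array is the only thing a driver has to time out onto the coil.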