Tag Archives: adobe

Hacks at Pwn2Own Vancouver 2023

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2023/03/hacks-at-pwn2own-vancouver-2023.html

An impressive array of hacks were demonstrated at the first day of the Pwn2Own conference in Vancouver:

On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3.

The first to fall was Adobe Reader in the enterprise applications category after Haboob SA’s Abdul Aziz Hariri (@abdhariri) used an exploit chain targeting a 6-bug logic chain abusing multiple failed patches which escaped the sandbox and bypassed a banned API list on macOS to earn $50,000.

The STAR Labs team (@starlabs_sg) demoed a zero-day exploit chain targeting Microsoft’s SharePoint team collaboration platform that brought them a $100,000 reward and successfully hacked Ubuntu Desktop with a previously known exploit for $15,000.

Synacktiv (@Synacktiv) took home $100,000 and a Tesla Model 3 after successfully executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla-Gateway in the Automotive category. They also used a TOCTOU zero-day vulnerability to escalate privileges on Apple macOS and earned $40,000.

Oracle VirtualBox was hacked using an OOB Read and a stacked-based buffer overflow exploit chain (worth $40,000) by Qrious Security’s Bien Pham (@bienpnn).

Last but not least, Marcin Wiązowski elevated privileges on Windows 11 using an improper input validation zero-day that came with a $30,000 prize.

The con’s second and third days were equally impressive.

Microsoft Zero-Days Sold and then Used

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/07/microsoft-zero-days-sold-and-then-used.html

Yet another article about cyber-weapons arms manufacturers and their particular supply chain. This one is about Windows and Adobe Reader zero-day exploits sold by an Austrian company named DSIRF.

There’s an entire industry devoted to undermining all of our security. It needs to be stopped.

RTMP Api for Node.JS to ease the implementation of RTMP servers and clients

Post Syndicated from Anonymous original http://deliantech.blogspot.com/2014/06/rtmp-api-for-nodejs-to-ease.html

Hello to all,
As I mentioned before, I needed to implement a RTMP streaming server in Node.JS. All of the available modules for implementation of RTMP in Node’s NPM repository were incomplete, incorrect or unusable. Not only that but the librtmp used by libav tools like avconv and avplay was incorrect and incomplete.
The same with most of the implementation I’ve checked (covering perl, python, others). I’ve tried to fix few of them but at the end I had to write one on my own.
This is my library of RTMP related tools and API for Node.JS. It is named node-rtmpapi and is available in the npm repository. Also you can get it here – https://github.com/delian/node-rtmpapi
It works well for me, and it has been tested with MistServer, OrbanEncoders and librtmp (from libav).
That does not mean it will work for you, though 🙂
RTMP is quite badly documented protocol and extremely badly implemented.
During my tests I have seen issues like crash of libraries (including the Adobe’s original one) if the upper layer commands has been sent in unexpected order (although this is allowed by the RTMP protocol and the order of the upper layer commands is not documented at all). Also I have seen (within Adobe’s rtmp library) incorrect implementation of the setPeerBandwidth command.
Generally, each different RTMP implementation is on its own and the only way to make it work is to adjust and tune it according to the software you communicate with.
Therefore I separated my code in utils that allows me to write my own RTMP server relatively easy and to adjust it according to my needs.
The current library supports only TCP as a transport (although TLS and HTTP/HTTPS is easy to be implemented, I haven’t focused on it yet).
It provides separate code that implements streaming (readQueue), the chunk layer of the protocol (rtmpChunk), the upper layer messaging (assembling and disassembling of message over chunks, rtmpMessage), stream processing (rtmpStream) and basic server implementation without the business logic (rtmpServer).
Simplified documentation is provided at the git-hub repository.
The current library uses callbacks for each upper layer command it receives. I am planning to migrate the code to use node streams and to trigger events per command, instead of callbacks. This will extremely simplify the usage and the understanding of the library for a node programmer. However, this is the future and in order to preserve compatibility, I will probably name it something different (like node-streams-rtmpapi)

AMF0/3 encoding/decoding in Node.JS

Post Syndicated from Anonymous original http://deliantech.blogspot.com/2014/06/amf03-encodingdecoding-in-nodejs.html

I am writing my own RTMP restreamer (RTMP is Adobe’s dying streaming protocol widely used with Flash) in Node.JS.
Although, there are quite of few RTMP modules, no one is complete, nor operates with Node.JS buffers, nor support fully ether AMF0 or AMF3 encoding and decoding.
So I had to write one on my own.
The first module is the AMF0/AMF3 utils that allow me to encode or decode AMF data. AMF is a binary encoding used in Adobe’s protocols, very similar to BER (used in ITU’s protocols) but supporting complex objects. In general the goal of AMF is to encode ActiveScript objects into binary. As ActiveScript is a language belonging to the JavaScript’s familly, basically the ActiveScript’s objects are javascript objects (with the exception of some simplified arrays).
My module is named node-amfutils and is now available in the public NPM repository as well as here https://github.com/delian/node-amfutils
It is not fully completed nor very well tested as I have very limited environment to do the tests. However, it works for me and provides the best AMF0 and AMF3 support currently available for Node.JS – 
  • It can encode/decode all the objects defined in both AMF0 and AMF3 (the other AMF modules in the npm repository supports partial AMF0 or partial AMF3)
  • It uses Node.JS buffers (it is not necessary to do string to buffer to string conversion, as you have to do with the other modules)

It is easy to use this module. You just have to do something like this:

var amfUtils = require('node-amfutils');
var buffer = amfUtils.amf0Encode([{ a: "xxx"},b: null]);