Year: 2007

INSIGHTS | October 26, 2007

Unmarked Die Revisions :: Part I

By IOActive

We have noticed a few different die revisions on various Microchip’s substrates that caught our attention.  In most case when a company executes any type of change to the die, they change the nomenclature slightly.  An example is the elder PIC16C622.  After some changes, the later part was named the PIC16C622A and there was major silicon layout changes to the newer ‘A’ part.

The PIC16C54 has been through three known silicon revs (‘A’ – ‘C’) and has now been replaced by the PIC16F54.

However, we’ve noticed two different devices from them (PIC12F683 and PIC18F1320) that caught our eye.  The PIC12F683 changes seem purely security related concerns.  The code protection output track was rerouted.

Our guess- They were concerned the magic track was too easilly accessable.

We will focus this article to the PIC18F1320 and consider this as a follow-up to our friends at Bunnie Studios, LLC.  A few years ago Bunnie wrote an article about being able to reset the fuses of the PIC18F1320 to a ‘1’ thus unlocking the once protected PIC.

The newly improvised second generation PIC18F1320 with fill patterns place over open areas.

You might ask yourself:  What are they hiding?  The part contains three metal layers however, the top layer has been partially removed by wet-etching techniques.  This allows us to see below in denser areas.The newly improvised second generation PIC18F1320 now has these cells covered aka Bunnie attack prevention!

Conclusion:  Did they archieve their goal?  From an optical attack, sort-of.  They are not expecting the attacker to be able to selectively remove this covering metal.  Stay tuned for part II of this report where we show you this area with the covering metal removed and the fuses exposed once again!

ADVISORIES | September 20, 2007

Multiple Buffer Overflows in legacy mod_jk2 apache module 2.0.3-DEV and earlier

By Josh Betts Jason Larsen & Walter Pearce

CVE-2007-6257, VU#245025. Discovered: 05.01.07. Reported: 06.27.07. Disclosed: 09.20.07. A buffer overflow vulnerability exists in the Host Header field of the legacy version of the mod_jk2 apache module (jakata-tomcat-connectors), which allows for remote code execution in the context of the Apache process. (more…)

ADVISORIES |

Multiple Total Remote Compromise Vulnerabilities in Mercury SiteScope Monitoring Software

By Chris Paget

CVE-2007-6257, VU#245025. Discovered: 10.05.06. Disclosed: 09.20.07. Critical vulnerabilities exist within the Mercury SiteScope server monitoring software. Some of these can result in a complete remote compromise of the entire monitored network, as well as arbitrary code execution on all servers managed by the SiteScope software. (more…)

ADVISORIES |

Buffer Overflow in Mono BigInteger Montgomery Reduction Method

By Jason Larsen & Walter Pearce

VU#146292. Discovered: 07.25.07. Reported: 08.24.07. Disclosed: 09.20.07. An exploitable buffer overflow vulnerability exists in the Montgomery reduction method within the Mono Frameworks BigInteger Class (Mono.Math.BigInteger). (more…)

ADVISORIES | March 26, 2007

Static Microsoft Windows WPAD entries might allow interception of traffic

By Chris Paget

CVE-2007-1692. Disclosed: 03.26.07. The default configuration of Microsoft Windows uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries. A remote attacker could leverage this to intercept web traffic by registering a proxy server using WINS or DNS, then responding to WPAD requests. (more…)