Thought leaders in information security, we conduct radical, world-changing research and deliver renowned presentations around the world.
Disclosures | ADVISORIES | July 13, 2012

Invensys Wonderware InTouch 10 DLL Hijack

ICS-CERT originally released Advisory ICSA-12-177-01P on the US-CERT Portal on July 05, 2012. The web page’s release was delayed to provide the vendor with enough time to contact customers concerning this information. Independent researcher Carlos Mario Penagos Hollmann has identified an uncontrolled search path element vulnerability, commonly referred to as a DLL hijack, in the Invensys Wonderware InTouch application. Successfully exploiting this vulnerability could lead to arbitrary code execution. ICS-CERT has coordinated the report with Invensys, which has produced an upgrade to address this vulnerability. Mr. Hollmann has validated that…

View Advisory
Carlos Hollman
Disclosures | ADVISORIES | July 3, 2012

WellinTech KingView and KingHistorian Multiple Vulnerabilities

Independent researchers Carlos Hollmand and Dillon Beresford identified multiple vulnerabilities in WellinTech’s KingView and a single vulnerability in WellinTech’s KingHistorian applications. These vulnerabilities can be exploited remotely. WellinTech has created a patch, and the researchers have validated that the patch resolves these vulnerabilities in the KingView and KingHistorian applications.

View Advisory
Carlos Hollman
Disclosures | ADVISORIES | July 1, 2012

Wonderware Archestra ConfigurationAccessComponent ActiveX stack overflow

The Wonderware Archestra ConfigurationAccessComponent ActiveX control that is marked “safe for scripting” is suffering from a stack-overflow vulnerability. The UnsubscribeData method of the IConfigurationAccess interface is using wcscpy() to copy its first parameter into a static-sized local buffer. Attackers can exploit this vulnerability to overwrite arbitrary stack data and gain code execution.

Launch PDF
Richard van Eeden
Disclosures | ADVISORIES |

XBMC File Traversal Vulnerability

XBMC is an award-winning, free, and open source (GPL) software media player and entertainment hub for digital media. XBMC is available for Linux, OSX, and Windows. Created in 2003 by a group of like-minded programmers, XBMC is a nonprofit project run and was developed by volunteers located around the world. More than 50 software developers have contributed to XBMC, and 100-plus translators have worked to expand its reach, making it available in more than 30 languages.

Launch PDF
Lucas Lundgren
Disclosures | ADVISORIES |

Multiple Vulnerabilities in Fwknop

Fwknop stands for the “FireWall KNock OPerator” and implements an authorization scheme called Single Packet Authorization (SPA). This method of authorization is based on a default-drop packet filter and libpcap. A server might appear to have no open ports available, but it could still grant access to certain services if authorized fwknop packets are received. Companies commonly use this service on exposed systems and need to diminish the attack surface of this service. wknop contains several vulnerabilities. The most critical of these might allow remote, authenticated attackers to leverage flaws…

Launch PDF
Fernando Arnaboldi
Disclosures | ADVISORIES |

IBM Informix XML functions overflows

Informix is one of the world’s most widely used database servers, with users ranging from the world’s largest corporations to startups. Informix incorporates design concepts that are significantly different from traditional relational platforms. This results in extremely high levels of performance and availability, distinctive capabilities in data replication and scalability, and minimal administrative overhead. Informix contains two vulnerabilities affecting several versions. Attackers can exploit these vulnerabilities to execute arbitrary code or cause denial-of-service conditions.

Launch PDF
Ariel Sanchez
Disclosures | ADVISORIES |

Windows Kernel Library Filename Parsing Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Windows. User interaction is required to exploit this vulnerability in that the target must open or browse to a file or subfolder with a specially crafted name on a network SMB share, UNC share, or WebDAV web folder.

Launch PDF
Lucas Apa
Disclosures | ADVISORIES | May 4, 2010

Authentication Bypass In Tranax Remote Management Software

Reported: 04.05.10. The Tranax Remote Management Software (RMS) allows for the administration of common Automated Teller Machine (ATM) tasks from a remote location. To successfully authenticate to a remote ATM, both the serial number and the RMS password are required. An attacker can leverage an implementation flaw that occurs when verifying credentials to craft a request that bypasses all authentication measures. The attacker could then perform remote management tasks with invalid credentials. The RMS interface is enabled, by default, on a typical ATM installation.

Launch PDF
Barnaby Jack
Disclosures | ADVISORIES | March 18, 2010

SQL Injection and Cross-site Scripting at

Discovered: 03.18.10. Reported: 03.23.10. The formID parameter at is vulnerable to SQL injection. The searchTerms parameter at is vulnerable to cross-site scripting attacks. Exploiting these vulnerabilities would likely expose sensitive data and may result in compromise of the affected systems.

Launch PDF
Mike Davis Rich Lundeen & Sean Malone
Disclosures | ADVISORIES | March 1, 2010

Multiple Vulnerabilities in Accoria Web Server

Discovered/Reported to Accoria: December 2008. Date Reported to US-Cert: March 1, 2010. The Accoria Web Server 1.4.7 for x86 Solaris exhibits multiple vulnerabilities, including cross-site scripting, directory traversal, and format string errors.

Launch PDF
Ilja van Sprundel

Biometric Security: Facial Recognition Testing

IOActive has conducted extensive research and testing of facial recognition systems on commercial mobile devices. Our testing included setups for 2D- and 3D-based algorithms, including technologies using stereo IR cameras. Discovering the underlying algorithms to find setups to bypass them, then calculating the Spoof Acceptance Rate (SAR).