SPNEGO-based Kerberos authentication: Should I create a new security context using `gss_init_sec_context` for every request?

I’m implementing SPNEGO-based Kerberos authentication for a Linux client application for authenticating requests to a Windows IIS server.
I’ve read RFC4559, which describes how authentication should be performed:
https://datatracker.ietf.o…

Does Microsoft implement "Windows Defender"-like security for WSL 2 instances?

I’m not certain whether WSL 2 instances, running in Hyper-V, are actually scanned by Windows Defender.
I have found some articles on Google describing Windows Defender’s performance impact on WSL, but they are not mentioning whether they ar…

Why does Docker use the same user and cgroup namespaces by default, when starting a new container? [migrated]

I don’t understand why Docker doesn’t set up a new user namespace, so that root in the container isn’t the same as root on the host.


heap-one (x64) CTF exploit exercise: cannot overwrite GOT entry using arbitrary write (qword) primitive?

I’m currently working on the following CTF exercise (x64 version), where the objective is to overwrite a pointer stored on the heap to control the write address of strcpy():

https://exploit.education/phoenix/heap-one/

struc…

Why isn’t the checksum length increased on macOS to mitigate generic heap exploitation?

I’ve been studying heap exploitation on Linux/macOS for learning purposes.

Many of the generic exploits on macOS rely on brute-forcing the 4-bit checksum derived from the rack’s cookie value. This effectively results in a 2^…

How to execute a command directly on the host system through docker.sock in a Docker container?

I’ve been studying Docker security and examining ways of escaping from container to host.

Suppose Docker sock (docker.sock) is mounted into the container at /var/run/docker.sock, so that Docker client (docker) can send comma…

What’s the use of an "extra" dynamic declaration in an external DTD blind XXE attack?

I’ve been studying XXE attacks through Portswigger’s Web Security Academy. I stumbled upon a lab Exploiting blind XXE to exfiltrate data using a malicious external DTD.
In this lab an attacker has to define an entity within XML request to …