Reflection on Cesar Cerrudo
This week on Reflection we have someone who has done a lot of database research, published several advisories, and presented at Black Hat, CanSecWest and other conferences on database security. Cesar Cerrudo works for his own company, "Argeniss", and has contributed a lot to making some of today's databases more secure. He has also identified a lot of vulnerabilities in Microsoft Windows, Microsoft Commerce Server, etc. He is passionate about application security and a big believer in the open source community, both for software and for books. Cesar shares his journey with application security in his own words:
"I think I always have had a "hacker mind", for calling it in some way. I remember being a child and breaking things to look inside. When I was 10 or so I got my first computer, a CZ Spectrum (I don't remember the exact model), but it ran BASIC. When I wanted to learn how to use it and to code in BASIC, I went to a place for kids but got bored after many days of being taught PRINT "HOLA MUNDO" only, so I used that computer for games (games were stored on an audio cassette tape and loading them required playing it in a cassette player). I learnt a few tricks looking at the guy from a store that recorded games, so I started to modify screens when the games were loading; I also hacked multilevel games by loading parts of one level and the rest from a different level, which for my age was a big deal. After a couple of years I stopped using that computer and I didn't do anything computer related for several years, apart from taking a few boring classes of MS DOS, QPRO, Lotus, etc. When I was 19 I started to study Computer Science but I didn't have a PC (they were a bit expensive on this side of the planet earth), so I only read old books available at the university and played with a friend's computer. On those days the challenge was to try running cool games on old computers; I became an expert in MS DOS :)
I remember one day being very excited because I found the assembly code from an MS DOS virus in one of the PCs at the university. I spent several hours with an old assembly book (thanks Norton-Socha!) until I learnt how the virus worked (in the process I learnt some x86 assembler without coding it in a PC). After some time I started to work on client/server software for a couple of different local companies, and one of the companies had internet access, so I started using the Internet, and since I always liked hacking, the Internet was a really good source of information, so I started to learn something about hacking for the first time. I was lucky since I had a good academic background on programming, computers, etc., so I didn't end up reading and learning stupid things, but because I had an old PC and no Internet access at home I couldn't test much of the stuff I learnt. Then I took up a new job where I started using the Internet frequently and started trying things in my free time; this was like 7 years ago and that was when I started with webappsec. I had worked a lot with MS SQL Server, so when I first read about SQL Injection I was really amazed by it and I started to create my own techniques, tools, etc.
That's when I started to play with MS SQL Server, and after some time I found my first vulnerability, then the next one and so on, until I realized I had found dozens of vulnerabilities in MS SQL Server. I also learnt how to code exploits and new techniques for finding vulnerabilities; since then I have found several vulnerabilities in MS Windows, Oracle Database Server, etc. I have also created new exploitation and attack techniques. A few years ago I designed and wrote a complete web application scanner for a security company; the scanner at that time was better than other available web app scanners, but because of some patent issues the product stopped being sold (hurray for Watchfire!!!). Currently I do research on application security mostly focused on database security, and in my spare time I like to hack MS Windows :)
I always try to keep big vendors improving on security; I don't care if I have to publish 0day vulnerabilities or controversial papers in order to accomplish that. I have been offered to write books, but the only way I can write or contribute to a book is if it will be available for free in some way (electronic, etc.). I know what it is not to have resources for learning; all people should have easy access to knowledge. Books only make money for the editors, and people without money can't get them."
Based out of Parana, Entre Rios, Argentina, Cesar is 31 years old. Below is a list of his contributions to the community.
Articles:-
Hacking databases for owning your data
http://www.argeniss.com/research/HackingDatabases.zip
Practical security audit: Oracle case
http://www.argeniss.com/research/10MinSecAudit.zip
WLSI-Windows Local Shellcode Injection
http://www.argeniss.com/research/WLSI.zip
Story of a dumb patch
http://www.argeniss.com/research/MSBugPaper.pdf
Demystifying MS SQL Server & Oracle Database Server security
http://www.argeniss.com/research/SQL-Oracle.zip
Hacking Windows Internals
http://www.argeniss.com/research/hackwininter.zip
Auditing ActiveX Controls
http://www.blackhat.com/presentations/win-usa-04/bh-win-04-cerrudo/bh-win-04-cerrudo.pdf
Hunting Flaws in SQL Server
http://www.appsecinc.com/presentations/Hunting_Flaws_in_SQL_Server.pdf
Manipulating Microsoft SQL Server Using SQL Injection
http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
Tools written by him:-
DataThief
http://www.argeniss.com/research/HackingDatabases.zip
Shared section tools
http://www.argeniss.com/research/hackwininter.zip
Contributions:-
WASC - Web Security Threat Classification
Advisories:-
Microsoft Windows Kernel GDI local privilege escalation procedure
http://www.argeniss.com/research/ARGENISS-ADV-110604.txt
http://www.argeniss.com/research/GDIKernelPoC.c
Oracle Database Server Directory traversal
http://www.argeniss.com/research/ARGENISS-ADV-030501.txt
COM+ Vulnerability
http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx
COM Structured Storage Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS05-012.mspx
http://www.argeniss.com/research/SSExploit.c
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
Vulnerability in Windows LSASS Could Allow Elevation of Privilege
http://www.microsoft.com/technet/security/bulletin/MS04-044.mspx
Multiple vulnerabilities in Oracle Database Server
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
Vulnerability in Utility Manager Could Allow Code Execution
http://www.microsoft.com/technet/security/bulletin/MS04-019.mspx
Utility Manager Vulnerability
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
Biztalk Server Vulnerabilities
http://www.microsoft.com/technet/security/bulletin/MS03-016.asp
Buffer Overflow in Windows Troubleshooter ActiveX Control Could Allow Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS03-042.mspx
Symantec Security Check RuFSI ActiveX Control Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/8008
http://secunia.com/advisories/8924/
Yahoo! Chat and Messenger Hostname Buffer Overflow Vulnerability
Multiple buffer overflows in DBCC and SQL Injections
http://www.appsecinc.com/resources/alerts/mssql/02-0011.shtml
BULK INSERT buffer overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0010.shtml
Encoded password written by service pack
http://www.appsecinc.com/resources/alerts/mssql/02-0009.shtml
Microsoft SQL Server: Buffer Overflows in numerous extended stored procedures
http://www.appsecinc.com/resources/alerts/mssql/02-0000.html
xp_dirtree Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0007.shtml
Heterogenous Queries Buffer Overflow
http://www.appsecinc.com/resources/alerts/mssql/02-0008.shtml
Conferences:-
Hacking databases for owning your data - Black Hat Europe 2007
http://www.blackhat.com/
Practical security audit: Oracle case - Black Hat DC 2007
http://www.blackhat.com/
DataTheft - How databases are hacked and how to protect them - No cON Name 2006
http://www.noconname.org/
WLSI - Windows Local Shellcode Injection - Black Hat Europe 2006
http://www.blackhat.com/
WLSI - Windows Local Shellcode Injection - EUSecWest/core06 conference
http://www.eusecwest.com/
Database Hacking and Security - Web Application Security and Hacking
http://www.websec.com.mx/
Demystifying Microsoft SQL Server & Oracle Database Server security - Black Hat USA 2005
http://www.blackhat.com/
Hacking Windows Internals - cansecwest/core05 conference
http://www.cansecwest.com/
Hacking Windows Internals - Bellua Cyber Security Asia 2005
www.bellua.com/bcs2005/
Hacking Windows Internals - Black Hat Europe 2005
http://www.blackhat.com/
Auditing ActiveX Controls - Black Hat Windows 2004
http://www.blackhat.com/
Hunting Flaws in MS SQL Server - Black Hat Windows 2003
http://www.blackhat.com/
Company working for:-
Argeniss
Companies worked for:-
Application Security Inc.
Website:-
http://www.argeniss.com/
Email:-
Cesar<(at)>argeniss<(.)>com
Education:-
Analyst programmer
Cesar is very driven and passionate about application security, and is one of the best in database security. Though he doesn't have a blog right now, you can get all the information on his website, along with the whitepapers and the latest on database security.
Last Week – Alex Stamos
Next Week – Dinis Cruz