Publications by KoreLogic

KoreLogic has published numerous security advisories, attempting coordination with vendors; our disclosure policy is available in text and PDF.

Our staff often speak at security conferences; some presentations and white papers are available below.

Advisories:

KL-001-2017-009: Solarwinds LEM Database Listener with Hardcoded Credentials

KL-001-2017-008: Solarwinds LEM Management Shell Arbitrary File Read

KL-001-2017-007: Solarwinds LEM Management Shell Escape via Command Injection

KL-001-2017-006: Solarwinds LEM Privilege Escalation via Sudo Script Abuse

KL-001-2017-005: Solarwinds LEM Privilege Escalation via Controlled Sudo Path

KL-001-2017-004: WatchGuard XTMv User Management Cross-Site Request Forgery

KL-001-2017-003: Trendmicro InterScan Remote Root Access Vulnerability

KL-001-2017-002: Trendmicro InterScan Privilege Escalation Vulnerability

KL-001-2017-001: Trendmicro InterScan Arbitrary File Write

KL-001-2016-009: Sophos Web Appliance Remote Code Execution

KL-001-2016-008: Sophos Web Appliance Privilege Escalation

KL-001-2016-007: Cisco Firepower Threat Management Console Remote Command Execution Leading to Root Access

KL-001-2016-006: Cisco Firepower Threat Management Console Local File Inclusion

KL-001-2016-005: Cisco Firepower Threat Management Console Hard-coded MySQL Credentials

KL-001-2016-004: Cisco Firepower Threat Management Console Authenticated Denial of Service

KL-001-2016-003: SQLite Tempdir Selection Vulnerability

KL-001-2016-002: Ubiquiti Administration Portal CSRF to Remote Command Execution

KL-001-2016-001: Arris DG1670A Cable Modem Remote Command Execution

KL-001-2015-008: Dell Pre-Boot Authentication Driver Uncontrolled Write to Arbitrary Address

KL-001-2015-007: Seagate GoFlex Satellite Remote Telnet Default Password

KL-001-2015-006: Linksys EA6100 Wireless Router Authentication Bypass

KL-001-2015-005: VBox Satellite Express driver Privilege Escalation for Windows 7 & XP

KL-001-2015-004: XGI VGA driver Privilege Escalation for Windows XP

KL-001-2015-003: SiS VGA driver Privilege Escalation for Windows 7 & XP

KL-001-2015-002: Piriform CCleaner Wiped Filename Recovery

KL-001-2015-001: Windows 2003 tcpip.sys Privilege Escalation

KL-001-2014-004: VMWare vmx86.sys Arbitrary Kernel Read

KL-001-2014-003: MQAC driver Privilege Escalation for Windows XP

KL-001-2014-002: BthPan.sys Arbitrary Write Privilege Escalation for Windows XP

KL-001-2014-001: VirtualBox Privilege Escalation on Windows XP

Presentations:

"Giles: Taking Event Correlation With You" at Black Hat 2015.

"im in ur scm, bein a ninja" at BSides DC 2014. Watch the presentation.

"PathWell: Password Topology Histogram Wear-Leveling" at BSides Asheville 2014. Watch the presentation.

"Experiences in Enterprise Searching: Tips, Techniques, and Pitfalls" at the Techno Forensics Digital Investigations Conference 2010 in Gaithersburg, Maryland.

"Shrinking the IDS Haystack" at the IntrusionWorld conference in Baltimore, MD.

"Burying Your Head in the SandNet" at the Computer Forensics Show conference in Washington, DC.

"The Forensic Katana - Digital File Carving" at the CEIC conference in Las Vegas. There were two versions, a basic and an advanced session. Download the basic class slides or handouts, or the advanced class slides or handouts.

"Home-grown Crypto (aka Taking a Shiv to a Gun Fight)" at the ShmooCon conference in Washington D.C. Click here to watch a video of the presentation.

"Introduction to Botnets" at the Ohio Information Security Conference (OISC 07).

Papers:

The Giles Production System Compiler - Giles is a compiler that creates production systems, such as event correlation engines, forensic behavior detection and log analysis, and expert systems. (See the open-source release of Giles here.)

DFRWS 2006 File Carving Challenge Submission Paper - Summarizes the results of our efforts to solve the Digital Forensic Research Workshop (DFRWS) 2006 File Carving Challenge. In short, our team took 1st place (here's our press release). Details regarding this challenge may be found here.

- dfrws_challenge_2006.final.2006-07-17.tgz - Original submission tar ball.
- dfrws_challenge_2006.final.2006-08-22.tgz - Updated tar ball that includes several corrections (e.g., wording changes, error/omission fixes, etc.).
- DFRWS_2006_File_Carving_Challenge.pdf

MD5 Prehash Analysis - This paper examines the advantages of prehashing for data streams (e.g., session IDs) that can be broken into two consecutive sub-streams where the first sub-stream is fixed or relatively fixed (i.e., easily inferred/guessed) and the second sub-stream is unpredictable (random) or hard to guess/infer (pseudo-random). While the observations and findings of this study were limited to the MD5 algorithm, it is likely that they would apply to all hashing techniques in general.

System Baselining - A Forensic Perspective - This paper defines baselining terminology, explains the mechanics of baselining, compares and contrasts different baselining techniques, and describes FTimes -- a system baselining and evidence collection tool. The paper also explores some of the criteria that evidence collection tools and techniques must satisfy if they are going to support prosecutions. In closing, it presents a pair of war stories that are typical of the times.

WebJob Breakeven Analysis - Installing and Configuring a Solaris Package - This paper describes the labor cost associated with using a WebJob framework to deploy and configure a Solaris package on several hundred systems. In short, the payoff is pretty amazing. Furthermore, the efficiencies and economy of scale that this approach delivers can be translated to almost any other type of administrative and/or repetitive task that can be scripted.

The WebJob Framework: A Generic, Extensible, and Scalable Endpoint Security Solution - This paper describes the key features and attributes of the WebJob framework, how it is a next generation endpoint security solution, and how the framework has been used in a number of production environments including the Federal government and Fortune 500 businesses to perform evidence collection, enterprise searching, incident response, live forensics, system management and monitoring, and grid computing.

Please contact us if you would like more information about our services, tools, or careers with us.
Copyright 2017. KoreLogic Security. All rights reserved.