HP Security Research Blog
The HP Security Research blog provides a platform for security experts from across HP to discuss innovative research, industry observations, and updates on the threat landscape to help organizations proactively identify and manage risk.

Displaying articles for: March 2014

HPSR Software Security Content - 2014 Update 1

HP Security Research and the Software Security Research group are pleased to announce the immediate availability of updates to HP WebInspect SecureBase (available via SmartUpdate), the HP Fortify Secure Coding Rulepacks (English language, version 2014.1.0), HP ArcSight Application View, HP Fortify Runtime Application Protection, and Premium Content.

HP Security Research OSINT (OpenSource Intelligence) articles of interest--March 28, 2014

Welcome to the March 28th edition of the HP Security Research OSINT News Feed—a list of publicly available articles that we find interesting in today’s security news.

Labels: HP| HPSR| security

Reverse engineering NAND Flash for fun and profit

A few weeks ago, I had the chance to reverse-engineer a hardware device we bought from eBay. The purpose of our investigation was to penetration-test the device, but I had no idea how to approach it. I was locked out of the machine by a password and even the seller didn’t know what it was (I assumed the seller was just a sort of liquidation company). However, the machine was so cheap that we couldn’t complain about the deal – password or not. So to penetration-test this machine, we knew there’d have to be some level of hardware reverse engineering.

HP TippingPoint DVLabs – Zero-Day Filter Protection for the Win!

SPOILER ALERT!!  Highlight the text below for spoiler:


One of HP TippingPoint's already shipping vulnerability filters fully covered a brand new exploit at the recent Pwn2Own contest!  Check out the post for more details!

Let’s see how protected you think you are.

Every day, thousands of malware files are sifted through automated systems built and deployed by AV companies. Some of these files, which cannot be processed automatically, are flagged and must be examined by a researcher. However, some just never get signed in time. Consider the following…

Pwn2Own 2014: A recap

Two record-setting days of payouts for zero-day vulnerabilities brought the 2014 Pwn2Own contest tantalizingly close to our first million-dollar competition, with $850,000 paid to eight entrants.

The world outside the room: Hackers, Pwn2Own, and charity

When ZDI pays big money for vulnerabilities and then hands them over to affected vendors for free, we’re making an investment in getting problems contained and fixed. What could be better than spreading the wealth to other organizations that do the same?

Pwn2Own results for Thursday (Day Two)

The second and final day of Pwn2Own 2014 saw successful attempts by seven entrants against five products, with $450,000 paid to researchers. This brings the two-day payout total to $850,000, not including charitable donations or the value of the laptops, ZDI points, and other prizes given to winning researchers.

Pwn2Own results for Wednesday (Day One)

The first day of Pwn2Own 2014 saw successful attempts by five entrants against five products, with payouts of $400,000 to researchers in the main competition and $82,500 to charity in the Pwn4Fun sponsors-only event.

Pwn2Own 2014: The lineup

The competition order for the 2014 Pwn2Own competition was assigned by random drawing in the Pwn2Own room on Wednesday morning. This year found eight contestants targeting six out of seven products in the competition, with some handling multiple challenges – thirteen competitions in all.

HP TippingPoint DV Labs and ZDI Collaborate at Pwn2Own 2014!

Wondering how ZDI and DV Labs collaborate on security research and customer protection?  Here's a sneak peek at the upcoming Pwn2Own contest and how we work with our stellar ZDI team to provide unrivaled protection against zero day vulnerabilities!

Remote code execution and XML Entity Expansion injection vulnerabilities in the Restlet framework

Restlet is a lightweight Java framework for building RESTful APIs. It comes in different flavors (Java SE, Java EE, Android, Google Web Toolkit and Google App Engine) and is composed of a core API and different extensions that provide additional functionality.


While adding support for the Restlet API to HP Fortify SCA, the Software Security Research group discovered that the XStream extension prior to 2.2 RC3 is susceptible to Remote Code Execution (RCE) via unsafe deserialization of XML messages. Also, versions prior to 2.1.7 and 2.2 RC1 contain APIs susceptible to XML Entity Expansion (XEE) injection, including the default extension to handle XML messages (JAXB).

Process Introspection with Python

Triggering vulnerabilities and design flaws found through static analysis and research is a difficult process, and it can get complicated when the vulnerability lies in a less-accessible part of the code. We’ve developed a Python-based technique for effective, fairly quick prototyping and testing of such vulnerabilities.    

Avoiding collisions: How we’ll handle (potential) duplications between Pwn2Own and Pwn4Fun

This year we introduced Pwn4Fun to give Google and ZDI the opportunity to give money to charity. 

Tags: pwn2own| pwn4fun

Botnet Hunting with ZMap - Continuing the Hunt!

This is a follow up to our earlier article on mapping the entire available IPv4 address space for Zero Access trojan infections using ZMap and custom written probes.  See how the landscape for ZA has changed in just a couple months, and some of the possible driving forces around the changes.

Pwning for the lulz…and for charity

So ZDI can’t enter the pwn2own contest and neither can Google – we’re co-sponsors. However, nothing says we can’t get together early and have fun. Announcing Pwn4Fun, a sponsors-only event putting huge amounts of money on the line for charity.

Pwn2Own, Patch Tuesday, and the thrill of the unexpected

The Patch Tuesday tradition established by Microsoft and other software vendors has done a great deal to standardize security-updating practices across the industry. We celebrate that – even when it may well cause some uproar for our Pwn2Own competition.

Tags: pwn2own| ZDI
About the Author(s)
  • Head of OpSec Research
  • I am a senior security content developer with Hewlett-Packard Security Research (HPSR). In this role, I write and edit security analysis and supporting content from researchers, including those from HP’s Zero Day Initiative (ZDI) program. The ZDI program augments HP’s Enterprise Security Products with zero-day research through a network of over 3,000 independent researchers around the world. I am also responsible for providing insight into the threat landscape; competitive intelligence to the research team; and providing guidance on the social media roadmap. Part of my role includes speaking publicly and promoting the research and technology of the HPSR.
  • Kernelsmith is a senior vulnerability researcher with Hewlett-Packard Security Research (HPSR). In this role, he analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero-Day Initiative (ZDI) program. He also tries to automate whenever he can, pulling from the devops and virtualization arenas. Josh is also a developer for the Metasploit Framework and has spoken at a few conferences and holds a few certifications. Prior to joining HP, Smith served in the U.S. Air Force for 10 years and subsequently became a security engineer at the Johns Hopkins University Applied Physics Laboratory. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests. Smith received a B.S. in Aeronautical Engineering from Rensselaer Polytechnic Institute and an M.A. in Management of Information Systems from the University of Great Falls.
  • Security Researcher, Software Security Research
  • Security Researcher, Zero Day Initiative
  • Steve Povolny manages the Digital Vaccine team at HP TippingPoint. The team is composed of security researchers and filter/signature developers for the Intrusion Prevention System.
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.