CVE-2014-3518 JBoss EAP/AS 5: Remote code execution

Overview

JBoss Application Server (JBoss AS) is an open-source, cross-platform Java application server developed by JBoss, a division of Red Hat Inc. JBoss AS is an open-source implementation of Java 2 Enterprise Edition (J2EE) that is used for implementing Java applications and other Web-based applications and software.

JBoss AS is released through Lesser General Public License. The JBoss.org community provides free support for this application server.

We have discovered that default installations of JBoss AS 5.x products prone to remote code execution attacks.

read more

Kyle: A password manager for paranoids.

Overview

For a password manager kyle differs with the others in two points;

  • It doesn't store any password so there is no file to steal and crack for attackers
  • So you can't store any given password from 3rd parties but demand your own

And kyle differs with password generators with;

  • Generated passwords are not random but a brute-force method can take trillions of years to crack just one

    For example on the test vectors Bill Gates' password tooks 12.11 secs on a MacBook Pro Early 2013 with 2,4 GHZ Intel Core i7. So even for a lazy master-key with 8 chars includes small-case-letters and numbers 36^8+36^7+36^5+36^4+36^3+36^2+36 equals 2901713047668 combination with 12.11 secs per combination try leads to 1,114,274 years to try all combinations.

  • It doesn't use any specific hash or encryption algorithm although it uses mixture of them by an algorithm to choose which generated from info and master-key.

read more