Posted on September 25th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Culture, Full Disclosure, Sec Tools | 1 Comment »
A while back I was fuzzing with Hzzp and found a remote format string vulnerability in Ipswitch’s WS_FTP. But, I couldn’t find a security contact for Ipswitch. I waited a few months and made the vulnerability public. The day afterwards, a representative from Ipswitch contacted me and I explained why I hadn’t contacted them previously. He was eager to get the vulnerability fixed and made the comment that they’ll need to do a better job publicizing the security contact information. I was happy to have received a more professional, non-automated email from someone who seemed to care about the security of their company’s product.
I didn’t worry too much about the update process. I know it can take some companies months or even years to release new patches for vulnerabilities in their products, which most of the time is completely unreasonable. Then, a little more than two weeks later, I received an email from that same Ipswitch representative informing me that a new release of WS_FTP was available and the date in the Help->About window should say Sept 18th (10 days after we discussed the vulnerability). What an excellent example of how vendors should handle security issues within their products.
Fast response, efficient security policy, good business. Thanks Ipswitch!
Posted on August 14th, 2009 by jbrown
Filed under: Commentary, Culture, Full Disclosure, Insider Threat, Networking, Sec Tools | 1 Comment »
This summer may have caused a few burdens on Linux administrators. With all the patching necessary to keep their systems out of the hands of those who would choose to exploit them, unless you’re using something like Ksplice, you’ve more than likely rebooted many times already. Well, here is one more reason to wake up this early this morning…
New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.
linux@ubuntu:~/2009-proto_ops$ sh run.sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev)
# exit
linux@ubuntu:~/2009-proto_ops$
A reliable local root exploit that affects all Linux 2.x kernels. Feels like 2003 all over again :X
Posted on July 11th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Culture, Full Disclosure, Web | No Comments »
Just thought I’d bring it up since there has been prolific chatter on the lists lately…
Posted on June 11th, 2009 by jbrown
Filed under: Ask the Expert, Commentary, Corporate Security, Culture, Full Disclosure | No Comments »
0x01 Introduction
0x02 Phrack Prophile on The PaX Team
0x03 Phrack World News
0x04 Abusing the Objective C runtime
0x05 Backdooring Juniper Firewalls
0x06 Exploiting DLmalloc frees in 2009
0x07 Persistent BIOS infection
0x08 Exploiting UMA : FreeBSD kernel heap exploits
0x09 Exploiting TCP Persist Timer Infiniteness
0x0A Malloc Des-Maleficarum
0x0B A Real SMM Rootkit
0x0C Alphanumeric RISC ARM Shellcode
0x0D Power cell buffer overflow
0x0E Binary Mangling with Radare
0x0F Linux Kernel Heap Tempering Detection
0x10 Developing MacOSX Rootkits
0x11 How close are they of hacking your brain ?
You can check it out here.
Now we have something to keep us busy while the net neutrality debates are going on…
Posted on June 6th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Culture, Full Disclosure, Hacked, Insider Threat, Law | 5 Comments »

From the looks of it, T-Mobile has been hacked and the goods stolen.
They also seem to love running HP-UX.
Posted on April 28th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Sec Tools | No Comments »

An exploit for the remote SCTP vulnerability in the Linux kernel (which had been considered only a denial-of-service issue) has been released.
The exploit contains multiple targets and covers 32/64 bits architectures… play time started this morning =X
Posted on April 21st, 2009 by jbrown
Filed under: Commentary, Spam, Web | 1 Comment »
It seems I get this IN MY INBOX every time I post…
We have received your request to join the puitika
group hosted by Yahoo! Groups, a free, easy-to-use community service.
This request will expire in 7 days.
TO BECOME A MEMBER OF THE GROUP:
1) Go to the Yahoo! Groups site by clicking on this link:
http://groups.yahoo.com/i?i=oyhn042ed3ckqjsszqpggnyd5xxe0l1b&e=0xjbrown41%40gmail%2Ecom
(If clicking doesn’t work, “Cut” and “Paste” the line above into your
Web browser’s address bar.)
-OR-
2) REPLY to this email by clicking “Reply” and then “Send”
in your email program
If you did not request, or do not want, a membership in the
puitika group, please accept our apologies
and ignore this message.
Regards,
Yahoo! Groups Customer Care
Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
Posted on March 26th, 2009 by jbrown
Filed under: Apple, Commentary, Corporate Security, Full Disclosure, Microsoft, Sec Tools, Web | 1 Comment »

0day exploits for Internet Explorer, Firefox, and Safari were used to own machines at the Pwn2Own contest @ CanSecWest 2009. Is now the time for someone to port Windows 3.1 to MIPS and install a good telnet client? Roffles.
Credit www.dailygalaxy.com for the fierce FF/IE photo
Posted on March 24th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure | 3 Comments »

Getting real money for computer security research is making its way from early development and ideas to mainstream, and bug hunters probably have mixed feelings, like teenagers. It’s an interesting concept that might actually work. What will become of the vulnerability market when something like this becomes popular?
Either way, these guys are basically saying no more freeloading, Mr. Vendor.
Posted on March 20th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure | No Comments »

uCon Security Conference 2009 materials have been released!
Advanced SQL Injection (Slides)
Hacking PDF Readers (Slides)
Intro to Windows Kernel Security Development (Slides)
From theory to practice: Bringing down the house with EXTENDED DHCP Exhausting Attack (Slides)
Practical (Introduction to) Reverse Engineering (Slides)
Secure Log Centralization, Analysis & Security Visualization (Slides)
Ut cognitione visus: ut ipso intellecto – BinNavi v2 (Slides)
GSM For Fun and Profit (Slides)
Dispelling the myths and discussing the facts of global cyber-warfare (Slides)
Advanced Payload Strategies: What is new, what works and what is hoax? (Slides)
Posted on March 5th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Networking | No Comments »

According to this thread, DJBDNS’s security has officially been broken. A patch is available and the reward for the bug by Mr. Bernstein will be awarded to Matthew Dempsky. Quoting from the thread:
“If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)
Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.
The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky’s patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.
—D. J. Bernstein
Research Professor, Computer Science, University of Illinois at Chicago”
I still believe Georgi Guninski’s bug was enough for a reward, but oh well. I wonder what the “new security guarantee” will be, anyway.
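The quoted text blames the hole on axfrdns compressing some outgoing packets incorrectly. DNS name compression (RFC 1035, section 4.1.4) replaces a repeated suffix with a two-byte pointer whose top two bits are set and whose remaining 14 bits are an offset into the message, so a compressor that emits a pointer to the wrong offset makes the receiver reassemble a name other than the one intended. As an added illustration (this is example code written for this page, not djbdns code and not Dempsky’s patch, and it does not reproduce the specific djbdns bug), here is a small encoder that only emits backward, 14-bit-reachable pointers to suffixes it has already written, and a decoder that rejects forward, self-referencing, reserved or out-of-range pointers:

```python
"""Minimal DNS name compression with the checks a careful encoder and
decoder apply.  Added example for this page; not djbdns code."""

# A compression pointer carries a 14-bit offset, so nothing at or beyond
# offset 0x4000 can ever be the target of a pointer.
MAX_POINTER_OFFSET = 0x3FFF


def _labels(name):
    """Split 'sub.example.com.' into [b'sub', b'example', b'com']."""
    name = name.rstrip(".")
    if not name:
        return []
    labels = [part.encode("ascii") for part in name.split(".")]
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length")
    return labels


class DNSMessageBuilder:
    """Appends names to a message buffer, compressing suffixes seen before."""

    def __init__(self):
        self.buf = bytearray()
        self.seen = {}  # suffix (tuple of labels) -> offset where it starts

    def add_name(self, name):
        labels = _labels(name)
        for i in range(len(labels)):
            suffix = tuple(labels[i:])
            offset = self.seen.get(suffix)
            if offset is not None:
                # Reuse the earlier copy: pointer always refers backwards.
                self.buf += bytes([0xC0 | (offset >> 8), offset & 0xFF])
                return
            pos = len(self.buf)
            # Remember this suffix only if a pointer can legally reach it;
            # silently truncating a larger offset would yield a wrong name.
            if pos <= MAX_POINTER_OFFSET:
                self.seen[suffix] = pos
            self.buf += bytes([len(labels[i])]) + labels[i]
        self.buf += b"\x00"  # root label terminates an uncompressed name


def read_name(msg, pos):
    """Decode the name at msg[pos]; return (dotted name, position after it).

    Pointers must refer strictly backwards, so each hop lowers pos and a
    loop is impossible without any separate hop counter."""
    labels = []
    end = None  # position following the first pointer, if one was seen
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= pos:
                raise ValueError("forward or self-referencing pointer")
            if end is None:
                end = pos + 2
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:
            pos += 1
            break
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + ".", (end if end is not None else pos)


def decodes_cleanly(msg):
    """True if every name in a constructed all-names message parses."""
    pos = 0
    try:
        while pos < len(msg):
            _, pos = read_name(msg, pos)
    except ValueError:
        return False
    return True


def demo():
    """Encode three related (constructed) names and decode them back."""
    builder = DNSMessageBuilder()
    for name in ("example.com.", "sub.example.com.", "www.sub.example.com."):
        builder.add_name(name)
    msg = bytes(builder.buf)
    names, pos = [], 0
    while pos < len(msg):
        name, pos = read_name(msg, pos)
        names.append(name)
    return msg, names


if __name__ == "__main__":
    encoded, decoded = demo()
    print(len(encoded), "bytes:", decoded)
```

The three names take 51 bytes uncompressed and 25 bytes compressed; the second and third names end in pointers to offsets 0 and 13 respectively. The decoder’s backward-only rule is the property a receiver relies on: a pointer that refers forward or to itself is refused outright rather than followed.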
Posted on March 1st, 2009 by jbrown
Filed under: Commentary, Corporate Security, Spam | 1 Comment »

Emails from seemingly nowhere and from no one trustworthy… haha
“Dear Hacker,
Manish from this side, i have a good hacking project on linux machine, configuration are below: please considue and if u are able to hack this system our company can pay whatever u want. or creat custom exploit that provide reverse shell . this server is online [ip address will be dilivered after project accepted by you] after u hack this system u just provide screen shot of any email header from any user on this server…I am sending you some details that are helpful for you.
Linux 2.6.18, sendmail: 8.13.1, apache 2.0.52, and open webmail 2.52
Suspected open ports:
25, 111(rpc), 443, 1720(SIP), 870(unkwon), 80, 79(finger), 110(pop), 143(imap),
3333(dec-notes), 4444(krb524)
and system is protected by firewall have ttl of system is: 53
Network distance: 10 hops.
Send me mail if u are ready to accept this challenge with project cost and time, so after i send IP address of live server, and money will be dilvered by Wire of paypal or bank transfer, any option that u want.”
Posted on February 22nd, 2009 by jbrown
Filed under: Cisco, Commentary, DDoS, Full Disclosure, Networking | No Comments »

Yeah, it is true. I guess some programming errors are more serious than others, so let’s give these guys a break: I also suppose the dark clouds gathered for all the recent DDoS characters, too.
Posted on February 22nd, 2009 by jbrown
Filed under: Commentary, Corporate Security, Microsoft | 1 Comment »

And you thought this day would never come… read more here.
No, this is not a joke
Posted on February 21st, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Microsoft, Privacy | No Comments »

Adobe Acrobat, at least the reader, has been owned. Again. So surprising.
The good news is that Xpdf probably isn’t vulnerable
Posted on February 9th, 2009 by jbrown
Filed under: Commentary, Corporate Security, Full Disclosure, Networking, Web | 3 Comments »

Kaspersky’s USA website was hacked by SQL injection. Maybe they should hire some virus writers to secure their website, or better yet, a good penetration testing team.
Grab more details about the incident here.