Linux SCTP All Shook Up

An exploit has been released for the remote SCTP vulnerability in the Linux kernel that had been considered to be only a denial of service.

http://sgrakkyu.antifork.org/sctp_houdini.c

The exploit contains multiple targets and covers 32- and 64-bit architectures… play time started this morning =X


Major Browsers Pwnd

0day exploits for Internet Explorer, Firefox, and Safari were used to own machines at the Pwn2Own contest @ CanSecWest 2009. Is now the time for someone to port Windows 3.1 to MIPS and install a good telnet client? Roffles.

Credit www.dailygalaxy.com for the fierce FF/IE photo :)


The R(evolution) of Bug Hunters

Getting real money for computer security research is making its way from early development and ideas to the mainstream, and bug hunters probably have mixed feelings, like teenagers. It's an interesting concept that might actually work. What will become of the vulnerability market when something like this becomes popular?

Either way, these guys are basically saying no more freeloading, Mr. Vendor.


uCon Security Conference 2009

uCon Security Conference 2009 materials have been released!

Advanced SQL Injection Slides  
Hacking PDF Readers Slides  
Intro to Windows Kernel Security Development Slides  
From theory to practice: Bringing down the house with EXTENDED DHCP Exhausting Attack Slides  
Practical (Introduction to) Reverse Engineering Slides  
Secure Log Centralization, Analysis & Security Visualization Slides  
Ut cognitione visus: ut ipso intellecto – BinNavi v2 Slides  
GSM For Fun and Profit Slides  
Dispelling the myths and discussing the facts of global cyber-warfare Slides  
Advanced Payload Strategies: What is new, what works and what is hoax? Slides

DJBDNS Security Broken

According to this thread, DJBDNS’s security has officially been broken. A patch is available and the reward for the bug by Mr. Bernstein will be awarded to Matthew Dempsky. Quoting from the thread:

“If the administrator of example.com publishes the example.com DNS data through tinydns and axfrdns, and includes data for sub.example.com transferred from an untrusted third party, then that third party can control cache entries for example.com, not just sub.example.com. This is the result of a bug in djbdns pointed out by Matthew Dempsky. (In short, axfrdns compresses some outgoing DNS packets incorrectly.)

Even though this bug affects very few users, it is a violation of the expected security policy in a reasonable situation, so it is a security hole in djbdns. Third-party DNS service is discouraged in the djbdns documentation but is nevertheless supported. Dempsky is hereby awarded $1000.

The next release of djbdns will be backed by a new security guarantee. In the meantime, if any users are in the situation described above, those users are advised to apply Dempsky’s patch and requested to accept my apologies. The patch is also recommended for other users; it corrects the bug without any side effects. A copy of the patch appears below.

—D. J. Bernstein

Research Professor, Computer Science, University of Illinois at Chicago”

I still believe Georgi Guninski’s bug was enough for a reward, but oh well. I wonder what the “new security guarantee” will be, anyway.
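The axfrdns bug is a compressor emitting wrong pointers, so the check worth having is a round trip: decode what you just encoded and compare it with what you meant to send. The following is an added Python example, not djbdns code, of RFC 1035 name compression with a decoder that refuses forward and self-referencing pointers; the names and the zeroed 12-byte header are constructed for the demonstration.

```python
import struct

def encode_name(name, offset, table):
    """Encode `name` at `offset`; reuse any suffix already in `table` as a pointer."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    out = b""
    while labels:
        suffix = ".".join(labels)
        if suffix in table:
            return out + struct.pack("!H", 0xC000 | table[suffix])
        if offset + len(out) < 0x4000:  # a pointer only addresses 14 bits
            table[suffix] = offset + len(out)
        label = labels.pop(0).encode("ascii")
        out += bytes([len(label)]) + label
    return out + b"\x00"

def decode_name(packet, offset):
    """Decode a name at `offset`; return (name, offset just past it).
    Pointers must point strictly backwards, so loops and forward references raise."""
    labels, end = [], None
    while True:
        if offset >= len(packet):
            raise ValueError("name runs past the end of the packet")
        length = packet[offset]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:
                raise ValueError("forward or self-referencing pointer")
            end = offset + 2 if end is None else end
            offset = ptr
            continue
        if length == 0:
            return ".".join(labels), (offset + 1 if end is None else end)
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def build_packet(names):
    """Constructed packet: zeroed 12-byte header, then the names compressed against each other."""
    packet, table = bytearray(12), {}
    for name in names:
        packet += encode_name(name, len(packet), table)
    return bytes(packet)

def decode_all(packet, count, offset=12):
    """Round-trip check: the names read back must equal the names written."""
    names = []
    for _ in range(count):
        name, offset = decode_name(packet, offset)
        names.append(name)
    return names
```

A server that ran decode_all over its own output before sending it would have caught a pointer landing on the wrong label, which is exactly the class of error the quoted advisory describes.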


The Internet Almost Crashed!


Yeah, it is true. I guess some programming errors are more serious than others, so let’s give these guys a break. I also suppose the dark clouds gathered for all the recent DDoS characters, too.


Don’t open that PDF!

Adobe Acrobat, at least the Reader, has been owned. Again. So surprising.

The good news is that Xpdf probably isn’t vulnerable :)


Kaspersky Injected

Kaspersky’s USA website was hacked by SQL injection. Maybe they should hire some virus writers to secure their website, or better yet, a good penetration testing team.

Grab more details about the incident here.


First CVE of 2009

I’d like to welcome the first CVE vulnerability in 2009, which is CVE-2008-2381. The first CVE-2009 to be released to the public is CVE-2009-0022 (hat tip to Steven M. Christey).

By all indications we have a year with many vulnerabilities ahead of us – it already started with a major Twitter account hack followed by widespread phishing via DM, and we’re not even a week into 2009. For marginally interesting stats on 2008, visit SecuriTeam’s stats page.


Gmail Attachment Filter

I ran across something interesting today. A friend asked me to send a certain exe to his email. Not thinking much about it, I composed an email in my Gmail, attached the exe, hit send and then saw an error which basically told me Google doesn’t allow exes to be sent through Gmail.

Irritating enough, but seemingly familiar, I decided to ‘get smart’ and zip the exe in a folder and send it. Same thing.

!@#$%

I also tried gzipping the archive and sending it... didn’t work either.

I finally compressed the folder+exe to make a bz2 archive and sent it away. Worked like a charm.

Where were Google’s attachment filters then!? *grin*
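The gap described above is a filter that knows some compressors and not others. A content-based check unwraps whatever it finds by magic bytes instead of trusting the extension, so a bzip2 layer gets the same treatment as zip or gzip. This is an added Python example, not Google’s filter; the attachments come from make_samples and the “executable” is only a constructed MZ header.

```python
import bz2
import gzip
import io
import zipfile

# Container formats the post tried, identified by leading bytes rather than
# by file extension, plus the headers of executable formats worth flagging.
CONTAINER_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"BZh": "bzip2"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

def sniff(data):
    """Return the container type of `data` by magic bytes, or None."""
    for magic, kind in CONTAINER_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def contains_executable(data, depth=0, max_depth=4):
    """True if `data`, or anything nested inside it, starts like an executable."""
    if data.startswith(EXECUTABLE_MAGIC):
        return True
    if depth >= max_depth:
        return False  # stop digging: absurdly deep nesting is itself a signal
    kind = sniff(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(contains_executable(zf.read(info), depth + 1, max_depth)
                       for info in zf.infolist() if not info.is_dir())
    if kind == "gzip":
        return contains_executable(gzip.decompress(data), depth + 1, max_depth)
    if kind == "bzip2":
        return contains_executable(bz2.decompress(data), depth + 1, max_depth)
    return False

def make_samples():
    """Constructed attachments mirroring the post: bare exe, zipped, gzipped, bzip2'd."""
    fake_exe = b"MZ" + b"\x90" * 62 + b"constructed stub, not a real program"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("folder/tool.exe", fake_exe)
    zipped = buf.getvalue()
    return {
        "tool.exe": fake_exe,
        "tool.zip": zipped,
        "tool.zip.gz": gzip.compress(zipped),
        "tool.zip.bz2": bz2.compress(zipped),  # the layer the post says got through
        "notes.txt": b"plain text attachment",
    }
```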


Exploits of the Week #4

Megacubo 5.0.7 Download & Execute Remote Exploit, by JJunior  
PHP GD Library Information Leak Exploit, by Hamid Ebadi  
Destiny Media Player 1.61 “lst file” Local Buffer Overflow Exploit, by Encryt3d.M!nd  
VMware Remote DoS Exploit, by Laurent Gaffie  
Konqueror 4.1 XSS & Crash Exploits, by staker


Exploits of the Week #3

Amaya Web Browser, by SkD  
FreeBSD 6x/7 protosw kernel Local Privilege Escalation Exploit, by Don “north” Bailey  
Doop CMS CSRF/Upload Shell Remote Exploits, by x0r  
Ultimate PHP Board, by athos  
Google Chrome Browser Remote Parameter Injection, by Nine:Situations:Group::bellick&strawdog


Exploits of the Week #2

Internet Explorer 7 XML Buffer Overflow ‘All-In-One’ Exploit, by krafty  
MS SQL Server Heap Overflow Exploit, by Guido Landi  
Barracuda Spam Firewall SQL Injection, by Marian Ventuneac  
CUPS pstopdf Filter Local Exploit, by Jon Oberheide  
Coolplayer Local Buffer Overflow Exploit, by r0ut3r


Snoop on Google Talk (Wiretap)

Yes, snooping on someone else’s Google Talk is no big deal if you know their password, but what is interesting is that, unlike other chat clients such as Skype and MSN, Google Talk will allow you to do so simultaneously.

You can connect to the GoogleTalk server while another user using the same username and password is also connected to the GoogleTalk server.

This neat feature, which probably stems from the fact that Google supports web-based chat in a constantly refreshing web page (unlike MSN, which launches a separate window), lets you see incoming responses and messages being sent to your target without needing to do anything.

BTW Google, don’t fix this, I find it useful for my BlackBerry and PC chat sharing – basically I never need to log on or off on my PC or BlackBerry; they are both constantly connected to the Google Talk servers.

UPDATE This post is not related to the recently released NSA patent on Snoop detection :D


Fuzzing’s Impact on Vulnerability Discovery


I just saw the new advisory for Opera, headlining a ‘memory corruption’ vulnerability that sounds like it’s triggered by specially crafted HTML constructs; that much can be gathered from this almost incoherent ‘detailed’ description of the bug:

“Certain HTML constructs affecting an internal heap structure. As a result of a pointer calculation, memory may be corrupted in such a way that an attacker could execute arbitrary code.”

I often wonder when I see advisories like this if the vulnerabilities have been found by fuzzing.

Another bug in Adobe Flash Player, found by iSEC and which I also discuss here, looks to have been found by fuzzing as well, but this time it is more (nearly directly) implied in the advisory.

“iSEC applied targeted fuzzing to the ActionScript 2 virtual machine used by the Adobe Flash player, and identified several issues which could lead to denial of service, information disclosure or code execution when parsing a malicious SWF file. The majority of testing occurred during 120 hours of automated SWF-specific fault injection testing in which several hundred unique control paths were identified that trigger bugs and/or potential vulnerabilities in the Adobe Flash Player. Paths leading to duplicate issues were condensed down to a number of unique problems in the Adobe Flash Player. The primary cause for these vulnerabilities appears to be simple failures in verifying the bounds of compartmentalized structures.”

Now, both of these examples could have been found by other means than fuzzing, but I know every time I see scrupulous advisories like those it just makes me wonder. By the way, IMHO Fuzzing: Brute Force Vulnerability Discovery is a great book and a great read. Kudos to the swift, engineering authors as well.

You can browse a list of fuzzers hosted by PacketStorm to exercise your mind even more.

So what do you think? Have fuzzers, being at most ‘trivial’ to write in ideal conditions (well documented protocol, continued aggressive latency, etc.), taken a strong hold in many security researchers’ work?


Top Exploits of the Week #1


I thought I’d try something different (excuse me if it’s been done before, oh well). Every week I will be making a list of the top 5 exploits of the week, details about them, etc.

So let’s get the ball rolling:

#1 Internet Explorer 7 XML Buffer Overflow Exploit (Vista Target) — This remote beauty executes remote code on a vulnerable (probably still unpatched) Internet Explorer 7 machine running Windows Vista. Coded by muts.

#2 Internet Explorer 7 XML Buffer Overflow Exploit (XP SP3 Target) — Exploits the same bug as above but executes code on a Windows XP SP3 target. Coded by Guido Landi.

#3 XOOPS 2.3.1 Multiple LFI Exploits — XOOPS suffers from a few local file inclusion bugs, and DSecRG has some code for you.

#4 Linux Kernel ATMSVC DoS Exploit — Send a kernel into an infinite loop by locally running this exploit on a vulnerable machine. Code by Jon Oberheide.

#5 phpMyAdmin 3.1.0 XSRF Exploit — Cross site scripting attacks are more dangerous than most developers think. Here is exploit code, just don’t have phpMyAdmin open in another tab! Provided by Michael Brooks.

See you all next week with more. Bug on :)
