PornoSecurity

Impossible is Nothing

Mon, 25 August 2008 12:59:42 +0000

I was looking for a vuln to write an exploit for when I found this PoC.

The author wrote:

     "The reason why there isnt any shellcode here is because the client is
     coverting the junk/buffer data to unicode so its corrupting the shellcode,
     ive tried sending unicode buffer but the same problem occurs.
     if anyone else can get further please let me know. but i doubt you can"

It is for this reason, a small suggestion of impossibility(copyright Phantasmal Phantasmagoria) that i decided to write this. Actually it was pretty funny :)

The first problem is how to redirect the execution flow to our buffer, the buffer can be found at three different locations:

at some address on the stack converted to unicode
at some address on the heap again converted to unicode
at some address on the heap in plain ASCII

Unfortunately none of these addresses are unicode friendly :(.
But.. there is an address on the stack that points in the middle of the buffer(the one on the stack), all we need is to pop the stack 6 times and then return.
To achieve this we return 2 times on a unicode friendly pop,pop,pop,ret.

The second problem is that the buffer on the stack is converted to unicode(so \x41 -> \x00\x41) *and* must be, with some exceptions, in the \x01 -> \x59 space... so I decided to write a unicode friendly ASM stub that will load the address of the ASCII version of the buffer in EAX using offsets from a register(somewhat related to our buffer), push it and then return.

On my box this works 100 times out of 100 :)

Check it out here

Having Fun With Windogs

Mon, 11 August 2008 14:21:03 +0000

Oh yes, it's definitely true, i'm actually approaching the wild word of windogs. I started with some simple stack-based buffer overflows, and let me say a thing: they seems to be very very easy to exploit, kernel32.dll(which is guaranteed to be loaded in every single windozze app) and his friends are full of very usefull opcodes.
Heap-based buffer overflows are a bit more tricky, but it's just a matter of playing around for a while with your favourite debugger. At least for windozze <= sp1, actually sp2 introduces a bit more security in the way he manage chunk's coalescence, they call it safe-unlink and is more or less what glibc adds around version 2.3.5, it basically checks that the prev->next pointer equals the next->prev one before triggering RtlpCoalesceFreeBlocks(). So, i dunnno how to defeat it (yet), but if we speak about all of those browser-based vulnerabilities, i mean like ActiveX, the good news is that is possibile to adjust the Infernet eXploder heap by playing with javascript, and this is very very helpful!

A Linksys video and an IGSuite exploit

Mon, 23 June 2008 00:01:56 +0000

Well, i got bored. I notified Cisco PSIRT and Linksys security on 04/21, they confimed some of the vulnerabilities and asked for more details. I sent them a pretty dumb-proof report a couple of days after their email, now it's time to disclose! Here is a sexy video demonstrating the flaws, there's really no need for even a single line of code :)

I also posted to milw0rm a fully automated reverse shell exploit(currently waiting for it to be published) that take advantage of a blind SQL injection vulnerability in IGSuite <=3.2.4, enjoy.

A Sneak Preview

Fri, 23 May 2008 15:36:15 +0000

Hi there, some time has passed since the last post on this weblog, I'm now auditing a web application written by some italian guys and I am focusing on the steps from an SQL Injection to a real command shell. Too many times SQL Injection flaws are considered as a low/medium threat due to the fact that they are often [ab]used to conduct low-impact attacks(such as defacing).
This has to change, SQL Injection flaws are a *really* dangerous threat. Here is a sneak preview regarding some of the (for now) 0-day flaws i discovered in this webapp.

I have also discovered some vulnerabilities in some Cisco/Linksys products, and I'm in contact with the Cisco Product Security Incident Response Team (PSIRT) and the Linksys security team to coordinate pubblic disclosure.

More news soon.

xine-lib NSF Demuxer Buffer Overflow Vulnerability

Thu, 17 April 2008 12:40:27 +0000

I found a stack-based buffer overflow in the NES Sound Format demuxer(demux_nsf.c) of xine-lib <= 1.1.12. The vulnerability is caused due to a boundary error within the "demux_nsf_send_chunk()" function in src/demuxers/demux_nsf.c and can be exploited to run arbitrary code while processing an NSF file with an overly large NSF title tag.

Secunia advisory

Pligg 9.9.0 SQL Injection Vulnerability

Wed, 09 April 2008 00:48:39 +0000

Today i wanted to try the Pligg digg-like content management system, after playing with it for a while I found a vulnerability.

The pligg developers fail to sufficiently sanitize user-supplied data before using it in an SQL query making it possibile to inject extra SQL statements.

http://www.example.com/editlink.php?id=1+AND+((SELECT+user_pass+FROM+pligg_users+WHERE+user_login=0x676f64)+LIKE+0x25)+UNION+SELECT+10,2

To exploit this you need the id of a news you submitted(10 in the example) and an id of a news submitted by others(1 in the example), when the LIKE statement matches you get a "Not your link" error.

This is a tipical blind SQL-injection scenario.

UPDATE:

Trying to write a little patch for a friend of mine i found many other security-related problems in pligg. Many user-supplied variables are simply not checked or checked in the very wrong way.

The first case, editlink.php:

if(isset($_GET['id'])){
$theid = strip_tags($_GET['id']);
}
if(isset($_POST['id'])){
$theid = strip_tags($_POST['id']);

}
[...]
$link = $db->get_row("SELECT link_id, link_author FROM " . table_links .
" WHERE link_id=".$theid.";")
[...]
$linkres->id=$link_id = strip_tags($_POST['id']);
$linkres->read();

libs/link.php:

function read($usecache = TRUE) {
$id = $this->id;
$link = $db->get_row("SELECT " . table_links . ".* FROM " . table_links
. " WHERE link_id = $id");
}

Another one, vote.php:

$link->id=$_POST['id'];
$link->read_basic();

link/link.php:

function read_basic() {
[...]
$id = $this->id;
$db->get_row("SELECT link_comments, link_author, link_status, link_randkey, link_category, link_date, link_votes, link_karma,link_published_date FROM " . table_links . " WHERE link_id = $id")

..and so on.

I really dunno why they insist to strip_tags instead of a simple intval() ;)

mplayer sdpplin_parse() Array Indexing Vulnerability

Mon, 24 March 2008 20:38:25 +0000

Thursday i read this advisory regarding a xine-lib vulnerability, and after a while i've read that also vlc shares the same vulnerable code.Then i decided to take a look at mplayer and even if the conditions to reach the vulnerability are slightly different, mplayer is vulnerable.

The shared vulnerable code(line numbers apply to mplayer):

sdpplin_parse_stream():161

desc->stream_id=atoi(buf);

spplin_parse():283

desc->stream[stream->stream_id]=stream;

Example on mplayer :

eax    0xa0737008 // pointer to desc->stream
edx    0x0495badd // "streamid" value (76921565)
edi    0x089b59e8 // pointer to stream

: mov    DWORD PTR [eax+edx*4],edi

In the xine-lib case, using a positive or negative "streamid" parameter as a 4-byte offset from "desc->stream"(that in mplayer appears to fall always on the same location) we can write a pointer to a "stream" structure everywhere in the memory, the first element of the "stream" structure is a pointer to a user-supplied buffer.

There's an important difference here, mplayer does some checks to ensure that "streamid" is equal or greater than 0 and less than the "StreamCount" parameter, but it's still possible to write at memory locations beyond the "desc->stream" pointer.

Got sploit, lets patch! kthx.

Wed, 05 March 2008 17:30:58 +0000

Ok, il software XYZ e' vulnerabile. Ok, la vunerabilita' e' ormai pubblica. Ok, ho anche il mio bel numerino CVE. Problema risolto? Non sempre, ci sono casi in cui il problema nn finisce qui.

Qualche esempio: il recente stack-based buffer overflow sul parser dei file .MDB che nn e' stato e non verra' mai patchato da Microsoft oppure un buffer overflow nel popolarissimo eggdrop che e' presente ancora nell'ultima versione scaricabile dal sito.

Primi problemi per Android

Wed, 05 March 2008 12:46:13 +0000

Primi problemi di sicurezza per l' SDK rilasciato da google. Android, questo il nome del sistema operativo che google vuole portare sui cellulari di mezzo mondo, risulta essere affetto da diverse vulnerabilita' alcune delle quali presenti in vecchie versioni di librerie incluse nell' SDK, altre invece sono brand new flaws introdotte da google stessa.

Core Security ha rilasciato un dettagliato(as usual) advisory.

Teewars remote heap overflow

Mon, 25 February 2008 19:06:51 +0000

Qualche tempo fa un amico mi ha fatto provare questo gioco, la prima cosa che ho fatto dopo qualche frags e' stata scrivere un piccolo client in perl che querasse lo stato dei servers.

Ho cominciato quindi a dare un occhio al codice sorgente per cercare di reversare il protocollo e mentre giravo trai sorgenti mi sono imbattuto in una strcpy() di troppo. Facendo qualche prova sono riuscito a risalire a come raggiungere quella particolare linea e a causare l'overflow. Il problema e' nel file e_network.c all'interno del quale la funzione conn_set_error() copia una stringa ricevuta dall'utente in un buffer di lunghezza statica, ho appena comunicato la cosa sul forum di teewars.

La problematica risulta particolarmente perniciosa dato che e' possibile ottenere una lista dei servers attivi semplicemente querando il masterserver.