Fred Diggle Security Advisory 12.14.07
Dec 14, 2007

I. BACKGROUND

The Fred Diggle Software Foundation recently released very priv8 0day exploit code which exploits a design flaw in the execve system call which could allow an attacker to execute arbitrary commands under the context of their user. It was reported to Fred Diggle that this exploit was vulnerable to several serious design flaws. The most severe of these could allow a user to leverage the Fred Diggle exploit to run arbitrary commands as themselves.

II. DESCRIPTION

The first vulnerability relates to the usage of a vulnerable libc system call wrapper "execve"; this system call contains a vulnerability whereby an attacker could execute arbitrary commands as himself. The second vulnerability relates to the program's behavior when sent a SIGSEGV. According to independent researchers the Fred Diggle Inc. exploit appears to contain a buffer overflow type exploit thing. This has not been confirmed as Fred Diggle does not really understand all this mumbo jumbo about signals and buffers.

III. ANALYSIS

Exploitation of this vulnerability would allow an attacker to execute arbitrary commands in the context of the user.

IV. DETECTION

As of December 14th, 2007, Fred Diggle testing shows that all versions of the execve system call exploit are vulnerable. However, the software appears to only be exploitable when compiled using the "DIGGLEISAWESOME" option.

V. WORKAROUND

Fred Diggle Software Foundation suggests the following temporary workaround.

# shutdown -h now

VI. VENDOR RESPONSE

Fred Diggle doesn't have to respond to himself, Fred Diggle is above that crap.

VII. DISCLOSURE TIMELINE

12/14/2007 Found out about it and disclosed immediately to Full Disclosure

VIII. CREDIT

This vulnerability was reported to Fred Diggle Software Foundation by Joey Mengele ([EMAIL PROTECTED]).

LEGAL NOTICES

Copyright (c) 2007 Fred Diggle Software Foundation, Inc.
CISSP, PHD, MCSE, CCNA, CEH, FDCA (Fred Diggle Certifiably Awesome)

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of Fred Diggle.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

On Dec 13, 2007 10:47 PM, Joey Mengele <[EMAIL PROTECTED]> wrote:
> Dead Fred Diggler,
>
> You are not as much of an expert as you may have thought. Any
> foolish teenager can break software, but it takes a computer
> science degree to design software. For example, I have found a
> design flaw vulnerability (DFV) in your exploit. By passing a
> specially crafted argument to the program, an attacker can execute
> arbitrary code with Diggler privileges.
>
> I have also uncovered several race conditions. If one executes the
> command 'pkill -11' on the program, for example, memory corruption
> seems to occur, and most modern operating systems output the buffer
> overflow code:
>
> Segmentation fault
>
> I hope you consult with experts before being so hasty to post your
> attempt at a technical rant. LOLOL.
>
> J
>
> On Thu, 13 Dec 2007 23:20:21 -0500 Fredrick Diggle
> <[EMAIL PROTECTED]> wrote:
> >You should post this to milw0rm as it can always use quality exploit code
> >like this. I also have some priv8 code which I would like to disclose which
> >is the same type of vulnerability.
> >
> >/*
> > * Author: Fredrick Diggle
> > * Vuln: execve system call allows arbitrary code execution
> > * Status: VERY PRIV8
> > * DO NOT RELEASE OR FRED DIGGLE WILL EAT YOUR FAMILY
> > */
> >#include <stdlib.h>
> >#include <stdio.h>
> >#include <unistd.h>
> >#define INFINITY 73
> >#ifdef DIGGLEISAWESOME
> >int main(int argc, char **argv) {
> >    if (argc < 2) {
> >        fprintf(stderr, "usage: %s [command to run]\n\tPRIV8 Fred Diggle 0day\n", argv[0]);
> >        return INFINITY;
> >    }
> >    execve(argv[1], &argv[1], 0);
> >}
> >#endif
> >
> >
> >On Dec 13, 2007 8:57 PM, kcope <[EMAIL PROTECTED]> wrote:
> >
> >> exploiting "features"
> >>
> >> (see attached)
> >>
> >> - -kcope / 2007
> >>
> >> _______________________________________________
> >> Full-Disclosure - We believe in it.
> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> Hosted and sponsored by Secunia - http://secunia.com/
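The "pkill -11" observation in the thread above only shows that the process was sent signal 11 (SIGSEGV) from user space; the shell's "Segmentation fault" message is the default action for that signal, not evidence of a buffer overflow. The following C program is an added example, not code from the original thread nor from Fred Diggle or Joey Mengele. It installs a SIGSEGV handler with SA_SIGINFO and reads the si_code field, which lets an incident responder tell a signal delivered by kill()/pkill (SI_USER) apart from one raised by a real invalid memory access (SEGV_MAPERR or SEGV_ACCERR). The function names are my own, and the self-sent signal stands in for what `pkill -11` would do from another shell.

```c
/* Added example: classify a SIGSEGV by its origin rather than assuming
 * memory corruption. Assumes a POSIX system with SA_SIGINFO (Linux/glibc).
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Last si_code seen by the handler; -1 means no SIGSEGV delivered yet. */
static volatile sig_atomic_t last_code = -1;

/* Handler records only the origin code; it does no unsafe work.
 * Returning from a handler is safe here because the signal came from
 * kill(), not from a hardware fault that would re-execute the faulting
 * instruction. */
static void segv_handler(int sig, siginfo_t *info, void *ctx) {
    (void)sig;
    (void)ctx;
    last_code = info->si_code;
}

/* Install the SIGSEGV handler with SA_SIGINFO so siginfo_t is populated.
 * Returns 0 on success, -1 on failure (same as sigaction). */
int install_segv_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Map si_code to a human-readable origin for a log line or triage note. */
const char *describe_segv(int code) {
    switch (code) {
    case SI_USER:     return "sent by kill()/pkill (no memory fault)";
    case SEGV_MAPERR: return "address not mapped (real fault)";
    case SEGV_ACCERR: return "permission violation (real fault)";
    default:          return "other origin";
    }
}

/* Simulate what `pkill -11 <program>` does: deliver SIGSEGV from user
 * space. kill() to our own single-threaded process delivers the signal
 * before it returns, so last_code is valid afterwards.
 * Returns the observed si_code, or -1 on error. */
int simulate_pkill_segv(void) {
    if (install_segv_handler() != 0)
        return -1;
    last_code = -1;
    if (kill(getpid(), SIGSEGV) != 0)
        return -1;
    return (int)last_code;
}

int main(void) {
    int code = simulate_pkill_segv();
    printf("SIGSEGV si_code=%d: %s\n", code, describe_segv(code));
    return 0;
}
```

When run, the program reports SI_USER for the self-sent signal. A crash handler or core-dump triage script that logs si_code this way avoids filing "memory corruption" tickets for processes that were simply killed with signal 11.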