Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-27 Thread Biz Marqee
I don't think you understand what a NULL pointer dereference is. It is
referencing NULL. NULL as in 0x00. Not 0x00+some_reg, that would now be
something greater than 0 and hence IT IS NOT DEREFERENCING NULL.. AKA NOT A
NULL DEREFERENCE.

His point remains valid: how is a free(NULL) exploitable for code execution
from userland? How does it constitute a security vulnerability?


-- snip --


> > I didn't even comment on Mark's paper, it is definitely a great piece of
> > research, there is no doubt. It's just that some people have read this paper
> > and thought, wow, all those NULL bugs are now exploitable. It's important to
> > separate these bug classes.
>
> sorry to interrupt your self-aggrandizing tirade, however you're the only
> one who took the implication that *all* null ptr related bugs are
> exploitable-- i never implied or said that, just said in some instances
> they can be. Furthermore, I think you're taking the word 'dereference' a
> little too seriously and you should perhaps take up a hobby such as baseball
> cards or miniature collectibles to quench your apparent need to
> sub-categorize into nothing. If you want to insist that null+x/etc bugs be
> in an entirely separate category than dereferences, that's cool, just don't
> go all ape-shit on people who don't share your same narrow view at
> some feeble attempt at elitism via syntactic pedantry.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
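The distinction argued about above (a fault at address zero versus zero plus an offset, and whether free(NULL) does anything at all) worked through in C, as an added crash-triage example that is not code from anyone in this thread. It assumes a Linux-style lowest mappable user address of 65536 (the real value lives in /proc/sys/vm/mmap_min_addr and may differ), a constructed `struct record`, and constructed sample fault addresses; it goes a step beyond the thread by classifying arbitrary crash addresses rather than only the two cases discussed.

```c
/* Added triage example (not from the thread): classify a crash's faulting
 * address into the bug classes argued about above, and show what a field
 * access through a NULL struct pointer actually touches. */
#include <stdlib.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed lowest address user space may map (Linux default for
 * vm.mmap_min_addr). A real triage tool would read it from the system
 * instead of hard-coding it. */
#define ASSUMED_MMAP_MIN_ADDR 65536u

enum fault_class {
    FAULT_NULL_DEREF,        /* address 0x0 itself */
    FAULT_NULL_PLUS_OFFSET,  /* small offset, still below the mappable floor */
    FAULT_NULL_PLUS_LARGE,   /* offset reaches a range user code could map */
    FAULT_OTHER              /* nowhere near zero: a different bug class */
};

/* Classify a faulting address. 'offset_limit' bounds how far past zero a
 * fault is still attributed to a NULL base (e.g. the size of the largest
 * structure the crashing code dereferences). */
enum fault_class classify_fault(uintptr_t fault_addr, uintptr_t offset_limit)
{
    if (fault_addr == 0)
        return FAULT_NULL_DEREF;
    if (fault_addr > offset_limit)
        return FAULT_OTHER;
    if (fault_addr < ASSUMED_MMAP_MIN_ADDR)
        return FAULT_NULL_PLUS_OFFSET;
    return FAULT_NULL_PLUS_LARGE;
}

/* Constructed record type: reading 'tail' through a NULL pointer touches
 * address offsetof(struct record, tail), not address zero. The payload is
 * sized so that offset lands above the assumed 64 KiB floor. */
struct record {
    char header[16];
    char payload[128 * 1024];
    int tail;
};

/* The address NULL->tail would access, computed with offsetof; nothing is
 * dereferenced here. */
uintptr_t null_field_address(void)
{
    return (uintptr_t)offsetof(struct record, tail);
}

/* free(NULL) is defined by the C standard to do nothing; this is the
 * "how is free(NULL) exploitable?" point made above. Returns 1 once the
 * call has returned, which a conforming libc always does. */
int free_null_is_noop(void)
{
    char *p = NULL;
    free(p);
    return 1;
}

static const char *class_name(enum fault_class c)
{
    switch (c) {
    case FAULT_NULL_DEREF:       return "plain NULL dereference";
    case FAULT_NULL_PLUS_OFFSET: return "NULL + offset (below mappable floor)";
    case FAULT_NULL_PLUS_LARGE:  return "NULL + large offset (range could be mapped: investigate)";
    default:                     return "not a NULL-based fault";
    }
}

int main(void)
{
    /* Constructed sample faulting addresses, as a crash handler might log them. */
    uintptr_t samples[] = { 0x0, 0x18, 0x20010, 0x7fff0000 };
    uintptr_t limit = sizeof(struct record);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("fault at 0x%lx: %s\n", (unsigned long)samples[i],
               class_name(classify_fault(samples[i], limit)));
    printf("NULL->tail would touch 0x%lx\n", (unsigned long)null_field_address());
    printf("free(NULL) returned normally: %d\n", free_null_is_noop());
    return 0;
}
```

The classifier is deliberately conservative: a fault above the mappable floor but within the offset limit is flagged for investigation rather than declared exploitable, since whether the range can actually be mapped depends on the platform, exactly the point in dispute above.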

Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Thierry Zoller

> Just because a bug class can crash an application
> doesn't make it a security issue.
A remotely triggerable DoS condition is a security issue per se, my
opinion about the trend to remove the A in CIA for statistical reasons
can be read here:
http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html


-- 
http://secdev.zoller.lu
Thierry Zoller



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread jf
also keep in mind that null ptr derefs can sometimes be exploitable--
especially on certain processors that store important things at 0x0;
of which, from what i recall, the iphone is one.



On Thu, 26 Feb 2009, Thierry Zoller wrote:

> Date: Thu, 26 Feb 2009 16:21:18 +0100
> From: Thierry Zoller thie...@zoller.lu
> To: full-disclosure full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer
> Dereference Denial of Service Vulnerability
>
> > Just because a bug class can crash an application
> > doesn't make it a security issue.
> A remotely triggerable DoS condition is a security issue per se, my
> opinion about the trend to remove the A in CIA for statistical reasons
> can be read here:
> http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html






Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Trancer
iPhone is not affected by this issue.

jf wrote:
> also keep in mind that null ptr derefs can sometimes be exploitable--
> especially on certain processors that store important things at 0x0;
> of which, from what i recall, the iphone is one.
>
> On Thu, 26 Feb 2009, Thierry Zoller wrote:
>
> > Date: Thu, 26 Feb 2009 16:21:18 +0100
> > From: Thierry Zoller thie...@zoller.lu
> > To: full-disclosure full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer
> > Dereference Denial of Service Vulnerability
> >
> > > Just because a bug class can crash an application
> > > doesn't make it a security issue.
> > A remotely triggerable DoS condition is a security issue per se, my
> > opinion about the trend to remove the A in CIA for statistical reasons
> > can be read here:
> > http://blog.zoller.lu/2009/01/open-letter-remove-a-in-cia-or-venting.html
>


-- 
Moshe :: Trancer
0nly Human.



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Jubei Trippataka
On Fri, Feb 27, 2009 at 10:54 AM, jf j...@danglingpointers.net wrote:

> also keep in mind that null ptr derefs can sometimes be exploitable--
> especially on certain processors that store important things at 0x0;
> of which, from what i recall, the iphone is one.


Can you please give one example of a NULL deref that was exploitable?

-- 
ciao

JT

Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Jeremy Brown
Not all are practically exploitable, but exploitation seems to be
possible at least on ARM, XScale, and possibly PowerPC as
www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf
points out. As for examples.. doesn't look like they are public.

On Thu, Feb 26, 2009 at 6:52 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:


> On Fri, Feb 27, 2009 at 10:54 AM, jf j...@danglingpointers.net wrote:
>
> > also keep in mind that null ptr derefs can sometimes be exploitable--
> > especially on certain processors that store important things at 0x0;
> > of which, from what i recall, the iphone is one.
>
> Can you please give one example of a NULL deref that was exploitable?
>
> --
> ciao
>
> JT





Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread jf
> Can you please give one example of a NULL deref that was exploitable?

http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf

http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread M.B.Jr.
Dear JT


On Wed, Feb 25, 2009 at 9:09 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:
> Why
> are these bugs even published to a security mailing list and not privately
> dealt with by the vendor?


What's this list's name again?




-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread bob jones
lol you must work for selinux

On Thu, Feb 26, 2009 at 5:52 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:

> On Fri, Feb 27, 2009 at 10:54 AM, jf j...@danglingpointers.net wrote:
>
> > also keep in mind that null ptr derefs can sometimes be exploitable--
> > especially on certain processors that store important things at 0x0;
> > of which, from what i recall, the iphone is one.
>
> Can you please give one example of a NULL deref that was exploitable?
>
> --
> ciao
>
> JT



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread neeko
IBM_X-Force_WP_final.pdf is called "Application-Specific Attacks:
Leveraging the ActionScript Virtual Machine" and if you haven't read it,
you should. It'll make you smile.

On Fri, Feb 27, 2009 at 08:10:10AM +, jf wrote:
> > Can you please give one example of a NULL deref that was exploitable?
>
> http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
>
> http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
>



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Jubei Trippataka
On Fri, Feb 27, 2009 at 12:26 PM, ne...@feelingsinister.net wrote:

> IBM_X-Force_WP_final.pdf is called "Application-Specific Attacks:
> Leveraging the ActionScript Virtual Machine" and if you haven't read it,
> you should. It'll make you smile.



OK, and what about this vulnerability makes use of a NULL pointer? This goes
to show the shallow exploitation knowledge of this community. If you
actually understood the paper it's (NULL + offset). This is NOT the same as
a plain NULL deref bug. Also, you need to be able to map the NULL address,
so I ask again, in examples such as this, in user-space apps name one
exploitable condition.


-- 
ciao

JT

Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Jason Starks
Better yet, name two.

On Thu, Feb 26, 2009 at 9:22 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:

> On Fri, Feb 27, 2009 at 12:26 PM, ne...@feelingsinister.net wrote:
>
> > IBM_X-Force_WP_final.pdf is called "Application-Specific Attacks:
> > Leveraging the ActionScript Virtual Machine" and if you haven't read it,
> > you should. It'll make you smile.
>
> OK, and what about this vulnerability makes use of a NULL pointer? This
> goes to show the shallow exploitation knowledge of this community. If you
> actually understood the paper it's (NULL + offset). This is NOT the same as
> a plain NULL deref bug. Also, you need to be able to map the NULL address,
> so I ask again, in examples such as this, in user-space apps name one
> exploitable condition.
>
> --
> ciao
>
> JT



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread neeko

On Fri, Feb 27, 2009 at 01:22:36PM +1100, Jubei Trippataka wrote:
> On Fri, Feb 27, 2009 at 12:26 PM, ne...@feelingsinister.net wrote:
>
> > IBM_X-Force_WP_final.pdf is called "Application-Specific Attacks:
> > Leveraging the ActionScript Virtual Machine" and if you haven't read it,
> > you should. It'll make you smile.
>
> OK, and what about this vulnerability makes use of a NULL pointer? This goes

See this --^

> to show the shallow exploitation knowledge of this community. If you
> actually understood the paper it's (NULL + offset). This is NOT the same as

and then this -^

> a plain NULL deref bug. Also, you need to be able to map the NULL address,
> so I ask again, in examples such as this, in user-space apps name one
> exploitable condition.
>
> --
> ciao
>
> JT

I'll clarify for everyone since you seem lost.
EVERYONE, THE NULL POINTER DOES NOT GET DEREFERENCED. It only 
gets referenced. And Jubei isn't even sure a null pointer is involved 
at all =)

With that out of the way, I'd just like to say that I only meant to 
encourage people to check out an excellent paper. I didn't mean to say 
anything related to your argument other than to say that that 
paper is a must-read. If you can't appreciate that, why the fuck are you 
on F-D? Think about it.



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Jubei Trippataka


> I'll clarify for everyone since you seem lost.
> EVERYONE, THE NULL POINTER DOES NOT GET DEREFERENCED. It only
> gets referenced. And Jubei isn't even sure a null pointer is involved
> at all =)
>
> With that out of the way, I'd just like to say that I only meant to
> encourage people to check out an excellent paper. I didn't mean to say
> anything related to your argument other than to say that that
> paper is a must-read. If you can't appreciate that, why the fuck are you
> on F-D? Think about it.

I didn't even comment on Mark's paper, it is definitely a great piece of
research, there is no doubt. It's just that some people have read this paper
and thought, wow, all those NULL bugs are now exploitable. It's important to
separate these bug classes.

I'd even go to say that while this paper is a must-read, please also spend
some time understanding it, otherwise don't bother.

-- 
ciao

JT

Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread neeko
On Fri, Feb 27, 2009 at 03:19:29PM +1100, Jubei Trippataka wrote:
> I'd even go to say that while this paper is a must-read, please also spend
> some time understanding it, otherwise don't bother.
>
> --
> ciao
>
> JT

Does having the last word make you feel better?

Neeko



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread bob jones
http://uninformed.org/?v=4&a=5&t=sumry

On Thu, Feb 26, 2009 at 10:19 PM, Jubei Trippataka
vpn.1.fana...@gmail.com wrote:

> > I'll clarify for everyone since you seem lost.
> > EVERYONE, THE NULL POINTER DOES NOT GET DEREFERENCED. It only
> > gets referenced. And Jubei isn't even sure a null pointer is involved
> > at all =)
> >
> > With that out of the way, I'd just like to say that I only meant to
> > encourage people to check out an excellent paper. I didn't mean to say
> > anything related to your argument other than to say that that
> > paper is a must-read. If you can't appreciate that, why the fuck are you
> > on F-D? Think about it.
>
> I didn't even comment on Mark's paper, it is definitely a great piece of
> research, there is no doubt. It's just that some people have read this paper
> and thought, wow, all those NULL bugs are now exploitable. It's important to
> separate these bug classes.
>
> I'd even go to say that while this paper is a must-read, please also spend
> some time understanding it, otherwise don't bother.
>
> --
> ciao
>
> JT



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread jf
> I didn't even comment on Mark's paper, it is definitely a great piece of
> research, there is no doubt. It's just that some people have read this paper
> and thought, wow, all those NULL bugs are now exploitable. It's important to
> separate these bug classes.

sorry to interrupt your self-aggrandizing tirade, however you're the only
one who took the implication that *all* null ptr related bugs are
exploitable-- i never implied or said that, just said in some instances
they can be. Furthermore, I think you're taking the word 'dereference' a
little too seriously and you should perhaps take up a hobby such as baseball
cards or miniature collectibles to quench your apparent need to
sub-categorize into nothing. If you want to insist that null+x/etc bugs be
in an entirely separate category than dereferences, that's cool, just don't
go all ape-shit on people who don't share your same narrow view at
some feeble attempt at elitism via syntactic pedantry.



Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-26 Thread Jubei Trippataka
On Fri, Feb 27, 2009 at 5:04 PM, bob jones bhold...@gmail.com wrote:

> http://uninformed.org/?v=4&a=5&t=sumry


This exploitation relies on the ability to have the top-level UEF point to
an arbitrary address which hopefully you have the ability to control. The
NULL pointer is only used as a mechanism to trigger the exception necessary
to execute code where the handler now points. This doesn't need to be a NULL
deref, it can be any unhandled exception. I guess you could compare the NULL
pointer in this situation to a memory leak necessary to exploit another
condition. The memory leak itself wouldn't be called a vulnerability, it's
just used instrumentally to assist in exploitation. In this paper the NULL
pointer is used to assist in the exploitation of a hijacked UEF by
triggering the unhandled exception.

My original point stands, the NULL pointer dereference can be used to assist
in another exploitation, but in itself is not a vulnerability.

Do you disagree?

-- 
ciao

JT

[Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-25 Thread Trancer
Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of
Service Vulnerability

Date: Feb 25 2009
Class: Input Validation Error
Local: Yes
Remote: Yes
Vulnerable Versions:
* Apple Safari 4 (528.16) Public Beta

Note: MacOS X versions not tested.

Description:
Apple Safari is prone to a denial-of-service vulnerability, caused by a
NULL pointer dereference bug, because it fails to adequately sanitize
user-supplied input within a feeds: URI.
Attackers can exploit this issue to cause denial-of-service conditions
on a user's computer and crash the Safari process.

Proof-of-Concept:
feeds:%www.rec-sec.com/feed/
feeds:{www.rec-sec.com/feed/
feeds:}www.rec-sec.com/feed/
feeds:^www.rec-sec.com/feed/
feeds:`www.rec-sec.com/feed/
feeds:|www.rec-sec.com/feed/

Any feeds: URI containing one of these characters will cause a
denial-of-service condition.

Disclosure:
Vendor has been informed.

Solution:
No solution.

Credit:
Trancer
http://www.rec-sec.com

-- 
Trancer
0nly Human.

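An input-validation gate for a custom feeds: handler, as an added example that is neither Safari's code nor the advisory author's: it applies the RFC 3986 character rules to everything after the scheme, so each of the six proof-of-concept strings above is refused with a reason instead of being handed to a parser that might crash. The function names, the `FEEDS_SCHEME` constant and the two well-formed sample URIs are assumptions made for this example; the six rejected strings are the advisory's own.

```c
/* Added example (not Safari's code, not the advisory author's): validate
 * the remainder of a "feeds:" URI before any handler touches it. Only the
 * characters RFC 3986 allows outside percent-encoding are accepted, and
 * every '%' must start a well-formed "%HH" sequence. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FEEDS_SCHEME "feeds:"   /* assumed scheme prefix for this example */

/* unreserved + gen-delims + sub-delims from RFC 3986; { } ^ ` | and a bare
 * '%' are not in this set and are therefore rejected. */
static int is_uri_char(unsigned char c)
{
    if (isalnum(c))
        return 1;
    return c != '\0' && strchr("-._~:/?#[]@!$&'()*+,;=", c) != NULL;
}

static int is_hex(unsigned char c)
{
    return isxdigit(c) != 0;
}

/* Returns 1 if 'uri' is an acceptable feeds: URI, 0 otherwise. On rejection,
 * 'reason' (if non-NULL) receives a short description with the offset. */
int validate_feeds_uri(const char *uri, char *reason, size_t reason_len)
{
    size_t prefix = strlen(FEEDS_SCHEME);
    if (strncmp(uri, FEEDS_SCHEME, prefix) != 0) {
        if (reason) snprintf(reason, reason_len, "scheme is not feeds:");
        return 0;
    }
    const char *rest = uri + prefix;
    if (*rest == '\0') {
        if (reason) snprintf(reason, reason_len, "empty feeds: target");
        return 0;
    }
    for (size_t i = 0; rest[i] != '\0'; i++) {
        unsigned char c = (unsigned char)rest[i];
        if (c == '%') {
            /* '%' is only valid as "%HH"; the short-circuit keeps us from
             * reading past the terminator when the string ends early. */
            if (!is_hex((unsigned char)rest[i + 1]) ||
                !is_hex((unsigned char)rest[i + 2])) {
                if (reason)
                    snprintf(reason, reason_len,
                             "malformed percent-encoding at offset %zu", prefix + i);
                return 0;
            }
            i += 2;
            continue;
        }
        if (!is_uri_char(c)) {
            if (reason)
                snprintf(reason, reason_len,
                         "illegal character 0x%02x at offset %zu", c, prefix + i);
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* The six proof-of-concept URIs from the advisory, then two constructed
     * well-formed ones that must pass. */
    const char *samples[] = {
        "feeds:%www.rec-sec.com/feed/", "feeds:{www.rec-sec.com/feed/",
        "feeds:}www.rec-sec.com/feed/", "feeds:^www.rec-sec.com/feed/",
        "feeds:`www.rec-sec.com/feed/", "feeds:|www.rec-sec.com/feed/",
        "feeds:www.rec-sec.com/feed/",  "feeds:www.rec-sec.com/feed/?q=a%20b",
    };
    char reason[96];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = validate_feeds_uri(samples[i], reason, sizeof reason);
        printf("%-40s %s\n", samples[i], ok ? "accepted" : reason);
    }
    return 0;
}
```

Rejecting at the boundary with an explicit reason is the point: a handler that refuses malformed input never reaches whatever internal state produced the crash, and the reason string gives a crash-triage or fuzzing harness something to log instead of a signal.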


Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-25 Thread Jubei Trippataka
Why does the industry incessantly call any bug a DoS Vulnerability? Why
are these bugs even published to a security mailing list and not privately
dealt with by the vendor? Just because a bug class can crash an application
doesn't make it a security issue.

Does this frustrate anyone else?

-- 
ciao

JT

Re: [Full-disclosure] Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

2009-02-25 Thread Pete Licoln
Well you said it: "DoS Vulnerability"
And it's still a vulnerability, useless yes, but a vulnerability.

Regards


2009/2/25, Jubei Trippataka vpn.1.fana...@gmail.com:
> Why does the industry incessantly call any bug a DoS Vulnerability? Why
> are these bugs even published to a security mailing list and not privately
> dealt with by the vendor? Just because a bug class can crash an application
> doesn't make it a security issue.
>
> Does this frustrate anyone else?
>
> --
> ciao
>
> JT

