Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
This is not simply wrong, this is medically wrong.

On 04/29/2011 12:43 AM, Mario Vilas wrote:
> Precisely. The poc triggers the bug by passing a very long command line
> argument, so it's assumed the attacker already has executed code. The only
> way this is exploitable is if the binary has suid (then the attacker can
> elevate privileges) or the command can be executed remotely (and the
> attacker additionally cannot execute any other commands, but can
> mysteriously control the arguments). Unless either scenario is researched
> (and nothing in the advisory tells me so) I call bullshit.
>
> On Thu, Apr 28, 2011 at 6:09 PM, valdis.kletni...@vt.edu wrote:
>> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>>> Is the suid bit set on that binary? Otherwise, unless I'm missing
>>> something it doesn't seem to be exploitable by an attacker...
>>
>> Who cares? You got code executed on the remote box, that's the *hard*
>> part. Use that to inject a callback shell or something, use *that* to get
>> yourself a shell prompt. At that point, download something else that
>> exploits you to root - if you even *need* to, as quite often the Good
>> Stuff is readable by non-root users.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
However I have to say that Mr. Neo here may have an actually exploitable bug
if the overflow code can also be reached with a remote codepath.

On 04/29/2011 12:43 AM, Mario Vilas wrote:
> Precisely. The poc triggers the bug by passing a very long command line
> argument, so it's assumed the attacker already has executed code. The only
> way this is exploitable is if the binary has suid (then the attacker can
> elevate privileges) or the command can be executed remotely (and the
> attacker additionally cannot execute any other commands, but can
> mysteriously control the arguments). Unless either scenario is researched
> (and nothing in the advisory tells me so) I call bullshit.
>
> On Thu, Apr 28, 2011 at 6:09 PM, valdis.kletni...@vt.edu wrote:
>> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>>> Is the suid bit set on that binary? Otherwise, unless I'm missing
>>> something it doesn't seem to be exploitable by an attacker...
>>
>> Who cares? You got code executed on the remote box, that's the *hard*
>> part. Use that to inject a callback shell or something, use *that* to get
>> yourself a shell prompt. At that point, download something else that
>> exploits you to root - if you even *need* to, as quite often the Good
>> Stuff is readable by non-root users.
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
On a side note, anyone here ever used any of the xmatters engines?? Care to
give a small review??

On Thu, Apr 28, 2011 at 4:03 PM, Juan Sacco jsa...@insecurityresearch.com wrote:
> Information
> Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
> Version: APClient 3.2.0 (native)
> Software : xMatters AlarmPoint
> Vendor Homepage : http://www.xmatters.com
> Vulnerability Type : Heap Buffer Overflow
> Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin
> Severity : High
> Researcher : Juan Sacco jsacco [at] insecurityresearch [dot] com
>
> Description
> --
> The AlarmPoint Java Server consists of a collection of software components
> and software APIs designed to provide a flexible and powerful set of tools
> for integrating various applications to AlarmPoint.
>
> Details
> ---
> AlarmPoint APClient is affected by a Heap Overflow vulnerability in version
> APClient 3.2.0 (native)
>
> A heap overflow condition is a buffer overflow, where the buffer that can be
> overwritten is allocated in the heap portion of memory, generally meaning
> that the buffer was allocated using a routine such as the POSIX malloc()
> call.
> https://www.owasp.org/index.php/Heap_overflow
>
> Exploit as follows:
>
> Submit a malicious file containing the exploit
>
> root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$ ./APClient.bin --submit-file maliciousfile.hex
>
> or
>
> (gdb) run `python -c 'print \x90*16287'`
> Starting program: /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c 'print \x90*16287'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0804be8a in free ()
> (gdb) i r
> eax            0xa303924    170932516
> ecx            0xbfb8       49080
> edx            0xa303924    170932516
> ebx            0x8059438    134583352
> esp            0xbfff3620   0xbfff3620
> ebp            0xbfff3638   0xbfff3638
> esi            0x8059440    134583360
> edi            0x80653f0    134632432
> eip            0x804be8a    0x804be8a <free+126>
> eflags         0x210206     [ PF IF RF ID ]
> cs             0x73         115
> ss             0x7b         123
> ds             0x7b         123
> es             0x7b         123
> fs             0x0          0
> gs             0x33         51
> (gdb)
>
> Solution
> ---
> No patch is available at this time.
>
> Credits
> ---
> Manually discovered by Insecurity Research Labs
> Juan Sacco - http://www.insecurityresearch.com
>
> --
> Insecurity Research - Security auditing and testing software
> Web: http://www.insecurityresearch.com
> Insect Pro 2.5 was released stay tuned
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
GROUP HUG.

On Thu, Apr 28, 2011 at 11:11 PM, ghost gho...@gmail.com wrote:
> So in 6 short months you've become a master hacker huh Gage? All that
> reporting Nigerian scammers really put you to the top of the hacker
> echelon? or is it cause you finally got a piece of paper as recognition
> from your little school? In short; Shut the fuck up and go play in
> traffic, kid.
>
> On Thu, Apr 28, 2011 at 2:39 PM, ichib0d crane themadichi...@gmail.com wrote:
>> This isn't a zero day. This is a vulnerability. Being able to crash the
>> system is nothing compared to the effort needed to actually write the
>> exploit. What function is the heap overflow in? Did you guys even bother
>> to find out? How do I know this is even a heap overflow? Heck you
>> couldn't even overwrite a single register! How effective are standard
>> mitigations on the target? Are there even any? (if there isn't and you
>> couldn't overwrite a single reg there's something wrong with you). Cool
>> fuzz story bro, tell it again, but a quick fuzz doesn't drop zero days.
>> A smart exploit WRITER drops zero days. Come back once you stop being an
>> amateur.
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
I'm with ya there, Insect is a joke... I mean, open src tools, sure, we can
use those... but a non open src, non free tool being posted AT ALL surprises
me.. so, why beat up on him? your lame app missed shit, simple.. even if
you're a good coder, does not mean YOUR product will 'rule'. Sorry but,
ichib0d is in the right, he should -not- be flamed for his willingness to
participate in something which most listers agree with.. you're the minority
here sherlock.. trying to sell an app, on FD... what's next!

xd

On 29 April 2011 08:22, ichib0d crane themadichi...@gmail.com wrote:
> Any reason for the hostility? The Nigerian thing was ages ago and out of
> curiosity, and I don't see how my choice of school is relevant in the
> situation. Where's this six month deal coming from and when did I ever say
> I even counted myself as a hacker? All I'm saying is InsectPro did poor
> documentation and poor investigation into the vulnerability.
>
> On Thu, Apr 28, 2011 at 3:11 PM, ghost gho...@gmail.com wrote:
>> So in 6 short months you've become a master hacker huh Gage? All that
>> reporting Nigerian scammers really put you to the top of the hacker
>> echelon? or is it cause you finally got a piece of paper as recognition
>> from your little school? In short; Shut the fuck up and go play in
>> traffic, kid.
>>
>> On Thu, Apr 28, 2011 at 2:39 PM, ichib0d crane themadichi...@gmail.com wrote:
>>> This isn't a zero day. This is a vulnerability. Being able to crash the
>>> system is nothing compared to the effort needed to actually write the
>>> exploit. What function is the heap overflow in? Did you guys even bother
>>> to find out? How do I know this is even a heap overflow? Heck you
>>> couldn't even overwrite a single register! How effective are standard
>>> mitigations on the target? Are there even any? (if there isn't and you
>>> couldn't overwrite a single reg there's something wrong with you). Cool
>>> fuzz story bro, tell it again, but a quick fuzz doesn't drop zero days.
>>> A smart exploit WRITER drops zero days. Come back once you stop being an
>>> amateur.
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
Well... I am only saying, this place is NOT a place where 'web fuzzing'
should be the main topic of interest, especially when it is related to
software which costs money and does not even have any trial.. It also
produced a false, on many occasions. An Acunetix consultant would do this,
and guess what, get a cracked copy, and they STILL let ya be a consultant!!
neat huh?? Now with this and Insect... you cannot do any ill.. your hard
working product doesn't even scan right, and there is no free version...
there is only 'email' ones as I've seen, so what kinda shit is that, posting
to grok ??? eh ??? I'm with the others... the tests show the truth, truth
is, the product stinks, even when given the second glance. Your peers vote I
think, against this app... and, unless you maybe fix it, and even use some
open src to do so (maybe learn something about 'opening' the product), more
people will be happy to debug for you.. but alone, you're, yes.. an insect
waiting to be squashed :P lol... pardon my français.

xd

On 29 April 2011 13:43, Mario Vilas mvi...@gmail.com wrote:
> Precisely. The poc triggers the bug by passing a very long command line
> argument, so it's assumed the attacker already has executed code. The only
> way this is exploitable is if the binary has suid (then the attacker can
> elevate privileges) or the command can be executed remotely (and the
> attacker additionally cannot execute any other commands, but can
> mysteriously control the arguments). Unless either scenario is researched
> (and nothing in the advisory tells me so) I call bullshit.
>
> On Thu, Apr 28, 2011 at 6:09 PM, valdis.kletni...@vt.edu wrote:
>> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>>> Is the suid bit set on that binary? Otherwise, unless I'm missing
>>> something it doesn't seem to be exploitable by an attacker...
>>
>> Who cares? You got code executed on the remote box, that's the *hard*
>> part. Use that to inject a callback shell or something, use *that* to get
>> yourself a shell prompt. At that point, download something else that
>> exploits you to root - if you even *need* to, as quite often the Good
>> Stuff is readable by non-root users.
>
> --
> “There's a reason we separate military and the police: one fights the enemy
> of the state, the other serves and protects the people. When the military
> becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
Insects are a big joke m* f*

2011/4/29 -= Glowing Doom =- sec...@gmail.com
> Well... I am only saying, this place is NOT a place where 'web fuzzing'
> should be the main topic of interest, especially when it is related to
> software which costs money and does not even have any trial.. It also
> produced a false, on many occasions. An Acunetix consultant would do this,
> and guess what, get a cracked copy, and they STILL let ya be a consultant!!
> neat huh?? Now with this and Insect... you cannot do any ill.. your hard
> working product doesn't even scan right, and there is no free version...
> there is only 'email' ones as I've seen, so what kinda shit is that, posting
> to grok ??? eh ??? I'm with the others... the tests show the truth, truth
> is, the product stinks, even when given the second glance. Your peers vote I
> think, against this app... and, unless you maybe fix it, and even use some
> open src to do so (maybe learn something about 'opening' the product), more
> people will be happy to debug for you.. but alone, you're, yes.. an insect
> waiting to be squashed :P lol... pardon my français.
>
> xd
>
> On 29 April 2011 13:43, Mario Vilas mvi...@gmail.com wrote:
>> Precisely. The poc triggers the bug by passing a very long command line
>> argument, so it's assumed the attacker already has executed code. The only
>> way this is exploitable is if the binary has suid (then the attacker can
>> elevate privileges) or the command can be executed remotely (and the
>> attacker additionally cannot execute any other commands, but can
>> mysteriously control the arguments). Unless either scenario is researched
>> (and nothing in the advisory tells me so) I call bullshit.
>>
>> On Thu, Apr 28, 2011 at 6:09 PM, valdis.kletni...@vt.edu wrote:
>>> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>>>> Is the suid bit set on that binary? Otherwise, unless I'm missing
>>>> something it doesn't seem to be exploitable by an attacker...
>>>
>>> Who cares? You got code executed on the remote box, that's the *hard*
>>> part. Use that to inject a callback shell or something, use *that* to get
>>> yourself a shell prompt. At that point, download something else that
>>> exploits you to root - if you even *need* to, as quite often the Good
>>> Stuff is readable by non-root users.
[Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
Information
Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
Version: APClient 3.2.0 (native)
Software : xMatters AlarmPoint
Vendor Homepage : http://www.xmatters.com
Vulnerability Type : Heap Buffer Overflow
Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin
Severity : High
Researcher : Juan Sacco jsacco [at] insecurityresearch [dot] com

Description
--
The AlarmPoint Java Server consists of a collection of software components
and software APIs designed to provide a flexible and powerful set of tools
for integrating various applications to AlarmPoint.

Details
---
AlarmPoint APClient is affected by a Heap Overflow vulnerability in version
APClient 3.2.0 (native)

A heap overflow condition is a buffer overflow, where the buffer that can be
overwritten is allocated in the heap portion of memory, generally meaning
that the buffer was allocated using a routine such as the POSIX malloc()
call.
https://www.owasp.org/index.php/Heap_overflow

Exploit as follows:

Submit a malicious file containing the exploit

root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$ ./APClient.bin --submit-file maliciousfile.hex

or

(gdb) run `python -c 'print \x90*16287'`
Starting program: /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c 'print \x90*16287'`

Program received signal SIGSEGV, Segmentation fault.
0x0804be8a in free ()
(gdb) i r
eax            0xa303924    170932516
ecx            0xbfb8       49080
edx            0xa303924    170932516
ebx            0x8059438    134583352
esp            0xbfff3620   0xbfff3620
ebp            0xbfff3638   0xbfff3638
esi            0x8059440    134583360
edi            0x80653f0    134632432
eip            0x804be8a    0x804be8a <free+126>
eflags         0x210206     [ PF IF RF ID ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51
(gdb)

Solution
---
No patch is available at this time.

Credits
---
Manually discovered by Insecurity Research Labs
Juan Sacco - http://www.insecurityresearch.com

--
Insecurity Research - Security auditing and testing software
Web: http://www.insecurityresearch.com
Insect Pro 2.5 was released stay tuned
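The advisory gives only a crash site (SIGSEGV inside free() after a roughly 16 KiB argv) and, as later replies point out, no function or root cause. The following is an added C example, not APClient's code: a hypothetical fixed-size heap buffer filled with strcpy(), the classic pattern behind that signature (the overwrite itself is silent; the corrupted chunk metadata is only tripped over later, inside free()), beside a bounded replacement. The 256-byte buffer size is an assumption.

```c
#define _POSIX_C_SOURCE 200809L          /* for strnlen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed heap buffer size; APClient's real size is not known from
 * the advisory, only that ~16 KiB of argv data was enough to corrupt it. */
#define ARG_BUF_SIZE 256

/* Hypothetical VULNERABLE pattern (never call it with untrusted input):
 * strcpy() writes strlen(arg)+1 bytes into a 256-byte heap chunk, so a
 * longer argument runs over the allocator's metadata for the neighbouring
 * chunk. Nothing faults here; the damage is noticed later, when free()
 * walks that metadata, which matches the advisory's "0x0804be8a in
 * free ()" crash site. */
char *copy_arg_unchecked(const char *arg)
{
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);              /* no bound check: heap overflow */
    return buf;
}

/* Hardened form: measure with a cap, reject anything that does not fit
 * (including its terminating NUL), and copy exactly the bytes measured.
 * On failure returns NULL and sets *err (1 = too long, 2 = out of memory). */
char *copy_arg_checked(const char *arg, int *err)
{
    size_t len = strnlen(arg, ARG_BUF_SIZE);   /* never scans past the cap */
    *err = 0;
    if (len >= ARG_BUF_SIZE) {                 /* no room for the NUL */
        *err = 1;
        return NULL;
    }
    char *buf = malloc(ARG_BUF_SIZE);
    if (buf == NULL) {
        *err = 2;
        return NULL;
    }
    memcpy(buf, arg, len + 1);
    return buf;
}

/* Returns 1 if the hardened copy accepts arg, 0 if it is rejected. */
int arg_accepted(const char *arg)
{
    int err;
    char *p = copy_arg_checked(arg, &err);
    int ok = (p != NULL);
    free(p);
    return ok;
}

/* Constructed input in the advisory's style: n bytes of 0x90 plus a NUL.
 * Caller frees. */
char *make_long_arg(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 0x90, n);
    s[n] = '\0';
    return s;
}

/* Stand-alone use: ./a.out <argument>; oversize input is refused instead
 * of silently corrupting the heap. */
int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "--submit-file";
    int err;
    char *p = copy_arg_checked(arg, &err);
    if (p == NULL) {
        fprintf(stderr, "argument rejected (err=%d): limit is %d bytes\n",
                err, ARG_BUF_SIZE - 1);
        return 1;
    }
    printf("accepted %zu-byte argument\n", strlen(p));
    free(p);
    return 0;
}
```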
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
Is the suid bit set on that binary? Otherwise, unless I'm missing something
it doesn't seem to be exploitable by an attacker...

On Thu, Apr 28, 2011 at 12:03 PM, Juan Sacco jsa...@insecurityresearch.com wrote:
> Information
> Name : Heap Buffer Overflow in xMatters AlarmPoint APClient
> Version: APClient 3.2.0 (native)
> Software : xMatters AlarmPoint
> Vendor Homepage : http://www.xmatters.com
> Vulnerability Type : Heap Buffer Overflow
> Md5: 283d98063323f35deb7afbd1db93d859 APClient.bin
> Severity : High
> Researcher : Juan Sacco jsacco [at] insecurityresearch [dot] com
>
> Description
> --
> The AlarmPoint Java Server consists of a collection of software components
> and software APIs designed to provide a flexible and powerful set of tools
> for integrating various applications to AlarmPoint.
>
> Details
> ---
> AlarmPoint APClient is affected by a Heap Overflow vulnerability in version
> APClient 3.2.0 (native)
>
> A heap overflow condition is a buffer overflow, where the buffer that can be
> overwritten is allocated in the heap portion of memory, generally meaning
> that the buffer was allocated using a routine such as the POSIX malloc()
> call.
> https://www.owasp.org/index.php/Heap_overflow
>
> Exploit as follows:
>
> Submit a malicious file containing the exploit
>
> root@ea-gateway:/opt/alarmpointsystems/integrationagent/bin$ ./APClient.bin --submit-file maliciousfile.hex
>
> or
>
> (gdb) run `python -c 'print \x90*16287'`
> Starting program: /opt/alarmpointsystems/integrationagent/bin/APClient.bin `python -c 'print \x90*16287'`
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x0804be8a in free ()
> (gdb) i r
> eax            0xa303924    170932516
> ecx            0xbfb8       49080
> edx            0xa303924    170932516
> ebx            0x8059438    134583352
> esp            0xbfff3620   0xbfff3620
> ebp            0xbfff3638   0xbfff3638
> esi            0x8059440    134583360
> edi            0x80653f0    134632432
> eip            0x804be8a    0x804be8a <free+126>
> eflags         0x210206     [ PF IF RF ID ]
> cs             0x73         115
> ss             0x7b         123
> ds             0x7b         123
> es             0x7b         123
> fs             0x0          0
> gs             0x33         51
> (gdb)
>
> Solution
> ---
> No patch is available at this time.
>
> Credits
> ---
> Manually discovered by Insecurity Research Labs
> Juan Sacco - http://www.insecurityresearch.com
>
> --
> Insecurity Research - Security auditing and testing software
> Web: http://www.insecurityresearch.com
> Insect Pro 2.5 was released stay tuned
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
> Is the suid bit set on that binary? Otherwise, unless I'm missing
> something it doesn't seem to be exploitable by an attacker...

Who cares? You got code executed on the remote box, that's the *hard* part.
Use that to inject a callback shell or something, use *that* to get yourself
a shell prompt. At that point, download something else that exploits you to
root - if you even *need* to, as quite often the Good Stuff is readable by
non-root users.
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
This isn't a zero day. This is a vulnerability. Being able to crash the
system is nothing compared to the effort needed to actually write the
exploit. What function is the heap overflow in? Did you guys even bother to
find out? How do I know this is even a heap overflow? Heck you couldn't even
overwrite a single register! How effective are standard mitigations on the
target? Are there even any? (if there isn't and you couldn't overwrite a
single reg there's something wrong with you). Cool fuzz story bro, tell it
again, but a quick fuzz doesn't drop zero days. A smart exploit WRITER drops
zero days. Come back once you stop being an amateur.
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
So in 6 short months you've become a master hacker huh Gage? All that
reporting Nigerian scammers really put you to the top of the hacker echelon?
or is it cause you finally got a piece of paper as recognition from your
little school? In short; Shut the fuck up and go play in traffic, kid.

On Thu, Apr 28, 2011 at 2:39 PM, ichib0d crane themadichi...@gmail.com wrote:
> This isn't a zero day. This is a vulnerability. Being able to crash the
> system is nothing compared to the effort needed to actually write the
> exploit. What function is the heap overflow in? Did you guys even bother
> to find out? How do I know this is even a heap overflow? Heck you
> couldn't even overwrite a single register! How effective are standard
> mitigations on the target? Are there even any? (if there isn't and you
> couldn't overwrite a single reg there's something wrong with you). Cool
> fuzz story bro, tell it again, but a quick fuzz doesn't drop zero days.
> A smart exploit WRITER drops zero days. Come back once you stop being an
> amateur.
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
Any reason for the hostility? The Nigerian thing was ages ago and out of
curiosity, and I don't see how my choice of school is relevant in the
situation. Where's this six month deal coming from and when did I ever say I
even counted myself as a hacker? All I'm saying is InsectPro did poor
documentation and poor investigation into the vulnerability.

On Thu, Apr 28, 2011 at 3:11 PM, ghost gho...@gmail.com wrote:
> So in 6 short months you've become a master hacker huh Gage? All that
> reporting Nigerian scammers really put you to the top of the hacker
> echelon? or is it cause you finally got a piece of paper as recognition
> from your little school? In short; Shut the fuck up and go play in
> traffic, kid.
>
> On Thu, Apr 28, 2011 at 2:39 PM, ichib0d crane themadichi...@gmail.com wrote:
>> This isn't a zero day. This is a vulnerability. Being able to crash the
>> system is nothing compared to the effort needed to actually write the
>> exploit. What function is the heap overflow in? Did you guys even bother
>> to find out? How do I know this is even a heap overflow? Heck you
>> couldn't even overwrite a single register! How effective are standard
>> mitigations on the target? Are there even any? (if there isn't and you
>> couldn't overwrite a single reg there's something wrong with you). Cool
>> fuzz story bro, tell it again, but a quick fuzz doesn't drop zero days.
>> A smart exploit WRITER drops zero days. Come back once you stop being an
>> amateur.
Re: [Full-disclosure] Insect Pro - Advisory 2011 0428 - Zero Day - Heap Buffer Overflow in xMatters APClient
Precisely. The poc triggers the bug by passing a very long command line
argument, so it's assumed the attacker already has executed code. The only
way this is exploitable is if the binary has suid (then the attacker can
elevate privileges) or the command can be executed remotely (and the
attacker additionally cannot execute any other commands, but can
mysteriously control the arguments). Unless either scenario is researched
(and nothing in the advisory tells me so) I call bullshit.

On Thu, Apr 28, 2011 at 6:09 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 28 Apr 2011 14:40:22 -0300, Mario Vilas said:
>> Is the suid bit set on that binary? Otherwise, unless I'm missing
>> something it doesn't seem to be exploitable by an attacker...
>
> Who cares? You got code executed on the remote box, that's the *hard*
> part. Use that to inject a callback shell or something, use *that* to get
> yourself a shell prompt. At that point, download something else that
> exploits you to root - if you even *need* to, as quite often the Good
> Stuff is readable by non-root users.
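The two exploitability scenarios in this reply (a setuid binary, or a remote code path that feeds argv) are the triage a defender would run before rating a local crash like this one. Added C example, not from the thread: it reads the setuid/setgid/other-execute bits and ownership of a path and answers the first question; the second is about callers, not the inode, and is deliberately left open. The default path is the one shown in the advisory's gdb session, and the temp-file fixture is constructed for self-test only.

```c
#define _POSIX_C_SOURCE 200809L          /* mkstemp, fchmod */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* What the inode tells a defender about the "is it suid?" question. */
struct triage {
    int exists;
    int setuid;      /* S_ISUID: runs with the file owner's uid */
    int setgid;      /* S_ISGID: runs with the file's gid */
    int other_exec;  /* o+x: any local account can invoke it */
    uid_t owner;
    gid_t group;
};

/* Pure part of the check: classify a mode word and ownership. */
struct triage triage_mode(mode_t mode, uid_t owner, gid_t group)
{
    struct triage t;
    memset(&t, 0, sizeof t);
    t.exists = 1;
    t.setuid = (mode & S_ISUID) != 0;
    t.setgid = (mode & S_ISGID) != 0;
    t.other_exec = (mode & S_IXOTH) != 0;
    t.owner = owner;
    t.group = group;
    return t;
}

/* Filesystem part: stat() the path; exists == 0 if it cannot be read. */
struct triage triage_path(const char *path)
{
    struct stat st;
    struct triage t;
    memset(&t, 0, sizeof t);
    if (path == NULL || stat(path, &st) != 0)
        return t;
    return triage_mode(st.st_mode, st.st_uid, st.st_gid);
}

/* A local crash driven by argv crosses a privilege boundary only when the
 * binary gains an identity (setuid/setgid) AND other accounts can run it.
 * The thread's second scenario, a remote code path that feeds argv, is a
 * question about callers, not the inode, and cannot be answered here. */
int crosses_privilege_boundary(struct triage t)
{
    return t.exists && (t.setuid || t.setgid) && t.other_exec;
}

/* Constructed fixture for self-test: an empty temp file with the given
 * mode stands in for the binary. Returns the verdict, or -1 on failure. */
int fixture_verdict(mode_t mode)
{
    char path[] = "/tmp/apclient-triage-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) { close(fd); unlink(path); return -1; }
    close(fd);
    int verdict = crosses_privilege_boundary(triage_path(path));
    unlink(path);
    return verdict;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1]
                     : "/opt/alarmpointsystems/integrationagent/bin/APClient.bin";
    struct triage t = triage_path(path);
    if (!t.exists) {
        fprintf(stderr, "%s: cannot stat\n", path);
        return 1;
    }
    printf("%s: uid=%u gid=%u setuid=%d setgid=%d other-exec=%d\n", path,
           (unsigned)t.owner, (unsigned)t.group, t.setuid, t.setgid, t.other_exec);
    printf("argv-driven crash crosses a privilege boundary: %s\n",
           crosses_privilege_boundary(t) ? "yes" : "no");
    return 0;
}
```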