Fermín J. Serna - Blog...

25-Jan-2010 [11:34] -- Firefox 3.6 vulnerability... exploitable?

I was reading the RSS feeds I am subscribed to and found this Firefox 3.6 proof of concept.

A brief scan of the PoC shows an invalid XML file with 30k nested children...
Once I was sure the PoC was clean with no malicious code, I opened windbg and tested it.

Crash is as follows:

xul!NS_Realloc_P+0x3f63:
61b11333 53 push ebx
0:000> r
eax=00000000 ebx=0e45b800 ecx=0d252680 edx=0d926490 esi=00000000 edi=0d86fb48
eip=61b11333 esp=00052ffc ebp=00000000 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
xul!NS_Realloc_P+0x3f63:
61b11333 53 push ebx
0:000> kPn
# ChildEBP RetAddr
00 00000000 00000000 xul!NS_Realloc_P+0x3f63
0:000> q


It is a stack recursion bug... so I do not think we should consider this more than a client-side DoS.

Zhodiac || Fermin


6-Jan-2010 [12:50] -- DRINC solutions (AwesomeX.ocx)

Some time ago I sent the DVlabs guys the solutions to one of the unsolved challenges at Ekoparty.

Time has passed, and here are both simple solutions. Funny these were not caught, since they are so simple and easy to spot...

* Flaw #1

Using JavaScript you can instantiate this control and force it to
autoupdate from a malicious web server; the only check is a magic flag
(54535254h).
It will download the update and execute it... (c:\awesomex_update_latest.exe)

Of course it also has problems with MITM, DNS poisoning... on legit
sites using a site-locked ActiveX control.

int Download_updates(LPCWSTR lpszServerName, int flag)

The flag comparison is performed at:
.text:100018DD                 cmp     [ebp+flag], 54535254h

* Flaw #2:

On DoFancyStuff (callable through JS) the first argument is a VT_UI4.
There are several checks to see if it is word aligned and below
0x30000000. And then, after some fancy stuff (malloc/memcpy), we will
give control to (address*2)+0x14:
.text:10001B87                 mov     eax, [ebp+pointer]
.text:10001B8A                 test    al, 3
.text:10001B8C                 jnz     loc_10001C34
.text:10001B92                 lea     ecx, [eax+eax]
.text:10001B95                 cmp     ecx, 60000000h
.text:10001B9B                 ja      loc_10001C34
.text:10001BA1                 test    eax, eax
[...]
.text:10001BAB                 lea     esi, [eax+14h]
[...]
.text:10001C2F                 call    esi


With heap spraying we can control that address... and place a shellcode there.
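As an added illustration, not code from the challenge binary or from this post, here is a hypothetical C reconstruction of the argument check the DoFancyStuff disassembly performs, next to a hardened design that replaces the raw script-supplied address with an index into a fixed handler table. The names weak_check_passes, resolve_handler and the two handler functions are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reconstruction (assumption, not the control's source) of the
 * check shown in the disassembly above, mirroring its 32-bit arithmetic:
 * low two bits clear (test al,3), value+value not above 60000000h
 * (lea ecx,[eax+eax]; cmp; ja), and non-zero (test eax,eax). A value that
 * passes is only known to be aligned and in range; nothing ties it to
 * trusted code, yet it is later turned into a call target. */
bool weak_check_passes(uint32_t value)
{
    if (value & 3u)
        return false;
    uint32_t twice = value + value;     /* wraps at 32 bits, as lea does */
    if (twice > 0x60000000u)
        return false;
    if (value == 0)
        return false;
    return true;
}

/* Hardened alternative (assumed design): script code never supplies an
 * address. It supplies a small index into a table of handlers compiled into
 * the control; out-of-range indices resolve to NULL instead of a call. */
typedef void (*fancy_handler_t)(void);

static void handler_fast(void) { puts("fast path"); }
static void handler_slow(void) { puts("slow path"); }

static fancy_handler_t const k_handlers[] = { handler_fast, handler_slow };

fancy_handler_t resolve_handler(uint32_t index)
{
    if (index >= sizeof k_handlers / sizeof k_handlers[0])
        return NULL;
    return k_handlers[index];
}

int main(void)
{
    /* Constructed sample values: an aligned, in-range value is accepted by
     * the weak check; a misaligned one is rejected; the table lookup only
     * ever yields a function the control itself defines. */
    printf("weak check 0x10000000: %d\n", weak_check_passes(0x10000000u));
    printf("weak check 0x10000002: %d\n", weak_check_passes(0x10000002u));
    fancy_handler_t h = resolve_handler(1);
    if (h != NULL)
        h();
    printf("index 7 resolves to %p\n", (void *)resolve_handler(7));
    return 0;
}
```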

On other things, please note the website address has changed and the new one is http://zhodiac.hispahack.com with the new rss feed http://zhodiac.hispahack.com/rss.php. Old rss will stop working shortly.

Zhodiac || Fermin


30-Oct-2009 [11:52] -- EMET

I'm not going to copy & paste the blog post... You can read it here...

http://blogs.technet.com/srd/archive/2009/10/27/announcing-the-release-of-the-enhanced-mitigation-evaluation-toolkit.aspx

Basically, it is a framework/tool we wrote at Microsoft for testing mitigations, even on downlevel OSes. Special thanks to Andrew Roths and Matt Miller.

Zhodiac || Fermin


1-Oct-2009 [11:43] -- DVlabs DRINC Challenge

Looks like there were some DRINC challenges left unsolved at Ekoparty 2009... Congrats to Gera for solving most of them and winning the champagne.

Yesterday, I took a look at the ActiveX one and found the two left issues. Easy ones :)

Two vulnerabilities are still left in the SecureLoggingServer binary. Hopefully next week I will have some free time for it, if it is still unsolved.

Zhodiac || Fermin
