Sunday, September 2, 2012

WebKit cssText NULL Ptr Deref

Just tested with Chrome 21.0.1180.89 m (latest version)

Crash moment:
0:000> r
eax=00000000 ebx=015ccfb0 ecx=00000000 edx=0014ea24 esi=01e00440 edi=01e44630
eip=58fcd2a8 esp=0014e8b0 ebp=0014e8b4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
chrome_58bf0000!WebCore::CSSValue::cssText+0x8:
58fcd2a8 8b4804          mov     ecx,dword ptr [eax+4] ds:002b:00000004=????????


PoC:


Same bug in an old release (19.0.1084.52): http://pastebin.com/Z0pu9jbE

Tuesday, August 28, 2012

CVE-2012-2760 Session Stealing in mod_auth_openid

As the advisory describes, mod_auth_openid is vulnerable to session stealing, because "Session ids are stored insecurely in /tmp/mod_auth_openid.db (default filename). The db is world readable and the session ids are stored unencrypted." [1]

Yes, this is an important issue, and the file is accessible to local attackers. But the more important issue is that the database file is also accessible to remote attackers in some cases (for example, if the application has some kind of arbitrary file download/access vulnerability like LFI), because the file is located in the tmp folder (Apache can access the tmp directory) and the SQLite db is not encrypted.


SQLite does not support database file encryption, but there are external libraries such as SQLCipher, which "provides transparent 256-bit AES encryption of database files". [2]

Dear mod_auth_openid developers, you should use database file encryption. :(

[1] http://seclists.org/fulldisclosure/2012/May/238
[2] http://sqlcipher.net/

Wednesday, August 15, 2012

Uniform Binary Search Implementation in JavaScript

Uniform binary search is an optimization of the classic binary search algorithm invented by Donald Knuth and given in Knuth's The Art of Computer Programming. It uses a lookup table to update a single array index, rather than taking the midpoint of an upper and a lower bound on each iteration; therefore, it is optimized for architectures (such as Knuth's MIX) on which
  • a table lookup is generally faster than an addition and a shift, and 
  • many searches will be performed on the same array, or on several arrays of the same length

I simply implemented it in JS from the original C source of Knuth's algorithm.


// target = [91, 97, 99, 101, 127, 129, 145]
// will find the index of 127 via the optimized bin search algo.

thinking...
-----------------
middle of target: 3
127 is bigger than 101
127 is less than 129
127 at index: 4

Source: http://jsfiddle.net/VCtqD/1/
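The jsfiddle embed did not survive on this page, so here is an added JavaScript implementation of Knuth's uniform binary search (not the post's original code) that reproduces the trace above. The `trace` parameter and the explicit handling of out-of-range indices (Knuth's sentinels) are additions here.

```javascript
// Knuth's DELTA table for an array of length n: delta[j] = floor((n + 2^j) / 2^(j+1)),
// terminated by a 0 entry that signals an unsuccessful search. It depends only on n,
// so one table serves every search over arrays of that length.
function makeDelta(n) {
  const delta = [];
  let power = 1;
  do {
    const half = power;
    power *= 2;
    delta.push(Math.floor((n + half) / power));
  } while (delta[delta.length - 1] !== 0);
  return delta;
}

// Uniform binary search (TAOCP Vol. 3, Algorithm C) over a sorted array `a`:
// a single index i is adjusted by table entries, with no midpoint arithmetic
// on lower/upper bounds. Returns the index of key or -1. The optional `trace`
// array collects the comparisons, in the wording of the post's output above.
function uniformSearch(a, key, delta, trace = []) {
  let i = delta[0] - 1;   // first probe: the middle element
  let d = 1;
  trace.push(`middle of target: ${i}`);
  for (;;) {
    const inRange = i >= 0 && i < a.length;
    if (inRange && a[i] === key) {
      trace.push(`${key} at index: ${i}`);
      return i;
    }
    if (delta[d] === 0) return -1;   // table exhausted: key is absent
    // An out-of-range i plays the role of Knuth's sentinels K_0 = -inf and
    // K_(N+1) = +inf, so the probe simply moves back toward the array.
    if (i < 0 || (inRange && key > a[i])) {
      if (inRange) trace.push(`${key} is bigger than ${a[i]}`);
      i += delta[d];
    } else {
      if (inRange) trace.push(`${key} is less than ${a[i]}`);
      i -= delta[d];
    }
    d += 1;
  }
}

// The post's sample data.
const target = [91, 97, 99, 101, 127, 129, 145];
const delta = makeDelta(target.length);   // [4, 2, 1, 0]
const steps = [];
uniformSearch(target, 127, delta, steps); // 4, with steps matching the trace above
```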

Monday, July 9, 2012

IE Col Element Heap Overflow Vulnerability (CVE-2012-1876) PoC

write up soon..
UPDATE: VUPEN (who found this vulnerability) released a detailed blog post about it.

Tuesday, June 5, 2012

Friday, February 24, 2012

Java Web Start Cmd Arg Injection

A vulnerability reported by ZDI (ZDI-12-039)[1] that affects Java Web Start was patched in Oracle's February CPU. In short, the vulnerability is of the same kind as one we saw before[2]: we can tamper with command-line arguments. To write PoC code for the vulnerability, I first installed JRE 1.6 u30 on the system. I took a backup of javaws.exe and updated the JRE. The javaws.exe version is 6.0.300.12; the updated version is 6.0.310.5. I immediately ran a patch diff. For patch diffing I had previously used tools like PatchDiff2 and Turbodiff, but I gave DarunGrim3 a chance; it makes the process incredibly easier and faster, and I recommend it to anyone who wants to use it. It also has an easy-on-the-eyes, "hacker friendly" web interface :> You can download it from www.darungrim.org. Anyway, on to the analysis..

Thursday, February 16, 2012

MS11-100 - ASP.NET Forms Auth. Bypass - Revenge of the 0x00

With the MS11-100 update toward the end of last month, Microsoft closed security vulnerabilities affecting the .NET platform, such as the well-known HashTable Collision DoS (CVE-2011-3414) and the .NET Forms Authentication Bypass (CVE-2011-3416). The vulnerability I will cover in this blog entry is the .NET Forms Authentication Bypass (Revenge of the NULL Byte).

Friday, February 3, 2012

Is ForeFront Bypassable?

Is Microsoft's ForeFront bypassable? Maybe yes (not confirmed yet). During a penetration test for one of our clients (at my previous job), ForeFront didn't allow us to get a meterpreter session (expected result lol): when meterpreter was copied to disk, ForeFront denied (possibly detecting it as malicious) meterpreter's outgoing connections. But in another case, we observed that when you execute your meterpreter executable from a network share folder, you bypass ForeFront (high possibility; I am not sure whether it's a feature or not) and ForeFront will not check your executable.

First we got an RDP session (we had found the local administrator password, but we needed meterpreter for some local privilege escalations etc.), mounted our local disk on the target machine, ran the meterpreter executable from the network share and BINGO! We had a session!

sudo format string vulnerability
