Dailydave mailing list archives
Re: Interesting (?) bug
From: "Kevin Finisterre (lists)" <kf_lists () digitalmunition com>
Date: Tue, 29 May 2007 11:33:48 -0400
On May 29, 2007, at 9:43 AM, Chris Anley wrote:
> This: http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-mac-os-x/ ... is a fairly straightforward format string bug, of the type that we've all been saying for a few years is amenable to automated detection. I found this one manually. Anyone have any comment on why it wasn't reported by anyone using an automated method?
Well, if you were working on OSX client you cannot exploit this bug (and possibly missed it) because without the presence of com.apple.RemoteAccessServers.plist the vulnerable function is not reached. I think on OSX server it does exist, so anyone with access to OSX server should have spotted it with ease.
> It's not unrelated to this (from April 2005): http://labs.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=240 In fact, it appears to have been 'revealed' by the fix to this issue in 2005. So I guess maybe I just reviewed vpnd at a propitious time? Then again, 2 years is a while, right?
All the security engineers are too busy enjoying the nice weather in the campus courtyard while eating their free knock-off Chipotle burritos.
> Cheers, -chris.
Here is a really half-assed exploit for this; I am kinda lazy, as you all know. I'll make a more reliable version later using some things I discussed with nemo over the weekend. This exploit relies on a fixed system() address that will most likely need to be changed, and brute force of a saved ret is obviously noisy and not very graceful. Try using dyld_stub___cxa_finalize() as it is much more reliable.
Attachment: vpenis.tar.gz
-KF
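Chris's question about why no automated method reported this bug is the practical hook of the thread. The following is an added example, not code from the post, the attachment, or vpnd itself: a small Python checker that flags printf-family and syslog calls whose format argument is not a string literal, which is the source-level shape of a classic format string bug. The table of sink functions and the embedded C sample are constructed for this example; the checker ignores comments, macros and wrapper functions, so it produces candidates for review rather than proof of a bug.

```python
"""Heuristic static check for format-string sinks called with a non-literal
format argument.  Added example; the sink table below is a choice made
here, not a list taken from any particular tool."""
import re

# printf-family sinks mapped to the 0-based position of their format argument.
FORMAT_SINKS = {
    "printf": 0, "vprintf": 0,
    "fprintf": 1, "vfprintf": 1, "sprintf": 1, "vsprintf": 1,
    "snprintf": 2, "vsnprintf": 2,
    "syslog": 1, "vsyslog": 1,
}

CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_SINKS) + r")\s*\(")


def _extract_args(source, start):
    """Return the text from `start` (just after a '(') up to the matching ')',
    honouring nested parentheses and double-quoted string literals."""
    depth, i, in_str = 1, start, False
    while i < len(source):
        ch = source[i]
        if in_str:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return source[start:i]
        i += 1
    return None                             # unbalanced call: skip this site


def _split_args(argtext):
    """Split a C argument list on top-level commas only (not inside nested
    parentheses, brackets or string literals)."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(argtext):
        ch = argtext[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(argtext):
                i += 1
                cur.append(argtext[i])
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch in "([":
            depth += 1
            cur.append(ch)
        elif ch in ")]":
            depth -= 1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur or args:
        args.append("".join(cur).strip())
    return args


def find_format_sinks(source):
    """Return (line, function, format_expr) for every sink call whose format
    argument does not start with a string literal."""
    findings = []
    for m in CALL_RE.finditer(source):
        func = m.group(1)
        argtext = _extract_args(source, m.end())
        if argtext is None:
            continue
        args = _split_args(argtext)
        idx = FORMAT_SINKS[func]
        if idx >= len(args):
            continue
        fmt = args[idx]
        if not fmt.startswith('"'):
            line = source.count("\n", 0, m.start()) + 1
            findings.append((line, func, fmt))
    return findings


# Constructed C sample (not vpnd source): each logging call appears once with
# a literal format and once with data in the format position.
SAMPLE_C = """\
#include <stdio.h>
#include <syslog.h>

void log_peer(const char *peer_name) {
    char buf[256];
    snprintf(buf, sizeof buf, "peer %s connected", peer_name);
    syslog(LOG_INFO, buf);            /* format comes from data: flagged */
    syslog(LOG_INFO, "%s", buf);      /* literal format: passes */
    printf(peer_name);                /* flagged */
    fprintf(stderr, "%s\\n", peer_name);
}
"""

if __name__ == "__main__":
    for line, func, fmt in find_format_sinks(SAMPLE_C):
        print(f"line {line}: {func}() called with non-literal format {fmt!r}")
```

On the sample this reports the `syslog` call on line 7 and the `printf` call on line 9. A source-level check like this reaches code whether or not the runtime configuration (here, the plist Kevin mentions) causes it to execute, which is one reason it complements dynamic testing on a default client install.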
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Interesting (?) bug Chris Anley (May 29)
- Re: Interesting (?) bug Kevin Finisterre (lists) (May 29)
- Re: Interesting (?) bug Rhys Kidd (May 30)