Zero Day Initiative (ZDI) has published an advisory for a heap overflow vulnerability in Cogent DataHub which i have found few months ago. Full advisory can be read here ZDI-13-252.
Earlier this year i have also found some null pointer dereference bugs leading to a denial of service in DataHub. I will post some PoC's soon.
Monday 25 November 2013
Tuesday 3 September 2013
Funny sudo bug
Around a month ago i was performing a task where i needed to create a user with a very large UID in the system. The required UID happened to be 2147483648 (0x80000000) exactly.
We can have some fun with it e.g. creating a user with the 0x7fffffff UID. This way sudo will no longer crash, but it will be called for a different user : ). The bug was tested on the 1.8.5p2 version 32-bit OS. Additional details can be found in the bug report.
root@hive:~# adduser -u 2147483648 test1Next i switched to the newly created user and typed sudo.
test1@hive:/$ su test1And this was the result:
test1@hive:/$ sudo
test1@hive:/$ sudoWe can see here that the UID value was wrapped to the 2147483647 value (0x7fffffff) followed by a segfault.
sudo: perm stack underflow: Invalid argument
sudo: unknown uid: 2147483647
Segmentation fault
We can have some fun with it e.g. creating a user with the 0x7fffffff UID. This way sudo will no longer crash, but it will be called for a different user : ). The bug was tested on the 1.8.5p2 version 32-bit OS. Additional details can be found in the bug report.
Monday 18 March 2013
Skype Malware Analysis
When i came back from work today and fired up Skype, multiple messages popped up immediately. Some of them in in English and some in Polish, but all leading to the same url with "pictures" of me ; oo. Another interesting fact was that all the messages came from people working at the same company (zomg APT alert ;D).
The messages looked like this:
We check what is behind the url shortener:
Crunchpress seems to be a 'hacked' website:
Lets download and unzip it:
Quick scan @ virustotal.com gives 7/44 and identifies the file as a dropper:
Not surprisingly it downloads something using HTTP protocol:
Let's see what we have there. First some quick geo localization request:
Next a list of 'unwanted' domain names is downloaded (full list available here).
The messages looked like this:
|
zip file ! |
crunchpress image folder with some aditional content |
Oh noez! no pics just exe : ( |
virustotal results |
Actual bad stuff downloaded here |
hi ho |
Subscribe to:
Posts (Atom)