Index
- Introduction
- Basic information on Java
- Java and sound files
- Null byte write to stack
- User supplied function pointer call
- Heap overflow
- Links
Introduction
A while back I found some vulnerabilities in the way Java handles certain audio files. Those problems were fixed in Java update 19, and since anyone who has not yet installed Java update 20 is being exploited anyway, I figured I might as well write down all the details.
It was once believed that Java was safe from buffer overflows, and while that may still be the case for the actual Java classes, it is not the case for the underlying native code. For those who weren't aware, the core Java functionality actually consists of both Java class files and C code implementing the native functions. These native functions are vulnerable to everything your average C code can be vulnerable to. And since the Java DLL files are compiled without any protection like ASLR or DEP, any vulnerability is pretty easy to exploit. I poked around in the native code for a bit and found some nice vulnerabilities; three of those I will try to explain here.
I decided to write up some old and funny bugs I found a while back, starting today with 'remote' code execution in YaBB version 2.2. The problem is fixed in 2.4 (or so it seems at first glance).
YaBB (Yet Another Bulletin Board) is, as the name says, a bulletin board. It is written in Perl, which is nice since I work a lot with Perl, making it easier for me to rush through the code looking for problems.
YaBB doesn't use a database; it saves all information in plain text files. Every user has a text file with his/her user data, and all other data is stored in text files as well.
YaBB pages are actually Perl code that gets executed, and the resulting HTML is then parsed again for special tags. So if we can find a way to edit those templates, we can run Perl code with the rights of the web user.
I'll kick off with, imho, one of my more interesting findings. It's not interesting due to the nature of the vulnerability, but due to the possible impact. It was quite some time ago already, back in the summer of 2006, when I was looking into COM objects that came installed with ICQ. If you're unfamiliar with COM objects and how they 'sneak' in with program installations, I suggest you read this article. Anyway, installing ICQ added a few COM objects that were accessible as ActiveX objects in IE6 without warning. Most of them were a bit boring, but there was a nice design error in one of them.
The object in question had CLSID 54BDE6EC-F42F-4500-AC46-905177444300 and was also accessible under the name 'ICQPhone.SipxPhoneManager'.
It exposed a function called 'DownloadAgent' which took one parameter. The string passed as the parameter was used as a URL; whatever that URL pointed at was downloaded to the local machine and then run.
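As an added example (not code from the original post, and not anything ICQ shipped), the standard way to neutralise a control like this on a machine before a vendor fix arrives is to set its Internet Explorer kill bit. The script below, written for this page, sets `Compatibility Flags = 0x400` for the CLSID quoted above in both the native and the Wow6432Node registry views, then reads the values back and resolves the ProgID to confirm it really points at that CLSID. It assumes an elevated PowerShell session on Windows; the 0x400 kill-bit mechanism itself is Microsoft's documented one (KB 240797), and the CLSID and ProgID are the ones stated in the post.

```powershell
# Added example for this page: set the IE kill bit for the ICQPhone.SipxPhoneManager
# control described above. Requires an elevated PowerShell prompt.
$clsid  = '{54BDE6EC-F42F-4500-AC46-905177444300}'   # CLSID quoted in the post
$progId = 'ICQPhone.SipxPhoneManager'                 # ProgID quoted in the post

# Both registry views: 64-bit IE reads the first, 32-bit IE on 64-bit Windows reads the second.
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # 0x400 = "kill bit": IE refuses to instantiate the control at all.
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value 0x400 -Force | Out-Null
}

# Check 1: read the flags back and make sure the kill bit is set in each view.
foreach ($key in $keys) {
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($flags -band 0x400) { 'kill bit SET' } else { 'kill bit MISSING' }
    '{0}  ->  0x{1:X}  ({2})' -f $key, $flags, $state
}

# Check 2: confirm the ProgID from the post still maps to the CLSID we just killed,
# so we know the right control was targeted (and whether ICQ is installed at all).
$clsidKey = "Registry::HKEY_CLASSES_ROOT\$progId\CLSID"
if (Test-Path $clsidKey) {
    $resolved = (Get-ItemProperty -Path $clsidKey).'(default)'
    if ($resolved -ieq $clsid) {
        "ProgID $progId resolves to $resolved (matches)"
    } else {
        "ProgID $progId resolves to $resolved (does NOT match $clsid, check manually)"
    }
} else {
    "ProgID $progId is not registered on this machine"
}
```

The kill bit is a blocklist entry, so it is worth rerunning the first check after the next ICQ update: a reinstall does not remove the flag, but a vendor that ships the same control under a new CLSID sidesteps it.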
Although this is my first post, I have been searching for vulnerabilities since 1998. Back then it was mostly unsafe PHP includes and evals, and there were a lot of them. I can remember them all, but funnily enough some still show up in Google searches. But I doubt anyone will be interested in those anymore, so I'll try to write more about my recent work. Most of my research I sell to either ZDI or iDefense, so I won't be able to disclose much of it until it is published. But since I'm not a strong believer in full disclosure anyway, I have no problem with that :) For some of my work I will post PoC and detailed analyses when I have the time; others I won't even mention.
Recently I found quite a few holes in IE8, but since most of them are still undisclosed I won't post anything about those yet. I will start soon with some posts about older stuff, just to get the hang of it for myself.
For those who are interested: here is a quick list of my findings.