[Dailydave] Interesting (?) bug
Kevin Finisterre (lists)
kf_lists at digitalmunition.com
Tue May 29 11:33:48 EDT 2007
On May 29, 2007, at 9:43 AM, Chris Anley wrote:
> This:
>
> http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-mac-os-x/
>
> ...is a fairly straightforward format string bug, of the type that we've
> all been saying for a few years is amenable to automated detection.
>
> I found this one manually. Anyone have any comment on why it wasn't
> reported by anyone using an automated method?
Well, if you were working on OSX client you cannot exploit this bug
(and possibly missed it) because without the presence of
com.apple.RemoteAccessServers.plist the vulnerable function is not
reached. I think on OSX server it does exist, so anyone with access to
OSX server should have spotted it with ease.
>
> It's not unrelated to this (from April 2005):
>
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=240
>
> In fact, it appears to have been 'revealed' by the fix to this issue in
> 2005. So I guess maybe I just reviewed vpnd at a propitious time? Then
> again, 2 years is a while, right?
All the security engineers are too busy enjoying the nice weather in
the campus courtyard while eating their free knock-off Chipotle
burritos.
>
> Cheers,
>
> -chris.
>
Here is a really half-assed exploit for this; I am kinda lazy, as you
all know. I'll make a more reliable version later using some things I
discussed with nemo over the weekend. This exploit relies on a fixed
system() address that will most likely need to be changed, and brute
forcing a saved ret is obviously noisy and not very graceful. Try
using dyld_stub___cxa_finalize() as it is much more reliable.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vpenis.tar.gz
Type: application/x-gzip
Size: 1903 bytes
Desc: not available
Url : http://lists.immunitysec.com/pipermail/dailydave/attachments/20070529/8749af37/attachment.bin
-------------- next part --------------
-KF
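On Chris's point that bugs of this shape are amenable to automated detection, here is an added example that is not from the post, from NGSSoftware or from Apple: a first-pass Python checker that flags printf-family calls whose format argument is not a string literal, run over a constructed C snippet. FORMAT_FUNCS, SAMPLE_C and the helper names are my own; a real tool would work from the compiler's AST rather than regexes, so this only catches the textbook printf(user_data) shape.

```python
import re

# Format-taking functions (constructed, not exhaustive) -> index of the format arg.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_FUNCS) + r")\s*\(")
# One token = a "..." literal (escapes allowed), a paren/comma, or anything else.
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[(),]|[^"(),]+')

def _split_call_args(text, open_idx):
    """Top-level args of the call whose '(' is at text[open_idx]; None if unterminated."""
    depth, args, cur = 0, [], []
    for tok in TOKEN_RE.findall(text[open_idx:]):
        if tok == "(":
            depth += 1
            if depth > 1:                 # nested call such as sizeof(buf)
                cur.append(tok)
        elif tok == ")":
            depth -= 1
            if depth == 0:
                return args + ["".join(cur).strip()]
            cur.append(tok)
        elif tok == "," and depth == 1:   # commas inside "..." never get here
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(tok)
    return None

def find_format_string_bugs(source):
    """(line, function, format_arg) for each call whose format is not a literal."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func, idx = m.group(1), FORMAT_FUNCS[m.group(1)]
            args = _split_call_args(line, m.end() - 1)
            if args and len(args) > idx and not args[idx].startswith('"'):
                hits.append((lineno, func, args[idx]))
    return hits

# Constructed sample C source; it is not vpnd or any Apple code.
SAMPLE_C = """\
void log_msg(const char *user_msg) {
    char buf[256];
    snprintf(buf, sizeof(buf), "%s", user_msg);  /* safe: literal format */
    syslog(LOG_ERR, user_msg);                   /* bug: user data is the format */
    fprintf(stderr, buf);                        /* bug: data passed as format */
    fprintf(stderr, "%s\\n", buf);               /* safe */
}
"""
```

Calling find_format_string_bugs(SAMPLE_C) reports the syslog() call on line 4 and the fprintf() call on line 5 and leaves the two literal-format calls alone.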