Yesterday Apple has released a security update 2015-005 which included fixes for two vulnerabilities related to font parsing in OS X that i have reported to the ZDI. See original advisories for CVE-2015-3679 and CVE-2015-3680.
h0wl's blog
pentester & vuln researcher writing about stuff...
Wednesday, 1 July 2015
Monday, 22 June 2015
Browsing stackoverflow for interesting crashes - Microsoft Internet Explorer 11
Here is a nice example why it is worth to browse stackoverflow.com for crash reports. Recently i stumbled upon this post:
http://stackoverflow.com/questions/28114732/internet-explorer-11-crashes-when-angulars-http-post-is-used-with-large-complex
I checked it out and as for today (22 Jun 2015) it crashes the latest Internet Explorer 11. The crash log looks interesting:
The proof of concept from the post is huge so i decided to downsize it a bit and here it is:
Certainly more readable. As usual maybe someone will find it useful.
From one of the comments in the stackoverflow discussion, we can see that Microsoft is already looking into it (23 Jan 2015).
Update:
The bug was patched in the July 2015 MS Bulletin (probably this one MS15-065 - CVE-2015-2419)
Update #2:
Great in-depth analysis of the bug by the guys from Checkpoint: http://blog.checkpoint.com/2016/02/10/too-much-freedom-is-dangerous-understanding-ie-11-cve-2015-2419-exploitation/
http://stackoverflow.com/questions/28114732/internet-explorer-11-crashes-when-angulars-http-post-is-used-with-large-complex
I checked it out and as for today (22 Jun 2015) it crashes the latest Internet Explorer 11. The crash log looks interesting:
The proof of concept from the post is huge so i decided to downsize it a bit and here it is:
Certainly more readable. As usual maybe someone will find it useful.
From one of the comments in the stackoverflow discussion, we can see that Microsoft is already looking into it (23 Jan 2015).
Update:
The bug was patched in the July 2015 MS Bulletin (probably this one MS15-065 - CVE-2015-2419)
Update #2:
Great in-depth analysis of the bug by the guys from Checkpoint: http://blog.checkpoint.com/2016/02/10/too-much-freedom-is-dangerous-understanding-ie-11-cve-2015-2419-exploitation/
Sunday, 7 June 2015
Microsoft Internet Explorer 11 Crash PoC
A test case that looked interesting at first, but most likely it is only a null ptr. Anyway you can find the proof of concept below.
It was tested on Windows 7 and 8.1, doesnt crash on older versions of IE as the faulty code was introduced in IE11.
It was tested on Windows 7 and 8.1, doesnt crash on older versions of IE as the faulty code was introduced in IE11.
Friday, 3 April 2015
Crashing Shells
A quick post about two crashes i found in tcsh (default FreeBSD shell, however the BSD version does not segfault) and mksh (default shell on Android). As i'm not planning to research it further, i will just leave it here. Maybe someone will figure out if any of this can be exploited somehow.
tcsh:
1. Affected version
tcsh 6.18.01 and maybe older. FreeBSD version handled it just fine.
3. PoC
$ perl -e 'print "\$?:\x80"' | tcsh
Program received signal SIGSEGV, Segmentation fault.Where the last byte marked with red color can be anything > 0x79 to trigger the crash.
0x080d827a in xputchar (c=8388738) at sh.print.c:156
156 if(iscntrl(c) && (ASC(c) < 0x80 || MB_CUR_MAX == 1)) {
(gdb) x/i $eip
=> 0x80d827a: movzwl (%eax,%ebx,2),%edx
Android shell / mksh:
1. Affected version
mksh-R50e and maybe older. Tested on latest source version and a Nexus with Android 5.0.1
2. PoC
D:\Android\sdk\platform-tools>adb shell # run shell
shell@mako:/ $ cd sdcard # must be a dir that is not read-only
cd sdcard
shell@mako:/sdcard $ 4444444444444>4 # actual input that causes the crash
4444444444444>4
D:\Android\sdk\platform-tools> # our shell died
It seems to crash at exec.c:1415 in function iosetup() if (e->savefd[iop->unit] == 0) {
update:
by manipulating the first part of the expression we can control EAX and EBP value:
e.g.
$ 10947955850>1
Program received signal SIGSEGV, Segmentation fault.
0x80009c92 in ?? ()
(gdb) i r
eax 0x8c8c8c8a -1936946038
ecx 0x3 3
edx 0x0 0
ebx 0x8003be50 -2147238320
esp 0xbffff210 0xbffff210
ebp 0x991da068 0x991da068
esi 0x80044a54 -2147202476
edi 0x2 2
eip 0x80009c92 0x80009c92
eflags 0x10206 [ PF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
$ 1000200887800>1The bug has been patched in the latest R-50f release.
Program received signal SIGSEGV, Segmentation fault.
0x80009c92 in ?? ()
(gdb) i r
eax 0xe09e5df8 -526492168
ecx 0x3 3
edx 0x0 0
ebx 0x8003be50 -2147238320
esp 0xbffff210 0xbffff210
ebp 0x41414344 0x41414344
esi 0x80044a54 -2147202476
edi 0x2 2
eip 0x80009c92 0x80009c92
eflags 0x10206 [ PF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) bt
#0 0x80009c92 in ?? ()
Backtrace stopped: Cannot access memory at address 0x41414348
Bug report can be seen here and the fix here.
Labels:
android,
android shell,
bug,
crash,
exploit,
fun,
memory corruption,
mksh,
segfault,
tcsh
Tuesday, 10 February 2015
Microsoft Internet Explorer CShadow Direction Integer Overflow Remote Code Execution CVE-2015-0036 (MS15-009)
In this months bulletin Microsoft has fixed multiple vulnerabilities in Internet Explorer including one which was mine. It was an integer overflow in the CShadow filter which could lead to remote code execution. It affected Internet Explorer 10 and 11. You can find the original ZDI advisory here and the Microsoft Bulletin here.
There is some confusion when it comes to CVE assignment, as Microsoft acknowledged me for CVE-2015-0035 (also credited to Sky) while ZDI marked my bug CVE-2015-0036 which is credited to an anonymous researcher on the bulletin page. I will update this post if something changes regarding to that.
There is some confusion when it comes to CVE assignment, as Microsoft acknowledged me for CVE-2015-0035 (also credited to Sky) while ZDI marked my bug CVE-2015-0036 which is credited to an anonymous researcher on the bulletin page. I will update this post if something changes regarding to that.
Monday, 24 November 2014
Hopper Disassembler 2.8.7 / 3.6.2 Mach-O Handling Buffer Overflow
Inspired by @j00ru talk @ SECURE 2014 i decided to do a quick check of Hopper Disassembler (which is a great tool btw, I highly recommend it).
As a sample i simply used one of the system tools from OS X (/bin/ls) and started fuzzing. I quickly began recording tons of crashes.The most interesting one was this:
And file diff showed something like that:
Its pretty straightforward right ? I checked the modules, and a standard SEH exploit should work for us:
I calculated the offsets:
By now i thought it's over, but first problems started to show when i wanted to substitute my A's and B's with pointers and other non printable characters (e.g. NOPs or INT 3) - Hopper would not crash at all.
Instead of NOPs i could use \x40\x48 which is inc eax, dec eax.
Regarding SEH overwrite i couldn't use short jump so i had to find a pointer that would later assemble to a instruction that wouldn't crash. Fortunately libpng had a nice ascii printable pointer which i could use for pop pop ret.
Next there was a problem with ascii only shellcode. I needed one of the register to point to it, but in case of SEH registers are XOR'ed. I found a solution here. Basically by using multiple POPAD instructions we can get ESP point to our buffer and then return to it.
Now we can just generate our shellcode and place it in the controlled area:
When we let it run we get:
Short demo:
The final result can be downloaded here: Hopper run calc
Vulnerable versions:
Hopper 2.8.7 and probably older versions (tested on Windows)
Hopper 3.6.2 and probably older versions (tested on Mac OS X)
Linux version was not tested.
Timeline:
17 Nov 2014 - issue reported to the vendor
18 Nov 2014 - vendor releases a fix for Mac OS X (3.6.3 version)
24 Nov 2014 - publication of this article
Windows version remains unpatched as its development is currently on hold.
As a sample i simply used one of the system tools from OS X (/bin/ls) and started fuzzing. I quickly began recording tons of crashes.The most interesting one was this:
And file diff showed something like that:
Its pretty straightforward right ? I checked the modules, and a standard SEH exploit should work for us:
I calculated the offsets:
By now i thought it's over, but first problems started to show when i wanted to substitute my A's and B's with pointers and other non printable characters (e.g. NOPs or INT 3) - Hopper would not crash at all.
Instead of NOPs i could use \x40\x48 which is inc eax, dec eax.
Regarding SEH overwrite i couldn't use short jump so i had to find a pointer that would later assemble to a instruction that wouldn't crash. Fortunately libpng had a nice ascii printable pointer which i could use for pop pop ret.
Next there was a problem with ascii only shellcode. I needed one of the register to point to it, but in case of SEH registers are XOR'ed. I found a solution here. Basically by using multiple POPAD instructions we can get ESP point to our buffer and then return to it.
Now we can just generate our shellcode and place it in the controlled area:
Short demo:
The final result can be downloaded here: Hopper run calc
Vulnerable versions:
Hopper 2.8.7 and probably older versions (tested on Windows)
Hopper 3.6.2 and probably older versions (tested on Mac OS X)
Linux version was not tested.
Timeline:
17 Nov 2014 - issue reported to the vendor
18 Nov 2014 - vendor releases a fix for Mac OS X (3.6.3 version)
24 Nov 2014 - publication of this article
Windows version remains unpatched as its development is currently on hold.
Tuesday, 22 July 2014
SyScan360 2014 - Mobile Browsers Security: iOS
Last week together with Lukasz Pilorz I was speaking about mobile browsers security on iOS @ SyScan360 in Beijing. Visiting China for the first time was a great experience, and the conference itself was just awesome. Cool people, very technical talks and good organization is what it makes this event exceptional.
Our slides are already available for download from the conference site here.
Our slides are already available for download from the conference site here.
Labels:
Browsers,
Conference,
iOS,
Mobile,
SyScan,
SyScan360,
vulnerability
Subscribe to:
Posts (Atom)