
Security News #0x5B

Exploits
  • There is a new exploit for Internet Explorer from those fine folks at Metasploit. The flaw is MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow, and the underlying vulnerability is CVE 2013-3918. Right now, the Metasploit module only impacts IE 8 on Windows XP, so it is of less concern.
  • The second new exploit for Internet Explorer from the folks at Metasploit may be a broader concern. They call their module MS13-022 Microsoft Silverlight ScriptObject Unsafe Memory Access; this module actually uses two different vulnerabilities. What is interesting here is that the second vulnerability is a DEP/ASLR bypass. Most of the existing Metasploit modules for Internet Explorer have used Java 6 as the basis for a ROP chain, and I have not yet had much success with those that do not. If this keeps its promises and does not require Java, it would be most interesting. It has not yet been pushed out to Kali, so I haven’t yet taken it for a spin. The underlying vulnerabilities are CVE 2013-0074 and CVE 2013-3896 and were patched in MS 13-022 and 13-087. Metasploit states that this exploit works against IE 6-10, on XP through Win 7 SP1, and on both 32 and 64 bit machines. Verrry interesting.
  • There has also been a Ruby vulnerability; in particular, there is a heap overflow in floating point processing. The vulnerability is labelled CVE 2013-4164. As yet, I don’t know of any exploits for this vulnerability, but Ruby is used by the folks at Metasploit, and they have released a new version (4.8.1) to avoid this issue.
  • Another Metasploit module worth considering targets a vulnerability in Microsoft’s handling of the TIFF file format. The underlying vulnerability is CVE 2013-3906, and it appears to only affect older systems with Microsoft Office. The module itself only targets XP SP3 with Office 2010.
Learning More
  • The folks at Exodus Intelligence found a vulnerability in Internet Explorer earlier this year (CVE 2013-3147) which has just been patched (MS 13-055). They have taken the time to write up what they found and show how their vulnerability can be exploited.
  • I saw a nice piece on how some compilers can optimize away bounds checks made for security reasons. The original paper from Xi Wang, Nickolai Zeldovich, M. Frans Kaashoek, and Armando Solar-Lezama is definitely worth a read. I tried to replicate their results on one of my 64 bit CentOS boxes with the code
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void f(char* buffer, char* buffer_end) {

      printf("The start of buffer is    %p\n", buffer);
      printf("The end of buffer is      %p\n", buffer_end);

      /* Deliberately out-of-range length: -1 wraps to the largest unsigned
         value, so buffer + len overflows (undefined behaviour in C) and
         ends up pointing just before buffer. */
      unsigned long int len = -1;
      printf("String length is          %lu\n", len);
      printf("The copied string ends at %p\n", buffer + len);

      /* First check: the wrapped pointer is below buffer_end, so this passes. */
      if (buffer + len >= buffer_end)
        return;
      /* Second check: the one the paper says a compiler may optimise away,
         because it assumes pointer arithmetic never overflows. */
      if (buffer + len < buffer)
        return;

      printf("At this point, we copy the string...\n");

    }


    int main(int argc, char* argv[]) {

      char* buffer;
      char* buffer_end;
      unsigned int buffer_length = 200;

      /* One extra byte so buffer_end itself is addressable (room for '\0'). */
      buffer = (char*) malloc(buffer_length + 1);
      if (buffer == NULL)
        exit(1);

      buffer_end = &buffer[buffer_length];

      f(buffer, buffer_end);

      free(buffer);

      return 0;
    }


    but the second check does not seem optimized out, even when compiled with -O3:

    [adent@localhost ~]$ gcc -Wall -O3 optim.c 
    [adent@localhost ~]$ ./a.out 
    The start of buffer is    0xf49010
    The end of buffer is      0xf490d8
    String length is          18446744073709551615
    The copied string ends at 0xf4900f
    [adent@localhost ~]$ gcc --version
    gcc (GCC) 4.4.6 20110731 (Red Hat 4.4.6-3)
    Copyright (C) 2010 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions.  There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    

    It’ll be interesting to see how widespread this problem turns out to be.
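To make the fix concrete, here is an added example (my own code, not from the post or the paper) that puts the pointer-arithmetic check above next to a length-based check that does not rely on overflow; the function names and the small 8-byte buffer are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overflow-prone form, as in the paper and the post: forms buffer + len first.
   If len wraps, that addition overflows, which C leaves undefined, so a compiler
   may delete the second comparison; the result here is compiler-dependent. */
int copy_allowed_ptr(const char *buffer, const char *buffer_end, size_t len) {
    if (buffer + len >= buffer_end)
        return 0;
    if (buffer + len < buffer)      /* the check an optimiser may drop */
        return 0;
    return 1;
}

/* Safe form: compare lengths, so no out-of-range pointer is ever formed and
   nothing depends on overflow. Assumes buffer <= buffer_end. */
int copy_allowed_len(const char *buffer, const char *buffer_end, size_t len) {
    size_t room = (size_t)(buffer_end - buffer);
    return len < room;          /* leaves one byte after the copy for '\0' */
}

/* Bounded copy built on the safe check. Returns bytes copied, 0 if rejected. */
size_t bounded_copy(char *buffer, char *buffer_end, const char *src, size_t len) {
    if (!copy_allowed_len(buffer, buffer_end, len))
        return 0;
    memcpy(buffer, src, len);
    buffer[len] = '\0';
    return len;
}

/* The post's scenario with the safe check: 200-byte buffer, len = -1.
   Returns 1 if the copy is rejected, -1 on allocation failure. */
int safe_check_rejects_wrapped_len(void) {
    char *buffer = malloc(201);
    if (buffer == NULL)
        return -1;
    int rejected = !copy_allowed_len(buffer, &buffer[200], (size_t)-1);
    free(buffer);
    return rejected;
}

int main(void) {
    char buf[9];                        /* 8 usable bytes plus terminator */
    printf("safe check, len = -1: %s\n",
           copy_allowed_len(buf, buf + 8, (size_t)-1) ? "allowed" : "rejected");
    printf("pointer check, len = -1: %s (compiler-dependent)\n",
           copy_allowed_ptr(buf, buf + 8, (size_t)-1) ? "allowed" : "rejected");
    return 0;
}
```

Only the length-based check has a defined answer for a wrapped length; compile the pointer-based one at -O0 and -O3 to see whether your compiler keeps or drops it.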

General Silliness
  • Dilbert has been good this week, with riffs on SCO and a pair on our friends at NSA.