Wednesday, 1 July 2015
Yesterday Apple released security update 2015-005, which included fixes for two vulnerabilities related to font parsing in OS X that I reported to the ZDI. See the original advisories for CVE-2015-3679 and CVE-2015-3680.
Tuesday, 10 February 2015
Microsoft Internet Explorer CShadow Direction Integer Overflow Remote Code Execution CVE-2015-0036 (MS15-009)
In this month's bulletin, Microsoft fixed multiple vulnerabilities in Internet Explorer, including one that was mine. It was an integer overflow in the CShadow filter that could lead to remote code execution. It affected Internet Explorer 10 and 11. You can find the original ZDI advisory here and the Microsoft bulletin here.
There is some confusion when it comes to CVE assignment, as Microsoft acknowledged me for CVE-2015-0035 (also credited to Sky), while ZDI marked my bug as CVE-2015-0036, which is credited to an anonymous researcher on the bulletin page. I will update this post if something changes regarding that.
Monday, 24 November 2014
Hopper Disassembler 2.8.7 / 3.6.2 Mach-O Handling Buffer Overflow
Inspired by @j00ru's talk at SECURE 2014, I decided to do a quick check of Hopper Disassembler (which is a great tool, by the way; I highly recommend it).
As a sample I simply used one of the system tools from OS X (/bin/ls) and started fuzzing. I quickly began recording tons of crashes. The most interesting one was this:
And the file diff showed something like this:
It's pretty straightforward, right? I checked the modules, and a standard SEH exploit should work for us:
I calculated the offsets:
By now I thought it was over, but the first problems started to show when I wanted to substitute my A's and B's with pointers and other non-printable characters (e.g. NOPs or INT 3): Hopper would not crash at all.
Instead of NOPs I could use \x40\x48, which is inc eax, dec eax.
Regarding the SEH overwrite, I couldn't use a short jump, so I had to find a pointer that would later assemble to an instruction that wouldn't crash. Fortunately libpng had a nice ASCII-printable pointer which I could use for pop pop ret.
Next there was a problem with ASCII-only shellcode. I needed one of the registers to point to it, but in the case of SEH the registers are XOR'ed. I found a solution here. Basically, by using multiple POPAD instructions we can get ESP to point to our buffer and then return to it.
Now we can just generate our shellcode and place it in the controlled area:
When we let it run we get:
Short demo:
The final result can be downloaded here: Hopper run calc
Vulnerable versions:
Hopper 2.8.7 and probably older versions (tested on Windows)
Hopper 3.6.2 and probably older versions (tested on Mac OS X)
The Linux version was not tested.
Timeline:
17 Nov 2014 - issue reported to the vendor
18 Nov 2014 - vendor releases a fix for Mac OS X (3.6.3 version)
24 Nov 2014 - publication of this article
The Windows version remains unpatched, as its development is currently on hold.
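The crash and the file diff the post refers to were screenshots that did not survive extraction, so the page does not show which Mach-O field Hopper mishandled. As an added illustration (not Hopper's code or the author's), this is the class of check a Mach-O load-command walker needs to survive fuzzed input like the mutated /bin/ls above: every cmdsize comes from the file, so it is validated against the remaining command area before the parser advances. It assumes the 32-bit Mach-O layout on a little-endian host, and the sample image is constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Layout of a 32-bit Mach-O header and load command (as in <mach-o/loader.h>);
   the host is assumed little-endian, as on x86 OS X. */
#define MH_MAGIC 0xfeedface
struct mach_header { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags; };
struct load_command { uint32_t cmd, cmdsize; };

/* Walk the load commands of an in-memory image without trusting any length field.
   Returns the number of commands walked, or -1 if the image is malformed. */
int walk_load_commands(const uint8_t *buf, size_t len) {
    struct mach_header mh;
    if (len < sizeof mh) return -1;                       /* truncated header */
    memcpy(&mh, buf, sizeof mh);
    if (mh.magic != MH_MAGIC) return -1;
    if (mh.sizeofcmds > len - sizeof mh) return -1;       /* command area must fit in the file */
    size_t off = sizeof mh, end = sizeof mh + mh.sizeofcmds;
    uint32_t i;
    for (i = 0; i < mh.ncmds; i++) {
        struct load_command lc;
        if (end - off < sizeof lc) return -1;             /* no room for a command header */
        memcpy(&lc, buf + off, sizeof lc);
        /* cmdsize is file-controlled: it must cover its own header, stay 4-byte aligned
           and not reach past the command area, or every later read is out of bounds. */
        if (lc.cmdsize < sizeof lc || (lc.cmdsize & 3) || lc.cmdsize > end - off) return -1;
        off += lc.cmdsize;
    }
    return (int)i;
}

/* Constructed sample: a 60-byte image with two LC_SEGMENT commands whose cmdsize
   values are caller-chosen so malformed inputs can be exercised. buf needs 60 bytes. */
size_t build_sample(uint8_t *buf, uint32_t cs1, uint32_t cs2) {
    struct mach_header mh = { MH_MAGIC, 7 /* CPU_TYPE_I386 */, 3, 2 /* MH_EXECUTE */, 2, 32, 0 };
    struct load_command lc1 = { 1 /* LC_SEGMENT */, cs1 }, lc2 = { 1, cs2 };
    memset(buf, 0, 60);
    memcpy(buf, &mh, sizeof mh);
    memcpy(buf + sizeof mh, &lc1, sizeof lc1);
    memcpy(buf + sizeof mh + 16, &lc2, sizeof lc2);
    return 60;
}

int main(void) {
    uint8_t buf[60];
    size_t n = build_sample(buf, 16, 16);
    printf("well-formed: %d\n", walk_load_commands(buf, n));        /* 2 */
    n = build_sample(buf, 0xfffffff0u, 16);
    printf("oversized cmdsize: %d\n", walk_load_commands(buf, n));  /* -1 */
    return 0;
}
```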