tag:blogger.com,1999:blog-6081584076968529472011-08-03T00:22:25.113-07:00Research on unsecuritySecurity research discovered by: 1c239c43f521145fa8385d64a9c32243Monarchhttp://www.blogger.com/profile/00127937541503546345noreply@blogger.comBlogger51100tag:blogger.com,1999:blog-608158407696852947.post-70738231865334926222010-01-24T13:18:00.000-08:002010-01-24T13:18:32.082-08:00Moving - http://www.unsecurityresearch.com<a href="http://www.unsecurityresearch.com/">http://www.unsecurityresearch.com</a> will be the new home for security research updates.<br /><br />Please refer there for all my future advisories and work.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/608158407696852947-7073823186533492622?l=unsecurityresearch.blogspot.com' alt='' /></div>Monarchhttp://www.blogger.com/profile/00127937541503546345noreply@blogger.com0tag:blogger.com,1999:blog-608158407696852947.post-3723926636669251702009-12-21T13:33:00.000-08:002010-01-23T19:14:27.100-08:00Research updatedThe cumulative list of vulnerabilities I've discovered was updated today.<br />For a full list refer to: <a href="http://unsecurityresearch.blogspot.com/2009/02/advisories-upcoming.html">http://unsecurityresearch.blogspot.com/2009/02/advisories-upcoming.html</a><br /><br />New items are:<br />Vendor: <b>Oracle</b><br />Severity: High<br />Type: Remote<br />Status: Under review<br />Discovered: 1/2010 <br />(Best discovery yet)<br /><br />Vendor: <b>Oracle</b><br />Severity: High<br />Type: Remote<br />Status: Under review<br />Discovered: 12-20-09 <br /><br />Vendor: <b>Novell</b><br />Severity: High <br />Type: Remote<br />Status: ZDI-CAN-680<br />Discovered: 12-04-09<br /><br />Vendor: <span style="font-weight: bold;">Novell</span><br />Severity: High<br />Type: Remote vulnerability<br />Status: <i>ZDI-CAN-622</i><br />Discovered: 9-19-09<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/608158407696852947-372392663666925170?l=unsecurityresearch.blogspot.com' alt='' /></div>Monarchhttp://www.blogger.com/profile/00127937541503546345noreply@blogger.com0tag:blogger.com,1999:blog-608158407696852947.post-30057984037175719952009-06-01T17:27:00.000-07:002009-09-11T08:18:33.264-07:00Research - DiscardedThis section will list potential vulnerabilities that I have discarded.If reporting them to the vendor is easy then you I'll wait for their response before posting.<br /><br />Firefox - bug 492779<br /><span style="font-size: 100%;"><span id=":hc">PL_Base64D<wbr></wbr>ecode integer overflow</span></span><br />Code changes made: <a href="http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/nsprpub/lib/libc/src&command=DIFF_FRAMESET&file=base64.c&rev1=3.7&rev2=3.8&root=/cvsroot">here</a> and <a href="http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/nsprpub/lib/libc/src&command=DIFF_FRAMESET&file=base64.c&rev1=3.8&rev2=3.9&root=/cvsroot">here</a><br /><br />Looked very promising at first. A common library routine used in many places with a straight forward integer overflow, caused because it multiplied before dividing..Exploitation also looked promising since we could control the amount to overflow the buffer with by using invalid base64 characters to make the decode no-op.<br /><br />Reason for discarding:<br />Was unable to trigger it.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/608158407696852947-3005798403717571995?l=unsecurityresearch.blogspot.com' alt='' /></div>Monarchhttp://www.blogger.com/profile/00127937541503546345noreply@blogger.com0tag:blogger.com,1999:blog-608158407696852947.post-73667228212024335112009-02-28T10:36:00.000-08:002010-01-23T19:19:08.345-08:00Advisories - PublishedVendor: <span style="font-weight: bold;">Novell</span><br />Severity: <b>High</b><br />Type: Remote vulnerability<br />Published: <a href="http://www.zerodayinitiative.com/advisories/ZDI-10-001/">ZDI-10-001</a><br />Discovered: 02-09<br />Comments: Interesting that Novell patches the vulnerability and releases patch but advisory is not published until several months later. I wonder if many vendors do this. <br /><br />Vendor: <b>Sun</b><br />Product: <b>Solaris - w(1)</b><br />Severity: Medium<br />Published: <a href="http://sunsolve.sun.com/search/document.do?assetkey=1-66-266348-1">Sun Alert</a><br />Sun Bug: 6821298<br />Notes: I respect Sun alot, so no further details provided. <br /><br />Vendor: <span style="font-weight: bold;">IBM</span><br />Product:<span style="font-weight: bold;"> AIX</span><br />Severity: Medium<br />Type: Local privilege escalation<br />Notes: Three privilege escalations found, Two published <br /><br /><span style="font-weight: bold;">muxatmd buffer overflow</span><br /><a href="https://labs.idefense.com/intelligence/vulnerabilities/display.php?id=784"> 4-15-09 iDefense</a><br /><a href="http://www.securityfocus.com/bid/34543"> Bugtraq ID: 34543</a><br /><br /><span style="font-weight: bold;">libc arbitrary file overwrite</span><br /><a href="http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=802">5-20-09 iDefense</a><br /><a href="http://www.securityfocus.com/bid/35034">Bugtraq ID: 35034</a><br />This is also the first bug I have ever sold, was a rather eye-opening experience.<br />I really would have expected more from developers working on libc.<br /><br /><br />My research is published giving credit to: 1c239c43f521145fa8385d64a9c32243<br />(Except my very first few)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/608158407696852947-7366722821202433511?l=unsecurityresearch.blogspot.com' alt='' /></div>Monarchhttp://www.blogger.com/profile/00127937541503546345noreply@blogger.com0tag:blogger.com,1999:blog-608158407696852947.post-67000226556152465842009-02-28T10:30:00.000-08:002010-01-24T13:20:01.785-08:00Advisories - UpcomingUpdate: <a href="http://www.unsecurityresearch.com/">http://www.unsecurityresearch.com</a><br />Will be the new home for all my security research updates. Please refer there for all my future work and advisories. The list below is being left but will not be updated. 1-24-2010 <br /><br /><br />Vendor: <b>Oracle </b><br />Severity: High<br />Type: Remote<br />Status: Under review<br />Discovered: 1/2010<br /><br />Vendor: <b>Novell</b><br />Severity: Low<br />Type: Remote<br />Status: Under review<br />Discovered: Several months ago, did not submit to ZDI until now since it may have overlapped with previous discovery<br /><br />Vendor: <b>Oracle</b><br />Severity: High<br />Type: Remote<br />Status: Under review<br />Discovered: 12-20-09 <br /><br />Vendor: <b>Novell</b><br />Severity: High <br />Type: Remote<br />Status: ZDI-CAN-680 <br />Discovered: 12-04-09<br /><br />Vendor: <span style="font-weight: bold;">Novell</span><br />Severity: High<br />Type: Remote vulnerability<br />Status: <i>ZDI-CAN-622</i><br />Discovered: 9-19-09<br /> <br />Vendor: <span style="font-weight: bold;">Novell</span><br />Severity: High<br />Type: Remote vulnerability<br />Status: <i>ZDI-CAN-622</i><br />Discovered: 9-16-09<br /><br />Vendor: <span style="font-weight: bold;">Novell</span><br />Severity: High<br />Type: Remote vulnerability<br />Status: Sold ZDI-CAN-607<br />Discovered: 8-12-09<br /><br />Vendor: <span style="font-weight: bold;">Novell</span><br />Severity: Medium<br />Type: Remote vulnerability (Post-Auth)<br />Status: Sold ZDI-CAN-572 <br />Discovered: Can't remember..<br /><br />Vendor: <span style="font-weight: bold;">Novell</span><br />Severity: Low<br />Type: Remote vulnerability<br />Status: Sold <i>ZDI-CAN-477</i><br />Discovered: 2-29-09<br /><br />Vendor: <span style="font-weight: bold;">IBM</span><br />Severity: Medium<br />Type: Local privilege escalation<br />2 published, <a href="http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=784">4-15-09 iDefense</a>, <a href="http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=802">5-20-09 iDefense</a><br />1 unpublished<br /><br />Vendor:<span style="font-weight: bold;"> Sun</span><br />Severity: Medium <br />Status: <span style="font-style: italic;">Reported to Sun</span> - <span style="font-size: 100%;"><span id=":ie">Sun bugs 6821298, 6821299</span></span><br /><span style="font-size: 100%;"><span id=":ie">6821298 - Fixed - <a href="http://sunsolve.sun.com/search/document.do?assetkey=1-66-266348-1">Sun Alert</a><br /></span></span><br /><br />Vendor: <span style="font-weight: bold;">Novell</span><br />Severity: Low<br />Status: Sold - ZDI-CAN-440, ZDI-CAN-445<br />Discovered: 02-09<br /><br /><br />If you would like to fund research into a particular application, contact me.<br />If you would like to purchase anything listed as For Sale, contact me<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/608158407696852947-6700022655615246584?l=unsecurityresearch.blogspot.com' alt='' /></div>Monarchhttp://www.blogger.com/profile/00127937541503546345noreply@blogger.com0