http://www.unsecurityresearch.com will be the new home for security research updates.
Please refer there for all my future advisories and work.
Sunday, January 24, 2010
Monday, December 21, 2009
Research updated
The cumulative list of vulnerabilities I've discovered was updated today.
For a full list refer to: http://unsecurityresearch.blogspot.com/2009/02/advisories-upcoming.html
New items are:
Vendor: Oracle
Severity: High
Type: Remote
Status: Under review
Discovered: 1/2010
(Best discovery yet)
Vendor: Oracle
Severity: High
Type: Remote
Status: Under review
Discovered: 12-20-09
Vendor: Novell
Severity: High
Type: Remote
Status: ZDI-CAN-680
Discovered: 12-04-09
Vendor: Novell
Severity: High
Type: Remote vulnerability
Status: ZDI-CAN-622
Discovered: 9-19-09
Monday, June 1, 2009
Research - Discarded
This section will list potential vulnerabilities that I have discarded. If reporting them to the vendor is easy then I'll wait for their response before posting.
Firefox - bug 492779
PL_Base64Decode integer overflow
Code changes made: here and here
Looked very promising at first. A common library routine used in many places with a straightforward integer overflow, caused because it multiplied before dividing. Exploitation also looked promising since we could control the amount to overflow the buffer with by using invalid base64 characters to make the decode no-op.
Reason for discarding:
Was unable to trigger it.
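The "multiplied before dividing" pattern described above is worth seeing in isolation. The following is an added illustration, not Mozilla's or NSPR's code: it assumes a 32-bit length type and models a base64 decoder's output-length computation two ways, the wrapping order (multiply, then divide) beside a divide-first order that handles the trailing partial group explicitly and therefore cannot wrap. The helper names and the length values used are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Output-length computation in the order the discarded bug describes:
 * multiply first, then divide. With 32-bit arithmetic the product
 * srclen * 3 wraps for any srclen above UINT32_MAX / 3, so the
 * computed length (and any buffer sized from it) becomes far too small. */
uint32_t decoded_len_unsafe(uint32_t srclen)
{
    return (srclen * 3) / 4;
}

/* Hardened variant: divide first, then add the bytes contributed by the
 * trailing partial group (2 chars -> 1 byte, 3 chars -> 2 bytes). No
 * intermediate value ever exceeds srclen, so nothing can wrap. Returns
 * false for a length that no valid unpadded base64 string can have. */
bool decoded_len_safe(uint32_t srclen, uint32_t *out)
{
    uint32_t rem = srclen % 4;
    if (rem == 1)           /* a single leftover char encodes < 8 bits */
        return false;
    *out = (srclen / 4) * 3 + (rem ? rem - 1 : 0);
    return true;
}

/* Defender's check: does the original formula disagree with the safe
 * one for this input length? True means a buffer sized by the original
 * formula would be undersized for the bytes the decoder actually emits. */
bool length_calc_wraps(uint32_t srclen)
{
    uint32_t safe;
    if (!decoded_len_safe(srclen, &safe))
        return false;       /* invalid length; neither formula applies */
    return decoded_len_unsafe(srclen) != safe;
}

int main(void)
{
    /* Constructed lengths: two ordinary ones and two past UINT32_MAX / 3. */
    const uint32_t samples[] = { 8u, 7u, 0x55555556u, 0x60000000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t safe = 0;
        bool ok = decoded_len_safe(samples[i], &safe);
        printf("srclen=0x%08x  mul-then-div=%u  div-first=%u  wraps=%s\n",
               samples[i], decoded_len_unsafe(samples[i]),
               ok ? safe : 0u, length_calc_wraps(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

For small inputs both formulas agree, which is why the bug is easy to miss in testing; the divergence only appears once `srclen * 3` crosses 2^32, at which point the original formula can yield a length of almost anything, including zero.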
Saturday, February 28, 2009
Advisories - Published
Vendor: Novell
Severity: High
Type: Remote vulnerability
Published: ZDI-10-001
Discovered: 02-09
Comments: Interesting that Novell patches the vulnerability and releases patch but advisory is not published until several months later. I wonder if many vendors do this.
Vendor: Sun
Product: Solaris - w(1)
Severity: Medium
Published: Sun Alert
Sun Bug: 6821298
Notes: I respect Sun a lot, so no further details provided.
Vendor: IBM
Product: AIX
Severity: Medium
Type: Local privilege escalation
Notes: Three privilege escalations found, two published
muxatmd buffer overflow
4-15-09 iDefense
Bugtraq ID: 34543
libc arbitrary file overwrite
5-20-09 iDefense
Bugtraq ID: 35034
This is also the first bug I have ever sold, was a rather eye-opening experience.
I really would have expected more from developers working on libc.
My research is published giving credit to: 1c239c43f521145fa8385d64a9c32243
(Except my very first few)
Advisories - Upcoming
Update: http://www.unsecurityresearch.com
Will be the new home for all my security research updates. Please refer there for all my future work and advisories. The list below is being left but will not be updated. 1-24-2010
Vendor: Oracle
Severity: High
Type: Remote
Status: Under review
Discovered: 1/2010
Vendor: Novell
Severity: Low
Type: Remote
Status: Under review
Discovered: Several months ago, did not submit to ZDI until now since it may have overlapped with previous discovery
Vendor: Oracle
Severity: High
Type: Remote
Status: Under review
Discovered: 12-20-09
Vendor: Novell
Severity: High
Type: Remote
Status: ZDI-CAN-680
Discovered: 12-04-09
Vendor: Novell
Severity: High
Type: Remote vulnerability
Status: ZDI-CAN-622
Discovered: 9-19-09
Vendor: Novell
Severity: High
Type: Remote vulnerability
Status: ZDI-CAN-622
Discovered: 9-16-09
Vendor: Novell
Severity: High
Type: Remote vulnerability
Status: Sold ZDI-CAN-607
Discovered: 8-12-09
Vendor: Novell
Severity: Medium
Type: Remote vulnerability (Post-Auth)
Status: Sold ZDI-CAN-572
Discovered: Can't remember..
Vendor: Novell
Severity: Low
Type: Remote vulnerability
Status: Sold ZDI-CAN-477
Discovered: 2-29-09
Vendor: IBM
Severity: Medium
Type: Local privilege escalation
2 published, 4-15-09 iDefense, 5-20-09 iDefense
1 unpublished
Vendor: Sun
Severity: Medium
Status: Reported to Sun - Sun bugs 6821298, 6821299
6821298 - Fixed - Sun Alert
Vendor: Novell
Severity: Low
Status: Sold - ZDI-CAN-440, ZDI-CAN-445
Discovered: 02-09
If you would like to fund research into a particular application, contact me.
If you would like to purchase anything listed as For Sale, contact me