
A new fascinating Linux kernel vulnerability

Published: 2009-07-17,
Last Updated: 2009-07-17 09:45:15 UTC
by Bojan Zdrnja (Version: 1)

Source code for an exploit of a Linux kernel vulnerability has been posted by Brad Spengler (Brad is the author of grsecurity). I have to tell you right now – this was one of the most fascinating bugs I've read about lately.

Why is it so fascinating? Because a source code audit of the vulnerable code would almost certainly not find this vulnerability (well, actually, it is possible, but I assure you that almost everyone would miss it). However, once you add the compiler and its optimizations into the game, the whole landscape changes.

While the technical details are a bit complex, what happens can be explained easily. The vulnerable code is in the tun driver (tun_chr_poll() in drivers/net/tun.c, the bug later assigned CVE-2009-1897). The developer initialized a local variable (sk in the snippet below) from a pointer (tun) that can be NULL, and only a couple of lines later checked whether tun is NULL, returning an error if it is. The code looks like this:

struct tun_struct *tun = __tun_get(tfile);  // may be NULL
struct sock *sk = tun->sk;                  // dereferences tun before it is checked

if (!tun)
    return POLLERR;  // if tun is NULL return error (too late: tun->sk was already read)

This code looks perfectly fine, right? Well, it is, until the compiler gets its hands on it. Dereferencing a NULL pointer is undefined behaviour in C, so when GCC optimizes this function (the -fdelete-null-pointer-checks behaviour, on by default when optimizing) it treats the tun->sk dereference as proof that tun cannot be NULL and removes the if block, the NULL check on tun, from the compiled code entirely. In other words, the compiler introduces into the binary a vulnerability that did not exist in the source code.

With the check gone, a NULL tun makes the kernel read tun->sk from a small offset above address 0x00000000. If the attacker can map that page in userland (which mmap_min_addr is meant to prevent), the attacker controls the sock pointer and what the kernel does with it, and that is enough to pwn the box. There are some other highly technical details here, so check your favorite mailing list, or watch the video of the exploit on YouTube at http://www.youtube.com/watch?v=UdkpJ13e6Z0. Brad's exploit even worked with SELinux enabled, getting around the mmap_min_addr restriction that the LSM hooks were supposed to enforce.

The fix is relatively easy: the NULL check on tun has to come before tun is dereferenced, so sk is assigned only after the check (which is what the upstream fix does).
Fascinating research that again shows how security depends on every layer, and how even a very expensive source code audit can miss vulnerabilities.
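The ordering problem above, as an added userland model that is not Brad's exploit and not the kernel's source: the struct layouts, field names and the demo objects are constructed for illustration, and the example assumes GCC (or Clang) on Linux. vulnerable_poll() repeats the dereference-then-check pattern, fixed_poll() the check-then-dereference ordering of the fix, and null_page_read_offset() is the address the kernel would read from page zero when tun is NULL. Because this program cannot map page zero, calling the vulnerable version with NULL only faults; the SIGSEGV guard reports that instead of dying.

```c
/* Added example, not kernel code: userland model of the tun_chr_poll() bug.
 * Struct layouts, field names and sample objects are constructed here. */
#define _POSIX_C_SOURCE 200809L
#include <poll.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sock { int writeable; };           /* stand-in for the kernel's struct sock */
struct tun_struct {                       /* stand-in: some fields before sk */
    int flags;
    char name[16];
    struct sock *sk;
};

/* Vulnerable ordering: tun is dereferenced before it is checked.  When
 * optimizing, GCC treats the dereference as proof that tun != NULL and
 * deletes the check; compare `gcc -O0 -S` with `gcc -O2 -S` for this function. */
__attribute__((noinline))
unsigned int vulnerable_poll(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;            /* dereference first ... */
    unsigned int mask = 0;

    if (!tun)                             /* ... check too late, dropped at -O2 */
        return POLLERR;
    if (sk->writeable)
        mask |= POLLOUT;
    return mask;
}

/* Fixed ordering (the shape of the upstream fix): check, then dereference. */
__attribute__((noinline))
unsigned int fixed_poll(struct tun_struct *tun)
{
    struct sock *sk;
    unsigned int mask = 0;

    if (!tun)
        return POLLERR;
    sk = tun->sk;
    if (sk->writeable)
        mask |= POLLOUT;
    return mask;
}

/* Address the kernel reads when tun == NULL: the offset of sk inside page
 * zero.  Whoever can map page zero chooses the sock pointer read from there. */
size_t null_page_read_offset(void)
{
    return offsetof(struct tun_struct, sk);
}

/* Guard a call with a SIGSEGV handler so a fault is reported, not fatal.
 * Returns 1 if vulnerable_poll(tun) faulted, 0 otherwise. */
static sigjmp_buf crash_env;
static void on_segv(int sig) { (void)sig; siglongjmp(crash_env, 1); }

int vulnerable_poll_faults(struct tun_struct *tun, unsigned int *mask_out)
{
    struct sigaction sa, old;
    int faulted;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(crash_env, 1) == 0) {
        *mask_out = vulnerable_poll(tun);
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* Constructed sample objects (not kernel data). */
struct sock demo_sk = { .writeable = 1 };
struct tun_struct demo_tun = { .flags = 0, .name = "tun0", .sk = &demo_sk };

int main(void)
{
    unsigned int mask;

    printf("valid tun: vulnerable=%#x fixed=%#x\n",
           vulnerable_poll(&demo_tun), fixed_poll(&demo_tun));
    printf("NULL tun, fixed ordering: %#x (POLLERR is %#x)\n", fixed_poll(NULL), POLLERR);
    printf("NULL tun would read the sock pointer from address %zu\n", null_page_read_offset());
    if (vulnerable_poll_faults(NULL, &mask))
        printf("NULL tun, vulnerable ordering: SIGSEGV (page zero is not mapped here)\n");
    else
        printf("NULL tun, vulnerable ordering: returned %#x, the check was gone\n", mask);
    return 0;
}
```

The part a practitioner should take from this is that the deleted check is invisible at runtime until page zero is mappable: inspect the generated assembly for the test on the pointer rather than trusting the C. The kernel build has since added -fno-delete-null-pointer-checks to its CFLAGS, which stops the compiler from removing such checks, but the correct fix remains ordering the check before the dereference.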

--
Bojan
 

Keywords: 0day kernel linux selinux
Firefox 3.5.1 has been released

Published: 2009-07-17,
Last Updated: 2009-07-17 07:17:02 UTC
by Stephen Hall (Version: 1)

Thanks to all those who have sent in submissions overnight to alert us to the release of Firefox 3.5.1.

The update contains a single fix, for the JIT issue covered in our earlier diary.

Mozilla have the details of the fix in their security advisory.

If you are a Firefox 3.5 user, update now. And remember, if you applied the workaround by disabling the JIT in about:config (javascript.options.jit.content), turn it back on!

Steve Hall

www.tarkie.net

Keywords: firefox 35