Thursday, July 30, 2009

pwned

Today I proudly realized, while viewing Referer logs, I
have been nominated for the Best Privilege Escalation
Bug in the pwnie-awards for discovering and exploiting
CVE-2009-1185 (udev). The story behind that is that
I was frustrated to have no root-sex within the last
6 months or so (since postfix) and therefore
I started reviewing the glibc ELF loader for such, which led me
somehow to certain daemons such as nscd followed by
hald and finally udevd. I quickly realized that it missed
important checks, but the impact was unknown to me since
it kindly denied my exploitation offers until I found my way in.

You might be surprised to hear that I am not really
a security guy and used to stay away from sec-con events,
even though I work in that field.
I rather see myself as a programmer with interest in coding
and reading other people's code, and it's often funny to
watch and follow discussions by the "security professionals".

The thing that actually makes me comment on this is the
nice coincidence with the nomination of my hero Solar Designer. :)



Wednesday, July 29, 2009

unreadable comments

It's possible that it's just spam, but I receive a lot
of Chinese/Japanese or whatever comments to my postings.
Since I won't approve what I don't understand, I cannot
approve these. So, please comment either in German
or in English.

Sunday, July 19, 2009

A .note on local root exploits

A lot of weird things and discussions happened
during the last week. Not only was a silly kernel/gcc
combination attack published by my favorite VJ;
also a second issue was released by the Google sec-team,
which unfortunately was inside the same program that spender
used as an attack vector in one of the videos.

In the end, it's nice that there are (thank God, I am not
alone in this world!) people who seem to like/care
about local root exploits. You should definitely
have a look at Julien's blog (pulseaudio as well
as the mmap_min_addr postings). I feel like _uh,ohhh_
that there's actually some people doing real things
beside all the Web 2.0, XSS and similar silliness.

As you might know (or not, who cares :) I like local
root exploits. Every now and then I try to find some,
and sometimes I am even successful. Not only two times
so far, as some blogs try to suggest. :-)
Surprisingly it is not much harder than 10 years ago,
if we do not count overflow/memory corruption bugs.
The bugs just get more silly and most of the time they
require a combination of multiple minor flaws. But
that's exactly what makes the beauty of local root exploits.

Some people do not honour them. They argue that only
remote exploits are of interest. But these people probably
never ran a cluster or one of the top500's, or found themselves
removing ssh backdoors on a weekend instead of having fun.

A local vulnerability deserves the same update urgency
as remote ones.