I once scanned myself from the internet, and port 8010/tcp was detected.
My PSI Jabber file transfer service was exposed to the internet.
Then I fuzzed this service and found a nice DoS.
A signed integer check lets remote PSI clients be crashed, and I think it is not possible to overflow the heap, because the destination buffer is reallocated to the same number of bytes to be copied.
I reported it to the coders, and they gave me the OK to release the advisory:
advisory
exploit
Be careful with the services you are exposing to the internet, and be careful with your client applications (browser, Jabber, MSN, email client...).
Code has bugs ;)
Monday, December 29, 2008
Monday, December 01, 2008
Ksec - my Linux Defense System
Kernel viruses/rootkits are difficult to detect, but admins change the kernel frequently and the attacker loses the rootkit.
People infect user space, and pre-root attacks also happen in user space, so a system that logs dangerous user-space activity will be very useful.
A year ago I coded a defense system that is now public.
It is simple but useful: I hook open, socketcall, execve and unlink. For example, if your "ls" is connecting to the internet you will see:
Dec 1 13:44:51 hostname kernel: ls CONNECT(80.33.158.80:1337 fam:2)
If your ls is opening a file for writing:
Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)
Try the Defense System here
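One way to turn the CONNECT and OPEN log lines shown above into alerts, as an added example that is not part of Ksec or of the original post. The line layout is inferred from the two samples in the post; the allowlist `NETWORK_CLIENTS`, the `WATCHED_PREFIXES` policy and the function names are hypothetical.

```python
import re
# Layout inferred from the two sample lines in the post; execve/unlink events
# are not shown there, so they are not parsed here.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s(?P<host>\S+)\skernel:\s"
    r"(?P<comm>\S+)\s(?P<event>CONNECT|OPEN)\((?P<args>[^)]*)\)$")
CONNECT_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+)\sfam:(?P<fam>\d+)$")
# Assumed policy (hypothetical, tune per host): programs expected to use the network.
NETWORK_CLIENTS = {"ssh", "curl", "wget", "psi"}
# Assumed policy: a hidden file opened for writing under these prefixes is suspicious.
WATCHED_PREFIXES = ("/dev/", "/tmp/")

def parse(line):
    """Return a dict for a Ksec CONNECT/OPEN line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["event"] == "CONNECT":
        c = CONNECT_RE.match(rec["args"])
        if not c:
            return None
        rec.update(ip=c["ip"], port=int(c["port"]), fam=int(c["fam"]))
    else:
        path, _, mode = rec["args"].rpartition(" ")
        rec.update(path=path, mode=mode)
    return rec

def alerts(lines):
    """Return [(reason, record)] for events that violate the assumed policy."""
    found = []
    for rec in filter(None, map(parse, lines)):
        if rec["event"] == "CONNECT" and rec["comm"] not in NETWORK_CLIENTS:
            found.append(("unexpected-network", rec))
        elif rec["event"] == "OPEN" and "w" in rec["mode"]:
            hidden = any(p.startswith(".") for p in rec["path"].split("/"))
            if hidden and rec["path"].startswith(WATCHED_PREFIXES):
                found.append(("hidden-write", rec))
    return found

SAMPLE = [  # first two lines are from the post; the last two are constructed
    "Dec 1 13:44:51 hostname kernel: ls CONNECT(80.33.158.80:1337 fam:2)",
    "Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)",
    "Dec 1 13:45:02 hostname kernel: ssh CONNECT(192.0.2.10:22 fam:2)",
    "Dec 1 13:45:09 hostname kernel: vi OPEN(/home/user/notes.txt w)",
]
if __name__ == "__main__":
    for reason, rec in alerts(SAMPLE):
        print(reason, rec["host"], rec["comm"], rec["args"])
```

Both lines from the post are flagged, while the constructed ssh connection and the ordinary file write pass the policy.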