Monday, December 29, 2008

PSI remote integer overflow

I once scanned myself from the internet, and port 8010/tcp was detected.
My PSI jabber file transfer service was exposed to the internet.

Then I fuzzed this service and found a nice DoS.

A signed integer check lets you crash remote PSIs, and I think it is not possible to overflow the heap, because the destination buffer is reallocated to the same amount of bytes to be copied.

I have reported it to the coders, and they gave me the ok to publish the advisory:

advisory
exploit

Be aware of the services you are exposing to the internet, and be aware of your client applications (browser, jabber, msn, email client ...)

code has bugs ;)

Monday, December 01, 2008

Ksec - my Linux Defense System

Kernel viruses/rootkits are difficult to detect, but admins change the kernel frequently and the attacker loses the rootkit.

People infect user-space, and pre-root attacks are also in user-space, so a system to log dangerous user-space activities will be very useful.

A year ago I coded a defense system that is now public.
It is simple but useful: I hook open, socketcall, execve and unlink. For example, if your "ls" is connecting to the internet you will see:

Dec 1 13:44:51 hostname kernel: ls CONNECT(80.33.158.80:1337 fam:2)

If your ls is opening a file for writing:

Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)
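The log lines above are only useful if something reads them. As an added example (not part of Ksec or this post), here is a small Python parser for the Ksec syslog format shown above that raises an alert when a program that has no business on the network connects, or when a process writes a hidden file under /dev or /tmp. The sample log, the NO_NETWORK list and the EXEC/UNLINK operation names are constructed assumptions; only OPEN and CONNECT appear in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the Ksec syslog format shown in the post
# (the wget, vim and cron lines are invented for contrast).
SAMPLE_LOG = """\
Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)
Dec 1 13:44:51 hostname kernel: ls CONNECT(80.33.158.80:1337 fam:2)
Dec 1 13:45:02 hostname kernel: wget CONNECT(192.0.2.10:80 fam:2)
Dec 1 13:45:10 hostname kernel: vim OPEN(/home/user/notes.txt w)
Dec 1 13:45:11 hostname kernel: cron EXEC(/usr/bin/php)
"""

# "<comm> <OP>(<args>)" after the "kernel:" tag; OP is OPEN, CONNECT, ... (assumed names)
LINE_RE = re.compile(r"kernel: (?P<comm>\S+) (?P<op>[A-Z]+)\((?P<arg>[^)]*)\)")

# Hypothetical policy: tools that should never open a socket.
NO_NETWORK = {"ls", "ps", "cat", "id", "uname"}
# Directories where a hidden (dot) file is a classic user-space malware drop.
HIDDEN_DIRS = ("/dev/", "/tmp/", "/var/tmp/")


@dataclass
class Event:
    comm: str  # process name as logged by the hook
    op: str    # operation name (OPEN, CONNECT, ...)
    arg: str   # raw text inside the parentheses


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.search(line)
    return Event(m["comm"], m["op"], m["arg"]) if m else None


def suspicious(ev: Event) -> Optional[str]:
    """Return a reason string if the event violates the policy, else None."""
    if ev.op == "CONNECT" and ev.comm in NO_NETWORK:
        return f"{ev.comm} should never connect ({ev.arg})"
    if ev.op == "OPEN" and ev.arg.endswith(" w"):
        path = ev.arg[:-2]
        hidden = any(part.startswith(".") for part in path.split("/"))
        if hidden and path.startswith(HIDDEN_DIRS):
            return f"{ev.comm} writes hidden file {path}"
    return None


def alerts(log: str) -> List[str]:
    """Run every parsable log line through the policy and collect the alerts."""
    events = (parse_line(line) for line in log.splitlines())
    return [why for ev in events if ev and (why := suspicious(ev))]
```

Running `alerts(SAMPLE_LOG)` flags the two ls lines from the post and ignores the normal wget, vim and cron activity.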

Try the Defense System here