Binary Sniper
Hacking is really about experimenting!!
Tuesday, February 3, 2015
Iceweasel 18.0.1 xulrunner-18.0/libxul.so Stack Corruption Vulnerability
Title : Iceweasel 18.0.1 xulrunner-18.0/libxul.so Stack Corruption Vulnerability
Discoverer: Cihat YILDIZ (@cihatix)
Web page : www.binarysniper.net
Test: Debian Linux 3.7 SMP Kali 6
Platform: x64
Status: Not Fixed
Severity: Medium
Discovered : 25 December 2014
Reported : 2 February 2015
Published : 2 February 2015
Crasher: crasher.pdf
Fuzzing Offset: 280866 (20 30 30 30->FF FF FF FF)
GDB Exploitable Log:
Evince 3.10.3 Crashed with SIGABRT in __kernel_vsyscall()
Title : Evince 3.10.3 Crashed with SIGABRT in __kernel_vsyscall()
Discoverer: Cihat YILDIZ (@cihatix)
Web page : www.binarysniper.net
Test: Ubuntu 14.04 LTS
Status: Fixed in Poppler_0.31
Severity: Medium
Discovered : 25 December 2014
Reported : 2 February 2015
Published : 2 February 2015
Ubuntu ID: 1417561
FreeDesktop Bugzilla ID: 88990
Crasher: crasher.pdf
GDB Log:
Friday, January 9, 2015
VLC Media Player 2.1.5 Memory Corruption Vulnerabilities
Full Disclosure: seclists.org, packetstormsecurity.com
First Exploitable Bug
Title : VLC Player 2.1.5 DEP Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor : VideoLAN VLC Project
Test: Windows XP SP3, Windows 7 x64
Status: Fixed on vlc-2.2.0-rc2
Severity : High
CVE ID : CVE-2014-9597
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9597
OSVDB ID : 116450
VLC Ticket : 13389
windbglog : windbglog.txt
Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015
Description : VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted FLV file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
Second Exploitable Bug
Title : VLC Player 2.1.5 Write Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor : VideoLAN VLC Project
Test: Windows XP SP3, Windows 7 x64
Status: Fixed on vlc-2.2.0-rc2
Severity : High
CVE ID : CVE-2014-9598
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9598
OSVDB ID : 116451
VLC Ticket : 13390
windbglog : windbglog.txt
Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015
Description : VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted M2V file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
Technical:
McAfee : 17666 - VideoLan VLC Media Player libavcodec Two Remote Code Execution Vulnerabilities
SCIP : VideoLAN VLC Media Player 2.1.5 FLV File Handler buffer overflow
Debian : CVE-2014-9597, CVE-2014-9598
In the press:
http://channeleye.co.uk/turkish-security-expert-kebabs-vlc/
http://www.zdnet.com/article/vlc-vulnerabilities-exposed/
http://securityaffairs.co/wordpress/32464/hacking/2-flaws-vlc-media-player.html
http://threatpost.com/memory-corruption-bugs-found-in-vlc-media-player/110503
http://www.theregister.co.uk/2015/01/20/vlc_code_exec_flaws/?mt=1421744064349
http://www.heise.de/security/meldung/Schwachstellen-im-VLC-Player-ermoeglichen-Code-Ausfuehrung-2535794.html
Tuesday, December 23, 2014
Gom Player Read Access Violation Vulnerability
Title : Gom Player 2.2.64.5211 Read Access Violation on Control
Discoverer: Cihat YILDIZ (@cihatix)
Web page : www.binarysniper.net
Test: Windows XP SP3
Status: Not Fixed
Severity : High
OSVDB ID: 116462
Discovered: 24 December 2014
Reported: 24 December 2014
Published: 24 December 2014
Description : GOM Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted TIFF file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code.
Tuesday, November 25, 2014
Google Chrome caused a crash..!
Title : Google Chrome caused a crash..!
Version: 35.0.1916.114
Discoverer: Veysel HATAŞ (vhatas@gmail.com)
Web page : www.binarysniper.net
Test: Windows 8
Status: Fixed
Discovered: 24 May 2014
Reported: 25 November 2014
Published: 25 November 2014
Chromium Issue: 436382
windbg crash log
Crash report from EMET
Thursday, March 20, 2014
Immunity Debugger Stack Overflow Vulnerability – PoC
It's not always possible to find vulnerabilities or even zero days after using methods of reverse engineering or fuzzing, but this time I was super lucky. Two months ago, I was studying Corelan's article about heap spray exploitation, which is a great one. During the study, while I was debugging Internet Explorer 7, Immunity Debugger (the latest version, 1.85) crashed and WinDBG handled the exception. I was really surprised.
OSVDB ID : 107499
EDB-ID : 32435
Reddit : /r/netsec
When I looked back to determine what caused it to crash, I noticed that the SE handler was recursively added to its SEH chain. Because the SEH chain was created on the stack segment and the chain was too long, this caused a stack overflow and Immunity Debugger crashed.
After realizing the cause of the crash, I quickly wrote a dirty PoC to trigger the stack overflow vulnerability. The following PoC code creates try-catch blocks to overflow the stack.
It was tested on Windows 7 and Windows XP; in both of them, DEP protection was disabled.
When I look at the following !exploitable output, it states that this vulnerability is not exploitable.
!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at ImmunityDebugger!Addsorteddata+0x0000000000000069 (Hash=0xa84b56c5.0x36b8c4de)
This is a user mode read access violation near null, and is probably not exploitable.
This vulnerability was reported to Immunity at support@immunityinc.co on 06 January 2014.