
Tuesday, February 3, 2015

Iceweasel 18.0.1 xulrunner-18.0/libxul.so Stack Corruption Vulnerability

Title : Iceweasel 18.0.1 xulrunner-18.0/libxul.so Stack Corruption Vulnerability
Discoverer: Cihat YILDIZ (@cihatix)
Web page : www.binarysniper.net
Test: Debian Linux 3.7 SMP Kali 6
Platform: x64
Status: Not Fixed
Severity: Medium

Discovered : 25 December 2014
Reported : 2 February 2015
Published : February 2015

Crasher: crasher.pdf
Fuzzing Offset: 280866  (20 30 30 30->FF FF FF FF)

GDB Exploitable Log:


Evince 3.10.3 Crashed with SIGABRT in __kernel_vsyscall()

Title : Evince 3.10.3 Crashed with SIGABRT in __kernel_vsyscall()
Discoverer: Cihat YILDIZ (@cihatix)
Web page : www.binarysniper.net
Test: Ubuntu 14.04 LTS
Status: Fixed in Poppler 0.31
Severity: Medium

Discovered : 25 December 2014
Reported : 2 February 2015
Published : February 2015

Ubuntu ID: 1417561
FreeDesktop Bugzilla ID: 88990
Crasher: crasher.pdf

GDB Log:

Friday, January 9, 2015

VLC Media Player 2.1.5 Memory Corruption Vulnerabilities

Full Disclosure: seclists.org, packetstormsecurity.com


First Exploitable Bug

Title : VLC Player 2.1.5 DEP Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor :  VideoLAN VLC Project
Test: Windows XP SP3, Windows 7 x64
Status: Fixed in vlc-2.2.0-rc2
Severity : High

CVE ID : CVE-2014-9597
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9597
OSVDB ID : 116450
VLC Ticket : 13389

windbglog : windbglog.txt

Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015

Description : VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted FLV file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.


Second Exploitable Bug

Title : VLC Player 2.1.5 Write Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor :  VideoLAN VLC Project
Test: Windows XP SP3, Windows 7 x64
Status: Fixed in vlc-2.2.0-rc2
Severity : High

CVE ID : CVE-2014-9598
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9598
OSVDB ID : 116451
VLC Ticket : 13390

windbglog : windbglog.txt

Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015

Description : VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted M2V file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.

Technical:
McAfee : 17666 - VideoLAN VLC Media Player libavcodec Two Remote Code Execution Vulnerabilities
SCIP : VideoLAN VLC Media Player 2.1.5 FLV File Handler buffer overflow
Debian : CVE-2014-9597, CVE-2014-9598

In the press:


http://channeleye.co.uk/turkish-security-expert-kebabs-vlc/
http://www.zdnet.com/article/vlc-vulnerabilities-exposed/
http://securityaffairs.co/wordpress/32464/hacking/2-flaws-vlc-media-player.html
http://threatpost.com/memory-corruption-bugs-found-in-vlc-media-player/110503
http://www.theregister.co.uk/2015/01/20/vlc_code_exec_flaws/?mt=1421744064349
http://www.heise.de/security/meldung/Schwachstellen-im-VLC-Player-ermoeglichen-Code-Ausfuehrung-2535794.html

Tuesday, December 23, 2014

Gom Player Read Access Violation Vulnerability

Title : Gom Player 2.2.64.5211 Read Access Violation on Control
Discoverer: Cihat YILDIZ (@cihatix)
Web page : www.binarysniper.net
Test: Windows XP SP3
Status: Not Fixed
Severity : High

OSVDB ID: 116462

Discovered: 24 December 2014
Reported: 24 December 2014
Published: 24 December 2014

Description : GOM Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted TIFF file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code.


Tuesday, November 25, 2014

Google Chrome caused a crash..!


Title : Google Chrome caused a crash..!
Version: 35.0.1916.114
Discoverer: Veysel HATAŞ (vhatas@gmail.com)
Web page : www.binarysniper.net
Test: Windows 8
Status: Fixed

Discovered: 24 May 2014
Reported: 25 November 2014
Published: 25 November 2014
Chromium Issue: 436382

windbg crash log


Crash report from EMET

Thursday, March 20, 2014

Immunity Debugger Stack Overflow Vulnerability – PoC

It's not always possible to find vulnerabilities, let alone zero-days, using reverse engineering or fuzzing, but this time I was very lucky. Two months ago I was studying Corelan's article on heap spray exploitation, which is a great one. During that study, while I was debugging Internet Explorer 7, Immunity Debugger (the latest version, 1.85) crashed and WinDbg handled the exception. I was really surprised.

OSVDB ID : 107499 
EDB-ID      : 32435
Reddit       : /r/netsec

When I looked back to determine what caused it to crash, I noticed that the SE handler had been added recursively to the SEH chain. Because the SEH chain is built on the stack and the chain had grown too long, this caused a stack overflow and Immunity Debugger crashed.



After identifying the cause of the crash, I quickly wrote a quick-and-dirty PoC to trigger the stack overflow. The following PoC creates nested try-catch blocks to overflow the stack.

It was tested on Windows 7 and Windows XP. On both, DEP was disabled.
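The mechanism described above, as an added example in C that is not the post's own PoC (that code is not reproduced here). On 32-bit Windows every MSVC __try frame pushes an EXCEPTION_REGISTRATION_RECORD onto its own stack frame and links it to the previous record through FS:[0], so recursing through such frames produces one chain entry per recursion level. The portable part of the program builds that same linked list by hand and walks it the way a debugger's SEH-chain view does; the part guarded by _MSC_VER and _M_IX86 does the real registration with __try and only compiles under 32-bit MSVC. The handler name, the recursion depths and the walk bound are assumptions. x64 Windows uses table-based unwinding instead of this stack-resident chain, so the effect is x86-specific.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of the x86 SEH registration record that FS:[0] points at
 * (_EXCEPTION_REGISTRATION_RECORD): a "next" link and a handler pointer. */
typedef void (*seh_handler_t)(void);
typedef struct seh_record {
    struct seh_record *next;    /* previous registration; 0xFFFFFFFF ends the chain */
    seh_handler_t      handler; /* _except_handler3/4 for MSVC __try frames */
} seh_record_t;

#define SEH_CHAIN_END ((seh_record_t *)(uintptr_t)-1)

/* Stand-in for the compiler's handler (assumed name); never dispatched to here. */
static void dummy_handler(void) {}

/* Walk the chain the way a debugger's "SEH chain" view does. `limit` is an
 * added safety bound so a cyclic or corrupted chain cannot spin forever. */
static size_t walk_chain(const seh_record_t *head, size_t limit) {
    size_t n = 0;
    while (head != SEH_CHAIN_END && head != NULL && n < limit) {
        head = head->next;
        n++;
    }
    return n;
}

/* Recurse `depth` levels. Each level does what a __try prologue does: it
 * places a record in its own frame and links it to the previous one. The
 * chain is measured at the bottom while every frame is still live. */
static size_t nest(unsigned depth, seh_record_t *prev, size_t limit) {
    seh_record_t rec;
    rec.next = prev;
    rec.handler = dummy_handler;
    if (depth == 0)
        return walk_chain(&rec, limit);
    return nest(depth - 1, &rec, limit);
}

/* Number of records a debugger would see for `depth` nested frames:
 * depth + 1, counting the outermost one. */
size_t seh_chain_length(unsigned depth) {
    return nest(depth, SEH_CHAIN_END, (size_t)depth + 2);
}

#if defined(_MSC_VER) && defined(_M_IX86)
#include <windows.h>
/* 32-bit MSVC only: the real registration. Every recursive frame adds its
 * __try handler to FS:[0]; the null write at the bottom raises an access
 * violation with all of them still on the chain. This is an assumed shape
 * for the kind of PoC the post describes, not the post's own code. */
static void nest_try(unsigned depth) {
    __try {
        if (depth)
            nest_try(depth - 1);
        else
            *(volatile int *)0 = 0;
    } __except (EXCEPTION_CONTINUE_SEARCH) {
    }
}
#endif

int main(void) {
    printf("records on the chain for 10000 nested frames: %zu\n",
           seh_chain_length(10000));
#if defined(_MSC_VER) && defined(_M_IX86)
    nest_try(100000); /* depth is an assumption; run under a 32-bit debugger */
#endif
    return 0;
}
```

Under a 32-bit debugger the null write at the bottom of nest_try arrives as a first-chance exception while every frame's handler is still registered, which is the long chain the post refers to. The bounded walk is the check a practitioner wants when writing their own chain walker: a chain that has been corrupted into a cycle (as in a classic SEH overwrite) would otherwise be traversed forever.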



The !exploitable output below classifies the crash as probably not exploitable.

0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at ImmunityDebugger!Addsorteddata+0x0000000000000069 (Hash=0xa84b56c5.0x36b8c4de)
This is a user mode read access violation near null, and is probably not exploitable. 

This vulnerability was reported to Immunity at support@immunityinc.co on 6 January 2014.


Thursday, August 8, 2013

Hello World

Hello everybody. This blog was created to give researchers comprehensive knowledge about vulnerability research and exploit development.

We plan to post on many subjects here, such as:
  • Exploit development
  • Vulnerability research
  • Fuzzing
  • Network packet injection
  • Malware analysis
Additionally, keep in mind that all posts on this blog are for academic use only. We are not responsible for malicious use.

Enjoy your research...