Full Disclosure

Re: The story of the Linux kernel 3.x...

Wed, 16 May 2012 16:27:03 GMT

Posted by Tavis Ormandy on May 16

Adam Zabrocki <pi3 () pi3 com pl> wrote:

You must be doing something unusual, are these stock kernels?

Those distributions all have good security teams who certainly understand
what CONFIG_COMPAT_VDSO does, and would not enable it.

Tavis.

Re: Trigerring Java code from a SVG image

Wed, 16 May 2012 14:55:48 GMT

Posted by Nicolas Grégoire on May 16

Agreed. Uploading a SVG chameleon (SVG file triggering a XSLT
transformation) to a website allows to display nearly arbitrary content
if the file is called directly. This is similar to the WXR upload
feature abused by the MSVR team in order to XSS the Wordpress.com
website (as presented at 27C3).

Mario's research have shown some weird behavior in Opera. There's an
online demo of SVG files loaded via <img> and starting some...

Video tutorial: Stack-Based Buffer Overflow

Wed, 16 May 2012 14:41:20 GMT

Posted by Juan Sacco on May 16

I've made a video tutorial about buffer overflows take a look and share it
if you like it!

Video tutorial: http://www.youtube.com/watch?v=yPKCSXK8ZYo

Enjoy!

Re: Trigerring Java code from a SVG image

Wed, 16 May 2012 14:39:37 GMT

Posted by Krzysztof Kotowicz on May 16

Kind of. You can still do some stuff from <img> in Opera.
http://kotowicz.net/opera/

Re: The story of the Linux kernel 3.x...

Wed, 16 May 2012 14:36:54 GMT

Posted by Adam Zabrocki on May 16

Hi Tavis,

I've checked with the same result:

*) Fedora 16
*) latest Ubuntu
*) latest Suse

Best regards,
Adam Zabrocki

[PRE-SA-2012-03] Linux kernel: Buffer overflow in HFS plus filesystem

Wed, 16 May 2012 14:04:37 GMT

Posted by Timo Warns on May 16

PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-03
* Released on: 10 May 2012
* Affected product: Linux Kernel 3.3.x <= 3.3.4
2.6.x <= 2.6.35.13
* Impact: code execution / privilege escalation
* Origin: HFS plus file system
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-2319

Summary
-------

The Linux kernel contains a vulnerability in the driver...

Re: Trigerring Java code from a SVG image

Wed, 16 May 2012 10:31:20 GMT

Posted by Dan Kaminsky on May 16

Anything from <img> in any browser?

Re: The story of the Linux kernel 3.x...

Wed, 16 May 2012 09:53:39 GMT

Posted by Tavis Ormandy on May 16

Adam Zabrocki <pi3 () pi3 com pl> wrote:

You must be using CONFIG_COMPAT_VDSO, it's rarely used unless you need
compatibility with an ancient libc that was released during the narrow
window where the vdso was mapped at a static location.

Any libc released since ~2006 would never need it, and will determine the
vdso location at runtime from auxv.

If any distribution ships a kernel with this option enabled, then you've
found a...

Re: Trigerring Java code from a SVG image

Wed, 16 May 2012 09:25:49 GMT

Posted by Michele Orru on May 16

Mario Heiderich did a lot of research on that, he found so many bugs
that allowed
to embed Javascript in SVG images.

Nice stuff Nick btw,

Cheers
antisnatchor

Re: Trigerring Java code from a SVG image

Wed, 16 May 2012 09:13:29 GMT

Posted by Dan Kaminsky on May 16

Yeah, there's a bunch of wild stuff in SVG. The browsers ignore most of
it, AFAIK. I think Firefox is the only browser to even consider
ForeignObjects (which let you throw HTML back into SVG).

Probably the most interesting SVG thing is how they either do or don't have
script access, depending on whether or not they're loaded as <img>'s. It
would be problematic indeed if <img src="foo.jpg"> could...

JW player xss security flaw

Wed, 16 May 2012 09:07:00 GMT

Posted by WooYun on May 16

"LongTail Video is a New York-based startup that has pioneered the web
video market. Our flagship product the - JW Player - is active on over
one million websites and streams billions of videos each month."

Someone has reported a xss security flaw of JW Player on wooyun,much
more information here:

http://www.wooyun.org/bugs/wooyun-2010-07166

from: http://www.wooyun.org/whitehats/gainover

a example here:...

struts csrf token bypass

Wed, 16 May 2012 09:05:22 GMT

Posted by WooYun on May 16

hi

someone report a security flaw of struts on wooyun,it allow you bypass
the struts's csrf protection without XSS

much more information here:

http://zone.wooyun.org/content/205

:)

The story of the Linux kernel 3.x...

Wed, 16 May 2012 09:03:52 GMT

Posted by Adam Zabrocki on May 16

The story of the Linux kernel 3.x...

In 2005 everybody was exited about possibility of bypass ASLR on all
Linux 2.6 kernels because of the new concept called VDSO (Virtual
Dynamic Shared Object). More information about this story can be found
at the following link:
http://www.trilithium.com/johan/2005/08/linux-gate/

In short, VDSO was mmap'ed by the kernel in the user space memory always
at the same fixed address. Because of that...

SEC-T 2012 CFP and Challenge

Wed, 16 May 2012 09:02:18 GMT

Posted by olle on May 16

TL;DR
Submit here: http://sec-t.org/2012/cfp.html
Crack this: http://youtu.be/rMqZW0fFThc
TL;DR

CFP for the 5th annual SEC-T conference in Stockholm, Sweden is open!
This year the conference is held on the 13th and 14th of September.

Don't forget to try your hand at the challenge, this year harder than
ever and produced in cooperation with the one and only Fairlight crew.
Winner gets a free ticket to the conference and infinite glory!!!11...

Trigerring Java code from a SVG image

Wed, 16 May 2012 09:00:46 GMT

Posted by Nicolas Grégoire on May 16

Hello,

SVG is a XML-based file format for static or animated images. Some SVG
specifications (like SVG 1.1 and SVG Tiny 1.2) allow to trigger some
Java code when the SVG file is opened.

Given that I had to look at these features for a customer, I developed
some PoC codes which are now available online:
http://www.agarri.fr/docs/batik-evil.svg
http://www.agarri.fr/docs/batik-evil.jar

I published a more detailed article on my blog:...