Tue, 22 Jan 2008

QA Hell: Quicktime again!

Even though time for keeping this blog updated is becoming rather scarce, we couldn't resist publishing a note about Quicktime again. It was in the news some time ago, due to another simple, classical stack buffer overflow flaw, once again in the RTSP handling.

Our exploit pack already provides a reliable exploit against this and other recent flaws, and there is no real exploit for this flaw publicly available (in terms of quality and reliability). It's quite possible that so-called drive-by malware installation kits are making use of this flaw to infect unsuspecting users.

We expected Apple to perform some due diligence with Quicktime's QA, since the last real 1990s-style flaws have all been related to RTSP functionality, but it looks like they are still missing some guidance. Hopefully it won't take long for them to realize that something like SDL could significantly improve their product security.

NetBSD, architecture-dependent issues and forthcoming projects

We've been talking to a kernel developer of the NetBSD project (probably the most portable operating system out there) regarding its security status and some potential enhancements.
While reading through the secmodel securelevel source, we spotted this interesting snippet:

case KAUTH_REQ_SYSTEM_TIME_SYSTEM: {
    struct timespec *ts = arg1;
    struct timeval *delta = arg2;

    /*
     * Don't allow the time to be set forward so far it will wrap
     * and become negative, thus allowing an attacker to bypass
     * the next check below.  The cutoff is 1 year before rollover
     * occurs, so even if the attacker uses adjtime(2) to move
     * the time past the cutoff, it will take a very long time
     * to get to the wrap point.
     *
     * XXX: we check against INT_MAX since on 64-bit
     *      platforms, sizeof(int) != sizeof(long) and
     *      time_t is 32 bits even when atv.tv_sec is 64 bits.
     */
    if (securelevel > 1 &&
        ((ts->tv_sec > INT_MAX - 365*24*60*60) ||
         (delta->tv_sec < 0 || delta->tv_usec < 0)))
        result = KAUTH_RESULT_DENY;

    break;
}
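To make the wrap the kernel comment describes concrete, here is an added example of our own (not NetBSD's code) that models the narrowing of a 64-bit second count into a 32-bit time_t and re-expresses the quoted policy as a predicate; the names would_wrap_negative, securelevel_time_denied and denied_for are assumptions for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>
#include <time.h>

#define ONE_YEAR_SECS (365L * 24 * 60 * 60)

/* The wrap the kernel comment warns about, made explicit: storing a 64-bit
 * second count into a 32-bit time_t truncates, and any value above INT_MAX
 * comes out negative, i.e. as a date before the epoch. */
bool would_wrap_negative(int64_t secs)
{
    int32_t narrowed = (int32_t)(uint32_t)secs;  /* two's complement truncation */
    return narrowed < 0;
}

/* The quoted securelevel policy re-expressed as a predicate (our own
 * wrapper, not NetBSD's code). Returns true if the request is denied. */
bool securelevel_time_denied(int securelevel, const struct timespec *ts,
                             const struct timeval *delta)
{
    if (securelevel <= 1)
        return false;            /* policy only applies at securelevel > 1 */
    /* Cutoff one year before INT_MAX so settime(2) can't reach the wrap point. */
    if (ts->tv_sec > INT_MAX - ONE_YEAR_SECS)
        return true;
    /* Below the cutoff, adjtime(2) may still not move the clock backwards. */
    if (delta->tv_sec < 0 || delta->tv_usec < 0)
        return true;
    return false;
}

/* Scalar convenience wrapper for quick checks (hypothetical helper). */
bool denied_for(int securelevel, int64_t secs, long dsec, long dusec)
{
    struct timespec ts = { .tv_sec = (time_t)secs, .tv_nsec = 0 };
    struct timeval delta = { .tv_sec = dsec, .tv_usec = dusec };
    return securelevel_time_denied(securelevel, &ts, &delta);
}

int main(void)
{
    /* Constructed inputs: one second past INT_MAX, and a 2008-era clock. */
    printf("wrap above INT_MAX: %d\n", would_wrap_negative((int64_t)INT_MAX + 1));
    printf("negative adjtime at securelevel 2: %d\n", denied_for(2, 1200000000, -1, 0));
    return 0;
}
```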

License

Creative Commons License
Subreption blog by Subreption LLC is Licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.