Friday, January 26, 2007
Tuesday, January 23, 2007
UserNotificationCenter retains wheel privileges at execution time while still having a UID associated with the current user. Because of this, it will attempt to run any InputManager provided by the user, and code within the input manager will run with wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
See the Month of Apple Bugs release and the exploit. This issue can be abused by fully unprivileged users and triggered via any of the so-called 'crashes' (e.g. alleged 'denial of service'-only issues...).
A tribute to the Month of Browser Bugs, and especially Matt Miller, HD Moore and Skywing.
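For the UserNotificationCenter issue described above, the following audit sketch is an added example, not code from this blog or from the Month of Apple Bugs release. It flags setuid files that a group or everyone can modify and lists input managers installed in a user's own Library; the function names are hypothetical, and it assumes group wheel is gid 0 and that per-user input managers live in `~/Library/InputManagers`.

```python
import os
import stat

WHEEL_GID = 0  # assumption: group wheel is gid 0, as on Mac OS X


def risky_setuid(mode, gid, wheel_gid=WHEEL_GID):
    """Return why a setuid file is modifiable by non-owners, or None if it is not."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP:
        return "wheel-writable" if gid == wheel_gid else "group-writable"
    return None


def audit_tree(root):
    """Walk root and list (path, octal mode, reason) for every risky setuid file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            except OSError:
                continue  # vanished or unreadable entry
            reason = risky_setuid(st.st_mode, st.st_gid)
            if reason:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), reason))
    return findings


def user_input_managers(home):
    """Names of input manager bundles a user has placed in their own Library."""
    path = os.path.join(home, "Library", "InputManagers")
    return sorted(os.listdir(path)) if os.path.isdir(path) else []


if __name__ == "__main__":
    # Constructed sample (mode, gid) pairs, not taken from a real system.
    for mode, gid in [(0o104775, 0), (0o104755, 0), (0o100775, 0), (0o104777, 20)]:
        print(oct(mode), gid, risky_setuid(mode, gid))
    print(audit_tree("/usr/bin"), user_input_managers(os.path.expanduser("~")))
```

Any path reported by `audit_tree` should have its group and world write bits removed or its setuid bit dropped.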
Sunday, January 07, 2007
Description from the NSA website about IME:
The Inline Media Encryptor (IME) is a government-developed media encryption device. It is positioned "in line" between the computer processor and hard drive to ensure that anything stored to the hard drive gets encrypted and anything retrieved from the hard drive gets decrypted. The IME protects data classified Top Secret and below. Data stored on the hard drive is considered unclassified when encrypted.
Nice. Read about the features. Certainly hardware-based solutions are extremely useful. Wonder if there's a commercial device that conforms to similar standards available for public consumption. Hopefully not.
Friday, January 05, 2007
There has been a significant workload, between working on exploit code and dealing with press and media. Looks like some stuff has been going around:
- The Metasploit module (Microsoft Windows target) for the QuickTime RTSP vulnerability, by MC.
- An excellent article by Brian Krebs about Microsoft Internet Explorer vulnerabilities, patch times and "exposure" time (total: 284 days, see the neat chart).
- Apple DiskManagement BOM Local Privilege Escalation Vulnerability (Month of Apple Bugs).
- Landon Fuller kicks *** with the fixes for MOAB issues.
- VideoLAN fixes the VLC issue in record time (certainly an example of fast, great vulnerability response).
- dr_springfield website (nice code).
More to come if there's time for it.