Showing posts with label Flaws. Show all posts

Wednesday, July 11, 2007

Nice granny code!

Too bad it only works for 'union' :>


/*
 * Delete a whiteout from the filesystem.
 */
/* ARGSUSED */
#warning XXX authorization not implmented for whiteouts
int
undelete(struct proc *p, register struct undelete_args *uap, __unused register_t *retval)
{

Left-overs from old functionality are dangerous. Or at least fun to deal with.

Friday, January 26, 2007

Apple releases Quicktime and Airport Extreme security updates

Apple has released security updates for the vulnerability published during the Month of Apple Bugs as MOAB-01-01-2007 and for the closing vulnerability of the Month of Kernel Bugs, MOKB-30-11-2006. The exposure time was 22 days for the first and 58 days for the latter (although no public proof of concept was distributed, which would most probably have sped up patch development).

Tuesday, January 23, 2007

Exploiting the otherwise non-exploitable, on Mac OS X

UserNotificationCenter retains wheel privileges at execution time while still having a UID associated with the current user. Because of this, it will attempt to run any InputManager provided by the user, and code within that input manager will run with wheel privileges. Combined with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.

See the Month of Apple Bugs release and the exploit. This issue can be abused by fully unprivileged users and triggered via any of the so-called 'crashes' (e.g. alleged 'denial of service'-only issues...).

A tribute to the Month of Browser Bugs, and especially Matt Miller, HD Moore and Skywing.

Wednesday, December 27, 2006

Flawed antivirus products

A load of new issues related to AV products have been published during the current month. Apparently fuzzing is becoming quite popular nowadays, as almost every issue is a file format parsing flaw:

AV engines are definitely a hot target for fuzzing. They are expected to handle many different archive and executable formats, and that is a great source of security issues (most commonly integer overflows, heap-based buffer overflows and even some good old stack smashing fun).

Saturday, November 11, 2006

Wireless fun with MOKB-11-11-2006

The Broadcom BCMWL5.SYS wireless device driver is vulnerable to a stack-based buffer overflow that can lead to arbitrary kernel-mode code execution. This particular vulnerability is caused by improper handling of 802.11 probe responses containing a long SSID field. The BCMWL5.SYS driver is bundled with new PCs from HP, Dell, Gateway, eMachines, and other computer manufacturers. Broadcom has released a fixed driver to their partners, which are in turn providing updates for the affected products. Linksys, Zonet, and other wireless card manufacturers also provide devices that ship with this driver.

More details and proof of concept (exploit) at http://projects.info-pull.com/mokb/MOKB-11-11-2006.html.
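An added example, not code from the advisory or the Broadcom driver: a C routine that walks the probe-response IE list and refuses an SSID longer than the 32 bytes 802.11 allows, which is the bound whose absence this bug class comes down to (the IE lists in it are constructed):

```c
/* Added illustration, not code from the MOKB-11-11-2006 advisory or the
 * Broadcom driver: a defensive walk over the information-element (IE) list
 * of an 802.11 probe response. 32 bytes is the 802.11 SSID maximum; the
 * sample IE lists below are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IE_SSID       0x00
#define SSID_MAX_LEN  32

/* Each IE is id (1 byte), length (1 byte), payload. Copy the SSID into
 * `ssid` (capacity SSID_MAX_LEN) and return its length, or -1 when an element
 * is truncated, no SSID IE exists, or the SSID exceeds the buffer. Trusting
 * the length byte and copying without that bound is the defect class the
 * advisory describes. */
int probe_resp_ssid(const uint8_t *ies, size_t ies_len, uint8_t *ssid)
{
    size_t off = 0;
    while (off + 2 <= ies_len) {
        uint8_t id = ies[off], len = ies[off + 1];
        if (off + 2 + (size_t)len > ies_len)
            return -1;                /* element claims bytes the frame lacks */
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN)
                return -1;            /* oversized SSID: reject, never copy */
            memcpy(ssid, &ies[off + 2], len);
            return (int)len;
        }
        off += 2 + (size_t)len;
    }
    return -1;                        /* no SSID element found */
}

/* Constructed IE lists: a normal 4-byte SSID, then one claiming 64 bytes. */
int check_normal_ssid(void)
{
    const uint8_t ies[] = { IE_SSID, 0x04, 'h', 'o', 'm', 'e', 0x01, 0x01, 0x82 };
    uint8_t ssid[SSID_MAX_LEN];
    return probe_resp_ssid(ies, sizeof ies, ssid);       /* returns 4 */
}

int check_oversized_ssid(void)
{
    uint8_t ies[2 + 64], ssid[SSID_MAX_LEN];
    ies[0] = IE_SSID; ies[1] = 64;
    memset(ies + 2, 'A', 64);
    return probe_resp_ssid(ies, sizeof ies, ssid);       /* returns -1 */
}
```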