Symantec Blogs: Security Response

Aaron Adams | September 24th, 2007

As little as three years ago, the concept of remote kernel exploitation remained arcane for most people in the security industry and was believed in some circles to be practically impossible, mostly due to reliability issues. However, things in the security realm change quickly. Reliable exploit techniques come and go, new security mechanisms are introduced, and arcane exploitation concepts are revisited. Sometimes an exploitation concept that was once brushed off as too unreliable is reconsidered, bringing it again into focus as a useful and feasible attack vector.

Kernel vulnerabilities themselves are nothing new, of course. The exploitation of local kernel flaws has been a popular pastime for many researchers and hackers over the years, and in many cases these flaws were shown to be exploited just as reliably as a local flaw in userland software. However, being local to the system has its advantages; the level of interactivity with the system and the data that is available make for...

Aaron Adams | July 26th, 2007

The hacking scene is definitely not what it used to be. Though it seems hard to remember, there was a time before vulnerabilities were posted to mailing lists every day, before you could sell exploits to corporations, and before hacking groups were being turned into security companies. There were few established laws restricting hacking, and a simple Internet search returned a massive amount of detail on how to hack. It was a time when a few small groups of elite technology enthusiasts, driven largely by curiosity and mischief (rather than malice), became some of the most notorious and powerful hackers of all time.

This was the era of groups like the Legion of Doom, the Cult of the Dead Cow, the Masters of Deception, the Chaos Computer Club, the P.H.I.R.M., the genesis of zines like Phrack and 2600, and the days when blowing a whistle found in a cereal box into a telephone receiver gave you control of a phone line.

In those days, communication between hackers was mostly...

Aaron Adams | May 31st, 2007

On May 14, 2007 a number of interesting heap-corruption vulnerabilities were disclosed in Samba 3.0.25rc3 and earlier. On the same day, Immunity released a private exploit for one of the issues on Solaris. A few days later, an exploit module was released for the Metasploit framework that reliably exploited the issue on a number of Linux distributions. The module specifically targeted the flaw in the lsa_io_trans_names function.

Over the past few years, the discovery of high profile vulnerabilities in widespread Unix applications seems to be decreasing. Additionally, a variety of security mechanisms are more commonly deployed on Linux distributions, such as non-executable stacks, stack canaries, and secure heaps, all of which make the release of public exploits this reliable more rare,...

Aaron Adams | May 13th, 2007

The DeepSight Threat Analyst Team is constantly monitoring honeypots termed “crawlers”, which are designed to crawl the Internet looking for maliciously-crafted web pages. These crawlers emulate users surfing the Internet with various browsers that may be susceptible to client-side exploits hosted on web pages. With the crawlers, we capture a lot of the run-of-the-mill malicious code using legacy web vulnerabilities. Malware authors especially like to spread using the Microsoft MDAC RDS.Dataspace ActiveX Control Remote Code Execution Vulnerability (BID 17462).

But among the legacy attacks, we run into much more interesting compromises that ironically still install some of the same old malware variants. One of these interesting compromises was encountered on May 8, 2007. A URL was distributed that was designed to look like it belonged to the Halifax Online financial institute. However, the resulting site looked only...

Aaron Adams | February 8th, 2007

The month of January is already over and, accordingly, so is the Month of Apple Bugs (MoAB). As promised, one advisory was released every day of the month, in some cases addressing numerous vulnerabilities in an application. Unlike the Month of Browser Bugs and Month of Kernel Bugs, this time we saw the interesting twist of a parallel group starting a Month of Apple Fixes. This group was responsible for the release of unofficial run-time patches for the majority of the issues disclosed, with the exception of those affecting the kernel.

The classes of vulnerabilities discovered during the MoAB covered pretty much the whole gamut, including stack and...

Aaron Adams | November 15th, 2006

Succinct information regarding the OS X threat landscape is hard to come by. Much of the information regarding OS X security and threats is blatantly wrong, overwhelmed by flame wars, and generally hard to digest. This isn't to say that researchers aren't releasing accurate and cutting edge information regarding viruses, vulnerabilities, and exploitation vectors affecting the platform. On the contrary, it seems that many of the defenders or users of OS X are unaware of their existence, don't understand them, or simply choose to ignore them.

In light of all of the misinformation and confusion surrounding the topic, there is a lack of a sufficient summary of what threats have affected OS X and what research is being carried out regarding the platform. So, I decided to document it. The document I set out to write was not meant to uncover anything new. No new vulnerabilities, exploit vectors, or rootkit techniques. Instead, I wanted to correlate and summarize the...