Analysis of CVE-2014-8476: a FreeBSD kernel memory disclosure vulnerability

One week ago, on November 4th, 2014, the FreeBSD team published security advisory FreeBSD-SA-14:25.setlogin describing an information disclosure vulnerability in setlogin(2) / getlogin(2), which could allow an unprivileged user to disclose kernel memory contents.

This vulnerability (identified as CVE-2014-8476) affects all supported versions of FreeBSD. This is the problem description, taken from the advisory:

When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the portion occupied by the login name associated with the session.

The code of the vulnerable function (getlogin in FreeBSD 8.4, sys_getlogin in newer versions) is located at /sys/kern/kern_prot.c:


Stripe CTF 2.0 writeups, levels 0 to 6

About a week late, but here you have my writeups for Stripe CTF 2.0, levels 0 to 6. There were two more levels, but I wasn’t able to complete them.

Congrats to the Stripe guys for the nice work organizing this web-oriented CTF!

Level 0 (SQL Injection)

This level was a web application written using node.js. It was possible to inject SQL code into a vulnerable query, as seen below:


Mitigating Cross-Site Request Forgery with NoScript

Three months ago Core Security posted an advisory regarding a CSRF vulnerability I found in IBM WebSphere Application Server. While preparing the advisory, I investigated some ways to mitigate this class of vulnerability when, for some reason, there’s no patch available for the affected web application. It turned out that Cross-Site Request Forgery can be mitigated both on the server side and on the client side.


Advisory: Oracle GlassFish Server Administration Console Authentication Bypass (CVE-2011-1511)

This is a quick post about a vulnerability I found in Oracle GlassFish Server (CVE-2011-1511), which was published two weeks ago (I know, I’m a bit late).

The Administration Console of Oracle GlassFish Server is prone to an authentication bypass vulnerability, which can be exploited by remote attackers by performing TRACE requests.

You can find the advisory with the analysis of the bug and its technical details here: CORE-2010-1118: Oracle GlassFish Server Administration Console Authentication Bypass.

By the way, the timeline of the advisory deserves some attention!

And if you are asking, yes, this bug can be exploited to create an administrative account on the GlassFish Server and then execute arbitrary code on the vulnerable machine!