SecurityFeed.info » Apple Fun

Feeds

23887 items (23887 unread) in 97 feeds

• Aviv Raff On .NET (18 unread)
• Bugtraq (bugtraq) Mailing List (605 unread)
• CGISecurity.com: Your Web Site and Application Security Resource (74 unread)
• christian's weblog (25 unread)
• Irongeek's Security Site (125 unread)
• Jeremiah Grossman (74 unread)
• Heorot.net (11 unread)
• milw0rm.com (440 unread)
• Nmap Hackers (nmap-hackers) Mailing List (7 unread)
• Packet Storm Security Advisories (373 unread)
• Packet Storm Security Exploits (461 unread)
• Packet Storm Security Headlines (376 unread)
• Packet Storm Security Last 100 (1841 unread)
• Packet Storm Security Last 20 (833 unread)
• Packet Storm Security Last 50 (1441 unread)
• Packet Storm Security Last Files (544 unread)
• Packet Storm Security Miscellaneous Files (109 unread)
• Packet Storm Security Tools (113 unread)
• Rootsecure.net (694 unread)
• SecuriTeam.com (184 unread)
• Security Vulnerability Research & Defense (36 unread)
• SecurityFocus News (139 unread)
• SecurityFocus Vulnerabilities (806 unread)
• Securityvulns news channel (336 unread)
• SecWatch - Latest Exploit Alerts (10 unread)
• Taking Network Security to the Streets (28 unread)
• The One And Only Matt Parnell.com (34 unread)
• The Register - Security (389 unread)
• The Register - Software (457 unread)
• VulnWatch (vulnwatch) Mailing List (19 unread)
• Web App Security (webappsec) Mailing List (88 unread)
• IceСμbeς (15 unread)
• Linmagazine (186 unread)
• ‫netcraft Bytes :) (38 unread)
• Digg (4061 unread)
• Blonde 2.0 (51 unread)
• The Microsoft Security Response Center (MSRC) (40 unread)
• (IN)SECURE Magazine Notifications RSS (17 unread)
• 0x000000 Security (79 unread)
• ----- Anti-Malware ----- Analysis and Defense (15 unread)
• Apple Fun (25 unread)
• Technorati Search for: aviv.raffon.net (203 unread)
• C.I.S.R.T. (10 unread)
• Determina Zero-Day Protection (6 unread)
• Didier Stevens (47 unread)
• eEye Digital Security - Research Blog (10 unread)
• Ryan Naraine's Security Watch (96 unread)
• Security - RSS Feeds (179 unread)
• Exploit Prevention Labs (28 unread)
• Software Vulnerability Exploitation Blog (22 unread)
• F-Secure Antivirus Research Weblog (75 unread)
• Full Disclosure (290 unread)
• George Ou (10 unread)
• GNUCITIZEN Media Portfolio (65 unread)
• ha.ckers.org web application security lab (35 unread)
• heise security (342 unread)
• invisiblethings' blog (35 unread)
• Jeff Jones's blog (12 unread)
• JScript Blog (16 unread)
• Matasano Chargen (38 unread)
• McAfee Avert Labs (66 unread)
• Michael Howard's Web Log (26 unread)
• PandaLabs (35 unread)
• Zero Day (273 unread)
• SANS Internet Storm Center, InfoCON: green (232 unread)
• Latest Secunia Security Watchdog Blog Entries (24 unread)
• SecuriTeam Blogs (65 unread)
• Security Fix (115 unread)
• HP ASC Portal (30 unread)
• Strike Center (12 unread)
• Sunbelt Blog (217 unread)
• Sunnet Beskerming Security Advisories (29 unread)
• Technobabylon
• The Recurity Lablog (31 unread)
• Wired: Threat Level (454 unread)
• TrendLabs | Malware Blog - by Trend Micro (159 unread)
• Uninformed Journal (44 unread)
• WabiSabiLabi's blog (22 unread)
• WatchGuard Wire (48 unread)
• Latest Blog Entires From WebSense Security Labs (42 unread)
• Hackszine.com (151 unread)
• DVLabs: Blogs (63 unread)
• Errata Security (81 unread)
• Robert Hensing's Blog (71 unread)
• PaulDotCom Community Blog (10 unread)
• David LeBlanc's Web Log (20 unread)
• Billy (BK) Rios (19 unread)
• David Litchfield's blog (21 unread)
• Farfromr00tin (23 unread)
• aut disce, aut discede (17 unread)
• pwn* (16 unread)
• hackademix.net (42 unread)
• SecurityDot Vulnerabilities (422 unread)
• Vulnerabilities & Exploits (29 unread)
• Malicious Code (26 unread)
• Security Risks (21 unread)
• Digg / Security / upcoming (4195 unread)

Apple Fun (10 unread)

• February 01, 2007
• 1:59

  MOAB-31-01-2007: Stay tuned (and farewell)

   » ‎ Apple Fun
  We thank everyone who has contributed, as well as those who donated to the project and sent nice feedback. We also thank the zealots, who made our day every time they blogged and commented about us. We would like to thank Apple for making this month a smooth one.
  
  Last but not least, we will stop disclosing (although KF might continue releasing issues) any further information related to OS X security. Full disclosure isn't good. Feeding the security industry neither.
  
  OS X remains insecure. But now there will be less 'publicity hogging' about it. Finally, you can always keep an eye on our well respected friends at Matasano, who might keep the a-bug-per-decade campaign.
  
  Have fun.
  

  • MOAB-31-01-2007: Stay tuned?
• January 31, 2007
• 4:50

  MOAB-30-01-2007: Multiple Apple Software Format String Vulnerabilities

   » ‎ Apple Fun

  Multiple developers of Apple based software including Apples own developers seem to have a misunderstanding of how to properly use NSBeginAlertSheet, NSBeginCriticalAlertSheet, NSBeginInformationalAlertSheet, NSGetAlertPanel, NSGetCriticalAlertPanel, NSGetInformationalAlertPanel, NSReleaseAlertPanel, NSRunAlertPanel, NSRunCriticalAlertPanel, NSRunInformationalAlertPanel, and NSLog.

  
  Further information:
  
  

  • Multiple Apple Software Format String Vulnerabilities
  • Application Kit Functions Reference
• January 30, 2007
• 6:48

  MOAB-29-01-2007: Apple iChat Bonjour Multiple Denial of Service Vulnerabilities

   » ‎ Apple Fun
  
  

  Apple iChat Bonjour functionality is affected by several remotely exploitable denial of service flaws which can be triggered via advertising presence services over multicast DNS.

  
  Further information:
  

  • Apple iChat Bonjour Multiple Denial of Service Vulnerabilities
  • Exploit: MOAB-29-01-2007.rb

  In other news, "Craig Seeman cseeman (at) optonline.net" (author of Flip4Mac reviews) contacted us:
  

  
  Hi,
  regarding http://projects.info-pull.com/moab/MOAB-27-01-2007.html
  This is what they're testing have found at this point: Flip4Mac has received reports of a QuickTime crash when playing a deliberately modified/damaged Windows Media file. There is no evidence that this has been or could be exploited to produce a security vulnerability. We have reproduced the crash and will include a fix for this in our next release.
  

  
  Hmm, even Mr. Keller has kept out of his business (prolly learnt that integer overflows are useful to pop shells around, long after the initial DMG-related lessons). So anyway, better saved EIP overwrite for you:
  

  
  Program received signal EXC_BAD_ACCESS, Could not access memory.
  Reason: KERN_INVALID_ADDRESS at address: 0xff806aa5
  0xffff0ac7 in ___memcpy () at .../PrivateHeaders/i386/cpu_capabilities.h:228
  228     in /.../PrivateHeaders/i386/cpu_capabilities.h
  (gdb) i f
  Stack level 0, frame at 0xbfffdc78:
  eip = 0xffff0ac7 in ___memcpy (/.../PrivateHeaders/i386/cpu_capabilities.h:228); saved eip 0xdddeface
  called by frame at 0xbfffdc80
  source language unknown.
  Arglist at 0xbfffdc70, args:
  Locals at 0xbfffdc70, Previous frame's sp is 0xbfffdc74
  Saved registers:
  eip at 0xbfffdc70
  (gdb) bt
  #0  0xffff0ac7 in ___memcpy () at /.../PrivateHeaders/i386/cpu_capabilities.h:228
  #1  0xdddeface in ?? ()
  

  
  Sure we can fake the output. But we seriously have better stuff to do around. Like releasing a working exploit while you keep eating peanuts. Enjoy.
  
• January 29, 2007
• 1:54

  MOAB-28-01-2007: Apple crashdump Privilege Escalation Vulnerability

   » ‎ Apple Fun

  crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. In couple with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges.

  • Apple crashdump Privilege Escalation Vulnerability
  • Exploit: MOAB-28-01-2007.rb and vuln
    
• January 27, 2007
• 10:00

  MOAB-27-01-2007: Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability

   » ‎ Apple Fun

  Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution.

  
  Further information:
  

  • Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability
  • Proof of concept: MOAB-27-01-2007.wmv

  This can be abused remotely even via Mail.app (sending the movie attached in the message), Safari, etc.
• 8:49

  MOAB-26-01-2007: Apple Installer Package Filename Format String Vulnerability

   » ‎ Apple Fun
  
  

  Apple Installer fails to properly handle package filename strings. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

  
  Further information:
  

  • Apple Installer Package Filename Format String Vulnerability
  • Petition Online: Assure OSX authentication dialog box authenticity
  • Petition Online: Remove all admin->root authorization prompts from OSX

  See: Sarcasm.
  
  Also, many thanks to an anonymous supporter for donating to the project. We are at $568.73 USD now. We would like to note also that we don't endorse any actions taken against anyone who openly criticizes or disagrees with the project. Let's keep out of personal attacks, they don't bring anything interesting to the playground, and after all, there are plenty of ways to poke fun out of someone without resorting to dirty tricks. For instance, give a exploit a good use.
• January 26, 2007
• 2:17

  MOAB-25-01-2007: Apple CFNetwork HTTP Response Denial of Service

   » ‎ Apple Fun

  CFNetwork fails to handle certain HTTP responses properly, causing the _CFNetConnectionWillEnqueueRequests() function to dereference a NULL pointer, leading to a denial of service condition.
  

  
  Further information:
  

  • Apple CFNetwork HTTP Response Denial of Service
  • Proof of concept: MOAB-25-01-2007.rb and MOAB-25-01-2007.c

  Many thanks to Craig Loomis, Greg Slepak and a previous supporter for donating to the project. The mark is at $472.93 USD now, so we are very close to the goal. Again, many thanks to everyone who has contributed, with both donations and feedback.
• January 25, 2007
• 3:27

  MOAB-24-01-2007: Apple Software Update Catalog Filename Format String Vulnerability

   » ‎ Apple Fun
  
  

  Software Update fails to properly handle the filename strings containing the swutmp extension. It's a affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution.

  
  Further information:
  

  • Apple Software Update Catalog Filename Format String Vulnerability
    
• January 24, 2007
• 3:08

  MOAB-23-01-2007: Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability

   » ‎ Apple Fun
  
  

  QuickDraw is integrated in Mac OS X since very early versions, used by Quicktime and any other application that needs to handle PICT images. A vulnerability exists in the handling of ARGB records (Alpha RGB) within PICT images, that leads to an exploitable memory corruption condition (ex. denial of service, so-called crash, which can be used to gain root privileges in combination with MOAB-22-01-2007).

  
  For further information:
  

  • Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability
  • Proof of concept: MOAB-23-01-2007.pct

  Apple has released a fix to MOAB-01-01-2007: Security Update 2007-001. They finally acknowledge the MoAB, with some PR crediting wizardry, aka 'let's mention but not explicitly say we are broken'. 22 days to fix a remote arbitrary code execution issue in one of their most extended products, distributed with working exploits for both Microsoft Windows and Mac OS X versions can be considered acceptable timing. Come on, it's not that difficult to change a strcpy() call... is it?
• January 23, 2007
• 6:05

  MOAB-22-01-2007: Apple UserNotificationCenter Privilege Escalation Vulnerability

   » ‎ Apple Fun

  UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it> will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.

  Further information:
  

  • Apple UserNotificationCenter Privilege Escalation Vulnerability
  • Exploit: MOAB-22-01-2007.rb

  Update: updated exploit (now fat binaries are used, thus exploit should work on a system without XCode and related developer tools; source code is provided to avoid the usual FUD about alleged 'root kits' and non-sense), release information, etc. KF worked hard on getting stuff up due to connectivity issues. He deserves a thumbs-up from everyone.