Matasano Chargen: zeroBay Exists: Will The Juice Be Worth The Squeeze?

  • Fionnbharr Davies · 2 years ago
    Your post is true for smaller apps imo, but what about one of the other auctions up there now 'Local Linux kernel memory leak'. Pretty big target.
  • dre · 2 years ago
    But, according to the Wikipedia entry on Mr. T, "For about ten years, Mr. T was a bodyguard to the stars, protecting such well-known personalities as Muhammad Ali, Steve McQueen, Michael Jackson, Bruce Lee, Joe Frazier, and Diana Ross. He charged around $3,000 a day and his business card famously read, `Next to God, there is no greater protector than I'. He always boasts that he never lost a client, saying, `I got hurt worse growing up in the ghetto than working as a bodyguard'".

    Everybody loves Mr. T! Come on! You gotta love him!

    Completely on topic

    Notice that I didn't even use the word "iPhone" or mention anyone by the initials "David Maynor" at all in this blog comment.
  • Chris R. · 2 years ago
    That Linux kernel vulnerability has a CVE #. Soooo it's just an exploit for sale?
  • Dave G. · 2 years ago
    @Fionnbharr:

    It is definitely true that the information isn't as directly valuable. But knowing that something exists and what type of vulnerability definitely gives a competitive researcher a nice head start on finding the vulnerability. If someone were selling an Apache bug, I can think of a couple of researchers who would double their efforts on Apache.
  • Bee Binger · 2 years ago
    grep require * | grep -i get
    gpg_help.php:require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );
    gpg_help_base.php:require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );

    ------------
    if you can break this function .. maybe a good challenge?

    function gpg_ckMOD($rMOD){
        if (strstr($rMOD, '.')
            || strstr($rMOD, '/')
            || strstr($rMOD, '%')
            || strstr($rMOD, "\\")){
            echo _("Cute.");
            exit;
        }
    };

    then you would have command exec in these:

    gpg_options.php:require_once(SM_PATH."plugins/gpg/modules/$MOD.mod");
    gpg_pop_init.php:require_once("modules/$MOD.mod");

    ------

    $pre_pass =" $path_to_gpg --passphrase-fd 0 --armor --batch --no-tty --detach-sign --default-key $key_id
    --homedir $gpg_key_dir $filename 2>&1";
    $cmd = "echo $passphrase|$pre_pass";
    exec($cmd,$output,$returnval);

    plus many of these user variables going to many different exec calls

    yea this is a joke .. I do not think you need Stefan Esser to pop these.
  • Rhys Kidd · 2 years ago
    Not only has that local Linux kernel memory leak vulnerability from March 2007 been assigned CVE-2007-1000, but PoC code was included in the *original* Linux Bugzilla posting, and is easily found with a moment of Googling.

    http://bugzilla.kernel.org/show_bug.cgi?id=8134

    So some idiot might wastefully pay for that PoC code, which can be found for free, is old, likely patched and doesn't really have a high impact rating. Woohoo, that site's a great way to print Euros from recycling public domain code.
  • Stefan Esser · 2 years ago
    From looking at the code for a few minutes and without an installed version of Squirrelmail I GUESS that there is some code execution through the filename of encrypted attachments.

    At least the very quick look lets me assume that the filename is copied into the shell command without escaping...

    lalalala...
  • Stefan Esser · 2 years ago
    Bee Binger I took your challenge ;)

    However gpg_ckMOD($MOD) is not of much use if it is used in this way:

    if (!isset($MOD) || !$MOD) {
    gpg_ckMOD($MOD);
    }

    Therefore through gpg_pop_init.php you can include arbitrary files ;)

    The help system requires are btw. already fixed in their CVS version.

    And yes I was right through the "Decrypt Attachment" function arbitrary shell commands can be injected via the dlfilename parameter.
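The two weaknesses the thread walks through (Bee Binger's `require_once` of a user-controlled `$MOD` guarded by a blacklist that, as Stefan Esser notes, only runs when `$MOD` is empty, and the `echo $passphrase|$gpg ...` exec built from unescaped variables) are both fixed by the same pattern: allowlist the include and keep user data out of the shell. The block below is an added example, not SquirrelMail's or the GPG plugin's code; the function names and the module list are assumptions.

```php
<?php
// Added example (hypothetical names, not the plugin's own code).

// 1. Module include: resolve $MOD against a fixed allowlist instead of
//    stripping "bad" characters, and run the check on every request
//    (the plugin's gpg_ckMOD() was only reached when $MOD was unset).
function gpg_resolve_module(string $base_dir, ?string $mod): ?string {
    static $allowed = ['keyring', 'options', 'help'];   // constructed list
    if ($mod === null || !in_array($mod, $allowed, true)) {
        return null;                                    // unknown module: refuse
    }
    $root = realpath($base_dir . '/modules');
    $path = realpath($base_dir . '/modules/' . $mod . '.mod');
    // realpath() collapses "..", so anything outside modules/ is rejected here too
    if ($root === false || $path === false || strpos($path, $root . '/') !== 0) {
        return null;
    }
    return $path;
}

// 2. Shell command: every interpolated value goes through escapeshellarg(),
//    and the passphrase never appears on the command line at all.
function gpg_build_sign_cmd(string $gpg, string $key_id, string $homedir, string $file): string {
    return escapeshellarg($gpg)
        . ' --passphrase-fd 0 --armor --batch --no-tty --detach-sign'
        . ' --default-key ' . escapeshellarg($key_id)
        . ' --homedir '     . escapeshellarg($homedir)
        . ' '               . escapeshellarg($file) . ' 2>&1';
}

// The passphrase is written to gpg's stdin (fd 0) via proc_open(), which
// replaces the "echo $passphrase|$pre_pass" construction in the thread.
function gpg_detach_sign(string $cmd, string $passphrase): array {
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return [-1, ''];
    }
    fwrite($pipes[0], $passphrase . "\n");
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), $out];   // [exit status, gpg output]
}
```

A `$MOD` value such as `../../etc/passwd%00` or a `dlfilename` containing shell metacharacters is rejected by the allowlist or neutralised by `escapeshellarg()` respectively, rather than relying on `gpg_ckMOD()`'s character blacklist being reached.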
  • JohnGruberIsARobot · 2 years ago
    Wow, judging by all the free code auditing done here and Daily Dave, it seems like vendors can get some good free auditing done just by posting a fake vuln on zeroBay and waiting til it's "reversed."
  • Marcin · 2 years ago
    @JohnGruberIsARobot:

    You can't get any better than this ;) /sarcasm

    Q: What guarantees will you give me about the reliability of the security researches listed on the market place?
    A: Full guarantee. Every piece of security research is carefully analyzed and replicated in our own laboratories and eventually implemented with our own complementary research material before being placed on the market place.
  • JohnGruberIsARobot · 2 years ago
    @Marcin:

    With that guarantee, it might be tricky. Oh well, there's always the old-fashioned way of gathering free code auditing that vendors have been using for years: offending researchers with outlandish claims of having flawless security in a product and seeing what they come up with....