Matasano Chargen - Latest Comments in zeroBay Exists: Will The Juice Be Worth The Squeeze?

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

JohnGruberIsARobot — Mon, 09 Jul 2007 11:21:27 -0000

@Marcin:

With that guarantee, it might be tricky. Oh well, there's always the old-fashioned way of gathering free code auditing that vendors have been using for years: offending researchers with outlandish claims of having flawless security in a product and seeing what they come up with....

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

Marcin — Mon, 09 Jul 2007 10:55:16 -0000

@JohnGruberIsARobot:

You can't get any better than this ;) /sarcasm

Q: What guarantees will you give me about the reliability of the security researches listed on the market place?
A: Full guarantee. Every piece of security research is carefully analyzed and replicated in our own laboratories and eventually implemented with our own complementary research material before being placed on the market place.

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

JohnGruberIsARobot — Sat, 07 Jul 2007 15:35:43 -0000

Wow, judging by all the free code auditing done here and Daily Dave, it seems like vendors can get some good free auditing done just by posting a fake vuln on zeroBay and waiting til it's "reversed."

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

Stefan Esser — Sat, 07 Jul 2007 09:52:30 -0000

Bee Binger I took your challenge ;)

However gpg_ckMOD($MOD) is not of much use if it is used in this way:

if (!isset($MOD) || !$MOD) {
gpg_ckMOD($MOD);
}

Therefore through gpg_pop_init.php you can include arbitrary files ;)

The help system requires are btw. already fixed in their CVS version.

And yes I was right through the "Decrypt Attachment" function arbitrary shell commands can be injected via the dlfilename parameter.

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

Stefan Esser — Fri, 06 Jul 2007 12:24:27 -0000

From looking a few minutes onto the code and without a installed version of Squirrelmail I GUESS that there is some code execution through the filename of encrypted attachments.

Atleast the very quick look lets me assume that the filename is copied into the shellcommand without escaping...

lalalala...

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

Rhys Kidd — Fri, 06 Jul 2007 11:52:39 -0000

Not only does has that local Linux kernel memory leak vulnerability from March 2007 been assigned CVE-2007-1000, but PoC code was included in the *original* Linux Bugzilla posting, and is easily found with a moment of Googling.

http://bugzilla.kernel.org/show_bug.cgi?id=8134

So some idiot might wastefully pay for that PoC code, which can be found for free, is old, likely patched and doesn't really have a high impact rating. Woohoo, that sites a great way to print Euros from recycling public domain code.

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

Bee Binger — Fri, 06 Jul 2007 10:51:45 -0000

grep require * | grep -i get
gpg_help.php:require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );
gpg_help_base.php:require_once (SM_PATH.'plugins/gpg/help/' . $_GET['help'] );

------------
if you can break this function .. maybe a good challenge?

function gpg_ckMOD($rMOD){
if (strstr($rMOD, '.')
|| strstr($rMOD, '/')
|| strstr($rMOD, '%')
|| strstr($rMOD, "\\")){
echo _("Cute.");
exit;
}
};

then you would have command exec in these:

gpg_options.php:require_once(SM_PATH."plugins/gpg/modules/$MOD.mod");
gpg_pop_init.php:require_once("modules/$MOD.mod");

------

$pre_pass =" $path_to_gpg --passphrase-fd 0 --armor --batch --no-tty --detach-sign --default-key $key_id
--homedir $gpg_key_dir $filename 2>&1";
$cmd = "echo $passphrase|$pre_pass";
exec($cmd,$output,$returnval);

plus many of these user variables going to many different exec calls

yea this is a joke .. I do not think you need stefan esser to pop these.

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

Dave G. — Fri, 06 Jul 2007 10:17:01 -0000

@Fionnbharr:

It is definitely true that the information isn't as directly valuable. But knowing that something exists and what type of vulnerability definitely gives a competitive researcher a nice head start on finding the vulnerability. If someone were selling an Apache bug, I can think of a couple of researchers who would double their efforts on Apache.

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

Chris R. — Fri, 06 Jul 2007 08:10:18 -0000

That linux kernel vulnerability has a CVE #. Soooo its just an exploit for sale?

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

dre — Fri, 06 Jul 2007 03:49:59 -0000

But, according to the Wikipedia entry on Mr. T, "For about ten years, Mr. T was a bodyguard to the stars, protecting such well-known personalities as Muhammad Ali, Steve McQueen, Michael Jackson, Bruce Lee, Joe Frazier, and Diana Ross. He charged around $3,000 a day and his business card famously read, `Next to God, there is no greater protector than I'. He always boasts that he never lost a client, saying, `I got hurt worse growing up in the ghetto than working as a bodyguard'".

Everybody loves Mr. T! Come on! You gotta love him!

Completely on topic

Notice that I didn't even use the word "iPhone" or mention anyone by the initials "David Maynor" at all in this blog comment.

Re: zeroBay Exists: Will The Juice Be Worth The Squeeze?

Fionnbharr Davies — Fri, 06 Jul 2007 03:48:12 -0000

Your post is true for smaller apps imo, but what about one of the other auctions up there now 'Local Linux kernel memory leak'. Pretty big target.