spendergrsec
-
Win7 tips: keep your 0day testing away from MS:
Actually dump full kernel dumps when selected to:
7:53 AM Dec 1st
from web
-
@ And firewall boxes is about the only thing I think it gets used for in real life :p
6:40 AM Dec 1st
from web
in reply to dbph
-
@ see my pipe.c exploit for the history lesson; aside from that, I like my OSes to actually be able to do stuff
6:37 AM Dec 1st
from web
in reply to dbph
-
@ no :p jeez I thought this would be simple and my first 280 character explanation would have been sufficient
6:18 AM Dec 1st
from web
in reply to cykyc
-
@ __findenv_environ is key :p
6:04 AM Dec 1st
from web
in reply to steaIth
-
@ not quite, look at getenv like I said, when that internal environment list is cleaned
6:03 AM Dec 1st
from web
in reply to steaIth
-
Read through __build_env and re-read my notes, then it should be clear why both stealth and kcope's exploits work ;)
5:39 AM Dec 1st
from web
-
BTW I think everyone's looking in the wrong place -- __merge_environ should return 0 from failing the initial if, it's __build_env you want
5:37 AM Dec 1st
from web
-
@ exactly, how can anyone else verify their claims? It's neither science nor security
4:46 AM Dec 1st
from Tweed
in reply to steaIth
-
@ Doesn't everyone stay away from OpenBSD as it is? The users I mean ;)
3:38 AM Dec 1st
from web
in reply to steaIth
-
@ If that were the case, even kcope's exploit wouldn't work
3:31 AM Dec 1st
from web
in reply to steaIth
-
@ No, because #1 it works backwards, and #2, that whole new array is thrown out once a bad entry is found (see goto Failure)
3:30 AM Dec 1st
from web
in reply to steaIth
-
@ without which it would be unexploitable
7:39 PM Nov 30th
from web
-
@ you missed the whole part about the internal environment list being freed+cleared upon failure, causing the fallback in getenv
7:39 PM Nov 30th
from web
-
"logged-in", "authenticated" users != "logged in users clicking things they shouldn't"
7:14 PM Nov 30th
from web
-
"mac80211: fix two remote exploits" :
7:00 PM Nov 30th
from web
-
since the uninitialized buffer from malloc could have '=' in it by accident (though in a fresh process it should be nicely zeroed)
5:04 PM Nov 30th
from web
-
so a more reliable exploit would explicitly set environ to { "blah", "LD_PRELOAD=/tmp/blah.so", NULL }
4:54 PM Nov 30th
from web
-
and the internal env struct building bails out when it finds one that has no "=" in it (working backwards)
4:43 PM Nov 30th
from web
-
I think the FreeBSD bug is caused by getenv falling back to __findenv_environ when unsetenv fails to build the internal env structs
4:41 PM Nov 30th
from web