[guardian-dev] gethostbyname() buffer overflow, nicknamed GHOST
Hans-Christoph Steiner
hans at guardianproject.info
Thu Jan 29 13:55:31 EST 2015
This makes me think about how companies like FinFisher provide a 30-day
guarantee on their pwning tools. They have enough 0days to guarantee they'll
have a working exploit within 30 days of one they're currently using being fixed.
Another fun one: pwn a Blackphone with a text message!
http://blog.azimuthsecurity.com/2015/01/blackpwn-blackphone-silenttext-type.html
.hc
Lee Azzarello:
> If you haven't seen the fantastic (!) logo for the latest panic room
> worthy C bug that will break the Internet into tiny bits which can
> never be assembled again, check this awesome write up.
>
> https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
>
>
> Of particular note is the PoC using the Exim email server. The author
> gets arbitrary code execution by sending a string to a public network
> port, which can determine the memory address of a specific piece of
> configuration data which is held in memory and when modified can open
> up an ACL in the mail server which unlocks the usage of a run()
> command which allows the user to run shell code!
>
> It's really impressive, though I do not believe it allows privilege escalation.
>
> -lee
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x9F0FE587374BBE81