Posted on February 8, 2008
by Ramon de Carvalho Valle
We have recently acquired an ASUS Eee PC (if you want to know more about it, plenty of reviews are available on the internet). The first thing we did when we got our hands on the ASUS Eee PC was to test its security. The ASUS Eee PC comes with a customized version of the Xandros operating system installed, along with some other bundled software such as Mozilla Firefox, Pidgin, Skype and OpenOffice.org.
While analysing the running processes on the ASUS Eee PC, the first thing that caught our attention was a running smbd process (the sshd daemon was started by us and is not enabled by default).
Continue reading “ASUS Eee PC Rooted Out of the Box”
Posted on October 3, 2007
by Ramon de Carvalho Valle
While developing an exploit module for the Borland InterBase ibserver.exe ‘create’ Buffer Overflow Vulnerability, published by TippingPoint, we decided to take a look at the Borland InterBase code, and unfortunately, the results were not good.
We found about 20 buffer overflow vulnerabilities that affect all versions of Borland InterBase, some of which also affect the Firebird Relational Database. All of them are remote, trivial-to-exploit, stack-based buffer overflows.
Continue reading “InterBase/Firebird fun”
Posted on July 19, 2007
by Ramon de Carvalho Valle
After some tests, we discovered that when the smbd process is started by the launchd daemon, exploiting this vulnerability using the size() pointer in initial_malloc_zones may cause unexpected behavior. The launchd daemon starts an smbd process only at the first brute force iteration, and does not start any new smbd processes at subsequent iterations, causing exploitation to fail.
However, we found a reliable way to exploit this vulnerability even if the smbd process is started by the launchd daemon.
Continue reading “Update on exploiting the Samba lsa_io_trans_names() Heap Overflow in Mac OS X”
Posted on July 5, 2007
by Ramon de Carvalho Valle
While developing an exploit for the Samba lsa_io_trans_names() Heap Overflow for the Mac OS X operating system, we discovered that the szone_free() function has some interesting behavior.
The szone_free() function can be abused to overwrite one of the function pointers in the initial_malloc_zones structure and achieve arbitrary code execution. Exploitation is not straightforward, however, due to how the szone_free() function operates.
Continue reading “Exploiting the Samba lsa_io_trans_names() Heap Overflow in Mac OS X”