July, 2009


iPhone and Safari advisories

Scary Beasts Security

Catching up on a few items. I seem to have gotten a mention in a couple of recent Apple advisories: iPhone 3.0 security fixes, Safari 4.0.2. It's one of the Safari bugs that interests me today, CVE-2009-1725 or an off-by-one heap memory corruption in Webkit. The patch says it all, really: [link] Here's the faulty code:

    checkBuffer(10);
    // ignore the sequence, add it to the buffer as plaintext
    *dest++ = '&';
    for (unsigned i = 0; i < cBufferPos; i++)
        dest[i] = m_cBuffer[i];

Turns out, that 10 sho


Beware the little pieces you use in your web app

Scary Beasts Security

I've just released the technical details behind some recently fixed vulnerabilities in mimetex: [link] "mimetex" is a little binary (written in the C language) used to render mathematical equations based on the TeX language. It looks very nice and is a cool concept to embed it in web apps. You can use a Google search to locate places that use it: [link] Unfortunately, the binary suffered from various classic stack-based buffer overflows as well as some commands that might leak inappropriate info


vsftpd-2.2.0pre1 and network separation

Scary Beasts Security

Following on from vsftpd-2.1.2, I've just released vsftpd-2.1.0pre1: ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.1.0pre1.tar.gz This further plays with the new Linux container flags: this time, CLONE_NEWNET. This flag creates a process with a separate (and empty) list of network devices and bindings. A process isolated in such a way can create network sockets, but any attempt to e.g. do an IPv4 connect() to localhost (or any other destination) will get ENETUNREACH.