Safari 0day
I love the smell of Safari 0day in the morning
Can you spot the security bug?
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
    struct context *sctx = (struct context*)smfi_getpriv(ctx);
    SpamAssassin* assassin = sctx->assassin;
    FILE *p;
#if defined(__FreeBSD__)
    int rv;
#endif

    debug(D_FUNC, "mlfi_envrcpt: enter");

    if (flag_expand)
    {
        /* open a pipe to sendmail so we can do address expansion */
        char buf[1024];
        char *fmt="%s -bv \"%s\" 2>&1";

#if defined(HAVE_SNPRINTF)
        snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
        sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif

        debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
        rv = pthread_mutex_lock(&popen_mutex);
        if (rv)
        {
            debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
            abort();
        }
#endif

        p = popen(buf, "r");
        if (!p)
        {
            debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
            assassin->expandedrcpt.push_back(envrcpt[0]);
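The snippet above formats envrcpt[0], the recipient string handed to the milter callback, into a command line and passes it to popen(), which runs it through a shell. The following is an added example, not code from the original post or from the project: expand_rcpt is a hypothetical helper that runs the same "-bv" lookup with fork/execv so the recipient stays a single argv entry, and /bin/echo stands in for SENDMAIL in main as an assumption so the block runs anywhere.

```c
/* Added example: run "<prog> -bv <rcpt>" without a shell. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical helper. Returns bytes captured in out, or -1 on failure. */
long expand_rcpt(const char *prog, const char *rcpt, char *out, size_t outlen)
{
    int fds[2], status;
    /* A leading '-' would be parsed as an option, so refuse it. */
    if (outlen == 0 || rcpt[0] == '-' || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: send stdout and stderr to the pipe (the old "2>&1"). */
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]); close(fds[1]);
        /* rcpt is exactly one argv entry; quotes, ';' and '`' are inert. */
        char *const argv[] = { (char *)prog, "-bv", (char *)rcpt, NULL };
        execv(prog, argv);
        _exit(127);              /* exec failed */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return -1;
    return (long)used;
}

int main(void)
{
    char out[256];   /* constructed hostile recipient; /bin/echo stands in for SENDMAIL */
    long n = expand_rcpt("/bin/echo", "user@example.com\"; id; \"", out, sizeof out);
    if (n > 0) fputs(out, stdout);
    return n > 0 ? 0 : 1;
}
```

With the stand-in, the recipient comes back byte for byte as one argument, which is what a shell-built command line cannot guarantee.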
Nice write up by Michael “theprez98” Schearer
Quick update
Here is my short update. I was playing around with the ‘nice’ modem and I found 2 vulnerabilities:
1) Remote code execution
2) DoS
Tested on Firmware Version : 2.10.5.0(UE0.C2C)3.7.6.1
I’m looking forward to playing around with Riger Corporation’s modem that came with an “Enhanced by TM R&D Malaysia” label on it.
:: Quick update ::
Today, I’ve been working on a video on the Aurora IE 0day exploit PoC that really mimics the original Aurora’s exploit on Google.
However, the original exploit is gonna fail if you enable DEP on the machine.
A few minutes back, someone pinged me and informed me of the new PoC that is gonna bypass DEP. If true, enabling DEP won't protect IE users anymore.
But you are still safe if you disable Active Script / JavaScript support for your IE.
Here is how you can disable the Active Shit/JavaShit Active Script / JavaScript support in your IE: Advisory