Xanda's Blog !~!

Safari 0day

May
08

I love the smell of Safari 0day in the morning πŸ™‚

SpamAssassin Milter Plugin ‘mlfi_envrcpt()’ Remote Arbitrary Command Injection Vulnerability

Mar
09

Can you spot the security bug? πŸ™‚

mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
  struct context *sctx = (struct context*)smfi_getpriv(ctx);
  SpamAssassin* assassin = sctx->assassin;
  FILE *p;
#if defined(__FreeBSD__)
  int rv;
#endif
 
  debug(D_FUNC, "mlfi_envrcpt: enter");
 
  if (flag_expand)
  {
  /* open a pipe to sendmail so we can do addressexpansion */
 
    char buf[1024];
    char *fmt="%s -bv \"%s\" 2>&1";
 
#if defined(HAVE_SNPRINTF)
    snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
    sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif
 
    debug(D_RCPT, "calling %s", buf);
 
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
    rv = pthread_mutex_lock(&popen_mutex);
    if (rv)
    {
      debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
      abort();
    }
#endif
 
    p = popen(buf, "r");
    if (!p)
    {
      debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));
      assassin->expandedrcpt.push_back(envrcpt[0]);

Pen Testing the Web With Firefox

Feb
19

Nice write up by Michael β€œtheprez98” Schearer



Get the PDF file HERE

0day on TM Billion ADSL Modem/Router

Feb
06

Quick update

Here is my short update. I was playing around with the ‘nice’ modem and I found 2 vulnerability

1) Remote code execution
2) DoS

Tested on Firmware Version : 2.10.5.0(UE0.C2C)3.7.6.1

I’m looking forward to play around with Riger Corporation’s modem that came with “Enhanced by TM R&D Malaysia” label on it πŸ™‚

CVE-2010-0249 – Aurora IE 0day Exploit :: DEP bypassed

Jan
19

:: Quick update ::

Today, I’ve been working on a video on the Aurora IE 0day exploit PoC that really mimics the original Aurora’s exploit on Google.

However, the original exploit gonna fail if you enable DEP on the machine.

A few minutes back, someone ping and inform me on the new PoC that gonna bypass the DEP. If true, enabling DEP wont protect IE users anymore πŸ˜‰

But you are still safe if you disable Active Script / JavaScript support for your IE

Here is how you can disable the Active Shit/JavaShit Active Script / JavaScript support in your IE: Advisory