Xanda's Blog !~!

Safari 0day

I love the smell of Safari 0day in the morning πŸ™‚

SpamAssassin Milter Plugin ‘mlfi_envrcpt()’ Remote Arbitrary Command Injection Vulnerability

Can you spot the security bug? πŸ™‚

mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
  struct context *sctx = (struct context*)smfi_getpriv(ctx);
  SpamAssassin* assassin = sctx->assassin;
  FILE *p;
#if defined(__FreeBSD__)
  int rv;
  debug(D_FUNC, "mlfi_envrcpt: enter");
  if (flag_expand)
  /* open a pipe to sendmail so we can do addressexpansion */
    char buf[1024];
    char *fmt="%s -bv \"%s\" 2>&1";
#if defined(HAVE_SNPRINTF)
    snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
    sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
    debug(D_RCPT, "calling %s", buf);
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
    rv = pthread_mutex_lock(&popen_mutex);
    if (rv)
      debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
    p = popen(buf, "r");
    if (!p)
      debug(D_RCPT, "popen failed(%s).  Will not expand aliases", strerror(errno));

Pen Testing the Web With Firefox

Nice write up by Michael β€œtheprez98” Schearer

Get the PDF file HERE

0day on TM Billion ADSL Modem/Router

Quick update

Here is my short update. I was playing around with the ‘nice’ modem and I found 2 vulnerability

1) Remote code execution
2) DoS

Tested on Firmware Version :

I’m looking forward to play around with Riger Corporation’s modem that came with “Enhanced by TM R&D Malaysia” label on it πŸ™‚

CVE-2010-0249 – Aurora IE 0day Exploit :: DEP bypassed

:: Quick update ::

Today, I’ve been working on a video on the Aurora IE 0day exploit PoC that really mimics the original Aurora’s exploit on Google.

However, the original exploit gonna fail if you enable DEP on the machine.

A few minutes back, someone ping and inform me on the new PoC that gonna bypass the DEP. If true, enabling DEP wont protect IE users anymore πŸ˜‰

But you are still safe if you disable Active Script / JavaScript support for your IE

Here is how you can disable the Active Shit/JavaShit Active Script / JavaScript support in your IE: Advisory