You’ve got slow days and not so slow days. You can say today (hm, well yesterday) was one of those not so slow days. One rather interesting vulnerability got disclosed. A remote signal race in sendmail, which was (not surprsingly) discovered by Mark Dowd of the ISS X-Force. Undoubtably one of the smartest code auditors to walk the face of this earth. The Xforce advisory states that there’s a signal race condition in the timeout handlers, which under certain conditions might lead to stack or in some cases heap corruption. I haven’t looked at the particular vulnerability, but assuming its realistic to trigger the race and you get some flexibility to damage the stack this one could be relialibly exploited. The advisory also states that it’s not a single-shot, so if things don’t work out quite well you can just try again. This one is certainly interesting! Which brings me to another question, why is it that so many people are still using sendmail in 2006? Sendmail is one of those monsters that dates back from the 80’s. It should have died by now! It’s not like there aren’t any alternatives. One of them was even designed to look and feel like sendmail.
Another IE 0day got disclosed today (by the guys from Computer Terrorism (UK) :: Incident Response Centre ). It appears that this one ends up having a function pointer to point to (and I quote) ” very remote, non-existent memory location, causing IE to crash (DoS)”. The ones who discovered it go on to say that this one is very much exploitable and that they are sitting on a reliable exploit for it. I don’t doubt that for a second. My guess would be that they’re using skylined’s heap spraying method or something simular. It’s interesting that so many IE bugs still get found to this day. Because IMO pretty much all other browsers (with the exception of firefox) are WAY WORSE off then IE when it comes to being able to parse input correctly. I say this because I’ve spend a fair amount of time writing and testing browser fuzzers, and IE and Firefox are by far the one’s that can take the most crap before dieing. I’d like to take this opportunity to bark at safari, In pretty much all of my tests it came out the worst. Getting safari to segfault is trivial.
This brings me to hdm’s Hamachi (http://metasploit.com/users/hdm/tools/hamachi/hamachi.html) Which is a small dhtml fuzzer. It would appear that opera, safari, omniweb and konquerer seem to break on it. Firefox (both 1.0.7 and 1.5.x on linux) didn’t die on it. I don’t know about IE. I think people have barely scratched the surface when it comes to browser fuzzing (or adleast what has been publicly reported about it).