Full Disclosure mailing list archives
Rixstep attempt a response
From: "Rixstep Pwned" <rixstep.pwned () gmail com>
Date: Tue, 23 Jan 2007 00:58:25 +1100
Your lovely writeup hasn't made the list yet; I assume that it's just taking its time and this isn't to be attributed to an inability to send an email competently. For those who haven't found it, have a read at their top-quality response here:

http://rixstep.com/2/20070121,00.shtml

"What's interesting of course is that Mr Anonymous 'backdated' the advisory to make the company look bad. This is not 'full disclosure' - this is the typical immature behaviour of an Apple fanboy."

Actually I haven't backdated anything; the only place I posted anything to do with this was this mailing list. Any other location is out of my control and I suggest that (what was the phrase again... oh yes):

'You should be very careful before going around like an internet tough, accusing people with nothing more than your own speculation. Unless you can prove that (that is, using proofs you can't tamper with, which makes pasting something out of your Text Edit window plain invalid), we request you to keep away of any future claims like these.'

I'll add to that list of proofs that you have some sort of evidence that it was me who submitted it anywhere, which, considering I've only sent anything to this list, is going to be *really* hard. Not that I expect you to withdraw your accusations; you'll just make some new and wonderful post about "fanboys" and continue to think you look like the coolest kids on the block.

And now we'll skip your fanboy rant (where you use the ultra-authoritative Wikipedia as a source) and continue on with something that is actually worth laughing at you about. Like your coding ability.

"Bottom line? Rixstep are just as 'leet' as they claimed: their stance is not merely that they write better code and do more QA than other companies but that they're actively soliciting bug hunts - they won't hide in the PR department like some other companies. If this is 'leet' then all software companies should try to be as 'leet': software users would only benefit."

Write better code? Who on earth thinks they can claim they write better code when they thought that chmod 666 in suid root code was ever a good idea? And then didn't even fix it the first time around. Not to worry, their new fix is amazing. It mostly stops any attacks on their code. It's just a pity they still seem to have no clue about what the hell they're doing.

We'll do PowerPC disassembly here because, well, it's more fun and some people seem to only ever do x86 disassembly. First up:

    00002300 bl 0x2d30 ; symbol stub for: _getpid
    00002304 or r0,r3,r3
    00002308 li r3,0x1f
    0000230c or r4,r0,r0
    00002310 li r5,0x0
    00002314 li r6,0x0
    00002318 bl 0x2cc4 ; symbol stub for: _ptrace

What, you think PT_DENY_ATTACH is going to do anything? Cute.

I notice you've modified since the first version of your second attempt at a patch. Instead of doing this:

    000022fc li r3,0x1f5
    00002300 bl 0x2be4 ; symbol stub for: _seteuid

(You're kidding, you think that a hardcoded seteuid(501) is a good idea?)

You've now learnt about getuid:

    0000231c bl 0x2bc8 ; symbol stub for: _getuid
    00002320 or r0,r3,r3
    00002324 or r3,r0,r0
    00002328 bl 0x2bec ; symbol stub for: _seteuid

Wow, congratulations on that, you'll be a Unix coder yet! I am however wondering why you're bothering with these:

    00002450 lwz r3,0x0(r9)
    00002454 or r4,r0,r0
    00002458 bl 0x2c34 ; symbol stub for: _lstat
    0000245c or r0,r3,r3
    00002460 cmpwi r0,0x0
    00002464 bne 0x2714

Haven't you learnt about race conditions yet? What does this gain you again?

    00002aa4 li r3,0x0
    00002aa8 bl 0x2bec ; symbol stub for: _seteuid
    00002aac addi r9,r30,0x1b0
    00002ab0 addi r0,r30,0x120
    00002ab4 or r3,r9,r9
    00002ab8 li r4,0x800
    00002abc or r5,r0,r0
    00002ac0 bl 0x2ba4 ; symbol stub for: _FSSetCatalogInfo

I do like, however, that you finally learnt about FSSetCatalogInfo for setting the invisible bit; it's just a pity you had to use your despised Carbon to do so (http://rixstep.com/2/20060530,00.shtml, http://rixstep.com/2/20050417,00.shtml, http://rixstep.com/2/20041115,00.shtml, http://rixstep.com/2/1/20060218,00.shtml and many many more). But then doing stuff like this is always a worry:

    000026f4 li r3,0x0
    000026f8 bl 0x2bec ; symbol stub for: _seteuid
    000026fc lwz r3,0x10c(r30)
    00002700 bl 0x2ce8 ; symbol stub for: _unlink

Let's unlink as root, even though we know we're not smart enough to be trusted with root.

"Mr Bent [sic] would have the world think he actually contacted Rixstep prior to going public with his 'nasty bug'. But in such case he got his hands on a copy of a product two weeks prior to it being written."

That's right, I didn't contact Rixstep first. Let there be no impression otherwise. Similarly, let there be no impression that I submitted anything other than to this mailing list, on the dates they appeared on this list.

"His claim he produced a denial of service even if his exploit failed basically sealed his fate: that's about the dumbest thing ever posted to SF or FD or anywhere ever. When you have two hot ('for (;;)') loops running in side by side processes and both acting on the file system of course you get yourself in a tight situation - but no one but a fanboy would ever try something so immature - this is totally independent of any external software you claim to be testing."

That's odd, I don't recall any mention of a Denial of Service attack. Maybe you're reading stuff that I didn't write again, so just to make it nice and clear for you: anything that I didn't post here wasn't by me. Which means so far that's two source files with the header comments included in the message. Got that?

"And when you have something like 'system("/bin/cat > <target> <source>")' inside a compilable file you know you're dealing with someone very special - and thankfully extremely unusual."

I find that incredibly amusing from anyone who calls chmod(<path to user supplied file>, 0666) in a suid root tool. Oh, and in case you hadn't heard, proof of concept exploits generally aren't the best code around. The whole idea is to demonstrate the problem, not to win a beautiful code competition.

By the way, when are you going to publish the security advisory on your website and suggest that all users update to the new, silently updated version? Or don't you care about your customers being owned now that the "evil fanboy" posted a bug without contacting the vendor?

Anyway, enough for now, time for you to go and write some more rants that I'm an evil fanboy and that you're ever so superior. It's been really fun reading them. I just wish you'd spend the time learning to code instead.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
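The check-then-act pattern the post picks at (an lstat() on a user-supplied path, followed by a separate privileged operation on that same path, with the page's own chmod 0666 as the operation) next to a version that binds the check to the object actually opened, as an added C example that is neither Rixstep's code nor the poster's; chmod_racy, chmod_checked and demo are assumed names, and the temp file and symlink in demo are constructed test fixtures.

```c
#define _GNU_SOURCE          /* O_NOFOLLOW on glibc under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy (the pattern the post picks at): lstat() and chmod() each resolve
 * 'path' on their own, so the object can be swapped between the two calls. */
int chmod_racy(const char *path, mode_t mode)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    return chmod(path, mode);   /* follows symlinks; acts on whatever is there now */
}

/* Checked: open once without following symlinks, validate the object actually
 * opened, then fchmod() that same fd; also require the real user own the file. */
int chmod_checked(const char *path, mode_t mode)
{
    struct stat st;
    int rc = -1, fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                      /* a symlink fails here with ELOOP */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == getuid())
        rc = fchmod(fd, mode);
    else
        errno = EPERM;
    close(fd);
    return rc;
}

/* Constructed self-check: a temp file plus a symlink to it. The checked version
 * changes the file's mode but refuses the link. Returns 0 on success. */
int demo(void)
{
    char file[] = "/tmp/rixstep_demo_XXXXXX", lnk[64];
    struct stat st;
    int fd = mkstemp(file);
    if (fd < 0) return 1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) { unlink(file); return 2; }
    int ok = chmod_checked(file, 0640) == 0 && stat(file, &st) == 0 &&
             (st.st_mode & 0777) == 0640 && chmod_checked(lnk, 0666) != 0 && errno == ELOOP;
    unlink(lnk); unlink(file);
    return ok ? 0 : 3;
}
```

Run as an unprivileged user the ownership test is a no-op; in a setuid helper it is what stops the tool from changing modes on files the invoking user does not own.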