Full Disclosure mailing list archives

Rixstep attempt a response


From: "Rixstep Pwned" <rixstep.pwned () gmail com>
Date: Tue, 23 Jan 2007 00:58:25 +1100

Your lovely writeup hasn't made the list yet; I assume that it's just
taking its time and this isn't to be attributed to an inability to
send an email competently.

For those who haven't found it, have a read at their top-quality response here:
http://rixstep.com/2/20070121,00.shtml

"What's interesting of course is that Mr Anonymous 'backdated' the
advisory to make the company look bad. This is not 'full disclosure' -
this is the typical immature behaviour of an Apple fanboy."

Actually, I haven't backdated anything; the only place I posted
anything to do with this was this mailing list. Any other location is
out of my control and I suggest that (what was the phrase again... oh
yes): 'You should be very careful before going around like an internet
tough, accusing people with nothing more than your own speculation.
Unless you can prove that (that is, using proofs you can't tamper
with, which makes pasting something out of your Text Edit window plain
invalid), we request you to keep away of any future claims like these.'

I'll add to that list of proofs that you have some sort of evidence
that it was me who submitted it anywhere, which, considering I've only
sent anything to this list, is going to be *really* hard. Not that I
expect you to withdraw your accusations; you'll just make some new and
wonderful post about "fanboys" and continue to think you look like the
coolest kids on the block.

And now we'll skip your fanboy rant (where you use the
ultra-authoritative Wikipedia as a source) and continue on with
something that is actually worth laughing at you about. Like your
coding ability.

"Bottom line? Rixstep are just as 'leet' as they claimed: their stance
is not merely that they write better code and do more QA than other
companies but that they're actively soliciting bug hunts - they won't
hide in the PR department like some other companies. If this is 'leet'
then all software companies should try to be as 'leet': software users
would only benefit."

Write better code? Who on earth thinks they can claim they write
better code when they thought that chmod 666 in suid root code was
ever a good idea? And then didn't even fix it the first time around.

Not to worry, their new fix is amazing. It mostly stops any attacks on
their code. It's just a pity they still seem to have no clue about
what the hell they're doing. We'll do PowerPC disassembly here
because, well, it's more fun and some people seem to only ever do x86
disassembly.

First up:
00002300        bl      0x2d30  ; symbol stub for: _getpid
00002304        or      r0,r3,r3
00002308        li      r3,0x1f
0000230c        or      r4,r0,r0
00002310        li      r5,0x0
00002314        li      r6,0x0
00002318        bl      0x2cc4  ; symbol stub for: _ptrace
What, you think PT_DENY_ATTACH is going to do anything? Cute.

I notice you've modified since the first version of your second
attempt at a patch. Instead of doing this:
000022fc        li      r3,0x1f5
00002300        bl      0x2be4  ; symbol stub for: _seteuid
(You're kidding, you think that a hardcoded seteuid(501) is a good idea?)

You've now learnt about getuid:
0000231c        bl      0x2bc8  ; symbol stub for: _getuid
00002320        or      r0,r3,r3
00002324        or      r3,r0,r0
00002328        bl      0x2bec  ; symbol stub for: _seteuid
Wow, congratulations on that, you'll be a Unix coder yet!

I am however wondering why you're bothering with these:
00002450        lwz     r3,0x0(r9)
00002454        or      r4,r0,r0
00002458        bl      0x2c34  ; symbol stub for: _lstat
0000245c        or      r0,r3,r3
00002460        cmpwi   r0,0x0
00002464        bne     0x2714

Haven't you learnt about race conditions yet? What does this gain you again?

00002aa4        li      r3,0x0
00002aa8        bl      0x2bec  ; symbol stub for: _seteuid
00002aac        addi    r9,r30,0x1b0
00002ab0        addi    r0,r30,0x120
00002ab4        or      r3,r9,r9
00002ab8        li      r4,0x800
00002abc        or      r5,r0,r0
00002ac0        bl      0x2ba4  ; symbol stub for: _FSSetCatalogInfo
I do like, however, that you finally learnt about FSSetCatalogInfo for
setting the invisible bit; it's just a pity you had to use your
despised Carbon to do so (http://rixstep.com/2/20060530,00.shtml,
http://rixstep.com/2/20050417,00.shtml,
http://rixstep.com/2/20041115,00.shtml,
http://rixstep.com/2/1/20060218,00.shtml and many many more).

But then doing stuff like this is always a worry:
000026f4        li      r3,0x0
000026f8        bl      0x2bec  ; symbol stub for: _seteuid
000026fc        lwz     r3,0x10c(r30)
00002700        bl      0x2ce8  ; symbol stub for: _unlink
Let's unlink as root, even though we know we're not smart enough to be
trusted with root.

"Mr Bent [sic] would have the world think he actually contacted
Rixstep prior to going public with his 'nasty bug'. But in such case
he got his hands on a copy of a product two weeks prior to it being
written."

That's right, I didn't contact Rixstep first. Let there be no
impression otherwise. Similarly, let there be no impression that I
submitted anything other than to this mailing list, on the dates they
appeared on this list.

"His claim he produced a denial of service even if his exploit failed
basically sealed his fate: that's about the dumbest thing ever posted
to SF or FD or anywhere ever. When you have two hot ('for (;;)') loops
running in side by side processes and both acting on the file system
of course you get yourself in a tight situation - but no one but a
fanboy would ever try something so immature - this is totally
independent of any external software you claim to be testing."

That's odd; I don't recall any mention of a Denial of Service attack.
Maybe you're reading stuff that I didn't write again, so just to make
it nice and clear for you:
Anything that I didn't post here wasn't by me. Which means so far
that's two source files with the header comments included in the
message. Got that?

"And when you have something like 'system("/bin/cat > <target>
<source>")' inside a compilable file you know you're dealing with
someone very special - and thankfully extremely unusual."

I find that incredibly amusing from anyone who calls chmod(<path to
user supplied file>, 0666) in a suid root tool. Oh, and in case you
hadn't heard, proof of concept exploits generally aren't the best code
around. The whole idea is to demonstrate the problem, not to win a
beautiful code competition.

By the way, when are you going to publish the security advisory on
your website and suggest that all users update to the new, silently
updated version? Or don't you care about your customers being owned
now that the "evil fanboy" posted a bug without contacting the vendor?

Anyway, enough for now, time for you to go and write some more rants
that I'm an evil fanboy and that you're ever so superior. It's been
really fun reading them. I just wish you'd spend the time learning to
code instead.
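The descriptor-based alternative to the lstat-then-act pattern criticised above, as an added example that is neither Rixstep's code nor part of this post; the helper names checked_fchmod and demo and the temporary directory path are constructed for the example, and it assumes a POSIX system with O_NOFOLLOW (Linux, macOS).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern criticised above, lstat(path) then a privileged chmod()/unlink()
 * on the same path, leaves a window in which the path can be re-pointed at
 * another object. Inspecting and acting on one descriptor closes that window:
 * nothing is resolved by name a second time.
 * Returns 0 on success, -1 with errno set on refusal or failure. */
int checked_fchmod(const char *path, mode_t mode)
{
    /* O_NOFOLLOW: a symlink at the final component fails with ELOOP. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Accept only a regular file owned by the real (invoking) user. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    int rc = fchmod(fd, mode); /* acts on the inspected object itself */
    close(fd);
    return rc;
}

/* Constructed demonstration: a temp file plus a symlink pointing at it.
 * Returns 1 when the direct call succeeds, the symlink is refused and the
 * file ends up with the requested mode; 0 otherwise; -1 on setup error. */
int demo(void)
{
    char dir[] = "/tmp/fchmod_demo_XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(file, lnk) < 0) return -1;
    close(fd);
    int direct = checked_fchmod(file, 0644);   /* 0 */
    int via_link = checked_fchmod(lnk, 0666);  /* -1, errno ELOOP */
    struct stat st;
    int mode_ok = stat(file, &st) == 0 && (st.st_mode & 0777) == 0644;
    unlink(lnk); unlink(file); rmdir(dir);
    return (direct == 0 && via_link == -1 && mode_ok) ? 1 : 0;
}
```

The same idea applies to the unlink-as-root call shown above: either drop to the real uid before touching a user-supplied path, or use unlinkat() relative to a directory descriptor you have already validated.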

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/