Medvedev Announces Complete Reintegration Of Crimea Into Russia

Today Russian Prime Minister Dmitry Medvedev announced that Crimea had been reintegrated into Russia following a mix up that left Crimea for some years after the Soviet Union collapse attached instead to Ukraine (archived). During the final years of the Hussein Bahamas administration Russia was pushed to reclaim the territory after foreign meddling by western governments in Ukraine destabilized the region.

Information On US "Quiet Skies" Program Leaks

Information on a US surveillance program targeting persons not known to be terrorists has been leaked (archived). The progam dubbed "Quiet Skies" involves the assignment of air marshall details to follow travelers who meet the following criteria:

  1. Not under investigation by any agency
  2. Not in the terrorist screening database

Selected targets are then followed by a team of armed plainclothes air marshalls for the duration of their US air travel. In their report on the program, the Boston Globe estimated the program manages to handle 35 targets daily.

'Anti-Racist' Football Tournament Cancelled After Racist Violence Between Refugee Teams

The United Colours Antifa Street Soccer Cup in Zwickau, Germany was cancelled after racist violence broke out between a primarily Arab and a primarily African team. The event's organizers are self declared Antifa terrorists and describe the competition as a demonstration that Zwickau is not for "racism and every type of discrimination", a mission statement the involved players must have failed to comprehend before the game broke down into a cacophony of racist violence.

Oracle Re-Patches 11 Year Old Solaris Hole That Survived First Patch

In an episode reminiscent of the frequently revived Windows USB hole which propagated Stuxnet, Oracle has re-patched a kernel level hole in the "Solaris Availability Suite Service" which survived its initial patching 11 years ago largely intact. The vulnerability affects all versions of Solaris 10 and 11 allowing1 locally logged in users to esclate their priviledge to their heart's content. Continue reading


  1. Text preserved below for the lulz as traditional archiving tools failed:

    CVE-2018-2892 – Kernel Level Privilege Escalation in Oracle Solaris

    July 24, 2018
    Posted By Neil Kettle
    Comments (0)

    Trustwave recently discovered a locally exploitable issue in all current versions of Oracle Solaris 10/11 as detailed in the recently posted Trustwave advisory. The issue is present in the kernel and is locally exploitable as an unprivileged user provided the local system has the Sun StorageTek Availability Suite (AVS) configured.
    The Vulnerability

    The vulnerability has an interesting history dating back to 2007 when the underlying issue was originally discovered and exploited. The original issue was disclosed on stage at CanSec 2009 ( https://cansecwest.com/slides.html). The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin(). The vulnerability itself is present in the ioctl handler for the '/dev/sdbc' device, the vulnerable code path passes through the following code with a 'cmd' value of 'SDBC_TEST_INIT ':

    common/avs/ns/sdbc/sd_misc.c:

    922 static int
    923 sdbcioctl(dev_t dev, int cmd, void *arg, int mode, cred_t *crp, int *rvp)
    924 {

    953 switch (cmd) {

    966 case SDBC_TEST_INIT:
    967 rc = _sd_test_init(&args);
    968 break;

    The code passes through the call to _sd_testing_init(&args) to the function definition given below:

    common/avs/ns/sdbc/sd_tdaemon.c:

    613 int
    614 _sd_test_init(void *args)
    615 {
    616 register struct a {
    617 caddr_t addr;
    618 long ar;
    619 long len;
    620 long tsize;
    621 long flag;
    622 } *uap = (struct a *)args;
    623
    624 if (copyin(uap->addr, devarray[uap->ar]1, uap->len2) ) {
    625 return (EFAULT);
    626 }
    627 dev_tsize[uap->ar]3 = (uap->tsize < 48) ? 48 : uap->tsize;
    628 dev_flag[uap->ar]4 = uap->flag;
    629 return (0);
    630 }

    There are at least 4 different vulnerabilities in this small code fragment! We summarise these below:

    arbitrary memory dereference resulting in an arbitrary destination pointer being passed to copyin(),
    arbitrary user-controlled length in the call to copyin() resulting in an unbounded memory write,
    arbitrary memory dereference and thus a user controllable write,
    arbitrary memory dereference and thus a user controllable write.

    However, the history of this particular vulnerability does not end there, sometime between 2009 and 2017 Oracle/Sun attempted to fix the issue by adding a bounds check on the value of uap->ar. The following disassembly illustrates the bounds checking Oracle/Sun applied:

    Screen Shot 2018-07-17 at 08.24.03

    As can be seen, the value of uap->ar should not be greater or equal to 128. However, we can also observer than Oracle/Sun did not modify the underlying type os uap->ar which is a signed long and as such a signedness issue exists since the value of uap->ar is not checked for a value < 0. As such an attacker could specify a value with the top most bit set (and thus negative) and pass the bounds check thereby dereferencing arbitrary memory once again. The remainder of the patch was to the limit the uap->len parameter to a signed value less than 256 (but also potentially negative).
    Exploitation

    Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.

    Image001
    Final Thoughts

    In case you were wondering why there would be such an obviously exploitable issue in a common configuration of Oracle Solaris, well the following might provide some hints:

    common/avs/ns/sdbc/sdbc_ioctl.h:

    93 #define SDBC_TEST_INIT _SDBC_(5) /* TESTING – tdaemon parameters */
    94 /*
    95 * char * device_name;
    96 * int index;
    97 * int len;
    98 * int track_size;
    99 * int flags;
    100 */

    The code in question may well be for testing purposes.

    This vulnerability has been issued CVE-2018-2892.
    Oracle has patched this vulnerability as a part of their July CPU patch cycle: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
    More information is available in our advisory here: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2018-007

     

UK Court Issues No Sanctions Over Gross Violations Of Surveillance Law

In Britain the Investagatory Powers Tribunal has found that MI5 and GCHQ have spent 15 years grossly violating section 94 of the local Telecommunications act through their cable tapping programs (archived). The tribunal's president Michael Burton however found no reason for anything to be done citing a word salad of bureaucratic wank.