PGP key for vulnerability reports

Richard Johnson rjohnson at sourcefire.com
Mon Nov 18 17:27:24 EST 2013


Windows can be forced to map the first page via a VirtualAlloc if the
memory is sufficiently filled / fragmented. This no longer applies in
Windows 8 I believe but for all others it does. I used to work on the
Microsoft Security team and can confirm this to be true. I'm not positive
about whether there are specific mitigations against this in OSX or vanilla
Linux kernel. Either way, most vendors consider a writeAV to be
exploitable.

Yeah, the URL handling bug is particularly annoying because we cannot write
a signature for it from an IPS perspective.

I have a few other bugs I'll send over that were less critical but could
potentially lead to information leak of remote memory layout, which is
necessary for exploitation on systems with ASLR.

I don't have any tight time constraints but hope we can release these
before the end of quarter.


Cheers,
Rich


On Mon, Nov 18, 2013 at 4:09 PM, Ethan Blanton <elb at pidgin.im> wrote:

> Richard Johnson spake unto us the following wisdom:
> > Ethan, can you please confirm receipt of these vulns?
>
> Sorry, yes, we got them!  We haven't formulated a release plan yet.
>
> Just as a quick hit, I believe the GG bug is fixed upstream (or
> pending an upstream fix), the Mxit and SIP bugs are remote crashers
> but not exploitable (no operating system on which Pidgin is routinely
> run maps the first page of memory), and the URL handling bug is the
> worst of the lot.
>
> We will let you know when we've arranged a release; there are several
> issues that have to be coordinated for this, so it is likely to take
> some time.  If you have specific deadlines please let us know and we
> will try to work them in.
>
> Ethan
>
> >
> > On Wed, Nov 13, 2013 at 8:35 PM, Richard Johnson <rjohnson at sourcefire.com> wrote:
> >
> > > Please find some of the security bugs we found attached. I've included
> > > my public key exported to ascii as well. Let me know if you have any
> > > trouble reproducing or understanding the bugs.
> > >
> > >
> > > Cheers,
> > >
> > > Richard Johnson
> > > Vulnerability Development Lead
> > > Sourcefire VRT
> > >
> > >
> > > On Fri, Oct 11, 2013 at 4:28 AM, Ethan Blanton <elb at pidgin.im> wrote:
> > >
> > >> Richard Johnson spake unto us the following wisdom:
> > >> > Hello, our research team has found a number of vulnerabilities in
> > >> > libpurple, including fully controlled remote execution. What is the
> > >> proper
> > >> > procedure for submitting bugs?
> > >>
> > >> You are following it.  :-) For security-related bugs, please send the
> > >> details to this mailing list, and we will arrange for a CVE (unless
> > >> you wish to do so yourselves), bug fix, embargo with our packagers,
> > >> and a public release date.  As we are a large all-volunteer project,
> > >> these things normally take some time -- however, we will proceed as
> > >> rapidly as possible for a remote execution vulnerability.  As I am
> > >> sure you understand, we do ask that you respect the embargo date we
> > >> set and withhold your own publication until that date.  Please provide
> > >> us with whatever crediting information you wish for us to include in
> > >> the CVE and news items -- research institution, individual discoverer,
> > >> email address, etc.
> > >>
> > >> If you wish to encrypt your report, you can encrypt it to my public
> > >> key, 0x771fc72b.  I am currently traveling and there may be some
> > >> latency for a confirmation, but I will distribute the information as
> > >> appropriate.
> > >>
> > >> Ethan
> > >>
> > >
> > >
> > >
> > > --
> > > Richard Johnson
> > > Sourcefire VRT
> > >
> >
> >
> >
> > --
> > Richard Johnson
> > Sourcefire VRT
>



-- 
Richard Johnson
Sourcefire VRT