April has been over for a while now. I was slightly busy in that month and have added 4 disclosures to my list:
With travel for work calming down, I’m hoping to have my time to hack stuff in May!
G13 Security
Two of my published vulnerabilities have been assigned CVEs:
- Timesheet Next Gen 1.5.2 SQL Injection – CVE-2012-2105
- PHP Gift Registry 1.5.5 SQL Injection – CVE-2012-2236
I will have some more vuln news towards the end of the week!
G13 Security
This past Thursday, I presented my talk, “Android in the Healthcare Workplace: A Case Study” at AppSec DC 2012. I would like to thank all of those who came to see my talk.
It was a wonderful experience and I would like to thank the AppSec DC volunteers and staff for giving me the opportunity to speak!
I have posted my slides. Please check the Presentations page for them.
G13 Security
Back in October, I was introduced to the infosec side of Android. I attended a couple of presentations which spoke about how to assess Android applications as well as reverse engineer them. After doing some research, I found that the number of vulnerabilities posted for Android was very, very minuscule as opposed to traditional web apps and software. So I decided to do some research.
I picked something I had some experience with, fuzzing FTP servers. After doing some research on the Android Market, I found that there was a plethora of FTP servers available for testing. I have SPIKE scripts set up for such a thing, so I downloaded just about every single one and started fuzzing.
It did not take long until I found something interesting; my Android tablet restarted during the testing of the FTPServer by Andreas Liebig app. After doing a few more tests, I was able to narrow down the cause of the crash and create a PoC to demonstrate the vulnerability.
During this time I contacted the Android Security Team. They initially responded very quickly and over the next several weeks they came to understand the bug. I originally reported the vulnerability to them on October 20th, 2011.
It has now been 5 months since I reported it, and I have decided to make the issue public. It appears that the vulnerability does not exist in Android 4.0 as it has a much newer kernel.
See below for all links, including the vulnerability report and software downloads. If anyone is interested in more details you may find me on Twitter, @g13net, or by email: g13net () gmail.com
http://www.exploit-db.com/exploits/18630/
http://www.g13net.com/ftpserver.apk
G13 Security
My talk, “Android in the Healthcare Workplace: A Case Study,” has been selected for AppSec DC 2012! My talk is on April 5th at 3PM. See the schedule below:
http://appsecdc.org/2012schedule/
This is my first time speaking at an Infosec conference and I am very excited!
G13 Security
January seems to have been an off month for me. However, in February I picked back up with some more vulnerability research! I was able to snag three more vulns, 1 XSS and 2 SQLi! Finally out of my XSS slump and found some interesting things!
Let’s hope for a busy March!
G13 Security
Goofile 1.5 has been released! This new version contains one major enhancement: more results!
Grab it here:
http://code.google.com/p/goofile/downloads/list
G13 Security
Up until this point, my disclosure policy has been whatever-the-hell I feel like. I had no guidelines and disclosed stuff whenever I felt like. I have decided that having a published policy to provide vendors .
I will include a link to the policy in every report I make to a vendor.
If you would like to see the policy, it resides at http://www.g13net.com/vuln-disc.txt
If anyone has any comments, I am open to suggestions.
Important Note: This policy goes into effect for any vulnerabilities I report AFTER today’s date.
G13 Security
Goofile 1.1 has now been added to the Backtrack Linux repositories! Very exciting times.

G13 Security
In December, I went on a spree looking for injection vulnerabilities in dozens of available web applications from Google Code and SourceForge. What came out of it were 6 published vulnerabilities, all XSS. Five of those issues have been assigned CVEs:
- CVE-2011-5042
- CVE-2011-5045
- CVE-2011-5026
- CVE-2012-0699
- CVE-2012-0846
The latter two, CVE-2012-0699 and CVE-2012-0846, seem to not be published by MITRE yet. Although they have been identified to me as the CVE-IDs for the issues, MITRE has not publicly announced them. So either after further review they were rejected or they have not committed them yet. My hope is that they eventually get published by MITRE and NVD.
G13 Security