Drupal 5.0 form

November 29, 2014

If you want to create and submit a form in Drupal 5, make sure you set the form's submit action to self (the page that builds the form). Only then can you use Drupal's form functions to process the submission.

Categories: Uncategorized

Running Drupal 5.x on PHP 5.4.3

November 22, 2014

Drupal 5 does not support PHP 5.4.3, and for those who have sites based on Drupal 5 this causes a major headache. So some people wrote a patch which you can apply to the core files in order to run Drupal 5 on PHP 5.4.3.

You can download the patch here:

https://www.drupal.org/node/1016008

Thanks,

Categories: Uncategorized

CVE-2014-4715 Analysis

July 11, 2014

It's an integer overflow vulnerability in LZ4's 'lz4.c'. If we look at the patch at https://code.google.com/p/lz4/source/diff?spec=svn119&r=119&format=side&path=/trunk/lz4.c

we see that they have added the following conditions:

/* overflow detection */
if ((sizeof(void*)==4) && unlikely((size_t)(op+length)<(size_t)(op))) goto _output_error; /* quickfix issue 134 */
if ((endOnInput) && (sizeof(void*)==4) && unlikely((size_t)(ip+length)<(size_t)(ip))) goto _output_error; /* quickfix issue 134 */

//if ((sizeof(void*)==4) && unlikely(length>LZ4_MAX_INPUT_SIZE)) goto _output_error; /* overflow detection */
if ((sizeof(void*)==4) && unlikely((size_t)(op+length)<(size_t)op)) goto _output_error; /* quickfix issue 134 */

As you may have figured out, we are adding some value to the variable ip and then checking whether the sum is less than the value of ip. This can only be true in case of integer overflow, i.e. the pointer wrapping around on 32-bit builds, which is why the checks are guarded by sizeof(void*)==4. A similar check is added for the op variable.

Thanks,

Hardik

Categories: 0 day analysis

HeartBleed Vulnerability, CVE-2014-0160 Analysis

April 11, 2014

Here is the packet:

(figure: heartbeat packet)

So what's the issue? Let's look into the patched code.

If you look at the checks, there are the following three:

1. if (1 + 2 + 16 > s->s3->rrec.length)
return 0; /* silently discard */

2. if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */

3. if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
return 0;

The first check makes sure that packets whose TLS record length is less than 19 bytes are discarded. Why? Because 1 byte denotes the message type, 2 bytes denote the length and 16 bytes are padding, so this discards a packet that is too short to even hold the header and the padding.

The second check makes sure that the payload length claimed in the heartbeat header, plus the header and padding, does not exceed the length given in the TLS record. This is the bounds check that was missing before the patch.

The third check makes sure that the write length is not more than 16384 (0x4000), which is SSL3_RT_MAX_PLAIN_LENGTH.
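The three checks above, as an added example that is not OpenSSL's code, applied to constructed heartbeat records so that each discard path can be exercised. The outcome codes, the helper names and the 16-byte HB_PADDING constant are this example's own assumptions.

```c
#include <stddef.h>
#include <string.h>

/* From OpenSSL's ssl3.h: largest plaintext record the stack will build */
#define SSL3_RT_MAX_PLAIN_LENGTH 16384
#define HB_REQUEST 1   /* TLS1_HB_REQUEST */
#define HB_PADDING 16  /* padding length the checks assume (example constant) */

/* Outcome codes used by this example (assumed names, not OpenSSL's) */
enum { HB_OK = 0, HB_DISCARD_SHORT, HB_DISCARD_PAYLOAD, HB_DISCARD_TOO_LONG };

/* Run the three patched checks over the body of a heartbeat record:
 * rec = [hbtype:1][payload_len:2][payload][padding], rec_len = rrec.length.
 * On success stores the response size that would be built into *resp_len. */
int heartbeat_check(const unsigned char *rec, size_t rec_len, size_t *resp_len)
{
    /* check 1: room for type (1) + length (2) + minimum padding (16) */
    if (1 + 2 + HB_PADDING > rec_len)
        return HB_DISCARD_SHORT;
    /* n2s(p, payload): the peer-supplied length, never trusted on its own */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* check 2: claimed payload plus header and padding must fit the record;
     * this is the bound that stops the over-read of process memory */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return HB_DISCARD_PAYLOAD;
    /* check 3: the echoed response must itself fit one plaintext record */
    size_t write_length = 1 + 2 + payload + HB_PADDING;
    if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
        return HB_DISCARD_TOO_LONG;
    *resp_len = write_length;
    return HB_OK;
}

/* Build a constructed heartbeat request whose advertised length may differ
 * from the payload bytes actually present, then run the checks on it. */
int check_constructed(unsigned claimed, size_t actual, size_t padding, size_t *resp_len)
{
    static unsigned char rec[1 << 15];
    size_t rec_len = 1 + 2 + actual + padding;
    if (rec_len > sizeof rec)
        return -1;
    memset(rec, 0, rec_len);
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memset(rec + 3, 'A', actual);            /* payload bytes really sent */
    return heartbeat_check(rec, rec_len, resp_len);
}
```

A record that advertises 65535 payload bytes but carries one is rejected by the second check, which is exactly the case the original code let through.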


This is a quick post; I hope it clarifies things. If you have any questions, feel free to mail me.

Categories: Uncategorized

CVE-2013-4232 analysis

April 5, 2014

After a long time I did some quick analysis. Here are the details for CVE-2013-4232:

If you look at the patch here:

https://github.com/willysr/SlackHacks/blob/master/SlackBuilds/libtiff/tiff-4.0.3-CVE-2013-4232.patch

there is only one line of code added:

_TIFFfree(buffer);
+ return(0);
} else {
  buffer=samplebuffer;
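Review bot: the one-line fix is correct but leaves `buffer` dangling between `_TIFFfree(buffer)` and the new `return(0)`, and the only thing keeping the later `t2p_sample_realize_palette(t2p, buffer)` call away from freed memory is that early return. Suggest also clearing the pointer on the error path, e.g. `_TIFFfree(buffer); buffer = NULL; return(0);`, so that any future change which drops or bypasses the return turns the use-after-free into a deterministic null dereference instead of a silent memory-safety bug.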
You see the return statement above? Well, that's it: it's a use-after-free vulnerability. Here is the full code:
if(samplebuffer==NULL){
    TIFFError(TIFF2PDF_MODULE,
        "Can't allocate %lu bytes of memory for t2p_readwrite_pdf_image, %s",
        (unsigned long) t2p->tiff_datasize,
        TIFFFileName(input));
    t2p->t2p_error = T2P_ERR_ERROR;
    _TIFFfree(buffer);
    return(0); /* this is the fix */
} else {
    buffer=samplebuffer;
    t2p->tiff_datasize *= t2p->tiff_samplesperpixel;
}
/* without the return above, execution reaches this call and uses buffer,
   which was already freed: that is the use-after-free */
t2p_sample_realize_palette(t2p, buffer);
}
That's it.

Categories: Uncategorized

Sulley_l2: how to install on BackTrack 5

April 23, 2013

1. Set $PYTHONPATH to the sulley dir.

2. Set $PATH to include the python executable.

3. Install libdnet: go to its python dir and run python setup.py install.

Then run any fuzzer from the sulley_l2 main dir. It should work.

CVE-2013-1488

April 22, 2013

The bug fix is simple: remove the print code.

@@ -516,7 +516,7 @@ public class DriverManager {
*/
try{
while(driversIterator.hasNext()) {
- println(” Loading done by the java.util.ServiceLoader : “+driversIterator.next());
+ driversIterator.next();
}
} catch(Throwable t) {
// Do nothing
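Review bot: the replacement line `+ driversIterator.next();` discards the returned driver, so it reads as dead code and invites removal by a later cleanup, while the removed line made the difference visible: concatenating `driversIterator.next()` into the `println` string forced `toString()` on each driver as it was loaded, inside a `catch(Throwable t)` that does nothing. Add a comment on the `+` line stating that the call is intentional (it advances the iterator and loads the driver) and that the result is deliberately neither printed nor converted to a string.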
If you want to read more about this vulnerability, the original researcher has posted details here:
Good piece of work!
Categories: Uncategorized