July 14, 2015 12:50 · July 13, 2015 20:58 · August 29, 2015 14:24 · August 29, 2015 14:23 · April 26, 2015 23:49 · August 29, 2015 14:19
 zzzzDevToolsAPI.dispatchMessage({"method":"Network.responseReceived","params":{"requestId":"1191.4","frameId":"1191.1","loaderId":"1191.3","timestamp":125386.24326,"type":"Document","response":{"url":"http://thejh.net/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAthisisaneviltest","status":404,"statusText":"Not Found","headers":{"Date":"Tue, 14 Jul 2015 12:48:11 GMT","Cache-Control":"no-transform","Server":"lighttpd/1.4.35","Content-Length":"345","Content-Type":"text/html"},"mimeType":"text/html","connectionReused":false,"connectionId":21596,"encodedDataLength":-1,"fromDiskCache":false,"fromServiceWorker":false,"timing":{"requestTime":125386.186667,"proxyStart":-1,"proxyEnd":-1,"dnsStart":2.04599999415223,"dnsEnd":2.06400000024587,"connectStart":2.06400000024587,"connectEnd":29.9769999983255,"sslStart":-1,"sslEnd":-1,"serviceWorkerFetchStart":-1,"serviceWorkerFetchReady":-1,"serviceWorkerFetchEnd":-1,"sendStart":30.19000000
 #define _GNU_SOURCE

 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <fcntl.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 diff -rupN afl-0.31b/afl-fuzz.c afl-0.31b-modded/afl-fuzz.c
 --- afl-0.31b/afl-fuzz.c	2014-09-12 08:33:20.000000000 +0200
 +++ afl-0.31b-modded/afl-fuzz.c	2014-09-29 13:35:15.876019069 +0200
 @@ -19,12 +19,14 @@
  */
 
 #define AFL_MAIN
 +#define _GNU_SOURCE
 
 #include "config.h"
  400545:	48 8b 55 f8          	mov    rdx,QWORD PTR [rbp-0x8]
  400549:	64 48 33 14 25 28 00 	xor    rdx,QWORD PTR fs:0x28
  400550:	00 00 
  400552:	74 05                	je     400559 <main+0x33>
  400554:	e8 a7 fe ff ff       	call   400400 <__stack_chk_fail@plt>
 I made a PoC that shows one possible way to exploit this. Use a Tahoe-LAFS instance that is connected to the testnet, browse to different URLs in the testnet, then navigate the same tab to this URL:

 http://localhost:3456/file/URI%3ACHK%3A6hxsjrbtiyjohpj7i7bn6dqixi%3Ail3humxxej53gg6bpr3l5ecxrqdg6wnd5ceuq33vqtrivvrhlfeq%3A1%3A6%3A1262/@@named=/historysteal.html

 Click anywhere on the page. The following attack will happen:

 -------------------------
 The evil HTML file opens itself in a second tab using "window.open(location.toString(), 'foo')" (requires a click to bypass popup blockers). Then the evil HTML file in the second tab can
 access the first tab using "window.opener". The evil second tab does this again and again:
 #define _GNU_SOURCE
 #include <jh.h>
 #include <string.h>
 #include <arpa/inet.h>
 #include <assert.h>
 #include <fcntl.h>

   /* Table of CRCs of all 8-bit messages. */
   unsigned long crc_table[256];
   
 #define _GNU_SOURCE
 #include <dlfcn.h>
 #include <string.h>

 int system(const char *cmd) {
  static int (*realsystem)(const char *);
  if (!realsystem) realsystem = dlsym(RTLD_NEXT, "system");
  if (strchr(cmd, ';') || strchr(cmd, '`') || strstr(cmd, "&&") || strstr(cmd, "../")) {
    return 1;
  }
 When unpacking packages, there's a race that allows putting lib*.so files w=
 ith standard permissions
 into all kinds of places where they shouldn't be. How to exploit:

 - let your app move its "lib" directory away (or delete it if it's empty)
 - let your app create a new "lib" directory (owned by the app)
 - run something like this in the background while the user is installing a=
 n update containing evil shared objects:

       while ls -ld lib|grep app_68 > /dev/null; do true; done; mv lib lib-=
 Android reuses UIDs, and IMO, it shouldn't do that, at least not without having rebooted once.
 Reasons:

 - the deinstallation process doesn't kill all processes with the UID of the app, and neither does
   the installation process - therefore, an app can gain higher privileges by tricking the user
   into uninstalling it and then installing another app with higher privileges
 - there are app-writable filesystems which aren't protected against suid executables, so an app
   could drop a suid-shell in one of those filesystems and thereby allow other malicious apps to
   obtain full access to whatever app will be the next one to get assigned the uid (all filesystems
   without nosuid, except for rootfs, seem to be temporary, so a reboot should wipe all suid executables)
	#define _GNU_SOURCE

	#include <stdio.h>
	#include <stdlib.h>
	#include <unistd.h>
	#include <fcntl.h>
	#include <sys/socket.h>
	#include <sys/un.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	diff -rupN afl-0.31b/afl-fuzz.c afl-0.31b-modded/afl-fuzz.c
	--- afl-0.31b/afl-fuzz.c 2014-09-12 08:33:20.000000000 +0200
	+++ afl-0.31b-modded/afl-fuzz.c 2014-09-29 13:35:15.876019069 +0200
	@@ -19,12 +19,14 @@
	*/

	#define AFL_MAIN
	+#define _GNU_SOURCE

	#include "config.h"
	400545: 48 8b 55 f8 mov rdx,QWORD PTR [rbp-0x8]
	400549: 64 48 33 14 25 28 00 xor rdx,QWORD PTR fs:0x28
	400550: 00 00
	400552: 74 05 je 400559 <main+0x33>
	400554: e8 a7 fe ff ff call 400400 <__stack_chk_fail@plt>
	I made a PoC that shows one possible way to exploit this. Use a Tahoe-LAFS instance that is connected to the testnet, browse to different URLs in the testnet, then navigate the same tab to this URL:

	http://localhost:3456/file/URI%3ACHK%3A6hxsjrbtiyjohpj7i7bn6dqixi%3Ail3humxxej53gg6bpr3l5ecxrqdg6wnd5ceuq33vqtrivvrhlfeq%3A1%3A6%3A1262/@@named=/historysteal.html

	Click anywhere on the page. The following attack will happen:

	-------------------------
	The evil HTML file opens itself in a second tab using "window.open(location.toString(), 'foo')" (requires a click to bypass popup blockers). Then the evil HTML file in the second tab can
	access the first tab using "window.opener". The evil second tab does this again and again:
	#define _GNU_SOURCE
	#include <jh.h>
	#include <string.h>
	#include <arpa/inet.h>
	#include <assert.h>
	#include <fcntl.h>

	/* Table of CRCs of all 8-bit messages. */
	unsigned long crc_table[256];
	#define _GNU_SOURCE
	#include <dlfcn.h>
	#include <string.h>

	int system(const char *cmd) {
	static int (realsystem)(const char );
	if (!realsystem) realsystem = dlsym(RTLD_NEXT, "system");
	if (strchr(cmd, ';') \|\| strchr(cmd, '`') \|\| strstr(cmd, "&&") \|\| strstr(cmd, "../")) {
	return 1;
	}
	When unpacking packages, there's a race that allows putting lib*.so files w=
	ith standard permissions
	into all kinds of places where they shouldn't be. How to exploit:

	- let your app move its "lib" directory away (or delete it if it's empty)
	- let your app create a new "lib" directory (owned by the app)
	- run something like this in the background while the user is installing a=
	n update containing evil shared objects:

	while ls -ld lib\|grep app_68 > /dev/null; do true; done; mv lib lib-=
	Android reuses UIDs, and IMO, it shouldn't do that, at least not without having rebooted once.
	Reasons:

	- the deinstallation process doesn't kill all processes with the UID of the app, and neither does
	the installation process - therefore, an app can gain higher privileges by tricking the user
	into uninstalling it and then installing another app with higher privileges
	- there are app-writable filesystems which aren't protected against suid executables, so an app
	could drop a suid-shell in one of those filesystems and thereby allow other malicious apps to
	obtain full access to whatever app will be the next one to get assigned the uid (all filesystems
	without nosuid, except for rootfs, seem to be temporary, so a reboot should wipe all suid executables)