I wonder how often this happens to researchers. It's not that it has happened often to me, twice now, and once turned out to be slightly unique. I'm talking about finding a vulnerability that's not only been found before, but has also been fixed.
Yesterday I fulfilled a promise to myself, which I made long ago, to start looking at protocol handlers in *Nix. It took awhile... I was bored of them. Anyways, within minutes of starting on the newest install of Ubuntu, I discovered a format string flaw within the Vinagre VNC client's vnc:// protocol handler. It was basically your classic vnc://%n causes crash. I was thrilled, obviously, and set out to begin working on exploit code.
Then I came to the realization that I could make tracing this a lot easier if I looked at the source code first (tend to forget that exists when you do most your research on Windows). I searched Google for Vinagre's page, but one of the first hits that came up was to a Core Advisory on the very same format string flaw I had "found". DAMN! Forgot to update my fresh installed Ubuntu VMWare! DAMN! Found a flaw someone else already found and it's already fixed!
I guess it could've been worse, I could've spent forever working on exploit code and THEN found out. Kudos to the Core team for the find. Their advisory shows the p0c performed in a couple ways and they do mention that there's many ways to kick this off, but they don't mention the protocol handler (I wonder if the protocol handler was there by default when this was discovered). I do like the protocol handler attack vector... call me a web app guy if you must, but there's a perverse pleasure one takes in actually owning someone from a cross-site scripting attack (not just stealing some cookies).
I wonder how often this happens to other researchers... I mean, it could've been worse, I could've found the flaw, wrote the sploit, turned it in, only to have been undercut in the process by someone who didn't take the time to fully explore the flaw.
Oh well, one down, several to go when it comes to the *Nix protocol handler front... although, I did like the idea of finding an exploit in one that was there by default.
Interesting side note... I mentioned this happened to me one other time as well, but that it turned out to be a unique case. This was actually in the format string flaw that I found in Apple's iPhoto, which was originally reported and "fixed" with the Month of Apple Bugs project. I remember very well contacting Erik Cabetas for some assistance in putting out some proof of concept exploit code and him telling me that it had already been found during MOAB and fixed by Apple.
I was blown away since I had literally just bought and patched my Mac Book. At the time, I was brute force trying to hit up protocol handlers on the Mac for fodder for my "URI Use and Abuse" research and was attempting to use a string designed to cause either a format string flaw or some kind of buffer overflow. The string I had used was a long string of %n characters... or so I thought. Apparently in the process of creating that long string, I accidentally had typed a %dd into the mix. This pushed iPhoto down a different path, leading to the same vulnerability in a different code path.
Let no one speak ill of my poor typing skillz again :).
1 year ago