CENSUS researchers Vasilis Tsaousoglou and Patroklos Argyroudis delivered the "The Shadow over Android: Heap Exploitation Assistance for Android's libc Allocator" technical talk at the 2017 INFILTRATE (Miami, Florida) conference. The abstract of the talk follows:
|Affected Products:||libpurple (all versions), libpurple clients with DBUS support (incl. all versions of pidgin), pidgin-otr (all versions)|
|Class:||Information Exposure (CWE-200), Privacy Violation (CWE-359), Information Exposure Through Sent Data (CWE-201)|
|Discovered by:||Dimitris Glynos|
libpurple-based applications broadcast the plaintext of OTR (off-the-record) conversations over DBUS.
This makes the plaintext available to other (possibly unrelated) applications executing under the same
user. Also, due to a design flaw in libpurple, the user’s choice of not logging OTR plaintext on Pidgin is not communicated over to the third party applications listening on DBUS. This may lead to unintentional (on disk) logging of private messages.
|Affected Products:||FreeBSD 8.0-RELEASE, 7.3-RELEASE, 7.2-RELEASE|
|Class:||Improper Input Validation (CWE-20)|
|Discovered by:||Patroklos Argyroudis|
We have discovered two improper input validation vulnerabilities in the FreeBSD kernel’s NFS client-side implementation (FreeBSD 8.0-RELEASE, 7.3-RELEASE and 7.2-RELEASE) that allow local unprivileged users to escalate their privileges, or to crash the system by performing a denial of service attack.
In my recent Black Hat Europe 2010 talk I gave an overview of the kernel exploitation prevention mechanisms that exist on FreeBSD. A few people at the conference have subsequently asked me to elaborate on the subject. In this post I will collect all the information from my talk and the various discussions I had in the Black Hat conference hallways.