What a real buffer overwrite may look like


In 2018 I got my Firefox hacked! It was over as fast as it was done. First Firefox crashed. It was fully patched and I had an AppArmor profile on Ubuntu in full enforce mode. Here are the log entries:

May 25 20:17:06 molly kernel: [  372.984627] audit: type=1400 audit(1527272226.649:102): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=7437 comm="firefox" capability=21  capname="sys_admin"
May 25 20:17:06 molly dbus-daemon[2062]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.7" pid=7437 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2161 peer_label="unconfined"
May 25 20:17:07 molly kernel: [  373.458709] audit: type=1400 audit(1527272227.121:103): apparmor="DENIED" operation="file_lock" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/erza/.cache/fontconfig/a41116dafaf8b233ac2c61cb73f2ea5f-le64.cache-7" pid=7437 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1001 ouid=1001
May 25 20:17:07 molly dbus-daemon[2062]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="RequestName" mask="send" name="org.freedesktop.DBus" pid=7437 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_label="unconfined"
May 25 20:17:07 molly dbus-daemon[2062]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.7" pid=7505 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2161 peer_label="unconfined"
May 25 20:17:08 molly dbus-daemon[2062]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.7" pid=7567 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2161 peer_label="unconfined"
May 25 20:17:24 molly dbus-daemon[2062]: [session uid=1001 pid=2062] Activating via systemd: service name='org.gnome.Terminal' unit='gnome-terminal-server.service' requested by ':1.77' (uid=1001 pid=7611 comm="/usr/bin/gnome-terminal.real " label="unconfined")
May 25 20:17:24 molly systemd[2035]: Starting GNOME Terminal Server...
May 25 20:17:24 molly dbus-daemon[2062]: [session uid=1001 pid=2062] Successfully activated service 'org.gnome.Terminal'
May 25 20:17:24 molly systemd[2035]: Started GNOME Terminal Server.

When I searched through the logs 30 seconds later, almost everything above was gone, leaving only the inconspicuous entries. Now, that's a very professional hacker group at work.
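The entries above come in two shapes: kernel audit records (type=1400, with the confined process in profile=) and dbus-daemon mediation records (with it in label=). As an added example that is not part of the original post, here is a small Python parser that normalises both shapes, groups the DENIED records per confined pid, and flags capability requests a browser has no reason to make, such as the sys_admin denial in the first line. The sample input is constructed from the entries quoted above; the HIGH_INTEREST_CAPS list is my own choice, not anything from the post or from AppArmor.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the entries quoted in the post:
# two kernel audit records, one dbus-daemon mediation record and one
# unrelated systemd line that the parser must ignore.
SAMPLE_LOG = """\
May 25 20:17:06 molly kernel: [  372.984627] audit: type=1400 audit(1527272226.649:102): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=7437 comm="firefox" capability=21  capname="sys_admin"
May 25 20:17:06 molly dbus-daemon[2062]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.7" pid=7437 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2161 peer_label="unconfined"
May 25 20:17:07 molly kernel: [  373.458709] audit: type=1400 audit(1527272227.121:103): apparmor="DENIED" operation="file_lock" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/erza/.cache/fontconfig/a41116dafaf8b233ac2c61cb73f2ea5f-le64.cache-7" pid=7437 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1001 ouid=1001
May 25 20:17:24 molly systemd[2035]: Starting GNOME Terminal Server...
"""

# key=value pairs: either a double-quoted value or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Capabilities a web browser has no business requesting (my own list, an
# assumption). A denial of one of these from a confined browser is worth a
# second look, whether it turns out to be a profile gap or the process
# misbehaving.
HIGH_INTEREST_CAPS = {"sys_admin", "sys_ptrace", "sys_module", "setuid", "setgid"}


def parse_apparmor_line(line):
    """Return the key=value fields of an AppArmor DENIED record, or None for any other line."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    # Kernel audit records name the confined process's profile in `profile=`,
    # dbus-daemon mediation records name it in `label=`. Normalise to one key.
    fields["profile"] = fields.get("profile") or fields.get("label")
    fields["pid"] = int(fields["pid"])
    return fields


def describe(rec):
    """One-line description of a parsed record, by operation type."""
    op = rec["operation"]
    if op == "capable":
        return f"capable: {rec.get('capname')} ({rec.get('capability')})"
    if op == "dbus_method_call":
        return f"dbus_method_call: {rec.get('interface')}.{rec.get('member')} -> {rec.get('peer_label')}"
    if op in ("file_lock", "open", "file_perm"):
        return f"{op}: {rec.get('name')} mask={rec.get('denied_mask')}"
    return op


def summarize_denials(log_text):
    """Group DENIED records by (profile, pid) and flag high-interest capability requests."""
    summary = defaultdict(lambda: {"denials": [], "flags": []})
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec is None:
            continue
        entry = summary[(rec["profile"], rec["pid"])]
        entry["denials"].append(describe(rec))
        if rec["operation"] == "capable" and rec.get("capname") in HIGH_INTEREST_CAPS:
            entry["flags"].append(f"requested CAP_{rec['capname'].upper()}")
    return dict(summary)


if __name__ == "__main__":
    for (profile, pid), entry in summarize_denials(SAMPLE_LOG).items():
        print(f"{profile} pid={pid}: {len(entry['denials'])} denials")
        for d in entry["denials"]:
            print("   ", d)
        for f in entry["flags"]:
            print("  !", f)
```

Every record in the sample is a denial, so the summary shows what the profile stopped, not what succeeded. Because the post's other point is that the entries disappeared from the local log shortly afterwards, a parser like this is most useful running on a copy of the journal shipped to a remote collector, where a process on the affected host cannot trim it.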

