From: Jann Horn (jannthejh.net)
Date: Fri May 03 2013 - 17:22:54 CDT
So, I found a vuln for overwriting kernel memory in kernel code by Broadcom for the
Raspberry Pi (afaik not in the official kernel sources, just in the patched
kernel sources for the raspberry pi). It requires you to be in the "video" group,
so it's not very interesting, I think, but I thought, hey, before you share your
PoC for causing a kernel oops with FD, maybe you should contact Broadcom and tell
them so they have a chance to write a fix!
Well, first step: Check their website.
Result: No security contact mail. No contact mail address at all, actually.
Step two: Connect via SMTP, try RFC-specified mailboxes and other common mailboxes
with "RCPT TO", check which are accepted.
Result: Well, <postmaster> isn't accepted, but a lot of other stuff works! Yay!
Step three: Send mail to the addresses that were accepted by "RCPT TO".
Result: Bounces. Turns out the mailserver just accepts everything, then sends bounces.
Step four: Do a whois, send mail to the DNS admin. Not exactly first choice, but oh well...
Result: Bounces, too, because their second SMTP server sees that the mail comes from their
first SMTP server, looks at my SPF record and figures that Broadcom isn't allowed to send
mails in my name. Hooray.
Step five: Spam somewhat-related IRC channels to figure out a working contact mail.
Result: Doesn't bounce – waiting for a reply.
tl;dr: Broadcom, fix your stupid mailservers!
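The mail-server behaviour described in the post (RCPT TO accepted for anything, followed by a bounce) is what a mail admin should test for on their own MX: a catch-all that accepts every recipient and bounces later is a backscatter source, and it also makes RCPT TO useless as a check for whether the RFC 2142 role mailboxes (postmaster, abuse, security, ...) actually exist. The script below is an added example, not code from the original post; it probes a mail host with a single SMTP session that never sends DATA, adds a random non-existent "canary" address to detect catch-all acceptance, and reports which role mailboxes are accepted. The host name, sender address and the fake reply generator are constructed for the demonstration; `live_rcpt_codes` uses only the standard `smtplib` API.

```python
"""Check an MX for RFC 2142 role mailboxes and catch-all (accept-then-bounce) behaviour.

Added example for the post above; run it against your own domain's MX.
"""
import secrets
import smtplib

# Role mailboxes that RFC 2142 expects a domain to have.
ROLE_MAILBOXES = ["postmaster", "abuse", "security", "hostmaster", "webmaster"]


def live_rcpt_codes(mx_host, mail_from, addresses, port=25, timeout=10):
    """Return {address: SMTP reply code} for RCPT TO on a live server.

    One session, EHLO + MAIL FROM, then one RCPT TO per address; no DATA is
    ever sent, so nothing is delivered. The context manager sends QUIT.
    """
    with smtplib.SMTP(mx_host, port, timeout=timeout) as session:
        session.ehlo()
        session.mail(mail_from)
        return {addr: session.rcpt(addr)[0] for addr in addresses}


def assess_mailbox_policy(domain, codes_for):
    """Classify a domain's RCPT TO policy.

    codes_for(addresses) -> {address: reply_code}; pass a closure around
    live_rcpt_codes for a real check, or a fake for offline testing.
    """
    role_addrs = [f"{box}@{domain}" for box in ROLE_MAILBOXES]
    # A random local part that cannot exist: if the server accepts it, it
    # accepts everything at RCPT time and rejects only after the fact
    # (bounces), so acceptance of the role addresses proves nothing.
    canary = f"nx-{secrets.token_hex(8)}@{domain}"
    codes = codes_for(role_addrs + [canary])
    accepted = {addr for addr, code in codes.items() if 200 <= code < 300}
    catch_all = canary in accepted
    return {
        "catch_all": catch_all,
        "role_mailboxes_accepted": sorted(accepted - {canary}),
        "role_mailboxes_rejected": sorted(set(role_addrs) - accepted),
        # RCPT TO answers are only meaningful when the server rejects unknowns
        "rcpt_reliable": not catch_all,
    }


def fake_codes(accept_all):
    """Constructed stand-in for a server: either catch-all, or only
    abuse@ and security@ exist (250), everything else gets 550."""
    def codes_for(addresses):
        return {
            addr: 250 if accept_all or addr.split("@")[0] in ("abuse", "security") else 550
            for addr in addresses
        }
    return codes_for


if __name__ == "__main__":
    # Offline demonstration with the constructed fake server.
    for label, policy in (("catch-all", True), ("selective", False)):
        print(label, assess_mailbox_policy("example.com", fake_codes(policy)))
    # For a real check of your own MX (hypothetical host and sender):
    # codes_for = lambda addrs: live_rcpt_codes("mx.example.com", "you@example.com", addrs)
    # print(assess_mailbox_policy("example.com", codes_for))
```

If `catch_all` is true, the fix is on the server side: reject unknown recipients at RCPT time rather than accepting and bouncing. Note that a bounce sent to a third party can itself fail SPF, exactly as the post describes, so accept-then-bounce tends to lose the message in both directions.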
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/