A few weeks/months ago I sadly realized that the author
of the xorl blog was quitting his writeups. Now it seems
that he is continuing his activities. Now I have
something nice to read at the beginning of the day.
Although he doesn't speak about vulnerabilities he found
himself, its one of the better security blogs in my opinion.
I really enjoy reading it and like to recommend it to
everyone interested in software trickery.
I want more OpenBSD foo. :)
Monday, November 2, 2009
Friday, October 16, 2009
injectso 32bit x86 port
injectso now supports x86 and x86-64 architecture. make automagically
compiles the correct version.I also added some code cleanups and
error checking as well as the possibility to inject DSO's with relative
pathnames as suggested by a patch I received.
Do not forget to vote (right toolbar:) !
Wednesday, October 14, 2009
New injectso available
I ported injectso to the new glibc (2.5, 2.9 and 2.10 tested).
It now runs on Linux/x86-64 machines. Original developed
by Shaun Clowes in 2001 for i386 and sparc it showed that
there is a really simple way on current systems to do that.
It now runs on Linux/x86-64 machines. Original developed
by Shaun Clowes in 2001 for i386 and sparc it showed that
there is a really simple way on current systems to do that.
Wednesday, September 30, 2009
unixdump UNIX-socket sniffer available
Update:
Released new version (0.42) since 0.41 (not avail anymore)
crashes when accessing udmp device afer rmmod.
(The dynamically assigned major number was not updated
for unregistering.) Thanks to myself for reviewing my own
code :)
Ok, its finally avail here.
Do not run it inside an xterm or otherwise its
like sniffing all tcp traffic remotely on a ssh shell.
BTW ssh. Due to my ssh timing/packet-size patch
I've been called a Iran circumvention developer.
Really funny wording. I like to add that to my
resume.
And right in time while typing
they play LOA with Love to let you down.
What do you want more?
Released new version (0.42) since 0.41 (not avail anymore)
crashes when accessing udmp device afer rmmod.
(The dynamically assigned major number was not updated
for unregistering.) Thanks to myself for reviewing my own
code :)
Ok, its finally avail here.
Do not run it inside an xterm or otherwise its
like sniffing all tcp traffic remotely on a ssh shell.
BTW ssh. Due to my ssh timing/packet-size patch
I've been called a Iran circumvention developer.
Really funny wording. I like to add that to my
resume.
And right in time while typing
they play LOA with Love to let you down.
What do you want more?
Tuesday, September 29, 2009
When const really means const
Who cares about const? Its never enforced anyways!?
Except in Linux kernels built with gcc 4.x (maybe even
before?). If you declare a pointer member const
(the thing it points to, not the pointer itself), like
proto_ops in the socket struct, the pointee will be placed in a
RO location which means you cant redirect socket operation
functions like recvmsg(). You have to make the right PTE
writable in order to redirect the functions.
Rootk^H^H^H^H^HCertain debugging LKMs like my unixdump
require to redirect some functions in order to record
whats sent across sockets. unixdump works like tcpdump
for inet sockets. The version which is available now was
written in 2006 for the 2.6.16 kernel and doesnt work with
recent/current ones (and its dirty and hackish anyways).
Thats why I ported it within the last days to current kernels.
It will be uploaded soon.
The way you can modify const members changed in current kernels;
in fact is is easier than before b/c a new function lookup_address()
is exported and you do not need to walk the PGD down.
Except in Linux kernels built with gcc 4.x (maybe even
before?). If you declare a pointer member const
(the thing it points to, not the pointer itself), like
proto_ops in the socket struct, the pointee will be placed in a
RO location which means you cant redirect socket operation
functions like recvmsg(). You have to make the right PTE
writable in order to redirect the functions.
Rootk^H^H^H^H^HCertain debugging LKMs like my unixdump
require to redirect some functions in order to record
whats sent across sockets. unixdump works like tcpdump
for inet sockets. The version which is available now was
written in 2006 for the 2.6.16 kernel and doesnt work with
recent/current ones (and its dirty and hackish anyways).
Thats why I ported it within the last days to current kernels.
It will be uploaded soon.
The way you can modify const members changed in current kernels;
in fact is is easier than before b/c a new function lookup_address()
is exported and you do not need to walk the PGD down.
Tuesday, September 22, 2009
GCC -fmudflap
Programs compiled with -fmudflap are given protection by GCC
against overflow conditions etc. The GCC then adds a runtime
to track&check operations on arrays etc..
To specify runtime behavior, you can pass various
options via the $MUDFLAP_OPTIONS environment variable.
If we look how the mudflap runtime is
handling these options, we have:
...
case viol_gdb:
snprintf (buf, 128, "gdb --pid=%u", (unsigned) getpid ());
system (buf);
...
Note, that mudflap is made for security reasons. For programs
like network servers or setuid binaries.
I made a bugzilla entry into the GCC bugzilla since this
should be changed somehow :)
against overflow conditions etc. The GCC then adds a runtime
to track&check operations on arrays etc..
To specify runtime behavior, you can pass various
options via the $MUDFLAP_OPTIONS environment variable.
If we look how the mudflap runtime is
handling these options, we have:
...
case viol_gdb:
snprintf (buf, 128, "gdb --pid=%u", (unsigned) getpid ());
system (buf);
...
Note, that mudflap is made for security reasons. For programs
like network servers or setuid binaries.
I made a bugzilla entry into the GCC bugzilla since this
should be changed somehow :)
Monday, September 21, 2009
Small improvement for inotify
The inotify tool got a small improvement yesterday, so you
can pass -r (recursion) to it. It now also allows you to recursively
watch newly created/modified/deleted/accessed files/dirs
in newly created subdirs of the watched directory.
This already showed me some differences between man versions :)
can pass -r (recursion) to it. It now also allows you to recursively
watch newly created/modified/deleted/accessed files/dirs
in newly created subdirs of the watched directory.
This already showed me some differences between man versions :)
Monday, September 14, 2009
un-evil code
I had incredible dl statistics for gc.cc (see last posting). Even
better than for exploits, years ago when I was publishing them.
Seems to me I should switch completely to write robust and boring
application code which is much more appreciated by the public.
Nevertheless, since there have not been reports about
crash containing major bugs or alike, I removed the beta-test
password from the directory.
better than for exploits, years ago when I was publishing them.
Seems to me I should switch completely to write robust and boring
application code which is much more appreciated by the public.
Nevertheless, since there have not been reports about
crash containing major bugs or alike, I removed the beta-test
password from the directory.
Friday, September 4, 2009
C++ local_scope<> template
If you write a lot of code (and I know, some of the readers
actually do :), depending on your style, you often run
into situations where you allocate some ressource like
fopen()ing some files or allocing memory and later
you realize some error-condition and you properly need
to fclose()/free() all the stuff in the right order
and depending on what was allocated yet.
This leads to a lot of copy-n-paste code and often
plain wrong code or even better security breaches :)
If you like C++, you can have a look here to avoid
all these problems.
You can register FILE pointers, file-descriptors or
memory regions to a local_scope<> template and it
automatically closes/releases ressources when you leave scope
(also in right order).It is as easy as
local_scope<int> fd(open("/tmp/x2", O_RDONLY), close);
and you can use fd afterwards like you'd normally use
your descriptor. If you need to return due to some
other error condition, the file is closed when the
scope is left.Other ressources like lock's etc could easily
be added by extending local_scope<>.
actually do :), depending on your style, you often run
into situations where you allocate some ressource like
fopen()ing some files or allocing memory and later
you realize some error-condition and you properly need
to fclose()/free() all the stuff in the right order
and depending on what was allocated yet.
This leads to a lot of copy-n-paste code and often
plain wrong code or even better security breaches :)
If you like C++, you can have a look here to avoid
all these problems.
You can register FILE pointers, file-descriptors or
memory regions to a local_scope<> template and it
automatically closes/releases ressources when you leave scope
(also in right order).It is as easy as
local_scope<int> fd(open("/tmp/x2", O_RDONLY), close);
and you can use fd afterwards like you'd normally use
your descriptor. If you need to return due to some
other error condition, the file is closed when the
scope is left.Other ressources like lock's etc could easily
be added by extending local_scope<>.
Friday, August 28, 2009
rewrote Port Shell Crypter
I rewrote PSC, a tool to upgrade plaintext and/or
sessions without a tty across networks (even via
multiple hops) to a full crypted pty based session.
It works by doing the handshake and crypto across
the terminal layer instead of using network calls. The whole
code does not need any networking functionality.
If you have a chained session from host A to D like
A -> B -> C -> D and before starting the session you start your
local psc tool on host A and as soon as on host D you start
the other endpoint, the full chain is encrypted and nobody
on B and C can see or modify what you are typing.
Evil administrators on intermediate hosts (B, C) might use
ptrace() or whatever to even sniff SSH sessions. Using psc,
this is not possible anymore.
First, I wanted to make some video (since it seems very hip
these days :) showing how a old gitweb exploit makes a full
pty crypto shell using psc so you could use 'mc' etc.
on it at the end. However, xvidcap has some lib requirements
which I cant give it on my machine yet without hours
of recompilation and so I thought I do the release old-school. :)
sessions without a tty across networks (even via
multiple hops) to a full crypted pty based session.
It works by doing the handshake and crypto across
the terminal layer instead of using network calls. The whole
code does not need any networking functionality.
If you have a chained session from host A to D like
A -> B -> C -> D and before starting the session you start your
local psc tool on host A and as soon as on host D you start
the other endpoint, the full chain is encrypted and nobody
on B and C can see or modify what you are typing.
Evil administrators on intermediate hosts (B, C) might use
ptrace() or whatever to even sniff SSH sessions. Using psc,
this is not possible anymore.
First, I wanted to make some video (since it seems very hip
these days :) showing how a old gitweb exploit makes a full
pty crypto shell using psc so you could use 'mc' etc.
on it at the end. However, xvidcap has some lib requirements
which I cant give it on my machine yet without hours
of recompilation and so I thought I do the release old-school. :)
Subscribe to:
Posts (Atom)
Posts
