Thursday, December 30, 2010

Zygote trickery -- 743C 27C3 release

The Gingerbread source has recently been released and
a root vulnerability has been fixed inside the
zygote/dalvik framework (if you dont know what it is,
call it a framework). I hoped that this exploit would
still work on Gingerbread, but since the bug is too
similar to the adb issue it has been fixed as well.
Thus, this only affects android phones < 2.3 but
it also works without debugging being enabled e.g.
from inside an evil app.


As always: the code is AS IS.
If you use it, it may crash your
device and makes it totally useless, SO YOU USE IT AT YOUR OWN RISK! THERE IS NO GUARANTEE
THAT IT WILL WORK AT ALL.


If you dont know what jailbreaking is about, dont do it anyways.
Once executed it should create a /system/bin/rootshell or
+s /system/bin/sh.


The apk can be found here. Nevermind the simple GUI,
it was pasted together from various sample/demo programs
just to make it easier to have an activity to start
for zygote.


And fear my publishing skillz! :D



Thursday, December 16, 2010

The bootdisk and the rootdisk

The recent discussion at the pub was of course about
the bits and bytes but this time with view on historical
facts. Someone remembers the bootdisk and the rootdisk?
When it was not possible to boot from CD-ROM it was
necessary to dd a bootdisk and a rootdisk image to floppy
disks. After a few installs, one of them was always fscked.
So why were we using Linux at all? Wasn't it a funny time
with TurboPascal at school? Or even better with BorlandC++
which I got hands on in '94 or so on a low-price
(b/c outdated-)version. For a price of just 80 DM
which was still high enough at that time one also got the incredible TurboDebugger and there the fun starts.






While I am not going to explain for what reason exactly
TurboDebugger was cool (I know the even more cool guys
used SoftIce :) it showed you the hard way why
RealMode really sucked in particular if there is a ProtectedMode
since years. So isnt there any good OS utilizing that?
Whats this "Linux" ...?




Monday, December 6, 2010

Gingerbread

If someone already has got a Gingerbread and wants to
save the world, let me know.

Monday, November 15, 2010

Happy Birthday to .no

Special greetings and congratulations to Uschluh today
where the one and only root is celebrating his BD.
May be the force with you to withstand all evil of life
in whatever shape it will appear: users, bosses, women,
burning switches or Fedora 14.
You've got the power. Looking forward to a new Gewaltmarsch. :)





Monday, November 1, 2010

New sshttp feature trickery

sshttp is now able to hide SSH inside HTTPS as well.
SSH behind HTTP was possible before, and so was HTTPS,
but now it is "official" :)
You cannot mix HTTP and HTTPS in the same instance,
but you can run multiple sshttpd's.
I also added multicore support (basically the same
as for lophttpd, see earlier postings) AND support
for Linux capabilities. It runs as nobody in a chroot now
and only keeps CAP_NET_ADMIN and CAP_NET_BIND_SERVICE.

Saturday, October 30, 2010

Multicore support for lophttpd

lophttpd (in version 0.86), which is my private research
project for high performance web servers, now comes
with support for multiple cores (Linux only for now).
Unless specified otherwise, one thread per CPU core sleeps
in a accept() loop. Increasing load of the cores will then
result in more and more connections passed to the accept()
sleeping on yet unused cores.
This works since the kernel wakeup's all threads sleeping
in the accept() but only one will actually get the
connection (all others get EAGAIN).
In OS engineering this is known as the thundering herd problem
if you have thousands of processes woken up at once.
However this does not apply here since the number of cores
is small compared to what would "thunder a herd".
So basically we take the good parts of that "problem" but do not
run into the problem itself.


If it turns out to work well, I will also add multicore
support to sshttp. And it is by far more fun to code it
than the OS classes at university discovering scheduling theoretically.

Saturday, October 16, 2010

Death of a great mathematican

I just read that the great Mathematican BenoĆ®t Mandelbrot
died on Oct 14th.
His Mandelbrot-set fractales were one reason for me to start programming back in the days. Beside its beauty its likely
that all your mobile internet wont work without fractales
since (almost all?) antennas inside small wifi/GSM/UMTS
are self-similar to have maximum gain/space ratio. A lot of other technical and scientific
equipment would be NULL without that too, and I bet the
distribution signature of self replicating code also has to
be self-similar if it wants to be optimal. :-)



Monday, October 11, 2010

New sshttp available

I switched the I/O engine inside sshttpd from blocking to
non-blocking sockets. Blocking I/O is by far easier,
but disappearing IPs could hang all other connections.
This should be fixed now.
Non-blocking socket state engines are really worth
a PhD thesis. :-)
Anything else is as before, just setup nf-setup
and run sshttpd.
Available for download here.

Friday, October 8, 2010

Hiding a sshd inside a httpd trickery

If you always asked yourself how you could run both a sshd and
an apache (or a lophttpd!) on the same TCP port 80
without patching any client or server software and still
getting always the right service, you should
have a look at sshttp.

Saturday, September 18, 2010

743C mails

Every now and then I check my 7-4-3-C mailbox and I was quite surprised that in the days
quite a lot of mails arrived. Please dont take it as arrogance if I am not answering, unless there are specific questions regarding
license or such.
The amount of mail is just too much and most of them do not
contain really urgent/important questions.
So please accept this post as a reply. Thanks for
the mails and the offers you made.
Continuing 743C does not depend on the amount of donations
(which has been asked for) since it was not meant to
be a commercial success-project. Nevertheless thanks to the people who did a donation.
To those familar with 4-digit hex numbers, I had to name it
743C for a certain reason. I am not dead, I am just focusing
on different projects to stay sharp. :-)

Friday, September 10, 2010

updated crypto tools available

I submitted new versions of crash and psc mainly
to honor even more strict GCC behavior.
A lot of my own tools dont build anymore because of some
tricky type conversion which I always thought would be
plain ANSI. Well.
It seems to me that type conversion is not a possible
thing anymore today.
GCC folks told me to use memcpy() instead of *(int *)&buf[0] = 0x73;
Time to fix.

Saturday, August 28, 2010

Please hold the line!



Sure. I always did!
If you are on top, you should stop. The 743C project is past.


There is not much we can achieve from now on anyways. More
or less all the robots are belong to us. There is not much chance
that a device or brand cannot be owned with any of
the 743C exploits recently published. Even devices which
are not yet available on the market (epic) can be
rooted with these (src now included). If there are any
devices where the exploit doesnt work -- just let them live.


Personally, I will return to server&network security again
as well as HPC/HA. There will be no more 743C exploits in future.
Every now and then, I will have a look at android, since
- after all - it is a nice OS and there are a lot of things
I am eager to learn from it.


The 743C project was a short, but funny one. I want to thank
all the people involved with it; who discussed issues with
me as well as the folks who wrote all the tutorials and
hints or sent feedback.Thanks to the six people who
were actually PayPaling me :-)


Last but not least, I am very proud that 743C was hosted
by the Openwall Project.
They provided us with stable, secure and reliable hosting.
Without reliable hosting, everything is nothing.





Saturday, August 21, 2010

Droid2

A beta version of a new softbreak is available here.
If it works out it is made publically available.
The l/p is beta/beta.


[Update:]
It has been confirmed that the exploit is working on the
backflip and evo too. Thats not surprising,I always
said it will work on the backflip :D
I just wonder what all these timing discussions are about.
The exploit is doing everything alone by itself,
you do not need to "exit" or kill the adb session.
Just execute it and wait until connection is reset by
exploit. Then adb kill-server; adb shell -> #
Thats not too complicated.





Tuesday, July 27, 2010

Jailbreaking legalized in terms of Y^HDMCA

Apparently the EFF was able to relax some conditions of the DMCA.
Thanks to them it is now legal to jailbreak your phone.
Thats great news! :) Of course that only expresses what
sounds like human digital rights anyway: to own what you own.
As a nice coincidence I was meeting some of them two weeks ago
at a developers conference.


Small side-notice: 743C is still accepting device-donations.
If you have an android >= 2.0 device (preferably newer ones
like DroidX, Milestone, Backflip, Hero, Desire etc.)
that you dont need anymore
please leave me a comment with your contact address.
I dont need the GSM part (e.g. no SIM). I run most of
the stuff inside emulator, but certain things need
a real device as seen with /etc/firmware
or the additional software that is installed by the
vendor/carrier.
It would help to develop jailbreaks in future.


Some people uploaded videos of jailbreaks, using 734C
exploits like this or that.

Friday, July 23, 2010

exploid works on the Droid X

It has been reported that apperently someone was
able to compile and run the exploid on the oh
so unbreakable Droid X.
There seem to be devices with missing /etc/firmware which
is needed as an exploit vector. However there are other
possibilities to exploit this init-bug. But its not the
scope of 743C to provide working versions for every device.
Please note that this is a non-commercial spare-time project
and I even do not own any device for testing.


If the firmware subsystem doesnt work (it requires /etc/firmware
so an additional path traversal bug can be exploited too),
one may also try the usb, graphics, block, char, sound or mtd
subsystem to create mode 0666 devices or to exploit
a race condition during the device-creat
to chown /dev/mtd. It should be
possible, however I dont have time to do so :)

Saturday, June 26, 2010

Fixing large file truncation in lophttpd

I dont want this to become a webserver blog, but I just fixed
a bug which lead to truncation of  large files (e.g. >1Gig)
while downloading. Stupid bug by using %d rather than %zu.
Its available at the usual location (version 0.85). 

Thanks to the one and only Nico for reporting. Your mad
scientists can now continue to download the star collision avi's.

Thursday, June 24, 2010

New lophttpd version supports faster logging

As announced in my previous post; the new lophttpd
package supports mmap and aio based logging now,
if enabled via -L mmap or -L aio .

Tuesday, June 8, 2010

Looking for lophttpd testbeds

I am looking for heavy loaded sites which serve static
content (e.g. banners, pictures,  iso's etc.) to test
my http server software and to help it to improve.
I added  some experimental features recently
which will be released soon and mainly consit of
various log providers to overcome possible bottlenecks
during logging.
If you have  thousands requests/sec, writing out logs 
can become an issue and I added support for AIO and
mmaped-backed buffers.

If you are interested, drop me an email or a comment.I am
BTW also looking for donations of mobile devices
to continue my Android and WebOS research. :)

Sunday, May 30, 2010

New lophttpd packges fixes some issues

I just published version 0.81 of lophttpd
to fix potential access of not mapped memory areas
if large directories are autoindexed. Some other things
has been fixed too (see Changelog).


Thanks to Alexander Hagenah for reporting the autoindex
issue.If you experiance any bugs or performance drops
or alike, please let me know.
 

Wednesday, May 26, 2010

CONFIG_UNIX_MONITOR=y

I digged into the depth of network packet handling, softirq's
and packet queues and hacked down a patch for the
2.6.34 kernel so that PF_PACKET can be applied to
PF_UNIX sockets.
The goal is to have a unix interface one day which you
can pass to pcap_create() and  wireshark or tcpdump.
With a e.g. DBUS dissector you can then monitor 
the application level IPC to find the more unknown
bugs :-)
The hard part now is to get this patch upstream,
so that it is available on a standard Linux distro
the same way you'd monitor your network traffic.

Wednesday, April 21, 2010

Small fix for lophttpd

I uploaded a new version of lophttpd since it was
not properly decoding URL escapes (%2B etc). Not
a security issue, but it was just ignoring escapes
completely %-D
Since the download stats for lophttpd are quite
impressive, I quickly added it. I already found the first
lophttpd banners in the wild. :)

The amount of download is of course not as impressive
as for devshit. I think most people don't realize that
this is not an exploit that pops you up a rootshell.Instead
it sets up a portable HDD which, upon plugin into a vulnerable
DeviceKit installation, creates a rootshell on the system.
IOW you need console access.

Sunday, April 18, 2010

CVE-2010-0436 PoC


The fixes for the CVE-2010-0436 have been released last week,
so comes the PoC. I wonder nobody has already done it yet,
as its an easier one. Its a classic symlink attack in KDM
with an additional "trick" that requires to keep the
directory where the vulnerability happens has to be/made
owned by the user in order to work.
The vulnerabilities in-depth description is here.

Tuesday, April 13, 2010

Released simple&fast webserver

I just released the lonely and poor httpd. Its not
RFC full-featured but was written as a study for
a single-threaded, high-speed HTTP server which
can handle tens of thousands connections simultaneously.
It delivers static content, supports vhosts and autoindexing
on the fly. It doesnt need any config-file and runs
as nobody in a chroot for maximum security :)
It avoids unnecessary userland/kernelland/socket-buffer copies
by using sendfile(2)
I tested it on Linux and FreeBSD. As long as your OS supports
sendfile(2), it should be easily portable. 

Friday, March 12, 2010

Playing with URL shortening

URLs cannot only be shortened. They also can be expanded.
Since  a lot of  pople are using URL shortening services,
it was funny to reverse some randomly generated URLs.
Basically, you find peoples browser history including
session ID's etc. Not a big deal, but I think it could
be used to build some surf statistics and other nice
info gathering.
The script can be found here
Please be carefull not to hammer the servers; thats
actually why a sleep() was intriduced!

Thursday, February 18, 2010

New injectso -- Debian proof

The new injectso comes with a new technique to find the
address of the needed rtld function. Some systems (Debian based)
make /proc/pid/maps unavailable by default which
former injectso needed to work properly.
It now also works via /proc/pid/auxv to read AT_BASE
and to calculate where rtld functions can be found.
The nm method is also still included for systems where
libc exports symbol names.
The /proc/pid/auxv method has only been tested on x86_64
but should work on x86 too.


Additionally, I am officially sorry for the coding style
of injectso before v0.51. All the exploit coding makes a
terrible style and I will drop that for a while.
The code has been cleaned up and is now readable and
something to learn from.

Friday, February 5, 2010

Runtime hot-patching processes w/o ptrace

I am a fan of achieving the same result with multiple, different,
solutions/implementations. In computer science (and security
in particular) this leads to real benefit and cutting edge
because if you have more ways to do it, you are not limited
or bound to techniques that may change, evolve or are
hardened/dropped completely. One such example is the injectso
I recently published. It uses ptrace(), but if you think
removing ptrace() from the kernel is a plus, have a look
at lasso. It does the same thing without using ptrace().


There is more than one way to Milano. 8-)