Wednesday, April 21, 2010

Small fix for lophttpd

I uploaded a new version of lophttpd since it was
not properly decoding URL escapes (%2B etc.). Not
a security issue, but it was just ignoring escapes
completely %-D
Since the download stats for lophttpd are quite
impressive, I quickly added it. I already found the first
lophttpd banners in the wild. :)

The number of downloads is of course not as impressive
as for devshit. I think most people don't realize that
this is not an exploit that pops you up a rootshell. Instead
it sets up a portable HDD which, upon being plugged into a vulnerable
DeviceKit installation, creates a rootshell on the system.
IOW you need console access.
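The escape-decoding fix above is the kind of thing that is easy to get subtly wrong, so here is an added example (not lophttpd's code, written for this post) of a strict %XX decoder for the path part of a request line, with the checks a static-file server wants: truncated or non-hex escapes and an encoded NUL byte are rejected rather than passed through, `+` is left alone because it only means space in a query string, and the ".." check runs on the decoded path so that `%2e%2e` cannot slip past a check done on the raw bytes. Function names, the `scratch` buffer and all sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Scratch output buffer so callers can decode without allocating
 * (constructed for this example). */
char scratch[256];

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the %XX escapes of a URL *path* from `in` into `out`
 * (NUL-terminated, outlen bytes available including the terminator).
 * Returns the decoded length, or -1 when an escape is truncated ("%2"),
 * not hexadecimal ("%zz"), encodes a NUL byte ("%00", which would
 * silently truncate the path), or the output does not fit.
 * '+' is copied literally: it stands for a space only in query strings,
 * never in the path. */
int url_path_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (hi < 0 || lo < 0)
                return -1;
            c = hi * 16 + lo;
            if (c == 0)
                return -1;
            p += 2;
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* True if any '/'-separated segment of `path` is exactly "..". */
static int has_dotdot_segment(const char *path)
{
    const char *seg = path;
    for (;;) {
        const char *end = strchr(seg, '/');
        size_t len = end ? (size_t)(end - seg) : strlen(seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (end == NULL)
            return 0;
        seg = end + 1;
    }
}

/* Decode first, then inspect: a server that checks the raw request for
 * ".." but serves the decoded path would pass "%2e%2e" straight through.
 * Returns 1 when the decoded path is well-formed and contains no ".."
 * segment, leaving the decoded form in `out`. */
int decoded_path_is_safe(const char *raw, char *out, size_t outlen)
{
    if (url_path_decode(raw, out, outlen) < 0)
        return 0;
    return has_dotdot_segment(out) ? 0 : 1;
}
```

The decoder deliberately refuses rather than "repairs" malformed input: a request that cannot be decoded unambiguously should get a 400, because guessing is how two components of a server end up disagreeing about which file was asked for.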

Sunday, April 18, 2010

CVE-2010-0436 PoC

The fixes for CVE-2010-0436 were released last week,
so here comes the PoC. I wonder that nobody has done it
already, as it's an easier one. It's a classic symlink attack in KDM
with an additional "trick": the directory where the
vulnerability happens has to be, or has to be made,
owned by the user in order for it to work.
The vulnerability's in-depth description is here.
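For the defender's side of a bug of this class, here is an added example (not KDM's code or the PoC) of how a privileged process should create a file in a directory it does not fully control: open the directory itself with `O_NOFOLLOW` and keep the descriptor, refuse a directory that is not owned by the expected owner or that others can write to, create with `O_CREAT|O_EXCL` so that anything already sitting at that name (a symlink included) makes the call fail instead of being written through, and `fstat` the result before trusting it. The function names, the temp-directory self-check and its "state"/"victim" names are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Create `name` inside `dir` without ever following a symlink.
 * 1. Open the directory with O_NOFOLLOW and keep the fd, so every later
 *    step is relative to the directory we inspected, not a re-resolved path.
 * 2. Require the directory to be owned by `owner` and not group/world-
 *    writable unless the sticky bit is set; a directory the user can make
 *    their own is exactly what this class of bug relies on.
 * 3. Create with O_CREAT|O_EXCL: fails if anything, a dangling symlink
 *    included, already sits at that name, rather than writing through it.
 * 4. fstat the result and confirm it is a plain file owned by `owner`.
 * Returns an open fd on success, -1 otherwise. */
int create_file_nofollow(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    if (fstat(dfd, &st) < 0 || st.st_uid != owner ||
        ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & S_ISVTX))) {
        close(dfd);
        return -1;
    }
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check in a fresh temp directory (constructed scenario): a clean
 * create succeeds, a symlink planted at the same name is refused, and a
 * world-writable directory without the sticky bit is refused.
 * Returns 1 when all three behave as intended. */
int symlink_defence_self_check(void)
{
    char tmpl[] = "/tmp/nofollowXXXXXX";
    char link_path[300], target[300];
    int ok = 1, fd;

    if (mkdtemp(tmpl) == NULL)
        return 0;
    snprintf(link_path, sizeof link_path, "%s/state", tmpl);
    snprintf(target, sizeof target, "%s/victim", tmpl);

    fd = create_file_nofollow(tmpl, "state", getuid());   /* fresh: must succeed */
    if (fd < 0) ok = 0; else close(fd);
    unlink(link_path);

    if (symlink(target, link_path) == 0) {                /* planted link: must be refused */
        fd = create_file_nofollow(tmpl, "state", getuid());
        if (fd >= 0) { ok = 0; close(fd); }
        unlink(link_path);
    } else {
        ok = 0;
    }

    if (chmod(tmpl, 0777) == 0) {                         /* writable dir: must be refused */
        fd = create_file_nofollow(tmpl, "state", getuid());
        if (fd >= 0) { ok = 0; close(fd); unlink(link_path); }
        chmod(tmpl, 0700);
    }
    unlink(target);
    rmdir(tmpl);
    return ok;
}
```

The ownership check on the directory is the part that matters for the "trick" mentioned above: a process that only checks the file it is about to write, but accepts whatever directory it finds, has already lost the race.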

Tuesday, April 13, 2010

Released simple&fast webserver

I just released the lonely and poor httpd. It's not
RFC full-featured but was written as a study for
a single-threaded, high-speed HTTP server which
can handle tens of thousands of connections simultaneously.
It delivers static content and supports vhosts and autoindexing
on the fly. It doesn't need any config file and runs
as nobody in a chroot for maximum security :)
It avoids unnecessary userland/kernelland/socket-buffer copies
by using sendfile(2).
I tested it on Linux and FreeBSD. As long as your OS supports
sendfile(2), it should be easily portable.
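Since the whole point of a single-threaded server on sendfile(2) is never blocking on one client, the detail worth seeing is the send loop: sendfile may move fewer bytes than asked, EAGAIN on a non-blocking socket means "come back from the event loop later", and a descriptor pair the kernel refuses should fall back to a userland copy rather than fail the response. The following is an added example written for this post, not lophttpd's code; it assumes the Linux `sendfile(out_fd, in_fd, off, count)` signature (FreeBSD's differs), and the self-check sends into a pipe only because that needs no network.

```c
#define _GNU_SOURCE
#include <sys/sendfile.h>
#include <sys/types.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Push `count` bytes of `in_fd`, starting at *off, to `out_fd` with
 * sendfile(2). The kernel may move fewer bytes than requested (socket
 * buffer full, signal), so loop and let it advance *off. In a non-blocking
 * single-threaded server EAGAIN is not an error: return what was sent so
 * the event loop can resume from *off once the socket is writable again.
 * If the kernel will not sendfile between these descriptors (EINVAL or
 * ENOSYS), fall back to a plain pread/write copy so the response still
 * completes. Returns bytes transferred by this call, or -1 with errno set. */
ssize_t sendfile_all(int out_fd, int in_fd, off_t *off, size_t count)
{
    size_t done = 0;
    char buf[8192];

    while (done < count) {
        ssize_t n = sendfile(out_fd, in_fd, off, count - done);
        if (n > 0) {
            done += (size_t)n;
            continue;
        }
        if (n == 0)                   /* file shorter than announced */
            break;
        if (errno == EINTR)
            continue;
        if (errno == EAGAIN)          /* socket full: caller resumes later */
            break;
        if (errno != EINVAL && errno != ENOSYS)
            return -1;

        /* fallback path: one chunk through userland */
        size_t want = count - done < sizeof buf ? count - done : sizeof buf;
        ssize_t r = pread(in_fd, buf, want, *off);
        if (r < 0)
            return -1;
        if (r == 0)
            break;
        ssize_t w = write(out_fd, buf, (size_t)r);
        if (w < 0) {
            if (errno == EAGAIN)
                break;
            return -1;
        }
        *off += w;
        done += (size_t)w;
    }
    return (ssize_t)done;
}

/* Self-check with constructed data: write a small body to an unlinked temp
 * file and sendfile it into a pipe (Linux accepts a non-socket out_fd),
 * then read the pipe back and compare. Returns 1 on a byte-exact round trip
 * with *off advanced to the end of the body. */
int sendfile_self_check(void)
{
    static const char body[] = "constructed sample body for the sendfile loop\n";
    const size_t len = sizeof body - 1;
    char tmpl[] = "/tmp/sendfileXXXXXX";
    char got[128];
    int in_fd, p[2];
    off_t off = 0;
    ssize_t sent, n;

    in_fd = mkstemp(tmpl);
    if (in_fd < 0)
        return 0;
    unlink(tmpl);
    if (write(in_fd, body, len) != (ssize_t)len || pipe(p) < 0) {
        close(in_fd);
        return 0;
    }
    sent = sendfile_all(p[1], in_fd, &off, len);
    close(p[1]);
    n = read(p[0], got, sizeof got);
    close(p[0]);
    close(in_fd);
    return sent == (ssize_t)len && off == (off_t)len &&
           n == (ssize_t)len && memcmp(got, body, len) == 0;
}
```

In a real server the per-connection state keeps `off` and the remaining byte count across calls, so a client that reads slowly costs one descriptor and a few bytes of bookkeeping, not a blocked thread.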