Friday, May 19, 2017

KDE trickery

I published my writeup about CVE-2017-8422 and CVE-2017-8849,
including the PoC for smb4k.

Note that this helper is most likely not installed by
default on KDE systems. However, other helpers which are
installed by default are affected too, such as kcm_systemd, which
could be leveraged to overwrite arbitrary files.

The most complicated thing about the PoC was to set up
a proper Qt/KDE 4/5 build environment; so I decided to
just use dbus-send with a binary blob instead, rather
than creating my own QVariantMap.



Thursday, May 4, 2017

OpenSSL constant hell





Last week, someone opened a bug for opmsg, saying it
won't compile with recent versions of gcc.
I am happy that I've been notified about it, since it shows
people are using opmsg. The "bug" however is not within
opmsg; it's about the way OpenSSL changes their function
definitions (breaking the API!) between minor versions
of OpenSSL.

What exactly happened?

In the screendump above you see two functions, constp() and
constpp(). They will serve as an easy, stripped-down demo.

With constp(), the const char * declaration
by the programmer is more like a promise to the caller
that the data ptr points to will not be written to;
this is different when the type changes to a double
pointer. You can pass char * variables to constp() without
any problem, because constp() just promises not to modify
the pointee data. It would be allowed to do so for char *
variables, but it confines itself to this promise, which
is good practice to show the user of the API: "Hey, we
won't modify your data as you pass it to us."
There are no problems if you change a foo(char *)
declaration to a foo(const char *), because the latter declaration
just promises more to you, and you lose nothing by foo()
making additional promises to you.
The takeaway is: you can pass a char * variable to a
function that wants a const char *. Both foo()
variants accept the same argument. You can see
this by the compiler accepting the call to constp()
for a char * variable.

That's different when a double pointer is involved, as
with the constpp() function. Here you have to pass
a const char **, because otherwise the pointer value itself could
be assigned a char * through which const objects could be modified.
This would violate the const correctness of the program
and make the const keyword meaningless. That's why the foo(char **)
and foo(const char **) arguments are really different types.
In other words, you can't just add a const keyword to
double pointer function arguments as you can
with single pointers. You end up with entirely different
function signatures.

Now, guess what OpenSSL has done with the

DH_get0_key(const DH *dh, BIGNUM **pub_key, BIGNUM **priv_key);

and

RSA_get0_key(const RSA *r, BIGNUM **n, BIGNUM **e, BIGNUM **d);

functions? They "just" added a const to the BIGNUM
double pointers somewhere after the 1.1.0 version
had already introduced a new API. That's a warning for
C11 programs (one that you should not ignore), but even
worse, as you can see in the demo above, it's an error for
C++11 programs.

So, I had to add wrapper functions for the functions
in question, which call the right functions depending
on the OpenSSL version.


If you want to read more about the double pointer
const topic, it's described here.




Thursday, April 20, 2017

drops and free trial

My google-cloud free-trial account will run out soon, so the
bootstrap IP address in the drops README will end up
being non-responsive soon. I am not sure which cloud
provider I will use in future, so I am not signing up
for premium there yet. I am quite happy there with regard to stability
and the overall setup; it's merely a matter of pricing.

I plan to write some fancy ncurses GUI frontend for drops,
so one can read and write drops messages in mutt-style,
but that can take a while. (I need less ShadowLeaker 90's 0day
that reminds me of old times and more joy starting to learn
ncurses.) Until then, someone else has to spend free bonus coins
of his cloud provider to set up drops bootstrap nodes (and
thanks to that anon french guy running that 78* node :)

Wednesday, March 29, 2017

New git signing keys

My previous git signing key expired, so I uploaded a new one. 

I didn't sign all of my github repos with it yet,
but I took the opportunity to polish my optimized dd
repo, adding a useful help and making it fully usable
under the GPLv3.

If you don't do so already, consider signing your
external git repos. It's painless and you will thank me later
in case your external repos get fucked with.



Thursday, February 23, 2017

sshttp SNI proxy trickery




The sshttp protocol muxer has been updated to support
SNI muxing. When muxing SSH/HTTPS, the ClientHello message
of the TLS handshake may contain an SNI, which is parsed by
sshttpd and can be routed to an alternative port (rather than to the regular https port specified with -H).
This is of particular interest with the drops p2p network,
as it is using TLS with the SNI of drops.v2.
This way you can hide sshd and drops behind your https server.
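As an added illustration that is not sshttp's own code: a minimal ClientHello SNI extractor and the mux decision it feeds, run on a constructed ClientHello. sni_of(), route(), make_hello() and the port numbers are assumptions for the demo, not sshttpd's interface.

```cpp
#include <cstdint>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;

// Extract the host_name from a TLS ClientHello record; "" if absent or malformed.
std::string sni_of(const Bytes &b) {
    auto u16 = [&](size_t i) { return size_t(b[i]) << 8 | b[i + 1]; };
    if (b.size() < 44 || b[0] != 0x16 || b[5] != 0x01) return "";  // handshake record, ClientHello
    size_t i = 43;                        // record hdr 5 + hs hdr 4 + version 2 + random 32
    i += 1 + b[i];                        // session id
    if (i + 2 > b.size()) return "";
    i += 2 + u16(i);                      // cipher suites
    if (i >= b.size()) return "";
    i += 1 + b[i];                        // compression methods
    if (i + 2 > b.size()) return "";
    size_t end = i + 2 + u16(i);          // end of the extensions block
    if (end > b.size()) return "";
    for (i += 2; i + 4 <= end; ) {
        size_t type = u16(i), len = u16(i + 2); i += 4;
        if (i + len > end) return "";
        if (type == 0 && len >= 5 && b[i + 2] == 0) {      // server_name, entry type host_name
            size_t n = u16(i + 3);
            if (5 + n <= len) return std::string(b.begin() + i + 5, b.begin() + i + 5 + n);
        }
        i += len;
    }
    return "";
}

// Mux decision on the first bytes a client sends: SSH banner -> ssh port, TLS with the
// matching SNI -> alternative port, any other TLS -> the regular https port (-H).
int route(const Bytes &first, int ssh_port, int https_port, const std::string &alt_sni, int alt_port) {
    if (first.size() >= 4 && std::string(first.begin(), first.begin() + 4) == "SSH-") return ssh_port;
    return sni_of(first) == alt_sni ? alt_port : https_port;
}

// Constructed minimal ClientHello carrying one server_name extension (host < 200 bytes).
Bytes make_hello(const std::string &host) {
    uint8_t n = uint8_t(host.size());
    Bytes h = {0x16, 3, 1, 0, 0, 0x01, 0, 0, 0, 3, 3};      // record + handshake hdr, lengths patched below
    h.insert(h.end(), size_t(32), uint8_t(0xab));           // random
    h.push_back(0);                                         // empty session id
    h.insert(h.end(), {0, 2, 0x13, 0x01, 1, 0});            // one cipher suite, null compression
    h.insert(h.end(), {0, uint8_t(9 + n), 0, 0, 0, uint8_t(5 + n), 0, uint8_t(3 + n), 0, 0, n});
    h.insert(h.end(), host.begin(), host.end());
    size_t hl = h.size() - 9, rl = h.size() - 5;
    h[7] = uint8_t(hl >> 8); h[8] = uint8_t(hl); h[3] = uint8_t(rl >> 8); h[4] = uint8_t(rl);
    return h;
}
```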


Friday, February 3, 2017

Drops trickery

In the past months I have been working on a project
for a distributed p2p messaging platform, featuring
the opmsg format. opmsg is usually attached to emails.
Emails however leave metadata traces such as email addresses and
header content. Not so with drops, which is ready for testing!

As it's a p2p network, it lives from participating people.
So even when you don't use opmsg yourself, you can set up
a drops node so the network gets more distributed and
stable.

It's now in beta testing, and some features such as
sandboxing are still missing.

Don't be worried by the spartan README; it will get
updated and there will also be a document describing
the technical details.