Monday, December 22, 2008

SSHv2 trickery

Current SSHv2 implementations suffer from a 'vulnerability' that lets traffic analysis
match the incoming and outgoing connections of a box. If you use an SSH shell
on some box for anonymity before you SSH on to some other box, a global observer
can correlate the traffic at the end box and at the box in between to find out
who actually connected to the end box. By observing packet sizes
and the timing of the connection in particular, it is possible to see when something is typed
and how much output comes back. This works no matter how many
hops are in between, and in the end it reveals the originating IP address.
The SSHv2 specification was not really designed for anonymity or for measures against
advanced traffic analysis, even though it has SSH_MSG_IGNORE packets.
I wrote a patch that adds a constant delay and packet size to the connection, no matter
whether something is typed or how much is done on the connection.
You can find it here.
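To make the observer's job concrete, here is an added simulation (my own example code, not the patch linked above and not from the blog): an interactive session is modelled as one small packet per keystroke, a plain hop forwards each packet with the same size a little later, and the observer bins the bytes seen on both links and slides them against each other. With constant-rate, fixed-size cover traffic on the second link the egress bins are flat and the correlation collapses. All packet streams are constructed inside the code; the 100 ms bin width, the 100..110 ms hop latency, the keystroke spacing and the 10 ms / 64 byte cover rate are assumptions chosen for the demo.

```c
#include <stdio.h>

/* One observable packet: time on the wire (ms) and its size (bytes). */
typedef struct { int t; int size; } pkt_t;

#define DURATION_MS 60000
#define BIN_MS      100
#define NBINS       (DURATION_MS / BIN_MS)
#define MAX_PKTS    8192

/* Tiny deterministic PRNG (xorshift32) so the demo is reproducible. */
static unsigned int rng_next(unsigned int *s)
{
    unsigned int x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}
static int rng_range(unsigned int *s, int lo, int hi)   /* inclusive */
{
    return lo + (int)(rng_next(s) % (unsigned int)(hi - lo + 1));
}

/* Constructed interactive session: one 36-byte packet per keystroke, 50..400 ms apart. */
static int keystrokes(pkt_t *out, unsigned int seed)
{
    int n = 0, t = 0;
    while (n < MAX_PKTS) {
        t += rng_range(&seed, 50, 400);
        if (t >= DURATION_MS) break;
        out[n].t = t; out[n].size = 36; n++;
    }
    return n;
}

/* Far side of a plain hop: re-encrypted, but each packet leaves with the
 * same size 100..110 ms later (assumed latency and jitter). */
static int relay(const pkt_t *in, int n, pkt_t *out, unsigned int seed)
{
    for (int i = 0; i < n; i++) {
        out[i].t = in[i].t + 100 + rng_range(&seed, 0, 10);
        out[i].size = in[i].size;
    }
    return n;
}

/* Constant-rate cover: a 64-byte packet every 10 ms whether or not anything
 * was typed; real keystrokes would ride inside these cells. */
static int constant_rate(pkt_t *out)
{
    int n = 0;
    for (int t = 0; t < DURATION_MS && n < MAX_PKTS; t += 10, n++) {
        out[n].t = t; out[n].size = 64;
    }
    return n;
}

/* Observer's view of one link: bytes seen per 100 ms bin. */
static void bytes_per_bin(const pkt_t *p, int n, double *bins)
{
    for (int i = 0; i < NBINS; i++) bins[i] = 0.0;
    for (int i = 0; i < n; i++)
        if (p[i].t >= 0 && p[i].t < DURATION_MS) bins[p[i].t / BIN_MS] += p[i].size;
}

static double newton_sqrt(double v)          /* keeps the demo free of libm */
{
    double r = v > 1.0 ? v : 1.0;
    for (int i = 0; i < 60; i++) r = 0.5 * (r + v / r);
    return r;
}

static double pearson(const double *x, const double *y, int n)
{
    double mx = 0, my = 0, sxy = 0, sxx = 0, syy = 0;
    for (int i = 0; i < n; i++) { mx += x[i]; my += y[i]; }
    mx /= n; my /= n;
    for (int i = 0; i < n; i++) {
        sxy += (x[i] - mx) * (y[i] - my);
        sxx += (x[i] - mx) * (x[i] - mx);
        syy += (y[i] - my) * (y[i] - my);
    }
    if (sxx == 0.0 || syy == 0.0) return 0.0;   /* a flat stream matches nothing */
    return sxy / newton_sqrt(sxx * syy);
}

/* Slide egress bins 0..max_lag bins against ingress bins, keep the best r;
 * the winning lag is the hop latency the observer learns for free. */
static double best_correlation(const pkt_t *a, int na, const pkt_t *b, int nb,
                               int max_lag, int *best_lag)
{
    static double x[NBINS], y[NBINS];
    double best = 0.0;
    if (best_lag) *best_lag = 0;
    bytes_per_bin(a, na, x);
    bytes_per_bin(b, nb, y);
    for (int lag = 0; lag <= max_lag; lag++) {
        double r = pearson(x, y + lag, NBINS - lag);
        if (r > best) { best = r; if (best_lag) *best_lag = lag; }
    }
    return best;
}

double corr_plain_hop(int *lag)      /* keystrokes through a plain hop */
{
    static pkt_t in[MAX_PKTS], out[MAX_PKTS];
    int n = keystrokes(in, 12345u), m = relay(in, n, out, 777u);
    return best_correlation(in, n, out, m, 5, lag);
}
int plain_hop_lag(void) { int lag; corr_plain_hop(&lag); return lag; }

double corr_padded_hop(int *lag)     /* same keystrokes, hop emits cover only */
{
    static pkt_t in[MAX_PKTS], out[MAX_PKTS];
    int n = keystrokes(in, 12345u), m = constant_rate(out);
    return best_correlation(in, n, out, m, 5, lag);
}

int main(void)
{
    int lag;
    double r = corr_plain_hop(&lag);
    printf("plain hop : r=%.2f at lag %d bins\n", r, lag);
    r = corr_padded_hop(&lag);
    printf("padded hop: r=%.2f at lag %d bins\n", r, lag);
    return 0;
}
```

The plain hop correlates at lag 1 (one 100 ms bin, i.e. the assumed latency) with r close to 1, so a single hop buys nothing; the same math over the padded link returns 0 because every bin carries the same byte count. Note that padding only the sizes, or only the timing, leaves the other channel open; the cover stream has to fix both.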

Wednesday, October 22, 2008

PAM spam

About PAM, the cool Pluggable Authentication Modules common across
all major Linux dists.

I was recently involved in a project that used PAM to authenticate users via some
special kind of hardware. A note to developers and reviewers: keep in mind
that pam_syslog() and pam_prompt() expect a format string as an argument.
If you write your own log-wrapping code which itself expects format strings,
you still need to pass the resulting strings to these PAM functions via a "%s" format specifier!
Keep in mind that attackers may pass
strings like "%%s%%n" to the first (correct) format resolver, which opens a format string vulnerability
in the following incorrect calls, as it is shrunk to "%s%n".
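Added illustration of the wrapper bug above (my own example code, not from the project in question, and it uses no libpam at all): pam_like_sink() stands in for pam_syslog()/pam_prompt(). Like the real calls it takes a printf-style format, but instead of interpreting it (a hostile "%n" would write to memory) it records the format it was handed and counts the conversions a real interpreter would try to consume. log_unsafe() is the wrapper pattern the note warns about; log_safe() is the fix. The input strings are constructed for the demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char g_last_fmt[256];   /* what the "PAM" call was handed last */

/* Stand-in for pam_syslog()/pam_prompt(): counts the conversion specifiers
 * it would interpret, without executing them. */
static int pam_like_sink(const char *fmt, ...)
{
    int conversions = 0;
    snprintf(g_last_fmt, sizeof g_last_fmt, "%s", fmt);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent sign */
        conversions++;
    }
    return conversions;
}

const char *last_format_seen(void) { return g_last_fmt; }

/* One correct resolution step, as a wrapper's own vsnprintf() would do it.
 * Whatever survives this step is the string the next call receives. */
const char *resolve_once(const char *fmt, ...)
{
    static char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return buf;
}

/* Wrong: resolve our own format, then hand the RESULT over as a format. */
int log_unsafe(const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return pam_like_sink(buf);          /* BUG: buf is parsed as a format again */
}

/* Right: the PAM call gets a constant format; buf is only ever data. */
int log_safe(const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return pam_like_sink("%s", buf);
}

int main(void)
{
    const char *user = "%s%n";          /* constructed attacker-controlled name */
    printf("unsafe: %d conversions left for PAM, format = \"%s\"\n",
           log_unsafe("user %s failed", user), last_format_seen());
    printf("safe  : %d conversions left for PAM, format = \"%s\"\n",
           log_safe("user %s failed", user), last_format_seen());
    printf("\"%%%%s%%%%n\" after one resolution: \"%s\"\n", resolve_once("%%s%%n"));
    return 0;
}
```

The check to do in review is mechanical: every pam_syslog()/pam_prompt() call whose format argument is not a string literal needs a reason, and "it was already formatted once" is not one.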

Monday, October 13, 2008

Linus blogs!

It has once more been proved to me that blogs are, most of the time, not really
worth reading. Especially if they do not cover any technical or scientific details
(such as this posting :). Even weirder, a blog about family stuff and dogs,
which is about as interesting as an XSS attack inside cat. Really worth announcing at heise news.
Apparently even more worth it for people to reply with hundreds of comments to such postings.

Wednesday, August 13, 2008

postfix trickery

Eventually, after years of research, I was able to add postfix
to my personal list of the exceptional exploited programs (exexpro) }|-)

As of now, updates are already available. CVE-2008-2936 and CVE-2008-2937
have been assigned to this issue. My dear colleague Thomas will have sent an advisory out today
(writing this one day before the CRD).
So far, my exexpro list has grown to contain the following (random order):
Postfix, rsync, traceroute, modprobe/kernel, vixie crontab, suidperl, sudo, lpr, cups,
ppp, ippp, LIDS, hylafax, racoon, to name just the more popular ones. Some of them appear multiple
times, some of them only affected BSD systems. The OpenBSD team was kind enough to
offer me a poster for a local root exploit in ppp years ago. Additionally,
dozens of less popular programs appear on the list, such as
imwheel, kreatecd, dip, wmcdplay, various other K* programs etc. For all of them I wrote an exploit.
I am not able to provide exploits anymore due to the new law about this in Germany.
The exceptional exploited also contains weak implementations of secure protocols (SSL, SSH),
weak protocols themselves (CHAP) or absolutely uncommon exploits (see the last posting for instance).

Let's hope that I can continue the trickery list in the future and that the targets are smart and
popular. Only a minority of the issues have been overflow or related bugs, BTW.

I hope you enjoy non-XSS related issues :-)

Saturday, August 2, 2008

OpenSolaris remote root exploit

Just like the BSI was new in the LiveCD market segment, so is Sun!

If you boot the OpenSolaris CD with your network plugged in and a DHCP
server available (a very common setup today; every home user has DSL ...), remote
attackers can log into your machine with jack/jack and su to root with
opensolaris. What luck that remote root logins are disabled by the sshd running
during the installation procedure. It also has a nice banner which clearly distinguishes
it from the rest of the OpenSSH world.
Far worse than the BOSS BSI issue:
if you want to install OpenSolaris (and plenty of sysadmins will), the only
way is to boot the LiveCD and install it from there. You are owned before your installation procedure is finished!

So, somehow, we have a remote root exploit for a lot of data centers, I guess. And BTW,
if there is no DHCP server running at the university, attackers can feel free to set one up :-)

Besides that, I like the Open Source path which Sun is now walking, and Solaris
is still a very cute OS which kicks ass. But admins should really unplug
the network cable during installation. No kidding. If I got something wrong, feel
free to mail me and I will correct myself. I tested the 2008.05 image from their main download

Update: Sun Microsystems is already tracking this issue and will change the behavior with
the next live CD release.

Thursday, July 10, 2008

I notify ...

I wonder why it took so long to discover that DNS is vulnerable to a birthday attack :-)
A 16-bit ID in the DNS header never added any security and I doubt that source port randomization will.

Anyway... While I was hunting down some race conditions recently I remembered the
new inotify(2) system calls in recent Linux 2.6 kernels. Some of you might not be aware of
this, but it is an excellent way to win races. Besides that, you can rewrite tmp-watch to work
really reliably. While the tools up to then (including my own) needed to rescan directories to find out about changes,
which was error-prone and racy in itself, you can now watch the lifetime of a file from creation,
through chmod until closing. The short screenshot shows the basics.
You can download the small helper program here.
It is very interesting to watch mail and print spoolers with this program! :-)
If you find any exploitable tmp races using my program, feel free to credit and inotify me :-)
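An added example (my own code, not the helper program linked above) of what "watching the lifetime of a file" looks like with inotify: a watch on a directory delivers IN_CREATE, IN_ATTRIB (chmod), IN_MODIFY, IN_CLOSE_WRITE and IN_DELETE for every entry, each with the entry's name, so a race hunter can react at the exact step the spooler is vulnerable instead of polling. demo_lifecycle() walks one constructed spool-style temp file through those steps in a private directory and returns the OR of the events seen; run with a directory argument the program prints events for that directory as they happen. It assumes a Linux kernel with inotify and a writable /tmp.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define WATCH_MASK (IN_CREATE | IN_ATTRIB | IN_MODIFY | IN_CLOSE_WRITE | IN_DELETE)

/* Drain queued events from a non-blocking inotify fd and return the OR of
 * the masks reported for the directory entry called `name`. */
static unsigned int drain_events(int ifd, const char *name)
{
    char buf[8192] __attribute__((aligned(__alignof__(struct inotify_event))));
    unsigned int seen = 0;
    ssize_t len;

    while ((len = read(ifd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + len; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->len > 0 && strcmp(ev->name, name) == 0)
                seen |= ev->mask;
            p += sizeof *ev + ev->len;      /* events are variable length */
        }
    }
    return seen;
}

/* Follow one (constructed) spool file through create -> chmod -> write ->
 * close -> unlink in a fresh directory under /tmp; report the events seen. */
unsigned int demo_lifecycle(void)
{
    char dir[] = "/tmp/inotify-demo-XXXXXX";
    char path[512];
    unsigned int seen = 0;
    int ifd, wd, fd;

    if (mkdtemp(dir) == NULL) return 0;
    ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (ifd < 0) { rmdir(dir); return 0; }
    wd = inotify_add_watch(ifd, dir, WATCH_MASK);
    if (wd < 0) { close(ifd); rmdir(dir); return 0; }

    snprintf(path, sizeof path, "%s/spool.tmp", dir);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* IN_CREATE */
    if (fd >= 0) {
        fchmod(fd, 0644);                       /* IN_ATTRIB: the window a racer waits for */
        if (write(fd, "job\n", 4) != 4) perror("write");   /* IN_MODIFY */
        close(fd);                              /* IN_CLOSE_WRITE */
        seen |= drain_events(ifd, "spool.tmp");
        unlink(path);                           /* IN_DELETE */
        seen |= drain_events(ifd, "spool.tmp");
    }
    inotify_rm_watch(ifd, wd);
    close(ifd);
    rmdir(dir);
    return seen;
}

/* `./a.out /var/spool/foo` prints events for that directory as they occur;
 * without an argument it runs the self-contained demo. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        unsigned int m = demo_lifecycle();
        printf("demo: create=%d attrib=%d modify=%d close_write=%d delete=%d\n",
               !!(m & IN_CREATE), !!(m & IN_ATTRIB), !!(m & IN_MODIFY),
               !!(m & IN_CLOSE_WRITE), !!(m & IN_DELETE));
        return 0;
    }
    int ifd = inotify_init1(0);                 /* blocking reads this time */
    if (ifd < 0 || inotify_add_watch(ifd, argv[1], WATCH_MASK) < 0) {
        perror("inotify");
        return 1;
    }
    for (;;) {
        char buf[8192] __attribute__((aligned(__alignof__(struct inotify_event))));
        ssize_t len = read(ifd, buf, sizeof buf);
        if (len <= 0) break;
        for (char *p = buf; p < buf + len; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            printf("%08x %s\n", ev->mask, ev->len ? ev->name : "");
            p += sizeof *ev + ev->len;
        }
    }
    return 0;
}
```

The interesting events for a tmp race are the ones between IN_CREATE and IN_CLOSE_WRITE: a daemon that creates a file, chmods it and only then writes has handed an attacker a name and a mode before the contents exist, and inotify reports that gap with no polling at all. The queue is finite (see /proc/sys/fs/inotify/max_queued_events); a watcher that falls behind gets IN_Q_OVERFLOW, so it should not assume it saw every step.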

Monday, April 14, 2008

rsync xattr item_list heap overflow

Last week I discovered a classic integer wraparound which leads to a heap
overflow in rsync 3.0. A source patch can be found here.
We backported the xattr feature to some of our 2.6.9 and 2.6.8 versions.
Even though the code base is different there, the vulnerability exists there as well.
Updated packages will soon be available.

Tuesday, March 18, 2008

BOSS 2.0 LiveCD owned / Bundestrojaner entdeckt

The BOSS LiveCD (BSI OSS Security LiveCD) is a bootable Morphix Linux
distribution, basically with a nessus scanner and some other security tools.
It's distributed to administrators to check their network for vulnerabilities.
The aim is to make the network more secure.

However, there is a backdoor: if you boot this CD in your network it sets up
the network interface(s) via DHCP. It also starts an OpenSSH daemon and, guess what,
it has a DSA private key for the user 'slad' placed in slad's home directory. The passphrase
for this key is 'bosscd'. And... the root password to su to root after the ssh login
(root login via SSH is disabled) is also 'bosscd'.
One may argue that this is a LiveCD system and that this does not matter. Wrong! The laptop
you boot has a hard disk! And you are behind the firewall!

So, if you are responsible for your network, DO NOT BOOT THIS CD. You are subject to
immediate owning. It is very easy to scan whole class A networks for this DSA key
within a short period of time, so do not think that "just running it for half an hour" is short enough
for you to survive.

More info about the BOSS CD/Bundestrojaner here.

After I contacted the "Bundesamt für Sicherheit in der Informationstechnik" (BSI) they responded
and included a security notice about the LiveCD on their website. Although I do not think
that, due to the automatic WLAN setup during boot, a split testing environment is possible,
I recognize that they reacted within one day, which is very fast for a government agency.

Monday, February 18, 2008

Mono trickery

I always spot the best bugs while coding. While coding tjmd5 (see last posting) I ran across
an interesting mono feature. For each 'foo' C# file that it compiles it looks up ''
in the /usr, /usr/lib etc. directories and '' in the cwd. This can be abused to execute
arbitrary code while someone is just compiling a C# file. I am not sure about the impact, since
you can say that the dude is executing the .exe after compiling it anyway. Well.
Depending on the comments you all make I will decide whether this is something to tell Miguel :-)

Trapper John MD5

During hackweek in Nuremberg I lifted my C# skills and wrote an MD5-based filesystem
and web integrity checker from scratch. In .NET, from scratch means you plug a few classes
and API calls together and get a complex application in 100 lines :-)
C# is fun to code in nevertheless. Never heard again from tripwire, one of my faves
back in the 90's. You can download trapper john md5 here.

Wednesday, January 30, 2008


While reading planet security
to get updated about what ubercool bugz the scene is producing, I stumbled across the
fail blog. Definitely worth reading :-) Especially "wet squirrel" was funny after the
serious and hard work on vlock which I had a look at. "Satellite" shows that hardware engineers
experience the same problems with hardware as computer scientists do with software: it crashes all day long.
Heads up guys!

Tuesday, January 29, 2008

The evilness of setuid(getuid())

We recently had a discussion after a code review about whether a setuid(getuid()) inside a suid program, without error checking
and with program execution afterwards, should be fixed. A lot of people think that this can
never fail. getuid() indeed can never fail, but setuid() can. Let's put aside theoretical issues such
as a missing CAP_SETUID or signals and have a look at how the kernel executes a setuid()
in the first picture. CAP_SETUID should be fine, since we are talking about a setuid root program which is
executing setuid(getuid()). Obviously we can trigger an error return of EAGAIN if set_user() fails,
and set_user() is only called if the real UID is changed during the call. That can only happen if one of the set*uid() functions has already been called with a UID different from the one at program startup.
For instance, a setuid root program runs at startup with the real UID of the user and calls setuid(0)
in order to obtain full privileges. It then calls setuid(getuid()) to drop the privileges again.
How can this fail? Let's have a look at set_user() in the second picture. Obviously, if the
RLIMIT_NPROC limit is exceeded and we are not setuid'ing to root (which is the case here), then
an error is returned. Huh! Lowering limits is always allowed ;-)
The sample program in picture three demonstrates how a setuid root program dropping
its privileges in this way can be tricked into executing other programs as root.
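Since the pictures do not survive here, an added example of both sides (my own code, not the sample program from picture three). drop_privileges() is the checked version of the drop: every call is tested, and afterwards the process proves it cannot get root back. fill_nproc_and_exec() is the attacker's preparation as described above: lower RLIMIT_NPROC (always allowed), fork until the UID sits at its limit, lower the limit once more so that the target's own move back to the user's UID is the one that trips set_user(), then exec the target. It is not run by the demo and needs a real setuid-root target to mean anything. Later kernels have moved the RLIMIT_NPROC check between setuid() and execve() more than once, so the return value of setuid() has to be checked regardless of kernel version.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid and prove it worked. Returns 0 or the errno of the
 * failing call. A caller that ignores a non-zero result keeps running, and
 * keeps exec()ing, as root: that is the whole point of the post above. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Supplementary groups first; only root may clear them. */
        if (setgroups(0, NULL) != 0) return errno;
    }
    if (setgid(gid) != 0) return errno;

    /* The call the discussion is about. With euid 0 it changes the real UID
     * as well, which is exactly where set_user() may answer EAGAIN when the
     * target UID already sits at its RLIMIT_NPROC. */
    if (setuid(uid) != 0) return errno;

    /* Belt and braces: verify the drop instead of trusting it. */
    if (getuid() != uid || geteuid() != uid) return EPERM;
    if (getgid() != gid || getegid() != gid) return EPERM;
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return EPERM;                       /* saved UID was still 0 */
    return 0;
}

/* Attacker side, for illustration only (never called by the demo):
 * park the UID at its process limit, then run the setuid-root target. */
int fill_nproc_and_exec(const char *target, int nproc)
{
    struct rlimit rl = { (rlim_t)nproc, (rlim_t)nproc };
    if (setrlimit(RLIMIT_NPROC, &rl) != 0) return -1;   /* lowering: allowed */

    for (;;) {                                          /* fill the slots */
        pid_t pid = fork();
        if (pid == 0) { pause(); _exit(0); }
        if (pid < 0) break;                             /* EAGAIN: at the limit */
    }
    /* The target will do setuid(0) (moves it off our UID's count) and then
     * setuid(uid) (moves it back). Make sure that second move exceeds the
     * limit even though one slot was freed in between. */
    rl.rlim_cur = rl.rlim_max = 1;
    if (setrlimit(RLIMIT_NPROC, &rl) != 0) return -1;

    execl(target, target, (char *)NULL);
    return -1;                                          /* exec failed */
}

int main(void)
{
    int rc = drop_privileges(getuid(), getgid());
    if (rc != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(rc));
        return 1;                                       /* never exec anything here */
    }
    printf("running as uid %d / euid %d, cannot regain root\n",
           (int)getuid(), (int)geteuid());
    return 0;
}
```

Run unprivileged, the drop is a no-op that still passes every check; the value of the function is in the error path, which a setuid-root program must treat as fatal rather than continue to the exec.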

I apologize if you already knew this trick. I also apologize for the madness of this blog
editing program, which always places the pictures wherever it wants and drives me nuts.

Wednesday, January 23, 2008


In case you are tired of yet another unknown web browser vulnerability, you might
try firebox. This small script sets up a chroot environment for firefox, which then runs
unprivileged, has no access to suid files, /proc, /dev, /sys etc. and can only create files
inside a loopback mount; so possible exploits triggered from evil websites can't modify
your home directory or system files (as long as there's no kernel 0-day, of course :-).
Java, flash and all that sh** are not working yet, but that might even be an advantage.

Friday, January 11, 2008

Happy new year!

Although a little bit late, I wish every reader a happy new year!

The 24c3 event was great. I missed some old and well-known faces, but had an interesting evening
with an Italian, a French and a Dutch hacker at a steak house restaurant. Never made and heard so
many jokes about software. :-)

Even in the new year I am continuously asked by the famous hakin9 magazine
to write an article for them. There must be a rumor/confusion somewhere about my person -- I am not a hacker! :-)