Tuesday, November 29, 2011

me hubbing and gitting on github

As of today you can also find me on github.
I am testing how good or bad it performs for my own projects.
For now, I made lophttpd a public repo where you can
watch the development process.
My openwall site and other places where I used to put code
stay the same and I will continue to upload .tgz files.

Friday, November 25, 2011


In this' blog survey "Do you like surveys?", too many people voted that I am an idiot, rather than they dislike surveys (less amount 
than people who like surveys though) so I do it like middle east
dictatorship: I just cancel it :P

Tuesday, November 8, 2011

openpam trickery

While reviewing an entirely different server side component
of some code, I came across a funny vulnerability inside
OpenPAM (note that this is different from Linux-PAM)
as used in FreeBSD or Solaris. Yet, I only tested it on
a FreeBSD 8.1 machine. The bug is that a program,
namely kcheckpass, which is suid to root, is calling
pam_start() with a user provided argument which makes
the PAM stack parse user owned
config files which ends in loading of user
provided DSO's. WTF?!

Interestingly, OpenPAM recently introduced a filter for
the service name via


commit but I dont think that any BSD or so vendor is
aware of it.

A really trivial PoC exploit can be found here.

[Update:] Solaris is not using OpenPAM (at least the OpenSolaris
version I checked), but I could not find code that strips
off certain character sequences. As the PAM setup is different
from the /etc/pam.d we know it is possible that there are no
consequences if the service argument is not filtered.
However a lot of BSD derivates
use OpenPAM and OSX as well. The question is whether one can
find a vector different than the kcheckpass which is usually
found with all KDE3 and KDE4 installs.
If you can confirm vulnerability on any Solaris or non-FreeBSD
machine, please let me know. Also if you found out how OSX
can be exploited this way.

Thursday, November 3, 2011

Fun with git-upload-pack

The android git was recently moved so I was eager to check
out the new sources. But I always got a 403! What was wrong?
Looking into some forums showed that lots of folks seems to
have the same problems so I post this in the hope that it
saves other developers some hours of debugging. At the end it seems
just to be an issue about the git version or git setup.
I cloned a repo with a clean, new machine and compared the
HTTP stream with what I got from a working box to find
out why some checkouts worked and some dont. Heres is the
old git pull:

and here is the new one with the diff marked green:

Somewhat surprising since according to the download page
git 1.6.4 should just be fine.
Now everything works smoothly. Not a very technical issue indeed,
but tracking down strange issues helps to stay keen. More than
just searching the web for a solution.