Monday, December 12, 2016

IPv6 spoofing trickery

Tales of spoofing on BSD based kernels (actually Darwin).

Although OSX setups should mostly be targets of spoofed
packets, there are times when you need to spoof IPv6 packets
from a OSX box.
Unlike with IPv4, there is no such thing as a IP_HDRINCL
socket option that lets you pass arbitrary IP headers
to raw sockets. In fact, there are RFCs on the subject
(RFC3542 and RFC 3493) and the authors put a lot of effort
to specify on how certain flags and details may be modified,
but the end of the story is that, in this way or another,
its not possible to have a handy library function to
generically send a spoofed IPv6 packet on a raw socket on OSX.

man 4 ip6 says:
"Note: Since the checksum is always calculated by the kernel for an ICMPv6 socket, applications are not able to generate ICMPv6 packets with incorrect checksums (presumably for testing purposes) using this API."

I like the presumably for testing purposes part most.
So I had to eventually switch to packet sockets for
my UDP6 sample of libusi++. Its a bit more work to
set it up initially, but after that all the get/set
of source addresses etc. work as expected.

Thanks to the inject function of libpcap, thats easy
enough.Its probably not worth the effort to handle all the
socket options or ancillary data for raw IPv6 sockets just to 
achieve a goal that at the end still has some header-parts un-modifiable.
I did not test it on OpenBSD or FreeBSD, but the manpage
reads more or less the same, so I expect the same problem
exists there too.

Thursday, August 18, 2016

cross-domain ECDH trickery

Once again, opmsg is ahead of the curve, by introducing
what I will call cross-domain ECDH kex.

The idea behind it is straight forward and obvious,
so that I wouldn't claim to be the first who invented it.
Digging the interweb a bit, didnt show quick results,
so I named it cross-domain ECDH without walking to the
library to do more in-depth research about someone else
having different names for it. If there is, feel free
to point me to it.

ECDH is a neat way to do your Key Exchange (Kex). It has
small footprint in speed and size. Its even fast enough
to be done multiple times in a row, without the user really
noticing a slowdown. The drawback of ECDH is that the so called
domain parameters for the curves are chosen by an entity
that you have to trust. Trust by means of: Nobody in the
committee responsible for choosing the parameters would
introduce so called Nobody-But-Us (NOBUS) bits, that
would weaken the resulting ECDH Kex secret.

There are different ways to put trust into the domain
parameters, like using some kind of sane and "well-known"
seedings and algorithms to generate "reproducable" parameters
(like Brainpool is doing). Other curve designers don't mind about
it at all and resemble eat-or-die mentality. This leads
to some kind of flame-war and bashing between the different
cults of ECC evangelists. Nobody knows anything about the NOBUS,
but everyone believes the opposite curve has backdoored parameters.

opmsg puts an end to this war, by allowing users to
specify more than one curve to do the Kex with. Up
to three curves may be specified. The master secret is derived
from the multiple distinct ECDH Kex's which are made. The idea is that in case there are NOBUS backdoors - even within every single curve -
the different backdooring parties would not work together
and share their NOBUS knowledge to each other. They wont
share their knowledge, because a potential NOBUS inside
a NIST curve would be the holy grail that they are never
ever show to someone else, and in particular not to the
party who, lets say, put their NOBUS into the GOST curves.

So, even if each curve that you chose to do your ECDH Kex
would be weak, the overall cross-domain ECDH Kex is secure.
As long as you really choose your curves cross-domain, e.g.
not three of the NIST curves in a row.

This feature is experimental. Please refer to the chapter
in the README which explains the particular config options.
If you are not in this curve flame war, you don't need to
change anything at all. Its all in the compatibility-mix
and you can just as work as before, if you prefer.

Thursday, July 7, 2016

opcoin trickery

A new tool (opcoin) has been added to opmsg's contrib directory,
which allows to convert bitcoin keys to opmsg personas.
You may find convertable public BTC keys in any
BTC (P2PKH) transaction. So you just go to your favorite
blockchain website and search for an address that you know
belongs to a certain person and import their pubkey(s).
The calculated BTC address (match) ensures that its really
the key you want to import and will since then appear
as the personas name inside opmsg keystore.

Voila! Suddenly opmsg became the crypto system with the largest
keybase world wide! One more benefit: you can ensure that a
dedicated persona name is in possession of a private key,
by authenticating them via micro transactions.

Read more details here. 

Thursday, June 23, 2016

Lets feed attacker input to "sh -c", to see what he's doing

This week I published a PoC for CVE-2016-4989 , which is
yet another local root exploit for setroubleshoot, working
out of the box on CentOS/RHEL 6.6, 6.7, 6.8, 7.0 and 7.1.

The underlying vulnerability and exploitation strategy
is very similar to CVE-2015-1815. So the writeup inside
the git almost entirely applies, except that the PoC
may be executed via remote shells (ssh) and that it is
using a helper binary in order to get a SELinux domain
confinement for an unconfined user, triggering the bug
inside setroubleshoot. To my knowledge this is a novel
approach. Its also new that straight-shooter may be
used as a Docker breakout, if run inside a container,
which has running setroubleshoot running on the host.

Out of personal interest: If you like exploits - either
professional, or as a hobby - and demand for
freedom of speech or freedom of expression, try your best
to lobby against the Wassenaar regulation of exploits. The
Wassenaar regulation of exploits is just a vehicle (sold to
you as a privacy win) to cover backdoors and criminalize
bug finding. Any serious exploit coder and researcher I know
is arguing against Wassenaar, and so should you.

Friday, May 6, 2016

opmsg chacha20-poly1305 trickery...

... and a lot of hassle checking out the new OpenSSL 1.1.0 API 

Support for chacha20-poly1305 stream cipher with AAD (poly1305)
thats causing erection to so many cryptographers recently
has been added to opmsg.Its only available to > OpenSSL 1.1.0,
so be sure your peer is also using it when you send
op messages like that.

The more tricky part is the new API that comes with
OpenSSL 1.1.0. Despite fixing a lot of issues in their
TLS implementation, the OpenSSL project still seems to
have enough time breaking their own API by:

1. Making structures opaquewhich means you cant longer
   declare EVP_MD_CTX and other types on the stack. So you are
   forced to use EVP_MD_CTX_create()/EVP_MD_CTX_destroy()
   since the type is forward declared now.

2. At the same time, removing the EVP_MD_CTX_destroy()
   function and adding _new()/_free() functions which do
   the same (!).

3. Declaring macros for EVP_MD_CTX_destroy(xxx) (with braces!)
   so that unique_ptr<> deleters eventually also break.
   1-3. alltogether make sure that no matter how you declared
   your variables, the OpenSSL team decided to throw your
   code to trash.

4. As if this isnt enough, EVP_PKEY_type() has been removed,
   even if its usage has been encouraged by various code
   examples in their manpage.

So OpenSSL decided to open a wiki to track the amount of
open source projects they offended by causing quite good
amount of time thats needed to rework the code.
Theres definitely more to be added there in future.

Nevertheless, opmsg is now OpenSSL 1.1.0 ready and still
works fine with lower versions and LibreSSL.

If its possible for you, you should consider switching to
LibreSSL , as everything is more smooth and straight there.
(But I think LibreSSL project should also offer https:// :)

Thursday, April 28, 2016

opmux := (opmsg|gpg) trickery

Whenever you are tempted to type gpg, you should type
opmux since now().
I recently pushed opmux to the git that allows for easy
use of opmsg and gpg in parallel and to seamless integrate
into your MUA by just pointing the gpg-path to the opmux
binary and adding keyid-format long to your gpg config

Since then, opmux will transparently choose the right
binary for decryption, based on message markers used
by either world. On encryption, in whatever world the
key-id is found, it is passed along to it. If no key-id
is found, both pubkey databases are shown so the user
can select one. Be sure to nevertheless have a look
at the opmux part of the file.

Here are some Enigmail screenshots on sending, decryption
and debug console:

Tuesday, March 8, 2016

ZeroCopy sshttp

This time we trick sshttp into utilizing the
splice(2) syscall to achieve zero-copy of the
network data thats muxed across the sockets.

If you want to give it a try, pull sshttp git 
and checkout the splice branch. Everything else
goes the same.

Using splice() instead of read()/write() inside
the core loop has a performance benefit. In the ideal
case (SPLICE_F_MOVE is honored by kernel), instead
of copying megabytes of data, the PTE's inside the kernel
are just set up to point to the internal pipe buffers.

sshttp may still run at 100% CPU (which is perfectly OK
when downloading huge files) but has more throughput at the
same time. Below is a screenshot of a parallel download
of a 5MB file (per 30 http clients) and a strace showing
the splicing thats happening inside, which is basically
a poll/splice loop.

Friday, January 29, 2016

packet trickery

Refactored my libusipp packet framework's receiving
functions (sending will be optimized later) to:

o Reflect new libpcap API, in particular things
  changed about selectable fd's and immediate mode.
  It works best if you just pull & build libpcap,
  as most distros and OSX may have outdated libpcaps
  installed (you will notice by missing symbols)

o refactoring sniffpack() functions to not longer rely
  on dynamically allocated memory but using fix buffers
  and offsets to handle incoming packets (much) faster.
  The new[]/delete[] memory allocation was a hangover from
  the 90's when I initially didn't build it with QUANTUM in mind.

o Implementing RX classes for string and fd receiving (tuntap

o Adding support to allow sniffing from file:// devices
  to debug via wireshark packet captures later on.

o support QoS data on wifi links

Some things in libpcap still suck, for instance the timeout
function doesn't accept stuct timeval and cannot be called once
a capture handle has been activated. This forces me to
keep my own timeout functionality which is sub-optimal.

As usual, be warned about API changes in libusi++: I add/change
whatever I feel is needed there. API stability is not my
main goal.

Happy QUANTUM your IoT! :p