Sunday, May 30, 2010
I just published version 0.81 of lophttpd
to fix a potential access of unmapped memory areas
when large directories are autoindexed. Some other things
have been fixed too (see the Changelog).
Thanks to Alexander Hagenah for reporting the autoindex
issue. If you experience any bugs, performance drops
or the like, please let me know.
Wednesday, May 26, 2010
CONFIG_UNIX_MONITOR=y
I dug into the depths of network packet handling, softirqs
and packet queues and hacked up a patch for the
2.6.34 kernel so that PF_PACKET can be applied to
PF_UNIX sockets.
The goal is to have a unix interface one day which you
can pass to pcap_create(), wireshark or tcpdump.
With e.g. a DBUS dissector you can then monitor
the application-level IPC to find the more unknown
bugs :-)
The hard part now is to get this patch upstream,
so that it is available on a standard Linux distro
the same way you'd monitor your network traffic.
Wednesday, April 21, 2010
Small fix for lophttpd
I uploaded a new version of lophttpd since it was
not properly decoding URL escapes (%2B etc). Not
a security issue, but it was just ignoring escapes
completely %-D
Since the download stats for lophttpd are quite
impressive, I quickly added it. I already found the first
lophttpd banners in the wild. :)
The amount of downloads is of course not as impressive
as for devshit. I think most people don't realize that
this is not an exploit that pops you a rootshell. Instead
it sets up a portable HDD which, upon plugging it into a vulnerable
DeviceKit installation, creates a rootshell on the system.
IOW you need console access.
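The escape handling the fix above is about is easy to get subtly wrong, so here is an added example (my own code, not lophttpd's) of a strict percent-decoder in C. It rejects truncated escapes such as "%2", non-hex escapes, decoded NUL bytes and output that would not fit, and it decodes exactly once so that a double-encoded "%252e" cannot later turn into ".". The function name and buffer sizes are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode %XX escapes from src into dst (dstlen bytes, including the
 * terminating NUL). Returns the decoded length, or -1 if the input is
 * malformed (truncated or non-hex escape), decodes to a NUL byte, or
 * does not fit. Decode a request path exactly once: running this again
 * on its own output would turn "%252e" into "." (double decoding).
 */
int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '%') {
            /* check src[i+1] first so a trailing "%" never reads past the NUL */
            if (src[i + 1] == '\0' || src[i + 2] == '\0') return -1;  /* truncated "%2" */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return -1;   /* "%zz" is not an escape */
            c = (unsigned char)((hi << 4) | lo);
            if (c == 0) return -1;             /* "%00" would truncate the path later */
            i += 2;
        }
        if (o + 1 >= dstlen) return -1;        /* no room for the byte plus NUL */
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "a%2Bb", "%2e%2E/etc", "abc%2", "%zz", "%00" };
    char out[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = url_decode(samples[i], out, sizeof out);
        printf("%-12s -> %s\n", samples[i], n < 0 ? "rejected" : out);
    }
    return 0;
}
```

Decoding is only the first step: the decoded result still has to be checked for ".." components against the document root (the chroot in lophttpd is the backstop, not the primary check).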
Sunday, April 18, 2010
CVE-2010-0436 PoC
The fixes for CVE-2010-0436 were released last week,
so here comes the PoC. I wonder why nobody has done it yet,
as it's an easier one. It's a classic symlink attack in KDM
with an additional "trick": the directory where the
vulnerability happens has to be (made) owned by the user
in order for it to work.
The vulnerability's in-depth description is here.
Tuesday, April 13, 2010
Released simple&fast webserver
I just released the lonely and poor httpd. It's not
RFC full-featured but was written as a study for
a single-threaded, high-speed HTTP server which
can handle tens of thousands of connections simultaneously.
It delivers static content, supports vhosts and autoindexing
on the fly. It doesn't need any config file and runs
as nobody in a chroot for maximum security :)
It avoids unnecessary userland/kernelland/socket-buffer copies
by using sendfile(2).
I tested it on Linux and FreeBSD. As long as your OS supports
sendfile(2), it should be easily portable.
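As an added illustration of the two properties mentioned above (chroot + unprivileged user, and sendfile(2) instead of read/write copies), here is my own C sketch, not lophttpd's code. It uses the Linux sendfile(2) signature (FreeBSD's differs), handles short sends and EINTR, and drops privileges in the order that matters: resolve the user while /etc/passwd is still visible, chdir+chroot as root, then groups, gid, uid, and finally verify that root cannot be regained. Function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sendfile.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Enter a chroot and drop to an unprivileged user. Must be called as
 * root. Returns 0 on success, -1 (with errno set) on failure.
 */
int jail_and_drop(const char *root, const char *user)
{
    struct passwd *pw = getpwnam(user);      /* before chroot: needs /etc/passwd */
    if (!pw) { errno = ENOENT; return -1; }
    if (chdir(root) < 0 || chroot(root) < 0) return -1;
    if (chdir("/") < 0) return -1;           /* don't keep a cwd outside the jail */
    if (setgroups(0, NULL) < 0) return -1;   /* drop supplementary groups first */
    if (setgid(pw->pw_gid) < 0) return -1;   /* gid before uid, or setgid fails */
    if (setuid(pw->pw_uid) < 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }  /* must not be able to come back */
    return 0;
}

/*
 * Send the whole regular file at path to out_fd with sendfile(2),
 * without copying it through userland. Handles short sends, EINTR and
 * EAGAIN. Returns the number of bytes sent, or -1 with errno set.
 */
ssize_t send_whole_file(int out_fd, const char *path)
{
    int in_fd = open(path, O_RDONLY);
    if (in_fd < 0) return -1;
    struct stat st;
    if (fstat(in_fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(in_fd);                        /* directories, devices etc. are refused */
        errno = EINVAL;
        return -1;
    }
    off_t off = 0;
    while (off < st.st_size) {
        ssize_t n = sendfile(out_fd, in_fd, &off, (size_t)(st.st_size - off));
        if (n < 0) {
            if (errno == EINTR || errno == EAGAIN) continue;  /* a real server would poll() here */
            close(in_fd);
            return -1;
        }
        if (n == 0) break;                   /* file shrank underneath us */
    }
    close(in_fd);
    return (ssize_t)off;
}

int main(void)
{
    /* constructed demo: serve a temp file into one end of a socketpair */
    char tmpl[] = "/tmp/sendfile_demo_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return 1;
    const char body[] = "hello, sendfile\n";
    if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1)) return 1;
    close(fd);
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    ssize_t sent = send_whole_file(sv[0], tmpl);
    char buf[64];
    ssize_t got = read(sv[1], buf, sizeof buf - 1);
    printf("sent %zd bytes, peer read %zd bytes\n", sent, got);
    unlink(tmpl);
    return 0;
}
```

jail_and_drop() is not exercised by the demo because it needs root; the sendfile loop is what a non-root test can check end to end.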
Friday, March 12, 2010
Playing with URL shortening
URLs cannot only be shortened; they can also be expanded.
Since a lot of people are using URL shortening services,
it was fun to reverse some randomly generated URLs.
Basically, you find people's browser history including
session IDs etc. Not a big deal, but I think it could
be used to build some surf statistics and other nice
info gathering.
The script can be found here.
Please be careful not to hammer the servers; that's
actually why a sleep() was introduced!
Thursday, February 18, 2010
New injectso -- Debian proof
The new injectso comes with a new technique to find the
address of the needed rtld function. Some systems (Debian based)
make /proc/pid/maps unavailable by default, which the
former injectso needed to work properly.
It now also works via /proc/pid/auxv, reading AT_BASE
and calculating from it where the rtld functions can be found.
The nm method is also still included for systems where
libc exports symbol names.
The /proc/pid/auxv method has only been tested on x86_64
but should work on x86 too.
Additionally, I am officially sorry for the coding style
of injectso before v0.51. All the exploit coding makes for a
terrible style and I will drop that for a while.
The code has been cleaned up and is now readable and
something to learn from.
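For readers who want to see what the auxv route looks like, here is an added example of my own (not injectso's code) that parses an auxv file and returns AT_BASE, the load address of the dynamic linker. It reads the calling process's own /proc/self/auxv and cross-checks against getauxval(3), which is the same vector ld.so prints with LD_SHOW_AUXV=1. The ElfW() macro from <link.h> picks the 32- or 64-bit entry layout for the build, which is why the same code should serve x86 and x86_64. Function names are mine.

```c
#include <elf.h>
#include <link.h>       /* ElfW(auxv_t): Elf32_auxv_t or Elf64_auxv_t for this build */
#include <stdio.h>
#include <stdlib.h>
#include <sys/auxv.h>   /* getauxval(3), glibc >= 2.16 */
#include <unistd.h>

/*
 * Read an auxiliary vector file (e.g. "/proc/self/auxv") and return the
 * value of the requested AT_* entry, or 0 if it is absent or the file
 * cannot be read. For AT_BASE this is the base address at which the
 * kernel mapped the program interpreter (rtld); it is 0 for static
 * binaries, which have no interpreter.
 */
unsigned long auxv_lookup(const char *path, unsigned long type)
{
    FILE *f = fopen(path, "rb");
    if (!f) return 0;   /* e.g. /proc not mounted or not permitted */
    ElfW(auxv_t) entry;
    unsigned long val = 0;
    while (fread(&entry, sizeof entry, 1, f) == 1) {
        if (entry.a_type == AT_NULL) break;           /* end of vector */
        if (entry.a_type == type) { val = entry.a_un.a_val; break; }
    }
    fclose(f);
    return val;
}

/* Cross-check the file parser against libc's view of the same vector. */
int auxv_matches_libc(void)
{
    return auxv_lookup("/proc/self/auxv", AT_BASE)   == getauxval(AT_BASE)
        && auxv_lookup("/proc/self/auxv", AT_PAGESZ) == getauxval(AT_PAGESZ)
        && auxv_lookup("/proc/self/auxv", AT_PHDR)   == getauxval(AT_PHDR);
}

int main(void)
{
    printf("AT_BASE (rtld load address): 0x%lx\n",
           auxv_lookup("/proc/self/auxv", AT_BASE));
    printf("AT_PAGESZ: %lu\n", auxv_lookup("/proc/self/auxv", AT_PAGESZ));
    printf("parser agrees with getauxval(): %s\n", auxv_matches_libc() ? "yes" : "no");
    return 0;
}
```

On the defensive side this is also the reason hiding /proc/pid/maps alone buys little: the interpreter base is available from several places, and restricting ptrace scope (Yama) or cross-process /proc access is the control that actually matters.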
Friday, February 5, 2010
Runtime hot-patching processes w/o ptrace
I am a fan of achieving the same result with multiple, different
solutions/implementations. In computer science (and security
in particular) this leads to real benefit and a cutting edge,
because if you have more ways to do it, you are not limited
or bound to techniques that may change, evolve or be
hardened/dropped completely. One such example is the injectso
I recently published. It uses ptrace(), but if you think
removing ptrace() from the kernel is a plus, have a look
at lasso. It does the same thing without using ptrace().
There is more than one way to Milano. 8-)
Wednesday, December 23, 2009
Thoughts on companion worms
I wrote a paper almost a year ago now and since it has been
reviewed by a lot of skilled people including, but not limited
to, anti-virus researchers, it's time to make it public.
It's about a special kind of worm and vulnerabilities
which are commonly under-hyped, like CVE-2008-2383, which
most people would probably only recognize as local, if at all.
You can find the paper here.
Enjoy reading it, if you feel that X-mess is coming :)
This is most likely the last posting for this year, so
I wish you a merry X-mas and a happy new year. You can find me
at the 26C3 in Berlin this year, if everything goes straight.
Monday, November 30, 2009
Always check return value!
A nice bug inside the FreeBSD runtime linker has been
reported here.
It was good that I hashed my previous exploit
(discovered some months ago) in my twitter message
from November 5th:
md5 4b1717926ed0d4823622011625fb1824 sha1 6871fd05efbddf7eea4447f7bfdc1c9a45979fe3
Since a public exploit is now available anyway,
I also make my version public and you can check the
hashes to prove it.
I have a strange feeling that this re-discovery comes now,
since I talked to some people regarding BSD bugs lately.
Nevertheless I know kingcope is a skilled reviewer and
it was not the first time he had BSD as a target.