The story of the Linux kernel 3.x…

In 2005 everybody was exited about possibility of bypass ASLR on all Linux 2.6 kernels because of the new concept called VDSO (Virtual Dynamic Shared Object). More information about this story can be found at the following link:


In short, VDSO was mmap’ed by the kernel in the user space memory always at the same fixed address. Because of that well-known technique ret-to-libc (or as some ppl prefer ROP) was possible and effective to bypass existing security mitigation in the system.

First of August 2011 was the date when I decided to publish advisory about vulnerability in OpenSSH  daemon. If someone read carefully advisory he will discover this bug was found in 2008. It took me quite a long time to publish details about vulnerability. I did it from a few reasons; at first I didn’t have a time to analyse details and bug was promising (pre-authentication). In this case advisory will never be public. Problem exists in GSSAPI module (native in OpenSSH source code). I checked many packages in many systems and it seems this method of authentication (gssapi-with-mic) is enabled by default in most of them. Everything was looking very promising 😉 After some months I returned to that problem and discovered that vulnerability is _EXACTLY_ after authentication (one call) so (un)fortunately this is post-authentication bug. Next I tried to find some other way to exploit it. Again I was starting to be busy and drop this project. Because of that finally I published the advisory maybe someone else is interesting to play with that. More information can be found here and here 🙂

I haven’t been posting on this blog for a while. It doesn’t mean I’m not doing research – I’m just not a big fan of releasing anything and most of my work stays private. Anyway because Apache released new version of their Http Server one of my research was burned. New version of Apache fixes remote code execution vulnerability in default instalation! This vulnerability is quite old and have been exploited in the wild for last 5 years 🙂

This vulnerability is fixed and no longer be 0day I decided to publish exploit code for this bug. How is it work? Find below:

Today I’ve received strange mail:

— CUT —
Date: Thu, 01 Sep 2011 09:11:00 +0200
From: gayroobaoll <>


— CUT —

As we can see, there is no subject, mail include link to someone’s facebook profile and has got only one Polish world (yes, this is attack for the Polish ppl). “Chcesz” means “Do you want”. Strange, dosn’t it? Mail was send from the Polish portal ( – free mails.

OK 😉 Let’s check this profile…







Long time ago, far away after mountains and forests was living OpenSSH bug… 😉 This vulnerability existed in the authentication algorithm for GSSAPI module. Every piece of the code pinted to the pre-authentication bug…

Seriously, after a few time of research (un)fortunately this bug is directly after REAL authentication. So this is post-auth bug 🙁 One call less and this will be funny pre-authentication bug… This is the reason why this bug is useless in fact and public now 😉

Here is simple advisory 😉



by pi3

Finally! 19 of July 2011 I had defence of my Master of Degree. I pass exam from whole study at mark 5.5 (the highest mark) and defence my thesis with mark 5.5 (the highest mark) and on the diploma I’m going to have final mark 5.0 (almost the highest mark ;)). My thesis was interesting not only for me but also for my University and they want to send it to the contest 😉 My topic was: “Elaboration of an automatic system of fuzz testing technique to use in the CERN grid applications”. To be honest now I have very powerful fuzzer ;>



by pi3

I had a long delay in posting on the blog… Several reasons made this situation:

*) When I came back from CERN to my family city I had only a few days to move to the city where I’m studying (~650 km from my family city)

*) I need to bought a car because of moving my staff to another city  (I love Toyota RAV4 – the best cars from the 2000-2005 years, unbreakable! :>)

*) I’m also studying a pedagogic

*) I had A LOT OF exams – in the both faculties ~20 exams – finally I pass everything ! 🙂



by pi3

27 września odbyla sie konferencja SecDay 2010, na ktorej mimalem przyjemnosc wyglaszac swoja prelekcje “Linux vs rootkits”. Mozna ja sciagnac tutaj.

Moje wrazenia po konferencji sa pozytywne. W tym roku Lukasz postawil na Politechnike Wroclawska, na ktorej odbywaly sie wyklady. Byla to konferencja jednodniowa, ale za to za free 😉 Wystarczylo sie wczesniej zarejestrowac. Na swoim wykladzie naliczylem okolo 140 osob, wiec nie bylo zle 😉



by pi3

Today (27.07.2010) I’m going to the hospital (Hospital de la Tour) for surgery… I don’t know how long I’m going to stay in the hospital after the surgery and when I will be available… Wish me good luck!

Best regards,

Adam Zabrocki

In co-operation with Maksymilian Arciemowicz we were analysing implementation of  OPIE Authentication System on FreeBSD. The result is discovered off-by-one vulnerability in library ‘libopie’. The most interesting point of this vulnerability is a possibility to exploit it pre-auth remotely!

A lot of softwares using this library for authentication module. For example FreeBSD team change a little the source of  the OpenSSH. They added in some places the code which use the libopie 😉 The same changed code is used by DragnoflyBSD. OpenSuSe is using libopie too. Novell systems too.

We’ve analysed exploiting way in default FTP daemon for FreeBSD 8.0. Official FreeBSD’s advisory is available here.