21 Jul, by pi3

Finally! On 19 July 2011 I had the defence of my Master's degree. I passed the exam covering the whole course of study with a mark of 5.5 (the highest mark) and defended my thesis with a mark of 5.5 (the highest mark), and on the diploma I'm going to have a final mark of 5.0 (almost the highest mark ;)). My thesis was interesting not only for me but also for my University, and they want to send it to a contest 😉 My topic was: "Elaboration of an automatic system of fuzz testing technique to use in the CERN grid applications". To be honest, I now have a very powerful fuzzer ;>

At the beginning of March I moved to Switzerland for the second time (because of my work at CERN). Before that I was working in the security team of the Wroclaw Centre for Networking and Supercomputing. In the middle of one pentesting job, my friends (Bartek Balcerek and Maciej Kotowicz) and I discovered a very nice vulnerability in the TORQUE server.

TORQUE (Terascale Open-Source Resource and Queue Manager) is very common in GRID projects, including the GRID at the European Organization for Nuclear Research, aka CERN 🙂 By using this bug an attacker is able to create a dirty job and put it in the queue, and the server responsible for executing this job will be hacked. This is a very dangerous situation for the infrastructure: in the easiest case nobody else will be able to use the GRID resources. In the worst case we are able to take over control of the edge machine, which can manipulate any other machine; of course the server is running with root privileges 😉

Here is the advisory on the full-disclosure list.

Here is a backup on my server.

 

Best regards,

Adam Zabrocki

 

17 Nov, by pi3

Finally! After a few months of waiting we've got Phrack number 67! For me this is a special release. Why? My article was accepted by the Phrack staff and published in this release 🙂 I'm proud of that 😉 For me Phrack magazine is a legend. I grew up on this magazine, so my connection with it is even stronger 😉

First I would like to thank blackb1rd. He helped me very much with this article. Without blackb1rd, this article would never exist in the form it has now. You've got a beer from me whenever we meet 😉

OK. So what about this release? Personally I think this is a very good release. There are many interesting articles (for me). I love the trick of exploiting user space vulnerabilities in the years of Non Executable Memory, ASLR, SSP, … and other shit 😉 There is Heap, there are Format Strings, and of course stack (my article), there is …. ah 😉

Among the news, the 'loopback' chapter comes back 😉 The full table of contents is:

 0x01  Introduction ....................................... Phrack Staff
 0x02  Phrack Prophile on punk ............................ Phrack Staff
 0x03  Phrack World News .................................. EL ZILCHO
 0x04  Loopback (is back) ................................. Phrack Staff
 0x05  How to make it in Prison ........................... TAp
 0x06  Kernel instrumentation using kprobes ............... ElfMaster
 0x07  ProFTPD with mod_sql pre-authentication ............ FelineMenace
 0x08  The House Of Lore: Reloaded ........................ blackngel
 0x09  A Eulogy for Format Strings ........................ Captain Planet
 0x0a  Dynamic Program Analysis and Software Exploitation . BSDaemon
 0x0b  Exploiting memory corruptions in Fortran programs .. Magma
       under UNIX/VMS
 0x0c  PHRACKERZ: Two Tales ............................... Antipeace
                                                                &
                                                            The Analog Kid
 0x0d  Scraps of notes on remote stack overflow ........... pi3
       exploitation
 0x0e  Notes Concerning the Security, Design and .......... The Philosopher
       Administration of Siemens DCO-CS Digital
       Switching Systems
 0x0f  Hacking the mind for fun and profit ................ lvxferis
 0x10  International Scenes ............................... various

The content alone looks very interesting, so what is inside? 🙂 Go and read! Go Go GO!!! 🙂

Btw. As you can see, my article is:

Scraps of notes on remote stack overflow

available here, with a backup on my site here.

Btw2. I'm waiting for feedback 😉


Best regards,

Adam Zabrocki

18 Mar, by pi3

One day I was reviewing all the bugs in the Bugtraq IDs (the popular BIDs). I wanted to know which kinds of bugs are popular now and what the trend in modern bugs is. I came to two main conclusions:

1) The most popular are SQL/XSS bugs, but in 60% of cases they are found in software which nobody knows/uses (stupid kiddie stuff)

2) It's 2010 and it is still possible to find stack overflow bugs! The funniest thing for me is that there are more remote stack overflow bugs than local ones 🙂

Stack overflow bugs are one of the oldest classes of software bugs which still exist: more or less 10% of all bugs! Of course it isn't 199x any more, when you could find them with a regular expression in 'grep'. So what is the conclusion? Exploiting stack overflow bugs is still interesting from the attacker's point of view. The question is: "Is it still possible to exploit this class of bugs in modern UNIX systems in 2010?" The answer to this question isn't simple. Let's do a simple review of modern defence systems. We've got:

*) Non-exec memory (not only the stack: almost every region where it is NOT necessary)
*) W^X ("Write XOR Exec") memory: it forbids memory with the Write and Exec bits set at the same time.
*) AAAS (ASCII Armored Address Space)
*) ASLR (Address Space Layout Randomization)
*) mmap() and mprotect() protections
*) Heap protections, like safe-unlink() and a safe malloc() implementation (OpenBSD)
*) ProPolice protection (SSP), which combines:
   *) a random canary of death
   *) frame pointer protection by the canary of death
   *) moving all pointers to the beginning of the frame
   *) moving all local byte arrays to the end of the frame
   *) copying vulnerable arguments to local variables and then reordering them
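To make the first items of that list concrete from the defender's side, here is an added Python example (my addition, not code from pi3's post or from any of the projects mentioned). It parses the program header table of an ELF64 image to report whether the stack is non-executable (a PT_GNU_STACK entry without the PF_X bit), whether any PT_LOAD segment violates W^X by being both writable and executable, and whether the image is position-independent (ET_DYN), which is what allows ASLR to randomize the main binary. It builds two constructed sample images instead of reading a real file so that it runs offline; check_file() applies the same check to a binary on disk. Stack canaries (SSP) are not visible in the program headers, so this check does not cover them.

```python
"""Report NX-stack, W^X and PIE status of an ELF64 little-endian image.
Added example using only the standard library; the sample images built by
build_sample_elf() are constructed here and are not real binaries."""
import struct

# ELF constants from the ELF64 specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def parse_program_headers(data):
    """Return (e_type, list of program headers) for an ELF64 LE image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not an ELF64 image")
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum) = struct.unpack_from("<HHIQQQIHHH", data, 16)
    headers = []
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr,
        # p_filesz, p_memsz, p_align
        p_type, p_flags, _off, p_vaddr, _paddr, _filesz, p_memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        headers.append({"type": p_type, "flags": p_flags,
                        "vaddr": p_vaddr, "memsz": p_memsz})
    return e_type, headers


def check_mitigations(data):
    """Map mitigation name -> bool for the given ELF64 image bytes."""
    e_type, phdrs = parse_program_headers(data)
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    # A missing PT_GNU_STACK entry makes the Linux loader fall back to an
    # executable stack on most configurations, so it counts as "no NX".
    nx_stack = bool(stack) and not (stack[0]["flags"] & PF_X)
    wx_segments = [p for p in phdrs if p["type"] == PT_LOAD
                   and (p["flags"] & (PF_W | PF_X)) == (PF_W | PF_X)]
    return {"nx_stack": nx_stack,
            "w_xor_x": not wx_segments,
            "pie": e_type == ET_DYN}


def check_file(path):
    """Run the same check on a binary on disk."""
    with open(path, "rb") as fh:
        return check_mitigations(fh.read())


def build_sample_elf(exec_stack, wx_data, pie):
    """Constructed minimal ELF64 image: one text segment, one data segment
    and a GNU_STACK header, with the weaknesses selected by the flags."""
    phdrs = [
        (PT_LOAD, PF_R | PF_X, 0x1000, 0x1000),
        (PT_LOAD, PF_R | PF_W | (PF_X if wx_data else 0), 0x2000, 0x1000),
        (PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0),
    ]
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, OSABI 0, padding
    ehdr = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1,
                        0x1000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, va, va, sz, sz, 0x1000)
                    for t, f, va, sz in phdrs)
    return ehdr + body


if __name__ == "__main__":
    samples = {"hardened": build_sample_elf(False, False, True),
               "legacy": build_sample_elf(True, True, False)}
    for name, image in samples.items():
        print(name, check_mitigations(image))
```

The "hardened" sample reports all three as True and the "legacy" one all three as False; pointing check_file() at a 64-bit Linux binary gives the same report for a real image (32-bit images raise ValueError, since only the ELF64 layout is parsed here).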

We can bypass most of these protections, but only when they aren't combined. Is there any possibility of exploiting REMOTE stack overflow bugs in modern UNIX systems with ALL of these protections enabled?! It sounds crazy… but we STILL CAN DO IT 🙂 I wrote a simple server with a remote stack overflow bug and EXPLOITED it. The Proof of Concept is of course private, but I made a movie of the exploitation. You can find it here:

http://site.pi3.com.pl/priv/bypass-all-protections.flv

It's 2010 and we can still exploit remote stack overflow bugs in modern UNIX systems 🙂 Amazing… but it could be that these techniques (yes, it isn't one technique that is used to exploit this bug) are the last opportunity for exploiting remote stack overflow bugs… OK so… have a nice watching 🙂

Best regards,

Adam Zabrocki

30 Dec, by pi3

This will be a very short post… A few months ago I found a security vulnerability in one Apache server/module. I contacted the Apache security team. In a few days I will decide about the "future" of this bug: publish now, or wait for the security patch and publish after it. For now I can paste here a simple output from gdb:

Program received signal SIGSEGV, Segmentation fault.
0x0000003fec682958 in memcpy () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install expat-2.0.1-6.fc11.1.x86_64 
glibc-2.10.1-5.x86_64 nss-softokn-freebl-3.12.4-3.fc11.x86_64
(gdb) bt
#0  0x0000003fec682958 in memcpy () from /lib64/libc.so.6
#1  0x000000000043083c in inet_addr ()
#2  0x000000000042a796 in inet_addr ()
#3  0x000000000042975f in inet_addr ()
#4  0x000000000041d8f5 in inet_addr ()
#5  0x0000000000432a29 in inet_addr ()
#6  0x000000000044bc88 in inet_addr ()
#7  0x000000000044bceb in inet_addr ()
#8  0x0000000000441344 in inet_addr ()
#9  0x0000000000441521 in inet_addr ()
#10 0x00000000004416a7 in inet_addr ()
#11 0x0000000000441f5f in inet_addr ()
#12 0x0000000000442820 in inet_addr ()
#13 0x0000003fec61ea2d in __libc_start_main () from /lib64/libc.so.6
#14 0x0000000000403399 in inet_addr ()
#15 0x00007fffffffe618 in ?? ()
#16 0x000000000000001c in ?? ()
#17 0x0000000000000002 in ?? ()
#18 0x00007fffffffe87d in ?? ()
#19 0x00007fffffffe899 in ?? ()
#20 0x0000000000000000 in ?? ()

Best regards,

Adam Zabrocki

15 Dec, by pi3

More than a year ago I published an advisory for the 'mtr' software. Personally, I think it is a great bug because it can't exist without an unspecified situation in the libresolv library 🙂 The question is: why have I written about it on the blog?

I forgot to add this advisory to my site (sic!) 🙂 Now it's OK and you can find the advisory here.

I attached details and a Proof of Concept to this advisory. If you haven't read it yet, I strongly recommend you do, because it shows that sometimes when we read source code we think a bug doesn't exist, but sometimes other external stuff/bugs/unspecified situations help us to trigger and exploit a non-existent bug 🙂

Here is the link, once again:
http://site.pi3.com.pl/adv/advisory-libresolv-mtr.txt

Btw. In the future I want to continue research on CPU bugs, and it will probably result in new posts on this topic 🙂

Best regards,

Adam Zabrocki

For the last few weeks I have been talking (mailing) with Derek (the xpdf developer; btw. a really nice guy) about some vulnerabilities in his product. On the 14th of October he published a patch for the bugs (not only my vulnerabilities), so I decided to release an advisory…
