17
Nov
Finally! After few months of waiting we’ve got Phrack number 67! For me this is special release. Why? My article was accepted by Phrack staff and published at this release 🙂 I’m proud of that 😉 For me Phrack magazine is a legend. I grown on this magazine, so my connection with this magazine is even stronger 😉
At first I would like to thanks blackb1rd. He helps me very much with this article. If not blackb1rd, this article will never exists at this form like it is now. You’ve got beer from me, whenever we meet 😉
OK. So what about this release? Personally I think this is very good release. There is many interesting articles (for me). I love trick with exploiting user space vulnerabilities in the years of Non Executable Memory, ASLR, SSP, … and other shits 😉 There is Heap, there is Format Strings, and of course stack (my article), there is …. ah 😉
From the news the chapter ‘loopback’ comes back 😉 The full table of content is:
0x01 Introduction ....................................... Phrack Staff
0x02 Phrack Prophile on punk ............................ Phrack Staff
0x03 Phrack World News .................................. EL ZILCHO
0x04 Loopback (is back) ................................. Phrack Staff
0x05 How to make it in Prison ........................... TAp
0x06 Kernel instrumentation using kprobes ............... ElfMaster
0x07 ProFTPD with mod_sql pre-authentication ............ FelineMenace
0x08 The House Of Lore: Reloaded ........................ blackngel
0x09 A Eulogy for Format Strings ........................ Captain Planet
0x0a Dynamic Program Analysis and Software Exploitation . BSDaemon
0x0b Exploiting memory corruptions in Fortran programs .. Magma
under UNIX/VMS
0x0c PHRACKERZ: Two Tales ............................... Antipeace
&
The Analog Kid
0x0d Scraps of notes on remote stack overflow ........... pi3
exploitation
0x0e Notes Concerning the Security, Design and .......... The Philosopher
Administration of Siemens DCO-CS Digital
Switching Systems
0x0f Hacking the mind for fun and profit ................ lvxferis
0x10 International Scenes ............................... various
Pure content looks very interesting, so what is inside? 🙂 Go and read! Go Go GO!!! 🙂
Btw. As you see, my article is:
Scraps of notes on remote stack overflow
available here and backup on my site here.
Btw2. I’m waiting for feedback 😉
.
Best regards,
Adam Zabrocki
18
Mar
One day I was reviewing all bugs in bugtraq IDs (popular bids). I want to know which kind of bugs is it now popular and what is the trend of modern bugs. I came to two main conclusions:
1) The most popular are SQL/XSS bugs but in 60% this is found in software which nobody knows/uses (stupid kiddie)
2) We’ve got 2010 year and there is still possible to find stack overflow bugs! The most funny thing for me there is more remote stack overflow bugs than local 🙂
Stack overflow bugs is one of the oldest class of software bugs which still exists – more-less 10% of all bugs ! Of course it isn’t 199x year that you can find it using regexpression for ‘grep’ program. So what is conclusion? Exploit stack overflow bugs is still interesting from attackers point of view. The question is “Is it still possible to exploit this class of bugs in modern UNIX systems in 2010 year?”. The answer for this question isn’t simple. Let’s do simple review of modern defence systems. We’ve got:
*) Non-exec memory (not only stack – almost every region where it is NOT necessary) *) W^X – “Write XOR Exec” memory. It forbids memory with Write and Exec bits in the same time.*) AAAS – ASCII Armored Address Space *) ASLR – Address Space Layout Randomization *) mmap() and mprotect() protections
*) Heap protections – like safe-unlink(), safe malloc() implementation (OpenBSD) *) Random canary of death protections ——————————-|
*) frame pointer protection by canary of death |
*) move all pointers to the beginning of the frame |==> pro-police
*) move all local byte arrays to the end of the frame | protection (SSP) *) Vulnerable arguments copied to the local variables and then reordered—-| .
We can bypass most of this protection but if it isn’t connected. Is there any possibilities to exploit in modern UNIX systems REMOTE stack overflow bugs with enabled ALL of this protections?! It sounds crazy… but STILL we CAN DO IT 🙂 I wrote simple server with remote stack overflow bug and EXPLOIT it. Proof Of Concept of course is private but I created a movie of exploiting. You can find it here:
http://site.pi3.com.pl/priv/bypass-all-protections.flv
We’ve got 2010 year and we can still exploit remote stack overflow bugs in modern UNIX systems 🙂 Amazing… but it could be that this techniques (yes it isn’t one technique which is used to exploit this bug) is the last opportunity to exploiting remote stack overflow bugs… OK so… have a nice watching 🙂
Best regards,
Adam Zabrocki
30
Dec
This will be very short post… I have found (few months ago) security vulnerability in one of Apache server/module. I contact with apache security team. After few days I will decide about “future” of this bug – publish or wait for security path and publish after it. Now I can paste here simple output from gdb:
Program received signal SIGSEGV, Segmentation fault. 0x0000003fec682958 in memcpy () from /lib64/libc.so.6 Missing separate debuginfos, use: debuginfo-install expat-2.0.1-6.fc11.1.x86_64 glibc-2.10.1-5.x86_64 nss-softokn-freebl-3.12.4-3.fc11.x86_64 (gdb) bt #0 0x0000003fec682958 in memcpy () from /lib64/libc.so.6 #1 0x000000000043083c in inet_addr () #2 0x000000000042a796 in inet_addr () #3 0x000000000042975f in inet_addr () #4 0x000000000041d8f5 in inet_addr () #5 0x0000000000432a29 in inet_addr () #6 0x000000000044bc88 in inet_addr () #7 0x000000000044bceb in inet_addr () #8 0x0000000000441344 in inet_addr () #9 0x0000000000441521 in inet_addr () #10 0x00000000004416a7 in inet_addr () #11 0x0000000000441f5f in inet_addr () #12 0x0000000000442820 in inet_addr () #13 0x0000003fec61ea2d in __libc_start_main () from /lib64/libc.so.6 #14 0x0000000000403399 in inet_addr () #15 0x00007fffffffe618 in ?? () #16 0x000000000000001c in ?? () #17 0x0000000000000002 in ?? () #18 0x00007fffffffe87d in ?? () #19 0x00007fffffffe899 in ?? () #20 0x0000000000000000 in ?? ()
Best regards,
Adam Zabrocki
15
Dec
More than year ago I was publish advisory in ‘mtr’ software. I think, personally, it is great bug because it can’t exist without unspecified situation in libresolv library 🙂 The question is why have I written information about it on blog?
I forgot add this advisory in my site (sic!) 🙂 Now it’s ok and you can find this advisory here.
I attached to this advisory details and Proof Of Concept. If you haven’t read it yet i strongly recommend you to do it because it shows that sometimes if we read source code we think bug doesn’t exists but sometimes other external stuff/bugs/unspecified situation help us to trigger and exploit unexisting bug 🙂
Here is link – once again:
http://site.pi3.com.pl/adv/advisory-libresolv-mtr.txt
Btw. In future I want to continue research about CPU bugs and probably it will cause news posts in this topic 🙂
Best regards,
Adam Zabrocki
6
Dec
Is it a dream? Impossible? Bugs in CPU? No… it’s reality! CPU is only a piece of hardware. Everything have bugs… CPU too. I will give here only a piece of information about bugs in INTEL products…
Last few weeks I was talking(mailing) with Derek (xpdf developer – btw. really nice guy) about some vulnerabilities in his product. 14th of October he published path for bugs (not only my vulnerabilites) so i decide to release advisory…