21
Jul
Finally! 19 of July 2011 I had defence of my Master of Degree. I pass exam from whole study at mark 5.5 (the highest mark) and defence my thesis with mark 5.5 (the highest mark) and on the diploma I’m going to have final mark 5.0 (almost the highest mark ;)). My thesis was interesting not only for me but also for my University and they want to send it to the contest 😉 My topic was: “Elaboration of an automatic system of fuzz testing technique to use in the CERN grid applications”. To be honest now I have very powerful fuzzer ;>
At the beginning of March I second time moved to Switzerland (because of my work at CERN). Before that I was working in Wroclaw Center for Networking and Supercomputing in security team. In the middle of one pentesting work me and my friends (Bartek Balcerek and Maciej Kotowicz) discovered very nice vulnerability in the TORQUE server.
TORQUE (Terascale Open-Source Resource and Queue Manager) is very common in any GRID projects – including GRID in European Organization for Nuclear Research aka CERN 🙂 By using this bug attacker are able to create dirty job and put it to the queue and server responsible for executing this job will be hacked. This is very dangerous situation from the infrastructure – in the easiest way noone else will be able to use GRID resources. In worst situation we are able to overtake control on the edge machine which can manipulate any other machine – of course server is running with the root privileges 😉
Here is advisory in full-disclosure list.
Here is backup on my server.
Best regards,
Adam Zabrocki
17
Nov
Finally! After few months of waiting we’ve got Phrack number 67! For me this is special release. Why? My article was accepted by Phrack staff and published at this release 🙂 I’m proud of that 😉 For me Phrack magazine is a legend. I grown on this magazine, so my connection with this magazine is even stronger 😉
At first I would like to thanks blackb1rd. He helps me very much with this article. If not blackb1rd, this article will never exists at this form like it is now. You’ve got beer from me, whenever we meet 😉
OK. So what about this release? Personally I think this is very good release. There is many interesting articles (for me). I love trick with exploiting user space vulnerabilities in the years of Non Executable Memory, ASLR, SSP, … and other shits 😉 There is Heap, there is Format Strings, and of course stack (my article), there is …. ah 😉
From the news the chapter ‘loopback’ comes back 😉 The full table of content is:
0x01 Introduction ....................................... Phrack Staff 0x02 Phrack Prophile on punk ............................ Phrack Staff 0x03 Phrack World News .................................. EL ZILCHO 0x04 Loopback (is back) ................................. Phrack Staff 0x05 How to make it in Prison ........................... TAp 0x06 Kernel instrumentation using kprobes ............... ElfMaster 0x07 ProFTPD with mod_sql pre-authentication ............ FelineMenace 0x08 The House Of Lore: Reloaded ........................ blackngel 0x09 A Eulogy for Format Strings ........................ Captain Planet 0x0a Dynamic Program Analysis and Software Exploitation . BSDaemon 0x0b Exploiting memory corruptions in Fortran programs .. Magma under UNIX/VMS 0x0c PHRACKERZ: Two Tales ............................... Antipeace & The Analog Kid 0x0d Scraps of notes on remote stack overflow ........... pi3 exploitation 0x0e Notes Concerning the Security, Design and .......... The Philosopher Administration of Siemens DCO-CS Digital Switching Systems 0x0f Hacking the mind for fun and profit ................ lvxferis 0x10 International Scenes ............................... various
Pure content looks very interesting, so what is inside? 🙂 Go and read! Go Go GO!!! 🙂
Btw. As you see, my article is:
Scraps of notes on remote stack overflow
available here and backup on my site here.
Btw2. I’m waiting for feedback 😉
.
Best regards,
Adam Zabrocki
Yesterday (30 of April) I gave a lecture in WA (White Area) at CERN. I was talking about my new project (in fact Master of Degree thesis topic). This is automated testing tool which uses fuzzing technique. It can be used for generate CLI, API, Unit, Functionally, Regression, … , tests – in fact we can use it for all types of tests. Generated programs are independent from language. It can generate output program in JAVA, C, C++, Assembler, Python, Perl, C#, … languages – we can simply add new modules for add new languages. To be more flexible, framework used Aspect-Oriented Programming (AOP). First beta version of framework is published on CERN svn servers. It is integrated with DPM CLI tests and works pretty well 😉
In the future maybe I will publish some more details.
Btw. This project can be simply adapted for search vulnerabilities in software 😉
Best regards,
Adam Zabrocki
18
Mar
One day I was reviewing all bugs in bugtraq IDs (popular bids). I want to know which kind of bugs is it now popular and what is the trend of modern bugs. I came to two main conclusions:
1) The most popular are SQL/XSS bugs but in 60% this is found in software which nobody knows/uses (stupid kiddie)
2) We’ve got 2010 year and there is still possible to find stack overflow bugs! The most funny thing for me there is more remote stack overflow bugs than local 🙂
Stack overflow bugs is one of the oldest class of software bugs which still exists – more-less 10% of all bugs ! Of course it isn’t 199x year that you can find it using regexpression for ‘grep’ program. So what is conclusion? Exploit stack overflow bugs is still interesting from attackers point of view. The question is “Is it still possible to exploit this class of bugs in modern UNIX systems in 2010 year?”. The answer for this question isn’t simple. Let’s do simple review of modern defence systems. We’ve got:
*) Non-exec memory (not only stack – almost every region where it is NOT necessary) *) W^X – “Write XOR Exec” memory. It forbids memory with Write and Exec bits in the same time.*) AAAS – ASCII Armored Address Space *) ASLR – Address Space Layout Randomization *) mmap() and mprotect() protections
*) Heap protections – like safe-unlink(), safe malloc() implementation (OpenBSD) *) Random canary of death protections ——————————-|
*) frame pointer protection by canary of death |
*) move all pointers to the beginning of the frame |==> pro-police
*) move all local byte arrays to the end of the frame | protection (SSP) *) Vulnerable arguments copied to the local variables and then reordered—-| .
We can bypass most of this protection but if it isn’t connected. Is there any possibilities to exploit in modern UNIX systems REMOTE stack overflow bugs with enabled ALL of this protections?! It sounds crazy… but STILL we CAN DO IT 🙂 I wrote simple server with remote stack overflow bug and EXPLOIT it. Proof Of Concept of course is private but I created a movie of exploiting. You can find it here:
http://site.pi3.com.pl/priv/bypass-all-protections.flv
We’ve got 2010 year and we can still exploit remote stack overflow bugs in modern UNIX systems 🙂 Amazing… but it could be that this techniques (yes it isn’t one technique which is used to exploit this bug) is the last opportunity to exploiting remote stack overflow bugs… OK so… have a nice watching 🙂
Best regards,
Adam Zabrocki
15
Dec
More than year ago I was publish advisory in ‘mtr’ software. I think, personally, it is great bug because it can’t exist without unspecified situation in libresolv library 🙂 The question is why have I written information about it on blog?
I forgot add this advisory in my site (sic!) 🙂 Now it’s ok and you can find this advisory here.
I attached to this advisory details and Proof Of Concept. If you haven’t read it yet i strongly recommend you to do it because it shows that sometimes if we read source code we think bug doesn’t exists but sometimes other external stuff/bugs/unspecified situation help us to trigger and exploit unexisting bug 🙂
Here is link – once again:
http://site.pi3.com.pl/adv/advisory-libresolv-mtr.txt
Btw. In future I want to continue research about CPU bugs and probably it will cause news posts in this topic 🙂
Best regards,
Adam Zabrocki
6
Dec
Is it a dream? Impossible? Bugs in CPU? No… it’s reality! CPU is only a piece of hardware. Everything have bugs… CPU too. I will give here only a piece of information about bugs in INTEL products…
OK. I haven’t written long time on blog. Today I want to show you what sometimes
yum can do without your knowledge. Few days ago I was upgrading one of system using yum.
Everything looked fine. I was happy that sometimes yum is useful. After work I went sleep
and next day I received messages that smth is fu** up with www…