29 of November 2011 was the date of public disclosure interesting vulnerability in lighttpd server. Xi Wang discovered that mod_auth for this server does not propely decode characters from the extended ASCII table. The vulnerable code is below:

--- CUT ---
static const short base64_reverse_table[256] = ...;
static unsigned char * base64_decode(buffer *out, const char *in) {
    int ch, ...;
    size_t i;

        ch = in[i];
        ch = base64_reverse_table[ch];
--- CUT ---

Because variable ‘in’ is type ‘char’, characters above 0x80 lead to negative indices. This vulnerability may lead out-of-boud read and theoretically cause Segmentation Fault (Denial of Service attack). Unfortunately I couldn’t find any binaries where .rodata section before the base64_reverse_table table cause this situation.

Second level of GCHQ ‘canyoucrackit’ challenge requires to implement own Virtual Machine(!). This VM must emulate segmented memory model with 16-byte segment size (notation seg:offset). For details please read this link:


I wrote quick overview about this challenge, how to solve it and some tips. It can be found here:

Yesterday I read in one of the polish portal (with news) an  information about interesting challenge organized by the Government Communications Headquarters (GCHQ). This is a British intelligence agency responsible for providing signals intelligence (SIGINT) and information assurance to the UK government and armed forces. Based in Cheltenham, it operates under the guidance of the Joint Intelligence Committee. CESG (originally Communications-Electronics Security Group) is the branch of GCHQ which works to secure the communications and information systems of the government and critical parts of UK national infrastructure.

Today I’ve received strange mail:

— CUT —
Date: Thu, 01 Sep 2011 09:11:00 +0200
From: gayroobaoll <gayroobaoll@o2.pl>
To: pi3@itsec.pl

Chcesz, http://facebook.com/100002779484440

— CUT —

As we can see, there is no subject, mail include link to someone’s facebook profile and has got only one Polish world (yes, this is attack for the Polish ppl). “Chcesz” means “Do you want”. Strange, dosn’t it? Mail was send from the Polish portal (o2.pl) – free mails.

OK 😉 Let’s check this profile…







Long time ago, far away after mountains and forests was living OpenSSH bug… 😉 This vulnerability existed in the authentication algorithm for GSSAPI module. Every piece of the code pinted to the pre-authentication bug…

Seriously, after a few time of research (un)fortunately this bug is directly after REAL authentication. So this is post-auth bug 🙁 One call less and this will be funny pre-authentication bug… This is the reason why this bug is useless in fact and public now 😉

Here is simple advisory 😉



by pi3

Finally! 19 of July 2011 I had defence of my Master of Degree. I pass exam from whole study at mark 5.5 (the highest mark) and defence my thesis with mark 5.5 (the highest mark) and on the diploma I’m going to have final mark 5.0 (almost the highest mark ;)). My thesis was interesting not only for me but also for my University and they want to send it to the contest 😉 My topic was: “Elaboration of an automatic system of fuzz testing technique to use in the CERN grid applications”. To be honest now I have very powerful fuzzer ;>

At the beginning of March I second time moved to Switzerland (because of my work at CERN). Before that I was working in Wroclaw Center for Networking and Supercomputing in security team. In the middle of one pentesting work me and my friends (Bartek Balcerek and Maciej Kotowicz) discovered very nice vulnerability in the TORQUE server.



by pi3

I had a long delay in posting on the blog… Several reasons made this situation:

*) When I came back from CERN to my family city I had only a few days to move to the city where I’m studying (~650 km from my family city)

*) I need to bought a car because of moving my staff to another city  (I love Toyota RAV4 – the best cars from the 2000-2005 years, unbreakable! :>)

*) I’m also studying a pedagogic

*) I had A LOT OF exams – in the both faculties ~20 exams – finally I pass everything ! 🙂



by pi3

Finally! After few months of waiting we’ve got Phrack number 67! For me this is special release. Why? My article was accepted by Phrack staff and published at this release 🙂 I’m proud of that 😉 For me Phrack magazine is a legend. I grown on this magazine, so my connection with this magazine is even stronger 😉

At first I would like to thanks blackb1rd. He helps me very much with this article. If not blackb1rd, this article will never exists at this form like it is now. You’ve got beer from me, whenever we meet 😉



by pi3

27 września odbyla sie konferencja SecDay 2010, na ktorej mimalem przyjemnosc wyglaszac swoja prelekcje “Linux vs rootkits”. Mozna ja sciagnac tutaj.

Moje wrazenia po konferencji sa pozytywne. W tym roku Lukasz postawil na Politechnike Wroclawska, na ktorej odbywaly sie wyklady. Byla to konferencja jednodniowa, ale za to za free 😉 Wystarczylo sie wczesniej zarejestrowac. Na swoim wykladzie naliczylem okolo 140 osob, wiec nie bylo zle 😉