Older blog entries for Marcus (starting at number 125)

New glibc security things: Pointer obfuscation

glibc 2.4 (shipped in SUSE Linux 10.1) introduces pointer obfuscation (PTR_MANGLE / PTR_DEMANGLE in the glibc sources). On program startup a random value is read from /dev/urandom; selected pointers are xor'ed with this per-process value when they are stored into data structures (the x86 ports additionally rotate the result), and the transformation is reversed when they are read back. An attacker who overwrites such a stored pointer with a raw address therefore does not get control of where the program jumps: the value is demangled with a guard the attacker does not know, and the result is garbage.

This goes for:

  • jmp_bufs (setjmp/longjmp). A stack overflow that reaches a jmp_buf (which usually lives on the stack as well) can overwrite the saved stack pointer and the saved instruction-pointer register; the next longjmp() then resumes execution wherever the attacker chose. Because longjmp() never passes through the overflowed function's return sequence, the stack canary is never checked, so this works even on a canary-protected binary.
  • atexit() handlers, in case the attacker overwrites the heap and with it those function pointers.
  • iconv / gconv related function pointers.
Another way of redirecting control flow is closed off. It is not a complete fix, though: the guard value sits in readable process memory, so an attacker with an arbitrary read or an information leak can recover it and mangle a pointer of his own, and pointers glibc does not mangle (GOT entries, the application's own function pointers) are unaffected.
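To make the mechanism concrete, here is a small model of it in C. This is an added example, not glibc's code: the guard is a global seeded from /dev/urandom (with a deterministic setter for experiments), the transformation is xor followed by a 9-bit rotation like glibc's x86 PTR_MANGLE, and the "attack" is simulated by writing a raw address into the slot that should only ever hold a mangled value. The function names and the struct are invented for the demonstration.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Per-process secret, standing in for glibc's pointer guard. It is set once
   at startup and never stored next to the pointers it protects. */
static uintptr_t pointer_guard;

#define WORD_BITS (sizeof(uintptr_t) * 8)

static uintptr_t rotl(uintptr_t v, unsigned n)
{
    n %= WORD_BITS;
    return n == 0 ? v : (v << n) | (v >> (WORD_BITS - n));
}

static uintptr_t rotr(uintptr_t v, unsigned n)
{
    n %= WORD_BITS;
    return n == 0 ? v : (v >> n) | (v << (WORD_BITS - n));
}

/* Seed the guard from /dev/urandom, as the entry above describes glibc 2.4
   doing. Returns 0 on success, -1 if the device could not be read. */
int init_pointer_guard(void)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, &pointer_guard, sizeof pointer_guard);
    close(fd);
    return n == (ssize_t) sizeof pointer_guard ? 0 : -1;
}

/* Deterministic seeding, for tests and for showing that it is the guard,
   not the transformation, that the attacker lacks. */
void set_pointer_guard(uintptr_t guard)
{
    pointer_guard = guard;
}

/* PTR_MANGLE / PTR_DEMANGLE equivalents: xor with the guard, then rotate,
   and the exact inverse on the way back. */
uintptr_t mangle_ptr(uintptr_t p)
{
    return rotl(p ^ pointer_guard, 9);
}

uintptr_t demangle_ptr(uintptr_t m)
{
    return rotr(m, 9) ^ pointer_guard;
}

/* A stored code pointer, e.g. an atexit() handler or the saved PC in a
   jmp_buf. Only the mangled form ever lives in memory. */
typedef void (*handler_fn)(void);

struct saved_handler {
    uintptr_t mangled_fn;
};

void save_handler(struct saved_handler *slot, handler_fn fn)
{
    slot->mangled_fn = mangle_ptr((uintptr_t) fn);
}

handler_fn load_handler(const struct saved_handler *slot)
{
    return (handler_fn) demangle_ptr(slot->mangled_fn);
}

/* Simulate the attack: an overflow overwrites the stored slot with the raw
   address of the attacker's target. Returns 1 if the demangled pointer no
   longer points at that target, i.e. the hijack failed. */
int raw_overwrite_is_defeated(uintptr_t attacker_target)
{
    struct saved_handler slot;
    slot.mangled_fn = attacker_target;      /* attacker writes an unmangled value */
    return demangle_ptr(slot.mangled_fn) != attacker_target;
}

static void real_handler(void) { puts("real handler ran"); }

int main(void)
{
    if (init_pointer_guard() != 0)
        set_pointer_guard((uintptr_t) 0x5a5a5a5a5a5a5a5aULL);   /* fallback for the demo only */
    struct saved_handler slot;
    save_handler(&slot, real_handler);
    printf("stored %#lx, demangled %#lx\n", (unsigned long) slot.mangled_fn,
           (unsigned long) (uintptr_t) load_handler(&slot));
    load_handler(&slot)();
    printf("raw overwrite defeated: %d\n",
           raw_overwrite_is_defeated((uintptr_t) real_handler));
    return 0;
}
```

The point of raw_overwrite_is_defeated() is the one the entry makes: the attacker needs the guard to produce a value that demangles to an address of his choosing, which is why a read primitive or a leak of the guard turns the protection off again.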

New things in 10.1 from a security point of view.

Format string exploits got harder, thanks to FORTIFY_SOURCE and glibc 2.4.

With _FORTIFY_SOURCE enabled, calls to printf() and friends are turned into calls to checking variants (__printf_chk() and company). When such a call meets a %n conversion, the only format directive that writes to memory and therefore the one every format string exploit needs, glibc looks up in /proc/self/maps whether the format string itself lies in writable memory. A legitimate %n is written by the programmer into a string literal, which the linker puts into read-only .rodata; a format string an attacker smuggled in through a buffer lives on the heap or the stack, which are writable. In that case glibc aborts. Consider this example:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately vulnerable: the caller's string is used as the format. */
extern int f(char *f)
{
    char *buf = malloc(strlen(f) + 1);

    strcpy(buf, f);
    printf(buf, "hello world");   /* heap-resident format with %n inside */
    return 0;
}

int main(int argc, char **argv)
{
    f("%s\n%n%n%n");
    return 0;
}


$ gcc -O2 -o xx xx.c
$ ./xx
hello world
Segmentation fault
Exploit successful: the %n writes were carried out (here into whatever garbage was next in the argument list, hence the crash); with a crafted format string they would have landed at an address of the attacker's choosing.


$ gcc -O2 -o xx xx.c -D_FORTIFY_SOURCE=2
$ ./xx
hello world
*** %n in writable segment detected ***
Exploit now only yields a controlled abort(), no code execution.

This requires code compiled with -D_FORTIFY_SOURCE=2 (and at least -O1, since the checks are inserted through inline wrappers in the glibc headers). All packages built with RPM_OPT_FLAGS in SUSE Linux are, which is around 90% - 95% of them. Two limits are worth knowing: the check only triggers on %n, so an attacker-controlled format string can still read memory with %x, %s and friends, and a binary built without the define gets none of this.

(Of course I know that almost all format string exploits have been fixed in the meantime. But there might still be some left.)
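The following is an added example (not glibc's implementation and not from this diary) that re-creates the check in user code: it parses /proc/self/maps to classify the format string's address, scans the format for a %n conversion, and refuses the combination. The function names are invented; unlike glibc, which aborts, the wrapper returns a status so the outcome can be observed, and it fails closed when the mapping cannot be determined.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Look up the mapping that contains addr in /proc/self/maps (Linux only)
   and report whether it is writable: 1 = writable, 0 = read-only,
   -1 = could not determine (no /proc, or address in no mapping). */
int addr_is_writable(const void *addr)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (maps == NULL)
        return -1;
    uintptr_t a = (uintptr_t) addr;
    char line[512];
    int result = -1;
    while (fgets(line, sizeof line, maps) != NULL) {
        unsigned long start, end;
        char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &start, &end, perms) != 3)
            continue;
        if (a >= start && a < end) {
            result = (perms[1] == 'w');
            break;
        }
    }
    fclose(maps);
    return result;
}

/* Scan a printf-style format for a %n conversion. "%%" is a literal percent
   sign; flags, width, precision and length modifiers may sit between the
   '%' and the conversion character, so "%ln" and "%2$n" also count. */
int format_has_n(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* "%%" */
        while (*p != '\0' && strchr("-+ #0123456789.*$hlLqjzt", *p) != NULL)
            p++;                            /* skip flags/width/precision/length */
        if (*p == '\0')
            break;
        if (*p == 'n')
            return 1;
    }
    return 0;
}

/* Fortify-style checked printf: refuse a %n whose format string is not in
   read-only memory. Returns -2 when the check fires; otherwise what vprintf
   returns. Unknown mappings are treated as writable (fail closed). */
int checked_printf(const char *fmt, ...)
{
    if (format_has_n(fmt) && addr_is_writable(fmt) != 0) {
        fputs("*** %n in writable segment detected ***\n", stderr);
        return -2;
    }
    va_list ap;
    va_start(ap, fmt);
    int r = vprintf(fmt, ap);
    va_end(ap);
    return r;
}

/* The scenario from the entry above: the format is copied into a heap buffer
   (writable) before being used. Returns 1 if the checked printf refused it. */
int copied_format_is_refused(const char *fmt)
{
    char *buf = malloc(strlen(fmt) + 1);
    if (buf == NULL)
        return 0;
    strcpy(buf, fmt);
    int r = checked_printf(buf, "hello world");
    free(buf);
    return r == -2;
}

int main(void)
{
    static const char literal[] = "%s\n";            /* lands in .rodata */
    printf("literal writable? %d\n", addr_is_writable(literal));
    checked_printf(literal, "hello world");          /* no %n: printed normally */
    copied_format_is_refused("%s\n%n%n%n");          /* heap copy with %n: refused */
    return 0;
}
```

Note what the check does not cover, matching the limits stated above: a copied format without %n, such as "%x %x %x %s", passes through checked_printf() untouched and still leaks stack contents.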

0.9.13 has been released!

Of WINE of course. ;) And SUSE RPMs are built and uploaded.

YUM repos for SL 9.3 - 10.1 are at: ftp://ftp.suse.de/pub/people/meissner/wine/<distro>/

The new SUSE Linux 10.1 now shows updated WINE automatically as soon as they appear.

Hmm, to clarify the last diary entry ... Basically everyone doing something for SUSE Linux is an "openSUSE staff member". In _no_ order of importance:

  • The Novell/SUSE employees doing the packaging, integration etc. work
  • The countless testers and bug reporters
  • The folks helping on the mailing lists.
  • The folks that helped man the openSUSE booth at LT (and upcoming fairs).
  • The folks fixing typos in the Wiki.
  • ... meaning everyone :)

But anyway, back to my opensource stuff...

My TWAIN -> sane/gphoto2 split got applied to WINE cvs and will be in Wine 0.9.13. So you can import your pictures into Picasa now. Sadly via a JPEG -> Bitmap -> JPEG route currently.

Peeked at the MTP developer kit. Now I know what the missing PTP opcodes mean: the 0x91xx set is for the Janus DRM, and 0x9201 is for some strange "Buy Now(tm)" technology. Neither is really necessary to implement for your music playing experience right now.

Interesting read on Windows Media DRM too, especially the fact that they planned for it to be cracked. The commercial vendors are learning from the DVD disaster.

And I watched Buffy the Vampire Slayer Season 3 episodes. Evil Willow *rrrrrr* :)

I am a proud member of the openSUSE staff.

Was at the open-door day of our local tram guys ... 125 years of trams. Visited the tram depot and repair shops... Entertainment including a horse tram. :)

Found out about Microsoft embracing the USB world with Microsoft OS USB Descriptors. How to detect an MTP device?

  • Query string descriptor index 0xEE with language ID 0.
    A device that implements the scheme answers with a signature (the string "MSFT100") followed by a vendor-code byte, which is the bRequest value to use for the follow-up vendor requests that fetch the extended descriptors.
  • read on here
  • Don't know the layout of the Extended Device Descriptor and Extended Property Descriptor there yet.
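As an added example (not from this diary and not libgphoto2 code), here is a parser for the 18-byte reply to that string descriptor request; fetching the bytes with a GET_DESCRIPTOR control transfer is left to whatever USB library is in use. The sample buffers are constructed, and the vendor code 0xFE in them is an arbitrary choice.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of the Microsoft OS string descriptor (string index 0xEE):
     bLength (0x12), bDescriptorType (0x03 = STRING),
     qwSignature: "MSFT100" as 7 UTF-16LE code units (14 bytes),
     bMS_VendorCode: bRequest value for the follow-up vendor requests,
     bPad. */
#define MS_OS_STRING_INDEX 0xEE
#define MS_OS_STRING_LEN   18

/* Validate a buffer returned for GET_DESCRIPTOR(STRING, 0xEE, langid 0).
   Returns the vendor code (0..255) on success, -1 if the buffer is not a
   well-formed MS OS string descriptor, which is the normal answer from a
   device that does not implement the scheme (many just reply with a plain
   string or a STALL, so length and signature must both be checked). */
int parse_ms_os_string_descriptor(const uint8_t *buf, size_t len)
{
    static const char sig[] = "MSFT100";
    if (buf == NULL || len < MS_OS_STRING_LEN)
        return -1;
    if (buf[0] != MS_OS_STRING_LEN || buf[1] != 0x03)
        return -1;
    for (size_t i = 0; i < 7; i++) {
        /* UTF-16LE: low byte is the ASCII character, high byte must be 0 */
        if (buf[2 + 2 * i] != (uint8_t) sig[i] || buf[3 + 2 * i] != 0)
            return -1;
    }
    return buf[16];
}

/* Constructed sample: a device that supports MS OS descriptors, vendor code 0xFE. */
static const uint8_t sample_ms_os_desc[18] = {
    0x12, 0x03,
    'M', 0, 'S', 0, 'F', 0, 'T', 0, '1', 0, '0', 0, '0', 0,
    0xFE, 0x00
};

/* Constructed sample: an ordinary string descriptor of the same length. */
static const uint8_t sample_plain_string_desc[18] = {
    0x12, 0x03,
    'W', 0, 'i', 0, 'n', 0, 'e', 0, ' ', 0, 'H', 0, 'Q', 0,
    0x00, 0x00
};

int main(void)
{
    printf("MS OS device: vendor code %d\n",
           parse_ms_os_string_descriptor(sample_ms_os_desc, sizeof sample_ms_os_desc));
    printf("plain device: %d\n",
           parse_ms_os_string_descriptor(sample_plain_string_desc, sizeof sample_plain_string_desc));
    return 0;
}
```

The vendor code is only the first step; whether the device is MTP is decided by the extended compat ID descriptor fetched with that bRequest, whose layout the entry above leaves open.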
7 May 2006 (updated 7 May 2006 at 10:29 UTC)

If you are interested in not yet so well documented standards regarding PTP digital cameras, there is some trade secret leakage here:

The planetsuse.org RSS feed seems to be down, the planet itself is not... strange.

Wonderful spring weekend here in Franconia. At least the Sunday ... Went inline skating with a good friend of mine to the best inline skating place in town: the Reichsparteitagsgelaende around the Dutzendteich in Nuernberg, with a large asphalt area right in front of the tribune, home of skate hockey, skate tricks etc. during the warm days.

Finished splitting off sane.ds from twain_32.dll. Submitted it, but it was not accepted before Alexandre's vacation.

Finished my first draft of a gphoto2.ds (gphoto2 TWAIN source). Half of the programs can now import photos from cameras. Only one half, because while one transfer mode (imagememxfer) works, the other (imagenativexfer) returns a handle which the callers do not like. It should return a handle for a DIB section, and it does... But apparently in Windows these handles are different. This is going to be fun to fix. NOT.

Happy springtime. :)

Spent the Easter weekend at my parents'... without Internet, but with laptop. So the WINE 0.9.12 SUSE packages have been a bit late, but are on SourceForge and the ftp.suse.com/pub/people/ mirrors now.
For additional fun I now provide YUM metadata,

Add the YUM source ftp://ftp.suse.com/pub/people/meissner/wine/10.0/ (or 10.1) to get updates via YUM.

I spent the train travel and some quiet times hacking on several things:

  • More Nikon DSLR remote controllability. There are like 100 options to remote control on the Nikons, and libgphoto2 now supports like 90 of them.
  • MTP device metadata handling. MTP devices provide metadata like artist, genre, duration etc. in a sideband separate from the actual MP3 file on the player. You need to call special functions to retrieve or send those bits of data from/to the device. I have enhanced libgphoto2 (and gphoto2) to allow a sideband "METADATA" stream to get and put those attributes.
  • Some speed tests on libgphoto2 ... It is taking quite some time to retrieve even the list of cameras. Serial device locking taking way too long, shared library loading and freeing madness, etc... all take their toll.
  • On the WINE side I spent some time splitting off the sane support from the twain_32.dll implementation. Two ideas for this: Add a libgphoto2 interface and allow native twain drivers. The latter are not terribly useful before getting their USB kernel level drivers to load, but it opens new possibilities.
Off for a new week with new security horrors.
8 Apr 2006 (updated 9 Apr 2006 at 10:19 UTC)

Finally bitten the bullet and created a page of (libgphoto2) remote controllable cameras.

Your input is very welcome here, just drop me a mail if you have changes, additions or layout suggestions.

This is yet another time consuming activity. :/

Later today: Foto Safari through the Nuernberg Tiergarten/Zoo.

