argp is currently certified at Journeyer level.

Name: Patroklos Argyroudis
Member since: 2007-04-17 17:39:04
Last Login: 2010-02-09 11:09:43

Homepage: http://ntrg.cs.tcd.ie/~argp/

Notes: I am a researcher working on computer security and applied cryptography. Most of the open source code I have released can be found at http://ntrg.cs.tcd.ie/~argp/code/. Also, I am affiliated with census, inc.

PGP key fingerprint: EF2A43E9 C6099C6F 89DD2FD4 114A42C1 B0109FEE

Blogroll: kargig, demonmass, huku, fotisl, ithilgore, xorl, dds, stealth, keramida, silvio

Recent blog entries by argp

7 Feb 2010 »

exploit for CVE-2010-0453

While playing today with kmdb on OpenSolaris I wrote a denial of service (kernel panic) PoC exploit for the UCODE_GET_VERSION ioctl NULL pointer dereference vulnerability. The vulnerability was discovered by Tobias Klein who always publishes very detailed advisories:

http://www.trapkit.de/advisories/TKADV2010-001.txt

You can get my exploit from:

http://census-labs.com/media/cve-2010-0453.c

6 Jan 2010 »

first 2010 0day

md5: e8d5dd9d6cdf8602f12c8baef53f6550
sha1: 1322d45eed25260a0d5f85284011e1b205328807
sha256: eb4f95ec1b62d57e022c6945bdcb3f747f94f3ad7ddedc4bfde7dee23d4362ef

24 Dec 2009 »

xmas 2009 0day

md5: a145ed9d7e1c33124daab40447cc5b56
sha1: c888985f209c26243206f8864783500b0c9353bb
sha256: 27cbcd01cf0e1b6a2ba82d4c0209a791957a3c1c29c131b0208f77981a1a81aa

14 Dec 2009 (updated 19 Jan 2010 at 09:10 UTC) »

Monkey HTTPd improper input validation vulnerability

census ID: census-2009-0004
Affected Products: Monkey web server versions ≤ 0.9.2.
Class: Improper Input Validation (CWE-20), Incorrect Calculation (CWE-682)
Remote: Yes
Discovered by: Patroklos Argyroudis

We have discovered a remotely exploitable “improper input validation” vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing the worker threads that process HTTP requests.

Details

Monkey is a fast, efficient, small and easy to configure HTTP/1.1 compliant web server. It has been designed to be scalable with low memory and CPU consumption. More information about its features can be found here.

Monkey (up to and including version 0.9.2) employs an insufficient input validation method for handling HTTP requests with invalid connection headers. Specifically, the vulnerability is in the calculation of the end position of a header value within the request body buffer, which is derived from the position of the next newline character in the function Request_Find_Variable() in the file src/request.c:

364: char *Request_Find_Variable(char *request_body,  char *string)
365: {
366:   int pos_init_var=0, pos_end_var=0;
367:   char *var_value = 0;
368:
369:   /* Does *string exist in request_body ??? */
370:   if (strstr2(request_body, string) == NULL)
371:       return NULL;
372:
373:   pos_init_var = str_search(request_body, string, strlen(string));
374:   pos_end_var = str_search(request_body+pos_init_var, "\n", 1) - 1;
375:
376:   if(pos_init_var<=0 || pos_end_var<=0){
377:       return  NULL;
378:   }
379:
380:   pos_init_var += strlen(string) + 1;
381:   pos_end_var = (unsigned int) (pos_init_var  + pos_end_var)
                                - (strlen(string) +1);
382:
383:   var_value = m_copy_string(request_body, pos_init_var, pos_end_var);
384:
385:   return (char *) var_value;
386: }

With a specially crafted request body, the pos_init_var integer can take the value 0x1c (28 in decimal) and the pos_end_var integer the value 0x1a (26 in decimal), i.e. an end position that lies before the start position. These values are passed to m_copy_string(), where the calculation of the unsigned integer size at line 428 (file src/utils.c) is performed on signed operands and then cast to unsigned; this signedness bug, combined with the bounds check that follows, makes m_copy_string() return NULL (line 438, file src/utils.c):

423: char *m_copy_string(const char *string, int pos_init, int pos_end)
424: {
425:   unsigned int size, bytes;
426:   char *buffer=0;
427:
428:   size = (unsigned int) (pos_end - pos_init ) + 1;
429:   if(size<=2) size=4;
430:
431:   buffer = M_malloc(size);
432:
433:   if(!buffer){
434:       return NULL;
435:   }
436:
437:   if(pos_end>strlen(string) || (pos_init > pos_end)){
438:       return NULL;
439:   }

This causes Request_Find_Variable() to return NULL, which is stored in sr->connection at line 344 of file src/request.c and then passed, without a NULL check, to the strstr2() call at line 345 of the same file, where the NULL pointer is dereferenced:

344:   sr->connection = Request_Find_Variable(request_body, RH_CONNECTION);
345:   if((strstr2(sr->connection,"Keep-Alive"))!=NULL){
346:       sr->keep_alive=VAR_ON;
347:   }

This vulnerability can allow an attacker to perform denial of service attacks by repeatedly crashing Monkey worker threads that process HTTP requests. We have developed a proof-of-concept exploit to demonstrate the vulnerability.
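The arithmetic described above, as an added example in C (this is not Monkey's code and not the 0.9.3 fix): copy_size_unsafe() reproduces the unsigned size calculation of line 428 with the values from the advisory, m_copy_string_safe() is a hardened version that validates the positions on signed values before any cast or allocation, and connection_is_keep_alive() shows the caller-side NULL check that line 345 lacks. All three function names are this example's own, as are the assumptions that m_copy_string() copies the bytes between pos_init and pos_end into a fresh NUL-terminated buffer and that unsigned int is 32 bits wide; the header line in main() is constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reproduces the size arithmetic at line 428 of m_copy_string():
 * the subtraction is done on signed ints and the result is then cast to
 * unsigned, so an end position smaller than the start position wraps
 * to a huge value instead of being rejected. The size is returned so the
 * wrap can be observed without allocating anything. */
unsigned int copy_size_unsafe(int pos_init, int pos_end)
{
    unsigned int size = (unsigned int)(pos_end - pos_init) + 1;
    if (size <= 2)
        size = 4;
    return size;
}

/* Hardened version (this example's own, not Monkey's fix): the bounds
 * are checked on signed values first, so pos_end < pos_init, negative
 * positions and positions past the end of the string are all rejected
 * before any cast or allocation happens. Assumed semantics: the bytes
 * in [pos_init, pos_end) are copied into a fresh NUL-terminated buffer. */
char *m_copy_string_safe(const char *string, int pos_init, int pos_end)
{
    size_t len, count;
    char *buffer;

    if (string == NULL || pos_init < 0 || pos_end < pos_init)
        return NULL;
    len = strlen(string);
    if ((size_t)pos_end > len)
        return NULL;

    count = (size_t)(pos_end - pos_init);
    buffer = malloc(count + 1);
    if (buffer == NULL)
        return NULL;
    memcpy(buffer, string + pos_init, count);
    buffer[count] = '\0';
    return buffer;
}

/* Caller-side check missing at line 345 of src/request.c:
 * Request_Find_Variable() legitimately returns NULL when the header is
 * absent or malformed, so the value must be tested before strstr().
 * Returns 1 if the Connection value asks for keep-alive, 0 otherwise. */
int connection_is_keep_alive(const char *connection)
{
    if (connection == NULL)
        return 0;
    return strstr(connection, "Keep-Alive") != NULL;
}

int main(void)
{
    /* Constructed header line standing in for a request body fragment. */
    const char *line = "Connection: Keep-Alive\r\n";
    char *value;

    printf("size with pos_init=28, pos_end=26: 0x%x\n",
           copy_size_unsafe(28, 26));

    value = m_copy_string_safe(line, 12, 22);
    printf("valid copy: %s -> keep-alive=%d\n",
           value ? value : "(null)", connection_is_keep_alive(value));
    free(value);

    value = m_copy_string_safe(line, 28, 26);
    printf("inverted positions: %s -> keep-alive=%d\n",
           value ? value : "(null)", connection_is_keep_alive(value));
    free(value);
    return 0;
}
```

With the advisory's values the unsafe computation yields 0xffffffff, which is why the original code never reaches a usable buffer; the hardened copy rejects the inverted positions outright, and the caller treats a NULL value as "no keep-alive" rather than dereferencing it.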

The maintainer of Monkey has been contacted and a new version of the web server (0.9.3) has been released that addresses this issue. All affected parties are advised to upgrade to the latest version available.

Syndicated 2009-12-14 12:04:04 (Updated 2010-01-19 10:51:46) from www.census-labs.com blog posts by author

3 Dec 2009 (updated 3 Dec 2009 at 19:57 UTC) »

Hellenic Air Force Academy free/open source event

census participated in the free/open source event held last month (Friday 23rd of October) at the Hellenic Air Force Academy (Σχολή Ικάρων).

Our talk presented an overview of the available free/open source software that can be used to build complete security solutions for public offices and infrastructure. Furthermore, we analysed recorded cyberwarfare incidents and how the open source model can aid in establishing robust defenses. The slides from our presentation are available here (in Greek).

We would like to cordially thank Professor Antonios Andreatos for inviting us to the event and for his organisational efforts.

Syndicated 2009-12-03 11:00:45 (Updated 2009-12-03 11:00:48) from www.census-labs.com blog posts by author

argp certified others as follows:

  • argp certified fzort as Journeyer
  • argp certified adulau as Journeyer
  • argp certified dma as Journeyer
  • argp certified chalst as Master
  • argp certified redi as Journeyer
  • argp certified Fefe as Master

Others have certified argp as follows:

  • dma certified argp as Journeyer
  • fzort certified argp as Journeyer
  • adulau certified argp as Journeyer
  • StevenRainwater certified argp as Journeyer
  • ncm certified argp as Apprentice
  • chalst certified argp as Journeyer
  • redi certified argp as Journeyer
  • ittner certified argp as Journeyer
