Older blog entries for argp (starting at number 38)

Black Hat Europe 2010 update

Black Hat Europe 2010 is now over and after a brief ash cloud caused delay I am back in Greece. It has been a great conference, flawlessly organised and with many outstanding presentations. I would like to thank everyone that attended my presentation but also all the kind people that spoke to me before and afterwards. I hope to meet all of you again at a future event.

My presentation, titled “Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation”, was divided into four parts. In the first part I gave an overview of the published work on the subject of kernel exploitation for Unix-like operating systems. The second and third parts were the main body of the presentation. Specifically, in the second part I explained how a kernel stack overflow vulnerability on FreeBSD can be leveraged to achieve arbitrary code execution. The third part focused on a detailed security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel’s memory allocator. I explored how UMA overflows can lead to arbitrary code execution in the context of the latest stable FreeBSD kernel (8.0-RELEASE), and I developed an exploitation methodology for privilege escalation and kernel continuation.

In the fourth and final part I gave a demo of a FreeBSD kernel local 0day vulnerability that I have discovered. However, I have not released the details of the vulnerability in my Black Hat presentation. The details of this vulnerability (plus the proof-of-concept exploit) will be released shortly, once the relevant code is patched and the official advisory is out.

Below you may find all the material of my presentation, updated with some extra information and minor corrections:

Syndicated 2010-04-22 08:39:53 (Updated 2010-04-22 08:39:45) from www.census-labs.com blog posts by author

Binding the Daemon - Black Hat Europe 2010

census will be presenting “Binding the Daemon”, an in-depth analysis of FreeBSD kernel stack and kernel heap exploitation methodologies at Black Hat Europe 2010. This year the European Black Hat Briefings conference will be held in Barcelona, Spain. We hope to see you there!

Syndicated 2010-03-19 09:15:16 (Updated 2010-03-19 09:40:15) from www.census-labs.com blog posts by author

argp.gr/blog

I have moved my blog to http://argp.gr/blog/. Please update your RSS reader's entry since I will no longer be directly updating my Advogato diary. The new feed is here.

exploit for CVE-2010-0453

While playing today with kmdb on OpenSolaris I wrote a denial of service (kernel panic) PoC exploit for the UCODE_GET_VERSION ioctl NULL pointer dereference vulnerability. The vulnerability was discovered by Tobias Klein who always publishes very detailed advisories:

http://www.trapkit.de/advisories/TKADV2010-001.txt

You can get my exploit from:

http://census-labs.com/media/cve-2010-0453.c

first 2010 0day

md5: e8d5dd9d6cdf8602f12c8baef53f6550
sha1: 1322d45eed25260a0d5f85284011e1b205328807
sha256: eb4f95ec1b62d57e022c6945bdcb3f747f94f3ad7ddedc4bfde7dee23d4362ef

xmas 2009 0day

md5: a145ed9d7e1c33124daab40447cc5b56
sha1: c888985f209c26243206f8864783500b0c9353bb
sha256: 27cbcd01cf0e1b6a2ba82d4c0209a791957a3c1c29c131b0208f77981a1a81aa

14 Dec 2009 (updated 8 Mar 2010 at 17:09 UTC) »

Monkey HTTPd improper input validation vulnerability

census ID: census-2009-0004
Affected Products: Monkey web server versions ≤ 0.9.2.
Class: Improper Input Validation (CWE-20), Incorrect Calculation (CWE-682)
Remote: Yes
Discovered by: Patroklos Argyroudis

We have discovered a remotely exploitable “improper input validation” vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing worker threads that process HTTP requests.

Details

Monkey is a fast, efficient, small and easy to configure HTTP/1.1 compliant web server. It has been designed to be scalable with low memory and CPU consumption. More information about its features can be found here.

Monkey (up to and including version 0.9.2) employs an insufficient input validation method for handling HTTP requests with invalid connection headers. Specifically, the vulnerability is in the calculation for the end of the request body buffer related to newline characters in function Request_Find_Variable() in the file src/request.c:

  364: char *Request_Find_Variable(char *request_body,  char *string)
365: {
366:   int pos_init_var=0, pos_end_var=0;
367:   char *var_value = 0;
368:
369:   /* Existe *string en request_body ??? */        
370:   if (strstr2(request_body, string) == NULL)
371:       return NULL;
372:
373:   pos_init_var = str_search(request_body, string, strlen(string));
374:   pos_end_var = str_search(request_body+pos_init_var, "\n", 1) — 1;
375:
376:   if(pos_init_var

With a specially crafted request body the pos_init_var integer can take the value 0x1c (28 in decimal) and the pos_end_var integer can take the value 0x1a (26 in decimal). Then in the m_copy_string() function, the calculation for the unsigned integer size in line 428 (file src/utils.c) leads to a signedness bug and m_copy_string() returns NULL (line 438, file src/utils.c):

  423: char *m_copy_string(const char *string, int pos_init, int pos_end)
424: {
425:   unsigned int size, bytes;
426:   char *buffer=0;
427:
428:   size = (unsigned int) (pos_end — pos_init ) + 1;
429:   if(sizestrlen(string) || (pos_init > pos_end)){
438:       return NULL;
439:   }

This causes Request_Find_Variable() to return NULL (line 344, file src/request.c) and this to be used in the strstr2() call at line 345 of file src/request.c:

  344:   sr->connection = Request_Find_Variable(request_body, RH_CONNECTION);
345:   if((strstr2(sr->connection,"Keep-Alive"))!=NULL){
346:       sr->keep_alive=VAR_ON;
347:   }

This vulnerability can allow an attacker to perform denial of service attacks by repeatedly crashing Monkey worker threads that process HTTP requests. We have developed a proof-of-concept exploit to demonstrate the vulnerability.

The maintainer of Monkey has been contacted and a new version of the web server (0.9.3) has been released that addresses this issue. All affected parties are advised to upgrade to the latest version available.

Syndicated 2009-12-14 12:04:04 (Updated 2010-03-08 18:27:38) from www.census-labs.com blog posts by author

3 Dec 2009 (updated 3 Dec 2009 at 19:57 UTC) »

Hellenic Air Force Academy free/open source event

census participated in the free/open source event held last month (Friday 23rd of October) at the Hellenic Air Force Academy (Σχολή Ικάρων).

Our talk presented an overview of the available free/open source software that can be used to build complete security solutions for public offices and infrastructure. Furthermore, we analysed recorded cyberwarfare incidents and how the open source model can aid in establishing robust defenses. The slides from our presentation are available here (in Greek).

We would like to cordially thank Professor Antonios Andreatos for inviting us to the event and for his organisational efforts.

Syndicated 2009-12-03 11:00:45 (Updated 2009-12-03 11:00:48) from www.census-labs.com blog posts by author

CoreHTTP web server off-by-one buffer overflow vulnerability

census ID: census-2009-0003
CVE ID: CVE-2009-3586
Affected Products: CoreHTTP web server versions ≤ 0.5.3.1.
Class: Improper Input Validation (CWE-20), Failure to Constrain Operations within the Bounds of a Memory Buffer (CWE-119)
Remote: Yes
Discovered by: Patroklos Argyroudis

We have discovered a remotely exploitable “improper input validation” vulnerability in the CoreHTTP web server that leads to an off-by-one stack buffer overflow. The vulnerability can lead to denial of service attacks against the web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server.

Details

CoreHTTP is a minimalist web server focusing on speed and size. More information about its features can be found here.

CoreHTTP (up to and including version 0.5.3.1) employs an insufficient input validation method for handling HTTP requests with invalid method names and URIs. Specifically, the vulnerability is an off-by-one buffer overflow in the sscanf() call at file src/http.c line numbers 45 and 46:

  45:    sscanf(parentsprock->buffer,
46:        "%" PATHSIZE_S "[A-Za-z] %" PATHSIZE_S "s%*[ \t\n]", req, url);

The buffers req and url are declared to be of size 256 bytes (PATHSIZE) and the sscanf() call writes 256 bytes (PATHSIZE_S) to these buffers without NULL terminating them.

Note that this is not vulnerability CVE-2007-4060 in which the same sscanf() call contained no bounds check at all.

This vulnerability can lead to denial of service attacks against the CoreHTTP web server and potentially to the remote execution of arbitrary code with the privileges of the user running the server. We have developed a proof-of-concept exploit to demonstrate the vulnerability.

To address the problem we propose the following unofficial patch (download it from here), since CoreHTTP’s author has not released an official fix yet:

  --- corehttp/src/common.h.orig  2009-12-01 09:29:18.000000000 +0200
+++ corehttp/src/common.h       2009-12-01 09:31:47.000000000 +0200
@@ -36,7 +36,7 @@
 #define BUFSIZE                2048
 #define BUFSIZE_S      "2048"
 #define PATHSIZE       256
-#define PATHSIZE_S     "256"
+#define PATHSIZE_S     "255"
 #define        SETSIZE         16

 #ifndef GLOBALS_DEFINED

Syndicated 2009-12-02 09:47:13 (Updated 2009-12-02 18:31:43) from www.census-labs.com blog posts by author

1 Dec 2009 (updated 2 Dec 2009 at 11:22 UTC) »

Linux kernel SUNRPC off-by-two buffer overflow

census ID: census-2009-0005
Affected Products: Linux kernel versions from 2.6.32 to 2.6.32-rc7.
Class: Off-by-two stack buffer overflow.
Discovered by: Patroklos Argyroudis

We have found an off-by-two stack buffer overflow in the Linux kernel SUNRPC implementation. Linux kernel versions from 2.6.32 to 2.6.32-rc7 are affected.

Details

There is an off-by-two stack buffer overflow in function rpc_uaddr2sockaddr() of file net/sunrpc/addr.c in the Linux kernel SUNRPC implementation. It was introduced in commit a02d692611348f11ee1bc37431a883c3ff2de23e.

The function rpc_uaddr2sockaddr() that is used to convert a universal address to a socket address takes as an argument the size_t variable uaddr_len (the length of the universal address string). The stack buffer buf is declared in line 315 to be of size RPCBIND_MAXUADDRLEN. If the passed argument uaddr_len is equal to RPCBIND_MAXUADDRLEN then the condition of line 319 is false and then at lines 324 and 325 there are two out-of-bounds assignments:

  312: size_t rpc_uaddr2sockaddr(const char *uaddr, const size_t uaddr_len,
313:                           struct sockaddr *sap, const size_t salen)
314: {
315:        char *c, buf[RPCBIND_MAXUADDRLEN];
            ...
319:        if (uaddr_len > sizeof(buf))
320:            return 0;
            ...
324:        buf[uaddr_len] = '\n';
325:        buf[uaddr_len + 1] = '\0';
            ...
363: }
364: EXPORT_SYMBOL_GPL(rpc_uaddr2sockaddr);


Since the function rpc_uaddr2sockaddr() is declared as an EXPORT_SYMBOL_GPL function it can be used by kernel modules and potentially be reachable by user input. The bug was reported and fixed in 2.6.32-rc8 (commit 1e360a60b24ad8f8685af66fa6de10ce46693a4b).

Syndicated 2009-12-01 22:35:24 (Updated 2009-12-02 12:36:20) from www.census-labs.com blog posts by author

29 older entries...

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!