surely you jest

June 23rd, 2009 by ilja

this is a copy-paste from code I just had to write:

/*
 * HOLY FUCK. so pretty much everything in windows is a GUID,
 * but they don't have any standard APIs to deal with GUIDs.
 * for converting GUIDs to strings I had to use some API from
 * ObjBase (all ugly com crap). it has no API to convert strings
 * to GUIDs however.
 *
 * so I look on msdn, and after a long search I find http://msdn.microsoft.com/en-us/library/bb776431(VS.85).aspx
 * which is GUIDFromString(), this is hidden in shell32.dll.
 * so I try to use it, but the code simply won't link. I go back to
 * that msdn page and see the following at the end of the page:
 * "remarks:
 *    This function is not declared in a header or exported by name from a .dll file.
 *    It must be loaded from Shell32.dll as ordinal 703 for GUIDFromStringA and ordinal 704 for GUIDFromStringW.
 *
 *    It can also be accessed from Shlwapi.dll as ordinal 269 for GUIDFromStringA and ordinal 270 for GUIDFromStringW."
 *
 * ARE YOU KIDDING ME ??? so I spend an hour or so, trying to
 * find APIs to import functions by ordinal, rather than by name.
 * it turns out there is no GetProcAddress() equivalent for
 * ordinals. SON OF A BITCH !!!
 *
 * so I'm just going to write my own GUIDFromString() APIs
 */

man, this really pissed me off. not that converting back and forth from a string to a GUID is hard, it's just that they should have a decent set of APIs for this, and they simply don't (at least not for C code).

edit:

after rereading the GetProcAddress() manpage, it turns out you can specify an ordinal value, if you pass its value along as the name pointer, effectively encoding the value in a pointer *PUKE*.
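Since the post ends with "write my own GUIDFromString()", here is that routine in portable C, as an added example that is not the post's code: a strict parser for the braced {8-4-4-4-12} form (the one the Windows API takes) and its inverse, plus, under #ifdef _WIN32, the ordinal import the edit describes (MAKEINTRESOURCEA(704) for GUIDFromStringW in shell32.dll, per the MSDN remark quoted above). The struct layout and field names follow the Windows GUID definition, the GUIDFromStringW typedef is assumed from its documentation, and the function names and the sample value are this example's own.

```c
/* Added example, not from the original post: portable GUID <-> string
 * conversion plus the Windows ordinal import from the post's edit. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the Windows GUID: three little integers and 8 raw bytes. */
struct guid {
    uint32_t data1;
    uint16_t data2;
    uint16_t data3;
    uint8_t  data4[8];
};

/* One hex digit, or -1 for anything else. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Exactly n hex digits into *out; -1 if any digit is not hex. */
static int hexn(const char *s, int n, uint64_t *out)
{
    uint64_t v = 0;
    for (int i = 0; i < n; i++) {
        int d = hexval((unsigned char)s[i]);
        if (d < 0) return -1;
        v = (v << 4) | (uint64_t)d;
    }
    *out = v;
    return 0;
}

/* Accepts "{8-4-4-4-12}" and the same string without braces. Anything else,
 * including trailing junk or a missing brace, is rejected and *g is left
 * untouched, so a caller can never act on a half-parsed GUID. */
int guid_from_string(const char *s, struct guid *g)
{
    size_t len = strlen(s);
    int braced = (len == 38 && s[0] == '{' && s[37] == '}');
    if (!braced && len != 36) return -1;
    const char *p = braced ? s + 1 : s;
    if (p[8] != '-' || p[13] != '-' || p[18] != '-' || p[23] != '-') return -1;

    uint64_t d1, d2, d3, d4a, d4b;
    if (hexn(p, 8, &d1) || hexn(p + 9, 4, &d2) || hexn(p + 14, 4, &d3) ||
        hexn(p + 19, 4, &d4a) || hexn(p + 24, 12, &d4b))
        return -1;

    g->data1 = (uint32_t)d1;
    g->data2 = (uint16_t)d2;
    g->data3 = (uint16_t)d3;
    g->data4[0] = (uint8_t)(d4a >> 8);          /* Data4 is a byte array, */
    g->data4[1] = (uint8_t)d4a;                 /* so copy it byte-wise   */
    for (int i = 0; i < 6; i++)
        g->data4[2 + i] = (uint8_t)(d4b >> (8 * (5 - i)));
    return 0;
}

/* Braced, lower-case hex. Needs a 39-byte buffer; returns chars written or -1. */
int guid_to_string(const struct guid *g, char *buf, size_t buflen)
{
    if (buflen < 39) return -1;
    return snprintf(buf, buflen,
        "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}",
        g->data1, g->data2, g->data3,
        g->data4[0], g->data4[1], g->data4[2], g->data4[3],
        g->data4[4], g->data4[5], g->data4[6], g->data4[7]);
}

#ifdef _WIN32
#include <windows.h>
/* The ordinal import from the post's edit: GetProcAddress() accepts an ordinal
 * when the "name" is MAKEINTRESOURCEA(ordinal). 704 = GUIDFromStringW in
 * shell32.dll per the quoted MSDN remark. The typedef is assumed from MSDN. */
typedef BOOL (WINAPI *GUIDFromStringW_t)(LPCWSTR psz, LPGUID pguid);

static GUIDFromStringW_t load_guidfromstringw(void)
{
    HMODULE h = LoadLibraryW(L"shell32.dll");
    if (!h) return NULL;
    return (GUIDFromStringW_t)GetProcAddress(h, MAKEINTRESOURCEA(704));
}
#endif

int main(void)
{
    struct guid g;
    char out[39];
    const char *in = "{6B29FC40-CA47-1067-B31D-00DD010662DA}"; /* constructed sample */
    if (guid_from_string(in, &g) != 0) return 1;
    guid_to_string(&g, out, sizeof out);
    printf("%s -> data1=%08x -> %s\n", in, g.data1, out);
    return 0;
}
```

The strictness is the point: the converter either fills every field from exactly 32 hex digits in the expected layout or touches nothing. The endianness trap is in the last two groups: Data1..Data3 are integers, Data4 is eight raw bytes, which is why they are copied byte by byte rather than as one number.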

sendmail is a gay program, get behind it !

September 2nd, 2008 by ilja

“There is some sort of perverse pleasure in knowing that it’s basically impossible to send a piece of hate mail out through the Internet without its being touched by a gay program. That’s kind of funny.” — Eric Allman.
got that from http://findarticles.com/p/articles/mi_m1589/is_n754/ai_20350568

what year are we ?

August 27th, 2008 by ilja

http://plan9.bell-labs.com/sources/plan9/sys/src/ape/lib/bsd/gethostbyname.c
just did a google codesearch for gethostbyname()
the 90’s called, they want their bugs back!

auth by pid doesn’t work !

March 5th, 2008 by ilja

Every once in a while I stumble on some kernel code that tries to do authentication based on the pid of the calling process.
This does not work ! it's insecure, just don't do it!
Usually the code assumes that the process with pid x has certain privileges.
For example, let's say you only want root to issue ioctls on a device.
You'd make the open callback for your device do something like:

open_fn() {
    if (current->uid == 0)
        add_pid_to_trusted_list(current->pid);
}

and then for all your ioctls you'd just check if current->pid is in the trusted list.

This is a horrible kludge !!
All of this works fine, until the process that opened the device unexpectedly dies.
Now there is a dangling pid in the trusted list. All an attacker has to do is spawn off new processes until one of them gets the pid that's in the trusted list,
and _BAM_ the attacker gets to issue ioctls on a device he really shouldn't get to issue ioctls on.

don't think apps do this ? let's look at BestCrypt (http://www.jetico.com/).
here's its open callback:
static int bc_open(struct inode *inode, struct file *file)
{
    if (capable(CAP_SYS_ADMIN)) {
        bc_add_pid(current->pid);
    }
    return 0;
}

its ioctl handler looks like:
static int bc_ioctl(struct inode *inode, struct file *file, u_int cmd, u_long arg)
{
    switch (cmd) {
    BC_HANDLER("get_info", BC_GET_INFO,      bc_get_info(bc, (struct bc_info*) arg));
    BC_HANDLER("set_fd  ", BC_SET_FD,        bc_set_fd (bc, bdev, (struct bc_file64 *) arg));
    BC_HANDLER("clr_fd  ", BC_CLR_FD,        bc_clr_fd (bc, bdev, inode));
    BC_HANDLER("lock_dev", BC_LOCK_DEV,      bc_lock_dev(bc, inode->i_rdev, 1));
    BC_HANDLER("ulck_dev", BC_UNLOCK_DEV,    bc_lock_dev(bc, inode->i_rdev, 0));
    BC_HANDLER("frc_ulck", BC_FORCE_UNLOCK,  bc_force_unlock(bc, bdev, inode->i_rdev));
    BC_HANDLER("get_priv", BC_GET_PRIV,      bc_get_priv(arg));
    BC_HANDLER("hdio_geo", HDIO_GETGEO,      hdio_getgeo(bc, (struct hd_geometry *) arg));
    BC_HANDLER("vrfy_alg", BC_VERIFY_ALG,    bc_vrfy_alg((struct bc_alg*) arg));
    BC_HANDLER("make_key", BC_MAKE_KEY,      bc_make_key((struct bc_key*) arg));
    BC_HANDLER("free_key", BC_FREE_KEY,      bc_free_key((struct bc_key*) arg));
    BC_HANDLER("encr_blk", BC_ENCRYPT_BLOCK, bc_process ((struct bc_block*) arg, BC_ENCRYPT_BLOCK));
    BC_HANDLER("decr_blk", BC_DECRYPT_BLOCK, bc_process ((struct bc_block*) arg, BC_DECRYPT_BLOCK));
    }

}

BC_HANDLER is an ugly macro that looks like:
#define BC_HANDLER(dbg, x, y) case (x): /*printk(dbg "\n"); */ \
    error = (y); \
    break;
all of the functions used there look like:
static int some_function(struct bc_device *bc, struct block_device *bdev, struct bc_file64 *arg) {
    … variable declaration …
    if (bc_find_pid_safe(current->pid) >= 0) {
        current->cap_effective |= (1<<CAP_SYS_ADMIN)|(1<<CAP_CHOWN)|(1<<CAP_DAC_OVERRIDE)|…;
        current->euid = 0;
    } else {
        return -EPERM;
    }

    if (arg)
        bc_del_pid(current->pid);
    return 0;
}

yea, isn’t that great ?
Oh, and here's the kicker, BestCrypt comes with a suid root application that'll open the device for you ! (which means you can just kill it once it's opened the device).
These kinds of fuckups aren't limited to Linux. I've seen similar screwups in windows drivers.
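As an added example (not BestCrypt's or the post's code), here is the pattern above modelled in plain C next to a fix, run through the pid-reuse scenario. struct file, capable() and the current task pointer are user-space stand-ins declared in the block so it compiles and runs outside the kernel; a real driver uses the kernel's own. The fix decides at open() and remembers the answer on the open file description (file->private_data), which goes away when the last fd referring to it is closed; the even simpler fix is to call capable() inside the ioctl handler itself. A pid is not a principal: it is recycled the moment the process dies.

```c
/* Added example, not BestCrypt's or the post's code: the pid-keyed trust
 * table beside a per-file decision, driven through pid reuse. Kernel types
 * and helpers below are stand-ins so this runs in user space. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_TRUSTED 8
#define CAP_SYS_ADMIN 21          /* the Linux value; only a tag in this model */

/* --- stand-ins for kernel state ------------------------------------------ */
struct task { int pid; bool has_cap_sys_admin; };
struct file { void *private_data; };

static struct task *current;                       /* the calling task */
static bool capable(int cap) { (void)cap; return current->has_cap_sys_admin; }

/* --- the vulnerable pattern: trust keyed on a recyclable pid --------------- */
static int trusted[MAX_TRUSTED];
static int ntrusted;

static void bc_add_pid(int pid) { if (ntrusted < MAX_TRUSTED) trusted[ntrusted++] = pid; }
static int  bc_find_pid(int pid)
{
    for (int i = 0; i < ntrusted; i++) if (trusted[i] == pid) return i;
    return -1;
}

int vuln_open(struct file *f)
{
    (void)f;
    if (capable(CAP_SYS_ADMIN)) bc_add_pid(current->pid);
    return 0;
}
int vuln_ioctl(struct file *f)
{
    (void)f;
    return bc_find_pid(current->pid) >= 0 ? 0 : -1;      /* -1 stands for -EPERM */
}

/* --- the fix: decide at open, keep the answer on the file, check per file --- */
struct bc_priv { bool admin; };

int fixed_open(struct file *f, struct bc_priv *slot)
{
    slot->admin = capable(CAP_SYS_ADMIN);   /* decided once, for this opener */
    f->private_data = slot;                 /* travels with the fd, not the pid */
    return 0;
}
int fixed_ioctl(struct file *f)
{
    struct bc_priv *p = f->private_data;
    return (p && p->admin) ? 0 : -1;        /* -EPERM */
}

/* Scenario: root opens the device and dies; an attacker forks until it owns
 * the same pid, opens the device itself and issues an ioctl.
 * Returns 0 if the driver admits the attacker, 1 if it refuses. */
int scenario_vuln(void)
{
    struct task root = { 1234, true };
    struct file root_file = { NULL };
    current = &root;
    vuln_open(&root_file);
    /* root's process dies here; the table still holds 1234 */

    struct task attacker = { 1234, false };   /* pid reused after enough forks */
    struct file att_file = { NULL };
    current = &attacker;
    vuln_open(&att_file);
    return vuln_ioctl(&att_file) == 0 ? 0 : 1;
}

int scenario_fixed(void)
{
    struct bc_priv root_slot, att_slot;
    struct task root = { 1234, true };
    struct file root_file = { NULL };
    current = &root;
    fixed_open(&root_file, &root_slot);
    /* root dies: root_file is released with it, and root_slot with root_file */

    struct task attacker = { 1234, false };
    struct file att_file = { NULL };
    current = &attacker;
    fixed_open(&att_file, &att_slot);
    return fixed_ioctl(&att_file) == 0 ? 0 : 1;
}

int main(void)
{
    printf("pid table: attacker %s\n", scenario_vuln()  == 0 ? "ADMITTED" : "denied");
    printf("per-file : attacker %s\n", scenario_fixed() == 0 ? "ADMITTED" : "denied");
    return 0;
}
```

Two things the BestCrypt code does on top of the pid table are worth noting against this fix. It raises current's capabilities and sets euid to 0 on the ioctl path, so a stale table entry hands out root, not merely device access. And because the check keys on current->pid, the suid helper can be killed once it has opened the device and the table still says yes; with the decision attached to struct file, killing the helper releases the file and the decision with it, unless the helper deliberately hands the fd on.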

splitvt

February 25th, 2008 by ilja

I was reading http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060411.html and figured I'd take a look at some of its code. it's not all that secure. here are some code snippets:
void splitvtrc()
{
    char line[BUFSIZ], newline[BUFSIZ*2], *parsed[256];

    for ( i=0, head=ptr=newline; ((ptr-newline)<(BUFSIZ*2-2)) && *tail; ) {

        parsed[i++]=head;        /* <-- no bounds check done for parsed */

    }
}

main(argc, argv)
int argc;
char *argv[];
{

    signal(SIGHUP, finish);
    signal(SIGINT, finish);
    signal(SIGQUIT, finish);
    signal(SIGTERM, finish);
    signal(SIGSEGV, finish);
#ifdef SIGBUS
    signal(SIGBUS, finish);
#endif

}
finish() looks like:
static void finish(sig)
int sig;
{
    /* Only call this routine after tty_getmode() has been called */
    /* The tty_reset() call flushes the tty's input buffers. */
    if ( tty_reset(0) < 0 )
        …
    end_vt100();
    if ( pw && … && upper_tty[0] )
        (void) delutmp(pw->pw_name, upper_tty);
    if ( pw && bottomok && lower_tty[0] )
        (void) delutmp(pw->pw_name, lower_tty);
    (void) replace_me();

    if ( sig )
        printf("Exiting due to signal: %d\n", sig);
    exit(sig);
}

lots of signal-unsafe stuff happening there. end_vt100(), for example, does:
void end_vt100()
{
    int i;

    if ( ! setup_vt100 )
        return;

    /* Clear any old setup */
    lastwin=(-1);
    for ( i=0; i<upper.rows; ++i )
        (void) free(upper.videomem[i]);
    (void) free(upper.videomem);
    (void) free(upper.tabstops);
    for ( i=0; i<lower.rows; ++i )
        (void) free(lower.videomem[i]);
    (void) free(lower.videomem);
    (void) free(lower.tabstops);
    setup_vt100=0;

}
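As an added example (not splitvt's code), the two findings above fixed in plain C. split_fields() is a bounded stand-in for the parsed[] fill in splitvtrc(): it stops at the array's capacity and reports that to the caller. on_signal() and install_handlers() show the shape finish() should have: the handler only records the signal in a sig_atomic_t and write()s a fixed message, both async-signal-safe, and the free()s that end_vt100() does run from normal context once the main loop sees the flag. All names and the sample rc line are this example's own.

```c
/* Added example, not splitvt's code: a bounded field splitter and an
 * async-signal-safe handler, the two fixes the snippets above need. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Split line in place on spaces/tabs into at most maxfields pointers.
 * Returns the number of fields stored, or -1 if the line has more than fit
 * (the original keeps writing past parsed[255] and into whatever follows). */
int split_fields(char *line, char *fields[], size_t maxfields)
{
    size_t n = 0;
    char *p = line;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;          /* skip separators */
        if (!*p) break;
        if (n == maxfields) return -1;                /* the missing bounds check */
        fields[n++] = p;
        while (*p && *p != ' ' && *p != '\t') p++;    /* advance to end of field */
        if (*p) *p++ = '\0';
    }
    return (int)n;
}

/* --- async-signal-safe termination ----------------------------------------- */
static volatile sig_atomic_t got_signal;   /* the only state a handler writes */

static void on_signal(int sig)
{
    got_signal = sig;
    /* No printf(), no free(), no tty or utmp work here: if the signal landed
     * inside malloc() or stdio, those calls would re-enter a half-updated
     * allocator or buffer. write() and _exit() are async-signal-safe;
     * everything else waits until the main loop sees got_signal. */
    static const char msg[] = "Exiting due to signal\n";
    ssize_t r = write(STDERR_FILENO, msg, sizeof msg - 1);
    (void)r;
}

/* Installs on_signal() for the termination signals. SIGSEGV/SIGBUS are left
 * to the default action on purpose: cleanup on a corrupted heap only makes
 * the crash worse. */
int install_handlers(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                  /* no SA_RESTART: blocking reads return EINTR */
    const int sigs[] = { SIGHUP, SIGINT, SIGQUIT, SIGTERM };
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) < 0) return -1;
    return 0;
}

/* Delivers sig to ourselves and reports what the flag holds afterwards. The
 * cleanup finish() did inside the handler belongs here, in normal context,
 * once the loop has seen the flag. */
int last_signal_seen(int sig)
{
    got_signal = 0;
    if (install_handlers() < 0) return -1;
    raise(sig);
    return (int)got_signal;
}

int main(void)
{
    char line[] = "set  title\tsplitvt demo";   /* constructed sample rc line */
    char *fields[4];
    int n = split_fields(line, fields, 4);
    for (int i = 0; i < n; i++) printf("field %d: %s\n", i, fields[i]);
    printf("signal seen: %d (SIGTERM=%d)\n", last_signal_seen(SIGTERM), SIGTERM);
    return 0;
}
```

Calling free(), printf() or the utmp code from a handler is a reentrancy bug, not a style point: if the signal arrives while malloc() holds its lock or stdio has a half-written buffer, the handler re-enters it, and with SIGSEGV routed to the same handler the free()s in end_vt100() run on the very heap that may have just been corrupted.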

A whole new world of amazon fun

March 9th, 2007 by ilja

I like browsing through amazon’s website as much as the next guy, but pandzilla showed me a new way of appreciating amazon. Looking for the craziest reviews of items on amazon. Breathtaking !
some things you should see:
http://www.amazon.com/Underhill-Farms-Elk-Carcass/dp/B000IDOB5Y/ref=sr_1_23/104-0721154-5701564?ie=UTF8&s=gourmet-food&qid=1173397485&sr=1-23
http://www.amazon.com/Bobs-Red-Mill-Xanthan-Gum/dp/B0000CCZUO/ref=pd_bbs_2/002-2655636-8027208?ie=UTF8&s=gourmet-food&qid=1173207456&sr=8-2
http://www.amazon.com/gp/product/customer-reviews/B000002UB3/sr=8-3/qid=ARRAY(0x58fc7004)/ref=cm_rev_sort/002-3634337-6436051?customer-reviews.sort_by=%2BOverallRating&s=music&x=12&y=8
http://www.amazon.com/gp/product/customer-reviews/B000001FS3/sr=1-11/qid=ARRAY(0x574a1498)/ref=cm_rev_sort/002-3634337-6436051?customer-reviews.sort_by=%2BOverallRating&s=music&x=8&y=12

isn’t that hilarious ?

fishy FiSH

March 8th, 2007 by ilja

FiSH is a plugin for most popular irc clients that implements encryption. I looked at it a few years ago, and it was horrible. Stack smashes _everywhere_. I briefly looked at it again yesterday, only to discover that all the bugs are still there ! somewhat shocking. I wonder how many people have been owned because of those bugs.
I looked at the xchat plugin code (but I believe most of the code is shared and only the entry point code is (obviously) different) and it basically registers 4 functions that handle incoming data:

xchat_hook_server(ph, "PRIVMSG", XCHAT_PRI_NORM, decrypt_incoming, 0);
xchat_hook_server(ph, "NOTICE",  XCHAT_PRI_NORM, notice_received, 0);
xchat_hook_server(ph, "TOPIC",   XCHAT_PRI_NORM, decrypt_incoming, 0);
xchat_hook_server(ph, "NICK",    XCHAT_PRI_NORM, nick_changed, 0);
xchat_hook_server(ph, "332",     XCHAT_PRI_NORM, decrypt_topic_332, 0);

so let’s look at all of those.

int decrypt_incoming(char *word[], char *word_eol[], void *userdata)
{
    unsigned char *msg_ptr, contactName[100]="", from_nick[50], msg_event[100]="",
                  psyNetwork[12];

    if(word[1][0] == ':') ExtractRnick(from_nick, word[1]);

}

here’s what ExtractRnick() does:

int ExtractRnick(char *Rnick, char *incoming_msg)
{
    int k=0;

    if(*incoming_msg == ':') incoming_msg++;

    while(*incoming_msg!='!' && *incoming_msg!=0) {
        Rnick[k]=*incoming_msg;
        incoming_msg++;
        k++;
    }
    Rnick[k]=0;

    if (*Rnick < '0') return FALSE;
    else return TRUE;
}

you can clearly see the stacksmash here (word[1] comes from the network !). the other 3 functions are just as horrible:

int notice_received(char *word[], char *word_eol[], void *userdata)
{
    unsigned int i;
    unsigned char hisPubKey[300], contactName[25]="", from_nick[25]="";

    if(ExtractRnick(from_nick, word[1])==0) return XCHAT_EAT_NONE;

}

int nick_changed(char *word[], char *word_eol[], void *userdata)
{
    unsigned char contactName[100]="", theKey[500]="", ini_nicktracker[10];

    if( *ini_nicktracker=='0' || *ini_nicktracker=='N' || *ini_nicktracker=='n' ||
        (ExtractRnick(contactName, word[1])==0) ||
        (stricmp(contactName, word[3]+1)==0))
        return XCHAT_EAT_NONE;

}

int decrypt_topic_332(char *word[], char *word_eol[], void *userdata)
{
    unsigned char contactName[100]="";

    strcpy(contactName, word[4]);

}

yes, that last one is an actual strcpy() stacksmash. The 90’s called, they want their bugs back :-p
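As an added example (not FiSH's code), a bounded rewrite of ExtractRnick() that takes the destination size, refuses input that does not fit, and leaves the buffer empty on failure, so the caller can bail out with XCHAT_EAT_NONE the way notice_received() already tries to. extract_rnick_safe() is this example's own name and the inputs are constructed stand-ins for what xchat passes in word[1]. The same rule fixes the strcpy() in decrypt_topic_332(): know the size of contactName and reject, rather than silently truncate, anything longer.

```c
/* Added example, not FiSH's code: ExtractRnick() with a destination size. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies the nick part of an IRC prefix ("[:]nick!user@host") into rnick,
 * which holds rnick_len bytes. Returns the nick length, or -1 if the input
 * has no nick, starts below '0' (the original's own sanity check), or would
 * not fit including the terminator. On -1, rnick is an empty string, never
 * a partial copy. */
int extract_rnick_safe(char *rnick, size_t rnick_len, const char *incoming_msg)
{
    if (rnick_len == 0) return -1;
    rnick[0] = '\0';
    if (*incoming_msg == ':') incoming_msg++;

    /* Measure first, copy second: the original copied and then hoped. */
    const char *bang = strchr(incoming_msg, '!');
    size_t n = bang ? (size_t)(bang - incoming_msg) : strlen(incoming_msg);

    if (n == 0 || n >= rnick_len) return -1;          /* need n bytes plus NUL */
    if ((unsigned char)incoming_msg[0] < '0') return -1;

    memcpy(rnick, incoming_msg, n);
    rnick[n] = '\0';
    return (int)n;
}

int main(void)
{
    char nick[50];                                     /* same size as from_nick */
    /* constructed inputs: a normal prefix, and one with a 200-byte "nick" of
     * the kind any server or peer can send */
    const char *normal = ":ilja!~ilja@example.invalid";
    char hostile[256];
    memset(hostile, 'A', 200);
    hostile[200] = '!';
    hostile[201] = '\0';

    int n = extract_rnick_safe(nick, sizeof nick, normal);
    printf("normal : %d \"%s\"\n", n, nick);
    n = extract_rnick_safe(nick, sizeof nick, hostile);
    printf("hostile: %d \"%s\"\n", n, nick);
    return 0;
}
```

Real nicks are bounded by the network's NICKLEN, a few tens of characters at most, so a 50-byte buffer is not the problem; the problem is that the length never entered the function. With the size passed in, the 200-byte prefix is refused before a byte is written, and from_nick is a well-formed empty string rather than 150 bytes of saved registers.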

awesome quote

March 3rd, 2007 by ilja

“trying to unfuck [some issue] while it’s still unfuckable” — Dan Kaminsky

too funny

February 7th, 2007 by ilja

http://www.usatap.org/FAQ.htm
check nr 6. omfg, these people need to be shot !

I’m sure you’ve already read it by now, but it’s no longer just me blagging here. Which is probably a good thing, I’m rather busy right now and have very little time to blag.

Guestblagging!

February 6th, 2007 by ilja

You knew it was going to happen eventually.

You’ve seen her – that annoying kid – following Ilja around like some lost puppy, babbling inanely about you’re not sure what. If you must blame someone, blame prdelka. She (being me, Bitty) now has full guestblagging rights to this blag ;)

(No, I’m not consistantly making the same tyop. Check the title of this blag. It’s definitely a blag. Blogs are so old meme. Memes are so old meme, too.)

Anyways, we all know I never have anything useful to add to a conversation, so I’ll just get going now before Ilja realizes his terrible mistake and revokes my posting privileges. Mostly, I’m here so his RSS feed of new posts doesn’t look so pathetically lonely…

~Bitty