Archive for June, 2006

regex evasion

Monday, June 19th, 2006

It seems the good people from redteam-pentesting (who also have a blog here: http://blogs.23.nu/RedTeam) recently released a nice advisory where they could evade a regex and get some SQL injection and password retrieval (for another user) working for phpbannerexchange.
This was related to a small weakness in PHP: the ereg*() functions aren't binary safe and stop matching after a 0-byte.

A while ago I spent some time looking into regex evasion myself, although not looking for oddities in the regex implementation, but instead for weaknesses in the regex itself.

For example, if you have /^\d$/, that would only match a single digit (0-9). Or so you would think: the $-sign will also match just before a newline at the end of the input. A potential attack vector here would be where the input data gets written to a line-based file, where all of a sudden you get next-line injection.
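The /^\d$/ oddity above, as an added Python example (not code from the original post): Python's `$` behaves like PCRE's without the D modifier and matches just before a trailing newline, so a validator built on it lets "5\n" through and the extra line ends up in the file. The record store and the `\A...\Z` strict variant are constructed for this illustration.

```python
import re

# Loose validator from the post: /^\d$/. In Python, as in PCRE without the
# D modifier, '$' matches at the end of the string OR just before a final
# newline, so "5\n" passes although it is not a single digit.
LOOSE = re.compile(r"^\d$")

# Strict validator: \A and \Z anchor to the absolute start and end of the
# string, so a trailing newline is rejected (re.fullmatch does the same).
STRICT = re.compile(r"\A\d\Z")


def validate_loose(value: str) -> bool:
    return LOOSE.search(value) is not None


def validate_strict(value: str) -> bool:
    return STRICT.search(value) is not None


def append_record(existing: str, user: str, value: str, validator) -> list:
    """Constructed line-based store: one 'user:value' record per line.

    Returns the file contents split into lines so an injected line is
    visible. Raises ValueError when the validator rejects the value."""
    if not validator(value):
        raise ValueError("rejected by validator")
    return (existing + f"{user}:{value}\n").splitlines()


def demo() -> dict:
    """Run both validators over the same constructed input."""
    payload = "5\n"  # a digit plus a newline: what the loose regex lets in
    loose = append_record("alice:1\n", "bob", payload, validate_loose)
    try:
        append_record("alice:1\n", "bob", payload, validate_strict)
        strict = "accepted"
    except ValueError:
        strict = "rejected"
    return {"loose_lines": loose, "strict": strict}


if __name__ == "__main__":
    print(demo())
```

With the loose regex the store ends up with a third, empty line after bob's record; the strict regex rejects the same input outright.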

After some googling I found out that this kind of regex evasion is sometimes used against IDSs; there is a nice post about this on the snort forum: http://www.snort.org/archive-3-1353.html

The Redteam people think that we haven’t seen the last of these kind of attacks and I believe they are right.

filesystem fuzzing

Saturday, June 10th, 2006

A couple of months ago I set out to fuzz some of the filesystems that Linux supports (and it supports way too many filesystems!).

Basically, what I did was look for filesystems that have userland utils that allowed me to make an empty partition in a file instead of on a device. I think I ended up fuzzing ext2/3, reiserfs, xfs, jfs and fat12.

Then I used mangle.c in a loop with the loopback device and sat back until something happened:

EVERYTHING BLEW UP WITHIN SECONDS !!!

When I say blow up, I mean a full kernel panic or at least very scary oopses.

The only exception is fat12. It didn't break: not at all, nothing, I couldn't even get it to printk() some debug crap. My guess is this is because a) fat12 is a really trivial fs and b) floppies are so unreliable that whatever corruption you can ever have with fat12 has already happened at some point in the past and has been dealt with.

I remember emailing Hans Reiser about some of this stuff, but never got a reply. Several months later there was an interesting thread on lkml:
http://lkml.org/lkml/2006/2/19/138

The list

Thursday, June 8th, 2006

A while ago Felix von Leitner and I came up with a small list of people who should be banned from programming for pouring out too much nasty code with serious security side effects. Here's the list:
- Paul Vixie (cron, holds the official record of "most CERT advisories due to a single author")
- Andrew Tridgell (samba, rsync)
- everyone who ever hacked on wu-ftpd (most insecure ftpd of all time)
- Eric Allman (sendmail)
- Christos Zoulas (responsible for most recent NetBSD (kernel) fuckups)
- Ulrich Drepper (glibc)
- Jörg Schilling (cdrecord)

If you know of more people to be on this list, please make a comment.

As for the fucked-up layout of the previous post, I am aware of it and will fix it at some point (yes, I am a slacker...).