Archive for September, 2006

omfgwtf

Wednesday, September 27th, 2006

I don’t usually blog about these things, but this is just too insane.

http://www.nytimes.com/2006/09/25/nyregion/25courts.html?ex=1159761600&en=c46719645257c30c&ei=5065&partner=MYWAY

I’m shocked, horrified and disgusted by this.

One of many shocking things in there:
“I just follow my own common sense,” Mr. Buckley, in an interview, said of his 13 years on the bench. “And the hell with the law.”

Words fail me to describe how much this disturbs me!

via fefe: http://blog.fefe.de/?ts=bbe49d57

Does Fuzzing really work ?

Tuesday, September 26th, 2006

Yes.

But that’s beside the point. There was a post to the dailydave mailing list titled “Does Fuzzing Really work?” http://lists.immunitysec.com/pipermail/dailydave/2006-September/003551.html in which Aviram Jenik states the following:
“There’s a lot of talk lately on whether fuzzing can actually be used to find
vulnerabilities – and more importantly, reliably rule out the existence of
unknown vulnerabilities. … our experience shows it can.”

They’re wrong. They base this on a bunch of numbers they got from their own fuzzer (I’m guessing Aviram is one of the people who works on the fuzzer). Some of those numbers are:
“The FTP protocol has 310 “scenarios” of
valid FTP sessions. If you try to overflow each time a different part of the
command in every scenario you get a little over 12M attack combinations. If
you use some of our nifty beSTORM 2.0 optimizations you get to 70,679 attack
vectors.

FTP is too simple you say? With more complex protocols like SIP you have
>15,000 scenarios and something like 40,680,459 attack vectors after
optimizations”

See, their numbers are wrong. I don’t know the exact numbers either. No one knows. They’re only testing what they have tests for (duh!). But one of the things I figured out when I started to play with fuzzers is that if you take any given fuzzer and make some changes (add a test for a length of 0 in a certain protocol, for example) (and hence change the numbers), you find new 0day. So their numbers are incomplete.

For example, in their HTTP tests I’m sure they have code that generates URLs. But they probably forgot something. Does it also generate IPv6 URLs? If so, does it also generate IPv6 URLs with “%”? (http://[::1]%eth0/ for example.) Maybe the network device name parser has a trivial stack smash. Does it have a list of all URL schemes that might be useful to fuzz for one particular HTTP(-alike) daemon? What about incorrectly formed encoded URLs? http://isec.pl/vulnerabilities/isec-0020-mozilla.txt for example. I don’t know of any fuzzer out there that efficiently fuzzes these kinds of bugs except for my own. I once wrote a URL fuzzer that does all of these things and many more; it was pretty big, but more to the point, I’m sure I forgot something.

“Sounds scary at first, but a SIP server capable of handling
500 requests per second would take only 22 hours to test, …”

Assuming their numbers are complete (which they’re not!), this means you can test all possible combinations that matter in 22 hours. How nice. In reality, however, you know there are things you missed. So to compensate for this, one of the things I like to do is every once in a while substitute one thing I’m fuzzing with something random, and do this in an endless loop. Some people seem to think this is useless (arrogantly assuming their numbers are complete), but that’s not true. I’ve had success with this in the past, finding bugs after days or even weeks, where the trigger is something I totally didn’t anticipate. A nice example here is a bug in the Linux TCP/IP stack that Dave Jones found with isic earlier this year: http://kernelslacker.livejournal.com/35361.html
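To make the two points above concrete (the structured lists a fuzzer "knows" are never complete, and the "every so often swap one field for something random" loop), here is an added example. It is not code from the post, from my old URL fuzzer, or from beSTORM; the scheme/host/path lists, the function names and the mutation interval are all my own choices, and the host list deliberately includes the IPv6-with-zone-id and malformed percent-encoding cases mentioned above.

```c
/* Added example, not code from the post or from any product: a tiny structured
 * URL generator of the kind the post argues is always incomplete, with the
 * "every once in a while swap one field for something random" step bolted on.
 * All lists, names and the mutation interval are assumptions of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *schemes[] = { "http", "https", "ftp", "file", "gopher" };
static const char *hosts[]   = { "localhost", "127.0.0.1", "[::1]", "[::1]%eth0",
                                 "[fe80::1%25eth0]" };
static const char *paths[]   = { "/", "/%", "/%2", "/%zz", "/%u0041", "/%C0%AF", "/%00" };

#define N_SCHEMES (sizeof schemes / sizeof schemes[0])
#define N_HOSTS   (sizeof hosts   / sizeof hosts[0])
#define N_PATHS   (sizeof paths   / sizeof paths[0])
#define MUTATE_EVERY 7   /* every 7th case gets one field randomized */

/* Tiny deterministic PRNG so a crash can be reproduced from the seed. */
static unsigned int lcg_next(unsigned int *state) {
    *state = *state * 1103515245u + 12345u;
    return (*state >> 16) & 0x7fffu;
}

/* Number of purely structured cases: the kind of figure the post distrusts. */
unsigned long total_combinations(void) {
    return (unsigned long)(N_SCHEMES * N_HOSTS * N_PATHS);
}

/* Structured case (s,h,p). Returns the length written, or -1 on bad index/truncation. */
int build_url(size_t s, size_t h, size_t p, char *out, size_t outlen) {
    int n;
    if (s >= N_SCHEMES || h >= N_HOSTS || p >= N_PATHS) return -1;
    n = snprintf(out, outlen, "%s://%s%s", schemes[s], hosts[h], paths[p]);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Random non-NUL bytes of random length 0..outlen-1. Length 0 is deliberate:
 * the empty field is exactly the kind of case a hand-written list forgets. */
size_t random_field(unsigned int *state, char *out, size_t outlen) {
    size_t len = lcg_next(state) % outlen, i;
    for (i = 0; i < len; i++)
        out[i] = (char)(1 + lcg_next(state) % 255);
    out[len] = '\0';
    return len;
}

/* Case number iter: walks the structured space in order, but on every
 * MUTATE_EVERY-th call one of scheme/host/path is replaced by random junk.
 * Returns 1 if a field was randomized, 0 for a plain structured case, -1 on error. */
int fuzz_case(unsigned long iter, unsigned int *state, char *out, size_t outlen) {
    size_t p = iter % N_PATHS;
    size_t h = (iter / N_PATHS) % N_HOSTS;
    size_t s = (iter / (N_PATHS * N_HOSTS)) % N_SCHEMES;
    const char *f[3] = { schemes[s], hosts[h], paths[p] };
    char junk[64];
    int mutated = 0, n;

    if (iter % MUTATE_EVERY == MUTATE_EVERY - 1) {
        random_field(state, junk, sizeof junk);
        f[lcg_next(state) % 3] = junk;
        mutated = 1;
    }
    n = snprintf(out, outlen, "%s://%s%s", f[0], f[1], f[2]);
    return (n < 0 || (size_t)n >= outlen) ? -1 : mutated;
}

int main(int argc, char **argv) {
    unsigned int seed = argc > 1 ? (unsigned int)strtoul(argv[1], NULL, 0) : 1u;
    char url[256];
    unsigned long i;
    /* The post does this in an endless loop; 20 cases are enough to see the idea. */
    for (i = 0; i < 20; i++) {
        int m = fuzz_case(i, &seed, url, sizeof url);
        printf("%s %s\n", m ? "[random]" : "[struct]", url);
    }
    printf("%lu structured cases in total\n", total_combinations());
    return 0;
}
```

The structured count is small and finite, which is what a "22 hours to test everything" figure is built on; the randomized cases are the part that has no count at all, and that is precisely the part that finds the triggers nobody put on a list.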

Quoting even more:
“My point is to those people who mock fuzzers – you either tried the wrong
kind, or you tried them a long time ago. I’m not saying that buffer overflows
are suddenly obsolete (don’t delete that ZERT bookmark just yet!). But
nowadays there is no reason for an FTP server to come out with buffer
overflows; there’s just no excuse.”

If their numbers aren’t complete there might be fuzzable things they’re not fuzzing, and hence there is an excuse. But let’s assume they’re testing all that they can test. Even then there are still issues that might not have been caught by their fuzzer. For example, earlier this year ISS X-Force released an advisory for a remote signal race in sendmail (discovered by Mark Dowd). This one would be a bitch to fuzz, and I can’t think of a way to do it in an efficient manner.

Then again, maybe this was all just to advertise their new fuzzer.

irc quotes !!1!

Sunday, September 24th, 2006

debian is constantly being owned
ilja: it’s god’s punishment for the fact that they use exim as the default mta :p

NetBSD’s ping doesn’t do a privdrop !

Saturday, September 23rd, 2006

Yes, this will be a blog post where I bitch some more about NetBSD.

A couple of hours ago I was reading through the OpenBSD 3.9 -> 4.0 changes. One of them stated “Fix signal races in ping(8)”. So I looked at OpenBSD’s ping.c and there was indeed a fix for a signal race. I figured, let’s check NetBSD; since they still share a lot of code, there might be similar races in NetBSD’s ping code.

And thus I went to NetBSD’s cvsweb and looked at ping.c, and while reading it I thought to myself, “Well, this is odd, there is no socket() and privdrop before argument parsing” (and some people might already see where I’m going with this). socket() was indeed after argument parsing, but I couldn’t see the privdrop code. So I searched for setuid, seteuid, setreuid, setresuid. NOTHING! Absolutely NOTHING. Do my eyes deceive me? I must have missed something, it cannot be this bad!

I must have spent an hour digging through their code, looking for the missing privdrop, thinking to myself “maybe it’s abstracted away in some ugly and nasty way, or maybe it’s in some library code”. But I found nothing that indicated any of that. Then it sort of hit me: THERE IS NO PRIVDROP IN NetBSD’S PING IMPLEMENTATION.

Still in disbelief, I decided I needed to test this, so I recompiled NetBSD’s ping from source and added the following right before it exits:
printf("euid: %u\n", geteuid());

The output I got:
ping -c 1 127.0.0.1
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.065 ms

----localhost PING statistics----
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.065/0.065/0.065/0.000 ms
euid: 0

I am shocked and horrified. You’d expect this kind of glitch from Apple (who added a privdrop to ping and traceroute about a year ago!), but from NetBSD? It’s 2006 for fuck’s sake!! I compared with OpenBSD and FreeBSD; both added a privdrop OVER A DECADE AGO!

I decided to look at NetBSD’s traceroute as well; after all, who knows, they might be consistent in not having privdrop code. They did mildly better in traceroute. There was a privdrop, AFTER argument parsing.

Of course, you could argue that you don’t need a privdrop as long as you don’t have any [security] bugs. But, uh, you know, I mentioned these signal race conditions earlier …

As a final note, I went through all of the ping.c commit messages for NetBSD, and some of them stated something about an overrun and some fd_set overflows, but I couldn’t find anything about this in their advisories.
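For reference, this is the ordering the post is complaining about not finding, as an added example. It is not NetBSD’s, OpenBSD’s or FreeBSD’s ping code; the function names are mine, and the signal handler at the end only illustrates the usual "set a flag, do the work in the main loop" pattern, not the exact OpenBSD fix. Without root the socket() call fails, which the example reports; the privdrop and the check still run.

```c
/* Added example, not any BSD's ping: the ordering a setuid-root ping should
 * have. The raw socket is the only thing that needs root, so open it first,
 * drop privileges immediately, and only then touch attacker-controlled input
 * such as argv. Function names are assumptions of this example. */
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if effective ids equal real ids (nothing left to abuse), else 0. */
int privs_dropped(void) {
    return geteuid() == getuid() && getegid() == getgid();
}

/* Permanently drop to the invoking user's ids. 0 on success, -1 on failure.
 * gid first: once the uid is non-zero, setgid() would be refused.
 * setuid() called with euid 0 sets real, effective and saved uid, so the
 * drop is irreversible. Verify the result instead of trusting return values. */
int drop_privileges(void) {
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    if (!privs_dropped()) return -1;
    /* If we were setuid-root, regaining root must now fail. */
    if (getuid() != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* The one privileged operation ping needs. */
int open_icmp_socket(void) {
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Signal handling in the same spirit: the handler only sets a flag. Printing
 * statistics or exiting happens in the main loop, not in the handler, where
 * it would race with whatever the signal interrupted. */
static volatile sig_atomic_t got_int;
static void on_int(int sig) { (void)sig; got_int = 1; }

int main(int argc, char **argv) {
    int s = open_icmp_socket();                /* root is needed only here */
    int sock_err = (s < 0) ? errno : 0;
    const char *target;

    if (drop_privileges() != 0) {              /* before any argv parsing */
        fprintf(stderr, "privdrop failed\n");
        return 1;
    }
    signal(SIGINT, on_int);
    target = argc > 1 ? argv[1] : "127.0.0.1"; /* parsed with euid == uid */

    if (s < 0) {
        fprintf(stderr, "socket: %s (run as root for a raw socket)\n",
                strerror(sock_err));
    } else {
        printf("raw ICMP socket %d open, would ping %s\n", s, target);
        close(s);
    }
    printf("euid: %u, got_int: %d\n", (unsigned)geteuid(), (int)got_int);
    return privs_dropped() ? 0 : 1;
}
```

Compare with the test in the post: the same printf at exit should say "euid: 1000" (or whatever your uid is), never "euid: 0", and nothing that looks at argv should run while it still could.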

h4h4

Thursday, September 21st, 2006

http://lists.grok.org.uk/pipermail/full-disclosure/2004-June/022850.html
http://cds.xs4all.nl:8081/tmp/excploit.c

Tuesday, September 19th, 2006

apple users use sheer willpower to secure their OS

ttyname

Saturday, September 16th, 2006

ttyname() is a libc function that returns the path of the tty the file descriptor passed to it refers to.

On Linux (well, glibc on Linux) what ttyname() does is return the target of the link in /proc/self/fd.

Which leads to interesting problems: you can have /proc/self/fd point to pretty much anything you want. It can contain “..”, it can itself be a symlink, …

So be really careful when using it (in a suid binary for example), or avoid it altogether and use something else.
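If you cannot avoid it, the least you can do is treat the string as untrusted. Here is an added example of that (not glibc’s code and not from the post): the path has to be lexically sane (absolute, under /dev/, no “..” component) and, more importantly, lstat() of the path has to agree with fstat() of the descriptor, so that neither a “..” trick nor a symlink planted in /dev gets a privileged program to act on the wrong file. The check names are my own.

```c
/* Added example, not glibc's or any library's code: a wrapper that treats
 * the path ttyname() hands back as untrusted input and cross-checks it before
 * a privileged program does anything with it. The checks are assumptions of
 * this example, not a description of what glibc itself does. */
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Lexical check: absolute, under /dev/, and no ".." path component.
 * Returns 1 if the string passes, 0 otherwise. */
int tty_path_is_sane(const char *p) {
    const char *q;
    if (p == NULL || strncmp(p, "/dev/", 5) != 0) return 0;
    /* Any ".." found starts at index 5 or later, so q[-1] is in bounds. */
    for (q = p; (q = strstr(q, "..")) != NULL; q += 2) {
        if (q[-1] == '/' && (q[2] == '\0' || q[2] == '/'))
            return 0;   /* a real ".." component, not e.g. "..foo" */
    }
    return 1;
}

/* Semantic check: the path must resolve to the very character device the fd
 * refers to. lstat() so that a symlink sitting in /dev does not pass.
 * Returns 1 if fd and path agree, 0 otherwise. */
int tty_path_matches_fd(int fd, const char *path) {
    struct stat fs, ps;
    if (fstat(fd, &fs) != 0 || !S_ISCHR(fs.st_mode)) return 0;
    if (lstat(path, &ps) != 0 || !S_ISCHR(ps.st_mode)) return 0;
    return fs.st_dev == ps.st_dev && fs.st_ino == ps.st_ino
        && fs.st_rdev == ps.st_rdev;
}

/* ttyname_r() plus both checks. 0 and a copy in out on success, -1 if the
 * fd is not a tty or the returned path fails either check. */
int safe_ttyname(int fd, char *out, size_t outlen) {
    char buf[PATH_MAX];
    if (ttyname_r(fd, buf, sizeof buf) != 0) return -1;
    if (!tty_path_is_sane(buf) || !tty_path_matches_fd(fd, buf)) return -1;
    if (strlen(buf) >= outlen) return -1;
    memcpy(out, buf, strlen(buf) + 1);
    return 0;
}

int main(void) {
    char name[PATH_MAX];
    if (safe_ttyname(STDIN_FILENO, name, sizeof name) == 0)
        printf("stdin is %s\n", name);
    else
        printf("stdin is not a tty I am willing to trust\n");
    return 0;
}
```

The inode comparison is the check that actually matters; the lexical one just fails fast on the obviously odd strings. Note that it is still a check on a name, so anything you do with the path afterwards (chown, open, utmp) is open to the usual races unless you keep working on the descriptor instead.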

Friday, September 15th, 2006

reiserfs, making files and wives disappear in an instant

I’m shocked

Wednesday, September 13th, 2006

http://www.youtube.com/watch?v=uY74vKDWWNo

It’s in Dutch!
Basically, this is a small piece of some TV show called “vips” where they interview this woman, who is one of the 22 finalists of the “Miss Belgian Earth” contest.
They ask her what the qualities of such a Miss are.
Her response: “sweet, spontaneous and smart”.
So the interviewer asks her: “what’s the square root of 25?” and she responds: “Don’t do this, really, don’t! This isn’t fair, they’re always out to get me”, clearly showing she doesn’t know the answer. The interviewer asks her if she’s better at languages, to which she responds: “no, not good at that either”.

I don’t know if I’m more shocked at the lack of basic mathematical skills this person possesses, or at the fact that that particular TV station actually decided to put this on the air.

website up again

Tuesday, September 12th, 2006

My webpage ( http://ilja.netric.org/ ) is up again. It seems that I was off by about 7 months with my prediction of when it’d be up again.