Comments for Iljas Blag

Comment on surely you jest by ilja

ilja — Mon, 03 Aug 2009 11:11:30 +0000

the rumours are false. I am not, nor have I ever been, an employee at Microsoft.

Comment on surely you jest by heh

heh — Mon, 03 Aug 2009 07:45:31 +0000

Are you working for microsoft now? Are the rumours true?

Thanks

Comment on all shells suck ! by walkingbit

walkingbit — Thu, 12 Mar 2009 14:50:04 +0000

No fail with Bash anymore!

GNU bash, version 3.2.25(1)-release (powerpc-apple-darwin8.11.0)

Comment on Various things by CVE-2009-0478: Squid HTTP Version Remote DoS « xorl %eax, %eax

CVE-2009-0478: Squid HTTP Version Remote DoS « xorl %eax, %eax — Wed, 11 Feb 2009 19:37:39 +0000

[...] I’m a big supporter of ilja’s opinion on assert(3) calls for production code which you can read at his blag. In addition to this, Squid is just full of assertions… Imagine, a crappy parsing like this [...]

Comment on readlink abuse by CVE-2009-0269: Linux eCryptFS off-by-one Underflow « xorl %eax, %eax

CVE-2009-0269: Linux eCryptFS off-by-one Underflow « xorl %eax, %eax — Thu, 29 Jan 2009 14:18:33 +0000

[...] is a classic off-by-one which is documented at least since 2006 when Ilja van Sprundel wrote on his blog about it. Our case is only vulnerable to an off-by-one underflow according to ilja’s post. [...]

Comment on No, I’m not dead yet by ah

ah — Tue, 21 Oct 2008 23:47:12 +0000

It’s a shame. I am looking for the talk for several weeks now. But noone has it. I watched it on the congress itself and I kind of liked it. Would love to see it again. Maybe I find a mirror somewhere …

Comment on 79.666% of all statistics are made up on the spot by replaced

replaced — Thu, 16 Oct 2008 14:55:24 +0000

how i hate openbsd fanboys ;P

Comment on Dave on finding vulnerabilities by ntronic

ntronic — Thu, 16 Oct 2008 05:44:01 +0000

Ilya

Ilya
How are you my man? Long time no see :-)

ntronic

This comment was originally posted on 20061113T13:36:32

Comment on proftpd by ilja

ilja — Thu, 16 Oct 2008 05:43:59 +0000

hahaha

hahaha
that is hilarious !

This comment was originally posted on 20061127T04:02:06

Comment on proftpd by evgeny legerov

evgeny legerov — Thu, 16 Oct 2008 05:43:58 +0000

their exact response was:

their exact response was:
“”"
I don’t believe this assertion about our sstrncpy() is correct. Here is our
sstrncpy() implementation:

char *sstrncpy(char *dest, const char *src, size_t n) {
register char *d = dest;

if (!dest)
return NULL;

if (n == 0)
return NULL;

if (src && *src) {
for (; *src && n > 1; n–)
*d++ = *src++;
}

*d = ”;

return dest;
}

As you can see, the ‘*src && n > 1′ check will only copy data if n (the
passed count) is positive.”"”

This comment was originally posted on 20061126T08:56:04

Comment on proftpd by ilja

ilja — Thu, 16 Oct 2008 05:43:57 +0000

Really ? that’s strange, IIRC the size argument in sstrncpy() is of type size_t. then again, it’s proftpd, so I can see how they wouldn’t get it :)

This comment was originally posted on 20061126T06:16:31

Comment on proftpd by evgeny legerov

evgeny legerov — Thu, 16 Oct 2008 05:43:56 +0000

yeah, it is not my bug

yeah, it is not my bug
I already wrote about it on dailydave@ list:
http://seclists.org/dailydave/2006/q4/0223.html
I reported my bug to proftpd team, so I hope that I will be able to release vd_proftpd at the beginning of the next week.
ProFTPD guys are suprised me a lot , they think that their sstrncpy(dst,src,n) will not work when the third argument ‘n’ set to a negative value ;-)

This comment was originally posted on 20061125T19:11:17

Comment on close and fclose by mdornseif

mdornseif — Thu, 16 Oct 2008 05:43:55 +0000

One nice habit is tat on a fork in the child you close all filediscriptors unless you really want them – see DJC code for a nice example.

Regarding high level languages. You are right, but then there is a single point in my code where I have to concentrate on fixing the issue, not one bazillion.

Skimming this leaves me with mixed feelings. Somebody thought about checking thr return code in file_dealloc but leaves no way of acting on that issue (unless you count reading stderr). Hmgmpf. If you nicely close the file (file_close) then you get a return value – which you must check by hand.

IMHO the code should be changed to raise an exception if close fails. Normally that would terminate the programm unless the programmer decides to catch the exception in which case he hopfully knows what he is doing.

This comment was originally posted on 20061126T08:08:34

Comment on close and fclose by ilja

ilja — Thu, 16 Oct 2008 05:43:54 +0000

hm, well in unix files always stay open unless you explicitly close them or call exit, they survive fork and execve (unless you set close on exec, but its not set by default). This turns out to be a pain in the ass for a lot of perl programmers, who never close files. (mostly, coz they run out of file descriptors)

Oh, and I bet those highlevel garbage collectors end up calling close() without checking the return value :)

This comment was originally posted on 20061126T05:36:32

Comment on close and fclose by mdornseif

mdornseif — Thu, 16 Oct 2008 05:43:53 +0000

Don’t you have a garbage collector to close your files when they fall out of scope?

Or are you still stuck with programming concepts from the 60’s ;-)

This comment was originally posted on 20061125T21:39:24

Comment on fun with gdb by fefe

fefe — Thu, 16 Oct 2008 05:43:51 +0000

Uh, so you debug on untrusted machines?

Uh, so you debug on untrusted machines?
I don’t. And I rely on that feature all the time.
I have separate .gdbinit files for all my projects, and I use them to specify the command line for the processes I’m about to debug. Since these differ per process, it would suck if I couldn’t do that because some Debilian idiot removed that feature.

This comment was originally posted on 20061129T11:45:38

Comment on fun with gdb by ilja

ilja — Thu, 16 Oct 2008 05:43:51 +0000

ah, that’s good to know, I guess the documentation is outdated then.

This comment was originally posted on 20061127T20:22:08

Comment on fun with gdb by bugmenot

bugmenot — Thu, 16 Oct 2008 05:43:50 +0000

patched for a while

patched for a while
this is patched with gdb6.4 and gdb6.3 with debian security patches
.gdbinit which owner aren’t the current user are ignored and a warning message is displayed

> warning: not using untrusted file “.gdbinit”

tested with GNU gdb 6.3-debian and GNU gdb 6.4-debian
this flaw has been reported in may 2005
http://seclists.org/bugtraq/2005/May/0314.html

This comment was originally posted on 20061127T15:00:23

Comment on fun with gdb by guest

guest — Thu, 16 Oct 2008 05:43:49 +0000

doesn’t work

doesn’t work
warning: not using untrusted file “.gdbinit”

This comment was originally posted on 20061127T14:54:55

Comment on oh, it’s just a kernel panic by bsdaemon

bsdaemon — Thu, 16 Oct 2008 05:43:47 +0000

I agree…

I agree…
The problem is more serious if the team does understand a bug and say it´s just a DoS, like i think you will remember ilja:

http://blogs.securiteam.com/index.php/archives/date
/2006/09/

This comment was originally posted on 20061222T17:29:31

Comment on Fuck you lenovo by ilja

ilja — Thu, 16 Oct 2008 05:43:46 +0000

I dunnow

I dunnow
Good question. I honestly don’t know, I’ve been through quite a few laptops before I got my x31 (which died in the liquid experiment). And the x31 was really the only one I liked. Hence why I bough the x60, which lenovo totally fucked up !

So anyone have any suggestions ?
What I’m looking for is something that’s small (12 inch), light, and strong as hell (as in, it can stand being dropped a few times). I dont care that much for battery life, but > 1 hour would be nice. Oh and it has to be virtually silent. I’ve had it with noisy laptops !

This comment was originally posted on 20061204T06:59:59

Comment on Fuck you lenovo by str0ke

str0ke — Thu, 16 Oct 2008 05:43:45 +0000

laptop

laptop
If you could go back in time ilja, which laptop would you of gotten :)

/str0ke

This comment was originally posted on 20061204T05:13:04

Comment on Fuck you lenovo by kaka

kaka — Thu, 16 Oct 2008 05:43:44 +0000

haha

haha
welcome to fuck lenovo :D

go to http://www.ibm.com and get your support :D

This comment was originally posted on 20061204T01:22:07

Comment on OpenBSD allows suid shellscripts ? by miod

miod — Thu, 16 Oct 2008 05:43:43 +0000

Indeed

Indeed
You need a shebang on the first line for the script to be recognized as such, which is why ilja’s example works and grg’s example doesn’t.

This comment was originally posted on 20070108T16:38:28

Comment on OpenBSD allows suid shellscripts ? by ilja

ilja — Thu, 16 Oct 2008 05:43:42 +0000

errr… yes

(yes, it’s a vmware screen capture, …)

This comment was originally posted on 20070104T19:49:25

Comment on OpenBSD allows suid shellscripts ? by grg

grg — Thu, 16 Oct 2008 05:43:41 +0000

errr… no

errr… no
What exactly makes you think that suid shell scripts work?

$ uname -r
4.0
$ mount
/dev/wd0a on / type ffs (NFS exported, local)
/dev/wd0f on /tmp type ffs (local, nodev, noexec, nosuid)
/dev/wd0g on /usr type ffs (local, nodev)
/dev/wd0e on /var type ffs (local, nodev, nosuid)
$ ls -l /usr/tmp/suidid
-r-sr-xr-x 1 root wheel 3 Jan 5 02:57 /usr/tmp/suidid*
$ cat /usr/tmp/suidid
id
$ id
uid=1001(grg) gid=100(grg) groups=100(grg), 0(wheel), 9(wsrc), 10(users)
$ /usr/tmp/suidid
uid=1001(grg) gid=100(grg) groups=100(grg), 0(wheel), 9(wsrc), 10(users)

This comment was originally posted on 20070104T16:32:08

Comment on OpenBSD allows suid shellscripts ? by kasperle

kasperle — Thu, 16 Oct 2008 05:43:40 +0000

That does not change anything about the way OpenBSD treats suid shellscripts on / or /usr though.

This comment was originally posted on 20061204T23:19:35

Comment on OpenBSD allows suid shellscripts ? by rgouveia

rgouveia — Thu, 16 Oct 2008 05:43:39 +0000

I think you didn’t create any partitions besides the root ‘a’ in the install or else the install script would have added in the “nosuid” option to fstab:
/dev/wd1a / ffs rw 1 1
/dev/wd1e /tmp ffs rw,nodev,nosuid,softdep 1 2
/dev/wd1f /usr ffs rw,nodev,softdep 1 2
/dev/wd1d /var ffs rw,nodev,nosuid,softdep 1 2
/dev/wd1g /home ffs rw,nodev,nosuid,softdep 1 2

This comment was originally posted on 20061204T21:37:45

Comment on OpenBSD allows suid shellscripts ? by ilja

ilja — Thu, 16 Oct 2008 05:43:39 +0000

but you would expect something like that from sun.
I didn’t think the OpenBSD guys would allow this.

This comment was originally posted on 20061204T12:10:31

Comment on OpenBSD allows suid shellscripts ? by alert7

alert7 — Thu, 16 Oct 2008 05:43:38 +0000

solaris8,9 also allow suid shellscripts

solaris8,9 also allow suid shellscripts
as i remember , solaris8,9 also allow suid shellscripts.
i didn’t test solaris 10.

This comment was originally posted on 20061204T12:04:53

Comment on hardcoded off-by-one’s by ilja

ilja — Thu, 16 Oct 2008 05:43:36 +0000

yea, I saw that.
the code in makesalt() is still wrong tho :)

This comment was originally posted on 20061216T17:54:51

Comment on hardcoded off-by-one’s by cklein

cklein — Thu, 16 Oct 2008 05:43:35 +0000

I think it’s just bad style of coding:
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc __unused, const char *argv[] __unused) { char salt[SALTSIZE + 1]; [...] makesalt(salt);

This comment was originally posted on 20061216T09:56:59

Comment on No, I’m not dead yet by hynek

hynek — Thu, 16 Oct 2008 05:43:33 +0000

Found it finally: http://23c3.ccc-trier.de/videos/official/23C3-1428-en-you_cant_make_this_stuff_up.m4v

This comment was originally posted on 20070112T13:48:57

Comment on No, I’m not dead yet by thoth

thoth — Thu, 16 Oct 2008 05:43:32 +0000

http://mirror1.kaschwig.net/23C3/wmv/
http://debian.tu-bs.de/mirror/ccc/23C3-mitschnitte/
are up as of this post

I can’t read German but somewhere there might be ’standup’ :)

This comment was originally posted on 20070111T22:18:38

Comment on No, I’m not dead yet by hynek

hynek — Thu, 16 Oct 2008 05:43:32 +0000

010

010
So it does run in wine, right? ;)

Your unusual bugs talk was great btw, do you know by any chance if there’s somewhere a stream of the standup comedy? Last time I looked at the official place, it wasn’t there and now the site is down. :/

This comment was originally posted on 20070111T12:57:21

Comment on No, I’m not dead yet by fbz

fbz — Thu, 16 Oct 2008 05:43:31 +0000

openbsd-ers fix stuff quickly

openbsd-ers fix stuff quickly
right after your talk i was walking by the bsd t-shirt area and they all asked if i had filmed/photographed the part of your talk with the openbsd stuff, i had video so they had me fast-forward to that part and zoom in on your slides. talk about quick fixes!

This comment was originally posted on 20070110T10:22:42

Comment on No, I’m not dead yet by ilja

ilja — Thu, 16 Oct 2008 05:43:30 +0000

yes, I will, at some point. I might try and integrate it in my csw talk (assuming it gets accepted) and hence won’t publish that right now. Ofcourse I’ll credit people for telling me !

This comment was originally posted on 20070109T23:14:06

Comment on No, I’m not dead yet by d3fn011

d3fn011 — Thu, 16 Oct 2008 05:43:29 +0000

Publish Related Comments

Publish Related Comments
In the paragraph about the Unusual Bugs talk you mention, “I got some awesome feedback on it, and people have told me about some related things I didn’t know yet.” Are you going to publish those “related things?”

This comment was originally posted on 20070109T22:50:29

Comment on Guestblagging! by guest

guest — Thu, 16 Oct 2008 05:43:28 +0000

bitty?!

bitty?!
Have you ever looked up what bitty means?
http://www.urbandictionary.com/define.php?term=bitty

This comment was originally posted on 20070218T11:23:33

Comment on Guestblagging! by prdelka

prdelka — Thu, 16 Oct 2008 05:43:27 +0000

not guilty.

not guilty.
i maintain my innocence despite the overwhelming evidence. i am not guilty.

~ prdelka

This comment was originally posted on 20070214T10:29:19

Comment on too funny by cochy

cochy — Thu, 16 Oct 2008 05:43:26 +0000

informed

informed
I have informed this web site of their problem. As of now they seemed to have removed that problematic FAQ. Hopefully they will implement better security measures, if they would like to accept CCs.

This comment was originally posted on 20070217T21:28:32

Comment on too funny by vlooy

vlooy — Thu, 16 Oct 2008 05:43:25 +0000

tap

tap
They better wrote this:

Q: I think your security sucks, …
A: http://www.usatap.org/images/PIX/1328.jpg

This comment was originally posted on 20070214T17:48:07

Comment on too funny by teemu

teemu — Thu, 16 Oct 2008 05:43:24 +0000

geezus ..

This comment was originally posted on 20070209T11:24:16

Comment on fishy FiSH by tomten

tomten — Thu, 16 Oct 2008 05:43:23 +0000

Problems with libfish and sparc

Problems with libfish and sparc
Hi, I’m having trubbel with libfish. Don’t like it muth, it has problems with operating on difrent archs. I run sparc64, and when i try to decode a msg from a intel machine all i get is junk! Think its a problem with the bytorder….

Great work on the blogg, hope to read more soon.

This comment was originally posted on 20080723T09:43:29

Comment on fishy FiSH by ilja

ilja — Thu, 16 Oct 2008 05:43:22 +0000

I didnt have to see that, I just barfed up my dinner.

This comment was originally posted on 20070328T03:37:39

Comment on fishy FiSH by oxff

oxff — Thu, 16 Oct 2008 05:43:21 +0000

He prevents Buffer Overflows!

He prevents Buffer Overflows!
FiSH-irssi-v0.99-source.zip:FiSH.c:79

// usually a received message does not exceed 512 chars, but we want to prevent evil buffer overflow
if(msg_len >= (int)(sizeof(bf_dest)*1.5)) msg_ptr[(int)(sizeof(bf_dest)*1.5)-20]=”;

Isn’t that cute?

This comment was originally posted on 20070328T00:59:18

Comment on fishy FiSH by calcite

calcite — Thu, 16 Oct 2008 05:43:20 +0000

Wow

Wow
I’m suprised to see strcpy() fuckup like that in such a widely used application.

This comment was originally posted on 20070325T03:34:24

Comment on fishy FiSH by ilja

ilja — Thu, 16 Oct 2008 05:43:19 +0000

the fact that it has to be serverside in most cases is pretty obvious, and imo needn’t even be mentioned. also it looks like you might be able to trigger the notice stacksmash clientside.
I didn’t know the xchat code was that different from the mirc code, I never looked, I just assumed, hence the “I believe …” I wasn’t stating facts.

This comment was originally posted on 20070320T04:16:12

Comment on fishy FiSH by slashy

slashy — Thu, 16 Oct 2008 05:43:18 +0000

well done research.. a bit further and you would have noticed that you can’t attack this without full control of the ircserver (or you have to find irc-servers which have a nicklen setting > 100). Also it should be mentioned that this flaws only applies to xchat version .. the flawed part of the code ain’t reused in mIRC version past 1.25

read here for more: http://fish.sekure.us/forum/viewtopic.php?p=1166#1166

This comment was originally posted on 20070317T11:08:30

Comment on fishy FiSH by prdelka

prdelka — Thu, 16 Oct 2008 05:43:17 +0000

Month of retro bugs! :-D

This comment was originally posted on 20070315T14:00:47

Comment on fishy FiSH by sacrine

sacrine — Thu, 16 Oct 2008 05:43:17 +0000

RE:

RE:
Echte mannen gebruiken FiSH ?

I don’t think so :)

This comment was originally posted on 20070308T09:16:31

Comment on A whole new world of amazon fun by fefe

fefe — Thu, 16 Oct 2008 05:43:15 +0000

milk

milk
usually sort lowest rating first for very popular items, or go to generic bland items like milk and bananas:

http://www.amazon.com/dp/B00032G1S0
http://www.amazon.com/dp/B000328OH6

This comment was originally posted on 20070313T22:21:58

Comment on auth by pid doesn’t work ! by ilja

ilja — Thu, 16 Oct 2008 05:43:14 +0000

How can you be sure that the requetor process can be trusted ?

How can you be sure that the requetor process can be trusted ?
you simply can’t. auth by pid is always broken !
while it may be trusted while it’s doing it’s ioctl call (if you do a privcheck first), the moment you switch back to userland it’s no longer trusted (if all you’re using for auth is a pid ofcourse).

This comment was originally posted on 20080305T12:08:28

Comment on auth by pid doesn’t work ! by mxatone

mxatone — Thu, 16 Oct 2008 05:43:13 +0000

On windows, you can make it better easily but …

On windows, you can make it better easily but …
Using PsSetLoadImageNotifyRoutine() you can see when registered pid stop.

But as process injection is a trivial task (CreateProcess gives you directly an handle on new process with many different ways to get control over a created process).

The issue is more:

How can you be sure that the requetor process can be trusted ?

Most of the time, they authorized only a limited number of process but if you crash a trusted one, you can get control directly.

This comment was originally posted on 20080305T11:52:04

Comment on what year are we ? by tping

tping — Thu, 16 Oct 2008 05:43:12 +0000

lol

lol
sprintf ftw! :P

And here are some more at:
- getprotobyname()
http://plan9.bell-labs.com/sources/plan9/sys/src/ape/lib/bsd/getprotobyname.c

- getservbyname()
http://plan9.bell-labs.com/sources/plan9/sys/src/ape/lib/bsd/getservbyname.c

Probably there should be more of them

This comment was originally posted on 20080830T13:40:39