Posts Tagged ‘ilja’

undefined behavior

Saturday, December 16th, 2006

Every once in a while I go looking for “undefined behavior” in some manpages (or the lack thereof).
I found a good one this time. This is straight from the HP-UX pthread_mutex_lock manpage:
WARNINGS
A recursive mutex can be locked more than once by the same thread
without causing that thread to deadlock. Undefined behavior may result
if the owner of a recursive mutex tries to lock the mutex too many
times.

without giving ANY predefined value for how much is too much. That is just craptastic!

hardcoded off-by-one’s

Saturday, December 16th, 2006

About 2 months ago I found a security bug in FreeBSD. I mailed them about it (both colin and security-officer@), no reply, so I mailed again about a month ago, no reply, so I mailed again 2 days ago and finally got a reply (after writing “I mailed this to you guys twice already in the course of about 2 months, no response so far, trying one last time:” in my email) from one of their security people that they are looking into it. Today I got a reply saying that “there is very little risk”.
Because of the nature of this bug (I’m not going to give too much detail yet :) I mailed back to say I disagree, and am currently looking into some possible attack vectors (it’s not a trivial stack smash or anything like that) (woohoo, free QA, think I could bill them? :). So at some point I start digging into some of their pam code and read the following:
void
makesalt(char salt[SALTSIZE])
{
        int i;

        /* fill the salt four characters at a time */
        for (i = 0; i < SALTSIZE; i += 4)
                to64(&salt[i], arc4random(), 4);
        salt[SALTSIZE] = '\0';  /* index SALTSIZE is one past a SALTSIZE-byte buffer */
}

Yes, that’s a hardcoded off-by-one! From what I can see it *looks like* the way they’re using it doesn’t allow for exploitation (although I could be wrong and missing something), but I can certainly imagine this being exploitable in the right circumstances.
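To show the shape of the bug beside the fix, here is an added example (mine, not FreeBSD’s pam code): a makesalt() variant that takes the buffer length as part of its contract and refuses a buffer that cannot hold SALTSIZE characters plus the terminator. The to64() routine uses the classic itoa64 alphabet; SALTSIZE = 16 is an assumption (the post does not quote the value), and the random source is a constructed fixed-seed stand-in for arc4random() so the example runs deterministically offline.

```c
/* Added example, not FreeBSD's code: length-checked salt generation
 * next to the off-by-one shape quoted in the post. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SALTSIZE 16   /* same name as the post's code; the value is an assumption */

static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Emit n characters of v, least significant 6 bits first (crypt-style to64). */
static void to64(char *s, uint32_t v, int n)
{
    while (--n >= 0) {
        *s++ = itoa64[v & 0x3f];
        v >>= 6;
    }
}

/* Constructed stand-in for arc4random(): a fixed-seed xorshift32 so the
 * output is reproducible.  Real salt generation must use the OS CSPRNG. */
static uint32_t fake_random(void)
{
    static uint32_t state = 0x9E3779B9u;
    state ^= state << 13;
    state ^= state >> 17;
    state ^= state << 5;
    return state;
}

/* Hardened form.  SALTSIZE characters plus the NUL need SALTSIZE + 1 bytes;
 * a smaller buffer is refused instead of being overrun by one byte.
 * Returns 0 on success, -1 if salt is NULL or saltlen is too small. */
int makesalt_checked(char *salt, size_t saltlen)
{
    int i;

    if (salt == NULL || saltlen < SALTSIZE + 1)
        return -1;
    for (i = 0; i < SALTSIZE; i += 4)
        to64(&salt[i], fake_random(), 4);
    salt[SALTSIZE] = '\0';   /* now inside the buffer the caller promised */
    return 0;
}

/* A salt is well formed if it is exactly SALTSIZE characters, all drawn
 * from the itoa64 alphabet. */
int salt_is_well_formed(const char *salt)
{
    size_t n = strlen(salt);

    if (n != SALTSIZE)
        return 0;
    return strspn(salt, itoa64) == n;
}

int main(void)
{
    char ok[SALTSIZE + 1];   /* room for the terminator */
    char tight[SALTSIZE];    /* the size the original prototype advertises */

    printf("tight buffer accepted: %d\n", makesalt_checked(tight, sizeof tight));
    if (makesalt_checked(ok, sizeof ok) == 0)
        printf("salt: %s (well formed: %d)\n", ok, salt_is_well_formed(ok));
    return 0;
}
```

The point of the length parameter is that `char salt[SALTSIZE]` in a prototype is only a comment to the compiler: the callee cannot know how big the caller’s buffer really is, so the terminator write at index SALTSIZE is in bounds only if every caller happens to over-allocate by one.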

eweek’s OnSecurity podcast

Thursday, December 14th, 2006

I just listened to the one where they interviewed Dave Aitel. It was interesting; they talked about some of the common computer security things: disclosure, ZERT, hacker-vendor relationship, ….
By far the most entertaining thing about that podcast was the small commercial at the beginning. I think it was for some patch management thing from Microsoft. In it you hear this Aussie saying “A dingo ate my server”. That cracked me up!

anyways, you can find the podcast at:
http://zdpub.vo.llnwd.net/o2/eWeek/onsecurity12042006.mp3

0day alert

Saturday, December 9th, 2006

It seems fefe has been auditing gnupg and found some hilarious bugs. Read about it here. The blog’s in German, but you don’t need to be able to read German to find t3h 0day!

Apparently Stefan Esser is no longer part of the PHP security team.
“Last night I finally retired from the PHP Security Response Team [...] For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories. It will also mean that some of my advisories will come without patches available”

So am I to understand we’ll be getting some PHP 0day from him? Read about it here

2 wonderful quotes

Monday, December 4th, 2006

2 really cool quotes I just read:
“…and is of course LGPLed (“free as in communism”).” — Michal Zalewski
“These people are looking more and more like a criminal organization every day.” — Bruce Schneier about the MPAA

Bruce has a point!

OpenBSD allows suid shellscripts ?

Monday, December 4th, 2006

I’m stunned!!
Why the fuck would it do that? No other sane OS on the planet has allowed that to happen for at least a decade!

I wonder what their excuse is (and it’s just that, an excuse, THERE IS NO JUST REASON WHY YOU WOULD DO THIS!)

I’m shocked!
I tested this on FreeBSD and NetBSD as well and they don’t seem to allow it (thank God! or else I would have ranted some more on NetBSD :).

Fuck you lenovo

Monday, December 4th, 2006

A couple of months ago I was forced to buy a new laptop after a liquid experiment with my laptop. I purchased the IBM ThinkPad X60, coz I love those small machines. The machine is nice, but the screen really blows. I’ve only had it for a few months and I’ve already lost count of how many broken pixels it has :(

oh, it’s just a kernel panic

Saturday, December 2nd, 2006

Yea right!
So, assume you have a bug in your kernel that simply calls panic() and does nothing else wrong. They do exist; take the fpathconf() bug in OS X for example.
A lot of people don’t believe these are security bugs.
I beg to differ. THEY ARE SECURITY BUGS. For one, a panic effectively causes a shutdown. SHUTTING DOWN A BOX IS A PRIVILEGE NO ONE EXCEPT THE SUPERUSER SHOULD HAVE! Maybe this isn’t entirely true on a desktop, but this sure makes sense on something that’s used as a server. So for this fact alone it’s a security bug. But it gets worse. Kernel panics often lead to loss of data on disk. This is because at the time of panic not all data is synced to disk. I’ve had this happen to me quite a few times when toying with some kernel bugs on OpenBSD and NetBSD. I assume this is probably common among most operating systems, and that none that I’m aware of have special disk sync code in the panic() function (or BugCheck[Ex](), depending on which OS you’re using).
When I was playing with some OS X kernel bugs in late 2004 and early 2005 I once had my entire home directory removed after a kernel panic, something you really don’t want. But wait, it gets even worse. Kernel panics are unnatural; they interrupt everything you do and basically panic your system. That means that some weak hardware might not like it and you might cause hardware to break (while this is probably rare these days, I’ve been told by some old-timers that this used to be a big problem for some hardware).
I’ve talked to lmh (of the Month of the Kernel Bugs) and he told me that if you use FileVault on OS X and have a kernel panic, whatever FileVault is protecting gets garbled, certainly not something you want.

So, in conclusion, if an unprivileged user can arbitrarily cause a kernel panic, then that is a security bug!

PinkBSD

Wednesday, November 29th, 2006

a.k.a NetBSD blowing up on a trivial ioctl fuzzer.

fun with gdb

Monday, November 27th, 2006

A while ago I was reading the gdb manual. Apparently it reads the .gdbinit file from your home directory AND from the current working directory:
“2.1.3 What gdb does during startup
Here’s the description of what gdb does during session startup:
1. Sets up the command interpreter as specified by the command line (see Section 2.1.2 [Mode Options], page 13).
2. Reads the init file (if any) in your home directory and executes all the commands in that file.
3. Processes command line options and operands.
4. Reads and executes the commands from init file (if any) in the current working directory. This is only done if the current directory is different from your home directory. Thus, you can have more than one init file, one generic in your home directory, and another, specific to the program you are debugging, in the directory where you invoke gdb.”

Anyone besides me that thinks this is a dumb idea?
Btw, in case you didn’t know, it’s possible to have shell commands in your .gdbinit file.
Anyways, next time I’m on a shellserver you can bet I’ll have an evil .gdbinit file in /tmp.