2013-05-02: SyScan 2013, Bochspwn paper and slides

(Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind)
A few days ago we (j00ru and I) gave a talk during the SyScan'13 conference in the fine city of Singapore, and as promised (though with a slight delay), today we are publishing both the slide deck and a white paper discussing memory access pattern analysis - a technique we recently employed with success to discover around 50 double-fetch vulnerabilities in Windows kernel and related drivers (Elevation of Privileges and Denial of Service class; see Microsoft Security Bulletins MS13-016, MS13-017, MS13-031 and MS13-036 released in February this year. Also, stay tuned for more security patches in May and June).

Read more... [ 2 comments ]

2013-05-17: Serwis informacyjny BAD[SECTOR].PL

Szybka notka: wygląda na to, że w polskiej części Internetu pojawił się nowy serwis o sec/hack - BAD[SECTOR].pl (prowadzony przez think tank o tej samej nazwie). Wyróżnia się on dwoma cechami: po pierwsze, ekipą (mi osobiście rzuciły się w oczy przede wszystkim dwa nazwiska - Janusz Niewiadomski (isec.pl), oraz Borys Łącki (bothunters.pl) - pewnie dlatego, że są rozpoznawalnymi osobami na polskiej scenie pentesterskiej, świetnymi specami od sec/hack, a i miałem okazję z nimi wypić przysłowiowe piwo); a po drugie target docelowy: pentesterzy, programiści, specjaliści ds bezpieczeństwa oraz admini (zgodnie z pierwszym newsem). A więc RSS++ i z ciekawością będę śledził dalszy rozwój serwisu.

Czytaj dalej... [ 0 komentarzy ]

Five newest or recently updated notes (these are unfinished posts, code snippets, links or commands I find useful but always forget, and other notes that just don't fit on the blog):

• 2013-05-14: FAQ: C++ funkcje wariadyczne (va_arg, etc)
• 2013-05-13: Python zipdl (download a single file from a ZIP via HTTP)
• 2013-05-12: C/C++ print/dump hex function
• 2013-05-07: Python "sandbox" escape
• 2013-05-01: C++ sin using templates

Click here for a list of all notes.

• DLL shared sections: a ghost of the past - research notes taken while revisiting the infamous DLL shared sections; also, a description of finding and exploiting a Cygwin vulnerability. See also this post and these tools.
• PHP LFI to arbitratry code execution via rfc1867 file upload temporary files is an attempt to bring a specific LFI exploitation technique to common knowledge. You might also want to check out a follow-up paper by Brett Moore.
• Exploiting the otherwise non-exploitable - Windows Kernel-mode GS Cookies subverted described the internal mechanisms of generating GS cookies in drivers and a way to predict them.
• GDT and LDT in Windows kernel vulnerability exploitation is another paper I've written with j00ru, this time about using call-gates in kernel exploitation - quite a cool method since it works even if you have only a 1-byte write-what-where condition.

Some conference slides are linked at the bottom of this page.

• Adobe Reader 9.5.1 and 10.1.3 multiple vulnerabilities - 62 unique crashes, from that 31 trivially exploitable and 9 more potentially exploitable, 11 CVE's assigned (CVE-2012-4149 to CVE-2012-4160). Some of these bugs were fixed for Windows and OSX releases of Adobe Reader in APSB12-16.
• Contributed to discovery of multiple low-to-high vulnerabilities in Google Chrome (CVE-2012-2851, CVE-2012-2855, CVE-2012-2856, CVE-2012-2862, CVE-2012-2863 and some other) - some of these were mentioned in this post.
• Cygwin cygwin1.dll shared section local privilege escalation (demo video) - discovered while revisiting old-school classes of bugs (see paper above).
• A lot of bugs in ffmpeg and libav which resulted in 388 (sic!) patches in ffmpeg and 155 patches in libav (CVE-2011-3930 to CVE-2011-3952 and some other).
• Two minor bugs in PuTTY and aterm and rxvt found while playing with terminal control codes. Put here to create some illusion of diversity.
• A few Microsoft Windows privilege escalations and some DoSes patched by MS10-021 and MS10-011 - this research was presented on HITB Dubai 2010 and CONFidence 2010 (video available here).
• Mozilla Firefox 2.0.0.11 and Opera 9.50 information leak, also midly affected Safair, Konqueror and some other products (CVE-2007-6524, CVE-2008-0420, CVE-2008-0894, CVE-2008-1573). A demo video is also available.
• A small but funny bug in Total Commander 7.01 - an FTP client gets attacked by the server, leading to a path traversal.

The full list of vulnerabilities discovered by me (including collaborative work) can be found here (please note that the list might be out of date).

• Unicode fun: PHP preg_match and UTF-8 with analysis of what happens when you forget that UTF-8 is multibyte; and a String-to-Integer vs Unicode - yes, the standard 0-9 digits are not the only ones supported by programming languages or unicode (see also this post).
• Digging deeper into C/C++: internals of static variables initialization, a discussion with myself about NULL/nullptr, the curious case of int a=5; a=a++ + ++a;, and what happens when scanf/atoi/strtol get an overly large number. Also, a way to magically make a list of functions at compilation time, and a way to create naked functions in gcc/g++ (or rather pure-assembly functions with no additional prologs/epilogs).
• Low-level goodies: a Hello World in C without using any headers / library functions, a process that frees almost all the memory it owns, and embedding GDB in assembly source code.
• Do not do this at work kids - OOP in .bat and OpenGL in .bat.

• PiXieServ is a simplified PXE (network boot) server for Windows and Linux-based OS, created for testing of very small home-made OS. See also the post about it.
• ExcpHook, a system-wide exception monitor for Windows XP 32-bit. Useful if you're fuzzing something that doesn't like having a debugger attached.
• Ent is an entropy measuring tool for reverse engineering reconnaissance (see also a post explaining how to use it).
• HiperDrop is a simple command line process memory dumper for Windows, with a few different work modes.
• asmloader - this little app executes headerless machine code (compiled assembly code). It's meant to be an aid in learning/teaching and playing with assembly, as well as the right tool when you just need to execute some machine code.
• NetSock is a simple socket/networking lib/wrapper for C++ I've wrote back in 2003 and update from time to time - I use it for most of my network-enabled projects.

Nagrywane w wolnym czasie videotutoriale o programowaniu, reverse engineeringu oraz hackingu/security: Kanał na YT | Spis odcinków | Wishlista.

Najnowszy odcinek: Gynvael's FAQ: Windows czy Linux? Oba!
[ 309 thumbs up | 75 comments | 13 918 views ]

Dodatkowo: ReverseCraft - starsza seria podcastów o reverse engineeringu i assembly.

Dla programistów:

• Poradnik Początkującego Programisty - czyli jaki język wybrać, z czego się uczyć, jak samodzielnie rozwiązywać problemy i co dalej jak już się zna podstawy.
• Zmienne i stałe: wartość, kodowanie, reprezentacja - rozłożenie zmiennych na części pierwsze, od wysokiego poziomu abstrakcji, do kodowania na poziomie RAMu i CPU.

Security / hacking:

• Hacking - jak uczyć się security/hackingu i spać spokojnie.

Dodatkowo, kilka przemyśleń na temat odnajdywania się na rynku pracy w IT:

• Wybór studiów a szanse na rynku pracy - mój punkt widzenia na wybór studiów, rynek pracy, oczywiście w kontekście informatyki, programowania, itp.
• Spis sposobów na dokumentowanie swojej wiedzy, czyli co można wpisać w CV oprócz praktyk i papierka z uczelni.

• Trochę o PHP, preg_match i UTF-8, czyli o problemach związanych z niespójnym kodowaniem znaków.
• Kilka przemyśleń na temat intów, do tego kilka eksperymentów z wrzucaniem dużych liczb (większych od INT_MAX) w funkcje scanf/atoi/strtol, oraz różnice w wynikach w dzieleniu z udziałem liczb ujemnych w różnych językach.
• int a = 5; a = a++ + ++a;, ile wynosi "a"? Wynik jest oczywiście niezdefiniowany, ale jednak jakiś musi wypaść.
• Sposób na stworzenie funkcji naked w gcc/g++.
• Z przymróżeniem oka - programowanie obiektowe oraz OpenGL w języku skryptowym batch (aka .bat).

← trochę więcej postów jest po angielskojęzycznej stronie.