Creating a dynamic DNS service using djbdns

December 7th, 2011 2 comments Print Print

Before some days I decided to create a dynamic DNS service for a domain I own. There are many dynamic DNS services, e.g. dyndns and FreeDNS, but none gives you the power I wanted. For example I needed custom records such as SSHFP but most services don’t allow you this type of entries. Also, many of them aren’t free, especially when you transfer your own domain.

So I went on to make my own service. I knew from the beginning that BIND wasn’t what I wanted. I wanted something small, fast and secure. So I chose djbdns. Unfortunately, the IPv6 support isn’t that good so I used dbndns, which is a djbdns with some patches, especially for IPv6. (Yes, the title says djbdns, but it’s the same, if you don’t like the debian patches I can tell you how to transform a line to make it djbdns compatible!)

The first part was to design the interface. I could make a fancy web page with buttons and nice images. However, since most of the users would like a simple command that they could insert at their crontab to update their IP, I decided to just get a number of parameters and return a status string. Much simpler, more functional and I get to  spend more time coding the core of the server!

And then it’s the functionalities. Which would be the supported entries? IPv4 and IPv6 are ok for the beginning. But would the user be able to choose whatever IP he wanted? What about the hostname? Most users want a dynamic DNS so they can connect to their home box using ssh. As I said at the first paragraph, SSHFP records should be supported. But other records such as TXT and SRV? That’s why I used privileges. Every user has a privilege, and the higher the privilege the more powers you have. For the moment the following are implemented:

  • Level 1: Simple user. You are allowed one hostname and the IP is the IP you had when you made your request.
  • Level 2: Simple user with IP selection. You are allowed one hostname but you have the option to select your IP. If you don’t supply one, the IP that made the request is used.
  • Level 3: Simple user with IP and hostname selection. You are allowed to also change your hostname. If you don’t supply one the default will be used. Also, this allows you to have multiple hostnames at the same time.
  • Level 10: Administrator. Higher level, you can add, change and remove users.

All levels have IPv4, IPv6 and SSHFP support. Other privilege levels (4 … 9) are reserved for future improvements.

What about privacy? It was very important for me that all entries would ‘disappear’ after some time. The user should leave no traces. The problem is that the entry should be updated many times and not just the first time you change your IP but that’s the price for privacy! And this is something that you don’t find at many dynamic DNS services out there.

So, we’ve got many users, with different usernames, passwords and privileges, different hostnames and IPs, A, AAAA and SSHFP records, expiration times and many many more. What’s missing? SQLite! I was already running a mysql server, but I just wanted something simple. And at the end I found out that it helped me a lot with the DNS data file update.

I ended up writing a simple PHP program that would take a number of input variables:

  • username: User’s username
  • password: User’s password
  • action: The action the user wants to commit

Valid actions with their arguments are:

  • update4: Update IPv4 address
    • ip: The new IP address (if you’re allowed to set it)
    • hostname: The hostname (if you’re allowed to set it)
  • update6: Update IPv6 address
    • ip: The new IP address (if you’re allowed to set it)
    • hostname: The hostname (if you’re allowed to set it)
  • list: List all IPv4, IPv6 and SSHFP entries.
  • delete4: Delete an IPv4 dns entry immediately (before it expires by itself)
    • hostname: The hostname (if you’re allowed to set it)
  • delete6: Delete an IPv6 dns entry immediately (before it expires by itself)
    • hostname: The hostname (if you’re allowed to set it)
  • setsshfp: Add an SSHFP record
    • hostname: The hostname (if you’re allowed to set it)
    • key: The key as you can find it at /etc/ssh/ssh_host_rsa_key.pub and /etc/ssh/ssh_host_dsa_key.pub. Warning! If there are any ‘+’ in the key (very probable since it’s base64 encoded) you must escape them!
  • delsshfp: Delete an SSHFP record
    • hostname: The hostname (if you’re allowed to set it)
  • changepw: Change password
    • newpw: The new password
  • adduser: Add a new user (if you’re allowed to add one)
    • newuser: The new user’s username
    • newpw: The new user’s password
    • newpriv: The new user’s privilege level
    • newhostname: The new user’s default hostname
  • deluser: Delete a user (if you’re allowed to delete one)
    • deluser: The user to delete
  • edituser: Edit a user (if you’re allowed to edit one)
    • Any of the following options can be used
    • newpw: User’s new password
    • newpriv: User’s new privilege level
    • newhostname: User’s new default hostname
  • cleanup: Cleanup the database.
TIP: Use curl with the -F option, at least for the setsshfp (curl -F ‘</etc/ssh/ssh_host_rsa_key.pub’ …).

The server is almost finished! What’s missing is inserting all these into the data file for the dns server. I decided that I didn’t want to code a c/perl program and I would write a simple shellscript. Since the djbdns data file consists of values seperated by the ‘:’ character, with  a few sql commands to sqlite3 and the -separator ‘:’ argument the updated datafile is ready. But when should the file be regenerated? I thought of a cronjob but I really didn’t like the idea of waiting. And this is where the SQLite database idea came handy! Using inotifywait from the inotify-tools I wait for close events on the database and then I update the djbdns data file. I use the daemontools to run this shellscript and till now everything seems to work great!

You can download everything here:

  • The PHP file that contains the daemon. At the top you can see two configuration options, the location where the database file can be found and the duration of each entry. The file has a txt extension, of course you’ll have to rename it. Also remember that if you store your database under the document root you should deny access from the web!!!
  • An SQL dump file that your can use to generate a sample database. A user with username and password ‘admin’ has been created, remember to change the password or create a new admin and delete the old one!
  • The shellscript that regenerates the data file.
  • The run file for daemontools. It can be merged with the previous, but you may want to generate the datafile using another way, so I created a different file.
Remember that this is just a simple dynamic DNS service designed for a small number of users!
Please leave feedback and suggestions!
Categories: DNS, Linux, Networking Tags:

Playing with HTC’s hboot 2.00.0002

October 23rd, 2011 4 comments Print Print

It’s been a long time since I last updated my blog. I have been very busy and I had no time to write a complete post. I have started writing some posts but I never managed to finish them. To be honest I knew that this may happen from very beginning, when I installed wordpress! So, I decided that from now on I will not create drafts, and publish even very small articles!

I am owner of an HTC Desire S smartphone which runs Android. It uses the Sense user interface which I like very much and that’s why I never used a ROM such as CyanogenMod. There are Sense based ROMs but I preferred to use the original one. If you don’t understand anything I said till now, you should visit the xda-developers forum and come back later!

Unfortunately, even if HTC uses an open operating system for its phones, the bootloader, known as hboot, is locked. A locked bootloader means that you cannot change the radio, the recovery, the boot, system and other partitions, and many other important stuff. Even if you get temporary root at your android it is very difficult to make it permanent. The lock depends on the @secu_flag variable which is stored in the radio NVRAM and it is not accessible from the user. This variable controls if your phone is S-ON, meaning it is secured, or S-OFF, meaning it’s unsecured. Currently, the best way to root the phone is change the hboot in order to report that the flag is off, even if it’s on. And this is what revolutionary by Unrevoked and AlphaRev does. You can visit their site to find out more. I had hboot version 0.98.0002 which is supported, so I used it and after one or two minutes I had permanent root, a modified hboot to report S-OFF and ClockworkMod, a much better recovery than the one HTC preinstalls.

Recently, HTC pushed a new OTA update to all Desire S phones, featuring the new Sense 3.0. And since I really like Sense, I couldn’t wait so I installed it. I had to do some work because I didn’t have the original hboot and recovery which are needed for the update. Unfortunatelly, the update also changed my hboot to version 2.00.0002. This version apart from all other locks also prohibits changes to the bootloader, so even if you have temporary root you cannot install your own ‘cracked’ hboot. I searched a little bit but I couldn’t find any information, so I started my own research. For the moment I have cracked the hboot (at least I believe so! :) so it reports that you have an S-OFF phone. You can download the patched version here. In case you want to study it yourself, the changes are at the function starting at offset 0x9fa4. If you need more information about the disassembly you can leave a comment or mail me. I chatted a little bit with hyuh at #revolutionary@freenode and he told me that maybe downgrading to an older hboot and upgrading to this one could S-OFF my phone but I really don’t want to try this at the moment. The updated created a new partition for /system/lib which is not supported at older hboot versions, so I don’t want to start playing and brick my phone! I’m searching for new ways, and if I make any progress I will report it here, so stay tuned!

Categories: Android, Reverse Engineering Tags:

PreZ: my new injector!

March 25th, 2010 5 comments Print Print

Together with my presentation at 0x375 0x2 (check previous post), I wrote a proof of concept program, PreZ! What it does is create a new thread at a running program. I will give a small description of the way it works. The images below are taken from the presentation and refer to the linux version but the same concept is used in all versions, i.e. linux, freebsd and opensolaris.

PreZ consists of three parts, the injector, the thread creation code and the code that will be executed at the new thread (the shell code). The following steps take place each time you run PreZ.

At the beginning the injector stops the traced process, the ‘victim’. It’s state is saved (registers and some other stuff at the opensolaris version) and part of the code at the place where the EIP register points to. This code is then overwritten with the other two parts so we have the modified address space at the image above. The execution then continues and the new code we just injected runs.

What the new code does is mmap a new space with read, write and execute permissions (the orange space at the image above). Then, the shellcode at the end is copied to this new location. All this runs in a single thread (the purple thread of execution at the image). A new thread is spawned and now we have two different threads of execution, the green and the pink at the image above.

Finally, the new thread jumps to the place where we copied the new code and the original thread executes an int3 instruction. When this instruction is executed, the injector catches the trap and knows that the thread has been created successfully. The original code read at the beginning is restored, the state is restored, and finally execution continues. All these are transparent to the original process which can’t understand that the injected code has been executed.

PreZ v1.0 can be downloaded from this link. The sample code for the new thread listens for a connection to port 65226 and when it accepts one it spawns a shell. You can do much more, this is just a simple code to demonstrate the injection process.

Categories: Linux, Programming, Security Tags:

My 0x375 presentation – injecting code at a running process!

March 22nd, 2010 2 comments Print Print

It’s been a LOT of time since I last posted to my blog. Unfortunately, I’ve been too busy to write something even if I had some ideas. So, here is my first post after more than a month of absence!

I recently made a presentation at the 0x375 (Thessaloniki Tech Talk Sessions). You can find more info about 0x375 at the grhack site. In short, it is a series of some tech talk session where anyone can present his work on a subject. Submissions are open for everyone. There are no regular dates but if you watch the site you can find info about when and where the next event will take place (always at Thessaloniki and till now at the Aristotle University).

My presentation was about injecting code at a running process and running it as a separate thread. You can download it here. Since 0x375 takes place in Greece the presentation is written in Greek, sorry if you can’t ready it! In short what the technique I presented and the accompanying program does is create a new thread at a running process. The presentation talks about Linux, however a freebsd and an opensolaris version are ready. I will put them online soon so you can check it out. Wait for the next post!

Categories: Linux, Programming, Security Tags:

Timesharing at 1964

January 14th, 2010 No comments Print Print

I recently found a youtube video (thanks stateless!) with professor Fernando Corbato. It is about timesharing, something revolutionary at 1964. MIT professor Corbato is the founder of Multics which later lead to the creation of UNIX. He has also received the Turing award for his work on resource sharing. The video lasts 27 minutes but it’s worth seeing, trust me! And you also get to see a REAL geek!

Categories: Operating Systems Tags:

Using non-standard bases

January 4th, 2010 1 comment Print Print

There are a number of different bases, or radices. Most of us use the decimal positional numeral system, i.e. base 10 for our everyday jobs. When it comes to computers most people use the binary, the hexadecimal or even the octal numeral system. However, there are a number of different “unusual” bases.

For example, there are negative bases. An example is the negadecimal positional numeral system, that is using the base -10. Converting a number from base -10 to base 10 is as simple as:

d_1d_2d_3d_4\ _{(-10)} = d_1(-10)^3 + d_2(-10)^2 +d_3(-10)^1 + d_4(-10)^0

But why use such a base? It’s very simple, you can represent any number you want, positive or negative, without using a sign. For example:

-1_{(10)} = 1(-10)^1 + 9(-10)^0 = 19_{(-10)}

The conversion from decimal to negadecimal is pretty simple. You continuously divide by -10 and keep the remainder as you would do with any other positional numeral system. For example:

-256 = 26 * (-10) + 4

26 = -2 * (-10) + 6

-2 = 1 * (-10) + 8

1 = 0 * (-10) + 1

So -256_{10} = 1864_{-10} . Converting a positive number is done the same way too.

256 = -25 * (-10) + 6

-25 = 3 * (-10) + 5

3 = 0 * (-10) + 3

So 256_{(10)} = 356_{(-10)} . As you can see, there is no need for a sign symbol. And when using the negabinary numeral system there is no problem with signed and unsigned integers since there is no need for a sign bit!

But a negative base isn’t the only non-standard base. You can use complex numbers as bases too. This way there is no need to use a real and an imaginary part to represent a complex number. An example of such a base is -1 + i where of course i^2 = -1 . A number can then have the form

d_1d_2d_3d_4 = d_1(-1 + i)^3 + d_2(-1 + i)^2 + d_3(-1 + i)^1 + d_4(-1 + i)^0, d_i \in {0,1}

Using this base you can represent any complex you want without using the i symbol.

Converting from this base to decimal is pretty simple, however the reverse is a little bit difficult. What you do for the convertion is divide continuously with -1 + i as usual. The remainder will always be 0 or 1 . So, if the quotient is q = q_1 + q_2i then:

a + bi = (q_1 + q_2i)(-1 + i) + r

a + bi = -q_1 + q_1i - q_2i - q_2 + r

a + bi = (-q_1 - q_2 + r) + (q_1 - q_2)i

-q_1 - q_2 + r = a

q_1 - q_2 = b

q_1 = \frac{b - a + r}{2}

q_2 = \frac{-b - a + r}{2}

That means that if a and b are both odd or even, then r = 0 , otherwise r = 1 . Then we continue the division of the quotient as usual.

Now let’s calculate the value of 2.

2 has both the real and imaginary part even, so r = 0 .

\frac{2}{-1 + i} = \frac{2(-1 - i)}{(-1 + i)(-1 - i)} = -1 - i

The real and imaginary part are both odd, so r = 0 again.

\frac{-1 - i}{-1 + i} = \frac{(-1 - i)(-1 - i)}{(-1 + i)(-1 - i)} = i

Since the real part is even and the imaginary is odd, r = 1 . So, we can divide by the number minus 1 and the remainder will be 0.

\frac{i - 1}{-1 + i} = 1

Now, the real part is odd and the imaginary is even. So again r = 1 . We divide by 1 - 1 so,

\frac{1 - 1}{-1 + i} = 0

We now stop since q = 0 . So we have 2_{(10)} = 1100_{(-1 + i)} . Pretty cool!

Categories: Mathematics Tags:

Ext4 online defrag and how you can mess up everything when implementing it

December 20th, 2009 2 comments Print Print

It’s been a long time since I last posted something at my blog. Unfortunatelly, I’m too busy so I have almost no time to write something!

This post is about the online defrag the ext4 filesystem supports. It is a very cool feature and allows you to defrag any file without even unmounting a filesystem! This is done using a special ioctl, EXT4_IOC_MOVE_EXT defined as follows:

#define EXT4_IOC_MOVE_EXT   _IOWR('f', 15, struct move_extent)

As you can see the ioctl’s last parameter is a special structure, struct move_extent, defined as:

struct move_extent {
    int orig_fd;
    int donor_fd;
    uint64_t orig_start;
    uint64_t donor_start;
    uint64_t len;
    uint64_t moved_len;
};

What the ioctl does is copy len extents from the file with descriptor orig_fd starting with orig_start to the one with descriptor donor_fd starting at donor_start. Finally it returns the total number of extents moved at the member moved_len. Using this syscall it is pretty easy to defrag files. You must first open a new file, which will be the donor, and allocate some space using fallocate. Hopefully the extents of the new file will be less than the ones of the original file so you just swap the extents of donor using the ones from the original file. The following code is a simple call to this ioctl which can help you understand how it works:

int origfd, donorfd;
int origsize;
struct move_extent me;
char *origfile, *donorfile;

/* origfile, donorfile and origsize should be set here */

if((origfd = open(origfile, O_RDONLY | O_EXCL)) < 0) {
    perror("Cannot open original file");
    exit(1);
}

if((donorfd = open(donorfile, O_WRONLY | O_CREAT | O_EXCL)) < 0) {
    perror("Cannot create donor file");
    exit(1);
}

if(fallocate(donorfd, 0, 0, origsize) < 0) {
    perror("Cannot allocate space for donor");
    exit(1);
}

memset(&me, 0, sizeof(me));
me.orig_fd = origfd;
me.donor_fd = donorfd;
me.orig_start = 0;
me.donor_start = 0;
me.len = extentcnt;

if(ioctl(origfd, EXT4_IOC_MOVE_EXT, &me) < 0) {
    perror("Cannot move extents");
    exit(1);
}

printf("Moved extents: %i\n", me.moved_len);

close(origfd);
close(donorfd);

You should note that there is no restriction on the doner file, it can be any file on the disk.

And here it is! CVE-2009-4131! Until commit 910123ba363623f15ffb5d05dd87bdf06d08c609 the only check was if the user could read the donor file, not write it! Furthermore, there were no checks on the file's mode. You can simply open your program which executes /bin/sh as the original file, /bin/ping as the donor and kaboom! /bin/ping is an suid root executable and the code that will be executed will be your code!

I have written a small program that you can use to demonstrate this vulnerability. It simply moves extents. You can download it here. Just use a program that spawns a shell as the original file, a suid root file as a donor, zero as the offset and ceil(filesize/1024) as len. However, it is not very usable yet since for some strange reason you need to unmount the fs and then remount it in order for the changes to take effect. If you find a solution just leave a comment!

UPDATE: Try reading a LOT of data from the partition after running the program! Damn cache! I shouldn't have been working with a filesystem that's 10mbs and store only the executable there!

Categories: Linux, Programming Tags:

Concurrent programming the fast and dirty way!

November 20th, 2009 1 comment Print Print

Creating threads, mutexes, setting attributes and joining can be very easy using the pthreads library. However, there are times when you don’t want to link your program with another library or you need something fast. As an example you can see the pipe exploit where I need only two threads to trigger the race condition.

Here’s a simple way to create these threads. First, we need to allocate the stack for the thread using malloc(3) and then we can start it using clone(2).

int koko(void *arg)
{
    /* do something concurrently with main */
}

int start_thread(int (*func)(void *), void *arg)
{
    int thread_id;
    char *stack;

    if((stack = malloc(0x4000)) == NULL) {
        perror("malloc");
        return -1;
    }

    if((thread_id = clone(func, stack + 0x4000 - sizeof(unsigned long), CLONE_FS | CLONE_FILES | CLONE_SIGHAND | CLONE_VM | CLONE_THREAD, arg)) < 0) {
        perror("clone");
        return -1;
    }

    return thread_id;
}

int main()
{
    int thread_id;
    if((thread_id = startthread(koko, NULL)) == -1) {
        printf("Couldn't start thread.\n");
        exit(1);
    }

    /* This runs together with koko */
}

Using this code we create a new thread running in the same thread group. This means that calling getpid(2) will return the same pid. In order to distinguish threads in the same thread group you must use gettid(2) to get the thread id.

When creating a thread in the same thread group you cannot get the return value from the function you called. In order to get this value when it finishes you must create a thread in a new thread group which will be assigned a new pid and then call wait(2). To create such a thread you have to remove the CLONE_THREAD flag and replace it with SIGCHLD which will be the signal that will be send to the parent when the function returns. If we choose to send another signal, then wait(2) should be called with the __WALL or __WCLONE options.

These were the basics of creating threads. However, creating threads is only a part of concurrent programming. We will now create spinlocks using some internal functions of gcc. So, here are lock and unlock functions.

void lock(int spinlock)
{
    while(__sync_lock_test_and_set(&spinlock, 1))
        ;
}

void unlock(int spinlock)
{
    __sync_lock_release(&spinlock);
}

It's pretty simple using the functions gcc provides us. You can find more at the gcc documentation about atomic builtins.

Categories: Linux, Programming Tags:

Site update

November 14th, 2009 1 comment Print Print

I have moved my site to another host. So if you have any problems please contact me or leave a comment.

More posts will come soon!

Categories: Blog Tags:

Linux kernel pipe NULL pointer dereference exploit (CVE-2009-3547)

November 5th, 2009 6 comments Print Print

Another exploit for the kernel pipe NULL pointer dereference bug. This one is inspired by Spender‘s great work for his enlightenment framework. It seems to exist at every 2.6 and 2.4 kernel version I’ve tested! Another sock_sendpage maybe? This sample exploit only works for versions >= 2.6.17. You can download it here. As usual more information in the code. This time there are some funny quotes too! I haven’t done a lot of tests, so any feedback, and especially versions you have tested it and it worked, is welcome!

EDIT: New version is out. It adds support for the detection of kernels compiled with spinlock debugging options. Download it here.

Categories: Exploits, Security Tags:
SEO Powered by Platinum SEO from Techblissonline