## Linux kernel pipe NULL pointer dereference exploit (CVE-2009-3547)

November 5th, 2009

Another exploit for the kernel pipe NULL pointer dereference bug. This one is inspired by Spender‘s great work for his enlightenment framework. It seems to exist at every 2.6 and 2.4 kernel version I’ve tested! Another sock_sendpage maybe? This sample exploit only works for versions >= 2.6.17. You can download it here. As usual more information in the code. This time there are some funny quotes too! I haven’t done a lot of tests, so any feedback, and especially versions you have tested it and it worked, is welcome!

EDIT: New version is out. It adds support for the detection of kernels compiled with spinlock debugging options. Download it here.

Categories: Tags:

October 29th, 2009

Recently I received some comments from a friend about a previous article on linux kernel debugging using kgdb. What he asked me was how could he load symbols from a kernel or a kernel module. So I wrote a quick guide to help you start with kernel debugging. After each step I will show you the gdb output.

First of all you should start gdb!

Then you should load all kernel symbols from the vmlinux file. This can be found at the directory where you compiled the kernel, most probably /usr/src/linux. Remember to compile the kernel using debug information by setting the appropriate option, it will help you a lot!

You’re ready to start debugging! Set the target and use the Alt-SysRq-G sequence as it was described at the previous post. You can now set breakpoints, watch anything you want in memory, step or continue running the kernel!

Now let’s see how we can debug kernel modules. I will test the l2cap bluetooth kernel module.

You first need to find the object file which contains the module. For l2cap this is net/bluetooth/l2cap.o in the kernel source tree. Transfer this to the host (or the machine running gdb if you’re not using a virtual machine). Then load the module in the virtual machine. This creates a new directory in /sys/module named after the module name, i.e. l2cap. Inside this directory, there is another one named sections which contains the addresses where all sections are loaded. We are interested in the .text section so we read the file /sys/module/l2cap/sections/.text.

We know where the .text section is loaded so we can now load the symbols from l2cap.o using the add-symbol-file gdb command.

If you need to load other sections too, in case they are not contiguous with the text in memory, you need to read their addresses. For example we’ll load both the .text and the .data sections (you should do .bss too but it’s omitted since I wanted to write a quick and dirty guide and it’s already very big!)

Find where both .text and .data are loaded.

Then you load apart from the .text section the .data too.

Categories: Tags:

## Ecryptfs NULL pointer dereference exploit (CVE-2009-2908)

October 17th, 2009

Categories: Tags:

## Setting default options and bindings for sockets.

October 10th, 2009

Recently one of the people I follow at twitter (yes, I have a twitter account, you can follow me!) asked if anyone knew an option for lynx which would make it bind to a certain interface. I searched the manual page but there was no such option. Some programs, like netkit telnet, have an option to bind to a certain address, which can be very useful and especially when you’ve joined a VPN.

The first thing that came to my mind is write a library which would automatically bind new sockets to a certain address and then use the environment variable LD_PRELOAD so that the runtime linker would load it when a new program was run. The library should overwrite the socket(2) function and replace it with one which would run the original function to create the socket and then immediately bind it to an address. This address would be taken from an environment variable. And since I wrote the wrapper for socket(2) I could add some extra functionality such as setting various options with setsockopt(2). I wanted the program to be very efficient so it shouldn’t lookup the old socket(2) function each time the wrapper was called. In order to do this I should store the original address of the function at some variable at the beginning. This could be done in a check in the wrapper function and if the address was equal to NULL, then all initialization would take place. However, that would mean an extra check at every call. So I created a constructor which would be called when the library was initially loaded. I used a very low priority so that the constructor was run before any other constructors which could open a socket.

The program is named sockopts and you can find it at my main page, under the programs section. For the moment I have tested it at my local box having one ethernet interface and an openvpn running with a tap interface. And it works great! If you have a feature request or you found that something is broken you can leave a comment here or just email me.

Categories: Tags:

## The NULL certificate prefix bug

October 3rd, 2009

Before some months, at the Black Hat 2009, Moxie Marlinspikes and Dan Kaminsky presented a vulnerability that exists at some implementations of SSL.

It’s concept is pretty simple, you request a certificate having as a CN (common name) www.paypal.com\x00.example.com. This can be easy, especially for some public key infrastructures operated by companies for their internal needs, where server certificates are issued automatically as long as the CN is a host under a specific domain. However, since many SSL implementations use strcmp for validating the remote host, they will only check if the host is equal to the part before \x00! So a malicious user can simply issue such a certificate and using spoofing he can start a man in the middle attack. Furthermore, it is possible to issue a certificate with a CN such as *.paypal.com\x00.example.com which will match all hosts under the paypal.com domain. Or even the CN *\x00.example.com which will match… everything! Jacob Appelbaum has created such a certificate and posted it to the Noisebridge-discuss mailing list.

Firefox 3.5.2 and 3.0.13 have fixed this vulnerability, however I checked with the Internet Explorer browser today and it still has this bug. The test was done at a friend’s pc so I don’t know exactly the patches he has applied or when he last run windows update. It is very interesting that it probably uses the strcpy function for copying the value of CN to the buffer where it keeps the certificate information so when you try to see them, you only see www.paypal.com!

You can use the following program to create your own certificate requests. You run it as follows:

At the output you will get the private key and the certificate request.

Categories: Tags:

## Full disclosure… or not?

September 26th, 2009

One of the biggest problems I face sometimes is what should I do when I find a bug. I recently found a bug at the linux kernel version 2.6.30, which was fixed at 2.6.31, but I only told it to a friend of mine. Posting the description to a mailing list or at my blog would mean that everybody could write an exploit and use it to hack into systems. I could also write a patch which could be merged at the next release. For the moment I chose not to do anything until the next kernel release and if it wasn’t fixed I would then decide what should I do.
I face the same problem when I write security related programs. For example, a rootkit that can be used for malicious purposes can also be used to demonstrate bugs at the design of an operating system. Should a program like this be released?
I have created the following two polls. I believe that the results are going to be very interesting!

Categories: Security Tags:

## Inline assembly the gcc way

September 15th, 2009

This is the second time I write a post about inline assembly. The last one was at my old blog which I had to remove. However, since that was the most viewed article I think I should write about this again. Although this is just a small introduction, you must know C and assembly in order to continue. For the moment I will only describe x86 assembly, however the differences for other architectures are minimal. I must also point you to the GCC Inline Assembly HOWTO. I wrote the first post before reading it (well, the post was ready but before publishing it I googled a little bit and found it) and I think it is equally useful.

We are going to start with a little introduction to the AT&T syntax for the assembly for all of you who are familiar only with Intel syntax. Here are some basic rules:

• Registers: All register names begin with the character %. So, if we want to use the eax register, then we will use the name %eax.
• Immediate operands: The immediate operands begin with the character $. For example, if we want to use the value 0xdeadbeef as an immediate operand, then we will use$0xdeadbeef.
• Indirect memory references: Indirect memory references are done using ( ). The byte pointed by register %esi is (%esi). If you want to use an offset, you put it in front of the (register). Warning! Since it is not an immediate operand, you don’t have to use the $. For example, you should use 0x4(%esi) and not$0x4(%esi).
• Ordering of the operands: The ordering is:
instruction source, destination
This is the reverse of the intel syntax where the destination comes first.
• Size of operand: All instructions taking operands that can have variable sizes must be suffixed with the appropriate letter:
• b – Byte (1 byte)
• w – Word (2 bytes)
• l – Long (4 bytes)
• q – Quad word (8 bytes) – Only when you use 64 bit programs.
• Immediate long jumps and calls use the form
ljmp/lcall $section,$offset
jmp/call far section:offset

Here are some examples in intel and at&t syntax.

Intel syntax:

This gets translated to:

If you want to see more examples, you can write your own code and disassemble it using the objdump command. By using the -d option you can disassemble any file you want. The default syntax is at&t but if you want to switch to intel you can add -M intel to the command line.

We can now continue to putting inline assembly to our programs. In order to insert assembly code we must use the “asm” construct.

This will execute a simple nop instruction. In case asm conflicts with something else in your program you can also use __asm__. Apart from this there is also a more advanced format.

The assembly template is your actual assembly code with some special operands that will be replaced by registers or memory locations. This code will be send directly to the assembler, so if you want to run more than one command you must use one of the following constructs:

OR

OR

The last one uses ; which is the line separator at most architectures. Since we are going to use only x86 we are free to use it, however, at other architectures, like H8/300, ; is the comment character. You can check the gas info page for more information about the line separator character.

The output and input operands are two lists the have the form

"constraint"(variable), "constraint"(variable), ...

At the output operands a constraint denotes what will be placed at variable after the execution of the assembly code and at the input operands a constraint denotes where a variable will be placed. The various constraints for the x86 architecture are:

• r: any register, one will be chosen by the compiler
• a: eax register
• b: ebx register
• c: ecx register
• d: edx register
• S: esi register
• D: edi register
• A: eax and edx combined as a 64-bit integer
• f: floating point register
• t: first floating point register
• u: second floating point register
• m: memory operand
• 0-9: matching operand

The memory operand will not use a register, it will only pass the location of variable in memory. Furthermore, the matching operand is used when a register is used both as input and as output, e.g. by specifying 0 as an input operand, the first output register will be used for input. You must prefix the output constraints with the = character. If you use the r constraint more than once, the same register may be assigned. If you want to choose a different register, you should use the & character, i.e. the constraint &r.

Finally, the list of clobbered registers is a list of all registers modified by your program. These registers must have the format %eax, %ebx etc.

If your code must execute exact;y at the place you put it, you must put the volatile keyword after asm or __volatile__ after __asm__. Otherwise, the compiler may change its position if optimization takes place.

I will present some simple examples.

At the first example I will read the timestamp counter. This is done using the rdtsc command which returns the result at eax and edx.

The generated code will be:

-16(%ebp) and -12(%ebp) are the two words that hold the unsigned long long tsc that will get the timestamp counter.

The second example will read and print some cpuid information.

I will only present the second part of the program which prints the processor brand.

Location -32(%ebp) stores the op variable. At the beginning it is assigned the value 0x80000002. I will not comment the code generated for the loop, it is pretty simple. After the .L3 label the inline assembly begins. At the beginning, the op value is moved to the register %eax since it is in the input operands list with the constraint a. The cpuid instruction is then executed since it is in the assembly template. Finally, all registers at the output operands list are saved to the appropriate location, i.e. -28(%ebp) for %eax, -24(%ebp) for %ebx, -20(%ebp) for %ecx and -16(%ebp) for %edx.

You can find more information by writing your own programs and disassembling them using the objdump utility.

If you like this post I will continue with something more advanced.

Categories: Tags:

## Debugging the linux kernel using kgdb and VirtualBox

September 6th, 2009

Kgdb is a source level debugger for the linux kernel. It requires two machines, one running a kernel compiled with kgdb enabled and the second one running gdb. It can be found at sourceforge and a light version has been merged into the 2.6.26 kernel. There is an article at kerneltrap which contains all the appropriate information about this light version and it’s differences from the full one. I am going to describe how you can debug a linux kernel running under VirtualBox using the kgdb-light debugger.

First of all you must define a serial port. Go to the settings of your virtual machine, then at the “Serial Ports” and enable “Port 1”. Use port number COM1, port mode ‘Host Pipe’, check ‘Create Pipe’ and enter a path, e.g. /home/fotisl/virtualbox/myvm/serial1. You can use another port number, e.g. COM2, but then you’ll have to change the device below to ttyS1, ttyS2 for COM3 etc. Furthermore, you can create the pipe yourself and not automatically using:

At your virtual machine you must have a kernel compiled with the option CONFIG_KGDB. You can find this under the “Kernel debugging” menu. I also advise you to enable the CONFIG_DEBUG_INFO to insert debug symbols.

At the host machine you only need to install socat and of course gdb. Socat is a multipurpose relay which can be found here. You should also transfer the uncompressed image of the kernel running at the vm. It can be found at the directory where you compiled the kernel and it’s name will be vmlinux.

You are now ready to start. At the host machine run:

You must note the PTY, in this case /dev/pts/4. Now fire gdb and load vmlinux. Then set the remote baud to 115200 and attach to the serial port.

Now switch to the virtual machine. You must first set the serial port that kgdb will use.

You’re ready to start debugging! When you want to break use the Alt-SysRq-G key combination or use

If you want to start the debugging when the kernel starts loading, append

to the command line parameters of the kernel. You must use this order! First you must register the I/O driver and then kgdb will be able to wait.

You can now explore the linux kernel! Warning, messing with various structures and executing code that you shouldn’t can cause kernel panics and mess up your virtual machine! But you already know that, that’s why you use virtualbox!

Categories: Tags:

## Zero to the zero power at google, wolfram alpha and others

August 23rd, 2009

Yesterday I was trying some features of the google search engine such as the built-in calculator. After trying some simple functions that it supports, I wanted to see its limitations.

First, I tried searching for 1 / 0 or ln(0) in order to see if it has support for infinity. The calculator didn’t even show up to return results, even if searches with a similar format that don’t return infinity such as 4 / 2 and ln(e) returned the correct result. So, google calculator supports infinity but doesn’t inform you about it when it is the result of a calculation.

Then I tried searching for something that is an indeterminate form, such as $0^0$. And the result given by google when searching for 0 ^ 0 was 1! I then tried the same query at Wolfram Alpha which uses the mathematica engine and I got the correct result, indeterminate. EDIT: I made a HUGE error trying to fool the mathematica engine and I fooled myself!!! Thanks to my readers I had the chance to fix it! Still, I wasn’t satisfied and I wanted to see if I could fool it. First I had to find something that is equal to 0 but doesn’t look like this. I decided to use $e^{-\frac{1}{x}}$ which is equal to 0 when x equals 0. Then I tried to evaluate $(e^{-\frac{1}{x}})^x$, i.e. $0^0$ for x = 0. The query I used was (e^(-1/x))^x which returned a lot of information for this function. One thing that I noticed is that it stated «Alternate form assuming all variables are real: $\frac{1}{e}$». Since 0 is real, by substituting in the function we get $0^0 = \frac{1}{e}$! To be honest I didn’t believe that the mathematica engine would fail here and it would be difficult to fool it but it seems I was wrong!

After all these I made some tests to see what real calculator programs return when computing $0^0$. Some results are given below:

• Libc 2.9
pow, powf, powl return 1
Since this returns 1 many of the following will return 1 too
• Perl 5.10.0
0**0 returns 1
• Python 2.5.4
0**0 returns 1
• Bash 3.2.48
\$((0**0)) returns 1
• XCalc from X.Org 7.4
0 $x^y$ 0 returns 1
• Kcalc 2.5 using kde 4.3.0
0 $x^y$ 0 returns nan! Well done!
• Windows calculator 5.1 from windows xp with sp3
0 x^y 0 returns 1
• Mac OS X calculator version 4.0
0 $y^x$ 0 returns 1
Categories: Tags:

## Hello and welcome!

August 21st, 2009

Hello and welcome to my brand new blog!

Before some time I started a blog hosted at wordpress.com. It was written in Greek and although I translated some posts to English, there were people who told me that they couldn’t read it and an English blog would be much better. Now I have registered a new domain name based on my real name and I have started a new blog. All posts will be written in English and I hope no one will have any problems reading it.

The blog will be mostly technically oriented, although I plan on putting some other stuff like mathematics and photography.

Categories: Blog Tags: