This part of the website contains work related to secure programming, vulnerability analysis and exploitation.
Secure programming: Common errors and secure programming techniques to work around those. Currently work in progress (20121105). Read more.
Most interesting activities:
20130519 Introduced RemoteGnupg utility on Enigmail list: Request for comment on the idea of separating e-mail context from gnupg context containing the private key material. Read more
20121105 TTY input data pushback privilege escalation with su, vserver enter: Keeping interactive shell TTYs open when switching execution context, e.g. using su, allows malicious programs running in the target context to inject data into the TTY using TIOCSTI ioctl. Read more
20120908 VirtualBox i386 guest crashes on software interrupt 0x8: Oracle released an update for VirtualBox to fix a CPU-emulation bug that allowed ring-3 code to crash a guest system, caused by missing CPL/DPL checks on hardware without VT-x / AMD-V extensions. Read more
20120818 Disclosure of kernel stack via binfmt_script handler during execve: Analysis of binfmt_script showed that, under certain conditions, kernel stack data could leak to userspace. Read more
20120817 i386 guest crashes on software interrupt 0x8: A sequence of not fully understood events leads to a crash of a VirtualBox guest system. Read more
20120525 Analysis of xpdf crashes on minimal ubuntu precise installation: Recreational and educational analysis of the exploitability of xpdf crashes on minimal ubuntu installs showed that the bug does not lead to exploitable code execution. Read more
20120111 Apache scoreboard invalid free on shutdown in master process: Modification of scoreboard data, shared by the root (uid=0) process and the wwwdata process, allows triggering an invalid free in the root process during apache shutdown; exploitation seems impossible except for really broken chroot configs. CVE-2012-0031. Read more
20111031 Integer overflow in ap_pregsub called from mod-setenvif: A crafted .htaccess file can be used to execute code as the user running apache when an HTTP request is processed. CVE-2011-3607, CVE-2011-4415. Read more
20110723 Find multiple ROP execution paths that could execute independently when ASLR is in place: If successful, this would improve the odds that a ROP exploit works when the library mapping offset is randomized by ASLR. Read more
20110624 Apache follows symlinks even with -FollowSymlinks: The discovery of the ApacheNoFollowSymlinkTimerace feature showed me once more that not reading documentation quite thoroughly is really dangerous. So the unexpected apache behavior of following symlinks, even with -FollowSymlinks, turned out to be in the specification and documentation. Read more
20110530 Coming to an end with the filesystem recursion and symlink topic: After more than one year of not very fruitful attempts to address this issue, started on 20100424, the full problem information was published for open discussion. Read more
20110117 Interact With Suid-Binaries Using /Proc-Interface: The proc file system contains a bug that allows limited control over a privileged process, e.g. passwd. This could be used to subvert stack address randomization when exploiting bugs in suid binaries, to modify core dump behavior, or to inject faults via adjustment of the oom_killer. Read more.
20110119 Trivial buffer overflow in ping6 suid binary: ping6 does not check the -s [packetsize] parameter, which causes a buffer overflow. Read more.
20110111 Low Memory Program Crashing: Quite a few programs fail to handle memory allocation errors correctly, as demonstrated with grep or sudoedit. This might be due to missing test procedures for this kind of runtime error. Read more.
20101101 Timerace in fuse: At least on ubuntu lucid, the fusermount tool contains a time race between mounting a user filesystem and updating mtab, so mtab entries with arbitrary paths can be created. Crafted mtab entries can then be used to unmount live parts of the filesystem (more).
20100902 Fun with vde_plug bug: vde_plug (at least on ubuntu hardy) contains a bug that is triggered when a certain amount of encapsulated ether frame data is sent to the plug in a specially timed manner. Searching for ways to inject arbitrary ether frames on a vde link. Read more ...
20100629 Xserver protocol input sanitization missing: Found numerous errors in the current xserver implementation, some of which should allow execution of arbitrary code. Reported to vendor, patches already available, but issue still open ...
20100628 Found small but nice data leak in launchpad: Waiting for evaluation by launchpad members ...
20101101: Launchpad data leak from 20100628 seems still open
20100511 Published tool to generate PGP-keys with defined key-id: When I created a new pgp key lately, I wanted to have a key id that has a personal touch and is easy to remember. The result was a small Java application to search for these keys. Read more or see the full disclosure post
20100424 Dilemma handling untrusted filesystem data correctly when walking it recursively: There is no Linux syscall that refuses to access a resource via a pathname if that pathname contains a symbolic link at any position. O_NOFOLLOW works only if the last path component is a link. So many programs that walk file system structures recursively, e.g. backup programs, may stumble if symlinks are introduced at a position other than the last one. Read more
Activity-related CVEs:
Misc:
Mailing list gems
Last modified 20130519
Contact e-mail: me (%) halfdog.net