This part of the website contains work related to secure programming, vulnerability analysis and exploitation.
There are also some very small utilities used for attack prototyping, see /Misc/Utils/.
Ubuntu comes with the apport tool for automatic crash reporting. Its kernel_crashdump component is prone to symlink and hardlink attacks, allowing denial of service or local root privilege escalation on some systems. The privilege escalation POC in particular contains a nice workaround to create crafted apport compression data. Read more...
The RowHammer attack allows modification of random bits in memory. With the D-RamPage POC, a disk cache page can be modified again and again without risk. Read more...
On standard Linux systems, e.g. Ubuntu Trusty, normal users are allowed to call dmesg to read the kernel logging ring buffer. From a security point of view, a reader might gain some interesting data from it. Read more...
The upstart logrotate job on Ubuntu Vivid does not sanitize input when reading from /run/user/[uid]/upstart/sessions, thus allowing users to escalate privileges. Read more...
After closer examination, the kernel panic in the vm86 syscall could also be triggered from pure userspace code; with mmap_min_addr=0, the NULL dereference gives arbitrary ring-0 code execution, more...
The Linux vm86 syscall allows use of the processor's virtual-8086 mode backward compatibility feature, used e.g. by dosemu. During task switching, missing FPU initialization causes faults leading to a kernel panic, more...
Request for comments on the idea of separating the e-mail context from the gnupg context containing the private key material. Read more
Keeping interactive shell TTYs open when switching execution context, e.g. using su, allows malicious programs running in the target context to inject data into the TTY using the TIOCSTI ioctl. Read more
Oracle released an update for VirtualBox to fix a CPU-emulation bug that allowed crashing a guest system from ring-3 code, due to missing CPL/DPL checks on hardware without VT-x / AMD-V extensions. Read more
Analysis of binfmt_script showed that, under certain conditions, kernel stack data could leak to userspace. Read more
A sequence of not fully understood events leads to a crash of a VirtualBox guest system. Read more
Recreational and educational analysis of the exploitability of xpdf crashes on minimal Ubuntu installs showed that the bug does not lead to exploitable code execution. Read more
Modification of scoreboard data shared between the root (uid=0) and www-data processes allows triggering an invalid free in the root process during apache shutdown; exploitation seems impossible except for really broken chroot configs. CVE-2012-0031, read more
A crafted .htaccess file can be used to execute code as the user running apache when an HTTP request is processed. CVE-2011-3607, CVE-2011-4415. Read more
If successful, this would improve the odds that a ROP exploit works when the library mapping offset is randomized using ASLR. Read more
The discovery of the ApacheNoFollowSymlinkTimerace feature showed me once more that not reading documentation thoroughly enough is really dangerous. So the unexpected apache behavior of following symlinks, even with -FollowSymlinks, turned out to be within specification and documentation. Read more
After more than one year of not very fruitful attempts to address this issue, started on 20100424, the full problem information was published for open discussion, read more
The proc file system contains a bug that allows limited control over a privileged process, e.g. passwd. This could be used to subvert stack address randomization when exploiting bugs in suid binaries, to modify core dump behavior, or to inject faults by adjusting the oom_killer settings, read more.
ping6 does not check the -s [packetsize] parameter, which causes a buffer overflow, read more.
Quite a few programs fail to handle memory allocation errors correctly, as demonstrated with grep or sudoedit. This might be due to missing test procedures for this kind of runtime error, read more.
At least on Ubuntu Lucid, the fusermount tool contains a race condition between mounting a user filesystem and updating mtab, so mtab entries with an arbitrary path can be created. Crafted mtab entries can then be used to unmount live parts of the filesystem (more).
vde_plug (at least on Ubuntu Hardy) contains a bug that is triggered when a certain amount of encapsulated Ethernet frame data is sent to the plug in a specially timed manner. Searching for ways to inject arbitrary Ethernet frames on a vde link. Read more ...
Found numerous errors in the current Xserver implementation; some should allow execution of arbitrary code. Reported to the vendor, patches already available, but the issue is still open ...
Waiting for evaluation by launchpad members ...
20101101: Launchpad data leak from 20100628 still seems to be open
When I created a new pgp key lately, I wanted to have a key id that has a personal touch and is easy to remember. The result was a small Java application to search for such keys. Read more or see the full disclosure post
There is no Linux syscall that refuses to access a resource via a pathname if the pathname contains a symbolic link at any position. O_NOFOLLOW only works if the last path component is a link. So many programs that walk file system structures recursively, e.g. backup programs, may stumble if symlinks are introduced anywhere but at the last position. Read more
Last modified 20180111
Contact e-mail: me (%) halfdog.net