This part of the website contains work related to secure programming, vulnerability analysis and exploitation.

Most interesting activities:

There are also some very small utilities used for attack prototyping, see /Misc/Utils/.

Activities by Date

20180111 Libc realpath buffer underflow:

Current glibc6 implementation contains an exploitable buffer underflow in realpath() when Linux kernel getcwd() returns a path not starting with a slash. When exploited, privilege escalation is possible as demonstrated with Ubuntu/Stretch umount. Read more...

20180107 Execute code in sftp chroot when / writable:

The sftp component from OpenSSH provides a chroot-feature for hardening. It is stated in documentation, that the chroot root directory must not be writable. This page documents some analysis results following discussion on openssh-dev mailing list. Some people were questioning the read-only restriction. Here should be some arguments, why it still makes sense in 2018. Read more...

20171225 Gain Access to SSH Group via ssh-agent and OpenSSL:

ssh-agent on Debian from the openssh-client is a set-group-id binary to prevent ptracing. While the anti-ptrace measures are still effective, ssh-agent itself can be used to gain access to the group 'ssh' via the OpenSSL library. As the group is only used by the agent, this seems not cause any further security implications. Read more...

20161230 GuerillaBackup available for Debian:

GuerillaBackup is designed to be a lightweight, resilient, distributed backup and archiving solution with security in mind. It allows to build own backup and transfer flows with one-way data encryption at source, support for GDPR- compliant logfile archiving, transfer without requiring remote code execution capable access to machines and high network bandwith. The Debian inclusion is ongoing, see, also the best source for the packages. The documentation and sources are here, excluding the changes currently in Debian review process.

20160630 Debian Exim Spool directory races local root:

Exim4 is started as root but switches to uid/gid Debian-exim/Debian-exim. To regain privileges for mailbox delivery, it may re-invoke exim4 SUID binary. A race in spool directory handling will thus allow any Debian-exim process to escalate to root. Read more...

20160222 Aufs Union Filesystem Privilege Escalation In User Namespaces:

Aufs is a union filesystem to mix content of different underlying filesystems, e.g. read-only medium with r/w RAM-fs. That is also allowed in user namespaces when module was loaded with allow_userns option. Due to different bugs, aufs in a crafted USERNS allows privilege escalation, which is a problem on systems enabling unprivileged USERNS by default, e.g. Ubuntu Wily. Read more...

20160222 Overlayfs over Fuse Privilege Escalation:

On some systems, e.g. Ubuntu Wily, it is possible to place an USERNS overlayfs mount over a fuse (file system in userspace) mount. Inactive SUID binaries in the user-controllable fuse filesystem may then be copied to other filesystems in copy_up, thus allowing unprivileged users to create arbitrary SUID binaries on the disk. Read more...

20160222 User Namespaces Overlayfs Xattr Setgid Privilege Escalation:

Overlayfs allows to mix content of two filesystems, e.g. read-only medium with r/w RAM-fs. This is also allowed within user namespaces. As overlayfs does not initialize xattr ACLs when copying files, malicious user may gain write access to SGID directories and further gain full member access to that group. As member of group root or staff escalation to user root might be simple. Read more...

20160222 Access to all /dev/pts devices via pt_chown and user namespaces:

/usr/lib/pt_chown was used to change ownership of slave pts devices in /dev/pts to the same uid holding the master file descriptor for the slave. Another devpts instance mountend within user namespace allows unprivileged user to fool pt_chown to operate on file descriptors from inside namespace but change ownership of device with same number outside the namespace. Read more...

20160121 NTP user root privilege escalation via statsdir daily cronjob:

he cronjob script bundled with ntp package on Ubuntu is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled. The script is run as root during the daily cronjobs all operations on the ntp-user controlled statistics directory. Various flaws allow to escalate from ntp user to root. Read more...

20160110 Linux user namespaces overlayfs local root:

Overlayfs in user namespaces were missing a permission check, thus allowing to create modified suid binaries to escalate privileges, e.g. on Ubuntu Wily. Read more...

20151214 Setgid directory privilege escalation:

On some Linux systems, directories with setgid bit set may be found. If a user not belonging to that group is allowed to write to it, he may escalate privileges to that group as demonstrated with group man on Ubuntu Vivid. Read more...

20151214 Mandb user man to root local privilege escalation:

On some Linux systems, man database comes with cleanup job to remove catman pages created as user man. A hardlink attack combined with TOCTOU-vulnerability allows privilege escalantion. Read more...

20150924 Apport symlink vulnerabilities for DOS/privilege escalation:

Ubuntu comes with apport tool for automatic crash reporting. kernel_crashdump is prone to sym- and hardlink attacks, thus allowing denial of service or local root privilege escalation on some systems. Especially the privilege escalation POC contains a nice workaround to create crafted apport compression. Read more...

20150316 A safe row-hammer privilege escalation variant:

The RowHammer attack allows random bit modification in memory. With the D-RamPage POC a disk cache page can be modified again and again without risk. Read more...

20150313 Having fun with the dmesg command:

On standard Linux systems, e.g. Ubuntu Trusty, normal users are allowed to call dmesg to read the kernel logging ring buffer. From security point of view, the reader might gain some interesting data from there. Read more...

20150225 Upstart logrotation cron job privilege escalation:

The upstart logrotate job on Ubuntu Vivid does not sanitize input when reading from /run/user/[uid]/upstart/sessions thus allowing users to escalate privileges. Read more...

20140107 Task-switch FPU state error privilege escalation:

After closer examination, the kernel panic in vm86 syscall could also be triggered from pure userspace code, with mmap_min_addr=0 the NULL-dereference will give arbitrary ring-0 code execution, more...

20131229 Linux Kernel-Panic in vm86 Syscall During Task Switch:

The linux vm86 syscall allows to use the virtual-8086 mode processor backward compatibility feature, used e.g. for dosemu. During task switch, missing FPU initialization causes faults leading to kernel panic, more...

20130519 Introduced RemoteGnupg utility on Enigmail list:

Request for comment on the idea of separating e-mail context from gnupg context containing the private key material. Read more

20121105 TTY input data pushback privilege escalation with su, vserver enter:

Keeping interactive shell TTYs open when switching execution context, e.g. using su, allows malicious programs running in the target context to inject data into the TTY using TIOCSTI ioctl. Read more

20120908 VirtualBox i386 guest crashes on software interrupt 0x8:

Oracle released update for VirtualBox to fix CPU-emulation bug allowing to crash a guest system from ring-3 code due to missing CPL/DPL checks on hardware missing VT-x / AMD-V extensions. Read more

20120818 Disclosure of kernel stack via binfmt_script handler during execve:

Analysis of binfmt_script showed, that under certain conditions, kernel stack data could leak to userspace. Read more

20120817 i386 guest crashes on software interrupt 0x8:

A sequence of not fully understood events leads to crash of VirtualBox guest system. Read more

20120525 Analysis of xpdf crashes on minimal Ubuntu Precise installation:

Recreational and educational analysis of exploitability of xpdf crashes on minimal Ubuntu installs showed, that the bug does not cause exploitable code execution. Read more

20120111 Apache scoreboard invalid free on shutdown in master process:

Modification of scoreboard data, shared by root (uid=0) and wwwdata process, allows triggering of invalid free in root process during apache shutdown, exploitation seems impossible except for really broken chroot configs. CVE-2012-0031, read more

20111031 Integer overflow in ap_pregsub called from mod-setenvif:

A crafted .htaccess file can be used to execute code as user running apache when processing an HTTP-request. CVE-2011-3607, CVE-2011-4415. Read more

20110723 Find multiple ROP execution pathes that could execute independently when ASLR is in place:

If successful, this would allow to improve the odds, that a ROP exploit would work when library mapping offset is randomized using ASLR. Read more

20110624 Apache follows symlinks even with -FollowSymlinks:

The discovery of the ApacheNoFollowSymlinkTimerace feature showed me once more, that not reading documentation quite thoroughly is really dangerous. So the unexpected apache behavior to follow symlinks, even with -FollowSymlinks, turned out to be in specification and documentation. Read more

20110530 Comming to an end with the filesystem recursion and symlink topic:

After more than one year of not very fruitful attempts to address this 20100424 started issue, full problem information was published for open discussion, read more

20110117 Interact With Suid-Binaries Using /Proc-Interface:

The proc file system contains a bug, that allows limited control over a privileged process, e.g. passwd. This could be used to subvert stack address randomization when exploiting bugs in suid-binaries, modify core dump behavior, inject faults via adjustment of oom_killer, read more.

20110119 Trivial buffer overflow in ping6 suid binary:

ping6 does not check the -s [packetsize] parameter, which causes a buffer overflow, read more.

20110111 Low Memory Program Crashing:

Quite a few programs fail to handle memory allocation errors correctly, as demonstrated with grep or sudoedit. This is might be due to missing test procedures for these kind of runtime errors, read more.

20101101 Timerace in fuse:

At least on Ubuntu Lucid, the fusermount tool contains a timerace mounting a user filesystem and updating mtab, thus mtab entries with arbitrary path are created. Crafted mtab entries can then be used to unmount live parts of the filesystem (more).

20100902 Fun with vde_plug bug:

The vde_plug (at least on Ubuntu Hardy) contains a bug, that is triggered when a certain amount of encapsulated ether frame data is sent to the plug in a specially timed manner. Searching for ways to inject arbitrary ether frames on vde link. Read more ...

20100629 Xserver protocol input sanitation missing:

Found numerous errors in current Xserver implementation, some should allow execution of arbitrary code. Reported to vendor, patches already available, but issue still open ...

20100628 Found small but nice data leak in launchpad:

Waiting for evaluation by launchpad members ...
20101101: Launchpad data leak from 20100628 seems still open

20100511 Published tool to generate PGP-keys with defined key-id:

When I created a new pgp key lately, I wanted to have a key id, that has a personal touch and is easy to remember. The result was a small Java application to search for these keys. Read more or see the full disclosure post

20100424 Dilemma handling untrusted filesystem data correctly when walking it recursively:

There is no linux syscall that avoids to access a resource via pathname, if the pathname contains a symbolic link at any position. O_NOFOLLOW works only, if the last path component is a link. So many programs, that walk over file system structures recursively, e.g. backup programs, may stumble, if symlinks are introduces, but not at the last position. Read more

Activities by Category


Activity-related CVEs:


Mailing list gems

Last modified 20180111
Contact e-mail: me (%)