Monday, November 29, 2010

Login notifications, pam_exec scripting

If you like monitoring, you might want to receive a notification at every login (or only at root logins), in addition to the logs.

/etc/profile, bashrc, etc.

One can first think of a script in /etc/profile - I saw that solution on many websites - but it is wrong because the user can connect with "ssh host /bin/sh" (a remote command, not a login shell) and no login script will run at all. Also, this kind of login does not appear in last/wtmp but only in auth.log, logged by sshd (because it is not considered an "interactive login").
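A pam_exec script for the approach in the title, as an added example (not the post's own script): sshd opens a PAM session for every login, including "ssh host /bin/sh", so a session-type pam_exec hook catches what /etc/profile misses. It assumes the script lives at /usr/local/sbin/login-notify and is wired in with the session line quoted in the header comment; the environment variables are the ones pam_exec(8) documents, and NOTIFY_TO / ROOT_ONLY / NOTIFY_HOST are knobs introduced here.

```shell
#!/bin/sh
# login-notify: added example for the pam_exec approach (not the post's own
# script). Wire it in with a line such as
#   session optional pam_exec.so /usr/local/sbin/login-notify
# in /etc/pam.d/sshd (or common-session to also cover login/su); the path is
# an assumption. pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE
# and PAM_TTY; with "optional", a failure here can never block a login.

# Build the notification text. Returns 1 when nothing should be sent:
# session close events, and non-root users when ROOT_ONLY=1.
notify_message() {
  [ "${PAM_TYPE:-}" = open_session ] || return 1
  if [ "${ROOT_ONLY:-0}" = 1 ] && [ "${PAM_USER:-}" != root ]; then
    return 1
  fi
  # PAM_RHOST is empty for local logins (console, su)
  printf 'login: user=%s service=%s tty=%s rhost=%s host=%s\n' \
    "${PAM_USER:-?}" "${PAM_SERVICE:-?}" "${PAM_TTY:-none}" \
    "${PAM_RHOST:-local}" "${NOTIFY_HOST:-$(uname -n)}"
}

# Deliver: always to syslog, and by mail when NOTIFY_TO is set.
# Never returns non-zero, so a stuck mailer cannot interfere with PAM.
main() {
  msg=$(notify_message) || return 0
  logger -t login-notify -p auth.notice "$msg"
  if [ -n "${NOTIFY_TO:-}" ]; then
    printf '%s\n' "$msg" | mail -s "$msg" "$NOTIFY_TO" 2>/dev/null
  fi
  return 0
}

# Only act when invoked by PAM (PAM_TYPE is set); sourcing the file does nothing.
if [ -n "${PAM_TYPE:-}" ]; then
  main
fi
```

Keep the module "optional" and log to syslog before mailing: a notification path that can fail must never be able to lock you out. If you only care about root logins, set ROOT_ONLY=1 near the top of the script, since pam_exec passes no environment of your own to it.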

Saturday, November 06, 2010

Exec race condition exploitations

I recently learned a cool technique for exploiting exec race conditions. It was mentioned in a comment by Julien Tinnes about the 2009 pulseaudio vulnerability in Linux, and more recently by Tavis Ormandy (@taviso) about the GNU C library dynamic linker expanding $ORIGIN in setuid library search path vulnerability. I am sure that many people have known this for ages, but still it was new to me and I thought it was worth a small post on it.

Monday, November 01, 2010

Hack.lu CTF - Challenge 19 "magicwall" writeup, double strcpy

I did not solve challenge 19 "magicwall" during the CTF - my friend Ivanlef0u (@Ivanlef0u) did - but since Fluxfingers (@fluxfingers) kept the CTF online, I had the chance to pwn it too! Just like challenge 20 "sscat", it was binary exploitation.

Hellman (@hellman1908) already made a very good writeup, I just wanted to share my different method.

Sunday, October 31, 2010

Hack.lu CTF - Challenge 9 "bottle" writeup, extracting data from an iodine DNS tunnel

Challenge #9 entitled "bottle" was original and worth its 500 points. We were given the following network capture and instructed to find a message.

Opening the capture in Wireshark reveals a lot of DNS traffic (and 4 ARP requests): it definitely looks like a DNS tunnel.


Saturday, October 30, 2010

Hack.lu CTF - sscat writeup

Last week was the hack.lu 2010 security conference, as well as a high-quality CTF organized by the fluxfingers CTF team. Again I played with Nibbles and we finished 2nd, as you can see on the final scoreboard and my usual graphs (made possible thanks to fluxfingers).

Challenge 20 was a very nice exploitation level. We were given SSH access to a box with a setuid binary called sscat (standing for Serious Substitution Cipher Analysis Tool), with source. We had to exploit the program in order to read the flag file.

Thursday, September 30, 2010

CSAW CTF - Forensics Write-up

The forensics challenges given at CSAW CTF weren't exactly what I was expecting, but we still managed to solve most of them. Here are my write-ups for the 4 challenges.

Challenges were made by Efstratios Gavas (@xtrat), Director of cyber security labs at NYU Poly! Awesome :)

Wednesday, September 29, 2010

CSAW Exploit 3 Write-up - FreeBSD local root

For exploit3, we were given the following instructions:
Get Root. Get the key. If only I can jump over the mountain without being normal
ssh://128.238.66.100:40010
chal3:$+1zX*(
2048 51:41:94:32:cf:b1:3f:d9:74:c1:d2:08:aa:e3:49:2b /etc/ssh/ssh_host_rsa_key.pub (RSA)
1024 22:7f:72:93:93:7e:9a:3d:01:b9:58:ea:74:1a:c5:af /etc/ssh/ssh_host_dsa_key.pub (DSA)

Vulnerable FreeBSD kernel

We ssh in and notice an old FreeBSD kernel. We can try @kingcope's FreeBSD sendfile cache local root. Sadly it does not work out of the box because /tmp is not writable for us: we have to customize the shellcode a bit to use a different directory. Also, we can remove the 64-bit part since we are on 32-bit.

CSAW Exploit 1 Write-up - FreeBSD remote stack based buffer overflow

A few weeks ago Leet More CTF was held, where Nibbles finished 1st! I didn't have time to write any write-ups, but you can find some on the Nibbles blog or by sh4ka, auntitled and hellman.

Last week-end the well-known CSAW CTF (quals) was held by NYU-Poly. Last year's and this year's winners are none other than our awesome friends PPP! We took 2nd place just behind them, see the top15 graph.

They gave us interesting exploit challenges and I had the opportunity to look at exploit1: a remote stack-based buffer overflow under FreeBSD 8.0.

Wednesday, September 01, 2010

Free secondary DNS services

If you run an authoritative DNS server and serve your own zones, you know the need for decent secondary DNS servers, or "slaves", to back you up. I recently changed mine, followed the recommendations on Frankb's page and found new ones.

June 2017 update: so far these are great, so passing the word.
  • puck.nether.net: simple, IPv4+IPv6, supports DNSSEC, 1 location; fairly quick to update
  • freedns.afraid.org: simple, supports DNSSEC, 1 location; a bit slow to update
  • BuddyNS: fancy but does not support DNSSEC, so no
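The check a practitioner wants on top of any of these services is whether the secondaries actually keep up, as an added example (not the post's own script): it queries the SOA of the zone on the primary and on every secondary and reports the ones whose serial differs, treating a non-answering server as out of sync. It assumes dig(1) is installed; the zone and server names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not the post's own code): verify that every secondary serves
# the same SOA serial as the primary, so a free secondary that silently stopped
# transferring the zone is noticed. Assumes dig(1); names are whatever you pass.

# Extract the serial from a "dig +short SOA" answer such as
# "ns1.example.net. hostmaster.example.net. 2017060101 3600 900 1209600 300".
soa_serial() {
  set -- $1                 # unquoted on purpose: split the answer into fields
  [ $# -ge 3 ] || return 1  # empty or truncated answer
  printf '%s\n' "$3"
}

# Read "server serial" lines; the first line is the reference (the primary).
# Print the servers whose serial differs from it.
lagging_servers() {
  awk 'NR == 1 { ref = $2; next } $2 != ref { print $1 }'
}

# check_zone ZONE PRIMARY SECONDARY...   -> 0 if all in sync, 1 otherwise
check_zone() {
  zone=$1; shift
  lag=$(
    for ns in "$@"; do
      ans=$(dig +short +time=3 +tries=1 SOA "$zone" "@$ns")
      serial=$(soa_serial "$ans") || serial=NONE   # no answer counts as lagging
      printf '%s %s\n' "$ns" "$serial"
    done | lagging_servers
  )
  [ -z "$lag" ] || { printf 'out of sync: %s\n' "$lag"; return 1; }
}

# Usage: sh dns-sync.sh example.org ns1.example.org puck.nether.net
if [ $# -ge 2 ]; then
  check_zone "$@"
fi
```

Run it from cron right after you bump a serial: a secondary that is still on the old serial an hour later has a NOTIFY or AXFR problem (often an ACL that forgot the provider's transfer address), and with DNSSEC a stale secondary eventually serves expired signatures.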

Saturday, August 28, 2010

Process list with /proc -r

You may already have encountered this small issue: you are on a system and want to list processes, but the /proc directory has no read permission for you, so you cannot list its entries. Does it stop us? No: as long as the directory still has the execute (search) bit, we can iterate over all possible pids and check whether /proc/<pid>/ exists.

In shell we can get a simple process list with:
$ for P in $(seq 1 32768); do   # 32768 is the default kernel.pid_max
  [ -d "/proc/$P" ] || continue
  echo "$P: $(tr '\0' ' ' 2>/dev/null < /proc/$P/cmdline)"
done
1: init [2]
1423: -bash
[...]
But what if we want more information, just like ps from procps gives us?
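A ps-like listing built the same way, as an added example (not the post's own code): it parses the Name, State, Pid, PPid and Uid fields of /proc/<pid>/status, reads kernel.pid_max instead of guessing an upper bound, and reads cmdline with tr. The parser takes a file path so it can be run on a saved copy of a status file.

```shell
#!/bin/sh
# Added example (not the post's own code): a ps-like listing built only from
# /proc/<pid>/status and /proc/<pid>/cmdline, so it works when /proc itself
# is not listable (no r bit on the directory, but x still allows traversal).

# Print "PID PPID UID STATE NAME" from one /proc/<pid>/status file.
status_line() {
  awk '
    BEGIN { FS = ":[ \t]+" }
    $1 == "Name"  { name = $2 }
    $1 == "State" { split($2, s, " "); state = s[1] }      # "S (sleeping)" -> "S"
    $1 == "Pid"   { pid = $2 }
    $1 == "PPid"  { ppid = $2 }
    $1 == "Uid"   { split($2, u, "[ \t]+"); uid = u[1] }  # real uid is the first of four
    END { if (pid != "") printf "%s %s %s %s %s\n", pid, ppid, uid, state, name }
  ' "$1"
}

# Walk every possible pid. pid_max is a world-readable file, reachable even
# when the /proc directory cannot be listed; fall back to the Linux default.
list_processes() {
  max=$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)
  echo "PID PPID UID STATE NAME CMDLINE"
  p=1
  while [ "$p" -le "$max" ]; do
    if [ -r "/proc/$p/status" ]; then
      # cmdline is NUL-separated; kernel threads and zombies have none
      cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$p/cmdline")
      printf '%s %s\n' "$(status_line "/proc/$p/status")" "${cmd:-[no cmdline]}"
    fi
    p=$((p + 1))
  done
}

# Usage: sh procls.sh list
if [ "${1:-}" = list ]; then
  list_processes
fi
```

This only gets around a missing read bit on /proc. On later kernels mounted with hidepid=2, other users' /proc/<pid> directories are simply not there, and no amount of guessing pids brings them back.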

Sunday, July 25, 2010

Write-up on RootBSD's forensics challenge

Saturday, RootBSD (@r00tbsd #hackbbs) organized a small forensics challenge (in French). About 30 people played the challenge, and we had fun. Fellow Nibbles member sh4ka quickly took first place in just 2 hours and therefore won a shirt of his choice at getdigital.de. I played with two friends - 0vercl0k and thaw - and we took second place a few minutes after sh4ka. Below is my write-up for all the flags, but other players have also posted their write-ups: m_101 and tryks.

CVE-2010-2529 ping infinite loop

On Friday, Ovidiu Mara reported a vulnerability in the ping utility from the iputils package. It was announced as MDVSA-2010:138 by Mandriva Security on the Full Disclosure mailing list, and CVE-2010-2529 has been reserved for it. Be assured it is not a critical bug. In fact, if you ping a malicious host which replies with a malicious packet, ping goes into an infinite loop. Just kill it and you're done.

However, I like networking and found the vulnerability funny (it reminds me a bit of the ping of death), so I investigated, found the vulnerability and developed an exploit.

Wednesday, July 14, 2010

smpCTF challenge #11 write-up, phplist 0day

Challenge #11 of smpCTF was interesting: we were given a URL to a phplist version 2.10.12 installation - with the default admin/phplist administrator account - and instructed to find a 0day.

Tuesday, July 13, 2010

smpCTF challenge #2 write-up

Challenge #2 was similar to defcon trivial 200: you had to escape from a VIM editor, but this time it was not evil - you can see the screen.

We were given the following instructions:
ssh -l luser gordo.smpctf.com -p 2282 Password: smpctf
Help find waldo..

smpCTF challenge #1 write-up

smpCTF challenge #1 was a simple web + programming challenge.

We were given the following instructions:
Set S = 1
Set P = 1
Set previous answer = 1

answer = S * P + previous answer + R
R = 39

After this => S + 1 and P + 1 ('answer' becomes 'previous answer') + 39
then repeat this till you have S = 11065.

The final key will be the value of 'answer' when S = 11065.

Example:
So if R = 15..

17 = 1 * 1 + 1 + 15
36 = 2 * 2 + 17 + 15
60 = 3 * 3 + 36 + 15

Submit the correct answer and you will recieve a flag. Have fun ;D
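The recurrence in these instructions is answer_n = n*n + answer_(n-1) + R with answer_0 = 1. As an added solver (not the post's or the author's code), here it is computed both by the literal loop and by the closed form you get from unrolling it, answer_N = 1 + N(N+1)(2N+1)/6 + N*R, so each method checks the other; the example values with R = 15 (17, 36, 60) come out of both.

```shell
#!/bin/sh
# Added example (not the post's solution): the challenge recurrence computed
# two ways. Shell arithmetic is 64-bit on current systems, enough for N = 11065.

# Iterative: exactly the procedure the instructions describe.
answer_loop() {  # answer_loop N R
  n=1; prev=1
  while [ "$n" -le "$1" ]; do
    prev=$(( n * n + prev + $2 ))
    n=$(( n + 1 ))
  done
  echo "$prev"
}

# Closed form: unrolling gives answer_N = 1 + sum_{k=1}^{N} k^2 + N*R
#                                      = 1 + N(N+1)(2N+1)/6 + N*R
# (the product of three consecutive-ish terms is always divisible by 6).
answer_closed() {  # answer_closed N R
  echo $(( 1 + $1 * ($1 + 1) * (2 * $1 + 1) / 6 + $1 * $2 ))
}

# Usage: sh smp1.sh 11065 39
if [ $# -eq 2 ]; then
  loop=$(answer_loop "$1" "$2"); closed=$(answer_closed "$1" "$2")
  [ "$loop" = "$closed" ] && echo "$closed" || echo "mismatch: $loop vs $closed" >&2
fi
```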

smpCTF challenge #5 write-up - Forensic

smpCTF challenge #5 was forensics: we were given the file forensic1-image and instructed to find a flag.

As usual, we start our analysis with the file command:
$ file forensic1-image
forensic1-image: rzip compressed data - version 2.1 (15185973 bytes)

Monday, July 12, 2010

smpCTF challenge #3 write-up

This week-end was smpCTF, again I played with Nibbles and we ended 1st!

Challenge #3 was just horrible, right? ;) Worse than defcon packet100! But we finally got it, after PPP.

We were given the following instructions and hints:
  • Generate a file which has a SHA-1 hash of: 008ce55c7d1b602dc4c4c3ad52a5d064e6d1ef12
  • Hint: DRM-0, Linux-1
  • _DO NOT BRUTE FORCE_ it's not required...
  • Hidden hint (HTML comment): t3=(*((unsigned int *)(key+2)))^(*((unsigned int *)(sec+0x56)));

Friday, July 09, 2010

From file tampering to local root

Ubuntu Security Notice USN-959-1 (CVE-2010-0832) reports that Denis Excoffier discovered a serious flaw in the PAM MOTD module in Ubuntu: it does not correctly handle path permissions when creating user file stamps. For more details, just have a look at the diff.

The exploit made by Kristian Erik Hermansen allows tampering with any file. From that, we can get root, for example by adding a user with uid 0. We don't want an empty password because the SSH server sshd has PermitEmptyPasswords set to no by default. Also, we don't want to be prompted for a password at SSH connection, so we could create a temporary SSH key and add it to authorized_keys. Also, we want to be sure we back up any file we modify. Finally, we want to remove the rogue user and restore the files we modified.
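The defender's side of the same plan, as an added example (not the post's or the exploit author's code): a second uid 0 account and any passwd line that differs from a known-good copy are exactly what this kind of file tampering leaves behind. The functions take file paths so they also run on saved copies; the /var/backups/passwd.bak baseline in the usage line is an assumption (Debian's daily cron keeps one there), and a baseline that lives on the same box can be tampered with too, so keep a copy elsewhere.

```shell
#!/bin/sh
# Added example (not the post's or the exploit's code): detect the persistence
# trick described above, a second uid 0 account, and more generally any passwd
# entry that differs from a known-good copy.

# Every account with uid 0 that is not "root", one name per line.
extra_uid0_accounts() {  # extra_uid0_accounts [passwd-file]
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Names of entries in CURRENT that are absent from BASELINE, i.e. added or
# modified lines (a rogue user, a changed shell, a changed uid...).
changed_entries() {  # changed_entries BASELINE CURRENT
  awk -F: 'NR == FNR { seen[$0] = 1; next } !($0 in seen) { print $1 }' "$1" "$2"
}

# Run both checks; print the suspicious names and fail when anything is found.
audit_passwd() {  # audit_passwd BASELINE [CURRENT]
  cur=${2:-/etc/passwd}
  bad=$( { extra_uid0_accounts "$cur"; changed_entries "$1" "$cur"; } | sort -u)
  [ -z "$bad" ] || { printf 'suspicious passwd entries: %s\n' "$bad"; return 1; }
}

# Usage: sh passwd-audit.sh /var/backups/passwd.bak   (baseline path is an assumption)
if [ -n "${1:-}" ]; then
  audit_passwd "$1"
fi
```

The same two-file comparison applies to /etc/shadow, /etc/sudoers and root's authorized_keys, which are the other files an "overwrite anything" primitive is typically pointed at.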

Sunday, June 13, 2010

UnrealIRCd 3.2.8.1 backdoored, investigation

UnrealIRCd is a great IRC server software (daemon) and very popular among mid-sized networks because of its highly advanced features and the fact that it is cross-platform (at least Windows and Linux are fully supported).

Yesterday, bad news: some versions of Unreal3.2.8.1.tar.gz contain a backdoor because download mirrors have been compromised.. since November 2009! Read the official security advisory for more information. Other websites are reporting the issue, and someone even provided a small shell script to fix the flaw: it basically reverts the changes with diff+patch, then make clean & make again, so you just have to restart your IRCd. If you're running an UnrealIRCd you should double-check your installation, because some exploits are already widespread, as well as an NSE (Nmap Scripting Engine) script (seen on the nmap-dev mailing list) to scan & kill IRC servers infected by the backdoor.
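Two checks an admin can script for that "double-check your installation" advice, as an added example (not the post's or UnrealIRCd's code): a digest comparison of the downloaded tarball against a value taken from the vendor's advisory rather than from the same mirror, and the advisory's own marker test, which greps include/struct.h for the DEBUG3_DOLOG_SYSTEM macro that only the trojaned source contains. The expected digest and the source directory are parameters; the hash in the usage comment is a placeholder, not a real release digest.

```shell
#!/bin/sh
# Added example (not the post's or UnrealIRCd's code): checks to run on a
# downloaded tarball and on an unpacked tree before building and starting it.
# Take the expected digest from the advisory or a signed announcement, never
# from the mirror that served the tarball.

# Compare a file's SHA-256 against an expected value; returns 0 only on match.
verify_digest() {  # verify_digest FILE EXPECTED_SHA256
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$1" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$1" | awk '{print $1}')   # BSD/macOS
  fi
  [ "$actual" = "$2" ]
}

# The advisory's check: the backdoored include/struct.h contains the
# DEBUG3_DOLOG_SYSTEM macro, a clean tree does not. Returns 0 if backdoored.
tree_is_backdoored() {  # tree_is_backdoored SRCDIR
  grep -q 'DEBUG3_DOLOG_SYSTEM' "$1/include/struct.h" 2>/dev/null
}

# Usage: sh unreal-check.sh Unreal3.2.8.1.tar.gz <sha256 from the advisory> Unreal3.2
if [ $# -eq 3 ]; then
  verify_digest "$1" "$2" && echo "tarball digest OK" || echo "tarball digest MISMATCH" >&2
  tree_is_backdoored "$3" && echo "source tree is BACKDOORED" >&2 || echo "no backdoor marker found"
fi
```

A build that already ran is not cleared by either check: the marker lives in the source, the behaviour in the binary, so after reverting the source you still rebuild and restart, as the fix script above does.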

Oh and a funny thing on Yahoo News and Techworld (who seem to have copy/pasted Yahoo News..):
The good news [...] is that the Trojan is in a game download so it should
have no bearing on Linux in a business setting.
Unreal is a popular first-person shooter game--similar to Doom or Quake.
No, Unreal is not UnrealIRCd. :)

As a curious person I wanted to know more about this backdoor, so let's investigate.

Sunday, June 06, 2010

Updated links, XMLStarlet

Just a small message to let you know that I have updated my links list. Big thanks to these good sites/blogs that I read regularly via their RSS/Atom feeds.

To create this list, I exported my subscriptions from Google Reader and used XMLStarlet to easily parse the XML.
F=google-reader-subscriptions.xml
# read folder titles line by line so a title containing spaces is not split into several
xmlstarlet sel -t -m '/opml/body/outline' -v "@title" -n "$F" | while IFS= read -r N; do
  echo "# $N"
  xmlstarlet sel -t -m "/opml/body/outline[@title='$N']/outline" -v "@title" -o '|' -v '@htmlUrl' -n "$F"
done > subscriptions
# manual edit to remove some things
grep -v '^#' subscriptions |sort |awk 'BEGIN{FS="|"} {if ($0!="") print "<a href=\""$2"\">"$1"</a><br />"}' > feeds.html
Some resources about XMLStarlet.

Update 2011: too many feeds to fit nicely on the blog so I removed it. If you are looking for feeds, check out infond's or eikonal's.

Saturday, May 29, 2010

Defcon 18 CTF quals writeup - Forensics 100

Forensics 100 was simple forensics but still with some traps.

Description: find the key, and they gave us the following file, which turned out to be a gzipped raw disk image.

First analysis

After extracting, use the file command to recognize a raw disk image:
$ file f100_6db079ca91c4860f.bin
f100_6db079ca91c4860f.bin:    x86 boot sector; partition 1: ID=0x7, starthead 0,
  startsector 31, 31558 sectors

Thursday, May 27, 2010

Defcon 18 CTF quals writeup - Packet 200

Packet Madness 200 was a simple TCP server speaking an uncommon language (at least now).

Description: These folks speak a different language. Join their site and translate the key for us.

We open the file in Wireshark and see a TCP stream, so the first thing we do is right-click and "Follow TCP Stream" to see the contents of the stream in a single window.

Defcon 18 CTF quals writeup - Trivial 200

Trivial 200 was an evil blind VIM terminal you had to escape from.

Description: sheep@pwn21.ddtek.biz:6000 sheep go baaAaaA

One could simply SSH to the server with:
ssh -p 6000 sheep@pwn21.ddtek.biz # and use password baaAaaA
However, it appeared that the server was overloaded and most of the time SSH did not work. The solution is to connect to SSH continuously until it works with some shell scripting:
while true; do
  ssh -p6000 sheep@pwn21.ddtek.biz
done
Once connected, you get a black screen with nothing but rapidly discover you are in VIM text editor.

Tuesday, May 25, 2010

Defcon 18 CTF quals writeup - Packet 100

Packet 100 was just... horrible, right? :) However some teams managed to get it, here is my writeup.

Description: sumthing is not like the other... Here are your packets.

We have a capture file of several ICMP echo-request/echo-reply pings. We can ignore the echo-reply packets because they carry the same payload (it's a ping).
First, we focused on the only packet with a 129-byte payload instead of 256, but achieved nothing, so we focused on the other packets.
We tried so many things: frequency analysis, Caesar, XORs, considering only ASCII, summing things, the IP checksum, the Ethernet MAC, using the first packet as a key or initialisation vector. But in fact it turned out to be what the description said, "sumthing is not like the other": only consider the bytes that reside only in this packet, and concatenate (sum) them.

Defcon 18 CTF quals writeups and scoreboard

This week-end was Defcon #18 CTF quals; I played with Nibbles and we managed to get #10! Congrats everyone, and thank you DDTEK, it was an awesome experience.

There are already many great writeups on the challenges available on the internet; if you want links, check out my friend @Ivanlef0u, he tweets them all. Update: all links are now also on Defcon's CTF archive page.

In the following posts I'll give my own writeups, the challenge files being available here.

By the way, the scoreboard was a Java applet connecting to DDTEK with some custom SSL. I was sad that no full scoreboard was made public by DDTEK, so at the beginning of the CTF - while waiting for new challenges to open - I decompiled the Java applet and modified it in order to fetch the scoreboard (only the top 15 was available) regularly, and archived all the different scoreboards over time. After extracting the scores, it allowed me to create a top15 graph using flot just like shallweplayaga.me did. The scoreboard archive is here if you want to make your own graphs or anything else.

Friday, May 21, 2010

CITCTF write-ups, Defcon

As previously mentioned, last week-end was CIT CTF. It was great, thank you! Again, I played with Nibbles and wow.. we managed to arrive in 1st place! Nibbles plans to release a document with our write-ups (instead of multiple blog posts), but meanwhile you can find some of my notes in my citctf directory:
  • Matryoshka: hundreds of nested password-protected archives, just like Russian nesting dolls. Questions were answered with Google and the extraction automated with some shell.
  • What is her name: interesting steganography, with files embedded into a picture, and finally the password revealed by diff'ing two pictures. And no, her name was not Darya ;)
  • Damned traffic: a weird tcpdump output with pictures, ICMPs, fragmented IP with UDP. I had fun playing with Python and my favourite network packet manipulation tool Scapy but did not find anything, nor did any other team, and sadly the staff did not release any hint.. I'm wondering if they plan to release the solution or if we will never find out what it was.
  • Time bomb: a real time bomb in BASIC code along with the schematics; we had to find the exact time & location of the explosion. We thought we had it, but sadly we failed :( I'm looking forward to other write-ups to understand what it really was.
Update: very good writeups by @citizen_stig.

And as you probably know this week-end there is another competition: Defcon CTF Quals. First time for me, again playing with Nibbles, we will try to have fun and do our best! Good luck if you are a player too.

Monday, May 17, 2010

Small OpenVZ admin and backup scripts

I have been using OpenVZ for a while now, and over time I created very small scripts to make my sysadmin life easier.

Update 2013-01-14: as these evolve, I put them on github: StalkR/misc/openvz.

Update 2010-06-10: new scripts and updated some of them. Instead of embedding them in the post, scripts are available here.

You'll find:
  • vz* for OpenVZ, there are many but my favourite is vzl (a nice vzlist)
  • backup-all, to do backups using vzdump (with a powerful backup exclude system), send them to FTP, nice summary output
  • backup-purge, to purge old and no longer valid backups on FTP
  • ftpbackup*, for all FTP backup stuff using lftp: send files, get disk usage, shortcut to send FTP commands

I have put these scripts in /usr/local/sbin and find them useful. Note that many of these scripts depend on others to work properly.

If you like them too, help yourself!

Friday, May 14, 2010

OpenVZ 2.6.32, soon Proxmox kernel 2.6.32 with KVM & OpenVZ

This is great, I just discovered that OpenVZ has a 2.6.32 branch: kernel 2.6.32-avdeyev.1 is available. As you may know, 2.6.32 will be a major kernel version (like 2.6.18 was) for important distributions such as Red Hat 6, Debian squeeze, etc. By the way, squeeze should be released as Debian stable this year.

A good consequence is that the Proxmox 2.6.32 kernel, which currently only has KVM, will also support OpenVZ, so there will no longer be any need to stick with the old 2.6.18. They have not announced a release date yet, but it should come this year too.

Wednesday, May 05, 2010

UDP scan with ICMP port unreachable and scapy

As you probably know, scanning for open UDP ports is painful because UDP is connectionless: there is no SYN/SYN-ACK handshake to tell you a port is open. The only definite answer is a negative one, an ICMP port unreachable (type 3, code 3) for a closed port; no answer at all means "open or filtered", and most hosts rate-limit the ICMP errors they send (Linux to about one per second by default), which is what makes a full-range scan so slow.

The ultimate network scanner nmap knows how to perform a UDP scan:
$ nmap -sU -p1-65535 <target>
You can add useful options such as -sV (probe open ports to determine service/version info). The scan is much longer than a TCP scan, but sometimes it works. Yes, sometimes. Recently I started a simple UDP server (with socat) on a random port and challenged myself to find it within the whole 1-65535 range: I appeared to be unable to find it with nmap (I'm probably misusing nmap).

Friday, April 23, 2010

Codegate, HES2010, citctf

As you may know, I played Codegate CTF quals with Nibbles and we managed to be #11. As you can see, there were many good write-ups on the challenges. Despite being 11th, my friend SiD & I had the chance to go to Korea to play the CTF finals and it was great: discovering Korea, playing CTF (we managed to arrive 4th!), meeting other teams, conference speakers and other nice people. Also, the networking session was awesome! I didn't have the time to see the conference talks, but they were reported to be very good as well.

Challenges by LM**2 were again interesting, excellent write-up from HFS (winners) for the encrypted shellcode (only team to solve it!). I should write-up on some challenges too if I have time. In the meantime I would love to see the challenges available on the net, maybe on intruded?

To conclude Codegate 2010 was amazing, well-organized by Softforum, great people and a lot of fun. You can find nice pictures of the whole event from yoggy0 and team PPP our CTF friends. I will definitely do my best to return next year if there is a Codegate 2011 :)

At the same time, Hackito Ergo Sum (HES) security conference was happening in France: impressive program and speakers (slides are available), they also organized a wargame with OverTheWire guys (reputed for their good online challenges), and recently even made it available among their other wargames (thank you, starting to play hehe!).

Among the next events are CIT CTF on May 15-16 (registration) from our Russian friends of Codegate, and obviously Defcon CTF quals on May 21-24 (registration). Good luck and have fun if you're a player too!

Wednesday, March 17, 2010

Write-up Codegate 2010 #17 - Crypto, Linear Congruential Generators and Vernam Cipher, the power of XOR

Challenge #17 was crypto, based on Linear Congruential Generators (LCG), a well known pseudorandom number generator (PRNG), and the Vernam Cipher, which is basically a XOR cipher relying on exclusive OR. Sadly, we did not solve this challenge in time. However my friend Ivan solved it afterwards thanks to Julianor (a staff member).

Basically, there is a TCP server listening to incoming connections. We simply use netcat (or telnet) to connect to it:
$ nc ctf3.codegate.org 10909
a?

c?

m?

Bad values

Tuesday, March 16, 2010

Write-up Codegate 2010 #19 - Forensic, introduction to the Sleuth Kit and Autopsy

Challenge #19 was also interesting, at least for the story:
Found a dead guy on the street, assumed that a guy committed suicide.
How can you assume that? Find the clue.
And they gave us a simple binary file: 56DACF1C6CF363F27501FFCA50CC0415 (9.6MB).

Monday, March 15, 2010

Write-up Codegate 2010 #7 - Decrypting HTTPS SSL/TLSv1 using RSA 768bits with Wireshark

Last week-end, I was a challenger at Codegate 2010 Capture the Flag with team Nibbles. Well organized by Korean guys (who didn't sleep a lot either ;), the CTF proposed quality challenges and I thought it would be a great subject for a few posts.

Challenge #7 was a network capture file (ssl.pcap) containing an encrypted https session. The hint was: does the modulus look familiar?. The goal is obviously to decrypt the https to find the flag. Let's see how we can do that!

Steps:
  1. Extract public certificate
  2. Identify encryption
  3. Create private certificate
  4. Decrypt https

Friday, March 12, 2010

Nanosecond time measurement with clock_gettime, CPU idling

Recently, I had to do latency testing of message passing between kernel-land and user-land, so I first looked at the time structures and functions available in both the kernel and the libc, and then I looked at possible tuning of the kernel.

Obviously gettimeofday is not precise enough because it returns a timeval structure (defined in sys/time.h), which only has microsecond resolution:
struct timeval {
  time_t      tv_sec;       /* seconds */
  suseconds_t tv_usec; /* microseconds */
};

Friday, February 05, 2010

Proxmox KVM - Reach VNC in IPv6

These days, I am playing with Proxmox, a free and open-source Linux distribution which provides an easy solution for virtualization. In fact, they include:
  • a linux kernel with KVM (full virtualization) and OpenVZ (containers)
  • an interface to manage kvm, openvz, storage, backups and also monitoring

You can create, start, stop your virtual machines or containers via the web interface. For a KVM, they even provide a VNC java applet to see the screen of your virtual machine. This is amazing!

Tuesday, January 19, 2010

POSIX File Capabilities

Sometimes you need a particular program to do a specific task that requires administrative (root) privileges. You can run your program with sudo, or chown your program to root and use the setuid bit (which runs the program with its owner's uid). However, the setuid bit has serious security issues: if you are able to change the flow of execution of the program (and if the program does not drop its root privileges once they are no longer necessary), you can get a root shell.

More specifically, I needed a program to be able to create raw sockets without requiring full root privileges. It's possible, using POSIX file capabilities, which rely on the kernel's capabilities architecture: the binary gets only CAP_NET_RAW instead of everything root can do.

Tuesday, January 12, 2010

Enabling Wake-on-LAN

The first thing you do when you configure Wake-on-LAN is to enable it in your motherboard BIOS (on my ASRock it's "wake on PCI device -> enabled").

However, this is not enough because when you leave Linux (or Windows), your network card may not be set to wake up from LAN. Thanks to tjansson, I'm now using the following root crontab entry to enable Wake-on-LAN every time Linux starts (I prefer that to an init/rc6 script).
@reboot /usr/sbin/ethtool -s eth0 wol g

I invite you to read tjansson's blog entry for more information.