
Samba Remote Exploit by Kingcope in 2010

Fri, 05 Feb 2010

Description

I stumbled upon this YouTube video: http://www.youtube.com/watch?v=NN50RtZ2N74

It shows a Samba zero-day exploit of a directory traversal / information disclosure security flaw.

Like the last times I blogged about something like this, I want to clarify first: every piece of software has flaws, and some of them are security issues. So I'm not going to say "haha, the Samba team is stupid" just because of a security flaw. But like the last posts, this one is special...

Samba is a fairly large software project. The current stable version, 3.4.5, is 100MB after extracting. I didn't bother to measure the plain code size, but I would call it 'pretty large'. So we can be sure there are dozens of flaws in it. I guess most of them are pretty hidden, obscure and hard-to-find issues.

But what kcope found is so stupid that I did not expect to see it in the wild, especially in such an openly developed and world-wide deployed piece of software as Samba.

The bug is a design issue. What was done wrong is pretty obvious. Every coder should know: never trust a client.

Think of a cinema. It's the server. You buy a printed ticket, often on special paper to make it harder to fake. And there are some guys (or girls) who check whether you're old enough for the movie.

Normally, they would take your ticket, look at the age rating and then let you in or not.

In the Samba cinema, you write the ticket yourself. And it's up to you to write the movie's name and the age rating. And the people at the entrance just trust you... Sounds stupid? Yes...

The Code

On line 2741 of samba-3.4.5/source3/client/client.c the function cmd_symlink is defined:

   static int cmd_symlink(void)
   {
        TALLOC_CTX *ctx = talloc_tos();
        char *oldname = NULL;
        char *newname = NULL;
        char *buf = NULL;
        char *buf2 = NULL;
        char *targetname = NULL;
        struct cli_state *targetcli;

        if (!next_token_talloc(ctx, &cmd_ptr,&buf,NULL) ||
            !next_token_talloc(ctx, &cmd_ptr,&buf2,NULL)) {
                d_printf("symlink <oldname> <newname>\n");
                return 1;
        }
        oldname = talloc_asprintf(ctx,
                        "%s%s",
                        client_get_cur_dir(),
                        buf);
        if (!oldname) {
                return 1;
        }
        newname = talloc_asprintf(ctx,
                        "%s%s",
                        client_get_cur_dir(),
                        buf2);
        if (!newname) {
                return 1;
        }

        if (!cli_resolve_path(ctx, "", auth_info, cli, oldname, &targetcli, &targetname)) {
                d_printf("link %s: %s\n", oldname, cli_errstr(cli));
                return 1;
        }

        if (!SERVER_HAS_UNIX_CIFS(targetcli)) {
                d_printf("Server doesn't support UNIX CIFS calls.\n");
                return 1;
        }

        if (!cli_unix_symlink(targetcli, targetname, newname)) {
                d_printf("%s symlinking files (%s -> %s)\n",
                        cli_errstr(targetcli), newname, targetname);
                return 1;
        }

        return 0;
   }

As you can see, it defines the command-line command 'symlink', which takes two parameters: the link target and the link name. The SMB request apparently needs paths rooted at the share rather than at the user's current directory, so the client prepends its own working directory to both arguments:

        oldname = talloc_asprintf(ctx,
                        "%s%s",
                        client_get_cur_dir(),
                        buf);

Let's say you are in \\public. If you now type `symlink foo bar` in the client, this function turns oldname into something like /path/to/public/foo. But that happens on the client side! As in _all_ client/server scenarios, if you use your own client (or patch smbclient, as in the video), you can send anything you like to the server.

So it is essential to validate the input on the server as well, and that doesn't happen here: the server blindly trusts the path the client assembled. (Samba's own fix for this, CVE-2010-0926, shipped in 3.4.6, is server-side: when 'unix extensions = yes', the 'wide links' option now defaults to 'no', so smbd refuses to follow symlinks that lead outside the share. On older versions, setting 'wide links = no' in smb.conf is the mitigation.)

With a crafted client you can simply send a request to add a symlink called 'foo' that points to any path you want, for example /. If you entered such a request in the stock client, it would prepend the working directory and you would end up creating a symlink to something inside the current directory.

Once you have created a symlink to /, you can browse that directory through the share even though you only had access to a small public directory.

PS: Kcope uses ../../../../../ as the target of the symlink. I don't know why he didn't use /. Maybe because Samba would still sanitize that somehow. But I haven't looked at that more closely yet.
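As an added example (not Samba's code and not from the video), here is the kind of server-side containment check the post argues for: given the share root, the directory the link is created in and the client-supplied target, it decides whether the link would resolve outside the share. The share path /srv/public and the function names are assumptions for this example. The check is purely lexical, so it rejects both / and ../../../../../ as targets; a real server would also have to account for symlinks already on disk (realpath after creation), which is why Samba's own fix refuses to follow links outside the share rather than inspecting targets.

```c
/* Added example, not Samba code: reject client-supplied symlink targets
 * that would resolve outside the share root. Pure string processing. */
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 4096

/* Lexically normalise an absolute path: collapse repeated '/', drop "."
 * components and let ".." pop the previous component (never above "/").
 * Does not consult the filesystem. Returns 0 on success, -1 on overflow. */
static int lexical_normalize(const char *in, char *out, size_t outsz)
{
    char tmp[PATH_MAX_LEN];
    char *parts[PATH_MAX_LEN / 2];
    size_t n = 0, used = 0;

    if (strlen(in) >= sizeof tmp) return -1;
    strcpy(tmp, in);

    for (char *tok = strtok(tmp, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (n > 0) n--; continue; }
        parts[n++] = tok;
    }
    if (n == 0) {
        if (outsz < 2) return -1;
        strcpy(out, "/");
        return 0;
    }
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(parts[i]);
        if (used + 1 + len + 1 > outsz) return -1;
        out[used++] = '/';
        memcpy(out + used, parts[i], len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

/* Would a symlink created in link_dir (absolute path inside the share) with
 * the client-supplied target resolve inside share_root?
 * Returns 1 if it stays inside, 0 if it escapes or cannot be checked. */
int symlink_target_inside_share(const char *share_root, const char *link_dir,
                                const char *target)
{
    char root[PATH_MAX_LEN], joined[PATH_MAX_LEN], resolved[PATH_MAX_LEN];
    size_t rl;

    if (lexical_normalize(share_root, root, sizeof root) != 0) return 0;

    if (target[0] == '/') {                 /* absolute target: taken as-is */
        if (strlen(target) >= sizeof joined) return 0;
        strcpy(joined, target);
    } else if (snprintf(joined, sizeof joined, "%s/%s", link_dir, target)
               >= (int)sizeof joined) {     /* relative target: join with link dir */
        return 0;
    }
    if (lexical_normalize(joined, resolved, sizeof resolved) != 0) return 0;

    rl = strlen(root);
    if (rl == 1) return 1;                  /* a share rooted at "/" contains everything */
    if (strncmp(resolved, root, rl) != 0) return 0;
    /* Require a path boundary so /srv/public does not accept /srv/public2. */
    return resolved[rl] == '\0' || resolved[rl] == '/';
}

int main(void)
{
    const char *share = "/srv/public";      /* assumed share root for the example */
    const char *targets[] = { "docs/readme.txt", "../../../../../", "/", "/etc/passwd" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-18s -> %s\n", targets[i],
               symlink_target_inside_share(share, share, targets[i]) ? "inside" : "ESCAPES");
    return 0;
}
```

The boundary check on the last line matters: a plain prefix comparison would accept /srv/public2/secret as being inside /srv/public.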

Conclusion

I guess we can't say this often enough: don't trust user input. Never. Nowhere. Errors happen, and security flaws always will. But this one really, really could have been avoided.

Wohnzimmerlounge 2.0 for my birthday

Tue, 01 Dec 2009

On the occasion of my birthday, and given the fun I've had so far at Wohnzimmer e.V. events, this time I am the host. There is nothing to bring, and for friends there is surely a place to crash here too. So: everybody come by ;)

Sat., 05.12.2009, 20:00

*Wohnzimmerlounge - a public bar in private living rooms.* Today with Wohnzimmerlounge 2.0 - a digital scavenger hunt in the chat between living room, bedroom, toilet and kitchen, with binary cocktails, cable salad and byte bites. Admission free as always and everything at cost price.

Wohnzimmer e.V. Travelmannstr. 25 (2nd floor, left). Ring the bell for Johannes Ziemke! http://www.wohnzimmer-ev.de

test-html.html

Tue, 03 Nov 2009

lastfm-youtube-now-playing-meshup

Mon, 21 Sep 2009

I wrote a simple "mashup" that gets the last played/playing track of a user, searches YouTube for it and embeds it on a page:

http://freigeist.org/nowplaying/discordianfish

id3-tag-to-ogg-(vorbis)-comment

Mon, 21 Sep 2009

Small script to get the ID3 tags from an ogg file and convert them to ogg/vorbis comments:

        # Prints one vorbiscomment command per file (dry run); pipe the output into sh to apply it.
        for f in *.ogg; do
            echo vorbiscomment -w "'$f'" `id3tool "$f" | \
                sed 's/Song Title:\s*/TITLE=/;s/Artist:\s*/ARTIST=/;s/Album:\s*/ALBUM=/;s/Year:\s*/YEAR=/;s/Genre:\s*\([^(]*\)\s.*/GENRE=\1/' | \
                egrep -v '^Filename|^$' | while read l; do echo -n " -t '$l'"; done`
        done

DOS-issue-in-debians-libgd

Thu, 27 Aug 2009

I just stumbled upon a DoS issue in Debian's libgd. At the moment I could only confirm it with PHP, but I guess I'll have a look at the Perl bindings too.

I wrote a simple PHP resizer to prove another issue:

the code

        lang:php
        <?php
        // PoC resizer: reads a GIF, resamples it to 200x200 and writes a JPEG
        // to stdout; progress messages go to stderr.
        $file = $argv[1];

        list($width, $height) = getimagesize($file);
        fwrite(STDERR, "width: $width, height: $height\n");

        $image_out = imagecreatetruecolor(200, 200);
        fwrite(STDERR, "image created\n");

        $image = imagecreatefromgif($file);
        fwrite(STDERR, "image loaded\n");

        // $width and $height come straight from the file header, unchecked
        imagecopyresampled($image_out, $image, 0, 0, 0, 0, 200, 200, $width, $height);
        fwrite(STDERR, "image resampled\n");

        imagejpeg($image_out, null, 100);
        fwrite(STDERR, "image processing done\n");

        lang:none

how to trigger the bug

This should be a pretty common way to resize an image with PHP.

If you now use one of these GIFs:

- http://freigeist.org/files/poc/1px-size_faked.gif, 1x1-px gif

- http://freigeist.org/files/poc/800px-size_faked.gif, 800x800-px gif

and run

        php resize.php 1px-size_faked.gif > test.jpg

it will run in an endless loop eating up all your CPU, at least on your Debian/Ubuntu system ;)

The reason is obvious, and that's what shocks me the most. Look at this hexdump (bytes 6 to 9 of a GIF are the width and height of the logical screen, little-endian):

                            Faked size, 0xffff x 0xffff
                               |    |
                               V    V
        0000000 4947 3846 6137 ffff ffff 3de7 0000 0000
        0000010 0101 0201 0202 0303 0403 0404 0505 0605
        0000020 0606 0707 0807 0808 0909 0a09 0a0a 0b0b

I just set the image dimensions to 0xffff x 0xffff.

So in the PHP line:

        imagecopyresampled($image_out, $image, 0, 0, 0, 0, 200, 200, $width, $height);

$width and $height are 65535, and here is the bug: for whatever reason (I didn't really dig into it), imagecopyresampled hangs on these invalid, huge values in an endless loop.

who is responsible

After that, I asked in #libgd on freenode. With permission of 'Pierre', I quote the chat so as not to mislead you with my interpretation and enrage the Debian community against me ;)

        16:14 <@Pierre> it is the external crappy Debian's gd
        16:14 <@Pierre> they don't do sec fixes and add non supported patches
        16:14 <@Pierre> same for php
        16:14 < fish_> ah ok..
        16:14 <@Pierre> I would suggest to either compile php yourself, compile php_gd only yourself or use dotdeb instead
        16:16 <@Pierre> dotdeb should be the easiest way :)
        ...
        16:20 <@Pierre> I tried to discuss with them but they are more interested in politics than actually fixing issues
        16:24 <@Pierre> fish_, that behavior was a bug and is fixed since ~ 3 years
        16:24 <@Pierre> I fixed it in libgd and php's gd (bundled lib)
        16:24 <@Pierre> and it is released too

countermeasures

Well, use a non-broken version of GD (aww, that was smart advice, right? ;)) and always use limits (man limits.conf)! Also check the dimensions getimagesize() reports against a sane maximum before calling imagecreatefromgif(): the width and height come straight from attacker-controlled header bytes, and a 65535x65535 image would need gigabytes of memory even with a decoder that is not broken.
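As an added example, not from the post and not libgd code: a small C check that reads the declared width and height from the GIF logical screen descriptor and rejects sizes over a budget before the file is ever handed to a decoder or resampler. The limits and the second, sane header are assumptions constructed for this example; the first sample reproduces the bytes of the hexdump above.

```c
/* Added example (not libgd or PHP code): validate the dimensions a GIF
 * declares in its header before decoding it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SIDE   8192u                  /* hypothetical per-side limit */
#define MAX_PIXELS (20u * 1024u * 1024u)  /* hypothetical total pixel budget */

/* Parse width/height from a GIF87a/GIF89a header: little-endian u16 values at
 * offsets 6 and 8, followed by packed fields, background index and aspect byte
 * (13 bytes in total). Returns 0 on success, -1 if not a GIF or too short. */
int gif_dimensions(const uint8_t *buf, size_t len, unsigned *w, unsigned *h)
{
    if (len < 13) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;
    *w = (unsigned)buf[6] | ((unsigned)buf[7] << 8);
    *h = (unsigned)buf[8] | ((unsigned)buf[9] << 8);
    return 0;
}

/* Convenience accessors; 0 means "not a parseable GIF". */
unsigned gif_width(const uint8_t *buf, size_t len)
{
    unsigned w, h;
    return gif_dimensions(buf, len, &w, &h) == 0 ? w : 0;
}
unsigned gif_height(const uint8_t *buf, size_t len)
{
    unsigned w, h;
    return gif_dimensions(buf, len, &w, &h) == 0 ? h : 0;
}

/* Returns 1 if the declared size is acceptable, 0 otherwise. The product is
 * computed in 64 bits so 65535 * 65535 cannot wrap the check. */
int gif_size_ok(const uint8_t *buf, size_t len)
{
    unsigned w, h;
    if (gif_dimensions(buf, len, &w, &h) != 0) return 0;
    if (w == 0 || h == 0 || w > MAX_SIDE || h > MAX_SIDE) return 0;
    return (uint64_t)w * (uint64_t)h <= MAX_PIXELS;
}

/* Constructed sample: the header bytes from the post's hexdump, size faked to 0xffff x 0xffff. */
static const uint8_t faked_gif[13] = {
    'G', 'I', 'F', '8', '7', 'a', 0xff, 0xff, 0xff, 0xff, 0xe7, 0x3d, 0x00
};
/* Constructed sample: a plausible 800 x 600 GIF89a header. */
static const uint8_t sane_gif[13] = {
    'G', 'I', 'F', '8', '9', 'a', 0x20, 0x03, 0x58, 0x02, 0xf7, 0x00, 0x00
};

int main(void)
{
    printf("faked: %ux%u -> %s\n", gif_width(faked_gif, sizeof faked_gif),
           gif_height(faked_gif, sizeof faked_gif),
           gif_size_ok(faked_gif, sizeof faked_gif) ? "accept" : "REJECT");
    printf("sane:  %ux%u -> %s\n", gif_width(sane_gif, sizeof sane_gif),
           gif_height(sane_gif, sizeof sane_gif),
           gif_size_ok(sane_gif, sizeof sane_gif) ? "accept" : "REJECT");
    return 0;
}
```

The same idea applies to the PHP script in the post: getimagesize() already returns the header dimensions, so the check can sit between it and imagecreatefromgif() with no extra parsing.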

update

Looks like it's not really an endless loop, but it takes a lot of time, about 10 minutes on my laptop, and the image is black afterwards *shrug*. But IMO that doesn't really change the impact: if you have a GD/PHP site on Debian where users can upload images and you resize them, you run into that issue. Looks like a large German social network has the issue too. At least they use limits, so the resizing process gets stopped after some seconds.

XSS-via-DNS-responses

Sun, 23 Aug 2009

I just did a tiny XSS PoC for exploiting web-based DNS lookup tools.

I set up a TXT record with the rdata <script>alert('test')</script> on test.freigeist.org and tried some public web DNS lookup tools.

Well, most of them failed to encode/escape the answer and just executed the JavaScript:

http://www.zoneedit.com/lookup.html?host=test.freigeist.org&type=ANY&server=ns1.freigeist.org&forward=Look+it+up
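The fix on the lookup tools' side is output encoding: HTML-escape the record data before writing it into the page, so the browser treats it as text rather than markup. As an added example (not from the post and not code from any of the tools mentioned), here is a C routine that does that, run on a constructed copy of the TXT rdata described above. Note that this escaping is for HTML text and attribute values; data placed inside a <script> block or a URL needs the encoding of that context instead.

```c
/* Added example: HTML-escape untrusted text (such as DNS rdata) before
 * embedding it in a page. Not code from the post or the lookup tools. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append src at *pos if it fits; returns 0 or -1 on overflow. */
static int append(char *dst, size_t dstsz, size_t *pos, const char *src)
{
    size_t len = strlen(src);
    if (*pos + len + 1 > dstsz) return -1;
    memcpy(dst + *pos, src, len);
    *pos += len;
    dst[*pos] = '\0';
    return 0;
}

/* Replace the five HTML-significant characters with entity references.
 * Returns 0 on success, -1 if out is too small (out is then truncated but
 * still NUL-terminated). */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t pos = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        if (append(out, outsz, &pos, rep) != 0) return -1;
    }
    return 0;
}

/* Convenience wrapper into a static buffer (not thread-safe); NULL on overflow. */
const char *html_escape_static(const char *in)
{
    static char buf[4096];
    return html_escape(in, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    /* Constructed sample: the TXT rdata the post describes. */
    const char *rdata = "<script>alert('test')</script>";
    printf("raw:     %s\nescaped: %s\n", rdata, html_escape_static(rdata));
    return 0;
}
```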

Lastfm-party-people-finder---die-Zweite

Thu, 06 Aug 2009

I've now put together a script that takes a user, pulls all friends and friends of friends and then runs them through the tasteometer. For this I refactored the code from last time a bit and partly tucked it into a module. If I don't lose interest again right away, it will be on CPAN soon together with the corresponding script.

        1; discordianfish; ; 1; iMann;    Saalschutz; Grossstadtgeflüster; Mediengruppe Telekommander; welle erdball; Frittenbude; Console; Proxy; Ladytron; Lesbians on Ecstasy; 64revolt
        2; felixwe; ; 1; toms_rocket;    Saalschutz; Grossstadtgeflüster; Mediengruppe Telekommander; Frittenbude; Console; Egotronic; Räuberhöhle; GammaBlitzBoys; Digitalism; Der Tante Renate
        3; Unzertrennlich; Frank; 1; Drecksladen;    Saalschutz; Mediengruppe Telekommander; Ladytron; Digitalism; MSTRKRFT; New Young Pony Club; Simian Mobile Disco; Goose; Crystal Castles; T. Raumschmiere
        4; Drecksladen; Chris; 1; sophiesfotosde;    Grossstadtgeflüster; Mediengruppe Telekommander; Frittenbude; Ladytron; ADULT.; Egotronic; Boys Noize; Fischerspooner; Digitalism; Bonaparte
        5; nennenesparty; Wir nennen es Party!; 1; h0sh;    Saalschutz; Mediengruppe Telekommander; Frittenbude; Console; Proxy; Ladytron; Egotronic; Boys Noize; Räuberhöhle; GammaBlitzBoys
        6; affenterror; Michael P.; 0.95400609279487; iMann;    Ladytron; ADULT.; Egotronic; Boys Noize; rampue; Fischerspooner; Digitalism; Der Tante Renate; Chicks on Speed; MSTRKRFT
        7; h0sh; probably highly caffeinated right now; 0.8826533523488; der-onkel;    Mediengruppe Telekommander; Ladytron; Boys Noize; Fischerspooner; Digitalism; Crookers; Bonaparte; MSTRKRFT; Simian Mobile Disco; Goose
        8; TetrisMessiahs; ; 0.87848009225314; Drecksladen;    Grossstadtgeflüster; Ladytron; Digitalism; Bonaparte; New Young Pony Club; Crystal Castles; Deichkind; Wir sind Helden; Ladyhawke; Spillsbury
        9; zappience; Sebastian; 0.85515269620474; iMann;    Grossstadtgeflüster; Frittenbude; Grossstadtgefluester; Welle:Erdball; Billy Talent; Fettes Brot; IAMX; The Chemical Brothers; MGMT; De/Vision
        10; ccitb; kate b. aceline.; 0.81273157665429; Drecksladen;    Proxy; Les Petits Pilous; Boys Noize; Digitalism; The Bloody Beetroots; Goose; Surkin; Mr. Oizo; Tiga; Justice
        11; eAvengers; ; 0.81097977515232; AstroCortex;    Mediengruppe Telekommander; Frittenbude; Ladytron; 64revolt; Egotronic; Boys Noize; Peaches; Juri Gagarin; Chicks on Speed; Crystal Castles
        12; polaroidmemory; la belle pas la bête; 0.78853176544536; outoftheline;    Mediengruppe Telekommander; Peter Fox; The Notwist; Justice; Tocotronic; Klaxons; Tomte; Fettes Brot; Die Ärzte; MGMT
        13; die-immergute; Jeannette aka those-always-good; 0.78787348465457; schrottt;    Mediengruppe Telekommander; Frittenbude; Egotronic; Digitalism; Bratze; The Knife; The Notwist; Tocotronic; Die Sterne; Tomte
        14; beatsteak; Patrick; 0.78375114600248; Drecksladen;    Mediengruppe Telekommander; Frittenbude; Digitalism; Deichkind; Sportfreunde Stiller; Wir sind Helden; Justice; Yuksek; Billy Talent; Tomte
        15; profilnummer; Michael; 0.78215190999435; Drecksladen;    Mediengruppe Telekommander; Ladytron; Peaches; Digitalism; Chicks on Speed; Simian Mobile Disco; Egoexpress; Peter Fox; The Presets; Deichkind
        16; uliamania; Mareike E.; 0.78131140787226; amoebenkeks;    Frittenbude; Egotronic; Der Tante Renate; Peter Fox; Jan Delay; Die Fantastischen Vier; Deichkind; Sportfreunde Stiller; Wir sind Helden; Beatsteaks
        17; johl; ; 0.78065201524423; schrottt;    Mediengruppe Telekommander; Console; classless Kulla; Welle:Erdball; paniq; Air; Die Sterne; Depeche Mode; Die Ärzte; The Chemical Brothers
        18; pasue; ▲▼▲▼▲▼▲▼▲; 0.77762897998135; outoftheline;    Boys Noize; Digitalism; Simian Mobile Disco; Peter Fox; Crystal Castles; Mr. Oizo; HeartsRevolution; You Love Her Coz She's Dead; Deichkind; Ladyhawke
        19; vosat; ; 0.77665343210531; squ;    welle erdball; Console; Welle:Erdball; pornophonique; paniq; Moby; Die Ärzte; PeterLicht; Farin Urlaub; Maximo Park
        20; frame; Marc Troy; 0.7712976862799; toms_rocket;    Console; Ladytron; Fischerspooner; The Knife; Fatboy Slim; Die Fantastischen Vier; Miss Kittin; Wir sind Helden; paniq; Air

Lastfm-party-people-finder-;)

Mon, 03 Aug 2009

simple / German

I wrote something with which I can find the people in a group who have the highest "musical compatibility" with a given user (e.g. me).

Run against "Münster" with my user "discordianfish", this gives:

        1; Tilmans; Tilman; Brockdorff Klang Labor; Saalschutz; Egotronic; Bratze; Plemo; Grossstadtgeflüster; Frittenbude; rampue; Juri Gagarin; The Dance Inc.
        2; anttares; christian; Bratze; Frittenbude; Der Tante Renate; Egotronic; Crystal Castles; HeartsRevolution; IAMX; Juri Gagarin; Digitalism; Mediengruppe Telekommander
        3; helmet79; <---- Lucy ; Deichkind; Mr. Oizo; Digitalism; Simian Mobile Disco; Daft Punk; Frittenbude; Alter Ego; Vicarious Bliss; Vitalic; Moby
        4; dschungelgeorge; Christian; Blumentopf; Frittenbude; Juri Gagarin; Mediengruppe Telekommander; Digitalism; Sportfreunde Stiller; Air; The Notwist; Justice; Crystal Castles
        5; runtothesun; ; Late of the Pier; Goose; Proxy; Digitalism; Surkin; Simian Mobile Disco; Ladyhawke; Boys Noize; Deichkind; Feadz
        6; lenafolou; Lena; Bonaparte; Late of the Pier; Hot Chip; Frittenbude; Bratze; Does It Offend You, Yeah?; Goose; Blumentopf; MGMT; Digitalism
        7; Nafiba; Fabian Medias; Deichkind; Frittenbude; Blumentopf; Bratze; Juri Gagarin; Saalschutz; Egotronic; The Dance Inc.; Mediengruppe Telekommander; Plemo
        8; simon1337; ; Blumentopf; Deichkind; Bonaparte; Billy Talent; Rage Against the Machine; Fatboy Slim; Sportfreunde Stiller; Moby; Air; Daft Punk
        9; Degreaz0r; Maximilian; Mediengruppe Telekommander; Frittenbude; Juri Gagarin; Digitalism; Justice; Blumentopf; The Notwist; Mr. Oizo; Boys Noize; Air
        10; Winergie; Mattes; Sportfreunde Stiller; Nirvana; Grossstadtgeflüster; Plemo; Burial; Blumentopf; Plemo And Rampue; MGMT; Mediengruppe Telekommander; Lesbians on Ecstasy

Let's see whether anyone is up for a party ;)

technical / english

I've written another script to fetch all users from a last.fm group, compare their musical compatibility with a given user and return them sorted by score. It works fine but it's pretty slow, because it sends one API call per user. So don't try this on too large groups ;)

script

Download: https://freigeist.org/files/perl/lastfm-topmemb.pl

        lang:perl
        #!/usr/bin/env perl
        use strict;
        use warnings;
        
        use Net::LastFM;
        use Scalar::Util qw(reftype);
        
        die "$0 user group" unless @ARGV == 2;
        my ($me, $group) = @ARGV;
        
        my $fm = Net::LastFM->new(
                api_key => 'your_api_key_here',
                api_secret => 'your_api_secret_here'
        );
        
        
        my $page = 1;
        my $pages_max;
        
        my @profiles;
        do
        {
                warn "processing page $page";
                my $data = $fm->request_signed(
                        method => 'group.getMembers',
                        group => $group,
                        page => $page++
                );
                push @profiles, @{ $data->{members}->{user} };
                $pages_max = $data->{members}->{'@attr'}->{totalPages};
        } while $page <= $pages_max;
        
        my @users;
        for my $user (@profiles)
        {
                next if ($user->{name} eq $me);
                my $taste = $fm->request_signed(
                        method => 'tasteometer.compare',
                        type1 => 'user',
                        type2 => 'user',
                        value1 => $user->{name},
                        value2 => $me,
                        limit => '10'
                );
                push @users, { profile => $user, taste => $taste };
        }
        
        my $i = 1;
        for my $user
        (
                        sort
                        {
                                        $b->{taste}->{comparison}->{result}->{score} <=>
                                        $a->{taste}->{comparison}->{result}->{score}
                        } @users
        )
        {
                print $i++, "; $user->{profile}->{name}; $user->{profile}->{realname}; ";
                my $artists = $user->{taste}->{comparison}->{result}->{artists}->{artist};
        
                print join '; ', map { $_->{name} }
                        reftype $artists eq 'ARRAY' ? @$artists : $artists
                                if defined $artists;
                
                print "\n";
        }

Core-Duo,-Core-2-Duo-und-Dual-Core

Wed, 29 Jul 2009

Oh man, that confused me. Yesterday I treated myself to new hardware. I thought I had bought a "Core Duo", i.e. a 32-bit dual core.

I put in an old disk and was pleased: hey, there's still a system on it. First I built a new kernel and debootstrapped a fresh Debian. Only after tinkering around in Debian did the uname output catch my eye:

        Linux box 2.6.30.3 #2 SMP Wed Jul 29 03:29:24 Local time zone must be set--see zic  x86_64 GNU/Linux

x86_64? Then the scales fell from my eyes: the system that was on the disk was a 64-bit system too, so how could it boot? Checked Wikipedia again, and indeed: since 2007 there has been a "Pentium Dual-Core" that is a 64-bit CPU, based on the Core 2 Duo. So I do have a 64-bit system after all, nice ;)

Well, that had completely passed me by. I was just very puzzled as to how my processor could execute 64-bit binaries..
