Entries from November 2007

Quicktime RTSP Redux released

While we wouldn’t release exploit code under normal circumstances, we are still an emerging company and wanted to show an example of our work. Since this vulnerability is already public, and the Apple security people are most probably working on an imminent update to Quicktime, potential attackers have only a limited window in which to abuse it.

Hopefully Apple will speed up on this one and release an update to fix the vulnerability. We enjoy the versatility of Mac OS X on a daily basis, and want it to be as secure as possible.

Thanks to Kevin Finisterre for the testing environment and proofing of the exploit on PowerPC. Thanks to HD Moore for suggestions and the Metasploit project.

The exploit code is available at: static.subreption.com/public/exploits/qtimertsp_redux.rb

Some improvements that might be released:

  • Better PowerPC target information.
  • Reliable Microsoft Windows Vista target.
  • Reliable Leopard target for x86.


A new Quicktime vulnerability in the wild (RTSP again) (2)

Make sure you have read the first part of this article already!

From the XNU 9.0 source code, here are some interesting snippets:

        /* load_machfile() maps the vnode */
        (void)ubc_map(imgp->ip_vp, PROT_READ | PROT_EXEC);

#ifdef notyet
/* Hmm .. */
#if defined(VM_PROT_READ_IS_EXEC)
                if (prot & VM_PROT_READ)
                        prot |= VM_PROT_EXECUTE;
                if (maxprot & VM_PROT_READ)
                        maxprot |= VM_PROT_EXECUTE;
#endif
#endif /* notyet */

#if 3777787
                if (prot & (VM_PROT_EXECUTE | VM_PROT_WRITE))
                        prot |= VM_PROT_READ;
                if (maxprot & (VM_PROT_EXECUTE | VM_PROT_WRITE))
                        maxprot |= VM_PROT_READ;
#endif  /* radar 3777787 */

Pay attention to the VM_PROT_EXECUTE flag: the block that is actually compiled in (radar 3777787) only adds read permission to mappings that are executable or writable, while the block that would make every readable mapping executable sits under #ifdef notyet. Let’s get back to the exploit development: we have reliable EIP control and we can most probably make use of return to libSystem (good old ret2libc) or jump into the heap. But Leopard randomizes some library addresses… Let’s see what the process memory layout looks like for Quicktime:

(gdb) shell vmmap 18909 | grep MALLOC
MALLOC (freed?)        00122000-00123000 [    4K] rw-/rwx SM=COW
MALLOC_LARGE           00124000-0012a000 [   24K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC_LARGE           0012d000-0012e000 [    4K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC_LARGE           00135000-0013e000 [   36K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC_TINY            00200000-00300000 [ 1024K] rw-/rwx SM=COW  DefaultMallocZone_0x200000
MALLOC_LARGE           003bf000-003ca000 [   44K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC_LARGE           003f9000-00401000 [   32K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC_LARGE           00405000-00406000 [    4K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC_LARGE           0042f000-00459000 [  168K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC_LARGE           007ee000-007f7000 [   36K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC_SMALL           00800000-01000000 [ 8192K] rw-/rwx SM=COW  DefaultMallocZone_0x200000
MALLOC_LARGE           1450f000-14517000 [   32K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC_TINY            14900000-14a00000 [ 1024K] rw-/rwx SM=COW  DefaultMallocZone_0x200000
MALLOC_LARGE           15d1d000-15d27000 [   40K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000
MALLOC                  [   10.4M]
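The following is an added example, not code from the original post or from XNU. It reimplements the two protection rules quoted from mmap() above as plain functions (the VM_PROT_* bit values and all function names here are this example’s own assumptions) and runs a small parser over a constructed subset of the vmmap lines just shown, reporting regions that are writable now but whose maximum protection still allows execution. That is the figure a defender wants when checking whether a non-executable heap is actually enforced: a region listed as rw-/rwx is not executable today, but its maximum protection permits it to become so.

```c
/* Added example (not from the original post or from XNU): reimplements the
 * two protection rules quoted from mmap() and audits a vmmap dump for
 * regions that are writable now but may still be made executable. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bit values as in XNU's vm_prot_t (assumed for this example). */
#define VM_PROT_READ    0x01u
#define VM_PROT_WRITE   0x02u
#define VM_PROT_EXECUTE 0x04u

/* Rule compiled in under "#if 3777787": execute or write implies read. */
unsigned apply_radar_3777787(unsigned prot)
{
    return (prot & (VM_PROT_EXECUTE | VM_PROT_WRITE)) ? prot | VM_PROT_READ : prot;
}

/* Rule inside the disabled "#ifdef notyet" block: read implies execute. */
unsigned apply_read_is_exec(unsigned prot)
{
    return (prot & VM_PROT_READ) ? prot | VM_PROT_EXECUTE : prot;
}

struct region {
    char tag[32];               /* "MALLOC_TINY", "MALLOC (freed?)", ... */
    unsigned long start, end;
    char cur[4], max[4];        /* current / maximum protection: "rw-" / "rwx" */
};

static bool is_hex_run(const char *s, size_t n)
{
    if (n == 0) return false;
    while (n--) if (!strchr("0123456789abcdefABCDEF", *s++)) return false;
    return true;
}

/* Parse one vmmap line: the address range is the first "hex-hex" token and the
 * protection pair follows the "[ size]" column.  Lines with no range (the
 * trailing MALLOC summary) return false. */
bool parse_vmmap_line(const char *line, struct region *r)
{
    const char *p = line, *range = NULL;
    while (*p && !range) {
        while (*p == ' ' || *p == '\t') p++;
        const char *tok = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        const char *dash = memchr(tok, '-', (size_t)(p - tok));
        if (dash && is_hex_run(tok, (size_t)(dash - tok)) &&
            is_hex_run(dash + 1, (size_t)(p - dash - 1)))
            range = tok;
    }
    if (!range) return false;
    size_t taglen = (size_t)(range - line);            /* text before the range */
    while (taglen > 0 && line[taglen - 1] == ' ') taglen--;
    if (taglen >= sizeof r->tag) taglen = sizeof r->tag - 1;
    memcpy(r->tag, line, taglen);
    r->tag[taglen] = '\0';
    const char *close = strchr(range, ']');            /* end of the size column */
    char perms[8];
    if (sscanf(range, "%lx-%lx", &r->start, &r->end) != 2 || !close ||
        sscanf(close + 1, "%7s", perms) != 1 || strlen(perms) != 7 || perms[3] != '/')
        return false;
    memcpy(r->cur, perms, 3);     r->cur[3] = '\0';
    memcpy(r->max, perms + 4, 3); r->max[3] = '\0';
    return true;
}

/* Constructed sample: a subset of the MALLOC lines from the post's vmmap dump. */
const char *kSampleVmmap[] = {
    "MALLOC (freed?)        00122000-00123000 [    4K] rw-/rwx SM=COW",
    "MALLOC_LARGE           00124000-0012a000 [   24K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000",
    "MALLOC_TINY            00200000-00300000 [ 1024K] rw-/rwx SM=COW  DefaultMallocZone_0x200000",
    "MALLOC_LARGE           0042f000-00459000 [  168K] rw-/rwx SM=PRV  DefaultMallocZone_0x200000",
    "MALLOC_SMALL           00800000-01000000 [ 8192K] rw-/rwx SM=COW  DefaultMallocZone_0x200000",
    "MALLOC_TINY            14900000-14a00000 [ 1024K] rw-/rwx SM=COW  DefaultMallocZone_0x200000",
    "MALLOC                  [   10.4M]",
};
#define SAMPLE_COUNT (sizeof kSampleVmmap / sizeof kSampleVmmap[0])

struct audit { int regions; unsigned long bytes; };

/* Writable now and executable allowed by the maximum protection: these are the
 * regions a non-executable-heap policy has to cover. */
struct audit audit_vmmap(const char **lines, size_t n)
{
    struct audit a = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        struct region r;
        if (parse_vmmap_line(lines[i], &r) && strchr(r.cur, 'w') && strchr(r.max, 'x')) {
            a.regions++;
            a.bytes += r.end - r.start;
        }
    }
    return a;
}
```

audit_vmmap(kSampleVmmap, SAMPLE_COUNT) reports all six sample regions (the summary line is skipped), and apply_radar_3777787(VM_PROT_EXECUTE) yields read plus execute, which is exactly what the compiled-in hunk does to an executable mapping; feeding a real `vmmap <pid>` dump through the same parser shows how much of a process's heap sits under an rwx maximum protection.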


A new Quicktime vulnerability in the wild (RTSP again) (1)

A new vulnerability has been published for Apple’s Quicktime software. It definitely looks like an easy one: a classic stack-based buffer overflow. We started testing the original proof of concept against Mac OS X 10.5.1 (9B18) (that’s Leopard!)…

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000004141416b
Crashed Thread:  0

It’s possibly embarrassing for a high-profile application to have this kind of issue (it’s 2007 already, approaching 2008…), but they are found everywhere. Apple is really trying to make advances in security matters, even if they didn’t manage to implement some of them properly for Leopard.

Quicktime EIP overwrite running under GDB

After some tinkering, we started developing our own multi-platform exploit. This vulnerability, like most plain stack-based buffer overflows, allows full register control, so code execution is a piece of cake (the register state below comes from running the original Python code, available from Milw0rm):

Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x41414141  ebx: 0x166a36f0  ecx: 0x00000000  edx: 0x00000041
  edi: 0xbfffd308  esi: 0x6875683f  ebp: 0xbfffd438  esp: 0xbfffd180
   ss: 0x0000001f  efl: 0x00010207  eip: 0x166a41c5   cs: 0x00000017
   ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
  cr2: 0x4141416b

Nowadays it’s common practice to release rather incomplete and unreliable exploits, or so-called “proof of concept” code (although people out there don’t agree on naming conventions: an exploit that is really reliable is not a proof of concept). They are usually coded in Python (we don’t really know what’s so great about it as a language for exploit development; Ruby is possibly much more flexible and efficient for such purposes), have poor indentation and code style, use publicly available shellcode and repetitive techniques, and, last but not least, they are poorly automated. Releasing a proof of concept nowadays is generally a matter of getting those nifty 15 minutes of fame. Then it vanishes…


Extreme survivability

Without making a funny analogy between truly solid HIPS solutions and those tough organisms called extremophiles, today’s entry isn’t really technical per se. Sometimes it’s good to take a look at something else.

Tardigrades

Tardigrades (aka “water bears”) can be classified as arthropods (like insects, arachnids…) because of their segmented body. They are known for being extremely resistant to a wide range of normally lethal conditions, namely extreme temperatures, radiation, dehydration and extreme pressures. One of their most impressive traits is their ability to lower their metabolism exponentially, preserving themselves for a long time with no water.

This is known as “cryptobiosis”: when the environment becomes hospitable again, the organism returns to its normal metabolic state and effectively comes back to life. Imagine an animal that has been standing still for over a decade, after post-apocalyptic events that no other species has been able to overcome, and finds its way back to a devastated world. How does it feel to be the toughest animal on Earth?

Let’s see a few of the conditions that these little animals can resist:

  • High (151 C) and really low temperatures (almost absolute zero, about -270 C, for days).
  • Radiation: up to 570k rads. One to two thousand rads are lethal to humans.
  • The low pressure of a vacuum, as well as damn high pressure (six times that of the deepest ocean trench).
  • They survive dehydration for a decade!

Research of these life forms could lead to advances in treatment of certain diseases. It’s simply amazing how resistant these little animals are.

Hopefully a HIPS half as tough as a tardigrade could bring some light to the rather depressing world of so-called security software!

Design-ish forms with live validation

One of the most important features of our content management system is its usability and careful design. We faced a complicated issue with forms: it’s not that uncommon to use tables for a fluid layout that is easy to customize using CSS. The typical table-less solution involves floating labels to the left, with fixed width, and input fields to the right. We’ve seen designs where help text could be neatly displayed right next to the input, using tables.

Always perform server-side validation and don’t require JavaScript in forms!

This allows support in possibly every web browser out there, without compatibility issues. The code looks clean too. Another feature that boosts the usability of forms is live data input validation. For security reasons you should never rely on client-side validation, but it comes as an extremely useful aid for showing the user whether anything is wrongly formatted and needs fixing, before wasting time submitting the form.

A table layout based form with help

We came across LiveValidation (quite an appropriate name :-) ), a neat Prototype-compatible JavaScript library for automating data validation. It’s free (MIT license, for personal and commercial projects) and compatible with every major browser we’ve tested.


Finally, we are up and running!

Finally we decided that Mephisto wasn’t yet the right solution for us, and until we have time to put a proper blog engine in place, we are going to keep this going. We are damn busy at the moment, which is why our time for blogging is really limited. But we’ll try to keep interesting news around, stay tuned :-) .

We are sorry about the not-so-impressive-looking current design, but this is being worked on behind the scenes. Hopefully the design guy will come up with some fresh ideas; he’s still busy working on the corporate site. Although, developing with Rails is never boring (well, just unlikely ;-) ).