Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
- CodeQL lets you query code as though it were data. Using this taint analysis can be done in order to find anti-patterns.
- The author used a CodeQL query in order to track user controlled sizes being used. Although this is NOT a vulnerability by itself, it is a good pattern to follow to find bugs. After running this query, several data points were returned, with a single one leading to memory corruption.
- While parsing a frame, two main bugs occur. First, the header length is subtracted from the buffer, even if an invalid packet was sent. If this size was smaller than the subtracted value, this turns the value into a large positive number.
- The second bug (with the size) is that an allocated buffer is created from the size passed in, but not restricted to this size. So, while uncompressing the data, an overflow occurs in a linked list structure.
- To me, the interesting thing was the usage of CodeQL. CodeQL did not discover the bug. But, it gave a nice place to point in order to look for bugs. I may be adding to this my toolbox in the near future.
- SerenityOS is a free and open source operating system created by Andreas Kling. It is designed to be a Unix-like operating system that draws inspiration from the graphical user interface of the 1990s. This was found during a CTF in 2019.
- SerenityOS attempts to validate the location of syscalls, if a pointer is passed in. If the memory is not properly mapped, then an
EFAULTstatus code should be returned. - The issue is that this validation allows for too mucg. Instead of validating if the memory just exists in the user process, it also accepts valid pointers into kernel space! So, this is essentially an arbitrary read/write built into the syscalls.
- Additionally,
dmsg(kernel debug messages) will just output the kernel stack addresses. So, at this point, we have a kernel address stack leak and an arbitrary read/write primitive into the kernel. This looks good enough to me! - In order to exploit this, the author forks into two processes. In the child process, the program goes to sleep. With the parent process, the author reads until they find the stack addresses they are looking for (from dmesg). Once it finds the right address, it uses the arbitrary write primitive in order to overwrite the return address of the child process.
- The child process return pointer is then sent back to the userspace program (which you should not be able to do). With the ring0 process, we have access to all kernel-level functions. To solve the challenge, the author loads a block device and reads from it.
- In order to fix this, the address validation is now only done for userspace pointers and not the kernel ones. Additionally, a check was implemented that only allows userspace writes by checking an expected program mask.
- For the
dmesgleak, SerenityOS made a few changes. First, runningdmesgnow requires a root account. Furthermore, the author is attempting to find all memory addresses leaks indmesgand leaking these. However, there is value in having addresses available for the users for debugging. So, if root, you can probably leak kernel space memory still.
- The Same Origin Policy (SOP) disallows content from one website to be grabbed from another. For example, if a user visits malicious site, the malicious site should NOT be able to get my bank accounts information.
- One part of this is that the page can have data embedded inside, but cannot READ the data. A common example is selecting an image from a different website; this can be used (embedded) by NOT directly read.
- This post discusses a side channel in the rendering process of a picture via the
canvasHTML element. Because some pixels are drawn faster than others, it was possible to leak information about the image, across domain. - This feels like a very difficult problem to solve; allowing embedding but not directly reading. This bug actually existed in Skia, which is used by both Firefox and Chrome.
- SerenityOS is a free and open source operating system created by Andreas Kling. It is designed to be a Unix-like operating system that draws inspiration from the graphical user interface of the 1990s.
- This was vulnerability was found as part of a CTF challenge! This is an issue with ptrace (the second for the CTF).
- The vulnerability lies in the fact that the
eflagsregister has a bunch of metadata associated with the process. By have arbitrary access to this via ptrace, it is possible to escalate the privileges of a process I/O (ring) level. This can be exploited usingptraceandsigreturn. - With the ability to act at ring 0, you can add kernel drivers directly to do whatever you want. In the CTF, this was done in order to read a flag from the harddrive directly.
- The solution to this is to provide a mask for the allowed values in the
eflagsregister. Additionally, a sanity check is added to multiple locations, including the general syscall handler, to ensure that a running process is does not have the IOPL (I/O privilege) set. Defense in depth is always a helpful. - An analysis by the main author of SerenityOS can be found here. For those who are curious, the validation for this takes place
- This router is publicly accessible from the internet, as well as its administrative functionality over IPv6. The firewalling worked fine over IPv4 but not on IPv6.
- The second mistake is the amount of information that is leaked all over the place. There is password information hidden in log files, hardcoded SSL certs, and a pre-auth info leak in
info.aspthat discloses the telnet password and secret used for FTTH connection. - Next, there is a backdoor that allows the turning on of the telnet CLI(and changing the routing rules). Using this, an attacker could get access to telnet, without auth, from the public internet.
- Additionally, the telnet CLI can be turned on via the web interface by using one of the 40 backdoor passwords that ISPs have access to. Hooray!
- The telnet CLI even has a backdoor password itself. Additionally, the cookies of an ASP page is vulnerable to a buffer overflow. So, that is three different ways to enable the telnet CLI without having any knowledge of the password.
- Once in the telnet CLI (not a true telnet but restricted), it is possible to setup an actual telnet connection on port 26 to turn on by running
shell. Then, on the current connection, runningtshellwill elevate the privileges of the connection to root. - There are crazy amount of surface level bugs in this router. The article is a little hard to read (ordering and sparse explanations) but the content is quite awesome.
Making Clouds Rain: Remote Code Execution in Microsoft Office 365
srcincite Reference →Posted 5 Years Ago- This is a high value target, as a large amount of people use Office 365. Being able to compromise this at any company would be the dream for a nation-state actor.
- Exchange Server exposes a number of web APIs as well as a powershell remoting interface for users and administrators. This looks like a good target for trying to find a command injection of some sorts.
- There is an API that takes in a list of strings which are then executed in the CLI as a powershell command. If an attacker can control this data, then it is essentially game over.
- It appears that reversing this was super easy; the code that the author has looks really nice! I assume this is because C# code can be easily decompiled into its original form.
- Microsoft failed to patch this bug twice. This was because they attempted to use a denylist from the attackers first payload. The author was able to bypass the restrictions twice and got additional payouts from Microsoft. Denylists are extremely difficult to set properly.
- YouTube (who is owned by Google) has the ability to use three settings on YouTube video publicity: Public (what is sounds like), Unlisted (not in search but can be found via a direct link) and Private (only my account has access).
- The general idea of this attacker was trying to view Private videos on YouTube in some way. The author of the article was mostly hunting for insecure direct object reference (IDOR) bugs that allowed access to a private video.
- From testing all of the YouTube endpoints of the, none of this worked. But, what about other services that would have access to the internals of YouTube? As stated above, YouTube is owned by Google.
- It turns out that Google Ads can take in video Ids and use them on ads services! This seems like an interesting place to look for an IDOR.
- After testing several of the YouTube video based APIs on, Google Ads the author tested the
/GetThumbnailsAPI. And it sends back a base64 encoded blob, which was a frame of the Private video! - After discovering this single frame IDOR, the author wrote a script to steal the entire video (frame by frame). Of course, because this was a thumbnail, no audio can be heard. Additionally, the video ID must be known.
- I really enjoyed the cross service aspect of this attack. This is something that I will definitely need to consider in the future.
- In the world of virtualization, there are two types: 1 & 2. Type 1 runs on bare metal (no OS in between hardware and hypervisor) essentially BEING the OS. Examples of type 1 are Xen, VMWare ESXi and Hyper-V. Type 2 runs on top of an OS, such as Virtual Box, VMware Workstation and others. A good picture to see the difference can be found here.
- The vulnerability in this post discusses an issue found in the Type 1 hypervisor Xen.
- The bug was discovered a NULL pointer dereference in an IRQ handler from the guest to the Xen host. The IRQ is a way for events to be handled by hypervisor. This can be triggered when an interrupt occurs for the IRQ to be handled AND the IRQ has just been freed.
- At a minimum, triggering this bug can result in a DoS by taking down the hypervisor. At the worst, this IRQ position could be REUSED in another IRQ allocation. If this comes from a different physical device, the IRQ would have an entirely different structure, which could lead to a complete compromise of the hypervisor.
- The vulnerability is a complete lack of input sanitization when going to kernel functions. This leads to a linear heap overflow, a TOCTOU race condition, an out of bounds read with a controlled index and an arbitrary add primitive. These are all very serious bugs where any one of them could take control of the process.
- The heap overflow looks like a good primitive because we can overflow values at the end of the ION buffer allocation in kernel space. This is done by winning a race to change the size of the array AFTER the size of another value has been chosen. This OOB write has mostly complete control of the buffer.
- The OOB addition can add a single value to any point. This is important because it may be possible to increment a pointer to an arbitrary value. This is done by setting an offset to find an array of
address_vectorstructs. The offset has no bounds or alignment checks. This offset does have a constraint in order to perform the OOB write though. - The next section is rather instead. The author goes into HOW this could be exploited on iOS first, then dives into Android. The author hypothesizes the exploitation on iOS and references several CVEs.
- The author chose to go with the arbitrary add primitive because the location of the data was next to kernel thread stacks! Using this, we could overwrite a size parameter for a syscall in memcpy in order to cause further memory corruption.
- The next problem to solve was HOW to put a thread stack at this location? The main pain point is that on Linux, kernel memory is placed into a
unpurged_vm_areaand eventually placed back into the usable heap memory. In order to combat this issue, the author spammed a bunch of allocations of binders to create arbitrary sized mappings to flush the cache. Then, spammed a bunch of threads. With a little luck, the thread stack was aligned in the proper place for our overflow. - Something that I was not familiar with is blocking. Blocking is when the execution of a program stops then re-executes later on, after some criteria has been met. This is useful for this primitive because the contents of a blocked thread appear on the thread stack.
- Once the thread stack was in the proper area, the goal was to get a nice memory leak. This was done by first causing a page fault in one thread. When this page fault occurs, the fault sends data back to a thread stack which will send some errors back to userland. By altering a thread stack variable (the size of the data), an arbitrary memory leak can be performed to leak stack addresses, canaries and so on.
- An additional idea (for the arbitrary write) was to overwrite a threads
SPSR(saved process status register). Doing this would change many parts of the execution environment, such as whether this thread was from user or kernel space. Unfortunately, some quirks of this technique caused issues too terrible to work around. - The final solution (for the write) was to corrupt the value of 'n' of a
file descriptorcounter. Using this, an OOB write could occur, on the stack, to gain control of a RET address. Because this primitive allowed for an indexed partial write, the RET address could be changed without editing the canary! This came with several complications, but read the article on how this was handled. - With the ability to overwrite a RET address with 15 64-bit values on the stack, it was time for the ultimate ROP chain. The BPF (Berkley Packet Filter) is a subsystem of Linux that allows for arbitrary commands to be ran. By using this, an arbitrary read/write/execute primitive could be created by calling this from the ROP chain.
- Command injection is when you can insert arbitrary shell characters into a
systemcall to modify it. This is a well-known and explored attack vector; people will commonly try to protect against this by escaping the meta-characters, such as[;`"'|&${}]. Instead of a straight command injection, it is about moving around the protections created. But, is there anything missing here? - The valid character (and normally used)
-is missing from this set of characters. This character is used for flags in many commands. Although the meta-characters themselves are escaped, can we add flags to the command? Yes! - In this situation, the author has the ability to set flags for
tar, a compression tool on the Unix. RTFM. - There are several options, in tar, that give us code execution, including
--to-command command_script,--checkpoint=1 --checkpoint-action=exec=<command>and-T <file>. Recall, the equals sign is not usable, which leaves us with a fewer selection of options. - All of the options that could execute code require a file path to know where to execute at. So, can we control a file path? Using a prior tar command (multiple in one set), the
-Poption can be used to write to the files absolute location instead of relative location. - The exploit flow can be completed. We use one tar command to put a file into a known file in
/tmpby using the-P. Then, we use one of the file include flags to include a file to execute during the scripting of tar. At the end of the day, this required an additional step to get the code to execute, but it is essentially the same. - Long live command injection! Although this is slightly different, it is a good case of understanding what you have and using that to the fullest.
