Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

FreeBSD is a unix strand of OS. chroot is a system call is that meant to restrict access to the rest of the file system. In essence, it gives the user a pseudo-root directory. This is commonly referred to as chroot jail.

The FTP daemon for FreeBSD had an option to use chroot a user into a particular part of the file system. This is where the bug exists! Who would think to find a privilege escalation in a chrooted FTP implementation!?

The logic checks to see if the chrdir (chroot directory) is accessible. If this fails, it jumps to some unintended code at a goto label. Now, ftpd still awaits a new login, but the connection is already locked inside the chroot jail from the previous logic. This causes incorrect behavior during the next login attempt on that connection.

An attacker can make chdir fail by using chmod 0. Why is having this fail useful? The ftpd itself gets trapped in chroot jail!

So, later, when authentication checks are done, they are done within the chrooted directory! This means that we can control the root credentials being used, on the next authentication login.

Now, we can upload libraries that act as replacements to normal daemon libraries. If we add a reverse shell to one of these, we end up as the non-chrooted root user!

To me, the interesting part was that this issue was created because of a failure in one of the commands, while the other one succeeded. Just because you catch an error, does not mean that it is handled properly!

Bouncy Castle Crypto is a popular and common cryptography library implemented in Java. This is used at the enterprise level quite a bit.

The bcrypt (password hashing function) had a flaw introduced into it for two versions before anybody noticed. This flaw (in Java) used the indexOf instead of the charAt function on a string. The indexOf function finds the first occurrence of a character in a string. Clearly, the code newPasswordHash.indexOf(i) == currentPasswordHash.indexOf(i) has an issue.

This bypass is not trivial to implement and does require a bunch of brute forcing. From testing, it appears that 20% of passwords were bypassed within 1000 attempts (which is not viable on a site). Regardless, this COULD be used for a bypass on some passwords.

Even in memory safe languages, vulnerabilities still exist! :)

Where to try to find bugs in software? It turns out, they are all over the place! In this installation of bug finding, the author researches translating from one language to another.

The first bug is in node-sass, a translator of the CSS precompiler. The bug is an integer underflow in a malloc size. The size used (for malloc) has a 1 added to it. Then, the original size is used for allocation. This results in a size of 0 being possible when a size of -1 is used.

The second bug was a vulnerability in png-img in Nodejs. The png-img bindings use an initStorage function which is vulnerable to an integer overflow via multiplication. The bug is very straight forward; it is literally through the height and width of the PNG image. In fact, this same exact bug existed within a JPEG parsing library used by Instagram.

This vulnerability ends up being a wildcopy: a vulnerability where a size is underflowed where a bunch of data gets written. As talked about in the Checkpoint article, this only results in a crash unless we can change the flow in execution before the crash occurs. In fact, we can! If there is NO more data in the stream of the PNG, the image exits.

The author mentions three important parts of an attack:

• How does the attack trigger the bug? PNG file. However, this is not a back & forth communication.
• What data does the attacker control? The bulk of it; it is a PNG file.
• What algorithms (flow of the program) can by influenced by the attacker?It is a linear heap overflow, which results in the ability to corrupt heap memory.

Node.js is compiled with stack canaries, Full RELRO and the NX bit, but without PIE and Fortify. Since the binary is non-interactive (only a single shot) and the binary is NOT compiled with PIE, overwriting data in the .bss section and jumping to code in the non-randomized .text section is a safe bet. The single shot is important to note: memory leaks are NOT possible in this scenario.

The next section goes into how the software interacts with the memory that is controllable by the user. This is how an attacker gets their foothold in a program. In particular, there is a section on the heap that contains function pointers (perfect). But... this did not actually work. They had corrupted code for the dynamic linker in the being used.

They make a really good point about real world exploit development: "As a developer, it is important to understand that attackers will explore vulnerabilities according to the resources and time they’re willing to invest in their exploitation. Even for a relatively straightforward vulnerability such as the png-img heap overflow, we see there is a distinct attacker calculus at play that weighs the pros and cons of various attack strategies against your code. Mitigations are considered from both a platform-specific and goal-oriented perspective.

Using this technique, they went with the corrupting of the symbol table resolution process. The attack looks something similar to RET-2-dl-resolve in order to resolve an arbitrary symbol. However, I am slightly confused because they mention heap chunk for a link map being corrupted or in the runtime execution. In my experience, the symbol resolution process on x86_64 does not use the heap (but maybe whatever they are on does?).

Once they decide to use the symbol resolution process, it was all about finding pointers to dereference in the non-PIE binary to act properly. Additionally, many of the values for this process are relative offsets. So, by placing proper values on the heap for the corrupted linkmap, it was possible to gain control of the symbol resolution process to load an arbitrary symbol.

What symbol do we load? Well, of course, they just call system out of it. This is not the entire description of the exploit; it is just a high-level overview. The entire thing should be read in order to understand the full process.

Overall, this is a fairly crazy exploit that ended up NOT requiring any leaks in order to full off. I had never heard of the ret-2-dl-resolve before; this will be a good addition to the toolbox when leaks are not possible.

Remember spam? No, I mean the spam of the 80's and 90's! The email spam was HORRIBLE because email servers would send off whatever you gave it with no authentication or valid information the domains.

Although the any domain part is mostly gone, you can still find SMTP servers that will relay whatever email with a sender domain that it knows.

This can be used for spoofing emails for internal network pentests to launch phishing campaigns.

This article shows the commands for actually talking to the server over telnet and sending off emails. SMTP is a newline based protocol (super simple) but the syntax is a little tedious to work with.

PDFs have their own hidden language in them. What if we could escape the content being added to the PDF and exfiltrate data? This is what the paper is about.

PDFs are commonly used for generating reports. The idea is to inject our own code into the page that will allow us to exfiltrate sensitive data.

The main issue was that PDF generating libraries were not blocking out parenthesis' when doing the link generation. This allowed for the escaping of the link to create a PDF payload.

Overall, the technique is pretty awesome and should be something to look for in the future. The link bulk of the understanding is above... Gareth goes into the actual nitty-gritty of creating valid PDF code but that can be googled when the time comes :)

Finding bugs is one thing; exploiting the bug is an entirely different thing. The bulk of this article is taking simple bug in the Windows Kernel and turning this into an exploit. Because this is the Windows Internals blog, this a dense article all about Windows!

There is logic that assumes either a 0 (false) or 1 (true) for the protocol. However, any value from 0-0xFF can be used. Because of this, there is sort of a type confusion that leads to a path being taken that increments a pointer that should NOT be incremented.

From there, there is a dump of Windows internal information. I just wanted to keep this here for safe-keeping in case I ever wanted to dive into the Windows world.

Besides all of the Windows stuff, I enjoyed the real world approach to this. There were many road blocks that forced the author to consider other paths to setup the exploitation properly.

SAML is a protocol that allows identity providers (IdP) to pass authorization credentials to service providers. A similar protocol is OAuth.

SAML uses XML in order to verify its claims. The id of a user is used in order to create a claim that represents this specific user.

The user is verified at TWO different points in TWO different ways. By abusing difference in this verification process, a valid user can trick the process to think they are any other user.

The trick was using HTML comments in order to force the parsers to act differently. This is NOT the first time this exact same issue has been seen.

There is a privilege escalation in PostgreSQL once a user had the ability to execute arbitrary commands into PostgreSQL.

This bug came down to a issue with the reverting functionality of a query in the database. Mainly, by abusing the state handling of the revert functionality.

INITIALLY DEFERRED can be used in order to delay commands from being ran. In particular, this delays when a constraint on a given object is looked at. This code was executed AFTER the context switch of users, allowing for the changing of sensitive information.

From there, the author had to find a way to trigger all of the functionality in the proper order.

Overall, super cool privilege escalation! This acts as a TOCTOU bug but more refers to the state handling not being properly reverted. I wish there was a 'tldr' on the article though.

This is a wiki page dedicated to the side-channels built into the web. Besides the attack mechanisms, the defensive also have just as many pages. I honestly did not know about half of these techniques and most of the mitigations!

The first (and most well-known) technique is the XS Search technique. The attack using timing measurements in a search query to determine if data was sent back or not. If so, keep going. Other, stop and try another letter. Instead of just letters, this can also be done with words and phrases too.

Another attack is about using Error Handling for finding pages that are only available within an internal network.

Frame Counting is where the amount of iFrames on a page are counted. This can be useful for determining the state of a site if multiple iFrames are loaded, depending on a GET parameter.

My favorite attack, mentioned on the list, is the Cache Probing attack. The idea is that is somebody has visited a site, then the content is cached in the web browser. So, by using timing differences or notices from the browser that the data is cached, where the user has visited can be determined. This is particularly useful for social media sites.

In terms of protections, a lot of these attacks are mitigated by having the same-site cookie default to lax instead of none.

There are some additional headers that can be used in order to prevent cross-site attacks, such as Cross-Origin-Resource-Policy, X-Frame-Options and Cross-Origin-Opener-Policy.

McAfee ePO is software that helps IT administrators unify security management across endpoints, networks, data, and compliance solutions from McAfee and third-party solutions.

The bugs for this were not very unique; but, the chaining of these bugs was quite interesting. All of the issues come from an API that checks the validity of a database connection.

First, there is a CSRF bug in this API (just NO protections at all).

The second issue is that if the connection request ONLY has the host and the port the credentials are automatically reused. Using this and specifying the host, we can man-in-the-middle (MitM) the connection; this acts as a SSRF bug! The connection also has test database commands being ran.

To tie this all together, we can use the CSRF to send the request to OUR server and change the connection information. Now, with this MitM, we can change the SQL command. Finally, use this to execute arbitrary commands on the server.

The final (unrelated to the chain) bug was zip functionality. Most zip CLI tools prevent directory traversal. However, a lot of processing libraries in languages do not. By using this, it was possible to write arbitrary files to arbitrary locations.