Nth Dimension/blog:: Negatively discriminating against idiots since 1995!


2009-03-27 16:54:10

Analysing PinSentry

By Tim Brown

Since Ahead Of The Times took their PinSentry apart, I thought it was about time to share my analysis thus far of the numbers it generates:...[more]

2009-03-17 00:06:53

Shellcode for setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux

By Tim Brown

There are many people that know more about the black arts of low-level exploitation than me. Fact. Shellcode isn't that novel, and with only 30 or 40 bytes to play with, chances are high that someone else will have done it first. Fact. However, in the spirit of learning, I proudly present my first working(?) shellcode. It's a small chunk of AT&T style assembly for the x86_64 architecture running GNU/Linux which calls first setuid(0) and secondly execve("/bin/sh") for use in local exploits. I've attempted to document each and every line of code, so maybe it will be of some use to others that are yet to embark on this journey....[more]

2009-02-23 23:11:08

Exploiting preg_replace (an oldie but a goodie)

By Tim Brown

Calling preg_replace($pattern, $replacement, $subject) et al, where $pattern and $replacement are under user control should be considered dangerous. Witness the following:

<?php
preg_replace("/" . $pattern . "/", $replacement, $subject);
?>

Our attacker passes a $pattern of "(.*)/e\x00", a $replacement of "system('\1')" and a $subject of "id". The following results:...[more]

2009-02-17 00:58:46

pwn3d

By Tim Brown

Sometimes life can be fun...

That's the result of unauthenticated XSS, command injection and privilege escalation against one poor vendor's (poor) product....[more]

2009-02-12 08:19:01

Hunting squid

By Tim Brown

So after the latest squid advisory I thought I might take a look at it to see if there were any other gems waiting to be found.

So since I'm lazy, I ran cppchecker on the code base which found this gem in squid_kerb_auth.c within the gethost_name function:...[more]

2008-10-26 17:33:00

Exploiting MS08-067 (or not)

By Tim Brown

So having spent a good portion of the last 24 hours trying to get a handle on reliably exploiting this vulnerability, I've drawn a blank. Two things have me stumped, one quite trivial and one that I'm going to have to leave for my betters. Because I'm using rpcclient as my transport to send data to the Server service, I have to rely on that for the encoding. In practice this means that in the best case I can only control two out of four bytes of my %eip overwrite (namely 0x00__00__) because my input to rpccli_srvsvc_NetPathCanonicalize() gets unicode encoded further down the RPC/CIFS stack. Secondly (and this is the killer right now), the stack appears to vary considerably between exploit attempts. I've been playing with exploiting it under Windows 2K on VMware and every time it appears I've got the offset right to control %eip, I repeat it once more for luck and the damn thing moves. Combine this with the fact that Windows will likely reboot if the Server service crashes and I'm interested to see whether reliable exploits are released....[more]

2008-10-24 11:07:58

Playing with MS08-067

By Tim Brown

OpenVAS already detects MS08-067 as part of the Windows Local Check plugin family, but as a penetration tester I wanted a little more: the possibility of detecting the vulnerability in cases where we don't have valid credentials. To that end, I spent part of today investigating the problem a little further. I started off with the POC that can be found on milw0rm but could not get it to compile either under VS 6.0 or 2k3. A quick google showed that others had the same problem but no one had found a solution, so I began thinking about other lines of enquiry. I briefly considered using Impacket but I recanted - I hate Python. Then I looked at some of the POCs for MS06-040 but most of these seemed to be using hardcoded RPC calls. Then it struck me, Samba has a full implementation of the Windows RPC/CIFS stack. Sure enough, there was rpccli_srvsvc_NetPathCanonicalize() which allows remote calls to the vulnerable function NetprPathCanonicalize exported by netapi32.dll. From there it was all too trivial to hack rpcclient to make the malicious call and there you have it:...[more]

2008-10-22 16:17:41

OpenVAS updates

By Tim Brown

So today I heard back from the organisers of CCC regarding the proposal for myself and Vlatko to give a presentation on OpenVAS entitled OpenVAS - free your vulnerabilities. From what I'd already heard, they've had a lot of interesting presentations submitted and I wasn't greatly surprised to hear that we'd missed out. It's not the end of the world though, we've been invited to write an article instead. I've also been invited to give a talk tomorrow at London's monthly DC4420 the contents of which will be uploaded shortly after. So what else has been happening?...[more]

2008-08-23 16:50:39

What can we learn from the Debian OpenSSL debacle - a response to the DebConf 8 BOF

By Tim Brown

Just been watching the DebConf 8 BOF on the Debian OpenSSL debacle and my gut instinct is that the discussions really focussed on the wrong question. The question shouldn't be how can we expose our divergences from upstream but as I've said before, how we can encourage better relationships between Debian participants and those that operate either upstream or on other distributions so that the many eyes maxim holds. Maybe what is needed is a social network for patches, packages and packagers but whatever, I do not believe a Debian centric solution will work....[more]

2008-05-01 13:24:24

In your network, pwning your data

By Tim Brown

Securing networks, of both the social and electronic variety, interests me. The old saying that "No man is an island" was never more true than it is now. We're an interconnected species and those connections span the globe. Anyway, with that thought in mind I thought I'd share two interesting developments in the security domain that have occurred this week....[more]

© Nth Dimension Web Master, 2006