
[Full-Disclosure] GOGGLES ADVISORY: FLAW IN MAJOR DISTRIBUTIONS



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                                 _,--,            _
                            __,-'____| ___      /' |
                          /'   `\,--,/'   `\  /'   |
                         (       )  (       )'
                          \_   _/'  `\_   _/
                            """        """
                            I R WATCHING Y0U

                GOGGLES SECURITY ADVISORY #forty-two

GOGGLES has discovered attempt of big security company to disclose bug
in many major UNIX variants.
GOGGLES believes in perfect world and security bug should not be disclosed
by company to make quick fame and money, but to selflessly strive for
collective effort to make better and more secure world for everyone to
live in.
GOGGLES strives for this and decides to regulate release of information
with this ethical ideal in mind and not capitalistic gain for big company.

GOGGLES explicitly disclaims credit for discovery, and has to tell world
company did not make discovery either, even if it claims so afterwards.
Discovery seems to have been made by tribes of pagans and heretics who
are yet to achieve Enlightenment and discover True Path of
Full-Disclosure.

Problem GOGGLES did not discover but tries to make perfect world with
is in libc select() function.
select() is bad way to do event driven notification for io events, GOGGLES
believes true men and real women use epoll or kqueue these days, and
that only real idiots use /dev/poll.
select() is bad for security as well, as Theo de Raadt proved with
OpenBSD operating system.

Pagans discovered that fd_set structure select() uses is fixed-size bitmap:
__FD_SETSIZE bits (1024 on glibc), allocated statically no matter how many
descriptors process may actually hold.
Proof of concept code kindly provided in sys/select.h from glibc, where
idiots coded:
        __fd_mask fds_bits[__FD_SETSIZE / __NFDBITS];

GOGGLES notes that every descriptor is tracked by single bit, and this
way normally 128 bytes (1024 / 8) will be reserved, enough for descriptors
0 through 1023 and not one more.
Pagans decided that default rlimit for amount of open files (RLIMIT_NOFILE)
is 1024 as well, so no descriptor can ever be numbered above 1023, code
will not go *BOOM* and is more secure than OpenBSD code (note: in
this respect they seem to be right).
Now pagans decided that rlimit for amount of open files raised above
1024 could make FD_SET() *BOOM*, since macro has no check against
__FD_SETSIZE, and proceeded to check theory.
GOGGLES did check on glibc bits/select.h to verify pagan idea, and found
that bigger idiots coded amongst others:

# define __FD_SET(fd, fdsp) \
  __asm__ __volatile__ ("btsl %1,%0"                             \
                        : "=m" (__FDS_BITS (fdsp)[__FDELT (fd)]) \
                        : "r" (((int) (fd)) % __NFDBITS)         \
                        : "cc","memory")

So pagan hypothesis would work in theory: btsl takes bit offset straight
from fd, __FDELT (fd) picks the word, and nothing in macro compares fd
with __FD_SETSIZE, so descriptor 1024 or higher sets bit past end of
fds_bits. GOGGLES not believed eyes, and continued test with
proof-of-concept code for believers in True Path who are more rigid than
pagans in accepting the obvious and comprehending the world around them;
this of course in perfect analogy with christians and pagans we all
heard of.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>        /* memset() was used without this include */
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <sys/select.h>
#include <fcntl.h>

/* Build with -O0 -fno-stack-protector -U_FORTIFY_SOURCE: demo relies on
 * __ sitting right after ___ on the stack (compiler dependent, not
 * guaranteed) and on FD_SET being the raw, unchecked macro. */
int main(void) {
        struct rlimit _;
        char __[256];           /* 2048 bits of "victim" memory after the fd_set */
        fd_set ___;             /* __FD_SETSIZE (1024) bits = 128 bytes */
        unsigned int ____;

        /* 0xD + 0xC0DE = 49387 open files; raising rlim_max needs root */
        _.rlim_cur = _.rlim_max = 0xDULL + 0xC0DE;

        if(setrlimit(RLIMIT_NOFILE, &_) == -1) {
                fprintf(stderr, "GOGGLE GOGGLE\n");
                exit(EXIT_FAILURE);
        }
        memset(__, 0, sizeof(__));
        FD_ZERO(&___);          /* start from clean bitmap, not stack garbage */
        /* keep 0, 1, 2; close rest so open() hands out 3, 4, 5, ... */
        for(____ = 3; ____ < 1024; ____++)
                close(____);
        /* open 1024 + 2048 descriptors; every fd >= 1024 makes FD_SET
         * write one bit past end of ___, i.e. into __ */
        for(____ = 0; ____ < 1024 + sizeof(__) * 8; ____++) {
                int _;          /* shadows the rlimit above; intentional */

                if( (_ = open("/dev/null", O_RDONLY)) != -1)
                        FD_SET(_, &___);
                else {
                        fprintf(stderr, "GOGGLE GOGGLE\n");
                        exit(EXIT_FAILURE);
                }
        }
        /* &0[__] is just __; after overflow __ is all 0xff and no longer
         * NUL-terminated, so printf runs on into whatever follows it */
        printf("%s\n", &0[__]); /* diz is to look stupid */
        return 0;
}

Now GOGGLES run example code on Linux machine at home, and find this
output (__ filled with 0xff bytes by FD_SET on descriptors 1024 and up,
then printf running past __ into whatever lies beyond it on stack):
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ0¶°ëA

GOGGLES realize that to exploit problem the rlimit hard limit has to be
raised above 1024, which can only be done as root, even with local access.
But, GOGGLES and pagans reasoned, if server such as inetd or so raises
rlimit by itself to something higher than 1024 (server running as root
can, and many do to serve more clients), then remote attacker who just
opens enough connections drives accepted descriptor numbers past 1023,
and server's own FD_SET on such descriptor writes bit beyond end of its
fd_set, overflowing whatever variable follows it.
Fix is not hard: server must check fd < FD_SETSIZE before every FD_SET
(and close descriptor it cannot monitor), or stop using select() and use
poll(), epoll or kqueue, which take no fixed-size bitmap.
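The two points above (the fd_set being a 1024-bit bitmap that FD_SET() indexes without a bounds check, and the server-side fix) as an added example. This is not code from the GOGGLES post or from glibc: it models in memory what the unchecked macro does for fd >= FD_SETSIZE, using a constructed struct with a canary buffer in place of the stack, and shows the check a select()-based server needs before registering an accepted descriptor. It assumes the little-endian x86 fd_set layout, where bit `fd` of the bitmap lives at byte fd/8, bit fd%8, the same place glibc's btsl-based __FD_SET writes, and that sizeof(fd_set) * 8 == FD_SETSIZE, as on glibc.

```c
/* Added example, not code from the GOGGLES post: models in memory what an
 * unchecked FD_SET() does for fd >= FD_SETSIZE, and shows the bounds check a
 * select()-based server needs before registering an accepted descriptor.
 * Assumption: little-endian fd_set layout (x86 Linux/glibc), where bit `fd`
 * of the bitmap lives at byte fd/8, bit fd%8, the same place glibc's
 * btsl-based __FD_SET writes to. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

/* Constructed layout for the demonstration: a fd_set followed by a canary
 * buffer standing in for whatever follows the fd_set on a real stack. */
struct probe {
    fd_set set;                 /* FD_SETSIZE bits; 128 bytes when FD_SETSIZE == 1024 */
    unsigned char canary[256];  /* 2048 "extra" descriptors' worth of bits */
};

/* Model of the unchecked macro: sets bit `fd` at byte offset fd/8 from the
 * start of the fd_set, regardless of whether that is still inside it. The
 * write is confined to `struct probe` here only so the model itself is safe;
 * the real macro has no such limit. */
static void unchecked_fd_set(int fd, struct probe *p)
{
    unsigned char *base = (unsigned char *)p;
    if (fd < 0 || (size_t)fd >= sizeof(*p) * 8)
        return;
    base[fd / 8] |= (unsigned char)(1u << (fd % 8));
}

/* Hardened form: refuse descriptors the bitmap cannot hold. */
static int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Which canary byte does setting `fd` through the unchecked model hit?
 * Returns the canary index and stores that byte's value; -1 (value 0) when
 * the write stayed inside the fd_set. */
static int overflow_landing(int fd, unsigned char *value_out)
{
    struct probe p;
    memset(&p, 0, sizeof p);
    unchecked_fd_set(fd, &p);
    *value_out = 0;
    for (size_t i = 0; i < sizeof p.canary; i++) {
        if (p.canary[i]) {
            *value_out = p.canary[i];
            return (int)i;
        }
    }
    return -1;
}

/* What a select()-based server should do for each accept()ed descriptor:
 * register it only if it fits the fd_set, otherwise drop the connection
 * rather than corrupt memory. Returns 0 on success, -1 if the fd was refused. */
static int register_client(int fd, fd_set *readfds, int *maxfd)
{
    if (checked_fd_set(fd, readfds) == -1) {
        close(fd);             /* cannot monitor it, so do not keep it */
        return -1;
    }
    if (fd > *maxfd)
        *maxfd = fd;
    return 0;
}

int main(void)
{
    unsigned char v;
    int idx;
    fd_set rd;
    int maxfd = 0;

    printf("FD_SETSIZE=%d, sizeof(fd_set)=%zu bytes\n", FD_SETSIZE, sizeof(fd_set));
    idx = overflow_landing(FD_SETSIZE - 1, &v);
    printf("fd %d: canary index %d (still inside the fd_set)\n", FD_SETSIZE - 1, idx);
    idx = overflow_landing(FD_SETSIZE, &v);
    printf("fd %d: canary index %d, byte now 0x%02x\n", FD_SETSIZE, idx, v);
    idx = overflow_landing(FD_SETSIZE + 2047, &v);
    printf("fd %d: canary index %d, byte now 0x%02x\n", FD_SETSIZE + 2047, idx, v);

    FD_ZERO(&rd);
    printf("register fd 5: %d; register fd %d: %d (refused and closed)\n",
           register_client(5, &rd, &maxfd), FD_SETSIZE + 4096,
           register_client(FD_SETSIZE + 4096, &rd, &maxfd));
    return 0;
}
```

The first descriptor past the bitmap (1024) lands in bit 0 of the byte right after the fd_set, and descriptor 1024 + 2047 lands in the last bit of a 256-byte buffer following it, which is exactly how the post's __ ends up all 0xff. Current glibc built with _FORTIFY_SOURCE routes FD_SET through __fdelt_chk and aborts the process for fd >= FD_SETSIZE; that turns the silent overflow into a crash but does not make a server that accepts more than 1024 descriptors correct, so the explicit check (or a move to poll()/epoll) is still needed.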

GOGGLES believes in perfect world, and therefore will not release proof
of concept exploit, since in perfect world no crackers exist who will
run it, and every administrator is smart enough to see problem from
illustrations above.

GOGGLES does not want contact about this bug, and since pagans do not
have telephones GOGGLES does not have way to reach them for more
information.
However, provided are following numbers of company trying to make big
money by stealing pagan techniques and not aim to make world a good place
to live in, so people can ask for more information about financial
exploitation of software consumers for information which is free in perfect
world. This is great way to start your own security company.
        +31-70-3111010 (ask for Patrick Oonk or Mark Lastdrager)
        +31-70-3107390 (ask for Iljitsch van Beijnum)
        +31-50-5420781 (ask for Joost Pol or the hacker that defaced
                        cn.freebsd.org)
        +31-6-26630263 or +31-6-53760017 (ask for {} or if you cannot
                                          pronounce this, ask for the
                                          hacker that defaced apache.org)
Or send fax of favourite underpants worn for weeks to:
        +31-70-3111011
        +31-70-3635911
GOGGLES is sad to not know for sure if all numbers work, but at least
should be enough to provide public with usable information.


GOGGLES hopes to have made world slightly better place this way, and
prevent commercial rip-off of poor software consumers and false claims
to discovery we see from many security company, and especially XFORCE-
ISS.

        Signed,
                GOGGLES
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkC++x8ACgkQ42dM9omIJ0TrFgCfesdGtJMDWC1yFPqf41UUhXn2+N0A
n3Y8l4IcFYnNIo0/g4AQKrDZVi8U
=fvjl
-----END PGP SIGNATURE-----





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html