Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Nothing new under the Sun – Discovering and exploiting a CDE bug chain

Marco Ivaldi - humanativaspa, posted 3 years ago
  • Oracle CDE (Common Data Environment) is a tool to collect all project information into a single platform. This is done via cloud syncing, I presume. The authors of this post had recently found vulnerabilities in the application but decided to hunt for issues in dtprintinfo since it had a track record of bad bugs.
  • They spent a few days looking for bugs in it manually to no avail. So, they wrote a sophisticated fuzzer. Whoops, sorry. They wrote cat /dev/urandom > ~/.printers as their fuzzer! By doing so, they immediately found a bunch of crashes. So, what happened?
  • Setting fake printers via the configuration file for dtprintinfo caused a bunch of problems. By manipulating the contents with fake printers, it was possible to read heap memory of the setuid root binary. Additionally, being able to pass in printers is NOT something that should be possible as a lower-privileged user, and it opens up a new attack surface.
  • The authors decided to target the parsing of printer icons in the XPM format. They wrote a simple mutation-based fuzzer and found some bugs in the libXm library used by the application. The app was opened in Ghidra with the script Rhabdomancer to find known bad code sinks. They found a trivial buffer overflow via strcat that was triggering a crash.
  • The exploit code for the Solaris OS is very well commented and nice to look at! A few interesting notes:
    • The shellcode is put into an environment variable. This indicates a lack of NX on the binary.
    • The location of the shellcode is dynamically calculated. This is done because of environment variable padding. It appears there is no other leak to break ASLR though.
    • Contains a bunch of file manipulation. Since the input for exploitation is within a file, this makes sense.
    • They have code for checking for bad characters, such as null bytes, HT and space. This is to make the exploit more consistent.
  • The article shows a GIF of a PoC as well. Pretty neat to see everything come together, even if modern binary protections aren't enabled. Overall, a fun article on finding a bug, finding more bugs, then exploiting the bugs!
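As an added example, not code from the article, from CDE or from libXm, here is the bug class behind the strcat crash summarized above: an XPM colour-table entry appended into a fixed buffer with strcat, beside a bounded replacement that turns an oversized colour name into a parse error instead of a memory write past the buffer. The buffer size, function names and line format are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the bug class in the write-up above. The
 * names, sizes and line format are hypothetical, not libXm's or the
 * article's code. */

#define COLOR_NAME_CAP 16   /* hypothetical fixed buffer size in the parser */

/* Pattern the article describes: strcat() copies src up to its NUL and has
 * no idea how large dst is. A crafted XPM colour name longer than the room
 * left in dst is written past its end (heap or stack, depending on dst). */
void append_color_unsafe(char *dst, const char *src)
{
    strcat(dst, src);   /* no bound: overflows once strlen(dst)+strlen(src) >= cap */
}

/* Hardened replacement: refuse the append when it would not fit and leave
 * dst untouched, so malformed input becomes an error the caller can report. */
int append_color_bounded(char *dst, size_t cap, const char *src)
{
    size_t have = strlen(dst);              /* dst is always NUL-terminated here */
    size_t need = strlen(src);
    if (have >= cap || need >= cap - have)  /* have + need + NUL must fit in cap */
        return -1;
    memcpy(dst + have, src, need + 1);      /* copies the terminating NUL too */
    return 0;
}

/* Parse one XPM colour line of the form "<chars> c <colour>" (e.g. ". c red")
 * into out[cap]. Returns 0 on success, -1 if the line has no colour key or
 * the colour name does not fit. Only the "c" key is handled; that is enough
 * to show where the bound check belongs. */
int parse_xpm_color_line(const char *line, char *out, size_t cap)
{
    const char *key = strstr(line, " c ");
    if (key == NULL || cap == 0)
        return -1;
    out[0] = '\0';
    return append_color_bounded(out, cap, key + 3);
}

/* 1 if the colour name on this line fits the parser's buffer, 0 if it is
 * malformed or would have overflowed the strcat version. */
int xpm_line_is_safe(const char *line)
{
    char buf[COLOR_NAME_CAP];
    return parse_xpm_color_line(line, buf, sizeof buf) == 0;
}
```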