Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Where to try to find bugs in software? It turns out, they are all over the place! In this installation of bug finding, the author researches translating from one language to another.

The first bug is in node-sass, a translator of the CSS precompiler. The bug is an integer underflow in a malloc size. The size used (for malloc) has a 1 added to it. Then, the original size is used for allocation. This results in a size of 0 being possible when a size of -1 is used.

The second bug was a vulnerability in png-img in Nodejs. The png-img bindings use an initStorage function which is vulnerable to an integer overflow via multiplication. The bug is very straight forward; it is literally through the height and width of the PNG image. In fact, this same exact bug existed within a JPEG parsing library used by Instagram.

This vulnerability ends up being a wildcopy: a vulnerability where a size is underflowed where a bunch of data gets written. As talked about in the Checkpoint article, this only results in a crash unless we can change the flow in execution before the crash occurs. In fact, we can! If there is NO more data in the stream of the PNG, the image exits.

The author mentions three important parts of an attack:

• How does the attack trigger the bug? PNG file. However, this is not a back & forth communication.
• What data does the attacker control? The bulk of it; it is a PNG file.
• What algorithms (flow of the program) can by influenced by the attacker?It is a linear heap overflow, which results in the ability to corrupt heap memory.

Node.js is compiled with stack canaries, Full RELRO and the NX bit, but without PIE and Fortify. Since the binary is non-interactive (only a single shot) and the binary is NOT compiled with PIE, overwriting data in the .bss section and jumping to code in the non-randomized .text section is a safe bet. The single shot is important to note: memory leaks are NOT possible in this scenario.

The next section goes into how the software interacts with the memory that is controllable by the user. This is how an attacker gets their foothold in a program. In particular, there is a section on the heap that contains function pointers (perfect). But... this did not actually work. They had corrupted code for the dynamic linker in the being used.

They make a really good point about real world exploit development: "As a developer, it is important to understand that attackers will explore vulnerabilities according to the resources and time they’re willing to invest in their exploitation. Even for a relatively straightforward vulnerability such as the png-img heap overflow, we see there is a distinct attacker calculus at play that weighs the pros and cons of various attack strategies against your code. Mitigations are considered from both a platform-specific and goal-oriented perspective.

Using this technique, they went with the corrupting of the symbol table resolution process. The attack looks something similar to RET-2-dl-resolve in order to resolve an arbitrary symbol. However, I am slightly confused because they mention heap chunk for a link map being corrupted or in the runtime execution. In my experience, the symbol resolution process on x86_64 does not use the heap (but maybe whatever they are on does?).

Once they decide to use the symbol resolution process, it was all about finding pointers to dereference in the non-PIE binary to act properly. Additionally, many of the values for this process are relative offsets. So, by placing proper values on the heap for the corrupted linkmap, it was possible to gain control of the symbol resolution process to load an arbitrary symbol.

What symbol do we load? Well, of course, they just call system out of it. This is not the entire description of the exploit; it is just a high-level overview. The entire thing should be read in order to understand the full process.

Overall, this is a fairly crazy exploit that ended up NOT requiring any leaks in order to full off. I had never heard of the ret-2-dl-resolve before; this will be a good addition to the toolbox when leaks are not possible.

Remember spam? No, I mean the spam of the 80's and 90's! The email spam was HORRIBLE because email servers would send off whatever you gave it with no authentication or valid information the domains.

Although the any domain part is mostly gone, you can still find SMTP servers that will relay whatever email with a sender domain that it knows.

This can be used for spoofing emails for internal network pentests to launch phishing campaigns.

This article shows the commands for actually talking to the server over telnet and sending off emails. SMTP is a newline based protocol (super simple) but the syntax is a little tedious to work with.

PDFs have their own hidden language in them. What if we could escape the content being added to the PDF and exfiltrate data? This is what the paper is about.

PDFs are commonly used for generating reports. The idea is to inject our own code into the page that will allow us to exfiltrate sensitive data.

The main issue was that PDF generating libraries were not blocking out parenthesis' when doing the link generation. This allowed for the escaping of the link to create a PDF payload.

Overall, the technique is pretty awesome and should be something to look for in the future. The link bulk of the understanding is above... Gareth goes into the actual nitty-gritty of creating valid PDF code but that can be googled when the time comes :)

Finding bugs is one thing; exploiting the bug is an entirely different thing. The bulk of this article is taking simple bug in the Windows Kernel and turning this into an exploit. Because this is the Windows Internals blog, this a dense article all about Windows!

There is logic that assumes either a 0 (false) or 1 (true) for the protocol. However, any value from 0-0xFF can be used. Because of this, there is sort of a type confusion that leads to a path being taken that increments a pointer that should NOT be incremented.

From there, there is a dump of Windows internal information. I just wanted to keep this here for safe-keeping in case I ever wanted to dive into the Windows world.

Besides all of the Windows stuff, I enjoyed the real world approach to this. There were many road blocks that forced the author to consider other paths to setup the exploitation properly.

SAML is a protocol that allows identity providers (IdP) to pass authorization credentials to service providers. A similar protocol is OAuth.

SAML uses XML in order to verify its claims. The id of a user is used in order to create a claim that represents this specific user.

The user is verified at TWO different points in TWO different ways. By abusing difference in this verification process, a valid user can trick the process to think they are any other user.

The trick was using HTML comments in order to force the parsers to act differently. This is NOT the first time this exact same issue has been seen.

There is a privilege escalation in PostgreSQL once a user had the ability to execute arbitrary commands into PostgreSQL.

This bug came down to a issue with the reverting functionality of a query in the database. Mainly, by abusing the state handling of the revert functionality.

INITIALLY DEFERRED can be used in order to delay commands from being ran. In particular, this delays when a constraint on a given object is looked at. This code was executed AFTER the context switch of users, allowing for the changing of sensitive information.

From there, the author had to find a way to trigger all of the functionality in the proper order.

Overall, super cool privilege escalation! This acts as a TOCTOU bug but more refers to the state handling not being properly reverted. I wish there was a 'tldr' on the article though.

This is a wiki page dedicated to the side-channels built into the web. Besides the attack mechanisms, the defensive also have just as many pages. I honestly did not know about half of these techniques and most of the mitigations!

The first (and most well-known) technique is the XS Search technique. The attack using timing measurements in a search query to determine if data was sent back or not. If so, keep going. Other, stop and try another letter. Instead of just letters, this can also be done with words and phrases too.

Another attack is about using Error Handling for finding pages that are only available within an internal network.

Frame Counting is where the amount of iFrames on a page are counted. This can be useful for determining the state of a site if multiple iFrames are loaded, depending on a GET parameter.

My favorite attack, mentioned on the list, is the Cache Probing attack. The idea is that is somebody has visited a site, then the content is cached in the web browser. So, by using timing differences or notices from the browser that the data is cached, where the user has visited can be determined. This is particularly useful for social media sites.

In terms of protections, a lot of these attacks are mitigated by having the same-site cookie default to lax instead of none.

There are some additional headers that can be used in order to prevent cross-site attacks, such as Cross-Origin-Resource-Policy, X-Frame-Options and Cross-Origin-Opener-Policy.

McAfee ePO is software that helps IT administrators unify security management across endpoints, networks, data, and compliance solutions from McAfee and third-party solutions.

The bugs for this were not very unique; but, the chaining of these bugs was quite interesting. All of the issues come from an API that checks the validity of a database connection.

First, there is a CSRF bug in this API (just NO protections at all).

The second issue is that if the connection request ONLY has the host and the port the credentials are automatically reused. Using this and specifying the host, we can man-in-the-middle (MitM) the connection; this acts as a SSRF bug! The connection also has test database commands being ran.

To tie this all together, we can use the CSRF to send the request to OUR server and change the connection information. Now, with this MitM, we can change the SQL command. Finally, use this to execute arbitrary commands on the server.

The final (unrelated to the chain) bug was zip functionality. Most zip CLI tools prevent directory traversal. However, a lot of processing libraries in languages do not. By using this, it was possible to write arbitrary files to arbitrary locations.

Steam sockets is the core networking library used in a wide variety of games, such as Dota2. This protocol runs over UDP and also supports WebRTC.

With UDP, reliable transmission needs to happen but this has to be built into the protocol itself (unlike TCP). In the past, this had been done insecurely (Apache and several others). So, this was a natural target for the attackers.

There is a value (nOffset), fully controllable by a user. This is initialized as an unsigned integer but later used as a signed integer. When this offset is used for the writing to the buffer later, it can underflow.

However, there was an issue with this via a sanity check for one of the iterators. This put the program into an undefined state: it will keep treating the output of table queries as valid segment data, even when a query finally returns an end() element. This empty C++ iterator could be an interesting for an attacker though.

C++ iterators use the languages operator overload features to work. The iterator for end returns a pointer to end of array (a pointer). This is actually a pointer just passed the final element in the list.

Complicated data structures, such as maps, are implemented using red-black trees, making the iteration a little more complicated though. The author of the exploit creates a fake hash table to iterate out.

After the data has been validated, all unused areas are freed. This can be used for a House of Spirit attack to free data into an arbitrary location.

To me, the main takeaways are using C++ complex objects for our advantage and C++ silently converting types without us even knowing it.

Some MacBooks have an Intel Graphics Modules with kernel extensions for managing it. This is where the vulnerability lies at.

In order to communicate with the API, Mach messages are used. Each type of message has a command number, a buffer and an arithmetic operation that produces an address of a structure.

This operation occurs without a boundary check, resulting in an OOB write vulnerability in kernel-land.

This can be used to get code execution in the kernel. To use this vulnerability to achieve code execution in the kernel, I do not fully understand. It appears to have something to do with being able to corrupt a value that is sent to processKernelCommand though.