x64Architecture

Hacking Team Exploits

A few days ago The Hacking Team We Kill People™ was turned into the Hacked Team and left us a few exploits. The first I will list is the Adobe Flash Player use-after-free vulnerability; just to show how marvelous they thought it was, here is an excerpt from the readme.txt:

Congrats! You are reading about the most beautiful Flash bug for the last four years since CVE-2010-2161.

Full readme.txt with exploit explanation (courtesy of the Hacked Team)

Another exploit was a Windows kernel privilege escalation vulnerability in the Open Font Type Manager, ATMFD.dll, provided by (sigh) Adobe, a driver that lets you select which font driver to use for font processing. There was an exploitable underflow that allowed the attacker to insert arbitrary code before the buffer, and since the driver runs in kernel mode you end up running code with Administrator privileges. Thank you, Adobe!

Windows Privilege Escalation Image

Tested on Windows 8.1 x86

Source code

New Project: Libicuid

The cpuid instruction recently caught my interest and I decided to write a library, libicuid, that gathers and decodes all the information it outputs. It provides a C interface that is compatible with C++ programs, is written in C and Assembly, and supports all major compilers: GCC, Clang, and Microsoft Visual Studio. I licensed it under the ISC License, which is functionally equivalent to the BSD 2-Clause License. You can visit its homepage here.

Example C program code:

#include <stdio.h>
#include <icuid/icuid.h>

int main(int argc, char **argv)
{
    int ret = -1;
    cpuid_raw_data_t raw;   /* raw output of every cpuid leaf */
    cpuid_data_t data;      /* decoded vendor, brand, topology and feature flags */

    (void)argc;
    (void)argv;

    /* Execute cpuid and collect the raw leaves */
    ret = cpuid_get_raw_data(&raw);
    if (ret != ICUID_OK) {
        printf("%s\n", icuid_errorstr(ret));
        return ret;
    }

    /* Decode the raw leaves into human-readable data */
    ret = icuid_identify(&raw, &data);
    if (ret != ICUID_OK) {
        printf("%s\n", icuid_errorstr(ret));
        return ret;
    }

    printf("Vendor: %s\n", data.vendor_str);
    printf("CPU: %s\n", data.brand_str);
    printf("Codename: %s\n", data.codename);
    printf("Cores: %u\n", data.cores);
    printf("Logical: %u\n", data.logical_cpus);

    /* Feature flags are indexed by the CPU_FEATURE_* constants */
    if (data.flags[CPU_FEATURE_AVX])
        printf("CPU Supports AVX\n");

    return ret;
}

OpenSSL Heartbleed Vulnerability

If you haven’t heard, there was a vulnerability in OpenSSL’s implementation of the TLS heartbeat extension which leaked up to 64 KB of memory per heartbeat request. I put that last part in bold because an attacker could retrieve that amount of memory every single time they make a heartbeat request, and there is no limit on how many requests they can make. If you want more info, look up the vulnerability. But just so you know, this server has been patched to prevent the vulnerability from being exploited.

How to Install Mailman With Ubuntu

I haven’t posted a how-to in a while, and I just spent half a day installing Mailman with nginx because the documentation is horrible and mostly suggests installing thttpd instead, so I figured I would write one. Here is the link to the Mailman I set up. So now onto the tutorial.

First you’re going to want to install Postfix:

$ sudo apt-get install postfix

Then configure it:

$ sudo dpkg-reconfigure postfix

Insert the following details when asked (replacing example.com with your domain name if you have one):

  1. General type of mail configuration: Internet Site
  2. NONE (this prompt doesn’t appear to be asked in the current config)
  3. System mail name: example.com (if you want an email like me@example.com)
  4. Root and postmaster mail recipient:
  5. Other destinations for mail: example.com, localhost.example.com, localhost (and any other domains you want Postfix to handle)
  6. Force synchronous updates on mail queue?: No
  7. Local networks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
  8. Yes (this prompt doesn’t appear to be asked in the current config)
  9. Mailbox size limit (bytes): ****
  10. Local address extension character: +
  11. Internet protocols to use: all

Restart Postfix:

$ sudo service postfix restart

Now we’re going to install fcgiwrap:

$ sudo apt-get install fcgiwrap

You may need to adjust /etc/init.d/fcgiwrap so that it runs as the user and group of your nginx install:

$ sudo nano /etc/init.d/fcgiwrap

FCGI_USER="your nginx user"
FCGI_GROUP="www-data"

Restart fcgiwrap:

$ sudo service fcgiwrap restart

Now onto Mailman.

First install Mailman (the two questions the installer asks are self-explanatory and up to you):

$ sudo apt-get install mailman

Now we have to create the mailman list (again, the questions are self-explanatory and up to you):

$ sudo newlist mailman

Now we have to create the mail aliases, so edit /etc/aliases:

$ sudo nano /etc/aliases

Add the following lines. (You’re going to have to do this for every new list.)

## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

Now we have to update the aliases.

$ sudo newaliases

And now restart postfix.

$ sudo service postfix restart

Now start up Mailman:

$ sudo service mailman start

Now onto the nginx configuration. I’m assuming you already have a vhost set up; if not, go create one.

First we have to edit /etc/nginx/fastcgi_params:

$ sudo nano /etc/nginx/fastcgi_params

Put a comment character ‘#’ in front of

fastcgi_param SCRIPT_FILENAME $request_filename;

so it will look like this:

#fastcgi_param SCRIPT_FILENAME $request_filename;

Now open up your vhost; for this tutorial I’m referring to it as /etc/nginx/sites-available/example.com.conf:

$ sudo nano /etc/nginx/sites-available/example.com.conf

Insert the following lines into the server block for your domain:

server {
    [...]
    location /cgi-bin/mailman {
        root /usr/lib/;
        fastcgi_split_path_info (^/cgi-bin/mailman/[^/]*)(.*)$;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
    }
    location /images/mailman {
        alias /usr/share/images/mailman;
    }
    location /pipermail {
        alias /var/lib/mailman/archives/public;
        autoindex on;
    }
    [...]
}

Restart nginx and you’re done!

$ sudo service nginx restart

Notes and FAQ:

If you want to remove /cgi-bin, you’re going to have to edit /var/lib/mailman/Mailman/mm_config.py and the nginx config. If you’re having trouble with mail, make sure your firewall isn’t blocking port 25. Example: $ sudo ufw allow 25/tcp
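Since the alias block above has to be repeated for every new list, here is an added shell helper (not part of the original post) that generates it from a list name and appends it to an aliases file only if that list is not already there. It assumes the Debian/Ubuntu wrapper path /var/lib/mailman/mail/mailman used in the tutorial; the list name "announce" in the usage is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original tutorial: emit and append the
# /etc/aliases block Mailman needs for one list.
# Assumption: the Debian/Ubuntu mail wrapper lives at this path.
MAILMAN_WRAPPER="/var/lib/mailman/mail/mailman"

# Print the ten alias lines for list $1 in the same layout as the tutorial.
mailman_aliases() {
    list="$1"
    printf '## %s mailing list\n' "$list"
    printf '%-22s "|%s post %s"\n' "$list:" "$MAILMAN_WRAPPER" "$list"
    for cmd in admin bounces confirm join leave owner request subscribe unsubscribe; do
        printf '%-22s "|%s %s %s"\n' "$list-$cmd:" "$MAILMAN_WRAPPER" "$cmd" "$list"
    done
}

# Append the block for list $1 to the aliases file $2 (default /etc/aliases)
# unless an alias for that list already exists, so re-running never creates
# duplicate entries. Returns 1 (and appends nothing) if the list is present.
# Remember to run `newaliases` afterwards, as in the tutorial.
add_list_aliases() {
    list="$1"
    aliases_file="${2:-/etc/aliases}"
    if grep -q "^$list:" "$aliases_file" 2>/dev/null; then
        echo "aliases for '$list' already present in $aliases_file" >&2
        return 1
    fi
    mailman_aliases "$list" >> "$aliases_file"
}

# Usage (hypothetical list name, writing to a scratch file for demonstration):
# add_list_aliases announce /tmp/aliases.test
```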

iOS TLS/SSL Bug

If any of you haven’t heard yet, there is a serious flaw in the SSL certificate verification of OS X and iOS. It is in the function SSLVerifySignedServerKeyExchange. The bug is in the following piece of code, written in C by Apple:

static OSStatus
SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
                                 uint8_t *signature, UInt16 signatureLen)
{
    ...

    hashOut.data = hashes + SSL_MD5_DIGEST_LEN;
    hashOut.length = SSL_SHA1_DIGEST_LEN;
    if ((err = SSLFreeBuffer(&hashCtx)) != 0)
        goto fail;

    if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail; // Notice the duplicate goto here
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;

...

fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;

}

(The offending file is located here)

Now, if you didn’t notice, there are two goto fail; lines in a row. The second one is not governed by the if, so execution always jumps to fail while err still holds the success value from the previous call, which bypasses the signature check. This creates a security vulnerability, as demonstrated here.
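To make the control-flow point concrete, here is an added example (not Apple’s code) that models the same shape with a constructed stand-in hash and a "signature" that is just the expected hash value: the vulnerable function returns success for any signature because the duplicated goto skips the check, while the braced version does not.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not Apple's code. The hash is a constructed stand-in
 * (multiply-add over the bytes) and the "signature" is the expected final
 * hash, so only the control flow is realistic, not the cryptography. */
typedef int OSStatus;
enum { errSecSuccess = 0, errSSLCrypto = -2 };

/* Stand-in for SSLHashSHA1.update: folds buf into *ctx, never fails. */
static OSStatus hash_update(uint32_t *ctx, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        *ctx = (*ctx * 31) + buf[i];
    return errSecSuccess;
}

/* Stand-in for the signature check Apple's code reaches after .final(). */
static OSStatus verify_signature(uint32_t hash, uint32_t signature)
{
    return hash == signature ? errSecSuccess : errSSLCrypto;
}

/* Vulnerable shape: the second goto fail is unconditional, so err still
 * holds 0 from the last update and verify_signature() never runs. */
OSStatus verify_vulnerable(const uint8_t *a, size_t na,
                           const uint8_t *b, size_t nb, uint32_t signature)
{
    OSStatus err;
    uint32_t ctx = 0;
    if ((err = hash_update(&ctx, a, na)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, b, nb)) != 0)
        goto fail;
        goto fail; /* the duplicate line: not governed by the if above */
    if ((err = verify_signature(ctx, signature)) != 0)
        goto fail;
fail:
    return err;
}

/* Fixed shape: one goto per condition, braced so a stray line cannot hide. */
OSStatus verify_fixed(const uint8_t *a, size_t na,
                      const uint8_t *b, size_t nb, uint32_t signature)
{
    OSStatus err;
    uint32_t ctx = 0;
    if ((err = hash_update(&ctx, a, na)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, b, nb)) != 0) { goto fail; }
    if ((err = verify_signature(ctx, signature)) != 0) { goto fail; }
fail:
    return err;
}
```

With input "ab" then "cd" the stand-in hash is 2987074; the vulnerable function accepts any signature value, the fixed one accepts only that one.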

Wnmp 2.0.7 Released!

Windows, Nginx, MySQL & PHP(Wnmp)

Wnmp 2.0.7: Released: 01/02/2014
********************************
- Wnmp Control Panel 2.1.2

  * Fixed: Windows 8.1 version detection.
  * Fixed: an invalid URL and other misc changes.
  * Changed: Forms can no longer be resized (using ~WS_THICKFRAME).
  * Feature: Double click the Log RichTextBox and it will pop up a notepad with the current log.
  * Feature: When Wnmp closes it saves a log to the start up path.
  * Feature: When Wnmp is closed it saves a log to Wnmp.log.

- Nginx

  * Updated to 1.5.9
  * Compiled with OpenSSL 1.0.1f to fix CVE-2013-4353 & CVE-2013-6450
  * SPDY/3.1 support!

- MariaDB

  * Updated to 5.5.35

- PHP

  * Updated to 5.5.8

- phpMyAdmin

  * Updated to 4.1.6

Nginx Now Supports SPDY/3.1

In December nginx announced that it would upgrade its SPDY implementation to SPDY/3.1, work funded by Automattic, MaxCDN, and CloudFlare. They have now implemented it with this commit on January 31st. The highlight is that where SPDY/3 implements flow control, SPDY/3.1 implements session flow control. And if any of you noticed, I patched the nginx 1.5.9 in Wnmp to support SPDY/3.1, which should speed some things up.

Wnmp 2.0.4 Released!

Windows, Nginx, MySQL & PHP(Wnmp)

Wnmp 2.0.4
**********
- Wnmp Control Panel 2.0.9

  * Wnmp now backs up configuration files and overwrites the old ones.
  * Implemented Automatic Check For Updates Feature, see #15.

- Nginx

  * Updated to 1.5.7

- MariaDB

  * Updated to 5.5.34