Planet


Blind Trust in Email Could Cost You Your Home

Postby BrianKrebs via Krebs on Security »

The process of buying or selling a home can be extremely stressful and complex, but imagine the stress that would boil up if — at settlement — your money was wired to scammers in another country instead of to the settlement firm or escrow company. Here’s the story about a phishing email that cost a couple their home and left them scrambling for months to recover hundreds of thousands in cash that went missing.

It was late November 2016, and Jon and Dorothy Little were all set to close on a $200,000 home in Hendersonville, North Carolina. Just prior to the closing date on Dec. 2, their realtor sent an email to the Littles and to the law firm handling the closing, asking the settlement firm for instructions on wiring the money to an escrow account.

The fraudulent wire instructions apparently sent by the hackers via the settlement law firm.
An attorney with the closing firm responded with wiring instructions as requested, attaching a document that had the law firm’s logo and some bank account information that was represented as the seller’s account number. The Littles’ realtor sent the wire on Thursday morning, the day before settlement.

“We went to closing at 1 p.m. on Friday, and after we signed all the papers, we asked the lawyers if we were going to get back the extra money we had sent them, because they hadn’t been able to give us an exact amount in the wiring instructions. At that point they told us they had never gotten the money.”

After some disagreement, both legitimate parties to the transaction agreed that someone’s email had been hacked by the fraudsters, and was used to divert the wired funds to an account the criminals controlled. The hackers had forged a copy of the law firm’s letterhead, and beneath it placed their own Bank of America account information (see screen shot above).

The owner of the Bank of America account appears to have been a willing or unwitting accomplice — also known as a “money mule” — recruited through work-at-home job schemes to receive and forward funds stolen from hacked business accounts. In this case, the money mule wired all but 10 percent of the money (a typical money mule commission) to an account at TD Bank.

Fortunately for the Littles, the FBI succeeded in having the resulting $180,000 wire transfer frozen once it hit the TD Bank account. However, efforts to recover the stolen funds were stymied immediately when the Littles’ credit union refused to give Bank of America a so-called “hold harmless” agreement that the bigger bank wanted as a legal guarantee before agreeing to help.

Charisse Castagnoli, an adjunct professor of law at the John Marshall Law School, said banks have a fiduciary duty to their customers to honor their requests in good faith, and as such they tend to be very nervous legally about colluding with another bank to reverse payment instructions by one of their own customers. The “hold harmless” agreement is usually sought by the bank which received a fraudulent wire transfer, Castagnoli said, and it requires the responding bank to assume any and all liability for costs that the requesting bank may later incur should the owner of account which received the fraudulent wire decide to dispute the payment reversal.

“When it comes to wire fraud cases the banks have to move very quickly because once the wires make it outside the U.S. to foreign banks, the money is usually as good as gone,” Castagnoli said. “The receiver or transferee usually insists on a hold harmless agreement because they’re moving the money on behalf of their own account holder, kind of going against their own client which is a big ‘no-no’ when you’re a fiduciary.”

But in this case, the credit union in which the Littles had invested virtually all of their money for more than 40 years decided it could not in good faith provide that hold harmless agreement, because doing so would stipulate that the credit union affirms the victim (the Littles) hadn’t willingly and knowingly initiated the wire, when in fact they had.

“I talked to the wire dept multiple times,” Mr. Little said of the folks at his financial institution, Atlanta, Ga.-based Delta Community Credit Union (DCCU). “They finally put me through to the vice president of loss prevention at the credit union. I’m not sure they even believed all that was going on. They finally came back and told me they couldn’t do it. Their rules would not allow them to send a hold harmless letter because I had asked them to do something and they had done it. They had a big meeting last week with apparently the CEO of the credit union and several other people. Then they called me on Monday again and told me they would not could not do it.”

The Littles had to cancel the contract on the house they were prepared to occupy in December. Most of their cash was tied up in this account that the banks were haggling over, and so they opted to get a heavily mortgaged small townhome instead, with the intention of paying off the mortgage when their stolen funds are returned.

“We canceled the contract on the house because the sellers really needed to sell it,” Jon Little said.

The DCCU has yet to respond to my requests for comment. But less than a day after KrebsOnSecurity reached out to the credit union for comment about the Littles’ story, the bank informed the Littles that the other bank would soon have its hold harmless letter — freeing up their $180,000 after more than four months in legal limbo.

The Littles’ story has a fairly happy ending. However, most of the few dozen other stories previously featured on this blog about wayward mortgage, escrow and payroll payments wound up with the victim losing at least six figures.

One of the more recent advertisers on this blog — Ninjio — specializes in developing custom, “gamified” security awareness training videos for clients. “The Homeless Homebuyer,” one of the videos Ninjio produced for a government client seems appropriate here: It features an animated FBI agent breaking the bad news to some would-be homeowners that their money is gone and so are their dreams of a new home — all because everyone blindly trusted unsecured email for what is essentially a high-risk cash transaction.

I like the video because its message is fairly stark and real: You could get screwed if you don’t take this seriously and proceed carefully, because once the money’s gone it usually stays gone. Check it out here:

So here’s what you need to know if you or anyone you know, love or even like are about to buy or sell a home: Never wire money based on the say-so of one party to the transaction made via email. You simply don’t know if their account is hacked, so from a self-preservation standpoint it’s best to assume it is.

Agree in advance who will contact whom — preferably by phone — on settlement day to receive the wiring details, and who will manage the wiring process. Never trust bank account details and payment instructions sent via email. Always double or even triple check any instructions for wiring money at settlement. Confirm all wiring instructions in person if possible, or else over the phone.

By the way, these same precautions can help make organizations less susceptible to CEO fraud schemes, email scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster.

The Federal Bureau of Investigation (FBI) has been keeping a running tally of the financial devastation visited on companies via CEO fraud scams. In June 2016, the FBI estimated that crooks had stolen nearly $3.1 billion from more than 22,000 victims of these wire fraud schemes.

Castagnoli said many credit unions and small banks don’t have the legal staff with the clearance to make calls on whether to issue a hold harmless agreement, and so they usually try to punt on that when requested. Were she in the Littles’ position, Castagnoli said she would have called the head of the credit union and demanded assistance.

“If the head of the bank wouldn’t do it, I’d call my congressperson or a state banking regulator,” she said.

If you’re selling or buying the home yourself and somehow also in charge of wiring money, consider using a Live CD approach (all of these “live” Linux distributions will just as happily run on USB-based flash drives). I have long recommended Live Linux usage as a smart option for small businesses to avoid paying dearly when a Windows banking trojan snarfs their business banking credentials.

imageworsener: heap-based buffer overflow in iw_process_cols_to_intermediate (imagew-main.c)

Postby ago via agostino's blog »

Description:
imageworsener is a utility for image scaling and processing.

The complete ASan output of the issue:

# imagew $FILE /tmp/out -outfmt bmp
==20314==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe233b99af8 at pc 0x7fea7f55da64 bp 0x7ffdb4737840 sp 0x7ffdb4737838
WRITE of size 4 at 0x7fe233b99af8 thread T0
    #0 0x7fea7f55da63 in iw_process_cols_to_intermediate /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:903:75
    #1 0x7fea7f55da63 in iw_process_one_channel /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:1144
    #2 0x7fea7f54ca71 in iw_process_internal /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:1405:7
    #3 0x7fea7f520095 in iw_process_image /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:2248:8
    #4 0x528de1 in iwcmd_run /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:1400:6
    #5 0x515326 in iwcmd_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3018:7
    #6 0x515326 in main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3067
    #7 0x7fea7e5e878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41b028 in _init (/usr/bin/imagew+0x41b028)

0x7fe233b99af8 is located 4 bytes to the right of 8003134196-byte region [0x7fe056b37800,0x7fe233b99af4)
allocated by thread T0 here:
    #0 0x4da6f8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x551fc0 in my_mallocfn /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:794:9
    #2 0x7fea7f6a39ae in iw_malloc_ex /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:48:8
    #3 0x7fea7f6a3dec in iw_malloc_large /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:77:9
    #4 0x7fea7f54c5a0 in iw_process_internal /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:1396:44
    #5 0x7fea7f520095 in iw_process_image /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:2248:8
    #6 0x528de1 in iwcmd_run /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:1400:6
    #7 0x515326 in iwcmd_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3018:7
    #8 0x515326 in main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3067
    #9 0x7fea7e5e878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:903:75 in iw_process_cols_to_intermediate
Shadow bytes around the buggy address:
  0x0ffcc676b300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc676b310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc676b320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc676b330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc676b340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffcc676b350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04[fa]
  0x0ffcc676b360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcc676b370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcc676b380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcc676b390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcc676b3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20314==ABORTING

Affected version:
1.3.0

Fixed version:
1.3.1

Commit fix:
https://github.com/jsummers/imageworsener/commit/86564051db45b466e5f667111ce00b5eeedc8fb6

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00269-imageworsener-heapoverflow-iw_process_cols_to_intermediate

Timeline:
2017-04-12: bug discovered and reported to upstream
2017-04-12: upstream released a patch
2017-04-27: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


imageworsener: two left shift

Postby ago via agostino's blog »

Description:
imageworsener is a utility for image scaling and processing.

There are two left shifts visible with UBSan enabled.

# imagew $FILE /tmp/out -outfmt bmp
src/imagew-util.c:415:68: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
src/imagew-bmp.c:427:10: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
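As an added illustration (not imageworsener's code, and not the upstream patch), below are the two shapes of shift that produce exactly these UBSan messages, each beside its corrected form. The function names and the sample bytes are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not imageworsener's code. A value narrower than int
 * is promoted to (signed) int before a shift, so shifting a bit into or
 * past bit 31 is undefined behaviour in C, even though x86 "happens to
 * work". The fix in every case is to shift an unsigned type. */

/* Shape of "left shift of 255 by 24 places": assembling a 32-bit
 * little-endian value from bytes. buf[3] is promoted to int, so any top
 * byte of 0x80 or above makes the shift undefined. Kept for contrast;
 * do not call. */
int read_u32le_undefined(const unsigned char *buf)
{
    return (buf[3] << 24) | (buf[2] << 16) | (buf[1] << 8) | buf[0];
}

/* Fixed: widen each byte to uint32_t before shifting. */
uint32_t read_u32le(const unsigned char *buf)
{
    return ((uint32_t)buf[3] << 24) | ((uint32_t)buf[2] << 16) |
           ((uint32_t)buf[1] << 8)  |  (uint32_t)buf[0];
}

/* Shape of "left shift of 1 by 31 places": building a single-bit mask.
 * The literal 1 is a signed int, so 1 << 31 is undefined. Do not call. */
int bit_mask_undefined(int n)
{
    return 1 << n;
}

/* Fixed: unsigned literal, plus a range check so that a shift count
 * taken from a file header can never reach the width of the type
 * (shifting by >= 32 is undefined even for unsigned operands). */
uint32_t bit_mask(unsigned n)
{
    return n < 32 ? (UINT32_C(1) << n) : 0;
}

/* Constructed sample bytes: 0xff345678 stored little-endian. */
const unsigned char sample_le[4] = { 0x78, 0x56, 0x34, 0xff };

int main(void)
{
    printf("read_u32le   -> 0x%08x\n", (unsigned)read_u32le(sample_le));
    printf("bit_mask(31) -> 0x%08x\n", (unsigned)bit_mask(31));
    return 0;
}
```

Compiling with -fsanitize=undefined and calling the two "undefined" variants with these inputs reproduces the two messages above; the fixed variants stay silent.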

Affected version:
1.3.0

Fixed version:
1.3.1

Commit fix:
https://github.com/jsummers/imageworsener/commit/a00183107d4b84bc8a714290e824ca9c68dac738

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00271-imageworsener-leftshift

Timeline:
2017-04-13: bug discovered and reported to upstream
2017-04-22: upstream released a patch
2017-04-27: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


imageworsener: memory allocation failure in my_mallocfn (imagew-cmd.c)

Postby ago via agostino's blog »

Description:
imageworsener is a utility for image scaling and processing.

There is a memory allocation failure. The relevant part of the ASan output follows:

# imagew $FILE /tmp/out -outfmt bmp
    #8 0x551fc0 in my_mallocfn /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:794:9
    #9 0x7f37f140c9ae in iw_malloc_ex /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:48:8
    #10 0x7f37f140cdec in iw_malloc_large /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:77:9
    #11 0x7f37f136d66c in bmpr_read_uncompressed /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-bmp.c:665:32
    #12 0x7f37f134ce64 in iwbmp_read_bits /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-bmp.c:910:7
    #13 0x7f37f134ce64 in iw_read_bmp_file /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-bmp.c:980
    #14 0x7f37f1349f94 in iw_read_file_by_fmt /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-allfmts.c:66:12
    #15 0x519304 in iwcmd_run /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:1191:6
    #16 0x515326 in iwcmd_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3018:7
    #17 0x515326 in main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3067
    #18 0x7f37f035178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #19 0x41b028 in _init (/usr/bin/imagew+0x41b028)
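The heap-overflow report earlier on this page shows iw_malloc_large handing out an 8003134196-byte region with a 4-byte write landing just past its end, and the trace above shows an allocation under bmpr_read_uncompressed failing outright; in both cases the requested size is ultimately derived from the input file. As an added illustration that is not imageworsener's code and not the upstream fix (see the linked commit for that), the following shows how a BMP reader can bound a header-derived buffer size before allocating and treat an allocator failure as a bad file rather than a fatal error. The caps and helper names are assumptions chosen for the example. Capping the size does not by itself prevent an off-by-one write at the end of a correctly sized buffer; that is a loop-bound problem in the processing code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not imageworsener's code: overflow-checked, capped
 * sizing for a pixel buffer whose dimensions come from an untrusted BMP
 * header. The caps below are assumptions chosen for the example. */

#define MAX_PIXELS  ((size_t)64 * 1024 * 1024)   /* 64 Mpixel */
#define MAX_BUFFER  ((size_t)1 << 30)            /* 1 GiB */

/* Multiply without wrapping: returns 0 if a*b does not fit in size_t. */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Byte stride of one BMP row (rows are padded to 4-byte multiples).
 * Returns 0 when the width or bit depth is unusable. */
size_t bmp_row_stride(uint32_t width, uint32_t bpp)
{
    size_t bits;
    if (width == 0 || bpp == 0 || bpp > 32)
        return 0;
    if (!mul_ok(width, bpp, &bits) || bits > SIZE_MAX - 31)
        return 0;
    return ((bits + 31) / 32) * 4;
}

/* Size in bytes of the uncompressed pixel buffer, or 0 on rejection. */
size_t bmp_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t stride, pixels, total;
    if (width == 0 || height == 0)
        return 0;
    if (!mul_ok(width, height, &pixels) || pixels > MAX_PIXELS)
        return 0;
    stride = bmp_row_stride(width, bpp);
    if (stride == 0 || !mul_ok(stride, height, &total) || total > MAX_BUFFER)
        return 0;
    return total;
}

/* Allocate the buffer; NULL if the dimensions were rejected or the
 * allocator refused. The caller treats NULL as "bad file", not abort. */
unsigned char *bmp_alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = bmp_buffer_size(width, height, bpp);
    return n ? calloc(n, 1) : NULL;
}

/* 1 if the buffer for these dimensions can be obtained and released. */
int bmp_can_allocate(uint32_t width, uint32_t height, uint32_t bpp)
{
    unsigned char *p = bmp_alloc_pixels(width, height, bpp);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    printf("100x100x24 -> %zu bytes\n", bmp_buffer_size(100, 100, 24));
    printf("0xffffffff x 0xffffffff x 32 -> %zu bytes (0 = rejected)\n",
           bmp_buffer_size(0xffffffffu, 0xffffffffu, 32));
    return 0;
}
```

A fuzzer-produced header with absurd dimensions is rejected before any allocation is attempted, so the ASan "allocation-size-too-big" abort and the out-of-memory DoS both go away; a legitimate 100x100 24-bit image still gets its 30000-byte buffer.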

Affected version:
1.3.0

Fixed version:
1.3.1

Commit fix:
https://github.com/jsummers/imageworsener/commit/86564051db45b466e5f667111ce00b5eeedc8fb6

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00276-imageworsener-memallocfailure

Timeline:
2017-04-13: bug discovered and reported to upstream
2017-04-12: upstream released a patch for another issue that fixes this issue too
2017-04-27: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.


(finally) investigating how to get dynamic WDS (DWDS) working in FreeBSD!

Postby Adrian via Adrian Chadd's Ramblings »

I sat down recently to figure out how to get dynamic WDS working on FreeBSD-HEAD. It's been in FreeBSD since forever, and in theory it should actually have just worked, but it is not documented in any useful way. It's basically the same technology as in earlier Apple Airports (before it grew into what the wireless tech world calls "Proxy-STA") and is what the "extender" technology on Qualcomm Atheros chipsets implements.

A common question I get from people is "why can't I bridge multiple virtual machines on my laptop and have them show up over wifi? It works on ethernet!" And my response is "when I make dynamic WDS work, you can just make this work on FreeBSD devices - but for now, use NAT." That always makes people sad.

So what is it?

With normal station / access point setups, wireless frames have up to three addresses. In the header it's "address 1", "address 2", and "address 3".

Depending upon the packet type, these can be a variety of addresses:

  • SA - source address - source of the packet (eg the STA address)
  • TA - transmitter address - STA/AP that transmitted the frame
  • RA - receiver address - immediate destination of the packet 
  • DA - destination address - final recipient of the data
  • BSSID - BSS ID (ie, AP mac address)
There are a lot of addresses. There are, in fact, more than the number of address fields in a normal 802.11 frame.

Now, if you want to understand when each of these is used in which frames, blog posts such as http://80211notes.blogspot.com/2013/09/understanding-address-fields-in-80211.html will fill you in. But the TL;DR for normal AP/STA traffic is:

  • From an AP to a station (from-DS set), address 1 is the DA (the STA), address 2 is the BSSID (the AP) and address 3 is the SA (eg an ethernet host behind the AP bridge)
  • From a station to an AP (to-DS set), address 1 is the BSSID, address 2 is the SA/TA (the STA itself) and address 3 is the DA (eg an ethernet host behind the AP bridge)
The big note here is that there aren't enough MAC addresses to say "please send this frame to a station MAC address, but then have it forward the frame to another MAC address attached behind it in a bridge." That would require four MAC addresses in the 802.11 header, which we don't get.

.. except we do. There's a separate address format where the from-DS and to-DS bits in the header are both set to 1, which means "this frame is going from a distribution system to a distribution system", and it has four MAC addresses: address 1 is the RA (the AP you're sending to), address 2 is the TA, address 3 is the final DA, and the fourth field is the original SA, which may be an ethernet device connected behind the transmitting STA.
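As an added example that is not from the post or from FreeBSD's net80211, here is a small parser that picks the receiver, transmitter, destination and source out of a data frame header according to the to-DS / from-DS bits, run over two constructed frames with made-up MAC addresses: a 4-address WDS frame and an ordinary 3-address STA-to-AP frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not net80211 code: decode the address fields of an
 * 802.11 data frame from its To DS / From DS bits. The four-address
 * layout in the last branch is the one WDS and DWDS peers exchange. */

#define FC_TO_DS    0x01   /* bit 0 of the frame-control flags byte */
#define FC_FROM_DS  0x02   /* bit 1 of the frame-control flags byte */

struct dot11_addrs {
    unsigned char ra[6], ta[6], da[6], sa[6], bssid[6];
    int has_bssid;      /* 4-address frames carry no BSSID field */
    int four_address;
    size_t hdr_len;     /* 24 bytes without Address 4, 30 with it */
};

/* Parse the MAC header of a data frame. Returns 0 on success, -1 if the
 * buffer is shorter than the header the DS bits imply. */
int dot11_parse_data_addrs(const unsigned char *f, size_t len,
                           struct dot11_addrs *out)
{
    const unsigned char *a1, *a2, *a3;
    int to_ds, from_ds;

    if (len < 24)
        return -1;
    a1 = f + 4; a2 = f + 10; a3 = f + 16;
    to_ds = (f[1] & FC_TO_DS) != 0;
    from_ds = (f[1] & FC_FROM_DS) != 0;

    memset(out, 0, sizeof *out);
    memcpy(out->ra, a1, 6);           /* Address 1 is always the receiver */
    memcpy(out->ta, a2, 6);           /* Address 2 is always the transmitter */
    out->hdr_len = 24;

    if (!to_ds && !from_ds) {         /* IBSS or direct: DA, SA, BSSID */
        memcpy(out->da, a1, 6); memcpy(out->sa, a2, 6); memcpy(out->bssid, a3, 6);
        out->has_bssid = 1;
    } else if (from_ds && !to_ds) {   /* AP -> STA: DA, BSSID, SA */
        memcpy(out->da, a1, 6); memcpy(out->bssid, a2, 6); memcpy(out->sa, a3, 6);
        out->has_bssid = 1;
    } else if (to_ds && !from_ds) {   /* STA -> AP: BSSID, SA, DA */
        memcpy(out->bssid, a1, 6); memcpy(out->sa, a2, 6); memcpy(out->da, a3, 6);
        out->has_bssid = 1;
    } else {                          /* WDS, both bits set: RA, TA, DA, SA */
        if (len < 30)
            return -1;
        memcpy(out->da, a3, 6);
        memcpy(out->sa, f + 24, 6);   /* Address 4 follows sequence control */
        out->four_address = 1;
        out->hdr_len = 30;
    }
    return 0;
}

/* Constructed sample (addresses made up): a 4-address data frame from an
 * extender (TA) to the central AP (RA), carrying a packet from a host
 * bridged behind the extender (SA) to a host behind the AP (DA). */
const unsigned char sample_wds_frame[30] = {
    0x08, 0x03,                          /* frame control: data, To DS|From DS */
    0x00, 0x00,                          /* duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x01,  /* A1 = RA: central AP */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x02,  /* A2 = TA: extender */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x03,  /* A3 = DA: host behind the AP */
    0x00, 0x00,                          /* sequence control */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x04,  /* A4 = SA: host behind the extender */
};

/* Constructed sample: the ordinary 3-address STA -> AP form for contrast. */
const unsigned char sample_sta_frame[24] = {
    0x08, 0x01,                          /* frame control: data, To DS only */
    0x00, 0x00,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x01,  /* A1 = BSSID */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x02,  /* A2 = SA = TA, the station itself */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x03,  /* A3 = DA */
    0x00, 0x00,
};

/* Parse into a static record and return it, or NULL on a truncated header. */
const struct dot11_addrs *dot11_parse_static(const unsigned char *f, size_t len)
{
    static struct dot11_addrs a;
    return dot11_parse_data_addrs(f, len, &a) == 0 ? &a : NULL;
}

static void print_mac(const char *label, const unsigned char *m)
{
    printf("%-3s %02x:%02x:%02x:%02x:%02x:%02x\n", label,
           m[0], m[1], m[2], m[3], m[4], m[5]);
}

int main(void)
{
    const struct dot11_addrs *a = dot11_parse_static(sample_wds_frame,
                                                     sizeof sample_wds_frame);
    if (a == NULL) {
        puts("truncated frame");
        return 1;
    }
    printf("four-address: %d, header length: %zu\n", a->four_address, a->hdr_len);
    print_mac("RA", a->ra); print_mac("TA", a->ta);
    print_mac("DA", a->da); print_mac("SA", a->sa);
    return 0;
}
```

A frame with both DS bits set but only 24 bytes of header is rejected rather than read past the buffer; that length check is the one a receive path needs before it trusts Address 4 to pick a DWDS peer.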

If you don't configure WDS, then when a station sends frames with a source MAC address that isn't actually its own 802.11 interface MAC address, the system would be confused: the STA wouldn't be able to transmit them easily, and the AP wouldn't know how to get back to your bridged ethernet addresses.

Ok, so how does this work with WDS? The above from/to-DS mode is actually the technical hilarity behind "Wireless Distribution System",  which is a fancy way of saying "an AP connects to another AP and can relay frames for you." It's what was used for extending wireless networks before true meshing solutions came into existence.

The original WDS was a statically configured thing. You'd configure up a particular device as a WDS extender, and both sides would need configuring:

  • The central AP would need to know the MAC address of a WDS master, so it would know that frames from/to that particular AP needed the four-address frame format, and
  • The extender AP would need to be configured to talk to the central AP to act as a WDS master - it would then associate as a station to that central AP, and would use 4-address frames to relay traffic to it.
So for static configurations, this works great. You'd associate your extender AP as a station of the central AP, it'd use wpa_supplicant to set up encryption, then anything between that central AP and that extender AP (as a station) would be encrypted as normal station traffic (but in the 4-address frame format.)

But that's not very convenient. You have to statically configure everything, including telling your central AP about all of your satellite extender APs. If you want to replace your central AP, you have to reprogram all of your extenders to use the new MAC addresses.

So, Sam Leffler came up with "dynamic WDS" - where you don't have to explicitly state the list of central/satellite APs. Instead, you configure a central AP as "dynamic WDS", and when a 4-address frame shows up from an associated station, it "promotes" it to a WDS peer for you. On the satellite AP, it will just find an AP to communicate to, and then assume it'll do WDS and start using 4-address frames. It's still a bit clunky (there's no beacon, probe request, etc IEs that say "I do dynamic WDS!" so you'd better make ALL your central APs a different SSID!) but it certainly is better than what we had.

(Yes, one of the things I'll be doing to FreeBSD now that this works is adding that concept of "I'm a DWDS primary!" node concept so satellites can just "find" a DWDS primary enabled AP to associate to. Baby steps..)

But, I tried it - and ... let's just say, the documentation didn't say very much. So I couldn't really get it to work.

Then a friend pointed out he figured it out. (Thankyou Edward!)

Firstly, there are scripts in src/tools/tools/net80211/ - setup.wdsmain and setup.wdsrelay. These scripts are .. well, the almost complete documentation on a dynamic WDS setup. The manpage doesn't go into anywhere near enough information.

So I dug into it. It turns out that dynamic WDS uses a helper daemon - 'wlanwds' -  which listens for dynamic WDS configuration changes and will do things for you. This is what runs on the central AP side. Then it started making sense!
  • For dynamic WDS, there are no WDS interface types created by default
  • net80211 will post a routing socket message if a 4-address frame shows up on a "dwds" enabled interface, which is the signal to userland to plumb up a DWDS interface for that particular peer
  • wlanwds is then responsible for creating that virtual interface with the right configuration
  • Then it runs a shell script that you provide which lets you do things like assign it to a bridge group so it can bridge traffic
  • Finally, if the station goes away, wlanwds will get another notification from net80211 saying the station has gone, and wlanwds will destroy the virtual interface for that peer.
So far, so good. I followed that script, modified it a bit to use encryption, and .. well, it half worked. Association worked fine, but no traffic was passing.

A little tcpdump'ing later showed what was going on!
  • 4-address frames from the extender side were successfully being encrypted and transmitted to the central AP
  • 4-address frames from the central AP were being sent, but unencrypted
  • .. so the station dropped them, since they arrived unencrypted when they should've been encrypted.
A little more digging showed the actual problem - the dynamic WDS example scripts are for an open/unencrypted network. If you are using an encrypted network, the central AP side needs to enable privacy on the virtual interfaces so traffic gets encrypted with the parent interface encryption keys. So adding this:

ifconfig $DEV wepmode mixed

.. to the shell script for when an interface was created made everything work.

Now, I've only done enough testing to show that indeed it is working. I haven't done anything like pass lots of traffic via iperf, or have a mix of DWDS and normal STA peers, nor actually run it for longer than 5 minutes. I'm sure there will be issues to fix. However - I do need it at home, as I can't see the home AP from the upstairs room (and now you see why I care about DWDS!) and so when I start using it daily I'll fix whatever hilarity ensues.

TR069 meets Brickerbot and friends

Postby kris via The Isoblog. »

Bleepingcomputer has a report on the Californian ISP Sierra Tel, who apparently had visitors (JPG of letter) at their customers' TR069 interfaces.

TR069 is the remote-management interface of home DSL equipment; if it is insufficiently secured, it can be used to own each and every home DSL router of an ISP.

Which happened to Sierra, twice, simultaneously. Which did not improve the results at all.

“BrickerBot was active on the Sierra Tel network at the time their customers reported issues,” Janit0r told Bleeping Computer in an email, “but their modems had also just been mass-infected with malware, so it’s possible some of the network problems were caused by this concomitant activity.”

Janit0r suggested the other culprit was Mirai, a malware also known to cause similar issues.

Mirai is also the malware that disabled a bunch of German and British Telekom modems in late 2016.


Toybox: Writing a new command line from scratch

Postby kris via The Isoblog. »

Rob Landley, of Busybox/Toybox fame, spoke four years ago about the Toybox project in the context of Android and whatever else was recent back then. The talk contains a brilliant deconstruction of the problems that GPL v3 has, and why it is in decline.

It also shows a lot of vision regarding containers, and what is needed in this context. If you are deploying Alpine today, with musl and toybox in it, here is why and how it came to be.


Mastodon (or actually, GNU.social)

Postby kris via The Isoblog. »

This article by rw is a good non-technical introduction to GNU.social, Mastodon, and the protocols and ideologies behind it:

The protocol OStatus is shared by a number of implementations, which are all more or less interoperable. One of the implementations is GNU.social, another is the right now hyped Mastodon. Each of the implementations has many instances, some of them large, many of them very small. They all connect to each other and talk to each other, through federation, and together they form the so called Fediverse.

You can subscribe to one or more of the instances, or start to run your own – it’s up to you.

I signed up as Isotopp@octodon.social, and use it mostly for reading. I won’t start posting there any time soon. So, what is it like?

It’s better than Twitter, and the raised character limit Mastodon presents (500 characters) helps a lot.

Instances structure content: people sharing an instance with you get special treatment, as they form their own stream which you can read. So it matters where you get your account. So far, the content the octodon-local stream is throwing at me is surprisingly hate-free, coming from Twitter, but is also only very mildly interesting.

The fact that it presents content structurally like Twitter, in individual messages with no threading and very little structure, is appalling and still makes conversations hard, even when the character limit is not getting in the way. A structure and presentation more like Google Plus or Facebook, something more conversational, would actually be helpful.

The timeline is still rather slow, and the way content is presented in the default interface shown by Octodon also does not help: the web interface thinks that every device is a tablet and wastes a lot of screen space, grossly stretches and misformats images, and while it is fast, it is just plain ugly.

For me, this puts Mastodon rather far back on the reading list and not at all on the post-to list. Which is rather unfortunate, because the ideas behind it are actually not broken.

Switzerland, post fixed book price agreements

Postby kris via The Isoblog. »

Swiss NZZ has an article about the Buchpreisbindung, fixed book price agreements. These are still a thing in Germany, and have been in Switzerland, in the past.

In Switzerland, the fixed book price agreement was not extended in May 2007. In the political follow-up it came to a public referendum in March 2012, which failed, repealing the agreement permanently.

Since then, book prices have fallen by 20%, and variance in price has mostly been caused by the exchange rate of the Swiss franc against the Euro. 30% of the bookshops also closed, but that is more likely caused by the digitization of reading than by the price agreement going away.

Complete statistics of the book market are hard to come by, because the market increasingly becomes fragmented and opaque: specifically ebook sales happen across national borders, Amazon is not really publishing numbers, and an increasing number of book sales are direct sales, the authors not going through publishers, or not even producing a material copy of the work, but selling ebook only. Many such works also have no standard ISBN and are not registered in any way.

The article, and the traditional publishing business are mourning the loss of structure in the market, because they are losing political power and public subsidies in the same proportion as the market loses its rigid structure. This, for many of them, apparently is a larger problem than the loss of the fixed book price agreement.


What happened to Google’s book scanning project

Postby kris via The Isoblog. »

The Atlantic has a wonderful article about the Google book scanning project and what became of it.

In 2002, Google began mass scanning every book it could possibly get its hands on, OCRing it and making it searchable. Authors and publishers soon began suing Google from here to the south pole and back, but in the end realized that they did not actually want to win their lawsuits.

Suppose the Authors Guild won: they were unlikely to recoup anything more than the statutory minimum in damages; and what good would it do to stop Google from providing snippets of old books? If anything those snippets might drive demand. And suppose Google won: Authors and publishers would get nothing, and all readers would get for out-of-print books would be snippets—not access to full texts.

The plaintiffs, in other words, had gotten themselves into a pretty unusual situation. They didn’t want to lose their own lawsuit—but they didn’t want to win it either.

The solution was the “Google Books Search Amended Settlement Agreement” (GBS), which took more than two years to formulate, and which would find an agreement between authors, publishers, libraries and Google, and to top it off, would define a regime on how to deal with out-of-print books that are still technically covered under copyright.

But making these scanned books available also drew objections from many parties, including Amazon, because people feared that this scanning effort would turn Google into a giant book store. Looking back, most of these fears are nonsensical, but they led to the US Department of Justice putting the settlement on hold. Taking Google out of the equation was not possible:

In some ways, the parties to the settlement didn’t have a good way out: no matter how “non-exclusive” they tried to make the deal, it was in effect a deal that only Google could get—because Google was the only defendant in the case. For a settlement in a class action titled Authors Guild v. Google to include not just Google but, say, every company that wanted to become a digital bookseller, would be to stretch the class action mechanism past its breaking point.

To fix things, Congress would have to adjust copyright law, which it would not do. The end result: somewhere at Google, there is a database with 25 million books in it, and nobody is legally allowed to read them.

Sometimes, politics just suck.

jq

Postby kris via The Isoblog. »

When dealing with Kubernetes, you will inevitably have to deal with config and data that is in JSON format.

jq is a cool tool to handle this, but while the man page is complete, it is also very dry. A nice tutorial can be found at The Programming Historian, which uses some real world use cases. My personal use case is converting JSON to CSV, and the inverse of that. There also is a mildly interesting FAQ.

Learning jq takes about one quiet afternoon of time.

UK Man Gets Two Years in Jail for Running ‘Titanium Stresser’ Attack-for-Hire Service

Postby BrianKrebs via Krebs on Security »

A 20-year-old man from the United Kingdom was sentenced to two years in prison today after admitting to operating and selling access to “Titanium Stresser,” a simple-to-use service that let paying customers launch crippling online attacks against Web sites and individual Internet users.

Adam Mudd of Hertfordshire, U.K. admitted to three counts of computer misuse connected with his creating and operating the attack service, also known as a “stresser” or “booter” tool. Services like Titanium Stresser coordinate so-called “distributed denial-of-service” or DDoS attacks that hurl huge barrages of junk data at a site in a bid to make it crash or become otherwise unreachable to legitimate visitors.

Mudd’s TitaniumStresser service.
According to U.K. prosecutors, Mudd’s Titanium Stresser service was used by others in more than 1.7 million denial-of-service attacks against victims worldwide, with most countries in the world affected at some point. He originally built the booter service at the age of 15, earning more than $300,000 in ill-gotten gains from it. Also during his interviews, he admitted security breaches against his own college while he was there studying computer science.

Mudd pleaded guilty to three offences under the U.K. Computer Misuse Act and a further offense of money laundering under the Proceeds of Crime Act in October 2016.

“Today, he was sentenced to 24 months imprisonment for his own DDoS attacks, nine months for running a titanium stressor service and 24 months for money laundering the proceeds made from the stressor service, all to run concurrently,” reads a press release issued by the Eastern Region Special Operations Unit (ERSOU), an anti-cybercrime unit that worked with the U.K.’s National Crime Agency to investigate Mudd.

Detective Chief Inspector Martin Peters of the ERSOU’s Regional Crime Unit recalled that at sentencing the judge said the defendant likely would have received six years if he’d been tried as an adult and if he had no medical issues. Mudd had been slated to be sentenced last week, but that hearing was delayed until today after the court heard medical testimony on Mudd’s apparent struggles with autism.

The Mudd case is the latest in a string of law enforcement actions in the U.K., U.S. and elsewhere targeting booter service operators and their customers. In December 2016, federal investigators in the United States and Europe arrested nearly three-dozen people suspected of patronizing booter services. That crackdown was part of an effort by authorities to weaken demand for booter and stresser services and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have run booter services tied to the “Lizard Squad” hacking group. That same month the sprawling discussion forum Hackforums — once the most bustling marketplace on the Internet where people could compare and purchase booter and stresser service subscriptions — announced that it was permanently banning the sale and advertising of booters.

Last month, authorities in Israel said they were preparing a case against two 18-year-old Israeli men who investigators there say operated the wildly popular “vDOS” booter service. The proprietors of vDOS were in business for four years prior to being exposed by KrebsOnSecurity. During just two of those four years in operation vDOS made more than $600,000 helping paying customers coordinate hundreds of thousands (if not millions) of DDoS attacks.

The detail about Mudd having attacked the very same school he was attending as a computer science student seemed both interesting and familiar. Then I remembered: This same dynamic was at work with a young man approximately Mudd’s age who lives in New Jersey and recently was implicated by many of his close associates and a great deal of circumstantial evidence as a co-author of the Mirai botnet computer code.

Mirai is a network worm that enslaves poorly secured “Internet of Things” devices like security cameras and digital video recorders for use in extremely powerful DDoS attacks capable of knocking almost any target offline.

After Mirai took my site offline for several days last year, I spent many hours trying to figure out who was responsible for writing and unleashing the malware. All signs pointed to a computer science student at Rutgers University who used a large Mirai botnet to attack the university repeatedly — all the while using his hacker alter ego to taunt the university in online interviews.

The authorities in the U.K. say they are hoping to make an example of Mudd as part of a broader education effort to divert talented, smart kids away from malicious hacking and toward more productive endeavors.

“Adam Mudd’s case is a regrettable one, because this young man clearly has a lot of skill, but he has been utilising that talent for personal gain at the expense of others,” the ERSOU press release observes. “We want to make clear it is not our wish to unnecessarily criminalise young people, but want to harness those skills before they accelerate into crime. It is important that this case sends out a clear message to others who may be tempted by committing cybercrime or who are already engaging in cyber scams from the comfort of their own bedrooms, to consider what they are doing and it is for parents to know and understand what your children are doing online.”

The difference between knowledge and experience

Postby kris via The Isoblog. »



Tweet via Turbo Sandzwerg

I have a personal story that goes very well with this tweet:

Many years ago, I was doing database scalability at a company I had been working for. A new DBA needed to reload a central MySQL master server in order for some config changes to /etc/my.cnf to go live.

Back then it could happen that when you “service mysql stop” something, it could go fast or it could take rather long. You would not know beforehand. Stopping and starting the server kindly would create an outage of unpredictable length, and consequently a loss of money, because the company would not have any income while this server reloaded.

It was 2 in the afternoon, and the server was in good shape – I checked, and the redo log was at less than 400 MB in size. Also, critically, innodb_flush_log_at_trx_commit was set at the proper value, the default 1. That is, commits would go properly to disk, to the redo log, on each commit.

I knew from personal experience that this would be safe, and fast: a kill -9 on the mysql pid would terminate the server, the server would go into recovery and this particular hardware would recover 400 MB of redo log in less than 20 seconds. I had in fact at one time written a script that did restore a server from backup, start up recovery and replication, kill the server, and backup the server again, in a loop, for a week, in order to test and provoke a certain bug.

The new DBA knew all I knew, but from a book. He had not tested this personally the way I had. He knew the server was important, and to him kill -9’ing this server at 2pm in the afternoon was a high-risk operation.

So we agreed to reload the server the next morning at 6am. We met in a chat, and in a “screen -x” shared session. I typed the kill command, and in a second screen a “tail -F” on the error log of the server, then asked him to hit return.

He could not.

He was physically unable to hit the return key. He intellectually knew that it was safe and should recover in no time. He knew the operation should be safe. He could not bring himself to do it.

So I did.

Of course the server went through recovery, and came back in 12 seconds. We lost a minimal amount of business, far less than an orderly shutdown of the server would have cost.

The admin saw, and learned. He knew before, but now he experienced personally that his knowledge is true, and trustworthy. He did not just know he was safe, he felt safe. In the following months he became an excellent and courageous DBA and did whatever was operationally necessary.

The lesson here is that there is a huge difference between knowing things, knowledge in the head, and having experienced things personally, knowledge in the heart, and having done things so often that you do not even have to think about what goes which way when you act, knowing things intuitively in the stomach.

These are knowledge, experience and intuition.

Experience and intuition cannot be taught from a book. They can only be gathered from practice, repetition and survived failure.

Exploding Kittens Special

Postby kris via The Isoblog. »



Exploding Kittens Android Game for ten cents in the Play Store.

Handling Mail, correctly.

Postby kris via The Isoblog. »

Somebody sent me a mail with
Content-Type: multipart-mixed;
  boundary=X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*”
Thank you for that. This is precisely my kind of humor.


The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27 Year Prison Sentence

Postby BrianKrebs via Krebs on Security »

Roman Seleznev, a 32-year-old Russian cybercriminal and prolific credit card thief, was sentenced Friday to 27 years in federal prison. That is a record punishment for hacking violations in the United States and by all accounts one designed to send a message to criminal hackers everywhere. But a close review of the case suggests that Seleznev’s record sentence was severe in large part because the evidence against him was substantial and yet he declined to cooperate with prosecutors prior to his trial.

The Maldives is a South Asian island country, located in the Indian Ocean, situated in the Arabian Sea. Source: Wikipedia.
The son of an influential Russian politician, Seleznev made international headlines in 2014 after he was captured while vacationing in The Maldives, a popular vacation spot for Russians and one that many Russian cybercriminals previously considered to be out of reach for western law enforcement agencies.

However, U.S. authorities were able to negotiate a secret deal with the Maldivian government to apprehend Seleznev. Following his capture, Seleznev was whisked away to Guam for more than a month before being transported to Washington state to stand trial for computer hacking charges.

The U.S. Justice Department says the laptop found with him when he was arrested contained more than 1.7 million stolen credit card numbers, and that evidence presented at trial showed that Seleznev earned tens of millions of dollars defrauding more than 3,400 financial institutions.

Investigators also reportedly found a smoking gun: a password cheat sheet that linked Seleznev to a decade’s worth of criminal hacking.

Seleznev was initially identified as a major cybercriminal by U.S. government investigators in 2011, when prosecutors in Nevada named him as part of a conspiracy involving more than three dozen popular merchants on carder[dot]su, a bustling fraud forum where he and other members openly marketed various cybercrime-oriented services.

Known by the hacker handle “nCux,” Seleznev operated multiple online shops that sold stolen credit and debit card data. According to Seleznev’s indictment in the Nevada case, he was part of a group that hacked into restaurants between 2009 and 2011 and planted malicious software to steal card data from store point-of-sale devices.

In Seattle on Aug. 25, 2016, Seleznev was convicted of 10 counts of wire fraud, eight counts of intentional damage to a protected computer, nine counts of obtaining information from a protected computer, nine counts of possession of 15 or more unauthorized access devices and two counts of aggravated identity theft.

“Simply put, Roman Seleznev has harmed more victims and caused more financial loss than perhaps any other defendant that has appeared before the court,” federal prosecutors charged in their sentencing memorandum. “This prosecution is unprecedented.”

Seleznev’s lawyer Igor Litvak called his client’s sentence “draconian,” saying that Seleznev was gravely injured in a 2011 terrorist attack in Morocco, has Hepatitis B and is not well physically.

Litvak noted that his client also faces two more prosecutions — in Georgia and Nevada, and that his client is likely to be shipped off to Nevada soon.

“It’s unprecedented, yes, but it’s also a draconian sentence for a person who is very gravely ill,” Litvak said in an interview with KrebsOnSecurity. “He’s not going to live that long. He’s going to die in jail. I’m certain of that.”


ANALYSIS

As for the severity of his sentence, Seleznev did himself no favors by rededicating himself to his carding empire after having been clearly marked by U.S. investigators in the 2011 indictment as a key figure in an online organized crime ring.

Many of the documents related to Seleznev’s prosecution and conviction in Washington state last week remain sealed, as he still faces federal criminal hacking charges in Nevada and Georgia. But former black hat Russian hacker turned political and cybersecurity blogger Andrey “Sporaw” Sporov published snippets from documents apparently related to Seleznev’s prosecution indicating that investigators with the U.S. Secret Service and FBI met with the Russian Federal Security Service (FSB) in 2009 to discuss Seleznev’s activities, presenting “substantial” evidence that Seleznev was a bigtime cybercrook.

2pac[dot]cc credit card shop that Seleznev operated, among others.
Seleznev’s online alter ego nCux reportedly got word of the meeting, and was soon after seen deleting his identities on hacker forums and saying he was closing up shop:
“As U.S. Probation noted, the information that U.S. law enforcement was investigating Seleznev ‘clearly got back to Mr. Seleznev,'” reads the document. “Indeed, Seleznev had his own contacts inside the FSB. In chat messages between Seleznev and an associate from 2008, Seleznev stated that he had obtained protection through the law enforcement contacts in the computer crime squad of the FSB. Later, in 2010, Seleznev told another associate that the FSB knew his identity and was working with the FBI.”

But nCux didn’t go away; he merely reinvented himself as “Bulba,” operating a number of carding sites including track2[dot]name, bulba[dot]cc, and 2Pac[dot]cc. These sites sold tens of thousands of “dumps,” data that thieves encode onto new plastic cards and use to buy high-priced electronics and gift cards from big box retailers. Seleznev’s sites specialized in selling tens of thousands of dumps at a time to criminal groups and street gangs operating throughout the United States.

A private message between card merchant “Bulba” and an interested buyer on the fraud bazaar carder[dot]pro.
Seleznev reportedly used this money to live an extravagant lifestyle, buying up properties in Bali, Indonesia. Photographs seized from Seleznev show his associates with large bundles of cash, at luxurious resorts, and posing for photographs next to flashy sports cars. Just before his capture, Seleznev reportedly spent over $20,000 to stay in a resort in the Maldives and boasted of having rented the most expensive accommodations there. Sporov’s documents describe the years Seleznev spent evading law enforcement officials following his then-sealed indictment in Nevada:

“Seleznev remained at large for over three years. During this period, Seleznev carefully evaded apprehension, employing practices like buying last-minute plane tickets to avoid giving authorities advance notice of his travel plans. Seleznev obtained an account with the U.S. Court’s PACER system, which he monitored for criminal indictments naming him or his nicknames. He avoided travel to countries that had entered into extradition treaties with the United States. Indeed, when Seleznev was finally confronted by U.S. agents in the Maldives, his first words were to question whether the United States had an extradition treaty with the Maldives.”

The defendant also apparently burned through multiple lawyers, almost all of whom appear to have advised him to seek a plea deal with the U.S. government:

“Seleznev repeatedly attempted to manipulate and protract these proceedings, resulting in a cumulative delay of 26 months, and six sets of counsel, between his capture and trial….Transcripts of jail calls previously submitted to the Court reveal that, in the days leading up to the hearing, Seleznev and his father resolved to delay the hearing so that they could work on a secret strategy they elliptically referred to as ‘Uncle Andrey’s option.’ To manufacture the delay, Seleznev’s father suggested that Seleznev either ‘get sick’ or ‘completely stop the communication with the lawyers.'”

Seleznev is the son of Valery Seleznev, a prominent member of the Russian Duma (Russia’s parliament) who is considered an ally of President Vladimir Putin. As the Seattle Times wrote at Seleznev’s conviction in 2016, “federal prosecutors accused Seleznev and his father of plotting to tamper with witnesses and possibly discussing an escape from the Federal Detention Center in SeaTac. The assertions were based on recorded conversations, according to the government.”

Seleznev posing with a sports car in Red Square. Image: DOJ.
Perhaps Mr. Seleznev thought his father’s influence and/or his own apparent connections with Russian law enforcement officials would rescue him. Maybe Seleznev believed he could prevail against the U.S. government in court.

But it seems clear that Seleznev’s record 27-year sentence had at least as much to do with the impact of his crimes as it did the enormity of the charges and evidence against him combined with his refusal to cooperate with investigators.

Seleznev’s lawyer Igor Litvak said his client declined a plea deal prior to his trial, and by the time Seleznev had changed his mind the trial was over and the government no longer needed the information he could offer. Prosecutors sought to put him away for 35 years: They got eight years shy of that request.

“The prosecution said if he would have cooperated this case would have turned out very differently,” Litvak said.

The docket for Seleznev’s case is available here and includes a number of unsealed documents related to this case.

Update, Apr. 25, 5:09 p.m. ET: Added link in the third paragraph to documentation of Seleznev’s month-long hiatus in Guam.

Tumblr of the Day is Tagesschau20Jahre

Postby kris via The Isoblog. »

Tumblr of the Day is “Tagesschau vor 20 Jahren”.


Science March (vs. Placebo March)

Postby kris via The Isoblog. »

Science March
»The numbers for the Science March seem high, but we won’t know until we compare it to the numbers at the placebo march that’s also happening.

I honestly feel bad for the people on the Placebo March, who thought they were at the Science March, but double blind testing is important.

I hear the placebo marchers feel like they’re making a difference even after they’re told they’re at the placebo march.«

I am confused – it’s a science march, but in April. And the Placebo thing, that’s a concert, right?

Tumblr of the Day: @IstBERinBetrieb

Postby kris via The Isoblog. »



Tumblr of the Day is a Twitter: @IstBERinBetrieb. Reason: Today BER is 2001 days late.

How to fix Too many files open java.io.IOException in Tomcat

Postby miwi via Martin Wilke »

Not many Java programmers know that socket connections are treated like files: each one consumes a file descriptor, which is a limited resource. Different operating systems have different limits on the number of file handles they can manage. One common reason for java.net.SocketException: Too many files open in Tomcat, or in any Java application server, is too many clients connecting and disconnecting frequently within a very short span of time. Socket connections internally use the TCP protocol, which specifies that a socket can remain in the TIME_WAIT state for some time even after it has been closed. One reason for keeping a closed socket in TIME_WAIT is to ensure that delayed packets still reach the corresponding socket. Different operating systems keep sockets in TIME_WAIT for different default periods: in Linux it is 60 seconds, while in Windows it is 4 minutes. Remember that the longer the timeout, the longer your closed socket keeps its file handle, which increases the chance of a java.net.SocketException: Too many files open exception.

This also means that if you are running Tomcat or any other web server on a Windows machine, you are more prone to this error than on Unix-based systems.

By the way, this error is the same as the java.io.IOException: Too many files open exception, which is thrown by code in the IO package if you try to open a new FileInputStream or any other stream pointing to a file resource.

Now we know that this error occurs because clients are connecting and disconnecting frequently. If that seems unusual for your application, you can find the culprit client and prohibit it from reconnecting; but if it is something your application may expect and you want to handle it on your side, you have two options:

1) Increase number of open file handles or file descriptors per process.
2) Reduce timeout for TIME_WAIT state in your operating system

On UNIX-based operating systems you can use the command ulimit -a to find out how many open file handles per process are allowed.

$ ulimit -a
core file size (blocks, -c) unlimited
data seg size (kbytes, -d) unlimited
file size (blocks, -f) unlimited
open files (-n) 256
pipe size (512 bytes, -p) 10
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) 2048
virtual memory (kbytes, -v) unlimited

You can see open files (-n) 256, which means only 256 open file handles per process are allowed. If your Java program (remember that Tomcat and other application servers are Java programs running on a JVM) exceeds this limit, it will throw the java.net.SocketException: Too many files open error.

You can raise this limit with ulimit -n to a larger number, e.g. 4096, but do it only if you know what you are doing.

Another important thing to verify is that your process is not leaking file descriptors or handles. That is a tedious thing to find out, but you can use the lsof command to check how many open file handles are owned by a particular process on UNIX or Linux. Run lsof with the PID of your process, which you can get from the ps command.

Similarly, you can change the TIME_WAIT timeout, though a really low value means you might miss delayed packets. On UNIX-based systems you can see the current configuration in the /proc/sys/net/ipv4/tcp_fin_timeout file. On Windows-based systems, this information lives in the Windows registry. You can change the TCP TIME_WAIT timeout in Windows by following the steps below:

1) Open the Windows Registry Editor by typing regedit in the Run window.
2) Find the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\tcpip\Parameters
3) Add a new value named TcpTimedWaitDelay as a decimal and set the desired timeout in seconds (60-240).
4) Restart your Windows machine.

Bottom line: to fix java.net.SocketException: Too many files open, either increase the number of open file handles or reduce the TCP TIME_WAIT timeout.
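As an added example (this is not the post's code and not part of Tomcat), the Python below does on Linux what the post suggests doing with ulimit -a and lsof: it reads the soft and hard descriptor limits of the process, lists its open descriptors from /proc/<pid>/fd, shows the leak pattern next to the context-manager fix, and reproduces "Too many open files" (errno EMFILE) under a temporarily lowered limit so the failure can be observed without harming anything. All function names are this example's own. One caveat on the Linux tunable the post names: /proc/sys/net/ipv4/tcp_fin_timeout bounds how long an orphaned socket waits in FIN_WAIT_2, while the 60-second TIME_WAIT period is fixed in the kernel, so on Linux the practical levers are the descriptor limit and closing sockets promptly.

```python
"""Added example (not from the post): inspect the per-process descriptor
limit that `ulimit -n` reports, list open descriptors the way `lsof -p PID`
would, and reproduce "Too many open files" (errno EMFILE) under a
deliberately lowered limit. All names here are this example's own."""
import errno
import os
import resource
import socket

EMFILE = errno.EMFILE  # the errno behind "Too many open files"


def fd_limits():
    """(soft, hard) RLIMIT_NOFILE of this process; soft is what `ulimit -n` shows."""
    return resource.getrlimit(resource.RLIMIT_NOFILE)


def open_fds(pid="self"):
    """Return [(fd, description)] for a process, like `lsof -p PID` minus the
    formatting. Reads /proc/<pid>/fd on Linux; for the current process on
    BSD/macOS it falls back to /dev/fd (whose entries are not symlinks)."""
    for base in (f"/proc/{pid}/fd", "/dev/fd" if pid == "self" else None):
        if base and os.path.isdir(base):
            result = []
            for name in os.listdir(base):
                try:
                    desc = os.readlink(os.path.join(base, name))
                except OSError:
                    desc = "?"  # not a symlink (BSD) or closed meanwhile
                result.append((int(name), desc))
            return sorted(result)
    raise RuntimeError("no /proc or /dev/fd here; use lsof -p PID instead")


def count_sockets(pid="self"):
    """How many open descriptors are sockets (Linux shows 'socket:[inode]')."""
    return sum(1 for _, desc in open_fds(pid) if desc.startswith("socket:"))


def leaky_handler(n):
    """The bug pattern: sockets kept referenced (here a list, in real code
    often a cache or map) and never close()d, so each keeps its descriptor."""
    return [socket.socket() for _ in range(n)]


def careful_handler():
    """The fix: a context manager releases the descriptor on every exit path.
    Returns descriptor counts (before, inside, after) so the effect is visible."""
    before = len(open_fds())
    with socket.socket() as s:
        inside = len(open_fds())
        s.settimeout(1.0)  # any real use of the socket would go here
    return before, inside, len(open_fds())


def provoke_too_many_open_files():
    """Lower the soft limit to just above the highest descriptor in use, then
    create sockets until the kernel refuses. Returns the errno observed
    (EMFILE). The original limit is restored and every socket closed before
    returning, so the calling process is left as it was."""
    soft, hard = fd_limits()
    new_soft = max(fd for fd, _ in open_fds()) + 8
    if hard != resource.RLIM_INFINITY:
        new_soft = min(new_soft, hard)
    held, seen = [], None
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (new_soft, hard))
        for _ in range(new_soft + 1):  # bounded: EMFILE must arrive before this
            try:
                held.append(socket.socket())
            except OSError as exc:
                seen = exc.errno
                break
    finally:
        for s in held:
            s.close()
        resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
    return seen


def tcp_fin_timeout():
    """Value of the Linux sysctl the post points at, or None elsewhere."""
    try:
        with open("/proc/sys/net/ipv4/tcp_fin_timeout") as f:
            return int(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("ulimit -n (soft, hard):", fd_limits())
    print("open fds:", len(open_fds()), "of which sockets:", count_sockets())
    print("tcp_fin_timeout:", tcp_fin_timeout())
    print("EMFILE reproduced:", provoke_too_many_open_files() == EMFILE)
```

Run it as a script to print the limits and the reproduced error; to inspect a running Tomcat, pass its PID to open_fds() (with permission to read its /proc entry) and watch whether the socket count keeps growing between requests, which is the leak signature the post tells you to look for with lsof.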

Lining up

Postby Warner Losh via Warner's Random Hacking Blog »

Turns out I didn't need to look for exotic formats to solve this problem.

I had physical copies of the disks with 10 sectors per track. Since I couldn't get tar to line up, I posited that there must be missing sectors. Turns out I was missing something, but it wasn't sectors. That turned out to be a dry well.

What's going on is actually a lot simpler. I managed to get Venix installed on my Rainbow (I'll write up how in my next blog post; it's fun to log in to my Rainbow from upstairs while it's down in the basement).

On the Rainbow 100, under both CP/M and MS-DOS there's an interleave of 2, but no per-track offset. This is done by having the logical sectors ride on top of the physical ones. So, if I write logical sectors in the order 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, they get put on the disk in sectors with the labels 1, 6, 2, 7, 3, 8, 4, 9, 5, 10. Why go through this crazy arrangement? For performance. This helps sequential performance. After I read sector 1, I have half a disk rotation (at 300rpm or 5/s that's about 10ms) to queue up the read for sector 2. If I have a slow system, this can help performance a lot, since I don't have to wait for the disk to make a full rotation if I'm not fast enough to set up the transfer for the second sector immediately. This is often impossible on slower systems since the inter-sector gap is maybe 20-40 bytes. 40 bytes transfer at 250kHz; 320 bits at 250kHz is about 100 microseconds. At the 4.8MHz that the Rainbow runs at, this is 5000 instructions. But since there's latency between when the transfer is complete at the controller and when the system interrupts, this can easily leave less than 10 microseconds to respond. On the Rainbow, it takes tens of microseconds to set up the command to read the floppy. Given such a tight time budget, you can get a big gain by requiring only 100ms to get the next sector instead of 200ms.

This is well known and well documented in the Rainbow community. I had to cope with it when I wrote IMPDRIVE back years ago by translating the requested sector so that it would read the proper sector when reading 3.5" floppies which don't do this.

There's another way to get better performance. MS-DOS and CP/M don't do this, but Venix does. If you want to reduce the amount of time you have to wait for sector 1 to spin by the head when stepping from the previous track, you can skew the sectors another way: shift the start of the interleave sequence above to be something like 8, 4, 9, 5, 10, 1, 6, 2, 7, 3. This gives you half a rotation to get the head moved and settled. If sector 1 is right under the head by the time the head is done moving and the host gets its command to the floppy controller, we don't have to wait an average of half a rotation.

So to sort this out, I dd'd one of the disks under Venix onto the disk. tar was able to read it readily there, but couldn't on raw images. So I wrote a program to undo these effects. Once I did that, I was able to read the images with tar.
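As an added example (not Warner's program, and not the Rainbow's or Venix's own driver code), the Python below builds the interleave-2 sequence from the post, applies the Venix-style shift, and converts a raw track image between physical slot order and logical sector order, both per track and across a whole image. It assumes the sequence 1, 6, 2, 7, 3, 8, 4, 9, 5, 10 is the order of sector labels around the physical track and that every track of the image shares one layout; the sample track data is constructed, and the sector size is a parameter.

```python
"""Added example (not Warner's program): Rainbow-style sector interleave,
the Venix shift of that sequence, and conversion of a raw track image
captured in physical order to logical order and back. The sample data
below is constructed; sector size and track count are parameters."""


def interleave_layout(sectors=10, interleave=2):
    """Sector labels in physical order around the track: logical sector 1
    takes the first slot, each following label lands `interleave` slots on,
    skipping slots already taken. For 10 sectors and interleave 2 this gives
    [1, 6, 2, 7, 3, 8, 4, 9, 5, 10], the sequence quoted in the post."""
    layout = [0] * sectors
    pos = 0
    for label in range(1, sectors + 1):
        while layout[pos]:
            pos = (pos + 1) % sectors
        layout[pos] = label
        pos = (pos + interleave) % sectors
    return layout


def skew(layout, shift):
    """Rotate the layout so the track starts `shift` slots into the sequence;
    shift=5 turns the layout above into [8, 4, 9, 5, 10, 1, 6, 2, 7, 3]."""
    return layout[shift:] + layout[:shift]


def to_logical(track, layout, sector_size):
    """Raw track (slot p holds the sector labelled layout[p]) -> bytes in
    logical order 1..n, which is what tar or a filesystem expects."""
    n = len(layout)
    assert len(track) == n * sector_size, "track length does not match layout"
    slots = [track[p * sector_size:(p + 1) * sector_size] for p in range(n)]
    by_label = {label: slots[p] for p, label in enumerate(layout)}
    return b"".join(by_label[i] for i in range(1, n + 1))


def to_physical(logical, layout, sector_size):
    """Inverse of to_logical: place logical sectors into their physical slots."""
    n = len(layout)
    chunks = [logical[i * sector_size:(i + 1) * sector_size] for i in range(n)]
    return b"".join(chunks[label - 1] for label in layout)


def convert_image(image, layout, sector_size, to_logical_order=True):
    """Apply the per-track conversion across a whole disk image. Assumes every
    track uses the same layout (the post shows one shifted sequence; a
    per-track skew would change `layout` on each iteration)."""
    track_len = len(layout) * sector_size
    assert len(image) % track_len == 0, "image is not a whole number of tracks"
    fn = to_logical if to_logical_order else to_physical
    return b"".join(fn(image[i:i + track_len], layout, sector_size)
                    for i in range(0, len(image), track_len))


# Constructed sample: 10 sectors of 4 bytes, each filled with its own label.
SAMPLE_LOGICAL = b"".join(bytes([i]) * 4 for i in range(1, 11))

if __name__ == "__main__":
    venix = skew(interleave_layout(), 5)
    raw = to_physical(SAMPLE_LOGICAL, venix, 4)
    print(venix, to_logical(raw, venix, 4) == SAMPLE_LOGICAL)
```

For a real image, call convert_image with the drive's true sector size and the layout that matches how the image was captured; if tar still cannot line up afterwards, the layout guess (interleave or shift) is wrong, not the data.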

Once I was able to decode the images, I discovered that the floppies I'd read out under DOS using rbimg. icreate.exe is used to read it out, and iwrite.exe can be used to recreate them. These days, this is the gold standard to preserve disks. Well, non-copy protected disks. If you want to preserve the disk in all its glory, use a disk imaging solution like Kryoflux.

How Cybercrooks Put the Beatdown on My Beats

Postby BrianKrebs via Krebs on Security »

Last month Yours Truly got snookered by a too-good-to-be-true online scam in which some dirtball hijacked an Amazon merchant’s account and used it to pimp steeply discounted electronics that he never intended to sell. Amazon refunded my money, and the legitimate seller never did figure out how his account was hacked. But such attacks are becoming more prevalent of late as crooks increasingly turn to online crimeware services that make it a cakewalk to cash out stolen passwords.

The elusive Sonos Play:5
The item at Amazon that drew me to this should-have-known-better bargain was a Sonos wireless speaker that is very pricey and as a consequence has hung on my wish list for quite some time. Then I noticed an established seller with great feedback on Amazon was advertising a “new” model of the same speaker for 32 percent off. So on March 4, I purchased it straight away — paying for it with my credit card via Amazon’s one-click checkout.

A day later I received a nice notice from the seller stating that the item had shipped. Even Amazon’s site seemed to be fooled because for several days Amazon’s package tracking system updated its progress slider bar steadily from left to right.

Suddenly the package seemed to stall, as did any updates about where it was or when it might arrive. This went on for almost a week. On March 10, I received an email from the legitimate owner of the seller’s account stating that his account had been hacked.

Identifying myself as a reporter, I asked the seller to tell me what he knew about how it all went down. He agreed to talk if I left his name out of it.

“Our seller’s account email address was changed,” he wrote. “One night everything was fine and the next morning our seller account had a email address not associated with us. We could not access our account for a week. Fake electronic products were added to our storefront.”

He couldn’t quite explain the fake tracking number claim, but nevertheless the tactic does seem to be part of an overall effort to delay suspicion on the part of the buyer while the crook seeks to maximize the number of scam sales in a short period of time.

“The hacker then indicated they were shipped with fake tracking numbers on both the fake products they added and the products we actually sell,” the seller wrote. “They were only looking to get funds through Amazon. We are working with Amazon to refund all money that was spent buying these false products.”

As these things go, the entire ordeal wasn’t awful — aside maybe from the six days spent in great anticipation of audiophilic nirvana (alas, after my refund I thought better of the purchase and put the item back on my wish list.) But apparently I was in plenty of good (or bad?) company.

The Wall Street Journal notes that in recent weeks “attackers have changed the bank-deposit information on Amazon accounts of active sellers to steal tens of thousands of dollars from each, according to several sellers and advisers. Attackers also have hacked into the Amazon accounts of sellers who haven’t used them recently to post nonexistent merchandise for sale at steep discounts in an attempt to pocket the cash.”

Perhaps fraudsters are becoming more brazen of late with hacked Amazon accounts, but the same scams mentioned above happen every day on plenty of other large merchandising sites. The sad reality is that hacked Amazon seller accounts have been available for years at underground shops for about half the price of a coffee at Starbucks.

The majority of this commerce is made possible by one or two large account credential vendors in the cybercrime underground, and these vendors have been collecting, vetting and reselling hacked account credentials at major e-commerce sites for years.

I have no idea where the thieves got the credentials for the guy whose account was used to fake sell the Sonos speaker. But it’s likely to have been from a site like SLILPP, a crime shop which specializes in selling hacked Amazon accounts. Currently, the site advertises more than 340,000 Amazon account usernames and passwords for sale.

The price is about USD $2.50 per credential pair. Buyers can select accounts by balance, country, associated credit/debit card type, card expiration date and last order date. Account credentials that also include the password to the victim’s associated email inbox can double the price.

The Amazon portion of SLILPP, a long-running fraud shop that at any given time has hundreds of thousands of Amazon account credentials for sale.


If memory serves correctly, SLILPP started off years ago mainly as a PayPal and eBay accounts seller (hence the “PP”). “Slil” is transliterated Russian for “слил,” which in this context may mean “leaked,” “download” or “to steal,” as in password data that has leaked or been stolen in other breaches. SLILPP has vastly expanded his store in the years since: It currently advertises more than 7.1 million credentials for sale from hundreds of popular bank and e-commerce sites.

The site’s proprietor has been at this game so long he probably deserves a story of his own soon, but for now I’ll say only that he seems to do a brisk business buying up credentials being gathered by credential-testing crime crews — cyber thieves who spend a great deal of time harvesting and enriching credentials stolen and/or leaked from major data breaches at social networking and e-commerce providers in recent years.

SLILPP’s main inventory page.
Fraudsters can take a list of credentials stolen from, say, the Myspace.com breach (in which some 427 million credentials were posted online) and see how many of those email address and password pairs from the MySpace accounts also work at hundreds of other bank and e-commerce sites.

Password thieves often then turn to crimeware-as-a-service tools like Sentry MBA, which can vastly simplify the process of checking a list of account credentials at multiple sites. To make blocking their password-checking activities more challenging for retailers and banks, these thieves often try to route the Internet traffic from their password-guessing tools through legions of open Web proxies, hacked PCs or even stolen/carded cloud computing instances.

PASSWORD RE-USE: THE ENGINE OF ALL ONLINE FRAUD

In response, many major retailers are being forced to alert customers when they see known account credential testing activity that results in a successful login (thus suggesting the user’s account credentials were replicated and compromised elsewhere). However, from the customer’s perspective, this is tantamount to the e-commerce provider experiencing a breach even though the user’s penchant for recycling their password across multiple sites is invariably the culprit.
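The credential-testing activity described above is exactly what a retailer's detection logic has to recognise, and the proxies the crews use are there to defeat the obvious per-IP counter. The following Python script is an added example, not code from this article or from any retailer. It runs over a constructed login audit log (the line format, IPs and account names are invented for the example) and shows two detections side by side: a single noisy source, which a per-IP rule catches, and a run that spends one guess per proxy IP across many accounts, which only a site-wide signal (distinct accounts failing per time window) picks up. The account names it returns are the customers who would get the "we saw a suspicious successful login" alert mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed login audit log (invented format and values, not real traffic):
# two ordinary users, one checker hammering many accounts from a single IP,
# and a proxied run that spends exactly one guess per IP on 30 accounts.
_NORMAL = [
    "2017-04-12T13:30:02Z ip=198.51.100.7 user=alice result=fail",
    "2017-04-12T13:30:09Z ip=198.51.100.7 user=alice result=ok",
    "2017-04-12T13:31:15Z ip=198.51.100.9 user=bob result=ok",
]
_SINGLE_IP = [
    f"2017-04-12T13:35:{i:02d}Z ip=203.0.113.5 user=victim{i} "
    f"result={'ok' if i == 7 else 'fail'}"
    for i in range(8)
]
_PROXIED = [
    f"2017-04-12T13:40:{i:02d}Z ip=192.0.2.{i + 1} user=acct{i} "
    f"result={'ok' if i == 3 else 'fail'}"
    for i in range(30)
]
SAMPLE_LOG = "\n".join(_NORMAL + _SINGLE_IP + _PROXIED)

LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_log(text):
    """Return (timestamp, ip, user, success) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group("ip"), m.group("user"), m.group("result") == "ok"))
    return events


def noisy_sources(events, min_users=5, max_success_ratio=0.5):
    """Single-source credential testing: one IP, many distinct usernames, mostly failures."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for _, ip, user, ok in events:
        stats = by_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["ok"] += int(ok)
    return {
        ip: stats for ip, stats in by_ip.items()
        if len(stats["users"]) >= min_users
        and stats["ok"] / stats["attempts"] <= max_success_ratio
    }


def distributed_windows(events, window=timedelta(minutes=1), max_failed_accounts=10):
    """Proxied runs stay under any per-IP limit, so measure the site-wide signal
    instead: how many distinct accounts fail a login inside one time window.
    Returns (window_start, failed_accounts, source_ips) for windows over the limit."""
    size = int(window.total_seconds())
    buckets = defaultdict(lambda: {"accounts": set(), "ips": set()})
    for ts, ip, user, ok in events:
        if ok:
            continue
        key = int(ts.timestamp()) // size
        buckets[key]["accounts"].add(user)
        buckets[key]["ips"].add(ip)
    return [
        (datetime.fromtimestamp(key * size, tz=timezone.utc), len(b["accounts"]), len(b["ips"]))
        for key, b in sorted(buckets.items())
        if len(b["accounts"]) > max_failed_accounts
    ]


def accounts_to_notify(events, window=timedelta(minutes=1)):
    """Accounts whose password evidently worked for the tester: a success from a
    flagged IP, or a success during a flagged window from an IP that account had
    never logged in from before. These are the users to alert and re-credential."""
    size = int(window.total_seconds())
    flagged_ips = set(noisy_sources(events))
    hot = {int(start.timestamp()) // size for start, _, _ in distributed_windows(events, window)}
    seen_ok = set()  # (user, ip) pairs with an earlier successful login
    notify = set()
    for ts, ip, user, ok in sorted(events):
        if ok:
            first_time_from_ip = (user, ip) not in seen_ok
            if ip in flagged_ips or (int(ts.timestamp()) // size in hot and first_time_from_ip):
                notify.add(user)
            seen_ok.add((user, ip))
    return sorted(notify)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("noisy sources:", sorted(noisy_sources(ev)))
    print("distributed windows:", distributed_windows(ev))
    print("notify:", accounts_to_notify(ev))
```

The thresholds are deliberately simple; in production they would be tuned against the site's own baseline of failed logins per minute, and the "new IP for this account" rule needs a longer history than one log file so that ordinary users travelling or changing networks are not flagged.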

There are a multitude of useful security lessons here, some of which bear repeating because their lack of general observance is the cause of most password woes today (aside from the fact that so many places still rely on passwords and stupid things like “secret questions” in the first place). First and foremost: Do not re-use the same password across multiple sites. Secondly, but equally important: Never re-use your email password anywhere else.

Also, with a few exceptions, password length is generally more important than password complexity, and complex passwords are difficult to remember anyway. I prefer to think in terms of “pass phrases,” which are more like sentences or verses that are easy to remember.

If you have difficulty recalling even unique passphrases, a password manager can help you pick and remember strong, unique passwords for each site you interact with, requiring only one strong master password to unlock any of them. Oh, and if the online account in question allows 2-factor authentication, be sure to take advantage of that.

I hope it’s clear that Amazon is just one of the many platforms where fraudsters lurk. SLILPP currently is selling stolen credentials for nearly 500 other banks and e-commerce sites. The full list of merchants targeted by this particularly bustling fraud shop is here (.txt file).

As for the “buyer beware” aspect of this tale, in retrospect there were several warning signs that I either ignored or neglected to assign much weight. For starters, the deal that snookered me was for a luxury product on sale for 32 percent off without much explanation as to why the apparently otherwise pristine item was so steeply discounted.

Also, while the seller had a stellar history of selling products on Amazon for many years (with overwhelmingly positive feedback on virtually all of his transactions) he did not have a history of selling the type of product that thieves tried to sell through his account. The old adage “If something seems too good to be true, it probably is,” ages really well in cyberspace.

Militant capitalist attacked german soccer bus

Postby kris via The Isoblog. »

The bomb attack on the bus of the German soccer club BVB has been solved. The attacker was not an Islamist extremist, as the fake letters found on site suggested. Nor were the perpetrators Neo-Nazis, as the fake letters to two German newspapers claimed. The perpetrator was instead a militant capitalist who tried to influence the BVB stock price after he had purchased 15k put options on BVB stock.

An English-language article with background can be found at the BBC.

It is unclear if German legislation will now call for a ban on radical capitalist education camps in German universities, or what kind of extreme vetting will be instituted in order to handle the problem.

On Parking

Postby kris via The Isoblog. »

Looking at Berlin in the '70s, you can also see how much cities change with more cars: the images here look unreal to anyone used to today's cities.

Kreuzberg in the '70s, on Flickr
There is an older article in The Economist about Parking in Cities, and Zoning rules that require building parking spaces when building new housing.



The impact that parking, that is unused cars, has on the design of public space is quite astonishing. The article illustrates this using the new Apple HQ in Cupertino as an example: a building with 318k sqm of office space and 325k sqm of parking space, as required by local zoning rules.

The situation is complicated, even in cities such as Amsterdam, which do have functioning public transport and are attractive for biking: people still own cars, and want to park them where they live. Permits are still priced too cheaply, for political reasons, and that is changing only slowly (check out neighboring Haarlem for a slightly more aggressive approach to keeping cars out of the historic centre).

But things are slowly improving, the article concludes. More and more cities are realising what they are doing to their urban environment by keeping cars inside, and are modifying regulations.

Understanding sysdig

Postby kris via The Isoblog. »

The open source sysdig is a piece of software that does not quite, but almost, what strace or oprofile do: it instruments the kernel and traces system calls as well as a few other kernel activities.

It does not utilize the ptrace(2) kernel facility, though, but its own interface. This interface picks up data in the kernel and writes it into a ring buffer.

A userspace component extracts this data, interprets, filters and formats it, and then shows it. If the data source outpaces the userspace, the ring buffer overflows and events are lost, but the actual production workload is never slowed down.

So sysdig requires that you add sysdig-probe.ko to your kernel. This component is available in source form and can be built for your kernel just fine.

On the other hand, sysdig only collects data in the kernel, it does not process the data there; instead it moves most of the processing to userland. This is unlike DTrace, which requires an in-kernel special purpose language to do things, and requires a special coding style in order to avoid stalling the production workload. In sysdig, this processing happens off the production path, in userland, and hence is less time-critical.

A long discussion of the design decisions can be seen in a sysdig blog article.

The open source version of sysdig is a single host thing – data is collected on one host and processed there, but it is already container aware.

The really interesting product is the commercial variant of sysdig, though.

Here, all your container hosts are being instrumented and data is collected (with application of filters, of course) on all hosts, centrally collected and stored, and then can be processed and drilled down using a web interface or a command line utility.

The data store parts are standard persistence components that are known to scale nicely: Cassandra, Elasticsearch and MySQL, connected together by Redis queues. You can run all this in your data center with their on-premises solution, or push to the sysdig cloud monitoring solution (not really an option for most European customers, though, and also not for anybody wanting to stay PCI compliant).

The commercial solution is not only a kind of distributed strace, but, like the single host product, is container and orchestrator aware. So you can ask it for all disk writes to all log directories in all MySQL instances related to the wordpress deployment in Kubernetes, and it will find the relevant instances and their data for you and pick these events, no matter where Kubernetes has been scheduling these instances. In fact, the product also knows about LDAP authentication and OpenShift/Kubernetes RBAC authorization, so that developers can view the trace data from their groups' deployments, but not from others.

The commercial solution also transcends system call instrumentation and in fact understands internal event data from other, higher level products. When you are stracing or oprofiling a JVM or a Perl instance, the only data you get is a lot of memcpy(), which is not really useful for debugging. You need execution engine instrumentation to understand what the language is doing, what symbols, objects and function call frames are on the stack and how memory is being used. Integrations for many things exist and are loaded on demand.

So the web GUI allows you to review the topology of a Kubernetes project deployment, how it is being mapped to hosts, zoom in into instances of containers, and then dig into the actual pieces of software running in these containers, and finally dive into individual network packets or calls these things have been making.

It’s pretty awesome, and it takes the grind of finding instances, setting up monitoring, collecting and interpreting data completely away from the developer. They simply have seamless and effort-free visibility to all their things, and only their things.

Sysdig (even the open source variant) also brings a number of nice and innovative concepts to the table. Spans, for example, are a hierarchical set of start/stop markers, which can be easily added to your own code by simply writing structured data to /dev/null: that's a cheap and universally available operation, which nonetheless is clearly visible to sysdig's instrumentation. Sysdig understands spans, and can correlate them with each other (they are hierarchical), with system objects (spans can have IDs and tags) and with other events (spans are called spans because they mark a span of time and space and they contain other system events).
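The /dev/null trick described above, as an added example that is not sysdig's own code and not from the original post: a small Python helper that emits the start/stop markers around a block of code with a single write(2) each, so that nested spans show up as a hierarchy in the trace. The marker layout used here, `[direction]:[id]:[tags]:[args]:` with `>` opening and `<` closing a span and `t` meaning "the current thread", is the tracer syntax as I understand sysdig's documentation; treat it as an assumption and check it against the sysdig version you run. The tag and argument names (`wp.request`, `wp_posts`) are invented.

```python
import os
from contextlib import contextmanager

# Tracer line layout assumed here: "[direction]:[id]:[tags]:[args]:", written
# to /dev/null so that sysdig's kernel probe sees it as an ordinary write(2).
# '>' opens a span, '<' closes it; id "t" means "the current thread"; tags are
# dot-separated and nest; args are comma-separated key=value pairs.


def tracer_marker(direction, tag, args=None, span_id="t"):
    """Build one tracer marker string, refusing input that would break the format."""
    if direction not in (">", "<"):
        raise ValueError("direction must be '>' (open) or '<' (close)")
    if not tag or any(c in tag for c in ":,\n"):
        raise ValueError("tag must be non-empty and free of ':' ',' and newlines")
    pairs = []
    for key, value in (args or {}).items():
        if any(c in f"{key}{value}" for c in ":,=\n"):
            raise ValueError(f"argument {key!r} contains a delimiter")
        pairs.append(f"{key}={value}")
    return f"{direction}:{span_id}:{tag}:{','.join(pairs)}:"


class TracerWriter:
    """Keeps the device open and emits each marker with a single write(2), which
    is what the probe picks up. Also records what was emitted, for inspection.
    Pass path=None to format markers without touching any device."""

    def __init__(self, path="/dev/null"):
        self.fd = os.open(path, os.O_WRONLY) if path else None
        self.emitted = []

    def emit(self, direction, tag, args=None):
        marker = tracer_marker(direction, tag, args)
        if self.fd is not None:
            os.write(self.fd, marker.encode())
        self.emitted.append(marker)
        return marker

    def close(self):
        if self.fd is not None:
            os.close(self.fd)
            self.fd = None


@contextmanager
def span(writer, tag, **args):
    """Wrap a block of code in an open/close marker pair. The close marker is
    emitted from a finally clause so an exception inside the block still ends
    the span instead of leaving it dangling in the trace."""
    writer.emit(">", tag, args)
    try:
        yield
    finally:
        writer.emit("<", tag, args)


def demo(device=None):
    """Emit a request span with a nested database span and return the markers."""
    w = TracerWriter(device)
    with span(w, "wp.request", path="/index.php"):
        with span(w, "wp.request.db", table="wp_posts"):
            pass  # the query would run here
    w.close()
    return w.emitted


if __name__ == "__main__":
    print("\n".join(demo("/dev/null")))
```

Because the markers carry the thread id, sysdig can pair each `<` with the matching `>` even when several threads write interleaved spans, and the dotted tag (`wp.request.db` inside `wp.request`) is what lets the drilldown show the database call as a child of the request.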

A spectrogram plots logarithmically bucketized spans (or calls) every 2 seconds. Slow calls to the right, fast to the left. You can mark an area with the cursor and see the actual calls in the Drilldown.
Drill down is then possible within a span to see what happened inside. So you can span a transaction, request or another event, watch for bad things happening and then after the fact go and dive into the event logs and call stacks of things, watching the stack catch fire and burn down event by event.

Treating event streams as a time series is – within limits – also possible. Lua scripts called chisels can be used to trigger on events in the event stream, and maintain aggregates or format interesting events. Because this happens outside of the kernel and also outside of the production control flow, this is not performance critical for production, and because it is using Lua it is very flexible and easily extensible.

The commercial sysdig product collects and stores data in a Cassandra instance. The web GUI then to some extent treats that data as a kind of primitive time series database.

This is also where the limits of the current product lie: Their understanding of the statistics and math of time series data is limited.

There are no expressions, only single data-source values. You cannot calculate derived values (MySQL disk reads / disk read requests to get a cache ratio, for example) on retrieval; as with Zabbix, you have to do this at collection time.

Also, time series math as it exists in the Graphite/Grafana languages is not possible in sysdig, so it is impossible to plot the current read ratio against last week's read ratio scaled to today's load in the same graph for comparison. Aggregations are always single functions; generating a median (50th percentile), a 99th, a 99.9th and a 100th (max) percentile time series from the raw data at once is not an operation that can be expressed. Averages are used where medians would be more appropriate, and averages of averages are built without consideration of math and meaning at all.

Alerting is hampered by the lack of time series math. What would be needed is proper time series math for model building (“This is the expected, modelled system behavior”), and acceptable deviation corridors around the predicted system behavior should be defined. Alerts should fire when the actual observed behavior deviates from the predicted behavior, but the lack of math makes the modelling impossible, so the alerting is primitive and must lead to many false positives.

So if you see monitoring as a tripartite thing (*1), Debugging, Transactional Monitoring and Data Warehousey Monitoring, sysdig is awesomely advanced in the debugging discipline, and kind of meh’ish okay in the transactional thing. It fails the data warehousey stuff completely due to a lack of functionality on that side.

That said, within these limitations, sysdig is awesome, and makes the debugging part of container deployments a breeze, and adds completely new possibilities and an incredible amount of visibility to working in Kubernetes. The centralized logging and data storage makes a distributed, container-aware strace/oprofile available to developers, and integrates nicely with the access control methods available in the system.

Well worth the investment in added productivity, even if it is not (and can't be) the end-all of monitoring for everyone and all use-cases (but they are working on it).


(*1) Debugging means you interactively define filters, drilldowns and views on the system to observe application behavior. You may be able to define triggers that recognize events where you want to start more capture, collect data in depth and then reconstruct buggy behavior from very in-depth, not necessarily purely numerical, data. Sysdig is the benchmark system for debugging here.

Transactional monitoring is where you define Alert conditions, generate alert events to get a human to handle the incident, have the human handle the incident and close it. Once that has happened, the transaction is done, and the data about the incident can be forgotten. Prometheus is the benchmark transactional monitoring system.

Data-warehousey monitoring builds long term views of system utilization and behavior and tries to model system behavior. It is used for capacity planning and trend analysis, and sometimes delivers baselines for transactional anomaly detection. Many TSDB systems, things like Druid, and, outside of containers, Graphite do this kind of work.


Article written after getting the product demoed, and playing with it in our environment with some test licenses. Not sponsored by sysdig or anybody else.

Bose Connect App creates illegal listening profiles

Postby kris via The Isoblog. »

A class action lawsuit has been filed against Bose, by Kyle Zak, on the grounds of the Bose Connect App for their wireless headphones creating illegal listening profiles, and sharing data with data miners.

1. Defendant Bose manufactures and sells high-end wireless headphones and speakers. To fully operate its wireless products, customers must download Defendant’s “Bose Connect” mobile application from the Apple App or Google Play stores and install it on their smartphones. With Bose Connect, customers can “pair” their smartphones with their Bose wireless products, which allows them to access and control their settings and features.

2. Unbeknownst to its customers, however, Defendant designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties—including a data miner—without its customers’ knowledge or consent.

Affected are all users of the Bose Connect App, that is at minimum users of the QuietComfort 35, SoundSport Wireless, SoundSport Pulse Wireless, QuietControl 30, SoundLink Around-Ear Wireless Headphones II, and SoundLink Color II (“Bose Wireless Products”), but possibly more.

Fun Fact: The German adjective meaning “evil” is “böse”.

A mind is born

Postby kris via The Isoblog. »

Linus Åkesson has been creating a C64 based demo that fits into 256 bytes. Since there is no 256 byte demo compo competition, he submitted it as a 4K entry – and won.

The article shows the 256-byte hexdump of the demo, and discusses structure and code. A video of the execution is provided, too.


Perceptual Ad Highlighter

Postby kris via The Isoblog. »

Perceptual Ad Highlighter is a Chrome Plugin that detects and highlights ads using image/layout recognition on a rendered page/DOM tree.

As the law requires that ad content be marked and visually identifiable as promoted content, the plugin renders the page and then visually analyzes the page layout to detect and mark ads.

The source is available on Github, and a paper describes the technology (PDF).

To turn this into a proper ad-blocker, a dual buffering approach would be necessary, in which the full page is rendered into a hidden buffer, including all ads. The perceptual adblocker would then identify the parts of the page that are content and copy them over into a secondary page that is shown to the user sans advertising. The extension could also simulate user interaction with the hidden page to fool robot detection Javascript.

Native Ad Blocking in Chrome

Postby kris via The Isoblog. »

According to an article in The Verge, Google is rumored to implement native adblocking in Chrome.

The option would be opt-in, and it would remove any and all “unacceptable” ads as defined by Coalition for Better Ads industry group. Those types of ads include pop-up ads, autoplay videos, and what are known as prestitial ads, or those ads that are often fullscreen and show up before you’re taken to the homepage or desired website.

The majority of web users have installed adblockers by now, and adblockers have been increasingly recognized as a malware fighting tool, preventing drive-by exploits by targeted malvertising.

Native ad blocking would be a good way for Google to control the agenda, and to push the Coalition for Better Ads style of advertising: a way for the advertising industry to rein in the wild-west style of user profiling, malvertising, and generally making web browsing a bad experience.

This is definitely a step in the right direction, but too little, too late.


Tracing Spam: Diet Pills from Beltway Bandits

Postby BrianKrebs via Krebs on Security »

Reading junk spam messages isn’t exactly my idea of a good time, but sometimes fun can be had when you take a moment to check who really sent the email. Here’s the simple story of how a recent spam email advertising celebrity “diet pills” was traced back to a Washington, D.C.-area defense contractor that builds tactical communications systems for the U.S. military and intelligence communities.

Your average spam email can contain a great deal of information about the systems used to blast junk email. If you’re lucky, it may even offer insight into the organization that owns the networked resources (computers, mobile devices) which have been hacked for use in sending or relaying junk messages.

Earlier this month, anti-spam activist and expert Ron Guilmette found himself poring over the “headers” for a spam message that set off a curious alert. “Headers” are the usually unseen addressing and routing details that accompany each message. They’re generally unseen because they’re hidden unless you know how and where to look for them.

Let’s take the headers from this particular email — from April 12, 2017 — as an example. To the uninitiated, email headers may seem like an overwhelming dump of information. But there really are only a few things we’re interested in here (Guilmette’s actual email address has been modified to “ronsdomain.example.com” in the otherwise unaltered spam message headers below):

Return-Path: <dan@gtacs.com>
X-Original-To: rfg-myspace@ronsdomain.example.com
Delivered-To: rfg-myspace@ronsdomain.example.com
Received: from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])
by subdomain.ronsdomain.example.com (Postfix) with ESMTP id 5FE083AE87
for <rfg-myspace@ronsdomain.example.com>; Wed, 12 Apr 2017 13:37:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gtacs.com;
s=default; h=MIME-Version:Content-Type:Date:Message-ID:Subject:To:From:
Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:Content-Description:
Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
List-Post:List-Owner:List-Archive;
Received: from [186.226.237.238] (port=41986 helo=[127.0.0.1])
by host.psttsxserver.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4.87)
(envelope-from <dan@gtacs.com>)
id 1cyP1J-0004K8-OR
for rfg-myspace@ronsdomain.example.com; Wed, 12 Apr 2017 16:37:42 -0400
From: dan@gtacs.com
To: rfg-myspace@ronsdomain.example.com
Subject: Discover The Secret How Movies & Pop Stars Are Still In Shape
Message-ID: <F5E99999.A1F67C94585E5E2F@gtacs.com>
X-Priority: 3
Importance: Normal
Date: Wed, 12 Apr 2017 22:37:39 +0200
X-Original-Content-Type: multipart/alternative;
boundary=”–InfrawareEmailBoundaryDepth1_FD5E8CC5–”
MIME-Version: 1.0
X-Mailer: Infraware POLARIS Mobile Mailer v2.5
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – host.psttsxserver.com
X-AntiAbuse: Original Domain – ronsdomain.example.com
X-AntiAbuse: Originator/Caller UID/GID – [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain – gtacs.com
X-Get-Message-Sender-Via: host.psttsxserver.com: authenticated_id: dan@gtacs.com
X-Authenticated-Sender: host.psttsxserver.com: dan@gtacs.com

Celebrities always have to look good and that’s as hard as you might
{… snipped…}

In this case, the return address is dan@gtacs.com. The other bit to notice is the Internet address and domain referenced in the fourth line, after “Received,” which reads: “from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])”

Gtacs.com belongs to the Trace Systems GTACS Team Portal, a Web site explaining that GTACS is part of the Trace Systems Team, which contracts to provide “a full range of tactical communications systems, systems engineering, integration, installation and technical support services to the Department of Defense (DoD), Department of Homeland Security (DHS), and Intelligence Community customers.” The company lists some of its customers here.

The home page of Trace Systems.
Both Gtacs.com and tracesystems.com say the companies “provide Cybersecurity and Intelligence expertise in support of national security interests: “GTACS is a contract vehicle that will be used by a variety of customers within the scope of C3T systems, equipment, services and data,” the company’s site says. The “C3T” part is military speak for “Command, Control, Communications, and Tactical.”

Passive domain name system (DNS) records maintained by Farsight Security for the Internet address listed in the spam headers — 72.52.186.80 — show that gtacs.com was at one time on that same Internet address along with many domains and subdomains associated with Trace Systems.

It is true that some of an email’s header information can be forged. For example, spammers and their tools can falsify the email address in the “from:” line of the message, as well as in the “reply-to:” portion of the missive. But neither appears to have been forged in this particular piece of pharmacy spam.
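The reasoning in the last few paragraphs can be done mechanically. The Python script below is an added example (not the author's or Guilmette's tooling) that parses the header block shown above, walks the Received chain from the originating client to final delivery, and then checks whether the easily forged identities (From, Return-Path) line up with the ones the relay itself asserted: the DKIM signing domain and the account it authenticated. The headers are the ones on this page, trimmed to the lines the parser uses; the header names are standard, and the reading of Exim's "esmtpsa" as "authenticated submission over TLS" is an assumption to verify against the Exim documentation for your version.

```python
import re
from email import message_from_string

# The header block from the spam above, with the recipient already anonymized
# on the page; the long DKIM h= list is trimmed to the part used here.
RAW_HEADERS = """\
Return-Path: <dan@gtacs.com>
X-Original-To: rfg-myspace@ronsdomain.example.com
Delivered-To: rfg-myspace@ronsdomain.example.com
Received: from host.psttsxserver.com (host.tracesystems.com [72.52.186.80])
 by subdomain.ronsdomain.example.com (Postfix) with ESMTP id 5FE083AE87
 for <rfg-myspace@ronsdomain.example.com>; Wed, 12 Apr 2017 13:37:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gtacs.com;
 s=default; h=MIME-Version:Content-Type:Date:Message-ID:Subject:To:From;
Received: from [186.226.237.238] (port=41986 helo=[127.0.0.1])
 by host.psttsxserver.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256)
 (Exim 4.87)
 (envelope-from <dan@gtacs.com>)
 id 1cyP1J-0004K8-OR
 for rfg-myspace@ronsdomain.example.com; Wed, 12 Apr 2017 16:37:42 -0400
From: dan@gtacs.com
To: rfg-myspace@ronsdomain.example.com
Subject: Discover The Secret How Movies & Pop Stars Are Still In Shape
X-Mailer: Infraware POLARIS Mobile Mailer v2.5
X-Authenticated-Sender: host.psttsxserver.com: dan@gtacs.com

"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)")
ENVELOPE_FROM = re.compile(r"envelope-from\s+<?([^\s<>;]+)>?")
DKIM_DOMAIN = re.compile(r"(?:^|;)\s*d=([^;\s]+)")


def _fold(value):
    """Undo RFC 5322 header folding: continuation lines become one line."""
    return re.sub(r"\s+", " ", value or "").strip()


def trace_hops(raw_headers):
    """Return the Received chain oldest-first, one dict per hop.

    Every relay prepends its own Received line, so the topmost header is the
    final delivery and the bottom one is the handoff from the originating
    client. Only the 'by' side of a line was written by a server the recipient
    can trust; the 'from' name is the previous hop's claim, and the address in
    [brackets] is what the receiving server actually saw connecting."""
    msg = message_from_string(raw_headers)
    hops = []
    for raw in msg.get_all("Received", []):
        value = _fold(raw)
        m = HOP.search(value)
        if not m:
            continue
        seen_as = " ".join(p for p in (m.group("helo"), m.group("paren")) if p)
        ip = IPV4.search(seen_as)
        env = ENVELOPE_FROM.search(value)
        hops.append({
            "ip": ip.group(1) if ip else None,
            "helo": m.group("helo"),
            "by": m.group("by"),
            "envelope_from": env.group(1) if env else None,
            # Exim's 'esmtpsa' is read here as: client authenticated, over TLS
            "authenticated": re.search(r"\bwith\s+esmtpsa\b", value, re.I) is not None,
            "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        })
    hops.reverse()
    return hops


def _domain(addr):
    addr = _fold(addr).strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def sender_alignment(raw_headers):
    """Compare the identities anyone can type (From, Return-Path) with the ones
    the relay asserted (DKIM signing domain, authenticated account). When they
    all agree, the headers were not forged: the account behind them was used."""
    msg = message_from_string(raw_headers)
    dkim = DKIM_DOMAIN.search(_fold(msg.get("DKIM-Signature")))
    auth = _fold(msg.get("X-Authenticated-Sender"))
    result = {
        "return_path_domain": _domain(msg.get("Return-Path")),
        "from_domain": _domain(msg.get("From")),
        "dkim_domain": dkim.group(1).lower() if dkim else None,
        "authenticated_as": auth.rsplit(":", 1)[1].strip() if ":" in auth else None,
    }
    result["aligned"] = (
        result["dkim_domain"] is not None
        and result["return_path_domain"] == result["from_domain"] == result["dkim_domain"]
    )
    return result


if __name__ == "__main__":
    for hop in trace_hops(RAW_HEADERS):
        print(f"{str(hop['ip']):>16} -> {hop['by']}  authenticated={hop['authenticated']}")
    print(sender_alignment(RAW_HEADERS))
```

Run against these headers, the oldest hop is the client at 186.226.237.238 logging in to host.psttsxserver.com with an authenticated session and an envelope sender of dan@gtacs.com, and the DKIM domain, Return-Path and From all agree on gtacs.com. That combination is why the forgery explanation does not hold here: the relay signed and authenticated the message itself, so the credentials, not the headers, are what the spammer had.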

The Gtacs.com home page.
I forwarded this spam message back to Dan@gtacs.com, the apparent sender. Receiving no response from Dan after several days, I grew concerned that cybercriminals might be rooting around inside the networks of this defense contractor that does communications for the U.S. military. Clumsy and not terribly bright spammers, but intruders to be sure. So I forwarded the spam message to a Linkedin contact at Trace Systems who does incident response contracting work for the company.

My Linkedin source forwarded the inquiry to a “task lead” at Trace who said he’d been informed gtacs.com wasn’t a Trace Systems domain. Seeking more information in the face of many different facts that support a different conclusion, I escalated the inquiry to Matthew Sodano, a vice president and chief information officer at Trace Systems Inc.

“The domain and site in question is hosted and maintained for us by an outside provider,” Sodano said. “We have alerted them to this issue and they are investigating. The account has been disabled.”

Presumably, the company’s “outside provider” was Power Storm Technologies, the company that apparently owns the servers which sent the unauthorized spam from Dan@gtacs.com. Power Storm did not return messages seeking comment.

According to Guilmette, whoever Dan is or was at Gtacs.com, he got his account compromised by some fairly inept spammers who evidently did not know or didn’t care that they were inside of a U.S. defense contractor which specializes in custom military-grade communications. Instead, the intruders chose to use those systems in a way almost guaranteed to call attention to the compromised account and hacked servers used to forward the junk email.

“Some…contractor who works for a Vienna, Va. based government/military ‘cybersecurity’ contractor company has apparently lost his outbound email credentials (which are probably useful also for remote login) to a spammer who, I believe, based on the available evidence, is most likely located in Romania,” Guilmette wrote in an email to this author.

Guilmette told KrebsOnSecurity that he’s been tracking this particular pill spammer since Sept. 2015. Asked why he’s so certain the same guy is responsible for this and other specific spams, Guilmette shared that the spammer composes his spam messages with the same telltale HTML “signature” in the hyperlink that forms the bulk of the message: An extremely old version of Microsoft Office.

This spammer apparently didn’t mind spamming Web-based discussion lists. For example, he even sent one of his celebrity diet pill scams to a list maintained by the American Registry for Internet Numbers (ARIN), the regional Internet registry for Canada and the United States. ARIN’s list scrubbed the HTML file that the spammer attached to the message. Clicking the included link to view the scrubbed attachment sent to the ARIN list turns up this page. And if you look near the top of that page, you’ll see something that says:

”  … xmlns:m=”http://schemas.microsoft.com/office/2004/12/omml” …”

“Of course, there are a fair number of regular people who are also still using this ancient MS Office to compose emails, but as far as I can tell, this is the only big-time spammer who is using this at the moment,” Guilmette said. “I’ve got dozens and dozens of spams, all from this same guy, stretching back about 18 months.  They all have the same style and all were composed with “/office/2004/12/”.

Guilmette claims that the same spammers who’ve been sending that ancient Office spam from defense contractors also have been spamming from compromised “Internet of Things” devices, like a hacked video conferencing system based in China. Guilmette says the spammer has been known to send out malicious links in email that use malicious JavaScript exploits to snarf credentials stored on the compromised machine, and he guesses that Dan@gtacs.com probably opened one of the booby-trapped JavaScript links.

“When and if he finds any, he uses those stolen credentials to send out yet more spam via the mail server of the ‘legit’ company,” Guilmette said. “And because the spams are now coming out of ‘legit’ mail servers belonging to ‘legit’ companies, they never get blocked, by Spamhaus or by any other blacklists.”

We can only hope that the spammer who pulled this off doesn’t ever realize the probable value of this specific set of login credentials that he has managed to make off with, among many others, Guilmette said.

“If he did realize what he has in his hands, I feel sure that the Russians and/or the Chinese would be more than happy to buy those credentials from him, probably reimbursing him more for those than any amount he could hope to make in years of spamming.”

This isn’t the first time a small email oops may have created a big problem for a Washington-area cybersecurity defense contractor. Last month, Defense Point Security — which provides cyber contracting services to the security operations center for DHS’s Immigration and Customs Enforcement (ICE) division — alerted some 200-300 current and former employees that their W-2 tax information was given away to scammers after an employee fell for a phishing scam that spoofed the boss.

Want to know more about how to find and read email headers? This site has a handy reference showing you how to reveal headers on more than two-dozen different email programs, including Outlook, Yahoo!, Hotmail and Gmail. This primer from HowToGeek.com explains what kinds of information you can find in email headers and what they all mean.
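As an added example that is not part of the original post: the two things you actually do with those headers are walk the Received chain and look for the composer fingerprint Guilmette describes. The Python below does both over a constructed message (hostnames and addresses made up; the only hop worth trusting in real mail is the Received line your own server added, since every line below it was supplied by the sender and can be forged).

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a real spam): two Received hops and a Word-generated
# HTML body. The '/office/2004/12/' fragment is the marker quoted in the article.
SAMPLE_RAW = """Received: from mail.example-isp.net (mail.example-isp.net [198.51.100.7])
    by mx.example.org (Postfix) with ESMTP id 4A1B2C3D
    for <victim@example.org>; Wed, 19 Apr 2017 08:15:02 -0400
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by mail.example-isp.net (Postfix) with ESMTPA id 9F8E7D6C;
    Wed, 19 Apr 2017 08:14:58 -0400
From: "Someone" <someone@example-isp.net>
To: victim@example.org
Subject: Invoice attached
Content-Type: text/html; charset="us-ascii"

<html xmlns:m="http://schemas.microsoft.com/office/2004/12/omml"><body>See attached.</body></html>
"""

RECEIVED_FROM = re.compile(r"^from\s+(?P<helo>\S+)(?:\s*\((?P<paren>[^)]*)\))?", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw):
    """Received hops oldest-first as (HELO name, IP the receiving server recorded, timestamp).

    Each relay prepends its own Received line, so header order is newest-first;
    reversing it gives the path the message claims to have taken."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())                 # unfold continuation lines
        m = RECEIVED_FROM.match(flat)
        helo = m.group("helo") if m else None
        paren = (m.group("paren") or "") if m else ""
        ip_m = IPV4.search(paren) or IPV4.search(helo or "")
        ts = None
        if ";" in flat:                              # the date follows the last ';'
            try:
                ts = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append((helo, ip_m.group(1) if ip_m else None, ts))
    hops.reverse()
    return hops


def originating_ip(raw):
    """IP recorded by the oldest hop. A lead to confirm against the line your own
    MX wrote, not proof: lower Received lines are sender-supplied and forgeable."""
    chain = received_chain(raw)
    return chain[0][1] if chain else None


def has_office_2004_12_marker(raw):
    """True if any text/html part carries the '/office/2004/12/' namespace
    fragment the article singles out as this spammer's composer fingerprint."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            if b"/office/2004/12/" in body:
                return True
    return False
```

Feed it the raw source of a message ("show original" in most clients) and compare the hop your server recorded with what the chain below it claims.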

Meaningless Content

Postby kris via The Isoblog. »

This blog has been officially classified as “Meaningless content”
This screenshot was made by somebody else and shared with me. My employer does not use such content filters, and that is a good thing™.

Still, since 2014 I have been completely separating private and work hardware. There is no work stuff on my private phone any more, and it is not using the corporate Wifi.

I have no private stuff on my work computer any more, and no work stuff on my private computer. The blog is handled from the private machine, as is all private web browsing.

I have a VNC session in an ssh tunnel to my home computer from work, for private stuff that happens during work time.

Keeping things separated, hard, helps a lot to keep things clear.

You keep using that word…

Postby kris via The Isoblog. »

Traditionally, networked storage uses its own storage network with its own storage networking technology. You have two completely different networks: the production IP network for Internet access, and the storage network, for example FC-AL, using different cables, switches and network cards and maintaining two different topologies.

Convergence using technologies such as iSCSI means that storage and the production IP network both run on the same technology, using the same switches, cards and protocols. The two networks may still be separated to some degree, because data is kept on filers, and filers generate replication traffic for redundancy which may be kept off the production IP network.

Hyperconverged systems use the disks in your servers to construct distributed storage using things such as GlusterFS, Ceph, HDFS, Quobyte or other services. In this case your production IP network is also carrying a lot of replication traffic, and unlike with traditional IP networks the predominant traffic pattern is not from the server to teh Interwebz (North-South), but from a server to disks in other servers, crossing top of rack switches (East-West). It requires a different kind of data center fabric.

Nothing of this is in any way special to healthcare, nor revolutionary.

Passwords in the Bug Reports (Owncloud/Nextcloud)

Postby Hanno Böck via Hanno's blog »

A while ago I wanted to report a bug in one of Nextcloud's apps. They use the Github issue tracker, after creating a new issue I was welcomed with a long list of things they wanted to know about my installation. I filled the info to the best of my knowledge, until I was asked for this:

The content of config/config.php:

Which made me stop and wonder: The config file probably contains sensitive information like passwords. I quickly checked, and yes it does. It depends on the configuration of your Nextcloud installation, but in many cases the configuration contains variables for the database password (dbpassword), the smtp mail server password (mail_smtppassword) or both. Combined with other information from the config file (e. g. it also contains the smtp hostname) this could be very valuable information for an attacker.

A few lines later the bug reporting template has a warning (“Without the database password, passwordsalt and secret”), though this is incomplete, as it doesn't mention the smtp password. It also provides an alternative way of getting the content of the config file via the command line.

However... you know, this is the Internet. People don't read the fine print. If you ask them to paste the content of their config file they might just do it.

Users' passwords publicly accessible

The issues on github are all public and the URLs are of a very simple form and numbered (e. g. https://github.com/nextcloud/calendar/issues/[number]), so downloading all issues from a project is trivial. Thus with a quick check I could confirm that some users indeed posted real looking passwords to the bug tracker.

Nextcloud is a fork of Owncloud, so I checked that as well. The bug reporting template contained exactly the same words, probably Nextcloud just copied it over when they forked. So I reported the issue to both Owncloud and Nextcloud via their HackerOne bug bounty programs. That was in January.

I proposed that both projects should go through their past bug reports and remove everything that looks like a password or another sensitive value. I also said that I think asking for the content of the configuration file is inherently dangerous and should be avoided. To allow users to share configuration options in a safe way I proposed to offer an option similar to the command line tool (which may not be available or usable for all users) in the web interface.
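What such a scrubbed export could look like, as an added example that is neither Nextcloud's, Owncloud's nor the author's code: a small Python filter over the `'key' => 'value',` lines of config.php that blanks the values of secret-bearing keys before the file is pasted anywhere, plus a check that flags a pasted config which still carries them. The four named keys are the ones the template warns about plus the SMTP password it omits; treating any other key whose name contains "password", "secret", "salt" or "token" as sensitive is this example's own assumption, and the sample config is constructed, not from a real installation.

```python
import re

# Keys the Nextcloud template itself names (dbpassword, passwordsalt, secret)
# plus the SMTP password it forgets to mention.
EXPLICIT_SECRET_KEYS = {"dbpassword", "passwordsalt", "secret", "mail_smtppassword"}
# Assumption of this example: any other key with one of these fragments in its
# name is treated as secret too, to catch keys added by apps.
SECRET_FRAGMENTS = ("password", "passwd", "secret", "salt", "token", "apikey")

PLACEHOLDER = "***REDACTED***"

# One scalar config line:   'key' => 'value',   (single or double quotes).
# Nested arrays such as trusted_domains are passed through untouched.
CONFIG_LINE = re.compile(
    r"""^(?P<indent>\s*)(?P<q>['"])(?P<key>[^'"]+)(?P=q)\s*=>\s*"""
    r"""(?P<vq>['"])(?P<value>(?:\\.|(?!(?P=vq)).)*)(?P=vq)(?P<rest>\s*,?\s*)$"""
)


def is_secret_key(key):
    k = key.lower()
    return k in EXPLICIT_SECRET_KEYS or any(f in k for f in SECRET_FRAGMENTS)


def scrub_config(text):
    """Return the config with every secret-bearing scalar value replaced."""
    out = []
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if m and is_secret_key(m.group("key")):
            line = (m.group("indent") + m.group("q") + m.group("key") + m.group("q")
                    + " => " + m.group("vq") + PLACEHOLDER + m.group("vq") + m.group("rest"))
        out.append(line)
    return "\n".join(out) + "\n"


def find_leaked_secrets(text):
    """Keys in a pasted config whose secret value was *not* scrubbed; run this
    over a bug report before (or after) it goes public."""
    leaked = []
    for line in text.splitlines():
        m = CONFIG_LINE.match(line)
        if m and is_secret_key(m.group("key")) and m.group("value") not in ("", PLACEHOLDER):
            leaked.append(m.group("key"))
    return leaked


# Constructed sample config.php; the values are made up.
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'oc1234567890',
  'passwordsalt' => 'GzKj3Q5nX1b7Yw9pLm2Rq8TvH4cF6dE0aS',
  'secret' => 'Jf9kL2mN8pQ4rS6tU0vW1xY3zA5bC7dE9gH1iK3lM5nO7pQ9r',
  'trusted_domains' =>
  array (
    0 => 'cloud.example.org',
  ),
  'dbtype' => 'mysql',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'hunter2',
  'mail_smtphost' => 'smtp.example.org',
  'mail_smtppassword' => 'mail-secret-42',
);
"""
```

Running `find_leaked_secrets` over the unscrubbed sample reports the four secret keys; over the output of `scrub_config` it reports nothing, while non-secret settings such as dbhost stay readable for whoever triages the bug.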

The reaction wasn't overwhelming. Apart from confirming that both projects acknowledged the problem nothing happened for quite a while. During FOSDEM I reached out to members of both projects and discussed the issue in person. Shortly after that I announced that I intended to disclose this issue three months after the initial report.

Disclosure deadline was nearing with passwords still public

The deadline was nearing and I didn't receive any report on any actions being taken by Owncloud or Nextcloud. I sent out this tweet which received quite some attention (and I'm sorry that some people got worried about a vulnerability in Owncloud/Nextcloud itself, I got a couple of questions):

In all fairness to Nextcloud, they had actually started scrubbing data from the existing bug reports, they just hadn't informed me. After the tweet Nextcloud gave me an update and Owncloud asked for a one week extension of the disclosure deadline which I agreed to.

The outcome by now isn't ideal. Both projects have scrubbed all obvious passwords from existing bug reports, although I still find values where it's not entirely clear whether they are replacement values or just very bad passwords (e. g. things like “123456”, but you might argue that people using such passwords have other problems).

Nextcloud has changed the wording of the bug reporting template. The new template still asks for the config file, but it mentions the safer command line option first and has the warning closer to the mentioning of the config. This is still far from ideal and I wouldn't be surprised if people continue pasting their passwords. However Nextcloud developers have indicated in the HackerOne discussion that they might pick up my idea of offering a GUI version to export a scrubbed config file. Owncloud has changed nothing yet.

If you have reported bugs to Owncloud or Nextcloud in the past and are unsure whether you may have pasted your password it's probably best to change it. Even if it's been removed now it may still be available within search engine caches or it might have already been recorded by an attacker.

node.js idea of an inode is approximately broken

Postby kris via The Isoblog. »

The Tweet points to the bug report.

After the facepalming there is still a lot to say about that.

About the bug: There is a system call stat(2) in POSIX, which returns a struct stat as a result. Part of that data structure is a field st_ino, which contains the inode number of that file. Together with the device number in st_dev, that number uniquely identifies the file; on 64-bit systems it is a 64-bit value.

Javascript does not have an integer type that can represent that number, so node.js has been lossily converting it to a double, which holds only 53 bits of integer precision. So on file systems that use the upper bits of the inode number, up to 2048 different files get munged together into one value, which is extremely bad.

Possible solutions are obvious: Use a string or use two 32-bit numbers to hold full precision values.
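As an added illustration (not from the post and not node.js code), the loss in Python, whose float is the same IEEE-754 double a Javascript number is, next to the two lossless representations the post suggests:

```python
def to_js_number(ino):
    """The lossy step: a 64-bit inode pushed through an IEEE-754 double,
    which is all a Javascript number is (Python's float is the same type)."""
    return float(ino)


def inodes_per_double(ino):
    """How many consecutive integers near ino land on one double. Doubles in
    [2**(k-1), 2**k) are 2**(k-53) apart, so once k > 53 whole runs of inode
    numbers collapse; at k == 64 the run is 2048 long, the figure the post cites."""
    k = ino.bit_length()
    return 2 ** (k - 53) if k > 53 else 1


def distinct_doubles(base, n):
    """Distinct doubles produced by n consecutive inode numbers starting at base."""
    return len({to_js_number(base + i) for i in range(n)})


def same_file_by_double(a, b):
    """What a comparison of two float st_ino values concludes: True for
    different files whenever they share a double."""
    return to_js_number(a) == to_js_number(b)


def split32(ino):
    """Lossless alternative 1: two 32-bit halves, each exactly representable."""
    return (ino >> 32) & 0xFFFFFFFF, ino & 0xFFFFFFFF


def join32(hi, lo):
    return (hi << 32) | lo


def as_string(ino):
    """Lossless alternative 2: a decimal string, compared as a string."""
    return str(ino)
```

The inode numbers in the test are synthetic values with the top bit set, standing in for a file system that uses the full 64 bits.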

About Javascript: Javascript is a language used in browsers, and changing the specs of Javascript is incredibly hard. Basically, you have to get everybody to update their browsers in order to actually make progress.

There are things that do crypto with Javascript as a target language, and there are compilers from proper programming languages to portable Javascript as a target. But still, Javascript itself is poisonous, and while that take on the language is humorous, this is a serious problem.

About culture: So we are getting a generation of developers now who have grown up without hardware or state. They learned programming on AWS and take RDS for granted, which means they have never actually seen hard(-ware related) problems.

They also learned programming with the Javascript framework of the week, and think that real software can be written this way. The result is not only the mess that is npm, but also attempts at systems programming resulting in constructs such as this.

I cannot for the life of me stand the coddling approach to teaching of Julia Evans (check out her writeups at her blog), but apparently what she does and how she does it is necessary and appropriate for people growing up in a programming environment like this. Well, I’m ok with that if it prevents mindsets and bugs like the one above.

InterContinental Hotel Chain Breach Expands

Postby BrianKrebs via Krebs on Security »

In December 2016, KrebsOnSecurity broke the news that fraud experts at various banks were seeing a pattern suggesting a widespread credit card breach across some 5,000 hotels worldwide owned by InterContinental Hotels Group (IHG). In February, IHG acknowledged a breach but said it appeared to involve only a dozen properties. Now, IHG has released data showing that cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data.

An Intercontinental hotel in New York City.
Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza.

According to a statement released by IHG, the investigation “identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016.”

IHG didn’t say how many properties total were affected, although it has published a state-by-state lookup tool available here. I counted 28 in my hometown state of Virginia alone, California more than double that; Alabama almost the same number as Virginia. So north of 1,000 locations nationwide seems very likely.

Update, April 19, 11:09 a.m. ET: Danish geek Christian Sonne writes that his research on the state lookup tool shows there are at least 1,175 properties on the list so far. The breakdown so far is: 1,175 properties across the USA and Puerto Rico in the following brands, Holiday Inn Express (781), Holiday Inn (176), Candlewood Suites (120), Staybridge Suites (54), Crowne Plaza (30), Hotel Indigo (11), Holiday Inn Resort (3).

Original story:

IHG has been offering its franchised properties a free examination by an outside computer forensic team hired to look for signs of the same malware infestation known to have hit front desk systems at other properties. But not all property owners have been anxious to take the company up on that offer. As a consequence, there may be more breached hotel locations yet to be added to the state lookup tool.

A letter from IHG to franchise customers, offering to pay for the cyber forensics examination.
IHG franchisees that accepted the security inspections were told they would receive a consolidated report sharing information specific to the property, and that “your acquiring bank and/or processor may contact you regarding this investigation.”

IHG also has been trying to steer franchised properties toward adopting its “secure payment solution” (SPS) that ensures cardholder data remains encrypted at all times and at every “hop” across the electronic transaction. According to IHG, properties that used its solution prior to the initial intrusion on Sept. 29, 2016 were not affected.

“Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data,” IHG wrote.

Card-stealing cyber thieves have broken into some of the largest hotel chains over the past few years. Hotel brands that have acknowledged card breaches over the last year after prompting by KrebsOnSecurity include Kimpton Hotels, Trump Hotels (twice), Hilton, Mandarin Oriental, and White Lodging (twice). Card breaches also have hit hospitality chains Starwood Hotels and Hyatt.

In many of those incidents, thieves planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malicious code usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell that data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to purchase high-priced electronics and gift cards from big-box stores like Target and Best Buy.

It’s a good bet that none of the above-mentioned companies were running point-to-point encryption (P2PE) solutions before they started hemorrhaging customer credit cards. P2PE is an added cost for sure, but it can protect customer card data even on point-of-sale systems that are already compromised: the card reader encrypts the track data before it reaches the register, so memory-scraping malware on the register sees only ciphertext it cannot use.
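To make concrete why P2PE defeats this class of malware, here is an added example (not from the article and not any vendor's code): the Track 2 pattern match and Luhn check a RAM scraper relies on, written in Python and run over a constructed plaintext register buffer and over a constructed blob standing in for what a P2PE reader hands the register. The card numbers are the usual test numbers, not real accounts.

```python
import re

# Track 2 layout: ';' PAN '=' YYMM service-code/discretionary data '?'.
# This is the same match a RAM scraper makes on register memory.
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>\d{0,20})\?")


def luhn_ok(pan):
    """Luhn check-digit test; scrapers use it to drop false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """First six and last four digits, as a report would show them."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf):
    """Masked PANs of Luhn-valid Track 2 records found in a memory buffer."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group("pan").decode("ascii")
        if luhn_ok(pan):
            hits.append(mask(pan))
    return hits


# Constructed register memory with swipes in the clear (test card numbers).
PLAINTEXT_POS_MEMORY = (
    b"\x00\x00TXN 0042 ;4111111111111111=25121011234567890?\x00\x00"
    b"junk ;1234567890123456=2501101?\x00\x00"      # fails Luhn: skipped
    b";5500000000000004=2403201?\x00"
)

# Constructed stand-in for a P2PE reader's output: opaque bytes with no track
# structure (not real ciphertext, just what the scraper would be looking at).
P2PE_POS_MEMORY = bytes.fromhex(
    "8f2ac1d4e7ffb39a0c5b6e1df23a4b5c9d7e8fa0b1c2d3e4f5061728394a5b6c"
    "7d8e9fa0b1c2d3e4f50617283940a1b2c3d4e5f6071829304a5b6c7d8e9fa0b1"
)
```

The same scan doubles as a detection check: run against a register's process memory or a captured dump, any hit on a system that is supposed to be P2PE-only means track data is reaching the host in the clear.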

Readers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the unauthorized transactions. There is no substitute for keeping a close eye on your card statements. Also, consider using credit cards instead of debit cards; having your checking account emptied of cash while your bank sorts out the situation can be a hassle and lead to secondary problems (bounced checks, for instance).

Not lining up

Postby Warner Losh via Warner's Random Hacking Blog »

Close, but not quite

So, it looks like I'm getting closer. I read the disks with the 'physical' read option, which did sector skewing. Now that I've looked at them, I think that was a mistake. It looks like they are meant to be read in a logical mode, so I'm redoing a few to analyze again.

So I wrote a program to try to sort that out. It did work, but not quite. It got things almost right, but over-shot the mark when it came to getting the second or third file from the tar ball. It looked for all the world like there were missing sectors or something.

On a lark, I decided to try to read 11 sectors instead of 10 that RX-50's are usually formatted at. And I was able to read all 11, and the data for the 11th doesn't seem to match anything else. But we still have a mismatch, and I'm trying to chase that down. Well, 11th sector for tracks 2 and larger. So, I need to try to figure out why I'm not seeing extra data between the files.

So it looks like I'll have to do this again to get all the bits.... I think I need to puzzle this out with some friendly files that have text (include files) in them. Maybe there's 12 sectors, though that would be unprecedented for these drives. You can do 800k like the RX-50, and also 880k for the Amiga, but I don't think you could fit much more than that on a track, but who knows, maybe there is 12 sectors and I'm messing up.

Then again maybe I should just wait for the Kryoflux to show up so I can image the entire disk, including the boot disk.

Peering into the Venix Disks with read errors

Postby Warner Losh via Warner's Random Hacking Blog »

As you may recall from last time, I had 5 errors on two disks I'm trying to read for the Rainbow Venix Floppy project.

The specific errors were on two disks. 76/3, 77/7 and 78/5 on the "User 3" disk and 78/5 and 79/5 on "User 2". The program I was using to read the disks didn't report the kind of error, so I'll have to augment it to do so.

This is very concerning to me, so I thought I'd take a closer look at what's on the disks. It appears that the disks are much simpler than I'd thought. The first two tracks (10k) are nothing at all. Then we have what appears to be a TAR file after that. So, it looks like, worst case, we have at most 5 files that are corrupted, and more likely only a couple. The distance on User 2 is only 5k, while the distance on User 3 is 11k. There's a good chance that there will just be one file that's affected.

If I wanted to try to extract these disks, there's another wrinkle. I thought a simple dd to remove the first 10k would do the trick. However, there's a snag. I read these in the physical mode. The RX-50s, at least as used on the Rainbow, have a sector interleaving starting with track 2. The actual sectors are labeled as 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 on the disk (that's the order I read them out in). However, it appears that these sectors correspond to 1, 6, 2, 7, 3, 8, 4, 9, 5, 10, so I'll have to write a stupid filter to de-interlace them. Otherwise TAR throws all kinds of fits.

Unix v7 Tar files, btw, have fixed 512-byte headers. Wasteful, to be sure, but great for data recovery. A quick grep from hexdump shows what's on the 'User 1' disk:

00001400  2f 75 73 72 2f 61 64 6d  2f 00 00 00 00 00 00 00  |/usr/adm/.......|
00001800  2f 75 73 72 2f 62 69 6e  2f 00 00 00 00 00 00 00  |/usr/bin/.......|
00001c00  2f 75 73 72 2f 62 69 6e  2f 61 64 62 00 00 00 00  |/usr/bin/adb....|
00009200  2f 75 73 72 2f 62 69 6e  2f 72 61 6e 6c 69 62 00  |/usr/bin/ranlib.|
0000c600  2f 75 73 72 2f 62 69 6e  2f 63 61 6c 00 00 00 00  |/usr/bin/cal....|
0000e000  2f 75 73 72 2f 62 69 6e  2f 61 63 00 00 00 00 00  |/usr/bin/ac.....|
00010800  2f 75 73 72 2f 62 69 6e  2f 62 63 00 00 00 00 00  |/usr/bin/bc.....|
00011400  2f 75 73 72 2f 62 69 6e  2f 64 6f 73 63 6f 70 79  |/usr/bin/doscopy|
00014400  2f 75 73 72 2f 62 69 6e  2f 63 62 00 00 00 00 00  |/usr/bin/cb.....|
00014600  2f 75 73 72 2f 62 69 6e  2f 64 63 00 64 63 00 2d  |/usr/bin/dc.dc.-|
00015000  2f 75 73 72 2f 62 69 6e  2f 63 61 6c 65 6e 64 61  |/usr/bin/calenda|
00016c00  2f 75 73 72 2f 62 69 6e  2f 63 6f 6c 00 00 00 00  |/usr/bin/col....|
0001a200  2f 75 73 72 2f 62 69 6e  2f 64 6f 73 00 00 00 00  |/usr/bin/dos....|
00020400  2f 75 73 72 2f 62 69 6e  2f 64 65 72 6f 66 66 00  |/usr/bin/deroff.|
00021e00  2f 75 73 72 2f 62 69 6e  2f 65 67 72 65 70 00 00  |/usr/bin/egrep..|
00026a00  2f 75 73 72 2f 62 69 6e  2f 66 67 72 65 70 00 00  |/usr/bin/fgrep..|
00027a00  2f 75 73 72 2f 62 69 6e  2f 67 72 61 70 68 00 00  |/usr/bin/graph..|
0002be00  2f 75 73 72 2f 62 69 6e  2f 69 70 6c 6f 74 00 00  |/usr/bin/iplot..|
00031a00  2f 75 73 72 2f 62 69 6e  2f 6c 65 78 00 00 00 00  |/usr/bin/lex....|
00039e00  2f 75 73 72 2f 62 69 6e  2f 73 70 6c 69 6e 65 00  |/usr/bin/spline.|
0003c400  2f 75 73 72 2f 62 69 6e  2f 6c 70 73 74 6f 70 00  |/usr/bin/lpstop.|
0003f800  2f 75 73 72 2f 62 69 6e  2f 6d 34 00 00 00 00 00  |/usr/bin/m4.....|
00042a00  2f 75 73 72 2f 62 69 6e  2f 6e 65 71 6e 00 00 00  |/usr/bin/neqn...|
0004a600  2f 75 73 72 2f 62 69 6e  2f 6e 72 6f 66 66 00 00  |/usr/bin/nroff..|
00054600  2f 75 73 72 2f 62 69 6e  2f 73 70 65 6c 6c 00 00  |/usr/bin/spell..|
00054c00  2f 75 73 72 2f 6c 69 62  2f 74 6d 61 63 2f 74 6d  |/usr/lib/tmac/tm|
00055600  2f 75 73 72 2f 62 69 6e  2f 79 61 63 63 00 00 00  |/usr/bin/yacc...|
so there's lex, yacc, and several familiar filters. Transferring from the Rainbow is being super slow since I'm sending them via old-reliable KERMIT, so I've only looked at the first file.
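Added example, not Warner's code: a Python de-interleave filter for the sector order described above, plus the 512-byte tar header walk that tells you whether the order came out right (the walk stops at the first header whose checksum fails, which is exactly what a wrong sector order produces). The direction of the post's 1, 6, 2, 7, ... table is an assumption here (physical slot i holds logical sector table[i-1]); invert() gives the other reading. Sectors per track is a parameter because the "Not lining up" post above found an 11th sector on tracks 2 and up. The test disk is constructed in memory with Python's tarfile module; ustar headers share the v7 name, size and checksum layout that the walk reads.

```python
import io
import tarfile

SECTOR = 512
SECTORS_PER_TRACK = 10        # as read in this post; a later post found an 11th
TRACK_BYTES = SECTOR * SECTORS_PER_TRACK
FIRST_SKEWED_TRACK = 2        # tracks 0 and 1 come off the drive in order

# Assumed reading of the post's table: physical slot i (1-based, the order the
# sectors are read) holds logical sector PHYS_HOLDS[i-1]. If the tar headers
# still do not line up, pass invert(PHYS_HOLDS) to deinterleave() instead.
PHYS_HOLDS = [1, 6, 2, 7, 3, 8, 4, 9, 5, 10]


def invert(table):
    """Inverse permutation with 1-based values, so invert(invert(t)) == t."""
    inv = [0] * len(table)
    for phys, logical in enumerate(table, start=1):
        inv[logical - 1] = phys
    return inv


def deinterleave_track(track, phys_holds):
    logical = [None] * len(phys_holds)
    for idx, logical_no in enumerate(phys_holds):
        logical[logical_no - 1] = track[idx * SECTOR:(idx + 1) * SECTOR]
    return b"".join(logical)


def deinterleave(image, phys_holds=PHYS_HOLDS, first_track=FIRST_SKEWED_TRACK):
    """Rebuild logical sector order from a physical-order image, track by track."""
    out = []
    for t in range(0, len(image), TRACK_BYTES):
        track = image[t:t + TRACK_BYTES]
        if t // TRACK_BYTES >= first_track and len(track) == TRACK_BYTES:
            track = deinterleave_track(track, phys_holds)
        out.append(track)
    return b"".join(out)


def interleave(image, phys_holds=PHYS_HOLDS, first_track=FIRST_SKEWED_TRACK):
    """Exact inverse of deinterleave(); used here only to build the test image."""
    return deinterleave(image, invert(phys_holds), first_track)


def header_checksum_ok(hdr):
    """v7 tar checksum: sum of the 512 header bytes with the chksum field as spaces."""
    stored = hdr[148:156].split(b"\0", 1)[0].strip()
    try:
        expected = int(stored, 8)
    except ValueError:
        return False
    return expected == sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])


def tar_entries(blob, start=2 * TRACK_BYTES):
    """Walk tar headers from `start` (after the two empty tracks), skipping each
    file's data by its octal size. Returns (offset, name, size) per entry and
    stops at the first block that is not a valid header."""
    entries, off = [], start
    while off + SECTOR <= len(blob):
        hdr = blob[off:off + SECTOR]
        if hdr == b"\0" * SECTOR or not header_checksum_ok(hdr):
            break
        name = hdr[:100].split(b"\0", 1)[0].decode("ascii", "replace")
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        entries.append((off, name, size))
        off += SECTOR + -(-size // SECTOR) * SECTOR    # data rounded up to blocks
    return entries


def build_sample_image():
    """Constructed test disk: two empty tracks, a small tar, then interleaved the
    way the drive hands it back. Returns (physical image, logical image)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in (("usr/bin/", None),
                           ("usr/bin/cal", b"#!/bin/sh\necho cal\n" * 200),
                           ("usr/bin/lex", b"lex binary\n" * 300)):
            ti = tarfile.TarInfo(name)
            if data is None:
                ti.type = tarfile.DIRTYPE
                tf.addfile(ti)
            else:
                ti.size = len(data)
                tf.addfile(ti, io.BytesIO(data))
    logical = b"\0" * (2 * TRACK_BYTES) + buf.getvalue()
    logical += b"\0" * (-len(logical) % TRACK_BYTES)
    return interleave(logical), logical
```

On a real image, read the file with open(path, "rb"), run tar_entries(deinterleave(image)) and check that the names line up with the hexdump above; a walk that dies after the first header or two is the sign the permutation (or the sector count) is wrong.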

All in all, I'd say this is encouraging news. I'll transfer the other disks and see what's missing to see if it is worth trying to delve further into the missing bits or not. If nothing else, it means we can use whatever data we can for those 5 sectors and the reduced functionality may be almost nothing. And there's a chance we can get a second copy of the affected files from the boot disk or something.

imageworsener: divide-by-zero in iwgif_record_pixel (imagew-gif.c)

Postby ago via agostino's blog »

Description:
imageworsener is a utility for image scaling and processing.

A fuzz on it discovered a divide-by-zero.

The complete ASan output:

# imagew $FILE /tmp/out -outfmt bmp
==20305==ERROR: AddressSanitizer: FPE on unknown address 0x7f8e57340cd6 (pc 0x7f8e57340cd6 bp 0x7ffc0fee8910 sp 0x7ffc0fee87e0 T0)
    #0 0x7f8e57340cd5 in iwgif_record_pixel /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:213:13
    #1 0x7f8e57340cd5 in lzw_emit_code /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:312
    #2 0x7f8e57339a94 in lzw_process_code /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:376:3
    #3 0x7f8e57339a94 in lzw_process_bytes /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:433
    #4 0x7f8e57339a94 in iwgif_read_image /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:669
    #5 0x7f8e57339a94 in iwgif_read_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:724
    #6 0x7f8e5732fb71 in iw_read_gif_file /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:773:6
    #7 0x7f8e572e9091 in iw_read_file_by_fmt /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-allfmts.c:61:12
    #8 0x519304 in iwcmd_run /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:1191:6
    #9 0x515326 in iwcmd_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3018:7
    #10 0x515326 in main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3067
    #11 0x7f8e562f078f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #12 0x41b028 in _init (/usr/bin/imagew+0x41b028)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:213:13 in iwgif_record_pixel
==20305==ABORTING

Affected version:
1.3.0

Fixed version:
N/A

Commit fix:
https://github.com/jsummers/imageworsener/commit/ca3356eb49fee03e2eaf6b6aff826988c1122d93

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7962

Reproducer:
https://github.com/asarubbo/poc/blob/master/00270-imageworsener-FPE-iwgif_record_pixel

Timeline:
2017-04-12: bug discovered and reported to upstream
2017-04-14: upstream released a patch
2017-04-17: blog post about the issue
2017-04-19: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


libcroco: heap overflow and undefined behavior

Postby ago via agostino's blog »

Description:
libcroco is a Generic Cascading Style Sheet (CSS) parsing and manipulation toolkit.

A fuzz on it discovered a heap overflow and an undefined behavior.

The complete ASan output:

# csslint-0.6 $FILE
==9246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000007a at pc 0x7f3771a05074 bp 0x7fff426076a0 sp 0x7fff42607698
READ of size 1 at 0x60400000007a thread T0
    #0 0x7f3771a05073 in cr_input_read_byte /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19
    #1 0x7f3771a3c0ba in cr_tknzr_parse_rgb /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1295:17
    #2 0x7f3771a3c0ba in cr_tknzr_get_next_token /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:2127
    #3 0x7f3771ab6688 in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1179:18
    #4 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34
    #5 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34
    #6 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34
    #7 0x7f3771ab9579 in cr_parser_parse_block_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1005:26
    #8 0x7f3771a8882a in cr_parser_parse_atrule_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:798:26
    #9 0x7f3771ab0644 in cr_parser_parse_stylesheet /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c
    #10 0x7f3771a8131e in cr_parser_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:4381:26
    #11 0x7f3771a804f1 in cr_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2993:18
    #12 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18
    #13 0x51506f in cssom_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18
    #14 0x51506f in main /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997
    #15 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #16 0x41a9b8 in _init (/usr/bin/csslint-0.6+0x41a9b8)

0x60400000007a is located 0 bytes to the right of 42-byte region [0x604000000050,0x60400000007a)
allocated by thread T0 here:
    #0 0x4da285 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f377168a1a0 in g_malloc0 /tmp/portage/dev-libs/glib-2.48.2/work/glib-2.48.2/glib/gmem.c:124
    #2 0x7f3771a00c4d in cr_input_new_from_buf /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:151:26
    #3 0x7f3771a027d6 in cr_input_new_from_uri /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:251:26
    #4 0x7f3771a22797 in cr_tknzr_new_from_uri /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1642:17
    #5 0x7f3771a8047c in cr_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2986:17
    #6 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18
    #7 0x51506f in cssom_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18
    #8 0x51506f in main /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997
    #9 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19 in cr_input_read_byte
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00[02]
  0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9246==ABORTING
Commit fix:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
Reproducer:
https://github.com/asarubbo/poc/blob/master/00267-libcroco-heapoverflow-cr_input_read_byte
CVE:
CVE-2017-7960

#####################################

# csslint-0.6 $FILE
/tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1283:15: runtime error: value 9.11111e+19 is outside the range of representable values of type 'long'
Commit fix:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
Reproducer:
https://github.com/asarubbo/poc/blob/master/00268-libcroco-outside-long
CVE:
CVE-2017-7961

Affected version:
0.6.11 and 0.6.12

Fixed version:
0.6.13 (not released at the time of writing)

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-04-12: bugs discovered and reported to upstream
2017-04-16: upstream released a patch
2017-04-17: blog post about the issues
2017-04-19: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.
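Both reports above fall into familiar C bug classes: an unchecked read past the end of an input buffer, and a cast of an out-of-range double to long, which C leaves undefined (that is what "outside the range of representable values of type 'long'" means). As an added illustration, not libcroco's code and not the upstream fix linked above, here is what the two checks look like: a byte reader that reports end of input instead of reading on, and a conversion that tests the range in floating point before casting. Type and function names (input_t, input_read_byte, num_to_long) are made up for the example, and the sample stylesheet bytes are constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example for this page, not libcroco's code or its fix. The two routines
 * below show the checks that the two bug classes reported above call for. */

/* --- 1. bounds-checked input reader (class of the heap-buffer-overflow) ----- */
typedef struct {
    const unsigned char *buf;   /* stylesheet bytes */
    size_t len;                 /* number of valid bytes in buf */
    size_t pos;                 /* next byte to read */
} input_t;

/* Returns false at end of input instead of reading past buf[len-1]. */
bool input_read_byte(input_t *in, unsigned char *out) {
    if (in->pos >= in->len)
        return false;
    *out = in->buf[in->pos++];
    return true;
}

/* Drain an input through input_read_byte and count the bytes handed out:
 * must equal len, never more, however often the caller keeps calling. */
size_t input_count_bytes(const unsigned char *buf, size_t len) {
    input_t in = { buf, len, 0 };
    unsigned char c;
    size_t n = 0;
    while (input_read_byte(&in, &c))
        n++;
    for (int i = 0; i < 3; i++)          /* extra calls after EOF stay false */
        if (input_read_byte(&in, &c))
            n++;
    return n;
}

/* --- 2. range-checked double -> long (class of the UBSan report) ------------ */

/* The pattern UBSan flagged: (long) of a value such as 9.11111e+19 is undefined.
 * Kept only to show the shape of the bug; nothing below calls it. */
long num_to_long_unchecked(double val) {
    return (long) val;
}

/* 2^(bits-1) as a double. It is exactly representable, unlike LONG_MAX = 2^63 - 1,
 * which rounds up to 2^63 when converted to double; comparing against
 * (double)LONG_MAX would therefore wrongly accept 2^63 itself. */
static double long_limit(void) {
    return (double)((unsigned long) LONG_MAX + 1UL);
}

/* Convert val to long only when the result is representable; NaN is rejected too.
 * The range test is done in floating point, before the cast. */
bool num_to_long(double val, long *out) {
    const double lim = long_limit();
    if (val != val)                 /* NaN compares unequal to itself */
        return false;
    if (val >= lim || val < -lim)   /* -2^63 itself is representable */
        return false;
    *out = (long) val;              /* truncation toward zero, now well-defined */
    return true;
}

/* Convenience wrapper: the converted value, or `fallback` when out of range. */
long num_to_long_or(double val, long fallback) {
    long v;
    return num_to_long(val, &v) ? v : fallback;
}

int main(void) {
    const unsigned char css[] = "a{color:red}";    /* constructed input */
    printf("bytes read: %zu of %zu\n", input_count_bytes(css, sizeof css - 1), sizeof css - 1);
    printf("9.11111e+19 -> %ld (fallback 0)\n", num_to_long_or(9.11111e+19, 0));
    printf("42.9 -> %ld\n", num_to_long_or(42.9, -1));
    return 0;
}
```

The bound is computed as LONG_MAX + 1 in unsigned arithmetic because LONG_MAX itself is not representable as a double: a check written as val <= (double)LONG_MAX admits exactly the value that overflows.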

Permalink:

libcroco: heap overflow and undefined behavior

Top

US travel ban total disaster, sad

Postby kris via The Isoblog. »

The Washington Post reports on the amount of damage the travel bans in the US are doing to travel as a whole, not just to travellers from the six or seven countries primarily targeted:

The result was a wave of withdrawals. “Getting those cancellations all at once, that was startling,” said Russ Hedge, chief executive of HIU, which oversees 52 hostels across the country. “We’ve never seen something like that.”

and

Fifteen miles from the White House, the Sheraton Tysons Hotel is now offering a free Apple Watch to anybody who books a meeting. “We’re doing everything we can to get through this storm,” said Chris Zindash, the hotel’s director of sales and marketing.

Top

Seven years Eyjafjallajökull eruption

Postby kris via The Isoblog. »

In 2010, between April 15 and April 23, air travel was disrupted by the ash cloud from the Icelandic Eyjafjallajökull eruption.

Air travel disruption after the 2010 Eyjafjallajökull eruption
That meant a lot of travellers could not reach the beds they had booked, while approximately the same number of people could not leave their beds to return home. On the first day, the volume of calls making it into the call center (not counting dropped calls) was nine times the normal volume. We added a lot of personnel (three times the normal staff, IIRC) to the call centers, upgraded servers to handle the increased churn on the databases, and added licenses to the phone system to cope – all in all an extremely busy time.

Also, many hoteliers realized that it is actually ok for customers to cancel, as long as the beds are warm (and paid for). Travelling became a lot more flexible in the aftermath of this incident.
Top

Passenger dragged onto Ryanair flight

Postby kris via The Isoblog. »

»Outcry as shocking scenes emerge of passenger being dragged onto Ryanair flight« is the headline of the satirical magazine Dafty News, spot on, and it continues:

Michael O’Leary, the outspoken CEO of Ryanair, appeared unconcerned last night as he told reporters: “I don’t know what all the fuss is about, to be honest. The flight was underbooked and this individual was spotted wandering aimlessly around Costa Coffee in the airport lounge, so after making sure he had a credit card, we took the necessary steps to get him on board.

Remember: It’s only funny, because it’s almost true.
Top

Rainbow 100 Venix/86R Disks Found

Postby Warner Losh via Warner's Random Hacking Blog »

Recently, there was a post on an obscure retro-computing blog. It said that someone had acquired a Rainbow 100, which isn't so unusual (though there's only a few on the market). The part that was interesting was that it said it included VENIX disks. After some email back and forth, the owner sent the disks to me for reading.

After fighting for a week with PCs (more on that in another blog), I decided to search to see if there was a Rainbow native solution. Turns out that there was something called RBIMG by PrintStar (Jeff Armstrong) which I was able to get going on my old Rainbow 100B. It came with source because the Venix disks were mostly good, but some sectors required a number of retries. It appears to be a Version 7 Unix for the PC.

I've read in the Boot disk, a bunch of Xfer disks (not sure what they are), all the User and System utilities and a BWS extension disk. That's the good news. The bad news is that I still have a few sectors that aren't doing so hot. The User3 disk has 3 errors, the User2 disk has 2 errors and the boot disk has 1 error.

The Boot disk's one error, though, seems intentional. I've actually booted the Venix disk on my Rainbow, and it comes up. It also tells me the serial number after what sounds like a read error. I'm not yet sure what scheme that Venix uses, so that one might be solvable. It's cool to see a unix kernel that's only 45k in size.

So I'm 5 errors away from having a full set of disks. My thought was that maybe these disks were produced with a 1.2MB drive instead of a real RX-50, so diversity being good, I'm going to try to bring up an old PC I have sitting on the E-Waste pile. I have newer ones, but the BIOS doesn't support 1.2MB drives in those, which may be a clue that 1.2MB drives won't work at all in them (the literature on the web is spotty on this topic, but seems to indicate that latter-day systems cost-reduced 360k/1.2MB support out of the controller). More on those trials and tribulations in a newer post.
Top

Network Devops Engineer at Booking.com

Postby kris via The Isoblog. »

You know Python and Networking? We do have a platform based on Django that automates network and data center management, and we need to invest in this.

We are going to do a lot more with this, and with many other interesting toys.

Want to play? Check this out.

“Empowering people to experience the world…”

“… and working with people from literally all over the world.”
Top

SELinux, do you understand it?

Postby kris via The Isoblog. »

Yeah, me neither.

For people like me, there is now the SELinux Coloring book (PDF).

Top

Shadowbrokers released NSA exploits, most not 0days any more

Postby kris via The Isoblog. »

The Shadowbrokers released a number of Windows exploits that were leaked from the NSA's exploit cache.

A lot of blogs and tech opinion pieces appeared, most of them up in arms about the NSA not only sitting on these exploits, but also not talking to Microsoft about them during the 90+ days in which these exploits were known to be compromised.

Turns out, all of these exploits are actually fixed already (or do not work on current platforms in the first place), and though neither MS nor the NSA comment, both parties apparently have been in communication about this.

So the situation is not nearly as dire as those opinion pieces make it look.

So the main question is: have you patched all your systems up to MS17-010 (March 14, 2017) already? And what about your Windows XP habit?

Right. Thought as much.
Top

Nautilus Scripting, Part Three

Postby bed via Zockertown: Nerten News »

A few years ago I presented a couple of scripts for Nautilus.

Today I fixed a small bug and created two variants of the resize script.

The scripts belong in $HOME/.local/share/nautilus/scripts/

They have to be made executable with chmod +x so that they show up in the Nautilus context menu.

resize_auto_orient.sh
#!/bin/bash
#
#  Title: resize_auto_orient.sh
#  Author: Bed [@] zockertown.de
#  Web: zockertown.de/s9y/
#  Version 0.4
#  Requirement: ImageMagick, for the command-line tools convert and mogrify
#  Purpose: scales the images to 1280x1024; if the orientation hints
#           (EXIF) in the source image are intact, the image is rotated correctly.
#           The scaled image gets a text note stamped on it; if the mogrify
#           call in the loop is disabled (by prefixing it with '#'),
#           no branding is applied.
#
# Nautilus passes the selected files as newline-separated file:// URIs in
# $NAUTILUS_SCRIPT_SELECTED_URIS, with special characters percent-encoded.
set -f                                  # the URIs are word-split below; do not glob them
count=$(echo "$NAUTILUS_SCRIPT_SELECTED_URIS" | wc -w)
[ "$count" -gt 0 ] || exit 0            # nothing selected: avoid a division by zero
teil=$((100 / count))                   # progress step per image
teiler=$teil
( for file in $NAUTILUS_SCRIPT_SELECTED_URIS; do
    # strip the file:// scheme and decode every %XX escape (not only %20)
    path=${file#file://}
    path=$(printf '%b' "${path//%/\\x}")
    file_name=$(basename "$path")
    file_folder=$(dirname "$path")
    convert -auto-orient -strip -geometry 1280x1024 -quality 80 "$file_folder/$file_name" "${file_folder}/${file_name}_resized_1280x1024.jpg"
    teiler=$((teiler + teil))
    echo "$teiler"
    mogrify -pointsize 10 -fill gray -gravity SouthWest -draw "text 10,20 'Copyright Bernd Dau'" "${file_folder}/${file_name}_resized_1280x1024.jpg"
done ) | zenity --progress --percentage="$teil" --auto-close

resize_auto_orient-max-256kb.sh
#!/bin/bash
#
#  Title: resize_auto_orient-max-256kb.sh
#  Author: Bed [@] zockertown.de
#  Web: zockertown.de/s9y/
#  Version 0.4
#  Requirement: ImageMagick, for the command-line tools convert and mogrify
#  Purpose: scales the images to 1280x1024; if the orientation hints
#           (EXIF) in the source image are intact, the image is rotated correctly.
#           The image is compressed so that it does not exceed the configured
#           size (here 256 KB). This is useful for forums that only allow a
#           limited file size.
#           The scaled image gets a text note stamped on it; if the mogrify
#           call in the loop is disabled (by prefixing it with '#'),
#           no branding is applied. Note that re-saving with mogrify can push
#           the file slightly above the 256 KB limit again.
#
# Nautilus passes the selected files as newline-separated file:// URIs in
# $NAUTILUS_SCRIPT_SELECTED_URIS, with special characters percent-encoded.
set -f                                  # the URIs are word-split below; do not glob them
count=$(echo "$NAUTILUS_SCRIPT_SELECTED_URIS" | wc -w)
[ "$count" -gt 0 ] || exit 0            # nothing selected: avoid a division by zero
teil=$((100 / count))                   # progress step per image
teiler=$teil
( for file in $NAUTILUS_SCRIPT_SELECTED_URIS; do
    # strip the file:// scheme and decode every %XX escape (not only %20)
    path=${file#file://}
    path=$(printf '%b' "${path//%/\\x}")
    file_name=$(basename "$path")
    file_folder=$(dirname "$path")
    convert -auto-orient -strip -define jpeg:extent=256kb -geometry 1280x1024 "$file_folder/$file_name" "${file_folder}/${file_name}_max_256kb_1280x1024.jpg"
    teiler=$((teiler + teil))
    echo "$teiler"
    mogrify -pointsize 10 -fill gray -gravity SouthWest -draw "text 10,20 'Copyright Bernd Dau'" "${file_folder}/${file_name}_max_256kb_1280x1024.jpg"
done ) | zenity --progress --percentage="$teil" --auto-close

shrink-max_256k.sh (Of course one has to be aware that the image quality may suffer here. For landscape shots at camera resolution, going from 3 MB down to 256 KB, that is unavoidable.)
#!/bin/bash
#
#  Title: shrink-max_256k.sh
#  Author: Bed [@] zockertown.de
#  Web: zockertown.de/s9y/
#  Version 0.4
#  Requirement: ImageMagick, for the command-line tools convert and mogrify
#  Purpose: the resolution of the images is not changed here. If the
#           orientation hints (EXIF) in the source image are intact, the
#           image is rotated correctly.
#           The image is compressed so that it does not exceed the configured
#           size (here 256 KB). This is useful for forums that only allow a
#           limited file size.
#           The image gets a text note stamped on it; if the mogrify
#           call in the loop is disabled (by prefixing it with '#'),
#           no branding is applied. Note that re-saving with mogrify can push
#           the file slightly above the 256 KB limit again.
#
# Nautilus passes the selected files as newline-separated file:// URIs in
# $NAUTILUS_SCRIPT_SELECTED_URIS, with special characters percent-encoded.
set -f                                  # the URIs are word-split below; do not glob them
count=$(echo "$NAUTILUS_SCRIPT_SELECTED_URIS" | wc -w)
[ "$count" -gt 0 ] || exit 0            # nothing selected: avoid a division by zero
teil=$((100 / count))                   # progress step per image
teiler=$teil
( for file in $NAUTILUS_SCRIPT_SELECTED_URIS; do
    # strip the file:// scheme and decode every %XX escape (not only %20)
    path=${file#file://}
    path=$(printf '%b' "${path//%/\\x}")
    file_name=$(basename "$path")
    file_folder=$(dirname "$path")
    convert -auto-orient -strip -define jpeg:extent=256kb "$file_folder/$file_name" "${file_folder}/${file_name}_max_256kb.jpg"
    teiler=$((teiler + teil))
    echo "$teiler"
    mogrify -pointsize 10 -fill gray -gravity SouthWest -draw "text 10,20 'Copyright Bernd Dau'" "${file_folder}/${file_name}_max_256kb.jpg"
done ) | zenity --progress --percentage="$teil" --auto-close

Top

Shoney’s Hit By Apparent Credit Card Breach

Postby BrianKrebs via Krebs on Security »

It’s Friday, which means it’s time for another episode of “Which Restaurant Chain Got Hacked?” Multiple sources in the financial industry say they’ve traced a pattern of fraud on customer cards indicating that the latest victim may be Shoney’s, a 70-year-old restaurant chain that operates primarily in the southern United States.

Image: Thomas Hawk, Flickr.
Shoney’s did not respond to multiple requests for comment left with the company and its outside public relations firm over the past two weeks.

Based in Nashville, Tenn., the privately-held restaurant chain includes approximately 150 company-owned and franchised locations in 17 states from Maryland to Florida in the east, and from Missouri to Texas in the West — with the northernmost location being in Ohio, according to the company’s Wikipedia page.

Sources in the financial industry say they’ve received confidential alerts from the credit card associations about suspected breaches at dozens of those locations, although it remains unclear whether the problem is limited to those locations or if it extends company-wide. Those same sources say the affected locations were thought to have been breached between December 2016 and early March 2017.

It’s also unclear whether the apparent breach affects corporate-owned or franchised stores — or both. In last year’s card breach involving hundreds of Wendy’s restaurants, only franchised locations were thought to have been impacted. In the case of the intrusion at Arby’s, on the other hand, only corporate stores were affected.

The vast majority of the breaches involving restaurant and hospitality chains over the past few years have been tied to point-of-sale devices that were remotely hacked and seeded with card-stealing malicious software.

Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register. Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

Many retailers are now moving to install card readers that can handle transactions from more secure chip-based credit and debit cards, which are far more expensive for thieves to clone. Malware that makes it onto point-of-sale devices capable of processing chip card transactions can still intercept data from a customer’s chip-enabled card, but that information cannot later be used to create a cloned physical copy of the card.

Update, April 16, 2017, 10:05 p.m. ET: After this story was published, an Atlanta-based company called Best American Hospitality Corp. published a press release claiming responsibility for a card breach impacting dozens of Shoney’s locations. Here’s the company’s notice about this incident, which lists the locations thought to have been compromised so far.
Top

Tumblr of the Day: Roots of Design

Postby kris via The Isoblog. »

I have just finished reading the Project Zero Blog entries about the Broadcom Wifi SoC used in Cellphones, and how to utilise that SoC to take over the main CPU of a phone.

While this is awesome reading, it reminded me about my interest in taking up a career in landscape gardening.

So here is my Tumblr of the Day recommendation for today: Roots of Design, a podcast about… Landscape Gardening.

It’s awesome, exploit free and about design, so it’s everything that IT isn’t.

It’s also defunct, the last episode is from almost 2 years ago, so it has at least something in common with the patch level of your phone.
Top

Signed pointers

Postby kris via The Isoblog. »

So those real hackers keep telling me that back then in the times of the LISP machine they had tagged pointers and stuff.

Those pesky mobile whizkids at Qualcomm could not let that stand, so they worked with ARM to get signed pointers into ARMv8.3. Two families of new instructions have been added, one for signing pointers, the other for checking the signature. How does that work? The PDF at Qualcomm describes the details.

Basically, when the return address is saved on a subroutine call, that pointer is signed with a PAC* instruction; before the return it is checked with an AUT* instruction. If the pointer has been messed with, the check fails and leaves the pointer in a form that is not a valid address, so the RET that follows faults with an address exception. The variants that live in the hint (NOP) encoding space, such as PACIASP and AUTIASP, execute as NOPs on pre-8.3 CPUs, so the same binary runs on old hardware, just without the protection.

With a 40-bit virtual address space in a cellphone processor, the top 24 bits of a 64-bit pointer are unused and can hold the signature; other splits are possible depending on the address space layout and size.
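To make the split of the pointer concrete, here is a small C model of the mechanism, added for this page and not taken from the post or from the Qualcomm paper. It assumes 40-bit virtual addresses, so the top 24 bits of a return address hold the signature; it signs with SP as the modifier the way PACIASP does and checks the way AUTIASP does. The keyed hash is a toy mixer standing in for QARMA, a failed check is modelled by forcing the pointer non-canonical (the real CPU writes an error code into the top bits), and all function names and the sample addresses are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of ARMv8.3 pointer authentication for this page; not code from the
 * post or from the Qualcomm paper. Layout assumed: 40-bit virtual addresses, so
 * bits 63..40 of a pointer are free and the PAC is 24 bits wide. */
#define VA_BITS  40
#define PAC_BITS (64 - VA_BITS)
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_MASK (~VA_MASK)

typedef struct { uint64_t hi, lo; } pac_key_t;   /* stands for the 128-bit APIAKey */

/* Toy keyed mixer standing in for QARMA. Only what matters for the mechanism is
 * modelled: the result depends on pointer, key and modifier, and is truncated
 * to PAC_BITS bits. It is not a secure MAC. */
static uint64_t toy_mac(uint64_t ptr, uint64_t modifier, pac_key_t key) {
    uint64_t x = (ptr ^ key.lo) + (modifier ^ key.hi);
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x >> VA_BITS;                      /* PAC_BITS bits survive */
}

/* PACIASP: sign the (canonical) return address, using SP as the modifier,
 * and store the PAC in the unused top bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, pac_key_t key) {
    uint64_t canonical = ptr & VA_MASK;
    return canonical | (toy_mac(canonical, modifier, key) << VA_BITS);
}

/* AUTIASP: recompute the PAC and compare. On success the PAC bits are stripped
 * and the usable pointer returned. On failure the CPU leaves the pointer
 * non-canonical (an error code in the top bits) so that the RET that follows
 * faults; modelled here by forcing the two top bits on. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, pac_key_t key) {
    uint64_t canonical = signed_ptr & VA_MASK;
    if ((signed_ptr >> VA_BITS) == toy_mac(canonical, modifier, key))
        return canonical;
    return canonical | (3ULL << 62);
}

/* A pointer is usable only if its PAC bits are all zero. */
bool pac_is_canonical(uint64_t ptr) { return (ptr & PAC_MASK) == 0; }

/* --- scenarios, returning values so they can be checked --------------------- */
static const pac_key_t demo_key = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };
static const uint64_t demo_lr = 0x0000007f12345678ULL;   /* saved return address */
static const uint64_t demo_sp = 0x0000007ffff0a0c0ULL;   /* SP at PACIASP time */

/* Honest return: sign in the prologue, authenticate in the epilogue. */
uint64_t demo_roundtrip(void) {
    return pac_auth(pac_sign(demo_lr, demo_sp, demo_key), demo_sp, demo_key);
}

/* A stack overflow overwrites the saved LR; the attacker does not know the key,
 * so the PAC no longer matches and the pointer comes back non-canonical. */
bool demo_tamper_fails(void) {
    uint64_t signed_lr = pac_sign(demo_lr, demo_sp, demo_key);
    uint64_t tampered = (signed_lr & PAC_MASK) | 0x0000007f0badc0deULL;
    return !pac_is_canonical(pac_auth(tampered, demo_sp, demo_key));
}

/* Replaying a correctly signed LR from a different stack frame also fails,
 * because SP (the modifier) differs. */
bool demo_replay_fails(void) {
    uint64_t signed_lr = pac_sign(demo_lr, demo_sp, demo_key);
    return !pac_is_canonical(pac_auth(signed_lr, demo_sp + 0x40, demo_key));
}

int main(void) {
    printf("signed LR   : %016llx\n", (unsigned long long) pac_sign(demo_lr, demo_sp, demo_key));
    printf("round trip  : %016llx\n", (unsigned long long) demo_roundtrip());
    printf("tamper fails: %d\n", demo_tamper_fails());
    printf("replay fails: %d\n", demo_replay_fails());
    return 0;
}
```

Two things the model shows that the prose does not: the signed return address on the stack is still readable, the attacker only lacks the key; and because SP goes into the signature as the modifier, a correctly signed return address copied from another frame does not verify either.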
Top

CVE-2016-10229: Remote UDP Exploit or why did your Nexus want a new kernel this morning?

Postby kris via The Isoblog. »

CVE-2016-10229: Almost perfect score.

CVSS v3 Base Score 9.8 (Critical)



»udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.«

Affects your Linux, and hence all the Android devices you own that will never see an update. Or “why did your Nexus need a reboot this morning?”
Top

Let’s Encrypt and Comodo targeted by Phishers for TLS certs

Postby kris via The Isoblog. »

A Netcraft report highlights that both Let’s Encrypt and Comodo have issued thousands of certificates for domains that in one form or another contain the words “apple”, “paypal” or “ebay”, and that virtually all of these domains are being used for phishing or other fraudulent activities.



Netcraft provides a metric called “Deceptive Domain Score“, and uses the opportunity to promote this service of theirs, requesting that certificate authorities implement a similar service.

In each of these examples above — and in the other statistics referenced above — the certificate authority had sight of the whole hostname that was blocked. These examples did not rely on wildcard certificates to carry out their deception. In particular, some of these examples (such as update.wellsfargo.com.casaecologica.cl) demonstrate that the certificate authority was better placed to prevent misuse than the domain registrar (who would have seen casaecologica.cl upon registration).

The two services are attractive to phishers because they offer TLS certificates for free and through an API, with a very limited screening process. Both check the domain being certified against the Safe Browsing API, but a domain is usually not listed there yet at the time the certificate is issued (the phishing page goes live afterwards), so the check catches very little. Netcraft would rather have the CAs buy their Deceptive Domain Scoring service instead.
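The point in the quoted paragraph, that the CA sees the whole hostname while the registrar only sees the registrable domain, can be turned into a check. The following C example is added for this page; it is not Netcraft's scoring and not any CA's code. It assumes the registrable domain is the last two labels (a real implementation consults the Public Suffix List) and reports, for a brand name, whether it sits in the registrable domain (registrar and CA both saw it) or only in a subdomain label (only the CA could have seen it). Apart from the hostname quoted from the report, the hostnames are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page; not Netcraft's scoring and not any CA's code.
 * It answers one question for a hostname presented to a CA: if a brand name
 * appears in it, which party was in a position to notice?
 * Assumption: the registrable domain is the last two labels. A real check
 * must consult the Public Suffix List (co.uk, com.au, ...) to find it. */
#define REGISTRABLE_LABELS 2

enum brand_visibility {
    BRAND_ABSENT = 0,         /* brand does not occur in any label */
    BRAND_SEEN_BY_REGISTRAR,  /* brand is in the registrable domain: registrar and CA both saw it */
    BRAND_SEEN_BY_CA_ONLY     /* brand is in a subdomain label: only the CA saw it */
};

/* Case-insensitive "needle occurs within label[0..len)". */
static bool label_contains(const char *label, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++) {
        size_t k = 0;
        while (k < n && tolower((unsigned char) label[i + k]) == tolower((unsigned char) needle[k]))
            k++;
        if (k == n)
            return true;
    }
    return false;
}

enum brand_visibility classify_brand(const char *host, const char *brand) {
    int labels = 1;
    for (const char *p = host; *p; p++)
        if (*p == '.')
            labels++;
    /* labels to the left of the registrable domain, i.e. what the registrar never sees */
    int subdomain_labels = labels - REGISTRABLE_LABELS;
    if (subdomain_labels < 0)
        subdomain_labels = 0;

    const char *p = host;
    for (int i = 0; i < labels; i++) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (label_contains(p, len, brand))
            return i < subdomain_labels ? BRAND_SEEN_BY_CA_ONLY : BRAND_SEEN_BY_REGISTRAR;
        if (!dot)
            break;
        p = dot + 1;
    }
    return BRAND_ABSENT;
}

int main(void) {
    /* constructed hostnames; the first is the one quoted from the Netcraft report */
    static const char *const hosts[] = {
        "update.wellsfargo.com.casaecologica.cl",
        "paypal-secure.example",
        "secure.paypal.com",
        "casaecologica.cl",
    };
    static const char *const brands[] = { "wellsfargo", "paypal", "paypal", "wellsfargo" };
    static const char *const names[] = { "absent", "seen by registrar", "seen by CA only" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-42s %-10s %s\n", hosts[i], brands[i], names[classify_brand(hosts[i], brands[i])]);
    return 0;
}
```

It reports where the brand appears, not whether the name is abusive: secure.paypal.com is a hit at the registrable domain just as paypal-secure.example is, and deciding whether the requester is the brand owner is exactly what a deceptive-domain score or a manual review has to do.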
Top

Curlbash, and Desktop Containers

Postby kris via The Isoblog. »

I was having two independent discussions recently, both of which started with some traditional Unix person condemning installing software with curlbash (“curl https://… | bash”), or even “curl | sudo bash”.

I do not really think this is much more dangerous than installing random rpm or dpkg packages any more, especially if those packages are unsigned or the signing key gets installed just before the package.

The threat model really has become a different one in the last few years, and the security mechanisms have had to change as well. And they have: UIDs have become much less important.

Desktop containers and Sandboxes have become much more important, and segregation happens now at a much finer granularity (the app level) instead of the user level.



The two discussions have been around the installation of sysdig (see their article, which focuses on signed code and proxies injecting modifications), and Mastodon (which uses node.js, which offers as one installation path “curl -sL https://deb.nodesource.com/setup_7.x | sudo -E bash -“).

Provided that you actually get the file that’s on the remote server (i.e. no proxy exists that modifies stuff), I fail to see the problem. You are not very likely to go through the source and review it.

Also, you are hopefully installing this into a single-purpose virtual machine or container, so there is nothing else inside the image anyway. It does not really matter, which UID this is running as, because there is nothing else inside this universe in the first place.

We have come, in a way, full circle and are back at MS-DOS, where there are no users or permissions visible to the application, because it is utterly alone in the world.

User IDs also do not matter much on personal devices, because these typically have only one user. Being kris (1000) on my Laptop or my Cellphone does not really contain or isolate anything, because there is only me and the only files important are all mine – the files not owned by me come from the operating system image and can be restored at any time. Yes, my files are much more important and harder to replace than the system files.

MacOS

In MacOS, we have a system that kind of solved the problem of a lone user installing a lot of apps, all of which might to a certain extent be hostile to each other or are trying to pull off things with me and my data.

The threat model is not “multiple users sharing a single device, and keeping their stuff separate”, but “many apps from different sources, and with different levels of trustworthiness, make sure they do not make off with the users data or another apps data unnoticed”. This is very different from Unix-Think and Unix is actually by default not set up at all to handle this.

MacOS attacks the problem by sandboxing Apps from the App Store. Apps run in

⌂ [:~/Library … com.omnigroup.OmniGraffle7.MacAppStore]↥ $ pwd
/Users/kkoehntopp/Library/Containers/com.omnigroup.OmniGraffle7.MacAppStore

⌂ [:~/Library … com.omnigroup.OmniGraffle7.MacAppStore]↥ $ ls -1 Data/
Desktop
Documents
Downloads
Library
Movies
Music
Pictures

That is, you still have a single UID per potential user, but apps are confined to a subdirectory and a bunch of system standard locations for stuff.

They can exit that through the file dialogs and other systems means and access arbitrary locations in the system, but the user interaction required here makes sure their activity is being screened and contextualized by a human.

For the user, this is transparent and invisible, and requires no conscious permissive actions. It is implied in the normal I/O dialog workflow. That’s genius, because it hides all the complexity that comes with other systems such as AppArmor, let alone SELinux.

Android

Android uses Unix UIDs, but differently than intended.

In Android, you always have a GUI, because a command line without a GUI makes no sense on touch devices. Multiple users are possible, but user separation is not via UID, it is via the GUI.

Instead, Android assigns a UID to each app dynamically, and uses Linux permissions and SELinux on top of that to keep apps out of each others data.

The “SD Card” area and permission is actually a limited file-sharing facility between apps, but that was not planned. It was a side effect of the fact that the MS-DOS filesystems on SD cards cannot enforce the Unix UIDs of different apps. On top of that, Google has been learning clumsily and slowly to turn this into an advantage, with several false starts.

User Story

Both systems allow users to install apps from all kinds of app makers through a unified channel with limited review, and manage to keep data per-app separated. So it is possible to run apps safely, even if the app is somewhat hostile to other apps or the users data.

The ideas behind that have been picked up, and are being transformed slowly in the unix environment using the desktop-container paradigm. Things like Flatpak are leveraging containers on the desktop to do exactly what the MacOS sandbox does.

Summary:

  • If everything on your system is running as the same user, then “curl | sudo bash” and “curl | bash” are equivalent in terms of threat.
  • If the user is actually reviewing the source and build, then each apt-get, rpm and any curlbash are actually equivalent, because the amount of review is the same, and far too little.
What is instead necessary is a system that improves security in a way that separates apps, not users, and that makes it possible to recover from the accidental install and execution of a hostile or broken app.

And that’s what desktop containers like flatpak do, or intend to do.

They are obviously neither perfect nor finished. But they are actually addressing a new and different threat model than the one Unix was built for, and that is no longer reflecting the current world.
Top

The Illustrated Guide to Kubernetes

Postby kris via The Isoblog. »

»The other day, my daughter sidled into my office, and asked me, “Dearest Father, whose knowledge is incomparable, what is Kubernetes?”

And I responded, “Kubernetes is an open source orchestration system for Docker containers. It handles scheduling onto nodes in a compute cluster and actively manages workloads to ensure that their state matches the users’ declared intentions. Using the concepts of “labels” and “pods”, it groups the container which make up an application into logical units for easy management and discovery.”

And my daughter said to me, “Huh?”

And so I give you…«

Video: https://www.youtube.com/watch?v=4ht22ReBjno

Comic: The Illustrated Guide to Kubernetes
Top

Humble Sanderson Bundle

Postby kris via The Isoblog. »

Humble Bundles are a good thing. Brandon Sanderson is a good author. Here is a combo:

Humble Sanderson Bundle
Top

Fashion Fix

Postby kris via The Isoblog. »



Can’t get fashionable Jeans sans knee holes? Buy one with, fix it yourself.
Top


Critical Security Updates from Adobe, Microsoft

Postby BrianKrebs via Krebs on Security »

Adobe and Microsoft separately issued updates on Tuesday to fix a slew of security flaws in their products. Adobe patched dozens of holes in its Flash Player, Acrobat and Reader products. Microsoft pushed fixes to address dozens of vulnerabilities in Windows and related software.

The biggest change this month for Windows users and specifically for people responsible for maintaining lots of Windows machines is that Microsoft has replaced individual security bulletins for patches with a single “Security Update Guide.”

This change follows closely on the heels of a move by Microsoft to bar home users from selectively downloading specific updates and instead issuing all monthly updates as one big patch blob.

Microsoft’s claims that customers have been clamoring for this consolidated guide notwithstanding, many users are likely to be put off by the new format, which seems to require a great deal more clicking and searching than under the previous rubric. In any case, Microsoft has released a FAQ explaining what’s changed and what folks can expect under the new arrangement.

By my count, Microsoft’s patches this week address some 46 security vulnerabilities, including flaws in Internet Explorer, Microsoft Edge, Windows, Office, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player.

At least two of the critical bugs fixed by Microsoft this month are already being exploited in active attacks, including a weakness in Microsoft Word that is showing up in attacks designed to spread the Dridex banking trojan.

Finally, a heads up for any Microsoft users still running Windows Vista: This month is slated to be the last that Vista will receive security updates. Vista was first released to consumers more than ten years ago — in January 2007 — so if you’re still using Vista it might be time to give a more modern OS a try (doesn’t have to be Windows…just saying).

As it is wont to do on Microsoft’s Patch Tuesday, Adobe pushed its own batch of security patches. The usual “critical” update for Flash Player fixes at least seven flaws. The newest version is v. 25.0.0.148 for Windows, Mac and Linux systems.

As loyal readers here no doubt already know, I dislike Flash because it’s full of security holes, is a favorite target of drive-by malware exploits, and isn’t really necessary to be left installed or turned on all the time anymore.

Hence, if you have Flash installed, you should update, hobble or remove Flash as soon as possible. To see which version of Flash your browser may have installed, check out this page.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. An extremely powerful and buggy program that binds itself to the browser, Flash is a favorite target of attackers and malware. For some ideas about how to hobble or do without Flash (as well as slightly less radical solutions) check out A Month Without Adobe Flash Player.

If you choose to keep Flash, please update it today. The most recent versions of Flash should be available from the Flash home page. Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (e.g. Firefox, Opera).

Chrome and IE should auto-install the latest Flash version on browser restart (users may need to manually check for updates and/or restart the browser to get the latest Flash version). When in doubt, click the vertical three-dot icon to the right of the URL bar, select “Help,” then “About Chrome”: if there is an update available, Chrome should install it then.

Adobe also issued security fixes for its Photoshop, Adobe Reader and Acrobat software packages. The Reader/Acrobat updates address a whopping 47 security holes in these products, so if you’ve got either program installed please take a moment to update.

As ever, please leave a note in the comment section if you run into any difficulties downloading or installing any of these patches.
Top


Deutsche Post makes more StreetScooters

Postby kris via The Isoblog. »

Production Street Scooter in Aachen
Deutsche Post tried to purchase a lot of simple and cheap electric vans for the delivery of post and parcels, but could not find a suitable offer. So they teamed up with StreetScooter in Aachen and later bought the company.

Their vehicles: electric bikes for loads up to 50kg, and the “Work” parcel delivery car. Both have been an unmitigated success, and StreetScooter was swamped with requests from other companies having similar needs.

End Result: doubled production capacity (20k per year), new factory in NRW, Germany, selling vehicles to third parties due to high demand, and a new Scooter, Work L, with double the load.

The full fleet is expected to cover all urban delivery needs, from e-bikes through e-trikes to electric vans with 4, 8 and 20 cubic metres of transport capacity. Deutsche Post plans to be completely emissions free by 2050.
Top

Mastodon

Postby kris via The Isoblog. »

Apparently I am https://octodon.social/@Isotopp for now.
Top

One Cookie Popup? We demand Hundreds of them!

Postby kris via The Isoblog. »

You can’t read any website anywhere in Europe without getting a completely useless “We too are using cookies” overlay. This has been such an unmitigated success that there is a separate “kill all cookie banners” category in every ad blocker available.

But, says the Article 29 Working Party of European privacy commissioners, this is by far not annoying enough, we can do worse. Consent cannot be given in general; you need to make it more specific.

That is, they demand hundreds of these overlays on each site (PDF).

Page 17 of that PDF:

The end-user must be able to give separate consent per website or app for tracking for different purposes (such as social media sharing or advertising). […]

For both browsers and data controllers this means it would be invalid if they would only offer an option ‘to accept all cookies’, since this would not enable users to provide the required granular consent.

Right. How is this even practical.

FrOSCon 2017

Postby kris via The Isoblog. »

TL;DR: Submit your FrOSCon proposals to https://www.froscon.de/1/cfp/. Deadline is 23 May 2017.

Call for Papers FrOSCon 2017

The Free and Open Source Software Conference (FrOSCon), an annual summer conference for users and developers of FOSS, will be held on the August 19-20 at the University of Applied Sciences Bonn-Rhein-Sieg in Sankt Augustin near Bonn, Germany. It is organized by the University’s Department of Computer Science in collaboration with the student body and the FrOSCon e.V.

As its key feature, volunteer speakers will deliver a comprehensive range of talks and workshops. Additionally, the event offers space and facilities to Free Software developers and projects to organize their own meetings or subconferences. The event also hosts an exhibit hall with booths from both FLOSS projects and companies.

Topics

We are looking for contributed papers on current trends and developments in all areas of Free and Open Source Software, e.g.:

  • Operating systems
  • Software development
  • Administration
  • IT security
  • Legal aspects
  • Desktop
  • Education
  • GIS

Focus areas in 2017 are:

  • “Coexisting with Bots” – Why can’t we be friends?
  • “The Rise of Machine Learning” – You Only Learn Once
  • “Persistent Migration” – The changing pace of software in the Open Source landscape
  • “The days of plenty are over” – Software Design Patterns in 2017

OSGeo & OSM Subconference

For the first time at FrOSCon, there will be a subconference for free geodata & geosoftware. FOSSGIS e.V. (http://fossgis.de) is organizing this sidebar event and they are looking for contributions on OpenStreetMap, free geodata, free GIS software & more. They welcome submissions of both shorter talks (20 min) and longer presentations (45 min).

Submitting Contributions

To submit a paper, create an account and submit your contribution at http://cfp.froscon.org/. To participate in the Call for Papers, you will have to submit a short abstract as well as a detailed description of your proposed session.

All accepted speakers must submit slides for their talk before the event.

The call for papers is open through May 23, 2017. The program committee meets to review proposals in early June. We will do our best to notify submitters whether their proposals were accepted within a week or two.

Language

Talks can be held in German or in English. The choice of language should depend solely on which language is more suitable for presenting the chosen topic. Language of submitted texts and the resulting talk should be the same.

Length of the Submissions

The abstract should summarize the planned content of the talk in a precise and succinct way. We do not place a limit on its length.

Talks should take no more than 45 minutes, in order to allow some time for Q&A and speaker transition.

We can accept longer contributions in special cases; we ask for a justification for the longer extent in this case.

Format

Abstract and description have to be submitted as plain text via http://cfp.froscon.de. We ask for submission of the slides in PDF format; other open document formats such as OpenOffice should only be submitted after prior consultation.

Licenses

We will publish abstract, description, slides and a video of your presentation online and include the abstract in the conference program. We require that you place your contributions under the Creative Commons Attribution 4.0 International (http://creativecommons.org/licenses/by/4.0/) license (or a more lenient license).

Unless another license is noted, we will assume that your contribution is under this license. If you want to place your works under a less restrictive license, please note so with your submission.

Selection of Contributions

Contributions are selected based on their content by a program committee.

Please understand that we cannot accept all contributions. We will favor submissions which fall under one of the aforementioned topics.

Other Remuneration

FrOSCon is organized by volunteers and is mostly funded by sponsors. We ask you to understand that we will not be able to reimburse you for your expenses. In special cases, we might be able to help you with your travel expenses and we continue to seek sponsors to cover this cost. Please get in touch with us if you have a special case or if your company would like to sponsor speaker travel.

Accommodation

There will be a room block reserved for our speakers in a hotel nearby the conference venue. You will receive details on the room block after your submission has been accepted.

Social Event

We are planning to hold a social event on the evening of the 19th and kindly invite all speakers to attend.

Important Dates and Contact Information

May 23, 2017 End of the Call for Papers. All contributions need to be submitted by this date in order to qualify.

June 6, 2017 Notification of acceptance of all contributions.

June 19, 2017 Final acceptance. We ask all invited speakers to give their final confirmation by this date.

August 1, 2017 Last date for submitting slides.

August 19, 2017 First day of FrOSCon.

Further information can be found on the website at http://www.froscon.org.

Please send questions about the Call for Papers via email to: program@froscon.org

Contact the organizers via email: contact@froscon.org

Postal address:

FrOSCon e.V.
c/o Fachhochschule Bonn-Rhein-Sieg
53757 Sankt Augustin
Germany


Network attacks on MySQL, Part 6: Loose ends

Postby Daniël van Eeden via Daniël's Database Blog »

Backup traffic

After securing application-to-database and replication traffic, you should also do the same for backup traffic.

If you use Percona XtraBackup with streaming then you should use SSH to send your backup to a secure location. The same is true for MySQL Enterprise Backup. Both also have options to encrypt the backup itself. If you send your backup to a cloud service this is something you should really do, especially if it is not sent via SSH or HTTPS.

mysqldump and mysqlbinlog both support SSL, and you can use GnuPG, OpenSSL, WinZip or any other tool to encrypt the resulting dump.
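A practical check to go with the paragraph above is to audit the option file your backup jobs actually run with, because mysqldump and mysqlbinlog only use TLS when the effective ssl-mode tells them to. The script below is an added example, not code from Daniël's post or from MySQL; it assumes the ssl-mode option of the MySQL 5.7.11+ clients and the documented lookup order (mysqldump reads [client] then [mysqldump], mysqlbinlog reads [client] then [mysqlbinlog]). The option-file text is constructed sample input.

```python
"""Audit MySQL client option files for the TLS settings used by backup tools.

Added example, not code from Daniël van Eeden's post or from MySQL. It
assumes the ssl-mode option of the MySQL 5.7.11+ clients and the option
groups each tool consults (mysqldump: [client] then [mysqldump];
mysqlbinlog: [client] then [mysqlbinlog]). SAMPLE_MY_CNF is constructed.
"""
import configparser

# Option groups each tool reads, in order; a later group overrides earlier ones.
TOOL_GROUPS = {
    "mysqldump": ("client", "mysqldump"),
    "mysqlbinlog": ("client", "mysqlbinlog"),
}

# ssl-mode values that encrypt the session *and* authenticate the server.
STRONG_MODES = {"VERIFY_CA", "VERIFY_IDENTITY"}

# Constructed sample ~/.my.cnf: [client] sets REQUIRED, [mysqldump] tightens it,
# [mysqlbinlog] inherits the weaker [client] setting.
SAMPLE_MY_CNF = """
[client]
user = backup
ssl_mode = REQUIRED

[mysqldump]
ssl-mode = VERIFY_IDENTITY
ssl-ca = /etc/mysql/ca.pem
single-transaction

[mysqlbinlog]
read-from-remote-server
"""


def parse_option_file(text):
    """Return {group: {option: value}} for my.cnf-style text.

    MySQL treats '-' and '_' in option names as equivalent, so names are
    normalised to the dashed, lower-case form. Bare options (no '=') get ''.
    """
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.optionxform = lambda name: name.strip().lower().replace("_", "-")
    cp.read_string(text)
    return {group: {key: (value or "").strip() for key, value in cp.items(group)}
            for group in cp.sections()}


def effective_options(cfg, tool):
    """Merge the groups a tool reads, later groups winning, as the client does."""
    merged = {}
    for group in TOOL_GROUPS[tool]:
        merged.update(cfg.get(group, {}))
    return merged


def audit_tool(cfg, tool):
    """Return a list of findings; an empty list means the tool verifies the server."""
    opts = effective_options(cfg, tool)
    # Without an explicit ssl-mode the 5.7.11+ client defaults to PREFERRED.
    mode = opts.get("ssl-mode", "PREFERRED").upper()
    findings = []
    if mode == "DISABLED":
        findings.append(f"{tool}: ssl-mode=DISABLED, backup traffic is plaintext")
    elif mode == "PREFERRED":
        findings.append(f"{tool}: no ssl-mode set, PREFERRED silently falls back "
                        "to plaintext if the server offers no TLS")
    elif mode == "REQUIRED":
        findings.append(f"{tool}: ssl-mode=REQUIRED encrypts but does not verify "
                        "the server certificate; use VERIFY_CA or VERIFY_IDENTITY")
    elif mode in STRONG_MODES and not opts.get("ssl-ca"):
        findings.append(f"{tool}: ssl-mode={mode} needs ssl-ca pointing at the CA "
                        "that signed the server certificate")
    return findings


def audit_all(cfg):
    """Audit every tool in TOOL_GROUPS; returns {tool: [findings]}."""
    return {tool: audit_tool(cfg, tool) for tool in TOOL_GROUPS}


if __name__ == "__main__":
    for tool, findings in audit_all(parse_option_file(SAMPLE_MY_CNF)).items():
        print(tool, "OK" if not findings else "\n  ".join([""] + findings))
```

Run against the sample, mysqldump passes while mysqlbinlog is flagged: it only inherits REQUIRED from [client], which encrypts the stream but does not check who is on the other end of it. Point the script at the real option file of the backup user (and at any `--defaults-extra-file` the cron job passes) rather than at your own ~/.my.cnf.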

Sending credentials

You could try to force the client to send credentials elsewhere. This can be done if you can control the parameters to the mysql client. It reads its config from /etc/my.cnf, ~/.my.cnf and ~/.mylogin.cnf, but if you for example specify a login-path and a hostname, it connects to that host with the username and password from the login-path in the encrypted ~/.mylogin.cnf file.

You could use --enable-cleartext-plugin to make it even easier to get to the stored password. Note that if you have direct access to the ~/.mylogin.cnf file there are options to decrypt it.

See Bug #74545: mysql allows to override login-path for details.

MySQL Cluster (NDB)

Make sure your machines use a private network (VLAN) which can only be accessed from cluster nodes. Your API nodes should be in this network and have a public interface where mysqld listens. Another option might be to use a firewall device or host based firewalls. Just make sure you are aware of the risks.

As usual there is extensive documentation about this: MySQL Cluster Security and Networking Issues from the MySQL Reference Manual.

Network storage

Use proper security for iSCSI, NFS, FCP or any other kind of network storage you might be using. I've seen setups where iSCSI and/or NFS were publicly available, and even with data-at-rest encryption this is not really safe, especially if read-write access is available.

Future

In both MySQL 5.6 and MySQL 5.7 Oracle improved the SSL/TLS support a lot. More improvements are needed, as a lot has changed in how SSL/TLS is used over the past 10 years: assumptions made years ago are no longer true.

And the creators of YaSSL have been busy too: wolfSSL/mysql-patch on GitHub.

Installing FreeBSD-current with 11.0R installation image

Postby Warner Losh via Warner's Random Hacking Blog »

Just a quick blog to document a trick.

Boot the install image (or even just a boot-only image). Get a Shell. At the shell, type
# env UNAME_r=12.0-CURRENT bsdinstall auto
and it will get the latest 12.0-current build installed. Thanks to Allan Jude for alerting me of this trick.

Making Cables

Postby Warner Losh via Warner's Random Hacking Blog »

Tonight I assembled my cables I'll need to read my Rainbow 100B ST-251-1 hard drive I've had for a long time to get a backup.

I recently purchased a MFM ST-506 emulator which supports reading and writing old hard disks. To read the ST-252-1 I need the old standard two-cable (20-pin and 34-pin) setup to connect it to the emulator. This will give me a final backup, and also make it easy for me to snag the data from the drive.

Once I get this done, I'll switch to using the emulator to access the drive so I'll have continuous backups. It will also make it possible for me to explore Venix if the Venix disks that I just got are still good.... Still need to read them. I've hit a few snags in reading them from FreeBSD, which appears to have broken ISA DMA in 11.x, so I'll have to install 10.x instead of -current.

We'll see how it goes...

Fake News at Work in Spam Kingpin’s Arrest?

Postby BrianKrebs via Krebs on Security »

Over the past several days, many Western news media outlets have predictably devoured thinly-sourced reporting from a Russian publication that the arrest last week of a Russian spam kingpin in Spain was related to hacking attacks linked to last year’s U.S. election. While there is scant evidence that the spammer’s arrest had anything to do with the election, the success of that narrative is a sterling example of how the Kremlin’s propaganda machine is adept at manufacturing fake news, undermining public trust in the media, and distracting attention away from the real story.

Russian President Vladimir Putin tours RT facilities. Image: DNI
On Saturday, news broke from RT.com (formerly Russia Today) that authorities in Spain had arrested 36-year-old Peter “Severa” Levashov, one of the most-wanted spammers on the planet and the alleged creator of some of the nastiest cybercrime engines in history — including the Storm worm, and the Waledac and Kelihos spam botnets.

But the RT story didn’t lead with Levashov’s alleged misdeeds or his primacy among junk emailers and virus writers. Rather, the publication said it interviewed Levashov’s wife Maria, who claimed that Spanish authorities said her husband was detained because he was suspected of being involved in hacking attacks aimed at influencing the 2016 U.S. election.

The RT piece is fairly typical of one that covers the arrest of Russian hackers in that the story quickly becomes not about the criminal charges but about how the accused is being unfairly treated or maligned by overzealous or misguided Western law enforcement agencies.

The RT story about Levashov, for example, seems engineered to leave readers with the impression that some bumbling cops rudely disturbed the springtime vacation of a nice Russian family, stole their belongings, and left a dazed and confused young mother alone to fend for herself and her child.

This should not be shocking to any journalist or reader who has paid attention to U.S. intelligence agency reports on Russia’s efforts to influence the outcome of last year’s election. A 25-page dossier released in January by the Office of the Director of National Intelligence describes RT as a U.S.-based but Kremlin-financed media outlet that is little more than an engine of anti-Western propaganda controlled by Russian intelligence agencies.

Somehow, this small detail was lost on countless Western media outlets, who seemed all too willing to parrot the narrative constructed by RT regarding Levashov’s arrest. With a brief nod to RT’s “scoop,” these publications back-benched the real story (the long-sought capture of one of the world’s most wanted spammers) and led with an angle supported by the flimsiest of sourcing.

On Monday, the U.S. Justice Department released a bevy of documents detailing Levashov’s alleged history as a spammer, and many of the sordid details in the allegations laid out in the government’s case echoed those in a story I published early Monday. Investigators said they had dismantled the Kelihos botnet that Severa allegedly built and used to distribute junk email, but they also emphasized that Levashov’s arrest had nothing to do with hacking efforts tied to last year’s election.

“Despite Russian news media reports to the contrary, American officials said Mr. Levashov played no role in attempts by Russian government hackers to meddle in the 2016 presidential election and support the candidacy of Donald J. Trump,” The New York Times reported.

Nevertheless, from the Kremlin’s perspective, the RT story is almost certainly being viewed as an unqualified success: It distracted attention away from the real scoop (a major Russian spammer was apprehended); it made much of the news media appear unreliable and foolish by regurgitating fake news; and it continued to sow doubt in the minds of the Western public about the legitimacy of democratic process.

Levashov’s wife may well have been told her husband was wanted for political hacking. Likewise, Levashov could have played a part in Russian hacking efforts aimed at influencing last year’s election. As noted here and in The New York Times earlier this week, the Kelihos botnet does have a historic association with election meddling: It was used during the Russian election in 2012 to send political messages to email accounts on computers with Russian Internet addresses.

According to The Times, those emails linked to fake news stories saying that Mikhail D. Prokhorov, a businessman who was running for president against Vladimir V. Putin, had come out as gay. It’s also well established that the Kremlin has a history of recruiting successful criminal hackers for political and espionage purposes.

But the less glamorous truth in this case is that the facts as we know them so far do not support the narrative that Levashov was involved in hacking activities related to last year’s election. To insist otherwise absent any facts to support such a conclusion only encourages the spread of more fake news.

Fossil Fuel Feminism and Inclusivity

Postby kris via The Isoblog. »

The Koch Brothers are heavily invested in hydrocarbons and desperately need more time to get out of their investment while the world is switching to renewables. So how desperate are they, exactly? Think Progress has a money quote:

Cooke told ThinkProgress that the organization’s fossil fuels art contest is rooted in inclusivity. “Fossil fuels seem to get left out of the Earth Day celebration,” she said via email. “As an energy feminist — pro-choice in energy sources — I feel it’s important to have hydrocarbons equally represented.”

As a friend put it: »If she’s delivering this with a straight face, she’s worth every cent of her salary as a PR-woman.«

(via Florian)

libsndfile: invalid memory READ and invalid memory WRITE in flac_buffer_copy (flac.c)

Postby ago via agostino's blog »

Description:
libsndfile is a C library for reading and writing files containing sampled sound.

A fuzz via the sndfile-resample command-line tool of libsamplerate discovered an invalid memory read and an invalid memory write. The upstream author Erik de Castro Lopo (erikd) said that they were fixed in the recent commit 60b234301adf258786d8b90be5c1d437fc8799e0, which addresses CVE-2017-7585. As usual I’m providing the stacktrace and the reproducer so that all release distros can test and check whether their version is affected or not.

The complete ASan output:

# sndfile-resample -to 24000 -c 1 $FILE out
==959==ERROR: AddressSanitizer: SEGV on unknown address 0x0000013cc000 (pc 0x7fc1ba91251c bp 0x60e000000040 sp 0x7fff95597f70 T0)
==959==The signal is caused by a WRITE memory access.
    #0 0x7fc1ba91251b in flac_buffer_copy /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:264
    #1 0x7fc1ba913404 in flac_read_loop /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:884
    #2 0x7fc1ba913505 in flac_read_flac2f /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:949
    #3 0x7fc1ba907a49 in sf_readf_float /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/sndfile.c:1870
    #4 0x5135c5 in sample_rate_convert /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:213:29
    #5 0x5135c5 in main /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:163
    #6 0x7fc1b9a4178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419f88 in _init (/usr/bin/sndfile-resample+0x419f88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:264 in flac_buffer_copy
==959==ABORTING
Reproducer:
https://github.com/asarubbo/poc/blob/master/00261-libsndfile-invalidwrite-flac_buffer_copy
CVE:
CVE-2017-7741

#################

# sndfile-resample -to 24000 -c 1 $FILE out
==32533==ERROR: AddressSanitizer: SEGV on unknown address 0x000000004000 (pc 0x7f576a5e8512 bp 0x60e000000040 sp 0x7ffeab4e66d0 T0)
==32533==The signal is caused by a READ memory access.
    #0 0x7f576a5e8511 in flac_buffer_copy /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:263
    #1 0x7f576a5e9404 in flac_read_loop /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:884
    #2 0x7f576a5e9505 in flac_read_flac2f /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:949
    #3 0x7f576a5dda49 in sf_readf_float /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/sndfile.c:1870
    #4 0x5135c5 in sample_rate_convert /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:213:29
    #5 0x5135c5 in main /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:163
    #6 0x7f576971778f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419f88 in _init (/usr/bin/sndfile-resample+0x419f88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:263 in flac_buffer_copy
==32533==ABORTING
Reproducer:
https://github.com/asarubbo/poc/blob/master/00260-libsndfile-invalidread-flac_buffer_copy
CVE:
CVE-2017-7742

Affected version:
1.0.27

Fixed version:
1.0.28

Commit fix:
https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-04-11: bugs discovered and reported to upstream
2017-04-11: blog post about the issues
2017-04-12: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.



libsamplerate: global buffer overflow in calc_output_single (src_sinc.c)

Postby ago via agostino's blog »

Description:
libsamplerate is a Sample Rate Converter for audio.

This bug was initially discovered and silently fixed by the upstream author Erik de Castro Lopo (erikd). As usual I’m providing the stacktrace and the reproducer so that all release distros can test and patch their own version of the package.

# sndfile-resample -to 24000 -c 1 $FILE out
==13807==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f44bc709a3c at pc 0x7f44bc6b1d6b bp 0x7fffec8f5e20 sp 0x7fffec8f5e18
READ of size 4 at 0x7f44bc709a3c thread T0
    #0 0x7f44bc6b1d6a in calc_output_single /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/src/src_sinc.c:296:48
    #1 0x7f44bc6b1d6a in sinc_mono_vari_process /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/src/src_sinc.c:400
    #2 0x7f44bc6a3659 in src_process /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/src/samplerate.c:174:11
    #3 0x51369a in sample_rate_convert /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:221:16
    #4 0x51369a in main /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:163
    #5 0x7f44bb55278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x419f88 in _init (/usr/bin/sndfile-resample+0x419f88)

0x7f44bc709a3c is located 0 bytes to the right of global variable 'slow_mid_qual_coeffs' defined in '/tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/src/mid_qual_coeffs.h:37:3' (0x7f44bc6f3ba0) of size 89756
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/src/src_sinc.c:296:48 in calc_output_single
Shadow bytes around the buggy address:
  0x0fe9178d92f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9178d9300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9178d9310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9178d9320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe9178d9330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe9178d9340: 00 00 00 00 00 00 00[04]f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe9178d9350: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe9178d9360: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe9178d9370: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe9178d9380: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0fe9178d9390: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13807==ABORTING
Affected version:
1.0.8

Fixed version:
1.0.9

Commit fix:
N/A

Credit:
This bug was discovered by Erik de Castro Lopo and Agostino Sarubbo.

CVE:
CVE-2017-7697

Reproducer:
https://github.com/asarubbo/poc/blob/master/00262-libsamplerate-globaloverflow-calc_output_single

Timeline:
2017-04-11: bug discovered and reported to upstream
2017-04-11: blog post about the issue
2017-04-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
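Both this post and the libsndfile one above hand distros an ASan report and a reproducer and ask them to check their own builds. When AFL produces dozens of such crashes, the first job is to parse the reports and deduplicate them before filing anything. The script below is an added example, not code from agostino's blog or from the libsndfile/libsamplerate projects; it parses the ASan report format quoted in both posts and derives a deduplication key from the bug kind, the access type and the top function names. The sample reports are abbreviated copies of the ones quoted in the two posts.

```python
"""Parse and deduplicate AddressSanitizer reports from fuzzer crashes.

Added example, not code from agostino's blog or from the libsndfile and
libsamplerate projects. Handles the report format quoted in the two posts
above; the sample reports are abbreviated copies of those reports.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+)")
ADDRESS_RE = re.compile(r"\baddress (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE)\b")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (.+?)\s*$")
LOCATION_RE = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")   # file:line[:column]


@dataclass
class Frame:
    index: int
    function: str
    file: str
    line: Optional[int] = None      # None for frames without source info


@dataclass
class AsanReport:
    pid: int
    kind: str                       # "SEGV", "global-buffer-overflow", ...
    address: Optional[str]
    access: Optional[str] = None    # "READ" or "WRITE" once ASan states it
    frames: List[Frame] = field(default_factory=list)

    def top_frame(self):
        return self.frames[0] if self.frames else None

    def dedup_key(self, depth=3):
        """Bug kind + access type + top `depth` function names, hashed.

        Function names rather than line numbers group near-identical crashes;
        the access type keeps a read and a write at the same site apart, which
        matches the two separate CVEs the libsndfile post lists.
        """
        parts = [self.kind, self.access or "?"]
        parts += [frame.function for frame in self.frames[:depth]]
        return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def parse_asan_report(text):
    """Return an AsanReport for the first report in `text`, or None."""
    report = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = HEADER_RE.match(line)
        if header:
            addr = ADDRESS_RE.search(line)
            report = AsanReport(int(header.group(1)), header.group(2),
                                addr.group(1) if addr else None)
            continue
        if report is None:
            continue                # command line and other text before the header
        if report.access is None:   # "caused by a WRITE memory access" / "READ of size 4"
            access = ACCESS_RE.search(line)
            if access:
                report.access = access.group(1)
        frame = FRAME_RE.match(line)
        if frame:
            location = LOCATION_RE.match(frame.group(3))
            if location:
                report.frames.append(Frame(int(frame.group(1)), frame.group(2),
                                           location.group(1), int(location.group(2))))
            else:                   # e.g. "_init (/usr/bin/sndfile-resample+0x419f88)"
                report.frames.append(Frame(int(frame.group(1)), frame.group(2),
                                           frame.group(3)))
    return report


def group_by_key(reports):
    """Bucket parsed reports by dedup key: {key: [reports]}."""
    buckets = {}
    for report in reports:
        buckets.setdefault(report.dedup_key(), []).append(report)
    return buckets


# Abbreviated from the reports quoted in the two posts (top frames only).
LIBSNDFILE_WRITE = """\
# sndfile-resample -to 24000 -c 1 $FILE out
==959==ERROR: AddressSanitizer: SEGV on unknown address 0x0000013cc000 (pc 0x7fc1ba91251c bp 0x60e000000040 sp 0x7fff95597f70 T0)
==959==The signal is caused by a WRITE memory access.
    #0 0x7fc1ba91251b in flac_buffer_copy /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:264
    #1 0x7fc1ba913404 in flac_read_loop /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:884
"""
LIBSNDFILE_READ = """\
==32533==ERROR: AddressSanitizer: SEGV on unknown address 0x000000004000 (pc 0x7f576a5e8512 bp 0x60e000000040 sp 0x7ffeab4e66d0 T0)
==32533==The signal is caused by a READ memory access.
    #0 0x7f576a5e8511 in flac_buffer_copy /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:263
    #1 0x7f576a5e9404 in flac_read_loop /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:884
"""
LIBSAMPLERATE = """\
==13807==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f44bc709a3c at pc 0x7f44bc6b1d6b bp 0x7fffec8f5e20 sp 0x7fffec8f5e18
READ of size 4 at 0x7f44bc709a3c thread T0
    #0 0x7f44bc6b1d6a in calc_output_single /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/src/src_sinc.c:296:48
    #1 0x7f44bc6b1d6a in sinc_mono_vari_process /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/src/src_sinc.c:400
    #6 0x419f88 in _init (/usr/bin/sndfile-resample+0x419f88)
"""

if __name__ == "__main__":
    for key, reports in group_by_key(
            [parse_asan_report(t) for t in (LIBSNDFILE_WRITE, LIBSNDFILE_READ, LIBSAMPLERATE)]).items():
        top = reports[0].top_frame()
        print(key, reports[0].kind, reports[0].access, f"{top.function} {top.file}:{top.line}")
```

On the three sample reports this yields three buckets: the libsndfile read and write land at the same function but get distinct keys because the access type differs, which is exactly how upstream and MITRE treated them (two CVEs for one commit). Feed it the whole crash directory and the bucket count, not the crash count, is the number of reports worth opening.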



Data Driven Scaling Booking.com’s Infrastructure

Postby kris via The Isoblog. »

Brendan Bank: Data Driven Scaling Booking.com’s Infrastructure

Brendan Bank is CTO at Booking.com. In this talk he explains where Booking is coming from, how we work and where we are going.

We are hiring.

Wind Power in Texas, of all places

Postby kris via The Isoblog. »

Technology Review has an article about wind power in Texas.

With nearly 18,000 megawatts of capacity, Texas, if it were a country, would be the sixth-largest generator of wind power in the world, right behind Spain.

Texas profits from an electric power network built in 2007, whose purpose is to bring wind power generated in the desolate west and north parts of the state to the big cities in the south and east.

New York Noise

Postby kris via The Isoblog. »

Nautilus has an article about an anechoic chamber in New York at 20 dB, and how New York runs on noise:

Noise is the single greatest quality-of-life complaint New Yorkers have (we lodged 18,000 phone complaints with the Department of Environmental Protection last July alone). We all love to hate the noise. And yet sitting in silence, I do not feel as if I’ve found an escape from pain: I have simply traded it for a new variety. Shockingly, I realize I want to trade back.

At the same time, the New York Times reports on Doug Wheeler’s Desert Silence, a 10 dB anechoic chamber as an art project:

The sound engineers Doug is working with (Raj Patel and Joseph Digerness from the firm Arup) can identify things utterly imperceptible to us. They identified an electronic buzz from a panel on the eighth floor, a floor above us, coming through a concrete slab.


Brexit

Postby kris via The Isoblog. »

Washington Post on “Brexit and Britain’s delusions of empire”: The article goes through the former British colonies and checks how much they need the British and their trade to succeed. TL;DR: They don’t.

The Guardian on “Up to 100,000 UK jobs at risk as Merkel and Juncker ally warns on euro clearing”:

“EU citizens decide on their own money,” Weber said during a press conference in Strasbourg on Tuesday. “When the UK is leaving the European Union it is not thinkable that at the end the whole euro business is managed in London. This is an external place, this is not an EU place any more. The euro business should be managed on EU soil.” […]

Clearing houses are independent parties that sit between the two parties in a trade and are tasked with managing the risk if one side defaults on payment. London clears around three-quarters of all euro-denominated trades.

And the German Die Zeit has an article titled simply “Vergesst Großbritannien!” (“Forget Britain!”), an interview with Labour politician and EU Trade Commissioner Peter Mandelson.


IKEA without screws

Postby kris via The Isoblog. »

IKEA is experimenting with furniture that has wooden click fittings instead of screws.

»We believe that easy assembly will be important for IKEA and our customers. When we were kids, we built treehouses. Today, kids grow up with a phone in their hands. It doesn’t come as naturally to them to assemble furniture with a screwdriver.«


This week in vc4 (2017-04-10): dmabuf fencing, meson

Postby Eric Anholt via anholt's lj »

The big project for the last two weeks has been developing dmabuf fencing support for vc4.  Without dmabuf fences, when passing buffers between devices the user needs to manually wait for the job to finish on one (say, camera snapshot) before letting the other device get started (accumulating GL commands to texture from the camera snapshot).  That means leaving both devices idle for a moment while the CPU accumulates the command stream for the consumer, but the bigger pain is that it requires that the end user manage the synchronization.

With dma-buf fencing in the kernel, a "reservation object" generated by the dma-buf exporter tracks the fences of the various devices using the shared object, and then the device drivers get to look at that list and wait on each others' fences when using it.

So far, I've got my reservations and fences being exported from vc4, so that pl111 display can wait for vc4 to be done before actually putting a new pageflip up on the screen.  I haven't quite hooked up the other direction, for camera capture into vc4 display or GL texturing (I don't have a testcase for this, as the current camera driver doesn't expose dmabufs), but it shouldn't be hard.

On the meson front, rendercheck is now converted to meson upstream.  I've made more progress on the X Server:  Xorg is now building, and even successfully executes Xorg -pogo with the previous modesetting driver in place.  The new modesetting driver is failing mysteriously.  With a build hack I got from the meson folks and some work from ajax, the sdksyms script I complained about in my last post isn't used at all on the meson build.  And, best of all, the meson devs have written the code needed for us to not even need the build hack I'm using.

It's so nice to be using a build system that's an actual living software project.
Top

py3status v3.5

Postby ultrabug via Ultrabug »

Howdy folks,

I’m obviously slacking a bit on my blog and I’m ashamed to say that it’s not the only place where I do. py3status is another of them and it wouldn’t be the project it is today without @tobes.

In fact, this new 3.5 release has witnessed his takeover of the top contributor spot on the project, so I want to extend a warm thank you and lots of congratulations, my friend.

Also, an amazing new contributor from the USA has come around under the nickname @lasers. He has been doing a tremendous job on module normalization, code review and feedback. His high energy is amazing and more than welcome.

This release is mainly his, so thank you @lasers !

What’s new ?

Well, the changelog has never been so large that I don’t even know where to start. I guess the most noticeable change is the gorgeous and brand new documentation of py3status on readthedocs!

Apart from the enhanced guides and sections, what’s amazing behind this new documentation is the level of automation effort that @lasers and @tobes put into it. They even generate modules’ screenshots programmatically! I would never have thought it possible.



The other main effort in this release is modules normalization, where @lasers put so much energy into taking advantage of the formatter features and bringing all the modules to a new level of standardization. This long work brought to light some missing features and bugs, which got corrected along the way.

Last but not least, the way py3status notifies you when modules fail to load/execute got changed. Now modules which fail to load or execute will not pop up a notification (i3 nagbar or dbus) but display directly in the bar where they belong. Users can left click to show the error and right click to discard them from their bar !

New modules

Once again, new and recurring contributors helped the project get better and offer a cool set of modules, thank you contributors !

  • air_quality module, to display the air quality of your place, by @beetleman and @lasers
  • getjson module to display fields from a json url, by @vicyap
  • keyboard_locks module to display keyboard locks states, by @lasers
  • systemd module to check the status of a systemd unit, by @adrianlzt
  • tor_rate module to display the incoming and outgoing data rates of a Tor daemon instance, by @fmorgner
  • xscreensaver module, by @lasers and @neutronst4r
Special mention to @maximbaz for his continuous efforts and help. And also a special community mention to @valdur55 for his responsiveness and help for other users on IRC !

What’s next ?

The 3.6 version will focus on the following ideas, some sane and some crazy:

  • we will continue to work on the ability to add/remove/move modules in the bar at runtime
  • i3blocks and i3pystatus support, to embed their configurations and modules inside py3status
  • formatter optimizations
  • finish modules normalization
  • write more documentation and clean up the old ones
Stay tuned
Top

Alleged Spam King Pyotr Levashov Arrested

Postby BrianKrebs via Krebs on Security »

Authorities in Spain have arrested a Russian computer programmer thought to be one of the world’s most notorious spam kingpins.

Spanish police arrested Pyotr Levashov under an international warrant executed in the city of Barcelona, according to Reuters. Russian state-run television station RT (formerly Russia Today) reported that Levashov was arrested while vacationing in Spain with his family.

Spamdot.biz moderator Severa listing prices to rent his Waledac spam botnet.
According to numerous stories here at KrebsOnSecurity, Levashov was better known as “Severa,” the hacker moniker used by a pivotal figure in many Russian-language cybercrime forums. Severa was the moderator for the spam subsection of multiple online communities, and in this role served as the virtual linchpin connecting virus writers with huge spam networks — including some that Severa allegedly created and sold himself.

Levashov is currently listed as #7 in the world’s Top 10 Worst Spammers list maintained by anti-spam group Spamhaus. The U.S. Justice Department maintains that Severa was the Russian partner of Alan Ralsky, a convicted American spammer who specialized in “pump-and-dump” spam schemes designed to artificially inflate the value of penny stocks.

Levashov allegedly went by the aliases Peter Severa and Peter of the North (Pyotr is the Russian form of Peter). My reporting indicates that — in addition to spamming activities — Severa was responsible for running multiple criminal operations that paid virus writers and spammers to install “fake antivirus” software. So-called “fake AV” uses malware and/or programming tricks to bombard the victim with misleading alerts about security threats, hijacking the PC until its owner either pays for a license to the bogus security software or figures out how to remove the invasive program.

A screenshot of a fake antivirus or “scareware” affiliate program run by “Severa,” allegedly the cybercriminal alias of Pyotr Levashov.
There is ample evidence that Severa is the cybercriminal behind the Waledac spam botnet, a spam engine that for several years infected between 70,000 and 90,000 computers and was capable of sending approximately 1.5 billion spam messages a day.

In 2010, Microsoft launched a combined technical and legal sneak attack on the Waledac botnet, successfully dismantling it. The company would later do the same to the Kelihos botnet, a global spam machine which shared a great deal of computer code with Waledac.

The connection between Waledac/Kelihos and Severa is supported by data leaked in 2010 after hackers broke into the servers of pharmacy spam affiliate program SpamIt. According to the stolen SpamIt records, Severa — this time using the alias “Viktor Sergeevich Ivashov” — brought in revenues of $438,000 and earned commissions of $145,000 spamming rogue online pharmacy sites over a 3-year period.

Severa also was a moderator of Spamdot.biz (pictured in the first screenshot above), a vetted, members-only forum that at one time attracted almost daily visits from most of Russia’s top spammers. Leaked Spamdot forum posts for Severa indicate that he hails from Saint Petersburg, Russia’s second-largest city.

According to an exhaustive analysis published in my book — Spam Nation: The Inside Story of Organized Cybercrime — Severa likely made more money renting Waledac and other custom spam botnets to other spammers than blasting out junk email on his own. For $200, vetted users could hire one of his botnets to send 1 million pieces of spam. Junk email campaigns touting auction and employment scams cost $300 per million, and phishing emails designed to separate unwary email users from their usernames and passwords could be blasted out through Severa’s botnet for the bargain price of $500 per million.

The above-referenced Reuters story on Levashov’s arrest cited reporting from Russian news outlet RT which associated Levashov with hacking attacks linked to alleged interference in last year’s U.S. election. But subsequent updates from Reuters cast doubt on those claims.

“A U.S. Department of Justice official said it was a criminal matter without an apparent national security connection,” Reuters added in an update to an earlier version of its story.

The New York Times reports that Russian news media did not say if Levashov was suspected of being involved in that activity. However, The Times piece observes that the Kelihos botnet does have a historic association with election meddling, noting the botnet was used during the Russian election in 2012 to send political messages to email accounts on computers with Russian Internet addresses. According to The Times, those emails linked to fake news stories saying that Mikhail D. Prokhorov, a businessman who was running for president against Vladimir V. Putin, had come out as gay.
Top

Switched to Lineage OS

Postby Sven Vermeulen via Simplicity is a form of art... »

I have been a long time user of CyanogenMod, which discontinued its services at the end of 2016. Due to lack of (continuous) time, I was not able to switch over to a different ROM. Also, I wasn't sure if LineageOS would remain the best choice for me or not. I wanted to review other ROMs for my Samsung Galaxy SIII (the i9300 model) phone.

Today, I made my choice and installed LineageOS.

The requirements list

When looking for new ROMs to use, I had a number of requirements, some must-have, others should-have or would-have (using the MoSCoW method).

First of all, I want the ROM to be installable through ClockworkMod 6.4.0.something. This is a mandatory requirement, because I don't want to venture out into installing a different recovery (like TWRP). Not that I'm scared of it, but it might require me to install tools like Heimdall and update the SELinux policies on my system to allow it to run, with the additional risk that things still fail.

I tried updating the recovery in the past (a year or so ago) using the mobile application approaches (which require root access, which my phone had at the time), but it continuously said that it failed and that I had to revert to the more traditional way of flashing the recovery.

Given that I knew I needed to upgrade within a day (and had other things planned today), I didn't want to lose too much time upgrading the recovery first.

Second, the ROM had to allow OTA updates. With CyanogenMod, the OTA didn't fully work on my phone (it downloaded and verified the images correctly, but couldn't install it automatically - I had to reboot in recovery manually and install the ZIP), but it worked sufficiently for me to easily update the phone on a weekly basis. I wanted to keep this luxury, and who knows, move towards an end-to-end working OTA.

Furthermore, the ROM had to support Android 7.1. I want the latest Android to see how long this (nowadays aged) phone can handle things. Once the phone cannot get the latest Android anymore, I'll probably move towards a new phone. But as long as I don't have to, I'll put my money in other endeavours ;-)

Finally, the ROM must be in active development. One of the reasons I want the latest Android is also because I want to keep receiving the necessary security fixes. If a ROM doesn't actively follow the security patches and code, then it might become (too) vulnerable for comfort.

ROMs, ROMs everywhere (?)

First, I visited the Galaxy S3 discussion on the XDA-Developers site. This often contains enough material to find ROMs which have a somewhat active development base.

I was still positively surprised by the activity on this quite old phone (the i9300 was first released in May, 2012, making this phone almost 5 years old).

The Vanir mod seemed to imply that TWRP was required, but past articles on Vanir showed that CWM should also work. However, from the discussion I gathered that it is based on LineageOS. Not that that's bad, but it makes LineageOS the "preferred" ROM (default installed software list, larger upstream community, etc.).

The Resurrection Remix shows a very active discussion with good feedback from the developer(s). It is based on a number of other resources (including CyanogenMod), so it seems to borrow and implement various other features. Although I got the slight impression that it would be a bit more filled with applications I might not want, I kept it on the short-list.

SLIMROM is based on AOSP (the Android Open Source Project). It doesn't seem to support OTA though, and its release history is currently still premature. However, I will keep an eye on this one for future reference.

After a while, I started looking for ROMs based on AOSP, as the majority of ROMs shown are based on LineageOS (abbreviated to LOS). Apparently, for the Samsung S3, LineageOS seems to be one of the most popular sources (and ROMs).

So I put my attention to LineageOS:

So, why not?

Using LineageOS without root

While deciding whether to use LineageOS or go through with additional ROM seeking, I stumbled upon the installation instructions, which showed that the ROM can be installed without automatically enabling rooted Android access. I'm not sure if this was the case with CyanogenMod (I've been running a rooted CyanogenMod for too long to remember) but it opened a possibility for me...

Personally, I don't mind having a rooted phone, as long as it is the user who decides which applications can get root access and which can't. For me, the two applications that used root access were an open source ad blocker called AdAway and the Android shell (for troubleshooting purposes, such as killing the media server if it locked my camera).

But some applications seem to think that a rooted phone automatically means that the phone is open access and full of malware. It is hard to find any trustworthy, academic research on the actual security state of rooted versus non-rooted devices. I believe that proper application vetting (don't install applications that aren't popular and long-existing, check the application vendors, etc.) and keeping your phone up-to-date is much more important than not rooting.

And although these applications happily function on old, unpatched Android 4.x devices they refuse to function on my (rooted) Android 7.1 phone. So, the ability to install LineageOS without root (rooting actually requires flashing an additional package) is a nice thing as I can start with a non-rooted device first, and switch back to a rooted device if I need it later.

With that, I decided to flash my phone with the latest LineageOS nightly for my phone.

Switching password manager

I tend to use such ROM switches (or, in case of CyanogenMod, major version upgrades) as a time to revisit the mobile application list, and reduce it to what I really used the last few months.

One of the changes I did on my mobile application list is switch the password application. I used to use Remember Passwords but it hasn't seen updates for quite some time, and the backup import failed last time I migrated to a higher CyanogenMod version (possibly Android version related). Because I don't want to synchronize the passwords or see the application have any Internet oriented activity, I now use Keepass2Android Offline.

This is for passwords which I don't auto-generate using SuperGenPass, my favorite password manager. I don't use the bookmarklet approach myself, but download and run it separately when generating passwords - or use a SuperGenPass mobile application.

First impressions

It is too soon to say if it is fully functional or not. Most standard functionality works OK (phone, SMS, camera) but it is only after a few days that specific issues can come up.

Only the first boot was very slow (probably because it was optimizing the application list in the background); the second boot took well under half a minute. I didn't time it, but it's fast enough for me.
Top

The epic spam battle from SpamAssassin (10+ year user) to rspamd.

Postby Remko Lodder via Evilcoder.org ❄️ »

For many system administrators running public-facing mail servers, it is an ongoing battle: spam. Since there is money to be made, it will never go away, but we can try to mitigate it.

Introduction on my usage of anti-spam products:

For many moons I have used SpamAssassin in various forms: simply as a client that checks every email on delivery, as a daemon where multiple servers check against one instance, and as part of MailScanner where a single (replicated) database stored all bits and pieces, combined with local additional rules. This worked fine for years, but our external MX servers are not the most powerful machines in the world, and we need to be selective about what we load onto them. The ever-increasing spam battle makes sure that the demand for memory and processing power grows faster than the systems can continuously deliver: more rules, more anti-virus, more regular expressions, more downloading, parsing and re2c’ing of files, which gets harder for the systems every time the number of rules increases.

I already mentioned that this worked fine for years. I switched our MXes to MailScanner not too long ago, and I am happy with it, except that it puts additional load on the machines and only passes judgement on mails once they are already in. I contributed to MailScanner, and specifically to the MailWatch project, for things like LDAP authentication, where I found room for improvement. Even though I like the system very much, it is not how I want to prevent spam from coming in. It might be a good fit for you though: it offers a quarantine where users can selectively release emails and mark them as spam, and it can generate digest emails listing potentially missed emails with links to them. Some of our users were happy with that as well, and so was I.

Limitations of our handling of email:

But resources were becoming a problem. Yes, I can of course upgrade our external MXes and load them with more memory and CPU power, but that costs money. Money is hard earned in the hosting world, because there is plenty to choose from; even if we offer the best prices around, it still takes multiple additional customers to justify the higher bills (and that is not taking into account that profit would be nice for additional investments in the company, so that our users can get even better products).

So, given the saturated market, I was not going to spend additional money on our machines just yet. Another consideration is that I wanted to keep spam out of the machine in the first place, rejecting it at the border where possible so that I do not have to handle it afterwards (think of it as border patrol: it is easier to stop things coming in than to deal with them once they are in). I noticed that several mail servers were already doing that when we forward mail for our domains to, say, Gmail or other providers people are happy to use. Those servers either rate limit you or deny the emails outright before you are able to deliver them, leaving the problem with you instead of with the Gmail user. Magnificent.

But how does that work? For Postfix, which I use, it means using a milter, in this case rmilter, which hooks into the SMTP transaction, checks stored signatures, scans the content and verifies with Bayes and a neural network whether the message is OK or not. It then either rejects the message before processing it, greylists it when it seems spammy, or adds a header to the message and forwards it to its final destination. If we are the final destination, the header is taken into account and the message is automatically put in the Spam folder (for Gmail/Hotmail users this is the ‘unwanted email’ folder, or whatever it is called nowadays). I have put filters in place that learn your behaviour: if a message is put in the Spam folder but is not spam and you move it back to, for example, the INBOX, the system learns that it should not mark it as spam and tries to do better next time.

The product: rspamd

But what product delivers that? After talking with a member of the FreeBSD postmaster team, I found out about rspamd, whose author is a fellow FreeBSD committer as well. I implemented it (it took some time to climb the learning curve, but essentially it is rather easy; try it!). It has less load than the various SpamAssassin products and the additional applications that support them (like MailScanner and MailWatch), and it does not need a web server of its own. It reduced my continuous memory footprint by around 400 MB. That is a whole lot when you have MBs to spare instead of handing them out.

How does it globally work?

I configured rspamd to behave as follows:

  • Both our external MXes have a local Bayes classifier and various other local databases. I used the suggested three-database setup on each machine, and extended both machines to reach each other’s remote Redis database over stunnel. I changed every Redis line I could find in the configuration from servers = "localhost"; to servers = "localhost,localhost:26379"; (the second entry being the local stunnel endpoint that forwards to the other MX). I then restarted rspamd on both machines and noticed a lot going on: it seems that everything is written to and read from both machines. In the web interface you will sometimes get errors (not sure why) and the history is not always consistent, but it is for management purposes only, so not very problematic in this case. Both MXes check on their localhost, and also_check the remote machine over an internal private network that I have set up.
  • Our internal machines that handle delivery of the email use both MXes as rspamd instances, as configured in rmilter. They do not handle anything themselves, except for virus scanning (which is also done on the MXes; on the local machine it only runs for email not received from the MXes, such as outgoing email). That means less overhead for those machines, and the scanning only happens on the two machines we know are working. I also extended these machines to use the Redis databases on the MXes instead of local ones, configuring both of them, again over stunnel. rmilter uses the Redis databases to store the messages we have sent, so that it can match the replies and such. In future, if rspamd becomes capable of handling this by itself, rmilter will be taken out and only rspamd will run as described.
Learning spam/ham messages:

For now this seems to work very well. I have implemented a dovecot script that triggers when someone moves a message from the spam folder to the inbox (‘learn-ham.sh’) and from the inbox or other mailboxes to the spam folder (‘learn-spam.sh’).

The contents of the files look like the following, with learn_spam and learn_ham in the appropriate places of course.

#!/bin/sh
# Run by dovecot with the message on stdin when a user moves mail into the
# spam folder (learn-ham.sh is identical with learn_ham). Spool the message
# to a temporary file: $(cat) strips the message's trailing newlines.
set -eu
tmp=$(mktemp) || exit 1
trap 'rm -f "$tmp"' EXIT
cat > "$tmp"
# -P puts the controller password on the command line, where other local
# users can read it with ps; acceptable only on a single-purpose mail host.
/usr/local/bin/rspamc -h MX1 -P '<secret password for MX1>' learn_spam < "$tmp"
/usr/local/bin/rspamc -h MX2 -P '<secret password for MX2>' learn_spam < "$tmp"

Of course it takes additional understanding of how email works, how your environment works and what is acceptable or not. In the course of just a few days we processed more than 10k emails (yes, there are providers handling far more; everyone has their own perks ;-)), and we learned more than 60 emails in just a day after enabling users to do their own training.

One note:

A little note about rejecting spam: we only reject a message when it is really spammy and cannot easily be anything else. Most emails I have seen so far are forwarded with an additional header instead of being rejected, and the emails that are rejected are really spam. Users will never see them, which is good enough for my environment but might not be for yours. Please dry-run it first to see how it matches your environment.

References:

The script for learning spam under dovecot comes from: https://kaworu.ch/blog/2014/03/25/dovecot-antispam-with-rspamd/#comment-2436333602 user Alex.

The documentation I used for rspamd comes from http://www.rspamd.com itself.

The sieve filters that I use for dovecot are from Dovecot itself https://wiki2.dovecot.org/HowTo/AntispamWithSieve

Custom blacklisting of domains and such come from: https://gist.github.com/kvaps/25507a87dc287e6a620e1eec2d60ebc1

Top

And then I saw the Password in the Stack Trace

Postby Hanno Böck via Hanno's blog »

I want to tell a little story here. I am usually relatively savvy in IT security issues. Yet I was made aware of a quite severe mistake today that caused a security issue in my web page. I want to learn from mistakes, but maybe also others can learn something as well.

I have a private web page. Its primary purpose is to provide a list of links to articles I wrote elsewhere. It's probably not a high value target, but well, being an IT security person I wanted to get security right.

Of course the page uses TLS-encryption via HTTPS. It also uses HTTP Strict Transport Security (HSTS), TLS 1.2 with an AEAD and forward secrecy, has a CAA record and even HPKP (although I tend to tell people that they shouldn't use HPKP, because it's too easy to get wrong). Obviously it has an A+ rating on SSL Labs.

Surely I thought about Cross Site Scripting (XSS). While an XSS on the page wouldn't be very interesting – it doesn't have any kind of login or backend and doesn't use cookies – and is also quite unlikely – no user supplied input – I've done everything to prevent XSS. I set a strict Content Security Policy header and other security headers. I have an A-rating on securityheaders.io (no A+, because after several HPKP missteps I decided to use a short timeout).

I also thought about SQL injection. While an SQL injection would be quite unlikely – you remember, no user supplied input – I'm using prepared statements, so SQL injections should be practically impossible.

All in all I felt that I have a pretty secure web page. So what could possibly go wrong?

Well, this morning someone sent me this screenshot:


And before you ask: Yes, this was the real database password. (I changed it now.)

So what happened? The mysql server was down for a moment. It had crashed for reasons unrelated to this web page. I had already taken care of that and hadn't noticed the password leak. The crashed mysql server subsequently led to an error message by PDO (PDO stands for PHP Data Objects and is the modern way of doing database operations in PHP).

The PDO error message contains a stack trace of the function call including function parameters. And this led to the password leak: The password is passed to the PDO constructor as a parameter.

There are a few things to note here. First of all, for this to happen the PHP option display_errors needs to be enabled. It is recommended to disable this option on production systems, however it is enabled by default. (Interestingly enough, the PHP documentation about display_errors doesn't even tell you what the default is.)

display_errors wasn't enabled by accident. It was actually disabled in the past. I made a conscious decision to enable it. Back when we had display_errors disabled on the server I once tested a new PHP version where our custom config wasn't enabled yet. I noticed several bugs in PHP pages. So my rationale was that disabling display_errors hides bugs, thus I'd better enable it. In hindsight it was a bad idea. But well... hindsight is 20/20.

The second thing to note is that this only happens because PDO throws an exception that is unhandled. To be fair, the PDO documentation mentions this risk. Other kinds of PHP bugs don't show stack traces. If I had used mysqli – the second supported API to access MySQL databases in PHP – the error message would've looked like this:

PHP Warning: mysqli::__construct(): (HY000/1045): Access denied for user 'test'@'localhost' (using password: YES) in /home/[...]/mysqli.php on line 3

While this still leaks the username, it's much less dangerous. This is a subtlety that is far from obvious. PHP functions have different modes of error reporting. Object oriented functions – like PDO – throw exceptions. Unhandled exceptions will lead to stack traces. Other functions will just report error messages without stack traces.

If you wonder about the impact: It's probably minor. People could've seen the password, but I haven't noticed any changes in the database. I obviously changed it immediately after being notified. I'm pretty certain that there is no way that a database compromise could be used to execute code within the web page code. It's far too simple for that.

Of course there are a number of ways this could've been prevented, and I've implemented several of them. I'm now properly handling exceptions from PDO. I also set a general exception handler that will inform me (and not the web page visitor) if any other unhandled exceptions occur. And finally I've changed the server's default to display_errors being disabled.
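The leak and the fixes described above, as an added example that is not Hanno's code: a connection done the way that produced the screenshot, beside a hardened version that keeps the trace out of the response. DSN, user name and password are placeholders. (On PHP 7.4 and later, zend.exception_ignore_args=On, the php.ini-production default, drops argument values from traces, and PHP 8.2 marks the PDO constructor's password parameter with #[\SensitiveParameter]; neither existed when this post was written, and neither replaces handling the exception.)

```php
<?php
// Added example, not code from the original post. DSN, user and password
// are placeholders; the point is how the password reaches the page output.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=127.0.0.1;dbname=links;charset=utf8mb4';
const DB_USER = 'linksuser';
const DB_PASS = 'placeholder-not-a-real-secret';

// Vulnerable: what the original page did. With display_errors=On (PHP's
// built-in default), an uncaught PDOException is rendered to the visitor
// with a stack trace, and the trace prints each frame's arguments. PHP
// truncates string arguments to 15 characters, which is still enough for
// most passwords. The frame that leaks looks like:
//   #0 /var/www/index.php(12): PDO->__construct('mysql:host=127....', 'linksuser', 'placeholder-not...')
function connectVulnerable(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS);   // nothing catches the exception
}

// Hardened, in three layers.

// 1. Errors never go to the browser, regardless of php.ini; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 2. Last line of defence for anything that still escapes: log server-side,
//    show a generic page. Throwable::getTraceAsString() also contains the
//    argument values, so it belongs in the log, never in the response.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d%s%s',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()));
    http_response_code(500);
    echo 'Internal error';
});

// 3. Handle the failure where it happens. The PDOException message (e.g.
//    "SQLSTATE[HY000] [2002] Connection refused") does not contain the
//    password, but its trace does, so log the message and throw a fresh
//    exception from a frame that has no sensitive arguments. It is
//    deliberately not passed as $previous: for an uncaught exception PHP
//    prints the whole chain, traces included.
function connectHardened(): PDO
{
    try {
        return new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        error_log('database connection failed: ' . $e->getMessage());
        throw new RuntimeException('database unavailable');
    }
}

// Usage: $db = connectHardened(); then prepared statements as before.
```

To check the hardened version, stop the database and request the page: the visitor gets "Internal error" with a 500 status, and the connection failure (message only, no password) appears in the PHP error log. Doing the same with connectVulnerable() and display_errors left at its default reproduces the screenshot.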

While I don't want to shift too much blame here, I think PHP is making this far too easy to happen. There exists a bug report about the leaking of passwords in stack traces from 2014, but nothing happened. I think there are a variety of unfortunate decisions made by PHP. If display_errors is dangerous and discouraged for production systems then it shouldn't be enabled by default.

PHP could avoid sending stack traces by default and make this a separate option from display_errors. It could also introduce a way to make exceptions fatal for functions so that calling those functions is prevented outside of a try/catch block that handles them. (However that obviously would introduce compatibility problems with existing applications, as Craig Young pointed out to me.)

So finally maybe a couple of takeaways:
  • display_errors is far more dangerous than I was aware of.
  • Unhandled exceptions introduce unexpected risks that I wasn't aware of.
  • In the past I was recommending that people should use PDO with prepared statements if they use MySQL with PHP. I wonder if I should reconsider that, given the circumstances mysqli seems safer (it also supports prepared statements).
  • I'm not sure if there's a general takeaway, but at least for me it was quite surprising that I could have such a severe security failure in a project and code base where I thought I had everything covered.
Top

Gamestop.com Investigating Possible Breach

Postby BrianKrebs via Krebs on Security »

Video game giant GameStop Corp. [NYSE: GME] says it is investigating reports that hackers may have siphoned credit card and customer data from its website — gamestop.com. The company acknowledged the investigation after being contacted by KrebsOnSecurity.

“GameStop recently received notification from a third party that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website,” a company spokesman wrote in response to questions from this author.

“That day a leading security firm was engaged to investigate these claims. Gamestop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified,” the company’s statement continued.

Two sources in the financial industry told KrebsOnSecurity that they have received alerts from a credit card processor stating that Gamestop.com was likely compromised by intruders between mid-September 2016 and the first week of February 2017.

Those same sources said the compromised data is thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the back of credit cards.

Online merchants are not supposed to store CVV2 codes, but hackers can steal the codes by placing malicious software on a company’s e-commerce site, so that the data is copied and recorded by the intruders before it is encrypted and transmitted to be processed.

GameStop would not comment on the possible timeframe of the suspected breach, or say what types of customer data might be impacted.



Based in Grapevine, Texas, GameStop generated more than $8.6 billion in revenue in 2016, although it’s unclear how much of that came through the company’s Web site. GameStop operates more than 7,000 retail stores throughout the United States, Canada, Australia, New Zealand and Europe. There is currently no indication that the company’s retail store locations may have been affected.

According to Web site statistics firm Alexa.com, Gamestop.com is the 269th most popular Web site in the United States.

“We regret any concern this situation may cause for our customers,” GameStop said in its statement. “GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges. If you identify such a charge, report it immediately to the bank that issued the card because payment card network rules generally state that cardholders are not responsible for unauthorized charges that are timely reported.”

Self-Proclaimed ‘Nuclear Bot’ Author Weighs U.S. Job Offer

Postby BrianKrebs via Krebs on Security »

The author of a banking Trojan called Nuclear Bot — a teenager living in France — recently released the source code for his creation just months after the malware began showing up for sale in cybercrime forums. Now the young man’s father is trying to convince him not to act on a job offer in the United States, fearing it may be a trap set by law enforcement agents.

In December 2016, Arbor Networks released a writeup on Nuclear Bot (a.k.a. NukeBot) after researchers discovered the malware package for sale in the usual underground cybercrime forums for the price of USD $2,500.

The program’s author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites.

The administration panel for Nuclear Bot. Image: IBM X-Force.
Malware analysts at IBM’s X-Force research division also examined the code, primarily because the individual selling it claimed that Nuclear Bot could bypass Trusteer Rapport, an IBM security product that many banks offer customers to help blunt the effectiveness of banking trojans.

“These claims are unfounded and incorrect,” IBM’s researchers wrote. “Rapport detection and protection against the NukeBot malware are effective on all protection layers.”

But the malware’s original author — 18-year-old Augustin Inzirillo — begs to differ, saying he released the source code for the bot late last month in part because he wanted others to be able to test his claims.

In an interview with KrebsOnSecurity, Inzirillo admits he wrote the Nuclear Bot trojan as a proof-of-concept to demonstrate a method he developed that he says bypasses Rapport. But he denies ever selling or marketing the malware, and maintains that this was done without his permission by an acquaintance with whom he shared the code privately.

“I’ve been interested in malware since I [was] a child, and I wanted to have a challenge,” Inzirillo said. “I was excited about this, and having nobody to share this with, I distributed the code to ‘friends’ who tried to profit off my work.”

After the source code for Nuclear Bot was released on Github, IBM followed up with a more in-depth examination of it, which argued that the author of the code appeared to release it in a failed bid to shore up his fragile ego.

According to IBM, a hacker calling himself “Gosya” tried to sell the malware in such a clumsy and inexperienced fashion that he managed to get himself banned from multiple cybercrime forums for violating specific rules about how such products should be sold.

“He did not have the malware tested and certified by forum admins, nor did he provide any test versions to members,” IBM researchers Limor Kessem and Ilya Kolmanovich wrote. “At the same time, he was attacked by existing competition, namely the FlokiBot vendor, who wanted to get down to the technical nitty gritty with him and find out if Gosya’s claims about his malware’s capabilities were indeed viable.”

The IBM authors continued:

“In posts where he replied to challenging questions, Gosya got nervous and defensive, raising suspicion among other forum members. This was likely a simple case of inexperience, but it cost him the trust of potential buyers.”

“For his next wrong move, Gosya started selling on additional forums under multiple monikers. When fraudsters realized that the same person was trying to vend under different names, they got even more suspicious that he was a ripper, misrepresenting or selling a product he does not possess. The issue got worse when Gosya changed the malware’s name to Micro Banking Trojan in one last attempt to buy it a new life.”

Inzirillo said the main reason he released his code was to prevent others from profiting off his creation. But now he says he regrets that decision as well.

“It was a big mistake, because now I know people will reuse my code to steal money from other people,” Inzirillo told KrebsOnSecurity in an online chat. 

Inzirillo released the code on Github with a short note explaining his motivations, and included a contact email address at a domain (inzirillo.com) set up long ago by his father, Daniel Inzirillo.

KrebsOnSecurity also reached out to Augustin’s dad, and heard back from him roughly an hour before Augustin replied to requests for an interview. Inzirillo the elder said his son used the family domain name in his source code release as part of a misguided attempt to impress him.

“He didn’t do it for money,” said Daniel Inzirillo, whose CV shows he has built an impressive career in computer programming and working for various financial institutions. “He did it to spite all the cyber shitheads. The idea was that they wouldn’t be able to sell his software anymore because it was now free for grabs.”

Daniel Inzirillo said he’s worried because his son has expressed a strong interest in traveling to the United States after receiving a job offer from a supposed recruiter at a technology firm which said it was impressed by Augustin’s coding skills.

“I am very worried for him, because some technology company told him they wanted to fly him to the U.S. for a job interview as a result of him posting that online,” Daniel Inzirillo said. “There is a strong possibility that in one or two weeks he’s going to be flying to California, and I am concerned that maybe some guy in some law enforcement agency has his sights on him.”

Augustin’s dad said he had hoped his son might choose a different profession than his own.

“I didn’t want him to do software development, I always wanted him to do something else,” Daniel said. “He was introduced to programming by a math teacher at school. As soon as he learned about this it became a passion for him. But I was so pissed off about this. Even though I have been doing software all my life, I didn’t have a good opinion about this profession. I got a degree in software development as a kind of ‘Plan B,’ but I always felt there was something missing there, that it wasn’t intellectually satisfying.”

Nevertheless, Daniel said he is proud of his son’s intellectual abilities, noting that Augustin is completely self-taught in computer programming.

“I haven’t taught him anything, although sometimes he comes and he asks me some questions,” Daniel said. “He’s a self-made man. In terms of software security and hacking, nearly everything he knows he learned by himself.”

Daniel said that after he and his wife divorced in 2012, his son went from being the first or second best student in his class to dropping out of school. After that, computers became an obsession for Augustin, he said.

Daniel said his son is extremely opinionated but not very emotionally intelligent, and he believes Augustin has strong misgivings about his chosen path. By way of example, he related a story about an incident in which Augustin was recently arrested after an altercation at a local establishment.

“When he got arrested, for no reason, he blurted out everything he was doing on his computer,” Daniel recalled. “The policemen couldn’t believe he was telling them that for no reason. I realized at that moment that he just wanted to get out. He didn’t want to continue doing what he was doing.”

Daniel said he’s deeply concerned for his kid’s future, but also recognizes that his son won’t listen to his counsel.

“He respects me, he admires me, and he knows in terms of software development I’m very good, and he wants to become like me but on the other hand he doesn’t want to listen to me,” Daniel said. “If my vision of things is written about, that might help him. But I’m also worried now that he might feel I have hijacked his notoriety. This is his story, his way of surpassing me, and he might hate me for being here.”

Augustin said he wasn’t interested in discussing his father or his family life, but he did confirm (without elaborating) that he recently was offered a job in the United States. He remains somewhat ambivalent about the opportunity, but indicated he is leaning toward accepting it.

“Well, I don’t think it’s fair that I would feel bad about getting a job because of this code, I just feel bad about having released the code,” he said. “If people want to offer me something interesting as a result, I don’t think it makes sense me saying no.”

Compiling sdcc for FreeBSD

Postby Warner Losh via Warner's Random Hacking Blog »

In preparation for a possible new project, I needed to build sdcc, a compiler that targets a bunch of 8-bit architectures. You can find information about sdcc at their sourceforge page: http://sdcc.sourceforge.net/

Usually, this is just a port away. But due to looking at the wrong tree, I thought I had to compile it myself. The port and package are great, and are what people should normally be using, but the problems showed the need to use a trick or three to get the job done. I thought I'd document them here, since they are minimal and easy to write up.

FreeBSD's compiler doesn't default to having /usr/local/include in its include path, or /usr/local/lib in its library path. Normally, one would try to get around this by just adding --prefix /usr/local to the configure command. However, that doesn't work for the sdcc stuff (since it is already the default). You have to explicitly add more things to the command line. After some digging, it turns out it's only a few variables to worry about:


./configure CC=clang CXX=clang++ CPPFLAGS="-I/usr/local/include -L/usr/local/lib" CFLAGS="-I/usr/local/include -L/usr/local/lib"

The key ones here are CPPFLAGS and CFLAGS.

With that, I have a built sdcc. But it's a pain to install. The port / package is much easier for that reason alone.

binutils: two NULL pointer dereference in elflink.c

Postby ago via agostino's blog »

Description:
binutils are a collection of binary tools necessary to build programs.

An updated clang version was able to discover two NULL pointer dereferences in the following simple way:

# echo "int main () { return 0; }" > test.c
# cc test.c -o test
/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/bfd/elflink.c:124:12: runtime error: member access within null pointer of type 'struct elf_link_hash_entry'
/tmp/portage/sys-devel/binutils-2.28/work/binutils-2.28/bfd/elflink.c:11979:58: runtime error: member access within null pointer of type 'elf_section_list' (aka 'struct elf_section_list')
Affected version:
2.28

Fixed version:
N/A

Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7614

Timeline:
2017-04-01: bug discovered and reported to upstream
2017-04-04: upstream released a patch
2017-04-05: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with clang’s Undefined Behavior Sanitizer.

Permalink:

binutils: two NULL pointer dereference in elflink.c


Network attacks on MySQL, Part 5: Attack on SHA256 based passwords

Postby Daniël van Eeden via Daniël's Database Blog »

The sha256_password plugin doesn't use the nonce (challenge-response) system that mysql_native_password uses, but instead forces the use of RSA or SSL.

This is how that works:

  1. The client connects
  2. The server changes authentication to sha256 password (or default?)
  3. The server sends the RSA public key.
  4. The client encrypts the password with the RSA public key and sends it to the server.
  5. The server decrypts the password with the private key and validates it.
The problem is that the client trusts whatever public key the server hands it. It is possible to use --server-public-key-path=file_name, but then you need to take care of secure public key distribution yourself.

So if we put a proxy between the client and the server and have the proxy send its own public key, the proxy can decrypt the password, re-encrypt it with the real public key and send it on to the server. Also, what comes out of the decryption is the password itself, not a hash. So we then know the real password.

And if SSL is used, the RSA encryption isn't done at all... but this can be a connection with an invalid certificate. Anything works, as long as the connection is SSL.
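As an added example (not MySQL's own code), this simulates the RSA exchange described above with and without a pinned server public key, which is the check --server-public-key-path gives you. The RSA is a toy textbook version with tiny primes and one ciphertext per password byte (an assumption for readability; the real client uses a properly padded key), but the trust decision it shows is the same one the post is about.

```python
"""Simulation of the sha256_password RSA exchange: a client, the real
server, and an in-path proxy that answers the key request with its own
key.  Added example, not MySQL code; toy RSA, demo only."""
import hashlib


def make_rsa_key(p, q, e=17):
    """Toy RSA key pair from two small primes (not for real use)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def encrypt_password(pub, password: bytes):
    n, e = pub
    return [pow(b, e, n) for b in password]    # one RSA block per byte (toy)


def decrypt_password(priv, blocks):
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)


def fingerprint(pub):
    """What a pinned key file boils down to: a digest the client can compare."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


class Server:
    """The real server: owns the private key and the stored password."""

    def __init__(self, password: bytes):
        self.pub, self.priv = make_rsa_key(61, 53)   # n = 3233 > 255
        self.password = password

    def public_key(self):
        return self.pub

    def authenticate(self, blocks):
        return decrypt_password(self.priv, blocks) == self.password


class Proxy:
    """The proxy from the post: hands the client its own key, decrypts what
    the client sends, and re-encrypts it for the real server."""

    def __init__(self, server: Server):
        self.server = server
        self.pub, self.priv = make_rsa_key(67, 71)   # n = 4757
        self.captured = None                          # cleartext it learned

    def public_key(self):
        return self.pub

    def authenticate(self, blocks):
        self.captured = decrypt_password(self.priv, blocks)
        return self.server.authenticate(
            encrypt_password(self.server.public_key(), self.captured))


def client_login(endpoint, password: bytes, pinned_fingerprint=None):
    """Client side of the exchange.  Returns (authenticated, reason).
    With pinned_fingerprint set, a key that does not match the pinned one
    is refused before the password is ever encrypted with it."""
    pub = endpoint.public_key()
    if pinned_fingerprint is not None and fingerprint(pub) != pinned_fingerprint:
        return False, "server public key mismatch; refusing to send password"
    return endpoint.authenticate(encrypt_password(pub, password)), "ok"


if __name__ == "__main__":
    server = Server(b"s3cret")
    pinned = fingerprint(server.public_key())
    proxy = Proxy(server)
    print("no pinning, via proxy:", client_login(proxy, b"s3cret"),
          "captured:", proxy.captured)
    proxy = Proxy(server)
    print("pinned key, via proxy:", client_login(proxy, b"s3cret", pinned),
          "captured:", proxy.captured)
```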

Dual-Use Software Criminal Case Not So Novel

Postby BrianKrebs via Krebs on Security »

“He built a piece of software. That tool was pirated and abused by hackers. Now the feds want him to pay for the computer crooks’ crimes.”

The above snippet is the subhead of a story published last month by The Daily Beast titled, “FBI Arrests Hacker Who Hacked No One.” The subject of that piece — a 26-year-old American named Taylor Huddleston — faces felony hacking charges connected to two computer programs he authored and sold: An anti-piracy product called Net Seal, and a Remote Administration Tool (RAT) called NanoCore that he says was a benign program designed to help users remotely administer their computers.

Photo illustration by Lyne Lucien/The Daily Beast
The author of the Daily Beast story, former black hat hacker and Wired.com editor Kevin Poulsen, argues that Huddleston’s case raises a novel question: When is a programmer criminally responsible for the actions of his users?

“Some experts say [the case] could have far reaching implications for developers, particularly those working on new technologies that criminals might adopt in unforeseeable ways,” Poulsen wrote.

But a closer look at the government’s side of the story — as well as public postings left behind by the accused and his alleged accomplices — paints a more complex and nuanced picture that suggests this may not be the case to raise that specific legal question in any meaningful way.

Mark Rumold, senior staff attorney at the Electronic Frontier Foundation (EFF), said cases like these are not so cut-and-dry because they hinge on intent, and determining who knew what and when.

“I don’t read the government’s complaint as making the case that selling some type of RAT is illegal, and if that were the case I think we would be very interested in this,” Rumold said. “Whether or not [the government’s] claims are valid is going to be extraordinarily fact-specific, but unfortunately there is not a precise set of facts that would push this case from being about the valid reselling of a tool that no one questions can be done legally to crossing that threshold of engaging in a criminal conspiracy.”

Citing group chat logs and other evidence that hasn’t yet been made public, U.S. prosecutors say Huddleston intended NanoCore to function more like a Remote Access Trojan used to remotely control compromised PCs, and they’ve indicted Huddleston on criminal charges of conspiracy as well as aiding and abetting computer intrusions.

Poulsen depicts Huddleston as an ambitious — if extremely naive — programmer struggling to make an honest living selling what is essentially a dual-use software product. Using the nickname “Aeonhack,” Huddleston marketed his NanoCore RAT on Hackforums[dot]net, an English-language hacking forum that is overrun with young, impressionable but otherwise low-skilled hackers who are constantly looking for point-and-click tools and services that can help them demonstrate their supposed hacking prowess.

Yet we’re told that Huddleston was positively shocked to discover that many buyers on the forum were using his tools in a less-than-legal manner, and that in response he chastised and even penalized customers who did so. By way of example, Poulsen writes that Huddleston routinely used his Net Seal program to revoke the software licenses for customers who boasted online about using his NanoCore RAT illegally.

We later learn that — despite Net Seal’s copy protection abilities — denizens of Hackforums were able to pirate copies of NanoCore and spread it far and wide in malware and phishing campaigns. Eventually, Huddleston said he grew weary of all the drama and sold both programs to another Hackforums member, using the $60,000 or so in proceeds to move out of the rusty trailer he and his girlfriend shared and buy a house in a low-income corner of Hot Springs, Arkansas.

From the story:



“Now even Huddleston’s modest home is in jeopardy,” Poulsen writes. “As part of their case, prosecutors are seeking forfeiture of any property derived from the proceeds of NanoCore, as well as from Huddleston’s anti piracy system, which is also featured in the indictment. ‘Net Seal licensing software is licensing software for cybercriminals,’ the indictment declares.

“For this surprising charge—remember, Huddleston used the licenses to fight crooks and pirates—the government leans on the conviction of a Virginia college student named Zachary Shames, who pleaded guilty in January to selling hackers a keystroke logging program called Limitless. Unlike Huddleston, Shames embraced malicious use of his code. And he used Net Seal to protect and distribute it.

“Huddleston admits an acquaintanceship with Shames, who was known on HackForums as ‘Mephobia,’ but bristles at the accusation that Net Seal was built for crime. ‘Net Seal is literally the exact opposite of aiding and abetting’ criminals, he says. ‘It logs their IP addresses, it blocks their access to the software, it stops them from sharing it with other cyber criminals. I mean, every aspect of it fundamentally prevents cybercrime. For them to say that [crime] is its intention is just ridiculous.’”

Poulsen does note that Shames pleaded guilty in January to selling his Limitless keystroke logging program, which relied on Huddleston’s Net Seal program for distribution and copy protection.

Otherwise, The Daily Beast story seems to breeze over the relationship between Huddleston and Shames as almost incidental. But according to the government it is at the crux of the case, and a review of the indictment against Huddleston suggests the two’s fortunes were intimately intertwined.

From the government’s indictment:

“During the course of the conspiracy, Huddleston received over 25,000 payments via PayPal from Net Seal customers. As part of the conspiracy, Huddleston provided Shames with access to his Net Seal licensing software in order to assist Shames in the distribution of his Limitless keylogger. In exchange, Shames made at least one thousand payments via PayPal to Huddleston.”

“As part of the conspiracy, Huddleston and Shames distributed the Limitless keylogger to over 3,000 people who used it to access over 16,000 computers without authorization with the goal and frequently with the result of stealing sensitive information from those computers. As part of the conspiracy, Huddleston provided Net Seal to several other co-conspirators to assist in the profitable distribution of the malicious software they developed, including prolific malware that has repeatedly been used to conduct unlawful and unauthorized computer intrusions.”

A screen shot of Zach “Mephobia” Shames on Hackforums discussing the relationship between his Limitless keylogger and Huddleston’s (Aeonhack) Net Seal anti-piracy and payment platform.
Allison Nixon, director of security research for New York City-based security firm Flashpoint, observed that in the context of Hackforums, payment processing through Paypal is a significant problem for forum members trying to sell dual-use software and services on the forum.

“Most of their potential customer base uses PayPal, but their vendor accounts keep getting suspended for being associated with crime, so people who can successfully get payments through are prized,” Nixon said. “Net Seal can revoke access to a program that uses it, but it is a payment processing and digital rights management (DRM) system. Huddleston can claim the DRM is to prevent cybercrime, but realistically speaking the DRM is part of the payment system — to prevent people from pirating the software or initiating a Paypal chargeback. Just because he says that he blocked someone’s license due to an admission of crime does not mean that was the original purpose of the software.”

Nixon, a researcher who has spent countless hours profiling hackers and activities on Hackforums, said selling the NanoCore RAT on Hackforums and simultaneously scolding people for using it to illegally spy on people “could at best be seen as the actions of the most naive software developer on the Earth.”

“In the greater context of his role as the money man for Limitless Keylogger, it does raise questions about how sincere his anti-cybercrime stance really is,” Nixon said. “Considering that he bought a house from this, he has a significant financial incentive to play ignorant while simultaneously operating a business that can’t make nearly as much money if it was operated on a forum that wasn’t infested with criminals.”

Huddleston makes the case in Poulsen’s story that there’s a corporate-friendly double standard at work in the government’s charges, noting that malicious hackers have used commercial remote administration tools like TeamViewer and VNC for years, but the FBI doesn’t show up at their corporate headquarters with guns drawn.

But Nixon notes that RATs sold on Hackforums are extremely dangerous for the average person to use on his personal computer, because there have been past cases in which RAT authors diverted infected machines to their own botnet.

Case in point: The author of the Blackshades Trojan — once a wildly popular RAT sold principally on Hackforums before its author and hundreds of its paying customers were arrested in a global law enforcement sweep — wasn’t content to simply rake in money from the sale of each Blackshades license: He also included a backdoor that let him secretly commandeer machines running the software.

A Hackforums user details how the Blackshades RAT included a backdoor that let the RAT’s original author secretly access systems infected with the RAT.
“If a person is using RAT software on their personal machine that they purchased from Hackforums, they are taking this risk,” Nixon said. “Programs like VNC and Teamviewer are much safer for legitimate use, because they are actual companies, not programs produced by teenagers in a criminogenic environment.”

All of this may be moot if the government can’t win its case against Huddleston. The EFF’s Rumold said while prosecutors may have leverage in Shames’s conviction, the government probably doesn’t want to take the case to trial.

“My guess is if they want a conviction, they’re going to have to go to trial or offer him some type of very favorable plea,” Rumold said. “Just the fact that Huddleston was able to tell his story in a way that makes him come off as a very sympathetic character sounds like the government may have a difficult time prosecuting him.”

A copy of the indictment against Huddleston is available here (PDF).

If you enjoyed this story, take a look at a related piece published here last year about a different RAT proprietor selling his product on Hackforums who similarly claimed the software was just a security tool designed for system administrators, despite features of the program and related services that strongly suggested otherwise.

elfutils: memory allocation failure in xcalloc (xmalloc.c)

Postby ago via agostino's blog »

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

A fuzz on eu-elflint showed a memory allocation failure.

The interesting ASan output:

# eu-elflint -d $FILE
==5053==AddressSanitizer CHECK failed: /tmp/portage/sys-devel/gcc-6.3.0/work/gcc-6.3.0/libsanitizer/sanitizer_common/sanitizer_common.cc:180 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x7faa2335941d  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xcb41d)
    #1 0x7faa2335f063 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xd1063)
    #2 0x7faa2335f24d  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xd124d)
    #3 0x7faa23368c52  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xdac52)
    #4 0x7faa232ba0b9  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x2c0b9)
    #5 0x7faa232b249b  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x2449b)
    #6 0x7faa2335040a in calloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc240a)
    #7 0x431b8d in xcalloc /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/lib/xmalloc.c:64
    #8 0x41f0bb in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3680
    #9 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #10 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #11 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #12 0x7faa21c6378f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #13 0x403498 in _start (/usr/bin/eu-elflint+0x403498)
Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00133.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7613

Reproducer:
https://github.com/asarubbo/poc/blob/master/00236-elfutils-memallocfailure

Timeline:
2017-03-27: bug discovered and reported to upstream
2017-04-04: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

elfutils: memory allocation failure in xcalloc (xmalloc.c)


elfutils: heap-based buffer overflow in check_sysv_hash (elflint.c)

Postby ago via agostino's blog »

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

A fuzz on eu-elflint showed a heap overflow.

The complete ASan output:

# eu-elflint -d $FILE
==14428==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00000aff4 at pc 0x00000040b36b bp 0x7ffe1e25ef20 sp 0x7ffe1e25ef18
READ of size 4 at 0x60b00000aff4 thread T0
    #0 0x40b36a in check_sysv_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2020
    #1 0x40b36a in check_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2315
    #2 0x422e73 in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4118
    #3 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #4 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #5 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #6 0x7f7a318a878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #7 0x403498 in _start (/usr/bin/eu-elflint+0x403498)

0x60b00000aff7 is located 0 bytes to the right of 103-byte region [0x60b00000af90,0x60b00000aff7)
allocated by thread T0 here:
    #0 0x7f7a32f95288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7f7a32bf1b46 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7f7a32bf1b46 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7f7a32bf2662 in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7f7a32bf2776 in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x7f7a32c1e035 in elf32_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf32_getchdr.c:72
    #6 0x7f7a32c1e55c in gelf_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/gelf_getchdr.c:52
    #7 0x420edf in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3911
    #8 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #9 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #10 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #11 0x7f7a318a878f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2020 in check_sysv_hash
Shadow bytes around the buggy address:
  0x0c167fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c167fff95f0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00[07]fa
  0x0c167fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14428==ABORTING
Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00131.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7612

Reproducer:
https://github.com/asarubbo/poc/blob/master/00235-elfutils-heapoverflow-check_sysv_hash

Timeline:
2017-03-27: bug discovered and reported to upstream
2017-04-04: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

elfutils: heap-based buffer overflow in check_sysv_hash (elflint.c)
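As an added example (not elfutils code and not the upstream fix), here is a bounds-checked walker for the SysV hash table layout that check_sysv_hash inspects. The sample inputs are constructed; the truncated-header shape of sample A is an assumption about what a 4-byte read just past a 103-byte region looks like, not something taken from the reproducer.

```c
/* Added example, not elfutils code: bounds checks for the SysV hash
 * table (SHT_HASH / DT_HASH): uint32 nbucket, uint32 nchain, then
 * nbucket bucket words and nchain chain words.  Words are read in host
 * byte order here (elflint gets them converted by elf_getdata()). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

static uint32_t rd32(const uint8_t *d, size_t word)
{
    uint32_t v;
    memcpy(&v, d + word * 4, sizeof v);        /* alignment-safe word read */
    return v;
}

/* 1 if every word the header promises lies inside `size` bytes, else 0.
 * The word count is computed in 64 bits so huge counts cannot wrap. */
int sysv_hash_fits(const uint8_t *data, size_t size)
{
    if (size < 8)
        return 0;
    uint64_t words = (uint64_t)rd32(data, 0) + rd32(data, 1) + 2;
    return words <= (uint64_t)size / 4;
}

/* Symbols reachable from bucket b, or -1 for a malformed table: header
 * does not fit, bucket out of range, chain index >= nchain, or a cycle
 * (more steps than there are chain entries). */
long sysv_hash_bucket_len(const uint8_t *data, size_t size, uint32_t b)
{
    if (!sysv_hash_fits(data, size))
        return -1;
    uint32_t nbucket = rd32(data, 0), nchain = rd32(data, 1);
    if (b >= nbucket)
        return -1;
    size_t chain_off = 2 + (size_t)nbucket;    /* chain[] follows bucket[] */
    uint32_t sym = rd32(data, 2 + b);
    long len = 0;
    while (sym != 0) {                         /* STN_UNDEF ends the chain */
        if (sym >= nchain || ++len > (long)nchain)
            return -1;
        sym = rd32(data, chain_off + sym);     /* in bounds: fits() checked */
    }
    return len;
}

/* Constructed sample A (assumed trigger shape): 103 bytes whose header
 * claims 20 buckets and 20 chain entries, i.e. 168 bytes of words. */
int sample_truncated_fits(void)
{
    uint8_t buf[103] = {0};
    uint32_t hdr[2] = {20, 20};
    memcpy(buf, hdr, sizeof hdr);
    return sysv_hash_fits(buf, sizeof buf);    /* 0: rejected up front */
}

/* Constructed sample B: well-formed table, 2 buckets, 3 chain entries. */
long sample_wellformed_len(uint32_t b)
{
    uint32_t w[] = {2, 3, 1, 2, 0, 0, 1};
    uint8_t buf[sizeof w];
    memcpy(buf, w, sizeof w);
    return sysv_hash_bucket_len(buf, sizeof buf, b);  /* bucket 0: 1, bucket 1: 2 */
}

/* Constructed sample C: same size, but chain[1] and chain[2] point at
 * each other, so a walker without a step limit never terminates. */
long sample_cyclic_len(void)
{
    uint32_t w[] = {2, 3, 1, 2, 0, 2, 1};
    uint8_t buf[sizeof w];
    memcpy(buf, w, sizeof w);
    return sysv_hash_bucket_len(buf, sizeof buf, 0);  /* -1 */
}

int main(void)
{
    printf("truncated fits: %d\n", sample_truncated_fits());
    printf("bucket 0 len: %ld, bucket 1 len: %ld\n",
           sample_wellformed_len(0), sample_wellformed_len(1));
    printf("cyclic len: %ld\n", sample_cyclic_len());
    return 0;
}
```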


elfutils: heap-based buffer overflow in check_symtab_shndx (elflint.c)

Postby ago via agostino's blog »

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

A fuzz on eu-elflint showed a heap overflow.

The complete ASan output:

# eu-elflint -d $FILE
==14342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x0000004267ec bp 0x7ffdf36a7ad0 sp 0x7ffdf36a7ac8
READ of size 4 at 0x60200000efd0 thread T0
    #0 0x4267eb in check_symtab_shndx /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:1961
    #1 0x4267eb in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4114
    #2 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #3 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #4 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #5 0x7f625ef4678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x403498 in _start (/usr/bin/eu-elflint+0x403498)

0x60200000efd2 is located 0 bytes to the right of 2-byte region [0x60200000efd0,0x60200000efd2)
allocated by thread T0 here:
    #0 0x7f6260633288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7f626028fb46 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7f626028fb46 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7f6260290662 in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7f6260290776 in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x7f62602bc035 in elf32_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf32_getchdr.c:72
    #6 0x7f62602bc55c in gelf_getchdr /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/gelf_getchdr.c:52
    #7 0x420edf in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3911
    #8 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #9 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #10 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #11 0x7f625ef4678f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:1961 in check_symtab_shndx
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa[02]fa fa fa 00 01
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14342==ABORTING
Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00129.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7611

Reproducer:
https://github.com/asarubbo/poc/blob/master/00234-elfutils-heapoverflow-check_symtab_shndx

Timeline:
2017-03-27: bug discovered and reported to upstream
2017-04-04: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


elfutils: heap-based buffer overflow in check_group (elflint.c)

Postby ago via agostino's blog »

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

A fuzz on eu-elflint showed a heap overflow.

The complete ASan output:

# eu-elflint -d $FILE
==12804==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x00000041a39f bp 0x7ffee6a331d0 sp 0x7ffee6a331c8
READ of size 4 at 0x60200000efd0 thread T0
    #0 0x41a39e in check_group /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2664
    #1 0x420787 in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4132
    #2 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #3 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #4 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #5 0x7ff00282678f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #6 0x403498 in _start (/usr/bin/eu-elflint+0x403498)

0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
    #0 0x7ff003f13288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7ff003b6fb46 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7ff003b6fb46 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7ff003b70662 in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7ff003b70776 in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x420935 in check_scn_group /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:544
    #6 0x420935 in check_sections /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:3940
    #7 0x42961f in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:4697
    #8 0x42961f in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:242
    #9 0x402d33 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:175
    #10 0x7ff00282678f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/elflint.c:2664 in check_group
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa 04 fa fa fa[01]fa fa fa 00 01
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12804==ABORTING
Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00137.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7610

Reproducer:
https://github.com/asarubbo/poc/blob/master/00247-elfutils-heapoverflow-check_group

Timeline:
2017-03-28: bug discovered and reported to upstream
2017-04-04: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


elfutils: memory allocation failure in __libelf_decompress (elf_compress.c)

Postby ago via agostino's blog »

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

A fuzz on eu-readelf showed a memory allocation failure. Feedback from upstream follows:

That is slightly tricky. We do have to trust the input data to give us the expected output size. We won’t know if that was correct until we have decompressed the input. We do actually double check the given output size was correct at the end of the decompression. But we could catch some really bogus sizes before trying to allocate a giant amount of memory and decompressing stuff for nothing (like in this case).
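
As an added example, not elfutils code, here is the two-stage check upstream describes: a plausibility test on the claimed output size before anything is allocated, and an exact-size check after decompression. A toy run-length format stands in for zlib, so the expansion bound (at most 255 output bytes per 2-byte pair) and the 1 GiB per-section cap are assumptions of this example rather than elfutils' own limits; the header value 0x280065041580 in the first demo is the size the ASan log below shows the real allocator failing on.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The toy format: pairs of <run length, byte>.  One 2-byte pair expands
 * to at most 255 bytes, so that is the largest honest expansion per pair. */
#define RLE_MAX_RUN 255u

/* Absolute ceiling for one section, whatever the header claims (assumed). */
#define SECTION_SIZE_CAP (1ull << 30)

enum dec_status { DEC_OK, DEC_BOGUS_SIZE, DEC_NOMEM, DEC_CORRUPT, DEC_SIZE_MISMATCH };

/* Pre-allocation check: can in_len bytes of input honestly produce
 * 'claimed' bytes?  Division keeps the arithmetic from overflowing. */
int plausible_output_size(uint64_t claimed, size_t in_len)
{
    if (claimed == 0 || claimed > SECTION_SIZE_CAP)
        return 0;
    return (claimed + RLE_MAX_RUN - 1) / RLE_MAX_RUN <= in_len / 2;
}

/* Decompress; on DEC_OK the caller owns *out.  The claimed size is checked
 * before malloc (plausibility) and again after decoding (exact match). */
int rle_decompress(const uint8_t *in, size_t in_len, uint64_t claimed,
                   uint8_t **out, size_t *out_len)
{
    uint8_t *buf;
    size_t i, produced = 0;

    if (!plausible_output_size(claimed, in_len))
        return DEC_BOGUS_SIZE;             /* rejected before any allocation */
    if (in_len % 2 != 0)
        return DEC_CORRUPT;
    buf = malloc((size_t)claimed);
    if (buf == NULL)
        return DEC_NOMEM;
    for (i = 0; i < in_len; i += 2) {
        size_t run = in[i];
        if (run > claimed - produced) {    /* header claimed too little */
            free(buf);
            return DEC_SIZE_MISMATCH;
        }
        memset(buf + produced, in[i + 1], run);
        produced += run;
    }
    if (produced != claimed) {             /* header claimed too much */
        free(buf);
        return DEC_SIZE_MISMATCH;
    }
    *out = buf;
    *out_len = produced;
    return DEC_OK;
}

/* Constructed input for the demos below: decodes to "aaabb". */
static const uint8_t SAMPLE[] = { 3, 'a', 2, 'b' };

/* A 64-byte input whose header claims the 0x280065041580 bytes seen in the
 * ASan log: rejected before malloc is ever called. */
int demo_bogus_claim(void)
{
    uint8_t junk[64];
    uint8_t *out;
    size_t n;

    memset(junk, 1, sizeof junk);
    return rle_decompress(junk, sizeof junk, 0x280065041580ull, &out, &n);
}

/* Honest header: returns 1 when the output is exactly "aaabb". */
int demo_honest_claim(void)
{
    uint8_t *out;
    size_t n;
    int ok = 0;

    if (rle_decompress(SAMPLE, sizeof SAMPLE, 5, &out, &n) == DEC_OK) {
        ok = n == 5 && memcmp(out, "aaabb", 5) == 0;
        free(out);
    }
    return ok;
}

/* Plausible but wrong header (claims 6 bytes): caught after decoding. */
int demo_overclaim(void)
{
    uint8_t *out;
    size_t n;

    return rle_decompress(SAMPLE, sizeof SAMPLE, 6, &out, &n);
}
```

The first stage cannot tell an honest header from a slightly inflated one, which is why the second stage is still required; what it does buy is that a header asking for terabytes is refused before the allocator is involved at all.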

The complete ASan output:

# eu-readelf -a $FILE
==1927==WARNING: AddressSanitizer failed to allocate 0x280065041580 bytes
==1927==AddressSanitizer's allocator is terminating the process instead of returning 0
==1927==If you don't like this behavior set allocator_may_return_null=1
==1927==AddressSanitizer CHECK failed: /tmp/portage/sys-devel/gcc-6.3.0/work/gcc-6.3.0/libsanitizer/sanitizer_common/sanitizer_allocator.cc:145 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f85fc3a741d  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xcb41d)
    #1 0x7f85fc3ad063 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xd1063)
    #2 0x7f85fc3ab226  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xcf226)
    #3 0x7f85fc3016a4  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x256a4)
    #4 0x7f85fc39e265 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2265)
    #5 0x7f85fb88dd1e in __libelf_decompress /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_compress.c:214
    #6 0x7f85fb88e359 in __libelf_decompress_elf /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_compress.c:288
    #7 0x7f85fb89132e in elf_compress /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_compress.c:479
    #8 0x41f933 in handle_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:3327
    #9 0x4680f7 in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:898
    #10 0x47ae65 in process_dwflmod /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:690
    #11 0x7f85fbe3a094 in dwfl_getmodules /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libdwfl/dwfl_getmodules.c:82
    #12 0x4365f2 in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:789
    #13 0x405e50 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:305
    #14 0x7f85fa45878f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #15 0x406cd8 in _start (/usr/bin/eu-readelf+0x406cd8)
Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00114.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7609

Reproducer:
https://github.com/asarubbo/poc/blob/master/00227-elfutils-memallocfailure

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-04-04: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


elfutils: heap-based buffer overflow in ebl_object_note_type_name (eblobjnotetypename.c)

Postby ago via agostino's blog »

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

A fuzz on eu-readelf showed a heap overflow. Feedback from upstream follows:

Nice find. The issue is with notes that have a zero sized name (and also no descriptor data at the end of a note section).

“The system reserves note information with no name (namesz==0) and with a zero-length name (name[0]=='\0') but currently defines no types. All other names must have at least one non-null character.”

So we must explicitly check for namesz == 0 before using the name data in the note.
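
An added example (not elfutils' own code) of the check the upstream reply describes: a walker over an ELF note section that validates both size fields against the bytes remaining in the section and, when namesz is zero, never dereferences the name at all. The 4-byte field alignment, host byte order, and the two sample notes are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One parsed note; name is NULL for a nameless (namesz == 0) note. */
struct note_view {
    uint32_t type, namesz, descsz;
    const char *name;
    const uint8_t *desc;
};

/* Parse the note at data[off]; returns 1 and the next note's offset in
 * *next, or 0 if the note does not fit in data[0..len).  Never reads
 * outside that range and never touches name bytes when namesz == 0. */
int parse_note(const uint8_t *data, size_t len, size_t off,
               struct note_view *out, size_t *next)
{
    uint32_t namesz, descsz, type;
    size_t nalign, dalign, body;

    if (off > len || len - off < 12)            /* room for the 3-word header? */
        return 0;
    memcpy(&namesz, data + off, 4);             /* host byte order assumed */
    memcpy(&descsz, data + off + 4, 4);
    memcpy(&type, data + off + 8, 4);
    if (namesz > UINT32_MAX - 3 || descsz > UINT32_MAX - 3)
        return 0;                               /* rounding up would wrap */
    nalign = (namesz + 3u) & ~3u;               /* fields are padded to 4 bytes */
    dalign = (descsz + 3u) & ~3u;
    body = len - off - 12;
    if (nalign > body || dalign > body - nalign)
        return 0;                               /* padded fields must fit */
    out->type = type;
    out->namesz = namesz;
    out->descsz = descsz;
    out->name = NULL;                           /* reserved nameless note */
    if (namesz != 0) {
        out->name = (const char *)(data + off + 12);
        if (out->name[namesz - 1] != '\0')      /* namesz counts the NUL */
            return 0;
    }
    out->desc = descsz ? data + off + 12 + nalign : NULL;
    *next = off + 12 + nalign + dalign;
    return 1;
}

/* Count the notes in a section: -1 if any note is malformed or truncated. */
int count_notes(const uint8_t *data, size_t len)
{
    size_t off = 0, next;
    struct note_view v;
    int n = 0;

    for (; off < len; off = next, n++)
        if (!parse_note(data, len, off, &v, &next))
            return -1;
    return n;
}

/* --- constructed sample section, not taken from any real binary --- */
static size_t put_note(uint8_t *p, uint32_t namesz, const char *name,
                       uint32_t descsz, uint32_t type)
{
    size_t nalign = (namesz + 3u) & ~3u, dalign = (descsz + 3u) & ~3u;

    memcpy(p, &namesz, 4);
    memcpy(p + 4, &descsz, 4);
    memcpy(p + 8, &type, 4);
    memset(p + 12, 0, nalign + dalign);
    if (namesz)
        memcpy(p + 12, name, namesz);
    memset(p + 12 + nalign, 0xAB, descsz);      /* dummy descriptor bytes */
    return 12 + nalign + dalign;
}

/* A "GNU" note with a 16-byte descriptor (32 bytes) followed by a nameless,
 * descriptor-less note (12 bytes): 44 bytes in total. */
size_t build_sample_notes(uint8_t *buf)
{
    size_t n = put_note(buf, 4, "GNU", 16, 1);
    return n + put_note(buf + n, 0, NULL, 0, 0);
}

/* Parse the sample as if the section had been cut to 'len' bytes. */
int sample_count_truncated(size_t len)
{
    uint8_t buf[64];
    size_t n = build_sample_notes(buf);
    return count_notes(buf, len < n ? len : n);
}

/* 1 if the nameless second note is accepted without touching a name. */
int sample_nameless_note_ok(void)
{
    uint8_t buf[64];
    size_t n = build_sample_notes(buf), next;
    struct note_view v;
    return parse_note(buf, n, 32, &v, &next) && v.namesz == 0 &&
           v.name == NULL && v.desc == NULL && next == 44;
}
```

The two checks that matter are the `nalign > body || dalign > body - nalign` test, which stops a descriptor that claims more bytes than the section holds, and the `namesz != 0` guard, which is the fix the upstream note is about: with namesz zero there is no name byte to inspect, so a reader that looks at `name[0]` anyway is reading whatever follows the header.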

The complete ASan output:

# eu-readelf -a $FILE
==29866==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef9c at pc 0x7f910ac17150 bp 0x7fff92f7ed90 sp 0x7fff92f7e540
READ of size 1 at 0x60200000ef9c thread T0
    #0 0x7f910ac1714f  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x4514f)
    #1 0x4f63a7 in ebl_object_note_type_name /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libebl/eblobjnotetypename.c:48
    #2 0x461251 in handle_notes_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:9372
    #3 0x47209d in handle_notes /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:9455
    #4 0x47209d in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:916
    #5 0x47ae65 in process_dwflmod /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:690
    #6 0x7f910a730094 in dwfl_getmodules /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libdwfl/dwfl_getmodules.c:82
    #7 0x4365f2 in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:789
    #8 0x405e50 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:305
    #9 0x7f9108d4e78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #10 0x406cd8 in _start (/usr/bin/eu-readelf+0x406cd8)

0x60200000ef9c is located 0 bytes to the right of 12-byte region [0x60200000ef90,0x60200000ef9c)
allocated by thread T0 here:
    #0 0x7f910ac94288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7f910a10af48 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7f910a10af48 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7f910a10c9ba in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7f910a10ccae in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x471fe7 in handle_notes /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:9455
    #6 0x471fe7 in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:916
    #7 0x47ae65 in process_dwflmod /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:690
    #8 0x7f910a730094 in dwfl_getmodules /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libdwfl/dwfl_getmodules.c:82
    #9 0x4365f2 in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:789
    #10 0x405e50 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:305
    #11 0x7f9108d4e78f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0x4514f) 
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa 00[04]fa fa 00 02 fa fa 00 02 fa fa 00 01
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29866==ABORTING
Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00111.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7608

Reproducer:
https://github.com/asarubbo/poc/blob/master/00226-elfutils-heapoverflow-ebl_object_note_type_name

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-04-04: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


elfutils: heap-based buffer overflow in handle_gnu_hash (readelf.c)

Postby ago via agostino's blog »

Description:
elfutils is a set of libraries/utilities to handle ELF objects (drop-in replacement for libelf).

A fuzz on eu-readelf showed a heap overflow.

The complete ASan output:

# eu-readelf -a $FILE
==1855==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ffc at pc 0x000000421a8c bp 0x7ffef67082e0 sp 0x7ffef67082d8
READ of size 4 at 0x611000009ffc thread T0
    #0 0x421a8b in handle_gnu_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:3268
    #1 0x421a8b in handle_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:3346
    #2 0x4680f7 in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:898
    #3 0x47ae65 in process_dwflmod /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:690
    #4 0x7f4bae746094 in dwfl_getmodules /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libdwfl/dwfl_getmodules.c:82
    #5 0x4365f2 in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:789
    #6 0x405e50 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:305
    #7 0x7f4bacd6478f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x406cd8 in _start (/usr/bin/eu-readelf+0x406cd8)

0x611000009ffc is located 0 bytes to the right of 252-byte region [0x611000009f00,0x611000009ffc)
allocated by thread T0 here:
    #0 0x7f4baecaa288 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libasan.so.3+0xc2288)
    #1 0x7f4bae120f48 in convert_data /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:166
    #2 0x7f4bae120f48 in __libelf_set_data_list_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:434
    #3 0x7f4bae1229ba in __elf_getdata_rdlock /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:541
    #4 0x7f4bae122cae in elf_getdata /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libelf/elf_getdata.c:559
    #5 0x41f100 in handle_gnu_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:3206
    #6 0x41f100 in handle_hash /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:3346
    #7 0x4680f7 in process_elf_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:898
    #8 0x47ae65 in process_dwflmod /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:690
    #9 0x7f4bae746094 in dwfl_getmodules /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/libdwfl/dwfl_getmodules.c:82
    #10 0x4365f2 in process_file /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:789
    #11 0x405e50 in main /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:305
    #12 0x7f4bacd6478f in __libc_start_main (/lib64/libc.so.6+0x2078f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/elfutils-0.168/work/elfutils-0.168/src/readelf.c:3268 in handle_gnu_hash
Shadow bytes around the buggy address:
  0x0c227fff93a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff93e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff93f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]
  0x0c227fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1855==ABORTING
Affected version:
0.168

Fixed version:
0.169 (not released atm)

Commit fix:
https://sourceware.org/ml/elfutils-devel/2017-q1/msg00109.html

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7607

Reproducer:
https://github.com/asarubbo/poc/blob/master/00225-elfutils-heapoverflow-handle_gnu_hash

Timeline:
2017-03-24: bug discovered and reported to upstream
2017-04-04: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
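
The read reported above is a 4-byte fetch exactly one word past the end of the section data handed to handle_gnu_hash. As an added example, not elfutils' own code, here is a reader for a DT_GNU_HASH table that derives the chain-array length from the section size and refuses any symbol index that would step outside it. The layout is the standard one (nbuckets, symoffset, bloom_size, bloom_shift, bloom filter, buckets, chains); the sample table, the function names and host byte order are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Located arrays of a DT_GNU_HASH section.  The chain array has no length
 * field of its own: it is whatever is left of the section after the bloom
 * filter and the buckets, which is why the section size must bound it. */
struct gnu_hash_view {
    uint32_t nbuckets, symoffset, bloom_size, bloom_shift, nchain;
    const uint8_t *buckets;   /* nbuckets u32 entries */
    const uint8_t *chains;    /* nchain u32 entries */
};

static uint32_t rd32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, 4);         /* host byte order assumed */
    return v;
}

/* Lay out the table over data[0..len); 0 if any array would run past len. */
int gnu_hash_parse(const uint8_t *data, size_t len, int elfclass64,
                   struct gnu_hash_view *v)
{
    uint64_t word = elfclass64 ? 8 : 4, bloom_bytes, bucket_bytes, rest;

    if (len < 16)
        return 0;
    v->nbuckets = rd32(data);
    v->symoffset = rd32(data + 4);
    v->bloom_size = rd32(data + 8);
    v->bloom_shift = rd32(data + 12);
    rest = len - 16;
    bloom_bytes = (uint64_t)v->bloom_size * word;   /* below 2^35: no overflow */
    bucket_bytes = (uint64_t)v->nbuckets * 4;
    if (bloom_bytes > rest || bucket_bytes > rest - bloom_bytes)
        return 0;
    rest -= bloom_bytes + bucket_bytes;
    if (rest / 4 > UINT32_MAX)
        return 0;
    v->buckets = data + 16 + (size_t)bloom_bytes;
    v->chains = v->buckets + (size_t)bucket_bytes;
    v->nchain = (uint32_t)(rest / 4);
    return 1;
}

/* Walk every bucket's chain, refusing any symbol index outside
 * [symoffset, symoffset + nchain).  Returns the number of chained symbols,
 * or -1 for a table whose chains would be read past the section. */
long gnu_hash_count_symbols(const struct gnu_hash_view *v)
{
    long total = 0;
    uint32_t b;

    for (b = 0; b < v->nbuckets; b++) {
        uint32_t sym = rd32(v->buckets + (size_t)b * 4);
        if (sym == 0)
            continue;                         /* empty bucket */
        for (;; sym++) {
            if (sym < v->symoffset || sym - v->symoffset >= v->nchain)
                return -1;                    /* would read outside chains[] */
            if (++total > (long)v->nchain)
                return -1;                    /* chains overlap: malformed */
            if (rd32(v->chains + (size_t)(sym - v->symoffset) * 4) & 1)
                break;                        /* low bit marks end of chain */
        }
    }
    return total;
}

/* Constructed ELF32 table (not from a real binary): 2 buckets, symoffset 1,
 * a 1-word bloom filter and 3 chain words.  variant 1 points a bucket past
 * the chain array; variant 2 drops the end-of-chain bit on the last word,
 * so a naive reader would fetch one word past the section. */
size_t build_sample_gnu_hash(uint8_t *buf, int variant)
{
    uint32_t words[10] = { 2, 1, 1, 0,        /* nbuckets, symoffset, bloom_size, bloom_shift */
                           0,                 /* bloom[0] */
                           1, 3,              /* buckets: chains start at syms 1 and 3 */
                           0x10, 0x21, 0x31 };/* chain hashes; odd = last in chain */
    if (variant == 1)
        words[6] = 7;
    if (variant == 2)
        words[9] = 0x30;
    memcpy(buf, words, sizeof words);
    return sizeof words;
}

/* Parse and count a sample cut to 'len' bytes: -2 if parsing rejects it. */
long demo_gnu_hash(int variant, size_t len)
{
    uint8_t buf[64];
    size_t n = build_sample_gnu_hash(buf, variant);
    struct gnu_hash_view v;

    if (!gnu_hash_parse(buf, len < n ? len : n, 0, &v))
        return -2;
    return gnu_hash_count_symbols(&v);
}
```

Cutting the same sample to 39 bytes is instructive: parsing still succeeds, but nchain drops from 3 to 2, and the chain walk for the second bucket is then refused instead of reading the word that is no longer there.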


Fidelio, Act Two

Postby Dag-Erling Smørgrav via May Contain Traces of Bolts »

As promised, here is my adaptation of the second act of Beethoven’s one and only opera Fidelio. Read the first act if you haven’t already.


Scene 1

Florestan: Shit, it’s really dark in here. It’s a good thing I’m really, really righteous and brave! I just hope Leonore is OK.


Scene 2

Fidelionore: Brr, it’s cold as balls down here.

Rocco: Sorry, Pizarro must have forgotten to pay the electricity bill. Anyway, here we are.

Fidelionore: He’s not moving!

Rocco: You think he’s dead? Nah, just asleep. Help me dig. You scared?

Fidelionore: Just cold. Sorry.

Rocco: Start digging, it’ll keep you warm.

They dig.

Fidelionore: I think he’s waking up!

Rocco: Get out of here, I need to talk to him.

Florestan: I have been imprisoned here for over two years, and surely I must know where I am and what has happened, but the audience wasn’t here, so please pretend I don’t know, and tell me who is keeping me here.

Rocco: Pizarro, and believe me, I like him about as much as you do.

Florestan: Pizarro? Shit. Send word to Sevilla, let my wife know where I am!

Rocco: Sorry, bud, no can do. I brought some wine to dull the pain of digging another man’s grave, want a drop?

Florestan: Why the hell not.

Rocco: Fidelio, bring the wine! Hey, you don’t look too good.

Florestan: Poor kid!

Fidelionore: I don’t feel too good.

Rocco: Look, it sucks that he’s going to die, but I’m only following orders.

Fidelionore: Want some stale bread? I’ve been carrying this around for days instead of grabbing a fresh piece at the breakfast table every morning.

Rocco: I am about to become complicit in an innocent man’s death, but it’s all good because I’m only following orders, plus I gave him some wine.

Florestan: I am sorry that I cannot repay you for bringing me a stale piece of bread and the dregs of your wine after you were done digging my grave.

Rocco: Okiedokie, off to tell Pizarro everything is ready.

Fidelionore: Don’t worry, it’ll all work out. Somehow. Maybe. I hope.


Scene 3

Pizarro: All done?

Rocco: All done.

Pizarro: Send the kid away and untie the prisoner while I gloat over his impending doom and make sure to let him know at whose hand it will come.

Florestan: Murderer!

Fidelionore: Murderer!

Rocco: Just following orders.

Fidelionore throws herself between Pizarro and Florestan

Fidelionore: You’ll have to kill me first!

Pizarro: Wut?

Fidelionore: I’m his wife, dumbass. Did nobody notice the hips and the tits and the fact that I’m a ducking soprano?

Pizarro: You’re his wife?

Rocco: You’re his wife?

Florestan: You’re my wife?

Pizarro: Wow, you’re really brave.

Rocco: Wow, you’re really brave.

Florestan: Wow, you’re really brave.

Pizarro: Shit, now I have to kill them both.

Fidelionore: Well, sucks to be you.

The alarm sounds.

Fidelionore: You’re saved!

Florestan: I’m saved?

Pizarro: Shit, Fernando!

Rocco: We’re saved!


Scene 4

Jaquino: Hey boss, Secretary Fernando has arrived.

Rocco: Send the guards down to, eh, ensure Pizarro gets safely up the stairs.

Fidelionore & Florestan: We’re saved!

Pizarro: I’m doomed!

Rocco: Remember, I was only following orders!


Scene 5

Fidelionore: You’re saved!

Florestan: We gonna frick!


Scene 6

Prisoners: We’re free!

Fernando: The King has sent me to free you!

Prisoners: Bonus heart-wrenching chorus!


Scene 7

Rocco: Help! Help!

Pizarro: Shut up!

Fernando: What’s all this then?

Rocco: Have mercy on Florestan—

Fernando: Florestan? Isn’t he dead?

Rocco: Only mostly dead. There’s a big difference between mostly dead and all dead. Mostly dead is slightly alive.

Fernando: Florestan is slightly alive?

Fidelionore: HE’S RIGHT IN FRONT OF YOU, YOU DUMBASS!

Rocco: …with his wife Leonore! Dressed as a man!

Marzelline: Oh shit.

Rocco: Pizarro was going to murder him!

Pizarro: And I would have gotten away with it too, if it weren’t for that meddling kid! Besides, you were helping.

Rocco: For the last time, I was only following orders!

Pizarro is arrested and taken away

Fernando: Here, Leonore, unshackle your husband.

Everybody: WE’RE SO HAPPY!

Florestan: Let this be a lesson to you all, the righteous always prevail in the end!

Fidelionore: Not to mention Tru Wuv.

Everybody: Yeah, yeah, we’re all very impressed.

Fidelionore: We gonna frick!


TEH END

Thank you, you’ve been a lovely audience.

Fidelio, Act One

Postby Dag-Erling Smørgrav via May Contain Traces of Bolts »

I went to see a concert version of Fidelio at the Norwegian National Opera last night. For those of you who aren’t well versed in opera or in the classical or romantic eras of Western music, Fidelio is Beethoven’s only opera; initially written in 1804 under the title Leonore, oder Der Triumph der ehelichen Liebe, it took ten years and numerous rewrites before it became what we know today as Fidelio. I know Fidelio quite well, having owned a copy of Karajan’s 1970 recording since my teens, but never really paid attention to the lyrics as a whole until I saw it on stage. I was mildly surprised at how progressive and (in places) possibly even scandalous they are, for their time. They deserve wider recognition. So without further ado, I present my abridged and somewhat… improved version of the libretto.


Background

Two years ago, Florestan uncovered evidence of his rival Pizarro’s crimes. Since then, he has been illegally detained by the latter in the prison he governs. Florestan’s wife Leonore has tracked Florestan down and obtained employment at the prison, disguised as a young man named Fidelio (because opera, that’s why). She has gradually gained warden Rocco’s trust. Prison guard Jaquino is infatuated with Rocco’s daughter Marzelline, who is infatuated with Fidelio (because opera, that’s why).


Scene 1

Jaquino: Finally got you cornered! I need to talk to you.

Marzelline: Dude, I got work to do.

Jaquino: Come on, give a guy a break!

Marzelline: OK, spit it out. Just don’t expect me to like it.

Jaquino: I’ve decided that you are to be my wife. We can have the wedding in a few weeks.

Marzelline: LOL WUT

someone knocks

Jaquino: PISS OFF I’M TRYING TO PROPOSE HERE

Marzelline: Dude, I don’t even like you. I’m in love with Fidelio.

Jaquino: What can I do to convince you?

knocking intensifies

Marzelline: Good, maybe he’ll let me go now.

Rocco (off-stage): Jaquino, you lazy good-for-nothing, get back to work!

Marzelline: You heard the man, now scram!

Jaquino leaves

Marzelline: Poor guy. I used to like him until I met Fidelio. Now there’s a man in touch with his feminine side!


Scene 2

Marzelline pines for Fidelio


Scene 3

Rocco: Where the f— is Fidelio?

Marzelline: Hell if I know. Oh, wait, there he is!


Scene 4

Fidelionore: Sorry, boss. Dude took forever. Here’s the receipt.

Rocco: Wow, how’d you talk the price down so much?

Fidelionore: I try my best, boss.

Rocco: Good man. Don’t worry, you’ll get what you’re after.

Fidelionore: Say what now?

Rocco: Oh come on, I know you like Marzelline.

Marzelline: OMG OMG OMG FIDELIO LIKES ME OMG!

Fidelionore: Oh shit.

Rocco: I’m so happy for them!

Jaquino: Oh shit.

Rocco: Good, then it’s settled! We can have the wedding as soon as that ass Pizarro leaves for Sevilla.

Marzelline: Squee!

Rocco: One thing though, Fidelio. Promise me you’ll provide for my daughter. Love means nothing if you can’t put food on the table. Gold, gold, gold, gold, gold, gold, gold!

Fidelionore: Well, I still maintain that true love… but there’s one thing that bothers me. Why don’t you trust me to accompany you down to the lower cells?

Rocco: It’s not that I don’t trust you, it’s that I’m not allowed to let anyone near them.

Fidelionore: But you work your fingers to the bone! Let me help.

Rocco: Well, maybe. But I won’t let you near the oubliette. It’s too gruesome.

Marzelline: Is that where the secret prisoner is kept?

Fidelionore: Has he been there long?

Rocco: Two years. And now Pizarro has ordered me to let him starve in the dark.

Marzelline: Please don’t take Fidelio there, it’ll break his heart!

Fidelionore: Are you calling me a wuss?

Rocco: You need guts to get ahead in life, boy.

Fidelionore: I got plenty. Try me.

Marzelline: Your determination to see a man being starved to death makes me inexplicably proud.

Rocco: Fine! I’ll ask the governor to allow you to assist me. I’m working myself to death as it is.

Marzelline: I am so turned on right now.


Scene 5

Pizarro storms in from who knows where

Pizarro: Man the walls! Let no-one in without my express permission. Rocco, bring me my mail!

Rocco: Here, sir.

Pizarro: Bill—bill—advertising—overdue bill—Sears catalogue—final notice—pre-approved credit card—oh shit, I know that letterhead. “It has come to my attention that you are illegally keeping political prisoners, and I am therefore conducting a surprise inspection. You have a few hours to hide the evidence. XOXO Fernando.” Holy shit, he and Florestan were like besties. Captain! Post guards and sound the alarm the moment you see Secretary Fernando’s limo arrive!

Captain: Sir, yes, sir!

Pizarro: The only thing that can save me now is an act of unsurpassed bravery. And I will finally have my revenge, which I could have had at any time in the two years this man has been my prisoner, but inexplicably postponed! Oh, I can’t wait to see the knife twist in his heart! Rocco!

Rocco: Sir?

Pizarro: Rocco, I want you to prove my bravery, courage and high moral conviction by murdering this man in my place.

Rocco: Let’s not, and say we did.

Pizarro: Wuss. Never mind, I’ll do it myself. Go dig his grave while I put on an unconvincing disguise so I can tell myself it wasn’t really me who did it. And God help you if I get blood on my shoes!

Rocco: Oh well. At least he won’t starve any more.


Scene 6

Fidelionore: WHAT THE F— JUST HAPPENED? I have to stop this.


Scene 7

Jaquino: Marzelline! You used to love me, but ever since this Fidelio…

Marzelline: Leave me alone!


Scene 8

Rocco: Let it go, son. She doesn’t want you.

Fidelionore: Rocco, won’t you please let the prisoners out into the sun? Pizarro doesn’t need to know.

Rocco: Oh, why the hell not. Jaquino, Fidelio, open the upper cells!


Scene 9

Prisoners: Watch as we march dramatically out of our cells and sing a heart-wrenching chorus about how bad it is to imprison people for their political opinions! But not too loud, someone might hear us.


Scene 10

Fidelionore: How did it go?

Rocco: He agreed to the wedding and to let you accompany me to the lower cells.

Fidelionore: O frabjous day! Callooh! Callay!

Rocco: What are you going on about? Anyway, we have to go down to the secret prisoner.

Fidelionore: Is he being released?

Rocco: Released? Oh, no, we are to bury him.

Fidelionore: What?! He’s dead?

Rocco: Well, not quite yet…

Fidelionore: YOU’RE GOING TO KILL HIM?

Rocco: No, just dig his grave and wash my hands of his murder.

Fidelionore starts crying

Rocco: Oh, grow up. Let’s go.


Scene 11

Marzelline: Dad! Dad! Pizarro is looking for you, and let me tell you, he is PISSED. The guard captain told him we let the prisoners out. You know how mad he gets…

Rocco: Oh shit. Quick, get everybody back inside.


Scene 12

Pizarro: Rocco! ROCCO! Who the FRACK gave you permission to let the prisoners out?

Rocco: Well, uh, it’s, uh, spring, and also the King’s birthday or something? Also, I only let the regular prisoners out, not the secret one.

Pizarro: Oh, shut up, and go dig that grave.

Prisoners: We’re really sad to have to go back inside.

Marzelline: I’m really sad to see the prisoners go back inside.

Fidelionore: I’m really sad to see the prisoners go back inside.

Jaquino: Oh, screw them.

Pizarro: Off you go, Rocco, and stay there until the deed is done.


End of Act One


I’ll post Act Two as soon as that ass Pizarro leaves for Sevilla.

Update: Act Two

imagemagick: undefined behavior in coders/rle.c

Postby ago via agostino's blog »

Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.

Fuzzing with the upstream security policy enabled, a quantum depth of 32 and the undefined behavior sanitizer (UBSan) discovered this bug.

# identify $FILE
coders/rle.c:274:18: runtime error: value 1.72801e+09 is outside the range of representable values of type 'unsigned char'

Affected version:
7.0.5.4

Fixed version:
7.0.5.5 (not released at the time of writing)

Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/b218117cad34d39b9ffb587b45c71c5a49b12bde

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7606

Reproducer:
https://github.com/asarubbo/poc/blob/master/00253-imagemagick-outside-unsigned-char

Timeline:
2017-03-31: bug discovered and reported to upstream
2017-03-31: upstream released a patch
2017-04-02: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
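As an added example (my own code, not ImageMagick's and not a description of the linked commit), the snippet below shows the rule behind the UBSan message above: in C a float-to-integer cast is undefined behaviour when the truncated value does not fit the target type, so a 32-bit-quantum pixel value such as 1.72801e+09 must be saturated before it is stored in an unsigned char. The sample values are constructed; the clamping helper is the generic fix pattern.

```c
/* Added example (not ImageMagick code): converting a floating-point pixel
 * value to unsigned char. The plain cast (unsigned char)v is undefined
 * behaviour when the truncated value is outside 0..UCHAR_MAX, which is
 * what UBSan flagged at coders/rle.c:274 for 1.72801e+09. clamp_to_uchar()
 * shows the generic fix: saturate first, then convert. */
#include <limits.h>
#include <math.h>
#include <stddef.h>
#include <stdio.h>

/* Mirror of the rule UBSan enforces: the cast is defined only if v is not
 * NaN and its integer part lies in 0..UCHAR_MAX. Values in (-1, 0) truncate
 * to 0 and are therefore still representable. (v != v is the NaN test.) */
static int uchar_cast_is_defined(double v)
{
    return !(v != v) && v > -1.0 && v < (double)UCHAR_MAX + 1.0;
}

/* Saturating conversion: NaN and negatives map to 0, large values to
 * UCHAR_MAX, everything in range is rounded to nearest. */
static unsigned char clamp_to_uchar(double v)
{
    if (v != v || v <= 0.0)
        return 0;
    if (v >= (double)UCHAR_MAX)
        return UCHAR_MAX;
    return (unsigned char)(v + 0.5);  /* 0 < v < 255, so v + 0.5 < 255.5 */
}

int main(void)
{
    /* Constructed sample values, including the one from the UBSan report. */
    const double samples[] = { 1.72801e+09, -3.2, 127.4, 254.6, NAN };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%14g -> cast defined: %d, clamped: %u\n", samples[i],
               uchar_cast_is_defined(samples[i]),
               (unsigned)clamp_to_uchar(samples[i]));
    return 0;
}
```

Compiling with -fsanitize=undefined and feeding a fuzzer-produced file through the raw cast is how the report above was obtained; the saturating helper makes the same input produce 255 instead of undefined behaviour.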


libaacplus: signed integer overflow, left shift and assertion failure

Postby ago via agostino's blog »

Description:
libaacplus is a HE-AAC+ v2 library, based on the reference implementation.

While fuzzing it I found some crashes. Upstream was poked on 2017-03-12, but no response from him.

# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:91: runtime error: signed integer overflow: 2147483647 + 8 cannot be represented in type 'int'

Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00254-libaacplus-signedintoverflow
CVE:
CVE-2017-7603

##############################################

# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:83: runtime error: left shift of 241 by 24 places cannot be represented in type 'int'

Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00255-libaacplus-leftshift
CVE:
CVE-2017-7604

##############################################

# aacplusenc $FILE out.aac 24000 s
aacplusenc: aacplusenc.c:67: aacplusEncHandle aacplusEncOpen(unsigned long, unsigned int, unsigned long *, unsigned long *): Assertion `numChannels <= MAX_CHANNELS' failed.

Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00256-libaacplus-assertion-failure
CVE:
CVE-2017-7605

##############################################

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-03-12: bugs discovered and upstream notified
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.
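The three reports above are one family: a header field read with signed shifts, an offset sum that wraps at INT_MAX, and a channel count enforced only by assert(). As an added example (my own code, not libaacplus's), here is a defensive parser for the 24-byte Sun AU header; the AU layout is assumed from the au_channel.h file name, and MAX_CHANNELS and the three sample headers are constructed for the example.

```c
/* Added example (not libaacplus code): a defensive parser for the 24-byte
 * Sun AU header. It avoids the three failure classes reported above:
 *  - bytes are widened to uint32_t before shifting, so a high byte such as
 *    0xF1 (241) cannot produce "left shift of 241 by 24 places" in an int;
 *  - the end-of-data offset is range-checked before the addition instead
 *    of letting INT_MAX + 8 wrap;
 *  - the channel limit is a runtime check that returns an error, rather
 *    than an assert() that vanishes under NDEBUG.
 * MAX_CHANNELS and the sample headers are constructed for this example. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHANNELS 2
#define AU_HEADER_LEN 24
#define AU_MAGIC 0x2e736e64u            /* ".snd" */

struct au_header {
    uint32_t data_offset, data_size, encoding, sample_rate, channels;
};

/* Big-endian 32-bit read. The naive (p[0] << 24) promotes p[0] to int and
 * overflows for any byte >= 0x80; widening to uint32_t first is defined. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* 0 on success; -1 too short/bad magic, -2 bad channel count, -3 bad offset. */
static int parse_au_header(const unsigned char *buf, size_t len,
                           struct au_header *h)
{
    if (len < AU_HEADER_LEN || be32(buf) != AU_MAGIC)
        return -1;
    h->data_offset = be32(buf + 4);
    h->data_size   = be32(buf + 8);
    h->encoding    = be32(buf + 12);
    h->sample_rate = be32(buf + 16);
    h->channels    = be32(buf + 20);
    if (h->channels == 0 || h->channels > MAX_CHANNELS)
        return -2;                      /* reject instead of assert() */
    if (h->data_offset < AU_HEADER_LEN || h->data_offset > len)
        return -3;
    return 0;
}

/* End-of-data position as an int, as a legacy API might want it.
 * Returns 0 and sets *end, or -1 if the sum would not fit in an int. */
static int data_end(const struct au_header *h, int *end)
{
    int off, size;
    if (h->data_offset > INT_MAX || h->data_size > INT_MAX)
        return -1;
    off = (int)h->data_offset;
    size = (int)h->data_size;
    if (size > INT_MAX - off)           /* would overflow: report, don't wrap */
        return -1;
    *end = off + size;
    return 0;
}

/* Constructed headers: valid; channel count 0xF1000000; data size INT_MAX. */
static const unsigned char kGood[AU_HEADER_LEN] = {
    '.','s','n','d', 0,0,0,24, 0,0,0,8, 0,0,0,3, 0,0,0x5d,0xc0, 0,0,0,2 };
static const unsigned char kBadChannels[AU_HEADER_LEN] = {
    '.','s','n','d', 0,0,0,24, 0,0,0,8, 0,0,0,3, 0,0,0x5d,0xc0, 0xf1,0,0,0 };
static const unsigned char kHugeSize[AU_HEADER_LEN] = {
    '.','s','n','d', 0,0,0,24, 0x7f,0xff,0xff,0xff, 0,0,0,3, 0,0,0x5d,0xc0, 0,0,0,2 };

/* Parse status for a header, or 100 + data_end() status once parsing passed. */
static int check(const unsigned char *buf)
{
    struct au_header h;
    int end, rc = parse_au_header(buf, AU_HEADER_LEN, &h);
    return rc != 0 ? rc : 100 + data_end(&h, &end);
}

/* End-of-data position computed for the valid header (24 + 8). */
static int good_data_end(void)
{
    struct au_header h;
    int end = 0;
    if (parse_au_header(kGood, AU_HEADER_LEN, &h) == 0)
        data_end(&h, &end);
    return end;
}

int main(void)
{
    printf("good: %d (end=%d)\n", check(kGood), good_data_end());
    printf("bad channels: %d\n", check(kBadChannels));
    printf("huge size: %d\n", check(kHugeSize));
    return 0;
}
```

On GCC and Clang the range check in data_end() can be replaced by __builtin_add_overflow(off, size, end), which reports the overflow without the manual INT_MAX arithmetic; the portable form is kept here so the example builds with any C compiler.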
