slides/slides04.tex
changeset 391 a612dd3ddc81
parent 388 770b58a7d754
child 404 4e3bc09748f7
--- a/slides/slides04.tex	Sat Oct 03 20:31:57 2015 +0100
+++ b/slides/slides04.tex	Mon Oct 05 05:20:07 2015 +0100
@@ -69,93 +69,73 @@
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-\frametitle{D-Link Wifi Router, BOA}
-\small
-
-As a proof-of-concept, the following URL allows 
-attackers to control the return value saved on 
-the stack (the vulnerability is triggered when
-executing \pcode{"/usr/sbin/widget"}):
-
-\begin{center}\footnotesize 
-\pcode{curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB}
-\end{center}
-
-The value of the "hash" HTTP GET parameter consists of
-292 occurrences of the \pcode{'A'} character, followed by four 
-occurrences of character \pcode{'B'}. In our lab setup, characters 
-\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip
-
-
-\begin{tabular}{@{}ll}
-Discovery date: & 06/03/2013\\
-Release date:   & 02/08/2013
-\end{tabular}\bigskip
-
-
-\footnotesize
-\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt} 
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-\frametitle{D-Link Backdoors}
+\begin{frame}[c]
+\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}}
 
-D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip
 
-\begin{quote}\rm\small
-If you tell your browser to identify itself as Joel's backdoor, instead of (say) 
-as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
+\begin{center}
+  \begin{tikzpicture}[scale=1]
   
-"What is this string," I hear you ask?
+  \draw[line width=1mm] (-.3, 0) rectangle (1.5,2);
+  \draw (4.7,1) node {Internet};
+  \draw (-2.7,1.7) node {\footnotesize Application};
+  \draw (0.6,1.7) node {\footnotesize Interface};
+  \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}};
+  \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}};
+  
+  \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2);
 
-You will laugh: it is\pause 
-
-\begin{center}\large
-\pcode{xmlset_roodkcableoj28840ybtide}
+  \draw[white] (1.7,1) node (X) {};
+  \draw[white] (3.7,1) node (Y) {};
+  \draw[red, <->, line width = 2mm] (X) -- (Y);
+ 
+  \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1);
+  \end{tikzpicture}
 \end{center}
-\end{quote}\bigskip\bigskip
 
-\hfill\footnotesize October 15, 2013\\
-\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
+\begin{itemize}
+\item the idea is make the attack surface smaller and mitigate the
+  consequences of an attack
+\end{itemize}
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%     
 
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\begin{frame}[fragile]
-
-CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip
+\mode<presentation>{
+\begin{frame}[c]
+\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}}
 
-\begin{quote}\rm\small
-Hi,
-
-we just found a serious vulnerability in the chkrootkit package, which
-may allow local attackers to gain root access to a box in certain
-configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce:
 
 \begin{itemize}
-\item Put an executable file named \pcode{update} with non-root owner in 
-\pcode{/tmp} (not mounted noexec, obviously)
-\item Run chkrootkit (as uid \pcode{0})
+\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause
+\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause
+\item \texttt{mkdir foo} is owned by root\medskip
+\begin{center}
+\texttt{-rwxr-xr-x  1 root  wheel /bin/mkdir}
+\end{center}\medskip
+it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)}
 \end{itemize}
 
-Result: The file \pcode{/tmp/update} will be executed as root, thus effectively
-rooting your box, if malicious content is placed inside the file.
+\only<5->{
+\begin{textblock}{1}(3,7)
+\begin{tikzpicture}
+\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] 
+{\begin{minipage}{8cm}
+Only failure makes us experts.
+	-- Theo de Raadt (OpenBSD, OpenSSH)
+\end{minipage}};
+\end{tikzpicture}
+\end{textblock}}
 
-If an attacker knows you are periodically running chkrootkit (like in
-\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may
-easily take advantage of this.
-\end{quote}
-\mbox{}\\[-10mm]
+\end{frame}}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
 
-\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}
+
 
-\end{frame}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
 \frametitle{Unix-Style Access Control}
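Review bot: The single bullet on the new privilege-separation frame (the `\item` after `\begin{itemize}` below the tikzpicture) reads "the idea is make the attack surface smaller", which is missing "to" and does not say what the diagram shows; I would write `\item the idea is to make the attack surface smaller and mitigate the consequences of an attack: only the unprivileged interface process talks to the network`. On the "Infamous Security Flaws in Unix" frame, `\texttt{lpr}`, `\texttt{mkdir foo}` and the `-rwxr-xr-x` line use `\texttt` while the rest of the file uses the `\pcode` macro for code, so one of the two should be chosen consistently. The `\pause\pause` at the end of the `lpr` item appears to yield an overlay identical to the one before it, since nothing is emitted between the two pauses; unless that blank step is deliberate, a single `\pause` (and adjusting the `\only<5->` on the quote box) would avoid a duplicate page. In the `mkdir` item, "changes to ownership to the user's id" should read "changes the ownership to the user's id".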
@@ -302,6 +282,63 @@
 
 \end{frame}
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+\frametitle{D-Link Backdoors}
+
+D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip
+
+\begin{quote}\rm\small
+If you tell your browser to identify itself as Joel's backdoor, instead of (say) 
+as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip
+  
+"What is this string," I hear you ask?
+
+You will laugh: it is\pause 
+
+\begin{center}\large
+\pcode{xmlset_roodkcableoj28840ybtide}
+\end{center}
+\end{quote}\bigskip\bigskip
+
+\hfill\footnotesize October 15, 2013\\
+\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{frame}[fragile]
+
+CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip
+
+\begin{quote}\rm\small
+Hi,
+
+we just found a serious vulnerability in the chkrootkit package, which
+may allow local attackers to gain root access to a box in certain
+configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce:
+
+\begin{itemize}
+\item Put an executable file named \pcode{update} with non-root owner in 
+\pcode{/tmp} (not mounted noexec, obviously)
+\item Run chkrootkit (as uid \pcode{0})
+\end{itemize}
+
+Result: The file \pcode{/tmp/update} will be executed as root, thus effectively
+rooting your box, if malicious content is placed inside the file.
+
+If an attacker knows you are periodically running chkrootkit (like in
+\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may
+easily take advantage of this.
+\end{quote}
+\mbox{}\\[-10mm]
+
+\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430}
+
+\end{frame}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%   
+
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 \begin{frame}[c]
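Review bot: The chkrootkit frame (the `\begin{frame}[fragile]` directly above the `CVE-2014-0476` line) has no `\frametitle`, unlike every other frame in this diff, which leaves a gap in the slide navigation; `\frametitle{chkrootkit Vulnerability (CVE-2014-0476)}` would match the neighbouring frames. Both re-added frames use straight ASCII double quotes (`"Joel's Backdoor"`, `"What is this string,"`), which LaTeX typesets as two closing quotes; they should be written with `` and '' (or `\enquote{...}` if csquotes is loaded). These frames appear to be moved verbatim from earlier in the file (the lines removed in the previous hunk), so the text itself is not new to this commit.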