diff -r 92a8dad2cc86 -r a612dd3ddc81 slides/slides04.tex
--- a/slides/slides04.tex Sat Oct 03 20:31:57 2015 +0100
+++ b/slides/slides04.tex Mon Oct 05 05:20:07 2015 +0100
@@ -69,93 +69,73 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[fragile] -\frametitle{D-Link Wifi Router, BOA} -\small - -As a proof-of-concept, the following URL allows -attackers to control the return value saved on -the stack (the vulnerability is triggered when -executing \pcode{"/usr/sbin/widget"}): - -\begin{center}\footnotesize -\pcode{curl http:///post_login.xml?hash=AAA...AAABBBB} -\end{center} - -The value of the "hash" HTTP GET parameter consists of -292 occurrences of the \pcode{'A'} character, followed by four -occurrences of character \pcode{'B'}. In our lab setup, characters -\pcode{'B'} overwrite the saved program counter (\pcode{\%ra}).\bigskip - - -\begin{tabular}{@{}ll} -Discovery date: & 06/03/2013\\ -Release date: & 02/08/2013 -\end{tabular}\bigskip - - -\footnotesize -\hfill\url{http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt} -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[fragile] -\frametitle{D-Link Backdoors} +\begin{frame}[c] +\frametitle{\begin{tabular}{c}Network Applications:\\[-1mm] Privilege Separation\end{tabular}} -D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip -\begin{quote}\rm\small -If you tell your browser to identify itself as Joel's backdoor, instead of (say) -as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip +\begin{center} + \begin{tikzpicture}[scale=1] -"What is this string," I hear you ask? 
+ \draw[line width=1mm] (-.3, 0) rectangle (1.5,2); + \draw (4.7,1) node {Internet}; + \draw (-2.7,1.7) node {\footnotesize Application}; + \draw (0.6,1.7) node {\footnotesize Interface}; + \draw (0.6,-0.4) node {\footnotesize \begin{tabular}{c}unprivileged\\[-1mm] process\end{tabular}}; + \draw (-2.7,-0.4) node {\footnotesize \begin{tabular}{c}privileged\\[-1mm] process\end{tabular}}; + + \draw[line width=1mm] (-1.8, 0) rectangle (-3.6,2); -You will laugh: it is\pause - -\begin{center}\large -\pcode{xmlset_roodkcableoj28840ybtide} + \draw[white] (1.7,1) node (X) {}; + \draw[white] (3.7,1) node (Y) {}; + \draw[red, <->, line width = 2mm] (X) -- (Y); + + \draw[red, <->, line width = 1mm] (-0.6,1) -- (-1.6,1); + \end{tikzpicture} \end{center} -\end{quote}\bigskip\bigskip -\hfill\footnotesize October 15, 2013\\ -\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/} +\begin{itemize} +\item the idea is make the attack surface smaller and mitigate the + consequences of an attack +\end{itemize} +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\begin{frame}[fragile] - -CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip +\mode{ +\begin{frame}[c] +\frametitle{\begin{tabular}{@ {}c@ {}}Infamous Security Flaws\\[-1mm] in Unix\end{tabular}} -\begin{quote}\rm\small -Hi, - -we just found a serious vulnerability in the chkrootkit package, which -may allow local attackers to gain root access to a box in certain -configurations (\pcode{/tmp} not mounted noexec). 
Steps to reproduce: \begin{itemize} -\item Put an executable file named \pcode{update} with non-root owner in -\pcode{/tmp} (not mounted noexec, obviously) -\item Run chkrootkit (as uid \pcode{0}) +\item \texttt{lpr} unfortunately runs with root privileges; you had the option to delete files after printing \ldots\pause\pause +\item for debugging purposes (FreeBSD) Unix provides a ``core dump'', but allowed to follow links \ldots\pause +\item \texttt{mkdir foo} is owned by root\medskip +\begin{center} +\texttt{-rwxr-xr-x 1 root wheel /bin/mkdir} +\end{center}\medskip +it first creates an i-node as root and then changes to ownership to the user's id\\ \textcolor{gray}{\small (race condition -- can be automated with a shell script)} \end{itemize} -Result: The file \pcode{/tmp/update} will be executed as root, thus effectively -rooting your box, if malicious content is placed inside the file. +\only<5->{ +\begin{textblock}{1}(3,7) +\begin{tikzpicture} +\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm] +{\begin{minipage}{8cm} +Only failure makes us experts. + -- Theo de Raadt (OpenBSD, OpenSSH) +\end{minipage}}; +\end{tikzpicture} +\end{textblock}} -If an attacker knows you are periodically running chkrootkit (like in -\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may -easily take advantage of this. -\end{quote} -\mbox{}\\[-10mm] +\end{frame}} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430} + -\end{frame} -%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c] \frametitle{Unix-Style Access Control} 
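Review bot: The permission string shown for the mkdir example, `-rwxr-xr-x 1 root wheel /bin/mkdir`, carries no setuid bit, so as printed it does not support the slide's claim that the command "first creates an i-node as root"; the historical race on a setuid mkdir would be shown by `-rwsr-xr-x`, or the text should say it describes an old Unix where mkdir was installed setuid root. The `\mode{` wrapper around that frame has no `<...>` mode specification; if the frame is meant for presentation mode only, `\mode<presentation>{` states that explicitly (confirm against beamer's `\mode` syntax before changing it). Two wording fixes in the new text: `\item the idea is to make the attack surface smaller and to mitigate the consequences of an attack` and `it first creates an i-node as root and then changes the ownership to the user's id`. The privilege-separation picture has no sentence saying where the trust boundary lies; a line such as `only the narrow interface between the two processes is reachable from the Internet-facing, unprivileged part` would make the figure self-contained.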
@@ -302,6 +282,63 @@ \end{frame} %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[fragile] +\frametitle{D-Link Backdoors} + +D-Link router flaw lets anyone login through "Joel's Backdoor":\medskip + +\begin{quote}\rm\small +If you tell your browser to identify itself as Joel's backdoor, instead of (say) +as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you're in without authentication.\medskip + +"What is this string," I hear you ask? + +You will laugh: it is\pause + +\begin{center}\large +\pcode{xmlset_roodkcableoj28840ybtide} +\end{center} +\end{quote}\bigskip\bigskip + +\hfill\footnotesize October 15, 2013\\ +\hfill\footnotesize\url{http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% +\begin{frame}[fragile] + +CVE-2014-0476 \pcode{chkrootkit} vulnerability 4 Jun'14\medskip + +\begin{quote}\rm\small +Hi, + +we just found a serious vulnerability in the chkrootkit package, which +may allow local attackers to gain root access to a box in certain +configurations (\pcode{/tmp} not mounted noexec). Steps to reproduce: + +\begin{itemize} +\item Put an executable file named \pcode{update} with non-root owner in +\pcode{/tmp} (not mounted noexec, obviously) +\item Run chkrootkit (as uid \pcode{0}) +\end{itemize} + +Result: The file \pcode{/tmp/update} will be executed as root, thus effectively +rooting your box, if malicious content is placed inside the file. + +If an attacker knows you are periodically running chkrootkit (like in +\pcode{cron.daily}) and has write access to \pcode{/tmp} (not mounted noexec), he may +easily take advantage of this. 
+\end{quote} +\mbox{}\\[-10mm] + +\hfill\footnotesize\url{http://seclists.org/oss-sec/2014/q2/430} + +\end{frame} +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \begin{frame}[c]