Full Disclosure mailing list archives
GOGGLES ADVISORY: FLAW IN MAJOR DISTRIBUTIONS
From: <goggles () hush com>
Date: Thu, 3 Jun 2004 03:19:15 -0700
I R WATCHING Y0U

GOGGLES SECURITY ADVISORY #forty-two

GOGGLES has discovered attempt of big security company to disclose bug in many major UNIX variants. GOGGLES believes in perfect world and security bug should not be disclosed by company to make quick fame and money, but to selflessly strive for collective effort to make better and more secure world for everyone to live in. GOGGLES strives for this and decides to regulate release of information with this ethical ideal in mind and not capitalistic gain for big company.

GOGGLES explicitly disclaims credit for discovery, and has to tell world company did not make discovery either, even if it claims so afterwards. Discovery seems to have been made by tribes of pagans and heretics who are yet to achieve Enlightenment and discover True Path of Full-Disclosure.

Problem GOGGLES did not discover but tries to make perfect world with is in libc select() function. select() is bad way to do event driven notification for io events, GOGGLES believes true men and real women use epoll or kqueue these days, and that only real idiots use /dev/poll. select() is bad for security as well, as Theo de Raadt proved with OpenBSD operating system.

Pagans discovered fd_set structure select() uses often allocates static amount of space for monitoring descriptors for events. Proof of concept code kindly provided in sys/select.h from glibc, where idiots coded:

    __fd_mask fds_bits[__FD_SETSIZE / __NFDBITS];

GOGGLES notes that every descriptor is tracked by single bit, and this way normally 128 bytes will be reserved for 1024 descriptors. Pagans decided that rlimit for amount open files is 1024 as well, so code will not go *BOOM* and is more secure than OpenBSD code (note: in this respect they seem to be right).
Now pagans decided that rlimit for amount of open files raised above 1024 could make select() *BOOM* and proceeded to check theory. GOGGLES did check on glibc bits/select.h to verify pagan idea, and found that bigger idiots coded amongst others:

    # define __FD_SET(fd, fdsp) \
      __asm__ __volatile__ ("btsl %1,%0" \
                            : "=m" (__FDS_BITS (fdsp)[__FDELT (fd)]) \
                            : "r" (((int) (fd)) % __NFDBITS) \
                            : "cc","memory")

So pagan hypothesis would work in theory, GOGGLES not believed eyes, and continued test with proof-of-concept code for believers in True Path who are more rigid than pagans in accepting the obvious and comprehending the world around them; this of course in perfect analogy with christians and pagans we all heard of.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>      /* memset(); header missing from the posted code */
    #include <sys/time.h>
    #include <sys/resource.h>
    #include <unistd.h>
    #include <sys/select.h>
    #include <fcntl.h>

    int main(void)
    {
        struct rlimit _;          /* new open-file limit */
        char __[256];             /* buffer the compiler places next to the fd_set */
        fd_set ___;               /* 1024-bit (128-byte) descriptor bitmap */
        unsigned int ____;

        /* raise RLIMIT_NOFILE far above FD_SETSIZE; needs root */
        _.rlim_cur = _.rlim_max = 0xDULL + 0xC0DE;
        if(setrlimit(RLIMIT_NOFILE, &_) == -1)
        {
            fprintf(stderr, "GOGGLE GOGGLE\n");
            exit(EXIT_FAILURE);
        }

        memset(__, 0, sizeof(__));
        FD_ZERO(&___);            /* start from an empty set (omitted in the posted code) */
        for(____ = 3; ____ < 1024; ____++)
            close(____);

        /* open more descriptors than the fd_set has bits, so FD_SET writes past it */
        for(____ = 0; ____ < 1024 + sizeof(__) * 8; ____++)
        {
            int _;
            if( (_ = open("/dev/null", O_RDONLY)) != -1)
                FD_SET(_, &___);
            else
            {
                fprintf(stderr, "GOGGLE GOGGLE\n");
                exit(EXIT_FAILURE);
            }
        }
        /* whatever landed in __ is the overflow from the fd_set (stack layout dependent) */
        printf("%s\n", &0[__]); /* diz is to look stupid */
    }

Now GOGGLES run example code on Linux machine at home, and find this output:

    ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ0¶°ëA

GOGGLES realize that to exploit problem rlimit has to be raised, which can only be done as root, even with local access.
But, GOGGLES and pagans reasoned, if server such as inetd or so raises rlimit by itself to something higher than 1024 then by making connections we can call FD_SET and overflow fd_set structure with bits.

GOGGLES believes in perfect world, and therefore will not release proof of concept exploit, since in perfect world no crackers exist who will run it, and every administrator is smart enough to see problem from illustrations above.

GOGGLES does not want contact about this bug, and since pagans do not have telephones GOGGLES does not have way to reach them for more information.

GOGGLES hopes to have made world slightly better place this way, and prevent commercial rip-off of poor software consumers and false claims to discovery we see from many security company, and especially XFORCE-ISS.

Signed,
GOGGLES
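Defensive counterpart to the FD_SET overflow the message above describes, added here by the editor and not part of the original advisory: a guarded FD_SET that refuses descriptor numbers the 1024-bit fd_set cannot hold, a startup check for the RLIMIT_NOFILE condition the inetd scenario depends on, and the poll() alternative the message prefers. The function names are the editor's own; the glibc macros and constants (FD_SET, FD_SETSIZE, RLIMIT_NOFILE) are real.

```c
#include <errno.h>
#include <poll.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Byte of the fd_set bitmap that FD_SET(fd, ...) touches (one bit per fd). For
 * fd == FD_SETSIZE this equals sizeof(fd_set): the first byte past the structure. */
size_t fd_set_byte_offset(int fd)
{
    return (size_t)fd / 8;
}

/* 1 if FD_SET(fd, set) stays inside the structure, 0 if it would write past it. */
int fd_fits_in_fd_set(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Guarded FD_SET: refuse descriptors the bitmap cannot hold instead of corrupting
 * whatever the compiler placed after the fd_set. 0 on success, -1 with EINVAL. */
int safe_fd_set(int fd, fd_set *set)
{
    if (!fd_fits_in_fd_set(fd)) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Startup check for a select()-based server: 1 if RLIMIT_NOFILE permits descriptor
 * numbers select() cannot track, 0 if not, -1 if getrlimit() fails. */
int rlimit_exceeds_fd_setsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == -1) return -1;
    return rl.rlim_cur > (rlim_t)FD_SETSIZE;
}

/* poll() takes an array rather than a fixed bitmap, so any fd number is safe here.
 * Returns 1 if readable (or hung up), 0 on timeout, -1 on error. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int n = poll(&p, 1, timeout_ms);
    if (n <= 0) return n;
    return (p.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}
```

A server that keeps select() should call rlimit_exceeds_fd_setsize() once at startup and either lower its own limit or refuse to start; the guarded FD_SET is the per-connection fallback when that is not possible.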