Friday, October 27, 2006

Ubuntu Edgy Eft and Firefox2

The developer community seem to be on drugs. Last week Ubuntu Edgy Eft, Firefox 2 and Fedora 6 were released. Apple have also given hints of Touch screen iPod and iPhone. Last but not the least Microsoft have released IE7 after 5 years.
Am not an apple user so might not use those products. I am not going to even try getting IE7... i cant browse on anything except firefox. Fedora 6...ummm .. only if I am forced too, not interested, life is too bland without apt-get.

However I did upgrade to Ubuntu Edgy Eft. The user experience in Ubuntu never stops to amaze me. I find it so much easier to use than Windows. If you have ever upgraded Windows, you know the process...
  • Pop in the CD..
  • Navigate through ugly menus, expect the user using Windows to play solitaire to know how to partition, which partition to load on...
  • Take 30-50 minutes to install.
  • Take another 1 hour to install the drivers.
  • Take another few days to get all the applications running.
I was running Ubuntu Dapper before... i just did gksu "update-manager -c" .. This took care of everything. It downloaded all the upgrades, installed it... thats the level of abstraction that creates a cult user following. As an added surprise it upgraded my Firefox (although I was running firefox2 on dapper). The only hitch was the some unwanted services that were running at startup. I killed them using sysv-rc-conf (Fedora users think chkconfig)... I think I am in love with Ubuntu :P

Firefox2 deserves a mention too. It has integrated several function provided earlier by extensions. One of the feature is the snap back tab feature earlier provided by SessionSaver. Just press Ctrl+Shift+T to get back a tab you closed by mistake. I am also a sucker for its inbuilt spell checker. Blogging and writing mails is so much fun now that I don't have to use the bloated spell checking web app.
I know that I am addicted to computers, Linux and internet... but am too smug to care.

Wednesday, October 25, 2006

Practice what you preach...

Today morning I received a mail (via listserv) from Dr Du. He wanted to fix the time slot for a make up class as he was going to attend a conference during the regular class hours. Here is the mail he sent us:
I have proposed the following 3 time slots. Unfortunately, so far, there
is an exactly one conflict for each of them. Since there is a 3-way tie, I
need to pick one randomly.

(1) 11:00 - 12:20
(2) 13:00 - 14:20
(3) 14:00 - 15:20

What makes this thing interesting is that I also have my own preference.
How can I pick one while convincing you that this is picked randomly, not
based on my preference?

To demonstrate an important application of one-way hash function, I would
like to propose a protocol to generate a number S (S will be 1, 2, or 3).
The S-th time slot described above will be picked. There is an important
requirement: S must be random; neither I nor you can control the value of
S. Let's conduct this protocol through emails.

(1) You pick a string M: Whoever reads this email first, please send me
any string you like (please send to this mailing list, so we all know the
string). Let's call this string M.

(2) I also pick a string K: I cannot tell you my string at this moment
(think about why). However, I need to tell you something, so I cannot
change my string after seeing your string M (think about why I want to
change my string). Therefore, I am sending you the md5 hash value of my
string. Here it is: 1c4bfe13bf159f26ddd23926b7376b14

(3) After receiving your string M, I will generate an HMAC_MD5 value on M,
using my K as the key. We will get a 16-byte number.

(4) Let D represent the last byte (the least significant byte) of the
HMAC_MD5 value. I will compute S = (D % 3) + 1. This result S will be our
final decision.

Question: is this protocol fair? Can anybody (you or me) control the
outcome? Please think about this, and we will talk about it in our class.

Now, I am waiting for your string. If you are the first one to read this
email, please send us a string of any length. I assume there is at least
one hard-working student in this class. If nobody sends a string by 8:00am
tomorrow. I will use M = "AAABBBCCCDDD", and generate a decision.


- Kevin
(published with permission)

Is there a better was to teach Internet security?? ... practice what you preach

Thursday, October 12, 2006

Another year gone by...

Another year passed by... Am 24 odd years old now. It wouldn't take a rocket scientist to figure out how I spent my birthday. I had to reply to 150+ emails and orkut scraps who had wished me. All efforts to work today went in vain. So here I am at home.. still checking my mail every ten seconds and pathetically blogging about my birthday. Did not have a party as people had their midterms... generally I gift myself stuffs on such occasions but after searching the web, I couldn't find anything that fits my budget :(

The past year was great... although it could have been better. Since I am expected to be a bit more mature (hehe...lolz), let me plan the next year or set the goals I need to achieve before I turn 25. This is just for me...

  1. Get a Job: I need one... am graduating in May'07
  2. Retain/Increase the level of weirdity in action : I hate mob mentality but I am not a non-conformist. Since my actions are so much different from my peers, some people call me weird... (something like .."He blogged instead of getting wasted" weird).
  3. Shed the movie geek title: I know people who download movies like crazy and I watch movies like crazy. There have been times, when I had seen the same movie thrice... back to back. I know their IMDB rating, RottenTomatoes rating, the wikipedia entry and filmography of the actors. Its an addiction I need to get rid of. I have read less than five novels since I came to the US.
  4. Definitely read more.
  5. Code more.
  6. Maintain my sourceforge projects.
  7. Eat healthy so as to exercise less :P
  8. Get a girlfriend... the possibility is meek, given that I spend 18/24 hours in front of the computer.
  9. Get more gadgets... you can never have enough of those.
  10. Lie without feeling a pang of anger or guilt.
On a totally unrelated note I came third in TopCoder's Collegiate challenge. I got a $50 gift certificate from Best Buy. Unfortunately I did not find anything there that I need for myself or for gifting anyone in India..

Monday, October 09, 2006

Beginner's guide to Stack buffer overflow...

If you are a C/C++ geek with an ounce of interest in system programming, you would have definitely tried stack buffer overflow. Most of the websites out there are either too detailed or too abstract. Some of the popular websites for buffer overflow claim success on age old machines.. of course the techniques listed on these sites don't work and are terribly hard to replicate.

So all you linux newbs, here is a simplistic buffer overflow exploit written in C... Well I wont call it an exploit, more of a way to modify the return address. A little bit of assembly knowledge would help but is not necessary. I did it on Ubuntu Dapper... fasten your seat belts now.

void function(int a, int b, int c)
{
char ret5[1];
}

int main()
{
int x;

x = 0;
function(1,100,3);
x = 1;
printf(``%d\n'',x);
}
*Adapted example from http://www.cs.wright.edu/people/faculty/tkprasad/courses/cs781/alephOne.html
The above program just prints 1 on the console... what did you think? BTW do keep the debugging option on while compiling the code, i.e your command line should be:
$gcc -o program program.c -g


Now its time to wear that black hat and fire gdb.

(gdb) break 1
Breakpoint 1 at 0x8048360: file temp.c, line 1.
(gdb) r
Starting program: /home/sridhar/bufov/program

Breakpoint 1, function (a=1, b=-1082010236, c=-1082010228) at temp.c:1
1 void function(int a, int b, int c) {
(gdb) s
3 }
(gdb) info registers
eax 0x10 16
ecx 0xbf81d58c -1082010228
edx 0x1 1
ebx 0xb7ef2adc -1209062692
esp 0xbf81d4a8 0xbf81d4a8
ebp 0xbf81d4b8 0xbf81d4b8
esi 0xbf81d584 -1082010236
edi 0xbf81d510 -1082010352
eip 0x8048366 0x8048366
eflags 0x200282 2097794
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) print &ret
Hmm so what is the address of ret?
$1 = (char (*)[1]) 0xbf81d4b7
(gdb) disassemble main //Lets see the return address in main
Dump of assembler code for function main:
0x08048368 : push %ebp
0x08048369 : mov %esp,%ebp
0x0804836b : sub $0x28,%esp
0x0804836e : and $0xfffffff0,%esp
0x08048371 : mov $0x0,%eax
0x08048376 : add $0xf,%eax
0x08048379 : add $0xf,%eax
0x0804837c : shr $0x4,%eax
0x0804837f : shl $0x4,%eax
0x08048382 : sub %eax,%esp
0x08048384 : movl $0x0,0xfffffffc(%ebp)
0x0804838b : movl $0x3,0x8(%esp)
0x08048393 : movl $0x64,0x4(%esp)
0x0804839b : movl $0x1,(%esp)
0x080483a2 : call 0x8048360

|----this is the return address. How did I know that? well its the statement
after the function call

0x080483a7 : movl $0x1,0xfffffffc(%ebp)
0x080483ae : mov 0xfffffffc(%ebp),%eax
0x080483b1 : mov %eax,0x4(%esp)
0x080483b5 : movl $0x80484b4,(%esp)
0x080483bc : call 0x80482b0
0x080483c1 : leave
0x080483c2 : ret
End of assembler dump.
(gdb) x 0xbf81d4b8 //Go back up and see the value of ebp...
what's it pointing to? Notice its just below ret

0xbf81d4b8: 0xbf81d4f8
(gdb) x 0xbf81d4b9 //hmm the return address should be some where nearby
0xbf81d4b9: 0xa7bf81d4
(gdb) x 0xbf81d4ba // nah.. this is not the one
0xbf81d4ba: 0x83a7bf81
(gdb) x 0xbf81d4bb //still not there
0xbf81d4bb: 0x0483a7bf
(gdb) x 0xbf81d4bc //BINGO!!
0xbf81d4bc: 0x080483a7
(gdb) print &ret[4] //Now lets find out how far is ret away from the return address
$2 = 0xbf81d4bb "��\203\004\b\001"
(gdb) print &ret[5] //GOT IT
$3 = 0xbf81d4bc "�\203\004\b\001"
Now that we know that ret[5] contains the return address, lets go for the kill. A brute force way would have been to just fill ret with long strings so that the buffer overflows. If we know the the position of a code in the memory we can overwrite the return address to branch to that address instead of back to main. For the sake of simplicity, I'll just skip a statement in main(), so that the output is 0 instead of 1 (i.e.the statement x=1 is skipped).

From the disassembly of main() we know that the return address should be 0x080483ae instead of 0x080483a7. Which means i need to increment the return address by 0x080483ae-0x080483a7=7.

Lets take a look at the code now..

void function(int a, int b, int c)
{
char ret[1];
*(long *) &ret[5] +=7 ;
}
int main()
{
int x;
x = 0;
function(1,100,3);
x = 1;
printf("%d\n",x);
}


*Adapted example from http://www.cs.wright.edu/people/faculty/tkprasad/courses/cs781/alephOne.html
Ok WTF is *(long *) &ret[5] +=7 ??
Well it turns out that data is stored on word boundaries for efficiency, and we know that word is of the size of long. Hence the above statement dereferences the long data buffer pointed to by a char pointer. Wait for some time till that concept sinks in...
Feeling better now??good..
Now compile it $gcc -o p2 p2.c
and run it
$./p2
0
If you followed everything till this point, you are no longer a newb...

Update: I reffered this article.

Wednesday, October 04, 2006

IP Attacks..

You know that you have taken a great course when you look forward to do each project and the assignments given... Internet Security is one such course. I was supposed to stress test Minix 3 and Linux for vulnerabilies. Specifically I had to attack the ARP, IP and ICMP protocols and find out the vulnerabilities if any. I always thought that this was a waste of time, why on earth will these attacks work?? after all.. these protocols have been there for more than three decades.. how wrong was I!!... This is what I found out :

Attacks Minix 3 Linux
ARP Cache Attack yes yes
IP DoS Attack no no
IP Fragmentation Attack no no
ICMP Attacks

Ping of death no no
Smurf Attack yes yes
Destination Unreachable yes no
Source Quench no somewhat
Redirect yes yes


Out of all the attacks, I find ARP cache poisoning, ICMP redirect and Smurf attacks quite slick. There is no simple method to detect these attacks and anyone can do them (at least you can after reading this blog entry). You don't have to be a cracker with a brain of a rocket scientist to use the publicly available tools.

I used the netwox tool box to conduct the above attacks. Its an amazing collection of 221 tools, each of which can be customized to bring even the most monstrous server to its knees. You can read my documentation of this attack here. This attack reveals some really nasty design flaws in these protocols, sadly changing them means changing the software on a billion computers(i totally made that number up but you get the point right??) on this planet.
Also I must say that out of all the FOSS OSs I have used, I find Minix's source code most well written. If you are a kernel hacker and an object oriented developer at the same time, you will surely appreciate how well written the code is. I find it better than FreeBSD and certainly better than Linux. The Microkernel implementation would also rock your world.
Lastly please don't try these on public networks... your arrest warrant will be stamped before you can reboot your computer. I tried these on my own computers behind a NAT. And BTW.. if you are using Windows, be ready for a bsod.