Niels Provos

Adobe PDF Vulnerability: Stack overflow in Font File parsing

nospam@example.com (Niels Provos) — Thu, 09 Sep 2010 22:18:39 -0700

Metasploit has a great write up on new vulnerability in PDF. The basic problem is a stack overflow when parsing OpenType fonts. In particular, SING Glyphlet tables contain a 27 byte long unique name that is expected to be NUL-terminated and stored in a 28-byte buffer. The vulnerable code is using strcat and lacks bounds checking resulting in a stack overflow.

The PDF in the wild prepares the heap via Javascript and contains multiple different font files that are selected by navigating to a specific page in the PDF based on the viewer version. Each font files has slightly different shell code. It was amusing to see that the attackers after modifying the head and SING tables did not fix up their respective checksums. According to Metasploit, this exploit works under Windows 7 with both DEP and ASLR turned on. Fun Fun. As of now, no patched version is available. The SecBrowsing blog contains instructions with temporary remedies.

Libevent-2.0.7-rc release

nospam@example.com (Niels Provos) — Thu, 09 Sep 2010 22:15:40 -0700

Nick announced the release of Libevent-2.0.7-rc today. Here is an excerpt from his email:

Thanks to everybody who reported and fixed bugs in Libevent 2.0.6-rc,
Libevent 2.0.7-rc should be much more stable and portable, especially
for people using IOCP, Windows, rate-limiting, or threads.

There are also numerous small bugfixes thoughout the codebase (though
still not, alas, in the http stuff).

For a complete list of changes, just see the ChangeLog included with
the source distribution.

You can download source code of libevent releases from monkey.org

Anatomy of a PDF Exploit

nospam@example.com (Niels Provos) — Thu, 19 Aug 2010 17:10:08 -0700

PDF has become the de-facto standard for formatting print documents. Over the years, it has evolved into a feature rich and very complex system. PDF supports embedded Javascript that can be used for form validation and contains support for different image formats and 3D models, etc. As a result, PDF implementations have numerous vulnerabilities that can be exploit by adversaries to gain control over a user’s computer. Here are a number of CVEs that are currently being exploited in the wild: CVE-2007-5659, CVE-2008-2992, CVE-2009-0927, CVE-2009-2994, CVE-2009-4324, CVE-2010-0188.

In this blog post, we are going to look at current exploitation of CVE-2010-0188: An integer overflow in the parsing of the dot range option in TIFF files. The vulnerability was publicly announced in February 2010. Examples of exploit code are readily available on the Internet and a very good explanation of how the exploit works has been provided by Fortinet.

The exploit described by Fortinet utilizes an AcroForm described in XML. The XML contains an image field with an embedded TIFF image that triggers the vulnerability.

Continue reading "Anatomy of a PDF Exploit"

Heat treating the Wakizashi

nospam@example.com (Niels Provos) — Fri, 30 Jul 2010 20:33:16 -0700

Heat treating a sword using a water quench is a tense affair as the sword my crack and many hours of work may be lost. This video shows heat treating a wakizashi I made from forge welded cable that was folded several times. The Japanese differential heat treat calls for coating the back of the blade with a clay layer that retards the quench and allows the covered part of the steel to remain softer. The border between harder and softer steel becomes visible as hamon. Although, the heat treating was successful, the blade developed a welding flaw and at this point it looks like 20 hours of work might have been lost.

Folding Steel

nospam@example.com (Niels Provos) — Sun, 30 May 2010 19:26:51 -0700

When examining a traditionally forged Japanese sword, the steel structure (hada) often looks like wood grain. This structure is a result of folding and forge welding tamahagane. To simulate such hada without using expensive tamahagane, I took 24in of 1in diameter steel cable and forge welded it into a single piece of steel. That steel was then folded 7 times with some surface manipulation and then forged into a small wakizashi. The picture shows the tang after the scale was removed, polished and then lightly etched to show the grain. The steel structure seems similar to mokume hada. Now, I just need to find the time to shape, heat treat, polish and mount the sword. Expect progress pictures as work permits - probably in a few months.

Railroad Spike Knife

nospam@example.com (Niels Provos) — Tue, 23 Mar 2010 23:05:57 -0700

The is a knife made from a high carbon railroad spike. The blade is flat ground and about 4.5in long. The whole knife is a little bit longer than 10in. The twist in the handle feels nice in the hand. HC in this case apparently means 1030 which is pretty low carbon content for a knife. While it got to be very sharp, the edge is probably not going to stay that way for very long.

Forging this was a lot of fun and using the spring fuller really helped with separating the steel from the handle and the blade. Making this knife actually didn't take very long. About an hour of forging time, a couple hours of grinding and polishing.

Libevent 2.0.4-alpha released

nospam@example.com (Niels Provos) — Fri, 05 Mar 2010 23:32:00 -0800

Libevent 2.0.4-alpha is now available for download:

http://monkey.org/~provos/libevent-2.0.4-alpha.tar.gz
http://monkey.org/~provos/libevent-2.0.4-alpha.tar.gz.sig

The complete change list is available here.

Some of the feature improvements include:

bufferevents can now be rate limited
http connections can now resolve host names asynchronously
a facility for lock debugging
arc4random() for evdns

However, we (that means mostly Nick) have also made a large number of bug fixes and stability improvements across many platforms. Many thanks to everyone who helped by providing bug reports and patches including Brodie Thiesfield, Dagobert Michelsen, Evan Jones, Joachim Bauch, Pavel Plesov, Roman Puls, Sebastian Hahn, William Ahern, Yasuoka Masahiko and Zhuang Yuyao.

In a separate email, Nick also provided a much more verbose description of what all changed.

Cable Tantos

nospam@example.com (Niels Provos) — Sun, 14 Feb 2010 19:16:18 -0800

Although, I have made various attempts at forging knives, this tanto is the first knife I have completed. It's a shinogi-zukuri tanto with choji hamon. The steel was made from forge-welded high carbon cable. Originally, this was supposed to become a wakizashi, but due to a bad hammer blow when forging the sunobe, I had to fold it over and no longer had enough steel for a longer blade. As a result, the blade is only about 9in long. The habaki was made from brazed copper and the shira-saya was carved from a popular blank.

The picture to the left shows two more cable tantos in various stages of progress. The top one had some rough grinding done to it whereas the bottom one is straight from the forge. Only about 10% of the time is actually spent forging the blades. The rest of time is spent grinding, polishing and working on the habaki as well as on the saya and everything else.

OpenSSL Client Certificates and Libevent-2.0.3-alpha

nospam@example.com (Niels Provos) — Fri, 04 Dec 2009 18:02:15 -0800

Tom Pusateri reported success with using OpenSSL client certificates and libevent's builtin OpenSSL support. Here is what he wrote on the mailing list:

I tried 2.0.3 alpha against the Apple Push notification feedback service which requires a client key/certificate and it works great.

One hint... Make sure you add the key and cert to the SSL context before calling SSL_new(). Otherwise, you'll get an error that looks like:

sslv3 alert handshake failure in SSL routines SSL3_READ_BYTES

Here's the working code:

static void
init_feedback_service(struct event_base *ev_base,
    struct evdns_base *dns)
{
   int rc;
   struct bufferevent *bev;
   SSL_CTX *ssl_ctx;
   SSL *ssl;

   ssl_ctx = SSL_CTX_new(SSLv3_method());

   rc = SSL_CTX_use_certificate_file(ssl_ctx, "my_apple_cert_key.pem",
       SSL_FILETYPE_PEM);
   if (rc != 1) {
       errx(EXIT_FAILURE, "Could not load certificate file");
   }
   rc = SSL_CTX_use_PrivateKey_file(ssl_ctx, "my_apple_cert_key.pem",
       SSL_FILETYPE_PEM);
   if (rc != 1) {
       errx(EXIT_FAILURE, "Could not load private key file");
   }

   ssl = SSL_new(ssl_ctx);
   bev = bufferevent_openssl_socket_new(ev_base, -1, ssl,
       BUFFEREVENT_SSL_CONNECTING, BEV_OPT_CLOSE_ON_FREE);
   bufferevent_setcb(bev, feedback_read_cb, NULL,
       feedback_event_cb, NULL);
   rc = bufferevent_socket_connect_hostname(bev, dns, AF_INET,
       "feedback.sandbox.push.apple.com", 2196);
   if (rc < 0) {
       warnx("could not connect to feedback service: %s",
             evutil_socket_error_to_string(EVUTIL_SOCKET_ERROR()));
       bufferevent_free(bev);
       return;
   }
   bufferevent_enable(bev, EV_READ);
}

Libevent-2.0.3-alpha release

nospam@example.com (Niels Provos) — Fri, 20 Nov 2009 21:23:55 -0800

It has been a while since the last alpha release of libevent-2.0. Yesterday, we released 2.0.3-alpha which can be downloaded from

http://monkey.org/~provos/libevent-2.0.3-alpha.tar.gz

Please, give it a spin and let us know if you run into any problems. There have been a lot of changes since the last release, mostly due to Nick's hard work. Here are just some highlights, the ChangeLog contains the full story:

- SSL/TLS support on bufferevents, using the OpenSSL library
- Improved searching on evbuffer objects
- Improved support for Windows
- More efficient memory allocation for event_bases that use epoll
- Improved thread-safety
- The IOCP bufferevent backend is now exposed on Windows; many thanks to Christopher Davis for his work.

Many thanks to everyone who helped with patches and bug reports including Rocco Carbone, Brodie Thiesfield, Caitlin Mercer, David Reiss, Alexander Pronchenkov, Jacek Masiulaniec, Ka-Hing Cheung, Christopher Davis, Ferenc Szalai, and Ryan Phillips.

Edited to fix the link.

Libevent 1.4.13-stable released

nospam@example.com (Niels Provos) — Tue, 17 Nov 2009 20:16:10 -0800

We just released a new stable version of Libevent that fixes the following problems:

If the kernel tells us that there are a negative number of bytes to read from a socket, do not believe it. Fixes bug 2841177; found by Alexander Pronchenkov.
Do not allocate the maximum event queue and fd array for the epoll backend at startup. Instead, start out accepting 32 events at a time, and double the queue's size when it seems that the OS is generating events faster than we're requesting them. Saves up to 512K per epoll-based event_base. Resolves bug 2839240.
Fix compilation on Android, which forgot to define fd_mask in its sys/select.h
Do not drop data from evbuffer when out of memory; reported by Jacek Masiulaniec
Rename our replacement compat/sys/_time.h header to avoid build a conflict on HPUX; reported by Kathryn Hogg.
Build kqueue.c correctly on GNU/kFreeBSD platforms. Patch pulled upstream from Debian.
Fix a problem with excessive memory allocation when using multiple event priorities.
When running set[ug]id, don't check the environment. Based on a patch from OpenBSD.

A new alpha release of libevent 2.0 is on its way, too. Thanks to everyone who submitted patches and bug reports.

The source code is available at http://www.monkey.org/~provos/libevent-1.4.13-stable.tar.gz. Don't forget to verify the signature.

San Mai Knife

nospam@example.com (Niels Provos) — Thu, 15 Oct 2009 14:48:38 -0700

A while ago, I forged a San Mai billet with the hope to turn it into a tanto. Unfortunately, the forge I was using had a very oxygen rich atmosphere and the welds did not take very well. Over the last couple of days, I spent some time grinding and heat treating the remaining steel into a knife for practice purposes. The cable structure of the knife came out very nicely with repeated applications of lemon juice and metal polish to remove the oxides left by the lemon juice etch.

I also figured out how to take decent pictures of the steel. The trick was to use direct light rather than diffused light that shines directly on the blade, and then have black surfaces inside the light box. The angle of the knife needs to be so that the black is reflected do the camera. Although, this is a failed knife due to all the welding flaws, it still was an interesting experiment.

Forging a Wakizashi

nospam@example.com (Niels Provos) — Mon, 14 Sep 2009 11:43:26 -0700

I just finished taking the 5-day basic forging class taught by Michael Bell at Dragonfly Forge. The wakizashi in the picture is the result of it. The blade is about 18in long and was forged from forge-welded cable. The forge welding of the cable conducted by Michael and his son Gabriel took the better half of the first day. Afterward, the steel was forged into a sunobe which has the basic taper for the tang and point of the sword. We then forged in the ji and the shinogi ji. The remainder of the time was spent grinding in preparation for heat treatment. Before the clay was applied, we draw filed the blade so that all file marks were parallel with the edge rather than the perpendicular marks left by the belt grinder. Applying the clay was a three step process; a light coating of the whole blade, applying the ashi lines, and then coating everything that should remain soft. You can see the ashi and where the clay was applied on the middle picture. After heat treating, the blade took on a nice curve and it was back to the grinder. During the last day there was a little bit of time to polish on stones which showed hints of some very wild hamon as well as some mune yaki. The whole class was a great experience.

LEET '10 Call for Papers

nospam@example.com (Niels Provos) — Sat, 29 Aug 2009 12:35:46 -0700

The call for papers for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '10) Botnets, Spyware, Worms, and More just went out. It will be held on April 27, 2010 in San Jose, CA.

LEET '10 will be co-located with the 7th USENIX Symposium on Networked Systems Design and Implementation (NSDI '10), which will take place April 28–30, 2010.

Important Dates

Submissions due: Thursday, February 25, 2010, 11:59 p.m. PST
Notification of acceptance: Wednesday, March 24, 2010
Final papers due: Monday, April 5, 2010

Workshop Organizers
Program Chair

Michael Bailey, University of Michigan

Program Committee

Dan Boneh, Stanford University
Nick Feamster, Georgia Institute of Technology
Jaeyeon Jung, Intel Labs, Seattle
Christian Kreibich, International Computer Science Institute
Patrick McDaniel, Pennsylvania State University
Fabian Monrose, University of North Carolina, Chapel Hill
Jose Nazario, Arbor Networks, Inc.
Stefan Savage, University of California, San Diego
Matt Williamson, AVG Technologies
Yinglian Xie, Microsoft Research
Vinod Yegneswaran, SRI International

Go submit your work!

Ask Google's Anti-Malware Team

nospam@example.com (Niels Provos) — Sun, 16 Aug 2009 16:42:12 -0700

Google's Anti-Malware team has prepared a moderator page where web masters and users can ask questions and vote which questions they would like to see answered. The voting period ends on Friday, August 28th at which point the Anti-Malware team will prepare answers for some of the top-rated questions.