25C3 (CCC Congress 2008) Tricks: makes you smile

January 6, 2009 at 10:58 pm - Filed under Team, Hacks, Language EN

Finally back from CCC Conference 2008, thanks Berlin you always provide heaps of fun!

This year, instead of simply attending CCC, I gave a talk in the style of "did you know that ..?" aimed to be entertainment for hackers, a totally underhyped lecture on something interesting and funny.


Tricks: makes you smile

A clever or ingenious device or expedient; adroit technique: the tricks of the trade.

A collection of engaging techniques, some unreleased and some perhaps forgotten, to make pentesting fun again. From layer 3 attacks that still work, to user interaction based exploits that aren't 'clickjacking', to local root privilege escalation without exploits and uncommon web application exploitation techniques.

Well, it seems to have worked out despite my broken English : ) Thanks to those who enjoyed the show and even laughed. That was the goal of it.

You can download the slides in various formats: ODP, PDF, Mirrored PDF.

The first part was about ICMP Redirects, a way to dynamically "optimize" routes that can be abused to poison (MITM) hosts in a way similar to ARP.

Additional information can be found at this URL:

Then I talked about PMTU and how dynamic Maximum Transfer Unit can be abused to create a Denial of Service.

The third item in the agenda was the Mappable Blind SQL Injection discovered by Wisec. The demo was based on the charmap tool that I have developed with him to demonstrate the effectiveness of the attack.

You can download charmap from here: http://www_ush_it/team/ascii/hack-charmap/ http://www_ush_it/team/ascii/hack-charmap/charmap_0.1.tar.gz.

Watch the demo:

The next topic was sudo and how crazy its defaults are: password caching, no tty_tickets and logging to files with weak permissions can cause headaches by themselves, but this was just preparation for the real juice of the talk. Something that seems to be forgotten is that leaving fd0 (stdin) open can lead to unexpected results: this is the case with sudo and su and the TIOCSTI ioctl.

Using this ioctl, characters can be stuffed into the calling terminal's buffer, which will interpret them as if they were typed by the user (terminals are dangerous!).

Download the weaponized poc here for the sudosu madness:

Or watch the high tech demo:

After some old-school trickery one could expect some new stuff! That's why I have included a personal finding that was previously unreleased: client-side, user interaction based exploitation for the masses called "what you see is not what you copy" (the clipboard is your enemy).

Basically when you select Hel<span style="display:none">OMG!</span>lo! (live test here: HelOMG!lo!) from some browsers you are copying HelOMG!lo! while seeing Hello!.

Get a live demo on your UNIX system, just select the first code snippet and paste it to your terminal:

If everything goes right you'll end up executing this file:
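An added example, not part of the original post and not the demo file referenced above: a defender's audit of an HTML fragment for the "what you see is not what you copy" mismatch, listing text that inline styles hide from view but that a selection may still carry. The names `CopyAudit` and `audit` and the list of hiding styles are assumptions of this sketch; it checks inline `style` attributes on well-formed fragments only.

```python
from html.parser import HTMLParser
import re

# Inline style declarations that hide an element from view. Assumption: only
# inline styles are inspected; hiding done by stylesheets or scripts needs a
# rendered DOM to detect.
HIDING = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
    r"|opacity\s*:\s*0(?![.\d])|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "hr", "img", "input", "wbr", "meta", "link"}  # no end tag

class CopyAudit(HTMLParser):
    """Separates text a reader sees from text a selection may carry."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # one flag per open element: hidden, or inside a hidden one
        self.seen, self.copied, self.hidden = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        inherited = self.stack[-1] if self.stack else False
        style = dict(attrs).get("style") or ""
        self.stack.append(inherited or bool(HIDING.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        self.copied.append(data)
        (self.hidden if self.stack and self.stack[-1] else self.seen).append(data)

def audit(html):
    """Return the visible text, the selectable text, and the hidden runs."""
    p = CopyAudit()
    p.feed(html)
    p.close()  # flush trailing text that follows the last tag
    seen, copied = "".join(p.seen), "".join(p.copied)
    return {"seen": seen, "copied": copied, "hidden": p.hidden,
            "mismatch": seen != copied}

# The markup quoted in this post, plus a constructed fragment hiding nothing.
PAGE_EXAMPLE = 'Hel<span style="display:none">OMG!</span>lo!'
CLEAN_EXAMPLE = 'Hel<span style="color:red">lo</span>!'

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, CLEAN_EXAMPLE):
        print(audit(sample))
```

A fragment reported with `mismatch` set is one whose pasted form should be read in a plain-text editor before it goes anywhere near a terminal.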

The last two points in the agenda were the mistake of putting A records in DNS that resolve to (since you are sharing your same origin policy with something on the client) and the local file inclusion to remote code execution research from me and kuza55.

You should really check the slides for everything that has not been discovered by me (slides include links to the original disclosures) since they definitely deserve all the credits and I'm waiting for your comments on my stuff: charmap, the "what you see is not what you copy", the lfi2rce research and so on.

Everything was really exciting and memorable for me, my first international conference as a speaker! Thanks to fukami who encouraged me to do the talk and kuza55 and wisec who were near the stage in case something went wrong.

In closing, I want to salute the people who helped me in all these years!
