Saturday, December 31, 2016

Killing dragons spawned by arithmetic-related security pitfalls

Last week, following my attempt to earn money with financial trading, I glanced through the Black & Scholes model.


This study resulted in OptionsCat, an open-source tool for working with European options. I ran into many arithmetic-related security pitfalls while writing it, which motivated me to study the subject and write this blog post.

I always write my own implementations of the algorithms presented in finance books, because the authors are often careless about security pitfalls. From this article's perspective that is a problem, a dragon, which can be slain by adding a chapter about validation.


Programming languages that allow direct memory access and provide neither buffer boundary checks nor arithmetic overflow checks are particularly vulnerable to integer overflow attacks. An integer overflow often occurs when computing the size of a buffer to allocate, and then leads to a buffer overflow.

 

Look at the following quote:

"Integer overflows cannot be detected after they have happened, so there is no way for an application to tell if a result it has calculated previously is correct. This action can get dangerous if the calculation has to do with a buffer's size or how far into an array to index. Of course, most integer overflows are not exploitable because memory is not being directly overwritten, but sometimes they can lead to other bug classes, frequently buffer overflows. As well as this, integer overflows can be difficult to spot, so even well-audited code can spring surprises."

by blexim - Phrack Volume 0x0b, Issue 0x3c, Phile #0x0a of 0x10


Some people suggest a big-integer library such as LibGMP to solve this. But even with bigints you need to bound the numbers: arithmetic on a bigint built from user input of considerable length can cause a denial of service. Integers are not hard to find in stock-market code, but double is the usual type there, and it brings its own problem if you don't control the magnitude, for example:

#include <math.h>
#include <stdio.h>

/* Multiplies without any check on the magnitude of the operands. */
double mul_code(double x, double y)
{
  return x * y;
}

int main(void)
{
 double a = 90000000000, b = 20000000000000;

 printf("Result: %f\n", mul_code(a, b));
 return 0;
}

If you compile and run it, it prints something like "1799999999999999916112." followed by garbage digits. You ask me, "why does it return that?" Because the operation is not validated and the product exceeds what the type can carry: 90000000000 × 20000000000000 = 1.8 × 10^24 needs more significant digits than a double holds, so the low digits are noise. Unchecked arithmetic like this can cause undefined behaviour and overflow.


Killing dragons in integers 


There are many ways to solve this. One is validating user input: use automata, regular expressions and strnlen() to limit input length. Remember Phrack: the correct way to test for integer overflow during multiplication is to test before multiplying, check whether the number is negative, and replace functions like atoi() with strtol().
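
Putting those three rules together, as an added example that is not code from the post or from OptionsCat: parse an untrusted decimal count with strtoull() instead of atoi() (rejecting signs, whitespace and trailing junk), test the multiplication before it happens, and only then allocate. The function names parse_size, mul_size_checked and alloc_from_input are my own, and the inputs in the comments are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Parse a non-negative decimal count from untrusted text into a size_t.
 * Returns 0 on success, -1 on any defect: NULL, empty, leading sign or
 * whitespace, trailing garbage, or a value that does not fit. strtoull()
 * would silently accept "-1" (it wraps) and " 12", so both are rejected
 * up front by insisting that the first character is a digit. */
int parse_size(const char *text, size_t *out)
{
    if (text == NULL || !isdigit((unsigned char)text[0]))
        return -1;
    errno = 0;
    char *end = NULL;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* too large, or junk after digits */
        return -1;
    if (v > SIZE_MAX)                       /* matters where size_t is narrower */
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Multiply two sizes, checking BEFORE the multiplication as the Phrack
 * article advises. Returns 0 and stores the product, or -1 if it would wrap. */
int mul_size_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Allocate nmemb elements of size bytes from two untrusted decimal strings,
 * refusing instead of allocating a wrapped (too small) buffer. Returns NULL
 * on any failure; the caller owns the returned memory. */
void *alloc_from_input(const char *nmemb_text, const char *size_text)
{
    size_t nmemb, size, bytes;
    if (parse_size(nmemb_text, &nmemb) != 0 || parse_size(size_text, &size) != 0)
        return NULL;
    if (mul_size_checked(nmemb, size, &bytes) != 0)
        return NULL;
    return bytes == 0 ? NULL : malloc(bytes);
}
```

On GCC and Clang the division in mul_size_checked can be replaced by the compiler builtin __builtin_mul_overflow(a, b, &bytes), which returns true on wrap; the explicit division is shown because it is portable to any C compiler.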

 

 

Some operating systems ship library support to mitigate the problem. For example, OS X has os/overflow.h, which lets you write something like this:

#include <os/overflow.h>

size_t bytes;
if (os_mul_overflow(m, n, &bytes)) {
    /* Overflow occurred. Handle appropriately. */
} else {
    /* Allocate "bytes" space. */
}

Another mitigation comes from OpenBSD:

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

// Based on the OpenBSD reallocarray() function http://man.openbsd.org/reallocarray.3
// Fast path: when both operands are below 2^(bits/2) the product cannot wrap,
// so the division is only paid for large operands.
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

void *reallocarray(void *ptr, size_t nmemb, size_t size)
{
 if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
     nmemb > 0 && SIZE_MAX / nmemb < size)
 {
  fprintf(stderr, "integer overflow block\n");  /* DEBUG() in the original */
  return NULL;
 }

 /* Safe to multiply now; realloc() already returns NULL on failure. */
 return realloc(ptr, nmemb * size);
}

Other approaches use libraries and different ways of writing safe integer code, but calling safe_add(), safe_sub(), safe_mul() and safe_div() for every operation becomes very dull in large expressions. Thinking about that, I wrote a solution; look at my project here!


Killing dragons in double



The CERT C book by Robert Seacord has an example of solving the problem for double. Derivatives and futures involve a lot of operations on double, and one way to detect a possible bug is the function fetestexcept():

For input, don't use atof(); replace it with strtod(), and for double look at the following code here.


Thank you for reading.
Cheers!

Monday, August 8, 2016

Steps to create your WAF(web application firewall) in C

By definition (OWASP's, for example), a WAF is a piece of software intended to protect a web app at the application level. Nowadays a WAF's behaviour is not defined by the web app alone: it is not a customized solution specific to one application but, like a general software firewall, contains rules to protect against intrusion across a wide variety of frameworks and codebases.

Firewall burning invaders hehehe!

Let's clear your mind. There is overlap between the different types of firewalls. Software and hardware firewalls are used in their own right to protect networks; WAFs, with their specialized function for web applications, can take the form of either of those two main types. By default a firewall uses a blocklist, protecting against individual, previously logged attacks.

Additionally, it can use an allowlist, defining the allowed users and interactions for the application. Another function is blocking SQL injection and XSS attacks. In another context, WAFs can generate random tokens and place them in forms to stop web robots and automated attacks; this practice can help mitigate CSRF pitfalls.


Before you ask "how do I create my WAF?", I have to bring you some principles, the theory around the facts.


There are two common kinds of WAF:

1. A plugin inside the HTTPd that gets the INPUT or OUTPUT: before the request finishes, it receives the request and blocks some content. It focuses on the HTTP methods POST, GET...

2. This way is my favourite: an independent reverse proxy server. It takes all client requests into the proxy, which analyses the content; if nothing is blocked, it sends all the information on to the backend server.



Number one is cold, and that path is not fully portable. Another bad thing: you need a different plugin for each HTTPd, one for Apache, another for NGINX, IIS, Lighttpd... not cool! If you are not an excellent low-level programmer you can try Twisted in Python; it is easy to make a reverse proxy with it, but it is not the right way because the performance in production is not good. If that annoys you, study Stevens' book on sockets.


OK, the title of this post is "create a WAF in C". The task is entirely done here, commented and with some documentation in LaTeX... relax, you can get it in this repository: https://github.com/CoolerVoid/raptor_waf

 

Raptor WAF is a simple web application firewall written in C following the KISS principle. Polling uses the select() function, which is not better than epoll() or kqueue() from *BSD but is portable. The core of the match engine uses a DFA to detect XSS, SQLi and path traversal; you can see it here: https://github.com/CoolerVoid/raptor_waf/tree/master/doc/test_dfa
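
To show what "a DFA in the match engine" means in practice, here is an added example (mine, not Raptor's engine) that recognises the directory-traversal token "../" (or "..\") in a request target with a four-symbol transition table, plus the decision function a reverse proxy would call on each request line before forwarding it. Function names has_traversal and should_block, and the sample request lines, are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hand-built DFA that accepts any string containing "../" or "..\" (the
 * classic directory-traversal token). Transition table indexed by state and
 * a 4-symbol alphabet: 0 = '.', 1 = '/', 2 = '\\', 3 = anything else. */
enum { S_START, S_DOT, S_DOTDOT, S_HIT, N_STATES };

static const unsigned char dfa[N_STATES][4] = {
    /* '.'       '/'      '\\'     other */
    { S_DOT,    S_START, S_START, S_START },  /* S_START                          */
    { S_DOTDOT, S_START, S_START, S_START },  /* S_DOT:    one dot seen           */
    { S_DOTDOT, S_HIT,   S_HIT,   S_START },  /* S_DOTDOT: "..." keeps last 2 dots */
    { S_HIT,    S_HIT,   S_HIT,   S_HIT   },  /* S_HIT:    absorbing              */
};

static int symbol(char c)
{
    if (c == '.')  return 0;
    if (c == '/')  return 1;
    if (c == '\\') return 2;
    return 3;
}

/* Run the DFA over a request target; 1 = traversal token present, 0 = clean.
 * One pass, no backtracking, no allocation: constant memory per request,
 * which is why a DFA suits a proxy that must not be DoS'd by its own filter. */
int has_traversal(const char *path)
{
    unsigned state = S_START;
    for (const char *p = path; *p != '\0' && state != S_HIT; p++)
        state = dfa[state][symbol(*p)];
    return state == S_HIT;
}

/* Decide a request line "METHOD SP target SP version". Returns 1 if the
 * target trips the DFA (block and log it), 0 to forward to the backend.
 * Malformed or oversized lines are blocked rather than guessed at. */
int should_block(const char *request_line)
{
    const char *sp = strchr(request_line, ' ');
    if (sp == NULL) return 1;                    /* no target at all */
    const char *target = sp + 1;
    const char *end = strchr(target, ' ');
    size_t len = end ? (size_t)(end - target) : strlen(target);
    char buf[2048];
    if (len == 0 || len >= sizeof buf) return 1; /* empty or oversized target */
    memcpy(buf, target, len);
    buf[len] = '\0';
    return has_traversal(buf);
}
```

A real engine has to run this after percent-decoding and path normalisation (so that "%2e%2e%2f" is seen as "../"), otherwise the DFA is trivially sidestepped; the matcher itself stays the same, only its input changes.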


No more words, look at the following:




Thank you for reading this! 
Cheers!

Monday, August 1, 2016

Talking about text classifiers

Over the last year, while researching, I looked into machine learning, trying to detect spam in my private projects. I saw something about KNN, random decision forests and naive Bayes.


Consequently, I wrote a C++ library to classify texts and some slides for a presentation, which you can view at the end of this blog post.

So I chose Naive Bayes because it is one of the simplest classifiers, based on Bayes' theorem with naive (complete) independence assumptions. It is one of the most basic text classification techniques, with applications in email spam detection, document categorization, sexually explicit content detection, personal email sorting, language detection and sentiment detection (I think something like NLP). Despite the naive design and oversimplified assumptions, Naive Bayes performs well in many complex real-world problems. Another good thing: Naive Bayes is suitable for limited CPU and memory resources.
To improve detection accuracy, I use a DFA (deterministic finite automaton) to match patterns and put each mark in a ranking, where each ranking entry has one classification. You can view the following code here. To build your own automaton you can use Flex or Bison instead.
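
As an added example (mine, not the C++ library from the post), here is the multinomial Naive Bayes classifier the paragraph describes, in C to match the rest of this page: a small vocabulary table, Laplace-smoothed word likelihoods per class, and an argmax over the two classes. The training lines in demo_model are constructed toy data, and the function names are my own.

```c
#include <ctype.h>
#include <string.h>

#define MAX_VOCAB 128
#define WORD_LEN  24
#define N_CLASSES 2                  /* 0 = ham, 1 = spam */

struct nb_model {
    char vocab[MAX_VOCAB][WORD_LEN];
    int  nvocab;
    int  word_count[N_CLASSES][MAX_VOCAB]; /* occurrences of word w in class c */
    int  total_words[N_CLASSES];           /* all word occurrences in class c */
    int  docs[N_CLASSES];                  /* documents seen per class */
};

/* Find a word in the vocabulary, optionally adding it. Returns its index
 * or -1 when absent (or when the table is full). */
static int vocab_index(struct nb_model *m, const char *w, int add)
{
    for (int i = 0; i < m->nvocab; i++)
        if (strcmp(m->vocab[i], w) == 0) return i;
    if (!add || m->nvocab == MAX_VOCAB) return -1;
    strcpy(m->vocab[m->nvocab], w);
    return m->nvocab++;
}

/* Tokenise: lower-case alphabetic runs, truncated to WORD_LEN-1 chars.
 * Calls fn(model, word, arg) for each token. */
static void for_each_word(struct nb_model *m, const char *text,
                          void (*fn)(struct nb_model *, const char *, void *), void *arg)
{
    char w[WORD_LEN]; int n = 0;
    for (const char *p = text; ; p++) {
        if (isalpha((unsigned char)*p)) {
            if (n < WORD_LEN - 1) w[n++] = (char)tolower((unsigned char)*p);
        } else if (n > 0) {
            w[n] = '\0'; fn(m, w, arg); n = 0;
        }
        if (*p == '\0') break;
    }
}

static void count_word(struct nb_model *m, const char *w, void *arg)
{
    int c = *(int *)arg;
    int i = vocab_index(m, w, 1);
    if (i < 0) return;                         /* vocabulary full: drop word */
    m->word_count[c][i]++;
    m->total_words[c]++;
}

/* Add one labelled document to the model. */
void nb_train(struct nb_model *m, int cls, const char *text)
{
    m->docs[cls]++;
    for_each_word(m, text, count_word, &cls);
}

static void score_word(struct nb_model *m, const char *w, void *arg)
{
    double *score = arg;
    int i = vocab_index(m, w, 0);
    for (int c = 0; c < N_CLASSES; c++) {
        int count = i < 0 ? 0 : m->word_count[c][i];
        /* Laplace smoothing: an unseen word gets a small non-zero likelihood
         * instead of zeroing the whole product. */
        score[c] *= (count + 1.0) / (m->total_words[c] + m->nvocab);
    }
}

/* Multinomial Naive Bayes: argmax_c P(c) * prod_w P(w|c). Probabilities are
 * multiplied directly, which is fine for short messages; for long documents
 * sum log-likelihoods instead to avoid underflow. Ties go to ham (0). */
int nb_classify(struct nb_model *m, const char *text)
{
    double score[N_CLASSES];
    int total_docs = m->docs[0] + m->docs[1];
    for (int c = 0; c < N_CLASSES; c++)
        score[c] = (m->docs[c] + 1.0) / (total_docs + N_CLASSES);  /* smoothed prior */
    for_each_word(m, text, score_word, score);
    return score[1] > score[0];
}

/* Constructed training corpus (toy data, not from the post). */
struct nb_model *demo_model(void)
{
    static struct nb_model m;
    memset(&m, 0, sizeof m);
    nb_train(&m, 1, "FREE money!!! claim your prize now");
    nb_train(&m, 1, "cheap pills, free shipping, click now");
    nb_train(&m, 1, "you won a prize, click here now");
    nb_train(&m, 0, "meeting tomorrow at 10, bring the report");
    nb_train(&m, 0, "can you review the report before the meeting?");
    nb_train(&m, 0, "lunch tomorrow? let me know");
    return &m;
}
```

The ranking trick from the post slots in front of nb_classify: a DFA hit on a known pattern can add its own weight to score[c] before the argmax, which is exactly where a hand-tuned signal would override the purely statistical evidence.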


If you look at slide 12 of the presentation, you can see my point of view about ranking to improve the accuracy of the classifier's results.

 


So, this is a very cool trick to gain accuracy. No more words, friends. Thank you for reading this!

Cheers!


Wednesday, May 18, 2016

Uncommon trick to bypass windows firewall

When I was about to write this post I remembered a scene from a Monty Python movie. It's about a black knight who blocks a bridge (his main purpose), saying "None shall pass!" to Arthur, a guy who insisted on crossing the bridge in safety. But Arthur kept insisting, so the black knight said: "Then you shall die."

A firewall is supposed to stop all applications that don't have a good reason to get privileged access to computers or networks. If your app could "bypass" it, so could malicious applications. The firewall plays the same role as the black knight, i.e. it prevents anything suspicious from crossing the bridge.

You can configure firewalls to let particular connections through the checks, but sometimes you need physical access to the equipment running the firewall to do that. Don't you have access to the equipment running the firewall? If so, you need to bypass it.

Are you willing to change rules via RegEdit to allow a specific service to run? I have some bad news for you: your antivirus can detect this trick, because it's a common approach used by malware.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • SYSTEM\ControlSet%03d\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Before you say "I can try to hook it" or "I can execute a function like execl() or system() with the argument:
  • netsh advfirewall set currentprofile state off
What if I told you that you can use the Windows API to simulate a keystroke so as to bypass the firewall checks?

Windows has the function SendInput() to simulate a keystroke. This function accepts as argument an array of INPUT structures; each INPUT structure can be either a mouse or a keyboard event. The keyboard event structure has a member called wVk which can be any key on the keyboard.

SendInput() played an important role when writing the code for bypassing Windows firewall. How does it work? 

Firstly, it finds the window titled 'Windows Security Alert' using the function GetWindowText(). Secondly, it calls SendInput() with the TAB and ENTER keys to choose the 'Allow access' button. As simple as that.

Take a look at the following video:



Take a look at my code that bypasses Windows firewall:
https://github.com/CoolerVoid/X_files/blob/master/docs/PoCs/bypass_firewall_windows.cpp 

This is a very cool trick. No more words, friends. Thank you for reading this!


Cheers!

Thursday, April 21, 2016

Hack any TV remote control

Do you have an old TV remote? What if I told you that you can write your own code to communicate with this remote controller?

You can do it!

Infrared remote controls are cool; the idea of this blog post is to turn one into a presentation tool. With this remote it is easy to keep your finger on the advance button and simply advance the slides, or go back, in your favourite PDF viewer.

Think like MacGyver: handle a difficult situation through improvisation, using only the available materials to do something intelligent...

OK, let's go to the hack...

First step, you need to get some things:

  • Computer with a Unix-like OS (in my tests I used Fedora Linux)
  • Any TV remote control (I used a Samsung model "AA59-00469A")
  • Arduino Nano, 12.00 USD
  • IR receiver (model "1838B"), 2.00 USD
  • Jumpers, 1.00 USD
  • Breadboard, 2.50 USD

The total cost is 17.50 USD, which looks good, it is not expensive. Try following this image to assemble your hardware:




  • Green wire is GND
  • Orange wire is 5V
  • Yellow wire is pin 6 (the input for communication with the Arduino)
  • USB connected to the Arduino (the Nano series usually uses an FTDI input)

Second step, mapping your TV remote control:

In this step we get some libraries, as follows:

  • $ git clone https://github.com/shirriff/Arduino-IRremote 
  • $ mv Arduino-IRremote ArduinoRemote; sudo cp -rf ArduinoRemote/ /usr/share/arduino/libraries 

In your Arduino IDE you can view usage examples under the "File" tab; load the example that shows the serial input, like the following:




The function Serial.println() prints what arrives on the serial input. For example, when you hold button one of the TV remote control, it prints the hexadecimal value "E13DDA28".

Once the button mapping is done, the next step is to use the open() syscall to open the file "/dev/ttyUSB0" and the read() syscall to get the INPUT from the Arduino device; remember to put a different condition on each button code the device sends.

To automate key presses on a Unix-like system you need libraries such as libXtst and libX11 to emulate the keys that turn the presentation's slides. To install these libraries:
$ yum install libXtst-devel libX11-devel
On deb-based distros use apt-get install pkg_name-dev

To get the final code, rewrite lines 152 and 159 with the addresses from your button mapping, then compile it and run:

$ git clone https://github.com/CoolerVoid/arduino_ppt_walk 
$ gcc IR_remote.c -o IR_remote -lX11 -lXtst -Wall
$ ./IR_remote /dev/ttyUSB0
Look at the following:

https://www.youtube.com/watch?v=Wx64BfLgxQU
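
As an added example of the serial side of the procedure above (mine, not the IR_remote.c from the repository), this reads the Arduino device with open() and read(), reassembles the lines the sketch prints (a code can arrive split across two reads), maps each code to an action and ignores the key-hold repeat marker so one press cannot skip several slides. The button table is hypothetical: "E13DDA28" is the code quoted above for button one, "DEADBEEF" is a placeholder for your own "back" key, and 9600 8N1 is assumed to be the rate of the IRrecv example sketch. The X11 key emulation is left as a comment so the example runs without an X server.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

enum action { ACT_NONE, ACT_NEXT, ACT_PREV, ACT_COUNT };

/* Hypothetical button map: replace the codes with the ones your sketch
 * prints for your own remote. IRremote prints FFFFFFFF while an NEC remote
 * repeats a held key, so that line maps to no action. */
static const struct { const char *code; enum action act; } buttons[] = {
    { "E13DDA28", ACT_NEXT },   /* button one, the code quoted in the post */
    { "DEADBEEF", ACT_PREV },   /* placeholder: map your own "back" key   */
    { "FFFFFFFF", ACT_NONE },   /* repeat marker: ignore                  */
};

/* Map one complete serial line to an action; unknown codes do nothing. */
enum action decode_button(const char *line)
{
    for (size_t i = 0; i < sizeof buttons / sizeof buttons[0]; i++)
        if (strcmp(line, buttons[i].code) == 0) return buttons[i].act;
    return ACT_NONE;
}

struct line_buf { char buf[32]; size_t len; };

/* Reassemble lines from arbitrary read() chunks and call handle() once per
 * complete line. CR and LF both terminate; a line longer than the buffer is
 * dropped, never truncated into something that looks like another code. */
void feed_bytes(struct line_buf *lb, const char *data, size_t n,
                void (*handle)(enum action, void *), void *ctx)
{
    for (size_t i = 0; i < n; i++) {
        char c = data[i];
        if (c == '\n' || c == '\r') {
            if (lb->len > 0 && lb->len < sizeof lb->buf) {
                lb->buf[lb->len] = '\0';
                handle(decode_button(lb->buf), ctx);
            }
            lb->len = 0;
        } else if (lb->len < sizeof lb->buf) {
            lb->buf[lb->len++] = c;   /* once full, extra bytes are ignored */
        }
    }
}

/* Handler that tallies actions into an int[ACT_COUNT]; used for checking. */
void count_actions(enum action a, void *ctx)
{
    ((int *)ctx)[a]++;
}

/* Open the Arduino's serial device at 9600 8N1. Returns the fd or -1. */
int open_serial(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOCTTY);
    if (fd < 0) return -1;
    struct termios tio;
    memset(&tio, 0, sizeof tio);           /* raw mode: no echo, no line editing */
    tio.c_cflag = CS8 | CREAD | CLOCAL;    /* 8 data bits, receiver on, ignore modem lines */
    tio.c_cc[VMIN] = 1;                    /* read() blocks until at least one byte */
    tio.c_cc[VTIME] = 0;
    cfsetispeed(&tio, B9600);
    cfsetospeed(&tio, B9600);
    if (tcsetattr(fd, TCSANOW, &tio) < 0) { close(fd); return -1; }
    return fd;
}

static void print_action(enum action a, void *ctx)
{
    (void)ctx;
    /* This is where libXtst goes: XTestFakeKeyEvent() for Page_Down /
     * Page_Up. Printing keeps the example free of an X dependency. */
    if (a == ACT_NEXT) puts("next slide");
    else if (a == ACT_PREV) puts("previous slide");
}

int main(int argc, char **argv)
{
    int fd = open_serial(argc > 1 ? argv[1] : "/dev/ttyUSB0");
    if (fd < 0) { perror("open_serial"); return 1; }
    struct line_buf lb = { {0}, 0 };
    char chunk[64];
    ssize_t n;
    while ((n = read(fd, chunk, sizeof chunk)) > 0)
        feed_bytes(&lb, chunk, (size_t)n, print_action, NULL);
    close(fd);
    return 0;
}
```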

Saturday, April 16, 2016

Solving the fizzbuzz problem in Assembly code

Hello ladies and gentlemen, also the loyal readers of my blog. In this post, we will not be working with optimization techniques. Instead, I will share a small challenge that I worked on. Working on a small challenge can be a good way of relieving stress at the end of the day.

For those who don't know, the problem is about replacing a number that is a multiple of 3 or 5 by Fizz or Buzz, respectively. Numbers that are multiples of both 3 and 5 should be replaced by "FizzBuzz".

More information about the problem can be found  here.

This problem can be easily solved using a high-level programming language, but if you use Assembly language instead, it's harder.

That's basically what I am going to share with you. I solved fizzbuzz using x86-64 Assembly with Intel syntax.

Let's take a look at the code:

;; Author: CoolerVoid
;;
;; https://en.wikipedia.org/wiki/Fizz_buzz
;; for multiples of three print "Fizz" instead of the number, and for the multiples of five print "Buzz".
;; For numbers which are multiples of both three and five print "FizzBuzz".
;;
;; $ nasm -g -f elf64 fizz_buzz_game.asm -o buzz.o
;; $ ld -m elf_x86_64 buzz.o -o gamebuzz; ./gamebuzz
section .data
 tick db 'tick'
 fizz db 'fizz'
 buzz db 'buzz'
 newline db 0xA
section .bss
 three resb 1      
 five resb 1      
 zero resb 1      

section .text
global _start

_start:
 xor si, si
 mov si,      0xFF
 mov [three], byte 0x3
 mov [five],  byte 0x5

Loop:
 push si   
 mov [zero], byte 1
 sub [three], byte 1
 mov bl, [three]
 cmp [three], byte 0
 jne Zero_Fizz
 mov [three], byte 3
Zero_Fizz: 
 xor rax, rax   
 cmp bl, 0x0
 jnz Not_Fizz
 mov [zero], byte 0
 mov rax, 4              ; syscall write()
 mov rbx, 1
 mov rcx, fizz
 mov rdx, 4
 int 0x80
Not_Fizz:
 sub [five], byte 1
 mov bl, [five]

 cmp [five], byte 0
 jne Zero_Buzz
 mov [five], byte 5
Zero_Buzz: 
 xor rax, rax  
 cmp bl, 0x0
 jnz Not_Buzz
 mov [zero], byte 0
 mov rax, 4           ; syscall write()
 mov rbx, 1
 mov rcx, buzz
 mov rdx, 4
 int 0x80
Not_Buzz:
 xor rax, rax
 mov al, [zero]
 cmp al, 0x0
 jz Not_Tick
 mov rax, 4         ; syscall write()
 mov rbx, 1
 mov rcx, tick
 mov rdx, 4
 int 0x80
Not_Tick:
 push 0x0
 xor rax, rax
 mov rax, 4         ; syscall write()
 mov rbx, 1
 mov rcx, newline
 mov rdx, 1
 int 0x80
 pop rax
    
 pop si
 dec si
 jnz Loop
    
 mov rax, 1        ; syscall exit()
 mov rbx, 0
 int 0x80


If you have familiarity with Assembly, you will notice that the solution is simple. For those unfamiliar, Assembly is not hard, but it does require that the programmer pays attention to slight details.

If you are in doubt, you can decrease the value 0xFF at line 24 and run it again; it is all right to do this...

My fifty cents ! CHEERS !



Friday, January 8, 2016

Simple fast string comparison with SSE4.2


Hello ladies and gentlemen, Royal readers of my blog !


No more jokes. I wrote this post in English, consequently I need to practise in other languages (to study)... keep warned and prepare your eyes (it will be a hard experience, my English is not very good).

Last week, while researching search algorithms to gain some performance in my private projects, I saw something about "SSE4.2". When I saw the possibility of using "xmm0" (a 128-bit register) I thought "oh my god! I wanna use it! This is awesome!". I spent some days studying it with my friend João Victorino aka "Pl4kt0n", and after studying the concepts around SSE4.2 I ended up writing a program.

Relax, bros! There is no karate trick here!

To explain: I wrote two functions, one using the plain "strcmp()" and the other my implementation in SSE4.2 assembly (I changed AT&T to Intel syntax, because AT&T is very boring and I find it easier to follow the examples in Intel's manual). I also tested my "strcmp()" against an array of words to collect results like CPU cycles for the benchmark, so we have something to compare, just a simple choice to view and compare on a bar plot made with "gnuplot".

You can view the result here, and the gnuplot command here!



OK Cooler_, what's the trick?

So there is no trick: generic conditions give common results, so I followed another way to find an uncommon result...

This code has no trick. I use the instruction "pcmpistri" (Packed Compare Implicit Length Strings, Return Index), and "movdqu" (move unaligned double quadword) must be used to transfer the data into an XMM register. With these instructions you can do many things with strings; take a look at the following:

global strcmp_sse42_64
; by Cooler_  c00f3r[at]gmail[dot]com
; 64 bit
; nasm -f elf64 code.s -o code.o
; int strcmp_sse42_64(const char *, const char *);  // declare in C code
strcmp_sse42_64:
    push        rbp
    mov     rbp, rsp
    mov     rax, rdi
    mov     rdx, rsi
    sub     rax, rdx
    sub     rdx, 16     ; pcmpistri compares 16 bytes per iteration, so step by 16 (32 would skip half of each string)
  
strloop_64:
    add     rdx, 16
    movdqu      xmm0, [rdx]
    pcmpistri   xmm0, [rdx+rax], 0011000b ;compare... jump again if above...
    ja      strloop_64
    jc      blockmov_64 ; jump 2 movzx
    xor     rax, rax ; clear return result...
    jmp     quit
 
blockmov_64:
    add     rax, rdx    
    movzx       rax, byte[rax+rcx] ; move with zero
    movzx       rdx, byte[rdx+rcx]
    sub     rax, rdx    
     
quit:
    pop     rbp
    ret
So I use it to hook the functions, 32-bit and 64-bit versions:

#include <stdint.h>

int strcmp_sse42_32(const char *, const char *);  /* from the 32-bit .s file */
int strcmp_sse42_64(const char *, const char *);  /* from the 64-bit .s file */

#if UINTPTR_MAX == 0xffffffff
static int (*strcmp_sse42)(const char *, const char *) = strcmp_sse42_32;
#elif UINTPTR_MAX == 0xffffffffffffffff
static int (*strcmp_sse42)(const char *, const char *) = strcmp_sse42_64;
#else
#error "unsupported architecture"   /* statements cannot appear at file scope */
#endif
Before hooking it, you need to check whether or not your machine has SSE4.2 support. There are many ways of doing it, however, for the sake of simplicity, let’s go with the following one:

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Execute CPUID for the requested leaf and return EAX, EBX, ECX, EDX in
 * cpuinfo[0..3]. EBX/RBX is swapped through EDI/RDI around the instruction
 * because the compiler may reserve it (PIC base register). */
void cpu_get(int *cpuinfo, int info)
{
#if UINTPTR_MAX == 0xffffffff
 __asm__ __volatile__(
  "xchg %%ebx, %%edi;"
  "cpuid;"
  "xchg %%ebx, %%edi;"
  :"=a" (cpuinfo[0]), "=D" (cpuinfo[1]), "=c" (cpuinfo[2]), "=d" (cpuinfo[3])
  :"0" (info)
 );
#elif UINTPTR_MAX == 0xffffffffffffffff
 __asm__ __volatile__(
  "xchg %%rbx, %%rdi;"
  "cpuid;"
  "xchg %%rbx, %%rdi;"
  :"=a" (cpuinfo[0]), "=D" (cpuinfo[1]), "=c" (cpuinfo[2]), "=d" (cpuinfo[3])
  :"0" (info)
 );
#endif
}

/* CPUID leaf 1: bit 20 of ECX reports SSE4.2 support. */
void test_sse42_enable(void)
{
    int cpuinfo[4];
    int sse42 = 0;

    cpu_get(cpuinfo, 1);

    sse42 = (cpuinfo[2] & (1 << 20)) != 0;

    if (sse42)
        puts("SSE4.2 Test...\n OK SSE 4.2 instruction enable !\n");
    else {
        puts("SSE4.2 Not enabled\n your CPU need SSE 4.2 instruction to run this programm\n");
        exit(0);
    }
}

Look at all the source code here!


$ git clone https://github.com/CoolerVoid/cooler_sse42_strcmp
$ make; ./test
SSE4.2 Test…
OK SSE 4.2 instruction enable !

::: strcmp() with SSE42: 2812 cicles
Array size of words is: 245
Benchmark strcmp() with SSE42 matchs is: 84

::: simple strcmp(): 12663 cicles
Array size of words is: 245
Benchmark strcmp() matchs is: 84
$ cat /proc/cpuinfo | grep "model name"
model name : Intel(R) Core(TM) i5-4690K CPU @ 3.50GHz
$ gcc -v | grep "gcc version"
gcc version 4.8.3 20140911 (Red Hat 4.8.3-7) (GCC)
$ uname -a
Linux localhost.localdomain 3.15.10-201.fc20.i686 #1 SMP Wed Aug 27 21:33:30 UTC 2014 i686 i686 i386 GNU/Linux

SSE is very common in image processing, and game developers use it too; take a look at the following:
https://software.intel.com/en-us/articles/using-intel-streaming-simd-extensions-and-intel-integrated-performance-primitives-to-accelerate-algorithms

Do you like CPU features? Look at this.

Well well well, a cup of moloko for my little droogies.

My fifty cents! CHEERS!

The magic of bits

 Before the long tale to the course of magic bits, let's gonna for a little walk in the world of C language. Variable of type int has 4 ...