the xz sshd backdoor rabbithole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n
auth bypass confirmed!
> INFO:paramiko.transport:Authentication (password) successful!
mm_keyallowed_backdoor cmd 1 allows overriding the response for mm_answer_authpassword with a custom one. if you set it to { u32(9), u8(13), u32(1), u32(0) } you can log in with any pass 🤓
xz bd engineer 1: bro, we need a way to probe the address space to make sure we never SEGV sshd
xz bd engineer 2: we'll just do a pselect syscall with empty fd sets, a timeout of 1 nanosecond and the addr we want to probe is passed as the sigmask pointer, EFAULT means unmapped
.. since this tweet is ballin' slightly outta control:
1) image was stolen from @njudah@sfba.social on the fediverse, not my neighbourhood (SF)
2) all the printers I currently own will only display this quirky animation: -- who do I contact??
While @bl4sty only scored a COLLISION (non-unique bug) - Peter definitely gets a boatload of STYLE POINTS for this hack on a Canon printer @ #P2OToronto #Pwn2Own
you gotta appreciate the way they shipped the backdoored object file. added some "test" data to the source tree that gets unxz'd and (dd) carved in a specific way, that is fed into a deobfuscator written in.. awk script and the result gets unxz'd again
whoever designed this stuff had to take a deep dive into openSSH(d) internals (and so did I for the past couple of days, oof) .. hats off, once again :)
q3k from @DragonSectorCTF has figured out the string/symbol obfuscation in the xz backdoor! there appears to be a lot more going on than reported in the initial report.
If you are hard at work scanning the internet for CVE-2021-41773 (apache 2.4.49 path traversal thing).. also try /icons instead of just /cgi-bin, enjoy the increased success rate. :-P
some people asked for the code .. so I decided to quickly refactor my scrappy paramiko script and turned it into an ssh agent implementation that works with a vanilla openssh client that has a single line patched out.
it requires sending a properly crafted command to the RSA_public_decrypt hook, which will then install another for the `mm_answer_keyallowed` sshd function. subsequently you offer N more fake ssh-rsa pubkeys which are crafted in a special way to chunk together .. 2/n
Last night @lockedbyte showed you how we managed to exploit sudo with a partial overwrite of a funcptr and some small bruteforce. Today.. we do it single-shot with some help of glibc/nss.
currently I'm just triggering command 0x03 in this part of the code, which allows for a basic RCE through system() again. (also lets you set uid/gid). but there's more code that needs to be understood. it looks like a full auth bypass (interactive session) is possible!
a "magic buffer" which contains more backdoor commands, this buffer also has two additional ed448 signatures. which like the ones for the RSA_public_decrypt portion of the backdoor are salted with the SHA256 digest of the hostkey
To celebrate @WyzeCam's decision to release a firmware update a day before this year's Pwn2Own Toronto competition.. I've decided to release the exploit for my (killed) bugchain:
.. maybe next time they will not withhold patches for critical bugs? 🙃
the final signature also takes into account the session_id (0x20 bytes) that is derived during the initial key exchange (KEX) for the SSH session. my current PoC implementation uses a heavily monkey patched paramiko (ssh client) library to achieve this
New version of sudo exploit is up at (old archive has been replaced too). Made things more generic and added support for Debian Buster (sudo 1.8.27). More targets are welcome! :-) (Maybe some aspiring x-dev can code a finder)
Our teammate @hungtt28 finished writing the blog post for that.
We hope it's useful.
Thanks to @TaDinhSung @bruce30262 @_jsoo_ & Frances for proof-reading and @buttburner for the cute cats.
Don't worry, no cats were harmed during the entire process.
@WyzeCam I will not submit to your beg bounty program that only pays in "trust", "respect", "transparency" and "common good". [1]
none of those put bread on the table.. 😂
[1]:
what a wonderful disclosure timeline in @chompie1337's latest blog post. people attempt to hide vuln fix commits by redacting the e-mail address you report bugs with 😂
cursory examination leads me to believe contributor Jia Tan <jiat0218@gmail.com> was actually complicit in this whole ordeal, or he was forced to for some reason. either that or someone who compromised his stuff is really good at LARP'ing as the guy
great stuff: -- we had independently confirmed the same details over the past 2 days. there's more to be uncovered/understood. the engineering effort of the xz backdoor is crazy. some weird design decisions though..
SSH agent forwarding just became even more dangerous. 😂-- leave it to the creative minds at Qualys to turn a series of dlopen()+dlclose() calls (of unrelated/benign shared libraries) into arbitrary code exec, hats off!
Slightly revised copy of blasty-vs-pkexec.c available here: -- Might work better against your annoying ArchLinux coworkers and is more self contained as a bonus. (No more system("gcc") lol, thanks @_darrenmartyn and others for this suggestion)
I contributed a task to this year's @PotluckCTF that contains an emulator for a custom ISA. one of the players actually implemented a decompiler for it by lifting to binja's IL. mind you: this is a 24h long CTF! very neat to see current tooling makes things like this feasible!
RCE exploit (LAN, but probably WAN with some CSRF/SSRF imagination) for ZTE H368N/H369A (and probably others) modems. Dropped this (amongst other stuff) at @WarConPL last month. No time/energy/interest for contacting vendor, so enjoy the 0day!
The Linux (e)BPF bytecode verifier, the gift that keeps on giving! Wrote an exploit for CVE-2020-27194. :-) Shout out to @scannell_simon for the bug and @_manfp for exploitation strategy inspiration!
I've lost count of how many eBPF verifier vulns we've seen in Linux over the years. You want to make sure unprivileged bpf syscalls are not allowed on your machines (configurable through kernel.unprivileged_bpf_disabled).
Got quite a few questions about the post-exploitation payload for the printer(s), here is the code:
It even runs in the browser thanks to the power of Emscripten/WASM:
EHLO mailserver
AUTH AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARRRGGGHHHHHH..
any actual details? 🙃
here I was hoping for the cURL bug to be something useful to upgrade a SSRF to have new superpowers or something similar. 🙃
good luck exploiting this heap overflow on a modern-ish libc in a remote context with valid hostname characters for the trigger
For what it's worth, should be a piece of cake to adapt to work with CVE-2020-8835 (as used by @_manfp at Pwn2Own 2020) as well. Not sure about releasing this code right now although personally I couldn't care less as the bugs are dead anyway. ;-)
public announcement for Bad Actors™️ who are wget'ing/cURL'ing exploit code directly from my website to (potentially) vulnerable endpoints: please re-host the code elsewhere, I don't need to know where your shellz live. 😅
a myriad of libcrypto routines are being resolved, password auth is likely bypassed as well. logging infra for sshd is hooked to prevent auth bypasses ending up in syslog. there's hooks for setresgid/setresuid, likely used to prevent privdrop when auth'ing as non-root
Success! The Midnight Blue (@midnightbluelab) / PHP Hooligans team executed their attack against the Sony XAV-AX5500. They're off to the disclosure room for confirmation. #Pwn2Own
Lexmark published an advisory in response to my published work: -- apparently it affects ~130 of their printer models, not a bad haul! *pats himself on the back* 🤣 Only took them 13 days to come up with a response/fix; irresponsible disclosure works!
Update:
Crowdstrike came out and released a technical report confirming my analysis. They were reading in a bad data file and attempting to access invalid memory.
This global crash was a two-part bomb. The detonator apparently, was NOT new.. it was PRE-INSTALLED.
/1
'auth_root_allowed' is also resolved for sshd instances that don't allow root login (common), and there's a mystery string I haven't been able to find referenced in the code so far: "yolAbejyiejuvnup=Evjtgvsh5okmkAvj"
New: this NFT will steal your IP address.
Viewing this and some other NFTs on marketplace OpenSea will send your IP to the NFT creator, because OpenSea lets people load custom code, including HTML. NFTs can gather data on viewers. Confirmed with my own IP
We (@rdjgr, carlo from @midnightbluelab & me) landed 3rd place! 🎉
The payout could have been better (damn drawing) but fortunately none of our bugs were dupes. For one target we actually had 3 distinct exploits lined up and picked "the right one" last minute-ish.🙃
The first ever #Pwn2Own Automotive is in the books! We awarded $1,323,750 throughout the event and discovered 49 unique zero-days. A special congratulations to @synacktiv, the Masters of Pwn! Stay with us here and at the ZDI blog as we prepare for Pwn2Own Vancouver in March.
I have decided to give back to my community.
All 0day sent to my address below will be sent back doubled. I am only doing a maximum of 50,000 0day.
0day@haxx.in
Enjoy!
#0dayponzischeme
Now @Zerodium is paying $2.5 million for Android full chains (iOS chains still at $2M) as Google/Samsung have considerably improved their security. iOS chains (1-click) e.g via Safari reduced to $1M as there's a bunch of them on the market, sad but true.
to everyone who buys into the Wyze story that they were only made aware of the auth bypass right before the competition: ask yourself why did they only bother addressing the issue in the Wyze Cam V3 (pwn2own target)? and not their other products that have the same bug? 🤐
@0xTib3rius @WyzeCam They are free to patch whatever they want at any time of course. The timing here was just very fishy and seemed to be related to thwarting pwn2own entries. If we take their word for it and they were only made aware of the vulnerability right before the competition, then why.. 1/n
hey @thegrugq whenever you finally make that follow up talk of "OPSEC: because jail is for wuftpd" make sure to include this gem (source: "incognito market" complaint: )