An update to this post using the linux-hardened project is available here. USB has some surprising security implications: when a device is plugged in, the operating system generally loads the appropriate driver and initializes it. For example, plugging a device into an unlocked computer can execute code, since the device can act as a USB keyboard. This is how the "BadUSB" series of attacks work. Samy Kamkar's Poisontap project has been getting a lot of press recently. It's a little more inter...| https://blog.lizzie.io
I read this document but had a little trouble understanding it at first: "Vulnerability: POINTYFEATHER aka Tar extract pathname bypass": Tar will happily extract files & directories into an arbitrary location when supplied with a suitably crafted archive file. If a target system is extracting an attacker supplied file, the vulnerability can be exploited to gain file overwrite capability. So, some notes: tar has a long history of security issues. For example, tar files can contain paths like /...| https://blog.lizzie.io
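The advisory's point is that tar's own path handling cannot be trusted to keep a hostile archive inside the destination directory, so the practical defence is to inspect members before anything is written. The following is an added example, not code from the post or from GNU tar, that walks an archive in member order and flags the cases an extraction-path bypass relies on: absolute names, `..` traversal, link targets outside the destination, and a regular file written through a symlink created earlier in the same archive. The destination `/tmp/out` and the sample archive are constructed for the example.

```python
"""Pre-extraction check for tar members that would escape the destination
directory.  Added example, not code from the post or from GNU tar; the
archive built below is constructed in memory to exercise each case."""
import io
import os
import posixpath
import tarfile


def resolves_inside(dest: str, rel: str) -> bool:
    """True if dest/rel, lexically normalised, is still under dest."""
    dest = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest, rel))
    return target == dest or target.startswith(dest + os.sep)


def path_prefixes(name: str):
    """'a/b/c' -> ['a', 'a/b']: the directories a member is written through."""
    parts = name.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def unsafe_members(tar: tarfile.TarFile, dest: str = "/tmp/out"):
    """Return [(member name, reason)] for every member that must not be
    extracted into dest.  Members are checked in archive order because a
    symlink created earlier changes where a later member's data lands."""
    bad = []
    symlinks = set()  # normalised names of symlink members seen so far
    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        # Absolute names, or names whose '..' components climb out of dest.
        if posixpath.isabs(m.name) or name == ".." or name.startswith("../"):
            bad.append((m.name, "path escapes destination"))
            continue
        # A file under a directory that an earlier member turned into a
        # symlink: tar follows the link on disk, so the data lands elsewhere.
        through = next((p for p in path_prefixes(name) if p in symlinks), None)
        if through is not None:
            bad.append((m.name, f"written through symlink {through!r}"))
            continue
        if m.issym() or m.islnk():
            if m.issym():
                symlinks.add(name)
                # A relative symlink target resolves from the link's own directory.
                link_rel = posixpath.join(posixpath.dirname(name), m.linkname)
            else:
                # Hard link targets are archive-root relative.
                link_rel = m.linkname
            if posixpath.isabs(m.linkname) or not resolves_inside(dest, link_rel):
                bad.append((m.name, f"link target {m.linkname!r} escapes destination"))
    return bad


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file and four hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        def add_file(name: str, data: bytes = b"x") -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))

        add_file("ok/readme.txt")            # fine
        add_file("../../etc/cron.d/evil")    # climbs out of dest
        add_file("/etc/passwd")              # absolute path
        link = tarfile.TarInfo("lnk")        # symlink pointing outside dest ...
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        t.addfile(link)
        add_file("lnk/passwd")               # ... then a file written through it
    return buf.getvalue()


def check_sample():
    """Run the check over the constructed archive; returns the rejected members."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as t:
        return unsafe_members(t)


if __name__ == "__main__":
    for name, reason in check_sample():
        print(f"REJECT {name}: {reason}")
```

The check is lexical: it is meant to run before `extractall()` on an archive you have not yet written to disk, and to reject the whole archive if any member fails. Recent Python releases also offer `extractall(filter="data")`, which enforces similar rules inside the library; the explicit pass above is still useful when you need to log why an archive was refused or to apply the same policy to an external tar binary.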
It doesn't work to just check structs against for example| blog.lizzie.io
I saw this recently: Listing 55: CVE request: GNU Guile <= 2.0.12: REPL serverGNU Guile, an implementation of the Scheme language, provides a “REPL server” which is a command prompt that developers can connect to for live coding and debugging purposes. The REPL server is started by the ‘--listen’ command-line option or equivalent API. Christopher Allan Webber reported that the REPL server is vulnerable to the HTTP inter-protocol attack as described at <https://en.wikipedia.org/wiki/In...| https://blog.lizzie.io
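The inter-protocol attack works because the REPL server reads lines from a TCP socket and a browser can be made to send an HTTP POST to that socket: every line of the request, headers included, arrives as REPL input, and the attacker controls the body. The following is an added example, not Guile's code or the advisory's: the REPL is a stand-in that only records which lines would reach evaluation, the request bytes are constructed from what a `text/plain` form submission looks like on the wire, and the port 37146 and the form markup are assumptions made for the illustration.

```python
"""Inter-protocol attack against a line-oriented service, and a first-line
guard.  Added example, not Guile's code: the REPL below is a stand-in that
records which lines reach evaluation; the request bytes are constructed."""
import re

HTTP_REQUEST_LINE = re.compile(r"^[A-Z]{3,10} \S+ HTTP/\d\.\d$")

# Constructed wire bytes for a hostile page containing
#   <form action="http://localhost:37146/" method="POST" enctype="text/plain">
#   <input name='(system "touch /tmp/pwned") ;' value="x">
# text/plain form encoding sends name=value with no escaping; the ';' opens
# a Scheme comment so the '=x' tail is ignored by the reader.
ATTACK_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: localhost:37146\r\n"
    b"Origin: http://attacker.example\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b'(system "touch /tmp/pwned") ;=x\r\n'
)


def looks_like_http_request(first_line: str) -> bool:
    """No interactive REPL client ever legitimately opens with 'METHOD target HTTP/x.y'."""
    return HTTP_REQUEST_LINE.match(first_line) is not None


def toy_eval(line: str):
    """Stand-in for the Scheme reader: a line holding one parenthesised datum
    (after dropping a ';' comment) is 'evaluated'; anything else is a read
    error, which a real REPL reports and then keeps reading."""
    code = line.split(";", 1)[0].strip()
    return code if code.startswith("(") and code.endswith(")") else None


def line_repl(stream: bytes, guard: bool):
    """Feed a raw TCP stream to the toy REPL; return the lines it evaluated.
    With guard=True the connection is dropped on an HTTP request line."""
    lines = [l.rstrip("\r") for l in stream.decode("latin-1").split("\n")]
    if guard and lines and looks_like_http_request(lines[0]):
        return []  # hang up before any further line is read
    evaluated = []
    for line in lines:
        result = toy_eval(line)
        if result is not None:
            evaluated.append(result)
    return evaluated


if __name__ == "__main__":
    print("unguarded:", line_repl(ATTACK_REQUEST, guard=False))
    print("guarded:  ", line_repl(ATTACK_REQUEST, guard=True))
```

Binding the REPL to 127.0.0.1 is not a mitigation here, since the browser making the request is on the same host. Dropping connections whose first line parses as an HTTP request line, as above, closes this particular path; a listener on a Unix socket with filesystem permissions, or one that demands an out-of-band secret before evaluating anything, closes it more generally.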
Before Linux 4.6, the default value of /proc/sys/kernel/perf_event_paranoid was 1, and so any Linux process could sample kernel addresses with perf_event_open's PERF_SAMPLE_IP. So you can break KASLR by sampling the addresses and taking the minimum. Listing 59: perf_rip_find.c/* -*- compile-command: "gcc -Wall perf_rip_find.c -o perf_rip_find" -*- */ #include <fcntl.h> #include <unistd.h> #include <stdio.h> #include <stdint.h> #include <sys/ioctl.h> #include <sys/mman.h> #include <sys/syscall...| https://blog.lizzie.io
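The post's listing is cut off above, so here, as an added example that is not the post's perf_rip_find.c, are the two parts of the technique that can be shown without calling perf_event_open: deciding from perf_event_paranoid whether an unprivileged process may record kernel instruction pointers at all, and reducing a set of PERF_SAMPLE_IP values to the lowest kernel address, which is the post's KASLR estimate. The sampled addresses are constructed, not captured, and the slide estimate from the unrandomised x86_64 text base is an assumption added here, not something the post states.

```python
"""perf_event_paranoid policy check and the 'take the minimum' reduction of
sampled kernel IPs.  Added example, not the post's perf_rip_find.c; the
sample IPs are constructed, not captured from a real machine."""
PARANOID_PATH = "/proc/sys/kernel/perf_event_paranoid"

# x86_64: user-space addresses sit in the lower canonical half, kernel
# addresses in the upper half, so this boundary separates the two.
KERNEL_SPACE_START = 0xFFFF800000000000
# Unrandomised x86_64 kernel text base and the 2 MiB granularity KASLR
# slides it by (CONFIG_PHYSICAL_ALIGN).  Used only by the assumption below.
DEFAULT_TEXT_BASE = 0xFFFFFFFF81000000
KASLR_ALIGN = 0x200000


def parse_paranoid_level(text: str) -> int:
    return int(text.strip())


def unprivileged_kernel_sampling_allowed(level: int) -> bool:
    """perf_event_paranoid semantics for users without CAP_SYS_ADMIN:
    -1 almost everything; 0 no raw tracepoints; 1 additionally no CPU-wide
    events; 2 additionally no kernel profiling (the 4.6+ default);
    3 (Debian/linux-hardened patch) no unprivileged perf at all."""
    return level <= 1


def current_level(path: str = PARANOID_PATH) -> int:
    with open(path) as f:
        return parse_paranoid_level(f.read())


def lowest_kernel_ip(ips):
    """The post's estimator: drop user-space samples, take the minimum."""
    kernel = [ip for ip in ips if ip >= KERNEL_SPACE_START]
    return min(kernel) if kernel else None


def estimate_kaslr_slide(lowest_ip: int) -> int:
    """Assumption (not in the post): the lowest hit lies in the first 2 MiB
    of kernel text, so rounding it down gives _text and subtracting the
    unrandomised base gives the slide."""
    return (lowest_ip & ~(KASLR_ALIGN - 1)) - DEFAULT_TEXT_BASE


# Constructed PERF_SAMPLE_IP values: three kernel hits, two user-space hits.
SAMPLES = [
    0x00007F3A1C0E2B10,
    0xFFFFFFFFA1C4E8A3,
    0xFFFFFFFFA1A0F1D2,
    0x0000563D9E1A4440,
    0xFFFFFFFFA1C10000,
]

if __name__ == "__main__":
    try:
        lvl = current_level()
        state = "ALLOWED" if unprivileged_kernel_sampling_allowed(lvl) else "blocked"
        print(f"perf_event_paranoid={lvl}: unprivileged kernel sampling {state}")
    except OSError as e:
        print("cannot read", PARANOID_PATH, e)
    low = lowest_kernel_ip(SAMPLES)
    print(f"lowest kernel IP 0x{low:x}, estimated slide 0x{estimate_kaslr_slide(low):x}")
```

On a live system the check to run is `sysctl kernel.perf_event_paranoid`: 2 or higher means an unprivileged sampler only ever sees user-space IPs, and the minimum trick has nothing to work with. The estimate is only as good as the coverage of the samples; if nothing in the first 2 MiB of text was executing while you sampled, the minimum lands somewhere later in the image and the rounding above over-estimates the slide.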
In December 2016 I wrote a piece about using Grsecurity to prevent new USB devices from being loaded. Grsecurity has, unfortunately, left this world, but the linux-hardened project has taken on some of the patches and updates. I thought it would be worth a minor update to that post now that linux-hardened has ported the deny_new_usb patches, and uses a marginally different sysctl setting. The new systemd service: Listing 60: deny_new_usb.service[Unit] Description=Prevent new USB devices from ...| https://blog.lizzie.io
Clickjacking Chrome Extensions| blog.lizzie.io
clone is the system call behind fork() et al. It's also the key to| blog.lizzie.io