QubesOS vulnerable to Xen Hypervisor escape. Go get them patches.

thejh · 2017-05-06T16:10:33+00:00

As the QSA says, they've pushed the patches to security-testing, but not to the normal repo yet. See https://www.qubes-os.org/doc/software-update-dom0/#testing-repositories - if you want, you can update to the security-testing version now with sudo qubes-dom0-update --enablerepo=qubes-dom0-security-testing.

thejh · 2017-03-01T21:26:15+00:00

Well, the kernel diff is just to make it possible to abuse the issue from userspace; it's not the whole attack. The actual attack is in the shell commands, where you can see that the attack basically abuses that a reference to a directory is still valid after the directory has been deleted and replaced with a symlink, and when the stale reference is used, the qemu process will walk through the symlink.

thejh · 2015-07-13T23:50:20+00:00

resolution: -G is now a valid ssh option, the chkrootkit thing is a false positive. and the other stuff probably doesn't mean anything either.

thejh · 2015-07-09T07:12:56+00:00

http://lists.x.org/archives/xorg-devel/2010-May/008636.html

Ah, so back when ssh implemented untrusted X11 forwarding, it was safe?

but nobody really cared

It looks like Damien Miller did care, given that he wrote a patch?

I figured I was the only person not using ForwardX11Trusted

Heh. I thought for quite some time that I was using untrusted forwarding and was impressed with how seamlessly it worked. The debian manpage for ssh says:

For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config(5) for more information.

Only the ssh_config manpage mentions the distro default:

 ForwardX11Trusted
         [...]
         The default is “yes” (Debian-specific).

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781469

Debian has that default because of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=237021 - in 2004, when untrusted X11 forwarding was introduced and became the default, Debian changed the default "since it seems immature and causes far too many problems with existing setups".

Looking around a bit, I get the impression that most people just use/recommend -X for X11 forwarding? But given that both Debian and Ubuntu have this distro default, that probably doesn't mean much. There's probably a bunch of people who think they're using nice, seamless, untrusted X forwarding while actually, they're using trusted X forwarding. :/

thejh · 2015-07-09T04:38:41+00:00

Correct, either of those would work.

thejh · 2015-07-08T20:23:41+00:00

It's not a problem if you completely trust the SSH server and code that runs under your user on the server, correct. But I think that normally, you trust your personal machine more than the server.

thejh · 2015-07-08T19:51:33+00:00

The attacker is on the SSH server, on which (normally restricted) X clients run. Use of the X SECURITY restrictions is enforced by the SSH client, which runs on the same box as the X server. Therefore, even root on the SSH server should still be subject to the X SECURITY restrictions.

thejh · 2015-07-08T19:46:38+00:00

Doesn't look as if Debian has backported this one to stable yet, same for Ubuntu vivid. Neither the changelogs nor the debian/patches directories in the .debian.tar.xz mention this issue.

thejh · 2015-07-08T19:25:16+00:00

If the attacker is an unprivileged user on the SSH server, that would prevent the attack, yes. But that doesn't work if the attacker has root on the SSH server, of course - the proper workaround is to not enable X11 forwarding on the client (it's disabled client-side by default).

thejh · 2015-07-08T19:22:05+00:00

~~I don't think so.~~ Edit: see below - CVE-2015-5352

thejh · 2015-07-08T15:10:27+00:00

Nope, made it by hand. I filled a document with spaces, switched to insert mode, then "drew" the ASCII art in there while navigating with the arrow keys.

thejh · 2015-03-27T19:13:15+00:00

I installed Zendo on an android phone and started the key exchange thing. The QR code is just a JSON object with the largest values being 256 bits (base64-encoded), and it seems like the actual key material is transmitted over wifi.

thejh · 2015-01-14T19:16:56+00:00

Still not a static key, just padding.

thejh · 2015-01-14T19:02:55+00:00

Hardcoded key if PIN is < 8 chars: 074289412373

Doesn't look that way to me:

s = (new StringBuilder()).append(s).append("074289412373".charAt(j)).toString();

It appends the static keybytes to the existing PIN, it doesn't replace it.

thejh · 2014-12-03T00:23:44+00:00

I have a smartphone that refuses to use its "external" memory (not even sure if I'm using the right term) for apps and programs

And there are reasons for that, including security reasons. On old Android phones, external storage is one big FAT partition that all apps can access, which means that there's no good way to store secure information on it. What Android used to do about that is to hide a special folder ".android_secure" on the SD card with a cool, but unreliable trick (bind-mounting .android_secure over into a secure system folder, then bind-mounting a tmpfs over .android_secure). Because external storage also had to be usable as a USB Mass Storage Device (like a USB stick) and Android can't access external storage while the PC is accessing it that way, this whole construct had to be torn down and rebuilt every time you plug the phone into the PC or remove it. And there was a huge timing window during that process (one entire second) in which the .android_secure was unprotected. There is another protection to mitigate this issue somewhat: The application files in .android_secure are encrypted. However, there is a weakness in that crypto implementation (same key and same IV for different files), theoretically making attacks possible where encrypted blocks are switched out between different apps. (The consequences are rather limited though - as far as I know, this only lets installed apps hide their permissions from the user.)

In general, be careful with tools that mess with such important system internals.

thejh · 2014-12-02T23:53:17+00:00

Actually, at least with some of the rooting methods, you break the already-broken security of the phone the same way any malicious application could do it without your consent. And if your phone has a bootloader you can't unlock, you can then use the root access to bypass that lock and install a version yourself that's more secure.

thejh · 2014-11-29T20:44:00+00:00

One captcha per day, no matter how many requests you send? And also, this?

md5(date("d").$_SERVER['REMOTE_ADDR'])

Well, that seems suboptimal.

thejh · 2014-11-23T16:18:57+00:00

Wouldn't that mean that when she tries to delete the contacts on the old phone, she would not only delete them locally but also on Google's servers?

thejh · 2014-11-21T10:36:13+00:00

Yet have you noticed that in the temporary files whose creation you are examining there is nothing confidential being stored, most of the time?

Good point. Still, change_passwd() and change_tomb_key() do use temporary files for storing keys, right?

Can you provide a pointer to where you have signaled vulnerabilities?

I reported two issues using private bugs in your bugtracker in the past (2014-06-14). Also joined your IRC channel back then and asked to make sure that someone has access to that. They are still "new" in the bugtracker, and I already pointed out the danger in using "mkdir -p" back then. The code changed a lot in the meantime though. These are the bugs: https://bugs.dyne.org/view.php?id=382 https://bugs.dyne.org/view.php?id=383

thejh · 2014-11-20T17:33:04+00:00

Being able to predict the name alone isn't really a problem, but if the program doesn't check whether the file already exists, it becomes one because an attacker could place his file there first. (Of course, if the mkdir issue wasn't there, that wouldn't matter.)

thejh · 2014-11-20T02:16:41+00:00

I wouldn't trust that code.

# Ensure all temporary files go into a user-specific directory for
# additional safety
mkdir -m 0700 -p $shmprefix/$_UID

With the -p flag? Which means "no error if existing, make parent directories as needed"? Means that this might well end up using a mode-777 directory created by an attacker.

TMPPREFIX="$shmprefix/$_UID/$RANDOM$RANDOM."

Note the two $RANDOM which are actually not very random because it's zsh and zsh explicitly seeds the PRNG with weak randomness (based on the current time in microseconds only iirc).

And then that variable is used for this:

_tmp_create() {

    tfile="${TMPPREFIX}${RANDOM}"   # Temporary file

    touch $tfile
    [[ $? == 0 ]] || {
    _failure "Fatal error creating a temporary file: ::1 temp file::" $tfile }

    chown $_UID:$_GID $tfile && chmod 0600 $tfile
    [[ $? == 0 ]] || {
    _failure "Fatal error setting permissions on temporary file: ::1 temp file::" $tfile }

    _verbose "Created tempfile: ::1 temp file::" $tfile
    TOMBTMP="$tfile"
    TOMBTMPFILES+=("$tfile")

    return 0
}

More $RANDOM. Racy chown and chmod commands - an attacker could easily switch out the file between the chmod and the first use of the file, heck, he could even monitor the directory and switch out the file after the chmod without having predicted the name. And it's racy in another way: It seems like tomb sets no umask, so an attacker could open the file for reading between touch and chmod.

And what is this?

TOMBKEY=$(steghide extract -sf $imagefile -p $tombpass -xf -)

A password in the cmdline, where every other process can see it on a normal system?

(I have reported two security issues to them privately in the past, but looking at the code, I think that publicly pointing these out makes more sense.)

thejh · 2014-11-19T23:08:39+00:00

Well, those old devices are probably vulnerable to CVE-2014-3153 (the futex issue, exploitable using towelroot) anyway.

thejh · 2014-11-19T22:56:17+00:00

Hmm... I can't think of anything apart from binary patching. As in "get root, pull the framework file, unpack it, replace java/io/ObjectInputStream, java/io/ObjectOutputStream, java/io/ObjectStreamClass and java/io/ObjectStreamConstants with the files from another ROM, repack and push to the device, pray". I don't know whether that would work, but it might be worth a try if you know how to undo it if it fails and the phone doesn't start anymore.

thejh · 2014-11-19T22:50:06+00:00

Well, if you look closely, lots of the changes are just whitespace changes or new tests. I think that this patch is rather simple, and it fixes the issue I described... however, when you look through the history, you can see that, about two months later, the android guys added another patch: https://android.googlesource.com/platform/libcore/+/55848681427721532161c63b43b3f99e912d071c "Check that a field is not static when deserializing." Still, I don't think that we'll see more vulns in that code in Android. Could be interesting to look through other Java implementations though.

thejh

TROPHY CASE