AOH :: P58-0X03.TXT

Phrack 58 File 03: Signalnoise



                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3a, Phile #0x03 of 0x0e

|=----------------------=[ S I G N A L N O I S E ]=----------------------=|
|=-----------------------------------------------------------------------=|
|=---------------------------=[ phrackstaff ]=---------------------------=|
      _                                                              _
     /     "crrr...Everything that does not fit somewhere else...crr" \
    |-+ - - -   "can be found here. Corrections and additions" - - - +-|   
    |\_  "to previous articles, to short articles or articles that"  _/|
    |      "just dont make it....everything...crr..<NO CARRIER>"       |
 _=====_                                                            _=====_

  0x00:  SIGOOPS
  0x01:  No SIGSEGV anymore
  0x02:  covered IPC via TCP over signal()
  0x03:  SIGnalINTelligence warrant of apprehension on gobbles

|=[ 0x00 ]=--------------------------------------------------------------=|

  p57-02/loopback: 0x16 and 0x0f are the same. Oops.

  We forgot to mention the email of brett (variablek@home.com) who wrote
  the cisco addendum in p57-03/linenoise.

|=[ 0x01 ]=--------------------------------------------------------------=|

Subject: Getting rid of SIGSEGV - for fun but not for profit.

  UNIX signals provide a mechanism for notiying processes of system
events, communication [see below :P] and syncronization between
processes and exception handling. Most readers are familiar with
the term 'software generated signals' (generated by the kernel or userland
application) and 'cpu exceptions'.

  The most famous and by far the most hated signal under UNIX is 
SIGSEGV. The signal is usually generated by the kernel when
'something realy bad happened' or something 'your hardware is really
not amused about'. The hardware 'is not amused' about illegal memory
references and notifies the kernel (cpu exception) which in turn notifies
the offending process with a signal. The default action is to terminate
the running process and to dump core.

  What would happen if the process could recover from such a SIGSEGV and
continue execution? After a SIGSEGV the process is in an undefined state
and basicly everything could happen. In many cases the result is by far less
extrem as we would expect. We may experience missing grafics in netscape, no
background image in Eterm or missing frames in a .avi movie.

  A programm may use signal(SIGSEGV, SIG_IGN); to ignore a SIGSEGV sent
by another process. A cpu exception generated by the hardware will still
cause the process to terminate (default action). A process may choose to
override the default action and specify a signal handler - a user-defined
function which is invoked whenever a SIGSEGV is delivered to the process.
We will concentrade on SIGSEGV caused by a cpu exception only - recovering
from all other cases is trivial.

  Let's first take a look at the kernel and follow the path of the SIGSEGV
until it gets delivered to the application. After our little excurse I
will show some source which, compiled as a shared object, can be
preloaded (LD_PRELOAD) to any programm. The preloaded .so will recover
(at its best) from a SIGSEGV and continue execution.

  When the system boots, the function arch/i386/kernel/traps.c:trap_init()
is called which sets up the Interrupt Descriptor Table (IDT) so that
vector 0x14 (of type 15, dpl 0) points to the address of the page_fault entry
from arch/i386/kernel/entry.S. The entry invoked do_page_fault() in 
arch/i386/mm/fault.c whenever the specific exception occures. This function
handles all kind of page faults and calls 'force_sig_info()' if the
exception was caused by user mode access to invalid memory. This function
forces signal delivery to the userland applicationg by unblocking the signal
and by setting SIG_IGN to SIG_DFL (if no handler has been assigned).
To cut a long story short the kernel drops into send_sig_info() which
calls deliver_signal() which calls send_signal() which calls
sigaddset() which finaly set the bit in the process signalbitmask.

  It is important to note that any action, including process termination,
can only be taken by the receiving process itself. This requires, at the
very least, that the process be scheduled to run. In between signal
generation and signal delivery, the signal is said to be pending to the
process.

  When a process is scheduled to run the kernel checks for pending
signals at the following times:

- Immediatly after waking up from an interruptible event.
- Before returning to user mode from a system call or interrupt.
- Before blocking on an interruptible event.

  The kernel calls arch/i386/kernel/signal.c:do_signal() and fetches the
first pending signal from the queue (kernel/signal.c:dequeue_signal()).
Nothing spectacular happens and the kernel processes with the next pending
signal from the queue if action is set to SIG_DFL or SIG_IGN. The kernel
calls handle_signal() if a user-defined action has been assigned to the
signal handler (ka->sa.sa_handler). 

  If the signal event occured during a system call with restarting capability
the eip of the process is substracted by the value of 2 to automaticly
reinvoke the system call after the signal handler returned. The kernel calls
setup_frame() to save the current register set and other values (see 
'struct sigframe' in arch/i386/kernel/signal.c) on the stack of the process.
The same function also sets up a 'stub' which is executed after the signal
handler returned to restore the previous saved 'sigframe'.

    struct sigframe
    {
        char *pretcode;                /* 4 bytes                        */
        int sig;                       /* 4 bytes                        */
        struct sigcontext sc;          /* 88 bytes, see sigcontext.h     */
        struct _fpstate fpstate;       /* 624 bytes, floating point regs */
        unsigned long extramask[1];    /* 4 bytes                        */
        char retcode[8];               /* 8 bytes                        */
    };

struct sigcontext expands to:

    struct sigcontext
    {
        ...                            /* ...56 bytes                    */
        unsigned long eip;             /* Aha!                           */
        ...                            /* ...88 bytes                    */
     };

  The old eip is saved 64 bytes after the beginning of struct sigframe,
followed by the return address of the signal handler and the saved frame
pointer. The return address will points to the 'stub' which will pass
control back to the kernel to restore the registers once the signal handler
returns.

           0xbfffffff  | ...                    |
                       +------------------------+
                       | sigframe, old eip      |
                       | is saved 56 bytes      |  <---+
                       | from behind retaddr    |      |
                       +------------------------+    68 bytes distance to
                       | retaddr of stub        |    saved eip from ebp.
                       +------------------------+      |
             ebp->     | saved frame pointer    |  <---+
                       +------------------------+
                       | local variables of     |
                       | signal handler routine |
                       +------------------------+

  The easiest way to recover from a SIGSEGV thus is to assign our
own signal handler, travel up the stack until we find the saved
eip, set the eip to the instruction followed the instruction which caused
the segfault and return from our handler.


  The library also ignores SIGILL just for the case in which the process
starts to run amok and the IP hits space where no IP has gone
before. 


/*
 * someone@segfault.net
 *
 * This is published non-proprietary source code of someone without a
 * name...someone who dont need to be named....
 *
 * You do not want to use this on productivity systems - really not.
 *
 * This preload-library recovers from a SIGSEGV - for fun purposes only!
 *
 * $ gcc -Wall -O2 -fPIC -DDEBUG -c assfault.c
 * $ ld -Bshareable -o assfault.so assfault.o -ldl
 # $ LD_PRELOAD=./assfault.so netscape &
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <dlfcn.h>

#define REPLACE(a, x, y) if ( !(o_##x = dlsym(##a , ##y)) )\
            { fprintf(stderr, ##y"() not found in libc!\n");\
                exit(-1); }
#ifdef DEBUG
# define DEBUGF(a...)    do{fprintf(stderr, "%s[%d]", __FILE__, __LINE__); \
                           fprintf(stderr, ##a);}while(0)
#else
# define DEBUGF(a...)
#endif

#define err_exit(str) do{fprintf(stderr, "ERROR:%s\n", str);exit(-1);}while(0);

static void *(*o_signal)(int, void(*)(int));
static void *libc_handle = NULL;
static int sigcount;

void
assfault_handler(int sig)
{
    DEBUGF("SIG%s occured (%d)\n"
           , (sig==SIGSEGV)?"SEGV":(sig==SIGILL)?"ILL":"BUS", ++sigcount);

    asm volatile("incl 0x44(%ebp)");
}

void
(*signal(int sn, void (*sighandler)(int)))()
{
    if ((sn == SIGSEGV) || (sn == SIGILL) || (sn == SIGBUS))
    {
        DEBUGF("signal(SIG%s, ...) intercepted [%d]\n"
              , (sn==SIGSEGV)?"SEGV":(sn==SIGILL)?"ILL":"BUS", getpid());
        return assfault_handler;
    }

    /* in all other cases call the original libc signal() -function */

	return o_signal(sn, sighandler);
}

static void
assfault_init(void)
{
    if ( (libc_handle = dlopen("libc.so", RTLD_NOW)) == NULL)
        if ( (libc_handle = dlopen("libc.so.6", RTLD_NOW)) == NULL)
            err_exit("error loading libc!");

    /* get the address of the original signal() -function in libc */
    REPLACE(libc_handle, signal, "signal");

    /* redirect action for these signals to our functions */
    o_signal(SIGSEGV, assfault_handler);
    o_signal(SIGILL, assfault_handler);
    o_signal(SIGBUS, assfault_handler);

    dlclose(libc_handle);
}

/*
 * called by dynamic loader.
 */
void
_init(void)
{
    if (libc_handle != NULL)
        return; /* should never happen */

    assfault_init();
    DEBUGF("assfault.so activated.\n");
}   
/*** EOF assfault.c ***/

/*
 * example programm that segfault's a lot.
 * $ gcc -Wall -o segfault segfault.c
 * $ LD_PRELOAD=./assfault.so ./segfault
 */
#include <stdio.h>
int
main()
{
    char *ptr=NULL;

    fprintf(stderr, "|0| everything looks fine. lets produce a SIGSEGV\n");
	*ptr=1;
	fprintf(stderr, "|1| after first provocated SIGSEGV\n");
    *ptr=1;
    fprintf(stderr, "|2| after second provocated SIGSEGV\n");
    fprintf(stderr, "|X| We survived - enough played today.\n");

    return 0;
}
/*** EOF segfault.c ***/

|=[ 0x02 ]=--------------------------------------------------------------=|

Subject: TCP over signal()

Bored subjects do naughty things, so why not transferring data
with signals. With signals, not along with. Good old morsing
hits us again. Theoretical speaking its a covert channel. A method for
transferring data which is not recognized as transfer to the outside
world.
Things are simple, if sender sees a bit is 1 it sends 'HIGH'
and 'LOW' if it finds the bit being 0.
I let it to you to figure out how the simple programs work. :-)

<recv.c>
#include <stdio.h>
#include <sys/types.h>
#include <signal.h>

#define L SIGHUP
#define H SIGUSR1
#define RESET SIGUSR2

int bit;
unsigned char c;

void recv_high_low(int x)
{
	if (bit == 8) {
		bit = 0;
		putchar(c);
		fflush(stdout);
		c = 0;
	}
	if (x == H)
		c = ((c<<1)|1);
	else
		c <<= 1;
	++bit;
}

void recv_reset(int x)
{
	bit = 0;
	c = 0;
}

int main()
{
	bit = 0;
	c = 0;
	
	signal(L, recv_high_low);
	signal(H, recv_high_low);
	signal(RESET, recv_reset);
	
	for (;;);

	return 0;
}

</recv.c>


<send.c>

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <stdlib.h>

#define L SIGHUP
#define H SIGUSR1
#define RESET SIGUSR2

void die(char *s)
{
	perror(s);
	exit(errno);
}

int main(int argc, char **argv)
{
	int pid, fd, j;
	char *file, c;

	if (argc < 3) {
		fprintf(stderr, "Usage: %s <pid> <file>\n", argv[0]);
		exit(1);
	}

	pid = atoi(argv[1]);
	file = argv[2];

	if ((fd = open(file, O_RDONLY)) < 0)
		die("open");	


	kill(pid, RESET);
	sleep(1);
	
	while (read(fd, &c, sizeof(c)) > 0) {

		/* and for every bit of this byte do */
		for (j = 7; j >= 0; --j) {
			if ((1<<j) & c) {
				printf("1");fflush(stdout);
				if (kill(pid, H) < 0)
					die("kill");	/* send HIGH (1) */
			} else {
				printf("0");fflush(stdout);
				if (kill(pid, L) < 0)	/* send LOW (0) */
					die("kill");
			}
			usleep(200);
		}
	}
	close(fd);
	return 0;
}

</send.c>


|=[ 0x03 ]=--------------------------------------------------------------=|

* SIGINT CONFIDENTIAL REPORT ON GOBBLES *

  On 2001/12/20 various individual around the world succeeded in
unrevealing valuable information about the suspect. The information
gathered about the suspect seems to be authentic - action should be taken
immediatly by local law enforcements.

      WANTED - GOBBLES - WANTED - GOBBLES - WANTED - GOBBLES - WANTED


Do you have other handles beside 'Gobbles' ? 

  GOBBLES is known as many things, but GOBBLES can not let the rest of the
world know he other identities in relation to name of GOBBLES due to fear
of social rejection from he peers.  GOBBLES wish at some point that people
could stop asking, "GOBBLES who else are you known as" to him when all he
really ask for is a little privacy, cannot people learn to keep their
hands to what is their own?


What kind of species is 'Gobbles' and what is the sex ? 

  GOBBLES himself is homosapian (which mean human for all you penetrators)  
obviously but like the name GOBBLES came from Yahoo.com picture turkey.jpg
found one day which made GOBBLES think to self, "Hey this a funny looking
picture and make me think of security community that full of evil turkies,
hehe 'other identity' should now become known as GOBBLES to be security
turkey too!". Gobbles Security is not limited to one person, or one gender.


How can Gobbles Security  be reached (email? sms? irl? irc?) 

  GOBBLES Security can be reached at group email addrses on hushmail.com
which is GOBBLES@hushmail.com, if anyone ever need to contact us about
anything that be the place to do it from.  As far as where one can find
GOBBLES irl (that mean "in real life" for penetrators), GOBBLES originally
from Lithuania but now live in a place with a little more stable economy.  
Some GOBBLES Security members do live in same country and then they
frequent GOBBLES Labs location to do hardcore hacking and programming all
day long.  


When and where have you been born ?

  GOBBLES himself was born during year of 1979 in country of Lithuania, but
not born as GOBBLES, hehe (that not real name ;), but real name shouldn't
be of real concern anywhere though, so that do not matter.  GOBBLES was
born into computer security industry scene as GOBBLES during the month of
June in the year of 2001 and currently have plans of being immortal in
this field and living forever. 


Is there any picture available of Gobbles Security on the internet ? 

  GOBBLES Security is more concerned with finding all exploitable bugs and
letting the world know about them than they are with worrying about taking
time to update webpage and get it pretty looking, although making webpage
pretty and finish is becoming a higher GOBBLES priority due to demands of
our many fans who email saying, "Please friend GOBBLES, finish webpage!"


Where does Gobbles Security live (current location) ? 

  To respect privacy of GOBBLES Security and members GOBBLES does not want
to give out physical location of GOBBLES Labs or the IP addresses (that IP
mean internet protocol, for penetrators needing translation).  Website of
GOBBLES where information is fully disclosed is on bugtraq.org though.


To which kind of music does Gobbles Security listen ? 

  Right now the multiple cd player jukebox in GOBBLES Labs have cd's
(compact disc for penetrator confusing cd with chdir) from following
bands and artists:
 -Radiohead
 -Tori Amos
 -The Violent Femmes
 -KMFDM
 -Goo Goo Dolls
 -Savage Garden
 -The Djali Zwan
 -Dmitri Shostakovich
 -Smashing Pumpkins
 -Ace of Base
 -They Might Be Giants
 -Various Disney Soundtracks and Sing-a-long's

so you get an idea of different genre's that are liked by people who
occupy GOBBLES Labs facility, hehe.


Does Gobbles Security like the movies 'Chicken run' and/or was any
relative actively involved in the movie ? 

  GOBBLES didn't really understand movie on his own, and consensus from
other group members is that the movie was not very good.  GOBBLES spent
the whole movie trying to identify celebrities with they cartoon
characters instead of paying close attention to complex plot, so it can be
understood why GOBBLES didn't really follow and understand the story of
that movie.


How many employees does 'Gobbles Security' currently have ? 

  GOBBLES Security is not a for-profit group and does not have any income
or employees.  Everyone who come to GOBBLES Labs to do coding and exploit
bring own computers and materials and alcohol, there is no money involved
so there are not any employees.  GOBBLES Labs have 19 active members and
researchers.  With 18+ members, GOBBLES Labs is currently the largest
active non-profit security team in the world (that not private and
exclusive with research, of course there is larger private group in
existance that GOBBLES not ignorant of).  Unlike other groups that make
this claim, GOBBLES Labs is actually active, hehe. 


Are there stocks available from 'Gobbles Security' ? 

  Hehe, no, because remember we not a commercial organisation?  =)  GOBBLES
believe that security should not be huge commercial entity anyways and
miss the days when people who were knowledgable about security were
respected and looked to for security information rather than people with
certification like CISSP who qualified to use Nessus in corporate
environment and notify they companies of updates on cert.org website.


Is there any buisiness plan (current projects ?) of Gobbles Security
for 2002 ? 

  GOBBLES have no business plan, since GOBBLES Security is not a business,
just more of a club, and GOBBLES hope to keep it that way forever.  If the
big dollar is ever waived in GOBBLES face like happen to other good
non-profit security group, GOBBLES will refuse to snatch it and keep
GOBBLES Labs independant and free always.


Where did Gobbles Security learn english ? 

  GOBBLES Security is a multinational group and members have learned they
English in many different places, some speak it natively, or at least
American which is very similar to English from what GOBBLES can
deduce.  GOBBLES learn English from Extreme Calculus professor in
university who say to GOBBLES, "GOBBLES if you to go anywhere in life, you
must learn to speak English, here I will help."  That is true story of how
GOBBLES learn to speak this wonderful language, hehe.


Have you heard of anti-security and what is your opinion to
http://anti.security.is ? 

  Yes GOBBLES have seen they website before and read message board very
frequently.  GOBBLES think anti.security.is have many good ideas on
security, since it seem that sometimes disclosure is not best since all it
really do is contribute to system being comprimised.  GOBBLES recall
reading somewhere that still only 30% of servers are patched for CORE-SDI
ssh backdoor still, and that known almost for a year now, so sometimes
GOBBLES wonder why disclosure is even done in the first place if no one
really pay attention to advisory and fix security.  However this is not
the policy of GOBBLES Security who are firm supporters of Information
Anarchy and Jay Dyson's quote "Real men prefer full disclosure", although
some GOBBLES researchers are very loyal to anti.security.is philosophy
which is why you do not see all exploits written by GOBBLES Security
members since we respect they wishes.  GOBBLES have many respect for
ideals of anti.security.is and often wonders what really is best to
improve state of security on the Internet, but still he decide that it is
Information Anarchy.


What does Gobbles Security think about Theo de Raadt ? 

  GOBBLES think Theo is silly individual who think brilliant research and
revelation of removing machine from network make it secure from network
based attacks and therefor inpenetrable, because then what is the real use
of that workstation when it not on a network and can't access
anything?  GOBBLES think Theo attempt to banish all networking in name of
security is idiotic idea and GOBBLES really not a big fan of his for this
sorts of things.


And about Aleph1 and bugtraq ? 

  The Aleph1 is old friend of GOBBLES (but not someone the Aleph1 know as
GOBBLES, hehe) and is someone that GOBBLES very much likes.  In question
GOBBLES assume that bugtraq == securityfocus.com, so that how GOBBLES
shall answer the question.  GOBBLES not a very big fan of securityfocus
itself for way it do delayed disclosure, for way it claim to be full
disclosure, but then make people have to pay to see good advisories first
(holding information hostage probably not best practice for full
disclosure), for filtering important security advisories because
advisories have comments in that hurt pride of securityfocus staff
member.  If it were real intentions of securityfocus to help in security
process, GOBBLES think that they would pass important advisories through,
but know from experience that many will be filtered for silly
reason.  When securityfocus say, "hey, we will run mailing lists" they
should have also let everyone know that they had intention of profitting
off list and selling information rather than keeping them in original
form, GOBBLES is bothered by level of deceit there.  But as for does
GOBBLES like the Aleph1, the answer is YES, GOBBLES do like the
Aleph1.  In fact GOBBLES have open invitation to him (and mudge and
dildog) to leave they high paying jobs and the dark side of the force to
join back where they know they want to be, in they hearts, back in the
real security community where you don't have to shave you beard and give
out real name; always extra room for them as members in GOBBLES Security
if they ever decide to reform.

Does Gobbles Security consider other groups like ADM, LSD, TESO as
competitors or as friends ? 

  GOBBLES Security think of those group as brothers and sisters, not as
competitors.


In which way will Gobbles Security infuence the scene in the future ? 

  Well GOBBLES have the hope of helping rebirth of real security scene
where the world can know who the people are who have real security
knowledge are not the point and click penetrator testers and patch
applicators who make the big dollar, and hopefully someday in future there
will be not so much commercialization of computer security and thing can
return back to normal and the scene can exist again once more.


Write down 'Memorable Experiences': 
 
  One time #GOBBLES on irc was taken over by prominant irc takeover gang
which is very memorable experience for the whole GOBBLES Security
Crew.  Some things that stuck with GOBBLES from incident include:

  <route> gogogogo
  <route> OK, newsh fork over the opz
  <route> word
  <route> ok listen up motherfuckerz
  <route> u will get yer chan back when i see fit
  <route> mmkay?
  <route> now, who'z the fuckwit who insulted me in that yahoo messenger
          advisory?
  <route> you mess with libnet, you mess with death motherfuckerz!

  [ note by phrackstaff: The above log isn't from the real route. ]

  Other very memorable experience was last week at GOBBLES Labs where
Alicia became over intoxicated by alcohol from boxed wine (speaking of
alcohol, Mr. Huger promise to bring GOBBLES back some good wine from he
Canada trip, GOBBLES better get it Al!) during exploit coding session and
then took off all her clothes.  Needless to say male GOBBLES members were
embarassed at the mess they made.  GOBBLES swear this true story, not just
humor, even some pictures of naked Alicia captured on webcam broadcast
with tcpdump soon to be made into mpeg, hehe!

 Write down some Quotes: 

 "Opensource software has a future."
  -Sir William Gates

 "What goes around comes around."
  -Anonymous

 "That vulnerability is completly TheoRaadtical."
  -Microsoft

 "A preauthentication bug in OpenSSH?  Who hasn't found one of those?"
  -OpenSSH Developer

 "No I wasn't caught on video jerking off at defcon 9!"
  -Peter Shipley
 
 "If one XOR is good TWICE IS BETTER."
  -Peiter Zatko


In closing GOBBLES would like to thank Phrack and Phrack Staff for
awarding GOBBLES this Man of the Year Award, GOBBLES very flattered to not
only be nominated but also to be winner of award!  GOBBLES LOVE YOU!

|=[ EOF ]=---------------------------------------------------------------=| 


AOH Site layout & design copyright © 2006 AOH