                             ==Phrack Inc.==

               Volume 0x0b, Issue 0x3a, Phile #0x03 of 0x0e

|=----------------------=[ S I G N A L   N O I S E ]=----------------------=|
|=-----------------------------------------------------------------------=|
|=---------------------------=[ phrackstaff ]=---------------------------=|

      _                                                                _
     / "crrr...Everything that does not fit somewhere else...crr"       \
    |-+ - - -  "can be found here. Corrections and additions"  - - - +-|
    |\_  "to previous articles, to short articles or articles that"  _/|
     |     "just dont make it....everything...crr..<NO CARRIER>"      |
   _=====_                                                        _=====_

    0x00: SIGOOPS
    0x01: No SIGSEGV anymore
    0x02: covered IPC via TCP over signal()
    0x03: SIGnalINTelligence warrant of apprehension on gobbles

|=[ 0x00 ]=--------------------------------------------------------------=|

p57-02/loopback: 0x16 and 0x0f are the same. Oops.

We forgot to mention the email of brett (variablek@home.com) who wrote the
cisco addendum in p57-03/linenoise.

|=[ 0x01 ]=--------------------------------------------------------------=|

Subject: Getting rid of SIGSEGV - for fun but not for profit.

UNIX signals provide a mechanism for notifying processes of system events,
for communication [see below :P] and synchronization between processes, and
for exception handling. Most readers are familiar with the terms 'software
generated signals' (generated by the kernel or a userland application) and
'cpu exceptions'.

The most famous and by far the most hated signal under UNIX is SIGSEGV. The
signal is usually generated by the kernel when 'something really bad
happened' or something 'your hardware is really not amused about'. The
hardware 'is not amused' about illegal memory references and notifies the
kernel (cpu exception), which in turn notifies the offending process with a
signal. The default action is to terminate the running process and to dump
core.

What would happen if the process could recover from such a SIGSEGV and
continue execution?
After a SIGSEGV the process is in an undefined state and basically anything
could happen. In many cases the result is far less extreme than we would
expect: we may see missing graphics in netscape, no background image in
Eterm or missing frames in an .avi movie.

A program may use signal(SIGSEGV, SIG_IGN); to ignore a SIGSEGV sent by
another process. A cpu exception generated by the hardware will still cause
the process to terminate (default action). A process may choose to override
the default action and specify a signal handler - a user-defined function
which is invoked whenever a SIGSEGV is delivered to the process. We will
concentrate on SIGSEGV caused by a cpu exception only - recovering from all
other cases is trivial.

Let's first take a look at the kernel and follow the path of the SIGSEGV
until it gets delivered to the application. After our little excursion I
will show some source which, compiled as a shared object, can be preloaded
(LD_PRELOAD) into any program. The preloaded .so will recover (at its best)
from a SIGSEGV and continue execution.

When the system boots, the function arch/i386/kernel/traps.c:trap_init() is
called, which sets up the Interrupt Descriptor Table (IDT) so that vector
0x14 (of type 15, dpl 0) points to the address of the page_fault entry from
arch/i386/kernel/entry.S. The entry invokes do_page_fault() in
arch/i386/mm/fault.c whenever the specific exception occurs. This function
handles all kinds of page faults and calls force_sig_info() if the exception
was caused by a user mode access to invalid memory. force_sig_info() forces
signal delivery to the userland application by unblocking the signal and by
setting SIG_IGN to SIG_DFL (if no handler has been assigned). To cut a long
story short, the kernel drops into send_sig_info(), which calls
deliver_signal(), which calls send_signal(), which calls sigaddset(), which
finally sets the bit in the process' signal bitmask.
It is important to note that any action, including process termination, can
only be taken by the receiving process itself. This requires, at the very
least, that the process be scheduled to run. In between signal generation
and signal delivery, the signal is said to be pending for the process. When
a process is scheduled to run the kernel checks for pending signals at the
following times:

  - Immediately after waking up from an interruptible event.
  - Before returning to user mode from a system call or interrupt.
  - Before blocking on an interruptible event.

The kernel calls arch/i386/kernel/signal.c:do_signal() and fetches the
first pending signal from the queue (kernel/signal.c:dequeue_signal()).
Nothing spectacular happens and the kernel proceeds with the next pending
signal from the queue if the action is set to SIG_DFL or SIG_IGN. The kernel
calls handle_signal() if a user-defined action has been assigned to the
signal handler (ka->sa.sa_handler). If the signal event occurred during a
system call with restarting capability, 2 is subtracted from the eip of the
process to automatically reinvoke the system call after the signal handler
returns.

The kernel calls setup_frame() to save the current register set and other
values (see 'struct sigframe' in arch/i386/kernel/signal.c) on the stack of
the process. The same function also sets up a 'stub' which is executed after
the signal handler returns to restore the previously saved 'sigframe'.

struct sigframe {
        char *pretcode;                 /* 4 bytes */
        int sig;                        /* 4 bytes */
        struct sigcontext sc;           /* 88 bytes, see sigcontext.h */
        struct _fpstate fpstate;        /* 624 bytes, floating point regs */
        unsigned long extramask[1];     /* 4 bytes */
        char retcode[8];                /* 8 bytes */
};

struct sigcontext expands to:

struct sigcontext {
        ...                             /* ...56 bytes */
        unsigned long eip;              /* Aha! */
        ...                             /* ...88 bytes */
};

The old eip is saved 64 bytes after the beginning of struct sigframe,
followed by the return address of the signal handler and the saved frame
pointer. The return address points to the 'stub' which passes control back
to the kernel to restore the registers once the signal handler returns.

0xbfffffff
        |          ...           |
        +------------------------+
        | sigframe, old eip      |
        | is saved 56 bytes      | <---+
        | from behind retaddr    |     |
        +------------------------+     | 68 bytes distance to
        | retaddr of stub        |     | saved eip from ebp.
        +------------------------+     |
 ebp->  | saved frame pointer    | <---+
        +------------------------+
        | local variables of     |
        | signal handler routine |
        +------------------------+

The easiest way to recover from a SIGSEGV thus is to assign our own signal
handler, travel up the stack until we find the saved eip, set the eip to the
instruction following the one which caused the segfault, and return from our
handler. The library also ignores SIGILL, just in case the process starts to
run amok and the IP hits space where no IP has gone before.

/*
 * someone@segfault.net
 *
 * This is published non-proprietary source code of someone without a
 * name...someone who dont need to be named....
 *
 * You do not want to use this on productivity systems - really not.
 *
 * This preload-library recovers from a SIGSEGV - for fun purposes only!
 *
 * $ gcc -Wall -O2 -fPIC -DDEBUG -c assfault.c
 * $ ld -Bshareable -o assfault.so assfault.o -ldl
 * $ LD_PRELOAD=./assfault.so netscape &
 */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <dlfcn.h>

/* look up symbol y (a string literal) in handle a and store it in o_x; the
 * literal is concatenated into the error message, no token pasting needed */
#define REPLACE(a, x, y) if ( !(o_##x = dlsym(a, y)) )\
        { fprintf(stderr, y "() not found in libc!\n");\
          exit(-1); }

#ifdef DEBUG
# define DEBUGF(a...) do{fprintf(stderr, "%s[%d]", __FILE__, __LINE__); \
                fprintf(stderr, ##a);}while(0)
#else
# define DEBUGF(a...)
#endif

#define err_exit(str) do{fprintf(stderr, "ERROR:%s\n", str);exit(-1);}while(0)

typedef void (*sighandler_fn)(int);

static sighandler_fn (*o_signal)(int, sighandler_fn);   /* libc's signal() */
static void *libc_handle = NULL;
static int sigcount;

/*
 * Invoked on SIGSEGV/SIGILL/SIGBUS. The saved eip lives in the sigframe the
 * kernel pushed above our frame, 0x44 (68) bytes from ebp (see the picture
 * above); bump it by one so the process resumes behind the faulting byte.
 * i386 only, and only valid when gcc keeps the frame pointer in ebp.
 */
void assfault_handler(int sig)
{
        DEBUGF("SIG%s occured (%d)\n"
                , (sig==SIGSEGV)?"SEGV":(sig==SIGILL)?"ILL":"BUS", ++sigcount);
        asm volatile("incl 0x44(%ebp)");
}

/*
 * Our replacement for libc's signal(): the application is not allowed to
 * change the action for the three signals we recover from.
 */
sighandler_fn signal(int sn, sighandler_fn sighandler)
{
        if ((sn == SIGSEGV) || (sn == SIGILL) || (sn == SIGBUS))
        {
                DEBUGF("signal(SIG%s, ...) intercepted [%d]\n"
                        , (sn==SIGSEGV)?"SEGV":(sn==SIGILL)?"ILL":"BUS",
                        getpid());
                return assfault_handler;
        }
        /* in all other cases call the original libc signal() -function */
        return o_signal(sn, sighandler);
}

static void assfault_init(void)
{
        if ( (libc_handle = dlopen("libc.so", RTLD_NOW)) == NULL)
                if ( (libc_handle = dlopen("libc.so.6", RTLD_NOW)) == NULL)
                        err_exit("error loading libc!");

        /* get the address of the original signal() -function in libc */
        REPLACE(libc_handle, signal, "signal");

        /* redirect action for these signals to our functions */
        o_signal(SIGSEGV, assfault_handler);
        o_signal(SIGILL, assfault_handler);
        o_signal(SIGBUS, assfault_handler);

        dlclose(libc_handle);
}

/*
 * called by dynamic loader.
 */
void _init(void)
{
        if (libc_handle != NULL)
                return;         /* should never happen */
        assfault_init();
        DEBUGF("assfault.so activated.\n");
}
/*** EOF assfault.c ***/


/*
 * example program that segfaults a lot.
 * $ gcc -Wall -o segfault segfault.c
 * $ LD_PRELOAD=./assfault.so ./segfault
 */
#include <stdio.h>

int main()
{
        char *ptr=NULL;

        fprintf(stderr, "|0| everything looks fine. lets produce a SIGSEGV\n");
        *ptr=1;
        fprintf(stderr, "|1| after first provocated SIGSEGV\n");
        *ptr=1;
        fprintf(stderr, "|2| after second provocated SIGSEGV\n");
        fprintf(stderr, "|X| We survived - enough played today.\n");

        return 0;
}
/*** EOF segfault.c ***/

|=[ 0x02 ]=--------------------------------------------------------------=|

Subject: TCP over signal()

Bored subjects do naughty things, so why not transfer data with signals.
With signals, not along with. Good old morse hits us again. Theoretically
speaking it's a covert channel: a method for transferring data which is not
recognized as a transfer by the outside world. Things are simple: if the
sender sees a bit is 1 it sends 'HIGH', and 'LOW' if it finds the bit being
0. I leave it to you to figure out how the simple programs work. :-)

<recv.c>
#include <stdio.h>
#include <sys/types.h>
#include <signal.h>
#include <unistd.h>

#define L       SIGHUP
#define H       SIGUSR1
#define RESET   SIGUSR2

volatile sig_atomic_t bit;      /* bits received for the current byte */
volatile unsigned char c;       /* the byte being assembled, MSB first */

/* one signal = one bit; print the byte as soon as its 8th bit arrived */
void recv_high_low(int x)
{
        if (x == H)
                c = ((c<<1)|1);
        else
                c <<= 1;

        if (++bit == 8) {
                putchar(c);
                fflush(stdout);
                bit = 0;
                c = 0;
        }
}

/* the sender raises RESET before the first byte so both sides are in sync */
void recv_reset(int x)
{
        bit = 0;
        c = 0;
}

int main()
{
        bit = 0;
        c = 0;
        signal(L, recv_high_low);
        signal(H, recv_high_low);
        signal(RESET, recv_reset);
        for (;;)
                pause();        /* sleep until the next signal arrives */
        return 0;
}
</recv.c>

<send.c>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <stdlib.h>

#define L       SIGHUP
#define H       SIGUSR1
#define RESET   SIGUSR2

void die(char *s)
{
        perror(s);
        exit(errno);
}

int main(int argc, char **argv)
{
        int pid, fd, j;
        char *file, c;

        if (argc < 3) {
                fprintf(stderr, "Usage: %s <pid> <file>\n", argv[0]);
                exit(1);
        }

        pid = atoi(argv[1]);
        file = argv[2];

        if ((fd = open(file, O_RDONLY)) < 0)
                die("open");

        kill(pid, RESET);
        sleep(1);

        while (read(fd, &c, sizeof(c)) > 0) {
                /* and for every bit of this byte do */
                for (j = 7; j >= 0; --j) {
                        if ((1<<j) & c) {
                                printf("1");fflush(stdout);
                                if (kill(pid, H) < 0)   /* send HIGH (1) */
                                        die("kill");
                        }
                        else
                        {
                                printf("0");fflush(stdout);
                                if (kill(pid, L) < 0)   /* send LOW (0) */
                                        die("kill");
                        }
                        /* let the receiver run its handler first: standard
                         * signals do not queue, a second H or L arriving
                         * before the first was handled would be lost */
                        usleep(200);
                }
        }

        close(fd);
        return 0;
}
</send.c>

|=[ 0x03 ]=--------------------------------------------------------------=|

               * SIGINT CONFIDENTIAL REPORT ON GOBBLES *

On 2001/12/20 various individuals around the world succeeded in unrevealing
valuable information about the suspect. The information gathered about the
suspect seems to be authentic - action should be taken immediately by local
law enforcement.

WANTED - GOBBLES - WANTED - GOBBLES - WANTED - GOBBLES - WANTED

Do you have other handles beside 'Gobbles' ?

GOBBLES is known as many things, but GOBBLES can not let the rest of the
world know he other identities in relation to name of GOBBLES due to fear of
social rejection from he peers. GOBBLES wish at some point that people could
stop asking, "GOBBLES who else are you known as" to him when all he really
ask for is a little privacy, cannot people learn to keep their hands to what
is their own?

What kind of species is 'Gobbles' and what is the sex ?

GOBBLES himself is homosapian (which mean human for all you penetrators)
obviously but like the name GOBBLES came from Yahoo.com picture turkey.jpg
found one day which made GOBBLES think to self, "Hey this a funny looking
picture and make me think of security community that full of evil turkies,
hehe 'other identity' should now become known as GOBBLES to be security
turkey too!". Gobbles Security is not limited to one person, or one gender.

How can Gobbles Security be reached (email? sms? irl? irc?)

GOBBLES Security can be reached at group email address on hushmail.com which
is GOBBLES@hushmail.com, if anyone ever need to contact us about anything
that be the place to do it from. As far as where one can find GOBBLES irl
(that mean "in real life" for penetrators), GOBBLES originally from
Lithuania but now live in a place with a little more stable economy.
Some GOBBLES Security members do live in same country and then they frequent
GOBBLES Labs location to do hardcore hacking and programming all day long.

When and where have you been born ?

GOBBLES himself was born during year of 1979 in country of Lithuania, but
not born as GOBBLES, hehe (that not real name ;), but real name shouldn't be
of real concern anywhere though, so that do not matter. GOBBLES was born
into computer security industry scene as GOBBLES during the month of June in
the year of 2001 and currently have plans of being immortal in this field
and living forever.

Is there any picture available of Gobbles Security on the internet ?

GOBBLES Security is more concerned with finding all exploitable bugs and
letting the world know about them than they are with worrying about taking
time to update webpage and get it pretty looking, although making webpage
pretty and finish is becoming a higher GOBBLES priority due to demands of
our many fans who email saying, "Please friend GOBBLES, finish webpage!"

Where does Gobbles Security live (current location) ?

To respect privacy of GOBBLES Security and members GOBBLES does not want to
give out physical location of GOBBLES Labs or the IP addresses (that IP mean
internet protocol, for penetrators needing translation). Website of GOBBLES
where information is fully disclosed is on bugtraq.org though.

To which kind of music does Gobbles Security listen ?

Right now the multiple cd player jukebox in GOBBLES Labs have cd's (compact
disc for penetrator confusing cd with chdir) from following bands and
artists:

-Radiohead
-Tori Amos
-The Violent Femmes
-KMFDM
-Goo Goo Dolls
-Savage Garden
-The Djali Zwan
-Dmitri Shostakovich
-Smashing Pumpkins
-Ace of Base
-They Might Be Giants
-Various Disney Soundtracks and Sing-a-long's

so you get an idea of different genre's that are liked by people who occupy
GOBBLES Labs facility, hehe.

Does Gobbles Security like the movies 'Chicken run' and/or was any relative
actively involved in the movie ?

GOBBLES didn't really understand movie on his own, and consensus from other
group members is that the movie was not very good. GOBBLES spent the whole
movie trying to identify celebrities with they cartoon characters instead of
paying close attention to complex plot, so it can be understood why GOBBLES
didn't really follow and understand the story of that movie.

How many employees does 'Gobbles Security' currently have ?

GOBBLES Security is not a for-profit group and does not have any income or
employees. Everyone who come to GOBBLES Labs to do coding and exploit bring
own computers and materials and alcohol, there is no money involved so there
are not any employees. GOBBLES Labs have 19 active members and researchers.
With 18+ members, GOBBLES Labs is currently the largest active non-profit
security team in the world (that not private and exclusive with research, of
course there is larger private group in existence that GOBBLES not ignorant
of). Unlike other groups that make this claim, GOBBLES Labs is actually
active, hehe.

Are there stocks available from 'Gobbles Security' ?

Hehe, no, because remember we not a commercial organisation? =) GOBBLES
believe that security should not be huge commercial entity anyways and miss
the days when people who were knowledgeable about security were respected
and looked to for security information rather than people with certification
like CISSP who qualified to use Nessus in corporate environment and notify
they companies of updates on cert.org website.

Is there any business plan (current projects ?) of Gobbles Security for
2002 ?

GOBBLES have no business plan, since GOBBLES Security is not a business,
just more of a club, and GOBBLES hope to keep it that way forever. If the
big dollar is ever waived in GOBBLES face like happen to other good
non-profit security group, GOBBLES will refuse to snatch it and keep GOBBLES
Labs independent and free always.

Where did Gobbles Security learn english ?

GOBBLES Security is a multinational group and members have learned they
English in many different places, some speak it natively, or at least
American which is very similar to English from what GOBBLES can deduce.
GOBBLES learn English from Extreme Calculus professor in university who say
to GOBBLES, "GOBBLES if you to go anywhere in life, you must learn to speak
English, here I will help." That is true story of how GOBBLES learn to speak
this wonderful language, hehe.

Have you heard of anti-security and what is your opinion to
http://anti.security.is ?

Yes GOBBLES have seen they website before and read message board very
frequently. GOBBLES think anti.security.is have many good ideas on security,
since it seem that sometimes disclosure is not best since all it really do
is contribute to system being compromised. GOBBLES recall reading somewhere
that still only 30% of servers are patched for CORE-SDI ssh backdoor still,
and that known almost for a year now, so sometimes GOBBLES wonder why
disclosure is even done in the first place if no one really pay attention to
advisory and fix security. However this is not the policy of GOBBLES
Security who are firm supporters of Information Anarchy and Jay Dyson's
quote "Real men prefer full disclosure", although some GOBBLES researchers
are very loyal to anti.security.is philosophy which is why you do not see
all exploits written by GOBBLES Security members since we respect they
wishes. GOBBLES have many respect for ideals of anti.security.is and often
wonders what really is best to improve state of security on the Internet,
but still he decide that it is Information Anarchy.

What does Gobbles Security think about Theo de Raadt ?

GOBBLES think Theo is silly individual who think brilliant research and
revelation of removing machine from network make it secure from network
based attacks and therefore impenetrable, because then what is the real use
of that workstation when it not on a network and can't access anything?
GOBBLES think Theo attempt to banish all networking in name of security is
idiotic idea and GOBBLES really not a big fan of his for this sorts of
things.

And about Aleph1 and bugtraq ?

The Aleph1 is old friend of GOBBLES (but not someone the Aleph1 know as
GOBBLES, hehe) and is someone that GOBBLES very much likes. In question
GOBBLES assume that bugtraq == securityfocus.com, so that how GOBBLES shall
answer the question. GOBBLES not a very big fan of securityfocus itself for
way it do delayed disclosure, for way it claim to be full disclosure, but
then make people have to pay to see good advisories first (holding
information hostage probably not best practice for full disclosure), for
filtering important security advisories because advisories have comments in
that hurt pride of securityfocus staff member. If it were real intentions of
securityfocus to help in security process, GOBBLES think that they would
pass important advisories through, but know from experience that many will
be filtered for silly reason. When securityfocus say, "hey, we will run
mailing lists" they should have also let everyone know that they had
intention of profiting off list and selling information rather than keeping
them in original form, GOBBLES is bothered by level of deceit there. But as
for does GOBBLES like the Aleph1, the answer is YES, GOBBLES do like the
Aleph1. In fact GOBBLES have open invitation to him (and mudge and dildog)
to leave they high paying jobs and the dark side of the force to join back
where they know they want to be, in they hearts, back in the real security
community where you don't have to shave you beard and give out real name;
always extra room for them as members in GOBBLES Security if they ever
decide to reform.

Does Gobbles Security consider other groups like ADM, LSD, TESO as
competitors or as friends ?

GOBBLES Security think of those group as brothers and sisters, not as
competitors.

In which way will Gobbles Security influence the scene in the future ?

Well GOBBLES have the hope of helping rebirth of real security scene where
the world can know who the people are who have real security knowledge are
not the point and click penetrator testers and patch applicators who make
the big dollar, and hopefully someday in future there will be not so much
commercialization of computer security and thing can return back to normal
and the scene can exist again once more.

Write down 'Memorable Experiences':

One time #GOBBLES on irc was taken over by prominent irc takeover gang which
is very memorable experience for the whole GOBBLES Security Crew. Some
things that stuck with GOBBLES from incident include:

<route> gogogogo
<route> OK, newsh fork over the opz
<route> word
<route> ok listen up motherfuckerz
<route> u will get yer chan back when i see fit
<route> mmkay?
<route> now, who'z the fuckwit who insulted me in that yahoo messenger
        advisory?
<route> you mess with libnet, you mess with death motherfuckerz!

[ note by phrackstaff: The above log isn't from the real route. ]

Other very memorable experience was last week at GOBBLES Labs where Alicia
became over intoxicated by alcohol from boxed wine (speaking of alcohol, Mr.
Huger promise to bring GOBBLES back some good wine from he Canada trip,
GOBBLES better get it Al!) during exploit coding session and then took off
all her clothes. Needless to say male GOBBLES members were embarrassed at
the mess they made. GOBBLES swear this true story, not just humor, even some
pictures of naked Alicia captured on webcam broadcast with tcpdump soon to
be made into mpeg, hehe!

Write down some Quotes:

"Opensource software has a future."
        -Sir William Gates

"What goes around comes around."
        -Anonymous

"That vulnerability is completely TheoRaadtical."
        -Microsoft

"A preauthentication bug in OpenSSH? Who hasn't found one of those?"
        -OpenSSH Developer

"No I wasn't caught on video jerking off at defcon 9!"
        -Peter Shipley

"If one XOR is good TWICE IS BETTER."
        -Peiter Zatko

In closing GOBBLES would like to thank Phrack and Phrack Staff for awarding
GOBBLES this Man of the Year Award, GOBBLES very flattered to not only be
nominated but also to be winner of award! GOBBLES LOVE YOU!

|=[ EOF ]=---------------------------------------------------------------=|