News: Phrack #67

with 5 comments

So, today the 67th issue of Phrack was released. This a special day for Phrack since it’s the same date that the first issue was released on 1985, 25 years ago.
Before moving to the articles I want to say something that bothers me since the day I saw it. I think it’s completely inapropriate for such an ezine to indirectly advertise a security industry conference. Regardless of the technical level of the conference I’m finding it at least sad.
Anyway, let’s move to the articles which is the important part…



Introduction
by The Phrack Staff
So… The first document after more than a year from the Phrack staff it starts with a nice intro that leads to a really obscure (for Phrack) result. After a message of Mike Schiffman/route/daemon9 regarding the 25th birthdary of Phrack, there is some inside joke against halfdead and next, the table of contents. Also, Phrack editors inform us that this is a release dedicated to userland exploitation.

Phrack Prophile on Punk
by The Phrack Staff
That was a great profile of a l33t hacker. I’m not going to add anything more here. Just go read it.

Phrack World News
by EL ZILCHO
World news of this issue deals with four subjects. The TJX Case where information of the people involved is provided and in addition there is a very interesting introduction to cases that involved various government agencies’ cooperation worldwide. The next subject is about the Stuxnet worm that got all that attention recently. Here, the author discusses the political hacking that this story (as well as some other cases such as the Aurora) involves and its possible explanation. Following, the last subject is the WikiLeaks one. This part discusses mostly the recent leak of Iraq war diaries from both points of view. It’s a nice reading. At last, there is a small paragraph for the scene events which is more of an conclusion section of the article.

Loopback (is back)
by The Phrack Staff
First of all, I’m glad loopback section is back because it was always one of the funniest parts of each issue. Nothing to add here. You must read it.

How to make it in Prison
by TAp
That’s the first non-technical article that was published in this issue. It’s aim is to provide information that will help us if/when we find ourselves in a prison environment. It’s separated in small sections that makes it easier to follow and deals with all kind of stuff from the first day in prison to everyday life. Anyway, it’s a good read although it’s based on the American judicial system that might be different from country to country.

Kernel instrumentation using kprobes
by ElfMaster
And now the first technical one… My first experience with kretprobes/jprobes was yesterday when I saw the title of that article before its release. I was already quite sure that you could use them in creating rootkits which would be fairly easy if you’ve ever coded even the simplest kretprobe/jprobe kernel module (I did yesterday :P).
Anyway, back to the article. Beginning with simple examples of both kretprobe and jprobe it moves to information regarding the kprobes implementation in the Linux kernel. Next, ElfMaster codes a file hiding kernel module using both techniques from the previously acquired knowledge. The following part is probably the most interesting since it deals with modifying read-only kernel segments. To do this he uses a classic technique of disabling the Write-Protection (using the 16th bit of CR0 register) that I personally first saw it on PaX’s native_pax_{open,close}_kernel() functions. At last, a rootkit against mprotect()/mmap() restrictions is provided and concepts such as detection are covered. It’s definitely one of the best articles in my opinion. Congrats dude! :)

ProFTPD with mod_sql pre-authentication, remote root heap overflow
by FelineMenace
This is something that will piss off some people for sure. It’s full disclosure of a remote ProFTPd 0day. Since last year there was some rumor about a FelineMenace member disclosing a ProFTPd remote root on Phrack but that was only rumor. Anyway, the bug is an overflow at sql_prepare_where() that FelineMenace noticed when developers attempted to fix a different security issue. The write-up is awesome from exploit developer’s point of view and since it’s now public information, I highly recommend you to study it carefully. As I’ve said before “Art of Exploitation” was my favorite Phrack section but releasing a ProFTPd 0day? I strongly disagree…

The House Of Lore: Reloaded ptmalloc v2 & v3: Analysis & Corruption
by blackngel
Continuing from the previous journey to ProFTPd’s allocator we have blackngel‘s article on ptmalloc v2 and v3. In this article blackangel goes through ptmalloc‘s internals in order to achieve successful exploitation. The techniques described are the ‘SmallBin’ and ‘LargeBin’ corruption starting from simple examples that demonstrate the exploitation on modern operating systems and then moving to more complex ones. There is also an analysis of ptmalloc3 implementation which is mostly a comparison between the previously used ptmalloc2 from an exploit developer’s point of view. The last parts of the article deal with mitigation strategies. The author also provides some vulnerable code that could be used on wargames. Pretty cool article! :)

A Eulogy For Format Strings
by Captain Planet
As we all know format strings aren’t that common compared to few years ago. In this article Captain Planet (nice one…) reveals some techniques to bypass format string protections on modern systems. That is GNU C Library’s FORTIFY_SOURCE protection and uses Ronald Volgers’ CVE-2010-0393 to demonstrate his technique on a real world application. Definitely, a worth reading article.

Dynamic Program Analysis And Software Exploitation
by BSDaemon
BSDaemon published another article on this issue of Phrack. His article is about a project that is released along with it that can make exploitation easier. It’s a dynamic analysis application that aims on software exploitation. It’s name is VDT Project but since I haven’t read this article carefully and haven’t tested the code I won’t say anything more. It soulds like a great project though.

Exploiting Memory Corruptions in Fortran Programs Under Unix/VMS
by Magma
First of all, I had (and still don’t) no idea that Fortran was used in banking software as the author states in the introduction of his article. I knew about COBOL applications, but Fortran?
Anyway, for the sake of knowledge I read this article too. So, after an introduction to the basics of Fortran we have our first contact with Fortran memory corruption bugs. He then discusses other bug classes including type casting vulnerabilities, signedness bugs, integer overflows/underflows, dangling pointers etc. Knowing this, the author introduces the reader the world of OpenVMS operating system. By doing this, you get to know OpenVMS specific behaviors as long as subjects like VMS heap memory allocator etc. and at last, exploitation of a heap based memory corruption vulnerability on OpenVMS platform. The last sections include mitigation strategies, summary and greetings.

Phrackerz: Two Tales
by Antipeace & The Analog Kid
This is another non-technical article featured in #67 issue of Phrack. It’s a nice question/answer series of two persons, Antipeace & The Analog Kid that answer questions of hacker culture and the overall lifestyle from the hacker’s point of view.

Scraps of notes on remote stack overflow exploitation
by pi3
This next article is written by pi3 and it’s one of my favorite from this issue. Specifically, in this article you can find some little details that can be used on remote exploitation of stack overflows. As the author says, nowadays remotely exploiting vulnerabilities has become harder because of the various protections that are implemented. Here, after describing in detail some neat tricks, he moves to a proof-of-concept code that demonstrates them. One of the highlights here is that his PoC works under grsecurity systems too. ;)

Notes Concerning the Security, Design and Administration of Siemens DCO-CS Digital Switching Systems
by The Philosopher
I can recall talking about this on 26c3 with some people but ‘The Philosopher’ did some excellent work here. Even though I don’t know much about such stuff I found that article very informative and as always, giving many useful information from a security perspective. Nevertheless, I won’t comment anything since I don’t have the required knowledge to do so.

Hacking the mind for fun and profit
by lvxferis
This non-technical document written by lvxferis is about NLP that I believe almost all the people have experimented with some time. It’s just an overview of NLP but you’ll probably love the greetings section (especially the people who know what he’s saying about kcope) :P

International Scenes
by various
Yeah baby! Let’s see what we have here…
The story begins with the Indian Hacking scene which was written by an anonymous null community member. Since I don’t know much about Indian hackers I’ll say nothing BUT… I cannot do the same for the second part of this article which has this title:
“An overview of the Greek computer underground, part 1”
and it’s written by (I can guess who you are): “two (not really) anonymous G(r)eeks”. Oh… my… Let the games begin…
– GRHACK
Since you say that there will be a second part I won’t comment that GRHACK is something new (I know, different people, different goals). Also, there are really few hackers, if any in this community. Most of them are either security professionals (aka whitehats) or individual researchers.
– 0x375
Never participated at one. I have no idea of how it’s related with the .gr scene and that’s why I will not comment this.
– AthCon
Seriously..? I mean for real!!? A security industry conference has to do with the hacking scene of Greece… Yeah, whatever.
– 2600
Unfortunately (or fortunately?), now 2600 is just a bunch of friends that meet once a month to have some beer and talk. I am one of those people and I can ensure you that it has nothing to do with hacking.
– Online forums
I have lots of stories about forum wars and stuff but I think the authors are correct although the technical level is not very high in most of these forums. Here there is also a reference to me and my blog but just to clarify. This is not my main involvement with the security and hacking scene of Greece and of course, this is not the nick I use anywhere else apart from wordpress.com
– Controversial groups
Heh… that lxplus.cern.ch defacement… It was one of the best stories ever. It’s purpose was just to piss some other Greek guys off :P
I have nothing to add about ‘Greek Hacking Scene’ group but an article regarding the historic ‘Greek Hackers Society’ group would be nice. At last, the H4F subject is not that simple but it’s also highly illegal to discuss anything about it.
– Demo scene
No comment
– Pentesting community
It’s true that most whitehats in Greece used to be part of the hacking scene.
– Open source related events
No comment… No wait! One word, ricudis.
– Academia
No comment
– Conclusion, what does the future hold
No comment
Now.. Something that is very true: “…Greek “scene” is small, obscure, full of ignorant and incompetent people…”. Since you’re not involved in the .gr scene (and I cannot say that I am (at least directly) either), you wouldn’t have probably noticed that there was absolutely no reference on the underground. It exists but maybe the authors didn’t know about it, I don’t know. There are underground hacking groups in Greece that are active (some of them with skilled hackers writing remote kernel exploits and knowing how to bypass most protections) and there are also Greek people in international groups as well. I will not say anything since it’s not my job. Maybe the people who submitted the article should have done the same. There are only very few people that could talk about this subject cause they know exactly what’s going on in the hacking scene (I’m not one of them). One of the authors used to be a hacker long long time ago.
I was always hoping for such a section in the “International Scenes” but always worried of the person that was going to write it. Anyway, I have nothing left to say.

As an overall it’s a pretty good issue with an awesome Phrack Prophile and some kick-ass articles like pi3’s and FelineMenace’s. Also, if you noticed, from this issue there are no more “The Circle of Lost Hackers” but instead, “The Circle of Found Hackers”. Just kidding. :P
As you saw the editorial team is now called “The Phrack Staff”.
Personally, I would like to thank everyone (except the anonymous G(r)eeks) starting from the Phrack editorial team, hackers, researchers, contributors etc. that helped to create this issue. Honestly, thank you people! :)

Written by xorl

November 18, 2010 at 06:24

Posted in news, phrack