shooting clay pidgins
a preliminary look at libpurple
introduction
• Libpurple is used by Pidgin & Adium
• Pidgin was originally gaim, dating back to 1998

• People everywhere use this software
• Gets increased popularity due to OTR support
• And yet many say it’s horribly insecure? 
• But most don’t back it up with any evidence
process
So, in short, sporadic ~30 min blocks in 2013…
…when bored on planes, etc.
…spent bits of time reading over some code…
…and then tried to find time to type up bugs
the goal
• Focus on seeing code quality rather than finding exploitable bugs
• Try to suss out the general security maturity of the project
• See the developer responses/culture for security-related bugs

(diagram: a scale running from greppable bugs, through top-down bugs, to bottom-up bugs, asking "Where is it at?")
historical vulnerabilities
• Over 50 CVE’s since Oct 2005
• Mostly crashes/overflows
• File* issues (arbitrary file read/write)
• SSL/TLS issues (MITM, etc.)
architecture & code
• Not much documentation
• Appears to be huge attack surface
• Many protocol parsers
• Dispersed dev. responsibilities

• Core code is large (logging, etc.)
• Mostly all written in C (Glib)
devs and components

Sometimes many devs touching 1 component
Sometimes only 1 touching specific plugins
initial code sweep
• Skim calls to purple_debug_{error|info|warn}

• Search for *alloc’s and backtrace

• Search for *printf’s and backtrace
a sample of findings
3 examples to show…
1. An overflow when parsing chunked HTTP responses
2. An example of just silly sloppy code
3. An example of poor/dangerous design (and sloppy code)
1. process chunked data vulnerability (util.c)

G_GSIZE_MODIFIER is unsigned

SPOT THE BUG?

Bug #1: sz we control off the wire, int overflow here

Bug #2: just a debug macro, and they forgot the break; so this check was pointless anyway.

Overflow here and also a potential out-of-bounds read.
problem triaging

Found it hard to triage/trace bugs without stumbling on more things…
2. sloppiness: msn_message_gen_payload

A funny example of sloppiness, probably not triggerable remotely.

Bug: always increments n by 2, as g_strlcpy returns the size of the src

Never mind though, we’ll just copy the message data on top of it all anyway
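The point of this slide is that g_strlcpy (like strlcpy) returns strlen(src), not the number of bytes it wrote, so "n += g_strlcpy(...)" walks the offset past the buffer as soon as one field is truncated. The following is an added example, not libpurple code: it uses a local strlcpy-compatible helper (bounded_copy) and constructed MSN-style header strings, shows the naive offset arithmetic going wrong, and contrasts a hardened appender that only advances n when the whole string fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Local reimplementation of strlcpy()/g_strlcpy() semantics so the example
 * needs no GLib: copy at most size-1 bytes, always NUL-terminate, and return
 * strlen(src), i.e. the length the caller wanted, NOT the bytes written. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Constructed MSN-style header fields (not libpurple's own strings). */
#define DEMO_CAP 32
static const char *const demo_fields[] = {
    "Content-Type: text/plain\r\n",   /* 26 bytes */
    "X-MMS-IM-Format: FN=Arial\r\n",  /* 27 bytes: only 5 fit after the first */
    "\r\n",                           /* 2 bytes */
};
#define DEMO_NFIELDS (sizeof demo_fields / sizeof demo_fields[0])

/* The naive pattern: n += strlcpy(buf + n, field, cap - n). Once the second
 * field is truncated, n is already 53 > cap, so cap - n wraps (size_t) and
 * the "bound" on the third copy becomes enormous. The scratch buffer is
 * deliberately far larger than DEMO_CAP so this demonstration stays in
 * bounds; with a real 32-byte buffer the third copy lands past its end. */
static size_t demo_naive_offset(void)
{
    char scratch[256] = {0};
    size_t n = 0, i;
    for (i = 0; i < DEMO_NFIELDS; i++)
        n += bounded_copy(scratch + n, demo_fields[i], DEMO_CAP - n);
    return n;   /* 26 + 27 + 2 = 55, although only 31 bytes were legal */
}

/* Hardened appender: the offset only advances when the whole string fit.
 * Invariant: p->n < p->cap, so there is always room for the terminator. */
struct payload { char *buf; size_t cap; size_t n; };

static bool payload_append(struct payload *p, const char *src)
{
    size_t room = p->cap - p->n;                 /* >= 1 by the invariant */
    size_t want = bounded_copy(p->buf + p->n, src, room);
    if (want >= room)                            /* truncated: refuse */
        return false;
    p->n += want;
    return true;
}

/* Build the three fields into a buffer of 'cap' bytes. Returns the payload
 * length, or -1 if any field would not fit; a caller must not go on to copy
 * a message body on top of a half-built header block. */
static long demo_hardened(size_t cap)
{
    char buf[128];
    struct payload p = { buf, cap > sizeof buf ? sizeof buf : cap, 0 };
    size_t i;
    for (i = 0; i < DEMO_NFIELDS; i++)
        if (!payload_append(&p, demo_fields[i]))
            return -1;
    return (long)p.n;
}
```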
3. poor design: http content-length

Different protocol parsers implementing their own Content-Length parsing – many in sloppy ways

%d, atoi(), etc. for parsing Content-Length is reminiscent of 10+ year old httpd bugs

broken way to parse content-length #1

broken way to parse content-length #2
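The chunked-size overflow and out-of-bounds read from example 1 and the atoi()/%d Content-Length parsing here share one root cause: a length taken off the wire, parsed with sign-tolerant, overflow-silent routines, and then used in arithmetic before being checked. The following is an added example (not libpurple code, all names constructed for this illustration) of how both parsers look when hardened: a strict unsigned parser that rejects signs, garbage and wrap-around, and a chunked decoder in which every bound is computed as "size > remaining" so it cannot itself overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parse an unsigned length field from a bounded, non-NUL-terminated byte
 * range. Returns false for an empty field, any sign or whitespace byte, any
 * non-digit, or a value that does not fit in size_t. This is the property
 * atoi()/sscanf("%d") lack: they accept "-1", stop silently at garbage, and
 * wrap on overflow, which is exactly how a wire-controlled size goes bad. */
static bool parse_length(const char *p, size_t n, unsigned base, size_t *out)
{
    size_t v = 0, i;
    if (n == 0) return false;
    for (i = 0; i < n; i++) {
        unsigned c = (unsigned char)p[i], d = 0;
        if (c >= '0' && c <= '9')                       d = c - '0';
        else if (base == 16 && c >= 'a' && c <= 'f')    d = c - 'a' + 10;
        else if (base == 16 && c >= 'A' && c <= 'F')    d = c - 'A' + 10;
        else return false;
        if (v > (SIZE_MAX - d) / base) return false;    /* v*base+d would wrap */
        v = v * base + d;
    }
    *out = v;
    return true;
}

/* Content-Length: optional surrounding blanks, then decimal digits only. */
static bool parse_content_length(const char *val, size_t *out)
{
    size_t start = 0, end = strlen(val);
    while (start < end && (val[start] == ' ' || val[start] == '\t')) start++;
    while (end > start && (val[end - 1] == ' ' || val[end - 1] == '\t')) end--;
    return parse_length(val + start, end - start, 10, out);
}

/* Decode a complete chunked body held in in[0..in_len) into out[0..out_cap).
 * Returns the decoded length, or -1 if the input is malformed or truncated,
 * a chunk-size is larger than the bytes that follow it (the out-of-bounds
 * read), or the output would overflow out[] (the overflow). Every bound is
 * written as "sz > remaining", which cannot wrap even for a huge sz. */
static long decode_chunked(const char *in, size_t in_len,
                           char *out, size_t out_cap)
{
    size_t pos = 0, out_len = 0;
    for (;;) {
        const char *line = in + pos, *eol, *semi;
        size_t digits, sz, eol_at;
        eol = memchr(line, '\r', in_len - pos);           /* end of size line */
        if (!eol) return -1;
        eol_at = (size_t)(eol - in);
        if (eol_at + 1 >= in_len || in[eol_at + 1] != '\n') return -1;
        digits = (size_t)(eol - line);
        semi = memchr(line, ';', digits);                  /* drop chunk-ext */
        if (semi) digits = (size_t)(semi - line);
        if (!parse_length(line, digits, 16, &sz)) return -1;
        pos = eol_at + 2;
        if (sz == 0) return (long)out_len;                 /* last-chunk */
        if (sz > in_len - pos) return -1;                  /* would read past input */
        if (sz > out_cap - out_len) return -1;             /* would write past out */
        memcpy(out + out_len, in + pos, sz);
        out_len += sz;
        pos += sz;
        if (in_len - pos < 2 || in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;                                          /* chunk-data CRLF */
    }
}

/* Convenience wrappers over constructed inputs so results can be checked. */
static long demo_decode(const char *in)
{
    char out[64];
    return decode_chunked(in, strlen(in), out, sizeof out);
}

static long demo_content_length(const char *val)
{
    size_t n;
    return parse_content_length(val, &n) ? (long)n : -1;
}
```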
general badness
• Many protocol plugins appear to implement their own parsers
• HTML/XML/HTTP - e.g. Content-Length
• Signed integers for offsets/lengths/indexes are very common
• The heavy use of HTML and HTTP parsing also introduces some interesting web-related attack vectors (XSS in HTML logging, etc.)
responses
• 100% response rate, fairly understanding, quite good to deal with
• Took some time for a patch to hit the public, e.g. CVE-2013-6485:
  8/8/2013: Initial bug report
  18/8/2013: Follow-up email
  20/8/2013: Acknowledgement
  21/8/2013: Patch ready
  28/01/2014: Fix public
• A slight concern about the volume of fixes in each release
results summary
Spent no more than 1-2 days total reading through code…

(diagram: the same scale from greppable bugs, through top-down bugs, to bottom-up bugs, with a marker after top-down bugs: "I didn’t get past here…")
latest news
• 2.10.8 was released on 28th Jan 2014 addressing 18 CVE’s
• The http/chunked bug was assigned CVE-2013-6485
• A number of CVE’s in 2.10.8 (reported by Sourcefire VRT) related to Content-Length parsing, e.g. CVE-2013-6490 and CVE-2013-6487
• A lot of other patches that didn’t receive CVE’s (sloppy code)

• A lot of areas that could be looked at in more depth, e.g.
  • All FILE* related paths and operations (i.e. reliable/effective RCE)
  • More focus on the core, such as logging, etc.
2.x versus 3.x
• So, the 2.x branch certainly has some old/sloppy code
• It’s getting better each release, but there’s a lot more in there…

• The 3.x branch appears to be the more strategic solution
  • Cleaned up design with a tidier API (e.g. http parsing, etc.)
  • A lot of dead/redundant code elimination and clean-ups
  • Apparently it’s coming in the next 3-6 months
  • Looks promising, but they need help to make it robust
conclusions
• Tread carefully running the 2.x version
• There are undoubtedly a lot more dangerous bugs in there
• At least run on a modern platform in an isolated VM
• Alternatively take a look at Jitsi

• Keep an eye out for when the 3.x branch drops
• And if you like auditing code, help out the team
questions?
@volvent