Friday, July 10, 2009

time(), GCC, and the linker

While debugging some of my own crappy code I discovered a bug that I thought was interesting. If Kenshoto had hosted the game again this year, I think this may have been a fun bug to stage in a vulnerable CTF service. (Actually, I vaguely remember talking to someone who did that year's quals who said that there were some "cute bugs that involved clever timing" -- it is very possible it was of the same nature.)

Long story short: if a function is called with no declaration in scope because the header that declares it wasn't included, GCC warns about the implicit declaration but still compiles the call. Without the header, GCC has no prototype to check against, so it knows neither the expected arguments nor the return type of the function. If the linker can find a symbol with that name, the call is resolved to it at link time, with no check that the arguments match.

Consider this contrived and barely functional code sample:

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
/* <time.h> is deliberately not included: time() is called below with no
 * prototype in scope. GCC up to 13 warns and links it anyway; GCC 14 and
 * later reject the implicit declaration by default. */

void (*fp)(void);

void handle_error(void)
{
    printf("you're doing it wrong\n");
}

void handle200(void)
{
    printf("you're still not doing it right\n");
}

void setvalue(int x)
{
    if (x == 200)
    {
        fp = handle200;
    }
    else
    {
        fp = handle_error;
    }
}

int main(int argc, char *argv[])
{
    time_t mytime;
    int x;
    size_t bufsize = 65 * 1024;
    char *buf;

    buf = malloc(bufsize);
    if (buf == NULL)
        return 1;

    memset(buf, 0, bufsize);        /* was sizeof(buf), which only zeroes a pointer's worth */
    fgets(buf, bufsize-1, stdin);
    x = atoi(buf);
    setvalue(x);
    mytime = time();                /* no prototype and no argument: this is the bug */
    printf("my time is %lu\n", (unsigned long)mytime);  /* time_t has no portable printf format */
    fp();
    free(buf);
    return 0;
}


There is no inclusion of time.h, which declares time(), yet the code compiles and runs. With warnings enabled, GCC reports during compilation: timebug.c:44: warning: implicit declaration of function ‘time’.

I was an idiot for not having warnings enabled while compiling the code I was working on; it would have saved me tons of time (u see wat i did there?).


The prototype for time() is:

    time_t time(time_t *t);

And time() does the following:

1. Get the time from the system.
2. If the time_t pointer supplied as its only argument is not NULL, dereference it and store the time there.
3. Return the time.

In the code sample, on 32-bit x86 where arguments are passed on the stack, the last value pushed is the one passed to setvalue(). It still sits in that stack slot when time() is called with no arguments, so time() reads it as its time_t * argument. If the atoi() call on the buffer returns anything other than 0 (aka NULL), time() treats that value as a valid pointer, dereferences it and writes the current time there. This wreaked havoc on my code: in my case, the last value pushed to the stack was a structure pointer full of linked lists and things, and the bug didn't trigger until free() was called on those lists. Serious pain.

Clever uses of this could be done to stage a fun CTF service. If an attacker had this vulnerable app to work with and a means of manipulating time (like a MITM of the Network Time Protocol), they could have a fun instant write-4-anywhere. Additionally, every 4.2 minutes the lower 8 bits of time wrap around. Every 18.2 hours, the lower 16 bits wrap around. By properly offsetting (say, only overwrite the high 16 bits of a function pointer/EIP) in conjunction with heap massaging or exploiting other application-specific traits, this bug could be fun ;]
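The sample above rewritten so that the compiler can check every call, as an added example that is not the post's own code. It keeps the same dispatch on the value 200 and the same handler names; parse_value(), select_handler() and current_time_checked() are names introduced here. With <time.h> included, time() has a prototype, so a bare time() no longer compiles at all, and -Werror=implicit-function-declaration turns any other missing prototype into a build failure instead of a warning that scrolls past. The stale-stack-argument behaviour the post describes depends on the 32-bit x86 calling convention; on x86-64 the first argument lives in a register, so the same bug shows up differently, which is one more reason to let the compiler check the call rather than reason about what happens to be left on the stack.

```c
/* Added example, not the post's code: the timebug sample with prototypes
 * in scope for every call.  Build with
 *   gcc -std=c99 -Wall -Wextra -Werror=implicit-function-declaration timebug_fixed.c
 * so that a call without a prototype fails the build. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>
#include <time.h>      /* the include the original sample was missing */

typedef void (*handler_fn)(void);

void handle_error(void) { puts("you're doing it wrong"); }
void handle200(void)    { puts("you're still not doing it right"); }

/* Parse one input line as a decimal int.  Unlike atoi(), this reports
 * empty input, garbage and overflow instead of silently returning 0.
 * Returns 0 on success and -1 on failure. */
int parse_value(const char *line, int *out)
{
    char *end;
    long v;

    if (line == NULL || *line == '\0')
        return -1;
    errno = 0;
    v = strtol(line, &end, 10);
    if (end == line || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    /* allow the trailing newline/whitespace that fgets() leaves, nothing else */
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;
    *out = (int)v;
    return 0;
}

/* Same dispatch as the original setvalue(), returned instead of stored
 * in a global so it can be tested. */
handler_fn select_handler(const char *line)
{
    int x;

    if (parse_value(line, &x) != 0)
        return handle_error;
    return (x == 200) ? handle200 : handle_error;
}

/* time() called the way its prototype requires: NULL means "do not store
 * the result anywhere", so nothing is dereferenced.  Returns 0 on failure. */
time_t current_time_checked(void)
{
    time_t now = time(NULL);

    if (now == (time_t)-1)      /* time() reports failure as (time_t)-1 */
        return 0;
    return now;
}

int main(void)
{
    enum { BUFSIZE = 65 * 1024 };
    char *buf = malloc(BUFSIZE);
    handler_fn fp;

    if (buf == NULL)
        return 1;
    memset(buf, 0, BUFSIZE);            /* the whole buffer, not sizeof(char *) */
    if (fgets(buf, BUFSIZE, stdin) == NULL)
        buf[0] = '\0';
    fp = select_handler(buf);
    /* time_t has no portable printf conversion; cast to the widest type. */
    printf("my time is %lld\n", (long long)current_time_checked());
    fp();
    free(buf);
    return 0;
}
```

Feeding the program "200" selects handle200 and anything else, including an empty line, selects handle_error, exactly as before; the difference is that the compiler now knows time() takes one time_t * and will refuse a call that omits it.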

Sunday, July 5, 2009

MOAR POSTS

So I caved in and joined Twitter with all the other techno-hipsters. Apparently the security industry has a hard-on for a broken down over simplified version of web text irc. Yet still, it is a fun and efficient way to keep in immediate touch with friends and other interesting people. With my time being occupied by getting prepared to move, and tweeting, I haven't spent any time posting blog updates. I promise something interesting soon.

For now, I'll just leave this here:

Wednesday, April 1, 2009

This is what we needed.

My buddy Jeff said it best - this is what we needed: I TOLD YOU SO.

Why does the media hype things like Conficker into terms such as "an unthinkable disaster"? How is it unthinkable? Is Conficker going to leverage the technology of its compromised machines to transcend reality and do something beyond the scope of human comprehension? Is it going to build Skynet and go back in time looking for Sarah Connor? Is it going to use PC speakers to generate vibrations that manifest doom spores in the air that infect us and turn us into zombies?

Sure it could fuck things up. It could delete everything on the infected machines. It could steal information. It could probably wreak DoS havoc on the internet. What's so special about this beyond any other worm of mass propagation? Nothing. It has some semi-clever components, it isn't as absolutely stupid as other worms, and it has an obsession with Rivest's algorithms. OoOOoOo It must be the end of the world.

So to everyone out there: I told you so. We're still alive. Congratulations on reliving y2k over a worm. Again don't get me wrong: it could cause a bunch of stress and rain on some parades. In fact it might still do something after April 1st. Is it worthy of the hype? Is it an unthinkable disaster? Certainly not.

Thursday, March 26, 2009

No Moar Free Hugz

This last week at information security conference CraqPipeWest, security researchers Dr. Raid, Postmodern, CD and Pierce have all decided to make and live by the following mantra:

"NO MOAR FREE HUGZ"

This statement follows the annual conference's competition called Struggle2Snuggle, wherein hackers compete to try and get as physically close as possible to girls who also attend the conference. The contest works in 30 minute rounds, and at the end of each round the hacker who achieves the highest public display of physical interaction with a consenting female wins $50 cash for the round in addition to a free stick of AXE deodorant. The researchers were later quoted in interviews, after being asked about their views regarding the monetary value of hugs:

"No moar free hugz to me really means that these girls can't just expect to get a hug from me for free. I mean I spend time weaponizing my hugs - and I don't even really know what that means when I say it - but it sounds cool. This isn't something I do to make other people money, so they shouldn't be making money off of me. If we're going to be spending time hugging these beautiful women, they should be paying us" - Dr. Raid, Chief of Substance Abuse at Portland based SophSec Research Labs

"It's time that we recognize the effort that hackers have to put into being social like this. I don't smell good, and I bet you don't either. Do you think it's easy for us to hug women?" - Pierce, Manager of Useless Languages, SophSec Research Labs

"Women just don't like getting a beard rubbed in their face." - PostModern, another SophSec member stated before being escorted out of the conference by security for throwing a beer bottle at another attendee wearing a 'Got Root?' shirt.

"I'm actually not legally allowed to have contact with women who are not family, by court orders. This makes hugs really tough for me. Money is really the only thing that makes it worth the risk" - CD, Chief of Epic Lulz, SophSec Research Labs

These views were clearly not held solely by SophSec members, as demonstrated by the crowd who started to cheer as the contest progressed. It would appear as though the Information Security Industry as a whole has been making a collaborative move towards selling hugs to vendors. As time progresses this may open up entirely new marketplaces for vendors to exist in, and may even spark hope for revitalizing a broken economy. Until next issue, this is Fail Nobra, reporting for Fired Magazine.

Monday, March 16, 2009

Nostalgia

The IRC wars, the epic battles over control of servers and the constant beef between hacker crews added fun to being involved in security back in the 90s and early 2000s. Recently a friend linked me a monologue of ownage which brought back memories of watching these types of wars happen back in the day. Having my name in the greetz was also pretty nostalgic ;].

Thursday, March 12, 2009

Google Native Client security contest

The Google Native Client (NaCl):

"Native Client is an open-source research technology for running x86 native code in web applications, with the goal of maintaining the browser neutrality, OS portability, and safety that people expect from web apps. We've released this project at an early, research stage to get feedback from the security and broader open-source communities. We believe that Native Client technology will someday help web developers to create richer and more dynamic browser-based applications."

A security contest is being held by Google to try and busticate their native client code. Some interesting submissions have already shown up on the issues list. Pretty impressive competition.

Monday, February 2, 2009

Real talk

xkcd is pretty good about hitting the point: