Posts on The Shadow File

Forrester Research Note - Mythos 10 Consequences - Finance Translation

Sun, 26 Apr 2026 21:04:20 -0700

A few weeks ago Forrester Research, who would not normally be on my radar, posted a very concise “Project Glasswing: The 10 Consequences Nobody’s Writing About Yet.” Short version: the infosec industry is about to be turned upside down over the next 2–5 years, and in many ways the transition is well underway.

This is one of the most important things I’ve read this year, and it exists at the intersection of infosec, artificial intelligence, and business & economics. I feel like people in our industry are snoozing on this.

Revisiting Pegasus on iOS9

Sat, 02 Jul 2022 13:50:48 -0700

What follows is a writeup of the kernel bugs NSO Group’s Pegasus spyware exploited in iOS 9, specifically versions 9.3.4 and earlier. The spyware was discovered and the vulnerabilities patched roughly six years ago.

Why now? Well, “now” isn’t exactly the right word; I wrote this up just over four years ago. At the time, my intent wasn’t to publish. Rather it was to better understand the practical aspects of exploiting kernel bugs in XNU, iOS’s and macOS’s kernel. As I explain in the writeup, there’s often a lot of discussion of bugs themselves, and sometimes some superficial discussion of their exploitability. But there’s rarely a soup-to-nuts discussion along the lines of “What do these bugs actually get you? What does exploiting kernel bugs on iOS actually look like, and what do you next, having exploited them?”. I wanted to understand those aspects of kernel exploitation, so I went through the exercise of exploiting the bugs myself, in as similar a manner as possible to what Pegasus did. I wanted to understand the challenges of:

Source Level Debugging the XNU Kernel

Wed, 24 Oct 2018 19:50:00 -0700

Whether you’re developing a kernel extension, doing vulnerability research, or you have some other need to spelunk into the macOS/iOS kernel, XNU, sometimes you need to attach a debugger. And when you do that, doing it with source code is really nice when possible. Damien DeVille, Snare and probably others have written about this process. Here are some of their articles:

Things have evolved a bit. And while you can probably work it all out from the combined previous work, there are some things that aren’t addressed. So let’s go through it here, from scratch.

Autogenerating defaults(1) Commands

Tue, 28 Aug 2018 13:00:00 -0700

In previous posts, I described some advanced uses of the macOS defaults(1) command, including adding arbitrarily complex data structures to defaults dictionaries. I also described less than obvious locations where system and applicaton preferences get recorded. Those were all background for this article.

It can be difficult know what plist file on disk stores a given setting, or exactly what the key (and corresponding value in that dictionary) are for a setting. In this post I’ll describe a tool I’ve written for detecting what file on disk is changed and exactly what the change was.

Defaults Non-obvious Locations

Sat, 18 Aug 2018 14:37:00 -0800

I wrote a tool that sniffs changes to macOS defaults as they change and autogenerates the defaults incantation to set those preferences. I have a post in the wings about this. For that to be useful, though, I need to establish a bit more groundwork about defaults. In particular, the various locations where the backing plist files can exist. Most are intuitive, but many are not.

Here’s a rundown of places where defaults plist files can exist if they’re not in ~/Library/Preferences or /Library/Preferences.

Advanced defaults(1) Usage

Sat, 16 Jun 2018 12:34:00 -0700

Want to change Finder’s preferred view to column view from the command line? There’s a defaults command for that. Want to alter trackpad behavior from a shell script? Yep, defaults can do it.

Lots of (most?) macOS and iOS settings manifest in the defaults subsystem (see Apple’s Preferences Programming Topics for Core Foundation and UserDefaults). What this means for you, the macOS user, is many of these settings exist somewhere on disk in the form of .plist files. You can find them in /Library/Preferences, ~/Library/Preferences, among other places.

Broken, Abandoned, and Forgotten Code, Part 14

Thu, 05 Nov 2015 08:30:00 -0800

In the previous post, we walked through building a stage 1 firmware image that can be flashed to the Netgear R6200 by exploiting the hidden SetFirmware SOAP action in upnpd. Due to an undersized memory allocation, we aren’t able to flash a full sized image using this exploit. Whereas a stock firmware is nearly 9MB, the buffer upnpd base64 decodes into is 4MB, leading to a crash. As a result we have to load our trojanized firmware in two stages.

Broken, Abandoned, and Forgotten Code, Part 13

Thu, 08 Oct 2015 08:30:00 -0700

In the first twelve parts of this series, we identified an unauthenticated firmware update feature in the Netgear R6200 wireless router. Unfortunately, this feature was broken and only partially implemented, making exploitation less that straightforward. We reverse engineered the timing requirements and structure of the SOAP request required to exploit this vulnerability. We also reverse engineered the firmware image format, including its undocumented firmware header.

As of the previous part, the exploitation phase is complete, which is to say we are able to have the Netgear UPnP daemon overwrite the firmware on flash storage with arbitrary data of our choosing. We are able to do this without authentication.

Broken, Abandoned, and Forgotten Code, Part 12

Thu, 17 Sep 2015 08:30:00 -0700

In the previous part, I described how to strip out all but the most essential services and libraries in the stock firmware in order to get the firmware image down to under 4MB. This avoids crashing upnpd, which allocates less than half enough memory to base64 decode a stock-sized firmware image.

In this part, we’ll walk through a crasher you might encounter (or might not, depending how you formatted your ambit header) and how to sidestep it.

Broken, Abandoned, and Forgotten Code, Part 11

Thu, 16 Jul 2015 08:00:00 -0700

In the previous part, we moved away from emulation to working with physical hardware. We identified a UART header inside the Netgear R6200 that can be used for console access. I demonstrated how to access the CFE bootloader’s recovery mode to reflash a working firmware over TFTP. This makes it possible to iteratively modify and test firmware images that will be used in the SetFirmware UPnP exploit.

In this part, I’ll talk about regenerating the filesystem portion of the firmware image. I’ll also walk through shrinking the filesystem in order to avoid crashing upnpd.

Broken, Abandoned, and Forgotten Code, Part 10

Thu, 09 Jul 2015 08:11:00 -0700

Debugging and De-bricking the Netgear R6200 via UART

Update: I forgot to credit my former colleague, Tim (@bjt2n3904), for helping me locate the UART header. This project would have been way more challenging without the serial connection. It would have involved desoldering the flash memory chip, probably replacing it with a ZIF socket, and then removing and reprogramming the chip for each iteration of testing.

In the previous installment, we filled out the ambit firmware header just enough to satisfy Netgear’s broken UPnP server. We also patched out several ioctl() calls in upnpd in order to test the SetFirmware exploit in emulation.

Broken, Abandoned, and Forgotten Code, Part 9

Thu, 25 Jun 2015 08:30:00 -0700

In the previous part, we switched gears back to the Netgear R6200 upnpd after spending some time analyzing httpd. The HTTP daemon provided an understanding of how the firmware header is supposed to be constructed. We found a header parsing function in upnpd that was similar to its httpd counterpart. So similar that it has the same memcpy() buffer overflow. This overflow was more interesting this time around, as it did not require authentication. Additionally, we discovered a reference to the “Ambit image” via an error message string. Presumably an ambit image is a firmware format analogous to TRX. In this case, however, the ambit image encapsulates a TRX image.

Broken, Abandoned, and Forgotten Code, Part 8

Thu, 18 Jun 2015 08:30:00 -0700

In the previous few posts, we spent time reversing how the Netgear R6200’s HTTP daemon parses a firmware header before writing the firmware image to flash. The goal was to work out how the 58-byte firmware header is constructed and how to generate a new one that can replace the header in a stock firmware. In the end we identified the purpose of all but 4 bytes. The regenerated header plus the original TRX firmware image allowed the HTTP daemon, running in emulation, to reach the stage where it would start writing data to the /dev/mtd1 flash partition. Considering this a win, we’ll now circle back to analyzing upnpd.

Broken, Abandoned, and Forgotten Code, Intermission

Mon, 08 Jun 2015 06:31:00 -0700

We’re about halfway through the Broken, Abandoned series, so this is a good time to pause for a minute and take stock. At this point, things have gotten pretty technical; if you’ve only joined recently, you may be wondering what this series is about. I want to take a moment to summarize where we’ve been and where we can expect to go from here.

Overview

This series, entitled Broken, Abandoned, and Forgotten Code, is about an unauthenticated firmware update mechanism in the Netgear R6200 wireless router’s UPnP service. Bypassing authentication and updating the firmware would be moderately interesting by itself. What makes this particularly interesting, however, is this capability appears only partially implemented. It’s not quite dead code; more like zombie code. It’s wired up just enough to kind of work. There are many artifacts of incomplete implementation that stand in the way of straightforward exploitation.

Broken, Abandoned, and Forgotten Code, Part 7

Thu, 04 Jun 2015 10:37:00 -0700

In the previous post, I finished discussing the abCheckBoardID() function. I called attention to a checksum in the header generated by an unknown algorithm. I provided a python implementation of that algorithm ported from IDA disassembly. In total, I identified four fields parsed by this function, accounting for 30 bytes of the 58 byte header.

In this part I’ll give an overview of the remaining functions that parse and validate the firmware header. By the end we will be able to generate a header that allows the firmware to be programmed to flash memory. I won’t discuss each header field in quite as much detail as I did previously, but if you’ve made it this far, it shouldn’t be too hard to understand how each field is used.

Broken, Abandoned, and Forgotten Code, Part 6

Thu, 28 May 2015 08:26:00 -0700

Note: It is assumed that the reader is debugging the processes described in this and the next several posts using emulation and IDA Pro. Those topics are outside the scope of this series and are covered in detail here and here.

In the previous post, we switched gears and started looking at the web server for the Netgear R6200. That’s because the HTTP daemon’s code for upgrading the firmware is less broken and easier to analyze. We also analyzed a stock firmware image downloaded from Netgear to see how it is composed. Craig Heffner’s binwalk identified three parts, a TRX header at offset 58, followed by a compressed Linux kernel, followed by a squashfs filesystem. All of those parts are well understood, which only leaves the first 58 bytes to analyze.

Broken, Abandoned, and Forgotten Code, Part 5

Thu, 21 May 2015 09:30:00 -0700

In previous installments I shared proof-of-concept code that would exercise the Netgear R6200’s hidden (and badly broken) SetFirmware SOAP action. It satisfied the various wonky conditions necessary to get into the sa_parseRcvCmd() function. Then I showed where in that function a firmware would be decoded from the SOAP request and written to flash. I showed how to identify a code path that leads to firmware writing. In part four, I showed how an undersized malloc() means a stock firmware crashes upnpd. Although we’ll work around that bug later, for this and the next several installments we’ll be working out how the firmware image gets parsed so we can create our own.

Broken, Abandoned, and Forgotten Code, Part 4

Thu, 14 May 2015 09:18:00 -0700

In the last post, I described how upnpd’s sa_parseRcvCmd() function finds the body of a SOAP request and how it parses that SOAP request. This is a large and complicated function that processes many types of SOAP requests. I demonstrated how to work out the desired path of execution to decode and write firmware. At the end I made an educated guess as to how the SOAP request should be formed, and how the firmware should be represented in the request body.

Broken, Abandoned, and Forgotten Code, Part 3

Thu, 07 May 2015 08:00:00 -0700

In the previous posts, I talked about the hidden “SetFirmware” SOAP action in the Netgear R6200’s UPnP daemon, and the weird timing games we have play to deal with UPnP daemon’s broken networking code. I also discussed the haphazard parsing of the HTTP headers across multiple functions. I made a guess at what headers might get our SetFirmware SOAP request passed to the sa_parseRcvCmd() function where hopefully an encapsulated firmware image will be decoded.

Broken, Abandoned, and Forgotten Code, Part 2

Thu, 30 Apr 2015 07:59:00 -0700

In the part 1, I showed how the Netgear R6200’s upnpd binary contains what appears to be a hidden SOAP action related to the string “SetFirmware”. I also showed how we can get into the upnp_receive_firmware_packets() function if we play timing games and send our request in multiple parts.

In this part I’ll describe additional timing considerations needed to avoid hanging the server. I’ll also discuss sloppy parsing of the SOAP request, and I’ll make some guesses as to how that request should be formed.

Broken, Abandoned, and Forgotten Code, Part 1

Thu, 23 Apr 2015 12:00:00 -0700

Introduction

This series of posts describes how abandoned, partially implemented functionality can be exploited to gain complete, persistent control of Netgear wireless routers. I’ll describe a hidden SOAP method in the UPnP stack that, at first glance, appeared to allow unauthenticated remote firmware upload to the router. After some reverse engineering, it became apparent this functionality was never fully implemented, and could never work properly given a well formed SOAP request and firmware image. If it could work at all, it would be with only the most contrived of inputs.

Broken, Abandoned, and Forgotten Code: Prologue

Wed, 22 Apr 2015 17:11:00 -0700

A Secret Passage to Persistant SOHO Router Pwnage

Almost two years ago plus a house selling, a cross-country move, a house buying, a job change, and a wedding, I downloaded and unpacked the firmware for Netgear’s then-new R6200 wireless router. This was one of Netgear’s first entries into the nascent 802.11ac market. At around US$200 at the time, this device was at the high end of the Netgear lineup. Finding some cool vulnerabilities in some of the newest, swankiest, consumer WiFi gear would make for a neat paper, or at least a good blog post or two.

Bowcaster Feature: multipart/form-data

Fri, 20 Feb 2015 11:29:00 -0800

Need to reverse engineer or exploit a file upload vulnerability in an embedded web server? I added a multipart/form-data class to Bowcaster to help with that. You can have a look here:
https://github.com/zcutlip/bowcaster/blob/master/src/bowcaster/clients/http.py

Here’s some background:
I’ve been reverse engineering how the Netgear R6200 web server parses a new firmware image when you use the firmware update facility in the web interface. Manually browsing to the router’s web interface, then to the firmware update form, then browsing to a firmware file on disk, then clicking “upload” gets really tedious after a few times.

Patching, Emulating, and Debugging a Netgear Embedded Web Server

Sat, 31 Jan 2015 00:43:00 -0800

Previously I posted about running and remotely debugging a Netgear UPnP daemon using QEMU and IDA Pro. This time we’ll take on the challenge of running the built-in web server from the Netgear R6200 in emulation.

The httpd daemon is responsible for so much more than the web interface. This daemon is responsible for a silly amount of system management, including configuring firewall rules, managing the samba and ftp file servers, managing attached USB storage, and many other things. And it does all of this management as part of its initialization, which means lots of opportunities to fail or crash when running in emulation as a standalone service.

Remote Debugging with QEMU and IDA Pro

Sat, 03 Jan 2015 12:05:00 -0800

It’s often the case, when analyzing an embedded device’s firmware, that static analysis isn’t enough. You need to actually execute a binary you’re analyzing in order to see how it behaves. In the world of embedded Linux devices, it’s often fairly easy to put a debugger on the target hardware for debugging. However it’s a lot more convenient if you can run the binary right on your own system and not have to drag hardware around to do your analysis. Enter emulation with QEMU.

Exploit Tunneling and Callback

Tue, 23 Sep 2014 17:32:00 -0700

A few years ago, when I worked for my previous employer, I put together a proof-of-concept that was to be part of a client demo. I thought it was kind of cool, so I recorded a screencast of it in action. I’ve had the video sitting on my laptop ever since, not really sure what to do with it. I finally decided to post it.

In the video, what you see is a custom exploit script that exploits a buffer overflow in the web interfaces of several D-Link webcams. The neat part is that it tunnels the exploit and callback through each successive webcam. It works basically like this:

Infiltrate 2014

Fri, 16 May 2014 14:06:00 -0700

Here are some additional resources I may have mentioned in my Infiltrate 2014 presentation.

White Paper: SQL Injection to MIPS Overflows - Part Deux
Slides: SQL Injection to MIPS Overflows - Part Deux

Original white paper from Black Hat USA 2012:
SQL Injections to MIPS Overflows: Rooting SOHO Routers

Proof of Concept Exploit code:
Here’s my Github repository for proof-of-concept exploit code. In it, you’ll find the exploit code for the Netgear WNDR 3700v3 that I demoed at Infiltrate, among a few others. The white paper is in there as well.
https://github.com/zcutlip/exploit-poc

Emulating and Debugging Workspace

Mon, 30 Dec 2013 12:17:00 -0800

A grad student emailed me in response to my Netgear auth bypass post. He’s working on a research project and wanted to know if I knew of any resources or techniques to use emulation for executing and debugging the net-cgi binary in the Netgear firmware. It turns out I’ve got all the resources to do just that. I replied with a description of my workspace and some links to resources I use, and, in many cases, have developed. I thought this might make an interesting blog post, but I don’t really have time to write it up all blog-post-like. Instead I’ll just paste in my email. Maybe it’ll be useful to other people as well.

BayThreat 2013 Presentation - Additional Resources

Sat, 07 Dec 2013 11:30:00 -0800

For my presentation at BayThreat, entitled “BT Wireless Routers: Adventures in Reversing and Exploiting”, rather than have one or two or three slides packed with hard to read URLs, I included a single slide with a link to this post. Here you’ll find links to additional resources that I may have referenced in my talk.

White paper: Reverse Engineering and Exploiting the BT HomeHub 3.0b (pdf)
Slides: BT Wireless Routers: Adventures in Reversing and Exploiting

Netgear Root Compromise via Command Injection

Thu, 24 Oct 2013 14:34:00 -0700

At the end of my post on the Netgear wndr3700v4’s authentication bugs, I said to expect followup posts. Once the web interface is unlocked, any further bugs that normally require authentication become fair game. Well good news, everyone!!

Previously, I talked about the net-cgi executable in the wndr3700’s firmware. ;net-cgi is a multi-call binary, a little like busybox. As such it has a lot of functionality baked in. One of its more interesting functions is called cmd_ping6(). Here’s what it looks like:

Complete, Persistent Compromise of Netgear Wireless Routers

Tue, 22 Oct 2013 06:27:00 -0700

UPDATE: Turns out, Jacob Holocomb (@rootHak42 on Twitter) of Independent Security Evaluators found this bug back in April on a different device, the WNDR4700. Thanks for letting me know, Jacob. Nice find. Here’s a link to that report.

UPDATE 2: Because there are almost certainly fools who would go hack somebody’s router and say I told them to do it, I added a warning to not do this. DON’T DO IT.

A Connect-back HTTP Exploit Server for Bowcaster

Wed, 09 Oct 2013 09:25:00 -0700

I’ve just added a module to Bowcaster that I think is cool. Actually, I just got around to finishing a module that was there all along. It’s a basic HTTP server module, but it has some unique features that make it suitable for serving payloads to remotely exploited targets.

The connect-back server modules in Bowcaster are designed to run asynchronously so that they can be used right in line with your exploit code. Basically the model is this:

44CON Presentation - Additional Resources

Thu, 12 Sep 2013 05:59:00 -0700

Update December 2014: 44CON has posted the videos from all 2013 talks online. Unfortunately, they don’t allow the videos to be embedded, so here’s a link.

For my presentation at 44CON, entitled “Reversing and Exploiting BT CPE Devices”, rather than have one or two or three slides packed with hard to read URLs, I included a single slide with a link to this post. Here you’ll find links to additional resources that I may have referenced in my talk.

Insulting Recruiter Emails

Mon, 09 Sep 2013 08:51:00 -0700

Note: I have a great job at a company called Tactical Network Solutions, based in Columbia, MD. I’m not looking for a new job. That’s not why I’m writing this post. I have way too much fun working with crazy smart people right where I am.

I get a lot of recruiter email. Some are very thoughtful and are for companies that would be very cool to work for. I love those, and I want to high five those people for being such class acts. I try to always send them a thoughtful response thanking them for thinking of me, but letting them know I’m fine where I am.

Running Debian MIPS Linux in QEMU

Fri, 31 May 2013 13:35:00 -0700

Sometimes I need a MIPS Linux system that I can use for development and testing. Maybe I need to test some shellcode or debug a binary I’m analyzing. What I wish existed was a Raspberry Pi-like MIPS device. I’d love to have a bunch of small, sub-$50 devices that I could network together as a sort of desktop exploit lab. Unfortunately I don’t know of such a device. There is MIPS hardware you can get and install Linux on. I have a Cobalt RAQ, and a lot of people like to get a hackable WiFi router and image it with OpenWRT. But there’s nothing as small, cheap and convenient as the RPi that is MIPS.

Is your Mac's File System Protected?

Fri, 03 May 2013 04:42:00 -0700

Nothing original here, but this is a great tip, so I want to share it. Thanks to @thegrugq for cluing me into this via Twitter.

For everyone running OS X 10.7 or 10.8 on their Macs (and really, EVERYONE should be on 10.8; the security benefits are non-trivial) and are using FileVault 2 to encrypt your filesystems (you are, right?) here’s a good tip I picked up the other day:

Bowcaster's EmptyOverflowBuffer class (Tutorial Part 5)

Thu, 25 Apr 2013 13:56:00 -0700

In previous parts of the Bowcaster tutorial, I showed how to construct your buffer overflow using the OverflowBuffer class. I also mentioned there is another class, EmptyOverflowBuffer, that I would explain later. That class is going to be the topic of this post.

When I started development of Bowcaster, I created it for myself and for the way I develop exploits and think about buffer overflows. The OverflowBuffer class works the way I think. But when I talked to my colleague, Craig Heffner, about the project, Craig preferred a different API, I realized that we each think about the same problem in different ways.

Buffer Overflows with Bowcaster Part 4

Mon, 08 Apr 2013 09:08:00 -0700

In part 1 of the Bowcaster tutorial I showed how to generate an overflow string with the OverflowBuffer class. In part 2, I showed how to populate your your overflow string with ROP gadgets. In part 3, I showed how to add Bowcaster’s connect-back payload for MIPS Linux to your overflow string. I also showed how to encode your payload using Bowcaster’s MIPS Linux-specific XOR encoder in order to sanitize restricted bytes.

Part 3 ended by using a netcat listener to serve a connect-back root shell. In this part I’ll show how to use one of Bowcaster’s server modules to replace netcat.

Crossbow is now Bowcaster

Mon, 08 Apr 2013 05:57:00 -0700

Crossbow has been renamed to Bowcaster. It turns out “Crossbow” is a popular word. Who knew? A company in California has the word registered as a trademark in the US in connection with computer software. They might be cool with us using the word, since this is an open-source, noncommercial product, but we’ve decided to change the name just in case. Hopefully the new name is esoteric enough to avoid any naming conflicts, while still being cool and fun to say. I left the original post as-is, save for an update note and a new Github link. The old Github project will stay up for a while, but you should use the new one from this point on.

Buffer Overflows with Bowcaster Part 3

Fri, 29 Mar 2013 09:21:00 -0700

This is the third part in a multi part tutorial on using the Bowcaster exploit development framework to build a buffer overflow exploit. Here are part 1 and part 2.

In the last part, we had built an exploit buffer and added a ROP chain that would flush the MIPS CPU cache, locate the stack (which is randomized), and return into it. Now it’s time to add a payload.

Bowcaster provides a few MIPS Linux payloads, and the one we’ll use for this buffer overflow is the connect-back payload, which will yield an interactive shell.

Buffer Overflows with Bowcaster Part 2

Thu, 28 Mar 2013 13:54:00 -0700

This is the second in a multi-part tutorial on developing a buffer overflow exploit using Bowcaster. Here’s Part 1.

In part 1, we had gotten a crash by sending a 2048-byte pattern to the vulnerable program.

The saved return address had been overwritten with 0x41367241 and restored to the $ra register. That value is located at an offset of 528 in our overflow buffer. Now we need to start describing ROP gadgets and substituting them for parts of the 2048-byte overflow string.

Buffer Overflows with Bowcaster Part 1

Thu, 28 Mar 2013 11:01:00 -0700

This is the first in a multi-part tutorial on developing a buffer overflow exploit using Crossbow (now called Bowcaster), which I released earlier today.

For this tutorial I’ve written a simple program in C that overflows a buffer on the stack with whatever it reads from the network. I cross-compiled it for MIPS Linux and ran it using QEMU chrooted into the unpacked filesystem of the Netgear WNDR3700v3 (Firmware 1.0.0.18).

The program, vulnerable.c contains the following function:

Crossbow

Thu, 28 Mar 2013 10:32:00 -0700

UPDATE: Crossbow has been renamed to Bowcaster. It turns out “Crossbow” is a popular word. Who knew? A company in California has the word registered as a trademark in the US in connection with computer software. They might be cool with us using the word, since this is an open-source noncommercial product, but we’ve decided to change the name just in case. Hopefully the new name is esoteric enough to avoid any naming conflicts, while still being cool and fun to say. I’m leaving this post as-is, save for the new Github link. The old Github project will stay up for a while, but you should use the new one from this point on.

Hacking is Bullshit

Sun, 10 Feb 2013 15:35:00 -0800

I love hacking. I love vulnerability research. I love software exploitation. I love finding creative ways to subvert control of an application or system to make it do something it wasn’t intended to do.

But this is research, and like any research, lots of things never pan out. It’s weird because it involves hours, often hundreds or even thousands of hours, of frustration paid off by successes that last only moments. And the cycle repeats.

DLink DIR-815 UPnP Command Injection

Fri, 01 Feb 2013 15:07:00 -0800

With all the excitement regarding UPnP vulnerabilities lately, I though I’d write up this one I found a few weeks back. I had kind of forgotten about it. But it’s pretty straight forward, and kind of fun, so here it is.

In Tactical Network Solutions’ Intro to Embedded Device Exploitation class, we use the D-Link DIR-815 for the practical exercises since there are tons of great 0-days for the students to find. The last time we taught the class, I thought I’d try my hand at finding a new one. Twenty minutes in, voila! Command injection in a single multicast packet!

UPDATED: Responsible (non)Disclosure

Thu, 29 Nov 2012 09:30:00 -0800

Update: I received a personal communication from Mr. Flemming. He makes the case that what I believed to be a subtextual threat was not intended. Not necessarily speaking for TNS, I am inclined to take him at his word and that my initial read of the situation may have been unduly skeptical. I hope to post additional updates as things develop. I’m leaving the original text of this post intact, though, as it provides meaningful context for the situation that is unfolding.
**
Original Post:**
So here’s something awesome. And by “awesome” I mean “kinda shitty.”

Specifying Preferred Load Addresses for ELF Shared Libraries

Tue, 23 Oct 2012 18:44:00 -0700

[NOTE: This was going to be a post about how to relocate a shared library that is loaded using LD_PRELOAD such that a program’s linked libraries get loaded at their normal addresses. Sadly, the trick I thought would do that didn’t actually work for me. The library got relocated, but the other libraries weren’t restored to their natural base addresses. That said, it still is interesting and worth writing up.]

Parsing Email and Fixing Timestamps in Python

Tue, 12 Jun 2012 09:06:00 -0700

I decided to POP out all my Yahoo mail into my Google Apps account so I could stop paying for Yahoo’s “premium” service (WTF, it’s 2012, and POP is a paid feature–and there’s no IMAP?). I have fetchmail then download all of my messages which get post-processed by procmail and re-served by dovecot. Since a bunch of really old messages were just downloaded by fetchmail, they appeared to be “new” from dovecot’s perspective. This is because the name of the message files stored in the Maildir format used by dovecot starts with a number representing when the messages were downloaded. So years-old messages that were just downloaded will have a very recent timestamp encoded in their filenames.

Long-form Reading 2011

Fri, 16 Dec 2011 08:01:00 -0800

Here are some long-form articles I’ve enjoyed this year.

The Hazards of Nerd Supremacy: The Case of Wikileaks (theatlantic.com)

The Octopus Conspiracy: One Woman’s Search for Her Father’s Killer (wired.com)

Confessions of a Prep School College Counselor (theatlantic.com)

The Great Rubber Robbery: How Julius Fromm’s Condom Empire Fell to the Nazis (berlinbooks.org)

Bursting the Bubble (about David Vetter, the “Bubble Boy”, houstonpress.com)

The Stutterer: How He Makes His Voice Heard (slate.com)

Reading List 2011

Tue, 13 Dec 2011 12:15:00 -0800

I was using up all of my accumulated credits on Audible.com just now, and realized I’ve listened to several great audiobooks over the last year. Here’s a list of what I’ve listened to in 2011, along with a link to the book on Audible.com. I recommend them all.

Judas Unchained, Peter F. Hamilton, Part 2 of the Commonwealth Saga (link)
The Gun, C. J. Chivers (link)
The Windup Girl, Paolo Bacigalupi (link)
Snow Crash, Neal Stephenson (link)
Embassytown, China Mieville (link)
Pattern Recognition, William Gibson (link)
Spook Country, William Gibson (link)
Zero History, William Gibson (link)

Handling HTTP Redirection in Ruby

Sun, 15 Mar 2009 09:18:00 -0700

I have a Ruby project where I’m dumping a bunch of bookmarks from delicious.com, then fetching each bookmarked page for analysis.

One of the problems I encountered early on is that the some of the web pages bookmarked would redirect to some other location. Simply checking for HTTP response code 200 was insufficient. I needed to check for redirection as well.

A quick Google search for “ruby follow http redirect” yields lots of results. Unfortunately, they’re all very similar, and not quite right. In general, the examples you come across (even the one in the official Ruby documentation) don’t handle the case when the redirected location is path relative to the original location. So you end up doing a get on a URL that looks like “../../redirected/location/index.html,” which clearly won’t work.

Mounting LVM Disks in Ubuntu

Thu, 12 Mar 2009 06:30:00 -0700

I always thought LVM (Linux’s Logical Volume Manager) was kind of neat for the flexibility it gives you in adding and removing disks and resizing volumes such. However, in practice, I find it’s usually more trouble than it’s worth. It adds a layer of complexity between me and my data.

Often I need to mount a disk configured with LVM on another Linux machine or in an Ubuntu live CD environment. Out of the box the logical volumes aren’t recognized, so I can’t mount them.

How to sudoedit non-interactively

Thu, 08 Jan 2009 06:31:00 -0800

Okay, this one’s a bit esoteric, but I think it’s pretty cool. How do you use ‘sudoedit’ non-interactively such as from a script? Just a brief background about sudo: sudo is an authentication mechanism in Unix & Linux that allows unprivileged users to run specific commands (as defined by the system administrator) with root privileges without having the root password. This has several advantages over logging in as root:

Users can have specific, limited set of root privileges without having the entire set of root privileges.
Users use their own password, so the root password doesn’t have to be shared. If a user’s sudo privileges are revoked, the root password doesn’t have to be reset.
Each use of sudo is audited per user, so that each time sudo privileges are invoked, there is an event in the system logs that identifies the specific user and the command they ran.

Sudoedit is a command that is related to sudo. It lets users edit files that normally only root can edit, such as system configuration files. However instead of using “sudo” followed by the editing command, the user runs “sudoedit filename” and sudo invokes the user’s default editor, letting them edit the file.

The Shadow File

Wed, 15 Dec 2004 19:20:00 -0800

This is the first post to The Shadow File. I suppose a brief explanation is in order. What is The Shadow File? In Unix and Linux, an algorithm is used to create a one-way hash of a user’s password. This hash, along with the username and other information used to be stored in /etc/passwd. In many modern *nix systems, the password hash has been removed from the passwd file and is now stored in a separate file, because the passwd file is world-readable. This way, an attacker would have to obtain both files in order to attempt to recreate the password. The file that contains the password hashes is /etc/shadow. Now you know.