SlideShare une entreprise Scribd logo

Shooting clay pidgins

Télécharger en tant que PPTX, PDF
volvent
volvent

Slides that were presented at SecTalks in Perth that runs through a light code review of libpurple, shows a few example findings, including CVE-2013-6485 and a few others. These bugs were fixed in Pidgin 2.10.8 on Jan 28th 2014.

Technologie
1  sur  36
shooting clay pidgins a preliminary look at libpurple
introduction • Libpurple is used by Pidgin & Adium • Pidgin was originally gaim, dating back to 1998 • People everywhere use this software • Gets increased popularity due to OTR support • And yet many say it’s horribly insecure?  • But most don’t back it up with any evidence
process So, in short sporadic 30~min blocks in 2013… ...when bored on planes, etc. .. spent bits of time reading over some code… … and then try to find time to type up bugs
the goal • Focus on seeing code quality rather than finding exploitable bugs • Try to suss out the general security maturity of the project • See the developer responses/culture for security-related bugs Greppable bugs Top-down bugs Where is it at? Bottom-up bugs
historical vulnerabilities • • • • Over 50 CVE’s since Oct 2005 Mostly crashes/overflows File* issues (arb. fr/fw) SSL/TLS issues (MITM, etc.)
architecture & code • Not much documentation • Appears to be huge attack surface • Many protocol parsers • Dispersed dev. responsibilities • Core code is large (logging, etc.) • Mostly all written in C (Glib)
devs and components
devs and components
devs and components Sometimes many devs touching 1 component Sometimes only 1 touching specific plugins
initial code sweep • Skim calls to purple_debug_{error|info|warn} • Search for *alloc’s and backtrace • Search for *printf’s and backtrace
a sample of findings shooting clay pidgins
3 examples to show… 1. An overflow when parsing chunked HTTP responses 2. An example of just silly sloppy code 3. An example of poor/dangerous design (and sloppy code)
1. process chunked data vulnerability (util.c) G_GSIZE_MODIFIER is unsigned
1. process chunked data vulnerability (util.c) SPOT THE BUG?
1. process chunked data vulnerability (util.c) Bug #1: sz we control off the wire, int overflow here
1. process chunked data vulnerability (util.c) Bug #2 Just a debug macro and they forgot the break; so this check was pointless anyway.
1. process chunked data vulnerability (util.c) Bug #2 Just a debug macro and they forgot the break; so this check was pointless anyway.
1. process chunked data vulnerability (util.c) Overflow here and also a potential out-of-bounds read.
problem triaging Found it hard to triage/trace bugs without stumbling on more things…
2. sloppiness: msn_message_gen_payload A funny example of sloppiness, probably not triggerable remotely.
2. sloppiness: msn_message_gen_payload Bug: Always increments n by 2 as g_strlcpy returns the size of the src
2. sloppiness: msn_message_gen_payload Nevermind though, we’ll just copy the message data ontop of it all anyway
3. poor design: http content-length Different protocol parsers implementing their own Content-Length parsing – many in sloppy ways
3. poor design: http content-length Different protocol parsers implementing their own Content-Length parsing – many in sloppy ways
3. poor design: http content-length Different protocol parsers implementing their own Content-Length parsing – many in sloppy ways %d’s atoi(), etc. for parsing Content-Length is reminiscent of 10+ year old httpd bugs
3. poor design: http content-length broken way to parse content-length #1
3. poor design: http content-length broken way to parse content-length #2
general badness • Many protocol plugins appear to implement their own parsers • HTML/XML/HTTP - e.g. Content-Length • Signed integers for offsets/lengths/indexes is very common • The heavy use of HTML and HTTP parsing also introduces some interesting web-related attack vectors (XSS in HTML logging, etc.)
responses • 100% response rate, fairly understanding, quite good to deal with • Took sometime for a patch to hit the public, e.g. CVE-2013-6485: 8/8/2013 • Initial bug report 18/8/2013 • Follow-up email 20/8/2013 • Acknowledgement 21/8/2013 • Patch ready 28/01/2014 • Fix public • A slight concern about volume of fixes in each release
results summary Spent no more than 1-2 days total reading through code… Greppable bugs Top-down bugs I didn’t get past here… Bottom-up bugs
latest news • 2.10.8 was released on 28th Jan 2014 addressing 18 CVE’s • The http/chunked bug was assigned CVE-2013-6485 • A number of CVE’s in 2.10.8 (reported by Sourcefire VRT) related to Content-Length parsing, e.g: CVE-2013-6490 and CVE-2013-6487 • A lot of other patches that didn’t receive CVE’s (sloppy code) • A lot of areas that could be looked at in more depth, e.g. • All FILE* related paths and operations (i.e. reliable/effective RCE) • More focus on the core, such as logging, etc.
2.x versus 3.x • So, the 2.x branch certainly has some old/sloppy code • It’s getting better each release, but there’s a lot more in there… • The 3.x branch appears to be the more strategic solution • • • • Cleaned up design with a tidier API (e.g. http parsing, etc.) A lot of dead/redundant code elimination and clean-ups Apparently it’s coming in the next 3-6 months Looks promising, but they need help to make it robust
conclusions • Tread carefully running the 2.x version • There’s undoubtedly a lot more dangerous bugs there • At least run on a modern platform in an isolated VM • Alternatively take a look at Jitsi • Keep an eye out for when the 3.x branch drops • And if you like auditing code, help out the team 
conclusions +1
conclusions +1
questions? @volvent

Recommandé

Python for pentesters
Python for pentestersPython for pentesters
Python for pentestersRashid feroz
 
DevSecOps and Drupal: Securing your applications in a modern IT landscape
DevSecOps and Drupal: Securing your applications in a modern IT landscapeDevSecOps and Drupal: Securing your applications in a modern IT landscape
DevSecOps and Drupal: Securing your applications in a modern IT landscapeWill Hall
 
eLabFTW review
eLabFTW revieweLabFTW review
eLabFTW reviewNicolasCARPi
 
Analyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAnalyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAhmed Zerouali
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp
 
Foros vs
Foros vsForos vs
Foros vsnayeli8a
 
Bookreport
BookreportBookreport
Bookreportnayeli8a
 
Tiend afinal
Tiend afinalTiend afinal
Tiend afinalnayeli8a
 

Recommandé

Python for pentesters
Python for pentestersPython for pentesters
Python for pentestersRashid feroz
 
DevSecOps and Drupal: Securing your applications in a modern IT landscape
DevSecOps and Drupal: Securing your applications in a modern IT landscapeDevSecOps and Drupal: Securing your applications in a modern IT landscape
DevSecOps and Drupal: Securing your applications in a modern IT landscapeWill Hall
 
eLabFTW review
eLabFTW revieweLabFTW review
eLabFTW reviewNicolasCARPi
 
Analyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAnalyzing Packages in Docker images hosted On DockerHub
Analyzing Packages in Docker images hosted On DockerHubAhmed Zerouali
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp
 
Foros vs
Foros vsForos vs
Foros vsnayeli8a
 
Bookreport
BookreportBookreport
Bookreportnayeli8a
 
Tiend afinal
Tiend afinalTiend afinal
Tiend afinalnayeli8a
 
Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
KubeCon EU 2016: Kubernetes meets Finagle for Resilient Microservices
KubeCon EU 2016: Kubernetes meets Finagle for Resilient MicroservicesKubeCon EU 2016: Kubernetes meets Finagle for Resilient Microservices
KubeCon EU 2016: Kubernetes meets Finagle for Resilient MicroservicesKubeAcademy
 
Is Python still production ready ? Ludovic Gasc
Is Python still production ready ? Ludovic GascIs Python still production ready ? Ludovic Gasc
Is Python still production ready ? Ludovic GascPôle Systematic Paris-Region
 
The (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynoteThe (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynoteMarkDowd13
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 
It's a Jungle Out There – IoT and MRuby
It's a Jungle Out There – IoT and MRubyIt's a Jungle Out There – IoT and MRuby
It's a Jungle Out There – IoT and MRubymatustomlein
 
Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...Anne Nicolas
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Tor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksTor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksC4Media
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesAdaCore
 
Enhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code ForensicsEnhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code ForensicsTechWell
 
Guide to Destroying Codebases The Demise of Clever Code
Guide to Destroying Codebases The Demise of Clever CodeGuide to Destroying Codebases The Demise of Clever Code
Guide to Destroying Codebases The Demise of Clever CodeGabor Varadi
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldOllie Whitehouse
 
How to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringHow to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringAndrew Kirkpatrick
 
Scratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieScratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieESUG
 
From hello world to goodbye code
From hello world to goodbye codeFrom hello world to goodbye code
From hello world to goodbye codeKim Moir
 
Static Code Analysis and AutoLint
Static Code Analysis and AutoLintStatic Code Analysis and AutoLint
Static Code Analysis and AutoLintLeander Hasty
 
Go & multi platform GUI Trials and Errors
Go & multi platform GUI Trials and ErrorsGo & multi platform GUI Trials and Errors
Go & multi platform GUI Trials and ErrorsYoshiki Shibukawa
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CDDaniel Garcia (a.k.a cr0hn)
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Contenu connexe

Similaire à Shooting clay pidgins

Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming LanguageJaeju Kim
 
KubeCon EU 2016: Kubernetes meets Finagle for Resilient Microservices
KubeCon EU 2016: Kubernetes meets Finagle for Resilient MicroservicesKubeCon EU 2016: Kubernetes meets Finagle for Resilient Microservices
KubeCon EU 2016: Kubernetes meets Finagle for Resilient MicroservicesKubeAcademy
 
The (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynoteThe (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynoteMarkDowd13
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTWSO2
 
It's a Jungle Out There – IoT and MRuby
It's a Jungle Out There – IoT and MRubyIt's a Jungle Out There – IoT and MRuby
It's a Jungle Out There – IoT and MRubymatustomlein
 
Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...Anne Nicolas
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Tor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksTor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksC4Media
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesAdaCore
 
Enhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code ForensicsEnhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code ForensicsTechWell
 
Guide to Destroying Codebases The Demise of Clever Code
Guide to Destroying Codebases The Demise of Clever CodeGuide to Destroying Codebases The Demise of Clever Code
Guide to Destroying Codebases The Demise of Clever CodeGabor Varadi
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldOllie Whitehouse
 
How to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringHow to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringAndrew Kirkpatrick
 
Scratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieScratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieESUG
 
From hello world to goodbye code
From hello world to goodbye codeFrom hello world to goodbye code
From hello world to goodbye codeKim Moir
 
Static Code Analysis and AutoLint
Static Code Analysis and AutoLintStatic Code Analysis and AutoLint
Static Code Analysis and AutoLintLeander Hasty
 
Go & multi platform GUI Trials and Errors
Go & multi platform GUI Trials and ErrorsGo & multi platform GUI Trials and Errors
Go & multi platform GUI Trials and ErrorsYoshiki Shibukawa
 

Similaire à Shooting clay pidgins (20)

Rust Programming Language
Rust Programming LanguageRust Programming Language
Rust Programming Language
 
KubeCon EU 2016: Kubernetes meets Finagle for Resilient Microservices
KubeCon EU 2016: Kubernetes meets Finagle for Resilient MicroservicesKubeCon EU 2016: Kubernetes meets Finagle for Resilient Microservices
KubeCon EU 2016: Kubernetes meets Finagle for Resilient Microservices
 
Is Python still production ready ? Ludovic Gasc
Is Python still production ready ? Ludovic GascIs Python still production ready ? Ludovic Gasc
Is Python still production ready ? Ludovic Gasc
 
The (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynoteThe (Memory) Safety Dance - SAS 2017 keynote
The (Memory) Safety Dance - SAS 2017 keynote
 
Your Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoTYour Thing is Pwned - Security Challenges for the IoT
Your Thing is Pwned - Security Challenges for the IoT
 
It's a Jungle Out There – IoT and MRuby
It's a Jungle Out There – IoT and MRubyIt's a Jungle Out There – IoT and MRuby
It's a Jungle Out There – IoT and MRuby
 
Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...Kernel Recipes 2016 - Patches carved into stone tablets...
Kernel Recipes 2016 - Patches carved into stone tablets...
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
Tor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksTor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel Tricks
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languages
 
Enhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code ForensicsEnhancing Developer Productivity with Code Forensics
Enhancing Developer Productivity with Code Forensics
 
Guide to Destroying Codebases The Demise of Clever Code
Guide to Destroying Codebases The Demise of Clever CodeGuide to Destroying Codebases The Demise of Clever Code
Guide to Destroying Codebases The Demise of Clever Code
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real world
 
How to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringHow to get started with Site Reliability Engineering
How to get started with Site Reliability Engineering
 
Scratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieScratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry Pie
 
From hello world to goodbye code
From hello world to goodbye codeFrom hello world to goodbye code
From hello world to goodbye code
 
Static Code Analysis and AutoLint
Static Code Analysis and AutoLintStatic Code Analysis and AutoLint
Static Code Analysis and AutoLint
 
Go & multi platform GUI Trials and Errors
Go & multi platform GUI Trials and ErrorsGo & multi platform GUI Trials and Errors
Go & multi platform GUI Trials and Errors
 
12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD12 tricks to avoid hackers breaks your CI / CD
12 tricks to avoid hackers breaks your CI / CD
 

Dernier

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Dernier (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Shooting clay pidgins

  • 1. shooting clay pidgins a preliminary look at libpurple
  • 2. introduction • Libpurple is used by Pidgin & Adium • Pidgin was originally gaim, dating back to 1998 • People everywhere use this software • Gets increased popularity due to OTR support • And yet many say it’s horribly insecure?  • But most don’t back it up with any evidence
  • 3. process So, in short sporadic 30~min blocks in 2013… ...when bored on planes, etc. .. spent bits of time reading over some code… … and then try to find time to type up bugs
  • 4. the goal • Focus on seeing code quality rather than finding exploitable bugs • Try to suss out the general security maturity of the project • See the developer responses/culture for security-related bugs Greppable bugs Top-down bugs Where is it at? Bottom-up bugs
  • 5. historical vulnerabilities • • • • Over 50 CVE’s since Oct 2005 Mostly crashes/overflows File* issues (arb. fr/fw) SSL/TLS issues (MITM, etc.)
  • 6. architecture & code • Not much documentation • Appears to be huge attack surface • Many protocol parsers • Dispersed dev. responsibilities • Core code is large (logging, etc.) • Mostly all written in C (Glib)
  • 9. devs and components Sometimes many devs touching 1 component Sometimes only 1 touching specific plugins
  • 10. initial code sweep • Skim calls to purple_debug_{error|info|warn} • Search for *alloc’s and backtrace • Search for *printf’s and backtrace
  • 11. a sample of findings shooting clay pidgins
  • 12. 3 examples to show… 1. An overflow when parsing chunked HTTP responses 2. An example of just silly sloppy code 3. An example of poor/dangerous design (and sloppy code)
  • 13. 1. process chunked data vulnerability (util.c) G_GSIZE_MODIFIER is unsigned
  • 14. 1. process chunked data vulnerability (util.c) SPOT THE BUG?
  • 15. 1. process chunked data vulnerability (util.c) Bug #1: sz we control off the wire, int overflow here
  • 16. 1. process chunked data vulnerability (util.c) Bug #2 Just a debug macro and they forgot the break; so this check was pointless anyway.
  • 17. 1. process chunked data vulnerability (util.c) Bug #2 Just a debug macro and they forgot the break; so this check was pointless anyway.
  • 18. 1. process chunked data vulnerability (util.c) Overflow here and also a potential out-of-bounds read.
  • 19. problem triaging Found it hard to triage/trace bugs without stumbling on more things…
  • 20. 2. sloppiness: msn_message_gen_payload A funny example of sloppiness, probably not triggerable remotely.
  • 21. 2. sloppiness: msn_message_gen_payload Bug: Always increments n by 2 as g_strlcpy returns the size of the src
  • 22. 2. sloppiness: msn_message_gen_payload Nevermind though, we’ll just copy the message data ontop of it all anyway
  • 23. 3. poor design: http content-length Different protocol parsers implementing their own Content-Length parsing – many in sloppy ways
  • 24. 3. poor design: http content-length Different protocol parsers implementing their own Content-Length parsing – many in sloppy ways
  • 25. 3. poor design: http content-length Different protocol parsers implementing their own Content-Length parsing – many in sloppy ways %d’s atoi(), etc. for parsing Content-Length is reminiscent of 10+ year old httpd bugs
  • 26. 3. poor design: http content-length broken way to parse content-length #1
  • 27. 3. poor design: http content-length broken way to parse content-length #2
  • 28. general badness • Many protocol plugins appear to implement their own parsers • HTML/XML/HTTP - e.g. Content-Length • Signed integers for offsets/lengths/indexes is very common • The heavy use of HTML and HTTP parsing also introduces some interesting web-related attack vectors (XSS in HTML logging, etc.)
  • 29. responses • 100% response rate, fairly understanding, quite good to deal with • Took sometime for a patch to hit the public, e.g. CVE-2013-6485: 8/8/2013 • Initial bug report 18/8/2013 • Follow-up email 20/8/2013 • Acknowledgement 21/8/2013 • Patch ready 28/01/2014 • Fix public • A slight concern about volume of fixes in each release
  • 30. results summary Spent no more than 1-2 days total reading through code… Greppable bugs Top-down bugs I didn’t get past here… Bottom-up bugs
  • 31. latest news • 2.10.8 was released on 28th Jan 2014 addressing 18 CVE’s • The http/chunked bug was assigned CVE-2013-6485 • A number of CVE’s in 2.10.8 (reported by Sourcefire VRT) related to Content-Length parsing, e.g: CVE-2013-6490 and CVE-2013-6487 • A lot of other patches that didn’t receive CVE’s (sloppy code) • A lot of areas that could be looked at in more depth, e.g. • All FILE* related paths and operations (i.e. reliable/effective RCE) • More focus on the core, such as logging, etc.
  • 32. 2.x versus 3.x • So, the 2.x branch certainly has some old/sloppy code • It’s getting better each release, but there’s a lot more in there… • The 3.x branch appears to be the more strategic solution • • • • Cleaned up design with a tidier API (e.g. http parsing, etc.) A lot of dead/redundant code elimination and clean-ups Apparently it’s coming in the next 3-6 months Looks promising, but they need help to make it robust
  • 33. conclusions • Tread carefully running the 2.x version • There’s undoubtedly a lot more dangerous bugs there • At least run on a modern platform in an isolated VM • Alternatively take a look at Jitsi • Keep an eye out for when the 3.x branch drops • And if you like auditing code, help out the team 