about me


I was born in 1983. I grew up in Lublin, Poland, but now I live in Warsaw. Since 1999 I have been a "white hat" hacker providing part-time security consulting services. You can contact me if you need a pentest or security audit. Currently, I also work for the Atende Software company as Director of the Multimedia & Security Division. I'm co-owner of Nette, an ISP based in Lublin, Poland. You can find my professional resume on linkedin.com. Since 2003 I have been a licensed ham radio operator (callsign SQ5JIV), which is my primary hobby.

my security semi-blog

August 17, 2010

I had some spare time last weekend, so I was able to explore the FreeBSD kernel for more vulnerabilities. I spotted a neat crash, reported in PR kern/137310, which looked promising for further exploration. Unfortunately, it was fixed just before the release of 7.3.

The bug is a classical example of a null pointer dereference in the pseudofs code, which is shared by procfs and linprocfs. By controlling the write at the null address, we are able to put an arbitrary value at an arbitrary kernel memory address.

I'm going to disclose further details in a few weeks, after notifying the FreeBSD secteam.

November 23, 2009

You can download here my presentation from CONFidence 2009 regarding recent FreeBSD vulnerabilities.

October 14, 2009

A very detailed analysis of my devfs/VFS exploit was published by xorl on his blog. If you don't understand how it works, you are encouraged to read it.

October 05, 2009

Official FreeBSD security advisories regarding the pipe and devfs race conditions were issued last Thursday. All systems running FreeBSD 6.x or 7.x that have untrusted local users should be upgraded immediately. I'm going to release the exploit code this week.

The above vulnerabilities and exploits will be explained in my talk at CONFidence 2009, taking place on 19-20 November 2009 in Warsaw.

September 16, 2009

In recent days, a lot of FUD has been spreading regarding the recently found FreeBSD vulnerabilities. I would like to clarify some facts. First of all, there are three different race conditions affecting the kernel. They are located in different kernel subsystems, but all of them are somehow related to the kqueue(2) mechanism. The first one affects FreeBSD 6.1 and was already published. There was no official advisory, as 6.1 is EoL at this time. Another one affects 6.x up to 6.4, and an official advisory with a patch will be published this week. The last one was found on Sunday; it was reported immediately to the FreeBSD security team, but no detailed analysis has been made. It affects FreeBSD 7.x up to 7.2, as well as 6.x up to 6.4. There are no workarounds for any of these bugs.

I have written exploit code for all of the above, but it is private, and I won't give it to the blackhat community. Exploits will be published at least a week after the official security advisory.

The last thing to mention: I received a lot of criticism after the article in The Register. Please read some facts. I sent a few mails: on 29th Aug to the security team, and on 2nd Sep and 11th Sep directly to the security officer. None of them were answered until 14th September, when the article was out. I haven't published anything more than a video, as anything more would have made it easier to develop an independently working exploit. I believe that this is the only responsible way to handle such a security threat. Thanks to The Reg article, system administrators are now aware of the threat and can take some countermeasures, like disabling untrusted user accounts, before the official patch is available.

security research

2010
  - pseudofs local root vulnerability in freebsd 7.0 - 7.2 (exploit)

2009
  - devfs/kqueue local root vulnerability in freebsd <= 7.2 kernel (advisory)
  - pipe/kqueue local root vulnerability in freebsd <= 6.4 kernel (advisory)
  - fdesc/kqueue local root vulnerability in freebsd 6.0 - 6.1 kernel
  - exploit for proto_ops vulnerability in linux <= 2.6.30.4

2007
  - cooperation in development of x86_64 ia32syscall exploit for linux
  - cooperation in development of dccp exploit for linux

2005
  - local root in ld.so on Solaris 8/9/10
  - vulnerabilities in traceroute on Solaris 10
  - missing NULL termination in rlogin on FreeBSD
  - research on undisclosed bugs in Nokia phones

2004
  - local off-by-one in mtr versions 0.55 to 0.65
  - remote information leak in Zyxel Prestige 681
  - multiple remote vulnerabilities in lukemftpd aka tnftpd, which is default on NetBSD and MacOS X

2003
  - remote DoS in tcpdump
  - research on remote root bug in wuftpd 2.6.2

2002
  - research on local root bug in sudo 1.6.5
  - trivial bug in mail on OpenBSD 3.0 gives local root in some circumstances
  - raw socket leak in mtr 0.45

2001
  - research on GnuPG having sgid root bit set on Mandrake
  - remote DoS in Zyxel Prestige 681 SDSL router
  - research on exploiting double free() bug in wuftpd 2.6.1
  - remote DoS in Mercury
  - local uid=uucp shell in hylafax
  - local root in FreeBSD 4.4 libutil
  - local root in FreeBSD 4.3 kernel (found by me and independently by Georgi Guninski, proof)
  - remote root in ftpd + libc from FreeBSD 4.2
  - remote root in ntpd 4.0.99k
  - remote root in QNX ftpd
  - remote root in mars_nwe 0.99.pl19
  - nonexploitable format string bugs in proftpd 1.2.0rc2
  - nonexploitable format string bugs in wuftpd 2.6.1

2000
  - local gid=kmem shell on FreeBSD 4
  - potential remote root bug in HPUX ftpd 1.7.212.2
  - remote root in wuftpd 2.6.0
  - local root in libterminfo and mtr 0.41 on FreeBSD 3.4
  - local uid=man shell in RH Linux 6.1

1999
  - local root in cfingerd 1.4.2
  - remote root in mars_nwe 0.99pl15
  - remote root in proftpd 1.2.0pre3
  - bug in FreeBSD 2.2.8 kernel and libc giving local root in some circumstances
  - remote DoS in Netware HTTP Server