Mudge is the new head of security at Twitter, which got me talking about cDc, hacking groups, cliques, and the distinctions between them. I mentioned 8lgm and TESO as examples of hacking groups best understood as hacking groups, unlike cDc.

Someone said: “never heard of them”.
This creates an opportunity for me to talk again about my favorite exploit of all time, unquestionably a part of the canon of our field.
The year is 1995 and BSD Unix runs the Internet. The most important hacking target is SunOS 4.1.3; every network you want to get on is running it somewhere, and often everywhere.

The most important SunOS security research group: 8lgm.
There is a pattern of vulnerabilities dominating SunOS and BSDI, the same way, say, SQLI or SSRF does today. It’s the IFS vulnerability.

The shell uses IFS to decide what character it should use to separate fields. Space? Comma? Colon?
Most SunOS vulnerabilities are SUID vulnerabilities. SUIDs are programs that are run by users but have root privileges. “passwd” is the obvious example; you need (limited) root access to edit your entry in the password file.

IFS is problematic for SUIDs.
The reason why is that 1990s C programs tend to be strung together out of other 1990s C programs. A program calls `system("/usr/bin/whatever")` to get some work done; system invokes the shell, the shell cares about IFS.
Set your IFS=/ and the shell is no longer executing “/usr/bin/whatever”, but instead “usr bin whatever”; you control “usr” (in tmp or whatever), that’s the ballgame. (It’s been a while, correct me on the details here).
So there’s a long string of IFS vulnerabilities in all sorts of programs and Sun gets around to fixing one of them, in `loadmodule` — in 1990s Unix, you had multi-user systems with an SUID `loadmodule` that ordinary users could run, because that’s how we rolled. But I digress.
8lgm publishes an IFS vulnerability in `loadmodule`.

Sun responds by knocking out IFS from the environment at the beginning of `loadmodule`.

8lgm responds by…
SETTING A SECOND IFS VARIABLE.

It apparently hadn’t occurred to anyone that you could do that, because putenv() and setenv() won’t let you; you have to manually edit the environment.

Loadmodule knocks out the first IFS, but getenv() still sees the second.
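As an added illustration (not code from the thread, from 8lgm, or from Sun), here is the mechanism in C: getenv() returns the first match, so a scrub that deletes only the first IFS= entry leaves the second one live, and the fix is to keep scrubbing until none remain (or, better, hand the child a freshly built environment). The envp[] array below is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Match "NAME=..." at the start of one environment entry. */
static int is_var(const char *entry, const char *name) {
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* What getenv() does against environ: return the FIRST match, ignore the rest. */
static const char *lookup(char **env, const char *name) {
    for (char **p = env; *p; p++)
        if (is_var(*p, name)) return *p + strlen(name) + 1;
    return NULL;
}

/* 1990s-style scrub: drop only the first matching entry and stop.
 * Returns 1 if an entry was removed, 0 if none was found. */
static int scrub_first(char **env, const char *name) {
    for (char **p = env; *p; p++) {
        if (is_var(*p, name)) {
            for (char **q = p; *q; q++) q[0] = q[1];  /* shift the tail down over it */
            return 1;
        }
    }
    return 0;
}

/* Correct scrub: keep going until no entry with that name is left.
 * Returns how many entries were removed. */
static int scrub_all(char **env, const char *name) {
    int removed = 0;
    while (scrub_first(env, name)) removed++;
    return removed;
}

/* Constructed envp[] with IFS present twice, which the array format allows
 * even though putenv()/setenv() would never produce it. Returns 1 if a
 * later getenv("IFS") would still see a value after the chosen scrub. */
static int ifs_survives(int scrub_every_copy) {
    char *env[] = { "PATH=/usr/bin", "IFS=/", "HOME=/tmp", "IFS=/", "TERM=vt100", NULL };
    if (scrub_every_copy) scrub_all(env, "IFS"); else scrub_first(env, "IFS");
    return lookup(env, "IFS") != NULL;
}

int main(void) {
    printf("first-copy scrub, IFS still visible: %d\n", ifs_survives(0)); /* 1 */
    printf("every-copy scrub, IFS still visible: %d\n", ifs_survives(1)); /* 0 */
    return 0;
}
```

The same first-match rule applies to any variable a privileged program tries to neutralise one entry at a time (PATH, LD_* and friends), which is why building a clean environment for execve() beats scrubbing the inherited one.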
I think that’s pretty much the point where I fell in love with this stupid field. I still remember where I was when I read that Bugtraq post (I would have been 18?).

8lgm should probably be better known to people for kicking off the stack overflow craze.
As my friend Ivan points out, 8lgm invented the modern security advisory (prior to them, details about vulns were traded on secret mailing lists, which lists were the reason 60% of hackers hacked anything). They were the pioneers of full disclosure security.
That is, until Sendmail 8.6.12, which they teased in an advisory but didn’t provide an exploit for.

Sendmail, you gotta understand, is _the most important_ software target on the 1995 Internet. Sendmail vulnerabilities are the Gold Krugerrand of the #hack market.
(everything on the 1995 Internet runs Sendmail; even if they’re not running SunOS, they’re still probably running Sendmail; a Sendmail zero-day is a skeleton key for the whole Internet).
Everyone had been getting by with the Sendmail 8.6.9 exploit, the last good Sendmail remote, but it was getting played out (and the bug was boring). 8lgm’s 8.6.12 was a huge deal.

The problem? It was a stack overflow, and they didn’t release an exploit.
Nobody knew how to exploit stack overflows! It’s crazy to think about that now, when we sort of expect high school kids to be able to pull them off (I guess that’s what we were back then too, but whatever).
I vividly remember being in a room with Mudge after… Pumpcon? While he and a bunch of other people worked out stack overflow exploits with GDB. A total frenzy to get this working, and entirely due to 8lgm’s 8.6.12 tease.
(Ultimately vicm and daveg won the race to publish, with the Linux splitvt exploit, which became the template for the next several years worth of carnage as a zillion overflows people had written off as not-exploitable suddenly became exploitable).
Anyhow, I’m a cDc skeptic, at least as hacking groups go, and I can make the case that there are hacking groups that do sort of merit the special name. But as people go? Mudge is a serious dude, old school, has always known his shit. Good get for Twitter I guess? Congrats to him.
You can follow @tqbf.