Memory corruption in FreeBSD’s ring-buffer (kernel)

Memory ordering has been the latest topic under discussion in the Open Source Study Group. We walked through several concepts such as atomic memory access, volatile declarations, compiler and CPU reordering under different semantics (including the acquire-release model), fences, compare-and-set (CAS) loops, ABA problems, lock-free algorithms and more. A few lock-free ring-buffer implementations were analyzed, including loki, dpdk and FreeBSD’s buf_ring (kernel).

We found a memory corruption bug in FreeBSD’s ring-buffer. Under specific thread scheduling conditions, and assuming a multiple-producers scenario, it could be possible to overwrite unread entries. However, we did not attempt full exploitation, and our PoC (proof-of-concept) makes a few assumptions that may not accurately represent reality. As a result, it may well be the case that the bug is there but triggering it is not feasible under the constraints currently imposed by the context.


cipherchat: Ekoparty’s 2019 CTF write-up

Last week I joined a group of colleagues from Core Security to participate in Ekoparty’s 2019 official CTF, organized by null life. I picked up one of the crypto challenges: cipherchat. This write-up describes the process I followed to solve it.

The starting point was a PCAP capture and a hint stating that there was encrypted traffic inside. First off, I opened the capture in Wireshark and verified that there was a perfectly well-formed TCP stream between two parties. The data carried by these TCP packets contained no ASCII characters. I was not sure, at that point, whether every single byte was encrypted or whether there was a mix of a binary protocol and encrypted bytes.


Reverse Engineering open course v1.0

I’m pleased to announce the release of the Reverse Engineering open course. It has taken more than one year but it’s finally here!

This course is a journey into reversing executable binaries from three different angles: 1) malware analysis, 2) bug hunting and 3) exploit writing. Windows and Linux operating systems, on both x86 and x86_64 architectures, are in scope. It is not a purely tools-oriented approach but a mix with fundamental concepts, aiming to explain how things work underneath.

All of the content is licensed under Creative Commons Attribution-ShareAlike 4.0 International, and contributions are very much welcome. Published material includes slides and labs for 11 classes (with demos and hands-on exercises). Slides are available in both English and Spanish. The course Linux VM has not been published due to its size; I can help you replicate the environment if needed.


Pcapy: pcap library wrapper for Python

Pcapy is a lightweight pcap library wrapper for Python. It allows you to read and handle low-level network packets from Python, both on Windows and UNIX-like platforms (Linux, macOS). Live captures and PCAP files are supported. BPF filters can be applied to get the traffic of interest only.

It works as a native module that can be plugged into the CPython virtual machine. The code is written in C and links against the Python SDK. On Windows platforms, WinPcap is required.

It has been released under a variation of the Apache Software License, and it’s currently maintained by Core Security. You can get more information and the source code here: https://github.com/helpsystems/pcapy