shooting clay pidgins
a preliminary look at libpurple
introduction
• Libpurple is used by Pidgin & Adium
• Pidgin was originally gaim, dating back to 1998

• People everywhere use this software
• Gets increased popularity due to OTR support
• And yet many say it’s horribly insecure? 
• But most don’t back it up with any evidence
process
So, in short, sporadic ~30 min blocks in 2013…
…when bored on planes, etc.

…spent bits of time reading over some code…

…and then tried to find time to type up bugs
the goal
• Focus on assessing code quality rather than finding exploitable bugs
• Try to suss out the general security maturity of the project
• See the developer responses/culture for security-related bugs

(diagram) Greppable bugs → Top-down bugs → Bottom-up bugs, asking “Where is it at?”
historical vulnerabilities
• Over 50 CVEs since Oct 2005
• Mostly crashes/overflows
• FILE* issues (arbitrary file read/write)
• SSL/TLS issues (MITM, etc.)
architecture & code
• Not much documentation
• Appears to be a huge attack surface
• Many protocol parsers
• Dispersed dev. responsibilities

• Core code is large (logging, etc.)
• Almost all written in C (GLib)
devs and components

Sometimes many devs touching 1 component
Sometimes only 1 touching specific plugins
initial code sweep
• Skim calls to purple_debug_{error|info|warn}

• Search for *alloc calls and backtrace the size arguments

• Search for *printf calls and backtrace the format/length arguments
a sample of findings
shooting clay pidgins
3 examples to show…
1. An overflow when parsing chunked HTTP responses
2. An example of just silly sloppy code
3. An example of poor/dangerous design (and sloppy code)
1. process chunked data vulnerability (util.c)

(annotated screenshots of the chunked-data code in util.c; only the callouts survive in the transcript)
• G_GSIZE_MODIFIER: sz is parsed into an unsigned gsize
• SPOT THE BUG?
• Bug #1: sz is controlled off the wire, so there is an int overflow here
• Bug #2: the check only fires a debug macro and they forgot the break; so this check was pointless anyway
• Overflow here, and also a potential out-of-bounds read
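As an added illustration of the pattern the callouts describe (this is constructed for the talk write-up, not libpurple's code): a bounds check that adds an attacker-supplied chunk size to the read cursor wraps for huge sizes and lets the copy through, while comparing the size against the bytes that remain does not. The decoder, the strict hex parser and the two sample bodies are all assumptions of this example; the unsafe check is computed on uintptr_t only so the wraparound is observable, since overflowing a real pointer is undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounds check in the shape the callouts describe: read cursor plus the
 * attacker-supplied chunk size, compared against the end of the buffer.
 * Done on uintptr_t so the wraparound is well defined and visible. */
static bool chunk_fits_unsafe(const char *s, size_t sz, const char *end)
{
    uintptr_t limit = (uintptr_t)s + sz;        /* wraps for a huge sz */
    return limit <= (uintptr_t)end;
}

/* Hardened form: compare the size against the bytes that remain. */
static bool chunk_fits_safe(const char *s, size_t sz, const char *end)
{
    return s <= end && sz <= (size_t)(end - s);
}

/* Strict hex chunk-size parser: hex digits only (no sign and no leading
 * whitespace, both of which sscanf("%x") silently accepts), overflow
 * rejected. Returns the number of digits consumed, 0 on error. */
static size_t parse_chunk_size(const char *s, const char *end, size_t *out)
{
    size_t v = 0, n = 0;
    while (s + n < end) {
        char c = s[n];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        if (v > (SIZE_MAX >> 4)) return 0;      /* next shift would overflow */
        v = (v << 4) | (size_t)d;
        n++;
    }
    if (n == 0) return 0;
    *out = v;
    return n;
}

static char *find_crlf(char *s, const char *end)
{
    for (; end - s >= 2; s++)
        if (s[0] == '\r' && s[1] == '\n') return s;
    return NULL;
}

/* Decode a chunked HTTP body in place. Returns 0 and sets *len to the
 * decoded length on success; returns -1 on malformed input, in which case
 * the caller must discard the buffer. Chunk extensions and trailers are
 * skipped rather than interpreted. */
static int decode_chunked(char *data, size_t *len)
{
    char *end = data + *len;
    char *p = data;                               /* write cursor */
    char *s = data;                               /* read cursor */
    size_t newlen = 0;

    for (;;) {
        size_t sz, n = parse_chunk_size(s, end, &sz);
        if (n == 0) return -1;
        char *crlf = find_crlf(s + n, end);       /* skip any chunk extension */
        if (crlf == NULL) return -1;
        s = crlf + 2;
        if (sz == 0) break;                       /* last chunk */
        if (!chunk_fits_safe(s, sz, end)) return -1;
        memmove(p, s, sz);                        /* safe: sz <= end - s */
        p += sz; s += sz; newlen += sz;
        if (end - s < 2 || s[0] != '\r' || s[1] != '\n') return -1;
        s += 2;
    }
    *len = newlen;
    return 0;
}

/* Constructed well-formed body: two chunks, then the terminating chunk. */
static int demo_decode_ok(void)
{
    char buf[] = "5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n";
    size_t len = sizeof(buf) - 1;
    return decode_chunked(buf, &len) == 0 && len == 11 &&
           memcmp(buf, "hello world", 11) == 0;
}

/* Constructed hostile body: a chunk size of SIZE_MAX. The pointer-style
 * check wraps and reports that the chunk fits; the remaining-length check
 * rejects it, and the decoder fails closed instead of reaching memmove. */
static int demo_huge_chunk_rejected(void)
{
    char buf[] = "ffffffffffffffff\r\nxx\r\n0\r\n\r\n";
    size_t len = sizeof(buf) - 1;
    const char *s = buf + 18;                     /* first data byte */
    bool unsafe_fits = chunk_fits_unsafe(s, SIZE_MAX, buf + len);
    bool safe_fits = chunk_fits_safe(s, SIZE_MAX, buf + len);
    return unsafe_fits && !safe_fits && decode_chunked(buf, &len) == -1;
}
```

The two demo functions are the whole point: the same SIZE_MAX chunk that the pointer-arithmetic check waves through is rejected by the remaining-length check before any memmove happens. Note also that the size is parsed by hand; a scanf-style `%x` would accept a leading sign or whitespace, which is one more way the wire value can surprise the code that consumes it.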
problem triaging

Found it hard to triage/trace bugs without stumbling on more things…
2. sloppiness: msn_message_gen_payload

(annotated screenshots; only the callouts survive in the transcript)
• A funny example of sloppiness, probably not triggerable remotely.
• Bug: n is always incremented by 2, because g_strlcpy returns the length of src rather than the number of bytes copied
• Never mind though, we’ll just copy the message data on top of it all anyway
3. poor design: http content-length

• Different protocol parsers implementing their own Content-Length parsing – many in sloppy ways
• %d, atoi(), etc. for parsing Content-Length is reminiscent of 10+ year old httpd bugs
• (screenshots) broken way to parse content-length #1; broken way to parse content-length #2
general badness
• Many protocol plugins appear to implement their own parsers
• HTML/XML/HTTP - e.g. Content-Length

• Signed integers for offsets/lengths/indexes are very common
• The heavy use of HTML and HTTP parsing also introduces some interesting web-related attack vectors (XSS in HTML logging, etc.)
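An added example (constructed here, not taken from any libpurple protocol plugin) of the Content-Length habits called out above and of the signed-length problem from the list just given: atoi()/%d into an int, the size_t it silently becomes, and a strict bounded parser beside them. The header values and the 64 MiB cap are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* The habit the slides call out: atoi()/%d into an int. "-1" becomes -1,
 * "12abc" silently becomes 12, and anything above INT_MAX is undefined
 * behaviour. (Widened to long only so the caller can inspect the value.) */
static long content_length_atoi(const char *value)
{
    return atoi(value);
}

/* What that signed length turns into when it meets malloc(), read() or
 * memcpy(), all of which take size_t: -1 becomes SIZE_MAX. */
static size_t length_as_size(int len)
{
    return (size_t)len;
}

/* Strict parser: optional leading/trailing SP or HTAB (the optional
 * whitespace HTTP allows around a field value), then ASCII digits only,
 * no sign, no trailing junk, and the result capped at max_len so the
 * multiply can never overflow. */
static bool parse_content_length(const char *value, size_t max_len, size_t *out)
{
    size_t v = 0;
    while (*value == ' ' || *value == '\t') value++;
    if (*value < '0' || *value > '9') return false;   /* empty, sign, or junk */
    for (; *value >= '0' && *value <= '9'; value++) {
        unsigned d = (unsigned)(*value - '0');
        /* reject when v * 10 + d would exceed max_len */
        if (d > max_len || v > (max_len - d) / 10) return false;
        v = v * 10 + d;
    }
    while (*value == ' ' || *value == '\t') value++;
    if (*value != '\0') return false;                 /* "12abc", "1 2", ... */
    *out = v;
    return true;
}

/* Constructed header values run through the strict parser. Returns 1 when
 * it accepts exactly the well-formed ones and rejects the rest. */
static int demo_content_length(void)
{
    const size_t cap = 64u * 1024 * 1024;             /* arbitrary 64 MiB cap */
    size_t n = 0;
    bool ok       = parse_content_length(" 1234 ", cap, &n) && n == 1234;
    bool at_cap   = parse_content_length("67108864", cap, &n) && n == cap;
    bool neg      = parse_content_length("-1", cap, &n);
    bool junk     = parse_content_length("12abc", cap, &n);
    bool big      = parse_content_length("99999999999999999999", cap, &n);
    bool over_cap = parse_content_length("67108865", cap, &n);   /* cap + 1 */
    bool empty    = parse_content_length("", cap, &n);
    return ok && at_cap && !neg && !junk && !big && !over_cap && !empty;
}
```

The cap is the part that matters in an IM client: a Content-Length is a promise from a remote server, and the only safe reaction to a value the code cannot honour (negative, non-numeric, or larger than what it is prepared to buffer) is to reject the response rather than to let a signed value flow into an unsigned allocation or copy length.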
responses
• 100% response rate, fairly understanding, quite good to deal with
• Took some time for a patch to hit the public, e.g. CVE-2013-6485:
  8/8/2013: initial bug report
  18/8/2013: follow-up email
  20/8/2013: acknowledgement
  21/8/2013: patch ready
  28/1/2014: fix public

• A slight concern about the volume of fixes in each release
results summary
Spent no more than 1-2 days total reading through code…

(diagram) Greppable bugs → Top-down bugs → “I didn’t get past here…” → Bottom-up bugs
latest news
• 2.10.8 was released on 28th Jan 2014 addressing 18 CVEs
• The http/chunked bug was assigned CVE-2013-6485
• A number of CVEs in 2.10.8 (reported by Sourcefire VRT) relate to Content-Length parsing, e.g. CVE-2013-6490 and CVE-2013-6487
• A lot of other patches that didn’t receive CVEs (sloppy code)

• A lot of areas that could be looked at in more depth, e.g.
• All FILE* related paths and operations (i.e. reliable/effective RCE)
• More focus on the core, such as logging, etc.
2.x versus 3.x
• So, the 2.x branch certainly has some old/sloppy code
• It’s getting better each release, but there’s a lot more in there…

• The 3.x branch appears to be the more strategic solution
  • Cleaned up design with a tidier API (e.g. http parsing, etc.)
  • A lot of dead/redundant code elimination and clean-ups
  • Apparently it’s coming in the next 3-6 months
  • Looks promising, but they need help to make it robust
conclusions
• Tread carefully running the 2.x version
• There are undoubtedly a lot more dangerous bugs in there
• At least run on a modern platform in an isolated VM
• Alternatively take a look at Jitsi

• Keep an eye out for when the 3.x branch drops
• And if you like auditing code, help out the team 
questions?
@volvent
