From owner-freebsd-security@freebsd.org Sat Apr 28 02:40:20 2018
From: grarpamp <grarpamp@gmail.com>
Date: Fri, 27 Apr 2018 22:39:38 -0400
Subject: Exploit Lecture: Writing FreeBSD Malware
To: freebsd-security@freebsd.org
Cc: freebsd-questions@freebsd.org, freebsd-hackers@freebsd.org

https://www.youtube.com/watch?v=bT_k06Xg-BE

Without exploit mitigations and with an insecure-by-default design, writing malware for FreeBSD is a fun task, taking us back to 1999-era Linux exploit authorship. Several members of FreeBSD's development team have claimed that Capsicum, a capabilities/sandboxing framework, prevents exploitation of applications. Our in-depth analysis of the topics below will show that in order to be effective, applying Capsicum to existing complex codebases lends itself to wrapper-style sandboxing. Wrapper-style sandboxing is a technique whereby privileged operations get wrapped and passed to a segregated process, which performs the operation on behalf of the capsicumized process. With a new libhijack payload, we will demonstrate that wrapper-style sandboxing requires ASLR and CFI for effectiveness. FreeBSD supports neither ASLR nor CFI.

Tying into the wrapper-style Capsicum defeat, we'll talk about advances being made with libhijack, a tool announced at Thotcon 0x4. The payload developed in the Capsicum discussion will be used with libhijack, thus making it easy to extend. We will also learn the Mandatory Access Control (MAC) framework in FreeBSD. The MAC framework places hooks into several key places in the kernel. We'll learn how to abuse the MAC framework for writing efficient rootkits. Attendees of this presentation should walk away with the knowledge to skillfully and artfully write offensive code targeting both the FreeBSD userland and the kernel.

https://twitter.com/lattera/status/989602709950029824

Shawn Webb is a cofounder of HardenedBSD, a hardened downstream distribution of FreeBSD. With over a decade in infosec, he dabbles in both the offensive and defensive aspects of the industry. On the advisory board for Emerald Onion, Shawn believes in a more free and open Internet. His whole house is wired for Tor. Getting on the Tor network is only a network jack away!

https://www.youtube.com/user/CarolinaConVideos/videos

CarolinaCon was started in 2005 and has been held every year since. With each passing year the conference continues to grow and attract more attendees and speakers. As has always been the case, CarolinaCon is put together and run by an all-volunteer staff. CarolinaCon is proudly brought to you by "The CarolinaCon Group". The CarolinaCon Group is a non-profit organization registered in the state of NC, dedicated to educating the local and global communities about technology, information/network/computer security, and information rights. The CarolinaCon Group is also closely associated with various 2600 chapters across NC, SC, TN, VA, LA, DC, GA, PA and NY. Many of the volunteers who help develop and deliver CarolinaCon come from those chapters.

From owner-freebsd-security@freebsd.org Sat Apr 28 12:54:02 2018
From: "Peter G." <freebsd@disroot.org>
Date: Sat, 28 Apr 2018 14:53:46 +0200
Subject: Re: Exploit Lecture: Writing FreeBSD Malware
To: grarpamp@gmail.com, freebsd-security@freebsd.org
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org

Webb, next time when talking to any audience, remove your fucking hat.
That's basic human courtesy.
--
PG

On 28/04/2018 04:39, grarpamp wrote:
> https://www.youtube.com/watch?v=bT_k06Xg-BE
> [...]

From owner-freebsd-security@freebsd.org Sat Apr 28 15:53:17 2018
From: Yonas Yanfa <yonas@fizk.net>
Date: Sat, 28 Apr 2018 11:52:50 -0400
Subject: Re: Exploit Lecture: Writing FreeBSD Malware
To: "Peter G.", grarpamp@gmail.com, freebsd-security@freebsd.org
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org

Peter, who fucking cares if he wears a hat indoors? That's some old-timey shit!

Can you even explain exactly why it's such a "basic human courtesy"? Other than, "Because we've always done it that way........".

And to broadcast this for the entire mailing list...WTF MATE??

Welcome to 2018. His head, his rules!

#FreeTheHat #HatNazi #NoHatForYou!

On 04/28/2018 08:53, Peter G. wrote:
> Webb, next time when talking to any audience, remove your fucking hat.
> That's basic human courtesy.
> --
> PG
>
> On 28/04/2018 04:39, grarpamp wrote:
>> https://www.youtube.com/watch?v=bT_k06Xg-BE
>> [...]

--
Yonas Yanfa
fizk.net | yonas@fizk.net