 Hey, what's up everybody my name is John Hammond So if you have been living under a rock for the past day and day and a half yesterday two days ago There is a new CVE CVE 2021 a 3156 that affects all the versions of pseudo that we tend to know and use Right now in the modern world So pseudo right the command you use to run escalated commands or Escalate your privileges and run a command as root or the super user super user do pseudo on Linux Now it is a heap exploitation or a heap buffer overflow And I don't particularly consider myself a guy that's pretty sharp or smart on Binary exploitation or reverse engineering, but my good friend Caleb is He's pretty sharp on that stuff. So I kind of wanted to pick his brain I want to shout with him and I kind of want to get his hot take on what this thing is So this video is showcasing that conversation with him He's still kind of poking at it tinkering with it trying to follow in the steps of the qualis researchers Because qualis the company that released and found this information found this bug in this flaw They did not release exploit code with that or approve a concept of POC. That's totally cool That's totally understandable, right? It's probably a good move since there aren't a lot of patches rolled out already this is kind of breaking news and Maybe we don't want to put that in potentially bad hands But obviously right a lot of us red teamers a lot of us security researchers I kind of curious and are kind of wondering. Hey, can I play long? Can I look at this? Can I get a POC or a pocket just as well? so Caleb's off to the races and we'll tune in with him maybe later Hopefully if he gets a little bit more traction, but he's still kind of out of wall anyway I wanted to put this out So maybe you could get a little bit of a bigger picture on what this thing is and you could learn a little bit More about it. So before we dive in I do want to maybe walk through how we could patch this thing So I'll roll through some patching footage before we get into the video conversation with Caleb But I'll try to include time stamps in the bottom of this or in the description of this video So you can kind of click around and navigate to what you might want to see anyway, let's get to it Alrighty, so I am at my terminal I'm over here in my temporary directory and if I were to go ahead and run a command I'll just run pseudo tack tack version to see what version I'm running on and I am currently running on 1.8 0.31 now we know this version is affected by this bug by this vulnerability by the CVE So it's kind of up to us the onus is on us to go ahead and update. I'm more than positive This has already been rolled out to a lot of distribution repositories. I'm pretty sure Debian's got it So a bunch who's got it red hat centos arch Obviously anything that's a kind of a rolling release late like on the bleeding edge, right? They've got this stuff already kind of locked in But if you don't or if you don't want to go work through the notion of getting it through the repositories Go grab it from the source. Go grab it from the pseudo main online official page You can see that they do have this new current stable release pseudo 1.9.5 p2 released on January 26 2021 and this is the patched version so that Pseudo CVE will not take effect here if you go up over to the download page You can see they've got a tar gzip file that you can go ahead and download I'll go ahead and copy that link and I'll hop back over here so I can run a W get and Download this now this will take a little bit of time to run. It is you know a decently sized package I also apparently already have that in my current directory. So there is a dot one here. Forgive me This is kind of just for the demonstration's sake, but uh, this is what I would recommend Anyone go do if you want a patch. I've tweeted about this. I'll include that little tweet here You can go take a look at that, but now that that is downloaded I can go ahead and LS see that it is in my current directory and I'll go ahead and tar Extract it with X to extract the for verbose Z because it's going to be a gzip or guns in file and F to specify the file I'll auto complete that pseudo path here and it'll go ahead and decompress extract all of that I can hop into that directory now and I should have all the files Necessary to build this from source and go ahead and stalled on my own machine So that command syntax is super simple Just run dot slash configure to get your machine prepped and ready for it And it'll take a little bit of time to go through make sure you've got all the files that you need Grab all the header information so that it can poop out a make file and then you can go ahead and make and make Install it feels a little wonky running pseudo make install to install pseudo, but you got to do it You got a patch and I would recommend you do this right away Okay, now that that has configured I can go ahead and run make and I will and and pseudo make install with that and I'll whack that it will go ahead and Compile and install it into the proper directories for my system So then the next time I run pseudo tack tack version I will no longer see 1.8 point 3 1 or whatever it was now I'm gonna be running on that 1.9 point 5 p2 as we know the patched version so that's just a quick all the commands you need to go ahead and patch and Then you can trust that your machine is safe and secure do this do it patch update hot fix It's got to be done Okay, now that command has finished it has installed it So if I were to clear my screen and if I were to run a pseudo tack tack version now I will still see the 1.8 point 3 1 but keep in mind your terminal kind of has to be restarted So the quick way to do this just as a sanity check as you're working with it You could just run bash tack see and then go ahead and pseudo tack tack version now You'll see the output. Hey, you're running 1.9 point 5 p2 if you were to spawn a new terminal, right? Here I am in a new window. I'll bring that up to full screen Obviously a pseudo tack tack version in that context We're telling me we are on the latest stable up-to-date and patched version of pseudo cool All right, now that that's out of the way, let's get nerdy Let's do a little deep dive with my good friend Caleb as to what this qualus article and what all the news are all About with this bug and how it works and we'll talk a little bit about how we could be fuzzing it or also trying to find this Vulnerability on our own he's still working through it, but we'll keep you up to date in case we find anything new Roll the clip. All right, so we're gonna talk about the CB 20 with 21 31 56 It's a heap overflow in pseudo. I have the actual qualus is the company that released the Vulnerability initially today. I guess this this article was posted yesterday and It's really cool because basically you can trigger the vulnerability really easily with a short command at your terminal And so it's cool to be able to see something like a heap overflow that you can just like show that it works right away From the terminal the actual exploitation that is more complicated And we don't go over exactly how to do it probably for security reasons They don't want to just release that before people have a chance to patch it. Yeah but there are some details out there about what they did to Find it how they fuzzed that a little bit and then a little bit of detail about the different routes They used for actually exploiting it to get RCE So that's pretty cool. I just wanted to quickly go through kind of what the article talks about I'm not gonna read the whole thing obviously but basically it affects Pretty much any pseudo version since 2011. Yeah, it just affects pseudo It does The patch was released. I believe yesterday the day before is that correct? If I recall correctly, it probably says near somewhere. I think it was yesterday the day before But Yeah, so update your pseudo if you haven't But it affects basically every single operating system that uses to though So if you're on Ubuntu, if you're on DBA, if you're on Fedora, if you're on Cent, whatever I'm on Arch. It affects me. If you have pseudo, the bug is there I guess we can actually start off by just showing it Working like showing it crashing Which is kind of a cool little thing. So if I go pseudo or actually that if I go Could you zoom in a little bit more so it's obnoxious? Yeah, sorry Sudo edit I think So pseudo edit and we'll go over why exactly a pseudo edit not pseudo in a second But just like a kind of a cool little start off like this is it actually working so The fundamental bug is that it's not processing escaped characters correctly So we give it an escape character and then you can give it and I'll actually give it other things so Give it a bunch of stuff for it's buffer and this all happens during the processing of the arguments So it doesn't matter what the arguments are and it doesn't matter if you're in the pseudo Sewers file. It doesn't matter what user you are. It is a bug in the pseudo binary itself prior to all of that happening So none of that matters and you can see right here It died. We had malloc corrupted top size up or global block Basically what that means is we overflowed something to the heap malloc later after we overflowed that pseudo attempted to allocate something in the heap and malloc said wait a second This is all messed up like the the actual structures that malloc uses to track all the data that you've allocated Have now been corrupted and malloc basically killed the application because said I can't trust anything in memory anymore and we're gonna leave So that's just a quick that is it working on my actual machine. I just haven't updated yesterday So that's my actual machine and it's working Hey, sorry quick pivot I just wanted to showcase if you were running that test or doing that check now that we've patched it right running that exact same Command syntax using pseudo edit and then tack s and denoting that you're gonna use an escape character It will no longer cause that malloc choke. It'll simply tell you hey Here's the actual usage of pseudo edit and that is what you can end up using to kind of determine Hey, is your system vulnerable or you currently patch or you want a good version? So that's that now we'll get back to the good stuff. Thanks So that's pretty cool that you can just test it or like see it working like that as far as What it actually or why it actually works that way? basically Pseudo does a bunch of processing they end up taking all of your command line arguments in which come into the Program as an array of strings. So every single argument you pass and this is a string on its own And depending on the mode that pseudo is in it might actually combine all of those Individual arguments back into one long string Problem with that is that then you have issues of okay Well, what if one argument had a space in it? What if one argument had this other special character and that kind of thing in order to handle that? Pseudo takes all of the arguments individually and combines them together with spaces in the middle to make a normal string Like you type in the shell and then it has to go through and escape special characters like spaces When it does that converting to that and then converting back if you had a loan Backslash in there with nothing after it it gets confused because it thought that was actually It thought there was supposed to be another character after that I thought you were trying to escape something like you would normally do maybe a backslash space as a Specific example to this if you did a backslash space what that would mean is hey I don't want to put a space as in separating two arguments. I want to put an actual space in this current argument So it's looking for that next character and what happens is Pseudo Misinterprets the next character which is actually the null terminator of that string And misinterpret that that is supposed to be an escaped character And then keeps processing things because it didn't notice the null terminator. That's what's happening there and causing that overflow And this article goes into some details about how you trigger it and why it's hard to get there It comes down to basically Let me find that exact block I believe it's this one So they check this Pseudo mode and it has to pass this check in order to get to the part that does that escape character processing In order to set all of those settings. There's no way to trigger that normally But what they realized was you could trigger that set of options because of some some Logic bugs in the process if you ran Pseudo edit Pseudo edit is actually the same binary as Pseudo It's just a sin link. What Pseudo does is it checks to see if our v0 So like the first argument which normally is the name of the process that's running It checks to see if that is Pseudo edit and it does one thing if it's Pseudo edit does something else if it's Pseudo They're both the same binary So when you run and they also process arguments the same way when you run Pseudo edit You're still running Pseudo, but it sets one specific flag that you needed it doesn't reset another one that should have been reset and then you because they use the same argument processing are Allowed to pass tack s which actually sets the last flag that you need That that all relates back to these flags if they're talking about here I'm not going to go through every single code block they have here because that would be monotonous but That is basically why you have to run Pseudo edit So as you saw I ran Pseudo edit tack s which like I said that tack s gives us that last flag that it needs to get Into that block of code to process those arguments after that. We don't really care what Pseudo edit is supposed to do It's going to crash before it gets there That's a really really quick rundown of How it works So once now we have that like baseline of how we got here at this point It's just a buffer over or it's just a buffer overflow in the heap We have to figure out how exactly we can use that heap exploits are traditionally Obnoxiously complicated they make my head hurt Because there's a lot of links Basically the heap if you if you never looked into it before is kind of like basically a linked list. So every single piece of memory that you allocate has a header at the beginning of it and that header tells the The allocator or malloc is what you usually use It tells malloc and free how long the next block of memory is so for every piece of memory you allocate You have a header that says hey This is how long this block is and the way it finds the next block is it just adds However much that size says it is to that pointer and then you get to the next block So it's a linked list in that way There's some other pieces in there that make it more complicated like there are Special values that have to line up if the pointers for the backward references don't line up with the forward references that gets all funky And so there's security checks in there that make it very difficult to exploit keep a buffer overflows But what's kind of interesting about this and they go into it here is that basically They went through and they said okay. We have this heap exploit what we would like to do is they wanted to reuse an old Method of heap exploitation because they were like oh, this is just basic heap overflow We could reuse this method and apply it here and maybe get code execution And they go into that actually it's interesting. Let's talk about John a minute ago about this the actual quality blog article Stops here, so they talk about this and they say hey, you know After your arguments the thing immediately following your arguments and memory ends up being your environment variables So you could actually continue the overflow through the environment variables, which is useful And so they give an example here where they do a similar thing that I did where they had though the one two three Whatever those those numbers during letters don't matter Then after that happened it then continued copying characters from the environment, so you see down here You have your one two three four five six seven eight all this stuff that you had here where this slash is it actually escaped the null character and this dot is your null character and then you have your a a equals which is here a And you can actually insert null bytes into the buffer so you can actually use no bites Which is not always a case for buffer overflows You can actually insert null bytes with escape characters, so they showed that example here They have a a equals a and then a null bite and then b equals b just let you see here So all the way down the line you can continue that overflow through the environment variables This is where this article on qualis actually ends interestingly this page from packet storm security as From what I can tell the same content in a little bit different from format But if if you look at the actual content it appears to be the same As far as the description of the vulnerability and these code blocks all these types of things But when you get down to a similar part right after they do that same thing with this Overflowing with the environment that you see here This article ends and packet security goes into some more detail about how they did their Fuzzing to find the actual or the specific way that they could leverage as vulnerability to gain code exclusion So it's kind of interesting. I like this article. It goes to some cool details They talk about how they wanted to use basically part of The locale they wanted to modify the locale Which allowed them to use that other thing I was talking about so they mentioned Half-dogs technique from this link, but you can go look up Had you done any digging on that one? Did you kind of make any sense? Haven't actually gone into that to be honest with you. I have focused on their first result which actually From all indications of this seems like a much simpler way to do it if I can find the right parameters But they did it by accident. So finding those right parameters is gonna be annoying I Haven't looked into it to be honest, but they were apparently trying to replicate that you know has something to do with set locale I haven't gotten all the way into the weeds on that yet Moral of the story is That they developed this fuzzer I was going to fuzz the LC environment variable because they were doing stuff with the locale It was also going to fuzz the size of the user arms buffer, which is basically the argument that you passed in And then it was going to overflow and the size of how much you were gonna overflow into that Pretty sounds pretty straightforward as far as fuzzing overflows go and then They ran that fuzzer Like they said they weren't able to get the outcome They wanted because apparently the locale was forced for some reason is what they talked about here It was always set to see instead of obeying what they were trying to set it to So their method wasn't working However in the output of all of their crashes because they crashed you know a ton of times while they were fuzzing this They found some interesting results, and I think the first one to me is the most interesting because it's just like I Want to say coincidence, but it's such a straightforward like if you can get this then like basically done a During their fuzzing they realized that at some point they accidentally overwrote and it's very a function pointer Not only did they accidentally over at a function pointer The function pointer they overwrote all of the arguments that get passed to that function are valid arguments for exec v What that means is if all they really have to do is Instead of in this case they overwrote the function pointer with a bunch of a's 41 41 41 And that caused a crash, but if they control this which they do because they send a bunch a's They could set this theoretically to the address of the exec VE function Function that is supposed to be an in-call is this get ENV which they talk about here What the actual arguments to that function are it ends up being the name of the environment variable a Pointer to a pointer for the value my pointer to a pointer to a pointer for the value and Then this closure thing that is supposed to be a callback and they talk about those arguments And they actually line up really well with what exec VE is expecting name that gets passed in is an environment variable name But if we were to create This is the actual thing that gets passed in if we were to create an executable within our path that was named that Doesn't matter where it is just create it somewhere And then we ran exec VE or forced this pseudo to run exit VE It would run this binary even though we didn't create that like we we didn't make that name pseudo Was trying to call getting a V with that name, but if we made that executable on our path That would work And then it talks about how these these values of these arguments happen to line up It's a pointer to a null pointer which lines up with exec VE's RV argument, and then the closure is actually a null pointer itself which lines up with exec VE's environment pointer Basically, you can you can pass an empty arg V array, and you can pass no environment and exit VE is fine Which happens to be what this is doing so it's it's kind of like Kind of like a fluke, and I think it's really cool Yeah, I think it's really cool that it just kind of like lined up that way I spent this afternoon trying to find arguments that would end up with this crash. I was not successful But I keep playing with it. I wanted to Compile pseudo with debug symbols and then just start playing with the crash in gdb And trying to look for the values that are actually in these hooks to see when I start overriding them Instead of blindly doing it like they did because that could either take a lot of time or end up with a lot of data That I have looked to look through and since I already kind of know the target location. I'm looking for Sadly pseudo was being a jerk, and I could not get pseudo to compile with debugging symbols. I don't know why But it refused to compile. I did write a really bad buzzer in like Python Where they put it see me that I don't even want I don't really want to show it Yeah, it's I mean, it's nothing crazy I start I start a thread Reading K message looking for the segmentation faults or general protection faults That basically K messages like D message So you'll see a line in there for whenever a process has a segmentation fault or a general protection fault I grab those lines and record what the kid was for that process That's just running in another thread because K message never ends. So you can't just read all of K message It's a special device file that never ends So I do that another thread and I store that in a variable and then keyed by the kid of the process the crash and then I just go through a bunch of sizes of Overflow to do and I just wanted to see what the result be the only result. I ever got was that malloc error which Could be for a lot of reasons. I need to test more and I really just need a debug copy of pseudo so I can figure that out and Yeah, I mean I can run it, but it's not interesting. It just says that it's you get a bunch of crashes and it's trying a bunch of sizes Um, yeah, that was really really fast and I talked really fast They didn't hear I was focusing on this one today I want to get into the other different methods that they may have used but this article has some more information that this just like reload This article does have some more information about the different things they saw and How you could use it? Oh One thing I forgot to mention the Doing that overriding exec VE or overriding with exec VE We don't actually have the address exit fee We have no memory leak from the process which a lot of times you're thinking about buffer overflows like oh I need a memory leak because there's ASLR That's true you do but also you are assumed already have local execution because you're running pseudo and if you do You can read the symbols from pseudo or is that so which is where you're actually getting exec VE from And so you know the offset for that and you can do a partial Overwrite of that function pointer Which effectively they talk about it here, but you can't get an exact partial overwrite but you get partial overwrite plus a little bit extra and I think it's only one byte that you compromise and it ends up being like Statistically you should get the right address like in 4,096 tries or something like that And so basically they say you know we don't have a leak We don't actually know the address, but we can run it 5,000 times and it will probably succeed You're just kind of brute-forcing that last bite of ASLR Which I think is a perfectly fine like it might be noisy, but it would be cool to see it work right And that's the most straightforward initial go. So that's where I was trying to work at Sorry you started to say something I cut you off No, I was gonna ask do you mind showing us how you were trying to compile pseudo or kind of what that looks like when you're Trying to get the debugging symbols and what your what wall what wall you're running into So They have like this thing you're supposed to run It's So you don't just run configure apparently you run like make package and I think wasn't behaving for me You're supposed to just be able to pass debug in It was exactly told me is there anything else Oh, I wanted to pass in all that stuff That should do it and probably with my luck it's gonna work now that I'm sitting here saying it doesn't work It's kind of what I was hoping for That should produce a make file and you should just be able to run make and get a built copy of pseudo Just be compiling something I I've never used this whatever this make baggage thing is I don't know if it's specific to pseudo or not, but normally it's just like dot slash configure Warnings, I suppose they're moving really fast Yeah, so I get was a saying Make package thinks it's trying to build an RPM file Which isn't right because I'm on arch probably if I just did this from like a deviant machine where make package knows what to do because it mentions that River isn't here platform. You can platform use RPM or whatever Probably if I did it on not arch it would probably work But I didn't have a VM on hand when I was doing this a little bit ago I can try it on my machine Want go for it It's literally just like github.com slash pseudo tech project. I think slash you don't even clone it Um Maybe again if you're comfortable with it or if you're cool with it We could if we get any if you get any other progress we could do this again to showcase kind of what you've Poured through but sure. Yeah. Yeah for sure Okay, so That's all the conversation that I have for you so far Obviously, yeah, we're still kind of tinkering with this. We're still kind of playing with it I know Caleb's gonna spin up a virtual machine to see if you can get maybe pseudo compiled with the bugging symbols I've tried to download on my machine and I'm tinkering with it as well There's no way I'm actually gonna get anywhere with it But if anything I can enable and encourage some other folks I hope to try to do so because look this is what it's all about if we're seeing new bugs new flaws new vulnerabilities Then it kind of takes a village, right? It's the whole community playing in concert Everyone kind of just kind of jumping in to learn about this thing see how we can make it better See how we can improve it and see how we can learn from it and just getting everyone in the know just just I don't know spread in the knowledge. So that's what this video was all about I hope you enjoyed that safari ride through some pseudo stuff, but patch your systems I can't say it enough. Hopefully that thing that segment at the beginning this video helped out and We'll do this soon if we get any updates for you We'll we'll hopefully be able to bring that to you just as well Please please jump in as well, you know, you should be having just the same fun that we are and patch I can't say it enough go patch. Thanks so much everybody. I'll see you in the next video. Love you. Take care