This is the same case with Fabs. He is, as all the other great presenters, a beautiful, amazing, intelligent person. And please, an applause for Fabs while he joins me on stage.

Yeah, so basically I'm gonna be ranting a bit about vulnerabilities in open source software and the disclosure process behind them. I'm sorry about the rant and I'm sorry about my slides. They just came into existence like half an hour ago, so I'll do my best, but I'm sorry for that.

So, the title of my talk is "Grepping for Shells", because most of the stuff I found, I found with grep. It's an awesome tool. Love grep. It's the best, seriously. And apart from that I'm gonna talk about how the whole responsible disclosure thing works sometimes, especially how that works in open-source software and what can go wrong.

The software I'm gonna talk about as an example here is one where I found a bug in it. It was my first disclosure, so I don't really know how the whole thing works, but I'm kind of doing a bit of storytelling. The software is used by this kind of weird research lab in Switzerland that does like these shooting little bits at each other, and it's the software they use to look at the data, to analyze it and so on. The whole story starts sometime around Easter, when I had a bit of time.

First of all, what's ROOT? It's the software I'll talk about. There was a talk about it at the last C3, something about LHC plus Higgs plus something is equal to something. It was a good talk, I recommend watching it, but yeah, this is more about the bugs in it. So, ROOT. This is the text they use to describe it on their website, where they say it's a framework to look at things and to do things. But most of all, the thing I found it to be is very special. It's software to do special use cases. First of all, you can save data in files. That's very special. The data is in tables, and tables are called trees in ROOT.
I don't know why, but the columns are called branches, and in those columns you can have rows, or cells, and, you know, you get the idea, and they're called leaves. Not tea leaves, but everything in ROOT starts with the T because it's a type. It's C++, I don't know. And of course when you have software that does this kind of stuff, you need an embedded scripting language. So what they did is they put this embedded scripting language in there. It's called C++, and it's interpreted by a clang thing that was made into a just-in-time compiler called cling, because it's interactive now.

And they do big data, you know, like they have a lot of these collisions, so there's a lot of things happening and they need to save it, and it's, you know, a lot. So they need to save that stuff, they need to process it, so there are a few requirements. You need to not have the whole file in memory at one time, because that can be a few terabytes and that's annoying. Then you have to be able to do some sort of cluster operations, so they have their own daemon for that. And because you need to access files over the network, they decided to do this thing called implementing their own file server, and you can open files remotely, and the protocol is called root. It's an awesome file server. You can open files and so on, but I'll come to that.

So there's a few services it offers, and some of that is remote code execution and some of it is local code execution, as a service. And this will be three acts, because it's a trilogy, you know.

First of all, when I looked through the documentation: can you read this? It's too small? Yeah. But anyway, there's this documentation thing that they have, and it says that you can open files, and when it starts with root:// then it's opened over the network via this network server, which I thought like, cool.
Let's take a look at that. So yeah, that's a thing. It's the service that forwards open, read, write and so on over the network, and you can open files, and every time you read something it reads a whole block and sends it to you. It's great, really. The service is called rootd. I don't know, on some distributions that runs as root, but that's not because it's in the name. Sometimes it doesn't run as root. And it's deprecated, but still used. And the new thing is called xrootd, I don't know, because it's better.

So, rootd. They thought it's really good to expand shell variables in file names, and they thought of how do we do that. Turns out they do it like that. Does anyone see what's wrong with this? Yep, basically. Yeah. And then they decided to fix that by escaping stuff, so this is basically the stuff they are doing, and yeah, they're putting echo in front of it. On HP-UX they put /bin/echo in front of it. And they even do this thing where they escape shell characters to fix that whole thing. So these are the characters they escaped. I don't know why they didn't think of backticks. But yeah, so there was a remote code execution in that. So then they decided, okay, the whole thing is deprecated anyway.

So I looked at the new one, because, you know, they're not gonna make the same mistake twice, right? So they didn't, but I was having fun and I was using grep to do things. So I started grepping source code, like git repositories, for popen. popen is awesome. It opens a shell and gives you what the shell does. So sometimes they do that. So they decided, you know, XRootD is cool, it's more web scale, you know, you can even authenticate with a lot of users. So they put this LDAP module in it, and they needed to map users to the LDAP principal, like distinguished names. And grepping for popen finds things. Anyone see what's wrong here?
It's the same thing as before, pretty much. This thing here is the username that you could put in to do it. The other bug was, you didn't have to put in a new username, you had to authenticate first and then, you know, put in the file name, but here you can just put in a new username that contains quotes and a semicolon, and there you go, you have a shell. There's another bug there as well where you can put in a long username. That also works. Yeah, and it's all fed into popen. Oh, okay. Yeah.

So, episode six. Those were the two remote code executions I found. The third, the next one, was actually in the documentation. So it's actually also worth grepping documentation for C++ keywords if you have C++ things. So the way they represent a function object in their scripting language is you have this thing called a TF1. It's T for type, because it's a type, F for function, and 1 for one-dimensional, because it's C++, you know. And that can be a lot of things. It can be an expression, it can be a lambda expression. So if you grep stuff for lambda, sometimes you find things. And the way you use it is you create a new object of this type, and in a string you put the C++ code you want to execute. And the cool thing is you can save these things in those ROOT files. You know, you can save those in those trees or branches, or next to them, or in histograms that you make. So does anyone know those office macro things, you know, when you click execute when you open an office thing from one of those weird emails, the one that's like "send you money"? Yeah, basically the same thing, because you can put lambda expressions in there. It's even documented.
It's as a service, you know. So you can actually create functions that look like that. It's cool. And so, you know, you start grepping documentation for shells, you start grepping source code for shells and you find things, and then the next question is, what do you do? I mean, this is software that's running at universities and research institutes, and you know, you kind of have some sort of responsibility, if you feel like that, and you want to make sure this gets fixed the right way (TM), whatever that is. But you want to make sure this gets fixed without too many people taking advantage of it. So how do you do that? It's surprisingly difficult, actually, and takes a lot of time.

So I started looking around and I found there's this GitHub repository, and there's a URL up there, so I clicked that. There's this page and it says, hey, you know, there's a public key so that you can contact us with it if you want to disclose something. I was like, yay, they get it, cool. By the way, I'm gonna show you some emails. I'll only show you emails I wrote or emails that were not encrypted, which are public anyway.

So I sent them this message, which roughly decrypts to this. I don't really know how this disclosure process works, so it said like, hey, I have discovered something there, those are the things I found, I have some proof of concept stuff and I'd like to disclose it, and how do I do this? And here's my public key, feel free to contact me with it. They sent me this email back, which is also encrypted with this weird cipher called HTML. I redacted the name, but it's this person from that organization. I'll call him the CERN CERT guy or something like that. Yeah, and that roughly decrypts to that. Oh no, wait, did I? No, I don't have this decrypted. But yeah, it basically says like, yeah, thanks for contacting us, if you have a proof of concept,
we'd like that, and tell us how to do it so we can fix the software and arrange for it to be rolled out. I was like, yeah, cool. This was like a few minutes later, on an Easter day where people are usually, you know, not at work, in the evening. So yeah, they get it, even though it wasn't encrypted. But yeah, so I sent them this back and I said like, yeah, I couldn't read your email, but maybe send me plain text messages, with PGP, that's cool. But yeah, so that's that, and I gave them some proof of concepts on how to open it, and I suggested a few more things. I don't know if it was my place to do this, because I don't know how to do this, but I thought it would be a good idea to, you know, suggest being kept in the loop, or to ask them to publish stuff like a security advisory or something like that, so people know to actually fix their stuff and get patched. Because, you know, fixing software doesn't help if people don't patch it.

Yeah, I got this thing back, which roughly decrypts to that, which is some ticket system saying, yeah, we're at it. The fix turns out to be, for them, the macro thing, you know, where you can open a file and it executes code, seems to be kind of difficult, because executing code is, like, you know, the purpose. So it's code execution as a service, yay. And you know, you shouldn't trust those files, but yeah, anyway. And that's pretty much the last thing I heard. Then, a while later,
I, you know, updated my git pulls and so on, and so they fixed it. There is this pull request and it got merged, and it was cool, cool, cool. That says like, yeah, "address security threat reported by", and the "reported by", I redacted the name, you can't see it, but that was that CERT guy that I reported the thing to. So, yay for attribution. But the good thing is the software got fixed, right? And yeah, it says here someone even, wait, here someone even suggests: could someone merge this in, maybe we should backport it, and then put it into the old software. Which is cool, yay. Except it didn't happen. It just got merged. And the other software, the XRootD, someone said, yeah, that may become a security threat, so let's not build this LDAP module thing anymore. So that's cool, at least, you know, no bugs in the code they ship now. It's all commented out.

So yeah, sorry, that's the end. It's fixed, really. So yeah, not really. So the thing is, getting it fixed is the beginning of it all, and it seems disclosure is a really difficult process, and doing it takes time and effort. So it turns out, this is a screenshot from archive.org, awesome project, they're great, really. It's like the latest releases at the time when the fix was pushed. The latest release around then, version 60904, was the one they committed the fix in, and version 60902 was the one that was the current development branch, or unstable or something like that. This was stable. People use stable. People like stable software.
They don't like their bugs getting fixed. So, and this was, you know, the old version, the really stable one, you know, and I think, yeah. So stuff like that happened, and, you know, there's these things called changelogs. People don't put things in them that might look bad for them. So that's also great. So, you know, the bug was fixed, but no one knew about it, and no one was gonna patch their shit.

So yeah, the other thing: XRootD did put it in the changelog. They said: do not build package libXrdSecgsiGMAPLDAP.so. Would you update your software if it says that? Would you feel like you had a bug, like, you know, a remote-code-execution-in-the-username kind of bug? Not really, right?

So yeah, I thought, you know, there's one way to make sure that people get the idea to patch their stuff. If they're not gonna do it, you know, I'll have to. So there's this awesome project called the Distributed Weakness Filing project. It's kind of starting out. Till now, every time you want to CVE something, it goes through some numbering authority that assigns you a number, and once you get that number and it gets verified, then that gets pushed out to all the distributions and loads of people who, you know, see that there is a problem. That's the point of doing these. And sometime in May or June, I unfortunately don't really remember anymore when exactly that was, I filled out this Google Docs form, which is how to get a CVE for open source software. It seems like this is the only project that currently assigns CVE numbers for open source software. That took ages. Oops, that's the wrong slide. Then I spent a lot of time waiting. In June, like, I think it was a month later or something like that, I'm not quite sure to be honest,
I got an email to accept some terms of use, or like contributor guidelines, that I'm willing to publish stuff. Then nothing happened. Then mid-August I got a notification of assignment, that my CVEs got assigned. And sometime in November I got an email like: here, there's a CVE, can you, like... I have no idea, you know, what the problem is, because there is nothing in the release notes, there's nothing by the project itself referring to the problem. So yeah, I had to clear that up, and then they were assigned, which is cool. And then even later it got even better. I just saw this like two hours ago. It's 14 days ago, which is approximately the time those CVE numbers hit the bug trackers: they actually backported the fix. So yay for them. So it seems like the way to get stuff done is actually to get these weird CVE numbers, otherwise people don't care.

And, that was the slide I was trying to show you here, it even landed in these Debian trackers, which is cool. They decided not to fix it because it's, you know, authenticated code execution, and I think the package itself is not supported anymore because no one maintains it. But yeah, that's cool that there are things and trackers about it.

So yeah, that is till now where I'm at. I don't know if there's still something happening or anything. But I have a few takeaways from it and things I learned throughout the process. Responsible disclosure is really, really hard. It's a lot of work. It's not easy.
You have to kick people, and people will not really want you to do that. Some people will, but people don't really want their bugs to be public or whatever. One takeaway for people who are actually in the business of mitigating exploits, or the whole, you know, communication stuff: no, the work doesn't end after the bug fix. Arranging for a bug fix isn't the end of it. That bug fix still has to land in repositories, that bug fix has to land in the stable branches. It's always nice to credit people who found it, and not, you know, take the credit yourself. And things like the Distributed Weakness Filing project, they're awesome. They are very necessary, and, you know, they cause things to work, and without them things don't work, because without them the fixes don't get pushed out there. Especially in non-IT and scientific communities, like for example where you get ROOT, software engineering is difficult for people who don't do it, and people who don't do it end up, you know, not being educated to do it. So it really helps to have some kind of synergy between people who are in software engineering and security and other areas, which I feel is a bit missing. And, you know, people shouldn't have to make their own tools if their work isn't really, you know, making them but using them.

Yeah, that's where I'm at. I'd like to thank the Distributed Weakness Filing project for taking care of bugs and doing the stuff they do. They're awesome. I'd like to thank CERN CERT for getting the bug fixed, the ROOT project for making that software, because it's actually useful, my CTF team Tasteless, they're great, the best, totally, it's true, and that very awesome person who made me look at ROOT. Are there any questions? Yeah, thank you.

Perhaps... Thank you very much. Any questions from the audience?
I can ask a few questions to warm you up. Perhaps... you promised. Okay, now I'm first, though. You promised me a talk. If these guys wouldn't have done the backport 14 days ago, would you have held the talk here anyway?

To be honest, I saw that the backport happened like two hours ago, and I don't know. I think publicity is one way to get stuff fixed. And the bug, the moment the fix landed in a pull request, it's kind of public, you know. People know it, people see it, people look at the GitHub pull requests for, like, you know, "fixed remote code execution, please merge". Yeah, those things are out there. And, you know, there's a process to fix code and then publish that there is a fix out there and please update your stuff. And if that isn't followed, but, you know, you fix it in master but you don't fix it in your stable branch, then I don't know. I don't know what to do about that.

Well, I don't really see a big difference between code as a service and remote code execution. So why would anyone do this at all?

Sorry?

I don't really see a big difference between code as a service and remote code execution. Why does this package exist at all?

Well, it's basically something that works like a database, and it has functions to analyze data. It exists because people are too lazy to look at the new things and want to use their old stuff that used to work in the 80s. So it's legacy, but it's the best there is for the stuff it does, which is: have a lot of classes that do a lot of data analysis, and scriptable in C++.

Any more questions? So, Fabs, one last question from my side. I will sit down too. This is my... the cameraman has awesome fun. Normally you stay in one place.
You don't move down, like in the back. There was a lot of movement. Perhaps this was a very interesting talk, and if any one of us would like to talk to you about it, how would we do it? How would you get in touch?

Maybe questioning... I don't know. If you see me walking around: I'm mostly walking around, so I don't really have a place. I'm sitting here at the moment. So there isn't really that much. You can dig out my email from the CVE number that was on the screen, which, uh, yeah, something like that.

Yeah, service as a service. Yeah, basically. Okay, um, then this concludes the talk held by Fabs. Last applause, please.