Entries posted in May 2005

Wordpress Updates & Format string attacks

Saturday, 28 May 2005

Security

  • New wordpress security update – v1.5.1 (updated)
    • I’m getting increasingly disillusioned by Wordpress. I’d switch to something home-grown like so many others. But invariably this means people can’t leave comments and I like that ability. I rarely bother to email people in response to entries. It’s just too much effort.
  • Strings handed to the C syslog function for logging should never be passed as its format argument; pass them as the argument to a constant “%s” format instead, so that any ‘%’ sequences in the data are logged literally rather than interpreted.
    • If you don’t understand why, I can explain. You can audit your software with the pscan package.
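As an added example (not code from the original post), the two calling patterns side by side in C. Because syslog(3) writes to the system log and returns nothing to inspect, the helper below applies the same printf-style formatting step (vsnprintf) into a caller-supplied buffer; the function names, the directive counter and the sample inputs are mine.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Stand-in for syslog(3): applies the same printf-style formatting that
   syslog applies to its arguments, but into a buffer we can inspect.
   Returns the length the formatted message would need. */
static int log_line(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern: the untrusted text *is* the format string. Every '%'
   directive in it is interpreted: "%x" reads stack words into the log,
   "%n" writes to memory. This is what syslog(LOG_INFO, msg) does. */
int log_unsafe(char *out, size_t outlen, const char *untrusted)
{
    return log_line(out, outlen, untrusted);
}

/* SAFE pattern: a constant format, untrusted text as an ordinary argument,
   so '%' in the data is copied literally. This is syslog(LOG_INFO, "%s", msg). */
int log_safe(char *out, size_t outlen, const char *untrusted)
{
    return log_line(out, outlen, "%s", untrusted);
}

/* Count conversion directives in a string; "%%" is a literal percent sign and
   is not counted. Any non-zero result on attacker-controlled text that reaches
   a format argument is a finding. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *user = "alice 100%% %x%x";   /* constructed attacker input */
    char buf[128];

    log_safe(buf, sizeof buf, user);
    printf("logged literally: %s (%d directives in input)\n",
           buf, count_directives(user));

    /* The real call, done the right way: constant format, data as argument. */
    openlog("example", LOG_PID, LOG_USER);
    syslog(LOG_INFO, "login attempt: %s", user);
    closelog();
    return 0;
}
```

Compiling with gcc -Wformat -Wformat-security makes the compiler flag the unsafe shape of a real syslog/printf call (“format not a string literal and no format arguments”), which is the same check pscan performs as a source audit.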

| No comments

 

Malformed image testing.

Friday, 27 May 2005

Malformed Images

Since discovering a few crashes in browsers that don’t handle badly formed HTML input, I’ve been taking a little bit of a break.

Being in a sadistic mood though, I thought I’d see what other kinds of bad input I could generate to test programs with, with a focus on making simple changes that would be easy to duplicate and test automatically.

In the recent past there have been a lot of integer overflow type bugs found in various graphics libraries. (Imlib, libpng, etc).

So I thought I’d play around in that area.

What are we looking for?

We’re looking to craft an image such that viewing it in either a standalone graphics package, or a web browser will cause a crash.

But how?

Well the very idea is that we’ll create “malformed” images deliberately designed to trigger badness tm.

But what kind of image manipulation can we carry out?

Well lets assume we take one known-good (and pretty) picture.

  • Copy it 3xN times, where N is the length of the file in bytes.
  • Name the copies i_0.ext, i_1.ext and i_2.ext, one set for each byte offset i from 0 to N-1.
  • In copy i_k.ext set byte[i] to be:
    • 0 (k = 0)
    • 128 (k = 1)
    • 255 (k = 2)

This gives us 3xN images, each of which has exactly one byte altered, covering every offset from the first byte to the last.

These we can load in sequence, automatically, via a simple CGI script which will META-REFRESH onto the next one.

With this script we can simply kick off the loading of the first image, then wait for it to load all in turn – or crash.

If it crashes we can look at the server logs to see which image it loaded last.

What did we get?

We got:

  • Two scripts:
    • make_evil_img.c
    • refresh_script.cgi

What else did we get?

Well I started my test using a 20K animated gif image. This led to 60k images and a new appreciation for handling directories with lots of files in them … :S

Running the test took a good long time, showing three images a second. But my desktop was very responsive.

No crashes though :(

A waste of time? Well maybe, but it was fun experiment, and it could easily be duplicated or extended by anybody with the inclination.

If it’s useful I’ll share my scripts – they’re nothing special though.

What next?

Realising that most image formats store their lengths, offsets and dimensions in 16- or 32-bit fields, we should repeat the test except:

  • Instead of tweaking each individual byte in turn, do it for each pair of adjacent bytes.
  • Instead of tweaking each pair of adjacent bytes in turn, do it for each run of four adjacent bytes.

A single altered byte only touches one byte of such a field; overwriting the whole field with 255s gives 0xFFFF or 0xFFFFFFFF, which is the value most likely to trip an integer overflow in a size calculation.

This is left as an exercise to the reader….
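An added example of the mutation step, not the post’s own make_evil_img.c: it implements the single-byte plan above and, as the extension just described, the 2- and 4-byte variants through a width parameter. The function names, the <offset>_<k>.<ext> output naming and the sample bytes are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The three fill values from the plan: copy k of an offset gets FILLS[k]. */
static const unsigned char FILLS[3] = { 0, 128, 255 };

/* Number of mutants for a len-byte file when `width` adjacent bytes
   (1, 2 or 4) are overwritten at every possible offset, three fills each. */
size_t mutant_count(size_t len, size_t width)
{
    if (width == 0 || len < width)
        return 0;
    return 3 * (len - width + 1);
}

/* Build mutant number idx (0 <= idx < mutant_count()): a copy of data with
   `width` bytes at offset idx/3 set to FILLS[idx%3]. Returns a malloc'd
   buffer (caller frees) or NULL; reports the offset and fill used. */
unsigned char *make_mutant(const unsigned char *data, size_t len, size_t width,
                           size_t idx, size_t *off_out, unsigned char *fill_out)
{
    if (idx >= mutant_count(len, width))
        return NULL;
    size_t off = idx / 3;
    unsigned char fill = FILLS[idx % 3];
    unsigned char *copy = malloc(len);
    if (copy == NULL)
        return NULL;
    memcpy(copy, data, len);
    memset(copy + off, fill, width);   /* the only change from the original */
    if (off_out)
        *off_out = off;
    if (fill_out)
        *fill_out = fill;
    return copy;
}

/* Inspect one byte of a mutant without keeping the buffer around.
   Returns the byte value, or -1 if idx or pos is out of range. */
int mutant_byte(const unsigned char *data, size_t len, size_t width,
                size_t idx, size_t pos)
{
    if (pos >= len)
        return -1;
    unsigned char *m = make_mutant(data, len, width, idx, NULL, NULL);
    if (m == NULL)
        return -1;
    int v = m[pos];
    free(m);
    return v;
}

/* Write every mutant to dir as <offset>_<k>.<ext> (k = 0, 1, 2), following
   the N_0.ext naming above. Returns the number written, or -1 on error. */
long write_mutants(const char *dir, const char *ext, const unsigned char *data,
                   size_t len, size_t width)
{
    size_t total = mutant_count(len, width);
    for (size_t idx = 0; idx < total; idx++) {
        size_t off;
        unsigned char fill;
        unsigned char *m = make_mutant(data, len, width, idx, &off, &fill);
        if (m == NULL)
            return -1;
        char path[4096];
        snprintf(path, sizeof path, "%s/%zu_%zu.%s", dir, off, idx % 3, ext);
        FILE *fp = fopen(path, "wb");
        int ok = fp != NULL && fwrite(m, 1, len, fp) == len;
        if (fp)
            fclose(fp);
        free(m);
        if (!ok)
            return -1;
    }
    return (long)total;
}

/* usage: make_evil_img <image> <outdir> <ext> [width] */
int main(int argc, char **argv)
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s image outdir ext [width]\n", argv[0]);
        return 1;
    }
    size_t width = argc > 4 ? (size_t)atoi(argv[4]) : 1;
    FILE *fp = fopen(argv[1], "rb");
    if (fp == NULL) {
        perror(argv[1]);
        return 1;
    }
    fseek(fp, 0, SEEK_END);
    long len = ftell(fp);
    rewind(fp);
    unsigned char *data = len > 0 ? malloc((size_t)len) : NULL;
    if (data == NULL || fread(data, 1, (size_t)len, fp) != (size_t)len) {
        fprintf(stderr, "could not read %s\n", argv[1]);
        return 1;
    }
    fclose(fp);
    long n = write_mutants(argv[2], argv[3], data, (size_t)len, width);
    printf("%ld mutants written\n", n);
    free(data);
    return n < 0;
}
```

Running it with width 1 on the 20K gif reproduces the 60k files mentioned above; widths 2 and 4 produce slightly fewer (3 × (N − width + 1)) because the overwritten run must fit inside the file.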

Happy Hacking!

| No comments

 

Still not dead.

Monday, 23 May 2005

Work

Well that’s me signed off work for an additional four weeks. sigh

| No comments

 

Websites with no 'www.' prefix

Friday, 20 May 2005

Website Domain Names

People, please make sure your website address works as expected.

Example:

That annoys the hell out of me. Argos isn’t alone in this regard either, many many big sites and companies “work” like this.

| No comments

 

Irony is ..

Friday, 20 May 2005

Seeing a post on somebody’s blog which says my previous entry didn’t allow comments.

Then being unable to reply to that entry!


My error is that this version of Wordpress doesn’t allow comments if the entry has no title. When I upgrade wordpress I’ll report a bug if it’s still present. Users with a more recent version than I could tell me if it’s still broken till then?

His error is:

There is no GD-Library-Support enabled. 
The Captcha-Class cannot be used!

| No comments

 

Website ponderings

Tuesday, 17 May 2005

Change is bad

I’m realising how hard it is to change a website which has been running for a while with a decent amount of users.

The problem is two-fold:

  • Users who see the change tend to prefer the older version, because they know it.
  • Adding extra options to a user’s account, or the site, is largely something that current users don’t notice or take advantage of.

I think this could be part of the reason why the layout of Slashdot is still so broken – it works. Everybody knows that slashdot could be improved, but it’s not seen as an important enough way to spend time.


I’m still planning how to redo my homepage. I’m very tempted to go into a more dynamic direction – I think I’ve hand-edited every single page on the site twice to update the look and feel.

Doing it a third time would just demonstrate I haven’t learnt anything, and suck up hours of my life which could be better spent.

The Open Source Web Design site will probably be browsed to find a decent layout into which I can place my content – then I need to work out what to use to power it.

Most of my pages are static text with minimal images. (Apart from the image galleries).

Plus side, I’m happy with the directory / URI naming. So I do expect to keep things where they currently are – cool URIs don’t change after all!

| No comments

 

Tetris and Life

Saturday, 14 May 2005

Tetris

There are some people who play Tetris who make the same mistake over and over again.

They are the ‘over-correctors’. Say you want to drop a piece one square away from the left-side-wall. A good player will move it all the way into place in one attempt.

A bad player will slam the piece all the way to the left-wall, then nudge it one space to the right.

On the face of it the bad player is doing the right thing; they’re always going to judge it correctly, and they are always going to avoid “miscounting” the correct landing column.

However the overcorrector will fail at speed – there just isn’t enough time to move the piece further than it needs to go, then move it back. It’s just not possible.

It’s a bit like life really.

Sometimes doing things the hard way is the best course of action.

Funny old world, eh?

(Ps. Anybody want to setup a Debian-tetrinet server somewhere public? I’ve got a lot of free time right now … :S)

| No comments

 

Mozilla, Debian, GNUMP3d, Sleep.

Tuesday, 10 May 2005

Another Site Update

Another big upgrade to the code behind my site, now allowing all users to customise the display a little. More tweaks coming shortly.

I’ll not comment on that any more, cos it’s repetitive and advertising ;)

Work

Discovered that I’m due back at work on the 23rd. Still, given that I’m not actually being treated and haven’t had a diagnosis yet, I think it’s pretty unlikely I’ll actually be back then.

I’m due to see the doctor again shortly, so I’m going to see what he can do. Hopefully move the study forward from the current estimate of December – because the way I am now there’s no way I’m going to go back to work.

sigh

Still I have been offered a couple of contracty / one-off jobs which I might accept in the interim. I need to find out more details and pay first.

Security

After a few miscommunications another Mozilla Firefox crash bug has been reported.

I’m unsure how I manage to consistently reproduce this on both Linux and Windows 2000 – but the other commenters can only reproduce it on Linux.

Still a remote crash, and a fun thing to investigate.

Sarge

I uploaded an update to GNUMP3d to the testing-proposed-updates queue, after asking for permission.

Of the two changes one was accepted (to be honest the other had slipped my mind), so all being well this will be available shortly – and no more users will complain of broken /info links.

I should probably make a new upstream release soon, it’s been fixed in CVS for a while. It’s hard to be enthusiastic about the project any more. It works. It works well. Nothing left to add, nothing left to take away.

Maybe just another sign of my current apathy. Seems like I have nothing interesting to work on during the few hours I’m actually awake.

| No comments

 

Sarge Security

Wednesday, 4 May 2005

Sarge

Sarge was frozen yesterday, and today a new binary snapshot arrived on my doorstep!

It’s a few days old, but still useful for me.

Since I have it now is a good time to update my Debian Unstable Setuid/Setgid software list. (Actually I should do more with that whole site).

Anyway in a fit of enthusiasm I reported my first sarge security issue today. It’s another trivial one, but it might still be the first one to be tested on the new autobuilders!

| No comments

 

Freeze imminent?

Tuesday, 3 May 2005

Maybe so...

I made uploads a few days ago, I hope they make it in if there is a freeze soon, but it’s not a big deal if they don’t.

(OT: I wonder how we find out about these meetings in advance? I don’t follow -release, so I’ll assume it was mentioned there).

| No comments

 
