CppCast - Binary Exploits
Episode Date: January 20, 2022

Marit Tokle and Christian Resell join Rob and Jason. They first talk about a Y2K-like bug that unexpectedly hit us in the new year. Then they talk about binary exploits, why they're still relevant, and a particular binary exploit that Marit and Christian demonstrated during their recent talk at NDC TechTown. They also talk about 'Capture The Flag' security competitions.

News
- YYMMDDHHMM just overflowed a signed 32 bit int
- James Webb Space Telescope runs on C++
- My Mentoring Program "Fundamentals for C++ Professionals"

Links
- NDC TechTown: Demonstrating binary exploitation with a recent vulnerability
- Demonstrating binary exploitation - Marit Iren Rognli Tokle & Christian Resell
- CodeQL
- CTF Time
- CTF Team bootplug
- CTF Learn
- Over The Wire

Sponsors
- Indicate the #cppcast hashtag and request your PVS-Studio one-month trial license here: https://pvs-studio.com/try_free
- C++ tools evolution: static code analyzers: https://pvs-studio.com/0873
Transcript
Episode 333 of CppCast with guests Marit Tokle and Christian Resell, recorded January 12, 2022.
Sponsor of this episode of CppCast is the PVS Studio team.
The team promotes regular usage of static code analysis and the PVS Studio Static Analysis Tool. In this episode, we talk about an unexpected Y2K-like bug for 2022.
Then we talk to Marit and Christian from CTF team bootplug.
Marit and Christian talk to us about binary exploits and why they're still relevant.
Welcome to episode 333 of CppCast, the first podcast for C++ developers by C++ developers.
I'm your host, Rob Irving, joined by my co-host, Jason Turner.
Jason, how are you doing today?
I'm all right, Rob. How are you doing?
Doing okay. Had to get my daughter COVID tested yesterday, so waiting on that to come back,
which I'm a little antsy about, but hopefully it'll be fine. She doesn't have any symptoms
or anything, but she sat next to someone at lunch who had it, so gotta get checked.
I was just following a Twitter thread this morning about all of the fake COVID testing centers around the United States.
Testing, yeah.
That they are charging you, or not just necessarily charging you, but they're using it as a way to collect personal information, and then they're charging the government for the test, and then giving you a negative result no matter what happened, like not even actually running a test. That's a fun new scam.
Yeah, you know, honestly, I'm not shocked, because everyone tries to make a buck in the situation, you know. I guess that's unfortunate. How do you know to look out, like, what do you look out for to avoid a fake COVID testing center?
Well, according to this particular Twitter thread, the thing that cued one guy off to this being fake is that he saw that the, you know, "go here to get your results" was a static URL, so everyone was given the same URL.
Wow, that's terrible.
Yeah. Okay, well, at the top of every episode, I like to read a piece of feedback.
We got this comment on the Include C++ Discord.
We do have our own group for CppCast on the Include Discord. This was from OJ002, saying, "Latest episode," referring to the recent episode
with Slobodan about his modern C book.
Latest episode mentioned that there is no container vector
that can accept everything without void star shenanigans.
There's actually a very easy to use way
of getting almost the exact behavior of std vector in C
using macros.
And he has a little code snippet here pointing to this stretchy buffer library.
So I will put a link to that in the show notes.
And he actually goes on to say that he made his own version of this container library.
And there's some other neat things.
I also talked about
some of the proposals going into
C2X like lambdas and you can go
and read them with a link he put
here. So thank you for all that.
Kind of scary.
I mean, just in theory.
Kind of scary
doing all this with macros,
but is that what you mean?
Well, I don't know. I feel like I need to look at it and see what it's doing.
Yeah. Well, the second link that this person put in is like a more type-safe version of this container library.
Okay. I see. Yeah, cool.
Yeah, well, we'd love to hear your thoughts about the show. You can always reach out to us on Facebook, Twitter, or email us at feedback@cppcast.com. And don't forget to leave us a review on iTunes or subscribe on YouTube.

She's engaged in the hacking community in Norway, among other things. She's a member of the CTF team bootplug and a board member of the association Oslo CTF
that focuses on creating an inclusive and safe learning environment for beginners in security.
Merit, welcome to the show.
Thank you.
I really, really want to ask you about the CTF team stuff, but we're going to have to wait for later.
But it's just the thing that I want to latch on to with your bio. Anyhow, I'm so curious. We'll talk about that more, though.
Yeah, yeah.
Also joining us today is Christian Resell. Christian is a security engineer working with tracking and analyzing APT actors. He has previously worked with vulnerability research and malware analysis. He is a CTF player and regularly solves challenges related to binary exploitation for his team, bootplug.
Christian, welcome to the show.
Thanks.
Okay, so we'll talk about CTF later,
but you added another acronym or initialism in here, APT.
What are APT actors?
Yeah, so APT is short for Advanced Persistent Threat, and it's usually used to categorize, like, hacking groups that are state-sponsored or that have, you know, significant funding or backing of some sort.
So, yeah, very interesting. So you track and analyze those people?
Yeah, so I kind of have to look up,
check what they're doing
and see if they're trying to abuse any of our systems
to protect users from attacks, basically.
Okay, so it's like a normal day at the office, like, North Korea is hacking our system again?
Like, I guess, unfortunately, sometimes it is like that. You kind of get numb to it, I guess. There's a lot of attacks happening all the time. And before, I used to work for the Norwegian CERT, which is another acronym, which is short for Computer Emergency Response Team.
Okay.
And there as well, you kind of see everything that hits, you know, the Norwegian government
directly, or, you know, critical infrastructure.
And yeah, it's just a lot of stuff happening all the time.
So, so yeah.
That CERT, that's what a lot of our listeners would maybe already be familiar with for like
software vulnerabilities, that kind of thing.
Sorry, what was the question?
For security vulnerabilities in a library or something, when there's a notice posted about that, a cert, is that the same CERT thing?
No, so this is like a team that's embedded for the...
Or I guess it's a team that works...
Yeah, it's the whole team that does incident response
and responding to threats and attacks.
But don't they also post vulnerabilities that we need to fix?
Like, hey, there's something we need to fix now.
Yeah, that's a lot of familiar things, sir.
Yeah, that's actually a good point.
Maybe, I'm not actually sure.
I thought so.
Since I worked with this.
Okay.
Okay.
Well, we got a couple news articles to discuss.
Feel free to comment on any of these
and we'll start talking more about
binary exploitation and CTFs, okay?
All right. So this first article we have is "YYMMDDHHMM just overflowed a signed 32-bit int." And this is just a really short post about how, yeah, on January 1st, 2022, if you're using a signed 32-bit int to store dates in this format, it doesn't fit anymore.
And I never really thought that this would be used to store dates in a 32-bit int.
I'm not sure how common this was, but I certainly was not expecting that, you know, this January
1st would be like a Y2K type scenario for some software systems.
I have so many questions about this.
First of all, why is it a two-digit year?
Didn't we learn that lesson approximately 20 years ago?
Didn't we learn that?
Yeah.
Apparently, for some people, their Exchange servers stopped working. But it's not Exchange specifically, it's Microsoft's vulnerability scanner that plugs into Exchange that started dying. If you click on the "really, no joke" link on this one, that's what that points to: Microsoft scan engine failed to load. So the Microsoft vulnerability scan engine for emails.
So they had to like, people who had this problem
had to turn off virus scanning on Exchange
to be able to send email.
Wow.
That's weird.
I was thinking if this could be used,
like it's integer overflow, right?
And while thinking about it,
it wasn't that interesting,
like from an exploitation point of view,
because I don't think I could exploit it.
I don't know, Christian, would you be able to?
I guess in this case,
you're forced to turn off your defense mechanism.
But yeah, I guess other than that, like, causing unexpected behavior, I don't know. For this case, it's a funny bug at least.
Yeah, yeah, definitely a funny bug. I also just thought we were past these things after Y2K. Is the, you know, the Unix epoch still something we need to worry about in like 10 years, or is that... yeah, anyone know?
I believe it's still an issue on some systems, because if you're still using a 32-bit timestamp, and some of the Unix system APIs still use 32-bit timestamps, it'll overflow.
Yes, I believe it is still a potentially lingering issue. Did you say it was '38 when that would overflow, or is it '34?
I thought it was '38.
That's what I thought as well. Okay. Oh, 16 years. Hopefully you can figure it out.
No, no, I think it's fine. In 15 years, when everyone's panicking, we all just become very highly paid consultants fixing these issues.
There you go. Just like all the COBOL programmers did in Y2K.
Yeah.
Yeah.
Sounds great.
All right.
Next thing we have, this is just a really short Reddit post,
but interesting that the James Webb Space Telescope,
which there's been some news about recently, is running C++ code.
So that was cool to hear.
Yeah.
I hope they do their memory management well.
I mean, space shuttles, they should be secure, right?
Mm-hmm.
I think with a lot of those systems, they're not allowed to do any dynamic allocation at runtime at all. Like, it's all front-loaded kind of things, so that eliminates some classes of bugs.
Yeah, yeah. Did you all read the comment thread? I skimmed through some of it.
Was there something you wanted to highlight there?
Well, I just felt confused by it
because all of the top rated comments
are complaining about how the comment section
is full of people complaining about C++,
but I couldn't actually find any comments
about people complaining about C++.
I couldn't find people complaining about...
YouTube comments?
I don't know.
I did not see the comments
complaining about the
programming language, but I did see the
top ones.
But that is one of the
things that we do say when we talk about
binary exploitation, that not using
memory in unsafe languages is
kind of a way to avoid
vulnerabilities, right?
But that's a huge discussion.
Although, well, I think I have maybe a simple question.
What languages are considered memory safe languages?
Well, we do have Java, Python. But then again, Python is written in C, so there was, I don't remember when it was, like last year or something, there was a vulnerability found in Python, so that Python had a memory vulnerability even though it's a memory-safe language.
Yeah, it was like using C APIs behind the scenes
in an unsafe way.
So in that way, you can get some issues.
And we kind of have the same in JavaScript as well.
So every modern browser today is parsing JavaScript,
and the JavaScript engine is always written in,
I think, almost...
I think all the modern browsers are using C++.
I believe so.
But there has been a ton of issues in the engines.
But I guess the language in itself is memory-safe,
but the implementation might not be.
I guess it's... Yeah.
I think there was, I feel like there was an era around, you know, like 2009, like late early 2000s if you will, where every single vulnerability that I saw was a new one in the Java JRE, in Sun's JRE, and you're like, crap, I have to update my Java runtime again. I thought that was the whole point of using Java. I haven't seen that come up in a long time, though. Maybe they've resolved those.
That's a good point. But we did also mention Rust, and Rust does have some of these capabilities, like you can create kernel modules, right?
And so they can still be pretty fast
when we talk about the security versus performance issue.
So that can be a good option as a memory-safe language.
So as security researchers,
if you find out that a project was written in Rust,
are you more likely to say,
oh, well, it's going to be harder to find a vulnerability here? Do you think, is that like... You can still do unsafe things in Rust too, you just need to do it explicitly, right?
Yeah, yeah. So, but I think if you want to look for, like, memory safety issues, it's a lot harder in Rust. I mean, you would have to look for these unsafe, like, where the programmer explicitly uses unsafe code.
But I mean, you still have this,
like all these other classes of bugs,
like logic bugs and so on.
So, I mean, you would just have to kind of
change your mindset a bit.
So you're not like looking for, I don't know,
string copy or, you know, some other pattern like that. You have to look for other types of patterns.
Okay, okay. And then this last thing we have is a post on Rainer Grimm's blog, and this is "My Mentoring Program: Fundamentals for C++ Professionals." And I don't think we mentioned this before, but it looks like he's setting up this new mentoring class.
I'm not seeing how to register for it.
Maybe he's just kind of putting out,
putting this idea out there
that he's going to be setting up this class.
But certainly seems like something
that some of our listeners might be interested in.
I did actually read this whole article.
So to answer your first question,
he says that the registration will open,
what did he say?
Four weeks before the class goes live,
which he's planning for April.
Goals to launch the course in April.
And yes, once to open registration,
four weeks before the course starts, right?
Okay. So it's going to be a nine month course and if you want to go to the website and see
there's 28
topics that will be covered
and each week you'll
get videos and access
to his books
and also one on one mentoring
which sounds great
And for people who are curious, it's 250 euro per month.
Okay. It seems like an interesting concept. I'll be very curious to see how it goes for him.
Yeah, kind of want to sign up, actually.
Well, if it goes well for him, you could look into doing the same type of thing yourself, Jason.
So, yeah. You don't like the online training much?
Well, I don't love online training, but that seems kind of... I don't know. Rainer came up with this great idea, now I'm gonna steal it.
I hope it goes well for Rainer, and I will continue pursuing the things that I'm pursuing.
All right. So let's get started talking about vulnerabilities and security research.
How did you both get involved in this space?
You want to start, Marit?
I was going to let you start, but I can't.
My answer is meeting Christian, really. So I hope he could do, like, an introduction first. But when I met Christian, that was basically when I became a nerd. I didn't really have a community or anything before I met him that really, like, found all these tools that are cool to use and make us do efficient programming and hacking and whatnot. So meeting him, and he introduced me to this Norwegian hacking competition called TG Hack, and I became a part of that community, making challenges there. That was how I came into the security community. But I'm not actually doing security research, though. That's what Christian does. I do, like, secure development, but I do hacking on the side, like after work.
Yeah, well, you said it was after you met Christian that you became a nerd, but so then I have to ask, what were you doing before you met Christian? Like, were you already a programmer?
Yeah, I did go to the university with programming for four years before I met Christian, but then I was hanging out with a lot of people, going out, getting drunk a lot.
Only doing like whatever we had to do to pass.
So it's just amazing that I even passed.
But it was barely.
So you were a partier and then you became a nerd.
Yeah.
But I was always a nerd within. I just didn't have people to be nerding with.
Yeah.
Totally.
Okay. How about you, Christian? How did you get involved in this?
I think it all started, like, way, way back when I was a kid. I was, you know, playing my Nintendo 64 and stuff, and when I kind of got tired of the game, me and my friends would always be looking for, like, glitches and bugs in the game, you know, to just mess with the game, basically. And, like, during that period, I was always, like, interested in computers. My dad is a programmer, so, you know, we always had a computer around. But, yeah, and for some reason, you know, I thought, like, hacking was a bit interesting. Can't remember, like, the first time I, you know, was made aware of it. But basically, I did, you know, I tried to learn programming several times, but I always, like, gave up because it was too boring or too hard. I was like, ah, screw this. So it wasn't until I started the university
that my kind of interest picked up again.
And that's where I kind of learned all of this security stuff.
Once I kind of got over that barrier of, you know,
I was able to write more than, you know, Hello World in Java.
I was suddenly, I got super interested and started digging into, you know, low-level stuff like C and assembly.
And yeah, that eventually led to this security stuff.
I mean, in all fairness, though, Hello World in Java is like 15 lines.
It's not nothing.
I was working as, like, a teaching assistant in our Java course at the university, and, like, the first thing we always told the students was, like, yeah, don't think about all of these lines of code. This is just there, you know, just forget it.
Yeah. So you said you got started by trying to exploit games on the 64. So just out of curiosity, like, I've been watching some of these speedrunning videos lately, and now they're like, oh, we just cracked level three of Mario Kart 64 finally, and, like, finding the bug that lets them speedrun that level in Mario Kart. Like, do you follow any of that stuff?
Yeah, we're actually watching. Yeah, yeah, yeah. We're watching a marathon right now called Games Done Quick, where they collect, like, yeah, it's like a charity event where they get money, and now it's for the Prevent Cancer Foundation. And it's just, like, speedrunning for a week straight. Last year they did have this really fun bug where they flipped a bit on, no, what was that? Was it like a satellite thingy where they managed to flip a bit, and then, do you remember?
Oh, oh, yeah, yeah. And then they could do this really weird glitch in the game.
Yeah, what was it? It was something like super crazy, like some, like, disturbance, like, I'm not sure what it's called, like electromagnetic disturbance or whatever, flipped a bit in memory on his console, and that enabled him to do something weird. It was like, it's like the weirdest stuff I've ever heard about.
You start aiming microwave magnetrons at your N64 so that you can actually...
Very interesting.
So we already talked a little bit about you know,
memory safety and
things like that. Do you want to tell us
what exactly binary
exploitations are and some of these
topics you went over in your NDC TechTown talk?
Yeah, sure. So binary exploitation is, and this is what I always say, it is to exploit binaries, which is obvious, but it's to exploit vulnerabilities in binaries. These vulnerabilities are often memory safety issues.
We already
talked a little bit about
overflows,
and it's common with stack overflows or buffer overflows.
And we also have this one type of overflow called heap overflow,
which is very common.
And that's the one we talk about in our talk.
I don't know.
Do you want to fill in, Christian?
Is there anything more we should...
I think that's a good introduction.
We just want to mess with binaries in some way or another.
And memory safety is like the...
I guess it's one of those classes of bugs that are prevalent still today and has been for a long time.
And they're usually very, very powerful.
Yeah.
For our talk, we tried to find some statistics to let everyone know how relevant it is.
And I was actually quite surprised. I didn't really think that it would be more than
half of the vulnerabilities that both Google and Microsoft found. They were memory safety issues.
And that was surprising for me, at least. I mean, when I'm doing development with my
development teams, if we at some point
and we rarely do talk about
binary exploitation,
someone will always say that
it's old news.
That it's probably not relevant anymore.
But obviously that's
wrong.
I'm just imagining
someone on your team telling you
since this is the kind of thing that you do
oh that's old news
Most of my teams are really, really cool. But it's like, yeah, when we... I just never knew how relevant it was myself, and I kind of got fooled by these comments like, it's probably not relevant. And while doing these easy and really actually old, easy buffer overflow challenges, I've always thought that this is probably not that relevant or common. But yeah, we still see some, I guess. At least, Christian, you see some simple buffer overflows here and there.
Yeah, especially in embedded systems,
simple stack overflow can still be relevant,
even though it's not in modern software.
It's not really that big of an issue anymore.
But some products, they just, you know, disable all kinds of security mechanisms, or in some cases, like, the security mitigations and mechanisms aren't available, especially if you're, like, on embedded or something like that. Like, if you're writing software for, I don't know, like a remote control for your TV or something weird.
It's like, yeah, I think almost all programmers have probably experienced a stack overflow when writing a recursive function, whether they did it intentionally or not. But, right, can you explain what a heap overflow is, since that's what you started this conversation with?
Yeah.
Heap overflow is more or less the same as a stack overflow,
but we have the static memory allocation,
and then we have dynamic memory allocation.
And when we do static memory allocation,
we allocate on the stack, while dynamic allocation is on the heap. And so whenever we allocate something at runtime, we do heap allocation.
Okay. If that's correct.
Yeah.
Yeah.
Sorry.
Go on.
Yeah, so in C++, like, whenever you do new something, some object, that's a heap allocation, like, behind the scenes. And if you have something like, if you're writing to a buffer allocated with, like, new or malloc or whatever, and you're writing too much data into that buffer, that's a heap overflow.
Okay, so if you, like, write past the end of your buffer, that's a heap overflow.
Yeah.
Is that the same thing as a buffer overflow then, or not?
It's kind of the same. It's just a different type of storage.
Okay, yeah. I think, like, buffer overflow is like a, I don't know, umbrella term, kind of, and then you can be more specific and say, oh, this is a stack overflow or a heap overflow. Or, like, sometimes you have a global buffer overflow. So, yeah, so if the buffer lives on the stack, then you might get a stack overflow. If the buffer lives on the heap, you might get a heap overflow.
Okay. All right. Cool.
Thank you.
The sponsor of this episode of CppCast is the PVS Studio development team.
PVS Studio is a static code analysis solution that helps enhance code quality, security,
and safety. The analyzer detects bugs and potential vulnerabilities in C, C++, C#, and Java code on Windows, Linux, and macOS.
CppCast listeners can use the CppCast hashtag to get the analyzer's one-month trial version.
To request the trial, use the link in the podcast description.
C++ projects are getting increasingly complex, too complex for people to analyze them thoroughly during code reviews.
That's where code analyzers come in.
They notice everything the human eye misses, thus making code reviews more productive and
enhancing code quality.
Want to know more about the problem?
Take a look at the recent article from the PVS Studio team, C++ Tools Evolution, Static Code Analyzers.
The link is in the podcast description.
So do you want to tell us a little bit about the specific hack that you showed in your NDC talk?
Because it was, you know, pretty interesting.
I'll actually do that, Christian.
Okay, sure.
Yeah.
Yeah, so, yeah, we tried to demonstrate a bug
that was found by a company called Qualys in sudo.
So we chose this because, like, sudo is such a common tool.
I mean, I use it everywhere.
That's the Unix escalation,
privilege escalation tool or whatever?
Okay.
Yeah, yeah.
So yeah, I mean, sudo is in basically
every Linux distribution
and yeah, used to get higher privileges
to install packages
or whatever you might need to do on your system.
And this was a heap overflow in this program that they found.
And it enables like a local attacker
to take full control of the machine,
even though you're not allowed to use sudo.
Yeah, so you can be, like, a totally unprivileged user, and suddenly you have full control of the system because you've kind of tricked sudo into giving you more privileges.
That's without even writing your password, right?
Yeah, you don't have to do anything, basically. You trick sudo. Like, the bug is so early on in the code, so it doesn't have time to check your password or check if you're a legit user or anything.
It's just basically full control very early on.
And that's what makes it such a bad bug, I guess.
How recently was this bug discovered or exploited?
It was...
Isn't it like a year?
It's almost an anniversary. I think it's almost an anniversary.
Yeah, yeah. Wow. So surely these things aren't relevant anymore, right?
Like, so obviously we don't have, you know, the ability to look through code right now like you did in your talk, but can you talk us through exactly how this sudo hack works?
Okay, I can try to kind of...
Do your best, I guess.
It's hard without the code.
Yeah.
So basically, there's this one mode where sudo parses command line arguments. And one thing it has to look at is, like, escape characters and stuff like that. And what sudo does is, like, early on in the code, it checks basically how many command line arguments do we have, and then it allocates space for all of these command line arguments on the heap using malloc. And then there's, like, this weird bug where if you enable some flag when you start sudo, it changes how it parses these escape characters. And then, like, later in the code, like, this buffer has been allocated, there's room for all the command line arguments, and now we're going to copy them from one place to another. And so basically what it ends up doing is, like, I think it places, like, a space between every command line argument and puts them in a, like, huge buffer. And the problem is that if you end your command line argument with a backslash, sudo will increment past the backslash.
And then in C, every string is null terminated.
And then it will skip the null terminator and keep reading out of bounds of this buffer.
And if it finds more valid characters, all of those will be copied into this heap buffer
and that ends up overflowing the buffer
like you're writing outside the bounds
and again then you can use this
to kind of manipulate data on the heap
to trick sudo into basically running your code
I've written almost exactly that same bug.
Yeah, it's hard to get it right, right?
Yeah.
It also shows, the bug shows how important it is to write a readable code
because that exact piece of code wasn't really easy to read.
At least in my opinion, it wasn't.
I agree.
I think we also got some questions during one of our presentations
where someone was asking, like, what is going on here?
This code isn't valid or something like that.
Because it was doing some weird assignment and checking.
It's C. It's probably valid.
So as Jason said, you know, he's probably written this exact same bug.
I've come very close to.
Our listeners have, yeah.
Yeah.
What kind of tools or patterns might you recommend to avoid these sorts of bugs?
Well, at first I want to point out that we don't do much, or we're not C++ developers.
But for the talk, we wanted to find more tools to be more helpful, but we didn't really have much time to do much research on it. But we do have some, like, common suggestions. So, for instance, like, I'm more from the security development side. So I would say tools that we developers can use are stuff like IDE plugins or commit hooks, or when we merge our pull requests, have pull request checks. And for those, it can be anything, like very quick scans for common security issues that just take the low-hanging fruit, and then maybe once a week you have a large scan doing more in-depth checks on the systems.
But I think Christian has some tools that he recommends as well.
Yeah, so I have some tools. But basically, anything you can do to kind of increase the quality of your code will kind of, you know... security issues are just bugs, right? Except that they can have, you know, a lot of consequence if your program is, like, exposed to the internet or has a lot of users. So, yeah, anything that increases code quality is, like, a good bet. But, like, specifically for, like, memory safety issues and stuff like that, I always use AddressSanitizer when I develop C or C++.
It makes it so much easier to catch these memory safety issues early on.
And it also catches memory leaks and stuff that won't really lead to security issues,
but it could still be good to catch these.
So I think this is available in both Clang and GCC.
I'm not really familiar with Mac OS and Windows.
Visual Studio just now has address sanitizer support also.
Just go ahead and mention that.
Awesome. Yeah, that's really cool.
And Clang also has another tool that I like to use called libFuzzer.
Okay.
So I'm not sure if everyone is familiar with fuzzing, but it's basically, you know, throw random stuff at your program or functions and see how it behaves. And of course, there's a lot of, like, smartness behind, like, how the fuzzing is done and so on. But, like, with libFuzzer, if you have some function that kind of parses data from the user, it's very nice, and it helps you kind of catch all sorts of edge cases. So this together with AddressSanitizer will be like, you're quickly able to catch bugs.
Did you think, if libFuzzer had been run on the command line arguments for sudo, it would have found this exploit, or identified that there was a bug there?
That's a good question, actually.
Didn't you say that they did use a fuzzer to find this? Or did they find out about it first and then...
Yeah, they didn't use a fuzzer to find it.
Yeah, it was code review, and then they fuzzed to find this...
Feng shui?
What is it called again? Yeah.
Yeah, that's what, like, when you're doing vulnerability research and you're trying to, like, shape the heap to look just how you want it so you can overflow, you know, the correct object on the heap, we call it heap feng shui, which is kind of funny.
So you actually have to set up the heap in a certain way
so that when the overflow occurs,
you're now executing the code you want to be executing.
Yeah.
So this is like, anyone who does like exploit development
or vulnerability research, they usually have to,
like one of the
things you have to understand is like how the heap allocator or implementation works
so and this like varies a lot like there's one in android user space there's one in the kernel
one in the browser there's a different one on windows on mac and everyone like works a bit differently so yeah so i maybe if i can like flip that question
around a little bit that we just asked are there tools that you use other than fuzzers
and to find vulnerabilities that we as programmers could run on our own code first
before we release it over to you to find the vulnerabilities in it.
I have a very good example.
You did use the CodeQL, right?
That was a nice tool for scanning the code.
Yeah, CodeQL is really nice.
It's from GitHub Security Lab or something.
I don't think I'm familiar with that.
Yeah, it's like a query language for code. So it compiles your code and then you can do queries on top of it. But you don't have to understand, like, the language and stuff to use it; you can just run your code through, like, different checks.
Oh, and it seems that LGTM uses that also, which I'm familiar with as an online scanning tool for your code.
Okay, LGTM's tied into this. Interesting. Okay.
I've not heard of this before. CodeQL, we'll put a link to this in the show notes.
Another tool that I always use, like how I found my first bug, was grep for string copy.
That's always... you know, that's just kind of sad.
Yeah. No, but it is recommended. When I did, like, you know, pentest training to learn a little more about, like, the difference between coding and doing pen testing,
I was trying to find, like, the good midway on how much a developer should learn about hacking.
And then when I learned about pen testing, they said using grep is a very good way to find vulnerabilities.
That's just amazing.
I mean, and you do mean literally the C function,
S-T-R-C-P-Y, right?
Yeah.
That's, I mean, I don't know.
It feels like we could have learned something
over the last 50 years that that would no longer be
a reliable way of finding bugs. Do compilers, like, warn you on using strcpy, without the, like, safer version of it?
Clang-tidy will warn you on the unsafe version of strcpy, yes.
There's actually, I think, I'm not sure if it's the default, but at least some compilers will change strcpy into the fortified version, I think it's called.
So it will turn into, it's called string copy underscore check instead.
And this will actually check, if it's possible to determine the size of the destination buffer, the compiler will actually, or at runtime, it will kind of check if this is the same.
But I was looking at some firmware for a router recently,
and they love parsing HTTP requests in C
using all of these wonderful string functions.
So you still see it today in use.
So, yeah.
But that's what I mean by these IDE plugins or commit hooks. These will take all of this stupid stuff, right?
And you have this really quick feedback loop, so you don't have to wait that long before you find these small things that you can avoid.
So I'm curious, what kind of development do you do right now? Marit, you said you don't do C, but I'm just curious what you're...
I just started doing F#.
Oh, interesting.
So my team is huge fans of F#.
But we've done some Python scripting.
We do a lot of different stuff.
But they are in love with F#.
So F#, managed language on the .NET runtime, right?
Functional.
Functional.
Do you have, uh, what kind of security concerns do you find when you're working on F# code? Or do you?
Oh, wow.
I never actually, it's been like, I've done it for a week now. So I have been working more with like code katas
and understanding the code
more than I've been focusing on the security part of it.
Okay.
Yeah.
Well, you'll have to come back and report back at some point.
Yeah.
Yeah, I am curious what other managed languages
still have to deal with.
Yeah.
So in both your bios, we mentioned that you're both involved with CTF teams.
Do we want to talk about that a little bit?
Can one of you tell us what CTFs are?
Yeah.
CTF stands for capture the flag. So the main goal of every challenge in the CTF is to find a flag. And every CTF has a wide range of categories that are usually security related. So it can be like cryptography, web applications, forensics, binary exploitation, which we've been talking about. There's so much.
And every category has a set of challenges which have different difficulties.
And if you solve a challenge, you find this flag.
And a flag is just a piece of string which has a static part and then a part that is dynamic depending on, or different for, every challenge.
And this flag represents information you're not supposed to see or access you're not supposed to have.
So if you find a flag, you kind of hacked the challenge or web application, whatever it is; you did it correctly. And then you put the flag into a platform and you get points. And so it's really rewarding in a sense, but also, we've experienced that it's not for those who don't really have much patience.
So that is probably why Christian is so much better than me in CTFs, because I don't have the patience. Sitting with a challenge for three days, it's really hard.
But you are both on the same team?
Yeah.
Okay. These take days to complete? Some of these challenges?
Yeah. Yeah. So the hardest ones are like super brutal.
I remember we were playing a CTF called DEF CON CTF, which is connected to the huge security conference that's hosted in Las Vegas over here.
Right.
And there, I think we spent on one challenge, we were just trying to figure out how it works for like two days straight or something. And then when we finally figured it out, the challenge was over and we didn't get to exploit it.
So it can be frustrating at times, but it's very rewarding once you solve something or you figure something out.
So these are specially crafted challenges, right?
These aren't like,
you're not like trying to hack Chrome
or something like that.
Is that correct?
Yeah, usually they're crafted.
But we do have, like, we see more, there's at least one CTF where the challenges are like real targets.
And I think we've seen... It's coming next week, isn't it?
Oh yeah, yeah. It's actually called Real, yeah, Real. And they actually, I'm not sure if it's true, but I heard that they make people burn like zero days or other bugs or exploits that they didn't have from before, and then someone might even use those themselves. So they take exploits and use them.
Yeah.
That's the rumor at least.
But it's kind of funny also, certain CTFs have, like, they've found real vulnerabilities that aren't maybe, you know, that critical, and then you have to find the same vulnerability during the CTF. Even though it's like, so it's a completely real product and there's a real vulnerability, the way the challenge is crafted makes it so that you'll have a higher chance of finding it as well.
Have you heard about Hack The Box? Is that common to know about, the Hack The Box?
I believe I have heard about that, but go ahead and explain.
Yeah, so Hack The Box is a platform where they have machines where you try to first get some user access and then get higher privilege and get root on the machine.
And then often we have this discussion between the Hack The Box people, which are usually pentesters, and the CTF people, which some of them aren't the same people, or some of us do both. But then there's this discussion of which one is best.
Like, is it best to do the pen testing, scanning the machine, finding all the open ports, and owning a machine? Or is it best to do these CTF challenges? And I find it very nice to explain what CTF is, to explain this little discussion, because in CTFs, we have more like tiny pieces of problems. Someone crafted a problem and you need to really, really understand the whole environment to be able to exploit this specific vulnerability.
While in Hack The Box, you do a lot of scanning, and it's a bigger environment, but you don't necessarily have to understand the environment that much, because you can often use exploits that others made once you find a vulnerability. So yeah, it's a bit of both worlds is nice, in my opinion.
It makes sense. Yeah. So is there prize money or anything like this in the capture the flag competitions?
Yeah, there is some. It depends on, like, the contest. Some of them have higher prize money than others. But yeah, most of the stuff that we've won is like vouchers for Hack The Box or, you know, swag. Or I think one of our team members just got like a PlayStation 5 in the mail or something like that.
Oh, very nice. Yeah, that's worth like two thousand dollars right on the black market right now.
Yeah, there are really hefty prizes as well, but the thing is that there usually isn't any limit, size limit, on the CTF teams.
So our team is relatively small.
We usually have at the most 7 to 10 players.
But the biggest teams who win a lot, they can have up to 200 players.
Oh, wow.
So if there is a huge prize, we basically have no chance, right? But we're doing really good though, in the world.
Yeah. Is there any overlap in the CTF world and in the community that, you know, with people who also participate in, like, the paid bug bounty kind of things? Like, you know, find a vulnerability in Chrome and earn X number of dollars or whatever kind of thing?
Yeah, there's definitely overlap there. I think especially in the, like, web application security space, I think I've seen a lot of CTF players who find a lot of really cool bugs in, yeah, in different applications. I think there was, like, on GitLab just recently there was one CTF player who found a very critical bug. So yeah, there's definitely overlap.
So the kind of thing someone could make a living doing if they were properly motivated?
Yeah.
I heard some of the biggest teams
having the most experienced, skilled players
in the CTF community,
they do get a lot.
Or yeah, they win so much a year
that they can live off it.
But I mean, it's not really... I would rather have a job paying me something every month than relying on finding something.
Yeah, there's plenty of people who'd rather not have a job.
Yeah, yeah, yeah. There's also this, like, market, I think we call it the gray market, where people find bugs. And I guess in this market it's more popular with, like, you find bugs in the Linux kernel, you find bugs in Chrome, Firefox, like Windows, the iPhone, or stuff like that, and people sell these.
Yeah, these are worth like, I don't know, hundreds of thousands of dollars. Sometimes, like, I think it was, like, one company was paying like two million dollars if you can hack a phone. But this has become, like, so super hard, so I'm not sure how many people actually do it anymore. I think it was more common before, like you could, you know, grep string copy and find a bug and, you know, get some cash. But these days it's a bit harder.
Yeah, well, there's definitely still a market for it. Like, you know, we started at the top of this, I asked you if, you know, North Korea trying to penetrate your network is, you know, just another day at the office. There are certainly, like, state actors and stuff that are willing to pay lots of money to discover these vulnerabilities, right? Not that I'm suggesting that our listeners should find vulnerabilities in the Linux kernel and sell them to North Korea, just for the record. I'm just saying there's clearly a market, money for these things out there.
Yeah, I'm not sure if you saw the NSO Group stuff that was just in the media, or I guess it's a little while ago. It's one of these, like, surveillance vendors that sell basically hacking tools for mobile phones, and it turned out that they were basically selling it to, you know, a bunch of sketchy places.
I'm sure.
So it was being used for human rights abuses, stuff like that. So it is like, it's a weird market, and yeah, there's a lot of controversy there as well.
every now and then i'll see reports from someone that's like, I discovered this critical vulnerability. I reported it to Apple.
They refused to acknowledge it.
So I followed the like 90 day rules or whatever.
And so now I'm releasing it to the public.
And then Apple's like, what?
But I mean, we were going to do something about that.
Like, well, you missed your window.
There's so much about those things as well.
We have this "scary story", or in Norwegian I would say... like, I'm not sure what that translates to, but whatever. It's this 13-year-old kid, he finds a vulnerability in his school system and his school doesn't take him seriously.
So after a while, after trying to make them listen, he writes an email or a message to the whole school pretending to be the principal, saying something like "our security sucks balls" or something like that. And then the police came to his door, took his computer. It's just crazy. So this kid, they just took his computer. Like, if he's doing this stuff he's probably in love with his computer, and they took it.
And I think, did they give him some sort of punishment or something?
Probably. Yeah, probably, I think so.
Yeah, I can't remember what it was, but it was kind of like they were taking it very seriously. Yeah. But in the end he ended up paying, or with someone else, used another really hefty tool to do some really bad shit. And then I would say that how the police did take this, or handled this, made him a criminal, kind of.
So it's scary how handling a report, a security report, is really important for...
Oh, what's the correct word?
Definitely makes sense to just, you know, do the bug bounty program, or these people who are finding things and letting you know about it, don't, you know, make them into criminals.
Well, I mean, we're kind of running low on time here, but there's a related story where a reporter in Missouri discovered that the state Missouri system,
if you were to right-click on a page where you search for teachers,
do view source,
it would show you personally identifying information.
They reported it to the state of Missouri,
and that reporter is now probably facing prosecution for hacking.
What?
Oh my God, really?
I've seen this on Twitter.
I've seen this.
It is an actual real thing that's happening, yes.
That's crazy.
I did not think it would go this far.
It's, well, it all comes down to, it would seem that the governor of the state or the mayor of the city or whoever it is, I think it's the governor of Missouri, has now somehow decided he's going to take it personally.
I like it because otherwise it doesn't make any sense at all.
It doesn't make any sense.
Anyone with a browser can do that.
Yeah.
Yeah.
So we are wrapping up, but I did want to ask, you know, if listeners want to get involved in, you know, learning more about exploitation, maybe getting into CTFs, do you have any, like, recommended place where they could go, you know, to get started in this type of community?
Yeah, definitely. Hack The Box is a nice place to start learning more. For CTFs, we do have this page called CTF...
Oh, CTF...
CTFtime.org, yeah.
In which there are CTFs
every week.
Even several every week.
But there are also
some places for beginners.
A platform called
Pico CTF is really nice.
And another one called CTF Learn.
Those are nice places.
Very cool.
And Over the Wire as well.
Yeah.
I also just noticed CodeQL,
because I still had that tab open from our conversation earlier,
has a CTF listed on their page at the moment as well.
Yeah, I actually did a couple of those.
And it's really nice if you want to learn CodeQL.
It's a good way to kind of force yourself into learning how it works.
All right.
Well, Marit and Christian, it was great having you on the show today.
Thank you so much for coming on.
Yeah, thanks for having us.
Thanks.
Thanks so much for listening in as we
chat about C++. We'd love to hear what you think of the podcast. Please let us know if we're
discussing the stuff you're interested in, or if you have a suggestion for a topic, we'd love to
hear about that too. You can email all your thoughts to feedback at cppcast.com. We'd also
appreciate if you can like CppCast on Facebook and follow CppCast on Twitter.
You can also follow me at Rob W. Irving and Jason at Lefticus on Twitter.
We'd also like to thank all our patrons who help support the show through Patreon.
If you'd like to support us on Patreon, you can do so at patreon.com slash cppcast.
And of course, you can find all that info and the show notes on the podcast website at cppcast.com.
Theme music for this episode is provided by podcastthemes.com.