Notices by kaniini (kaniini@mastodon.dereferenced.org), page 19

meanwhile... https://mastodon.dereferenced.org/media/KVfX3mnSBMLOo703RvI

@vahnj JUST SLIGHTLY UNDER 9000

i should note that i was fundamentally opposed to having the vtable in `mowgli.string`, but Pippijn was insistent that it was somehow convenient to have it.

almost everyone just uses mowgli_string_foo functions with it anyway.

hopefully these people remove the vtable when fixing the hole properly, because you get some really nice gadgets for crafting a ret2libc attack there :)

IRC is the land of mid 1990s exploitation vectors, because the entire mindset of the typical IRC developer is entirely wrong.

exploitation of CVE-2016-4478 is simple: generate an XMLRPC request that will generate exactly multiple of 64 bytes output,
excluding the nul terminator.

remember, this is a Pascal string used in the xmlrpc code because Trystan was smart and realized he should use Pascal strings when dealing with webshit.

later on some fuckwit "optimized" the code by dumping the raw string instead of converting properly, and probably didn't notice because the scratch buffer saved him.

(pascal strings are typically overallocated to ensure alignment and avoid spurious reallocs)

once you have such a response, you will also get back the contents of the vtable.

you can take it from there

so yeah, in case you didn't figure it out yet, if you are running atheme (any version), YOU ARE STILL VULNERABLE TO CVE-2016-4478

DO NOT LISTEN TO UPSTREAM, THEY DO NOT KNOW WHAT THE FUCK THEY ARE DOING

@Pyrite

Pascal strings are not nul-terminated, instead the length of the string is tracked.

So when converting to C strings, you do something like this:

*((char *) mempcpy(out, pascalstring.buf, pascalstring.len)) = 0;

This gives you a properly converted string.

ok ok ok if you do not secure your xmlrpc and you're one of the poor souls who shows up on shodan.io when i search for "atheme" i am really sorry but because of these toots somebody probably is going to own your shit and it's going to be hilarious. just ask EFnet.

BUT KANIINI, STRNCPY WILL STOP COPYING AT XMLRPC_BUFSIZE. YES, SO WILL MEMCMP.

NEITHER WILL TERMINATE THE BUFFER, AND BOTH WILL LEAK PRIVATE DATA FROM THE PASCAL STRING WHICH EXPOSES, AMONGST OTHER THINGS, A VTABLE.

FHIUEWHIUFR@FHIUFIUFHIUFWHIUFWHIUFWHIUFWHIUFWHIUDFWHIUDFRHIUDFWHIUFWHIUDFHIUDFWHIUFHIUFFW

I SHOULD HAVE LISTENED TO DIANORA WHEN I WAS YOUNG AND RAN THE FUCK AWAY FROM THIS SHIT

i gotta give them bonus points for swapping a memcpy with strncpy which was entirely pointless because both will happily crash you if there is no scratch buffer remaining.

AND THEN THEY JUST PUT A NUL IN THE PASCAL STRING

fuck it, y'all are on your own with this one.

ARGH WHAT THE FUCKING FUCK

the incompetence is really triggering me over here

since the "new atheme" idiots are busy playing serious business security embargo games, I figured out the vulnerability for the rest of us.

they completely fucked up their mitigation of CVE-2016-4478, making it entirely pointless because THEY DID NOT UNDERSTAND PASCAL STRINGS ARE NOT THE SAME AS C STRINGS (good job guys, maximum security here)

full analysis here:
https://github.com/atheme/atheme/commit/87580d767868360d2fed503980129504da84b63e#r27301897

IF YOU ARE RUNNING ATHEME CLOSE THE XMLRPC EXPOSURE BECAUSE THESE GUYS ARE TRUE MORONS THAT IS ALL

or consider rm'ing your ircd, that also works well.

enough talking about architectures that suck, lets talk about ARM

@tek is it the one with the italian restaurant?

http://www.hiphopmeasure.com/embed/207513/

@tek sure but sometimes it's suspicious when a kitchen is spotless. real kitchens are slightly messy (but obviously under control)

@tek tbh there were episodes where things were too clean and he called them out on it

@newnix

actually it is, `docs` is a virtual which tells the package manager you want all docs for all packages installed. you will soon also be able to do that with the -dev packages.

@newnix

if you use Alpine instead of Void, you can get manpages automatically installed by doing `apk add docs`

why does ARM have to remind me that ESR exists?

https://mastodon.dereferenced.org/media/S8cWM369HWtyiO5Vlog