SLIDE 1
A Bug’s Life
Story of a Solaris 0day 2001-2019
Marco Ivaldi <raptor@0xdeadbeef.info> #INFILTRATE19, Miami Beach
A Bugs Life Story of a Solaris 0day 2001-2019 Marco Ivaldi - - PowerPoint PPT Presentation
A Bugs Life Story of a Solaris 0day 2001-2019 Marco Ivaldi - - PowerPoint PPT Presentation
A Bugs Life Story of a Solaris 0day 2001-2019 Marco Ivaldi <raptor@0xdeadbeef.info> #INFILTRATE19, Miami Beach A Bit of Background Source: https://www.computerhistory.org/timeline/1995/ How to Write Buffer Overflows (1995):
SLIDE 2
SLIDE 3
A Bit of Background
Source: https://www.computerhistory.org/timeline/1995/
SLIDE 4
How to Write Buffer Overflows (1995): https://insecure.org/stf/mudge_buffer_overflow_tutorial.html Smashing the Stack for Fun and Profit (1996): http://phrack.org/issues/49/14.html
SLIDE 5
Source: https://www.exploit-db.com/?author=315&platform=solaris
SLIDE 6
Source: https://seclists.org/bugtraq/2004/Dec/401
SLIDE 7
Source: https://web.archive.org/web/20030323044416/http://www.0dd.com:80/
SLIDE 8
Once Upon a Time in 2004
Source: https://www.computerhistory.org/timeline/2004/
SLIDE 9
Source: https://en.wikipedia.org/wiki/SPARC#/media/File:Sun_UltraSPARCII.jpg
SLIDE 10
Source: 0dd private mailing list (February 2004)
SLIDE 11
SLIDE 12
Source: 0dd private mailing list (February 2004)
SLIDE 13
Source: @stake 0day pack (November 2004)
SLIDE 14
Source: https://sourceforge.net/p/cdesktopenv/wiki/Home/
SLIDE 15
Source: @stake 0day pack (November 2004)
SLIDE 16
Source: email exchange with Dave (November 2004)
SLIDE 17
Unexpected News in 2005
Source: https://www.computerhistory.org/timeline/2005/
SLIDE 18
Source: email exchange with Dave (October 2005)
SLIDE 19
Fast Forward to 2017
SLIDE 20
SLIDE 21
Source: https://xkcd.com/1513/
SLIDE 22
SLIDE 23
Source: https://www.famousbirthdays.com/year/2001.html
SLIDE 24
The Bug
Source: Mr. Bug from the Happy! TV Series (SyFy)
SLIDE 25
Source: dtprintinfo28.tar in @stake 0day pack
dtprintex.c lpstat.c
SLIDE 26
Source: truss -fae /usr/dt/bin/dtprintinfo
SLIDE 27
Source: man lpstat
SLIDE 28
SLIDE 29
Source: truss -u '*' -u '!libc' -fae ./raptor_dtprintname_poc
SLIDE 30
Source: truss -u a.out -u 'libDtSvc : :' -u 'libc : *printf,*scanf,strdup' -fae ./raptor_dtprintname_poc
SLIDE 31
Source: IDA disassembly of dtprintinfo
SLIDE 32
Source: programs/dtprintinfo/UI/DtPrinterIcon.C in cde-src-2.3.0.tar.gz
SLIDE 33
Source: email exchange with Dave (January 2019)
SLIDE 34
The Exploit
Source: https://0xdeadbeef.info/stuff/ralphy.jpg
SLIDE 35
Source: raptor_dtprintname_intel.c
SLIDE 36
Source: pmap -x 1020
SLIDE 37
Source: raptor_dtprintname_intel.c
SLIDE 38
Source: raptor_dtprintname_intel.c
SLIDE 39
Source: raptor_dtprintname_intel.c
SLIDE 40
Source: raptor_dtprintname_intel.c
SLIDE 41
Source: raptor_dtprintname_intel.c
SLIDE 42
Source: https://twitter.com/0xdea/status/579210295496871936
SLIDE 43
The Sky is not Falling
SLIDE 44
Source: #INFILTRATE2019 swag
SLIDE 45
Source: https://www.oracle.com/corporate/security-practices/assurance/vulnerability/reporting.html
SLIDE 46
Final Remarks
No fancy name or logo were assigned to this vulnerability. We’ll make do with a CVE number, I guess. No “cybers” were harmed in the making of this presentation.
Source: https://paulbellamy.com/vulnerability-name-generator/
SLIDE 47
SLIDE 48
Question Time
https://0xdeadbeef.info https://github.com/0xdea https://twitter.com/0xdea raptor@0xdeadbeef.info
Source: Mr. Bug from the Happy! TV Series (SyFy)