libssh code audit ================= Focus ----- * Check the state machine and all transitions * Note: The state machine is the same for the client and the server * We had a CVE in this area last year: https://www.libssh.org/security/advisories/CVE-2018-10933.txt * Check input sanitization (both from function parameters and configuration files) * config file parsing (`src/config.c`) * ssh key parsing (`src/pki_container*.c`) * known_hosts file parsing (`src/knownhosts.c`) Security process ---------------- https://www.libssh.org/development/security-process/ Examples -------- Server: `examples/ssh_server_fork.c` Client: `examples/ssh_client.c` Fuzzing ------- See `tests/fuzz` https://github.com/google/oss-fuzz/tree/master/projects/libssh Currently only the first state of the state machine after connect is fuzzed. We miss inputs (starting points) for oss-fuzz. For this libssh would need to be extened that in src/socket.c the packets are also written to a file (client and server). https://gitlab.com/libssh/libssh-mirror/merge_requests/59 We need a client and server similar to the fuzzer so we can create traces. Example: https://gitlab.com/gnutls/gnutls/blob/master/fuzz/README-adding-traces.md Those traces should be feeded into American Fuzzy Loop so it creates variation of those inputs (needs to run for 2 days). Communication ------------- IRC: #libssh-pentest @ Freenode People to talk to: * Andreas Schneider * IRC: gladiac * Matrix: @asn:matrix.org * Jakub Jelen * IRC: jjelen * Anderson Sasaki * IRC: ansasaki * Aris Adamantiadis * IRC: ar1s Schedule -------- Possibly CW39 & CW40 State machine: -------------- The state machine is not implemented in a single file, but it is scattered in the code, which makes it hard to find the exact global state. It is basically a composition of various state machines. The global state is composed by the session state (``session->session_state``) and the states of the other contexts (``session->socket_state``, ``session->dh_handshake_state``, ``session->auth.state``, ``session->global_req_state``, ``channel->state``, etc.). When a state machine is started, the callbacks and an initial state are set. These callbacks usually change the ``session->pending_call_state`` to the current operation being performed, which is expected to be called again in non-blocking sessions. Then a message is sent to the server and a reaction from the server is expected. The packets from the server are captured by the socket polling, which calls the appropriate callbacks for each message type (see ``packet.c``). These callbacks change the global state by changing the session state or the state of one of the other contexts. The incoming packets are filtered (in ``ssh_packet_incoming_filter()`` in ``packet.c``) by the expected global state before being processed (by ``ssh_packet_process()``). Although not complete, it is possible to see the majority of the expected transitions made by the callbacks, documented in comments. In the beginning of the ``packet.c`` file, it is possible to see the default callbacks called for each message type. If the session is non-blocking, it is expected the API to be called many times, while the return is ``SSH_AGAIN``. If the session is blocking, the call will block in a loop. For example to connect to a host as a client: * Call ``ssh_connect()``, which sets the callback as ``ssh_client_connection_callback``, the session state to ``SSH_SESSION_STATE_CONNECTING``, and pending_call_state to ``PENDING_CALL_CONNECT`` * This will call ``ssh_handle_packets()``, which will poll the socket and call the appropriate callbacks for each packet arriving * The session state changes to ``SSH_SESSION_STATE_SOCKET_CONNECTED`` when the socket connection is stablished * The client sends the banner. Then it expects the server to send its banner * The server sends its banner. The polling gets the packet and calls ``callback_receive_banner()`` setting the state to ``SSH_SESSION_BANNER_RECEIVED`` * The client sends the initial key exchange info and sets the session state as ``SSH_SESSION_STATE_INITIAL_KEX`` * The polling gets the server packet with its initial key exchange info; the client changes the state to ``SSH_SESSION_STATE_KEXINIT_RECEIVED`` * The client selects the key exchange methods, sets the session state as ``SSH_SESSION_STATE_DH``, and starts the key exchange (a.k.a DH) state machine by calling ``dh_handshake()`` * The session state does not change until the state machine handling the key exchange is finished, which is informed by the ``session->dh_handshake_state`` * When the key exchange is finished, the state is changed to ``SSH_SESSION_AUTHENTICATING``. * Again, this doesn't change until the state machine handling the authentication finishes, setting the ``session->session_state`` to ``SSH_SESSION_AUTHENTICATED`` or ``SSH_SESSION_STATE_ERROR`` Now the key exchange is finished and the user can use one of the authentication methods to authenticate. ###### tags: `libssh`
Last changed by  
Andreas Schneider
371

Read more

Samba Debugging

Maybe one of the most important tools we have. The testparm utility checks if the the smb.conf is valid. Run

7/18/2023
Hack together

Run Samba Selftest rlRun "chown -R $USER:$USER $TmpDir" 0 "change owner of $TmpDir to $USER" # Unpacks RPM in $HOME/rpmbuild/SOURCES and unpacks tarball to $HOME/rpmbuild/BUILD rlRun "rpmbuild -rp samba-4.16.2-101.el9.src.rpm" 0 "Unpack RPM and apply patches" rlRun "$SU_CMD CFLAGS='-O1 -g -ggdb -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -fasynchronous-unwind-tables -fstack-clash-protection' ./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-fhs --with-piddir=/run --with-sockets-dir=/run/samba --with-modulesdir=/usr/lib64/samba --with-pammodulesdir=/usr/lib64/security --with-lockdir=/var/lib/samba/lock --with-statedir=/var/lib/samba --with-cachedir=/var/lib/samba --disable-rpath-install --with-shared-modules=idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2,pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4,auth_wbc,auth_unix,auth_server,auth_samba4,vfs_dfs_samba4 '--bundled-libraries=!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb,!pyldb-util' --with-pam --with-pie --with-relro --without-fam --with-system-mitkrb5 --with-experimental-mit-ad-dc --disable-glusterfs --with-cluster-support --with-profiling-data --with-systemd --with-quotas --enable-selftest" rlRun "$SU_CMD make -j4" && rlRun "touch /root/make_successful"

6/27/2022
Day of Learning: neovim 0.5.0

by Andreas Schneider Introduction Finally neovim 0.5.0 has been released. This release represents ~4000 commits since v0.4.4, the previous non-maintenance release. Highlights include builtin support for Lanugage Server Protocol (LSP), new APIs for extended marks (with byte resolution tracking of changes) and buffer decorations, as well as vast improvements to lua as a plugin and configuration language. Experimental support for tree-sitter as a syntax engine is also included, building on the new core APIs for byte tracking and decorations. https://github.com/neovim/neovim/commit/a5ac2f45ff84a688a09479f357a9909d5b914294 Till now your config was going to init.nvim. As Vimscript is an interpredted language and slow, neovim supports lua for config files now (init.lua). This makes a lot of stuff faster. However vimscript support will not go away.

7/29/2021
Samba TODO

TEST: Add echo locDCpass1 | bin/rpcclient ncacn_np:$SERVER -UAdministrator -c getusername echo locDCpass1 | USER=administrator bin/rpcclient ncacn_np:$SERVER -c getusername -> https://gitlab.com/samba-team/samba/-/merge_requests/1271 Migrate s3 client code to cli_credentials

11/12/2020
Read more from Andreas Schneider
Published on HackMD