The blog of a gypsy engineer

Software security, electronics, DIY and traveling.

New bug bounty programs on HackerOne for open source libraries

There are a couple of new bug bounty programs on HackerOne for popular open source libraries:

  • libcap
  • ImageMagick
  • libpng
  • GraphicsMagick
  • curl
  • tcpdump

They started just last week (Sep 22nd, 2017). You can find the rules, scope and other details on HackerOne.

Those are well-known tools and libraries, and they have already received quite a lot of attention from the security community. So it looks like discovering new issues there is going to be challenging. Looking for a challenge? This may be a good one for sure. By the way, the minimum bounty is $500. Not too much, but you are also going to get some credit for making the world better.

The libraries are mostly written in C/C++, so you may want to start with fuzzing. Although, if you search for fuzzing results for the libraries above, you are going to find that security researchers have already put some effort into it. On the other hand, it never hurts to try even harder. Someone can also contribute to Google’s OSS-Fuzz project and add support for fuzzing those libraries. OSS-Fuzz already has libpng and curl, but it seems there may be some room for libcap, ImageMagick, GraphicsMagick and tcpdump.

Good luck!

LDAP injections

Everybody knows about SQL injections. It’s like a celebrity in the world of software security. But there are many other types of injection attacks which may feel jealous of the popularity of SQL injections. That’s not fair. Let’s try to fill the gap, and talk about LDAP injections.

Read More

Global buffer overflows

There are a lot of articles, posts, and even books which describe stack buffer overflows. There is a little less material about heap buffer overflows. But there is one more thing which you can overflow – buffers in global memory. Although all of those types of issues are very similar, let me try to fill this little gap with global buffer overflows.

Read More

MessagePack fuzzing

MessagePack is a binary serialization format. There are lots of open source implementations of this protocol in various languages, including C/C++. It’s good to do something good in the new year. For example, it can be a little contribution to an open source project. Let’s quickly check whether the C/C++ implementation has any memory corruption issues. One of the best ways is, of course, fuzzing.

Read More

Fuzzing GUI applications: AbiWord

Usually there is no problem if you want to fuzz a headless application. A headless application can be run just in a terminal, and doesn’t have any GUI. You can pick your favorite fuzzer, and feed fuzzed data to the application. Normally, a headless application just processes data, and then quits or crashes right away. But it may be different if you are trying to fuzz an application with a GUI. Let’s try to fuzz the open source text editor AbiWord.

Read More

Accessing private fields with synthetic methods in Java

In Java, you can define one class B inside another class A. Class B is called an inner class, and class A is called an outer class. It looks like the following:

public class A {
    private int secret;

    public class B {

        // Inner class method; whether the compiler emits a synthetic
        // accessor for "secret" depends on what this method does
        public void go() {
            // do something
        }
    }
}

Class A has a private field “secret”. This private field can be accessed by both classes A and B. But in some cases, this private field can also be accessed by other classes in the same package even if neither A nor B provides any accessors. It actually depends on what we have in the go() method.

Read More

DNS tunneling with Java

DNS tunneling may help you bypass a firewall if DNS requests are allowed. Or, it can just get you free Wi-Fi. There are a number of standalone tools which let you set up a TCP-over-DNS tunnel. Here is a simple implementation of DNS tunneling in pure Java. It’s not ready for use in the real world, but it shows how DNS tunneling can be implemented. The implementation works with a standard JRE, and doesn’t require any additional library.

(Russian version: Java and the light at the end of the DNS tunnel)

Read More