Matthieu Keller's Posts

Breaking some homemade crypto

I recently did a code review assessment on an application for one of my client. The best part of the application was their own cryptography algorithm.

Moreover, the application was written in PHP and PHP do some strange things with string, characters and XOR operations. It only needed a few lines of python in order to break it.

TL;DR : please do not write your own crypto!

Let's encrypt certificate for offline servers with OVH DNS

Let's encrypt provide free and easy SSL certificates. Nevertheless it need to verify that you own the machine. In order to do that we usually use HTTP verification with the .well-known directory.

But sometime our servers are not reachable from the internet. Therefore the HTTP validation is not possible. Hopefully there is another way the acme challenge can be validated: DNS validation.

In this post we will see how we can generate Let's encrypt SSL certificate for offline machine with DNS validation for domains hosts by OVH.

CVE 2016-5195 dirtycow

Ðirtycow logo

Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel. "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system." (Source: Red Hat)

CVE 2016-6210 OpenSSHD user enumeration

The 13th if July a new wild CVE appeared (Yes, Pokemon Go is still a buzz for the moment).

The CVE 2016-6210 allow a user enumeration on an SSH server by comparing request time between non existing user and allowed ones. This vulnerability target OpenSSHD with a version of 7.2p2 or inferior.

That means with a good dictionary you may know which user are present on the server with an SSH access.

This post just demonstrate how to exploit this vulnerability with a simple example.