
I wanted to do a social experiment at the beginning and check what would happen if the stream was delayed. But nothing is going to happen today. It's hard. My name is Mateusz Kocielski and I was supposed to talk about PHP today, but a friend suggested that if I talked about PHP right after dinner, the food would come back up. So I decided to dig some holes out of my drawer in DragonFly BSD and show you how to get root on DragonFly BSD from DragonFly BSD bugs. I assume none of you have ever seen DragonFly BSD. Has anyone ever installed this system? Four people, that's not bad. A bit about myself: I work at the company LogicalTrust. Today, as an act of anarchy, I decided to speak without slides, in the presence of Adam, who always tells his stories with pictures and never forgets anything. But he didn't give me one important piece of information: that all the notes are shown on his laptop. So this is a novelty for me. We'll see what happens.

Some time ago we decided to get root on every operating system from A to Z. We take the letters in random order, look at how the system is built and try to take over administrator rights from a normal user. Some time ago we did this for NetBSD, which I'll tell you about at the end if we have enough time. And since the letter N was done, we decided to move on to the letter D, but we forgot something important. I hope the law on raising children from the blind won't offend anyone. We'll see. I just wanted to make sure there was no problem with the Mac, that it wasn't hot. Okay, we'll check. And I'd like to ask for that drink in the green bottle. In the meantime I'll mention that I have five more T-shirts to hand out, but all of them are size L and larger. So when answering questions, take your size into account. If you're smaller than L, you can probably make a sleeping bag or a tent out of it. You'd still have a blanket, possibly. Right, right, thank you. Since Adam is also a trombone player and didn't mention that he has stickers, I'll give them away. I have stickers with different designs. Of course, I also have discount coupons for the trainings we run, and we cordially invite you to them. Okay. To the organizers' health. Applause, please.

We started with N, not by accident, because in my free time, as you can see on my computer, I like the NetBSD project. I know there are representatives of OpenBSD and FreeBSD in the room, but don't talk to them. And so as not to prolong the introduction, let's move on to DragonFly. The story is that I was on holiday and had problems sleeping. If anyone has problems sleeping, they can read the code "BSDPSHED" and fall asleep immediately. And in those three minutes between starting the tablet and falling asleep, I noticed a bug. This bug is the first winning T-shirt. Does anyone know what this system call is connected with? Who said it? Remember, after the presentation I'll give you a tent. Without a frame. Yes, it's a system call connected with semaphores. And BSD has a way of passing on what it receives in seconds. I'll just pull out a pointer that got tangled up somewhere. Do you have it? The first one. Where does this come from, a question for 100 points? From U? Exactly, from the user. And then this data is passed locally, and we pay attention to the magic one here. Wait, I'll also increase the number of rows to check that the last row is satisfied. Great. So here is an argument called "argument", and it's passed to a variable called "argument". And now look what happens. Here the code goes on and on, and here is a call to the function bcopy. Does anyone know the function bcopy? Two people in the room know it, so I'll mention that it copies memory from here to here, and this many bytes. So the next question is for a T-shirt and an additional prize in the form of a plastic bag: can anyone tell us where the error is? But is there a zero here? Can it be zero or not? Let's see. You know what? It's the structure, as far as I remember, or actually... I'll come back to something else. The argument comes from the user. We've already given away the plastic bag and the other shirt. Since the argument comes from the user, a clever and malicious user can copy anything from the memory that is here to any address in memory, in particular in the kernel. What I wanted to tell you about is the journey from this line to getting administrator rights. So let's see how to trigger this bug. I'll start the console. This is what DragonFly BSD looks like on terminal 8/13. I'll show you the result of the test, if it's not DragonFly BSD.

This project has an interesting history. It was created because someone had a fight with FreeBSD, and a man named Dillon said he wouldn't put up with FreeBSD developers any longer. He decided to start his own project; he had his own ideas and goals. Here is the name DragonFly BSD; he created a domain and moved to another repository. The initial reaction of the FreeBSD community was that he was joking. It turned out that after 13 years he wasn't joking and the system is still being released. It even has a strange mascot; as you can guess, it's a wasp. If someone guesses its name, they'll get a special reward. No, it's Fred. Such an odd curiosity. And this Mr. Dillon has done a lot over the past 13 years, but he's a bit of a crazy genius, because nobody uses this system. My first contact with it came about because last year I had the opportunity to be at a BSD conference in Stockholm with one of the people in this room. And I got the room wrong. A man came in who couldn't get his laptop connected to the machine. I was sitting in a long row, locked into a tight corner. For an hour I had to listen about this operating system, so I decided to take revenge.

So how do we trigger this bug? I didn't expect it to be like this, but let's do it. Is the last row happy with the size? Great. The easiest way is to pass the kernel an address that most likely isn't mapped. And here's another question for you: if you compile it like a real man, using GCC and not Clang, what will happen? Louder, you have to... OK, let's start it and see. What happened? Not much. But when the administrator walks up to the server, he'll be hit, because the kernel has panicked on the access to the dead-dead memory. So the administrator already suspects that something is wrong. What you see here, or what the last row only sees from here, I'll press... oh, damn. I was going to press enter a bit but I can't. This is the debugger available by default in BSD kernels. OpenBSD has it, Net, Free, etc. Linux doesn't have it, because it doesn't exist. So... I mean... Excuse me? That's a very good reason. It's a very limited debugger, and because BSD often panics, on the mailing lists there's a way: enter a trace, take a picture of the monitor and send it to the list to show what broke. Okay, I'll restart this system and in the meantime carry on. So we can copy something to any memory address, but the question is what we are copying. Because using this bug is a big question mark at the moment, since we don't know whether we're able to control anything we copy.

I assume I haven't lost anyone so far. Now it's checking the file system. I hope it will say... OK, we've started. Great. Let's log in to our magical machine again, because I think... OK. There was a moment of danger, but everything is fine. So now we can annoy the administrator and kick his machine out at midnight or any other hour. And now let's check whether we can control anything. For this purpose we'll run this code. Again, a question for a T-shirt: what will this instruction do? Break. Who said it? Okay. You can make a jacket out of it. You can beg with it at the Central Station. It'll be a great advertisement for our trainings. Many people will see it, so... Maybe it's not stupid, it would be the first such campaign in Poland. So it's not a bad idea. So what's happening here is that we're calling this bad system call, but this time we're giving it a good address. So the kernel will copy into userland whatever this address points at. To do this we need to do some magic. We need to get a breakpoint. We'll add some more magic here. If I start the code like this, the operating system will tell me I'm weak because I didn't hit the breakpoint. So I'll open it in GDB. And indeed, the breakpoint is hit. Now let's see what's in the buffer we copied into. And again a question for the attentive listeners: which part of this memory do we control? Who knows the old-school groups that wrote viruses? Nobody? Damn. And who, as a hobby, converts decimal numbers to hex? There's one person, so here is a characteristic number, exactly, there's 666 in this place, which everyone can probably see. And for such observance the T-shirt is probably 2XL. That's already a car seat cover. You know what? After the presentation. Because the stream has a delay ahead. Whatever that means. To avoid boring you: we control 4 bytes. This is exactly the argument we're using here. And now we have a question. If we control 4 bytes... I'll start it again... to show what's before and after the buffer. If we control these four bytes and, fortunately, what's before and after is zeros, we can try to write something into memory, for example a pointer into userland or something like that. But here's a trap: as we can see in this defective code, we don't control the number of bytes copied. In summary, we have to find a memory fragment where the write changes something important in that fragment, and where what lands before and after won't make the kernel panic. And now a question for the hardcore players. In such a situation, where everyone would spread their arms, but not us, what should we write and why? The user ID could be tried; we already tried to put zero in the user ID, but if you look at the process structure in DragonFly BSD, before and after we'd overwrite important data and the kernel would just rebel. The return address could also be used, but... This is also a bit of an anecdote: since DragonFly BSD forked from FreeBSD they removed some of the security that was in the kernel by default, but they left the randomized TOS address, so we'd first need a bug that leaks this address to us. But with the address it's already a good concept. Other ideas? I'll tell you that this can be a function pointer, and when it's a function pointer and we write our address here, the kernel will call this function through the pointer and run the address controlled by us. And if we don't overwrite anything important before or after, we're home. So we decided what to write here. We chose the most stupid option possible. Or one of the most stupid, because when we later showed it to a person, she thought: "Why didn't you write to the syscall table?" Somewhere in the high numbers. And she was right, but because we're hardcore, we'll go the hardcore way. And we thought we'd overwrite a structure that stores functions for devices. I wonder if anyone has ever changed directory to /dev and checked what's there. At least one person, by accident. I assume everyone has done it, but I'll show you to be sure. When you look into /dev nothing bad will happen. Here are the most common devices. We came up with the idea of finding a device that a regular user can open. For example, urandom. We'll replace the "open" function of urandom so that instead of opening the file something useful happens. And I chose this device called kpmap. It's a somewhat obscure device. It exports part of the kernel's information to userland, so that you don't have to jump into kernel space with syscalls, because that costs.

The map is defined in this structure. As I mentioned, nothing is randomized except the nodes in the kernel, so we can define the address of the node as always. It's there, it's exactly the same. And so we construct this request so that we write into this memory... sorry, not this one, so that we write this function "open". And now I'll demonstrate the ready code. Where is it? Not this one, sorry. I can't see the last rows, so I'll take their word for it. The address we're giving here, the shellcode, is in 4 bytes, because the first 4 are zeros. And when we call it, we'll write this address, and then we'll run open, so we should jump in here. And a question for the smart listener: what will happen? Not a "fork bomb", but close. A "fork bomb" in the sense that this code will execute in a loop, and it'll execute in the kernel or in user space. Exactly. And now the question for the last shirt. What kind of protection would have prevented this code from running? I checked, it's okay. It overheats, so be a little careful, because the projector can't handle it any more. Does anyone know such a protection? No. S. S, four letters. SMAP? SMAP is also a good one. But this particular case could have been stopped by SMEP, which prevents user-space code from being executed by the kernel. So let's run this code and see what happens. gcc -o shellcode. OK, this code is written a bit messily, so some warnings pop up. But we don't care, and we run this code. And as forecast, not much happened. It doesn't react to enter. Oh, I didn't turn off the code. OK, so we'll run the demo again. I'll tell you backstage why it didn't work. It'll be turned on for a moment and we'll check whether the disk didn't break. This demo didn't work because semaphore 666 had already been created in the system. So it didn't work. This time it didn't check the disk. I'm typing the secret password again.

In the meantime, who wants a sticker with Z3E? OK, a few people at the back, so please pass it to the back, and by the way please give it a try if you want. OK, I'll enter the secret password. OK, once again we enter our secret directory. I have it.

Listen, this is a sticker with a pattern like this or like this. This is the only one, so I'll give it to you so that it spins randomly. And these... no, no, no, I won't throw them, we can hand them to you. I'll leave some for people who dare to ask questions. It can be a question from the top. We'll start the whole shellcode. We didn't expect this, we didn't fight for such a Poland. We'll start it again. This time what we expected happened. Everything just... When we press enter or type the magic combination of D and UPA, nothing shows up. So the only thing left is to reset the machine. But we're already home, because we managed to run our code. So at this point what remains is what you suggested: change the user ID and land back safely. So let's think about how to land back safely. Because what we did was the function that we set as "open". So we can put anything there; make it so that open fails and everything should be fine. But we should also repair all the damage we did before and after the function "open". So here is another piece of code. Here we define a variable and check whether the kernel has actually invoked this function. And what we do in this function is repair the structure that we just overwrote. Again, these functions have fixed addresses because there's no ASLR, KASLR or other such devices. The code looks like this: we don't change the variable "executed" anywhere and we check whether it differs before and after. Let's run this code. We've compiled it, let's run it. I can't see the last rows, so I'll pull it up. Something changed before and after. We not only ran our code in kernel space, but we also changed the variable "executed", so we're almost home. What we're missing is that I'm one user and not another, and I'd like to be a user... Now, to see how to get root more easily, it's easiest to have a handle to the place that stores information about the process. This function "open" receives the standard structure, so let's see what's inside. This structure is defined here. We'll look at it in a moment. Here's a reference to another structure, which Ktorski told me in an elevator has useful information. I'd like to see its definition. It's defined here, and it has information about the UID, GID, etc. So when we get the argument passed to the function "open", we're able to get to this structure and replace all the UIDs, GIDs, etc. and finally become root. This is the culmination of our whole adventure. This is exactly what this function does. It switches all the values to zero, which corresponds to the administrator's account. Let's compile this code. It may not work again, because we need to remove this semaphore first.

OK, we've compiled this code and now let's see a little magic. I'll zoom in a bit. Let's see if we can see the file with the passwords on a BSD system. In contrast to Linux, where does BSD store the passwords? Who said that? Oh, damn. I have a special sticker. This is an exceptional collector's item with a printing error. In 15 years it'll sell for millions. So if we want to display master.passwd here, it tells us "Sorry dear user, but you can't". But when we run our code, it'll suddenly turn out that we have administrator rights. If we're stubborn, we'll take a peek at master.passwd. And that would be the end of our story. We really did get administrator rights to turn off DragonFly BSD. Which happened anyway. Any questions? Not necessarily about the presentation itself, but I have at least three stickers.

What's the next letter? Actually, we didn't take NetBSD at the beginning, but Plan 9. But Plan 9 is like this: before we figured out how to use it, two weeks had passed. We got discouraged and switched to other systems. And the system for F is FreeBSD. We've been looking, but so far we haven't found anything. We're still looking. The question is whether only by reading the code. No. The answer is no. We use various techniques. Here it just so happened that I opened this file with the fate control, and in those three minutes while I was looking at it, I accidentally hit it. DragonFly BSD fixed this code within a few hours, which is extraordinary in the BSD world. And they fixed it quite well. It's one day, because it was fixed yesterday. I've lost the thread of the question, but going back to the main question, we're also in the phase... and NetBSD was partly found through static code analysis. Someone else had a question at the end.

The question is: did the author of DragonFly think about the policy of removing protections? Well, that's a question for the author and the 15 people who use this system. At the moment there are 14, because one got offended in the meantime. Yes, I went to sleep, because the question was whether I went to sleep after finding this bug, or how I found it. So many times I've already found that I have a bug, and after 5 hours at night it turned out I was looking at something wrong. This time I went to sleep, but from the bug to exploiting it, ten hours passed, not counting the sleep. So it was quite quick. Two more stickers. Fifteen stickers? Okay, if anyone has a question in the chat, I'll gladly share a sticker or a discount coupon. Thank you very much for your attention.
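The chain the talk walks through (a kernel handler that bcopy()s a reply to a user-supplied destination, the destination aimed at a device's open function pointer so that the zeros copied around the controlled value land on fields that tolerate zeros, the payload repairing the pointer and zeroing the caller's credentials) as an added example that is neither the speaker's code nor DragonFly BSD's. Everything below is a toy model: the "kernel" is static data in the process, `fake_devsw`, `fake_ucred`, `sem_request`, `sem_reply`, `copyout_sim` and the handler names are hypothetical, and the controlled field is widened to a full pointer so the model runs on a 64-bit host (on the talk's target only 4 bytes were controllable, with the upper half already zero). The fixed handler shows the check the original code lacked: the reply goes out only through a copyout that refuses destinations outside user space.

```c
/* Toy model of the bug class described in the talk. Nothing here is DragonFly BSD
 * code; all structures and names are made up for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*dev_open_fn)(void);

/* Stand-in for the device switch table whose open pointer gets overwritten. */
struct fake_devsw {
    uint64_t    d_flags;     /* already zero, so a stray zero landing here is harmless */
    dev_open_fn d_open;      /* the target */
    uint64_t    d_reserved;  /* also zero */
};

/* Stand-in for the credential record hanging off the calling process. */
struct fake_ucred { uint32_t cr_uid, cr_ruid, cr_gid, cr_rgid; };
struct fake_proc  { struct fake_ucred *p_ucred; };

/* The user-supplied argument: one attacker-chosen value plus a destination. */
struct sem_request {
    uint64_t value;
    void    *dest;
};

/* What the handler copies back. Only `value` is attacker controlled; the
 * neighbours are zero, and the attacker does not choose the copy length,
 * so the target must tolerate zeros before and after the written value. */
struct sem_reply {
    uint64_t before;
    uint64_t value;
    uint64_t after;
};

/* Pretend user space: the only memory a correct copyout may touch. */
static unsigned char user_space[256];

/* Hypothetical copyout: refuses anything not entirely inside user space. */
static int copyout_sim(const void *src, void *dest, size_t len)
{
    uintptr_t lo = (uintptr_t)user_space, hi = lo + sizeof user_space;
    uintptr_t d = (uintptr_t)dest;
    if (d < lo || d >= hi || len > hi - d)
        return EFAULT;
    memcpy(dest, src, len);
    return 0;
}

/* Vulnerable shape: the destination taken from the request is trusted. */
static int vulnerable_handler(const struct sem_request *req)
{
    struct sem_reply r = { 0, req->value, 0 };
    memcpy(req->dest, &r, sizeof r);   /* bcopy() in the talk: no address check */
    return 0;
}

/* Fixed shape: same reply, but written only through the checked copyout. */
static int fixed_handler(const struct sem_request *req)
{
    struct sem_reply r = { 0, req->value, 0 };
    return copyout_sim(&r, req->dest, sizeof r);
}

/* Fake kernel state, reset by run_exploit() so every run starts clean. */
static struct fake_devsw kpmap_devsw;
static struct fake_ucred curcred;
static struct fake_proc  curproc = { &curcred };

static int benign_open(void) { return 1; }   /* what open normally does */

/* Plays the role of the shellcode: put the original pointer back, zero the
 * caller's credentials, and make open() fail so nothing else runs. */
static int payload_open(void)
{
    kpmap_devsw.d_open = benign_open;
    struct fake_ucred *cr = curproc.p_ucred;
    cr->cr_uid = cr->cr_ruid = cr->cr_gid = cr->cr_rgid = 0;
    return -1;
}

/* Runs the whole chain against `handler`; returns the caller's uid afterwards. */
int run_exploit(int (*handler)(const struct sem_request *))
{
    kpmap_devsw = (struct fake_devsw){ 0, benign_open, 0 };
    curcred = (struct fake_ucred){ 1000, 1000, 1000, 1000 };

    struct sem_request req;
    req.value = (uint64_t)(uintptr_t)payload_open;
    /* Aim `value` at d_open; `before` and `after` land on the two zero fields. */
    req.dest = (char *)&kpmap_devsw.d_open - offsetof(struct sem_reply, value);

    int err = handler(&req);
    if (err != 0)
        fprintf(stderr, "handler refused the destination (errno %d)\n", err);

    /* The user now opens the device and the kernel calls through the pointer. */
    (void)kpmap_devsw.d_open();
    return (int)curproc.p_ucred->cr_uid;
}

/* Sanity check: with the fix, an honest destination in user space still works. */
int fixed_handler_honest_use(void)
{
    struct sem_request req = { 0x29a, user_space };   /* 666, the talk's marker */
    if (fixed_handler(&req) != 0)
        return -1;
    struct sem_reply r;
    memcpy(&r, user_space, sizeof r);
    return (int)r.value;
}

int main(void)
{
    printf("vulnerable handler: uid afterwards = %d\n", run_exploit(vulnerable_handler));
    printf("fixed handler:      uid afterwards = %d\n", run_exploit(fixed_handler));
    return 0;
}
```

With the vulnerable handler the reply lands on the switch table, the next open() runs the payload and the uid drops to 0; with the fixed handler the same request is rejected with EFAULT, the pointer is never touched and the uid stays 1000. The model also reflects the talk's constraint that the payload must repair what it clobbered before returning.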