Lingua Diabolis

Apr 02, 2025

Debugging loadlibrary Through Space and Time

In 2017 Tavis Ormandy released loadlibrary, a "library that allows native Linux programs to load and call functions from a Windows DLL". As a showcase, the code included mpclient, a program capable of loading mpengine.dll of Windows Defender and scanning files for malware on Linux. This is an impressive feat: mpengine.dll is a notoriously complex, ~20MB library that I tend to use to stress-test static analysis tools - getting it to actually execute on a different operating system is really something!

Unfortunately mpengine.dll gets significant updates almost every month: with 5% of functions changing or unmatched in a library this size, we are talking thousands of changes monthly. It's no surprise mpclient has old unresolved issues about crashes with no easy fixes. While I know... Read more ->

Mar 11, 2025

Analysis of CVE-2025-24813 Apache Tomcat Path Equivalence RCE

On 10 March 2025 ASF announced CVE-2025-24813, an Apache Tomcat vulnerability that may result in information disclosure or corruption, and even remote code execution. This is a quick and dirty analysis explaining the parts of the picture that are not in the advisory or can't be deduced trivially from the source code. Please read the linked materials and use your favorite search engine on the side!

Configuration Requirements

I tested the vulnerability on Debian 12. At the time of writing the latest package version for Tomcat 10 is 10.1.34-0+deb12u1, where the discussed vulnerability is still unfixed.

The advisory states the following requirements for all exploitation vectors:

  • "writes enabled for the default servlet (disabled by default)"
  • "support for partial PUT (enabled by default)"

The first... Read more ->

Mar 06, 2025

Dreams in CodeQL - Quest for the Perfect GOTO

On 21 February Qualys Threat Research Unit (TRU) posted the details of two vulnerabilities in OpenSSH to the Full Disclosure and oss-security mailing lists. The starting point of the presented research was a typical error handling pattern in the OpenSSH code base. TRU's idea was that the pattern is easy to get wrong, so it's worth looking for variants that may result in undefined behavior potentially leading to exploitable vulnerabilities. The message included a CodeQL query with the following comment:

Warning: our rudimentary CodeQL query (below) might hurt the eyes of experienced CodeQL programmers; if you, dear reader, are able to write a query that runs faster or produces less false positives, please post it to the public oss-security mailing list!

While I won't call myself an... Read more ->