Conversation

Notices

1. Embed this notice
   Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 18:25:34 JST Ryan Castellucci :nonbinary_flag:

   • Matthew Green

   It's been ten years, so a short story about the "gotofail" bug.

   Someone came to me about a catastrophic vulnerability in Apple's TLS implementation.

   I shit you not, they'd overheard someone at a bar drunkenly bragging about how they were going to sell it to a FVEY intelligence agency for six figures.

   They didn't know exactly what it was, just some vague details and the key point is that it allowed use of the real certificate.

   This was enough for me to find the bug (yay open source), which would go on to be known as "gotofail", and produce a working exploit in less than a day.

   The details were anonymously back channelled to Apple, who released a fix.

   @matthew_d_green posted on Twitter about it, concerned by the Apple's vague release notes.

   I used a burner phone to share the details with him anonymously.

   Then everyone forgot about the whole thing because heartbleed.

   ¯_(ツ)_/¯

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 19:22:45 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     Oh, and my exploit was, like, a 5 line LD_PRELOAD hack that disabled the "private key matches certificate" check in OpenSSL, ROFL.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:05:12 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Matthew Green
     • Filippo Valsorda :go:
     • Adam Langley

     @filippo @matthew_d_green @agl You're welcome!

     I had a test for it on gotofail.com, which was probably online first.

   • Embed this notice
     Filippo Valsorda :go: (filippo@abyssdomain.expert)'s status on Thursday, 01-Feb-2024 20:05:13 JST Filippo Valsorda :go:

     in reply to

     • Matthew Green
     • Adam Langley

     @ryanc @matthew_d_green

     IIRC @agl made an online test for it, a page that would only load for vulnerable clients.

     That was the inspiration for making the Heartbleed test, which kickstarted my career.

     So thank you :)

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:06:24 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • Matt Palmer

     @Natanox @womble gotofail absolutely would have been prevented by better tooling and code style

   • Embed this notice
     Natasha Nox 🇺🇦🇵🇸 (natanox@chaos.social)'s status on Thursday, 01-Feb-2024 20:06:25 JST Natasha Nox 🇺🇦🇵🇸

     in reply to

     • Matt Palmer

     @womble Point taken. Guess I just wondered given TLS seem so elemental to me, like something a thousand eyes would probably glance over regularly. Although I might be spoiled by Open-Source.

   • Embed this notice
     Matt Palmer (womble@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:06:27 JST Matt Palmer

     in reply to

     • Natasha Nox 🇺🇦🇵🇸

     @Natanox there aren't enough security experts in the world to audit even a small portion of the security sensitive code being written - not to mention that experts are human too, and can make mistakes. The focus needs to be on more secure *methods* of writing code, and tools that can detect or (preferably) prevent insecure code, including formal methods that can prove that code is secure.

   • Embed this notice
     Natasha Nox 🇺🇦🇵🇸 (natanox@chaos.social)'s status on Thursday, 01-Feb-2024 20:06:28 JST Natasha Nox 🇺🇦🇵🇸

     in reply to

     @ryanc How the heck do oversights like these happen? How few security experts does Apple have?

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:30:02 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Matthew Green
     • Filippo Valsorda :go:
     • Adam Langley

     @filippo @matthew_d_green @agl Anyway, if I haven't already said it, thank you for inviting me to the cabal of cryptographers in 2015. 😉

   • Embed this notice
     Stephen Battista (he/him) (mitresteve@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:38:07 JST Stephen Battista (he/him)

     in reply to

     • Matthew Green

     @ryanc @matthew_d_green Three of the things that would happen in rust and many other languges

     1. Auto formatting. It just makes things so much more easier to read.
        1. Dead code detection, when accidently creating dead code, you get a warning.
        2. No goto. I don't know how many times in other languages I have messed that one up. I know it is a style thing and I'm starting a holy war but the extra time to work the logic in is totally worth it. (They should just rename goto as yolo, I did not want to think though the logic)
   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:41:17 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     tl;dr: I repro'd a vuln worth a couple of lambos from a conversation someone overheard at a bar and immediately burned it by disclosing to the vendor

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:50:22 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Filippo Valsorda :go:

     @filippo sent you something more out of band

   • Embed this notice
     Aris Adamantiadis :verified:💲Paid (aris@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:51:05 JST Aris Adamantiadis :verified:💲Paid

     in reply to

     @ryanc loose lips sink ships as they said. That's written in font 35 on the first page of an NDA I had to sign for a project.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:53:37 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Aris Adamantiadis :verified:💲Paid

     @aris The odds of someone overhearing that, understanding the significance, knowing someone to tell, and remembering sufficient detail to reconstruct though...

   • Embed this notice
     Ben Aveling (benaveling@infosec.exchange)'s status on Thursday, 01-Feb-2024 20:56:34 JST Ben Aveling

     in reply to

     • Aris Adamantiadis :verified:💲Paid

     @aris @ryanc …implies that it must have happened repeatedly.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 23:14:10 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Ben Aveling
     • Aris Adamantiadis :verified:💲Paid

     @BenAveling @aris 🤷

   • Embed this notice
     Simon Zerafa (simonzerafa@infosec.exchange)'s status on Thursday, 01-Feb-2024 23:15:07 JST Simon Zerafa

     in reply to

     • Aris Adamantiadis :verified:💲Paid

     @ryanc @aris

     Really is the very definition of Chance favouring the Prepared Mind.

     A most epic tale and very much worth of a free coffee should you ever wish for one 🙂👍

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 23:17:40 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Matthew Green
     • Stephen Battista (he/him)

     @MITREsteve @matthew_d_green eh, it's kind of hard to avoid goto when you have to manually free memory and don't have exception handling.

     I program in C, but I never trust that code, and I strongly discourage others from using C.

     I'm spinning up a rust project at work now though!

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Thursday, 01-Feb-2024 23:51:17 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • penguin42

     @penguin42 @Natanox I still think it was deliberately introduced based on a review of the changes to that file over time, but we'll probably never know.

   • Embed this notice
     penguin42 (penguin42@mastodon.org.uk)'s status on Thursday, 01-Feb-2024 23:51:19 JST penguin42

     in reply to

     • Natasha Nox 🇺🇦🇵🇸

     @Natanox @ryanc Because it's not really a 'security' type of error; it's a patch/tooling mistake that led to a duplicated line of code (maybe just a typo in an editor??); so it depends what the 'security people' looked at; maybe they looked at the intended patch, or the algorithm, and they would have been happy.

   • Embed this notice
     werrett (werrett@infosec.exchange)'s status on Friday, 02-Feb-2024 00:14:06 JST werrett

     in reply to

     @ryanc I heard the bar bragging origins of gotofail (maybe a couple of years later).

     Glad it’s out more broadly — it’s a great piece of security lore 😛

   • Embed this notice
     Loren Kohnfelder (lmk@infosec.exchange)'s status on Friday, 02-Feb-2024 00:57:03 JST Loren Kohnfelder

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • Matt Palmer

     @ryanc do you still have the 5 lines of code to share? @Natanox @womble gotofail was preventable just by a unit test checking that each of the necessary conditions were being tested. Nice blast from the past.

   • Embed this notice
     Marco Ivaldi (raptor@infosec.exchange)'s status on Friday, 02-Feb-2024 02:32:29 JST Marco Ivaldi

     in reply to

     • Matthew Green

     @ryanc @matthew_d_green awesome, thanks for sharing this!

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 02-Feb-2024 02:53:35 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • penguin42
     • Rich Felker

     @dalias @penguin42 @Natanox iirc it looked like it got added in a commit that was otherwise only changing other parts of the code

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Friday, 02-Feb-2024 02:53:36 JST Rich Felker

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • penguin42

     @ryanc @penguin42 @Natanox Is there any writeup of the reasons to believe that?

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 02-Feb-2024 03:09:39 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • penguin42
     • Rich Felker

     @dalias @penguin42 @Natanox I don't remember any more than what I said already, and I don't think I was able to determine who committed it. I may have just been doing diffs between versions.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Friday, 02-Feb-2024 03:09:40 JST Rich Felker

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • penguin42

     @ryanc @penguin42 @Natanox Ok that's really sus, but also has some vaguely plausible deniability. Like "oh, I had that file open in another window and accidentally deleted something, then added it back, but I guess I was wrong and it didn't actually get deleted."

     Did the committer have plausible motive?

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 02-Feb-2024 03:13:06 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • Matt Palmer
     • Loren Kohnfelder

     @lmk @Natanox @womble

     I forgot how hilariously trivial it was.

     /*
     To build:
     gcc -shared -fPIC -o libgotofail.so gotofail.c
     To use:
     LD_PRELOAD=./libgotofail.so PROGRAM AND ARGUMENTS GO HERE
     */
     #define _GNU_SOURCE
     int X509_check_private_key(void *a, void *b) { return 1; }
     
   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 02-Feb-2024 03:15:34 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • Matt Palmer
     • Loren Kohnfelder

     @lmk @Natanox @womble

     I forgot how hilariously trivial it was.

     All one had to do was generate a private key of matching size and algorithm to use with the certificate chain, and restrict to vulnerable cipher suites.

     /*
     To build:
     gcc -shared -fPIC -o libgotofail.so gotofail.c
     To use:
     LD_PRELOAD=./libgotofail.so PROGRAM AND ARGUMENTS GO HERE
     */
     #define _GNU_SOURCE
     int X509_check_private_key(void *a, void *b) { return 1; }
     
   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 02-Feb-2024 03:24:50 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • werrett

     @werrett I have told the story in person a number of times, and of course the other folks involved may have shared. Always intended to eventually eventually post about what happened.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 02-Feb-2024 03:31:29 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • penguin42
     • Rich Felker

     @dalias @penguin42 @Natanox It's fine, I just don't want to be nerdsniped into reinvestigating it.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Friday, 02-Feb-2024 03:31:30 JST Rich Felker

     in reply to

     • Natasha Nox 🇺🇦🇵🇸
     • penguin42

     @ryanc @penguin42 @Natanox Sorry to be so probing. Thanks for sharing what's known of this epic story & for your part in it.

   • Embed this notice
     Billie Thompson 🦊 (purplebooth@hachyderm.io)'s status on Friday, 02-Feb-2024 04:25:41 JST Billie Thompson 🦊

     in reply to

     • Matthew Green

     @ryanc @matthew_d_green wow ok, TIL about LD_PRELOAD I am going to do terrible things with this

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 02-Feb-2024 04:26:34 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • coldclimate

     @coldclimate It's not a thread I want to pull.

   • Embed this notice
     coldclimate (coldclimate@hachyderm.io)'s status on Friday, 02-Feb-2024 04:26:35 JST coldclimate

     in reply to

     @ryanc tremendous work, thank you. Was the drunk twit ever sourced?

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 02-Feb-2024 04:29:30 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • Matthew Green
     • Billie Thompson 🦊

     @PurpleBooth @matthew_d_green I posted the exploit down thread.

     An actually interesting example:

     https://github.com/ryancdotorg/libsdsock

   • Embed this notice
     Bø!rge (forteller@tutoteket.no)'s status on Friday, 02-Feb-2024 05:37:03 JST Bø!rge

     in reply to

     @ryanc You're a hero!

   • Embed this notice
     Brian Rogers (codercyclist@infosec.exchange)'s status on Friday, 02-Feb-2024 06:01:04 JST Brian Rogers

     in reply to

     @ryanc Thank you for that. I remember it. I wrote a memo to management about how the vulnerability, the nature of the code mistake that had led to it, and how it highlighted the importance of various, widely neglected best practices.

   • Embed this notice
     Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 02-Feb-2024 06:30:37 JST Ryan Castellucci :nonbinary_flag:

     in reply to

     • argv minus one
     • JB Lièvremont

     @argv_minus_one @mithfindel they do now, because of that bug

   • Embed this notice
     argv minus one (argv_minus_one@mstdn.party)'s status on Friday, 02-Feb-2024 06:30:38 JST argv minus one

     in reply to

     • JB Lièvremont

     @mithfindel

     Now that you mention it, why didn't GCC/Clang issue a warning for the code after the erroneous `goto` being unreachable?

     @ryanc

   • Embed this notice
     JB Lièvremont (mithfindel@mastodon.social)'s status on Friday, 02-Feb-2024 06:30:39 JST JB Lièvremont

     in reply to

     @ryanc thank you for gotofail! To this day, it is my favorite illustration of "really bad stuff that could be found by simple static analysis".

   • Embed this notice
     Marsh Ray (marshray@infosec.exchange)'s status on Saturday, 20-Apr-2024 09:46:06 JST Marsh Ray

     in reply to

     @ryanc Oh yeah, I remember that one.
     Fantastic.