Vulnerabilities in libgit2

Vivek and I discovered a couple of security bugs in the git index handling mechanism in libgit2, an year back. There were two CVEs assigned for the two issues discovered. CVE-2018-8098 - Integer overflow which causes out-of-bounds read. CVE-2018-8099 - Double free caused by incorrect return value. Following is the mail I originally sent out to libgit2 maintainers for reporting the vulnerabilities. Double-Free In read_entry() function, git_decode_varint() can be made to fail with it returning varint_len as 0.
Read more →

DoS in Python’s marshal

I discovered a DoS issue in Python’s marshal module. However, the Python community decided that this is not an (security) issue as it is already documented in marshal module that untrusted data is not supposed to be fed to that. So, here is a way to segfault the Python interpreter, if anyone needs a reliable way to do it. Last tested in Python 3.7.3 in Arch Linux on 16th July 2019.
Read more →

PlaidCTF Zipper Forensics Writeup

This was a forensics challenge. We get a zip file named ziper.zip. Trying to extract it, we are greeted with an error message. unzip zipper.zip Archive: zipper.zip warning: filename too long–truncating. : bad extra field length (central) So, there is something wrong with the filename length. Possibly in the central headers. A quick readup on how ZIP files are constructed from ForensicsWiki and Structure of PKZip File helped a lot in solving this particular challenge.
Read more →

Jetty and Spark

I am using Spark Java for writing the REST API servies. Spark is a neat web microframework which kinda reminds me of good-old Python Flask. Problem Some of my HTTP requests I have to send are humongous. Sometimes in megabytes. The underlying Jetty server was throwing "Form too large" exception because, POST requests’ body size exceeds what is supported. The default maximum POST request size is 2 MiB. Now, Spark does not offer any direct ways to configure the settings of the underlying Jetty server.
Read more →

A Custom Virtual Machine in JS

I have been working on a service which exposes its functionalities via a REST API. So, we have a number of REST services listening online and a REST client to control it. The whole server/client setup was originally written in Java. I was instructed to rewrite the client in JS so that we can have a web UI. I was given one and a half days (36 hours) to finish this.
Read more →