Mar 13, 2008

MITM, almost: Redux

Apparently one of my OpenWRT boxes still uses OpenDNS. I was checking my Godaddy account when a Mozilla Firefox security error popped up. Note the https at the end of the host.


I didn't accept the certificate since I was already logged in. Unfortunately it didn't happen again, so I was not able to verify. Was it a one-time or erratic glitch? I'm not very sure who is at fault here, Godaddy or OpenDNS.

Somebody else experienced this and he asked Godaddy customer support. The CS response:

Thank you for contacting Online Support. We are sorry for any confusion with this process. You should be using the latest version of your web browser, as well as any new patches for these. We cannot control any errors that appear on browsers or any local security settings. However, the latest patches, web browser versions, etc. should rid these errors on your browsing.

Please let us know if we may be of further assistance.
Sincerely,
Ben P.
Online Support

The response was not satisfying, to say the least, but this is possibly a Mozilla Firefox bug. Replicating it is pretty hard, so reporting it will be a pain in the ass.

Mar 10, 2008

ICC stack-security-check

Recently I've been playing with the Intel C++/C Compiler. Code produced by the compiler is reportedly better optimized than GCC's. I'd say it's overrated and only gives a perceived speed increase for common use.

I noticed that by default it produces AT&T assembly instead of Intel. Anyway, I'm more interested in its security features.

$ icc -help
...
-fstack-security-check
enable overflow security checks
...
A sample C program I used.

#include <string.h>

int
main(int argc, char *argv[]) {
    char buffer[256];
    strcpy(buffer, argv[1]);   /* unbounded copy: an argument longer than 255 bytes overruns buffer */
    return 0;
}
This is the vanilla assembly output of the program above.
push   ebp
mov ebp,esp
sub esp,0x3
and esp,0xfffffff8
add esp,0x4
sub esp,0x108
add esp,0x0
lea eax,[ebp-0x100]
mov DWORD PTR [esp],eax
mov eax,DWORD PTR [ebp+0xc]
mov eax,DWORD PTR [eax+0x4]
mov DWORD PTR [esp+0x4],eax
call 804ddd0 <strcpy>
add esp,0x8
xor eax,eax
leave
ret
Looking at the assembly produced with -fstack-security-check, it looks very similar to Stack Smashing Protector (SSP). Diffed against the vanilla output:
[chunk 1]
< sub esp,0x108
---
> sub esp,0x10c
> mov eax,__intel_security_cookie
> mov eax,DWORD PTR [ebp-0x4]
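Review bot: in chunk 1 the instruction right after `mov eax,__intel_security_cookie` reads `mov eax,DWORD PTR [ebp-0x4]`, a load from the new slot rather than a store into it, which would throw away the cookie just fetched into eax and leave [ebp-0x4] uninitialised; since chunk 3 later does `mov eax,DWORD PTR [ebp-0x4]` followed by `call __intel_security_check_cookie`, the prologue line is expected to be the store `mov DWORD PTR [ebp-0x4],eax`, so this looks like a transcription slip in the listing worth correcting.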
[chunk 2]
< lea eax,[ebp-0x100]
---
> lea eax,[ebp-0x104]
[chunk 3]
> mov eax,DWORD PTR [ebp-0x4]
> call __intel_security_check_cookie
__intel_security_cookie is a 32-bit canary stored in the data segment (e.g. ds:0x080bc00c). Just like SSP, the canary is checked before the function returns.
./dumbsoft `ruby -e 'puts "B"*512'`
Error: Buffer overrun occurred, forced exit
Aborted
In case you didn't know, GCC has similar features.
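As an added illustration (not code from this post or from Intel's runtime), here is a user-space model of the cookie store and check that chunks 1 and 3 show: a frame laid out as the 256-byte buffer followed by a 4-byte cookie slot, an install step, the unbounded copy from the sample program, and the check that runs before return. The fixed cookie value, the helper names and the byte-array frame are assumptions; a real compiler keeps the slot on the machine stack and the runtime check aborts the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 256                              /* char buffer[256] in the post */
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t))  /* buffer plus the 4-byte cookie slot */

/* Stand-in for __intel_security_cookie (a real protector picks it at random; fixed here, an assumption). */
static const uint32_t security_cookie = 0x0A8B1C2Du;

/* Prologue (chunk 1): store the global cookie just above the buffer, the post's [ebp-0x4] slot. */
static void cookie_install(uint8_t *frame) {
    memcpy(frame + BUF_SIZE, &security_cookie, sizeof security_cookie);
}

/* Epilogue (chunk 3): reload the slot and compare, as __intel_security_check_cookie does.
 * Returns 1 if the cookie is intact, 0 if it was clobbered. */
static int cookie_check(const uint8_t *frame) {
    uint32_t saved;
    memcpy(&saved, frame + BUF_SIZE, sizeof saved);
    return saved == security_cookie;
}

/* Models the post's main(): strcpy of argv[1] into the 256-byte buffer. The copy is
 * clamped to the frame (defined behaviour), but input over 255 chars still hits the slot. */
static int copy_and_check(const char *input) {
    uint8_t frame[FRAME_SIZE];
    size_t n = strlen(input) + 1;                 /* strcpy copies the NUL as well */
    cookie_install(frame);
    memcpy(frame, input, n < FRAME_SIZE ? n : FRAME_SIZE);
    return cookie_check(frame);
}

/* Same check driven by `len` 'B's, like the post's ruby -e 'puts "B"*512'. */
static int copy_b_run(size_t len) {
    char *s = malloc(len + 1);
    if (s == NULL) return -1;
    memset(s, 'B', len); s[len] = '\0';
    int ok = copy_and_check(s);
    free(s);
    return ok;
}

int main(int argc, char *argv[]) {
    if (argc < 2) return 1;
    if (copy_and_check(argv[1])) return 0;
    fputs("Error: Buffer overrun occurred, forced exit\n", stderr);
    abort();                                      /* the post's "Aborted" */
}
```

Compile it with any C compiler and run it with an argument longer than 255 characters to reproduce the "Buffer overrun occurred" exit from the post.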