
ssh in https

The wifi network at BSDcan, really the UOttawa network, blocks a bunch of ports. This makes it difficult to connect to outside machines using “exotic” protocols, basically anything except http or https. There are many ways to resolve this, here’s what I did.

Pick a port that’s allowed, such as 443. Unfortunately I’m already using port 443 for some very serious https business. But it’s possible to run two protocols over the same port with some smarts in the endpoint.

ssh connections start by having both client and server exchange version strings. You can observe this by running netcat.

> nc localhost 22

Or start a listener with netcat and observe the client by connecting to it with ssh -p 20002 localhost.

> nc -l localhost 20002

This is convenient because many other protocols typically begin with only one party. You can’t tell you’re talking to a web server, for instance, because the server doesn’t respond until it receives a request. The upside, for ssh, is that you can probably inject it into almost anything, given some control over the software.

In my case, I’m running a web server. My request loop used to look like this:

        _, err := rw.Reader.Peek(1)
        if err != nil {
            // timeout or disconnect: drop the connection (body elided in the original)
        }
        req, err := http.ReadRequest(rw.Reader)

It’s reading one byte to check for timeouts and disconnects. If we read a little more, we can spot ssh connections.

        sneak, err := rw.Reader.Peek(4)
        if err != nil {
            // timeout or disconnect, handled as before
        }
        if conn.sshproxy && string(sneak) == "SSH-" {
            sshconn, err := net.Dial("tcp", "") // sshd address elided in the original
            // grab everything bufio already read so sshd sees the whole banner
            sneak, _ = rw.Reader.Peek(rw.Reader.Buffered())
            sshconn.Write(sneak) // the fragment leaves this forwarding step implicit
            c := make(chan net.Conn)
            go copyuntildone(netconn, sshconn, c)
            go copyuntildone(sshconn, netconn, c)
            <-c    // wait for either direction to finish (assumed use of c)
            return // this connection never reaches ReadRequest
        }
        req, err := http.ReadRequest(rw.Reader)

From there, it’s a simple matter of copying data from one socket to the other.

On the client side, this requires a simple proxy command to connect via TLS first.

ProxyCommand nc -c %h 443

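The server side put together as an added example, not the post's own code: each accepted connection is peeked, an SSH banner is forwarded to sshd and anything else is parsed as HTTP. It assumes TLS is terminated before the connection reaches serveConn (for instance by a tls.Listener), and the listener port 8443 and sshd address 127.0.0.1:22 are placeholders.

```go
package main

import (
	"bufio"
	"io"
	"net"
	"net/http"
)

// isSSH reports whether the connection opens with the SSH version string.
// Peek does not consume bytes, so the HTTP path still sees a full request.
func isSSH(rd *bufio.Reader) bool {
	sneak, err := rd.Peek(4)
	return err == nil && string(sneak) == "SSH-"
}

// serveConn handles one accepted connection on the shared port: an SSH
// banner is forwarded to sshAddr, anything else is parsed as HTTP.
func serveConn(conn net.Conn, sshAddr string) {
	defer conn.Close()
	rd := bufio.NewReader(conn)
	if !isSSH(rd) {
		// Stand-in for the real request loop: parse one request, answer it.
		if _, err := http.ReadRequest(rd); err == nil {
			io.WriteString(conn, "HTTP/1.1 200 OK\r\nContent-Length: 6\r\nConnection: close\r\n\r\nhello\n")
		}
		return
	}
	back, err := net.Dial("tcp", sshAddr)
	if err != nil {
		return
	}
	// Replay what bufio already read, then shovel raw bytes both ways until a side hangs up.
	buffered, _ := rd.Peek(rd.Buffered())
	back.Write(buffered)
	go func() { io.Copy(back, conn); back.Close() }()
	io.Copy(conn, back)
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:8443") // placeholder; TLS assumed terminated in front
	if err != nil {
		return
	}
	for {
		if c, err := ln.Accept(); err == nil {
			go serveConn(c, "127.0.0.1:22") // placeholder sshd address
		}
	}
}
```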
Posted 17 May 2019 17:32 by tedu Updated: 17 May 2019 17:32
Tagged: openbsd software web

syzkaller found a bug

A common problem for operating system fuzzers is breaking the system they’re running on. Some forms of damage are expected, some are not, and sometimes it’s difficult to tell which is which.

A few days ago, a stack leak bug was fixed in FreeBSD. A similar fix for OpenBSD was committed. And then syzkaller came kalling just a few days later.

panic: bad dir

There are a few possible causes for this, but inspection revealed that the most likely one was a directory entry missing its nul terminator. The timing certainly seemed suspicious. Could there be an off by one?

memset(newdirp->d_name + (cnp->cn_namelen & ~(DIR_ROUNDUP-1)), 0, DIR_ROUNDUP);

Actually no. syzkaller had found a way to create filesystem corruption through one of the “expected” damage paths, but the test case was a little obfuscated. More study revealed it was calling mknod to create a new device that happened to be equal to /dev/sd0c and opening it, and then calling pwrite to write some garbage to a random spot.

mknod("banana", 0777, 0x0402);
pwrite(3, "oops", 4, 0x9000);

Not recommended.

Further complicating the matter was that syzkaller didn’t know that pwrite is one of the magic syscalls that takes a padding argument before off_t. This didn’t affect the test, per se, but makes it harder to interpret because syzkaller calls things directly. (The actual syscall in use was the iovec variant, pwritev.)

syscall(SYS_pwritev, r[0], 0x200002c0, 1, 0);

If you read the man page for pwritev that looks correct. But inspecting src/sys/kern/syscalls.master reveals that the fourth argument is actually a pad argument, and the offset is the fifth argument. So the call above was writing to an offset that was not zero.

Not the first fuzzer to encounter this oddity. More details here.

In the end, it was just coincidence that syzkaller found a new way to corrupt its filesystem a few days after a filesystem commit.

Posted 10 May 2019 16:02 by tedu Updated: 10 May 2019 16:02
Tagged: openbsd

toying with wireguard on openbsd

New year, new network. WireGuard promises to be a simpler more secure alternative to IPsec, and there’s a beta iOS client, so I thought I’d try my hand at setting up a server endpoint.


Posted 01 Jan 2019 15:45 by tedu Updated: 16 May 2019 19:30
Tagged: openbsd

protectli router

My ERL melted itself. Again. Time for a replacement. I went with a Protectli FW4A. It’s a small industrial enclosure, fanless, with four ethernet ports.


Posted 29 Nov 2018 18:39 by tedu Updated: 12 Dec 2018 18:39
Tagged: computers openbsd

commands without magic

Is a magic command without magic still a command? And if a feature was a bug, can a new bug be a feature?


Posted 29 Oct 2018 19:27 by tedu Updated: 29 Oct 2018 19:27
Tagged: openbsd programming

hard state soft state confusion

A few thoughts after reading The History of a Security Hole about a series of bugs in the OpenBSD kernel. It’s a good explanation of an instance of a problem I’ll call hard state soft state confusion, which can lead to some serious bugs, occurs with some regularity, but doesn’t seem to be often discussed.


Posted 02 Sep 2018 22:51 by tedu Updated: 02 Sep 2018 22:55
Tagged: openbsd programming

openbsd changes of note 629

This is the end, beautiful friend; this is the end, my only friend, the end.

Note that octeon supports a few more machines.

Add support for isochronous transfers to xhci. Remains disabled.

Some of the i386 assembly implementations of math functions in compiler-rt use SSE2. Switch to using generic C code.

Use getrusage to measure CPU time in md5 benchmarking.

Add guard pages at the end of kernel stacks so overflows don’t run into important stuff.

Close the default syslogd 514 port.

Add dwxe driver for ethernet found on Allwinner A64, H3 and H5 SoCs.

Fix buffer overflow in perl regexp. Errata.

Fix a regression caused by removal of SIGIO from some devices.

In relayd, use EVBUFFER_EOL_CRLF so that “\r” by itself at the end of a chunk won’t be treated as end of line, causing the following “\n” to be interpreted as a blank line.

In malloc, always delay freeing chunks and change ‘F’ option to perform a more extensive check for double free.

EuroBSDcon happened. There are talks and slides.

Change sendsyslog prototype to take a string, since there’s little point logging not strings.

Validate the TCB (thread control block) pointer which lives in the GS register. Errata.

Removing DDB_STRUCTINFO broke the kernel makefiles by removing too many dependencies, leading to some bad kernels. Put back the good stuff.

Add a kill command to ddb.

Update to unbound 1.6.6.

Add preliminary kabylake support to inteldrm(4) by backporting the relevant commits from linux-4.8.x.

OpenSSH is now version 7.6.

62.html is under construction.

The config program tries to modify zero initialized variables. Previous versions of gcc were patched to place these in the data segment, instead of the bss, but clang has no such patches. Long long ago, this was the default behavior for compilers, which is why gcc was patched to maintain that existing behavior, but now we want a slightly less unusual toolchain. Fix the underlying issue for now by annotating such variables with a data section attribute.

The xrstor instruction will fault if it’s unhappy. Handle this properly. Errata.

6.2-current, back to work.

Posted 06 Oct 2017 16:09 by tedu Updated: 06 Oct 2017 16:09
Tagged: openbsd

openbsd changes of note 628

EuroBSDCon in two weeks. Be sure to attend early and often.


Posted 07 Sep 2017 16:31 by tedu Updated: 07 Sep 2017 16:35
Tagged: openbsd

yet another introduction to yacc

One of the great tools in the unix toolbox is yacc. Regrettably, the documentation can be somewhat weak. The OpenBSD man page covers command line options, but doesn’t even provide a reference to the grammar of the input file. For that, one must read Stephen Johnson’s paper, Yacc: Yet Another Compiler-Compiler. It’s pretty good, and there’s some other tutorials out there, but perhaps it’s worth highlighting a few tips and tricks.


Posted 30 Aug 2017 17:20 by tedu Updated: 30 Aug 2017 17:20
Tagged: openbsd programming

openbsd changes of note 627

The hackers, they thonned.


Posted 28 Aug 2017 16:12 by tedu Updated: 28 Aug 2017 16:12
Tagged: openbsd