Some of the intelligent few have noticed that this is indeed a WordPress blog. Some of you even try to log in, which is funny to see as wp-login.php in my 404s. Regardless, I like to make sure I keep everything up to date. I don’t keep a WordPress version like 2.6.3 per se, but I do maintain my own custom changesets.

Sometimes I wonder whether the world is being run by smart people who are putting us on or by imbeciles who really mean it.
-Mark Twain

Today we examine the changes from WordPress 2.6.2 to WordPress 2.6.3 and point out the obvious issues with the previous version.

First I’d like to point you to the 2.6.3 ChangeLog for WordPress, but more importantly to the diff changeset.

On the wp-trac mailing list there is always banter about the beloved Snoopy class, but this one, I must admit, takes the cake. I haven’t gone back to read the entire thread, but I will lay out the idea as follows.

wp-includes/class-snoopy

	var $maxlength = 8192;  // old size
	var $maxlength = 50000; // max return data length (body)

After seeing this, any old-school programmer would know exactly what the exploit was. For those still needing a clue, however, it would be a buffer overflow. The maxlength variable obviously controls some type of stream length; otherwise we wouldn’t be seeing a change to a much larger number. Is this move a lot safer? Well, I’m guessing they feel most Apache servers’ limits are set around 51,089k file upload size on shared servers, so this should be safe. We know better of course. :D

So let’s take a detour away from the buffer overflow for a moment for one of my favorite security holes: remote shell execution, or parameter injection.

	$safer_URI = strtr( $URI, "\"", " " ); // strip quotes from the URI to avoid shell access
	exec(escapeshellcmd($this->curl_path." -D \"$headerfile\"".$cmdline_params." \"".$safer_URI."\""),$results,$return);
	//----------------------The new and improved----------------------------
	exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);

As you can see, $safer_URI is being protected by a strtr of double quotes before being placed into an exec() call at the shell level. Not only that, it is concatenated into a larger argument string, which makes for easy replacement and back-tick manoeuvrings. The new version looks much safer; however, $headerfile and $cmdline_params are both unsecured and possibly overridable somewhere else in execution.
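One caveat on the "new and improved" line: escapeshellcmd() is designed for a whole command line and leaves paired quotes untouched, whereas escapeshellarg() quotes one argument as a single shell word. The following is an added example, not Snoopy’s code, that builds the same curl command with one escapeshellarg() per argument; it deliberately takes the extra flags as an array rather than the pre-joined $cmdline_params string, and the curl path, header file and sample URI are constructed values.

```php
<?php
// Added example, not Snoopy's code: quote each curl argument separately so
// no value (URI, header file path or flag) can ever split into extra words.

/**
 * Build the curl command line with one escapeshellarg() call per argument.
 * $extra_args is a list of already separate flags, e.g. array('-k'), rather
 * than one pre-joined string, so user data can never inject a new argument.
 */
function build_curl_command($curl_path, $headerfile, array $extra_args, $uri)
{
    $parts = array(escapeshellarg($curl_path), '-D', escapeshellarg($headerfile));
    foreach ($extra_args as $arg) {
        $parts[] = escapeshellarg($arg);
    }
    $parts[] = escapeshellarg($uri);
    return implode(' ', $parts);
}

/**
 * Accept only http(s) URLs before they get anywhere near the shell; quoting
 * is the last line of defence, not the first.
 */
function is_fetchable_uri($uri)
{
    $parts = parse_url($uri);
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), array('http', 'https'), true);
}

// Constructed sample: a URI carrying quote, backtick and dollar characters.
$sample = 'http://example.com/feed?q="1"&r=`2`$3';
if (is_fetchable_uri($sample)) {
    // Constructed paths; escapeshellarg() wraps each value in single quotes
    // so every metacharacter in $sample reaches curl as literal text.
    echo build_curl_command('/usr/bin/curl', '/tmp/headers.txt', array('-k'), $sample), "\n";
}
```

The command is only built and printed here; the point is that each value is a separate single-quoted word, regardless of what it contains.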

Back from execution, I mean programming execution…

Buffer overflow finally

/*while (!feof($fp)) {
	$file_content .= fread($fp, filesize($file_name));
}*/
$file_content = fread($fp, filesize($file_name));

There you have it: they went from a string concatenation to a straight assignment. The reason, once again, is that the concatenation can be broken out of if the buffer gets overflowed, and then you have access to execution of $file_content. Is this new fix safer? Yes, as far as we know assignment operations are considered a non-threat. However, I have a feeling I could write a 51 meg file to get around this issue, but then again who knows.
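For the $maxlength change above and the fread() loop just shown, here is what a read cap looks like when it is enforced while reading rather than after the fact: an added example, not Snoopy’s code, that reads a stream in chunks, stops at the cap and reports whether the body was cut short. The 20,000-byte body and the two caps (the old 8192 and the new 50000) are constructed test values.

```php
<?php
// Added example, not Snoopy's code: read at most $maxlength bytes from a
// stream in fixed-size chunks and report whether the body was cut short.

function read_body_bounded($fp, $maxlength, $chunk = 8192)
{
    $body = '';
    while (strlen($body) < $maxlength && !feof($fp)) {
        // never ask for more than the remaining budget
        $want = min($chunk, $maxlength - strlen($body));
        $data = fread($fp, $want);
        if ($data === false || $data === '') {
            break;
        }
        $body .= $data;
    }
    // Anything still readable means the sender exceeded the cap.
    $truncated = !feof($fp) && fread($fp, 1) !== '';
    return array($body, $truncated);
}

// Constructed sample: a 20,000-byte body read under a given cap.
function demo_read($cap)
{
    $fp = fopen('php://memory', 'r+');
    fwrite($fp, str_repeat('A', 20000));
    rewind($fp);
    list($body, $truncated) = read_body_bounded($fp, $cap);
    fclose($fp);
    return array(strlen($body), $truncated);
}

// The old 8192 cap truncates this body; the new 50000 cap does not.
foreach (array(8192, 50000) as $cap) {
    list($len, $cut) = demo_read($cap);
    printf("cap %5d: read %5d bytes, truncated: %s\n", $cap, $len, $cut ? 'yes' : 'no');
}
```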

So there is a major problem with any WordPress version that runs a Snoopy class of 1.2.3 or has these remote execution problems along with overflow issues. 2.6.3 solves this, but I’m sure this has been in WordPress for a while; I wouldn’t be surprised if it goes back to WordPress 2.0.

The rest of the diffs in the branch are just mistakes made by previous programmers: nothing that is a security threat, just compatibility issues as well as language problems.

In the previous Hangman article we wrote, with PHP and GD, a graphics port; the code below completes the hangman game. This bit of code handles the user interaction as well as initialization of the game.

This code can be added on to the other code to create a complete game.

Without further ado, here is the entire hangman game user interface written in PHP.

<?php
// The session is needed in every branch, so start it once before anything else.
session_start();

$misses = 0;
if (isset($_REQUEST['addmiss']) && $_REQUEST['addmiss'] == 1) {
	$misses = 1;
}
if (isset($_REQUEST['draw']) && $_REQUEST['draw'] == 1) {
	if (!isset($_SESSION['misses'])) {
		$_SESSION['misses'] = 0;
	}
	if (!isset($_SESSION['choices'])) {
		$_SESSION['choices'] = array();
	}
	$misses = $_SESSION['misses'] + $misses;
	$_SESSION['misses'] = $misses;
	// $im, drawTxt() and drawHangMan() come from the GD code in the first article.
	$im = drawTxt($im, $_SESSION['word'], $_SESSION['choices']);
	$im = drawHangMan($im, $misses);
	header("Content-type: image/png");
	ImagePng($im);
	exit; // nothing may follow the image bytes
}
if (!empty($_REQUEST['new_word'])) {
	require_once('/home/rionmass/hawkenterprises-wordlist-config.php');
	$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
	if (!$link) {
		die('Not connected : ' . mysql_error());
	}
	$db_selected = mysql_select_db(DB_NAME, $link);
	if (!$db_selected) {
		die('Can\'t use database : ' . mysql_error());
	}
	$sql = 'SELECT word from TABLENAME LIMIT 1';
	$rs = mysql_query($sql);
	$word = mysql_result($rs, 0, 0);
	$_SESSION['word'] = $word;
	// a new word starts a new game
	$_SESSION['misses'] = 0;
	$_SESSION['choices'] = array();
}
if (!isset($_SESSION['word'])) {
	header('location:?new_word=1');
	exit;
} elseif (isset($_POST['choice'])) {
	$_SESSION['choices'][] = $_POST['choice'];
	// strpos(haystack, needle): look for the guessed letter inside the word
	if (false !== strpos($_SESSION['word'], $_POST['choice'])) {
		header('location:?draw=1');
	} else {
		header('location:?draw=1&addmiss=1');
	}
	exit;
}
?>

I hope you enjoyed this little series; I know we did.

His achievements read like the graffiti on the walls of a hangman’s changing room.
-Johnathan Larsen

When I’m building a game I like to jump right in and build the parts I don’t know much about. This time I felt like GD was a great place to make some fun images. So today we start with a graphics port of hangman.

If men can run the world, why can’t they stop wearing neckties. How intelligent is it to start the day by tying a little noose around your neck.
-Linda Ellerbee

The code below is good for drawing up to 13 misses, and has code for drawing the word as well as the entire hangman graphic seen below.

[image: hangman]

This is easily adaptable to several types of data sources, including MySQL, SQL Server, and any SQL or flat-file source such as CSV. In the second part I will hook it up to a wordlist stored in MySQL.

	if($misses>0){
		//draw head
		imageellipse($im,$left_point,$bottom_point,$head_size,$head_size,$text_color);
	}
	if($misses>1){
		//draw body
		imageline($im,$left_point,$neck_point,$left_point,$leg_point,$text_color);
	}
	if($misses>2){
		//left leg
		imageline($im,$left_point,$leg_point,$left_legX,$left_legY,$text_color);
	}
	if($misses>3){
		//right leg
		imageline($im,$left_point,$leg_point,$right_legX,$right_legY,$text_color);
	}
	if($misses>4){
		//left arm
		imageline($im,$left_point,$neck_point,$left_arm,$neck_point,$text_color);
	}
	if($misses>5){
		//right arm
		imageline($im,$left_point,$neck_point,$right_arm,$neck_point,$text_color);
	}
	if($misses>6){
		//left foot
		imageellipse($im,$left_legX,$left_legY,$foot_size,$foot_size,$text_color);
	}
	if($misses>7){
		//right foot
		imageellipse($im,$right_legX,$right_legY,$foot_size,$foot_size,$text_color);
	}
	if($misses>8){
		//left hand
		imageellipse($im,$left_arm,$neck_point,$hand_size,$hand_size,$text_color);
	}
	if($misses>9){
		//right hand
		imageellipse($im,$right_arm,$neck_point,$hand_size,$hand_size,$text_color);
	}
	if($misses>10){
		//right eye
		imageellipse($im,$right_eyeX,$eyeY,$eye_width,$eye_height,$text_color);
	}
	if($misses>11){
		//left eye
		imageellipse($im,$left_eyeX,$eyeY,$eye_width,$eye_height,$text_color);
	}
	if($misses>12){
		//mouth
		imagearc($im,$left_point,$mouth_center,$mouth_width, $mouth_height, 160, 20,$text_color);
	}
	if($misses>13){
		//double x
		imageline($im,$right_eyeX-3,$eyeY-3,$right_eyeX+3,$eyeY+3,$text_color);
		imageline($im,$left_eyeX-3,$eyeY-3,$left_eyeX+3,$eyeY+3,$text_color);
		imageline($im,$right_eyeX+3,$eyeY-3,$right_eyeX-3,$eyeY+3,$text_color);
		imageline($im,$left_eyeX+3,$eyeY-3,$left_eyeX-3,$eyeY+3,$text_color);
	}

	return $im;
}

$im = drawTxt($im,$word,array('a'));
$im = drawHangMan($im,13);
header ("Content-type: image/png");
ImagePng ($im);
?>
