May 2018 Archives

Thu May 31 16:18:27 EEST 2018

joke 2018-05-31

What is your sexual fantasy?
He dies during sex and leaves me $150M USD

Posted by joke | Permanent link

Mon May 28 13:55:32 EEST 2018

Stories from the past: the qmail-smtpd on freebsd exploit


The qmail smtpd exploit on freebsd is probably the most braggable
of my exploits. The advisory is at [1] and is rather short.
I don't remember whether it is so because of "if it was hard to write, it must be
hard to understand".

I don't like this exploit much, the *BSD kernel stuff is better IMHO.

The provably exploitable part of the advisory is:
---
char *p;
int i; /*XXX signed int*/
...
p[i]=0;
---

In case i is negative, this is an out-of-bounds write. It is not an
integer overflow, more like memory corruption.
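The pattern the advisory quotes, as an added example that is not code from the advisory or from qmail: a signed int used as an index into a char buffer, and the bounds check that prevents the negative-index write. The `truncate_to_signed_index` helper shows one way such an `int i` ends up negative (an offset larger than INT_MAX stored into a signed int; this is an assumed illustration, and the conversion is implementation-defined in C, wrapping on gcc/clang two's-complement targets). The buffer sizes are constructed and tiny; the offending write is never performed, only rejected.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration (assumed, not from the advisory) of how a signed index
   goes negative: an offset past INT_MAX truncated into an int.
   The conversion is implementation-defined for out-of-range values;
   on common two's-complement compilers it wraps to a negative number. */
int truncate_to_signed_index(uint64_t offset)
{
    int i = (int)offset;
    return i;
}

/* Hardened form of `p[i] = 0`: the index is an unsigned size and is
   checked against the allocation length before the store.
   Returns 0 when the byte was written, -1 when the write would be
   out of bounds (either past the end or, had it been signed, before
   the start of the buffer). */
int bounded_store(char *p, size_t p_len, size_t i, char value)
{
    if (p == NULL || i >= p_len)
        return -1;
    p[i] = value;
    return 0;
}

/* Runs bounded_store against a constructed 16-byte scratch buffer and
   returns its result, so the check can be exercised on any index. */
int store_on_scratch(size_t i)
{
    char scratch[16] = {0};
    return bounded_store(scratch, sizeof scratch, i, 'A');
}

int main(void)
{
    int i = truncate_to_signed_index((uint64_t)INT_MAX + 1);
    printf("signed index after truncation: %d\n", i);
    printf("store at 15 on 16-byte buffer:  %d (0 = written)\n", store_on_scratch(15));
    printf("store at 16 on 16-byte buffer:  %d (-1 = rejected)\n", store_on_scratch(16));
    printf("store at INT_MAX+1:             %d (-1 = rejected)\n",
           store_on_scratch((size_t)INT_MAX + 1));
    return 0;
}
```

The point of `bounded_store` is that the index type carries no sign, so the "negative index" case cannot be expressed, and every index is compared against the real allocation size rather than trusted.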

The process of discovery was rational [^2] dirty labour:
1. analyze
2. test
3. in case of failure (almost surely it fails) repeat
4. return SUCCESS

The process took _long_. I temporarily gave up several times, until I
pressed the lucky keys.

Exploitability required about 20GB of virtual memory.

djb basically replied: "This is not a bug, this is a feature. Nobody gives so
much virtual memory to qmail".

The strongest counterclaims to djb's answer are:
1. The installation instructions don't mention limits
2. In the future libc alone can become larger than the limits

[1] http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
[^2]: In math, irrational and transcendental stuff are more interesting
than rational stuff.


Posted by qmail-smtpd | Permanent link

Tue May 15 14:41:04 EEST 2018

Open letter to HRs


Hi HR,

You are a proxy recruiter, right?

Assuming so, I appear to be the "product".

Here is a brief summary of the product: I was active in security in the period
1997-2007, mainly disclosing my 0days. Per my estimate I was in the top 3%
overall of the public hacking scene (this might be far off in both
directions).
During roughly this time I was an independent security consultant for Netscape/Mozilla,
mainly pre-0days and advice for the Firefox browser.
Then I went on a vacation, mainly enjoying life and doing
experimental mathematics as a hobby.

I am considering returning to the IT stuff.

Some of the things I DO NOT do currently:
1. 0days (AKA security bug hunting)
2. working with products of microsoft (don't like MS).
3. relocation from Sofia, Bulgaria (it is in the EU).

Some of the things I would like to do (not all applicable for you):
1. Experimental mathematics/data analysis
2. Software quality assurance (QA)
3. Hardening systems
4. Privacy research
5. Some security research without 0days
6. Possibly software development
7. Possibly security consulting

In all the non-trivial stuff I have done I am self-taught; education
didn't help much.

CV: http://j.ludost.net/resumegg.pdf

Georgi Guninski

Posted by joro | Permanent link