nion's blog

If startpanic already shocked you, have a look at: http://www.making-the-web.com/misc/sites-you-visit/nojs/.

The latter version works without javascript so NoScript won't help you but the results are also not that great as it requires a pre-compiled list of possible visisted URLs which the startpanic doesn't need. But still, very impressive.

Given the recent activity in the IT security area I now replaced my 1024-bit DSA key (0x73647CFF)
with a brand new shiny 4096-bit RSA key. I already sent it to the keyserver (copy in case you can't wait for distribution) and of course signed the new one with the old one to create a trust path.

Transition statement: http://nion.modprobe.de/key-transition-2008-06-01.txt.asc (gpg -d key-transition-2008-06-01.txt.asc|gpg --verify)
Details:
pub   4096R/A0A0AAAA 2009-06-01
      Key fingerprint = E1AB DE0E FFCA AEF3 9494  7592 CD4B 2AF3 A0A0 AAAA
uid                  Nico Golde <nion@debian.org>
uid                  Nico Golde <nico@ngolde.de>
uid                  Nico Golde <nion@cs.tu-berlin.de>
uid                  Nico Golde <nion@gmx.net>
sub   4096R/E89CCA30 2009-06-02

There are a lot of discussions out there whether functions like strcpy are dangerous and shouldn't be used in C programs.
But Heise security made my day:

The problem is caused by the use of the unsafe C function printf in crypto_recv in ntpd/ntp_crypto.c.

Beware of the evil printf!

Im rather disappointed by the overall quality of the heise security news anyway but of course they seem to have misread the original advisory and the bug report. They mean sprintf

EDIT: they fixed it

We all know it's not a good idea to copy things in your terminal you don't really understand, for example all these nice perl snippets that delete your home directory or do even worse things.

But what about shell snippets you do understand? Do we really need obfuscation? What about the following?

i=0
while [ $i -lt 10 ]; do
    echo FOO-$i
    i=$(($i+1));echo "YOU SHOULD NOT JUST DO BLINDY COPY STUFF INTO YOUR TERMINAL";i=0
done

This was one of the neat things ascii showed in his talk Tricks: Makes you smile at the 25c3 congress.

I know we are all aware of the fact that c&p is not a good idea in most cases, but who hasn't copied config snippets from the net so far? We are all lazy

The problem here is that some browsers (e.g. firefox) do not display text that is surrounded by
<span style="display:none"></span> while the string that is not displayed will be happily copied into your X11 buffer and later pasted. Interestingly opera(I tested 9.63) only copies the visible text so its users are not vulnerable to this specific problem.

Check out the talk, it includes quite some other interesting things.

UPDATE: while the above example doesn't work in opera it seems that there is a way to defeat operas filter, check out the uname example on: http://ush.it/team/ascii/hack-tricks_253C_CCC2008/wysinwyc/howto.html (thanks ascii for pointing that out).

While some people think that Googles new open source webbrowser Chrome is a great example of code reuse I think the opposite is true. He found at least 25 open source libraries used by the browser. So far this is not a problem but what is a problem is that it embeds all of them in the upstream source tarball instead of depending on the system-wide copies. I know that it might be problematic if people have to install 25 libraries on their own (they could provide static builds though) but for distributors this is just a nightmare if security issues pop-up in one of the used libraries (famous libraries who had issues in the past: webkit, libpng, libjpeg, libxml, ...).

In this case the distributors can't just fix the security issue in the shared library and all applications using it are fixed, no they also have to fix all the copies in software like Chrome. Same if you installed Chrome from source, if a security issue pops out in one of the embedded libs you have to go and install a new Chrome version. Google also needs to additionally maintain upstream and security fixes in their embedded code copies but I guess they have enough manpower to do so.

I didn't yet look at the Chrome source code but I hope it has at least a way to link against the system-wide copies without patching the makefiles.

Finally the pwnie award nominations are out, a bit late though.

Of course we also got our nomination for the infamous openssl issue in the Most Epic FAIL category as well as one nomination for Luciano for the discovery of this in the Mass0wnage section :/

I nominated Wonderware (I wrote about that before) in the Lamest vendor response category, looks like it has been accepted.

wordpress also got its place in the Mass0wnage category:

An unbelievable number of WordPress vulnerabilities (CVE-2008-*)

Discovered by: everybody who cared to look

It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worty of a nomination.

138 reported vulnerabilities since 2004 referring to MITRE, shocking!

Looks like youtubes age filter that should prevent kids from watching special content (sex, violence, drugs, whatever) is flawed by design. While youtube asks for a registered account with a "valid" 18+ age if you are on their website they do not integrate this authentication in embedded flash files for these categories.

There is a simple demonstration that let's you embed any youtube video you are not allowed to watch because of your age

[via dark SEO programmin]

A lot of people start throwing mud in the direction of Debian and especially the maintainer of openssl because of high impact security issue that was released today: DSA-1571.

Please notice that this was indeed discussed in 2006 with the openssl people before patching the package and it was an openssl.org guy who ACKed this patch after the maintainer asked for their opinion. So please stop blaming random people. Thanks!
Such things happen, so better use your time to fix your systems instead



UPDATE: people complaining about the "fact" that the "wrong" list was used to contact the openssl people, please read this

Security companies like coresecurity often notice vendors about found flaws before they are going to publish the vulnerability details to public resources.
Corelabs found a denial of service vulnerability in a product called SuiteLink. I never saw such a big vendor FAIL like in this case:

2008-02-29: Vendor acknowledges reception of the report and states that it understands the seriousness
of the problem and that its development team will look into it.
2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability.
2008-03-03: Core sends proof-of-concept code written in Python.
2008-03-05: Vendor asks for compiler tools required to use the PoC code.
2008-03-05: ore sends a link to http://www.python.org where a Python interpreter can be downloaded.
2008-03-10: Vendor requests more information about the network and the firewall settings used during the tests and inquires about conformance
(or lack thereof) of the tested network with the vendor's security policies and recommendations.
2008-03-10: Vendor asks for details about how the advisory will be published.
2008-03-12: Core responds that the workstation running the vulnerable service had no firewall activated in the tests, but since the Wonderware
SuiteLink Service allows incoming connections it is assumed that the corresponding port should be allowed to receive inbound session
establishment packets.
...
2008-04-29: Vendor provides an official statement and indicates that versions of SuiteLink prior to 2.0 patch 01 are vulnerable. Multiple
products use SuiteLink.
...read on

Fixing this bug took the vendor 3 months!
(sorry for the bad formatting ;- P

Looks like xing has a problem with it's security. The web team was so kind to provide nice xml files with contact data and even including older changes.

wget http://www.xing.com/sitemap[1-27].xml.gz

Anyone interested in preparing some nice graphs? ;-P

[via netzhure]