codeblog code is freedom — patching my itch

November 21, 2008

directing firefox url opening

Filed under: Blogging,Debian,Ubuntu,Web — kees @ 5:53 pm

A while ago, I found a way to open multiple firefox instances so I could have multiple cookie/password repositories. One issue that plagued me was that when launching URLs from other applications (e.g. liferea, gnome-terminal, etc), the URL would open in the longest running firefox, so if I opened my Browsing instance first, then my Authenticated instance, URLs would open in the Browsing instance. That’s what I wanted.

However, if I had to restart my Browsing instance (like, say, when flash was crashing), URLs would start opening in the Authenticated instance, which I didn’t want. So, I changed the Gnome preferences to run this script when launching a browser:

#!/bin/sh
firefox -p Browsing -remote 'openURL('"$@"')'

Ta-da, URLs are always directed to the “Browsing” instance, regardless of when it was started.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

November 18, 2008

md5 lookups for 4 chars and common words

Filed under: Blogging,Debian,Security,Ubuntu,Web — kees @ 8:19 pm

Here’s a fun link. This site appears to have seeded their md5 hash list with all lower case character strings of 4 characters or fewer and many english words (probably from some large dictionaries), and they seem to be adding more as they go. This makes me want to put up an interface to the 7 character alpha-numeric-plus-many-special-chars rainbow table I’ve got. But searching the 500G table for a single hash takes… a while. I’d need to batch it up. Go-go-gadget web 2.0!

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

November 11, 2008

phrase from nearest book meme

Filed under: Blogging,Debian,General,Ubuntu — kees @ 12:42 pm

Meme from Jono:

  • Grab the nearest book.
  • Open it to page 56.
  • Find the fifth sentence.
  • Post the text of the sentence in your journal along with these instructions.
  • Don’t dig for your favorite book, the cool book, or the intellectual one: pick the CLOSEST.

My result:

“The term linear just means that each output bit of the mixing function is the XOR of several of the input bits.”Practical Cryptography, Niels Ferguson, Bruce Schneier.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

November 9, 2008

“rooting” the HTC G1 Android

Filed under: Blogging,Debian,Embedded,Security,Ubuntu,Vulnerabilities — kees @ 10:27 am

People noticed that running telnetd seemed to run as root. Later it was discovered that everything you typed was being run by the root user also. So, that ends the first mystery: when you typed “telnetd” both the Terminal user and root ran it. It would fail (without error messages) for the Terminal user, and run successfully for the root user. So now, the question is, what the f is a root shell doing mirroring user input?!

So, there is a much easier way to get root that doesn’t require network connectivity. While the /sdcard mount point is nosuid,noexec, it’ll still run scripts if you explicitly direct them to run. It seems that the weird background root shell doesn’t understand the alt-keys, so it can only run stuff that can be typed without using alt, shift, etc. So, put the following in /sdcard/pwn:


mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system
cd /system/bin
cat sh > sh.root
chmod 4755 sh.root
mount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system

You can either do this by dropping the file in place over USB mass storage, or you can type it via the Terminal using “cat“. (Rebooting here might help get the root shell in a sane state.) Finally, just navigate there without slashes and run the script:


$ cd sdcard
$ sh pwn

You’ll see lots of errors (but these are only from the Terminal user). The script is, however, run by the root shell too. You can verify the results:


$ ls -l /system/bin/sh*
-rwxr-xr-x root          shell     86936 2008-09-13 00:13 sh
-rwsr-xr-x root          root      86936 2008-11-09 10:12 sh.root

Next up: cross-compiling a little helper to elevate to real UID 0, and require a password to keep malware from looking for setuid shells.

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

November 3, 2008

days since last incident…

Filed under: Blogging,Debian,Networking,Security,Ubuntu,Ubuntu-Server — kees @ 11:15 am

If I made one of those work-site signs that tracked “Days since last incident”, and made one for “Days since last in-the-wild remote-root worm” for Windows and Linux, what would they each say? 0 and 7304 respectively?

Update: while the post was tongue-in-cheek (everyone suffers when any large subset of computers is being attacked), I should lower the Linux days count to 2783 (for L10n on March 23, 2001, which is slightly newer than Ramen on January 17, 2001). Thanks for everyone’s comments. :)

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

October 30, 2008

how to drain your entropy and have fun with ssh fingerprint ASCII-art

Filed under: Blogging,Debian,General,Ubuntu,Ubuntu-Server — kees @ 10:48 am

SSH’s new “VisualHostKey” option (in Ubuntu Intrepid and Debian Lenny) is great fun. Normally it is disabled, but it seems that “ssh-keygen” turns it on when generating new keys. In celebration of the Ubuntu release, here is a script to entertain yourself with RSA ASCII-art, care of SSH and your system’s entropy pool:


#!/bin/sh
set -e
DIR=$(mktemp -t -d rsa-art-XXXXXX)
trap "rm -f $DIR/key*; rmdir $DIR" EXIT HUP INT QUIT TERM

while :
do
    ART=$(ssh-keygen -t rsa -f $DIR/key -N "" | tail -n 11)
    rm -f $DIR/key
    /bin/echo -e "\x1Bc"
    echo "$ART"
done

Makes me feel like I’m watching Life. (Use control-C to stop it.)

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

October 22, 2008

using hdhomerun IR with lirc

Filed under: Debian,Multimedia,Ubuntu — kees @ 5:18 pm

Followed the instructions and got lirc configured with my HDHomeRun’s IR:


# ID=$(hdhomerun_config discover | cut -d" " -f3)
# hdhomerun_config $ID set /ir/target "10.0.0.100:5000 store"
# echo 'REMOTE_LIRCD_ARGS="-H udp -d 5000"' >> /etc/lirc/hardware.conf
# /etc/init.d/lirc restart
# /etc/init.d/gdm restart

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

September 3, 2008

kvm disk image filesystem growth notes

Filed under: Blogging,Debian,Ubuntu,Ubuntu-Server — kees @ 12:14 pm

Here are my notes on growing a KVM disk image’s root filesystem. I had a few 4G partitions that really needed to be bigger. This shows how to get a report on the sizes of the disk images, convert them to raw, work on the partition tables, grow the root filesystem, and rebuild the swap partition with the original UUID. With some work, it could probably become fully scripted, but since the partition layout may not always be the same from VM to VM, the “fdisk” step needs human interaction to delete and rebuild the partition table. Note that the method below also maintains the sparseness of the images.

# Look for files to change
for i in /vmware/*/*{vmdk,qcow2}; do qemu-img info $i; done
...

# Pick one...
cd dir...
ORIG=64bit-Ubuntu-7.10-desktop.vmdk
SIZE=8G


ORIG_TYPE=$(echo $ORIG | awk -F. '{print $NF}')
TARGET_TYPE="qcow2"
TARGET_BASE=$(basename "$ORIG" ."$ORIG_TYPE")
TARGET_RAW="$TARGET_BASE".raw
TARGET="$TARGET_BASE"."$TARGET_TYPE"

qemu-img convert -f "$ORIG_TYPE" "$ORIG" -O raw "$TARGET_RAW"

trunc "$TARGET_RAW" "$SIZE"

sudo kpartx -a "$TARGET_RAW"
SWAP_PART=$(for i in /dev/mapper/loop0p*; do sudo vol_id $i | \
    grep -q ^ID_FS_TYPE=swap && echo $i; done | head -n 1)
UUID=$(sudo vol_id "$SWAP_PART" | grep ^ID_FS_UUID= | cut -d= -f2)
sudo kpartx -d "$TARGET_RAW"

# use losetup otherwise fdisk doesn't know cylinder count
sudo losetup /dev/loop0 "$TARGET_RAW"
# FIXME: Need to automate fdisk (detect swap partition size, etc)
# I'm deleting the swap and growing the root partition, then re-adding swap
sudo fdisk /dev/loop0
sudo losetup -d /dev/loop0

sudo kpartx -a "$TARGET_RAW"
sudo e2fsck -f /dev/mapper/loop0p1
sudo resize2fs /dev/mapper/loop0p1
sudo mkswap -U "$UUID" "$SWAP_PART"
sudo kpartx -d "$TARGET_RAW"

qemu-img convert -f raw "$TARGET_RAW" -O "$TARGET_TYPE" "$TARGET"
rm "$TARGET_RAW"
# FIXME: change disk image path
sudo vi /etc/libvirt/qemu/THING
# FIXME: have the daemon notice the file change
sudo /etc/init.d/libvirt-bin restart
if [ "$ORIG" != "$TARGET" ]; then rm "$ORIG"; fi

The “trunc” command above is based on my network backups post, but is now a general script I use:

#!/usr/bin/perl
# Copyright (C) 2006-2008 Kees Cook <kees@outflux.net>, License: GPLv3
use strict;
use warnings;

my $filename = $ARGV[0];
die "Need valid size also\n" unless ($ARGV[1] =~ /^(\d+)([KMG])$/);
my $size       = $1 + 0;
my $multiplier = $2;

$size *= 1024 if $multiplier =~ /^[KMG]$/;
$size *= 1024 if $multiplier =~ /^[MG]$/;
$size *= 1024 if $multiplier =~ /^[G]$/;

#die "Not trunc'ing existing file\n" if (-e $filename);
die "$filename: $!\n" if (!open(FILE,">>$filename"));
die "seek: $!\n" if (!(seek(FILE,$size,0)));
die "truncate: $!\n" if (!(truncate(FILE,$size)));
die "close: $!\n" if (!(close(FILE)));

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

September 1, 2008

bash trivia

Filed under: Blogging,Debian,Ubuntu — kees @ 8:42 am

I have been playing too many puzzle games lately. This trivia question just popped into my head:

What command will never appear in a .bash_history file?

Unfortunately, I seem to have disproven the answer I originally had. I wonder if there are others? My original answer was going to be “unset HISTFILE”, but I can make it show up in my .bash_history file:

unset HISTFILE
export HISTFILE=/home/kees/.bash_history

© 2008, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.
Creative Commons License

« Newer Posts

Powered by WordPress