Month: August 2009

  • Bash TCP programming hack!?

    I had never heard of this until I ran into it while working on a recent project. In “bash” you can open sockets:

    exec file-descriptor<>/dev/tcp/IP-or-hostname-here/port

    so for example:

    exec 3<>/dev/tcp/192.168.1.100/23

    would open port 23 (telnet) to IP “192.168.1.100” for read and write (the “<>”) on file descriptor “3” (remember that descriptors 0, 1, and 2 are used by default for stdin, stdout, and stderr respectively, so you probably don’t want to step on them). Or, if you prefer something easier to read:

    exec 3<>/dev/tcp/myhost.mydomain.com/telnet

    and thus it’ll also do host and service lookups.

    You can then write to the socket:

    echo "mylogin" >&3

    or read from the socket:

    cat <&3

    If you don’t use “<>” but rather just “<” or “>” you can open the socket only for read or write respectively.

    You can also close the socket (as all good programmers should):

    exec 3<&- # Close descriptor 3 (input form)
    exec 3>&- # Close descriptor 3 (output form); either form closes it for both directions

    Bash – it shakes, it bakes, it does socket programming.

    Note that this is entirely a bash-ism; in a shell that lacks it you can’t simply do:

    echo "hello" >/dev/tcp/192.168.1.100/23

    “bash” is intercepting the “/dev/tcp” stuff and fudging it.

    And I thought Perl was the only one with ugly hacks.
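
    A defender's use of the syntax above, as an added example that is not part of the original post: a small scanner (POSIX sh and awk) that lists every /dev/tcp redirection in a script with its descriptor, mode, host and port. The function names and the sample script are constructed for illustration.

```bash
# Added example: audit shell source for bash /dev/tcp redirections.

# scan_devtcp: read shell source on stdin and print one line per
# /dev/tcp redirection as "LINE FD MODE HOST PORT". Full-line comments
# are skipped; quoting and trailing comments are not interpreted.
scan_devtcp() {
    awk '
    /^[ \t]*#/ { next }
    {
        rest = $0
        while (match(rest, /[0-9]*(<>|>>|<|>)[ \t]*\/dev\/tcp\/[^\/ \t]+\/[A-Za-z0-9_${}-]+/)) {
            hit  = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)

            # An explicit descriptor number, if any, comes first.
            fd = ""
            if (match(hit, /^[0-9]+/)) {
                fd  = substr(hit, 1, RLENGTH)
                hit = substr(hit, RLENGTH + 1)
            }

            # "<>" is read/write, "<" read-only, ">" or ">>" write-only.
            # Without a number bash uses fd 0 for "<" and "<>", fd 1 for ">".
            if      (hit ~ /^<>/) { mode = "rw"; dflt = 0 }
            else if (hit ~ /^</)  { mode = "r";  dflt = 0 }
            else                  { mode = "w";  dflt = 1 }
            if (fd == "") fd = dflt

            sub(/^[<>]+[ \t]*\/dev\/tcp\//, "", hit)
            split(hit, part, "/")
            print NR, fd, mode, part[1], part[2]
        }
    }'
}

# Constructed sample script; it is only scanned, never executed.
sample_script() {
    cat <<'EOF'
#!/bin/bash
# exec 9<>/dev/tcp/10.0.0.1/80
exec 3<>/dev/tcp/192.168.1.100/23
echo "mylogin" >&3
exec 4</dev/tcp/myhost.mydomain.com/telnet
exec 5>/dev/tcp/$LOGHOST/514
exec 3<&-
EOF
}
sample_script | scan_devtcp
```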


  • Rubber Or Glue, It Still Sticks…

    This brings up a sort of interesting if not chilling thought in the world of security, particularly for large organizations:

    Mozilla shuts online store after security breach

    The title of this entry, which I’ve included verbatim, is important.

    To me when I read it, I’m reading “Mozilla has a problem”, or “Mozilla isn’t secure”, or most painfully, “Mozilla is a place I want to avoid because of its lack of security.”

    However, Mozilla didn’t screw up, and this is in fact no reflection on Mozilla’s security whatsoever. If you actually read the post, you’ll see:

    The Mozilla Foundation has shuttered its e-commerce store after confirming a security breach at GatewayCDI, the third-party vendor that handles the store’s backend operations. [emphasis added]

    Thus it isn’t Mozilla’s “fault” after all, it’s GatewayCDI’s.

    So, what’s the point?

    The point is, even though it isn’t Mozilla’s fault, the headline sure makes it sound like Mozilla’s fault. My guess is any large or influential organization will be reported similarly. That’s going to leave the first impression, which many people never get past (because of human nature and/or not reading past the headline), that those organizations are insecure, rather than their errant 3rd party resource.

    Or to put it another way, if your company is using a 3rd party and feels all safe because things like PCI aren’t your concern, think again. Shuffling it off to a 3rd party doesn’t insulate you from the softer liability of public opinion. A liability that can turn out to be nearly as expensive as many of the more traditional ones, like getting sued.

    So it’s incumbent on us as organizations and security teams to make sure our vendors are up to snuff. Signing agreements isn’t sufficient – some hands-on work, potentially including self-conducted audits (if possible), may be required.

    Most of all, this brings into question the assumption that moving to a 3rd party really provides you the insulation you might think it does. Choose carefully, or you may get nearly as burned as if you had done it yourself.


  • Outlook email verbosity…

    I write HTML in Thunderbird because I like some rich formatting (an area I am sad to admit Thunderbird is weak on). In particular I do a lot of indented stuff, which Thunderbird translates to simple “<blockquote>” tags. However, when I moved to Outlook 2007 (which I don’t use for mail, but was just checking) and looked at my mail, I saw the “<blockquote>” tags were ignored; instead Outlook, which uses “Word” for its HTML formatting, expects to see these done through CSS “<div>” tags (yikes!).

    So, I got to looking and sent myself a simple one line, “Hello world” email from Outlook. Here’s what Outlook rendered it as:

    Yikes again!

    I’ll grant you Word offers a lot more in terms of formatting, but that’s out of control. I guess these guys may have a point!:

    http://fixoutlook.org/
    http://www.email-standards.org/

    Hilarious!


  • Eating ourselves alive…

    Here is yet another example of how the “good guys” are figuring out ways to subvert security to “help” us:

    http://www.h-online.com/security/Bootkit-bypasses-hard-disk-encryption–/news/113884

    Basically Peter Kleissner, a young and clearly very smart university student, has figured out how to inject a bootkit in front of TrueCrypt (an excellent and free encryption product) to subvert its protections.

    While I understand that “security by obscurity” is ultimately a flawed paradigm, I really don’t think the bad guys need any help. While some claim the bad guys would ultimately figure this stuff out, I’m not convinced. A lot of the malign stuff out there has at its basis attacks developed by “good guys”.

    While I entirely support the right to do and publish such work (unlike a number of large corporations that have sued to keep these hacks quiet), I do feel in many cases the publishing of these exploits is an act of ego and narcissism, a sort of destructive “showing off”.

    Anyway, down goes another.