Ruxcon 2011

November 21st, 2011

My head’s just now starting to recover from 4 days of Ruxcon. 2 days training, 2 days conference, plus a lot of partying networking.

It’s the first properly security-related thing I’ve ever been to, but I was amazed just how quickly I was able to catch on to many of the modern techniques being used to pen test systems out in the wild right now. I don’t think it’s because I’m super smart, I think it’s because most of the flaws that are exploitable are super obvious and you really only need one piece of broken logic to get into somewhere you don’t belong. It was also quite impressive just how creatively a lot of the people there were able to look at 2 or 3 relatively minor bugs and escalate them into full system access.

Pen testing also isn’t all the low-level buffer overflow stuff I was expecting either. Sure, there are guys there who can do that and other much fancier stuff to exploit a buffer overflow, smash your stack and completely own your box, but there’s still the good ol’ “hmm, that ACL doesn’t look quite right”.

I managed to catch both talks by Adam and James from Insomnia. What impressed me most was that I understood almost everything these guys were doing. Furthermore, a lot of what James was talking about to escalate privileges in a Windows environment was stuff that I was tinkering with (sometimes a little too successfully) back at high school :/

Another pretty interesting stream was just how prolific SQL injection is. I thought (before Thursday) that parameterised SQL queries had solved all the injection problems and the world of IT security had moved on to harder targets. Turns out I was wrong. This seems to be mainly because half the programmers out there still haven’t actually heard about SQL injection :( It’s compounded by the fact that those who have probably don’t realise just how easy tools like sqlmap make it. With sqlmap you can take a blind SQLi (SQL injection) and have it fire up a SQL prompt that lets you write arbitrary select queries, or dump the DB to CSV… wow. Better yet, even parameterised SQL normally can’t parameterise the column names in an “ORDER BY”, so a lot of programmers will be using parameterised SQL thinking it makes them completely safe, when in fact they’ve just made it fractionally harder.
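To make the ORDER BY point concrete, here is an added example (mine, not from the talks or the post) using Python’s sqlite3 and a constructed `users` table: binding the sort column as a parameter silently does nothing useful, and the usual defence is an allow-list that maps permitted sort keys to column names before the name is spliced into the query.

```python
import sqlite3

# Constructed sample table for this example; not data from the post.
ROWS = [(3, "carol", 42), (1, "alice", 7), (2, "bob", 19)]

# Allow-list mapping the sort keys a caller may request to real column names.
# This is the usual fix for the ORDER BY gap: the column name never comes
# from user input, only the lookup key does.
SORT_COLUMNS = {"id": "id", "name": "name", "score": "score"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, score INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def bound_order_by(conn, sort_key):
    """What people try first: the sort column as a bind parameter.

    It neither errors nor sorts by that column. The driver binds a string
    constant, so every row gets the same sort value and the requested order
    is silently ignored. That is why ORDER BY ends up built by string
    concatenation, and why it needs a different defence from the WHERE clause."""
    sql = "SELECT id, name, score FROM users ORDER BY ?"
    return conn.execute(sql, (sort_key,)).fetchall()


def allowlisted_order_by(conn, min_score, sort_key, descending=False):
    """Bind data values (min_score) as usual; for ORDER BY, splice in only a
    column name looked up in SORT_COLUMNS and refuse anything else."""
    try:
        column = SORT_COLUMNS[sort_key]
    except KeyError:
        raise ValueError(f"unsupported sort key: {sort_key!r}") from None
    direction = "DESC" if descending else "ASC"
    sql = ("SELECT id, name, score FROM users WHERE score >= ? "
           f"ORDER BY {column} {direction}")
    return conn.execute(sql, (min_score,)).fetchall()


def rejects(conn, sort_key):
    """True if the allow-listed query refuses this sort key."""
    try:
        allowlisted_order_by(conn, 0, sort_key)
    except ValueError:
        return True
    return False
```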

There was way too much other cool stuff to talk about, I’m definitely going to try and go again next year.

SysAdmin

Subversion my home directory

September 22nd, 2011

Every now and then I see someone asking about an alternative to using Dropbox to manage their dot files in their home directory.

A fair while ago (at least 2 years) I started using Subversion to do this. At some point I wrote a script that can be put in my user’s cron file to automate updates and commits.

I figured I would finally publish it so that others can use or improve (or simply abuse) it.

I also decided to finally set up a github account, so it can be found there.

To use it I put lines like this in “crontab -e”:

# pidgin - 1 day of lag ok
49 */2 * * * . /home/foo/.ssh/agent; /home/foo/path/to/subversion_auto_sync --max-lag=$((24*60*60)) /home/foo/.purple

This runs subversion_auto_sync every 2 hours on the given directory in my home (here my Pidgin directory), with my ssh-agent environment loaded to allow automated (but secure) key-based authentication. This example will not run an update for up to 24 hours since the last update, but it will always commit if local modifications have occurred. This provides gradual synchronisation of my Pidgin logs between all the desktops and laptops I use.

I’ve got the vast bulk of my important home directory files either in Subversion using something similar to what’s above, or being synchronised with Unison.

Code

Oops I needed that partition table…

August 15th, 2011

I just lost the partition table on a drive with a non-standard layout and managed to get the data back… phew.

I originally had something like:

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          26      208813+  83  Linux
/dev/sda2              27        3943    31463302+  8e  Linux LVM
/dev/sda3            3944        5221    10265535    7  HPFS/NTFS

Note: partition table above is from a VM I spun up to write this entry.

That is to say I had a drive dual booting Linux and Windows, with Windows at the end of the drive (because Russel sort of implied it was better).

The person who owns the drive in question wanted all the space claimed by Linux reallocated back to Windows.

After confirming backups of critical documents I fired up gparted from a live CD… which all seemed swimmingly OK until the laptop powered off (because the power plug had dropped out and the battery went flat).

After trying to boot up I discovered a corrupted partition table.

This would probably be OK (given the backups of documents) if not for the fact that I had no appropriate Windows installation media and the owner of the laptop couldn’t find the original installation disks.

Oh noes! (I scream loudly inside my head so as not to alarm the owner of the laptop.)

After booting back into the live CD I have a partition table that looks more like this:

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          26      208813+  83  Linux
/dev/sda3              27        1304    10265535    7  HPFS/NTFS

“Ok,” I hear you saying, “just rewrite the partition table with the output you saved from ‘fdisk -l’ before starting. Oh, you didn’t save the output before starting…”

After a bit of hair pulling (and googling) I come across gpart.

It found the old partition without breaking a sweat:

root@ubuntu:~# gpart /dev/sda

Begin scan...
Possible partition(Linux ext2), size(203mb), offset(0mb)
Possible partition(Windows NT/W2K FS), size(10024mb), offset(203mb)
Possible partition(Windows NT/W2K FS), size(10024mb), offset(30929mb)
End scan.
[...]
Primary partition(3)
   type: 007(0x07)(OS/2 HPFS, NTFS, QNX or Advanced UNIX)
   size: 10024mb #s(20531070) s(63344295-83875364)
   chs:  (1023/254/63)-(1023/254/63)d (3943/0/1)-(5220/254/63)r
[...]

After talking to fdisk nicely I was able to convince it to create the partition table that gpart was suggesting, and was subsequently able to mount, resize properly and validate the partition with the Windows chkdsk tool… phew, crisis averted.
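Before telling fdisk to recreate a partition from gpart’s guess, the check I would want is that gpart’s sector range lands on the same cylinder boundaries and block count the original table showed. This is an added example (not from the post or from gpart) that does that arithmetic with the numbers above; it assumes the legacy 255-head/63-sector geometry fdisk printed as 1023/254/63 and 512-byte sectors.

```python
# Legacy CHS geometry fdisk assumed for this drive (gpart shows it as
# 1023/254/63, i.e. 255 heads x 63 sectors per track); 512-byte sectors.
SECTORS_PER_TRACK = 63
HEADS = 255
SECTORS_PER_CYL = HEADS * SECTORS_PER_TRACK   # 16065
SECTOR_BYTES = 512


def fdisk_blocks(start_cyl, end_cyl):
    """Reproduce fdisk's 'Blocks' column from its 1-based start/end cylinders.

    Partition 1 starts after the MBR track (sector 63); later partitions start
    on a cylinder boundary. Blocks are 1 KiB, and a trailing '+' marks an odd
    sector count, which is why the original table shows 208813+ and 31463302+."""
    first = SECTORS_PER_TRACK if start_cyl == 1 else (start_cyl - 1) * SECTORS_PER_CYL
    last = end_cyl * SECTORS_PER_CYL - 1
    nsect = last - first + 1
    return f"{nsect // 2}{'+' if nsect % 2 else ''}"


def gpart_to_fdisk(first_sector, last_sector):
    """Convert a gpart 's(first-last)' sector range into fdisk's 1-based cylinder
    range, its Blocks string and the MiB size gpart reports.

    gpart's chs line is 0-based (3943-5220), fdisk's table is 1-based (3944-5221).
    Raises if the range is not cylinder aligned, which would mean the guess does
    not correspond to a partition fdisk would have created on this disk."""
    start_cyl, rem_start = divmod(first_sector, SECTORS_PER_CYL)
    end_cyl, rem_end = divmod(last_sector + 1, SECTORS_PER_CYL)
    if rem_start or rem_end:
        raise ValueError("sector range is not cylinder aligned")
    nsect = last_sector - first_sector + 1
    size_mb = nsect * SECTOR_BYTES // (1024 * 1024)
    return start_cyl + 1, end_cyl, fdisk_blocks(start_cyl + 1, end_cyl), size_mb


if __name__ == "__main__":
    # gpart's primary partition 3 from the scan above: s(63344295-83875364)
    print(gpart_to_fdisk(63344295, 83875364))   # (3944, 5221, '10265535', 10024)
```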

Next time I’m dd’ing the disk to a USB drive first, no matter how long it takes.

Uncategorized

Attack of the killer line endings

April 13th, 2011

If you save a bash script on Windows or email it as a plain text attachment through most Windows email clients, your script will probably stop working.

Why?

Hah! I’m not going to tell you yet, first try it out.

Download the killer_newlines script somewhere and confirm it’s not going to do anything evil:

$ curl -s http://lyte.id.au/bash/killer_newlines > killer_newlines
$ cat killer_newlines
#!/bin/bash
echo Hello World

Looks good, it doesn’t do anything dangerous.

Let’s run it to make sure it still works:

$ chmod +x killer_newlines
$ ./killer_newlines
bash: ./killer_newlines: /bin/bash^M: bad interpreter: No such file or directory
$ bash killer_newlines
Hello World
: command not found: line 3:

Huh, what just happened?

Unix just uses LF (line feed, ‘\n’, 0x0A, 10 in decimal) to signify the end of a line, whereas Windows (and DOS) also put a CR (carriage return, ‘\r’, 0x0D, 13 in decimal) before it.
See Wikipedia’s Newline article for more info.

Bash only copes with Unix-style line endings and we’ve introduced non-Unix line endings.

But what specifically is happening, why is the error so bizarre?

Bash is trying to execute a command named ‘\r’. Given there’s (usually) no ‘\r’ executable in $PATH, it errors.

You may also want to play around with these:

$ bash <(printf 'echo Hello World')
Hello World
$ bash <(printf 'echo Hello World\n')
Hello World
$ bash <(printf 'echo Hello World\n\r')
Hello World
: command not found

Weird huh?
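The two failures above come from two different parsers: the kernel reading the `#!` line and bash splitting words. This added example (mine, not the post’s script) models both on a constructed stand-in for killer_newlines, and shows that a dos2unix-style CRLF fix still misses the lone CR from the last printf case.

```python
import re

# Constructed stand-in for the post's killer_newlines script: a CRLF after the
# shebang and a stray CR on a line of its own. Not the file the post downloads.
SCRIPT = b"#!/bin/bash\r\necho Hello World\n\r"


def interpreter_from_shebang(data):
    """Mimic how the kernel reads a '#!' line: everything up to the first LF,
    then the first blank-separated word. A CR is not a separator, so it stays
    glued to the path, which is the '/bin/bash^M: bad interpreter' error."""
    first_line = data.split(b"\n", 1)[0]
    if not first_line.startswith(b"#!"):
        return None
    return re.split(rb"[ \t]+", first_line[2:].strip(b" \t"))[0]


def cr_report(data):
    """List (line number, command word bash would see) for every line that
    contains a CR. bash splits words on space, tab and LF, never on CR, so a
    CR on an otherwise empty line becomes a command named '\\r' (line 3 here,
    matching the 'line 3' in the error output above)."""
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        if b"\r" in line:
            word = re.split(rb"[ \t]+", line.strip(b" \t"))[0]
            findings.append((lineno, word))
    return findings


def crlf_to_lf(data):
    """The dos2unix-style fix: only CRLF pairs are touched, so a lone CR (like
    the printf 'echo Hello World\\n\\r' case) survives and still needs cr_report
    to catch it before the script is trusted to run."""
    return data.replace(b"\r\n", b"\n")


if __name__ == "__main__":
    print(interpreter_from_shebang(SCRIPT))   # b'/bin/bash\r'
    print(cr_report(SCRIPT))                  # [(1, b'#!/bin/bash\r'), (3, b'\r')]
    print(cr_report(crlf_to_lf(SCRIPT)))      # [(3, b'\r')]
```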

Code, SysAdmin

Stop typing www.

April 11th, 2011

It’s hard to pronounce.

It’s an outdated habit.

The first website didn’t have a “www.” prefix.

You have to type 4 extra characters each time you use it.

Websites that render pages both with and without a “www.” prefix have cache coherency problems.

Stop it, stop it now.

From now on http://www.lyte.id.au/* will redirect to this post, just to spite you.

Have a nice day.

Uncategorized

Checking for apt security updates with Nagios

April 7th, 2011

On Ubuntu the update-notifier-common package provides a simplistic API to ask if there are security updates available.

I’ve written a little script to convert the output so that I can monitor multiple machines using Nagios:

#!/bin/bash

# Munge output of apt_check.py suitably for Nagios
#
# @author David Schoen - http://lyte.id.au/

# apt_check.py outputs <total updates as int>;<security updates as int> to stderr
# we take this, redirect it to stdout and then read it into local variables
IFS=';' read -r total security < <(/usr/lib/update-notifier/apt_check.py 2>&1)

# If apt_check.py failed or printed something unexpected, don't silently report OK
# (an empty $security would otherwise compare equal to 0): report UNKNOWN (exit 3)
# and show what was actually read.
if ! [[ $total =~ ^[0-9]+$ && $security =~ ^[0-9]+$ ]]; then
	echo "APT UNKNOWN - unexpected output from apt_check.py: '$total;$security'"
	exit 3
fi

if [[ $security -eq 0 ]]; then
	echo "APT OK - $security security, $total total updates"
else
	echo "APT WARNING - $security security, $total total updates"
	exit 1
fi

Place this somewhere Nagios (or NRPE) can execute it and call it like you would any other check command.

SysAdmin

Remembering long running commands

April 6th, 2011

At least once a day I’ll start a command that runs for a few hours.

Usually I attach a sendmail command to the end of it so that I’ll know when it completes like so:

$ some really slow command; \
echo "Subject: some really slow command has completed" \
| sendmail me@exmaple.com

… but sometimes I just forget.

On Solaris I previously fired up a second screen session at this point and wrote something like:

$ pwait <pid of some really slow command>; \
echo "Subject: some really slow command has completed" \
| sendmail me@exmaple.com

but in Linux I haven’t been able to achieve the same thing:

$ wait 1234
bash: wait: pid 1234 is not a child of this shell

so I’ve been looking for an alternative solution.

I finally figured it out.

Press ctrl+z to pause the process:

$ some really slow command
[1]+  Stopped                 some really slow command

then simply foreground the process with the usual email alert appended on the end:

$ fg; \
echo "Subject: some really slow command has completed" \
| sendmail me@exmaple.com

SysAdmin

Tracking yourself in Apache logs

March 11th, 2011

Sometimes I want to filter out all log lines that aren’t generated by me when I’m debugging a problem with web servers.

At some point I worked out this trick and I thought I’d share it for others.

In Firefox it’s relatively trivial to add a unique string to your user agent. Fire up the about:config interface and add a new key like general.useragent.extra.yourname with a unique value.

Then you can simply grep for your unique string in access logs:

root@foo:/var/log/apache2# tail -f access.log | grep 'lyte - asdf123123'
bar.example.com:80 127.0.0.1 - - [11/Mar/2011:01:48:06 +1100] "GET / HTTP/1.1" 200 497 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.14) Gecko/20110221 Ubuntu/10.04 (lucid) Firefox/3.6.14 lyte - asdf123123"

SysAdmin

Check your ~/.xsession-errors file

January 24th, 2011

Recently my backup drive started filling up really quickly:

1.4M 2011-01-03_033006/home/xxxx/.xsession-errors
1.4M 2011-01-04_033006/home/xxxx/.xsession-errors
1.5M 2011-01-05_033006/home/xxxx/.xsession-errors
 16K 2011-01-06_033005/home/xxxx/.xsession-errors
8.0K 2011-01-07_072908/home/xxxx/.xsession-errors
 72K 2011-01-08_094527/home/xxxx/.xsession-errors
228M 2011-01-09_033006/home/xxxx/.xsession-errors
3.4G 2011-01-10_213703/home/xxxx/.xsession-errors
6.2G 2011-01-11_033006/home/xxxx/.xsession-errors
10.4G 2011-01-12_033006/home/xxxx/.xsession-errors
12.3G 2011-01-13_033006/home/xxxx/.xsession-errors
15.1G 2011-01-14_033006/home/xxxx/.xsession-errors
...
27.5G 2011-01-21_033005/home/xxxx/.xsession-errors

… you get the point.

Anyway, because I’m storing every file that’s modified during the day again and again every night, my backups were growing by at least the size of the .xsession-errors log, which is suddenly HUGE.

I should probably look into why that file is suddenly growing ultra quickly, but for now I think I’ll just exclude it from my backup.

Uncategorized

Export all Tomboy Notes

October 5th, 2010

Recently I’ve been trying Tomboy, but I’m giving up.

I haven’t found a good method of exporting all notes at once either built in or via a readily available plugin. You can import linked notes and even follow them recursively, but some of my notes don’t have direct links as they are intentionally only locatable via search.

To make the export work better I ended up creating a note that created a single link to every other note using xpath under bash.

First, move to the notes directory:

cd ~/.local/share/tomboy

Then, for every note grab the title using xpath:

# print each note's <title> element, then strip the tags
for i in *.note; do
    xpath -q -e '/note/title' "$i"
done \
| sed -r 's%^<title>(.*)</title>%\1%'

Note: The sed command is a horrible hack because I couldn’t find a graceful way to make xpath give me the value of the node without printing the actual tags that are matched. I was on the edge of writing a full-blown script, but sed was good enough.

Copying the output of that into a new note automatically created the links, and exporting that note gave me HTML output that was much easier to move around.

Stuff