Friday, August 31, 2007

Thwarting the Evil Thinkpad T61 ESC Key

Since I am not an emacs wanker and the T-61's ESC key is small and way the hell away, I get the GNOME help screen only like 40-50 times a day (and have been for the last 3 month). But no more. Enough is Enough.

xmodmap -e "keycode 67 = Escape"

Shiner comers to Skokie!


I was shocked last night to see Shiner Bock in the cooler at the seedy little Austin Liquor store. (For the record, Dempster & Crawford is about as far from Austin, TX as you can get.) But it made up from the quirky Russian, Czech, and Israeli beer I've bought at the village market. Although a Shiner on tap would be even better! Since I took the afternoon off, must get off the computer and enjoy the gorgeous weather that you wouldn't see in Texas until November.

Tuesday, August 28, 2007

My Year at Digital Bond and Gifts that Keep On Giving



Although I have since sworn off fuzzing (I've been clean for quite some time, I promise) I was pleased to see that the small toolset I developed for fuzzing TPKT, COTP, and OSI protocols used by ICCP, MMS, and IEC61850 was released to vetted Digital Bond subscribers.

Bring on the clueless news stories.

Of course there were a lot of tragedy and comedy that happened behind the scenes (but none that trumped when the crappy Python fuzzer I wrote in CIAG back in 2002 was called "threat to national security" now that was truly a happy day and the tragedy? the frightening number of emails on the topic to various members of Cisco PSIRT arguing about whether or not said tool should ever see the light of day) that only a handful of folks will ever be privy to, but one of the more amusing anecdotes that is public (if you know the right google keywords) was when a private email I sent to board members of the UCA Foundation asking for contact information for a couple of the smaller SCADA vendors got posted their sharepoint site you can imagine the fun that was had by all end users started asking "what up with that?" to their vendors. And, no doubt, some heated emails were exchanged between myself and others. Ah, sweet memories.

Thursday, August 23, 2007

Non-Jython News and the irrelevance of Jython

So JDJ has an article on a major upgrade in Jython 2.2


Jython 2.2 has support for most of Python 2.2 and numerous features from Python 2.3. The new release - the first major overhaul in 4 years - includes many major changes:

* new-style classes
* Java Collections integration
* PEP 302 implementation
* iterators
* generators
* __future__ division
* support for running on JDK1.5 and 1.6
* new installer
* a significant number of features to bring Jython in line with CPython


Compatible with 2.2? Who cares? Given the incompatibilities between 2.3 and 2.4 (let alone 2.2 and 2.4) this makes Jython basically unusable.

JRuby has clearly won the war here in terms of major scripting languages to use with Java and that is too bad.

Wednesday, August 22, 2007

RSnake vs. TQBF: As we used to say at Cisco, "Two Man Enter: One Man Leave"

Apart from the 4-packs of sparkling fruit drinks they had in San Jose, probably the best thing about working at Cisco was the online directory. Working at a large company that has a Notes based online directory, I really, really, really, really miss directory.cisco.com (I think that's what it was, but hey is it resolves, so it must exist as does my old workstation samara.cisco.com, woo-ho!).

Not only could you watch as ordinary "Software Engineers" became "Technical Leaders" (and you knew they were either a grade 11 or 12 by then and could then guess at their bonus percentile) there were pictures! So you could tell who was shooting for the stars when they replaced their first day digital camera picture (yes I was so happy to have left Southwestern Bell/SBC and at $54 the stock could only go up!) with an executive portrait in a suit and tie and the blueish Sears portrait studio style backdrop. And any directory.cisco.com blog entry would be incomplete without stories of the SPA engineer[s] that used curl-cron jobs (or whatever) during the "Hundred Year Flood" (the term Chambers gave to the big round of layoffs in the Spring of '01) to track which organizations and individuals we "impacted."

But back to the pictures! So much you could do with these pictures. During a "management transition" my cube-mate created javascript popups of our new boss all over his screen to let him know that our new boss was always watching him (and improving his productivity!). Other folks replaced their photo's with arbitrary URLs of their favorite movie characters. I sent out one of a crazy looking crypto program manager spoofed from misterx@cisco.com. Who was this Mr. X? What did he want? Those were the days. And that is what happens when you are in a overhead group with no revenue responsibilities or infrastructure to operate and maintain.

But the best were the cage matches. You picked (and printed out) a crusty old distinguished engineer that had the vagrant/professor look down and imaged him battling the VP/GM of some switching BU that looked like the bully that kicked your ass in 7th grade. And you watch them fighting, brawling, swinging, until one was left standing. And you would shout, "Two Man Enter: One Man Leave!"

* * *

Oh yeah if you are taking the day off (I haven't logged into the VPN once!) and are looking for a fun read, check out Robert Hansen Loses His Sh*t Over Google Gadgets. A classic cage match, Cisco Austin Building 3 style.

Monday, August 20, 2007

CVE-2007-4091 and the Lack of Actionable Info in Vulnerability Disclosures

I was going to blog on something more interesting tonight -- like Cormac McCarthy's Novel, The Road which I read in almost one sitting yesterday evening -- but I got distracted by the new rsync vulnerability disclosed last Wednesday which once again show how little useful information (from the point of view of an end user/administrator) shows up in the disclosures by either the vendors or the finders.

For example:
It still pays to have a look at open source projects.
rsync 2.6.9 contains two off by one stack overflows, one from which the target buffer is next to the
saved frame pointer.
The problematic function is f_name().
Obviously it expects a target buffer size
of MAXPATHLEN bytes. Otherwise
the size parameter calculation to
strlcpy() is wrong.
Lets have a look at f_name() calls within the two following pictures.
An offset is added to the fname buffer
which is of size MAXPATHLEN.
The offset is the stringlen of dir.root
plus one (due to the slash).
Within successfull_send(), the buffer
should be neighbor of the saved

And USN-500-1 is only slightly more useful:

Sebastian Krahmer discovered that rsync contained an off-by-one miscalculation when handling certain file paths. By creating a specially crafted tree of files and tricking an rsync server into processing them, a remote attacker could write a single NULL to stack memory, possibly leading to arbitrary code execution.
So this is only a server issue? In my state of exhaustion (had to work most of the weekend) I am more worried about attacks against the "client?" Like a more trusted centralized server pulling files from many more exposed (less trusted) server. So an attacker creaties a malicious path (greater than 1024) on a remote server (plus whatever else is needed...) to compromise the "rsync client" pulling from the servers? If I'm running rsync+ssh am I just as vulnerable? Is this only an rsyncd issue?

Of course most bug finders could give a shit about real access world issues that ultimately allow risk decisions to be made, and help folks that run systems must be upgraded immediately, which can wait? Or how does this vuln compare to others?
I'm not sure I buy the CVSS 6.8 in the NVD. The NVD entry says this is a pre-auth?

I think you get the point here. More questions than answers. Or do you just blindly update the .deb or RPM? So Ubuntu and Debian have updates out but doesn't look like this is in FreeBSD ports yet and nothing in CVS yet. And the rsync in OSX, can you say 2.6.3

Forget about it.

Sunday, August 12, 2007

Any luck ILO100 (DL145G3) on non-Windows JVM?



So HP DL145 G3's are nice, cheap (non-RAID), AMD-64 1U servers with Lights Out Management (they use the ILO100s built by ServerEngines) and the Java Applet KVM (which runs VNC or something like it) worked well on OSX, Linux, and obviously Windows for the eval hardware we had from HP. But whatever the version of only works with the JRE1.4.2-13 of Windows. Using any other JVM results in a NullPointer Exception and the message "General Exception: Optional Package Installation is Aborted"



Anyone else have luck? Oh well, guess I'll be dealing with HP support this week, wish me luck.

Sunday, August 05, 2007

BWM-NG + Ruby for Gathering Network Stats

BWM-NG is a great tool for getting real time stats, but by using the CSV output you can capture historical data as well.

# bwm-ng -o csv -t 2500 -c 1 -C,
1186367009,em2,198.09,50.12,248.21,126,498,0.40,0.80,1.19,2,1,0.00,0.00,0,0
1186367009,lo0,0.00,0.00,0.00,0,0,0.00,0.00,0.00,0,0,0.00,0.00,0,0
1186367009,total,198.09,50.12,248.21,126,498,0.40,0.80,1.19,2,1,0.00,0.00,0,0

So to make use of this, we'll need some sort of Time/Date API to convert the etime into something useful as well as the CSV parser.

#!/usr/bin/env ruby
require 'csv'
require 'pp'
require 'date'

bytes={}
packets={}
errors={}
cmd = 'bwm-ng -o csv -t 2500 -c 1 -C,'
p = IO.popen(cmd) do |f|
f.each_line do |g|
h = CSV::parse(g).flatten
$dtg = Time.at(h[0].to_i).to_s
interface = h[1]
bytes[interface] = h[2..4]
packets[interface] = h[7..9]
errors[interface] = h[14..15]
end
end

puts "Date: #{$dtg}"
bytes.keys.sort.each do |i|
puts "\nInterface: #{i} (TX/RX/Total)"
print "Bytes:"
pp bytes[i]
print "Packets:"
pp packets[i]
print "Errors:"
pp errors[i]
end


And the output looks like

# ./rbbw.rb
Date: Mon Aug 06 03:35:17 +0000 2007

Interface: em2 (TX/RX/Total)
Bytes:["128.88", "76.37", "205.25"]
Packets:["0.80", "1.19", "1.99"]
Errors:["0", "0"]

Interface: lo0 (TX/RX/Total)
Bytes:["133.65", "133.65", "267.30"]
Packets:["1.59", "1.59", "3.18"]
Errors:["0", "0"]

Interface: total (TX/RX/Total)
Bytes:["262.53", "210.02", "472.55"]
Packets:["2.39", "2.78", "5.17"]
Errors:["0", "0"]


Where these are obviously rate values (per second) for a very boring FreeBSD VM.