A collection of ASCII-art protocol stack diagrams.
In the Debian kitty package, the kitty-open.desktop file would associate kitty +open with several MIME types. This could be used to trigger arbitrary code execution by serving a file with such a MIME type.
This has been introduced in kitty in 73a197fcd (2022-02-06), released as part of v0.24.3. This has been fixed in v0.26.5-5 of the Debian kitty package. Fixed upstream in 537cabca7, released in v0.29.0. Other distributions such as Ubuntu Lunar are still impacted.
Some tools and other notes for when you just want to analyze your structured log files locally using simple tools, with a focus on newline-delimited JSON (NDJSON) / JSON lines / JSON Text Sequences.
A simple way to display images in a terminal using the iTerm2 image protocol. This is supported by iTerm2, WezTerm and recent versions of Konsole.
Shell command injection and Emacs Lisp injection vulnerabilities in one of the Emacs Desktop Entry files (emacsclient-mail.desktop) leading to arbitrary code execution through a crafted mailto: URI.
I found an arbitrary file write vulnerability (through path traversal) which would be exploited for arbitrary code execution in Stellarium (desktop version).
An interesting spoofing attack resulting from the interaction between Firefox (or Thunderbird) MIME types handling and file managers.
A dangerous file type association in Debian which could be used to trigger arbitrary code execution.
Tutorial on how to get Carte Professionnel de Santé 3 (CPS3) smart cards to work with Firefox under Linux with a Kap&Link smart card reader. It has some information to understand the related lingo, how the different components interact and how you might try to enable support for a PC/SC (Personal Computer/Smart Card) / CCID (Chip/Smart Card Interface Devices) smart card reader which is not supported by the driver.
Some sequence diagrams about OAuth 2.x and OpenID Connect.
Some commands for interacting with the namespaces of Podman containers.
Executing the Stable Diffusion text-to-image model on an AMD Ryzen 5 5600G integrated GPU (iGPU).
How to extract the schema from a remote LDAP server and use it on an OpenLDAP instance.
Comparing the different Wi-Fi/WPA authentication and key distribution methods (PSK, EAP, SAE).
Some context and analysis about attacks on WebDriver implementations.
Lack of X.509 TLS certificate validation in OWASP ZAP (Zed Attack Proxy) could be used for man-in-the-middle attacks.
A DNS rebinding vulnerability I found in ReadyMedia (formerly MiniDLNA) v1.3.0 and below. This is CVE-2022-26505.
Some notes about how TLS v1.3 works. This is a follow-up of the previous episode about TLS v1.2. As before, the goal is to have a high-level overview of how the protocol works and of the role of the different messages, and to be able to understand (and debug) a network traffic dump.
Vulnerabilities found on the WebDriver endpoints of Selenium Server (Grid).
A DNS rebinding vulnerability I found in GeckoDriver which could be used to execute arbitrary shell commands. This is bug #1652612 and CVE-2021-4138.
Some notes about how TLS v1.2 (Transport Layer Security) works. The goal is to explain what is going on in a network traffic dump, the role of the different TLS extensions, the impact of the different cipher suites on security, etc. It includes several diagrams and many references.
The Diffie-Hellman (DH) key exchange (and variants thereof) is widely used in many protocols (such as TLS, SSH, IKE (IPsec), Signal, etc.) to bootstrap some symmetric key material which may then be used to secure a communication channel between two parties. This introduction focuses on the different ways the DH key exchange is used in practice in several protocols (especially TLS) and the impact of these different approaches on security. This is intended as a prelude to the upcoming episodes about how TLS works.
Manually inspecting the content of a French COVID-19 vaccination certificate QR code. The main intent is to show with a concrete example which data is actually included in the certificate.
I found a cross-origin/same-site request forgery vulnerability in chromedriver. It was rejected (won't fix) because it is only possible to trigger this from the cross-origin/same-site and not cross-site. In practice, it means it is really only possible to trigger this from another localhost-bound web application.
A Cross-Site Request Forgery (CSRF) vulnerability I found in GeckoDriver which could be used to execute arbitrary shell commands. CVE-2020-15660 has been assigned to this vulnerability. This was fixed by GeckoDriver v0.27.0 on 2020-07-27. This is bug #1648964.
GUPnP, a GNOME library for Universal Plug and Play (UPnP), was vulnerable to DNS rebinding attacks. This is CVE-2021-33516 and GUPnP issue #24. This was fixed in GUPnP 1.0.7 and GUPnP 1.2.5.
A quick summary about how DNS rebinding attacks work. The main motivation for this post is to have a diagram to show when explaining DNS-rebinding attacks.
Some notes about using the TUN/TAP interface, especially on Linux.
I found that the filtering of private IPv4 addresses in the DNS-over-HTTPS (DoH) implementation of Firefox could be bypassed. This is CVE-2020-26961 and Mozilla bug 1672528. It has been fixed in Firefox 83, Firefox ESR 78.5 and Thunderbird 78.5.
I found a DNS rebinding vulnerability as well as a Cross Site Request Forgery (CSRF) vulnerability on the DIAL (Discovery And Launch) implementation of the Samsung TV UE40F6320 (v1.0), from 2011. This can be used to open any installed application (e.g. Netflix and YouTube) and force the visualisation of a given video in the applications.
I found a DNS rebinding vulnerability on the Universal Plug-and-Play (UPnP) interface of the Samsung TV UE40F6320 (v1.0), from 2011. This could be used, for example, to change the channel, to know which channel is currently used or open the builtin browser to any URI.
Some notes about how to write a Frida script with the (somewhat classic) example of disabling certificate verification for TLS communications on Android applications.
I found some DNS rebinding vulnerabilities in Freebox devices (CVE-2020-24374, CVE-2020-24375, CVE-2020-24376, CVE-2020-24377) as well as a Cross Site Request Forgery (CSRF) vulnerability (CVE-2020-24373). These vulnerabilities were fixed on 2020-08-05.
This post describes the different software components involved in host name resolution and DNS configuration on GNU/Linux systems. It consists of a diagram and some accompanying explanations. The goal is to give some pointers and references to understand how to troubleshoot host name/DNS resolution problems and configuration problems on GNU/Linux systems.
Some scripts I wrote to enable system-wide push-to-talk (for X11 and PulseAudio). Some people might find it useful for the ongoing lockdown.
Some guidance about configuring/fixing domain name resolution with a corporate Virtual Private Network (VPN), especially OpenVPN and with systemd-based Linux systems. This configuration uses the internal/private corporate resolvers for resolving internal/private domain names while using the ISP resolver for general domain names. This might help if your VPN is struggling these days because of the COVID-19 threat 😷.
Using FlameGraph for displaying disk usage.
I was looking for an LLMNR command-line lookup utility. Actually, dig can do the job quite fine.
I thought I was understanding pretty well how bash argument processing and various expansions are supposed to behave. Apparently, there are still subtleties which trick me, sometimes.
How I found remote code execution vulnerabilities via Cross Site Request Forgery (CSRF) on the administration interfaces of InternetCube applications and of the YunoHost administration interface which could have been used to execute arbitrary code as root. These vulnerabilities were fixed in YunoHost 3.3, OpenVPN Client app 1.3.0 and YunoHost 3.4.
Here is the workflow I am using to generate simple text documents (resume, cover letters, etc.) from Markdown, YAML and Jinja2 templates.
Trying to bring back some old IP spoofing Firefox extension for watching South Park episodes.
In the previous episode, I talked about some argument and shell command injection vulnerabilities through URIs passed to browsers. Here I am evaluating some other CVEs which were registered at the same time (not by me).
I found an argument injection vulnerability related to the handling of the BROWSER environment variable in sensible-browser. This led me (and others) to a few other argument and shell command injection vulnerabilities in BROWSER processing and browser invocation in general.
In Tail Recursion In Python, Chris Penner implements (self) tail-call optimization (TCO) in Python using a function decorator. Here I am extending the approach for sibling calls.
A comparison of the different solutions for using SSH2 as a secured transport for protocols/services/applications.
Live sharing a terminal session to another (shared) host over SSH in read-only mode.
While looking at the OpenSSH ssh_config manpage, I found the ProxyUseFdpass configuration I did not know about. It is apparently not widely known or used.
This is an overview of some recent additions to the SimGrid code related to actor synchronisation. It might be interesting for people using SimGrid, working on SimGrid or for people interested in generic C++ code for synchronisation or asynchronicity.
There have been some articles lately about Intel Active Management Technology (AMT) and its impact on security, trust, privacy and free software. AMT is supposed to be widely deployed in the newest Intel hardware. So I wanted to see if I could find some AMT devices in the wild.
FlameGraph is used to display stack trace samples but we can use it for other purposes as well.
A simple way to create IP over UDP tunnels using socat.
In a previous post, I tried different solutions for tunnelling DNS over TLS. One of those solutions was using a dedicated DNS-over-UDP fake service replying to all queries with the truncate flag set: this was causing the stub resolvers to retry the query using a TCP-based virtual circuit. This solution is interesting because it is dead simple (it fits in a few lines of code) but it is clearly a hack. Here, I am using a dedicated DNS forwarder aggregating all the incoming DNS-over-UDP requests over a single persistent TCP virtual circuit.
RR is a very useful tool for debugging. It can record the execution of a program and then replay the exact same execution at will inside a debugger. One very useful extra power available since 4.0 is the support for efficient reverse execution which can be used to find the root cause of a bug in your program by rewinding time. In this example, we reverse-execute a program from a case of use-after-free in order to find where the block of memory was freed.
If you try to use mutt, you will wonder how you are supposed to handle multiple accounts. You will find suggestions to bind some keys to switch to different accounts, or to use hooks.
How to create a private on-demand PostgreSQL instance accessible only for the local user over UNIX socket.
Some notes on the ELF 🧝 file format with references, explanations and some examples.
In my previous SimGrid post, I talked about different solutions for a better isolation between the model-checked application and the model-checker. We chose to avoid the (hacky) solution based on multiple dynamic-linker namespaces in the same process and to use a more conventional process-based isolation.
Faster Than Light (FTL) is a very nice (and quite difficult) rogue-like-ish game with space battles, teleporters, management of the energy of your ship, asteroid fields, alien species, droids (drones), etc. It is quite cheap, DRM-free and available natively on Intel-based GNU/Linux. These are notes taken while trying to find out the format of the .dat files of the game containing the game assets, ship statistics, events, etc. when I had no access to the internet to find the solution. There is a companion C program, ftldat, for extracting the files within the archives and generating archives. Unsurprisingly, similar tools with the same name already exist. However, the description of the process of reverse-engineering a (very simple) binary format might be interesting for someone out there.
In Plasma 5, support for the XEmbed-based “legacy” systray protocol was removed: only the new SNI protocol is handled. However, a lot of applications still do not handle the new protocol: Qt4 and Qt5 applications can be fixed by installing sni-qt (currently in experimental) and libdbusmenu-qt5 respectively, but other applications (such as GTK ones) must be patched/recompiled with SNI support. Without this, windows disappear into oblivion 😿. You can have a seamless systray-enabled Plasma panel with a single (OK, two) line of shell 😼.
How to use html-pipeline in middleman.
The Executable and Linkable Format (ELF) is used for compilation outputs (.o files), executables, shared libraries and core dumps. The first cases are documented in the System V ABI specification and the Tools Interface Standard (TIS) ELF specification, but there does not seem to be much documentation about the usage of the ELF format for core dumps. Here are some notes on this.
The official guide for verifying the authenticity of a Debian 🍥 CD image is not so clear if you don't already have an idea about what you are doing. Here is a translation in terms of shell commands.
A short summary of the logging message workflow with systemd-journald (and the different formats and sockets involved).
I updated a Geeksphone Peak from Firefox OS 1.1 to Firefox OS 2.1 and it was not that easy.
Bundler is a tool to manage Ruby gem dependencies, install them and set up the execution environment. The homepage shows how to use it to install the gems alongside the ruby installation/systemwide, which is not so great. For some reason, I initially didn't find the option to install the gems locally (--path) and have been using horrible environment variable modifications to avoid the systemwide installation. In fact, this is quite simple…
The Broadband Forum has a lot of technical reports about the xDSL architecture but it is not so easy to find a good description of the global architecture. These are ASCII-art protocol stacks I inferred from those documents. What is in there may be wrong, feel free to correct me.
You might want to use an open recursive DNS server if your ISP's DNS server is lying. However, if your network/ISP is intercepting all DNS requests, a standard open recursive DNS server won't help. You might have more luck by using an alternative port or by forcing the usage of TCP (use-vc option in recent versions of glibc) but it might not work. Alternatively, you could want to talk to a (trusted) remote recursive DNS server over a secure channel such as TLS: by using DNS over TLS over TCP port 443 (the HTTP/TLS port), you should be able to avoid most filtering between you and the recursive server.
Some notes on ELF 🧝 loading and dynamic linking mainly for GNU userland (ld.so, libc, libdl) running on top of the Linux kernel. Some prior knowledge on the topic (virtual memory, shared objects, sections) might be useful to understand this.
Today, I managed to forget a password but I had an Icedove (Thunderbird) process running containing the password.
The Apache HTTP server ships with a split-logfile utility which parses Combined Log File entries prefixed with the virtual host: some notes about this and its inclusion in nginx and logstash.
In an attempt to simplify the development around the SimGrid model-checker, we were thinking about moving the model-checker out in a different process. Another different approach would be to use a dynamic-linker isolation of the different components of the process. Here is a summary of the goals, problems and design issues surrounding these topics.
In two previous posts, I looked into cleaning the stack frame of a function before using it by adding assembly at the beginning of each function. This was done either by modifying LLVM with a custom codegen pass or by rewriting the assembly between the compiler and the assembler. The current implementation adds a loop at the beginning of every function. We look at the impact of this modification on the performance of the application.
In order to help the SimGridMC state comparison code, I wrote a proof-of-concept LLVM pass which cleans each stack frame before using it. However, SimGridMC currently does not work properly when compiled with clang/LLVM. We can do the same thing by pre-processing the assembly generated by the compiler before passing it to the linker: this is done by inserting a script between the compiler and the assembler. This script will rewrite the generated assembly by prepending stack-cleaning code at the beginning of each function.
In the previous episode, we implemented an LLVM pass which does nothing. Now we are trying to modify this to create a (proof-of-concept) LLVM pass which fills the current stack frame with zero before using it.
The SimGrid model checker uses memory introspection (of the heap, stack and global variables) in order to detect the equality of the state of a distributed application at the different nodes of its execution graph. One difficulty is to deal with uninitialised variables. The uninitialised global variables are usually not a big problem as their initial value is 0. The heap variables are dealt with by memset-ing to 0 the content of the buffers returned by malloc and friends. The case of uninitialised stack variables is more problematic as their value is whatever was at this place on the stack before. In order to evaluate the impact of those uninitialised variables, we would like to clean each stack frame before using it. This could be done with an LLVM plugin. Here is my first attempt to write an LLVM pass to modify the code of a function.
I had a few Joomla posts that I wanted to clean up semi-automatically. Here are a few scripts, to pass the content of the clipboard (or the current selection) through a UNIX filter.
There are some good plugins to export Joomla content to WordPress. However, the free version does not rewrite the URIs. It is quite simple to read the Joomla database and generate a bunch of Apache Redirect directives.
The Wine 🍷 wiki has instructions for building a shared WoW64 Wine: this needs two out-of-source builds. The issue is that some development packages are not multiarch co-installable. Another wiki page for Ubuntu recommends setting up a 32-bit LXC. Here is how I did it without a 32-bit container on Debian 🍥 testing.
In the previous episode, I talked about the implementation of a same-page-merging page store. On top of this, we can build same-page-merging snapshots for the SimGrid model checker.
GDB can be used to get the stack each time a breakpoint is reached.
The first (lower) layer of the per-page snapshot mechanism is a page store: its responsibility is to store immutable, shareable, reference-counted memory pages independently of the snapshotting logic. Snapshot management and representation, as well as soft-dirty tracking, will be handled in a higher layer.
Many recent games do not provide an option to map the keys/axes of the gamepad to specific actions. They assume that the gamepad is Xbox compatible: if it is not, the game is completely unusable. SDL2 provides a way to calibrate a gamepad 🎮 in order to map its keys/axes to the “standard” Xbox ones.
Short tutorial about creating a custom keyboard layout without being root.
I looked at my options to achieve efficient/cheap snapshots of the simulated application for the Simgrid model checker using copy-on-write. Here I look at another solution to achieve this without using copy-on-write.
The SimGrid model checker explores the graph of possible executions of a simulated distributed application in order to verify safety and liveness properties. The model checker needs to store the state of the application in each node of the execution graph in order to detect cycles. However, saving the whole state of the application at each node of the graph leads to huge memory consumption and in some cases most of the time is spent copying data in order to take the snapshots of the application. We will see how we could solve this problem, using copy-on-write.
Flamegraph is a software which generates SVG graphics to visualise stack-sampling based profiles. It processes data collected with tools such as Linux perf, SystemTap, DTrace.