Matthew Dempsky found a bug in TinyDNS, and its author, Daniel Julius Bernstein, has a Security Guarantee that rewards whoever first finds an exploitable bug with $1000. He says he is going to honour it! I love this guy…
Author: muelli
Moore's Law
PyFon – Being a Fonero
The problems I described last time are gone now 🙂 The paramiko mailing list is, besides the pretty good documentation, a very good information resource.
So I built a Fon client in Python which allows you to login to the Fon server and make your Fonera officially online.
So in order to get your copy of PyFON, do a
hg clone http://hg.cryptobitch.de/pyfon
To use it, simply give the MAC address of your Fonera's wireless interface as an argument and run it, or do it in a more sophisticated way:
muelli@xbox:~/hg/pyfon$ python ./src/pyfonclient.py --loglevel info --firmware 0.7.2 --revision 3 --mode cron --ethernetmac 00:18:84:fo:ob:ar 00:18:84:fo:ob:ar
INFO:root:Connecting to host: download.fon.com:1937 as user: openwrt
INFO:paramiko.transport:Connected (version 2.0, client OpenSSH_4.3p2)
INFO:paramiko.transport:Authentication (publickey) successful!
INFO:root:Connect finished
INFO:paramiko.transport:Secsh channel 1 opened.
INFO:root:Found _auth_string: mode='cron' wlmac='00:18:84:ff:ee:dd' mac='00:18:84:fo:ob:ar' fonrev='3' firmware='0.7.2' chillver='1.0-1' thclver='1.0' device='fonera'
INFO:root:Finally closing everything
muelli@xbox:~/hg/pyfon$
If you increase the loglevel to, say, debug, then you'll get the script which Fon sends you and expects you to execute. If you change your password via the Fon web interface, you'll see your new password in that script.
So if you wanted to disrupt the Fon network, you could iterate over all Fon MAC addresses and fetch whatever configuration changes have been queued for each of them, and by that you'd get the new passwords as well, of course… The SSH key comes out of the firmware and is the same for every Fonera, so the only thing that tells the server which router is talking is the MAC address the client itself puts into that string.
Another funny thing is that the Fon server sends you its banner if you explicitly request a shell:
In [1]: import pyfonclient
In [2]: c = pyfonclient.Client()
In [3]: c.connect()
In [4]: channel = c.client.invoke_shell()
In [5]: channel.recv_ready()
Out[5]: True
In [6]: buf=""
In [7]: while channel.recv_ready():
   ...:     buf += channel.recv(1)
   ...:
In [8]: print buf
Linux fonesfat02 2.6.18-6-amd64 #1 SMP Sun Feb 10 17:50:19 UTC 2008 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
In [9]:
But you can’t execute any command…
Patches are, as always, welcome 🙂
Free FON
You might know that FON thing, which basically provides you with WiFi in many places. They give you an access point which they expect you to run, providing WiFi to others. In return you are eligible to use other people's WiFi.
The access point they give you connects to the main server with a script and tells it that it's online. The server then grants you access to other WiFis.
If you flash the access point, which is called "Fonera", with e.g. OpenWrt, then you lose that script. This is pretty bad because you *do* provide free WiFi to people (unless you don't run an open WiFi) but lose the right to use others'.
There are sites out there which describe how to do the "heartbeat" yourself, but they have major drawbacks:
- They are written in Bash
- The key used is in dropbear format, and not OpenSSH
Also note that you can fetch the files from the Fon development site and take that heartbeat script from there.
Thanks to this site I found a way to convert the dropbear key to the OpenSSH format (/usr/lib/dropbear/dropbearconvert dropbear openssh fonkey fonkey.ssh), but that bash thing is still ugly. Also, to use OpenSSH, you have to fiddle with the permissions of the key file, etc.
So in order to run that heartbeat thing properly on, say, your PC, you don't want to depend on dropbear or "nvram" to get the MAC address of your wireless interface. You might want to run the following script; of course you have to adapt the variables first. I'm trying to get rid of Bash, but I still have a few problems with Python's SSH package: I can't send something to "stdin", like "echo 'foo' | ssh bar" does.
#!/bin/sh
#
# version 1.1.0
THINCLIENTPATH="/tmp"               # path of this file
ROOTHOME="/tmp/root"                # root's home dir
SSHPATH="/usr/bin/ssh"              # path to ssh
KEY="/tmp/fonkey.ssh.1"             # private key for fetching the info from the FON server
THINCLIENTOUT="/tmp/.thinclient.sh" # output file
THINCLIENTOUTDEFAULT="33"           # default size of the output file
THCLVER="1.0"
CHILLVER="1.0-1"
FONREV="2"                          # /etc/fon_revision
FIRMWARE="0.7.2"                    # taken from /etc/banner (without Beta)
DEVICE="fonera"
USER="openwrt"
SERVER="download.fon.com"
PORT="1937"
# MAC addresses of the Fonera's wireless and ethernet interface. The Fonera
# reads them from nvram; on a PC you adapt them by hand.
MAC="00:18:84:ff:ee:dd"
ETMAC="00:18:84:fo:ob:ar"
# OpenSSH records host keys for non-standard ports as "[host]:port" in
# known_hosts, so the bare hostname that dropbear uses would not match.
FONSIG="[$SERVER]:$PORT ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0zJFtj5NtrVsj8+qG0dtPE8WpHHDpTXp5+d3vvtSS7Hx7vYHyrfN/8PBVrrYOgl4dySY65sGtq34EU04VN4a7xQHSKJBunDUSQ/2Xz+eyo53LCVeFy1zNRCmB6jrFlJQvl5yviLvXmMtOGxG8Z1dfu4qavfGtBxwtwxKPKuiyhs="

check_env () {
  # $KEY is the key converted with dropbearconvert (see above);
  # OpenSSH refuses a private key that is group- or world-readable
  if [ ! -r "$KEY" ]; then
    echo "Something is wrong, $KEY does not exist!"
    exit 1
  fi
  chmod 600 "$KEY"
  mkdir -p "$ROOTHOME/.ssh"
  grep -qs "$SERVER" "$ROOTHOME/.ssh/known_hosts" \
    || echo "$FONSIG" >> "$ROOTHOME/.ssh/known_hosts"
}

exec_cron_mode () {
  check_env
  # random delay of 0-9 seconds so that not every Fonera hits the server at once
  sleep "$((0x$(head /dev/urandom | hexdump | awk '$2 > 0 {print $2}' | head -n1) % 10))"
  echo "mode='cron' wlmac='$MAC' mac='$ETMAC' fonrev='$FONREV' firmware='$FIRMWARE'" \
    | $SSHPATH -T ${PORT:+ -p $PORT}${KEY:+ -i $KEY} "${USER}@${SERVER}" > "$THINCLIENTOUT"
  echo "sent: mode='cron' wlmac='$MAC' mac='$ETMAC' fonrev='$FONREV' firmware='$FIRMWARE'"
  exec_check_thinclient
}

exec_start_mode () {
  sleep 10 # make sure WAN is up and crond is running
  check_env
  [ -f "/tmp/crontab" ] || touch /tmp/crontab
  grep -q thinclient /tmp/crontab \
    || echo "24,54 * * * * root $THINCLIENTPATH/thinclient cron > /dev/null 2>&1 &" >> /tmp/crontab
  echo "mode='start' wlmac='$MAC' mac='$ETMAC' fonrev='$FONREV' firmware='$FIRMWARE' chillver='$CHILLVER' thclver='$THCLVER' device='$DEVICE'" \
    | $SSHPATH -T ${PORT:+ -p $PORT}${KEY:+ -i $KEY} "${USER}@${SERVER}" > "$THINCLIENTOUT"
  echo "sent: mode='start' wlmac='$MAC' mac='$ETMAC' fonrev='$FONREV' firmware='$FIRMWARE' chillver='$CHILLVER' thclver='$THCLVER' device='$DEVICE'"
  exec_check_thinclient
}

# The server answers with a shell script. The Fonera executes it; this
# version only shows it to you, so what it would have done is visible.
exec_check_thinclient () {
  if [ -f "$THINCLIENTOUT" ]; then
    THINSIZE=$(( $(wc -c < "$THINCLIENTOUT") ))
    if [ "$THINSIZE" = "0" ]; then
      echo "Something is wrong, $THINCLIENTOUT is empty"
    elif [ "$THINSIZE" != "$THINCLIENTOUTDEFAULT" ]; then
      echo "Something is different in $THINCLIENTOUT:"
      cat "$THINCLIENTOUT"
    else
      echo "$THINCLIENTOUT is the default one, deleted"
      rm "$THINCLIENTOUT"
    fi
  else
    echo "Something is wrong, $THINCLIENTOUT does not exist!"
  fi
}

case "$1" in
  cron)  exec_cron_mode ;;
  start) exec_start_mode ;;
  check) exec_check_thinclient ;;
  *)     echo "Usage: `basename $0` {cron|start|check}"
         exit ;;
esac
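As an added example (it is neither PyFon's code nor the Fon heartbeat script), the following Python models the exchange that the PyFon log and the shell script show: the client builds the mode='…' wlmac='…' line, the server looks up whatever it has queued for the claimed wireless MAC and hands back a script, and a 33-byte answer means "nothing to do", as the shell script assumes. The device table, the reply scripts and the default reply are constructed here; the real server's reply contents are not reproduced. The sweep over a vendor prefix is the enumeration described in the PyFon post above, and it works because nothing in the line proves that the sender owns the MAC it names.

```python
# Added example: a model of the Fon heartbeat exchange, not code from PyFon
# or from the Fon firmware. The "server" and its replies are constructed.
import re

# The shell script treats a 33-byte reply as the default ("nothing changed").
DEFAULT_REPLY_LEN = 33
DEFAULT_REPLY = "#" * (DEFAULT_REPLY_LEN - 1) + "\n"


def build_auth_string(mode, wlmac, mac, fonrev="3", firmware="0.7.2",
                      chillver="1.0-1", thclver="1.0", device="fonera"):
    """Build the line the Fonera pipes into ssh; mirrors the echo lines in
    the shell script (cron mode sends fewer fields than start mode)."""
    fields = [("mode", mode), ("wlmac", wlmac), ("mac", mac),
              ("fonrev", fonrev), ("firmware", firmware)]
    if mode == "start":
        fields += [("chillver", chillver), ("thclver", thclver), ("device", device)]
    return " ".join("%s='%s'" % kv for kv in fields)


_PAIR = re.compile(r"(\w+)='([^']*)'")
_MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_auth_string(line):
    """Parse key='value' pairs; reject anything that is not exactly that."""
    pairs = _PAIR.findall(line)
    if not pairs or " ".join("%s='%s'" % kv for kv in pairs) != line.strip():
        raise ValueError("malformed auth string: %r" % line)
    return dict(pairs)


# Constructed stand-in for the server side: config changes queued per
# wireless MAC. A password change made in the web interface would land here.
DEVICE_DB = {
    "00:18:84:ff:ee:dd": "sed -i 's/^PASSWORD=.*/PASSWORD=hunter2/' /etc/fon.conf\n",
}


def heartbeat_reply(line, db=DEVICE_DB):
    """What the server hands back. The shared SSH key only proves that the
    sender is *some* Fonera; the device identity is the wlmac the client
    chose to put into the line, so any MAC can be asked for."""
    fields = parse_auth_string(line)
    if fields.get("mode") not in ("cron", "start"):
        raise ValueError("unknown mode: %r" % fields.get("mode"))
    wlmac = fields.get("wlmac", "").lower()
    if not _MAC.match(wlmac):
        raise ValueError("bad wlmac: %r" % wlmac)
    return db.get(wlmac, DEFAULT_REPLY)


def is_default_reply(reply):
    """Same size check the shell script does on $THINCLIENTOUT."""
    return len(reply.encode()) == DEFAULT_REPLY_LEN


def sweep(oui="00:18:84", start=0, count=256, db=DEVICE_DB):
    """Walk `count` MACs under a vendor prefix and keep every non-default
    reply: the enumeration the post describes, against the model server."""
    found = {}
    for n in range(start, start + count):
        mac = "%s:%02x:%02x:%02x" % (oui, (n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff)
        reply = heartbeat_reply(build_auth_string("cron", mac, mac), db)
        if not is_default_reply(reply):
            found[mac] = reply
    return found


if __name__ == "__main__":
    for mac, script in sweep("00:18:84", 0xffee00, 256).items():
        print(mac)
        print(script, end="")
```

Run stand-alone it prints the one constructed device that has a change queued together with the script the model server would return for it. The point to take from it is which input the server keys its lookup on: the client-supplied wlmac, with a key every Fonera shares, which is exactly why iterating MACs yields other people's configuration.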
Bug processed
As of today, there are no NEEDINFO bugs older than 6 months left in GNOME's Bugzilla! *yay*
DAAD Recall
Journey
I applied for a stipend from the DAAD, the "German Academic Exchange Service", in November. They must have liked my application because they invited me to the "next round" in the former capital Bonn.
I got some LIDL train tickets on eBay for 70 Euros (thanks Mezzo), which were 55 as they were sold by LIDL. Flying wasn’t an option due to the airports, both Hamburg and Koeln-Bonn, being located outside the cities and would have brought travel overhead which takes time as well. I enjoyed my non-stop train trip and arrived in Bonn after almost 5 hours.
Hostel
After a short stroll through the city, I went to my hostel: Max Hostel in the old town. They seem to be rather new since they were obviously surprised that I arrived. The guy at the reception left a clueless but happy impression. That hostel offers a kitchen with pasta and coffee for free! Especially the latter is pretty important 😉 Though, I was not amused by the fact that the showers were on the outer floor, where everybody walks around in their street shoes.
But the beds were pretty good and I slept nearly 11 hours.
Maybe that's due to my long walking trip through Bonn. I got lost several times on my way to the museums, but that wasn't too bad as I could see Bonn's residential districts with beautiful old houses.
If you are ever going to Bonn, don’t miss the “Haus der Geschichte”! An excellent Museum covering different aspects of German history.
Before I went to bed, I had a few big Schnitzel together with Beer^W “Koelsch”. Last time I had a Koelsch it reminded me of water rather than beer but this brand, “Boennsch” was quite good.
Questions
So I went to the Uni Club Bonn to talk to the selection committee. Other students were already waiting in front of the interview room. The amount of administrative overhead to select the ones who will receive the stipend is impressive. They do those selection talks the whole day, from 10:00 to 18:00, in 4 rooms in parallel.
But let’s get to the guts of that talking. I tried to prepare for that discussion with googling facts about it. I didn’t find much so I’m going to list the questions and the atmosphere. If you have questions left, feel free to drop me a line.
I was called to come into the room and I was pretty nervous. I haven't been so nervous even right before exams. I was invited to have a seat in front of a table with ready-to-drink water. The committee sat at a separate table and counted 7 people. The committee was introduced to me by one of them. She introduced each member: four of them were professors from different places in Germany, one a student who got the stipend a year ago, and two DAAD executives. And then it had already begun. The professor asked four or five questions at once:
- Why I was studying computer science
- Why I am interested in computer security
- Why I want to go to Dublin
- Why the DAAD should give the stipend to me and not to anybody else
I began saying that I hope to not forget any of these questions. The prof immediately said that he asked so many question at once so that I can talk for a long time…
So I told my story: I am interested in computer science since I was a child, I got in touch with security very early, blablabla. Of course I forgot a few points, e.g. why I wanted to go to Dublin and why *I* should be sponsored.
But my talking drifted into a nice dialogue. I told them about the situation at my home university, especially that our security staff has gone, and they asked a couple of questions like whether the professorship is going to be replaced or whether I was able to do a diploma thesis at my home university.
Other questions include
- Where do I see myself in 5 years
- Where do I see the best university for computer security
- What kind of experience I had in computer science and what my (university) projects were about
- What would I have studied if I wouldn’t have taken computer science
- Which news of the last week moved me
While the whole talk was in German, the student suddenly asked me in English why I needed so much time for my studies. We discussed that for a minute or two before we switched back to German.
While I was pretty happy coming out of that room after 15 minutes, I think I didn't perform very well. The more I think about it, the less I like my answers. I didn't set any particular weights and gave unnecessary answers which are not of any interest.
The atmosphere, however, was okay. Everybody seemed interested and had a pile of paper in front of them. Nobody picked on a particular shortcoming, and the questions were high level in general.
So I failed to make a few points, and when I think about my answers afterwards, I think I could have given smarter ones. But we'll know more in about three weeks, because the DAAD executive said that they'll send a mail then.
I was about to go to the Arithmeum and the Haus der Geschichte but unfortunately they were closed on Mondays 🙁 So I went to have lunch and a beer before I went to the railway station to get home.
Balls of Steel (§202c)
I just received a mail in which some dude told me that he reported himself to the police. He accused himself of "obtaining possession of" and "creating" passwords which could be used for a crime afterwards. He supposes that to be illegal due to the famous German "Hackerparagraph" §202c.
He says he downloaded and printed an article from the New York Times (maybe he meant this one?) which listed the 20 most common passwords on MySpace.
Also he used pwgen to generate passwords himself.
His first attempt to report himself failed because the police officer said that *this* wasn't justiciable. The second attempt, though, succeeded. He offered his police report as a downloadable PDF.
I have to say: Respect Mr. Balls of Steel! I am eager to see how that’s turning out.
Happy 1234567890 :)
$ date -d @1234567890
Sa 14. Feb 00:31:30 CET 2009
Happy Valentine's Day