GPG Cheat Sheet

The GNU Privacy Handbook has a ton of useful information, but I thought I'd make a quick reference for the gpg usage I use most. Especially because I was just an idiot and lost my gpg private key (though I do remember the passphrase). This time there will be a backup!

List all keys

gpg --list-keys

Export a public key to a file (mypublickey.key, ASCII-armored). <keyid> is listed when you do --list-keys

gpg -ao mypublickey.key --export <keyid>

Show secret keys

gpg --list-secret-keys

Back up a secret key (armored export, then symmetrically encrypted with -c; the exported key is still protected by its own passphrase, and -c adds a second one on the file)

gpg -a --export-secret-keys <keyid> | gpg -aco myprivatekeyfile.key.gpg

Restoring a key

gpg --import {keyfile}

Restore an encrypted key

gpg --decrypt {privatekeyfile} | gpg --import

Sign a file

gpg --output doc.sig --sign doc

Verify the signature (--decrypt on a signed file checks the signature and writes out the original document; gpg --verify doc.sig checks it without writing anything)

gpg --output mydoc --decrypt doc.sig

execv-like system call

The system(3) man page explicitly says:

Do not use system() from a program with set-user-ID or set-group-ID privileges, because strange values for some environment variables might be used to subvert system integrity.

Good advice, but sometimes you need to get stuff done anyway. This is an experiment with PAM and execv from a stupid Google Apps PAM module I wrote.


/* progarg0, username, newpass, netprog, debug and report_error() come from
   the surrounding module; these are the locals the fragment needs */
pid_t PID;
int execreturn, rc;

PID = fork();
if (PID == 0) {
  //child
  char* argvarray[4] = {progarg0, username, newpass, (char *) 0};
  execv(netprog, argvarray);
  /* only reached if execv failed; the child must not return into the
     caller's PAM stack, so log it and terminate the child */
  if (debug == 1)
    printf("exec failure\n");
  report_error(1);
  _exit(127);
}
else if (PID < 0) {
  if (debug == 1)
    printf("unexpected error\n");
  report_error(1);
  return PAM_CRED_ERR;
}

/* wait for this child specifically; a plain wait() can reap some other
   child the calling application forked */
if (waitpid(PID, &execreturn, 0) != PID) {
  report_error(1);
  return PAM_CRED_ERR;
}
//make sure this does exit properly and isn't killed
if (WIFEXITED(execreturn)) {
  rc = WEXITSTATUS(execreturn);
}
else {
  report_error(1);
  return PAM_CRED_ERR;
}

The fork/execv block emulates system() without putting /bin/sh in the middle: username and newpass travel as separate argv entries, so metacharacters in them are never interpreted, and IFS or PATH in the caller's environment no longer decide what runs (execv does still pass the caller's environment on to the child; execve with a fixed envp stops that too). The rest collects the exit status, which you would also need to do with system(). Basically, it has close to the same functionality as if it were:

execreturn = system("programcall");   /* system() forks, waits and returns the status itself */
//make sure this does exit properly and isn't killed
if (WIFEXITED(execreturn)) {
  rc = WEXITSTATUS(execreturn);
}
else {
  report_error(1);
  return PAM_CRED_ERR;
}
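As an added example (not code from the PAM module above), here is the same fork/exec pattern written as a reusable helper for setuid or PAM code, with the two hazards from the man page made concrete: the child gets a fixed environment instead of inheriting the caller's, and the program's arguments stay separate argv entries instead of being pasted into a shell string. run_clean, clean_env, the demo_* functions, the hostile username and the LD_PRELOAD value are all this example's own constructions. demo_system_injection shows system() running an attacker-supplied `exit 42` that rode in on the username; demo_exec_argv shows the same string arriving as inert data; demo_env_scrubbed shows a variable set in the caller not reaching the child.

```c
/* Added example, not code from the PAM module above: spawn a helper the
 * way setuid code should, with no shell, a fixed environment and the
 * arguments kept as separate argv entries. All names are the example's own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Environment given to every child: nothing inherited from the caller, so
 * the caller's LD_PRELOAD, IFS or PATH cannot steer what the child does. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Run `path` with `argv` and clean_env. Returns the child's exit code (0..255),
 * or -1 if fork/exec/wait failed or the child died from a signal (errno set). */
int run_clean(const char *path, char *const argv[])
{
    /* FD_CLOEXEC closes the pipe's write end on a successful exec, so the
     * parent reads 0 bytes; if exec fails the child writes its errno. */
    int errpipe[2];
    if (pipe(errpipe) == -1)
        return -1;
    fcntl(errpipe[1], F_SETFD, FD_CLOEXEC);
    pid_t pid = fork();
    if (pid == -1) {
        close(errpipe[0]); close(errpipe[1]);
        return -1;
    }
    if (pid == 0) {                        /* child */
        close(errpipe[0]);
        execve(path, argv, clean_env);
        int err = errno;
        (void)!write(errpipe[1], &err, sizeof err);
        _exit(127);                        /* never return into the caller */
    }
    close(errpipe[1]);
    int child_errno = 0;
    ssize_t n = read(errpipe[0], &child_errno, sizeof child_errno);
    close(errpipe[0]);
    /* Reap this child only (plain wait() could take a sibling); retry on EINTR. */
    int status;
    while (waitpid(pid, &status, 0) != pid)
        if (errno != EINTR)
            return -1;
    if (n > 0) {                           /* exec failed in the child */
        errno = child_errno;
        return -1;
    }
    if (!WIFEXITED(status))                /* killed by a signal */
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed hostile "username", as a PAM module might receive it. */
static const char hostile_user[] = "alice; exit 42";

/* The system() pattern: arguments pasted into one string for /bin/sh to parse.
 * Returns the command line's exit code; 42 means the injected `exit 42` ran. */
int demo_system_injection(void)
{
    char cmd[128];
    snprintf(cmd, sizeof cmd, "/bin/true %s", hostile_user);
    int status = system(cmd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The execve pattern: the same string is one argv element. The child only
 * checks it arrived intact; 0 means the metacharacters stayed data. */
int demo_exec_argv(void)
{
    char *const argv[] = { "sh", "-c", "[ \"$1\" = 'alice; exit 42' ]",
                           "sh", (char *)hostile_user, NULL };
    return run_clean("/bin/sh", argv);
}

/* A hostile variable in the caller's environment must not reach the child.
 * Returns 0 when LD_PRELOAD is unset inside the child. */
int demo_env_scrubbed(void)
{
    setenv("LD_PRELOAD", "/tmp/evil.so", 1);   /* constructed value */
    char *const argv[] = { "sh", "-c", "[ -z \"${LD_PRELOAD+x}\" ]", NULL };
    int rc = run_clean("/bin/sh", argv);
    unsetenv("LD_PRELOAD");
    return rc;
}

int main(void)
{
    printf("system(): %d (42 = injected command ran)\n", demo_system_injection());
    printf("execve(): %d (0 = username arrived as one argument)\n", demo_exec_argv());
    printf("env:      %d (0 = LD_PRELOAD not inherited)\n", demo_env_scrubbed());
    return 0;
}
```

Build and run it with `cc -o run_clean run_clean.c && ./run_clean`. The error pipe is the piece most hand-rolled spawn loops leave out: without it, a missing or non-executable helper looks like a program that ran and exited 127, and a PAM module would happily treat that as a real result.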

browsing with firefox, tor, refcontrol, and noscript on ubuntu

This is a topic that’s been covered a lot. However, it took a bit of research to find a solution that worked for me, so I thought I’d write about it here.

I am doing some research that involves a *lot* of google searches. Because this research involves a significant number of directed queries, it seems logical to hide this information as much as practical. If there is a web host who notices sequential names in a Google referer URL repeatedly, this might raise suspicion or alter behavior which could skew results. Similarly, it is desirable to hide IP information from both the web host (for similar reasons) and possibly even search engines.

First, to avoid any changes to usual browsing, a new firefox profile was created using:

firefox -ProfileManager

Additionally, to run both firefox profiles at once, the first was run as normal, while the second has the additional options:

firefox -P <new-profile> -no-remote

I add this to my taskbar alongside the regular old firefox %u so I can choose a profile with a click.

To hide the HTTP referer, a firefox extension called RefControl was selected https://addons.mozilla.org/en-US/firefox/addon/953. This simply replaces the referer for every request with one that is configurable. Although this is certainly possible with a more traditional proxy (like paros), RefControl's ease of use is essential with the sheer number of queries that were performed for this research. For this research, I changed the referer several times to names like "yahoo.com", "cnn.com", etc. Although the traffic patterns may still seem suspicious to an administrator who carefully monitors the logs, it reveals virtually no information about what is being searched for.

To obfuscate the IP address, tor and privoxy were used. Tor bounces the HTTP requests through a distributed network of relays around the world. An in-depth discussion of Tor is out of scope here, but in a nutshell "it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location" http://www.torproject.org/. Privoxy sits in front of Tor as an HTTP proxy: the browser talks HTTP to Privoxy, which forwards over SOCKS4a to Tor, so hostname resolution happens inside the Tor circuit instead of leaking to the local DNS resolver. It does not stop plugins like Flash, which open their own connections outside the proxy (NoScript, below, is for that). Since both privoxy and tor are required, you need to install these:

apt-get install tor privoxy

and to get privoxy to work with tor, I uncommented the following line in the privoxy config (if it's not there just add it). 9050 is Tor's default SOCKS port, and the trailing dot means no further HTTP parent proxy:

forward-socks4a / localhost:9050 .

Despite the advantages, this did make browsing for names quite slow. I really like torbutton. In the not so distant past I remember having to modify proxy settings every time I wanted to go back and forth using tor. With tor

Lastly, the NoScript firefox extension was used to block JavaScript and plugin content that could be used to obtain the real IP address http://noscript.net/.

Security in an Insecure Environment

stk500 avr atmega16 linux gcc hello, world

Does my title sound like buzzword central? You bet it does. That's because it was a bit difficult to find any good introductory material on this. Maybe that's because there's so much information out there...

Anyway, here is some. The README:

Rich Lundeen
lundrich@isu.edu

The Specification:
———————————

The purpose of this assignment is to introduce you to the software tools we will use for the
AVR microprocessor, and to give you a better understanding of the run-time environment that
a C program operates under.
For this assignment, you will write a C main program and two subroutines – one in AVR
assembly, and the other in C. The subroutines should each do the same thing:
1. Monitor a port (your choice) that is connected to a switch. Wait until the switch is
pressed.
2. Once pressed, the routine should keep track of how long the switch is held down.
3. Wait for approximately one second.
4. Using another port (your choice) connected to a LED, turn on the LED for the same
amount of time that the switch was pressed earlier.
In addition to writing the code, determine the size of the code (main and both subroutines) in
your program.

———————————-

This code requires that avrdude, avr-gcc and avr-objcopy (from avr-binutils) are installed.

To compile the C version, type:

make

To compile the asm version, type:

make asm

After it’s compiled, to install to a connected and powered on atmega16 board, type:

make install

homework1.avi contains a short demonstration of the C version – however, both do the same thing. It
will play with vlc or mplayer.

Here is a demo of the program. Oooh, blinky lights. Anyway, the hardest part was just finding a hello world; this includes one in both C and assembly, so good hunting!

Download the source here,

/*main.c*/
#include "portstuff.h"

int main (void) {
  DDRB = 0xff;  /*11111111 means all output (LEDs) */
  DDRD = 0x00;  /*00000000 for all input (switches) */

  PORTB = 0xff; /*LEDs are active low, so this starts with them all off */
  portmon();
  return(0);
}

/*portstuff.h*/
#include <avr/io.h>  /* DDRB, PORTB, DDRD, PIND register definitions */

void portmon(void);

/* portstuff.c */
#include "portstuff.h"

/*this is busy-loop iterations, not clock cycles: each pass through the
* empty loops below costs several cycles.
* 30000 seems to be close to about a sec on my board */
const unsigned long DELAY = 30000;

void portmon(void) {
  while(1) {
    unsigned long timer = 0;
    /*volatile so the compiler keeps the empty delay loops at -O1 and above */
    volatile unsigned long i;
    /*while a button is pressed (a pressed switch reads 0) */
    while (PIND != 0xff) {
      /*light up the LED for the button pressed (LEDs are active low) */
      PORTB = PIND;
      timer += 1;
    }
    PORTB = 0xff;  /*all LEDs off */
    /*if the timer is not zero, we need to handle a button pressed */
    if (timer != 0) {
      /*delay for about a second */
      for (i = DELAY; i!=0; i--);
      PORTB = 0x00;  /*all LEDs on */
      /*delay for timer roughly equal to how long button was pressed */
      for (i = timer; i!=0; i--);
      timer = 0;
    }
  }
}

#Makefile
#c specific - this is the default

homework1.hex: homework1.out
	avr-objcopy -S -O ihex homework1.out homework1.hex
homework1.out: main.o portstuff.o
	avr-gcc -mmcu=atmega16 main.o portstuff.o -o homework1.out
main.o: portstuff.h main.c
	avr-gcc -c -mmcu=atmega16 main.c
portstuff.o: portstuff.h portstuff.c
	avr-gcc -c -mmcu=atmega16 portstuff.c

#assembly specific rules - builds the same homework1.hex from portstuff.s

asm: homework1asm.out
	avr-objcopy -S -O ihex homework1asm.out homework1.hex
homework1asm.out: main.o portstuffasm.o
	avr-gcc -mmcu=atmega16 main.o portstuffasm.o -o homework1asm.out
portstuffasm.o: portstuff.s
	avr-gcc -c -mmcu=atmega16 portstuff.s -o portstuffasm.o

#clean and install

clean:
	rm -f ./*.o ./*.hex ./homework1.out ./homework1asm.out

install:
	avrdude -y -C /etc/avrdude/avrdude.conf -p atmega16 -P /dev/ttyS0 -c stk500v2 -U flash:w:homework1.hex:i

/*portstuff.s*/
/* hand-edited from avr-gcc -S output; a .s file is not run through the C
   preprocessor, so nothing from portstuff.h is visible here */

.file	"portstuff.c"
/* I/O addresses for in/out on the ATmega16 (memory address - 0x20).
   0x30 is PIND, the register that reads the switch state */
PORTB  = 0x38-0x20
PIND   = 0x30-0x20
/* LEDs are active low, as in portstuff.c: 0 lights every LED */
ALLON  = 0x00
WAIT   = 0xa
.text
.global	portmon
.type	portmon, @function
portmon:
/*initialize count to zero */
.BEGIN:
/*r18 is our counter*/
ldi     r18,0x00

/*initialize port values*/
in  r24,PIND
out PORTB, r24

.LEDWAIT:
in  r24,PIND
nop

/*see if a button is currently pressed (a pressed switch reads 0) - if it
is then fall through, if not jump to .LEDWAIT */
cpi r24, lo8(-1)
breq .LEDWAIT

.BUTTONPRESSED:

out PORTB, r24

/*measure the number of delays the button is pressed*/
rcall delay
inc r18

/*see if button is still currently pressed - if it is then
jump to .BUTTONPRESSED */

in   r24, PIND
cpi  r24, lo8(-1)
brne .BUTTONPRESSED

out PORTB, r24
ldi r23, WAIT
.DELAYSECOND:
/*WAIT delays in a row - theoretically this delays a second */
rcall delay
dec r23
brne .DELAYSECOND

.LEDSON:
/*light up all leds for the amount of time the one was pressed.
out needs a register operand, so load the value first */
ldi r24, ALLON
out PORTB, r24
rcall delay
dec r18
breq .BEGIN
rjmp .LEDSON

/*delay function makes time reasonable to deal with.
clobbers r16 and r17 */
delay:
ldi r17,0x60
waitouterloop:
ldi r16,0xFF
waitinnerloop:
subi r16,0x01
brne waitinnerloop
subi r17,0x01
brne waitouterloop
ret

.size	portmon, .-portmon

php multiuser system – the www-data problem

On a lot of multi-user systems, like the one at the school where we have 300+ users all with userdir (public_html) enabled, we also happen to have other web services running. It's inconvenient and insecure for everyone to be running their dynamic web stuff as the same user. I understand this is nearly impossible to do with good security, but this is a university and the point of this server is to let students learn, which means being able to host code.

One security problem in particular is php. suexec was built for cgi-bin stuff – but php is a whole other beast. That’s what I’m talking about here – getting php to run as the user who owns it. More specifically, this will show how /home/user/public_html/myphp.php will run as “user”, but stuff in /var/www will still run as www-data.

One good article I found describing this is here: http://alain.knaff.lu/howto/PhpSuexec/

First things first – mod_php needs to be disabled. This can be done globally, but it’s better to just disable it for public_html dirs. This can be done by adding the following to /etc/apache2/apache2.conf.

<Directory /home>
 php_admin_flag engine off
</Directory>

Now, to enable suphp.

First install php-cgi and apache2-prefork-dev, which provides apxs2 for building the module later on.

apt-get install php-cgi apache2-prefork-dev

Do not install libapache2-mod-suphp – at least not on 8.04. This older version lacks some of the things most people need… like having more than one directory.

Download the latest suphp module from http://www.suphp.org/Home.html.  Compile this like:

tar xfzv suphp-SNAPSHOT-2008-03-31.tar.gz
cd suphp-SNAPSHOT-2008-03-31
./configure --with-apxs=/usr/bin/apxs2 --with-setid-mode=owner
make
make install

Modify apache’s config

LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so
<Directory /home>
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .phtml
suPHP_AddHandler application/x-httpd-php
suPHP_Engine on
</Directory>

Now in /usr/local/etc/suphp.conf

[global]
webserver_user=www-data
docroot=${HOME}/public_html
check_vhost_docroot=false

[handlers]
;Handler for php-scripts
application/x-httpd-php="php:/usr/bin/php-cgi"

Restart apache. To debug, check /var/log/apache2/error.log. To test, create scripts in public_html directories and in /var/www that exec('whoami') and make sure each runs as the expected user (the file owner under /home, www-data under /var/www). The suphp.conf above only sets what is needed to make this work; also make sure min_uid, min_gid, allow_file_group_writeable and allow_directory_group_writeable are set to restrictive values (the sample suphp.conf that ships with suPHP has them), since those are what stop scripts from running as system accounts or from group-writable files.

It’s a start, but then there’s always stuff like XSS, etc.
