I read an interesting article last night which highlited some problems with the way SSH process communication happens. I am writing a post about it because it is so simple and yet so effective.
Here is the scenario:
Let’s say that you have a linux system running the latest set of patches/OpenSSH. You have multiple users on the system, and one or more of them have sudo/su/escalated privileges. The idea is that when user ‘A’ connects to the system, user ‘C’ will be able to sniff out their password.
The details:
The idea is that almost all ssh daemons by default are configured to use “Privilege Separation”. This means that sshd spawns a process (child) that is unprivileged to listen for incoming network requests. After the user authenticates, another process gets created running as the authenticated user. The magic happens in between these two processes.
A simple example: User ‘C’ ssh-es into the system, escalates their privledges (either by legitimate or non-legitimate means) and starts listening for newly created ssh ‘net’ processes. As soon as user ‘C’ sees a process being crated, they immediately attach strace to it.
This will be my last post about the Google Nexus S since I just purchased (and received) my Nexus 4. That said, I really wanted to give one last update on the Nexus S since it looks like things have changed quite a bit with the update process. While it looks more complicated at first, it’s actually a lot more flexible now. Here is how to upgrade your Nexus S manually to a full 4.1.2 Jelly Bean, even if you have not received it yet/are in a country where the updates are not coming in, or are on a carrier which is not pushing OTA updates.
Now, you have one of four choices for sections, based on your phone:
If you have the (MOST POPULAR) T-Mobile or ATT (GSM) version of the Nexus S, go to: “Factory Images “soju” for Nexus S (worldwide version, i9020t and i9023)”
If you have the Sprint (4G) version, go to: “Factory Images “sojus” for Nexus S 4G (d720)”
If you have the Korean version (VERY RARE), go to: “Factory Images “sojuk” for Nexus S (Korea version, m200)”
If you have the NON-1Ghz (STILL RARE) version, go to: “Factory Images “sojua” for Nexus S (850MHz version, i9020a)”
Let’s assume you have the T-Mobile/ATT one since most people have that.
You will want the “4.1.2 (JZO54K)” image, which you can download from their official link:
[updated: March 29th, 2015 | Aman Surana created a great youtube video on how to do this. The main difference is that he is using a plugin (comes as an app which extends Tasker) called AutoNotification. The biggest benefit is that it abstracts the application notification layer into a standard set of variables. This allows you to utilize apps other than the main SMS app (ex: now you can use things like WhatsApp, Google Hangouts, etc). It also works with the latest version of Android, which I am starting to get the feeling that my profiles bellow do NOT work with anymore. Anyway, you can find the video here: https://www.youtube.com/watch?t=37&v=c-Kp9KynlV4, and read the post here since the idea behind how to do this still holds. That and it’s an interesting way to accomplish this task – no pun ;)]
I walk outside listening to Pandora quite a lot, and today I realized that I miss about half the SMS’ that I get. Either because it’s too noisy, or maybe because the SMS’ are not loud enough and I use a single beep, or because the sound trigger gets interrupted by Pandora, but either way, it’s a bit annoying. I have been considering some sort of a solution that will play incoming SMS messages when my headphones are plugged in for quite some time, but I couldn’t think of an efficient way to do it — that is, efficient on the battery. I think I came up with one today.
The idea behind this Tasker program is the following:
There are two Profiles: ‘Detect Headphones‘ and ‘Play Text Over Headphones‘. Only one Profile has to be actually active at all times – the Detect Headphones one. When you plug in your headset (with microphone, or just regular headphones), the profile sets a variable %HEADPHONES to ‘yes’. It then turns on the second Profile – the one that monitors incoming SMS messages and plays them over the headset if your %HEADPHONES variable is set to ‘yes’.
The general idea behind this is that it utilizes my original Blackberry Sound Profiles for Android and it adds a “timer” element which can be set. Upon setting the timer, it will set a temporary task until the timer runs out. The idea came from one of my visitors who asked me how to do this. At first, I had no idea how to do it. About 30 minutes later I had a semi-working prototype. Another 3 hours later (had to figure out how Scenes worked and interacted with variables and the rest of the system) I had the final version with a working GUI.
The first thing that you need are my Tasker Blackberry Sound Profiles found here: (http://blog.vpetkov.net/2011/05/10/my-tasker-program-blackberry-sound-profiles-for-android). If you don’t have them yet, follow the super quick “Getting Started” section. Once you have the tasks and you have them working (if you want this to work out of the box, grab at least the “Work” task and the “Sleep” task), download the Timed extension:
Note: You need the current BETA to import this profile: http://tasker.dinglisch.net/beta.html (1.2.1b4m)
Now unzip it and follow the same steps from the original post – grab the “Timed.tsk.xml” file and import it into the the Tasks tab, and then grab the “TimedScene.scn.xml” file and import it into the Scenes tab. Go to your home screen and create a Tasker widget of your “Timed” task. Every time you select this task, it will pop a box which will let you use a slider or directly type in a number. After this, when you hit “Set Profile”, the temporary task (by default “Sleep”) will get activated for the number of minutes you set. After that time period it will go back to the other (by default “Work”) task.
This is an update to the article “My Tasker program – BlackBerry Sound Profiles for Android” (http://blog.vpetkov.net/2011/05/10/my-tasker-program-blackberry-sound-profiles-for-android). Download the new file here, read through “what has changed”, and “what I have updated”, and then definitely read the original post (url above) as it contains all the details and how-to information.
What Has Changed:
There are a couple of things that Google has drastically changed in ICS 4.0 when it comes to Sound, Vibrate, and Volume.
First of all, they have greatly simplified the Sound Settings. The Volume menu now contains: “Music,Video, Games, and other media” as one volume toggle, then “Ringtone and notifications” as another, and Alarms as a third. Something to note here is that the keyboard “clicking” sound can now be found under the keyboard settings -> under Advanced.
The Second change is the way “Vibrate” has been re-implemented. The new “Silent Mode” controls three things currently: Sound, Mute, and Vibrate. This is important as this was completely broken on 2.3. The next thing to note is the “Vibrate and Ring” option, as this has a negative effect when toggled on via Vibrate (it’s still sticky for some reason, but due to Silent Mode being fixed, we can now un-toggle it via Tasker).
Google has released ICS (Ice Cream Sandwich) – the next version of the Nexus S OS (ICS 4.0.3- IML74K), and once again, I am posting it directly here — mostly for people who have not received it yet, people who are using a jailbroken phone, or people outside of the US who do not get the updates.
If you are on GRK39F (2.3.6), you can apply only the small update:
Please note that the above update is the ~128 MB update, and will only work if you are on 2.3.6 GRK39F. This is NOT for people who are running jailbroken/custom roms.
If the above doesn’t work, OR if you are using a jailbroken/custom rom, of if you have another version before 2.3.6, then I suggest doing the full 4.0.3 (IML74K) flash:
This is the ~161 MB image. You can use the same 7 steps from the link above.
If you are having problems with the update above, this is the full factory restore and it should work without any problems.
Please post comments if you have any problems, or if you just want to post that it works!
Google has released the next version of the Nexus S OS (Gingerbread 2.3.6 – GRK39F), and once again, I am posting it directly here — mostly for people who have not received it yet, people who are using a jailbroken phone, or people outside of the US who do not get the updates.
If you are on GRJ22 (2.3.4), you can apply only the small update:
Please note that the above update is the ~18MB update, and it will only work if you are on 2.3.4 GRJ22. This is NOT for people who are running jailbroken/custom roms.
If the above doesn’t work, OR if you are using a jailbroken/custom rom, then I suggest doing the full 2.3.6 (GRK39F) flash:
This is the ~98 MB image. You can use the same 7 steps from the link above, OR you can use any custom installer (including ClockWork).
If you are having problems with the update above, this is the full factory restore and it should work without any problems.
Please post comments if you have any problems, or if you just want to post that it works!
UPDATE: Please check out latest version from my git repo: http://git.vpetkov.net/projects – project name: “pandora”
It seems that Pandora is not putting too much time or thought into how they provide and access music online through their website. I really hope they fix this since it’s irresponsible as far as the the DMCA is concerned. Each song is simply an encoded token, and it’s pulled down directly from, presumably, one of their proxy server. If you look at the stream while playing songs on pandora.com, you will notice something like this (ex: not real):
Some assumptions: the “version=4” is high quality or what used to be CD quality (192 kbps). The “lid=#####” is the “login id”, or your unique user number. The “token=…” is the actual song, encoded. By finding the host of these requests, and putting it all together, where the lid is completely optional, you will have a full request URL to a song.
Imagine putting it together like this: (example as a POC, like this)
"http.request.uri contains token and http.host contains pandora"|./worker.pl
Then having something that parses this “buffer”:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/usr/bin/perl
useTie::File;
useWWW::Mechanize;
my$tokensdb='.tokens.db';my$songsdb='.songs';
unless(-e$tokensdb){`touch$tokensdb`;}
unless(-d$songsdb){mkdir$songsdbordie;}
tieour@tokens,'Tie::File',$tokensdb;
my$mech=WWW::Mechanize->new();
$mech->timeout(5);
$mech->quiet(1);
$mech->agent_alias('Mac Safari');
while(<STDIN>){
my($host,$token)=split(/,/,$_);
$token=~s/&lid=(\d*)//g;chomp($token);
my$url="http://$host"."$token";
if(grep{"$_"eq"$token"}@tokens){
print"Token Already Seen...\n";
}
else{
push(@tokens,$token);
print">> New Token Added!\n";
$file=time;
# Code removed in order to prevent Abuse!
}
}
One way for them to fix this would be to session encode the requests. You should not be able to make requests that originate from outside of pandora.com directly to the servers. Also, the requests should be authenticated. As an addition, they could potentially be checked against what is “played” and controlled for streaming mechanisms. I really hope this fix this as soon as possible.
Droidzone (Joel Mathew) has created a much more advanced fork of this with many improvements – check it out: http://blog.droidzone.in/2013/03/31/automatically-update-all-wordpress-plugins-from-bash/ (While I still very much support this, I believe my updated solution from Sept 30th, 2018 is incredibly easier and has a single dependency on “WWW::Mechanize”. Leaving the link here to Joel’s for anyone that is interested in taking a look at his. His original fork + extension supports good visual output and other options that someone may be interested in. I believe the last update was in 2014.)
I already created a script to upgrade wordpress installations automatically. You can find it here: http://blog.vpetkov.net/2011/06/01/script-to-upgrade-wordpress-to-the-latest-version-fully-automatically Recently, the same general problem came about when it came to plugins. The biggest problem I had is that I had to log-into wordpress, see a number of plugins that were outdated, and then go hunt each one down by generally just copying the name and pasting it into google . Even thought most of the time, the plugin was the first hit, I then had to download the latest version, extract it, and clean it up. Imagine doing this for 10+ plugins for 5+ blogs — constantly. It was just time consuming and frustrating.
Here is my solution in the form of a perl script:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/usr/bin/perl
# By: Ventz Petkov
# Date: 06-15-2011
# Last: 02-11-2018
# Version: 3.5
# Comment on last update:
# * WP changed their plugins html format syntax quite a bit...
# * WP changed their plugins URL a tiny bit, and download URL newline/spacing
# * WP changed their description html a bit
# * WP changed their description again - changed to pulling it from the meta tag
1.) You can simply run it, and it will update everything that you have listed in the @plugins array.
2.) You can give it a parameter of a registered plugin name. This does 2 jobs — upgrades an existing plugin, AND installs new ones.
You can definitely add an extension to this. For #1, you can go a step further by making it scan your plugin directory and populating the list from there. If you want to be even fancier, you can relatively easily keep version tracks of what you have installed and what’s currently available, so that you don’t just blindly download new plugins. For me this is sufficient. If anyone is interested in getting help implementing any of these extra additions, feel free to ask and I’ll help as much as I can.
This post is a bit different, but I think some people will find it very interesting. What got me to write this was an interesting article posted by Kevin Mitnick via his twitter account: http://news.cnet.com/8301-27080_3-20077732-245/kevin-mitnick-shows-how-easy-it-is-to-hack-a-phone/?part=rss&tag=feed&subj=News-Security. Kevin’s claim is that “Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes”, and my only question is: what will you do with the other 25 minutes?
START OF NOTE AND WARNING! Spoofing your Caller ID is legal in the US only if done via VOIP services for legal and legitimate uses, or to block sending your caller ID, but again, only if it is used for legal purposes. An example of a legitimate use is spoofing your own home/cell phone number when making outbound calls via VOIP/SIP. Another example would be spoofing an outgoing number (a bit like NATing) when sitting at a private (let’s say for example 2,3,4, or 5 digit) extension. There are many scenarios where this is absolutely needed — like offices, enterprises, remote employees/road warriors, and phone support.
Spoofing your Caller ID is not legal for false identity, threatening/harassing someone, pranking, lying, or other such negative and immoral actions. If you are interested in some more information, you can find some here: http://www.gordostuff.com/2011/06/fcc-ups-caller-id-spoofing-penalties.html, and here: http://www.gordostuff.com/2011/02/is-faking-caller-id-legal-in-united.html. This said, I am providing this information for anyone who wants to learn about how this is done, or/and is interested in setting it up for their business or personal use, but ONLY for legal and legitimate uses. I am in no way responsible if you do something stupid or illegal. Here is a good background/history and more information on Caller ID Spoofing: http://www.calleridspoofing.info/ END OF NOTE AND WARNING!
The assumption here is that you have some things already setup and working. The article is titled “Spoofing Caller ID on the fly from any phone” and not “how to spoof your Caller ID”. I am assuming that you have: a sip trunk provider with an outgoing plan, a DID, a SIP server with some advanced features (Asterisk and OpenPBX, or something like TrixBox), and most of all — a working setup. The first step is getting DISA (Direct Inward System Access – http://www.voip-info.org/wiki/view/Asterisk+cmd+DISA). The idea is that you will dial your DID phone number, and the sip trunk provider will route it to your IP address. From there, your server will handle the call and connect you inside your system. I absolutely suggest setting up a DISA password/passcode, otherwise, you leave yourself open to abuse and other people will be able to potentially make calls and use your sip account. It is also important to note that generally, you can simply set a from name and number right here in the DISA outbound options. But again, the idea is to make this dynamic. Ones you dial into your system, the next step is to setup an extension that will handle the rest of this. Leave your context “from-internal” if you want to be able to make external calls by default — necessary in order to bridge the active call to your destination. If you are using Asterisk or TrixBox, go to /etc/asterisk/extensions_custom.conf, and enter something like this:
Now here’s what’s happening: When you get your DID, you get the DISA context. From there, after you authenticate yourself with a pin and now you are in your system. At this point, you would hook in your custom context, in this case called “proof-of-concept-custom”. Make sure that the word “custom” is present somewhere. At this point, your recipe will be executed. The first thing you want to do is answer. You can look up each of these commands at the voip-info.org website. For example, Answer: http://www.voip-info.org/wiki/view/Asterisk+cmd+Answer. The next step is to wait 2 seconds. Then you will speak out the current caller ID. This is really just so you know where you are coming from – it is not neccessary. The play (mp3/wav/etc…) play is not really necessary either, but it can be used to queue up different actions. If you will play something, the suggestion is to Answer the channel before hand, and pause/wait for a bit. The next step is to read 10 digits into the “digito” variable. For good measure, and to prevent a mistake, you can speak out the digits again, and then set them as the current Caller ID (the spoofing part). At this point, you can play another sound to queue up the next action. As an extra precaution/security-by-obscurity step, you can prompt for another pin. In this case, it’s “98765”. After the pin has been successfully entered, you can signal via a sound, and then dial and bridge the call to the same number that you set as your Caller ID (impractical, but just for the purpose of a proof of concept). You can very easily modify this to ask for a destination number and call that destination number instead. Please note that this will charge you a twice from the point that you dial the call and bridge it — once for the current/already active call, and once for the new call that you are making to your destination.
Again, there are many legitimate and absolutely necessary cases for this. If you work in any company, most of the time they will not disclose private numbers. If the company is very large, they might simply not have/want to buy individual “routable” phone numbers. Your desk extension of “1234” can be masked behind a general number which routes to “directory/support” when called back. Another great case is someone who works from remote. Say that you work from home and are part of a support group. A customer calls you and reports a problem. Now you want to call the customer back, but you don’t want him to have your personal home number/cellphone – you can spoof your support number and call the customer back.
Something interesting to note is that VOIP/SIP system can choose to not respect Caller ID (cid) blocking/spoofing, and and 1-800/other TOLL-FREE numbers simply do not respect it.
The only point of this article is to demonstrate how easy it is to achieve this dynamically. Again, this is something that you can very easily set statically in the extension or DISA settings. This is not something new or mind blowing. You could have done this over 10 years ago. The point is that you can have a setup which can be activated from any phone and within 30 seconds or less, you can have a dynamically spoofed Caller ID number.