Tag Archives: Security

The Raspberry Pi 4 model with 4GB of RAM is the first cheap hardware that can provide a real “desktop-like” experience when browsing the web/watching Netflix/etc. However, if you have tried to run Netflix on the Pi, you have quickly entered the disgusting mess that exists around DRM, WideVine (Netflix being one example of something that needs it), and Chromium.

After hours and hours of effort, I finally discovered a quick and elegant solution that lets you use the latest default provided Chromium browser, without having to recompile anything in order to watch any WideVine/DRM (Netflix, Spotify, etc) content.

Background and the DRM Problem

If you are not familiar with this, the short version is that Netflix (and many others, ex: Spotify) use the WideVine “Content Protection System” – aka DRM, and if you want to watch Netflix or something else that uses it, you need to have a WideVine plugin+browse supported integration. Chrome, Firefox, and Safari make it available for x86/amd64 systems, but not for ARM since technically they don’t have ARM builds.

Chromium, the project Chrome is based on, does have an ARM build, but it does not include any DRM support, and technically it does not include widevine support by default (*caveat here, which helps us later)
So long story short, the question becomes “how do you enable DRM/WideVine support in Chromium?”.

It seems there are two main solutions out there: use an old (v51, 55, 56, 60) version of Chromium which has been “patched” with widevine support (kusti8’s version seems to be the most popular one – except since the new Netflix changes, that also does not work), which requires uninstalling the latest Chromium available, installing the old/patched one, and dropping in older widewine plugins; the second option is to use Vivaldi – a proprietary fork of Opera which also has been “sort of patched”, but it still needs a valid libwidevinecdm plugin (see bellow) and it has it’s own issues (and also…it’s Opera…in 2019…who uses Opera?)

After a lot of research and trial and error, I discovered a much more elegant solution – use the extracted ChromeOS (armv7l – yay) binaries and insert them into Chromium + make everything think it’s ChromeOS (user agent)

Netflix/Spotify with the Default Raspberry Pi Chromium Browser

Continue Reading →Netflix and Spotify on a Raspberry Pi 4 with Latest Default Chromium

If you did not know about this – you should be very worried.

A few hours ago it was discovered that Apple’s FaceTime app allows anyone to connect to any Apple device that supports FaceTime and hear their audio without the person ever accepting the call. What’s worse (debatably?) is that it is incredibly easy to do this.

Listen-in on any remote Apple device in 4 steps

1.) Start a FaceTime call with someone
2.) While the call is “connecting”, quickly swipe up on the FaceTime menu
3.) Click on the “+ Add Person”
4.) Add your own phone number/contact

What happens at this point is that the call is “bridged” and a remote audio line is open to the destination Apple device.

Yes – really! You have now turned the remote Apple device into a remote audio tap/bug. You can choose to keep a 2-way audio channel, or mute it from your side.

Update #1: Apparently it works on Mac OS Mojave too.

Temporary Fix – disable FaceTime

As of right now, until Apple patches this, the only fix is to disable FaceTime:

iOS

1.) open “Settings”
2.) click on “FaceTime”
3.) toggle it “off” (green toggle -> to white)

Mac OS Mojave

1.) open “FaceTime” app
2.) press “command + K”
or
2.) click on the top-left menu bar with the app name “FaceTime”, and select “Turn FaceTime Off”

You need to connect to a Cisco AnyConnect (or Juniper Pulse Connect) VPN, and you cannot stand the default client for a variety of reasons (slow connects, crashes, unable to start, pointless pop-up notifications, crashes, pid-loss, etc), and so, you look for alternatives.

You find OpenConnect – the perfect solution, only to realize that the 3rd-party GUI is basically broken and actually doesn’t work (last checked on 8-14-17) with 2-Factor authentication (ex: Duo).

At this point, you can run OpenConnect from a terminal, which works, but you have to keep the terminal open and you have to wrap the long command in a shell script.

Or, you can use my little solution which seems to work perfectly.

OpenConnect GUI - Connected

OpenConnect GUI - Disconnected

Everything you need to get started is on GitHub:
https://github.com/ventz/openconnect-gui-menu-bar

Continue Reading →The perfect OpenConnect GUI Menu Bar App with 2FA/Duo support – for Mac OS X

Lately, we have seen some really bad vulnerabilities in regards to SSL (Heartbleed) and Bash (later dubbed “Shellshock”), along with some slightly “lighter” linux/open source ones.

In September of this year, Google first discovered a fallback attack for SSL v3.0, and they wrote published a paper on it: https://www.openssl.org/~bodo/ssl-poodle.pdf.
Today, it was officially confirmed that SSL version 3.0 is no longer secure, and thus, it is no longer recommended in client software (ex: web browsers, mail clients, etc…) or server software (ex: apache, postfix, etc…).
This was dubbed the “POODLE” vulnerability, and given CVE-2014-3566

A “POODLE attack” can be used against any website or browser that still supports SSLv3.
Browsers and websites need to turn off SSLv3 as soon as possible in order to avoid compromising sensitive/private information. Even though a really small percent of servers/browsers are vulnerable (mozilla estimates 0.3% of the internet), that is quite large in the total number of users.

How can I check if my browser is Vulnerable?
The guys at dshield setup this nice browser check: https://sslv3.dshield.org:444/index.html For checking your browser, use: https://www.poodletest.com

Poodletest was first mentioned to me by Curtis Wilcox.
Continue Reading →OpenSSL – SSL 3.0 Poodle Vulnerability

As some of you may have heard, a very serious remote vulnerability was discovered disclosed today within bash.

A quick summary of the problem is that bash does not properly process function definitions, which can be exported like shell variables. This is a bit like a SQL/XSS injection problem — you provide an “end” to your input, and continue writing other functions/calls after it, which then get executed.

A quick example:

A vulnerable system looks like this:
vulnerable!

A patched system looks like this:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’

Continue Reading →Bash remote exploit vulnerability

UPDATE: Insecure has released v6.46 which contains all of these patches. Just grab the latest and follow the usage info here

If you don’t know what Heartbleed is, you can find out here: http://heartbleed.com/. If you don’t want to read the details above, XKCD put together a great short comic about it: http://xkcd.com/1354/

NOTE: I first put this together 3 days ago, but I am just now releasing after being asked by many people for the package and directions.

The problem: How do you scan a bit more than 5 class B’s (~328000 IP addresses) before any off the vendors (Tenable, Qualys, Rapid7) have released signatures? Easy – you build your own!
The goal was to scan as many IPs as possible at work as quickly as possible.

After using the Heartbleed github project (https://github.com/FiloSottile/Heartbleed) and creating a Dancer web service around it, I realized that there still needed to be a faster way to scan for this. How much faster?

How about a /24 (254 IP addresses) in less than 10 seconds.

I have a patched version of NMAP already (6.40) that has Heartbleed checks.
Again, Insecure has released v.6.46 which has these patches. Grab that and follow these directions

Then, you can scan like this:

 

If you want cleaner results, for a script, a good way to filter the output will be with something like this:

This produced a clean 2 line result, where if it’s vulnerable, it will have “ssl-heartbleed” under each host/IP address entry.

 

How to build your own patched NMAP binary?

But what if you don’t trust my binary? Good – let me show you how to build one yourself:

Continue Reading →Ridiculously fast Heartbleed Subnet Scanner – nmap heartbleed howto and tutorial

There are many ways to exploit a web server and gain access to the file system – read or write (sometimes both). This becomes even easier when one hosts CGIs or other dynamic code – especially when that code includes user based inputs. Recently, I found one of the most elegant exploits that I have seen for this kind of an attack vector, so I wanted to go over it and share some information about how it works and what exactly it exploits.

To setup the background for this scenario, imagine a web server (ex: ‘www.example.com’) setup with userdirs, which allows CGI execution – not an uncommon situation at all. This means that ‘user1’ will have a directory like ‘public_html’, which will become directly accessible at: ‘http://www.example.com/~user1/’. For example, creating a ‘blah’ folder in ‘/home/user1/public_html’, will create ‘http://www.example.com/~user1/blah’ on the web.

At some point, ‘user1’ creates a file called ‘x.cgi’, which simply has a GET parameter called ‘file’, and if that parameter is a file that exists, it loads it via an include. Otherwise, it loads a default.html file. Let’s assume that ‘x.cgi’ is a PHP file which looks like this:

Continue Reading →Web Exploit – user modifiable Read and Execute can give you Write access

The Scenario:

Let’s say you are at a coffee shop with public internet access, and you don’t want someone snooping on your traffic, so you VPN to your work. However, you also don’t want to tunnel personal stuff out of your work VPN (chat, facebook, youtube, your personal email maybe?), so the question becomes, how do you create 2 different firewalls – one that ONLY allows you to VPN and does not allow any other applications access, and one that then controls the traffic within the VPN channel so that you can utilize the connection for some apps but not others?

At this point, there are only 2 “methods” of running a Firewall on Android: having root and managing/accessing IPTables, or, the only alternative – creating a sub-VPN channel that you pipe the traffic over and filter (which does not require root). Unfortunately, the second type (without root) will not work for this, since we will need to utilize the VPN channel ourselves for our VPN, and to my knowledge, Android let’s you setup only 1 active VPN channel. So, you need 1.) a way to root and 2.) a good Firewall

Continue Reading →Firewall the Inside of your OpenVPN or L2TP/IPSec Tunnel on Android

I read an interesting article last night which highlited some problems with the way SSH process communication happens. I am writing a post about it because it is so simple and yet so effective.

Here is the scenario:
Let’s say that you have a linux system running the latest set of patches/OpenSSH. You have multiple users on the system, and one or more of them have sudo/su/escalated privileges. The idea is that when user ‘A’ connects to the system, user ‘C’ will be able to sniff out their password.

The details:
The idea is that almost all ssh daemons by default are configured to use “Privilege Separation”. This means that sshd spawns a process (child) that is unprivileged to listen for incoming network requests. After the user authenticates, another process gets created running as the authenticated user. The magic happens in between these two processes.

A simple example:
User ‘C’ ssh-es into the system, escalates their privledges (either by legitimate or non-legitimate means) and starts listening for newly created ssh ‘net’ processes. As soon as user ‘C’ sees a process being crated, they immediately attach strace to it.

A simple way to do it is by:

or even better:

 

Continue Reading →Sniffing SSH Password from the Server Side

This will be my last post about the Google Nexus S since I just purchased (and received) my Nexus 4. That said, I really wanted to give one last update on the Nexus S since it looks like things have changed quite a bit with the update process. While it looks more complicated at first, it’s actually a lot more flexible now. Here is how to upgrade your Nexus S manually to a full 4.1.2 Jelly Bean, even if you have not received it yet/are in a country where the updates are not coming in, or are on a carrier which is not pushing OTA updates.

The first step is to go to Google’s Official Factory Images for Nexus Devices

Now, you have one of four choices for sections, based on your phone:

  • If you have the (MOST POPULAR) T-Mobile or ATT (GSM) version of the Nexus S, go to: “Factory Images “soju” for Nexus S (worldwide version, i9020t and i9023)”
  • If you have the Sprint (4G) version, go to: “Factory Images “sojus” for Nexus S 4G (d720)”
  • If you have the Korean version (VERY RARE), go to: “Factory Images “sojuk” for Nexus S (Korea version, m200)”
  • If you have the NON-1Ghz (STILL RARE) version, go to: “Factory Images “sojua” for Nexus S (850MHz version, i9020a)”

Let’s assume you have the T-Mobile/ATT one since most people have that.
You will want the “4.1.2 (JZO54K)” image, which you can download from their official link:

soju-jzo54k-factory-36602333.tgz
(md5: 788233dca5954532acda63039f814b4d)

Continue Reading →Google Nexus S – update manually to 4.1.2 Jelly Bean