Author: Jonathan Bennett

446 Articles

FLOSS Weekly Episode 778: OctoPrint — People Are Amazing At Breaking Things

April 10, 2024 by 7 Comments

This week Jonathan Bennett and Katherine Druckman sit down with Gina Häußge to talk OctoPrint! It’s one of our favorite ways to babysit our 3D printers, and the project has come a long way in the last 12 years! It’s a labor of love, primarily led by Gina, who has managed to turn it into a full time job. Listen in to hear that story and more, including how to run an Open Source project without losing your sanity, why plugins are great, and how to avoid adding a special services employee as a co-maintainer!

Continue reading “FLOSS Weekly Episode 778: OctoPrint — People Are Amazing At Breaking Things”

This Week In Security: XZ, ATT, And Letters Of Marque

April 5, 2024 by 11 Comments

The xz backdoor is naturally still the top story of the week. If you need a refresher, see our previous coverage. As expected, some very talented reverse engineers have gone to work on the code, and we have a much better idea of what the injected payload does.

One of the first findings to note is that the backdoor doesn’t allow a user to log in over SSH. Instead, when an SSH request is signed with the right authentication key, one of the certificate fields is decoded and executed via a system() call. And this makes perfect sense. An SSH login leaves an audit trail, while this backdoor is obviously intended to be silent and secret.

It’s interesting to note that this code made use of both autotools macros, and the GNU ifunc, or Indirect FUNCtions. That’s the nifty feature where a binary can include different versions of a function, each optimized for a different processor instruction set. The right version of the function gets called at runtime. Or in this case, the malicious version of that function gets hooked in to execution by a malicious library. Continue reading “This Week In Security: XZ, ATT, And Letters Of Marque”

FLOSS Weekly Episode 777: Asterisk — Wait, Faxes?

April 3, 2024 by 9 Comments

This week Jonathan Bennett and David Ruggles sit down with Joshua Colp to talk about Asterisk! That’s the Open Source phone system software you already interact with without realizing it. It started as a side project to run the phones for Linux Support Services, and it turned out working on phone systems was more fun than supporting Linux. The project grew, and in the years since has landed at Sangoma, where Joshua holds the title of Asterisk Project Lead.

Asterisk is used in call centers, business phone systems, and telecom appliances around the world. But how does it handle faxes, WebRTC, and stopping spam calls? Just kidding on that last one, still an unsolved problem.

Continue reading “FLOSS Weekly Episode 777: Asterisk — Wait, Faxes?”

Security Alert: Potential SSH Backdoor Via Liblzma

March 29, 2024 by 34 Comments

In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package, that could potentially compromise SSH logins on Linux systems. The most detailed analysis so far seems to be by [Andres Freund] on the oss-security list.

The xz release tarballs from 5.6.0 in late February and 5.6.1 on March 9th both contain malicious code. A pair of compressed files in the repository contain the majority of the malicious patch, disguised as test files. In practice, this means that looking at the repository doesn’t reveal anything amiss, but downloading the release tarballs gives you the compromised code.

This was discovered because SSH logins on a Debian sid were taking longer, with more CPU cycles than expected. And interestingly, Valgrind was throwing unexpected errors when running on the liblzma library. That last bit was first discovered on February 24th, immediately after the 5.6.0 release. The xz-utils package failed its tests on Gentoo builds.

Continue reading “Security Alert: Potential SSH Backdoor Via Liblzma”

This Week In Security: Peering Through The Wall, Apple’s GoFetch, And SHA-256

March 29, 2024 by 1 Comment

The Linux command wall is a hold-over from the way Unix machines used to be used. It’s an abbreviation of Write to ALL, and it was first included in AT&T Unix, way back in 1975. wall is a tool that a sysadmin can use to send a message to the terminal session of all logged-in users. So far nothing too exciting from a security perspective. Where things get a bit more interesting is the consideration of ANSI escape codes. Those are the control codes that moves the cursor around on the screen, also inherited from the olden days of terminals.

The modern wall binary is actually part of util-linux, rather than being a continuation of the old Unix codebase. On many systems, wall runs as a setgid, so the behavior of the system binary really matters. It’s accepted that wall shouldn’t be able to send control codes, and when processing a message specified via standard input, those control codes get rejected by the fputs_careful() function. But when a message is passed in on the command line, as an argument, that function call is skipped.

This allows any user that can send wall messages to also send ANSI control codes. Is that really a security problem? There are two scenarios where it could be. The first is that some terminals support writing to the system clipboard via command codes. The other, more creative issue, is that the output from running a binary could be overwritten with arbitrary text. Text like:
Sorry, try again.
[sudo] password for jbennett:

You may have questions. Like, how would an attacker know when such a command would be appropriate? And how would this attacker capture a password that has been entered this way? The simple answer is by watching the list of running processes and system log. Many systems have a command-not-found function, which will print the failing command to the system log. If that failing command is actually a password, then it’s right there for the taking. Now, you may think this is a very narrow attack surface that’s not going to be terribly useful in real-world usage. And that’s probably pretty accurate. It is a really fascinating idea to think through, and definitively worth getting fixed. Continue reading “This Week In Security: Peering Through The Wall, Apple’s GoFetch, And SHA-256”

FLOSS Weekly Episode 776: Dnsmasq, Making The Internet Work Since 1999

March 27, 2024 by 4 Comments

This week Jonathan Bennett and Simon Phipps sit down with Simon Kelley to talk about Dnsmasq! That’s a piece of software that was first built to get a laptop online over LapLink, and now runs on most of the world’s routers and phones. How did we get here, and what does the future of Dnsmasq look like? For now, Dnsmasq has a bus factor of one, which is a bit alarming, given how important it is to keeping all of us online. But the beauty of the project being available under the GPL is that if Simon Kelley walks away, Google, OpenWRT, and other users can fork and continue maintenance as needed. Give the episode a listen to learn more about Dnsmasq, how it’s tied to the Human Genome Project, and more!

Continue reading “FLOSS Weekly Episode 776: Dnsmasq, Making The Internet Work Since 1999”

This Week In Security: Loop DOS, Flipper Responds, And More!

March 22, 2024 by 8 Comments

Here’s a fun thought experiment. UDP packets can be sent with an arbitrary source IP and port, so you can send a packet to one server, and could aim the response at another server. What happens if that response triggers another response? What if you could craft a packet that continues that cycle endlessly? That is essentially the idea behind Loop DoS (Denial of Service).

This unique avalanche of packets has been managed using specific implementations of several different network services, like TFTP, DNS, and NTP. There are several CVEs being used to track the issue, but CVE-2024-2169 is particularly odd, with the description that “Implementations of UDP application protocol are vulnerable to network loops.” This seems to be a blanket CVE for UDP, which is particularly inappropriate given that the first DoS of this sort was first reported in 2009 at the latest.

More details are available in a Google Doc. There some interesting tidbits there, like the existence of cross-protocol loops, and several legacy protocols that are vulnerable by design. The important thing to remember here is you have to have an accessible UDP port for this sort of attack to take place, so if you’re not using it, firewall it.

Flipper Flips Back

We’ve covered the saga of the Flipper Zero vs the Canadian government, in the context of car theft. The short version is that Canada has seen an uptick of car thefts from organized crime. Rather than meaningfully dealing with this problem, the Canadian government went looking for scapegoats, and found the Flipper Zero.

Well now, Flipper has responded, and put simply, the message is “stop the madness”. There has never been a confirmed case of using a flipper to steal a car, and it’s very unlikely it’s ever happened. On a modern car with proper rolling-code security, it’s not meaningfully possible to use the Flipper Zero for the theft. The two primary ways criminals actually steal cars are with dedicated keyfob repeaters and CAN bus hackers.

There is a petition to sign, and for Canadians, Flipper suggests contacting your local member of parliament. Continue reading “This Week In Security: Loop DOS, Flipper Responds, And More!”