The allegedly weekly roundup of notes – Jan 14th, 2022

Yes, hello. This is a series of supposedly weekly posts I planned to start at the start of 2022, and then rather predictably immediately forgot to do. So this, the end of the second week, will be the first one.

Anyway, this is just where I drop various interesting bits I’ve read/come across during the week, along with misc notes. Not all of it will be computer related.

Will also contain commentary and opinions (often taking the piss), and should not be taken too seriously.

It's tagged "shitpost" in the WordPress tags, so you can filter it out easily (presumably).

No, Mirai variants didn’t infect SonicWall SSL-VPN appliances using VisualDoor.
So I came across this article in Threatpost, referencing this post from Palo Alto's Unit 42. Anyway, the claim is that, using this exploit I published, a Mirai-based botnet was infecting SonicWall SSL-VPNs.

This is not exactly the case. The astute reader who has tested the exploit out will know that "wget" and such simply are not present on the vulnerable devices. So it is entirely impossible for the payload the Mirai variant fired to execute: it tried to inject a "wget" command, and "wget" doesn't exist on the box.

So SonicWall’s got off the hook this time, but only due to the ineptitude of skids.

My friend Jake is doing this same kind of post, but less frequently and better.
The whole idea for this kind of post came out of a discussion we were having. Basically, that actually publicly sharing what neat/interesting things you come across/are reading about might be interesting to someone else.

Or at least, you will be able to go back and find them later on?

You can read his entry on his site here.

SonicWall SMA-100 Devices Vulnerable to Preauth RCE (again).
The nice folks over at Rapid7 published a very interesting advisory, which you can read here. TL;DR: stack buffer overflow, preauth, in the SonicWall appliance's webserver.

Jacob provides a nice minimal proof of concept that gets code execution eventually. With some work, it probably could get code execution a lot faster/more reliably.

Given that it is a stack buffer overflow, and that every forked Apache child process (in this case) has the identical memory layout (the parent forks them, so a crashed child tells you nothing is re-randomised for the next one), I wonder if this could be a good candidate for a technique like Blind ROP? Or is simple brute-forcing of the address space and using a system() gadget more optimal?

I also wonder if Jacob's exploit would get code execution faster if it was modified to use a shitload of concurrent threads…

If someone has a vulnerable appliance that they will let me experiment with, get in touch.

You should also go read the Blind ROP paper; it's fucking awesome and has lived rent free in my brain for years now.
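To make the "identical layout across forks" point concrete, here is an added illustration of the stack-reading oracle from the Blind ROP paper. It is my simulation, not the Rapid7 proof of concept and not an exploit for anything real: the "server" is the script forking itself, the inherited secret stands in for a canary or saved return address, and a non-zero child exit stands in for the crash. Everything in it (the secret length, the probe function, the names) is assumed for the demo.

```python
"""Simulation of the "stack reading" oracle from the Blind ROP paper.

Added illustration, not the Rapid7 proof of concept and not an exploit for
anything real. The point it demonstrates: a server that forks a worker per
request gives every worker the same memory layout, so the stack canary and
the saved return address are the same in every child, and a crashed child
does not re-randomise them. Overwriting one byte past the buffer and
observing whether the worker survives leaks that byte; an 8-byte value then
costs at most 8 * 256 probes rather than 2**64 guesses. Here the "server"
is this process forking itself and the "crash" is a non-zero exit.
Requires os.fork (Linux, BSD, macOS).
"""
import os
import secrets

SECRET_LEN = 8

# Stand-in for a stack canary or saved return address. It is fixed before
# the first fork, so every child inherits the identical value, just as the
# children of a pre-forking Apache parent do.
_SECRET = secrets.token_bytes(SECRET_LEN)


def probe(guess: bytes) -> bool:
    """One 'request': fork a worker, return True if it survived.

    The child compares the guessed prefix with the secret it inherited and
    exits non-zero on mismatch (standing in for SIGSEGV/SIGABRT from a
    smashed canary). In the real attack the oracle is the TCP connection:
    closed means crash, still open means the byte was right.
    """
    pid = os.fork()
    if pid == 0:
        os._exit(0 if _SECRET[: len(guess)] == guess else 1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def stack_read(length: int = SECRET_LEN) -> tuple:
    """Recover `length` bytes one at a time; returns (value, probes_used)."""
    known = b""
    probes = 0
    for _ in range(length):
        for candidate in range(256):
            probes += 1
            if probe(known + bytes([candidate])):
                known += bytes([candidate])
                break
        else:
            raise RuntimeError("no candidate survived: the oracle is unreliable")
    return known, probes


def demo() -> bool:
    """True if the full secret is recovered within the 8 * 256 probe bound."""
    value, probes = stack_read()
    return value == _SECRET and probes <= 256 * SECRET_LEN


if __name__ == "__main__":
    value, probes = stack_read()
    print(f"recovered {value.hex()} in {probes} probes; secret was {_SECRET.hex()}")
```

Swap the in-process comparison for a socket to a forking target and the same loop reads the canary, then the saved frame pointer and return address, byte by byte; the "threads" idea above just means running several of these loops against different workers at once.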

Bio-transformation of Benzaldehyde via yeast as part of cooking meth?!
As some of you will know, I studied forensic chemistry. I still have an interest in forensics and chemistry, they are fascinating. I also think the war on drugs is fucking stupid – drugs clearly won but the farce goes on, and citizen scientists got royally shafted along with the rest of society.

So you know how there are limits on how much Sudafed you can purchase at a time? Because people use the pseudoephedrine and/or ephedrine to cook methamphetamine? I’m sure we all learned this from Breaking Bad, at least.

Anyway, some clever buggers who wanted to illegally produce methamphetamine in Australia worked out that by taking ordinary brewer's yeast and feeding it glucose and benzaldehyde, the yeast would produce phenylacetylcarbinol, which can then be converted trivially into pseudoephedrine and/or ephedrine, and onward into methamphetamine by the usual processes. Some characteristic impurities are left behind, meaning meth produced this way is kind of unique.

This really gave me a chuckle, as while pure benzaldehyde is a "watched substance", it's well known that you can produce it trivially from almond oil. Good luck banning fucking almonds, mate (they did ban the oil in the US, but steam distillation of bitter almonds is not exactly difficult).

Obviously, I don't recommend anyone try to reproduce this without the proper licencing and authorisation. Replacing doors is expensive, and so are lawyers.

I won’t link directly to the paywalled journal article, but you can find it at a certain hub of science with the following DOI: doi:10.1016/j.forsciint.2009.04.010 .

"The Secrets of the World's Greatest Art Thief".
Ok, so GQ sometimes has some amazing articles, and this one's from a while back. I came across it while looking up art heists. I kind of have a thing for art heists. Probably watched "The Thomas Crown Affair" at a formative age or something.

This guy basically nicked fucking everything, everywhere, all the time. Absolutely insane amounts of priceless artworks pilfered. How? He just picked them up and walked out, basically. All the sophistication of your average teenage shoplifter. For most of his career, he doesn’t even wear gloves.

Dude and his missus (yep, she joined him on these capers) get caught, and get away virtually scot free. Then he gets caught again (for real this time), and his missus and mum go into cleanup mode, punting a metric fuck tonne of priceless art into a canal. Maybe burning some of it. Much of it is never recovered.

Anyway, it’s a good read.

A neat trick for LFI to RCE on nginx.
Neat tricks for getting remote code execution from local file inclusion bugs will always get my attention. Some of the neatest hacks we pulled off back in the day were powered by some pretty interesting local file inclusion trickery to gain code execution.

This blog post outlines one of the neater tricks I've seen in a while. It abuses nginx's POST body buffering: a body larger than the in-memory buffer gets spooled to a temp file, which the worker unlinks but keeps open, so the content is still reachable on disc via /proc/<nginx worker pid>/fd/<n> for as long as the request is being handled, and that path can then be included. There is some racing involved (the include has to fire while the body is still in flight), but the trick seems pretty reliable.

Probably one of the cooler things I’ve seen come from the CTF scene in a while, as it has immediate, real-world applications in practical hacking.

I have a few experiments to run that might improve the reliability of “winning the race”, for example, using Keep-Alive headers with a long timeout and slowly doing the “file upload” (POST) part over a lengthy period of time (akin to the HTTP Slow POST DoS attack) might make the race easier to win, by extending the period of time during which the buffer is on disc.
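The mechanism the trick rests on is that an unlinked file stays readable through /proc/<pid>/fd/<n> while someone holds it open. Here is an added illustration of exactly that, written for this post rather than taken from the writeup above: a child process plays the nginx worker (spool body, unlink, hold the fd open), the parent plays the PHP side with an include bug (enumerate the worker's fd table, read the deleted entry back). The body, the temp-file prefix and the function names are all assumed for the demo; it needs Linux for procfs.

```python
"""Why the nginx client-body trick works: an unlinked file that some process
still has open stays readable through /proc/<pid>/fd/<n>.

Added illustration for this post; it is not the code from the writeup
discussed above and it is Linux-only (it needs procfs). The child plays the
nginx worker: it spools a "request body" into a temp file, unlinks it the
way nginx unlinks its client_body_temp files, and keeps the descriptor open
while the request is "in flight". The parent plays the PHP side with the
file-inclusion bug: it does not know the descriptor number, so it walks the
worker's fd table, keeps entries whose link target is marked "(deleted)",
and reads one back. In the real attack that read is the vulnerable
include(), and the race is keeping the body in flight until it fires.
"""
import os
import tempfile

# Constructed sample "request body"; in the attack this would be PHP source.
SAMPLE_BODY = b"<?php echo 'constructed sample payload'; ?>\n"
TEMP_PREFIX = "client_body_"  # nginx spools bodies to client_body_temp/


def _worker(body: bytes, ready_w: int, done_r: int) -> None:
    """Child: spool `body` to an unlinked temp file and hold the fd open."""
    fd, path = tempfile.mkstemp(prefix=TEMP_PREFIX)
    os.write(fd, body)
    os.unlink(path)           # gone from the directory, not from the fd table
    os.write(ready_w, b"1")   # tell the parent the body is in flight
    os.read(done_r, 1)        # block until the parent has finished reading
    os._exit(0)


def deleted_fds(pid: int, name_hint: str = TEMP_PREFIX) -> list:
    """/proc/<pid>/fd entries pointing at unlinked files whose name contains `name_hint`."""
    fd_dir = f"/proc/{pid}/fd"
    hits = []
    for name in sorted(os.listdir(fd_dir), key=int):
        link = f"{fd_dir}/{name}"
        try:
            target = os.readlink(link)
        except OSError:
            continue                       # fd closed between listdir and readlink
        if target.endswith(" (deleted)") and name_hint in target:
            hits.append(link)
    return hits


def read_in_flight_body(body: bytes = SAMPLE_BODY) -> bytes:
    """Start a 'worker' holding `body` open and read it back through procfs."""
    ready_r, ready_w = os.pipe()
    done_r, done_w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(ready_r)
        os.close(done_w)
        _worker(body, ready_w, done_r)     # never returns
    os.close(ready_w)
    os.close(done_r)
    os.read(ready_r, 1)                    # wait until the body has been spooled
    recovered = b""
    try:
        for link in deleted_fds(pid):      # the include() in the real attack
            with open(link, "rb") as f:
                recovered = f.read()
            break
    finally:
        os.write(done_w, b"1")             # release the worker
        os.waitpid(pid, 0)
        os.close(ready_r)
        os.close(done_w)
    return recovered


if __name__ == "__main__":
    print(read_in_flight_body().decode())
```

The attacker's version of `deleted_fds` has no pipe to wait on, which is where the race (and the slow-POST idea above) comes in: the longer the worker sits on that descriptor, the wider the window in which the include can hit it. Note also that reading another process's /proc/<pid>/fd needs the same uid (or ptrace rights), which is why the trick needs PHP and nginx running as the same user.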

A study on the LD-50 of falling from a height.
Sometimes, you come across the most bizarre studies. This one from 2018 is pretty weird – but also makes a lot of sense. Basically, they gathered data on the clinical outcomes of people falling from heights, and tried to validate the LD-50 for height (LD-50 being the “dose at which 50% of subjects snuff it”).

Apparently, 48 feet (4 stories) will kill you half of the time, and 84 feet (7 stories) will do so 90% of the time. There are also statistical outliers (not mentioned in the study) such as Bear Grylls of TV fame, who fell from 16,000 feet. Or the even greater outlier, Vesna Vulović, who not only survived the plane being blown up, but also the fall from 33,330 feet.

Now, while the manner of falling (head first, feet first, sideways, etc) would probably have a decent bearing on survivability, along with the conditions of what you fall onto, in general falling from above 25 feet had a “greater risk of death”.

25 feet is about 7.62 meters, and the average bouldering wall tops out at about 15 feet (4.5 meters), so no, falling off the climbing wall probably won’t kill you. It probably will still fuck you up though.

Germany continues in its efforts to censor the internet.
Germany, a notoriously backward country (in terms of digitalisation and internet laws), has continued in its war on any technology more modern than the fax machine with suggestions that it might block the shite messaging app Telegram, as per Reuters, unless it can find some way to censor it.

This follows on from their prior idiocy where the German courts ruled that the DNS provider Quad9 must submit to the wishes of Sony and censor pirate sites.

While living in Germany, I often found that sites vital to science, such as Sci-Hub, were blocked (using crude DNS blocking) by ISPs. The country is also blighted by a plague of copyright lawyers that aggressively pursue those who might torrent some content, sending legal nastygrams and issuing "fines".

Maybe once the last remaining fax machine manufacturers go out of business, the country will rejoin the rest of us in the 21st century. It is otherwise a lovely place with lovely people, 10/10 would recommend.

Ireland decides to implement minimum unit pricing on alcohol.
In an unsurprisingly poor choice of policies to implement, the Irish government's war on craic continues with the implementation of minimum unit pricing for alcohol in off licences. This policy is intended to curb problematic drinking. But, as anyone can tell you, price isn't even a consideration for someone with a drink problem. This policy serves only to fuck over the less well off. Naturally, people are pissed.

This joins other regressive policies Ireland has with regard to alcohol, such as the virtual ban on drinking in public spaces (mostly down to council by-laws), which was at odds with the "takeaway pints" offered during lockdowns; the relatively novel (and pointless) policy wherein shops have to hide alcohol-containing products away behind some silly little gates; and the restrictions on hours of sale (with special Sunday hours!).

So booze, which was already hilariously expensive in Ireland, has gotten… More expensive.

I wonder if this will bring about a resurgence in the popularity of home brewing for personal consumption? The return of the poitín still?

Rocket Propelled Christmas Tree.
Two of my favourite content creators, Joe Barnard and Xyla Foxlin, along with a bunch of other cool rocketry people, celebrated Christmas by going out into the desert and strapping a high powered rocket motor to a Christmas tree. It flew surprisingly well!

You can find their videos on this here and here. Worth a watch, you get to see a tree take flight.

I wonder what Treebeard would have to say about all this?

“Alternative” Legal Systems.
I was reading a thread on the orange website regarding an article by some threatbutts about the parallel legal/arbitration system on cybercrime marketplaces, and came across a fascinating link to some work by a David Friedman about various alternative legal systems, both historical and contemporary, that exist.

You can find that work here.

Almost every "Dark Net Market" or cybercriminal marketplace/forum has some kind of arbitration system for disputes, along with groups that work to ensure rippers/scammers are found out and ostracised from the marketplace. If a marketplace gets a reputation for being riddled with untrustworthy vendors (or clients!), business becomes difficult and everyone makes less money.

Another interesting example of this is the "LSD Avengers", who took it upon themselves to purchase and test the wares of various acid vendors and post ratings.

An even older example of these parallel “justice systems” and “codes of conduct” is the old rules of “Thief in Law” from the Russian criminal milieu.

Studying these concepts would be of benefit to people who have an interest in the political philosophies of anarchism or “community justice”, I suspect.

Scandinavian heists are fucking absurd.
I came across this piece in the Atavist about a heist in Denmark some years ago. It's a long read, but worthwhile.

Basically, the gang decided to rob a company that runs cash collection/handling in Denmark. To keep the police away, they used caltrops and stolen vehicles set alight as roadblocks.

Unfortunately for the gang, despite pretty solid planning and execution of the heist, they got caught due to piss poor operational security practices and generally acting like complete gobshites after the fact.

In news to absolutely nobody, conifer plantations are bad for biodiversity.
A recent study has shown that the conifer plantations that make up a huge amount of Ireland's forest cover are basically worthless in terms of biodiversity, and specifically are bad for the survival of our native red squirrels.

I have absolutely zero faith that the current administration will do anything to rectify this, and believe firmly that the only way we will regain any forest cover worth a damn in Ireland is if private citizens form collectives/coops, purchase blocks of land, install fencing to keep grazing animals (deer, goats, sheep) out, and largely let nature take its course (with probably a little help).

Ukraine gets owned due to (probably) PHP Type Juggling.
Ukraine got cybered pretty hard by the (presumably) Russians. According to Kim Zetter's sources, the attackers got in by exploiting a known (not 0day) password reset hole in October CMS, a FOSS Laravel/PHP CMS (that also has commercial support licences, etc).

The culprit seems to be CVE-2021-32648, which allows an attacker to send a crafted request to the site's password reset page and take over accounts, admin accounts included.

Looking at the patches for this, here and here, you can see the developers adding stricter casting of types to integer, and also changing how they do comparisons, from "==" to "===". Without delving deeper into the codebase, the scratch-and-sniff test tells me that this is likely a PHP Type Juggling vuln, and that class of bug is not particularly uncommon.
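For anyone who hasn't met type juggling before, here is an added illustration of what "==" versus "===" means for a token check. It is my emulation of PHP 7's loose comparison rules (ints, floats and strings only), not October CMS code, and it makes no claim about which exact comparison those patches fixed; the token names and the check functions are assumptions for the demo. The two MD5 inputs are the well-known "magic hash" pair whose digests both start with 0e.

```python
"""What PHP type juggling means for a token check.

Added illustration for this post. It is my emulation of PHP 7's loose ==
rules for ints, floats and strings, not October CMS code, and it makes no
claim about exactly which comparison the patches linked above fixed; it
shows the class of bug those diffs are guarding against. Rules emulated:
two numeric strings compare as numbers ("0e1" == "0e2" is true because both
are 0 * 10^n); an int against a string converts the string to a number,
with a non-numeric string becoming 0 (PHP < 8; PHP 8 compares the int as a
string instead, so 0 == "abc" is now false, but "0e1" == "0e2" is still
true). The hardened check mirrors the fix pattern in the linked patches:
same type, then strict equality (hash_equals() in PHP, compare_digest here).
"""
import hashlib
import hmac
import re

# PHP numeric string: optional leading whitespace, sign, digits/decimal, exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")
# "Leading numeric" prefix, used when a string is coerced to a number (PHP 7).
_LEADING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def _coerce(s: str) -> float:
    """String-to-number as PHP 7 does it for comparisons: leading numeric part, else 0."""
    m = _LEADING.match(s)
    return float(m.group(0)) if m else 0.0


def php7_loose_eq(a, b) -> bool:
    """Emulation of PHP 7 `==` for int/float/str operands."""
    if isinstance(a, str) and isinstance(b, str):
        if _NUMERIC.match(a) and _NUMERIC.match(b):
            return float(a) == float(b)      # both numeric: numeric comparison
        return a == b                        # otherwise byte-wise
    if isinstance(a, str):
        return _coerce(a) == b
    if isinstance(b, str):
        return a == _coerce(b)
    return a == b


def php_strict_eq(a, b) -> bool:
    """PHP `===`: same type and same value, no coercion."""
    return type(a) is type(b) and a == b


def magic_hash_pair() -> tuple:
    """Two inputs whose MD5 hex digests both look like 0e<digits>, i.e. 0.0 to `==`."""
    return (hashlib.md5(b"240610708").hexdigest(), hashlib.md5(b"QNKCDZO").hexdigest())


def token_check_loose(supplied, stored) -> bool:
    """The vulnerable shape: `if ($supplied == $stored)`."""
    return php7_loose_eq(supplied, stored)


def token_check_hardened(supplied, stored) -> bool:
    """Fix pattern: insist on strings, then constant-time strict comparison."""
    if not (isinstance(supplied, str) and isinstance(stored, str)):
        return False
    return hmac.compare_digest(supplied.encode(), stored.encode())


if __name__ == "__main__":
    h1, h2 = magic_hash_pair()
    print(h1, h2)
    print("loose:", token_check_loose(h1, h2), "hardened:", token_check_hardened(h1, h2))
    print("0 == 'abc' under PHP 7:", php7_loose_eq(0, "abc"))
```

The practical takeaway is the one the diffs hint at: anything that arrives from the request (a token, a user id) gets cast to the type you expect first, and is then compared with "===" or hash_equals(), never "==".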

Well, that ends this weekly shitposting of the misc. stuff I found interesting on the internet. I will maybe continue this next week, with another roundup of whatever caught my fancy during the week. Articles, blog posts, news stories, etc.

If I manage to keep this going for more than a month without forgetting about it, it will be a minor miracle.
