Older blog entries for Stevey (starting at number 73)

dpkg-changes

 I wrote about my little script for keeping track of package uploads/downloads previously on here.

 A surprisingly large number of people appeared to like it - so it's now been updated to report on the dates upon which packages were added to the system. It's also the first package I added to my personal apt-get'able repository

Debian Audit

 The Debian auditing project is still slowly continuing, I've found a few more packages with problems but nothing too major thus far.

 It's looking like I was a little bit harsh initially; on average I'm finding exploitable/crashable programs in 5-10% of cases.

Chicago

 Here's a couple of jokes which I always love, and usually go down well:

Why is six scared of seven?
Because Seven Ate Nine...

 This is my favourite...

What did zero say to eight?
Nice corset ;)

Debian

 I've just finished packaging a couple more minor scripts, and now that I've discovered how, I'm in the process of creating an apt-get'able repository so that people can download them from my site; before they enter Debian properly - if they ever do.

Network Stuff
jds thanks for the comments. I like your idea of not denying the request; just sending back something.
DNS

 After the recent bind security vulnerabilities were announced I've been reading all the DNS RFCs and source code I can.

 It's actually a mostly simple and sane protocol, certainly something I'd like to look at in more depth, time willing.

 Currently my understanding is that there are several alternatives to bind, but none of them are as complete:

  • djdns - Unpleasant license, some oddities.
  • maradns - Not suitable for production.
  • nsd - New one, not sure about this yet - will look when the Debian package arrives
  • dnsql - Uses a database.

 I spent a while knocking up a flex/bison parser to read in Bind's zone files - they're a little gnarly, but it seems wrong to me to create yet another configuration file format, and it would ease migration considerably (cf djdns)

Email

 I got the go ahead to purchase two 80Gb drives to stick in our new mail server. This will allow me to switch the company to imap, which is a good thing - as I can use the squirrelmail package to provide webmail to everybody as a bonus.

 Currently the company's mail files total ~14Gb, so I figure 80Gb will keep us in space for a few months at the least, and the second drive will maintain an hourly rsync'd backup for safety. (There'll be a tape backup too, but I hate having to restore things from tape)

 Migrating people should be fine; I'll just move the contents of their inboxes over, then upload their Eudora mail files to the new imap server and all should be well.

 I've also been given two 24 port 100mbps hubs, so I anticipate a busy time next weekend tidying up the company's racks and upgrading the two 10Mbps hubs we have. I hope I don't have to make too many new cat5 cables. (I can do them but I hate the fiddliness of it! Plus my failure rate is around 10% which is bad)

Network Libraries?

 I've been thinking about adaptive systems a bit recently, systems that would learn what is a normal environment, and automagically detect deviations.

 This is part of my recurring obsession with genetic algorithms and self-organizing systems.

 Now I'm thinking of actually writing code. `Protecting` a webserver would seem like a trivial task, read in all the URLs which are requested, and deny those which are atypical. For example it should be possible to detect something anomalous like '/_vti_inf.html'.

 Now that I come to implement it the boring part of the code is proving harder than I thought.

 Assume the following setup:


-----------------    --------------    -------------
| Evil Internet |->  | Filter Box | -> | Webserver |
-----------------    --------------    -------------

 That seems logical doesn't it? With that setup I could trivially use libpcap to capture packets destined for the webserver, and use those as input to the filtering system.

 The hard part comes next; how do I silently drop the `bad` requests?

 Right now I'm not aware of anything that will do it, (allow me to both intercept and possibly discard packets arbitrarily).

 So I'm having to write this as a kind of proxy server, which I don't like as this really does require a separate box/layer. I liked the idea of silently sniffing, much like snort does.

 Ho hum...

Insomnia

 I finally gave up the futile attempt to sleep at around 11PM. It just wasn't happening.

 After surfing the web for an hour or two I decided that I should write some code; I have a small list of projects I keep meaning to start, little programs that aren't really that big but which would be useful to have.

 Tonight I decided to write my package tracking software...

dpkg-changes

 dpkg-changes is a small perl script which will report on the packages which have been added or removed from a Debian GNU/Linux system since it was last run.

 It's almost as simple as it sounds!

 The first time it is run it builds up a cache of all the installed packages, then on each subsequent run it compares the current state of the system to what it reads from its cache. Added or removed packages are dumped to stdout - it's ideal to run from a crontab file.

 I've wanted something like this for a while at work, where several people are constantly tweaking some of our server machines.

 It's sufficiently trivial that I've never quite gotten round to writing it, until now.

 As it's so trivial I've not created a Debian package yet - maybe in a few days time, if nobody points me at an already existing solution to this problem ;)

10 Nov 2002 (updated 10 Nov 2002 at 19:38 UTC) »
Unbounded Copies

Nafai77: Yes my problem is that strncpy isn't being used in that snippet. If the environmental variable HOME is longer than `MAXPATH` the buffer it is being copied into will be overflowed, and there is the possibility of running arbitrary code. (For more details on how this can be done read the classic paper Smashing the stack for fun and profit by Aleph One)

 I've been filing a lot of bugs about these kind of issues recently - because they're sloppy coding, and if the program is setuid/setgid they're almost certainly exploitable.

 For each case my patch has been to re-write the code as this:


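/* needs <stdio.h>, <stdlib.h> and <string.h> */
char path[MAXPATH];
memset(path, '\0', sizeof(path));

if ( getenv( "HOME" ) )
{
    /* snprintf takes the destination buffer first, then its size, then the format */
    snprintf( path, sizeof(path)-1, "%s/.foorc", getenv( "HOME" ) );
}
else
{
    /* No $HOME attempt to use the current directory */
    strcpy( path, ".foorc" );
}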

 I believe that code is robust.
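
A variant of the patch above that also checks snprintf's return value, so an over-long HOME is reported as an error instead of producing a silently shortened path. This is an added example, not code from the original entry or from any audited package; `build_rc_path` and the small `MAXPATH` value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATH 64   /* assumed small value so the sample input overflows it */

/* Hypothetical helper: build "<home>/.foorc" into out (capacity outsz).
 * Returns 0 on success, -1 if the arguments are bad or the path will not fit.
 * A NULL or empty home falls back to the current directory. */
int build_rc_path(char *out, size_t outsz, const char *home)
{
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';

    if (home != NULL && home[0] != '\0')
        n = snprintf(out, outsz, "%s/.foorc", home);
    else
        n = snprintf(out, outsz, ".foorc");

    /* snprintf returns the length it wanted to write; >= outsz means truncated */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';   /* never hand back a shortened path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[MAXPATH];
    char longhome[4 * MAXPATH];   /* constructed oversized HOME value */

    memset(longhome, 'A', sizeof(longhome) - 1);
    longhome[sizeof(longhome) - 1] = '\0';

    printf("%d %s\n", build_rc_path(path, sizeof(path), "/home/steve"), path);
    printf("%d [%s]\n", build_rc_path(path, sizeof(path), longhome), path);
    printf("%d %s\n", build_rc_path(path, sizeof(path), NULL), path);
    printf("%d %s\n", build_rc_path(path, sizeof(path), getenv("HOME")), path);
    return 0;
}
```

Rejecting the truncated result matters because a shortened path still names a file, just not the one the user intended.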

Gifts

 Somebody nice bought me a DVD from my wishlist, I've been in a happy mood all week!

 Financially it's something I could have bought myself with no effort, and it wasn't a very expensive gift; I'm just feeling so pleased that somebody cared enough about my code/work to donate something.

Hacks

 More work has been done on the Debian security audit project; I've gone over a few more packages and found a few small bugs. Nothing major at the moment.

 It is depressing, though, how many times I've seen the same code in unrelated packages:

char path[MAXPATH];
...

strcpy( path, getenv("HOME" ) );
strcat( path, "/" );
strcat( path, ".foorc" );

 I'm seriously beginning to blame this kind of error on the sample code which is so often displayed in books, and online - code which usually has a disclaimer in the introduction along the lines of "obviously you'd include error checking in your code - we've omitted it here to better demonstrate the principles we're discussing".

 Never again would I purchase a book which contains this text, or its equivalent, in its introduction.

 I'm tempted to write a piece on testing software to destruction - which is something I enjoy...

SysAdmin

 One of the higher up people in our company resigned on Friday, he had root on all our boxes - so there was a morning of frantically resetting passwords, checking for 'screen' sessions, and poring over crontab entries.

 I don't think for a moment that he would do anything bad; but being careful protects us, and him.

 I'm going to miss him over the coming days, and weeks .. if only because I have one less person to beat at gTetrinet

Audit

 The Debian auditing is sucking up most of my time at the moment, that and a little bit of x86 assembly language programming.

 I used to have the linux-progress-patch installed upon my desktop machine, but it fell by the wayside when I had to upgrade my kernel to get USB support fairly recently.

 To be honest I liked it a lot, it made the machine sexier to visiting friends...

 I might have a look at that again - there's even a debian package available for it nowadays.

GNUMP3d

 After a month long absence from all development I'm getting back into it. coolvibe mentioned a problem with GCC 3.2 using v0.9.9.9.4 - which is very old.

 I'm sure it's been fixed now, I made a few changes for GCC compatibility a while back, mostly to get it working under FreeBSD. The only remaining problem that I'm aware of is the segfaults under SMP machines because of improper std::string updates.

 I've tried to mask this by using paranoid mutexes. The real solution would be to fix libstdc++, or write a new threadsafe string class - which is fairly pointless...

Debian Audit

 Now that there's a new version available I can publicly reveal my gTetrinet advisory.

 This was the first vulnerable program discovered by my Debian Security Audit Project. Go me!

xclose

 Whilst ill in bed at the end of this week I put together a quick hack xclose - This is a tiny application which will either list or kill any X windows within your current X session which match a given regular expression.

 It's comparable to those Windows applications which sit in the system tray and attempt to close popup windows from browsers. Given that I use Mozilla I don't have that problem, but it did serve as a fun reminder of writing XLib code.

 This will be used as the core of a new application - I want a little toolbar which will effectively duplicate the functionality of the windows taskbar. A long thin, movable, strip which will display an icon for each open window on the desktop, and allow simple operations to be applied to them.

 (This is for use with window managers which don't provide a taskbar of their own - something I really miss.)

Debian Auditing Project

 After discovering a couple of Debian packages with remotely exploitable holes, (advisories should be out this week), I've started an ambitious new project:

 If anybody is interested in helping out I'd appreciate hearing from you, either here, or elsewhere.

 I've been putting together a couple of tools to help with the audit which is being carried out by hand. There are some interesting tools around such as RATS, Flawfinder, etc, but I think it's fair to say that their output is advisory at best.
