Archive for the ‘Articles’ Category

Sep 27 2 Update to my Roundcube skin

In my last post I introduced you to the release of my personal Roundcube skin. It's been a few months, and in the meantime a new version of Roundcube arrived bringing changes to the way skins are handled. As it turns out, my skin wasn't compatible with the new version.

Therefore I've updated the skin – now version 1.0 – with the necessary fixes, mainly compatibility with Roundcube 1.0 -- for example you can actually write emails now.

There's also a new beautiful login screen along with some UI improvements – in the Settings area, especially.

Screenshot of the Fredsted Roundcube skin version 1.0

It's available on good ole github, but you can also just download the zipball if you prefer. Installation instructions are included.

Don't hesitate to create some pull requests or reach out about problems in the comments -- there's still lots more work to be done, and I'll be making many more design tweaks in the coming weeks and cleaning up the code.

Jun 18 10 How to reverse engineer a wireless router

The Zyxel WRE2205


The Zyxel WRE2205 (rebranded Edimax EW-7303APN V2) is a plug-formed wireless extender. What's interesting to me about this device is its extremely small size. Many of my standard power bricks are larger than this unit -- but they don't contain a small Linux minicomputer and advanced wireless functionality.

Trying out the WRE2205 for its intended purpose, I discovered that its wireless performance was quite subpar, slower than my actual Internet connection, but still very usable. Of course, that's understandable. It has no antenna. So I replaced it with a faster AirPort Express, which can also act as a wireless bridge.

No longer needing the device for its intended purpose, I thought about how cool it would be to have an actual Linux plug PC I could SSH to and use for all sorts of home automation purposes, or leave it somewhere public, name the SSID "FreeWifi" and install Upside-Down-Ternet. The possibilities are endless!

So I started getting the desire to hack this thing. And having seen some bad router software in the many devices I've owned, I thought that there could be a chance of rooting this thing.

As anyone who's poked around with consumer network equipment knows, a good place to start is binwalk. binwalk is a utility that lists and extracts filesystems embedded in files like router firmware updates. What these "update" files actually do is replace the whole contents of the operating system partition with a completely new version. This is why these devices may "brick" if the power is cut during an upgrade: the device may not boot without all the files.

To my delight, binwalk came up with a squashfs filesystem embedded in the latest firmware update from Zyxel's Web site.

simon@workstation:~$ binwalk -v wre2205.bin

Scan Time:     2014-06-18 22:44:24
Signatures:    212
Target File:   wre2205.bin
MD5 Checksum:  e2aa557aa38e70f376d3a3b7dfb4e36f

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------
509           0x1FD         LZMA compressed data, properties: 
                            0x88, dictionary size: 1048576 bytes, 
                            uncompressed size: 65535 bytes
11280         0x2C10        LZMA compressed data, properties: 0x5D, 
                            dictionary size: 8388608 bytes, 
                            uncompressed size: 2019328 bytes
655360        0xA0000       Squashfs filesystem, big endian, 
                            version 2.0, size: 1150773 bytes, 445 inodes, 
                            blocksize: 65536 bytes, 
                            created: Wed Mar 26 04:14:59 2014

 

binwalk is so great that it can even extract it for us:

simon@workstation:~$ binwalk -Me wre2205.bin
Target File:   _wre2205.bin.extracted/2C10 
MD5 Checksum:  a47fd986435b2f3b0af9db1a3e666cf1 
DECIMAL       HEX           DESCRIPTION 
------------------------------------------------------------- 
1626688       0x18D240      Linux kernel version "2.4.18-MIPS-01.00 
                            ([email protected]) (gcc version 
                            3.4st.localdomain) (gcc version 3.4.6-1.3.6)
                            #720 Wed Mar 26 11:10"

 

It's all the files for the park... It tells me everything!


We can see it's a Linux 2.4 MIPS kernel. Good. "I know this", as they say in Jurassic Park.

What we get is a directory containing the whole Linux system. What's interesting is you can see the configuration and especially all the shell scripts. There are so many shell scripts. Also the source for the Web interface is of course included.

However, most of the functionality is actually not written with whatever scripting language it's using. It comes from within the Web server, which apparently is heavily modified. The Web files mainly display some variables and send some forms. Not yet that exciting.

The Web server, by the way, is something called boa, an open source http server. Studying the config file, something interesting is located in the file /etc/boa/boa.passwd. The contents:

root:$1$iNT/snisG/y7YBVbw0tQaaaA

An MD5-hashed password, it seems. A kind of creepy thing because the default username for the admin user is admin, not root. And it's referenced in the Auth directive of boa’s config file.  So Zyxel has their own little backdoor. I didn't get to cracking that password, because I moved on to the /web directory, containing all the web files.

The Web Interface for the WRE2205

The WRE2205 Web Interface

The standard things are there, of course. The jQuery library (version 1.7), some JavaScript, some graphics and some language files. The standard header/footer pages (in this case, though, because Zyxel is stuck in the 1990s, a frameset), and so on.

Looking through the filenames, I found two interesting ones: /web/debug.asp and /web/mp.asp. Neither of these is referenced in the "public" Web interface. Having access to debug files is always a good thing when trying to break into something.

The first file, debug.asp, looks like a password prompt of some sort.

Screenshot from 2014-06-18 23:11:50
One might reasonably assume it has something to do with showing some different log files, despite the weird sentence structure. No clues in the config file, and typing some random passwords didn't work (1). Let's move on.

The next file, mp.asp, looks much more interesting:

Screenshot from 2014-06-18 23:17:08
There are several good signs here despite the rather minimalist interface. First, it actually looks like a command prompt: the text box selects itself upon loading the page, and there's a # sign, usually an indicator of a system shell. There was also a clue in the source code: the input field's name is actually command. Simply entering nothing and pressing GO yields the following result:

Screenshot from 2014-06-18 23:23:08
Bingo. It seems to launch a shell script where the input box is the parameter. Let's take a look at this rftest.sh fellow:

Screenshot from 2014-06-18 23:26:01
Lots of different debug commands that yield different things. So, entering ENABLEWIRELESS in the prompt would run /bin/rftest.sh ENABLEWIRELESS and return the output in HTML. (I have no idea what "interface" and yes/no switch does, entering eth0 doesn't work, so maybe it's an example?)

At the bottom there's even a COMMAND command that allows us to execute any command. At least they tried to make this a little secure by limiting the applications you can execute:

    "COMMAND")
         # Allowlist on the binary name only; the arguments are passed through unchecked.
         if [ "$2" = "ifconfig" ] || [ "$2" = "flash" ] || [ "$2" = "cat" ] ||
            [ "$2" = "echo" ] || [ "$2" = "cd" ] || [ "$2" = "sleep" ] ||
            [ "$2" = "kill" ] || [ "$2" = "iwpriv" ] || [ "$2" = "reboot" ] ||
            [ "$2" = "ated" ] || [ "$2" = "AutoWPA" ]; then
             $2 $3 $4 $5 $6
         fi
     ;;

But at this point there's really no point to the allowlist, since passing form input to a shell script like this is completely broken in any case, and we can just do something like this:


And so we have full control. Since || means OR, and the rftest.sh command fails when there's no valid command, the last command will be run.

As we can see from the above screenshot, the web server is running as root so now we have full control of the little plug computer. Software like wget comes preinstalled, so you can just go ahead and download shell scripts, an SSH server, or otherwise have fun on the 1.5 megabytes of space you have to play with. Good luck!
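Why the allowlist inside rftest.sh cannot stop this, and what the fix looks like, as an added example (not code from the firmware or from this post): the || is interpreted by the shell that parses the command line, before the script ever runs. The stub script, the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-in for /bin/rftest.sh: it knows one command and fails
# on anything else, which is the behaviour the post describes.
make_stub() {
    stub=$(mktemp) || return 1
    cat > "$stub" <<'EOF'
case "$1" in
    "ENABLEWIRELESS") echo "wireless enabled" ;;
    *) echo "usage: rftest.sh COMMAND"; exit 1 ;;
esac
EOF
    echo "$stub"
}

# Vulnerable pattern: the form field is pasted into a string that a shell
# parses. Operators such as || are handled by that outer shell, so the
# script's own allowlist never sees them.
run_vulnerable() {   # $1 = script path, $2 = raw form field
    sh -c "sh $1 $2"
}

# Hardened pattern: split the field on whitespace only (globbing off) and
# hand the words to the script as an argument vector. No shell re-parses
# the input, so "||" arrives as a literal, harmless argument.
run_hardened() {     # $1 = script path, $2 = raw form field
    script=$1
    set -f
    # shellcheck disable=SC2086
    set -- $2
    set +f
    sh "$script" "$@"
}

# Defence in depth: accept only a conservative character set in the field.
valid_field() {      # $1 = raw form field
    [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9_. -')" ]
}
```

With the argument-vector version the script's allowlist becomes meaningful again, although binaries such as cat, echo and kill on that list still give a logged-in user a great deal of power when the server runs as root.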

I kind of expected that I had to use an exploit or buffer overflow, get out a disassembler like IDA, or do a port scan, or do some more digging -- but just below the surface there are some quite big security issues. Of course, you need to know the admin password since the whole /web directory is behind Basic authentication.

However, since the boa webserver is an old version with exploits available, you probably won't even need that. We can assume it's not a feature since it's hidden. So with such a big hole, I wonder what else lies below the surface?

 

Footnotes:

  1.  I later found, by running strings on the http server executable, that typing report.txt shows some debug information.

Dec 18 3 Monitoring ’dd’ progress

You should in all likelihood not be using dd to begin with. But here's how to monitor progress if you do.

On Linux, to view the progress of the file/disk copy tool dd, you could send the USR1 signal to get a progress output. This apparently doesn’t work on Apple’s OS.

However, with Activity Monitor, it's easy to see the progress of dd when, for example, copying an operating system image onto a USB (which can take a while...). Simply compare the size of the image with the "bytes written" column to get a good idea of how much progress it has made:

dd progress with Activity Monitor

If you need to view more detailed progress, or use dd a lot, you can try installing pv, a utility which echoes the amount of data piped through it. One would use it with dd like this:

dd if=/file/image | pv | dd of=/dev/disk8

That would render something like this, letting you know the progress:

1,38MiB 0:00:08 [  144kiB/s]

Also, with pv, you could specify the --size parameter to get an estimation of the time it will take to finish. pv can be installed with, for example, Homebrew.

Apr 28 3 Fixing slow ProFTPd logins

Recently a few users on a Virtualmin server have experienced issues with slow FTP logins. It took a long time to log in and often wouldn't log in at all.

To correct this, first log on to the Webmin interface on http://yourserver:10000. At the top left, click Webmin.

A bit further down, under Servers, select ProFTPD Server.

Under Global Configuration, select the Networking icon.

 networking

Then you’ll see a screen with a whole bunch of settings. Set the following options to No:

  1. Set Lookup remote Ident username?
  2. Do reverse DNS lookups of client addresses?

options

Now click save, and on the ProFTPd page press Apply settings at the bottom. Your logins should now be instant.

Feb 26 7 A native KeePass app for Mac

Password storage is incredibly important to me. Since I began seeing friends and others get their identities and online lives taken away because of reusing and/or using weak passwords, I started taking password security extremely seriously.

When I chose the utility to use for this, I had a couple basic requirements.

  1. It had to be open source, for obvious reasons
  2. I had to be able to access my passwords on all my devices (iPad, iPhone, MacBook, workstation)

Things like 1Password and Lastpass didn't fulfill the first requirement, although very handy because of browser integration and the mobile apps. So I ended up choosing a combination of the KeePass framework and Safari+Mac OS X keychain for my password storage needs, with KeePassX for my client, along with a mobile app, MiniKeePass, that syncs my KeePass database using Dropbox. As an added bonus, the iOS mobile app is open source as well.

I use KeePass as my primary password storage database, and Safari's password saving feature for sites I access often, like my blog and reddit account.

I'm very happy with this solution, but unfortunately the Mac KeePassX currently has a very ugly, un-Mac-like user interface. I've been waiting for something which incorporates the native Mac user interface controls.

And, finally, today I stumbled across this KeePass Mac client developed by Michael Starke from Hick'n'Hack Software. It seems like it's in very early alpha, but it can load KeePass files and display their contents, so the basic functionality is almost done. It seems like it's using the MiniKeePass framework library for its backend functionality. I cloned and ran it immediately as I've been wanting this ever since I started using KeePass for storing my passwords.

Unfortunately I can't seem to be able to copy passwords yet, and there's no detail dialog when you click on a password entry.

But since, as of writing, the last commit is 13 hours ago I'm sure this functionality will be added soon. I'm just so happy someone is making this. This definitely makes me want to learn Objective C properly so I can contribute to this project! If you know ObjC, you should definitely go add some pull requests!

 

Here's a screenshot from the release I just built:

Screen Shot 2013-02-26 at 5.59.35 PM

Compare this to the current KeePass:

Screen Shot 2013-02-26 at 6.20.28 PM

Feb 23 4 Sync SSH config across computers with Dropbox

Here's a little time-saving tip for Mac OS X/Linux users: if you work with lots of different Macs and servers daily, store your SSH configuration file in Dropbox, and create a symbolic link to it so you can sync it across your computers.

With this, once I add a new machine to my SSH config, it's immediately available across all of my computers, my workstation, laptop, work machine, etc. I'm terrible at remembering hostnames and IP-addresses, so this comes in handy as I acquire control over more and more servers.

Also, you can of course extend this method to sync other types of configuration files, like your git config or bash profile. Dropbox is a neat tool!

Step 1

Create a folder in your Dropbox to store files like these.

mkdir ~/Dropbox/configs

Step 2

Move your ssh config to this folder. I just call it ssh-config.txt instead of simply config for easier access and so as not to mix it up with other configuration files.

mv ~/.ssh/config ~/Dropbox/configs/ssh-config.txt

Step 3

Create a symbolic link to the new configuration file.

ln -s ~/Dropbox/configs/ssh-config.txt ~/.ssh/config
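
The three steps as one re-runnable function, as an added example that is not part of the original post. It goes beyond the steps above: on a second computer, where the shared file already exists, it sets the local config aside instead of moving it over the synced copy, and it re-applies owner-only permissions, since OpenSSH refuses a config file that is writable by group or others. The function name and the .local-backup suffix are assumptions.

```shell
#!/bin/sh
# Paths follow the post; link_ssh_config and the backup suffix are made up
# for this example.
link_ssh_config() {
    shared_dir="$HOME/Dropbox/configs"
    shared="$shared_dir/ssh-config.txt"
    local_cfg="$HOME/.ssh/config"

    # Step 1: make sure both directories exist; ~/.ssh stays private.
    mkdir -p "$shared_dir" "$HOME/.ssh"
    chmod 700 "$HOME/.ssh"

    if [ -L "$local_cfg" ]; then
        # Already a symlink (the function was run before): nothing to move.
        :
    elif [ -f "$local_cfg" ] && [ ! -e "$shared" ]; then
        # First computer: step 2 as written, the local file becomes the
        # shared copy.
        mv "$local_cfg" "$shared"
    elif [ -f "$local_cfg" ]; then
        # Later computer: a shared copy has already synced down. A plain
        # "mv" here would overwrite it, so keep the local file as a backup.
        mv "$local_cfg" "$local_cfg.local-backup"
    fi

    if [ ! -e "$shared" ]; then
        echo "no shared config at $shared (has Dropbox finished syncing?)" >&2
        return 1
    fi

    # Step 3: point ~/.ssh/config at the shared file.
    ln -sf "$shared" "$local_cfg"

    # ssh checks the file the link points to, so fix the target's mode.
    chmod 600 "$shared"
}
```

Run it once on each computer after Dropbox has finished syncing; running it again is harmless.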

Apr 13 11 InstaDJ – a quick way to assemble YouTube playlists

I made a website that lets you create YouTube playlists easily - and share them, too.

Everybody is online nowadays. Nobody uses CDs anymore. So at parties it’s common to see a laptop hooked up to a stereo where people go up and select songs on YouTube during the night. It kinda sucks though:

  • Music starts and stops randomly as people get drunk and start searching for songs while another is playing.
  • You need to get up and change the track when it stops.
  • It’s too hard to make a playlist on YouTube. You can’t really make one on the fly.
  • What’s more, you have to be logged in with your Google ID to make playlists. I don’t want random people to mess with my account (e.g. Gmail), especially drunk people.

Sure, there’s Grooveshark. But people who aren’t nerds can’t figure out how to use Grooveshark and will just go to YouTube instead. It’s too easy to interrupt a playlist, especially when you’re drunk. The add to playlist button is easily missed.

Grooveshark is also missing many songs due to silly record companies.

Other sites exist, I know. But no matter which one you use, people will inevitably go to YouTube because it’s got all the content and it’s what people know and love.

Even other "YouTube DJ" sites exist. I've been through a few. They either a) require login, b) are hard to use, c) can't autoplay, d) don't work.

So I got fed up with all this and made InstaDJ. It’s a dead-simple Web site where you can add YouTube videos to a playlist on the fly. Even drunk people get it.

InstaDJ allows you to search and queue YouTube videos, using a simple interface everybody understands, in a way which doesn’t interrupt the music.

What it does

  • Search YouTube videos
  • View user uploads and favorites
  • Queue YouTube videos
  • Auto-selects HD video if available
  • Generate URL to playlists
  • Share playlist
  • It's free and there's no ads
  • Easy to use, minimalist interface

I even find myself just using InstaDJ instead of playing music from my iTunes library.

Don't you want to try it out? Just click here to go to InstaDJ.com.

For the technically interested, it's built with the YouTube API, Twitter Bootstrap and jQuery. Enjoy.

Feb 9 0 Apple Predictions for 2012 – 2013

  • All Apple products with screens will begin to have Retina-grade displays, starting with the iPad 3 coming in the first half of 2012, then the MacBooks and finally the Thunderbolt display and iMacs.
  • iPad 3 will have, other than retina display, double the ram, quad core processor, better 8MP camera, thinner, but same 10hr battery life. The design will be similar to that of iPad 2. Oh, and Siri. Coming Q1 2012.
  • Mac OS X will merge with iOS in the next version coming late 2013, potentially removing a lot of functionality, upsetting professionals. There will be no 10.8. It will simply be called iOS. (They've run out of cat names)
  • iMacs will never have touch-screens though.
  • Apple's 42" television set will premiere before 2013. It will look like a large Thunderbolt Display. It will feature iOS. Apple will also partner with TV stations to offer more on-demand programming. It will probably feature Siri so you can channel surf without moving your body. It will be available in black and white.
  • Mac Pro will be discontinued after the next and final generation comes when Intel's new chipset is ready in mid 2012, so sometime in late 2013. Super fast Thunderbolt-equipped iMacs will take over Mac Pro's market.
  • Apple's server offerings will be replaced with cloud services and the increasingly powerful Mac Mini. (Apple doesn't even use their own hardware for servers anymore)
  • Final Cut Pro X will receive rigorous updates. Video professionals will regret their shift to Media Composer as digital formats replace tape.
  • We will see the transition to ARM-based Macs in late 2013 or the beginning of 2014, starting with the MacBook Air.
  • As battery life will be longer, we'll begin to see security features in the MacBook power adapters like Apple recently patented.
  • iPhone 5 mid-late 2012 will have a new, thinner design going back to round corners plus Siri will end its beta phase at the same time. It will have LTE support. iPhone 5 won't have any exceptional features, but it will be the best selling iPhone ever.
  • iPod Classic will be discontinued and replaced with the iPod touch which will be renamed iPod. It will be expensive because of the 128GB SSD.
  • iPod Shuffle and iPod Nano will merge.

Apple will become more consumer and entertainment oriented and will slim its product line accordingly.

Right now, Apple is preparing and conditioning us for the iOS merge with their Lion operating system.

As we've seen with the release of Lion and the 10.7.3 update, retina support on Macs is coming soon.

ARM-based Macs are further away; it's simply not fast enough yet. But it'll come unless something drastic happens at Intel.

Apple's TV will become the best selling TV ever, no doubt about it. Right now, TVs suck with their slow menus and bloated designs with huge bezels and bright LED lights. Consumers want an easy to use, minimalist designed, internet-connected television with an Apple logo on it. And they'll pay a premium for it.

Mac Pro is becoming a legacy machine. Apple will probably have to release a new one to please their professional market, but they're not happy about it. Thunderbolt display will mostly be a dock for Macbooks.

Right now is an exciting time at Apple. It seems like their growth can't stop. But will their changes succeed? Will the competition finally pull itself together and release products worth buying?

Aug 23 38 Mediacenter PC Review: Zotac ZBOX ID41

In this article I'll be reviewing the Zotac ZBOX ID41, which is an inexpensive mini PC from Zotac. The thing about this PC is that it's particularly appealing to media center owners and budget-constrained customers due to its price and small size.

In this review I'll look at some of the factors that are important to me for a HTPC: noise, HD playback, expansion features and power usage.


Apr 1 2 Google’s Aprils Fools 2011: Helvetica

So, if you search for Helvetica on Google today, this is what you'll get:

Dec 29 1 Fix: Securing the DD-WRT location vulnerability

My Internet router uses software called DD-WRT instead of the default firmware. DD-WRT is an open-source alternative to the factory-installed firmware for some routers.

Basically, it allows me to do more and have more control over my router.

Today, however, I read about a location vulnerability in the DD-WRT Web administration interface.

Using a DNS rebinding attack, malicious Web sites can track your location fairly accurately using the router's MAC address. For example, when you visit a malicious Web site, people can find out where you live.

How to enable password protection of the Info-site under Administration > Management inside the router administration page

Securing DD-WRT by enabling password-protection of the info-site

I don't want anyone to know my location without my permission, so I found out how to disable the information page where the router's MAC address is shown.

By accessing the administration interface, and enabling password protection of the info-site, you can shut malicious users out.

Click the screenshot to learn how to enable password-protection.