CVE-2018-7160 - Pwning (NodeJS) Developers

TL;DR:  NodeJS in debug mode did not check the Origin-Header of websocket connections. This could lead to arbitrary code execution on victims systems if they visited a malicious website while debugging NodeJS. Visual Studio Code 1.19 - 1.19.2 was running in debug mode by default and exposed all users to this vulnerability.

Due to my suspiciousness against 3rd party software (probably a side effect of being an information security professional) I regularly check my systems for open ports (either by directly using ss/netstat or with my cinnamon plugin (disclaimer: mostly written for my needs and I'm to lazy for the documentation)). In January 2018 I noticed that Visual Studio Code has opened TCP port 9333 listening on localhost (version 1.19.1 at that time).

It's not uncommon these days for code editors to open listeners (mostly for remote debugging, but also for live updating the website your currently developing or shared intellisense support). Nevertheless, I wanted to see why it's listening on this port as I wasn't debugging anything and also worked only on some python code.

As it turned out, it was actually a debug port! Not for some code I was developing, but to debug vscode itself...

USB Reverse Tethering with Android 5.1 (Root required)

Hi,

I've used USB reverse tethering years ago with my HTC Desire HD in cases were I had a faster ethernet connection or bad wifi signals. Today I wanted to use the ethernet connection of my laptop because the wifi was to unstable to make some videos offline available for later use.

So I decided to reactivate the (now officially unavailable) reverse tether mechanism of my Nexus 4 (with CM12).

The first steps were more or less easy:

1. Enable the usb tethering device on the android phone (after connecting via USB of course)

   adb> # setprop sys.usb.config rndis,adb

2. Making a "share connection with others" profile in NetworkManager
3. Setup nat on the host

   host> # sysctl -w net.ipv4.ip_forward=1
   host> # iptables -t nat -F
   host> # iptables -t nat -A POSTROUTING -j MASQUERADE
   

4. Setup the ip addresses and routes on the phone

   adb> # ip addr add 10.42.0.2/24 dev usb0
   adb> # ip link set usb0 up
   adb> # ip route add default via 10.42.0.1

Aaaaand.... didn't work -.-

As I read somewhere many of the android apps ask the android API for a existing internet connection, and will only get a positive answer if a wifi or data connection is enabled.
As a wifi network was available (but with no internet uplink) I decided to connect to it to fool the system...

Things got weired... an ip route show command revealed that I had setup the route correctly:

adb> # ip route show
default via 10.42.0.1 dev usb0 
10.42.0.0/24 dev usb0  proto kernel  scope link  src 10.42.0.2 
192.168.178.0/24 dev wlan0  proto kernel  scope link  src 192.168.178.164

... but all connections were routed over the wlan0 device:

adb> # tracepath 8.8.8.8
 1:  192.168.178.164                                       1.129ms pmtu 1500
...

After some fiddling I noticed that the ip route command can handle multiple routing tables and there were a wlan0 routing table:

adb> # ip route show table wlan0
default via 192.168.178.1 dev wlan0
192.168.178.0/24 dev wlan0  proto kernel  scope link  src 192.168.178.164

Now I had only to fix this table and everthing gots working :-) :

adb> # ip route delete default table wlan0
adb> # ip route add default via 10.42.0.1 table wlan0
adb> # ip route add 10.42.0.0/24 dev usb0 table wlan0

You'll find a shellscript setting things up for you at github

git submodules and branches

normally git submodules are working in a 'detached mode'. This means that if you want to commit some changes, they could be lost (or at least you need to recover it) if you didn't create a branch for it.

But git submodules can also handle automerging/-rebasing on every git submodule update call.

This could be done by setting the correct commandline switch:

$ git submodule update --merge  # for merging 
$ git submodule update --rebase # for rebasing

or you could set it in your git config by issuing

$ git config submodule.[the submodule name].update merge # for merging
$ git config submodule.[the submodule name].update rebase # for rebasing

or doing it all in once

$ for submodule in $(git submodule | cut -d' ' -f1); do git config submodule.${submodule}.update merge; done; # for merging
$ for submodule in $(git submodule | cut -d' ' -f1); do git config submodule.${submodule}.update rebase; done; # for rebasing

BlueC0re

git pre-receive hook with checkstyle for java code checking

Today I have written a small python script for forcing the sun coding conventions in a small project. For checking the java source code I have used the checkstyle tool.

The following python script uses the git executable for creating a file list of all changed files, latest file revision only, and run checkstyle over it.

GDB: Disassembly Syntax highlighting + CPP demangle

Here is a little GDB Skript, which enables syntax highlighting for disassemblings and demangles cpp-names:

shell mkfifo /tmp/colorPipe

define hook-disassemble
echo \n
shell cat /tmp/colorPipe | c++filt | highlight --syntax=asm -Oxterm256 &
set logging redirect on
set logging on /tmp/colorPipe
end

define hookpost-disassemble
set logging off
set logging redirect off
shell sleep 0.1s
end

define hook-quit
shell rm /tmp/colorPipe
end

It uses highlight and c++filt and is based on Expermintal GDB syntax highlighting by Michael Kelleher

SessionManager for gdb

I had written today a simple SessionManager for GDB via GDB's Python-API
You need to place the following python lines in /usr/share/gdb/python/session.py

import os.path

def gettargetname():
    target = gdb.execute("info target", False, True).strip()
    target = target.splitlines()

    if len(target) > 2 and target[1].count("Local") > 0:
        name = target[2].strip().split(',')[0]
        name = os.path.basename(name.replace("`", "").replace("'", ""))
        return name
    return None


class SessionManager(gdb.Command):
    """Save and Loads gdb Sessions
    session save - saves session
    session load - loads session"""

    def __init__(self):
        super(SessionManager, self).__init__("session", gdb.COMMAND_SUPPORT)
        print "[+] Registered command 'session'"
    
    def save(self):
        name = gettargetname()
        breakpoints = gdb.breakpoints()
        if not breakpoints:
            return

        print "[*] write to %s.gdbsession" % name
        gdb.execute("save breakpoints %s.gdbsession" % name)
        print "done"


    def invoke(self, arg, from_tty):
        if arg == "save":
            self.save()
        elif arg == "load":
            name = gettargetname()
            gdb.execute("source %s.gdbsession" % name)
        else:
            print "Invalid argument. see 'help session' for details"
SessionManager()

Now you can add the following lines to your .gdbinit

source session.py
session load

define hook-quit
    session save
end

Have fun with automated breakpoint saving/loading :-)

Greetz,
bluec0re

How to git svn dcommit with uncommited changes

If you want to send your commits to a svn backend, you can do this with:

> git svn dcommit

Sometimes git ends with the error messge 'file.xy: needs update'. This happens if you have uncommited changes in your working directory. But often you won't commit these changes to the repository yet. A workaround would be the following:

> git stash
> git stash list # if you want to check the stashed changes
> git svn rebase # get the remote changes
> git svn dcommit
> git stash apply
> git stash drop # clean up the stash list if everything went fine

A shortcut for stash apply + stash drop also exists:

> git stash pop

I created a shortcut for this:

> git alias.svn-update '!git stash && git svn rebase && git stash pop'
> git svn-update