 | Mike Verhagen on geerlingguy/my-backup-plan: Ho… |
 | Attila Kovacs on docs.embarcadero.com unreachab… |
 | David Blue on MacOS: converting a man page t… |
 | jpluimers on How do I pretty-print JSON in… |
| jpluimers on Delphi 10.2 Tokyo Godzilla ISO… |
Posted by jpluimers on 2011/12/30
It took me a bit of searching to find this out, as the Windows RDP clients switched over to “/admin” for this a long time ago:
with the Mac RDC client, you can connect to a servers console by adding “/CONSOLE” to the end of the computer name
–jeroen
via MacUpdate: Member Profile – Nate Silva.
Posted in Apple, Mac OS X 10.5 Leopard, Mac OS X 10.6 Snow Leopard, Mac OS X 10.7 Lion, Power User | Leave a Comment »
Posted by jpluimers on 2011/12/29
In addition to the ASP.NET hash collision Denial of Service attack, Microsoft patches 3 more vulnerabilities resulting in an Aggregate Severity Rating that is Critical.
This is a summary of the vulnerabilities. Please read the full MS11-100 bulletin for more details and how to download and install the patches.
| Vulnerability Severity Rating | Maximum Security Impact | Affected Software | CVE ID |
| Important | Denial of Service | Collisions in HashTable May Cause DoS Vulnerability | CVE-2011-3414 |
| N/A or Moderate | N/A or Spoofing | Insecure Redirect in .NET Form Authentication Vulnerability | CVE-2011-3415 |
| Critical | Elevation of Privilege | ASP.Net Forms Authentication Bypass Vulnerability | CVE-2011-3416 |
| Important | Elevation of Privilege | ASP.NET Forms Authentication Ticket Caching Vulnerability | CVE-2011-3417 |
The CVE-2011-3415 is N/A in .NET 1.1, and Moderate in all other .NET versions.
–jeroen
Posted in .NET, ASP.NET, C#, Development, Software Development, VB.NET, Visual Studio and tools | Tagged: denial of service attack, dos vulnerability, hash collision, microsoft patches, microsoft security bulletin, severity rating | Leave a Comment »
Posted by jpluimers on 2011/12/29
When writing my Patch your ASP.NET servers ASAP early this morning, I didn’t have time to research the full extend of the vulnerabilities published at 28C3 (slides, mp4), though a small bell was ringing a message that I had seen something like it before earlier this century.
I was right, this posting on perlmonks direct me to a /. posting in 2003 pointing me to the research paper on low-bandwidth attacks based on hash collisions (pdf version) that I had seen before. Perl 5.8.1 fixed it September 2003 (search for “hash” in that link).
The attack can be used for DoS because a normal distributed hash table insert of n elements will be running O(n), but a carefully crafted insert of those elements will run O(n^2).
Carefully crafting a worst case scenario depends on how well you can predict collisions in the underlying hash table implementation, which – apparently – is not too difficult, and requires little bandwidth.
Many platforms and languages are vulnerable (already archived at the WayBack machine), including those based on Java, Tomcat, .NET, Ruby, PHP and more in greater or lesser extent. I have the impression that the list only includes big names, but presume platforms based on smaller names (ASP, Delphi, Objective C) are equally vulnerable.
Just read the articles on CERT 903934, oCERT 2011-003, Arstechnica, Cryptanalysis.eu, Heise (German), Hackillusion and the research paper published at 28C3.
a few quotes:
“This attack is mostly independent of the underlying Web application and just relies on a common fact of how Web application servers typically work,” the team wrote, noting that such attacks would force Web application servers “to use 99% of CPU for several minutes to hours for a single HTTP request.”
“Prior to going public, Klink and Wälde contacted vendors and developer groups such as PHP, Oracle, Python, Ruby, Google, and Microsoft. The researchers noted that the Ruby security team and Tomcat have already released fixes, and that “Oracle has decided there is nothing that needs to be fixed within Java itself, but will release an updated version of Glassfish in a future CPU (critical patch update).”
“The algorithmic complexity of inserting n elements into the
table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request”“We show that PHP 5, Java, ASP.NET as well as v8 are fully vulnerable to this issue and PHP 4,
Python and Ruby are partially vulnerable, depending on version or whether the server
running the code is a 32 bit or 64 bit machine.”
Microsoft seems to have been notified pretty late in the cycle, I presume because the researchers started with a some platforms and finally realized the breath of platforms involved.
The ultimate solution is to patch/fix the platforms using for instance a randomized hash function a.k.a. universal hashing.
Microsoft will provide a patch for ASP.NET later today, Ruby already patched and other vendors will soon or have already (please comment if you know of other platforms and patches).
The links this morning indicated there were no known attacks. That is (maybe was) true for ASP.NET, but for PHP a public proof of concept of such a DoS is has been published by Krzysztof Kotowicz (blog) with sources at github and a demo html page.
Temporary workarounds (based on the some of the links in this and the prior blog post, and the workarounds mentioned here and here):
Some platforms already have applied temporary workarounds (I know of Tomcat (default max 10000 parameters), and PHP (default max_input_vars = 1000) did, and looks like the ASP.NET fix will do too).
Other platforms (like JRuby 1.6.5.1, CRuby 1.8.7 (comments) and Perl 5.8.1 in September 2003 ) fixed it the proper way.
Note: workarounds are temporary measures that will also deny legitimate requests. The only solution is to apply a fix or patch.
A major lesson learned today for a few people around me: when vendors start publishing “out of band” updates, do not trust a single 3rd party assessment with state “initial investigation”, but be diligent and do some further research.
–jeroen
PS: Just found out that most Azure users won’t need to manually apply a fix: just make sure your Hosted Service OS servicing policy is set to “Auto”.
Posted in .NET, ASP.NET, C#, Cloud Development, Delphi, Development, Java, PHP, Ruby, Scripting, Software Development, Web Development, Windows Azure | 6 Comments »
Posted by jpluimers on 2011/12/29
Quotes:
The security update we are releasing resolves a publicly disclosed Denial of Service issue present in all versions of ASP.NET. We’re currently unaware of any attacks on ASP.NET customers using this exploit, but we strongly encourage customers to deploy the update as soon as possible.
Attacks such as these are not specific to any particular language or operating system. Presenters at the security conference discussed how to cause them using standard HTTP form posts against several different web frameworks (including ASP.NET). Because these attacks on web frameworks can create Denial of Service issues with relatively few HTTP requests, there is a high likelihood of attacks happening using this approach. We strongly encourage customers to deploy the update as soon as possible.
The security update we are releasing on Thursday, December 29th updates ASP.NET so that attackers can no longer perform these attacks. The security update does not require any code or application changes.
During the 28e Chaos Communication Congress in Germany, on December 28, 2011 a security vulnerability was showed that potentially can DOS many types of web servers (including ASP.NET) with a carefully crafted 100 kilobyte plain HTTP form post request.
Information on the ASP.NET vulnerability was published by Microsoft on December 27, 2011.
ASP.NET on all supported .NET versions (1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5 SP1, 4.0) on all supported Windows versions (XP, Server 2003 and R2, Vista, 7, Server 2008 and R2) are affected.
Since the vulnerability as being very severe, Microsoft will publish an out of band fix today (December 29, 2011) at around 10 AM Pacific time (during winter, this 1800 UTC) on Windows Update, Windows Server Update and the Microsoft Download Center followed 3 hours later by a webcast at 01 PM Pacific time (2100 UTC).
More about about 28C3 in German.
–jeroen
via: ASP.NET Security Update Shipping Thursday, Dec 29th – ScottGu’s Blog.
Posted in .NET, ASP.NET, Development, Software Development | 1 Comment »
Posted by jpluimers on 2011/12/29
Sometimes you want to parse commandline arguments in batch files starting at the last one.
For parsing them left to right, the shift command comes in handy.
But there is no “shift-reverse” command, so you need some trick.
StackOverflow to the rescue: user Joey provides this really nice answer:
The easiest and perhaps most reliable way would be to just use cmds own parsing for arguments and shift then until no more are there.Since this destroys the use of %1, etc. you can do it in a subroutine
@echo off
call :lastarg %*
echo Last argument: %LAST_ARG%
goto :eof
:lastarg
set "LAST_ARG=%~1"
shift if not "%~1"=="" goto :lastarg
goto :eof
:eof
–jeroen
via: Get last command line argument in windows batch file – Stack Overflow.
Posted in Batch-Files, Development, Power User, Scripting, Software Development | Leave a Comment »
The Wiert Corner - irregular stream of stuff 