The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,262 other subscribers

Archive for the ‘Communications Development’ Category

« Previous Entries

Guess the maximum DNS Response Size… (by Jan Schaumann)

Posted by jpluimers on 2023/12/26

Every once in a while Jan Schaumann writes a long Twitter thread and saves it in a blog post. Always good ways to learn. This time it was no different: [Wayback/Archive] DNS Response Size started with

Read the rest of this entry »

Posted in Communications Development, Development, DNS, Internet, Internet protocol suite, IPv4, IPv6, Power User, TCP, tcpdump, UDP, Wireshark | Leave a Comment »

Hello “SMTP Smuggling” information released days before the Holiday season to open source SMTP server teams

Posted by jpluimers on 2023/12/24

Jan Wildeboer was mad for good reasons, though the open source projects didn’t yet seem to publicly have show their real madness, just bits like [Wayback/Archive] oss-security – Re: Re: New SMTP smuggling attack:

I'm a little confused by sec-consult's process here. They identify a
problem affecting various pieces of software including some very widely
deployed open source software, go to the trouble of doing a coordinated
disclosure, but only do that with...looking at their timeline... gmx,
microsoft and cisco?

“SMTP Smuggling” is bad, and big open source SMTP server projects like exim, postfix and sendmail needed to assess and fix/prevent the issue on very short notice: effectively confronting them with a zero-day less than a week between the information got released and the Holiday season.

That gives “deploy on Fridays” a totally different dimension.

How bad? Well, it already managed to reach this Newline – Wikipedia entry:

The standard Internet Message Format[26] for email states: “CR and LF MUST only occur together as CRLF; they MUST NOT appear independently in the body”. Differences between SMTP implementations in how they treat bare LF and/or bare CF characters have led to so-called SMTP smuggling attacks[27].

The crux of the problem is very well described by the “Postfix: SMTP Smuggling” link below: recommended reading, and the middle of [Wayback/Archive] SMTP Smuggling – Spoofing Emails Worldwide | Hacker News

TLDR: In the SMTP protocol, the end of the payload (email message) is indicated by a line consisting of a single dot. The line endings normally have to be CRLF, but some MTAs also accept just LF before and/or after the dot. This allows SMTP commands that follow an LF-delimited dot line to be “tunneled” through a first MTA (which requires CRLF and thus considers the commands to be part of the email message) to a second MTA (which accepts LF and thus processes the commands as real commands). For the second MTA, the commands appear to come from the first MTA, hence this allows sending any email that the first MTA is authorized to send. That is, emails from arbitrary senders under the domains associated with the first MTA can be spoofed.

Here are some links to keep you busy the next hours/days/weeks:

And the toots linking to background information:

Read the rest of this entry »

Posted in *nix, *nix-tools, Communications Development, Development, exim mail, Internet protocol suite, postfix, Power User, Python, Scripting, sendmail, SMTP, Software Development | Leave a Comment »

Some threadreaderapp URLs

Posted by jpluimers on 2023/09/14

For my link archive so I can better automate archiving Tweet threads using bookmarklets written in JavaScript:

The base will likely be this:

javascript:void(open(`https://archive.is/?run=1&url=${encodeURIComponent(document.location)}`))

which for now I have modified into this:

javascript:void(open(`https://threadreaderapp.com/search?q=${document.location}`))

It works perfectly fine without URL encoding and demonstrates the JavaScript backtick feature for template literals for which you can find documentation at [WayBack/Archive] Template literals – JavaScript | MDN.

Read the rest of this entry »

Posted in *nix, *nix-tools, bash, bash, Bookmarklet, Communications Development, cURL, Development, HTTP, https, Internet protocol suite, Power User, Scripting, Security, Software Development, TCP, Web Browsers | Leave a Comment »

Email Handling and vBulletin Cloud – vBulletin Community Forum

Posted by jpluimers on 2023/08/25

For my link archive: [Wayback/Archive] Email Handling and vBulletin Cloud – vBulletin Community Forum.

  • Asking your end users to white list your email address and the Sendgrid IP (167.89.58.99) can help alleviate the issues.

I didn’t know the above but bumped into an issue because I didn’t know a supplier had moved to vBulletin Cloud, my account password stopped being accepted and my account password reset messages would not arrive.

So I wrote this as part of a mail to sort this out, and it was confirmed to be correct:

Then I re-checked a few connection refusals that appeared close to the password reset tries. Not sure if this a pattern, but a few of them had this:
2022-02-20T19:41:42.999415+01:00 snap sendmail[24314]: NOQUEUE: connect from o1678958x99.outbound-mail.sendgrid.net [167.89.58.99]
2022-02-20T19:41:43.015958+01:00 snap sendmail[24314]: NOQUEUE: dns 99.58.89.167.bl.spamcop.net. => 127.0.0.2
2022-02-20T19:41:43.016442+01:00 snap sendmail[24314]: ruleset=check_relay, arg1=o1678958x99.outbound-mail.sendgrid.net, arg2=127.0.0.2, relay=o1678958x99.outbound-mail.sendgrid.net [167.89.58.99], reject=553 5.3.0 Spam blocked see: http://spamcop.net/bl.shtml?167.89.58.99
2022-02-20T19:42:29.527789+01:00 snap sendmail[23814]: 21KIeTfo023814: engine10.uptimerobot.com [69.162.124.231] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
From the linked page I got to https://www.spamcop.net/w3m?action=blcheck&ip=167.89.58.99 indicating

167.89.58.99 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 13 hours.

Causes of listing
  • System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Express-delisting is not available

Listing History

In the past 44.4 days, it has been listed 12 times for a total of 13.3 days

Can you check if the forum software uses sendgrid?

The confirmation linked to the first post in this blog entry on how to whitelist the SendGrid outgoing IP-address.

One thing I wonder: why does SendGrid use a single outgoing IP-address? If it gets blacklisted, many of their clients have problems.

Anyway: before adding the entry to my whitelist, the problem had resolved itself, and the blacklist entries were done:

Related: [Wayback/Archive] Forum Move – Scooter Forums

We’ve moved our forums to vBulletin Cloud.

New forum URL: https://forum.scootersoftware.com/

Links to the old forum will be redirected to the new URL.

If you notice any problems after the move, please let us know.

[Wayback/Archive] Forums – Scooter Forums

–jeroen

Posted in Communications Development, Development, eMail, GMail, Google, Internet protocol suite, Power User, SMTP, SocialMedia | Leave a Comment »

5 days after the exploit publication of snowcra5h/CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent

Posted by jpluimers on 2023/07/26

TL;DR is at the bottom (;

5 days ago this exploit development got published: [Wayback/Archive] snowcra5h/CVE-2023-38408: CVE-2023-38408 Remote Code Execution in OpenSSH’s forwarded ssh-agent.

It is about [Wayback/Archive] NVD – CVE-2023-38408 which there at NIST isn’t rated (yet?), neither at [Wayback/Archive] CVE-2023-38408 : The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remot.

However at [Wayback/Archive] CVE-2023-38408- Red Hat Customer Portal it scores 7.3 and [Wayback/Archive] CVE-2023-38408 | SUSE it did get a rating of 7.5, so since I mainly use OpenSuSE I wondered what to do as the CVE is formulated densely at [Wayback/Archive] www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt: it mentions Alice, but no Bob or Mallory (see Alice and Bob – Wikipedia).

Luckily, others readly already did the fine reading and emphasised the important bits, especially at [Wayback/Archive] RCE Vulnerability in OpenSSH’s SSH-Agent Forwarding: CVE-2023-38408 (note that instead of Alex, they actually mean Alice)

“A system administrator (Alice) runs SSH-agent on her local workstation, connects to a remote server with ssh, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making her SSH-agent (which is running on her local workstation) reachable from the remote server.”

According to researchers from Qualys, a remote attacker who has control of the host, which Alex has connected to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via her forwarded SSH-agent if it is compiled with ENABLE_PKCS11, which is the default).

The vulnerability lies in how SSH-agent handles forwarded shared libraries. When SSH-agent is compiled with ENABLE_PKCS11 (the default configuration), it forwards shared libraries from the user’s local workstation to the remote server. These libraries are loaded (dlopen()) and immediately unloaded (dlclose()) on the user’s workstation. The problem arises because certain shared libraries have side effects when loaded and unloaded, which can be exploited by an attacker who gains access to the remote server where SSH-agent is forwarded to.

Mitigations for the SSH-Agent Forwarding RCE Vulnerability

Read the rest of this entry »

Posted in *nix, *nix-tools, bash, bash, Communications Development, Development, Internet protocol suite, OpenSSH, Power User, PowerShell, Scripting, Security, Software Development, SSH | Leave a Comment »

« Previous Entries