Archive for the ‘Internet protocol suite’ Category
Guess the maximum DNS Response Size… (by Jan Schaumann)
Posted by jpluimers on 2023/12/26
Every once in a while Jan Schaumann writes a long Twitter thread and saves it in a blog post. Those are always good ways to learn. This time it was no different: [Wayback/Archive] DNS Response Size started with
Posted in Communications Development, Development, DNS, Internet, Internet protocol suite, IPv4, IPv6, Power User, TCP, tcpdump, UDP, Wireshark
Hello “SMTP Smuggling” information released days before the Holiday season to open source SMTP server teams
Posted by jpluimers on 2023/12/24
Jan Wildeboer was mad for good reasons, though the open source projects didn’t yet seem to have publicly shown their real madness, just bits like [Wayback/Archive] oss-security – Re: Re: New SMTP smuggling attack:
I'm a little confused by sec-consult's process here. They identify a problem affecting various pieces of software including some very widely deployed open source software, go to the trouble of doing a coordinated disclosure, but only do that with...looking at their timeline... gmx, microsoft and cisco?
“SMTP Smuggling” is bad, and big open source SMTP server projects like exim, postfix and sendmail had to assess and fix/prevent the issue on very short notice: effectively it confronted them with a zero-day, with less than a week between the release of the information and the Holiday season.
That gives “deploy on Fridays” a totally different dimension.
How bad? Well, it already managed to reach this Newline – Wikipedia entry:
The standard Internet Message Format[26] for email states: “CR and LF MUST only occur together as CRLF; they MUST NOT appear independently in the body”. Differences between SMTP implementations in how they treat bare LF and/or bare CR characters have led to so-called SMTP smuggling attacks[27].
The crux of the problem is very well described by the “Postfix: SMTP Smuggling” link below: recommended reading, and the middle of [Wayback/Archive] SMTP Smuggling – Spoofing Emails Worldwide | Hacker News
…
TLDR: In the SMTP protocol, the end of the payload (email message) is indicated by a line consisting of a single dot. The line endings normally have to be CRLF, but some MTAs also accept just LF before and/or after the dot. This allows SMTP commands that follow an LF-delimited dot line to be “tunneled” through a first MTA (which requires CRLF and thus considers the commands to be part of the email message) to a second MTA (which accepts LF and thus processes the commands as real commands). For the second MTA, the commands appear to come from the first MTA, hence this allows sending any email that the first MTA is authorized to send. That is, emails from arbitrary senders under the domains associated with the first MTA can be spoofed.
…
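To make the TL;DR above concrete, here is an added example (my own code, not from the Hacker News commenter, the Postfix write-up or any of the projects named here): it computes where a strict receiver (RFC 5321: only CRLF . CRLF ends DATA) and a lenient receiver (bare LF accepted before and/or after the dot) would each consider the message to end, and flags a payload on which the two disagree. That disagreement is exactly the condition a receiving MTA must reject rather than resolve by guessing; the simplest hardening, shown as the `action` field, is to refuse any payload containing a bare CR or LF at all. The sample payloads are constructed, not captured traffic.

```python
import re
from typing import Optional

# How a strict receiver (RFC 5321: only CRLF . CRLF ends DATA) and a lenient
# receiver (bare LF accepted before and/or after the dot) recognise the end
# of the message payload.
STRICT_EOD = re.compile(rb"\r\n\.\r\n")
LENIENT_EOD = re.compile(rb"(?:\r\n|\n)\.(?:\r\n|\n)")
# A CR not followed by LF, or an LF not preceded by CR: a "bare" newline.
BARE_NEWLINE = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def end_of_data(payload: bytes, pattern: re.Pattern) -> Optional[int]:
    """Offset in `payload` where a receiver using `pattern` ends DATA, or None.

    `payload` starts right after the 354 reply to DATA, so a dot line may be
    the very first line; CRLF is prepended so that case is matched as well.
    """
    m = pattern.search(b"\r\n" + payload)
    return None if m is None else max(m.start() - 2, 0)


def has_bare_newline(payload: bytes) -> bool:
    """True if the payload contains a CR or LF outside a CRLF pair."""
    return BARE_NEWLINE.search(payload) is not None


def classify(payload: bytes) -> dict:
    """Compare both interpretations and say what a hardened receiver should do.

    'ambiguous' means a strict and a lenient MTA would disagree on where the
    message ends, so everything after the lenient end would be parsed as SMTP
    commands by the lenient one. The safe response is to reject such payloads
    (minimally: anything with bare newlines) instead of picking one reading.
    """
    strict = end_of_data(payload, STRICT_EOD)
    lenient = end_of_data(payload, LENIENT_EOD)
    bare = has_bare_newline(payload)
    return {
        "strict_end": strict,
        "lenient_end": lenient,
        "verdict": "consistent" if strict == lenient else "ambiguous",
        "has_bare_newline": bare,
        "action": "reject" if bare else "accept",
    }


# Constructed samples, not captured traffic.
CLEAN = b"Subject: hello\r\n\r\nbody line\r\n.\r\n"
BARE_LF_DOT_LINE = (
    b"Subject: hello\r\n\r\nbody line\n.\n"
    b"(anything here is read as commands by a lenient MTA)\r\n.\r\n"
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("bare-LF dot line", BARE_LF_DOT_LINE)):
        print(name, classify(sample))
```

Note that a strict-only receiver is not automatically safe: it is the *combination* of a strict first hop (which treats the LF-delimited dot line as message body and relays it) and a lenient second hop that creates the problem, so the check belongs on the receiving side of every MTA.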
Here are some links to keep you busy the next hours/days/weeks:
- [Wayback/Archive] CVE-2023-51764 postfix
- [Wayback/Archive] CVE-2023-51765 sendmail
- [Wayback/Archive] CVE-2023-51766 exim
- [Wayback/Archive] hannob/smtpsmug
Script to help analyze mail servers for SMTP Smuggling vulnerabilities.
And the toots linking to background information:
Posted in *nix, *nix-tools, Communications Development, Development, exim mail, Internet protocol suite, postfix, Power User, Python, Scripting, sendmail, SMTP, Software Development
Some threadreaderapp URLs
Posted by jpluimers on 2023/09/14
For my link archive so I can better automate archiving Tweet threads using bookmarklets written in JavaScript:
- https://twitter.com/ThomasDamsko/status/1499996661535367169
- https://threadreaderapp.com/search?q=https://twitter.com/ThomasDamsko/status/1499996661535367169
HTTP-302 redirects to:
- https://threadreaderapp.com/thread/1499996661535367169.html
pressing refresh does a POST to:
- https://threadreaderapp.com/thread/1499996661535367169/refreshx
The base will likely be this:
javascript:void(open(`https://archive.is/?run=1&url=${encodeURIComponent(document.location)}`))
which for now I have modified into this:
javascript:void(open(`https://threadreaderapp.com/search?q=${document.location}`))
It works perfectly fine without URL encoding and demonstrates the JavaScript backtick feature for template literals, for which you can find documentation at [Wayback/Archive] Template literals – JavaScript | MDN.
Posted in *nix, *nix-tools, bash, Bookmarklet, Communications Development, cURL, Development, HTTP, https, Internet protocol suite, Power User, Scripting, Security, Software Development, TCP, Web Browsers
5 days after the exploit publication of snowcra5h/CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent
Posted by jpluimers on 2023/07/26
TL;DR is at the bottom (;
5 days ago this exploit development was published: [Wayback/Archive] snowcra5h/CVE-2023-38408: CVE-2023-38408 Remote Code Execution in OpenSSH’s forwarded ssh-agent.
It is about [Wayback/Archive] NVD – CVE-2023-38408, which at NIST isn’t rated (yet?), nor at [Wayback/Archive] CVE-2023-38408 : The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remot.
However, at [Wayback/Archive] CVE-2023-38408- Red Hat Customer Portal it scores 7.3 and at [Wayback/Archive] CVE-2023-38408 | SUSE it got a rating of 7.5, so since I mainly use OpenSuSE I wondered what to do, as the CVE text is formulated densely at [Wayback/Archive] www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt: it mentions Alice, but no Bob or Mallory (see Alice and Bob – Wikipedia).
Luckily, others already did the fine reading and emphasised the important bits, especially at [Wayback/Archive] RCE Vulnerability in OpenSSH’s SSH-Agent Forwarding: CVE-2023-38408 (note that where they write Alex, they actually mean Alice):
“A system administrator (Alice) runs SSH-agent on her local workstation, connects to a remote server with ssh, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making her SSH-agent (which is running on her local workstation) reachable from the remote server.”
According to researchers from Qualys, a remote attacker who has control of the host, which Alex has connected to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via her forwarded SSH-agent if it is compiled with ENABLE_PKCS11, which is the default).
The vulnerability lies in how SSH-agent handles forwarded shared libraries. When SSH-agent is compiled with ENABLE_PKCS11 (the default configuration), it forwards shared libraries from the user’s local workstation to the remote server. These libraries are loaded (dlopen()) and immediately unloaded (dlclose()) on the user’s workstation. The problem arises because certain shared libraries have side effects when loaded and unloaded, which can be exploited by an attacker who gains access to the remote server where SSH-agent is forwarded to.
Mitigations for the SSH-Agent Forwarding RCE Vulnerability
Posted in *nix, *nix-tools, bash, Communications Development, Development, Internet protocol suite, OpenSSH, Power User, PowerShell, Scripting, Security, Software Development, SSH
Looking for maintainer(s) for fritzcap (Python project that captures calls from a Fritz!Box)
Posted by jpluimers on 2023/07/12
Given my health uncertainty, I am looking for maintainers for the fritzcap project (it captures calls from a Fritz!Box modem/router and is written in Python).
History
The fritzcap project was originally started in 2007 by [Wayback/Archive] spongebob | IP Phone Forum, first as a binary fritzcap.exe Windows executable (see his first post at [Wayback/Archive] FritzBox: Tool für Etherreal Trace und Audiodaten-Extraktion | IP Phone Forum). In 2010 it became an open source Python project at [Wayback/Archive] Google Code Archive – Long-term storage for Google Code Project Hosting.
Posted in About, Audio, Cloud, Communications Development, Containers, Development, Docker, ffmpeg, Fritz!, Fritz!Box, fritzcap, Hardware, HTTP, Infrastructure, Internet protocol suite, Media, Network-and-equipment, Personal, Power User, Python, Scripting, Software Development, TCP
Different ways for installing Windows features on the command line – Peter Hahndorf
Posted by jpluimers on 2023/06/02
Of course you can configure Windows Optional Features using the GUI, as for instance explained at [Wayback/Archive] How to manage Windows 10’s many ‘optional features’ | Windows Central.
However, I prefer command-line management.
About the only post comparing the command-line management options I could find is [Wayback/Archive] Different ways for installing Windows features on the command line – Peter Hahndorf, which hopefully will be further updated in the future. It is dated 2015, but has been updated until at least Windows Server Nano.
I added one, and then rewrote the tool-set availability table in the post into this:
Posted in Communications Development, Development, Internet protocol suite, Microsoft Store, OpenSSH, Power User, SSH, TCP, Windows, Windows 10, Windows 11, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Vista
Some resources on CORS proxies
Posted by jpluimers on 2023/04/19
Having my background from before the web-development era, and having lived mostly in back-ends or client-server front-ends, I sometimes need to really dig into things in order to understand them better.
CORS is such a thing, so below are some links to get started. My main interest is CORS proxies, as they will force me to go deep and really get what is going on below the surface.
- Cross-origin resource sharing – Wikipedia
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
- [Wayback/Archive] Cross-Origin Resource Sharing (CORS) introductory article describing the basics and the various headers/responses involved.
- [Wayback/Archive] enable cross-origin resource sharing in depth site including loads of documentation references and a test front-end:
- [Wayback/Archive] blocked by CORS policy? CORS Proxy is Solution 😎 – DEV Community
- [Wayback/Archive] What are CORS proxies, and when are they safe? | HTTP Toolkit
- [Wayback/Archive] Cors proxies – gist with regularly updated list of proxies
- [Wayback/Archive] 10 Free to Use CORS Proxies | Nordic APIs
- [Wayback/Archive] bmpvieira/simple-corsproxy: Proxy to access resources that lack the Access-Control-Allow-Origin * header (last maintained in 2014)
- [Wayback/Archive] corihudson/crossorigin.me: A CORS proxy for everyone. (last maintained in 2018)
- [Wayback/Archive] martinkr/corsify: A tiny transparent proxy. The benefit: it adds the CORS-headers! Why? It prevents Cross Domain Errors. (maintained until at least 2021, maybe by now even more recently)
- [Wayback/Archive] Rob–W/cors-anywhere: CORS Anywhere is a NodeJS reverse proxy which adds CORS headers to the proxied request. (maintained until at least 2021, maybe by now even more recently)
- [Wayback/Archive] CORS Proxy API Documentation (joshirajesh448@gmail.com) | RapidAPI
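The HTTP Toolkit link above asks when a CORS proxy is safe; the short answer is that an open one (forward any URL, answer `Access-Control-Allow-Origin: *`) is also a proxy into whatever network it runs in. As an added example (my own code, not from any of the proxies listed here), this is a minimal CORS proxy on the Python standard library with the two allow-lists that make the difference: which browser origins may use it, and which upstream hosts it may fetch from. The origin, host names and port are hypothetical; the policy decision is kept in a pure function so it can be tested without a network.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import parse_qsl, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Policy assumed for this example (hypothetical names): which browser origins
# may use the proxy, and which upstream hosts it may fetch from.
ALLOWED_ORIGINS = {"https://app.example.test"}
ALLOWED_UPSTREAM_HOSTS = {"api.example.test"}
ALLOWED_METHODS = "GET, HEAD, OPTIONS"


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """CORS response headers for `origin`, or an empty dict if it is not allowed.

    The exact allowed origin is reflected (with Vary: Origin) rather than '*',
    so a shared cache never hands one origin's response to another origin.
    """
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ALLOWED_METHODS,
        "Access-Control-Allow-Headers": "Content-Type",
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",
    }


def upstream_allowed(url: str) -> bool:
    """Only https to an allow-listed host; http, file:, localhost and internal
    addresses are all refused, which is what separates this from an open proxy."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_UPSTREAM_HOSTS


def decide(method: str, origin: Optional[str], target: str) -> Tuple[int, Dict[str, str]]:
    """Status code and headers the proxy answers with, before any upstream fetch."""
    headers = cors_headers(origin)
    if not headers:
        return 403, {}
    if method == "OPTIONS":  # preflight: answered locally, upstream never contacted
        return 204, headers
    if not upstream_allowed(target):
        return 403, headers
    return 200, headers


class RefuseRedirects(HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following it;
    a redirect to a host outside the allow-list would otherwise bypass the check."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


class CorsProxyHandler(BaseHTTPRequestHandler):
    """Serves /?url=https://api.example.test/... with the headers decided above."""

    def _target(self) -> str:
        return dict(parse_qsl(urlsplit(self.path).query)).get("url", "")

    def _reply(self, status: int, headers: Dict[str, str], body: bytes = b"",
               content_type: Optional[str] = None) -> None:
        self.send_response(status)
        if content_type:
            self.send_header("Content-Type", content_type)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self) -> None:
        status, headers = decide("OPTIONS", self.headers.get("Origin"), self._target())
        self._reply(status, headers)

    def do_GET(self) -> None:
        target = self._target()
        status, headers = decide("GET", self.headers.get("Origin"), target)
        if status != 200:
            self._reply(status, headers)
            return
        try:
            with build_opener(RefuseRedirects()).open(
                    Request(target, headers={"Accept": "*/*"}), timeout=10) as upstream:
                body = upstream.read()
                content_type = upstream.headers.get("Content-Type", "application/octet-stream")
        except HTTPError as err:  # includes refused redirects
            self._reply(502, headers, str(err.code).encode(), "text/plain")
            return
        self._reply(200, headers, body, content_type)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), CorsProxyHandler).serve_forever()
```

Run it and point a page served from the allowed origin at `http://127.0.0.1:8080/?url=https://api.example.test/...`; a request from any other origin gets 403 without CORS headers, and a `url` outside the host allow-list gets 403 even from an allowed origin.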
Defunct CORS proxy sites:
- [Wayback/Archive] The domain name crossorigin.me is for sale / [Archive] crossorigin.me (@corsproxy) / Twitter
Used searches:
- [Wayback/Archive] corsify – Google Search
- [Wayback/Archive] “crossorigin.me” – Google Search
- [Wayback/Archive] cors proxy – Google Search
–jeroen
Posted in Communications Development, Development, HTTP, Internet protocol suite, REST, Software Development, TCP, Web Development
Installing Windows OpenSSH from the command-line on Windows 10 and 11
Posted by jpluimers on 2023/03/28
While writing On my reading list: Windows Console and PTY, I found out that OpenSSH had become available as an optional Windows feature.
It was in [Wayback/Archive.is] Windows Command-Line: Introducing the Windows Pseudo Console (ConPTY) | Windows Command Line:
Thankfully, OpenSSH was recently ported to Windows and added as a Windows 10 optional feature. PowerShell Core has also adopted ssh as one of its supported PowerShell Core Remoting protocols.
Here are a few links:
Posted in *nix, *nix-tools, Communications Development, ConPTY, Console (command prompt window), Development, Internet protocol suite, OpenSSH, Power User, SSH, ssh/sshd, TCP, Windows, Windows 10, Windows 11
Getting your public IP address from the command-line when http and https are blocked: use DNS
Posted by jpluimers on 2022/12/28
Years ago, I wrote Getting your public IP address from the command-line. All methods were http based, so they were very easy to execute using cURL.
But then in autumn 2021, Chris Bensen wrote this cool little blog-post [Wayback/Archive] Chris Bensen: How do I find my router’s public IP Address from the command line?:
dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com
At first sight, I thought it was uncool, as the command was quite long and there was no explanation of the dig command trick.
But then, knowing that dig is a DNS client, it occurred to me: this works perfectly when http and https are blocked by your firewall but the DNS protocol is allowed, and it gives the correct result:
# dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com
"80.100.143.119"
This added the commands and aliases below to my tool chest for *nix based environments like Linux and MacOS (not sure about Windows yet :), but that still doesn’t explain why it works. So I did some digging…
IPv4
- command:
  dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com
- command removing outer double quotes:
  dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs
- alias:
  alias "whatismyipv4_dns=dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs"
IPv6
- command:
  dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com
- command removing outer double quotes:
  dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs
- alias:
  alias "whatismyipv6_dns=dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs"
How it works
Let’s stick to dig and IPv4, as not having IPv6 (regrettably still) is the most common situation today:
# dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com
"80.100.143.119"
What it does is request the DNS TXT record of o-o.myaddr.l.google.com from the Google DNS server ns1.google.com, which returns the WAN IPv4 address the DNS request came from; this is for instance explained in [Wayback/Archive] What is the mechanics behind “dig TXT o-o.myaddr.l.google.com @ns1.google.com” : linuxadmin.
Since these are TXT records, dig will automatically double quote them, which xargs can remove (see below how and why):
# dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs
80.100.143.119
The DNS query will fail when requesting the Google Public DNS servers 8.8.8.8 or 8.8.4.4:
# dig -4 TXT +short o-o.myaddr.l.google.com @8.8.8.8
"2a00:1450:4013:c1a::103"
"edns0-client-subnet 80.101.239.0/24"
Or, with quotes removed (the -L 1 ensures that xargs performs the quote-pair removal action on each line):
# dig -4 TXT +short o-o.myaddr.l.google.com @8.8.8.8 | xargs -L 1
2a00:1450:4013:c1a::103
edns0-client-subnet 80.101.239.0/24
This request is both slower than requesting the ns1.google.com server and wrong.
The reason is that only ns1.google.com understands the special o-o.myaddr.l.google.com hostname which instructs it to return the IP address of the requesting dig DNS client.
That 8.8.8.8 returns a different IP address and an additional edns0-client-subnet with less accurate information is explained in an answer to [Wayback/Archive] linux – Getting the WAN IP: difference between HTTP and DNS – Stack Overflow by [Wayback/Archive] argaz referring to this cool post: [Wayback/Archive] Which CDNs support edns-client-subnet? – CDN Planet.
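To see what dig is actually doing on the wire, here is an added example (my own code, not from any of the posts linked here) that builds the TXT query for o-o.myaddr.l.google.com in DNS wire format, parses the TXT answers out of a response, and, for offline use, constructs the two kinds of replies shown above (the single address string from ns1.google.com, and the address plus edns0-client-subnet strings from 8.8.8.8; the values are the ones from my output above, embedded here as constructed test data). It also shows why the quotes appear: TXT rdata is a sequence of length-prefixed character-strings, which dig prints double-quoted and which the parser below returns bare, which is what the `| xargs` does at the shell. The `whatismyip_dns` function sends the real UDP query and needs network access; everything else runs offline.

```python
import random
import socket
import struct
from typing import List, Optional, Tuple

QNAME = "o-o.myaddr.l.google.com"
TYPE_TXT = 16
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_txt_query(name: str = QNAME, txid: Optional[int] = None) -> bytes:
    """Standard query with the RD bit set (dig's default; an authoritative
    server such as ns1.google.com ignores it)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_IN)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), end if jumped else off


def parse_txt_answers(msg: bytes) -> List[List[str]]:
    """Character-strings of each TXT answer RR, in order, without dig's quotes."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE_TXT:
            continue
        strings, p = [], 0
        while p < len(rdata):  # <length><bytes> ... <length><bytes>
            n = rdata[p]
            strings.append(rdata[p + 1:p + 1 + n].decode(errors="replace"))
            p += 1 + n
        answers.append(strings)
    return answers


def build_txt_response(query: bytes, txt_per_rr: List[List[str]]) -> bytes:
    """Constructed reply in the shape ns1.google.com or 8.8.8.8 would send."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(txt_per_rr), 0, 0)
    rrs = b""
    for strings in txt_per_rr:
        rdata = b"".join(struct.pack("B", len(s)) + s.encode() for s in strings)
        # 0xC00C: pointer to the question name at offset 12
        rrs += b"\xC0\x0C" + struct.pack(">HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + query[12:] + rrs


def whatismyip_dns(server: str = "ns1.google.com", family: int = socket.AF_INET,
                   timeout: float = 3.0) -> List[List[str]]:
    """Live equivalent of the dig command: UDP query to port 53, parsed answers."""
    query = build_txt_query()
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_txt_answers(data)


if __name__ == "__main__":
    print(whatismyip_dns())  # e.g. [['80.100.143.119']] on my test system
```

The transaction-id check at the end is the minimum a UDP client should do; dig also checks that the question section is echoed back. Pass `family=socket.AF_INET6` for the `-6` variant.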
Not just ns1.google.com: any DNS server serving the google.com domain
Since o-o.myaddr.l.google.com is part of the google.com domain, the above works for any DNS server serving the google.com domain (more on that domain: [Wayback/Archive] General DNS overview | Google Cloud).
Getting the list of DNS servers is similar to getting the list of MX servers, which I explained in Getting the IP addresses of gmail MX servers, replacing the MX record type (mail exchange) with the NS record type (name server) and the gmail.com domain with the google.com domain:
# dig @8.8.8.8 +short NS google.com
ns3.google.com.
ns1.google.com.
ns2.google.com.
ns4.google.com.
The ns1.google.com DNS server is a special one of the NS servers: it is the start of authority server, which you can query using the SOA record type that also gives slightly more details for this server:
# dig @8.8.8.8 +short SOA google.com
ns1.google.com. dns-admin.google.com. 410477869 900 900 1800 60
The difference between using NS and SOA records with dig is explained in the [Wayback] dns – How do I find the authoritative name-server for a domain name? – Stack Overflow answer by [Wayback/Archive] bortzmeyer, who also explains how to figure out SOA and NS discrepancies (note to self: check out the check_soa tool originally by Michael Fuhr (I could not find recent content by him, so he might have passed away), whose source code is now at [Wayback/Archive] Net-DNS/check_soa at master · NLnetLabs/Net-DNS).
So this works splendidly as well using ns4.google.com on my test system:
# dig -4 TXT +short o-o.myaddr.l.google.com @ns4.google.com | xargs
80.100.143.119
The xargs outer-quote-removal trick
[Wayback/Archive] string – Shell script – remove first and last quote (“) from a variable – Stack Overflow (thanks quite anonymous [Wayback/Archive] user1587520):
> echo '"quoted"' | xargs
quoted
xargs uses echo as the default command if no command is provided, and strips quotes from the input.
More on https versus DNS requests
Some notes are in [Wayback/Archive] How to get public IP address from Linux shell, but note that the telnet trick now fails as myip.gelma.net is gone (the latest live version was archived in the Wayback Machine in August 2019).
Via
- [Archive] Jeroen Wiert Pluimers on Twitter: “Hi @chrisbensen, I just saw … I use this alias: alias whatismyipv4='curl ipv4.whatismyip.akamai.com && echo' It’s quite a bit shorter than the dig construct in your post (;”
- [Wayback/Archive] Chris Bensen on Twitter: “I’ll edit the post tomorrow.… “
- [Archive] Jeroen Wiert Pluimers on Twitter: “I gave your post some more thought. The cool thing about your dig command is that it works when http traffic is blocked, and DNS traffic is allowed. That is an important point to make, as in some situations, this can actually be the case.… “
–jeroen
Posted in *nix, *nix-tools, Apple, bash, Batch-Files, Communications Development, Development, DNS, Internet protocol suite, Linux, Mac, Mac OS X / OS X / MacOS, Power User, Scripting, Software Development, TCP