The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,860 other subscribers

Archive for the ‘bash’ Category

« Previous Entries
Next Entries »

5 days after the exploit publication of snowcra5h/CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent

Posted by jpluimers on 2023/07/26

TL;DR is at the bottom (;

5 days ago this exploit development got published: [Wayback/Archive] snowcra5h/CVE-2023-38408: CVE-2023-38408 Remote Code Execution in OpenSSH’s forwarded ssh-agent.

It is about [Wayback/Archive] NVD – CVE-2023-38408 which there at NIST isn’t rated (yet?), neither at [Wayback/Archive] CVE-2023-38408 : The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remot.

However at [Wayback/Archive] CVE-2023-38408- Red Hat Customer Portal it scores 7.3 and [Wayback/Archive] CVE-2023-38408 | SUSE it did get a rating of 7.5, so since I mainly use OpenSuSE I wondered what to do as the CVE is formulated densely at [Wayback/Archive] www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt: it mentions Alice, but no Bob or Mallory (see Alice and Bob – Wikipedia).

Luckily, others readly already did the fine reading and emphasised the important bits, especially at [Wayback/Archive] RCE Vulnerability in OpenSSH’s SSH-Agent Forwarding: CVE-2023-38408 (note that instead of Alex, they actually mean Alice)

“A system administrator (Alice) runs SSH-agent on her local workstation, connects to a remote server with ssh, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making her SSH-agent (which is running on her local workstation) reachable from the remote server.”

According to researchers from Qualys, a remote attacker who has control of the host, which Alex has connected to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via her forwarded SSH-agent if it is compiled with ENABLE_PKCS11, which is the default).

The vulnerability lies in how SSH-agent handles forwarded shared libraries. When SSH-agent is compiled with ENABLE_PKCS11 (the default configuration), it forwards shared libraries from the user’s local workstation to the remote server. These libraries are loaded (dlopen()) and immediately unloaded (dlclose()) on the user’s workstation. The problem arises because certain shared libraries have side effects when loaded and unloaded, which can be exploited by an attacker who gains access to the remote server where SSH-agent is forwarded to.

Mitigations for the SSH-Agent Forwarding RCE Vulnerability

Read the rest of this entry »

Posted in *nix, *nix-tools, bash, bash, Communications Development, Development, Internet protocol suite, OpenSSH, Power User, PowerShell, Scripting, Security, Software Development, SSH | Leave a Comment »

Figuring out the open network connections for processes ran by python

Posted by jpluimers on 2023/07/11

TL;DR:

pidof python | tr " " "\n" | xargs -r -n 1 lsof -i -a -e /run/user/1001/gvfs -p

Breakdown:

  • Getting the process IDs of any python process using pidof (most of my systems do not have pgrep installed):
    # pidof python
26128 12583
  • Given the above list is space separated, and xargs prefers line separated, lets replace spaces with newlines (I showed this before in Source: firewalld: show interfaces with their zone details and show zones in use):
    # pidof python | tr " " "\n"
26128
12583
  • By default, xargs squashes all input on one line:
    # pidof python | tr " " "\n" | xargs echo
26128 12583
  • To work around that, you can either use the -L 1 or -n 1 argument to keep them on separate lines:
    # pidof python | tr " " "\n" | xargs -L 1 echo
26128
12583
# pidof python | tr " " "\n" | xargs -n 1 echo
26128
12583
  • Now lsof can not only show open files, but also IP sockets (-i), and *only* those (-a), for a specific process ID (-p #). So by having the -p as last argument, xargs will append the process ID after it:
    # pidof python | tr " " "\n" | xargs -n 1 lsof -i -a -p
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1001/gvfs
      Output information may be incomplete.
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1001/gvfs
      Output information may be incomplete.
COMMAND   PID    USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
python  12583 jeroenp    7u  IPv4 8347396      0t0  TCP 192.168.124.38:54576->192.168.124.23:1012 (ESTABLISHED)
python  12583 jeroenp    8u  IPv4 8345460      0t0  TCP 192.168.124.38:48250->192.168.124.23:http (CLOSE_WAIT)
  • The lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1001/gvfs is a warning not easy to workaround in a short manner as per [Wayback/Archive] privileges – lsof: WARNING: can’t stat() fuse.gvfsd-fuse file system – Unix & Linux Stack Exchange (thanks [Wayback/Archive] pabouk  and [Wayback/Archive] jmunsch):

    In your case lsof does not need to check the GVFS file systems so you can exclude the stat() calls on them using the -e option (or you can just ignore the waring):

    lsof -e /run/user/1000/gvfs

    (via: [Wayback/Archive] lsof: WARNING: can’t stat() fuse.gvfsd-fuse file system /run/user/1001/gvfs – Google Search)

    So you get this:

    # pidof python | tr " " "\n" | xargs -n 1 lsof -i -a -e /run/user/1001/gvfs -p
COMMAND   PID    USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
python  12583 jeroenp    7u  IPv4 8347396      0t0  TCP 192.168.124.38:54576->192.168.124.23:1012 (ESTABLISHED)
python  12583 jeroenp    8u  IPv4 8345460      0t0  TCP 192.168.124.38:48250->192.168.124.23:http (CLOSE_WAIT)
  • When there are no process IDs, you do not want to run lsof, and xargs has an argument just for that: -r, see my earlier post Source: -r argument to pipe (no argument for MacOS)- If no input is given to xargs, don’t let xargs run the utility – Unix & Linux Stack Exchange, so you get this
    # pidof python | tr " " "\n" | xargs -r -n 1 lsof -i -a -e /run/user/1001/gvfs -p

Via:

–jeroen

Posted in *nix, *nix-tools, bash, bash, Development, lsof, Power User, Scripting, Software Development, xargs | Leave a Comment »

Windows “equivalents” for bash backticks in cmd and PowerShell

Posted by jpluimers on 2023/05/17

A while ago, I needed the file information of wsl.exe on one of my Windows systems.

On Linux, I would do something like file `which bash` where file will give the file details and which gets you the full path to bash.

The file equivalent on Windows for me is [Wayback/Archive] Sigcheck – Windows Sysinternals | Microsoft Docs, which is part of [Wayback/Archive] File and Disk Utilities – Windows Sysinternals | Microsoft Docs.

The which equivalent on Windows for me is [Wayback/Archive] where | Microsoft Docs.

Read the rest of this entry »

Posted in bash, Batch-Files, CommandLine, Development, PowerShell, PowerShell, Scripting, Software Development | 1 Comment »

xxd examples of big/little/middle endianness (thanks @jilles_com!)

Posted by jpluimers on 2023/04/18

Cool one-liner program via [Archive] Jilles🏳️‍🌈 (@jilles_com) / Twitter:

for s in 0123456789ABCDEF 172.16.0.254 Passwd:admin;do echo -en "Big    Endian: $s\nMiddle Endian: ";echo -n $s|xxd -e -g 4 | xxd -r;echo -en "\nLittle Endian: ";echo -n $s|xxd -e -g 2 | xxd -r;echo -en "\nReversed     : ";echo -n $s|xxd -p -c1 | tac | xxd -p -r;echo -e "\n";done

Note that the hex are bytes, not nibbles, so the endianness is OK:

Image

Big Endian: 0123456789ABCDEF
Middle Endian: 32107654BA98FEDC
Little Endian: 1032547698BADCFE
Reversed : FEDCBA9876543210

Big Endian: 172.16.0.254
Middle Endian: .2710.61452.
Little Endian: 71.2610.2.45
Reversed : 452.0.61.271

Big Endian: Passwd:admin
Middle Endian: ssaPa:dwnimd
Little Endian: aPssdwa:mdni
Reversed : nimda:dwssaP

That nibble/byte thing confused me at first (as I associate hexadecimal output with hex dumps, where each hexadecimal character represents a nibble)) so here are some interesting messages from the thread that Jilles_com started:

Some related man pages:

–jeroen

Posted in *nix, *nix-tools, bash, Development, Power User, Scripting, Software Development, xxd | Leave a Comment »

llamasoft/polyshell: A Bash/Batch/PowerShell polyglot!

Posted by jpluimers on 2023/03/16

PolyShell is a script that’s simultaneously valid in Bash, Windows Batch, and PowerShell (i.e. a polyglot).

[Wayback/Archive] llamasoft/polyshell: A Bash/Batch/PowerShell polyglot!

Need to check this out, as often I have scripts that have to go from one language to the other or vice versa.

Maybe it enables one language to bootstrap functionality in the other?

The quest

The above polyglot started with a quest to see if I can could include some PowerShell statements in a batch file with two goals:

  1. if the batch file started from the PowerShell command prompt, then execute the PowerShell code
  2. if the batch file started from the cmd.exe command prompt, then have it start PowerShell with the same command-line arguments

The reasoning is simple:

  1. PowerShell scripts will start from the PATH only when PowerShell is already running
  2. Batch files start from the path when either cmd.exe or PowerShell are running

Lots of users still live in the cmd.exe world, but PowerShell scripts are way more powerful, and since PowerShell is integrated in Windows since version 7, so having a batch file bootstrap PowerShell still makes sense.

Since my guess was about quoting parameters the right way, my initial search for the link below was [Wayback/Archive] powershell execute statement from batch file quoting – Google Search.

I have dug not yet into this, so there are still…

Many links to read

These should give me a good idea how to implement a polyglot batch file/PowerShell script.

–jeroen

Posted in *nix, *nix-tools, bash, bash, Batch-Files, Development, JavaScript/ECMAScript, Perl, Polyglot, Power User, PowerShell, Scripting, Software Development | Leave a Comment »

linux – Newline-separated xargs – Server Fault

Posted by jpluimers on 2023/03/07

A long time ago, on just one system, I forgot which one, I needed explicit [Wayback/Archive] linux – Newline-separated xargs – Server Fault.

The simple solution was to replace the newline with null before running xargs:

tr '\n' '\0'

The clean solution was to install [Wayback/Archive] gnu xargs:

GNU xargs (default on Linux; install findutils from MacPorts on OS X to get it) supports [Wayback/Archive] -d which lets you specify a custom delimiter for input, so you can do

ls *foo | xargs -d '\n' -P4 foo

–jeroen

Posted in *nix, *nix-tools, bash, Development, Power User, Scripting, Software Development, xargs | Leave a Comment »

On my list of *n*x things to play with: script and ttyrec

Posted by jpluimers on 2023/01/26

Because of [Archive] PragmaticProgrammers on Twitter: “Helpful Unix trick: use script to log your session. …” / Twitter:

–jeroen

Read the rest of this entry »

Posted in *nix, *nix-tools, ash/dash, bash, bash, Batch-Files, Development, Power User, Scripting, Software Development | Leave a Comment »

Getting your public IP address from the command-line when http and https are blocked: use DNS

Posted by jpluimers on 2022/12/28

Years ago, I wrote Getting your public IP address from the command-line. All methods were http based, so were very easy to execute using cURL.

But then in autumn 2021, Chris Bensen wrote this cool little blog-post [Wayback/Archive] Chris Bensen: How do I find my router’s public IP Address from the command line?:

dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com

At first sight, I thought it was uncool, as the command was quite long and there was no explanation of the dig command trick.

But then, knowing that dig is a DNS client, it occurred to me: this perfectly works when http and https are disabled by your firewall, but the DNS protocol works and gives the correct result:

# dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com
"80.100.143.119"

This added the below commands and aliases to my tool chest for *nix based environments like Linux and MacOS (not sure yet about Windows yet :), but that still doesn’t explain why it worked. So I did some digging…

IPv4

  • command:
    dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com
  • command removing outer double quotes:
    dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs
  • alias:
    alias "whatismyipv4_dns=dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs"

IPv6

  • command:
    dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com
  • command removing outer double quotes:
    dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs
  • alias:
    alias "whatismyipv6_dns=dig -6 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs"

How it works

Let’s stick to dig and IPv4 as that not having IPv6 (regrettably still) is the most common situation today:

# dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com
"80.100.143.119"

What it does is request the DNS TXT record of o-o.myaddr.l.google.com from the Google DNS server ns1.google.com and returns the WAN IPv4 address used in the DNS request, which is for instance explained in [Wayback/Archive] What is the mechanics behind “dig TXT o-o.myaddr.l.google.com @ns1.google.com” : linuxadmin.

Since these are TXT records, dig will automatically double quote them, which xargs can remove (see below how and why):

# dig -4 TXT +short o-o.myaddr.l.google.com @ns1.google.com | xargs
80.100.143.119

The DNS query will fail when requesting the Google Public DNS servers 8.8.8.8 or 8.8.4.4:

# dig -4 TXT +short o-o.myaddr.l.google.com @8.8.8.8
"2a00:1450:4013:c1a::103"
"edns0-client-subnet 80.101.239.0/24"

Or, with quotes removed (the -L 1 ensures that xargs performs the quote-pair removal action on each line):

# dig -4 TXT +short o-o.myaddr.l.google.com @8.8.8.8 | xargs -L 1
2a00:1450:4013:c1a::103
edns0-client-subnet 80.101.239.0/24

This request is both slower than requesting the ns1.google.com server and wrong.

The reason is that only ns1.google.com understands the special o-o.myaddr.l.google.com hostname which instructs it to return the IP address of the requesting dig DNS client.

That 8.8.8.8 returns a different IP address and an additional edns0-client-subnet with less accurate information is explained in an answer to [Wayback/Archive] linux – Getting the WAN IP: difference between HTTP and DNS – Stack Overflow by [Wayback/Archive] argaz referring to this cool post: [Wayback/Archive] Which CDNs support edns-client-subnet? – CDN Planet.

Not just ns1.google.com: any DNS server serving the google.com domain

Since o-o.myaddr.l.google.com is part of the google.com domain, the above works for any DNS server serving the google.com domain (more on that domain: [Wayback/Archive] General DNS overview  |  Google Cloud).

Getting the list of DNS servers is similar to getting the list of MX servers which I explained in Getting the IP addresses of gmail MX servers, replacing MX record type (main exchange) with the NS record type (name server) and the gmail.com domain with the google.com domain:

# dig @8.8.8.8 +short NS google.com
ns3.google.com.
ns1.google.com.
ns2.google.com.
ns4.google.com.

The ns1.google.com DNS server is a special one of the NS servers: it is the start of authority server, which you can query using the SOA record type that also gives slightly more details for this server:

# dig @8.8.8.8 +short SOA google.com
ns1.google.com. dns-admin.google.com. 410477869 900 900 1800 60

The difference between using NS and SOA records with dig are explained in the [Wayback] dns – How do I find the authoritative name-server for a domain name? – Stack Overflow answer by [Wayback/Archive] bortzmeyer who also explains how to help figuring out SOA and NS discrepancies (note to self: check out the check_soa tool originally by Michael Fuhr (I could not find recent content of him, so he might have passed away) of which source code is now at [Wayback/Archive] Net-DNS/check_soa at master · NLnetLabs/Net-DNS).

So this works splendid as well using ns4.google.com on my test system:

# dig -4 TXT +short o-o.myaddr.l.google.com @ns4.google.com | xargs
80.100.143.119

The xargs removes outer quotes removal trick

[Wayback/Archive] string – Shell script – remove first and last quote (“) from a variable – Stack Overflow (thanks quite anonymous [Wayback/Archive] user1587520):

> echo '"quoted"' | xargs
quoted

xargs uses echo as the default command if no command is provided and strips quotes from the input.

More on https versus DNS requests

Some notes are in [Wayback/Archive] How to get public IP address from Linux shell, but note the telnet trick now fails as myip.gelma.net is gone (latest live version was archived in the Wayback Machine in august 2019).

Via

–jeroen

Posted in *nix, *nix-tools, Apple, bash, bash, Batch-Files, Communications Development, Development, DNS, Internet protocol suite, Linux, Mac, Mac OS X / OS X / MacOS, Power User, Scripting, Software Development, TCP | Leave a Comment »

Don’t fall for the golden hammer: avoid git empty commits, especially for kicking off parts of your CI/CD

Posted by jpluimers on 2022/08/16

A while back Kristian Köhntopp (isotopp) wrote a blog post after quite a Twitter argument where he poses against using git empty commits. I’m with Kris: don’t use them for anything, especially not for kicking off your CI/CD.

Basically his blog post is all about avoiding to think you have a golden hammer, and avoid falling for the Law of the instrument – Wikipedia.

Originally, Abraham Maslow said in 1966:

“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

For me this has all to do with preventing technical debt: find the right tool to kick your CI/CD pipeline after part of that chain somehow malfunctioned is way better than polluting the commit history with empty commits.

His blog post: [Wayback/Archive.is] Empty commits and other wrong tools for the job | Die wunderbare Welt von Isotopp

The most important bit in it:

And since we are talking about CI/CD pipelines: Don’t YAML them. Don’t JSON them. Don’t XML them.

Programming in any of these three is wrong use of tooling, and you should not do it.

  • YAML, JSON and XML are for declarative things.
  • Python, Go and Rust are for procedural things.
  • Bash is for interactive use only.

Use the proper tooling for the job. Be an engineer.

This very much reminds me of an Entwickler Konferenz keynote a long time ago, where Neal Ford made the point that most software engineers act very much unlike what is expected from traditional engineering way of operating where the engineer is both responsible and liable for his actions.

The start of the Twitter thread: [Archive.is] Kristian Köhntopp on Twitter: “A lot of people right now that git is an API and triggering CI/CD pipelines with empty commits replaces the equivalent of a Kubernetes controller for their fragile pile of bash in git triggers. This is broken and begets more brokenness. Evidence:… “

The tweet that started the subtweet: [Archive.is] Florian Haas on Twitter: “(For anyone wondering, what’s nice about this one is it works in any CI. So you don’t have to remember how to manually kick off a GitLab CI pipeline or GitHub Action or Zuul job, you just push an empty commit and off you go.)”

Other relevant tweets:

Yes, you want to avoid shell too (anything like for instance sh, ash, dash, bash or zsh), but you have to know it (and understand why to avoid it) as often it is the only interactive way to access systems from the console.

And of course Kris also wrote a big document on that too, which is available as full PDF (Wayback), full HTML (Wayback) and chaptered HTML Die UNIX Shell /bin/sh.

But more importantly, Kris wrote [Wayback/Archive.is] Using Python to bash | Die wunderbare Welt von Isotopp which is about using Python to do things you might be tempted to do in the shell. It quotes

Shell is a thing you want to understand and then not use, because you learned to understand it.

which is from the German post in thread [Wayback/Archive.is] Bashprogrammierung, wo gehts am besten los which quotes Kris’ 1998 message:

From kris Tue Sep 1 11:26:12 1998
From: kris
Newsgroups: de.comp.os.unix.misc
Subject: Re: Shell-Frage, find, xargs, kopieren von vielen Dateien
References: <6seh24$q9a$2...@nz12.rz.uni-karlsruhe.de>
From: kr...@koehntopp.de (Kristian Koehntopp)
Alignment: chaotic/neutral
X-Copyright: (C) Copyright 1987-1998 Kristian Koehntopp -- All rights
reserved.
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Marc.Hab...@gmx.de (Marc Haber) writes:
>mir ist das ganze Zeug mit der Shell, find, xargs und Konsorten noch
>reichlich verschlüsselt.

http://www.koehntopp.de/kris/artikel/unix/shellprogrammierung/

>xargs hin oder sollte ich besser ein Perlskript schreiben?

Verwende Perl. Shell will man koennen, dann aber nicht verwenden.

Kristian

–jeroen

Posted in *nix, *nix-tools, ash/dash, ash/dash development, bash, bash, Conference Topics, Conferences, Continuous Integration, Development, DVCS - Distributed Version Control, Event, git, Power User, Scripting, sh, Sh Shell, Software Development, Source Code Management, Technical Debt | Leave a Comment »

How can you export the Visual Studio Code extension list? (via: Stack Overflow)

Posted by jpluimers on 2022/06/16

Adapted from [Archive.is] How can you export the Visual Studio Code extension list? – Stack Overflow, presuming that code is on the PATH:

  1. From the command-line interface on MacOS, Linux, BSD or on Windows with git installed:
    code --list-extensions | xargs -L 1 echo code --install-extension
  2. From the command-line interface on MacOS, Linux, BSD or on Windows without git installed:
    code --list-extensions | % { "code --install-extension $_" }

    or, as I think, more clearly (see also [WayBack] syntax – What does “%” (percent) do in PowerShell? – Stack Overflow):

    code --list-extensions | foreach { "code --install-extension $_" }

    or even more explanatory:

    code --list-extensions | ForEach-Object { "code --install-extension $_" }
  3. From the command-line interface on Windows as a plain cmd.exe command:
    @for /f %l in ('code --list-extensions') do @echo code --install-extension %l
  4. On Windows as a plain cmd.exe batch file (in a .bat/.cmd script):
    @for /f %%l in ('code --list-extensions') do @echo code --install-extension %%l
  5. The above two on Windows can also be done using PowerShell:
    PowerShell -Command "code --list-extensions | % { """""code --install-extension $_""""" }"

    Note that here too, the % can be expanded into foreach or ForEach-Object for clarity.

All of the above prepend “code --install-extension ” (note the trailing space) before each installed Visual Studio Code extension.

They all give you a list like this which you can execute on any machine having Visual Studio Code installed and its code on the PATH, and a working internet connection:

code --install-extension DavidAnson.vscode-markdownlint
code --install-extension ms-vscode.powershell
code --install-extension yzhang.markdown-all-in-onex

(This is about the minimum install for me to edit markdown documents and do useful things with PowerShell).

Of course you can pipe these to a text-file script to execute them later on.

The double-quote escaping is based on [Wayback/Archive.is] How to escape PowerShell double quotes from a .bat file – Stack Overflow:

you need to escape the " on the command line, inside a double quoted string. From my testing, the only thing that seems to work is quadruple double quotes """" inside the quoted parameter:

powershell.exe -command "echo '""""X""""'"

Via: [Archive.is] how to save your visual studio code extension list – Google Search

--jeroen

Posted in *nix, *nix-tools, .NET, bash, Batch-Files, CommandLine, Console (command prompt window), Development, Mac OS X / OS X / MacOS, Power User, PowerShell, PowerShell, Software Development, Visual Studio and tools, vscode Visual Studio Code, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Development, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, WSL Windows Subsystem for Linux, xargs | Leave a Comment »

« Previous Entries
Next Entries »