The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘PowerShell’ Category

5 days after the exploit publication of snowcra5h/CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent

Posted by jpluimers on 2023/07/26

TL;DR is at the bottom (;

5 days ago this exploit development was published: [Wayback/Archive] snowcra5h/CVE-2023-38408: CVE-2023-38408 Remote Code Execution in OpenSSH’s forwarded ssh-agent.

It is about [Wayback/Archive] NVD – CVE-2023-38408, which at NIST isn’t rated (yet?), nor at [Wayback/Archive] CVE-2023-38408 : The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remot.

However, at [Wayback/Archive] CVE-2023-38408- Red Hat Customer Portal it scores 7.3 and at [Wayback/Archive] CVE-2023-38408 | SUSE it got a rating of 7.5. Since I mainly use OpenSuSE, I wondered what to do, as the CVE is formulated densely at [Wayback/Archive] www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt: it mentions Alice, but no Bob or Mallory (see Alice and Bob – Wikipedia).

Luckily, others already did the fine reading and emphasised the important bits, especially at [Wayback/Archive] RCE Vulnerability in OpenSSH’s SSH-Agent Forwarding: CVE-2023-38408 (note that where they write Alex, they actually mean Alice):

“A system administrator (Alice) runs SSH-agent on her local workstation, connects to a remote server with ssh, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making her SSH-agent (which is running on her local workstation) reachable from the remote server.”

According to researchers from Qualys, a remote attacker who has control of the host, which Alex has connected to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via her forwarded SSH-agent if it is compiled with ENABLE_PKCS11, which is the default).

The vulnerability lies in how SSH-agent handles forwarded shared libraries. When SSH-agent is compiled with ENABLE_PKCS11 (the default configuration), it forwards shared libraries from the user’s local workstation to the remote server. These libraries are loaded (dlopen()) and immediately unloaded (dlclose()) on the user’s workstation. The problem arises because certain shared libraries have side effects when loaded and unloaded, which can be exploited by an attacker who gains access to the remote server where SSH-agent is forwarded to.

Mitigations for the SSH-Agent Forwarding RCE Vulnerability


Posted in *nix, *nix-tools, bash, Communications Development, Development, Internet protocol suite, OpenSSH, Power User, PowerShell, Scripting, Security, Software Development, SSH

Windows “equivalents” for bash backticks in cmd and PowerShell

Posted by jpluimers on 2023/05/17

A while ago, I needed the file information of wsl.exe on one of my Windows systems.

On Linux, I would do something like file `which bash`, where file gives the file details and which gets you the full path to bash.

The file equivalent on Windows for me is [Wayback/Archive] Sigcheck – Windows Sysinternals | Microsoft Docs, which is part of [Wayback/Archive] File and Disk Utilities – Windows Sysinternals | Microsoft Docs.

The which equivalent on Windows for me is [Wayback/Archive] where | Microsoft Docs.
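The same `file` + `which` combination in PowerShell, as an added example that is not from the post: Get-Command resolves the name through the PATH, and the resolved path is passed on as an argument. It assumes Sysinternals sigcheck.exe is on the PATH; the fallback uses only built-in cmdlets. The function name is my own.

```powershell
# Added example: PowerShell counterpart of   file `which wsl.exe`
function Get-CommandFileInfo {
    param([Parameter(Mandatory)][string]$CommandName)

    # `which` equivalent: resolve the executable through the PATH
    $cmd  = Get-Command -Name $CommandName -CommandType Application -ErrorAction Stop |
            Select-Object -First 1
    $path = $cmd.Source

    $sigcheck = Get-Command -Name sigcheck.exe -CommandType Application -ErrorAction SilentlyContinue
    if ($sigcheck) {
        # `file` equivalent: sigcheck prints version, publisher and signature details.
        # Passing $path here is the backtick equivalent: the resolved path becomes the argument.
        & $sigcheck.Source -nobanner -accepteula $path
        return
    }

    # Fallback without Sysinternals: version resource plus Authenticode signature status
    $item = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path        = $path
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
        Signature   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject
    }
}

# The binary from the post
Get-CommandFileInfo -CommandName wsl.exe
```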


Posted in bash, Batch-Files, CommandLine, Development, PowerShell, Scripting, Software Development

Restart Windows explorer with a UAC administrator token

Posted by jpluimers on 2023/05/10

Sometimes, you want to restart the Windows explorer. This is already an exceptional case, which you do when explorer hangs (for instance when taskbar icons do not respond any more) or has locked files that need to be modified. I described the latter in Inno Setup: Program Folder not showing up In Start > All Programs, with this very simple restart script:

taskkill /F /IM explorer.exe
start explorer

Even more exceptional is wanting to run explorer with a UAC elevated administrative token. I sometimes do this when moving around files of other users on the same computer without having them logged on (as that would lock the files or directories to be moved).

The risk of running explorer under UAC elevation is that any program you start from it will also start UAC elevated, so beware what you ask for…

This is how you start explorer under UAC elevation:

pwsh.exe -nol -noni -nop -w hidden -c "taskkill /f /im explorer.exe; start explorer -v runas -a /nouaccheck"

or if you run an older Windows version of PowerShell:

PowerShell.exe -nol -noni -nop -w hidden -c "taskkill /f /im explorer.exe; start explorer -v runas -a /nouaccheck"
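The two one-liners above wrapped in a function, as an added example that is not the post's own script: it reports whether the current shell is already elevated (which decides whether a UAC prompt appears) and gives you the same function for going back to a normal token afterwards. Function names are my own.

```powershell
# Added example: restart explorer with or without an elevated token
function Test-Elevated {
    # True when this PowerShell session already runs with an administrator token
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Restart-Explorer {
    [CmdletBinding()]
    param([switch]$Elevated)

    # Equivalent of  taskkill /F /IM explorer.exe
    Get-Process -Name explorer -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Milliseconds 500

    if ($Elevated) {
        if (-not (Test-Elevated)) { Write-Verbose 'Not elevated yet: expect a UAC prompt' }
        # Equivalent of  start explorer -v runas -a /nouaccheck  from the post:
        # -Verb RunAs requests the elevated token, /nouaccheck is passed through as in the post
        Start-Process -FilePath explorer.exe -Verb RunAs -ArgumentList '/nouaccheck'
    } else {
        # Plain restart; run this from a non-elevated prompt when you are done,
        # so programs launched from explorer stop inheriting the elevated token
        Start-Process -FilePath explorer.exe
    }
}

Restart-Explorer -Elevated -Verbose
```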

These command-line options and verbs are used:

Time to explain a few:


Posted in Batch-Files, CommandLine, Development, Power User, PowerShell, Scripting, Software Development, Windows, Windows 10, Windows 11, Windows 7, Windows 8.1

Eight Dollars – Chrome Web Store: see who fell for the twitter blue scam

Posted by jpluimers on 2023/04/03

[Wayback/Archive] Eight Dollars – Chrome Web Store

It’s available for other browsers too (Brave, Firefox, Edge, Opera; Safari should become supported too), and more importantly: it is open source as well at [Wayback/Archive] wseagar/eight-dollars: A browser extension that shows twitter blue vs real verified users.

Via [Wayback/Archive] Alan Neilan on Twitter: “@IanColdwater pssst check out”.

jeroen


Posted in CSS, Development, HTML, JavaScript/ECMAScript, PowerShell, Scripting, Software Development, Web Development

llamasoft/polyshell: A Bash/Batch/PowerShell polyglot!

Posted by jpluimers on 2023/03/16

PolyShell is a script that’s simultaneously valid in Bash, Windows Batch, and PowerShell (i.e. a polyglot).

[Wayback/Archive] llamasoft/polyshell: A Bash/Batch/PowerShell polyglot!

I need to check this out, as I often have scripts that have to go from one language to the other or vice versa.

Maybe it enables one language to bootstrap functionality in the other?

The quest

I got to the above polyglot through a quest to see if I could include some PowerShell statements in a batch file, with two goals:

  1. if the batch file started from the PowerShell command prompt, then execute the PowerShell code
  2. if the batch file started from the cmd.exe command prompt, then have it start PowerShell with the same command-line arguments

The reasoning is simple:

  1. PowerShell scripts start from the PATH only when PowerShell is already running
  2. Batch files start from the PATH when either cmd.exe or PowerShell is running

Lots of users still live in the cmd.exe world, but PowerShell scripts are way more powerful, and since PowerShell has been integrated in Windows since version 7, having a batch file bootstrap PowerShell still makes sense.

Since my guess was about quoting parameters the right way, my initial search for the link below was [Wayback/Archive] powershell execute statement from batch file quoting – Google Search.

I have not yet dug into this, so there are still…

Many links to read

These should give me a good idea how to implement a polyglot batch file/PowerShell script.

–jeroen

Posted in *nix, *nix-tools, bash, Batch-Files, Development, JavaScript/ECMAScript, Perl, Polyglot, Power User, PowerShell, Scripting, Software Development

PowerShell: working around Get-NetFirewallRule not showing all the fields that Set-NetFirewallRule allows you to set

Posted by jpluimers on 2022/10/26

With APIs, you always hope that Get and Set methods mirror each other. More often than not, they don’t.

Take for instance these two:

They are far from symmetric: [Wayback/Archive] Get-NetFirewallRule shows far less than [Wayback/Archive] Set-NetFirewallRule allows you to set (first and foremost the various port related properties). It can be worked around though.

There are a few posts discussing this, of which I think these two are the most important:

Both above posts via [Wayback/Archive] “Get-NetFirewallRule” “LocalPort” – Google Search.

This is what I was after:

PowerShell "Get-NetFirewallRule -Name 'RemoteDesktop-UserMode-In-TCP' | Select-Object Name,DisplayName,Enabled,Direction,@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},Action,@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}"
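The calculated-property trick above generalised, as an added example that is not from the post: each rule is joined with its port, address and application filter objects, so the fields that Get-NetFirewallRule alone hides show up in one object. It assumes the NetSecurity module (Windows 8 / Server 2012 and later); the function name is my own.

```powershell
# Added example: one object per firewall rule, including the port-related fields
function Get-FirewallRuleDetail {
    [CmdletBinding()]
    param(
        # Wildcards are allowed, as with Get-NetFirewallRule -Name
        [string]$Name = '*'
    )

    foreach ($rule in Get-NetFirewallRule -Name $Name) {
        # Each filter cmdlet takes the rule from the pipeline, like Get-NetFirewallPortFilter above
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter

        [pscustomobject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Enabled       = $rule.Enabled
            Direction     = $rule.Direction
            Action        = $rule.Action
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = @($port.LocalPort) -join ','
            RemotePort    = @($port.RemotePort) -join ','
            RemoteAddress = @($addr.RemoteAddress) -join ','
            Program       = $app.Program
        }
    }
}

# The rule from the post, now with the port fields
Get-FirewallRuleDetail -Name 'RemoteDesktop-UserMode-In-TCP' | Format-List

# Audit view: every enabled inbound Allow rule and what it opens (slow on hosts with many rules)
Get-FirewallRuleDetail |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Sort-Object Protocol, LocalPort |
    Format-Table Name, Profile, Protocol, LocalPort, RemoteAddress, Program -AutoSize
```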

Or actually:


Posted in CommandLine, Development, Power User, PowerShell, Remote Desktop Protocol/MSTSC/Terminal Services, Scripting, Software Development, Windows

In some countries @archiveis redirects its domains using HTTP 302, which can cause trouble with multi-WAN

Posted by jpluimers on 2022/08/12

From [Wayback] Archive.is blog — Why has the URL “archive-li” changed to…:

Why has the URL “archive-li” changed to “archive-ph”, and will this affect saved bookmarks at any time in the future?

Anonymous

This is temporary and only for some countries. All 7 domains work, so you do not need to change the bookmarks.

In The Netherlands, all Archive Today domains redirect to archive.ph using an HTTP 302 redirect.

This caused trouble at my home location, but not at my brother’s, so I searched for local issues.

In the end, it was because I have dual WAN with network load balancing at home.

TL;DR

Modifying the routing table so traffic for 54.37.18.234 goes to WAN1 was my solution.

Finding the destination address


Posted in .NET, Development, Hardware, Network-and-equipment, Power User, PowerShell, routers, Scripting, Software Development

Hardware MAC address formats (which I need for Wake-on-LAN.ps1)

Posted by jpluimers on 2022/07/06

Early June, I blogged about Wake-on-LAN from a Windows machine.

My plan was to adopt [Wayback/Archive.is] Wake.ps1 into Wake-on-LAN.ps1 (as naming is important).

One of the goals was to support multiple hardware MAC address formats, especially as Wake.ps1 had the below comment: it did support the AA-BB-CC-DD-EE-FF format, but not the AA:BB:CC:DD:EE:FF hardware MAC address format:

<#
...
.NOTES
Make sure the MAC addresses supplied don't contain "-" or ".".
#>

A colon separated hardware MAC address would result in this error inside the call to the [Wayback/Archive.is] PhysicalAddress.Parse Method (System.Net.NetworkInformation) | Microsoft Docs:

Send-Packet : Exception calling "Parse" with "1" argument(s): "An invalid physical address was specified."

So I did some digging, starting inside the above mentioned blog post, and adding more:

  1. Wake.ps1 uses the [Wayback/Archive.is] Parse method in the [Wayback/Archive.is] PhysicalAddress.cs source code in C# .NET, which contains code like this:
                //has dashes? 
                if (address.IndexOf('-') >= 0 ){ 
                    hasDashes = true;
                    buffer = new byte[(address.Length+1)/3]; 
                }
  2. The Perl script at [Wayback/Archive.is] wakeonlan/wakeonlan at master · jpoliv/wakeonlan that started my first blog post in this series which mentions:
    • xx:xx:xx:xx:xx:xx (canonical)
    • xx-xx-xx-xx-xx-xx (Windows)
    • xxxxxx-xxxxxx (Hewlett-Packard switches)
    • xxxxxxxxxxxx (Intel Landesk)

    I should rename the first one IEEE 802, as per this:

  3. The MAC address: Notational conventions – Wikipedia

    The standard (IEEE 802) format for printing EUI-48 addresses in human-friendly form is six groups of two hexadecimal digits, separated by hyphens (-) in transmission order (e.g. 01-23-45-67-89-AB). This form is also commonly used for EUI-64 (e.g. 01-23-45-67-89-AB-CD-EF).[2] Other conventions include six groups of two hexadecimal digits separated by colons (:) (e.g. 01:23:45:67:89:AB), and three groups of four hexadecimal digits separated by dots (.) (e.g. 0123.4567.89AB); again in transmission order.[30]

    The latter is used by Cisco (see for instance [Wayback/Archive.is] Cisco DCNM Security Configuration Guide, Release 4.0 – Configuring MAC ACLs [Support] – Cisco and [Wayback/Archive.is] Cisco IOS LAN Switching Command Reference – mac address-group through revision [Support] – Cisco), so another format to add:

    • xxxx.xxxx.xxxx (Cisco)
  4. [Wayback/Archive.is] PhysicalAddress.Parse Method (System.Net.NetworkInformation) | Microsoft Docs remarks:

    The address parameter must contain a string that can only consist of numbers and letters as hexadecimal digits. Some examples of string formats that are acceptable are as follows:

    • 001122334455
    • 00-11-22-33-44-55
    • 0011.2233.4455
    • 00:11:22:33:44:55
    • F0-E1-D2-C3-B4-A5
    • f0-e1-d2-c3-b4-a5

    Use the GetAddressBytes method to retrieve the address from an existing PhysicalAddress instance.

  5. After a bit more digging via [Wayback/Archive.is] “three groups of four hexadecimal digits separated by dots” – Google Search, I found that even more hardware MAC address formats are in use, as per [Wayback/Archive.is] What are the various standard and industry practice ways to express a 48-bit MAC address? – Network Engineering Stack Exchange.

    I really do not have all the sources for the various representations for 48-bit MAC addresses, but I have seen them variously used:

    AA-BB-CC-DD-EE-FF
    AA.BB.CC.DD.EE.FF
    AA:BB:CC:DD:EE:FF
    AAA-BBB-CCC-DDD
    AAA.BBB.CCC.DDD
    AAA:BBB:CCC:DDD
    AAAA-BBBB-CCCC
    AAAA.BBBB.CCCC
    AAAA:BBBB:CCCC
    AAAAAA-BBBBBB
    AAAAAA.BBBBBB
    AAAAAA:BBBBBB

From the last list, which is far more complete than the others, I recognise quite a few from tools I used in the past, but I too forgot the actual sources, so I took the full list from there and tried to name them in parentheses based on the links I found above and what I remembered:

  • AABBCCDDEEFF (Bare / Landesk)
  • AA-BB-CC-DD-EE-FF (IEEE 802 / Windows)
  • AA.BB.CC.DD.EE.FF (???)
  • AA:BB:CC:DD:EE:FF (Linux / BSD / MacOS)
  • AAA-BBB-CCC-DDD (???)
  • AAA.BBB.CCC.DDD (Cisco?)
  • AAA:BBB:CCC:DDD (???)
  • AAAA-BBBB-CCCC (???)
  • AAAA.BBBB.CCCC (Cisco / Brocade)
  • AAAA:BBBB:CCCC (???)
  • AAAAAA-BBBBBB (Hewlett-Packard networking)
  • AAAAAA.BBBBBB (???)
  • AAAAAA:BBBBBB (???)
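A parser for every notation in the list above, as an added example that is not the Wake.ps1 or Wake-on-LAN.ps1 code from the post: it reduces any of the groupings to 6 bytes (rejecting mixed separators and wrong digit counts, the cases where PhysicalAddress.Parse threw above) and prints them back in the named conventions. Both function names and the sample addresses are my own.

```powershell
# Added example: parse the MAC address notations listed above and format them back
function ConvertTo-MacAddressBytes {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$MacAddress)

    $text = $MacAddress.Trim()
    # Only '-', ':' and '.' count as separators, and only one kind per address
    $separators = @([regex]::Matches($text, '[-:.]') | ForEach-Object { $_.Value } | Select-Object -Unique)
    if ($separators.Count -gt 1) { throw "Mixed separators in '$MacAddress'" }
    $groups = if ($separators.Count -eq 1) { $text.Split($separators[0]) } else { @($text) }

    # Groups must be equal in size (2, 3, 4, 6 or 12 hex digits) and add up to 12 digits, so
    # AA-BB-CC-DD-EE-FF, AAA.BBB.CCC.DDD, AAAA.BBBB.CCCC, AAAAAA-BBBBBB and AABBCCDDEEFF all pass
    $size = $groups[0].Length
    if ($size -notin @(2, 3, 4, 6, 12)) { throw "Unsupported grouping in '$MacAddress'" }
    foreach ($group in $groups) {
        if ($group.Length -ne $size -or $group -notmatch '^[0-9A-Fa-f]+$') {
            throw "Invalid group '$group' in '$MacAddress'"
        }
    }
    $hex = -join $groups
    if ($hex.Length -ne 12) { throw "Expected 12 hex digits in '$MacAddress', got $($hex.Length)" }

    $bytes = New-Object byte[] 6
    for ($i = 0; $i -lt 6; $i++) {
        $bytes[$i] = [Convert]::ToByte($hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Format-MacAddress {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [ValidateSet('IEEE802', 'Unix', 'Cisco', 'HP', 'Bare')][string]$Style = 'IEEE802'
    )
    $pairs = $Bytes | ForEach-Object { '{0:X2}' -f $_ }
    $hex   = -join $pairs
    switch ($Style) {
        'IEEE802' { $pairs -join '-' }                                                        # AA-BB-CC-DD-EE-FF
        'Unix'    { $pairs -join ':' }                                                        # AA:BB:CC:DD:EE:FF
        'Cisco'   { @($hex.Substring(0, 4), $hex.Substring(4, 4), $hex.Substring(8, 4)) -join '.' }  # AAAA.BBBB.CCCC
        'HP'      { @($hex.Substring(0, 6), $hex.Substring(6, 6)) -join '-' }                 # AAAAAA-BBBBBB
        'Bare'    { $hex }                                                                    # AABBCCDDEEFF
    }
}

# Constructed sample inputs: one address written in five of the notations above
foreach ($sample in '00:11:22:33:44:55', '00-11-22-33-44-55', '0011.2233.4455', '001122-334455', '001122334455') {
    $bytes = ConvertTo-MacAddressBytes -MacAddress $sample
    '{0,-18} -> {1}' -f $sample, (Format-MacAddress -Bytes $bytes -Style Unix)
}
```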

Some additional links beyond the ones above:

–jeroen

Posted in .NET, CommandLine, Development, Encoding, HEX encoding, Network-and-equipment, Power User, PowerShell, Scripting, Software Development

PowerShell code formatting, coding style and style guides: some links and elaboration

Posted by jpluimers on 2022/07/05

I started doing occasional PowerShell “work” long before Visual Studio Code came along with its [Wayback] PowerShell Extension.

Back then, my tool of choice was PowerGUI: Settling on PowerGUI for PowerShell development. Before that it was PowerShell ISE.

Since then, I fiddled around a bit with Visual Studio Code, but not much. Then I got treated for rectal cancer, and when writing this, I’m back to Visual Studio Code with the PowerShell Extension and already figured out a lot has improved.

One of the things is code formatting. Some 7 years ago, none of this was set in stone. Now it is, so it is important to adhere to it.

I already posted Code Layout and Formatting: Indentation · PowerShell Practice and Style last year, so now it is good to repeat the link in it and add some more.

For my link archive:


Posted in Development, PowerShell, Scripting, Software Development, Technical Debt

chocolatey-community/chocolatey-test-environment: A testing setup related to how the Chocolatey Package Verifier runs testing. Used for manual testing or prior to submission

Posted by jpluimers on 2022/06/29

On my list of things to play around with: [Wayback/Archive.is] chocolatey-community/chocolatey-test-environment: A testing setup related to how the Chocolatey Package Verifier runs testing. Used for manual testing or prior to submission

It is sort of a standalone version of the [Wayback] Chocolatey Software Docs | Package Verifier Moderation Service that you can use to check Chocolatey packages that you develop or modify.

From the github repository README:

Requirements

You need a computer with:

  • a 64-bit processor and OS
  • Intel VT-x enabled (usually not an issue if your computer is newer than 2011). This is necessary because we are using 64bit VMs.
  • Hyper-V may need to be disabled for Virtualbox to work properly if your computer is a Windows box. NOTE: This may actually not be required.
  • At least 10GB of free space.

Setup

To get started, ensure you have the following installed:

  • Vagrant 1.8.1+ – linked clones is the huge reason here. You can technically use any version of Vagrant 1.3.5+. But you will get the best performance with 1.8.x+. It appears you can go up to Vagrant 2.1.5, but may have some issues with 2.2.2 and Windows guests (newer versions may be fine).
  • Virtualbox 4.3.28+ – 6.1.6 (this flows in the selection of Vagrant – 5.2.22 seems to have some issues but newer versions may work fine)
  • vagrant sahara plugin (vagrant plugin install sahara)

NOTE: If you decide to run with version 1.8.1 of Vagrant, you are going to need to set the VAGRANT_SERVER_URL environment variable as described in this forum post, otherwise, you will get an HTTP 404 error when attempting to download the base vagrant box used here.

Related: people wanting to do a similar thing for Linux: [Archive.is] chocolatey/choco: Has anyone ever tried to set up virtual box with linux (e.g. ubuntu) for choco testing ? – Gitter

Yes, it should work for choco new, choco pack, and choco push, running on mono.
[Wayback/Archive.is] https://github.com/chocolatey/choco/runs/3660684196?check_suite_focus=true

There is also a dockerfile available here:
[Wayback/Archive.is] https://github.com/chocolatey/choco/tree/develop/docker

However, as @AdmiringWorm said, there are not any official builds or official support at this time.

In my own private fork of choco however I’m using such interfaces as RestartManager

    //https://docs.microsoft.com/en-us/windows/win32/api/restartmanager/nf-restartmanager-rmstartsession
    [DllImport("rstrtmgr.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern int RmStartSession(out uint pSessionHandle,
                                     int dwSessionFlags,
                                     string strSessionKey);

    //https://docs.microsoft.com/en-us/windows/win32/api/restartmanager/nf-restartmanager-rmendsession
    [DllImport("rstrtmgr.dll", SetLastError = true)]
    static extern int RmEndSession(uint pSessionHandle);

    //https://docs.microsoft.com/en-us/windows/win32/api/restartmanager/nf-restartmanager-rmgetlist
    [DllImport("rstrtmgr.dll", SetLastError = true)]
    static extern int RmGetList(uint dwSessionHandle,
                                out uint pnProcInfoNeeded,
                                ref uint pnProcInfo,
                                [In, Out] ProcessInfo[] rgAffectedApps,
                                ref uint lpdwRebootReasons);

those will be windows specific indeed, but I’ll reach them later on.

Tarmo Pikaro

–jeroen

Posted in .NET, Chocolatey, CommandLine, Development, Power User, PowerShell, Scripting, Software Development, Windows