Posts by Henry 8 20 publicly visible posts • joined 24 Jan 2013
The watchTowr writeup at https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/ has the exploit details.
1. Set an HTTP header of "X-Pan-Authcheck: off" which basically turns off authentication (!!)
2. Specify user=`$myEvilCommand` (yes, backticks...) which gets expanded via a PHP call that passes $user straight through to a shell (!!!!)
Words fail me.
The Qualys post everyone is linking to says "The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. " which seems to have been widely misinterpreted (in every report I've seen on this issue) as "this is a bug in Ubuntu Server"
> Passing the input through the SHA-256 algorithm can mitigate this, she said.
Unless your sha256'ed password happens to end up starting with a null, in which case you're in for a world of pain : https://blog.ircmaxell.com/2015/03/security-issue-combining-bcrypt-with.html
Summary: your bcrypt implementation perhaps uses null-terminated strings to know when to stop, as is traditional. Hashing algorithims like sha256 can end up returning a raw byte string, and so a sha256 hash might end up starting with a null byte. Thus, re-hashing the hash might mean you're really calling bcrypt(\0MySuperSecretPasswordHash) might be functionally equivalent to bcrypt(\0MyTotallyDifferentPasswordHash), or indeed just bcrypt(\0)
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7494048/ describes the standards to follow when naming human genes. I quote from the section on replacing problematic nomenclature : "symbols that affect data handling and retrieval, e.g. all symbols that auto-converted to dates in Microsoft Excel have been changed (SEPT1 is now SEPTIN1; MARCH1 is now MARCHF1 etc);"
Bad guess. The README (which has now been updated) explicltly told users to run the command "pip install $WRONG_PACKAGE". FWIW it looks like the reason for installing the $WRONG_PACKAGE was just to facilitate downloading some data files, and this has now been replaced with a simple "git clone" command.
The Google-provided analytics.js that is downloaded with this story (along with pretty much every webpage we all visit...) is 52kB, so over twice as big as Elite. I know which of those two products I think has brought more value to the world.
(yes I know my browser probably caches analytics.js and doesn't redownload it on every page I browse to, but that's not the point)
The comment about email addresses is not strictly true. The domain part (after the @) is case-insensitive, but the local part (before the @) "MUST be interpreted and assigned semantics only by the host specified in the domain part of the address" (RFC 5321). Whilst in practice many mail servers will handle the local part in a case-insensitive manner, one shouldn't rely on that behaviour.
"the core College IT systems and data and file storage were backed up on a different location of the same storage unit"
I'm sorry, but whatever organisational problems might also have been at play in the sorry episode, any sysadmin who thinks that copying data to the "same storage unit" can in any way count as a backup is incompetent.
One just has to register for distribution rights, once, for free. Took me about 2 minutes to fill in the form and get an automatic response. Yes, it's mildly annoying that they're taking away the old enterprise download links, but it's not difficult to use the replacement - I've been doing so for months.
I haven't done a full comparison of the available features, but the "send email when there's a new tweet" thing sounds awfully like what one can already do (totally for free) on ifttt.com ("If this, then that"). That site also has a great many recipes that others have already written if one wants to copy something to get started.
The statement "probability of data loss to 1 in over 2 million years when properly monitored and maintained" sounds rather fishy to me. What are the chances that they've taken "failure rate for a single disk" and just multiplied that up N times, assuming that all failures are independent? Even if you declare lightning strikes and earthquakes as outside the calculation, disks that are hosted in the same environment, and which were probably all made in the same production run, don't have independent failure rates.
So the article says that this technique doesn't work on keypads with metal keys. Well fair enough, but I've used a far lower-tech solution to bypass keypads (er, obviously, only to get in to areas where I *should* have had access but didn't have the code to hand...). Just look for the keys that have the slightly greasy residue from people's fingers - far easier, cheaper and lower-tech than thermal imaging cameras!
I agree that sysadmins should remember to include VoIP in their assessment of network security etc. However, I'm afraid I'm always going to be sceptical of a company-produced "study" which essentially ends in an advert where they tell you that the same company just so happens to sell a product which can help solve $problem_covered_in_report
I would be rather surprised if Dell were actually paying someone to sit for 10 minutes in front of a computer and hit "next". For the Windows machines I look after, I tick a box, and Firefox will automatically install on a computer of my choice. And for the case of the Dell website, the customer has already ticked the box for them!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
