In Part One we discovered an object that lets us execute arbitrary commands via unsafe handling of user input - the Alley room. Now we want to understand the blast radius of this issue. The first question to ask is, "What does the Alley control?"
Flags: TRUST STICKY VISUAL BATHROOM
Owner: 8BitMUSH Zone: NOTHING Coins: 0
Created: Sat Apr 28 13:14:31 2001
The help entry for
...continue reading "Back-Alley Hacking: 8Bit MUSH (Part Two)"
help control tells us that if the Alley has the
TRUST flag, it controls anything with the same owner that isn't set
WIZARD. As it turns out, the
8BitMUSH user owns a great deal of things throughout 8Bit.
Update: If you're looking for the secret conclusion to this series, you can find Part Three here. The password is the one-word name of Burger King's signature sandwich.
I created a MUSH called Parlor City in the beginning of 2019. This is an online, multi-player, text-based social game that uses a rudimentary code base for world-building.
Parlor City was opened after about 18 months of work, at which time I sought out another MUSH where I could gain some experience and a change of scenery. MUSH trackers suggest that there are roughly eight-hundred different MUSH-style games available, each with unique themes and styles.
I asked users of PennMUSH (an invaluable coding forum) if any particular crew was known to be hostile or disreputable. The answer came back: "The folks at 8Bit have been known to break MUSHes for fun." So that's what I wanted to join.
...continue reading "Back-Alley Hacking: 8Bit MUSH (Part One)"
I've always liked having the ability to view public webcams around the world. During the last hurricane, for example, there was a camera streaming from an oil rig a mile or more out to sea that let us see the strength of the storm before it made landfall.
Now that I'm a homeowner, I wanted to put a camera on our roof and stream the view from up there. I bought a weatherproof Amcrest IP8M-2597EW-28MM and dropped it through the soffit under our roof. The process of snaking the ethernet cord through an air duct up to the attic will not be covered here.
Amcrest cameras act as RTSP (real-time streaming protocol) servers that can be accessed on a specific port. This means that it's necessary to run an active RTSP client to consume the live feed.
...continue reading "Streaming an Amcrest Camera to YouTube"
I have slowly been working on a MUSH, which is an online, multi-player, text-based social game. The game Zork (1977) is probably the most popular game in this style, although it is not multi-player. I decided to use PennMUSH as the server distro since it seems to have the widest support.
MUSH servers open a raw TCP socket for incoming connections and most sessions occur over plaintext. There are a handful of MUSH clients that players can use but a simple TELNET connection also works. MUSH servers understand enough of the TELNET protocol to refuse option negotiation.
Rather than expose the MUSH server to the open internet, I decided to create restricted shell accounts for users and have them connect to the MUSH via
localhost instead. This drastically reduces the accessibility of the MUSH and would likely deter prospective players but it works for our current user base.
Despite the huge number of active MUDs on the internet, forcing users through SSH still seems safer than exposing the MUSH service. I'm using AWS security groups on the MUSH host to prevent external access to that port.
Note: After some testing, I have walked this back and decided to just open it to the internet after the initial release. Shell accounts will still be an option. See this page for some details.
...continue reading "MUSH and Restricted Shell"
In a previous article I described how to install and run the Port Scan Attack Detector (PSAD) on a Raspberry Pi. It is the closest thing to a full IDS that works on the Raspberry Pi and it's extremely easy to set up.
None of the existing visualization tools for PSAD data really met my needs, so I created a custom Python script that generates an HTML page from the live PSAD data.
The PSADify script is available here: PSADify on Github
You can see the actual data here: Live PSAD Attack Data
On my own host running PSAD, there is a cronjob that runs this script every five minutes and uploads the output to an AWS S3 bucket. If the local configuration or the settings on the AWS side would be useful to anyone, let me know!
...continue reading "PSADify – Custom PSAD Output Tool"
I have never gotten a full intrusion detection system (IDS) working correctly on a Raspberry Pi. The two most popular – Snort and Bro IDS – either have problems with their dependencies or the ARM architecture.
I recently came across PSAD – the Port Scan Attack Detector. It is essentially a collection of daemons that analyze
iptables logs to identify patterns of malicious traffic. When used in conjunction with fwsnort, PSAD can also correlate blocked traffic with many of the "Emerging Threats" Snort rules.
PSAD was extremely easy to set up on a Raspberry Pi that's deployed as a catch-all DMZ host on my home network. Before diving into the details, you can see live data being collected by that host here: https://psad.disloops.com
...continue reading "PSAD on Raspberry Pi"
I recently needed to run Nmap against a ton of hosts at once but my internet connection died as soon as I launched all the concurrent threads. That had never happened before – turns out that I maxed out the “state table” on my SG-2440 pfSense router.
The default settings allow it to hold 405,000 max connections in the firewall state table. Every million states take about a gig of RAM and the router has 4 gig total, so the default is to let the state table take up 10% of the total memory capacity at most. Apparently running around 50+ Nmap threads against all ports per host maxes that out immediately.
I had to SSH into the router and flush the state table (“pfctl -F states”) to get my connection working again. Then I bumped the max states up to 3M and I scaled back the number of Nmap threads I’m running. Now it works but I thought that was a funny problem to come across; I didn’t foresee my fancy router being the bottleneck.
I recently spent some time exploring the issue of CloudFront domain hijacking. This is not a new issue but I think it has gone mostly unnoticed for a few reasons:
- CloudFront's default behavior is not intuitive. Some standard DNS configurations can mislead users into thinking that their vulnerable domains are configured correctly.
- In the past year, misconfigured S3 buckets have been everyone's priority. Other AWS security issues have played second banana.
- Because a misconfigured domain presents an obvious error message, one would assume there is no "low-hanging fruit" for attackers.
There are a couple reports on HackerOne but I'd say that this issue is still relatively unexplored. So I devoted some time to finding the right targets and scripting the testing process. The results are below.
...continue reading "CloudFront Hijacking"
There are plenty of articles online about the different things you can do with a Raspberry Pi. I recently bought a new one from Adafruit and I wanted to write down the steps I took to create a baseline configuration for future projects.
Setting Up Rasbian
I downloaded the latest version of Raspbian and burned it to a new micro SD card. I plugged that in along with some peripherals I bought:
The Raspberry Pi 3 actually has built-in WiFi but I thought I'd have a stronger connection using an external USB adapter.
After booting for the first time, I wanted to get rid of the default
pi user. To do this, go to the start menu, open "Raspberry Pi Configuration" under "Preferences" and turn off the "Auto-Login" option. Then open a terminal and create a password for the root user:
...continue reading "Raspberry Pi 3 Basics"
For the longest time I've gotten the following error from Snort's
barnyard2 spooler process:
barnyard2: Could not remove pid file /var/run//barnyard2_NULL.pid: Permission denied
On Ubuntu 16.04, the
barnyard2 process is created in this systemd unit file:
This process creates the pid file in the
/var/run directory before the user permissions drop to the level provided by the '-u' option. Then when exiting, the process attempts to delete the pid file that was created with elevated privileges.
To fix this, I modified the process's systemd file:
...continue reading "Fixing the Barnyard2 PID File Problem"