News items for tag english - Koos van den Hout

2022-09-28 I participated in the CQWW RTTY 2022 contest
RTTY Contest on websdr Past weekend was the 2022 version of the CQ World Wide RTTY DX Contest and I participated. Not with any preparation: on Saturday after some other tasks I sat behind radio and computer and looked up which set of macros would work for this contest.

But propagation cooperated, especially on the 20 meter band. On Sunday evening after dark I got a nice set of stations in the USA and Canada in the log. I also saw a station from Brunei active but that station never managed to decode my callsign while I tried for a quarter of an hour as this would have been a new country in amateur radio for me.

I made 106 contacts in total: 70 on the 20 meter band and 36 on the 40 meter band.

Tags: , , ,
2022-09-25 Found a "Corinex CXWC-HD200-WNeH"? Let me know!
Officially the "Corinex CXWC-HD200-WNeH" cable modem is out of support for years and deployments should have migrated to newer solutions. That is the reason I got my hands on one: it was replaced by a docsis-based modem. For as far as I can tell these modems are based on homepna or homeplug, over coax networks (the tools on the router don't tell what kind of standards the coax side uses).

I'd like to know if any of these are still used in the wild. If you find this post because you got bored and looked at the underside of the wifi box in your holiday park, get in touch!

My e-mail address is at the bottom of this page and I'm on twitter as @khoos.

Tags: , ,
2022-09-24 Can't live-attach a USB device to a kvm virtual host after upgrades
I have a DS2490 USB 1-wire interface on the home server conway which is rerouted to one of the virtual machines so that that virtual machine can read the sensors on the 1-wire network. This rerouting works when the machine is started, the DS2490 USB 1-wire shows up in the virtual machine fine. From time to time this DS2490 USB 1-wire interface gets confused when I am transmitting on the radio so the solution is to detach it from the virtual machine, unplug it from the server, plug it in again and attach it to the virtual machine again. Today this had to be done and I got an unexpected error message:
root@conway:~# virsh attach-device --live gosper /etc/onewire-for-gosper.xml
error: Failed to attach device from /etc/onewire-for-gosper.xml
error: internal error: unable to execute QEMU command 'device_add': failed to find host usb device 2:8
In logfile /var/log/libvirt/libvirtd.log:
2022-09-24 21:16:38.655+0000: 10923: error : qemuMonitorJSONCheckError:395 : internal error: unable to execute QEMU command 'device_add': failed to find host usb device 2:8
To be complete about it: usb device 2:8 is exactly the right one!
root@conway:~# lsusb | grep 2490
Bus 002 Device 008: ID 04fa:2490 Dallas Semiconductor DS1490F 2-in-1 Fob, 1-Wire adapter
This seems to be new since I upgraded the homeserver to Devuan beowulf giving me versions:
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                  Version         Architecture Descripti
+++-=====================================-===============-============-=========
ii  libvirt-clients                       5.0.0-4+deb10u1 amd64        Programs 
ii  libvirt-daemon                        5.0.0-4+deb10u1 amd64        Virtualiz
un  libvirt-daemon-driver-storage-gluster                  (no descr
un  libvirt-daemon-driver-storage-rbd                      (no descr
un  libvirt-daemon-driver-storage-zfs                      (no descr
ii  libvirt-daemon-system                 5.0.0-4+deb10u1 amd64        Libvirt d
ii  libvirt-glib-1.0-0:amd64              1.0.0-1         amd64        libvirt G
ii  libvirt0:amd64                        5.0.0-4+deb10u1 amd64        library f

First idea: AppArmor

The first search result that came up was Bug #1552241 “libvirt-bin apparmor settings for usb host device” : Bugs : libvirt package : Ubuntu. So I tried changing the /etc/apparmor.d/abstractions/libvirt-qemu file. After a few tries and reading the warnings in the rest of the file I made sure the source was AppArmor by completely disabling it. The error did not go away so I reverted the libvirt-qemu rules to the original settings, restarted AppArmor and kept debugging.

Second idea: usb rights

Based on QEMU USB passthrough broken after Ubuntu 18.04 upgrade I added udev rules to make sure group libvirt-qemu had read and write rights on the usb device, with /lib/udev/rules.d/51-qemu-usb-passthrough.rules containing:
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="04fa", ATTRS{idProduct}=="2490", MODE="0664", GROUP="libvirt-qemu"
And doing the
root@conway:~# udevadm control --reload-rules
And verifying the resulting rule:
root@conway:~# udevadm test -a -p  $(udevadm info -q path -n /dev/bus/usb/002/008)
calling: test
version 3.2.9
This program is for debugging only, it does not run any program
specified by a RUN key. It may show incorrect results, because
some values may be different, or not available at a simulation run.

[..]

GROUP 110 /lib/udev/rules.d/51-qemu-usb-passthrough.rules:1
MODE 0664 /lib/udev/rules.d/51-qemu-usb-passthrough.rules:1
handling device node '/dev/bus/usb/002/008', devnum=c189:135, mode=0664, uid=0, gid=110
[..]
Indeed the right groupid, but still the same error message when trying the attach-device command.

Interesting find: it's specific to the virtual machine that had the device before

Small update: I can attach the USB device to a different host and detach it from that host again. I just can't attach it to the 'original' host again.

I also posted this question on serverfault: Can't live-attach a USB device to a kvm virtual host again after upgrades.

Tags: , , ,
2022-09-22 Getting further into the Corinex CXWC-HD200-WNeH: I got root!
Corinex CXWC-HD200-WNeH side with warrantylabel
Corinex CXWC-HD200-WNeH side with warrantylabel. The warranty was voided.
Picture by Koos van den Hout, license CC-BY-SA
This week I was attending a course in hardware hacking: HackLab: Hardware Hacking at the Deloitte office in Den Haag.

How to find the right pins to get a commandline on a router-like device was part of this course, and the last day there was an option to Bring Your Own Device, to hack it. So I brought this router as I thought it was an ideal target to get access to it, since on the earlier try I could not get into the webinterface of the Corinex CXWC-HD200-WNeH device.

Corinex CXWC-HD200-WNeH opened boards visible
Corinex CXWC-HD200-WNeH opened boards visible
Picture by Koos van den Hout, license CC-BY-SA
So this time I took out the screwdriver, voided the warranty of the device by breaking the little sticker on the side and opening it. It has a board with the powersupply and cable interface parts. The powersupply is shielded with some plastic.

There is a smaller board with the main chip which contains the processor, ram, wifi module. The first task was to find the uart interface which should give a serial console. That's a skill I learned in the hacklab: first find out which pins have continuity to ground with the device switched off. With a simple multimeter which has a beeping continuity meter this is simple. The beep makes it possible to test the device without looking at the meter.

After that it's a matter of switching the multimeter to voltage and checking other pins for voltage. Usually there are 4 pins on a uart port: ground which is physically connected to the device ground, receive data and send data and a reference voltage. On measuring the pins the reference voltage will be at the steady maximum voltage, the data transmitting from the device will be varying and the pin where the device expects data will be at 0 volt.

Uart ports can be 5 volt, 3.3 volt, 2.5 volt or 1.8 volt in recent devices. 5 and 3.3 volt are the most common. USB serial interfaces that support 5 and 3.3 volt are cheap (3 euro), USB serial interfaces that support all 4 are somewhat more expensive (10 euro).

For the Corinex router the voltage is 3.3 Volt. There was a 3.3 Volt ftdi USB to serial interface available, so I was able to access the uart port. I connected to the uart port, used a terminal program and searched for the right serial port settings and ended up at 57600 baud, 8 bits, no parity, 1 stopbit.

After looking at all the boot messages I was greeted with a root prompt. No more hacking, just full access. The system boots using the U-Boot bootloader. The system runs linux with a 2.6.21 kernel. I looked around on the filesystem and started looking for the configuration for the webserver hoping to find the username/password. I found this in /flash/config so I could get into that interface as well.

I also found it was running a telnet server, but not on the standard port. The port was 32560. Without commands like netstat or ss I had to learn this from /proc/net/tcp. Browsing the iptables listing shows that port 80 is supposed to be allowed and other ports aren't, but 32560 reacts fine.

Chip found: Ralink RT3052F processor with embedded ram and flash and with 2.4 GHz wifi and a network switch for 1 gigabit port and 5 100 mbit ports.

Things I'd still like to do: copy the entire filesystem to another computer so I can research it and check around the web interface for security issues.
Read the rest of Getting further into the Corinex CXWC-HD200-WNeH: I got root!

Tags: , , ,
2022-09-17 Looking into the Corinex CXWC-HD200-WNeH
Corinex CXWC-HD200-WNeH underside
Corinex CXWC-HD200-WNeH underside
Picture by Koos van den Hout, license CC-BY-SA
I have a "Corinex Detachable Wireless-N Cable Access" Corinex CXWC-HD200-WNeH to play with. This has been used for Internet access over TV coax cable in a bungalow park where it has been replaced.

So it is some sort of cable modem. According to the source it's not managed network over cable (docsis) but more like ethernet over cable, a relative of ethernet over powerline. Searching a bit finds hempro | JPK consulting which seems to be the next generation and isn't compatible.

I also found Docsis, EOC of Moca toegepast in kleine kabeltelevisienetwerken which mentions that Corinex products are ethernet over cable according to the HomePNA (abbreviated HPNA) 3.1 standard.

The only mention of these devices are for Dutch bungalow parks or campsites, for example woon op een camping, open wifi. geen internet.

The site at corinex.nl just lists why you should stop relying on these devices and replace them with newer technologies that are supported.

It's not clear to me whether I can simply set up a network with a bit of coax and another HomePNA coax interface or whether I need some sort of headend.

Time to play with the device and see how far I can get!
Read the rest of Looking into the Corinex CXWC-HD200-WNeH

Tags: ,
2022-09-04 Minecraft java edition has issues with IPv6 and CPU
Our child plays minecraft regularly. The start was with the Microsoft minecraft edition but recently the java edition became available too without paying again.

I have set up the bedrock server for the Microsoft minecraft edition to make it possible to play with other people outside the house. So the most recent request was to do this for the java edition too.

I don't know much about minecraft but I can do enough with just some websearching and finding a howto. So I started with How to Set Up a Dedicated Minecraft Server on Linux which seems to be a way to try to sell dedicated servers but I have enough server hardware here at home so I just used the same virtual machine which ran the minecraft bedrock server.

It turned out the default-jdk resulted in openjdk-11 getting installed and this resulted in not being able to run the latest minecraft java server. I switched to openjdk-17-jre-headless because I only need the runtime and I never want to run the graphical stuff, so that saved a lot in needed libraries and other overhead.

The server started fine, but the minecraft java edition couldn't connect to it when trying to connect by name, but gave no usable error message. That's a different rant. I checked on the server side and saw the listening socket in dual-stack mode.

With tcpdump I soon found out the minecraft java edition starts with the IPv4 address and gives up when that fails. The solution was to remove the IPv4 address (A record) from the name, flush the dns cache and after that it worked. This does mean that when friends want to connect that are behind ISPs that only support legacy Internet addresses they will have a different problem.
Read the rest of Minecraft java edition has issues with IPv6 and CPU

Tags: , , ,
2022-09-01 Finding interesting requests for timepro.cgi in the logs
There are always attacks in the logs, but this one caught my eye because someone mentioned it, I saw it in logs and searching for a simple explanation for what I saw gave no answers.

Those are the interesting ones. So here is the logline split into multiple parts in an attempt to make it more readable:
"GET /cgi-bin/timepro.cgi?tmenu=netconf&smenu=wansetup&act=save&
sel=dynamic&dns_dynamic_chk=on&fdns_dynamic1=128.0.104.18&
fdns_dynamic2=128.0.104.33&fdns_dynamic3=128.0.104.18&
fdns_dynamic4=128.0.104.18&sdns_dynamic1=128.0.104.18&
sdns_dynamic2=128.0.104.33&sdns_dynamic3=128.0.104.18&
sdns_dynamic4=128.0.104.33&userid=&passwd=&mtu=1454&
ip1=192&ip2=168&ip3=254&ip4=2&
sm1=255&sm2=255&sm3=255&sm4=0&
gw1=192&gw2=168&gw3=254&gw4=254&
fdns1=&fdns2=&fdns3=&fdns4=&
sdns1=&sdns2=&sdns3=&sdns4=&static_mtu=150 HTTP/1.1"
Searching for timepro.cgi finds a2004ns-mod/timepro.cgi at master · hklcf/a2004ns-mod · GitHub which seems to be compiled code: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, stripped.

Based on Honware: A virtual honeypot framework for capturing CPE and IoT zero days my best guess is that requests to timepro.cgi attempt to reconfigure a home router. And my next guess is that the attempt is to set the DNS resolvers to 128.0.104.18 and 128.0.104.33. Further searching finds another attempt from the same source IPv4 address which also looks a lot like an attempt to reconfigure DNS settings:
"GET /dnscfg.cgi?dnsPrimary=128.0.104.18&dnsSecondary=128.0.104.33&dnsDynamic=0&dnsRefresh=1 HTTP/1.1"
The theory that this is an attempt to redirect DNS traffic is somewhat confirmed by the fact that 128.0.104.18 indeed runs an open resolver which will give me answers. For the few things I have tried those are valid answers (no clear attempts to redirect traffic to other places). I get no answers from 128.0.104.33 at the moment.

Update: Searching for the string 128.0.104 finds more:
"POST /dnscfg.cgi?dnsPrimary=128.0.104.18&dnsSecondary=128.0.104.18&dnsDynamic=0&dnsRefresh=1&dnsIfcsList= HTTP/1.1"
"POST /Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=128.0.104.18&dnsSecondary=8.8.8.8 HTTP/1.1"
Based on the names of the parameters I guess more of the same: attempts to redirect DNS traffic.

Tags: , ,
2022-08-26 Limiting URLs to scan with wapiti
I wanted to use wapiti as scanner to check for other vulnerabilities in The Virtual Bookcase after receiving a report about a cross-site scripting vulnerability. Wapiti is open source and free, which is a fitting price for scanning a hobby project site.

I quickly ran into wapiti taking hours to scan because of the URL structure of the site: all /book/detail/x/y URLs map to one handler that deals with the X and Y parameters in SQL queries. Yes those queries are surrounded by very defensive checking and I use positional parameters. Everything to avoid SQL injection and becoming the next Little Bobby Tables.

Wapiti has no simple method that I can find to crawl for a list of URLs and stop at that to allow for selecting the list of URLs to scan. But it has an option to minimize crawling and import a list of additional URLs to scan so I used that option to get at the same result.

Gathering URLs was done with wget:
$ wget --spider -r http://developer.virtualbookcase.com 2>&1 | grep '^--' | egrep -v '\.(css|jpg|gif|png)' | awk '{ print $3}' > developer.virtualbookcase.com-urls.txt
After that I sorted the file with URLs and threw out a lot of them, making sure all the scripts with several variants of input were still tested.

With that list I start wapiti with some special options. It still needs a starting url at -u so I give it the root but I limit the crawling with the depth parameter -d 1 and the max files parameter --max-files-per-dir 50. Then I add the additional urls from the earlier scan with the -s parameter. It's a lot of tweaking but it does the trick.
$ wapiti -u http://developer.virtualbookcase.com/ -d 1 --max-files-per-dir 50 -s developer.virtualbookcase.com-urls.txt -o ~/wapiti/ -v 2
No vulnerabilities were found. I found one PHP warning which only triggered in the kind of corner case a web vulnerability scanner causes, or an attacker. So I fixed that corner case too.

Tags: , , ,
2022-08-25 D'oh!!! A cross-site scripting vulnerability in one of my own sites
I received a responsible disclosure report of a vulnerability in The Virtual Bookcase.

I will directly admit I haven't done a lot of maintenance on this site in the past few years but I want to keep my sites secure.

The report came via openbugbounty.org and has no details about the vulnerability, so I am not 100% sure where the reported vulnerability is. But based on the report text XSS (Cross Site Scripting) and a peek in the access-log looking for specific requests I found I made a beginner mistake in dealing with a search query: displaying it as-is within an HTML context. I immediately fixed that error in the site.

Now I wonder why it took so long for me to realize the error of my ways or for someone to notice it!

Checking the logs some more finds huge amounts of attempts at SQL injection, which is a vulnerability I am very aware of and where I put up standard defenses. But this is the first time a security researcher made me aware of the cross-site scripting vulnerability.

Update: I contacted the reporter about the vulnerability who responded quickly inquiring about the possible bounty for finding the bug. As this is a site that hasn't delivered any income in years the best I can do is a mention in the credits of the site or on a separate hall of fame.

Update: I also started a vulnerability scanner on the site myself, to find any other vulnerabilities I might have missed. This scanner is going through the development site at the moment. Like many other scanners it doesn't see by default how certain urls all map to the same PHP script.

I already committed a few minor updates to improve handling of corner cases in not set variables and other things popping up in the scan.

Update 2022-09-23: I realized the reporter has never responded with the actual bug information.

Tags: , , ,
2022-08-24 Digging into WPA Enterprise authentication packets
After digging into setting up radius and WPA Enterprise with an Asus WL300g accesspoint the next step was to peek into the traffic on a client.

For that part I used a linux machine with a wired and wireless interface and used tcpdump to try to capture the wireless authentication packets. I configured /etc/network/interfaces for wpa enterprise, based on the eduroam examples.

And this worked, starting the capture:
root@ritchie:~# ifconfig wlan0 up
root@ritchie:~# tcpdump -ni wlan0 -w wlanstart.pcap -s 0 -u -v
And I typed in another window 'ifup wlan0'. This resulted in a capture with the right Extensible Authentication Protocol (EAP) packets included:
root@ritchie:~# tcpdump -nr wlanstart.pcap -v
reading from file wlanstart.pcap, link-type EN10MB (Ethernet)
16:47:39.658963 EAP packet (0) v2, len 5, Request (1), id 0, len 5
                 Type Identity (1)
16:47:39.660863 EAP packet (0) v1, len 25, Response (2), id 0, len 25
                 Type Identity (1), Identity: anonymous@idefix.net
16:47:39.662840 IP6 (hlim 1, next-header Options (0) payload length: 56) :: > ff02::16: HBH (rtalert: 0x0000) (padn) [icmp6 sum ok] ICMP6, multicast listener report v2, 2 group record(s) [gaddr ff02::1:ff23:123 to_in, 0 source(s)] [gaddr ff02::1:ff84:afe0 to_ex, 0 source(s)]
16:47:39.668736 EAP packet (0) v2, len 6, Request (1), id 1, len 6
                 Type TTLS (21) TTLSv0 flags [Start bit] 0x20,
16:47:39.670420 EAP packet (0) v1, len 6, Response (2), id 1, len 6
                 Type Nak (3) unknown (25),
16:47:39.682125 EAP packet (0) v2, len 6, Request (1), id 2, len 6
                 Type unknown (25)
16:47:39.741150 EAP packet (0) v1, len 203, Response (2), id 2, len 203
                 Type unknown (25)
16:47:39.756343 EAP packet (0) v2, len 1004, Request (1), id 3, len 1004
                 Type unknown (25)
16:47:39.756598 EAP packet (0) v1, len 6, Response (2), id 3, len 6
                 Type unknown (25)
16:47:39.834920 EAP packet (0) v2, len 1000, Request (1), id 4, len 1000
                 Type unknown (25)
16:47:39.835159 EAP packet (0) v1, len 6, Response (2), id 4, len 6
                 Type unknown (25)
16:47:39.842070 EAP packet (0) v2, len 1000, Request (1), id 5, len 1000
                 Type unknown (25)
16:47:39.842318 EAP packet (0) v1, len 6, Response (2), id 5, len 6
                 Type unknown (25)
16:47:39.866174 EAP packet (0) v2, len 79, Request (1), id 6, len 79
                 Type unknown (25)
16:47:40.006260 EAP packet (0) v1, len 144, Response (2), id 6, len 144
                 Type unknown (25)
16:47:40.014338 EAP packet (0) v2, len 65, Request (1), id 7, len 65
                 Type unknown (25)
16:47:40.016467 EAP packet (0) v1, len 6, Response (2), id 7, len 6
                 Type unknown (25)
16:47:40.028765 EAP packet (0) v2, len 43, Request (1), id 8, len 43
                 Type unknown (25)
16:47:40.029290 EAP packet (0) v1, len 96, Response (2), id 8, len 96
                 Type unknown (25)
16:47:40.036381 EAP packet (0) v2, len 75, Request (1), id 9, len 75
                 Type unknown (25)
16:47:40.043383 EAP packet (0) v1, len 144, Response (2), id 9, len 144
                 Type unknown (25)
16:47:40.057720 EAP packet (0) v2, len 91, Request (1), id 10, len 91
                 Type unknown (25)
16:47:40.058739 EAP packet (0) v1, len 80, Response (2), id 10, len 80
                 Type unknown (25)
16:47:40.071176 EAP packet (0) v2, len 43, Request (1), id 11, len 43
                 Type unknown (25)
16:47:40.072087 EAP packet (0) v1, len 80, Response (2), id 11, len 80
                 Type unknown (25)
16:47:40.082689 EAP packet (0) v2, len 4, Success (3), id 11, len 4
16:47:40.082865 EAPOL key (3) v2, len 117
16:47:40.091607 EAPOL key (3) v1, len 117
16:47:40.107041 EAPOL key (3) v2, len 175
16:47:40.107839 EAPOL key (3) v1, len 95
At the same time I captured the radius traffic. Now time to correlate those two traffic streams in wireshark.
Read the rest of Digging into WPA Enterprise authentication packets

Tags: , , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newstag.cgi,v 1.37 2022/02/15 21:48:19 koos Exp $ in 0.039757 seconds.