QNAP QTS 0day (CVE-2017-5227)

Pasquale `sid` Fiorillo and Guido `go` Oricchio have released a critical security advisory for any QNAP NAS running any version of QTS prior to 4.2.4 Build 20170313.

The issue affects every QNAP NAS that is a member of a Microsoft Active Directory domain, and can be used by any local user, such as “httpdusr” (used to run web applications), to escalate to Domain Administrator.

[EN] Ssh read failed from linux to Win32-OpenSSH

How to work around a 2017 Win32-OpenSSH bug by using a 1980s Unix utility 😉

If you run ssh without a real TTY (for example from a popen() in mod_php, or from cron) against a Windows host running Win32-OpenSSH, you may receive a “read failed”.

To easily reproduce the problem you can run ssh through “nohup”:

nohup ssh -vvv user@windows-host whoami

Here’s the log:

[...]
debug1: Sending command: whoami
debug2: channel 0: request exec confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
debug2: channel 0: read<=0 rfd 4 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
Transferred: sent 3888, received 2748 bytes, in 0.1 seconds
Bytes per second: sent 75340.2, received 53249.7
debug1: Exit status 0

One workaround is to run ssh through “script”, a 1980s utility that logs an interactive session to a file:

script makes a typescript of everything displayed on your terminal.
It is useful for students who need a hardcopy record of an
interactive session as proof of an assignment, as the typescript file
can be printed out later with lpr(1).

So, for example:

script -q -c "ssh user@windows-host whoami"

There is an open issue on GitHub.
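
A wrapper for cron jobs or popen() callers built around the script workaround above; this is an added example, not code from the original post. The function names are hypothetical, and it assumes util-linux script(1), whose -e option returns the child's exit status and whose trailing /dev/null argument keeps a "typescript" file from being written to the working directory.

```shell
#!/bin/sh
# Added example (hypothetical helper names), assuming util-linux script(1).

# Quote one argument so the shell started by `script -c` re-parses it as a
# single literal word: wrap it in '...' and rewrite each ' as '\''.
# (Trailing newlines in the argument are dropped by the command substitution.)
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Join all arguments into the single command string that `script -c` expects.
build_cmd() {
    out=""
    for a in "$@"; do
        out="${out:+$out }$(shquote "$a")"
    done
    printf '%s' "$out"
}

# Run ssh directly when stdin is already a terminal; otherwise run it under
# script so that it gets a pseudo-terminal, as in the workaround above.
ssh_with_tty() {
    if [ -t 0 ]; then
        ssh "$@"
    else
        # -q: quiet, -e: return ssh's exit status, /dev/null: discard typescript
        script -q -e -c "$(build_cmd ssh "$@")" /dev/null
    fi
}

# Usage, with the host name from the post:
#   ssh_with_tty user@windows-host whoami
```

Output that passes through the pty arrives with CRLF line endings and with stderr merged into stdout, so strip `\r` before parsing it.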