mark :: blog :: ha
ZoneMinder is an amazing Linux video camera
security and surveillance application I use as part of my home automation
system. ZoneMinder prior to version 1.23.3 contains unescaped
PHP exec() calls which allow an authorised remote user to run
arbitrary code as the Apache httpd user (CVE-2008-1381).
CVSS v2 Base Score 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
This is really a moderate severity flaw because you need a remote attacker who
has the ability to start/stop/control ZoneMinder, and you really should protect
your ZoneMinder installation so you don't allow arbitrary people to control your
security system. (Although I think at least one distributor package of
ZoneMinder doesn't protect it by default, and you can find a few unprotected
ZoneMinder consoles using a web search).
I discovered this because when we went on holiday early in April I forgot to
turn down the heating in the house. Our heating system is controlled by
computer and you can change the settings locally by talking to a Jabber heating
bot (Figure 1). But remotely over the internet it's pretty locked down and the only thing
we can access is the installation of ZoneMinder. So without remote shell access,
and with an hour to spare at Heathrow waiting for the connecting flight to
Phoenix, I figured the easiest way to correct the temperature was to find a
security flaw in ZoneMinder and exploit it. The fallback plan was to explain to
our house-minder how to change it locally, but that didn't seem as much fun.
So I downloaded ZoneMinder and took a look at the source. ZoneMinder is a
mixture of C and PHP, and a few years ago I found a buffer overflow in one of
the C CGI scripts, but as I use Red Hat Enterprise Linux exploiting any new
buffer overflow with my ZoneMinder compiled as PIE definitely wouldn't be
feasible with just an hours work. My PHP and Apache were up to date too. So I
focussed on the PHP scripts.
A quick grep of the PHP scripts packaged with ZoneMinder found a few cases where
the arguments passed to PHP exec() were not escaped. One of them was really
straightforward to exploit, and with a carefully crafted URL (and if you have
authorization to a ZoneMinder installation) you can run arbitrary shell code as
the Apache httpd user. So with the help of an inserted semicolon and one reverse shell
I had the ability to remotely turn down the heating, and was happy.
I notified the ZoneMinder author and the various vendors shortly after and
updates were released today (a patch is also available).
Figure 1: Local heating control
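The "quick grep" described above, done a little more carefully, as an added example that is neither ZoneMinder's code nor the exploit used here. The script below pulls the first argument out of every PHP exec()/system()/passthru()-style call, reports whether a variable reaches the shell string without passing through escapeshellarg(), and shows why an inserted semicolon works against the unescaped form. The PHP lines it scans are constructed for this example, and the "zmu -m <id>" command shape is an assumption made for illustration, not a claim about ZoneMinder's actual scripts.

```python
import re

# Shell-spawning PHP functions whose first argument is a command string.
SHELL_FUNCS = ("exec", "shell_exec", "system", "passthru", "popen", "proc_open")
CALL_RE = re.compile(r"\b(" + "|".join(SHELL_FUNCS) + r")\s*\(")
# Innermost escapeshellarg(...) / escapeshellcmd(...) call with no nested parens.
ESCAPE_RE = re.compile(r"escapeshell(arg|cmd)\s*\([^()]*\)")

# Constructed sample PHP for this example; it is not ZoneMinder's source and
# the "zmu -m <id>" command shape is an assumption made for illustration.
SAMPLE_PHP = r'''<?php
// constructed sample, not ZoneMinder's source
$monitor = $_REQUEST['mid'];
exec( "zmu -m $monitor -q" );
exec( "zmu -m ".$monitor." -q", $output );
exec( "zmu -m ".escapeshellarg($monitor)." -q" );
exec( 'zmu -l' );
system( "zmpkg.pl " . $_GET['cmd'] );
$cmd = "zmu -m ".escapeshellcmd($monitor);
exec( $cmd );
'''

def first_argument(src, open_paren):
    """Return the first argument of the call whose '(' sits at src[open_paren],
    honouring PHP string literals and nested parentheses."""
    depth, in_str, i = 0, None, open_paren
    while i < len(src):
        c = src[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character inside the literal
            elif c == in_str:
                in_str = None
        elif c in "'\"":
            in_str = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                break
        elif c == "," and depth == 1:
            break
        i += 1
    return src[open_paren + 1:i].strip()

def classify(arg):
    """Say whether the command string can carry attacker-controlled text."""
    if "$" not in arg:
        return "constant"
    if re.fullmatch(r"\$\w+", arg):
        return "single variable: trace its assignment"
    rest, kinds = arg, set()
    while (m := ESCAPE_RE.search(rest)):     # strip each escaped sub-expression
        kinds.add(m.group(1))
        rest = rest[:m.start()] + rest[m.end():]
    if "$" in rest:
        return "UNESCAPED variable in shell command"
    if "cmd" in kinds:
        return "escapeshellcmd only: neutralises ';' but not injected arguments"
    return "escaped with escapeshellarg"

def scan(src):
    """Return (line, function, first argument, verdict) for every shell call."""
    findings = []
    for m in CALL_RE.finditer(src):
        arg = first_argument(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(1), arg, classify(arg)))
    return findings

def php_escapeshellarg(value):
    """Python port of PHP's escapeshellarg() (POSIX flavour): wrap in single
    quotes and escape embedded single quotes so the value stays one argument."""
    return "'" + value.replace("'", "'\\''") + "'"

def build_command(monitor_id, escape):
    """The assumed 'zmu -m <id> -q' command, built the vulnerable way
    (plain interpolation) or the fixed way (through escapeshellarg)."""
    arg = php_escapeshellarg(monitor_id) if escape else monitor_id
    return "zmu -m %s -q" % arg

if __name__ == "__main__":
    for line, func, arg, verdict in scan(SAMPLE_PHP):
        print("line %2d %-8s %-48s %s" % (line, func, arg, verdict))
    # A semicolon in the 'mid' parameter ends zmu's command line and starts another.
    print(build_command("1;id", escape=False))   # zmu -m 1;id -q
    print(build_command("1;id", escape=True))    # zmu -m '1;id' -q
```

The scanner is deliberately syntactic: a bare `exec($cmd)` is reported for manual tracing rather than guessed at, and escapeshellcmd() is called out separately because it stops `;` and friends but still lets an attacker append extra arguments to the command, so escapeshellarg() around each untrusted value is the fix to look for.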
Last month I read a blog entry from
hadess via Fedora Planet about hardware to let you run homebrew
applications on the Nintendo DS. There are tons of homebrew applications
available, but as yet no Jabber client.
My home automation system is all based around XMPP, with a standard Jabber
server to which all the home automation systems connect to share messages. I
wrote it like this so that it would be easy to just take some existing Jabber
client for a platform and be able to come up with a nice looking front end with
minimal effort.
I found Iksemel, a portable
C XML parser and protocol library that looked perfect, and it only
took a couple of hours to port it to the NDS, and a couple
more hours to get it working with PAlib for wifi. It's not a generic
Jabber chat client, but it wouldn't take too much work to make it into
one (although I didn't bother with encryption support so you won't be
able to use it with Google talk servers for example). Anyway, the code
might save someone a few hours, so I've made the source available.
I've included a copy of Iksemel, so if you want to build this yourself
all you need is a working development environment: devkitpro and PAlib. This
still needs some work, I need to integrate a library to handle displaying
images from the network (when the phone rings it can pop up the caller's
picture, or a streaming picture from one of the cameras when the doorbell
is pushed).
Over the Christmas holiday I joined Second Life. I wasn't expecting to find it interesting as I don't use chat systems at all outside of work (all of the Red Hat Security Response Team work in different locations around the world so irc provides a good crisis room). But I was quickly hooked and started creating shirts, figuring out ways that Sonik could play a live gig, playing Myst-like adventure puzzles, and virtually dancing to great music.
Having discovered libsecondlife and having a few spare hours this weekend I installed mono development tools and knocked up a quick libsecondlife to Jabber interface. All my home automation communicates using XMPP, so by giving my second life avatar the ability to communicate to my Jabber server he can do all sorts of things. My avatar gets notification when the phone rings and can tell me the callers number (and do a cute little animation to pick up a phone), the avatar can turn on and off the house lights, or find the temperatures of rooms.
I've not figured out a use for this yet. I've a few ideas though which will need to wait until there's more free time.
The hot weather followed me back to Scotland, which is nice for me but not so nice for my 3m^3 computer cupboard which, being unventilated, gets quite warm and toasty. Today with the outside temperature at 20C and the inside temperature at 24C the cupboard was at 30C with the door closed, or 26C with the door open. So I cut holes in the plasterboard in the wall near the top, added a 120mm fan (with useless but cute blue LEDs, but nice and quiet with a fairly good flow rate), a nice looking outlet vent to hide the messy holes, and enough space for air to get in at floor level under the door. With the fan on and the door closed the temperature started rising, although slower than normal, to 29C. Turn the fan off, 30C.... so it's pretty consistent, but not particularly worth the effort. I need to figure out if my fan isn't moving enough air, or if it's just bad placement. -- I don't think I can get away with making any more large holes in the wall though, well not until Tracy goes out of the house for a few hours ;)
I saw a couple of Fujitsu Point 1600 tablets going on eBay for US$150 for the pair and couldn't resist. My house already has a number of Fujitsu Point 510 tablets around with a simple Perl/Tk interface to control heating, lighting, security, house cams, incoming phone calls and so on. But the old 510's were starting to show off their less than impressive specs: 56MB, 75MHz, 256 colours. The 1600 is a bit better at 160MB and 166MHz with enough graphics RAM to go to 24 bit colour at 800x600. Fortunately the 1600 is pretty similar to the 510 externally so the wall mount is the same, and in fact they use the same LCD and touchscreen so I can use the 510's as backlight spares (isn't it wacky when you can get a new 510 for about half the price of a replacement backlight for the LCD). Of course now I have faster tablets it means I'm likely to write more GUI to slow them back down again.
I'm standing in the middle of Target when my phone vibrates to tell me there is an incoming SMS message; the message is from my home automation system and tells me that the alarm has been triggered. Then a second text to show it's a confirmed alarm. There's really not much I can do about it being a few thousand miles from home apart from try calling my partner or the neighbours. If I were in the UK I'd be able to bring up a little picture from the house cameras to see what was going on, but GPRS wasn't enabled for whatever roaming partner we have in New Hampshire. Anyway it turns out my partner had triggered it without noticing and she had left the house. The mobile conversation went along the lines of "oops - how do you cancel this thing?" "Sorry, can't hear you, all the sirens in the background" "What?" "Hello?" "helloooo?" Anyway I'd forgotten that even after turning it off you had to reset the alarm to clear the events, and until then the HA system continued to shriek, wail, and flash the lights, probably to the delight of everyone in the chocolate aisle of Target. Mapopolis is working really well once you get used to it; it's managed to get me out of a number of sticky situations and it doesn't endlessly complain like TomTom if I decide to take an alternative route, it just makes a happy "ching" sound and gets on with rerouting you.
I'm fed up with missing the postman when he rings the doorbell and we don't hear it because we're in the kitchen or have the music on. It's one of those HA things I've never got around to - in my first student house 10 years ago the first thing we did was to hook the doorbell up to our shared-house Novell server (called Malawi since it lived inside a wood box with that label) so that it popped up on everyone's computer when someone was at the door (and being students we'd all just sit there and ignore it, perhaps sending popup messages to each other to find someone who would go answer it).
I use one of these RF doorbells (Friedland Libra) and picked up an identical spare unit from eBay for 8 pounds. I made sure to get a battery one, not one that plugs directly into the mains, as those don't bother using a transformer to step down the voltage, so interfacing to them is more risky.
Inside is an RF circuit and a PIC microprocessor and, fortunately, one of the output pins acts as a mute for the sound circuit (so one pin is high at around 3v and is pulled low for a couple of seconds as the doorbell rings). I hooked this to a 3-pin DS2406, a one-wire device from Maxim that can monitor a single IO pin (a high is 2.2v or greater) and report on the status (and on whether there have been any transitions since you last spoke to it). These things are mad: a tiny package the size of a transistor with an internal processor, 1Kb of EEPROM and a unique id. Pretty reliable too, one has been monitoring the heating system for the last couple of years. So one device, four wires, and now a Jabber bot announces within about a second when there is someone at the door. All for about 10 pounds of parts and an hour's work.
Applications implementing vCard suck. Over the holidays I decided to unify my contacts, as I had different people in different places. When a flight got delayed for 24 hours in New York I was lucky that I had a friend in New York in the right contact database. Anyway I decided to standardise on vcf (vCard) format: one long big text file with entries for all my contacts. Sounds good so far, right? Well it turns out everyone deals with vcf files in a different way. Palm Desktop (win) will import such a file but trashes fields it doesn't understand (which means it's a one-way import). Updating entries, even keeping the same serial number, causes it to create a duplicate entry.
My T610 phone will happily email me a vcf file and cunningly even embed the photo associated with the contact. But it isn't so happy having vcf's pushed back to it (you have the same duplication issues and it ignores the pictures). Outlook will only import one vcf entry at a time and seems to trash fields it doesn't understand. I can make Outlook Express crash badly given a certain vCard 3.0 format vcf file. Time to go play with kdepim (although the version I had installed on Red Hat Linux 9 didn't cope with version 3 stuff), and we just issued a kdepim erratum yesterday due to vCard processing vulnerabilities. Hmmmm.. perhaps it's safer and quicker to just print out my contacts and stick the pages in my Franklin Covey planner.
I've just realised that I never finish anything that I do in my spare time. I tend to keep getting distracted by new and exciting projects so everything sits about 80% complete:
- Home automation via bluetooth: I wrote a Jabber bot which interfaced with my Ericsson phone and added an accessories menu letting me do things like set the heating, lighting, and so on. But it doesn't auto detect the phone coming into and out of the house, or pass on SMS messages, or do anything cunning with images.
- Put the TiVo in another room: I built a test circuit to pass composite video over CAT5 which works really well - the idea is to use it to distribute RGB from the TiVo (by having 4 such circuits) which means I can bung it out of the way.
- Java fun: I just bought a T610 phone and started playing with Java on it so I can do cunning things like view the cameras outside my house remotely from anywhere.
- GTK: A Jabber bot for the home automation system that pops up little animated transparent pictures of the people that call the house. It kind of works, but doing animation and changing the mask causes flickers.
Spare time over the last few weeks has been a bit limited what with the OpenSSH and Sendmail issues, and I guess I need to finish off my talk for ApacheCon.
A couple of months ago I was playing with bluetooth - it actually was pretty easy to add a new accessory menu and a Perl state engine to allow me to do cool things like dim the lights, get the temperatures and send short messages to the TV via TiVo. I kind of lost interest in it and so whilst it works perfectly it doesn't detect you arriving or leaving with the phone, and leaving bluetooth on all the time tends to drain the battery. A few folks asked me how I got bluetooth working with Red Hat Linux 9 (the answer is to cheat and use the bluez packages out of rawhide).
Our new bathroom finally got installed and I couldn't resist adding extra cables in the new ducts between rooms - so now behind a panel in the bathroom we have various cables and power. I quite fancy doing some network streamed audio in there and putting some marine speakers in the ceiling: low quality, but the noise of the whirlpool and extractor fan will drown out the imperfections anyway.