Archive for the ‘security’ Category

BlueOS 1.16.2

Saturday, May 9th, 2015

Downloaded. Installed. And gained access to the root prompt. All in 5 minutes. I really should do something about the perl decryption though.

And to the ones mailing me about my BlueOS root access backdoor. Well, I will not inform how I do it, because then it will be closed in matter of minutes with a new maintenance release from Bluesound :-). That said, injecting a new password hash into the recovery iso, while not for scriptkiddies, are not that much trouble and should take an educated fellow less than a couple of hours work.

Geek review of Bluesound Node

Monday, December 30th, 2013

I recently reviewed the Bluesound Node from a end user perspective. It rocks the house, so to speak.

The geek in me would not and could not let that be the end of it. How is it built? What makes it tick? Stuff like that.

A quick nmap of the box yields

edison% nmap 192.168.1.119

Starting Nmap 5.00 ( http://nmap.org ) at 2013-12-30 19:37 CET
Interesting ports on 192.168.1.119:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.71 seconds

The webserver serves some very minimal pages. Most interessting are the diagnostics pages. The advanced tab, actually serves the output of dmesg and /var/log/messages, so obviously linux inside.

A lot could be deduced from the output of dmesg alone, but being a geek I wanted to know everything.  A quick test with root/root and whats not yielded nothing using ssh. Actually the user/user combo works wrt. authorization, but fails due to the fact that /home/user does not exists.

On the back of the node there are a mini usb for support. Obviously that is a console port. I tried to play around with that a bit, but no obvious way in, except knowing the root password.

I then used a couple of hours of my life and figured out how to gain access without knowing the root password. The details will be kept off the net. You have to figure it out yourself.

But in the end

root@Stue ~$ uname -a
Linux Stue 2.6.35.3-998-ga1cd8a7 #117 PREEMPT Tue Dec 3 16:51:52 EST 2013 armv7l GNU/Linux
root@Stue ~$ cat /proc/cpuinfo
Processor       : ARMv7 Processor rev 5 (v7l)
BogoMIPS        : 799.53
Features        : swp half thumb fastmult vfp edsp neon vfpv3
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x2
CPU part        : 0xc08
CPU revision    : 5

Hardware        : NAD SOVI Board
Revision        : 51030
Serial          : 0000000000000000
root@Stue ~$ cat /proc/meminfo  | head -10
MemTotal:         254980 kB
MemFree:           83216 kB
Buffers:            7856 kB
Cached:            76932 kB
SwapCached:            0 kB
Active:            99812 kB
Inactive:          60908 kB
Active(anon):      75948 kB
Inactive(anon):      312 kB
Active(file):      23864 kB

[    0.000000] Linux version 2.6.35.3-998-ga1cd8a7 (kg@ubuntu) (gcc version 4.4.4 (4.4.4_09.06.2010) ) #117 PREEMPT Tue Dec 3 16:51:52 EST 2013
[    0.000000] CPU: ARMv7 Processor [412fc085] revision 5 (ARMv7), cr=10c53c7f
[    0.000000] CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
[    0.000000] Machine: NAD SOVI Board
[    0.000000] Memory policy: ECC disabled, Data cache writeback
[    0.000000] On node 0 totalpages: 65536
[    0.000000] free_area_init_node: node 0, pgdat 804c0634, node_mem_map 804eb000
[    0.000000]   DMA zone: 192 pages used for memmap
[    0.000000]   DMA zone: 0 pages reserved
[    0.000000]   DMA zone: 24384 pages, LIFO batch:3
[    0.000000]   Normal zone: 320 pages used for memmap
[    0.000000]   Normal zone: 40640 pages, LIFO batch:7
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 65024
[    0.000000] Kernel command line: console=ttymxc0,115200 root=/dev/mmcblk0p2 rootwait ro rootfstype=ext4
[    0.000000] PID hash table entries: 1024 (order: 0, 4096 bytes)
[    0.000000] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[    0.000000] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Memory: 256MB = 256MB total
[    0.000000] Memory: 254868k/254868k available, 7276k reserved, 0K highmem
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 – 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xfff00000 – 0xfffe0000   ( 896 kB)
[    0.000000]     DMA     : 0xf9e00000 – 0xffe00000   (  96 MB)
[    0.000000]     vmalloc : 0x90800000 – 0xf4000000   (1592 MB)
[    0.000000]     lowmem  : 0x80000000 – 0x90000000   ( 256 MB)
[    0.000000]     modules : 0x7f000000 – 0x80000000   (  16 MB)
[    0.000000]       .init : 0x80008000 – 0x80024000   ( 112 kB)
[    0.000000]       .text : 0x80024000 – 0x8046a000   (4376 kB)
[    0.000000]       .data : 0x80484000 – 0x804c1040   ( 245 kB)
[    0.000000] SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] Hierarchical RCU implementation.
[    0.000000]  RCU-based detection of stalled CPUs is disabled.
[    0.000000]  Verbose stalled-CPUs detection is disabled.
[    0.000000] NR_IRQS:272
[    0.000000] MXC GPIO hardware
[    0.000000] MXC IRQ initialized
[    0.000000] MXC_Early serial console at MMIO 0x73fbc000 (options ‘115200’)
[    0.000000] bootconsole [ttymxc0] enabled
[    0.000000] Console: colour dummy device 80×30
[    0.475328] Calibrating delay loop… 799.53 BogoMIPS (lpj=3997696)
[    0.703896] pid_max: default: 32768 minimum: 301
[    0.707706] Security Framework initialized
[    0.711075] Mount-cache hash table entries: 512
[    0.715116] CPU: Testing write buffer coherency: ok
[    0.722633] regulator: core version 0.5
[    0.726039] NET: Registered protocol family 16
[    0.729770] i.MX IRAM pool: 128 KB@0x90840000
[    0.733448] IRAM READY
[    0.737156] CPU is i.MX51 Revision 3.0
[    0.780569] Using SDMA I.API
[    0.783084] MXC DMA API initialized
[    0.786395] IMX usb wakeup probe
[    0.789124] the wakeup pdata is 0x80490eb8
[    0.789147] IMX usb wakeup probe
[    0.791858] the wakeup pdata is 0x80490f6c
[    0.801784] bio: create slab <bio-0> at 0
[    0.806432] SCSI subsystem initialized
[    0.810273] CSPI: mxc_spi-0 probed
[    0.813554] Freescale USB OTG Driver loaded, $Revision: 1.55 $
[    0.928925] usbcore: registered new interface driver usbfs
[    0.933645] usbcore: registered new interface driver hub
[    0.938140] usbcore: registered new device driver usb
[    0.944076] Advanced Linux Sound Architecture Driver Version 1.0.23.
[    0.949939] mc13892 Rev 2.4 FinVer 2 detected
[    0.953900] Initializing regulators for NAD SOVI.
[    0.958842] regulator: SW1: 600 <–> 1375 mV at 1050 mV
[    0.963928] regulator: SW2: 900 <–> 1850 mV at 1225 mV
[    0.968760] regulator: SW3: 1100 <–> 1850 mV at 1200 mV
[    0.973686] regulator: SW4: 1100 <–> 1850 mV at 1800 mV
[    0.978440] regulator: SWBST:
[    0.981374] regulator: VIOHI:
[    0.984427] regulator: VPLL: 1050 <–> 1800 mV at 1800 mV
[    0.989364] regulator: VDIG: 1650 mV
[    0.992759] regulator: VSD: 1800 <–> 3150 mV at 3150 mV
[    0.997744] regulator: VUSB2: 2400 <–> 2775 mV at 2600 mV
[    1.002851] regulator: VVIDEO: 2775 mV
[    1.006396] regulator: VAUDIO: 2300 <–> 3000 mV at 3000 mV
[    1.011495] regulator: VCAM: 2500 <–> 3000 mV at 2600 mV fast normal
[    1.017172] regulator: VGEN1: 1200 mV
[    1.020756] regulator: VGEN2: 1200 <–> 3150 mV at 3150 mV
[    1.025887] regulator: VGEN3: 1800 <–> 2900 mV at 1800 mV
[    1.030904] regulator: VUSB:
[    1.033666] regulator: GPO1:
[    1.036497] regulator: GPO2:
[    1.039256] regulator: GPO3:
[    1.042029] regulator: GPO4:
[    1.045666] Device spi1.0 probed
[    1.048528] Switching to clocksource mxc_timer1
[    1.053749] NET: Registered protocol family 2
[    1.057403] IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
[    1.063405] TCP established hash table entries: 8192 (order: 4, 65536 bytes)
[    1.069284] TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
[    1.074643] TCP: Hash tables configured (established 8192 bind 8192)
[    1.079822] TCP reno registered
[    1.082401] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    1.087167] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    1.092389] NET: Registered protocol family 1
[    1.096156] RPC: Registered udp transport module.
[    1.099992] RPC: Registered tcp transport module.
[    1.103922] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    1.109898] LPMode driver module loaded
[    1.113096] Static Power Management for Freescale i.MX5
[    1.117591] PM driver module loaded
[    1.120606] sdram autogating driver module loaded
[    1.124745] Bus freq driver module loaded
[    1.128048] mxc_dvfs_core_probe
[    1.130828] DVFS driver module loaded
[    1.133869] i.MXC CPU frequency driver
[    1.137356] DVFS PER driver module loaded
[    1.155861] Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
[    1.162207] Slow work thread pool: Starting up
[    1.166497] Slow work thread pool: Ready
[    1.169698] NTFS driver 2.1.29 [Flags: R/O].
[    1.173852] fuse init (API version 7.14)
[    1.177767] msgmni has been set to 497
[    1.183015] alg: No test for stdrng (krng)
[    1.186600] cryptodev: driver loaded.
[    1.189620] io scheduler noop registered
[    1.192902] io scheduler deadline registered
[    1.196489] io scheduler cfq registered (default)
[    1.439983] Serial: MXC Internal UART driver
[    1.443824] mxcintuart.0: ttymxc0 at MMIO 0x73fbc000 (irq = 31) is a Freescale i.MX
[    1.450099] console [ttymxc0] enabled, bootconsole disabled
[    1.462182] mxcintuart.1: ttymxc1 at MMIO 0x73fc0000 (irq = 32) is a Freescale i.MX
[    1.470812] mxcintuart.2: ttymxc2 at MMIO 0x7000c000 (irq = 33) is a Freescale i.MX
[    1.483203] loop: module loaded
[    1.486775] FEC Ethernet Driver
[    1.493082] fec_enet_mii_bus: probed
[    1.497306] ehci_hcd: USB 2.0 ‘Enhanced’ Host Controller (EHCI) Driver
[    1.504066] fsl-ehci fsl-ehci.0: Freescale On-Chip EHCI Host Controller
[    1.510711] fsl-ehci fsl-ehci.0: new USB bus registered, assigned bus number 1
[    1.542280] fsl-ehci fsl-ehci.0: irq 18, io base 0x73f80000
[    1.562251] fsl-ehci fsl-ehci.0: USB 2.0 started, EHCI 1.00
[    1.568937] hub 1-0:1.0: USB hub found
[    1.572760] hub 1-0:1.0: 1 port detected
[    1.792258] fsl-ehci fsl-ehci.1: Freescale On-Chip EHCI Host Controller
[    1.798907] fsl-ehci fsl-ehci.1: new USB bus registered, assigned bus number 2
[    1.832279] fsl-ehci fsl-ehci.1: irq 14, io base 0x73f80200
[    1.852257] fsl-ehci fsl-ehci.1: USB 2.0 started, EHCI 1.00
[    1.858786] hub 2-0:1.0: USB hub found
[    1.862596] hub 2-0:1.0: 1 port detected
[    1.867015] Initializing USB Mass Storage driver…
[    1.872131] usbcore: registered new interface driver usb-storage
[    1.878187] USB Mass Storage support registered.
[    1.882826] ARC USBOTG Device Controller driver (1 August 2005)
[    1.889550] input: gpio-keys as /devices/platform/gpio-keys/input/input0
[    1.897518] pmic rtc probe start
[    1.901432] pmic_rtc mc13892_rtc.1: rtc core: registered mc13892_rtc as rtc0
[    1.908562] pmic rtc probe succeed
[    1.912319] IR NEC protocol handler initialized
[    1.916856] IR RC5(x) protocol handler initialized
[    1.921650] IR RC6 protocol handler initialized
[    1.926214] IR JVC protocol handler initialized
[    1.930748] IR Sony protocol handler initialized
[    1.935382] MXC WatchDog Driver 2.0
[    1.939394] MXC Watchdog # 0 Timer: initial timeout 60 sec
[    1.946510] mxsdhci: MXC Secure Digital Host Controller Interface driver
[    1.953319] mxsdhci: MXC SDHCI Controller Driver.
[    1.958952] mmc0: SDHCI detect irq 128 irq 1 INTERNAL DMA
[    1.964444] mxsdhci: MXC SDHCI Controller Driver.
[    1.969706] mmc1: SDHCI detect irq 0 irq 2 INTERNAL DMA
[    1.975389] Registered led device: status_blue_a
[    1.975565] Registered led device: status_blue_b
[    1.975737] Registered led device: status_green
[    1.975909] Registered led device: status_red
[    1.977248] Cirrus Logic CS4350 ALSA SoC DAC Driver
[    2.013004] cs4350_spi spi1.2: found a CS4350 at REV C2
[    2.028561] No device for DAI imx-ssi-1-0
[    2.032611] No device for DAI imx-ssi-1-1
[    2.036660] No device for DAI imx-ssi-2-0
[    2.040675] No device for DAI imx-ssi-2-1
[    2.044735] No device for DAI imx-ssi-3-0
[    2.048751] No device for DAI imx-ssi-3-1
[    2.053946] in imx_sovi_asoc_init
[    2.057321] in imx_sovi_cs4350_probe
[    2.072494] capture=0 ext_ram=0 UseIram=0
[    2.077896] DMA Sound Buffers Allocated:UseIram=0 buf->addr=9f300000 buf->area=f9e0a000 size=524288
[    2.086991] asoc: cs4350 <-> imx-ssi-2-0 mapping ok
[    2.091916] Failed to add route AOUT1L->Line Out Jack
[    2.101133] ALSA device list:
[    2.104163]   #0: imx-sovi (CS4350)
[    2.108207] TCP cubic registered
[    2.111463] NET: Registered protocol family 17
[    2.116030] VFP support v0.3: implementor 41 architecture 3 part 30 variant c rev 2
[    2.157905] regulator_init_complete: disabling VCAM
[    2.163022] regulator_init_complete: disabling VAUDIO
[    2.169251] regulator_init_complete: disabling VSD
[    2.174254] regulator_init_complete: disabling VDIG
[    2.179556] pmic_rtc mc13892_rtc.1: setting system clock to 2013-12-30 18:50:38 UTC (1388429438)
[    2.188605] Waiting for root device /dev/mmcblk0p2…
[    2.291639] mmc0: new high speed SDHC card at address aaaa
[    2.297558] mmcblk0: mmc0:aaaa SU04G 3.69 GiB
[    2.302174]  mmcblk0: p1 p2 p3
[    2.427492] mmc1: new SDIO card at address 0001
[    2.437448] EXT4-fs (mmcblk0p2): mounted filesystem with ordered data mode. Opts: (null)
[    2.445667] VFS: Mounted root (ext4 filesystem) readonly on device 179:2.
[    2.452531] Freeing init memory: 112K
[    2.572303] USB Host suspend begins
[    2.572327] will suspend roothub and its children
[    2.572361] ehci_fsl_bus_suspend, DR
[    2.572777] host suspend ends
[    2.868618] EXT4-fs (mmcblk0p3): warning: maximal mount count reached, running e2fsck is recommended
[    2.880309] EXT4-fs (mmcblk0p3): recovery complete
[    2.886462] EXT4-fs (mmcblk0p3): mounted filesystem with ordered data mode. Opts: commit=30
[    4.542400] ehci_fsl_bus_suspend, Host 1
[    6.560837] mxc_spdif mxc_spdif.0: MXC SPDIF Audio Transmitter
[    6.569232] No device for codec mxc spdif
[    6.573331] No device for DAI mxc spdif
[    6.584224] No device for DAI imx-spdif-dai
[    6.600331] capture=0 ext_ram=0 UseIram=0
[    6.617000] DMA Sound Buffers Allocated:UseIram=0 buf->addr=9f500000 buf->area=f9e8f000 size=524288
[    6.626175] asoc: mxc spdif <-> imx-spdif-dai mapping ok
[    6.770533] eth0: Freescale FEC PHY driver [Generic PHY] (mii_bus:phy_addr=0:00, irq=-1)
[    6.961939] Compat-drivers backport release: compat-drivers-v3.8-1

So it is a NAD SOVI board using an i.mx51 freescale arm processor. With 256MB memory. The sound are produced by an Cirrus Logic CS4350 chip. The system runs a 2.6.35 kernel off a NAND flash chip in a very trimmed down setup based around busybox and the selected custom applications needed to make a media player. The system utilizes the very well known and awsome u-boot boot loader.

Without voiding guarantee by opening up the box, I can not get more specific information than that.

What amazes me the most about this setup, is that the system outputs very good sound quality, is very very stable, has fast boot times and yet does not consume very much memory. This is a lean, mean, music machine. It has one purpose in life and are trimmed down to fulfill that purpose and only that purpose.

That being said, I can see that the platform is built to support more extensive media streamers. Mine is just the low cost one. I also speculate that the NAD SOVI board has GPIO pins needed to fit into products with way more features.

Gaining access to the OS will allow me to tweak the setup a bit more to my need being both a programmer and a Linux sysadm. I have no desire to alter the OS and/or hardware, but I can envision the need for using the USB port to control an amplifier or integrate the NODE with other equipment over IP. Small tweaks. But again. Out of the box this is a wonderful product that I will recommend to friends and family.

 

About errors setting up SASL/StartTLS in Postfix under Ubuntu

Sunday, August 29th, 2010

In the process of setting up SASL and StartTLS under Postfix, I got this in the log:

“warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory”

It took me some minutes to figure out what was wrong. Obviously it has to do with postfix not being able to connect to the saslauthd server. The question is just, why? I went with a hunch of permissions … and wasted some time, so if you get the error, here is what solved it for me. In

/etc/default/saslauthd

You have to remove the default line and let saslauthd create its file under the postfix dirstructure. That is

> OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd
< OPTIONS="-c -m /var/run/saslauthd"

And then

/etc/init.d/postfix restart

Not rocket science, but I chased a wild goose looking at permissions for 15 minutes before figuring out what was wrong.

Firewall in an ZynOS based xDSL router (ie. zyxel P660R-D1)

Tuesday, April 13th, 2010

I recently got xDSL from one of the major danish ISPs. I was very satisfied until I discovered that port 80 was closed. I looked high and low for a solution. Eventually I gave up and contacted the support, which confirmed my suspicion: the router had an firewall which blocked port 80.

The solution is actually quite straight forward:

wan node index 1
wan node filter incoming tcpip 256 256 256 256
wan node filter outgoing tcpip 256 256 256 256
wan node save

And now my blog is accessible for the outside world again.

Upgrade of wordpress engine

Sunday, June 1st, 2008

Due to some script-kiddie hacking my aging wordpress (2.0.4) installation I decided to upgrade wordpress on zensonic.dk. At the same time I also hardneded the security a bit. Luckily the intruder only gained access to the apache user resulting in him/her being able to do very very little. He managed to send a couple of spam mails though. I have to live the rest of my life knowing that I probably helped a stupid person fool an even more stupid person by selling him some viagra pills. I think I will manage the burden.