Having a #meltdown over #spectre

The world is at unrest. Google’s project zero rocked the boat by announcing #meltdown and #spectre as real world – https://googleprojectzero.blogspot.fr/2018/01/reading-privileged-memory-with-side.html

Two exploits were announced today that have the impact of a sledgehammer to the face. This is some serious shit.. no playing. This hardware level exploit allows for memory to be accessed by applications not supposed to have access to it. This is like me telling you what you have in the fridge by looking inside the washing machine. In comparable impact terms – this is the Chernobyl of computing. This is an exploit by design initiated some 20 years ago. An exploit that has now become the heart of CPU performance as we know it. Software applications now almost depend on the type of shared memory access that CPUs are supposed to provide securely.

The concept is well explained so I won’t bother trying to reiterate.. instead let’s focus on the Doom and Gloom side of things because, well, it’s more fun.

The danger of this exploit is that now a shitty advert embedded on a shitty website has the power to leak ALL of your stored passwords from within your browser. “How?!” you might ask.. well.. easy actually. Let me share this example:


Entering that master password should be visible to ONLY the application providing the interaction. In this case a browser is providing an obfuscated password input field to unlock the primary database of stored Username/Password combinations.. you know.. the details you use to access your email, online banking, social media, work intranet, shopping sites the lot. It’s all leakable.

For corporates this is potentially catastrophic. People like Amazon and Google are sweating as it potentially means that anyone using a virtual machine has access to dump the contents from the entirety of the physical memory within the host which would include all the memory accessed by other VMs on the same host. It’s serious.

So serious that Homeland Security state the fix is “replace CPU hardware..” – https://www.kb.cert.org/vuls/id/584653

Intel made the following statement.. trying to play it down as we know they would – https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
AMD are less affected but still required to take action – https://www.amd.com/en/corporate/speculative-execution

This could be the end of x86 architecture as we know it. Maybe we’ll see x87 as a replacement. Maybe we won’t. One thing is certain though.. this is the most serious hardware level exploit identified and it spans back to all Intel machines produced since 1995!!! 19 fucking 95! Millions of potentially exploitable, insecure machines in use everywhere. Planes, Trains and Automobiles are not exceptions. It’s come about as a direct result of attempting to squeeze as much performance out of a CPU as is possible. Enabling a CPU to make guesses regarding the future instructions it will receive effectively allows it to anticipate the request and action it before it’s requested.

Assertion/Assumption based predictions. Unfortunately – the means of gating memory ranges from each other has been felled. It’s now known how to do it. It’s spreading like wildfire and the first patch isn’t likely to be seen in the wild until 9/01/2017 – Microsoft Patch Tuesday (https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892). Linux is soon to follow, and MacOS has been covered since 10.3.2 (apparently).

I’m hoping this is actually a CIA backdoor that’s now been shut as opposed to a gaping security hole either ignored or covered over to provide performance at the lowest cost.

Whatever the reason – the outcome will be a new architecture. Let’s hope we’re all still online to see the news when it’s released 🙂

They’re trying all the doors and all the windows..

Originally – I wasn’t looking for evidence of abuse or brute force attempts to my web server but through analysis of log files – I’ve found some.

A lot in fact. 100K+ HITs per day to particular parts of my site, the majority of which is brute force.


I’ve noticed weirdness in firewall logs too which I’m beginning to trawl through and start closing off doors because of. Thank the lord for iptables and a decent policy.

I’m now in a state of closing ports, rebinding services to IPs and setting up rate-limiting to thwart repetition. Blocking will now occur and prevent hammering of pages. Next is to start black-holing IPs that persist.
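The log triage described above, as an added example that is not code from the original post: it counts hits per path, flags clients bursting against one path as rate-limit candidates, and clients that return on several days as blackhole candidates. The log lines are constructed in combined log format and the thresholds are assumptions to tune against your own baseline.

```python
"""Triage an access log as the post describes: which paths are hammered,
which clients burst, and which keep coming back day after day.
Added example, not from the original post. Log lines are constructed in
combined log format; the thresholds are assumptions to tune to your baseline."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample: 203.0.113.7 hammers the login page on two days,
# 198.51.100.9 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2016:23:58:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "-"
203.0.113.7 - - [11/Feb/2016:14:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "-"
203.0.113.7 - - [11/Feb/2016:14:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "-"
203.0.113.7 - - [11/Feb/2016:14:20:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [11/Feb/2016:14:21:10 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "-"
"""

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def triage(text, burst_threshold=3, persist_days=2):
    """Return the hottest paths plus rate-limit and blackhole candidate IPs."""
    path_hits, ip_path_hits, ip_days = Counter(), Counter(), defaultdict(set)
    for r in parse(text):
        path_hits[r["path"]] += 1
        ip_path_hits[(r["ip"], r["path"])] += 1
        ip_days[r["ip"]].add(r["day"])
    # Bursting on one path -> rate-limit; present on several days -> blackhole.
    rate_limit = sorted({ip for (ip, _), n in ip_path_hits.items() if n >= burst_threshold})
    blackhole = sorted(ip for ip, days in ip_days.items() if len(days) >= persist_days)
    return {"hot_paths": path_hits.most_common(3), "rate_limit": rate_limit, "blackhole": blackhole}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```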

Plex Media Server – ‘There was a problem playing this item’

I had this error displaying to me when attempting to play a few items from my library. The files I knew were OK as VLC playback via sshfs direct from the server was fine.

Read a few things about SSL connections, Subtitles, this, that and the other – but none were the cause of my issue.

Turns out it was disk space.

From ‘Plex Media Server.log’

{{{
Feb 09, 2016 10:55:41 [0x7fc28a3f9700] WARN – Low disk space: 5043020343 bytes source file, 18746441728 bytes capacity, 3664343040 bytes available on /var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Cache/Transcode/Sessions
Feb 09, 2016 10:55:41 [0x7fc28a3f9700] WARN – TranscodeSession: inadequate disk space for transcode
Feb 09, 2016 10:55:41 [0x7fc28a3f9700] ERROR – Failed to start session successfully.
}}}

Who’d have thought only having ~3.5GB free would be an issue!

Just thought I’d share.

Also posted @ https://forums.plex.tv/discussion/206281/there-was-a-problem-playing-this-item

Macbook Pro (OSX) Bluetooth Audio Skipping Issues

So this has been bugging me for a while.. MacbookPro 10,1.. 2.3GHz i7, 8GB DDR3 RAM and the fecking audio playback over Bluetooth skips! For a while I suspected the naff’ish bluetooth speaker I was using (Jam) but after upgrading to a BOSE SoundLink.. the issue remained. Seriously now.. what the fudge!

I’d poked around before with trying to fix this problem, but suggestions were stupid: “Turn off the WiFi, Move the speaker further away, Move the speaker closer”. All shit. It seemed to me like the audio agent on the Mac was being scheduled in a way that would introduce lag into the bluetooth stream. I’ve known of similar things before with radio.. delay a process too much and the packets fall out of sync and can’t be recovered, which results in transmission gaps. Effectively lag.

Bit of Googling and found a damn useful thread: https://apple.stackexchange.com/questions/167245/yosemite-bluetooth-audio-is-choppy-skips/179209#179209?newreg=4bc544772e98420999b564078c6d264d

I’d seen the commands to manipulate the BluetoothAudioAgent before but didn’t have much luck. The commands below though.. genuinely seem to have fixed my problems.

Firstly, see what your default values are:

defaults read com.apple.BluetoothAudioAgent

Might be prudent to make a note of any values displayed using the above command. Update the agent options by setting the values below;

defaults write com.apple.BluetoothAudioAgent "Apple Bitpool Max (editable)" 80
defaults write com.apple.BluetoothAudioAgent "Apple Bitpool Min (editable)" 80
defaults write com.apple.BluetoothAudioAgent "Apple Initial Bitpool (editable)" 80
defaults write com.apple.BluetoothAudioAgent "Apple Initial Bitpool Min (editable)" 80
defaults write com.apple.BluetoothAudioAgent "Negotiated Bitpool" 80
defaults write com.apple.BluetoothAudioAgent "Negotiated Bitpool Max" 80
defaults write com.apple.BluetoothAudioAgent "Negotiated Bitpool Min" 80

Effectively – these commands control how “friendly” OSX is with other Bluetooth devices. Clearly though, being friendly doesn’t provide good audio quality.

After setting these values, reboot. After reboot, issue is fixed. Have been listening now for 90 minutes from Apple Music, YouTube and SoundCloud without a single skip.

fandabidozi.

Streaming movies locally to AppleTV from Plex Media Server

I’ve been wanting to watch movies I have locally using my AppleTV. I use Plex Media Server to make the files available as streams. Plex Media Server is a service running on a CentOS Virtual Machine connected to the LAN. The VMware ESXi host runs a few VMs but I’ll not get into that.

Plex is great. Interface looks fantastic and the software does an amazing job of transcoding files, enabling streaming to every device I’ve tried. I’ve been using an app for iPhone called ‘iMediaShare’ to fire a DLNA stream at the XboxOne for playback on the TV. Works ok but then created a reliance on my phone in order to browse the media library. Not perfect, but not far off!

What I really wanted, was to push media to the AppleTV instead of the Xbox but without needing to navigate media using my phone. AppleTV wouldn’t work with iMediaShare at all so something new was needed.. to Google!

After three clicks, I found this: https://github.com/iBaa/PlexConnect/wiki/Install-Guide

Followed the steps. Downloaded, fired it up on the Plex server and voila! It works! Using the Trailers app I can now browse Plex and stream whatever is available 😀 Awesome!! 😀

I need this to start now every time the server boots. No point it working.. if it’s.. uhh.. not working 🙂

So.. to make a service you have to:

Create it:

sudo nano /etc/init.d/plexconnect

{{{
#!/bin/sh
# plexconnect: This shell script takes care of starting and stopping
# plexconnect.
# v1.0 – Nick Fennell @ tbfh.org
#
# chkconfig: 2345 65 35

# Source the SysV helper functions (daemon, killproc, status).
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
    # Start daemon.
    echo -n "Starting PlexConnect: "
    touch /var/lock/subsys/plexconnect
    # Adapt the line below. Needs to be the PlexConnect.py location.
    daemon /home/nickfennell/PlexConnect/PlexConnect.py
    echo
    ;;
  stop)
    # Stop daemon.
    echo -n "Shutting down PlexConnect: "
    killproc plexconnect
    echo
    rm -f /var/lock/subsys/plexconnect
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    status plexconnect
    ;;
  *)
    echo "Usage: plexconnect {start|stop|restart|status}"
    exit 1
esac
exit 0
}}}

 

Add it:

sudo chkconfig --add plexconnect

Enable it:

sudo chkconfig --levels 345 plexconnect on

Check it:

sudo chkconfig --list | grep plex

Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

If you want to list systemd services use ‘systemctl list-unit-files’.
To see services enabled on particular target use
‘systemctl list-dependencies [target]’.

plexconnect 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Start it:

sudo service plexconnect start

End.

Windows 2012 R2 – RRAS DHCPDISCOVER

Through deploying 2012 R2 into my home lab for testing I’ve recognised some “weirdness” with the RRAS requesting 10 DHCP leases when the service is started.

Seems this is normal – RRAS requests 10 IPs (Technet). Keeps the IP/Subnet info but drops everything else offered by the DHCP server such as options. This ensures that dial-in clients have an IP available immediately without needing to await a DHCP response. Clever I guess.. just looks messy on my active leases as they’re all mixed up with my normal network devices. Additionally – my ranges are being consumed by RRAS and creating a lease shortage for the rest of my network.

Now the obvious thing to do here, is increase the size of the range. I know. But that’s far too simple.. What I fancy doing instead.. is creating a new range, and having the RRAS addresses allocated from that. I can tag it within the IPAM tool as an RRAS DHCP Range and keep the addresses out of my main network pool.

To do this – I create a new range on my DHCP server (ISC DHCP) with an idea here of associating the DHCPDISCOVER messages coming from the 2012 R2 with this new range in order to keep the RRAS DHCP leases out of my primary range; preventing exhaustion, and making my IP allocation look prettier (it’s important that things look pretty….).

For it to work, I need to establish a way of identifying the request. Let’s take a look at a DHCPDISCOVER message:

{{{
192.168.10.80.68 > 255.255.255.255.67: [udp sum ok] BOOTP/DHCP, Request from 00:50:56:37:a3:b0, length 319, xid 0xd40c1b0d, Flags [Broadcast] (0x8000)
  Client-Ethernet-Address 00:50:56:37:a3:b0
  Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    CLASS Option 77, length 14: "RRAS.Microsoft"
    NOAUTO Option 116, length 1: Y
    Client-ID Option 61, length 17: ether 52:41:53:20:00:50:56:37:a3:b0:00:00:00:00:00:00
    Hostname Option 12, length 10: "MS-Serv001"
    Vendor-Class Option 60, length 8: "MSFT 5.0"
    Parameter-Request Option 55, length 13:
      Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
      Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
      Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Option 252
      Vendor-Option
    END Option 255, length 0
}}}

A few different options here. The ones of interest are picked out below.

Using these I could associate allocation of IPs to the:

MAC address of the sending interface (00:50:56:37:a3:b0)
IP address of the sending interface (192.168.10.80)
The Hostname of the requesting client (MS-Serv001)
The User Class specified by the requesting client (RRAS.Microsoft)

I should note: I did check the hostname option remained consistent across multiple messages, and although a totally viable option – I think I’ll go with the User Class option instead. It’s a nice specific value used to identify requests from the RRAS, and one that won’t be affected by changes to the 2012’s domain or network configuration.

Perfect.

 

Now, the DHCP Service will need to be reconfigured to prevent allocation to the RRAS from the primary pool (192.168.10.100-120), and instead allocate from the new range (192.168.10.81-99).

Matching the User Class is relatively straightforward once you know the option to use. In this case ‘user-class’. Once determined, choose a name and create the class within the dhcpd.conf as below;

{{{
class "Microsoft Routing and Remote Access" {
  match if option user-class = "RRAS.Microsoft";
}
}}}

The class name is now Microsoft Routing and Remote Access

Once the class has been created we can then adjust access to the pools using ACLs. The ACL denies clients matching the defined class from the main pool, causing them to fall through to the next pool in the config. On that pool the class is allowed, and addresses will be allocated as required.

{{{
pool {
  option domain-name-servers 192.168.10.251;
  option domain-search "home";
  option routers 192.168.10.254;
  option domain-name "lab";
  failover peer "failover-smart-dhcp1.lab";
  deny members of "Microsoft Routing and Remote Access";
  allow unknown clients;
  range 192.168.10.100 192.168.10.145;
}
pool {
  failover peer "failover-smart-dhcp1.lab";
  allow members of "Microsoft Routing and Remote Access";
  range 192.168.10.81 192.168.10.99;
}
}}}

Pretty straight forward.
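To see the matching in action end to end, here is an added example (not code from the post or from ISC dhcpd) that builds a DHCPDISCOVER with the options from the capture above, pulls the user class out of the raw options, and mirrors the deny/allow fall-through between the two pools. The MAC, hostname and ranges are the post’s; the packet bytes themselves are constructed.

```python
"""Parse a DHCPDISCOVER and apply the post's dhcpd class/pool logic to it.
Added example, not code from the original post or ISC dhcpd; the packet is
constructed to mirror the tcpdump capture above."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # "Magic Cookie 0x63825363" in the capture

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value}. BOOTP header is 236 bytes, then the
    4-byte cookie, then code/length/value triples ended by END (255)."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:
        if packet[i] == 0:            # PAD option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def user_class(opts: dict) -> str:
    # Windows sends option 77 as a bare ASCII string ("RRAS.Microsoft"), which
    # is what dhcpd's `match if option user-class = "..."` compares against.
    return opts.get(77, b"").decode("ascii", "replace")

def choose_pool(opts: dict) -> str:
    """Main pool denies the RRAS class, so RRAS falls through to the second."""
    if user_class(opts) == "RRAS.Microsoft":
        return "192.168.10.81 192.168.10.99"     # allow members of the RRAS class
    return "192.168.10.100 192.168.10.145"       # allow unknown clients

def tlv(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

def build_discover(mac: bytes, hostname: str, uclass: str = "") -> bytes:
    """Constructed DHCPDISCOVER carrying the options seen in the capture."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0xd40c1b0d,
                         0, 0x8000, b"", b"", b"", b"", mac, b"", b"")
    opts = tlv(53, b"\x01")                                  # DHCP-Message: Discover
    if uclass:
        opts += tlv(77, uclass.encode())                     # CLASS (user class)
    opts += tlv(61, b"\x01RAS " + mac + b"\0" * 6)           # Client-ID: "RAS " + MAC, padded to 17
    opts += tlv(12, hostname.encode()) + tlv(60, b"MSFT 5.0")
    return header + MAGIC_COOKIE + opts + b"\xff"

RRAS_DISCOVER = build_discover(bytes.fromhex("00505637a3b0"), "MS-Serv001", "RRAS.Microsoft")
```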

Restart the service and go. You should check the config first but I’m a maverick.. Live life on the edge..

Anyhow.. Looking at the GUI of my DHCP server – it seems the config works well.

My primary scope (192.168.10.100-192.168.10.120) is no longer filled with leases from MS-Serv001! Happy days!!