Posts

Showing posts from 2021

Geeking Out on IBM i - Part 2

(This is part 2 of a three-part series. To view part 1, click here.)
Network Configuration
This part in the three-part "Geeking Out on IBM i" series focused on network configuration. This series is an effort to make IBM i (AS/400) lingo and concepts easily accessible to the hacker community, hoping to reduce the barrier of entry for security research. Configuring the IBM i Network Interfaces was an interesting challenge for me, a primarily Linux/Unix person. When we finally got time to work on this project, Michigan was just heading into COVID19 lockdown, and remote-access to the machine was becoming urgent. That made all of this a little more stressful. I found a couple different “configuring TCP/IP on IBM i” articles on the Internet. As usual, they were written for other versions of the OS, probably naming the system “AS/400” or “iSeries.” This created some anxiety for this newly-minted IBM i geek. I guess I have seen the exact same thing on all the different versio

Mama Always Told Me Not to Trust Strangers without Certificates

Introduction
This blog post details a vulnerability, the exploitation of which results in Remote Code Execution (RCE) as root, that impacts many modern Netgear Small Offices/Home Offices (SOHO) devices. The vulnerability isn’t your typical router vulnerability, in that the source of the vulnerability is located within a third-party component included in the firmware of many Netgear devices. This code is part of Circle, which adds parental control features to these devices. However, since this code is run as root on the affected routers, exploiting it to obtain RCE is just as damaging as an RCE vulnerability found in the core Netgear firmware. This particular vulnerability once again demonstrates the importance of attack surface reduction. The Circle update daemon that contains the vulnerability is enabled to run by default, even if you haven’t configured your router to use the parental control features. While it doesn’t fix the underlying issue, simply disabling the vulnerable code w

Geeking Out On IBM i - Part 1

I remember the first time I tried to work on Linux. Having spent most of my computer-time on DOS, Windows, and OS/2, many things on Linux were foreign to me. I had Unix access in college and had to develop programs in C using VI and GCC, but it was often the little things like having to unmount a floppy disk or CD before being able to remove it that confused me. IBM i has been an even greater leap for my brain still. On Linux, you have a bootloader which loads a kernel, which runs /sbin/init, which starts up everything else. On Linux, you can substitute /bin/bash in place of /sbin/init to start an interactive shell as the main process of the operating system. On Linux, you have a filesystem which starts with '/' and descends like an upside-down tree with tree-branches to create complex filesystems. On Linux, configurations are split between files (textual and binary) in both the /etc directory and some files/directories in your home directory (likely in the '.con

Old dog, same tricks

Introduction
Old dog, old tricks
When enterprise software gets old, should we consider it tried-and-true, or decrepit and a threat, like the superglue holding the soles of my running shoes together? Old software that’s been humming around in the background hasn’t necessarily broken, but that doesn’t mean that you can necessarily trust it; in fact there should be a healthy skepticism when it comes to the security of old software, as not only do new vulnerabilities get discovered, but the capability of attackers grows as the bar rises higher in the game of cat-and-mouse. This should drive us to periodically review software that maybe we’ve been trusting, and today’s example is some software that has been around for a long time but has a landmine of a vulnerability. Beagle Software’s ClockWatch product line includes a number of solutions for setting clocks on machines and synchronizing them with high-accuracy time sources such as Global Positioning System (GPS), including an enterprise