Sam naprawiam lampę insektobójczą Blaupunkt BP-GIK04

Kupiłem lampę insektobójczą Blaupunkt BP-GIK04. I to był błąd. LED INSECT KILLER BP-GIK04 z LED łączy tylko nazwa. Urządzenie wyposażone jest w świetlówkę kompaktową UV. Wyprodukowane zostało w PRC z kilku kawałków tworzywa sztucznego oraz kliku niezbyt solidnie połączonych kabelków. Niestety nie działało. Za pierwszym razem, w dostarczonym urządzeniu działał tylko wentylator. Zostało ono wymienione przez sprzedawcę na kolejne, równie niedziałające urządzenie. W drugim egzemplarzu nie działała ani świetlówka, ani wentylator.

Continue reading “Sam naprawiam lampę insektobójczą Blaupunkt BP-GIK04”

diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization leading to information disclosure and DoS attacks

diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization leading to device enumeration on LAN interface and DoS attacks against both device and network.

CWE-862: Missing Authorization weakness in diag_tool.cgi allows remote attacker to spawn ping (and traceroute) processes on affected devices without authorization. Moreover similar bug in diag_get_result.cgi allows attacker to retrieve command output. Arbitrary command injection using ; or ` (back ticks) does not seems to work (which make this different than CVE-2018-10561 and CVE-2018-17869).

This vulnerability was assigned CVE-2019-9974.

Continue reading “diag_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 allows spawning ping processes without any authorization leading to information disclosure and DoS attacks”

Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 saves post data, including credentials, to /tmp/boa-temp

Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 (and possibly other) saves post data, including credentials, to /tmp/boa-temp. Moreover this file is not sanitized after request has been processed, which allow retrieval of login credential possible until another POST request is made.

This vulnerability was assigned CVE-2019-9976.

Continue reading “Boa Webserver on DASAN H660RM devices with firmware 1.03-0022 saves post data, including credentials, to /tmp/boa-temp”

syslog_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 uses a hard-coded key for logs encryption

DASAN H660RM devices with firmware 1.03-0022 (and possibly other) uses a hard-coded key “dasanektks123” for logs encryption. Data stored using this key can be decrypted by anyone able to access this key.

This vulnerability was assigned CVE-2019-9975.

Continue reading “syslog_tool.cgi on DASAN H660RM devices with firmware 1.03-0022 uses a hard-coded key for logs encryption”

ESE Key Daemon 1.2.7 released

New version of ESE Key Daemon was released today.

New features include the ability to handle multiple key combinations and distinguish between key presses and releases. A problem with the handling of the last line in a configuration file when there is no newline on the last line is gone. Numeric keys are now also allowed in the configuration file.

Download: esekeyd-1.2.7.tar.gz (.asc)

MD5: 5937ad6d7815dbc6ab6983411a9f37d4
SHA1: 07671be42b61973a3270aaf1b41c3467568ae7ac

nCipher HSM with OpenSSL

I just finished playing with some nCipher’s HSM. Unfortunately there is no integration guide for OpenSSL that cover CHIL interface and nCipher hardware security modules.

nCipher’s installation guide is quite good, but after you finish installing hardware, drivers and daemons, you are on your own.

I found only two helpful sources: Andrea Campi’s blog entry about nCipher NetHSM and OpenSSL and Marek Marcola’s post on openssl-users mailing list.

Both guides ends on key generation and self-signed certificates. Its enough to get CHIL enabled application to work with nCipher’s HSM, but will not help you to convert any existing OpenSSL (not an CHIL-aware) application to use HSM.

Continue reading “nCipher HSM with OpenSSL”

Szwajcarski nóż^Wpendrive oficerski

Szwajcarskie noże oficerskie słyną ze swej funkcjonalności. Odkąd zaczęto produkować wersje z wbudowaną pamięcią flash na USB zastanawiałem się, jak zapewnić oprogramowaniu zainstalowanemu na przenośnej pamięci równie dużą funkcjonalność.

Continue reading “Szwajcarski nóż^Wpendrive oficerski”

Optimizing GNOME for Netbooks

GNOME can be easily optimized for Netbooks using configuration editor. Disabling animations, thumbnails and splash screen speeds up GNOME while scaling down icons saves space on desktop.

Metacity will give the user less feedback by using wireframes, avoiding animations, or other means if /apps/metacity/general/reduced_resources is set to true. This can be set with gconf-editor or from shell with gconftool:

gconftool-2 -s /apps/metacity/general/reduced_resources -t bool true

Continue reading “Optimizing GNOME for Netbooks”