A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable.

Plus a great batch of your feedback, a rocking round up & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

wget vulnerability exposes more flaws in commonly used tools

• wget is a command line downloading client from the GNU project, often found on linux and unix servers, and even available for windows
• It was originally designed for mirroring websites, it has a ‘recursive’ mode where it will download an entire website (by crawling links) or an entire FTP site (or subdirectory) by traversing the directory tree
• It is this mode that is the subject of the vulnerability
• Versions of wget before the patched 1.16 are vulnerable to CVE-2014-4877, a symlink attack when recursively downloading (or mirroring) an FTP site
• A malicious FTP site can change its ‘LIST’ response (the directory listing command in the FTP protocol) to indicate the same file twice, first as a symbolic link, then the second time as a directory. This is not possible on a real FTP server, since the file system can not have 2 objects with the same name
• This vulnerability allows the operator of the malicious FTP site you are downloading from, to cause wget to create arbitrary files, directories and symlinks on your system
• The creation of new symlinks allows files to be overwritten
• An attacker could use this to overwrite or create an additional bash profile, or ssh authorized_keys file, causing arbitrary commands to be executed when the user logs in
• So an attacker could upload malware or an exploit of some kind, then cause the user to run it unintentionally the next time they start a shell
• “If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line “retr-symlinks=on” to either /etc/wgetrc or ~/.wgetrc”
• Note: wget is often mislabeled as a ‘hacker’ tool because it has been used to bulk-download files from websites. Most times it is merely used an an HTTP client to download a file from a url
• Redhat Bug Tracker
• Some have proposed calling this bug “wgetmeafreeshell” or “wtfget” or “wgetbleed”, thankfully, we were spared such theatrics
• HD Moore Tweets
• HD Moore Blog Post
• Metasploit Module

Drupal flaw from 2 weeks ago, if you have not patched, assume your site is compromised

• Drupal 7 included a new database abstraction API specifically designed to help prevent SQL injection attacks
• It turns out to be vulnerable, a specially crafted request results in the execution of arbitrary SQL commands
• “Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks”
• All users running Drupal core 7.x versions prior to 7.32 need to upgrade
• Drupal Security Advisory
• One line patch — It seems the code assumed $data would always be a simple array, and if it was an associative array (had named keys instead of integers) it would have unintended affects
• Additional Coverage: Threat Post
• It was announced today that a wide spread automated attack has been detected against unpatched Drupal instances
• Because of the nature of the vulnerability, a valid user account is not required to exploit the vulnerability, and no traces are left behind when a site is compromised
• “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” says a statement released by the Drupal maintainers on Wednesday
• Drupal Public Sevice Announcement
• Additional Coverage: Thread Post
• It is entirely possible that attackers could have dumped the contents of databases in Drupal, it is probably best to reset all passwords

NAT-PMP flaw puts 1.2 million home routers at risk

• NAT-PMP is a UDP protocol designed in 2005 and standardized in 2013 RFC6886 to replace part of uPNP with a more simple implementation
• It allows hosts on the internal network to request ‘please open tcp (or udp) port XXXX on the internet interface and forward that traffic to me’, and ‘what is our internet facing IP’
• This allows hosts to accept incoming connections (like game servers, skype calls, etc) without having to manually create a ‘port forwarding’ rule
• However, it seems some implementation are configured incorrectly, and accept requests from both the internal (expected) and external (very bad!) interface
• The NAT-PMP protocol uses the source IP address of the request to create the mapping, to help prevent abuse (so host A on the LAN cannot open up ports on host B, exposing it to the internet), however, because it is UDP, the source address can be spoofed
• Researcher Post
• Of the 1.2 million internet exposed devices Project Sonar found to be in some way vulnerable:
• 2.5% are vulnerable to ‘interception of internal NAT traffic’, specifically, an attacker can create a mapping to forward attempts to connect to the router itself, to an external address, allowing the attacker to take over DNS and other services, as well as the administrative interface of the NAT device
• 86% are vulnerable to ‘interception of external traffic’, allows the attacker to create a mapping on the external interface, for example, since more routers have the HTTP server disabled on the external interface for security reasons, an attacker could use your router to ‘reflect’ their website. Allowing them to keep the true address of their site secret, by directing traffic to your router, which would then reflect it to their address.
• 88% are vulnerable to ‘Access to Internal NAT Client Services’, because NAT-PMP is over UDP, it is often times possible to send a spoofed packet, with a fake from address. This allows an attacker to basically create port-forwarding rules from outside, gaining access to machines behind the router, that are normally not exposed to the Internet.
• 88% are vulnerable to a Denial of Service attack, by creating a mapping to the NAT-PMP service, the device will forward all real NAT-PMP requests off to some other host, basically breaking the NAT-PMP feature on the device
• 100% of the 1.2 million devices were vulnerable to ‘Information Disclosure’, where they exposed more data about the NAT-PMP device than they should have
• Also found during the SONAR scan: “7,400 devices responses were from a single ISP in Israel that responds to unwarranted UDP requests of any sort with HTTP responses from nginx. Yes, HTTP over UDP”
• Because of the nature of project SONAR and the wide spread of the vulnerability, it is not possible to tell which brands or models of device are vulnerable. It may be easier for users to test known routers with the metasploit module, and attempt to create a database

Feedback:

• Why I switched from Puppet to Saltstack

• Salt vs ansible vs puppet

• Possible to Spoof a Source IP Across the Internet

• Solution for SMTP from home lab

• Network throughput/bandwidth Issues.

• Woes with tar

Round Up:

• FBI cut hotel Internet access, sent agents to “fix” it without warrants
• Interview with the developers of the Gopher protocol
• Brazil Is Keeping Its Promise to Avoid the U.S. Internet
• Botnet uses gmail drafts as a “dead drop” for command and control
• Lawyer doesn’t know what Java is, thinks Bill Gates is trying to get out of a question.
• Don’t run the gnu ‘strings’ command on untrusted files
• SQL Injection attack against speed cameras in France
• Paul Vixie: “Abuse of CPE Devices and Recommended Fixes”
• Whitehouse unclassfied network breached by attackers
• Twitter possibly vulnerable to command injection via new ‘card’ URLs
• Researchers publish report investigating the bitcoin theft from CryptoRush.in
• Security is hard
• Computer hardware identification chart

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.

Our guide to moving your Plex, btsync, SmokePing, and others to a new Linux server. And our take on how the Intel NUC performs as a home server with heavy Plex usage.

Plus the big features coming to a distro near you & has Netflix coming to Linux shown us how Linux users are now “all-in with DRM”? We debate.

Thanks to:

• Get Paid to Write for DigitalOcean

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Migrate Plex and btsync to a new server.

Brought to you by: System76

NUC Linux Server

Intel Nuc D54250WYKH

• Mini PC – Intel® NUC Kit D54250WYKH
• Amazon.com: Intel NUC BOXD54250WYKH1 Intel 4th Gen Intel Core i5-4250U with Intel HD Graphics 5000

The Intel NUC D54250WYKH has many useful features, including four USB 3.0 ports, an infrared sensor, a headphone/microphone jack, Mini HDMI*, and Mini DisplayPort* video interfaces, and extra space to accommodate 2.5-inch HDD or SSD drives to support a variety of home or small office usages.

• The chubby NUC has room for a 2.5 Inch SSD which was great for my OS and still has the standard PCI Mini storage slot

• Low noise profile, not silent. But very quiet, about three feet away I can’t hear it.

Performance of the NUC

• AnandTech | Intel D54250WYKH Haswell NUC Kit with 2.5″ Drive Slot Mini-Review*

• Inital tesiting shows a busy btsync and 1080p Plex stream can nearly max the 4 core i5 out.

The power consumption at the wall was measured with the display being driven through the mini-HDMI port. In the graphs below, we compare the idle and load power of the D54250WYK with other low power PCs evaluated before. For load power consumption, we ran Furmark 1.12.0 and Prime95 v27.9 together.

Moving Plex Media Server to another server

1 . Set up coming UID and GIDs between your NFS and app server.
2. When migrating, try to keep the same file paths. IE: /mnt/nfs was where I had the media nfs mount on the previous box.
3. Setup your fstab, when possible use systemd to mount so the mount is network aware.

Mount using /etc/fstab with systemd

Another method is using the systemd automount service. This is a better option than _netdev, because it remounts the network device quickly when the connection is broken and restored. As well, it solves the problem from autofs, see the example below:

/etc/fstab

servername:/home   /mountpoint/on/client  nfs  users,noauto,x-systemd.automount,x-systemd.device-timeout=10,timeo=14,noatime 0 0

**Tip: **noauto above will not mount the NFS share until it is accessed: use auto for it to be available immediately.
If you have any issues with the mount failing due to the network not being up/available, enable NetworkManager-wait-online.service: this will ensure that network.target has all the links available prior to being active.

1. Stop Plex on your current server.
2. Copy your old Plex Media Server configs to the new server:

• In general, the location for the various Linux versions of Plex Media Server will be found under:

  $PLEX_HOME/Library/Application Support/Plex Media Server/

Make sure that the directories and contents are all owned by plex:plex.

• Move an Install to Another System – Plex

SickRage

FEATURES:

• XBMC library updates, poster/fanart downloads, and NFO/TBN generation
• configurable episode renaming
• available for any platform, uses simple HTTP interface
• can notify XBMC, Growl, or Twitter when new episodes are available
• specials and double episode support
• Automatic XEM Scene Numbering/Naming for seasons/episodes
• Episode Status Manager now allows for mass failing seasons/episodes to force retrying.
• DVD Order numbering for returning the results in DVD order instead of Air-By-Date order.
• Improved Failed handling code for shows.
• DupeKey/DupeScore for NZBGet 12+
• Searches both TheTVDB.com, TVRage.com and AniDB.net for shows, seasons, episodes
• Importing of existing video files now allows you to choose which indexer you wish to have SickBeard search its show info from.
• Your tvshow.nfo files are now tagged with a indexer key so that SickBeard can easily tell if the shows info comes from TheTVDB or TVRage.
• Sports shows are now able to be searched for..

Moving btsync between servers

1. Copy down your paths and keys
2. Shutdown btsync on your old system
3. Depending on your version you need to remove the .sync folder, or the .Sync folders. Newest versionf of btsync will asking you if you want “take owner ship”.
4. “Add Folder” and put your folder path in.
5. Edit the sync listing and click “view key” then click update key.
   
6. Post your orginal key you copied down early in. Now btsync will connect up to your peers.

Easy SmokePing Install and Setup

• Smoke Ping is a challange to setup on Arch

How to use this image

• Install Docker
  • Docker – ArchWiki
  • Docker Documentation

A. Pull down the SmokePing Docker image: mokeping Docker Image | Docker Hub Registry

docker pull dperson/smokeping

B. Start the Docker image

sudo docker run --name smokeping -p 8000:80 -d dperson/smokeping

C. Visit https://localhost:8000/smokeping/smokeping.cgi

— PICKS —

Runs Linux

Scorpion TV Show is using linux as “hacker” os : LinuxActionShow

• Scorpion – First Look – YouTube

Desktop App Pick

bithammer · GitHub

• BitHammer : LinuxActionShow

Hey Chris and Matt, I thought I’d share this cool program BitHammer if you haven’t already heard of it. If you haven’t BitHammer searches out and bans BitTorrent users on your local sub-net. That means if you travel and work (Ohio LinuxFest), often using shared Wi-Fi. This is nice because many people have been plagued by rogue BitTorrent users who’ve crept onto these public hostpots either with a stolen/cracked password, or who lie (and the Wi-Fi owners) about it.

https://github.com/MichaelJCole/bithammer

Weekly Spotlight

Pocket-sized mobile touchscreen web server runs Tizen

The Egg is available in packages starting at $199 with 64GB through Nov. 6, with devices shipping in July 2015. The Egg is billed as a personal web server, and a way to cut the cord on social networking sites that sell information based on your data.

• The Egg | If you care about it, then Egg it! by Eggcyte — Kickstarter

— NEWS —

Linux 3.17 Kernel Released With Many Great Features

Linux 3.17 is a big improvement and brings a ton of great features like working AMD Radeon R9 290 support, Xbox One controller support, DMA-BUF cross-device synchronization, a lot of ARM hardware improvements, free-fall support for Toshiba laptops, Intel Braswell and Cherry Trail enablement work, EFI Xen Dom0 boot support, file-system improvements, and much more. Linux 3.17 is a very exciting update!

• The Top Features Of The Linux 3.17 Kernel

• Linux-Kernel Archive: Linux 3.17

At Last! Netflix Now Works On Ubuntu, No Hacks Required

Netflix now works on Ubuntu out of the box — no hacks, plugins or user-agent switching workaround required.

ChromeOS will no longer support ext2/3/4 on external drives/SD cards. Only fully supported filesystems are FAT and NTFS.

let’s drop support for ext2/3/4. Unnecessary features like this make it difficult to implement a feature that matter

AMD Moves Forward With Unified Linux Driver Strategy, New Kernel Driver

Basically converging the open-source Radeon Linux graphics driver and closed-source AMD Catalyst driver to run off the same kernel driver

NVIDIA Presents Its Driver Plans To Support Mir/Wayland & KMS On Linux

No firm time table was provided when NVIDIA’s Unix driver team hope to have their Linux proprietary driver fully running with Wayland/Mir and available to the public, but based upon how things are looking right now, it would likely be a safe bet for 2015.

Firefox OS Shows Continued Global Growth

Firefox OS is now available on three continents with 12 smartphones offered by 13 operators in 24 countries. As the only truly open mobile operating system, Firefox OS demonstrates the versatility of the Web as a platform, free of the limits and restrictions associated with proprietary mobile operating systems.

— FEEDBACK —

• Call for help for producing a Linux SDK

— CHRIS’ STASH —

• jupiterbroadcasting on Instagram

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— MATT’S STASH —

• Check out LINUX Unplugged
• Articles by Matt Hartley

Find us on Google+

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Matt – matthartley

Follow the network on Facebook

• Jupiter Broadcasting on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

• https://jblive.tv
• Network Calendar

The post Painless Plex Migration | Linux Action Show 334 first appeared on Jupiter Broadcasting.

Liam from Gaming on Linux joins us to discuss the Witcher 2 port fiasco, and why Linux’s reputation as a gaming platform could be on the line.

Plus a heated Manjaro discussion, your feedback, and a BIG announcement!

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Show Notes:

FU:

• OpenShot Video Editor | Blog: May Development Update: Video + Interview + More!

• Manjaro Xfce

• About Arch, Manjaro, and Wi-Fi

• Question for the Virtual LUG

• GitHub does dotfiles – dotfiles.github.io

• Straw Poll: What’s your DE?

The Witcher 2 Drama:

Guest: Liam Dawe (upurtweet) on Twitter

Full time dad, owner of @gamingonlinux and writer for @linuxvoice !

• The Witcher 2 Just Made A Bunch Of Linux Gamers Very, Very Angry

eON is a middle ground idea between what WINE does, and a native port. It is tuned and customised to each game we port — we do not simply slap a Windows binary into it and ship the game. For example, we often customise the D3D9->GL code path in various ways to cater for the title. Shaders are often rewritten to native GLSL, etc.

• GamingOnLinux – Why We Shouldn\’t Accept Bad Linux Ports

_The problem is if we keep accepting ports at a sub-par quality then Linux will gain a reputation for having low quality games. Think about that big picture for a moment, seriously.

_

New Show: Tech Talk Today (Mon – Thur)

9am Pacific / 12pm Eastern / 7pm GMT

• A daily, low key tech talk show. Covering the entire industry.

• A rotating cast of friends will join me, sometimes I’ll be solo.

• A unique perspective and insights, from outside the valley bubble. Outside the grasp of Google or Apple influence. A perspective from the open source community considering the important topics of the day.

• The state of technology coverage has bothered me for a long time, and specifically as many LUP listeners know the coverage of the Linux and open source communities.

• The show will try and be a daily taste maker of interesting topics and discussion.

• The daily format will allow for a large range of topics, and active live participation via Mumble, etc for talk back.

• Could be a little on the risky side, very blunt and honest opinions. Calling it like we see it.

• Patreon funded, with some limited sponsor opportunities available.

• Willing to consider discounted community spots.

• The Patreon fund is basically a fund JB’s growth campaign, and you get a daily show as a thank you.

• The revenue raised via Tech Talk Today’s Patreon funding will finance studio upgrades from facilities, to equipment, and even living conditions.

• Long term plans include funding a road show, and other big things we could only pull off with a stable platform of funding for us to stand on.

• This is a grand experiment. I’ve wanted to do a daily show again for a while, but its also some of the hardest workout there. It’s a lifestyle. Can I keep it up? Can we fund future JB growth? I’m not sure, but I am damn excited to find out!

The post Fine Wine or Sour Ports | LINUX Unplugged 42 first appeared on Jupiter Broadcasting.