Hello x-wap-profile I Didn't Notice You There
@ Aug. 31, 2010, 11:41 p.m.
Filed under: Code Tech Security Python
After reading about some of the stupid that some mobile companies do when proxying their mobile traffic I decided to look at what my phone gave up. Luckily I didn't find anything way out there in the headers but I did find out about a header I didn't know about: x-wap-profile.
Before I continue let me say that I didn't find anything new :-). This is simply my own 'oh wait, what is this?' moment when playing with my phone.
The contents of the header had a URL. In my case it was http://device.sprintpcs.com/HTC/APA9292KT/latest. To my sadness it is an XML document. XML is the overly chatty great grandmother of modern markups. It doesn't understand why why you don't understand it half the time. It also smells funny. Anyway, after a bit of python I could read the XML in a more human friendly form: YAML. Note, this is some ugly and inefficient code but it was written to nicely see the data ....
The code simply snags the XML from the URL and then uses some ugly parsing/hacks to transform it. Here is the output from my phones header:
After seeing all this information a few things came to mind. The first was not all the data was correct. For instance the OS version is wrong, The second was that it seems like a lot more information than should be shared by simply browsing a site. When browsing with a desktop/laptop/netbook you give up some information. For instance, the machine I'm using right now reports up that I'm using Linux on an x86_64 machine with the Chromium browser. Obviously, the phone gives up a lot more information. It states that (by default) the device has no antispam or antivirus. It also states the kinds of networks which can be used, versions of hardware components, hardware specs and even default installed applications (many which can not be removed). I don't know about you but this is more info than I like to give to sites I'm simply browsing. What if a vulnerability is found in one of those default apps which can be triggered via the browser or through downloads? What if the browser itself is vulnerable if it can decode certain formats? What if someone hard codes debug credentials in a certain software/firmware version? etc... It seems like this is a near perfect source of information for tailoring smart drive by exploits with.
If you want to look at other profiles see google search.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Python RPM Specs Needing a Loving Home @ June 22, 2010, 4:37 p.m.
Filed under: Linux Code Tech Fedora Python
I found myself in need of some (currently) unpackaged python libraries and tools so I decided to do some quick packaging. If you are using these libraries (or want to) on a Fedora, RHEL or CentOS system and want to start packaging in Fedora then one of these could be an easy jumping in package. Note that they are not perfect so they still need a bit of love before getting them approved but it's (slightly) easier than starting from scratch!
django-picklefield.spec: provides an implementation of a pickled object field
python-amqplib.spec: Client library for AMQP
python-anyjson.spec: Wraps the best available JSON implementation available in a common interface
python-billiard.spec: Multiprocessing Pool Extensions
python-carrot.spec: AMQP Messaging Framework for Python
python-importlib.spec: Backport of importlib.import_module() from Python 2.7
python-celery.spec: task queue/job queue based on distributed message passing (requires all of the above)
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
python-dulwich spec file @ April 16, 2010, 8:39 p.m.
Filed under: Linux Tech Fedora Python
I was looking at Anyvc when I couldn't seem to find a dulwich package in Fedora. I threw together a spec file so I could test out anyvc (it's pretty cool by the way). I don't intend to maintain a dulwich package since I use Mecurial most of the time these days. Nothing against Git, I still like it!
If you are interested and taking the spec and running with it as a maintainer you can find it here.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Bad Java, BAD! No More Jars! @ March 27, 2010, 11:26 p.m.
Filed under: Code Tech Security Frustration Python
A big frustration for me is the sprawl of Jar's (java "packages") which are everywhere. These special zip files tend to be copied into other applications and then left alone. Many of these Jar's have newer releases to fix security issues, but the bundled version isn't updated. It's even worse that many Jar's don't provide enough meta information that you can be sure of who owns it. Yes, you could keep SHA1SUM's in a database like maven does, and that is better than nothing, but it's not really a fix, it's a hack.
Here is an example of metadata that came with one Jar:
How helpful! Well, we can at least see what it is by the name of the file: sqlitejdbc.jar. It still doesn't tell us what version. Let's look at another:
Better, but still isn't that helpful. In this case we get lucky as some of the info is in the file name: gettext-commons-0.9.6.jar.
It really seems like the whole 'keep metadata in your Jar' is more of an inside joke which requires a hack to try to track what jars to include (as maven does). Welcome to Jar hell. How fun. Anyway, here is another hack ...
For the heck of it I decided to write a very simple scanner. It reads the metadata from the Jar file and then tries to match it up against an online database. If it gets no results back it keeps it as 'either safe or not enough information'. If there isn't even enough data to make a call out to the database it's assumed bad and tells you the user to bother about it if that is listed, and if the database confirms vulnerabilities it's known bad. It needs a lot of work to better guess information not provided by the metadata but here is an example run (with some changes to protect the guilty)
I'm tired. I'm going to bed. I'll throw the code up somewhere tomorrow.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Patch For python-nmap @ March 24, 2010, 4:01 p.m.
Filed under: Code Tech Security Python
I discovered python-nmap but noted that it blocks. I threw together a quick wrapper for scanning for using in my own stuff and figured I might as well post it :-). Let's see if it goes upstream!
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Filed under: Code Tech Security Python
After reading about some of the stupid that some mobile companies do when proxying their mobile traffic I decided to look at what my phone gave up. Luckily I didn't find anything way out there in the headers but I did find out about a header I didn't know about: x-wap-profile.
Before I continue let me say that I didn't find anything new :-). This is simply my own 'oh wait, what is this?' moment when playing with my phone.
The contents of the header had a URL. In my case it was http://device.sprintpcs.com/HTC/APA9292KT/latest. To my sadness it is an XML document. XML is the overly chatty great grandmother of modern markups. It doesn't understand why why you don't understand it half the time. It also smells funny. Anyway, after a bit of python I could read the XML in a more human friendly form: YAML. Note, this is some ugly and inefficient code but it was written to nicely see the data ....
#!/usr/bin/env python
"""
Terrible but works way to find out info about mobile clients.
"""
import re
import sys
import urllib
import yaml
from lxml import etree
rx = re.compile('\{.*\}')
no_tabs = re.compile("[\t\n]*")
no_li = re.compile('li ')
xml = etree.XML(urllib.urlopen(sys.argv[1]).read())
results = {}
prev_key = None
for ele in xml.iter():
if type(ele.tag) is type(""):
tag = rx.sub('', ele.tag)
text = no_tabs.sub('', str(ele.text))
if tag == "Bag":
continue
if tag == "li":
try:
results[prev_key].append(text)
except:
results[prev_key] = []
results[prev_key].append(text)
else:
prev_key = tag
results[tag] = text
print yaml.dump(results, default_flow_style=False)
The code simply snags the XML from the URL and then uses some ugly parsing/hacks to transform it. Here is the output from my phones header:
$ python wtf.py http://device.sprintpcs.com/HTC/APA9292KT/latest AcceptDownloadableSoftware: 'Yes' AdvertisingCapable: N/A AntiSpam: 'No' AntiSpamVendor: N/A AntiVirus: 'No' AntiVirusVendor: N/A AudioCodecsForDecoding: - mp3 - aac - aac+ - eaac+ - amr-nb - amr-wb - qcelp - wma - evrc - midi AudioCodecsForEncoding: - AMR-NB - QCELP AudioInputEncoder: - gzip - deflate AudioJack: 3.5mm BitsPerPixel: '16' BrowserName: Android Browser BrowserPortalVersion: '' BrowserVersion: Eclair 2.0 CPU: ARM11 CamcorderResolution: 1280x720 CamcorderZoomCapable: 'Yes' CameraBuiltInFlash: 2x power LED CameraHighestImageResolution: 3624x2488 CameraMegaPixels: 8M CameraZoomCapable: 'Yes' CcppAccept: - application/vnd.oma.drm.rights+xml - application/ogg - application/smil - application/vnd.oma.drm.message - application/vnd.wap.mms-message - application/vnd.wap.multipart.alternative - application/vnd.wap.multipart.mixed - application/vnd.wap.multipart.related - application/vnd.wap.sic - application/vnd.wap.xhtml+xml - application/vnd.oma.dd+xml - application/java-archive - audio/aac - audio/amr - audio/imelody - audio/mid - audio/midi - audio/mp3 - audio/mpeg3 - audio/mpeg - audio/mpg - audio/x-mpeg3 - audio/x-mpeg - audio/x-mpg - audio/x-mid - audio/x-midi - audio/x-mp3 - image/gif - image/jpeg - image/jpg - image/png - image/vnd.wap.wbmp - video/mpeg4 - video/mp4 - text/plain - text/html CcppAccept-Charset: - ISO-10646-UCS-2 - ISO-8859-1 - US-ASCII - UTF-8 CcppAccept-Language: '' ColorCapable: 'Yes' CommerceCapable: N/A ConnectionManagerVendor: N/A ConnectionManagerVersion: N/A DataNetworkTypes: - IS2000 - EVDO - WiMax - WiFi Description: '' DeviceIdentifierType: - MEID DeviceType: Android Touch DiagnosticsClientVendor: CIQ DiagnosticsClientVersion: 3.2.18 DiagnosticsProtocolVersion: 3.2.18 DownStreamBufferSize: None DownloadableBrowserApps: - 'No' DownloadableSoftwareSupport: - application/java-archive EmailCapable: 'Yes' EmbeddedApplicationsCapable: 'Yes' ExternalMemoryMaxSize: 32GB SDHC ExternalMemorySlot: 'Yes' FirmwareVersionWiMAXRadioModule: 4.6.2.1 build22766 FixedVoIPCapable: 'No' FotaClientVendor: SmithMicro FotaClientVersion: '' FotaProtocolVersion: 1.5.1 FramesCapable: 'Yes' GLMSClientVendor: '' GLMSClientVersion: '' GLMSProtocolVersion: '' GPSChipsetModel: '8650' GPSChipsetVendor: Qualcomm GamingCapable: 'Yes' HardwareVersion: '1.0' IMVideoCallingCapable: 'No' IOTAProtocolVersion: N/A ImageCapable: 'Yes' InputCharSet: - US-ASCII - UTF-8 - ISO-8859-1 - ISO-10646-UCS-2 IntelligentSearchCapable: 'Yes' JVMVersion: - N/A JavaAppletEnabled: 'Yes' JavaEnabled: 'No' JavaPlatform: - N/A JavaScriptEnabled: 'Yes' Keyboard: TouchKeypad LBSCapable: 'Yes' MI-UICapable: '' MI-UIVersion: '' ManufacturerWiMAXRadioModule: SEQUANS MobileOriginatedSmsSupport: 'Yes' MobileTVORVODCapable: 'Yes' Model: '9292' ModelWiMAXRadioModule: SQN1210 MultimediaEncoder: Qualcomm Qcamcorder MultimediaEncoderDisplaySize: - '800x480 ' - '640x480 ' - '320x240 ' - '176x144 ' - 128x96 MultimediaEncodingSupport: '' MultimediaFileFormatForDecoder: - MPEG4 - 3GP - 3G2 - AAC - AMR - MID - MP3 - WMA - WMV MultimediaFileFormatForEncoder: - MPEG4 - 3GP - 3G2 MultimediaMaximumBitRateForEncoding: 5000 kbps MultimediaMaximumBitRateForPlayback: 5000 kps MultimediaMaximumBitRateForStreaming: 1200 kbps MultimediaMaximumFrameRateForEncoding: 24 fps MultimediaMaximumFrameRateForPlayback: 30 fps MultimediaMaximumFrameRateForStreaming: '30 fps ' MultimediaPlaybackSupport: '' MultimediaPlayer: 'Yes' MultimediaStreamingSupport: '' MultimediaVideoDisplaySize: - '800x480 ' NavigationSupport: - Touch Screen NumberOfSoftKeys: '0' OMADMCapable: 'Yes' OMADMVendor: SmithMicro OMADMVersion: '2.0' OSName: Android OSVendor: QUALCOMM OSVersion: QSD8650/Eclair OnDemandCapable: '' OnDemandVersion: '' OutputCharSet: - US-ASCII - UTF-8 - ISO-8859-1 - ISO-10646-UCS-2 PictureMailSupport: 'Yes' PixelAspectRatio: 1x1 PreferenceForFrames: 'Yes' PssVersion: 3GPP-R6 Push-Accept: - text/plain Push-Accept-AppID: - None - None Push-Accept-Encoding: - base64 Push-MsgSize: '4096' RDF: '' RadioCapable: 'yes' ScreenSize: 480x800 ScreenSizeChar: 25x21 SecuritySupport: - SSL-3.0 - TLS-1.0 Seq: - en-us - es-us SoftwareNumber: 3.26.651.6 SoundOutputCapable: 'Yes' SprintMcdVersion: 3.5.4 StandardFontProportional: 'Yes' SupportedApplications: - Album - Browser - Calculator - Calendar - Camcorder - Camera - Dialer - FlashLite Plug-in for Browser - Footprints - HTC Sync - Lock Screen - Mail - Messages - Microsoft Exchange ActiveSync - Music (integrate with Ringto Trimmer) - OOBE - PDF Viewer - People - Quickoffice - Settings - Social Network - Stocks - Windows Media Streaming Player - Teeter - Voice Recorder - Weather - World Clock - Amazon MP3 - Sprint Navigation - Remote Diagnostic - Sprint TV - NFL - NASCAR - Voice Dialer - Visual Voicemail SupportedBearers: - IS2000/rel0 TablesCapable: 'Yes' TextInputCapable: 'Yes' TotalDeviceFlash: 1GB ROM TotalDeviceMemory: 512MB RAM UpStreamBufferSize: None VOIPAnalogJacks: ZERO Vendor: HTC VideoCodecsForDecoding: - MPEG4 simple profile - H.263 Profile 0 - H.264 Baseline - Motion-JPEG VideoCodecsForEncoding: - MPEG4 - H263 VideoMailSupport: 'Yes' VoiceChatCapable: 'Yes' VoiceInputCapable: 'Yes' WapDeviceClass: C WapVersion: '2.0' WmlDeckSize: '' WmlVersion: - None XhtmlModules: - Mobule-based XHTML W3C Recommendation XhtmlVersion: XHTML-Basic/1.0 component: '' type: None
After seeing all this information a few things came to mind. The first was not all the data was correct. For instance the OS version is wrong, The second was that it seems like a lot more information than should be shared by simply browsing a site. When browsing with a desktop/laptop/netbook you give up some information. For instance, the machine I'm using right now reports up that I'm using Linux on an x86_64 machine with the Chromium browser. Obviously, the phone gives up a lot more information. It states that (by default) the device has no antispam or antivirus. It also states the kinds of networks which can be used, versions of hardware components, hardware specs and even default installed applications (many which can not be removed). I don't know about you but this is more info than I like to give to sites I'm simply browsing. What if a vulnerability is found in one of those default apps which can be triggered via the browser or through downloads? What if the browser itself is vulnerable if it can decode certain formats? What if someone hard codes debug credentials in a certain software/firmware version? etc... It seems like this is a near perfect source of information for tailoring smart drive by exploits with.
If you want to look at other profiles see google search.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Python RPM Specs Needing a Loving Home @ June 22, 2010, 4:37 p.m.
Filed under: Linux Code Tech Fedora Python
I found myself in need of some (currently) unpackaged python libraries and tools so I decided to do some quick packaging. If you are using these libraries (or want to) on a Fedora, RHEL or CentOS system and want to start packaging in Fedora then one of these could be an easy jumping in package. Note that they are not perfect so they still need a bit of love before getting them approved but it's (slightly) easier than starting from scratch!
django-picklefield.spec: provides an implementation of a pickled object field
python-amqplib.spec: Client library for AMQP
python-anyjson.spec: Wraps the best available JSON implementation available in a common interface
python-billiard.spec: Multiprocessing Pool Extensions
python-carrot.spec: AMQP Messaging Framework for Python
python-importlib.spec: Backport of importlib.import_module() from Python 2.7
python-celery.spec: task queue/job queue based on distributed message passing (requires all of the above)
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
python-dulwich spec file @ April 16, 2010, 8:39 p.m.
Filed under: Linux Tech Fedora Python
I was looking at Anyvc when I couldn't seem to find a dulwich package in Fedora. I threw together a spec file so I could test out anyvc (it's pretty cool by the way). I don't intend to maintain a dulwich package since I use Mecurial most of the time these days. Nothing against Git, I still like it!
If you are interested and taking the spec and running with it as a maintainer you can find it here.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Bad Java, BAD! No More Jars! @ March 27, 2010, 11:26 p.m.
Filed under: Code Tech Security Frustration Python
A big frustration for me is the sprawl of Jar's (java "packages") which are everywhere. These special zip files tend to be copied into other applications and then left alone. Many of these Jar's have newer releases to fix security issues, but the bundled version isn't updated. It's even worse that many Jar's don't provide enough meta information that you can be sure of who owns it. Yes, you could keep SHA1SUM's in a database like maven does, and that is better than nothing, but it's not really a fix, it's a hack.
Here is an example of metadata that came with one Jar:
Manifest-Version: 1.0 Created-By: 1.6.0_10 (Sun Microsystems Inc.)
How helpful! Well, we can at least see what it is by the name of the file: sqlitejdbc.jar. It still doesn't tell us what version. Let's look at another:
Manifest-Version: 1.0 Archiver-Version: Plexus Archiver Created-By: Apache Maven Built-By: fberger Build-Jdk: 1.6.0_06
Better, but still isn't that helpful. In this case we get lucky as some of the info is in the file name: gettext-commons-0.9.6.jar.
It really seems like the whole 'keep metadata in your Jar' is more of an inside joke which requires a hack to try to track what jars to include (as maven does). Welcome to Jar hell. How fun. Anyway, here is another hack ...
For the heck of it I decided to write a very simple scanner. It reads the metadata from the Jar file and then tries to match it up against an online database. If it gets no results back it keeps it as 'either safe or not enough information'. If there isn't even enough data to make a call out to the database it's assumed bad and tells you the user to bother about it if that is listed, and if the database confirms vulnerabilities it's known bad. It needs a lot of work to better guess information not provided by the metadata but here is an example run (with some changes to protect the guilty)
$ python jarscanner.py *jar
WARNING:root:apache-mime4j-0.6.jar is the latest secure version or not enough info
WARNING:root:commons-codec-1.3.jar is the latest secure version or not enough info
WARNING:root:commons-logging-1.1.1.jar is the latest secure version or not enough info
WARNING:root:hsqldb.jar is the latest secure version or not enough info
WARNING:root:httpclient-4.0.jar is the latest secure version or not enough info
WARNING:root:httpcore-4.0.1.jar is the latest secure version or not enough info
WARNING:root:httpmime-4.0.jar is the latest secure version or not enough info
INFO:root:jetty-6.1.7.jar found 15 vulns
INFO:root:jetty-util-6.1.7.jar found 15 vulns
WARNING:root:servlet-api-2.5-6.1.7.jar is the latest secure version or not enough info
WARNING:root:The following jars are known to be bad ...
WARNING:root:jetty-6.1.7.jar
WARNING:root:jetty-util-6.1.7.jar
CRITICAL:root:Sorry, but a number of jars are crap and don't provide enough information.
These should be assumed bad!!!
CRITICAL:root:bdiff.jar
CRITICAL:root:fast-md5.jar (go bug dragonlz about it)
CRITICAL:root:gettext-commons-0.9.6.jar (go bug fberger about it)
CRITICAL:root:jcip-annotations.jar
CRITICAL:root:linuxfolderwatcher.jar
CRITICAL:root:messages.jar
CRITICAL:root:snakeyaml-1.5.jar (go bug somov about it)
CRITICAL:root:sqlitejdbc.jar
CRITICAL:root:stringtree-json-2.0.9.jar
CRITICAL:root:swt.jar
CRITICAL:root:unixapi.jar
CRITICAL:root:XXXXXXXXXX.jar
CRITICAL:root:XXXXXXXXXX.jar
I'm tired. I'm going to bed. I'll throw the code up somewhere tomorrow.
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0
Patch For python-nmap @ March 24, 2010, 4:01 p.m.
Filed under: Code Tech Security Python
I discovered python-nmap but noted that it blocks. I threw together a quick wrapper for scanning for using in my own stuff and figured I might as well post it :-). Let's see if it goes upstream!
#!/usr/bin/env python
# By Steve 'Ashcrow' Milner
import nmap
try:
from multiprocessing import Process, Queue
except ImportError:
# For pre 2.6 releases
from threading import Thread as Process
from Queue import Queue
class NmapProcess(object):
"""
Process scans in a non-blocking way.
"""
def __init__(self, host):
"""
Creates an instance.
:Parameters:
- `host`: host to scan
"""
self.__host = host
self.__queue = Queue()
self.__nm = nmap.PortScanner()
self.__process = None
def scan(self, ports=None, arguments='-sV', callback=None):
"""
Starts the scan taking the same input as nmap scan except the host.
:Parameters:
- `ports`: ports to scan
- `arguments` arguments for nmap
- `callback`: optional callback to execute when results are available
"""
def scan_process(ports, arguments, callback=None):
self.__nm.scan(self.__host, ports, arguments)
self.__queue.put(self.__nm)
if callback and callable(callback):
callback(self.__nm)
self.__process = Process(
target=scan_process, args=(ports, arguments, callback))
self.__process.daemon = True
self.__process.start()
def __get_results(self):
"""
Returns results if they are available, else None.
"""
if self.__queue.empty():
return None
return self.__queue.get()[self.__host]
def __del__(self):
"""
Clean up.
"""
self.__process.join()
# Properties
results = property(__get_results)
results_available = property(lambda s: not s.__process.is_alive())
if __name__ == '__main__':
n = NmapProcess('127.0.0.1')
def p(s):
print("From Callback: " + str(s['127.0.0.1']))
n.scan(arguments="-sV -T4 -A", callback=p)
# Do stuff here ...
from time import sleep
while not n.results_available:
print("Waiting ...")
sleep(3)
print("From property: " + str(n.results))
digg it
seed it
del.icio.us
ma.gnolia
Comments: 0

