Gregory's Server
 89 comments
daniel:// stenberg://
@foosel that's the genuine "fix" for a reported security problem against some of their devices at the time, yes indeed 
Simon Zerafa :donor: :verified:
So I assume that Curl can now present different User-Agent values as needed (assuming it didn't before, of course)? Which given I very rarely use Curl is probably a very stupid question but give I could think of that as a potential issue/solution shows how monumentally ridiculous that bug fix really is 🫤🤦♂️
Neil Craig
@simonzerafa @bagder @foosel It can indeed, there's a specific arg or you can use the generic `-H "header-name: header-value"` form. 
Ángela Stella Matutina
@tdp_org @simonzerafa @bagder @foosel Even good old
Paul Nicholls
cd ~
@root42 @nullcolaship @foosel @bagder Interesting that it still renders as a website of sorts with all letters 't' removed. I wonder which letters are the most redundant ones in this metric. 
mausmalone
@cd_home @root42 @nullcolaship @foosel @bagder It is pretty funny - it's just that most of the HTML tags for content (h1-6, a, p, div) don't have the letter t, while a lot of stuff in the head (title, script, style) do. Surely any tables on the page are ruined, though.
cd ~
@root42 @nullcolaship @foosel @bagder "Skip o search" is the process of quickly finding the non-sponsored, un-SEOed and not generated pages in the search results. Will soon be taught in schools.
husjon
@nullcolaship @foosel @bagder I looked at the source code image before reading your command and I thought I had a stroke 😅
Giles
@nullcolaship @foosel @bagder Just think of all those tabs they’d have been able to remove if they’d escaped their regex properly.
David Nash
@nullcolaship @foosel @bagder When Cisco announced public access to the simplified web presentation language they used internally, “HML”, they failed to describe exactly *how* they simplified it, but one look at their website revealed all. 
daniel:// stenberg://
@colin_mcmillen it was their fix for this reported security problem: https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-003/ 
0xC0DEC0DE07E8
@colin_mcmillen @bagder wait, you can dump the config without authentication of any kind, which includes the devices password hashes, and somehow you can just pass those hashes back to authenticate to the device?
0xC0DEC0DE07E8
@colin_mcmillen @bagder 
Jess👾
I've got some really bad news for you about just how many devices there are out there that fail at LEAST 1 of those, and a nontrivial number that fail all 3.
Todd Knarr
@JessTheUnstill @c0dec0dec0de @colin_mcmillen @bagder TBF using symmetric encryption/hashing it's hard to avoid either storing or transmitting the credentials in the clear. To avoid both you need to use asymmetric (public-key) encryption and only transmit nonces (what hardware tokens do with certificate-based authentication).
Colin McMillen
@c0dec0dec0de @JessTheUnstill @tknarr @bagder my printer self-signs a cert. That's better than clear text even if there's the browser warning.
0xC0DEC0DE07E8 replied to Colin
@colin_mcmillen
Tom van Dijk
@bagder I like how this pentesting team just kept using curl, but schooled Cisco with “-A kurl” 😁 
Mohammed Anas
@bagder alt text mentions 404 error but screenshot shows 403, i guess that's a mistake? 
Yaksh Bariya
@bagder This is ofcourse going the obvious solution when your blog's "network engineer" tag is filled with PR BS: CW: everything on this blog is bullshit, and unrelated to what the tag name is
Karl Fredrik 🦊
@bagder This is sorta what imgur does for wget as well, to "stop" scraping I guess... (it has returned 429 "too many requests" every time I've tried, so I assumme it's an ingress rule for the user agent)
Carnildo
@kfh @bagder It makes sense for imgur, because it's a quick way to stop clueless people from trying to spider the site. Usage tracking requires a lot more resources than a simple string comparison on a header, so if you can stop 99% of the spiders before they even hit the usage-tracking code, it's a win.
Gytis Repečka
🔗 David Sommerseth
😆 I hope they followed up with a pull-request to the curl project .... removing the -A option ... for security reasons ..... 
Raymond
Yikes.. 2019 even.. Reminds me of discovering something i called super-root that allowed any monitored system to gain full read write and execute privileges on everything else monitored over the monitoring message bus via the local agent. They used IP address for ID validation when validating source in an auth token, then just wrote a bypass to ignore that when they needed to make monitoring work across NAT. It took years to beat a proper fix out of them.   
hnapel
I looked up the curl man page, especially the example for changing the user agent: Example: 😎
Martin Rocket
@bagder So many servers are happy when you just provide a trusted user-agent, and a referer. Sometimes one alao needs a token that can be obtaimed from an additional request. 
Troed Sångberg
@bagder This should be the first hit on Google when searching for "imposter syndrome". 
Alex Gleason
@bagder But you see, `curl -A "anonymous" ` is now considered unauthorized access of a computer system and is illegal according to the Computer Fraud and Abuse Act.
Wayne Dixon
@bagder @briankrebs I’ve been selectively blocking all sorts of stuff on some servers like that.
Sandor Szücs
@bagder to buy cisco is just sick: expensive and you see the "quality" of their sophisticated "security" devices.
Tito Swineflu
@bagder If it just piped the offending IP address into the iptables drop list, it would be a good start. No reason to let your adversary know they can try again with different parameters.  
srslypascal
@bagder Same nonsense on https://dl.dell.com - the default user agents of curl and wget trigger a 403 error, but setting the user agent to a less suspicious string such as "bullshit" or "nmap" solves the problem. 
Michelle Hughes
We won't let you hack into this device unless you ask *politely*! That will stop hackers because the evil in their hearts prevents them from being polite. 
Johann150 ⁂ :ipv6: :open_access: ☮
@MegaMichelle@a2mi.social @bagder@mastodon.social 
🐧DaveNull🐧 ☣️pResident Evil☣
@bagder 😂 As moronic as this "security fix" is, I can't exactly say that I'm surprised… 
Raven667
@devnull @bagder Having recently dealt with a Cisco software product, where it seems clear to me that no one on the team built it or knows how it works, they can't even make a clean fresh installer and can only sequentially update from a very old version, they have a _lot_ of junior engineers and few leaders.
🐧DaveNull🐧 ☣️pResident Evil☣
@raven667 That company is full of shit. It's beyond me why network folks love Cisco so much… Even their logo shows you the fingers 😂 We use Cisco VPN load of crap at work because some clowns decided. "It's more secure lol". As a Linux user, I don't use their anyconnect idiocy, thanks to OpenConnect client, which implement a workaround for CSD. CSD is a newspeak term to refer to their binary trojan downloaded by anyconnect, and executed on the client, for "security verification"… 
CauseOfBSOD :fediverse:
@bagder@mastodon.social oh no, whatever will i (a malicious hacker) do?
Kevin Karhan
@bagder #Cisco is absitshow and since the #DUAL_EC_DRBG #Gviware #Backdoor they're banned for 3x the time it takes them to apologize.ajd undo harm completely. So far, they've yet to do those things...
Jason Sando
@bagder this hit so close to home today ... been struggling with an infrastructure team having a basic auth protected service redirecting https to http. Gave then curl screenshots and their response was "we are not familiar with this 'curl' software, can you try it on Chrome or Edge?" 😔😒🤨 
daniel:// stenberg://
I posted this image on LinkedIn as well, and the stats there tells me that Cisco is in fact now the third most common employing company among the viewers... (only beaten by AWS and Microsoft) https://www.linkedin.com/posts/danielstenberg_curl-activity-7185597818894512130-kHFS 
spmatich :blobcoffee:
@bagder does this qualify as code bloat? the user agent header is completely arbitrary and can be set to anything.
daniel:// stenberg://
@spmatich they singled out curl because the exploit proof of concept used curl. They stopped the example command line from working.
spmatich :blobcoffee:
@bagder so the exploit just needs an update to include setting the user agent header to something else right, and it could be one of many many many different strings. 
Gen X-Wing
@bagder This makes me want to add a check for curl as the user agent, but only so it sends back a fun message as part of the return headers. Something harmless. |
@bagder OMG, did they really pull that off? That's... amazing 😂