89 comments
@foosel that's the genuine "fix" for a reported security problem against some of their devices at the time, yes indeed

So I assume that Curl can now present different User-Agent values as needed (assuming it didn't before, of course)? Which given I very rarely use Curl is probably a very stupid question but given I could think of that as a potential issue/solution shows how monumentally ridiculous that bug fix really is 🫤🤦♂️

@simonzerafa @bagder @foosel It can indeed, there's a specific arg or you can use the generic `-H "header-name: header-value"` form.

@tdp_org @simonzerafa @bagder @foosel Even good old @root42

@nullcolaship @foosel @bagder Interesting that it still renders as a website of sorts with all letters 't' removed. I wonder which letters are the most redundant ones in this metric.

@cd_home @root42 @nullcolaship @foosel @bagder It is pretty funny - it's just that most of the HTML tags for content (h1-6, a, p, div) don't have the letter t, while a lot of stuff in the head (title, script, style) do. Surely any tables on the page are ruined, though.

@root42 @nullcolaship @foosel @bagder "Skip o search" is the process of quickly finding the non-sponsored, un-SEOed and not generated pages in the search results. Will soon be taught in schools.

@nullcolaship @foosel @bagder I looked at the source code image before reading your command and I thought I had a stroke 😅

@nullcolaship @foosel @bagder Just think of all those tabs they’d have been able to remove if they’d escaped their regex properly.

@nullcolaship @foosel @bagder When Cisco announced public access to the simplified web presentation language they used internally, “HML”, they failed to describe exactly *how* they simplified it, but one look at their website revealed all.
@colin_mcmillen it was their fix for this reported security problem: https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-003/

@colin_mcmillen @bagder wait, you can dump the config without authentication of any kind, which includes the devices' password hashes, and somehow you can just pass those hashes back to authenticate to the device?

@colin_mcmillen @bagder I've got some really bad news for you about just how many devices there are out there that fail at LEAST 1 of those, and a nontrivial number that fail all 3.

@JessTheUnstill @c0dec0dec0de @colin_mcmillen @bagder TBF using symmetric encryption/hashing it's hard to avoid either storing or transmitting the credentials in the clear. To avoid both you need to use asymmetric (public-key) encryption and only transmit nonces (what hardware tokens do with certificate-based authentication).

@c0dec0dec0de @JessTheUnstill @tknarr @bagder my printer self-signs a cert. That's better than clear text even if there's the browser warning.

@colin_mcmillen @bagder I like how this pentesting team just kept using curl, but schooled Cisco with “-A kurl” 😁

@bagder This is of course going to be the obvious solution when your blog's "network engineer" tag is filled with PR BS: CW: everything on this blog is bullshit, and unrelated to what the tag name is

@bagder This is sorta what imgur does for wget as well, to "stop" scraping I guess... (it has returned 429 "too many requests" every time I've tried, so I assume it's an ingress rule for the user agent)

@kfh @bagder It makes sense for imgur, because it's a quick way to stop clueless people from trying to spider the site. Usage tracking requires a lot more resources than a simple string comparison on a header, so if you can stop 99% of the spiders before they even hit the usage-tracking code, it's a win.

😆 I hope they followed up with a pull-request to the curl project .... removing the -A option ... for security reasons .....

Yikes.. 2019 even..
Reminds me of discovering something I called super-root that allowed any monitored system to gain full read, write and execute privileges on everything else monitored over the monitoring message bus via the local agent. They used IP address for ID validation when validating source in an auth token, then just wrote a bypass to ignore that when they needed to make monitoring work across NAT. It took years to beat a proper fix out of them.

I looked up the curl man page, especially the example for changing the user agent: Example: 😎

@bagder So many servers are happy when you just provide a trusted user-agent, and a referer. Sometimes one also needs a token that can be obtained from an additional request.

@bagder This should be the first hit on Google when searching for "imposter syndrome".

@bagder But you see, `curl -A "anonymous" ` is now considered unauthorized access of a computer system and is illegal according to the Computer Fraud and Abuse Act.
@bagder @briankrebs I’ve been selectively blocking all sorts of stuff on some servers like that.

@bagder to buy cisco is just sick: expensive and you see the "quality" of their sophisticated "security" devices.

@bagder If it just piped the offending IP address into the iptables drop list, it would be a good start. No reason to let your adversary know they can try again with different parameters.

@bagder Same nonsense on https://dl.dell.com - the default user agents of curl and wget trigger a 403 error, but setting the user agent to a less suspicious string such as "bullshit" or "nmap" solves the problem.

We won't let you hack into this device unless you ask *politely*! That will stop hackers because the evil in their hearts prevents them from being polite.

@MegaMichelle@a2mi.social @bagder@mastodon.social

@bagder 😂 As moronic as this "security fix" is, I can't exactly say that I'm surprised…

@devnull @bagder Having recently dealt with a Cisco software product, where it seems clear to me that no one on the team built it or knows how it works, they can't even make a clean fresh installer and can only sequentially update from a very old version, they have a _lot_ of junior engineers and few leaders.

@raven667 That company is full of shit. It's beyond me why network folks love Cisco so much… Even their logo shows you the fingers 😂 We use Cisco VPN load of crap at work because some clowns decided. "It's more secure lol". As a Linux user, I don't use their anyconnect idiocy, thanks to OpenConnect client, which implements a workaround for CSD. CSD is a newspeak term to refer to their binary trojan downloaded by anyconnect, and executed on the client, for "security verification"…

@bagder@mastodon.social oh no, whatever will I (a malicious hacker) do?

@bagder #Cisco is a shitshow and since the #DUAL_EC_DRBG #Gviware #Backdoor they're banned for 3x the time it takes them to apologize and undo harm completely. So far, they've yet to do those things...
@bagder this hit so close to home today ... been struggling with an infrastructure team having a basic auth protected service redirecting https to http. Gave them curl screenshots and their response was "we are not familiar with this 'curl' software, can you try it on Chrome or Edge?" 😔😒🤨

I posted this image on LinkedIn as well, and the stats there tell me that Cisco is in fact now the third most common employing company among the viewers... (only beaten by AWS and Microsoft) https://www.linkedin.com/posts/danielstenberg_curl-activity-7185597818894512130-kHFS

@bagder does this qualify as code bloat? the user agent header is completely arbitrary and can be set to anything.

@spmatich they singled out curl because the exploit proof of concept used curl. They stopped the example command line from working.

@bagder so the exploit just needs an update to include setting the user agent header to something else right, and it could be one of many many many different strings.

@bagder This makes me want to add a check for curl as the user agent, but only so it sends back a fun message as part of the return headers. Something harmless.
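Added example (not code from the thread, from curl or from Cisco): a toy gate of the kind the replies describe, which refuses a request only when the User-Agent contains "curl", next to a gate that checks HTTP Basic credentials against a salted digest and never looks at the User-Agent at all. The user, password, salt and request headers are all constructed for this illustration.

```python
import base64
import hashlib
import hmac

# Constructed credential store: salted PBKDF2 digests, never plaintext.
# Salt, iteration count and password are made up for this example.
_SALT = b"example-salt-not-for-production"
_ITERATIONS = 100_000


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


_USERS = {"admin": _digest("correct-horse-battery")}
_DUMMY = _digest("")  # hashed for unknown users so timing does not leak names


def ua_blocklist_gate(headers: dict) -> int:
    """The 'fix' the thread describes: refuse the request only when the
    User-Agent mentions curl. Any other string passes unauthenticated."""
    if "curl" in headers.get("User-Agent", "").lower():
        return 403
    return 200


def credential_gate(headers: dict) -> int:
    """A real control for an export endpoint: require HTTP Basic credentials
    and verify them server-side. Because the submitted password is hashed here,
    replaying a dumped digest instead of the password does not authenticate."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return 401
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401
    ok = hmac.compare_digest(_USERS.get(user, _DUMMY), _digest(password))
    return 200 if user in _USERS and ok else 401


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def compare_gates(user_agent: str, authorization: str = "") -> tuple:
    """Run one constructed request through both gates: (ua_status, cred_status)."""
    headers = {"User-Agent": user_agent}
    if authorization:
        headers["Authorization"] = authorization
    return ua_blocklist_gate(headers), credential_gate(headers)
```

Only the credential gate answers the same way whether the client calls itself curl, kurl or a browser; the blocklist gate returns 200 for any unauthenticated request that simply avoids the word.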
@bagder OMG, did they really pull that off? That's... amazing 😂