Sunday, August 29, 2010

(EDITORS: STORY CAN END HERE)


I ran across a variation of the phrase in the blog title in this news article just minutes ago. I concluded (I think rightly) that it was a "serving suggestion" by the journalist/author to the copy editor of whatever publication was considering the article. I Googled the phrase and found the one above. I Googled that one and came up with over a quarter of a million results.

I conclude there must be a shortage of copy editors in the world.

And I'm thinking if I try hard enough I can get the number one hit for this search!

UPDATE!

Thar she blows...
I love it when a plan falls together!

Friday, August 27, 2010

PoTTy DLL Hijack Vulnerability



NAME: PoTTy v0.60
=================

VENDOR: Mr. Hinky Dink
======================

PoTTy, an Open Source, modified version of Simon Tatham's PuTTY (Windows version, v0.60) for Bruce Leidl's Obfuscated-OpenSSH v5.2 server, has been demonstrated vulnerable to the recent Windows DLL hijacking exploit(s).


PROOF OF CONCEPT
================


See storm's (storm@gonullyourself.org) exploit code at http://www.exploit-db.com/exploits/14796/

VENDOR RESPONSE
===============

WTF? How do I fix this?


REMEDIATION
===========

Stop running Windows.


HISTORY
=======

08/27/2010 - Vendor notified
08/27/2010 - Vendor craps pance
08/27/2010 - Vendor decides any publicity is good publicity
08/27/2010 - Vendor publishes details


LINKS:
======

Vendor Response: http://proxyobsession.net/?p=1097
PoTTy Download Page: http://www.mrhinkydink.com/potty.htm
Obfuscated-OpenSSH: http://github.com/brl/obfuscated-openssh

c. MMX Mr. Hinky Dink

Saturday, August 21, 2010

SKILLZ--


A few refinements were made today.

First, I bumped the BOTs' skillz downward.

Second, if BOTs are in first and second place, AutoAdjust is turned OFF.

Lastly, the spread that kicks in AutoAdjust is now HISCORE/3. This makes no difference in BOT House, but it kicks the spread up to 11 in EXPIV.

In all, it's easier to kick into AutoAdjust. You just have to work harder when you're winning!

I finally had to stop following BOT House and EXPIV on Twitter. There was just too much garbage and - I never thought it would happen, but - I'm actually starting to need tweets to stay informed on a number of subjects. I still keep a tab open on both of them to see what's going on and I continue to be amazed at the fact that, combined, they have over 1100 followers.

In fact, if you search for BOT House on Google (with or without quotes), the BOT House Twitter page is the number one hit. That came as quite a shock, considering without quotes there are over seventeen million hits (with quotes, just over 14K).

So anyway, tweet me if you get a chance. I am finally paying attention.

Thursday, August 19, 2010

It's Always Something!


After I published my first Websense hack back in 2007, my hard drive died. It took out BOT House for a couple of months (just the box itself, the UT servers were jacked around to other boxes and VMs).

The second time, RoadRunner died.

Now, on the day after the third Websense hack, RoadRunner decides to re-engineer its entire network.

They moved the DHCP server and re-IP'd the entire network in my area sometime after 2AM this morning. As a result, everything died.

For the average user, moving the DHCP server should never be an issue, but in RR's case, it's on a 10.0.0.0/8 network. The problem is, with my unique setup, I already have a route for 10.0.0.0/8, so the router/firewall (which is where BOT House lives) was never able to renew its address, knocking it offline.

Which is just as well because BH only expects to lose its address after an extended power outage. It's hacked around so that everything - startup scripts, routes, system variables, etc. - gets changed after a reboot with a new IP. No reboot, no IP change.

And naturally, once I rebooted BH to set everything right again the damned thing decided to check all the disks, which took forever.

The servers are indeed back up, but you will need to update your UT99 favorites, if that's how you connect.


AND ANOTHER THING...


For the first time in four years this place attracted comment SPAM in the Websense Redux article, which was THE WORST PLACE they could have picked. I don't want to moderate the comments, but if it keeps up I'll have no choice.

Wednesday, August 18, 2010

Websense/ISA "Via:" Bypass Redux


discovered by mrhinkydink

PRODUCT: Websense Enterprise

EXPOSURE: Trivial Web Policy Bypass (III)


SYNOPSIS
========

On May 29, 2010 I demonstrated that by adding a "Via:" header to an HTTP request it is possible for a user to completely bypass filtering and monitoring in a Websense Enterprise 6.3.3/Microsoft ISA Server (2004 or 2006) proxy integration environment. This was addressed in Websense Knowledge Base article #5117.

However, anyone familiar with the Via bypass technique would have noticed this remediation was insufficient.


PROOF OF CONCEPT
================

The following works in a Websense Enterprise system using the ISA Server integration product in a Cache Array Routing Protocol (CARP, sometimes referred to as "CRAP") configuration, which requires at least two ISA servers.

Assuming there are two ISA servers configured as per Websense Knowledge Base article #5117, one at IP address 10.10.0.1 and another at 10.10.0.2, perform the following:

I. Install Firefox >= 3.5

II. Configure Firefox to use one of the proxy servers in the CARP array (10.10.0.1).

III. Obtain and install the Modify Headers plug-in by Gareth Hunt

IV. Configure the plug-in to add a valid "Via:" header pointing to the other server in the array.

    Example: "Via: 1.0 10.10.0.2"

V. Browse to a filtered Web site

VI. All content is allowed without monitoring or filtering
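As a defender's counterpart to the PoC above (an added example, not part of the original advisory): a check an ISA/Websense administrator could run over captured requests to flag a "Via:" header that names a CARP array member when the request did not actually arrive from that member. The array addresses and sample requests are constructed to match the PoC, and the (source IP, header list) request shape is an assumption of this example.

```python
"""Flag requests whose Via header claims an array-peer hop that never happened."""

# Constructed: the two ISA servers in the CARP array from the PoC.
ARRAY_MEMBERS = {"10.10.0.1", "10.10.0.2"}


def via_hosts(via_value):
    """Return the received-by hosts named in a Via header value.

    Each hop looks like '1.0 10.10.0.2' or '1.1 proxy.example (comment)';
    multiple hops are comma separated and the host may carry a :port.
    """
    hosts = []
    for hop in via_value.split(","):
        parts = hop.strip().split()
        if len(parts) < 2:
            continue  # malformed hop, nothing to name
        hosts.append(parts[1].split(":")[0])
    return hosts


def is_spoofed_via(src_ip, headers, array_members=ARRAY_MEMBERS):
    """True when a request from outside the array names an array member in Via.

    A genuine intra-array hop always arrives from another member's address,
    so a client-originated request carrying such a hop is the bypass pattern.
    """
    if src_ip in array_members:
        return False  # forwarded by a peer; the Via hop is legitimate
    for name, value in headers:
        if name.lower() == "via":
            if any(host in array_members for host in via_hosts(value)):
                return True
    return False


# Constructed sample requests: (client source IP, list of (header, value)).
SAMPLE_REQUESTS = [
    ("192.168.1.50", [("Host", "www.example.com")]),
    ("192.168.1.50", [("Host", "www.example.com"), ("Via", "1.0 10.10.0.2")]),
    ("10.10.0.2", [("Host", "www.example.com"), ("Via", "1.0 10.10.0.2")]),
    ("192.168.1.51", [("Via", "1.1 upstream.corp.example, 1.0 10.10.0.1")]),
]


def flag_spoofed(requests, array_members=ARRAY_MEMBERS):
    """Indexes of the requests that match the spoofed-Via pattern."""
    return [i for i, (src, hdrs) in enumerate(requests)
            if is_spoofed_via(src, hdrs, array_members)]
```

Running `flag_spoofed(SAMPLE_REQUESTS)` flags the second and fourth requests; the third is a real peer hop and passes.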


PoC RESTRICTIONS
================

All restrictions of the original Via Bypass article apply.

See http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html

OTHER USES
==========

Limited only by your imagination! You do have an imagination, don't you?

See http://mrhinkydink.blogspot.com/2010/05/websense-633-via-bypass.html


WORK-AROUNDS
============

Install Hotfix 17 provided by Websense.

HISTORY
=======

06/25/2010 - vendor notified

08/13/2010 - vendor releases Hotfix 17

08/18/2010 - PoC published



c. MMX mrhinkydink

Saturday, August 14, 2010

10 Days of "Auto AutoAdjust"


And no one has complained yet!

I must say it adds a bit of a challenge. And that challenge is staying less than 10 points ahead! That, and finding a good place to hide when it's time to KICK OUT THE JAMBS!

IN OTHER NEWS, it seems like the stars and planets have aligned for some sort of cosmic spotlight on the old Dinkster. Normally, for me at least, when I get that feeling it's reminiscent of the archetypal wide-eyed convict with hands spread and back against the prison wall.

Generally speaking, not a good feeling.

This time around I think things are going to be different. There are some endings and beginnings on the horizon and all of them are good. Not only is there a light over at the Frankenstein Place there's one at the end of the tunnel as well. Last week brought a Triple Whammy of Good Things, all centered around the same subject, a subject on which I just happen to be a Subject Matter Expert (SME, for you non-PMPs).

And although I don't want to get specific just yet, suffice to say this may finally be my ticket out of the Salt Mines.

Tuesday, August 03, 2010

XOR AX,AX Retired


The bot XOR AX,AX (a.k.a "Zero") has been retired and replaced by "ASS-HOLO", in (dis)honor of ACE-GORO, who is an annoying little bitch because he's always trying to lure players away to his server.

After testing out Auto-AutoAdjust I decided to take some skillz away from 6 Pack Sally, who was more than nasty enough without getting AutoAdjusted. She's still tough, but not as tough as she used to be.

FWIW, "xor ax,ax" is an old (I first heard about it in the 80s) programmer trick to load a CPU register with zero. Since any number xor'd with itself is zero, it saves CPU cycles and memory over an immediate load. It has become so prevalent over the years that it is now a standard assembler optimization. It will probably never be retired.

Now that it's working I am declaring a General Amnesty and clearing out the firewall rules.

Monday, August 02, 2010

NEW! Bot Skillz Code


From here on out, if you want to know the Bot skill level during the game, say:

HSQ!


... and the admin will tell you after a short delay.

I suppose it stands for "Hinky Skill Quotient". It must be ALL CAPS. Don't forget the BANG (!) at the end.

Of course you can always do it the old-fashioned way, whatever that is. I assume there must be a command somewhere in the UT game console, but I seldom use it, so I wouldn't know.

Auto AutoAdjust works quite well. It gives the good/cheating players a run for their money and since they usually clear the place anyway I'm not too concerned about that happening. It will always reset to Novice sooner or later, and it will not AutoAdjust when a Bot has the lead.

When it happens the best thing to do is try to hide somewhere and let the hotshots deal with it until it's over.

Sunday, August 01, 2010

Back To Plan "A"


"Auto Godlike" was just a bit too much.

Some players are going to have nightmares tonight because of it. They went home crying their little eyes out.

Sorry about that.

Plus for some reason it seemed to be a little "sticky", meaning it just wouldn't reset itself between games. I know I've seen that before. Godlike has a mind of its own sometimes.

And when everybody's getting beat, no one wants to hang around. It really cleared the place out, which is not the point.

So it's back to "Auto AutoAdjust", which is capable of Godlike if it has to be. The spread is hard-coded to ten instead of half the high score. That way, Classic ]I[ will never go into AutoAdjust (the high score is only 10). There are better ways of doing that but for now it's a quick fix.

I need to put a little finesse into it as well. It shouldn't kick in if a bot is winning, only a human. That might take a little work, but bots are pretty obvious because they have a zero ping.

When the admin says "KICK OUT THE JAMBS" that's when everything kicks in, so watch out for it.

0days & Anonymous Assclowns


Tomorrow, August 2nd, Microsoft is supposed to release a patch to address the (decade-old) "LNK" 0day vulnerability in all (supported) versions of Windows.

If you haven't heard about this yet, you've been living under a rock for the past month.

Or, like most people, you just don't give a shit about computer security (after all, you play UT99 and install untrusted DLLs almost every time you play, right?).

I consider this a severe threat. So much so that I have moved all my online activities (except UT) over to Linux, specifically my 64bit Mythbuntu system.

(And - incidentally - I have also been using Opera, which is much better on Linux than it is on Windows - why is that?)

If you're wondering why you haven't heard about this on Hinky Links, the fact is I'm pretty burnt out on security and I've been letting Hinky Links slide into the shitter.

On top of that, working at the Salt Mines has been an incredible disappointment. Rumor has it our "Security Officer" is about to get the axe, and he's been acting like it.

That would be Anonymous Assclown #1 and the less said about him the better.

Anonymous Assclown #2 recently dropped a few threatening comments here at Blogspot accusing me of being in cahoots with yet another Assclown. I have no clue what that is all about, but if he shows up again I'm going to have to shut off anonymous comments.

ASSCLOWN UPDATE

I didn't mention it earlier, but this is what Assclown #2 had to say...
If you fail to answer my question in a timely manner, I will assume that you are working directly with Kimmo [this guy - hinky]. As such, I will be forced to send tons of false abuse reports to your registrar and host, GoDaddy, which may result in you losing your domain and hosting privileges.
I'm not sure what this assclown's schtick is, but apparently this "Kimmo" dude has raised the ire of 4chan et al. over the past few years.

Me, I never heard of him. But since I'm not interested in losing my GoDaddy accounts just yet (although I've been bitching about them for years now), I called Tech Support and let them know of this guy's threats. Their policy is to contact the client before taking any action on abuse complaints, so it shouldn't be a problem.

I deleted Assclown 2's original comments but if he shows up again I'll probably let them float for awhile, just for posterity's sake.

Auto Godlike Mode!


Once Auto AutoAdjust started working after I fixed it, I decided it didn't work too well.

At least it did work, after all these months, but it just wasn't enough to make a difference. So now on top of AutoAdjust, I kicked the bots' skillz up to "Godlike".

Again, this only happens once the lead player's score is half the winning score ahead of the next highest player. It only affects the bots, so if there is a house full of humans nothing really happens.

Considering the bots normally start out as "Novice", if you're really good and you're the only person playing, WATCH OUT!

I have taken great pains to assure that the bots go back to "Novice" mode after the game is over, but there may be unusual circumstances where they might get stuck in "Godlike" mode.

To test all this out I may declare another General Amnesty and un-ban all the bad players.

I have the week off so I'll probably be playing quite a bit.

Pussyfooting Does It AGAIN!!!


Last night at about 7:45PM she shut down EXP IV for the second time in three days!

She wasn't as graceful this time. First I heard the sound of shit getting knocked over before the telltale "beep" of the UPS off-button.

This was obviously a malicious, deliberate act! Cyberwar in my own Fambly Room!!!

I have since implemented countermeasures to keep it from happening again. A cardboard barricade, secured with spare paving bricks, is the first obstacle. If she gets past that, she has to knock the keyboard out of the way.