The Downside of the WordPress Plugin Directory

One of the most powerful and useful parts of WordPress and other popular CMS software offerings is the seemingly endless number of available plugins to extend functionality in nearly any way you like. WordPress provides the Plugin Directory, where developers can publish their open source plugins free of charge for other users to download and use at no cost. In fact, I’ve contributed to the Plugin Directory with a number of offerings over the years, including Document Gallery, Hello Simpsons Chalkboard Gag, and Prezi Embedder. But, with all this power does come a downside…

As a site owner planning to use one of these plugins, you either have to read every line of code from the plugins you are planning to to use (and understand the code enough to spot any possible security vulnerabilities), or you have to trust that the plugin developer has made the code secure. If the developer was careless, your site could quickly be compromised (hacked!).

Continue reading

Removing COM Module from Honeywell UtilityPRO

A few weeks ago, my apartment complex installed new UtilityPRO programmable thermostats in all of the units. As part of the CPS Energy Peak Saver program. Quite a convenient little gadget, but a little creepy too. With this thermostat, CPS has the ability to modify the temperature remotely without me knowing. Although I personally couldn’t care less, I spoke with some friends who didn’t like this idea. So that got me thinking — I wonder how difficult it would be to disable this remote access.

A little googling revealed that the thermostat I had was a Honeywell UtilityPRO, which handles remote communication through the ZigBee protocol. With this knowledge in hand, I did what any good computer scientist would do and ripped the damn thing apart (carefully, of course). What follows are the steps that I followed in removing the ZigBee COM module, which in turn disabled any remote communication with the thermostat.

Continue reading

OS-Agnostic Ghostscript Detection

In developing one of my more popular WordPress plugins, Document Gallery, I was faced with a challenge that stumped me for a bit. Recently, some of my users had asked for additional functionality to support auto-generation of thumbnails for the documents in their gallery. These documents could be any number of filetypes, but for this particular post we’ll be discussing PDF thumbnail generation.

PDFs are actually quite simple to thumbnail and the process is well-documented across the web. If I had been content with simply using the PHP Imagick extension to wrap my access to Ghostscript (GS), which does the actual conversion for PDFs, then the process of generating a thumbnail would have been quite straightforward, but I was not content with this solution, the primary reason being inefficiency. The way that Imagick processes PDFs before passing it down to GS is very slow. Thus, I went about setting up a framework to directly execute GS from PHP’s exec() with Imagick as a fallback in the event that I was unable to find a GS executable.

This all should have been quite simple, but it wasn’t. In order to accurately find and execute GS in a platform-agnostic way is actually quite challenging, and surprisingly poorly documented on the web. First, one must determine whether exec() is available. This is quite a convoluted thing to determine in-and-of-itself, but thankfully I found someone else’s solution for this and did not have to develop it myself. Finding the GS executable, however, was another story entirely. Continue reading

Tunneling Through the Great Firewall of China

Among the things that the People’s Republic of China is known for is the Great Wall of China, however, we tech nerds also associate the country with the Great Firewall of China (GFW). The GFW, officially known as the “Golden Shield Project,” is an ever-growing effort by the Chinese government to implement strict censorship of the Internet content accessible to its citizens. Sites that are or have previously been blocked include Google, Facebook, YouTube, and WordPress, plus many more.

Chinese flagRecently, a friend of mine was planning a trip to China in order to teach an ESL course. In addition to his understandable desire for some level of privacy in his internet access, he also needed access to YouTube in order to do some of the segments in his curriculum. When he asked for recommendations on how best to circumvent the GFW, my first thought was to use a VPN, but, after doing some reading, I discovered that the GFW has added technology in recent years to detect and block IPs associated with VPNs (see here and here).

With a true VPN no longer a reliable option, the next best thing I could think of was to use an SSH tunnel as a VPN alternative. Instructions for running an SSH tunnel on a Windows OS using PuTTY are scattered over the web, including here and here. The “gotcha” that you may well run into (as my friend did), is that you must enable remote DNS lookup, otherwise the URLs you are requesting will be visible to the GFW.

In order to do this, you only need to navigate to about:config in your Firefox browser (unfortunately, no other popular browsers currently support SOCKS5, which is required). In config, search for “dns” and double click on the line called “network.proxy.socks_remote_dns.” Once this value is set, Firefox will resolve all queries through your SSH tunnel, returning the encrypted content for your viewing pleasure.

So that was my experience tangling with the GFW. This great technological wonder is ever-evolving and has begun to defend against VPNs, one of the newer forms of secure access to the web. It is possible that the GFW could also detect and block the SOCKS5 protocol in the future, but for now at least SSH tunnels are still a viable option for tunneling through the GFW.

Accurately Track Your Dynamic IP With Text Messages

A few weeks ago, I posted about how to send SMS messages via command line. Today, as promised, I am going to follow up on that post by providing a practical use for this functionality.

My current setup at home includes a hole in my firewall to allow SSH access to a machine sitting inside of the network. On this machine sit various items that may be useful to me when traveling outside of my home network, including movies, music, and various other files. However, this open SSH hole does me zero good if I don’t know what my machine’s IP is, and I generally would not know since the IP is dynamically allocated by my ISP.

In order to always know where my machine is currently located, it needs to phone home every time the allocated IP changes. In this case, I mean to phone home literally. I have setup this particular machine to regularly check its IP, then, if the IP has changed since it last checked, it will send me a text message with the new IP.

Continue reading

SMS On Command Line

I ❤ SMSSometimes we as tech nerds like to do things just because we can. This is an example of exactly that. In an age where practically everyone who hasn’t been under a rock for the past decade has a smartphone which can send and receive email messages, putting in the work to allow sending old-school SMS messages, which are notoriously unreliable, from the command line is simply unnecessary. That said, it’s fun so I did it (and you can too)!

The first step you will need to take before starting is to make an account with Google Voice. Although you could also rely on an SMS gateways to handle text relay, this would first require knowing the cell provider that a number is tied to, which is often not practical.

In any event, once you have your account setup with Google Voice, the next step is to chose a language to write your SMS messaging script in. Although Google has never taken the trouble to release an official API for their messaging service, some smart individuals have figured it out and written libraries in a number of different languages. I personally chose to work in Perl and thus used WebService::Google::Voice::SendSMS, located in CPAN, but there are many other options, even other Perl libraries. A quick search for “<your chosen language> Google Voice” should return an option or two (and if not, why not write it?).

My solution for sending SMS via command line, seen at the bottom of this post, is relatively simple and leaves out some parameter checking that should probably be included for robustness, but it gets the point across. The basic idea is to first setup a config file containing your Google Voice login information in your home directory. Assuming a config file is found, the script uses the recipient’s phone number and the message to be sent, both given in the command line, to initiate the SMS message. Depending on whether the message is successfully delivered to Google or not, the program exits accordingly.

It is important to note that the program cannot determine whether the SMS message actually reached the intended recipient. This is neither a limitation of the library nor of Google Voice, but rather the SMS protocol, which cannot guarantee or verify delivery.

Continue reading

The Importance of Sanitizing Input Strings

As a young programmer, it’s easy for me to forget that, unlike in the academic programming environment, it is vital that I protect my programs against any and all potential attacks. Recently I realized just how easy it is to leave a gaping hole in a program’s security. I am posting this today as both a reminder to myself and a warning to any who might run across it: sanitize your program input!

Recently I was working on a personal project: a little web app that displays the machines in the Computer Science department lab based on active OS (since they are dual-booted with Ubuntu and Windows XP, the OS will regularly change on any given machine). You can see a snapshot of an older version of the map that was released a few months ago here.

The map worked fine, but it had a lot of overhead and required root privileges to run, so I decided to rewrite the backend using netcat instead of my previous solution which utilized nmap‘s OS detection. With netcat’s z flag, determining whether a machine is listening on a given port is trivial and since the labs are all extremely homogeneous it only requires a test of port 22 to determine if the machines are booted into Ubuntu (which will accept SSH connections) or into Windows (which will deny port 22 connections) or offline (in which case the connection will be dropped).

In any event, I wrote a PHP script which accepts three parameters based on the names of the lab machines, “prefix,” “start,” and “end.” If I were to call the script with the following query string: ?prefix=dog&start=1&end=62 then the script would scan the machines between dog01.cs.utsa.edu and dog62.cs.utsa.edu.

In order to make this magic happen, the program must make a shell call to netcat for each machine to be scanned. This can be completely safe, but only if you sanitize your data. Since the prefix will be used in each shell call and, unlike the numeric values for “start” and “end,” will remain static, it is perfect for inserting malicious code by the user. Before I released the script, I did one final sanity check and realized that I had not sanitized this value. Before closing the hole, I decided to play with the exploit a bit and the following is what I did:

First, I considered how the input strings were used in my program. The following string was passed to the shell for each iteration through the machines: /bin/nc -zv -w 1 $mac 22 2>&1| /bin/cat -. The value for $mac was defined as the user-entered $prefix and the sanitized integer value somewhere between $start and $end. As a proof of concept, I decided to do an ls of the /home directory to see who was currently mounted on the web server. Obviously, a user who wanted to do more damage could conceive of much worse things, but I was not inclined to foo-bar the server for the sake of this test.

It turns out, all that was required was to insert the URL-encoded value of “;ls -l /home;” as the value for $prefix. It breaks the netcat call, but that’s OK. The output returned was the following:

total 28
drwx-----x 45 bwright students 4096 Apr 22 12:17 bwright
drwx--x--x 86 drossite students 4096 Apr 28 19:59 drossite
drwxr-xr-x 137 lmaddox students 20480 Apr 25 20:03 lmaddox
sh: 01: command not found

(That last bit about command not found is the shell trying to figure out what to do with the integer that was given after our second semicolon.)

To resolve this security hole, all that is required is a regex replacement of all special characters. In this particular instance, anything other than letters is not going to represent a valid prefix, so, after pulling the prefix from the user, I simply apply the following: $prefix = preg_replace( '/[^a-zA-Z]/s', '', $prefix ). For my specific implementation, I am also able to limit the length of the value passed in (not shown). And that’s it. The program is now secure against malicious users compromising the server, through user input, at any rate.

If you have a similar almost uh-oh, feel free to share in the comments below!