Understanding Distributed Postgres BDR

I made this presentation to help myself learn about distributed Postgres, specifically Postgres BDR. It includes the background needed to understand the different modes of operation of distributed Postgres. The notion of a database journal is explained in case the audience is unfamiliar with it.

The meat of the presentation is a look at the various conflicts that will inevitably arise when using Postgres BDR. It ends with the conclusion that application writers must deal with certain conflicts themselves and points out the effect on the user experience.

 

Raspberry Pi No HDMI SSH

Update June 2, 2012: kernelcode on the Raspberry Pi forums has a much more elegant solution to the unknown IP address problem. The command below writes your current IP address out to a file. You can then shut down the Raspberry Pi and remove the SD card, read the card from your desktop, and open the /home/pi/myip.txt file to view your IP address. Note that this isn’t foolproof because it requires shutting down the Raspberry Pi board, but more than likely you will get the same IP address upon next boot.

ifconfig > myip.txt

Scenario

You’ve gotten your Raspberry Pi board in the mail and you want to start using it, but you’re missing an HDMI cable or an HDMI-capable display. With a little blind typing, you can get openssh-server up and running.

(This tutorial assumes that you have Debian for Raspberry Pi correctly written to an SD card. If not, see <this tutorial>)

Login

Logging in blind is an easy task. Type ‘pi’ and hit enter. Then type ‘raspberry’ and hit enter. Now switch to root, as some of the later commands will require it.

sudo su

Packages

First you need to update your package list.

sudo apt-get update

Next you need to install the openssh-server package. Type the command below, wait a couple of seconds, then type y + enter. Now wait a minute or so while the package downloads and installs.

sudo apt-get install openssh-server

IP Address

Remember, you want to connect to your Raspberry Pi, but you don’t have a display, so you can’t see the IP address of the device. The solution is to use the OK status LED to blink out your IP address. We now need to get the code that blinks the IP onto the device and run it.

wget http://bit.ly/N6aQj4 -O blink_ip.pl
perl ./blink_ip.pl

(The above url is a snapshot of the gist url https://gist.github.com/2858824)

blink_ip.pl

  • Starts with a long period of fast blinking
  • Blank for 4 seconds
  • Begin IP address display routine
    • 1-9 are displayed by counting blinks of the LED
      • Turn the LED on for .25 seconds
      • Turn the LED off for .25 seconds
    • 0 is displayed by rapidly blinking the LED
    • Turn the LED off for 2 seconds
    • Repeat
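The blink scheme above, as an added example in Python (not the blink_ip.pl gist’s code): it turns an IPv4 address into a list of (LED state, seconds) steps and reads the digits back the way a viewer would, so the encoding can be checked without a board. The preamble length, the fast-blink period and the number of rapid blinks that mean 0 are not given on the page and are assumed; the page also does not say how the dots are signalled, so only the digits are sent.

```python
# Added example, not the blink_ip.pl gist: encode an IPv4 address as the LED
# blink schedule described above and read it back. Instead of driving a GPIO
# pin it returns (led_state, seconds) steps. "Assumed" values are not on the page.

PREAMBLE_BLINKS = 20          # length of the "long period of fast blinking" (assumed)
FAST = 0.1                    # on/off time of a fast blink: preamble and digit 0 (assumed)
ZERO_BLINKS = 5               # number of rapid blinks that signal a 0 (assumed)
DIGIT_ON, DIGIT_OFF = 0.25, 0.25
PREAMBLE_GAP, DIGIT_GAP = 4.0, 2.0


def _blink(steps, count, on, off):
    for _ in range(count):
        steps.append(("on", on))
        steps.append(("off", off))


def encode_ip(ip):
    """One pass of [(led_state, seconds), ...]; dots are not signalled (assumption)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    steps = []
    _blink(steps, PREAMBLE_BLINKS, FAST, FAST)          # long period of fast blinking
    steps.append(("off", PREAMBLE_GAP))                 # blank for 4 seconds
    for digit in ip.replace(".", ""):
        if digit == "0":
            _blink(steps, ZERO_BLINKS, FAST, FAST)      # 0 = rapid blinking
        else:
            _blink(steps, int(digit), DIGIT_ON, DIGIT_OFF)  # 1-9 = counted blinks
        steps.append(("off", DIGIT_GAP))                # LED off for 2 seconds
    return steps


def decode_digits(steps):
    """Read the digits back as a viewer would: wait for the 4 s blank, then
    count the pulses between 2 s gaps; a burst of fast pulses means 0."""
    start = steps.index(("off", PREAMBLE_GAP)) + 1
    digits, pulses = "", []
    for state, secs in steps[start:]:
        if state == "on":
            pulses.append(secs)
        elif secs >= DIGIT_GAP:
            digits += "0" if pulses[0] == FAST else str(len(pulses))
            pulses = []
    return digits
```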

D-FENCE Hax0ring Competition

On November 8, 2011, ACM hosted their first, and hopefully not last, security event, called D-FENSE (Offensive Security Competition). The goal of the event was to write our team name into a file on one of several machines placed on a local network. The catch was that the file was owned by root, which meant we needed root access to modify it. The event officially started when we were given the SSID and password for the router and the two IP addresses of the sandboxed servers.

Our play started by checking the machines’ web servers. Typing the IP address of a machine into the web browser sends a request to port 80 on that machine, where a default Apache server answers it. This brought us to a web page. At first we weren’t sure exactly what we were looking for, but after clicking a few links we stumbled upon a Drupal installation.

Drupal is a content management system that allows you to easily create a website and its content. The admin can also create new users to help with content creation. This installation of Drupal did not hide the user login prompt. After searching the recent blog posts on the site, we were able to find who they belonged to; these authors are the usernames in the Drupal database. We stumbled across patrick, who must have been a lazy boy because he never changed his default password.

After logging in with username: patrick password: password, we were given permission to create content for the site. The content could be written as HTML, and also as PHP. By uploading PHP code, we had a way to run code on the server side. The first piece of PHP code we ran produced a directory listing, which let us see the file hierarchy.

=====================

Team Awesome consists of Michael Mitchel, Sarah Diesburg, and Chris Meyers. We divided the work into service scanning and discovery, manual web assessment, and vulnerability research. Manual web assessment proved fruitful.

Modification of the FINISH_LINE.txt file was achieved through (1) guessing the Drupal password as ‘password’, which gave access to (2) execution of arbitrary PHP code through a blog-type web posting and, finally, (3) compilation and execution of an exploit for a Linux < 2.6.24.1 kernel vulnerability.

(1)
Trivial

(2)

<?php

// Run the command on the server and capture its output, one line per element.
exec('ls -al /', $array);

for ($i = 0; $i < sizeof($array); $i++) {
    // '.' is PHP string concatenation; '+' would attempt numeric addition.
    echo $array[$i] . "<br>";
}

?>

The above PHP code basically provided us with a shell interface, albeit a tedious one. The ‘ls -al /’ command revealed the FINISH_LINE.txt file, owned by and writable only by root. Since the competition goal was to write our group name to FINISH_LINE.txt and we had just reached the milestone of a user-level shell, we concentrated our efforts on privilege escalation to root.

(3)
‘uname -a’ revealed that the server was running Linux kernel 2.6.24.1. A quick web search revealed that this version, and all previous ones, were susceptible to a local vmsplice privilege escalation vulnerability. We copied the C exploit from the search result and compiled it on our local computer, commented out a missing #include that caused an error, added a #define PAGE_SIZE 4096, and compiled it one last time, successfully. We started a local apache2 server so that the server could wget our locally modified C code, using our aforementioned PHP arbitrary command execution. Once the payload was on the server we compiled and executed it, again using the PHP arbitrary command execution.

The output of the compiled code led us to believe that it had worked and that, in fact, we had obtained root! There was just one problem: we couldn’t send subsequent commands to the process that had obtained root privileges. We tried echo piping into the binary and standard input redirection with no luck. It was now time to graduate from being a Script Kiddie and take a look at the vulnerability code. At this point we were questioning whether the vulnerability was working at all. To test it we needed to get some command requiring root running inside the elevated process. But where in the code could we insert a system() or exec() call after it had obtained root privileges?

if (getuid() != 0)
    die("wtf", 0);

Immediately after the above set of statements we inserted the below, and recompiled.

system("echo \"awesome\" > /FINISH_LINE.txt");

After executing the exploit one last time, we issued an ‘ls -al /’ and found that the size of FINISH_LINE.txt had changed.

– All your base are belong to us

Exploit Hax0ring Competition

Team Awesome again took first place, this time in a less web-focused, more systems-oriented exploit competition. Great fun was had in this week-long competition, whose challenges included privilege escalation, buffer overflows, network attacks, and advanced challenges applying obfuscation techniques that remain uncracked.

A big thanks goes out to ACM for hosting the competition and to http://exploit-exercises.com for providing 3 exploit-packed, level-based virtual machines!

Club Hero – Social Jukebox

Club Hero

Fall 2011, Startup Weekend

http://www.clubhero.fm/

Participated in starting up a company in a single weekend. At the end of the weekend our group presented a working prototype of a social Pandora built with App Engine, the EchoNest REST API, Android, and various other frameworks.