HonestRepair


Thanks for subscribing to the HonestRepair Newsletter!
 
With the holidays steadily approaching, I've been finding it hard to make time for projects lately. As a result this newsletter is a tad late, but that doesn't mean that progress hasn't been made! Keep reading to find out how a Reddit thread turned into an update for all three of our server-side applications. Also in this issue you'll find code for a Windows resource monitor for admins, with scheduled-task support and email notifications.
 

What's New?

 
HRConvert2 - This month I was approached by Reddit user neogeovr, who raised concerns about the amount of sanitization being performed on user input. He specifically pointed out that pipes and double dots weren't explicitly being removed. Pipes were easy to fix, as the character fits nicely into the list of bad characters that sanitizeCore already strips for exactly this purpose. Double dots proved trickier: simply scrubbing out every dot also corrupts valid filenames by mangling the extension (test.txt becomes testtxt). To solve this, special conditions had to be crafted and added throughout the various cores that accept user input. It is important to note that all HonestRepair applications are hardened against these attacks by nature. The nature of software development in general is to fix issues like these as soon as possible. I am proud to report that all three currently supported HonestRepair server-side applications were patched within 24 hours. When I asked neogeovr whether he had any proof-of-concept attack code or indicators of compromise, he did not provide any. Currently there is no evidence to suggest that our software has been exploited in the wild, but to be fair there is also no evidence to suggest that it hasn't been. The most important thing to me is that there are genuine, non-malicious people out there putting their eyes on this stuff and reporting it so our software gets better for everyone. I really appreciate the heads-up from neogeovr, and I encourage anyone and everyone to mess around with this code and submit a pull request or issue on GitHub if you find anything you don't like.
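The extension-mangling trap and the fix described above, as an added example: this is not HRConvert2's own code (which is PHP), the bad-character list is a constructed stand-in for sanitizeCore's list, and the final inside_base() check is a defence-in-depth step this example adds on top of the sanitizer.

```python
"""Filename sanitizer: strip pipes and dot-dot without destroying extensions."""
import os
import re

# Constructed stand-in for the sanitizeCore bad-character list (pipe added as in
# the report); path separators and NUL are included so no separator can survive.
BAD_CHARS = set('|<>:"?*;&$`\'') | {'/', '\\', '\0'}


def naive_sanitize(name: str) -> str:
    """The tempting but wrong fix: scrub every dot. 'test.txt' becomes 'testtxt'."""
    return ''.join(c for c in name if c not in BAD_CHARS and c != '.')


def sanitize_filename(name: str) -> str:
    """Remove bad characters and dot-dot runs, keeping the single dot before an extension."""
    # Strip bad characters first, so that e.g. '.|.' cannot turn into '..' afterwards.
    cleaned = ''.join(c for c in name if c not in BAD_CHARS)
    # Remove every run of two or more dots. One pass is enough: deleting a run
    # joins two non-dot neighbours, so it can never create a new run.
    cleaned = re.sub(r'\.{2,}', '', cleaned)
    # Leading/trailing dots and spaces are dropped as a design choice of this
    # example (no dotfiles, no '.'); an empty result gets a placeholder name.
    cleaned = cleaned.strip(' .')
    return cleaned or 'unnamed'


def inside_base(base_dir: str, name: str) -> bool:
    """Defence in depth: True only if base_dir/name normalises to a path under base_dir."""
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, name))
    return os.path.commonpath([base, candidate]) == base


if __name__ == '__main__':
    for raw in ('test.txt', '../../etc/passwd', 'report|dump.pdf', '..', 'a.tar.gz'):
        print(f'{raw!r:24} naive={naive_sanitize(raw)!r:14} fixed={sanitize_filename(raw)!r}')
```

The naive column reproduces the mangled-extension bug; the fixed column keeps test.txt intact while a traversal attempt collapses to a plain basename that inside_base() accepts.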
 
HRCloud2 - The same sanitization improvements from above apply. Other than that there really haven't been any changes. I also ported OpenJSCAD to the HRCloud2 App Launcher so users can now create, save, and open their 3D models from all their devices. I also realized that last month I completely forgot to mention the new visualizers built into HRStreamer. My bad!
 
HRScan2 - The same sanitization improvements from above apply. Other than that there really haven't been any changes.
 
Atoner - No substantial change from last time.
 
HonestRepair Network - A lot of dependency updates recently and a ton of WordPress plugin updates. Also a really good month for uptime. I haven't put in as much work on the new servers as I would have liked, but like I've been saying there really isn't any rush.
 

In The News

 
Oracle found itself in the limelight earlier this month when a new type of guest-to-host breakout was discovered in the popular VirtualBox hypervisor. The vulnerability was discovered by a sleepy panda bear who coincidentally goes by the name "SandboxEscaper."
 
Google services were briefly unavailable due to a routing mishap that led to much of the world's traffic being redirected through China. This isn't the first time China has been accused of manipulating the infrastructure of the internet to alter the flow of information through its territories, but it is scary and significant nonetheless. In 2010 Chinese telecom companies were accused of re-routing 15% of the internet. Imagine the size of that .pcap!
 
NPM allegedly distributed crypto-coin-wallet-stealing malware via the event-stream package. The original maintainer of the project had turned over control of the NPM repo to an untrustworthy source. The malicious actor, known as "right9ctrl," then used his authority over the repo to add a malicious dependency. He then updated the code again, bumping the major-version number, to cover his tracks. This resulted in the latest version being clean with no signs of tampering or malicious intent, while the most recent branch of the previous major version was compromised. Users installing fresh copies of the software would likely not be infected, while users upgrading older versions would be. I think. I honestly don't know what to believe anymore. I'm just gonna write my own kernel next. *Channeling Cartman from South Park: "Screw you guys, I'm goin' home."*
 
Tabulator is the coolest thing I've seen in a loooong time. I really want to make something with it, or incorporate it into HRC2 or something. Fun fact: it uses div elements in the rendered HTML instead of tables. However this sorcery is accomplished, it's beautiful. And it supports Ajax calls. JSON goes in, mind-numbing tables come out. I think I'm in love.
 

A Windows Resource Monitor w/Email Alerts

 
The code was written in VBS. It accepts a -ds switch, which throws a message box for selecting the disk number to monitor. If no disk is selected, disk information is totaled and/or averaged. It also supports an -ss switch, which throws a message box for selecting the CPU socket to monitor. If no socket is selected, all CPUs are monitored. The -i switch shows as much info to the user as possible and disables email output. The -t switch disables message boxes and enables only email warnings, which is useful when running as a scheduled task.
 
Check out the Github link below.
 
Sadly I didn't get to do a writeup for this code, but I had a lot of fun making it and I think it works pretty well. If you've got a better one or think you can make improvements to this one, I invite you to let me know about it!
HonestRepair
Rowley MA, USA
All work licensed under GPLv3.