11/24/09
Risks of Google's cross-site scripting vulnerabilities
Categories: Computers
Buzer @ 09:05:34 am
I recently discovered a cross-site scripting vulnerability in Google Spreadsheets (or, to be more specific, I extended the idea from fsteff’s discovery. It has been fixed now.)
Then I started thinking: what exactly could one do with this? You have access to the user’s cookies under google.com. At first I was thinking of Google Checkout, but that requires you to authenticate the purchases. You can, however, get the details from the Google account page (name, address etc.), including your other email addresses. By itself this isn’t too scary. However: you also get access to GMail.
So the hacker gets access to your mail (I don’t think creating some PHP/Python/whatever script to access the webmail portion would be too hard). Naturally they also get access to all emails that might include your password. Oh yeah, and they might also scan your email for your CC number: they got the ending digits from your Google account page as well as your address.
Next step? Figuring out the password reset page (or just trying the passwords found in emails) for your other email addresses, as you might use Gmail as the “secondary email” for those. Reset the password and grab the interesting stuff from there as well.
Next step? Try password reset on other interesting sites (Facebook, web shops etc.) with the email addresses they obtained and then use them as they see fit. They could, for example, use social media sites (and Gtalk) to spread the malicious URL further.
But there is still more: Google Docs. I’m not sure how popular they are currently, but the code could just grab them and analyze them later for anything noteworthy (SSNs etc.).
So, what should be done to mitigate the risk even a bit? One possibility would be for every subdomain to set its own unique cookie, which would be required in order to access content there, instead of relying on a single cookie scoped to the whole google.com domain.
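To make the cookie-scope point concrete, here is an added example (not from the original post): it applies RFC 6265 domain matching to a constructed cookie jar on hypothetical example.com hosts and shows that a cookie set for the parent domain is readable by script on every subdomain, whereas a host-only cookie of the kind the post suggests is only ever sent back to the subdomain that set it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # Domain attribute as stored, without a leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    http_only: bool = False


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain matching: exact host, or host is a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_for(request_host, jar):
    """Cookies a browser attaches to a request for request_host."""
    sent = []
    for c in jar:
        if c.host_only:
            # Host-only cookies go back to exactly the host that set them
            if request_host.lower() == c.domain.lower():
                sent.append(c)
        elif domain_matches(request_host, c.domain):
            # Domain cookies are sent to the domain and every subdomain of it
            sent.append(c)
    return sent


def script_visible(request_host, jar):
    """Names readable through document.cookie by script on that host."""
    return [c.name for c in cookies_for(request_host, jar) if not c.http_only]


# Constructed jar (hypothetical hosts): one session cookie scoped to the whole
# parent domain, plus host-only cookies set by two individual subdomains.
JAR = [
    Cookie("SID", "example.com", host_only=False),
    Cookie("MAIL_SESSION", "mail.example.com", host_only=True),
    Cookie("DOCS_TOKEN", "docs.example.com", host_only=True, http_only=True),
]

if __name__ == "__main__":
    # Script on spreadsheets.example.com sees SID, but neither subdomain cookie
    for host in ("spreadsheets.example.com", "mail.example.com", "docs.example.com"):
        print(host, "->", script_visible(host, JAR))
```

The HttpOnly flag on DOCS_TOKEN shows the other half of the defence: the cookie is still sent on requests to docs.example.com, but script there cannot read it.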
10/28/09
So, I got a new computer to play with HyperV, partly made out of some spare parts. (Some time later I found out it doesn’t support it, neither the processor nor the motherboard, but things don’t end there.)
Naturally, I assemble the computer first. Nothing weird about that (I just had to take the processor out of my workstation in order to upgrade the BIOS to support the new CPU). I put one of my PCI graphics card adapters in there (as I didn’t really have any spare PCIe ones). I put my Windows 2008 R2 USB stick in and boot, expecting to get installing Server Core right away. Wait, uh, setup started and the screen went blank… Reboot. Same thing repeats.
I decide to take my ATI PCIe card out of my workstation and use that. Okay, now this boots without problems. I select Standard Server Core and let the setup do its thing.
A bit later I’m greeted by the login screen. Awesome. I log in and, as expected, I only get a command prompt. I google around to get started installing HyperV (set static IP, hostname, install role etc.). I write the commands as instructed (Microsoft: seriously, just because it’s a “core” install doesn’t mean you couldn’t add a better shell. You know, one with command completion, be it PowerShell, some stripped version or some new one. After all, you are expected to write quite many of them…) and a bit later I have something that I thought was a HyperV install.
I google around to figure out how I manage it. Wait, there is no XP support!? Uh, greeted by that fact, I installed Windows 2008 32-bit server on my Xen box and also the required upgrade. Uh, there is no HyperV role nor HyperV feature?? Fine, I wiped it and installed Vista (let’s not get into the Vista bashing this time…). I installed the MMC add-in and tried to connect. Hmm… Not working. Oh, I’m supposed to add the name to hosts or DNS. Well, added to hosts. Okay, it connects.
Then I used iscsicli to connect to my iSCSI target. No problems there.
I try to create a new virtual machine. Everything goes fine… until it tries to create the disk. Loading, loading, loading… I canceled it and tried again (local disk, that iSCSI target, creating the disk manually etc.). Always hanging at that point. Google reveals someone else had the same problem. I try to troubleshoot (restarting HyperV services, restarting the server etc.). Nope, nothing helps.
Then I check the event log. Oh, there is no virtualization support. Thanks for informing me… (if it doesn’t work, don’t pretend it works).
I bought a new mobo and did some CPU switching. Now the machine should be okay…
I reinstalled Windows. I also had to install a Vista VM on my laptop, as I no longer have an HVM-capable CPU in my Xen machine.
I did everything again up to the point where I should be able to connect to it. I attempt. Nope, “Access is denied.” Googled around and found out I need to enable anonymous remote COM. Awesome, couldn’t figure out anything more dangerous? I do it and reboot. Now I’m getting “You might not have permission to perform this task”. Googling revealed this handy tool, HVRemote. I try to use it. It gives some warning regarding the disabled firewall (I did disable it during the first round as well)…
AND the fact Vista + HyperV R2 is not a supported combination.
So now I downloaded Win7 VM (the MS site says it’s for HyperV, but I do hope it also runs on VirtualPC…) and I am installing Hyper-V Server 2008 R2. Let’s see if I have any luck now…
EDIT:
So now I have successfully installed a HyperV environment. The full steps:
- Install Win 7 (VHD trial image, works on Virtual PC) & Hyper-V Server 2008 R2
- Win7: Install RSAT
- Win7: Enable Hyper-V remote administration role
- Win7: Get hvremote.wsf
- Win7 admin prompt: cscript hvremote.wsf /anondcom:grant
- Win7 admin prompt: cscript hvremote.wsf /mmc:enable
- Win7 admin notepad: Add your server to System32\drivers\etc\hosts
- Hyper-V: Change computer name, check time, static IP etc. from core configurator. Don’t reboot yet
- Hyper-V: Get hvremote.wsf
- Hyper-V: net user XXXXX /add
- cscript hvremote.wsf /add:XXXXX
- Hyper-V: shutdown -r -t 0
- For iSCSI:
- iscsicpl
- diskpart
- select disk 1
- attribute disk clear readonly
- online disk
- create part primary
- select part 1
- assign letter=M
HVRemote simplifies things shitloads. But if there is pretty much a need to use non-standard scripts to get the basic system going, there are still things that could be made easier… Including hvremote with the default install would be awesome.
07/30/09
It was pretty simple in the end. You can find the item with and without zero padding.
Code:
    from django.db import models

    class BarcodeField(models.IntegerField):
        # SubfieldBase makes to_python() run on attribute assignment as well as on load from the DB
        __metaclass__ = models.SubfieldBase

        def to_python(self, value):
            # Present the stored integer as a 14-digit zero-padded string
            if value is None:
                return None
            return "%014.0d" % value

        def get_db_prep_save(self, value):
            # Strip the padding again before the value is written to the database
            if value is None:
                return None
            return int(value)
And using it:
Code:
    from django.db import models
    from project import cfields

    class Product(models.Model):
        name = models.CharField(max_length=100)  # used by the session below
        status = models.IntegerField()
        barcode = cfields.BarcodeField()
Code:
    >>> eeepc = Product(name="ASUS Eee PC 1005HA-PU1X-BK 10.1-Inch Black Netbook", status=1)
    >>> eeepc.barcode=304
    >>> eeepc.barcode
    '00000000000304'
    >>> eeepc.save()
    >>> eeepc.barcode
    '00000000000304'
    >>> eeepc.barcode=39584
    >>> eeepc.save()
    >>> Product.objects.get(barcode="00000000039584")
    <Product: ASUS Eee PC 1005HA-PU1X-BK 10.1-Inch Black Netbook>
    >>> Product.objects.get(barcode="00000000039584").barcode
    '00000000039584'
    >>> Product.objects.get(barcode=39584).barcode
    '00000000039584'
07/05/09
So, I have been having some problems with my ISP again. However, I have a 3G modem (Option iCON 225) that works in Linux, but you cannot pass it to a DomU directly by creating a bridge and attaching that. So I have the following setup:
Internet<->modem<->
Dom0
Internet<->DomU<->
There are several things I need to do:
0. Get DKMS
1. Get hso driver
1.1. Unpack it to /usr/src/hso
1.2. dkms add -m hso -v 1.9; dkms build -m hso -v 1.9; dkms install -m hso -v 1.9
2. Obtain some scripts
2.1. cp -f hso.udev /etc/udev/rules.d/z20_hso-udev.rules; cp -f rezero /usr/sbin/; /etc/init.d/udev restart
2.2. Stick the modem in
2.3. Modify the connect.sh script:
Find the line “route add default dev $NETDEV”. Modify it to the following:
    ip route add default dev $NETDEV table 10
    ip route add $INTERNALRANGE dev $INTERNALBRIDGE table 10
    iptables -t nat -A POSTROUTING -s $BACKUPIP -o hso0 -j SNAT --to-source $PIP
    iptables -t nat -A PREROUTING -i $NETDEV -j DNAT --to-dest $BACKUPIP
    ip rule add from $BACKUPIP/32 to any table 10
INTERNALRANGE = your internal IP range, for example 10.49.2.0/24.
INTERNALBRIDGE = your internal bridge device, for example xenbr0.
BACKUPIP = the router’s IP which you will set as the source for the packets that you want to pass through the 3G modem.
Find the line “ifconfig $NETDEV down”. Modify it to the following:
    ip route flush table 10
    iptables -t nat -D POSTROUTING -s $BACKUPIP -o hso0 -j SNAT --to-source $PIP
    iptables -t nat -D PREROUTING -i $NETDEV -j DNAT --to-dest $BACKUPIP
    # remove the policy rule that the connect step added
    ip rule del from $BACKUPIP/32 to any table 10
    ifconfig $NETDEV down
You might also want to comment out the resolv.conf lines.
2.4. Modify conninfo.ini
Note! Dom0 must have IP forwarding enabled, so “echo 1 > /proc/sys/net/ipv4/ip_forward”. Use sysctl to set it at boot time.
3. Set the DomU
3.1. Add $BACKUPIP to $INTERNALBRIDGE
3.2. Add to a boot script (for example, /etc/rc.local):
    ip route add $INTERNALRANGE dev $INTERNALBRIDGE
    ip route add default via $DOM0IP dev $INTERNALBRIDGE
    ip rule add from $BACKUPIP lookup 10
Test with:
    traceroute -s $BACKUPIP ping.funet.fi
haruhi:~# traceroute -s 10.2.255.1 ping.funet.fi
traceroute to ping.funet.fi (128.214.248.132), 30 hops max, 40 byte packets
1 nanoha.serv.azt (10.2.0.10) 0.000 ms 0.000 ms 0.000 ms
2 ge0-0-1-650.esptnl-pe1.fi.elisa.net (213.161.47.241) 1384.000 ms 1384.000 ms 1416.000 ms
3 ae2.heltli-gw1.fi.elisa.net (139.97.6.246) 1416.000 ms 1456.000 ms 1536.000 ms
4 csc.ficix1-ge.ficix.fi (193.110.226.14) 1616.000 ms 1616.000 ms 1692.000 ms
5 helsinki0-x4100-csc0.funet.fi (193.166.255.154) 1736.000 ms 1784.000 ms *
6 ns-secondary.funet.fi (128.214.248.132) 424.000 ms !X 504.000 ms !X 556.000 ms !X
Now everything sent to your modem will be redirected to the DomU. Unfortunately the only way to detect those packets is to match everything but internal IPs, but you can improve on this if you want (for example, by setting ToS or creating a new bridge for DomU-Dom0 communication).
06/20/09
Microsoft launched an interesting game a while ago, “Are you certifiable?” There are two paths available, Developer and IT Professional. Both consist of 20 (questions per episode) * 4 (episodes per season) * 5 (seasons) = 400 questions total. In the IT Professional path, the questions vary from some random trivia (“When was Windows introduced?”) to quite advanced questions on various Microsoft products (Vista, various 2008 server features like AD, CA and HyperV; Exchange, SQL Server etc.).
If you are considering taking some certification exam, you might want to check it out. Basically it’s like a free mock exam. The program even tells you why some answers are correct (they seem to be from Microsoft’s Self-Paced Training Kit books).