Some days ago GitHub received a DMCA complaint from the RIAA to remove youtube-dl due to copyright violations. The youtube-dl website is still online and I mirrored the files to my website just in case.

Now, due to a bug in GitHub – known for a long time – it’s possible to add files to other users’ repositories without modifying the checkout. You can’t change the current hash, but when adding files a new hash is created and you can link to that exact hash in order to get the files. Very neat!

So, long story short, that’s exactly what someone did.

Uninterrupted, good quality mobile phone reception is extremely important to rail passengers. In technical terms, it’s the pièce de résistance for every network provider because the demands on bandwidth increase with data-intensive applications. Swisscom has now successfully achieved a transmission speed of over 1 Gigabit per second on a moving train under test conditions. This result sets a new benchmark for the mobile phone industry.

Source: Swisscom

BigBlueButton is a free web-based video conferencing software that lately got quite popular, largely due to Covid-19. Earlier this year I did a brief check on its security which led to an article on Golem.de (German). I want to share the most significant findings here.

BigBlueButton has a feature that lets a presenter upload a presentation in a wide variety of file formats that then gets displayed in the web application. This looked like a huge attack surface. The conversion for many file formats is done with LibreOffice on the server. Looking for ways to exploit server-side LibreOffice rendering I found a blog post by Bret Buerhaus that discussed a number of ways of exploiting such setups.

One of the methods described there is a feature in OpenDocument Text (ODT) files that allows embedding a file from an external URL in a text section. This can be a web URL like https or a file URL and include a local file.

This directly worked in BigBlueButton. An ODT file that referenced a local file would display that local file. This allows displaying any file that the user running the BigBlueButton service could access on the server. A possible way to exploit this is to exfiltrate the configuration file that contains the API secret key, which then allows basically controlling the BigBlueButton instance. I have a video showing the exploit here.

Source: Hanno’s Blog

I never understood why you need to include external files or webpages in such a document and I can’t even think of a use-case why this is a great idea, unless you want to fuck up things.

Here’s the PoC, in case you’re interested.
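A defender-side check for the ODT linked-section feature described above, as an added example that is not from the original post or from BigBlueButton: it scans an uploaded package for `text:section-source` links before the file reaches the LibreOffice converter. The function names, the size cap and the sample package are assumptions constructed for illustration, and the check covers only this one link mechanism.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
MAX_XML_BYTES = 20 * 1024 * 1024  # assumed cap against oversized members


def linked_sections(odt_bytes):
    """Return (member, href) for every text:section-source in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as pkg:
        for member in ("content.xml", "styles.xml"):
            if member not in pkg.namelist():
                continue
            if pkg.getinfo(member).file_size > MAX_XML_BYTES:
                raise ValueError(f"{member} exceeds size cap")
            data = pkg.read(member)
            # ODF XML needs no DTD; refuse it rather than expand entities.
            # (Byte match assumes the usual UTF-8 encoding of ODF members.)
            if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                raise ValueError(f"{member} contains a DTD")
            for el in ET.fromstring(data).iter(f"{{{TEXT_NS}}}section-source"):
                href = el.get(f"{{{XLINK_NS}}}href")
                if href:
                    hits.append((member, href))
    return hits


def make_constructed_odt(href=None):
    """Build a minimal constructed package (not a full ODT) for the demo."""
    source = f'<text:section-source xlink:href="{href}"/>' if href else ""
    content = (
        f'<office:document-content xmlns:office="{OFFICE_NS}" '
        f'xmlns:text="{TEXT_NS}" xmlns:xlink="{XLINK_NS}">'
        '<office:body><office:text><text:section text:name="s1">'
        f'{source}<text:p>slide text</text:p>'
        '</text:section></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (make_constructed_odt(),
                   make_constructed_odt("file:///constructed/placeholder.txt")):
        hits = linked_sections(sample)
        print("reject upload:" if hits else "no linked sections", hits)
```

A conversion service would reject or quarantine any upload for which `linked_sections` returns a non-empty list, and should still run the converter as an unprivileged, sandboxed user that cannot read configuration secrets.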

All 19 intelligence services of the federal government and the states will soon be allowed to secretly hack devices. The federal government has approved a corresponding draft bill. For a long time the SPD had misgivings, now it has caved in. Party leader Saskia Esken was also against it, now she supports the compromise.

Source: Netzpolitik

By now nobody expects anything else from the traitor party anyway. They are world champions at caving in. That such colossally wrong decisions endanger the security of the entire population does not seem to have sunk in. Consequently, one has to assume that they at least knowingly accept it. When will they finally start listening to experts and stop making policy against the people?

