Javascript declarations and assignments

This week I was chasing a JavaScript bug. At Qualys we rely heavily on ExtJS, and we have a few thousand JavaScript files that have to live together on the same pages. The bug ended up being in the following lines:

    ...
    renderer: function(layer, text){
        var tag = node = Ext.apply({
            color: '#FCFCFC',
            background: '#666666'
        }, layer);
        tag.text = tag.text || text;
        if(node.disabled){
            tag.style = "color: #CCC !important";
        }
        return tag;
    },
    ...

Can you see what’s wrong?

The issue comes from the first line, an inconvenient mix of a declaration and an assignment:

var tag = node = Ext.apply({...})

The developer thought he was initializing two local variables, tag and node. Only tag is local: node is never declared, so it becomes a global shared with every other script on the page, and anything else that reads or writes a global called node now interferes with this renderer.

Let’s take something simple:

    function test(){
        var a = b = 2;   // a is local; b is created as a global (sloppy mode)
        alert(a, b);     // shows 2 (alert only displays its first argument)
    }
    test();
    alert(b);            // shows 2: b is still there, on the global object

In the first line, JavaScript starts by evaluating b = 2, because assignment is right-associative: the statement is really var a = (b = 2). This is an assignment of 2 to the identifier b. No b has been declared, so in sloppy mode JavaScript creates a new property b on the global object (window in a browser) and stores 2 in it. In strict mode the same line throws a ReferenceError instead of creating the global, which is one good reason to use "use strict".

A quick look at ECMA-262 confirms that an assignment expression evaluates to the value that was just assigned. You can double-check that in your console: eval("b = 2") returns 2.

The outer statement has now become var a = 2. This correctly creates a local variable a containing 2 through a declaration, or more precisely a VariableStatement. A declaration is a statement, not an expression, and has no value of its own: eval("var b = 2") returns undefined.

So don't mix up var a = [value] with a = [value]: they are different constructs, a statement and an expression, that evaluate to different things and create unexpected surprises. If two locals are wanted, declare both of them.
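To make the mechanics concrete, here is an added example (not code from the original post) that runs the chained assignment in both modes, checks the completion values discussed above, and shows the renderer with both names declared. The Ext.apply stand-in applyDefaults and all function names are assumptions for this example; Ext itself is not loaded.

```javascript
// Added example (not from the original post): what `var a = b = 2` does in
// sloppy and strict mode, and the shape that declares two locals.
// Bodies passed to `new Function` are sloppy unless they opt in, so this
// runs the same way whether the enclosing file is a script or an ES module.

// Sloppy mode: `b` is undeclared, so the inner assignment creates a
// property on the global object; only `a` is local to the function.
function sloppyChain() {
  const body = new Function('var a = b = 2; return typeof a;');
  const aType = body();                                   // 'number'
  const leaked = Object.prototype.hasOwnProperty.call(globalThis, 'b');
  const leakedValue = globalThis.b;                       // 2
  const aLeaked = Object.prototype.hasOwnProperty.call(globalThis, 'a');
  delete globalThis.b;   // undo the leak; implicit globals are configurable
  return { aType, leaked, leakedValue, aLeaked };
}

// Strict mode: assigning to an undeclared identifier throws instead of
// creating a global, so a leak like this never survives "use strict".
function strictChain() {
  const body = new Function('"use strict"; var a = b = 2; return a;');
  try {
    body();
    return 'no error';
  } catch (err) {
    return err.constructor.name;                          // 'ReferenceError'
  }
}

// Completion values: an assignment is an expression and yields the assigned
// value; a `var` declaration is a statement and yields nothing. Indirect eval
// runs in the global scope and is sloppy, so its bindings are deletable.
function completionValues() {
  const indirectEval = (0, eval);
  const fromAssignment = indirectEval('__demo_assign = 2');     // 2
  const fromDeclaration = indirectEval('var __demo_decl = 2');  // undefined
  delete globalThis.__demo_assign;
  delete globalThis.__demo_decl;
  return { fromAssignment, fromDeclaration };
}

// The fix: declare both names. Ext.apply returns its first argument, so in
// the original snippet tag and node are the same object either way; the only
// difference is whether node is local. applyDefaults is an assumed stand-in
// for Ext.apply (Ext is not loaded here).
function applyDefaults(target, source) {
  return Object.assign(target, source);
}

function fixedRenderer(layer, text) {
  'use strict';
  var node = applyDefaults({ color: '#FCFCFC', background: '#666666' }, layer);
  var tag = node;                      // both declared; they alias one object
  tag.text = tag.text || text;
  if (node.disabled) {
    tag.style = 'color: #CCC !important';
  }
  const nodeLeaked = Object.prototype.hasOwnProperty.call(globalThis, 'node');
  return { tag, nodeLeaked };
}
```

Run it in Node or paste it into the browser console; sloppyChain() reports the leaked global, strictChain() returns the exception name, and fixedRenderer() never touches the global object.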

Crucible: unrecognised diff format. expected diff hunk descriptor but found

At Qualys we use Crucible. Great tool, though it can sometimes be a PITA, like today for example.
I had a pretty big patch made from several svn revisions:

svn diff -r 23284:23747 -x -b > ~/tmp/code.patch

When I tried to upload that to crucible, I received the msg: "Error adding patch: Unrecognised diff format. Expected diff hunk descriptor but found:"

It's a known issue at Atlassian that has been open for more than two years: https://jira.atlassian.com/browse/CRUC-6114.

Thanks for fixing your bugs so fast btw...

Anyway, the problem comes from the fact that svn diff emits metadata, such as property-change sections, alongside the code changes, and Crucible's parser only understands unified-diff file headers and hunks.

Turns out there is a great tool called filterdiff, part of the patchutils package, that strips every non-diff line:

brew install patchutils
filterdiff --clean code.patch > clean.patch

Crucible should stop whining after that.
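To see what filterdiff actually removes, here is a simplified stand-in written in JavaScript, added here and not part of the original post or of patchutils: it walks a unified diff, counts hunk lines from the @@ header, keeps file headers and hunk bodies, and drops everything else, which is where svn's "Property changes on:" blocks end up. The sample patch and the function names are constructed assumptions for this example; use the real filterdiff for actual patches.

```javascript
// Added example (not from the original post): a simplified filterdiff --clean.
// Counting lines from the @@ header matters: a removed line that happens to
// start with "-- " would otherwise look like a "---" file header.

// Constructed sample: one real hunk followed by svn property metadata.
const SAMPLE_SVN_PATCH = [
  'Index: app.js',
  '===================================================================',
  '--- app.js\t(revision 23284)',
  '+++ app.js\t(revision 23747)',
  '@@ -1,3 +1,3 @@',
  ' var a = 1;',
  '-var tag = node = {};',
  '+var node = {}, tag = node;',
  ' console.log(tag);',
  '',
  'Property changes on: app.js',
  '___________________________________________________________________',
  'Added: svn:eol-style',
  '## -0,0 +1 ##',
  '+native',
  '',
].join('\n');

const HEADER_LINE = /^(Index: |={10,}$|--- |\+\+\+ )/;
const HUNK_HEADER = /^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/;
const HUNK_BODY = /^[ +\-\\]/;   // context, added, removed, "\ No newline at end of file"

// Split a patch into the lines a diff parser understands and the rest.
function splitPatch(text) {
  const diff = [];
  const dropped = [];
  let oldLeft = 0;   // old-side lines still owed by the current hunk
  let newLeft = 0;   // new-side lines still owed by the current hunk
  for (const line of text.split('\n')) {
    const h = HUNK_HEADER.exec(line);
    if (h) {
      oldLeft = h[2] === undefined ? 1 : Number(h[2]);   // "-12" means one line
      newLeft = h[4] === undefined ? 1 : Number(h[4]);
      diff.push(line);
      continue;
    }
    if ((oldLeft > 0 || newLeft > 0) && HUNK_BODY.test(line)) {
      const c = line[0];
      if (c === ' ') { oldLeft--; newLeft--; }
      else if (c === '-') { oldLeft--; }
      else if (c === '+') { newLeft--; }
      diff.push(line);                 // "\" lines count on neither side
      continue;
    }
    oldLeft = newLeft = 0;             // a hunk shorter than promised is cut off here
    if (HEADER_LINE.test(line)) {
      diff.push(line);
    } else if (line !== '') {
      dropped.push(line);              // svn property metadata and other noise
    }
  }
  return { diff, dropped };
}

// What would be uploaded to Crucible.
function cleanPatch(text) {
  return splitPatch(text).diff.join('\n') + '\n';
}
```

splitPatch(SAMPLE_SVN_PATCH).dropped lists exactly the property-change lines, including the "+native" line that is not inside any @@ hunk even though it starts with a plus sign.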

Magicsuggest 2 release

I was so caught up with different projects, work, family and the move to the US that I hadn't touched the plugin for almost nine months. I finally decided to make it a priority to fix what needed to be fixed and improve what had to be improved.

So here comes 2.0.0:

– Flexible responsive design
– Full support of bootstrap 3
– An entirely new home with a showcase, tutorials, documentation full of examples, etc.
– A bunch of fixes and improvements.

Drop me a line if you use it in your bootstrap forms!

Cheers

MagicSuggest 2.0.0:
Homepage
Demo
Documentation
Tutorial
Licence

Copying json objects into the clipboard

At Qualys we often work with complex JSON objects that we have to debug. I just found out that the Chrome DevTools console includes a copy() command that copies any variable to the clipboard. Combined with JSON.stringify, this is a convenient way to retrieve a full JSON object:

copy(JSON.stringify(obj))

The object can then be displayed nicely formatted using a plugin within Sublime or an online formatter.
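copy(JSON.stringify(obj)) has two practical problems: JSON.stringify throws on circular structures, which ExtJS component trees are full of (a child's ownerCt points back at its container), and whatever the object holds (session tokens, passwords) lands on the clipboard as-is. The following replacer, an added example that is not from the original post, handles both and indents the output so no external formatter is needed. The list of secret-looking field names and the function names are assumptions for this example.

```javascript
// Added example (not from the original post): a safer copy(JSON.stringify(obj))
// for the DevTools console. Survives circular references and redacts fields
// whose names look like credentials before they reach the clipboard.

// Assumed list of field names to redact; extend it for your own objects.
const DEFAULT_SECRET_KEYS = ['password', 'token', 'secret', 'authorization', 'cookie'];

function toClipboardJson(obj, secretKeys = DEFAULT_SECRET_KEYS) {
  const secrets = new Set(secretKeys.map(k => k.toLowerCase()));
  const seen = new WeakSet();          // objects already serialised
  return JSON.stringify(obj, function replacer(key, value) {
    if (secrets.has(String(key).toLowerCase())) return '[REDACTED]';
    if (typeof value === 'object' && value !== null) {
      // Marks repeated references as well as true cycles; acceptable for a
      // debugging dump, and it guarantees stringify never throws on a cycle.
      if (seen.has(value)) return '[Circular]';
      seen.add(value);
    }
    return value;
  }, 2);                               // two-space indent: no formatter needed
}

// In DevTools, copy() puts the string on the clipboard; outside the console
// (Node, tests) there is no copy(), so the function just returns the text.
function copyJson(obj, secretKeys) {
  const text = toClipboardJson(obj, secretKeys);
  if (typeof copy === 'function') copy(text);
  return text;
}
```

Usage in the console is copyJson(someExtComponent); the clipboard then holds readable JSON with ownerCt links shown as "[Circular]" and credential fields as "[REDACTED]".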

Wep encryption ban

With the immense number of security updates forced onto our dear OSes every day, you'd really wonder why one of them hasn't completely banned WEP keys for securing Wi-Fi networks. This is 2014: WEP has been broken since the FMS attack in 2001, and today's key-recovery attacks (PTW, as automated by aircrack-ng) need only tens of thousands of captured packets, so we're talking 20 seconds to a few minutes. It shouldn't be allowed for further use. And yet today anyone can just walk the streets and easily find targets to sniff and crack (airport is Apple's command-line Wi-Fi tool, which lives under /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/):

$ airport en0 scan | grep WEP

wagamama 6c:f3:7f:56:71:d0 -85 36 N GB WEP
wBALHRT5 00:0b:86:e6:4a:22 -74 11 N GB WEP
wBALHRT5 00:0b:86:dc:1f:01 -78 13 N -- WEP
wBALHRT5 00:0b:86:dc:1f:11 -85 36 N GB WEP

Bypass wifi time limits

I'm currently sitting in Terminal 5 at Heathrow airport, finishing a blueberry muffin while waiting for my connecting flight back home. Once again, as I want to reconnect to the digital world, I am greeted with a 30-minute limit on the free Wi-Fi. It seems to be becoming a global trend in coffee shops and other public places nowadays. Anyway, here is the procedure to circumvent such limits by spoofing your MAC address (the captive portal tracks the time allowance per MAC address, so a new address looks like a new device):

On a Mac (the commands below use the macOS ifconfig syntax; Linux's ifconfig wants hw ether instead of ether, and the ip tool has its own link set form):
Run ifconfig to find the interface whose status is active. On recent MacBook Pros and Airs it should be en0. Note the current MAC address (the ether line) somewhere so you can revert once the operation is complete; a reboot also restores the hardware address.

sudo ifconfig en0 ether [new_mac]
sudo ifconfig en0 down
sudo ifconfig en0 up

On Windows 7/8:
Windows only accepts a replacement address for a wireless adapter if its second hex digit is 2, 6, A or E, i.e. a unicast, locally administered address:

X2-XX-XX-XX-XX-XX
X6-XX-XX-XX-XX-XX
XA-XX-XX-XX-XX-XX
XE-XX-XX-XX-XX-XX

You can change the MAC address by simply using a program like http://lizardsystems.com/downloads/changemac_setup.exe, or from Device Manager through the adapter's Advanced properties (Network Address) when the driver exposes it.
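The four Windows patterns above are not arbitrary. As an added example (not from the original post), the JavaScript below decodes the rule: in the first octet of a MAC address, bit 0 is the individual/group (multicast) flag and bit 1 is the universal/local flag, so a usable spoof address has bit 0 clear and bit 1 set, which is exactly a second hex digit of 2, 6, A or E. It also generates such an address for use with the ifconfig commands above; the function names are my own.

```javascript
// Added example (not from the original post): the bit-level meaning behind
// the X2/X6/XA/XE rule, plus a generator for acceptable spoof addresses.

function macToBytes(mac) {
  const hex = String(mac).replace(/[:-]/g, '');
  if (!/^[0-9a-fA-F]{12}$/.test(hex)) throw new Error('not a MAC address: ' + mac);
  const bytes = [];
  for (let i = 0; i < 12; i += 2) bytes.push(parseInt(hex.slice(i, i + 2), 16));
  return bytes;
}

function formatMac(bytes) {
  return bytes.map(b => b.toString(16).padStart(2, '0')).join(':');
}

// true when the address is unicast (I/G bit clear) and locally administered
// (U/L bit set): first octet & 0b11 === 0b10.
function isLocallyAdministeredUnicast(mac) {
  return (macToBytes(mac)[0] & 0x03) === 0x02;
}

// The same rule as Windows states it: second hex digit must be 2, 6, A or E.
function matchesWindowsRule(mac) {
  return /^[0-9a-f][26ae]/i.test(String(mac).replace(/[:-]/g, ''));
}

// Generate a spoof address that both ifconfig and Windows accept. randomByte
// is injectable so tests are reproducible; Math.random is adequate because a
// MAC is an identifier, not a secret.
function randomLocalMac(randomByte = () => Math.floor(Math.random() * 256)) {
  const bytes = Array.from({ length: 6 }, () => randomByte() & 0xff);
  bytes[0] = (bytes[0] & 0xfc) | 0x02;   // clear I/G (bit 0), set U/L (bit 1)
  return formatMac(bytes);
}
```

The addresses in the WEP scan above (6c:f3:7f:..., 00:0b:86:...) are burned-in, vendor-assigned ones and fail the test; randomLocalMac() never produces one of those, so the spoofed address cannot be confused with a manufacturer OUI either.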

How to crack windows passwords in 5 minutes

I've been meaning to write about this for a long time. Windows 7 has a weakness at its core that can easily be exploited to log into any machine you have physical access to, as long as its system disk is not encrypted.

It all starts at the password-protected login screen (winlogon.exe). There you find two useful things:
– The user names
– The accessibility shortcuts still work (try hitting Left Alt + Left Shift + Print Screen from the login screen: that is the High Contrast toggle)

To provide those, winlogon.exe launches another executable, sethc.exe (you have probably seen the Sticky Keys dialog it pops up after pressing Shift five times).

The weakness is that winlogon executes c:\windows\system32\sethc.exe as SYSTEM, before anyone has logged on, without checking what the file actually is.
If you can replace that file with a command prompt, you get a SYSTEM-level prompt from the login screen.
This can easily be exploited to change a user's password and bypass the login screen:

Anyway, here is the five-minute procedure:
1/ Reboot the computer, hit F8 for the boot options and select "Repair your computer"
2/ Start a Command Prompt (check the drive letter first: in the recovery environment the Windows volume is not always C:)
3/ Make a backup of sethc.exe:
move c:\windows\system32\sethc.exe c:\windows\system32\sethc.exe.bck
4/ Copy the command prompt over it:
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
5/ Restart the computer
6/ At the login screen, trigger the Sticky Keys helper (i.e. sethc.exe) by hitting Shift five times
7/ In the new prompt, change the password:
net user [username] [password]

Don't forget to restore the original sethc.exe file once you are done. Note also that net user resets the password rather than changing it, so anything protected by the old one (EFS-encrypted files, passwords saved in Credential Manager, certificate private keys) becomes inaccessible to that account.

The downside of this method is, of course, that you need physical access to the machine, and that it relies on an unencrypted system volume: with BitLocker or any other full-disk encryption, the recovery prompt cannot touch system32 without the recovery key. That is also Microsoft's position on it, their third "immutable law" of security: if a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Still, the trick has worked for so long that you wonder why it's still not patched up…

A bit of js flavor in ruby’s hashes

I've become frustrated writing so many [:] lines when working with Ruby's hashes.

hash = {:foo => 'bar'}   # so ugly...
=> {:foo=>"bar"}
hash[:foo]  # again...
=> "bar"

Sure there’s the openstruct thingy but it’s completely useless.

So I've gone against the rules and extended Hash, ending up with a dangerous (choose keys wisely) but so much more comfortable syntax:

class Hash
  # hash.foo returns hash[:foo]. Dangerous because method_missing only fires for
  # names Hash lacks: a key like :size, :keys or :map is unreachable this way.
  def method_missing(m, *args, &block)
    k = m.to_sym
    return self[k] if args.empty? && has_key?(k)
    super
  end

  # Keep respond_to? in step with the dynamic lookup above.
  def respond_to_missing?(m, include_private = false)
    has_key?(m.to_sym) || super
  end
end

In action:

hash = {foo: 'bar'}
=> {:foo=>"bar"}
hash.foo
=> "bar"

Math problem

I came across an interesting math problem as I was reading Hacking: The Art of Exploitation, 2nd edition. It took me a while to figure it out:

Use each of the numbers 1, 3, 4, and 6 exactly once with any of the four basic math operations (addition, subtraction, multiplication, and division) to total 24. Each number must be used once and only once, and you may define the order of operations; for example, 3 * (4 + 6) + 1 = 31 is valid, however incorrect, since it doesn’t total 24.

The illusion of phone security

My phone has become my everyday tool. I use it to check my mail, write blog posts, check my bank accounts, play games and perform transactions. I use it so much that I often forget it holds so much sensitive data. If someone stole your phone, what passwords or accounts would they have access to? My phone checks my mail automatically on all my accounts. Very convenient. But I realized today that this convenience is an expensive asset. You think your PayPal account is safe? Anyone can ask for your password to be reset. If that someone has access to your automatically-checked mailboxes, he has access to your bank account, your Facebook profile, and pretty much your entire digital life.

All of that digital life in the palm of my hand or in my back pocket is a danger I tend to overlook.

Some of you may have a locking mechanism such as a 4-digit phone PIN. But really, when was the last time you made sure no one was looking as you entered your PIN? (Even worse: most people choose the same PIN for their phone as for their credit card.) I personally think it's better not to have any locking mechanism on your phone and to behave as if it had absolutely no security, rather than believe in the illusion of its security.

I need to find another way to authenticate myself to my mail servers on my phone.