Lover, hater, IP networking.
@jschauma
We cannot search our internal code repository, because that requires an enterprise license.

If you'd like to have a nice 🤦-y day like me, go ahead, search your internal code repository for the following:

curl -k
wget --no-check-certificate
verify=false
InsecureSkipVerify: true
ssl_verify_mode: 0
TrustSelfSignedStrategy
rejectUnauthorized: false
strict-ssl = false
http.sslVerify = false
--no-verify-ssl
--insecure*
verify_hostname: 0

It'll be great.
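A scanner for the list above, added here as an example and not the author's own tooling: it walks a source tree and reports every line matching one of the idioms. The search strings are the post's, loosened for whitespace and case so the common variants are caught too (`verify = False`, `sslVerify = false` inside a `[http]` section of `.gitconfig`, `curl -sk`, `--insecure-skip-tls-verify`). The rule names, the function names and the sample lines are constructed for illustration.

```python
"""Scan a source tree for TLS-verification-disabling idioms.

Added example, not the post author's script. RULES mirrors the post's search
strings, loosened for whitespace/case; SAMPLE is constructed input.
"""
import os
import re
import sys
from typing import Iterator, NamedTuple


class Finding(NamedTuple):
    path: str
    lineno: int
    rule: str
    line: str


# (rule name, regex). Names are the post's search strings; regexes are looser.
RULES = [
    ("curl -k/--insecure", re.compile(r"\bcurl\b[^\n|;&]*(\s-[A-Za-z]*k\b|\s--insecure\b)")),
    ("wget --no-check-certificate", re.compile(r"\bwget\b[^\n|;&]*--no-check-certificate\b")),
    # requests' verify=False and friends; the lookbehind keeps sslVerify etc.
    # from matching twice (they have their own rule below).
    ("verify=False", re.compile(r"(?<![A-Za-z])verify\s*[=:]\s*false\b", re.I)),
    ("InsecureSkipVerify: true", re.compile(r"\bInsecureSkipVerify\s*[:=]\s*true\b")),
    ("ssl_verify_mode: 0", re.compile(r"\bssl_verify_mode\s*[:=]\s*0\b")),
    ("TrustSelfSignedStrategy", re.compile(r"\bTrustSelfSignedStrategy\b")),
    ("rejectUnauthorized: false", re.compile(r"\brejectUnauthorized\s*[:=]\s*false\b")),
    ("strict-ssl = false", re.compile(r"\bstrict-ssl\s*=\s*false\b")),
    ("http.sslVerify = false", re.compile(r"\b(http\.)?sslVerify\s*=\s*false\b")),
    ("--no-verify-ssl", re.compile(r"--no-verify-ssl\b")),
    ("--insecure*", re.compile(r"--insecure[\w-]*")),
    ("verify_hostname: 0", re.compile(r"\bverify_hostname\s*[:=]\s*0\b")),
]

SKIP_DIRS = {".git", ".hg", ".svn", "node_modules", "vendor"}


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per (line, rule) hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            if rx.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_tree(root: str) -> Iterator[Finding]:
    """Walk root, skipping VCS/vendor dirs and binary files, and scan each file."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue
            if b"\0" in raw[:8192]:  # crude binary check
                continue
            yield from scan_text(raw.decode("utf-8", "replace"), full)


# Constructed sample of the kind of lines a scan turns up (not real repo content).
SAMPLE = """\
resp = requests.get(url, verify=False)   # TODO remove before prod
tls := &tls.Config{InsecureSkipVerify: true}
curl -sk https://internal.example/api
[http]
    sslVerify = false
const agent = new https.Agent({ rejectUnauthorized: false });
aws s3 ls --no-verify-ssl
safe_call(url, verify=True)
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = list(scan_tree(root)) if root else scan_text(SAMPLE, "sample")
    for f in results:
        print(f"{f.path}:{f.lineno}: [{f.rule}] {f.line}")
    sys.exit(1 if results else 0)
```

Run it with a directory argument to scan a checkout (non-zero exit when anything is found, so it can gate a CI job); with no argument it scans the built-in sample. Expect false positives from tests and vendored docs; the point is to get a list to triage, not a verdict.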

OMG. -froot bug resurfaced. https://seclists.org/oss-sec/2026/q1/89

I see the headlines, "10 years old bug".

My friends, this bug is older. Much older. Not this particular instance, but it is a classical mistake to make. It's a command line injection when calling the login executable.

Some people point to CVE-2007-0882. Solaris had that, almost 20 years ago.

But it's even older than that. It's so old it predates the CVE system. I don't remember exact dates, but we popped Linux and AIX boxes with that, mid 90s.

But it is *even older* than that. Have a look at System V R4, ©1990, getty calling login with unsanitized input:

https://github.com/calmsacibis995/svr4-src/blob/7dabeda6fc10bd1bbd1a84d502f05642b1bf0c9e/cmd/getty/getty.c#L526

But how deep does the rabbit hole go? When was this bug introduced?

Getty called login with user input since the dawn of time (UNIX V2, 1972):

https://www.tuhs.org/cgi-bin/utree.pl?file=V2/cmd/getty.s

But this predates command line arguments in login:

https://www.tuhs.org/cgi-bin/utree.pl?file=V2/cmd/login.s

So, when did this particular command line feature of login appear?

In the BSD universe, -f was introduced with POSIX compatibility in 4.3BSD-Reno:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/usr.bin/login/login.c

But someone paid attention and filtered out user names starting with - in getty:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src/libexec/getty/main.c

RCS timestamp says 6/29/1990, so same age as SysV R4.

The original 4.3BSD (1986) doesn't filter the user name:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/etc/getty/main.c

And it does have a -r option in login:

https://www.tuhs.org/cgi-bin/utree.pl?file=4.3BSD/usr/src/bin/login.c

Exploitable? No idea, argv processing might be a problem. I'll find out another day.

In conclusion: bug existed since 1990, it's so easy to make when implementing POSIX that it keeps resurfacing, and at least one person in Berkeley knew since day 0.

oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd

#39c3 is a switch firmware upgrade installfest

https://chaos.social/@miketango/115728207286090237

Quoted post from MikeTango on chaos.social:
> #39C3 is a sticker exchange with attached blahaj meetup
The NLNOG New Years Drink will be on January 30th 2026 in De Rechtbank in Utrecht. Thanks to our amazing sponsors, drinks and snacks are on the house! If you want to join us, please let us know via https://nlnog.net/tickets. More information on the event can be found on https://nlnog.net/events. We hope to see you there!
https://pretix.eu/nlnog/newyears2026/

We got all the old labels and glue clean off. #nohalfmeasures

Asset tags are the bane of the reusing class

#eventinfra #39c3

How Akamai sees AI bot traffic; I found it interesting. https://www.akamai.com/blog/security/how-openai-became-the-majority-player

OH: “Serverless hosting is when you have servers, but don’t know it.”

#lunog8

🤦

> how many times does the letter r occur in raspbery?

The letter 'r' occurs twice in "raspbery" (though the correct spelling is "raspberry", which also has two 'r's).

Final answer for the count: 2 times.