Ian Foster

When the defaults just aren’t enough

Influencing Linux IP Source Address Selection

When creating a socket unless manually specified, the OS will automatically determine the source address to use. However the OS’s default choice may not always be desired. Source Address Selection allows for influencing the sources address chosen by the OS. What is Source Address Selection? When a host with multiple routable IP addresses sends a packet to another host, it needs to determine which of its local addresses to use as the source “from” address. ...

December 11, 2024 · 6 min

Creating a Mikrotik BGP.Tools Session

When running a network with its own ASN, you will likely end up spending some time working with BGP. Knowing how your peer networks connect can help with your own network planning. BGP.Tools is a service that maps out different networks and the routes between them by having networks opt to provide bgp.tools with a BGP session sharing their exportable routes. This guide will walk you through setting up a BGP.Tools session with a Mikrotik router running RouterOS 7. ...

February 11, 2024 · 2 min

Remove SNAP from Ubuntu

Recent versions of Ubuntu are shipping with Snapcraft by default, and some of the default applications run inside a snap as well. Snaps are application containers, similar to Docker, but designed for desktop applications. Unfortunately Canonical seems to be pushing Snaps hard, and they are not always wanted. This is made worse by not providing an easy way to remove the snap functionality for Ubuntu. The commands bellow will entirely remove snap from an Ubuntu installation. ...

February 19, 2022 · 1 min

Sena WiFi Adapter Security Assessment & Vulnerabilities

This post outlines a security assessment of the new Sena Wifi Adapter I performed last summer for fun. With the world on lock-down due to COVID-19, I spent a lot of time last summer escaping the city going on motorcycle rides through the mountains and forests surrounding the bay area. It’s the perfect social distance activity because if you get within 6ft of someone you are likely to crash. One of my favorite motorcycle accessories is my Sena headset. It allows me to listen to navigation or music from my phone over Bluetooth while riding, and talk to other riders in my group. ...

March 9, 2021 · 18 min

Programming Bare ESP-WROOM-02

A while ago I received a bunch of bare ESP-WROOM-02 chips on tape, but could not find enough documentation to program them (partially out of laziness). With my recent interest in ESPhome, I decided to give them another try. This blog post contains the results of my research on how to program them. ESP-WROOM-02 The ESP-WROOM-02 is just a ESP8266 underneath. If you don’t have a breakout board like me, then you will need a UART adapter and make a few minimal solder connections to set the various boot modes to allow you to program the firmware. Once programed for the first time, you can use OTA updates to allow flashing firmware over WiFi and not need to mess with the wiring every time you want to reprogram it. ...

January 20, 2021 · 4 min

Xiaomi M365 Scooter Authentication Bypass

Sometime in the first half of 2018 there was an explosion of “Dockless e-scooters” appearing all over the Bay Area. These devices are electric scooters that anyone can rent for a one-way trip and find/leave then (at the time) anywhere you want. As one could guess this lead to lots of issues but they where convenient and I wanted one of my own so I did a little research onto how to acquire one for private use. ...

May 15, 2019 · 8 min

BygoneSSL - dealing with residual certificates for pre-owned domains

This is the blog version of my DEFCON 26 talk Lost and Found Certificates: dealing with residual certificates for pre-owned domains, which I co-presented with Dylan Ayrey. You can learn more about BygoneSSL and see a demo at insecure.design. The Problem A Certificate can outlive the ownership of a domain. If the domain is then re-registered by someone else, this leaves with the first owner with a valid SSL certificate for the domain now owned by someone else. ...

August 13, 2018 · 8 min

CertGraph

Certgraph is a tool I’ve been developing to scan and graph the network of SSL certificate alternative names. It can be used to find other domains that belong to an organization that may be several orders removed and not always obvious. Background The idea for this project came about after examining the SSL certificate for XKCD.com. If you look closely at the screenshot below you will see that the SSL certificate used on XKCD.com is also valid for many of domains which have no relationship to XKCD or Randall Munroe. ...

April 6, 2018 · 7 min

Tethr: Android Tethering Provisioning Check Bypass (CVE-2017-0554)

On most unrooted, stock, Android phones, enabling tethering will run a “Provisioning Check” with your wireless provider to ensure that your data plan allows tethering. This post documents Tethr, a way to bypass the provisioning check on Android devices prior to version 7.1.2. After discovering this method I reported it to the Android bug bounty fixing the issue and receiving CVE-2017-0554. Background The ability to tether is controlled by your device’s build.prop file, usually located at /system/build.prop. The default is to require the provisioning check before enabling tethering, but it can by bypassed by adding the following line: ...

December 27, 2017 · 4 min

Ambergris

For those of you not in the know, ambergris is defined as: a wax-like substance that originates as a secretion in the intestines of the sperm whale, found floating in tropical seas and used in perfume manufacture. However, that will not be what this post is about (sorry to disappoint). Instead, I’ll present what happens when building an image on Docker that contains a reverse shell in the Dockerfile. ...

January 19, 2017 · 7 min