grack.com


Fedora Core Network Install

I decided to pave over my Windows 2000 box with a brand new install of Fedora Core 2.  The network install is awesome - burn the 4MB boot.iso to a CD, select “HTTP” install, point it at any Fedora mirror and go!

It took about 30 minutes to get the installation completed on my old PII-400.  Your time may vary based on CPU hugeness and mirror fastness.

I’ve been using my Linksys firewall for managing internal DHCP, but it doesn’t give me the flexibility I’d like for assigning static IPs.  I hope to get a quick and dirty DHCP server up and running that hands out fixed, DHCP-managed addresses to all of my networked devices (including my Xbox).

It also gives me a chance to try my hand at setting up a full IMAP mail server at home.  I’ve been using hotwayd for snarfing messages from Hotmail and getting them remotely via POP3.  I’d prefer to have them sit in a common mailbox that I can read from either work or home.

Google Desktop Search: How it Works, Pt 1

I tried out Google Desktop Search today and I decided to take a deeper look at how it works and how it integrates into your daily experiences.  This information all comes from reverse-engineering and file/registry observation.  None of it is guaranteed to be correct.

From looking at some of the PDB file references, I think the internal name of this Google search engine is “Total Recall”.  This fits with the replacement string returned from Google (“”) and the port number registry key “trs_port”.

The search utility consists of three main applications and a number of “information provider” plugins.  The main applications are:

  • The Google Desktop Search main application.  This provides the UI for configuration of the Google search programs and launches them as necessary.
  • The indexing service.  This program runs a small HTTP server on port 4664, answering desktop search requests sent to it over HTTP with search results; anything that can open a connection to that port can send it queries.
  • The crawler service.  This program runs in the background, indexing local files that exist on your disk.

The plugins are:

  • A Winsock 1/2 protocol filter.  These intercept requests to www.google.com, www.google.ca, etc. and add a “Desktop” link to the search page, as well as placing the local search results in with the remote search results.
  • An IE-specific BHO (browser helper object).  The BHO indexes the pages you visit and takes a screenshot to store as a thumbnail for later.
  • Microsoft Word/Excel/PowerPoint plugins.  Not examined yet; they are probably used to index Office files.

The Winsock 1/2 interception is one of the cooler parts of the Google Desktop Search Application.  Each request you make runs through this filter.  Whenever a Google search is performed, the interception layer sends the requests to the local indexing server and merges the results with the web search results.  I verified this by running Windump on the machine and comparing the request made to Google with the results that Firefox received.
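To make the merge step concrete, here is an added example (mine, not Google’s code) that models the filter behaviour described above in Python. A stand-in “indexing service” listens on the loopback interface (the real one uses port 4664; an ephemeral port is used here so the example runs anywhere), and intercept() plays the filter: ordinary traffic passes through untouched, while a Google web search is also sent to the local index and both result sets are merged. The /search?q= query shape, the JSON reply format, the sample documents and the order of the merged results are assumptions for this example.

```python
"""Added example, not Google's code: a small model of the Winsock-filter
behaviour described on the page.  A stand-in indexing service listens on
127.0.0.1 on an ephemeral port (the real one uses 4664), and intercept()
plays the filter: non-search traffic passes through untouched, a Google
web search also gets sent to the local index and both result sets are
merged.  Query shape, reply format and sample documents are assumptions."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlsplit
from urllib.request import urlopen

# Hosts the filter watches (the page names these two; the real list is longer)
GOOGLE_HOSTS = {"www.google.com", "www.google.ca"}

# Constructed stand-in for the crawler's index of local files
LOCAL_INDEX = {
    r"c:\docs\budget.xls": "budget spreadsheet for 2004",
    r"c:\docs\winsock_notes.txt": "notes on winsock layered service providers",
    r"c:\mail\inbox.txt": "re: fedora network install",
}


class IndexHandler(BaseHTTPRequestHandler):
    """Answers GET /search?q=... with the local documents whose text matches."""

    def do_GET(self):
        query = parse_qs(urlsplit(self.path).query).get("q", [""])[0].lower()
        hits = [{"source": "desktop", "path": path, "snippet": text}
                for path, text in LOCAL_INDEX.items() if query and query in text]
        body = json.dumps(hits).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_local_index(port=0):
    """Start the stand-in index on the loopback interface; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", port), IndexHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def is_google_search(url):
    """The filter's trigger: a /search request with a q= parameter to a watched host."""
    parts = urlsplit(url)
    return (parts.hostname in GOOGLE_HOSTS and parts.path == "/search"
            and "q" in parse_qs(parts.query))


def fake_web_results(query):
    """Constructed stand-in for what the real request would get back from Google."""
    return [{"source": "web", "url": "http://www.example.com/" + quote(query),
             "snippet": "web result for " + query}]


def intercept(url, index_port):
    """Model of the filter.  Returns None for traffic it lets through untouched;
    for a Google search, the local hits followed by the web hits (desktop hits
    first is this example's choice; the page only says they are merged)."""
    if not is_google_search(url):
        return None
    query = parse_qs(urlsplit(url).query)["q"][0]
    with urlopen("http://127.0.0.1:%d/search?q=%s" % (index_port, quote(query))) as resp:
        local_hits = json.load(resp)
    return local_hits + fake_web_results(query)


def run_demo(url):
    """Bring up the stand-in index, run one request through the filter, tear down."""
    server, port = start_local_index()
    try:
        return intercept(url, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for hit in run_demo("http://www.google.com/search?q=winsock") or []:
        print(hit)
```

The thing to notice is that the local index never sees the web request and the web never sees the local hits; the merge happens entirely inside the filter on the client, which is why Windump on the machine shows an unmodified request going to Google while the browser receives a page with extra results in it.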

The BHO uses GoogleDesktopAPI2.dll to add pages to the indexing service.  To take screenshots, it uses the GetDC function to grab the current bitmap from IE itself, so what gets stored is what was on screen in that area rather than a render of the page: if any windows are overlapping the IE window at the time the screenshot is grabbed, they’ll appear in your thumbnails.

GoogleDesktopAPI2.dll exports a number of functions by ordinal only, with no names.  Each of the search plugins imports them by ordinal and calls into them.  So far, none of these exports have been decoded.

More info as it comes!

Spyware Installing on Fully-Patched XP SP2!

After reading the full-disclosure list for more ASP.NET vulnerability information, I came across a report of spyware installing on fully-patched XP SP2 IE instances.

The thread is here.  Basically, a site is forcing a CAB file down users’ throats without any sort of notification.  If you want to try it out in VMWare or some other safe environment, jump to the URL http://www.themexp.org/about_wrap.php.

I can’t repeat it enough: Install Firefox today.

Neat Image - Digital Camera Noise Reduction

Neat Image is a tool for automatically reducing digital camera noise.  I tried it out last night on a few photos - it manages to clear up a lot of random noise you see when zooming in on most digital pictures.  Best of all - it’s free for personal use!

I managed to get results that were pretty good, but not as striking as their examples.  I suppose the developers of the tool would understand how to get the most out of it.  You’ll notice a subtle difference in the shots that you’ve processed with the tool. 

It’s a bit of extra work for each shot, but I think it pays off to clean up the pictures you really like.

As far as I know, cleaning up pictures this way won’t affect how they look when printed professionally.  I believe that proper processing blurs the image enough that you won’t see small per-pixel artifacts.

ASP.NET Security Bug: The Real Information

Has anyone noticed that Microsoft is willing to admit that “a bug in ASP.NET canonicalization exists”, but refuses to divulge any more information?  Considering that the information is easily available and being passed around among bloggers, you should have everything you need at your fingertips to protect yourself.

Basically, the bug involves subverting Windows or Forms authentication by modifying your URL slightly.  The authorization check is applied to the path exactly as it appears in the request, and it does not treat a backslash as a path separator, while the later step that maps the URL to a file on disk does.  By replacing traditional URL slashes with backslashes in the path to a protected page, you can keep the check from recognizing the protected directory and fool ASP.NET into serving files that should be protected.

Note that you’ll need to use Firefox (or any other client that sends the path exactly as you typed it) to check out some parts of this bug, since IE automatically replaces DOS-style backslashes with URL-style slashes in the address bar before the request is sent.

The original message is here on NTBugTraq.  Don’t let Microsoft keep the important security information away from you!

Note: there are alternate ways to exploit this bug by using the URL-encoded form of a slash, which gets past a URL scanner that only looks for the literal character.  The one described above is the easiest attack to implement.  I’ll post more information here as I discover it.
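The following is an added example (mine, in Python; not Microsoft’s code and not taken from the NTBugTraq post) that models both the backslash trick described above and the URL-encoded variant from the note. The authorization check looks at the request path exactly as it was sent, while the later step that maps the URL to a file on disk folds backslashes into slashes and %-decodes the path, so a request can fail to match the protected directory yet still reach the file inside it. The fixed check decides on the same canonical form the file mapper uses. The site layout, the function names and the check-then-map order are assumptions for this example.

```python
"""Added example, not Microsoft's code and not from the NTBugTraq post:
a model of the canonicalization mistake described on the page.  The
authorization check compares the raw request path with the protected
directory; the file mapping that runs afterwards treats "\\" like "/" and
%-decodes, so "/secure\\admin.aspx" or "/secure%5cadmin.aspx" skip the
check but still resolve to secure/admin.aspx.  Site layout, function
names and the check-then-map order are assumptions for this example."""
from urllib.parse import unquote

# Constructed site: directory -> files it contains ("" is the web root)
SITE = {
    "": {"default.aspx"},
    "secure": {"admin.aspx", "reports.aspx"},
}
# Directories that require an authenticated user (think <location path="secure">)
PROTECTED_DIRS = {"secure"}


def canonicalize(request_path):
    """The form the file mapper works on: %XX decoded once, backslashes folded
    into slashes, empty segments dropped, case folded (Windows file names are
    case-insensitive)."""
    folded = unquote(request_path).replace("\\", "/")
    return [seg.lower() for seg in folded.split("/") if seg]


def map_to_file(request_path):
    """Resolve the request to (directory, file), or None if nothing is there."""
    segs = canonicalize(request_path)
    if not segs:
        return None
    directory, filename = "/".join(segs[:-1]), segs[-1]
    return (directory, filename) if filename in SITE.get(directory, set()) else None


def is_protected_vulnerable(request_path):
    """The bug: the raw request path is compared with "secure/", so a path
    written with a backslash or a %-encoded separator never matches."""
    return request_path.lstrip("/").lower().startswith("secure/")


def is_protected_fixed(request_path):
    """Decide on the same canonical form the file mapper uses, so every
    spelling of the path that reaches the file is also seen by the check."""
    segs = canonicalize(request_path)
    return bool(segs) and segs[0] in PROTECTED_DIRS


def serve(request_path, authenticated, is_protected):
    """Request pipeline, authorization before file mapping.  Returns the HTTP
    status the client would see: 401 (denied), 404 (no such file) or 200."""
    if is_protected(request_path) and not authenticated:
        return 401
    return 404 if map_to_file(request_path) is None else 200


# Constructed probes: the normal URL, the backslash trick, and encoded variants
REQUESTS = [
    "/secure/admin.aspx",
    "/secure\\admin.aspx",
    "/secure%5cadmin.aspx",
    "/secure%2fadmin.aspx",
]

if __name__ == "__main__":
    for path in REQUESTS:
        print("%-24s vulnerable=%s fixed=%s" % (
            path,
            serve(path, False, is_protected_vulnerable),
            serve(path, False, is_protected_fixed)))
```

Running it as an anonymous client shows the vulnerable check returning 200 for every probe except the plainly written one, and the fixed check returning 401 for all four. The fix is not a blacklist of the backslash character; it is doing the authorization decision on the exact same canonical form the file mapper will use, which is what also closes the %-encoded variant.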