Ethan Chiu My personal blog

Hacked With Python

A few days ago, my project PythonBuddy was hacked. The attacker got into my server and replaced my whole site with a gif by running Python code in the editor that used Python's open function. Here is what the code could have looked like:

# The built-in open() is all that is needed here; os.open() returns a raw file
# descriptor and would not work with this 'with' block.
with open('./templates/index.html', 'w') as f:
    f.write('<img ...>')

This hack was quite a wake-up call. I had naively implemented PythonBuddy without any sandboxing.

After this incident, I scoured the web searching for a solution to prevent a hack like this from happening again. I wanted a quick fix.

Eventually, I came up with a quick solution to prevent people from using dangerous imports such as os:

import sys

# Setting sys.modules[name] = None makes a later "import name" raise ImportError.
# Note that this blocks imports only; built-in functions such as open() stay available.
sys.modules['os'] = None
sys.modules['os.path'] = None
sys.modules['pprint'] = None
sys.modules['builtins'] = None
sys.modules['shutil'] = None
sys.modules['subprocess'] = None
sys.modules['jinja2'] = None
sys.modules['yaml'] = None
sys.modules['sys'] = None

This basically just blacklisted certain imports like “sys” or “os”; it did nothing about built-in functions such as open().
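As an added example (my own code, not PythonBuddy's), here is the module blacklist above wrapped in a helper that applies it only while an untrusted snippet runs and, optionally, also takes away the open() builtin; the names run_untrusted, BLACKLIST and SAFE_BUILTINS are my own. It shows that the sys.modules trick blocks `import os` while leaving open() reachable, which is exactly the gap this fix left, and restores sys.modules afterwards so the hosting app keeps working.

```python
import builtins
import contextlib
import sys

# Modules the post blacklists (its duplicate 'subprocess' entry dropped); assumed list.
BLACKLIST = ("os", "os.path", "shutil", "subprocess", "sys")

# Builtins the untrusted snippet may use; open, __import__, exec and eval are
# deliberately absent.
SAFE_BUILTINS = {name: getattr(builtins, name) for name in (
    "abs", "dict", "int", "len", "list", "max", "min", "print", "range", "str", "sum")}

@contextlib.contextmanager
def blacklisted_modules(names):
    """Set sys.modules[name] = None so 'import name' fails, then restore afterwards.

    The post assigns None permanently, which also breaks the hosting web app;
    scoping it to the untrusted run avoids that."""
    saved = {n: sys.modules.get(n) for n in names}
    for n in names:
        sys.modules[n] = None
    try:
        yield
    finally:
        for n, module in saved.items():
            if module is None:
                sys.modules.pop(n, None)
            else:
                sys.modules[n] = module

def run_untrusted(source, restrict_builtins=True):
    """Run source under the blacklist; return 'ok' or the name of the exception raised.

    restrict_builtins=False reproduces the post's fix on its own: imports fail,
    but the builtin open() the attacker used is still reachable."""
    env = {"__builtins__": SAFE_BUILTINS if restrict_builtins else builtins}
    try:
        with blacklisted_modules(BLACKLIST):
            exec(source, env)
    except Exception as exc:  # ImportError, NameError, ... raised by the snippet
        return type(exc).__name__
    return "ok"

if __name__ == "__main__":
    print(run_untrusted("import os"))                       # ImportError
    print(run_untrusted("open", restrict_builtins=False))   # ok: open() still there
    print(run_untrusted("open"))                            # NameError
```

Even the combined version is not a sandbox: a trimmed builtins dict can still be escaped from pure Python, which is why the post ends up with RestrictedPython and PyPy's sandbox.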

While researching a fix for my program, I discovered some sandboxes that didn’t quite work out for me:

  • PyPy sandbox
    • Required me to use the PyPy interpreter, which would slow down my program
    • Created by a Python core developer
  • Simpleeval
    • Not flexible enough.
    • If I used this, I would have to parse through the document each time using regex to identify the functions being defined.
    • Also, it was quite limited and didn’t support enough functions.
  • edX’s codejail
    • Was really aimed at the edX platform, and I couldn’t really figure out how to adapt it for my own program.

Funnily enough, the person who hacked me contacted me via Reddit today and told me about the vulnerabilities in my site and how he was trying to help secure my site:

"So I found your pythonbuddy page earlier when you posted it and saw that it was defaced. I was curious how the person did it so I tried it myself. You probably discovered the Hacker gif I left you. I meant no harm. :) 

I even tried to mark the temp.py as readonly so others can't change it again.

I see you tried to fix the issue but it is still vulnerable btw. I used the open() command to overwrite the index.html

I recommend RestrictedPython or Sculpt the Javascript version you tried out.
Hope you didn't mind the harmless prank. I'm a student like you. Gl."

So, I created a different version of PythonBuddy which used RestrictedPython: PythonBuddy’s Restricted Python Branch. Unfortunately, this version doesn’t allow a lot of Python functions and operators, like “yield”, to work.

Overall, the main takeaway here is that we should always safely execute unknown code via a protected environment such as a sandbox.

Additional Resources:

Side Notes:

  • Later today, I watched an amazing video from PyCon 2014 about Python sandboxing, which made me realize that if I were to create my own full-fledged sandbox, I would include functions that blacklist certain keywords, make builtins read-only, etc. But, right now, I hope to implement something more secure and well established like PyPy’s sandbox.

How to STOP Wasting so much TIME on Social Media

Last year, I spent an average of 5 hours on my phone going through Facebook, Instagram, and Twitter. Not so healthy, right?

So, I decided to go cold turkey and tried to delete the apps from my phone. After 2 days of trying this out, I redownloaded them.

Finally, I decided to create a compromise between my desire for entertainment and my desire for more time in my day.

Here are some tips that I used to cut down my social media usage from 5 hours to less than 2 hours:

Facebook and Twitter Tips:

  1. Install uBlock
  2. Go to Facebook and Twitter
  3. Press the uBlock plugin
  4. Press the eyedropper tool and select the feed section on Facebook and Twitter
  5. Then press “Create”
  6. Refresh Facebook and Twitter
  7. And Voila! When you go to Facebook and Twitter, you won’t waste your time browsing through your feed. Instead, you’ll just focus on the important stuff like messages.

Instagram tips:

  • Disable account.

Helpful plugins for curing your social media addiction:

  1. Kill News Feed: https://chrome.google.com/webstore/detail/kill-news-feed/hjobfcedfgohjkaieocljfcppjbkglfd
  2. Stay Focused: https://chrome.google.com/webstore/detail/stayfocusd/laankejkbhbdhmipfmgcngdelahlfoj

Is WPA2 Really Secure? (Part 1)

After realizing my own WPA2 home network had been compromised recently, I wondered how easy it was to break into a WPA2 network. I had heard about brute-forcing methods but nothing fast enough to crack a network efficiently.

Let me take a step back. Before there was WPA2, there was WEP. WEP stands for “Wired Equivalent Privacy”. WEP, like WPA2, was invented to protect Wi-Fi networks so that they would be as secure as wired Ethernet networks. Before WEP (now we are going way back), network sniffer programs could tap into Wi-Fi networks with no barriers.

The basic premise of WEP was simple: create a key made up of hexadecimal values. To access a WEP network, a client would have to have the same WEP key as the router’s key. In addition, there were two different versions of WEP: 64-bit (10 hex digits) and 128-bit (26 hex digits).

Ok, so why were WEP networks so vulnerable? There were many flaws, starting with how it is set up. One quick example is that WEP uses the RC4 encryption algorithm, a stream cipher. Stream ciphers are malleable: an intruder can flip a bit in the ciphertext and the corresponding plaintext bit flips with it. I won’t delve too deeply into the flaws of WEP, but this research paper from the University of California, Berkeley explains them well: http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
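To make the stream-cipher point concrete, here is an added example (mine, not from this post or the Berkeley paper) with a textbook RC4 and the WEP key arithmetic from above: flipping one ciphertext bit flips the same plaintext bit after decryption, and an encrypt-then-MAC tag, which WEP did not have, is the receiver-side check that catches it. The function names and the sample key and message are constructed for the demo.

```python
import hashlib
import hmac

IV_BITS = 24  # WEP prepends a 24-bit IV to the secret key on every frame

def wep_key_bits(hex_key):
    """Advertised WEP key size for a key typed as hex digits: 10 -> 64-bit, 26 -> 128-bit."""
    if len(hex_key) not in (10, 26):
        raise ValueError("WEP keys are 10 or 26 hex digits")
    return len(hex_key) * 4 + IV_BITS

def rc4_keystream(key, length):
    """Textbook RC4 (KSA then PRGA); for illustration only, never for real protection."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4_xor(key, data):
    """Stream-cipher encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))

def flip_bit(data, byte_index, bit):
    """Copy of data with one bit toggled, i.e. a ciphertext modified in transit."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)

def decrypt_tampered(key, plaintext, byte_index, bit):
    """Encrypt, toggle one ciphertext bit, decrypt: the same plaintext bit comes out flipped."""
    return rc4_xor(key, flip_bit(rc4_xor(key, plaintext), byte_index, bit))

def mac_tag(mac_key, ciphertext):
    """Encrypt-then-MAC tag; WEP's CRC-32 integrity value is not a keyed MAC like this."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def verify(mac_key, ciphertext, tag):
    """The receiver's check: reject any ciphertext whose tag no longer matches."""
    return hmac.compare_digest(mac_tag(mac_key, ciphertext), tag)
```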

Next time, I will talk about the exciting new research over the past 2 years that reveals the unfortunate vulnerabilities of WPA2. (But don’t worry. If you have a long and complex password, you will most likely not be hacked!)

Sources:

  • http://compnetworking.about.com/od/wirelessfaqs/f/wep_keys.htm
  • http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
  • http://phys.org/news/2014-03-wpa2-wireless.html

Fix for ~Module w1 not found in directory~ for USB Persistence Users

This is a crosspost from my Kali Linux Forum post.

I finally installed my wifi correctly after a week of debugging.

For some reason even after I “apt-update”, “apt-upgrade”, “apt dist-upgrade”, and rebooted, my kernel was not updated. So, basically I downloaded the old 4.3.0 headers and installed them.

Here is some basic information about my persistence USB drive and how I installed it:

  • 500 GB Hard Drive (Seagate)
  • Installed using most recent (2016.1) kali iso from torrent
  • Drive is persistent
  • I’m running side by side with Mac OSX El Capitan
  • I’m using rEFind as my boot manager
  • I have BCM4360 driver

Tutorial:

  1. Navigate to /etc/apt/list and copy and paste this:
    • deb http://http.kali.org/kali kali-rolling main contrib non-free
    • deb-src http://http.kali.org/kali kali-rolling main contrib non-free
    • deb http://httpredir.debian.org/debian/ jessie main contrib non-free
    • deb http://old.kali.org/kali moto main non-free contrib
  2. run apt-get update
  3. Download from http://ftp.tku.edu.tw/kali/pool/main/l/linux/:
    • “linux-headers-4.3.0-kali1-amd64_4.3.3-5kali4_amd64.deb” and “linux-headers-4.3.0-kali1-common_4.3.3-5kali4_amd64.deb”
  4. Download from http://http.kali.org/kali/pool/main/l/linux-tools/ , “linux-kbuild-4.3_4.3.1-2kali1_amd64.deb”
  5. Download package gdebi package (both gui and main one) through the package manager
  6. Open up gdebi GUI
  7. Install each package listed above using gdebi GUI, starting with the “linux-kbuild” package, followed by the “linux_headers_common”, then the “linux_headers”
  8. Ok, here’s the important part: DO NOT RUN “apt-update” right after!!!
  9. Instead, run: “apt-get install broadcom-sta-dkms”
  10. Run: “modprobe -r b44 b43 b43legacy ssb brcmsmac”
  11. Run: “modprobe wl”
  12. Run: “reboot”
  13. And boom! Your wifi should be working!

If you want to see how I installed my live persistence usb, just look for my last post!

Hope this helps! I’m sure relieved that I finally figured it out. It took me more than 80 hours to figure it out after looking all over Google, Stack Overflow, Reddit, and the Kali forums.

Here’s my rambling about my debugging problems if you are interested: The problem with Kali’s USB persistence is that the kernel seems to not be able to upgrade, even after “apt-update”, “apt-upgrade”, “apt dist-upgrade”. (When I ran “uname -r” it returned 4.3.0 instead of 4.5.0.) Still, when I ran “apt-get install linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,') broadcom-sta-dkms” I got drivers for 4.5.0… weird…

So, yeah I tried the debian broadcom “wl” tutorial and had no luck

Tutorial for Creating a Live Persistence USB on Mac OSX (El Capitan)

This is a crosspost from my Kali Linux Forums post

Hi everyone!

Unfortunately my first post about my success with using Mac Linux Loader was short lived. I had a lot of issues with memory storage and wifi. So, I started over from scratch. Now after a whole week of trying many if not all tutorials, I have finally found a way to make live USB persistence work on OSX. So, I thought I’d share it with the Kali Forum to see if anyone else is successful with this way.

Here are the following methods which did not work for me (I’m using a MacBook Air 2015 with El Capitan):

  • Using Mac Linux Loader didn’t work for persistence for some reason
  • Using Ubuntu to create live usb and partition.
  • Using Windows to create live usb and partition.

Here is the hardware/software I used to make this work:

So, here is a list of steps I followed for creating the USB Persistence:

  1. Downloaded 64GB Kali image from official website with torrent. Then verified the SHA1SUM.
  2. I followed this: http://docs.kali.org/downloading/kal…ve-usb-install
  3. Disabled SIP by booting OSX in recovery (hold Command + R while rebooting). When “OS X Utilities” shows up, I loaded Terminal up and typed: `csrutil disable; reboot`
  4. I installed rEFInd and ran it.
  5. I opened up Finder and navigate to the boot folder and changed syslinux.cfg so that instead of vesamenu.c32 the default is menu.c32.
  6. Rebooted computer.
  7. rEFInd boot screen loads up and I choose the Kali EFI drive
  8. I enter Kali Live.
  9. Then I type in the terminal: gparted
  10. I saw /dev/sda1 and /dev/sda2 with Kali Live. I pressed “unallocated space” and pressed “new” (under partition).
  11. I labeled the partition “persistence” and chose “ext4” as the file system.
  12. I then typed these commands:
    • mkdir -p /mnt/my_usb
    • mount /dev/sda3 /mnt/my_usb
    • echo "/ union" > /mnt/my_usb/persistence.conf
    • umount /dev/sda3
  13. I rebooted my computer and loaded into “Live USB Persistence”. I gedited a file on the desktop and rebooted the computer again to see if it worked. And Voila! It saved!

Here is a list of steps I followed for installing the WIFI:

  1. Edited /etc/apt/sources.list so that only this line appeared:
    • deb http://http.kali.org/kali kali-rolling main contrib non-free
  2. Typed
    • apt-get update && apt-get dist-upgrade -y
  3. Rebooted computer
  4. Typed:
    • apt-get install linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,') broadcom-sta-dkms
    • modprobe -r b44 b43 b43legacy ssb brcmsmac
    • modprobe wl
  5. Then WiFI worked!

Hope this helps the struggling OSX users! I will try to update this post with all my sources after I find them all!

EDIT: WIFI DOES NOT WORK NOW BECAUSE OF KALI ROLLING. SEE MY OTHER TUTORIAL TO INSTALL WIFI CORRECTLY ON USB PERSISTENCE!