daniel:// stenberg://

1 year ago

daniel:// stenberg://
1 year ago

I was reminded of the great #Cisco security fix of 2019

#curl

This entry was edited (1 year ago)

in reply to daniel:// stenberg://

Gina Häußge

in reply to daniel:// stenberg:// 1 year ago

OMG, did they really pull that off? That's... amazing 😂

in reply to Gina Häußge

daniel:// stenberg://

in reply to Gina Häußge 1 year ago

@foosel that's the genuine "fix" for a reported security problem against some of their devices at the time, yes indeed

@Gina Häußge

in reply to daniel:// stenberg://

Gina Häußge

in reply to daniel:// stenberg:// 1 year ago

Yikes 😬

Unknown parent

daniel:// stenberg://

Unknown parent 1 year ago

@colin_mcmillen it was their fix for this reported security problem: redteam-pentesting.de/en/advis…

RedTeam Pentesting GmbH - Cisco RV320 Unauthenticated Configuration Export

RedTeam Pentesting discovered that the configuration of a Cisco RV320 router can still be exported without authentication via the device’s web interface due to an inadequate fix by the vendor.

^{www.redteam-pentesting.de}

@Colin McMillen

in reply to daniel:// stenberg://

Kiskae

in reply to daniel:// stenberg:// 1 year ago

enterprise-level fix

in reply to daniel:// stenberg://

AcidePoulain

in reply to daniel:// stenberg:// 1 year ago

litterally «if asked if vulnerable then politely reply no»

in reply to daniel:// stenberg://

Yaksh Bariya

in reply to daniel:// stenberg:// 1 year ago

This is ofcourse going the obvious solution when your blog's "network engineer" tag is filled with PR BS:

CW: everything on this blog is bullshit, and unrelated to what the tag name is

blogs.cisco.com/tag/network-en…

network engineer - Cisco Blogs

^{Cisco Systems}

in reply to daniel:// stenberg://

Karl Fredrik 🦊 @ 38.5c3

in reply to daniel:// stenberg:// 1 year ago

This is sorta what imgur does for wget as well, to "stop" scraping I guess...

(it has returned 429 "too many requests" every time I've tried, so I assumme it's an ingress rule for the user agent)

Linux terminal.

The first command attempts to run `wget` to download a file from Imgur. The command returns HTTP error 429 (too many requests).

The second command works, and contains the flag --user-agent="curl"

in reply to daniel:// stenberg://

Kelvin n0mql EN35ld

in reply to daniel:// stenberg:// 1 year ago

Your alt text says it returns a 404.

Nope. It returns a 403.

in reply to daniel:// stenberg://

Chris Gioran 💔

in reply to daniel:// stenberg:// 1 year ago

Ah, the classic Volkswagen approach to systems development.

in reply to daniel:// stenberg://

Bill, organizer of stuff

in reply to daniel:// stenberg:// 1 year ago

Thank goodness for '--user-agent' 🤪

in reply to daniel:// stenberg://

Martin Rocket

in reply to daniel:// stenberg:// 1 year ago

So many servers are happy when you just provide a trusted user-agent, and a referer. Sometimes one alao needs a token that can be obtaimed from an additional request.

in reply to daniel:// stenberg://

Psycodepath

in reply to daniel:// stenberg:// 1 year ago

unhackable

in reply to daniel:// stenberg://

Troed Sångberg

in reply to daniel:// stenberg:// 1 year ago

This should be the first hit on Google when searching for "imposter syndrome".

in reply to daniel:// stenberg://

Sertonix

in reply to daniel:// stenberg:// 1 year ago

Could you just change the casing of the default curl user agent?

in reply to daniel:// stenberg://

Wayne Dixon

in reply to daniel:// stenberg:// 1 year ago

@briankrebs I’ve been selectively blocking all sorts of stuff on some servers like that.

@BrianKrebs

in reply to daniel:// stenberg://

Sandor Szücs

in reply to daniel:// stenberg:// 1 year ago

to buy cisco is just sick: expensive and you see the "quality" of their sophisticated "security" devices.
How can they play with their reputation like this...

in reply to daniel:// stenberg://

Tito Swineflu

in reply to daniel:// stenberg:// 1 year ago

If it just piped the offending IP address into the iptables drop list, it would be a good start. No reason to let your adversary know they can try again with different parameters.

in reply to daniel:// stenberg://

klausfiend

in reply to daniel:// stenberg:// 1 year ago

This robust strategy persists in today's Palo Alto firewalls.

in reply to daniel:// stenberg://

srslypascal

in reply to daniel:// stenberg:// 1 year ago

Same nonsense on dl.dell.com - the default user agents of curl and wget trigger a 403 error, but setting the user agent to a less suspicious string such as "bullshit" or "nmap" solves the problem.

FTP Root

^dl.dell.com

This entry was edited (1 year ago)

in reply to daniel:// stenberg://

Michelle Hughes

in reply to daniel:// stenberg:// 1 year ago

We won't let you hack into this device unless you ask *politely*! That will stop hackers because the evil in their hearts prevents them from being polite.

in reply to daniel:// stenberg://

Mark Pauley

in reply to daniel:// stenberg:// 1 year ago

@colin_mcmillen
🤣

@Colin McMillen

in reply to daniel:// stenberg://

Waseem

in reply to daniel:// stenberg:// 1 year ago

🥴

in reply to daniel:// stenberg://

🐧DaveNull🐧 ☣️pResident Evil☣

in reply to daniel:// stenberg:// 1 year ago

😂

As moronic as this "security fix" is, I can't exactly say that I'm surprised…

in reply to daniel:// stenberg://

Asharas

in reply to daniel:// stenberg:// 1 year ago

Last time I checked supervisord's documentation website did the same, couldn't get an answer with curl until I try with another UA.

in reply to daniel:// stenberg://

okanogen VerminEnemyFromWithin

in reply to daniel:// stenberg:// 1 year ago

Bravo.
Elmer Fudd level.

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 year ago

I posted this image on LinkedIn as well, and the stats there tells me that Cisco is in fact now the third most common employing company among the viewers... (only beaten by AWS and Microsoft)

linkedin.com/posts/danielstenb…

Daniel Stenberg on LinkedIn: #curl | 37 comments

Never forget this awesome security fix of 2019 when Cisco fixed their vulnerable RV320/325 routers. #curl | 37 comments on LinkedIn

^{Daniel Stenberg (www.linkedin.com)}

in reply to daniel:// stenberg://

eigenman

in reply to daniel:// stenberg:// 1 year ago

Well that is a bit ridiculous now isn't it? 🤣

in reply to daniel:// stenberg://

spmatich vk3spm

in reply to daniel:// stenberg:// 1 year ago

does this qualify as code bloat? the user agent header is completely arbitrary and can be set to anything.
I mean why single out curl. Shouldn’t the nmap default user agent be in there too? etc etc

in reply to spmatich vk3spm

daniel:// stenberg://

in reply to spmatich vk3spm 1 year ago

@spmatich they singled out curl because the exploit proof of concept used curl. They stopped the example command line from working.

@spmatich vk3spm

in reply to daniel:// stenberg://

spmatich vk3spm

in reply to daniel:// stenberg:// 1 year ago

so the exploit just needs an update to include setting the user agent header to something else right, and it could be one of many many many different strings.

in reply to spmatich vk3spm

daniel:// stenberg://

in reply to spmatich vk3spm 1 year ago

@spmatich ... and that is exactly why the "fix" is so fun!

@spmatich vk3spm

in reply to daniel:// stenberg://

Filippo Nova

in reply to daniel:// stenberg:// 1 year ago

lol

in reply to daniel:// stenberg://

Gen X-Wing

in reply to daniel:// stenberg:// 1 year ago

This makes me want to add a check for curl as the user agent, but only so it sends back a fun message as part of the return headers. Something harmless.

in reply to daniel:// stenberg://

jn (big endian energy)

in reply to daniel:// stenberg:// 1 year ago

takes a real hacker to bypass that one :p

in reply to daniel:// stenberg://

Алексей Боцман

in reply to daniel:// stenberg:// 1 year ago

🤣

⇧

daniel:// stenberg:// 1 year ago • •

daniel:// stenberg://
1 year ago