===============================================================================
notryan.com/blog/014.txt                                      Sat, 09 May 2020
Ryan Jacobs                                                    09:15:00 -0700

Whoops... 000.txt
===============================================================================

Hi all,

Good morning from the west coast -- and happy weekends to you all!

So uh... you might have received an RSS notification about a free prize,
which was a half-accident, so I'll meet you in the middle on this one.
Before I get too many emails, first let me explain what happened.

tl;dr Email me before 11:59 PM UTC and get a 50%-off WebFPGA coupon? Sorry...

---

Alright, so I was trying to be clever. My goal was to create a hidden post
under the guise of "000.txt" with a hint telling people to email me for a
prize. However, in my rss.c generator, I mistakenly started my loop at i=0
instead of i=1. See the snippet below:

    // p_item means print_item by the way...
    for (int i = 0; i < 1000; i++)
        p_item(i);

Anyone who polled the rss.xml feed last night received a notification of the
"hidden" file. Not very "hidden" eh?

---

I was inspired to create a hidden file after witnessing the torrent of exploit
testing against server.c. Man, people get really creative when there's a
minimalist 100-line C server exposed on the public web....

After seeing people testing server.c with different exploitation techniques,
I thought it would be interesting to write up a post about what people have
tried so far, and why it has or hasn't worked. So I started logging requests.

By the way, as far as I know, path traversal does not work. I have a check
that rejects all requests that contain a slash with a "405 Not Allowed"
error. This is fine with me because server.c only serves the files sitting
next to it in the same directory. Anyways, you can stop trying to grab my
/etc/passwd!
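To make the slash check, the dotfile block and the percent-encoding point concrete, here is an added example (hypothetical code written for this post, not server.c's own): a request-name validator plus a small decoder showing why a server that never decodes treats "%2f" as a harmless literal, and why one that does decode must decode before it validates.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical check modelled on the one described in the post: the server
 * only serves files from its own directory, so any slash is rejected
 * outright, and a leading dot blocks dotfiles such as .gitignore. */
bool name_is_servable(const char *name)
{
    if (name[0] == '\0' || name[0] == '.')   /* "", ".", "..", ".gitignore" */
        return false;
    if (strchr(name, '/') != NULL)           /* "etc/passwd", "../x" */
        return false;
    return true;
}

/* Minimal in-place percent-decoder, added only for the caveat below
 * (server.c has none). Fails on malformed escapes and on an encoded NUL. */
bool percent_decode(char *s)
{
    char *out = s;
    for (; *s != '\0'; s++) {
        if (*s == '%') {
            if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
                return false;
            char hex[3] = { s[1], s[2], '\0' };
            int c = (int)strtol(hex, NULL, 16);
            if (c == 0)                      /* "%00" would truncate the name */
                return false;
            *out++ = (char)c;
            s += 2;
        } else {
            *out++ = *s;
        }
    }
    *out = '\0';
    return true;
}

/* If a server does decode, order matters: decode first, then validate.
 * Validating the raw string and decoding afterwards would let an accepted
 * "..%2f..%2fetc%2fpasswd" become "../../etc/passwd" at open() time. */
bool decoded_name_is_servable(const char *raw)
{
    char buf[256];
    if (strlen(raw) >= sizeof buf)
        return false;
    strcpy(buf, raw);
    if (!percent_decode(buf))
        return false;
    return name_is_servable(buf);
}
```

Without a decoder, "%2fetc%2fpasswd" passes the check but is then looked up as a literal filename containing percent signs, which is exactly why the logged attempts above went nowhere.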
    $ grep etc/passwd notryan.com.log
    1589012593: 0,etc/passwd
    1589012660: 0,etc/foo
    1589012732: 0,etc
    1589012734: 0,etc/f
    1589012763: 0,etcpasswd
    1589012773: 0,etc/passwd
    1589036300: 0,etc/passwd
    1589036306: 0,etc/passwd

However, this snippet did work and caught me by surprise. I've since blocked
dotfile requests.

    $ curl https://blog.notryan.com/.gitignore
    bin
    a.out
    log
    *.log
    rss.xml
    index.html
    *.txt.html

This request exposes potential files to fetch. That scared me a little bit,
but there's not much danger in this case. In fact, there is little enough
danger that I am posting the original contents. Most of those files people
already knew about because their browsers were fetching them by default.

---

Here is another attempt I saw:

    $ grep '\.\.' notryan.com.log
    1588940973: 0,............etcpasswd
    1588940978: 0,..........etcpasswd
    1588940981: 0,........etcpasswd
    1588940984: 0,......etcpasswd
    1588940987: 0,....etcpasswd
    1588940990: 0,..etcpasswd
    1588941909: 0,%2fetc%2fpasswd
    1588941910: 0,..%2f..%2fetc%2fpasswd

Notice the HTTP URL-encoded entities, e.g. "%2F" to indicate a "/". However,
if you read the source code for server.c, you will notice that I didn't
implement this translation. This keeps us safe from people passing in
URL-encoded slashes and dots, etc. But the main reason that this "feature" is
missing is because I didn't have the space to implement it...

Keeping your codebase small oftentimes has the pleasant side-effect of
reducing attack surfaces.

Here is a mapping of URL-encoded characters for those curious:

    !    #    $    &    '    (    )    *    +    ,    /    :    ;    =    ?    @    [    ]
    %21  %23  %24  %26  %27  %28  %29  %2A  %2B  %2C  %2F  %3A  %3B  %3D  %3F  %40  %5B  %5D

---

Okay. Back to the prize bit. There was one lucky person around 10 PM last
night who emailed me inquiring about the prize, which shocked me. I honestly
thought he found it that quickly! But then I realized my mistake and quickly
corrected the code in rss.c, but at that point it was too late.
I've received about 5 emails since waking up this morning. For the first
person, I have given away a coupon code for a free standalone WebFPGA device
and free shipping. That was the original prize.

For the rest of you, email me before midnight UTC for a 50%-off coupon (if you
are interested, that is). I know it isn't much, but it is something. 50% is
meeting you guys in the middle. It's the best I can do right now.

But regardless, if you _are_ interested, I'm always excited to get people
started with FPGAs! If you're not familiar with them, feel free to shoot me an
email. They're awesome and will probably be in the near future of consumer
computing. We are pushing the limits of Moore's Law and FPGAs are a
specialized solution that could help us delay it for a few more decades.

FPGAs allow for on-the-fly creation of specific hardware. Think of: game
engine accelerators or virtual machines running in hardware... FPGAs are kinda
like reprogrammable graphics cards. They have similar use cases, but FPGAs are
very flexible. You can implement CPUs, networking switches, and GPUs, among
other things. Instead of merely emulating an Atari, you can design the Atari
2600's CPU yourself! (It's a version of the 6502, for those curious.)

---

In other news, check out https://blog.notryan.com/stats.html
I had some fun creating that last night by parsing the log results of
server.c.

Anyways, that's all for today. Sorry if I disappointed any of y'all.

On a side note, I'm thinking of ways to create an *extremely basic* commenting
system while still keeping this blog in plaintext. I've got a couple of ideas
kicking around, but we'll see what I come up with. It'll probably be something
like:

    blog.notryan.com/blog/014.txt.comments

Comment submittal might be through email. I've always wanted to write my own
SMTP server...

-- Ryan