Sunday, May 25, 2008

Vmware won't compile on Hardy

Vmware server and workstation are both currently broken on the kernel version in Hardy. You need to install a patch to get them to compile. Vmware server also requires xinetd. I changed /etc/xinetd.conf to force all services to only listen on localhost with

bind            = 127.0.0.1

Not only that, but vmware-server-console is busted too!

/usr/lib/vmware-server-console/bin/vmware-server-console: /usr/lib/vmware-server-console/lib/libgcc_s.so.1/libgcc_s.so.1: version `GCC_3.4' not found (required by /usr/lib/libcairo.so.2)
/usr/lib/vmware-server-console/bin/vmware-server-console: /usr/lib/vmware-server-console/lib/libpng12.so.0/libpng12.so.0: no version information available (required by /usr/lib/libcairo.so.2)
/usr/lib/vmware-server-console/bin/vmware-server-console: /usr/lib/vmware-server-console/lib/libgcc_s.so.1/libgcc_s.so.1: version `GCC_4.2.0' not found (required by /usr/lib/libstdc++.so.6)

Fix it with

sudo ln -sf /usr/lib/libpng12.so.0 /usr/lib/vmware-server-console/lib/libpng12.so.0/libpng12.so.0
sudo ln -sf /lib/libgcc_s.so.1 /usr/lib/vmware-server-console/lib/libgcc_s.so.1/libgcc_s.so.1

Tuesday, May 20, 2008

Awesome article on VMWare detection and mitigation

Great article on how to detect VMWare, and how to prevent detection using undocumented VMX settings. Written by Ed Skoudis and Tom Liston from SANS.

Monday, May 19, 2008

Hardy usability downgrade: CD media removed from "Removable Drives and Media"

Argh! The option to prevent Audio CDs from being played automatically has been removed from System | Preferences | Removable Drives and Media. Why? It is so annoying to have Rhythmbox fire up when I just want to copy a CD. The preference is now hidden in the super intuitive place of Edit | Preferences | Media Tab in the Nautilus file manager.

Sunday, May 11, 2008

Intel soundcard on Hardy Heron

My Intel sound card didn't work out of the box with Hardy. I followed these instructions to compile and install the driver, and all was good.

Hardy initrd breaks LUKS with "/sbin/udevsettle" not found

The initrd in Hardy broke the LUKS cryptroot, because the cryptroot script refers to udevsettle, which has been replaced with udevadm. It dies with "/sbin/udevsettle" not found. Here's how you fix it.

Unzip and unpack the initrd:

gunzip -S "" initrd.img-2.6.24-16-generic
cpio -id < initrd.img-2.6.24-16-generic
vi scripts/local-top/cryptroot

Replace "/sbin/udevsettle --timeout=30" with "/sbin/udevadm settle --timeout=30". Repack the initrd:

find ./ | cpio -H newc -o > initrd.cpio
gzip initrd.cpio
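The three steps above as one script, added here as an example and not part of the original post. It assumes the initrd is a gzipped newc cpio archive, as it is on Hardy, and that the string to replace is exactly the one quoted above. The script writes a new file beside the original instead of touching it, unpacks into a scratch directory so the image file itself is not swept into the repacked archive, and refuses to repack if the udevsettle call was not found:

```shell
#!/bin/sh
# Added example, not from the original post: apply the udevsettle -> udevadm
# fix to a Hardy initrd without hand-editing. Assumes the initrd is a gzipped
# newc cpio archive (as on Hardy) and that the string to replace is exactly
# the one quoted in the post.

OLD_CMD='/sbin/udevsettle --timeout=30'
NEW_CMD='/sbin/udevadm settle --timeout=30'

# patch_cryptroot DIR: rewrite scripts/local-top/cryptroot inside an extracted
# initrd tree. Fails if the udevsettle call is not there, so an unchanged tree
# is never silently repacked and installed.
patch_cryptroot() {
    script="$1/scripts/local-top/cryptroot"
    if [ ! -f "$script" ]; then
        echo "patch_cryptroot: $script not found" >&2
        return 1
    fi
    if ! grep -qF "$OLD_CMD" "$script"; then
        echo "patch_cryptroot: '$OLD_CMD' not in $script (already patched?)" >&2
        return 1
    fi
    # '|' as the sed delimiter because both strings contain '/'.
    sed -i "s|$OLD_CMD|$NEW_CMD|g" "$script"
    # Succeed only if no trace of the old call survived.
    ! grep -qF "$OLD_CMD" "$script"
}

# fix_initrd IMAGE: unpack IMAGE into a scratch directory, patch it and write
# IMAGE.fixed beside it. The original file is left alone; install the result
# into /boot yourself after checking it, and keep the old initrd as a fallback
# boot entry until the new one has booted once.
fix_initrd() {
    image="$1"
    work=$(mktemp -d) || return 1
    # Extract into the scratch directory so the image itself does not end up
    # inside the repacked archive.
    gunzip -c "$image" | (cd "$work" && cpio -id --quiet) || return 1
    patch_cryptroot "$work" || return 1
    (cd "$work" && find . | cpio -H newc -o --quiet) | gzip -9 > "$image.fixed" || return 1
    rm -rf "$work"
    echo "wrote $image.fixed"
}

# Usage: sh fix-cryptroot.sh /boot/initrd.img-2.6.24-16-generic
if [ $# -gt 0 ]; then
    fix_initrd "$1"
fi
```

Run it as root against a copy of the initrd, then rename the `.fixed` file into place once you have confirmed the boot entry for the old initrd still works.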

NTP pool setup

I use the free NTP pool for access to accurate timing. Edit /etc/ntp.conf and add these lines:

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

Restart ntp and then check you have accurate time sync:

ntpq
ntpq> lpeers
remote refid st t when poll reach delay offset jitter
==============================================================================
+ip-72-167-54-20 192.12.19.20 2 u 844 1024 377 88.972 12.657 140.873
*nist.netservice .ACTS. 1 u 263 1024 377 47.284 0.231 164.968
-lashiir.sapros. 74.53.198.146 3 u 833 1024 377 64.212 34.142 111.228
+ntp.LogicX.net 18.103.0.198 2 u 904 1024 377 24.615 -1.935 49.235
ntpq>
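An added example, not from the post, that turns the last step into an automated check. ntpq's tally codes are what matter: `*` marks the system peer actually being synced to, `+` a candidate, `-` an outlier discarded by the clustering algorithm, and a reach of 377 (octal) means all of the last eight polls were answered. The function below reads `ntpq -p` output, or the table above pasted in, and passes only when a system peer exists with full reach and a small offset. The column positions and the 100 ms threshold are assumptions of this example:

```shell
#!/bin/sh
# Added example, not from the original post: make "check you have accurate
# time sync" a pass/fail test you can run from cron or a monitoring agent
# instead of eyeballing the ntpq table. It reads the peer table printed by
# "ntpq -p" (the same billboard as "lpeers" in the post). Assumed layout: the
# tally code is glued to the remote name in column 1, reach is column 7 and
# offset (milliseconds) is column 9.

# Offsets above this many milliseconds count as out of sync. Kerberos allows
# 5 minutes, but log correlation across hosts wants far tighter than that.
MAX_OFFSET_MS=${MAX_OFFSET_MS:-100}

# ntp_synced: read an ntpq peer table on stdin. Succeeds only if a system
# peer has been selected ('*' tally), it answered all of the last eight
# polls (reach 377, an octal bitmask) and its offset is within MAX_OFFSET_MS.
# Prints one line saying why it passed or failed.
ntp_synced() {
    awk -v max="$MAX_OFFSET_MS" '
        # Skip the header, the ===== rule and any ntpq prompt lines.
        NF < 10 || $1 == "remote" { next }
        substr($1, 1, 1) == "*" {
            found = 1
            reach = $7
            offset = ($9 < 0) ? -$9 : $9
        }
        END {
            if (!found)         { print "FAIL: no system peer selected (no * entry)"; exit 1 }
            if (reach != "377") { print "FAIL: system peer reach is " reach ", not 377"; exit 1 }
            if (offset > max)   { print "FAIL: offset " offset " ms exceeds " max " ms"; exit 1 }
            print "OK: system peer reach 377, offset " offset " ms"
        }'
}

# The peer table from the post, kept here as sample input for a self-test.
SAMPLE_PEERS='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+ip-72-167-54-20 192.12.19.20     2 u  844 1024  377   88.972   12.657 140.873
*nist.netservice .ACTS.           1 u  263 1024  377   47.284    0.231 164.968
-lashiir.sapros. 74.53.198.146    3 u  833 1024  377   64.212   34.142 111.228
+ntp.LogicX.net  18.103.0.198     2 u  904 1024  377   24.615   -1.935  49.235'

# Usage on a live host:      ntpq -p | ntp_synced
# Self-test on the sample:   printf '%s\n' "$SAMPLE_PEERS" | ntp_synced
```

A freshly restarted ntpd shows reach values like 1, 3 or 17 for the first few poll intervals, so the check is expected to fail right after the restart and pass once the peers have been polled eight times.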

Friday, May 9, 2008

Debmirror of ubuntu archive, with valid gpg keys

Getting debmirror to use the Ubuntu gpg signatures was harder than I expected. First I tried:

gpg --import /usr/share/keyrings/ubuntu-master-keyring.gpg

That worked fine, but it put the keys in ~/.gnupg/pubring.gpg, and debmirror wants them in ~/.gnupg/trustedkeys.gpg, so I got this error:

Mirroring to /repo/ from http://us.archive.ubuntu.com/ubuntu/
Arches: i386
Dists: hardy
Sections: main,restricted,universe,multiverse
Will NOT clean up.
Pdiff mode: use.
Attempting to get lock, this might take 2 minutes before it fails.
Get Release files.
[0%] Getting: dists/hardy/Release... ok
[0%] Getting: dists/hardy/Release.gpg... ok
gpgv: keyblock resource `/home/name/.gnupg/trustedkeys.gpg': general error
gpgv: Signature made Thu 24 Apr 2008 02:19:52 EDT using DSA key ID 437D05B5
[GNUPG:] ERRSIG 40976EAF437D05B5 17 2 00 1209017992 9
[GNUPG:] NO_PUBKEY 40976EAF437D05B5
gpgv: Can't check signature: public key not found
gpgv: keyblock resource `/home/name/.gnupg/trustedkeys.gpg': general error
gpgv: Signature made Thu 24 Apr 2008 02:19:52 EDT using DSA key ID 437D05B5
gpgv: Can't check signature: public key not found
Release signature does not verify.
Errors:
Release signature does not verify.
Failed to download some Release or Release.gpg files!
WARNING: releasing 1 pending lock...

The debmirror man page recommends this command to get them into trustedkeys.gpg, which works fine:

gpg --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg --export \
| gpg --no-default-keyring --keyring trustedkeys.gpg --import

Then the debmirror command:

sudo debmirror --nosource --host=archive.ubuntu.com --method=http --root=ubuntu \
--dist=hardy --section=main,restricted,universe,multiverse --arch=i386 \
--progress --nocleanup --ignore-small-errors -v /repo/
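Added example, not from the post: the failure above is a signature verification failure, so the thing to fix is the keyring, not to have debmirror skip the check with --ignore-release-gpg. The helpers below pull the missing key IDs out of the gpgv lines (the `[GNUPG:] NO_PUBKEY` status line carries the long ID), import just those keys from the archive keyring into trustedkeys.gpg, and run the same gpgv check debmirror does against a mirrored Release file so the keyring can be tested before a multi-gigabyte run. The log format and keyring paths are the ones shown in this post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the trustedkeys.gpg
# problem described in the post. Assumes debmirror's gpgv output looks like
# the quoted log and that the archive keyring is where the post says,
# /usr/share/keyrings/ubuntu-archive-keyring.gpg. A NO_PUBKEY failure means
# the Release file was NOT verified, so the fix is to get the right key into
# trustedkeys.gpg, not to disable the check.

TRUSTED_KEYRING="${TRUSTED_KEYRING:-$HOME/.gnupg/trustedkeys.gpg}"
ARCHIVE_KEYRING="${ARCHIVE_KEYRING:-/usr/share/keyrings/ubuntu-archive-keyring.gpg}"

# missing_keys: read a debmirror/gpgv log on stdin and print each key ID that
# gpgv reported as NO_PUBKEY, once each. Exit status 0 if any were found.
missing_keys() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" && !seen[$3]++ { print $3; n++ }
         END { exit n ? 0 : 1 }'
}

# import_missing_keys LOGFILE: for every key the log says is missing, copy it
# from the distribution keyring into trustedkeys.gpg (the same export/import
# pipe the debmirror man page recommends, limited to the keys actually needed).
import_missing_keys() {
    ids=$(missing_keys < "$1") || { echo "no NO_PUBKEY lines in $1" >&2; return 1; }
    for id in $ids; do
        gpg --no-default-keyring --keyring "$ARCHIVE_KEYRING" --export "$id" \
            | gpg --no-default-keyring --keyring "$TRUSTED_KEYRING" --import || return 1
    done
}

# verify_release DIR: the check debmirror performs, run by hand against a
# mirrored dists/<suite>/ directory, so the keyring can be confirmed before
# a long mirror run.
verify_release() {
    gpgv --keyring "$TRUSTED_KEYRING" "$1/Release.gpg" "$1/Release"
}

# Constructed sample: the relevant lines from the failing run quoted in the post.
SAMPLE_LOG=$(cat <<'EOF'
gpgv: keyblock resource `/home/name/.gnupg/trustedkeys.gpg': general error
gpgv: Signature made Thu 24 Apr 2008 02:19:52 EDT using DSA key ID 437D05B5
[GNUPG:] ERRSIG 40976EAF437D05B5 17 2 00 1209017992 9
[GNUPG:] NO_PUBKEY 40976EAF437D05B5
gpgv: Can't check signature: public key not found
Release signature does not verify.
EOF
)

# Usage:  debmirror ... 2>&1 | tee mirror.log ; import_missing_keys mirror.log
#         verify_release /repo/dists/hardy
```

Importing only the key IDs the log names, rather than everything in the default pubring, keeps trustedkeys.gpg limited to keys you meant to trust for archive signatures.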

Thursday, May 1, 2008

Boot a dd disk image in VMWare

LiveView is a cool bit of open-source software that allows you to boot a disk image acquired using dd in a VMWare virtual machine. It handles the hardware conflicts that arise from booting the OS on different hardware, without modifying the original disk. Great idea. It is pretty much aimed at Windows images, with some limited Linux support. Be prepared to deal with the pain of Windows activation!

The MUICache registry key mystery de-mystified

Recently I was seeing entries being created under

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

when running programs, and got to wondering what they were. Is it a way for malware to ensure it can persist and get started on reboot? Apparently not. The Windows IR blog has a good discussion on the topic, but I found the best answer on Scot's Newsletter. I have copied the content below in case the website disappears:

I'm not sure what MUICache stands for but I know for sure that Windows uses HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache to cache location of icons and their string descriptions for various internal windows uses.

For example, if you change the value of @C:\WINDOWS\system32\SHELL32.dll,-8964 from Recycle Bin to Trash and hit F5 on the desktop, the description of your Recycle Bin will be Trash.

Basically, the string Trash is now associated with the Recycle Bin icon stored in SHELL32.dll. If you right click on any shortcut and select Properties and then select Change Icon on the Shortcut tab, you will see all the icons stored in SHELL32.dll.

Another example is, when you try to run a file with an unregistered/unrecognized extension in Windows, you will get a dialog box asking you to select the program from the list.

The Programs listbox displays icons and their string names, which represent programs that have an "open" command in the registry.

Adobe Acrobat 7.0 corresponds to the key-value pair of
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe - Adobe Acrobat 7.0 in MUICache.

The key represents the location of the exe where icon is stored and value represent the description string of exe. You can get the description string by right click on the exe and select properties. In the version tab, you will see the description string that is used.

A C++ developer will put this information in the resource (.rc file) under VS_VERSION_INFO entry.

A developer may choose to create the key in MUICache during the installation or programmatically when a program starts.

This entry is usually automatically generated by Windows when a user double clicks on a registered/recognized extension.

For example, there is a key called .doc in HKEY_CLASSES_ROOT. The default value of this key is Word.Document.8. When a word document file is double clicked, Windows looks for .doc key in HKEY_CLASSES_ROOT and knows what type of document .doc is and in this case Word.Document.8. Then Windows searches for Word.Document.8 in HKEY_CLASSES_ROOT. Under Word.Document.8, there is a key that tells windows what program and what arguments to pass to open such document. In my computer the key is HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\Command and its value is "C:\Program Files\Microsoft Office\OFFICE11\WINWORD" /n /dde

This entry also gets called when you select Tools > folder options from the folder menu and select File Types tab. You will see doc entry in there. Highlight it and select Advance and double click on open entry. You will see the exact same string in HKEY_CLASSES\Word.Document.8\shell\Open\Command.

After a known extension is double clicked and the program opens the document, Windows automatically generates 2 entries: one is HKEY_CLASSES_ROOT\Applications\Winword.exe\shell to indicate what to show up in the application list and how to open a document (picture below) and the other is in MUICache for the corresponding icon and description string.

A developer can programmatically create keys in MUICache and HKEY_CLASSES_ROOT\Applications\filename.exe or use scripting during the installation process. If not, when the registered/recognized extension is activated, these two entries are automatically generated.

When you delete these two entries (but please don't), they'll pop up again the next time you double click on a known extension file (as long as the extension registry is still intact).

That's why sometimes we see these two keys related to viruses, because as long as the virus exe is still on the machine, you can't seem to get rid of these keys. If you look on a Symantec website, they documented a virus called dialer.exe (which dials high-cost telephone calls from your computer) associated with MUICache.