macronet

Mitigating CVE-2021-4034 (policykit pkexec) vulnerability on CentOS 6

 Kernel and drivers, Legacy, Linux  Comments Off on Mitigating CVE-2021-4034 (policykit pkexec) vulnerability on CentOS 6
Jan 272022
 

CentOS 6 has been end of life since 30.11.2020 – do not use it.

Well, you’re still reading this, so you are using it.

Really really quick mitigation: remove SUID-bit from pkexec: chmod ug-s /usr/bin/pkexec

RedHat provides updates and mitigation steps for RHEL6 (extended support), RHEL7 and RHEL8 on their customer portal – https://access.redhat.com/security/cve/CVE-2021-4034

Based on their excellent documentation it is easy to build a mitigation for CentOS 6 also.

  • Make sure you can still install packages (f.ex use CentOS Vault)
  • Install systemtap & kernel-devel -packages
  • Create pkexec_block.stp with the following content
    probe process("/usr/bin/pkexec").function("main") {
        if (cmdline arg(1) == "")
                        raise(9);
}
  • Compile and install module:
stap -g -F -m stap_pkexec_block pkexec_block.stp
  • Verify with lsmod that stap_pkexec_block -kernel module is loaded.
  • Make sure that module is loaded also after a reboot (copy to right place, run depmod -a & verify).

Mitigating log4j vulnerabilities on EOL UniFi(-video) services

 Legacy, Linux, Software  Comments Off on Mitigating log4j vulnerabilities on EOL UniFi(-video) services
Jan 102022
 

Official fixes for UniFi Network Application came in 6.5.54 (CVE-2021-44228) & 6.5.55 (CVE-2021-45046).
UniFi Video is EOL and will not receive updates.

If there is an older version used for some reason, it’s up to the server administrator to update required jar-files.

This is tested with unifi-video 3.10.13 & unifi 5.14.23-13880-1, running on Debian 11.

unifi (5.14.23-13880-1)

Download log4j v2.12.4 (last version supporting Java 7) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.12.4/apache-log4j-2.12.4-bin.tar.gz)

Extract to temporary location, copy original files to a backup location & following downloaded files in their place:
log4j-api-2.12.4.jar -> /usr/lib/unifi/lib/log4j-api-2.12.1.jar
log4j-core-2.12.4.jar -> /usr/lib/unifi/lib/log4j-core-2.12.1.jar
log4j-slf4j-impl-2.12.4.jar -> /usr/lib/unifi/lib/log4j-slf4j-impl-2.12.1.jar

Restart unifi -service.

unifi-video (3.10.13)

Download log4j v2.3.2 (last version supporting Java 6) from Apache (https://www.apache.org/dyn/closer.lua/logging/log4j/2.3.2/apache-log4j-2.3.2-bin.tar.gz)

Extract to temporary location, copy original files to a backup location & following downloaded files in their place:
log4j-api-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-api-2.1.jar
log4j-core-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-core-2.1.jar
log4j-slf4j-impl-2.3.2.jar -> /usr/lib/unifi-video/lib/log4j-slf4j-impl-2.1.jar

Restart unifi-video -service.

Amateurs journey to RC-cars – part 7

 Something else, Uncategorized  Comments Off on Amateurs journey to RC-cars – part 7
May 122020
 

Recap (part 6)

ION broke down more (driveshaft, diff cup inside differential) and requires even more spare parts (pinion gear, spur gear) to prevent future downtime. A979-A is still going on strong.

Plan for this week

Maverick ION XT

Get ION fixed, parts should arrive tomorrow.

Also, found out the OEM manufacturer of the car so maintenance should be a bit cheaper in the future (different brand, ~same parts), and a nice selection of metal parts (diff cup, drive shaft) that might be a more permanent fix for these easily broken parts. Those metal A979-A dogbones should also be compatible, so that’s a quick fix regarding those.

Then, find out the largest LiPo -battery that fits in the car, install it with LiPo Low Voltage Buzzer, and enjoy the summer. And write part 8 where everything is fine.

Wltoys A979-A

Install upgraded battery pack and declare that part of the project ready…until there’s a need to buy RC car for a relative (or upgrade to a bigger one) and then this journey will be revisited.

Budget

Did I stay in the original budget? No, but quite close.

Maverick ION XT: 119€
1600mAh battery with Tamiya mini -plug: 20€
Maverick spare parts: 36,30€
Total: 139€ / 175,30€

Wltoys A979-A: 69€
1100mAh battery with JST -plug: 15,90€
Wltoys spare parts: 4,20€
Total: 84,90€ / 89,10€

Thor 6A Mini charger: 49€
Charging cable (JST): 6€
Total: 55€

Total without spare parts: 278,90€ (+ shipping costs)
Total with spare parts: 319,40€ (+ shipping costs)

(Maybe) final words

After a week, with some mixed feelings. Well, learned a lot new things.


Maverick ION XT is still a great car, but unfortunately just feels quite fragile. Waiting for the upgraded 1600mAh battery to see what difference it makes. But generally I’m quite happy with this.

Wltoys A979-A is better value for money, just replace original battery with a better one and off you go, it has held up against the same environment where ION broke down. My special one is really happy with this.

I’d sincerely like to thank Robbis Hobby Shop (rhs.fi) for their expertise and extreme speed on deliveries and replying to a newbie questions.

Part 6

Amateurs journey to RC-cars – part 6

 Something else, Uncategorized  Comments Off on Amateurs journey to RC-cars – part 6
May 112020
 

Recap (part 5)

Converted ION temporarily to RWD and debugged A979-A LiPo -compatibility and original LiFe-battery-setup.

Daily disappointment

Monday – decided to go for a spin on a nearby lot with tarmac and gravel. Drove ION there, doing donuts, having fun, and on the edge of the lot it suddenly started just making a bad noise and stopped running. Back differential was not working and I had no tools with me to debug further.

Oh well, que in A979-A, switch it o..oh, it was already on, great, dead battery.

ION debug

After taking the car apart, I found out that differential was fine, it just had a piece of diff cup in it that had broken out. Easy fix, just disassemble it, pick out extra pieces, reassemble and ready to go – since now i had two broken diff cups and two that were still ok -> car was rebuilt in RWD-configuration.

Bigger problem was that driveshaft was also in two pieces. And a pinion gear in the motor was touching only 50% of spur gear attached to the drive shaft, so they were/will be broken soon.

Quick message and the pieces were added to the package. So “replacement battery” has become so far “replacement battery and a lot of spare parts, and another LiPo-upgrade to A979”. Made sure there’s also dogbones for A979-A – though those are made of metal and probably wont break so easily.

Repair backlog

Broken parts so far in Maverick ION XT:
1x driveshaft
2x diff cup
1x dogbone
1x pinion gear (or soon will be)
1x spur gear (or soon will be)

Broken parts so far in Wltoys A979-A:
1x Monster trucky bodyshell (cosmetic problem, scratches since this rolls quite easily over while driving on tarmac – and does flips)

Part 5 <-> Part 7

Amateurs journey to RC-cars – part 5

 Something else, Uncategorized  Comments Off on Amateurs journey to RC-cars – part 5
May 092020
 

Recap (part 4)

Got wrong battery for ION, supercharged A979 with a new battery, got worried about it, crashed ION and broke it.

Wltoys A979-A LiPo-thoughts

Prequel

Advertisement (box) says car has Li-Ion battery. Car came with a LiFe -battery. Ordered replacement is a LiPo -battery, but how does this matter?

LiPo -batteries are known for actually breaking if they’re discharged too much, but what actually is “too much”. After reading some articles it was common that the safe “cut-off” -point is above 3.0V/cell (most common was 3.3V), since <3.0V starts causing damage to the battery. But since the car came with LiFe -battery (and advertised Li-Ion)…

Fortunately there are audible alarms (LiPo Low Voltage Buzzer) that are plugged into the balance cable on a LiPo -battery and they go off when the cell voltage is too low, so I added that to my “these are needed” -list.

Original LiFe-battery runtime

The new charger has a nice feature which shows the current voltage in different cells (on LiFe & LiPo -batteries), and after running that 750mAh LiFe -battery dry, it showed 3.15V + 3.15V = 6.3V – and running LiPo -battery empty it showed the same voltage.

Nominal voltage on the original battery (printed on the side) is 6.4V – but LiFe -batteries are made out of series of 3.3V cells, so nominal voltage should be 6.6V…dunno, maybe they are 3.2V cells. And when LiFe-battery is full it would read 7.2V (3.6V/cell), minimum safe voltage is about 2.6-2.9V/cell, so that would be 5.2-5.8V.

At least this car has safety cut-off that cuts power just below the advertised nominal voltage of the attached LiFe-battery, instead of closer to the minimum safe voltage -area. No wonder the original battery runtime is a bit disappointing since power is cut off quite early, but might be on purpose since LiFe-battery voltage is quite constant until battery is empty.

Li-Ion/LiPo -compatibility

Since we have a cut-off at about 3.15V/cell, safety zone for LiPo is 3.0-3.3V and Li-Ion is 2.9-3.2V. This is quite close enough for LiPo, so Low Voltage Buzzer is unneeded in my opinion – as long as car is switched off and the battery is not drained any longer. And this device really enjoys being powered with LiPo.

ION temporary RWD-conversion

Since the car was not fun to drive as 3WD (steered hard when throttling/braking), I decided to disassemble it a bit and make it temporarily RWD by removing the other dogbone also from the front. Pair of pliers, detached steering link and suspension from their ball studs and removed dogbone. Connected everything back and now I had a “make a donut” -machine.

Part 4 <-> Part 6

Amateurs journey to RC-cars – part 4

 Something else, Uncategorized  Comments Off on Amateurs journey to RC-cars – part 4
May 082020
 

Recap (part 3)

Cars arrived, enjoyed how they handled, disappointed by battery runtime, decided to get spare batteries and a charger.

Delivery

Parts arrived on Thursday afternoon, picked up the package and started unwrapping and found a wrong battery for ION (800mAh) instead of the ordered one (1200mAh). Notified the seller who asked for a photograph and promised to figure out on Friday how I got a wrong model and how to solve the issue.

Wltoys battery was completely different looking from the one that arrived with the car – even though model(range) was the same. Box of the car said that original battery was Li-Ion, battery itself (by googling the model) revealed that type was LiFe and the 1100mAh replacement was LiPo, and physically the right size.

Charger

Decided to purchase “Thor 6A Mini balance” that supported wide range of different batteries, and was a good choice – since now suddenly there were NiMH, LiFe and LiPo batteries being handled.

Second impressions

Decided to take a run on tarmac, after charging the batteries – to figure out if that 1100mAh replacement makes a difference. In short: about the best upgrade ever – stopped speedruns after 10 minutes since engine was getting hot and I wasn’t sure what happens to the battery if I run it totally empty. Felt a bit like ION was being left in the dust on speed-front, but fortunately it still handled better on hard surface – until crashing.

First breakage

Full speed turn, roll and a crash to a tree. Back on wheels but something was off – on low speed, trim fixed the leaning to other side and felt okay – but on full throttle &/ brake and the car was all over the place.

Took a look at it and oh behold, 4WD had become 3WD, something was missing and a front wheel was spinning free. No wonder it was weird to drive.

Spares

Time to find out what was broken, and go thorough interestingly named spare part catalogues – luckily ION as great instruction manual with full list of parts and a picture where they are around the car. I was missing parts called a dogbone and a diff outdrive.

Decided to add those parts to the same order where a replacement battery (1200 was upgraded to 1600mAh version) was being delivered, with some other adapters that were also needed.

Part 3 <-> Part 5

Amateurs journey to RC-cars – part 3

 Something else, Uncategorized  Comments Off on Amateurs journey to RC-cars – part 3
May 052020
 

Recap (part 2)

Figure out a store that has availability for the car and parts and find out a car that is what is wanted. Found three candidate stores, found the car I wanted, but bought two.

First impressions

Yay, like christmas, boxes full of goodies. Batteries went straight to the chargers and confirming they were full, everything was ready and backyard called.

ION was the first one to take the stage – 4WD worked well, had enough juice to drift and handled beautifully – except steering trim needed to be maxed out on one side to go straight. After going around for about 10 minutes it was time to change the car, parked ION and switched it off.

A979-A was something different, it went through places ION struggled a bit, felt more “off-roady”, but on a harder surface it wasn’t as stable. And suddenly it just stopped, with runtime barely over 5 minutes.

First disappointments

After switching the car off and on again, it ran for a short while and died again – battery was empty. Not quite surprising for such a small battery, but…I was expecting more.

First upgrades

Quite easy start, and already knew my budget was not going to hold.
– More intelligent charger, those that came with the cars were…adequate.
– Spare batteries (Maverick 1200mAh & Wltoys 1100mAh)
– Required adapters to get the batteries charged

Order placed on Tuesday evening at 23:00.

Part 2 <-> Part 4

Amateurs journey to RC-cars – part 2

 Something else, Uncategorized  Comments Off on Amateurs journey to RC-cars – part 2
May 042020
 

Recap (part 1)

1/16-1/18 sized monster truck/truggy/buggy to be run on easy off-road-terrain (gravel/grass) that has spare parts available (fast) and budget is about 250€ – which should contain also essential upgrades.

Provider

Ebay/Amazon is off-limits, at this point it takes way too long – this needs to happen “now”. Current situation with flights is a bit dire and I don’t want to wait for months (at worst) for my package – so a store from somewhere inside this country.

Did quite thorough search and found out multiple stores all around and when started going through it with more thought – the list started shrinking quite fast. Requirement for a working supply of spare parts seemed to be a key thing, surprisingly tight budget following it.

Eventually there were three store candidates left, all filling the required boxes on my shortlist – with couple last-minute extra ones: “Availability” & “Ready to Run”.

Car(s)

Going through different cars I finally ended up eyeing “Maverick ION XT” the most. It ticked all my boxes, looked nice and the manufacturer is described as “Beginner friendly RC-cars from side to side”.

After checking spare parts availability and deeming it suitable (parts available from multiple places and ~everything on the shelf, a bit premium prices though), I decided to throw in a surprise – since this selection left so much headroom on my budget, I decided to buy the second one from my list also – Wltoys A979-A Truck – to have a nice comparison, even though on the risk of going over budget when figuring out “essential upgrades”.

Maverick ION XT

Chassis: Truggy
Battery: 7.2v 1200mAh NiMH
Speed: ?
Driving time: ?
Charging time: ?
Charger: NiMH charger
Engine: MM-28 370 (Brushed)

Wltoys A979-A Truck

Chassis: Monster Truck
Battery: 6.4v 750mAh
Speed: 35 km/h
Driving time: 10 min
Charging time: about 180 minutes
Charger: USB balance charger
Engine: Brushed 390

Delivery

Order was placed 09:50 in the monday morning and the cars were ready to be picked up from the postal office on the next day at 15:00, so extremely fast delivery – just like I hoped for.

Part 1 <-> Part 3

Amateurs journey to RC-cars – part 1

 Something else, Uncategorized  Comments Off on Amateurs journey to RC-cars – part 1
May 032020
 

What to do when you have a too much time and a need to get your thoughts somewhere else, especially during these Covid-19 times.
Well, usually solution is to get a new hobby.

I visited relatives some time ago and helped their kid to fix a RC-car back into use (how to charge battery, connect it the right way, cleanup after use etc. the normal maintenance), and thought maybe I should get one also.

Que in some preliminary analysis, what are the size categories are nowadays, battery types, pricing range…and set some starting parameters.

Size

Something small that can be (technically) driven also inside the house, but big enough being able to enjoy driving outside. Smaller ones feel like hand-held-devices and larger ones rack up the cost quite fast.

Parameter: ~1/18 – 1/16

Type

Rally car? On road vehicle? Buggy? Truggy? Monster truck? Rock crawler?
After poking around I found out that usually differences between (same sized/model series) cars are the tires and body chassis – and sometimes suspension parts.

Decided that purely “on-road” is a bit too limited, off-road can be usually used on pavement also, and driving around in short grass/gravel would be the main platform. Then it’s just a matter of taste, which chassis looks nice.

Parameter: Buggy/Truggy/Monster Truck

Method of propulsion

FWD? Maybe for an on-road car.
RWD? Blasting donuts all day, that would be nice.
4WD? Getting around in a bit softer environment also.
AWD? …maybe not 6×6/8×8/etc. devices this time.

Parameter: 4WD

Battery type

This is more like “about anything goes, as it can (and probably will) be upgraded later, one way or another”. Something that doesn’t immediately break if forgotten connected/to a storage for a while would also be nice.

Parameter: NiMH/LiPo(preferred)

Maintenance

It’s going to get broken anyway, so easy access to spare parts is required.

Parameter: Serviceability is important

Budget

Something better than cheapo-supermarket-toys usually cost money, and earmark something also to essential upgrades (f.ex better battery).

Parameter: 250€ budget (car+upgrades)

Part 2

Sierra Wireless EM7345 on Debian Linux

 Hardware, Kernel and drivers, Linux, Network  Comments Off on Sierra Wireless EM7345 on Debian Linux
May 132018
 

Hardware: Lenovo ThinkPad W550s with Sierra Wireless EM7345

Software: Debian 10 (buster/testing)

Operator: Sonera (Finland)

After Debian installation the modem is recognized, but somehow a working connection just can’t be created:

# mmcli -L

Found 1 modems:
 /org/freedesktop/ModemManager1/Modem/0 [Sierra Wireless Inc.] Sierra Wireless EM7345 4G LTE

# mmcli -m 0

/org/freedesktop/ModemManager1/Modem/0 (device id '<snip>')
-------------------------
Hardware | manufacturer: 'Sierra Wireless Inc.'
| model: 'Sierra Wireless EM7345 4G LTE'
| revision: 'V1.1,11'
| H/W revision: 'unknown'
| supported: 'gsm-umts, lte'
| current: 'gsm-umts, lte'
| equipment id: '<snip>'
-------------------------
System | device: '/sys/devices/pci0000:00/0000:00:14.0/usb2/2-4'
| drivers: 'cdc_acm, cdc_ncm'
| plugin: 'Generic'
| primary port: 'ttyACM0'
| ports: 'enx000011121314 (net), ttyACM0 (at), ttyACM2 (at)'
-------------------------
Numbers | own : 'unknown'
-------------------------
Status | lock: 'none'
| unlock retries: 'sim-pin (3), sim-pin2 (3), sim-puk (10), sim-puk2 (10)'
| state: 'registered'
| power state: 'on'
| access tech: 'lte'
| signal quality: '35' (recent)
-------------------------
Modes | supported: 'allowed: 2g, 3g, 4g; preferred: none'
| current: 'allowed: 2g, 3g, 4g; preferred: none'
-------------------------
Bands | supported: 'unknown'
| current: 'unknown'
-------------------------
IP | supported: 'ipv4, ipv6, ipv4v6'
-------------------------
3GPP | imei: '<snip>'
| enabled locks: 'none'
| operator id: '24491'
| operator name: 'FI SONERA'
| subscription: 'unknown'
| registration: 'home'
| EPS UE mode: 'csps-2'
-------------------------
SIM | path: '/org/freedesktop/ModemManager1/SIM/0'

-------------------------
Bearers | paths: '/org/freedesktop/ModemManager1/Bearer/0'

# nmcli connection add type gsm ifname "" con-name 4G apn internet connection.autoconnect no
Connection '4G' (ef2b6f2d-e072-44cf-a9f8-831b79b179f2) successfully added.

# nmcli connection up 4G
Error: Connection activation failed: Unknown error

daemon.log revealed that modem got stuck on “Connect: ppp0 <–> /dev/ttyACM0” and a bit later on “Couldn’t initialize PDP context with our APN: ‘Serial command timed out'”

Problem seems to be that NCM -mode isn’t actually supported by EM7345 – even though advertised by the firmware (and H/W revision says unknown). Small confirmation for this theory is that Lenovo provides drivers for older Windows versions where MBIM isn’t natively supported.

Let’s override defaults for cdc_ncm and prefer MBIM -mode.

# cat /sys/module/cdc_ncm/parameters/prefer_mbim
N
# echo "options cdc_ncm prefer_mbim=Y" > /etc/modprobe.d/cdc_ncm.conf
# modprobe -r cdc_mbim cdc_ncm
# modprobe cdc_mbim
# cat /sys/module/cdc_ncm/parameters/prefer_mbim
Y
# systemctl restart ModemManager
# mmcli -L

Found 1 modems:
 /org/freedesktop/ModemManager1/Modem/0 [Sierra Wireless Inc.] MBIM [1199:A001]

# mmcli -m 0

/org/freedesktop/ModemManager1/Modem/0 (device id '<snip>')
-------------------------
Hardware | manufacturer: 'Sierra Wireless Inc.'
| model: 'MBIM [1199:A001]'
| revision: 'FIH7160_V1.2_WW_01.1616.01'
| H/W revision: 'XMM7160_V1.2_MBIM_GNSS_NAND_RE'
| supported: 'gsm-umts, lte'
| current: 'gsm-umts, lte'
| equipment id: '<snip>'
-------------------------
System | device: '/sys/devices/pci0000:00/0000:00:14.0/usb2/2-4'
| drivers: 'cdc_acm, cdc_mbim'
| plugin: 'Sierra'
| primary port: 'cdc-wdm0'
| ports: 'wwp0s20u4 (net), cdc-wdm0 (mbim), ttyACM0 (at), ttyACM2 (at)'
-------------------------
Numbers | own : 'unknown'
-------------------------
Status | lock: 'none'
| unlock retries: 'sim-pin2 (3)'
| state: 'registered'
| power state: 'on'
| access tech: 'lte'
| signal quality: '35' (recent)
-------------------------
Modes | supported: 'allowed: 2g, 3g, 4g; preferred: none'
| current: 'allowed: 2g, 3g, 4g; preferred: none'
-------------------------
Bands | supported: 'unknown'
| current: 'unknown'
-------------------------
IP | supported: 'ipv4, ipv6, ipv4v6'
-------------------------
3GPP | imei: '<snip>'
| enabled locks: 'fixed-dialing'
| operator id: '24491'
| operator name: 'FI SONERA'
| subscription: 'unknown'
| registration: 'home'
| EPS UE mode: 'csps-2'
-------------------------
SIM | path: '/org/freedesktop/ModemManager1/SIM/0'

-------------------------
Bearers | paths: 'none'

# nmcli connection up 4G
Error: Timeout expired (90 seconds)

…but still not quite there.
This time daemon.log says that the modem was stuck in 3GPP Registration state loop, idle -> registering -> home -> idle.

Reason for this behavior is Sonera, which (still) doesn’t support IPv6, and somehow fails the handshake if IP type ipv4v6 is offered first. Debug was done by running simple-connect manually:

# systemctl restart ModemManager
# mmcli -m 0 --simple-connect="apn=internet,ip-type=ipv4"
successfully connected the modem
# mmcli -m 0 --simple-disconnect
successfully disconnected all bearers in the modem
# systemctl restart ModemManager
# mmcli -m 0 --simple-connect="apn=internet,ip-type=ipv4v6"
error: couldn't connect the modem: 'Timeout was reached'
# systemctl restart ModemManager
# mmcli -m 0 --simple-connect="apn=internet,ip-type=ipv4"
successfully connected the modem
# mmcli -m 0 --simple-disconnect
successfully disconnected all bearers in the modem

So, how to translate this to network-manager actually handling the connection? Luckily just ignoring IPv6 altogether changes ip-type -setting, so (with nmcli) this is quite easily fixable:

# nmcli connection modify 4G ipv6.method ignore
# nmcli connection up 4G
Connection successfully activated (D-Bus active path: /<snip>)

…and finally, a working connection.