Saturday, December 18, 2021

Random thoughts on log4shell

Just as I was doing my daily random YouTube video watching, I saw that one of the channels I subscribe to had put this up. It is one of the pieces of content I have found so far that made it easier for me to catch up on the details of this vulnerability.

If you prefer reading to watching a video, there's another online post about the related exploit at Fastly that is easy to read. Based on the diagram from this article, I think (maybe naively, and maybe it could be sufficient as a mitigation plan, I don't know) that having firewall rules that deny all, with allow lists, would be the best mitigation option while waiting for a patch. This stops the "query ldap" path at the first phase, so it won't have a chance to go on to the second phase of this vulnerability.

Anyway, this log4shell vulnerability has caught wide attention since last week. It has been a disastrous event for IT teams. They need to find ways to check whether their servers are impacted, and look for automated ways to detect if this log4j library exists on the machines. How serious is this? Is there a patch? While waiting for a patch, what's next? How to mitigate the risk for the time being? Are mitigations in place? What other potential risks are there? And things got more worrying when the first patch of log4j, which disabled the jndi feature, did not fix this mess completely!

I can imagine the team's reaction when the R&D team downloaded the log4j patch, applied the change to the repository, rebuilt the application/system, went through QA testing and was ready for release... Then, alas! Another log4j patch is released. As I just checked the log4j security page while writing this, a third patch has been released.

And if you are in a customer-facing support team... You will need to know what the vulnerability is about, whether it impacts the system that you are supporting, and what the recommendations are. You need to do a lot of studying while waiting for R&D's reply. And you need to make sure your customers feel secure, happy and satisfied with your response. (I am trying to imagine what the customer's expectations are. :D)

Lastly, if you are interested in knowing more about jndi, visit the tutorial here. The log4j lookup function is actually quite handy. Based on today's update for log4j 2.17.0 (the 3rd patch that I mentioned earlier), you must enable the jndi lookup in order to use this function. Like the YouTuber said, it is not a log4j bug, or a jndi problem, it's about how the function is being called/used. And of course, good coding practice, always validating/sanitizing user inputs, can avoid this!

This is not a technical post, but just my record of the thoughts that I have so far. I heard developers saying, "Why use log4j? We already drop log4j from our system, other dev team should have done the same." "We should use non-popular library so no one would target on our system." I was like... huh? Found someone that is more naive than me! Other devs out there, I just... wish you well.


Thursday, November 18, 2021

Rename files using PowerShell

I definitely miss Linux a lot. However, my main working environments are in Windows. It has been 5 years!

Just had a call with one of the customers. I needed to rename 100+ files. Sigh. During the call, I was under time pressure, and I couldn't tolerate continuous trial and error. So, I used the slowest and safest but human-error-prone way of doing it: renaming them manually, one by one.

We had a moment of silence in the call, then we suggested communicating via email to sync up. Phew, the pressure went away. So I did a quick Google search. I have tried to search for this solution several times, but I never got it right or got it to work. Probably I am still unconsciously resisting PowerShell. Anyway, recently I seem to have more luck with PowerShell!

Then, in a few minutes, I finally found the "ultimate" solution!

Get-ChildItem *.txt | Rename-Item -NewName { $_.Name -replace 'a','b' }

And then, suddenly I found out, I forgot how to do this in Linux... Sigh.

* update

This is the equivalent Linux command:

rename 's/a/b/' *.txt

Tuesday, November 16, 2021

WSL - Windows Subsystem for Linux

I am not sure how long this feature has been available in Windows 10. Recently, I went through the "Turn Windows features on or off" list again and found this. I got excited and turned it on. I have to admit, this is the best solution for me as of now, since I cannot install VirtualBox on this laptop for whatever reason or policy. :P

I did a search on Google and found this page Install WSL by Microsoft. But it says... You must be running Windows 10 version 2004 and higher (Build 19041 and higher) or Windows 11. I checked my system, it is running at a lower version. :(

Well, do you think it would stop me from continuing? Of course not! If you have it available in the list, of course it should be ready to use!

So I went ahead and enabled it. Then, maybe I restarted the laptop. In case you want to know how and where to enable it, follow these steps.

1. Open Control Panel
2. Click on "Programs"
3. Click on "Turn Windows features on or off"
4. A dialog box pops up; scroll to the end. You'll see this.

5. Click the checkbox beside Windows Subsystem for Linux
6. Then, maybe restart your system? (I can't recall if I did this or not)

Next, install.. I selected Ubuntu 20.04 LTS.

7. Launch Microsoft Store
8. Search for Linux
9. Click on the Linux distribution that you want to install.
10. Click on the Get button to download
11. Follow the instructions to install


One thing that doesn't work with this WSL is network-related commands. Here I list a few commands I tried which do not work, even after I installed the necessary packages.

$ show ip route
$ nmap
$ hping3

For example, with the hping3 command, you'll get the open_sockraw permission error, even if you run it with sudo!

And the best part is, you cannot reboot. :D Unless you restart your Windows. I forgot what triggered me to do the reboot...

You can run this from command prompt. Open a DOS command window, and type wsl. You will get the shell running on your DOS environment!

In case you forgot your password, try this in a DOS command window.

wsl -u root

It works like magic!

That's all for my sharing today. If you observed the screenshot earlier, I enabled the Windows Sandbox as well. It is another nice, cool feature that I use for some naughty testing! I'll find time to share it next time.

Friday, August 20, 2021

Restart a Windows server command

This is the command to restart the server immediately. Keeping a copy here for me to refer to next time.

shutdown /r /t 0

Friday, July 30, 2021





Tuesday, June 29, 2021

[A book] Lao Tze's blog




1. Compassion.
2. Frugality.
3. Not daring to be first in the world.