The acropalypse Vulnerability

First what is acropalypse?

Acropalypse is a vulnerability in Google’s markup editor (and Windows Snipping Tool). It allows an attacker to recover parts of a cropped or marked up image.

https://en.wikipedia.org/wiki/ACropalypse

There are a couple specific steps you have to follow for the bug to happen.

  1. Take a screenshot
  2. Save screenshot
  3. Crop or markup screenshot in Google Markup or the Windows Snipping Tool
  4. Save screenshot with the same name as original screenshot

The bug is when you save the cropped screenshot with the same name, it overwrites the original file, but the markup tools are not resizing or truncating the file. Meaning that there is extra data in the screenshot.

For example in the following two screenshots, notice the size and dimensions

Here is the first screenshot

The second screenshot shows smaller dimensions because it was cropped, but the size is still the same.

Am I affected?

Potentially. Most images are reprocessed if they are being uploaded to a web service. Discord only started doing that in January. So if you have images on Discord before then, you may want to look into that.

You also have to specifically overwrite the original screenshot image. If you don’t normally save the image first you may be fine. Never hurts to check though.

https://acropalypse.app/

Is macOS or iOS affected?

macOS and so presumably iOS, appear to properly resize the image after cropping has taken place. That would lead me to suspect that iOS and macOS devices are not vulnerable to a variant of apocalypse.

Twitter Post about acropalypse.

Mikrotik DHCP Server Lease Script Variables

The following variables are usable inside of the DHCP-Server script tab.

  • leaseBound – set to “1” if bound, otherwise set to “0”
  • leaseServerName – dhcp server name
  • leaseActMAC – active mac address
  • leaseActIP – active IP address
  • lease-hostname – client hostname
  • lease-options – array of received options

The DHCP server script runs every time there is a new lease, or a lease expires. Doesn’t look to run when static leases renew.

DHCP Server Scripts

https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server#General

Mikrotik Script – Send Webhook when Power Fails on PSU

The goal for this script is to alert us if a remote site looses power. We can do this using a Mikrotik that has two PSUs. One is plugged into battery backup and the other in the non battery plug.

In this example, we are using PSU2 “number 8” We can find the number using

/system/health/print

We can now create a new scheduler entry with the following. Change out the number 8 to your PSU number, and change the webhook to your Teams webhook.

:local curState [system/health/get value-name=value  number=8]
:local name [/system/identity/get value-name=name]
:local webhook "https://teams.webhook.microsoft.com/webhook/more"

if ($curState != $lastState) do={
if ($curState = "ok") do={
/tool fetch http-method=post http-header-field="Content-Type: application/json" http-data="{\"text\": \"$name : Power is on.\"}" url="$webhook"
}
if ($curState != "ok") do={
/tool fetch http-method=post http-header-field="Content-Type: application/json" http-data="{\"text\": \"$name : Power is off.  On battery backup\"}" url="$webhook"
}
:global lastState $curState
}

Set to the appropriate interval (i.e. 5 minutes). The script will only alert once when the power state changes. This minimizes receiving an alert every 5 minutes while the power is off.

Mikrotik DHCP Scripts

The purpose of these scripts is to update the local DHCP lease table with a remote IP Address Management (IPAM) system.

Scheduler Script

This little script is added to the scheduler and goes through the entire DHCP lease table and uploads each MAC address and IP address pair to a website.

Change out the top three variables. May also need to change out the URL depending on how the website receives data.

:local url "upload.incredigeek.com"
:local username "myapiuser"
:local password "passwordforapiuserwebsite"

/ip/dhcp-server/lease/
:foreach i in=[find] do={ :put ([get $i address]." ".[get $i mac-address])
:local ipaddress ([get $i address])
:local macaddress ([get $i mac-address])
/tool fetch url="https://$url/api/v1/network/ipam/dynamic_ip_assignment?ip_address=$ipaddress&mac_address=$macaddress&expired=0" mode=https keep-result=no user=$username password=$password
:delay 1s;
}

DHCP Script

This script is to be used on the DHCP server script. Can add it by going to DHCP Server -> DHCP -> Double Click Server -> Script

Any time a new DHCP lease is obtained, this script is fired. Note that some of the variables like $leaseBound are specific to the script being used by the “DHCP server”

Also helpful to note that the script only runs if a new lease is obtained, or a lease expires and it disappears from the leases page. A DHCP renew does not trigger the script.

:local username "myapiuser"
:global password "myapipassword"
:global url "upload.incredigeek.com"

# The maximum retries
:local max 60
:local attempts 0
:local success 0
:do {
  :set attempts ($attempts+1);
  :if ($leaseBound = 0) do {
    :do {
      /tool fetch url="https://$url/api/v1/network/ipam/dynamic_ip_assignment?ip_address=$leaseActIP&mac_address=$leaseActMAC&expired=1" mode=https keep-result=no user=$username password=$password
      :set success 1;
    } on-error={
      :log error "DHCP FAILED to send unassignment to $url on attempt $attempts out of $max for $leaseActMAC / $leaseActIP";
      :delay 10s;
    }
  } else {
    :delay 1s;
    # see note below
    :local remoteID [/ip dhcp-server lease get [find where address=$leaseActIP] agent-remote-id];
    :do {
      /tool fetch url="https://$url/api/v1/network/ipam/dynamic_ip_assignment?ip_address=$leaseActIP&mac_address=$leaseActMAC&expired=0" mode=https keep-result=no user=$username password=$password
      :set success 1;
    } on-error={
      :log error "DHCP FAILED to send assignment to $url on attempt $attempts out of $max for $leaseActMAC / $leaseActIP";
      :delay 10s;
    }
  }
  :if ($success) do {
    :log info "DHCP lease message successfully sent $leaseActMAC / $leaseActIP to $url";
    :set attempts $max;  # break out of the do..while loop
  }
} while ( $attempts < $max )
}

Send Post Webhook Message to Teams from Mikrotik RouterOS

The following is the correct syntax needed to send a message to Microsoft Teams from a Mikrotik router. You will need a valid Teams webhook to send to.

Change “Test Message” out for your message. You should receive a “status: finished” response.

/tool fetch http-method=post http-header-field="Content-Type: application/json" http-data="{\"text\": \"Test Message\"}" url=https://domain.webhook.office.com/webhook/long/string

https://help.mikrotik.com/docs/display/ROS/Fetch

Redirect website HTTP to HTTPS using the .htaccess file

The following can be added to the .htaccess file to redirect all http request to https.

RewriteEngine On
RewriteCond %{HTTPS} off  
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteEngine On – Allows the rewrite capabilities. If it was off, the last rule “RewriteRule” would not work.
RewriteCond – This is a conditional that says if the current request is using HTTPS, don’t rewrite. If this option was not here, we would get an infinite redirect loop.
RewriteRule – This is the actual rule that rewrites or redirects any HTTP request to HTTPS. the R=301 means that it redirects using a 301 status code.

The following links provide more detail and info on htaccess redirects.

https://linuxize.com/post/htaccess-force-https/

https://www.redhat.com/sysadmin/beginners-guide-redirects-htaccess

Running tcpdump on Ubiquiti Airmax Equipment

Ubiquiti Airmax gear has tcpdump included. We can easily use it to capture packets to a file and then use SCP from the device to copy the file for analysis.

SSH to the device

ssh ubnt@192.168.1.20
cd /tmp/

Start tcpdump with the following command. Change ath0 and file.cap to the appropriate interface and file name.

tcpdump -i ath0 -w file.cap

After we are done collecting, we can quit with ctrl + c

Now we can use scp or sftp to copy the files off. There is an issue using scp or sftp from a normal Linux machine to the radio, fails with a “sh: /usr/libexec/sftp-server: not found”. It works fine if you initiate scp from the radio.

scp /tmp/file.cap username@remoteip:~/

Raspberry Pi – Blink Light – Python

A Simple Python script to blink a Raspberry Pi LED.

import RPi.GPIO as GPIO
from time import sleep

GPIO.setwarnings(False)
GPIO.setmode(GPIO.BOARD)  # Uses the physical pin numbering
GPIO.setup(7, initial=GPIO.LOW)  # Set GPIO pin to off

while True:
    GPIO.output(7, GPIO.HIGH)
    sleep(0.2)
    GPIO.output(7, GPIO.LOW)
    sleep(0.2)

Change pin numbers as needed.

We can also do this with BASH.

Control LED using BASH

Recover Password out of FileZillla Site Manager

Open up FileZilla, for to the Site Manager, right click on the entry you want, and export it. This will export all the settings for the site(s).

Once exported, open the XML file. Look for the Pass encoding field. Copy the base64 encoded password. Its the text highlighted in yellow. Yours should be longer.

FileZilla Base64 Encoded Password

Decode base64 encoded password. We can do this using the built in linux base64 utility. You can use also use python.

echo -n dWJudA== | base64 -d && echo ""

Result returns the password which is “ubnt”