Arbitrary code execution: Package Manager edition
-
@anonymous234 said in Arbitrary code execution: Package Manager edition:
@PJH Unless by "terminal" you mean one of those hardware devices from the 80s, your computer screen most likely can display graphics next to the text.
@dkf said in Arbitrary code execution: Package Manager edition:
@anonymous234 So you're going to require someone to get a GUI working in order to use ssh, even on bridging systems? Way to go increasing the dependency list and complexity for real users.
@another_sam said in Arbitrary code execution: Package Manager edition:
Here's how to display a graphical image, after you've found the headers (C is a shitty language) and linked to the library at both compile-time and run-time:
/* Fucked if I know, too long since I ran screaming from Xlib, but you need to create windows and shit */
But why can't plain old text-based terminals support graphics?
http://web.archive.org/web/20140521194225/https://pypi.python.org/pypi/PySixel/0.1.5
If you want to view a SIXEL image, you have to get a terminal which support sixel graphics.
Now SIXEL feature is supported by the following terminals.
RLogin (Japanese terminal emulator) http://nanno.dip.jp/softlib/man/rlogin/
tanasinn (Works with firefox) http://zuse.jp/tanasinn/
mlterm: Works on each of X, win32/cygwin, framebuffer version. http://mlterm.sourceforge.net/
XTerm (compiled with --enable-sixel option): You should launch xterm with "-ti 340" option. the SIXEL palette is limited to a maximum of 256 colors. http://invisible-island.net/xterm/
DECterm
Kermit
WRQ Reflection
ZSTEM
-
@another_sam said in Arbitrary code execution: Package Manager edition:
@dcon What's the difference to non-nerds or even nerds who have no familiarity with Windows GUI programming?
It's a very simple system provided dialog that only contains plain text and buttons (ok, ok/cancel, yes/no, abort/retry/cancel, etc)
-
@dcon said in Arbitrary code execution: Package Manager edition:
It's a very simple system provided dialog that only contains plain text and buttons (ok, ok/cancel, yes/no, abort/retry/cancel, etc)
But you must be able to have graphics in a message box.... </whine>
-
@PJH said in Arbitrary code execution: Package Manager edition:
But you must be able to have graphics in a message box.... </whine>
That's what the emoji are for. :) :( :p (alas, that's not my public key signature…)
-
@dcon it's not just text and buttons; you also have the option of including one of a handful of different icons.
-
@anotherusername said in Arbitrary code execution: Package Manager edition:
But why can't plain old text-based terminals support graphics?
Oh hell, I remember that stuff. It sucked.
-
@dkf what, you remember sixel graphics? Regardless of whether they sucked, it'd be adequate to simply display an image representing the key, right? And it looks like some of the common terminal clients already support it.
-
@anotherusername See, they had it figured out 33 years ago. Text and pixels are just bytes, if you can send one, you can send the other one.
-
@anotherusername said in Arbitrary code execution: Package Manager edition:
@dcon it's not just text and buttons; you also have the option of including one of a handful of different icons.
Well yeah. I wasn't going to outline every permutation! ... Ok I will
-
@dcon said in Arbitrary code execution: Package Manager edition:
@anotherusername said in Arbitrary code execution: Package Manager edition:
@dcon it's not just text and buttons; you also have the option of including one of a handful of different icons.
Well yeah. I wasn't going to outline every permutation! ... Ok I will
Hey, that's actually a pretty good, brief, complete, description:
Displays a modal dialog box that contains a system icon, a set of buttons, and a brief application-specific message, such as status or error information. The message box returns an integer value that indicates which button the user clicked.
-
Is it just me, or is calling this "arbitrary code execution" a bit of the "other side of the airtight hatchway" effect (MS07-052: Code execution results in code execution)?
I mean, sure, if you can get the user to install your arbitrary package, your arbitrary package will be able to execute code. That's... how packages work......
-
@flabdablet said in Arbitrary code execution: Package Manager edition:
Which is why Linux - which has had a comprehensive, usable, scriptable CLI for its entire existence, unlike Windows - is preferred by most sysadmins, given the choice.
Right; I always forget that VBScript never existed.
-
@blakeyrat said in Arbitrary code execution: Package Manager edition:
@flabdablet said in Arbitrary code execution: Package Manager edition:
Which is why Linux - which has had a comprehensive, usable, scriptable CLI for its entire existence, unlike Windows - is preferred by most sysadmins, given the choice.
Right; I always forget that VBScript never existed.
But what usable CLI would you have scripted it from?
-
@boomzilla said in Arbitrary code execution: Package Manager edition:
usable CLI
Access? It's got everything anybody will ever need.
-
@blakeyrat VBScript has many fine qualities, but a scriptable CLI it is not.
-
@ben_lubar said in Arbitrary code execution: Package Manager edition:
go get does not have this vulnerability.
No one uses it?
-
@flabdablet said in Arbitrary code execution: Package Manager edition:
VBScript has many fine qualities
I'm not sure I'd give it even that much credit.
-
@anotherusername It's reasonably well documented, and you can use it for most (but by no means all) Windows administration tasks.
-
@dkf said in Arbitrary code execution: Package Manager edition:
@anonymous234 So you're going to require someone to get a GUI working in order to use ssh, even on bridging systems?
And what about embedded systems?
-
@anonymous234 said in Arbitrary code execution: Package Manager edition:
@another_sam Well then fix Linux and C because they're broken.
-
@kt_ What's an OF embedded system?
-
@kt_ said in Arbitrary code execution: Package Manager edition:
And what about embedded systems?
Nah, fuck them.
But really though, the suggestion isn't a totally bad one, though exclusion of alternatives would be. Just as the ASCII art is another way to display the key (the hex string still exists and is displayed to clients who aren't configured for randomart), there could be a way to generate an image from the key. Basically the more capabilities the client has, the easier it is for the end user to verify the key.
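The randomart mentioned in the post above is produced by a "drunken bishop" walk over the key fingerprint. As an added illustration that is not part of the thread, here is that walk in Python, printed next to the hex string; the key blobs are constructed sample bytes, and the plain border is a simplification (real ssh-keygen output also puts the key type and hash name in the frame).

```python
import hashlib

WIDTH, HEIGHT = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^SE"   # index = visit count; 'S' = start, 'E' = end


def randomart(digest: bytes) -> list[str]:
    """Return the 9 rows (17 characters each) of the walk for a fingerprint."""
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    cap = len(SYMBOLS) - 3              # highest ordinary visit symbol ('^')
    for byte in digest:
        for _ in range(4):              # four 2-bit moves per byte, low bits first
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), WIDTH - 1)    # walls stop the bishop
            y = min(max(y, 0), HEIGHT - 1)
            if field[y][x] < cap:
                field[y][x] += 1
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2   # mark start with 'S'
    field[y][x] = len(SYMBOLS) - 1                      # mark end with 'E'
    return ["".join(SYMBOLS[v] for v in row) for row in field]


def render(key_blob: bytes) -> str:
    """Hex fingerprint plus framed art for a public key blob (SHA-256)."""
    digest = hashlib.sha256(key_blob).digest()
    frame = "+" + "-" * WIDTH + "+"
    body = ["|" + row + "|" for row in randomart(digest)]
    return "\n".join([digest.hex(), frame, *body, frame])


if __name__ == "__main__":
    # Constructed sample blobs, not real keys: one differing byte changes
    # both the hex string and the picture the user is asked to compare.
    print(render(b"constructed-sample-host-key-A"))
    print(render(b"constructed-sample-host-key-B"))
```

A client that cannot draw the picture still has the hex string on the first line, which is the fallback the post describes.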
-
@anotherusername said in Arbitrary code execution: Package Manager edition:
@kt_ What's an OF embedded system?
I seriously can't help you if you don't know, you luser.
-
@kt_ why don't you start by explaining how it's different from an embedded system.
-
@anotherusername said in Arbitrary code execution: Package Manager edition:
@kt_ why don't you start by explaining how it's different from an embedded system.
It's actually quite similar and it would be practically the same if not for the different bits.
-
@sloosecannon said in Arbitrary code execution: Package Manager edition:
@kt_ said in Arbitrary code execution: Package Manager edition:
if
*OF
If, of, who cares? What's the difference?
Paging @blakeyrat.
-
@sloosecannon said in Arbitrary code execution: Package Manager edition:
I mean, sure, if you can get the user to install your arbitrary package, your arbitrary package will be able to execute code. That's... how packages work......
They are talking about installation steps that allow arbitrary code execution. The code is executed at installation time, frequently with root credentials.
-
@anotherusername I did not know about this 3-decade old technology. TIL.
-
@dcon You still haven't explained how I, a user of a computer, can tell the difference between a dialog that's magical and will copy the entire text of the dialog if I hit Ctrl-C, and one that is less magical.
-
@another_sam said in Arbitrary code execution: Package Manager edition:
@dcon You still haven't explained how I, a user of a computer, can tell the difference between a dialog that's magical and will copy the entire text of the dialog if I hit Ctrl-C, and one that is less magical.
If you press ctrl+c and get text in the clipboard, you know!
ctrl+c of that:
[Window Title]
Notepad
[Main Instruction]
Do you want to save changes to Untitled?
[Save] [Don't Save] [Cancel]
-
@dcon said in Arbitrary code execution: Package Manager edition:
If you press ctrl+c and get text in the clipboard, you know!
Useless advice that doesn't help me know before I take both the copy and paste actions, but I gave you a like anyway because I laughed.
-
@another_sam said in Arbitrary code execution: Package Manager edition:
@dcon said in Arbitrary code execution: Package Manager edition:
If you press ctrl+c and get text in the clipboard, you know!
Useless advice that doesn't help me know before I take both the copy and paste actions, but I gave you a like anyway because I laughed.
I almost left the reply at that! Then I decided to find an example of a message box - tho that one is not quite standard - save/don't isn't a standard msg box button. But that is what they look like (on win10). Sometimes with an icon on the left.
-
@boomzilla said in Arbitrary code execution: Package Manager edition:
usable CLI
Contradiction in terms
-
@Jaloopa said in Arbitrary code execution: Package Manager edition:
@boomzilla said in Arbitrary code execution: Package Manager edition:
usable CLI
Contradiction in terms
Sad Cat downvotes you.
-
@boomzilla yes, it is sad that there's no such thing as a usable CLI
-
@Jaloopa said in Arbitrary code execution: Package Manager edition:
@boomzilla yes, it is sad that there's no such thing as a usable CLI
Have you tried Linux instead of whatever Windows is providing these days?....
-
@PJH several times. It never ends well
-
@Jaloopa, ah - perhaps you should stay away from sudo and su -c then...
-
@PJH I stay away from Linux, which works for me.
This morning, I saw a notification that my Windows 10 had downloaded an update and needed to restart. It was scheduled for a time that would be OK, but since I wasn't shooting aliens I told it to go ahead and do it now
-
@Jaloopa said in Arbitrary code execution: Package Manager edition:
It was scheduled for a time that would be OK, but since I wasn't shooting aliens I told it to go ahead and do it now
I take it you weren't presenting the weather either?
-
@Jaloopa said in Arbitrary code execution: Package Manager edition:
@boomzilla said in Arbitrary code execution: Package Manager edition:
usable CLI
Contradiction in terms
A CLI can be pretty usable, if it has consistent syntax, consistent and descriptive command names, and various discoverability mechanisms.
On the other hand, if you look at the syntax of linux commands like tar, dd or motherfucking ps you'll find a perfect example of how not to make CLIs. And if you look at shell scripts you'll see why string substitution is not a good way to process variables.
-
@anonymous234 said in Arbitrary code execution: Package Manager edition:
if you look at the syntax of linux commands like tar
Fucking tar. The day I started using the mnemonic of a small angry French man telling tar to "eXtract Ze Files!" tar became 500% more usable.
Software tools should not need just-so stories. Just saying.
-
@anonymous234 said in Arbitrary code execution: Package Manager edition:
A CLI can be pretty usable, if it has consistent syntax, consistent and descriptive command names, and various discoverability mechanisms.
On the other hand, if you look at the syntax of linux commands like tar, dd or motherfucking ps you'll find a perfect example of how not to make CLIs. And if you look at shell scripts you'll see why string substitution is not a good way to process variables.
When you hear the word "man", do you think "human being of the adult male variety"? If so, congratulations, you're a normal person who speaks normal English.
Do you think "shorthand for mankind, or humans in general"? If so, congratulations, you're a normal person who speaks normal English.
Do you think "documentation"? If so, your brain is not braining properly.
-
@masonwheeler said in Arbitrary code execution: Package Manager edition:
@anonymous234 said in Arbitrary code execution: Package Manager edition:
A CLI can be pretty usable, if it has consistent syntax, consistent and descriptive command names, and various discoverability mechanisms.
On the other hand, if you look at the syntax of linux commands like tar, dd or motherfucking ps you'll find a perfect example of how not to make CLIs. And if you look at shell scripts you'll see why string substitution is not a good way to process variables.
When you hear the word "man", do you think "human being of the adult male variety"? If so, congratulations, you're a normal person who speaks normal English.
Do you think "shorthand for mankind, or humans in general"? If so, congratulations, you're a normal person who speaks normal English.
Do you think "documentation"? If so, your brain is not braining properly.
Now to what Google thinks of you. Do you get different results for man yes and yes man?
-
@PJH said in Arbitrary code execution: Package Manager edition:
man yes
When a man says Yes to his wife despite not listening to what she just said
-
@dcon said in Arbitrary code execution: Package Manager edition:
@another_sam said in Arbitrary code execution: Package Manager edition:
@dcon said in Arbitrary code execution: Package Manager edition:
If you press ctrl+c and get text in the clipboard, you know!
Useless advice that doesn't help me know before I take both the copy and paste actions, but I gave you a like anyway because I laughed.
I almost left the reply at that! Then I decided to find an example of a message box - tho that one is not quite standard - save/don't isn't a standard msg box button. But that is what they look like (on win10). Sometimes with an icon on the left.
If you mean using the classic MessageBox API, you'd be correct.
However, Windows Vista introduced a new API called TaskDialog that was intended to replace it. This API is used widely in Microsoft's own programs including the OS itself (Vista, 7, 8, 10).
-
@Jaloopa said in Arbitrary code execution: Package Manager edition:
@PJH I stay away from Linux, which works for me.
This morning, I saw a notification that my Windows 10 had downloaded an update and needed to restart. It was scheduled for a time that would be OK, but since I wasn't shooting aliens I told it to go ahead and do it now
My computer waited 12 minutes after I logged in and had gotten everything set up and working before telling me I should reboot. But at least it told me.
-
@powerlord said in Arbitrary code execution: Package Manager edition:
@dcon said in Arbitrary code execution: Package Manager edition:
@another_sam said in Arbitrary code execution: Package Manager edition:
@dcon said in Arbitrary code execution: Package Manager edition:
If you press ctrl+c and get text in the clipboard, you know!
Useless advice that doesn't help me know before I take both the copy and paste actions, but I gave you a like anyway because I laughed.
I almost left the reply at that! Then I decided to find an example of a message box - tho that one is not quite standard - save/don't isn't a standard msg box button. But that is what they look like (on win10). Sometimes with an icon on the left.
If you mean using the classic MessageBox API, you'd be correct.
However, Windows Vista introduced a new API called TaskDialog that was intended to replace it. This API is used widely in Microsoft's own programs including the OS itself (Vista, 7, 8, 10).
Oh thanks! I was wondering how I could integrate this new and useful functionality in my own program!
-
@masonwheeler said in Arbitrary code execution: Package Manager edition:
Do you think "documentation"? If so, your brain is not braining properly.
Do I need to point out that "man" is short for "manual", a common name for documentation accompanying products including software?