So, there it is an Apple Mac configured to auto login is now showing a Login screen and it doesn’t seem to like any of the usernames and passwords that we could think of. In other words we’re locked out. I haven’t done an awful lot of Mac support, but I do know that it sits on top of a BSD core and because of this I knew we’d have some options. So, of course, the first thing I did was a quick search to try and get started… this post has a lot of helpful info about what to do if you’ve lost your administrator password (setting it up so you don’t have to enter a password for administrative tasks.) But most importantly it gave instructions for getting into single user mode.

CMD+S while the Mac is booting will trigger single user mode. If you see a black screen with a lot of text you’re in good.

The first thing I did was an fsck of the disk to try to determine if the drive was failing (my suspicion is that could be what caused the issue. Problems on the disk found and corrected. So, that sounds promising.

I browsed around to list the /user directory to make sure I knew the username for the primary user (ls /user ) and attempted to follow the instructions for starting Systemstarter which should launch NetInfo. The only problem is I didn’t see any information that looked promising. The instructions suggested to run niutil -list . /users but that didn’t return anything. Neither did passwd username give any means of actually changing the username. (That plugs into NetInfo.)

So, I started suspecting that there was a problem with netinfo and found a logfile in /var/log for netinfo…. yes it had problems trying to retrieve entries from the database.

So… at this point I had read this thread as well talking about problems with netinfo and the possibility of deleting (or renaming the netinfo folder), but I didn’t want to be so drastic to start with. So, I thought the suggestion of keeping the database and making it go through the new user setup to add a user to the existing database might be worth trying. My plan was to setup a new user and then from within the full running system try to change the password of the other user.

Well, I deleted /var/db/.AppleSetupDone and rebooted, walked through the setup of a new user and after the “getting more info” page it essentially hung and kept just a blank gray window on the page with a greyed out continue button and a back button.

So…. it was pretty convincing that the netinfo database was, to be technical, snarfed.

So, I went back into single user mode and this time I moved /var/db/local.nidb to /var/db/local.nidb.corrupted and rebooted. I must say I held my breath a bit, but I knew the files were still there in the /user directory for this user and if there were permissions problems I could fix them back at the command line…

So… I setup a new user and then used that to add the old user back into the netinfo database. It told me there was a folder with the same name and asked if I wanted to make use of that for the home for this user and again held my breath (afraid that it would wipe it clean…) but of course, it didn’t it just churned a few minutes and finished creating the user. I logged out and back in as the old user and everything was there and in good shape. Some things about the profile had reset to defaults (from what I had last seen.) I went back in and reconfigured auto-login for the user and all seemed to be set.

Oh, and we talked about making backups to a USB memory stick because Mac hard drives can fail JUST the same as PC hard drives.

So, what caused it? I have no clue… There had been some updates installed the two days before, but I don’t know that they would have damaged the netinfo database. I’m wondering if an abrupt power failure could have been the culprit, but I don’t know.

Here are a few (systemstartup) other (vim on mac reference), references I made use of (automated login howto).

It’s an older platform, but there are still some around. I found this nice guide to troubleshooting startup issues on these versions of Mac’s OS.

Windows users know chkdsk, linux users know fsck… users of each MIGHT have heard of SMART. These are different ways of TESTING hard drives. Well, there’s also a utility called TestDisk that looks promising for recovering data… Here’s the clip from their site. “free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy.” It runs under a variety of OS’s and recognizes several different disk formats.

One of the tools I looked at having for my expanding kit has been a usb wireless adapter that would work with minimal install on Windows/Mac or Linux. As you can imagine…. it’s not as straightforward as just getting one that’s compatible with Windows…. well, after much searching I found the D-Link DWL-G122 802.11g Wireless USB adapter…. (Revision B it seems is the one to get…) Anyway, using a generic driver downloadable for the Mac it will work (from ralink http://www.ralinktech.com). On linux, you have choices (isn’t that the truth…) anyway, there is a native driver (from ralink for the RT2571W/RT2671 chipset) and there’s the rt2x00 driver project and it’s also possible (and fairly easy) to install the Windows driver via ndiswrapper.

So, if you do support for two or three different operating systems, you might want to see if you can find one of these usb keys. I managed to find this one on ebay and so far it’s been installed on a linux machine for a short period and now a Mac. All seems to work well. Next I’ll get to test it on a windows machine.

–update –
yes it works on WIndows quite well too. (I should note that although it’s a usb 2.0 wireless adapter it will work (although at a diminished speed) on a usb 1.1 port.

The revision I have that is supportable in all three is… H/W ver. B1

ah… the joys of *nix utilities…. I’ve just successfully tested a “capture” of a live, running system into a virtual disk image. No, I don’t mean that I booted up with an imaging utility. I took a live, booted and logged in system and imaged the primary hard drive that it was living on, into a file on another machine. (Yeah, I know, there are probably a few people reading this and saying they’ve done that and most people that would need to do this already know how…. sorry I missed the memo.) Not too long ago, VMWare released a tool to do something like this (that tool is for windows…) This should work on any platform that supports dd and netcat (although I’m not sure if piping output from one program to another works with a dos command shell – maybe cygwin would be a good environment to accomplish this with.) Anyway… here are the details.

I’m putting the finishing touches on a backup server and wanted to have vmware server installed and setup on it “just in case”, because with all the storage it could certainly host a virtualized mail server or something in a pinch. Well, my main concern was how to quickly and easily get an image file of a LIVE filesystem. I know I could boot up to ghost4linux or ghost4unix or something and image over a network, but that increases the downtime. Now, realistically if this were a live system you’d probably want to disable as many network services as possible first so that there wasn’t new information. This method will start at bit 0 of the drive and progress straight through. In other words, there’s no going back because something changed.

On the machine that will “receive” the image, here’s what you do…. sudo nc -l -p 9998 | dd of=testimage.img this starts netcat listening on port 9998 for data and anything it get’s will be written to testimage.img *(my first attempt at port 9999 gave the following:: Can’t grab 0.0.0.0:9999 with bind :: I suspect something else was already using port 9999.)

Ok, now on the system to be imaged… with netcat installed (and dd)… sudo dd if=/dev/hda | nc ipaddressofreceiversystem 9998 (in other words, we start up dd with the primary drive (drive to be imaged) as the input file and pipe it to netcat (telling netcat to connect to the address of our recipient system at the correct port (same as specified on the receiver.))

Now, for a 2GB test image this took, maybe 5 minutes, I didn’t time it, but it was not long. I found someone estimating about like this…. “Typically 36GB drive may take 50 minutes over 100Mbps link.” So, that might give you an idea of what kind of time to expect.

But, the file created here is not suitable for vmware to use… yet. If you have qemu-img (from the qemu emulator) you can convert it like this…. qemu-img convert testimage.img -O vmdk testimage.vmdk and then vmware can use it as an existing disk image. But if you don’t have qemu (it’s free/open source) you might download that, or try and see if vmware-vdiskmanager can convert to the vmdk from a raw image file. Scratch that, I’ve just found the vmware forums for accomplishing this and they look messy – get qemu and use qemu-img for this it will be much easier.

Vmware has launched a tool (windows only it seems) aimed to convert a REAL running system into a virtual machine. (For use with VMWare’s virtualization products. The converter also can convert images from competing virtual machine “platforms”(?) (Microsoft Virtual PC, Microsoft Virtual Server, Symantec Backup Exec System Recovery (formerly LiveState Recovery) and Norton Ghost9 (or higher) to VMware virtual machine disk format.)

Which gets me to a realization I had about a system that backs up to DVD images using mondoarchive – it should be possible to use those images to build a vmware virtual machine that should look and act like the original. Yes, I know, “duh”…. The only real limitation is likely disk space and with rapidly increasing hard drive sizes (and system boards with multiple disk i/o options like IDE AND SATA….) the possibilities become interesting flexibility and options when it comes to giving small businesses a means of migration (or an emergency backup in the instance of severe hardware failure.)

Of course with Windows systems there is the challange of hardware detection, linux systems typically don’t have the same “trauma” that windows does when the drive is “transplanted” to a new system. I continue to discover new ways to use virtualization (like vmware server.) (Both in house for testing) and for my tech support services.

If you’ve been delaying on updating with the recent Apple Mac OS X updates…. don’t, there are exploits in the wild now for at least one. It’s speculated that this code may have been in the wild before Apple released the security updates.

Apple is fixing 15 security flaws with the 10.4.8 version upgrade of Mac OS X. (There is a second update as well…. Security Update 2006-006). In typical fashion there are a bundle of issues in these updates. Several address remotely exploitable vulnerabilities.

According to Incidents.org 10.4.8 addresses the following….

- connecting to wireless networks using the EAP-FAST protocol
- Apple USB modem reliability
- using OpenType fonts in Microsoft Word
- compatibility with 3rd party USB hubs
- scanner performance
- RAW camera support
- printing documents with Asian language names
- performance of the Translation widget
- broadband network performance

That didn’t sound too bad, but some of the bad issues are lumped in to the 2006-006 security update.

Some of the remotely exploitable vulnerabilities COULD be exploited merely by a user visiting a malicious website that was specially crafted to take advantage of the flaw. Patch away.

So, I was formatting a drive the other day. It’s an external hard drive that will need to be readable AND writable by both Mac and Windows XP machines. So, the only choice (without paying for MacDrive to read/write to HFS+) is really FAT32. The drive is in the 250GB-300GB ballpark. So, I reference the maximum filesystem size and see that FAT32 supports up to 2TB filesystems. No problem. I was doing this from the Windows XP machine that would be one of the drives “hosts” and after much scratching around created and attempted to format the FAT32 partition – a LONG verification process ensued 30 minutes – 1 hour. After which…. “volume size too big” eh? Well… the format tool under Windows XP/2000 is crippled…

32 GB is the largest FAT32 partition that you can create under XP/2000. (Although they can read any size EXISTING fat32 partition.) Now, the reason they want to ENCOURAGE (force) you to use NTFS for large drives is the storage efficiency of NTFS compared to Fat32 on such large volumes. (On a larger than 32GB partition, Fat32 wastes more space if you have lots of small files compared to a similarly sized NTFS partition.)

So… a 3rd party utility is needed to get things done (a Mac might be able to do the format as well, as long as it knows it needs to share the drive between Windows/Mac).

fat32format is one downloadable option, but there are myriad gnu/linux boot cds with partitioning (and filesystem formatting software). Ranish is recommended too, as a good partition manager.

I saw a comment somewhere else that zero-day was overused and in essense ANY previously unknown vulnerability in open source software is technically zero day… the intent here though is to use the word in this context…. “vulnerability has been released without giving the vendor an opportunity to patch…” Yes, the fun vulnerability weekend seems to be continuing – there’s a javascript zdnet has coverage it’s “impossible to patch” (?) from the individuals that have publicized it. The announcement came at Toorcon.

It affects firefox on all Operating Systems it looks like and can allow for remote code execution. The only workarounds suggested are the noscript extension and the possibility of browsing in a Virtual Machine.

(10/2/06 update)

It’s starting to look like THIS story may be falling apart….

The main purpose of our talk was to be humorous.

As part of our talk we mentioned that there was a previously known Firefox vulnerability that could result in a stack overflow ending up in remote code execution. However, the code we presented did not in fact do this, and I personally have not gotten it to result in code execution, nor do I know of anyone who has.

I have not succeeded in making this code do anything more than cause a crash and eat up system resources, and I certainly haven’t used it to take over anyone else’s computer and execute arbitrary code.

I do not have 30 undisclosed Firefox vulnerabilities, nor did I ever make this claim. I have no undisclosed Firefox vulnerabilities. The person who was speaking with me made this claim, and I honestly have no idea if he has them or not.

I apologize to everyone involved, and I hope I have made everything as clear as possible.
Sincerely,
Mischa Spiegelmock

So, currently – the only flaw seems to be a remote browser crash. Still an issue, but not as bad as first claimed. Stay tuned.

–Update 10/3/06–

Now, I’m not prepared to say don’t worry about this…. as incidents.org notes DoS attacks against IE in the past have had a tendency to resurface as remote code execution vulnerabities…. so I wouldn’t be quite content with where things stand at the moment. That much said, there are many reports out now that this is a hoax.

Right now, I can say that the code presented at Toorcon apparently only leads to DoS and there have been no verifications of “30 exploits” for firefox’s javascript.

So, is firefox impervious to any and all web attacks – NO, just like any other software it has flaws, but the truth be told this does NOT appear to be the big problem we were initially led to believe. The SecurityFix has an angle on this that isn’t being covered too many other outlets. “We pretty much just wanted to have fun up there” and some other notes about their presentation and “research” on the flaw.

This leads me to conclude that they’ve pretty much succeeded in some ways towards one thing that they apparently urged people to do….

They ardently urged those in attendance to use their knowledge to “ruin things” as much as possible for Internet users.

The story of the boy that cried wolf comes to mind, ultimately crying wolf when there was none left the town defenseless when the wolf REALLY arrived. The same with computer security, we all lead busy lives and it’s important that if there’s a security problem it’s not a “crying wolf” incident. Too many incidents of JUST crying wolf over nothing and people ignore the warnings more and more. In fact, I think one reason many “average” people have such a hard time keeping their computers updated/antivirus up-to-date is the fact that there is just TOO much to keep up with. Windows, Office, Quicktime, Real player, Firefox, OpenOffice.org, AOL, Antivirus software, not to mention all the other add in toolbars and applications that people typically install. ALL these need to be kept up with updates and for many users you’ll find AT LEAST the list above installed on the system. Not to mention third party software that came with printers, digital cameras, etc. MANY times those 3rd party applications will act as a web client of sorts as well (for update notifications or who KNOWS what.) Add in to that the driver layer, like the Intel wireless drivers of recent note.

What they’ve done is muddy the waters and perhaps one more person has tuned out at this point, they found out firefox wasn’t safe and maybe it was a hoax, but many have the attitude they have nothing anyone would want to take anyway so they shouldn’t worry about computer security.

That much said, DoS vulnerabilities should be investigated and fixed, but this wasn’t quite the boogeyman it was built up to be.