Return Styles: Pseud0ch, Terminal, Valhalla, NES, Geocities, Blue Moon.

Pages: 1-4041-

CVE-2010-5048: Remote code execution

Name: Anonymous 2010-09-05 17:34

Original release date: 09/05/2010
Last revised: 09/05/2010
Source: #sicp

Overview
progscrape changeset 42a310936c21c8896dd12b7bf2d9b0df2b07aa1c, as distributed on github.com starting on 9/5/10, contains an externally introduced modification (Trojan Horse) in the recently added threading code which allows remote attackers to execute arbitrary commands.
Description
Changesets 2e404d09524324d9433b9e560c95a40d7686349e and earlier are not affected.
Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References

External Source: MrVacBob
Hyperlink: http://twitter.com/mrvacbob/status/23031573891

External Source: Confirm
Hyperlink: http://twitter.com/Cairnarvon/status/22961802948

Name: Anonymous 2010-09-05 18:00

So. Does anyone know the best way to turn fresh hazelnuts into edible hazelnuts? We have a bunch of them.

Name: Anonymous 2010-09-05 18:06

AIBMT?

Name: Anonymous 2010-09-05 18:06

This is another Xarnthread, isn't it?

Name: Anonymous 2010-09-06 13:22

twitter
Fuck straight off.

Name: Anonymous 2010-09-06 14:29

>>5
You're visibly upset and also probably a hypocrite and a moron.

Name: Anonymous 2010-09-06 17:05

>>6
I do BBSes, and /prog/. Nothing else, especially none of that web 2.0 shit.

Name: Anonymous 2010-09-06 18:07

>>7
Hipster. Twitter is just a medium.

Name: Anonymous 2010-09-06 19:40

http://twitpic.com/2lykzm Vroom vroom.

Name: Anonymous 2010-09-06 19:44

>>8
It is a shitty medium.

Name: Anonymous 2010-09-06 19:59

>>10
So is Shiichan. That's no reason to dismiss the information spread through that medium.

Name: Anonymous 2010-09-06 20:03

>>11
Sure we can dismiss Twitter. Twitter is for named hipsters. Shiichan is for the noble anonymous.

Name: Anonymous 2010-09-06 20:15

>>12
Take your Cult of Anonymous back to the imageboards, where it belongs.

Name: Anonymous 2010-09-06 21:13

>>11
Shiichan at least allows the viewing of a complete topic, and not only one post at a time with no fucking surrounding context. Then there's the utterly stupid character limit, which is laughable considering the tremendous overhead incurred by serving all that HTML garbage around the minuscule amount of actual data.
I'm not going to get involved in a stupid conversation over whether any content on Twitter is actually worthwhile in the first place. /prog/ is a forum and serves that purpose nicely. Twitter tries to be chat, and does an awful job of it.

Name: Anonymous 2010-09-06 22:25

>>13
There is no cult of anonymous here. The point of anonymity is so that each message is judged according to its merit and not on the celebrity status of the poster. Attaching your name to a message is often vanity more than anything else.

Name: Anonymous 2010-09-06 23:28

>>15
Somewhat ironic that the person whose opinion you're regurgitating didn't bother practising what he preached.
Really, though, the blind adherence to anonymity you are advocating has significant downsides, and /prog/ is or should be intelligent enough to realize this and find the golden mean.

Name: Anonymous 2010-09-07 2:04

I think what we can all agree on is the fact that Twitter is shit.

Name: Anonymous 2010-09-07 5:24

>>17
Xarn uses it, it can't be shit.

Name: Anonymous 2010-09-07 7:06

Lain.

Name: Anonymous 2010-09-07 11:36

>>18
Xarn uses it, it must be shit.
Fixed for truth.

Name: Anonymous 2010-09-07 17:38

>>13,16
Fuck off, ``faggot''.

Name: Anonymous 2010-09-07 19:21

>>21
You just get worse and worse, don't you? At least when you started out some of your calls were defensible.

Name: Anonymous 2010-09-07 19:44

>>9
Is /prog/scrape the fastest scraper now? Are there any other ones beside http://dis.4chan.org/read/prog/1271453272/ and that ridiculous Seshup one?

Name: Anonymous 2010-09-07 20:24

>>22
Not really. Now fuck off, ``faggot''.

Name: Anonymous 2010-09-07 21:55

>>23
No, the C# one is still faster. It starts scraping threads several seconds before /prog/scrape does.

Name: Anonymous 2010-09-07 21:59

>>25
I beg to differ. It starts never, because I don't have that crap installed

Name: Anonymous 2010-09-07 22:20

>>24
Here comes the imageboard paladin.

Name: Anonymous 2010-09-07 22:33

>>25
The Seshup one manages to be even slower than single-threaded /prog/scrape was. It took exactly two hours to finish on my machine, /prog/scrape only took an hour and fifty-three minutes.
Multi-threaded /prog/scrape blows it out of the water, of course.

Name: Fuck off, !Ep8pui8Vw2 2010-09-07 22:54

>>27
Fuck off, ``faggot''.

Name: Anonymous 2010-09-08 1:32

>>28
Did you test them at the same time (so they both have the same number of posts to scrape)?
Also, the C# one takes about half as much time as multi-threaded /prog/scrape when you only have about 30 threads to update.

Name: Anonymous 2010-09-08 1:45

>>30
Did you test them at the same time (so they both have the same number of posts to scrape)?
On the same day, yes. The half-dozen or so posts /prog/scrape had to scrape that the Seshup one didn't won't make a huge difference.

Also, the C# one takes about half as much time as multi-threaded /prog/scrape when you only have about 30 threads to update.
Ridiculous lie. I know you're desperate to get people to try your scraper, Hotaru, but if it ever outperformed /prog/scrape (which I sincerely doubt), it definitely doesn't now.

What I'm actually curious about is the performance of the Postgres scraper. But not curious enough to install PostgreSQL.

Name: Anonymous 2010-09-08 2:12

Lol, web crawler performance bitchfight.

Name: Anonymous 2010-09-08 2:45

>>31
I'm not Hotaru.
With 20 threads to update:
./Progscrape.exe  9,30s user 2,91s system 69% cpu 17,561 total
./progscrape.py  2,36s user 2,06s system 9% cpu 47,162 total

Name: Anonymous 2010-09-08 10:08

>>33
lol, someone posted actual numbers.
i knew it was faster, but i didn't realize it was that much faster (and never bothered to time it).

Name: Anonymous 2010-09-08 11:44

>>33
I don't know what you did to your system, but if that last number is the time it took in seconds (and I don't know what you did to your system's time either), there's something seriously wrong with it.
/prog/scrape is consistently and considerably faster than the Seshup one on every system I've tried it on, and has the added benefit of not being written in a retarded language or by a compulsive liar.

Name: Anonymous 2010-09-08 15:44

I don't know what you did to your system, but if that last number is the time it took in seconds (and I don't know what you did to your system's time either), there's something seriously wrong with it.
It's zsh's built-in time. There's nothing wrong with my system other than it being about 10 years old. Python is just that slow.

not being written in a retarded language
Take your FIOC back to /pr/.

Name: Anonymous 2010-09-08 16:34

>>36
Python is just that slow.
You're an idiot if you think scraping /prog/ is CPU-bound. You could do it in Ruby and it would still be as fast as /prog/scrape, and faster than the Seshup one.
I noticed the Seshup one does manage to max out a CPU, but it doesn't actually do anything useful while it's doing that. Its slowness is not down to the language, but to the horrible way it was written.

I'd try to pinpoint the things it fucks up, but the code is fucking illegible. Congratulations, Hotaru, you're the new FrozenVoid.

Name: Anonymous 2010-09-08 18:42

>>37
I never said anything about CPU. It's clearly not a CPU-bound task. Either Python is just slow as fuck at networking, or the HTTP library that /prog/scrape uses is slow as fuck. Also, the C# one never maxes out a CPU on my machine.

I'd try to pinpoint the things it fucks up, but the code is fucking illegible.
Translation: There's actually nothing wrong with it, I just don't like it because it's not written in the only language I can understand.

Go read SICP, kid.

Name: Anonymous 2010-09-08 18:48

>>38
Either Python is just slow as fuck at networking, or the HTTP library that /prog/scrape uses is slow as fuck.
I'd like to preserve this bit of entertainment for future generations.

Go read SICP, kid.
That's fucking hilarious, coming from the guy who thinks Python belongs on /pr/.

Name: Anonymous 2010-09-08 18:56

Usually it's Xarn bashers who shit up potentially interesting threads related to things Xarn does. I'm not sure I prefer Seshup trolls who may or may not be Hotaru sockpuppets.

Name: Anonymous 2010-12-09 15:09

Name: Anonymous 2010-12-17 1:30

Are you GAY?
Are you a NIGGER?
Are you a GAY NIGGER?

If you answered "Yes" to all of the above questions, then GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!

Name: Anonymous 2011-01-31 19:57

<-- check em dubz
Don't change these.
Name: Email:
Entire Thread Thread List
All trademarks and copyrights on this site are owned by their respective parties. All comments and posts are the responsibility of their own posters.
- Tinychan + 2ch Mode -