DEV Community: smac89

Reading saved firefox passwords via cli and other woes

smac89 — Fri, 16 Sep 2022 08:16:23 +0000

I was recently working from home and needed a saved password from Firefox on my dev machine at work. Seeing as the only connection I had with the remote machine was through ssh, this meant the only option I had was to retrieve the password through the commandline.

I looked online and it wasn't long before I found a tool called nss-passwords. I installed it and gave it a try:

➜ nss-passwords -d ~/.mozilla/firefox/wnhkpui2.dev-edition-default localhost:3001
| http://localhost:3001 | japoduje@mailinator.com   | oRvr2x^4#w8X@sPd |
| http://localhost:3001 | rapakejuqe@mailinator.com | veryxilu

Wow! 🎉

Crazy how it worked soo easily! No need for superuser permissions: I can just read my saved passwords...

Hold up! Wait a minute! Why was that soo easy?

Is this safe?

Well, if you are really curious like I was and don't mind reading a bit of ocaml, the main code is right here. It's been a minute since I read OCaml code, but a cursory glance through the code reveals that it looks in your firefox profile folder (the -d option) to find a file called logins.json or signons.sqlite:

(if Sys.file_exists (FilePath.concat !dir "logins.json")
 then exec_json ()
 else exec_sqlite ()
);

Here be dragons! 🐉

The exec_json function in turn reads the json file, and extracts an array called logins, which it passes to another function called json_process:

let exec_json () =
  (** I totally
      get all
      of this
  *)
  List.iter (json_process logins.logins) !queries

Each element of the array looks like this:

{
    "id": 104,
    "hostname": "https://host.com",
    "httpRealm": null,
    "formSubmitURL": "https://host.com",
    "usernameField": "email",
    "passwordField": "password",
    "encryptedUsername": "MXXXXPgAAAAAAAAAAAAAAAAAAAEwXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=",
    "encryptedPassword": "MXXXXPgAAAAAAAAAAAAAAAAAAAEwXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "guid": "{c0f43272-22a3-43db-b5bd-2d0cfbe621dd}",
    "encType": 1,
    "timeCreated": 1662743548172,
    "timeLastUsed": 1662743548172,
    "timePasswordChanged": 1662743548172,
    "timesUsed": 1,
}

At this point, I decided to attempt to replicate what the code is doing using just command-line. The reason being to see how easy it would be for some random npm package you download to run a simple command to extract your passwords, so this one liner gives us the same json array we get from the above:

find -L ~/.mozilla/firefox/wnhkpui2.dev-edition-default -name 'logins.json' -exec jq '.logins' -r {} \;

Continuing... 🕳️

The json_process function doesn't seem all too interesting. However, it calls another function called do_decrypt, which is declared as the following in OCaml:

external do_decrypt : callback:(bool -> string) -> data:string -> string = "caml_do_decrypt"

That looks like a ffi for calling a function from another language, and in this case it looks like the function is written in C:

CAMLprim value caml_do_decrypt(value callback, value data) {
  CAMLparam2(callback, data);
  CAMLlocal3(res, exn, cb_data);
  const char *dataString = String_val(data);
  int strLen = caml_string_length(data);
  SECItem *decoded = NSSBase64_DecodeBuffer(NULL, NULL, dataString, strLen);
  SECStatus rv;
  SECItem    result = { siBuffer, NULL, 0 };

  if ((decoded == NULL) || (decoded->len == 0)) {
    /* Base64 decoding failed */
    res = Val_int(PORT_GetError());
    if (decoded) {
      SECITEM_FreeItem(decoded, PR_TRUE);
    }
    {
      value args[] = { data, res };
      caml_raise_with_args(*caml_named_value("NSS_base64_decode_failed"), 2, args);
    }
  }
  /* Base64 decoding succeeded */
  /* Build the argument to password_func ((bool -> string) * exn option) */
  cb_data = caml_alloc_tuple(2);
  Store_field(cb_data, 0, callback);
  Store_field(cb_data, 1, Val_unit);   /* None */
  /* Decrypt */
  rv = PK11SDR_Decrypt(decoded, &result, &cb_data);
  SECITEM_ZfreeItem(decoded, PR_TRUE);
  if (rv == SECSuccess) {
    res = caml_alloc_string(result.len);
    memcpy(Bytes_val(res), result.data, result.len);
    SECITEM_ZfreeItem(&result, PR_FALSE);
    CAMLreturn(res);
  }
  /* decryption failed */
  res = Val_int(PORT_GetError());
  exn = Field(cb_data, 1);
  {
    value args[] = { data, res, exn };
    caml_raise_with_args(*caml_named_value("NSS_decrypt_failed"), 3, args);
  }
}

Looks like the first thing it does is to attempt to use base64 to decode the encrypted value...ok.

rv = PK11SDR_Decrypt(decoded, &result, &cb_data)

Next it is calling this PK11SDR_Decrypt function, which seems to be part of the nss library.

Well I don't have time to start digging into how all that works, but it turns out we can download a package called nss-tools, which contains a command for decrypting the encrypted values, called pwdecrypt.

Extending our commandline above, we can successfully decrypt the username and password for any given domain by doing:

find -L ~/.mozilla/firefox/wnhkpui2.dev-edition-default -name 'logins.json' \
  -execdir sh -c 'jq '"'"'.logins | .[] | select(.hostname | endswith("host.com")) | "\(.encryptedUsername)\n\(.encryptedPassword)"'"'"' -r "$1" | pwdecrypt -d .' -- {} \;

Replace host.com from the above command with an actual hostname and it will spit out the username followed by the password

Woah! ✋🏼

What a bittersweet ending. On one hand, I've just discovered a way to read my firefox saved passwords, on the other hand I've just discovered that literally any npm package I install, can run the same command to extract my saved passwords. Thankfully I don't save real passwords on Firefox, I use bitwarden password manager, and only passwords I save on FF are passwords I use for logging into dummy test accounts.

I'm also a bit confused as to why it is Mozilla who is building the libraries and tools that enables this ease of access...

Btw if you think this is a firefox issue, think again. A quick search online reveals there are tools available for Chrome (which will most likely work on Brave, Edge, and Chromium). Someone also wrote an entire medium article detailing methods of "extracting" passwords from all major browsers.

There might be hope...💡

I haven't been able to test this, but perhaps the reason it is so easy to extract the passwords is because I haven't set a master/primary password in Firefox? 🤔

Update Oct 3rd, 2022

Indeed it turns out that if you set a password, then attempting to use any of the above methods will result in a password prompt:

Using nss-passwords script:

Using the command-line option:

Lessons learned

Never store passwords on your browser
Use a dedicated password manager like IPassword, Bitwarden, Lastpass, etc
If you must store the password in the browser, then make sure to use the master password option if your browser provides one.

Better way to try...except...pass in Python

smac89 — Thu, 23 Jun 2022 04:31:00 +0000

The typical 'try, exception, ignore' pattern I see people using in python is this:

try:
  # do something that might raise
except (MyError1, MyError2, etc) as err:
  pass

If you've ever found yourself doing something like that, I'm not here to tell you to stop, instead I'll show you a better way.

Introducing `contextlib.suppress` builtin

Using suppress, we can transform the above syntax to this:
requires python 3.4+

from contextlib import suppress
with suppress(MyError1, MyError2, etc):
  # do something that might raise

And there we have it, from 4 lines to a nicely condensed 2 lines.

Advantages

What do you gain from this? Shorter, concise code which makes clear the intentions of the user to ignore the exceptions.

Disadvantages

The exception will never be visible outside of the context, therefore if you are being a good log keeper and in the habit of using logger.exception("I tried to do something"), the exception will not be shown by the logger.

Conclusion

If you are already using this pattern, then I'm assuming you know what you're doing. The disadvantage mentioned might be a blocker for some. Consult your nearest python guru if you experience any adverse effects.

Overloading vs Overriding in Typescript

smac89 — Fri, 13 May 2022 17:17:22 +0000

The main difference between overloading and overriding is this: The former is concerned with the signature of a function, whereas the later is concerned with the behaviour of a method.

Override

Override is something you do to change the behaviour of a method in a subclass. When you override a method, it is expected that you intend to change the default behaviour of the method, that was inherited from the parent class. However, the method signature should remain the same in order not to violate LSP.

Overload

Overload is something you do to functions; Not to change their behaviour*, but rather to diversify their signature. A function overload keeps the same name as the function, but it's free to introduce a different signature. You've probably seen an example of this if you come from a JavaScript background and seen functions which have parameters that can be one of two or more types:

/**
* @param {string|string[]} The object to use
*/
function stringOrArray(strOrArr) {
  ...
}

It's difficult to tell that this is a function overload because JavaScript does not have a strong enough type system to disambiguate the overloads. However, with the Jsdoc comment, we can sort of make out that this function has an overload.
With typescript we can make this overload an actual part of our function signature, instead of living in a comment.

ex.

function stringOrArray(str: string)
function stringOrArray(arr: string[])
function stringOrArray(strOrArr: string | string[]) {
  ...
}

Conclusion

The implementation of the overloaded function stays the same, but the signature is allowed to be different. In the case of overriding, the implementation can be different, but the signature has to be the same, in order not to violate the Liskov Substitution Principle.

cURL docker through sockets

smac89 — Thu, 17 Feb 2022 08:57:06 +0000

Did you know that the docker daemon exposes a gRPC api for communication OR that cURL can send data to unix sockets?

Let's see how this all works.

Docker engine

The underlying infrastructure of the docker ecosystem is the docker engine.

It is implemented using a client/server model (much like most unix tools are), and exposes its API over a gRPC interface. As usual in such model, there is usually only one server, and many clients, and the story is no different for docker.

Docker architecture. Image from https://docs.docker.com

The daemon acts as the server, while the CLI which we are all familiar with acts as one of the clients. The single point of communication is usually exposed as a unix socket, and communication is carried out via gRPC exchanging data in the form of protocol buffers.

cURL --unix-socket

It turns out that cURL is not just great for talking to HTTP servers, but it can apparently also do the same via UNIX SOCKETS.

Let's say we wanted to get the docker version currently installed; Normally you would do the following on the command line:

docker version

Using the api, we do something like

curl --silent --unix-socket /run/user/1000/docker.sock http://v1.41/version

^{Note the above socket path assumes you are running docker in rootless mode and your user id is 1000. If running docker as root, the socket is likely to be located at /var/run/docker.sock}

Which gives us:

{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"20.10.12","Details":{"ApiVersion":"1.41","Arch":"amd64","BuildTime":"2021-12-13T11:46:12.000000000+00:00","Experimental":"false","GitCommit":"459d0df","GoVersion":"go1.16.12","KernelVersion":"5.13.0-28-generic","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"v1.4.12","Details":{"GitCommit":"7b11cfaabd73bb80907dd23182b9347b4245eb5d"}},{"Name":"runc","Version":"1.0.2","Details":{"GitCommit":"v1.0.2-0-g52b36a2d"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":"de40ad0"}}],"Version":"20.10.12","ApiVersion":"1.41","MinAPIVersion":"1.12","GitCommit":"459d0df","GoVersion":"go1.16.12","Os":"linux","Arch":"amd64","KernelVersion":"5.13.0-28-generic","BuildTime":"2021-12-13T11:46:12.000000000+00:00"}

How cool is that?!

You can take this even a step further, and expose a local docker daemon, over tcp to your friends over the internet. Here is a quick example which doesn't use cURL, but rather uses ncat:

server

ncat -kl -p 2376 -c 'ncat -U /run/user/1000/docker.sock'

client

curl http://localhost:2376/version | jq

One last thing to mention is that the format of the url ex. http://v1.41/version is not strict. Any of the following would have given the same result:

http:/foo/version
http://dummy/version
http:/./version

The recommendation is to use the version of the API supported by docker as the first part of the url, then the actual commands come later.

Sources:

Custom ports in SSH config for VSCode Remote SSH

smac89 — Fri, 28 Jan 2022 17:33:52 +0000

Scenario

You want to connect to a remote workstation via VsCode, but on a different port than the default (22).

Why would you need to do this?
There could be any reason, but one that comes to mind is if the default port requires authentication using something like PAM, or Kerberos, and you only want to be bothered by entering passwords when you use the default port instead of a custom port.

Problem

By default the Vscode Remote SSH plugin uses your local ~/.ssh/config file for configuring remote connections. Let's assume that in that file, you have created a host configuration like:

Host my-company-machine
   User my-user-name
   HostName 127.0.0.1
   GSSAPIAuthentication yes

Now you would like to connect to the remote machine through VSCode's Remote SSH extension, but using a different port than the default.

Ok solution

The easy solution would be to just add the port to the config file like so:

Host my-company-machine
   User my-user-name
   HostName 127.0.0.1
   GSSAPIAuthentication no
   Port 5000

Now VScode can connect to my-company-name using port 5000 on the remote, and problem solved?

Not really because we've now removed the authentication method required for the default port.

Better solution

The manpage for ssh_config(5) lists a directive called Include, which allows us to include other ssh configs inside ours.

Furthermore, we can override configuration for host declarations found in those other configs.

The solution I propose (and which has worked for me), is to create a new config for vscode, and in that file, override the port used to connect to the remote host.

~/.ssh/config

Host my-company-machine
   User my-user-name
   HostName 127.0.0.1
   GSSAPIAuthentication yes

~/.ssh/vscode-config

Host my-company-machine
   GSSAPIAuthentication no
   Port 5000
Include ~/.ssh/config

Now you just need to change your plugin settings so that VSCode uses this new config, instead of your default one. Next time you connect to the remote host, VSCode will use port 5000, and when you connect via regular ssh from a terminal, you will use port 22 by default, (or specify a custom port via the -p option).

Forcing webpack to recompile your files

smac89 — Tue, 18 Jan 2022 04:09:56 +0000

Just today I started noticing that when my react code rebuilds, I get eslint errors in the console, but not in my IDE.

Even stranger was the fact that when I run eslint by itself in the commandline, it doesn't show that anything was wrong:

eslint --cache --format stylish --ext '.js,.jsx,.ts,.tsx' --quiet ./

What gives?

The solution

touch command to the rescue. In order to force webpack to recompile the files, they had to be changed somehow, and I wasn't prepared to manually change each file by hand, recompile, and revert the change, just to wait for another recompilation.

I simply used the touch command on Linux to "touch" all the files which were having that problem, like so:

touch src/pages/**/*.{js,jsx,tsx,ts}

shell is zsh

After running this command, webpack was forced to recompile everything and I no longer saw those pesky errors again.

Restore Windows UEFI boot

smac89 — Mon, 06 Dec 2021 06:21:03 +0000

Introduction

Sometime last week, I decided to move my entire ESP folder into a dedicated boot partition mounted at /boot. (I did this because I liked the idea of having everything boot-related in a partition for easy access when I dual boot or need any file from there). Unfortunately, I didn't attempt to reboot in order to check if anything was broken...until today

Windows boot is broken...

And by "broken", I mean that in the rEFInd boot menu, there was nothing showing for windows. It only showed my linux installation.

At first, I was sure this was an easy fix and all I had to do was boot from a linux disk image, and run the commands:

mount /dev/sda3 /mnt
mount /dev/sda1 /mnt/boot
refind-install --root /mnt

...unfortunately, that didn't work :(. Attempting to boot directly from Windows Manager also didn't work, so at this point I knew something had gone very wrong.

As my sunday evening grew into sunday night, I decided to actually stop being lazy with this fix, and discover why windows was being soo elusive.

Steps to recovery

Using the steps outlined in the arch wiki for rEFInd, I was able to get my hands on an EFI shell. Using some of the commands from the arch wiki, I was able to discover that the windows boot EFI file didn't exist anymore in the boot partition.

output of bcfg boot dump -v

Well that explains a lot!

Both rEFInd and Windows boot manager expected to find a \EFI\Microsoft\Boot\bootmgfw.efi file, but it wasn't finding it, so the boot never worked.

Step 1. Add `bootmgfw.efi` to rEFInd

Boot into Linux and mount your windows partition, then copy the existing file into where rEFInd was expecting to find it.

sudo mkdir -p /boot/EFI/Microsoft/Boot
sudo cp /run/media/smac89/Windows/Windows/Boot/EFI/bootmgfw.efi /boot/EFI/Microsoft/Boot

At this point, you will see the blue windows logo from the rEFInd boot menu, but attempting to boot from it may result in the following screen:

...if so, continue to the next step

Step 2: Get access to a windows terminal

There are many ways to do this. Pick the one that is most convenient, and proceed.

Inside the terminal type the commands:

diskpart
list volumes

Find the volume containing the boot partition, and assign it a label if it doesn't have one:

select volume N
assign letter=m

Exit diskpart

exit

Finally, we use the following command to install windows boot entries to the boot partition:

bcdboot C:\Windows /l en-US /s m: /f ALL

After running the above command, the boot partition now contains all the entries needed to boot windows.

Reboot.

Thanks for reading.

DEV Community: smac89

Reading saved firefox passwords via cli and other woes

Wow! 🎉

Is this safe?

Here be dragons! 🐉

Continuing... 🕳️

Woah! ✋🏼

There might be hope...💡

Update Oct 3rd, 2022

Lessons learned

Better way to try...except...pass in Python

Introducing contextlib.suppress builtin

Advantages

Disadvantages

Conclusion

Overloading vs Overriding in Typescript

Override

Overload

Conclusion

cURL docker through sockets

Docker engine

cURL --unix-socket

How cool is that?!

server

client

Custom ports in SSH config for VSCode Remote SSH

Scenario

Problem

Ok solution

Better solution

~/.ssh/config

~/.ssh/vscode-config

Forcing webpack to recompile your files

The solution

Restore Windows UEFI boot

Introduction

Windows boot is broken...

Steps to recovery

Step 1. Add bootmgfw.efi to rEFInd

Step 2: Get access to a windows terminal

Introducing `contextlib.suppress` builtin

Step 1. Add `bootmgfw.efi` to rEFInd