cat slave diary

mostly useless crap from me

Archive for November, 2008

Diabetes: One Year To The Day


This is the one year anniversary of being diagnosed with type 2 diabetes. It’s been an interesting year, and I’ve learnt a lot about what it means to have diabetes, and it’s definitely impacted my diet.

The biggest change is a sad one for me - some of my favorites are simply not good for me. I can’t eat a bunch of stuff, including white rice (> 200 mg/dL blood glucose for even small amounts), which eliminates so many foods and makes eating commercial Asian food basically off limits. Pretty much everything white - white flour, white bread, sugar, potatoes, etc. - is off limits.

Another loss, which I feel sad about the most, is alcohol (I do have the very occasional drink, but I’ve had less than 1 litre of alcoholic drinks in the last year, mostly beer, and I usually pay at the finger jab for it too).

In some ways, knowing that I have diabetes helps explain some of the things I have had wrong with me for a while, but in other ways, I’m sort of frustrated as I’m at the very low end of the diabetic scale. My A1C has been 6.1 for several endocrinologist visits. I’ve been put on some interesting medications, including one that helped me mostly get over my needle phobia. Nothing concentrates the mind more than having to inject yourself three times a day. However, that med made me feel quite ill, so I was able to stop it.

The one disappointment is that I’ve not had much luck in losing weight, which is a key component of getting off the various medications I’m on. I really need to spend way more time at the gym as my diet is optimized to the point that I’m no longer losing weight by eating less (and different). My body is extremely good at making me awesomely tired and exhausted rather than giving up the fat reserves. The only way to beat this thing is to get the metabolism moving. I hope this time next year, I will have better news on the weight front. The good news is that I now fit into the clothes I came to the USA in, but that’s not as good as I wanted or expected of myself.

Written by vanderaj

November 28th, 2008 at 1:30 pm

Decoding wp-admin/js/revisions-js.php easter egg


From time to time, I look at WordPress, which, as you may have guessed, runs my blog. It’s had a spotty security history. If I can find something in a few minutes, I’ll help out as it’s my data at risk.

But then they go and do this:


<?php

if ( !defined( 'ABSPATH' ) )
    exit;

/** @ignore */
function dvortr( $str ) {
    return strtr(
        $str,
        '\',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ[]',
        'qwertyuiop[]\\asdfghjkl;\'zxcvbnm,./QWERTYUIOP{}|ASDFGHJKL:"ZXCVBNM<>?-='
    );
}

$j = clean_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
$n = wp_specialchars( $GLOBALS['current_user']->data->display_name );
$d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );

wp_die( <<<EOEE
<style type="text/css">
html body { font-family: courier, monospace; }
#hal { text-decoration: blink; }
</style>
<script type="text/javascript" src="$j"></script>
<script type="text/javascript">
/* <![CDATA[ */
var n = '$n';
eval(function(p,a,c,k,e,r){e= ... crap deleted ...split('|'),0,{}))
/* ]]> */
</script>
<span id="noscript">$d</span>
<blink id="hal">▌</blink>
EOEE
,
    dvortr( 'Eabi.p!' )
);

So what does it do? Let’s undo this obfuscation one thing at a time:

The Caesar Cipher was easy - I created a new PHP file with the dvortr() function and the strings to be decoded. They came out as:


Don't let this happen again. Go Back.
Danger!

The packer was also easy: I changed the code to pump out the HTML on the command line, plonked that back into Eclipse, and changed the definition of eval to alert, one of the more evil / stupid things JavaScript can get up to:


eval = alert;
eval(...)

I then copied and pasted the code in the alert pop up and re-formatted it in Eclipse.

Guess what? It’s got another layer of obfuscation, again using the same crappy Caesar cipher. Figuring out the strings and what it does is pretty easy from that point on.

Interestingly, when Firebug stumbles across code it thinks is compressed JS, it stops showing you the code. WTF? You can still step through it one line at a time, but the compressor is NOT a security mechanism, and hiding it will not stop me. I will report a bug with the Firebug team as stopping the display of JavaScript is a defect, not a feature to protect the revenues / reputations of compressors.

So, decoding in multiple passes, the final output is this:


Self-comparison detected.
Initiating infinite loop eschewal protocol.
Self destruct in... 3
2
1
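Both decoding passes described above, as an added example (not code from the original post or from WordPress). `dvortr` is ported to JavaScript using the table from the listing; instead of the `eval = alert` swap, the hypothetical `unpack()` reads the packer's arguments as text so nothing from the sample is executed, and `PACKED` is a constructed sample that assumes the inner layer calls `dvortr("...")`.

```javascript
// Port of dvortr() from the listing: a fixed one-to-one character table
// (the same two strings as the PHP strtr() call). Unlisted characters pass through.
const FROM = "',.pyfgcrl/=\\aoeuidhtns-;qjkxbmwvz\"<>PYFGCRL?+|AOEUIDHTNS_:QJKXBMWVZ[]";
const TO = "qwertyuiop[]\\asdfghjkl;'zxcvbnm,./QWERTYUIOP{}|ASDFGHJKL:\"ZXCVBNM<>?-=";
const dvortr = s => [...s].map(ch => TO[FROM.indexOf(ch)] ?? ch).join('');

// Digit alphabet the packer uses to number its dictionary words (radix up to 62).
const DIGITS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Unpack eval(function(p,a,c,k,e,r){...}('payload',radix,count,'w1|w2'.split('|'),0,{}))
// by reading its arguments as text, so no part of the sample is executed.
function unpack(src) {
  const m = /\}\('((?:\\.|[^'\\])*)',(\d+),\d+,'((?:\\.|[^'\\])*)'\.split\('\|'\)/.exec(src);
  if (!m) return null; // not in packer format
  const radix = Number(m[2]);
  const words = m[3].split('|');
  const payload = m[1].replace(/\\(['\\])/g, '$1'); // undo \' and \\ escapes
  return payload.replace(/\b\w+\b/g, tok => {
    let n = 0;
    for (const ch of tok) {
      const d = DIGITS.indexOf(ch);
      if (d < 0 || d >= radix) return tok; // not a dictionary index
      n = n * radix + d;
    }
    return words[n] || tok; // an empty entry means the token stands for itself
  });
}

// Second pass: decode every string literal passed to dvortr() in unpacked code.
const innerStrings = js =>
  [...js.matchAll(/dvortr\("([^"]*)"\)/g)].map(m => dvortr(m[1]));

// Constructed sample in packer format. It is NOT the payload elided on the page;
// the inner call to dvortr("...") is an assumption made for this example.
const PACKED = String.raw`eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0(1("2.3[4 5.6.7.8"))',9,9,'alert|dvortr|O|nu|jrmlapcorb|e|y|jy|ev'.split('|'),0,{}))`;

// The two strings from the listing, then both passes over the sample.
console.log(dvortr('Eabi.p!'));
console.log(dvortr("Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv"));
console.log(unpack(PACKED));
console.log(innerStrings(unpack(PACKED)));
```

Decoded in full, the second string from the listing is HTML containing an `href='$'` placeholder that `str_replace()` fills with `$redirect`; that markup cannot be found by searching the encoded source.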

It’s an easter egg error message when a revision comparison fails. Or something like that. This is completely unnecessary - there’s no dark secret here requiring this level of sneakiness, and it’s an excellent place for malicious folks to hide attacks.

The code is so obscure that no static analysis tool can inspect it, and no security auditor would normally take the time out to look at it, and yet it may contain an XSS or DOM injection, or it may contain malware if the download is corrupted or a fake version comes out.

I really wish that folks who think this sort of thing is necessary would really stop to think about the amount of time it took them to craft this particular gem.

It would be best to delete this - and every other WP easter egg - now before it infects any 2.7 installations. Easter eggs are incompatible with secure software.

Written by vanderaj

November 25th, 2008 at 11:17 pm