Quick command to get the base-64 encoded certificate — useful for establishing trust with AD DS domain controllers
openssl s_client -connect dc5.example.com:636 -showcerts </dev/null 2>/dev/null | awk ‘BEGIN{c=0} /BEGIN CERTIFICATE/{c++} c==1{print} /END CERTIFICATE/ && c==1{exit}’
Microsoft Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (alternately referred to as MiniPlasma) is one of those findings that is a little confusing. The vulnerability appears tied to an issue Microsoft originally addressed in 2020, which raises the obvious question: if it was already patched, why is it relevant again now?
The original fix may have closed a specific exploitation path without fully eliminating the underlying bug class. The remediation may have been incomplete. Or a later code change may have reintroduced a previously fixed condition. Without updated vendor detail, it is hard to say exactly which of those happened; but the operational conclusion is the same: a system can still be exposed today even if the original 2020 patch was installed.
For environments looking for a practical mitigation, the good news is that many servers do not need Windows Cloud Files functionality at all. The vulnerable component is the Cloud Files Mini Filter Driver (CldFlt), which supports placeholder and hydration behavior used by features such as OneDrive Files On-Demand and other CfAPI-based integrations.
That makes CldFlt a viable mitigation target. If the filter is loaded but not attached to any volumes, there is a good chance it can be safely unloaded and disabled. This does not remove the driver from disk, but it does remove the active kernel attack surface associated with the running minifilter. Since this is an elevation-of-privilege issue, that distinction matters: the goal is not to claim the file no longer exists, but to prevent the vulnerable driver from being active in the system.
The following process checks whether any volumes are associated with CldFlt, temporarily unloads the filter, verifies that the system continues functioning normally, and then disables the driver persistently.
REM Check instances on CldFlt — if 0, proceed with testing disablement
fltmc filters
REM Example output:
REM Filter Name Num Instances Altitude Frame
REM —————————— ————- ———— —–
REM bindflt 0 409800 0
REM MsSecFlt 9 385600 0
REM CSAgent 9 321410.78870 0
REM storqosflt 0 244000 0
REM wcifs 0 189900 0
REM CldFlt 0 180451 0
REM FileCrypt 0 141100 0
REM UnionFS 0 130850 0
REM npsvctrig 1 46000 0
REM Wof 1 40700 0
REM Unload cldflt
fltmc unload cldflt
REM Verify stopped
sc query cldflt
REM Verify no longer in filters list
fltmc filters
REM Verify applications and expected file operations still work normally
REM If everything looks good, disable persistent startup
sc config cldflt start= disabled
After completing an in-place upgrade from Fedora 43 to Fedora 44, dnf5 failed to run with this error:
[lisa@fedora05 ~]# dnf5 update
Cannot load dnf5 plugin: /usr/lib64/dnf5/plugins/automatic_cmd_plugin.so
Cannot load shared library “/usr/lib64/dnf5/plugins/automatic_cmd_plugin.so”: libdnf5-cli.so.2: cannot open shared object file: No such file or directory
The Fedora 44 upgrade completed, and the installed dnf5 packages were all current Fedora 44 versions. However, there was a leftover plugin file still sitting in /usr/lib64/dnf5/plugins/automatic_cmd_plugin.so.
That file was not owned by any RPM package and had been built against an older library, libdnf5-cli.so.2.
But Fedora 44 had /usr/lib64/libdnf5-cli.so.3.
dnf5 was trying to load a stale plugin from before the upgrade.
These commands showed the problem:
ls -l /usr/lib64/libdnf5-cli.so*
rpm -qf /usr/lib64/dnf5/plugins/automatic_cmd_plugin.so
ldd /usr/lib64/dnf5/plugins/automatic_cmd_plugin.so
Results:
libdnf5-cli.so.3 existedautomatic_cmd_plugin.so was not owned by any packageldd showed it was looking for libdnf5-cli.so.2Remove the orphaned plugin file:
rm /usr/lib64/dnf5/plugins/automatic_cmd_plugin.so
ldconfig
dnf5 update
After deleting the stale plugin, dnf5 worked normally again.
This appears to be a leftover orphaned dnf5 plugin from before the major version upgrade. Even though the main dnf5 and libdnf5 packages were updated correctly, dnf5 still tried to load the old .so file it found in the plugins directory.
I encountered a challenge with a Kafka management tool — it supports SSO, and I was able to get an OAUTH connection set up to control what users could see when logging in through the UI, but the API component didn’t extract information from the bearer token and there was nothing in the rbac mapping to allow the bearer-token client ID to access anything.
Updates to allow the /api components to be authenticated by simple bearer tokens and a client ID mapped into a role are at https://github.com/ljr55555/kafka-ui
AuthorizationController.java was updated to properly support non-browser, machine-principal auth.
authentication.getName() is missingclient_idsubusername/api/authorization uses the same effective RBAC matching idea as the backend/api/authorization now works for bearer-token API callers and shows:
AccessControlService.javaPreviously, getUser() only worked when the authenticated principal was a RbacUser, which covered the browser/user flow.
Now it can also derive an AuthenticatedUser from opaque-token authenticated principals by extracting:
Previously, role matching was only role name matches one of user.groups(). Now it also supports role name matches user.principal(). That enables RBAC binding directly to the API client ID.
RBAC now works for:
DynamicConfigMapper.javaFixed a mapper bug.
The method mapping resource server config created a populated OAuth2ResourceServerProperties result object but always returned null.
It now returns result.
Dynamic/config mapping for resource-server settings no longer silently discards the mapped object.
To preserve the browser UI, the jar needs to be built with frontend included — which you know if you read the doc … or you take my route, start it all up, test the API successfully, and then get baffled that the user UI throws
bash./gradlew clean assemble -Pinclude-frontend=true
server:
port: 8443
ssl:
enabled: true
key-store: file:/etc/kafkaui/certs/kafbat.rushworth.us.p12
key-store-password: ${KEYSTORE_PASSWORD}
key-store-type: PKCS12
key-alias: kafbat
auth:
type: OAUTH2
oauth2:
client:
pingfed:
client-id: ${OAUTH_CLIENT_ID}
client-secret: ${OAUTH_CLIENT_SECRET}
scope:
- openid
- profile
- email
client-name: oauthclient
provider: oauthclient
redirect-uri: https://kafbat.rushworth.us:8443/login/oauth2/code/oauthclient
authorization-grant-type: authorization_code
issuer-uri: https://login.example.com
jwk-set-uri: https://login.example.com/pf/JWKS
authorization-uri: https://login.example.com/as/authorization.oauth2
token-uri: https://login.example.com/as/token.oauth2
user-info-uri: https://login.example.com/idp/userinfo.openid
user-name-attribute: username
custom-params:
type: oauth
roles-field: memberOf
resource-server:
opaque-token:
client-id: ${OAUTH_CLIENT_ID}
client-secret: ${OAUTH_CLIENT_SECRET}
introspection-uri: https://login.example.com/as/introspect.oauth2
kafka:
clusters:
- name: test
bootstrapServers: ${KAFKA_BOOTSTRAP_SERVERS}
rbac:
roles:
- name: "admins"
clusters:
- test
subjects:
- provider: oauth
type: role
value: "CN=KafbatAdmins,OU=SecurityGroups,DC=example,DC=com"
permissions:
- resource: applicationconfig
actions: all
- resource: clusterconfig
actions: all
- resource: topic
value: ".*"
actions: all
- resource: consumer
value: ".*"
actions: all
- resource: schema
value: ".*"
actions: all
- resource: connect
value: ".*"
actions: all
- resource: ksql
actions: all
- resource: acl
actions: [ view ]
- name: "${OAUTH_CLIENT_ID}"
clusters:
- test
subjects:
- provider: oauth
type: user
value: "${OAUTH_CLIENT_ID}"
permissions:
- resource: applicationconfig
actions: all
- resource: clusterconfig
actions: all
- resource: topic
value: ".*"
actions: all
- resource: consumer
value: ".*"
actions: all
- resource: schema
value: ".*"
- resource: connect
value: ".*"
actions: all
- resource: ksql
actions: all
- resource: acl
actions: [ view ]
services:
redpanda:
image: redpandadata/redpanda:v25.1.2
container_name: redpanda
command:
- redpanda
- start
- --overprovisioned
- --smp=1
- --memory=1G
- --reserve-memory=0M
- --node-id=0
- --check=false
- --kafka-addr=PLAINTEXT://0.0.0.0:9092
- --advertise-kafka-addr=PLAINTEXT://redpanda:9092
ports:
- "9092:9092"
kafbat-ui:
image: ghcr.io/kafbat/kafka-ui:latest
container_name: kafbat-ui
restart: unless-stopped
depends_on:
- redpanda
ports:
- "8443:8443"
volumes:
- ./config/application.yml:/etc/kafkaui/application.yml:ro
- ./config/roles.yml:/etc/kafkaui/roles.yml:ro
- ./certs:/etc/kafkaui/certs:ro
environment:
SPRING_CONFIG_LOCATION: file:/etc/kafkaui/application.yml
SPRING_CONFIG_ADDITIONAL_LOCATION: file:/etc/kafkaui/roles.yml
KEYSTORE_PASSWORD: REDACTED
OAUTH_CLIENT_ID: REDACTED
OAUTH_CLIENT_SECRET: REDACTED
KAFKA_BOOTSTRAP_SERVERS: redpanda:9092
Instead of flipping back and forth between java versions for various builds, you can just use a docker container for the proper Java version to run the build.
[lisa@docker kafka-ui]# docker run --rm -it --user $(id -u):$(id -g) -v "$PWD":/workspace -w /workspace eclipse-temurin:25 bash -lc './gradlew clean build'
Downloading https://services.gradle.org/distributions/gradle-9.2.0-bin.zip
............10%.............20%.............30%.............40%.............50%.............60%.............70%.............80%.............90%.............100%
Welcome to Gradle 9.2.0!
Here are the highlights of this release:
- Windows ARM support
- Improved publishing APIs
- Better guidance for dependency verification failures
For more details see https://docs.gradle.org/9.2.0/release-notes.html
Starting a Gradle Daemon (subsequent builds will be faster)
<=============> 100% CONFIGURING [1m 46s]
> Resolve dependencies of :api:detachedConfiguration273
Looking at network slowness, I noticed a lot of overrun errors and an inexplicable amount of broadcast traffic. Running a sniffer trace … these tuya bulbs announce themselves in a constant loop. We’ll add a network filter for now, but some other firmware on these bulbs would be great!
As I work through automating certificate installation, most applications have a “service account” user that has write access to the SSL certificate files. However, that user does not generally have permission to restart the application service.
We could get the ID added to sudoers with specific rights to manage the service … but it seemed more straightforward to use Polkit for very granular control permitting the service account to run specific verbs with systemctl.
The following rule allows the “tomcatadmin” user to run systemctl start, stop, or restart with the apache-tomcat.service unit.
cat > /etc/polkit-1/rules.d/60-apache-tomcat-tomcatadmin.rules <<'EOF'
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
var unit = action.lookup("unit");
var verb = action.lookup("verb");
if (subject.user == "tomcatadmin" &&
unit == "apache-tomcat.service" &&
(verb == "start" || verb == "stop" || verb == "restart")) {
return polkit.Result.YES;
}
}
});
EOF
With recent Windows updates, users now get a big message saying “Caution: Unknown remote connection” when launching RDP sessions from our CyberArk server. Easy enough – I have an internal CA, I can generate a code signing certificate, so I can sign these RDP files.
Except, in testing, I continually got an error indicating rdpsign cannot find the certificate. It’s there. I have a private key. It’s a code signing certificate. An hour or so later, I realize the “sha256” value is actually the SHA-1 thumbprint. Which … not my first guess and really more of a “out of reasonable options, start trying silly things” guess.
“$env:SystemRoot\System32\rdpsign.exe” /v /sha256 $hash256 $rdp
Voila, “All rdp file(s) have been successfully signed.”
Sigh — and, after all this work? I go from the red “unknown publisher” error to a yellow “yeah, you should think about this” banner.
We were having a lot of trouble using the measure tool in Blender — after discovering that you can hold the Ctrl key and “snap” your selection to a vertex, it actually worked in the way we wanted it to. But, before that discovery, my thought was to manually select two vertices and use a Python script to measure the distance between those points. That is “blender units” … and the metric or imperial units would be more meaningful. So I converted based on the scene configuration.
import bpy
import bmesh
def format_metric(meters: float) -> str:
a = abs(meters)
if a >= 1.0:
return f"{meters:.6f} m"
elif a >= 0.01:
return f"{meters * 100.0:.3f} cm"
else:
return f"{meters * 1000.0:.3f} mm"
def format_imperial(meters: float) -> str:
total_inches = meters / 0.0254
sign = "-" if total_inches < 0 else ""
total_inches = abs(total_inches)
feet = int(total_inches // 12)
inches = total_inches - (feet * 12)
if feet > 0:
return f"{sign}{feet} ft {inches:.3f} in"
else:
return f"{sign}{total_inches:.3f} in"
def measure_selected_vertices():
ctx = bpy.context
obj = ctx.edit_object
if obj is None or obj.type != 'MESH':
raise RuntimeError("Go into Edit Mode on a mesh and select exactly 2 vertices.")
bm = bmesh.from_edit_mesh(obj.data)
selected_verts = [v for v in bm.verts if v.select]
if len(selected_verts) != 2:
raise RuntimeError(f"Expected exactly 2 selected vertices, found {len(selected_verts)}.")
v1, v2 = selected_verts
# Convert local vertex coordinates to world-space coordinates
p1 = obj.matrix_world @ v1.co
p2 = obj.matrix_world @ v2.co
# Raw world-space distance in Blender units
raw_distance = (p2 - p1).length
scene = ctx.scene
units = scene.unit_settings
scale_length = units.scale_length if units.scale_length != 0 else 1.0
# Convert Blender units to meters according to the scene unit scale
distance_meters = raw_distance * scale_length
print("\n----- Vertex Distance -----")
print(f"Object: {obj.name}")
print(f"Raw distance (Blender units): {raw_distance:.6f}")
print(f"Scene unit system: {units.system}")
print(f"Scene unit scale: {scale_length}")
if units.system == 'METRIC':
print(f"Formatted distance: {format_metric(distance_meters)}")
elif units.system == 'IMPERIAL':
print(f"Formatted distance: {format_imperial(distance_meters)}")
else:
print("Formatted distance: Scene unit system is 'NONE'")
print(f"Interpreted using current unit scale: {format_metric(distance_meters)}")
measure_selected_vertices()
A quick PowerShell script to report on its own signature data:
$scriptPath = $PSCommandPath
if (-not $scriptPath) {
throw 'This script must be run from a .ps1 file so $PSCommandPath is available.'
}
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
Write-Host "Script path: $scriptPath`n" -ForegroundColor Cyan
[PSCustomObject]@{
Status = $sig.Status
StatusMessage = $sig.StatusMessage
SignatureType = $sig.SignatureType
IsOSBinary = $sig.IsOSBinary
SignerSubject = $sig.SignerCertificate.Subject
SignerThumbprint = $sig.SignerCertificate.Thumbprint
SignerNotBefore = $sig.SignerCertificate.NotBefore
SignerNotAfter = $sig.SignerCertificate.NotAfter
TimeStamperSubject = $sig.TimeStamperCertificate.Subject
TimeStamperThumbprint = $sig.TimeStamperCertificate.Thumbprint
} | Format-List
To sign the script:
$thumb = '87E4C1F40D1DB8486F1E9093A76626AB1DFDEA30'
$scriptPath = "$env:USERPROFILE\git\CyberSecurity\misc\CheckPSSignature.ps1"
$cert = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
Where-Object {
$_.Thumbprint -eq $thumb -and
$_.HasPrivateKey -and
($_.EnhancedKeyUsageList | Where-Object {
$_.ObjectId -eq '1.3.6.1.5.5.7.3.3' -or $_.FriendlyName -eq 'Code Signing'
})
} |
Select-Object -First 1
if (-not $cert) {
throw "Code signing certificate $thumb not found."
}
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert
Get-AuthenticodeSignature -FilePath $scriptPath | Format-List *
And now the script is signed:
