Episode109

From Paul's Security Weekly
Revision as of 13:34, 3 June 2008 by Byte bucket (Talk | contribs)

Jump to: navigation, search
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

Sponsors

This episode is sponsored by Core Security Technologies, helping you penetrate your network. Rock out with your 'sploit out and check out the client side exploit and web application testing modules! Listen to this podcast and qualify to receive a 10% discount on Core Impact, worlds best penetration testing tool.

This podcast is also sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notibly the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Direct Feed subscription for immediate access to new Nessus plugins, and compliance checks” Tenable – Unified Security Monitoring!

Announcements & Shameless Plugs

Live from the PaulDotCom Studios Welcome to PaulDotCom Security Weekly, Episode 109 for May 22nd, 2008

Welcome to PaulDotCom Security Weekly, a show for security professionals, by security professionals.

Tech Segment: Be The Mailman

And hope your baby doesn't have his eyes.... :) So I was tasked this week with setting up a Mailman listserv server. Mailman is an open-source application built using Python. It relies on Apache and a mail server, such as Postfix in this example, to create and manage email lists. Its very flexible, and has a lot of options, which makes me really worried about security. Lets start with a little Apache configuration for the Mailman virtual host. Check out the rewrite rules from 0x000000:

RewriteEngine on
        RewriteLogLevel 3
        RewriteLog /var/log/apache2/rewrite.log
        RewriteCond %{REQUEST_METHOD}  ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
        RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
        RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
        RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
        RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
        RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} ^.*(libwww|curl|wget|python|nikto|scan).* [NC,OR]
        RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
        RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
        RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
        RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
        RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
        RewriteRule .* - [F]

I've updated these based on some of his more recent blog postings, and applied them to my mailman instance. Its plucking all sorts of nasties out of my HTTP requests that could be potential XSS attacks. All of this activity is getting logged to a file as well, that I can review to see who has sent attacks at my web server. I also made some changes to the Apache 2 config to further lock it down:


ServerTokens Prod

ServerSignature Off

ErrorDocument 500 "An Error Has Occured."
ErrorDocument 404 /error.html

In Debian, these are located in "/etc/apache2/apache2.conf". Some other interesting notes about the Debian Apache installation is the way the modules and sites are configured. There are a set of directories and soft links that you can use to enable sites and modules:

drwxr-xr-x 2 root root  4096 2008-05-22 09:26 mods-available
drwxr-xr-x 2 root root  4096 2008-05-22 09:26 mods-enabled
drwxr-xr-x 2 root root  4096 2008-05-22 10:33 sites-available
drwxr-xr-x 2 root root  4096 2008-05-22 10:57 sites-enabled

So, for example, to enable SSL you can enable the modules as follows:

cd /etc/apache2/mods-enabled/
ln -s ../mods-available/ssl.load ssl.load
ln -s ../mods-available/ssl.conf ssl.conf

I did a couple of things here, I removed Apache's mod_status. This is bad.

I also created a local certificate (and yes make sure you are using the non-vulnerable openssl library!):

export RANDFILE=/dev/random
mkdir /etc/apache2/ssl/
openssl req $@ -new -x509 -days 365 -nodes -out  /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.pem
chmod 600 /etc/apache2/ssl/apache.pem

Oh, one more thing, to enable SSL, add "Listen 443" to /etc/apache2/ports.conf.


Postfix is another component you will need to setup. And the most important thing to do here is edit "/etc/postfix/main.cf" and adjust the following line:

mynetworks = 127.0.0.0/8 192.168.1.0/24

and then add the following lines:

# Allow connections from trusted networks only.
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

You don't want to be an open relay to the world!

Mini-Tech Segment - BT3 on USB on a Mac

I found my self in an interesting situation the other day. I needed to do some work with Karma, but found my self stuck. I pulled out the Linux laptop, fired it up, and quickly realized I didn't have my Atheros based PCMCIA wireless card with me! The built in wireless card in the linux laptop is a definate no go with madwifi and Karma.

So, what to do?

I figured, oh, I'll just boot up BT3 from CD in a VM on my MacBookPro. I had to quickly discount that, as all VMs create an abstraction to the wireless card on the host OS. I've tried this before, and failed miserably, because the VM doesn't support all of the native features that I need for packet injection and so forth for the atheros cards. so, strike that one!

My next option was to boot with a BT3 CD on the Macbook. Of course, I was looking to do some prety time consuming modification of BT3, Karma and a few other changes, that I didn;t want to have to repeat if I needed to do a reboot. So, scratch that idea...

What about my trusty BT3 bootable USB drive. I can write to it, save changes by using "mkchanges" to create a space to save changes. I can even get access to the atheros card directly! Check out how to create the bootable BT3 USB drive here. the instructions are for BT2, but work just fine on BT3

One slight problem. The MacBookPro won't boot form USB devices.

The fix for that was the easiest of them all. Enter a program named rEFIt. This OS X package changes your EFI boot loader to the one from rEFIt, and allows for USB booting! So, now can I not only boot from my BT3 installation, I can boot from ANY USB media with a vaild OS/partition table. Installation of rEFIt was pretty painless - it was a .dmg package.

rEFIt says that the .dmg install will automatically enable rEFIt as your new EFI bootloader. However with the current 0.11 release, it didn't do so. However a few commands form the manual install method made it work like a charm. Open terminal and issue the following commands:

cd /efi/refit
./enable.sh

You'll need to give your superuser password, and your off for a reboot.

Subsuquent reboots will bring up a gui boot menu for rEFIt, and you can select to boot "Legacy OS from USB" (in my case, USB said LEXAR). BT3 boots, and bob's you're uncle. I had full access the atheros card and could save my changes (after further USB configuration). I did experience some differences in booting the BT3 USB key and xwindows between my older 17" MBP and my newer 15" MBP. IT is obviously due to video driver issues, but I haven't bothered to try to figure them out at this point - everything I needed to do was at the command line - no evil xwindows needed!

One thing to note. If you were using a boot time password within your original Apple EFI, it will no longer work! rEFIt effectively replaces the Apple EFI, and rEFIt (in this version) does not support boot time passwords.


Stories For Discussion

IOS Rootkits - [PaulDotCom] - A research from Core Security has created a rootkit for Cisco IOS. This is scary stuff, one of my favorite quotes from this interview is:

Sean Comeau: Do you know of any IOS rootkits that have been found in the wild?

Sebastian Muniz: I've been told by the cousin of a friend of my girlfriend that this kind of rootkit has previously been used :) 


Add My Friend Tony Viagra To Your Social Network - [PaulDotCom] - Some social networks are not filtering out SPAM, or at least not well enough. This is a great idea, create a profile on a popular social network site, then use it to advertise for SPAM. This is ridiculous, reminds me of the movie "Idiocracy" where one of the characters is watching TV. The screen is huge, but 80% of the screen is taken up by advertisements!

Don't forget to wipe! - [Larry] - ...your iPhone. Yet another phone that can be bought refurbished, and have all of the personal data still contained form the previous owner. Much like my exploits from the purchase of a vulnerable bluetooth Nokia phone from e-bay.

Cisco: "There is no remote code execution in IOS" - [PaulDotCom] - Security People's response: "Uhhh, 'spurious memory access' usually leads to remote code execution. And what about that rootkit stuff from Sebastian Muniz?". Tisk tisk Cisco, don't start to try and hide the criticality of your vulnerabilities, it only gives the good guys a false sense of security, the bad guys an opportunity, and pisses off security researchers.

Yet MORE SSH fail! - [Larry] - Cisco, oh noes! This one is a DOS - unauthenicated users connecting via SSH to an IOS device (tons of versions are vulnerable), can reboot the device... As a security industry, we've said to use SSH for years...

Phashy Phlashing and Phlash Dancing with your firmware - [PaulDotCom] - On the subject of embedded devices, we get some new terms, namely "PDOS", or perminant DoS. A good example is the FTP vulnerability that bricks HP printers. However, flashing devices to perminantly brick them is fun, and you can use them for extortion. Neat concept, but as I have said before, and HD Moore says again, hiding malware in the firmware is much more useful than taking the device out. Embedded systems will be attacked, a great way to increase your defenses, encrypt your traffic. Nothing wrong with using IPSec to transfer sensitive information across your internal network, that way when someone embeds malware in a router, access point, or switch, they need to do better than just firing up a sniffer. Now, there are many other attack vectors, but that just an example of where attackers are going and what you can do about it. [Larry] - DOS-ing embedded devices by corrupting the flash. Sure, step one in being evil, but I agree with HD - if you can get that flash there, create your own to control the device, not deny service.

More SSH fail - [Larry] - what is it with SSH lately? Now, even the OpenSSH implementation on AIX 4.x and 5.x can allow for reveal of sensitive configuration, and bypass security restrictions. when will the madness end?

Control Your (or someone else's) house with Twitter! - [PaulDotCom] - This dude hooks up a home automation system to his house, and then to his computer. He rigs the computer to read messages from twitter, and then act upon them to say, turn off the lights. Just imagine the fun you could have with this one if you can hijack the twitter account! This is where things are going, as this becomes more popular, attackers will take notice and start combining them with physical attacks. If I'm a burglar, I'm hacking your twitter account to turn off all the lights (maybe for good) and robbin the house. Once its tied to home security, it will be even more of a target. It may not be a hot topic now, but this would be like a SCADA attack, except your house is the SCADA site.

China under SQL attack - [Larry] - Interesting! It appears that the tables are turned for a change. I question, however if china isn't now also sending that attacks in the other direction from compromised hosts.

BT Home Hub continues to by GNUCITIZEN's Bitch - [PaulDotCom] - So a recent firmware update changes the default password to the serial number. Good, right? No easily guessable password. Well, turns out that clients on the local LAN (remember those WEP key attacks against the BT home hub?) can enumerate the serial number through the MDAC protocol. Nice. When are people going to learn that default passwords are bad? You don't need them! Let the user choose the password on first boot! Its easy! Even if people pick a crappy password, at least there is no widely known default. Really grinds my gears that more vendors don't do this. We really need to create a standards organization to define security requirements for embedded systems.... Just another salad shooter idea.. [Larry] damn you Paul!

Paypal XSS - [Larry] - This one is worthy of mention, as it uses the EV crededntials of Paypal, and appears to be legitimate. So, why EV at all?

RSnake - State Of Affairs - [PaulDotCom] - I will agree with RSNake, things are worse, esp. with web app security. Maybe its some of my own growth and exposure, maybe its attackers changing motives, maybe its the accessability of the Internet and technology, but I used to secure things and almost feel safe. Now I secure things and wonder if I will react fast enough when it gets hacked. Love this quote I will tell you this - things are far worse than they appear, and there are no shortages of extremely vulnerable applications out there as I find zero-day vulnerabilities regularly. It’s simply amazing how bad things really are. My advice to you, never believe or feel safe, never be content. Always continue to implement security layers, monitor your systems and devices, and be ready to respond to an incident.

Taking Apple to the CORE - [Larry] - CORE got tired of waiting for Apple to get off their butts and fix 3 iCal Vulnerabilities. So, after being given the runaround for months, they released the exploits - with notification to apple of course! Here's some more info

Hacker Safe VP - Not So Safe - [PaulDotCom] - Not only are hacker safe web sites not so safe, but the VP is being arrested for fraud. I hope his butt is safer than his web sites in jail. When I worked for a University we spoke at length about firewalls. Many were opposed to firewalls. I just wanted to see us have some basic protections. Some thought that they created a false sense of security. At the time, I didn't buy into it 100%, however, I do now. Saying a site is "Hacker Safe", same thing, building that false sense of security can be a really bad thing, worse than if there was no firewall or crappy vulnerability scanner. [Larry] More comments on the show from me...

Paypal XSS - [Larry] - This one is worthy of mention, as it uses the EV crededntials of Paypal, and appears to be legitimate. So, why EV at all?

TJX Employee on Security - [PaulDotCom] - I mean wow, just wow. Does this sound familiar?:

Its a step up from their blank passwords and username and password being the same which they had in place before the breach

Not to mention they write the passwords down on a post-it note next to the computers and even write down what the password is used for.

Recently they started to add Cisco firewalls to their stores, its about time...but the technician from Fujitsu that came to one store did not know what he was doing. He said it was his first time setting up one of those firewalls, and then said he didn't know what he was doing and he thinks he set it up right.

I never use anything but cash at their stores

Voice Authentication - [PaulDotCom] - Remember in the movie hackers where the girl goes on a date with the geeky guy, gets him to say a bunch of words, then they put that recording back together and use it to bypass the voice auth? Well, recently Bell Canada has implemented voice authentication. [Larry] My name is Werner Brandeis. My voice is my passport. Identify me?