Generating self-signed SSL certificate using OpenSSL

OpenSSL allows you to request, sign, generate, export and convert digital certificates.
OpenSSL comes by-default in Unix platform as an RPM or package file (RedHat, Solaris, etc).
The guide bellow explains how to generate a key store for digital certificates, generate private and self-signed SSL certificate for web servers, and export/convert the key store to PFX file (for importing to Windows platform).
The guide bellow was tested on common Linux platform web servers (Apache, Lighttpd, Nginx, Resin) however the same syntax should work the same on Windows platform.
 

Download link for Windows binaries:
http://www.slproweb.com/products/Win32OpenSSL.html
Download link for Linux source files (pre-compiled):
http://www.openssl.org/source/
1. Install OpenSSL.
2. Run the command bellow to generate a new key store called “server.key”
openssl genrsa -des3 -out /tmp/server.key 1024
3. Run the commands bellow to request a new SSL certificate:
openssl req -new -x509 -nodes -sha1 -days 1095 -key /tmp/server.key > /tmp/server.crt openssl x509 -noout -fingerprint -text /tmp/server.info
4. Run the command bellow to backup the key store file that has a password: cp /tmp/server.key /tmp/server.key.bak
5. Run the command bellow to generate a new key store without a password:
openssl rsa -in /tmp/server.key -out /tmp/no.pwd.server.key
6. Run the command bellow only if you need to generate a PEM file that contains a chain of both the key store and the public key in one file:
cat /tmp/no.pwd.server.key /tmp/server.crt > /tmp/no.pwd.server.pem
7. Run the command bellow only if you need to export a key store (without a password) to a PFX file (for importing to Windows platform)
openssl pkcs12 -export -in /tmp/server.crt -inkey /tmp/no.pwd.server.key -certfile /tmp/no.pwd.server.pem -out /tmp/server.pfx
Appendix:
server.key – Key store file
server.crt – Server SSL public key file
no.pwd.server.key – Key store file (without a password)
no.pwd.server.pem – Key store file + server SSL public key file (without a password)
server.pfx – Private key + public key, exportable for Windows platform (i.e IIS server)

The article can also be found at:
http://security-24-7.com/generating-self-signed-ssl-certificate-using-openssl/

Share

#days Security Conference

Organized by members of the local Defcon chapter in Switzerland (DC4131), the hashdays Security Conference is going to be the first incarnation of an independent and technical security conference in Switzerland. Two days full of technical talks covering the most current research on all aspects of IT security. The conference will take place from November 4th to 5th and will be held in Lucerne in the heart of Switzerland in the Radisson BLU Hotel directly at the lake front of lake Lucerne.

Renowned speakers that are already confirmed are: Alexander Kornbrust, Karsten Nohl, Tavis Ormandi, Philippe Oechslin, Ertunga Arsal, Harald Welte and many more.

Furthermore, there will be two 2-day workshops from November 3rd to 4th at the same location. The two offered workshops are:
* Saumil Shah: Exploit Laboratory. Learn how to write exploits from scratch
* Harald Welte, Karsten Nohl, David Burgess: Protecting from GSM attacks. Learn the latest of their research of cracking GSM networks and how to protect from it

More information can be found on our web page: https://www.hashdays.ch/

We’d enjoy to welcome you here in Switzerland!

Share

Apple Safari Denial Of Service (iPhone, iPad, iPod, OS X, Windows) 0-Day

I’ve spent a lot of time thinking about what to do with this one, and when I say a lot of time, I really mean just over 3 months now. I also informed Apple that I would be writing this article, and asked for an official quote from them, and also a rough date as to when the relevant patches would be disclosed.
I found this one by fuzzing Safari 5.0 on the night that it first came out, I was using Browser Fuzzer 2 (bf2)and then spent a while playing with it to see if I could turn this into more than just a Denial Of Service (DoS), unfortunately I wasn’t able to. This is not to say that it’s not possible to do so, I’m just not too sure on how to do it, it may very well be more than just a DoS with a few tweaks to the code.

I initially tried selling this one to ZDi, but their response to me was fair and to the point:

“Dear xyberpix

We have reviewed your recent case and discovered it was a duplicate of an issue we received in January of this year. We have also determined that this issue is likely non-exploitable. Due to this we are going to pass on the opportunity to pursue acquisition of this vulnerability information through the ZDI program.

Thank you for the submission and we look forward to your future work.

Regards,
The ZDI Team”

So, January 2010 and to date, this still has not been fixed by Apple! People give Microsoft and Adobe a hard time about their time to release patches, but seriously 8 months is really pushing it!

So I figured I’ll see what Apple has to say about this one, and sent it along to their product security team, asking if they were willing to reward vulnerability researchers for their time. I wasn’t asking for anything major at all, maybe the cheap iPad or even just a copy of Logic Studio 9 for my trouble. That’s really not too much to ask really is it? I didn’t have any high hopes though, and well here was their response:

“Hello Xyberpix,

When we address an issue in a Security Update, we give credit to the person who reported the issue to us.  However, Apple does not directly provide financial reward.”

Okay, fair enough, I didn’t go looking for bugs for financial gain, but it would have been a nice token nonetheless. I guess the fact that I’ve been a loyal Apple fan boy for close on 8 years now means nothing to them at all. I guess this is why I’m a firm believer in the No More Free Bugs movement, in the same sense though I can’t sit around idly and wait for what’s been over 3 months since I found this issue, and Apple has not released a patch yet!

Apple also came back to me stating that they had addressed this vulnerability in iOS 3.2 and iOS 4.0, well, erm, dunoo how to tell you guys this but, nope you didn’t. So being the nice guy that I am I sent them the relevant crash logs as requested. Their response was the following:

“Hello xyberpix,

Thank you for forwarding this issue to us.  We take any report of a potential security issue very seriously.

After reviewing the issue, it appears that this denial of service issue results in the unexpected termination of MobileSafari, but not of the host operating system or a system service.  For our internal tracking purposes, this will be classified as a “Crash / Hang” issue. Although we do not see additional security concerns, we do consider this to be an important issue, and are working with the engineering team to address it.

If you have reason to believe that the issue has ramifications beyond terminating Safari (such as terminating the operation of the host operating system or system service, or executing arbitrary code), we would appreciate the steps to reproduce this, or crash logs from when you observed it.”

I then replied asking about this issue on platforms other than iOS, namely Windows and OSX, to which I recieved the following response:

“Hello xyberpix,

The crash is still a security issue on platforms on which it has not been addressed.  So far, it has only been addressed on iOS.

For the protection of our customers, we ask that you do not disclose details of this vulnerability until it has been addressed on all platforms.

When we release an update to address this issue on other platforms, you will be credited for the vulnerability.”

Okay, so let me get this straight, this is not a security issue on iOS, it’s a crash/hang issue, which they have apparently addressed in iOS 4, and I had to bug Apple about the Windows and OS X Safari issues, even after I informed them that it was possible to crash Safari on all platforms, not just iOS? Something’s not quite right here…

When I asked for a rough timescale on when a patch for this is going to be released, I was given the following response:

“The following information should be considered confidential.  We are sharing this information as a status update on an issue you reported.  Please do not share this information with others.

This issue has already been assigned CVE-20xx-xxxx, when it was fixed on iOS.

The issue is currently planned for our next available software update.  I don’t have a date for you yet, but we will coordinate with you closer to the release of the udpate.

I completely understand confidentiality, but I also believe that security researchers should get more than just credit for discovering a vulnerability that Apple’s testers should have found in the first place.

Oh wait, it seems they did find it, but they just claimed to have fixed it, instead of actually fixing it, did I get that right?

My last attempt at contacting Apple was on the 2nd August 2010 to ask if they could please give me an official statement on this issue that I could include in this post, and if there was still no chance at all of getting some sort of reward for this finding. Their response was this:

“Hello xyberpix,

We do appreciate the time you took to find and report the issue to us.

As mentioned, it is not our policy to provide financial compensation for issues.”

I really don’t want this post to be taken the wrong way, yes I was looking for compensation for the vulnerability, but not thousands of dollars, just a little something to make the time spent on this one worthwhile. I also wanted to have an official statement from Apple on this one as to when they are likely to release a patch, neither of which they were willing to do. Personally I don’t feel that either of these things were too much to ask at all from a company that is growing in leaps and bounds each year.

If any Apple employee’s would like to discuss this one further with me, the case number for this issue is 111476071, and you have all my contact details.

As a matter of courtesy and security I will not be publishing the code for this DoS, as I do not believe that would be responsible, once a patch that works has been released by Apple, I will upload the code. I have also removed the CVE number and also the specific function that causes the crash.
I’m really looking forward to all your comments on this one people, as I’d love to hear your views.

Share

Microsoft Black Tuesday Summary – August 2010

I know, I know, I’m a couple of days late in publishing this one, so apologies to all.

If you haven’t seen the latest Microsoft security patches though, then this will be an interesting read to you. Hopefully you’re already in the midst of rolling out these patches though, but if not, have a look below at the nice new patches that you have to look forward to implementing across your estates.

This month there are a total of 15 patches, 9 Critical and 6 Important.
MS10-046 Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Yes

Affected Software: Microsoft Windows

MS10-049 Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker’s Web site.

Rating: Critical

Restart Required: Yes

Affected Software: Microsoft Windows

MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)

This security update resolves a privately reported vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

Rating: Critical

Restart Required: Yes

Affected Software: Microsoft Windows

MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)

This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows

MS10-053 Cumulative Security Update for Internet Explorer (2183461)

This security update resolves six privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Yes
Affected Software: Microsoft Windows, Internet Explorer

MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)

This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.

Rating: Critical

Restart Required: Yes
Affected Software: Microsoft Windows

MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)

This security update resolves a privately reported vulnerability in Cinepak Codec. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows

MS10-056 Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)

This security update resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Office

MS10-060 Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing the page, as could be the case in a Web hosting scenario.

Rating: Critical

Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight

MS10-047 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)

This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

Rating: Important
Restart Required: Yes
Affected Software: Microsoft Windows

MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)

This security update resolves one publicly disclosed and four privately reported vulnerabilities in the Windows kernel-mode drivers. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Rating: Important
Restart Required: Yes
Affected Software: Microsoft Windows

MS10-050 Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)

This security update resolves a privately reported vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Important
Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows

MS10-057 Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Important
Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Office

MS10-058 Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)

This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege due to an error in the processing of a specific input buffer. An attacker who is able to log on to the target system could exploit this vulnerability and run arbitrary code with system-level privileges. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Rating: Important
Restart Required: Yes
Affected Software: Microsoft Windows

MS10-059 Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Tracing Feature for Services. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Rating: Important
Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows

Share

Apple iPhone/iPod Touch/iPad Security Update

Yesterday Apple released a security update that patches the Jailbreakme vulnerabilities to stop people Jailbreaking their Apple devices.

Okay, so maybe I’m looking at this the wrong way around, but it seems that when a vulnerability gets a lot of media attention, Apple work the backsides off to get this one patched. I understand that we are talking serious vulnerabilities here, but still. I’ve personally been in contact with Apple for a couple of months now in regards to a DoS vulnerability that I discovered, and still have no time line on when a patch for this will be released, so maybe all that’s needed is to turn this into some media hype, hmmm.

So the vulnerabilities that this patches are the following:

  • FreeTypeCVE-ID: CVE-2010-1797

    Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

    Impact: Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution

    Description: A stack buffer overflow exists in FreeType’s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.

  • IOSurfaceCVE-ID: CVE-2010-2973

    Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

    Impact: Malicious code running as the user may gain system privileges

    Description: An integer overflow exists in the handling of IOSurface properties, which may allow malicious code running as the user to gain system privileges. This issue is addressed through improved bounds checking.

Share

REVIEW: “Land the Tech Job You Love”, Andy Lester

BKLTTJYL.RVW   20091207

“Land the Tech Job You Love”, Andy Lester, 2009, 978-1-934356-26-5, U$23.95/C$29.95
%A   Andy Lester andy@theworkinggeek.com
%C   Raleigh, NC
%D   2009
%G   978-1-934356-26-5 1-934356-26-3
%I   Pragmatic Bookshelf
%O   U$23.95/C$29.95 praglife.com
%O  http://www.amazon.com/exec/obidos/ASIN/1934356263/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1934356263/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1934356263/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   252 p.
%T   “Land the Tech Job You Love”

It’s a bit hard to keep faith in the instructions contained in a book that starts out, not just on the first page, but inside the print cover, with “Question everything, including this book.”

There is a section, in the introduction, entitled “How This Book Was Born.”  It seems that two guys who hired people started giving talks on how to apply for a job.  (It strikes me, anyway, that this might be rather akin to having a toddler write a book on what to feed children.)  Why this one wrote the book is unclear.

Part one is about the job search.  Chapter one says that you should be honest, in order not to get the wrong job by misrepresenting yourself, but spin yourself in the best possible light.  (How to balance these somewhat contradictory positions is not specified.)   Assessing your wants, needs, and motivation is dealt with in chapter two.  Creating the content of your resume in the most promotional way is covered in chapter three.  Style is substance, says chapter four, and, regardless of what is important to you, follow the tips on fonts and paper colour.  Unsurprisingly, chapter five notes that you should research the job and the company, and use contacts to search for jobs.  Target your resume and cover letter, is the advice in chapter six.

Part two deals with the interview, and subsequently.  Chapter seven says to prepare for the interview.  Eight covers interview basics.  Stock answers to stock “tough” interview questions are given in chapter nine.  Chapter ten notes topics that cannot be discussed in
job interviews in the US.  Post-interview follow-up, reference submission, and accepting or declining a job offer are examined in chapter eleven.  Chapter twelve discusses strategic (social or professional) networking, training, and long term preparation for all of the activities in part one, for the inevitable next time around.

Some appendices cover things you shouldn’t do: cliched phrases in A, resume and letter constructions in B, and interview presentations in C.

The content and advice in this book are quite standard.  If you are looking for a job in Web administration, page creation, or sales, and are new to the applications and interview process, it will probably be useful.  In terms of landing a job you love, probably the main thrust of chapter one is the most significant: be honest, and you’re less likely to become stuck in a job you don’t fancy.  (There is, of course, no guarantee that the job you love actually exists …)

copyright Robert M. Slade, 2009    BKLTTJYL.RVW   20091207

Share

Information Security Solutions Europe Conference (ISSE 2010)

ISSE is Europe’s only independent, interdisciplinary, security conference. It is designed to educate & inform on the latest developments in technology, solutions, market trends and best practice.

Now in its twelfth year, ISSE 2010 will attract over 300 representatives from across Europe, providing an informal and stimulating environment for attendees to learn, share experiences and explore solutions with their European counterparts, focusing on security and related issues like cost of ownership, risk management and interoperability.

To join them or for further information please visit the event website at http://www.isse.eu.com

Book now to take advantage of the Early Booking rate that saves €150 off the standard delegate fee.

Share

Sonicwall Vulnerability Fixed

A month ago I complained about Sonicwall and google brushing us off when we reported vulnerabilities to them. The good news: Sonicwall has since contacted us, acknowledged the problem and is now rolling out a fix.

Was I too harsh on Sonicwall? It was hard to get their initial attention, but once we did they cooperated in an exemplary way. I’m not fooling myself to think any researcher that will notify them of a problem will get the same level of attention, but obviously they do give a damn, and maybe security@sonicwall will be open for notifications from now on.

Share