Linux

Linux related stories

Top Exploits of the Week #1

Quicktime 0day

I thought I’d try something different (excuse me if its been done before, oh well). Every week I will be making a list of the top 5 exploits of the week, details about them, etc.

So lets get the ball rolling:

#1 Internet Explorer 7 XML Buffer Overflow Exploit (Vista Target) — This remote beauty executes remote code on a vulnerable (probably still unpatched) Internet Explorer 7 machine running Windows Vista. Coded by muts.

#2 Internet Explorer 7 XML Buffer Overflow Exploit (XP SP3 Target) — Exploits the same bug as above but executes code on a Windows XP SP3 target. Coded by Guido Landi.

#3 XOOPS 2.3.1 Multiple LFI Exploits — XOOPS suffers from a few local file inclusion bugs, and DSecRG has some code for you.

#4 Linux Kernel ATMSVC DoS Exploit — Send a kernel into an infinite loop by locally running this exploit on a vulnerable machine. Code by Jon Oberheide.

#5 phpMyAdmin 3.1.0 XSRF Exploit — Cross site scripting attacks are more dangerous than most developers think. Here is exploit code, just don’t have phpMyAdmin open in another tab! Provided by Michael Brooks.

See you all next week with more. Bug on :)

SSH Gets Attacked

SSH

Yeah, brute force attacks on SSH is old news. But now, there is something new and interesting about them! Attackers (How did they get so smart!?) are now using ‘advanced’ techniques to make these attacks even more effective:

“Instead of using the same compromised machine to try multiple password combination, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.”

OH NO! We all must go and protect our servers now!

Or do any or all of these good practices that decent administrators have known about for years…

1) USE STRONG PASSWORDS! (You can bet attackers will have ‘johndoe’ in their wordlist, but not ’00J0hNND0eEe00$’)
2) Firewall all logins via SSH except for authorized IP addresses
3) Run SSH Server on another port besides 22

Some helpful tips for the helpless. Ho, ho, ho unwise system admins.

Igniting Linux Desktop Security

Active Connections

Long ago, my all-time favorite desktop firewall was none other than sygate pro (symantec junkies sought-and-destroyed a while back). I loved all of its seemingly superior and cool features that really just made me feel great about using it on some servers and workstations. But like most other desktop firewalls, sygate is/was windows only. But this article isn’t about just any desktop firewall; it is about Firestarter, the Linux GUI firewall solution.

Firestarter is a nice, sleek, Desktop-safe, open source and server or workstation setting network security solution. Say that 128 times fast! Haha. If you are an administrator or just a savvy Linux Desktop user who wants to feel a little more secure on your network, you’ll probably love Firestarter.

Some of the great features of Firestarter include a graphical user interface to configuring firewall rules and settings, a nice wizard to walk you through it, real-time event monitor to check on intrusion attempts or the like, in and outbound network access policy control, port forwarding, the ability to whitelist and blacklist traffic, viewing network connections, advanced kernel tuning to provide somewhat protection against [flooding, broadcasting, spoofing, typical DoS attacks], and much more!

Firestarter sits atop of iptables and it works quite nicely to control traffic in and out of your workstation or server. I’ll even give you a couple of quick and smile examples. Say you got XYZ Linux running ZYX Desktop system and you want to be able to transfer files (or data) via XZY, but only from a certain IP address. Simply add a rule in Firestarter and watch it work. What if you want to completely (for the boundries of this tool) block access from xx.xxx.xx.xxx? Add a rule to blacklist it on outboard traffic. Volia! Simple firewalling made super easy. I use Firestarter and I absolutely love it. So if you haven’t already tried Firestarter, I recommend you give it a shot! I can’t imagine you being disappointed.

Policy

Websites Beware

Websites Beware

For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. And also over the years, nearly every company, government, or otherwise popular/high-profile server has experienced being hacked. In case your not familiar with how it works, I will tell you about the process.

Basically, an attacker defaces the target website in some way and they submit it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web accessible site, high-profile or not. Blogs, personal websites, mom and pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really into a popularity contest, is Zone-H’s rigorous mirror system, recording stats and names they use to deface, feeding the crave for attention or otherwise.

If you look where they classify and detail ‘special defacements‘, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, other just for fun, such as this one by ‘netb00m’:

“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”

As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to the deface websites, but now, its just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.

Fedora confirms: Our servers were breached

It is more than week ago when The Fedora Project informed about “important issue” affecting to its infrastructure systems. No additional details were given.
As expected, the claims and rumors started to spread if there was a serious server breach.

The Fedora Project issued a recommendation that users will not download any packages or update their Fedora installations. There was a note to change the Fedora Project passwords (it was not reported widely for some reason) too.

Today, Mr. Paul W. Frields, Fedora Project Leader has posted an announcement about the facts:

One of the compromised Fedora servers was a system used for signing Fedora packages. However, based on our efforts, we have high confidence that the intruder was not able to capture the passphrase used to secure the Fedora package signing key. Based on our review to date, the passphrase was not used during the time of the intrusion on the system and the passphrase is not stored on any of the Fedora servers.

While there is no definitive evidence that the Fedora key has been compromised, because Fedora packages are distributed via multiple third-party mirrors and repositories, we have decided to convert to new Fedora signing keys. This may require affirmative steps from every Fedora system owner or administrator. We will widely and clearly communicate any such steps to help users when available.

The Fedora Project servers are hosted at Red Hat Inc., the employee of Mr. Frields.

This is an interesting detail from hosting history section:

209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008
209.132.176.122 – Linux Apache/2.2.0 Fedora   – 16-Aug-2008
209.132.176.122 – Linux Apache/2.2.3 Red Hat – 19-Aug-2008

Disaster recovery not just for natural disasters

There is always a lot of talk about disaster recovery being important against, flood, weather, power failures, etc. But very little talk on disaster recovery due to security events.

When a security event happens, it is a disaster. It can mean downtime to your web site, or that your records were deleted or modified, and sometimes the biggest disaster is the bad PR day.

Typical disaster plans talk about a short failover time, but neglect to take into account what happens if one server was compromised. In this case, how will the short failover time affect it – will the corrupt or modified data propagate to the failover server causing two failed sites instead of one?

With recent break-ins reaching the news, where extremist groups hacking into any site they can gain access to, I see too often the web site show a banner, just after the break in, saying that it will be back in a few days. I’m left wondering if when they’re back, will they still suffer from the same security hole (most likely an SQL injection) that allowed the attackers in the first place? What about hidden malware – was the server reinstalled from scratch? And what backup was used to restore – the one with the attacker’s backdoor? I think we all know the answers…

JFFS2 ACL security issue in OLPC project – the first one?

Let the CVE describe the vulnerability:

JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly other Linux systems, when POSIX ACL support is enabled, does not properly store permissions during (1) inode creation or (2) ACL setting, which might allow local users to access restricted files or directories after a remount of a filesystem…

The only references available are:

from Linux MTD mailing list
and
from the ticket system of Laptop.org

It appears that the CVSS score assigned last week is 4.4., i.e. Medium.

OVPC – One Vulnerability Per Child or do we have any others?

Hey, this is post #1000 😉 and there are 925 posts in the archive.