Cloudweavers » security

PHP MultiPart Form-Data Denial of Service proof of concept

pascal.charest — Fri, 27 Nov 2009 16:12:29 +0000

PHP version 5.3.1 was just released. This release contains a patch for a denial of service condition we’ve reported on 27 October 2009. The problem is related with PHP’s handling of RFC 1867 (Form-based File upload in HTML).

Source: http://www.securityfocus.com/archive/1/507982

Exploit already on PacketStorm…

security specialist

pascal.charest — Fri, 02 Oct 2009 19:38:01 +0000

I’ve been asked to produce a service offering for a Montreal based security specialist contract. The request was generic – make me wonder about the provider lack of the specialized knowledge required to complete a selection. Hiring a consultant, specialist or sme (subject matter expert) should never be left to an ultimate comparison between university degrees. So, for fun, I submit a couples questions, all security related, feel free to answers as comment or by email:

1) what’s wrong with:
void f() {
char buf[2048];
gets(buf)
}

void main() {
f();
}

(note ; this is the modified version of this function. Read comment 1 on this blog post for more info)

2) With current systems, IPV6 is becoming standard feature. What security problems do you see with that statement and how would you go to secure an IPV4 network knowing those problems ?

3) There have been quite a few problems with SSL theory and OPENSSL implementation in the last few years – please, name a few and explain them.

4) What is entropy or prng ?

Surviving DDOS – discussion on building resilient networks/data infrastructure.

pascal.charest — Fri, 11 Sep 2009 15:15:53 +0000

Note: This is a selection of very early draft of a document I’m writing – As such, those are extract of “working notes” and should be considered as beta (not Google definition of beta ; true beta)… lots will change.

[...]
Internet being a jungle (or a city, whatever you find most dangerous), your infrastructure will be preyed upon. it can be by customers requiring services (too much of them can create difficult situations) or by malevolent individuals wanting to see your service off Internet.
[...]
Of the techniques available, dos/ddos might be the worst. Here’s a quick non technical theory review:

DOS: Denial of services
For a single attacker, cutting access to your services can be accomplished by solving this equation:
Attacker resource * resource(attack function) > Defender resource * resource(defense function)
The defense against the attack is simply the reverse of the equation. Using decent servers (for processing power) in a decent datacenter (for bandwidth) can help solve this equation to the defender advantage without having to modify services. If it doesn’t work, modifying the defense function (such as implementing a firewall correlating a source IP and the attacker function) will allow required resources for defense to be minimal and thus win the fight.
[...]

DDOS: Distributed Denial Of Services
The DDOS add the dimension of multiple (in the order of hundreds or thousands) attackers systems. This will bypass of most of the standard defenses “resource reduction function” since the resulting traffic will be tangent to a normal usage pattern. Randomly blocking visitor (or user) cannot be accomplished without risking blocking valid one and user pattern analysis is generally resource intensive.
[...]

How to survive DDOS
A lot of services and devices are available to mitigate the attack of a DDOS. Some can be implemented by the end user (server administrator) or by the upstream provider. However, most of them must be deployed as a planned feature, not while the network is under attack.
* drop spoofed/invalid packets at upstream provider (packets with invalid source IP (see RFC 1918), implement ingress filtering (see RFC 2267)) – it is also call dark address filtering.
* prepare rate-limiting function ‘per-vhost’ (if service = webpage), or ‘per-services’, and ‘per-source’.
* implement black hole filtering procedure (an in-line router / packet analyzer able to black hole packet will leave your server doing service computing, not routing).
* request analysis. SNORT is a well know and very good ingress filtering agent that can be used to filter traffic that does not match normal usage pattern.
* enable syn cookie (valid only against syn flood).
* always allow establish connections priority over new ones.
* off load as much as you can (mainly: DNS services in separate network, dropping both is harder).

And I’ll allow a bit of additional informations on this last one, because it is often overlooked and can represent your salvation when you are attacked. Either the attacker will use a specific IP, which is easy to mitigate by changing to any other you reserved for that and changing the DNS (5 minutes downtime is nothing in a major DDOS) OR the attacker is resolving your domain name through your DNS. This latest fact is quite important, because it mean the attack can be mitigated by using geo-localisation on your DNS system : different servers will answers requests from different part of the world. MaxMIND does offer a very up-to-date database of IP/Country and IP/Town ; and using Amazon AWS (cloud computing service by Amazon), new servers can be launched at minutes notice and your DNS (when properly configured) can be modified to provide specific IP “to-peoples-outside-your-normal-business-area”. You don’t even have to involve your upstream provider and you will be able to offset a very big part of the attack (as long as your normal business area is not russia + china).

Or, if implementing those recommendation are not a possibility, there is always services/devices available for sales. Be ready to pay a very big price for them.
[...]

Microsoft IIS 5/6 FTP 0Day released

pascal.charest — Mon, 31 Aug 2009 21:00:59 +0000

Microsoft IIS 5/6 FTP 0Day released

We are aware of an new 0-day exploit that was posted on Milw0rm today.

According the exploit, it was suppose to work on both IIS 5.0 and 6.0, on the FTP module.

Also according it, it affects IIS 6.0 with stack cookie protection.

The latest on this is that HDMoore is porting it to the MetaSploit framework.

We will update this diary with more info as we get it.

source: sans.org

Security @ DEFCON 17

pascal.charest — Mon, 17 Aug 2009 17:16:44 +0000

Survived! Well my laptop did – I’m exhausted and work was waiting for me in Montreal, but – let be honest, I can’t really complain.

For those who don’t know, the DEFCON is one of the leading hacker conference with over 8k attendees getting together in Las Vegas to share knowledge on hacking, cracking, social engineering, lock picking and similar discipline. Peoples come from all social group – 14y old video gamer to senior security specialist for the gov, going through consultant, programmer, developer and hobbyist. Fun crowd.

While my trip was flanked by 2 series of 4 vacation days (before and after), I was @DEFCON as the owner of Les Laboratoires Phoenix – my free software consulting firm – and as such, I was confronted to this dichotomy:

* I need Internet access to answer clients requests
* Connecting to Internet at DEFCON is professional suicide if your not up to it

Let me explain this second point a bit: first, the Wall of Sheep, an inline filter tracking unencrypted connections and broadcasting users credentials (including a partially obscured password) on a big screen in the lounge. Generally, the flow is quasi non-stop.

If you think that it’s not that bad, the password being garbled… think again : Wall of Death. It’s an inline switch, freely available, where the 7 ports broadcast a mirror of everything the firewall see (which is.. everything). Live, un-garbled, un-modified feed of everything in the pipe. In other words, if you are on the Wall of Sheep, then someone from the Wall of Death got your credential.

And then, this is only using the standard infrastructure. I am not mentioning peer attack, wireless impersonation and so on.

So, how to survive in such hostile environment ? Here’s a few rules (which should also be taken as golden rules if you work from your client’s office).

1) ‘netstat -lntp‘ ; this command (an output of incoming listing ports on your system) should return nothing. There is no need to have any listening services if you are ‘mobile’.

2) iptables -L -n -v ; this command give you your firewall rules. INPUT should be restricted to established and related connection with a default policy of DROP. OUTPUT, when in a ‘not-so-friendly’ environment, should defaulted to DROP with allowed outgoing on secure protocol only (http:443, ssh:22, …). If you need to connect to an un-encrypted destination, at least forward through a ssh-tunnel/proxy.

3) never auto-connect to unencrypted network. This is exactly what causes the wall of sheep to be full of iPhone user’s credentials. This cute little device can auto-connect to the unprotected network (such as DEFCON) and start sending security credential (un-encrypted) to twitter, facebook, myspace…

4) Do not take anything for granted. PREPARATION is the key. Before the trip, start collecting all your ssh-key fingerprint on your system, this can become really handy if someone tries some ‘not-so-great’ men-in-the-middle attack against you.

Well, thinking about it, number 4 is the best advice. DO NOT TAKE ANYTHING FOR GRANTED. In the last 2 years, there have been 2 attack against the SSL infrastructure disclosed at DEFCON. Btw, this is for GNU/Linux system. If you are using a Microsoft operating system at the DEFCON, you better… well… just don’t use it.

Using TOR for anonymity

pascal.charest — Thu, 18 Jun 2009 16:01:21 +0000

In the last couples of day, I’ve seen my fair share of privacy infringement from all kind of service provider. I am a ‘free web’ militant but I’m also a free software consultant and as such, my professional self is often called to deploy network management tools in ISP or servers hosting facility. Most of these tools can be used to maintain the integrity of the network and enhance performance, however, they can also be used in questionable behaviors such as wire tapping. Today, I’ll be installing/presenting TOR, an anonymity program, on a GNU/Linux workstation to hide web browsing request.

Let it be known that TOR is not the ultimate solution. This software should not be used as a way to ‘secure’ transactions/requests. Its very usage is to proxy tcp requests to a series of hosts all around the world. In other words, it will scramble the source IP of every request.

Installing TOR for anonymity

TOR is :

[...] a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.
Source: TOR official website

Privacy is the keyword. Another important fact is that peer-to-peer applications will not work well with proxy relaying (so forget forwarding your bit-torrent traffic inside the ‘tor cloud’).

Installation process (GNU/Linux)

Installing dependencies

# apt-get install libssl-dev libevent-dev

Installing TOR

# download latest sources in repository.
# tar zxf tor-0.2.0.34.tar.gz
# cd tor-0.2.0.34 ; ./configure ; make ; sudo make install

Installing privoxy

# download lastest sources in repository.
# apt-get install autoconf
# adduser privoxy
# tar zxf privoxy-3.0.13-beta-src.tar.gz
# cd privoxy-3.0.13-beta
# autoheader ; autoconf ; ./configure ; make ; make install

Start applications

# /etc/init.d/privoxy start
# tor

Installing TORbutton add-ons for Firefox.

# https://addons.mozilla.org/en-US/firefox/addon/2275
# click add to firefox.

There you go. Click on the ‘tor disabled’ in the lower right corner and test by going at https://check.torproject.org/. You willl be able to browse the web while hiding the source IP of your request (this is only for http, for other protocol, you’ll have to forward them through a sock4 connection)…

top sysadmin stuff

pascal.charest — Sat, 07 Mar 2009 13:45:37 +0000

Being challenged everyday to augment my productivity, here is a few quick tricks/software helping system administrator.

1. BlackBerry

Yeah, I know. It was an easy one – and easy to expect since I’ve bought a Storm. Employees get to hate them (since they are always hooked to the business) but as owner of a small business, I NEED to be informed of everything going on. The ability of answering my email / instant messanging while in route between Montreal & Ottawa is of prime importance. My clients doesn’t need to know where I am or what I am doing, they know I’m ready to help them.

The BlackBerry by itself is not as feature-complete as the iPhone seem to be. Using the pre-loaded email client with gmail just doesn’t cut it. It’s using IMAP and discarding all your filter/labels for incoming messages. There is an alternative : gmail mobile application. Available from the central mobile application repository of Google. Using a customized alert setting, you can be informed when you have new mail (in your inbox), while preserving your filter/label configuration. While you are there, you should also install the maps application, can always be handy.

Another “must-have” app. for sysadmin is MidpSSH. Which, as its name make it pretty clear, is a SSH/Telnet client. There have been a few reports of incompatibility between Storm and midpssh – yet, with an up-to-date OS/taking into account that your device often capitalize the first letter (of a username)/openssh is case-sensitive, you should not have any problems to connect to GNU/Linux systems.

2. Monitoring software

A good monitoring system watching over your network is a life saver and all the difference between you informing your client of a system failure or the other way around. Nagios is pretty well known and getting help is very easy since the community is so dynamic. Another software doing the same job is Zabbix. I do have some predisposition toward it, being a certified expert. Both are free softwares and are easy to install/configure. Zabbix does have a cuter interface though – can become handy if your client require access.

Both software allows sysadmins to run remote command. Personally, I find those systems to be way too complicated to setup when Monit is easily available. Its configuration allow a syntax very similar to : if load > 5 for 10 minutes, then stop postfix-delivery. Another life saver when you don’t expect your remote monitoring agent to be able to launch a command. I use it for limits like (if load>80 for 2 minutes, then stop {httpd,mysqld}). If your system is badly losing interactivity, your normal remote monitoring software will never be able to save your system (ssh will timeout).

3. Log/Security software

While Zabbix/nagios can do some checksum on important files (such as /etc/passwd, /etc/shadow, …), they are not ready as IDS (Intrusion Detection System) yet. For such system, I recommend OSSEC. Following the online documentation, you will have a log-analysis system created in no time – using thousand of rules given with the software. Customization can also be done pretty quickly. The ‘action’ following a trigger can be email-alert or a command. The system come with a pre-built interface to iptables… port-scanning and brute force password testing are no more.

Add to all these tools a svn repository for your code, an Puppet system for global configuration and some wiki for documentation and you should have a pretty strong backbone to deal with anything your clients throws at you.

email servers “in the cloud”

pascal.charest — Fri, 22 Aug 2008 15:27:00 +0000

I’ve been asked about the possibility of harnessing the power “of the cloud” in the context of an email server. For the simplicity of this blog post, I’ll assume the definition of “cloud computing” to be equivalent to “Amazon AWS” offer.

When emails goes in
This is the easy part. Receiving email in an EC2 (Elastic Cloud Computing) instance is as easy as receiving it anywhere. You launch 2 instances in different availability zone, grab 2 IP and change your MX records. With the recent availability of EBS (Elastic blocks store), you even have access to permanent storage for email. In hours (big maximum) you have a complete setup supporting fail-over and backup capability (leave your queue/data store on EBS for persistence and snapshot for backup).

Being in a full virtual environment also negate most scaling problems. You dynamically start and stop anti-{spam,virus} scanning instances following the need of your clients and customers. This setup is also very cost-effective: you don’t have to pay for hardware (servers, switches, hard drive..), maintenance, power and all the network management involved in having public infrastructure (bgp, firewall, etc…).You don’t even have to vouch for a long term contract.

For your customer, this represent a very decent offer: speed and latency in the Amazon cloud are very nice – way better than most small technical shop can afford.

Then emails have recipient
Emails are not only coming IN your infrastructure, they – sometime – must be transmitted to other people’s networks. This is where archaic email management style really fail. Emails as a services is a dynasty based on the conception that internet proprieties are big, controllable, static and permanent. This is the exact opposite of what you would get placing an email server inside Amazon Cloud.

You do not control IP space/range – even if, you are leased “1″ IP. This is the big “bug”. You have no idea what peoples do in their instances. Get used to it, your range will be tagged, {grey,black} listed often in dns based blocking list. Very often. White list will refuse your queries, since you cannot vouch for Amazon customer use of the cloud.

Solution, you can still use a smtp server install somewhere else, but… kind of defeat the whole purpose. The financial exercise of fighting dnsbl vs maintaining hardware infrastructure is left to the reader.

hashing the know_hosts file

pascal.charest — Fri, 15 Aug 2008 16:29:58 +0000

OpenSSH client keep a fingerprint of servers to which connections (ssh-client) have been made. Such fingerprints are stored in .ssh/know_hosts and are automatically compared with the current server fingerprint on connection acknowledgment.

Hence, the .ssh/known_hosts file is crucial to system security against man-in-the-middle attack in a networked environment. This file is also a very very good vector of attack on system administrator computer and hashing the content of the file is a good practices. Especially with the current wave of big bugs hitting GNU/Linux systems.

The first step is to enable hashing of the new fingerprints:

# cat /etc/ssh/ssh_config
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
TCPKeepAlive yes
ServerAliveInterval 60

The “HashKnownHosts yes” configuration option is the way to go – it is a general setting affecting all users on your system (Host *). If you don’t have access to the central ssh_config option, don’t forget you have personalized user setting in .ssh/config.

This enable the hashing of future fingerprints. To modify your actual file, use the following ssh-keygen command. Your unmodified know_hosts will be save as know_hosts.old .

# ssh-keygen -H -f .ssh/know_hosts

Have fun, stay safe.

security of package manager

pascal.charest — Sun, 13 Jul 2008 02:23:02 +0000

The subject of the week seem to be information security, so I’ll get on with another post that should keep you awake – well… if you are a system administrator doing his job.

With the DNS vulnerability, we thought that this was the bottom of the barrel. Yet researcher are always able to amaze us: Attacks on package managers.

Ok, I must admit that it isn’t as bad as others bugs. Most of the risk can me mitigated by requesting meta-data verification (openssl) from your packager source or selecting a trusted repository. Still – I’ll verify all my sources…