Debian, Information, OpenSourceSoftware, Security

[SECURITY] [DSA 1871-2] New wordpress packages fix regression

After installing “[SECURITY] [DSA 1871-1] New wordpress packages fix several vulnerabilities” from 23. of August 2009, I quickly saw that there was something wrong in the logs:
PHP Fatal error: Call to undefined function absint() in /usr/share/wordpress/wp-includes/functions.php on line 2008.

I looked over the DSA, and identified the fix for CVE-2008-4769 that broke this. Then I emailed Steffen Joeris, who released the DSA and notified him about my findings. Two hours later, Giuseppe Iuculano sent me an update which I installed and confirmed worked, and which I could not find any regressions to it.

I looked at the CVE-2008-4769 and at the Secunia advisory, which claims that the vulnerability is only working on Windows platform. This probably explains why Debian has waited so long for including the fix. The original CVE is from 2008-04-25, so this is old news btw…

From advisories:
“It was discovered that the get_category_template function is prone to a directory traversal vulnerability, which could lead to the execution of arbitrary code. This can be exploited to include arbitrary PHP files from local resources via directory traversal attacks. Successful exploitation allows execution of arbitrary PHP code, but requires privileges to store PHP files on an affected system and that WordPress is installed on a Windows platform.”

I have only registered generic attacks in the wild against the ‘cat’ parameter in my and other web logs (dating back to Dec 2006). No requests seems to aim at exploiting this vulnerability specifically.
An example of an URL that was supposed to work (Not confirmed):

The DSA regression was released 4 days after the original DSA BTW.

Debian, Information, OpenSourceSoftware

DUAL NAS SATA (10/100) with Debian Etch

For 898,- NOK (right around £100) down at Clas Ohlson here in Norway, you get a nice little NAS server (AID 38-2447). Straight out of the box, its a low-end NAS, but I bought this, in spirit of installing a full blown Linux distro on to it. And so I did.


It took me about 30 minutes from I started to read the howtos, downloading and preparing the image to the hard drive and flashing the initrd of the Dual NAS, until it was up and running.

My notes:
* When you connect to the telnet boot menu, ping the NAS in one console, and when it starts answering, you have about one second to connect to it via telnet in another console.

* It needs a DHCP server to obtain an IP address after Debian is booted…

* The Debian Etch image from Felix Mellmann is rather old…(21. Nov. 2007) so you need to upgrade it (contains weak ssh keys etc.)

* It seems that it will not work with Debian Lenny (Complaining about old kernel)

If anyone has any insight into how to compile and install a newer working kernel for this hardware, I would be interested 🙂
Also the link to the original source of the kernel which comes default with this NAS would be great (I saw it yesterday, but I cant seem to find it again).

Mean while, I fully recommend this buy for a small cheap home server.

CentOS, Debian, Information, OpenSourceSoftware, Redhat, Security, SuSE, Ubuntu, Virtualization

Updating Linux Xen kernels on DomU

I see sloppy Administrators do this again and again…

They might update the Linux-Xen enabled Kernel on Dom0, but often DomU keeps the same for different reasons.

Running a (para) virtual environment, the freedom of running different Linux distributions, is often a goal. If one keeps a single architect environment stack, like Ubuntu Hardy Dom0 and DomU’s or CentOS 5.x Dom0 and DomU, keeping kernels in DomU up to date is low hassle.

The hassle starts to arise when you deploy mixed environments, like running Ubuntu Hardy as Dom0 and CentOS 5.x as DomU, or vice versa. You could setup CentOS or Ubuntu to use each others Kernel packages, though that seemed a bit overkill for my setup. Having a Debian Etch DomU on a Ubuntu Hardy Dom0 is fixable with pointing Etch to grab the Kernel from Hardy via an apt-repo.

PyGrub solves some hassles, so I recommend reading up on that and verifying that CVE-2007-4993 is not affecting you.

But for the cases where I have a bit hassle, and I dont want to use PyGrub, I wrote a small bash script to update the Linux Kernels.
Get the script here, and update/change/modify or learn from it, before you use it.
It Powers down the DomU if it is booted, and mounts the Logical Volume of the DomU, before it copies the kernel modules to the DomU filesystem. Runs depmod and unmounts the filesystem. Then it gives you the small change you need to update your xen-domU.cfg with (I dont use pygrub).

BTW: This paper has a nice walk through from Xen DomU to Xen Dom0 bypassing SELinux Recommended read 🙂

Now go and update some Kernels!

Debian, Information, Linux Distributions, OpenSourceSoftware, Security, Ubuntu

Microsoft don’t get Free Software, Linux and Security – Again.

Yesterday, wrote an article on the Police/Conficker/Free software debate going on here in Norway.

Information director Eirik Lae Solberg at Microsoft Norway had a chance to comment:
“- If one had used a similar Linux distribution from the same time, one would have significant security issues.”

That is only true, if one did not upgrade! And in the GNU/Linux/Free Software world, one would not have any unmanageable issues upgrading.

I have personally managed lots of servers for large customers and universities, and when a new distribution release has been out,
take Debian as a very good example, you can change the source of packages from the current repository, to the new release repository.
And with some rather simple command line-fu, you can upgrade to the latest major Debian version.

Ubuntu has made this easy for the desktop users. Using a graphical front-end on your server (I dont), you can click your way to
a distribution upgrade.

I still recommend having people in the loop that has done such an upgrade, before you try this on your own. Always keep a
working backup, and you could even try the upgrade in a virtual machine, before you actually do it in production.

Eirik Lae Solberg even goes so far to claim that shows that Linux is more `hacked` than Windows… Using as a reliable source for such “scientific” statement, is just what Microsoft is known of doing. Well, just to let you all know, if you bother to check by your self, this is what you might find today:

$ GET|grep “<td>Linux”|wc -l
$ GET|grep “<td>Win”|wc -l

As you see: Todays score is 5 boxes are Linux, and 7 are Windows.

I wrote a quick bash script (get it here)to check the first 30 pages and print out the total sum:

$ bash bin/
Total Linux: 289
Total Microsoft: 390

To summarize: On the last 30 pages from Zone-H, 289 websites running Linux OS got defaced, while 390 websites running on Windows OS got defaced.
(If you run the script yourself, the numbers will probably change – this was numbers from today)

So giving you the hard facts, and not marketing propaganda like Eirik Lae Solberg from Microsoft wants you to believe, make up your own mind, and don’t believe what ever you hear from Mister Microsoft…

BTW: Zone-H is not a good reference for measuring security in Operating Systems, if you didn’t know that… But it is a good way to point out that Eirik Lae Solberg don’t know much about Operating System security, and that he would rather focus on telling that Microsoft is way better than every body else…
For how long will you eat that lie?

Back|Track, Debian, Metasploit, OpenSourceSoftware, Security, Ubuntu

Spawning a shell on the established connection to the webserver in Metasploit.

A good firewall setup has ingress and egress filtering. On a new setup, I like to set very strict rules for incoming and outgoing traffic. Setting up a new LAMP server etc, making sure its only can connect out to the places it should need to have access too, is a good security practice. Then open port 80 for connection from the world, minus .ru and .cn etc 🙂

So I thought…

Then egypt, from metasploit, made and presented me to the “php/shell_findsock payload”, which I think is awesome!

If you can get the LAMP server to some way execute the $shell_findsock payload, you can in many cases get a shell over the established http connection! You can also use the payload with other php exploits in the framework.

egypt states that “this payload leaves conspicuous evil-looking entries in the apache error logs”, but I did not get any on my Debian Etch test server. But on my Ubuntu intrepid, I got :
sh: Syntax error: Bad fd number
Invalid method in request exit

egypt also states: “The issue this payload takes advantage of (CLOEXEC flag not set on sockets) appears to have been patched on the Ubuntu version of Apache”
My test on a plain fresh install of Ubuntu 8.10 (Intrepid Ibex) shows that it works.

In the test case, I left my “backdoor” on the server in test.php with the code: <?php eval($_GET[‘evalme’]); ?>, which would be the default for this metasploit setup.
Short version:

msf < use exploit/unix/webapp/php_eval
msf exploit(php_eval) > set PAYLOAD php/shell_findsock
msf exploit(php_eval) > set RHOST
msf exploit(php_eval) > exploit

Metasploit with payload php/shell_findsock

And you thought that you where safe!

On my Debian Etch, the suhosin patch stopped the attack, but not on my Ubuntu Intrepid.

CentOS, Debian, Information, Linux Distributions, OpenSourceSoftware, Redhat, Security, SuSE, Ubuntu

…and after you upgrade, dont forget to `lsof`

BTW: Upgrading might not be enough…

After upgrading (up2date, yum, apt, …) my Linux systems, I check with lsof to see if any processes needs a restart…


Because, running processes might still be using old libraries and binaries etc, and would need a restart to use the new ones…

So… You might be vulnerable, even if you do install security updates regularly…

On older versions of lsof, I used to issue: lsof +L1|grep DEL
This does not seem to be sufficient on newer versions of lsof… Might be a bug?

After searching the web for information for an easier or better way of doing this, I found little… I even did not find any good info on the way I am used of doing it… If you have a smarter way of checking this, I would love to hear from you…

Here are some references to what I found:
* A bugzilla thread on It also has a script for redhat based systems.
* Debian/Ubuntu based systems comes with debian-goodies… apt-get install debian-goodies and then you can use checkrestart. Which checks for programs that needs restart 🙂

To manually check, here are some commands you can issue, depending on your version of lsof.

# lsof -n +L | grep -w DEL | egrep -v ” (/dev|/SYSV|/tmp)”
# lsof -n | grep “path inode=”
# lsof -n +L1 | egrep -w “txt|mem” | grep -v ” /SYSV”
# lsof -n +L | grep -w DEL | egrep -v ” (/dev|/SYSV|/tmp) ”

Hope you make this check a habit after updating your servers…

CentOS, Debian, Linux Distributions, OpenSourceSoftware, Redhat, Security, SuSE, Ubuntu

Basic discovering of #BAD THINGS# on your *NIX system…

You might think that you are safe, but something might be lurking on your system…

There are several ways to protect you from being 0wned by 5kr1p7 kiddies or more 1337 crackers. But still, your system might get 0wned, and you might not know it…

First, you should have a system that can update it self with new security patches/fixes. Red Hat/CentOS, Debian/Ubuntu and so on (Most modern systems today), have this functionality. Then you should use it! This is probably the best way to prevent unauthorized access to you systems.

Then you should probably know a thing or two on how to configure your system to be as secure as you need it to be…

If you have a system with lots of user accounts, may it be ssh, ftp, mail etc, then it might just be time, before someone hijacks an account or two…
Say if someone got login to your server as a normal user, they can misuse your system, generating very little noise, and you might not know about it.

Anyways, back to the point of this posting, checking your systems for things you might not know about…

In my basic toolkit, I use chkrootkit, rkhunter (You could also read here), lynis and unix-privesc-check. I also use ClamAV (clamscan) to scan the file system for suspicious files. I also have some one-liners (baked into a bash script) that extracts some interesting things based on system processes and the file system.

For more advanced “Host based Intrusion Detection”, I recommend that you look at OSSEC. You could also look at Aide and tools alike. RPM based distros like Red Hat, Fedora and CentOS can to an extent use the rpm command to verify installed packages and their signatures.

I will not go into details on how to use any of the tools that I mentioned. If you care, you should pursue the links, and even test the tools.

I will give a brief overview (Copy and paste from their websites), so you know a bit what they are all about:

chkrootkit: chkrootkit is a tool to locally check for signs of a rootkit.

rkhunter: Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.

lynis: Lynis is an auditing tool for Unix (specialists). It scans the system and available software, to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes. This software aims in assisting automated auditing, software patch management, vulnerability and malware scanning of Unix based systems. It can be run without prior installation, so inclusion on read only storage is no problem (USB stick, cd/dvd).

unix-privesc-check: Unix-privesc-checker is a single bash script that runs on Unix systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

ClamAV: Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates.

OSSEC: OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

Aide: Advanced Intrusion Detection Environment. AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file. More algorithms can be added with relative ease. All of the usual file attributes can also be checked for inconsistencies.

If you find any thing suspicious (Like a rootkit), you should probably go into “forensic mode”, as you cant trust your system and the installed binaries. Read more here about computer forensics.

If you still do not trust your system, you can Snort your network traffic, or better yet, have a full blown Sguil installation in front of your network/servers. If you get even more paranoid, you should probably shut down the system, and go fishing….

Any suggestions on other useful tools are welcome!

Debian, OpenSourceSoftware, Security, Sguil, Ubuntu

Packetsniffing, VLAN tagging and bridging or bonding it together without the VLAN tags

Updated 2008-07-07 with perhaps a better alternative? Bonding.
Last week I stumped into the need for sniffing a tap with more than one VLAN using Sguil. Usually, I have just been handled straight Ethernet traffic, and didn’t need to do anything special on my sensors. Believing it should be easy, with small or non changes needed, I started to grab data. As I found out, data did not enter my squil console in the expected way. Sancp grabbed the data with VLAN tags (fixable), and snort dumped also the VLAN tags (fixable). Heading over to seemed to face me with more patching of the tools I use, and I am not rely a fan of patching, if I don’t rely need to! I like using the tools like they come in a (Linux) distribution. So I was faced with patching Tcpxtract and Tcpflow, or work my way around.

Talking with a co-worker as we where leaving work, he rapidly mentioned using bridging etc. or I would have to patch. Searching my brain for the bridging solution, I found that I all ready had done this in Xen set-ups (Ubuntu Dapper (LTS) with Xen 3 on Dell 1855 x86_64 touches this issue). So when I got home, I had my set-up more or less figured out. Playing abit more with bridging, gave me the idea to use bonding instead, though I am not sure which method is best, performance wise. Bonding might just be wiser, due to the fact that it don’t mix

So, faced with one tap, and several VLANs, and just to sniff some, this is how you could go at it with:

Bonding on a Ubuntu/debian system:

# You need ifenslave:
aptitude install ifenslave

# I have my VLAN traffic on eth1,
# so I add my VLANs, etc 503 and 505

vconfig add eth1 503
vconfig add eth1 505

# Then I add bonding to the kernel

modprobe bonding
ifconfig bond0 up

# Then I add my VLAN’s to my bonded interface:
ifenslave bond0 eth1.503 eth1.505

# To check that you are happy, and it worked:

tcpdump -nn -i bond0

# This should give you only traffic from VLAN 503 and 505 without the VLAN tags.

Bridging on a Ubuntu/debian system:

# I have my VLAN traffic on eth1,
# so I add my VLANs, etc 503 and 505

vconfig add eth1 503
vconfig add eth1 505

# Then I bring them online

ifconfig eth1.503 up
ifconfig eth1.505 up

# If you want to at this point, you can just sniff eth1.50X
# and you will get the traffic of VLAN 50X without the vlan tag.
# But my issue is to sniff two VLANs out of XX VLANs.
# Then I make a bridge to add my two VLANs and brings it up

brctl addbr vlans
ifconfig vlans up

# Finaly I add my VLANs to the bridge

brctl addif vlans eth1.503
brctl addif vlans eth1.505

# To check that you are happy, and it worked:

tcpdump -nn -i vlans

# This should give you only traffic from VLAN 503 and 505 without the VLAN tags.

To sniff more VLANs, its just to add more VLANs to the bonding/bridge device. I want one interface for all traffic, but if you want to, you could make more virtual Ethernet devices, and just sniff each one. Preferably, you should probably just have one bridge for each physical Ethernet device.

Important: Im specifying a tap, as in a Network TAP and that by bridging interfaces together, hence, can not disturb traffic because of the nature of a Network TAP. So if you dont use a tap, be careful. You might just make a bridge between your VLANs :)

Debian, OpenSourceSoftware, Security, Ubuntu

Sguil 0.7.0, Snort, Barnyard & Sancp on Debian/Ubuntu…

I have used the last three weeks to play a bit with what I see as the funniest open-source NSM (Network Security Monitoring) set-up there is. Snort is the “de facto standard” for IDS, and the only console/frontend/dashbord that really put the bits and pieces of NSM together, is Sguil.

I first got introduced to sguil 0.6.1 about two years ago. I did not get any real hands on experience, but I knew from back then, that it was more or less the ultimate open-source set-up for a NSM set-up.

After having The ‘Tao of Networking Security Monitoring’ laying around me for about two and a half year, I managed to read it during Xmas and it gave me an insight into sguil. So when I started to look at sguil, I had access to .deb’s for sguil 0.6.1, but since sguil 0.7.0 is in Alpha and seems to be stable, I decided to go for that.
UPDATE: Sguil 0.7.0 was released 26 of March 2008.

I could write down the things I did, but if you are geeky enough, you can install my .deb’s and get a feel of what went down 🙂

I tried to make the .deb’s (sguil-*,sancp,barnyard) in the way that they fit well together. Barnyard is patched so it has the ‘sguil output’ and x86_64 patch etc. Also everything is aimed to work together and is using /nsm_data/ as the “/snort_data/” dir. There is also a user ‘nsm’ to run the whole thing together.

* Do a test install somewhere, and actual see that things fit like it should
* Get pads to work/ repack it for sguil
* Better startup script for the
* cron jobs for the sguil-sensor

Check out my .deb’s here if you want:

Feedback is more than welcome!


2008-03-30: Did a clean install of my .deb's on my test system. New is that TLS is required:
# openssl req -new -x509 -nodes -out /etc/sguild/certs/sguild.pem -keyout /etc/sguild/certs/sguild.pem -days 365
# ln -s /etc/sguild/certs/sguild.pem /etc/sguild/certs/sguild.key
2008-03-28: Checked out version 0.7.0 from cvs with the latest bug-fixes. Repacked .debs
2008-03-26: Sguil Version 0.7.0 has been released! (Bamm Visscher announced)
2008-02-10: Fixed barnyard issues.
2008-02-08: First errors found in barnyard package : init-script points to wrong $CONFIG variable and sguil output plugin has for some reason not been compiled in. Will look at this soon!