The Linux Ninja

Here are some stories from the past week that I found interesting:

• Pcapline.py and the Ann’s Aurora network forensics challenge – Wesley McGrew’s blog post about the tool he wrote for his winning entry into the latest SANS Forensics Challenge
• REMnux: A Linux Distribution for Reverse-Engineering Malware – Lenny Zeltser announced a new linux-based distribution targeted at reverse-engineering malware. It comes preloaded with a great set of tools and is distributed in VMWare’s Virtual Machine format.
• The True Problem with Web Apps and Security – Rafal Los wrote a nice post talking about what he views as the reasons why making web apps secure is so hard.
• Writing Fuzzable Code – Adam Shostack talks about how Microsoft is trying to build security in to their codebase.
• Hi! I’m a security researcher and here’s your invoice – Interesting editorial by Michael Zalewski on the selling/withholding of vulnerabilities
• Special Look: Face Time parts 1, 2, 3 – Great series by Josh Wright examining Apple’s FaceTime video chat protocol
• OSX ROP Exploit – EvoCam Case Study

Jack Daniel (@jack_daniel) announced that there will be a Security B-Sides event coming to Austin on March 13 to coincide with everyone coming to town for SXSW Interactive an to help “Keep Security Weird.” I listened to the excellent B-Sides Las Vegas talks and I am extremely excited to be able to attend a B-Sides event in person since I’m already in the Austin area . I can’t think of a better way to make up for killing my phone service than by offering what promises to be an awesome lineup of talks .

If Jack or any other organizers read this let me know if there’s anything I can do to help out…

(also, I will probably start posting more regularly after getting settled in from moving and my duties at the new job)

The  number of  XSS, XSRF,  command injection, and SQL injection vulnerabilities in popular web applications has seemed to be increasing alot over the last year and I am left wondering why these things keep popping up (and I also wonder why it’s take me a month to finish this rant ).

Continue reading

Some recent security-related news:

• Offsensive Security announces Free “Metasploit Unleashed – Mastering the Framework” Class The Offensive Security team (makers of BackTrack) announced a new free online course yesterday. The course materials and labs will be available online for free, and the videos will require a small fee with all proceeds going to benefit Hackers for Charity.
• Nmap 5.0 Released Big release of Nmap with the “Top 5 Improvements” being the addition of the ncat (Nmap’s written from scratch version of netcat with new features), ndiff scan comparison tool, better performance, release of the Nmap Network Scanning book, and the Nmap Scripting Engine.
• Firefox 3.5 0-day released, now patched Critical bug in Firefox 3.5 that was exploitable on Mac, Linux, and Windows. Carlos “Dark0perator” Perez posted an article about how to use Metasploit to test your susceptibility to the bug.
• milw0rm, the famed exploit posting portal, almost closes due to a lack of str0ke’s time to process all the incoming exploits. Some of his friends stepped forward and offered to help with the posting of exploits and the site was saved.
• Linux kernel 2.6.30 Critical Bug This is supposed to be exploitable on both 32- and 64-bit systems but there appears to be some debate in the comments about how vulnerable an SMP or preemptible system may be to it.
• ISC DHCP dhclient has a critical bug

Eric Paris of the SELinux project announced the creation of the SELinux sandbox, a method to confine untrusted binaries on the LKML today.

The idea is to allow administrators to lock down tightly untrusted applications in a sandbox where they can not use the network and open/create any file that is not handed to the process. Can be used to protect a system while allowing it to run some untrusted binary.

This definitely appears to be an interesting new development for SELinux. A great place to run suspect code or maybe even windows binaries via WINE.
I’ve used SELinux a little bit in the past, but usually found it incredibly complex to learn for the basic home network uses I wanted to have it for. This new feature may get me to put some real effort towards actually making the leap and committing myself to learn how to properly implement and use it.
Related books:

• SELinux by Example by Frank Mayer, David Caplan, and Karl MacMillan, published by Prentice Hall
• SELinux by Bill McCarty, published by O’Reilly & Associates

Austrian physicists announced a breakthrough in the transmission of quantum cryptography messages. They have devised a method that will may allow for the messages to be bounced off of satellites as a means of transmission which removes the current limitation of using only optical fiber for transmission. Quantum cryptography uses light particles to transmit the message which allow for users to detect tampering or eavesdropping on their messages. This property comes from quantum indeterminacy (similar to Heisenberg’s uncertainty principle) which says that measuring or looking at the light particle will cause it to change its state and that leaves evidence that someone either looked at or tried to change the message.

Anthony Lineberry is presenting a new linux kernel rootkit technique at the BlackHat conference in Amsterdam. From the article:

This offers rootkit developers a new way to hide files or processes, or interfere with network traffic. The trick is that, without requiring extensive rights, libmemrk uses the /dev/mem device driver to write arbitrary code from userspace into main memory. /dev/mem is an interface that enables use of the physically addressable memory. For example XServer and DOSEmu, both use it. Lineberry says introducing rootkits via /dev/mem is also less obvious than the established route via loadable kernel modules (LKMs).

….

Lineberry also gives some tips on how the Linux world can protect itself against rootkits of this kind. He believes it should be enough to modify the memory driver so that it doesn’t allow the write/read pointer lseek to look for more than 16 kilobytes in the memory area. Current versions of Red Hat and Fedora are inherently secure, because their kernel already incorporates the features of SELinux (Security Enhanced Linux).

Lineberry says there are also corresponding improvements in version 2.6.26 of the mainline kernel. For that purpose, the kernel was given two new functions: range_is_allowed() and devmem_is_allowed(). But this protection, he says, won’t be effective unless the preprocessor directive CONFIG_STRICT_DEVMEM has been enabled when the kernel is compiled. Otherwise, range_is_allowed() always gives returns success. Lineberry says that the kernel configuration setting STRICT_DEVMEM, which sets CONFIG_STRICT_DEVMEM, is not activated by default during kernel compilation. He was unable to say when libmemrk would be available for downloading, as he was still engaged in eliminating its last weaknesses.

Using /dev/mem was previously theorized in a  Phrack article about using /dev/kmem, but Lineberry is the first to implement this technique.

Time to start recompiling my gentoo kernels!

The OSSEC team has announced the released of OSSEC v2.0. The new features include (quoted from the announcement):

• Compiled Rules – Per popular demand, we are introducing the capability in the product to be able to use pre-compiled rules written in “C”. Customers who felt that the XML format for writing rules was very limiting, can now use the strong programming capabilities of C.
• Agentless Monitoring – Lot of enterprises are faced with the requirement to monitor devices where there are restrictions on Agents to be installed either because of scalability requirements or due to the lack of the native operating system support. In version 2.0, Ossec customers can perform integrity checking and real time logs inspection on remote systems (such as Linux based devices, firewall devices such as PIX and routers etc).
• New Language Support – We added support for the Dutch language in the install
• New Log Rules Support – We added support for Yum logs and fixed/improved many of the other rules for different messages.
• New reporting tool – We added a new tool to create and help generate reports

OSSEC is a multiplatform, open-source Host Intrusion Detection System (HIDS) that I have used before and have been pleased with the results. I’d recommend at least testing it out to see if it meets your needs. The new features definitely make it even more appealing as a solution to help monitor the security of your systems and I’ll definitely be investigating ways to integrate it into my current setup.

A new packet capture repository has been launched called pcapr that is sponsored and run by Mu Dynamics.  pcapr appears to be a good alternative to OpenPacket and it supports protocol tagging, searching, and packet viewing in the web browser. Richard Bejtlich of Tao Security and also previously involved with OpenPacket, announced in a blog post earlier this month that he was no longer involved with OpenPacket and one of the reasons was the launching of Pcapr.

Here’s a quick snippet from the pcapr FAQ:

What is pcapr?

Packets are fundamental to how applications and systems communicate with each other and as far as we can tell, there’s no simple way for people to access specific packet sequences to learn, understand, troubleshoot and/or debug these systems. pcapr exists as a repository of these packets, providing full-text search, automatic tagging, viewing and editing of these packets.

I’ve created an account over at pcapr and the features that it offers work well and it is also nice to be able to “preview” the packet capture contents before doing downloading and opening in wireshark for further examination.

The Remote Exploit Development Team announced today that the BackTrack 4 Beta is now available for download. Now based on Debian, BackTrack 4 is more of a full distribution rather than the LiveCD of previous versions. Because of this, BackTrack 4 can now use Ubuntu software repositories and can even be upgraded in case of an update. The announcement also confirmed that users will get regular security tool updates as they are released via the repositories.

The features listed in the announcement also confirm Pryit CUDA support and kernel 2.6.28.1 with better hardware compatibility.

While the team considers the beta to be stable and usable, some tools have been left out, but will be added to the repositories soon. Here’s a Visit the download page here for some pentesting goodness. Also, we plan on having a first impressions review of the beta in the near future, so check back often.