9. Captive Portals are BAD !

   Captive portals almost always work by validating the IP address of the client, and often the MAC address. This creates a wrong feeling of security, because it is quite easy to bypass. Let’s explain the most common problem: spoofing.

   Installing a captive portal

   I have chosen to install Alcasar, which claims to be a highly secure solution developed by the French Ministry of Defense.

   First surprise, it’s a shell script ! In fact, it’s not really an application, only an installer for a few packages, with some configuration. Installation went pretty bad:

   • the installer only works for a specific version of Mandriva (2007), which is quite old, and buggy on my hardware
   • most things are hardcoded: the installer exploded without errors because my network is not ending by a 0 (10.0.0.129/25)
   • my third network card is not even used by the script ! Too bad for the DMZ

   After 4 or 5 retries, and modifications in the script, I finally got a working server.

   First tests

   After a reboot, everything seems to work. Got an address using DHCP, I try to connect to Google .. ok, the captive portal appears and asks for a login. With …

   read more

10. gcc security features (part 2)

    (See part 1)

    Remember: you must compile with -02 if you want the checks to be effective

    DEB_BUILD_HARDENING_FORTIFY (gcc/g++ -D_FORTIFY_SOURCE=2)

    The idea behind FORTIFY_SOURCE is relatively simple: there are cases where the compiler can know the size of a buffer (if it’s a fixed sized buffer on the stack, as in the example, or if the buffer just came from a malloc() function call). With a known buffer size, functions that operate on the buffer can make sure the buffer will not overflow.

    Example:

    void foo(char *string)
    {
        char buf[20];
        strcpy(buf, string);
    }
    

    Execution will fail:

    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    zsh: segmentation fault  ./bad $(perl -e 'print "A"x100')
    

    When compiling with -D_FORTIFY_SOURCE=2, gcc will add some checks to detect the overflow and terminate the program:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    
    *** buffer overflow detected ***: ./bad terminated
    ======= Backtrace: =========
    /lib/libc.so.6(__fortify_fail+0x37)[0x2ba8d18fb787]
    /lib/libc.so.6[0x2ba8d18f9e70]
    ./bad(main+0x26)[0x555555554856]
    /lib/libc.so.6(__libc_start_main+0xf4)[0x2ba8d18411c4]
    ./bad[0x555555554789]
    ======= Memory map:  ========
    2ba8d1607000-2ba8d1622000 r-xp 00000000 03:01 468316                     /lib/ld-2.7.so
    2ba8d1622000-2ba8d1625000 rw-p 2ba8d1622000 00:00 0 
    2ba8d1821000-2ba8d1823000 rw-p 0001a000 …

    read more

11. BlackHat 2008 materials

    The Black Hat Europe 2008 Media Archives are now online. I wasn’t there, but the archives contains some interesting materials:

    • Spam-Evolution
    • LDAP Injection & Blind LDAP Injection (see my post)
    • New Viral Threats of PDF Language
    • 0-Day Patch -Exposing Vendors (In)Security Performance
    • Client-side Security
    • Attacking Anti-Virus (there was a presentation on the same subject at CanSecWest and Hack.lu)
    • Investigating Individuals and Organizations Using Open Source Intelligence
    • DTRACE: The Reverse Engineer’s Unexpected Swiss Army Knife
    • …

    Related links:

    • Hack.lu presentations
    • USENIX Proceedings online
    • Defcon Media Archives

    read more

12. gcc security features (part 1)

    Since recent versions (>= 4.0, maybe before), gcc (and ld) has some nice security features. Debian has created a wrapper for the toolchain, to make the use of these features easy.

    To install the wrapper, run:

    apt-get install hardening-wrapper
    

    To enable the hardening features, you have to export the environment variable:

    export DEB_BUILD_HARDENING=1
    

    The features include additional checks for printf-like functions, stack protector, using address-space layout randomization (ASLR), marking ELF-sections as read-only after loading when possible, etc.

    Please note that you must compile with *-02* if you want the checks to be effective

    DEB_BUILD_HARDENING_FORMAT (gcc/g++ -Wformat -Wformat-security)

    Ask gcc to make additional checks on format strings, to prevent attacks.

    The following code, for ex:

    printf(buf);
    

    will result in a warning:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    gcc     bad.c   -o bad
    bad.c: In function ‘main’:
    bad.c:10: warning: format not a string literal and no format arguments
    

    Why is this code vulnerable ? Because the buffer (buf) could contain format characters like %s, and the printf function will interpret these characters to pop arguments from the stack, and can result in the execution of arbitrary code.

    Solution:

    • Replace previous code by

    printf("%s",buf);
    

    • Remember this …

    read more

13. CanSecWest 2008

    

    Sébastien and I gave a presentation on IDS Correlation: A Weapon of Mass Investigation slides at CanSecWest.

    Most of the presentations were very interesting, including attacks against the anti-virus software (they are the most interesting targets, imho : run with system privileges, include parser for many protocols, are present on almost all machines, etc.), secure programming with gcc and glibc, snort 3 (our presentation was just after Marty’s), fuzzing with Peach, and some others I do not remember at the moment.

    We also gave two lightning talks, one on the Authenticating Firewall NuFW (slides here) and one on the Signatures.NU project (slides here).

    

    We even won a beer for doing the presentation :)

    After so much work (and eating so much sushis with a delicious wild salmon), we went to Whistler for skiing, that was great.

    

    Many thanks to all the people from the conference and to all who helped us !

    Some links:

    • Our photos
    • Photos from Hirosan
    • Photos from Sid
    • CanSecWest last events and materials

    read more

14. Prelude quick install

    To install Prelude, the Hybrid IDS (or Meta IDS) on Debian, on less than ten minutes, just use the packages:

    • install a database (PostgreSQL or MySQL)
    • install the Prelude manager, all needed packages will be installed automatically

    apt-get install prelude-manager
    

    • during the installation, dbconfig will ask to configure the database. Say yes, and give the parameters. dbconfig will create a new user, set a password, create the SQL schema and configure prelude-manager to use it.

    This should be enough for the manager. You will have to configure the listen address for the manager (the default is restricted to localhost) to listen on the network.

    To add agents (sensors), you have to install the package and register a new profile for each sensor.For ex:

    apt-get install prelude-lml
    apt-get install snort
    

    Create a new profile:

    prelude-admin register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0
    ...
    prelude-admin register snort "idmef:w" <manager address> --uid 0 --gid 0
    ...
    

    Follow the instructions for the registration.

    Check the address of the manager in the config (global file is /etc/prelude/default/client.conf):

    server-addr = 192.168.1.1
    

    For a complete installation guide (with explanations) including the web interface Prewikka, look at the Prelude …

    read more

15. Conference: OSSIR

    We have given a presentation with Sébastien, for OSSIR.

    Subject is: Visualisation appliquée à la détection d’intrusion (which can roughly be translated to \visualization applied to intrusion detection). The slides can be found on the list of presentation materials.

    The conference was on our work since one year on intrusion detection, with the proposed implementation of a correlator, some explanations on classifications and current limitations, and how some graphs can help, especially the parallel axes representation.

    

    read more

16. fusil_0.7-1_amd64.changes ACCEPTED

    Fusil (http://fusil.hachoir.org) has been accepted into Debian.

    The description:

    Fusil is a fuzzing framework designed to expose bugs in software by
    changing random bits of its input.
    .
    It helps to start process with a prepared environment (limit memory,
    environment variables, redirect stdout, etc.), start network client or
    server, and create mangled files. Fusil has many probes to detect
    program crash: watch process exit code, watch process stdout and syslog
    for text patterns (eg. "segmentation fault"), watch session duration,
    watch cpu usage (process and system load), etc.
    .
    Fusil is based on a modular architecture. It computes a session score
    used to guess fuzzing parameters like number of injected errors to
    input files.
    

    read more

17. https transport for apt

    Starting from Lenny, apt support the https transport for apt repositories.

    Before, this would give the error:

    # apt-get update
    E: The method driver /usr/lib/apt/methods/https could not be found.
    

    On Lenny (and unstable), install the apt-transport-https package:

    apt-get install apt-transport-https
    

    And https repositories will now work.

    This is no current backport for Etch on backports.org, because the hack for the transport is quite intrusive and require some deep modifications in the entire apt code. Maybe another site will propose it ?

    Note: it seems there is currently no way to check the certificate or configure trusted certificates. This is a good step towards security anyway. Remember: always use trusted repositories (signed with a trusted key - see man apt-key for more information).

    read more

18. inguma_0.0.6-1_amd64.changes ACCEPTED

    Inguma (http://inguma.sourceforge.net/), a free penetration testing and vulnerability research toolkit, has been accepted into Debian.

    Coming soon: fusil

    read more

« Page 2 / 3 »