1. Vulnerabilities (phpbb, squirrelmail)

    Just after the phpBB website was compromised (see the detailed explanation on this blog), another big problem appeared, this time with SquirrelMail:

    SECURITY: Plugins Security Alert
    Feb 05, 2009 by Paul Lesniewski
        We are sorry to announce that we've had a security breach with our plugins system. An attacker uploaded at least
        four modified plugin packages, which we have since rectified. If you have downloaded any of the following
        plugins since January 17, 2009, you should immediately replace them (download them again):
        AnnotateMore Server and Mailbox Annotations version 0.2
        CAPTCHA version 1.1
        Change LDAP Password version 2.2
        Sieve Mail Filters version 1.9.7
    

    Ouch! SquirrelMail does not give many details on the impact, but given that these plugins can touch passwords, this can be very bad …

  2. Creating a rogue CA certificate

    Date Tue 30 December 2008

    A nice presentation was given today at CCC, entitled MD5 considered harmful today: Creating a rogue CA certificate.

    It explains that, despite having been broken for several years, MD5 is still used by some important CAs. Using this attack, they were able to generate a rogue CA certificate, and so were able to issue certificates that are marked as trusted by all browsers. As a result, the security of websites such as banks or e-commerce sites could be severely compromised!

    So it seems that, unlike the people promising the end of the world (like Dan Kaminsky at BlackHat 2008, Kris Kaspersky at HITB, and Robert E. Lee and Jack C. Louis at T2 and Sec-T), this one could really lead to some serious consequences.

    Congrats to them !

    Solutions:

    • Ban MD5 and the certificates signed with it (like those issued by RapidSSL, even in 2008)
    • For CA implementations, randomizing the serial number of issued certificates could help mitigate the problem, since the attack relies on predicting the exact content the CA will sign
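    The second mitigation in practice, as an added example that is not part of this post or of the CCC presentation: a serial generator that satisfies the RFC 5280 constraints (positive, at most 20 DER octets) with enough CSPRNG output that an attacker cannot guess the to-be-signed structure, next to the plain counter that makes the attack feasible, plus a small audit heuristic (`looks_sequential`, my own construction with an assumed gap threshold) for spotting a CA that still issues predictable serials.

```python
import secrets

# Constraints from RFC 5280 section 4.1.2.2: a serial number is a positive
# integer encoded in at most 20 octets. The CA/Browser Forum Baseline
# Requirements additionally demand at least 64 bits of CSPRNG output per serial.
MAX_SERIAL_OCTETS = 20
MIN_RANDOM_BITS = 64


def random_serial(random_bits: int = 128) -> int:
    """Return a serial number an attacker cannot predict before issuance.

    random_bits is capped at 159 so the DER INTEGER encoding (which needs a
    leading zero byte when the top bit is set) never exceeds 20 octets.
    """
    if not MIN_RANDOM_BITS <= random_bits <= 8 * MAX_SERIAL_OCTETS - 1:
        raise ValueError("random_bits must be between 64 and 159")
    value = secrets.randbits(random_bits)
    # A serial must be strictly positive; retry in the (negligible) zero case.
    while value == 0:
        value = secrets.randbits(random_bits)
    return value


def serial_is_valid(serial: int) -> bool:
    """RFC 5280 well-formedness check: positive and at most 20 DER octets."""
    if serial <= 0:
        return False
    # DER INTEGER takes one extra octet when the first byte has its top bit set;
    # (bit_length + 8) // 8 accounts for that leading zero byte.
    octets = (serial.bit_length() + 8) // 8
    return octets <= MAX_SERIAL_OCTETS


def sequential_counter(start: int):
    """The weak pattern the post warns about: a plain incrementing counter.

    With this scheme, anyone who buys a certificate can predict the serial
    of the next one, which is exactly what the chosen-prefix collision needs.
    """
    n = start
    while True:
        yield n
        n += 1


def looks_sequential(serials, max_gap: int = 1000) -> bool:
    """Audit heuristic (assumed threshold): serials collected from one CA
    are flagged as predictable when every consecutive pair, in sorted order,
    lies within max_gap of each other. Serials with 64+ random bits
    essentially never satisfy this."""
    s = sorted(serials)
    if len(s) < 2:
        return False
    return all(0 < b - a <= max_gap for a, b in zip(s, s[1:]))
```

Run `looks_sequential` over serials harvested from certificates a CA has already issued to you (or to anyone; they are public) to decide whether that CA belongs on the ban list above.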

  3. Restoring data from raid + lvm disks

    If you are, like me, using this kind of layout for your disks:

    disks => raid1 => lvm (encrypted or not) => partitions => filesystems
    

    (Remember never to use XFS with this layout, unless you want to be sure to lose data - XFS still has problems with the 4k stack. Also, do not use XFS if you are not using a power supply. Oh well, remember not to use XFS at all …)

    This setup should keep your data safe if one of the disks crashes. Good! But what happens if you want to take one of the disks and mount it elsewhere (for example with an external USB converter)? You have to re-create the FS stack manually, which can be quite tricky, so I post the commands here:

    0 - Find your disk partition layout

    # fdisk -l /dev/sdb
    Device Boot      Start         End      Blocks   Id  System
    /dev/sdb1   *           1         122      979933+  fd  Linux raid autodetect
    /dev/sdb2             123       14946   119073780   fd  Linux raid autodetect
    

    1 - Create a (degraded) raid array

    # mdadm --assemble --run /dev/md0 /dev/sdb2
    mdadm: /dev/md0 has been started with 1 drive (out of 2).
    

    2 - Scan and create the LVM volume group

    # lvmdiskscan |grep md
    /dev …
  4. ulogd2: the new userspace logging daemon for netfilter/iptables (part 3)

    Installation

    If you’ve followed the previous article, you now have a working ulogd2 installation. We will now explore the way data are stored in the database, and the default SQL schema provided with ulogd2.

    SQL schema, basics

    The SQL schema? Not really, only the default one. Ulogd2 uses stored procedures and views to create an abstraction layer between the C code and the real storage of the data (the tables in the SQL database). The basics are the following:

    Inserting data using the “INSERT” keyword is fast, but requires the application to know the SQL schema. An update of the SQL part then needs an update of the C code, which is not very handy. So instead of using:

    INSERT INTO tablename (field1,field2,...) VALUES (1,2,...);
    

    We will create a stored procedure (in this example, we use PostgreSQL PL/pgSQL syntax):

    CREATE OR REPLACE FUNCTION INSERT_PACKET_FULL(
                   IN value11 integer,
                   ...)
    RETURNS bigint AS $$
    DECLARE
           t_id bigint;
    BEGIN
           -- An assignment from a bare INSERT is not valid PL/pgSQL; the row id
           -- is fetched with RETURNING ... INTO (here "id" is assumed to be the
           -- table's primary key column)
           INSERT INTO tablename (field1,field2,...) VALUES ($1,$2,...)
                  RETURNING id INTO t_id;
           RETURN t_id;
    END
    $$ LANGUAGE plpgsql SECURITY INVOKER;
    

    Inserting data can now be done, using:

    SELECT INSERT_PACKET_FULL(1,2,3,...);
    

    So, we have succeeded in transforming a fast and single (and simple) query into …

  5. xtables-addons accepted in Debian


    Xtables-addons is a project developed by Jan Engelhardt to replace the old patch-o-matic repository for the Linux kernel and iptables. Instead of patching the kernel source, extensions are built as modules, which allows extending kernels without recompilation.

    I have created a Debian package, split in two parts: xtables-addons-source (the sources of the kernel modules), and xtables-addons-common (common files: shared libraries, man pages, binaries).

    To install xtables-addons on Debian (sid only, but the package works on Lenny after a rebuild), run the following commands:

    apt-get install module-assistant xtables-addons-source
    module-assistant prepare
    module-assistant auto-install xtables-addons-source
    

    It will automatically install the headers for your kernel, build the modules, create a local package, and install it. What’s interesting is that, unlike before (with p-o-m or kernel patches), there is no need to reboot.

    It adds new targets for iptables:

    • CHAOS: randomly use REJECT, DELUDE or TARPIT targets. This will fool network scanners by returning random results
    • DELUDE: always reply to a SYN by a SYN-ACK. This will fool TCP half-open discovery
    • DHCPADDR: replace a MAC address from and to a VMware host
    • IPMARK: mark a packet, based on its IP address
    • LOGMARK: log packet and mark to syslog
    • SYSRQ: trigger …
  6. Captive Portals are BAD !

    Captive portals almost always work by validating the IP address of the client, and often the MAC address. This creates a false sense of security, because it is quite easy to bypass. Let’s explain the most common problem: spoofing.

    Installing a captive portal

    I have chosen to install Alcasar, which claims to be a highly secure solution developed by the French Ministry of Defense.

    First surprise: it’s a shell script! In fact, it’s not really an application, only an installer for a few packages, with some configuration. Installation went pretty badly:

    • the installer only works for a specific version of Mandriva (2007), which is quite old, and buggy on my hardware
    • most things are hardcoded: the installer blew up without any error message because my network does not end in a 0 (10.0.0.129/25)
    • my third network card is not even used by the script! Too bad for the DMZ

    After 4 or 5 retries, and modifications in the script, I finally got a working server.

    First tests

    After a reboot, everything seems to work. I got an address using DHCP and tried to connect to Google .. ok, the captive portal appears and asks for a login. With …

  7. Git rocks

    No news here, this post is mostly a note for myself, to remember some commands for git:

    Creating a repository to be shared between several hosts (with an existing project)

    On the server:

    mkdir project.git
    cd project.git
    git --bare init
    

    On the remote host:

    cd project
    git init
    git remote add origin ssh://server/var/git/project
    git config branch.master.remote origin
    git config branch.master.merge refs/heads/master
    

    Now you can make the first commit:

    git add .
    git commit -m "First commit"
    git push
    
    Fix a mistake in a previous commit
    1. Save your work so far.
    2. Stash your changes away for now: git stash
    3. Now your working copy is clean at the state of your last commit.
    4. Use ‘git rebase -i’, and use the ‘edit’ command on the commit you want to edit
    5. Make the fixes. (If you just want to change the log, skip this step.)
    6. Commit the changes in “amend” mode: git commit --all --amend
    7. Your editor will come up asking for a log message (by default, the old log message). Save and quit the editor when you’re happy with it.
    8. The new changes are added on to the old commit. See …
  8. Materials for CanSecWest 2008

    Date Sun 19 October 2008


    These talks have probably been online for a while, but as most of them are really interesting, have a look at the CanSecWest 2008 conference materials:

  9. Netfilter workshop 2008 in Paris

    The next edition of the Netfilter Workshop will take place in Paris, France, from September 29th to October 3rd, 2008.

    The first day is open to everyone, and the program is now online.

    There will be many interesting presentations. I will give talks on nfqueue-bindings and on the weatherwall (a firewall based on the weather at the location of the packets’ destination), and on ulogd2 together with Eric.

    Entry is free, but registration is required. Please fill in the registration form.

    See you there !

  10. Prelude Correlator in Debian

    The Prelude Correlator is now packaged in Debian.

    From the description of the package:

    Prelude is a general-purpose hybrid intrusion detection system.
    .
    This package provides the Prelude Correlator, which is a powerful
    correlation engine using Lua to write correlation rules.
    .
    The features currently include:
     * Rapid identification of important security events, enabling the analyst to
       assign task priorities
     * Alert correlation originally from heterogeneous sensors deployed on the
       whole infrastructure
     * Real-time analysis of events received by the Prelude Manager
    

    You can contribute! If you use the correlation engine, please share your correlation rules.
