Tom's Random Thoughts

Command-Line Tool Fuzzer

2009-11-10T23:37:00.000-08:00

Yesterday Marcus reminded me that I have written a Fuzzer for command-line tools... honestly I forgot this little PoC tool and it slept in my CVS repository for nearly 1.5 years. Until now, I put it online. Beta-testers are welcome.

kostenloser Counter

Local root via VBoxNetAdpCtl

2009-10-06T21:56:00.000-07:00

Our maintainer requested to set the sbit for VBoxNetAdpCtl but a quick code review revealed that the code is vulnerable to shell command injection via popen(3) and a possible buffer overflow. Both bugs were fixed upstream by Sun.

Unfortunately there were no CVE-IDs assigned to this issues yet.

And to avoid confusions: We do not ship this tool setuid. :-)

Update:

CVE-2009-3692 for popen()
CVE-2009-3704 for strncpy().

kostenloser Counter

SELinux on openSUSE 11.2 Milestone 6

2009-08-24T06:44:00.000-07:00

SELinux can be enabled via YaST's bootloader module easily now.

kostenloser Counter

openSUSE 11.2 M4 and SELinux

2009-07-24T11:33:00.000-07:00

This week was HackWeek, unfortunately I didn't had the time for hacking something because SELinux does not work in Milestone 4.

It looks like the new kernel in Milestone 4 for 11.2 needs some special switches to be pushed to enable SELinux.

The kernel config defines "apparmor" as the default security framework which denys loading the "selinuxfs" etc.

Therefore you need to add the following parameters to the kernel boot parameter: "security=selinux selinux=1 enforcing=0"

I started working on a yast module for SELinux but I doubt I will finish it... if somebody wants to take over, let me know! :-)

Additionally a new libselinux package was submitted that includes an updated selinux-ready script. Pavol also submitted a new policycoreutils package to fix a build failure.

kostenloser Counter

SELinux on openSUSE 11.2, what will be?

2009-06-29T23:53:00.000-07:00

The next openSUSE version is in the queue, milestone 3 of 11.2 was already released during LinuxTag last week.

We try to make 11.2 more SELinux-enabled than before. When you watch the security:SELinux (account needed) repository you may have recognized some changes during the last days. What did we changed so far:

mkinitrd (Base:System): needs a little patch to mount /proc of the root filesystem to make the SELinux functions in init happy
selinux-policy (security:SELinux): a new package that contains some sample policies as well as a config file (/etc/selinux/config)
libselinux (security:SELinux): now includes a script named selinux-ready to verify if your system's configuration is suitable to run SELinux and give you hints of solving possible hurdles

So far it is still needed to install the packages, adding the boot-parameters (selinux=1 enforcing=0), and to make the directory /selinux (we don't want to pack this dir in a package - FHS).

What is on our TODO list:

I hope we can add a yast-module to 11.2 to enable SELinux by one or two clicks
everything else that is needed to enable basic SELinux support (looking at F11 ATM)
we will not provide a policy or enable SELinux by default for now, but hopefully later

Volunteers are welcome. openSUSE:Factory is open now! :-)

kostenloser Counter

openSUSE: building in KVM

2009-06-26T01:37:00.000-07:00

When you use our open build service (OBS) and build packages on your local machine, code from the network is executed as root. This is ok as long as you trust the packages.

If you do not want the code to be executed with full access to your local files then you can use KVM.

Add the following lines to you ~/.oscrc:

[general]
build-type=kvm
build-device=/tmp/KVM.root
build-swap=/tmp/KVM.swap
build-memory=254

But before this files can be used you have to create them:

> dd if=/dev/zero of=/tmp/KVM.swap bs=1024 count=300000
> qemu-img create /tmp/KVM.root 6G
> su -c "mkfs.ext3 -c /tmp/KVM.root "

Now you can use osc build without caring too much about your local security.

Thanks to Adrian to bringing this up.

kostenloser Counter

Browser Security Handbook, just for the record

2009-05-05T07:04:00.000-07:00

http://code.google.com/p/browsersec/wiki/Main

kostenloser Counter

SHA-1 Collision Strength now at 2^{52}

2009-05-04T02:38:00.000-07:00

Slides

kostenloser Counter

automatic Security-Testing of Beta-Versions

2009-04-27T06:54:00.000-07:00

Today I finished my little project of creating an easy way to automatically verify the security settings of a new openSUSE/SLES.

Tools I used:

qemu
setupgrubfornfsinstall.sh (script by Ludwig Nussel to make network installations, great tool!)
lighttpd to provide autoinstallation profile for...
autoyast + add-on products (also a great tool)
use an own and an openSUSE repositories to...
install various shell scripts and tools (Lynis, etc.) for verifying local security settings of a Linux system
a button to press ;)

Now everything that I need to do when a new beta-testing phase starts is run setupgrubfornfsinstall.sh, installing the beta in qemu, letting autoyast configure the system to include as many software packages as possible, create a root and test account, use the additional repos to install the security tools that run automatically at the end of the boot process. Fun! :)

kostenloser Counter

SAMATE

2009-04-01T08:08:00.000-07:00

Today I stumbled over SAMATE a NIST project established in 2004. The goal is to evaluate tools that analyze source-code, web-applications or binary-code. Interesting are the test-cases (SRD) they provide, take a look yourself and browse them online.

kostenloser Counter

X-Force 2008 Trend & Risk Report released

2009-02-04T04:31:00.000-08:00

The X-Force 2008 Trend & Risk Report from IBM was published. It is published twice a year and provides the reader with a lot of numbers about software vulnerabilities, trends (comparison with previous year) and the author's opinion.

The report starts with a criticism of current vulnerability severity classification - which I will go into detail later because it is interesting, provides an overview of all vulnerabilities counted by IBM's security team (ISS), talks about the attack targets (web applications, operating systems, client software like web browsers), and "attack" techniques.

The author of the report correctly criticises (a) the lack of economical parameters in determining the severity of a vulnerability using the Common Vulnerability Scoring System (CVSS) and goes even further by taking the standpoint that (b) targeted/single attacks by amateurs are out-dated and large-scale attacks are the state-of-the-art threat. The economical considerations of cyber-criminals are - like in real economics - opportunity and cost, where the opportunity consists of

the number of potential targets and...
the value gained by controlling the machine

and the cost consist of

ease to exploit and...
monetize

The report shows that vulnerabilities rated very high with CVSS aren't a big threat because they are not widely exploited (like Kaminsky's DNS attack (CVE-2008-1447))
These economical considerations are worth enough to be added to CVSS I think, but they are not as valuable as the author thinks. Let me explain why:

CVSS weights vulnerabilities and not threats (it can do it but not in the base score) this is a big difference and should therefore not be compared (context failure)
the presence of a high-profile mafia does not mean amateur shoplifters go the way of the dodo bird (see (b) above)
because of 2. we still have targets that are not the victims of organized cyber-criminals that do dupery (mostly windows client machines), like high profile targets like the government, research labs, companies. Therefore the economical view is not useful for every context.
and last, the point of criticism of CVSS being too technical is also the biggest argument against the economical metric introduced by the X-Force team, it stems from no facts but seems just to be a rating based on guessing and belly-feeling.

The third section (Vulnerabilities) trys to explain the positive and negative peaks of disclosed vulnerabilities, which - for example - may be used for better planning of security response team resources.

on Tuesday most bugs are made public (reason: Windows Patch-Day?)
the lowest rate per week is at the week-end
per year most vulnerabilities were disclosed during the holidays (x-mas, summer, thanksgiving) - this contradicts a bit with the "Patch-Day Theory" mentioned above
severity increases
number of remotely exploitable bugs increase (unfortunately no relation to total increase of vuln.s given)
number of vulnerable web applications still increases (no relation to LOC or number of products etc.-)
more SQL injections (more automatization)

The report also lists the vendors with most vulnerabilities disclosed and correctly warns about the analysis because it does not take lines of code (LOC) or market-share into account. This is of course very important to make an effective comparison and should be remembered when you see these numbers in the news.
Note: Linux is not in the Top 10 list, thanks to buggy web applications but the Linux kernel is on the 3rd place in the Top 10 list of vulnerable operating systems (a result of the effectivity of open-source development and open communication I assume)

Surprisingly the report states that about half of the vulnerabilities were not patched (even >70% for web applications); it only counts a bug as fixed if an announcement was released (problematic but reasonable). The reason for that could be that developers often release a new version of their software that fixes security and non-security failures and encourage their customers to upgrade instead of backporting patches... just a guess.

The increase of appearance of a proof-of-concept (PoC) exploits at the same day as the vulnerability was disclosed may be an indicator for better coordination between vendors and bug reporters (or fun to exploit bugs, or automation of exploit writing); this should be examined in more detail I think.

The rest of the report is about client-side and web-based attacks that is most interestingly for AV vendors I assume (it also matches the information from the GDATA Malware Report 2008 (not available yet, just saw a presentation)). But have a look yourself, the report is an interesting reading.

kostenloser Counter

Worm infects wirelesss Routers only

2009-01-29T23:43:00.000-08:00

This is so cool...

http://blogs.spectrum.ieee.org/tech_talk/2009/01/attack_of_the_wireless_worms.html

kostenloser Counter

SANS Top 25 Programming Errors

2009-01-13T02:21:00.000-08:00

The SANS institute has updated their list of the top 25 programming errors.

Some entries could be argued about but that doesn't matter.

The connection to the Mitre databases (CWE, CVE, CAPEC), the examples and explanations make this list really valuable... but have a look yourself.

kostenloser Counter

SELinux on openSUSE 11.1

2008-12-10T06:53:00.000-08:00

openSUSE release 11.1 will be available in a few ticks. I tried the beta5 and RC1 and it seems that 11.1 will run fast, stable and comes with a good set of new software.

From the security perspective one thing would be really interesting: SELinux support

11.1 comes with all necessary patches to enable SELinux but unfortunately it does not run by default. I hope to change it for 11.2.

The following steps are needed to enable SELinux on openSUSE 11.1.

patching mkinitrd to mount /proc
add boot parameters
install the selinux-refpolicy RPM files, libraries and tools, mkdir /selinux
create a config file

1. mkinitrd
To allow the init process to load the SELinux policy the /proc filesystem has to be mounted very early. This can be done as part of the booting process that happens with the initrd ramdisk. All you need to do is adding the line "/root/usr/bin/chroot /root /bin/mount /proc" to /lib/mkinitrd/scripts/boot-boot.sh (see git.opensuse.org for the patch). After you modified the script just run mkinitrd to replace the old initrd in /boot.
(Note: the script /etc/init.d/boot will try to mount /proc again and fails, you can remove the lines if you like)
Update: The line to be added was updated to "/bin/mount /root/proc" (see git and patch)

2. boot parameter
Two boot parameters are needed: selinux and enforcing.
Just use yast2 -> System -> Boot Loader to modify the "Optional Kernel Command Line Parameter" field by adding "selinux=1 enforcing=0" (enforcing should enabled after all policies work smoothly)

3. reference policies
openSUSE 11.1 does not come with default policies but you can add the SELinux openSUSE_Factory repo that provides you with the following RPM files:

selinux-policy-refpolicy-standard
selinux-policy-refpolicy-mls
selinux-policy-refpolicy-mcs

The following tools are in the default 11.1 repo:

checkpolicy
policycoreutils
selinux-tools
setools-*
libselinux1
libsepol1
libsemanage1

Update: And well, don't forget to mkdir /selinux.

4. config file
The SELinux config file is at "/etc/selinux/config" and should have the following content:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive

# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=refpolicy-standard

Reboot your machine. Log in as root and run setstatus the output should be:

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 23
Policy from config file: refpolicy-standard

Now that should be all. Let me know if it does not work or if you have other comments.

kostenloser Counter

NIST published a new Recommendation for Key Derivation

2008-11-09T23:44:00.001-08:00

The title says it all, so have a look at the 20 pages yourself: http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf

Donald Knuth stops paying for Failures found in his Books

2008-10-31T06:33:00.000-07:00

Bad news, most of you know the book series "The Art of Computer Programming". When you find a failure in it Donald Knuth sends you a check to get some $US as reward. Unfortunately it seems that a special number on this check was used several times to steal money from Knuth's bank account.

http://www-cs-faculty.stanford.edu/~knuth/news08.html

Disclaimer

The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.

Note to journalists and other readers: Unless you receive express written permission to the contrary from the author of the content of this blog/website, reproduction or quotation of any statements appearing on this blog/website is not authorized.

kostenloser Counter

NASDAQ Computer Failure makes Google Share CRASH.

2008-10-09T23:20:00.000-07:00

Hm, I wasn't able to find much information about this issue but it seems a computer failure at the NASDAQ was responsible for GOOG to be in a free fall to Ø.

The Computerzeitung (german) and the tickerspy documented it.

If you have more information let me know, it looks like an interesting case that may not be a mistake but intention.

Disclaimer

kostenloser Counter

MySQL truncation attack, new? Nah!

2008-10-09T09:22:00.000-07:00

Have a look at this nice article about SQL statement truncation attacks: Stefan said that it is new, but I know at least two guys at SuSE which take care of this kind of vulnerability since several years now. :-) *boast*

Frankly, injection and truncation attacks are "a natural thing" and there is nothing to explore or to find new here. It doesn't matter what language is used, what backend-systems handle the request etc..

Disclaimer

kostenloser Counter

Security Vulnerabilities in Postfix and OpenWSMan

2008-08-14T09:40:00.000-07:00

Today we released two security advisories, one for postfix and the other one for openwsman.

Sebastian found the bugs in postfix that allow to read other users emails (CVE-2008-2937) (think about "Forget Password" functions of web-services) and code execution as root/mail (CVE-2008-2936) by delivering mail to a shell script via a file link. Exploiting both vulnerablities depend on the permissions of the mail directory.

The other advisory is about openwsman, an implementation of the Web Service Management specs. I think most people do not know or use it ;) - at least I didn't know it before I started auditing it. A review of the pre-auth code revealed a buffer overflow (CVE-2008-2234) when the function ws_base64_decode() was used to decode the HTTP authentication header. This function occurs at two places in the code. The other problem affects the callback-verify function for the OpenSSL library (CVE-2008-2233). The client code verifies the fingerprint of the certificate received by comparing it with a fingerprint stored in the config without checking the host the certificate comes from. An attacker can record the SSL handshake and replay it to the client (or man-in-the-middle attack), the fingerprints will match and everything looks fine.

We have to thank Wietse Venema and Anas Nashif for getting the code fixed.

And yes, the SuSE Security-Team still does pro-active work! ...even if you do not directly recognize it because it does not occur in the news. :)

Disclaimer

kostenloser Counter

Mac OS X 10.4.11: DNS resolver analysis

2008-07-15T00:56:00.000-07:00

Not much details, just the result of TIA watching my wife's MacMini.

gate:/home/thomas # cat transid-stat.sorted|head -n 24
17 0x6071
16 0x5F71
16 0x5E71
16 0x5D71
16 0x5C71
16 0x5B71
8 0xBBC2
8 0xBAC2
8 0xB9C2
8 0xB8C2
8 0xB7C2
8 0xB6C2
6 0x4EA8
6 0x4DA8
6 0x4CA8
6 0x4BA8
6 0x4AA8
6 0x49A8
5 0xA3D4
5 0xA2D4
5 0xA1D4
5 0xA0D4
5 0x9FD4
5 0x9ED4

gate:/home/thomas # cat portnum-stat.sorted|head -n 24
232 5353
4 49263
4 49262
4 49261
4 49260
4 49259
4 49258
4 49257
4 49253
4 49252
4 49251
4 49250
4 49249
4 49248
4 49247
4 49246
4 49244
4 49243
4 49242
4 49241
4 49240
4 49239
4 49238
4 49233

:-)

Disclaimer

kostenloser Counter

Tool: TIA to verify DNS Cache Poisoning Fix (CVE-2008-1447)

2008-07-11T07:09:00.000-07:00

I released an update of TIA, the DNS TRXID analyzer, to record and count the UDP source-port numbers used too. TIA can be downloaded from my suse.de page.

The tool simply counts the number of times a TRXID/port -number occured. Use whatever tool and method you like to find patterns etc. in it. :-)

Disclaimer

kostenloser Counter

Never saw an Application using SSL without Flaws.

2008-07-09T02:50:00.000-07:00

Most code that uses SSL I verified made at least one mistake that allows an attacker to read the plaintext traffic. When you were able to listen to one of my secure programming presentations or read this blog you already know the examples. And the list of vulnerable applications seems not to end...

I am currently doing a design and source-code review of an application which uses SSL for communications with its components.

The client verifys the certificate and the hostname, but uses a "clever" verify-callback function to compare the the fingerprint of the invalid certificate received with a fingerprint defined in the client's configuration. The hostname is not verified by the callback function!

All that is needed to make the client accept connections to another system controlled by an attacker is to sniff the public certificate with WireShark (other tools work too, but I used this one), save the server payload of the packages (with WireShark, just follow the TCP stream and save it as a C array). Now the malicious server only needs to create a listening TCP socket, accepts the SSL handshake messages from the client (they can be ignored) and replays the SSL payload. The client uses the curl API which recognizes that the certificate comes from the wrong host, calls the callback function, compares the fingerprint of the certificate with the trusted one, they match and so the connection is accepted. Voila!

Disclaimer

kostenloser Counter

DNS Cache Poisoning

2008-07-09T00:42:00.000-07:00

The US-CERT releases an advisory about DNS cache-poisoning yesterday. The story is not new: The DNS protocol is vulnerable to a Birthday Attack. The ISC released a new version of bind that uses a random Transaction-ID (TRXID) and a random UDP source-port for each query. This makes a Birthday Attack impracticable for DNS cache-poisoning.

We fixed it in PowerDNS in April and bind follows now (due to pressure from a Black Hat presentation). I hope that this reminder helps to remove this vulnerability from the Internet.

Also have a look at the great research work on PRNG implementations done by Amit Klein.

Update 1: The attack Dan Kaminsky found seems to be new, but yet there are no details available and we have to wait for his Black Hat conference presentation. Maybe he just sends UDP packets with a broadcast destination IP set (port is static) to all DNS servers involved in the resolution process to increase the likelyhood of a TRXID match... dunno. Nevertheless UDP port randomization stops the attack.

Update 2: Our QA team worked hard to test the new bind packages and they should be available at all our mirrors now... happy updating. :-)

Update 3: Hopefully the last one. We released the bind advisory today. Please make sure you did not specify a port number for queries in your config files (query-source port 53 or query-source-v6 port 53) . The default config files we ship should all be ok as far as I can see.

Disclaimer

kostenloser Counter

Search Queries send to Google

2008-07-01T02:41:00.000-07:00

When you use the google search bar of Firefox3 (maybe other browsers do it this way too) and type a word it is send character by character to http://suggestqueries.google.com/ to receive suggestions for word completion. It is of course ok to send the whole query after pressing return but sending each character can lead to information leaks of passwords, chat conversations, email content, etc. :)

Disclaimer

kostenloser Counter

Ruby and the OpenID Library

2008-06-27T08:46:00.000-07:00

Function call ruby-openid-2.0.3/lib/openid/util.rb:srand(Time.now.to_f) is problematic in two ways.

1.) The rand() and srand() implementation of the ruby interpreter (see file random.c) is clever enough to seed the random pool with some bytes from /dev/urandom. Using an own seed like the time reduces the entropy.

2.) The parameter used here is the time in microseconds as a float ([seconds].[microseconds]). But srand()'s argument type is int and therefore the microsecond part of the float is removed - Result: seed loses nearly 20 bits of entropy!

Disclaimer

kostenloser Counter