Archive for the ‘Security’ Category

ASP.NET Session Cookie Crypto Attack Exploiting

September 20th, 2010 No comments

If the Linux CVE-2010-3081: 64bit Linux Kernel Root Exploit didn’t get you, then this little birdy might. It seems the implementation of the AES encryption algorithm which protects the integrity of the session cookies in ASP.NET has a weakness which could enable an attacker to hijack sessions – which bank? The idea behind using AES is to ensure that the encrypted data hasn’t been tampered with (and hence can be decrypted), but unfortunately the flawed way the AES implementation handles errors gives an attacker some much-needed clues to pursue.

From TheThreatPost article:

In this case, ASP.NET’s implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified. If the ciphertext has been changed, the vulnerable application will generate an error, which will give an attacker some information about the way that the application’s decryption process works. More errors means more data. And looking at enough of those errors can give the attacker enough data to make the number of bytes that he needs to guess to find the encryption key small enough that it’s actually possible.

There is a Microsoft Security Advisory (2416728) which gives some workarounds until a proper fix is made available. What’s really concerning is this little tidbit from Thai Duong about using their tool, the Padding Oracle Exploit Tool (POET):

“It’s worth noting that the attack is 100 [per cent] reliable, [that is], one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.”

What’s really interesting is seeing the video of the exploit in action on DotNetNuke (don’t close your eyes). ScottGu has blogged about this exploit in far more detail than I can, but if you’re keen there’s a nice document on using the Padding Oracle exploit which includes discussions regarding the JSF ViewState, cracking CAPTCHA schemes, as well as some juicy details on CBC-R.
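As an added illustration (not code from the post, the ThreatPost article or Microsoft's patch), here is the shape of the fix that the advisory's workarounds are approximating: authenticate the IV and ciphertext with a MAC before any decryption happens, compare the tag in constant time, and collapse every failure into one identical error so that a tampered cookie produces the same response whether or not its padding would have been valid. The token layout (IV || ciphertext || HMAC-SHA256 tag) and the separate encryption and MAC keys are my assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Assumed token layout: IV || AES-CBC ciphertext || HMAC-SHA256(macKey, IV || ciphertext)
public static class AuthenticatedCbc
{
    private const int IvLen = 16;   // AES block size
    private const int TagLen = 32;  // HMAC-SHA256 output size

    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        aes.GenerateIV();                       // fresh random IV for every token
        using var enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] body = new byte[IvLen + ct.Length];
        Buffer.BlockCopy(aes.IV, 0, body, 0, IvLen);
        Buffer.BlockCopy(ct, 0, body, IvLen, ct.Length);
        using var mac = new HMACSHA256(macKey);
        byte[] tag = mac.ComputeHash(body);     // encrypt-then-MAC over IV and ciphertext
        byte[] token = new byte[body.Length + TagLen];
        Buffer.BlockCopy(body, 0, token, 0, body.Length);
        Buffer.BlockCopy(tag, 0, token, body.Length, TagLen);
        return token;
    }

    // Every failure (bad length, bad tag, bad padding) surfaces as the same
    // exception, so the HTTP response cannot reveal which check rejected it.
    public static byte[] Unprotect(byte[] encKey, byte[] macKey, byte[] token)
    {
        try
        {
            int bodyLen = token.Length - TagLen;
            if (bodyLen < IvLen + 16) throw new CryptographicException();
            using var mac = new HMACSHA256(macKey);
            byte[] expected = mac.ComputeHash(token, 0, bodyLen);
            byte[] actual = new byte[TagLen];
            Buffer.BlockCopy(token, bodyLen, actual, 0, TagLen);
            // Constant-time compare: a byte-by-byte early exit would be a timing oracle.
            if (!CryptographicOperations.FixedTimeEquals(expected, actual))
                throw new CryptographicException();
            // Only an authentic, untampered ciphertext ever reaches the padding check.
            using var aes = Aes.Create();
            aes.Key = encKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            byte[] iv = new byte[IvLen];
            Buffer.BlockCopy(token, 0, iv, 0, IvLen);
            aes.IV = iv;
            using var dec = aes.CreateDecryptor();
            return dec.TransformFinalBlock(token, IvLen, bodyLen - IvLen);
        }
        catch (Exception)
        {
            throw new CryptographicException("Invalid token");
        }
    }
}
```

Because the tag is checked first, an attacker who flips bytes in the ciphertext never gets a padding verdict at all, which is the information the attack described above depends on.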


CVE-2010-3081: 64bit Linux Kernel Root Exploit

September 20th, 2010 1 comment

Well, it’s been a heavy week on the security front; first up is a Linux root exploit for 64-bit machines.

A vulnerability in the 32-bit compatibility layer for 64-bit systems was reported. It is caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the “compat_alloc_user_space” method with an arbitrary length input.

What does that mean? Essentially, the compat_alloc_user_space function was missing the sanity checks needed to validate the length and to ensure that the pointer to the allocated block of memory lies within the process’s user space. The fix has already been committed, but if you are running any x64 version of Linux, make sure you update your kernel – especially now that the exploit code is publicly available!

Read up on the exploit by Jeff Arnold from Ksplice and use this very useful CVE-2010-3081 high-profile exploit detection tool to determine if your boxes are already compromised.

Of particular note from his article is the breadth of exploitable distributions – see the references below for vendor-specific information:

This vulnerability was introduced into the Linux kernel in April 2008, and so essentially every distribution is affected, including RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, CloudLinux, and SuSE, among others. A few vendors have released kernels that fix the vulnerability if you reboot, but other vendors, including Red Hat, are still working on releasing an updated kernel.

After downloading and running the tool under a non-sudo account, you should cheerfully get the following output.

thushan@dingo:~/tmp$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.

$$$ Kernel release: 2.6.32-23-server
!!! Not a RHEL kernel, will skip LSM method
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): checking...not present.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory by the published exploit for CVE-2010-3081.

If not, it’s time to put those security drills into action!


OpenSolaris FIX: Server refused to allocate pty (SSH)

May 11th, 2010 5 comments

Just upgraded a friend’s OpenSolaris box to snv_134 (the latest available from the OpenSolaris dev repository) and after rebooting we realised we couldn’t SSH into it.

Server refused to allocate pty

D’OH! This is caused by a known bug that has been around for a few builds now.

You’ll need to modify /etc/minor_perm and add the following to the bottom of the file.

clone:ptmx 0666 root sys

And what happens if your terminals don’t accept keyboard input? You could drop back into the shell *or* be lazy like me: find the gedit Text Editor in your Accessories, add it to the panel and change the properties to run it as a privileged user:

pfexec gedit %U

Then run it, open the /etc/minor_perm file, make the change, save and reboot. Make sure you change the shortcut path back afterwards :-)


FIX: WordPress Older Posts not working in IIS with Permalinks

April 28th, 2010 2 comments

I spent some time tweaking my blog today after moving it to some fresh hardware. You may find that everything is loading much faster now which can be attributed to two plugins in addition to the hardware upgrade – wp-super-cache and wp-widget-cache.

I’ve also fixed a long-standing bug with my particular configuration of WordPress running on IIS, which causes the “Older posts” link at the bottom not to work for the second page. The WordPress-generated URL for this is

Which is a bit problematic; from my musings this can only be reproduced on IIS (serves me right eh?). There are a couple of suggestions by people on the forums already, but I wasn’t too keen on them as they seemed too high-level as fixes.

I’ve enabled Permalinks with this format:

So I looked through the sources to see why this was happening. After a bit of snooping about I got to the get_pagenum_link function in wp-includes/link-template.php file.

Here’s a bit of source for reference – this is from WordPress 2.9.2:

function get_pagenum_link($pagenum = 1) {
	global $wp_rewrite;

	$pagenum = (int) $pagenum;

	$request = remove_query_arg( 'paged' );

	$home_root = parse_url(get_option('home'));
	$home_root = ( isset($home_root['path']) ) ? $home_root['path'] : '';
	$home_root = preg_quote( trailingslashit( $home_root ), '|' );

	$request = preg_replace('|^'. $home_root . '|', '', $request);
	$request = preg_replace('|^/+|', '', $request);

	if ( !$wp_rewrite->using_permalinks() || is_admin() ) {
		$base = trailingslashit( get_bloginfo( 'home' ) );

		if ( $pagenum > 1 ) {
			$result = add_query_arg( 'paged', $pagenum, $base . $request );
		} else {
			$result = $base . $request;
		}
	} else {
		$qs_regex = '|\?.*?$|';
		preg_match( $qs_regex, $request, $qs_match );

		if ( !empty( $qs_match[0] ) ) {
			$query_string = $qs_match[0];
			$request = preg_replace( $qs_regex, '', $request );
		} else {
			$query_string = '';
		}

		$request = preg_replace( '|page/\d+/?$|', '', $request);
		$request = preg_replace( '|^index\.php|', '', $request);
		$request = ltrim($request, '/');

		$base = trailingslashit( get_bloginfo( 'url' ) );

		if ( $wp_rewrite->using_index_permalinks() && ( $pagenum > 1 || '' != $request ) )
			$base .= 'index.php/';

		if ( $pagenum > 1 ) {
			$request = ( ( !empty( $request ) ) ? trailingslashit( $request ) : $request ) . user_trailingslashit( 'page/' . $pagenum, 'paged' );
		}

		$result = $base . $request . $query_string;
	}

	$result = apply_filters('get_pagenum_link', $result);

	return $result;
}
This function (from reading through it) essentially generates the links for the page numbers and page navigation, taking Permalinks into account if they are configured. This is all fine and dandy for Unix hosts, but on Windows this bit of code unfortunately fails us.

$request = preg_replace( '|page/\d+/?$|', '', $request);
$request = preg_replace( '|^index\.php|', '', $request);
$request = ltrim($request, '/');

As preg_replace is case sensitive, it will not strip the Index.php (capital I) that is seen on IIS. So the easiest fix is to tweak the regex pattern a little and tell it to be case insensitive by adding the i modifier after the closing delimiter.

$request = preg_replace( '|page/\d+/?$|', '', $request);
$request = preg_replace( '|^index\.php|i', '', $request);
$request = ltrim($request, '/');

WordPress will still generate the (invalid) URLs, but the preg_replace will now remove any additional Index.php from the request URL, as it is already appended to the $base variable a few lines below:

if ( $wp_rewrite->using_index_permalinks() && ( $pagenum > 1 || '' != $request ) )
$base .= 'index.php/';

Once you make the change and upload the files, your “Older posts” link will start working again. I’ve submitted a patch to WordPress Trac; now it’s just a wait and see what they say. In the meantime here’s a patch file if you don’t want to modify the sources manually. If there are any issues, post a comment :-)


In the Zone, Creating OpenSolaris Zones.

November 22nd, 2009 No comments

I’m really enjoying using OpenSolaris as our server / NAS at home; it’s a different ball game to Linux but an interesting one nevertheless. One of the cool features of Solaris is Solaris Zones (or Solaris Containers). Zones are an implementation of operating-system-level virtualisation where the kernel isolates multiple instances of user space from each other. Something like chroot, but so much more. Unlike running under a hypervisor (like VMware or VirtualBox), Zones have very little (if any) overhead.

As I’ve come to realise, because of the way Solaris works in general, you can have multiple (isolated & secure) Zones, one for each application service exposed by the server – eg. one for Tomcat, one for Glassfish, maybe both Apache 1.3.x and 2.x, MySQL, Postgres etc. What’s more, you can limit how many resources these Zones can utilise. They all have their own configuration, including network routing (coupled with OpenSolaris Crossbow), and you can make for one kick-ass setup that won’t break another area of the operating system.

In the Zones.

Here’s a guide on setting up a new Zone in OpenSolaris, configuring it and booting it.

Me Against the Music, its all in the global zone

When we first install OpenSolaris we are already inside a zone (the parent of all other zones), which is known as the global zone.

You can see this by running the following to list all the available zones on a virgin install of OpenSolaris.

opensolaris# zoneadm list -vc
 ID NAME             STATUS     PATH                           BRAND    IP
 0 global           running    /                              native   shared

The output will be something like above. Now we can go about creating ourselves a zone for playing around in.

When working with zones, we only need to worry about three commands (damn I love that!): the zoneadm command to manage the physical zone, zonecfg to configure the zone, and zlogin to log in to the zone from the global zone.

First we have to do a bit of planning and thinking about what we’re going to do about this zone.

Here are a few things to consider:

  • What do you want to run in the zone?
  • Will it need networking and have it exposed outside of the machine?
  • Where will the zone reside on your disk?
  • Would you like to limit the amount of CPUs the zone can see?
  • Would you like to limit the amount of RAM the zone can utilise?
  • Do you want to automatically boot the Zone when OpenSolaris starts?

For this post, we’re going to create a simple Zone (we won’t install anything).

Toxic Zone

To create a zone we pass the zone name to the zonecfg command.

opensolaris# zonecfg -z toxic

You’ll get something like this appearing because the zone doesn’t exist yet; that’s fine.

toxic: No such zone configured
Use 'create' to begin configuring a new zone.

Then you will be inside the zonecfg configuration.

Let’s configure this zone to have the following:

  • Reside in /base/zones/
  • Autoboot with OpenSolaris
  • Shared IP of bound to physical interface e1000g1

Follow me:

zonecfg:toxic> create
zonecfg:toxic> set zonepath=/base/zones/
zonecfg:toxic> set autoboot=true
zonecfg:toxic> add net
zonecfg:toxic:net> set address=
zonecfg:toxic:net> set physical=e1000g1
zonecfg:toxic:net> end
zonecfg:toxic> verify
zonecfg:toxic> commit
zonecfg:toxic> exit

This will create the configuration, verify, write it and exit. You can verify it was created by running the list command again:

opensolaris# zoneadm list -vc
ID NAME             STATUS         PATH
0 global           running        /
- toxic            configured     /base/zones

It’s currently in the configured state; you can read more about the Non-Global Zone State Model in the documentation. The next thing to do is install the zone – this will get the base packages set up and configured for use.

opensolaris# zoneadm -z toxic install

Everytime, boot her up.

Next, let’s boot this bad baby up.

opensolaris# zoneadm -z toxic boot

Now if we list again we’ll see that the state has changed to running.

opensolaris# zoneadm list -vc
ID NAME             STATUS         PATH
0 global           running        /
- toxic            running        /base/zones

Now we have to configure the zone itself – just like a real machine. For this we use the zlogin command to log in to the zone console.

opensolaris# zlogin toxic
[Connected to zone 'toxic' pts/5]
Last login: Sat Nov 21 17:52:43 on pts/5
Sun Microsystems Inc.   SunOS 5.11      snv_127 November 2008

After that we’re in the toxic zone. Anything we do inside here stays within this zone and won’t affect our global or other zones. But before we continue we really should configure our networking.

First, let’s modify our /etc/nsswitch.conf file with vi.

passwd:     files
group:      files
hosts:      files dns
ipnodes:    files
networks:   file

Make sure the hosts entry has dns as above. Next we need to configure the nameservers.

toxic# echo 'nameserver' > /etc/resolv.conf

That will create a resolv.conf file with the nameserver, which you can get from the global zone as it will be different for everyone:

opensolaris# cat /etc/resolv.conf

Breath on me, reboot the zone.

Now we can access the network just like the global zone, so you can do a package refresh and image update too.

toxic# pkg refresh && pkg image-update

If it succeeds we have correctly set up our zone and it’s ready for use – you may want to reboot the zone however. To do this, exit the toxic console.

toxic# exit

[Connection to zone 'toxic' pts/5 closed]

Then let’s reboot the zone.

opensolaris# zoneadm -z toxic reboot
opensolaris# zlogin toxic
[Connected to zone 'toxic' pts/5]
Last login: Sat Nov 21 17:58:44 on pts/5
Sun Microsystems Inc.   SunOS 5.11      snv_127 November 2008

Outrageous, removing the zones.

Now how about removing this zone and trying again? First get out of the zone console and back to your global zone, then issue the halt command to shut down the zone.

root@toxic# exit
opensolaris# zoneadm -z toxic halt

Once it has stopped, simply remove it.

opensolaris# zoneadm -z toxic uninstall
opensolaris# zonecfg -z toxic delete

You can make sure it’s gone by using the list command. That’s all there is to it!

Now you can consider yourself, In The Zone.


Boffins get 1,000,000 Linux Kernels running as virtual machines!

August 4th, 2009 No comments

That’s right, that wasn’t a typo. Some crazy boffins at Sandia National Laboratories in Livermore have run more than a million Linux kernels as virtual machines, of which 20,000 can be run simultaneously! Why on earth would they attempt such feats?

Perhaps this XKCD may jog your memory:

XKCD: Networking

Yep, just about:

The technique will allow them to effectively observe behaviour found in malicious botnets, or networks of infected machines that can operate on the scale of a million nodes.


Apple Security: I’m in yo keeboards hax0ring yo porn sitez.

August 2nd, 2009 No comments

I’ll let you decide if this is LOL worthy.

APPLE KEYBOARDS ARE vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now that the presentation and code is out there, the bad guys will surely be exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple, a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working ram. For the intelligent, this is more than enough space to have a field day.

Nothing is encrypted, decrypted, and the process is simple. You then resume HIDFirmwareUpdaterTool, and in a few seconds, your keyboard is compromised. Formatting the OS won’t do you any good, the code is in keyboard flash. There are no batteries to pull, no nothing, the keyboard is simply compromised.

Then from the proof of concept document:

The application checks a number of properties of the keyboard and checks the validity of the firmware image file kbd 0x0069 0x0220.irrxfw in the bundle. The firmware validity checking routine is called CRC32: and is the 75 byte routine starting at 0x00003005. Despite the name, this routine does not do CRC32 at all and in fact, it simply just adds up the bytes of the firmware image file and the application verifies that the sum is 0x252ed7.

EPIC FAIL. While the rest of the world has been working hard on securing the fabric of their kernels, Apple have concentrated on painting the Leopard with new stripes. Before you fall into the trap of thinking this isn’t as big as they make it out to be – because you need physical (and root) access to update the firmware (and the user would have to approve) – think of malware or a Safari-related exploit. How many security-conscious Mac users do you think there are? Wasn’t the original deal “move to Mac and forget all your troubles”?

Surely Apple’s can’t be the only keyboard at fault; I’m sure my Razer Tarantula (with a few modifications) could fall into the same trap – at least you’d hope so, for Apple’s sake (or not!).

Anyway, woo, Windows 7 to TechNet/MSDN guys this week!


Microsoft releases Windows Vista SP2 and Windows 2008 Server SP2

May 27th, 2009 No comments

Quick note to let you know that Microsoft has released Service Pack 2 for Windows Server 2008 & Vista to the general public.

Download: Vista SP2 / Server 2008 SP2 x86 | Vista SP2 / Server 2008 SP2 x64
Download Size: 348.3 MB | 577.4 MB
Direct Downloads: Windows6.0-KB948465-x86.exe | Windows6.0-KB948465-X64.exe

KB Article: Microsoft KBQ948865

Service Pack 2 Details

x86:
Build: 6002.18005.090410-1830
File Name: Windows6.0-KB948465-X86.exe
Size: 365,230,920 bytes
CRC: 3368C777
MD5: C9394FD32DB15619328AF4FF0315750A
SHA1: 106C0484D7449CC4B70353C21D0C0D63E4BA66C3

x64:
Build: 6002.18005.090410-1830
File Name: Windows6.0-KB948465-X64.exe
Size: 605,410,472 bytes
CRC: 1737E14D
MD5: A3BCB1FFDB366397FA5FAB0898EB098D
SHA1: BE8D74ADC029FA7350FC1F0D32BEF853C0519A92

Enjoy! You can also slipstream this release into existing SP1 installation media using vLite; just be wary of a couple of caveats.


Weekend Nerding: Ubuntu 9.04 and GCC 4.4.0 released!

April 24th, 2009 2 comments

Just verified that today is Friday – they really need an RSS feed for this. What better time to release GCC 4.4.0 and the highly anticipated Ubuntu 9.04.

GCC 4.4.0 brings improved C++0x support, a new register allocator and, with the merge of the Graphite branch, “a new framework for loop optimizations based on a polyhedral intermediate representation”. More changes are detailed in the release notes.

As for Ubuntu 9.04, all the lovely changes are documented in the Ubuntu 9.04 overview, and don’t forget the updated UbuntuGuide for Jaunty. Download links and local Australian mirrors are available for iiNet & Internode.

Woo yeah for Friday.


XKCD: Pirate Bay

March 9th, 2009 5 comments

Can someone seed? I'm stuck on .01%
