Archive | Security

Security is not a feature; it’s a process. Notes on issues, patches and essays on security.

When is a document not a document?

When is a document not a document? Perhaps when it contains executable code. Executable code can do bad things to your computer if it has the security permissions to do so, or if it exploits flaws in the way the document reader executes the code. A Word document with AutoRun macros is an executable program in the form of a document. A web page containing JavaScript (or JScript or VBScript or Java or Flash) is an executable. Without limiting what functionality these executables can access, an action as simple as opening a document or navigating to a web site can open your machine to exploitation.

The latest instance of this is a flaw in Adobe Reader for Windows that allows a specially crafted PDF file to exploit your machine via a mailto protocol link. The SANS Internet Storm Center reports PDF mailto exploit documents in the wild, that is, it’s possible for you to catch this nasty bug off a web page or via the mail.

If you’re running Windows and have Adobe Reader installed, make sure you are running the latest version (links are in the article above). And don’t open any files from untrusted sources. And don’t trust any source.

Clippy on a rampage: exploit code appears for Microsoft Agent bug

September 13, 2007 Computerworld — Exploit code appears for Microsoft Agent bug: “It took less than 24 hours for attackers to crank out proof-of-concept code targeting the one critical vulnerability disclosed — and patched — Tuesday morning by Microsoft, security researchers warned.” Ouch. A Day One exploit. Hopefully, Microsoft’s distribution of their updated Agent patches via Windows Update will be speedier than the bad guys’ spreading of their exploit.

Microsoft fixes 14 flaws in 9 patches; 6 are critical – Security – News – ZDNet Asia

ZDNet Asia does a nice job of summarizing August’s MS patches: Microsoft fixes 14 flaws in 9 patches; 6 are critical. Lots of critical software to patch: XML processing, Office, OLE Automation, GDI and Internet Explorer means that every Windows installation is threatened by “Remote Code Execution” — someone else owning your machine. Get Patching!

VietNamNet – Over 50,000 PCs infected with data-destroying viruses

Many fans of FoxPro complain FoxPro doesn’t get enough press. Some even argue that any PR is good PR. Not in this case, I think:

VietNamNet – Over 50,000 PCs infected with data-destroying viruses “In mid July, we received many reports from financial and monetary institutions saying that their data files FoxPro and SQL were destroyed. The reason is virus W32.Ukuran.Worm,” said an official of BKIS.

Bummer.

Brute Force Detection (BFD) script for vsftpd

vsftpd is the “very secure file transfer protocol daemon” and a great product to use for file transfers. Unfortunately, a bunch of script kiddies and zombies run scripts guessing the 2283 most common user name and password combinations. Sometimes, I’ll see several of these runs of login attempts in a single day, peaking one day at over 13 thousand bogus login attempts. I resent the amount of time, resources, bandwidth and power my server has to spend rejecting these attempts.

Last year, I blogged about the script Brute Force Detection that works with many servers and reads the logs to ban repeated failed login attempts. Unfortunately, it did not have the settings to read vsftpd generated logs, and there were not any directions simple enough for me to understand to set one up. A year passes, I read more, learn more, especially the great Man Page of the Month sessions at MonadLUG, and I find a couple of hours to hack at this, motivated by yet another log report filled with vsftpd login attempts. Here’s what I did:

BFD uses rules files that are portions of scripts customized for the particular log to read, the messages to look for, and the locations at which the IP addresses of the offending attacker can be found. When each rule file in turn is read into the main BFD script, it becomes part of a set of commands that slices and dices the log, finds the (adjustable) number of excessive attempts, and issues the commands to ban attempts from that IP address. The trick is figuring out what commands you need to implement to return the stream of IP addresses in the correct format. Here’s an example, the sshd rule file:

REQ="/usr/sbin/proftpd"
if [ -f "$REQ" ]; then
    LP="/var/log/secure"
    TLOG_TF="proftpd"
    TRIG="15"

    ## PROFTP
    ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w proftpd | grep -iwf $PATTERN_FILE | tr '[]' ' ' | tr -d '()' | awk '{print$10" "$13}' | tr -d ':' | awk '{print$1":"$2}' | grep -E '[0-9]+'`
fi

Boy, is that inscrutable! Here’s a quick tour: REQ is the required file (the binary that runs proftpd), so the rule only runs if there is such a file (“fi” closes the “if” block – it’s “if” spelled backwards, cute!). The other variables are used to feed the main processing line, starting with ARG_VAL. This line processes the log (named LP) through a series of pipes that filter the result down to the items that need to be processed. Grep processes lines by Globally searching, using Regular Expressions, and Prints the matches through to the next command in the pipe. TR translates characters from one set to another, or -Deletes them. Awk is a simple text processing language, really handy for tricks like printing the tenth and thirteenth words out of a line.

Here’s the trick to working this out: take a log file you know has your suspect violations, use cat to feed it into the beginning of the pipe described above, and add to the pipe item by item to figure out what each stage does and what the final result looks like, in this case a stream of IP addresses and login names, something like:

192.168.1.1:fred
192.168.1.1:fred
192.168.1.1:fred
192.168.1.1:fred
192.168.1.1:barney
192.168.1.1:charlie
192.168.1.1:dave
192.168.1.1:eric

This is what BFD gets fed back to it. Then, it counts the number of attempts, compares that against the TRIG value set above, and if it exceeds the trigger level, executes the command (set in BFD’s configuration file, conf.bfd) to ban the offending attacker. (It also optionally sends an email to the admin, a good idea to ensure you’ve got things set up properly.)

Now, your installation of vsftpd may be a little different from mine: your logs may have different names and columns in different orders, so use this script only after testing that it works properly with your configuration. Best of luck with it. Here’s my implementation of a rule to detect vsftpd script kiddie attacks:

REQ="/usr/sbin/vsftpd"
if [ -f "$REQ" ]; then
    LP="/var/log/messages"
    TLOG_TF="vsftpd"
    TRIG="15"

    ## VSFTPD
    ARG_VAL=`$TLOGP $LP $TLOG_TF | grep -w vsftpd | grep -i rhost | grep -iwf $PATTERN_FILE | awk '{print $13":"$12}'| tr -d '[]()?@'| cut -d = -f 2,4 | grep -E '[0-9]+'`
fi

The cut command is a new one here: like awk it lets you pick particular columns to slice out of the line, but it also lets you specify the delimiter that separates the columns. In this case, I use cut with “=” as the delimiter to pick off the second half of two columns that are formatted as “rhost=192.168.1.1” and “ruser=badguy@badplace.com”, keeping just the values after the equals signs.
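To see the two stages a BFD rule performs end to end (reduce the log to “ip:user” lines, then count per address against TRIG), here is an added example written for this post; it is not BFD’s code or mine from the rule above. The log lines, host names, PIDs and addresses are constructed, and the PAM line layout is an assumption to check against your own /var/log/messages; it finds the rhost and user fields by name rather than by column position, so it also copes with logs whose columns are shifted.

```shell
#!/bin/sh
# Added example, not BFD's own code: (1) reduce a log to "ip:user" lines,
# (2) count failures per IP and report the addresses at or above a trigger.
# Hostnames, PIDs, addresses and the exact PAM line layout are constructed
# assumptions; compare against your own /var/log/messages before reusing.

SAMPLE_LOG='Sep 15 10:01:02 ftphost vsftpd(pam_unix)[2311]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.1.1 user=fred
Sep 15 10:01:03 ftphost vsftpd(pam_unix)[2311]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.1.1 user=fred
Sep 15 10:01:04 ftphost vsftpd(pam_unix)[2311]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.1.1 user=barney
Sep 15 10:01:05 ftphost vsftpd(pam_unix)[2311]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.1.1 user=charlie
Sep 15 10:02:00 ftphost vsftpd(pam_unix)[2390]: authentication failure; logname= uid=0 euid=0 tty= ruser=wilma rhost=10.0.0.7
Sep 15 10:02:01 ftphost sshd[2400]: Failed password for root from 10.0.0.9 port 4444 ssh2
Sep 15 10:03:00 ftphost vsftpd(pam_unix)[2391]: session opened for user fred by (uid=0)'

# Stage 1: log text on stdin -> one "ip:user" line per failed vsftpd login.
# Fields are located by name instead of by position ($12/$13), so a log whose
# columns are shifted still parses; user= wins over ruser= when both are set.
extract_pairs() {
    grep -w vsftpd | grep -i 'authentication failure' | grep -i rhost |
    awk '{
        ip = ""; u = ""; ru = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rhost=/)      ip = substr($i, 7)
            else if ($i ~ /^user=/)  u  = substr($i, 6)
            else if ($i ~ /^ruser=/) ru = substr($i, 7)
        }
        if (u == "") u = ru
        if (ip != "") print ip ":" u
    }'
}

# Stage 2: log text on stdin, trigger count as $1 -> the IPs with at least
# that many failures, busiest first (the addresses BFD would hand to its ban command).
offenders() {
    trig="$1"
    extract_pairs | cut -d : -f 1 | sort | uniq -c | sort -rn |
    awk -v t="$trig" '$1 + 0 >= t + 0 { print $2 }'
}

# Stand-alone run: show the pairs, then who would be banned with TRIG=3.
printf '%s\n' "$SAMPLE_LOG" | extract_pairs
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

Feed a real log in place of SAMPLE_LOG (cat /var/log/messages | extract_pairs) and compare the pairs with what the rule’s ARG_VAL line produces before trusting either.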

Phil Windley’s Technometria: Saying Yes to Paper Ballots

From Phil Windley’s Technometria | Saying Yes to Paper Ballots:

The standards are still evolving and experience is showing that the electronic machines do have problems accurately recording votes. (Emphasis in the original)

Paper ballots. Paper ballots. Paper ballots. Tell your congress(wo)man. Tell your senator. Tell your reps. Paper ballots. Let’s stop paying private firms huge amounts of money to ship badly-designed, poorly-engineered, easily-tricked voting machines. Voting is a lot more important than getting the results on the TV that night. Let’s do it right. Paper ballots. Audit trails. Open standards. Open code review.

Microsoft Patch Tuesday, May 2007

It’s the nineteenth week of the year, and Microsoft issues fixes #23 through #27, running a bit ahead of the pace of the last couple of years. And “Remote Code Execution” is obviously the goal of the bad guys. Here’s the list:

  1. MS07-023 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (934233)
  2. MS07-024 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (934232)
  3. MS07-025 – Vulnerability in Microsoft Office Could Allow Remote Code Execution (934873)
  4. MS07-026 – Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)
  5. MS07-027 – Cumulative Security Update for Internet Explorer (931768)
  6. MS07-028 – Vulnerability in CAPICOM Could Allow Remote Code Execution (931906)
  7. MS07-029 – Vulnerability in RPC on Windows DNS Server Could Allow

Here’s the Microsoft summary, with links for more details. The Internet Storm Center at the SANS Institute is rating most of these as “Patch Now!” with few contraindications. As usual, make backups, and get patching!


This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.