October 25, 2014

Shellshock: Code injection vulnerability found in Bash

(LiveHacking.Com) – A code injection vulnerability in the Bourne again shell (Bash) has been disclosed on the internet. If exploited, arbitrary commands can be executed, and where Bash is used in relation to a network service, for example in CGI scripts on a web server, the vulnerability allows remote code execution.

The problem revolves around the way Bash processes environment variables used to export shell functions to other Bash instances. Bash uses environment variables named after the function, with a value starting with “() {”, to propagate function definitions through the process environment. The problem is that Bash does not stop after processing the function definition; it continues to parse and execute any shell commands that follow it.

This means that shell commands can be tacked onto the end of environment variables and they will be executed by the shell. The vulnerability is deemed critical because Bash is widely used on many UNIX-like operating systems, including Linux, BSD, and Mac OS X.

The most prominent attack vector is via HTTP requests sent to CGI scripts executed by Bash. Also, if SSH has been configured to allow remote users to run a set of restricted commands, like rsync or git, this bug means that an attacker can use SSH to execute any command and not just the restricted command.

The initial bug was designated CVE-2014-6271, and a patch was subsequently issued. However, it was later discovered that the patch had an issue in the parser and did not fully address the problem. As a result, a second CVE, CVE-2014-7169, was assigned to cover the problems remaining after the application of the first patch.

To test your system to see if your version of bash is vulnerable, run these two commands:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo completed"
env X="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

In either case, if the word “vulnerable” is displayed then your shell needs patching.

The United States Computer Emergency Readiness Team (US-CERT) has issued a statement: Bourne Again Shell (Bash) Remote Code Execution Vulnerability, along with the following alert: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169).

Red Hat has posted a special report on its security blog: Bash specially-crafted environment variables code injection attack. Akamai, a provider of cloud services, has also posted a blog post called Environment Bashing.
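As an added defender-side example (not from the LiveHacking post, nor from any vendor advisory), here is a Python checker that flags the “() {” function-definition prefix in the Referer and User-Agent fields of an Apache combined-format access log, the two headers a CGI handler exports into Bash's environment as HTTP_REFERER and HTTP_USER_AGENT. The log lines, addresses and paths are constructed for the example.

```python
import re

# Apache "combined" log format: the last two quoted fields are Referer and User-Agent,
# which a CGI handler hands to Bash as the HTTP_REFERER and HTTP_USER_AGENT variables.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash treats an environment variable as an exported function when its value starts
# with "() {". That prefix has no business in an HTTP header, so it is a high-confidence
# indicator of a CVE-2014-6271 probe regardless of what follows it.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

def is_shellshock_payload(header_value: str) -> bool:
    """True if the header value carries a Bash function-definition prefix.

    Bash only honours the prefix at the very start of the value; matching anywhere
    also catches padded variants at negligible false-positive cost."""
    return FUNC_PREFIX.search(header_value) is not None

def find_shellshock_attempts(log_lines):
    """Return (client_ip, header_name, request_line) for every combined-format line
    whose Referer or User-Agent looks like a Shellshock probe."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess at field positions
        for name, field in (("User-Agent", "ua"), ("Referer", "ref")):
            if is_shellshock_payload(m.group(field)):
                hits.append((m.group("ip"), name, m.group("req")))
    return hits

# Constructed sample lines (not real traffic). Lines 1 and 3 carry the article's own
# probe string; line 4 has the prefix URL-encoded in the query string, which reaches
# the CGI environment still encoded and so is not a trigger (and is not checked here).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 42 "() { :; }; echo vulnerable" "curl/7.37.0"',
    '192.0.2.9 - - [25/Sep/2014:10:00:04 +0000] "GET /cgi-bin/test.cgi?q=%28%29%20%7B HTTP/1.1" 404 0 "-" "curl/7.37.0"',
]

if __name__ == "__main__":
    for ip, header, req in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{ip}\t{header}\t{req}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; any hit against a path under /cgi-bin/ on an unpatched host should be treated as a successful execution attempt, not just a scan.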


NVIDIA fixes root privilege escalation in its Linux drivers

(LiveHacking.com) — Over a month ago an anonymous coder sent a small C program to Dave Airlie, who maintains the Direct Rendering Manager (DRM) subsystem in the Linux kernel, that allows an attacker to gain root access to a Linux machine by exploiting a vulnerability in NVIDIA’s Linux drivers.

The exploit works by using a vulnerability in the /dev/nvidia0 device which allows the VGA window to be moved around until it can read and write somewhere useful in physical RAM. The exploit then performs a root privilege escalation by writing directly to kernel memory.

More than a month has passed since information about the vulnerability was submitted to NVIDIA, and the graphics company has not responded. As a result, Airlie has made the exploit public.

“I was given this anonymously, it has been sent to nvidia over a month ago with no reply or advisory and the original author wishes to remain anonymous but would like to have the exploit published at this time, so I said I’d post it for them,” wrote Dave Airlie in a post to a security mailing list.

NVIDIA has now released version 304.32 of its drivers for Linux, FreeBSD and Solaris. The updated driver contains a hotfix to block access to the registers involved in this attack. At the same time NVIDIA has also blocked access to some other registers which it identified as being susceptible to a similar type of attack.

The 295.71 driver is available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/295.71/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/295.71/

Solaris: ftp://download.nvidia.com/solaris/295.71/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/295.71/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/295.71/

The 304.32 driver is also available for download at the NVIDIA FTP site:

32-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86/304.32/
64-bit Linux: ftp://download.nvidia.com/XFree86/Linux-x86_64/304.32/

Solaris: ftp://download.nvidia.com/solaris/304.32/

32-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86/304.32/
64-bit FreeBSD: ftp://download.nvidia.com/XFree86/FreeBSD-x86_64/304.32/

Details about the updated driver and the patches are available at: http://nvidia.custhelp.com/app/answers/detail/a_id/3140

Linux 2.6.39 Memory Handling Vulnerability

(LiveHacking.Com) – Exploits have started appearing that make it possible to gain root privileges on some versions of the Linux kernel due to a flaw in the /proc/<pid>/mem handling. The vulnerability first came to light when Linus Torvalds released a Linux kernel update last week to fix the flaw, followed by the analysis of the bug at Nerdling Sapple.

The bug, which was discovered by Jüri Aedla, allows a local, unprivileged user to escalate their privileges. The problem is that write support to /proc/<pid>/mem was re-enabled in the kernel but with insufficient permissions checking. This means that all Linux kernels >=2.6.39 are vulnerable, up until the fix noted above.

Red Hat have released a small C program which will test a kernel to see if it is vulnerable. If you are not sure if you are running an affected kernel version compile and run the test from https://bugzilla.redhat.com/attachment.cgi?id=556461:

$ gcc -o test test.c
$ ./test
vulnerable

You can read Red Hat’s full security advisory here. Canonical, the makers of Ubuntu Linux, have also announced the release of an update for Ubuntu 11.10. The fix can be applied using a standard system update followed by a reboot.

Security Breach at Home of Linux Sourcecode

(LiveHacking.Com) – Kernel.org, the primary site for the Linux kernel source code, suffered a security breach that was discovered on August 28th. The hackers managed to gain root access to one of the servers and modify some of the ssh files. They also added a trojan startup file to the system start up scripts.

The key question is whether the Linux source code was somehow modified to include back doors or vulnerabilities which would then be propagated to the various Linux distributions. The word from the system administrators is that the source code repositories were unaffected, but they are continuing to analyse the code within git, and the tarballs, to confirm that nothing has been modified.

The truth is that the potential damage of breaking into kernel.org is far less than for typical software repositories. That’s because kernel development takes place using the git distributed revision control system. For each of the nearly 40,000 files in the Linux kernel, a SHA1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version. Once it is published, it is not possible to change the old versions without it being noticed.

Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of several thousand kernel developers and distribution maintainers. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily.
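To make the hashing argument concrete, here is an added Python example (not from the article, and not git's own code) that computes a file's git blob id exactly the way git does and then builds a simplified commit chain on top of it, so that rewriting a file in the oldest commit changes the id of every later commit. The blob id matches `git hash-object`; the tree and commit encodings are a labelled simplification of git's, and the file contents are constructed.

```python
import hashlib

def git_blob_id(content: bytes) -> str:
    """Git's object id for file contents: SHA-1 over the header 'blob <size>\\0' plus
    the bytes. This is exactly what `git hash-object <file>` prints."""
    return hashlib.sha1(b"blob %d\0" % len(content) + content).hexdigest()

def tree_id(files: dict) -> str:
    """Simplified tree object: hash of the sorted (path, blob id) pairs. Real git also
    serialises file modes and uses raw SHA-1 bytes; the dependency structure is the same."""
    body = "".join(f"{path} {git_blob_id(data)}\n" for path, data in sorted(files.items()))
    return hashlib.sha1(b"tree " + body.encode()).hexdigest()

def commit_id(tree: str, parent, message: str) -> str:
    """Simplified commit object: hash of the tree id, the parent commit id and the
    message. Because the parent id is included, the id commits to all prior history."""
    body = f"tree {tree}\nparent {parent or ''}\n\n{message}\n"
    return hashlib.sha1(b"commit " + body.encode()).hexdigest()

def build_history(snapshots):
    """snapshots: list of (files, message) in chronological order; returns commit ids."""
    ids, parent = [], None
    for files, message in snapshots:
        parent = commit_id(tree_id(files), parent, message)
        ids.append(parent)
    return ids

# Constructed toy history: three commits of a two-file "kernel".
HISTORY = [
    ({"init/main.c": b"int main(void) { return 0; }\n", "README": b"hello\n"}, "initial"),
    ({"init/main.c": b"int main(void) { return 1; }\n", "README": b"hello\n"}, "fix return code"),
    ({"init/main.c": b"int main(void) { return 1; }\n", "README": b"hello world\n"}, "update README"),
]

def tamper_first_commit(history, path, new_content):
    """Rewrite one file in the oldest snapshot and rebuild the chain from there."""
    files, message = history[0]
    tampered = [({**files, path: new_content}, message)] + history[1:]
    return build_history(tampered)

def divergence(history, path, new_content):
    """Indices of the commits whose ids differ after tampering. A non-empty result
    starting at 0 is what every developer's `git pull` would notice immediately."""
    before = build_history(history)
    after = tamper_first_commit(history, path, new_content)
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

if __name__ == "__main__":
    print("blob id of 'hello\\n':", git_blob_id(b"hello\n"))
    print("commits renamed by tampering with the first README:",
          divergence(HISTORY, "README", b"hello-tampered\n"))
```

The point the article makes falls out of the last function: because every commit id includes its parent's id, altering any file in any historical commit renames that commit and all of its descendants, so a thousand independent clones disagree with the server the moment they fetch.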

Oracle Buys Ksplice to Add On the Fly Patching to Oracle Linux

(LiveHacking.Com) – Oracle has acquired Ksplice, Inc., who specialize in a technology for updating the Linux kernel, to patch security vulnerabilities and bugs, without rebooting.

By adding this service to Oracle Linux it will become the only enterprise Linux provider that can offer zero downtime updates. The Ksplice technology will be a standard feature of Oracle Linux Premier Support.

“More than 7,000 customers have chosen Oracle Linux for mission critical systems because of our world-class support offerings,” said Wim Coekaerts, Senior Vice President, Oracle Linux and Virtualization. “The addition of Ksplice’s zero downtime update technology further extends our Linux technology leadership.”

Ksplice prepares the hot updates at the object code level instead of the source code level, which allows Ksplice to perform hot updates with minimal programmer involvement. Ksplice analyzes the original kernel and the traditional source code patch by comparing compiled code (and its metadata) rather than source code.

“System administrators are forced to choose between known best practices and added operational costs when administering Linux updates,” said Jeff Arnold, CEO, Ksplice Inc. “Ksplice’s technology will be able to take Oracle’s kernel updates and transform them into zero downtime updates that provide always-accessible systems with no reboot necessary. This results in improved system availability and security as well as reduced operational costs for the customer.”

The following technical paper, written in 2008, describes some of the technology behind Ksplice: http://www.ksplice.com/paper

Hardening MySQL with mysql_secure_installation

A default Linux MySQL installation isn’t necessarily secure but a hardening script called mysql_secure_installation comes with the MySQL server to increase the default security. To run it, open a terminal window and as root (either using sudo or su -) type: mysql_secure_installation and press Enter.

The script will guide you through several steps to lock down the MySQL installation.

The first step is to set the root password. By default a root password isn’t set, so to set it, hit Enter when asked for the current password (meaning blank) and then set the password as directed. Setting the root password ensures that nobody can log into the MySQL root user without the proper authorisation.

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account. The anonymous user is there just for testing. Type ‘y’ and hit Enter when asked to remove the anonymous user account.

To ensure that the root user cannot log in over the network (allowing root connections only from the local machine), type ‘y’ and hit Enter when asked to disallow remote roots.

By default, MySQL comes with a database named ‘test’ that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. To remove it type ‘y’ and hit Enter when asked.

And that is it: if you answered positively to all the steps above, your MySQL installation should now be secure.

Running mysql_secure_installation is recommended for all MySQL servers in production use.
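Answering ‘y’ four times is easy to forget on a server built months ago, so here is an added Python audit (not part of MySQL or of the mysql_secure_installation script) that applies the same four checks to a snapshot of the mysql.user table and SHOW DATABASES output and lists the matching remediation SQL, in the form the 5.x-era script runs. The rows, host names and the hashed-password placeholder are constructed; run the SELECTs yourself and feed the real rows in.

```python
# Constructed snapshot of a fresh MySQL 5.x install, as the script would find it before
# hardening. Each tuple is (User, Host, Password) from mysql.user; hosts are made up.
FRESH_USERS = [
    ("root", "localhost", ""),
    ("root", "db1.example", ""),
    ("root", "127.0.0.1", ""),
    ("", "localhost", ""),
    ("", "db1.example", ""),
]
FRESH_DATABASES = ["information_schema", "mysql", "test"]

# Hosts from which root logins are still allowed after "disallow remote roots".
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_mysql(users, databases):
    """Return (finding, remediation SQL) pairs for the four mysql_secure_installation checks.
    The SQL mirrors the 5.x script; '<new-root-password>' is a placeholder to replace."""
    findings = []
    if any(u == "root" and pw == "" for u, _, pw in users):
        findings.append(("root account(s) with an empty password",
                         "UPDATE mysql.user SET Password=PASSWORD('<new-root-password>') WHERE User='root';"))
    if any(u == "" for u, _, _ in users):
        findings.append(("anonymous user accounts present",
                         "DELETE FROM mysql.user WHERE User='';"))
    remote_roots = [h for u, h, _ in users if u == "root" and h not in LOCAL_HOSTS]
    if remote_roots:
        findings.append((f"root may log in remotely from: {', '.join(remote_roots)}",
                         "DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');"))
    if "test" in databases:
        findings.append(("world-accessible 'test' database exists",
                         "DROP DATABASE test; DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';"))
    if findings:
        # The grant tables are edited directly above, so the server must reload them.
        findings.append(("reload grant tables after the changes", "FLUSH PRIVILEGES;"))
    return findings

def is_hardened(users, databases) -> bool:
    """True when none of the four checks fires."""
    return not audit_mysql(users, databases)

# Constructed post-hardening state: one local root with a (placeholder) password hash, no test db.
HARDENED_USERS = [("root", "localhost", "*CONSTRUCTED_HASH_PLACEHOLDER")]
HARDENED_DATABASES = ["information_schema", "mysql"]

if __name__ == "__main__":
    for finding, sql in audit_mysql(FRESH_USERS, FRESH_DATABASES):
        print(f"- {finding}\n    {sql}")
```

The snapshot for a live server comes from `SELECT User, Host, Password FROM mysql.user;` and `SHOW DATABASES;` (on MySQL 5.7 and later the column is `authentication_string` rather than `Password`).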

Live Hacking Penetration Testing DVD V1.3 Released

A new version of Live Hacking’s free Linux distribution designed for penetration testing and ethical hacking has been released. V1.3 has updated over 140 packages including Metasploit and Firefox.

New in this release is Metasploit Framework 3.6 which can be used to test your network using the framework’s internal database of known weaknesses and exploits. New to V3.6 are post-exploitation modules that can be run on exploited systems to perform actions such as gathering additional information, pivoting to other networks and elevating system privileges. V3.6 also adds 15 new exploits making a total of 648 exploit modules, 342 auxiliary modules and 23 post modules.

The Live Hacking Linux distribution is a ‘Live DVD’ which boots directly from your DVD and doesn’t need to be installed on your computer. As well as the standard Linux networking tools the Live Hacking DVD has tools for DNS enumeration and reconnaissance as well as utilities for foot-printing, password cracking and network sniffing. It also has programs for spoofing and a set of wireless networking utilities.

Now that the pool of free IPv4 addresses has been depleted, the Live Hacking DVD includes the THC-IPV6 tool, a set of tools to attack the inherent protocol weaknesses of IPv6 and ICMP6.

Use this link to download the Live Hacking DVD V1.3.

ISC’s DHCP Client Could Allow Remote Code Execution

The Internet Systems Consortium (ISC), a non-profit company which develops software for the infrastructure of the Internet (like BIND and DHCP), has released details of a new remote code execution vulnerability present in its dhclient software.

dhclient is ISC’s DHCP client and can be found on most Linux systems as well as other Unix-like platforms such as FreeBSD. When a machine is configured to use DHCP (Dynamic Host Configuration Protocol) the dhclient broadcasts a request asking for hostname and IP configuration information. A DHCP server will then reply with the corresponding information.

The problem is that dhclient does not strip or escape certain shell meta-characters in responses from the dhcp server (like hostname) before passing the responses on to dhclient-script. Depending on the script and OS, this can result in execution of exploit code on the client. dhclient versions 3.0.x to 4.2.x are affected.

ISC have issued new versions of the software: 3.1-ESV-R1, 4.1-ESV-R2 or 4.2.1-P1 which can be downloaded from here. No patch is available for 4.0.x as it has reached its end of life. Anyone running 4.1.x should upgrade to 4.1-ESV-R2.

If you don’t want to rebuild the software yourself you should consider the immediate workarounds given below or wait until your Linux distribution issues an update.

Immediate workarounds

On SUSE systems, it is possible to disable the hostname update by setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp. Other systems may add the following line to dhclient-script at the beginning of the set_hostname() function:

new_host_name=${new_host_name//[^-.a-zA-Z0-9]/}
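The bash expansion above deletes every character outside the set [-.a-zA-Z0-9] from the server-supplied host name. As an added example (not from ISC or from any distribution's dhclient-script), the Python below ports that whitelist so it can be tested against constructed option values, and adds the stricter check a hardened script could apply instead: reject any name that is not already valid host-name syntax rather than silently cleaning it. The sample option values are constructed.

```python
import re

# Port of the workaround's bash expansion ${new_host_name//[^-.a-zA-Z0-9]/}:
# every character outside [-.a-zA-Z0-9] is deleted. Shell metacharacters such as
# ';', '`', '$', '(', ')' and whitespace never reach dhclient-script's commands.
STRIP_UNSAFE = re.compile(r"[^-.a-zA-Z0-9]")

# RFC 1123 host-name label: letters, digits and hyphens, not starting or ending
# with a hyphen, at most 63 characters.
LABEL = re.compile(r"^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$")

def sanitize_hostname(value: str) -> str:
    """Same effect as the workaround line: keep only [-.a-zA-Z0-9]."""
    return STRIP_UNSAFE.sub("", value)

def is_valid_hostname(value: str) -> bool:
    """Stricter policy: the whole name must already be well-formed (labels valid,
    at most 253 characters, optional trailing dot)."""
    if not value or len(value) > 253:
        return False
    return all(LABEL.match(label) for label in value.rstrip(".").split("."))

def hostname_from_lease(value: str):
    """Reject-instead-of-clean policy for a hardened set_hostname(): return the name
    only if it is already valid, otherwise None so the script leaves the hostname alone."""
    return value if is_valid_hostname(value) else None

# Constructed DHCP host-name option values: one benign, two carrying shell
# metacharacters of the kind a hostile server could send.
SAMPLE_OPTIONS = [
    "host1.example",
    "host1; echo injected",
    "host$(echo x).example",
]

if __name__ == "__main__":
    for raw in SAMPLE_OPTIONS:
        print(f"{raw!r:28} -> stripped {sanitize_hostname(raw)!r:22} accepted: {hostname_from_lease(raw)!r}")
```

Note what stripping does to the second value: it becomes a plausible-looking name (host1echoinjected) and would be applied, whereas the reject policy refuses it. The workaround is adequate for stopping command execution; the stricter check also stops a malicious server from choosing the cleaned name.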

Exploit OOPS: Root Privileges on Linux

Security researcher Dan Rosenberg has presented, on the Full Disclosure security mailing list, a small demo program which combines several security holes to obtain root privileges on Linux systems.

He combined some existing vulnerabilities with the vulnerability discovered by Nelson Elhage in connection with the kernel’s thread management and troubleshooting routines (CVE-2010-4258). With this exploit, an attacker can potentially exploit an OOPS to write a null byte into the kernel’s memory area.

NetBSD 5.1 Released: Highly Portable Unix-like Open Source operating system

The NetBSD development team has released NetBSD 5.1. According to the NetBSD blog, NetBSD 5.1 is the first feature update of the NetBSD 5.0 release branch. It includes security and bug fixes, as well as improved hardware support and new features for this open source, highly portable Unix-like operating system.

Highlights of this version:

  • RAIDframe parity maps, which greatly improve parity rewrite times after unclean shutdown
  • X.Org updates
  • Support for many more network devices
  • Xen PAE dom0 support
  • Xen PCI pass-through support

More details are available at http://www.NetBSD.org/releases/formal-5/NetBSD-5.1.html.

NetBSD is a free, fast, secure, and highly portable Unix-like Open Source operating system. It is available for a wide range of platforms, from large-scale servers and powerful desktop systems to handheld and embedded devices. NetBSD is developed and supported by a large and vivid international community. Many applications are readily available through pkgsrc, the NetBSD Packages Collection.

NetBSD 5.1 is available to download here.

Source:[netbsd.org]