11.14.2007

Windows DNS Server Cache Poisoning

Amit Klein finally released his research on Windows DNS Server Cache Poisoning today. He discovered the vulnerability that enables a DNS cache poisoning attack against the Windows DNS server back in April. It took Microsoft over 6 months to come up with a patch. The weakness found is in the transaction ID generation algorithm. This is very similar to some of Amit's earlier research on BIND 8 and 9 DNS cache poisoning. Here are the links to the research.

Windows DNS Server Cache Poisoning

BIND 8 DNS Cache Poisoning

BIND 9 DNS Cache Poisoning

8.21.2007

Botnets Become More Evasive

Botnets have adapted once again to become more evasive and reliable. They are now working in a more organized and coordinated fashion. Botnets are now employing load-balancing and high-availability techniques similar to those used by high traffic web applications. Here is some good reading material on the newest trend in bots...Fast-Flux Botnets.

Fast flux foils bot-net takedown

Know Your Enemy: Fast-flux Service Networks

8.04.2007

Broadband Blockage of Outbound SMTP

Recently, I've noticed that more and more broadband ISPs are blocking outbound SMTP connections (TCP port 25). I'm guessing this is an attempt to slow down all the spam relayed from infected computers on their networks. Instead of taking a more proactive approach and looking to better protect their user base, some ISPs have opted for an easy and abrasive solution: let's just block outbound SMTP. Well, this affects many legitimate customers who are road warriors working from home. Some of these remote workers VPN into work and should not encounter this issue, but I'm sure there is still a large number of remote workers who need to connect directly to TCP port 25. Do you think that maybe this is a ploy to sell more broadband business accounts without restrictions? Who knows! Anyway, this is how I got around this little inconvenience, assuming your mail server is running Linux or Unix and you have iptables installed:

iptables -t nat -A PREROUTING -d mail.ip.goes.here -p tcp --dport 26 -j REDIRECT --to-ports 25

Now, instead of connecting to TCP port 25 on your mail server...try connecting to TCP port 26. You should successfully connect and be able to do your business. :) This same technique can be applied if you have a network or host based firewall/nat device. All it's doing is redirecting traffic from TCP port 26 to 25.

7.05.2007

Wordpress Captcha Plugin

CapCC is a Wordpress Captcha Plugin used for user registration and comments. I am using it on all my Wordpress blogs and loving it. The combination of CapCC & Akismet for fighting spam on your blogs is lethal. :)

5.29.2007

Dynamic DNS Script for Namecheap.com

I have an Apache 2.2 web server running Debian Etch Linux on cable broadband Internet. My Internet Service Provider (like many others) charges way too much for static IP addresses. So the problem I have is that my ISP frequently changes my IP, so static domain name resolution would suck. Also, I got lucky and my ISP leaves HTTP port 80 open. The solution to my problem is registering my domain with a domain registrar that offers dynamic DNS. I have chosen Namecheap.com because they offer dynamic DNS and have free whois protection. I checked out the Namecheap.com knowledge base to see exactly how their dynamic DNS works. There are a few clients that support Namecheap.com dynamic DNS for Windows. There is ddclient, which supports Linux, but since it was only an HTTP GET request I decided to just write a quick Perl script to do the task. The only requirement is that you have the LWP module installed. I set up a crontab so that every 10 minutes the script is called like this:

0,10,20,30,40,50 * * * * /home/dns/dynamicdns-namecheap-v1.pl >/dev/null 2>&1

You can download the Dynamic DNS Script for Namecheap.com here and the source is below.

#!/usr/bin/perl
#Perl script to update Dynamic DNS for Namecheap.com
#dynamicdns-namecheap-v1.pl
use strict;
use warnings;
use LWP::Simple;
my($ip, @hosts, $host, $domain, $domainpw, $url, $content);

@hosts = ("www","*");
$domain = "yourdynamicdnsdomainname.com";
$domainpw = "yourdynamicdnsdomainpassword";
# Pull the IPv4 address off eth0 (Etch-era ifconfig prints "inet addr:1.2.3.4 ...";
# matching "inet addr" keeps the inet6 line out of the pipeline)
$ip = `ifconfig eth0 | grep 'inet addr' | awk -F: '{print \$2}' | awk '{print \$1}'`;
chomp($ip);   # strip the trailing newline, otherwise it ends up inside the URL
die "could not read an IPv4 address from eth0" unless $ip =~ /^\d+(\.\d+){3}$/;

foreach $host (@hosts) {
    $url = "http://dynamicdns.park-your-domain.com/update?host=".
           $host."&domain=".$domain."&password=".$domainpw."&ip=".$ip;
    $content = get($url);
    die "cant connect to dubdubdub" unless defined $content;
    print $content."\n"; # the server's reply; cron discards it (see the crontab entry above)
}
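The same task in Python, as an added example rather than the page's script, with two changes worth having: every query parameter is percent-encoded, and the registrar is contacted only when the address has actually changed. It assumes the endpoint from the page, ifconfig on eth0 as the address source and a state file path of your choosing; the host names and password shown are placeholders.

```python
import re
import subprocess
import urllib.parse
import urllib.request
from pathlib import Path

# Endpoint taken from the page's Perl script. It is plain http, so the domain password
# travels in the clear in the query string on every call; that is one reason to call
# it only when the address has actually changed.
UPDATE_ENDPOINT = "http://dynamicdns.park-your-domain.com/update"


def parse_ifconfig_inet(output):
    """Extract the first IPv4 address from ifconfig output, accepting both the Etch-era
    'inet addr:1.2.3.4' form and the newer 'inet 1.2.3.4' form. Returns None if absent.
    'inet6' lines never match because the pattern requires a space right after 'inet'."""
    match = re.search(r"\binet (?:addr:)?(\d{1,3}(?:\.\d{1,3}){3})\b", output)
    return match.group(1) if match else None


def current_ip(interface="eth0"):
    """Same source as the Perl script: ifconfig on the interface holding the public address."""
    out = subprocess.run(["ifconfig", interface], capture_output=True, text=True, check=True).stdout
    return parse_ifconfig_inet(out)


def build_update_url(host, domain, password, ip):
    """Percent-encode every parameter. The Perl script concatenates raw strings, so a
    password containing '&', '#' or a space would silently corrupt the request."""
    query = urllib.parse.urlencode(
        {"host": host, "domain": domain, "password": password, "ip": ip})
    return f"{UPDATE_ENDPOINT}?{query}"


def update_needed(ip, last_ip):
    """Contact the registrar only when the address changed; an unreadable (None) address
    never triggers an update."""
    return ip is not None and ip != last_ip


def load_last_ip(state_file):
    path = Path(state_file)
    return path.read_text().strip() if path.exists() else None


def run(hosts, domain, password, state_file, interface="eth0"):
    """Update every host if the interface address changed; returns the registrar's replies."""
    ip = current_ip(interface)
    if not update_needed(ip, load_last_ip(state_file)):
        return []
    replies = []
    for host in hosts:
        url = build_update_url(host, domain, password, ip)
        with urllib.request.urlopen(url, timeout=15) as resp:
            replies.append(resp.read().decode("utf-8", "replace"))
    Path(state_file).write_text(ip + "\n")   # remember it only after the updates went through
    return replies


if __name__ == "__main__":
    # Placeholder values as in the page's script; replace them with your own.
    for reply in run(["www", "*"], "yourdynamicdnsdomainname.com",
                     "yourdynamicdnsdomainpassword", "/home/dns/.last-ip"):
        print(reply)
```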

5.24.2007

Wordpress 2.1 Vulnerabilities

Over the past few weeks there have been some vulnerabilities that have surfaced for WordPress 2.1.* releases. The first link describes a SQL injection attack through a weakness in xmlrpc.php. A prerequisite is that you must be a user on the target WordPress blog. The second link describes a blind SQL injection attack on admin-ajax.php. The third link is the advisory for the admin-ajax.php exploit. The fourth link is to the proof-of-concept exploit code. I would highly recommend that you upgrade any older WordPress blogs. Enjoy! ;)

Wordpress 2.1.2 xmlrpc Security Issues

Wordpress admin-ajax.php Sql Injection

[waraxe-2007-SA#050] - Sql Injection in WordPress 2.1.3

WordPress 2.1.3 sql injection blind fishing exploit

5.22.2007

Blogger with Your Own Domain

The goal I set out for is simple. I own the blog digitalcartel.blogspot.com and I have a few posts, but I wanted it on my own domain. I didn't want to migrate the existing posts and content to another blog system. I browsed Blogger's management interface a little and noticed that in the Settings section there is a Publishing tab that has domain options. Once you're there, Google has a very helpful link on the domain setup process. Okay, so now you know that we have to create a CNAME record in our domain's DNS. Well, this goes one of two ways: either your registrar is hosting your DNS or you are hosting it on your own. If you have it hosted by a registrar, go ahead and check this Google page for more information. I happened to be hosting my own DNS, and I'm running djbdns. You can only choose one host to point at Google. I chose www.digitalcartel.org to avoid any conflicts involved with using a CNAME on your base domain. My CNAME alias entry in djbdns:

Cwww.digitalcartel.org:ghs.google.com

So now you have the CNAME alias in place; just complete the rest of the steps from the previous links. Once www.digitalcartel.org was working with my blog I was happy. But!!! I wanted the base domain digitalcartel.org to work with the blog as well. My solution of choice is mod_rewrite, since I've been using it a lot lately. I went ahead and made a DNS A record for digitalcartel.org and pointed it to one of my web servers. My A record in djbdns:

+digitalcartel.org:1.8.7.0:3600

Basically, I just added the following to the apache webserver configuration to redirect anything heading for digitalcartel.org to www.digitalcartel.org. You could also put this in a .htaccess file.

ServerName digitalcartel.org
RewriteEngine On
# Only act on requests that arrived for the bare domain
RewriteCond %{HTTP_HOST} ^digitalcartel\.org$ [NC]
# Send the client to the same path on the www host (permanent redirect);
# %{REQUEST_URI} keeps the path intact and works both in the vhost and in .htaccess
RewriteRule ^ http://www.digitalcartel.org%{REQUEST_URI} [R=301,L]

Once this was in place, I was satisfied. :)

5.07.2007

Apache Mod Rewrite Cheat Sheet

Today I was struggling with mod rewrite and as usual feeling lazy. I really didn't want to dig through my apache books/ebooks. I came across this cheat sheet and it was exactly what I needed. Also, see the Apache mod_rewrite reference documentation and URL Rewriting Guide. Maybe if I'm not too lazy sometime next week I will post some examples of how I have used it. :)

4.19.2007

Linux printing with DELL 3100 CN

The goal I set out for was to be able to print over the network from my Debian Etch laptop to a Dell 3100CN printer. The first part was just figuring out how to give the printer a static IP address, so I hit up the Dell support site for the manual. There is a web interface, but that's for noobs. I myself am a panel hacker. So below is how you would set up your network connectivity. Pay attention to the notes. Assigning an IP address is major stuff. You need an administrator for this or you could blow up your printer.

Assign an IP Address

An IP address is a unique number that consists of four sections that are delimited by a period and can include up to three digits in each section, for example, 111.222.33.44.

Assigning an IP address already in use can cause network performance issues.

NOTE: Assigning an IP address is considered as an advanced function and is normally done by a system administrator.
NOTE: Do not continue with this procedure until you have the following three addresses:
- IP Address
- Subnet Mask Address
- Gateway Address

For more information on using your operator panel, see "Operator Panel."

  1. Turn on the printer.

The Ready to Print appears.

  2. Press Menu.

  3. Press until Configure appears, and then press or .

  4. Press until Network appears, and then press or .

  5. Press until TCP/IP appears, and then press or .

  6. Press until IP AddressSetup appears, and then press or .

  7. Press until Panel appears, and then press .

  8. Press .

  9. Press until IP Address appears, and then press or .

  10. The cursor is located at the first digit of the IP address. Press to enter the numbers for the IP address.

  11. Press .

The cursor moves to the next digit.

  12. Repeat steps 10 and 11 to enter all of the digits in the IP address, and then press .

  13. Press .

  14. Press until Subnet Mask appears, and then press or .

  15. Repeat steps 10 to 11 to set Subnet Mask, and then press .

  16. Press .

  17. Press until Gateway Address appears, and then press or .

  18. Repeat steps 10 to 11 to set Gateway Address, and then press .

  19. Turn off the printer, and then turn it on again.

Okay, so you made it through the printer side configuration. Now, you get on your laptop and download the Dell 3100 CN PostScript Printer Description file.
Then do the following:


1. Click "System" → "Administration" → "Printing"
2. Double Click "New Printer"
3. Click "Network Printer"
4. Choose "HP Jetdirect"
5. Enter of the printer
6. Choose "Install Driver..." and select the previously downloaded Dell_3100cn.ppd as the driver file
8. Select "Laser Printer 3100cn v3015.102 PS"
9. Enter the printer name, description, and location
10. Choose "Apply" and print test page.

Apparently, the above process is all good for Ubuntu. On Debian Etch, I was still having an issue, so I peeped out "/var/log/cups/error_log" and it was complaining about missing a file. So I busted out...
#cp /usr/local/src/Dell_3100cn.ppd /usr/share/ppd/
and now all is well. Mission accomplished. Time for a beer. ;)

Linux and open file descriptors

Increasing open file descriptors

I remember back in the day coming across file descriptors when running an ircd. In order to have a big bad ass ircd you would often need to increase the number of open file descriptors. By increasing this value, you can really push your server, and whatever software you run on it, to the limit.

A small number of open file descriptors (sockets) can significantly reduce both the performance of an Internet server and the load that a workload generator like httperf can generate. This is meant to provide some information about how to increase the limits on the number of open file descriptors (sockets) on Linux. Note: the actual numbers used below are examples. The numbers you should use will depend on whether you are modifying a system that will be used as a client or a server and the load being generated. In this example we increase the limit to 65535.

Also note that some of these steps may or may not be required depending on whether you are using PAM and if some of the stuff is being done remotely using ssh.

1. To check and modify system limits.

[The current limit shown is 8192]
% cat /proc/sys/fs/file-max
8192

[To increase this to 65535 (as root)]
# echo "65535" > /proc/sys/fs/file-max

If you want this new value to survive across reboots you can add it to /etc/sysctl.conf:

# Maximum number of open files permitted
fs.file-max = 65535

Note that this isn't proc.sys.fs.file-max as one might expect.

To list the available parameters that can be modified using sysctl do

% sysctl -a

To load new values from the sysctl.conf file.

% sysctl -p /etc/sysctl.conf


2. Modify your software to make use of a larger number of open FDs.

[Find out where __FD_SETSIZE is defined]
% grep "#define __FD_SETSIZE" /usr/include/*.h /usr/include/*/*.h
/usr/include/bits/types.h:#define __FD_SETSIZE 1024
/usr/include/linux/posix_types.h:#define __FD_SETSIZE 1024

[Make a local copy of these files]
% cp /usr/include/bits/types.h include/bits/types.h
% cp /usr/include/linux/posix_types.h include/linux/posix_types.h

[Modify them so that they look something like this]
#define __FD_SETSIZE 65535

[Recompile httperf and/or your server so that it uses a larger file
descriptor set size by using -I include during compilation; this
will allow the compiler/preprocessor to use the new include files
rather than the default versions]

3. To check and modify limits per shell.

[Using csh: openfiles and descriptors show that the limit here is 1024]
% limit
cputime unlimited
filesize unlimited
datasize unlimited
stacksize 8192 kbytes
coredumpsize 0 kbytes
memoryuse unlimited
descriptors 1024
memorylocked unlimited
maxproc 8146
openfiles 1024

[To increase this to 65535 for all users (as root)]
# vi /etc/security/limits.conf

[Modify or add "nofile" (number of files) entries - note
that a userid can be used in place of *]
* soft nofile 65535
* hard nofile 65535

# vi /etc/pam.d/login
[Add the line]
session required /lib/security/pam_limits.so

[On many systems this will be sufficient - log in as a regular
user and try it before doing the following steps]

[These steps may be required depending on how PAM and ssh are configured]
[Note on some systems - Debian?]
# vi /etc/pam.d/ssh
[Note on other systems - RedHat]
# vi /etc/pam.d/sshd
[Add the line]
session required /lib/security/pam_limits.so

# vi /etc/ssh/sshd_config
[May need to modify or add the line]
UsePrivilegeSeparation no

[Restart the ssh daemon]
[Note on some systems - Debian?]
# /etc/init.d/ssh reload
[Note on other systems - RedHat]
# /etc/rc.d/init.d/sshd reload


NOTE: it may still be necessary in some cases to adjust the limits manually.

In tcsh
limit descriptors 65535

In bash
ulimit -n 65535

Credit for the bulk of this post goes to:
http://bcr2.uwaterloo.ca/~brecht/servers/openfiles.html
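An added example (not from the page or the linked write-up) that makes the three limits concrete from inside a process on Linux: the soft/hard RLIMIT_NOFILE pair that limits.conf sets, the EMFILE error a process gets when it exhausts its own limit, and the FD_SETSIZE ceiling that step 2 works around. It assumes Linux with /dev/null and Python's resource and select modules available.

```python
import errno
import os
import resource
import select

FD_SETSIZE = 1024  # glibc's default select() ceiling; step 2 on the page rebuilds with a larger one

def raise_soft_to_hard():
    """Lift this process's soft RLIMIT_NOFILE up to the hard ceiling that limits.conf
    (step 3) granted it, as a daemon does at startup. Returns (old_soft, new_soft, hard)."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    new_soft = soft
    if hard != resource.RLIM_INFINITY and soft < hard:
        resource.setrlimit(resource.RLIMIT_NOFILE, (hard, hard))
        new_soft = hard
    return soft, new_soft, hard

def probe_fd_limit(soft_target=64):
    """Lower the soft limit to soft_target, open /dev/null until the kernel refuses, then
    restore. EMFILE from the per-process limit is what a busy server hits first, whatever
    fs.file-max says. Returns (fds_opened, limit_used, hit_emfile)."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    limit = soft_target if hard == resource.RLIM_INFINITY else min(soft_target, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (limit, hard))
    opened, hit_emfile = [], False
    try:
        while True:
            try:
                opened.append(os.open("/dev/null", os.O_RDONLY))
            except OSError as exc:
                hit_emfile = exc.errno == errno.EMFILE
                break
    finally:
        for fd in opened:
            os.close(fd)
        resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
    return len(opened), limit, hit_emfile

def select_breaks_past_fd_setsize():
    """Step 2's point: a large nofile limit does nothing for code built on select(), which
    cannot watch a descriptor numbered >= FD_SETSIZE; poll() has no such ceiling.
    Returns (select_failed, poll_ok), or None if the hard limit cannot reach fd 1024."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if hard == resource.RLIM_INFINITY or hard <= FD_SETSIZE:
        return None
    resource.setrlimit(resource.RLIMIT_NOFILE, (hard, hard))
    opened, fd = [], -1
    try:
        while fd < FD_SETSIZE:              # keep opening until we hold fd 1024 or above
            fd = os.open("/dev/null", os.O_RDONLY)
            opened.append(fd)
        try:
            select.select([fd], [], [], 0)
            select_failed = False
        except ValueError:                  # "filedescriptor out of range in select()"
            select_failed = True
        poller = select.poll()
        poller.register(fd, select.POLLIN)
        poll_ok = isinstance(poller.poll(0), list)
    finally:
        for f in opened:
            os.close(f)
        resource.setrlimit(resource.RLIMIT_NOFILE, (soft, hard))
    return select_failed, poll_ok
```

Run the three functions in that order from a shell with the default 1024 limit and you will see the probe stop short of 64, the soft limit jump to whatever "hard nofile" allows, and select() refuse the high descriptor that poll() accepts.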

4.14.2007

Meet Linux

Novell's funny answer clips to those Mac versus Windows PC television commercials. My favorite one is clip 3. :)

Meet Linux.

3.14.2007

Star Wars, Noobs, and Hackaz

LOL! Enjoy. :) Star Wars, Noobs, and Hackaz

Human Computation, Captcha, and ESP

I was trying to do some work when I stumbled upon this link. Needless to say, my work got put off until the video was over. This is a really kickass presentation on human computation. The presentation is by Luis von Ahn, who is an assistant professor at Carnegie Mellon University. Pre-interview he looks nervous and a bit squirrely. Needless to say, he did an awesome job. He starts off discussing the pros and cons of captchas. He moves on to cover human computation and how he has applied it to his ESP game.

3.09.2007

Wordpress server compromised

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Long explanation...

No Good. Circle with da slash. I have a few wordpress installs. Even though they are not a few days old... I upgraded anyway. I suggest everyone running wordpress to do the same. I'm just wondering if MU was affected. I guess we will find out soon enough.

TLD DNS DDoS fact sheet released

Back in February, there was a rather large DDoS attack on the Internet's root DNS servers (TLD). There really weren't many details on the attack, except for rumors that it originated somewhere in the Asia-Pacific region. Well, now we have something to sink our teeth into. ICANN has released an official fact sheet with more information on the attack. There are still some unanswered questions, but this fact sheet is very concise and well put together. It covers details on the root server infrastructure, including Anycast, DDoS, zombies, and other aspects relevant to the attack.

ICANN TLD DNS DDoS attack fact sheet

3.08.2007

The Buzz about the OpenPGP Bug


Published: 2007-03-06,
Last Updated: 2007-03-07 12:39:48 UTC
by Arrigo Triulzi (Version: 1)

The latest GnuPG security advisory is, in the specific case of GnuPG, more of a "Human-Computer Interaction" than a security hole proper. The flaw is not in the encryption but in the way in which OpenPGP, a standard way of transmitting PGP-encrypted data, is interpreted by GnuPG "helpers" such as Enigmail and mail programs such as Evolution, KMail, etc.

An OpenPGP-compliant message can be made up of multiple sections, not all of which need to be signed or encrypted. The "helpers" and mail software do not use the GnuPG API correctly to interpret where the sections start and end, leading to something called "injection", which is a fancy name for "adding untrusted data which is undetectable from trusted data".

Translated: you see the pretty icon telling you that the whole message is encrypted and signed whereas there is a section of it (text, image, binary, whatever) which isn't.

What if you use GnuPG "raw"? Well, the visual cues are insufficient even for an advanced user and this is why a new release of GnuPG is being distributed and relevant CVE numbers were issued.

To give you an idea of the extent of the issue here are the CVE numbers:
  • CVE-2007-1263 - for the visual distinction issues in GnuPG itself, all 4 attacks.
  • CVE-2007-1264 - Enigmail improper use of --status-fd
  • CVE-2007-1265 - KMail improper or non-existing use of --status-fd
  • CVE-2007-1266 - Evolution improper or non-existing use of --status-fd
  • CVE-2007-1267 - Sylpheed improper or non-existing use of --status-fd
  • CVE-2007-1268 - Mutt improper or non-existing use of --status-fd
  • CVE-2007-1269 - GNUMail improper or non-existing use of --status-fd
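One way a mail helper can consume GnuPG's machine-readable status lines (what --status-fd emits) instead of guessing from the human-readable output, as an added example that is not code from the diary or from any of the clients listed above. The status keywords are GnuPG's; the two streams are constructed, and the assumption that a section's GOODSIG/VALIDSIG lines follow its own PLAINTEXT line is mine.

```python
STATUS_PREFIX = "[GNUPG:] "


def parse_status_lines(status_text):
    """Yield (keyword, arguments) from a gpg --status-fd stream. Lines without the
    [GNUPG:] prefix (human-readable stderr, or plaintext if fds were mixed) are ignored."""
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            yield keyword, args


def naive_check(status_text):
    """What a broken helper effectively does: a GOODSIG anywhere lights up the icon."""
    return any(keyword == "GOODSIG" for keyword, _ in parse_status_lines(status_text))


def assess_sections(status_text):
    """Track each plaintext section on its own. A section begins at PLAINTEXT, and the
    GOODSIG/VALIDSIG (or BADSIG/ERRSIG) lines that follow are taken to belong to it
    (assumed ordering). Only a message with exactly one section, carrying a valid
    signature, is reported as trusted; any extra section is where injected data lives."""
    sections = []
    for keyword, _ in parse_status_lines(status_text):
        if keyword == "PLAINTEXT":
            sections.append({"good": False, "bad": False})
        elif keyword == "VALIDSIG" and sections:
            sections[-1]["good"] = True
        elif keyword in ("BADSIG", "ERRSIG") and sections:
            sections[-1]["bad"] = True
    signed = sum(1 for s in sections if s["good"] and not s["bad"])
    return {"sections": len(sections), "signed": signed,
            "trusted": len(sections) == 1 and signed == 1}


# Constructed sample streams; key id, fingerprint, timestamps and user id are placeholders.
GENUINE = """\
[GNUPG:] PLAINTEXT 62 1173000000 message.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.com>
[GNUPG:] VALIDSIG 00000000000000000000000000000000ABCDEF00 2007-03-06 1173000000
"""

# Same signature, but an unsigned section was smuggled in ahead of the signed one.
INJECTED = """\
[GNUPG:] PLAINTEXT 62 1173000000 message.txt
[GNUPG:] PLAINTEXT 62 1173000000 message.txt
[GNUPG:] GOODSIG 0123456789ABCDEF Example User <user@example.com>
[GNUPG:] VALIDSIG 00000000000000000000000000000000ABCDEF00 2007-03-06 1173000000
"""
```

The naive check passes both streams; the per-section check trusts only the first, which is the distinction the helpers above failed to draw.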

3.07.2007

Check Point SecurePlatform Hardware Compatibility

Check Point's SecurePlatform (SPLAT) and hardware do not always play nicely together. In the past, I have experienced many issues with SPLAT not supporting newer system hardware. I have bumped my head on the unsupported network interface card many times. The following link is their official hardware compatibility page. However, I just recently discovered they have released a SecurePlatform hardware compatibility testing tool. It's somewhat useful if you have the hardware available, but then again, if you've got the hardware, why not just try a SPLAT install? It could be handy if you don't want to blow away the current system. *Shrug* I guess it's a step in the right direction.

2.24.2007

New Checkpoint UTM appliance is on Crossbeam! w00t!

Finally, Check Point has come out with some good news! Their new small to medium business appliance is on Crossbeam hardware. The appliance follows the all-in-one trend most security companies are following. The list of features includes: Firewall, Web Application Firewall (isn't this included in firewall? lol), VoIP security, SSL VPN connectivity, anti-spyware, URL filtering, and IM/P2P blocking. I haven't seen the pricing yet, but I'm hearing it's not cheap. I'm going to try and get my hands on one so that I can write a proper review. A little birdie told me that 5 SSL VPN user licenses are included. Finally, Check Point's marketing team is doing something right.

Check Point / CrossBeam UTM Appliance

2.20.2007

Packet Sniffing 101 with Pcap

This is a good article on packet sniffing, and it has some example uses of Net::Pcap in Perl.

Reliable Packet Dissection and Sniffing

2.16.2007

Fingerprint authentication on latest Toshiba Smart Phones

Toshiba isn't really known for bleeding edge cell phones. However, they have recently made a major leap towards a more secure cell phone. I think this is cool and I expect more cell phones to follow. Supposedly, this is the year for mobile device security. There has been mobile device encryption out for some time from companies like PointSec. Also, two-factor authentication has been around for mobiles from the likes of RSA and others. I bet that Paris Hilton and other celebs wish that they had this technology back when their phones got jacked.

Fingerprint authentication on latest Toshiba Smart Phones

2.14.2007

People are still using telnet?

Apparently, there are people out there still using telnet. If that's not bad enough, recently a nasty zero day vulnerability in the telnet daemon of Solaris 10 & 11 was discovered. Nowadays, almost everything has SSH support so there is no excuse to be using telnet. I really don't think telnet is a good idea even behind your perimeter line of defense. In my opinion, if something needs a password, then it needs encryption too.

More on the Solaris telnet zero day...