
Wednesday 10 June 2009

Hadopi .. FAIL

There are times when you still want to believe in justice.

It must have been the doing of the guys lying in ambush behind the curtains. Or not.

Monday 1 June 2009

LinkedIn group for Prelude

I've just created a LinkedIn group for Prelude IDS.

All Prelude users are welcome to join the Prelude IDS group to stay in touch with other Prelude users, use the forums, get news etc.

Wednesday 27 May 2009

New Syslog RFCs

Several new RFCs for syslog have been issued in March:

So what are the improvements since the previous RFC (3614), especially in RFC5424 [1]:

  1. In section 5.1, "Minimum Required Transport Mapping":
    All implementations of this specification MUST support a TLS-based transport as described in RFC5425.
    Yay ! So they discovered TLS, that's great. Especially since RFC 5425 supports certificate authentication (section 4.2.1), certificate path validation, fingerprints, etc.
  2. Improved timestamps (Section 6.2.3) with support for milliseconds, time zones and UTC offsets
  3. Section 6.3 describes structured data (name-value pairs)
  4. Section 7: Structured Data IDs
    This allows using an enterprise ID (registered to the IANA) for the structured data elements

However, there is nothing really useful on reliability (resending events, making sure they were delivered, etc.) except the very poor (and useless) section 8.5, which only acknowledges the lack of support :/ Well, Prelude IDS can do that pretty well.

Also, there is nothing on taxonomy, though it may be improved with structured data. However, that would require a good definition of events, formats etc., and given the current state of CEE, which is quite dead (3 mails on the list so far this year), it won't improve .. There is something to be done here.

Notes

[1] Some of the features (like TLS) are already present in good implementations of syslog (like rsyslog).
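As an added example (written for this page, not code from the RFCs, rsyslog or Prelude), here is a small RFC 5424 parser that exercises the three improvements listed above: the timestamp with fractional seconds and UTC offset (section 6.2.3), the STRUCTURED-DATA field with its escaping rules (section 6.3), and the name@enterprise-number form of SD-IDs (section 7). The sample message is constructed; the enterprise number 32473 is the one RFC 5424's own examples use.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not Prelude/rsyslog code: a minimal RFC 5424 message parser.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$',
    re.DOTALL,
)
# Section 6.2.3: RFC 3339 timestamp, optional fraction, 'Z' or +hh:mm offset.
TS_RE = re.compile(
    r'^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})'
    r'(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})$'
)


def parse_timestamp(text):
    """TIMESTAMP -> timezone-aware datetime, or None for the NILVALUE '-'."""
    if text == '-':
        return None
    m = TS_RE.match(text)
    if not m:
        raise ValueError('bad TIMESTAMP: %r' % text)
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int((frac or '0').ljust(6, '0'))       # ".123" -> 123000 microseconds
    if tz == 'Z':
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == '+' else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro,
                    tzinfo=timezone(offset))


def parse_structured_data(text):
    """STRUCTURED-DATA (section 6.3) -> ({sd_id: {param: value}}, rest of line)."""
    if text.startswith('-'):
        return {}, text[1:]
    elements, i = {}, 0
    try:
        while i < len(text) and text[i] == '[':
            i += 1
            j = i
            while text[j] not in ' ]':
                j += 1
            sd_id, params, i = text[i:j], {}, j
            while text[i] == ' ':                   # zero or more SD-PARAMs
                i += 1
                j = text.index('=', i)
                name = text[i:j]
                if text[j + 1] != '"':
                    raise ValueError('PARAM-VALUE must be quoted')
                i, value = j + 2, []
                while text[i] != '"':
                    if text[i] == '\\' and text[i + 1] in '"\\]':
                        i += 1                       # section 6.3.3 escapes: \" \\ \]
                    value.append(text[i])
                    i += 1
                params[name] = ''.join(value)
                i += 1                               # closing quote
            if text[i] != ']':
                raise ValueError('unterminated SD-ELEMENT')
            i += 1
            elements[sd_id] = params
    except IndexError:
        raise ValueError('truncated STRUCTURED-DATA')
    return elements, text[i:]


def private_enterprise_ids(structured_data):
    """SD-IDs of the form name@ENTERPRISE-NUMBER (section 7.2.2) -> {sd_id: number}."""
    return {k: int(k.rsplit('@', 1)[1]) for k in structured_data if '@' in k}


def parse_syslog(line):
    """Split one RFC 5424 message into its header, structured data and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 message')
    pri = int(m.group('pri'))
    sd, rest = parse_structured_data(m.group('rest'))
    msg = rest[1:] if rest.startswith(' ') else rest
    return {
        'facility': pri // 8, 'severity': pri % 8,   # PRI = facility * 8 + severity
        'version': int(m.group('version')),
        'timestamp': parse_timestamp(m.group('ts')),
        'hostname': m.group('host'), 'appname': m.group('app'),
        'procid': m.group('procid'), 'msgid': m.group('msgid'),
        'structured_data': sd,
        'msg': msg or None,
    }


# Constructed sample message (32473 is the example enterprise number used by the RFC).
SAMPLE = ('<34>1 2009-05-27T10:42:03.123+02:00 mail.example.org sshd 2342 ID47 '
          '[exampleSDID@32473 iut="3" eventSource="App \\"v2\\"" eventID="1011"]'
          '[timeQuality tzKnown="1" isSynced="1"] '
          'Accepted publickey for alice from 192.0.2.7 port 51234')

if __name__ == '__main__':
    rec = parse_syslog(SAMPLE)
    print(rec['timestamp'].isoformat(), rec['structured_data'])
    print('enterprise IDs:', private_enterprise_ids(rec['structured_data']))
```

The escape handling is the part worth testing: a collector that stops at the first `"` inside a PARAM-VALUE will split `App \"v2\"` into garbage and misattribute the rest of the line, which is exactly the kind of parsing mistake a log-injection test probes for.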

Wednesday 20 May 2009

New GPG Key

Partly because of the latest theoretical attack against the SHA-1 digest algorithm (details), I created a new GPG key:

sec   4096R/F1393998 2009-05-10
uid                  Pierre Chifflier <chifflier@gmail.com>
uid                  Pierre Chifflier <chifflier@inl.fr>
uid                  Pierre Chifflier <pollux@debian.org>
uid                  pollux <pollux@wzdftpd.net>
uid                  Pierre Chifflier <chifflier@cpe.fr>

It's signed with my old key 0x8D5F40CB, uploaded to keyservers, and will replace my old key.

Sunday 3 May 2009

libnetfilter-{queue,log} bindings release

I just released nfqueue-bindings 0.2 and nflog-bindings 0.1. Despite the different version numbers, the functions are almost the same :)

Here is a short diff since previous version:

Add af_family argument to bind operations (allow IPv6 binds)
Add notes on set_queue_maxlen requiring a kernel >= 2.6.20
bugfix: use queue number when creating queue
bugfix: really link Perl binding to Perl library 
Fix cmake warning

Get them on nfqueue-bindings and nflog-bindings.

Tuesday 14 April 2009

To each their own priorities

A post in French, for once.

In these times, individual liberties are being sacrificed in the name of the interests of a few decrepit and ageing majors, in order to hand private companies the right to deliver quick judgements, calling into question along the way the principle of presumed innocence. As understandable as the idea of limiting illegal downloading is, throwing out stupid laws is much less so (some would even say that a certain minister's IQ is comparable to Homer Simpson's ..).

hadopi[1]

The CNIL was, moreover, excluded, thanks to the chair of the session !

The UMP has once again illustrated that in their world money comes before everything, by postponing a bill on incest in order to have hadopi voted on again.

The conclusion of UMP deputy Arlette Grosskost, co-signatory of this bill, is appalling: "I think there are priorities after all, but what can you do…"

Indeed, what more could one ask ..

Notes

[1] no, the wifi next door

Friday 6 February 2009

Vulnerabilities (phpbb, squirrelmail)

Just after the phpbb website was compromised (see the detailed explanation on this blog), another big problem just appeared, this time on squirrelmail:

SECURITY: Plugins Security Alert
Feb 05, 2009 by Paul Lesniewski
We are sorry to announce that we've had a security breach with our plugins system. An attacker uploaded at least
four modified plugin packages, which we have since rectified. If you have downloaded any of the following
plugins since January 17, 2009, you should immediately replace them (download them again):
AnnotateMore Server and Mailbox Annotations version 0.2
CAPTCHA version 1.1
Change LDAP Password version 2.2
Sieve Mail Filters version 1.9.7

ouch ! Squirrelmail does not give many details on the impact, but given that these plugins can touch passwords, that can be very bad ...

Tuesday 30 December 2008

Creating a rogue CA certificate

A nice presentation was given today at CCC, entitled MD5 considered harmful today: Creating a rogue CA certificate.

It explains that, despite having been broken for several years, MD5 is still used by some important CAs. Using this attack, they were able to generate a rogue CA certificate, and so were able to issue certificates which are marked as trusted by all browsers. As a result, the security of some websites like banks or e-commerce could be severely compromised !

So it seems that, unlike people promising the end of the world (like Dan Kaminsky at BlackHat 2008, Kris Kaspersky at HITB, and Robert E. Lee and Jack C. Louis at T2 and Sec-T), this one could really lead to some serious consequences.

Congrats to them !

Solutions:

  • Ban MD5 and such certificates (like those issued by RapidSSL, even in 2008)
  • For CA implementations, randomizing the serial numbers of issued certificates could help mitigate the problem
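Both points above can be checked in code. The following is an added example (not code from the presentation or from any CA): a tiny DER walker that reads the signatureAlgorithm of a certificate, so that MD5-signed certificates (and, given what followed, SHA-1-signed ones) in a chain can be flagged, plus the random serial number from the second point. The certificates it runs on are constructed stand-ins with only the outer RFC 5280 layout (tbsCertificate, signatureAlgorithm, signatureValue); the OID table, the `fake_certificate` builder and the 64-bit serial size are assumptions of this example.

```python
import secrets

# Added example: DER reader for Certificate.signatureAlgorithm (RFC 5280, 4.1.1.2).
SIGNATURE_OIDS = {                      # short table, enough for this check
    '1.2.840.113549.1.1.4': 'md5WithRSAEncryption',
    '1.2.840.113549.1.1.5': 'sha1WithRSAEncryption',
    '1.2.840.113549.1.1.11': 'sha256WithRSAEncryption',
    '1.2.840.10045.4.3.2': 'ecdsa-with-SHA256',
}
WEAK_DIGESTS = ('md5', 'sha1')


def _read_tlv(data, pos=0):
    """One DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], 'big'), pos + n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """The TLVs contained in a SEQUENCE value, in order."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                      # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return '.'.join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Dotted OID of the algorithm the issuer signed this certificate with."""
    tag, cert, _ = _read_tlv(cert_der)
    parts = _children(cert)                 # [tbsCertificate, signatureAlgorithm, signatureValue]
    if tag != 0x30 or len(parts) != 3:
        raise ValueError('not a Certificate SEQUENCE')
    oid_tag, oid = _children(parts[1][1])[0]
    if oid_tag != 0x06:
        raise ValueError('AlgorithmIdentifier does not start with an OID')
    return decode_oid(oid)


def classify(cert_der):
    """-> (algorithm name, or the OID if unknown; 'weak' | 'ok' | 'unknown')."""
    oid = signature_algorithm(cert_der)
    name = SIGNATURE_OIDS.get(oid)
    if name is None:
        return oid, 'unknown'
    weak = any(name.lower().startswith(d) for d in WEAK_DIGESTS)
    return name, 'weak' if weak else 'ok'


def random_serial(bits=64):
    """Second mitigation: an unpredictable, non-zero serial (64 bits assumed here)."""
    return secrets.randbits(bits) | 1


# --- builders for the constructed test certificates (only the outer layout is real) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(raw)]) + raw + body


def _der_int(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, 'big'))  # extra bit keeps it positive


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split('.')]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def fake_certificate(sig_oid, serial):
    """Constructed, unsigned stand-in: tbs holds only a serial and the AlgorithmIdentifier."""
    alg_id = _tlv(0x30, encode_oid(sig_oid) + _tlv(0x05, b''))
    tbs = _tlv(0x30, _der_int(serial) + alg_id)
    return _tlv(0x30, tbs + alg_id + _tlv(0x03, b'\x00' + b'\xab' * 4))


if __name__ == '__main__':
    print(classify(fake_certificate('1.2.840.113549.1.1.4', 1)))      # ('md5WithRSAEncryption', 'weak')
    print(classify(fake_certificate('1.2.840.113549.1.1.11', random_serial())))
```

On a real DER file the same `classify(open(path, 'rb').read())` call works, since only the outer three-element SEQUENCE is inspected; anything not in the table is reported as `unknown` rather than silently accepted.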

Friday 26 December 2008

Restoring data from raid + lvm disks

If you are, like me, using this kind of layout for your disks:

disks => raid1 => lvm (encrypted or not) => partitions => filesystems

(Remember never to use XFS with this layout, unless you want to be sure to lose data - XFS still has problems with the 4k stack. Also, do not use XFS if you are not using a power supply. Oh, well, remember not to use XFS at all ...)

This setup should keep your data safe if one of the disks crashes. Good ! But what happens if you want to take one of the disks and mount it elsewhere (for ex. with an external USB converter) ? You have to re-create the FS stack manually, which can be quite tricky, so I post the commands here:

0 - find your disk partitions layout

# fdisk -l /dev/sdb
Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1         122      979933+  fd  Linux raid autodetect
/dev/sdb2             123       14946   119073780   fd  Linux raid autodetect

1 - Create a (degraded) raid array

# mdadm --assemble --run /dev/md0 /dev/sdb2
mdadm: /dev/md0 has been started with 1 drive (out of 2).

2 - Scan and create the LVM volume group

 # lvmdiskscan |grep md
 /dev/md0   [      113.56 GB] LVM physical volume
 # vgscan
 Reading all physical volumes.  This may take a while...
 Found volume group "raid1" using metadata type lvm2
 # lvscan |grep raid1
 inactive          '/dev/raid1/root' [20.00 GB] inherit
 inactive          '/dev/raid1/opt' [15.00 GB] inherit
 inactive          '/dev/raid1/pollux' [78.55 GB] inherit

Before the volume group can be used, it has to be activated.

 # vgchange raid1 -a y
 3 logical volume(s) in volume group "raid1" now active

If one of the volumes is encrypted, you have to open it with cryptsetup (the device comes first, then the name of the mapping to create):

 # cryptsetup luksOpen /dev/raid1/pollux pcrypt

3 - mount volumes

 mount /dev/raid1/root /mnt

x - clean up the mess

It's better to close the crypt, lvm, and raid devices properly before removing the disk.

 # umount /mnt
 # cryptsetup luksClose pcrypt
 # vgchange raid1 -a n
 0 logical volume(s) in volume group "raid1" now active
 # mdadm --stop /dev/md0
 mdadm: stopped /dev/md0
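The same four steps with the teardown wired to them, as an added example (Python, not part of the post): if a step fails halfway (a wrong passphrase at luksOpen, say), the md and LVM devices that already came up are released again in reverse order instead of being left half-assembled on a machine the disk does not belong to. The array member, VG, LV, mapping name and mount point are arguments; the default runner shells out to the commands above and needs root, while `RecordingRunner` only records them (dry run and test). Mounting read-only is a choice of this example, not of the post.

```python
import subprocess

MD_DEVICE = '/dev/md0'                                   # as in the post


def stack_up_commands(member, vg, lv, mapper, mountpoint):
    """The four steps of the post, bottom to top: raid -> LVM -> LUKS -> mount."""
    return [
        ['mdadm', '--assemble', '--run', MD_DEVICE, member],            # degraded array, one drive
        ['vgchange', '-a', 'y', vg],
        ['cryptsetup', 'luksOpen', '/dev/%s/%s' % (vg, lv), mapper],   # device first, then name
        ['mount', '-o', 'ro', '/dev/mapper/%s' % mapper, mountpoint],  # read-only: this example's choice
    ]


def stack_down_commands(vg, mapper, mountpoint):
    """Exact reverse order, so every layer is released before the one below it."""
    return [
        ['umount', mountpoint],
        ['cryptsetup', 'luksClose', mapper],
        ['vgchange', '-a', 'n', vg],
        ['mdadm', '--stop', MD_DEVICE],
    ]


def run_command(cmd):
    """Real runner: needs root; raises CalledProcessError on a non-zero exit."""
    subprocess.run(cmd, check=True)


class RecordingRunner:
    """Dry-run / test runner: records commands, optionally fails at one index."""
    def __init__(self, fail_at=None):
        self.calls, self.fail_at = [], fail_at

    def __call__(self, cmd):
        self.calls.append(' '.join(cmd))
        if self.fail_at is not None and len(self.calls) - 1 == self.fail_at:
            raise subprocess.CalledProcessError(1, cmd)


def bring_up(member, vg, lv, mapper, mountpoint, runner=run_command):
    """Run the up steps; on failure undo the completed ones in reverse.
    Returns (ok, log) where log is every command that was attempted."""
    ups = stack_up_commands(member, vg, lv, mapper, mountpoint)
    downs = stack_down_commands(vg, mapper, mountpoint)
    log, done = [], 0
    try:
        for cmd in ups:
            log.append(' '.join(cmd))
            runner(cmd)
            done += 1
        return True, log
    except subprocess.CalledProcessError:
        for cmd in downs[len(downs) - done:]:       # only undo what actually came up
            log.append(' '.join(cmd))
            try:
                runner(cmd)
            except subprocess.CalledProcessError:
                pass                                 # best effort; keep releasing the rest
        return False, log


def tear_down(vg, mapper, mountpoint, runner=run_command):
    """Step x of the post: unmount, close the crypt, deactivate the VG, stop the array."""
    log = []
    for cmd in stack_down_commands(vg, mapper, mountpoint):
        log.append(' '.join(cmd))
        runner(cmd)
    return log


if __name__ == '__main__':
    # Dry run with the post's names: prints the plan without touching any device.
    ok, log = bring_up('/dev/sdb2', 'raid1', 'pollux', 'pcrypt', '/mnt',
                       runner=RecordingRunner())
    print('\n'.join(log))
```

To run it for real, pass no runner (or `runner=run_command`) from a root shell; `/dev/md0` is hard-coded as in the post, so pick another name in `MD_DEVICE` if the host already has an md0.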

Happy Christmas, Hanukkah, Kwanzaa, Solstice, Insert-Favorite-Holiday, whatever !

Wednesday 3 December 2008

ulogd2: the new userspace logging daemon for netfilter/iptables (part 3)

Installation

If you've followed the previous article, you now have a working ulogd2 installation. We will now explore the way data are stored in the database, and the default SQL schema provided with ulogd2.

SQL schema, basics

The SQL schema ? Not really, only the default one. Ulogd2 uses stored procedures and views to create an abstraction layer between the C code and the real storage of the data (the tables in the SQL database). The basics are the following:

Inserting data using the "INSERT" keyword is fast, but requires the application to know the SQL schema. An update of the SQL part will need an update of the C code, which is not very handy. So instead of using:

INSERT INTO tablename (field1,field2,...) VALUES (1,2,...);

We will create a stored procedure (in this example, we use PostgreSQL PL/pgSQL syntax):

CREATE OR REPLACE FUNCTION INSERT_PACKET_FULL(
               IN value1 integer,
               IN value2 integer,
               ...)
RETURNS bigint AS $$
DECLARE
       t_id bigint;
BEGIN
       -- the new row's id is captured with RETURNING ... INTO
       INSERT INTO tablename (field1,field2,...) VALUES ($1,$2,...)
               RETURNING _id INTO t_id;
       RETURN t_id;
END
$$ LANGUAGE plpgsql SECURITY INVOKER;

Inserting data can now be done, using:

SELECT INSERT_PACKET_FULL(1,2,3,...);

So, we have succeeded into transforming a fast and single (and simple) query into something slower and more complex, great. But why ?

Pros:

  • C and SQL code independence: now we can change the SQL part without updating the C code
  • The SQL schema can be specific to the database used, and use the specific data types. For ex., PostgreSQL provides native support for IP and MAC addresses (using the inet and macaddr types) while MySQL does not, so we used binary types.
  • SQL schema is easy to extend for specific needs or applications: you just need to add a new table, linked to the main table using the unique ID of the packet. This won't affect ulogd2.
  • Retrieving data is also easier for applications (like NuLog), since the schema is hidden behind views (or stored procedures).
  • You have a finer control on what is done with the data

Cons:

  • Slower
  • Harder to read
  • Some databases do not have stored procedures (for ex. sqlite)

Default SQL schema (many tables)

Unlike the first version of ulogd, the default SQL schema provided with ulogd2 splits the data from the packets into several tables, each table containing data for a protocol. There are tables for IP (common fields for all packets), TCP, UDP, ICMP, ICMPv6, and since recently, SCTP. MAC addresses are also stored in a different table.

Global picture:

This provides a "cleaner" SQL schema than the "all-in-one-table" from the previous version, but at the cost of performance: each new packet will cause several insertions into different tables, and retrieving data will require fetching data from several tables (using JOINs). It is, however, more space-efficient, since less data is stored (for ex, the MAC address is stored only once, and identified by a unique ID in the main table).

There are several views provided with this schema:

Each view is defined to fetch data from several tables:

CREATE OR REPLACE VIEW view_tcp AS
       SELECT * FROM ulog2 INNER JOIN tcp ON ulog2._id = tcp._tcp_id;

Even the "big" table ulog is a view, combining data from all tables:

CREATE OR REPLACE VIEW ulog AS
       SELECT _id,
       oob_time_sec,
       ...
       FROM ulog2 LEFT JOIN tcp ON ulog2._id = tcp._tcp_id LEFT JOIN udp ON ulog2._id = udp._udp_id
               LEFT JOIN icmp ON ulog2._id = icmp._icmp_id
               LEFT JOIN mac ON ulog2.mac_id = mac._mac_id
               LEFT JOIN hwhdr ON ulog2._id = hwhdr._hw_id
               LEFT JOIN icmpv6 ON ulog2._id = icmpv6._icmpv6_id;

This way, the application can quickly know, for ex, which TCP destination ports are in use and the number of packets sent to each of them:

SELECT tcp_dport,count(*) from view_tcp GROUP BY view_tcp.tcp_dport;
  tcp_dport | count
  ----------+-------
         80 |    39
        443 |     2

This schema should be used when your insertion rate is not too high (you are not CPU-bound).

Flat SQL schema

The default schema will work for most installations. However, if you are logging data on a fast link, you may have performance problems. Assuming the problems come from the CPU, one solution is to change the SQL schema to a flat one (all in one table).

The flat schema is not yet written, but will shortly be submitted to ulogd2.

Please note that if the performance problem does not come from the CPU, it is very likely to come from the disks performance, in this case you will have to do some DB optimizations ...

Supported databases

Currently supported databases are MySQL and PostgreSQL. sqlite does not work, since it does not support stored procedures.

I have also recently submitted a new output plugin using the libdbi database abstraction layer, which brings support for Firebird, FreeTDS (MS-SQL and Sybase), Ingres, and Oracle. It also supports MySQL and PostgreSQL, but there are specific plugins for those 2.

The DBI plugin is not designed to replace all other plugins, since it can't use the DB-specific API, for ex the asynchronous API for PostgreSQL.

That's all for the database overview ! Now let's just hope that the (in)famous user "OR DROP DATABASE ulog; --" does not try to log anything ;)
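As an added example (not ulogd2's own schema or code), the many-table layout described above, cut down to ulog2, mac, tcp and udp with the view_tcp/view_udp views and the "big" ulog view, on sqlite. Since sqlite has no stored procedures, INSERT_PACKET_FULL becomes a Python function doing the same work: one insert per table, all values bound as parameters, inside one transaction. The traffic it loads is constructed; the last packet carries a hostile string in the MAC field to show that bound parameters store the (in)famous user's input literally instead of executing it.

```python
import sqlite3

# Added example: cut-down ulogd2-style schema on sqlite (no stored procedures).
SCHEMA = """
CREATE TABLE mac (
    _mac_id   INTEGER PRIMARY KEY,
    mac_saddr TEXT NOT NULL,
    mac_daddr TEXT NOT NULL,
    UNIQUE (mac_saddr, mac_daddr)          -- each address pair is stored once
);
CREATE TABLE ulog2 (
    _id          INTEGER PRIMARY KEY,
    oob_time_sec INTEGER,
    ip_saddr     TEXT, ip_daddr TEXT, ip_protocol INTEGER,
    mac_id       INTEGER REFERENCES mac(_mac_id)
);
CREATE TABLE tcp (_tcp_id INTEGER PRIMARY KEY REFERENCES ulog2(_id),
                  tcp_sport INTEGER, tcp_dport INTEGER);
CREATE TABLE udp (_udp_id INTEGER PRIMARY KEY REFERENCES ulog2(_id),
                  udp_sport INTEGER, udp_dport INTEGER);
CREATE VIEW view_tcp AS SELECT * FROM ulog2 INNER JOIN tcp ON ulog2._id = tcp._tcp_id;
CREATE VIEW view_udp AS SELECT * FROM ulog2 INNER JOIN udp ON ulog2._id = udp._udp_id;
CREATE VIEW ulog AS                         -- the "big table" as a view, as in the post
    SELECT ulog2.*, mac.mac_saddr, mac.mac_daddr,
           tcp.tcp_sport, tcp.tcp_dport, udp.udp_sport, udp.udp_dport
    FROM ulog2 LEFT JOIN mac ON ulog2.mac_id = mac._mac_id
               LEFT JOIN tcp ON ulog2._id = tcp._tcp_id
               LEFT JOIN udp ON ulog2._id = udp._udp_id;
"""
VIEWS_AND_TABLES = ('mac', 'ulog2', 'tcp', 'udp', 'view_tcp', 'view_udp', 'ulog')


def open_db(path=':memory:'):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def insert_packet_full(conn, pkt):
    """Stand-in for INSERT_PACKET_FULL: per-table inserts, bound parameters, one transaction."""
    with conn:                                          # commit, or roll back on error
        conn.execute("INSERT OR IGNORE INTO mac (mac_saddr, mac_daddr) VALUES (?, ?)",
                     (pkt['mac_saddr'], pkt['mac_daddr']))
        mac_id = conn.execute("SELECT _mac_id FROM mac WHERE mac_saddr = ? AND mac_daddr = ?",
                              (pkt['mac_saddr'], pkt['mac_daddr'])).fetchone()[0]
        cur = conn.execute(
            "INSERT INTO ulog2 (oob_time_sec, ip_saddr, ip_daddr, ip_protocol, mac_id) "
            "VALUES (?, ?, ?, ?, ?)",
            (pkt['oob_time_sec'], pkt['ip_saddr'], pkt['ip_daddr'], pkt['ip_protocol'], mac_id))
        pid = cur.lastrowid                             # the unique packet id linking the tables
        if pkt['ip_protocol'] == 6:
            conn.execute("INSERT INTO tcp VALUES (?, ?, ?)", (pid, pkt['sport'], pkt['dport']))
        elif pkt['ip_protocol'] == 17:
            conn.execute("INSERT INTO udp VALUES (?, ?, ?)", (pid, pkt['sport'], pkt['dport']))
    return pid


def tcp_dport_histogram(conn):
    """The post's query: destination ports in use and packets per port."""
    return conn.execute("SELECT tcp_dport, count(*) FROM view_tcp "
                        "GROUP BY tcp_dport ORDER BY count(*) DESC, tcp_dport").fetchall()


def count_rows(conn, name):
    if name not in VIEWS_AND_TABLES:                    # identifiers cannot be bound: whitelist them
        raise ValueError(name)
    return conn.execute('SELECT count(*) FROM %s' % name).fetchone()[0]


def _pkt(t, proto, sport, dport, saddr='192.0.2.10', mac_saddr='00:11:22:33:44:55'):
    return dict(oob_time_sec=1228300000 + t, ip_saddr=saddr, ip_daddr='198.51.100.5',
                ip_protocol=proto, sport=sport, dport=dport,
                mac_saddr=mac_saddr, mac_daddr='66:77:88:99:aa:bb')


# Constructed sample traffic; the last packet's MAC field is a hostile string.
SAMPLE_PACKETS = [_pkt(i, 6, 40000 + i, 80) for i in range(3)] + [
    _pkt(10, 6, 40010, 443),
    _pkt(11, 17, 5353, 53),
    _pkt(12, 6, 1234, 80, saddr='192.0.2.66', mac_saddr="' OR DROP DATABASE ulog; --"),
]


def build_sample_db():
    conn = open_db()
    for pkt in SAMPLE_PACKETS:
        insert_packet_full(conn, pkt)
    return conn


if __name__ == '__main__':
    db = build_sample_db()
    for dport, n in tcp_dport_histogram(db):
        print('%6d | %d' % (dport, n))
```

The `mac` table ends up with two rows for six packets, which is the space saving the post describes, and every read goes through a view, so the per-protocol tables can change without touching the calling code.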


Tuesday 11 November 2008

Captive Portals are BAD !

Captive portals almost always work by validating the IP address of the client, and often the MAC address. This creates a false sense of security, because it is quite easy to bypass. Let's explain the most common problem: spoofing.

Installing a captive portal

I have chosen to install Alcasar, which claims to be a highly secure solution developed by the French Ministry of Defense.

First surprise, it's a shell script ! In fact, it's not really an application, only an installer for a few packages, with some configuration. Installation went pretty badly:

  • the installer only works for a specific version of Mandriva (2007), which is quite old, and buggy on my hardware
  • most things are hardcoded: the installer blew up without errors because my network address does not end in 0 (10.0.0.129/25)
  • my third network card is not even used by the script ! Too bad for the DMZ

After 4 or 5 retries, and modifications in the script, I finally got a working server.

First tests

After a reboot, everything seems to work. I got an address using DHCP and tried to connect to Google .. ok, the captive portal appears and asks for a login. With the administration interface, I create a user, log in, and it then tries to redirect me to the site, good. Except that the connection is never made ! After searching everywhere, I decided to use ssh to debug the problem on the server. After a few strace commands, I found that squid was trying to connect to the wrong host ! Yet another bug in the installer ...

After fixing a few more bugs, I finally succeed to use the captive portal.

Administration interface

The administration interface is nothing more than a user editor (it uses its own user database), and a few statistics tools like AWStats and Firewall Eyes. Ouch, a log analyzer ! This means you won't be able to make complicated searches, and I have serious doubts about its ability to parse big log files.

The captive portal software itself is Chillispot, which is quite good but appears to be unmaintained (no release since 2 years).

The log analysis tools are very poor, not to say rudimentary. There is no easy way to find which user was connected on a host at a specific date, you have to dig yourself through several poor interfaces, connecting to the server and using grep is much more efficient !

Rules

Yet another surprise: there is no way to create rules specifying which protocols are authorized. I was assuming that only HTTP and HTTPS were allowed, but in fact once you are logged in everything is open. No tools are provided, so you have to know iptables well :)

Confidentiality

Alcasar generates a self-signed certificate and uses HTTPS connections for login. This has to be treated seriously, because the certificate is self-signed, so it will be quite easy to generate another self-signed certificate with the same parameters to make a man-in-the-middle attack: most people will only look at the certificate and then validate it without questions ....

Strict security ?

Alcasar is developed by serious guys, and claims to comply with French law. It also claims to authenticate users and identify them strictly, and that this information could be used by the police. Scary.

I decided to run a very simple test, to check whether Alcasar would resist IP or MAC spoofing. I connected 2 laptops to the network, and logged in on one of them. The following steps are very easy. On the laptop that is not logged in:

  • start wireshark, and listen passively to get the IP and MAC address of the host. In a few seconds, I got them

  • change my IP and MAC addresses

In fact, you do not have to run the first and third commands: only change the MAC address and launch the DHCP client. You'll get the same IP address as the real host, and the gateway will be configured.

  • connect to a site:

Here you are ! In one command, you are connected !

Note: it is illegal to bypass a security protection. The commands here are provided for educational purposes only, do not use them or you could be prosecuted. However, the commands explained here are so easy a child could use them, so you have to know them and to defend.

Am I caught ?

Alcasar hasn't seen the intrusion :) In fact, the problem is worse: I am logged in with the identity of the other user, meaning that my actions will be logged under his name ! As there are no iptables rules by default, I was able to connect to an SSH server outside without problems.

Conclusion

Alcasar is only a set of scripts and configuration files based on other software. As for other captive portals, it is vulnerable to very simple attacks. The situation would not be as bad if Alcasar was not trying to present itself as a strict security solution. I would really be scared if my company was using a captive portal to handle internet access, because it gives a false feeling of security, can be bypassed very easily, and because of that, its logs cannot be used as legal stuff : no serious judge would take into account a solution which can be bypassed in a few seconds.

Captive portals like Alcasar provide weak protection against attacks. If you want strict authentication of users, and protection against IP or ARP spoofing, use NuFW, it's free (as in free beer) and free (GPL).

Thursday 6 November 2008

xtables-addons accepted in Debian

Xtables-addons is a project developed by Jan Engelhardt to replace the old patch-o-matic repository for the Linux kernel and iptables. Instead of patching the kernel source, extensions are built as modules and thus allow extending kernels without recompilation.

I have created a Debian package, split in two parts: xtables-addons-source (the sources of the kernel modules), and xtables-addons-common (common files: shared libraries, man pages, binaries).

To install xtables-addons on Debian (sid only, but the package works on Lenny after a rebuild), run the following commands:

apt-get install module-assistant xtables-addons-source
module-assistant prepare
module-assistant auto-install xtables-addons-source

It will automatically install the headers for your kernel, build the modules, create a local package, and install it. What's interesting is that, unlike before (using p-o-m or kernel patches), there is no need to reboot.

It adds new targets for iptables:

  • CHAOS: randomly use REJECT, DELUDE or TARPIT targets. This will fool network scanners by returning random results
  • DELUDE: always reply to a SYN by a SYN-ACK. This will fool TCP half-open discovery
  • DHCPADDR: replace a MAC address from and to a VMware host
  • IPMARK: mark a packet, based on its IP address
  • LOGMARK: log packet and mark to syslog
  • SYSRQ: trigger a sysrq over the network (sending a SAK over the network looks like a really funny idea ;)
  • TARPIT: try to slow down (or DoS) remote host by capturing the session and holding it for a long time, using a 0-bytes TCP window. Run that on port 25 if you have no mail server to slow down spammers ;)

There's also a list of new matches modules for iptables:

  • condition: match on boolean value stored in /proc/net/nf_condition/name
  • dhcpaddr: match the DHCP Client Host address in a DHCP message
  • fuzzy: match a rate limit based on a fuzzy logic controller
  • geoip: match a packet by its source or destination country
  • ipp2p: match (certain) p2p protocols
  • portscan: try to match port scanners based on packet contents
  • quota2: named counters

It also provides a version of ipset, a framework to manage sets of IP addresses efficiently in iptables rules.

Wednesday 5 November 2008

Git rocks

No news here, this post is mostly a note for myself, to remember some commands for git:

Creating a repository to be shared between several hosts (with an existing project)

On the server:

mkdir project.git
cd project.git
git --bare init

On the remote host:

cd project
git init
git remote add origin ssh://server/var/git/project
git config branch.master.remote origin
git config branch.master.merge refs/heads/master

Now you can make the first commit:

git add .
git commit -m "First commit"
git push

Fix a mistake in a previous commit

  1. Save your work so far.
  2. Stash your changes away for now: git stash
  3. Now your working copy is clean at the state of your last commit.
  4. Make the fixes. (If you just want to change the log, skip this step.)
  5. Commit the changes in “amend” mode: git commit --all --amend
  6. Your editor will come up asking for a log message (by default, the old log message). Save and quit the editor when you’re happy with it.
  7. The new changes are added on to the old commit. See for yourself with git log and git diff HEAD^
  8. Re-apply your stashed changes: git stash apply
  9. Continue happily with your life.

I'm a happy git user, it really rocks.

Sunday 19 October 2008

Materials for CanSecWest 2008

These talks have probably been online for a while, but as most of them are really interesting, have a look at the CanSecWest 2008 conference materials:

Globally, there were many talks on fuzzers, some interesting work on cold boot attacks, a confirmation that anti-virus products are also vulnerable, and a very nice presentation from the CCC guys on how to "disassemble" an RFID chip :) I also liked the last presentation, which was not really about security stuff, but more about how software could help determine the character and the pathologies of a guy from his writings. Scary !

One bad point, though: commercial presentations with no real contents. VMWare folks, for ex., coming to say "hey, we have the best security API, we can monitor stuff from the VMX server" etc., that's cool. But when someone asks to see the code, or how to use the API, the answer was "well, eeeh. We can't show you, but it's cool, believe us".

Congrats, and thanks, to Dragos for keeping this conference high-quality over years.

Friday 19 September 2008

Netfilter workshop 2008 in Paris

The next edition of the Netfilter Workshop will take place in Paris, France, from September 29th to October 3rd, 2008.

The first day is open to everyone, and the program is now online.

There will be many interesting presentations, and I will give a presentation of nfqueue-bindings and the weatherwall, a firewall based on the weather of the location of the destination of the packets, and ulogd2 along with Eric.

Entry is free but a registration is asked. Please fill in the registration form.

See you there !