1. gcc security features (part 2)

    (See part 1)

    Remember: you must compile with -O2 if you want the checks to be effective

    DEB_BUILD_HARDENING_FORTIFY (gcc/g++ -D_FORTIFY_SOURCE=2)

    The idea behind FORTIFY_SOURCE is relatively simple: there are cases where the compiler knows the size of a buffer (a fixed-size buffer on the stack, as in the example below, or a buffer that just came from a malloc() call). With a known buffer size, calls to functions that operate on the buffer (strcpy, memcpy, sprintf, ...) can be replaced by checked variants that make sure the buffer will not overflow.

    Example:

    #include <string.h>

    /* deliberately vulnerable: no bound on the copy into the 20-byte buffer */
    void foo(char *string)
    {
        char buf[20];
        strcpy(buf, string);
    }
    

    Without the hardening, execution simply crashes:

    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    zsh: segmentation fault  ./bad $(perl -e 'print "A"x100')
    

    When compiling with -D_FORTIFY_SOURCE=2, gcc replaces the strcpy() call with a checked variant that detects the overflow at runtime and terminates the program:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    
    *** buffer overflow detected ***: ./bad terminated
    ======= Backtrace: =========
    /lib/libc.so.6(__fortify_fail+0x37)[0x2ba8d18fb787]
    /lib/libc.so.6[0x2ba8d18f9e70]
    ./bad(main+0x26)[0x555555554856]
    /lib/libc.so.6(__libc_start_main+0xf4)[0x2ba8d18411c4]
    ./bad[0x555555554789]
    ======= Memory map:  ========
    2ba8d1607000-2ba8d1622000 r-xp 00000000 03:01 468316                     /lib/ld-2.7.so
    2ba8d1622000-2ba8d1625000 rw-p 2ba8d1622000 00:00 0 
    2ba8d1821000-2ba8d1823000 rw-p 0001a000 ...
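    What the inserted check amounts to, as an added example (this is not code from the original post or from glibc): `checked_strcpy` performs the same test that glibc's `__strcpy_chk` performs when gcc rewrites `strcpy(dst, src)` under -D_FORTIFY_SOURCE=2, except that the buffer size is passed explicitly instead of coming from `__builtin_object_size()`, and an overflow is reported as -1 instead of aborting the process. `foo_hardened` is the bounded counterpart of the post's `foo()`, and `try_input` is a hypothetical helper that builds the same kind of input as the `perl -e 'print "A"x100'` one-liner. The `main()` at the end also prints the object sizes gcc can prove, which is what FORTIFY depends on and why the post insists on -O2.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not from the original post or glibc): the check that
 * -D_FORTIFY_SOURCE=2 makes gcc insert when it rewrites strcpy(dst, src)
 * into glibc's __strcpy_chk(dst, src, objsize). Here the buffer size is an
 * explicit parameter; glibc obtains it from __builtin_object_size().
 * Returns 0 on success and -1 where glibc would call __fortify_fail()
 * and abort the process. */
int checked_strcpy(char *dst, size_t dstsz, const char *src)
{
    size_t need = strlen(src) + 1;      /* count the terminating NUL */
    if (need > dstsz)
        return -1;                      /* would overflow: refuse the copy */
    memcpy(dst, src, need);
    return 0;
}

/* Hardened counterpart of the post's foo(): same 20-byte stack buffer,
 * but the copy is bounded and oversized input is rejected explicitly, so
 * the function stays safe even at -O0 or with a compiler where
 * FORTIFY_SOURCE does nothing. Returns the copied length, or -1. */
int foo_hardened(const char *string)
{
    char buf[20];
    if (checked_strcpy(buf, sizeof buf, string) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Hypothetical helper: builds a constructed input of n 'A' characters,
 * like the post's perl -e 'print "A"x100', and feeds it to foo_hardened().
 * Returns foo_hardened()'s result, or -2 on allocation failure. */
int try_input(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return -2;
    memset(s, 'A', n);
    s[n] = '\0';
    int r = foo_hardened(s);
    free(s);
    return r;
}

int main(void)
{
    /* 19 bytes plus the NUL fit in buf[20]; 20 or 100 bytes do not. */
    printf("19 x 'A'  -> %d\n", try_input(19));   /* 19 */
    printf("20 x 'A'  -> %d\n", try_input(20));   /* -1 */
    printf("100 x 'A' -> %d\n", try_input(100));  /* -1 */

#if defined(__GNUC__)
    /* What FORTIFY_SOURCE relies on: the object size the compiler can
     * prove. With gcc -O2 the local array reports 20, while a pointer of
     * unknown provenance (here the result of getenv()) reports (size_t)-1,
     * meaning "unknown": no check is possible for such a buffer, and
     * without optimisation many sizes are unknown, hence the -O2 advice. */
    char local[20];
    const char *unknown = getenv("HOME");
    printf("object size of local array:   %zu\n", __builtin_object_size(local, 0));
    printf("object size of unknown pointer: %zu\n", __builtin_object_size(unknown, 0));
#endif
    return 0;
}
```

    The point of the explicit-size variant is the limitation of FORTIFY_SOURCE: it only protects buffers whose size the compiler can see at the call site. A library function that receives a plain `char *` gets no check at all, so passing the size along (as `foo_hardened` does via `checked_strcpy`) is what covers the remaining cases.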
    read more
  2. BlackHat 2008 materials

    The Black Hat Europe 2008 Media Archives are now online. I wasn’t there, but the archives contain some interesting materials:

    • Spam-Evolution
    • LDAP Injection & Blind LDAP Injection (see my post)
    • New Viral Threats of PDF Language
    • 0-Day Patch -Exposing Vendors (In)Security Performance
    • Client-side Security
    • Attacking Anti-Virus (there was a presentation on the same subject at CanSecWest and Hack.lu)
    • Investigating Individuals and Organizations Using Open Source Intelligence
    • DTRACE: The Reverse Engineer’s Unexpected Swiss Army Knife

    Related links:

    read more
  3. gcc security features (part 1)

    Since recent versions (>= 4.0, maybe earlier), gcc (and ld) have some nice security features. Debian has created a wrapper for the toolchain to make the use of these features easy.

    To install the wrapper, run:

    apt-get install hardening-wrapper
    

    To enable the hardening features, you have to export the environment variable:

    export DEB_BUILD_HARDENING=1
    

    The features include additional checks for printf-like functions, the stack protector, building position-independent executables so that address-space layout randomization (ASLR) applies to them, marking ELF sections as read-only after relocation (RELRO) when possible, etc.

    Please note that you must compile with *-O2* if you want the checks to be effective

    DEB_BUILD_HARDENING_FORMAT (gcc/g++ -Wformat -Wformat-security)

    Ask gcc to make additional checks on format strings, to prevent attacks.

    The following code, for ex:

    printf(buf);
    

    will result in a warning:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    gcc     bad.c   -o bad
    bad.c: In function ‘main’:
    bad.c:10: warning: format not a string literal and no format arguments
    

    Why is this code vulnerable? Because the buffer (buf) could contain conversion specifiers like %s or %x, which printf() will interpret, reading arguments from the stack (an information leak), and with %n it can even write to memory, which can lead to the execution of arbitrary code.

    Solution:

    • Replace previous code by
    printf("%s",buf);
    
    • Remember this ...
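    The fix, and the check gcc is making, as an added example (not code from the original post): `render_user_input` is the hardened form of `printf(buf)`, passing the untrusted string as the argument of a `%s` directive. `log_msg` is a hypothetical logging helper carrying gcc's `format(printf, 3, 4)` attribute, so that -Wformat and -Wformat-security check its callers the same way they check `printf()`. `contains_format_directive` is a hypothetical boundary check for strings that genuinely must reach a format parameter.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post). A small logging helper
 * annotated with gcc's format attribute: -Wformat and -Wformat-security
 * then check its callers exactly as they check printf(), so
 * log_msg(out, sz, buf) with a non-literal buf draws the same warning as
 * printf(buf). Argument 3 is the format; checking starts at argument 4.
 * Returns what vsnprintf() returns. */
__attribute__((format(printf, 3, 4)))
int log_msg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* The hardened form of the post's printf(buf): the untrusted string is an
 * argument to %s, so any '%' it contains is copied literally and never
 * interpreted as a conversion. */
int render_user_input(char *out, size_t outsz, const char *user)
{
    return log_msg(out, outsz, "user said: %s", user);
}

/* Returns 1 if `user` appears verbatim in the rendered output and the
 * length is exactly prefix + strlen(user), i.e. nothing was consumed or
 * expanded as a format directive; 0 otherwise. */
int renders_literally(const char *user)
{
    char out[256];
    const char *prefix = "user said: ";
    int n = render_user_input(out, sizeof out, user);
    if (n < 0 || (size_t)n >= sizeof out)
        return 0;
    return strcmp(out + strlen(prefix), user) == 0
        && (size_t)n == strlen(prefix) + strlen(user);
}

/* Hypothetical boundary check for the case where a string really must
 * reach a format parameter (e.g. it is read from a config file): any '%'
 * that is not the "%%" literal-percent sequence would be parsed as a
 * conversion such as %x (read from the stack) or %n (write to memory).
 * Returns 1 if such a directive is present, 0 otherwise. */
int contains_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {      /* "%%": harmless, skip both characters */
            p++;
            continue;
        }
        return 1;               /* "%x", "%n", "%s", or a dangling '%' */
    }
    return 0;
}

int main(void)
{
    const char *attack = "%x %x %x %n";     /* constructed hostile input */
    char out[256];
    render_user_input(out, sizeof out, attack);
    printf("%s\n", out);                    /* the directives appear as plain text */
    printf("directive present in input: %d\n", contains_format_directive(attack));
    return 0;
}
```

    Annotating your own printf-style wrappers matters because -Wformat-security only knows about the functions it has been told are printf-like; an unannotated `log_msg(buf)` would compile silently.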
    read more
  4. CanSecWest 2008

    [image: cansec]

    Sébastien and I gave a presentation, IDS Correlation: A Weapon of Mass Investigation (slides), at CanSecWest.

    Most of the presentations were very interesting, including attacks against anti-virus software (they are the most interesting targets, imho: they run with system privileges, include parsers for many file formats and protocols, are present on almost all machines, etc.), secure programming with gcc and glibc, Snort 3 (our presentation was just after Marty’s), fuzzing with Peach, and some others I do not remember at the moment.

    We also gave two lightning talks, one on the Authenticating Firewall NuFW (slides here) and one on the Signatures.NU project (slides here).

    [image: cansec_nufw]

    We even won a beer for doing the presentation :)

    After so much work (and eating so much sushi, with delicious wild salmon), we went to Whistler for skiing, which was great.

    [image: whistler]

    Many thanks to all the people from the conference and to all who helped us !

    Some links:

    read more
  5. Prelude quick install

    To install Prelude, the hybrid IDS (or meta-IDS), on Debian in less than ten minutes, just use the packages:

    • install a database (PostgreSQL or MySQL)
    • install the Prelude manager, all needed packages will be installed automatically
    apt-get install prelude-manager
    
    • during the installation, dbconfig will ask to configure the database. Say yes, and give the parameters. dbconfig will create a new user, set a password, create the SQL schema and configure prelude-manager to use it.

    This should be enough for the manager. If sensors on other hosts must reach it, you will have to change the manager's listen address in its configuration (the default is restricted to localhost) so that it listens on the network.

    To add agents (sensors), you have to install the package and register a new profile for each sensor. For example:

    apt-get install prelude-lml
    apt-get install snort
    

    Create a new profile:

    prelude-admin register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0
    ...
    prelude-admin register snort "idmef:w" <manager address> --uid 0 --gid 0
    ...
    

    Follow the instructions for the registration.

    Check the address of the manager in the config (global file is /etc/prelude/default/client.conf):

    server-addr = 192.168.1.1
    

    For a complete installation guide (with explanations) including the web interface Prewikka, look at the Prelude ...

    read more
  6. Conference: OSSIR

    Sébastien and I gave a presentation for OSSIR.

    Subject is: Visualisation appliquée à la détection d’intrusion (which can roughly be translated to "visualization applied to intrusion detection"). The slides can be found on the list of presentation materials.

    The conference was on our work over the past year on intrusion detection, with the proposed implementation of a correlator, some explanations on classifications and current limitations, and how some graphs can help, especially the parallel axes representation.

    [image: idmef-graph]

    read more
  7. fusil_0.7-1_amd64.changes ACCEPTED

    Fusil (http://fusil.hachoir.org) has been accepted into Debian.

    The description:

    Fusil is a fuzzing framework designed to expose bugs in software by
    changing random bits of its input.
    .
    It helps to start process with a prepared environment (limit memory,
    environment variables, redirect stdout, etc.), start network client or
    server, and create mangled files. Fusil has many probes to detect
    program crash: watch process exit code, watch process stdout and syslog
    for text patterns (eg. "segmentation fault"), watch session duration,
    watch cpu usage (process and system load), etc.
    .
    Fusil is based on a modular architecture. It computes a session score
    used to guess fuzzing parameters like number of injected errors to
    input files.
    

    read more
  8. https transport for apt

    Starting from Lenny, apt supports the https transport for apt repositories.

    Before, this would give the error:

    # apt-get update
    E: The method driver /usr/lib/apt/methods/https could not be found.
    

    On Lenny (and unstable), install the apt-transport-https package:

    apt-get install apt-transport-https
    

    And https repositories will now work.

    There is no current backport for Etch on backports.org, because the hack for the transport is quite intrusive and requires some deep modifications in the entire apt code. Maybe another site will propose it?

    Note: it seems there is currently no way to check the certificate or configure trusted certificates. This is a good step towards security anyway, but keep in mind that without certificate checking, TLS only hides the traffic from passive observers; an active attacker can still impersonate the mirror, so the signature on the repository's Release file remains what protects you from tampered packages. Remember: always use trusted repositories (signed with a trusted key; see man apt-key for more information).

    read more
  9. LDAP injections, reflexions

    While searching for some security papers, I’ve been looking for something about LDAP injections.

    Let’s have a look on what OWASP says on their site:

    The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

    There is a problem here: there are some big differences between SQL and LDAP, which lead to differences in security:

    • in SQL, commands and values are expressed in the same input (a string containing a command). Several commands can be specified in one string:
    "SELECT field FROM table WHERE ...; DROP TABLE xx;"
    
    • while in LDAP, the filter contains only filter parameters, in a specific representation (RFC 2254, since replaced by RFC 4515). This representation uses prefix notation (the boolean operator comes before the fields), and each element must be enclosed in parentheses:
    "( & (uid=john.doe) (objectClass=person) )"
    

    OWASP gives some examples, for a filter (cn=%s):

    1. If a user puts “*” on box search, the system may return all the usernames on the LDAP base
    2. If a user puts “jonys) (| (password = * ) )”, it will generate the code below revealing jonys’ password

    What ? One could make an application display the password ?!

    The first line is true: any filter like (uid=*) will return all users having ...
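    The two mechanisms at play in the OWASP examples, escaping and filter structure, as an added example (not code from the original post, from OWASP, or from any LDAP library): `ldap_escape_value` escapes an assertion value the way RFC 4515 (the successor of RFC 2254 cited above) requires, `ldap_filter_wellformed` applies the grammar rule that a filter is exactly one parenthesised element, and `build_cn_filter` builds the `(cn=%s)` filter from the post either by plain interpolation (the vulnerable way) or with the value escaped first. `filter_survives` is a hypothetical helper that combines them for the demonstration; the payload in `main()` is the OWASP string quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post or any LDAP library).
 * Escapes one assertion value for use inside an LDAP search filter as
 * RFC 4515 requires: '*', '(', ')' and '\' become \2a, \28, \29 and \5c.
 * (A NUL would become \00 but cannot occur in a C string.) Returns the
 * length written, or -1 if out is too small. */
int ldap_escape_value(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const char *p = in; *p != '\0'; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '*':  rep = "\\2a"; break;
        case '(':  rep = "\\28"; break;
        case ')':  rep = "\\29"; break;
        case '\\': rep = "\\5c"; break;
        default:   break;
        }
        size_t len = (rep != NULL) ? 3 : 1;
        if (o + len >= outsz)           /* keep room for the NUL */
            return -1;
        if (rep != NULL)
            memcpy(out + o, rep, 3);
        else
            out[o] = *p;
        o += len;
    }
    out[o] = '\0';
    return (int)o;
}

/* Structural rule from the filter grammar: a filter is exactly one
 * parenthesised element, and every nested element is enclosed inside it.
 * Returns 1 if `f` obeys that rule, 0 otherwise. */
int ldap_filter_wellformed(const char *f)
{
    int depth = 0;
    if (f[0] != '(')
        return 0;
    for (const char *p = f; *p != '\0'; p++) {
        if (*p == '(') {
            depth++;
        } else if (*p == ')') {
            depth--;
            if (depth < 0)
                return 0;               /* stray closing parenthesis */
            if (depth == 0 && p[1] != '\0')
                return 0;               /* text after the top-level element */
        }
    }
    return depth == 0;
}

/* Builds the post's (cn=%s) filter from a user-supplied value, either by
 * plain interpolation (escape == 0, the vulnerable pattern) or with the
 * value escaped first. Returns the filter length, or -1 on a buffer problem. */
int build_cn_filter(const char *user, int escape, char *out, size_t outsz)
{
    char esc[256];
    const char *value = user;
    if (escape) {
        if (ldap_escape_value(user, esc, sizeof esc) < 0)
            return -1;
        value = esc;
    }
    int n = snprintf(out, outsz, "(cn=%s)", value);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Hypothetical helper for the demonstration: does the filter built from
 * `user` remain one well-formed element? 1 = yes, 0 = no, -1 = buffer error. */
int filter_survives(const char *user, int escape)
{
    char f[512];
    if (build_cn_filter(user, escape, f, sizeof f) < 0)
        return -1;
    return ldap_filter_wellformed(f);
}

int main(void)
{
    /* The OWASP payload quoted in the post, as a constructed input. */
    const char *payload = "jonys) (| (password = * ) )";
    char f[512];
    build_cn_filter(payload, 0, f, sizeof f);
    printf("interpolated: %s -> well-formed: %d\n", f, ldap_filter_wellformed(f));
    build_cn_filter(payload, 1, f, sizeof f);
    printf("escaped:      %s -> well-formed: %d\n", f, ldap_filter_wellformed(f));
    return 0;
}
```

    Interpolating the payload yields `(cn=jonys) (| (password = * ) ))`, which is not one element and fails the structural check; with escaping the same input becomes a literal value, and a lone `*` becomes `\2a`, so the first OWASP case (a wildcard that lists every entry) is neutralised as well.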

    read more
