nUbuntu open Meeting.

Emanuele Gentili | Development, nUbuntu | Tuesday, November 18th, 2008

Hello again security enthusiasts,

This Sunday night, 23rd November 2008 @ 21.00 EST (24th November 2008 @ 2.00 UTC), there will be an open meeting which anyone interested in nUbuntu can attend.

Agenda:

  • Repository
  • Additional applications
  • Bugs
  • Fluxbox theme
  • Fluxbox menu

Remember, anyone is invited. The meeting will take place on irc.FreeNode.net in #nubuntu. Please arrive a few minutes early if possible.

Thanks again for using nUbuntu,

The quote of the day.

Emanuele Gentili | Development, Life, nUbuntu | Sunday, November 9th, 2008

About nUbuntu:

(05:14) (emgent) are you java monkey ?
(05:14) (emgent) we need it :)
(05:14) (gouki) Nahh! I hate Java: Saying that Java is nice because it works on all OS’s is like saying that anal sex is nice because it works on all genders
(05:15) (gouki) That’s how much I like it :P
(05:15) (emgent) heheh
(05:15) (emgent) this is the quote of the day
(05:15) (gouki) LOL
(05:15) (emgent) I will publish it in planet!
(05:15) (emgent) haha
(05:16) (gouki) Heheh! Sure thing ;) I’m a big bash.org fan :)

Ubuntu Server Safe.

Emanuele Gentili | Security | Sunday, August 17th, 2008

For several years I have rejected the idea of outsourcing my hosting, mainly for security reasons.

Why pay for external hosting if we cannot fully control it?
Where are the guarantees about the server's configuration and its security arrangements?

It is true that there are virtual servers and dedicated servers, but who wants to spend unnecessary money on a pseudo-machine that cannot always be managed the way we want?

So I decided to use an old Pentium 3 running Ubuntu Server (encrypted disks), with serious hardening on the kernel and daemon side, and to ship the logs to an external device.

The device you can see in the picture copies a set of log files (chosen by me) every few minutes, analyzes them on its own, and sends them both to a paper printer and to me by email (when they match the alert rules I have set).

A true server-safe!
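The device's firmware was never published, so here is an added example of my own (not the author's code) of the kind of rule engine such a log-copying box runs: a few regex rules with per-source thresholds and time windows are applied to freshly copied syslog lines, and every rule that trips produces one alert formatted for the printer and wrapped into an e-mail. The rules, hostnames, addresses and the sample log lines are all constructed for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.message import EmailMessage
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    threshold: int = 1                        # fire once this many matches ...
    window: timedelta = timedelta(minutes=5)  # ... arrive within this window
    key_group: Optional[str] = None           # regex group to aggregate on (e.g. client IP)


@dataclass(frozen=True)
class Alert:
    rule: str
    key: str
    count: int
    line: str  # the log line that tipped the rule over its threshold


# Assumed alert rules. On a server that only allows key-based SSH login, any
# "Accepted password" line is itself an anomaly worth paging on.
RULES = [
    Rule("ssh-bruteforce",
         re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
         threshold=3, key_group="ip"),
    Rule("ssh-password-login",
         re.compile(r"sshd\[\d+\]: Accepted password for (?P<user>\S+)"),
         key_group="user"),
    Rule("modsecurity-block",
         re.compile(r"\[client (?P<ip>[\d.]+)\] ModSecurity: Access denied"),
         key_group="ip"),
]

# Constructed sample: the syslog copy the device would pull every few minutes.
SAMPLE_LOG = """\
Aug 17 10:00:01 amnistia sshd[2201]: Failed password for invalid user oracle from 10.0.0.5 port 4242 ssh2
Aug 17 10:00:03 amnistia sshd[2203]: Failed password for root from 10.0.0.5 port 4243 ssh2
Aug 17 10:00:04 amnistia sshd[2205]: Accepted publickey for emgent from 192.168.1.10 port 50122 ssh2
Aug 17 10:00:06 amnistia sshd[2207]: Failed password for invalid user test from 10.0.0.5 port 4244 ssh2
Aug 17 10:00:09 amnistia apache2: [error] [client 10.0.0.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:id.
Aug 17 10:30:00 amnistia sshd[2301]: Failed password for invalid user admin from 10.0.0.7 port 5000 ssh2
""".splitlines()


def parse_time(line: str) -> datetime:
    """Classic syslog prefix 'Aug 17 10:00:01'; syslog omits the year, so one is assumed."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2008)


def analyze(lines: List[str], rules: List[Rule]) -> List[Alert]:
    """Run every rule over every line; one Alert per (rule, key) that crosses its threshold."""
    hits: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    fired = set()
    alerts: List[Alert] = []
    for line in lines:
        ts = parse_time(line)
        for rule in rules:
            m = rule.pattern.search(line)
            if not m:
                continue
            key = m.group(rule.key_group) if rule.key_group else "*"
            bucket = hits[(rule.name, key)]
            bucket.append(ts)
            bucket[:] = [t for t in bucket if ts - t <= rule.window]  # forget stale matches
            if len(bucket) >= rule.threshold and (rule.name, key) not in fired:
                fired.add((rule.name, key))
                alerts.append(Alert(rule.name, key, len(bucket), line))
    return alerts


def format_alert(alert: Alert) -> str:
    """Plain text: the same body goes to the line printer and into the e-mail."""
    return (f"[server-safe] {alert.rule} from {alert.key} "
            f"({alert.count} hits)\n  {alert.line}\n")


def make_email(alert: Alert, sender: str = "safe@amnistia",
               to: str = "emgent@ubuntu.com") -> EmailMessage:
    """Build the notification; the real device would hand it to smtplib.SMTP.send_message."""
    msg = EmailMessage()
    msg["Subject"] = f"[server-safe] {alert.rule} from {alert.key}"
    msg["From"], msg["To"] = sender, to
    msg.set_content(format_alert(alert))
    return msg


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, RULES):
        print(format_alert(a))  # stdout stands in for the paper printer here
        make_email(a)           # would be sent on the real device
```

The per-key window matters: three failures from one address within five minutes is a brute-force attempt worth a page, while three unrelated failures from three addresses in a day are noise, so the rule aggregates on the captured client IP rather than on the whole log.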

Tools:

* Apache2 and mod_security
* grsecurity (GRSEC)
* chroots
* OpenSSH server (key-based login only)
* Snort
* knockd
* dm-crypt
and other tools written by me. :)

Joomla 1.5.x com_user core component Security Fix.

Emanuele Gentili | Security | Wednesday, August 13th, 2008

Good news: the Joomla people have released the official fix; go and apply it if you are vulnerable.

--- components/com_user/models/reset.php        2008-08-13 01:19:01.000000000 +0200
+++ new/components/com_user/models/reset.php    2008-08-13 01:20:16.000000000 +0200
@@ -112,6 +112,11 @@
        {
                global $mainframe;

+       if(strlen($token) != 32) {
+       $this->setError(JText::_('INVALID_TOKEN'));
+       return false;
+       }
+
                $db     = &JFactory::getDBO();
                $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));
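Review bot: the new length check rejects the empty token the bug relies on, but the SELECT that follows still matches on `activation = ...` alone, so the query remains one missing guard away from the same failure; consider also adding `AND activation != ''` to the query so that an empty activation value can never satisfy the lookup, whatever a caller passes in. Minor: the five added lines are indented with spaces while the surrounding code uses tabs, and the check reuses 'INVALID_TOKEN', the same message returned for an unknown token, so the two cases cannot be told apart in the logs.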

If you would like to download it, click here.

Happy defending! :-)

UPDATE:
The Joomla advisory is available here.

New Vulnerability in Joomla 1.5.x com_user core component.

Emanuele Gentili | Security | Tuesday, August 12th, 2008

Hello folks,

A new high-severity security issue has been found in Joomla 1.5.x that allows a remote attacker to change the admin password.

This vulnerability affects many important websites, such as NASA, university and institutional sites. The official fix isn't out yet (I'm writing it), but we can apply a provisional fix to keep out unskilled attackers.

How to check whether your website is vulnerable:

The proof of concept is very simple; follow these steps:

0x01) Open your browser and go to the URL:

http://www.target.com/index.php?option=com_user&view=reset&layout=confirm

(replace www.target.com with your website, and remember to add the path if you installed under one, e.g. /joomla/)

0x02) Type the single character ' into the token text box and click OK.
(If you are then shown a new-password form, you are vulnerable: the 'alnum' filter applied to the token strips the quote, leaving an empty string, and the lookup below matches the first unblocked user whose activation field is empty, which is the case for the administrator once the account is active.)

0x03) You can now type a new password for admin into the new text box.

0x04) Go to http://www.target.com/administrator/ and try to log in.

How to apply the provisional fix:

This isn't a real fix, but it will keep out unskilled attackers; follow these steps if you turned out to be vulnerable.

0x01) Log in to the admin panel and go to the user management panel.

0x02) Create a new Super Administrator user and log out of the admin panel.

0x03) Log in to the admin panel with the new user, and go to the user management panel.

0x04) Remove all privileges from the old admin (switch it to Registered user) and disable that user.

Vulnerable code:

/components/com_user/controller.php
Line : 379-399

	function confirmreset()
	{
		// Check for request forgeries
		JRequest::checkToken() or die( 'Invalid Token' );

		// Get the input
		$token = JRequest::getVar('token', null, 'post', 'alnum');

		// Get the model
		$model = &$this->getModel('Reset');

		// Verify the token
		if ($model->confirmReset($token) === false)
		{
			$message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
			$this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
			return false;
		}

		$this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
	}
/components/com_user/models/reset.php

Line: 111-130 	

	function confirmReset($token)
	{
		global $mainframe;

		$db	= &JFactory::getDBO();
		$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); 

		// Verify the token
		if (!($id = $db->loadResult()))
		{
			$this->setError(JText::_('INVALID_TOKEN'));
			return false;
		}

		// Push the token and user id into the session
		$mainframe->setUserState($this->_namespace.'token',	$token);
		$mainframe->setUserState($this->_namespace.'id',	$id);

		return true;
	}
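To show why one stray quote is enough, here is an added example of mine (not Joomla's own code) that models the two pieces above in Python: the 'alnum' request filter and the activation lookup, run against a constructed in-memory SQLite users table, with the official fix's 32-character check beside the vulnerable version. The jos_ table prefix, the user ids and the token value are assumptions; the point is that the quote never reaches the database at all, and what does reach it is the empty string.

```python
import re
import sqlite3
from typing import Optional


def alnum_filter(value: str) -> str:
    """Model of JRequest::getVar(..., 'alnum'): everything but ASCII letters and digits is dropped."""
    return re.sub(r"[^A-Za-z0-9]", "", value)


def make_db() -> sqlite3.Connection:
    """Constructed users table: Joomla's #__users with an assumed 'jos_' prefix."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, "
               "block INTEGER NOT NULL, activation TEXT NOT NULL)")
    db.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?)", [
        (62, "admin",   0, ""),  # active accounts carry an empty activation value
        (63, "alice",   0, ""),
        (64, "bob",     0, "3d1b0e3a9f3c4a8c9d2e1f0a5b6c7d8e"),  # mid password reset: 32-char token
        (65, "mallory", 1, ""),  # blocked, so never matched by the lookup
    ])
    return db


# The same predicate as the model's query; the value is bound, not interpolated,
# because the bug is not SQL injection but an empty string matching empty columns.
LOOKUP = "SELECT id FROM jos_users WHERE block = 0 AND activation = ?"


def confirm_reset_vulnerable(db: sqlite3.Connection, raw_token: str) -> Optional[int]:
    """Joomla 1.5 behaviour before the fix: filter, then look the token up.
    The quote from the PoC is stripped by the filter, the empty string is sent to
    the database, and the first unblocked account with an empty activation value
    (the administrator) comes back as the user whose password will be reset."""
    token = alnum_filter(raw_token)
    row = db.execute(LOOKUP, (token,)).fetchone()
    return row[0] if row else None


def confirm_reset_patched(db: sqlite3.Connection, raw_token: str) -> Optional[int]:
    """Same lookup with the official fix in front of it: a token must be exactly
    32 characters (the length of the hash Joomla issues) before it reaches the query."""
    token = alnum_filter(raw_token)
    if len(token) != 32:
        return None  # INVALID_TOKEN
    row = db.execute(LOOKUP, (token,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, input \"'\":", confirm_reset_vulnerable(db, "'"))
    print("patched,    input \"'\":", confirm_reset_patched(db, "'"))
```

Note that the patched version still accepts any 32-character alphanumeric string, so the remaining protection is the unguessability of the real token; that is the intended design, since the token is a freshly generated hash and a guess has a 1 in 16^32 chance of matching.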

Security Fix:
I'm working on it and will release it shortly.

Security: BIND9 exploit is out. please check your DNS!

Emanuele Gentili | Security | Thursday, July 24th, 2008

I am pleased (?) to announce that a BIND9 exploit is out (CVE-2008-1447).

This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver.
It caches a single malicious host entry in the target nameserver.
By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into its cache.

This issue was fixed in Ubuntu via USN-622-1, but many ISPs are still vulnerable.

What to do?
First of all, check your DNS on www.doxpara.com (right menu).
If your DNS servers are vulnerable, I suggest switching to OpenDNS to work around this security issue.

emgent@amnistia:~$ sudo su root
[sudo] password for emgent:
root@amnistia:/home/emgent# echo "nameserver 208.67.222.222" > /etc/resolv.conf
root@amnistia:/home/emgent# echo "nameserver 208.67.220.220" >> /etc/resolv.conf
root@amnistia:/home/emgent# exit
exit
emgent@amnistia:~$
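The fix for CVE-2008-1447 is to send every query from a random UDP source port, so that a spoofer has to guess port and transaction ID together instead of the 16-bit ID alone. As an added example (mine, not the doxpara test nor code from the post), here is a Python check that rates a resolver from a capture of its outgoing queries, the way you would do it from a tcpdump on the resolver's uplink. The captures here are constructed synthetically for both the unpatched (fixed port) and patched (random port) case, and the rating thresholds are assumptions chosen in the spirit of the public port tests.

```python
import math
import random
import statistics
import struct
from typing import List, Optional, Tuple


def txid_of(dns_payload: bytes) -> int:
    """The transaction ID is the first 16-bit field of the DNS header (RFC 1035, section 4.1.1)."""
    return struct.unpack("!H", dns_payload[:2])[0]


def make_query(txid: int, name: str) -> bytes:
    """Minimal standard query (RD set, one question, type A, class IN), as the resolver
    sends when an attacker makes it look up random names under the target domain."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def assess(capture: List[Tuple[int, bytes]]) -> dict:
    """Rate source-port randomisation from a capture of (UDP source port, DNS payload).

    A uniform spread of width W has standard deviation W / sqrt(12), so the width of
    the port range is estimated from the sample. Effective bits = log2(width) + 16
    TXID bits: about 16 on a fixed port (the pre-fix state), about 32 when fully random."""
    ports = [port for port, _ in capture]
    txids = [txid_of(payload) for _, payload in capture]
    port_sd = statistics.pstdev(ports)
    width = max(1.0, port_sd * math.sqrt(12))
    bits = math.log2(width) + 16
    # Thresholds assumed for the illustration.
    rating = "GREAT" if port_sd >= 3980 else "GOOD" if port_sd >= 296 else "POOR"
    return {"distinct_ports": len(set(ports)), "distinct_txids": len(set(txids)),
            "port_stdev": round(port_sd, 1), "effective_bits": round(bits, 2),
            "rating": rating}


def constructed_capture(fixed_port: Optional[int], n: int = 100, seed: int = 1447):
    """Synthetic capture, constructed for the example: a resolver querying random names
    under target.com either from one fixed port or from the whole ephemeral range."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        port = fixed_port if fixed_port else rng.randint(1024, 65535)
        out.append((port, make_query(rng.randint(0, 0xFFFF), f"rnd{i}.target.com")))
    return out


UNPATCHED = constructed_capture(fixed_port=53)
PATCHED = constructed_capture(fixed_port=None)

if __name__ == "__main__":
    for label, cap in (("unpatched resolver", UNPATCHED), ("patched resolver", PATCHED)):
        print(label, assess(cap))
```

A resolver behind a NAT that rewrites source ports sequentially will score POOR here even when BIND itself is patched, which is exactly the case the public tests were catching at ISPs: the check has to be run from outside the NAT to mean anything.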

Background on #ubuntu-quality:
[SNIP]
(04:36) ( emgent) hello
(04:37) ( LaserJock) hi emgent
(04:37) ( emgent) I’m plased to annunce that BIND9 exploit is now pubblic.
(04:37) ( emgent) s/plased/pleased/
(04:38) ( persia) Is the solution also public, and distributed?
(04:38) ( emgent) sure. fixed some week ago in ubuntu.
(04:38)  * LaserJock wonders if he should clap or not
(04:39) ( emgent) but more ISP are vulnerale now..
(04:40) ( emgent) persia: you can check your dns on http://www.doxpara.com/ (right menu)
(04:42) ( emgent) s/vulnerale/vulnerable/
(04:44) ( Hobbsee) oh good!  telstra isn’t.
(04:45) ( emgent) nice, Telecom Italia now is vuln.
(04:45) ( persia) NTT is vulnerable, but that is both unsurprising and unlikely to cause issues.
(04:45) ( emgent) I use Open DNS
(04:47) ( LaserJock) mine is vulnerable it says
(04:47) ( emgent) switch to open dns
(04:49) ( emgent) exploit was pubblished some hours ago.. and there is a big problem.. now all people can hack vuln DNS and redirect google.com to sarcazzo.com for example.
(04:50) ( emgent) i go to write a post in planet.
(04:50) ( LaserJock) interesting
[SNIP]

happy defending! :-)

Moin people.

Emanuele Gentili | Security | Wednesday, July 16th, 2008

In these hot days, while waiting for the rules of the Ubuntu Whitehat team to be finalized, I started auditing and penetration testing MoinMoin.

MoinMoin is a WikiWikiWeb collaborative hypertext environment, with an emphasis on easy access to and modification of information. MoinMoin is a Python WikiClone that allows you to easily set up your own wiki, requiring only a web server and a Python installation.

A "nice" security issue came out of this work: a cross-site scripting vulnerability in the Advanced Search macro.

I immediately notified Thomas Waldmann, and we worked together on a fix that adds escaping.

The vulnerable versions were found to be 1.6, 1.7 and 1.8 (development).

Needless to say, the upstream site (www.moinmo.in) appeared vulnerable, and so did our help.ubuntu.com, which was promptly patched by Andrew Glen-Young.

The only vulnerable version in the Ubuntu repository was in Intrepid (Bug 248167), now fixed.

Big thanks to Scott Kitterman for the timely sponsorship of my debdiff in Intrepid (main).

Security Fix Announcements

MoinMoin 1.6 http://hg.moinmo.in/moin/1.6/rev/8686a10f1f58

MoinMoin 1.7 http://hg.moinmo.in/moin/1.7/rev/383196922b03

See also: http://moinmo.in/SecurityFixes

Off Topic

Now I'm a MOTU; big thanks for the feedback and votes.

Why does this site use free software? | contact: emgent @ ubuntu.com
