Tag: CVE

CVE-2016-0777 – Are you still vulnerable to this OpenSSH Vulnerability?

I was quite surprised to notice that though since the 14th of January 2016, the OpenSSH has released a patch to correct a major bug issue for those using the OpenSSH remote connectivity login tool many IT professionals have forgot about that issue. The security vulnerability has been announced on the Common Vulnerabilities and Exposures (CVE) website since the midst of January, yet many system and security administrators may have not miss this information.

Credits: openssh.com
Credits: openssh.com

As mentioned, the ssh bug is about “The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key. “ To be more explicit, what really happen is that an attacker can guess the client’s get_snd_buf_size() in order to control out_buf_size(). In order to exploit this vulnerability, the attacker will have to force the malloc() to return free()d and uncleaned chunk of sensitive information. 

This block of code on the old roaming_common.c clearly demonstrate the issue. View full code here.

void
resend_bytes(int fd, u_int64_t *offset)
{
size_t available, needed;

if (out_start < out_last)
available = out_last - out_start;
else
available = out_buf_size;
needed = write_bytes - *offset;
debug3("resend_bytes: resend %lu bytes from %llu",
    (unsigned long)needed, (unsigned long long)*offset);
if (needed > available)
fatal("Needed to resend more data than in the cache");
if (out_last < needed) {
int chunkend = needed - out_last;
atomicio(vwrite, fd, out_buf + out_buf_size - chunkend,
    chunkend);
atomicio(vwrite, fd, out_buf, out_last);
} else {
atomicio(vwrite, fd, out_buf + (out_last - needed), needed);
}
}

You can perform some test on your machine or may be you are using an emulator such as MobaXterm to SSH on several servers by launching the following command

ssh whoami.filippo.io

You might encounter the following beautiful message:

         ***** WARNING ***** WARNING *****
You have roaming turned on. If you are using OpenSSH, that most likely means you are vulnerable to the CVE-2016-0777 information leak.

In case, this is true, you might want to secure yourself from this vulnerability by editing the /etc/ssh/ssh_config and pass the following parameter UseRoaming no . Of course, you will need to reload the ssh daemon and don’t forget to perform a new test!

 

CVE-2015-7547 – Update Glibc & restart BIND with Ansible

You might be seeing a huge crowd of system administrators and Devops rushing to update their servers immediately due to the security flaws detected on Glibc. This security leak is identified as skeleton key under CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow. What is most sour to taste is where the Glibc library is used in the BIND application!

 In brief, the CVE-2015-7547 vulnerability is simply where an attacker can performed mutilple stack-based overflows of the function send_dg and send_vc in the Glibc library to execute malicious code even causing denial of service attack.

Screenshot from 2016-02-21 12:14:09

Redhat have put it in this way “A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.” I have try a little Ansible cookbook to update your Glibc package. Check it out on my Git Account

- - - 
  - hosts: ansible2
     user: root
     tasks:
       - name: update Glib
          yum: name=glibc* state=latest
       - name: restart named
          service: name=named state=restarted

Screenshot from 2016-02-21 11:30:52

Other articles on Buffer Overflow of Memory:

Other article related to Ansible

Debug your Internet bugs and vulnerabilities with ICSI Netalyzr

Can your Network be easily compromised? Is your Internet vulnerable? You might want to perform some tests on the Quality of Service your Internet Service Provider – ISP is providing you. It can also be more dangerous if your ISP is also your router vendor! One of the fast and reliable tool which i would proposed is the ICSI Netalyzr tool which test your internet connections for signs of trouble and provide you detailed report vulnerabilities, latency and several tests. The test can be performed by almost anyone with just a simple click.

“ICSI Netalyzr is a service maintained by the Networking Group at the International Computer Science Institute, an affiliate with the University of California, Berkeley  and funded by the National Science Foundation. The service got some publicity and found importance after late 2007 when Comcast was sued for throttling Internet traffic which Comcast later admitted to be true.” – freewareGenius

The report consist of:

  • A summary of the Noteworthy Events
  • Addresses-based Tests
  • Reachability Tests
  • Network Access Link Properties
  • HTTP and DNS tests
  • IPV6 tests and Network Security Protocols
  • Host Properties

I made several tests myself and notice that many routers are vulnerable to attacks. One of the test i made from a Netgear router DG series intentionally downgraded with an old firmware from the official website of Netgear was found to be vulnerable. Click here on this link to access to the Netalyzr tool.I would however recommend you to use DDWRT or OpenWRT for best QOS.

Example - A Netgear router vulnerable to CVE-2012-5958 and CVE-2012-5959
Example – A Netgear router vulnerable to CVE-2012-5958 and CVE-2012-5959

You could also check for DNS resolution, Latency issues and Measurement of your Network buffering capacity. You would need to authorize your browser to access a JAVA plugin to be able to perform the test.

You can also perform your test using the Android App as well as on the Netalyzer command line client.

A brief description of the fopen PHP vulnerability

One of the PHP vulnerability that is still being found on many websites is the fopen function in PHP – CVE-2007-0448. You can secure your website by disabling includes when calling the fopen function.

According to cvedetails.com “PHP 5.2.0 does not properly handle invalid URI handlers, which allows context-dependent attackers to bypass safe_mode restrictions and read arbitrary files via a file path specified with an invalid URI, as demonstrated via the srpath URI”

Its usually  not recommended to enable the fopen function in the php.ini, however, some developers include it in the code itself for a specific task. Lets see how this is exploited:

Lets say we have a page called vulnerability.php containing these code

<?php
$vulnerable = $_GET['vulnerable'];
include($vulnerable);
?>

So, $vulnerable = $_GET[‘vulnerable’]; means to put the ‘vulnerable’ GET property in the variable $vulnerable; i.e GET property that is in the URL. An example is http://mysite.com/page.php?vulnerable=yes&howmuch=Very.

By including the value of the variable ($vulnerable), you allowing an attacker to inject code. Someone for instance can try this on his browser

http://www.mywebsite.com/fopen.php?vulnerable=../../../index.php

This will enable the attacker to get into subdirectories and start exploring the whole directory. However, if you are running PHPFPM for a particular instance, only that particular instance is impacted as PHPFPM allows you to isolate each running instances within the server.