Securifying teh r4qx0r

From Edgar BV Wiki
Jump to navigation Jump to search
Stuff f1x0red 6/9/2002
Raq4, Michiel Kalkman

------

SSH :

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/opt/openssl

Version over 3.4 -->
sshd version OpenSSH_3.4p1

/etc/ssh/sshd_config

  ChallengeResponse no
  PrivilegeSeperation yes

-------

Apache :
uses /usr/lib/authenticate, which is spolitable (unsafe tmpfile creation).
Needs /bin/ln to use published sploits, ergo chmod 700 /bin/ln - removing
suid bit from /usr/lib/authenticate will break functionality.
Wait for Sun to patch it.. (haha)

--------

GCC downgrade privileges...

[root /mnt]# which gcc
/usr/bin/gcc
[root /mnt]# ls -lsa `which gcc`
  74 -rwxr-xr-x   2 root     root        74572 Apr 10 01:53 /usr/bin/gcc
[root /mnt]# chmod 700 `which gcc`
[root /mnt]# which as
/usr/bin/as
[root /mnt]# ls -lsa `which as`
 244 -rwxr-xr-x   1 root     root       247852 Apr  9 23:51 /usr/bin/as
[root /mnt]# chmod 700 `which as`
[root /mnt]# which ld
/usr/bin/ld
[root /mnt]# ls -lsa `which ld`
 313 -rwxr-xr-x   1 root     root       316940 Apr  9 23:51 /usr/bin/ld
[root /mnt]# chmod 700 `which ld`


There are plenty of related files to chmod, but this should break most script
based autorooters that use source ..

---------

HTTP directory traversal vuln..

http://raq-042.vianetworks.nl:81/.cobalt/sysManage/../admin/.htaccess

# Access file for /usr/admserv/html/.cobalt/admin/ (admin  )
order allow,deny
allow from all
require user admin
Authname CobaltRaQ
Authtype Basic


Ooops!

Add a .htaccess file containing 

<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

in /usr/admserv/html/ and /usr/admserv/cgi-bin/


---------------

Cross-site scripting vuln in 


/usr/admserv/cgi-bin/.cobalt/alert

for,
alert.cgi and service.cgi

Quick fix is to remove all HTML tags from input ->

Edit service.cgi and after the line 

my $service = $q->param('service');

put

$service =~ s/<([^>])*>//g;


-------

TODO :

/tmp needs its own partition so it can be mounted noexec, nosuid, nogid, nodev.

Currently /tmp is a symlink to /home/tmp,

[root /mnt]# mount
/dev/hda1 on / type ext2 (rw)
none on /proc type proc (rw)
/dev/hda3 on /var type ext2 (rw,nosuid)
/dev/hda4 on /home type ext2 (rw,usrquota,grpquota,grpid)
none on /dev/pts type devpts (rw,gid=5,mode=0620)
[root /mnt]# fdisk /dev/hda

The number of cylinders for this disk is set to 38792.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/hda: 16 heads, 63 sectors, 38792 cylinders
Units = cylinders of 1008 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1             1      1524    768095+  83  Linux
/dev/hda2          1525      1846    162288    5  Extended
/dev/hda3          1847      2253    205128   83  Linux
/dev/hda4          2254     38792  18415656   83  Linux
/dev/hda5          1525      1585     30743+  83  Linux
/dev/hda6          1586      1846    131543+  82  Linux swap

...


So, freeze services, move logs to a different partition, umount /var,
fdisk, delete /dev/hda3, create new partition /dev/hda3 but don't use all
available space. Then create an extended partition /dev/hda7. Tag both
partitions as type 83 (linux native - ext2), write changes and return to prompt.


# mke2fs /dev/hda3
# mke2fs /dev/hda7
# mount /dev/hda3 /var
# rm /tmp
# mount -o nosuid,nogid,noexec,nodev /dev/hda7 /tmp
# vim /etc/fstab

unfreeze services

# reboot

pray

----------

Scanning virtual hosts w/ whisker v1.4

./whisker.pl -V -v -i -H ./virtual-hostss.txt -l out.list

Does a verbose scan and writes output to out.list (700 Kb output for 83 hosts)

Read like this,

cat out.list | grep -v ^$ | grep -v 404 | less

Which removes empty lines (^$) and file not founds (404)..

----------

PHP / CGI applications to upgrade

phpBB (to 2.0.2, which contains security fixes)
phpMyAdmin (to 2.2.2+) 


~admin/searchlist/

contains all sites files that are perl or CGI (based on extension \.pl$, \.cgi$, \.php$ or
\.php3$). Total of 6007 files.


-----------


Setting up secure PHP

http://www.php.net/manual/en/security.php

pnp.ini variables

register_globals = off 	'unfortunately many of these websites use code that need it :(
expose_php = off	'so people can't see it
safe_mode = on		'restrict the php userspace in apache configurations

Secure Web development

http://www.owasp.org/

----------------

IPCHAINS and MASON

Mason
http://users.dhp.com/~whisper/mason/
http://users.dhp.com/~whisper/mason/mason-1.0.0.tar.gz
make install
vi /etc/masonrc
mason-gui-text

Also needs
http://www.stearns.org/samlib/sam-current.tar.gz
make all
make install

IPChains
http://freshmeat.net/redir/ipchains/4520/url_homepage/ipchains
http://freshmeat.net/redir/ipchains/4520/url_tgz/ipchains-1.3.10.tar.gz
make all
make install