Securifying teh r4qx0r
Stuff f1x0red 6/9/2002 Raq4, Michiel Kalkman

------
SSH :

  ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/opt/openssl

Version over 3.4 --> sshd version OpenSSH_3.4p1

/etc/ssh/sshd_config:

  # directive names as OpenSSH 3.4 actually spells them
  ChallengeResponseAuthentication no
  UsePrivilegeSeparation yes

-------
Apache :

uses /usr/lib/authenticate, which is exploitable (unsafe tmpfile creation). Needs /bin/ln to use published sploits, ergo:

  chmod 700 /bin/ln

Removing the suid bit from /usr/lib/authenticate will break functionality. Wait for Sun to patch it.. (haha)

--------
GCC downgrade privileges...

  [root /mnt]# which gcc
  /usr/bin/gcc
  [root /mnt]# ls -lsa `which gcc`
  74 -rwxr-xr-x 2 root root 74572 Apr 10 01:53 /usr/bin/gcc
  [root /mnt]# chmod 700 `which gcc`
  [root /mnt]# which as
  /usr/bin/as
  [root /mnt]# ls -lsa `which as`
  244 -rwxr-xr-x 1 root root 247852 Apr 9 23:51 /usr/bin/as
  [root /mnt]# chmod 700 `which as`
  [root /mnt]# which ld
  /usr/bin/ld
  [root /mnt]# ls -lsa `which ld`
  313 -rwxr-xr-x 1 root root 316940 Apr 9 23:51 /usr/bin/ld
  [root /mnt]# chmod 700 `which ld`

There are plenty of related files to chmod, but this should break most script based autorooters that use source ..

---------
HTTP directory traversal vuln..

  http://raq-042.vianetworks.nl:81/.cobalt/sysManage/../admin/.htaccess

returns the admin server's access file:

  # Access file for /usr/admserv/html/.cobalt/admin/ (admin )
  order allow,deny
  allow from all
  require user admin
  Authname CobaltRaQ
  Authtype Basic

Ooops! Add a .htaccess file containing

  <Files .htaccess>
  Order allow,deny
  Deny from all
  </Files>

in /usr/admserv/html/ and /usr/admserv/cgi-bin/

---------------
Cross-site scripting vuln in /usr/admserv/cgi-bin/.cobalt/alert for alert.cgi and service.cgi

Quick fix is to remove all HTML tags from input -> Edit service.cgi and after the line

  my $service = $q->param('service');

put

  $service =~ s/<([^>])*>//g;

-------
TODO : /tmp needs its own partition so it can be mounted noexec, nosuid, nogid, nodev.
Currently /tmp is a symlink to /home/tmp.

  [root /mnt]# mount
  /dev/hda1 on / type ext2 (rw)
  none on /proc type proc (rw)
  /dev/hda3 on /var type ext2 (rw,nosuid)
  /dev/hda4 on /home type ext2 (rw,usrquota,grpquota,grpid)
  none on /dev/pts type devpts (rw,gid=5,mode=0620)
  [root /mnt]# fdisk /dev/hda

  The number of cylinders for this disk is set to 38792.
  There is nothing wrong with that, but this is larger than 1024,
  and could in certain setups cause problems with:
  1) software that runs at boot time (e.g., old versions of LILO)
  2) booting and partitioning software from other OSs
     (e.g., DOS FDISK, OS/2 FDISK)

  Command (m for help): p

  Disk /dev/hda: 16 heads, 63 sectors, 38792 cylinders
  Units = cylinders of 1008 * 512 bytes

     Device Boot    Start       End    Blocks   Id  System
  /dev/hda1             1      1524    768095+  83  Linux
  /dev/hda2          1525      1846    162288    5  Extended
  /dev/hda3          1847      2253    205128   83  Linux
  /dev/hda4          2254     38792  18415656   83  Linux
  /dev/hda5          1525      1585     30743+  83  Linux
  /dev/hda6          1586      1846    131543+  82  Linux swap
  ...

So, freeze services, move logs to a different partition, umount /var, fdisk, delete /dev/hda3, create new partition /dev/hda3 but don't use all available space. Then create an extended partition /dev/hda7. Tag both partitions as type 83 (linux native - ext2), write changes and return to prompt.

  # mke2fs /dev/hda3
  # mke2fs /dev/hda7
  # mount /dev/hda3 /var
  # rm /tmp
  # mount -o nosuid,noexec,nodev /dev/hda7 /tmp
  # vim /etc/fstab

unfreeze services

  # reboot

pray

----------
Scanning virtual hosts w/ whisker v1.4

  ./whisker.pl -V -v -i -H ./virtual-hostss.txt -l out.list

Does a verbose scan and writes output to out.list (700 Kb output for 83 hosts)

Read like this,

  cat out.list | grep -v '^$' | grep -v 404 | less

Which removes empty lines (^$) and file not founds (404)..

----------
PHP / CGI applications to upgrade

phpBB (to 2.0.2, which contains security fixes)
phpMyAdmin (to 2.2.2+)

~admin/searchlist/ contains all sites' files that are perl or CGI (based on extension \.pl$, \.cgi$, \.php$ or \.php3$). Total of 6007 files.

-----------
Setting up secure PHP
http://www.php.net/manual/en/security.php

php.ini variables:

  register_globals = off    ; unfortunately many of these websites use code that needs it :(
  expose_php = off          ; so people can't see it
  safe_mode = on            ; restrict the php userspace in apache configurations

Secure Web development
http://www.owasp.org/

----------------
IPCHAINS and MASON

Mason
http://users.dhp.com/~whisper/mason/
http://users.dhp.com/~whisper/mason/mason-1.0.0.tar.gz

  make install
  vi /etc/masonrc
  mason-gui-text

Also needs http://www.stearns.org/samlib/sam-current.tar.gz

  make all
  make install

IPChains
http://freshmeat.net/redir/ipchains/4520/url_homepage/ipchains
http://freshmeat.net/redir/ipchains/4520/url_tgz/ipchains-1.3.10.tar.gz

  make all
  make install
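As an added check (not part of the original notes), the following POSIX sh script re-tests the SSH, compiler, /tmp and .htaccess steps above against a live system or one mounted under a different root like the /mnt in the prompts; the directive names, paths and the audit.sh file name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: re-check the hardening steps
# described above. Each check takes a file path so it can be run against the
# live system or a filesystem mounted elsewhere (like the /mnt prompts above).

# sshd_config must disable challenge/response auth and turn on privilege separation.
check_sshd() {
  grep -qi '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]\{1,\}no' "$1" || return 1
  grep -qi '^[[:space:]]*UsePrivilegeSeparation[[:space:]]\{1,\}yes' "$1"
}

# gcc, as and ld in the given bin directory must be mode 700 (root only), if present.
check_toolchain() {
  for t in gcc as ld; do
    [ -e "$1/$t" ] || continue
    [ "$(ls -ld "$1/$t" | cut -c1-10)" = "-rwx------" ] || return 1
  done
  return 0
}

# /tmp must be mounted nosuid, noexec and nodev; $1 is a file in /proc/mounts format.
check_tmp_mount() {
  opts=$(awk '$2 == "/tmp" { print $4 }' "$1")
  [ -n "$opts" ] || return 1
  for o in nosuid noexec nodev; do
    case ",$opts," in *",$o,"*) ;; *) return 1 ;; esac
  done
  return 0
}

# The admin server's .htaccess must contain the <Files .htaccess> block denying access.
check_htaccess() {
  grep -qi '<Files[[:space:]]\{1,\}\.htaccess>' "$1" || return 1
  grep -qi '^[[:space:]]*Deny[[:space:]]\{1,\}from[[:space:]]\{1,\}all' "$1"
}

# Run every check under a root directory (default: the live system) and print one
# OK/FAIL line each; returns non-zero if anything failed.
audit() {
  r="${1:-}"; rc=0
  for c in "check_sshd $r/etc/ssh/sshd_config" "check_toolchain $r/usr/bin" \
           "check_tmp_mount $r/proc/mounts" "check_htaccess $r/usr/admserv/html/.htaccess"; do
    if $c; then echo "OK   $c"; else echo "FAIL $c"; rc=1; fi
  done
  return $rc
}

# Usage: sh audit.sh --run [/mnt]   (hypothetical file name)
if [ "${1:-}" = "--run" ]; then audit "${2:-}"; fi
```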