Security
Deliberately insecure Linux distributions as practice targets
There are a lot of penetration testing (aka pentest) tools, but they are not always easy to learn, so you need practice — a lot of practice. Before using these tools on a live environment, you need to set up a test environment, install some services with vulnerabilities, and then try to break into it. Fortunately, pentesters don't have to do all this preparation themselves, as this is a niche where a couple of Linux distributions can be found. We'll take a look at a few of these deliberately insecure Linux distributions, which can be run on an isolated network or in a virtual machine to be targeted with your pentesting tools or exploits. On the attacker's side, you could use a distribution like BackTrack or a pentesting tool like the Metasploit Framework.
Damn Vulnerable Linux and Metasploitable
Probably the most well-known vulnerable Linux distribution is Damn Vulnerable Linux, but at this moment the website has the message "We are working. DVL 2.0 might appear in summer 2011" and there doesn't seem to be a way to download the most recent release, 1.5 (which dates from January 2009), so your author couldn't review DVL. The idea, however, is simple: DVL is shipped as a distribution that is as vulnerable as possible, for learning and research purposes for security pentesters and students. DVL was built by Thorsten Schneider, a security researcher at Bielefeld University in Germany, as a training system that he could use for his university lectures, to teach topics like buffer overflows, SQL injection, and so on.
Another well-known vulnerable Linux distribution is Metasploitable, an Ubuntu 8.04 server install on a VMware image. This install includes a number of vulnerable packages, such as a Tomcat 5.5 servlet container with weak credentials, ssh and telnet accounts with weak passwords, along with outdated versions of distcc, tikiwiki, twiki, and MySQL. Metasploitable is meant as a practice target for the Metasploit Framework, but of course you can also use it to test other pentesting tools. Moreover, the virtual disk is non-persistent, so all damage you do to the system while pentesting disappears after a reboot. Metasploitable can easily be installed in VirtualBox: just add the vmdk file as a new virtual hard disk to VirtualBox and create a new Linux VM with this hard disk as the boot disk. Just don't forget to enable IO APIC in the virtual machine.
LAMPSecurity
An especially interesting vulnerable machine (or rather, a set of virtual machines) is LAMPSecurity. There is a CentOS based virtual machine that can be used as the attacker's operating system because it comes preloaded with many attack tools, and another CentOS based virtual machine as the target, named Capture The Flag. Unfortunately, your author couldn't get these images, distributed as VMware images, to boot on VirtualBox. However, the Capture The Flag image comes with a tutorial PDF that demonstrates how to chain together a series of vulnerabilities to completely compromise the target system. The document describes one possible path to get root, but of course there are other ways to compromise the target, so after reading the document, users can apply what they have learned to further explore the target.
The tutorial begins with scanning the target with the vulnerability scanner Nikto, which is specialized in testing web servers for interesting files and directories (e.g. a public /phpmyadmin) and vulnerable web server software. It also identifies the version numbers of Apache and PHP, which are useful to search for vulnerabilities that apply. Then the tutorial shows how to use Paros as a web proxy in the browser, so the pentester can intercept requests to the target: all requests and responses are registered and can be investigated in the Paros program to look for vulnerabilities in a web application.
In the next step of the tutorial, the user is guided to identify an SQL injection vulnerability in the target's web site. This section is a particularly interesting introduction to SQL injections, with a step-by-step explanation spelled out in detail, including how to get access to system files. In the last step, the tutorial builds upon this SQL injection with a local privilege escalation to get an interactive root shell for the attacker.
De-ICE PenTest
The most comprehensive vulnerable distribution project is definitely the De-ICE PenTest Lab, the brainchild of penetration tester Thomas Wilhelm. When he had to learn as much about penetration testing as possible in a short time, he found no usable targets to practice on, so he created his own live CDs: two "Level 1" ISO images and one "Level 2" image. On the attacker's side, Wilhelm recommends BackTrack. Unfortunately, the target machines have a hardcoded IP address, which can conflict with your own network's address range.
Each of the ISO images is meant to be used in a specific real-world scenario: for the first Level 1 image, you are hired by a small company to pentest an old server that has a web-based list of the company's contact information. The scenario for the second Level 1 image is a little tougher: the target system is an FTP server that has been used in the past to maintain customer information but has been sanitized, and you have to show that you can get sensitive information out of the server. In the Level 2 scenario, you should identify any vulnerabilities you can find, and you get the permission to cause damage.
De-ICE PenTest also has a forum, where users can discuss the challenges for the three ISO images and get some help (warning: there are spoilers in the forum). On the wiki, there are also some video walkthroughs. Of course these contain major spoilers, so you probably want to wait for them until you have completed the challenges.
Other projects
There are a lot of other projects. The Virtual Hacking Lab has the same approach as LAMPSecurity: it distributes an ISO image to run on the attacker's side (the security-focused Gentoo derivative live CD Pentoo), and offers some vulnerable images to run as the target machines. For instance, a directory lists quite a few vulnerable distributions. Unfortunately, the project doesn't come with comprehensive documentation.
The OWASP Broken Web Applications Project is, like its name says, focused on vulnerable web applications. OWASP is the Open Web Application Security Project, a community that works to create freely available documentation, methodologies, and tools concerning web application security. The OWASP Broken Web Applications Project is distributed as a virtual machine in a VMware image. It's running outdated, vulnerable versions of some real-life web applications, such as phpBB and WordPress, but also some intentionally vulnerable applications created by OWASP and other projects.
Holynix is an Ubuntu Server install on a VMware image, which also runs on VirtualBox or Qemu. According to the README, the image requires a specific network configuration with a static IP address, which is cumbersome if the required network mask conflicts with your own network. Your author downloaded version 2 and ran it in VirtualBox. The project has a forum with help, including instructions about importing the distribution's image in VMware or VirtualBox. Just don't forget to enable PAE/NX and IO APIC in the virtual machine, or it won't boot.
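Registering one of these VMware disk images in VirtualBox from the command line, as an added example that is not part of the article or of any of the projects it reviews. It applies the IO APIC and PAE/NX settings mentioned above for Metasploitable and Holynix, gives the host-only interface an address inside whatever static range the target expects (so a hardcoded target address does not have to collide with your real network, the complaint raised for De-ICE and Holynix), and marks the disk immutable so the VM is reset on every boot, the way Metasploitable's non-persistent VMware disk behaves. It assumes VBoxManage is on the PATH, that a host-only adapter named vboxnet0 exists, a VirtualBox release that understands the modifymedium subcommand, and that you take the subnet values from the target's README; the IP and netmask in the usage line are placeholders.

```sh
#!/bin/sh
# Added example, not from the article or any of the projects it reviews.
# Registers a vulnerable-target disk image (e.g. Metasploitable's .vmdk, or
# Holynix's) as a VirtualBox VM with the settings the article says these
# images need (IO APIC, PAE/NX) and puts it on a host-only network whose
# address range you choose, so a target with a hardcoded static IP neither
# collides with, nor is reachable from, your real LAN.
# Assumptions: VBoxManage is on PATH, the host-only adapter is "vboxnet0",
# and the target's required subnet is supplied by the caller (placeholders).
# Set DRY_RUN=1 to print the VBoxManage commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# configure_lab_network HOST_IP NETMASK
# Gives the host side of vboxnet0 an address inside the target's expected
# subnet (take HOST_IP/NETMASK from the target's README; they are assumptions).
configure_lab_network() {
    run VBoxManage hostonlyif ipconfig vboxnet0 --ip "$1" --netmask "$2"
}

# make_disk_immutable DISK
# An immutable medium gets a fresh differencing image on every power-on, so
# damage done during a practice session is discarded at the next boot. Done
# before the disk is attached to any VM.
make_disk_immutable() {
    run VBoxManage modifymedium disk "$1" --type immutable
}

# create_target_vm NAME DISK [MEMORY_MB]
create_target_vm() {
    name="$1"
    disk="$2"
    mem="${3:-512}"

    run VBoxManage createvm --name "$name" --ostype Ubuntu --register
    # IO APIC and PAE/NX: the article notes these images will not boot without them.
    run VBoxManage modifyvm "$name" --memory "$mem" --ioapic on --pae on
    # Host-only NIC only: the intentionally weak services never face a routable network.
    run VBoxManage modifyvm "$name" --nic1 hostonly --hostonlyadapter1 vboxnet0
    run VBoxManage storagectl "$name" --name IDE --add ide
    run VBoxManage storageattach "$name" --storagectl IDE --port 0 --device 0 \
        --type hdd --medium "$disk"
}

# Usage (placeholder subnet): ./lab-vm.sh Metasploitable ./Metasploitable.vmdk 192.168.56.1 255.255.255.0
if [ $# -ge 4 ]; then
    configure_lab_network "$3" "$4"
    make_disk_immutable "$2"
    create_target_vm "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to review the VBoxManage calls before they touch your VirtualBox registry. Keeping the target on a host-only adapter is what makes "an isolated network" concrete: the attacker VM or host can reach the weak services, nothing else on the LAN can.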
Practice
If you start digging, you'll easily find a dozen vulnerable Linux distributions that you can use to practice on. However, none of these distributions really stands out from the crowd. Many of them are already old, although that's not bad in this case, as it improves the chance of finding vulnerabilities. A somewhat more painful issue is that many of these distributions require a specific network configuration, which is a barrier to quickly testing them in an arbitrary network. Along the same line, many of these projects are distributed as VMware images, which are not always easy to run in other hypervisors. Documentation is also an issue with many of these projects: while one could say that good pentesters will always have to be able to find their way on a foreign system, a little guidance could make these vulnerable distributions a more efficient way to practice tools and techniques. However, one thing is sure: pentesters who jump through all these hoops will be able to practice their techniques on a lot of different test targets.
Brief items
X.Org security advisory: root hole via rogue hostname
X.Org has patched a root hole in xrdb, in all versions up to 1.0.8. "By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb." Hosts that set their hostname via DHCP and/or hosts that allow remote logins via xdmcp are affected. The issue has been fixed in xrdb 1.0.9.
Laurie: Improving SSL certificate security
On Google's security blog, Ben Laurie looks at some Google initiatives to improve SSL certificate security. One is a certificate catalog that Google gathers as it spiders the internet, which can be queried via DNS (see the post for details). "The second initiative to discuss is the DANE Working Group at the IETF. DANE stands for DNS-based Authentication of Named Entities. In short, the idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn't consistent with the DANE records, it should be treated with suspicion."
Linux security summit CFP open
On his blog, James Morris has announced that the call for presentations for the 2011 Linux Security Summit is now open. Proposals will be accepted until May 27, and the summit will be held on September 8 in Santa Rosa, CA in conjunction with the Linux Plumbers Conference. From the summit site: "Brief technical talks in 30 minute slots, including at least 10 minutes of discussion (i.e. the maximum length of the presentation alone is 20 minutes). Papers are encouraged, and slides should be minimal. [...] Presentation abstracts should be approximately 150 words in length."
New vulnerabilities
asterisk: multiple vulnerabilities
| Package(s): | asterisk | CVE #(s): | CVE-2011-1174 CVE-2011-1175 |
| Created: | March 31, 2011 | Updated: | April 27, 2011 |
| Description: | From the Red Hat Bugzilla [1, 2]: CVE-2011-1174: If manager connections were rapidly opened, sent invalid data, then closed, it could cause Asterisk to exhaust available CPU and memory resources. The Manager Interface is disabled by default. Versions 1.6.2.x and 1.8.x are affected, and 1.6.2.17.1 and 1.8.3.1 have been released to correct this flaw. CVE-2011-1175: If a remote, unauthenticated, attacker were to rapidly open and close TCP connections to services using the ast_tcptls_* API, they could cause Asterisk to crash after dereferencing a NULL pointer. This flaw affects 1.6.2.x and 1.8.x, and is corrected in 1.6.2.17.1 and 1.8.3.1. |
| Alerts: | |
cobbler: privilege escalation
| Package(s): | cobbler | CVE #(s): | CVE-2011-1551 |
| Created: | April 1, 2011 | Updated: | April 6, 2011 |
| Description: | From the openSUSE advisory: /var/log/cobbler/ directory was owned by the web service user. Access to this account could potentially be abused to corrupt files during root filesystem operations by the Cobbler daemon. |
| Alerts: | |
evince: buffer overflow
| Package(s): | evince | CVE #(s): | CVE-2011-0433 |
| Created: | April 1, 2011 | Updated: | January 30, 2012 |
| Description: | From the openSUSE advisory: This update of evince fixes a buffer overflow in linetoken(). |
| Alerts: | |
ffmpeg: denial of service
| Package(s): | ffmpeg | CVE #(s): | CVE-2009-4639 |
| Created: | April 4, 2011 | Updated: | July 18, 2011 |
| Description: | From the Mandriva advisory: The av_rescale_rnd function in the AVI demuxer in FFmpeg 0.5 allows remote attackers to cause a denial of service (crash) via a crafted AVI file that triggers a divide-by-zero error. |
| Alerts: | |
ffmpeg: multiple vulnerabilities
| Package(s): | ffmpeg | CVE #(s): | CVE-2010-3908 CVE-2011-0480 CVE-2011-0722 CVE-2011-0723 |
| Created: | April 4, 2011 | Updated: | September 12, 2011 |
| Description: | From the Mandriva advisory: Fix memory corruption in WMV parsing (CVE-2010-3908). Multiple buffer overflows in vorbis_dec.c in the Vorbis decoder in FFmpeg, as used in Google Chrome before 8.0.552.237 and Chrome OS before 8.0.552.344, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted WebM file, related to buffers for (1) the channel floor and (2) the channel residue (CVE-2011-0480). Fix heap corruption crashes (CVE-2011-0722). Fix invalid reads in VC-1 decoding (CVE-2011-0723). |
| Alerts: | |
glibc: multiple vulnerabilities
| Package(s): | glibc | CVE #(s): | CVE-2011-0536 CVE-2011-1071 CVE-2011-1095 |
| Created: | April 5, 2011 | Updated: | November 28, 2011 |
| Description: | From the Red Hat advisory: The fix for CVE-2010-3847 introduced a regression in the way the dynamic loader expanded the $ORIGIN dynamic string token specified in the RPATH and RUNPATH entries in the ELF library header. A local attacker could use this flaw to escalate their privileges via a setuid or setgid program using such a library. (CVE-2011-0536) It was discovered that the glibc fnmatch() function did not properly restrict the use of alloca(). If the function was called on sufficiently large inputs, it could cause an application using fnmatch() to crash or, possibly, execute arbitrary code with the privileges of the application. (CVE-2011-1071) It was discovered that the locale command did not produce properly escaped output as required by the POSIX specification. If an attacker were able to set the locale environment variables in the environment of a script that performed shell evaluation on the output of the locale command, and that script were run with different privileges than the attacker's, it could execute arbitrary code with the privileges of the script. (CVE-2011-1095) |
| Alerts: | |
kdelibs4: man-in-the-middle attack
| Package(s): | kdelibs4 | CVE #(s): | CVE-2011-1094 |
| Created: | April 4, 2011 | Updated: | June 21, 2011 |
| Description: | From the CVE entry: kio/kio/tcpslavebase.cpp in KDE KSSL in kdelibs before 4.6.1 does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a certificate issued by a legitimate Certification Authority for an IP address, a different vulnerability than CVE-2009-2702. |
| Alerts: | |
loggerhead: cross-site scripting
| Package(s): | loggerhead | CVE #(s): | CVE-2011-0728 |
| Created: | April 4, 2011 | Updated: | April 6, 2011 |
| Description: | From the CVE entry: Cross-site scripting (XSS) vulnerability in templatefunctions.py in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view. |
| Alerts: | |
logrotate: multiple vulnerabilities
| Package(s): | logrotate | CVE #(s): | CVE-2011-1098 CVE-2011-1154 CVE-2011-1155 |
| Created: | March 31, 2011 | Updated: | June 26, 2012 |
| Description: | From the Red Hat advisory: A shell command injection flaw was found in the way logrotate handled the shred directive. A specially-crafted log file could cause logrotate to execute arbitrary commands with the privileges of the user running logrotate (root, by default). Note: The shred directive is not enabled by default. (CVE-2011-1154) A race condition flaw was found in the way logrotate applied permissions when creating new log files. In some specific configurations, a local attacker could use this flaw to open new log files before logrotate applies the final permissions, possibly leading to the disclosure of sensitive information. (CVE-2011-1098) An input sanitization flaw was found in logrotate. A log file with a specially-crafted file name could cause logrotate to abort when attempting to process that file a subsequent time. (CVE-2011-1155) |
| Alerts: | |
otrs: arbitrary command execution
| Package(s): | otrs | CVE #(s): | CVE-2011-0456 |
| Created: | April 1, 2011 | Updated: | April 6, 2011 |
| Description: | From the openSUSE advisory: Insufficient quoting of shell meta characters in otrs' webscript.pl could allow remote attackers to execute arbitrary commands. |
| Alerts: | |
php-doctrine-Doctrine: SQL injection
| Package(s): | php-doctrine-Doctrine | CVE #(s): | CVE-2011-1522 |
| Created: | April 4, 2011 | Updated: | April 21, 2011 |
| Description: | From the Doctrine advisory: The security hole was found and affects the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery() function which does not cast input values for limit and offset to integer and allows malicious SQL to be executed if these parameters are passed into Doctrine 2 directly from request variables without previous cast to integer. Functionality building on top using limit queries in the ORM such as Doctrine\ORM\Query::setFirstResult() and Doctrine\ORM\Query::setMaxResults() are also affected by this security hole. |
| Alerts: | |
xmlsec1: remote overwrite of arbitrary files
| Package(s): | xmlsec1 | CVE #(s): | CVE-2011-1425 |
| Created: | April 4, 2011 | Updated: | May 5, 2011 |
| Description: | From the Mandriva advisory: xslt.c in XML Security Library (aka xmlsec) before 1.2.17, as used in WebKit and other products, when XSLT is enabled, allows remote attackers to create or overwrite arbitrary files via vectors involving the libxslt output extension and a ds:Transform element during signature verification. |
| Alerts: | |
xorg-x11: arbitrary command execution as root
| Package(s): | xorg-x11 | CVE #(s): | CVE-2011-0465 |
| Created: | April 6, 2011 | Updated: | June 13, 2011 |
| Description: | From the X.Org advisory: By crafting hostnames with shell escape characters, arbitrary commands can be executed in a root environment when a display manager reads in the resource database via xrdb. These specially crafted hostnames can occur in two environments: |
| Alerts: | |
Page editor: Jake Edge