• What is LogJam Attack ?

    What is LogJam Attack ?

    Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.

    Who is Affected ?
    Websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers are at risk for the Logjam attack

    How we will prevent this on Application side ?
    Update your applications ssl.conf file with the updated SSLCipherSuite and restart the service .

    1) Apache
    Disable support for SSLv2 and SSLv3 and enable support for TLS, explicitly allow/disallow specific ciphers in the given order :
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder     on
    2) Nginx
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    3) Apache Tomcat  ( in server.xml)
    <Connector
    ciphers="ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA, ECDHE-ECDSA-AES256-SHA, DHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA256, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA, DHE-RSA-AES256-SHA, AES128-GCM-SHA256, AES256-GCM-SHA384, AES128-SHA256, AES256-SHA256, AES128-SHA, AES256-SHA, AES, CAMELLIA, DES-CBC3-SHA"
    />
    4) Postfix ( /etc/postfix/main.cf )
    smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
    
    5) Sendmail ( LOCAL_CONFIG section of your /etc/mail/sendmail.mc )
    O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

     

    Reference : https://weakdh.org

  • glibc GHOST vulnerability ( CVE-2015-0235 )

    What is glibc ?
    Gnu library C or glibc is an implementation of standard c library and its a core member of linux OS .

    What is GHOST Vulnerability ?
    The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.And this bug is reported as CVE-2015-0235. Redhat and CentOS already ready with the fix and you can update your boxes to get the patched version.

    Why it is called as GHOST ?
    It is called as the GHOST vulnerability as it can be triggered by the GetHOST functions. ( gethostbyname*() set of functions )

    Are you safe ?
    As per redhat and qualys , most of the systems are vulnerable except those running with glibc-2.17 and glibc-2.18

    How to confirm whether you are safe or not ?
    qualys.com provided a vulnerability scanning script to check this

    ~]# rpm -qa | grep glibc
    glibc-2.12-1.107.el6_4.2.x86_64
    ~]# rpm -qa | grep release
    centos-release-6-4.el6.centos.10.x86_64

    ~]# /usr/bin/gcc ghost.c -o ghost
    ~]# ./ghost
    vulnerable

    After updating to patched version of glibc
    ~]# yum upgrade glibc
    ~]# rpm -qa | grep glibc
    glibc-2.12-1.149.el6_6.5.x86_64
    ~]# ./ghost
    not vulnerable

    ~]# cat ghost.c
     #include <netdb.h>
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     #include <errno.h>
     #define CANARY "in_the_coal_mine"
     struct {
     char buffer[1024];
     char canary[sizeof(CANARY)];
     } temp = { "buffer", CANARY };
     int main(void) {
     struct hostent resbuf;
     struct hostent *result;
     int herrno;
     int retval;
     /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
     size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
     char name[sizeof(temp.buffer)];
     memset(name, '0', len);
     name[len] = '\0';
     retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
     if (strcmp(temp.canary, CANARY) != 0) {
     puts("vulnerable");
     exit(EXIT_SUCCESS);
     }
     if (retval == ERANGE) {
     puts("not vulnerable");
     exit(EXIT_SUCCESS);
     }
     puts("should not happen");
     exit(EXIT_FAILURE);
     }

    References :-
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
    http://www.openwall.com/lists/oss-security/2015/01/27/9
    https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

  • CentOs Fix for Bash Bug ( CVE-2014-6271 & CVE-2014-7169 )

    After couple of days trouble today we got a fix from Centos for the so famous bash security issue ( For known loop holes
    CVE-2014-6271 & CVE-2014-7169 )

    CentOS 5 Fix  :-

    * i386:
    ( sha256sum ) 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7  :  bash-3.2-33.el5_10.4.i386.rpm

    * x86_64:
    ( sha256sum) b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c   :  bash-3.2-33.el5_10.4.x86_64.rpm

    CentOS 6 Fix: –

    * x86_64:

    http://mirror.centos.org/centos/6/updates/x86_64/Packages/bash-4.1.2-15.el6_5.2.x86_64.rpm

    * i386:

    http://mirror.centos.org/centos/5/updates/i386/RPMS/bash-3.2-33.el5_10.4.i386.rpm

    Test Output : –

    [[email protected] ~]# rpm -qa | grep bash
    bash-3.2-32.el5

    [[email protected] ~]# env X='() { (a)= >\’ bash -c “echo date”;
    bash: X: line 0: syntax error near unexpected token `=’
    bash: X: line 0: `X () { (a)= >\’
    bash: error importing function definition for `X’
    date
    [[email protected] ~]#

    * After updating to latest bash rpm.

    [[email protected] ~]# rpm -qa | grep bash
    bash-3.2-33.el5_10.4
    [[email protected] ~]#

    [[email protected] ~]# env X='() { (a)= >\’ bash -c “echo date”;
    date
    [[email protected] ~]#

     

    Reference :-

    http://lists.centos.org/pipermail/centos-announce/2014-September

  • Serious Bug with BASH ( CVE-2014-6271 )

     

    Note : Redhat updated this patch is incomplete and they are working with a new one at the moment ( CVE-2014-7169 ) , Refer for the details for CVE-2014-7169

    Affected platforms :-

    Red Hat Enterprise Linux 4 (ELS)/ 5 / 6 /7
    CentOs 5/6/7

    How to test  if your version of Bash is vulnerable to this issue or not ?

    [[email protected]]# env x='() { :;}; echo vulnerable’  bash -c “echo this is a test”
    vulnerable
    this is a test
    [[email protected]]#

    Resolution :-

    This issue affects all software that uses the Bash shell and parses values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.

    In order to avoid exploitation from CVE-2014-6271, ensure that your system is updated to at least  versions of Bash.

    # yum update bash

    Fix for CentOs platforms

    Centos 5

    bash-3.2-33.el5.1.i386.rpm / bash-3.2-33.el5.1.x86_64.rpm

    Centos 6
    bash-4.1.2-15.el6_5.1.i686.rpm / bash-4.1.2-15.el6_5.1.x86_64.rpm

    Note : Its always better to reboot your machine after upgrading to the latest bash package . If its a production critical machine and not able to do a quick reboot then please run ” /sbin/ldconfig “

    How to make sure your machine/server is secure after the package update ?

    Run the above command again

    [[email protected]]# env x='() { :;}; echo vulnerable’  bash -c “echo this is a test”

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x’
    this is a test

     

    Reference :-

    https://access.redhat.com/security/cve/CVE-2014-6271

    http://lists.centos.org/pipermail/centos/2014-September/146099.html

    https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

     

  • shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

    Today I saw an interesting error ,while restarting apache
    =======
    ]# /etc/init.d/httpd restart
    shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
    Stopping httpd: [ OK ]
    Starting httpd: shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
    [ OK ]
    ]#
    ===========
    may be you also face this or already faced.
    Don’t surprise …Just do a  ” cd  / ”   , or  cd  to any direcotry ..  it will fix the error !!   😉

    Why this error ?
    Usually the current working directory ( CWD ) will not exists ( in my case i have deleted the folder from another shell and trying to restart apache )

  • New PHP-CGI exploit: CVE-2012-1823, Badly affecting php scripts

    Recently some folks reported an interesting and nasty bug with php which will allow an intruder to view the source code and access the file systems.

    As per the update from php ( http://php.net ) , this bug has gone unnoticed for at least past 8 years .

    # Who all are affected ?

    If you are using Apache mod_cgi to run PHP you may be vulnerable to this bug.

    # Are you safe ?

    Just pass the argument “ ?-s “ to any of  your php pages and see.  Are you shocked ???
    If you pass the following arguments in your site , say example.com :

    1 ) http://example.com/index.php?-s
    Will dump your source code of the file index.php ( in simple words it will display the content of the file index.php )

    2) http://example.com/index.php?-dauto_prepend_file%3d/etc/passwd+-n
    Will display your /etc/passwd file !!!!!!!

    # Which all php versions are affected ?

    The PHP Group – PHP 5.3.11,PHP 5.3.10, 5.4.0 and  5.4.1

    # How to fix ?

    To fix this, upgrade your php to PHP 5.3.12 or PHP 5.4.2.

    # Any Patch ?

    Yes , php has provided  a temporary work around . I have tested and confirmed ( in php 5.3.10 )that  this will close the loop hole .
    Apply the following rewrite rule in your sites DocumentRoot .htaccess file .

     
             RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
             RewriteRule ^(.*) $1? [L]

     

    # More Reference ?
    http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
    http://www.php.net/archive/2012.php#id2012-05-03-1

  • STrace : Third Eye of a System Admin

     

    It was a monday early morning , I got a call from my SL1 team in offshore . It was regarding a unique issue of one application which is hosted in Apache tomcat platform .  After the initial investigation ,team updated the following and escalated the ticket to my queue.

    1) Site was not loading / 500 Internal Server Error
    2) Apache error log was throwing “ Premature End of Script “

    I started to work on that issue and found that particular “php” processes for that site was hitting the Maximum allowed connections in Apache . I couldnt find anymore info from apache logs .

    For example , if adminlogs.info is the site and “ admin “ is the username , 50 is the maximum allowed number of connections.

    # Ps aux | grep admin | wc -l
    51

    I decided to kill all these processes and restart apache . As expected , the site started to work as normal . But after few minutes its again hit the limit 50 !!!!  I felt something is stuck somewhere and the process cycle is not completing properly .

    And finally it was time to take a deeper look on the issue !!

    strace : strace is an excellent diagnostic tool for linux admins which will trace the system calls and signals.

    I decided to use strace to dig the above mentioned process , for example if the pid is “12345 “

    1) [email protected]:~ # strace -f -p 12345
    Process 27776 attached – interrupt to quit
    select (1024, [13], [], NULL, NULL

    here it clearly shows the system call is stuck with the ” Select ” query . Unfortunately , in the earlier stage of investigation we were not able to find/understand the file descriptor #13.

    ( In the above strace output , the first argument (1024) is the max number of file descriptors in a set, the second ([13]) is the set of file descriptors polled for reading, the third ([] – empty set) is the set of file descriptors polled for writing. )

    2) We can see the details of file descriptor (13) using  the ” lsof ” command as follows

    [email protected]:~ # lsof  -p 27776

    php-5.3.6 27009 dw02290c   13u IPv4 1612251401                 TCP server.web-global.com:49062->ldap-global4.com:ldap(ESTABLISHED)

    The above ” lsof ” output revealed that the file descriptor “13u ”  is stuck with a system call to a remote/backend ldap server . And due to which the process does not get any response from the remote ldap server and hence it became stuck/hung .

    3)  I confirmed the above connections using netstat command also

    [email protected]:~ # netstat -a | grep  ldap-global4.com
    tcp        0      0 server.web-global.com:49062  ldap-global4.com:ldap  ESTABLISHED

    4)  Then we advised the client to remove the above problem ldap server “ ldap-global4.com” from the configured server pool of their  application ( Issue was present in the staging site also ) . And later deployed the changes to live site after testing in staging site/ server.

    Hope this would be helpful to some of my friends facing such issues in future.

  • Hash Table Vulnerability or Hash Collision


    Description :-

    A hash table or hash map is a data structure that uses a hash function to map identifying values, known as keys , to their associated values . Thus, a hash table implements an associative array.  The various application servers store POST form data in hash tables, so that later they could be used during application development. If more than one key is hashed to a single hash using hash function, then it can lead to a problem called hash collision. Any application platform  that use a hash function  is easily affected by this vulnerability.

    A recent n.runs’ AG’s report explains that “If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request” .

    This in turn results on DoS(Denial of Service) attacks. In general terms, DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service or obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

    How the attack works :-

    Here, three different keys namely wolf, tiger and elephant are hashed to the same hash 05 through hash function. This increases the complexity of processing a request which involves these key values and finally results in hash collisions.

    Let us now take a quick glance at how these hash table vulnerabilities affect PHP, JAVA and Tomcat..

    1) Apache Tomcat

    As the Apache Tomcat uses hash tables for storing various http request parameters, it is affected by the above mentioned issues.

    As a remedial measure, Tomcat’s Mark Thomas said: “Tomcat has implemented a work-around for this issue by providing a new option (maxParameterCount) to limit the number of parameters processed for a single request, This default limit is 10000: high enough to be unlikely to affect any application; low enough to mitigate the effects of the DoS.”

    The workaround is available in variants 7.0.23 and onwards, and 6.0.35 and later. However it is suggested to implement these measures and to upgrade to safer versions which are less prone to such attacks.

    2) Java

    Java uses the HashMap and Hashtable classes, which use the String.hashcode() hash function. Hence it could be affected by hash collision.

    3) PHP

    The case of PHP is not different too. It uses another hash function, which paves a reason for these attacks to happen in PHP as well. PHP is telling to tweak max_input_time and max_execution_time.  Also they released one bug fix ,but not for production servers.

    Refer : http://www.php.net/archive/2011.php#id2011-12-25-1

    For those working platforms, where fixes are not yet released, the suggested work arounds are:-

    1. Limit CPU time
      Limiting the processing time for a single request can help minimize the impact of malicious requests.

    2. Limit maximum POST size
      Limiting the maximum POST request size can reduce the number of possible predictable collisions, thus reducing the impact of an attack.

    3. Limit maximum request parameters
      Some servers offer the option to limit the number of parameters per request, which can also minimize impact.

    In short, the basic idea is to regulate the traffic of CPU utilization. thereby,at least you can keep a control on such attacks affecting your server before the respective fixes are released.

    Reference :-
    http://www.nruns.com/_downloads/advisory28122011.pdf

    http://www.kb.cert.org/vuls/id/903934

  • Install mysql 5.5 from source

    I got a request from  one of my clients  to setup a mysql server with the latest version.  I decided to install mysql using source , because i always love compilation 🙂

    As usual I downloaded the latest source and fired the command ” ./configure ”  with options . But the result was not good 🙁

     

    =>> Download the latest MySql source

    wget http://dev.mysql.com/get/Downloads/MySQL-5.5/mysql-5.5.15.tar.gz/from/http://mysql.oss.eznetsols.org/
     
     
    =>> Configure ( Old Story )

    1)  tar -zxf mysql-5.5.15.tar.gz
    2)  cd mysql-5.5.15
    3)  ./configure
    ./configure: command not found

    ( After some goggling , i found  ”  In MySQL 5.5 onwards , CMake is used as the build framework on all platforms. ” )

     

    =>> Download and install cmake

    $  wget http://www.cmake.org/files/v2.8/cmake-2.8.5.tar.gz
    $  tar zxvf cmake-2.8.5.tar.gz
    $  cd cmake-2.8.5
    $  yum install gcc-c++
    $  ./configure
    $  make
    $  make install

     

    =>> Configure ( New Story )

    $ cd mysql-5.5.15

    $  Configure using cmake

    cmake . -DCMAKE_INSTALL_PREFIX=/usr/local/mysql5 -DMYSQL_TCP_PORT=3306  -DMYSQL_UNIX_ADDR=/tmp/mysql.sock 

    — Could NOT find Curses (missing:  CURSES_LIBRARY CURSES_INCLUDE_PATH)
    CMake Error at cmake/readline.cmake:83 (MESSAGE):
    Curses library not found.  Please install appropriate package,

    $ yum install ncurses-devel

    rm -f  CMakeCache.txt   ( Equivalent to ” make clean ”  )

    $  Again run the cmake command after fixing the curses error.

    cmake . -DCMAKE_INSTALL_PREFIX=/usr/local/mysql5  -DMYSQL_TCP_PORT=3306  -DMYSQL_UNIX_ADDR=/tmp/mysql.sock 

    more cmake configuration options here :  cmake options

    $  make

    $ make install

     

    =>> Post installation Steps

    $  cp support-files/my-medium.cnf   /etc/my.cnf

    $  cp support-files/mysql.server   /etc/init.d/mysql

    $  chown -R mysql:mysql .

    $  ./scripts/mysql_install_db  – -user=mysql  – -datadir=/var/lib/mysql

    $  /etc/init.d/mysql restart

    $  ./bin/mysqladmin -u root password ‘new-password’

    $  ./bin/mysql_secure_installation

    Thats its you installed mysql 5.5 successfully. You can configure / optimize the mysql using the my.cnf file .

     

    =>> Test the insatalation

    $ mysql -u root -p

    > create table new ;

    Hope that this will be helpful for someone worrying with ” ./configure command not found ” in mysql latest version.

    How to reset mysql root password : click here 🙂

  • FTP Failed to retrieve directory listing

    Some times we will get the error ” Failed to retrieve directory listing ” while trying to connect FTP .

    Most of the time its because of the missing ftp kernel module ” ip_conntrack_ftp

    1) Check if the ftp kernel module is exists

    lsmod | grep ftp

    2) Add the module

    modprobe ip_conntrack_ftp

    3 ) Restart ftp server

    This will fix your issue !!