• ImageMagick critical remote execution vulnerability – CVE-2016-3714

    What is ImageTragick? (CVE-2016-3714)

    In a vulnerable environment, ImageMagick commands allow remote code execution during conversion of several file formats.

    Which are the platforms affected ?

    As per Red Hat, the Red Hat 5, 6 and 7 platforms are affected by this vulnerability.

    How to check whether your platform is affected or not ?

    Create a .mvg file with the following content and run the convert command as shown. If your platform is vulnerable, the convert command will be able to list the folder contents.

    # vi exploit.mvg
    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg";|ls "-la)'
    pop graphic-context
    [root@check-bug config]# convert exploit.mvg out1.png
    total 172
    drwxr-xr-x 2 root root  4096 May  5 04:52 .
    drwxr-xr-x 4 root root  4096 Jun  2  2014 ..
    -rw-r--r-- 1 root root  3447 Feb 10  2014 configure.xml
    -rw-r--r-- 1 root root 11041 Feb 10  2014 delegates.xml
    -rw-r--r-- 1 root root 46238 Jun 28  2009 english.xml
    -rw-r--r-- 1 root root 49251 Jun 28  2009 francais.xml
    -rw-r--r-- 1 root root  2403 Mar 24  2009 locale.xml
    -rw-r--r-- 1 root root   369 May  5 04:42 out1.png
    -rw-r--r-- 1 root root  1873 May  5 04:52 policy.xml
    -rw-r--r-- 1 root root  9727 Feb 10  2014 type-ghostscript.xml
    -rw-r--r-- 1 root root 13655 Feb 10  2014 type-windows.xml
    -rw-r--r-- 1 root root   671 Feb 10  2014 type.xml
    convert: unrecognized color `https://example.com/image.jpg"|ls "-la' @ color.c/GetColorInfo/965.
    convert: no decode delegate for this image format `/tmp/magick-XXoEao8j' @ constitute.c/ReadImage/537.
    convert: Non-conforming drawing primitive definition `fill' @ draw.c/DrawImage/3124.
    [root@check-bug config]

    How to Fix this vulnerability ?

    1. Upgrade your ImageMagick packages to 6.9.3-10 or 7.0.1-1 (as per the ImageMagick blog, this bug is patched and released in these versions; refer
    2. Apply the manual patch via the policy.xml file: add policies to ImageMagick's policy.xml that disable processing of the MVG, HTTPS, HTTP, URL, FTP, EPHEMERAL and MSL coders within image files.

    How to apply the manual patch via additional policies ?

    Find policy.xml file on your distribution and add the following lines in <policymap> section of your policy.xml file.

    # vi policy.xml
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="HTTP" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="FTP" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />

    How to verify the fix ?

    After updating the policy.xml file, re-run the ImageMagick convert command. If the bug is fixed properly, the convert command will fail to list the directory.

    [root@check-bug config]#  convert exploit.mvg out2.png
    convert: not authorized `/tmp/exploit.mvg' @ constitute.c/ReadImage/425.
    convert: missing an image filename `out2.png' @ convert.c/ConvertImageCommand/2800.
    [root@check-bug config]#
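    As an added verification aid (example code written for this page, not part of the original post or of ImageMagick), the script below parses a policy.xml and reports which of the seven coder patterns above are still not denied. The BEFORE and AFTER documents are constructed samples; read your distribution's real policy.xml and pass its contents to missing_mitigations().

```python
import xml.etree.ElementTree as ET

# The seven coders the post's manual patch denies in policy.xml.
REQUIRED_DISABLED = {"EPHEMERAL", "HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL"}

def disabled_coders(policy_xml):
    """Return the coder names a policy.xml document denies all rights to.

    Accepts one-coder patterns ("MVG") and ImageMagick's brace-list form
    ("{HTTP,HTTPS,URL}"); names are compared case-insensitively.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "policymap":
        raise ValueError("not a policymap document")
    disabled = set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        if pol.get("rights", "").strip().lower() != "none":
            continue
        for name in pol.get("pattern", "").strip().strip("{}").split(","):
            if name.strip():
                disabled.add(name.strip().upper())
    return disabled

def missing_mitigations(policy_xml):
    """Coders from REQUIRED_DISABLED that this policy.xml still allows, sorted."""
    return sorted(REQUIRED_DISABLED - disabled_coders(policy_xml))

# Constructed sample: a policy.xml that carries only one of the seven lines...
BEFORE = """<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)+>
  <!ATTLIST policy domain CDATA #REQUIRED>
]>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
</policymap>
"""
# ...and the same file after the remaining six lines from the post are added.
AFTER = BEFORE.replace("</policymap>", "".join(
    '  <policy domain="coder" rights="none" pattern="%s" />\n' % c
    for c in ("HTTPS", "HTTP", "URL", "FTP", "MVG", "MSL")) + "</policymap>")

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, "still allowed:", missing_mitigations(doc) or "none")
```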



  • What is the Logjam Attack?

    What is the Logjam Attack?

    Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, SMTPS, and protocols that rely on TLS. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.

    Who is Affected?
    Websites, mail servers, and other TLS-dependent services that support DHE_EXPORT ciphers are at risk from the Logjam attack.
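    The downgrade described above ends with the server sending 512-bit Diffie-Hellman parameters. As an added example (not from the original post or from weakdh.org), this script parses the ServerDHParams in a captured TLS ServerKeyExchange message and classifies the modulus size the way weakdh.org does. The two moduli are constructed filler values, not real primes.

```python
import struct

SERVER_KEY_EXCHANGE = 0x0c  # TLS HandshakeType for ServerKeyExchange (RFC 5246, 7.4)

def _read_vector(buf, pos):
    """Read one uint16-length-prefixed opaque vector (TLS <1..2^16-1> syntax)."""
    (n,) = struct.unpack_from("!H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated DH vector")
    return buf[pos:pos + n], pos + n

def parse_dhe_server_key_exchange(msg):
    """Return (p, g, Ys) as ints from a DHE ServerKeyExchange handshake message.
    Only the ServerDHParams prefix is parsed; the signature that follows is ignored."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, pos = _read_vector(body, 0)
    g, pos = _read_vector(body, pos)
    ys, _ = _read_vector(body, pos)
    return tuple(int.from_bytes(x, "big") for x in (p, g, ys))

def assess_dh_group(p):
    """Classify the DH modulus size; thresholds follow weakdh.org's guidance."""
    bits = p.bit_length()
    if bits <= 512:
        return bits, "export-grade: breakable, the Logjam downgrade target"
    if bits < 1024:
        return bits, "weak: below 1024 bits"
    if bits < 2048:
        return bits, "1024-bit: weakdh.org rates this within reach of nation-state attackers"
    return bits, "ok: 2048 bits or more"

def build_server_key_exchange(p, g, ys):
    """Construct an unsigned DHE ServerKeyExchange for offline testing."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys)
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

# Constructed moduli (filler values, not real primes): 512-bit export-grade and 2048-bit.
EXPORT_P = (1 << 511) | 0xABCDEF
STRONG_P = (1 << 2047) | 0x123457

if __name__ == "__main__":
    for label, p in (("export", EXPORT_P), ("strong", STRONG_P)):
        parsed_p, g, ys = parse_dhe_server_key_exchange(build_server_key_exchange(p, 2, 0x1234))
        print(label, assess_dh_group(parsed_p))
```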

    How do we prevent this on the application side?
    Update your application's ssl.conf file with the updated SSLCipherSuite and restart the service.

    1) Apache
    Disable support for SSLv2 and SSLv3 and enable support for TLS; explicitly allow/disallow specific ciphers in the given order:
    SSLProtocol             all -SSLv2 -SSLv3
    SSLHonorCipherOrder     on
    2) Nginx
    ssl_prefer_server_ciphers on;
    3) Apache Tomcat  ( in server.xml)
    4) Postfix ( /etc/postfix/main.cf )
    smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
    5) Sendmail ( LOCAL_CONFIG section of your /etc/mail/sendmail.mc )


    Reference : https://weakdh.org

  • glibc GHOST vulnerability ( CVE-2015-0235 )

    What is glibc?
    The GNU C Library, or glibc, is an implementation of the standard C library and a core component of the Linux OS.

    What is GHOST Vulnerability ?
    The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without any prior knowledge of system credentials. This bug is reported as CVE-2015-0235. Red Hat and CentOS are already ready with the fix, and you can update your boxes to get the patched version.

    Why it is called as GHOST ?
    It is called the GHOST vulnerability because it can be triggered by the GetHOST functions (the gethostbyname*() set of functions).

    Are you safe ?
    As per Red Hat and Qualys, most systems are vulnerable except those running glibc-2.17 and glibc-2.18.

    How to confirm whether you are safe or not ?
    qualys.com provided a vulnerability scanning program to check this:

    ~]# rpm -qa | grep glibc
    ~]# rpm -qa | grep release

    ~]# /usr/bin/gcc ghost.c -o ghost
    ~]# ./ghost

    After updating to patched version of glibc
    ~]# yum upgrade glibc
    ~]# rpm -qa | grep glibc
    ~]# ./ghost
    not vulnerable

    ~]# cat ghost.c
     #include <netdb.h>
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     #include <errno.h>

     #define CANARY "in_the_coal_mine"

     /* The canary sits directly after the resolver buffer: if gethostbyname_r()
        writes past the buffer, the canary is overwritten. */
     struct {
       char buffer[1024];
       char canary[sizeof(CANARY)];
     } temp = { "buffer", CANARY };

     int main(void) {
       struct hostent resbuf;
       struct hostent *result;
       int herrno;
       int retval;

       /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
       size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
       char name[sizeof(temp.buffer)];

       /* A name made only of digits takes the numeric-address code path in which
          the buffer size was miscalculated. */
       memset(name, '0', len);
       name[len] = '\0';

       retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

       if (strcmp(temp.canary, CANARY) != 0) {
         puts("vulnerable");
         exit(EXIT_SUCCESS);
       }
       if (retval == ERANGE) {
         puts("not vulnerable");
         exit(EXIT_SUCCESS);
       }
       puts("should not happen");
       exit(EXIT_FAILURE);
     }


  • POODLE: SSLv3.0 vulnerability

    What is POODLE ?

    POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack.

    How to Fix ?

    At present there is no working patch for this bug, so admins need to manually disable SSLv3 on their servers.

    Disable SSLv3 – Apache

    1) Add "SSLProtocol All -SSLv2 -SSLv3" to httpd.conf

    2) Restart the apache service.

    Disable SSLv3 – Nginx

    1) Add "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" to nginx.conf under the ssl section.

    2) Restart the nginx service.

    Disable SSLv3 – PostFix

    1) Change smtpd_tls_mandatory_protocols to "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3"

    2) Restart the postfix server.

    Disable SSLv3 – Weblogic

    Start WebLogic with the following JVM option: "-Dweblogic.security.SSL.protocolVersion=TLS1"

    How to Diagnose ?

    # openssl s_client -connect localhost:443 -ssl3

    ==> If you have already disabled SSLv3, the output will be as follows:

    20888:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
    20888:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

    ==> If you have not disabled SSLv3 and you get the following output, then your server is vulnerable to POODLE!!

    depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
    verify return:1

    Certificate chain
     0 s:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com
       i:/C=SomeCountry/ST=SomeState/L=Some Place/O=Example Pte Ltd/OU=Systems/CN=453232-example/emailAddress=info@example.com




  • CentOs Fix for Bash Bug ( CVE-2014-6271 & CVE-2014-7169 )

    After a couple of days of trouble, today we got a fix from CentOS for the so famous bash security issue (for the known loopholes
    CVE-2014-6271 & CVE-2014-7169).

    CentOS 5 Fix  :-

    * i386:
    (sha256sum) 9755e86ad8536c908f95340be308190b52989bfa0d9268a461c40a3f0d493bc7 : bash-3.2-33.el5_10.4.i386.rpm

    * x86_64:
    (sha256sum) b1e14edd0d675c6fb0be64cb875fbd9fac208a58e427ea32f373c9359b35642c : bash-3.2-33.el5_10.4.x86_64.rpm

    CentOS 6 Fix: –

    * x86_64:


    * i386:


    Test Output : –

    [root@ ~]# rpm -qa | grep bash

    [root@ ~]# env X='() { (a)= >\' bash -c "echo date";
    bash: X: line 0: syntax error near unexpected token `='
    bash: X: line 0: `X () { (a)= >\'
    bash: error importing function definition for `X'
    [root@ ~]#

    * After updating to latest bash rpm.

    [root@ ~]# rpm -qa | grep bash
    [root@ ~]#

    [root@ ~]# env X='() { (a)= >\' bash -c "echo date";
    [root@ ~]#




  • Again Bash !!! ( CVE-2014-7169 )


    Note : CentOS Fix for CVE-2014-7169 

    Red Hat announced that the fix for CVE-2014-6271 is incomplete and reported a new one, CVE-2014-7169.

    As per the latest update they are working to patch this against CVE-2014-7169.

    People are able to recreate the bug as follows:

    /]$ rpm -qa | grep bash

    bash-4.1.2-15.el6_5.1.x86_64  ( patched version )

    ~]$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

    /]$ env X='() { (a)= >\' bash -c "echo date"; cat echo
    bash: X: line 0: syntax error near unexpected token `='
    bash: X: line 0: `X () { (a)= >\'
    bash: error importing function definition for `X'
    cat: echo: No such file or directory

    /]$ env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("
    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    bash: echo: Permission denied
    cat: echo: No such file or directory

    Waiting for the patch from Red Hat.




  • Serious Bug with BASH ( CVE-2014-6271 )


    Note: Red Hat has stated that this patch is incomplete and they are working on a new one at the moment (CVE-2014-7169); refer to the CVE-2014-7169 post for the details.

    Affected platforms :-

    Red Hat Enterprise Linux 4 (ELS)/ 5 / 6 /7
    CentOs 5/6/7

    How to test if your version of Bash is vulnerable to this issue or not?

    [root@]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    this is a test

    Resolution :-

    This issue affects all software that uses the Bash shell and parses values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by an application. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such.

    In order to avoid exploitation of CVE-2014-6271, ensure that your system is updated to at least the Bash versions listed below.

    # yum update bash

    Fix for CentOs platforms

    Centos 5

    bash-3.2-33.el5.1.i386.rpm / bash-3.2-33.el5.1.x86_64.rpm

    Centos 6
    bash-4.1.2-15.el6_5.1.i686.rpm / bash-4.1.2-15.el6_5.1.x86_64.rpm

    Note: It is always better to reboot your machine after upgrading to the latest bash package. If it is a production-critical machine and you are not able to do a quick reboot, then please run "/sbin/ldconfig".

    How to make sure your machine/server is secure after the package update ?

    Run the above command again:

    [root@]# env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test







  • Moin Moin Wiki Active Directory Integration

    I was trying to set up AD integration for our MoinMoin wiki. Unfortunately I couldn't see much straightforward documentation on this. Here I am sharing my settings, which worked pretty well.

    I have created a user wiki.admin in the AD and used that to query the Active Directory.


    # Active Directory authentication starts here
    from MoinMoin.auth.ldap_login import LDAPAuth
    ldap_authenticator1 = LDAPAuth(
        bind_dn='wiki.admin@adminlogs.info',
        bind_pw='password',
        base_dn='DC=adminlogs,DC=info',
        # LDAP REFERRALS (0 needed for AD)
        search_filter='(sAMAccountName=%(username)s)',
        # often 'givenName' - ldap attribute we get the first name from
        # often 'sn' - ldap attribute we get the family name from
        # often 'displayName' - ldap attribute we get the aliasname from
        coding='utf-8',
        timeout=10,
        # set to True to automatically create/update user profiles
        # whether to emit "invalid username or password" msg at login time or not
    )
    # this is a list, you may have multiple ldap authenticators as well as other authenticators
    auth = [ldap_authenticator1, ]
    # no anon user sessions, 1h session lifetime for logged-in users
    cookie_lifetime = (1, 1)
    # Active Directory authentication ends here


    Add the above to your wikiconfig.py file and restart apache. That's it!! You will be able to authenticate using Active Directory credentials 🙂

  • How to get mail statistics from your postfix mail logs

    Overview :-

    For the last few years I have been supporting postfix mail servers. I would like to share one nice log diagnosing tool that I have used the most: "Postfix Log Entry Summarizer" (pflogsumm).

    It is an amazing tool and will provide you the following details:

    • Total number of:
      • Messages received, delivered, forwarded, deferred, bounced and rejected
      • Bytes in messages received and delivered
      • Sending and Recipient Hosts/Domains
      • Senders and Recipients
      • Optional SMTPD totals for number of connections, number of hosts/domains connecting, average connect time and total connect time
    • Per-Day Traffic Summary (for multi-day logs)
    • Per-Hour Traffic (daily average for multi-day logs)
    • Optional Per-Hour and Per-Day SMTPD connection summaries
    • Sorted in descending order:
      • Recipient Hosts/Domains by message count, including:
        • Number of messages sent to recipient host/domain
        • Number of bytes in messages
        • Number of defers
        • Average delivery delay
        • Maximum delivery delay
      • Sending Hosts/Domains by message and byte count
      • Optional Hosts/Domains SMTPD connection summary
      • Senders by message count
      • Recipients by message count
      • Senders by message size
      • Recipients by message size

      with an option to limit these reports to the top nn.

    • A Semi-Detailed Summary of:
      • Messages deferred
      • Messages bounced
      • Messages rejected
    • Summaries of warnings, fatal errors, and panics
    • Summary of master daemon messages

    Installation :-

    Installation is very simple: just download the package and unzip it.

    •  wget http://jimsun.linxnet.com/downloads/pflogsumm-1.1.1.tar.gz
    •  tar -zxf pflogsumm-1.1.1.tar.gz
    • chown root:root pflogsumm-1.1.1


    Generate the statistics  :-

    #  cat /var/log/maillog | ./pflogsumm.pl
    (The above command will generate detailed statistics as follows.)

    Grand Totals

       1867   received
       3523   delivered
          0   forwarded
       707   deferred  (75  deferrals)
         35   bounced
        259  rejected (6%)
          0   reject warnings
          0   held
          0   discarded (0%)

      55528k  bytes received
      71732k  bytes delivered
         46   senders
         32   sending hosts/domains
        649   recipients
        350   recipient hosts/domains

    Per-Day Traffic Summary
        date          received  delivered   deferred    bounced     rejected
        Jul 17 2011       257       2003       7295          8
        Jul 18 2011       471        352         94          2        216
        Jul 19 2011       986       1000        145         23         33
        Jul 20 2011       153        168         55          2         10

    Per-Hour Traffic Daily Average
        time          received  delivered   deferred    bounced     rejected
        0000-0100           9          9          3          0          1
        0100-0200          11         10          4          1          4
        0200-0300          10         10          3          0          2
        0300-0400          11         13          3          0          2
        0400-0500          16         82        287          1          2

    I am sure this will definitely be helpful for somebody who is working with postfix mail servers.
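    As an added illustration of what the first part of the report above is built from (example code written for this page, not pflogsumm's own), the script below counts received, delivered, deferred, bounced and rejected messages and bytes received from Postfix log lines and prints them in the same Grand Totals layout. The log lines are constructed samples in the standard Postfix syslog format.

```python
import re
from collections import Counter

# Patterns for the Postfix syslog lines a summarizer keys on. Written for this
# example from the standard Postfix log format; they are not pflogsumm's own.
RE_QUEUED = re.compile(r"postfix/qmgr\[\d+\]: \w+: from=<[^>]*>, size=(\d+), nrcpt=(\d+)")
RE_DELIVERY = re.compile(r"postfix/(?:smtp|lmtp|local|virtual|pipe)\[\d+\]: \w+: "
                         r"to=<([^>]*)>,.*\bstatus=(sent|deferred|bounced)\b")
RE_REJECT = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject:")

def summarize(lines):
    """Count messages by outcome, bytes received and deliveries per recipient domain."""
    totals = Counter()
    bytes_received = 0
    recipient_domains = Counter()
    for line in lines:
        m = RE_QUEUED.search(line)
        if m:                       # one qmgr 'from=' line per message received
            totals["received"] += 1
            bytes_received += int(m.group(1))
            continue
        m = RE_DELIVERY.search(line)
        if m:                       # one delivery-agent line per recipient
            rcpt, status = m.groups()
            totals["delivered" if status == "sent" else status] += 1
            if status == "sent":
                recipient_domains[rcpt.rpartition("@")[2].lower()] += 1
            continue
        if RE_REJECT.search(line):  # smtpd refused the message before queueing
            totals["rejected"] += 1
    return {"totals": dict(totals), "bytes_received": bytes_received,
            "recipient_domains": recipient_domains.most_common()}

def format_report(summary):
    """Render the summary in the Grand Totals layout pflogsumm prints."""
    out = ["Grand Totals", ""]
    for key in ("received", "delivered", "deferred", "bounced", "rejected"):
        out.append("%8d   %s" % (summary["totals"].get(key, 0), key))
    out.append("%8dk  bytes received" % (summary["bytes_received"] // 1024))
    out += ["", "Recipient hosts/domains by message count"]
    for domain, n in summary["recipient_domains"]:
        out.append("%8d   %s" % (n, domain))
    return "\n".join(out)

# Constructed sample log (RFC 5737 documentation addresses), not a real maillog.
SAMPLE_LOG = """\
Jul 17 04:52:01 mx1 postfix/qmgr[999]: 3A2B1C4D5E: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Jul 17 04:52:02 mx1 postfix/smtp[1300]: 3A2B1C4D5E: to=<bob@example.com>, relay=mail.example.com[198.51.100.7]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jul 17 04:53:10 mx1 postfix/smtp[1301]: 4B3C2D5E6F: to=<carol@example.net>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to mail.example.net[192.0.2.9]:25: Connection timed out)
Jul 17 04:54:00 mx1 postfix/smtp[1302]: 5C4D3E6F70: to=<nobody@example.com>, relay=mail.example.com[198.51.100.7]:25, delay=1, delays=0.1/0/0.5/0.4, dsn=5.1.1, status=bounced (host said: 550 5.1.1 User unknown)
Jul 17 04:55:00 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 <x@example.com>: Relay access denied; from=<spam@example.invalid> to=<x@example.com> proto=ESMTP helo=<bad>
Jul 17 04:56:00 mx1 postfix/qmgr[999]: 6D5E4F7081: from=<dave@example.org>, size=1024, nrcpt=2 (queue active)
""".splitlines()
if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```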