Monday, September 29, 2014

Shellshock: Patching GNU bash from source

Bash compilation notes, for the case where you want to compile bash yourself: you have an older version of bash, do not want to wait for your vendor, and do not want to upgrade to the latest version such as 4.3. The patches for Shellshock (CVE-2014-6271) are available for all the bash versions. However, the early fixes have not been stable and the attack vectors are still evolving, so we still need to keep an eye on developments.

Check what version you have with:
bash --version

Let's say I am running an old version of bash v 3.00

Before patching, I see that the trailing code after the function definition is getting executed:


[test@test ~]# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello

Step 1: Download the bash source (base version) from:
http://ftp.gnu.org/gnu/bash/


wget http://ftp.gnu.org/gnu/bash/bash-3.0.tar.gz


Step 2: Get all the patches for bash 3.0 from the patches location and save them in a directory say patches:

mkdir patches

http://ftp.gnu.org/gnu/bash/bash-3.0-patches/

Save them as bash30-001.patch etc., i.e. with a .patch extension for easy handling.


[test@test patches]# ls
bash30-001.patch  bash30-005.patch  bash30-009.patch  bash30-013.patch  bash30-017.patch
bash30-002.patch  bash30-006.patch  bash30-010.patch  bash30-014.patch  bash30-018.patch
bash30-003.patch  bash30-007.patch  bash30-011.patch  bash30-015.patch  bash30-019.patch
bash30-004.patch  bash30-008.patch  bash30-012.patch  bash30-016.patch

Step 3: Extract bash and copy patches to the src dir:


[test@test bash_test]# tar -xvzf bash-3.0.tar.gz

Copy the patches to the extracted bash source directory:


[test@test bash-3.0]# cp ../patches/*.patch .

Step 4: Apply the patches:


[test@test bash-3.0]# for x in *.patch; do patch -p0 < $x; done


Step 5: Confirm that the patches were applied; the second last line of patchlevel.h should say 19:


[root@cap bash-3.0]# cat patchlevel.h
...
#define PATCHLEVEL 19

#endif /* _PATCHLEVEL_H_ */


Step 6: Compile bash:


./configure ; make ; make install

Step 7: After patching, test:


[test@test bash-3.0]# env x='() { :;}; echo vulnerable' bash -c 'echo hello'
hello
The statement echo vulnerable did not execute.
I am not sure whether this test is complete, as there are other ways to exploit it as well. I saw some of them here:
http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/

Nevertheless, there have been 3 bash patches so far, and I have applied all of them.
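As an added example (not part of the original post), the checks from steps 5 and 7 as reusable shell functions, plus the patch loop from step 4 made to stop at the first failing patch. MARKER is a constructed stand-in for the word vulnerable; GNU patch and a Bourne-compatible shell are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: helpers around the
# patch-from-source procedure. Assumes GNU patch and a POSIX shell;
# MARKER is a constructed string used instead of the word "vulnerable".

# Read the patch level out of patchlevel.h ("#define PATCHLEVEL 19" -> 19).
patch_level() {
    sed -n 's/^#define[[:space:]]*PATCHLEVEL[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Succeed only if patchlevel.h reports at least the expected level, so a
# build from a partially applied patch set is caught before running make.
check_level() {
    lvl=$(patch_level "$1")
    [ -n "$lvl" ] && [ "$lvl" -ge "$2" ]
}

# The post's function-import test against one specific bash binary.
# A patched bash treats x as a plain variable and never runs the trailing
# command, so MARKER only shows up in the output of an unpatched one.
shellshock_status() {
    command -v "$1" >/dev/null 2>&1 || { echo missing; return 2; }
    out=$(env x='() { :;}; echo MARKER' "$1" -c 'echo hello' 2>/dev/null) \
        || { echo error; return 2; }
    case "$out" in
        *MARKER*) echo vulnerable ;;
        *)        echo ok ;;
    esac
}

# Apply every bashNN-NNN.patch in $1 in lexical (i.e. numeric) order from
# the bash source directory, stopping at the first patch that fails.
apply_patches() {
    for p in "$1"/*.patch; do
        [ -e "$p" ] || { echo "no patches in $1" >&2; return 1; }
        patch -p0 < "$p" || return 1
    done
}
```

Run shellshock_status against the exact binary you installed: the default ./configure prefix is /usr/local, so /bin/bash may still be the old one.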




Extras:

If you just want the compiled package so that you can install it on different machines, then use --prefix=destination_directory, like:


./configure --prefix=/home/test/compiled; make ; make install

This generates 4 directories (bin, info, man and share).

Tar it up so that you can distribute it to different machines:


cd /home/test/compiled

tar -cvzf bash_3.0.19_patched_binary.tar.gz bin/ info/ man/ share/

Before you extract the files into your root directory, make a backup of the old bash binary in /bin/bash:

mv /bin/bash /bin/bash_old

Extraction:

tar -xvzf bash_3.0.19_patched_binary.tar.gz -C /


References:

http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an

http://stevejenkins.com/blog/2014/09/how-to-manually-update-bash-to-patch-shellshock-bug-on-older-fedora-based-systems/


Friday, September 12, 2014

pyopenssl install using pip in windows 7 64-bit

pip and easy_install are not included by default in the Python 2.7.8 installation on Windows. I am not a Windows guy, but I live in a practical world where I cannot avoid it.

You can jump to the bottom (Part 2) for the installation of pyopenssl through pip, after installing pip through easy_install. Below (Part 1) are just some silly errors that I faced on Windows.

Part 1

A collection of errors/problems one faces while working on Windows.
I was trying to install pyopenssl using easy_install on Windows 7, 64-bit:

C:\Python27\Scripts>easy_install pyopenssl
.....
error: Setup script exited with error: Unable to find vcvarsall.bat



You need to install:

1. Visual Studio C++ 2008 Express Edition (this is 32-bit, a full installer that creates the environment variables as well)

http://download.microsoft.com/download/A/5/4/A54BADB6-9C3F-478D-8657-93B3FC9FE62D/vcsetup.exe

2. Microsoft Visual C++ 2008 Redistributable Package (x64) (same as step 1, but 64-bit; if you install this 64-bit installer alone, environment variables like VS90COMNTOOLS do not get created, so I had to install both the 32-bit and 64-bit versions). I would recommend searching for files like vcvars*.bat under Program Files to see where they got installed.

http://www.microsoft.com/en-in/download/details.aspx?id=15336

You need this if you have an architecture mismatch, e.g. your Python is 32-bit but the OS is 64-bit, or if you do not have a 64-bit compiler installed. You will see an error like this:

raise ValueError(sValueError: [u'path']

See here for details: http://stackoverflow.com/questions/2817869/error-unable-to-find-vcvarsall-bat


3. Windows SDK for Windows 7 and .NET Framework 3.5 SP1 (this provides the compiler and the header files; select only Windows Headers and Libraries and Visual C++ Compilers)

http://www.microsoft.com/en-us/download/details.aspx?id=3138

If you get "Cannot open include file: 'basetsd.h': No such file or directory", it means you did not select the headers and libraries options for the Microsoft SDK in step 3.

See here for details: http://stackoverflow.com/questions/23691564/running-cython-in-windows-x64-fatal-error-c1083-cannot-open-include-file-ba


If you do not want to get into all these Windows compilation troubles, I would recommend installing pyopenssl using pip:

Part 2:

Installing pyopenssl using pip, after installing pip through easy_install

1. Install easy_install through its setuptools installation script (https://pythonhosted.org/setuptools/easy_install.html#downloading-and-installing-a-package)
2. Use easy_install to install pip
3. Use pip to install pyopenssl (pip install pyopenssl)
4. Confirm with "import OpenSSL" at your IDLE Python prompt. The "OpenSSL" import is case-sensitive, so "import openssl" will fail. :)

Thursday, September 4, 2014

pcap.h: No such file or directory, /usr/bin/ld: cannot find -lpcap


thc-ipv6-lib.c:39:18: error: pcap.h: No such file or directory
In file included from thc-ipv6-lib.c:40:
..
/usr/bin/ld: cannot find -lpcap
collect2: ld returned 1 exit status
This is very basic stuff, but it helps me to make a note of what I did. If the gcc compiler is unable to locate the headers or the libraries, just find their location and compile with it. My old machine didn't have a pcap library installed, but I found an old nmap install which had its own pcap library. So just use the -I and -L flags to specify the location of the header files and library files respectively and get your job done. Nothing impressive about it.

http://www.network-theory.co.uk/docs/gccintro/gccintro_21.html

[root@ani thc-ipv6-2.5]# make
gcc -O2 -D_HAVE_SSL -c -o thc-ipv6-lib.o thc-ipv6-lib.c
thc-ipv6-lib.c:39:18: error: pcap.h: No such file or directory
In file included from thc-ipv6-lib.c:40:
....
Ran a find for pcap.h (find / -name pcap.h) which returned something like /tools/scanners/nmap-6.01/libpcap/pcap.h

[root@ani thc-ipv6-2.5]# gcc -O2 -D_HAVE_SSL -I/tools/scanners/nmap-6.01/libpcap -c -o thc-ipv6-lib.o thc-ipv6-lib.c
Then again, another problemo:

[root@ani thc-ipv6-2.5]# make
gcc -O2 -D_HAVE_SSL -o parasite6 parasite6.c thc-ipv6-lib.o -I/tools/scanners/nmap-6.01/libpcap -lpcap -lssl -lcrypto
/usr/bin/ld: cannot find -lpcap
collect2: ld returned 1 exit status
make: *** [parasite6] Error 1
Edit the Makefile to include the pcap library and header locations:

LDFLAGS+=-I/tools/scanners/nmap-6.01/libpcap -L/tools/scanners/nmap-6.01/libpcap -lpcap $(if $(HAVE_SSL),-lssl -lcrypto,)
and then off you go:

[root@ani thc-ipv6-2.5]# make
gcc -O2 -D_HAVE_SSL -o parasite6 parasite6.c thc-ipv6-lib.o -I/tools/scanners/nmap-6.01/libpcap -L/tools/scanners/nmap-6.01/libpcap -lpcap -lssl -lcrypto
gcc -O2 -D_HAVE_SSL -o dos-new-ip6 dos-new-ip6.c thc-ipv6-lib.o -I/tools/scanners/nmap-6.01/libpcap -L/tools/scanners/nmap-6.01/libpcap -lpcap -lssl -lcrypto
gcc -O2 -D_HAVE_SSL -o detect-new-ip6 detect-new-ip6.c thc-ipv6-lib.o -I/tools/scanners/nmap-6.01/libpcap -L/tools/scanners/nmap-6.01/libpcap -lpcap -lssl -lcrypto
gcc -O2 -D_HAVE_SSL -o fake_router6 fake_router6.c thc-ipv6-lib.o -I/tools/scanners/nmap-6.01/libpcap -L/tools/scanners/nmap-6.01/libpcap -lpcap -lssl -lcrypto
....
And for the remaining tools:
[root@ani thc-ipv6-2.5]# make
gcc -O2 -D_HAVE_SSL -o dnssecwalk dnssecwalk.c
In file included from dnssecwalk.c:24:
thc-ipv6.h:14:18: error: pcap.h: No such file or directory
In file included from dnssecwalk.c:24:
..
Just compile it with the correct arguments:

[root@ani thc-ipv6-2.5]# gcc -O2 -I/tools/scanners/nmap-6.01/libpcap -D_HAVE_SSL -o dnssecwalk dnssecwalk.c
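As an added example (not from the original post), the find-and-flag step above as shell functions: locate an out-of-tree libpcap such as the copy inside an nmap source tree and print the -I and -L flags the post adds to the Makefile. The search root is a parameter; only POSIX find, head and dirname are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: locate an out-of-tree libpcap
# and print the -I/-L flags to hand to the compiler and linker. Assumes
# POSIX find, head and dirname; the search root is passed as $1.

# Directory containing pcap.h below the given root, or failure if none.
pcap_include_dir() {
    f=$(find "$1" -name pcap.h 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    dirname "$f"
}

# Directory containing a built libpcap (static .a or shared .so) below root.
pcap_lib_dir() {
    f=$(find "$1" \( -name 'libpcap.a' -o -name 'libpcap.so*' \) 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    dirname "$f"
}

# One line of flags: -I fixes the "pcap.h: No such file" compile error and
# -L fixes the "cannot find -lpcap" link error, the two failures the post hits.
pcap_flags() {
    inc=$(pcap_include_dir "$1") || return 1
    lib=$(pcap_lib_dir "$1") || return 1
    printf '%s %s\n' "-I$inc" "-L$lib"
}

# With the path from the post, pcap_flags /tools/scanners/nmap-6.01 would
# print "-I/tools/scanners/nmap-6.01/libpcap -L/tools/scanners/nmap-6.01/libpcap"
# once libpcap has been built there; put the flags in the Makefile's
# LDFLAGS (or the -I part in CFLAGS) before running make.
```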


Monday, September 1, 2014

21 Books to make you an extreme tech master

Learning is an important part of our life. A habit of reading a lot of books not only keeps you updated with technology but also formalizes your knowledge, compared to random Google searches and reading through articles. Every book may or may not help you in your day-to-day job, but it will surely make you a different person once you have read and mastered the concepts thoroughly. Also, every book or author's style may or may not click with you immediately, so it is important to keep a lot of books in your arsenal.

This is a collection of a few books I would like to recommend to anyone who wants to learn tech stuff. If I have to guide beginners into reading a new book, this is what I recommend.

This is a very small list of books; I wanted to keep a motivational journal for my own reference and revisions.
Some of these books I read more than 5 years back and I still remember their awesomeness. I will keep updating this page as I get time. This is going to be very big.

Groovy

  • Programming Groovy
by Venkat Subramaniam

Groovy is a dynamic language. The syntax is very similar to Java and I decided to learn about it because I came across it for a small project.


Maven

  • Maven by Example 
  • Maven: The Complete Reference

  • Apache Maven 3 Cookbook

The above three books should be good enough to get a good grasp of Maven. For any problems and tricks, Stack Overflow is the best place to search.


Web Applications and Security

  • XSS Attacks: Cross Site Scripting Exploits and Defense
by Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, Petko D. Petkov

This is quite a powerful book if you want to master cross site scripting concepts and move beyond alert('xss').

  • SQL Injection Attacks and Defense
Quite a powerful book if you want to get into the complexities of SQL injection. Even though SQL injection is considered trivial these days, it actually requires a lot of understanding of the databases involved, their configuration, and what works or not, which could be enough to turn a beginner off.


  • Web Application Hackers Handbook
        http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470

  • High Performance Websites
You are missing a lot of details on how websites work and on which parameters are essential when evaluating the performance of web pages. A lot of case studies from Yahoo, written by a guy who worked on enhancing the performance of Yahoo products. Must read.

      http://shop.oreilly.com/product/9780596529307.do

General Security

  • Hacking: The Art of Exploitation, 2nd Edition

One of the best books out there to get a general idea of what goes on under the hood. The buffer overflow explanation is extremely good, and it also deals with several protections and exploitation techniques. Somehow the book gives you enough clarity.

  • Hacking Exposed series
Hacking Exposed: Network Security Secrets and Solutions, Sixth Edition
by Stuart McClure, Joel Scambray, George Kurtz



Exploitation and Tools

  • Chained Exploits: Advanced Hacking Attacks from Start to Finish
Andrew Whitaker (Author), Keatron Evans (Author), Jack Voth (Author)
http://www.amazon.in/Chained-Exploits-Advanced-Hacking-Attacks/dp/032149881X

This book deals with security in a very practical and enjoyable way, making it very easy to understand real-life security challenges and how to put security tools to practical use.


  • Buffer Overflow Attacks: Detect, Exploit, Prevent
by Jason Deckard

Totally focused on Buffer overflow attacks and their exploitation. Expert mode turned on.


  • Writing Security Tools and Exploits
by James C. Foster, Vincent T. Liu

  • The Shellcoder's Handbook: Discovering and Exploiting Security Holes
by Chris Anley

If you are into assembly and shellcoding techniques, this book will be extreme fun. Shellcode is the small piece of machine code that you try to get executed while exploiting a buffer overflow.


Mastering Wireshark and Network Analysis

  • Practical Packet Analysis, 2nd Edition
Using Wireshark to Solve Real-World Network Problems

  • Wireshark & Ethereal Network Protocol Analyzer Toolkit
(Jay Beale's Open Source Security)

Network packet analysis is a skill that a majority of professionals lack. These books will turn you into 'The One' who reads and understands what's going on on the wire, troubleshoots network-related problems and maps them to real-life use cases.


Cryptography (programming)

  • Java Cryptography
By Jonathan Knudsen

It is a little old, but very well written. Most of the concepts have not changed as far as JCE and JCA are concerned, and there are not many well-written books that cover Java cryptography. Have you ever wondered what exactly a SecureRandom is and what its significance is? How to use the Java JCE to encrypt stuff, and how to use different encryption algorithms and key sizes effectively to encrypt and decrypt data?



Linux related

  • Bash Cookbook
Solutions and Examples for bash Users
By Carl Albing, JP Vossen, Cameron Newham

This book turns you into a master of the bash shell. Minute differences that always puzzle even the experts, and by learning them you can show off.


  • SSH, The Secure Shell: The Definitive Guide
By Daniel J. Barrett, Richard E. Silverman

Everything you wanted to know about the SSH protocol.


  • Build your own Linux
Linux from Scratch project

By far the best Linux-oriented free book. Learn how to create your own Linux: compile all the packages, assemble your own tools, compile your own kernel. You learn what basic stuff is required to build a Linux system. If you know what you are looking for, you can build an extremely sophisticated Linux that deals with a specialized job and is very small too.

  • The Linux Kernel Module Programming Guide
        Peter Jay Salzman
        Michael Burian
        Ori Pomerantz

This is a free book. It's old, but it is very good for understanding the basics of kernel modules and how they work. You can also write and compile your own hello world kernel module. It covers lots of basics, so if you want to get an idea of the low-level working of the internals, you should give it a quick read. I am reading it because, while investigating Linux kernel related vulnerabilities, sometimes you need to understand how the whole kernel module/driver procedure works. A lot of times vulnerabilities are reported in the kernel, however it does not necessarily mean that your Linux is vulnerable. There are lots of ifs, oohs and aahs involved, and only a hawk-eyed kernel expert can tell you the difference.