On Being A Shellshock Rider

 Computing, Security  2 Responses »
Sep 262014
 

(With apologies to John Brunner for stealing and mangling the title of one his books which happens to be a considerably appropriate choice)

What?

The Shellshock vulnerability, where a 23-year old vulnerability in the bash Unix shell can sometimes be exploited by attackers to run their own code on a vulnerable server. So far this vulnerability has been found to be exploitable with certain popular services running on Unix-based systems (including Linux).

Why?

Because I happen to be one of those going around telling people to fix their servers. And because I needed a place to mouth off about some of the more idiotic reactions I have encountered.

How Bad Is It?

Well it’s unlikely that this will cause the collapse of human civilisation, and it’s probable that your fridge will continue to work.

It’s like being asked how long a piece of string is whilst you’re still hauling it in and have not found the other end yet. It could be a great deal worse than expected or a bit of a damp squib :-

  1. The exploits may be much harder to make use of than expected. An attacker needs to find the vulnerable scripts on the web servers out there, and unless a very common web applications is found to be vulnerable, this may not be that easy to find.
  2. There may be a lot more vulnerable devices out there than expected – all of the embedded devices that idiots are assuming are safe because they come with BusyBox could have bash installed as well because some developer found that their script worked with bash and not BusyBox.
  3. An attacker may accidentally release something like SQL Slammer and cause widespread disruption.

Ultimately we have to wait and see how bad it is likely to be. Peering in to a crystal ball is always dangerous but my best educated guess is that :-

  1. We won’t see an Internet melt-down.
  2. Some sites will be broken into and some of those will have data leaked. This will happen anytime between 23 years ago (yes it could have been exploited in the past) and 23 years from now.
  3. Some unexpected ways to exploit this vulnerability will be discovered – for example there are plenty of people who believe that Windows is safe from this; as it happens my Windows 2012 server does have bash installed on it.

Bash? Unix Shell?

Most early operating systems were controlled with some sort of command line where you would enter a command at a terminal, hit return, and then the computer would respond to your commands – a bit like DOS whose descendent can be discovered on a Windows system if you ever run cmd.exe. One of the innovations introduced by Unix was the concept of the user selecting which command processor to use and this command processor become known as the shell.

Most Unix shells allowed some level of programming initially to make repetitive interactive tasks easier to perform, but this eventually become shell scripting where useful functions could be made available persistently and to other users by writing a sequence of commands into a file.

The concept of replaceable shells allowed early Unix users to chose between various different shells – initially the Bourne shell (sh), and the C-Shell (csh), with improved shells coming along over time – the TENEX C-Shell (tcsh), the Korn shell (ksh), my shell of choice: Z-shell (zsh), and of course the Bourne Again Shell (bash).

The Vulnerability

Unix (and Linux … and Windows too) have the concept of environment variables where variables can be set to some value and that value will be available to child processes. As an example, the PATH environment variable is set when someone logs in, and is used to specify where to search for programs that are not supplied with a full pathname.

For instance, if you were to enter the command ls into a terminal window, this would be translated to the absolute path /bin/ls or c:\cygwin\bin using a the PATH environment variable.

Bash has a feature where it allows shell functions to be defined within an environment variable; however trailing code following the function is run.

Normally that would not matter, but when an attacker can provide the contents of the environment variable, then that attacker has a way of running their own code where they should not be able to.

Because it is the most serious way of exploiting this vulnerability discovered so far, everyone has concentrated on exploiting this vulnerability through a web server.

Most web servers use environment variables as a way of passing information about a request (i.e. data supplied by an attacker) to any scripts they run; when this script is a bash script or the non-bash script invokes another program via bash (very common amongst lazy programmers) then an attacker can run their own code on the server.

So What Is Vulnerable? And Exploitable?

Let us distinguish between vulnerable where a program with a serious flaw is installed, and exploitable where an attacker can make use of that vulnerability. Because if you just fix situations where a known exploit exists, you are still exposed to unknown exploits. And it is distinctly possible that attackers will develop more and more ways of exploiting this vulnerability over time.

The short answer to the question of what is vulnerable is that every device with bash installed is vulnerable.

To those thinking that only Linux servers are vulnerable, the list of what is vulnerable will probably come as a bit of a surprise :-

  1. It should be assumed that all iThingies (iPhones, iPads, etc.) have bash installed. After all, OSX has been confirmed to be vulnerable and the iThingies run something very similar.
  2. Android phones can run bash and it may be installed by default. If it is, then it is vulnerable.
  3. Windows machines do not come with bash installed by default, but that does not mean that it has not been installed at a later date. Any large corporate application that started life as a Unix-based application may well have an installation of bash lurking somewhere within it.
  4. Similarly for any other non-Unix based servers (VMS, IBM Mainframes, etc.). In fact I would not be surprised if the proportion of IBM mainframes with a vulnerable version of bash installed is surprisingly large.
  5. Embedded devices, or the Internet of Things. One of my pet peeves is the assumption that because people usually find BusyBox installed on devices they are familiar with, that they assume that all IoT devices have BusyBox and not bash. All it takes is one developer who finds their funky script doesn’t work with BusyBox but does with bash to result in an IoT device to have bash installed.

In the long term, it is possibly the last category that is the most exploitable because such devices are rarely updated, are assumed to be safe, and are frankly the most likely to be running rancid code that is easily exploitable.

Mitigations

With worms actively exploiting this hunting down all the vulnerable web servers, it’s time to ask about means to limit the damage :-

  1. Why haven’t you patched yet? Hasn’t the vendor released the patch? If not, go and shout at them.
  2. Turn off any services that you don’t need. Now.
  3. Why does your web server need to make connections to the outside world? First indications are that the worms out there at present download a second stage to start behaving badly. If your server can just do it’s job but cannot download stuff then any worm won’t be able to fully activate. This is not a panacea as you can still be exploited, but you cannot be automatically exploited.

Naked Celebrities!

 General, Media, Security  No Responses »
Sep 042014
 

So apparently a whole bunch of celebrities have had their naked selfies leaked by some “hacker”. As to how this was done, we don’t really know and will probably never know given that Apple is so secretive. But we can guess some possibilities :-

  1. The hacker built up a list of possible account names – jennifer (Jennifer Lawrence) might be a good one to try – and then tried the top 100 dumbest passwords against each one in turn. You would not get every single account this way, and a fair few would turn out to be a fan of Jennifer Lawrence rather than the celebrity herself. But you would get a few that way.
  2. The hacker targeted the celebrities with a phishing attack – basically asking the celebrity what their account password is. This sounds too unlikely to succeed, but with a plausible looking login page it does work surprisingly often. It’s not just the terminally stupid that fall victim to such attacks; the victims are really those who are too trusting and often in too much of a hurry.
  3. The next method a hacker might use is to tackle Apple’s password reset service which uses “memorable information” such as the name of your first school, your mother’s maiden name, etc. There is always a bit of a problem with “memorable information” such as this – it isn’t really that private, and a celebrity is likely to have “leaked” all such private information over time.
  4. Through some unknown vulnerability in Apple’s iCloud service. Given that we suspect that iCloud has certain “issues” with security (apparently Apple has no intruder lock out to make password guessing attacks harder), this isn’t impossible but I would guess that it is less likely that the two more obvious attacks above.

There’s a great deal of hateful “slut-shaming” going on over this celebrity leak which apart from anything else is really missing the point. It may be embarrassing for naked selfies to be leaked, but other personal information could be dangerous if leaked – the celebrity’s home address and alarm codes?

It is not the victim’s fault; it’s the fault of the anonymous (at the moment) hacker.

But the victim can improve their behaviour to make it harder to victimise them :-

  1. First of all if you’re called Jennifer Lawrence, don’t use any permutation of your name as a username; or even enter that as your full name into any cloud service. Make one up.
  2. Make sure you are using a sensible password. It needn’t be excessive, but anything that is just a single word is just not good enough.
  3. Be less trusting with your acount credentials. Make sure you know what the location bar in your browser is and where it is, and check it when you login. And don’t click on links in emails.
  4. If the service you are using offers two-factor authentication, turn it on.
  5. Learn about security; you are a target. Don’t go overboard (but see step 6), but spend an hour a week doing a little reading and taking steps to improve your personal security.
  6. Hire or befriend a geek who can act as your early warning system for threats. And someone you can go to for advice.

Note that I haven’t said “don’t take naked selfies” – it may be a bit foolish, but a life without a bit of foolishness is hardly a life at all.

And of course most of those suggestions work for ordinary people and not just celebrities!

“Unusual” IP Representations, and Why HP Needs Slapping With A Rotten Haddock

 Computing, Working Notes  No Responses »
Aug 272014
 

This post came about because HP (in their infinite wisdom) decided to make the web-based printer control all neat and tidy by aligning all of the IP columns and filling up the space with leading zeros. Spotted the problem yet?

Well you’re quicker than I was; although I had the advantage of knowing that something was wrong and that somebody had pasted that IP address with leading zeros, it took me a few seconds to wonder if it was just possible that leading zeros might be doing something “odd”.

The thing about IPv4 addresses (and IPv6 as well, but I’ll not be pasting in examples for those as they’re too long) is that they are not simply what we see on screen as 10.0.0.1 (or whatever). That representation is converted into a 32-bit binary number which is used as the address. As an example :-

✓ mike@pica» ping -c 1 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=0.688 ms

--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.688/0.688/0.688/0.000 ms
✓ mike@pica» ping -c 1 167772161  
PING 167772161 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=6.04 ms

--- 167772161 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 6.040/6.040/6.040/0.000 ms

As you can see, you do not have to use the conventional “dotted quad” representation; you can use the integer equivalent instead. You can also see why the “dotted quad” representation was invented!

To convert the “dotted quad” notation to an integer that can be used at the lowest level, certain calculations are performed. Either because of a peculiar clause in the original specifications of IPv4 addresses, or (and potentially more likely) as a side effect of one of the earliest implementations of IPv4, certain other representations are possible :-

✓ mike@pica» ping -c 1 0xa.0.0.1
PING 0xa.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=1.34 ms

--- 0xa.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.341/1.341/1.341/0.000 ms
✓ mike@pica» ping -c 1 012.0.0.1
PING 012.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=1.03 ms

--- 012.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.034/1.034/1.034/0.000 ms

As you can see, each individual octet (the numbers between the dots) can be represented in decimal (as we expect), in hexadecimal (by prepending “0x”), or most dangerously, octal (by prepending at least one “0”).

So an apparently innocuous IP address like 10.0.0.030 will actually by converted into an integer that can be converted back into a more usual 10.0.0.24 :-

✓ mike@pica» ping 10.0.0.030
PING 10.0.0.030 (10.0.0.24) 56(84) bytes of data.

There are several lessons to learn from this :-

  1. HP needs slapping with a really rotten haddock to make them realise that their printers have web interfaces that are unhelpful in the extreme.
  2. Leading zeros may be harmful, or at least may result in being slapped with a rotten haddock.
  3. Leading zeros in IP addresses indicate the use of octal and so the result may not be what you expect.
  4. Reading the screen can be helpful when diagnosing problems. It may be easy to miss, but there are clues enough to solve this little challenge even without knowing about octal.

 

Exploring (U)EFI

 Computing, Linux, Working Notes  No Responses »
Aug 152014
 

This post is likely to change frequently after it first appears as experiments/research/etc. occurs to me.

To get to grips with it, let’s first define the software that is in control of your PC when it first starts as the system firmware rather than the BIOS, as system firmware is a generic term which can refer to BIOS, EFI, UEFI, OpenFirmware, or anything else that someone comes up with.

UEFI (and the older EFI) is a replacement for the legacy BIOS that we’ve been stuck with for decades. Despite advances in almost every aspect of the “PC standard”, the BIOS has hardly advanced at all. To be fair, the user interface has gotten a bit less 1980s, and it of course deals with hardware devices that weren’t even imagined decades ago. But there are still some rather nasty limitations, which UEFI is supposed to resolve.

Of course there are those who claim that UEFI is a complete mess with no redeeming qualities, but the truth is probably somewhere between it being that and the neatest bit of system firmware ever invented.

This posting are my working notes (with the addition of a bit of pointless waffling) on UEFI, given that I’m likely to be found staring at a UEFI shell on a broken server at some point in the future. All experiments (so far) have been carried out with a VirtualBox-powered virtual machine (with UEFI turned on) running Ubuntu server.

Installation

The boot process looks a little different … unsurprisingly. And there’s an error in relation to missing UEFI stuff from the hard disk. But once the CD is booted the process looks the same …

Partitioning: Initially “Guided – use entire disk and set up LVM”

Doesn’t give an opportunity to review the partitioning, but :-

  1. EFISystem (/boot/efi) is roughly 512Mbytes
  2. /boot is roughly 256Mbytes
  3. LVM Volume Group

The Ubuntu installation uses grub as the boot loader, although it’s hardly the only option and there are hints that grub has been known to have issues with EFI. Although this could be “early adopters pain”, and not applicable currently.

GPT Partitions

See the Wikipedia article, but basically GPT replaced the old Master Boot Record partitions. The main advantage is that there are fewer dumb limits with GPT – there is no limit of 4 primary partitions (and no hacks to support extended partitions), but instead a minimum maximum of 128 partitions, which basically translates as the required minimum size of a partition table allows for up to 128 partitions but the partition table can be bigger.  More than you’re likely to need anyway.

Cleverly (if you want to put it that way), GPT can live alongside the old MBR partitions as the GPT starts at block 1 rather than block 0. This has been used by Apple to keep two partition tables so that OSX can use GPT whilst Windows still uses MBR.

Keeping two partition tables in sync is perhaps not the best idea for stability and given the need for backwards compatibility has only a limited useful lifetime, I’d rather live without it. In fact it would be nice if I could fill up the old MBR with stuff that told all MBR tools not to mess around with the partition tables.

In theory, (U)EFI and GPT are independent of each other, but in practice, GPT implies booting from UEFI and MBR implies booting from BIOS (some UEFI implementation switch to a BIOS-compatibility mode when they see an MBR).

The EFI System Partition

(U)EFI requires that to boot, a disk must have an EFI System Partition formatted as FAT. This is used as effectively a replacement for the BIOS boot method of loading code from block 0. This file system is usually mounted under Linux as /boot/efi and contains various files that allow Linux to be booted (more details to be added).

It is perhaps a shame that the EFI standards people didn’t suggest making the EFI system partition part of the on-board firmware. It wouldn’t be impossible (or very expensive) to incorporate a small writeable FAT file system into the motherboard to avoid the need for the EFI partition on one of the storage disks. It is not as if the EFI system partition needs to be very big – Ubuntu configured one as 512Mbytes in size which is vastly larger than required for what is actually installed which adds up to less than 4Mbytes.

EFIBOOTMGR

The tool efibootmgr is for interacting with the EFI boot manager and the EFI variables that control what gets booted in which order :-

# efibootmgr
BootCurrent: 0003
BootOrder: 0003,0000,0001,0002
Boot0000* EFI DVD/CDROM
Boot0001* EFI Hard Drive
Boot0002* EFI Internal Shell
Boot0003* ubuntu

The command has plenty of other options …

You can set the boot order with: efibootmgr -o 0002,0003,0001,0000. So I’ve set the preferred boot order to include the internal shell first … the purpose here is to look into EFI after all.

I also somehow managed to erase the “ubuntu” so re-created that with: efibootmgr -c -L UbuntuServer -l “\EFI\ubuntu\shimx64.efi” (yes unfortunately they use the wrong path separator).

EFI Shell

Is surprisingly limited. And rather too DOS-like for me.

Command Description
help Displays a list of the commands available … which very unhelpfully doesn’t pause at the end of the screen. Can also display additional details of a command if you try help command.
mode Displays a list of the available screen mode commands.
mode x y Sets the screen mode to the size specified (as listed with mode).
cls Clears the screen.
cls ${n} Clears the screen and sets the colours to a set specified by the number (0-7). Don’t bother; most of the choices are nasty.
map Displays teh mapping table showing the block devices (BLK${n}) and the recognised file systems (FS${n}). If you don’t have fs0 you’ve got problems!
fs0: Sets the specified file system as the current file system. This will change the prompt appropriately.
cd ${directory} Changes to the specified directory. Remember that the path separator is the DOS preferred character (\).
ls Lists files in the current directory.
edit ${filename} Edits the specified file (^S saves, ^Q quits), but don’t try editing files ending in .efi!
${filename}.efi Runs the EFI binary from the current directory, and yes that does mean you can boot Ubuntu Server by browsing to the \EFI\ubuntu directory and entering shimx64.efi (as I discovered after breaking the ubuntu boot option).

What’s With The Anti-Social Media?

 Computing  No Responses »
Aug 072014
 

There’s a bit of an anti-social media buzz around at the moment – apparently we’re not communicating properly if we’re not doing it in person, via phone, or by letter. There’s even a fairly popular video going around Facebook moaning about how we don’t communicate properly which I unfortunately cannot find a link to right now.

But what’s so bad about using technology to communicate?

Let’s get a few things settled to begin with :-

  1. Letters are just 19th century emails.
  2. Telegrams are just 19th century texts or instant messages.
  3. Phone calls are just 19th century (stretching a point here) voice chats.

Just because a technology is old doesn’t make it right; just because a technology is old doesn’t make it wrong.

There’s no arguing with the fact that communicating in the flesh as it were, is a much more complete form of communication than anything else. Take moving into a new place for example, someone who helps you move in by helping move the furniture is going to get a much better grasp of what your new home is like than someone who just sees a few snaps that you’ve tweeted.

But not everyone can be there helping you move in :-

  1. They could be stuck at work and unable to take the day off.
  2. They could be living on the other side of the planet – are you going to pay their travel costs?
  3. They could be physically limited and unable to handle the moving furniture bit.

But tweet a pic, and they’ll be able to share some part of the experience.

Now let’s assume you’re obsessed with physical keyboards (or any other unusual interest). Do the people around you share your obsession? Or do you have to visit specialist forums/groups/etc. to communicate with your fellow enthusiasts?

And not everyone finds it easy to communicate in a physical context :-

  • People who are house-bound find it difficult to make new physical acquaintances – should they stick a sign outside their front door saying “Lonely person fancies a chat.”, and would you respond to that?
  • There’s a whole bunch of “differently normal” people (specifically those with ASD) who may find physical communication impossible, difficult, or just rather boring who will gain a great deal more by communicating electronically.
  • Most of us have old acquaintances that we’re too busy to communicate “fully” with, but we’re definitely interested to see that they’re still alive and getting up to fun stuff.

Using technology enhances our communication options. We can choose to use those options, or not. Just as we can choose to emphasise physical presence or not.

 

 Older Entries  Newer Entries