\0x90\0x90\0x90

Security | 2008-12-23 03:53:07

I found a great quote on the Ubuntu security forums today.

I have been toying with the idea of setting up SNORT and managed AV and found this at the beginning of the tutorial.

“Paranoia will get you through times of no enemies better than enemies will get you through times of no paranoia” ~ Pete Granger

This quote so easily spells out the best approach to IT security.

Genius.



Networking | 2008-12-01 01:10:23

//EDIT
Fixed, see above posts.

//EDIT
It looks like something is wrong in this config. CME works perfectly, however the SIP registration fails; for some reason I never receive a SIP INVITE. So be wary when using this config.

I have had my Cisco 2621XM working with Call Manager Express for some time now, and have had calls routing through iiNet’s SIP servers, however recently I lost some configuration and had to rebuild it.

So I have decided to post it up here.

Note that this is only the SIP and CME configuration and heaps more is needed to actually run the router.


aaa authentication login LOCAL_AUTH local
aaa session-id common
!
ip dhcp pool p900
network 10.5.0.0 255.255.0.0
dns-server 203.0.178.191
default-router 10.5.0.1
option 150 ip 10.5.0.1
domain-name cme
!
voice service voip
sip
localhost dns:iinetphone.iinet.net.au
!
!
voice class codec 1
codec preference 1 g729br8
voice translation-rule 1
rule 1 /02XXXXXXXX/ /02XXXXXXXX/
rule 2 /XXXXXXXX/ /02XXXXXXXXX/
!
voice translation-rule 2
rule 1 /02XXXXXXXX/ /XXXXXXXX/
!
!
voice translation-profile Incoming_Number
translate called 2
!
voice translation-profile Outgoing_Number
translate calling 1
!
tftp-server flash:P00308000400.bin
tftp-server flash:P00308000400.loads
tftp-server flash:P00308000400.sb2
tftp-server flash:P00308000400.sbn
!
sccp ccm 10.5.0.1 identifier 1
!
sccp ccm group 1
associate ccm 1 priority 1
!
!
dial-peer voice 1 voip
description STD Calls
translation-profile incoming Incoming_Number
translation-profile outgoing Outgoing_Number
destination-pattern .T
voice-class codec 1
session protocol sipv2
session target dns:sip.nsw.iinet.net.au
dtmf-relay sip-notify rtp-nte
no vad
!
!
sip-ua
authentication username 02XXXXXXXX password XXXX realm iinetphone.iinet.net.au
no remote-party-id
retry invite 4
retry response 3
retry bye 2
retry cancel 2
retry register 5
timers register 300
mwi-server dns:sip.nsw.iinet.net.au expires 3600 port 5060 transport udp unsolicited
registrar dns:sip.nsw.iinet.net.au expires 3600
sip-server dns:sip.nsw.iinet.net.au
!
!
telephony-service
load 7960-7940 P00308000400
max-ephones 5
max-dn 5
ip source-address 10.5.0.1 port 2000
system message CCM4
time-format 24
date-format dd-mm-yy
voicemail 9999
mwi relay
max-conferences 4 gain -6
moh flash:music-on-hold.au
web admin system name XXXX XXXX
dn-webedit
time-webedit
transfer-system full-consult
transfer-pattern ....
directory entry 1 0001 name XXXX
create cnf-files version-stamp 7960 Oct 14 2008 07:28:46
!
!
ephone-dn  1  dual-line
number 02XXXXXXXX
label Main Phone
description Main Phone
name Main Phone
no huntstop
!
!
ephone  1
description Home 7940
mac-address 0011.93B6.CE9C
speed-dial 1 04XXXXXXXX label XXXX
type 7940
button  1:1


Networking | 2008-10-12 21:04:20

As part of my current job, I manage IP telephony for a building with about 600 endpoints.

In .AU we go from +10GMT to +11GMT for daylight savings, which comes into effect on the first Sunday of October. When we swapped over the times for daylight savings we noticed that some of the phones pull time from different sources. I searched for a definitive answer but couldn't find one in time.

Here is what we experienced. We run Cisco Call Manager 4.2(3)sr3a. The 7970 and 7975s pull time directly from the Windows taskbar time, so whatever time is showing on the taskbar is the time that will be shown on the 70s and 75s. The 7906, 7940 and 7960 are a bit different: they seem to pull the time from the CCM Date/Time Group (DTG). The DTG is influenced by the Windows time, however the DTG will apply DST automatically.

This is what we experienced. If Windows was set at +10GMT and the DTG was also set at +10GMT (both in the Sydney TZ) and the time was 1PM, the 7X's would show 1PM but all other phones would show 2PM. This is because the DTG thinks: hey, Windows is +10GMT but I know we're in DST, so I will apply another hour.

We were worried about placing either the Windows or CCM time in different TZ’s for logging reasons. If something was to happen down the track, the logs still need to reflect the right time.

I believe that these inconsistencies may have been caused by a number of factors inclusive of old firmware versions and windows patches not being applied. However due to this being a production network, upgrades on the fly are risky to do.

The fix here was to apply +10GMT(Syd) to Windows, set at the right time, and also +10GMT to CCM, but place it in the Brisbane TZ. This removed the errors as Brisbane does not participate in DST, but also kept both times at +10 to satisfy the logs.

Hope this helps someone.
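The behaviour above, modelled in Python as an added example (this is not Cisco's or Windows' actual time logic, only a model of what was observed): the DTG applies its own DST on top of the taskbar time, so a Sydney DTG adds an hour in October while a Brisbane DTG does not. The first-Sunday-of-October/first-Sunday-of-April rule is the Australian one the post relies on.

```python
from datetime import date, datetime, timedelta

# Standard offset from GMT (hours) and whether the zone observes daylight saving.
# Sydney moves to +11 during DST; Brisbane (Queensland) stays on +10 all year.
ZONES = {
    "Australia/Sydney": (10, True),
    "Australia/Brisbane": (10, False),
}

def first_sunday(year, month):
    """Date of the first Sunday of the given month (weekday() == 6 is Sunday)."""
    first = date(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7)

def dst_in_effect(day, zone):
    """Australian DST as used since 2008: first Sunday in October to first Sunday in April."""
    _, observes_dst = ZONES[zone]
    if not observes_dst:
        return False
    return day >= first_sunday(day.year, 10) or day < first_sunday(day.year, 4)

def phone_times(windows_local, dtg_zone):
    """Model of the observation in the post: 7970/7975 mirror the Windows taskbar time
    as-is, while 7906/7940/7960 show the Date/Time Group time, which here is the
    Windows time with the DTG's own DST adjustment applied on top."""
    newer = windows_local
    shift = timedelta(hours=1) if dst_in_effect(windows_local.date(), dtg_zone) else timedelta()
    older = windows_local + shift
    return newer, older

def skew_minutes(windows_local, dtg_zone):
    """How far the older handsets drift from the 7970/7975s for a given DTG zone."""
    newer, older = phone_times(windows_local, dtg_zone)
    return int((older - newer).total_seconds() // 60)

if __name__ == "__main__":
    taskbar = datetime(2008, 10, 12, 13, 0)  # 1PM on the taskbar, a week after DST started
    for zone in ZONES:
        n, o = phone_times(taskbar, zone)
        print(f"DTG={zone}: 7970 shows {n:%H:%M}, 7940 shows {o:%H:%M}")
```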



Security | 2008-02-03 23:20:04

The other day whilst browsing OC I came across readable source for the PHP/Obfu.A IRC bot. I’m not sure whether the user contributed the actual readable code or had edited one of the obfuscated versions, but I decided to take a look at it.

It seems that PHP/Obfu.A was detected on the 30th of Jan 08 by two sources:

  • http://www.f-secure.com/weblog/archives/00001371.html
  • http://www.teamfurry.com/wordpress/2008/01/30/php-based-IRC-botnet-fast-flux-of-course/

Obfu.A is an RFI (remote file inclusion) IRC bot that uses vulnerabilities in PHP code to execute remote PHP scripts. It uses the compromised site to load the remote script, join an IRC server (or in this case a number of IRC servers), and is then controllable by the bot-master. It is heavily obfuscated, including the variables and server settings.

For more information on RFI exploits, see:

  • http://www.offensivecomputing.net/?q=node/624
  • http://en.wikipedia.org/wiki/Remote_File_Inclusion

I was about to test the usability of the code, but found that all settings, server details, passwords etc, were encrypted so as to further obfuscate the code. The script included a decrypting function using a cipher-key type of encryption, but had no function to encrypt. I set about analysing the decryption process and reversed it to create an encryption code so it would be usable in my tests.

Here's the original decrypt code:

function decrypt_settings($input)
{
    $output = '';
    $input = base64_decode($input);
    for ($i = 0; $i < strlen($input); $i++) {
        $character = substr($input, $i, 1);
        // one key character per position; the key is itself stored base64-encoded
        $offset_character = substr(
            decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYz" .
                   "NV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUj" .
                   "JCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="),
            ($i % strlen(decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYz" .
                                "NV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQ" .
                                "hQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="))) - 1,
            1
        );
        // subtract the key character's ASCII value from the ciphertext character's
        $character = chr(ord($character) - ord($offset_character));
        $output .= $character;
    }
    return $output;
}

function decode($input)
{
    $input = base64_decode(remove_spaces($input));
    return $input;
}

function remove_spaces($input)
{
    $input = str_replace(" ", "", $input);
    return $input;
}

Those functions are called by something like decrypt_settings($settings['mo']). In this case mo from the array had the value cqtrig==

Let’s take a look at what it's doing. First the function is called, and $input receives the value of an encrypted string. $input is then base64 decoded. Base64 is an encoding scheme (not encryption in itself) for which PHP has built-in encode and decode functions. We will work with the encrypted string cqtrig==.

The base64 decoded value is r«kŠ, which means nothing to us so far.

Next is the for loop, which basically says, increment $i whilst the value of $i is still less than the length of the $input string, which in this case is 4 characters, so run the loop 4 times.

$character gains the value of each letter, so on the first pass though the for loop, it will contain r, second «, etc etc

Then we find the $offset_character. At this point it is easiest for reading if we base64 decode the M0Ah….. string, which gives:
3@!#!@$^&*^&@#$!@#!@#!$#%#$%#$%e32@34@hTh4@we5635^!@#*^7FHGE$@%@#@#$@#!@#$!@#@!#$#%#$%^%&^%&%^&*SDF#@$!FAW$FAASDE

Now the substr function will return a portion of the string which is defined by where the starting point is, and how many characters to take. substr ( string $string , int $start [, int $length ] )
3@!#!….. is our string.

The starting point is found by using another equation, $i % strlen(decode("M0Ah……")) - 1. This piece of code finds the remainder of $i divided by the string length of 3@!#!…., which is 113 characters. So in essence it takes $i divided by 113 and the result is the remainder minus 1.

From tests that I did, the result of the equation is always one value less than $i. Then it takes one character at its pointer. So if $i is character number 26 in our encrypted string, substr will take the 26th character from the cipher text of 3@!#!….

For example on the first pass through the for loop, $i = 0, which means that substr’s result will be $offset_character = substr(3@!#!…. , -1, 1), so move the pointer one character from the end of the string, then let $offset_character equal that value. So therefore the first run through the for loop, $offset_character will equal E (from the end of 3@!#!….), the second run through $offset_character will equal 3, third @, etc etc.

So back to our example of r«kŠ,
Pass one through the for loop:
$character = r
$offset_character = E
Pass two through the for loop:
$character = «
$offset_character = 3
Pass three through the for loop:
$character = k
$offset_character = @
Pass four through the for loop:
$character = Š
$offset_character = !

Now after we have our $character and $offset_character vars filled, they are put through this: $character = chr(ord($character) - ord($offset_character))

Let's simplify it: ord($character) - ord($offset_character). ord is a built-in PHP function which returns the ASCII value of a character. I found a decent ASCII table site here:

  • http://pages.videotron.com/cdao/ASCII.htm

So for r and E in our example, r = 114, E = 69, so 114 - 69 = 45. So now in our function $character = chr(45). chr is a built-in PHP function which returns the character for an ASCII value. In this case 45 = - (the hyphen-minus character).

So at the end of the first pass through the for loop $character equals -, which is then appended to $output by $output .= $character;

After we run through the four passes of the for loop, we should get -x+i, which is our decrypted setting!
In PHP/Obfu.A -x+i is used as the channel mode. However this process can be applied to all settings.

Now we know it decrypts the settings, how about encrypt?

This is what we have so far: r - E = - or 114 - 69 = 45.
So to encrypt we have r as our unknown (x), so x - E = - or x - 69 = 45.
Using maths (:o!) we can find x by x = - + E, and then rearranging to get x = 45 + 69, therefore x = 114.

Now the fun part, rearranging the PHP to encrypt. We will reuse the decryption function and just move some things, as most of it stays the same.

Seeing as we're starting off with what we want to encrypt, we don’t need to base64 decode it, so we can remove $input = base64_decode($input). The for loop stays the same, as we're using the same principles of the cipher text.
Although when it comes to $character = chr(ord($character) - ord($offset_character)), we now want to add the ASCII values to gain our encrypted value, so it becomes $character = chr(ord($character) + ord($offset_character));

Finally we want to base64 encode the entire string, not just the individual characters. This is because the first thing when decrypting, is the string is base64 decoded, so we want to base64 encode. To do this to the entire string it needs to be outside the for loop.

The final encrypt function should look like this:

function encrypt_settings($input)
{
    $output = '';
    for ($i = 0; $i < strlen($input); $i++) {
        $character = substr($input, $i, 1);
        // same key lookup as decrypt_settings(); decode() and remove_spaces() are defined above
        $offset_character = substr(
            decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYz" .
                   "NV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUj" .
                   "JCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="),
            ($i % strlen(decode("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYz" .
                                "NV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQ" .
                                "hQCNAISMkIyUjJCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU="))) - 1,
            1
        );
        // add instead of subtract: the inverse of the decrypt step
        $character = chr(ord($character) + ord($offset_character));
        $output .= $character;
    }
    // base64 encode the whole string once, outside the loop
    return base64_encode($output);
}

You can call this function using something similar to this:

$encrypted_settings = encrypt_settings("yoursettings");
echo($encrypted_settings);

So then you should have your encrypted string!
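The decrypt and encrypt routines re-expressed in Python, as an added example for analysis (this is not the bot's own code; the key is the base64 string from the listings above). It also handles the wrap-around PHP's chr() applies when a sum or difference leaves the 0..255 range, so the round trip stays consistent for any byte.

```python
import base64

# The bot's obfuscation key, exactly as embedded (base64-encoded) in the decode() calls above.
KEY_B64 = ("M0AhIyFAJF4mKl4mQCMkIUAjIUAjISQjJSMkJSMkJWUzMkAzNEBoVGg0QHdlNTYz"
           "NV4hQCMqXjdGSEdFJEAlQCNAIyRAIyFAIyQhQCNAISMkIyUj"
           "JCVeJSZeJSYlXiYqU0RGI0AkIUZBVyRGQUFTREU=")
KEY = base64.b64decode(KEY_B64)  # 113 bytes, starts "3@!#!@" and ends "FAASDE"

def key_byte(i):
    """Key byte the PHP picks for position i: substr($key, ($i % 113) - 1, 1).
    For i % 113 == 0 the start is -1, which substr() treats as "last character",
    so the key is effectively used rotated by one. Python's negative index agrees."""
    return KEY[(i % len(KEY)) - 1]

def decrypt_setting(b64_setting):
    """Mirror of decrypt_settings(): base64-decode, then subtract the key byte per position.
    PHP's chr() masks its argument to 8 bits, hence the & 0xFF."""
    raw = base64.b64decode(b64_setting)
    return bytes((c - key_byte(i)) & 0xFF for i, c in enumerate(raw))

def encrypt_setting(plain):
    """Inverse of decrypt_setting(): add the key byte per position, then base64-encode.
    Accepts str or bytes; & 0xFF keeps sums above 255 consistent with PHP's chr()."""
    if isinstance(plain, str):
        plain = plain.encode("latin-1")
    raw = bytes((c + key_byte(i)) & 0xFF for i, c in enumerate(plain))
    return base64.b64encode(raw).decode("ascii")

if __name__ == "__main__":
    # "cqtrig==" is the 'mo' (channel mode) setting walked through above
    print(decrypt_setting("cqtrig=="))  # b'-x+i'
    print(encrypt_setting("-x+i"))      # cqtrig==
```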

Hopefully this week I'll be able to analyse the rest of the bot, but most of the hard work is now done by figuring out the encryption.

Hope this helps, have fun 🙂



Security | 2007-12-12 06:03:34

An exploit exists in Media Player Classic when processing a crafted MP4 file. The file causes a stack overflow which can be used to execute shellcode.

Source code available at: http://milw0rm.com/exploits/4701

Movie of compiling and exploiting:

http://www.ecks90.com/files/mplayer.exploit.movie.rar


Security | 2007-12-12 05:40:09

An exploit exists in Windows Explorer when processing a crafted GIF file. When read from disk, the file will cause a Denial of Service for explorer.exe

Source code available at: http://milw0rm.com/exploits/4215

Movie of compiling and exploiting:

http://www.ecks90.com/files/explorer.gif.dos.movie.rar


IT | 2007-12-12 02:42:56

Well as of Friday 7th December I am now RHCT certified (Red Hat Certified Technician)

I managed to pass with 100% which was awesome, now bring on the RHCE!



Security | 2007-11-14 11:00:48

For those unfamiliar with rainbow tables check out:
  • http://en.wikipedia.org/wiki/Rainbow_table
  • http://www.antsight.com/zsl/rainbowcrack

Rainbowcrack is typically a Windows based package, however as my server runs Linux and runs constantly I thought I would try and use the source package to compile it on Linux. My server currently runs Ubuntu 7.04, however varying distros shouldn't matter greatly.

Compiling Rainbowcrack under Linux isn't hard, however it's not as point and click as win32, and as the default makefile.linux packaged with the source didn't work for me, I thought I would fix it up for others wishing to run it on Linux. There are two ways of compiling rainbowcrack under Linux, one easy way and one hard way. I chose the hard way not thinking that there was an easy way, however I will only outline the easy way.

Before compiling the source, you must have gcc and/or g++, openssl, libssl and libssl-dev installed. You must also have the source for openssl. Whether these are installed by rpm, a package manager or compiled from source doesn't make any difference, as I successfully did both and it worked. Firstly put the unzipped rainbowcrack source in the same directory as the untarred/unzipped openssl source. Next edit (vi/gedit) the makefile.linux in the rainbowcrack-??-src/src directory so that it reads...

all: rtgen rtdump rtsort rcrack

rtgen:
	g++ -I ../../openssl-0.9.8e/include Public.cpp ChainWalkContext.cpp HashAlgorithm.cpp HashRoutine.cpp RainbowTableGenerate.cpp -lssl -O3 -o rtgen

rtdump:
	g++ -I ../../openssl-0.9.8e/include Public.cpp ChainWalkContext.cpp HashAlgorithm.cpp HashRoutine.cpp RainbowTableDump.cpp -lssl -o rtdump

rtsort:
	g++ -I ../../openssl-0.9.8e/include Public.cpp RainbowTableSort.cpp -o rtsort

rcrack:
	g++ -I ../../openssl-0.9.8e/include Public.cpp ChainWalkContext.cpp HashAlgorithm.cpp HashRoutine.cpp HashSet.cpp MemoryPool.cpp ChainWalkSet.cpp CrackEngine.cpp RainbowCrack.cpp -lssl -O3 -o rcrack

Pretty much we're just defining the includes for openssl in the compilation process. If you're using a different directory structure just adjust the ../ as necessary. You will most likely receive error messages like line 2: all:: command not found, repeated for rtgen, rtdump, rtsort and rcrack. Don't worry, everything worked: that message is what the shell prints when the makefile is executed as a script rather than passed to make, and because each g++ line is a valid shell command on its own, the binaries still get built. Running it with make -f makefile.linux (recipe lines must be tab-indented for make) avoids the messages altogether.

Also if you receive warnings about /usr/bin/ld: cannot find -lssl and collect2: ld returned 1 exit status, it means that you either didn't install libssl or libssl-dev (the linker needs the development package to find the library).



Security | 2007-07-17 01:33:30

An exploit exists in Adobe Photoshop CS2, CS3 and Paint Shop Pro 11.20 when processing a crafted PNG File. The file causes a buffer overflow which can be used to execute shellcode.

Source code available at: http://milw0rm.com/exploits/3812

Movie of compiling and exploiting:

https://www.ecks90.com/files/cs2.cs3.exploit.shell.movie.rar


IT | 2007-07-11 23:10:29

Over the course of about 2 weeks my raid5 system broke twice requiring new disks and a rebuild.
The controller was a Highpoint RocketRaid 1640 SATA with 4x Seagate 250GB 7200RPM SATAII drives.

Rebuild time was as follows:
Build 1:
raid 5 rebuild started approx 4:25PM
5:27PM – 21%
6:24PM – 40%
7:04PM – 53%
7:28PM – 61%
8:35PM – 82%
9:25PM – 99%
9:27PM – 100%

Build 2:
raid5 rebuild started 11:51AM
2:13PM – 47%
2:51PM – 58%
3:44PM – 76%
4:25PM – 90%
4:55PM – 100%

I couldn’t find any reliable information on an estimated rebuild time, so there's my experience.