Posts Tagged ‘Security’

CVE-2010-3081

Sometimes you just have to spread alerts such as this one.
If you are running 64-bit Linux machines, you should take care of this vulnerability, because a public exploit exists and is being used to attack affected production systems. If your distribution has already provided a patch, you just have to update your system kernel. Otherwise, you should patch it yourself. A couple of links about that:

Ksplice developers also wrote a tool to check whether your systems have been compromised by that exploit, by looking for the backdoors it installs. You can find it here. To do the check, just download the source code file, compile it, and run it. You should see something like this:

$ gcc -o diagnose-2010-3081 diagnose-2010-3081.c
$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)
 
$$$ Kernel release: 2.6.26-XX-XXX-XXX
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): not available.
$$$ Backdoor in IDT (3/3): checking...not present.
 
Your system is free from the backdoors that would be left in memory
by the published exploit for CVE-2010-3081.

Otherwise, your system is already compromised.
Patch this vulnerability and also consider running some further analysis, because while this is the publicly known exploit, there are probably many bad guys out there with their own private ones.
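The diagnostic output above lends itself to automation when there are many 64-bit hosts to check. The following is an added example, not part of Ksplice's tool or of the original post: a small shell wrapper that runs the compiled diagnose-2010-3081 binary (assumed to sit in the current directory) and classifies its output as clean, backdoor present, or undetermined, so the verdicts can be collected from a fleet over ssh. The page only shows the clean run, so the wording of a positive hit used in the comments is a constructed assumption; anything other than "not present" or "not available" on a check line is treated as a hit.

```shell
#!/bin/bash
# Added example (not Ksplice's tool): classify diagnose-2010-3081 output so the
# check can be scripted across many hosts.
#
# classify_diag exit status: 0 = no backdoor found, 1 = backdoor found,
# 2 = output not understood (tool missing, crashed, unsupported kernel, ...).
classify_diag() {
    out=$1   # full text of the tool's output

    # The tool reports exactly three checks; fewer means it did not run properly.
    checks=$(printf '%s\n' "$out" | grep -c '^\$\$\$ Backdoor in' || true)
    [ "$checks" -eq 3 ] || return 2

    # On the clean run shown on the page every check line ends in
    # "not present." or "not available."; any other verdict is treated as a hit.
    hits=$(printf '%s\n' "$out" | grep '^\$\$\$ Backdoor in' \
           | grep -vc -e 'not present\.' -e 'not available\.' || true)
    [ "$hits" -eq 0 ] && return 0
    return 1
}

# Run the compiled tool from the current directory and print a one-line verdict
# prefixed with the hostname, suitable for collecting over ssh.
run_check() {
    host=$(hostname)
    if [ ! -x ./diagnose-2010-3081 ]; then
        echo "$host: diagnose-2010-3081 not found or not executable"
        return 2
    fi
    result=$(./diagnose-2010-3081 2>&1)
    rc=0
    classify_diag "$result" || rc=$?
    case $rc in
        0) echo "$host: clean" ;;
        1) echo "$host: BACKDOOR PRESENT - treat as compromised, patch and investigate" ;;
        *) echo "$host: undetermined - inspect the raw output" ;;
    esac
    return $rc
}

# Only act when invoked with "run", so the file can be sourced without side effects.
if [ "${1:-}" = run ]; then
    run_check
fi
```

Invoked as `ssh host 'bash -s' run < check.sh` from a management box, each host answers with one line and the exit status mirrors the verdict, which is easy to feed into whatever inventory or alerting you already have.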


iphone backup via ssh

I recently upgraded my iPhone firmware, but since I'm really a paranoid man, I wanted to back up all of my critical stuff stored on the phone first.
Yes, I know iTunes keeps backups of the iPhone contents but really, I didn't want to trust an application and take the risk of losing my contacts, SMS, and so on, especially when I was going to do something not expected by that application ( yes, I'm talking about the jailbreak :P ).
So, since my iPhone was already out of jail, I was able to log in via ssh into the device system. It simply keeps all of your stuff in (sqlite) databases and folders, so if you know where-is-what the backup process is really simple. So I wrote a simple shell script to do the backup, and here it is. In order to use it, you should:

  • Create (mkdir) the backup folder you wish to use and copy the script inside
  • Connect your iPhone to a network reachable from the machine you are going to run the script from
  • Fill the IPHONE_ADDRESS field with the IP address assigned to the iPhone on that network
  • Toggle the flags to decide what you want to back up or not
  • Run the script :P

You should also ( if you did not before ) append your public RSA key to your iPhone root ‘authorized_keys’ file in order to avoid being prompted for a password at each step, as explained in this previous entry.

I did this as root, but you may try running it as mobile if you wish; just replace any root@ with mobile@ using vim or sed ‘s/root@/mobile@/g’.

Also, this is a good chance ( to add the security tag :P ) to remind you, jailbroken iPhone users, to change the default ssh “alpine” password, because otherwise, if you connect to untrusted (public) networks with the ssh daemon running, stealing all of your personal data may be as easy as running this script :P ( If your first thought is “they won’t know my ip!”, give up: a simple nmap scan will reveal you quickly and easily )

You can download the script here
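Since the script itself is a download, here is an added example of what the post describes, written for this page and not the author's script: a flag-driven backup of the phone's sqlite databases over ssh. The remote paths and the IPHONE_ADDRESS value are assumptions (typical locations on firmware of that era); verify them on your own device. It also checks each copied file for the SQLite header, so a truncated transfer or an error page does not silently pass as a backup, and it keeps the copies in an owner-only directory since they hold exactly the personal data the post warns about.

```shell
#!/bin/bash
# Added example, not the original post's script: selective iPhone backup over ssh.
# Requires key-based ssh login to the phone (see the authorized_keys note above).

IPHONE_ADDRESS='192.168.1.50'   # placeholder: the phone's IP on the shared network
IPHONE_USER='root'              # or 'mobile'; the paths below belong to that user

# Toggle what to back up (1 = yes, 0 = skip)
BACKUP_SMS=1
BACKUP_CONTACTS=1
BACKUP_CALENDAR=0
BACKUP_NOTES=0

# Remote database paths: assumed typical locations, check them on your device
SMS_DB='/private/var/mobile/Library/SMS/sms.db'
CONTACTS_DB='/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb'
CALENDAR_DB='/private/var/mobile/Library/Calendar/Calendar.sqlitedb'
NOTES_DB='/private/var/mobile/Library/Notes/notes.db'

# Print one remote path per line for each enabled flag.
selected_paths() {
    [ "$BACKUP_SMS" = 1 ]      && echo "$SMS_DB"
    [ "$BACKUP_CONTACTS" = 1 ] && echo "$CONTACTS_DB"
    [ "$BACKUP_CALENDAR" = 1 ] && echo "$CALENDAR_DB"
    [ "$BACKUP_NOTES" = 1 ]    && echo "$NOTES_DB"
    return 0
}

# Every SQLite 3 file begins with the 16-byte magic "SQLite format 3\0".
# Checking it catches empty, truncated or HTML-error downloads without needing sqlite3.
is_sqlite_db() {
    [ -s "$1" ] && [ "$(head -c 15 "$1")" = "SQLite format 3" ]
}

# Copy the selected databases into a fresh, owner-only directory and verify each.
backup() {
    dest="iphone-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" && chmod 700 "$dest"   # the copies contain personal data
    failed=0
    for remote in $(selected_paths); do      # paths contain no spaces
        local_file="$dest/$(basename "$remote")"
        if scp -q "$IPHONE_USER@$IPHONE_ADDRESS:$remote" "$local_file" \
           && is_sqlite_db "$local_file"; then
            echo "ok    $remote"
        else
            echo "FAIL  $remote"
            failed=1
        fi
    done
    return $failed
}

# Run only when invoked with "run", so sourcing the file has no side effects.
if [ "${1:-}" = run ]; then
    backup
fi
```

A non-zero exit from `backup` means at least one database did not arrive intact, which is the moment to stop and look before flashing anything.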



Web app backup simple shell script

Recently, the unofficial discussion board for students of my university department went down because of a misunderstanding with their hosting provider, who also reassigned their machine to another customer, wiping out all of their data. They have now restored the board, but the last backup dated back to last year, so lots of data has been lost. Anyway, when one of the admins announced on Facebook that the board was up again, I ironically commented by writing a small shell script that can be used to back up a simple MySQL-based web application such as a discussion board or a CMS installation such as Drupal, Joomla, WP or whatever… But then I thought this happens more frequently than expected to people I know, so I decided to post that script here :)

#!/bin/bash
#-----------------------------------
# Web App. Dumb Backup Script
# http://www.n0on3.net
#-----------------------------------
# Shell assignments take no leading '$': the original "$user='...'" form
# expands the (empty) variable and then tries to run a command named "='...'".
user='your-username-here'
server='your-domain-name-here'
appname='your-webapp-name-here'
apppath='your-webapp-path-here'
mysqluser='your-mysql-user-here'
mysqlpassword='your-mysql-pwd-here'
dbname='your-mysql-db-name-here'
#-----------------------------------
d=`date +'%d-%m-%y'`
# Archive the web root; the file lands in the login user's home on the server
ssh $user@$server "tar cjvf backup-$appname-$d-www.tar.bz2 $apppath"
# Dump the database. The trailing backslashes keep this ONE remote command:
# without them the remote shell runs each line separately and the dump is empty.
ssh $user@$server "mysqldump -u $mysqluser \
                  --password=$mysqlpassword $dbname \
                  > backup-$appname-$d-db.sql"
# Fetch both files; remote paths are relative to the remote home directory
# ($HOME would expand to the client's home, which is not what we want)
scp $user@$server:backup-$appname-$d-www.tar.bz2 \
                  backup-$appname-$d-www.tar.bz2
scp $user@$server:backup-$appname-$d-db.sql \
                  backup-$appname-$d-db.sql
# Double quotes, so $appname and $d are expanded here before the command is sent
ssh $user@$server "rm backup-$appname-$d-*"

Please notice that this relies on ssh login without a password, which means you have to append your client machine's public RSA key to your server's authorized_keys file.
More importantly, the database password is written here in plaintext because the script must use it, so if you keep such a script on your client machine remember to encrypt it or take other proper precautions ;)
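Besides sitting in plaintext in the script, the password above is also passed to mysqldump on its command line, where it can be read from the process list on the server while the dump runs. The following is an added example, not the original script: it keeps the credentials in a mode-600 client options file on the server and points mysqldump at it with --defaults-extra-file, so neither the script on the client nor the remote command line carries the password. The options file path $HOME/.backup.cnf and the key-based ssh setup are assumptions.

```shell
#!/bin/bash
# Added example, not the original post's script: same backup, but the MySQL
# password lives only in an owner-readable options file on the server.

# Create the client options file mysqldump will read.
# $1 = path, $2 = MySQL user, $3 = MySQL password
write_mysql_cnf() {
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Build the remote mysqldump command; only the options file path appears in it.
# --defaults-extra-file must be the first option on the mysqldump command line.
# $1 = options file path, $2 = database name, $3 = output file
dump_command() {
    printf 'mysqldump --defaults-extra-file=%s %s > %s' "$1" "$2" "$3"
}

# Full run: dump on the server, fetch the file, remove the remote copy.
# $1 = ssh user, $2 = server, $3 = database name
# Assumes $HOME/.backup.cnf was created once on the server (e.g. by running
# write_mysql_cnf there) and that ssh uses your key rather than a password.
remote_backup() {
    user=$1; server=$2; dbname=$3
    d=$(date +'%d-%m-%y')
    out="backup-$dbname-$d-db.sql"
    # single quotes: $HOME is expanded by the remote shell, not locally
    cmd=$(dump_command '$HOME/.backup.cnf' "$dbname" "$out")
    ssh "$user@$server" "$cmd" \
        && scp "$user@$server:$out" "$out" \
        && ssh "$user@$server" "rm $out"
}
```

The options file is created once, by hand, on the server; the script that runs regularly from the client then contains no secret at all, which makes the "encrypt the script" problem go away.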


EH Miracle on Thirty-Hack Street A&W out

Answers and winners for the Ethical Hacker Network Christmas contest Miracle on Thirty-Hack Street are out. Unfortunately my answer was not complete enough :D . Anyway, this is a nice chance to spread something about privacy management for users of the most famous social networks.

This is the answer I submitted on Jan 6 2010:



Physical access to linux boxes

Having physical access to a machine, in many common cases, means being able to get root access to the installed system. This is widely known for some versions of MS Windows. I don’t know much about Windows 7 right now, but here we have a video from the guys at Offensive Security where Windows Vista is owned just by booting BackTrack and replacing C:\Windows\System32\Utilman.exe with cmd.exe, and weak passwords encoded as LM and NTLM hashes can be easily cracked with the Ophcrack LiveCD or any other live system and large rainbow tables.

So people switching to Linux may think their systems are more secure now, and that bad guys won’t be able to access them if they leave the room for five minutes. Unfortunately that isn’t true as far as physical access to default-like installations is concerned. When a Linux machine is powered on, a bootloader is launched; it loads the initrd (if any) and the kernel into memory, with a given set of options. Common bootloaders such as GRUB allow the user to choose among different entries, which may refer to different kernels or different option sets. By default, nothing prevents those entries from being edited. The following video shows how anyone with physical access to the machine can edit an entry to instruct the kernel to run a shell instead of the init daemon, without being asked for any password, and gain root access to the machine this way. It also shows how to deny this kind of action by setting up password protection for all the entries.



Protecting GRUB entries is anyway just one small step toward reducing the risks that come with untrusted physical access. Booting from a LiveCD or an external drive will give easy access to your filesystem. You can avoid this by disabling booting from CD-ROMs and other devices in the BIOS settings and then setting a password for the BIOS configuration. But the BIOS configuration can be reset, at the very least by removing the battery from the motherboard, and anyway someone can still pull out your hard drive and mount it on another system. If you care about that, your solution may just be encryption of your whole partitions, so that a passphrase is required (every time) when they are mounted.
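The video shows the GRUB password setup; as an added example written for this page (not from the post), here is the same protection for GRUB 2 in shell form. It assumes the Debian/Ubuntu layout (grub-mkpasswd-pbkdf2, /etc/grub.d/40_custom, update-grub). One thing worth knowing before applying it: once set superusers is defined, GRUB 2 asks for the password before booting any entry that is not marked --unrestricted, not only when editing, so the second function marks entries that way to keep unattended reboots working while editing (e) and the command line (c) stay locked.

```shell
#!/bin/bash
# Added example, not from the original post: password-protect GRUB 2 menu editing.
# Assumes the Debian/Ubuntu GRUB 2 layout (grub-mkpasswd-pbkdf2,
# /etc/grub.d/40_custom, update-grub). Run install_grub_password as root.

# Emit the config stanza for a GRUB superuser.
# $1 = user name, $2 = hash as printed by grub-mkpasswd-pbkdf2
# Refuses anything that is not a PBKDF2 hash, so a plaintext password can
# never land in grub.cfg by mistake.
grub_superuser_stanza() {
    case "$2" in
        grub.pbkdf2.sha512.*) ;;
        *) echo "refusing: '$2' is not a grub.pbkdf2.sha512 hash" >&2; return 1 ;;
    esac
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' "$1" "$1" "$2"
}

# Read menu entries on stdin and add --unrestricted to each "menuentry ... {"
# line that lacks it, so those entries still boot without the password.
# Idempotent: entries already marked are left alone.
unrestrict_entries() {
    sed -e '/^[[:space:]]*menuentry /{' \
        -e '/--unrestricted/!s/[[:space:]]*{[[:space:]]*$/ --unrestricted {/' \
        -e '}'
}

# Interactive install: prompts for the password, appends the stanza to
# 40_custom and regenerates grub.cfg. Entries generated by 10_linux are NOT
# unrestricted by this; either accept the boot-time prompt or pipe your own
# custom entries through unrestrict_entries before adding them to 40_custom.
install_grub_password() {
    user=${1:-admin}
    # the tool's last output line reads "... is grub.pbkdf2.sha512.<iterations>.<salt>.<hash>"
    hash=$(grub-mkpasswd-pbkdf2 | sed -n 's/.*is //p')
    grub_superuser_stanza "$user" "$hash" >> /etc/grub.d/40_custom || return 1
    update-grub
}
```

After `update-grub`, pressing e or c at the menu prompts for the superuser name and password, which is the behaviour the video demonstrates; the stanza lives in 40_custom so a later package upgrade of the other generator scripts does not silently drop it.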


SSLStrip – Bridge Attack Demo

Here is the demo recorded in the context of the SSL Threat Analysis I wrote about previously.

