Skip to main content

Posts

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simple rot-13 embedded PHP script. The script provides a means for establishing file transfer and permissions management via HTTP queries on the remote side and the dreaded eval() function on the local side - interestingly, these functions are somewhat protected; in order to work, it is necessary to provide a hash along with the HTTP query, and the length of the query string has to match the size of its associated file. Can't have someone else taking advantage of your hard work, I suppose. The script includes a standard six-byte GIF header before the "<?php" establishing the opening of the PHP code, and the payload itself had a .gif file extension. It is pretty obvious either to a naked eye or a program that more than a very basic check that this .GIF is not an image. It is slightly more sophisticated than other attempts I have seen w...

Chop That Dollar

Its been quite some time since I've received a 419 spam message in my inbox. But - like matter itself - 419 never dies - only changes form. I found the message below in my inbox this morning. I was pleased to note that the message originated from Yahoo, and contained several classic red flags for spam that even the neophyte mail server admin knows to watch out for, like from & reply-to headers with different different domains. This is the kind of l33t security I've come to expect from Yahoo. But hey, the Russians did it , and no one can be expected to secure their customers from state sponsored attacks. Susan here is no doubt a member of Nigeria's elite NIA . From: Susan ***** desmondwilliams614 yahoo.com Subject: Hello, Date: Sat, 18 Mar 2017 12:12:52 +0000 (UTC) Reply-To: desmondwilliams614 yahoo.com Susan ***** deswill0119 yahoo.fr Hello, Greetings. With warm heart I offer my friendship and greetings, and I hope that this mail will meets you in good time. Ho...

Wikileaks releases massive trove of CIA documents

Today Wikileaks released a massive new trove of leaks focused on the CIA's IT-based espionage capabilities . Wikileaks has named the document release Vault 7. The trove has just been released this morning, so details remain sketchy, however the included documents appear to contain detailed information related to dozens of malware tools used by the CIA's Center for Cyber Intelligence. Earlier this morning I heard an NPR report claiming that Wikileaks was redacting the source code associated with these hacking tools. I'm not sure if that is correct; I've found a few files with executable scripts included, but none of the scripts I've found so far are essentially malicious (although they were almost certainly used in the development and packaging of malware). I have found indications that Wikileaks redacted exploit files that were ready for as-is distribution. For example, the files I reviewed in the dump appear to be part of an internal wiki. I reviewed a file list...

Testing Laptop Batteries

Since I was gifted a new Raspberry Pi this Xmas, I've found myself becoming much more interested in the details of computer hardware than I've previously been. Among the first thing that I've wanted to do with my Pi is build an on/off switch - Pi are very bare bones, and require you to shutdown or reboot using software. Cold booting happens immediately after plugging in a power cord. This sort of setup is less than ideal for a huge number of reasons - there is little to no in-built hardware to protect my Pi from a power surge, and I have a lot of uses in mind for this and future Pis that make an external surge protector unrealistic. Even for home/office use where the Pi is connected to a stable power source, I'd like something akin to the power button that comes with desktops & laptops that can send an ACPI signal which I can in turn manage a bit using /etc/acpi/powerbtn.sh. Anyway, I have quite a bit to learn in this area. I've worked with power, but its almo...

How to Authenticate WHMCS Admin Users with PHP

Over the past few days I've been working on a project that involved building an authentication mechanism for a new website which checks user logins against a WHMCS admin database. There are a variety of options for authenticating normal, non-admin WHMCS users: on the easy side of things, you can simply use the WHMCS API's validatelogin() call, or for a more advanced project its possible to implement OAuth within your WHMCS instance . For my project, neither LDAP nor Active Directory were options. I was surprised to find that the WHMCS API did not contain a mechanism for authenticating admin users. I'm somewhat sympathetic given the security implications: WHMCS is a billing application and it should not be used to provide a sortof infrastructure authentication backbone, particularly given the many much more mature options available for this sort of thing. With that said, this project wasn't about looking to turn WHMCS into LDAP ... it was about allowing WHMCS admin t...

Assigning default ownership to all new files in a directory

Getting the hang of Linux file-system permissions can be tricky for beginners. I still have problems every now and again translating symbolic permission notation to octal permission notation and back again. One common scenario which can be complicated to enact in practice is the creation of default permissions for files inside of given directories. Although not a direct translation, in Windows this sort of functionality is usually implemented by selecting the "Allow propagation on child objects" setting when viewing Security Properties for a directory. But how to get this done in Linux? The preferred approach is the use of Access Control Lists using setfacl . Since Linux kernel 2.6, the acl flag is enabled by default with most standard filesystems. There's already several solid explanations for how to use Linux ACLs . But, there are scenarios in which this can be difficult or impossible to implement; using exotic filesystems or older kernels, etc. Or you just might find...

A nasty pair of MySQL exploits grant attackers system root from any database user

Four days ago I received an email from Dawid Golunski through the list illustrating one of the more brutal pair of security vulnerabilities I have seen recently. Here's how it works.     The exploit uses a vulnerability within MariaDB, PerconaDB (and/or XtraDB Cluster) and MySQL to, first, gain access to the 'mysql' system user using any mysql user that has CREATE / INSERT / UPDATE permissions. The first part revolves around a race condition when sql generates temporary files as part of the `REPAIR table` command. Then using the mysql system user the second vulnerability grants the attacker root access to the server using a clever hack that takes advantage of mysql_safe's approach to writing to file based error logs. Below I've provided a list of vulnerable server versions. Just about any server using the more recent (unpatched) stable releases of MySQL or MariaDB through CentOS is vulnerable (Percona isn't part of the st...