
iPod Touch Vulnerability after Jailbreak

As you may or may not know, a jailbroken iPod Touch has a well-known vulnerability: the root password is hard-coded as "alpine". If your iPod Touch connects to a hotspot network, anyone in the same subnet can do the following:

  1. Nmap the whole subnet:
     sudo nmap -A -O -T4 112.55.82.0/24

  2. The scan result will be shown as follows:
     Interesting ports on ******* (112.55.82.202):
     PORT STATE SERVICE VERSION
     22/tcp open ssh OpenSSH 5.2 (protocol 2.0)
     62078/tcp open tcpwrapped
     ….
     Running (JUST GUESSING) : Apple embedded (93%), Apple iPhone OS 1.X (89%)

  3. Then, what these people most likely want to do next is:
     ssh root@112.55.82.202
     Password: alpine

  4. Then, as you can guess, they can do whatever they want:
     John-Smiths-iPod:/ root# ls
     Applications@  Library/  User@  boot/   dev/  lib/  private/  tmp@  var@
     Developer/     System/   bin/   cores/  etc@  mnt/  sbin/     usr/

The solution is very simple: just change the root password after the jailbreak. We can go to the terminal application on the iPod.

  • Type su - to enter super user mode
  • Type passwd and enter the new password
  • Type the new password again
  • Type exit. We are done.

The mobile user account ships with the same default password, so repeat the passwd step for that account as well.

Good luck and Thanks,

Vancouver City Featuring

This is the city where I am living.

ASA Simulation on Ubuntu QEMU

When I tried to find a Cisco ASA simulator for Linux, few related results came up. The two popular ways are setting it up on Windows with QEMU or with VMware. People who are using Windows can refer to those.

However, I found one site that is really useful for installing the ASA image into QEMU on Linux. I followed the steps and built my own ASA environment. Please note that this solution is not as user friendly as dynamips or dynagen; the two ways above may be a better choice. So, let's see how it works on my side.

We need QEMU first

sudo apt-get install qemu

We need asa802-k8.bin

??? :)

We assume that we are working in $ASA_WORKSPACE. In that directory, create a hexadecimal dump of the image:

hexdump -C asa802-k8.bin > asa802-k8.hex

Search for the ZIP header, i.e. the gzip magic bytes 1f 8b 08. We can see that the compressed part starts at offset 1228b0:

grep "1f 8b 08 00 1d" asa802-k8.hex
001228b0  1f 8b 08 00 1d 3d 73 46  00 03 ec 3a 6d 54 14 57  |…..=sF…:mT.W|

Find the image size.

ls -la asa802-k8.bin
-rw-r--r-- 1 hengdu hengdu 14524416 2010-01-28 21:27 asa802-k8.bin

Now we need to find out how many bytes from the end of the file make up the compressed part, i.e. the file size minus the offset found above:

echo "14524416 ; ibase=16 ; last - 1228B0" | bc | tail -n 1
13334352

Extract the zipped part of the ASA image:

tail -c 13334352 asa802-k8.bin > asa802-k8.gz

Decompress it with gzip:

gzip -d asa802-k8
gzip: asa802-k8.gz: decompression OK, trailing garbage ignored
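The hexdump/grep/bc/tail steps above can be automated. The following script is an added example, not code from the original post or from the site it follows: it scans an image for the gzip magic, carves the member from that offset (the equivalent of tail -c with the computed length), and counts the bytes gzip would report as trailing garbage. The sample image it builds is constructed in code, so the offsets are only illustrative.

```python
# Added example (not from the original post): locate and carve the gzip member
# embedded in a firmware image. The sample image below is constructed here.
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=deflate: the bytes the grep above looked for


def carve_gzip(image: bytes):
    """Return (offset, decompressed payload, trailing byte count).

    Every 1f 8b 08 occurrence is tried in order; a hit is accepted only if zlib
    reaches the end of a complete member (CRC32 and ISIZE verified), so a chance
    match inside kernel code is skipped rather than trusted.
    """
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        tail = image[pos:]                            # same bytes as `tail -c $((size - pos))`
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects the gzip wrapper
        try:
            payload = d.decompress(tail) + d.flush()
        except zlib.error:                            # bad header or corrupt stream: not a member
            payload = b""
        if d.eof:                                     # whole member consumed
            return pos, payload, len(d.unused_data)   # unused_data is the "trailing garbage"
        pos = image.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no complete gzip member found in image")


def build_sample_image() -> bytes:
    """Constructed stand-in for asa802-k8.bin: kernel-like prefix, decoy magic, member, padding."""
    prefix = b"\x7fELF" + bytes(range(256)) * 4
    decoy = b"\x1f\x8b\x08\xe0DECOY"          # reserved FLG bits set, so zlib rejects this header
    member = gzip.compress(b"070701" + b"vmlinuz+rootfs cpio", mtime=0)
    padding = b"\x00" * 64                    # what gzip -d reports as trailing garbage
    return prefix + decoy + member + padding


if __name__ == "__main__":
    img = build_sample_image()
    off, data, trailing = carve_gzip(img)
    print(f"gzip member at offset {off:#x}, tail -c {len(img) - off}, "
          f"{len(data)} bytes decompressed, {trailing} trailing bytes ignored")
```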

Make a tmp directory and extract the archive with cpio:

mkdir tmp
cd tmp
sudo cpio -i --no-absolute-filenames --make-directories < ../asa802-k8
cpio: Removing leading `/' from member names
61039 blocks

Copy the Linux kernel to the upper directory:

cp vmlinuz ../asa802-k8.kernel

Make a startup script file at ./asa/scripts/first_start.sh. I basically copied the whole script from the site; however, some parts had to be modified for my environment.

#!/bin/sh
# On the very first boot only: partition and format the flash disk,
# then copy the ASA binaries onto it.
FIRST_START=no
if test ! -e /mnt/disk0/lina_monitor
then
fdisk /dev/hda << EOF
n
p
1
5
979
t
4
w
EOF
mkdosfs -F 16 /dev/hda1
mount -o umask=0000,noatime,check=s,shortname=mixed /dev/hda1 /mnt/disk0
cp /asa/bin/lina /mnt/disk0/lina
cp /asa/bin/lina_monitor /mnt/disk0/lina_monitor
FIRST_START=yes
fi
# Load the NIC drivers and bring up the virtual interfaces
modprobe e100
modprobe e1000
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
ifconfig eth3 up
ifconfig eth4 up
ifconfig eth5 up
if test "$FIRST_START" = yes
then
echo ""
echo ""
echo "This is your first boot, please wait about 1 min and then type the following commands:"
echo "cd /mnt/disk0"
echo "/mnt/disk0/lina_monitor"
echo ""
echo "Please note to use the following command under ASA to save your configs:"
echo "copy run disk0:/.private/startup-config"
echo ""
exit
fi
cd /mnt/disk0
/mnt/disk0/lina_monitor

Make the script executable:

sudo chmod +x ./asa/scripts/first_start.sh

Now you can compress all the files and have the initrd ready to use in QEMU:

sudo find . | cpio -o -H newc | gzip -9 > ../asa802-k8.initrd.gz

At this point, the Linux kernel files are ready for QEMU to use.

Create a virtual hard disk:

qemu-img create FLASH 256M
Formatting 'FLASH', fmt=raw size=268435456

Then start QEMU:

qemu -hda FLASH -kernel asa802-k8.kernel -hdachs 980,16,32 \
-initrd asa802-k8.initrd.gz -m 512 -nographic -append \
"console=ttyS0,9600n8 hda=980,16,32 bigphysarea=16384 auto nousb ide1=noprobe"

After many lines of output, you will see a # prompt. Then we start the ASA:

/bin/lina

Finally, I saw the familiar prompt:

ciscoasa#

So far, I still have some issues to figure out, such as interface setup and working with my dynamips router. Hopefully I will figure them out later. Please feel free to join my discussion.

Thanks,

Network Security Assessment Reading Notes – Vulnerability Assessment

This chapter is called Vulnerability Assessment 101. I guess this is because the topic is too huge to fit in one chapter, or even in one book. According to the book, the assessment is basically divided into three steps.

The first step is to collect information. The commonly used tool is nmap, which is an open source application and can be downloaded for both Windows and Linux. The other commonly used tool is whois, which can still collect a lot of information. Of course, there are many sophisticated tools, such as Qualys; those techniques are the core property of those vendors. In terms of collecting information, there are two approaches in practice: non-sensor-based and sensor-based. Apparently, sensor-based approaches can provide more information, such as users, configurations, processes running on the assets, devices registered on the assets, etc. A sensor-based approach can also overcome NAT topology, while a non-sensor-based scanner cannot find the assets behind NAT.

The second step is to enumerate the information. From the collected information, the scanner should know: 1) what OS is running on the asset; 2) how many TCP ports are open on the asset; 3) how many UDP ports are open on the asset; etc.

The last step is detection. This is the core part of vulnerability assessment, and it is described in detail in the following chapters. When we try to identify what a vulnerability is, we need a definition, or more precisely, a benchmark. Here is one example of a benchmark: FDCC Major Version. We can use Benchmark Editor to open it. Basically, a benchmark is a collection of many rules. For example, one rule could be Password Policy -> Maximum Password Age -> 7776000. If the scanner detects that the maximum password age is larger than that, this is a vulnerability, because a hacker may brute-force the password during that time.

Network Security Assessment – Reading Notes 1

Recently I found that the blog is a good place to put my reading notes. So, let me start the first one. Since I am involved in network vulnerability scanning work, this book is really fundamental and provides a lot of easy-to-understand definitions and terminology rather than jargon. The book is Network Security Assessment: From Vulnerability to Patch.

The first chapter gives us a clear vision of what a vulnerability is, how to define it and how to score it.

Over the years, the definition of vulnerability has evolved into a software or hardware bug or misconfiguration that a malicious individual can exploit. A vulnerability can be publicly disclosed before a vendor patch, or can even be used quietly by attackers. An organization experiences multiple levels of risk from a vulnerability, depending on how the discoverer of the vulnerability deals with the information and how long it takes the affected vendor to issue a patch or workaround.

Here is a solid example from my Windows 2008 Server, which is a network security asset. After a scan, one of the vulnerability results shows the CVE ID CVE-2008-4844. The description is: “Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 5.01, 6, and 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements, as exploited in the wild in December 2008.”

CVE stands for Common Vulnerabilities and Exposures, and a list of CVE numbers was created several years ago to help standardize vulnerability naming. The CVE created a list of all vulnerabilities and assigned each one a CVE ID in the format CVE-year-number. Vendors have been encouraged to use CVE numbers when referencing vulnerabilities.

Right now we know we have one vulnerability identified by a CVE ID, but how can we know the severity of that vulnerability? Theoretically, risk is the product of four attributes: Vulnerability, Attacks, Threat and Exposure. However, different vendors have different scoring systems. Therefore, CVSS attempts to solve the problem by providing a sophisticated scoring system. For example, for CVE-2008-1446 the CVSS base score is 9 and the CVSS vector is (AV:N/AC:L/Au:S/C:C/I:C/A:C). The detailed CVSS guide is here.

After we have realized that we have a vulnerability in our server, we need to apply a remedy to it, which will be covered in the following chapters. But here I would like to mention the window of vulnerability. It mainly concerns the gap between when the vulnerability has been discovered and when the patch has been delivered, because during that time frame an attacker can easily launch an attack. The book puts a lot of effort into how to solve that problem. However, there is no panacea that solves every problem. Again, no network security means no network.

Thanks,

NetMos 6-Port Serial Console in Fedora 10

I recently bought a NetMos 6-port serial console card and installed it in my Fedora 10 computer. As you might guess, Linux only recognizes the first four serial devices, ttyS[0-3]. The problem here is that Fedora has already recognized the serial console card driver, but it only keeps the first four ports by default. How to enable the other ports?

There are many solutions. After some study, I found a simple way to solve this problem. Edit /boot/grub/menu.lst and add one more option, 8250.nr_uarts=8, to the kernel command line:

kernel /vmlinuz-2.6.27.41-170.2.117.fc10.i686 ro root=/dev/VolGroup00/LogVol00 rhgb quiet 8250.nr_uarts=8

After rebooting the system, we can verify that all the ports are supported.

[root@console ~]# ls -la /dev/ttyS[0-8]
crw-rw---- 1 root uucp 4, 64 2010-01-21 11:29 /dev/ttyS0
crw-rw---- 1 root uucp 4, 65 2010-01-21 11:29 /dev/ttyS1
crw-rw---- 1 root uucp 4, 66 2010-01-21 11:29 /dev/ttyS2
crw-rw---- 1 root uucp 4, 67 2010-01-21 11:29 /dev/ttyS3
crw-rw---- 1 root uucp 4, 68 2010-01-21 11:29 /dev/ttyS4
crw-rw---- 1 root uucp 4, 69 2010-01-21 11:29 /dev/ttyS5
crw-rw---- 1 root uucp 4, 70 2010-01-21 12:15 /dev/ttyS6
crw-rw---- 1 root uucp 4, 71 2010-01-21 11:29 /dev/ttyS7
crw-rw---- 1 root uucp 4, 72 2010-01-21 11:29 /dev/ttyS8

We can list the PCI devices to see the hardware information.

00:08.0 Serial controller: NetMos Technology PCI 9845 Multi-I/O Controller (rev 01) (prog-if 02 [16550])
Subsystem: LSI Logic / Symbios Logic 0P6S (6 port 16550a serial card)
Flags: medium devsel, IRQ 16
I/O ports at 8400 [size=8]
I/O ports at 8000 [size=8]
I/O ports at 7800 [size=8]
I/O ports at 7400 [size=8]
I/O ports at 7000 [size=8]
I/O ports at 6800 [size=16]
Kernel driver in use: serial
Kernel modules: parport_serial

We can also see the serial port information. From that we can see that ttyS[1-3] are unknown ports, while ttyS[4-9] are actually my 6 serial ports.

[root@console ~]# setserial -g -G /dev/ttyS[0-9]
/dev/ttyS0 uart 16550A port 0x03f8 irq 4 baud_base 115200 spd_normal skip_test
/dev/ttyS1 uart unknown port 0x02f8 irq 3 baud_base 115200 spd_normal skip_test auto_irq
/dev/ttyS2 uart unknown port 0x03e8 irq 4 baud_base 115200 spd_normal skip_test auto_irq
/dev/ttyS3 uart unknown port 0x02e8 irq 3 baud_base 115200 spd_normal auto_irq
/dev/ttyS4 uart 16550A port 0x8400 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS5 uart 16550A port 0x8000 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS6 uart 16550A port 0x7800 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS7 uart 16550A port 0x7400 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS8 uart 16550A port 0x7000 irq 16 baud_base 115200 spd_normal skip_test
/dev/ttyS9 uart 16550A port 0x6800 irq 16 baud_base 115200 spd_normal skip_test

Finally, I am able to use minicom to access my devices.

Thanks

UFW Secures Ubuntu

Since my desktop will go public (I mean a public IP, not NASDAQ), I have to enable a firewall. After googling, I found the default firewall for the Ubuntu system: Uncomplicated Firewall (UFW).

Enable/disable the firewall

sudo ufw enable
sudo ufw disable

Add rules to the firewall

sudo ufw allow 22
sudo ufw delete allow 22
sudo ufw deny from 10.1.1.1/24 to any port 22
sudo ufw allow from 10.2.2.2/24 to any port 22

To see the current rules

sudo ufw status verbose

For all port-to-service mappings, you can look at /etc/services (cat /etc/services).

Thanks