Security
January 20, 2010
This article was contributed by Koen Vervloesem
After a beta period of almost a year, the developers of BackTrack have released the long-awaited successor to version 3. This specialized Linux distribution keeps its focus on security tools for penetration testers and security professionals, but also expands into a new direction: forensic investigations. It comes as a live distribution that is also installable on hard drive, and provides hundreds of open source security tools in a categorized menu hierarchy.
While previous releases were based on the Slackware-derivative SLAX, BackTrack 4 (code name "pwnsauce") is based on Ubuntu 8.10 ("Intrepid Ibex"). However, this is not a typical Ubuntu spin-off with a pre-chosen package set and some eye candy glued on top: many of the tools have received a custom configuration or patches to accommodate the needs of security professionals. Therefore, the developers have set up their own package repositories for updates. Under the hood lies a 2.6.30 kernel with a variety of patched wireless drivers to "enhance wireless injection attacks" as well as some older wireless drivers for stability.
BackTrack 4 can be downloaded as a 1.5 GB ISO file or as a 2 GB VMware image. Actually, the ISO file is all you need in most circumstances: it can be burned to a DVD, written to a USB stick with tools such as Unetbootin or launched as a virtual machine in VirtualBox, VMware, Xen, KVM, and so forth. Instead of using it as a live system, BackTrack 4 can now also be installed from within the live environment, thanks to Ubuntu's Ubiquity installer. The project's website lists tutorials for a couple of installation types, including an installation to hard disk, a dual boot installation, or a persistent installation on a USB stick.
Working with BackTrack
After choosing the default option in the GRUB menu, BackTrack starts with a stylish frame buffer console. One can start working right away on the command line, or fire up a graphical desktop environment with startx. This presents the user with a KDE 3 desktop which has some nice tweaks. For example, there is a Run box embedded in the panel at the bottom, which allows applications to be run without invoking a terminal first. However, some of the tweaks are annoying. For example, the KDE desktop welcomes the user with a very loud startup tune and many system sounds are set at an equally loud level. Also keep in mind that, for the sake of security, networking is disabled by default, so the user has to fire it up manually with a /etc/init.d/networking start command.
The purpose of BackTrack is to present a collection of hundreds of open source security tools. It would be out of the scope of this article to list them all. Luckily, all these tools are well organized in different submenus of the "Backtrack" menu: "Information Gathering", "Network Mapping", "Vulnerability Identification", "Web Application Analysis", "Radio Network Analysis", "Penetration", "Privilege Escalation", "Maintaining Access", "Digital Forensics", "Reverse Engineering", "Voice Over IP", and "Miscellaneous". Each submenu is further subdivided into subcategories. Most of the tools are command line utilities, but a nice feature is that the menu items open a terminal window with the relevant tool showing its usage info (e.g. with the --help option).
The start menu also has some general menus like "Internet", "Graphics", "Multimedia", "System", "Utilities", etc. containing "normal" programs. The nice thing about it is that even some of these programs have a custom configuration. For example, Firefox is configured with the NoScript extension, protecting the penetration tester against malicious JavaScript on hacker websites he probably visits, the Tamper Data extension to view and modify HTTP headers, and the HackBar tool bar to help find and test SQL injections and cross-site scripting (XSS) holes. Moreover, the bookmarks tool bar is filled with some relevant web sites, such as the BackTrack web site and the Metasploit Project. Installing other software is possible with Synaptic or apt-get, which have access to the BackTrack repository, and getting an up-to-date BackTrack is as simple as an apt-get update && apt-get upgrade command.
With each release, BackTrack adds some new software. Starting with BackTrack 4, the distribution supports accelerated password cracking assisted by graphics cards. The Pyrit WPA cracking tool does this using NVIDIA's CUDA. Another newcomer is OpenVAS: previous releases of BackTrack didn't ship with the vulnerability scanner Nessus because of license issues, but BackTrack 4 finally makes up for this with the inclusion of the GPL-licensed OpenVAS.
Forensics
BackTrack 4 adds a new focus, indicated by the new boot menu item "Start BackTrack Forensics". Traditionally, BackTrack wasn't suitable for forensic purposes because it automatically mounts available drives and uses the swap partition it finds on the hard drive. In a forensic investigation of a computer this is obviously a recipe for disaster as it changes last mount times, and also wipes out hidden data in the swap partition which could be important. BackTrack 4 still does all that by default, but not if you start it with the forensics option in the boot menu.
The BackTrack developers have also expanded their collection of tools in the "Digital Forensics" menu. All of this means that BackTrack is now not only useful for penetration testers and security professionals, but also more and more for forensic experts. Of course if used in a forensic investigation it is of utmost importance that BackTrack not go through an unattended boot, as this will use the standard boot mode which 'contaminates' the machine. To be really on the safe side, forensic experts should change the default boot option to the forensic one.
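The contamination described above (partitions auto-mounted and a swap partition picked up from the evidence disk) is something an examiner can check for before taking an image. The script below is an added example, not code from this article or from the BackTrack project: it parses /proc/mounts and /proc/swaps and lists every partition of a given disk that the running live system has mounted or activated as swap. The function names, the prefix-matching rule and the embedded sample data are this example's own assumptions; the sample is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the LWN article or of BackTrack itself: a
# pre-imaging sanity check in the spirit of BackTrack 4's forensic boot mode.
# It reports every partition of the evidence disk that the live system has
# mounted (read-only mounts included, since mounting can still replay a
# journal or update mount timestamps) or activated as swap.

# evidence_in_use DISK MOUNTS SWAPS
#   DISK   block device of the evidence drive, e.g. /dev/sdb
#   MOUNTS text in /proc/mounts format ("<device> <mountpoint> <fstype> <options> 0 0")
#   SWAPS  text in /proc/swaps format (header line, then "<device> <type> <size> <used> <prio>")
# Prints one line per offending device; returns 1 if any was found, 0 if the
# disk is untouched.
evidence_in_use() {
    disk=$1
    mounts=$2
    swaps=$3
    rc=0
    # A device "belongs" to the disk when its name starts with the disk name
    # (/dev/sdb1, /dev/sdb2, ... for /dev/sdb). Device-mapper or LVM volumes
    # layered on top of the disk would need an extra lsblk/dmsetup lookup.
    hits=$(printf '%s\n' "$mounts" |
        awk -v d="$disk" 'index($1, d) == 1 { print "mounted: " $1 " on " $2 " (" $4 ")" }')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        rc=1
    fi
    # Skip the header line of /proc/swaps (NR > 1)
    hits=$(printf '%s\n' "$swaps" |
        awk -v d="$disk" 'NR > 1 && index($1, d) == 1 { print "swap: " $1 }')
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        rc=1
    fi
    return $rc
}

# check_live_disk DISK: run the same check against the running system.
check_live_disk() {
    evidence_in_use "$1" "$(cat /proc/mounts)" "$(cat /proc/swaps)"
}

# Constructed sample input: what a default (non-forensic) live boot might
# leave behind after auto-mounting /dev/sdb and picking up its swap partition.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /mnt/sdb1 ext3 rw,relatime 0 0
/dev/sdb2 /mnt/sdb2 vfat ro,noatime 0 0'
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/sda5 partition 1048572 0 -1
/dev/sdb3 partition 2097148 0 -2'

# Demonstration on the constructed sample (on a real box you would run
# check_live_disk /dev/sdb before touching the evidence drive).
if evidence_in_use /dev/sdb "$SAMPLE_MOUNTS" "$SAMPLE_SWAPS"; then
    echo "/dev/sdb is untouched, safe to image"
else
    echo "/dev/sdb has been touched by the live system, do not trust its state"
fi
```

On the sample above the check reports /dev/sdb1 and /dev/sdb2 as mounted and /dev/sdb3 as active swap and exits non-zero; a disk with no matching entries passes silently. A clean result only says the live system has not mounted or swapped on the disk; it is a complement to booting in forensic mode, not a substitute for it.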
Conclusion
Although BackTrack documentation itself is scarce and fragmentary, this is not a big issue, because it's more about the tools than about the distribution. For people wanting to train their penetration testing skills, the developers offer a "Penetration testing With BackTrack" course. Upon completion of this course, students become eligible to take a certification challenge in an unfamiliar lab. After successful completion of this hands-on challenge, they receive the Offensive Security Certified Professional (OSCP) certification.
More than ever, BackTrack is an excellent Linux distribution for security professionals. With the move from a SLAX-based live CD to a full-blown Ubuntu-based Linux distribution, it's much easier to update the system, install other software or customize the distribution. New tools like OpenVAS and Pyrit are a welcome addition to the security professional's toolbox. In addition, with the increased focus on forensics, the distribution will surely find some use outside the traditional penetration testers' scene.
Comments (none posted)
New vulnerabilities
aria2: denial of service
| Package(s): | aria2 |
| CVE #(s): | CVE-2009-3617 |
| Created: | January 14, 2010 |
| Updated: | January 20, 2010 |
| Alerts: | |

Description: From the CVE entry:

Format string vulnerability in the AbstractCommand::onAbort function in src/AbstractCommand.cc in aria2 before 1.6.2, when logging is enabled, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a download URI. NOTE: some of these details are obtained from third party information.
Comments (none posted)
bash: multiple vulnerabilities
| Package(s): | bash |
| CVE #(s): | CVE-2010-0002, CVE-2008-5374 |
| Created: | January 14, 2010 |
| Updated: | September 23, 2011 |
| Alerts: | |

Description: From the Mandriva alert:

A vulnerability has been discovered in the Mandriva bash package, which could allow a malicious user to hide files from the ls command, or garble its output by crafting files or directories which contain special characters or escape sequences (CVE-2010-0002). This update fixes the issue by disabling the display of control characters by default.

Additionally, this update fixes the unsafe file creation in bash-doc sample scripts (CVE-2008-5374).
Comments (none posted)
bind: multiple vulnerabilities
| Package(s): | bind |
| CVE #(s): | CVE-2010-0097, CVE-2010-0290 |
| Created: | January 20, 2010 |
| Updated: | June 28, 2010 |
| Alerts: | |

Description: From the Red Hat advisory:

A flaw was found in the BIND DNSSEC NSEC/NSEC3 validation code. If BIND was running as a DNSSEC-validating resolver, it could incorrectly cache NXDOMAIN responses, as if they were valid, for records proven by NSEC or NSEC3 to exist. A remote attacker could use this flaw to cause a BIND server to return the bogus, cached NXDOMAIN responses for valid records and prevent users from retrieving those records (denial of service). (CVE-2010-0097)

The original fix for CVE-2009-4022 was found to be incomplete. BIND was incorrectly caching certain responses without performing proper DNSSEC validation. CNAME and DNAME records could be cached, without proper DNSSEC validation, when received from processing recursive client queries that requested DNSSEC records but indicated that checking should be disabled. A remote attacker could use this flaw to bypass the DNSSEC validation check and perform a cache poisoning attack if the target BIND server was receiving such client queries. (CVE-2010-0290)
Comments (none posted)
gcc: arbitrary code execution
| Package(s): | gcc |
| CVE #(s): | CVE-2009-3736 |
| Created: | January 14, 2010 |
| Updated: | March 22, 2010 |
| Alerts: | |

Description: From the Red Hat security update:

A flaw was found in the way GNU Libtool's libltdl library looked for libraries to load. It was possible for libltdl to load a malicious library from the current working directory. In certain configurations, if a local attacker is able to trick a local user into running a Java application (which uses a function to load native libraries, such as System.loadLibrary) from within an attacker-controlled directory containing a malicious library or module, the attacker could possibly execute arbitrary code with the privileges of the user running the Java application.
Comments (none posted)
glibc: encrypted password disclosure via NIS
| Package(s): | glibc |
| CVE #(s): | CVE-2010-0015 |
| Created: | January 20, 2010 |
| Updated: | October 28, 2010 |
| Alerts: | |

Description: From the Debian advisory:

Christoph Pleger has discovered that the GNU C Library (aka glibc) and its derivatives add information from the passwd.adjunct.byname map to entries in the passwd map, which allows local users to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
Comments (none posted)
gzip: arbitrary code execution
| Package(s): | gzip |
| CVE #(s): | CVE-2009-2624 |
| Created: | January 20, 2010 |
| Updated: | March 8, 2010 |
| Alerts: | |

Description: From the Debian advisory:

Thiemo Nagel discovered a missing input sanitation flaw in the way gzip used to decompress data blocks for dynamic Huffman codes, which could lead to the execution of arbitrary code when trying to decompress a crafted archive. This issue is a reappearance of CVE-2006-4334 and only affects the lenny version.
Comments (none posted)
gzip: arbitrary code execution
| Package(s): | gzip |
| CVE #(s): | CVE-2010-0001 |
| Created: | January 20, 2010 |
| Updated: | October 17, 2011 |
| Alerts: | |

Description: From the Red Hat advisory:

An integer underflow flaw, leading to an array index error, was found in the way gzip expanded archive files compressed with the Lempel-Ziv-Welch (LZW) compression algorithm. If a victim expanded a specially-crafted archive, it could cause gzip to crash or, potentially, execute arbitrary code with the privileges of the user running gzip. This flaw only affects 64-bit systems. (CVE-2010-0001)
Comments (none posted)
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-6304, CVE-2009-3556, CVE-2009-4020, CVE-2009-4141, CVE-2009-4272 |
| Created: | January 20, 2010 |
| Updated: | November 5, 2012 |
| Alerts: | |

Description: From the Red Hat advisory:

The RHSA-2009:0225 update introduced a rewrite attack flaw in the do_coredump() function. A local attacker able to guess the file name a process is going to dump its core to, prior to the process crashing, could use this flaw to append data to the dumped core file. This issue only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value is 0). (CVE-2006-6304, Moderate)

The fix for CVE-2006-6304 changes the expected behavior: With suid_dumpable set to 2, the core file will not be recorded if the file already exists. For example, core files will not be overwritten on subsequent crashes of processes whose core files map to the same name.

The RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support in the qla2xxx driver, resulting in two new sysfs pseudo files, "/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete". These two files were world-writable by default, allowing a local user to change SCSI host attributes. This flaw only affects systems using the qla2xxx driver and NPIV capable hardware. (CVE-2009-3556, Moderate)

A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS file system implementation. This could lead to a denial of service if a user browsed a specially-crafted HFS file system, for example, by running "ls". (CVE-2009-4020, Low)

Tavis Ormandy discovered a deficiency in the fasync_helper() implementation. This could allow a local, unprivileged user to leverage a use-after-free of locked, asynchronous file descriptors to cause a denial of service or privilege escalation. (CVE-2009-4141, Important)

The Parallels Virtuozzo Containers team reported the RHSA-2009:1243 update introduced two flaws in the routing implementation. If an attacker was able to cause a large enough number of collisions in the routing hash table (via specially-crafted packets) for the emergency route flush to trigger, a deadlock could occur. Secondly, if the kernel routing cache was disabled, an uninitialized pointer would be left behind after a route lookup, leading to a kernel panic. (CVE-2009-4272, Important)
Comments (1 posted)
libthai: arbitrary code execution
| Package(s): | libthai |
| CVE #(s): | CVE-2009-4012 |
| Created: | January 15, 2010 |
| Updated: | February 1, 2010 |
| Alerts: | |

Description: From the Debian advisory:

Tim Starling discovered that libthai, a set of Thai language support routines, is vulnerable to an integer/heap overflow. This vulnerability could allow an attacker to run arbitrary code by sending a very long string.
Comments (none posted)
mysql: multiple vulnerabilities
| Package(s): | mysql |
| CVE #(s): | CVE-2009-4028, CVE-2009-4030 |
| Created: | January 18, 2010 |
| Updated: | January 14, 2013 |
| Alerts: | |

Description: From the Mandriva advisory:

The vio_verify_callback function in viosslfactories.c in MySQL 5.0.x before 5.0.88 and 5.1.x before 5.1.41, when OpenSSL is used, accepts a value of zero for the depth of X.509 certificates, which allows man-in-the-middle attackers to spoof arbitrary SSL-based MySQL servers via a crafted certificate, as demonstrated by a certificate presented by a server linked against the yaSSL library (CVE-2009-4028).

MySQL 5.1.x before 5.1.41 allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4098 and CVE-2008-2079 (CVE-2009-4030).
Comments (none posted)
openssl: denial of service
| Package(s): | openssl |
| CVE #(s): | CVE-2009-4355 |
| Created: | January 14, 2010 |
| Updated: | April 19, 2010 |
| Alerts: | |

Description: From the Debian alert:

It was discovered that a significant memory leak could occur in openssl, related to the reinitialization of zlib. This could result in a remotely exploitable denial of service vulnerability when using the Apache httpd server in a configuration where mod_ssl, mod_php5, and the php5-curl extension are loaded.
Comments (none posted)
phpMyAdmin: multiple vulnerabilities
| Package(s): | phpMyAdmin |
| CVE #(s): | CVE-2008-7251, CVE-2008-7252, CVE-2009-4605 |
| Created: | January 20, 2010 |
| Updated: | April 19, 2010 |
| Alerts: | |

Description: From the Mandriva advisory:

libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a temporary directory with 0777 permissions, which has unknown impact and attack vectors (CVE-2008-7251).

libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors (CVE-2008-7252).

scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors (CVE-2009-4605).
Comments (none posted)
php-ZendFramework: multiple vulnerabilities
| Package(s): | php-ZendFramework |
| CVE #(s): | |
| Created: | January 18, 2010 |
| Updated: | January 20, 2010 |
| Alerts: | |

Description: From the Zend Framework release notes for 1.97:

The following security vulnerabilities are resolved in these releases:
- ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
- ZF2010-05: Potential XSS vector in Zend_Service_ReCaptcha_MailHide
- ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer
- ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
- ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
- ZF2010-01: Potential XSS vectors due to inconsistent encodings
Comments (none posted)
ruby: escape sequence injection
| Package(s): | ruby |
| CVE #(s): | CVE-2009-4492 |
| Created: | January 14, 2010 |
| Updated: | August 15, 2011 |
| Alerts: | |

Description: From the Fedora alert:

A security vulnerability has been found in the WEBrick module in Ruby currently shipped on Fedora 11: WEBrick lets attackers inject malicious escape sequences into its logs, making it possible for dangerous control characters to be executed on a victim's terminal emulator.
Comments (none posted)
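The bash entry above (CVE-2010-0002, files hidden from ls by escape sequences) and the ruby entry (CVE-2009-4492, escape sequences injected into WEBrick logs) are the same problem seen from two ends: untrusted bytes reaching a terminal unescaped. The following shell function is an added example, not code from either advisory or from the projects concerned; it renders an untrusted string with control characters shown as octal escapes, which is the same idea as the Mandriva fix of disabling control-character display in ls. The function name and the demonstration values are this example's own, and the values are constructed.

```shell
#!/bin/sh
# Added example, not taken from the bash or Ruby advisories: render an
# untrusted string (a filename, a request line about to be logged) so that
# control characters and escape sequences become visible octal escapes instead
# of being interpreted by the terminal that eventually displays it.

# sanitize_for_terminal STRING
# Prints STRING with every byte below 0x20, DEL (0x7f) and backslash escaped
# as \ooo (backslash itself as \\), so the output is unambiguous. Embedded
# newlines come out as \012, so the result is always exactly one line.
sanitize_for_terminal() {
    printf '%s' "$1" | awk '
        BEGIN {
            # lookup table: control byte -> its octal escape
            for (n = 1; n < 32; n++) esc[sprintf("%c", n)] = sprintf("\\%03o", n)
            esc[sprintf("%c", 127)] = "\\177"
            esc["\\"] = "\\\\"
        }
        {
            # awk splits the input on newlines; re-insert them as \012 so that
            # a multi-line value still produces a single output line
            line = (NR > 1) ? "\\012" : ""
            for (i = 1; i <= length($0); i++) {
                ch = substr($0, i, 1)
                line = line ((ch in esc) ? esc[ch] : ch)
            }
            printf "%s", line
        }
        END { printf "\n" }'
}

# Constructed demo values: a filename carrying an ANSI "erase line" sequence
# followed by a carriage return (the ls case), and a request path carrying a
# CR LF pair that would start a fake log line (the WEBrick case).
DEMO_NAME=$(printf 'report\033[2K\rannual-summary.pdf')
DEMO_REQUEST=$(printf 'GET /index.html\r\nfake: log line')

# Printed as-is, the first value would overwrite the line on a terminal and
# the second would split into two log lines; escaped, both are inert.
sanitize_for_terminal "$DEMO_NAME"      # report\033[2K\015annual-summary.pdf
sanitize_for_terminal "$DEMO_REQUEST"   # GET /index.html\015\012fake: log line
```

Use it on anything a script echoes or writes to a log that originated outside the script (file names from find, request lines, user names). GNU ls offers the same rendering natively with -b (C-style escapes) or -q (replace with ?); the fix described in the bash entry made that behaviour the default.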
squirrelmail: arbitrary code execution
| Package(s): | squirrelmail |
| CVE #(s): | CVE-2009-1381 |
| Created: | January 14, 2010 |
| Updated: | January 20, 2010 |
| Alerts: | |

Description: From the CVE entry:

The map_yp_alias function in functions/imap_general.php in SquirrelMail before 1.4.19-1 on Debian GNU/Linux, and possibly other operating systems and versions, allows remote attackers to execute arbitrary commands via shell metacharacters in a username string that is used by the ypmatch program. NOTE: this issue exists because of an incomplete fix for CVE-2009-1579.
Comments (none posted)
systemtap: arbitrary code execution
| Package(s): | systemtap |
| CVE #(s): | CVE-2009-4273 |
| Created: | January 18, 2010 |
| Updated: | April 27, 2010 |
| Alerts: | |

Description: From the Red Hat bugzilla entry:

A flaw was found in the "stap-server" network compilation server, an optional part of systemtap. Part of the server is written in bash and does not adequately sanitize its inputs, which are essentially full command line parameter sets from a client. Remote users may be able to abuse quoting/spacing/metacharacters to execute shell code on behalf of the compile server process/user (normally a fully unprivileged synthetic userid).
Comments (none posted)
transmission: cross-site request forgery
| Package(s): | transmission |
| CVE #(s): | CVE-2009-1757 |
| Created: | January 18, 2010 |
| Updated: | January 20, 2010 |
| Alerts: | |

Description: From the Mandriva advisory:

Cross-site request forgery (CSRF) vulnerability in Transmission 1.5 before 1.53 and 1.6 before 1.61 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors (CVE-2009-1757).
Comments (none posted)
virtualbox: multiple vulnerabilities
| Package(s): | virtualbox |
| CVE #(s): | CVE-2009-3692, CVE-2009-3940 |
| Created: | January 14, 2010 |
| Updated: | March 11, 2010 |
| Alerts: | |

Description: From the Gentoo alert:

* A shell metacharacter injection in popen() (CVE-2009-3692) and a possible buffer overflow in strncpy() in the VBoxNetAdpCtl configuration tool.
* An unspecified vulnerability in VirtualBox Guest Additions (CVE-2009-3940).
Comments (none posted)
Page editor: Jake Edge